├── .gitignore ├── README.md ├── community ├── passwordlist ├── reconscan.py ├── samrdump.py └── userlist /.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | *.pyc 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Original Author: 2 | *Mike Czumak (T_v3rn1x) -- @SecuritySift* 3 | *http://www.securitysift.com/offsec-pwb-oscp/* 4 | 5 | 6 | ## Modification Author 7 | *Zach Hilbert @zachhilbert* 8 | 9 | I found this recon script from Mike and consolidated the files into 1 main file using argparse to make it easier to run specific scans. It doesn't always work as expected, but ***expect*** that for now. I haven't taken the time to work out the quirks since I use it right now for the OSCP lab. 10 | 11 | ## Original Readme Text 12 | 13 | This readme file pertains to the reconscan.py script and all associated scripts. 14 | 15 | Currently these scripts include: 16 | reconscan.py (main) 17 | dirbust.py 18 | dnsrecon.py 19 | ftprecon.py 20 | reconscan.py 21 | smbrecon.py 22 | smtprecon.py 23 | snmprecon.py 24 | sshrecon.py 25 | 26 | This collection of scripts is intended to be executed remotely against a list of IPs to enumerate discovered 27 | services such as smb, smtp, snmp, ftp and other. 28 | 29 | How to use: 30 | reconscan.py is the main script which calls all other scripts. Simply run it and it should do the work for you. 31 | Since I wrote this for a very specific use case I hard-coded all paths so be sure you change them accordingly. 32 | You'll also need to check the directories used for writing and modify accordingly as well. I intentionally kept 33 | these scripts modular so that each script could also be run on its own. 34 | 35 | Warning: 36 | These scripts comes as-is with no promise of functionality or accuracy. I strictly wrote them for personal use 37 | I have no plans to maintain updates, I did not write them to be efficient and in some cases you may find the 38 | functions may not produce the desired results so use at your own risk/discretion. I wrote these scripts to 39 | target machines in a lab environment so please only use them against systems for which you have permission!! 40 | 41 | Modification, Distribution, and Attribution: 42 | You are free to modify and/or distribute this script as you wish. I only ask that you maintain original 43 | author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's 44 | worth anything anyway :) 45 | 46 | -------------------------------------------------------------------------------- /community: -------------------------------------------------------------------------------- 1 | public 2 | private 3 | manager 4 | -------------------------------------------------------------------------------- /passwordlist: -------------------------------------------------------------------------------- 1 | 00000 2 | 000000 3 | 00000000 4 | 010203 5 | 012345 6 | 0123456 7 | 0123456789 8 | 098765 9 | 0987654321 10 | 101010 11 | 102030 12 | 11111 13 | 111111 14 | 11111111 15 | 112233 16 | 121212 17 | 123123 18 | 123123123 19 | 123321 20 | 12345 21 | 123456 22 | 1234567 23 | 12345678 24 | 123456789 25 | 1234567890 26 | 12345678910 27 | 123456a 28 | 123654 29 | 123789 30 | 123abc 31 | 123asdf 32 | 123qwe 33 | 131313 34 | 141414 35 | 14344 36 | 147258 37 | 147258369 38 | 147852 39 | 147852369 40 | 151515 41 | 159357 42 | 159753 43 | 202020 44 | 212121 45 | 222222 46 | 232323 47 | 242424 48 | 246810 49 | 252525 50 | 333333 51 | 444444 52 | 456123 53 | 456789 54 | 50cent 55 | 5201314 56 | 54321 57 | 55555 58 | 555555 59 | 654321 60 | 666666 61 | 696969 62 | 741852 63 | 741852963 64 | 777777 65 | 7777777 66 | 789456 67 | 789456123 68 | 87654321 69 | 888888 70 | 88888888 71 | 987654 72 | 987654321 73 | 999999 74 | 999999999 75 | a123456 76 | aaaaaa 77 | aaliyah 78 | aaron 79 | abc123 80 | abcdef 81 | abcdefg 82 | abigail 83 | adidas 84 | admin 85 | Admin 86 | administrator 87 | adrian 88 | adriana 89 | albert 90 | alberto 91 | alejandra 92 | alejandro 93 | alexander 94 | alexandra 95 | alexis 96 | alfredo 97 | alicia 98 | allison 99 | alyssa 100 | amanda 101 | amber 102 | amelia 103 | america 104 | amigas 105 | amigos 106 | amistad 107 | amorcito 108 | amores 109 | anamaria 110 | anderson 111 | andre 112 | andrea 113 | andreea 114 | andrei 115 | andres 116 | andrew 117 | andrew1 118 | angel 119 | angel1 120 | angela 121 | angeles 122 | angelica 123 | angelina 124 | angelito 125 | angelo 126 | angels 127 | angie 128 | animal 129 | anita 130 | anthony 131 | anthony1 132 | antonio 133 | apple 134 | apples 135 | april 136 | ariana 137 | armando 138 | arsenal 139 | arturo 140 | asdf123 141 | asdfgh 142 | asdfghjkl 143 | ashlee 144 | ashley 145 | ashley1 146 | ashton 147 | asshole 148 | august 149 | austin 150 | autumn 151 | awesome 152 | babyblue 153 | babyboo 154 | babyboy 155 | babydoll 156 | babyface 157 | babygirl 158 | babygirl1 159 | babygurl 160 | babyko 161 | babylove 162 | backup 163 | backupexec 164 | badboy 165 | badgirl 166 | bailey 167 | baller 168 | bambam 169 | banana 170 | bananas 171 | bandit 172 | barbara 173 | barbie 174 | barcelona 175 | barney 176 | baseball 177 | basketball 178 | batista 179 | batman 180 | beatriz 181 | beautiful 182 | beauty 183 | bebita 184 | beckham 185 | bella 186 | benfica 187 | benjamin 188 | bestfriend 189 | bestfriends 190 | bettyboop 191 | beyonce 192 | bhebhe 193 | bianca 194 | billabong 195 | birthday 196 | bitch 197 | bitch1 198 | biteme 199 | blessed 200 | blink182 201 | blonde 202 | blondie 203 | bobby 204 | bonita 205 | bonnie 206 | booboo 207 | booger 208 | boomer 209 | bowwow 210 | bradley 211 | brandon 212 | brandon1 213 | brandy 214 | brenda 215 | brian 216 | brianna 217 | britney 218 | brittany 219 | broken 220 | brooke 221 | brooklyn 222 | bryan 223 | bubble 224 | bubblegum 225 | bubbles 226 | bubbles1 227 | buddy1 228 | buster 229 | butter 230 | buttercup 231 | butterfly 232 | butterfly1 233 | caitlin 234 | california 235 | cameron 236 | camila 237 | camille 238 | canada 239 | cancer 240 | candy 241 | cantik 242 | capricorn 243 | carebear 244 | carlitos 245 | carlos 246 | carmen 247 | carolina 248 | caroline 249 | carter 250 | casper 251 | cassandra 252 | cassie 253 | catalina 254 | catdog 255 | catherine 256 | cecilia 257 | celeste 258 | celtic 259 | cesar 260 | chacha 261 | chance 262 | changeme 263 | charles 264 | charlie 265 | charlie1 266 | charlotte 267 | charmed 268 | cheche 269 | cheerleader 270 | cheese 271 | chelsea 272 | cherry 273 | chester 274 | cheyenne 275 | chicago 276 | chichi 277 | chicken 278 | chiquita 279 | chivas 280 | chloe 281 | chocolate 282 | chris 283 | chris1 284 | chrisbrown 285 | christ 286 | christian 287 | christina 288 | christine 289 | christmas 290 | christopher 291 | chubby 292 | cinderella 293 | claire 294 | claudia 295 | clustadm 296 | cluster 297 | cocacola 298 | colombia 299 | compaq 300 | computer 301 | connor 302 | cookie 303 | cookie1 304 | cookies 305 | cooper 306 | corazon 307 | courtney 308 | cowboys 309 | crazy 310 | cristian 311 | cristina 312 | crystal 313 | cupcake 314 | cuteako 315 | cuteme 316 | cutie 317 | cutiepie 318 | cynthia 319 | daddy 320 | daddy1 321 | daddysgirl 322 | daisy 323 | dakota 324 | dallas 325 | damian 326 | dance 327 | dancer 328 | dancing 329 | daniel 330 | daniel1 331 | daniela 332 | danielle 333 | danny 334 | darkangel 335 | darkness 336 | darling 337 | darren 338 | david 339 | david1 340 | debbie 341 | december 342 | deedee 343 | default 344 | delfin 345 | dell 346 | denise 347 | dennis 348 | desiree 349 | destiny 350 | dexter 351 | diamond 352 | diamonds 353 | diana 354 | diego 355 | dinamo 356 | disney 357 | dmz 358 | dolphin 359 | dolphins 360 | dominic 361 | domino 362 | donald 363 | dragon 364 | dreamer 365 | dreams 366 | dustin 367 | eagles 368 | eduardo 369 | edward 370 | eeyore 371 | elaine 372 | elephant 373 | elijah 374 | elizabeth 375 | emily 376 | eminem 377 | emmanuel 378 | england 379 | enrique 380 | erika 381 | estrella 382 | estrellita 383 | eugene 384 | evelyn 385 | exchadm 386 | exchange 387 | familia 388 | family 389 | fashion 390 | fatima 391 | february 392 | felipe 393 | fernanda 394 | fernando 395 | ferrari 396 | flores 397 | florida 398 | flower 399 | flowers 400 | fluffy 401 | football 402 | football1 403 | forever 404 | francis 405 | francisco 406 | frankie 407 | freddy 408 | freedom 409 | friend 410 | friends 411 | friendship 412 | friendster 413 | froggy 414 | ftp 415 | fucker 416 | fuckme 417 | fuckoff 418 | fuckyou 419 | fuckyou1 420 | fuckyou2 421 | gabriel 422 | gabriela 423 | ganda 424 | gandako 425 | gangsta 426 | gangster 427 | garcia 428 | garfield 429 | gateway 430 | gatita 431 | gatito 432 | gemini 433 | genesis 434 | genius 435 | george 436 | georgia 437 | gerald 438 | gerard 439 | ginger 440 | glitter 441 | gloria 442 | google 443 | gorgeous 444 | grace 445 | gracie 446 | green 447 | greenday 448 | guest 449 | guitar 450 | gustavo 451 | hahaha 452 | hailey 453 | hannah 454 | hannah1 455 | happy 456 | happy1 457 | hardcore 458 | harley 459 | harrypotter 460 | harvey 461 | hawaii 462 | hayden 463 | hearts 464 | heather 465 | heaven 466 | hector 467 | hello 468 | hello1 469 | hellokitty 470 | hermosa 471 | hernandez 472 | hiphop 473 | hockey 474 | hollywood 475 | honey 476 | honeyko 477 | horses 478 | hotdog 479 | hotmail 480 | hotstuff 481 | hottie 482 | hottie1 483 | hunter 484 | icecream 485 | ihateyou 486 | ilovegod 487 | ilovehim 488 | ilovejesus 489 | iloveme 490 | iloveu 491 | iloveu2 492 | iloveyou 493 | iloveyou! 494 | iloveyou1 495 | iloveyou2 496 | imissyou 497 | inlove 498 | internet 499 | inuyasha 500 | ireland 501 | isabel 502 | isabella 503 | isaiah 504 | israel 505 | iubire 506 | iverson 507 | jackass 508 | jackie 509 | jackson 510 | jamaica 511 | james 512 | james1 513 | jamie 514 | janice 515 | janine 516 | january 517 | jasmin 518 | jasmine 519 | jasmine1 520 | jason 521 | jasper 522 | javier 523 | jayden 524 | jayjay 525 | jayson 526 | jazmin 527 | jeffrey 528 | jennifer 529 | jenny 530 | jeremiah 531 | jeremy 532 | jerome 533 | jessica 534 | jessica1 535 | jessie 536 | jesucristo 537 | jesus 538 | jesus1 539 | jesuschrist 540 | jimmy 541 | joanna 542 | joanne 543 | johncena 544 | johnny 545 | johnson 546 | jonathan 547 | jordan 548 | jordan1 549 | jordan23 550 | jorge 551 | joseph 552 | joshua 553 | joshua1 554 | julian 555 | juliana 556 | julius 557 | junior 558 | justin 559 | justin1 560 | justine 561 | justme 562 | karen 563 | karina 564 | karla 565 | katherine 566 | kathleen 567 | katie 568 | katrina 569 | kayla 570 | kelly 571 | kelsey 572 | kenneth 573 | kevin 574 | killer 575 | kimberly 576 | kisses 577 | kissme 578 | kitkat 579 | kitten 580 | kitty 581 | kittycat 582 | KKKKKKK 583 | kristen 584 | kristina 585 | kristine 586 | ladybug 587 | lakers 588 | lalala 589 | laura 590 | lauren 591 | lawrence 592 | leanne 593 | legolas 594 | leonardo 595 | leslie 596 | lester 597 | letmein 598 | liliana 599 | lilmama 600 | linda 601 | lindsay 602 | lindsey 603 | linkinpark 604 | lipgloss 605 | liverpool 606 | lizzie 607 | lokita 608 | lolipop 609 | lolita 610 | lollipop 611 | lollypop 612 | london 613 | lonely 614 | lorena 615 | loser 616 | lotus 617 | louise 618 | love 619 | love12 620 | love123 621 | lovebug 622 | lovelove 623 | lovely 624 | lovely1 625 | loveme 626 | loveme1 627 | lover 628 | lover1 629 | loverboy 630 | lovers 631 | loves 632 | loveu 633 | loveya 634 | loveyou 635 | loving 636 | lucky 637 | lucky1 638 | lucky7 639 | lupita 640 | madalina 641 | maddie 642 | madison 643 | maganda 644 | maggie 645 | mahal 646 | mahalkita 647 | mahalko 648 | maldita 649 | mamita 650 | manchester 651 | manuel 652 | manutd 653 | marcos 654 | marcus 655 | margarita 656 | maria 657 | mariah 658 | marian 659 | mariana 660 | marie 661 | marie1 662 | marina 663 | mario 664 | mariposa 665 | marisol 666 | marissa 667 | marley 668 | marlon 669 | martha 670 | martin 671 | martinez 672 | marvin 673 | maryjane 674 | master 675 | matrix 676 | matthew 677 | matthew1 678 | mauricio 679 | megan 680 | melanie 681 | melissa 682 | melody 683 | melvin 684 | mememe 685 | mendoza 686 | mercedes 687 | metallica 688 | mexico 689 | mhine 690 | miamor 691 | michael 692 | michael1 693 | micheal 694 | michelle 695 | michelle1 696 | mickey 697 | midnight 698 | mierda 699 | miguel 700 | milagros 701 | miller 702 | millie 703 | minnie 704 | miranda 705 | miriam 706 | molly 707 | mommy 708 | mommy1 709 | money 710 | money1 711 | monica 712 | monique 713 | monkey 714 | monkey1 715 | monkeys 716 | monster 717 | morgan 718 | mother 719 | motorola 720 | muffin 721 | murphy 722 | musica 723 | mustang 724 | mybaby 725 | mylife 726 | mylove 727 | myself 728 | myspace 729 | myspace1 730 | naruto 731 | natalia 732 | natalie 733 | natasha 734 | nathan 735 | nelson 736 | nenita 737 | newyork 738 | nicholas 739 | nichole 740 | nicolas 741 | nicole 742 | nicole1 743 | nikita 744 | nikki 745 | nirvana 746 | notes 747 | nothing 748 | november 749 | number1 750 | nursing 751 | october 752 | office 753 | oliver 754 | olivia 755 | omarion 756 | onelove 757 | oracle 758 | orange 759 | orlando 760 | oscar 761 | paloma 762 | pamela 763 | panget 764 | pangit 765 | pantera 766 | panther 767 | panthers 768 | paola 769 | parola 770 | pasaway 771 | pass 772 | passion 773 | password 774 | password! 775 | PASSWORD 776 | password1 777 | password2 778 | patches 779 | patricia 780 | patrick 781 | pauline 782 | peaches 783 | peanut 784 | pebbles 785 | peewee 786 | penguin 787 | people 788 | pepper 789 | phoenix 790 | pictures 791 | piglet 792 | pimpin 793 | pineapple 794 | pinky 795 | playboy 796 | player 797 | playgirl 798 | please 799 | pogiako 800 | pokemon 801 | pollito 802 | poohbear 803 | pookie 804 | poopoo 805 | popcorn 806 | portugal 807 | potter 808 | preciosa 809 | precious 810 | pretty 811 | prince 812 | princesa 813 | princesita 814 | princess 815 | princess1 816 | print 817 | pumpkin 818 | puppies 819 | purple 820 | purple1 821 | pussycat 822 | qazwsx 823 | qwert 824 | qwerty 825 | qwerty1 826 | qwertyuiop 827 | rabbit 828 | rachel 829 | rafael 830 | raiders 831 | rainbow 832 | rangers 833 | raquel 834 | raymond 835 | rebecca 836 | rebelde 837 | red123 838 | regina 839 | remember 840 | replicate 841 | ricardo 842 | richard 843 | robbie 844 | robert 845 | roberto 846 | rodrigo 847 | ronald 848 | ronaldo 849 | ronnie 850 | rosita 851 | roxana 852 | sabrina 853 | sakura 854 | samantha 855 | sammie 856 | sammy 857 | samsung 858 | samuel 859 | sandra 860 | sandy 861 | santiago 862 | santos 863 | sarah 864 | sasuke 865 | savannah 866 | sayang 867 | scarface 868 | school 869 | scooby 870 | scoobydoo 871 | scooter 872 | scorpio 873 | scorpion 874 | scotland 875 | seagate 876 | sebastian 877 | secret 878 | september 879 | sergio 880 | sexybitch 881 | sexygirl 882 | sexylady 883 | sexymama 884 | sexyme 885 | shadow 886 | shadow1 887 | shakira 888 | shannon 889 | sharon 890 | sheena 891 | sheila 892 | shelby 893 | shelly 894 | shopping 895 | shorty 896 | sierra 897 | silver 898 | silvia 899 | simone 900 | simple 901 | simpsons 902 | single 903 | sister 904 | skater 905 | skittles 906 | skyline 907 | slideshow 908 | slipknot 909 | smile 910 | smiles 911 | smiley 912 | smokey 913 | snickers 914 | snoopy 915 | snowball 916 | soccer 917 | soccer1 918 | softball 919 | sophia 920 | sophie 921 | sparkle 922 | sparky 923 | spencer 924 | spider 925 | spiderman 926 | spongebob 927 | sporting 928 | sql 929 | sqlexec 930 | stacey 931 | starwars 932 | steaua 933 | stella 934 | stephanie 935 | stephen 936 | steven 937 | strawberry 938 | stupid 939 | summer 940 | sunflower 941 | sunshine 942 | sunshine1 943 | superman 944 | superstar 945 | susana 946 | sweet 947 | sweet16 948 | sweetheart 949 | sweetie 950 | sweetness 951 | sweetpea 952 | sweets 953 | sweety 954 | swimming 955 | sydney 956 | tamara 957 | tatiana 958 | taurus 959 | taylor 960 | tazmania 961 | teamo 962 | teddybear 963 | teiubesc 964 | tekiero 965 | temp 966 | temp! 967 | temp123 968 | tennis 969 | tequiero 970 | teresa 971 | test 972 | test! 973 | test123 974 | thebest 975 | thomas 976 | thunder 977 | tiffany 978 | tigers 979 | tigger 980 | tigger1 981 | timothy 982 | tinker 983 | tinkerbell 984 | tintin 985 | tivoli 986 | tokiohotel 987 | torres 988 | travis 989 | trinity 990 | tristan 991 | trixie 992 | trouble 993 | truelove 994 | trustno1 995 | tucker 996 | turtle 997 | tweety 998 | twilight 999 | twinkle 1000 | tyler 1001 | undertaker 1002 | united 1003 | valentina 1004 | valeria 1005 | valerie 1006 | vampire 1007 | vanessa 1008 | veritas 1009 | veronica 1010 | victor 1011 | victoria 1012 | vincent 1013 | violet 1014 | virus 1015 | volleyball 1016 | walter 1017 | web 1018 | welcome 1019 | wesley 1020 | westlife 1021 | westside 1022 | whatever 1023 | whitney 1024 | william 1025 | williams 1026 | willow 1027 | wilson 1028 | winnie 1029 | winter 1030 | www 1031 | xavier 1032 | xbox360 1033 | xxxxxx 1034 | yamaha 1035 | yankees 1036 | yellow 1037 | yourmom 1038 | zacefron 1039 | zachary 1040 | zxcvbn 1041 | zxcvbnm 1042 | -------------------------------------------------------------------------------- /reconscan.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | ############################################################################################################### 4 | ## [Title]: reconscan.py -- a recon/enumeration script 5 | ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift 6 | ##------------------------------------------------------------------------------------------------------------- 7 | ## [Details]: 8 | ## This script is intended to be executed remotely against a list of IPs to enumerate discovered services such 9 | ## as smb, smtp, snmp, ftp and other. 10 | ##------------------------------------------------------------------------------------------------------------- 11 | ## [Warning]: 12 | ## This script comes as-is with no promise of functionality or accuracy. I strictly wrote it for personal use 13 | ## I have no plans to maintain updates, I did not write it to be efficient and in some cases you may find the 14 | ## functions may not produce the desired results so use at your own risk/discretion. I wrote this script to 15 | ## target machines in a lab environment so please only use it against systems for which you have permission!! 16 | ##------------------------------------------------------------------------------------------------------------- 17 | ## [Modification, Distribution, and Attribution]: 18 | ## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original 19 | ## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's 20 | ## worth anything anyway :) 21 | ############################################################################################################### 22 | import socket 23 | import argparse 24 | import subprocess 25 | import multiprocessing 26 | import os 27 | 28 | 29 | global args 30 | args = None 31 | 32 | def multProc(targetin, scanip, port, OUTDIR): 33 | p = multiprocessing.Process(target=targetin, args=(scanip,port,OUTDIR)) 34 | p.start() 35 | return 36 | 37 | def dnsEnum(ip_address, port, OUTDIR): 38 | print "INFO: Detected DNS on " + ip_address + ":" + port 39 | if port.strip() != "53": 40 | return 41 | 42 | HOSTNAME = "nmblookup -A %s | grep '<00>' | grep -v '' | cut -d' ' -f1" % (ip_address)# grab the hostname 43 | host = subprocess.check_output(HOSTNAME, shell=True).strip() 44 | print "INFO: Attempting Domain Transfer on " + host 45 | ZT = "dig @%s.thinc.local thinc.local axfr" % (host) 46 | ztresults = subprocess.check_output(ZT, shell=True) 47 | if "failed" in ztresults: 48 | print "INFO: Zone Transfer failed for " + host 49 | else: 50 | print "[*] Zone Transfer successful for " + host + "(" + ip_address + ")!!! [see output file]" 51 | outfile = os.path.join(OUTDIR, ip_address+ "_zonetransfer.txt") 52 | dnsf = open(outfile, "w") 53 | dnsf.write(ztresults) 54 | dnsf.close 55 | 56 | return 57 | 58 | def httpEnum(ip_address, port, OUTDIR): 59 | if 'http' in args.only or not len(args.only): 60 | print "INFO: Detected http on " + ip_address + ":" + port 61 | print "INFO: Performing nmap web script scan for " + ip_address + ":" + port 62 | HTTPSCAN = ('nmap -sV -Pn -vv -p %s ' 63 | '--script=http-vhosts,http-userdir-enum,http-apache-negotiation,' 64 | 'http-backup-finder,http-config-backup,http-default-accounts,' 65 | 'http-methods,http-method-tamper,http-passwd,http-robots.txt ' 66 | '-oA %s_http %s') % (port, os.path.join(OUTDIR, ip_address), ip_address) 67 | nmap_file = '%s_http.nmap' % os.path.join(OUTDIR, ip_address) 68 | if not os.path.exists(nmap_file): 69 | subprocess.check_output(HTTPSCAN, shell=True) 70 | 71 | if 'dirb' not in args.only and len(args.only): 72 | return 73 | url = 'http://%s:%s' % (ip_address, port) 74 | outf = os.path.join(OUTDIR, ip_address+"_dirb_") 75 | folders = ["/usr/share/dirb/wordlists", "/usr/share/dirb/wordlists/vulns"] 76 | 77 | found = [] 78 | print "INFO: Starting dirb scan for " + url 79 | for folder in folders: 80 | for filename in os.listdir(folder): 81 | if 'big' in filename or os.path.isdir(os.path.join(folder, filename)): 82 | continue 83 | outfile = " -o " + outf + filename 84 | if os.path.exists(outfile): 85 | print 'dirb scan already run' 86 | return 87 | 88 | DIRBSCAN = "dirb %s %s/%s %s -S -r" % (url, folder, filename, outfile) 89 | try: 90 | results = subprocess.check_output(DIRBSCAN, shell=True) 91 | resultarr = results.split("\n") 92 | for line in resultarr: 93 | if "+" in line and line not in found: 94 | found.append(line) 95 | except: 96 | pass 97 | try: 98 | if found[0] != "": 99 | print "[*] Dirb found the following items..." 100 | for item in found: 101 | print " " + item 102 | except: 103 | print "INFO: No items found during dirb scan of " + url 104 | 105 | return 106 | 107 | def httpsEnum(ip_address, port, OUTDIR): 108 | if 'https' in args.only or not len(args.only): 109 | print "INFO: Detected https on " + ip_address + ":" + port 110 | print "INFO: Performing nmap web script scan for " + ip_address + ":" + port 111 | HTTPSCANS = ('nmap -sV -Pn -vv -p %s ' 112 | '--script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,' 113 | 'http-config-backup,http-default-accounts,http-email-harvest,http-methods,' 114 | 'http-method-tamper,http-passwd,http-robots.txt ' 115 | '-oA %s_https %s') % (port, os.path.join(OUTDIR, ip_address), ip_address) 116 | nmap_file = '%s_https.nmap' % os.path.join(OUTDIR, ip_address) 117 | if not os.path.exists(nmap_file): 118 | subprocess.check_output(HTTPSCANS, shell=True) 119 | 120 | if 'dirb' not in args.only and len(args.only): 121 | return 122 | url = 'https://%s:%s' % (ip_address, port) 123 | outf = os.path.join(OUTDIR, ip_address+"_dirbs_") 124 | folders = ["/usr/share/dirb/wordlists", "/usr/share/dirb/wordlists/vulns"] 125 | 126 | found = [] 127 | print "INFO: Starting dirb scan for " + url 128 | for folder in folders: 129 | for filename in os.listdir(folder): 130 | if 'big' in filename or os.path.isdir(os.path.join(folder, filename)): 131 | continue 132 | outfile = " -o " + outf + filename 133 | if os.path.exists(outfile): 134 | print 'dirb scan already run' 135 | return 136 | 137 | DIRBSCAN = "dirb %s %s/%s %s -S -r" % (url, folder, filename, outfile) 138 | try: 139 | results = subprocess.check_output(DIRBSCAN, shell=True) 140 | resultarr = results.split("\n") 141 | for line in resultarr: 142 | if "+" in line and line not in found: 143 | found.append(line) 144 | except: 145 | pass 146 | 147 | try: 148 | if found[0] != "": 149 | print "[*] Dirb found the following items..." 150 | for item in found: 151 | print " " + item 152 | except: 153 | print "INFO: No items found during dirb scan of " + url 154 | return 155 | 156 | def mssqlEnum(ip_address, port, OUTDIR): 157 | print "INFO: Detected MS-SQL on " + ip_address + ":" + port 158 | print "INFO: Performing nmap mssql script scan for " + ip_address + ":" + port 159 | MSSQLSCAN = ('nmap -vv -sV -Pn -p %s ' 160 | '--script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes ' 161 | '--script-args=mssql.instance-port=1433,smsql.username-sa,mssql.password-sa ' 162 | '-oA %s_mssql %s') % (port, os.path.join(OUTDIR, ip_address), ip_address) 163 | subprocess.check_output(MSSQLSCAN, shell=True) 164 | 165 | def sshEnum(ip_address, port, OUTDIR): 166 | if not args.ssh: 167 | return 168 | print "INFO: Detected SSH on " + ip_address + ":" + port 169 | print "INFO: Performing hydra ssh scan against " + ip_address 170 | HYDRA = "hydra -L userlist -P passwordlist -f -o %s_sshhydra.txt -u %s -s %s ssh" % (os.path.join(OUTDIR, ip_address), ip_address, port) 171 | filename = os.path.join(OUTDIR, ip_address+'_sshresults.txt') 172 | f = open(filename, 'w') 173 | try: 174 | results = subprocess.check_output(HYDRA, shell=True) 175 | resultarr = results.split("\n") 176 | for result in resultarr: 177 | if "login:" in result: 178 | print "[*] Valid ssh credentials found: " + result 179 | f.write("[*] Valid ssh credentials found: " + result) 180 | except: 181 | print "INFO: No valid ssh credentials found" 182 | 183 | f.close() 184 | return 185 | 186 | def snmpEnum(ip_address, port, OUTDIR): 187 | print "INFO: Detected snmp on " + ip_address + ":" + port 188 | 189 | snmpdetect = False 190 | ONESIXONESCAN = "onesixtyone -c community %s" % (ip_address) 191 | results = subprocess.check_output(ONESIXONESCAN, shell=True).strip() 192 | 193 | if results != "": 194 | if "Windows" in results: 195 | results = results.split("Software: ")[1] 196 | snmpdetect = True 197 | elif "Linux" in results: 198 | results = results.split("[public] ")[1] 199 | snmpdetect = True 200 | if snmpdetect: 201 | filename = os.path.join(OUTDIR, '%s_snmprunning' % ip_address) 202 | f = open(filename, 'w') 203 | print "[*] SNMP running on " + ip_address + "; OS Detect: " + results 204 | f.write("[*] SNMP running on " + ip_address + "; OS Detect: " + results +'\n') 205 | f.close() 206 | SNMPWALK = "snmpwalk -c public -v1 %s 1 > %s_snmpwalk.txt" % (ip_address, os.path.join(OUTDIR, ip_address)) 207 | results = subprocess.check_output(SNMPWALK, shell=True) 208 | 209 | NMAPSCAN = ('nmap -vv -sV -sU -Pn -p 161,162 ' 210 | '--script=snmp-netstat,snmp-processes %s -oA %s_snmprecon') % (ip_address, os.path.join(OUTDIR, ip_address)) 211 | results = subprocess.check_output(NMAPSCAN, shell=True) 212 | return 213 | 214 | def smtpEnum(ip_address, port, OUTDIR): 215 | print "INFO: Detected smtp on " + ip_address + ":" + port 216 | print "INFO: Trying SMTP Enum on " + ip_address 217 | 218 | port = int(port) 219 | names = open('userlist', 'r') 220 | filename = os.path.join(OUTDIR, 'smtpenum_%s' % ip_address) 221 | f = open(filename, 'w') 222 | for name in names: 223 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 224 | s.connect((ip_address, port)) 225 | banner=s.recv(1024) 226 | s.send('HELO test@test.org \r\n') 227 | result= s.recv(1024) 228 | s.send('VRFY ' + name.strip() + '\r\n') 229 | result=s.recv(1024) 230 | s.close() 231 | if ("not implemented" in result) or ("disallowed" in result): 232 | print "INFO: VRFY Command not implemented on " + ip_address 233 | return 234 | if (("250" in result) or ("252" in result) and ("Cannot VRFY" not in result)): 235 | print "[*] SMTP VRFY Account found on " + ip_address + ": " + name.strip() 236 | f.write("[*] SMTP VRFY Account found on " + ip_address + ": " + name.strip()+'\n') 237 | names.close() 238 | f.close() 239 | 240 | return 241 | 242 | def smbEnum(ip_address, port, OUTDIR): 243 | print "INFO: Detected SMB on " + ip_address + ":" + port 244 | if port.strip() != "445": 245 | return 246 | 247 | if 'smb' in args.only or not len(args.only): 248 | print "INFO: Detected SMB on " + ip_address + ":" + port 249 | print "INFO: Performing nmap web script scan for " + ip_address + ":" + port 250 | SMBSCAN = ('nmap --script=smb-check-vulns --script-args=unsafe=1 -vv -p %s ' 251 | '-oA %s_smb-enum %s') % (port, os.path.join(OUTDIR, ip_address), ip_address) 252 | nmap_file = '%s_smb-enum.nmap' % os.path.join(OUTDIR, ip_address) 253 | if not os.path.exists(nmap_file): 254 | subprocess.check_output(SMBSCAN, shell=True) 255 | 256 | NBTSCAN = "./samrdump.py %s" % (ip_address) 257 | nbtresults = subprocess.check_output(NBTSCAN, shell=True) 258 | filename = os.path.join(OUTDIR, 'smbenum_%s' % ip_address) 259 | if ("Connection refused" not in nbtresults) and ("Connect error" not in nbtresults) and ("Connection reset" not in nbtresults): 260 | f = open(filename, 'w') 261 | print "[*] SAMRDUMP User accounts/domains found on " + ip_address 262 | lines = nbtresults.split("\n") 263 | for line in lines: 264 | if ("Found" in line) or (" . " in line): 265 | print " [+] " + line 266 | f.write(line+'\n') 267 | f.close() 268 | return 269 | 270 | def ftpEnum(ip_address, port, OUTDIR): 271 | if not args.ftp: 272 | return 273 | print "INFO: Detected ftp on " + ip_address + ":" + port 274 | print "INFO: Performing nmap FTP script scan for " + ip_address + ":" + port 275 | FTPSCAN = ('nmap -sV -Pn -vv -p %s ' 276 | '--script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 ' 277 | '-oA %s_ftp.nmap %s') % (port, os.path.join(OUTDIR, ip_address), ip_address) 278 | results = subprocess.check_output(FTPSCAN, shell=True) 279 | 280 | print "INFO: Performing hydra ftp scan against " + ip_address 281 | HYDRA = "hydra -L userlist -P passwordlist -f -o %s_ftphydra.txt -u %s -s %s ftp" % (os.path.join(OUTDIR, ip_address), ip_address, port) 282 | results = subprocess.check_output(HYDRA, shell=True) 283 | resultarr = results.split("\n") 284 | filename = os.path.join(OUTDIR, 'ftpenum_%s' % ip_address) 285 | f = open(filename, 'w') 286 | for result in resultarr: 287 | if "login:" in result: 288 | print "[*] Valid ftp credentials found: " + result 289 | f.write("[*] Valid ftp credentials found: " + result) 290 | f.close() 291 | return 292 | 293 | def callScan(): 294 | pass 295 | 296 | def nmapScan(ip_address, OUTDIR): 297 | serv_dict = {} 298 | if not len(args.only): 299 | ip_address = ip_address.strip() 300 | print "INFO: Running general TCP/UDP nmap scans for " + ip_address 301 | serv_dict = {} 302 | TCPSCAN = ('nmap -vv -Pn -A -sC -sS -T 4 -p- -oA %s %s') % (os.path.join(OUTDIR, ip_address), ip_address) 303 | UDPSCAN = ('nmap -vv -Pn -A -sC -sU -T 4 --top-ports 200 -oA %sU %s') % (os.path.join(OUTDIR, ip_address), ip_address) 304 | tcp_nmap_file = '%s.nmap' % os.path.join(OUTDIR, ip_address) 305 | udp_nmap_file = '%sU.nmap' % os.path.join(OUTDIR, ip_address) 306 | if not os.path.exists(tcp_nmap_file): 307 | subprocess.check_output(TCPSCAN, shell=True) 308 | if not os.path.exists(udp_nmap_file): 309 | subprocess.check_output(UDPSCAN, shell=True) 310 | 311 | with open(tcp_nmap_file, 'r') as f: 312 | for line in f: 313 | ports = [] 314 | line = line.strip() 315 | if ("tcp" in line) and ("open" in line) and not ("Discovered" in line): 316 | while " " in line: 317 | line = line.replace(" ", " ") 318 | linesplit= line.split(" ") 319 | service = linesplit[2] # grab the service name 320 | port = line.split(" ")[0] # grab the port/proto 321 | if service in serv_dict: 322 | ports = serv_dict[service] # if the service is already in the dict, grab the port list 323 | 324 | ports.append(port) 325 | serv_dict[service] = ports # add service to the dictionary along with the associated port(2) 326 | else: 327 | port_dict = { 328 | 'http': ['80'], 329 | 'https': ['443'], 330 | 'smtp': ['25'], 331 | 'snmp': ['161', '162'], 332 | 'domain': ['53'], 333 | 'ftp': ['21'], 334 | 'microsoft-ds': ['445'], 335 | 'ms-sql': ['1433'] 336 | } 337 | for i, serv in enumerate(args.only): 338 | services = [] 339 | if serv == 'dns': 340 | services.append('domain') 341 | elif serv == 'dirb': 342 | if 'http' not in services: 343 | services.append('http') 344 | if 'https' not in services: 345 | services.append('https') 346 | elif serv == 'sql': 347 | services.append('ms-sql') 348 | elif serv == 'smb': 349 | services.append('microsoft-ds') 350 | else: 351 | services.append(serv) 352 | 353 | for s in services: 354 | serv_dict[s] = port_dict[s] 355 | 356 | 357 | # go through the service dictionary to call additional targeted enumeration functions 358 | for serv in serv_dict: 359 | ports = serv_dict[serv] 360 | for port in ports: 361 | port = port.split('/')[0] 362 | if (serv == "http"): 363 | multProc(httpEnum, ip_address, port, OUTDIR) 364 | elif (serv == "ssl/http") or ("https" in serv): 365 | multProc(httpsEnum, ip_address, port, OUTDIR) 366 | elif "ssh" in serv: 367 | multProc(sshEnum, ip_address, port, OUTDIR) 368 | elif "smtp" in serv: 369 | multProc(smtpEnum, ip_address, port, OUTDIR) 370 | elif "snmp" in serv: 371 | multProc(snmpEnum, ip_address, port, OUTDIR) 372 | elif "domain" in serv: 373 | multProc(dnsEnum, ip_address, port, OUTDIR) 374 | elif "ftp" in serv: 375 | multProc(ftpEnum, ip_address, port, OUTDIR) 376 | elif "microsoft-ds" in serv: 377 | multProc(smbEnum, ip_address, port, OUTDIR) 378 | elif "ms-sql" in serv: 379 | multProc(mssqlEnum, ip_address, port, OUTDIR) 380 | 381 | print "INFO: TCP/UDP Nmap scans completed for " + ip_address 382 | return 383 | 384 | def start_nmap_scan(ip, OUTDIR): 385 | p = multiprocessing.Process(target=nmapScan, args=(ip, OUTDIR)) 386 | p.start() 387 | 388 | def make_dir(path): 389 | if not os.path.exists(path): 390 | os.mkdir(path) 391 | 392 | def main(dir_): 393 | print "############################################################" 394 | print "#### RECON SCAN ####" 395 | print "#### A multi-process service scanner ####" 396 | print "#### http, ftp, dns, ssh, snmp, smtp, ms-sql ####" 397 | print "############################################################" 398 | # grab the discover scan results and start scanning up hosts 399 | if args.ip: 400 | OUTDIR = dir_ 401 | if args.ip not in OUTDIR and not args.nodir: 402 | OUTDIR = os.path.join(dir_, args.ip) 403 | make_dir(OUTDIR) 404 | start_nmap_scan(args.ip, OUTDIR) 405 | else: 406 | for line in args.infile: 407 | ip = line.strip() 408 | OUTDIR = os.path.join(dir_, ip) 409 | make_dir(OUTDIR) 410 | start_nmap_scan(ip, OUTDIR) 411 | args.infile.close() 412 | 413 | if __name__ == '__main__': 414 | parser = argparse.ArgumentParser( 415 | description='Enumerate a host or list of hosts', 416 | epilog='NOTE: Only input file OR IP address should be supplied' 417 | ) 418 | parser.add_argument('ip', nargs='?', help='IP address of host to enumerate') 419 | parser.add_argument('-f', '--infile', type=file, 420 | help='input file to read host to enumerate') 421 | parser.add_argument('-o', '--outdir', default='.', 422 | help='output directory to store results') 423 | parser.add_argument('-N', '--nodir', action='store_true', 424 | help='don\'t creat output directory') 425 | parser.add_argument('-S', '--ssh', action='store_true') 426 | parser.add_argument('-F', '--ftp', action='store_true') 427 | parser.add_argument('-O', '--only', nargs='+', help='List of checks to run in isolation', 428 | default='') 429 | args = parser.parse_args() 430 | OUTDIR = os.path.abspath(args.outdir) 431 | if not os.path.exists(OUTDIR): 432 | print '''!!!!!!!! 433 | Output directory %s does not exist' % OUTDIR 434 | !!!!!!!!''' 435 | elif (not args.ip and not args.infile) or (args.ip and args.infile): 436 | parser.print_help() 437 | else: 438 | main(OUTDIR) 439 | -------------------------------------------------------------------------------- /samrdump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Copyright (c) 2003-2012 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # $Id: samrdump.py 592 2012-07-11 16:45:20Z bethus@gmail.com $ 9 | # 10 | # Description: DCE/RPC SAMR dumper. 11 | # 12 | # Author: 13 | # Javier Kohen 14 | # Alberto Solino 15 | # 16 | # Reference for: 17 | # DCE/RPC for SAMR 18 | 19 | import socket 20 | import string 21 | import sys 22 | import types 23 | 24 | from impacket import uuid, version 25 | from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr 26 | import argparse 27 | 28 | 29 | class ListUsersException(Exception): 30 | pass 31 | 32 | class SAMRDump: 33 | KNOWN_PROTOCOLS = { 34 | '139/SMB': (r'ncacn_np:%s[\pipe\samr]', 139), 35 | '445/SMB': (r'ncacn_np:%s[\pipe\samr]', 445), 36 | } 37 | 38 | 39 | def __init__(self, protocols = None, 40 | username = '', password = '', domain = '', hashes = None): 41 | if not protocols: 42 | protocols = SAMRDump.KNOWN_PROTOCOLS.keys() 43 | 44 | self.__username = username 45 | self.__password = password 46 | self.__domain = domain 47 | self.__protocols = [protocols] 48 | self.__lmhash = '' 49 | self.__nthash = '' 50 | if hashes is not None: 51 | self.__lmhash, self.__nthash = hashes.split(':') 52 | 53 | 54 | def dump(self, addr): 55 | """Dumps the list of users and shares registered present at 56 | addr. Addr is a valid host name or IP address. 57 | """ 58 | 59 | encoding = sys.getdefaultencoding() 60 | 61 | print 'Retrieving endpoint list from %s' % addr 62 | 63 | # Try all requested protocols until one works. 64 | entries = [] 65 | for protocol in self.__protocols: 66 | protodef = SAMRDump.KNOWN_PROTOCOLS[protocol] 67 | port = protodef[1] 68 | 69 | print "Trying protocol %s..." % protocol 70 | rpctransport = transport.SMBTransport(addr, port, r'\samr', self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) 71 | 72 | try: 73 | entries = self.__fetchList(rpctransport) 74 | except Exception, e: 75 | print 'Protocol failed: %s' % e 76 | raise 77 | else: 78 | # Got a response. No need for further iterations. 79 | break 80 | 81 | 82 | # Display results. 83 | 84 | for entry in entries: 85 | (username, uid, user) = entry 86 | base = "%s (%d)" % (username, uid) 87 | print base + '/Enabled:', ('false', 'true')[user.is_enabled()] 88 | print base + '/Last Logon:', user.get_logon_time() 89 | print base + '/Last Logoff:', user.get_logoff_time() 90 | print base + '/Kickoff:', user.get_kickoff_time() 91 | print base + '/Last PWD Set:', user.get_pwd_last_set() 92 | print base + '/PWD Can Change:', user.get_pwd_can_change() 93 | print base + '/PWD Must Change:', user.get_pwd_must_change() 94 | print base + '/Group id: %d' % user.get_group_id() 95 | print base + '/Bad pwd count: %d' % user.get_bad_pwd_count() 96 | print base + '/Logon count: %d' % user.get_logon_count() 97 | items = user.get_items() 98 | for i in samr.MSRPCUserInfo.ITEMS.keys(): 99 | name = items[samr.MSRPCUserInfo.ITEMS[i]].get_name() 100 | name = name.encode(encoding, 'replace') 101 | print base + '/' + i + ':', name 102 | 103 | if entries: 104 | num = len(entries) 105 | if 1 == num: 106 | print 'Received one entry.' 107 | else: 108 | print 'Received %d entries.' % num 109 | else: 110 | print 'No entries received.' 111 | 112 | 113 | def __fetchList(self, rpctransport): 114 | dce = dcerpc.DCERPC_v5(rpctransport) 115 | 116 | encoding = sys.getdefaultencoding() 117 | entries = [] 118 | 119 | dce.connect() 120 | dce.bind(samr.MSRPC_UUID_SAMR) 121 | rpcsamr = samr.DCERPCSamr(dce) 122 | 123 | try: 124 | resp = rpcsamr.connect() 125 | if resp.get_return_code() != 0: 126 | raise ListUsersException, 'Connect error' 127 | 128 | _context_handle = resp.get_context_handle() 129 | resp = rpcsamr.enumdomains(_context_handle) 130 | if resp.get_return_code() != 0: 131 | raise ListUsersException, 'EnumDomain error' 132 | 133 | domains = resp.get_domains().elements() 134 | 135 | print 'Found domain(s):' 136 | for i in range(0, resp.get_entries_num()): 137 | print " . %s" % domains[i].get_name() 138 | 139 | print "Looking up users in domain %s" % domains[0].get_name() 140 | resp = rpcsamr.lookupdomain(_context_handle, domains[0]) 141 | if resp.get_return_code() != 0: 142 | raise ListUsersException, 'LookupDomain error' 143 | 144 | resp = rpcsamr.opendomain(_context_handle, resp.get_domain_sid()) 145 | if resp.get_return_code() != 0: 146 | raise ListUsersException, 'OpenDomain error' 147 | 148 | domain_context_handle = resp.get_context_handle() 149 | resp = rpcsamr.enumusers(domain_context_handle) 150 | if resp.get_return_code() != 0 and resp.get_return_code() != 0x105: 151 | raise ListUsersException, 'OpenDomainUsers error' 152 | 153 | done = False 154 | while done is False: 155 | for user in resp.get_users().elements(): 156 | uname = user.get_name().encode(encoding, 'replace') 157 | uid = user.get_id() 158 | 159 | r = rpcsamr.openuser(domain_context_handle, uid) 160 | print "Found user: %s, uid = %d" % (uname, uid) 161 | 162 | if r.get_return_code() == 0: 163 | info = rpcsamr.queryuserinfo(r.get_context_handle()).get_user_info() 164 | entry = (uname, uid, info) 165 | entries.append(entry) 166 | c = rpcsamr.closerequest(r.get_context_handle()) 167 | 168 | # Do we have more users? 169 | if resp.get_return_code() == 0x105: 170 | resp = rpcsamr.enumusers(domain_context_handle, resp.get_resume_handle()) 171 | else: 172 | done = True 173 | except ListUsersException, e: 174 | print "Error listing users: %s" % e 175 | 176 | dce.disconnect() 177 | 178 | return entries 179 | 180 | 181 | # Process command-line arguments. 182 | if __name__ == '__main__': 183 | print version.BANNER 184 | 185 | parser = argparse.ArgumentParser() 186 | 187 | parser.add_argument('target', action='store', help='[domain/][username[:password]@]
') 188 | parser.add_argument('protocol', choices=SAMRDump.KNOWN_PROTOCOLS.keys(), nargs='?', default='445/SMB', help='transport protocol (default 445/SMB)') 189 | 190 | group = parser.add_argument_group('authentication') 191 | 192 | group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') 193 | if len(sys.argv)==1: 194 | parser.print_help() 195 | sys.exit(1) 196 | 197 | options = parser.parse_args() 198 | 199 | import re 200 | 201 | domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(options.target).groups('') 202 | 203 | if domain is None: 204 | domain = '' 205 | 206 | dumper = SAMRDump(options.protocol, username, password, domain, options.hashes) 207 | dumper.dump(address) 208 | -------------------------------------------------------------------------------- /userlist: -------------------------------------------------------------------------------- 1 | 4Dgifts 2 | EZsetup 3 | OutOfBox 4 | ROOT 5 | adm 6 | admin 7 | administrator 8 | anon 9 | auditor 10 | avahi 11 | avahi-autoipd 12 | backup 13 | bbs 14 | bin 15 | checkfs 16 | checkfsys 17 | checksys 18 | cmwlogin 19 | couchdb 20 | daemon 21 | dbadmin 22 | demo 23 | demos 24 | diag 25 | distccd 26 | dni 27 | fal 28 | fax 29 | ftp 30 | games 31 | gdm 32 | gnats 33 | gopher 34 | gropher 35 | guest 36 | haldaemon 37 | halt 38 | hplip 39 | informix 40 | install 41 | irc 42 | kernoops 43 | libuuid 44 | list 45 | listen 46 | lp 47 | lpadm 48 | lpadmin 49 | lynx 50 | mail 51 | man 52 | me 53 | messagebus 54 | mountfs 55 | mountfsys 56 | mountsys 57 | news 58 | noaccess 59 | nobody 60 | nobody4 61 | nuucp 62 | nxpgsql 63 | operator 64 | oracle 65 | popr 66 | postgres 67 | postmaster 68 | printer 69 | proxy 70 | pulse 71 | rfindd 72 | rje 73 | root 74 | rooty 75 | saned 76 | service 77 | setup 78 | sgiweb 79 | sigver 80 | speech-dispatcher 81 | sshd 82 | sym 83 | symop 84 | sync 85 | sys 86 | sysadm 87 | sysadmin 88 | sysbin 89 | syslog 90 | system_admin 91 | trouble 92 | udadmin 93 | ultra 94 | umountfs 95 | umountfsys 96 | umountsys 97 | unix 98 | us_admin 99 | user 100 | uucp 101 | uucpadm 102 | web 103 | webmaster 104 | www 105 | www-data 106 | xpdb 107 | xpopr 108 | zabbix 109 | --------------------------------------------------------------------------------