├── README ├── email ├── decode_logs.rb ├── message.txt └── sendmail.rb ├── nessus_scripts ├── README └── nessus_http_api.rb ├── parsers └── sslscan │ └── parse_sslscan_weak_keys.rb ├── scanners └── heartbleed-vuln-scanner.rb └── validate ├── dns └── dns_hostname_bind_disclosure.rb └── ssh └── ssh_weak_mac_algos.rb /README: -------------------------------------------------------------------------------- 1 | A collection of useful scripts for penetration testers 2 | -------------------------------------------------------------------------------- /email/decode_logs.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | require 'base64' 3 | 4 | unless ARGV.length > 0 5 | puts "USAGE: ./parselogs.rb [apache-access.log]\r\n\r\n" 6 | exit! 7 | end 8 | 9 | def clean_line(line) 10 | if line.include?('id=') 11 | first = line.split('id=')[0] 12 | second = line.split('id=')[1] 13 | junk = second.split(" ") 14 | junk[0] = Base64.decode64(junk[0]) 15 | second = "id=" 16 | junk.each { |element| second << element.to_s.chomp + " " } 17 | return first + second 18 | else 19 | return line 20 | end 21 | end 22 | 23 | File.open(ARGV[0], 'r').each_line do |line| 24 | puts clean_line(line) 25 | end 26 | -------------------------------------------------------------------------------- /email/message.txt: -------------------------------------------------------------------------------- 1 | From: #{display_from} <#{from}> 2 | To: #{to} 3 | MIME-Version: 1.0 4 | Content-Type: text/html 5 | Subject: #{subject} 6 | 7 | This is a test email 8 |
9 | From, 10 |
11 | The Phisher 12 | 13 | -------------------------------------------------------------------------------- /email/sendmail.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | # This script takes a .txt file as an argument. It will iterate through each emailaddress 3 | # in the file and send an email to each target 4 | # Authors: zeknox & R3dy 5 | ########################################################################## 6 | require 'net/smtp' 7 | require 'base64' 8 | 9 | username = 'greg.olson@issds.com' 10 | password = 'password' 11 | from = 'greg.olson@issds.com' 12 | display_from = 'Greg Olson' 13 | subject = 'Microsoft Security Update' 14 | date = 'Thursday, January 18, 2013' 15 | url = 'www.example.com/index.php?' 16 | smtp = 'secureserver.net' 17 | smtpout = 'smtpout.secureserver.net' 18 | port = '3535' 19 | message = [] 20 | 21 | def sendemail(username, password, from, message, email, port, smtpout, smtp) 22 | # code to send email 23 | begin 24 | Net::SMTP.start("#{smtpout}", "#{port}", "#{smtp}","#{username}", "#{password}", :plain) do |smtp| 25 | smtp.send_message message, "#{from}", email.chomp 26 | end 27 | puts "\tSent to: #{email}" 28 | rescue => e 29 | puts "\tIssues Sending to: #{email}\r\n#{e.class}\r\n#{e}" 30 | end 31 | end 32 | 33 | unless ARGV.length == 2 34 | puts "./sendmail.rb \n" 35 | exit! 36 | else 37 | emails = File.open(ARGV[0], 'r') 38 | end 39 | 40 | count = 1 41 | puts "Sending Emails:" 42 | emails.each_line do |email| 43 | message = [] 44 | # base64 encode email address 45 | encode = "#{Base64.encode64("#{email}")}" 46 | 47 | email_message = File.open(ARGV[1], 'r') 48 | email_message.each_line do |line| 49 | if line =~ /\#{url}/ 50 | message << line.gsub(/\#{url}/, "#{url}#{encode.chomp}") 51 | elsif line =~ /\#{to}/ 52 | message << line.gsub(/\#{to}/, "#{email.chomp}") 53 | elsif line =~ /\#{from}/ and line =~ /\#{display_from}/ 54 | message << line.gsub(/\#{display_from} <\#{from}>/, "#{display_from} <#{from}>") 55 | elsif line =~ /\#{display_from}/ and not line =~ /\#{from}/ 56 | message << line.gsub(/\#{display_from}/, "#{display_from}") 57 | elsif line =~ /\#{subject}/ 58 | message << line.gsub(/\#{subject}/, "#{subject}") 59 | elsif line =~ /\#{date}/ 60 | message << line.gsub(/\#{date}/, "#{date}") 61 | else 62 | message << line 63 | end 64 | end 65 | email_message.close 66 | 67 | text = message.join 68 | 69 | # send emails 70 | sendemail(username, password, from, text, email, port, smtpout, smtp) 71 | end 72 | 73 | # close files 74 | emails.close 75 | -------------------------------------------------------------------------------- /nessus_scripts/README: -------------------------------------------------------------------------------- 1 | This repository is a collection of useful nessus scripts that will help assist on penetration tests 2 | 3 | This script accepts a file of IP addresses to be used for external testing. 4 | The file is parsed and nmap run against the targets on off hours creating 5 | output files which are uploaded to nessus. Nessus scans are then kicked 6 | off and when done results are emailed back to the user. 7 | 8 | Usage: ruby nessus_http_api.rb [options] 9 | -v, --verbose Output more information 10 | -n, --server IP The IP address of the Nessus server 11 | --port PORT The port of the Nessus server 12 | -u, --username USER Username of Nessus account 13 | -p, --password PASS Password to Nessus account 14 | -c, --client CLIENTNAME The name of the client 15 | -e, --email EMAIL The email to return results to 16 | -s, --sleep Sleep tille 6pm 17 | -a, --attach Attaches the Nessus file to email 18 | -h, --help Display this screen 19 | 20 | -------------------------------------------------------------------------------- /nessus_scripts/nessus_http_api.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/ruby -w 2 | ############################################################################## 3 | # Usage: ruby nessus_http_api.rb 4 | # 5 | # This script accepts a file of IP addresses to be used for external testing. 6 | # The file is parsed and nmap run against the targets on off hours creating 7 | # output files which are uploaded to nessus. Nessus scans are then kicked 8 | # off and when done results are emailed back to the user. 9 | # 10 | # Written by smilingraccoon@gmail.com 11 | ############################################################################## 12 | require 'uri' 13 | require 'net/https' 14 | require 'net/smtp' 15 | require 'openssl' 16 | require 'optparse' 17 | 18 | ## Constant variables, change as you see fit 19 | MAIL_SERVER = 'smtp.comcast.net' 20 | FROMEMAIL = 'scans@domain.com' 21 | BOUNDARY = "---------------------------BOUNDARY--1234567890" 22 | 23 | # require program to run as root 24 | if ENV["USER"] != "root" 25 | puts "\n[-] Must run as root\n\n" 26 | exit 27 | end 28 | 29 | options = {} 30 | optparse = OptionParser.new do |opts| 31 | opts.banner = "\r\nhttp://www.pentestgeek.com/ - Written by smilingraccoon and Zeknox\r\n\r\n" 32 | opts.banner += "Usage: ruby nessus_http_api.rb [options] \r\n" 33 | opts.banner += "Example: nessus_http_api.rb -u root -p toor -c pentestgeek.com -e smilingraccoon@gmail.com targets.txt\r\n\r\n" 34 | options[:server] = "https://127.0.0.1:8834/" 35 | options[:port] = "8834" 36 | options[:username] = "root" 37 | options[:password] = nil 38 | options[:client] = "Clientname" 39 | # Removes sleep till off hours and displays HTTP reponse codes 40 | options[:verbose] = false 41 | options[:sleep] = false 42 | options[:email] = nil 43 | options[:policy] = "Internal Network Scan" 44 | options[:attachment] 45 | 46 | opts.on( '-v', '--verbose', 'Output more information' ) do 47 | options[:verbose] = true 48 | end 49 | 50 | opts.on( '-n', '--server IP', 'The IP address of the Nessus server' ) do |url| 51 | options[:server] = "https://" + url + ":8834/" 52 | end 53 | 54 | opts.on( '--port PORT', 'The port of the Nessus server' ) do |url| 55 | options[:port] = "https://" + url + ":8834/" 56 | end 57 | 58 | opts.on( '-u', '--username USER', 'Username of Nessus account' ) do |user| 59 | options[:username] = user 60 | end 61 | 62 | opts.on( '-p', '--password PASS', 'Password to Nessus account' ) do |pass| 63 | options[:password] = pass 64 | end 65 | 66 | opts.on( '-c', '--client CLIENTNAME', 'The name of the client' ) do |client| 67 | options[:client] = client 68 | end 69 | 70 | opts.on( '-e', '--email EMAIL', 'The email to return results to' ) do |email| 71 | options[:email] = email 72 | end 73 | 74 | opts.on( '-s', '--sleep', 'Sleep tille 6pm' ) do 75 | options[:sleep] = true 76 | end 77 | 78 | opts.on( '-a', '--attach', 'Attaches the Nessus file to email' ) do 79 | options[:attachment] = true 80 | end 81 | 82 | opts.on_tail( '-h', '--help', 'Display this screen' ) do 83 | puts opts 84 | exit 85 | end 86 | 87 | opts.parse! 88 | end 89 | 90 | # make sure argument was passed to script 91 | unless ARGV.length > 0 92 | puts "Usage: ruby nessus_http_api.rb " 93 | exit! 94 | else 95 | log = '' 96 | targetFile = File.new(ARGV[0], "r") 97 | targetList = targetFile.read 98 | log << "Target list is: \n#{targetList}" 99 | end 100 | 101 | def make_connection (req, options) 102 | attempts = 0 103 | begin 104 | response = $https.request(req) 105 | rescue Exception 106 | attempts = attempts + 1 107 | puts "\n[-] Connect could not be established...retrying" 108 | retry unless attempts > 2 109 | puts "\n[-] Cannot connect, check #{options[:server]}" unless attempts < 2 110 | exit 111 | end 112 | print response if options[:verbose] 113 | return response 114 | end 115 | 116 | # Grab directory name to be used in naming files 117 | #customerName = /201[2-9]\/(.*?)\/.*/.match(File.absolute_path(targetFile))[1] 118 | # Sleep till off hours 119 | def delay_start() 120 | time = Time.new 121 | if time.hour < 17 122 | puts "Sleeping until off hours...#{17 - time.hour}:#{sprintf("%02d",60 - time.min)} to go" 123 | sleep 3600*(17 - time.hour) - 60*(time.min) 124 | end 125 | end 126 | 127 | def time() 128 | Time.new 129 | end 130 | 131 | # Kick off nmap scans 132 | def execute_nmap(targetFile, client) 133 | begin 134 | time = time() 135 | nmapStart = time.inspect 136 | dir = ""+File.absolute_path(targetFile).chomp(File.basename(targetFile)) 137 | targetFile.close 138 | system("if [ ! -d \"#{dir}nmap\" ]; then mkdir #{dir}nmap; fi") 139 | system("nmap --open -sT -n -r -vvv -P0 -oA #{dir}nmap/#{client+".log"} -iL #{File.absolute_path(targetFile)}") 140 | nmapScan = "#{dir}nmap/#{client}.log.xml" 141 | time = time() 142 | nmapDone = time.inspect 143 | return nmapStart, nmapDone, nmapScan, dir 144 | rescue 145 | puts "[-] We had issues running nmap" 146 | puts "[-] Exiting program" 147 | exit! 148 | end 149 | end 150 | 151 | # method to login to nessus and obtain a token 152 | def nessus_login(log, options) 153 | begin 154 | # Parses URL 155 | url = URI.parse(options[:server]) 156 | # Make HTTP post request to login page. 157 | req = Net::HTTP::Post.new(url.path + "login") 158 | # Set post data to login information. 159 | req.set_form_data({ "login" => options[:username], "password" => options[:password] }) 160 | # Creates HTTPS for communication 161 | $https = Net::HTTP.new( url.host, url.port ) 162 | $https.use_ssl = true 163 | $https.verify_mode = OpenSSL::SSL::VERIFY_NONE 164 | # Makes the connection to nessus and logs in. Return data from server is parse to acquire token. 165 | response = make_connection(req, options) 166 | token = /(.*)<\/token>/.match(response.body)[1] 167 | log << "Token is: #{token}\n" 168 | # Makes new req to get policy list 169 | req = Net::HTTP::Post.new(url.path + "policy/list") 170 | req.set_form_data({ "token" => token }) 171 | return req, url, token 172 | rescue Exception => e 173 | puts e.message 174 | puts "[-] We had issues logging into nessus" 175 | puts "[-] Exiting program" 176 | exit! 177 | end 178 | end 179 | 180 | # Sleep till off hours 181 | delay_start if options[:sleep] 182 | 183 | # run nmap against targetFile 184 | puts "[+] Executing nmap against hosts" 185 | nmapStart, nmapDone, nmapScan, dir = execute_nmap(targetFile, options[:client]) 186 | puts "\n[+] Completed executing nmap against hosts" 187 | 188 | # login to nesus with credentials 189 | puts "[+] Logging into Nessus with crednetials" 190 | req, url, token = nessus_login(log, options) 191 | 192 | policyID = '' 193 | # Grabs the policy, iterate the lines and looks for the policy name. 194 | # When found sets previous policyID to var to be used when policy id is required by nessus. 195 | make_connection(req, options).body.each_line do |line| 196 | next unless line =~ /policyID|policyName/ 197 | if line =~ /policyID/ 198 | policyID = /(.*)<\/policyID>/.match(line)[1] 199 | else 200 | policyName = /(.*)<\/policyName>/.match(line)[1] 201 | if policyName == options[:policy] 202 | break 203 | end 204 | end 205 | end 206 | 207 | # Makes new req to upload the XML file from nmap 208 | req = Net::HTTP::Post.new(url.path + "file/upload") 209 | 210 | # Creates the body of the HTTPS request and sets proper HTTP content parameters for file 211 | 212 | post_body = [] 213 | post_body << "--#{BOUNDARY}\r\n" 214 | post_body << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{File.basename(nmapScan)}\"\r\n" 215 | post_body << "Content-Type: text/xml\r\n" 216 | post_body << "\r\n" 217 | post_body << File.read(nmapScan) 218 | post_body << "\r\n--#{BOUNDARY}--\r\n" 219 | 220 | # Adding parameters to the HTTP header 221 | req["Content-Type"] = "multipart/form-data; boundary=#{BOUNDARY}" 222 | req["Cookie"] = "token=#{token}" 223 | req.body = post_body.join 224 | 225 | #req.each_header {|key,value| puts "#{key} = #{value}"} 226 | make_connection(req, options) 227 | 228 | # Download a copy of the report 229 | req = Net::HTTP::Post.new(url.path + "policy/download") 230 | req.set_form_data({ "token" => token, "policy_id" => policyID }) 231 | 232 | # Set up parameters to pull correct policy 233 | policySettings = {} 234 | policySettings["token"] = token 235 | policySettings["policy_id"] = policyID 236 | policySettings["policy_name"] = options[:policy] 237 | 238 | # Booleans to look for tags within the nessus configuration xml, first section is server preferences 239 | serverPreferences = true 240 | pluginPreferences = false 241 | familySelection = false 242 | individualPlugin = false 243 | tempKey = '' 244 | make_connection(req, options).body.each_line do |line| 245 | if line =~ /^<\/ServerPreferences>$/ 246 | serverPreferences = false 247 | elsif line =~ /^$/ 248 | pluginPreferences = true 249 | elsif line =~ // 250 | familySelection = true 251 | pluginPreferences = false 252 | elsif line =~ // 253 | individualPlugin = true 254 | familySelection = false 255 | end 256 | # If still in server preferences section, look for name and value and add to hash 257 | if(serverPreferences) 258 | if line =~ /.*<\/name>/ 259 | tempKey = /(.*)<\/name>/.match(line)[1] 260 | elsif line =~ /.*<\/value>/ 261 | policySettings[tempKey] = /(.*)<\/value>/.match(line)[1] 262 | end 263 | # If in plugins preferences section, look for fullName and preferenceValue and add to hash 264 | elsif(pluginPreferences) 265 | if line =~ /.*<\/fullName>/ 266 | tempKey = /(.*)<\/fullName>/.match(line)[1] 267 | elsif line =~ /.*<\/preferenceValue[s]{0,1}>/ 268 | policySettings[tempKey] = /(.*)<\/preferenceValue[s]{0,1}>/.match(line)[1] 269 | end 270 | # If in family selection section, look for FamilyName and Status and add to hash 271 | elsif(familySelection) 272 | if line =~ /.*<\/FamilyName>/ 273 | tempKey = "plugin_selection.family." + /(.*)<\/FamilyName>/.match(line)[1] 274 | elsif line =~ /.*<\/Status>/ 275 | policySettings[tempKey] = /(.*)<\/Status>/.match(line)[1] 276 | end 277 | elsif(individualPlugin) 278 | if line =~ /.*<\/PluginId>/ 279 | tempKey = "plugin_selection.individual_plugin." + /(.*)<\/PluginId>/.match(line)[1] 280 | elsif line =~ /.*<\/Status>/ 281 | policySettings[tempKey] = /(.*)<\/Status>/.match(line)[1] 282 | end 283 | end 284 | end 285 | 286 | # Makes new req to edit policy 287 | req = Net::HTTP::Post.new(url.path + "policy/edit") 288 | 289 | # Make the change to the Nmap nasl with new file. 290 | policySettings["Nmap (XML file importer)[file]:File containing XML results :"] = File.basename(nmapScan) 291 | req.set_form_data(policySettings) 292 | 293 | # Log settings used and actual URL body for edit policy 294 | nessus_log = '' 295 | policySettings.each { |key, value| nessus_log << "#{key} is #{value}\n"} 296 | log << "HTTP Request for edit is: \n#{req.body}" 297 | 298 | make_connection(req, options) 299 | 300 | targetList.tr_s('\n',',') 301 | targetList.gsub(/\s/, ",") 302 | 303 | 304 | # Setting up scan based on previously acquired policy ID and passes it nmap file name to use for report name. 305 | req = Net::HTTP::Post.new(url.path + "scan/new") 306 | req.set_form_data({ "token" => token, "policy_id" => policyID, \ 307 | "scan_name" => File.basename(nmapScan).chomp(".log.xml"), \ 308 | "target" => targetList }) 309 | 310 | time = Time.new 311 | scanStart = time.inspect 312 | uuid = '' 313 | # Starts the scan, interates response and grabs the UUID of the scan for later use. 314 | make_connection(req, options).body.each_line do |line| 315 | next unless line =~ /uuid/ 316 | uuid = /(.*)<\/uuid>/.match(line)[1] 317 | end 318 | 319 | req = Net::HTTP::Post.new(url.path + "scan/list") 320 | req.set_form_data({ "token" => token }) 321 | 322 | print "\nStarting nessus scan" 323 | # While the uuid of the scan is showing up in the scan lists sleep until it is no longer there (scan done) 324 | while (make_connection(req, options).body =~ /#{uuid}<\/uuid>/) 325 | 3.times do 326 | sleep 10 327 | print "." 328 | end 329 | end 330 | # Timestamp for when the report finished 331 | time = Time.new 332 | scanDone = time.inspect 333 | puts "\nScan done at #{scanDone}" 334 | 335 | # Download the report 336 | req = Net::HTTP::Post.new(url.path + "file/report/download") 337 | req.set_form_data({ "token" => token , "report" => uuid}) 338 | report = make_connection(req, options).body 339 | 340 | # Setting up var scope 341 | reportMsg = '' 342 | currentHost = '' 343 | hostArray = Array.new 344 | overallRating = {"critical" => 0,"high" => 0,"medium" => 0,"low" => 0,"info" => 0} 345 | rating = {"critical" => 0,"high" => 0,"medium" => 0,"low" => 0,"info" => 0} 346 | hostCount = 0 347 | portCount = 0 348 | # For the downloaded report, parse it by host and pull statistics out 349 | report.each_line do |line| 350 | # Find host IP, increase count by one, and reset the rating stats 351 | if line =~ // 352 | currentHost = //.match(line)[1] 353 | rating = {"critical" => 0,"high" => 0,"medium" => 0,"low" => 0,"info" => 0} 354 | hostCount += 1 355 | # Find end of host, write rating stats to var and re initial array of ports 356 | elsif line =~ /<\/ReportHost>/ 357 | reportMsg << "IP: #{sprintf("%15s", currentHost)}\tC: #{sprintf("%2d", rating["critical"])}\tH: #{sprintf("%2d", rating["high"])}\tM: #{sprintf("%2d", rating["medium"])}\tL: #{sprintf("%2d", rating["low"])}\tI: #{sprintf("%2d", rating["info"])}\tPorts: #{hostArray.sort.join(", ")}\n" 358 | portCount += hostArray.length 359 | hostArray = Array.new 360 | # Find line with port and finding, add port to array and rating to hashes of device and overall ratings 361 | elsif line =~ / 393 | To: Tom <#{options[:email]}> 394 | Subject: External report done for #{options[:client]} 395 | MIME-Version: 1.0 396 | Content-Type: multipart/mixed; boundary=#{BOUNDARY} 397 | 398 | --#{BOUNDARY} 399 | Content-Type: text/plain 400 | Content-Transfer-Encoding:8bit 401 | 402 | Nmap started:\t#{nmapStart} 403 | Nmap ended:\t#{nmapDone} 404 | 405 | Scan started:\t#{scanStart} 406 | Scan ended:\t#{scanDone} 407 | 408 | Hosts scanned: \t#{hostCount}\t\tPorts scanned:#{sprintf("%2d", portCount)} 409 | Total findings:\t\tC: #{sprintf("%2d", overallRating["critical"])}\tH: #{sprintf("%2d", overallRating["high"])}\tM: #{sprintf("%2d", overallRating["medium"])}\tL: #{sprintf("%2d", overallRating["low"])}\tI: #{sprintf("%2d", overallRating["info"])} 410 | 411 | #{reportMsg} 412 | EOF 413 | 414 | # Encode the report in base64 415 | encodedReport = [report].pack("m") if options[:attachment] 416 | 417 | # Build attachment section of email and attach fil e 418 | attachment =< e 438 | print "Exception occured: #{e}" 439 | end 440 | 441 | logFile = File.new("#{dir}script.log",'w') 442 | logFile.write(log) 443 | logFile.close 444 | 445 | logFile = File.new("#{dir}nessus.log",'w') 446 | logFile.write(nessus_log) 447 | logFile.close -------------------------------------------------------------------------------- /parsers/sslscan/parse_sslscan_weak_keys.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | # gems 4 | require 'nokogiri' 5 | 6 | # ensure argument has been passed 7 | unless ARGV.length == 1 8 | puts "\n\rUSAGE: ./parse_sslscan_weak_keys.rb \n\r" 9 | exit! 10 | end 11 | 12 | # load file into doc nokogiri object 13 | f = File.open(ARGV[0]) 14 | doc = Nokogiri::XML(f) 15 | f.close 16 | 17 | # display hosts with weak key 18 | doc.xpath('//document/ssltest/certificate/pk').each do |pk| 19 | if pk['bits'].to_i < 2048 20 | host = doc.xpath('/document/ssltest').first['host'] 21 | port = doc.xpath('/document/ssltest').first['port'] 22 | puts "[+] #{host}:#{port} - Weak SSL Certificate Key" 23 | end 24 | end 25 | -------------------------------------------------------------------------------- /scanners/heartbleed-vuln-scanner.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | # 3 | # heartbleed-vuln-scanner.rb 4 | # -------------------------------- 5 | # Author: Brandon McCann 6 | # -------------------------------- 7 | 8 | # ruby gems 9 | require 'nokogiri' 10 | require 'open-uri' 11 | 12 | # ensure argument has been passed 13 | unless ARGV.length == 1 14 | puts "\n\rUSAGE: ./heartbleed-vuln-scanner.rb \n\r" 15 | exit! 16 | end 17 | 18 | # make http request and parse with nokogiri 19 | def http_request(host) 20 | begin 21 | response = Nokogiri::HTML(open("http:\/\/bleed-1161785939.us-east-1.elb.amazonaws.com\/bleed\/#{host}")) 22 | display_result(response, host) 23 | rescue 24 | puts "[-] #{host}: Issues connecting to site" 25 | end 26 | end 27 | 28 | # display results to stdout 29 | def display_result(response, host) 30 | if response.to_s.include? "\"code\":0" 31 | puts "[+] #{host}: Vulnerable" 32 | else 33 | puts "[-] #{host}: Not Vulnerable" 34 | end 35 | end 36 | 37 | # read file and http request each ip 38 | File.open(ARGV[0], "r") do |f| 39 | f.each_line do |ip| 40 | http_request(ip.chomp) 41 | end 42 | end -------------------------------------------------------------------------------- /validate/dns/dns_hostname_bind_disclosure.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | # 3 | # dns_hostname_bind_disclosure.rb 4 | # -------------------------------- 5 | # Author: Brandon McCann 6 | # -------------------------------- 7 | # 8 | # attempt to obtain hostname through dns info disclosure 9 | # vulnerability 10 | 11 | # ensure argument has been passed 12 | unless ARGV.length == 1 13 | puts "\n\rUSAGE: ./dns_hostname_bind_disclosure.rb \n\r" 14 | exit! 15 | end 16 | 17 | # send dns_request 18 | def dns_request(ip) 19 | puts "[*] Testing #{ip}" 20 | system("dig @#{ip} hostname.bind chaos txt") 21 | end 22 | 23 | # greet user 24 | puts "=== Testing for DNS Hostname Info Disclosure ===\n\r" 25 | 26 | # read file and make dns request 27 | File.open(ARGV[0], "r") do |f| 28 | f.each_line do |ip| 29 | dns_request(ip.chomp) 30 | end 31 | end -------------------------------------------------------------------------------- /validate/ssh/ssh_weak_mac_algos.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | # 3 | # ssh_weak_mac_algos.rb 4 | # -------------------------------- 5 | # Author: Brandon McCann 6 | # -------------------------------- 7 | # 8 | # enumerate the list of supported ssh algos 9 | # from a list of ip addresses 10 | 11 | # ensure argument has been passed 12 | unless ARGV.length == 1 13 | puts "\n\rUSAGE: ./ssh_weak_mac_algos.rb \n\r" 14 | exit! 15 | end 16 | 17 | @weak_algos = ['hmac-md5', 'hmac-md5-96', 'hmac-sha1-96'] 18 | 19 | def parse_ssh_algos(output, ip=nil) 20 | @weak_algos.each do |algo| 21 | if output.include? algo 22 | puts "[+] #{ip} - #{algo} Enabled" 23 | end 24 | end 25 | end 26 | 27 | # send dns_request 28 | def ssh_enumeration(ip) 29 | begin 30 | puts "[*] Enumerating SSH algorithms against #{ip}" 31 | nmap_output = `nmap -p 22 -sV #{ip} --script=ssh2-enum-algos` 32 | parse_ssh_algos(nmap_output, ip) 33 | rescue SystemExit, Interrupt 34 | puts "\n\rExiting..." 35 | exit! 36 | rescue Exception => e 37 | puts "[-] Error #{ip} - #{e}" 38 | return 39 | end 40 | end 41 | 42 | # greet user 43 | puts "\n\r=== Testing for Weak SSH Algorithms ===\n\r" 44 | 45 | # read file and make dns request 46 | File.open(ARGV[0], "r") do |f| 47 | f.each_line do |ip| 48 | ssh_enumeration(ip.chomp) 49 | end 50 | end --------------------------------------------------------------------------------