The script generates a report of the external perimeter.
#!/bin/bash
###
### To get a fresh list of FQDNs go to [repo]/module/route53 and run
### cat * | grep -E "\s*name\s*=" | awk '{print $3}' | cut -d"\"" -f2 | grep -Ev "^#" | rev | cut -c2- | rev | sort -u
###
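# Argument and privilege checks.
# $1 is the FQDN list; --alive and --webserver run raw-socket nmap scans, hence root.
if [[ -z "$1" ]]; then
  echo "Usage:"
  # printf instead of `echo -e`: the tab is rendered portably and $0 is never
  # interpreted as a format string.
  printf '\t%s domains_list.txt [--alive] [--webserver]\n' "${0}"
  exit 1
fi
# "$*" joins every argument into one string, so the pattern test finds a flag
# wherever it appears on the command line.
if (( EUID != 0 )) && [[ "$*" == *"--alive"* || "$*" == *"--webserver"* ]]; then
  echo "In order to exploit required nmap functionalities, this script must be run as root."
  exit 1
fi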
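# Newline-only word splitting: later loops iterate over whole CSV rows, not fields.
IFS=$'\n'
# Work file created by mktemp (mode 0600, unpredictable name) rather than a fixed
# /tmp path, so a file or symlink planted by another local user is never followed
# or overwritten. It is removed on exit; the final report is produced from it.
_temp_csv_file=$(mktemp /tmp/DA_temp_csv_file.XXXXXX) || { echo "[-] mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$_temp_csv_file"' EXIT
_dns_server="172.16.61.2"
####
#### Add resolved IPs
####
echo "[+] Resolving FQDNs via ${_dns_server}"
#### domain -> domain, +ADD resolved IP
# Only hostname-shaped lines (letters, digits, '_', '.', '-', '*'; not starting with
# '-', '@' or '+') are handed to dig. Anything else is written out unresolved and
# reported on stderr instead of becoming a dig argument.
_fqdn_re='^[A-Za-z0-9_*][A-Za-z0-9_.*-]*$'
_ipv4_re='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
# `|| [[ -n "$i" ]]` keeps a last line that lacks a trailing newline.
while IFS= read -r i || [[ -n "$i" ]]; do
  _resolved=()
  if [[ "$i" =~ $_fqdn_re ]]; then
    # dig +short may also print CNAME targets; keep only IPv4 literals.
    mapfile -t _resolved < <(dig "$i" -t A @"${_dns_server}" +short 2>/dev/null | grep -oE "$_ipv4_re")
  else
    echo "[!] Skipping entry that is not a hostname: ${i}" >&2
  fi
  if (( ${#_resolved[@]} > 0 )); then
    for l in "${_resolved[@]}"; do
      printf '%s,%s\n' "$i" "$l"
    done
  else
    printf '%s,\n' "$i"
  fi
done < "${1}" > "$_temp_csv_file"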
####
#### Add ip range owner
####
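#######################################
# Appends the owner tag ${1} to every CSV row whose IP column falls inside one of
# the CIDR ranges in ${2}. Rows that already contain the tag ${3} are left as they
# are. (Function name kept as-is for existing callers.)
# In order to properly run, this function requires 'grepcidr'.
# http://pc-tools.net/unix/grepcidr/
# Globals:   _temp_csv_file (read, then rewritten in place)
# Arguments: $1 - owner tag to append
#            $2 - whitespace-separated list of CIDR ranges
#            $3 - optional tag; rows containing it are skipped (may be empty)
# Outputs:   " <tag>: <match count>" on stdout
# Returns:   non-zero only if the replacement file cannot be created
#######################################
find_cird_name() {
  local _cidr_name="${1}"
  local _cidr_ranges="${2}"
  local _exclude_tags="${3}"
  local _matches_found=0
  local _row _domain _target_ip _rest _new_file
  local -a _rows=() _out=()
  # The rows are rebuilt in memory and written back once. This removes the
  # `eval` that assembled the filter pipeline and the per-row `sed -i` in which
  # the row text itself was used as a regular expression.
  mapfile -t _rows < "${_temp_csv_file}"
  for _row in "${_rows[@]}"; do
    _target_ip=""
    # Rows carrying the exclusion tag are passed through untouched.
    if [[ -z "$_exclude_tags" || "$_row" != *"$_exclude_tags"* ]]; then
      IFS=, read -r _domain _target_ip _rest <<<"$_row"
    fi
    if [[ -n "$_target_ip" ]] && printf '%s\n' "$_target_ip" | grepcidr "$_cidr_ranges" >/dev/null; then
      _row="${_row},${_cidr_name}"
      _matches_found=$((_matches_found + 1))
    fi
    _out+=("$_row")
  done
  # Write next to the work file and rename, so a partial write never replaces it.
  _new_file=$(mktemp "${_temp_csv_file}.XXXXXX") || return 1
  if (( ${#_out[@]} > 0 )); then
    printf '%s\n' "${_out[@]}" > "$_new_file"
  fi
  mv -- "$_new_file" "${_temp_csv_file}"
  echo " ${_cidr_name}: ${_matches_found}"
}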
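echo "[+] Find IP range ownership"
# The AWS range list is fetched once instead of once per call. `-f` turns an HTTP
# error into an empty result instead of an HTML error page, and an empty result is
# reported so that silently untagged AWS hosts are not mistaken for non-AWS hosts.
_aws_ip_ranges_json=$(curl -fs https://ip-ranges.amazonaws.com/ip-ranges.json 2>/dev/null)
if [[ -z "$_aws_ip_ranges_json" ]]; then
  echo "[!] Could not download the AWS IP range list; AWS_* ownership will not be tagged" >&2
fi
_ipv4_cidr_re="[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}"
# In the JSON each "ip_prefix" line precedes its "region" line, hence `grep -B1`.
_aws_frankfurt_ranges=$(printf '%s\n' "$_aws_ip_ranges_json" | grep -E "region.*eu-central-1" -B1 | grep ip_pr | grep -Eo "$_ipv4_cidr_re" | tr "\n" " ")
_aws_all_ranges=$(printf '%s\n' "$_aws_ip_ranges_json" | grep -E "region" -B1 | grep ip_pr | grep -Eo "$_ipv4_cidr_re" | tr "\n" " ")
find_cird_name "SUSE" "195.135.220.0/22 91.193.113.0/24 195.250.132.144/29 193.86.92.176/28 82.113.59.96/28" ""
find_cird_name "AWS_FRANKFURT" "$_aws_frankfurt_ranges" ""
# Rows already tagged AWS_FRANKFURT are excluded so they are not tagged twice.
find_cird_name "AWS_NOT_FRANKFURT" "$_aws_all_ranges" "AWS_FRANKFURT"
find_cird_name "INTERNAL" "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8" ""
find_cird_name "NOVEL-MFI" "137.65.0.0/16 151.155.28.0/17 149.44.0.0/16 147.2.0.0/16 164.99.0.0/16 130.57.0.0/16 192.31.114.0/24 69.7.179.0/24 150.215.214.0/24 151.155.0.0/16 159.253.243.0/26 159.253.243.60/26" ""
##### Add empty column to IPs with no owner
# "domain,"      -> "domain,,"   (no IP, no owner)
# "domain,1.2.3.4" -> "domain,1.2.3.4,"  (IP but no owner)
sed -i "s/,$/,,/g" "$_temp_csv_file"
sed -i -E "s/([0-9]$)/\1,/g" "$_temp_csv_file"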
####
#### Check if host is alive with nmap
####
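if [[ "$*" == *"--alive"* ]]; then
  echo "[+] Check alive hosts"
  printf ' '
  _matches_found=0
  # The CSV is rebuilt in memory and written back once: no per-row `sed -i` that
  # uses the row text as a regex. Only rows with an IP are probed; the rest pass
  # through unchanged.
  mapfile -t _rows < "$_temp_csv_file"
  _out=()
  for i in "${_rows[@]}"; do
    IFS=, read -r _domain _target_ip _rest <<<"$i"
    if [[ -n "$_target_ip" ]]; then
      # ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request (SUDO/root)
      # TCP SYN to port 443, TCP ACK to port 80 (unprivileged user)
      if sudo nmap -sn "$_target_ip" 2>/dev/null | grep -q "1 host up"; then
        i="${i},yes"
        _matches_found=$((_matches_found + 1))
        printf '.'
      else
        i="${i},no"
      fi
    fi
    _out+=("$i")
  done
  if (( ${#_out[@]} > 0 )); then
    printf '%s\n' "${_out[@]}" > "$_temp_csv_file"
  fi
  echo ""
  echo " Alive hosts: ${_matches_found}"
  ##### Add empty column to domain with no ip
  sed -i "s/,$/,,/g" "$_temp_csv_file"
fi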
####
#### Find listening webserver with nmap
####
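if [[ "$*" == *"--webserver"* ]]; then
  echo "[+] Search web-servers"
  printf ' '
  _matches_found=0
  _web_ports="80,8000,8080,8088,8888,443,8443,1443,11443"
  # Same in-memory rebuild as the alive check: no per-row `sed -i` with the row
  # text used as a regex; rows without an IP pass through unchanged.
  mapfile -t _rows < "$_temp_csv_file"
  _out=()
  for i in "${_rows[@]}"; do
    IFS=, read -r _domain _target_ip _rest <<<"$i"
    if [[ -n "$_target_ip" ]]; then
      # Grepable output: a "Host ... open" line means at least one listed port answered.
      if sudo nmap -p "$_web_ports" -sS "$_target_ip" -Pn -oG /dev/stdout 2>/dev/null | grep -v "Status" | grep -qE "^Host.*open"; then
        i="${i},yes"
        _matches_found=$((_matches_found + 1))
        printf '.'
      else
        i="${i},no"
      fi
    fi
    _out+=("$i")
  done
  if (( ${#_out[@]} > 0 )); then
    printf '%s\n' "${_out[@]}" > "$_temp_csv_file"
  fi
  echo ""
  echo " Webserver found: ${_matches_found}"
  ##### Add empty column to domain with no ip
  sed -i "s/,$/,,/g" "$_temp_csv_file"
fi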
####
#### Moving final report
####
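# Add CSV Header
_output_file="Perimeter_Report_$(date +%m-%d-%Y_%H-%M-%S).csv"
# The header is written explicitly so an empty result set still yields a valid CSV
# (`sed '1 i'` produces nothing on an empty file).
{
  printf '%s\n' 'Domain,IP,IP Owner,Host Alive,Webserver'
  cat -- "$_temp_csv_file"
} > "./${_output_file}"
# The report is data, not a program, and must not be writable by every local user:
# owner read/write, everyone else read-only (the previous 766 was world-writable
# and carried an execute bit).
chmod 0644 "./${_output_file}"
rm -f -- "$_temp_csv_file"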