Skip to content

Instantly share code, notes, and snippets.

@freb
Last active Jun 19, 2019
Embed
What would you like to do?
Bash functions for pentest tool output
nmap-uphosts() {
FILE=`realpath $1`
echo "
from lxml import etree
t = etree.parse('$FILE')
if \"-Pn\" in t.xpath(\"string(@args)\"): # port scan
hosts = t.xpath(\"/*/host[ports/port/state[@state='open']]/address[@addrtype='ipv4']/@addr\")
else: # ping scan
hosts = t.xpath(\"/*/host[status[@state='up']]/address[@addrtype='ipv4']/@addr\")
print(' '.join(hosts))
" | python
}
nmap-downhosts() {
FILE=`realpath $1`
echo "
from lxml import etree
t = etree.parse('$FILE')
if \"-Pn\" in t.xpath(\"string(@args)\"): # port scan
hosts = t.xpath(\"/*/host[not(ports/port/state[@state='open'])]/address[@addrtype='ipv4']/@addr\")
else: # ping scan
hosts = t.xpath(\"/*/host[status[@state='down']]/address[@addrtype='ipv4']/@addr\")
print(' '.join(hosts))
" | python
}
nmap-openports() {
FILE=`realpath $1`
python -c \
"from lxml import etree; \
t = etree.parse('$FILE'); \
tcp = t.xpath(\"//state[@state='open']/parent::port[@protocol='tcp']/@portid\"); \
tcp = list(set(tcp)); \
udp = t.xpath(\"//state[@state='open']/parent::port[@protocol='udp']/@portid\"); \
udp = list(set(udp)); \
tcp = sorted(tcp, key=lambda x: int(x)); \
udp = sorted(udp, key=lambda x: int(x)); \
print('T:'+','.join(tcp)+',U:'+','.join(udp)); "
}
nmap-scope() {
FILE=`realpath $1`
echo "
from lxml import etree
t = etree.parse('$FILE')
hosts = t.xpath(\"//state[@state='open']/ancestor::host/address[@addrtype='ipv4']/@addr\")
for h in hosts:
tcpports = t.xpath(\"//host[address/@addr='%s']/ports/port[@protocol='tcp' and state[@state='open']]/@portid\" % h)
udpports = t.xpath(\"//host[address/@addr='%s']/ports/port[@protocol='udp' and state[@state='open']]/@portid\" % h)
tcp = [\"%s/tcp\" % t for t in tcpports]
udp = [\"%s/tcp\" % u for u in udpports]
print(\"%s: %s\" % (h, \", \".join(tcp + udp)))
" | python
}
nmap-topports-tcp() {
echo "T:$(
sudo nmap -oX - -sS --top-ports $1 2>&1 |
xmllint --xpath 'string(//scaninfo/@services)' -
)"
}
nmap-topports-udp() {
echo "U:$(
sudo nmap -oX - -sU --top-ports $1 2>&1 |
xmllint --xpath 'string(//scaninfo/@services)' -
)"
}
# Return the round trip time to a tcp port in microseconds: portrrt host port
nmap-rtt() {
if [ $# -lt 2 ]; then
echo "Usage: portrrt host port"
return
fi
echo "$(
nmap -sT -Pn -n -p$2 -d3 $1 | grep "Final times for host:" | awk '{print $6/1000}'
)"
}
# Get SSL cert (for any host/port)
# nmap and other SSL tools only like to give you the cert if the service behind
# it can be detected. This uses OpenSSL to get the cert from any host/port
# use: host:port...
pt-ssl-cert() {
for host in "$@";
do
echo "Certicicate ($host):"
echo | \
openssl s_client -showcerts -servername "$host" -connect "$host" 2>/dev/null | \
openssl x509 -inform pem -noout -text | \
grep 'Issuer\|Subject\|Public Key\|Public-Key\|Signature Algorithm' | \
sed -e 's/^[[:space:]]*//'
echo
done
}
pt-ssl-cert-all() {
for host in "$@";
do
echo | \
openssl s_client -showcerts -servername "$host" -connect "$host" 2>/dev/null | \
openssl x509 -inform pem -noout -text
done
}
ssllabs-scan-protocols() {
FILE=`realpath $1`
echo "
import json
with open('$FILE') as f:
j = json.load(f)
for h in j:
print('Host:', h['host'])
print('Protocols:')
for e in h['endpoints']:
for p in e['details']['protocols']:
print('\t {} {}'.format(p['name'], p['version']))
print()
" | python
}
ssllabs-scan-weak-ciphers() {
FILE=`realpath $1`
echo "
import json
with open('$FILE') as f:
j = json.load(f)
for h in j:
print('Host:', h['host'])
print('Weak Ciphers:')
for e in h['endpoints']:
for s in e['details']['suites']['list']:
if int(s['cipherStrength']) < 128:
print('\t {} {}'.format(s['cipherStrength'], s['name']))
print()
" | python
}
nessus-openports() {
FILE=`realpath $1`
python -c \
"from lxml import etree; \
t = etree.parse('$FILE'); \
tcp = t.xpath(\"//Report/ReportHost/ReportItem[@port!='0' and @protocol='tcp']/@port\"); \
tcp = list(set(tcp)); \
udp = t.xpath(\"//Report/ReportHost/ReportItem[@port!='0' and @protocol='udp']/@port\"); \
udp = list(set(udp)); \
tcp = sorted(tcp, key=lambda x: int(x)); \
udp = sorted(udp, key=lambda x: int(x)); \
print('T:'+','.join(tcp)+',U:'+','.join(udp)); "
}
nessus-summary() {
FILE=`realpath $1`
echo "
from lxml import etree
t = etree.parse('$FILE')
name = t.xpath('//Report/@name')[0]
print('name: {}'.format(name))
policy = t.xpath('//Policy/policyName/text()')[0]
print('policy: {}'.format(policy))
targets = t.xpath('//preference/name[text() = \'TARGET\']/../value/text()')[0]
print('targets: {}'.format(targets))
lows = t.xpath('//ReportItem[@severity = 1]')
meds = t.xpath('//ReportItem[@severity = 2]')
highs = t.xpath('//ReportItem[@severity = 3]')
print('lows:', len(lows))
for i in lows:
ip = i.xpath('../HostProperties/tag[@name=\'host-ip\']/text()')[0]
print(' {}:{}\t{}'.format(ip, i.xpath('@port')[0], i.xpath('@pluginName')[0]))
print('meds:', len(meds))
for i in meds:
ip = i.xpath('../HostProperties/tag[@name=\'host-ip\']/text()')[0]
print(' {}:{}\t{}'.format(ip, i.xpath('@port')[0], i.xpath('@pluginName')[0]))
print('highs:', len(highs))
for i in highs:
ip = i.xpath('../HostProperties/tag[@name=\'host-ip\']/text()')[0]
print(' {}:{}\t{}'.format(ip, i.xpath('@port')[0], i.xpath('@pluginName')[0]))
" | python
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment