#!/bin/bash | |
#__________________________________________________________ | |
# Author: phillips321 contact through phillips321.co.uk | |
# License: CC BY-SA 3.0 | |
# Use: All in one pentest script designed for bt5 | |
# Released: www.phillips321.co.uk | |
version=7.0 | |
# Dependencies: | |
# nmap | |
# sslscan | |
# gnome-web-photo | |
# arp-scan | |
# dialog | |
# amap | |
# tree | |
# glibc | |
# nfs-common | |
# xwininfo | |
# onesixtyone v0.8 (included with svn checkout) | |
# enum4linux and polenum (included with svn checkout) | |
# make sure polenum is in your path and enum4linux points to enum4linux.pl | |
# backtrack users can apt-get install sslscan gnome-web-photo arp-scan dialog tree glibc-2.10-1 nfs-common | |
# ToDo: | |
# remove index.blah from wget output | |
# add xml to output from here: http://www.pentesticles.com/2012/05/we-have-port-scans-what-now.html | |
# ensure snmp get follows correct port | |
# add ability to launch nesssus against targets | |
# check if gnome-web-photo can follow redirects | |
# fix snmptget output | |
# prevent threads from being above 50? | |
# ChangeLog: | |
# v7.0 - added MACIGNORE which removes a mac address from targets (good for VMHost MAC) | |
# - This is best added to the custom-config.conf lowercase!!! | |
# - MACIGNORE="be:ef:b0:0b:13:37" | |
# v6.8 - minor bug fixes | |
# v6.7 - added f_progressquick (used when scans<threads to allow quicker loading) | |
# v6.6 - added a sleep to end of wget (allows errors to be seen) | |
# v6.5 - added a numerical sort for IP addresses (1.0.0.99 < 1.0.0.1000) | |
# v6.4 - added echotime function to allow time to be shown easier in output | |
# - cleaned up output to console | |
# - changed progress update from 5 to 3 secs | |
# - changed sleep from 1 to ${SLEEPTIME} (default 0.2) | |
# v6.3 - improved console output and fixed a cp error(missing targets.txt) | |
# v6.2 - removed separate xterm window for THREADS
# - output to terminal now includes time | |
# v6.1 - removed more dialog usage and added time output to terminal | |
# v6.0 - removed dialog as much as possible for now | |
# v5.8 - fixed bug with mask2cidr :-) | |
# v5.7 - minor bug fixes with scansource.txt creation | |
# - have disabled f_mask2cidr due to weird bug :-( default now to /24 ping sweep
# - force wget to only attempt connection once (-t 1) | |
# v5.6 - minor bug fixes | |
# v5.5 - Improved output to scansource.txt | |
# - added nmap ping sweep to scansource.txt | |
# - this require mask2cidr function and cidr value | |
# v5.4 - added wget for all HTTP(s) ports | |
# v5.3 - stopped sslscan from scanning 3389
# v5.2 - added NMAP to title of nmap scans instead of ${OUTPUTDIR} | |
# v5.1 - fixed echo out of vlan_ports.txt at end of scan | |
# v5.0 - added separate file (custom-config.conf) for loading custom parameters.
# - create file called custom-config.conf in the same dir with your settings such as: | |
# -------------------------------------------------------- | |
# THREADS=20 | |
# NMAPUDPCUSTOMPORTS="53,69,161" | |
# MACIGNORE="be:ef:b0:0b:13:37" | |
# -------------------------------------------------------- | |
# v4.3 - outputs targets.txt and vlan_ports.txt at end of scans | |
# v4.2 - added x11 screen grab using xwininfo | |
# v4.1 - added option to create new targets.txt if it already exists | |
# v4.0 - added quick nmap scan to show some ports before main nmap scans | |
# - added timeout and retry count to amap scans -T 2 -C 1 | |
# v3.6 - removed "Os guess incomplese from open ports output" | |
# - added f_scansource to gather details of scan info | |
# - added ipcalc to scansource | |
# v3.5 - add ability to detect if 32 or 64bit architecture (for onesixtyone bin)
# v3.4 - fixed bug that didnt create SNMPCommunityStrings.txt output properly | |
# - stopped gwp from taking a photo of 3389 on ssl detection | |
# v3.3 - added custom onesixty one to scan custom ports | |
# v3.2 - fixed issue with target directory | |
# v3.1 - each host now has it's own scan folder for neatness | |
# v3.0 - replaced nbtscan with enum4linux | |
# - added enum4linux-0.8.8 and polenum-0.2 | |
# v2.9 - added 80 to custom tcp ports | |
# - removed delay after opening openports, weakciphers, etc... | |
# - scansource.txt now in outputdir as opposed to startdir | |
# v2.8 - copy targets.txt into output folder and added scansource.txt | |
# v2.7 - fixed error with snmpscan returning with "Host responded with error NO SUCH NAME" | |
# v2.6 - added nfs tree output | |
# v2.5 - fixed vlanports.txt output to remove A-Z | |
# v2.4 - added uniscan to automate some web tests | |
# v2.3 - added swaks to auto test for relay on smtp | |
# v2.2 - added option to display md5 signed certificate hashes | |
# v2.1 - fixed bug creating open_ports.txt where no ports were found (now also shows which scan size was used to create open_ports.txt) | |
# v2.0 - removed duplicate entries in open_ports.txt (see end of f_nmapscans function) | |
# - changed Cancel button to Exit | |
# - removed Cancel button from some dialog windows (such as pause and threads) | |
# - THREADS xterm window now closes when scans are completed | |
# v1.8 - fixed issue with searching for running threads | |
# - removed duplicates from SNMPCommunityStrings.txt | |
# v1.7 - deleted temp before starting scans | |
# v1.6 - Changed xterm font to make nmap windows smaller | |
# v1.5 - Fixed snmp scans (amap not identifying snmp service) | |
# v1.4 - added (n of X) scanned to progress dialog | |
# v1.3 - cleanup after nbtscan (removes scans with no response) | |
# v1.2 - added vlan_ports.txt to show all ports(TCP+UDP found (for ACL testing and import to nessus) | |
# v1.1 - made scan windows smaller using geometry 80x10 | |
# v1.0 - Can now change number of threads on the fly using the popup xterm | |
# v0.6 - COUNT++ improved on nmap scans to be more accurate | |
# v0.5 - offers to create targets.txt if it's not found
# - cleans up nmap output if scan was cancelled | |
# v0.4 - addition of custom nmap port scan | |
# v0.3 - comments on all functions | |
# v0.2 - Caught ESC/Cancel signals to quit program | |
# v0.1 - First write | |
# Program | |
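f_setdefaults(){ #defaults for running the script, optionally overridden by custom-config.conf next to the script
  # Globals written: NMAPTCP NMAPUDP NMAPQUICKPORTS NMAPTCPCUSTOMPORTS NMAPUDPCUSTOMPORTS XTERMVALS
  #   MACHINE_TYPE onesixtyone enum4linux NMAP{TCP,UDP}{ALL,DEFAULT,CUSTOM} RUN* RUNNING THREADS
  #   SLEEPTIME MACIGNORE scriptlocation
  local pentest_bin
  NMAPTCP="nmap -sS -vv -d -A -Pn -n -r -oA" # this needs to finish with -oA and cannot include -p
  NMAPUDP="nmap -sU -vv -d -A -Pn -n -r -oA" # this needs to finish with -oA and cannot include -p
  NMAPQUICKPORTS="7,13,17,19,21,22,23,25,50,53,69,80,111,123,135,137,139,161,199,443,445,500,1434,1556,2049,2301,2381,3181,3389,5353,8080,8081,8161,47001"
  NMAPTCPCUSTOMPORTS="21,22,23,25,50,80,135,139,199,443,445,1556,2301,2381,3181,3389,8080,8081,47001"
  NMAPUDPCUSTOMPORTS="7,13,17,19,53,69,111,123,135,137,161,500,1434,2049,5353,8161"
  XTERMVALS="-iconic -fn -*-*-*-*-*-*-7-*-*-*-*-*-*-* -geometry 80x10"
  MACHINE_TYPE=$(uname -m)
  # onesixtyone and enum4linux are expected in the svn checkout alongside pentest.sh on PATH;
  # when pentest.sh is not on PATH both paths end up empty (same as before, but without the sed round trip)
  pentest_bin=$(command -v pentest.sh || true)
  if [ "${MACHINE_TYPE}" = 'x86_64' ]; then
    onesixtyone=${pentest_bin/%pentest.sh/onesixtyone-0.8/onesixtyone_x64}
  else
    onesixtyone=${pentest_bin/%pentest.sh/onesixtyone-0.8/onesixtyone_x86}
  fi
  enum4linux=${pentest_bin/%pentest.sh/enum4linux-0.8.8/enum4linux.pl}
  #make sure polenum-0.2 is also in your path
  NMAPTCPALL=1 ; NMAPTCPDEFAULT=1 ; NMAPTCPCUSTOM=1
  NMAPUDPALL=0 ; NMAPUDPDEFAULT=1 ; NMAPUDPCUSTOM=1
  RUNARPSCAN=0
  RUNQUICKNMAP=0
  RUNNMAP=0
  RUNAMAP=0
  RUNSSLSCAN=0
  RUNGWP=0
  RUNSNMPSCAN=0
  RUNSNMPGET=0
  RUNENUM4LINUXSCAN=0
  RUNSWAKS=0
  RUNUNISCAN=0
  RUNNFSSCAN=0
  RUNX11GRAB=0
  RUNWGET=0
  RUNNING=0
  THREADS=10
  SLEEPTIME=0.2
  MACIGNORE="be:ef:b0:0b:13:37"
  # Load custom config from custom-config.conf in the script's own directory if it exists.
  # dirname works whatever the script file is called (the old "$0 | sed s/pentest.sh//" only did
  # when it was literally named pentest.sh). The file is sourced, i.e. run as shell code, so it
  # should only ever be writable by the user running the script.
  scriptlocation="$(dirname -- "$0")/"
  if [[ -e "${scriptlocation}custom-config.conf" ]]
  then
    echo "[+] Config file found at ${scriptlocation}"
    . "${scriptlocation}custom-config.conf"
  fi
}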
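f_main(){ #this is the main bulk of the program that calls the scans
  # Shows the scan checklist, asks for OUTPUTDIR and THREADS, then runs every selected stage in
  # dependency order (amap needs the nmap output, sslscan/gwp/snmp/smtp/nfs/x11/wget need amap output).
  # Globals written: RUN* flags, checklist, OUTPUTDIR, THREADS
  local answerfile opt
  # dialog writes the selection to fd 2; collect it in a private temp file rather than a fixed
  # /tmp/answer that any other local user could pre-create or symlink
  answerfile=$(mktemp) || { echo "[+] Error: could not create a temp file for the dialog answer" >&2 ; exit 1 ; }
  dialog --title "Scan Types" --separate-output --output-fd 2 --checklist "What do you want to run? Scan selections are dependent on the scan type above it being run first. For example, you cannot run sslscan if anamp and nmap have not been run prior." 0 0 0 \
  arpscan "run arp-scan to create targets.txt" off \
  quicknmap "run a quick nmap of the targets" on \
  nmap "nmap targets" on \
  amap "amap ports found using nmap" off \
  sslscan "sslscan targets" off \
  gwp "Take photo of web pages found?" off \
  snmpscans "Check for default SNMP community strings" off \
  snmpget "Get data from SNMP services using known strings" off \
  enum4linux "Run enum4linux against targets" off \
  smtp "connect to SMTP to check if they allow relaying of mail" off \
  uniscan "run uniscan against HTTP(s) ports" off \
  nfsscan "connect to nfs services and list contents" off \
  x11grab "get screenshot of x11 sessions" off \
  wget "run wget against HTTP(s) ports" off \
  2> "${answerfile}"
  # 1 = Cancel, 255 = ESC
  case $? in 1|255) rm -f -- "${answerfile}" ; f_exit ;; esac
  checklist=$(cat "${answerfile}")
  rm -f -- "${answerfile}"
  # --separate-output gives one tag per line; word-splitting here is intentional
  for opt in ${checklist}
  do
    case ${opt} in
      arpscan) RUNARPSCAN=1 ;;
      quicknmap) RUNQUICKNMAP=1 ;;
      nmap) RUNNMAP=1 ;;
      amap) RUNAMAP=1 ;;
      sslscan) RUNSSLSCAN=1 ;;
      gwp) RUNGWP=1 ;;
      snmpscans) RUNSNMPSCAN=1 ;;
      snmpget) RUNSNMPGET=1 ;;
      enum4linux) RUNENUM4LINUXSCAN=1 ;;
      smtp) RUNSWAKS=1 ;;
      uniscan) RUNUNISCAN=1 ;;
      nfsscan) RUNNFSSCAN=1 ;;
      x11grab) RUNX11GRAB=1 ;;
      wget) RUNWGET=1 ;;
    esac
  done
  clear
  echo -e "\e[00;32m[SETTINGS]\e[00m"
  read -p "[+] Where would you like the output to go: " -e -i "$(pwd)/output" OUTPUTDIR
  f_directorycheck
  if [ -s targets.txt ]
  then
    cp targets.txt "${OUTPUTDIR}/targets.txt"
  fi
  read -p "[+] How many threads would you like to run: " -e -i "${THREADS}" THREADS
  f_scansource
  if [ "${RUNARPSCAN}" = "1" ] ; then f_arpscan ; fi
  if [ "${RUNQUICKNMAP}" = "1" ] ; then f_quicknmap ; fi
  if [ "${RUNNMAP}" = "1" ] ; then f_nmapoptions ; f_nmapscans ; fi
  if [ "${RUNAMAP}" = "1" ] ; then f_amapscans ; fi
  if [ "${RUNSSLSCAN}" = "1" ] ; then f_sslscans ; fi
  if [ "${RUNGWP}" = "1" ] ; then f_gwp ; fi
  if [ "${RUNSNMPSCAN}" = "1" ] ; then f_snmpscan ; fi
  if [ "${RUNSNMPGET}" = "1" ] ; then f_snmpget ; fi
  if [ "${RUNENUM4LINUXSCAN}" = "1" ] ; then f_runenum4linuxscan ; fi
  if [ "${RUNSWAKS}" = "1" ] ; then f_swaksscans ; fi
  if [ "${RUNUNISCAN}" = "1" ] ; then f_uniscan ; fi
  if [ "${RUNNFSSCAN}" = "1" ] ; then f_nfsscan ; fi
  if [ "${RUNX11GRAB}" = "1" ] ; then f_x11grab ; fi
  if [ "${RUNWGET}" = "1" ] ; then f_wget ; fi
}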
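f_debug(){ #this is debug information (insert f_debug in the script to pause)
  # Dumps the current settings and counters to stdout, then waits for Enter.
  # Globals read: checklist NMAP* OUTPUTDIR THREADS RUN* COUNT NUMBER result ; reads ./targets.txt
  local scantypes
  # bare names inside $(( )) count an unset flag as 0 instead of failing with "operand expected"
  scantypes=$(( NMAPTCPDEFAULT + NMAPTCPALL + NMAPTCPCUSTOM + NMAPUDPDEFAULT + NMAPUDPALL + NMAPUDPCUSTOM ))
  printf '\e[00;32m[DEBUG]\e[00m\n'
  cat <<EOF
checklist = ${checklist}
NMAPTCPDEFAULT=${NMAPTCPDEFAULT}
NMAPTCPALL=${NMAPTCPALL}
NMAPTCPCUSTOM=${NMAPTCPCUSTOM}
NMAPTCPCUSTOMPORTS=${NMAPTCPCUSTOMPORTS}
NMAPUDPDEFAULT=${NMAPUDPDEFAULT}
NMAPUDPALL=${NMAPUDPALL}
NMAPUDPCUSTOM=${NMAPUDPCUSTOM}
NMAPUDPCUSTOMPORTS=${NMAPUDPCUSTOMPORTS}
Number of scantypes = ${scantypes}
Output directory = ${OUTPUTDIR}
Number of threads = ${THREADS}
RUNARPSCAN = ${RUNARPSCAN}
RUNQUICKNMAP = ${RUNQUICKNMAP}
RUNNMAP = ${RUNNMAP}
RUNAMAP = ${RUNAMAP}
RUNSSLSCAN = ${RUNSSLSCAN}
RUNGWP = ${RUNGWP}
RUNSNMPSCAN = ${RUNSNMPSCAN}
RUNSNMPGET = ${RUNSNMPGET}
RUNENUM4LINUXSCAN = ${RUNENUM4LINUXSCAN}
COUNT = ${COUNT}
NUMBER = ${NUMBER}
EOF
  echo "targets.txt =" ; cat targets.txt
  echo "result = ${result}"
  read -p "pause"
}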
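f_directorycheck(){ #creates OUTPUTDIR (and any missing parent) if it's not present
  # Globals read: OUTPUTDIR - must be set and non-empty; ":?" aborts instead of running mkdir on ""
  # -p makes an existing directory a no-op, so the old "if -d then sleep 0" dance is not needed
  mkdir -p -- "${OUTPUTDIR:?OUTPUTDIR is not set}"
}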
f_scansource(){ #creates scansource.txt containing network info
# Records where the scan was run from: eth0 details, the routing table, ipcalc output, an
# arp-scan of the local link and an nmap ping sweep of the local subnet. The interface
# name eth0 is hard-coded.
# Globals read: OUTPUTDIR ; written: ipaddr netmask cidr (via f_mask2cidr)
echo -e "\e[00;32m[SCANSOURCE]\e[00m"
echo "[+] Now creating scansource.txt `echotime`"
# relies on the classic ifconfig "inet addr:" / "Mask:" output layout
ipaddr=`ifconfig eth0 | grep "inet addr" | cut -d":" -f2 | cut -d" " -f1`
netmask=`ifconfig eth0 | grep "Mask" | cut -d":" -f4`
f_mask2cidr ${netmask} #cidr is now /24 /25 /23 and so on
echo "[+] Interface Details----------------" > ${OUTPUTDIR}/scansource.txt
ifconfig eth0 | sed '/^$/d' >> ${OUTPUTDIR}/scansource.txt
echo -e "\n[+] Route Details--------------------" >> ${OUTPUTDIR}/scansource.txt
route -n >> ${OUTPUTDIR}/scansource.txt
echo -e "\n[+] IPCalc Details-------------------" >> ${OUTPUTDIR}/scansource.txt
ipcalc -n -b "${ipaddr}" "${netmask}" >> ${OUTPUTDIR}/scansource.txt
echo -e "\n[+] Arp-Scan Details-----------------" >> ${OUTPUTDIR}/scansource.txt
arp-scan -l | grep -v packets | grep -v Ending | grep -v Starting | grep -v Interface | sed '/^$/d' >> ${OUTPUTDIR}/scansource.txt
echo -e "\n[+] NMAP Ping Sweep Details-----------------" >> ${OUTPUTDIR}/scansource.txt
# the ':a;N;$!ba' sed slurps the whole report and joins each "MAC Address:" line onto the host line
# before it; the scanner's own address is filtered out with grep -v "${ipaddr}"
nmap -sP "${ipaddr}/${cidr}" | grep -v "Host is up" | sed -e 's/Nmap scan report for //' | grep -v Nmap | grep -v "${ipaddr}" | sed ':a;N;$!ba;s/\nMAC Address: / /g' | sed '/^$/d' >> ${OUTPUTDIR}/scansource.txt
echo "[+] scansource.txt created `echotime`"
}
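f_mask2cidr(){ #function to turn a dotted-decimal netmask into a cidr prefix length
  # $1 - netmask such as 255.255.255.0
  # Sets the global "cidr" to the prefix length (e.g. 24). Any contiguous mask from /1 to /32 is
  # accepted now, not only the /20-/30 table the old version had; a malformed, non-contiguous or
  # all-zero mask keeps the old fallback (cidr=24 plus the message and 5s pause), so 0.0.0.0 can
  # never turn into a "/0" ping sweep in f_scansource.
  local mask=$1
  local -a octets
  local octet bits=0 rest_must_be_zero=0 valid=1
  IFS=. read -r -a octets <<<"${mask}"
  [ "${#octets[@]}" -eq 4 ] || valid=0
  for octet in "${octets[@]}"; do
    # once an octet is below 255 every later octet has to be 0 for the mask to be contiguous
    if [ "${rest_must_be_zero}" = 1 ] && [ "${octet}" != 0 ]; then valid=0 ; break ; fi
    case "${octet}" in
      255) bits=$((bits + 8)) ;;
      254) bits=$((bits + 7)) ; rest_must_be_zero=1 ;;
      252) bits=$((bits + 6)) ; rest_must_be_zero=1 ;;
      248) bits=$((bits + 5)) ; rest_must_be_zero=1 ;;
      240) bits=$((bits + 4)) ; rest_must_be_zero=1 ;;
      224) bits=$((bits + 3)) ; rest_must_be_zero=1 ;;
      192) bits=$((bits + 2)) ; rest_must_be_zero=1 ;;
      128) bits=$((bits + 1)) ; rest_must_be_zero=1 ;;
      0) rest_must_be_zero=1 ;;
      *) valid=0 ; break ;;
    esac
  done
  if [ "${valid}" = 1 ] && [ "${bits}" -ge 1 ]; then
    cidr="${bits}"
  else
    cidr="24" ; echo "[+] Error:Not able to figure out cidr from subnetmask (defaulting to /24)" ; sleep 5
  fi
}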
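f_progress(){ #outputs progress to screen and gives the user 5 seconds to change THREADS
  # $* - label printed in front of the counter
  # Globals read: COUNT NUMBER THREADS ; written: PERCENTAGE THREADSBEFORE THREADS
  # NUMBER can be 0 when a target list is empty; show 0% instead of dying on a division by zero
  if [ "${NUMBER:-0}" -gt 0 ] 2>/dev/null ; then PERCENTAGE=$(( COUNT * 100 / NUMBER )) ; else PERCENTAGE=0 ; fi
  echo -en "\e[K\r[+] ${*} - now on ${COUNT} of ${NUMBER} - ${PERCENTAGE}% | "
  THREADSBEFORE=${THREADS}
  # the 5s timeout is what paces the "wait for a free thread slot" loops in the scan functions;
  # a timeout, EOF or anything that is not a positive integer keeps the previous value, since the
  # callers feed THREADS straight into "[ ... -ge ${THREADS} ]"
  read -t 5 -p "Threads: " -e -i "${THREADSBEFORE}" THREADS || THREADS=${THREADSBEFORE}
  if ! [[ "${THREADS}" =~ ^[1-9][0-9]*$ ]] ; then THREADS=${THREADSBEFORE} ; fi
}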
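f_progressquick(){ #outputs progress to screen (uses small sleep)
  # Same as f_progress but only waits SLEEPTIME (0.2s by default) for a THREADS change, so the
  # launch loops are not held up when there are fewer scans than threads.
  # $* - label printed in front of the counter
  # Globals read: COUNT NUMBER THREADS SLEEPTIME ; written: PERCENTAGE THREADSBEFORE THREADS
  if [ "${NUMBER:-0}" -gt 0 ] 2>/dev/null ; then PERCENTAGE=$(( COUNT * 100 / NUMBER )) ; else PERCENTAGE=0 ; fi
  echo -en "\e[K\r[+] ${*} - loading${COUNT} of ${NUMBER} - ${PERCENTAGE}% | "
  THREADSBEFORE=${THREADS}
  # timeout, EOF or a non-numeric/zero answer keeps the previous value (callers compare with -ge)
  read -t "${SLEEPTIME:-0.2}" -p "Threads: " -e -i "${THREADSBEFORE}" THREADS || THREADS=${THREADSBEFORE}
  if ! [[ "${THREADS}" =~ ^[1-9][0-9]*$ ]] ; then THREADS=${THREADSBEFORE} ; fi
}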
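f_arpscan(){ #creates targets.txt with arp-scan and then lets the user edit it in nano
  # Globals read: MACIGNORE (one MAC address to drop from the results, e.g. the VM host), OUTPUTDIR
  # Writes ./targets.txt (sorted numerically by octet, duplicates removed) and copies it into OUTPUTDIR.
  # Exits the script when targets.txt already exists and the user declines to overwrite it.
  local ignore
  echo -e "\e[00;32m[ARPSCAN]\e[00m"
  if [ -s targets.txt ]
  then
    echo -e "\e[00;31m[+] Error! \e[00m targets.txt file already found"
    read -p "Do you wish to create a new file(y/n)?: " -e -i "n" ANSWER
    if [ "$(echo "${ANSWER}" | tr '[:upper:]' '[:lower:]')" == "n" ]
    then
      # was a plain echo, which printed the colour escapes literally
      echo -e "\e[00;31m[+] Exiting to prevent overwrite of targets.txt\e[00m"
      exit 0
    fi
  fi
  echo "[+] We are now scanning the local subnet for devices using arp-scan $(echotime)"
  # MACIGNORE comes from custom-config.conf, so match it as a fixed string; an empty value would
  # make "grep -v" drop every line, hence the impossible placeholder MAC
  ignore=${MACIGNORE:-"zz:zz:zz:zz:zz:zz"}
  arp-scan -l -g | grep . | grep -v -F -- "${ignore}" | cut -f1 | grep -v packets | grep -v Interface | grep -v Ending | grep -v Starting | sort -bt . -k 1,1n -k 2,2n -k 3,3n -k 4,4n | uniq > targets.txt
  echo "[+] Arp-Scan complete. Please remove IPs you dont wish to scan $(echotime)" ; sleep 3
  nano targets.txt
  cp targets.txt "${OUTPUTDIR}/targets.txt"
}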
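f_nmapoptions(){ #determines what type of nmap scans you want (interactive)
  # Shows the current TCP/UDP x Big/Default/Custom selection, lets the user toggle each one,
  # then asks for the port lists of the custom scans that are enabled.
  # Globals read/written: NMAPTCPALL NMAPTCPDEFAULT NMAPTCPCUSTOM NMAPUDPALL NMAPUDPDEFAULT NMAPUDPCUSTOM
  #                       NMAPTCPCUSTOMPORTS NMAPUDPCUSTOMPORTS ANSWER
  echo -e "\e[00;32m[NMAP OPTIONS]\e[00m"
  ANSWER="y"
  while [ "$(echo "${ANSWER}" | tr '[:upper:]' '[:lower:]')" != "n" ]
  do
    echo "[+] Nmap scans types - We are set to run the following:"
    echo " |_________TCP___________|_________UDP__________|"
    # one status line: " |" Big Default Custom " |" Big Default Custom " |" (green = on, dim red = off);
    # the "off" branch of TCP Big used to miss the leading space and misalign the table
    echo -n " |"
    _f_nmapoptions_flag "${NMAPTCPALL}" " Big " ; echo -n " "
    _f_nmapoptions_flag "${NMAPTCPDEFAULT}" "Default " ; echo -n " "
    _f_nmapoptions_flag "${NMAPTCPCUSTOM}" "Custom " ; echo -n " |"
    _f_nmapoptions_flag "${NMAPUDPALL}" " Big " ; echo -n " "
    _f_nmapoptions_flag "${NMAPUDPDEFAULT}" "Default " ; echo -n " "
    _f_nmapoptions_flag "${NMAPUDPCUSTOM}" "Custom" ; echo " |"
    # EOF on stdin used to leave ANSWER empty and loop here forever; treat it as "no"
    read -p "[+] Do you want to change any of this(y/n)? " -e -i "n" ANSWER || ANSWER="n"
    if [ "$(echo "${ANSWER}" | tr '[:upper:]' '[:lower:]')" == "y" ]
    then
      NMAPTCPALL=$(_f_nmapoptions_yesno " | Big TCP Scan(y/n)?: " "y")
      NMAPTCPDEFAULT=$(_f_nmapoptions_yesno " | Default TCP Scan(y/n)?: " "y")
      NMAPTCPCUSTOM=$(_f_nmapoptions_yesno " | Custom TCP Scan(y/n)?: " "y")
      NMAPUDPALL=$(_f_nmapoptions_yesno " | Big UDP Scan(y/n)?: " "n")
      NMAPUDPDEFAULT=$(_f_nmapoptions_yesno " | Default UDP Scan(y/n)?: " "y")
      NMAPUDPCUSTOM=$(_f_nmapoptions_yesno " | Custom UDP Scan(y/n)?: " "y")
    fi
  done
  if [ "${NMAPTCPCUSTOM}" = "1" ]
  then
    echo "[+] Please enter the NMAP Custom TCP ports:"
    read -p " | TCP:" -e -i "${NMAPTCPCUSTOMPORTS}" NMAPTCPCUSTOMPORTS
  fi
  if [ "${NMAPUDPCUSTOM}" = "1" ]
  then
    echo "[+] Please enter the NMAP Custom UDP ports:"
    read -p " | UDP:" -e -i "${NMAPUDPCUSTOMPORTS}" NMAPUDPCUSTOMPORTS
  fi
}
_f_nmapoptions_flag(){ #prints label $2 in green when flag $1 is "1", dim red otherwise (no newline)
  if [ "$1" = "1" ] ; then echo -en "\e[00;32m$2\e[00m" ; else echo -en "\e[02;31m$2\e[00m" ; fi
}
_f_nmapoptions_yesno(){ #prompts $1 (default $2) and prints 1 for a y/Y answer, 0 for anything else (including EOF)
  local reply
  read -p "$1" -e -i "$2" reply || reply=""
  if [ "$(echo "${reply}" | tr '[:upper:]' '[:lower:]')" == "y" ] ; then echo 1 ; else echo 0 ; fi
}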
f_quicknmap(){ #quick nmap scan of targets (TCP+UDP on NMAPQUICKPORTS) with the result paged in a second xterm
  # Globals read: NMAPQUICKPORTS OUTPUTDIR ; reads ./targets.txt ; writes OUTPUTDIR/quicknmap.txt
  local report="${OUTPUTDIR}/quicknmap.txt"
  echo -e "\e[00;32m[QUICK NMAP]\e[00m"
  echo -e "[+] Performing a quick nmap.... $(echotime)"
  # the scanning xterm runs in the foreground (blocks until nmap is done); the results viewer is backgrounded
  xterm -title "Quick nmap scan - running" -e "nmap -sSU -vv -iL targets.txt -Pn -p${NMAPQUICKPORTS} -n -r -oN ${report}"
  xterm -title "Quick nmap scan - results" -e "cat ${report} | grep -i \"Nmap\ scan\ report\ for\|open\" | grep -v filtered | less" &
  echo -e "[+] Quick nmap finished $(echotime)"
}
f_nmapscans(){ #nmap scans of targets
# Launches up to six nmap scans per target (TCP/UDP x small/big/custom), each in a backgrounded
# xterm, never more than THREADS at once, then writes open_ports.txt and vlan_ports.txt in OUTPUTDIR.
# Globals read: NMAPTCP NMAPUDP NMAP{TCP,UDP}{ALL,DEFAULT,CUSTOM} NMAP{TCP,UDP}CUSTOMPORTS XTERMVALS
#               OUTPUTDIR THREADS SLEEPTIME
# Globals written: COUNT NUMBER TARGET LOC RUNNING
echo -e "\e[00;32m[NMAP]\e[00m"
echo -e "[+] NMAP scans starting `echotime`"
COUNT=0
# NUMBER = targets x enabled scan types. It is computed before the targets.txt check on the next
# line, so it is 0 whenever f_arpscan has to create the file first.
NUMBER=$(((`cat targets.txt| wc -l`)*$((${NMAPTCPDEFAULT}+${NMAPTCPALL}+${NMAPTCPCUSTOM}+${NMAPUDPDEFAULT}+${NMAPUDPALL}+${NMAPUDPCUSTOM}))))
if [ -s targets.txt ] ; then sleep 0 ; else echo "[+] targets.txt not found in current directory, we'll create one..." ; f_arpscan ; fi
for i in `cat targets.txt`
do
f_progressquick "NMAP Progress"
TARGET=${i}
LOC=${OUTPUTDIR}/${TARGET}
if [ -d ${LOC} ] ; then sleep 0 ; else mkdir ${LOC} ; fi
# every scan gets an xterm whose title contains "NMAP"; that title is what the thread gates below count
if [ ${NMAPTCPDEFAULT} = "1" ] ; then ((COUNT++)); sleep ${SLEEPTIME}; xterm ${XTERMVALS} -title "${TARGET} NMAP small TCP" -e "${NMAPTCP} ${LOC}/small.tcp ${TARGET}" & fi
if [ ${NMAPTCPALL} = "1" ] ; then ((COUNT++)); sleep ${SLEEPTIME}; xterm ${XTERMVALS} -title "${TARGET} NMAP big TCP" -e "${NMAPTCP} ${LOC}/big.tcp -p1-65535 ${TARGET}" & fi
if [ ${NMAPTCPCUSTOM} = "1" ] ; then ((COUNT++)); sleep ${SLEEPTIME}; xterm ${XTERMVALS} -title "${TARGET} NMAP custom TCP" -e "${NMAPTCP} ${LOC}/custom.tcp -p${NMAPTCPCUSTOMPORTS} ${TARGET}" & fi
if [ ${NMAPUDPDEFAULT} = "1" ] ; then ((COUNT++)); sleep ${SLEEPTIME}; xterm ${XTERMVALS} -title "${TARGET} NMAP small UDP" -e "${NMAPUDP} ${LOC}/small.udp ${TARGET}" & fi
if [ ${NMAPUDPALL} = "1" ] ; then ((COUNT++)); sleep ${SLEEPTIME}; xterm ${XTERMVALS} -title "${TARGET} NMAP big UDP" -e "${NMAPUDP} ${LOC}/big.udp -p1-65535 ${TARGET}" & fi
if [ ${NMAPUDPCUSTOM} = "1" ] ; then ((COUNT++)); sleep ${SLEEPTIME}; xterm ${XTERMVALS} -title "${TARGET} NMAP custom UDP" -e "${NMAPUDP} ${LOC}/custom.udp -p${NMAPUDPCUSTOMPORTS} ${TARGET}" & fi
# thread gate: counts every xterm on the box with NMAP in its command line, not only the ones started here
while [ `ps -Aef --cols 400 | grep NMAP | grep xterm | wc -l` -ge ${THREADS} ]
do
f_progress "NMAP Progress"
done
sleep 5
done
while [ `ps -Aef --cols 400 | grep NMAP | grep xterm | wc -l` -gt 0 ]
do
RUNNING=`ps -Aef --cols 400 | grep NMAP | grep xterm | wc -l`
f_progress "NMAP Finishing(${RUNNING}left)"
done
echo "";echo -e "[+] NMAP scans finished `echotime`"
# delete scans that were cancelled during running (judged purely by output line count)
cd "${OUTPUTDIR}"
for i in `ls */*.gnmap`;do wcl=`cat ${i} | wc -l`;if [ ${wcl} -le 2 ];then rm ${i};fi;done
for i in `ls */*.xml`;do wcl=`cat ${i} | wc -l`;if [ ${wcl} -le 15 ];then rm ${i};fi;done
for i in `ls */*.nmap`;do wcl=`cat ${i} | wc -l`;if [ ${wcl} -le 1 ];then rm ${i};fi;done
# create open_ports.txt containing only 1 tcp and 1 udp scan from each IP in order of size (big>small>custom)
echo "[+] Creating open_ports.txt `echotime`"
if [ -s open_ports.txt ] ; then rm open_ports.txt ; fi
for i in `ls */*.nmap | cut -d"/" -f1 | sort -but . -k 1,1n -k 2,2n -k 3,3n -k 4,4n`
do
echo "###################### ${i} RESULTS ######################" >> open_ports.txt
if [ -f ${i}/big.tcp.nmap ]
then
echo "---------------------- TCP Big------------------------------" >> open_ports.txt
cat ${i}/big.tcp.nmap | grep "open" | grep -v "OSScan" | grep -v "Missing" | grep -v "filtered" >> open_ports.txt
elif [ -f ${i}/small.tcp.nmap ]
then
echo "---------------------- TCP Small------------------------------" >> open_ports.txt
cat ${i}/small.tcp.nmap | grep "open" | grep -v "OSScan" | grep -v "Missing" | grep -v "filtered" >> open_ports.txt
elif [ -f ${i}/custom.tcp.nmap ]
then
echo "---------------------- TCP Custom------------------------------" >> open_ports.txt
# NOTE(review): the leading "*" is a glob, so this also picks up any other directory whose name ends in ${i}
cat *${i}/custom.tcp.nmap | grep "open" | grep -v "OSScan" | grep -v "Missing" | grep -v "filtered" >> open_ports.txt
else
echo "no results" >> open_ports.txt
fi
if [ -f ${i}/big.udp.nmap ]
then
echo "---------------------- UDP Big------------------------------" >> open_ports.txt
cat ${i}/big.udp.nmap | grep "open" | grep -v "OSScan" | grep -v "Missing" | grep -v "filtered" >> open_ports.txt
elif [ -f ${i}/small.udp.nmap ]
then
echo "---------------------- UDP Small------------------------------" >> open_ports.txt
cat ${i}/small.udp.nmap | grep "open" | grep -v "OSScan" | grep -v "Missing" | grep -v "filtered" >> open_ports.txt
elif [ -f ${i}/custom.udp.nmap ]
then
echo "---------------------- UDP Custom------------------------------" >> open_ports.txt
# NOTE(review): same stray "*" glob as the TCP custom branch above
cat *${i}/custom.udp.nmap | grep "open" | grep -v "OSScan" | grep -v "Missing" | grep -v "filtered" >> open_ports.txt
else
echo "no results" >> open_ports.txt
fi
echo "" >> open_ports.txt
done
echo "[+] Creating vlan_ports.txt `echotime`"
# vlan_ports.txt = one comma-separated line of every open port number (TCP and UDP merged)
cat open_ports.txt | grep open | cut -f1 -d"/" | sort -nu | grep -v fingerprint | grep -v "|" | sed ':a;N;$!ba;s/\n/,/g' | tr -cd '[0123456789,]' > vlan_ports.txt
# assumes OUTPUTDIR sits one level below the directory the script started in
cd ../
}
f_amapscans(){ #amap scans (of nmap output)
# Runs amap on every */*.gnmap produced by f_nmapscans (one xterm each, at most THREADS at a time),
# then splits amap_full.txt into per-service lists (amap.http.txt, amap.ssl.txt, ...) that the
# later scan functions iterate over.
# Globals read: OUTPUTDIR XTERMVALS THREADS SLEEPTIME ; written: COUNT NUMBER RUNNING
echo -e "\e[00;32m[AMAP]\e[00m"
echo -e "[+] AMAP scans starting `echotime`"
cd "${OUTPUTDIR}"
COUNT=0
NUMBER=`ls */*.gnmap | sed -e "s/.gnmap//" | wc -l`
for i in `ls */*.gnmap | sed -e "s/.gnmap//"`
do
f_progressquick "AMAP Progress"
# every xterm appends its amap output to the shared amap_full.txt
((COUNT++)); xterm ${XTERMVALS} -title "${i} AMAP" -e "amap -T 2 -C 1 -i ${i}.gnmap -o ${i}.amap | tee -a amap_full.txt" &
# thread gate: counts every xterm with AMAP in its command line
while [ `ps -Aef --cols 400 | grep AMAP | grep xterm | wc -l` -ge ${THREADS} ]
do
f_progress "AMAP Progress"
done
sleep ${SLEEPTIME}
done
while [ `ps -Aef --cols 400 | grep AMAP | grep xterm | wc -l` -gt 0 ]
do
RUNNING=`ps -Aef --cols 400 | grep AMAP | grep xterm | wc -l`
f_progress "AMAP Finishing(${RUNNING}left)"
done
# amap.txt keeps fields 3-5 of the "matches" lines; the per-service files keep only the first
# "/"-separated field of those (the consumers later split it on ":" into host and port)
cat amap_full.txt | cut -d" " -f3,4,5 | grep matches | sort -but . -k 1,1n -k 2,2n -k 3,3n -k 4,4n > amap.txt
cat amap.txt | grep http | cut -d"/" -f 1 | sort -but . -k 1,1n -k 2,2n -k 3,3n -k 4,4n > amap.http.txt
cat amap.txt | grep ssl | cut -d"/" -f 1 | sort -but . -k 1,1n -k 2,2n -k 3,3n -k 4,4n > amap.ssl.txt
# snmp is taken from amap_full.txt by port (161/udp) rather than by a "matches" line
cat amap_full.txt | cut -d" " -f3,4,5 | grep 161/udp | cut -d"/" -f1 | sort -but . -k 1,1n -k 2,2n -k 3,3n -k 4,4n > amap.snmp.txt
cat amap.txt | grep smtp | cut -d"/" -f 1 | sort -but . -k 1,1n -k 2,2n -k 3,3n -k 4,4n > amap.smtp.txt
cat amap.txt | grep nfs | cut -d"/" -f 1 | sort -but . -k 1,1n -k 2,2n -k 3,3n -k 4,4n > amap.nfs.txt
cat amap.txt | grep x-windows | cut -d"/" -f1 | sort -but . -k 1,1n -k 2,2n -k 3,3n -k 4,4n > amap.x11.txt
echo ""; echo -e "[+] AMAP scans finished `echotime`"
# assumes OUTPUTDIR sits one level below the start directory
cd ../
}
f_sslscans(){ #sslscans of ssl services (using amap output)
# Runs sslscan against every host:port in amap.ssl.txt except 3389 (RDP, skipped since v5.3),
# one xterm per service, then greps the per-port results into WeakCiphers.txt.
# Globals read: OUTPUTDIR XTERMVALS THREADS SLEEPTIME ; written: COUNT NUMBER HOST PORT RUNNING
echo -e "\e[00;32m[SSL SCANS]\e[00m"
echo -e "[+] SSLSCAN starting `echotime`"
cd "${OUTPUTDIR}"
if [ -s amap.ssl.txt ]
then
COUNT=0
NUMBER=`cat amap.ssl.txt | grep -v 3389 | wc -l`
for i in `cat amap.ssl.txt | grep -v 3389`
do
f_progressquick "SSLSCAN Progress"
HOST=`echo $i | cut -d":" -f1`
PORT=`echo $i | cut -d":" -f2`
# output lands in <host>/<port>.sslscan.txt; the trailing sleep keeps the xterm readable for 5s
((COUNT++)); xterm ${XTERMVALS} -title "${i} SSLSCAN" -e "sslscan --no-failed ${i} | tee ${HOST}/${PORT}.sslscan.txt; sleep 5" &
while [ `ps -Aef --cols 400 | grep SSLSCAN | grep xterm | wc -l` -ge ${THREADS} ]
do
f_progress "SSLSCAN Progress"
done
sleep ${SLEEPTIME}
done
while [ `ps -Aef --cols 400 | grep SSLSCAN | grep xterm | wc -l` -gt 0 ]
do
RUNNING=`ps -Aef --cols 400 | grep SSLSCAN | grep xterm | wc -l`
f_progress "SSLSCAN Finishing(${RUNNING}left)"
done
# WeakCiphers.txt: the "Testing SSL" headers plus accepted ciphers that are SSLv2, 40/56-bit or md5-signed
cat */*.sslscan.txt | grep "Testing\ SSL\|Accepted\|ERROR\|Signature\ Algorithm" | grep "SSLv2\|Testing\|\ 40\|\ 56\|md5" | grep -v "ERROR" > WeakCiphers.txt
echo ""
fi
echo -e "[+] SSLSCAN finished `echotime`"
# assumes OUTPUTDIR sits one level below the start directory
cd ../
}
f_gwp(){ #takes photos of http(s) web site roots (using amap output)
# Screenshots every https service in amap.ssl.txt (minus 3389) and every http service in
# amap.http.txt with gnome-web-photo, one xterm each, into <host>/<port>_https.png / <port>__http.png.
# Globals read: OUTPUTDIR XTERMVALS THREADS SLEEPTIME ; written: COUNT NUMBER HOST PORT RUNNING
echo -e "\e[00;32m[GWP]\e[00m"
echo -e "[+] Gnome Web Photo Scans starting `echotime`"
cd "${OUTPUTDIR}"
if [ -s amap.ssl.txt ]
then
COUNT=0
NUMBER=`cat amap.ssl.txt | grep -v 3389 | wc -l`
for i in `cat amap.ssl.txt | grep -v 3389`
do
f_progressquick "GWP HTTPS Progress"
HOST=`echo $i | cut -d":" -f1`
PORT=`echo $i | cut -d":" -f2`
((COUNT++)); xterm ${XTERMVALS} -title "${i} GNOME-WEB-PHOTO" -e "gnome-web-photo -t 20 -w 1024 -m photo -f --format=png https://${i} ${HOST}/${PORT}_https.png" &
while [ `ps -Aef --cols 400 | grep GNOME | grep xterm | wc -l` -ge ${THREADS} ]
do
f_progress "GWP HTTPS Progress"
done
sleep ${SLEEPTIME}
done
fi
if [ -s amap.http.txt ]
then
COUNT=0
NUMBER=`cat amap.http.txt | grep -v 3389 | wc -l`
for i in `cat amap.http.txt | grep -v 3389`
do
# NOTE(review): the https loop above calls f_progressquick here; this one waits the full 5s per host
f_progress "GWP HTTP Progress"
HOST=`echo $i | cut -d":" -f1`
PORT=`echo $i | cut -d":" -f2`
((COUNT++)); xterm ${XTERMVALS} -title "${i} GNOME-WEB-PHOTO" -e "gnome-web-photo -m photo -f --format=png ${i} ${HOST}/${PORT}__http.png" &
while [ `ps -Aef --cols 400 | grep GNOME | grep xterm | wc -l` -ge ${THREADS} ]
do
f_progress "GWP HTTP Progress"
done
sleep ${SLEEPTIME}
done
fi
# both loops share one drain: wait until no xterm with GNOME in its command line is left
while [ `ps -Aef --cols 400 | grep GNOME | grep xterm | wc -l` -gt 0 ]
do
RUNNING=`ps -Aef --cols 400 | grep GNOME | grep xterm | wc -l`
f_progress "GWP Finishing(${RUNNING}left)"
echo ""
done
echo -e "[+] Gnome Web Photo Scans finished `echotime`"
# assumes OUTPUTDIR sits one level below the start directory
cd ../
}
f_snmpscan(){ #checks for default community strings (using amap output)
# Runs onesixtyone with the dict.txt wordlist against every host:port in amap.snmp.txt, then
# collects the hits from */*_snmpscan.txt into SNMPCommunityStrings.txt.
# Globals read: OUTPUTDIR onesixtyone XTERMVALS THREADS SLEEPTIME ; written: retval DICT COUNT NUMBER HOST PORT RUNNING
echo -e "\e[00;32m[SNMP]\e[00m"
echo -e "[+] SNMP scans starting `echotime`"
cd "${OUTPUTDIR}"
# dict.txt lives next to pentest.sh in the svn checkout; fall back to the BackTrack path otherwise
# (retval=`echo $?` is just a roundabout retval=$?)
which pentest.sh > /dev/null; retval=`echo $?`
if [ ${retval} = 0 ]
then DICT=`which pentest.sh | sed -e "s/pentest.sh/onesixtyone-0.8\/dict.txt/"`
else DICT="/pentest/enumeration/snmp/onesixtyone/dict.txt"
fi
if [ -s amap.snmp.txt ]
then
COUNT=0
NUMBER=`cat amap.snmp.txt | wc -l`
for i in `cat amap.snmp.txt`
do
f_progressquick "SNMP Scan Progress"
HOST=`echo $i | cut -d":" -f1`
PORT=`echo $i | cut -d":" -f2`
((COUNT++)); xterm ${XTERMVALS} -title "${HOST}_${PORT} SNMPSCAN" -e "${onesixtyone} -c ${DICT} -p ${PORT} ${HOST} | tee ${HOST}/${PORT}_snmpscan.txt; echo finished ; sleep 5" &
while [ `ps -Aef --cols 400 | grep SNMPSCAN | grep xterm | wc -l` -ge ${THREADS} ]
do
f_progress "SNMP Scan Progress"
done
sleep ${SLEEPTIME}
done
while [ `ps -Aef --cols 400 | grep SNMPSCAN | grep xterm | wc -l` -gt 0 ]
do
RUNNING=`ps -Aef --cols 400 | grep SNMPSCAN | grep xterm | wc -l`
f_progress "SNMP Scan Finishing(${RUNNING}left)"
done
echo ""
fi
# runs even when amap.snmp.txt was empty, so the cat glob fails with an error in that case
cat */*_snmpscan.txt | grep -v canning | grep -v error | grep -v wrong | sort -but . -k 1,1n -k 2,2n -k 3,3n -k 4,4n > SNMPCommunityStrings.txt
echo -e "[+] SNMP scans finished `echotime`"
# assumes OUTPUTDIR sits one level below the start directory
cd ../
}
f_snmpget(){ #collects data from snmp services (using snmpscan output)
# Walks each host listed in SNMPCommunityStrings.txt with the community string found there
# (lines are parsed as "<host> [<string>]") into <host>/snmpget.txt.
# Globals read: OUTPUTDIR XTERMVALS THREADS SLEEPTIME ; written: COUNT NUMBER HOST string RUNNING
echo -e "\e[00;32m[SNMP GET]\e[00m"
echo -e "[+] SNMP Get started `echotime`"
cd "${OUTPUTDIR}"
if [ -s SNMPCommunityStrings.txt ]
then
COUNT=0
NUMBER=`cat SNMPCommunityStrings.txt | wc -l`
for i in `cat SNMPCommunityStrings.txt | cut -f1,2 -d" " | sed -e "s/ //"`
do
f_progressquick "SNMP Get Progress"
HOST=`echo $i | cut -f1 -d"["`
string=`echo $i | cut -f2 -d"[" | sed -e "s/]//"`
# the port from the snmp scan is not carried over: snmpwalk is always run against the default port
# (see the "ensure snmp get follows correct port" ToDo in the header)
((COUNT++)); xterm ${XTERMVALS} -title "${HOST} SNMPGET" -e "snmpwalk -v2c -c ${string} ${HOST} | tee ${HOST}/snmpget.txt; sleep 5" &
while [ `ps -Aef --cols 400 | grep SNMPGET | grep xterm | wc -l` -ge ${THREADS} ]
do
f_progress "SNMP Get Progress"
done
sleep ${SLEEPTIME}
done
while [ `ps -Aef --cols 400 | grep SNMPGET | grep xterm | wc -l` -gt 0 ]
do
RUNNING=`ps -Aef --cols 400 | grep SNMPGET | grep xterm | wc -l`
f_progress "SNMP Get Finishing(${RUNNING}left)"
done
echo ""
fi
echo -e "[+] SNMP Get finished `echotime`"
# assumes OUTPUTDIR sits one level below the start directory
cd ../
}
f_runenum4linuxscan(){ #enum4linux against targets
# Runs enum4linux against every host in OUTPUTDIR/targets.txt (not the amap lists), one xterm
# each, into <host>/enum4linux.txt.
# Globals read: OUTPUTDIR enum4linux XTERMVALS THREADS SLEEPTIME ; written: COUNT NUMBER RUNNING
echo -e "\e[00;32m[ENUM4LINUX]\e[00m"
echo -e "[+] Enum4Linux scans starting `echotime`"
cd "${OUTPUTDIR}"
sleep ${SLEEPTIME}
COUNT=0
NUMBER=`cat targets.txt | wc -l`
for i in `cat targets.txt`
do
f_progressquick "Enum4Linux Progress"
# assumes <host>/ already exists (f_nmapscans creates it)
((COUNT++)); xterm ${XTERMVALS} -title "${i} Enum4Linux" -e "${enum4linux} ${i} | tee ${i}/enum4linux.txt; sleep 5" &
while [ `ps -Aef --cols 400 | grep Enum4Linux | grep xterm | wc -l` -ge ${THREADS} ]
do
f_progress "Enum4Linux Progress"
done
sleep ${SLEEPTIME}
done
while [ `ps -Aef --cols 400 | grep Enum4Linux | grep xterm | wc -l` -gt 0 ]
do
RUNNING=`ps -Aef --cols 400 | grep Enum4Linux | grep xterm | wc -l`
f_progress "Enum4Linux Finishing(${RUNNING}left)"
done
echo -e "[+] Enum4Linux scans finished `echotime`"
# assumes OUTPUTDIR sits one level below the start directory
cd ../
}
f_swaksscans(){ #swaks test against smtp (using amap output)
  # For every "host:port" line in amap.smtp.txt, runs swaks (hard-coded at
  # /pentest/enumeration/smtp/swaks/swaks) with a fixed recipient of
  # user@example.com and the host:port token as --server, saving the
  # transcript to <host>/<port>_smtp.txt. This generates real outbound
  # SMTP traffic to each server, which shows up in its mail logs.
  # Globals read:    OUTPUTDIR, XTERMVALS, THREADS, SLEEPTIME
  # Globals written: COUNT, NUMBER, HOST, PORT, RUNNING (none are local)
  # Side effects:    cd into OUTPUTDIR and back to its parent ("cd ../");
  #                  background xterm processes.
  # Depends on f_progressquick, f_progress and echotime defined elsewhere.
  echo -e "\e[00;32m[SMTP]\e[00m"
  echo -e "[+] SMTP (swaks) scans starting `echotime`"
  cd "${OUTPUTDIR}"
  if [ -s amap.smtp.txt ]
  then
    COUNT=0
    NUMBER=`cat amap.smtp.txt | wc -l`
    for i in `cat amap.smtp.txt`
    do
      f_progressquick "SMTP Progress"
      # Split "host:port" on the first/second colon.
      HOST=`echo $i | cut -d":" -f1`
      PORT=`echo $i | cut -d":" -f2`
      # Values come straight from the amap result file and are interpolated
      # unquoted into the command string xterm hands to a shell.
      ((COUNT++)); xterm ${XTERMVALS} -title "${i} SWAKS" -e "/pentest/enumeration/smtp/swaks/swaks --to user@example.com --server ${i} | tee ${HOST}/${PORT}_smtp.txt; sleep 5" &
      # Concurrency cap: count xterm windows titled SWAKS.
      while [ `ps -Aef --cols 400 | grep SWAKS | grep xterm | wc -l` -ge ${THREADS} ]
      do
        f_progress "SMTP Progress"
      done
      sleep ${SLEEPTIME}
    done
    # Drain: wait for the remaining windows before reporting completion.
    while [ `ps -Aef --cols 400 | grep SWAKS | grep xterm | wc -l` -gt 0 ]
    do
      RUNNING=`ps -Aef --cols 400 | grep SWAKS | grep xterm | wc -l`
      f_progress "SMTP Finishing(${RUNNING}left)"
    done
    echo ""
  fi
  echo -e "[+] SMTP scans finished `echotime`"
  cd ../
}
f_uniscan(){ #run basic checks against web servers
  # Runs uniscan.pl (hard-coded under /pentest/web/uniscan/) against every
  # "host:port" in amap.ssl.txt (https://) and amap.http.txt (http://),
  # saving output to ${OUTPUTDIR}/<host>/<port>_uniscan.txt. Because the
  # command first cd's into the uniscan directory, that tee path only
  # resolves correctly if OUTPUTDIR is absolute — confirm in f_setdefaults.
  # Globals read:    OUTPUTDIR, XTERMVALS, THREADS, SLEEPTIME
  # Globals written: COUNT, NUMBER, HOST, PORT, RUNNING (none are local)
  # Side effects:    cd into OUTPUTDIR and back to its parent ("cd ../");
  #                  background xterm processes.
  # Depends on f_progressquick, f_progress and echotime defined elsewhere.
  # Inconsistencies between the two passes: the HTTP pass calls f_progress
  # where the HTTPS pass calls f_progressquick, and only the HTTPS command
  # ends with "sleep 5" to keep the window open for reading errors.
  echo -e "\e[00;32m[UNISCAN]\e[00m"
  echo -e "[+] Uniscan scans starting `echotime`"
  cd "${OUTPUTDIR}"
  if [ -s amap.ssl.txt ]
  then
    COUNT=0
    NUMBER=`cat amap.ssl.txt | wc -l`
    for i in `cat amap.ssl.txt`
    do
      f_progressquick "Uniscan HTTPS Progress"
      HOST=`echo $i | cut -d":" -f1`
      PORT=`echo $i | cut -d":" -f2`
      # host:port from the amap file is interpolated unquoted into the URL
      # and the shell command string.
      ((COUNT++)); xterm ${XTERMVALS} -title "${i} UNISCAN" -e "cd /pentest/web/uniscan/ ; ./uniscan.pl -u https://${i}/ -qweds | tee ${OUTPUTDIR}/${HOST}/${PORT}_uniscan.txt ; sleep 5" &
      # Concurrency cap: count xterm windows titled UNISCAN (shared by both
      # passes, so HTTPS windows still count while the HTTP pass starts).
      while [ `ps -Aef --cols 400 | grep UNISCAN | grep xterm | wc -l` -ge ${THREADS} ]
      do
        f_progress "Uniscan HTTPS Progress"
      done
      sleep ${SLEEPTIME}
    done
    echo ""
  fi
  if [ -s amap.http.txt ]
  then
    COUNT=0
    NUMBER=`cat amap.http.txt | wc -l`
    for i in `cat amap.http.txt`
    do
      f_progress "Uniscan HTTP Progress"
      HOST=`echo $i | cut -d":" -f1`
      PORT=`echo $i | cut -d":" -f2`
      # No trailing "sleep 5" here, unlike the HTTPS pass above.
      ((COUNT++)); xterm ${XTERMVALS} -title "${i} UNISCAN" -e "cd /pentest/web/uniscan/ ; ./uniscan.pl -u http://${i}/ -qweds | tee ${OUTPUTDIR}/${HOST}/${PORT}_uniscan.txt" &
      while [ `ps -Aef --cols 400 | grep UNISCAN | grep xterm | wc -l` -ge ${THREADS} ]
      do
        f_progress "Uniscan HTTP Progress"
      done
      sleep ${SLEEPTIME}
    done
    echo ""
  fi
  # Drain: wait for the remaining windows of either pass.
  while [ `ps -Aef --cols 400 | grep UNISCAN | grep xterm | wc -l` -gt 0 ]
  do
    RUNNING=`ps -Aef --cols 400 | grep UNISCAN | grep xterm | wc -l`
    f_progress "Uniscan Finishing(${RUNNING}left)"
  done
  echo -e "[+] Uniscan scans finished `echotime`"
  cd ../
}
f_nfsscan(){ #connect to nfs and run tree output
  # For every host in amap.nfs.txt, lists its NFS exports with showmount,
  # mounts each export read-only under /tmp/nfs<export>, runs tree on it in
  # a background xterm (appended to <host>/nfs.txt) and finally unmounts
  # everything whose mount line matches the host.
  # Needs privileges to mount/umount (typically root — confirm).
  # Globals read:    OUTPUTDIR, XTERMVALS, THREADS, SLEEPTIME
  # Globals written: COUNT, NUMBER, RUNNING (none are local)
  # Side effects:    cd into OUTPUTDIR and back to its parent ("cd ../");
  #                  mounts under /tmp, background xterm processes.
  # Depends on f_progressquick, f_progress and echotime defined elsewhere.
  echo -e "\e[00;32m[NFS]\e[00m"
  echo -e "[+] NFS Scans starting `echotime`"
  cd "${OUTPUTDIR}"
  if [ -s amap.nfs.txt ]
  then
    COUNT=0
    NUMBER=`cat amap.nfs.txt | wc -l`
    # Only the host part of each "host:port" line is used.
    for i in `cat amap.nfs.txt | cut -d":" -f1`
    do
      f_progressquick "NFS Tree Progress"
      ((COUNT++));
      # First column of "showmount -e", minus the "Export list" header line.
      # Export paths are word-split, so a path containing spaces breaks here.
      for f in `showmount -e ${i} | cut -d" " -f1 | grep -v "Export"`
      do
        # Mount point is a predictable path in the shared /tmp; mkdir -p
        # does not check that it was not pre-created by another local user.
        mkdir -p /tmp/nfs${f}
        # ro + nolock: no writes, no lock daemon needed. No timeout option
        # is given, so an unresponsive server can block this step
        # (NFS mounts are hard by default — confirm for this client).
        mount -o nolock,ro -t nfs ${i}:${f} /tmp/nfs${f}
        xterm ${XTERMVALS} -title "${i} NFS Tree" -e "tree /tmp/nfs${f} | tee -a ${i}/nfs.txt ; sleep 5" &
      done
      # Concurrency cap: count xterm windows titled "NFS Tree".
      while [ `ps -Aef --cols 400 | grep "NFS Tree" | grep xterm | wc -l` -ge ${THREADS} ]
      do
        f_progress "NFS Tree Progress"
      done
      sleep ${SLEEPTIME}
    done
    # Drain: all tree runs must finish before anything is unmounted.
    while [ `ps -Aef --cols 400 | grep "NFS Tree" | grep xterm | wc -l` -gt 0 ]
    do
      RUNNING=`ps -Aef --cols 400 | grep "NFS Tree" | grep xterm | wc -l`
      f_progress "NFS Tree Finishing(${RUNNING}left)"
    done
    # Unmount by grepping the mount table for the host. The pattern is
    # unquoted and unanchored: dots match any character and "10.0.0.1" also
    # matches "10.0.0.10", so unrelated mounts can be unmounted too.
    for i in `cat amap.nfs.txt | cut -d":" -f1`
    do
      for a in `mount | grep $i | cut -d" " -f1`
      do
        umount ${a}
      done
    done
    echo ""
  fi
  echo -e "[+] NFS Scans Finished `echotime`"
  cd ../
}
f_x11grab(){ #connects to x11 servers and does screenshot
  # For every "host:port" in amap.x11.txt, derives an X display number from
  # the port, dumps the window tree with xwininfo to <host>/x11_<n>.txt and,
  # if that succeeds, captures the root window to <host>/x11_<n>.jpg with
  # `import` (presumably ImageMagick's — confirm).
  # Globals read:    OUTPUTDIR, XTERMVALS, THREADS, SLEEPTIME
  # Globals written: COUNT, NUMBER, HOST, PORT, PORTTR, RUNNING (not local)
  # Side effects:    cd into OUTPUTDIR and back to its parent ("cd ../");
  #                  background xterm processes.
  # Depends on f_progressquick, f_progress and echotime defined elsewhere.
  echo -e "\e[00;32m[x11]\e[00m"
  echo -e "[+] x11 scans starting `echotime`"
  cd "${OUTPUTDIR}"
  if [ -s amap.x11.txt ]
  then
    COUNT=0
    NUMBER=`cat amap.x11.txt | wc -l`
    for i in `cat amap.x11.txt`
    do
      f_progressquick "x11grab Progress"
      HOST=`echo ${i} | cut -d":" -f1`
      PORT=`echo ${i} | cut -d":" -f2`
      # buggy need to just use right most char
      # `tr -d 60` deletes every '6' and '0' character rather than stripping
      # the 6000 base: 6000 becomes "" (display "host:" with no number),
      # and 6001, 6010 and 6100 all become "1". TODO(review): derive the
      # display number arithmetically (conventionally port - 6000) — confirm.
      PORTTR=`echo ${PORT} | tr -d 60`
      # Command string is interpolated unquoted; HOST comes from the amap
      # result file. Only when xwininfo succeeds is the screenshot taken.
      ((COUNT++)); xterm ${XTERMVALS} -title "${i} X11grab" -e "xwininfo -tree -root -display ${HOST}:${PORTTR} > ${HOST}/x11_${PORTTR}.txt && import -display ${HOST}:${PORTTR} -window root ${HOST}/x11_${PORTTR}.jpg" &
      # Concurrency cap: count xterm windows titled X11grab.
      while [ `ps -Aef --cols 400 | grep X11grab | grep xterm | wc -l` -ge ${THREADS} ]
      do
        f_progress "x11grab Progress"
      done
      sleep ${SLEEPTIME}
    done
    # Drain: wait for the remaining windows before reporting completion.
    while [ `ps -Aef --cols 400 | grep X11grab | grep xterm | wc -l` -gt 0 ]
    do
      RUNNING=`ps -Aef --cols 400 | grep X11grab | grep xterm | wc -l`
      f_progress "x11grab Finishing(${RUNNING}left)"
    done
    echo ""
  fi
  echo -e "[+] x11 Scans finsihed `echotime`"
  cd ../
}
f_wget(){ #wget of http(s) web sites (using amap output)
  # Fetches the front page (headers included, one attempt, certificate
  # checks disabled for https) of every "host:port" in amap.ssl.txt and
  # amap.http.txt, saving to <host>/<port>_wget_https.txt or
  # <host>/<port>_wget_http.txt.
  # "grep -v 3389" is meant to skip RDP entries, but it drops any line
  # containing the substring 3389 (e.g. port 33890 or a matching host).
  # Globals read:    OUTPUTDIR, XTERMVALS, THREADS, SLEEPTIME
  # Globals written: COUNT, NUMBER, HOST, PORT, RUNNING (none are local)
  # Side effects:    cd into OUTPUTDIR and back to its parent ("cd ../");
  #                  background xterm processes.
  # Depends on f_progressquick, f_progress and echotime defined elsewhere.
  # Inconsistencies: the HTTP pass calls f_progress where the HTTPS pass
  # calls f_progressquick, and the final drain loop prints a blank line on
  # every poll iteration instead of once afterwards like the other stages.
  echo -e "\e[00;32m[WGET]\e[00m"
  echo -e "[+] WGET scans started `echotime`"
  cd "${OUTPUTDIR}"
  if [ -s amap.ssl.txt ]
  then
    COUNT=0
    NUMBER=`cat amap.ssl.txt | grep -v 3389 | wc -l`
    for i in `cat amap.ssl.txt | grep -v 3389`
    do
      f_progressquick "WGET HTTPS Progress"
      HOST=`echo $i | cut -d":" -f1`
      PORT=`echo $i | cut -d":" -f2`
      # --no-check-certificate: self-signed/mismatched certs are accepted;
      # the result is a plain capture, not a validation of the endpoint.
      # host:port is interpolated unquoted into the shell command string.
      ((COUNT++)); xterm ${XTERMVALS} -title "${i} WGET" -e "wget -t 1 --no-check-certificate --save-headers -O- https://${i} > ${HOST}/${PORT}_wget_https.txt ; sleep 5" &
      # Concurrency cap: count xterm windows titled WGET (shared by both
      # passes).
      while [ `ps -Aef --cols 400 | grep WGET | grep xterm | wc -l` -ge ${THREADS} ]
      do
        f_progress "WGET HTTPS Progress"
      done
      sleep ${SLEEPTIME}
    done
  fi
  if [ -s amap.http.txt ]
  then
    COUNT=0
    NUMBER=`cat amap.http.txt | grep -v 3389 | wc -l`
    for i in `cat amap.http.txt | grep -v 3389`
    do
      f_progress "WGET HTTP Progress"
      HOST=`echo $i | cut -d":" -f1`
      PORT=`echo $i | cut -d":" -f2`
      ((COUNT++)); xterm ${XTERMVALS} -title "${i} WGET" -e "wget -t 1 --save-headers -O- http://${i} > ${HOST}/${PORT}_wget_http.txt ; sleep 5" &
      while [ `ps -Aef --cols 400 | grep WGET | grep xterm | wc -l` -ge ${THREADS} ]
      do
        f_progress "WGET HTTP Progress"
      done
      sleep ${SLEEPTIME}
    done
  fi
  # Drain: wait for the remaining windows of either pass.
  while [ `ps -Aef --cols 400 | grep WGET | grep xterm | wc -l` -gt 0 ]
  do
    RUNNING=`ps -Aef --cols 400 | grep WGET | grep xterm | wc -l`
    f_progress "WGET Finishing(${RUNNING}left)"
    # Printed once per poll, not once at the end — see note above.
    echo ""
  done
  echo -e "[+] WGET scans finished `echotime`"
  cd ../
}
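f_cleanup(){ #deletes files created that are empty or blank
  # Removes artefacts that carry no information: placeholder screenshots,
  # result lists that ended up empty, and enum4linux reports of 30 lines or
  # fewer (the tool's banner alone is roughly that long — confirm).
  # Globals read: OUTPUTDIR
  # Side effects: cd into OUTPUTDIR and back to its parent ("cd ../");
  #               deletes files under OUTPUTDIR.
  # Returns: 0; 1 if OUTPUTDIR cannot be entered (nothing is deleted then).
  echo "[+] Now cleaning up"
  cd "${OUTPUTDIR}" || return 1
  # A .png of exactly this size is treated as a blank capture. The value is
  # taken from the original check — TODO(review): confirm which screenshot
  # tool produces it, as a tool update could change it.
  local -r blank_png_size=469
  local png size
  for png in */*.png; do
    # An unmatched glob leaves the literal pattern behind; skip it instead
    # of passing it to stat (the old `ls` loop also broke on spaces).
    [ -e "${png}" ] || continue
    size=$(stat -c %s -- "${png}") || continue
    if [ "${size}" -eq "${blank_png_size}" ]; then
      rm -f -- "${png}"
    fi
  done
  # Empty result lists are dropped so later stages and the results viewer
  # do not pick them up; -f keeps rm quiet when a list was never created.
  local listfile
  for listfile in amap.ssl.txt amap.http.txt WeakCiphers.txt \
      SNMPCommunityStrings.txt amap.snmp.txt amap.smtp.txt amap.nfs.txt; do
    if [ ! -s "${listfile}" ]; then
      rm -f -- "${listfile}"
    fi
  done
  # enum4linux output of 30 lines or fewer is considered "nothing found".
  local report lines
  for report in */enum4linux.txt; do
    [ -e "${report}" ] || continue
    lines=$(wc -l < "${report}")
    if [ "${lines}" -le 30 ]; then
      rm -f -- "${report}"
    fi
  done
  cd ../
}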
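f_displayresults(){ #displays output in xterm windows
  # Opens one xterm viewer per non-empty summary file (open ports, weak
  # ciphers, SNMP community strings) and prints the target list (joined
  # with commas) and the VLAN port list to the terminal.
  # Globals read: OUTPUTDIR
  # Side effects: cd into OUTPUTDIR and back to its parent ("cd ../");
  #               background xterm processes.
  # Returns: 0; 1 if OUTPUTDIR cannot be entered.
  echo -e "\e[00;32m[RESULTS]\e[00m"
  echo "[+] Displaying results"
  cd "${OUTPUTDIR}" || return 1
  # The trailing "|" in the pattern also matches the empty string, so every
  # line is shown and only the listed service names are coloured.
  if [ -s open_ports.txt ]; then
    xterm -title "OpenPorts from ${OUTPUTDIR}" -e "grep -E --color=always '.*(ssh|rdp|ssl|http|telnet|https|sslv2|mail|smtp|snmp|oracle|sql|tnls|ftp|sftp|echo|chargen|dns|qotd|motd|finger|rlogin|rexec|discard|daytime).*|' open_ports.txt | less -R" &
  fi
  if [ -s WeakCiphers.txt ]; then
    xterm -title "WeakCiphers from ${OUTPUTDIR}" -e "less -R WeakCiphers.txt" &
  fi
  if [ -s SNMPCommunityStrings.txt ]; then
    xterm -title "SNMPCommunityStrings from ${OUTPUTDIR}" -e "less -R SNMPCommunityStrings.txt" &
  fi
  cd ../
  echo "[+] Scanning has finished, now time to get root"
  echo "[+] Targets scanned"
  # Join the one-per-line target list into a single comma-separated line;
  # the guard avoids a cat/sed error when the list is missing.
  if [ -s "${OUTPUTDIR}/targets.txt" ]; then
    sed ':a;N;$!ba;s/\n/,/g' "${OUTPUTDIR}/targets.txt"
  fi
  echo "[+] Vlan Ports"
  if [ -e "${OUTPUTDIR}/vlan_ports.txt" ]; then
    cat "${OUTPUTDIR}/vlan_ports.txt"
  fi
  echo ""
}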
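f_exit(){ #this is called upon ESC/Cancel press
  # Cancel handler for the dialog menus: removes the dialog answer file and
  # terminates the script with status 1.
  # Side effects: deletes /tmp/answer; exits the shell.
  # NOTE(review): /tmp/answer is a fixed, predictable name in a shared
  # directory. Where it is created is outside this block — confirm it is
  # not reachable by other local users (a mktemp-created file would not be).
  # -f: the file may not exist yet when cancelling early, and a missing
  # file should not print an error on the way out.
  rm -f -- /tmp/answer
  echo "[+] Exiting.... see ya"
  exit 1
}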
echotime(){ #simply displays the time to the screen
  # Prints the current wall-clock time as HH:MM:SS wrapped in the same
  # ANSI colour codes the other status lines use, followed by a newline.
  local now
  now=$(date +"%T")
  printf '\e[00;30m%s\e[00m\n' "${now}"
}
### What to run ###
# Entry sequence: load defaults, run the interactive main flow, strip empty
# artefacts, then open the result viewers. f_setdefaults and f_main are
# defined outside this excerpt. Each step runs unconditionally: a failure
# in one does not stop the next (no set -e is visible in this part of the
# file).
f_setdefaults
f_main
f_cleanup
f_displayresults
#f_debug   # developer hook, left disabled
exit 0