Last active
December 15, 2023 17:41
-
-
Save ryan-wendel/2266751e23641ed0ff38fb7a2c3502cf to your computer and use it in GitHub Desktop.
nmap script I use to enumerate hosts and pull banners with amap. Could probably use to add a few more protocols. I'll get on that...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
HOST="$1" | |
BASE="$2" | |
SCAN_UDP="1" | |
GRAB_BANNERS="1" | |
TOP_TCP_PORTS="100" | |
TOP_UDP_PORTS="50" | |
TEMPLATE_NUM="2" | |
TCP_FILE="${BASE}/${HOST}/tcp_scan_${HOST}" | |
TCP_DEEP_FILE="${BASE}/${HOST}/tcp_scan_deep_${HOST}" | |
UDP_FILE="${BASE}/${HOST}/udp_scan_${HOST}" | |
#SCRIPT_DIR="/home/users/rwendel/tools/nmap/scripts" | |
SCRIPT_DIR="/usr/share/nmap/scripts" | |
#PERF_OPTIONS="-n --max-rtt-timeout 500ms --max-retries 3 --max-scan-delay 20ms" | |
#PERF_OPTIONS="-n -T${TEMPLATE_NUM} --max-rtt-timeout 350ms --max-retries 2" | |
PERF_OPTIONS="-n -T${TEMPLATE_NUM} --initial-rtt-timeout 500ms --min-rtt-timeout 100ms --max-rtt-timeout 1000ms --host-timeout 10m --scan-delay 100ms --max-scan-delay 500ms --max-retries 2" | |
print_help() { | |
echo "Usage: $(basename $0) <host/ip> <project directory>" | |
} | |
if [ -z "${HOST}" ]; then | |
echo "Error: Provide me a host/ip" | |
echo | |
print_help | |
exit 1 | |
fi | |
if [ -z "${BASE}" ]; then | |
echo "Error: Provide me a directory to output to." | |
echo | |
print_help | |
exit 2 | |
fi | |
if [ -z "${SCAN_UDP}" ]; then | |
echo "Error: Provide me with a zero or one to control UDP toggle." | |
echo | |
print_help | |
exit 3 | |
fi | |
if [ -z "${GRAB_BANNERS}" ]; then | |
echo "Error: Provide me with a zero or one to control banner toggle." | |
echo | |
print_help | |
exit 4 | |
fi | |
mkdir -p ${BASE}/${HOST} | |
if [ "$?" -ne "0" ]; then | |
echo "Error: File permissions issue" | |
exit 5 | |
fi | |
if [ "${GRAB_BANNERS}" -gt "0" ]; then | |
mkdir -p ${BASE}/${HOST}/banners | |
fi | |
#nmap -Pn -sS -p- ${PERF_OPTIONS} ${HOST} -oA ${TCP_FILE} | |
nmap -Pn -sS --top-ports ${TOP_TCP_PORTS} ${PERF_OPTIONS} ${HOST} -oA ${TCP_FILE} | |
if [ "${GRAB_BANNERS}" -gt "0" ]; then | |
grep open ${TCP_FILE}.nmap 2>/dev/null | grep -v -e 'Not shown' -e '^#' -e scanned | cut -d'/' -f1 | while read PORT; do | |
#printf "$(amap -b ${HOST} ${PORT})" > "${BASE}/${HOST}/banners/${PORT}_tcp_banner.txt" | |
nmap -Pn -sV -sT -p ${PORT} ${PERF_OPTIONS} --script=banner --script-args=banner.ports=${PORT} ${HOST} > "${BASE}/${HOST}/banners/${PORT}_tcp_banner.txt" | |
done | |
fi | |
if [ "${SCAN_UDP}" -gt "0" ]; then | |
nmap -n -Pn -sU --top-ports ${TOP_UDP_PORTS} ${PERF_OPTIONS} --open ${HOST} -oA ${UDP_FILE} | |
if [ "${GRAB_BANNERS}" -gt "0" ]; then | |
grep open ${UDP_FILE}.nmap 2>/dev/null | grep -v -e 'Not shown' -e '^#' -e scanned | cut -d'/' -f1 | while read PORT; do | |
nmap -Pn -sV -sU -p ${PORT} ${PERF_OPTIONS} --script=banner --script-args=banner.ports=${PORT} ${HOST} > "${BASE}/${HOST}/banners/${PORT}_udp_banner.txt" | |
#printf "$(amap -u -b ${HOST} ${PORT})" > "${BASE}/${HOST}/banners/${PORT}_udp_banner.txt" | |
done | |
fi | |
fi | |
PORTS=$(grep open ${TCP_FILE}.nmap 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g') | |
if [ -n "${PORTS}" ]; then | |
nmap -A -Pn -sT -p ${PORTS} ${PERF_OPTIONS} ${HOST} -oA ${TCP_DEEP_FILE} | |
grep 'tcp.*open' ${TCP_DEEP_FILE}.nmap | |
fi | |
PORTS=$(grep 'open.*netbios' ${TCP_DEEP_FILE}.nmap 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g') | |
if [ -n "${PORTS}" ]; then | |
mkdir -p ${BASE}/${HOST}/smb | |
enum4linux -a ${HOST} > ${BASE}/${HOST}/smb/enum_${HOST}.txt | |
echo "######################## OS Discovery" > ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smb-os-discovery ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
echo "######################## Security Mode" >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smb-security-mode ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
echo "######################## System Info" >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smb-system-info ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
echo "######################## Domains" >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smb-enum-domains ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
echo "######################## Shares" >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smb-enum-shares ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
echo "######################## Users" >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smb-enum-users ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
echo "######################## Groups" >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smb-enum-groups ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
echo "######################## SMB ls" >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smb-ls ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
echo "######################## SMB Enum " >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smb-mbenum ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
echo "######################## SMB Vulns " >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smb-vuln* ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
echo "######################## Samba Vulns " >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=samba-vuln* ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/smb/smb_info_${HOST}.txt | |
fi | |
PORTS=$(grep 'open.*http' ${TCP_DEEP_FILE}.nmap 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g') | |
if [ "${PORTS}" ]; then | |
mkdir -p ${BASE}/${HOST}/http | |
echo "######################## Cookie Flags" > ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=http-cookie-flags ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
echo "######################## CORS" >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=http-cors ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
echo "######################## Cross Domain Policy" >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=http-cross-domain-policy ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
echo "######################## Methods" >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=http-methods ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
echo "######################## Headers" >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=http-headers ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
echo "######################## Vulns" >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=http-vuln* ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
echo "######################## WAF Detect" >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=http-waf-detect ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
echo "######################## WAF Fingerprint" >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=http-waf-fingerprint ${PERF_OPTIONS} ${HOST} >> ${BASE}/${HOST}/http/http_info_${HOST}.txt | |
fi | |
PORTS=$(grep 'open.*ftp' ${TCP_DEEP_FILE}.nmap 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g') | |
if [ "${PORTS}" ]; then | |
mkdir -p ${BASE}/${HOST}/ftp | |
nmap -Pn -p ${PORTS} --script=ftp-vuln* ${PERF_OPTIONS} ${HOST} > ${BASE}/${HOST}/ftp/vulns_ftp_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=ftp-*-backdoor ${PERF_OPTIONS} ${HOST} > ${BASE}/${HOST}/ftp/vulns_ftp_backdoor_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=ftp-anon ${PERF_OPTIONS} ${HOST} > ${BASE}/${HOST}/ftp/ftp_anon_${HOST}.txt | |
fi | |
PORTS=$(grep 'open.*smtp' ${TCP_DEEP_FILE}.nmap 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g') | |
if [ "${PORTS}" ]; then | |
mkdir -p ${BASE}/${HOST}/smtp | |
nmap -Pn -p ${PORTS} --script=smtp-vuln* ${PERF_OPTIONS} ${HOST} > ${BASE}/${HOST}/smtp/vuln_smtp_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smtp-open-relay ${PERF_OPTIONS} ${HOST} > ${BASE}/${HOST}/smtp/smtp_open_relay_${HOST}.txt | |
nmap -Pn -p ${PORTS} --script=smtp-enum-users ${PERF_OPTIONS} ${HOST} > ${BASE}/${HOST}/smtp/smtp_enum_users_${HOST}.txt | |
fi | |
# MySQL | |
PORTS=$(grep 'open.*mysql' ${TCP_DEEP_FILE}.nmap 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g') | |
if [ "${PORTS}" ]; then | |
mkdir -p ${BASE}/${HOST}/mysql | |
nmap -Pn -p ${PORTS} --script=mysql-* ${PERF_OPTIONS} ${HOST} > ${BASE}/${HOST}/mysql/mysql_${HOST}.txt | |
fi | |
# SSH | |
PORTS=$(grep 'open.*ssh' ${TCP_DEEP_FILE}.nmap 2>/dev/null | cut -d'/' -f1 | perl -pe 's|\n|,|g' | sed 's/,$//g') | |
if [ "${PORTS}" ]; then | |
mkdir -p ${BASE}/${HOST}/ssh | |
nmap -Pn -p ${PORTS} --script=ssh* ${PERF_OPTIONS} ${HOST} > ${BASE}/${HOST}/ssh/ssh_${HOST}.txt | |
fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment