diff --git a/autorecon.py b/autorecon.py index 41144f8..da143a3 100644 --- a/autorecon.py +++ b/autorecon.py @@ -16,17 +16,19 @@ import os import re import socket import string +from datetime import datetime import sys import toml verbose = 0 -nmap = '-vv --reason -Pn' +nmap_default_options = '--reason -Pn' srvname = '' port_scan_profile = None port_scan_profiles_config = None service_scans_config = None global_patterns = [] +applications = {} username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt' @@ -70,9 +72,11 @@ def cprint(*args, color=Fore.RESET, char='*', sep=' ', end='\n', frame_index=1, vals.update(frame.f_locals) vals.update(kvargs) + clock = datetime.now().strftime('%H:%M:%S') + clock = sep + '[' + Style.BRIGHT + Fore.YELLOW + clock + Style.NORMAL + Fore.RESET + ']' unfmt = '' if char is not None: - unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + sep + unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + clock + sep unfmt += sep.join(args) fmted = unfmt @@ -104,40 +108,63 @@ def fail(*args, sep=' ', end='\n', file=sys.stderr, **kvargs): cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) exit(-1) -port_scan_profiles_config_file = 'port-scan-profiles.toml' -with open(os.path.join(rootdir, 'config', port_scan_profiles_config_file), 'r') as p: + +''' Reads a configuration file, and saves the data to a dictionary + + @replace_values Dictionary with values that should be replaced in the configuration file +''' +def read_configuration_file(filename, replace_values = {}): + data = {} try: - port_scan_profiles_config = toml.load(p) + with open(os.path.join(rootdir, 'config', filename), 'r') as f: + data = f.read() - if len(port_scan_profiles_config) == 0: - fail('There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file.') + for entry in replace_values: + data = re.sub('{' +entry + '}', replace_values[entry], data) + data = toml.loads(data) + except (OSError, toml.decoder.TomlDecodeError) as e: + fail('Error: The configuration file {filename} could not be read.') - except toml.decoder.TomlDecodeError as e: - fail('Error: Couldn\'t parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags.') + return data -with open(os.path.join(rootdir, 'config', 'service-scans.toml'), 'r') as c: - try: - service_scans_config = toml.load(c) - except toml.decoder.TomlDecodeError as e: - fail('Error: Couldn\'t parse service-scans.toml config file. Check syntax and duplicate tags.') -with open(os.path.join(rootdir, 'config', 'global-patterns.toml'), 'r') as p: - try: - global_patterns = toml.load(p) - if 'pattern' in global_patterns: - global_patterns = global_patterns['pattern'] - else: - global_patterns = [] - except toml.decoder.TomlDecodeError as e: - fail('Error: Couldn\'t parse global-patterns.toml config file. Check syntax and duplicate tags.') +def get_configuration(): + applications_config = read_configuration_file('config.toml') + if len(applications_config) > 0 and 'applications' in applications_config: + global applications + applications = applications_config['applications'] + for application in applications: + if not os.path.isfile(applications[application]): + warn('Warning: The application {application} was not found on the system in the specified path.') + else: + warn('Warning: The section for application paths was not found in the {application_config_file} configuration file.') -if 'username_wordlist' in service_scans_config: - if isinstance(service_scans_config['username_wordlist'], str): - username_wordlist = service_scans_config['username_wordlist'] + global port_scan_profiles_config + port_scan_profiles_config = read_configuration_file('port-scan-profiles.toml', applications) + if len(port_scan_profiles_config) == 0: + fail('There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file.') + return False + + global service_scans_config + service_scans_config = read_configuration_file('service-scans.toml', applications) + + global global_patterns + global_patterns = read_configuration_file('global-patterns.toml') + if 'pattern' in global_patterns: + global_patterns = global_patterns['pattern'] + else: + global_patterns = [] + + if 'username_wordlist' in service_scans_config: + if isinstance(service_scans_config['username_wordlist'], str): + username_wordlist = service_scans_config['username_wordlist'] + + if 'password_wordlist' in service_scans_config: + if isinstance(service_scans_config['password_wordlist'], str): + password_wordlist = service_scans_config['password_wordlist'] + + return True -if 'password_wordlist' in service_scans_config: - if isinstance(service_scans_config['password_wordlist'], str): - password_wordlist = service_scans_config['password_wordlist'] async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE): address = target.address @@ -188,11 +215,13 @@ async def run_cmd(semaphore, cmd, target, tag='?', patterns=[]): address = target.address scandir = target.scandir - info('Running task {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{cmd}{rst}' if verbose >= 1 else '')) + info('Running task {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{cmd}{rst}.' if verbose >= 1 else '.')) async with target.lock: with open(os.path.join(scandir, '_commands.log'), 'a') as file: file.writelines(e('{cmd}\n\n')) + + # TODO: check extended service scanning requested? process = await asyncio.create_subprocess_shell(cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash') @@ -204,12 +233,12 @@ async def run_cmd(semaphore, cmd, target, tag='?', patterns=[]): await process.wait() if process.returncode != 0: - error('Task {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}') + error('Task {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}.') async with target.lock: with open(os.path.join(scandir, '_errors.log'), 'a') as file: file.writelines(e('[*] Task {tag} returned non-zero exit code: {process.returncode}. Command: {cmd}\n')) else: - info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully') + info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully.') return {'returncode': process.returncode, 'name': 'run_cmd'} @@ -289,14 +318,14 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None address = target.address scandir = target.scandir - nmap_extra = nmap + nmap_extra = nmap_default_options ports = '' if port_scan is not None: command = e(port_scan[0]) pattern = port_scan[1] - info('Running port scan {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}' if verbose >= 1 else '')) + info('Running port scan {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}.' if verbose >= 1 else '.')) async with target.lock: with open(os.path.join(scandir, '_commands.log'), 'a') as file: @@ -310,9 +339,9 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None ] results = await asyncio.gather(*output) - + await process.wait() - + if process.returncode != 0: error('Port scan {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}') async with target.lock: @@ -331,7 +360,7 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None command = e(service_detection[0]) pattern = service_detection[1] - info('Running service detection {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}' if verbose >= 1 else '')) + info('Running service detection {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}.' if verbose >= 1 else '.')) async with target.lock: with open(os.path.join(scandir, '_commands.log'), 'a') as file: @@ -354,7 +383,7 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None with open(os.path.join(scandir, '_errors.log'), 'a') as file: file.writelines(e('[*] Service detection {tag} returned non-zero exit code: {process.returncode}. Command: {command}\n')) else: - info('Service detection {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully') + info('Service detection {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully.') services = results[0] @@ -386,7 +415,6 @@ async def scan_services(loop, semaphore, target): for task in done: result = task.result() - if result['returncode'] == 0: if result['name'] == 'run_portscan': for service_tuple in result['services']: @@ -399,15 +427,15 @@ async def scan_services(loop, semaphore, target): port = service_tuple[1] service = service_tuple[2] - info('Found {bmagenta}{service}{rst} on {bmagenta}{protocol}/{port}{rst} on target {byellow}{address}{rst}') + info('Port {bmagenta}{protocol} {port}{rst} ({bmagenta}{service}{rst}) open on target {byellow}{address}{rst}.') with open(os.path.join(target.reportdir, 'notes.txt'), 'a') as file: - file.writelines(e('[*] {service} found on {protocol}/{port}.\n\n\n\n')) + file.writelines(e('[*] Port {protocol} {port} ({service}) open on {address}.\n\n\n\n')) if protocol == 'udp': - nmap_extra = nmap + " -sU" + nmap_extra = nmap_default_options + " -sU" else: - nmap_extra = nmap + nmap_extra = nmap_default_options secure = True if 'ssl' in service or 'tls' in service else False @@ -443,6 +471,20 @@ async def scan_services(loop, semaphore, target): if not matched_service: continue + # NOTE: change for saving results in directories per service + if not service_scan == 'all-services': + category = '{0}/'.format(service_scan) + else: + category = '' + + try: + servicedir = os.path.join(scandir, category) + if not os.path.exists(servicedir): os.mkdir(servicedir) + xmldir = os.path.join(scandir, 'xml', category) + if not os.path.exists(xmldir): os.mkdir(xmldir) + except OSError: + category = '' + if 'manual' in service_scans_config[service_scan]: heading = False with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file: @@ -514,14 +556,17 @@ async def scan_services(loop, semaphore, target): pending.add(asyncio.ensure_future(run_cmd(semaphore, e(command), target, tag=tag, patterns=patterns))) def scan_host(target, concurrent_scans): - info('Scanning target {byellow}{target.address}{rst}') - + info('Scanning target {byellow}{target.address}{rst}.') + basedir = os.path.abspath(os.path.join(outdir, target.address + srvname)) target.basedir = basedir os.makedirs(basedir, exist_ok=True) exploitdir = os.path.abspath(os.path.join(basedir, 'exploit')) os.makedirs(exploitdir, exist_ok=True) + + exploitdir = os.path.abspath(os.path.join(basedir, 'privilege_escalation')) + os.makedirs(exploitdir, exist_ok=True) lootdir = os.path.abspath(os.path.join(basedir, 'loot')) os.makedirs(lootdir, exist_ok=True) @@ -529,6 +574,8 @@ def scan_host(target, concurrent_scans): reportdir = os.path.abspath(os.path.join(basedir, 'report')) target.reportdir = reportdir os.makedirs(reportdir, exist_ok=True) + f = open(os.path.join(reportdir, 'notes.txt'), 'w') + f.close() screenshotdir = os.path.abspath(os.path.join(reportdir, 'screenshots')) os.makedirs(screenshotdir, exist_ok=True) @@ -553,10 +600,68 @@ def scan_host(target, concurrent_scans): try: loop.run_until_complete(scan_services(loop, semaphore, target)) - info('Finished scanning target {byellow}{target.address}{rst}') + info('Finished scanning target {byellow}{target.address}{rst}.') except KeyboardInterrupt: sys.exit(1) + +''' Reads a list of targets from a file + +''' +def read_targets_from_file(filename, targets, disable_sanity_checks): + + if not os.path.isfile(filename): + error('The file {filename} with target information was not found.') + return (targets, True) + + try: + with open(filename, 'r') as f: + entries = f.read() + except OSError: + error('The file {filename} with target information could not be read.') + return (targets, True) + + + error = False + for ip in entries.split('\n'): + if ip.startswith('#') or len(ip) == 0: continue + + targets, failed = get_ip_address(ip, targets, disable_sanity_checks) + if failed: error = True + + return (targets, error) + + +def get_ip_address(target, targets, disable_sanity_checks): + + errors = False + try: + ip = str(ipaddress.ip_address(target)) + + if ip not in targets: + targets.append(ip) + except ValueError: + try: + target_range = ipaddress.ip_network(target, strict=False) + if not disable_sanity_checks and target_range.num_addresses > 256: + error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.') + errors = True + else: + for ip in target_range.hosts(): + ip = str(ip) + if ip not in targets: + targets.append(ip) + except ValueError: + try: + ip = socket.gethostbyname(target) + if target not in targets: + targets.append(target) + except socket.gaierror: + warn(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.') + + return (targets, errors) + + class Target: def __init__(self, address): self.address = address @@ -569,19 +674,24 @@ class Target: if __name__ == '__main__': parser = argparse.ArgumentParser(description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.') - parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs="+") + parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs="*") parser.add_argument('-ct', '--concurrent-targets', action='store', metavar='', type=int, default=5, help='The maximum number of target hosts to scan concurrently. Default: %(default)s') parser.add_argument('-cs', '--concurrent-scans', action='store', metavar='', type=int, default=10, help='The maximum number of scans to perform per target host. Default: %(default)s') parser.add_argument('--profile', action='store', default='default', help='The port scanning profile to use (defined in port-scan-profiles.toml). Default: %(default)s') parser.add_argument('-o', '--output', action='store', default='results', help='The output directory for results. Default: %(default)s') nmap_group = parser.add_mutually_exclusive_group() - nmap_group.add_argument('--nmap', action='store', default='-vv --reason -Pn', help='Override the {nmap_extra} variable in scans. Default: %(default)s') + nmap_group.add_argument('--nmap', action='store', default=nmap_default_options, help='Override the {nmap_extra} variable in scans. Default: %(default)s') nmap_group.add_argument('--nmap-append', action='store', default='', help='Append to the default {nmap_extra} variable in scans.') + parser.add_argument('-r', '--read', action='store', type=str, default='', dest='target_file', help='Read targets from file.') parser.add_argument('-v', '--verbose', action='count', default=0, help='Enable verbose output. Repeat for more verbosity.') parser.add_argument('--disable-sanity-checks', action='store_true', default=False, help='Disable sanity checks that would otherwise prevent the scans from running.') + parser.add_argument('--skip-service-scan', action='store_true', default=False, help='Do not perfom extended service scanning but only protocol commands.') parser.error = lambda s: fail(s[0].upper() + s[1:]) args = parser.parse_args() + config_loaded = get_configuration() + if not config_loaded: sys.exit(-1) + errors = False if args.concurrent_targets <= 0: @@ -639,48 +749,26 @@ if __name__ == '__main__': error('Argument --profile: must reference a port scan profile defined in {port_scan_profiles_config_file}. No such profile found: {port_scan_profile}') errors = True - nmap = args.nmap + nmap_default_options = args.nmap if args.nmap_append: - nmap += " " + args.nmap_append + nmap_default_options += " " + args.nmap_append outdir = args.output srvname = '' verbose = args.verbose - if len(args.targets) == 0: + if len(args.targets) == 0 and not len(args.target_file): error('You must specify at least one target to scan!') errors = True targets = [] for target in args.targets: - try: - ip = str(ipaddress.ip_address(target)) + targets, failed = get_ip_address(target, targets, args.disable_sanity_checks) + if failed: errors = True - if ip not in targets: - targets.append(ip) - except ValueError: - - try: - target_range = ipaddress.ip_network(target, strict=False) - if not args.disable_sanity_checks and target_range.num_addresses > 256: - error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.') - errors = True - else: - for ip in target_range.hosts(): - ip = str(ip) - if ip not in targets: - targets.append(ip) - except ValueError: - - try: - ip = socket.gethostbyname(target) - - if target not in targets: - targets.append(target) - except socket.gaierror: - error(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.') - errors = True + if len(args.target_file) > 0: + targets, errors = read_targets_from_file(args.target_file, targets, args.disable_sanity_checks) if not args.disable_sanity_checks and len(targets) > 256: error('A total of ' + str(len(targets)) + ' targets would be scanned. If this is correct, re-run with the --disable-sanity-checks option to suppress this check.') @@ -689,6 +777,7 @@ if __name__ == '__main__': if errors: sys.exit(1) + start_timer = datetime.now().strftime('%H:%M:%S') with ProcessPoolExecutor(max_workers=args.concurrent_targets) as executor: futures = [] @@ -704,3 +793,8 @@ if __name__ == '__main__': future.cancel() executor.shutdown(wait=False) sys.exit(1) + end_timer = datetime.now().strftime('%H:%M:%S') + tdelta = datetime.strptime(end_timer, '%H:%M:%S') - datetime.strptime(start_timer, '%H:%M:%S') + print('\nScanning completed in {}.'.format(tdelta)) + + diff --git a/config/config.toml b/config/config.toml new file mode 100644 index 0000000..f1fde57 --- /dev/null +++ b/config/config.toml @@ -0,0 +1,42 @@ +# configuration for program paths +[applications] + + nmap = '/usr/bin/nmap' + + # password brute-forcing programs + hydra = '/usr/bin/hydra' + medusa = '/usr/bin/medusa' + patator = '/usr/bin/patator' + + # programs for web servers and application + sslscan = '/usr/bin/sslscan' + curl = '/usr/bin/curl' + dirb = '/usr/bin/dirb' + wkhtmltoimage = '/usr/bin/wkhtmltoimage' + whatweb = '/usr/bin/whatweb' + nikto = '/usr/bin/nikto' + gobuster = '/usr/bin/gobuster' + wpscan = '/usr/local/bin/wpscan' + dirsearch = '' + + # Oracle programs + tnscmd10g = '/usr/bin/tnscmd10g' + oscanner = '/usr/bin/oscanner' + odat = '/usr/bin/python odat.py' + + # RPC programs + rpcclient = '/usr/bin/rpcclient' + + # SMB programs + enum4linux = '/usr/bin/enum4linux' + smbclient = '/usr/bin/smbclient' + smbmap = '/usr/bin/smbmap' + smb_version = '/usr/local/bin/get_smb_version' + + # SMTP programs + smtp-user-enum = '/usr/bin/smtp-user-enum' + + # SNMP programs + onesixtyone = '/usr/bin/onesixtyone' + snmpwalk = '/usr/bin/snmpwalk' + diff --git a/config/port-scan-profiles.toml b/config/port-scan-profiles.toml index 31cf8ba..b028949 100644 --- a/config/port-scan-profiles.toml +++ b/config/port-scan-profiles.toml @@ -3,19 +3,19 @@ [default.nmap-quick] [default.nmap-quick.service-detection] - command = 'nmap {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' [default.nmap-full-tcp] [default.nmap-full-tcp.service-detection] - command = 'nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' [default.nmap-top-20-udp] [default.nmap-top-20-udp.service-detection] - command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' [quick] @@ -23,13 +23,13 @@ [quick.nmap-quick] [quick.nmap-quick.service-detection] - command = 'nmap {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' [quick.nmap-top-20-udp] [quick.nmap-top-20-udp.service-detection] - command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' [udp] @@ -41,5 +41,16 @@ pattern = '^UDP open\s*[\w-]+\[\s*(?P\d+)\].*$' [udp.udp-top-20.service-detection] - command = 'nmap {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' + + +[debug] + + [debug.nmap-quick] + + [debug.nmap-quick.service-detection] + command = '{nmap} {nmap_extra} --top-ports 10 -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' + pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' + + diff --git a/config/service-scans.toml b/config/service-scans.toml index cc1d5be..32dc974 100644 --- a/config/service-scans.toml +++ b/config/service-scans.toml @@ -10,7 +10,7 @@ service-names = [ [[all-services.scan]] name = 'sslscan' - command = 'if [ "{secure}" == "True" ]; then sslscan --show-certificate --no-colour {address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_sslscan.txt"; fi' + command = 'if [ "{secure}" == "True" ]; then {sslscan} --show-certificate --no-colour {address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_sslscan.txt"; fi' [cassandra] @@ -20,7 +20,7 @@ service-names = [ [[cassandra.scan]] name = 'nmap-cassandra' - command = 'nmap {nmap_extra} -sV -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_cassandra_nmap.xml" {address}' [cups] @@ -30,7 +30,7 @@ service-names = [ [[cups.scan]] name = 'nmap-cups' - command = 'nmap {nmap_extra} -sV -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_cups_nmap.xml" {address}' [distcc] @@ -40,7 +40,7 @@ service-names = [ [[distcc.scan]] name = 'nmap-distcc' - command = 'nmap {nmap_extra} -sV -p {port} --script="distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{category}{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_distcc_nmap.xml" {address}' [dns] @@ -50,7 +50,7 @@ service-names = [ [[dns.scan]] name = 'nmap-dns' - command = 'nmap {nmap_extra} -sV -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_dns_nmap.xml" {address}' [finger] @@ -59,8 +59,8 @@ service-names = [ ] [[finger.scan]] - nmap = 'nmap-finger' - command = 'nmap {nmap_extra} -sV -p {port} --script="finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}' + name = 'nmap-finger' + command = '{nmap} {nmap_extra} -sV -p {port} --script="finger" -oN "{scandir}/{category}{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_finger_nmap.xml" {address}' [ftp] @@ -71,7 +71,7 @@ service-names = [ [[ftp.scan]] name = 'nmap-ftp' - command = 'nmap {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ftp_nmap.xml" {address}' [[ftp.scan.pattern]] description = 'Anonymous FTP Enabled!' @@ -80,8 +80,8 @@ service-names = [ [[ftp.manual]] description = 'Bruteforce logins:' commands = [ - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' + '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_ftp_hydra.txt" ftp://{address}', + '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' ] [http] @@ -96,7 +96,7 @@ ignore-service-names = [ [[http.scan]] name = 'nmap-http' - command = 'nmap {nmap_extra} -sV -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{scheme}_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_{scheme}_nmap.xml" {address}' [[http.scan.pattern]] description = 'Identified HTTP Server: {match}' @@ -108,65 +108,65 @@ ignore-service-names = [ [[http.scan]] name = 'curl-index' - command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_index.html"' + command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_index.html"' [[http.scan.pattern]] pattern = '(?i)Powered by [^\n]+' [[http.scan]] name = 'curl-robots' - command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_robots.txt"' + command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_robots.txt"' [[http.scan]] name = 'wkhtmltoimage' - command = 'if hash wkhtmltoimage 2> /dev/null; then wkhtmltoimage --format png {scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{scheme}_screenshot.png; fi' + command = 'if hash {wkhtmltoimage} 2> /dev/null; then {wkhtmltoimage} --format png {scheme}://{address}:{port}/ {scandir}/{category}{protocol}_{port}_{scheme}_screenshot.png; fi' [[http.scan]] name = 'whatweb' - command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"' + command = '{whatweb} --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_whatweb.txt"' [[http.scan]] name = 'nikto' - command = 'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"' + command = '{nikto} -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_nikto.txt"' [[http.scan]] name = 'gobuster' - command = 'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,403" -x "txt,html,php,asp,aspx" 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_gobuster.txt"' + command = '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,403" -x "txt,html,php,asp,aspx" 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster.txt"' [[http.manual]] description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:' commands = [ - 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_big.txt"', - 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"' + 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{category}{protocol}_{port}_{scheme}_dirsearch_big.txt"', + 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{category}{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"' ] [[http.manual]] description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists (same as dirsearch above):' commands = [ - 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt', - 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt' + 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{category}{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt', + 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{category}{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt' ] [[http.manual]] description = '(gobuster) Directory/file enumeration for web servers using various wordlists (same as dirb above):' commands = [ - 'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"', - 'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"' + '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster_big.txt"', + '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"' ] [[http.manual]] description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):' commands = [ - 'wpscan --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_wpscan.txt"' + '{wpscan} --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_wpscan.txt"' ] [[http.manual]] description = "Credential bruteforcing commands (don't run these without modifying them):" commands = [ - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area', - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"', + '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area', + '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area', + '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', + '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"', ] [imap] @@ -177,7 +177,7 @@ service-names = [ [[imap.scan]] name = 'nmap-imap' - command = 'nmap {nmap_extra} -sV -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_imap_nmap.xml" {address}' [kerberos] @@ -188,7 +188,7 @@ service-names = [ [[kerberos.scan]] name = 'nmap-kerberos' - command = 'nmap {nmap_extra} -sV -p {port} --script="krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="krb5-enum-users" -oN "{scandir}/{category}{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_kerberos_nmap.xml" {address}' [ldap] @@ -198,11 +198,11 @@ service-names = [ [[ldap.scan]] name = 'nmap-ldap' - command = 'nmap {nmap_extra} -sV -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ldap_nmap.xml" {address}' [[ldap.scan]] name = 'enum4linux' - command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"' + command = '{enum4linux} -a -M -l -d {address} 2>&1 | tee "{scandir}/{category}enum4linux.txt"' run_once = true ports.tcp = [139, 389, 445] ports.udp = [137] @@ -215,7 +215,7 @@ service-names = [ [[mongodb.scan]] name = 'nmap-mongodb' - command = 'nmap {nmap_extra} -sV -p {port} --script="mongodb*" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="mongodb*" -oN "{scandir}/{category}{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mongodb_nmap.xml" {address}' [mssql] @@ -226,7 +226,7 @@ service-names = [ [[mssql.scan]] name = 'nmap-mssql' - command = 'nmap {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{category}{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mssql_nmap.xml" {address}' [[mssql.manual]] description = '(sqsh) interactive database shell' @@ -242,7 +242,7 @@ service-names = [ [[mysql.scan]] name = 'nmap-mysql' - command = 'nmap {nmap_extra} -sV -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mysql_nmap.xml" {address}' [nfs] @@ -253,7 +253,7 @@ service-names = [ [[nfs.scan]] name = 'nmap-nfs' - command = 'nmap {nmap_extra} -sV -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_nfs_nmap.xml" {address}' [nntp] @@ -263,7 +263,7 @@ service-names = [ [[nntp.scan]] name = 'nmap-nntp' - command = 'nmap {nmap_extra} -sV -p {port} --script="nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="nntp-ntlm-info" -oN "{scandir}/{category}{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_nntp_nmap.xml" {address}' [oracle] @@ -273,43 +273,43 @@ service-names = [ [[oracle.scan]] name = 'nmap-oracle' - command = 'nmap {nmap_extra} -sV -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_oracle_nmap.xml" {address}' [[oracle.scan]] name = 'oracle-tnscmd-ping' - command = 'tnscmd10g ping -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_ping.txt"' + command = 'tnscmd10g ping -h {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_ping.txt"' [[oracle.scan]] name = 'oracle-tnscmd-version' - command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"' + command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_version.txt"' [[oracle.scan]] name = 'oracle-tnscmd-version' - command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"' + command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_version.txt"' [[oracle.scan]] name = 'oracle-scanner' - command = 'oscanner -v -s {address} -P {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_scanner.txt"' + command = 'oscanner -v -s {address} -P {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_scanner.txt"' [[oracle.manual]] description = 'Brute-force SIDs using Nmap' - command = 'nmap {nmap_extra} -sV -p {port} --script="oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="oracle-sid-brute" -oN "{scandir}/{category}{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}' [[oracle.manual]] description = 'Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:' commands = [ - 'python odat.py tnscmd -s {address} -p {port} --ping', - 'python odat.py tnscmd -s {address} -p {port} --version', - 'python odat.py tnscmd -s {address} -p {port} --status', - 'python odat.py sidguesser -s {address} -p {port}', - 'python odat.py passwordguesser -s {address} -p {port} -d --accounts-file accounts/accounts_multiple.txt', - 'python odat.py tnspoison -s {address} -p {port} -d --test-module' + '{odat} tnscmd -s {address} -p {port} --ping', + '{odat} tnscmd -s {address} -p {port} --version', + '{odat} tnscmd -s {address} -p {port} --status', + '{odat} sidguesser -s {address} -p {port}', + '{odat} passwordguesser -s {address} -p {port} -d --accounts-file accounts/accounts_multiple.txt', + '{odat} tnspoison -s {address} -p {port} -d --test-module' ] [[oracle.manual]] description = 'Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:' commands = [ - 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000' + '{patator} oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000' ] [pop3] @@ -320,7 +320,7 @@ service-names = [ [[pop3.scan]] name = 'nmap-pop3' - command = 'nmap {nmap_extra} -sV -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_pop3_nmap.xml" {address}' [rdp] @@ -332,13 +332,13 @@ service-names = [ [[rdp.scan]] name = 'nmap-rdp' - command = 'nmap {nmap_extra} -sV -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rdp_nmap.xml" {address}' [[rdp.manual]] description = 'Bruteforce logins:' commands = [ - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' + '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_rdp_hydra.txt" rdp://{address}', + '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' ] [rmi] @@ -350,7 +350,7 @@ service-names = [ [[rmi.scan]] name = 'nmap-rmi' - command = 'nmap {nmap_extra} -sV -p {port} --script="rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{category}{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rmi_nmap.xml" {address}' [rpc] @@ -362,12 +362,12 @@ service-names = [ [[rpc.scan]] name = 'nmap-msrpc' - command = 'nmap {nmap_extra} -sV -p {port} --script="msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{category}{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rpc_nmap.xml" {address}' [[rpc.manual]] description = 'RPC Client:' commands = [ - 'rpcclient -p {port} -U "" {address}' + '{rpcclient} -p {port} -U "" {address}' ] [sip] @@ -378,7 +378,7 @@ service-names = [ [[sip.scan]] name = 'nmap-sip' - command = 'nmap {nmap_extra} -sV -p {port} --script="sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="sip-enum-users,sip-methods" -oN "{scandir}/{category}{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_sip_nmap.xml" {address}' [[sip.scan]] name = 'svwar' @@ -392,13 +392,13 @@ service-names = [ [[ssh.scan]] name = 'nmap-ssh' - command = 'nmap {nmap_extra} -sV -p {port} --script="ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{category}{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ssh_nmap.xml" {address}' [[ssh.manual]] description = 'Bruteforce logins:' commands = [ - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' + '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_ssh_hydra.txt" ssh://{address}', + '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' ] [smb] @@ -410,45 +410,52 @@ service-names = [ [[smb.scan]] name = 'nmap-smb' - command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_nmap.xml" {address}' + [[smb.scan]] + name = 'smbclient' + command = '{smbclient} -L\\ -N -I {address} 2>&1 | tee "{scandir}/{category}smbclient.txt"' + run_once = true + ports.tcp = [139, 445] + + [[smb.scan]] + name = 'smb-version' + command = '{smb_version} {address} -P {port} | head -n 1 | tee -a "{scandir}/{category}smb-version.txt"' + run_once = true + ports.tcp = [139, 445] + + [[smb.scan]] + name = 'smbmap-share-permissions' + command = '{smbmap} -H {address} -P {port} 2>&1 | tee -a "{scandir}/{category}smbmap-share-permissions.txt"; {smbmap} -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/{category}smbmap-share-permissions.txt"' + + [[smb.scan]] + name = 'smbmap-list-contents' + command = '{smbmap} -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/{category}smbmap-list-contents.txt"; {smbmap} -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/{category}smbmap-list-contents.txt"' + + [[smb.scan]] + name = 'smbmap-execute-command' + command = '{smbmap} -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/{category}smbmap-execute-command.txt"; {smbmap} -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/{category}smbmap-execute-command.txt"' + [[smb.scan]] name = 'enum4linux' - command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"' + command = '{enum4linux} -a -M -l -d {address} 2>&1 | tee "{scandir}/{category}enum4linux.txt"' run_once = true ports.tcp = [139, 389, 445] ports.udp = [137] [[smb.scan]] name = 'nbtscan' - command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"' + command = '{nbtscan} -rvh {address} 2>&1 | tee "{scandir}/{category}nbtscan.txt"' run_once = true ports.udp = [137] - [[smb.scan]] - name = 'smbclient' - command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"' - run_once = true - ports.tcp = [139, 445] - - [[smb.scan]] - name = 'smbmap-share-permissions' - command = 'smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"' - - [[smb.scan]] - name = 'smbmap-list-contents' - command = 'smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"' - - [[smb.scan]] - name = 'smbmap-execute-command' - command = 'smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"' [[smb.manual]] - description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:' + description = '{nmap} scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:' commands = [ - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}', - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}', - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}' + '{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms06-025.xml" {address}', + '{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms07-029.xml" {address}', + '{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms08-067.xml" {address}' ] [smtp] @@ -459,11 +466,11 @@ service-names = [ [[smtp.scan]] name = 'nmap-smtp' - command = 'nmap {nmap_extra} -sV -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smtp_nmap.xml" {address}' [[smtp.scan]] name = 'smtp-user-enum' - command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_smtp_user-enum.txt"' + command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_smtp_user-enum.txt"' [snmp] @@ -473,59 +480,59 @@ service-names = [ [[snmp.scan]] name = 'nmap-snmp' - command = 'nmap {nmap_extra} -sV -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_snmp_nmap.xml" {address}' [[snmp.scan]] name = 'onesixtyone' - command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt -dd {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_onesixtyone.txt"' + command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt -dd {address} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_onesixtyone.txt"' run_once = true ports.udp = [161] [[snmp.scan]] name = 'snmpwalk' - command = 'snmpwalk -c public -v 1 {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk.txt"' + command = '{snmpwalk} -c public -v 1 {address} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk.txt"' run_once = true ports.udp = [161] [[snmp.scan]] name = 'snmpwalk-system-processes' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_system_processes.txt"' + command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_system_processes.txt"' run_once = true ports.udp = [161] [[snmp.scan]] name = 'snmpwalk-running-processes' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt"' + command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_running_processes.txt"' run_once = true ports.udp = [161] [[snmp.scan]] name = 'snmpwalk-process-paths' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_process_paths.txt"' + command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_process_paths.txt"' run_once = true ports.udp = [161] [[snmp.scan]] name = 'snmpwalk-storage-units' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_storage_units.txt"' + command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_storage_units.txt"' run_once = true ports.udp = [161] [[snmp.scan]] name = 'snmpwalk-software-names' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_software_names.txt"' + command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_software_names.txt"' run_once = true ports.udp = [161] [[snmp.scan]] name = 'snmpwalk-user-accounts' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"' + command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"' run_once = true ports.udp = [161] [[snmp.scan]] name = 'snmpwalk-tcp-ports' - command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"' + command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"' run_once = true ports.udp = [161] @@ -537,7 +544,7 @@ service-names = [ [[telnet.scan]] name = 'nmap-telnet' - command = 'nmap {nmap_extra} -sV -p {port} --script="telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{category}{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_telnet_nmap.xml" {address}' [tftp] @@ -547,7 +554,7 @@ service-names = [ [[tftp.scan]] name = 'nmap-tftp' - command = 'nmap {nmap_extra} -sV -p {port} --script="tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="tftp-enum" -oN "{scandir}/{category}{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_tftp_nmap.xml" {address}' [vnc] @@ -557,4 +564,4 @@ service-names = [ [[vnc.scan]] name = 'nmap-vnc' - command = 'nmap {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_vnc_nmap.xml" {address}'