From 7a098537387e1226a4cac100cc1a958cc19294c4 Mon Sep 17 00:00:00 2001 From: svo80 Date: Sun, 28 Apr 2019 06:47:46 +0200 Subject: [PATCH] Targets can be read from a file.\nList of invoked applications is saved in a config file, and a sanity check is performed. Also now use absolute paths for security reasons.\nScan results are saved according to service.\nTotal scan time is indicated to tweak performance.\nSome additional minor modifications as well as changes in the config file. --- autorecon.py | 248 +++++++++++++++++++++++---------- config/config.toml | 42 ++++++ config/port-scan-profiles.toml | 23 ++- config/service-scans.toml | 207 ++++++++++++++------------- 4 files changed, 337 insertions(+), 183 deletions(-) create mode 100644 config/config.toml diff --git a/autorecon.py b/autorecon.py index 41144f8..da143a3 100644 --- a/autorecon.py +++ b/autorecon.py @@ -16,17 +16,19 @@ import os import re import socket import string +from datetime import datetime import sys import toml verbose = 0 -nmap = '-vv --reason -Pn' +nmap_default_options = '--reason -Pn' srvname = '' port_scan_profile = None port_scan_profiles_config = None service_scans_config = None global_patterns = [] +applications = {} username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt' @@ -70,9 +72,11 @@ def cprint(*args, color=Fore.RESET, char='*', sep=' ', end='\n', frame_index=1, vals.update(frame.f_locals) vals.update(kvargs) + clock = datetime.now().strftime('%H:%M:%S') + clock = sep + '[' + Style.BRIGHT + Fore.YELLOW + clock + Style.NORMAL + Fore.RESET + ']' unfmt = '' if char is not None: - unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + sep + unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + clock + sep unfmt += sep.join(args) fmted = unfmt 
@@ -104,40 +108,63 @@ def fail(*args, sep=' ', end='\n', file=sys.stderr, **kvargs): cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) exit(-1) -port_scan_profiles_config_file = 'port-scan-profiles.toml' -with open(os.path.join(rootdir, 'config', port_scan_profiles_config_file), 'r') as p: + +''' Reads a configuration file, and saves the data to a dictionary + + @replace_values Dictionary with values that should be replaced in the configuration file +''' +def read_configuration_file(filename, replace_values = {}): + data = {} try: - port_scan_profiles_config = toml.load(p) + with open(os.path.join(rootdir, 'config', filename), 'r') as f: + data = f.read() - if len(port_scan_profiles_config) == 0: - fail('There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file.') + for entry in replace_values: + data = re.sub('{' +entry + '}', replace_values[entry], data) + data = toml.loads(data) + except (OSError, toml.decoder.TomlDecodeError) as e: + fail('Error: The configuration file (unknown) could not be read.') - except toml.decoder.TomlDecodeError as e: - fail('Error: Couldn\'t parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags.') + return data -with open(os.path.join(rootdir, 'config', 'service-scans.toml'), 'r') as c: - try: - service_scans_config = toml.load(c) - except toml.decoder.TomlDecodeError as e: - fail('Error: Couldn\'t parse service-scans.toml config file. Check syntax and duplicate tags.') -with open(os.path.join(rootdir, 'config', 'global-patterns.toml'), 'r') as p: - try: - global_patterns = toml.load(p) - if 'pattern' in global_patterns: - global_patterns = global_patterns['pattern'] - else: - global_patterns = [] - except toml.decoder.TomlDecodeError as e: - fail('Error: Couldn\'t parse global-patterns.toml config file. 
Check syntax and duplicate tags.') +def get_configuration(): + applications_config = read_configuration_file('config.toml') + if len(applications_config) > 0 and 'applications' in applications_config: + global applications + applications = applications_config['applications'] + for application in applications: + if not os.path.isfile(applications[application]): + warn('Warning: The application {application} was not found on the system in the specified path.') + else: + warn('Warning: The section for application paths was not found in the {application_config_file} configuration file.') -if 'username_wordlist' in service_scans_config: - if isinstance(service_scans_config['username_wordlist'], str): - username_wordlist = service_scans_config['username_wordlist'] + global port_scan_profiles_config + port_scan_profiles_config = read_configuration_file('port-scan-profiles.toml', applications) + if len(port_scan_profiles_config) == 0: + fail('There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file.') + return False + + global service_scans_config + service_scans_config = read_configuration_file('service-scans.toml', applications) + + global global_patterns + global_patterns = read_configuration_file('global-patterns.toml') + if 'pattern' in global_patterns: + global_patterns = global_patterns['pattern'] + else: + global_patterns = [] + + if 'username_wordlist' in service_scans_config: + if isinstance(service_scans_config['username_wordlist'], str): + username_wordlist = service_scans_config['username_wordlist'] + + if 'password_wordlist' in service_scans_config: + if isinstance(service_scans_config['password_wordlist'], str): + password_wordlist = service_scans_config['password_wordlist'] + + return True -if 'password_wordlist' in service_scans_config: - if isinstance(service_scans_config['password_wordlist'], str): - password_wordlist = service_scans_config['password_wordlist'] async def read_stream(stream, target, 
tag='?', patterns=[], color=Fore.BLUE): address = target.address @@ -188,11 +215,13 @@ async def run_cmd(semaphore, cmd, target, tag='?', patterns=[]): address = target.address scandir = target.scandir - info('Running task {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{cmd}{rst}' if verbose >= 1 else '')) + info('Running task {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{cmd}{rst}.' if verbose >= 1 else '.')) async with target.lock: with open(os.path.join(scandir, '_commands.log'), 'a') as file: file.writelines(e('{cmd}\n\n')) + + # TODO: check extended service scanning requested? process = await asyncio.create_subprocess_shell(cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash') @@ -204,12 +233,12 @@ async def run_cmd(semaphore, cmd, target, tag='?', patterns=[]): await process.wait() if process.returncode != 0: - error('Task {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}') + error('Task {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}.') async with target.lock: with open(os.path.join(scandir, '_errors.log'), 'a') as file: file.writelines(e('[*] Task {tag} returned non-zero exit code: {process.returncode}. Command: {cmd}\n')) else: - info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully') + info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully.') return {'returncode': process.returncode, 'name': 'run_cmd'} 
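Review bot: In `get_configuration()` the assignments `username_wordlist = ...` and `password_wordlist = ...` carry no `global` declaration, so they create function locals and the module-level wordlist paths are never overridden by service-scans.toml; add `global username_wordlist, password_wordlist` beside the other `global` statements. The `fail(...)` in the same function still interpolates `{port_scan_profiles_config_file}`, but this hunk removes the only definition of that name visible here, so the message cannot format unless the name is defined elsewhere out of view; spell the file name out, e.g. `fail('There do not appear to be any port scan profiles configured in the port-scan-profiles.toml config file.')`. In `read_configuration_file()` the call `re.sub('{' + entry + '}', replace_values[entry], data)` treats the configured application path as a regex replacement string, so a backslash in a value is reinterpreted; `data = data.replace('{' + entry + '}', replace_values[entry])` is the literal substitution intended, and the `(unknown)` in its error message should be `{filename}` so the operator learns which file failed. The path sanity check only tests `os.path.isfile`, which passes for a non-executable file; `os.path.isfile(p) and os.access(p, os.X_OK)` matches what the commit message promises. The hunk ends inside the `read_stream` signature, which continues below.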
@@ -289,14 +318,14 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None address = target.address scandir = target.scandir - nmap_extra = nmap + nmap_extra = nmap_default_options ports = '' if port_scan is not None: command = e(port_scan[0]) pattern = port_scan[1] - info('Running port scan {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}' if verbose >= 1 else '')) + info('Running port scan {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}.' if verbose >= 1 else '.')) async with target.lock: with open(os.path.join(scandir, '_commands.log'), 'a') as file: @@ -310,9 +339,9 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None ] results = await asyncio.gather(*output) - + await process.wait() - + if process.returncode != 0: error('Port scan {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}') async with target.lock: @@ -331,7 +360,7 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None command = e(service_detection[0]) pattern = service_detection[1] - info('Running service detection {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}' if verbose >= 1 else '')) + info('Running service detection {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}.' if verbose >= 1 else '.')) async with target.lock: with open(os.path.join(scandir, '_commands.log'), 'a') as file: 
@@ -354,7 +383,7 @@ async def run_portscan(semaphore, tag, target, service_detection, port_scan=None with open(os.path.join(scandir, '_errors.log'), 'a') as file: file.writelines(e('[*] Service detection {tag} returned non-zero exit code: {process.returncode}. Command: {command}\n')) else: - info('Service detection {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully') + info('Service detection {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully.') services = results[0] @@ -386,7 +415,6 @@ async def scan_services(loop, semaphore, target): for task in done: result = task.result() - if result['returncode'] == 0: if result['name'] == 'run_portscan': for service_tuple in result['services']: @@ -399,15 +427,15 @@ async def scan_services(loop, semaphore, target): port = service_tuple[1] service = service_tuple[2] - info('Found {bmagenta}{service}{rst} on {bmagenta}{protocol}/{port}{rst} on target {byellow}{address}{rst}') + info('Port {bmagenta}{protocol} {port}{rst} ({bmagenta}{service}{rst}) open on target {byellow}{address}{rst}.') with open(os.path.join(target.reportdir, 'notes.txt'), 'a') as file: - file.writelines(e('[*] {service} found on {protocol}/{port}.\n\n\n\n')) + file.writelines(e('[*] Port {protocol} {port} ({service}) open on {address}.\n\n\n\n')) if protocol == 'udp': - nmap_extra = nmap + " -sU" + nmap_extra = nmap_default_options + " -sU" else: - nmap_extra = nmap + nmap_extra = nmap_default_options secure = True if 'ssl' in service or 'tls' in service else False 
@@ -443,6 +471,20 @@ async def scan_services(loop, semaphore, target): if not matched_service: continue + # NOTE: change for saving results in directories per service + if not service_scan == 'all-services': + category = '{0}/'.format(service_scan) + else: + category = '' + + try: + servicedir = os.path.join(scandir, category) + if not os.path.exists(servicedir): os.mkdir(servicedir) + xmldir = os.path.join(scandir, 'xml', category) + if not os.path.exists(xmldir): os.mkdir(xmldir) + except OSError: + category = '' + if 'manual' in service_scans_config[service_scan]: heading = False with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file: @@ -514,14 +556,17 @@ async def scan_services(loop, semaphore, target): pending.add(asyncio.ensure_future(run_cmd(semaphore, e(command), target, tag=tag, patterns=patterns))) def scan_host(target, concurrent_scans): - info('Scanning target {byellow}{target.address}{rst}') - + info('Scanning target {byellow}{target.address}{rst}.') + basedir = os.path.abspath(os.path.join(outdir, target.address + srvname)) target.basedir = basedir os.makedirs(basedir, exist_ok=True) exploitdir = os.path.abspath(os.path.join(basedir, 'exploit')) os.makedirs(exploitdir, exist_ok=True) + + exploitdir = os.path.abspath(os.path.join(basedir, 'privilege_escalation')) + os.makedirs(exploitdir, exist_ok=True) lootdir = os.path.abspath(os.path.join(basedir, 'loot')) os.makedirs(lootdir, exist_ok=True) @@ -529,6 +574,8 @@ def scan_host(target, concurrent_scans): reportdir = os.path.abspath(os.path.join(basedir, 'report')) target.reportdir = reportdir os.makedirs(reportdir, exist_ok=True) + f = open(os.path.join(reportdir, 'notes.txt'), 'w') + f.close() screenshotdir = os.path.abspath(os.path.join(reportdir, 'screenshots')) os.makedirs(screenshotdir, exist_ok=True) 
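Review bot: The new directory creation pairs `os.path.exists` with `os.mkdir`, which differs from the `os.makedirs(..., exist_ok=True)` idiom `scan_host` uses and relies on a broad `except OSError` to fall back to a flat layout; `os.makedirs(servicedir, exist_ok=True)` and `os.makedirs(xmldir, exist_ok=True)` express the intent directly and keep the fallback for genuine failures only. The `service_scan` key is taken straight from service-scans.toml and becomes a path component under `scandir`, so a section name containing `/` or `..` would write results outside the target directory; the file is operator-controlled, but a comment such as `# service_scan is a config section name used as a directory; keep names free of path separators` makes that assumption explicit. `scan_services` starts and ends outside this hunk.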
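Review bot: Opening `notes.txt` with mode `'w'` truncates it on every run, so re-scanning a target (for instance with a different profile) erases the notes gathered earlier, while the rest of this function uses `exist_ok=True` precisely so repeated runs are additive and the writers in `scan_services` append. If the goal is only to guarantee the file exists, `open(os.path.join(reportdir, 'notes.txt'), 'a').close()` does that without discarding previous content, and the two-statement `f = open(...); f.close()` form should in any case become a single `with`/`close()` expression. `scan_host` continues outside this hunk.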
@@ -553,10 +600,68 @@ def scan_host(target, concurrent_scans): try: loop.run_until_complete(scan_services(loop, semaphore, target)) - info('Finished scanning target {byellow}{target.address}{rst}') + info('Finished scanning target {byellow}{target.address}{rst}.') except KeyboardInterrupt: sys.exit(1) + +''' Reads a list of targets from a file + +''' +def read_targets_from_file(filename, targets, disable_sanity_checks): + + if not os.path.isfile(filename): + error('The file (unknown) with target information was not found.') + return (targets, True) + + try: + with open(filename, 'r') as f: + entries = f.read() + except OSError: + error('The file (unknown) with target information could not be read.') + return (targets, True) + + + error = False + for ip in entries.split('\n'): + if ip.startswith('#') or len(ip) == 0: continue + + targets, failed = get_ip_address(ip, targets, disable_sanity_checks) + if failed: error = True + + return (targets, error) + + +def get_ip_address(target, targets, disable_sanity_checks): + + errors = False + try: + ip = str(ipaddress.ip_address(target)) + + if ip not in targets: + targets.append(ip) + except ValueError: + try: + target_range = ipaddress.ip_network(target, strict=False) + if not disable_sanity_checks and target_range.num_addresses > 256: + error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.') + errors = True + else: + for ip in target_range.hosts(): + ip = str(ip) + if ip not in targets: + targets.append(ip) + except ValueError: + try: + ip = socket.gethostbyname(target) + if target not in targets: + targets.append(target) + except socket.gaierror: + warn(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.') + + return (targets, errors) + + class Target: def __init__(self, address): self.address = address 
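Review bot: In `read_targets_from_file()` the assignment `error = False` makes `error` a local for the whole function, so the two `error('The file (unknown) ...')` calls above it raise `UnboundLocalError` instead of reporting a missing or unreadable target file; rename the flag, e.g. `had_error = False`, and use `{filename}` in those messages in place of `(unknown)`. Entries are produced by `entries.split('\n')` without stripping, so a CRLF file or trailing whitespace turns every line into a failed hostname lookup; iterate over `(line.strip() for line in entries.splitlines())` before the `#`/empty check. In `get_ip_address()` an unresolvable hostname is now only `warn`ed about and no longer sets `errors = True`, so a typo in a target silently drops it from the scan; if that downgrade is intentional, say so in a comment on the `warn(...)` line, otherwise restore `errors = True` there. The `Target` class at the end of the hunk continues outside it.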
@@ -569,19 +674,24 @@ class Target: if __name__ == '__main__': parser = argparse.ArgumentParser(description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.') - parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs="+") + parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs="*") parser.add_argument('-ct', '--concurrent-targets', action='store', metavar='', type=int, default=5, help='The maximum number of target hosts to scan concurrently. Default: %(default)s') parser.add_argument('-cs', '--concurrent-scans', action='store', metavar='', type=int, default=10, help='The maximum number of scans to perform per target host. Default: %(default)s') parser.add_argument('--profile', action='store', default='default', help='The port scanning profile to use (defined in port-scan-profiles.toml). Default: %(default)s') parser.add_argument('-o', '--output', action='store', default='results', help='The output directory for results. Default: %(default)s') nmap_group = parser.add_mutually_exclusive_group() - nmap_group.add_argument('--nmap', action='store', default='-vv --reason -Pn', help='Override the {nmap_extra} variable in scans. Default: %(default)s') + nmap_group.add_argument('--nmap', action='store', default=nmap_default_options, help='Override the {nmap_extra} variable in scans. Default: %(default)s') nmap_group.add_argument('--nmap-append', action='store', default='', help='Append to the default {nmap_extra} variable in scans.') + parser.add_argument('-r', '--read', action='store', type=str, default='', dest='target_file', help='Read targets from file.') parser.add_argument('-v', '--verbose', action='count', default=0, help='Enable verbose output. 
Repeat for more verbosity.') parser.add_argument('--disable-sanity-checks', action='store_true', default=False, help='Disable sanity checks that would otherwise prevent the scans from running.') + parser.add_argument('--skip-service-scan', action='store_true', default=False, help='Do not perfom extended service scanning but only protocol commands.') parser.error = lambda s: fail(s[0].upper() + s[1:]) args = parser.parse_args() + config_loaded = get_configuration() + if not config_loaded: sys.exit(-1) + errors = False if args.concurrent_targets <= 0: 
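Review bot: `--skip-service-scan` is added to the parser, but nothing in this patch reads `args.skip_service_scan` (the only trace is the `# TODO` left in `run_cmd`), so the flag is accepted and silently ignored; either wire it into `scan_services` or leave it out until the behaviour exists. Its help string also has a typo: `help='Do not perform extended service scanning but only protocol commands.'`. The `--nmap` default now follows `nmap_default_options`, which drops `-vv` relative to the previous hard-coded `'-vv --reason -Pn'`; that is a user-visible change in every nmap invocation and deserves a line in the commit message. The `__main__` block continues outside this hunk.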
@@ -639,48 +749,26 @@ if __name__ == '__main__': error('Argument --profile: must reference a port scan profile defined in {port_scan_profiles_config_file}. No such profile found: {port_scan_profile}') errors = True - nmap = args.nmap + nmap_default_options = args.nmap if args.nmap_append: - nmap += " " + args.nmap_append + nmap_default_options += " " + args.nmap_append outdir = args.output srvname = '' verbose = args.verbose - if len(args.targets) == 0: + if len(args.targets) == 0 and not len(args.target_file): error('You must specify at least one target to scan!') errors = True targets = [] for target in args.targets: - try: - ip = str(ipaddress.ip_address(target)) + targets, failed = get_ip_address(target, targets, args.disable_sanity_checks) + if failed: errors = True - if ip not in targets: - targets.append(ip) - except ValueError: - - try: - target_range = ipaddress.ip_network(target, strict=False) - if not args.disable_sanity_checks and target_range.num_addresses > 256: - error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.') - errors = True - else: - for ip in target_range.hosts(): - ip = str(ip) - if ip not in targets: - targets.append(ip) - except ValueError: - - try: - ip = socket.gethostbyname(target) - - if target not in targets: - targets.append(target) - except socket.gaierror: - error(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.') - errors = True + if len(args.target_file) > 0: + targets, errors = read_targets_from_file(args.target_file, targets, args.disable_sanity_checks) if not args.disable_sanity_checks and len(targets) > 256: error('A total of ' + str(len(targets)) + ' targets would be scanned. If this is correct, re-run with the --disable-sanity-checks option to suppress this check.') 
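Review bot: `targets, errors = read_targets_from_file(...)` overwrites the `errors` flag accumulated earlier in `__main__` (the argument checks and the per-target `get_ip_address` failures just above), so an invalid option value or an over-sized CIDR no longer aborts the run whenever the target file itself reads cleanly; merge the result instead with `targets, file_errors = read_targets_from_file(args.target_file, targets, args.disable_sanity_checks)` followed by `errors = errors or file_errors`. The sanity checks exist to stop an accidental wide scan before any process is spawned, so a flag that can be reset by a later step defeats them. `__main__` continues outside this hunk.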
@@ -689,6 +777,7 @@ if __name__ == '__main__': if errors: sys.exit(1) + start_timer = datetime.now().strftime('%H:%M:%S') with ProcessPoolExecutor(max_workers=args.concurrent_targets) as executor: futures = [] @@ -704,3 +793,8 @@ if __name__ == '__main__': future.cancel() executor.shutdown(wait=False) sys.exit(1) + end_timer = datetime.now().strftime('%H:%M:%S') + tdelta = datetime.strptime(end_timer, '%H:%M:%S') - datetime.strptime(start_timer, '%H:%M:%S') + print('\nScanning completed in {}.'.format(tdelta)) + + diff --git a/config/config.toml b/config/config.toml new file mode 100644 index 0000000..f1fde57 --- /dev/null +++ b/config/config.toml @@ -0,0 +1,42 @@ +# configuration for program paths +[applications] + + nmap = '/usr/bin/nmap' + + # password brute-forcing programs + hydra = '/usr/bin/hydra' + medusa = '/usr/bin/medusa' + patator = '/usr/bin/patator' + + # programs for web servers and application + sslscan = '/usr/bin/sslscan' + curl = '/usr/bin/curl' + dirb = '/usr/bin/dirb' + wkhtmltoimage = '/usr/bin/wkhtmltoimage' + whatweb = '/usr/bin/whatweb' + nikto = '/usr/bin/nikto' + gobuster = '/usr/bin/gobuster' + wpscan = '/usr/local/bin/wpscan' + dirsearch = '' + + # Oracle programs + tnscmd10g = '/usr/bin/tnscmd10g' + oscanner = '/usr/bin/oscanner' + odat = '/usr/bin/python odat.py' + + # RPC programs + rpcclient = '/usr/bin/rpcclient' + + # SMB programs + enum4linux = '/usr/bin/enum4linux' + smbclient = '/usr/bin/smbclient' + smbmap = '/usr/bin/smbmap' + smb_version = '/usr/local/bin/get_smb_version' + + # SMTP programs + smtp-user-enum = '/usr/bin/smtp-user-enum' + + # SNMP programs + onesixtyone = '/usr/bin/onesixtyone' + snmpwalk = '/usr/bin/snmpwalk' + diff --git a/config/port-scan-profiles.toml b/config/port-scan-profiles.toml index 31cf8ba..b028949 100644 --- a/config/port-scan-profiles.toml +++ b/config/port-scan-profiles.toml 
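Review bot: The elapsed time is computed by formatting both instants as `%H:%M:%S` and parsing them back, which discards the date: a scan that crosses midnight yields a negative `timedelta` (printed as `-1 day, 23:…`) and anything longer than 24 hours wraps. Keep the `datetime` objects instead — `start_timer = datetime.now()` in the previous hunk and `tdelta = datetime.now() - start_timer` here — and the existing `print('\nScanning completed in {}.'.format(tdelta))` then prints a correct duration. Note that the `sys.exit(1)` on the `KeyboardInterrupt` path just above runs before the timer line, so an interrupted scan prints no duration, which may be intended.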
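Review bot: The commit message says absolute paths are now used for security reasons, yet `odat = '/usr/bin/python odat.py'` is a command line whose `odat.py` is resolved relative to the current working directory, and `dirsearch = ''` is empty; both only trigger a warning from the `os.path.isfile` check in `get_configuration()` and are still spliced into the shell command as-is. Either point every entry at a single executable, e.g. `odat = '/usr/bin/odat'`, and drop unused keys, or state in a comment that a value may be a full command line and is then not validated. Because each value is substituted unquoted into the templates, a path containing whitespace is split by bash; a header comment such as `# Each value is the absolute path of one executable; it is inserted unquoted into scan commands, so avoid spaces` records the contract. `curl` and `dirsearch` are listed here, but the http scans later in this patch still invoke bare `curl` and `dirsearch`, so those commands bypass the absolute-path intent and the two files should be kept in step.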
@@ -3,19 +3,19 @@ [default.nmap-quick] [default.nmap-quick.service-detection] - command = 'nmap {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' [default.nmap-full-tcp] [default.nmap-full-tcp.service-detection] - command = 'nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' [default.nmap-top-20-udp] [default.nmap-top-20-udp.service-detection] - command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' [quick] 
@@ -23,13 +23,13 @@ [quick.nmap-quick] [quick.nmap-quick.service-detection] - command = 'nmap {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' [quick.nmap-top-20-udp] [quick.nmap-top-20-udp.service-detection] - command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' [udp] @@ -41,5 +41,16 @@ pattern = '^UDP open\s*[\w-]+\[\s*(?P\d+)\].*$' [udp.udp-top-20.service-detection] - command = 'nmap {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}' pattern = '^(?P\d+)\/(?P(udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' + + +[debug] + + [debug.nmap-quick] + + [debug.nmap-quick.service-detection] + command = '{nmap} {nmap_extra} --top-ports 10 -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}' + pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' + + diff --git a/config/service-scans.toml b/config/service-scans.toml index cc1d5be..32dc974 100644 --- a/config/service-scans.toml +++ b/config/service-scans.toml 
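Review bot: The new `[debug]` profile has no comment saying what it is for, and since its only scan runs `--top-ports 10` without `-sV`, the `service` capture presumably comes from nmap's port-number table rather than version probing, so the per-service scans it triggers are driven by guesses. A header above `[debug]` such as `# Minimal profile for exercising the pipeline quickly (top 10 TCP ports, no version detection); not intended for real enumeration.` keeps it from being mistaken for a production profile, and it would be worth confirming the `--profile` help text still lists it as an option.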
@@ -10,7 +10,7 @@ service-names = [ [[all-services.scan]] name = 'sslscan' - command = 'if [ "{secure}" == "True" ]; then sslscan --show-certificate --no-colour {address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_sslscan.txt"; fi' + command = 'if [ "{secure}" == "True" ]; then {sslscan} --show-certificate --no-colour {address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_sslscan.txt"; fi' [cassandra] @@ -20,7 +20,7 @@ service-names = [ [[cassandra.scan]] name = 'nmap-cassandra' - command = 'nmap {nmap_extra} -sV -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_cassandra_nmap.xml" {address}' [cups] @@ -30,7 +30,7 @@ service-names = [ [[cups.scan]] name = 'nmap-cups' - command = 'nmap {nmap_extra} -sV -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_cups_nmap.xml" {address}' [distcc] 
@@ -40,7 +40,7 @@ service-names = [ [[distcc.scan]] name = 'nmap-distcc' - command = 'nmap {nmap_extra} -sV -p {port} --script="distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{category}{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_distcc_nmap.xml" {address}' [dns] @@ -50,7 +50,7 @@ service-names = [ [[dns.scan]] name = 'nmap-dns' - command = 'nmap {nmap_extra} -sV -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_dns_nmap.xml" {address}' [finger] @@ -59,8 +59,8 @@ service-names = [ ] [[finger.scan]] - nmap = 'nmap-finger' - command = 'nmap {nmap_extra} -sV -p {port} --script="finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}' + name = 'nmap-finger' + command = '{nmap} {nmap_extra} -sV -p {port} --script="finger" -oN "{scandir}/{category}{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_finger_nmap.xml" {address}' [ftp] 
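Review bot: The `nmap-distcc` scan passes `--script-args="distcc-cve2004-2687.cmd=id"`, i.e. a command to be run on the target if it is vulnerable, so this entry crosses from enumeration into active exploitation, while every other automated section in this file explicitly excludes `brute`, `dos` and `external` scripts and nothing marks this one as different. Add a comment above the entry, e.g. `# NOTE: this script runs a command (id) on a vulnerable host; make sure the engagement scope allows active exploitation`, or move the command into a `[[distcc.manual]]` entry so it is written to `_manual_commands.txt` for the operator rather than executed automatically. The dns and finger hunks below are mechanical apart from the welcome `nmap =` to `name =` key fix.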
@@ -71,7 +71,7 @@ service-names = [ [[ftp.scan]] name = 'nmap-ftp' - command = 'nmap {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ftp_nmap.xml" {address}' [[ftp.scan.pattern]] description = 'Anonymous FTP Enabled!' @@ -80,8 +80,8 @@ service-names = [ [[ftp.manual]] description = 'Bruteforce logins:' commands = [ - 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', - 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' + '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_ftp_hydra.txt" ftp://{address}', + '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' ] [http] 
@@ -96,7 +96,7 @@ ignore-service-names = [ [[http.scan]] name = 'nmap-http' - command = 'nmap {nmap_extra} -sV -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{scheme}_nmap.xml" {address}' + command = '{nmap} {nmap_extra} -sV -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_{scheme}_nmap.xml" {address}' [[http.scan.pattern]] description = 'Identified HTTP Server: {match}' 
@@ -108,65 +108,65 @@ ignore-service-names = [
 [[http.scan]]
 name = 'curl-index'
- command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_index.html"'
+ command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_index.html"'
 [[http.scan.pattern]]
 pattern = '(?i)Powered by [^\n]+'
 [[http.scan]]
 name = 'curl-robots'
- command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_robots.txt"'
+ command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_robots.txt"'
 [[http.scan]]
 name = 'wkhtmltoimage'
- command = 'if hash wkhtmltoimage 2> /dev/null; then wkhtmltoimage --format png {scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{scheme}_screenshot.png; fi'
+ command = 'if hash {wkhtmltoimage} 2> /dev/null; then {wkhtmltoimage} --format png {scheme}://{address}:{port}/ {scandir}/{category}{protocol}_{port}_{scheme}_screenshot.png; fi'
 [[http.scan]]
 name = 'whatweb'
- command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'
+ command = '{whatweb} --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_whatweb.txt"'
 [[http.scan]]
 name = 'nikto'
- command = 'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"'
+ command = '{nikto} -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_nikto.txt"'
 [[http.scan]]
 name = 'gobuster'
- command = 'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,403" -x "txt,html,php,asp,aspx" 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_gobuster.txt"'
+ command = '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,403" -x "txt,html,php,asp,aspx" 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster.txt"'
 [[http.manual]]
 description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
 commands = [
- 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_big.txt"',
- 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"'
+ 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{category}{protocol}_{port}_{scheme}_dirsearch_big.txt"',
+ 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{category}{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"'
 ]
 [[http.manual]]
 description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists (same as dirsearch above):'
 commands = [
- 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt',
- 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt'
+ 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{category}{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt',
+ 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{category}{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt'
 ]
 [[http.manual]]
 description = '(gobuster) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
 commands = [
- 'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
- 'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
+ '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster_big.txt"',
+ '{gobuster} -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx" -o "{scandir}/{category}{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
 ]
 [[http.manual]]
 description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):'
 commands = [
- 'wpscan --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_wpscan.txt"'
+ '{wpscan} --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_wpscan.txt"'
 ]
 [[http.manual]]
 description = "Credential bruteforcing commands (don't run these without modifying them):"
 commands = [
- 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area',
- 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area',
- 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message',
- 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"',
+ '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area',
+ '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area',
+ '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message',
+ '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"',
 ]
 [imap]
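Review bot: The commit's move to configured absolute paths is incomplete in this hunk: `curl` (curl-index, curl-robots), `dirsearch` and `dirb` are still resolved through PATH, while the adjacent `{whatweb}`, `{nikto}`, `{gobuster}` and `{wpscan}` entries were converted. The same is true of `tnscmd10g` and `oscanner` in the oracle hunk, `smtp-user-enum` in the smtp hunk and `onesixtyone` in the snmp hunk. Either add entries for them and write e.g. `command = '{curl} -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{category}{protocol}_{port}_{scheme}_index.html"'`, or record in a comment which commands are deliberately left on PATH, so the binary check the commit message describes actually covers everything this file executes. Whether an unknown placeholder is rejected or left literal is decided in autorecon.py, which is outside this file.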
@@ -177,7 +177,7 @@ service-names = [
 [[imap.scan]]
 name = 'nmap-imap'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_imap_nmap.xml" {address}'
 [kerberos]
@@ -188,7 +188,7 @@ service-names = [
 [[kerberos.scan]]
 name = 'nmap-kerberos'
- command = 'nmap {nmap_extra} -sV -p {port} --script="krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="krb5-enum-users" -oN "{scandir}/{category}{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_kerberos_nmap.xml" {address}'
 [ldap]
@@ -198,11 +198,11 @@ service-names = [
 [[ldap.scan]]
 name = 'nmap-ldap'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ldap_nmap.xml" {address}'
 [[ldap.scan]]
 name = 'enum4linux'
- command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
+ command = '{enum4linux} -a -M -l -d {address} 2>&1 | tee "{scandir}/{category}enum4linux.txt"'
 run_once = true
 ports.tcp = [139, 389, 445]
 ports.udp = [137]
@@ -215,7 +215,7 @@ service-names = [
 [[mongodb.scan]]
 name = 'nmap-mongodb'
- command = 'nmap {nmap_extra} -sV -p {port} --script="mongodb*" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="mongodb*" -oN "{scandir}/{category}{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mongodb_nmap.xml" {address}'
 [mssql]
@@ -226,7 +226,7 @@ service-names = [
 [[mssql.scan]]
 name = 'nmap-mssql'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{category}{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mssql_nmap.xml" {address}'
 [[mssql.manual]]
 description = '(sqsh) interactive database shell'
@@ -242,7 +242,7 @@ service-names = [
 [[mysql.scan]]
 name = 'nmap-mysql'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_mysql_nmap.xml" {address}'
 [nfs]
@@ -253,7 +253,7 @@ service-names = [
 [[nfs.scan]]
 name = 'nmap-nfs'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_nfs_nmap.xml" {address}'
 [nntp]
@@ -263,7 +263,7 @@ service-names = [
 [[nntp.scan]]
 name = 'nmap-nntp'
- command = 'nmap {nmap_extra} -sV -p {port} --script="nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="nntp-ntlm-info" -oN "{scandir}/{category}{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_nntp_nmap.xml" {address}'
 [oracle]
@@ -273,43 +273,43 @@ service-names = [
 [[oracle.scan]]
 name = 'nmap-oracle'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_oracle_nmap.xml" {address}'
 [[oracle.scan]]
 name = 'oracle-tnscmd-ping'
- command = 'tnscmd10g ping -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_ping.txt"'
+ command = 'tnscmd10g ping -h {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_ping.txt"'
 [[oracle.scan]]
 name = 'oracle-tnscmd-version'
- command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"'
+ command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_version.txt"'
 [[oracle.scan]]
 name = 'oracle-tnscmd-version'
- command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"'
+ command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_tnscmd_version.txt"'
 [[oracle.scan]]
 name = 'oracle-scanner'
- command = 'oscanner -v -s {address} -P {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_scanner.txt"'
+ command = 'oscanner -v -s {address} -P {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_oracle_scanner.txt"'
 [[oracle.manual]]
 description = 'Brute-force SIDs using Nmap'
- command = 'nmap {nmap_extra} -sV -p {port} --script="oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="oracle-sid-brute" -oN "{scandir}/{category}{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}'
 [[oracle.manual]]
 description = 'Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:'
 commands = [
- 'python odat.py tnscmd -s {address} -p {port} --ping',
- 'python odat.py tnscmd -s {address} -p {port} --version',
- 'python odat.py tnscmd -s {address} -p {port} --status',
- 'python odat.py sidguesser -s {address} -p {port}',
- 'python odat.py passwordguesser -s {address} -p {port} -d --accounts-file accounts/accounts_multiple.txt',
- 'python odat.py tnspoison -s {address} -p {port} -d --test-module'
+ '{odat} tnscmd -s {address} -p {port} --ping',
+ '{odat} tnscmd -s {address} -p {port} --version',
+ '{odat} tnscmd -s {address} -p {port} --status',
+ '{odat} sidguesser -s {address} -p {port}',
+ '{odat} passwordguesser -s {address} -p {port} -d --accounts-file accounts/accounts_multiple.txt',
+ '{odat} tnspoison -s {address} -p {port} -d --test-module'
 ]
 [[oracle.manual]]
 description = 'Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:'
 commands = [
- 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000'
+ '{patator} oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000'
 ]
 [pop3]
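Review bot: The `[[oracle.scan]]` table `oracle-tnscmd-version` is defined twice with the same name and the same command, and the commit rewrites both copies instead of dropping one, so the scan runs twice per port and the second `tee` simply overwrites the first run's `{category}{protocol}_{port}_oracle_tnscmd_version.txt`. Delete the second copy. The unconverted `tnscmd10g` and `oscanner` invocations in this hunk are covered by the note on the http hunk.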
@@ -320,7 +320,7 @@ service-names = [
 [[pop3.scan]]
 name = 'nmap-pop3'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_pop3_nmap.xml" {address}'
 [rdp]
@@ -332,13 +332,13 @@ service-names = [
 [[rdp.scan]]
 name = 'nmap-rdp'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rdp_nmap.xml" {address}'
 [[rdp.manual]]
 description = 'Bruteforce logins:'
 commands = [
- 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}',
- 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}'
+ '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_rdp_hydra.txt" rdp://{address}',
+ '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}'
 ]
 [rmi]
@@ -350,7 +350,7 @@ service-names = [
 [[rmi.scan]]
 name = 'nmap-rmi'
- command = 'nmap {nmap_extra} -sV -p {port} --script="rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{category}{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rmi_nmap.xml" {address}'
 [rpc]
@@ -362,12 +362,12 @@ service-names = [
 [[rpc.scan]]
 name = 'nmap-msrpc'
- command = 'nmap {nmap_extra} -sV -p {port} --script="msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{category}{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_rpc_nmap.xml" {address}'
 [[rpc.manual]]
 description = 'RPC Client:'
 commands = [
- 'rpcclient -p {port} -U "" {address}'
+ '{rpcclient} -p {port} -U "" {address}'
 ]
 [sip]
@@ -378,7 +378,7 @@ service-names = [
 [[sip.scan]]
 name = 'nmap-sip'
- command = 'nmap {nmap_extra} -sV -p {port} --script="sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="sip-enum-users,sip-methods" -oN "{scandir}/{category}{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_sip_nmap.xml" {address}'
 [[sip.scan]]
 name = 'svwar'
@@ -392,13 +392,13 @@ service-names = [
 [[ssh.scan]]
 name = 'nmap-ssh'
- command = 'nmap {nmap_extra} -sV -p {port} --script="ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{category}{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_ssh_nmap.xml" {address}'
 [[ssh.manual]]
 description = 'Bruteforce logins:'
 commands = [
- 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}',
- 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}'
+ '{hydra} -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{category}{protocol}_{port}_ssh_hydra.txt" ssh://{address}',
+ '{medusa} -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{category}{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}'
 ]
 [smb]
@@ -410,45 +410,52 @@ service-names = [
 [[smb.scan]]
 name = 'nmap-smb'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_nmap.xml" {address}'
+ [[smb.scan]]
+ name = 'smbclient'
+ command = '{smbclient} -L\\ -N -I {address} 2>&1 | tee "{scandir}/{category}smbclient.txt"'
+ run_once = true
+ ports.tcp = [139, 445]
+
+ [[smb.scan]]
+ name = 'smb-version'
+ command = '{smb_version} {address} -P {port} | head -n 1 | tee -a "{scandir}/{category}smb-version.txt"'
+ run_once = true
+ ports.tcp = [139, 445]
+
+ [[smb.scan]]
+ name = 'smbmap-share-permissions'
+ command = '{smbmap} -H {address} -P {port} 2>&1 | tee -a "{scandir}/{category}smbmap-share-permissions.txt"; {smbmap} -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/{category}smbmap-share-permissions.txt"'
+
+ [[smb.scan]]
+ name = 'smbmap-list-contents'
+ command = '{smbmap} -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/{category}smbmap-list-contents.txt"; {smbmap} -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/{category}smbmap-list-contents.txt"'
+
+ [[smb.scan]]
+ name = 'smbmap-execute-command'
+ command = '{smbmap} -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/{category}smbmap-execute-command.txt"; {smbmap} -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/{category}smbmap-execute-command.txt"'
+
 [[smb.scan]]
 name = 'enum4linux'
- command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
+ command = '{enum4linux} -a -M -l -d {address} 2>&1 | tee "{scandir}/{category}enum4linux.txt"'
 run_once = true
 ports.tcp = [139, 389, 445]
 ports.udp = [137]
 [[smb.scan]]
 name = 'nbtscan'
- command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"'
+ command = '{nbtscan} -rvh {address} 2>&1 | tee "{scandir}/{category}nbtscan.txt"'
 run_once = true
 ports.udp = [137]
- [[smb.scan]]
- name = 'smbclient'
- command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"'
- run_once = true
- ports.tcp = [139, 445]
-
- [[smb.scan]]
- name = 'smbmap-share-permissions'
- command = 'smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"'
-
- [[smb.scan]]
- name = 'smbmap-list-contents'
- command = 'smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"'
-
- [[smb.scan]]
- name = 'smbmap-execute-command'
- command = 'smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"'
 [[smb.manual]]
- description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
+ description = '{nmap} scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
 commands = [
- 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
- 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
- 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
+ '{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms06-025.xml" {address}',
+ '{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms07-029.xml" {address}',
+ '{nmap} {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smb_ms08-067.xml" {address}'
 ]
 [smtp]
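Review bot: The `[[smb.manual]]` description is changed to `'{nmap} scans for SMB vulnerabilities ...'`, so the text shown to the user will carry the configured binary path (or the raw placeholder, if descriptions are not passed through substitution) instead of the tool name; `description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'` should stay as it was, with `{nmap}` confined to the commands. The new `smb-version` scan is also the only entry in this file that pipes into `tee` without `2>&1`, so anything the tool prints on stderr never reaches `smb-version.txt`; either add the redirection like its siblings or leave a comment saying why it is omitted. It also uses `tee -a`, which appends across repeated runs, while the `smbclient` entry next to it overwrites.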
@@ -459,11 +466,11 @@ service-names = [
 [[smtp.scan]]
 name = 'nmap-smtp'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_smtp_nmap.xml" {address}'
 [[smtp.scan]]
 name = 'smtp-user-enum'
- command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_smtp_user-enum.txt"'
+ command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_smtp_user-enum.txt"'
 [snmp]
@@ -473,59 +480,59 @@ service-names = [
 [[snmp.scan]]
 name = 'nmap-snmp'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{category}{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_snmp_nmap.xml" {address}'
 [[snmp.scan]]
 name = 'onesixtyone'
- command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt -dd {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_onesixtyone.txt"'
+ command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt -dd {address} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_onesixtyone.txt"'
 run_once = true
 ports.udp = [161]
 [[snmp.scan]]
 name = 'snmpwalk'
- command = 'snmpwalk -c public -v 1 {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk.txt"'
+ command = '{snmpwalk} -c public -v 1 {address} 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk.txt"'
 run_once = true
 ports.udp = [161]
 [[snmp.scan]]
 name = 'snmpwalk-system-processes'
- command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_system_processes.txt"'
+ command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_system_processes.txt"'
 run_once = true
 ports.udp = [161]
 [[snmp.scan]]
 name = 'snmpwalk-running-processes'
- command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt"'
+ command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_running_processes.txt"'
 run_once = true
 ports.udp = [161]
 [[snmp.scan]]
 name = 'snmpwalk-process-paths'
- command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_process_paths.txt"'
+ command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_process_paths.txt"'
 run_once = true
 ports.udp = [161]
 [[snmp.scan]]
 name = 'snmpwalk-storage-units'
- command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_storage_units.txt"'
+ command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_storage_units.txt"'
 run_once = true
 ports.udp = [161]
 [[snmp.scan]]
 name = 'snmpwalk-software-names'
- command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_software_names.txt"'
+ command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_software_names.txt"'
 run_once = true
 ports.udp = [161]
 [[snmp.scan]]
 name = 'snmpwalk-user-accounts'
- command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"'
+ command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"'
 run_once = true
 ports.udp = [161]
 [[snmp.scan]]
 name = 'snmpwalk-tcp-ports'
- command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"'
+ command = '{snmpwalk} -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{category}{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"'
 run_once = true
 ports.udp = [161]
@@ -537,7 +544,7 @@ service-names = [
 [[telnet.scan]]
 name = 'nmap-telnet'
- command = 'nmap {nmap_extra} -sV -p {port} --script="telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{category}{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_telnet_nmap.xml" {address}'
 [tftp]
@@ -547,7 +554,7 @@ service-names = [
 [[tftp.scan]]
 name = 'nmap-tftp'
- command = 'nmap {nmap_extra} -sV -p {port} --script="tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="tftp-enum" -oN "{scandir}/{category}{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_tftp_nmap.xml" {address}'
 [vnc]
@@ -557,4 +564,4 @@ service-names = [
 [[vnc.scan]]
 name = 'nmap-vnc'
- command = 'nmap {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}'
+ command = '{nmap} {nmap_extra} -sV -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{category}{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{category}{protocol}_{port}_vnc_nmap.xml" {address}'