From 9d008f7b04feccc12b3bac7160b366840f016d20 Mon Sep 17 00:00:00 2001 From: payl0ad Date: Fri, 24 Jan 2020 10:06:17 -0700 Subject: [PATCH] added argument to no include XML directory. added an action to auto print help menu if no arguments are supplied --- autorecon.py | 62 +-- config/port-scan-profiles-no-xml.toml | 45 ++ config/service-scans-no-xml.toml | 577 ++++++++++++++++++++++++++ 3 files changed, 658 insertions(+), 26 deletions(-) create mode 100644 config/port-scan-profiles-no-xml.toml create mode 100644 config/service-scans-no-xml.toml diff --git a/autorecon.py b/autorecon.py index 8d1f05a..5ac5b0e 100755 --- a/autorecon.py +++ b/autorecon.py @@ -146,23 +146,6 @@ def calculate_elapsed_time(start_time): return ', '.join(elapsed_time) -port_scan_profiles_config_file = 'port-scan-profiles.toml' -with open(os.path.join(rootdir, 'config', port_scan_profiles_config_file), 'r') as p: - try: - port_scan_profiles_config = toml.load(p) - - if len(port_scan_profiles_config) == 0: - fail('There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file.') - - except toml.decoder.TomlDecodeError as e: - fail('Error: Couldn\'t parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags.') - -with open(os.path.join(rootdir, 'config', 'service-scans.toml'), 'r') as c: - try: - service_scans_config = toml.load(c) - except toml.decoder.TomlDecodeError as e: - fail('Error: Couldn\'t parse service-scans.toml config file. Check syntax and duplicate tags.') - with open(os.path.join(rootdir, 'config', 'global-patterns.toml'), 'r') as p: try: global_patterns = toml.load(p) 
@@ -173,14 +156,6 @@ with open(os.path.join(rootdir, 'config', 'global-patterns.toml'), 'r') as p: except toml.decoder.TomlDecodeError as e: fail('Error: Couldn\'t parse global-patterns.toml config file. Check syntax and duplicate tags.') -if 'username_wordlist' in service_scans_config: - if isinstance(service_scans_config['username_wordlist'], str): - username_wordlist = service_scans_config['username_wordlist'] - -if 'password_wordlist' in service_scans_config: - if isinstance(service_scans_config['password_wordlist'], str): - password_wordlist = service_scans_config['password_wordlist'] - async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE): address = target.address while True: @@ -627,7 +602,8 @@ def scan_host(target, concurrent_scans): target.scandir = scandir os.makedirs(scandir, exist_ok=True) - os.makedirs(os.path.abspath(os.path.join(scandir, 'xml')), exist_ok=True) + if not xmldir: + os.makedirs(os.path.abspath(os.path.join(scandir, 'xml')), exist_ok=True) # Use a lock when writing to specific files that may be written to by other asynchronous functions. target.lock = asyncio.Lock() 
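Review bot: `if not xmldir:` reads inverted, because `xmldir` is assigned from `args.no_xml_dir` later in this patch and is therefore True exactly when the XML directory must *not* be created; a name that carries the flag's meaning avoids the double negative, e.g. `no_xml_dir = args.no_xml_dir` at the assignment and `if not no_xml_dir:` here. scan_host also depends on that name being bound at module level by the `__main__` block (presumably like the other flags assigned there), so a caller that imports the module and invokes scan_host without it gets a NameError; a one-line comment `# bound in __main__ from --no-xml-dir` would make the dependency visible. scan_host starts and ends outside the hunk.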
@@ -667,6 +643,7 @@ if __name__ == '__main__': parser.add_argument('--single-target', action='store_true', default=False, help='Only scan a single target. A directory named after the target will not be created. Instead, the directory structure will be created within the output directory. Default: false') parser.add_argument('--only-scans-dir', action='store_true', default=False, help='Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report) will not be created. Default: false') parser.add_argument('--heartbeat', action='store', type=int, default=60, help='Specifies the heartbeat interval (in seconds) for task status messages. Default: %(default)s') + parser.add_argument('--no-xml-dir', action='store_true', default=False, help='Do no include nmap XML scan output. Default: false') nmap_group = parser.add_mutually_exclusive_group() nmap_group.add_argument('--nmap', action='store', default='-vv --reason -Pn', help='Override the {nmap_extra} variable in scans. Default: %(default)s') nmap_group.add_argument('--nmap-append', action='store', default='', help='Append to the default {nmap_extra} variable in scans.') 
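Review bot: The help string for `--no-xml-dir` has a typo, "Do no include" should be "Do not include". It also describes only the directory effect, whereas the rest of the patch switches to the `-no-xml` variants of the service-scan and port-scan-profile config files, which a user would want to know since it changes which commands run; suggest `help='Do not create the nmap XML output directory and use the *-no-xml.toml scan configs instead. Default: false'`. The `__main__` block continues outside the hunk.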
@@ -677,6 +654,38 @@ if __name__ == '__main__': single_target = args.single_target only_scans_dir = args.only_scans_dir + xmldir = args.no_xml_dir + + if xmldir: + service_scans_config_file = 'service-scans-no-xml.toml' + port_scan_profiles_config_file = 'port-scan-profiles-no-xml.toml' + else: + service_scans_config_file = 'service-scans.toml' + port_scan_profiles_config_file = 'port-scan-profiles.toml' + + with open(os.path.join(rootdir, 'config', service_scans_config_file), 'r') as c: + try: + service_scans_config = toml.load(c) + except toml.decoder.TomlDecodeError as e: + fail('Error: Couldn\'t parse {service_scans_config_file} config file. Check syntax and duplicate tags.') + + if 'username_wordlist' in service_scans_config: + if isinstance(service_scans_config['username_wordlist'], str): + username_wordlist = service_scans_config['username_wordlist'] + + if 'password_wordlist' in service_scans_config: + if isinstance(service_scans_config['password_wordlist'], str): + password_wordlist = service_scans_config['password_wordlist'] + + with open(os.path.join(rootdir, 'config', port_scan_profiles_config_file), 'r') as p: + try: + port_scan_profiles_config = toml.load(p) + + if len(port_scan_profiles_config) == 0: + fail('There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file.') + + except toml.decoder.TomlDecodeError as e: + fail('Error: Couldn\'t parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags.') errors = False @@ -794,6 +803,7 @@ if __name__ == '__main__': if len(targets) == 0: error('You must specify at least one target to scan!') + parser.print_help() errors = True if single_target and len(targets) != 1: diff --git a/config/port-scan-profiles-no-xml.toml b/config/port-scan-profiles-no-xml.toml new file mode 100644 index 0000000..88942a8 --- /dev/null +++ b/config/port-scan-profiles-no-xml.toml 
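Review bot: Choosing between `service-scans.toml` and `service-scans-no-xml.toml` (and the two port-scan-profile files) by flag means every scan definition now exists twice and the copies must be edited in lockstep; a scan added to one file and not the other silently changes what `--no-xml-dir` runs. A single config in which the XML output is a substituted placeholder in the command templates (expanded to nothing when the flag is set) keeps one source of truth; the same concern applies to both new config files further down. Separately, the new `fail('Error: Couldn\'t parse {service_scans_config_file} ...')` message carries a placeholder without an f-string prefix — that matches the lines this patch removed, so it presumably relies on `fail` interpolating caller locals; confirm, otherwise the filename is printed literally. The `__main__` block continues outside the hunk.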
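Review bot: Calling `parser.print_help()` right after `error('You must specify at least one target to scan!')` prints the full multi-screen help after a one-line error (presumably on a different stream), so the reason for the failure scrolls out of view; `parser.print_usage()` gives the same pointer in one line and keeps the error readable. The new call also fires whenever `targets` ends up empty, not only when no arguments were supplied as the commit message states — acceptable if intended, but the message should then describe the actual trigger. The `__main__` block continues outside the hunk.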
@@ -0,0 +1,45 @@ +[default] + + [default.nmap-quick] + + [default.nmap-quick.service-detection] + command = 'nmap {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" {address}' + pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' + + [default.nmap-full-tcp] + + [default.nmap-full-tcp.service-detection] + command = 'nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" {address}' + pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' + + [default.nmap-top-20-udp] + + [default.nmap-top-20-udp.service-detection] + command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" {address}' + pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' + +[quick] + + [quick.nmap-quick] + + [quick.nmap-quick.service-detection] + command = 'nmap {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" {address}' + pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' + + [quick.nmap-top-20-udp] + + [quick.nmap-top-20-udp.service-detection] + command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" {address}' + pattern = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' + +[udp] + + [udp.udp-top-20] + + [udp.udp-top-20.port-scan] + command = 'unicornscan -mU -p 631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69 {address} 2>&1 | tee "{scandir}/_top_20_udp_unicornscan.txt"' + pattern = '^UDP open\s*[\w-]+\[\s*(?P\d+)\].*$' + + [udp.udp-top-20.service-detection] + command = 'nmap {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" {address}' + pattern = '^(?P\d+)\/(?P(udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' diff --git a/config/service-scans-no-xml.toml b/config/service-scans-no-xml.toml new file mode 100644 index 0000000..0e92033 --- /dev/null +++ b/config/service-scans-no-xml.toml 
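Review bot: Every `pattern` value in this file shows named groups without a name, e.g. `(?P\d+)\/(?P(tcp|udp))` and `\[\s*(?P\d+)\]`; if that is the committed content rather than a rendering loss of the angle-bracketed names, `re` rejects the pattern as soon as the profile is loaded, and the expected form is `(?P<port>\d+)`. Worth confirming against the committed bytes before merge, since a bad pattern in `[default]` breaks the default profile for every `--no-xml-dir` run. This file otherwise mirrors the existing profile file minus the XML output, so any later edit to one must be mirrored in the other.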
@@ -0,0 +1,577 @@ +# Configurable Variables +username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' +password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt' + +[all-services] # Define scans here that you want to run against all services. + +service-names = [ + '.+' +] + + [[all-services.scan]] + name = 'sslscan' + command = 'if [ "{secure}" == "True" ]; then sslscan --show-certificate --no-colour {address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_sslscan.txt"; fi' + +[cassandra] + +service-names = [ + '^apani1' +] + + [[cassandra.scan]] + name = 'nmap-cassandra' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" {address}' + +[cups] + +service-names = [ + '^ipp' +] + + [[cups.scan]] + name = 'nmap-cups' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" {address}' + +[distcc] + +service-names = [ + '^distccd' +] + + [[distcc.scan]] + name = 'nmap-distcc' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" {address}' + +[dns] + +service-names = [ + '^domain' +] + + [[dns.scan]] + name = 'nmap-dns' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" {address}' + +[finger] + +service-names = [ + '^finger' +] + + [[finger.scan]] + nmap = 'nmap-finger' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" {address}' + +[ftp] + +service-names = [ + '^ftp', + '^ftp\-data' +] + + [[ftp.scan]] + name = 'nmap-ftp' + command = 'nmap 
{nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" {address}' + + [[ftp.scan.pattern]] + description = 'Anonymous FTP Enabled!' + pattern = 'Anonymous FTP login allowed' + + [[ftp.manual]] + description = 'Bruteforce logins:' + commands = [ + 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', + 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' + ] + +[http] + +service-names = [ + '^http', +] + +ignore-service-names = [ + '^nacn_http$' +] + + [[http.scan]] + name = 'nmap-http' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_http_nmap.txt" {address}' + + [[http.scan.pattern]] + description = 'Identified HTTP Server: {match}' + pattern = 'Server: ([^\n]+)' + + [[http.scan.pattern]] + description = 'WebDAV is enabled' + pattern = 'WebDAV is ENABLED' + + [[http.scan]] + name = 'curl-index' + command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_index.html"' + + [[http.scan.pattern]] + pattern = '(?i)Powered by [^\n]+' + + [[http.scan]] + name = 'curl-robots' + command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_robots.txt"' + + [[http.scan]] + name = 'wkhtmltoimage' + command = 'if hash wkhtmltoimage 2> /dev/null; then wkhtmltoimage --format png {scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{scheme}_screenshot.png; fi' + + [[http.scan]] + name = 'whatweb' + command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"' + + [[http.scan]] + 
name = 'nikto' + command = 'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"' + + [[http.scan]] + name = 'gobuster' + command = 'if [[ `gobuster -h 2>&1 | grep -F "mode (dir)"` ]]; then gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster.txt"; else gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -z -k -l -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster.txt"; fi' + + [[http.manual]] + description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:' + commands = [ + 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_big.txt"', + 'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"' + ] + + [[http.manual]] + description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists (same as dirsearch above):' + commands = [ + 'dirb {scheme}://{address}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{scheme}_dirb_big.txt"', + 'dirb {scheme}://{address}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{scheme}_dirb_dirbuster.txt"' + ] + + [[http.manual]] + description = '(gobuster v3) Directory/file enumeration for web servers using various wordlists (same as dirb above):' + 
commands = [ + 'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"', + 'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"' + ] + + [[http.manual]] + description = '(gobuster v1 & v2) Directory/file enumeration for web servers using various wordlists (same as dirb above):' + commands = [ + 'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"', + 'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"' + ] + + [[http.manual]] + description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):' + commands = [ + 'wpscan --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_wpscan.txt"' + ] + + [[http.manual]] + description = "Credential bruteforcing commands (don't run these without modifying them):" + commands = [ + 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area', + 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area', + 
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', + 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"', + ] + +[imap] + +service-names = [ + '^imap' +] + + [[imap.scan]] + name = 'nmap-imap' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" {address}' + +[kerberos] + +service-names = [ + '^kerberos', + '^kpasswd' +] + + [[kerberos.scan]] + name = 'nmap-kerberos' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" {address}' + +[ldap] + +service-names = [ + '^ldap' +] + + [[ldap.scan]] + name = 'nmap-ldap' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" {address}' + + [[ldap.scan]] + name = 'enum4linux' + command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"' + run_once = true + ports.tcp = [139, 389, 445] + ports.udp = [137] + + [[ldap.manual]] + description = 'ldapsearch command (modify before running)' + commands = [ + 'ldapsearch -x -D "" -w """ -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*) 2>&1 | tee > "{scandir}/{protocol}_{port}_ldap_all-entries.txt"' + ] + +[mongodb] + +service-names = [ + '^mongod' +] + + [[mongodb.scan]] + name = 'nmap-mongodb' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external 
or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" {address}' + +[mssql] + +service-names = [ + '^mssql', + '^ms\-sql' +] + + [[mssql.scan]] + name = 'nmap-mssql' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" {address}' + + [[mssql.manual]] + description = '(sqsh) interactive database shell' + commands = [ + 'sqsh -U -P -S {address}:{port}' + ] + +[mysql] + +service-names = [ + '^mysql' +] + + [[mysql.scan]] + name = 'nmap-mysql' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" {address}' + +[nfs] + +service-names = [ + '^nfs', + '^rpcbind' +] + + [[nfs.scan]] + name = 'nmap-nfs' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" {address}' + + [[nfs.scan]] + name = 'showmount' + command = 'showmount -e {address} 2>&1 | tee "{scandir}/{protocol}_{port}_showmount.txt"' + +[nntp] + +service-names = [ + '^nntp' +] + + [[nntp.scan]] + name = 'nmap-nntp' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" {address}' + +[oracle] + +service-names = [ + '^oracle' +] + + [[oracle.scan]] + name = 'nmap-oracle' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" {address}' + + [[oracle.scan]] + name = 'oracle-tnscmd-ping' + command = 'tnscmd10g ping -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_ping.txt"' + + [[oracle.scan]] + name = 
'oracle-tnscmd-version' + command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"' + + [[oracle.scan]] + name = 'oracle-tnscmd-version' + command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"' + + [[oracle.scan]] + name = 'oracle-scanner' + command = 'oscanner -v -s {address} -P {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_scanner.txt"' + + [[oracle.manual]] + description = 'Brute-force SIDs using Nmap' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" {address}' + + [[oracle.manual]] + description = 'Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:' + commands = [ + 'python odat.py tnscmd -s {address} -p {port} --ping', + 'python odat.py tnscmd -s {address} -p {port} --version', + 'python odat.py tnscmd -s {address} -p {port} --status', + 'python odat.py sidguesser -s {address} -p {port}', + 'python odat.py passwordguesser -s {address} -p {port} -d --accounts-file accounts/accounts_multiple.txt', + 'python odat.py tnspoison -s {address} -p {port} -d --test-module' + ] + + [[oracle.manual]] + description = 'Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:' + commands = [ + 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000' + ] + +[pop3] + +service-names = [ + '^pop3' +] + + [[pop3.scan]] + name = 'nmap-pop3' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" {address}' + +[rdp] + +service-names = [ 
+ '^rdp', + '^ms\-wbt\-server', + '^ms\-term\-serv' +] + + [[rdp.scan]] + name = 'nmap-rdp' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" {address}' + + [[rdp.manual]] + description = 'Bruteforce logins:' + commands = [ + 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}', + 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' + ] + +[rmi] + +service-names = [ + '^java\-rmi', + '^rmiregistry' +] + + [[rmi.scan]] + name = 'nmap-rmi' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" {address}' + +[rpc] + +service-names = [ + '^msrpc', + '^rpcbind', + '^erpc' +] + + [[rpc.scan]] + name = 'nmap-msrpc' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" {address}' + + [[rpc.manual]] + description = 'RPC Client:' + commands = [ + 'rpcclient -p {port} -U "" {address}' + ] + +[sip] + +service-names = [ + '^asterisk' +] + + [[sip.scan]] + name = 'nmap-sip' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" {address}' + + [[sip.scan]] + name = 'svwar' + command = 'svwar -D -m INVITE -p {port} {address}' + +[ssh] + +service-names = [ + '^ssh' +] + + [[ssh.scan]] + name = 'nmap-ssh' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" {address}' + + [[ssh.manual]] + description = 'Bruteforce logins:' + commands = [ + 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o 
"{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}', + 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' + ] +[smb] + +service-names = [ + '^smb', + '^microsoft\-ds', + '^netbios' +] + + [[smb.scan]] + name = 'nmap-smb' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" {address}' + + [[smb.scan]] + name = 'enum4linux' + command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"' + run_once = true + ports.tcp = [139, 389, 445] + ports.udp = [137] + + [[smb.scan]] + name = 'nbtscan' + command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"' + run_once = true + ports.udp = [137] + + [[smb.scan]] + name = 'smbclient' + command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"' + run_once = true + ports.tcp = [139, 445] + + [[smb.scan]] + name = 'smbmap-share-permissions' + command = 'smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"' + + [[smb.scan]] + name = 'smbmap-list-contents' + command = 'smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"' + + [[smb.scan]] + name = 'smbmap-execute-command' + command = 'smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"' + + [[smb.manual]] + description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). 
Be careful:' + commands = [ + 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" {address}', + 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" {address}', + 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" {address}' + ] + +[smtp] + +service-names = [ + '^smtp' +] + + [[smtp.scan]] + name = 'nmap-smtp' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" {address}' + + [[smtp.scan]] + name = 'smtp-user-enum' + command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_smtp_user-enum.txt"' + +[snmp] + +service-names = [ + '^snmp' +] + + [[snmp.scan]] + name = 'nmap-snmp' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" {address}' + + [[snmp.scan]] + name = 'onesixtyone' + command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt -dd {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_onesixtyone.txt"' + run_once = true + ports.udp = [161] + + [[snmp.scan]] + name = 'snmpwalk' + command = 'snmpwalk -c public -v 1 {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk.txt"' + run_once = true + ports.udp = [161] + + [[snmp.scan]] + name = 'snmpwalk-system-processes' + command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_system_processes.txt"' + run_once = true + ports.udp = [161] + + [[snmp.scan]] + name = 'snmpwalk-running-processes' + command = 'snmpwalk 
-c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt"' + run_once = true + ports.udp = [161] + + [[snmp.scan]] + name = 'snmpwalk-process-paths' + command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_process_paths.txt"' + run_once = true + ports.udp = [161] + + [[snmp.scan]] + name = 'snmpwalk-storage-units' + command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_storage_units.txt"' + run_once = true + ports.udp = [161] + + [[snmp.scan]] + name = 'snmpwalk-software-names' + command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_software_names.txt"' + run_once = true + ports.udp = [161] + + [[snmp.scan]] + name = 'snmpwalk-user-accounts' + command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"' + run_once = true + ports.udp = [161] + + [[snmp.scan]] + name = 'snmpwalk-tcp-ports' + command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"' + run_once = true + ports.udp = [161] + +[telnet] + +service-names = [ + '^telnet' +] + + [[telnet.scan]] + name = 'nmap-telnet' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" {address}' + +[tftp] + +service-names = [ + '^tftp' +] + + [[tftp.scan]] + name = 'nmap-tftp' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" {address}' + +[vnc] + +service-names = [ + '^vnc' +] + + [[vnc.scan]] + name = 'nmap-vnc' + command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or 
external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" {address}'
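Review bot: In the `[[finger.scan]]` table the key is `nmap = 'nmap-finger'` while every other scan entry uses `name = ...`, so depending on how the loader validates entries this scan is either rejected or run without a name; it should read `name = 'nmap-finger'`. Two further consistency points in the same file: `[[oracle.scan]]` lists `oracle-tnscmd-version` twice with identical commands, and the first `[[oracle.manual]]` entry uses a bare `command =` string where all other manual entries use a `commands = [ ... ]` list, which the loader may not pick up. These may be inherited from the service-scans.toml this file was copied from; if so, fix both copies rather than letting the variants diverge.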