# Configurable Variables username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt' [cassandra] service-names = [ '^apani1' ] [cassandra.scans] [cassandra.scans.nmap-cassandra] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/{protocol}_{port}_cassandra_nmap.xml" {address}' [cups] service-names = [ '^ipp' ] [cups.scans] [cups.scans.nmap-cups] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/{protocol}_{port}_cups_nmap.xml" {address}' [dns] service-names = [ '^domain', ] [dns.scans] [dns.scans.nmap-dns] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/{protocol}_{port}_dns_nmap.xml" {address}' [ftp] service-names = [ '^ftp', '^ftp\-data' ] [ftp.scans] [ftp.scans.nmap-ftp] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/{protocol}_{port}_ftp_nmap.xml" {address}' [ftp.manual] [ftp.manual.bruteforce] description = 'Bruteforce logins:' commands = [ 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' ] [http] service-names = [ '^http', ] ignore-service-names = [ '^nacn_http$' ] [http.scans] [http.scans.nmap-http] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_http_nmap.txt" -oX "{scandir}/{protocol}_{port}_{scheme}_nmap.xml" {address}' [http.scans.curl-index] command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 -o "{scandir}/{protocol}_{port}_{scheme}_index.html"' [http.scans.curl-robots] command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 -o "{scandir}/{protocol}_{port}_{scheme}_robots.txt"' [http.scans.whatweb] command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"' [http.scans.nikto] command = 'nikto -ask=no -h {scheme}://{address}:{port} | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"' [http.manual] [http.manual.dirb] description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists:' commands = [ 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt', 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_common.txt" /usr/share/seclists/Discovery/Web-Content/common.txt', 'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt' ] [http.manual.gobuster] description = '(gobuster) Directory/file enumeration for web servers using various wordlists (same as dirb above, in case you prefer gobuster):' commands = [ 'gobuster -u {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt" -w /usr/share/seclists/Discovery/Web-Content/big.txt -s "200,204,301,302,307,403,500" -e', 'gobuster -u {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_common.txt" -w /usr/share/seclists/Discovery/Web-Content/common.txt -s "200,204,301,302,307,403,500" -e', 'gobuster -u {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s "200,204,301,302,307,403,500" -e' ] [http.manual.wpscan] description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):' commands = [ 'wpscan --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color | tee "{scandir}/{protocol}_{port}_{scheme}_wpscan.txt"' ] [http.manual.bruteforce] description = "Credential bruteforcing commands (don't run these without modifying them):" commands = [ 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area', 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area', 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"', ] [imap] service-names = [ '^imap' ] [imap.scans] [imap.scans.nmap-imap] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/{protocol}_{port}_imap_nmap.xml" {address}' [kerberos] service-names = [ '^kerberos' ] [kerberos.scans] [kerberos.scans.nmap-kerberos] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=krb5-enum-users -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/{protocol}_{port}_kerberos_nmap.xml" {address}' [ldap] service-names = [ '^ldap' ] [ldap.scans] [ldap.scans.nmap-ldap] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/{protocol}_{port}_ldap_nmap.xml" {address}' [ldap.scans.enum4linux] command = 'enum4linux -a -M -l -d {address} | tee "{scandir}/enum4linux.txt"' run_once = true ports.tcp = [139, 389, 445] ports.udp = [137] [mongodb] service-names = [ '^mongod' ] [mongodb.scans] [mongodb.scans.nmap-mongodb] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="mongodb*" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/{protocol}_{port}_mongodb_nmap.xml" {address}' [mssql] service-names = [ '^mssql', '^ms\-sql' ] [mssql.scans] [mssql.scans.nmap-mssql] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=mssql.instance-port={port},mssql.username=sa,mssql.password=sa -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/{protocol}_{port}_mssql_nmap.xml" {address}' [mssql.manual] [mssql.manual.sqsh] description = '(sqsh) interactive database shell' command = 'sqsh -U -P -S {address}:{port}' [mysql] service-names = [ '^mysql' ] [mysql.scans] [mysql.scans.nmap-mysql] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/{protocol}_{port}_mysql_nmap.xml" {address}' [nfs] service-names = [ '^nfs', '^rpcbind' ] [nfs.scans] [nfs.scans.nmap-nfs] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/{protocol}_{port}_nfs_nmap.xml" {address}' [oracle] service-names = [ '^oracle' ] [oracle.scans] [oracle.scans.nmap-oracle] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/{protocol}_{port}_oracle_nmap.xml" {address}' [pop3] service-names = [ '^pop3' ] [pop3.scans] [pop3.scans.nmap-pop3] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/{protocol}_{port}_pop3_nmap.xml" {address}' [rdp] service-names = [ '^rdp', '^ms\-wbt\-server', '^ms\-term\-serv' ] [rdp.scans] [rdp.scans.nmap-rdp] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/{protocol}_{port}_rdp_nmap.xml" {address}' [rdp.manual] [rdp.manual.bruteforce] description = 'Bruteforce logins:' commands = [ 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}', 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' ] [rmi] service-names = [ '^java\-rmi', '^rmiregistry' ] [rmi.scans] [rmi.scans.nmap-rmi] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=rmi-vuln-classloader,rmi-dumpregistry -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/{protocol}_{port}_rmi_nmap.xml" {address}' [rpc] service-names = [ '^msrpc', '^rpcbind', '^erpc' ] [msrpc.scans] [msrpc.scans.nmap-msrpc] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=msrpc-enum,rpc-grind,rpcinfo -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/{protocol}_{port}_rpc_nmap.xml" {address}' [ssh] service-names = [ '^ssh' ] [ssh.scans] [ssh.scans.nmap-ssh] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/{protocol}_{port}_ssh_nmap.xml" {address}' [ssh.manual] [ssh.manual.bruteforce] description = 'Bruteforce logins:' commands = [ 'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}', 'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' ] [smb] service-names = [ '^smb', '^microsoft\-ds', '^netbios' ] [smb.scans] [smb.scans.nmap-smb] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/{protocol}_{port}_smb_nmap.xml" {address}' [smb.scans.enum4linux] command = 'enum4linux -a -M -l -d {address} | tee "{scandir}/enum4linux.txt"' run_once = true ports.tcp = [139, 389, 445] ports.udp = [137] [smb.scans.nbtscan] command = 'nbtscan -rvh {address} | tee "{scandir}/nbtscan.txt"' run_once = true ports.udp = [137] [smb.scans.smbclient] command = 'smbclient -L\\ -N -I {address} | tee "{scandir}/smbclient.txt"' run_once = true ports.tcp = [139, 445] [smtp] service-names = [ '^smtp' ] [smtp.scans] [smtp.scans.nmap-smtp] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/{protocol}_{port}_smtp_nmap.xml" {address}' [smtp.scans.smtp-user-enum] command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} | tee "{scandir}/{protocol}_{port}_smtp_user-enum.txt"' [snmp] service-names = [ '^snmp' ] [snmp.scans] [snmp.scans.nmap-snmp] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/{protocol}_{port}_snmp_nmap.xml" {address}' [snmp.scans.onesixtyone] command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -dd -o "{scandir}/{protocol}_{port}_snmp_onesixtyone.txt" {address}' run_once = true ports.udp = [161] [snmp.scans.snmpwalk] command = 'snmpwalk -c public -v 1 {address} | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk.txt"' run_once = true ports.udp = [161] [snmp.scans.snmpwalk-system-processes] command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_system_processes.txt"' run_once = true ports.udp = [161] [snmp.scans.snmpwalk-running-processes] command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt"' run_once = true ports.udp = [161] [snmp.scans.snmpwalk-process-paths] command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_process_paths.txt"' run_once = true ports.udp = [161] [snmp.scans.snmpwalk-storage-units] command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_storage_units.txt"' run_once = true ports.udp = [161] [snmp.scans.snmpwalk-software-names] command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_software_names.txt"' run_once = true ports.udp = [161] [snmp.scans.snmpwalk-user-accounts] command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"' run_once = true ports.udp = [161] [snmp.scans.snmpwalk-tcp-ports] command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"' run_once = true ports.udp = [161] [telnet] service-names = [ '^telnet' ] [telnet.scans] [telnet.scans.nmap-telnet] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=telnet-encryption,telnet-ntlm-info -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/{protocol}_{port}_telnet_nmap.xml" {address}' [tftp] service-names = [ '^tftp' ] [tftp.scans] [tftp.scans.nmap-tftp] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=tftp-enum -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/{protocol}_{port}_tftp_nmap.xml" {address}' [vnc] service-names = [ '^vnc' ] [vnc.scans] [vnc.scans.nmap-vnc] command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/{protocol}_{port}_vnc_nmap.xml" {address}'