# Configurable Variables
# These two paths are substituted wherever a command below uses the
# {username_wordlist} or {password_wordlist} placeholder (the manual
# bruteforce entries and smtp-user-enum).
username_wordlist = "/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
password_wordlist = "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
# Apache Cassandra
[cassandra]
# Anchored regexes; the section is keyed on the detected service name.
service-names = ['^apani1']

# Version detection plus the cassandra* and ssl* NSE scripts, with the brute,
# broadcast, dos, external and fuzzer script categories excluded.
[cassandra.scans.nmap-cassandra]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/{protocol}_{port}_cassandra_nmap.xml" {address}'
# CUPS / Internet Printing Protocol
[cups]
service-names = ['^ipp']

# Version detection plus cups*/ssl* NSE scripts; brute, broadcast, dos,
# external and fuzzer categories are excluded.
[cups.scans.nmap-cups]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/{protocol}_{port}_cups_nmap.xml" {address}'
# DNS
[dns]
service-names = ['^domain']

# Version detection plus dns*/ssl* NSE scripts; brute, broadcast, dos,
# external and fuzzer categories are excluded.
[dns.scans.nmap-dns]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/{protocol}_{port}_dns_nmap.xml" {address}'
# FTP
[ftp]
service-names = ['^ftp', '^ftp\-data']

# Version detection plus ftp*/ssl* NSE scripts; brute, broadcast, dos,
# external and fuzzer categories are excluded.
[ftp.scans.nmap-ftp]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/{protocol}_{port}_ftp_nmap.xml" {address}'

# Manual suggestion (description plus command list). Both commands read the
# wordlists configured at the top of this file; -e nsr / -e ns additionally
# try null, same-as-user and reversed passwords.
[ftp.manual.bruteforce]
description = 'Bruteforce logins:'
commands = [
    'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
    'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}',
]
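# HTTP and HTTPS web servers. {scheme} expands to http or https, so the output
# file names carry the scheme and keep plain and TLS results apart.
[http]
service-names = ['^http']
# Detected names that match service-names but are not web servers.
ignore-service-names = ['^nacn_http$']

# Version detection plus http*/ssl* NSE scripts. Unlike the other
# category-filtered nmap scans in this file, brute is NOT excluded here; only
# broadcast, dos, external, http-slowloris* and fuzzer are.
# The -oN path uses {scheme} like the -oX path and every other output in this
# section (it previously hard-coded "http", so http and https results on the
# same port would have collided in the .txt but not the .xml).
[http.scans.nmap-http]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_{scheme}_nmap.txt" -oX "{scandir}/{protocol}_{port}_{scheme}_nmap.xml" {address}'

# Fetch the index page; -k accepts untrusted TLS certificates, -m 10 caps the
# request at ten seconds.
[http.scans.curl-index]
command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 -o "{scandir}/{protocol}_{port}_{scheme}_index.html"'

# Fetch robots.txt with the same options.
[http.scans.curl-robots]
command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 -o "{scandir}/{protocol}_{port}_{scheme}_robots.txt"'

# Technology fingerprinting at aggression level 3.
[http.scans.whatweb]
command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'

# Web server misconfiguration scan; -ask=no suppresses interactive prompts.
[http.scans.nikto]
command = 'nikto -ask=no -h {scheme}://{address}:{port} | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"'

# Manual suggestions (description plus command list). One output file per
# wordlist so runs do not overwrite each other.
[http.manual.dirb]
description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists:'
commands = [
    'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_big.txt" /usr/share/seclists/Discovery/Web-Content/big.txt',
    'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_common.txt" /usr/share/seclists/Discovery/Web-Content/common.txt',
    'dirb {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_dirb_dirbuster.txt" /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt',
]

# Same three wordlists as dirb; -s lists the status codes treated as hits and
# -e prints full URLs.
[http.manual.gobuster]
description = '(gobuster) Directory/file enumeration for web servers using various wordlists (same as dirb above, in case you prefer gobuster):'
commands = [
    'gobuster -u {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt" -w /usr/share/seclists/Discovery/Web-Content/big.txt -s "200,204,301,302,307,403,500" -e',
    'gobuster -u {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_common.txt" -w /usr/share/seclists/Discovery/Web-Content/common.txt -s "200,204,301,302,307,403,500" -e',
    'gobuster -u {scheme}://{address}:{port}/ -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s "200,204,301,302,307,403,500" -e',
]

# --no-update keeps wpscan from fetching its database during the run.
[http.manual.wpscan]
description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):'
commands = [
    'wpscan --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m -f cli-no-color | tee "{scandir}/{protocol}_{port}_{scheme}_wpscan.txt"',
]

# Templates only: the /path/to/... segments, form field names and the
# failure-message markers must be replaced before any of these is usable.
[http.manual.bruteforce]
description = "Credential bruteforcing commands (don't run these without modifying them):"
commands = [
    'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area',
    'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area',
    'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message',
    'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"',
]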
# IMAP
[imap]
service-names = ['^imap']

# Version detection plus imap*/ssl* NSE scripts; brute, broadcast, dos,
# external and fuzzer categories are excluded.
[imap.scans.nmap-imap]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/{protocol}_{port}_imap_nmap.xml" {address}'
# Kerberos
[kerberos]
service-names = ['^kerberos']

# Single NSE script rather than a category filter. krb5-enum-users documents
# the krb5-enum-users.realm script-arg as required and this command passes no
# --script-args, so check the output rather than assuming the probe produced
# results.
[kerberos.scans.nmap-kerberos]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=krb5-enum-users -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/{protocol}_{port}_kerberos_nmap.xml" {address}'
# LDAP
[ldap]
service-names = ['^ldap']

# Version detection plus ldap*/ssl* NSE scripts; brute, broadcast, dos,
# external and fuzzer categories are excluded.
[ldap.scans.nmap-ldap]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/{protocol}_{port}_ldap_nmap.xml" {address}'

# Full enum4linux run, limited to one execution and to the listed ports. The
# output name carries no protocol/port prefix and this table is identical to
# [smb.scans.enum4linux]; if {scandir} is shared between the two services both
# write the same file — TODO confirm.
[ldap.scans.enum4linux]
command = 'enum4linux -a -M -l -d {address} | tee "{scandir}/enum4linux.txt"'
run_once = true
ports = { tcp = [139, 389, 445], udp = [137] }
# MongoDB
[mongodb]
service-names = ['^mongod']

# Version detection plus every mongodb* NSE script. Note that, unlike most
# other sections, no script categories are excluded here.
[mongodb.scans.nmap-mongodb]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="mongodb*" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/{protocol}_{port}_mongodb_nmap.xml" {address}'
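# Microsoft SQL Server
[mssql]
service-names = ['^mssql', '^ms\-sql']

# Version detection plus ms-sql*/ssl* NSE scripts (brute, broadcast, dos,
# external, fuzzer excluded). The script-args pass the default sa/sa credential
# pair, so this scan performs an authentication attempt against the instance —
# it will appear in the server's login auditing and is not a passive probe.
[mssql.scans.nmap-mssql]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=mssql.instance-port={port},mssql.username=sa,mssql.password=sa -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/{protocol}_{port}_mssql_nmap.xml" {address}'

# Manual suggestion. <username> and <password> are placeholders to fill in.
# Uses the `commands` array like every other *.manual.* table in this file;
# it previously used a scalar `command` key, the only manual entry to do so.
[mssql.manual.sqsh]
description = '(sqsh) interactive database shell'
commands = [
    'sqsh -U <username> -P <password> -S {address}:{port}',
]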
# MySQL / MariaDB
[mysql]
service-names = ['^mysql']

# Version detection plus mysql*/ssl* NSE scripts; brute, broadcast, dos,
# external and fuzzer categories are excluded.
[mysql.scans.nmap-mysql]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/{protocol}_{port}_mysql_nmap.xml" {address}'
# NFS (and the portmapper it registers with)
[nfs]
service-names = ['^nfs', '^rpcbind']

# Version detection plus rpcinfo and the nfs* NSE scripts; brute, broadcast,
# dos, external and fuzzer categories are excluded.
[nfs.scans.nmap-nfs]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/{protocol}_{port}_nfs_nmap.xml" {address}'
# Oracle Database (TNS listener)
[oracle]
service-names = ['^oracle']

# Version detection plus oracle*/ssl* NSE scripts; brute, broadcast, dos,
# external and fuzzer categories are excluded.
[oracle.scans.nmap-oracle]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/{protocol}_{port}_oracle_nmap.xml" {address}'
# POP3
[pop3]
service-names = ['^pop3']

# Version detection plus pop3*/ssl* NSE scripts; brute, broadcast, dos,
# external and fuzzer categories are excluded.
[pop3.scans.nmap-pop3]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/{protocol}_{port}_pop3_nmap.xml" {address}'
# Remote Desktop Protocol
[rdp]
service-names = ['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv']

# Version detection plus rdp*/ssl* NSE scripts; brute, broadcast, dos,
# external and fuzzer categories are excluded.
[rdp.scans.nmap-rdp]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/{protocol}_{port}_rdp_nmap.xml" {address}'

# Manual suggestion using the wordlists configured at the top of this file.
[rdp.manual.bruteforce]
description = 'Bruteforce logins:'
commands = [
    'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}',
    'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}',
]
# Java RMI registry
[rmi]
service-names = ['^java\-rmi', '^rmiregistry']

# Fixed NSE script list: rmi-vuln-classloader checks whether the registry
# permits remote class loading, rmi-dumpregistry lists the registered objects.
[rmi.scans.nmap-rmi]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=rmi-vuln-classloader,rmi-dumpregistry -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/{protocol}_{port}_rmi_nmap.xml" {address}'
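# Portmapper / MS-RPC endpoint mapper
[rpc]
service-names = ['^msrpc', '^rpcbind', '^erpc']

# The scan table lives under [rpc], the table that defines the service-names
# above. It previously sat under a separate [msrpc] table that defined no
# service-names, leaving [rpc] without any scans and [msrpc] without a
# trigger. Fixed NSE script list; output files keep the rpc_ prefix.
[rpc.scans.nmap-rpc]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=msrpc-enum,rpc-grind,rpcinfo -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/{protocol}_{port}_rpc_nmap.xml" {address}'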
# SSH
[ssh]
service-names = ['^ssh']

# Fixed NSE script list: offered algorithms, host key, and accepted
# authentication methods. No category filter is applied.
[ssh.scans.nmap-ssh]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=ssh2-enum-algos,ssh-hostkey,ssh-auth-methods -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/{protocol}_{port}_ssh_nmap.xml" {address}'

# Manual suggestion using the wordlists configured at the top of this file.
[ssh.manual.bruteforce]
description = 'Bruteforce logins:'
commands = [
    'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}',
    'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}',
]
# SMB / NetBIOS
[smb]
service-names = ['^smb', '^microsoft\-ds', '^netbios']

# Version detection plus nbstat/smb*/ssl* NSE scripts (brute, broadcast, dos,
# external, fuzzer excluded). unsafe=1 allows scripts nmap marks as potentially
# disruptive to run, so this scan can affect the availability of the target
# service.
[smb.scans.nmap-smb]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/{protocol}_{port}_smb_nmap.xml" {address}'

# Full enum4linux run, limited to one execution and to the listed ports. The
# output name carries no protocol/port prefix and this table is identical to
# [ldap.scans.enum4linux]; if {scandir} is shared between the two services both
# write the same file — TODO confirm.
[smb.scans.enum4linux]
command = 'enum4linux -a -M -l -d {address} | tee "{scandir}/enum4linux.txt"'
run_once = true
ports = { tcp = [139, 389, 445], udp = [137] }

# NetBIOS name table query; UDP 137 only.
[smb.scans.nbtscan]
command = 'nbtscan -rvh {address} | tee "{scandir}/nbtscan.txt"'
run_once = true
ports = { udp = [137] }

# Share listing without a password (-N); TCP 139/445 only.
[smb.scans.smbclient]
command = 'smbclient -L\\ -N -I {address} | tee "{scandir}/smbclient.txt"'
run_once = true
ports = { tcp = [139, 445] }
# SMTP
[smtp]
service-names = ['^smtp']

# Version detection plus smtp*/ssl* NSE scripts; brute, broadcast, dos,
# external and fuzzer categories are excluded.
[smtp.scans.nmap-smtp]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/{protocol}_{port}_smtp_nmap.xml" {address}'

# Checks the configured username wordlist against the server with VRFY; one
# VRFY per candidate, so this shows up in the mail server's logs.
[smtp.scans.smtp-user-enum]
command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} | tee "{scandir}/{protocol}_{port}_smtp_user-enum.txt"'
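# SNMP
[snmp]
service-names = ['^snmp']

# Version detection plus snmp*/ssl* NSE scripts (brute, broadcast, dos,
# external, fuzzer excluded). The -oN file uses the _nmap.txt suffix every
# other section uses; it was snmp-nmap.txt, which did not match its own -oX
# name.
[snmp.scans.nmap-snmp]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp_nmap.txt" -oX "{scandir}/{protocol}_{port}_snmp_nmap.xml" {address}'

# Community-string check against the seclists common list; UDP 161 only.
[snmp.scans.onesixtyone]
command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -dd -o "{scandir}/{protocol}_{port}_snmp_onesixtyone.txt" {address}'
run_once = true
ports = { udp = [161] }

# Every snmpwalk below uses SNMPv1 with the default "public" community and
# only fires for UDP 161. The first walks the whole tree; the rest each walk
# one well-known subtree, named in the comment above them.
[snmp.scans.snmpwalk]
command = 'snmpwalk -c public -v 1 {address} | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk.txt"'
run_once = true
ports = { udp = [161] }

# hrSystemProcesses (HOST-RESOURCES-MIB): number of running processes.
[snmp.scans.snmpwalk-system-processes]
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_system_processes.txt"'
run_once = true
ports = { udp = [161] }

# hrSWRunName: names of running processes.
[snmp.scans.snmpwalk-running-processes]
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt"'
run_once = true
ports = { udp = [161] }

# hrSWRunPath: executable paths of running processes.
[snmp.scans.snmpwalk-process-paths]
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_process_paths.txt"'
run_once = true
ports = { udp = [161] }

# hrStorageAllocationUnits: allocation unit size of each storage entry.
[snmp.scans.snmpwalk-storage-units]
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_storage_units.txt"'
run_once = true
ports = { udp = [161] }

# hrSWInstalledName: installed software names.
[snmp.scans.snmpwalk-software-names]
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_software_names.txt"'
run_once = true
ports = { udp = [161] }

# LanMan MIB (enterprise 77): local user account names on Windows agents.
[snmp.scans.snmpwalk-user-accounts]
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"'
run_once = true
ports = { udp = [161] }

# tcpConnLocalPort (TCP-MIB): local ports of the agent's TCP connections.
[snmp.scans.snmpwalk-tcp-ports]
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"'
run_once = true
ports = { udp = [161] }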
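# Telnet
[telnet]
service-names = ['^telnet']

# Fixed NSE script list (encryption support and NTLM info). The -oN file uses
# the _nmap.txt suffix every other section uses; it was telnet-nmap.txt, which
# did not match its own -oX name.
[telnet.scans.nmap-telnet]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=telnet-encryption,telnet-ntlm-info -oN "{scandir}/{protocol}_{port}_telnet_nmap.txt" -oX "{scandir}/{protocol}_{port}_telnet_nmap.xml" {address}'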
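# TFTP
[tftp]
service-names = ['^tftp']

# Single NSE script (tftp-enum). The -oN file uses the _nmap.txt suffix every
# other section uses; it was tftp-nmap.txt, which did not match its own -oX
# name.
[tftp.scans.nmap-tftp]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script=tftp-enum -oN "{scandir}/{protocol}_{port}_tftp_nmap.txt" -oX "{scandir}/{protocol}_{port}_tftp_nmap.xml" {address}'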
# VNC
[vnc]
service-names = ['^vnc']

# Version detection plus vnc*/realvnc*/ssl* NSE scripts (brute, broadcast,
# dos, external, fuzzer excluded). unsafe=1 allows scripts nmap marks as
# potentially disruptive to run, so this scan can affect the availability of
# the target service.
[vnc.scans.nmap-vnc]
command = 'nmap -vv --reason -Pn -sV {nmap_extra} -p {port} --script="(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/{protocol}_{port}_vnc_nmap.xml" {address}'