
some more scripts

Marius Schwarz 5 years ago
parent
commit
cf54a73537
5 changed files with 131 additions and 3 deletions
  1. 3 3
      README.md
  2. 0 0
      create-meter.sh
  3. 55 0
      nmap-parse.sh
  4. 54 0
      scan.sh
  5. 19 0
      smb-vuln-finder.sh

+ 3 - 3
README.md

@@ -2,15 +2,15 @@
 
 some helper scripts for pentesting
 
-### create_meter
+### create-meter.sh
 
 script to create linux and windows (x86/x64) meterpreter faster and with less typing.
 
-### scan
+### scan.sh
 
 nmap wrapper for the first scans that are always done (tcp initial, tcp full, udp).
 
-### nmap_parse
+### nmap-parse.sh
 
 Usefull in a big network with many hosts.
 Parser devides the hosts into files containing all hosts with a certain open port.

+ 0 - 0
create_meter → create-meter.sh


+ 55 - 0
nmap-parse.sh

@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# .gnmap file as first argument
+if [ $# -lt 1 ] ; then
+    echo '[-] parse <gnmap-file>'
+    exit 1
+fi
+
+if [ ! -f "$1" ]; then
+    echo '[-] No such file.'
+    exit 1
+fi
+
+if [ ! -d hosts/ ]; then
+    echo "[*] creating hosts/ folder"
+    mkdir hosts
+fi
+
+function num_hosts {
+    echo "$(cat "$1" | grep 'Up' | wc -l)"
+}
+
+# $1 is the file,  $2 must be the port, $3 must be the service-name
+function parse_for_service {
+    num=$(cat "$1" | grep "$2/open"  | wc -l)
+    if [ $num -le 1 ]; then
+        echo "[-] No hosts with service $3"
+        return
+    fi
+    filename="hosts/hosts.$3"
+    if [ -f "$filename" ]; then
+        echo "[-] File exists (for service $3), skiping...."
+        return
+    fi
+
+    cat "$1" | grep "$2/open" | awk '{print $2}' | sort -u > $filename
+    echo "[+] Outputing all hosts ($num) with an open $3 service to $filename"
+    return $num
+}
+
+# Parsing
+hosts=$(num_hosts "$1")
+echo "[*] A total of $hosts Hosts to parse"
+
+
+parse_for_service "$1" 80 http
+parse_for_service "$1" 3389 rdp
+parse_for_service "$1" 22 ssh
+parse_for_service "$1" 21 ftp
+parse_for_service "$1" 53 dns
+parse_for_service "$1" 443 https
+parse_for_service "$1" 445 smb
+
+
+echo "[+] Done."
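Review bot: `grep "$2/open"` in parse_for_service matches any port whose number ends in the requested digits, so in a .gnmap "Ports:" list `80/open` also picks up `8080/open`, `180/open` and similar, and the hosts.http file will contain hosts that have no port 80 open; anchoring on the separator nmap emits before each port fixes it: `num=$(grep -Ec "[ ,]$2/open" "$1")` and `grep -E "[ ,]$2/open" "$1" | awk '{print $2}' | sort -u > "$filename"`. The guard `if [ $num -le 1 ]` is also off by one, reporting "No hosts" and skipping output when exactly one host has the port open; it should be `if [ "$num" -eq 0 ]`. Less urgently, the file declares `#!/bin/sh` but uses the `function` keyword, which is not POSIX and fails under dash, so either change the shebang to `#!/bin/bash` like the other two scripts or drop the keyword; and `return $num` wraps modulo 256 for larger networks, so callers cannot rely on it as a count.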

+ 54 - 0
scan.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+function initial {
+
+    if [ -f nmap/initial.nmap ]; then
+       echo "[-] initial scan files are already present on system"
+       exit 1
+    fi
+
+    echo "[-] Initial scan for $1"
+    nmap -T4 -oA nmap/initial "$1" 2> /dev/null
+
+}
+
+function allports {
+
+    if [ -f nmap/all-ports.nmap ]; then
+        echo "[-] initial scan files are already present on system"
+        exit 1
+    fi
+    echo "[-] Full scna for $1"
+    nmap -T4 -p- -sV -oA nmap/all-ports "$1" 2> /dev/null
+
+}
+
+function udp {
+
+    if [ -f nmap/udp.nmap ]; then
+        echo "[-] initial scan files are already present on system"
+        exit 1
+    fi
+    echo "[-] UDP scan for $1 (root is needed for that scan-mode)"
+    sudo nmap -T4 --top-ports 1000 -sU -oA nmap/udp "$1" 2> /dev/null
+
+}
+
+
+if [ $# -ne 2 ]; then
+    echo '[-] scan <range> <type> (initial, all, udp)'
+    exit 1
+fi
+
+if [ ! -d nmap/ ]; then
+    echo "[*] creating nmap folder"
+    mkdir nmap
+fi
+
+if [ "$2" = "initial" ]; then
+    initial "$1"
+elif [ "$2" = "full" ] || [ "$2" = "all" ]; then
+    allports "$1"
+elif [ "$2" = "udp" ]; then
+    udp "$1"
+fi
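Review bot: An unknown scan type in `$2` (a typo such as `intial`) falls through the if/elif chain at the bottom and the script exits 0 having done nothing, which is easy to miss in a scripted workflow; add a final branch, `else echo "[-] unknown scan type: $2 (initial, all, udp)" >&2; exit 1`, before the closing `fi`. Every nmap call also redirects stderr with `2> /dev/null` and ignores nmap's exit status, so a bad target spec, an unreadable output directory or a privilege problem on the default SYN scan produces an empty or missing nmap/*.nmap file with no indication of why; dropping the redirect, or at least adding `|| exit 1` after each nmap line, would surface that. Note too that the "already present" messages in allports and udp were copied from initial and still say "initial scan files", and the udp banner misspells "scan" as "scna"; both are user-facing strings worth correcting.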

+ 19 - 0
smb-vuln-finder.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+ips="$1"
+echo "[*] Enumerating all SMB Shares"
+nmap -p 139,445 --script=smb-enum-shares -iL $ips -oA nmap/smb-enum-shares > /dev/null
+echo "[*] Enumerating SMB Vulnerability: MS06-025"
+nmap -p 139,445 --script=smb-vuln-ms06-025 -iL $ips -oA nmap/smb-vuln-ms06-025 > /dev/null
+echo "[*] Enumerating SMB Vulnerability: MS07-029"
+nmap -p 139,445 --script=smb-vuln-ms07-029 -iL $ips -oA nmap/smb-vuln-ms07-029 > /dev/null
+echo "[*] Enumerating SMB Vulnerability: MS08-067"
+nmap -p 139,445 --script=smb-vuln-ms08-067 -iL $ips -oA nmap/smb-vuln-ms08-067 > /dev/null
+echo "[*] Enumerating SMB Vulnerability: MS10-054"
+nmap -p 139,445 --script=smb-vuln-ms10-054 -iL $ips -oA nmap/smb-vuln-ms10-054 > /dev/null
+echo "[*] Enumerating SMB Vulnerability: MS10-061"
+nmap -p 139,445 --script=smb-vuln-ms10-061 -iL $ips -oA nmap/smb-vuln-ms10-061 > /dev/null
+echo "[*] Enumerating SMB Vulnerability: ms17-010 (aka EternalBlue)"
+nmap -p 139,445 --script=smb-vuln-ms17-010 -iL $ips -oA nmap/smb-vuln-ms17-010 > /dev/null
+echo "[*] Enumerating SMB Vulnerability: regsvc-dos"
+nmap -p 139,445 --script=smb-vuln-regsvc-dos -iL $ips -oA nmap/smb-vuln-regsvc-dos > /dev/null
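Review bot: The script never validates its one argument and passes it unquoted as `-iL $ips` on all seven nmap lines, so running it with no argument, or with a path containing spaces or glob characters, hands nmap a mangled or missing list file and every scan fails or targets the wrong input; replace the assignment with `ips="${1:?usage: $0 <ip-list-file>}"` and quote it as `-iL "$ips"` throughout. Unlike scan.sh, this script also does not create the `nmap/` output directory before `-oA nmap/...`, so it fails when run from a fresh working directory; a `mkdir -p nmap` after the assignment keeps the two scripts consistent. The seven invocations rescan the same two ports once per script, which could be one run with a comma-separated `--script=` list if per-script output files are not required. Finally, at least one of the selected scripts (smb-vuln-regsvc-dos, by its name) is a denial-of-service check that may crash the target service; a header comment along the lines of `# WARNING: includes DoS checks (regsvc-dos); only run with explicit authorisation` would warn the next operator.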