1. Information gathering in three stages

1.1 Quick ping sweep of the network

#!/usr/bin/env python
###############################################################
## [Name]: 1-mix-ping_sweep.py -- a recon/enumeration script
## [Author]: Re4son re4son [at] whitedome.com.au
##-------------------------------------------------------------
## [Details]:
## Script to perform a ping sweep over a given range and list 
## each live host in file /targets.txt.
##------------------------------------------------------------
## [Usage]:
## python 1-mix-ping_sweep.py <range> <output>
###############################################################

import subprocess
import sys
import os

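if len(sys.argv) != 3:
    # Both arguments are required (the usage line previously named only one),
    # and a usage error exits non-zero so a calling script can tell it apart
    # from a finished sweep.
    print("\nUsage: 1-mix-ping_sweep.py <range> <output>\n")
    sys.exit(1)

RANGE = sys.argv[1].strip()    # nmap target specification, passed through as given
OUTDIR = sys.argv[2].strip()   # directory that receives targets.txt

# Only a missing directory is created.  Any other stat() failure (permission
# denied, a regular file in the way) is no longer swallowed by a bare except.
if not os.path.isdir(OUTDIR):
    os.mkdir(OUTDIR)
    print(" ")
    print("[!] %s didn't exist, created %s" % (OUTDIR, OUTDIR))

outfile = OUTDIR + "/targets.txt"

print(" ")
print("[+] Performing ping sweep over %s" % (RANGE))
# Argument list, no shell: the range string reaches nmap verbatim and cannot be
# expanded or chained by a shell.  universal_newlines yields str on Python 2 and 3.
results = subprocess.check_output(["nmap", "-n", "-sP", RANGE], universal_newlines=True)

# Each live host is reported as "Nmap scan report for <address>"; with -n the
# fifth whitespace-separated field is the bare address.
live_hosts = []
for line in results.splitlines():
    fields = line.split()
    if "Nmap scan report for" in line and len(fields) >= 5:
        live_hosts.append(fields[4])
        print("[*] %s" % (fields[4]))

# One address per line, no trailing newline; 3-mix-recon.py strips each line.
# The file is only created once nmap has succeeded, and is closed on any error.
with open(outfile, 'w') as f:
    f.write("\n".join(live_hosts))

print(" ")
print("[*] Found %s live hosts" % (len(live_hosts)))
print("[*] Created target list %s" % (outfile))
print("[*] Paste %s into 3-mix-recon.py" % (outfile))
print(" ")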

 

1.2 Finding DNS servers

#!/usr/bin/env python
###############################################################
## [Name]: 2-mix-find_dns.py -- script to find dns servers 
##                              amongst a list of machines
##-------------------------------------------------------------
## [Author]: Re4son re4son [at] whitedome.com.au
##-------------------------------------------------------------
## [Details]: 
## Script iterates through the target list and checks if TCP 
## port 53 is open.
## The result is displayed on screen and written to 
## <output>/DNS-Servers.txt 
##-------------------------------------------------------------
## [Usage]: 
## python 2-mix-find_dns.py <targets> <output>
###############################################################

import subprocess
import sys

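if len(sys.argv) != 3:
    # argv[1] is the target list and argv[2] the output directory; the usage
    # line names both, and a usage error exits non-zero so callers notice.
    print("\nUsage: python 2-mix-find_dns.py <targets> <output>\n")
    sys.exit(1)

TARGETS = sys.argv[1].strip()   # file with one host address per line
OUTDIR = sys.argv[2].strip()    # directory that receives DNS-Servers.txt

outfile = OUTDIR + "/DNS-Servers.txt"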


def dnsScan(ip_address):
    """Placeholder hook for a per-host DNS check; not called by this script.

    Args:
        ip_address: host address the check would inspect (unused).

    Returns:
        None.
    """
    return None

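res = 0
print(" ")
print("[+] Enumerating TCP port 53 to find dns servers")
# Both handles are closed by the with-block even if an nmap run fails midway.
with open(TARGETS, 'r') as inf, open(outfile, 'w') as outf:
    outf.write("[+] Enumerating TCP port 53 to find dns servers\n")
    for ip_address in inf:
        ip_address = ip_address.strip()
        if not ip_address:
            continue  # tolerate blank lines in the target list
        # No shell: the address read from the file is a single argv entry, so
        # nothing in it can be interpreted as shell syntax.  universal_newlines
        # yields str on both Python 2 and 3.
        results = subprocess.check_output(
            ["nmap", "-n", "-sV", "-Pn", "-vv", "-p53", ip_address],
            universal_newlines=True)
        for line in results.splitlines():
            line = line.strip()
            # Keep the port-table row for 53/tcp; "Discovered ..." lines are
            # nmap's verbose progress output and would double-count the port.
            if "53/tcp" in line and "open" in line and "Discovered" not in line:
                print("[*] Found DNS service running on: %s/TCP" % (ip_address))
                outf.write("[*] Found DNS service running on: %s/TCP\n" % (ip_address))
                print("   [>] %s" % (line))
                outf.write("   [>] %s\n" % (line))
                res += 1
    print(" ")
    outf.write("\n")
    print("[*] Found %s DNS servers" % (res))
    outf.write("[*] Found %s DNS servers\n" % (res))
    print("[*] Pick one and include in 3-mix-recon.py")
    print(" ")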

 

1.3 Detailed net scan and setup of directory structure for penetration test:

#!/usr/bin/env python
#############################################################################
## [Name]: 3-mix-recon.py -- a recon/enumeration script
## [Original Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
## [Author]: Re4son re4son [at] whitedome.com.au
##---------------------------------------------------------------------------
## [Details]: 
## This script is intended to be executed remotely against a list of IPs to 
## enumerate discovered services such 
## as smb, smtp, snmp, ftp and others. 
#############################################################################

import subprocess
import multiprocessing
from multiprocessing import Process, Queue
import os
import time 

# Target list produced by 1-mix-ping_sweep.py, one host address per line.
TARGETS = '/root/192.168.0.0/targets.txt'
# Root for the per-host output tree; an empty string selects ./mix-recon-OUTPUT.
OUTDIR = '/root/192.168.0.0/'
# DNS server handed to nmap with --dns-servers; an empty string makes the scans run with -n.
DNSSRV = '192.168.1.11'

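def multProc(targetin, scanip, port, outputdir):
    """Start *targetin* in a child process with (scanip, port, outputdir) and return it.

    The original discarded the handle (and kept an unused ``jobs`` list), so
    nothing could join or poll the worker.  Returning the Process keeps the
    call compatible for callers that ignore the result.  Nothing else in this
    listing calls multProc; the main block starts nmapScan workers directly.

    Args:
        targetin: callable executed in the child process.
        scanip: first positional argument passed to targetin.
        port: second positional argument passed to targetin.
        outputdir: third positional argument passed to targetin.

    Returns:
        The started multiprocessing.Process.
    """
    p = multiprocessing.Process(target=targetin, args=(scanip, port, outputdir))
    p.start()
    return p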

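def _nmap_argv(ip_address, outputdir, udp=False):
    """Return the argv list for the detailed TCP (default) or UDP nmap scan of one host.

    Built as a list so the address read from the targets file and the output
    path are single arguments and are never interpreted by a shell.
    """
    if udp:
        argv = ["nmap", "-vv", "-Pn", "-A", "-sC", "-sU", "-T", "4", "--top-ports", "200"]
        suffix = "U"
    else:
        argv = ["nmap", "-vv", "-Pn", "-sS", "-A", "-sC", "-p-", "-T", "3", "-script-args=unsafe=1"]
        suffix = ""
    # Resolve through the configured DNS server, or skip resolution entirely.
    if DNSSRV:
        argv += ["--dns-servers", DNSSRV]
    else:
        argv.append("-n")
    argv += [
        "-oN", "%s/%s%s.nmap" % (outputdir, ip_address, suffix),
        "-oX", "%s/%s%s_nmap_scan_import.xml" % (outputdir, ip_address, suffix),
        ip_address,
    ]
    return argv


def _open_tcp_services(scan_output):
    """Map each service name in nmap's port table to its list of 'port/proto' strings.

    Only rows mentioning both "tcp" and "open" are used; "Discovered ..."
    progress lines from verbose output are skipped.  Rows with fewer than
    three fields are ignored instead of raising IndexError.
    """
    serv_dict = {}
    for line in scan_output.splitlines():
        line = line.strip()
        if "tcp" not in line or "open" not in line or "Discovered" in line:
            continue
        fields = line.split()  # collapses nmap's column padding
        if len(fields) < 3:
            continue
        port, service = fields[0], fields[2]
        serv_dict.setdefault(service, []).append(port)
    return serv_dict


def _write_hints(f, serv, ports, ip_address, outputdir):
    """Write the follow-up enumeration hint lines for one discovered service to *f*.

    *ports* holds "port/proto" strings; only the numeric part is used.
    Services without a hint table produce no output.  The hint text is kept
    verbatim from the original script; the only changes are that the host is
    taken from the ip_address parameter (the original read a module global
    named scanip, which does not exist in a child that is not forked) and
    that the MS SQL hint is newline-terminated like the others.
    """
    for full_port in ports:
        port = full_port.split("/")[0]
        if "ftp" in serv:
            f.write("[*] Found FTP service on %s:%s\n" % (ip_address, port))
            f.write("   [>] Use nmap scripts for further enumeration or hydra for password attack, e.g\n")
            f.write("   [=] nmap -sV -Pn -vv -p%s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '%s/%s_ftp.nmap' -oX '%s/%s_ftp_nmap_scan_import.xml' %s\n" % (port, outputdir, ip_address, outputdir, ip_address, ip_address))
            f.write("   [=] hydra -L /usr/share/wordlists/webslayer/others/names.txt -P /usr/share/wordlists/webslayer/others/common_pass.txt -f -o %s/%s_ftphydra.txt -u %s -s %s ftp\n" % (outputdir, ip_address, ip_address, port))
        elif serv == "http":
            f.write("[*] Found HTTP service on %s:%s\n" % (ip_address, port))
            f.write("   [>] Use nikto & dirb / dirbuster for service enumeration, e.g\n")
            f.write("   [=] nikto -h %s -p %s > %s/%s_nikto.txt\n" % (ip_address, port, outputdir, ip_address))
            f.write("   [=] dirb http://%s:%s/ -o %s/%s_dirb.txt -r -S -x ./dirb-extensions/php.ext\n" % (ip_address, port, outputdir, ip_address))
            f.write("   [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r %s/%s_dirbuster.txt -u http://%s:%s/\n" % (outputdir, ip_address, ip_address, port))
        elif serv == "ssl/http" or "https" in serv:
            f.write("[*] Found HTTP service on %s:%s\n" % (ip_address, port))
            f.write("   [>] Use nikto & dirb / dirbuster for service enumeration, e.g\n")
            f.write("   [=] nikto -h %s -p %s > %s/%s_nikto.txt\n" % (ip_address, port, outputdir, ip_address))
            f.write("   [=] dirb https://%s:%s/ -o %s/%s_dirb.txt -r -S -x ./dirb-extensions/php.ext\n" % (ip_address, port, outputdir, ip_address))
            f.write("   [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r %s/%s_dirbuster.txt -u http://%s:%s/\n" % (outputdir, ip_address, ip_address, port))
        elif "mysql" in serv:
            f.write("[*] Found mysql service on %s:%s\n" % (ip_address, port))
            f.write("   [>] Check out the server for web applications with sqli vulnerabilities\n")
        elif "microsoft-ds" in serv:
            f.write("[*] Found MS SMB service on %s:%s\n" % (ip_address, port))
            f.write("   [>] Use nmap scripts or enum4linux for further enumeration, e.g\n")
            f.write("   [=] nmap -sV -Pn -vv -p%s --script=\"smb-* -oN '%s/%s_smb.nmap' -oX '%s/%s_smb_nmap_scan_import.xml' %s\n" % (port, outputdir, ip_address, outputdir, ip_address, ip_address))
            f.write("   [=] enum4linux %s\n" % (ip_address))
        elif "ms-sql" in serv:
            f.write("[*] Found MS SQL service on %s:%s\n" % (ip_address, port))
            f.write("   [>] Use nmap scripts for further enumeration, e.g\n")
            f.write("   [=] nmap -vv -sV -Pn -p %s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=%s,smsql.username-sa,mssql.password-sa -oX %s/%s_mssql_nmap_scan_import.xml %s\n" % (port, port, outputdir, ip_address, ip_address))
        elif "msdrdp" in serv or "ms-wbt-server" in serv:
            f.write("[*] Found RDP service on %s:%s\n" % (ip_address, port))
            f.write("   [>] Use ncrackpassword cracking, e.g\n")
            f.write("   [=] ncrack -vv --user administrator -P /root/rockyou.txt rdp://%s\n" % (ip_address))
        elif "smtp" in serv:
            f.write("[*] Found SMTP service on %s:%s\n" % (ip_address, port))
            f.write("   [>] Use smtp-user-enum to find users, e.g\n")
            f.write("   [=] smtp-user-enum -M VRFY -U /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt -t %s -p %s\n" % (ip_address, port))
        elif "snmp" in serv:
            f.write("[*] Found SNMP service on %s:%s\n" % (ip_address, port))
            f.write("   [>] Use nmap scripts, onesixtyone or snmwalk for further enumeration, e.g\n")
            f.write("   [=] nmap -sV -Pn -vv -p%s --script=snmp-netstat,snmp-processes -oN '%s/%s_snmp.nmap' -oX '%s/%s_snmp_nmap_scan_import.xml' %s\n" % (port, outputdir, ip_address, outputdir, ip_address, ip_address))
            f.write("   [=] onesixtyone %s\n" % (ip_address))
            f.write("   [=] snmpwalk -c public -v1 %s > %s/%s_snmpwalk.txt\n" % (ip_address, outputdir, ip_address))
        elif "ssh" in serv:
            f.write("[*] Found SSH service on %s:%s\n" % (ip_address, port))
            f.write("   [>] Use medusa or hydra (unreliable) for password cracking, e.g\n")
            f.write("   [=] medusa -u root -P /root/rockyou.txt -e ns -h %s - %s -M ssh\n" % (ip_address, port))
            f.write("   [=] hydra -f -V -t 1 -l root -P /root/rockyou.txt -s %s %s ssh\n" % (port, ip_address))


def nmapScan(ip_address, outputdir):
    """Scan one host with nmap and write per-service enumeration hints.

    Three nmap runs are made in sequence and their reports saved under
    *outputdir*: a quick scan (<ip>.quick.nmap), a full TCP port scan
    (<ip>.nmap / <ip>_nmap_scan_import.xml) and a top-200 UDP scan
    (<ip>U.nmap / <ip>U_nmap_scan_import.xml).  Open TCP ports from the full
    scan are grouped by service name and the matching hint lines are written
    to <outputdir>/<ip>_findings.txt.  Name resolution follows the module
    constant DNSSRV.  nmap is always invoked with an argument list, never a
    shell string, so an unexpected entry in the targets file cannot inject
    shell syntax.

    Args:
        ip_address: host to scan; surrounding whitespace is stripped.
        outputdir: existing directory that receives the nmap reports and
            the findings file.

    Returns:
        None.

    Raises:
        subprocess.CalledProcessError: an nmap run exited non-zero.
        OSError: nmap cannot be executed or the findings file cannot be
            written.  NOTE(review): -sS/-sU raw-socket scans normally need
            elevated privileges; confirm for the deployment.
    """
    ip_address = ip_address.strip()
    outfile = "%s/%s_findings.txt" % (outputdir, ip_address)

    print("[+] Starting quick nmap scan for %s" % (ip_address))
    # Output is captured only to keep nmap's stdout off the console; the -oN
    # file is the record of this scan.
    subprocess.check_output(
        ["nmap", "-n", "-oN", "%s/%s.quick.nmap" % (outputdir, ip_address), ip_address],
        universal_newlines=True)

    print("[+] Starting detailed TCP/UDP nmap scans for %s" % (ip_address))
    results = subprocess.check_output(_nmap_argv(ip_address, outputdir), universal_newlines=True)
    # The UDP scan is run for its -oN/-oX files; only the TCP table feeds the hints.
    subprocess.check_output(_nmap_argv(ip_address, outputdir, udp=True), universal_newlines=True)

    serv_dict = _open_tcp_services(results)

    # Closed even if a hint write fails; the original left the handle open on error.
    with open(outfile, 'w') as f:
        for serv in serv_dict:
            _write_hints(f, serv, serv_dict[serv], ip_address, outputdir)
    print("[*] TCP/UDP Nmap scans completed for " + ip_address)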

# grab the ping sweep results and start scanning up hosts
print "\n"
print "############################################################"
print "####               NETWORK RECONNAISSANCE               ####"
print "############################################################"
print "\n"
 
if __name__=='__main__':
   f = open(TARGETS, 'r')

   if OUTDIR == '':
       OUTDIR = "./mix-recon-OUTPUT"

   try:
       os.stat(OUTDIR)
   except:
       os.mkdir(OUTDIR)

   for scanip in f:
       scanip = scanip.strip()
       print "[+] Creating directory structure for " + scanip

       hostdir = OUTDIR + "/" + scanip
       try:
           os.stat(hostdir)
       except:
           os.mkdir(hostdir)

       nmapdir = hostdir + "/nmap"
       try:
           os.stat(nmapdir)
       except:
           os.mkdir(nmapdir)

       exploitdir = hostdir + "/exploit"
       try:
           os.stat(exploitdir)
       except:
           os.mkdir(exploitdir)

       lootdir = hostdir + "/loot"
       try:
           os.stat(lootdir)
       except:
           os.mkdir(lootdir)

       prooffile = hostdir + "/proof.txt"
       open(prooffile, 'a').close()

       namefile = hostdir + "/0-name"
       open(namefile, 'a').close()

       jobs = []
       p = multiprocessing.Process(target=nmapScan, args=(scanip, nmapdir))
       jobs.append(p)
       p.start()
   f.close()

 

This set of scripts is available on GitHub.
