10th June, 2015
1.1 Quick ping sweep of the network
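#!/usr/bin/env python
###############################################################
## [Name]: 1-mix-ping_sweep.py -- a recon/enumeration script
## [Author]: Re4son re4son [at] whitedome.com.au
##-------------------------------------------------------------
## [Details]:
## Script to perform a ping sweep over a given range and list
## each live host in file <output>/targets.txt.
##------------------------------------------------------------
## [Usage]:
## python 1-mix-ping_sweep.py <range> <output>
###############################################################
import subprocess
import sys
import os


def parse_live_hosts(nmap_output):
    """Return the addresses reported live in *nmap_output*, in order.

    Only ``Nmap scan report for <address>`` lines are considered.  The sweep
    runs with ``-n`` (no reverse lookup), so the fifth whitespace-separated
    token is the bare address; lines too short to carry one are skipped
    instead of raising IndexError as the original did.
    """
    hosts = []
    for line in nmap_output.splitlines():
        tokens = line.split()
        if "Nmap scan report for" in line and len(tokens) > 4:
            hosts.append(tokens[4])
    return hosts


def main(argv=None):
    """Ping-sweep a range with nmap and write the live hosts to targets.txt.

    *argv* defaults to sys.argv and must hold exactly two positional
    arguments: the range (any nmap target specification) and the output
    directory, which is created when missing.  A usage error now exits
    with status 1 (the original exited 0, so a calling shell could not
    tell the two apart).
    """
    if argv is None:
        argv = sys.argv
    if len(argv) != 3:
        print("\nUsage: python 1-mix-ping_sweep.py <range> <output>\n")
        sys.exit(1)
    scan_range = argv[1].strip()
    outdir = argv[2].strip()
    # os.path.isdir replaces a bare except around os.stat, which also hid
    # permission errors and then failed later on open().
    if not os.path.isdir(outdir):
        os.makedirs(outdir)
        print(" ")
        print("[!] %s didn't exist, created %s" % (outdir, outdir))
    outfile = os.path.join(outdir, "targets.txt")
    print(" ")
    print("[+] Performing ping sweep over %s" % (scan_range))
    # Argument list, not a shell string: the range is command-line input and
    # must reach nmap verbatim rather than be parsed by /bin/sh.
    # -sP is the legacy spelling of -sn (host discovery only).
    sweep = ["nmap", "-n", "-sP", scan_range]
    results = subprocess.check_output(sweep, universal_newlines=True)
    hosts = parse_live_hosts(results)
    # The file is only created once the sweep has succeeded, so a failed run
    # no longer leaves an empty targets.txt behind.
    with open(outfile, "w") as f:
        f.write("\n".join(hosts))
    for ip_address in hosts:
        print("[*] %s" % (ip_address))
    print(" ")
    print("[*] Found %s live hosts" % (len(hosts)))
    print("[*] Created target list %s" % (outfile))
    print("[*] Paste %s into 3-mix-recon.py" % (outfile))
    print(" ")


if __name__ == "__main__":
    main()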
1.2 Finding DNS servers
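#!/usr/bin/env python
###############################################################
## [Name]: 2-mix-find_dns.py -- script to find dns servers
## amongst a list of machines
##-------------------------------------------------------------
## [Author]: Re4son re4son [at] whitedome.com.au
##-------------------------------------------------------------
## [Details]:
## Script iterates through <targets> and checks if TCP
## port 53 is open on each host.
## The result is displayed on screen and written to
## <output>/DNS-Servers.txt
##-------------------------------------------------------------
## [Usage]:
## python 2-mix-find_dns.py <targets> <output>
###############################################################
import subprocess
import sys


def open_dns_lines(nmap_output):
    """Return the stripped lines of *nmap_output* that report TCP/53 open.

    The verbose ``Discovered open port ...`` progress lines are excluded so
    an open port is reported once, from nmap's port table only.  (The
    original tested ``"open" in line`` twice; the duplicate is dropped.)
    """
    found = []
    for line in nmap_output.splitlines():
        line = line.strip()
        if "53/tcp" in line and "open" in line and "Discovered" not in line:
            found.append(line)
    return found


def dnsScan(ip_address):
    """Probe TCP/53 on *ip_address* with nmap and return the matching lines.

    Returns an empty list when no DNS service is reported.  The original
    was an empty stub; it now does the per-host work of the main loop.
    The address is passed as a separate argument with no shell involved,
    so a malformed entry in the targets file cannot become a command.
    """
    scan = ["nmap", "-n", "-sV", "-Pn", "-vv", "-p53", ip_address]
    results = subprocess.check_output(scan, universal_newlines=True)
    return open_dns_lines(results)


def main(argv=None):
    """Scan every host in <targets> for TCP/53 and record the hits.

    *argv* defaults to sys.argv: <targets> is a file with one host per line,
    <output> the directory that receives DNS-Servers.txt.  A usage error
    exits with status 1 (the original exited 0).  Each host is counted once
    even when nmap prints several matching lines, which the original
    counted separately.  Blank lines in the targets file are skipped.
    """
    if argv is None:
        argv = sys.argv
    if len(argv) != 3:
        print("\nUsage: python 2-mix-find_dns.py <targets> <output>\n")
        sys.exit(1)
    targets = argv[1].strip()
    outdir = argv[2].strip()
    outfile = outdir + "/DNS-Servers.txt"
    res = 0
    print(" ")
    print("[+] Enumerating TCP port 53 to find dns servers")
    # Both files are closed on any exit path, including a failed nmap run.
    with open(targets, "r") as inf, open(outfile, "w") as outf:
        outf.write("[+] Enumerating TCP port 53 to find dns servers\n")
        for ip_address in inf:
            ip_address = ip_address.strip()
            if not ip_address:
                continue
            hits = dnsScan(ip_address)
            if hits:
                res += 1
                print("[*] Found DNS service running on: %s/TCP" % (ip_address))
                outf.write("[*] Found DNS service running on: %s/TCP\n" % (ip_address))
                for line in hits:
                    print(" [>] %s" % (line))
                    outf.write(" [>] %s\n" % (line))
            print(" ")
            outf.write("\n")
        print("[*] Found %s DNS servers" % (res))
        outf.write("[*] Found %s DNS servers\n" % (res))
    print("[*] Pick one and include in 3-mix-recon.py")
    print(" ")


if __name__ == "__main__":
    main()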
1.3 Detailed net scan and setup of directory structure for penetration test:
#!/usr/bin/env python
#############################################################################
## [Name]: 3-mix-recon.py -- a recon/enumeration script
## [Original Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
## [Author]: Re4son re4son [at] whitedome.com.au
##---------------------------------------------------------------------------
## [Details]:
## This script is intended to be executed remotely against a list of IPs to
## enumerate discovered services such
## as smb, smtp, snmp, ftp and other.
#############################################################################
import subprocess
import multiprocessing
from multiprocessing import Process, Queue
import os
import time
# Host list to scan, one address per line (the file 1-mix-ping_sweep.py writes).
TARGETS = "/root/192.168.0.0/targets.txt"
# Root of the per-host directory tree. Can be empty - will use ./mix-recon-OUTPUT
OUTDIR = "/root/192.168.0.0/"
# Resolver handed to nmap via --dns-servers. Can be empty - will skip name resolution
DNSSRV = "192.168.1.11"
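def multProc(targetin, scanip, port, outputdir):
    """Run ``targetin(scanip, port, outputdir)`` in a child process.

    Returns the started multiprocessing.Process so the caller can join()
    it or check its exit code.  The original appended the handle to a
    local list and returned None, which made the child impossible to
    wait for; callers that ignored the return value are unaffected.
    """
    worker = multiprocessing.Process(target=targetin, args=(scanip, port, outputdir))
    worker.start()
    return worker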
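def nmap_commands(ip_address, outputdir):
    """Build the argument lists for the full TCP and top-200 UDP scans.

    With DNSSRV set the scans resolve through that server; otherwise they
    run with -n.  The original built ``-n %s`` with an empty DNSSRV and
    relied on the shell dropping the empty word; as argument lists there
    is no shell, so the resolver flag is chosen explicitly.  ``-sU`` and
    ``-sS`` need raw-socket privileges, as in the original.
    """
    resolve = ["--dns-servers", DNSSRV] if DNSSRV else ["-n"]
    tcpscan = ["nmap", "-vv", "-Pn", "-sS", "-A", "-sC", "-p-", "-T3",
               "--script-args=unsafe=1"] + resolve + [
        "-oN", "%s/%s.nmap" % (outputdir, ip_address),
        "-oX", "%s/%s_nmap_scan_import.xml" % (outputdir, ip_address),
        ip_address]
    udpscan = ["nmap", "-vv", "-Pn", "-A", "-sC", "-sU", "-T4",
               "--top-ports", "200"] + resolve + [
        "-oN", "%s/%sU.nmap" % (outputdir, ip_address),
        "-oX", "%s/%sU_nmap_scan_import.xml" % (outputdir, ip_address),
        ip_address]
    return tcpscan, udpscan


def open_tcp_services(nmap_output):
    """Map service name -> list of ``port/proto`` from nmap's port table.

    Only lines containing both "tcp" and "open" count; the verbose
    "Discovered open port" progress lines are skipped.  Whitespace is
    collapsed with split(), replacing the original
    ``while " " in line: line = line.replace(" ", " ")`` loop, which as
    printed replaces a space with a space and therefore never ends.
    Lines with fewer than three fields are ignored instead of raising.
    """
    serv_dict = {}
    for line in nmap_output.splitlines():
        line = line.strip()
        if "tcp" not in line or "open" not in line or "Discovered" in line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        port, service = fields[0], fields[2]
        serv_dict.setdefault(service, []).append(port)
    return serv_dict


def write_hints(f, ip_address, outputdir, serv_dict):
    """Write one hint block per open TCP port to the open text file *f*.

    *serv_dict* maps service name -> list of "port/proto" strings as built
    by open_tcp_services; the proto suffix is dropped for the hints.  The
    original hints referred to ``scanip``, a name only assigned in the
    __main__ loop of the parent; it is replaced by *ip_address*, which is
    the same host.  Hint text is otherwise unchanged except that the
    ms-sql nmap line now ends with a newline so the next hint does not run
    on to it.
    """
    for serv in serv_dict:
        for port in serv_dict[serv]:
            port = port.split("/")[0]
            if "ftp" in serv:
                f.write("[*] Found FTP service on %s:%s\n" % (ip_address, port))
                f.write(" [>] Use nmap scripts for further enumeration or hydra for password attack, e.g\n")
                f.write(" [=] nmap -sV -Pn -vv -p%s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '%s/%s_ftp.nmap' -oX '%s/%s_ftp_nmap_scan_import.xml' %s\n" % (port, outputdir, ip_address, outputdir, ip_address, ip_address))
                f.write(" [=] hydra -L /usr/share/wordlists/webslayer/others/names.txt -P /usr/share/wordlists/webslayer/others/common_pass.txt -f -o %s/%s_ftphydra.txt -u %s -s %s ftp\n" % (outputdir, ip_address, ip_address, port))
            elif serv == "http":
                f.write("[*] Found HTTP service on %s:%s\n" % (ip_address, port))
                f.write(" [>] Use nikto & dirb / dirbuster for service enumeration, e.g\n")
                f.write(" [=] nikto -h %s -p %s > %s/%s_nikto.txt\n" % (ip_address, port, outputdir, ip_address))
                f.write(" [=] dirb http://%s:%s/ -o %s/%s_dirb.txt -r -S -x ./dirb-extensions/php.ext\n" % (ip_address, port, outputdir, ip_address))
                f.write(" [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r %s/%s_dirbuster.txt -u http://%s:%s/\n" % (outputdir, ip_address, ip_address, port))
            elif serv == "ssl/http" or "https" in serv:
                # NOTE(review): the dirbuster hint below still uses http://
                # on the TLS branch; kept verbatim from the original.
                f.write("[*] Found HTTP service on %s:%s\n" % (ip_address, port))
                f.write(" [>] Use nikto & dirb / dirbuster for service enumeration, e.g\n")
                f.write(" [=] nikto -h %s -p %s > %s/%s_nikto.txt\n" % (ip_address, port, outputdir, ip_address))
                f.write(" [=] dirb https://%s:%s/ -o %s/%s_dirb.txt -r -S -x ./dirb-extensions/php.ext\n" % (ip_address, port, outputdir, ip_address))
                f.write(" [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r %s/%s_dirbuster.txt -u http://%s:%s/\n" % (outputdir, ip_address, ip_address, port))
            elif "mysql" in serv:
                f.write("[*] Found mysql service on %s:%s\n" % (ip_address, port))
                f.write(" [>] Check out the server for web applications with sqli vulnerabilities\n")
            elif "microsoft-ds" in serv:
                f.write("[*] Found MS SMB service on %s:%s\n" % (ip_address, port))
                f.write(" [>] Use nmap scripts or enum4linux for further enumeration, e.g\n")
                f.write(" [=] nmap -sV -Pn -vv -p%s --script=\"smb-* -oN '%s/%s_smb.nmap' -oX '%s/%s_smb_nmap_scan_import.xml' %s\n" % (port, outputdir, ip_address, outputdir, ip_address, ip_address))
                f.write(" [=] enum4linux %s\n" % (ip_address))
            elif "ms-sql" in serv:
                f.write("[*] Found MS SQL service on %s:%s\n" % (ip_address, port))
                f.write(" [>] Use nmap scripts for further enumeration, e.g\n")
                f.write(" [=] nmap -vv -sV -Pn -p %s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=%s,smsql.username-sa,mssql.password-sa -oX %s/%s_mssql_nmap_scan_import.xml %s\n" % (port, port, outputdir, ip_address, ip_address))
            elif "msdrdp" in serv or "ms-wbt-server" in serv:
                f.write("[*] Found RDP service on %s:%s\n" % (ip_address, port))
                f.write(" [>] Use ncrackpassword cracking, e.g\n")
                f.write(" [=] ncrack -vv --user administrator -P /root/rockyou.txt rdp://%s\n" % (ip_address))
            elif "smtp" in serv:
                f.write("[*] Found SMTP service on %s:%s\n" % (ip_address, port))
                f.write(" [>] Use smtp-user-enum to find users, e.g\n")
                f.write(" [=] smtp-user-enum -M VRFY -U /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt -t %s -p %s\n" % (ip_address, port))
            elif "snmp" in serv:
                f.write("[*] Found SNMP service on %s:%s\n" % (ip_address, port))
                f.write(" [>] Use nmap scripts, onesixtyone or snmwalk for further enumeration, e.g\n")
                f.write(" [=] nmap -sV -Pn -vv -p%s --script=snmp-netstat,snmp-processes -oN '%s/%s_snmp.nmap' -oX '%s/%s_snmp_nmap_scan_import.xml' %s\n" % (port, outputdir, ip_address, outputdir, ip_address, ip_address))
                f.write(" [=] onesixtyone %s\n" % (ip_address))
                f.write(" [=] snmpwalk -c public -v1 %s > %s/%s_snmpwalk.txt\n" % (ip_address, outputdir, ip_address))
            elif "ssh" in serv:
                f.write("[*] Found SSH service on %s:%s\n" % (ip_address, port))
                f.write(" [>] Use medusa or hydra (unreliable) for password cracking, e.g\n")
                f.write(" [=] medusa -u root -P /root/rockyou.txt -e ns -h %s - %s -M ssh\n" % (ip_address, port))
                f.write(" [=] hydra -f -V -t 1 -l root -P /root/rockyou.txt -s %s %s ssh\n" % (port, ip_address))


def nmapScan(ip_address, outputdir):
    """Scan one host and write enumeration hints to <outputdir>/<ip>_findings.txt.

    Runs a quick scan, then the full TCP and top-200 UDP scans (nmap writes
    their -oN/-oX files into *outputdir*), parses the open TCP services
    from the TCP scan output and writes one hint block per port.  The UDP
    output is saved by nmap but not parsed, as in the original.  All nmap
    invocations use argument lists rather than ``shell=True``, so an
    address read from the targets file is never interpreted by a shell.
    """
    ip_address = ip_address.strip()
    outfile = outputdir + "/" + ip_address + "_findings.txt"
    print("[+] Starting quick nmap scan for %s" % (ip_address))
    quickscan = ["nmap", "-n", "-oN", "%s/%s.quick.nmap" % (outputdir, ip_address), ip_address]
    subprocess.check_output(quickscan, universal_newlines=True)
    print("[+] Starting detailed TCP/UDP nmap scans for %s" % (ip_address))
    tcpscan, udpscan = nmap_commands(ip_address, outputdir)
    results = subprocess.check_output(tcpscan, universal_newlines=True)
    subprocess.check_output(udpscan, universal_newlines=True)
    serv_dict = open_tcp_services(results)
    # The findings file is closed on every exit path (the original leaked
    # the handle if a write raised).
    with open(outfile, "w") as f:
        write_hints(f, ip_address, outputdir, serv_dict)
    print("[*] TCP/UDP Nmap scans completed for " + ip_address)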
# Banner shown before the per-host work starts. It runs at import time,
# so a worker started with the spawn method would print it again.
print("\n".join([
    "\n",
    "############################################################",
    "#### NETWORK RECONNAISSANCE ####",
    "############################################################",
    "\n",
]))
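def ensure_dir(path):
    """Create *path* (including parents) unless it is already a directory.

    Replaces five copies of ``try: os.stat(p) except: os.mkdir(p)``; the
    bare except there also swallowed unrelated errors (e.g. permission
    denied), after which mkdir failed with a less useful message.
    """
    if not os.path.isdir(path):
        os.makedirs(path)


if __name__ == '__main__':
    # One worker per host; handles are kept so the parent can wait for all
    # of them instead of dropping the list on every loop iteration.
    jobs = []
    with open(TARGETS, 'r') as f:
        if OUTDIR == '':
            OUTDIR = "./mix-recon-OUTPUT"
        ensure_dir(OUTDIR)
        for scanip in f:
            scanip = scanip.strip()
            if not scanip:
                continue
            # NOTE(review): entries are used verbatim both as directory names
            # and as nmap targets, so the targets file must be operator-written.
            print("[+] Creating directory structure for " + scanip)
            hostdir = OUTDIR + "/" + scanip
            nmapdir = hostdir + "/nmap"
            for subdir in (hostdir, nmapdir, hostdir + "/exploit", hostdir + "/loot"):
                ensure_dir(subdir)
            # Empty placeholder files the tester fills in later.
            for placeholder in (hostdir + "/proof.txt", hostdir + "/0-name"):
                open(placeholder, 'a').close()
            worker = multiprocessing.Process(target=nmapScan, args=(scanip, nmapdir))
            jobs.append(worker)
            worker.start()
    for worker in jobs:
        worker.join()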
This set of scripts is available on GitHub.



