Browse Source

Project Update / removed AutoRecon

Roman Hergenreder 2 years ago
parent
commit
3a0a75e278

+ 4 - 1
README.md

@@ -7,7 +7,6 @@ This repository contains self-made and common scripts for information gathering,
 - gobuster.sh: Performs gobuster dir scan with raft-large-words-lowercase.txt
 - ssh-check-username.py: Check if user enumeration works for ssh
 - [git-dumper.py](https://github.com/arthaud/git-dumper)
-- [autorecon.py](https://github.com/Tib3rius/AutoRecon)
 - subdomainFuzz.sh: Fuzzes subdomains for a given domain
 
 ### Enumeration: Privilege Escalation & Pivoting
@@ -27,6 +26,8 @@ Can be deployed on victim machines to scan the intranet.
 - genRevShell.py: Generates a reverse shell command (e.g. netcat, python, ...)
 - [php-reverse-shell.php](https://github.com/pentestmonkey/php-reverse-shell)
 - [p0wny-shell.php](https://github.com/flozz/p0wny-shell)
+- [aspx-reverse-shell.aspx](https://github.com/borjmz/aspx-reverse-shell)
+- jsp-webshell.jsp: webshell for Java servlets
 
 ### Miscellaneous
 - upload_file.py: Starts a local tcp server, for netcat usage
@@ -35,6 +36,7 @@ Can be deployed on victim machines to scan the intranet.
 - sql.php: Execute sql queries passed via GET/POST
 - util.py: Collection of some small functions
 - fileserver.py: Create a temporary http server serving in-memory files
+- dnsserver.py: Create a temporary dns server responding dynamically to basic DNS requests (in-memory)
 
 ### Windows
  - nc.exe/nc64.exe: netcat standalone binary
@@ -46,3 +48,4 @@ Can be deployed on victim machines to scan the intranet.
  - [SharpHound.exe](https://github.com/BloodHoundAD/SharpHound3): BloodHound Ingestor
  - [windows-exploit-suggester.py](https://github.com/AonCyberLabs/Windows-Exploit-Suggester)
  - [aspx-reverse-shell.aspx](https://github.com/borjmz/aspx-reverse-shell)
+ - [xp_cmdshell.py](https://github.com/0xalwayslucky/pentesting-tools) (thanks to @alwayslucky)

+ 0 - 885
autorecon.py

@@ -1,885 +0,0 @@
-#!/usr/bin/env python3
-#
-#    AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services.
-#
-#    This program can be redistributed and/or modified under the terms of the
-#    GNU General Public License, either version 3 of the License, or (at your
-#    option) any later version.
-#
-
-import atexit
-import argparse
-import asyncio
-import colorama
-from colorama import Fore, Style
-from concurrent.futures import ProcessPoolExecutor, as_completed, FIRST_COMPLETED
-from datetime import datetime
-import ipaddress
-import os
-import re
-import socket
-import string
-import sys
-import time
-import toml
-import termios
-import appdirs
-import shutil
-
-# Globals
-verbose = 0
-nmap = "-vv --reason -Pn"
-srvname = ""
-heartbeat_interval = 60
-port_scan_profile = None
-port_scan_profiles_config = None
-service_scans_config = None
-global_patterns = []
-username_wordlist = "/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
-password_wordlist = "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
-single_target = False
-only_scans_dir = False
-
-
-def _quit():
-    TERM_FLAGS = termios.tcgetattr(sys.stdin.fileno())
-    termios.tcsetattr(sys.stdin.fileno(), termios.TCSADRAIN, TERM_FLAGS)
-
-
-def _init():
-    global port_scan_profiles_config
-    global service_scans_config
-    global global_patterns
-
-    atexit.register(_quit)
-    appname = "AutoRecon"
-    rootdir = os.path.dirname(os.path.realpath(__file__))
-    default_config_dir = os.path.join(rootdir, "config")
-    config_dir = appdirs.user_config_dir(appname)
-    port_scan_profiles_config_file = os.path.join(config_dir, "port-scan-profiles.toml")
-    service_scans_config_file = os.path.join(config_dir, "service-scans.toml")
-    global_patterns_config_file = os.path.join(config_dir, "global-patterns.toml")
-
-    # Confirm this directory exists; if not, populate it with the default configurations
-    if not os.path.exists(config_dir):
-        os.makedirs(config_dir, exist_ok=True)
-        shutil.copy(
-            os.path.join(default_config_dir, "port-scan-profiles-default.toml"),
-            port_scan_profiles_config_file,
-        )
-        shutil.copy(
-            os.path.join(default_config_dir, "service-scans-default.toml"),
-            service_scans_config_file,
-        )
-        shutil.copy(
-            os.path.join(default_config_dir, "global-patterns-default.toml"),
-            global_patterns_config_file,
-        )
-
-
-    with open(port_scan_profiles_config_file, "r") as p:
-        try:
-            port_scan_profiles_config = toml.load(p)
-
-            if len(port_scan_profiles_config) == 0:
-                fail(
-                    "There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file."
-                )
-
-        except toml.decoder.TomlDecodeError as e:
-            fail(
-                "Error: Couldn't parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags."
-            )
-
-    with open(service_scans_config_file, "r") as c:
-        try:
-            service_scans_config = toml.load(c)
-        except toml.decoder.TomlDecodeError as e:
-            fail(
-                "Error: Couldn't parse service-scans.toml config file. Check syntax and duplicate tags."
-            )
-
-    with open(global_patterns_config_file, "r") as p:
-        try:
-            global_patterns = toml.load(p)
-            if "pattern" in global_patterns:
-                global_patterns = global_patterns["pattern"]
-            else:
-                global_patterns = []
-        except toml.decoder.TomlDecodeError as e:
-            fail(
-                "Error: Couldn't parse global-patterns.toml config file. Check syntax and duplicate tags."
-            )
-
-    if "username_wordlist" in service_scans_config:
-        if isinstance(service_scans_config["username_wordlist"], str):
-            username_wordlist = service_scans_config["username_wordlist"]
-
-    if "password_wordlist" in service_scans_config:
-        if isinstance(service_scans_config["password_wordlist"], str):
-            password_wordlist = service_scans_config["password_wordlist"]
-
-
-def e(*args, frame_index=1, **kvargs):
-    frame = sys._getframe(frame_index)
-
-    vals = {}
-
-    vals.update(frame.f_globals)
-    vals.update(frame.f_locals)
-    vals.update(kvargs)
-
-    return string.Formatter().vformat(' '.join(args), args, vals)
-
-def cprint(*args, color=Fore.RESET, char='*', sep=' ', end='\n', frame_index=1, file=sys.stdout, **kvargs):
-    frame = sys._getframe(frame_index)
-
-    vals = {
-        'bgreen':  Fore.GREEN  + Style.BRIGHT,
-        'bred':    Fore.RED    + Style.BRIGHT,
-        'bblue':   Fore.BLUE   + Style.BRIGHT,
-        'byellow': Fore.YELLOW + Style.BRIGHT,
-        'bmagenta': Fore.MAGENTA + Style.BRIGHT,
-
-        'green':  Fore.GREEN,
-        'red':    Fore.RED,
-        'blue':   Fore.BLUE,
-        'yellow': Fore.YELLOW,
-        'magenta': Fore.MAGENTA,
-
-        'bright': Style.BRIGHT,
-        'srst':   Style.NORMAL,
-        'crst':   Fore.RESET,
-        'rst':    Style.NORMAL + Fore.RESET
-    }
-
-    vals.update(frame.f_globals)
-    vals.update(frame.f_locals)
-    vals.update(kvargs)
-
-    unfmt = ''
-    if char is not None:
-        unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + sep
-    unfmt += sep.join(args)
-
-    fmted = unfmt
-
-    for attempt in range(10):
-        try:
-            fmted = string.Formatter().vformat(unfmt, args, vals)
-            break
-        except KeyError as err:
-            key = err.args[0]
-            unfmt = unfmt.replace('{' + key + '}', '{{' + key + '}}')
-
-    print(fmted, sep=sep, end=end, file=file)
-
-def debug(*args, color=Fore.BLUE, sep=' ', end='\n', file=sys.stdout, **kvargs):
-    if verbose >= 2:
-        cprint(*args, color=color, char='-', sep=sep, end=end, file=file, frame_index=2, **kvargs)
-
-def info(*args, sep=' ', end='\n', file=sys.stdout, **kvargs):
-    cprint(*args, color=Fore.GREEN, char='*', sep=sep, end=end, file=file, frame_index=2, **kvargs)
-
-def warn(*args, sep=' ', end='\n', file=sys.stderr, **kvargs):
-    cprint(*args, color=Fore.YELLOW, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs)
-
-def error(*args, sep=' ', end='\n', file=sys.stderr, **kvargs):
-    cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs)
-
-def fail(*args, sep=' ', end='\n', file=sys.stderr, **kvargs):
-    cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs)
-    exit(-1)
-
-def calculate_elapsed_time(start_time):
-    elapsed_seconds = round(time.time() - start_time)
-
-    m, s = divmod(elapsed_seconds, 60)
-    h, m = divmod(m, 60)
-
-    elapsed_time = []
-    if h == 1:
-        elapsed_time.append(str(h) + ' hour')
-    elif h > 1:
-        elapsed_time.append(str(h) + ' hours')
-
-    if m == 1:
-        elapsed_time.append(str(m) + ' minute')
-    elif m > 1:
-        elapsed_time.append(str(m) + ' minutes')
-
-    if s == 1:
-        elapsed_time.append(str(s) + ' second')
-    elif s > 1:
-        elapsed_time.append(str(s) + ' seconds')
-    else:
-        elapsed_time.append('less than a second')
-
-    return ', '.join(elapsed_time)
-
-
-async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE):
-    address = target.address
-    while True:
-        line = ""
-        try:
-            line = await stream.readline()
-        except ValueError:
-            continue
-        
-        if line:
-            line = str(line.rstrip(), 'utf8', 'ignore')
-            debug(color + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=color)
-
-            for p in global_patterns:
-                matches = re.findall(p['pattern'], line)
-                if 'description' in p:
-                    for match in matches:
-                        if verbose >= 1:
-                            info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}')
-                        async with target.lock:
-                            with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file:
-                                file.writelines(e('{tag} - ' + p['description'] + '\n\n'))
-                else:
-                    for match in matches:
-                        if verbose >= 1:
-                            info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}')
-                        async with target.lock:
-                            with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file:
-                                file.writelines(e('{tag} - Matched Pattern: {match}\n\n'))
-
-            for p in patterns:
-                matches = re.findall(p['pattern'], line)
-                if 'description' in p:
-                    for match in matches:
-                        if verbose >= 1:
-                            info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}')
-                        async with target.lock:
-                            with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file:
-                                file.writelines(e('{tag} - ' + p['description'] + '\n\n'))
-                else:
-                    for match in matches:
-                        if verbose >= 1:
-                            info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}')
-                        async with target.lock:
-                            with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file:
-                                file.writelines(e('{tag} - Matched Pattern: {match}\n\n'))
-        else:
-            break
-
-async def run_cmd(semaphore, cmd, target, tag='?', patterns=[]):
-    async with semaphore:
-        address = target.address
-        scandir = target.scandir
-
-        info('Running task {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{cmd}{rst}' if verbose >= 1 else ''))
-
-        async with target.lock:
-            with open(os.path.join(scandir, '_commands.log'), 'a') as file:
-                file.writelines(e('{cmd}\n\n'))
-
-        start_time = time.time()
-        process = await asyncio.create_subprocess_shell(cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash')
-        async with target.lock:
-            target.running_tasks.append(tag)
-
-        await asyncio.wait([
-            read_stream(process.stdout, target, tag=tag, patterns=patterns),
-            read_stream(process.stderr, target, tag=tag, patterns=patterns, color=Fore.RED)
-        ])
-
-        await process.wait()
-        async with target.lock:
-            target.running_tasks.remove(tag)
-        elapsed_time = calculate_elapsed_time(start_time)
-
-    if process.returncode != 0:
-        error('Task {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}')
-        async with target.lock:
-            with open(os.path.join(scandir, '_errors.log'), 'a') as file:
-                file.writelines(e('[*] Task {tag} returned non-zero exit code: {process.returncode}. Command: {cmd}\n'))
-    else:
-        info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully in {elapsed_time}')
-
-    return {'returncode': process.returncode, 'name': 'run_cmd'}
-
-async def parse_port_scan(stream, tag, target, pattern):
-    address = target.address
-    ports = []
-
-    while True:
-        line = await stream.readline()
-        if line:
-            line = str(line.rstrip(), 'utf8', 'ignore')
-            debug(Fore.BLUE + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=Fore.BLUE)
-
-            parse_match = re.search(pattern, line)
-            if parse_match:
-                ports.append(parse_match.group('port'))
-
-
-            for p in global_patterns:
-                matches = re.findall(p['pattern'], line)
-                if 'description' in p:
-                    for match in matches:
-                        if verbose >= 1:
-                            info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}')
-                        async with target.lock:
-                            with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file:
-                                file.writelines(e('{tag} - ' + p['description'] + '\n\n'))
-                else:
-                    for match in matches:
-                        if verbose >= 1:
-                            info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}')
-                        async with target.lock:
-                            with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file:
-                                file.writelines(e('{tag} - Matched Pattern: {match}\n\n'))
-        else:
-            break
-
-    return ports
-
-async def parse_service_detection(stream, tag, target, pattern):
-    address = target.address
-    services = []
-
-    while True:
-        line = await stream.readline()
-        if line:
-            line = str(line.rstrip(), 'utf8', 'ignore')
-            debug(Fore.BLUE + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=Fore.BLUE)
-
-            parse_match = re.search(pattern, line)
-            if parse_match:
-                services.append((parse_match.group('protocol').lower(), int(parse_match.group('port')), parse_match.group('service')))
-
-            for p in global_patterns:
-                matches = re.findall(p['pattern'], line)
-                if 'description' in p:
-                    for match in matches:
-                        if verbose >= 1:
-                            info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}' + p['description'].replace('{match}', '{bblue}{match}{crst}{bmagenta}') + '{rst}')
-                        async with target.lock:
-                            with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file:
-                                file.writelines(e('{tag} - ' + p['description'] + '\n\n'))
-                else:
-                    for match in matches:
-                        if verbose >= 1:
-                            info('Task {bgreen}{tag}{rst} on {byellow}{address}{rst} - {bmagenta}Matched Pattern: {bblue}{match}{rst}')
-                        async with target.lock:
-                            with open(os.path.join(target.scandir, '_patterns.log'), 'a') as file:
-                                file.writelines(e('{tag} - Matched Pattern: {match}\n\n'))
-        else:
-            break
-
-    return services
-
-async def run_portscan(semaphore, tag, target, service_detection, port_scan=None):
-    async with semaphore:
-
-        address = target.address
-        scandir = target.scandir
-        nmap_extra = nmap
-
-        ports = ''
-        if port_scan is not None:
-            command = e(port_scan[0])
-            pattern = port_scan[1]
-
-            info('Running port scan {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}' if verbose >= 1 else ''))
-
-            async with target.lock:
-                with open(os.path.join(scandir, '_commands.log'), 'a') as file:
-                    file.writelines(e('{command}\n\n'))
-
-            start_time = time.time()
-            process = await asyncio.create_subprocess_shell(command, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash')
-            async with target.lock:
-                target.running_tasks.append(tag)
-
-            output = [
-                parse_port_scan(process.stdout, tag, target, pattern),
-                read_stream(process.stderr, target, tag=tag, color=Fore.RED)
-            ]
-
-            results = await asyncio.gather(*output)
-
-            await process.wait()
-            async with target.lock:
-                target.running_tasks.remove(tag)
-            elapsed_time = calculate_elapsed_time(start_time)
-
-            if process.returncode != 0:
-                error('Port scan {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}')
-                async with target.lock:
-                    with open(os.path.join(scandir, '_errors.log'), 'a') as file:
-                        file.writelines(e('[*] Port scan {tag} returned non-zero exit code: {process.returncode}. Command: {command}\n'))
-                return {'returncode': process.returncode}
-            else:
-                info('Port scan {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully in {elapsed_time}')
-
-            ports = results[0]
-            if len(ports) == 0:
-                return {'returncode': -1}
-
-            ports = ','.join(ports)
-
-        command = e(service_detection[0])
-        pattern = service_detection[1]
-
-        info('Running service detection {bgreen}{tag}{rst} on {byellow}{address}{rst}' + (' with {bblue}{command}{rst}' if verbose >= 1 else ''))
-
-        async with target.lock:
-            with open(os.path.join(scandir, '_commands.log'), 'a') as file:
-                file.writelines(e('{command}\n\n'))
-
-        start_time = time.time()
-        process = await asyncio.create_subprocess_shell(command, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE, executable='/bin/bash')
-        async with target.lock:
-            target.running_tasks.append(tag)
-
-        output = [
-            parse_service_detection(process.stdout, tag, target, pattern),
-            read_stream(process.stderr, target, tag=tag, color=Fore.RED)
-        ]
-
-        results = await asyncio.gather(*output)
-
-        await process.wait()
-        async with target.lock:
-            target.running_tasks.remove(tag)
-        elapsed_time = calculate_elapsed_time(start_time)
-
-        if process.returncode != 0:
-            error('Service detection {bred}{tag}{rst} on {byellow}{address}{rst} returned non-zero exit code: {process.returncode}')
-            async with target.lock:
-                with open(os.path.join(scandir, '_errors.log'), 'a') as file:
-                    file.writelines(e('[*] Service detection {tag} returned non-zero exit code: {process.returncode}. Command: {command}\n'))
-        else:
-            info('Service detection {bgreen}{tag}{rst} on {byellow}{address}{rst} finished successfully in {elapsed_time}')
-
-        services = results[0]
-
-        return {'returncode': process.returncode, 'name': 'run_portscan', 'services': services}
-
-async def start_heartbeat(target, period=60):
-    while True:
-        await asyncio.sleep(period)
-        async with target.lock:
-            tasks = target.running_tasks
-            count = len(tasks)
-
-            tasks_list = ''
-            if verbose >= 1:
-                tasks_list = ': {bgreen}' + ', '.join(tasks) + '{rst}'
-
-            current_time = datetime.now().strftime('%H:%M:%S')
-
-            if count > 1:
-                info('{bgreen}[{current_time}]{rst} - There are {byellow}{count}{rst} tasks still running on {byellow}{target.address}{rst}' + tasks_list)
-            elif count == 1:
-                info('{bgreen}[{current_time}]{rst} - There is {byellow}1{rst} task still running on {byellow}{target.address}{rst}' + tasks_list)
-
-async def scan_services(loop, semaphore, target):
-    address = target.address
-    scandir = target.scandir
-    pending = []
-
-    heartbeat = loop.create_task(start_heartbeat(target, period=heartbeat_interval))
-
-    for profile in port_scan_profiles_config:
-        if profile == port_scan_profile:
-            for scan in port_scan_profiles_config[profile]:
-                service_detection = (port_scan_profiles_config[profile][scan]['service-detection']['command'], port_scan_profiles_config[profile][scan]['service-detection']['pattern'])
-                if 'port-scan' in port_scan_profiles_config[profile][scan]:
-                    port_scan = (port_scan_profiles_config[profile][scan]['port-scan']['command'], port_scan_profiles_config[profile][scan]['port-scan']['pattern'])
-                    pending.append(run_portscan(semaphore, scan, target, service_detection, port_scan))
-                else:
-                    pending.append(run_portscan(semaphore, scan, target, service_detection))
-            break
-
-    services = []
-
-    while True:
-        if not pending:
-            heartbeat.cancel()
-            break
-
-        done, pending = await asyncio.wait(pending, return_when=FIRST_COMPLETED)
-
-        for task in done:
-            result = task.result()
-
-            if result['returncode'] == 0:
-                if result['name'] == 'run_portscan':
-                    for service_tuple in result['services']:
-                        if service_tuple not in services:
-                            services.append(service_tuple)
-                        else:
-                            continue
-
-                        protocol = service_tuple[0]
-                        port = service_tuple[1]
-                        service = service_tuple[2]
-
-                        info('Found {bmagenta}{service}{rst} on {bmagenta}{protocol}/{port}{rst} on target {byellow}{address}{rst}')
-
-                        if not only_scans_dir:
-                            with open(os.path.join(target.reportdir, 'notes.txt'), 'a') as file:
-                                file.writelines(e('[*] {service} found on {protocol}/{port}.\n\n\n\n'))
-
-                        if protocol == 'udp':
-                            nmap_extra = nmap + " -sU"
-                        else:
-                            nmap_extra = nmap
-
-                        secure = True if 'ssl' in service or 'tls' in service else False
-
-                        # Special cases for HTTP.
-                        scheme = 'https' if 'https' in service or 'ssl' in service or 'tls' in service else 'http'
-
-                        if service.startswith('ssl/') or service.startswith('tls/'):
-                            service = service[4:]
-
-                        for service_scan in service_scans_config:
-                            # Skip over configurable variables since the python toml parser cannot iterate over tables only.
-                            if service_scan in ['username_wordlist', 'password_wordlist']:
-                                continue
-
-                            ignore_service = False
-                            if 'ignore-service-names' in service_scans_config[service_scan]:
-                                for ignore_service_name in service_scans_config[service_scan]['ignore-service-names']:
-                                    if re.search(ignore_service_name, service):
-                                        ignore_service = True
-                                        break
-
-                            if ignore_service:
-                                continue
-
-                            matched_service = False
-
-                            if 'service-names' in service_scans_config[service_scan]:
-                                for service_name in service_scans_config[service_scan]['service-names']:
-                                    if re.search(service_name, service):
-                                        matched_service = True
-                                        break
-
-                            if not matched_service:
-                                continue
-
-                            if 'manual' in service_scans_config[service_scan]:
-                                heading = False
-                                with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file:
-                                    for manual in service_scans_config[service_scan]['manual']:
-                                        if 'description' in manual:
-                                            if not heading:
-                                                file.writelines(e('[*] {service} on {protocol}/{port}\n\n'))
-                                                heading = True
-                                            description = manual['description']
-                                            file.writelines(e('\t[-] {description}\n\n'))
-                                        if 'commands' in manual:
-                                            if not heading:
-                                                file.writelines(e('[*] {service} on {protocol}/{port}\n\n'))
-                                                heading = True
-                                            for manual_command in manual['commands']:
-                                                manual_command = e(manual_command)
-                                                file.writelines('\t\t' + e('{manual_command}\n\n'))
-                                    if heading:
-                                        file.writelines('\n')
-
-                            if 'scan' in service_scans_config[service_scan]:
-                                for scan in service_scans_config[service_scan]['scan']:
-
-                                    if 'name' in scan:
-                                        name = scan['name']
-                                        if 'command' in scan:
-                                            tag = e('{protocol}/{port}/{name}')
-                                            command = scan['command']
-
-                                            if 'ports' in scan:
-                                                port_match = False
-
-                                                if protocol == 'tcp':
-                                                    if 'tcp' in scan['ports']:
-                                                        for tcp_port in scan['ports']['tcp']:
-                                                            if port == tcp_port:
-                                                                port_match = True
-                                                                break
-                                                elif protocol == 'udp':
-                                                    if 'udp' in scan['ports']:
-                                                        for udp_port in scan['ports']['udp']:
-                                                            if port == udp_port:
-                                                                port_match = True
-                                                                break
-
-                                                if port_match == False:
-                                                    warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + Style.NORMAL + '] Scan cannot be run against {protocol} port {port}. Skipping.' + Fore.RESET)
-                                                    continue
-
-                                            if 'run_once' in scan and scan['run_once'] == True:
-                                                scan_tuple = (name,)
-                                                if scan_tuple in target.scans:
-                                                    warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + ' on ' + address + Style.NORMAL + '] Scan should only be run once and it appears to have already been queued. Skipping.' + Fore.RESET)
-                                                    continue
-                                                else:
-                                                    target.scans.append(scan_tuple)
-                                            else:
-                                                scan_tuple = (protocol, port, service, name)
-                                                if scan_tuple in target.scans:
-                                                    warn(Fore.YELLOW + '[' + Style.BRIGHT + tag + ' on ' + address + Style.NORMAL + '] Scan appears to have already been queued, but it is not marked as run_once in service-scans.toml. Possible duplicate tag? Skipping.' + Fore.RESET)
-                                                    continue
-                                                else:
-                                                    target.scans.append(scan_tuple)
-
-                                            patterns = []
-                                            if 'pattern' in scan:
-                                                patterns = scan['pattern']
-
-                                            pending.add(asyncio.ensure_future(run_cmd(semaphore, e(command), target, tag=tag, patterns=patterns)))
-
-def scan_host(target, concurrent_scans, outdir):
-    start_time = time.time()
-    info('Scanning target {byellow}{target.address}{rst}')
-
-    if single_target:
-        basedir = os.path.abspath(outdir)
-    else:
-        basedir = os.path.abspath(os.path.join(outdir, target.address + srvname))
-    target.basedir = basedir
-    os.makedirs(basedir, exist_ok=True)
-
-    if not only_scans_dir:
-        exploitdir = os.path.abspath(os.path.join(basedir, 'exploit'))
-        os.makedirs(exploitdir, exist_ok=True)
-
-        lootdir = os.path.abspath(os.path.join(basedir, 'loot'))
-        os.makedirs(lootdir, exist_ok=True)
-
-        reportdir = os.path.abspath(os.path.join(basedir, 'report'))
-        target.reportdir = reportdir
-        os.makedirs(reportdir, exist_ok=True)
-
-        open(os.path.abspath(os.path.join(reportdir, 'local.txt')), 'a').close()
-        open(os.path.abspath(os.path.join(reportdir, 'proof.txt')), 'a').close()
-
-        screenshotdir = os.path.abspath(os.path.join(reportdir, 'screenshots'))
-        os.makedirs(screenshotdir, exist_ok=True)
-
-    scandir = os.path.abspath(os.path.join(basedir, 'scans'))
-    target.scandir = scandir
-    os.makedirs(scandir, exist_ok=True)
-
-    os.makedirs(os.path.abspath(os.path.join(scandir, 'xml')), exist_ok=True)
-
-    # Use a lock when writing to specific files that may be written to by other asynchronous functions.
-    target.lock = asyncio.Lock()
-
-    # Get event loop for current process.
-    loop = asyncio.get_event_loop()
-
-    # Create a semaphore to limit number of concurrent scans.
-    semaphore = asyncio.Semaphore(concurrent_scans)
-
-    try:
-        loop.run_until_complete(scan_services(loop, semaphore, target))
-        elapsed_time = calculate_elapsed_time(start_time)
-        info('Finished scanning target {byellow}{target.address}{rst} in {elapsed_time}')
-    except KeyboardInterrupt:
-        sys.exit(1)
-
-class Target:
-    def __init__(self, address):
-        self.address = address
-        self.basedir = ''
-        self.reportdir = ''
-        self.scandir = ''
-        self.scans = []
-        self.lock = None
-        self.running_tasks = []
-
-
-
-def main():
-    global single_target
-    global only_scans_dir
-    global port_scan_profile
-    global heartbeat_interval
-    global nmap
-    global srvname
-    global verbose
-
-    _init()
-    parser = argparse.ArgumentParser(description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.')
-    parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs="*")
-    parser.add_argument('-t', '--targets', action='store', type=str, default='', dest='target_file', help='Read targets from file.')
-    parser.add_argument('-ct', '--concurrent-targets', action='store', metavar='<number>', type=int, default=5, help='The maximum number of target hosts to scan concurrently. Default: %(default)s')
-    parser.add_argument('-cs', '--concurrent-scans', action='store', metavar='<number>', type=int, default=10, help='The maximum number of scans to perform per target host. Default: %(default)s')
-    parser.add_argument('--profile', action='store', default='default', dest='profile_name', help='The port scanning profile to use (defined in port-scan-profiles.toml). Default: %(default)s')
-    parser.add_argument('-o', '--output', action='store', default='results', dest='output_dir', help='The output directory for results. Default: %(default)s')
-    parser.add_argument('--single-target', action='store_true', default=False, help='Only scan a single target. A directory named after the target will not be created. Instead, the directory structure will be created within the output directory. Default: false')
-    parser.add_argument('--only-scans-dir', action='store_true', default=False, help='Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report) will not be created. Default: false')
-    parser.add_argument('--heartbeat', action='store', type=int, default=60, help='Specifies the heartbeat interval (in seconds) for task status messages. Default: %(default)s')
-    nmap_group = parser.add_mutually_exclusive_group()
-    nmap_group.add_argument('--nmap', action='store', default='-vv --reason -Pn', help='Override the {nmap_extra} variable in scans. Default: %(default)s')
-    nmap_group.add_argument('--nmap-append', action='store', default='', help='Append to the default {nmap_extra} variable in scans.')
-    parser.add_argument('-v', '--verbose', action='count', default=0, help='Enable verbose output. Repeat for more verbosity.')
-    parser.add_argument('--disable-sanity-checks', action='store_true', default=False, help='Disable sanity checks that would otherwise prevent the scans from running. Default: false')
-    parser.error = lambda s: fail(s[0].upper() + s[1:])
-    args = parser.parse_args()
-
-    single_target = args.single_target
-    only_scans_dir = args.only_scans_dir
-
-    errors = False
-
-    if args.concurrent_targets <= 0:
-        error('Argument -ch/--concurrent-targets: must be at least 1.')
-        errors = True
-
-    concurrent_scans = args.concurrent_scans
-
-    if concurrent_scans <= 0:
-        error('Argument -ct/--concurrent-scans: must be at least 1.')
-        errors = True
-
-    port_scan_profile = args.profile_name
-
-    found_scan_profile = False
-    for profile in port_scan_profiles_config:
-        if profile == port_scan_profile:
-            found_scan_profile = True
-            for scan in port_scan_profiles_config[profile]:
-                if 'service-detection' not in port_scan_profiles_config[profile][scan]:
-                    error('The {profile}.{scan} scan does not have a defined service-detection section. Every scan must at least have a service-detection section defined with a command and a corresponding pattern that extracts the protocol (TCP/UDP), port, and service from the result.')
-                    errors = True
-                else:
-                    if 'command' not in port_scan_profiles_config[profile][scan]['service-detection']:
-                        error('The {profile}.{scan}.service-detection section does not have a command defined. Every service-detection section must have a command and a corresponding pattern that extracts the protocol (TCP/UDP), port, and service from the results.')
-                        errors = True
-                    else:
-                        if '{ports}' in port_scan_profiles_config[profile][scan]['service-detection']['command'] and 'port-scan' not in port_scan_profiles_config[profile][scan]:
-                            error('The {profile}.{scan}.service-detection command appears to reference a port list but there is no port-scan section defined in {profile}.{scan}. Define a port-scan section with a command and corresponding pattern that extracts port numbers from the result, or replace the reference with a static list of ports.')
-                            errors = True
-
-                    if 'pattern' not in port_scan_profiles_config[profile][scan]['service-detection']:
-                        error('The {profile}.{scan}.service-detection section does not have a pattern defined. Every service-detection section must have a command and a corresponding pattern that extracts the protocol (TCP/UDP), port, and service from the results.')
-                        errors = True
-                    else:
-                        if not all(x in port_scan_profiles_config[profile][scan]['service-detection']['pattern'] for x in ['(?P<port>', '(?P<protocol>', '(?P<service>']):
-                            error('The {profile}.{scan}.service-detection pattern does not contain one or more of the following matching groups: port, protocol, service. Ensure that all three of these matching groups are defined and capture the relevant data, e.g. (?P<port>\d+)')
-                            errors = True
-
-                if 'port-scan' in port_scan_profiles_config[profile][scan]:
-                    if 'command' not in port_scan_profiles_config[profile][scan]['port-scan']:
-                        error('The {profile}.{scan}.port-scan section does not have a command defined. Every port-scan section must have a command and a corresponding pattern that extracts the port from the results.')
-                        errors = True
-
-                    if 'pattern' not in port_scan_profiles_config[profile][scan]['port-scan']:
-                        error('The {profile}.{scan}.port-scan section does not have a pattern defined. Every port-scan section must have a command and a corresponding pattern that extracts the port from the results.')
-                        errors = True
-                    else:
-                        if '(?P<port>' not in port_scan_profiles_config[profile][scan]['port-scan']['pattern']:
-                            error('The {profile}.{scan}.port-scan pattern does not contain a port matching group. Ensure that the port matching group is defined and captures the relevant data, e.g. (?P<port>\d+)')
-                            errors = True
-            break
-
-    if not found_scan_profile:
-        error('Argument --profile: must reference a port scan profile defined in {port_scan_profiles_config_file}. No such profile found: {port_scan_profile}')
-        errors = True
-
-    heartbeat_interval = args.heartbeat
-
-    nmap = args.nmap
-    if args.nmap_append:
-        nmap += " " + args.nmap_append
-
-    outdir = args.output_dir
-    srvname = ''
-    verbose = args.verbose
-
-    raw_targets = args.targets
-    targets = []
-
-    if len(args.target_file) > 0:
-        if not os.path.isfile(args.target_file):
-            error('The target file {args.target_file} was not found.')
-            sys.exit(1)
-        try:
-            with open(args.target_file, 'r') as f:
-                lines = f.read()
-                for line in lines.splitlines():
-                    line = line.strip()
-                    if line.startswith('#') or len(line) == 0: continue
-                    if line not in raw_targets:
-                        raw_targets.append(line)
-        except OSError:
-            error('The target file {args.target_file} could not be read.')
-            sys.exit(1)
-
-    for target in raw_targets:
-        try:
-            ip = str(ipaddress.ip_address(target))
-
-            if ip not in targets:
-                targets.append(ip)
-        except ValueError:
-
-            try:
-                target_range = ipaddress.ip_network(target, strict=False)
-                if not args.disable_sanity_checks and target_range.num_addresses > 256:
-                    error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.')
-                    errors = True
-                else:
-                    for ip in target_range.hosts():
-                        ip = str(ip)
-                        if ip not in targets:
-                            targets.append(ip)
-            except ValueError:
-
-                try:
-                    ip = socket.gethostbyname(target)
-
-                    if target not in targets:
-                        targets.append(target)
-                except socket.gaierror:
-                    error(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.')
-                    errors = True
-
-    if len(targets) == 0:
-        error('You must specify at least one target to scan!')
-        errors = True
-
-    if single_target and len(targets) != 1:
-        error('You cannot provide more than one target when scanning in single-target mode.')
-        sys.exit(1)
-
-    if not args.disable_sanity_checks and len(targets) > 256:
-        error('A total of ' + str(len(targets)) + ' targets would be scanned. If this is correct, re-run with the --disable-sanity-checks option to suppress this check.')
-        errors = True
-
-    if errors:
-        sys.exit(1)
-
-    with ProcessPoolExecutor(max_workers=args.concurrent_targets) as executor:
-        start_time = time.time()
-        futures = []
-
-        for address in targets:
-            target = Target(address)
-            futures.append(executor.submit(scan_host, target, concurrent_scans, outdir))
-
-        try:
-            for future in as_completed(futures):
-                future.result()
-        except KeyboardInterrupt:
-            for future in futures:
-                future.cancel()
-            executor.shutdown(wait=False)
-            sys.exit(1)
-
-        elapsed_time = calculate_elapsed_time(start_time)
-        info('{bgreen}Finished scanning all targets in {elapsed_time}!{rst}')
-
-
-if __name__ == '__main__':
-    main()

+ 0 - 8
autorecon_config/global-patterns.toml

@@ -1,8 +0,0 @@
-# Patterns defined in this file will be checked against every line of output (e.g. port scans and service scans)
-
-[[pattern]]
-description = 'Nmap script found a potential vulnerability. ({match})'
-pattern = 'State: (?:(?:LIKELY\_?)?VULNERABLE)'
-
-[[pattern]]
-pattern = '(?i)unauthorized'

+ 0 - 45
autorecon_config/port-scan-profiles.toml

@@ -1,45 +0,0 @@
-[default]
-
-    [default.nmap-quick]
-
-        [default.nmap-quick.service-detection]
-        command = 'nmap {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
-        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
-
-    [default.nmap-full-tcp]
-
-        [default.nmap-full-tcp.service-detection]
-        command = 'nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}'
-        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
-
-    [default.nmap-top-20-udp]
-
-        [default.nmap-top-20-udp.service-detection]
-        command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
-        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
-
-[quick]
-
-    [quick.nmap-quick]
-
-        [quick.nmap-quick.service-detection]
-        command = 'nmap {nmap_extra} -sV --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}'
-        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
-
-    [quick.nmap-top-20-udp]
-
-        [quick.nmap-top-20-udp.service-detection]
-        command = 'nmap {nmap_extra} -sU -A --top-ports=20 --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
-        pattern = '^(?P<port>\d+)\/(?P<protocol>(tcp|udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'
-
-[udp]
-
-    [udp.udp-top-20]
-
-        [udp.udp-top-20.port-scan]
-        command = 'unicornscan -mU -p 631,161,137,123,138,1434,445,135,67,53,139,500,68,520,1900,4500,514,49152,162,69 {address} 2>&1 | tee "{scandir}/_top_20_udp_unicornscan.txt"'
-        pattern = '^UDP open\s*[\w-]+\[\s*(?P<port>\d+)\].*$'
-
-        [udp.udp-top-20.service-detection]
-        command = 'nmap {nmap_extra} -sU -A -p {ports} --version-all -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}'
-        pattern = '^(?P<port>\d+)\/(?P<protocol>(udp))(.*)open(\s*)(?P<service>[\w\-\/]+)(\s*)(.*)$'

+ 0 - 586
autorecon_config/service-scans.toml

@@ -1,586 +0,0 @@
-# Configurable Variables
-username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt'
-password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
-
-[all-services] # Define scans here that you want to run against all services.
-
-service-names = [
-    '.+'
-]
-
-    [[all-services.scan]]
-    name = 'sslscan'
-    command = 'if [ "{secure}" == "True" ]; then sslscan --show-certificate --no-colour {address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_sslscan.txt"; fi'
-
-[cassandra]
-
-service-names = [
-    '^apani1'
-]
-
-    [[cassandra.scan]]
-    name = 'nmap-cassandra'
-    command = 'nmap {nmap_extra} -sV  -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}'
-
-[cups]
-
-service-names = [
-    '^ipp'
-]
-
-    [[cups.scan]]
-    name = 'nmap-cups'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}'
-
-[distcc]
-
-service-names = [
-    '^distccd'
-]
-
-    [[distcc.scan]]
-    name = 'nmap-distcc'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}'
-
-[dns]
-
-service-names = [
-    '^domain'
-]
-
-    [[dns.scan]]
-    name = 'nmap-dns'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}'
-
-[finger]
-
-service-names = [
-    '^finger'
-]
-
-    [[finger.scan]]
-    name = 'nmap-finger'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}'
-
-[ftp]
-
-service-names = [
-    '^ftp',
-    '^ftp\-data'
-]
-
-    [[ftp.scan]]
-    name = 'nmap-ftp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}'
-
-        [[ftp.scan.pattern]]
-        description = 'Anonymous FTP Enabled!'
-        pattern = 'Anonymous FTP login allowed'
-
-    [[ftp.manual]]
-    description = 'Bruteforce logins:'
-    commands = [
-        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
-        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}'
-    ]
-
-[http]
-
-service-names = [
-    '^http',
-]
-
-ignore-service-names = [
-    '^nacn_http$'
-]
-
-    [[http.scan]]
-    name = 'nmap-http'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{scheme}_nmap.xml" {address}'
-
-        [[http.scan.pattern]]
-        description = 'Identified HTTP Server: {match}'
-        pattern = 'Server: ([^\n]+)'
-
-        [[http.scan.pattern]]
-        description = 'WebDAV is enabled'
-        pattern = 'WebDAV is ENABLED'
-
-    [[http.scan]]
-    name = 'curl-index'
-    command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_index.html"'
-
-        [[http.scan.pattern]]
-        pattern = '(?i)Powered by [^\n]+'
-
-    [[http.scan]]
-    name = 'curl-robots'
-    command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_robots.txt"'
-
-    [[http.scan]]
-    name = 'wkhtmltoimage'
-    command = 'if hash wkhtmltoimage 2> /dev/null; then wkhtmltoimage --format png {scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{scheme}_screenshot.png; fi'
-
-    [[http.scan]]
-    name = 'whatweb'
-    command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'
-
-    [[http.scan]]
-    name = 'feroxbuster'
-    command = 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster.txt'
-
-    [[http.manual]]
-    description = '(nikto) old but generally reliable web server enumeration tool'
-    commands = [
-        'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"'
-    ]
-
-    [[http.manual]]
-    description = '(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
-    commands = [
-        'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_big.txt',
-        'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_dirbuster.txt'
-    ]
-
-    [[http.manual]]
-    description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
-    commands = [
-        'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_big.txt"',
-        'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"'
-    ]
-
-    [[http.manual]]
-    description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists (same as dirsearch above):'
-    commands = [
-        'dirb {scheme}://{address}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{scheme}_dirb_big.txt"',
-        'dirb {scheme}://{address}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{scheme}_dirb_dirbuster.txt"'
-    ]
-
-    [[http.manual]]
-    description = '(gobuster v3) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
-    commands = [
-        'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
-        'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
-    ]
-
-    [[http.manual]]
-    description = '(gobuster v1 & v2) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
-    commands = [
-        'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
-        'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
-    ]
-
-    [[http.manual]]
-    description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):'
-    commands = [
-        'wpscan --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_wpscan.txt"'
-    ]
-
-    [[http.manual]]
-    description = "Credential bruteforcing commands (don't run these without modifying them):"
-    commands = [
-        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area',
-        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area',
-        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message',
-        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"',
-    ]
-
-[imap]
-
-service-names = [
-    '^imap'
-]
-
-    [[imap.scan]]
-    name = 'nmap-imap'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}'
-
-[kerberos]
-
-service-names = [
-    '^kerberos',
-    '^kpasswd'
-]
-
-    [[kerberos.scan]]
-    name = 'nmap-kerberos'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}'
-
-[ldap]
-
-service-names = [
-    '^ldap'
-]
-
-    [[ldap.scan]]
-    name = 'nmap-ldap'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}'
-
-    [[ldap.scan]]
-    name = 'enum4linux'
-    command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
-    run_once = true
-    ports.tcp = [139, 389, 445]
-    ports.udp = [137]
-
-    [[ldap.manual]]
-    description = 'ldapsearch command (modify before running)'
-    commands = [
-        'ldapsearch -x -D "<username>" -w "<password>"" -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*) 2>&1 | tee > "{scandir}/{protocol}_{port}_ldap_all-entries.txt"'
-    ]
-
-[mongodb]
-
-service-names = [
-    '^mongod'
-]
-
-    [[mongodb.scan]]
-    name = 'nmap-mongodb'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}'
-
-[mssql]
-
-service-names = [
-    '^mssql',
-    '^ms\-sql'
-]
-
-    [[mssql.scan]]
-    name = 'nmap-mssql'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}'
-
-    [[mssql.manual]]
-    description = '(sqsh) interactive database shell'
-    commands = [
-        'sqsh -U <username> -P <password> -S {address}:{port}'
-    ]
-
-[mysql]
-
-service-names = [
-    '^mysql'
-]
-
-    [[mysql.scan]]
-    name = 'nmap-mysql'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}'
-
-[nfs]
-
-service-names = [
-    '^nfs',
-    '^rpcbind'
-]
-
-    [[nfs.scan]]
-    name = 'nmap-nfs'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}'
-
-    [[nfs.scan]]
-    name = 'showmount'
-    command = 'showmount -e {address} 2>&1 | tee "{scandir}/{protocol}_{port}_showmount.txt"'
-
-[nntp]
-
-service-names = [
-    '^nntp'
-]
-
-    [[nntp.scan]]
-    name = 'nmap-nntp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}'
-
-[oracle]
-
-service-names = [
-    '^oracle'
-]
-
-    [[oracle.scan]]
-    name = 'nmap-oracle'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}'
-
-    [[oracle.scan]]
-    name = 'oracle-tnscmd-ping'
-    command = 'tnscmd10g ping -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_ping.txt"'
-
-    [[oracle.scan]]
-    name = 'oracle-tnscmd-version'
-    command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"'
-
-    [[oracle.scan]]
-    name = 'oracle-tnscmd-version'
-    command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"'
-
-    [[oracle.scan]]
-    name = 'oracle-scanner'
-    command = 'oscanner -v -s {address} -P {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_scanner.txt"'
-
-    [[oracle.manual]]
-    description = 'Brute-force SIDs using Nmap'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}'
-
-    [[oracle.manual]]
-    description = 'Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:'
-    commands = [
-        'python odat.py tnscmd -s {address} -p {port} --ping',
-        'python odat.py tnscmd -s {address} -p {port} --version',
-        'python odat.py tnscmd -s {address} -p {port} --status',
-        'python odat.py sidguesser -s {address} -p {port}',
-        'python odat.py passwordguesser -s {address} -p {port} -d <sid> --accounts-file accounts/accounts_multiple.txt',
-        'python odat.py tnspoison -s {address} -p {port} -d <sid> --test-module'
-    ]
-
-    [[oracle.manual]]
-    description = 'Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:'
-    commands = [
-        'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000'
-    ]
-
-[pop3]
-
-service-names = [
-    '^pop3'
-]
-
-    [[pop3.scan]]
-    name = 'nmap-pop3'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}'
-
-[rdp]
-
-service-names = [
-    '^rdp',
-    '^ms\-wbt\-server',
-    '^ms\-term\-serv'
-]
-
-    [[rdp.scan]]
-    name = 'nmap-rdp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}'
-
-    [[rdp.manual]]
-    description = 'Bruteforce logins:'
-    commands = [
-        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}',
-        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}'
-    ]
-
-[rmi]
-
-service-names = [
-    '^java\-rmi',
-    '^rmiregistry'
-]
-
-    [[rmi.scan]]
-    name = 'nmap-rmi'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}'
-
-[rpc]
-
-service-names = [
-    '^msrpc',
-    '^rpcbind',
-    '^erpc'
-]
-
-    [[rpc.scan]]
-    name = 'nmap-msrpc'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}'
-
-    [[rpc.manual]]
-    description = 'RPC Client:'
-    commands = [
-        'rpcclient -p {port} -U "" {address}'
-    ]
-
-[sip]
-
-service-names = [
-    '^asterisk'
-]
-
-    [[sip.scan]]
-    name = 'nmap-sip'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}'
-
-    [[sip.scan]]
-    name = 'svwar'
-    command = 'svwar -D -m INVITE -p {port} {address}'
-
-[ssh]
-
-service-names = [
-    '^ssh'
-]
-
-    [[ssh.scan]]
-    name = 'nmap-ssh'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}'
-
-    [[ssh.manual]]
-    description = 'Bruteforce logins:'
-    commands = [
-        'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}',
-        'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}'
-    ]
-[smb]
-
-service-names = [
-    '^smb',
-    '^microsoft\-ds',
-    '^netbios'
-]
-
-    [[smb.scan]]
-    name = 'nmap-smb'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}'
-
-    [[smb.scan]]
-    name = 'enum4linux'
-    command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
-    run_once = true
-    ports.tcp = [139, 389, 445]
-    ports.udp = [137]
-
-    [[smb.scan]]
-    name = 'nbtscan'
-    command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"'
-    run_once = true
-    ports.udp = [137]
-
-    [[smb.scan]]
-    name = 'smbclient'
-    command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"'
-    run_once = true
-    ports.tcp = [139, 445]
-
-    [[smb.scan]]
-    name = 'smbmap-share-permissions'
-    command = 'smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"'
-
-    [[smb.scan]]
-    name = 'smbmap-list-contents'
-    command = 'smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"'
-
-    [[smb.scan]]
-    name = 'smbmap-execute-command'
-    command = 'smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"'
-
-    [[smb.manual]]
-    description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
-    commands = [
-        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
-        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
-        'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
-    ]
-
-[smtp]
-
-service-names = [
-    '^smtp'
-]
-
-    [[smtp.scan]]
-    name = 'nmap-smtp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}'
-
-    [[smtp.scan]]
-    name = 'smtp-user-enum'
-    command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_smtp_user-enum.txt"'
-
-[snmp]
-
-service-names = [
-    '^snmp'
-]
-
-    [[snmp.scan]]
-    name = 'nmap-snmp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}'
-
-    [[snmp.scan]]
-    name = 'onesixtyone'
-    command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt -dd {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_onesixtyone.txt"'
-    run_once = true
-    ports.udp = [161]
-
-    [[snmp.scan]]
-    name = 'snmpwalk'
-    command = 'snmpwalk -c public -v 1 {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk.txt"'
-    run_once = true
-    ports.udp = [161]
-
-    [[snmp.scan]]
-    name = 'snmpwalk-system-processes'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_system_processes.txt"'
-    run_once = true
-    ports.udp = [161]
-
-    [[snmp.scan]]
-    name = 'snmpwalk-running-processes'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt"'
-    run_once = true
-    ports.udp = [161]
-
-    [[snmp.scan]]
-    name = 'snmpwalk-process-paths'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_process_paths.txt"'
-    run_once = true
-    ports.udp = [161]
-
-    [[snmp.scan]]
-    name = 'snmpwalk-storage-units'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_storage_units.txt"'
-    run_once = true
-    ports.udp = [161]
-
-    [[snmp.scan]]
-    name = 'snmpwalk-software-names'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_software_names.txt"'
-    run_once = true
-    ports.udp = [161]
-
-    [[snmp.scan]]
-    name = 'snmpwalk-user-accounts'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"'
-    run_once = true
-    ports.udp = [161]
-
-    [[snmp.scan]]
-    name = 'snmpwalk-tcp-ports'
-    command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"'
-    run_once = true
-    ports.udp = [161]
-
-[telnet]
-
-service-names = [
-    '^telnet'
-]
-
-    [[telnet.scan]]
-    name = 'nmap-telnet'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}'
-
-[tftp]
-
-service-names = [
-    '^tftp'
-]
-
-    [[tftp.scan]]
-    name = 'nmap-tftp'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}'
-
-[vnc]
-
-service-names = [
-    '^vnc'
-]
-
-    [[vnc.scan]]
-    name = 'nmap-vnc'
-    command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}'

File diff suppressed because it is too large
+ 191 - 153
linpeas.sh


+ 26 - 0
linux-exploit-suggester.sh

@@ -904,6 +904,32 @@ author: GRIMM
 EOF
 )
 
+EXPLOITS[((n++))]=$(cat <<EOF
+Name: ${txtgrn}[CVE-2021-3490]${txtrst} eBPF ALU32 bounds tracking for bitwise ops
+Reqs: pkg=linux-kernel,ver>=5.7,ver<5.12,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
+Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
+Rank: 5
+analysis-url: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
+src-url: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
+Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
+author: chompie1337
+EOF
+)
+
+EXPLOITS[((n++))]=$(cat <<EOF
+Name: ${txtgrn}[CVE-2021-22555]${txtrst} Netfilter heap out-of-bounds write
+Reqs: pkg=linux-kernel,ver>=2.6.19,ver<=5.12-rc6
+Tags: ubuntu=20.04{kernel:5.8.0-*}
+Rank: 1
+analysis-url: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
+src-url: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
+ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
+Comments: ip_tables kernel module must be loaded
+exploit-db: 50135
+author: theflow (orginal exploit author); bcoles (author of exploit update at 'ext-url')
+EOF
+)
+
 ############ USERSPACE EXPLOITS ###########################
 n=0
 

+ 71 - 4
lse.sh

@@ -5,7 +5,7 @@
 # Author: Diego Blanco <diego.blanco@treitos.com>
 # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
 #
-lse_version="3.3"
+lse_version="3.7"
 
 #( Colors
 #
@@ -87,7 +87,7 @@ lse_procmon_data=`mktemp`
 lse_procmon_lock=`mktemp`
 
 # printf
-printf "$reset" | grep -q '\\' && alias printf="env printf"
+printf "%s" "$reset" | grep -q '\\' && alias printf="env printf"
 
 # internal data
 lse_common_setuid="
@@ -126,7 +126,9 @@ lse_common_setuid="
 /usr/bin/newuidmap
 /usr/bin/passwd
 /usr/bin/pkexec
+/usr/bin/pmount
 /usr/bin/procmail
+/usr/bin/pumount
 /usr/bin/staprun
 /usr/bin/su
 /usr/bin/sudo
@@ -148,13 +150,17 @@ lse_common_setuid="
 /usr/lib/xorg/Xorg.wrap
 /usr/libexec/Xorg.wrap
 /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
+/usr/libexec/cockpit-session
 /usr/libexec/dbus-1/dbus-daemon-launch-helper
 /usr/libexec/gstreamer-1.0/gst-ptp-helper
 /usr/libexec/openssh/ssh-keysign
 /usr/libexec/polkit-1/polkit-agent-helper-1
+/usr/libexec/polkit-agent-helper-1
 /usr/libexec/pt_chown
 /usr/libexec/qemu-bridge-helper
+/usr/libexec/spice-client-glib-usb-acl-helper
 /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper
+/usr/local/share/panasonic/printer/bin/L_H0JDUCZAZ
 /usr/sbin/exim4
 /usr/sbin/grub2-set-bootflag
 /usr/sbin/mount.nfs
@@ -170,7 +176,7 @@ lse_common_setuid="
 "
 #regex rules for common setuid
 lse_common_setuid="$lse_common_setuid
-/snap/core/.*
+/snap/core.*
 /var/tmp/mkinitramfs.*
 "
 #critical writable files
@@ -798,6 +804,16 @@ lse_run_tests_filesystem() {
     "Are there possible credentials in any shell history file?" \
     'for h in .bash_history .history .histfile .zhistory; do [ -f "$lse_home/$h" ] && grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials)[=: ][a-z0-9]+" "$lse_home/$h"; done'
 
+  #nfs exports with no_root_squash
+  lse_test "fst210" "0" \
+    "Are there NFS exports with 'no_root_squash' option?" \
+    'grep $lse_grep_opts "no_root_squash" /etc/exports'
+
+  #nfs exports with no_all_squash
+  lse_test "fst220" "1" \
+    "Are there NFS exports with 'no_all_squash' option?" \
+    'grep $lse_grep_opts "no_all_squash" /etc/exports'
+
   #files owned by user
   lse_test "fst500" "2" \
     "Files owned by user '$lse_user'" \
@@ -816,7 +832,7 @@ lse_run_tests_filesystem() {
   #list nfs shares
   lse_test "fst530" "2" \
     "List NFS server shares" \
-    'ls -la /etc/exports; cat /etc/exports'
+    'ls -la /etc/exports 2>/dev/null && cat /etc/exports'
 
   #dump fstab
   lse_test "fst540" "2" \
@@ -1206,6 +1222,46 @@ lse_run_tests_software() {
     'for f in $lse_user_writable; do test -S "$f" && printf "$f" | grep -a "gpg-agent"; done' \
     "fst000"
 
+  #find keepass database files
+  lse_test "sof090" "0" \
+    "Found any keepass database files?" \
+    'find / $lse_find_opts -regextype egrep -iregex ".*\.kdbx?" -readable -type f -print'
+
+  #find pass database files
+  lse_test "sof100" "0" \
+    "Found any 'pass' store directories?" \
+    'find / $lse_find_opts -name ".password-store" -readable -type d -print'
+
+  #check if any tmux session is active
+  lse_test "sof110" "0" \
+    "Are there any tmux sessions available?" \
+    'tmux list-sessions'
+
+  #check for all tmux sessions for other users
+  lse_test "sof120" "1" \
+    "Are there any tmux sessions from other users?" \
+    'find /tmp -type d -regex "/tmp/tmux-[0-9]+" ! -user $lse_user'
+
+  #check if we have write access to other users tmux sessions
+  lse_test "sof130" "0" \
+    "Can we write to tmux session sockets from other users?" \
+    'find /tmp -writable -type s -regex "/tmp/tmux-[0-9]+/.+" ! -user $lse_user -exec ls -l {} +'
+
+  #check if there is any active screen session
+  lse_test "sof140" "0" \
+    "Are any screen sessions available?" \
+    'screen -ls >/dev/null && screen -ls'
+
+  #find other users screen sessions
+  lse_test "sof150" "1" \
+    "Are there any screen sessions from other users?" \
+    'find /run/screen -type d -regex "/run/screen/S-.+" ! -user $lse_user'
+
+  #find writable screen session sockets from other users
+  lse_test "sof160" "0" \
+    "Can we write to screen session sockets from other users?" \
+    'find /run/screen -type s -writable -regex "/run/screen/S-.+/.+" ! -user $lse_user -exec ls -l {} +'
+
   #sudo version - check to see if there are any known vulnerabilities with this
   lse_test "sof500" "2" \
     "Sudo version" \
@@ -1225,6 +1281,17 @@ lse_run_tests_software() {
   lse_test "sof530" "2" \
     "Apache version" \
     'apache2 -v; httpd -v'
+
+  #check tmux version
+  lse_test "sof540" "2" \
+    "Tmux version" \
+    'tmux -V'
+
+  #check screen version
+  lse_test "sof550" "2" \
+    "Screen version" \
+    'screen -v'
+
 }
 
 

+ 1 - 2
template.py

@@ -20,10 +20,9 @@ USERNAME = "admin"
 PASSWORD = "password"
 
 def login(username, password):
-    # Template method to create a session
     session = requests.Session()
     post_data = { "username": username, "password": password }
-    res = session.post(BASE_URL + "/login", data=post_data, allow_redirects=False)
+    res = session.post(f"{BASE_URL}/login", data=post_data, allow_redirects=False)
     if res.status_code != 302 or "Location" not in res.headers or res.headers["Location"] != "/home":
         print("Login failed")
         exit()

+ 0 - 6
update.sh

@@ -12,12 +12,6 @@ wget --no-verbose https://github.com/carlospolop/privilege-escalation-awesome-sc
 wget --no-verbose https://github.com/rebootuser/LinEnum/raw/master/LinEnum.sh -O LinEnum.sh
 wget --no-verbose https://github.com/stealthcopter/deepce/raw/main/deepce.sh -O deepce.sh
 
-echo "Updating autorecon…"
-wget --no-verbose https://raw.githubusercontent.com/Tib3rius/AutoRecon/master/src/autorecon/autorecon.py -O autorecon.py
-wget --no-verbose https://github.com/Tib3rius/AutoRecon/raw/master/src/autorecon/config/global-patterns-default.toml -O autorecon_config/global-patterns.toml
-wget --no-verbose https://github.com/Tib3rius/AutoRecon/raw/master/src/autorecon/config/port-scan-profiles-default.toml -O autorecon_config/port-scan-profiles.toml
-wget --no-verbose https://github.com/Tib3rius/AutoRecon/raw/master/src/autorecon/config/service-scans-default.toml -O autorecon_config/service-scans.toml
-
 echo "Updating Chisel…"
 location=$(curl -s -I https://github.com/jpillora/chisel/releases/latest | grep -i "location: " | awk '{ print $2 }')
 if [[ "$location" =~ ^https://github.com/jpillora/chisel/releases/tag/v(.*) ]]; then

BIN
win/winPEAS.exe


BIN
win/winPEASx64.exe


Some files were not shown because too many files changed in this diff