Roman/HackingScripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update

Browse Source
This commit is contained in:
Roman Hergenreder 2021-06-30 20:44:38 +02:00
parent 1891efe2e4
commit efc3b655a8
14 changed files with 1245 additions and 1351 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
autorecon.py
View File

@ -221,7 +221,12 @@ def calculate_elapsed_time(start_time):
async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE): async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE):
address = target.address address = target.address
while True: while True:
line = await stream.readline() line = ""
try:
line = await stream.readline()
except ValueError:
continue
if line: if line:
line = str(line.rstrip(), 'utf8', 'ignore') line = str(line.rstrip(), 'utf8', 'ignore')
debug(color + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=color) debug(color + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=color)
@ -878,4 +883,3 @@ def main():
if __name__ == '__main__': if __name__ == '__main__':
main() main()

16
autorecon_config/service-scans.toml
View File

@ -59,7 +59,7 @@ service-names = [
] ]
[[finger.scan]] [[finger.scan]]
nmap = 'nmap-finger' name = 'nmap-finger'
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}' command = 'nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}'
[ftp] [ftp]
@ -126,8 +126,8 @@ ignore-service-names = [
command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"' command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'
[[http.scan]] [[http.scan]]
name = 'ffuf' name = 'feroxbuster'
command = 'ffuf -u {scheme}://{address}:{port}/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf.txt' command = 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster.txt'
[[http.manual]] [[http.manual]]
description = '(nikto) old but generally reliable web server enumeration tool' description = '(nikto) old but generally reliable web server enumeration tool'
@ -136,10 +136,10 @@ ignore-service-names = [
] ]
[[http.manual]] [[http.manual]]
description = '(ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:' description = '(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
commands = [ commands = [
'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_big.txt', 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_big.txt',
'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_dirbuster.txt' 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_dirbuster.txt'
] ]
[[http.manual]] [[http.manual]]
@ -159,8 +159,8 @@ ignore-service-names = [
[[http.manual]] [[http.manual]]
description = '(gobuster v3) Directory/file enumeration for web servers using various wordlists (same as dirb above):' description = '(gobuster v3) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
commands = [ commands = [
'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"', 'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"' 'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
] ]
[[http.manual]] [[http.manual]]

13
crack_hash.py
View File

@ -65,6 +65,7 @@ class HashType(enum.Enum):
LM = 3000 LM = 3000
NTLM = 1000 NTLM = 1000
MSSQL = 1731 MSSQL = 1731
NTLMV2_SSP = 5600
# Kerberos # Kerberos
KERBEROS_AS_REQ = 7500 KERBEROS_AS_REQ = 7500
@ -109,9 +110,15 @@ class Hash:
elif crypt_type == "S": elif crypt_type == "S":
self.type.append(HashType.DRUPAL7) self.type.append(HashType.DRUPAL7)
else: else:
self.isSalted = ":" in raw_hash if ":" in raw_hash:
if self.isSalted: parts = raw_hash.split(":")
raw_hash, self.salt = raw_hash.split(":") if len(parts) == 2:
self.isSalted = True
raw_hash, self.salt = raw_hash.split(":")
elif len(parts) == 6:
self.type.append(HashType.NTLMV2_SSP)
# Base64 -> hex # Base64 -> hex
try: try:

2
fileserver.py
View File

@ -132,7 +132,7 @@ class HttpFileServer(HTTPServer):
data = data.encode("UTF-8") data = data.encode("UTF-8")
# return 200 - OK and data # return 200 - OK and data
self.addRoute(name, lambda req: (data, 200)) self.addRoute(name, lambda req: (200, data))
def dumpRequest(self, name): def dumpRequest(self, name):
self.dumpRequests.append(self.cleanPath(name)) self.dumpRequests.append(self.cleanPath(name))

2503
linpeas.sh
View File

File diff suppressed because one or more lines are too long

36
lse.sh
View File

@ -4,8 +4,8 @@
# Author: Diego Blanco <diego.blanco@treitos.com> # Author: Diego Blanco <diego.blanco@treitos.com>
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
# #
lse_version="3.2" lse_version="3.3"
#( Colors #( Colors
# #
@ -287,7 +287,7 @@ lse_set_level() {
esac esac
} }
lse_help() { lse_help() {
echo "Use: $0 [options]" echo "Use: $0 [options]"
echo echo
echo " OPTIONS" echo " OPTIONS"
echo " -c Disable color" echo " -c Disable color"
@ -404,7 +404,7 @@ lse_test() {
cecho "${red}---$reset\n" cecho "${red}---$reset\n"
fi fi
return 1 return 1
fi fi
# If level is 2 and lse_level is less than 2, then we do not execute # If level is 2 and lse_level is less than 2, then we do not execute
# level 2 tests unless their output needs to be assigned to a variable # level 2 tests unless their output needs to be assigned to a variable
@ -534,7 +534,7 @@ lse_exit() {
} }
lse_procmon() { lse_procmon() {
# monitor processes # monitor processes
#NOTE: The first number will be the number of occurrences of a process due to #NOTE: The first number will be the number of occurrences of a process due to
# uniq -c # uniq -c
while [ -f "$lse_procmon_lock" ]; do while [ -f "$lse_procmon_lock" ]; do
ps -ewwwo start_time,pid,user:50,args ps -ewwwo start_time,pid,user:50,args
@ -564,7 +564,7 @@ lse_proc_print() {
# A successful test will receive some output while a failed tests will receive # A successful test will receive some output while a failed tests will receive
# an empty string. # an empty string.
# #
########################################################################( users ########################################################################( users
lse_run_tests_users() { lse_run_tests_users() {
lse_header "usr" "users" lse_header "usr" "users"
@ -582,8 +582,8 @@ lse_run_tests_users() {
#other users in an administrative group #other users in an administrative group
lse_test "usr020" "1" \ lse_test "usr020" "1" \
"Are there other users in an administrative groups?" \ "Are there other users in administrative groups?" \
'grep $lse_grep_opts -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -Ev ":$" | grep $lse_grep_opts -Ei ":[a-z_-]+\$"' 'grep $lse_grep_opts -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -Ev ":$|:$lse_user$" | grep $lse_grep_opts -Ei ":[,a-z_-]+\$"'
#other users with shell #other users with shell
lse_test "usr030" "1" \ lse_test "usr030" "1" \
@ -591,7 +591,7 @@ lse_run_tests_users() {
'grep $lse_grep_opts -E ":/[a-z/]+sh\$" /etc/passwd' \ 'grep $lse_grep_opts -E ":/[a-z/]+sh\$" /etc/passwd' \
"" \ "" \
"lse_shell_users" "lse_shell_users"
#user env information #user env information
lse_test "usr040" "2" \ lse_test "usr040" "2" \
"Environment information" \ "Environment information" \
@ -722,7 +722,7 @@ lse_run_tests_filesystem() {
"Can we write to any setgid binary?" \ "Can we write to any setgid binary?" \
'for b in $lse_setgid_binaries; do [ -x "$b" ] && [ -w "$b" ] && echo "$b" ;done' \ 'for b in $lse_setgid_binaries; do [ -x "$b" ] && [ -w "$b" ] && echo "$b" ;done' \
"fst040" "fst040"
#can we read /root #can we read /root
lse_test "fst070" "1" \ lse_test "fst070" "1" \
"Can we read /root?" \ "Can we read /root?" \
@ -863,7 +863,7 @@ lse_run_tests_system() {
lse_test "sys050" "1" \ lse_test "sys050" "1" \
"Can root user log in via SSH?" \ "Can root user log in via SSH?" \
'grep -E "^[[:space:]]*PermitRootLogin " /etc/ssh/sshd_config | grep -E "(yes|without-password|prohibit-password)"' 'grep -E "^[[:space:]]*PermitRootLogin " /etc/ssh/sshd_config | grep -E "(yes|without-password|prohibit-password)"'
#list available shells #list available shells
lse_test "sys060" "2" \ lse_test "sys060" "2" \
"List available shells" \ "List available shells" \
@ -919,7 +919,7 @@ lse_run_tests_security() {
"Does current user have capabilities?" \ "Does current user have capabilities?" \
'printf "$lse_user_caps\n" | grep "$lse_user"' \ 'printf "$lse_user_caps\n" | grep "$lse_user"' \
"sec040" "sec040"
#can user read the auditd log #can user read the auditd log
lse_test "sec060" "0" \ lse_test "sec060" "0" \
"Can we read the auditd log?" \ "Can we read the auditd log?" \
@ -927,7 +927,7 @@ lse_run_tests_security() {
} }
##############################################################( recurrent tasks ##############################################################( recurrent tasks
lse_run_tests_recurrent_tasks() { lse_run_tests_recurrent_tasks() {
lse_header "ret" "recurrent tasks" lse_header "ret" "recurrent tasks"
@ -960,7 +960,7 @@ lse_run_tests_recurrent_tasks() {
#can we write to any paths present in cron tasks? #can we write to any paths present in cron tasks?
lse_test "ret050" "1" \ lse_test "ret050" "1" \
"Can we write to any paths present in cron jobs" \ "Can we write to any paths present in cron jobs" \
'for p in `grep --color=never -hERoi "/[a-z0-9_/\.\-]+" /etc/cron* | sort -u`; do [ -w "$p" ] && echo "$p"; done' \ 'for p in `grep --color=never -hERoi "/[a-z0-9_/\.\-]+" /etc/cron* | grep -Ev "/dev/(null|zero|random|urandom)" | sort -u`; do [ -w "$p" ] && echo "$p"; done' \
"" \ "" \
"lse_user_writable_cron_paths" "lse_user_writable_cron_paths"
@ -980,7 +980,7 @@ lse_run_tests_recurrent_tasks() {
#user timers #user timers
lse_test "ret500" "1" \ lse_test "ret500" "1" \
"User systemd timers" \ "User systemd timers" \
'systemctl --user list-timers --all | grep -Ev "(^$|timers listed)"' 'systemctl --user list-timers --all | grep -iq "\.timer" && systemctl --user list-timers --all'
#can we write in any system timer? #can we write in any system timer?
lse_test "ret510" "0" \ lse_test "ret510" "0" \
@ -1026,7 +1026,7 @@ lse_run_tests_network() {
#nameservers #nameservers
lse_test "net530" "2" \ lse_test "net530" "2" \
"Namerservers" \ "Nameservers" \
'grep "nameserver" /etc/resolv.conf' 'grep "nameserver" /etc/resolv.conf'
#systemd nameservers #systemd nameservers
@ -1038,7 +1038,7 @@ lse_run_tests_network() {
lse_test "net550" "2" \ lse_test "net550" "2" \
"Listening TCP" \ "Listening TCP" \
'netstat -tnlp || ss -tnlp' 'netstat -tnlp || ss -tnlp'
#listening UDP #listening UDP
lse_test "net560" "2" \ lse_test "net560" "2" \
"Listening UDP" \ "Listening UDP" \
@ -1187,7 +1187,7 @@ lse_run_tests_software() {
#check if there are ssh private keys in ssh-agent #check if there are ssh private keys in ssh-agent
lse_test "sof050" "0" \ lse_test "sof050" "0" \
"Are there private keys in ssh-agent?" \ "Are there private keys in ssh-agent?" \
'ssh-add -l' 'ssh-add -l | grep -iv "agent has no identities"'
#check if there are gpg keys in gpg-agent #check if there are gpg keys in gpg-agent
lse_test "sof060" "0" \ lse_test "sof060" "0" \

BIN
socat Normal file
View File

Binary file not shown.

12
ssh-check-username.py
View File

@ -26,9 +26,7 @@ class InvalidUsername(Exception):
def add_boolean(*args, **kwargs): def add_boolean(*args, **kwargs):
pass pass
old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[
paramiko.common.MSG_SERVICE_ACCEPT]
def service_accept(*args, **kwargs): def service_accept(*args, **kwargs):
paramiko.message.Message.add_boolean = add_boolean paramiko.message.Message.add_boolean = add_boolean
@ -55,14 +53,14 @@ def _paramiko_tunnel(username, *args, **kwargs):
return return
try: try:
transport.auth_publickey(us, paramiko.RSAKey.generate(2048)) transport.auth_publickey(us, paramiko.RSAKey.generate(2048))
except InvalidUsername: except InvalidUsername or socket.error:
print ('[*] {} - Invalid username'.format(us)) print ('[*] {} - Invalid username'.format(us))
except paramiko.ssh_exception.AuthenticationException: except paramiko.ssh_exception.AuthenticationException:
print ('[+] {} - Valid username'.format(us)) print ('[+] {} - Valid username'.format(us))
return return
paramiko.auth_handler.AuthHandler._handler_table.update({ paramiko.auth_handler.AuthHandler._client_handler_table.update({
paramiko.common.MSG_SERVICE_ACCEPT: service_accept, paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
}) })
@ -81,7 +79,3 @@ if args.wordlist is not None:
for u in f: for u in f:
usernames.append(u) usernames.append(u)
pool.map(_paramiko_tunnel, usernames) pool.map(_paramiko_tunnel, usernames)

4
template.py
View File

@ -16,6 +16,8 @@ from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337" BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
USERNAME = "admin"
PASSWORD = "password"
def login(username, password): def login(username, password):
# Template method to create a session # Template method to create a session
@ -32,7 +34,7 @@ def exploit(session, payload):
pass pass
if __name__ == "__main__": if __name__ == "__main__":
session = login() session = login(USERNAME, PASSWORD)
exploit(session, "id") exploit(session, "id")
""" % baseUrl """ % baseUrl

BIN
win/accesschk.exe
View File

Binary file not shown.

BIN
win/accesschk64.exe
View File

Binary file not shown.

2
win/winPEAS.bat
View File

@ -451,7 +451,7 @@ CALL :T_Progress 1
:UnquotedServicePaths :UnquotedServicePaths
CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS" CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Progam.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe' ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
ECHO. [i] The permissions are also checked and filtered using icacls ECHO. [i] The permissions are also checked and filtered using icacls
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do ( for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (

BIN
win/ysoserial/NDesk.Options.dll Normal file
View File

Binary file not shown.

BIN
win/ysoserial/ysoserial.exe Normal file
View File

Binary file not shown.