Update

autorecon.py

@@ -221,7 +221,12 @@ def calculate_elapsed_time(start_time):
 async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE):
     address = target.address
     while True:
-        line = await stream.readline()
+        line = ""
+        try:
+            line = await stream.readline()
+        except ValueError:
+            continue
+        
         if line:
             line = str(line.rstrip(), 'utf8', 'ignore')
             debug(color + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=color)
@@ -878,4 +883,3 @@ def main():
 
 if __name__ == '__main__':
     main()
-

autorecon_config/service-scans.toml

@@ -59,7 +59,7 @@ service-names = [
 ]
 
     [[finger.scan]]
-    nmap = 'nmap-finger'
+    name = 'nmap-finger'
     command = 'nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}'
 
 [ftp]
@@ -126,8 +126,8 @@ ignore-service-names = [
     command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'
 
     [[http.scan]]
-    name = 'ffuf'
-    command = 'ffuf -u {scheme}://{address}:{port}/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf.txt'
+    name = 'feroxbuster'
+    command = 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster.txt'
 
     [[http.manual]]
     description = '(nikto) old but generally reliable web server enumeration tool'
@@ -136,10 +136,10 @@ ignore-service-names = [
     ]
 
     [[http.manual]]
-    description = '(ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
+    description = '(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
     commands = [
-        'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_big.txt',
-        'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_dirbuster.txt'
+        'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_big.txt',
+        'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_dirbuster.txt'
     ]
 
     [[http.manual]]
@@ -159,8 +159,8 @@ ignore-service-names = [
     [[http.manual]]
     description = '(gobuster v3) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
     commands = [
-        'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
-        'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
+        'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
+        'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
     ]
 
     [[http.manual]]

crack_hash.py

@@ -65,6 +65,7 @@ class HashType(enum.Enum):
     LM   = 3000
     NTLM = 1000
     MSSQL = 1731
+    NTLMV2_SSP = 5600
 
     # Kerberos
     KERBEROS_AS_REQ = 7500
@@ -109,9 +110,15 @@ class Hash:
             elif crypt_type == "S":
                 self.type.append(HashType.DRUPAL7)
         else:
-            self.isSalted = ":" in raw_hash
-            if self.isSalted:
-                raw_hash, self.salt = raw_hash.split(":")
+            if ":" in raw_hash:
+                parts = raw_hash.split(":")
+                if len(parts) == 2:
+                    self.isSalted = True
+                    raw_hash, self.salt = raw_hash.split(":")
+                elif len(parts) == 6:
+                    self.type.append(HashType.NTLMV2_SSP)
+
+
 
         # Base64 -> hex
         try:

fileserver.py

@@ -132,7 +132,7 @@ class HttpFileServer(HTTPServer):
             data = data.encode("UTF-8")
 
         # return 200 - OK and data
-        self.addRoute(name, lambda req: (data, 200))
+        self.addRoute(name, lambda req: (200, data))
 
     def dumpRequest(self, name):
         self.dumpRequests.append(self.cleanPath(name))

lse.sh

@@ -5,7 +5,7 @@
 # Author: Diego Blanco <diego.blanco@treitos.com>
 # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
 #
-lse_version="3.2"
+lse_version="3.3"
 
 #( Colors
 #
@@ -582,8 +582,8 @@ lse_run_tests_users() {
 
   #other users in an administrative group
   lse_test "usr020" "1" \
-    "Are there other users in an administrative groups?" \
-    'grep $lse_grep_opts -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -Ev ":$" | grep $lse_grep_opts -Ei ":[a-z_-]+\$"'
+    "Are there other users in administrative groups?" \
+    'grep $lse_grep_opts -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -Ev ":$|:$lse_user$" | grep $lse_grep_opts -Ei ":[,a-z_-]+\$"'
 
   #other users with shell
   lse_test "usr030" "1" \
@@ -960,7 +960,7 @@ lse_run_tests_recurrent_tasks() {
   #can we write to any paths present in cron tasks?
   lse_test "ret050" "1" \
     "Can we write to any paths present in cron jobs" \
-    'for p in `grep --color=never -hERoi "/[a-z0-9_/\.\-]+" /etc/cron* | sort -u`; do [ -w "$p" ] && echo "$p"; done' \
+    'for p in `grep --color=never -hERoi "/[a-z0-9_/\.\-]+" /etc/cron* | grep -Ev "/dev/(null|zero|random|urandom)" | sort -u`; do [ -w "$p" ] && echo "$p"; done' \
     "" \
     "lse_user_writable_cron_paths"
 
@@ -980,7 +980,7 @@ lse_run_tests_recurrent_tasks() {
   #user timers
   lse_test "ret500" "1" \
     "User systemd timers" \
-    'systemctl --user list-timers --all | grep -Ev "(^$|timers listed)"'
+    'systemctl --user list-timers --all | grep -iq "\.timer" && systemctl --user list-timers --all'
 
   #can we write in any system timer?
   lse_test "ret510" "0" \
@@ -1026,7 +1026,7 @@ lse_run_tests_network() {
 
   #nameservers
   lse_test "net530" "2" \
-    "Namerservers" \
+    "Nameservers" \
     'grep "nameserver" /etc/resolv.conf'
 
   #systemd nameservers
@@ -1187,7 +1187,7 @@ lse_run_tests_software() {
   #check if there are ssh private keys in ssh-agent
   lse_test "sof050" "0" \
     "Are there private keys in ssh-agent?" \
-    'ssh-add -l'
+    'ssh-add -l | grep -iv "agent has no identities"'
 
   #check if there are gpg keys in gpg-agent
   lse_test "sof060" "0" \

ssh-check-username.py

@@ -26,9 +26,7 @@ class InvalidUsername(Exception):
 def add_boolean(*args, **kwargs):
     pass
 
-
-old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[
-        paramiko.common.MSG_SERVICE_ACCEPT]
+old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
 
 def service_accept(*args, **kwargs):
     paramiko.message.Message.add_boolean = add_boolean
@@ -55,14 +53,14 @@ def _paramiko_tunnel(username, *args, **kwargs):
         return
     try:
         transport.auth_publickey(us, paramiko.RSAKey.generate(2048))
-    except InvalidUsername:
+    except InvalidUsername or socket.error:
         print ('[*] {} - Invalid username'.format(us))
     except paramiko.ssh_exception.AuthenticationException:
         print ('[+] {} - Valid username'.format(us))
         return
 
 
-paramiko.auth_handler.AuthHandler._handler_table.update({
+paramiko.auth_handler.AuthHandler._client_handler_table.update({
     paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
     paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
 })
@@ -81,7 +79,3 @@ if args.wordlist is not None:
         for u in f:
             usernames.append(u)
         pool.map(_paramiko_tunnel, usernames)
-
-        
-
-

template.py

@@ -16,6 +16,8 @@ from urllib3.exceptions import InsecureRequestWarning
 requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 
 BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
+USERNAME = "admin"
+PASSWORD = "password"
 
 def login(username, password):
     # Template method to create a session
@@ -32,7 +34,7 @@ def exploit(session, payload):
     pass
 
 if __name__ == "__main__":
-    session = login()
+    session = login(USERNAME, PASSWORD)
     exploit(session, "id")
 """ % baseUrl
 

win/winPEAS.bat

@@ -451,7 +451,7 @@ CALL :T_Progress 1
 
 :UnquotedServicePaths
 CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
-ECHO.   [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Progam.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
+ECHO.   [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
 ECHO.   [i] The permissions are also checked and filtered using icacls
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
 for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (