587 lines
24 KiB
TOML
587 lines
24 KiB
TOML
# Configurable Variables
|
|
username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt'
|
|
password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
|
|
|
|
[all-services] # Define scans here that you want to run against all services.
|
|
|
|
service-names = [
|
|
'.+'
|
|
]
|
|
|
|
[[all-services.scan]]
|
|
name = 'sslscan'
|
|
command = 'if [ "{secure}" == "True" ]; then sslscan --show-certificate --no-colour {address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_sslscan.txt"; fi'
|
|
|
|
[cassandra]
|
|
|
|
service-names = [
|
|
'^apani1'
|
|
]
|
|
|
|
[[cassandra.scan]]
|
|
name = 'nmap-cassandra'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}'
|
|
|
|
[cups]
|
|
|
|
service-names = [
|
|
'^ipp'
|
|
]
|
|
|
|
[[cups.scan]]
|
|
name = 'nmap-cups'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}'
|
|
|
|
[distcc]
|
|
|
|
service-names = [
|
|
'^distccd'
|
|
]
|
|
|
|
[[distcc.scan]]
|
|
name = 'nmap-distcc'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}'
|
|
|
|
[dns]
|
|
|
|
service-names = [
|
|
'^domain'
|
|
]
|
|
|
|
[[dns.scan]]
|
|
name = 'nmap-dns'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}'
|
|
|
|
[finger]
|
|
|
|
service-names = [
|
|
'^finger'
|
|
]
|
|
|
|
[[finger.scan]]
|
|
nmap = 'nmap-finger'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}'
|
|
|
|
[ftp]
|
|
|
|
service-names = [
|
|
'^ftp',
|
|
'^ftp\-data'
|
|
]
|
|
|
|
[[ftp.scan]]
|
|
name = 'nmap-ftp'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}'
|
|
|
|
[[ftp.scan.pattern]]
|
|
description = 'Anonymous FTP Enabled!'
|
|
pattern = 'Anonymous FTP login allowed'
|
|
|
|
[[ftp.manual]]
|
|
description = 'Bruteforce logins:'
|
|
commands = [
|
|
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}',
|
|
'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}'
|
|
]
|
|
|
|
[http]
|
|
|
|
service-names = [
|
|
'^http',
|
|
]
|
|
|
|
ignore-service-names = [
|
|
'^nacn_http$'
|
|
]
|
|
|
|
[[http.scan]]
|
|
name = 'nmap-http'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_http_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{scheme}_nmap.xml" {address}'
|
|
|
|
[[http.scan.pattern]]
|
|
description = 'Identified HTTP Server: {match}'
|
|
pattern = 'Server: ([^\n]+)'
|
|
|
|
[[http.scan.pattern]]
|
|
description = 'WebDAV is enabled'
|
|
pattern = 'WebDAV is ENABLED'
|
|
|
|
[[http.scan]]
|
|
name = 'curl-index'
|
|
command = 'curl -sSik {scheme}://{address}:{port}/ -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_index.html"'
|
|
|
|
[[http.scan.pattern]]
|
|
pattern = '(?i)Powered by [^\n]+'
|
|
|
|
[[http.scan]]
|
|
name = 'curl-robots'
|
|
command = 'curl -sSik {scheme}://{address}:{port}/robots.txt -m 10 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_robots.txt"'
|
|
|
|
[[http.scan]]
|
|
name = 'wkhtmltoimage'
|
|
command = 'if hash wkhtmltoimage 2> /dev/null; then wkhtmltoimage --format png {scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{scheme}_screenshot.png; fi'
|
|
|
|
[[http.scan]]
|
|
name = 'whatweb'
|
|
command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'
|
|
|
|
[[http.scan]]
|
|
name = 'ffuf'
|
|
command = 'ffuf -u {scheme}://{address}:{port}/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf.txt'
|
|
|
|
[[http.manual]]
|
|
description = '(nikto) old but generally reliable web server enumeration tool'
|
|
commands = [
|
|
'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"'
|
|
]
|
|
|
|
[[http.manual]]
|
|
description = '(ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
|
|
commands = [
|
|
'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_big.txt',
|
|
'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_dirbuster.txt'
|
|
]
|
|
|
|
[[http.manual]]
|
|
description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
|
|
commands = [
|
|
'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_big.txt"',
|
|
'dirsearch -u {scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --plain-text-report="{scandir}/{protocol}_{port}_{scheme}_dirsearch_dirbuster.txt"'
|
|
]
|
|
|
|
[[http.manual]]
|
|
description = '(dirb) Recursive directory/file enumeration for web servers using various wordlists (same as dirsearch above):'
|
|
commands = [
|
|
'dirb {scheme}://{address}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{scheme}_dirb_big.txt"',
|
|
'dirb {scheme}://{address}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{scheme}_dirb_dirbuster.txt"'
|
|
]
|
|
|
|
[[http.manual]]
|
|
description = '(gobuster v3) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
|
|
commands = [
|
|
'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
|
|
'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
|
|
]
|
|
|
|
[[http.manual]]
|
|
description = '(gobuster v1 & v2) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
|
|
commands = [
|
|
'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
|
|
'gobuster -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
|
|
]
|
|
|
|
[[http.manual]]
|
|
description = '(wpscan) WordPress Security Scanner (useful if WordPress is found):'
|
|
commands = [
|
|
'wpscan --url {scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_wpscan.txt"'
|
|
]
|
|
|
|
[[http.manual]]
|
|
description = "Credential bruteforcing commands (don't run these without modifying them):"
|
|
commands = [
|
|
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_auth_hydra.txt" {scheme}-get://{address}/path/to/auth/area',
|
|
'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area',
|
|
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{scheme}_form_hydra.txt" {scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message',
|
|
'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"',
|
|
]
|
|
|
|
[imap]
|
|
|
|
service-names = [
|
|
'^imap'
|
|
]
|
|
|
|
[[imap.scan]]
|
|
name = 'nmap-imap'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}'
|
|
|
|
[kerberos]
|
|
|
|
service-names = [
|
|
'^kerberos',
|
|
'^kpasswd'
|
|
]
|
|
|
|
[[kerberos.scan]]
|
|
name = 'nmap-kerberos'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}'
|
|
|
|
[ldap]
|
|
|
|
service-names = [
|
|
'^ldap'
|
|
]
|
|
|
|
[[ldap.scan]]
|
|
name = 'nmap-ldap'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}'
|
|
|
|
[[ldap.scan]]
|
|
name = 'enum4linux'
|
|
command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
|
|
run_once = true
|
|
ports.tcp = [139, 389, 445]
|
|
ports.udp = [137]
|
|
|
|
[[ldap.manual]]
|
|
description = 'ldapsearch command (modify before running)'
|
|
commands = [
|
|
'ldapsearch -x -D "<username>" -w "<password>"" -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*) 2>&1 | tee > "{scandir}/{protocol}_{port}_ldap_all-entries.txt"'
|
|
]
|
|
|
|
[mongodb]
|
|
|
|
service-names = [
|
|
'^mongod'
|
|
]
|
|
|
|
[[mongodb.scan]]
|
|
name = 'nmap-mongodb'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}'
|
|
|
|
[mssql]
|
|
|
|
service-names = [
|
|
'^mssql',
|
|
'^ms\-sql'
|
|
]
|
|
|
|
[[mssql.scan]]
|
|
name = 'nmap-mssql'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}'
|
|
|
|
[[mssql.manual]]
|
|
description = '(sqsh) interactive database shell'
|
|
commands = [
|
|
'sqsh -U <username> -P <password> -S {address}:{port}'
|
|
]
|
|
|
|
[mysql]
|
|
|
|
service-names = [
|
|
'^mysql'
|
|
]
|
|
|
|
[[mysql.scan]]
|
|
name = 'nmap-mysql'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}'
|
|
|
|
[nfs]
|
|
|
|
service-names = [
|
|
'^nfs',
|
|
'^rpcbind'
|
|
]
|
|
|
|
[[nfs.scan]]
|
|
name = 'nmap-nfs'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}'
|
|
|
|
[[nfs.scan]]
|
|
name = 'showmount'
|
|
command = 'showmount -e {address} 2>&1 | tee "{scandir}/{protocol}_{port}_showmount.txt"'
|
|
|
|
[nntp]
|
|
|
|
service-names = [
|
|
'^nntp'
|
|
]
|
|
|
|
[[nntp.scan]]
|
|
name = 'nmap-nntp'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}'
|
|
|
|
[oracle]
|
|
|
|
service-names = [
|
|
'^oracle'
|
|
]
|
|
|
|
[[oracle.scan]]
|
|
name = 'nmap-oracle'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}'
|
|
|
|
[[oracle.scan]]
|
|
name = 'oracle-tnscmd-ping'
|
|
command = 'tnscmd10g ping -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_ping.txt"'
|
|
|
|
[[oracle.scan]]
|
|
name = 'oracle-tnscmd-version'
|
|
command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"'
|
|
|
|
[[oracle.scan]]
|
|
name = 'oracle-tnscmd-version'
|
|
command = 'tnscmd10g version -h {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_tnscmd_version.txt"'
|
|
|
|
[[oracle.scan]]
|
|
name = 'oracle-scanner'
|
|
command = 'oscanner -v -s {address} -P {port} 2>&1 | tee "{scandir}/{protocol}_{port}_oracle_scanner.txt"'
|
|
|
|
[[oracle.manual]]
|
|
description = 'Brute-force SIDs using Nmap'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}'
|
|
|
|
[[oracle.manual]]
|
|
description = 'Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:'
|
|
commands = [
|
|
'python odat.py tnscmd -s {address} -p {port} --ping',
|
|
'python odat.py tnscmd -s {address} -p {port} --version',
|
|
'python odat.py tnscmd -s {address} -p {port} --status',
|
|
'python odat.py sidguesser -s {address} -p {port}',
|
|
'python odat.py passwordguesser -s {address} -p {port} -d <sid> --accounts-file accounts/accounts_multiple.txt',
|
|
'python odat.py tnspoison -s {address} -p {port} -d <sid> --test-module'
|
|
]
|
|
|
|
[[oracle.manual]]
|
|
description = 'Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:'
|
|
commands = [
|
|
'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000'
|
|
]
|
|
|
|
[pop3]
|
|
|
|
service-names = [
|
|
'^pop3'
|
|
]
|
|
|
|
[[pop3.scan]]
|
|
name = 'nmap-pop3'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}'
|
|
|
|
[rdp]
|
|
|
|
service-names = [
|
|
'^rdp',
|
|
'^ms\-wbt\-server',
|
|
'^ms\-term\-serv'
|
|
]
|
|
|
|
[[rdp.scan]]
|
|
name = 'nmap-rdp'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}'
|
|
|
|
[[rdp.manual]]
|
|
description = 'Bruteforce logins:'
|
|
commands = [
|
|
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}',
|
|
'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}'
|
|
]
|
|
|
|
[rmi]
|
|
|
|
service-names = [
|
|
'^java\-rmi',
|
|
'^rmiregistry'
|
|
]
|
|
|
|
[[rmi.scan]]
|
|
name = 'nmap-rmi'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}'
|
|
|
|
[rpc]
|
|
|
|
service-names = [
|
|
'^msrpc',
|
|
'^rpcbind',
|
|
'^erpc'
|
|
]
|
|
|
|
[[rpc.scan]]
|
|
name = 'nmap-msrpc'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}'
|
|
|
|
[[rpc.manual]]
|
|
description = 'RPC Client:'
|
|
commands = [
|
|
'rpcclient -p {port} -U "" {address}'
|
|
]
|
|
|
|
[sip]
|
|
|
|
service-names = [
|
|
'^asterisk'
|
|
]
|
|
|
|
[[sip.scan]]
|
|
name = 'nmap-sip'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}'
|
|
|
|
[[sip.scan]]
|
|
name = 'svwar'
|
|
command = 'svwar -D -m INVITE -p {port} {address}'
|
|
|
|
[ssh]
|
|
|
|
service-names = [
|
|
'^ssh'
|
|
]
|
|
|
|
[[ssh.scan]]
|
|
name = 'nmap-ssh'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}'
|
|
|
|
[[ssh.manual]]
|
|
description = 'Bruteforce logins:'
|
|
commands = [
|
|
'hydra -L "{username_wordlist}" -P "{password_wordlist}" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}',
|
|
'medusa -U "{username_wordlist}" -P "{password_wordlist}" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}'
|
|
]
|
|
[smb]
|
|
|
|
service-names = [
|
|
'^smb',
|
|
'^microsoft\-ds',
|
|
'^netbios'
|
|
]
|
|
|
|
[[smb.scan]]
|
|
name = 'nmap-smb'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}'
|
|
|
|
[[smb.scan]]
|
|
name = 'enum4linux'
|
|
command = 'enum4linux -a -M -l -d {address} 2>&1 | tee "{scandir}/enum4linux.txt"'
|
|
run_once = true
|
|
ports.tcp = [139, 389, 445]
|
|
ports.udp = [137]
|
|
|
|
[[smb.scan]]
|
|
name = 'nbtscan'
|
|
command = 'nbtscan -rvh {address} 2>&1 | tee "{scandir}/nbtscan.txt"'
|
|
run_once = true
|
|
ports.udp = [137]
|
|
|
|
[[smb.scan]]
|
|
name = 'smbclient'
|
|
command = 'smbclient -L\\ -N -I {address} 2>&1 | tee "{scandir}/smbclient.txt"'
|
|
run_once = true
|
|
ports.tcp = [139, 445]
|
|
|
|
[[smb.scan]]
|
|
name = 'smbmap-share-permissions'
|
|
command = 'smbmap -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"; smbmap -u null -p "" -H {address} -P {port} 2>&1 | tee -a "{scandir}/smbmap-share-permissions.txt"'
|
|
|
|
[[smb.scan]]
|
|
name = 'smbmap-list-contents'
|
|
command = 'smbmap -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"; smbmap -u null -p "" -H {address} -P {port} -R 2>&1 | tee -a "{scandir}/smbmap-list-contents.txt"'
|
|
|
|
[[smb.scan]]
|
|
name = 'smbmap-execute-command'
|
|
command = 'smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"; smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1 | tee -a "{scandir}/smbmap-execute-command.txt"'
|
|
|
|
[[smb.manual]]
|
|
description = 'Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:'
|
|
commands = [
|
|
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}',
|
|
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}',
|
|
'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}'
|
|
]
|
|
|
|
[smtp]
|
|
|
|
service-names = [
|
|
'^smtp'
|
|
]
|
|
|
|
[[smtp.scan]]
|
|
name = 'nmap-smtp'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}'
|
|
|
|
[[smtp.scan]]
|
|
name = 'smtp-user-enum'
|
|
command = 'smtp-user-enum -M VRFY -U "{username_wordlist}" -t {address} -p {port} 2>&1 | tee "{scandir}/{protocol}_{port}_smtp_user-enum.txt"'
|
|
|
|
[snmp]
|
|
|
|
service-names = [
|
|
'^snmp'
|
|
]
|
|
|
|
[[snmp.scan]]
|
|
name = 'nmap-snmp'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}'
|
|
|
|
[[snmp.scan]]
|
|
name = 'onesixtyone'
|
|
command = 'onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt -dd {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_onesixtyone.txt"'
|
|
run_once = true
|
|
ports.udp = [161]
|
|
|
|
[[snmp.scan]]
|
|
name = 'snmpwalk'
|
|
command = 'snmpwalk -c public -v 1 {address} 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk.txt"'
|
|
run_once = true
|
|
ports.udp = [161]
|
|
|
|
[[snmp.scan]]
|
|
name = 'snmpwalk-system-processes'
|
|
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_system_processes.txt"'
|
|
run_once = true
|
|
ports.udp = [161]
|
|
|
|
[[snmp.scan]]
|
|
name = 'snmpwalk-running-processes'
|
|
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt"'
|
|
run_once = true
|
|
ports.udp = [161]
|
|
|
|
[[snmp.scan]]
|
|
name = 'snmpwalk-process-paths'
|
|
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_process_paths.txt"'
|
|
run_once = true
|
|
ports.udp = [161]
|
|
|
|
[[snmp.scan]]
|
|
name = 'snmpwalk-storage-units'
|
|
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_storage_units.txt"'
|
|
run_once = true
|
|
ports.udp = [161]
|
|
|
|
[[snmp.scan]]
|
|
name = 'snmpwalk-software-names'
|
|
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.6.3.1.2 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_software_names.txt"'
|
|
run_once = true
|
|
ports.udp = [161]
|
|
|
|
[[snmp.scan]]
|
|
name = 'snmpwalk-user-accounts'
|
|
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_user_accounts.txt"'
|
|
run_once = true
|
|
ports.udp = [161]
|
|
|
|
[[snmp.scan]]
|
|
name = 'snmpwalk-tcp-ports'
|
|
command = 'snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1 | tee "{scandir}/{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt"'
|
|
run_once = true
|
|
ports.udp = [161]
|
|
|
|
[telnet]
|
|
|
|
service-names = [
|
|
'^telnet'
|
|
]
|
|
|
|
[[telnet.scan]]
|
|
name = 'nmap-telnet'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}'
|
|
|
|
[tftp]
|
|
|
|
service-names = [
|
|
'^tftp'
|
|
]
|
|
|
|
[[tftp.scan]]
|
|
name = 'nmap-tftp'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}'
|
|
|
|
[vnc]
|
|
|
|
service-names = [
|
|
'^vnc'
|
|
]
|
|
|
|
[[vnc.scan]]
|
|
name = 'nmap-vnc'
|
|
command = 'nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}'
|