UPT: Improve This

1. #!/bin/bash
2.  
3.  
4. # Task 1: Fix directory creation so that all new files/folders can be successfully created
5. # Task 2: Add new service identification checks to the Host Identification Section of the script
6. # Task 3: Add updated/verbose nmap scans to the Service Fingerprinting Section with the correct folder structure for nmap output
7. # Task 4: Ensure that the Web App Testing Section commands output to the correct folder structure so that it is TOGETHER with the other output
8.  
9.  
10. #Make the directories
11. mkdir -p /tmp/customerAudit/internal/scan/services/
12. mkdir -p /tmp/customerAudit/internal/scan/windows/
13. mkdir -p /tmp/customerAudit/internal/scan/sunrpc/
14. mkdir -p /tmp/customerAudit/internal/scan/telnet/
15. mkdir -p /tmp/customerAudit/internal/scan/printers/
16. mkdir -p /tmp/customerAudit/internal/scan/mssql_databases/
17. mkdir -p /tmp/customerAudit/internal/scan/oracle_databases/
18. mkdir -p /tmp/customerAudit/internal/scan/mysql_databases/
19.  
20.  
21.  
22.  
23. ############################# Host Identification Section of the script #############################
24.  
25.  
26.  
27.  
28. ######################
29. # Find Windows Hosts #
30. ######################
31. echo "Scanning for windows hosts."
32.  
33. propecia 10.0.0 445 >> /tmp/customerAudit/internal/scan/services/windows_hosts
34.  
35. echo "Done scanning for windows hosts. SSH is next."
36.  
37.  
38. ##########################
39. # Find hosts running SSH #
40. ##########################
41. echo "Scanning for windows hosts."
42.  
43. propecia 10.0.0 22 >> /tmp/customerAudit/internal/scan/services/ssh_hosts
44.  
45. echo "Done scanning for windows hosts. FTP is next."
46.  
47. ##########################
48. # Find hosts running FTP #
49. ##########################
50. echo "Scanning for windows hosts."
51.  
52. propecia 10.0.0 21 >> /tmp/customerAudit/internal/scan/services/ftp_hosts
53. echo "Done scanning for FTP hosts. SunRPC is next."
54.  
55.  
56. #############################
57. # Find hosts running SunRPC #
58. #############################
59. echo "Scanning for windows hosts."
60.  
61. propecia 10.0.0 111 >> /tmp/customerAudit/internal/scan/services/sunrpc_hosts
62. echo "Done scanning for SunRPC hosts. Telnet is next."
63.  
64.  
65. #############################
66. # Find hosts running Telnet #
67. #############################
68. echo "Scanning for windows hosts."
69.  
70. propecia 10.0.0 23 >> /tmp/customerAudit/internal/scan/services/telnet_hosts
71. echo "Done scanning for Telnet hosts. Printers are next."
72.  
73.  
74. ######################
75. # Find Print Servers #
76. ######################
77. echo "Scanning for windows hosts."
78.  
79. propecia 10.0.0 9100 >> /tmp/customerAudit/internal/scan/services/print_servers
80. echo "Done scanning for Printers. Databases are next."
81.  
82.  
83. ##################
84. # Find Databases #
85. ##################
86. echo "Scanning for MS SQL Servers"
87. propecia 10.0.0 1433 >> /tmp/customerAudit/internal/scan/services/mssql_hosts
88. echo "Done scanning for MS-SQL. Oracle is next."
89.  
90.  
91. echo "Scanning for Oracle Servers"
92. propecia 10.0.0 1521 >> /tmp/customerAudit/internal/scan/services/oracle_hosts
93. echo "Done scanning for Oracle. MySQL is next."
94.  
95. echo "Scanning for MySQL Servers"
96. propecia 10.0.0 3306 >> /tmp/customerAudit/internal/scan/services/mysql_hosts
97. echo "Done scanning for MySQL. MySQL is next."
98.  
99.  
100. echo "Scanning for Postgres Servers"
101. propecia 10.0.0 5432 >> /tmp/customerAudit/internal/scan/services/postgres_hosts
102. echo "Done scanning for Postgres. MongoDB is next."
103.  
104. echo "Scanning for MongoDB Servers"
105. propecia 10.0.0 27017 >> /tmp/customerAudit/internal/scan/services/mongodb_hosts
106. echo "Done scanning for MongoDB."
107.  
108. clear
109.  
110.  
111. echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."
112. sleep 5
113.  
114.  
115.  
116.  
117.  
118.  
119.  
120.  
121.  
122. ############################# Service Fingerprinting Section of the script #############################
123.  
124.  
125.  
126.  
127.  
128.  
129.  
130.  
131.  
132. ###############################
133. # Ok, let's do the NMAP files #
134. ###############################
135.  
136. # Windows
137. for x in `cat /tmp/customerAudit/internal/scan/services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/customerAudit/internal/scan/windows/$x ; done
138. echo "Done with Windows."
139.  
140. # SSH
141. for x in `cat /tmp/customerAudit/internal/scan/services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algo $x > /tmp/customerAudit/internal/scan/windows/$x ; done
142. echo "Done with SSH."
143.  
144. # FTP
145. for x in `cat /tmp/customerAudit/internal/scan/services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/customerAudit/internal/scan/ftp/$x ; done
146. echo "Done with FTP."
147.  
148. # SUNRPC
149. for x in `cat /tmp/customerAudit/internal/scan/services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/customerAudit/internal/scan/sunrpc/$x ; done
150. echo "Done with SunRPC."
151.  
152. # Telnet
153. for x in `cat /tmp/customerAudit/internal/scan/services/telnet_hosts` ; do nmap -sV -O $x > /tmp/customerAudit/internal/scan/telnet/$x ; done
154. echo "Done with Telnet."
155.  
156. # Printers
157. for x in `cat /tmp/customerAudit/internal/scan/services/printserver_hosts` ; do nmap -sV -O $x > /tmp/customerAudit/internal/scan/printers/$x ; done
158. echo "Done with printers."
159.  
160. # SQL Servers
161. for x in `cat /tmp/customerAudit/internal/scan/services/mssql_hosts` ; do nmap -sV -O $x > /tmp/customerAudit/internal/scan/mssql_databases/$x ; done
162. echo "Done with MS SQL."
163.  
164. # Oracle Servers
165. for x in `cat /tmp/customerAudit/internal/scan/services/oracle_hosts` ; do nmap -sV -O $x >> /tmp/customerAudit/internal/scan/oracle_databases/$x ; done
166. echo "Done with Oracle."
167.  
168. # MySQL Servers
169. for x in `cat /tmp/customerAudit/internal/scan/services/mysql_hosts` ; do nmap -sV -O $x >> /tmp/customerAudit/internal/scan/mysql_databases/$x ; done
170. echo "Done with MySQL."
171. echo " "
172. echo " "
173. echo "Done, now check your results."
174.  
175.  
176.  
177.  
178.  
179.  
180.  
181.  
182.  
183. ############################# Web App Testing Section of the script #############################
184.  
185.  
186.  
187.  
188.  
189.  
190.  
191. ############################################
192. # Screenshot the webservers in the network #
193. ############################################
194. nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/strategicsec/labnet-ip-list.txt
195. cd ~/toolz/labscreenshots/
196. sh screenshots.sh
197.  
198.  
199.  
200. #####################################
201. # Run SQLmap against the webservers #
202. #####################################
203. cd /home/strategicsec/toolz/sqlmap-dev/
204.  
205. python sqlmap.py -u http://10.0.0.9 --forms --batch --crawl=10 --level=5 --risk=3
206. python sqlmap.py -u http://10.0.0.63 --forms --batch --crawl=10 --level=5 --risk=3
207. python sqlmap.py -u http://10.0.0.59 --forms --batch --crawl=10 --level=5 --risk=3
208. python sqlmap.py -u http://10.0.0.85 --forms --batch --crawl=10 --level=5 --risk=3
209. python sqlmap.py -u http://10.0.0.94 --forms --batch --crawl=10 --level=5 --risk=3
210. python sqlmap.py -u http://10.0.0.120 --forms --batch --crawl=10 --level=5 --risk=3
211. python sqlmap.py -u http://10.0.0.121 --forms --batch --crawl=10 --level=5 --risk=3