Advertisement
joemccray

UPT: Improve This

Dec 30th, 2016
684
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.06 KB | None | 0 0
  1. #!/bin/bash
  2.  
  3.  
  4. # Task 1: Fix directory creation so that all new files/folders can be successfully created
  5. # Task 2: Add new service identification checks to the Host Identification Section of the script
  6. # Task 3: Add updated/verbose nmap scans to the Service Fingerprinting Section with the correct folder structure for nmap output
  7. # Task 4: Ensure that the Web App Testing Section commands output to the correct folder structure so that it is TOGETHER with the other output
  8.  
  9.  
  10. #Make the directories
  11. mkdir -p /tmp/customerAudit/internal/scan/services/
  12. mkdir -p /tmp/customerAudit/internal/scan/windows/
  13. mkdir -p /tmp/customerAudit/internal/scan/sunrpc/
  14. mkdir -p /tmp/customerAudit/internal/scan/telnet/
  15. mkdir -p /tmp/customerAudit/internal/scan/printers/
  16. mkdir -p /tmp/customerAudit/internal/scan/mssql_databases/
  17. mkdir -p /tmp/customerAudit/internal/scan/oracle_databases/
  18. mkdir -p /tmp/customerAudit/internal/scan/mysql_databases/
  19.  
  20.  
  21.  
  22.  
  23. ############################# Host Identification Section of the script #############################
  24.  
  25.  
  26.  
  27.  
  28. ######################
  29. # Find Windows Hosts #
  30. ######################
  31. echo "Scanning for windows hosts."
  32.  
  33. propecia 10.0.0 445 >> /tmp/customerAudit/internal/scan/services/windows_hosts
  34.  
  35. echo "Done scanning for windows hosts. SSH is next."
  36.  
  37.  
  38. ##########################
  39. # Find hosts running SSH #
  40. ##########################
  41. echo "Scanning for windows hosts."
  42.  
  43. propecia 10.0.0 22 >> /tmp/customerAudit/internal/scan/services/ssh_hosts
  44.  
  45. echo "Done scanning for windows hosts. FTP is next."
  46.  
  47. ##########################
  48. # Find hosts running FTP #
  49. ##########################
  50. echo "Scanning for windows hosts."
  51.  
  52. propecia 10.0.0 21 >> /tmp/customerAudit/internal/scan/services/ftp_hosts
  53. echo "Done scanning for FTP hosts. SunRPC is next."
  54.  
  55.  
  56. #############################
  57. # Find hosts running SunRPC #
  58. #############################
  59. echo "Scanning for windows hosts."
  60.  
  61. propecia 10.0.0 111 >> /tmp/customerAudit/internal/scan/services/sunrpc_hosts
  62. echo "Done scanning for SunRPC hosts. Telnet is next."
  63.  
  64.  
  65. #############################
  66. # Find hosts running Telnet #
  67. #############################
  68. echo "Scanning for windows hosts."
  69.  
  70. propecia 10.0.0 23 >> /tmp/customerAudit/internal/scan/services/telnet_hosts
  71. echo "Done scanning for Telnet hosts. Printers are next."
  72.  
  73.  
  74. ######################
  75. # Find Print Servers #
  76. ######################
  77. echo "Scanning for windows hosts."
  78.  
  79. propecia 10.0.0 9100 >> /tmp/customerAudit/internal/scan/services/print_servers
  80. echo "Done scanning for Printers. Databases are next."
  81.  
  82.  
  83. ##################
  84. # Find Databases #
  85. ##################
  86. echo "Scanning for MS SQL Servers"
  87. propecia 10.0.0 1433 >> /tmp/customerAudit/internal/scan/services/mssql_hosts
  88. echo "Done scanning for MS-SQL. Oracle is next."
  89.  
  90.  
  91. echo "Scanning for Oracle Servers"
  92. propecia 10.0.0 1521 >> /tmp/customerAudit/internal/scan/services/oracle_hosts
  93. echo "Done scanning for Oracle. MySQL is next."
  94.  
  95. echo "Scanning for MySQL Servers"
  96. propecia 10.0.0 3306 >> /tmp/customerAudit/internal/scan/services/mysql_hosts
  97. echo "Done scanning for MySQL. MySQL is next."
  98.  
  99.  
  100. echo "Scanning for Postgres Servers"
  101. propecia 10.0.0 5432 >> /tmp/customerAudit/internal/scan/services/postgres_hosts
  102. echo "Done scanning for Postgres. MongoDB is next."
  103.  
  104. echo "Scanning for MongoDB Servers"
  105. propecia 10.0.0 27017 >> /tmp/customerAudit/internal/scan/services/mongodb_hosts
  106. echo "Done scanning for MongoDB."
  107.  
  108. clear
  109.  
  110.  
  111. echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."
  112. sleep 5
  113.  
  114.  
  115.  
  116.  
  117.  
  118.  
  119.  
  120.  
  121.  
  122. ############################# Service Fingerprinting Section of the script #############################
  123.  
  124.  
  125.  
  126.  
  127.  
  128.  
  129.  
  130.  
  131.  
  132. ###############################
  133. # Ok, let's do the NMAP files #
  134. ###############################
  135.  
  136. # Windows
  137. for x in `cat /tmp/customerAudit/internal/scan/services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/customerAudit/internal/scan/windows/$x ; done
  138. echo "Done with Windows."
  139.  
  140. # SSH
  141. for x in `cat /tmp/customerAudit/internal/scan/services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algo $x > /tmp/customerAudit/internal/scan/windows/$x ; done
  142. echo "Done with SSH."
  143.  
  144. # FTP
  145. for x in `cat /tmp/customerAudit/internal/scan/services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/customerAudit/internal/scan/ftp/$x ; done
  146. echo "Done with FTP."
  147.  
  148. # SUNRPC
  149. for x in `cat /tmp/customerAudit/internal/scan/services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/customerAudit/internal/scan/sunrpc/$x ; done
  150. echo "Done with SunRPC."
  151.  
  152. # Telnet
  153. for x in `cat /tmp/customerAudit/internal/scan/services/telnet_hosts` ; do nmap -sV -O $x > /tmp/customerAudit/internal/scan/telnet/$x ; done
  154. echo "Done with Telnet."
  155.  
  156. # Printers
  157. for x in `cat /tmp/customerAudit/internal/scan/services/printserver_hosts` ; do nmap -sV -O $x > /tmp/customerAudit/internal/scan/printers/$x ; done
  158. echo "Done with printers."
  159.  
  160. # SQL Servers
  161. for x in `cat /tmp/customerAudit/internal/scan/services/mssql_hosts` ; do nmap -sV -O $x > /tmp/customerAudit/internal/scan/mssql_databases/$x ; done
  162. echo "Done with MS SQL."
  163.  
  164. # Oracle Servers
  165. for x in `cat /tmp/customerAudit/internal/scan/services/oracle_hosts` ; do nmap -sV -O $x >> /tmp/customerAudit/internal/scan/oracle_databases/$x ; done
  166. echo "Done with Oracle."
  167.  
  168. # MySQL Servers
  169. for x in `cat /tmp/customerAudit/internal/scan/services/mysql_hosts` ; do nmap -sV -O $x >> /tmp/customerAudit/internal/scan/mysql_databases/$x ; done
  170. echo "Done with MySQL."
  171. echo " "
  172. echo " "
  173. echo "Done, now check your results."
  174.  
  175.  
  176.  
  177.  
  178.  
  179.  
  180.  
  181.  
  182.  
  183. ############################# Web App Testing Section of the script #############################
  184.  
  185.  
  186.  
  187.  
  188.  
  189.  
  190.  
  191. ############################################
  192. # Screenshot the webservers in the network #
  193. ############################################
  194. nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/strategicsec/labnet-ip-list.txt
  195. cd ~/toolz/labscreenshots/
  196. sh screenshots.sh
  197.  
  198.  
  199.  
  200. #####################################
  201. # Run SQLmap against the webservers #
  202. #####################################
  203. cd /home/strategicsec/toolz/sqlmap-dev/
  204.  
  205. python sqlmap.py -u http://10.0.0.9 --forms --batch --crawl=10 --level=5 --risk=3
  206. python sqlmap.py -u http://10.0.0.63 --forms --batch --crawl=10 --level=5 --risk=3
  207. python sqlmap.py -u http://10.0.0.59 --forms --batch --crawl=10 --level=5 --risk=3
  208. python sqlmap.py -u http://10.0.0.85 --forms --batch --crawl=10 --level=5 --risk=3
  209. python sqlmap.py -u http://10.0.0.94 --forms --batch --crawl=10 --level=5 --risk=3
  210. python sqlmap.py -u http://10.0.0.120 --forms --batch --crawl=10 --level=5 --risk=3
  211. python sqlmap.py -u http://10.0.0.121 --forms --batch --crawl=10 --level=5 --risk=3
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement