joemccray

NetworkScan Script for CyberWar Class

Jul 26th, 2017
#!/bin/bash
#
# Host-discovery sweep of the 172.31.6.0/24 lab range, followed by per-host
# nmap NSE enumeration of every service found. All output goes under
# /tmp/customerAudit/internal/scan/: one "<service>_hosts" list per probed port
# under services/, then one nmap report per host under the matching service
# directory.
#
# External requirements: "propecia" (a class-C TCP port scanner; assumed here to
# take "<first three octets> <port>" and print one responding IP per line —
# confirm against the binary actually installed) and "nmap", both on $PATH.
# Must run as root: enforced below, and the "nmap -O" calls further down need it.
#
# No "set -e" / "set -u" / "set -o pipefail": a failing propecia or nmap run
# does not stop the script, and unset variables expand to "" (see the
# $MSSQL_COUNTER / $ORA_COUNTER / $MY_COUNTER lines).
#
# Script made during the CyberWar class for the students to play with, debug, and improve.
# Take a look at the following websites for ideas:
# https://github.com/commonexploits/port-scan-automation
# https://www.commonexploits.com/penetration-testing-scripts/
# https://github.com/averagesecurityguy/scripts
#



#############################################
# Check to see if script is running as root #
#############################################
if [ "$EUID" -ne 0 ]
then echo "Please run as root"
# NOTE(review): a bare "exit" returns the status of the preceding echo (0), so
# a caller cannot distinguish this refusal from a successful run.
# TODO(student): exit with a non-zero status here.
exit
fi



########################
# Make the directories #
########################
# NOTE(review): a fixed, predictable path under /tmp is created while running
# as root. "mkdir -p" is silent when the tree already exists, so a directory
# (or symlink) pre-created by another local user would be reused, and every
# ">" / ">>" redirection below would then write through it with root
# privileges. Safer: mktemp -d, or a root-owned directory outside /tmp created
# with restrictive permissions.
# Also: the FTP loop below writes to .../scan/ftp/<host>, but no ftp/
# directory is created here, so each FTP report redirection fails.
mkdir -p /tmp/customerAudit/internal/scan/services/
mkdir -p /tmp/customerAudit/internal/scan/windows/
mkdir -p /tmp/customerAudit/internal/scan/sunrpc/
mkdir -p /tmp/customerAudit/internal/scan/telnet/
mkdir -p /tmp/customerAudit/internal/scan/printers/
mkdir -p /tmp/customerAudit/internal/scan/mssql_databases/
mkdir -p /tmp/customerAudit/internal/scan/oracle_databases/
mkdir -p /tmp/customerAudit/internal/scan/mysql_databases/




######################
# Find Windows Hosts #
######################
# Each discovery phase follows the same shape: sweep the /24 for one TCP port,
# append the responding hosts to a list under services/, then "clear" the
# terminal before printing the next status line. ">>" appends, so re-running
# the script accumulates duplicate host entries, and the nmap loops further
# down then scan those hosts more than once.
echo "Scanning for windows hosts."
propecia 172.31.6 445 >> /tmp/customerAudit/internal/scan/services/windows_hosts
clear
echo "Done scanning for windows hosts. FTP is next."


##################
# Find FTP Hosts #
##################
echo "Scanning for hosts running FTP."
propecia 172.31.6 21 >> /tmp/customerAudit/internal/scan/services/ftp_hosts
clear
echo "Done scanning for FTP hosts. SunRPC is next."


#####################
# Find SunRPC Hosts #
#####################
echo "Scanning for hosts running SunRPC."
propecia 172.31.6 111 >> /tmp/customerAudit/internal/scan/services/sunrpc_hosts
clear
echo "Done scanning for SunRPC hosts. Telnet is next."


#####################
# Find Telnet Hosts #
#####################
echo "Scanning for hosts running Telnet"
propecia 172.31.6 23 >> /tmp/customerAudit/internal/scan/services/telnet_hosts
clear
echo "Done scanning for Telnet hosts. Printers are next."


#################
# Find Printers #
#################
# Port 9100 (raw/JetDirect printing).
echo "Scanning for Printers and Print Servers"
propecia 172.31.6 9100 >> /tmp/customerAudit/internal/scan/services/printserver_hosts
clear
echo "Done scanning for Printers. Databases are next."


##################
# Find Databases #
##################
# NOTE(review): $MSSQL_COUNTER, $ORA_COUNTER and $MY_COUNTER are never assigned
# anywhere in this script. Unless the caller exports them they expand to "",
# so these three sweeps target the same 172.31.6 prefix as the phases above;
# if they are set, the prefix becomes "172.31.6<value>" with no separating
# dot. They look like leftovers from an earlier loop — TODO(student): define
# them or drop them.
echo "Scanning for hosts running MS SQL Server"
propecia 172.31.6$MSSQL_COUNTER 1433 >> /tmp/customerAudit/internal/scan/services/mssql_hosts
clear

echo "Scanning for hosts running Oracle"
propecia 172.31.6$ORA_COUNTER 1521 >> /tmp/customerAudit/internal/scan/services/oracle_hosts
clear


echo "Scanning for hosts running MySQL"
propecia 172.31.6$MY_COUNTER 3306 >> /tmp/customerAudit/internal/scan/services/mysql_hosts
clear
echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."


###############################
# Ok, let's do the NMAP files #
###############################
# Each loop reads one host list produced above and writes one nmap report per
# host, named after the host. Notes that apply to every loop in this section:
#  - `cat` in backticks with an unquoted $x word-splits the file on
#    whitespace. That works for bare IPs, but the idiomatic form is
#    `while IFS= read -r x; do ...; done < file`.
#  - if a list file is missing (its propecia run failed), cat prints an error
#    and the loop runs zero times; nothing records the gap.
#  - -Pn skips host discovery, -n skips reverse DNS, --open prints only open
#    ports, -p restricts the scan to the port found during discovery.

# Windows
for x in `cat /tmp/customerAudit/internal/scan/services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/customerAudit/internal/scan/windows/$x ; done
echo "Done with Windows."


# FTP
# NOTE(review): .../scan/ftp/ is not among the directories created at the top,
# so this redirection fails for every host until that mkdir is added.
for x in `cat /tmp/customerAudit/internal/scan/services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/customerAudit/internal/scan/ftp/$x ; done
echo "Done with FTP."


# SUNRPC
for x in `cat /tmp/customerAudit/internal/scan/services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/customerAudit/internal/scan/sunrpc/$x ; done
echo "Done with SunRPC."


# Telnet
# Unlike the loops above, this and the printer loop run a version scan (-sV)
# plus OS detection (-O) over nmap's default port set — no -p, -Pn or --open —
# so they are considerably slower and noisier per host.
for x in `cat /tmp/customerAudit/internal/scan/services/telnet_hosts` ; do nmap -sV -O $x > /tmp/customerAudit/internal/scan/telnet/$x ; done
echo "Done with Telnet."


# Printers
for x in `cat /tmp/customerAudit/internal/scan/services/printserver_hosts` ; do nmap -sV -O $x > /tmp/customerAudit/internal/scan/printers/$x ; done
echo "Done with printers."


# SQL Servers
# NOTE(review): the command name is missing at the start of this loop body.
# bash tries to execute "-Pn" itself, prints "command not found" once per
# host, and leaves an empty file per host in mssql_databases/. Compare with
# the other loops in this section. TODO(student): fix.
for x in `cat /tmp/customerAudit/internal/scan/services/mssql_hosts` ; do -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/customerAudit/internal/scan/mssql_databases/$x ; done
echo "Done with MS SQL."


# Oracle Servers
# oracle-enum-users needs the SID and a user list. "orausers.txt" is a relative
# path, so it must be resolvable from wherever nmap looks for script data files
# at run time — confirm for the installed nmap. This loop and the MySQL one use
# ">>" (append) where the earlier loops use ">", so re-runs grow these reports.
for x in `cat /tmp/customerAudit/internal/scan/services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/customerAudit/internal/scan/oracle_databases/$x ; done
echo "Done with Oracle."


# MySQL Servers
for x in `cat /tmp/customerAudit/internal/scan/services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/customerAudit/internal/scan/mysql_databases/$x ; done
echo "Done with MySQL."
echo " "
echo " "
echo "Done, now check your results."




###########################
## Nmap NSE tricks to try #
###########################
# All of these are commented out and are not run by the script. The last one
# selects the exploit/intrusive/fuzzer/malware categories and passes unsafe=1,
# which enables script paths that can crash or modify the target service, and
# it repeats --script-args twice — scope and order these deliberately before
# enabling it.
#nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 172.31.6.0/24

#nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 172.31.6.0/24

#nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 172.31.6.0/24

#nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 172.31.6.0/24

#nmap -Pn -n --open -p6000-6005 --script=x11-access 172.31.6.0/24

#nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 172.31.6.0/24

#nmap -sV -oA nse --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" 172.31.6.0/24