joemccray

New Scan Script

Dec 21st, 2017
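#!/bin/bash

# Script made during the CyberWar class for the students to play with, debug, and improve.
# Take a look at the following websites for ideas:
# https://github.com/commonexploits/port-scan-automation
# https://www.commonexploits.com/penetration-testing-scripts/
# https://github.com/averagesecurityguy/scripts
# https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py

# Some thoughts of things to add to this script:
# Shodan queries (API key)
# AWS scanning (need credentials)
# Jenkins scanning
# Active Directory enumeration
# Github scanning (API key required)
# Blockchain platforms

# Usage: run as root. Optional environment overrides:
#   AUDIT_DIR       where results go (default /tmp/NetworkAudit, as before)
#   TARGET_NET      network prefix handed to propecia (default 172.31.2, as before)
#   PROPECIA_SHA256 if set, the downloaded propecia.c must match this digest

set -euo pipefail

#############################################
# Configuration                              #
#############################################
# NOTE: /tmp is world-writable and this script runs as root, removes the whole
# tree and recreates it on every run. On a shared host point AUDIT_DIR at a
# root-owned directory instead of relying on the default.
AUDIT_DIR="${AUDIT_DIR:-/tmp/NetworkAudit}"
DISCOVERED_DIR="${AUDIT_DIR}/discovered_services"
SCAN_DIR="${AUDIT_DIR}/scan"
# Network prefix passed to propecia exactly as the original hard-coded value was.
TARGET_NET="${TARGET_NET:-172.31.2}"
PROPECIA_BIN="/bin/propecia"
PROPECIA_URL="https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c"
readonly AUDIT_DIR DISCOVERED_DIR SCAN_DIR TARGET_NET PROPECIA_BIN PROPECIA_URL

#######################################
# Print an error to stderr and exit 1. #
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

############################################################
# Clear the terminal; `clear` fails without a TERM (cron,  #
# CI) and that must not abort the run under set -e.        #
############################################################
clear_screen() {
  clear 2>/dev/null || true
}

#############################################
# Check to see if script is running as root #
#############################################
if [[ "$EUID" -ne 0 ]]; then
  die "Please run as root"
fi

####################################
# Check to see if gcc is installed #
####################################
if command -v gcc >/dev/null 2>&1; then
  printf 'gcc is installed.\n'
else
  printf 'gcc not found.\nInstalling gcc\n'
  apt-get install -y gcc || die "failed to install gcc"
fi
clear_screen

########################
# Make the directories #
########################
# Results of the previous run are discarded, as before. The :? guard makes
# sure an empty AUDIT_DIR can never turn this into "rm -rf /".
# /tmp/customerAudit is a leftover from an earlier layout; removed for parity.
rm -rf -- /tmp/customerAudit "${AUDIT_DIR:?}"
mkdir -p -- "$DISCOVERED_DIR"
for svc in windows sunrpc ssh ftp http telnet pop3 printers \
           mssql_databases oracle_databases mysql_databases mongodb_databases; do
  mkdir -p -- "${SCAN_DIR}/${svc}"
done

#####################
# Download propecia #
#####################
if [[ -x "$PROPECIA_BIN" ]]; then
  printf '%s is installed.\n' "$PROPECIA_BIN"
else
  printf '%s not found.\nInstalling propecia\n' "$PROPECIA_BIN"
  build_dir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$build_dir"' EXIT
  # The source is compiled and installed as root, so it is fetched over
  # verified TLS (the old --no-check-certificate accepted any certificate).
  # Pin a reviewed copy by exporting PROPECIA_SHA256 before running.
  wget -q -O "${build_dir}/propecia.c" -- "$PROPECIA_URL" \
    || die "download of propecia.c failed"
  if [[ -n "${PROPECIA_SHA256:-}" ]]; then
    printf '%s  %s\n' "$PROPECIA_SHA256" "${build_dir}/propecia.c" \
      | sha256sum -c --quiet - \
      || die "propecia.c does not match PROPECIA_SHA256"
  fi
  gcc "${build_dir}/propecia.c" -o "${build_dir}/propecia" \
    || die "compiling propecia failed"
  install -m 0755 -- "${build_dir}/propecia" "$PROPECIA_BIN" \
    || die "installing propecia failed"
fi
clear_screen

#######################################
# Host discovery                       #
#######################################
# discover LABEL PORT OUTFILE
#   Runs propecia against TARGET_NET on PORT and stores its output in
#   DISCOVERED_DIR/OUTFILE. A non-zero exit from propecia is reported on
#   stderr but does not stop the remaining probes (the original ignored the
#   exit status entirely).
discover() {
  local label=$1 port=$2
  local outfile="${DISCOVERED_DIR}/$3"
  printf 'Scanning for hosts running %s (port %s).\n' "$label" "$port"
  if ! propecia "$TARGET_NET" "$port" > "$outfile"; then
    printf 'warning: propecia exited non-zero while probing port %s\n' "$port" >&2
  fi
  clear_screen
  printf 'Done scanning for %s hosts.\n' "$label"
}

discover "Windows" 445 windows_hosts
discover "FTP" 21 ftp_hosts
discover "SSH" 22 ssh_hosts
discover "POP3" 110 pop3_hosts
discover "SunRPC" 111 sunrpc_hosts
discover "Telnet" 23 telnet_hosts
discover "HTTP" 80 http_hosts
discover "HTTPS" 443 https_hosts
discover "MS SQL Server" 1433 mssql_hosts
discover "Oracle" 1521 oracle_hosts
discover "Postgres" 5432 postgres_hosts
discover "MongoDB" 27017 mongodb_hosts
discover "MySQL" 3306 mysql_hosts
printf '%s\n' "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."

###############################
# Ok, let's do the NMAP files #
###############################
# scan_hosts LABEL SUBDIR INFILE PORT SCRIPTS
#   Runs nmap on PORT with the given NSE script list against every host in
#   DISCOVERED_DIR/INFILE and writes one report per host to SCAN_DIR/SUBDIR.
#   Only well-formed dotted-quad tokens are accepted, so a stray line in the
#   discovery file can never become a path component of the report name
#   (the original used every whitespace-separated token as a filename).
#   propecia's output format is not documented here — presumably one
#   responding IP per line; extracting IPv4 tokens works for either layout.
scan_hosts() {
  local label=$1 subdir=$2 port=$4 scripts=$5
  local infile="${DISCOVERED_DIR}/$3"
  local -a hosts=()
  local host
  clear_screen
  mapfile -t hosts < <(grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' -- "$infile" | sort -u)
  if (( ${#hosts[@]} == 0 )); then
    printf 'No %s hosts discovered; nothing to scan.\n' "$label"
    return 0
  fi
  for host in "${hosts[@]}"; do
    nmap -Pn -n --open -p"$port" --script="$scripts" "$host" \
      > "${SCAN_DIR}/${subdir}/${host}" \
      || printf 'warning: nmap failed against %s\n' "$host" >&2
  done
  printf 'Done with %s.\n' "$label"
}

scan_hosts "Windows" windows windows_hosts 445 \
  'msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect'
scan_hosts "FTP" ftp ftp_hosts 21 \
  'banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor'
scan_hosts "SSH" ssh ssh_hosts 22 \
  'sshv1,ssh2-enum-algos'
scan_hosts "SunRPC" sunrpc sunrpc_hosts 111 \
  'nfs-ls,nfs-showmount,nfs-statfs,rpcinfo'
# The ssl* entry is an NSE wildcard; it is quoted so the shell never globs it.
scan_hosts "POP3" pop3 pop3_hosts 110 \
  'banner,pop3-capabilities,pop3-ntlm-info,ssl*,tls-nextprotoneg'

# TODO: HTTP and HTTPS (http_hosts / https_hosts, results under scan/http).
# The NSE script selection is still to be decided; see the NmapScannerAsync.py
# reference in the header. The earlier draft command line is left out until
# its script list has been reviewed.

# The original line was missing the `nmap` command itself, so this scan never ran.
scan_hosts "MS SQL" mssql_databases mssql_hosts 1433 \
  'ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info'

# TODO: Oracle (oracle_hosts, port 1521, results under scan/oracle_databases).
# The earlier draft depends on a SID/user wordlist (orausers.txt) that is not
# shipped with the script, so it stays disabled until one is in place.

scan_hosts "MongoDB" mongodb_databases mongodb_hosts 27017 \
  'mongodb-databases,mongodb-info'
scan_hosts "MySQL" mysql_databases mysql_hosts 3306 \
  'mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables'

# TODO: add postgres nse scripts (postgres_hosts, port 5432)
# References:
# https://nmap.org/nsedoc/lib/pgsql.html
# https://nmap.org/nsedoc/scripts/pgsql-brute.html

printf '\n\n'
sleep 1
clear_screen
printf 'Done, now check your results.\n'
sleep 2
clear_screen
ls -- "$SCAN_DIR"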