Advertisement
joemccray

New Scan Script

Dec 21st, 2017
2,381
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.92 KB | None | 0 0
  1. #!/bin/bash
  2.  
  3. # Script made during the CyberWar class for the students to play with, debug, and improve.
  4. # Take a look at the following websites for ideas:
  5. # https://github.com/commonexploits/port-scan-automation
  6. # https://www.commonexploits.com/penetration-testing-scripts/
  7. # https://github.com/averagesecurityguy/scripts
  8. # https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
  9.  
  10.  
  11.  
  12. # Some thoughts of things to add to this script:
  13. # Shodan queries (API key)
  14. # AWS scanning (need credentials)
  15. # Jenkins scanning
  16. # Active Directory enumeration
  17. # Github scanning (API key required)
  18. # Blockchain platforms
  19.  
  20.  
  21.  
  22.  
  23.  
  24.  
  25.  
  26. #############################################
  27. # Check to see if script is running as root #
  28. #############################################
  29. if [ "$EUID" -ne 0 ]
  30. then echo "Please run as root"
  31. exit
  32. fi
  33.  
  34.  
  35. ####################################
  36. # Check to see if gcc is installed #
  37. ####################################
  38. file1="/usr/bin/gcc"
  39. if [ -f "$file1" ]
  40. then
  41. echo "$file is installed."
  42. clear
  43. else
  44. echo "$file not found."
  45. echo Installing gcc
  46. apt-get install -y gcc
  47. clear
  48. fi
  49.  
  50. ########################
  51. # Make the directories #
  52. ########################
  53. cd /tmp
  54. rm -rf customerAudit/
  55. rm -rf NetworkAudit/
  56. mkdir -p /tmp/NetworkAudit/discovered_services/
  57. mkdir -p /tmp/NetworkAudit/scan/windows/
  58. mkdir -p /tmp/NetworkAudit/scan/sunrpc/
  59. mkdir -p /tmp/NetworkAudit/scan/ssh/
  60. mkdir -p /tmp/NetworkAudit/scan/ftp/
  61. mkdir -p /tmp/NetworkAudit/scan/http/
  62. mkdir -p /tmp/NetworkAudit/scan/telnet/
  63. mkdir -p /tmp/NetworkAudit/scan/pop3/
  64. mkdir -p /tmp/NetworkAudit/scan/printers/
  65. mkdir -p /tmp/NetworkAudit/scan/mssql_databases/
  66. mkdir -p /tmp/NetworkAudit/scan/oracle_databases/
  67. mkdir -p /tmp/NetworkAudit/scan/mysql_databases/
  68. mkdir -p /tmp/NetworkAudit/scan/mongodb_databases/
  69.  
  70.  
  71. #####################
  72. # Download propecia #
  73. #####################
  74. file2="/bin/propecia"
  75. if [ -f "$file2" ]
  76. then
  77. echo "$file is installed."
  78. clear
  79. else
  80. echo "$file not found."
  81. echo Installing propecia
  82. cd /tmp
  83. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  84. gcc propecia.c -o propecia
  85. cp propecia /bin
  86. fi
  87.  
  88. ######################
  89. # Find Windows Hosts #
  90. ######################
  91. clear
  92. echo "Scanning for windows hosts."
  93. propecia 172.31.2 445 >> /tmp/NetworkAudit/discovered_services/windows_hosts
  94. clear
  95. echo "Done scanning for windows hosts. FTP is next."
  96.  
  97.  
  98. ##################
  99. # Find FTP Hosts #
  100. ##################
  101. echo "Scanning for hosts running FTP."
  102. propecia 172.31.2 21 >> /tmp/NetworkAudit/discovered_services/ftp_hosts
  103. clear
  104. echo "Done scanning for FTP hosts. SSH is next."
  105.  
  106. ##################
  107. # Find SSH Hosts #
  108. ##################
  109. echo "Scanning for hosts running SSH."
  110. propecia 172.31.2 22 >> /tmp/NetworkAudit/discovered_services/ssh_hosts
  111. clear
  112. echo "Done scanning for SSH hosts. POP3 is next."
  113.  
  114.  
  115. ###################
  116. # Find POP3 Hosts #
  117. ###################
  118. echo "Scanning for hosts running POP3."
  119. propecia 172.31.2 110 >> /tmp/NetworkAudit/discovered_services/pop3_hosts
  120. clear
  121. echo "Done scanning for POP3 hosts. SunRPC is next."
  122.  
  123.  
  124. #####################
  125. # Find SunRPC Hosts #
  126. #####################
  127. echo "Scanning for hosts running SunRPC."
  128. propecia 172.31.2 111 >> /tmp/NetworkAudit/discovered_services/sunrpc_hosts
  129. clear
  130. echo "Done scanning for SunRPC hosts. Telnet is next."
  131.  
  132.  
  133. #####################
  134. # Find Telnet Hosts #
  135. #####################
  136. echo "Scanning for hosts running Telnet."
  137. propecia 172.31.2 23 >> /tmp/NetworkAudit/discovered_services/telnet_hosts
  138. clear
  139. echo "Done scanning for Telnet hosts. HTTP is next."
  140.  
  141.  
  142. ###################
  143. # Find HTTP Hosts #
  144. ###################
  145. echo "Scanning for hosts running HTTP"
  146. propecia 172.31.2 80 >> /tmp/NetworkAudit/discovered_services/http_hosts
  147. clear
  148. echo "Done scanning for HTTP hosts. HTTPS hosts are next."
  149.  
  150.  
  151. ###################
  152. # Find HTTPS Hosts #
  153. ###################
  154. echo "Scanning for hosts running HTTP"
  155. propecia 172.31.2 443 >> /tmp/NetworkAudit/discovered_services/https_hosts
  156. clear
  157. echo "Done scanning for HTTPS hosts. Databases are next."
  158.  
  159.  
  160. ##################
  161. # Find Databases #
  162. ##################
  163. echo "Scanning for hosts running MS SQL Server"
  164. propecia 172.31.2 1433 >> /tmp/NetworkAudit/discovered_services/mssql_hosts
  165. clear
  166.  
  167. echo "Scanning for hosts running Oracle"
  168. propecia 172.31.2 1521 >> /tmp/NetworkAudit/discovered_services/oracle_hosts
  169. clear
  170.  
  171. echo "Scanning for hosts running Postgres"
  172. propecia 172.31.2 5432 >> /tmp/NetworkAudit/discovered_services/postgres_hosts
  173. clear
  174.  
  175. echo "Scanning for hosts running MongoDB"
  176. propecia 172.31.2 27017 >> /tmp/NetworkAudit/discovered_services/mongodb_hosts
  177. clear
  178.  
  179. echo "Scanning for hosts running MySQL"
  180. propecia 172.31.2 3306 >> /tmp/NetworkAudit/discovered_services/mysql_hosts
  181. clear
  182. echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."
  183.  
  184.  
  185. ###############################
  186. # Ok, let's do the NMAP files #
  187. ###############################
  188. clear
  189. # Windows
  190. for x in `cat /tmp/NetworkAudit/discovered_services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/NetworkAudit/scan/windows/$x ; done
  191. echo "Done with Windows."
  192.  
  193. clear
  194. # FTP
  195. for x in `cat /tmp/NetworkAudit/discovered_services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/NetworkAudit/scan/ftp/$x ; done
  196. echo "Done with FTP."
  197.  
  198. clear
  199. # SSH
  200. for x in `cat /tmp/NetworkAudit/discovered_services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos $x > /tmp/NetworkAudit/scan/ssh/$x ; done
  201. echo "Done with SSH."
  202.  
  203. clear
  204. # SUNRPC
  205. for x in `cat /tmp/NetworkAudit/discovered_services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/NetworkAudit/scan/sunrpc/$x ; done
  206. echo "Done with SunRPC."
  207.  
  208. clear
  209. # POP3
  210. for x in `cat /tmp/NetworkAudit/discovered_services/pop3_hosts` ; do nmap -Pn -n --open -p110 --script=banner,pop3-capabilities,pop3-ntlm-info,ssl*,tls-nextprotoneg $x > /tmp/NetworkAudit/scan/pop3/$x ; done
  211. echo "Done with POP3."
  212.  
  213. # clear
  214. # HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
  215. # as a good reference for what nmap nse scripts to run against port 80 and 443
  216. # for x in `cat /tmp/NetworkAudit/discovered_services/http_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
  217. # echo "Done with HTTP."
  218.  
  219.  
  220. # clear
  221. # HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
  222. # as a good reference for what nmap nse scripts to run against port 80 and 443
  223. # for x in `cat /tmp/NetworkAudit/discovered_services/https_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
  224. # echo "Done with HTTP."
  225.  
  226.  
  227. clear
  228. # SQL Servers
  229. for x in `cat /tmp/NetworkAudit/discovered_services/mssql_hosts` ; do -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/NetworkAudit/scan/mssql_databases/$x ; done
  230. echo "Done with MS SQL."
  231.  
  232. clear
  233. # Oracle Servers
  234. # FIX THIS: needs brute force wordlists for this to run correctly
  235. # for x in `cat /tmp/NetworkAudit/discovered_services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/NetworkAudit/scan/oracle_databases/$x ; done
  236. # echo "Done with Oracle."
  237.  
  238. clear
  239. # MongoDB
  240. for x in `cat /tmp/NetworkAudit/discovered_services/mongodb_hosts` ; do nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info $x > /tmp/NetworkAudit/scan/mongodb_databases/$x ; done
  241. echo "Done with MongoDB."
  242.  
  243.  
  244. clear
  245. # MySQL Servers
  246. for x in `cat /tmp/NetworkAudit/discovered_services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/NetworkAudit/scan/mysql_databases/$x ; done
  247. echo "Done with MySQL."
  248.  
  249.  
  250. # Add postgres nse scripts
  251. # References:
  252. # https://nmap.org/nsedoc/lib/pgsql.html
  253. # https://nmap.org/nsedoc/scripts/pgsql-brute.html
  254. #
  255.  
  256. echo " "
  257. echo " "
  258. sleep 1
  259. clear
  260. echo "Done, now check your results."
  261. sleep 2
  262. clear
  263. cd /tmp/NetworkAudit/scan/
  264. ls
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement