This is a set of scripts for network pentesting. This repository also contains scripts that can be used for attacks, but should only be used for ethical hacking.
Network scanners such as Nessus and GVM (OpenVAS) are very useful for pentests, but they are very time consuming. If you want to scan an entire huge company network, it will take several days. That's why these scripts were developed to make pentesting more efficient.
There are many scripts that specify the target in a txt file. The txt file specifying the target will be in the following format:
192.168.100.0/24
172.16.0.0/12
The txt file specifying the exclude ip will be in the following format:
192.168.100.8 192.168.100.15
These scripts will do a port scan using nmap and save the results as xml.
The results are saved in XML format in the file ./results/yyyymmdd/127.0.0.1_syn_ping_yyyymmdd_hhmmss.xml.
./results/ is listed in gitginore.
This script requires administrative privileges to use SYN scan. It scan all TCP ports without checking whether the host exists by pinging.
$ sudo ./portscan-tcp-all.sh -T<1-5> <target-hosts-list.txt> <exclude-hosts-list.txt>
Log format: ./results/<today>/<ip_range>_<now>.xml
This script requires administrative privileges to use SYN scan. It scan nmap top 1000 ports with checking whether the host exists by pinging.
$ sudo ./portscan-tcp-rapid.sh -T<1-5> <target-hosts-list.txt> <exclude-hosts-list.txt>
Log format: ./results/<today>/<ip_range>_<now>.xml
This script requires administrative privileges to use UDP scan.
$ sudo ./portscan-udp.sh <target-hosts-list.txt> <exclude-hosts-list.txt>
Log format: ./results/<today>/<ip_range>_udp_<now>.xml
These scripts find a server that can be used as a starting point for an attack. It save the result in the xml format output by nmap.
$ ./find-db.sh <target-hosts-list.txt>
- Log format:
./results/<today>/<ip_range>_postgres_<now>.xml./results/<today>/<ip_range>_redis_<now>.xml./results/<today>/<ip_range>_mysql_<now>.xml
$ ./find-smb.sh <target-hosts-list.txt>
Log format: ./results/<today>/<ip_range>_smb_<now>.xml
$ ./find-web.sh <target-hosts-list.txt>
Log format: ./results/<today>/<ip_range>_web_<now>.xml
Because SNMP is UDP, it requires administrative privileges.
$ sudo ./find-snmp.sh <target-hosts-list.txt>
Log format: ./results/<today>/<ip_range>_snmp_<now>.xml
These scripts use nmap to perform brute-force attacks against DB, SMB, and SSH servers and attempt to log in.
It save the result in the xml format output by nmap.
The results are saved in XML format in the file ./results/yyyymmdd/127.0.0.1_noping_yyyymmdd_hhmmss.xml.
./results/ is listed in gitginore.
Just being able to break through the authentication and steal the data is a problem, but if you can log into the DB server, there are cases where you can bring it up to RCE.
$ ./bruteforce-mysql.sh <target-hosts-list.txt>
Log format: ./results/<today>/<ip_addr>_mysql_attack_<now>.xml
$ ./bruteforce-postgres.sh <target-hosts-list.txt>
Log format: ./results/<today>/<ip_addr>_postgres_attack_<now>.xml
$ ./bruteforce-redis.sh <target-hosts-list.txt>
Log format: ./results/<today>/<ip_addr>_redis_attack_<now>.xml
$ ./bruteforce-smb.sh <target-hosts-list.txt>
Log format: ./results/<today>/<ip_addr>_smb_attack_<now>.xml
$ ./bruteforce-ssh.sh <target-hosts-list.txt>
Log format: ./results/<today>/<ip_addr>_ssh_attack_<now>.xml
Because SNMP is UDP, it requires administrative privileges.
$ sudo ./bruteforce-snmp.sh <target-hosts-list.txt>
Log format: ./results/<today>/<ip_addr>_snmp_attack_<now>.xml
You can check the ports that nmap scans, which is useful for specifying the ports to be scanned in the nessus configuration.
$ sudo ./check-nmap-ports.sh -sT 1000
$ sudo ./check-nmap-ports.sh -sU 100
# Ports scanned: TCP(0;) UDP(100;7,9,17,19,49,53,67-69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,631,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5353,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024) SCTP(0;) PROTOCOLS(0;)
WARNING: No targets were specified, so 0 hosts scanned.
$ ./get-alive-ip.sh <target-ip-range>
This script return basic information about the SNMP server. Because SNMP is UDP, it requires administrative privileges.
$ sudo ./get-snmp-info.sh <target-ip>
$ ./nikto-multi.sh <target-hosts-list.txt>
Log format: ./results/<today>/nikto/<ip_addr>_nikto_<now>.xml
This script converts the xml output of nmap to csv so that it can be copied to Google spreadsheet.
Even if you do not specify the name of the output file, it will be output to portscan-result.csv by default.
./results/ and portscan-result.csv are listed in gitginore.
$ gem install ruby-nmap
$ ruby nmap-xml2csv.rb <nmap-output>.xml -o <output-file-name>.csv
$ ruby nmap-xml2csv.rb ./results/20201204/192.168.1.0_24_20201204_072122.xml
[+] parse these xml files:
./results/20201204/192.168.1.0_24_20201204_072122.xml
-----------------------------------------------------
192.168.1.1 53(domain), 80(http)
192.168.1.17 22(ssh)
-----------------------------------------------------
[+] Output: portscan-result.csv
MIT License
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent