If you started to read the blog from the beginning you will see that I failed hard. I ranted about scripting your enumeration. And now I release my own script pack. Well, that escalated quickly.
Some background:
At first I was quite happy to type my nmap & co commands by hand.
Unfortunately I had some problems making a useful folder structure.
Then each tool had a slightly different syntax for adding targets. One would need a single IP, the next one needed a range like 127.0.0.1/24, another one like 127.0.0.1-254.
So scanning got annoying quite fast. Do scan 1, then copy the IP, change the names for the scans, etc. etc.
Then somebody introduced me to Sparta, and a book introduced me to Magic Tree. Two nice tools, but they have some problems in the flexible scanning department. Let's have a look at the sparta.conf:
[StagedNmapSettings]
stage1-ports="T:80,443"
stage2-ports="T:25,135,137,139,445,1433,3306,5432,U:137,161,162,1434"
stage3-ports="T:23,21,22,110,111,2049,3389,8080,U:500,5060"
stage4-ports="T:0-20,24,26-79,81-109,112-134,136,138,140-442,444,446-1432,1434-2048,2050-3305,3307-3388,3390-5431,5433-8079,8081-29999"
stage5-ports=T:30000-65535
As you see, nmap has a little problem with port specification. It is hard to select stuff like --top-ports 1-10 and later 11-20 or so. And you can't select (by default) which stages of the staged nmap to run.
And you have no convenient way to get a port list for your documentation. And it is messy in the project folder.
So I started to build my custom scripts, first to make folders for each host. Then to generate an IP list for each tool with a different syntax. Then to find open ports.
Well, let's have a look into each script (aka the tutorial, version 08.05.2016)
All scripts are built for Kali Linux.
Script 00: the Kali VM sometimes has a drifting clock, so this one just makes sure that the clock works.
Script 0: well, just making sure that the /results folder is there. And building the most basic wordlist for onesixtyone.
Script 1: actually the main script of the tool. It manages the IP list. It is built for IPs in a company network, not domains.
(this is a breaking point, don't blame me if you run these scripts against the internet or www.google.com or so). It takes the arguments (nmap notation possible, so 127.0.0.1, 127.0.0.1-254 and 127.0.0.1/24 would be possible) and builds two lists. One of all possible targets > IP.txt. And one of all online IPs after an nmap ping scan > online-IP.txt
Script 2 builds a folder for each online host. And it scans for SNMP, HTTP, FTP and SMB on each machine.
Script 3 runs some NETBIOS recons against online targets. Actually it runs more of them than necessary, but I wanted every possible output for later.
Script 4 generates UDP161-IP.txt, HTTP-IP.txt, FTP-IP.txt, SMB-IP.txt to have a subset of targets for more specialized scans.
Script 5 runs different SNMP attacks. Again some of it is done twice, but I want to have more output before I have some weird awk stuff going on etc ...
Script 6 Nmap top 200 ports, UDP & TCP. A fast scan is 100 ports, a full scan is 1000 ports. I think 200 is a nice spot: double the fast scan and the top 20% of the "full" scan.
Script 7 Nikto against all potential webservers; this script could be better. Right now it is more or less a default nikto.
Script 8 Enum4Linux, again more or less default, just easier to run this way because of the syntax. So I have a nice file per host and not a HUGE file for the whole range.
Script 9 & 10 & 11 are nmap scans to get all ports of a target, one range at a time. Could make it more modular, because a huge scan with many ports against many targets will break. But then just use fewer IPs in Script 1. Running THESE SCRIPTS AGAINST THE INTERNET would be stupid. SCRIPT 11 WILL TAKE TIME.. A LOT ... REALLY
Script UU will try to get all unique usernames from the NETBIOS and SNMP scans. It will generate an alluser.txt. Could be useful.
Script XX tries to find all open and open|filtered ports from the nmap scans and puts them in different files. One just for UDP, one for TCP, one easy to copy into your documentation with one port per line, one to copy into nmap in their port format. There is no guarantee to find every port, but chances are that if you stay in the -oA ./results/<hostip><hostip>-nmap<scanname> format with further nmap scans you should be golden.
Script YY is a set of different levels of version recon and OS detection for nmap. It grabs the ports from script XX and then tries to figure out what is running. JUST REMEMBER: high version intensity might break some services, and it will also take longer. So start with the lower version intensity. If needed just copy these scripts with intensity up to 9 😉
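To show what the Script XX / Script YY hand-off looks like, here is an added example (my own illustration, not code from the URP repository): it pulls open and open|filtered ports out of the .gnmap files an -oA run leaves behind and emits both the one-port-per-line list for documentation and the T:/U: spec the next nmap -p needs. The scan output it parses is a constructed sample; the host 10.0.0.5 and the file name sample_file() writes are placeholders.

```shell
#!/bin/sh
# Added example (not from URP): extract ports from nmap -oA greppable output,
# the way Script XX is described, and build the -p spec Script YY would feed nmap.

# Constructed sample of one host line from a <hostip>-nmap<scanname>.gnmap file.
# Tabs separate the Host / Ports / Ignored State fields, as in real nmap output.
SAMPLE_GNMAP=$(printf '%s\t%s\t%s\n' \
  'Host: 10.0.0.5 ()' \
  'Ports: 22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd/, 443/closed/tcp//https///, 161/open|filtered/udp//snmp///, 162/closed/udp//snmptrap///' \
  'Ignored State: closed (198)')

# Write the constructed sample to a temp file so the functions below can take
# file arguments exactly like real ./results/<hostip>/*.gnmap files would.
sample_file() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_GNMAP" > "$f"
  printf '%s\n' "$f"
}

# open_ports <tcp|udp> file...  -> unique sorted ports, one per line.
# Each gnmap port entry is port/state/proto/owner/service/rpc/version/;
# keep "open" and "open|filtered" (UDP rarely gets a clean "open").
open_ports() {
  proto=$1; shift
  cat "$@" | tr '\t' '\n' | grep '^Ports: ' | sed 's/^Ports: //' | tr ',' '\n' |
    awk -F/ -v p="$proto" '($2 == "open" || $2 == "open|filtered") && $3 == p {
      gsub(/^ +/, "", $1); print $1 }' |
    sort -n -u
}

# nmap_port_spec file... -> "T:22,80,U:161", ready for nmap -p on the next scan.
nmap_port_spec() {
  t=$(open_ports tcp "$@" | paste -s -d ',' -)
  u=$(open_ports udp "$@" | paste -s -d ',' -)
  spec=""
  [ -n "$t" ] && spec="T:$t"
  [ -n "$u" ] && spec="${spec:+$spec,}U:$u"
  printf '%s\n' "$spec"
}

# Demo on the constructed sample; a real run would pass the host's .gnmap files.
f=$(sample_file)
printf 'TCP (one per line):\n'; open_ports tcp "$f"
printf 'UDP (one per line):\n'; open_ports udp "$f"
printf 'nmap -p spec: %s\n' "$(nmap_port_spec "$f")"
rm -f "$f"
```

Point open_ports and nmap_port_spec at several .gnmap files at once and the lists are merged and de-duplicated, which is what you want after the staged scans of Scripts 6, 9, 10 and 11.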
So far so good: you can grab your copy here: https://github.com/ucki/URP
I'm glad for feedback; this project was an insane idea at midnight, so not perfect. But I hope it is easy enough to read.
Greetings Ucki