#!/bin/bash
############################################
# by Leon Johnson
#
# This is a program to scan for exploitable
# services and create files to be used to
# pass to other tools to examine them
#
# this program will do the following:
# [x] scan for services I know how to exploit
# [x] create files of these services to be used with other tools
# [x] Run screenshot tools like aquatone, and gowitness
# [x] identify jenkins and tomcat
# [ ] run jexboss to check for deserialization bugs
############################################

# ANSI colour sequences. Each variable holds the *literal* text "\033[..m";
# the escape is interpreted later by `echo -e`, so plain double quotes are
# sufficient here (backslash followed by a digit is not special inside "").

# --- reset ---
Off="\033[0m"

# --- regular weight ---
Black="\033[0;30m"
Red="\033[0;31m"
Green="\033[0;32m"
Yellow="\033[0;33m"
Blue="\033[0;34m"
Purple="\033[0;35m"
Cyan="\033[0;36m"
White="\033[0;37m"

# --- bold ---
BBlack="\033[1;30m"
BRed="\033[1;31m"
BGreen="\033[1;32m"
BYellow="\033[1;33m"
BBlue="\033[1;34m"
BPurple="\033[1;35m"
BCyan="\033[1;36m"
BWhite="\033[1;37m"

# --- underline ---
UWhite="\033[4;37m"

# Banner printed by usage(). The colour variables are expanded right here, at
# assignment time, so the string already carries the escape text.
banner="
███ ███ █████ ███████ ███████ ███████ ███████ ███████ ███████ ██████ ████████
████ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ████ ██ ███████ ███████ ███████ █████ █████ █████ █████ █████ ██ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ ██ ███████ ███████ ███████ ██ ██ ███████ ██████ ██
$BWhite Port Scanner For Things I Like To Hack$Off | $BYellow@sho_luv$Off
"
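#######################################
# Print the banner followed by the command-line help.
# Globals:   Off, banner (read)
# Arguments: none
# Outputs:   help text on stdout (callers redirect to stderr as needed)
# Returns:   0
#######################################
usage() {
  # ${0##*/} is the script's basename. The original "$basename $0" expanded
  # an unset variable, printing a stray space and the full invocation path.
  # printf '%b' expands backslash escapes the same way `echo -e` does.
  printf '%b\n' "$Off$banner$Off
Usage: ${0##*/} [OPTIONS]
Required:
  -f <file>   File of IP addresses to be scanned
Options:
  -r <num>    rate to scan
  -e <file>   file of IP's to be excluded from scan
  -h          Show this help
"
}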
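# ---- argument parsing ------------------------------------------------------
# RANGE   : path of the target-list file handed to masscan -iL (required)
# RATE    : "--rate N" fragment or empty; used unquoted (word-split) later on
# EXCLUDE : "--excludefile PATH" fragment or empty; used unquoted later on
RANGE=
RATE=
EXCLUDE=

if [ $# -eq 0 ]; then
  usage >&2
  exit 0
fi

# Leading ':' puts getopts in silent mode: a missing option argument is
# reported through the ':' case instead of as a generic invalid option.
while getopts ":hr:e:f:" option; do
  case "${option}" in
    h)
      usage
      exit 0
      ;;
    f)
      RANGE="$OPTARG"
      ;;
    r)
      # rate must be a plain non-negative integer
      if ! [[ "$OPTARG" =~ ^[0-9]+$ ]]; then
        # the original printed $OFF (unset), so the red colour was never reset
        echo -e "${BRed}Error: \"$OPTARG\" is not a number$Off" >&2
        exit 1
      fi
      RATE="--rate $OPTARG"
      ;;
    e)
      # fail early instead of letting masscan discover the missing file
      if [ ! -f "$OPTARG" ]; then
        echo -e "$BRed ERROR: Exclude file \"$OPTARG\" does not exist!$Off" >&2
        exit 1
      fi
      EXCLUDE="--excludefile $OPTARG"
      ;;
    :)
      echo "Option -$OPTARG requires an argument" 1>&2
      exit 1
      ;;
    *)
      echo "Invalid Option: -$OPTARG" 1>&2
      exit 1
      ;;
  esac
done

# -f is mandatory. The original "[ ! -f $RANGE ]" with RANGE unset collapsed
# to "[ ! -f ]", which tests the literal string "-f" and passes, so a run
# without -f slipped through to masscan with no target list.
if [ -z "$RANGE" ]; then
  echo -e "$BRed ERROR: -f <file> is required$Off" >&2
  exit 1
fi
# check if file with IPs exist
if [ ! -f "$RANGE" ]; then
  echo -e "$BRed ERROR: File \"$RANGE\" does not exist!$Off" >&2
  exit 1
fi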
# ---------------------------------------------------------------------------
# Service discovery.
# Every step below has the same shape: echo the exact command for the log,
# run masscan over the target list ($RANGE) with the optional exclude file
# ($EXCLUDE) and rate ($RATE), write the raw result to a binary file named
# after the service (-oB <name>) and, for most services, convert it with
# --readscan into a one-host-per-line <name>.txt for downstream tools.
# All files land in the current working directory and are overwritten on
# re-run.
# $RANGE, $EXCLUDE and $RATE are deliberately unquoted: RATE and EXCLUDE hold
# "flag value" as a single string and rely on word-splitting (an array would
# be the ShellCheck-clean form), and RANGE follows the same convention.
# NOTE(review): masscan (raw sockets) and iptables presumably need root —
# confirm before running as a regular user.
# ---------------------------------------------------------------------------
# run masscan with known ports
echo "masscan --open -p 445 -iL $RANGE $EXCLUDE --banners -oB smb $RATE"
masscan --open -p 445 -iL $RANGE $EXCLUDE --banners -oB smb $RATE
# awk field 6 is taken to be the host column of the "Discovered open port ..."
# lines --readscan prints — assumes the installed masscan's output format;
# confirm if the .txt lists come out empty.
masscan --readscan smb | awk '{print $6}' > smb.txt
# https://resources.infosecinstitute.com/masscan-scan-internet-minutes/
# Host-firewall rule paired with --source-port 60000 on the http scan below
# (rationale in the link above). It is removed only by the -D line after that
# scan, and only if the scan returns; there is no trap, so an interrupted run
# leaves the DROP rule in place and it must be deleted by hand.
echo "iptables -A INPUT -p tcp --dport 60000 -j DROP"
iptables -A INPUT -p tcp --dport 60000 -j DROP
echo "masscan --open -p 80,443,8080,8081 -iL $RANGE $EXCLUDE --banners -oB http $RATE --source-port 60000"
masscan --open -p 80,443,8080,8081 -iL $RANGE $EXCLUDE --banners -oB http $RATE --source-port 60000
# http results are exported as XML (http.xml) rather than a .txt list because
# the screenshot tools at the end of the script consume that format.
masscan --readscan http -oX http.xml
echo "iptables -D INPUT -p tcp --dport 60000 -j DROP"
iptables -D INPUT -p tcp --dport 60000 -j DROP
echo "masscan --open -p U:161 -iL $RANGE $EXCLUDE --banners -oB snmp $RATE"
masscan --open -p U:161 -iL $RANGE $EXCLUDE --banners -oB snmp $RATE
# Only this list filters on "Discovered" before awk; the other lists do not.
masscan --readscan snmp | grep Discovered | awk '{print $6}' > snmp.txt
# consider using iker.py masscan having issues with udp...
echo "masscan --open -p U:500 -iL $RANGE $EXCLUDE --banners -oB ike $RATE"
masscan --open -p U:500 -iL $RANGE $EXCLUDE --banners -oB ike $RATE
masscan --readscan ike | awk '{print $6}' > ike.txt
echo "masscan --open -pU:623 -iL $RANGE $EXCLUDE --banners -oB ipmi $RATE"
masscan --open -pU:623 -iL $RANGE $EXCLUDE --banners -oB ipmi $RATE
masscan --readscan ipmi | awk '{print $6}' > ipmi.txt
echo "masscan --open -p 21 -iL $RANGE $EXCLUDE --banners -oB ftp $RATE"
masscan --open -p 21 -iL $RANGE $EXCLUDE --banners -oB ftp $RATE
masscan --readscan ftp | awk '{print $6}' > ftp.txt
echo "masscan --open -p 22 -iL $RANGE $EXCLUDE --banners -oB ssh $RATE"
masscan --open -p 22 -iL $RANGE $EXCLUDE --banners -oB ssh $RATE
masscan --readscan ssh | awk '{print $6}' > ssh.txt
echo "masscan --open -p 111 -iL $RANGE $EXCLUDE --banners -oB nfs $RATE"
masscan --open -p 111 -iL $RANGE $EXCLUDE --banners -oB nfs $RATE
masscan --readscan nfs | awk '{print $6}' > nfs.txt
echo "masscan --open -p 513 -iL $RANGE $EXCLUDE --banners -oB rlogin $RATE"
masscan --open -p 513 -iL $RANGE $EXCLUDE --banners -oB rlogin $RATE
masscan --readscan rlogin | awk '{print $6}' > rlogin.txt
# Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x are found to be vulnerable to this Ghostcat
echo "masscan --open -p 8009 -iL $RANGE $EXCLUDE --banners -oB ghost_cat $RATE"
masscan --open -p 8009 -iL $RANGE $EXCLUDE --banners -oB ghost_cat $RATE
masscan --readscan ghost_cat | awk '{print $6}' > ghost_cat.txt
echo "masscan --open -p 1099 -iL $RANGE $EXCLUDE --banners -oB java-rmi $RATE"
masscan --open -p 1099 -iL $RANGE $EXCLUDE --banners -oB java-rmi $RATE
masscan --readscan java-rmi | awk '{print $6}' > java-rmi.txt
echo "masscan --open -p 1433 -iL $RANGE $EXCLUDE --banners -oB mssql $RATE"
masscan --open -p 1433 -iL $RANGE $EXCLUDE --banners -oB mssql $RATE
masscan --readscan mssql | awk '{print $6}' > mssql.txt
echo "masscan --open -p 1521 -iL $RANGE $EXCLUDE --banners -oB oracle $RATE"
masscan --open -p 1521 -iL $RANGE $EXCLUDE --banners -oB oracle $RATE
masscan --readscan oracle | awk '{print $6}' > oracle.txt
# No --readscan step here, so jdwp produces only the binary -oB file and no
# .txt list; the same holds for winrm, x11, manage_engine, intel-amt, the
# first iscsi pass, lantronix and sap further down.
echo "masscan --open -p 2010,8000,9999 -iL $RANGE $EXCLUDE --banners -oB jdwp $RATE"
masscan --open -p 2010,8000,9999 -iL $RANGE $EXCLUDE --banners -oB jdwp $RATE
echo "masscan --open -p 3389 -iL $RANGE $EXCLUDE --banners -oB rdp $RATE"
masscan --open -p 3389 -iL $RANGE $EXCLUDE --banners -oB rdp $RATE
masscan --readscan rdp | awk '{print $6}' > rdp.txt
echo "masscan --open -p 4369 -iL $RANGE $EXCLUDE --banners -oB erlang $RATE"
masscan --open -p 4369 -iL $RANGE $EXCLUDE --banners -oB erlang $RATE
masscan --readscan erlang | awk '{print $6}' > erlang.txt
echo "Checking for cisco smart install"
#echo "masscan --open -p 4786 -iL $RANGE $EXCLUDE --banners -oB siet $RATE"
masscan --open -p 4786 -iL $RANGE $EXCLUDE --banners -oB siet $RATE
masscan --readscan siet | awk '{print $6}' > siet.txt
echo "masscan --open -p 5900 -iL $RANGE $EXCLUDE --banners -oB vnc $RATE"
masscan --open -p 5900 -iL $RANGE $EXCLUDE --banners -oB vnc $RATE
masscan --readscan vnc | awk '{print $6}' > vnc.txt
echo "masscan --open -p 5984 -iL $RANGE $EXCLUDE --banners -oB couchdb $RATE"
masscan --open -p 5984 -iL $RANGE $EXCLUDE --banners -oB couchdb $RATE
masscan --readscan couchdb | awk '{print $6}' > couchdb.txt
echo "masscan --open -p 5985,5986 -iL $RANGE $EXCLUDE --banners -oB winrm $RATE"
masscan --open -p 5985,5986 -iL $RANGE $EXCLUDE --banners -oB winrm $RATE
echo "masscan --open -p 6000-6005 -iL $RANGE $EXCLUDE --banners -oB x11 $RATE"
masscan --open -p 6000-6005 -iL $RANGE $EXCLUDE --banners -oB x11 $RATE
echo "masscan --open -p 6379 -iL $RANGE $EXCLUDE --banners -oB redis $RATE"
masscan --open -p 6379 -iL $RANGE $EXCLUDE --banners -oB redis $RATE
masscan --readscan redis | awk '{print $6}' > redis.txt
echo "masscan --open -p 7001 -iL $RANGE $EXCLUDE --banners -oB weblogic $RATE"
masscan --open -p 7001 -iL $RANGE $EXCLUDE --banners -oB weblogic $RATE
masscan --readscan weblogic | awk '{print $6}' > weblogic.txt
# NOTE(review): the port list "8383,8400," ends in a trailing comma; confirm
# masscan tolerates it, otherwise drop the comma.
echo "masscan --open -p 8383,8400, -iL $RANGE $EXCLUDE --banners -oB manage_engine $RATE"
masscan --open -p 8383,8400, -iL $RANGE $EXCLUDE --banners -oB manage_engine $RATE
# 5900 and 623 were already covered by the vnc and ipmi passes above; this
# pass scans them a second time.
echo "masscan --open -p 16992,16993,5900,623,664 -iL $RANGE $EXCLUDE --banners -oB intel-amt $RATE"
masscan --open -p 16992,16993,5900,623,664 -iL $RANGE $EXCLUDE --banners -oB intel-amt $RATE
# $RATE comes before --banners here, unlike every other invocation; flag order
# presumably does not matter to masscan — confirm.
echo "masscan --open -p 860,3205,3260 -iL $RANGE $EXCLUDE $RATE --banners -oB iscsi"
masscan --open -p 860,3205,3260 -iL $RANGE $EXCLUDE $RATE --banners -oB iscsi
# A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found.
echo "masscan --open -p 17988 -iL $RANGE $EXCLUDE --banners -oB hi-lo $RATE"
masscan --open -p 17988 -iL $RANGE $EXCLUDE --banners -oB hi-lo $RATE
masscan --readscan hi-lo | awk '{print $6}' > hi-lo.txt
echo "masscan --open -p 25672 -iL $RANGE $EXCLUDE --banners -oB rabbitmq $RATE"
masscan --open -p 25672 -iL $RANGE $EXCLUDE --banners -oB rabbitmq $RATE
masscan --readscan rabbitmq | awk '{print $6}' > rabbitmq.txt
echo "masscan --open -p 27017 -iL $RANGE $EXCLUDE --banners -oB mongodb $RATE"
masscan --open -p 27017 -iL $RANGE $EXCLUDE --banners -oB mongodb $RATE
masscan --readscan mongodb | awk '{print $6}' > mongodb.txt
echo "masscan --open -p 389 -iL $RANGE $EXCLUDE --banners -oB ldap $RATE"
masscan --open -p 389 -iL $RANGE $EXCLUDE --banners -oB ldap $RATE
masscan --readscan ldap | awk '{print $6}' > ldap.txt
echo "masscan --open -p 636 -iL $RANGE $EXCLUDE --banners -oB ldaps $RATE"
masscan --open -p 636 -iL $RANGE $EXCLUDE --banners -oB ldaps $RATE
masscan --readscan ldaps | awk '{print $6}' > ldaps.txt
echo "masscan --open -p 9999,30718 -iL $RANGE $EXCLUDE --banners -oB lantronix $RATE"
masscan --open -p 9999,30718 -iL $RANGE $EXCLUDE --banners -oB lantronix $RATE
echo "masscan --open -p 8000,50000,50013 -iL $RANGE $EXCLUDE --banners -oB sap $RATE"
masscan --open -p 8000,50000,50013 -iL $RANGE $EXCLUDE --banners -oB sap $RATE
# NOTE(review): 3260 is already in the iscsi pass above. This pass writes a
# second output named "iSCSI", which differs from "iscsi" only by case — on a
# case-insensitive filesystem the two -oB files collide.
echo "masscan --open -p 3260 -iL $RANGE $EXCLUDE --banners -oB iSCSI $RATE"
masscan --open -p 3260 -iL $RANGE $EXCLUDE --banners -oB iSCSI $RATE
masscan --readscan iSCSI | awk '{print $6}' > iSCSI.txt
echo "masscan --open -p 9010 -iL $RANGE $EXCLUDE --banners -oB track-it $RATE"
masscan --open -p 9010 -iL $RANGE $EXCLUDE --banners -oB track-it $RATE
masscan --readscan track-it | awk '{print $6}' > track-it.txt
# search for titles in banners
# The http --readscan output includes the grabbed banners. These four greps
# only print matches to the terminal (with --color) and save nothing, unlike
# the .txt lists above; each pipeline re-reads the http result file.
masscan --readscan http | grep title | grep --color=auto -i tomcat
masscan --readscan http | grep title | grep --color=auto -i bitnami
masscan --readscan http | grep title | grep --color=auto -i jenkins
masscan --readscan http | grep title | grep --color=auto -i xerox
# delete files of size zero
# NOTE(review): -size 0 is not restricted to -type f, and GNU xargs without
# -r still runs `rm --` once with no operands when nothing matched (which
# just prints an error). `find ./ -type f -size 0 -delete` avoids both.
find ./ -size 0 -print0 | xargs -0 rm --
# perform web screenshots:
# NOTE(review): none of the mkdir/cd calls in this section are checked. If
# `cd web` fails (e.g. because mkdir failed), every later relative path
# (../../http.xml, the rm and unzip in the aquatone step) resolves against
# the wrong directory.
mkdir web
cd web
# Aquatone
# create dirs
mkdir aquatone && cd aquatone
# download aquatone
# NOTE(review): the release archive is fetched and its binary executed two
# lines later with no integrity check (no checksum or signature comparison).
# Pin and verify the download — e.g. compare sha256sum output against the
# value published with the release (<EXPECTED_SHA256>, to be filled in) —
# before running it. The && chain also stops silently at the first failing
# rm, leaving temp.zip behind.
wget https://github.com/michenriksen/aquatone/releases/download/v1.7.0/aquatone_linux_amd64_1.7.0.zip -O temp.zip && unzip temp.zip && rm README.md && rm LICENSE.txt && rm temp.zip
# run aquatone
# Feeds the http.xml written during discovery; equivalent to
# `./aquatone < ../../http.xml` and relies on cwd being web/aquatone.
cat ../../http.xml | ./aquatone
# Gowitness
# create dirs
cd .. && mkdir gowitness && cd gowitness
# install gowitness
# NOTE(review): @latest resolves to whatever the module's newest tag is at
# run time, so the tool that runs can differ between executions — pin a
# version for reproducibility. Needs a Go toolchain and network access.
go install github.com/sensepost/gowitness@latest
# run gowitness
# Assumes the default GOPATH bin directory (~/go/bin). The sqlite3 query
# below expects gowitness to have written gowitness.sqlite3 into this
# directory (web/gowitness).
~/go/bin/gowitness nmap -f ../../http.xml
# Jexboss
# cwd becomes web/; the clone lands in web/jexboss
cd ..
# NOTE(review): clones an unpinned third-party repository and runs
# jexboss.py from it below; nothing records or verifies which commit was
# fetched.
git clone https://github.com/sho-luv/jexboss.git
cd jexboss
# NOTE(review): from web/jexboss this relative path resolves to
# web/jexboss/gowitness/gowitness.sqlite3, but gowitness ran in web/gowitness,
# i.e. ../gowitness/gowitness.sqlite3 from here. As written, urls.txt is
# presumably empty — confirm. Requires the sqlite3 CLI.
sqlite3 gowitness/gowitness.sqlite3 "select url from urls" > urls.txt
# Passes the URL list to jexboss in file-scan mode; its report is written to
# vulnerable_systems.txt inside web/jexboss.
./jexboss.py -mode file-scan -file urls.txt -out vulnerable_systems.txt