API tools faq
paste
Advertisement
joemccray

NetworkScan Script for CyberWar Class

joemccray
Jul 26th, 2017
1,035
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.16 KB | None | 0 0
raw download clone embed print report
  1. #!/bin/bash
  2.  
  3. # Script made during the CyberWar class for the students to play with, debug, and improve.
  4. # Take a look at the following websites for ideas:
  5. # https://github.com/commonexploits/port-scan-automation
  6. # https://www.commonexploits.com/penetration-testing-scripts/
  7. # https://github.com/averagesecurityguy/scripts
  8. #
  9.  
  10.  
  11.  
  12. #############################################
  13. # Check to see if script is running as root #
  14. #############################################
  15. if [ "$EUID" -ne 0 ]
  16. then echo "Please run as root"
  17. exit
  18. fi
  19.  
  20.  
  21.  
  22. ########################
  23. # Make the directories #
  24. ########################
  25. mkdir -p /tmp/customerAudit/internal/scan/services/
  26. mkdir -p /tmp/customerAudit/internal/scan/windows/
  27. mkdir -p /tmp/customerAudit/internal/scan/sunrpc/
  28. mkdir -p /tmp/customerAudit/internal/scan/telnet/
  29. mkdir -p /tmp/customerAudit/internal/scan/printers/
  30. mkdir -p /tmp/customerAudit/internal/scan/mssql_databases/
  31. mkdir -p /tmp/customerAudit/internal/scan/oracle_databases/
  32. mkdir -p /tmp/customerAudit/internal/scan/mysql_databases/
  33.  
  34.  
  35.  
  36.  
  37. ######################
  38. # Find Windows Hosts #
  39. ######################
  40. echo "Scanning for windows hosts."
  41. propecia 172.31.6 445 >> /tmp/customerAudit/internal/scan/services/windows_hosts
  42. clear
  43. echo "Done scanning for windows hosts. FTP is next."
  44.  
  45.  
  46. ##################
  47. # Find FTP Hosts #
  48. ##################
  49. echo "Scanning for hosts running FTP."
  50. propecia 172.31.6 21 >> /tmp/customerAudit/internal/scan/services/ftp_hosts
  51. clear
  52. echo "Done scanning for FTP hosts. SunRPC is next."
  53.  
  54.  
  55. #####################
  56. # Find SunRPC Hosts #
  57. #####################
  58. echo "Scanning for hosts running SunRPC."
  59. propecia 172.31.6 111 >> /tmp/customerAudit/internal/scan/services/sunrpc_hosts
  60. clear
  61. echo "Done scanning for SunRPC hosts. Telnet is next."
  62.  
  63.  
  64. #####################
  65. # Find Telnet Hosts #
  66. #####################
  67. echo "Scanning for hosts running Telnet"
  68. propecia 172.31.6 23 >> /tmp/customerAudit/internal/scan/services/telnet_hosts
  69. clear
  70. echo "Done scanning for Telnet hosts. Printers are next."
  71.  
  72.  
  73. #################
  74. # Find Printers #
  75. #################
  76. echo "Scanning for Printers and Print Servers"
  77. propecia 172.31.6 9100 >> /tmp/customerAudit/internal/scan/services/printserver_hosts
  78. clear
  79. echo "Done scanning for Printers. Databases are next."
  80.  
  81.  
  82. ##################
  83. # Find Databases #
  84. ##################
  85. echo "Scanning for hosts running MS SQL Server"
  86. propecia 172.31.6$MSSQL_COUNTER 1433 >> /tmp/customerAudit/internal/scan/services/mssql_hosts
  87. clear
  88.  
  89. echo "Scanning for hosts running Oracle"
  90. propecia 172.31.6$ORA_COUNTER 1521 >> /tmp/customerAudit/internal/scan/services/oracle_hosts
  91. clear
  92.  
  93.  
  94. echo "Scanning for hosts running MySQL"
  95. propecia 172.31.6$MY_COUNTER 3306 >> /tmp/customerAudit/internal/scan/services/mysql_hosts
  96. clear
  97. echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."
  98.  
  99.  
  100. ###############################
  101. # Ok, let's do the NMAP files #
  102. ###############################
  103.  
  104. # Windows
  105. for x in `cat /tmp/customerAudit/internal/scan/services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/customerAudit/internal/scan/windows/$x ; done
  106. echo "Done with Windows."
  107.  
  108.  
  109. # FTP
  110. for x in `cat /tmp/customerAudit/internal/scan/services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/customerAudit/internal/scan/ftp/$x ; done
  111. echo "Done with FTP."
  112.  
  113.  
  114. # SUNRPC
  115. for x in `cat /tmp/customerAudit/internal/scan/services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/customerAudit/internal/scan/sunrpc/$x ; done
  116. echo "Done with SunRPC."
  117.  
  118.  
  119. # Telnet
  120. for x in `cat /tmp/customerAudit/internal/scan/services/telnet_hosts` ; do nmap -sV -O $x > /tmp/customerAudit/internal/scan/telnet/$x ; done
  121. echo "Done with Telnet."
  122.  
  123.  
  124. # Printers
  125. for x in `cat /tmp/customerAudit/internal/scan/services/printserver_hosts` ; do nmap -sV -O $x > /tmp/customerAudit/internal/scan/printers/$x ; done
  126. echo "Done with printers."
  127.  
  128.  
  129. # SQL Servers
  130. for x in `cat /tmp/customerAudit/internal/scan/services/mssql_hosts` ; do -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/customerAudit/internal/scan/mssql_databases/$x ; done
  131. echo "Done with MS SQL."
  132.  
  133.  
  134. # Oracle Servers
  135. for x in `cat /tmp/customerAudit/internal/scan/services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/customerAudit/internal/scan/oracle_databases/$x ; done
  136. echo "Done with Oracle."
  137.  
  138.  
  139. # MySQL Servers
  140. for x in `cat /tmp/customerAudit/internal/scan/services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/customerAudit/internal/scan/mysql_databases/$x ; done
  141. echo "Done with MySQL."
  142. echo " "
  143. echo " "
  144. echo "Done, now check your results."
  145.  
  146.  
  147.  
  148.  
  149. ###########################
  150. ## Nmap NSE tricks to try #
  151. ###########################
  152. #nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 172.31.6.0/24
  153.  
  154. #nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 172.31.6.0/24
  155.  
  156. #nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 172.31.6.0/24
  157.  
  158. #nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 172.31.6.0/24
  159.  
  160. #nmap -Pn -n --open -p6000-6005 --script=x11-access 172.31.6.0/24
  161.  
  162. #nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 172.31.6.0/24
  163.  
  164. #nmap -sV -oA nse --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" 172.31.6.0/24
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!