aktsk/NWPentestUtils

NWPentestUtils

This is a set of scripts for network pentesting. This repository also contains scripts that can be used for attacks, but should only be used for ethical hacking.

Motivation

Network scanners such as Nessus and GVM (OpenVAS) are very useful for pentests, but they are slow: scanning an entire large company network can take several days. These scripts were written to make that part of a pentest more efficient.

Requirements

How to specify the target

Most scripts take their targets from a txt file. The target file lists one network (CIDR) per line, in the following format:

192.168.100.0/24
172.16.0.0/12

The txt file listing IP addresses to exclude contains the addresses separated by spaces, in the following format:

192.168.100.8 192.168.100.15
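
Before pointing any of the scanners below at a network it is worth checking that every host you are about to touch is actually inside the agreed scope. The following added example (not part of NWPentestUtils; it assumes only the two file formats shown above, and additionally tolerates blank and `#` comment lines, which is my assumption rather than a rule of the repository) reads a target file and an exclude file with Python's standard `ipaddress` module and answers "is this host in scope?" for a list of candidate addresses:

```python
"""Scope checker for the target / exclude txt files described above.

Added example, not part of NWPentestUtils. It reads the same two file
formats (one network per line; space-separated excluded IPs) and decides
whether a host is in scope before any scanner is pointed at it.
"""
import ipaddress

# Constructed sample file contents, matching the README's formats.
TARGETS_TXT = """192.168.100.0/24
172.16.0.0/12

# blank and comment lines are tolerated here (assumption, not a repo rule)
"""
EXCLUDE_TXT = "192.168.100.8 192.168.100.15\n"


def parse_targets(text):
    """Return a list of IPv4/IPv6 networks, one per non-empty line."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False accepts host bits set, e.g. 10.0.0.1/24
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_excludes(text):
    """Return a set of excluded addresses; tokens are whitespace-separated."""
    return {ipaddress.ip_address(tok) for tok in text.split()}


def in_scope(host, targets, excludes):
    """True iff host falls inside some target network and is not excluded."""
    addr = ipaddress.ip_address(host)
    if addr in excludes:
        return False
    # `addr in net` is False when the IP versions differ, so mixed v4/v6 is safe
    return any(addr in net for net in targets)


def scope_report(hosts, targets_txt=TARGETS_TXT, exclude_txt=EXCLUDE_TXT):
    """Map each candidate host to True (in scope) or False (do not scan)."""
    targets = parse_targets(targets_txt)
    excludes = parse_excludes(exclude_txt)
    return {h: in_scope(h, targets, excludes) for h in hosts}


if __name__ == "__main__":
    candidates = ["192.168.100.7", "192.168.100.8", "172.20.1.1", "10.0.0.1"]
    for host, ok in scope_report(candidates).items():
        print(f"{host:16} {'in scope' if ok else 'OUT OF SCOPE'}")
```

Run it on the real files by replacing the two constants with `open(path).read()`; a host that is excluded wins over a matching target network, and anything outside every listed network is rejected, which is the check the scan wrappers themselves leave to nmap's `--excludefile` handling.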

Port scan

These scripts run a port scan with nmap and save the results in XML format under ./results/yyyymmdd/, e.g. ./results/yyyymmdd/127.0.0.1_syn_ping_yyyymmdd_hhmmss.xml. ./results/ is listed in .gitignore.

portscan-tcp-all.sh

This script requires administrative privileges because it uses a SYN scan. It scans all TCP ports without first checking whether the host is up by pinging.

$ sudo ./portscan-tcp-all.sh -T<1-5> <target-hosts-list.txt> <exclude-hosts-list.txt>

Log format: ./results/<today>/<ip_range>_<now>.xml

portscan-tcp-rapid.sh

This script requires administrative privileges because it uses a SYN scan. It scans nmap's top 1000 ports, first checking whether the host is up by pinging.

$ sudo ./portscan-tcp-rapid.sh -T<1-5> <target-hosts-list.txt> <exclude-hosts-list.txt>

Log format: ./results/<today>/<ip_range>_<now>.xml

portscan-udp.sh

This script requires administrative privileges because it uses a UDP scan.

$ sudo ./portscan-udp.sh <target-hosts-list.txt> <exclude-hosts-list.txt>

Log format: ./results/<today>/<ip_range>_udp_<now>.xml

Find specific middleware

These scripts find servers that could serve as a starting point for an attack. They save the results in the XML format output by nmap.

find-db.sh

$ ./find-db.sh <target-hosts-list.txt>
  • Log format:
    • ./results/<today>/<ip_range>_postgres_<now>.xml
    • ./results/<today>/<ip_range>_redis_<now>.xml
    • ./results/<today>/<ip_range>_mysql_<now>.xml

find-smb.sh

$ ./find-smb.sh <target-hosts-list.txt>

Log format: ./results/<today>/<ip_range>_smb_<now>.xml

find-web.sh

$ ./find-web.sh <target-hosts-list.txt>

Log format: ./results/<today>/<ip_range>_web_<now>.xml

find-snmp.sh

Because SNMP runs over UDP and UDP scanning needs raw sockets, this script requires administrative privileges.

$ sudo ./find-snmp.sh <target-hosts-list.txt>

Log format: ./results/<today>/<ip_range>_snmp_<now>.xml

Bruteforce

These scripts use nmap to perform brute-force login attempts against DB, SMB, and SSH servers. The results are saved in the XML format output by nmap, in the file ./results/yyyymmdd/127.0.0.1_noping_yyyymmdd_hhmmss.xml. ./results/ is listed in .gitignore.

Getting past authentication and stealing data is already a problem in itself, but once you can log in to a DB server there are cases where that access can be escalated to RCE.

bruteforce-mysql.sh

$ ./bruteforce-mysql.sh <target-hosts-list.txt>

Log format: ./results/<today>/<ip_addr>_mysql_attack_<now>.xml

bruteforce-postgres.sh

$ ./bruteforce-postgres.sh <target-hosts-list.txt>

Log format: ./results/<today>/<ip_addr>_postgres_attack_<now>.xml

bruteforce-redis.sh

$ ./bruteforce-redis.sh <target-hosts-list.txt>

Log format: ./results/<today>/<ip_addr>_redis_attack_<now>.xml

bruteforce-smb.sh

$ ./bruteforce-smb.sh <target-hosts-list.txt>

Log format: ./results/<today>/<ip_addr>_smb_attack_<now>.xml

bruteforce-ssh.sh

$ ./bruteforce-ssh.sh <target-hosts-list.txt>

Log format: ./results/<today>/<ip_addr>_ssh_attack_<now>.xml

bruteforce-snmp.sh

Because SNMP runs over UDP and UDP scanning needs raw sockets, this script requires administrative privileges.

$ sudo ./bruteforce-snmp.sh <target-hosts-list.txt>

Log format: ./results/<today>/<ip_addr>_snmp_attack_<now>.xml

Misc

check-nmap-ports.sh

This script lists the ports nmap would scan for a given scan type and port count, which is useful when you need to enter the same port set in the Nessus configuration.

Usage

$ sudo ./check-nmap-ports.sh -sT 1000

Example

$ sudo ./check-nmap-ports.sh -sU 100
# Ports scanned: TCP(0;) UDP(100;7,9,17,19,49,53,67-69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,631,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,2222-2223,3283,3456,3703,4444,4500,5000,5060,5353,5632,9200,10000,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201,65024) SCTP(0;) PROTOCOLS(0;)
WARNING: No targets were specified, so 0 hosts scanned.

get-alive-ip.sh

$ ./get-alive-ip.sh <target-ip-range>

get-snmp-info.sh

This script returns basic information about an SNMP server. Because SNMP runs over UDP and UDP scanning needs raw sockets, it requires administrative privileges.

$ sudo ./get-snmp-info.sh <target-ip>

nikto-multi.sh

$ ./nikto-multi.sh <target-hosts-list.txt>

Log format: ./results/<today>/nikto/<ip_addr>_nikto_<now>.xml

nmap-xml2csv.rb

This script converts nmap's XML output to CSV so that it can be pasted into a Google spreadsheet. If no output file name is given, the result is written to portscan-result.csv by default.

./results/ and portscan-result.csv are listed in .gitignore.

Usage

$ gem install ruby-nmap
$ ruby nmap-xml2csv.rb <nmap-output>.xml -o <output-file-name>.csv

Example

$ ruby nmap-xml2csv.rb ./results/20201204/192.168.1.0_24_20201204_072122.xml
[+] parse these xml files:
./results/20201204/192.168.1.0_24_20201204_072122.xml
-----------------------------------------------------
192.168.1.1	53(domain), 80(http)
192.168.1.17	22(ssh)
-----------------------------------------------------
[+] Output: portscan-result.csv
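
For readers who want to see what the conversion above actually does to the XML, here is an added example that performs the same summarisation in Python with only the standard library (it is not the repository's nmap-xml2csv.rb and does not need the ruby-nmap gem). The nmap XML embedded below is a constructed sample using the element names nmap emits (`host`, `status`, `address`, `ports/port`, `state`, `service`); it keeps only hosts that are up and only ports whose state is "open", then renders the same `ip<TAB>53(domain), 80(http)` lines the Ruby script prints plus one CSV row per open port:

```python
"""Summarise open ports from nmap XML, as nmap-xml2csv.rb does.

Added example, not the repository's Ruby script. Uses only the standard
library (xml.etree), so it does not need the ruby-nmap gem. The nmap XML
below is a constructed sample with the element names nmap actually emits.
"""
import csv
import io
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p- 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.17" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return {ip: [(port, protocol, service), ...]} for hosts that are up.

    Only ports whose <state> is "open" are kept; closed/filtered ports are
    noise in a spreadsheet that is meant to list exposed services.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # prefer the IPv4 address; nmap may also emit a mac address element
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        ip = addr_el.get("addr")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            ports.append((int(port.get("portid")), port.get("protocol"), name))
        result[ip] = sorted(ports)
    return result


def summary_lines(xml_text):
    """Render 'ip<TAB>53(domain), 80(http)' lines like the Ruby script prints."""
    lines = []
    for ip, ports in open_ports(xml_text).items():
        rendered = ", ".join(f"{p}({name})" for p, _, name in ports)
        lines.append(f"{ip}\t{rendered}")
    return lines


def to_csv(xml_text):
    """One CSV row per open port: ip,port,protocol,service."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "port", "protocol", "service"])
    for ip, ports in open_ports(xml_text).items():
        for p, proto, name in ports:
            writer.writerow([ip, p, proto, name])
    return buf.getvalue()


if __name__ == "__main__":
    print("\n".join(summary_lines(SAMPLE_NMAP_XML)))
    print(to_csv(SAMPLE_NMAP_XML))
```

To use it on a real scan, pass `open(path).read()` of one of the ./results/ XML files to `to_csv` and write the string to a file; because each open port becomes its own row, the CSV can be filtered per service in a spreadsheet, whereas the one-line-per-host summary is easier to read at a glance.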

License

MIT License