Adding pentest automation scripts discover and enum

discover.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# This script is used to discover the available devices and open ports on an IP address or range of IP addresses.
+# It uses masscan to perform the discovery and outputs the results in masscan's format.
+# Usage: ./discover.sh <input_file> <output_file>
+# Original script written by zenfosec on 4/7/2025
+
+# Check to see if the script is being run as root
+if [ "$EUID" -ne 0 ]; then
+    echo "Please run as root"
+    exit
+fi
+
+# Check if the correct number of arguments is provided
+if [ "$#" -ne 3 ]; then
+    echo "Usage: $0 <input_file> <ips_up_output_file> <masscan_output_file>"
+    exit 1
+fi
+
+# Perform host discovery using nmap
+echo "Performing host discovery using nmap ICMP echo scan..."
+nmap -sn -PE -n -iL $1 |grep "scan report" |awk '{print $5}' |sort -u -t . -k1,1n -k2,2n -k3,3n -k4,4n > $2
+if [ $? -ne 0 ]; then
+    echo "Error: nmap command failed. Please check your input and try again."
+    exit 1
+fi
+echo "Host discovery completed. Results saved to $2."
+
+# Check if the output file is empty
+if [ ! -s "$2" ]; then
+    echo "Error: The output file is empty. No hosts found."
+    exit 1
+fi
+# Check if the output file exists
+if [ ! -f "$2" ]; then
+    echo "Error: The output file does not exist. Please check your input and try again."
+    exit 1
+fi
+
+# Perform port scanning using masscan
+echo "Performing port scanning using masscan..."
+masscan --rate=10000 -p1-65535 --open --banners -e en0 -iL "$2" -oG "$3"
+if [ $? -ne 0 ]; then
+    echo "Error: masscan command failed. Please check your input and try again."
+    exit 1
+fi
+echo "Discovery completed. Results saved to $3."
+# Check if the output file is empty
+if [ ! -s "$2" ]; then
+    echo "Error: The masscan output file is empty. No open ports found."
+    exit 1
+fi
+# Check if the output file exists
+if [ ! -f "$2" ]; then
+    echo "Error: The masscan output file does not exist. Please check your input and try again."
+    exit 1
+fi

enumerate.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# This script is used to enumerate services on hosts based on the results of a masscan scan.
+# It uses nmap to perform the enumeration and outputs the results regular nmap format, 
+# grepable format, and XML format.
+# Note that the nmap_output_filename will be used to create three files: nmap_output_filename.nmap, 
+#nmap_output_filename.gnmap, and nmap_output_filename.xml
+# Usage: ./enumerate.sh <input_file> <nmap_output_filename>
+# Original script written by zenfosec on 4/7/2025
+
+# Check to see if the script is being run as root
+if [ "$EUID" -ne 0 ]; then
+    echo "Please run as root"
+    exit
+fi
+# Check if the correct number of arguments is provided
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 <input_file> <nmap_output_filename>"
+    exit 1
+fi
+# Check if the input file exists
+if [ ! -f "$1" ]; then
+    echo "Error: The input file does not exist. Please check your input and try again."
+    exit 1
+fi
+# Check if the input file is empty
+if [ ! -s "$1" ]; then
+    echo "Error: The input file is empty. No hosts found."
+    exit 1
+fi
+# Perform service enumeration using nmap
+echo "Parsing masscan output file..."
+
+# Read the masscan output file and extract the ports
+grep "Ports:" "$1" | sed 's/.*Ports: //' | tr ',' '\n' | awk '{print $1}' |cut -d "/" -f1 | sort -u -n > masscan_ports.txt
+
+# Read ports.txt and create a comma-separated list of ports
+for port in $(cat masscan_ports.txt); do
+    ports+="$port,"
+done
+# Remove the trailing comma
+ports=${ports%,}
+echo "Ports: $ports"
+# Read the masscan output file and extract the IPs
+grep "Host:" "$1" | sed 's/.*Host: //' | tr ',' '\n' | awk '{print $1}' | sort -u -t . -k1,1n -k2,2n -k3,3n -k4,4n > masscan_ips.txt
+
+echo "Performing service enumeration and script scanning using nmap..."
+nmap -sV -Pn -p $ports -T4 -iL masscan_ips.txt -oA "$2" -sC --script=default,vuln --host-timeout 10m

ips.txt

@@ -0,0 +1 @@
+10.0.0.0/24

ips_up.txt

@@ -0,0 +1,23 @@
+10.0.0.1
+10.0.0.5
+10.0.0.25
+10.0.0.100
+10.0.0.101
+10.0.0.102
+10.0.0.103
+10.0.0.104
+10.0.0.105
+10.0.0.106
+10.0.0.107
+10.0.0.108
+10.0.0.109
+10.0.0.115
+10.0.0.118
+10.0.0.125
+10.0.0.131
+10.0.0.132
+10.0.0.133
+10.0.0.137
+10.0.0.140
+10.0.0.141
+10.0.0.142

masscan.out

@@ -0,0 +1,84 @@
+# Masscan 1.3.2 scan initiated Mon Apr  7 18:04:07 2025
+# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
+Timestamp: 1744049048	Host: 10.0.0.5 ()	Ports: 35099/open/tcp//unknown//
+Timestamp: 1744049050	Host: 10.0.0.132 ()	Ports: 62078/open/tcp//unknown//
+Timestamp: 1744049051	Host: 10.0.0.5 ()	Ports: 6009/open/tcp//unknown//
+Timestamp: 1744049052	Host: 10.0.0.104 ()	Ports: 10001/open/tcp//scp-config//
+Timestamp: 1744049054	Host: 10.0.0.104 ()	Ports: 33336/open/tcp//unknown//
+Timestamp: 1744049058	Host: 10.0.0.5 ()	Ports: 5001/open/tcp//commplex-link//
+Timestamp: 1744049058	Host: 10.0.0.5 ()	Ports: 111/open/tcp//sunrpc//
+Timestamp: 1744049060	Host: 10.0.0.140 ()	Ports: 49152/open/tcp//unknown//
+Timestamp: 1744049061	Host: 10.0.0.1 ()	Ports: 42421/open/tcp//unknown//
+Timestamp: 1744049062	Host: 10.0.0.131 ()	Ports: 23010/open/tcp//unknown//
+Timestamp: 1744049062	Host: 10.0.0.5 ()	Ports: 5583/open/tcp//unknown//
+Timestamp: 1744049062	Host: 10.0.0.1 ()	Ports: 21/open/tcp//ftp//
+Timestamp: 1744049067	Host: 10.0.0.5 ()	Ports: 139/open/tcp//netbios-ssn//
+Timestamp: 1744049068	Host: 10.0.0.103 ()	Ports: 8081/open/tcp//sunproxyadmin//
+Timestamp: 1744049070	Host: 10.0.0.131 ()	Ports: 9867/open/tcp//unknown//
+Timestamp: 1744049070	Host: 10.0.0.142 ()	Ports: 60651/open/tcp//unknown//
+Timestamp: 1744049071	Host: 10.0.0.109 ()	Ports: 7100/open/tcp//font-service//
+Timestamp: 1744049077	Host: 10.0.0.102 ()	Ports: 853/open/tcp//domain-s//
+Timestamp: 1744049077	Host: 10.0.0.140 ()	Ports: 853/open/tcp//domain-s//
+Timestamp: 1744049081	Host: 10.0.0.101 ()	Ports: 49156/open/tcp//unknown//
+Timestamp: 1744049082	Host: 10.0.0.107 ()	Ports: 49152/open/tcp//unknown//
+Timestamp: 1744049086	Host: 10.0.0.1 ()	Ports: 8200/open/tcp//trivnet1//
+Timestamp: 1744049087	Host: 10.0.0.5 ()	Ports: 22/open/tcp//ssh//
+Timestamp: 1744049090	Host: 10.0.0.102 ()	Ports: 5000/open/tcp//commplex-main//
+Timestamp: 1744049090	Host: 10.0.0.104 ()	Ports: 9000/open/tcp//cslistener//
+Timestamp: 1744049092	Host: 10.0.0.102 ()	Ports: 62078/open/tcp//unknown//
+Timestamp: 1744049092	Host: 10.0.0.25 ()	Ports: 443/open/tcp//https//
+Timestamp: 1744049093	Host: 10.0.0.5 ()	Ports: 1723/open/tcp//pptp//
+Timestamp: 1744049096	Host: 10.0.0.142 ()	Ports: 62078/open/tcp//unknown//
+Timestamp: 1744049097	Host: 10.0.0.133 ()	Ports: 5000/open/tcp//commplex-main//
+Timestamp: 1744049101	Host: 10.0.0.1 ()	Ports: 42422/open/tcp//unknown//
+Timestamp: 1744049104	Host: 10.0.0.1 ()	Ports: 1990/open/tcp//stun-p1//
+Timestamp: 1744049108	Host: 10.0.0.5 ()	Ports: 49152/open/tcp//unknown//
+Timestamp: 1744049108	Host: 10.0.0.25 ()	Ports: 902/open/tcp//ideafarm-chat//
+Timestamp: 1744049111	Host: 10.0.0.5 ()	Ports: 39937/open/tcp//unknown//
+Timestamp: 1744049113	Host: 10.0.0.131 ()	Ports: 443/open/tcp//https//
+Timestamp: 1744049115	Host: 10.0.0.5 ()	Ports: 548/open/tcp//afpovertcp//
+Timestamp: 1744049117	Host: 10.0.0.5 ()	Ports: 49403/open/tcp//unknown//
+Timestamp: 1744049117	Host: 10.0.0.104 ()	Ports: 8008/open/tcp//http-alt//
+Timestamp: 1744049118	Host: 10.0.0.131 ()	Ports: 9100/open/tcp//hp-pdl-datastr//
+Timestamp: 1744049122	Host: 10.0.0.5 ()	Ports: 5000/open/tcp//commplex-main//
+Timestamp: 1744049123	Host: 10.0.0.104 ()	Ports: 8009/open/tcp//unknown//
+Timestamp: 1744049123	Host: 10.0.0.1 ()	Ports: 5000/open/tcp//commplex-main//
+Timestamp: 1744049126	Host: 10.0.0.1 ()	Ports: 443/open/tcp//https//
+Timestamp: 1744049127	Host: 10.0.0.1 ()	Ports: 53/open/tcp//domain//
+Timestamp: 1744049133	Host: 10.0.0.137 ()	Ports: 49152/open/tcp//unknown//
+Timestamp: 1744049136	Host: 10.0.0.107 ()	Ports: 62078/open/tcp//unknown//
+Timestamp: 1744049137	Host: 10.0.0.1 ()	Ports: 80/open/tcp//http//
+Timestamp: 1744049139	Host: 10.0.0.109 ()	Ports: 53764/open/tcp//unknown//
+Timestamp: 1744049139	Host: 10.0.0.101 ()	Ports: 49152/open/tcp//unknown//
+Timestamp: 1744049140	Host: 10.0.0.5 ()	Ports: 443/open/tcp//https//
+Timestamp: 1744049140	Host: 10.0.0.101 ()	Ports: 7000/open/tcp//afs3-fileserver//
+Timestamp: 1744049142	Host: 10.0.0.106 ()	Ports: 80/open/tcp//http//
+Timestamp: 1744049145	Host: 10.0.0.131 ()	Ports: 80/open/tcp//http//
+Timestamp: 1744049149	Host: 10.0.0.140 ()	Ports: 62078/open/tcp//unknown//
+Timestamp: 1744049153	Host: 10.0.0.5 ()	Ports: 8080/open/tcp//http-alt//
+Timestamp: 1744049153	Host: 10.0.0.141 ()	Ports: 62078/open/tcp//unknown//
+Timestamp: 1744049157	Host: 10.0.0.5 ()	Ports: 8765/open/tcp//ultraseek-http//
+Timestamp: 1744049159	Host: 10.0.0.103 ()	Ports: 4548/open/tcp//synchromesh//
+Timestamp: 1744049160	Host: 10.0.0.1 ()	Ports: 56688/open/tcp//unknown//
+Timestamp: 1744049162	Host: 10.0.0.5 ()	Ports: 445/open/tcp//microsoft-ds//
+Timestamp: 1744049162	Host: 10.0.0.5 ()	Ports: 32400/open/tcp//unknown//
+Timestamp: 1744049162	Host: 10.0.0.25 ()	Ports: 9080/open/tcp//glrpc//
+Timestamp: 1744049163	Host: 10.0.0.5 ()	Ports: 514/open/tcp//shell//
+Timestamp: 1744049163	Host: 10.0.0.141 ()	Ports: 60651/open/tcp//unknown//
+Timestamp: 1744049166	Host: 10.0.0.1 ()	Ports: 5555/open/tcp//personal-agent//
+Timestamp: 1744049171	Host: 10.0.0.25 ()	Ports: 8000/open/tcp//irdmi//
+Timestamp: 1744049178	Host: 10.0.0.103 ()	Ports: 22/open/tcp//ssh//
+Timestamp: 1744049178	Host: 10.0.0.140 ()	Ports: 60651/open/tcp//unknown//
+Timestamp: 1744049180	Host: 10.0.0.109 ()	Ports: 853/open/tcp//domain-s//
+Timestamp: 1744049185	Host: 10.0.0.104 ()	Ports: 33337/open/tcp//unknown//
+Timestamp: 1744049187	Host: 10.0.0.131 ()	Ports: 23011/open/tcp//unknown//
+Timestamp: 1744049188	Host: 10.0.0.104 ()	Ports: 8443/open/tcp//pcsync-https//
+Timestamp: 1744049190	Host: 10.0.0.104 ()	Ports: 10000/open/tcp//ndmp//
+Timestamp: 1744049190	Host: 10.0.0.104 ()	Ports: 54380/open/tcp//unknown//
+Timestamp: 1744049193	Host: 10.0.0.142 ()	Ports: 49152/open/tcp//unknown//
+Timestamp: 1744049196	Host: 10.0.0.102 ()	Ports: 49156/open/tcp//unknown//
+Timestamp: 1744049197	Host: 10.0.0.5 ()	Ports: 36133/open/tcp//unknown//
+Timestamp: 1744049199	Host: 10.0.0.102 ()	Ports: 7100/open/tcp//font-service//
+Timestamp: 1744049205	Host: 10.0.0.101 ()	Ports: 7100/open/tcp//font-service//
+Timestamp: 1744049206	Host: 10.0.0.109 ()	Ports: 7000/open/tcp//afs3-fileserver//
+# Masscan done at Mon Apr  7 18:06:48 2025

masscan_ips.txt

@@ -0,0 +1,17 @@
+10.0.0.1
+10.0.0.5
+10.0.0.25
+10.0.0.101
+10.0.0.102
+10.0.0.103
+10.0.0.104
+10.0.0.106
+10.0.0.107
+10.0.0.109
+10.0.0.131
+10.0.0.132
+10.0.0.133
+10.0.0.137
+10.0.0.140
+10.0.0.141
+10.0.0.142

masscan_ports.txt

@@ -0,0 +1,54 @@
+21
+22
+53
+80
+111
+139
+443
+445
+514
+548
+853
+902
+1723
+1990
+4548
+5000
+5001
+5555
+5583
+6009
+7000
+7100
+8000
+8008
+8009
+8080
+8081
+8200
+8443
+8765
+9000
+9080
+9100
+9867
+10000
+10001
+23010
+23011
+32400
+33336
+33337
+35099
+36133
+39937
+42421
+42422
+49152
+49156
+49403
+53764
+54380
+56688
+60651
+62078

paused.conf

@@ -0,0 +1,27 @@
+
+# resume information
+resume-index = 1018697
+seed = 1310826373785535922
+rate = 10000     
+shard = 1/1
+banners = true
+nocapture = servername
+
+output-filename = masscan.out
+output-format = grepable
+
+adapter = en0
+adapter-ip = 10.0.0.115
+# TARGET SELECTION (IP, PORTS, EXCLUDES)
+ports = 1-65535
+range = 10.0.0.1
+range = 10.0.0.5
+range = 10.0.0.25
+range = 10.0.0.100-10.0.0.109
+range = 10.0.0.115
+range = 10.0.0.118
+range = 10.0.0.125
+range = 10.0.0.131
+range = 10.0.0.133
+range = 10.0.0.137
+

tcp-full.gnmap

@@ -0,0 +1,22 @@
+# Nmap 7.95 scan initiated Mon Apr  7 11:29:53 2025 as: nmap -sV -Pn -p 21,22,53,80,111,139,443,445,514,548,853,902,1723,1990,4548,5000,5001,5555,5583,6009,7000,7100,8000,8008,8009,8080,8081,8200,8443,8765,9000,9080,9100,9867,10000,10001,23010,23011,32400,33336,33337,35099,36133,39937,42421,42422,49152,49156,49403,53764,54380,56688,60651,62078 -T4 -iL masscan_ips.txt -oA tcp-full -sC --script=default,vuln --host-timeout 10m
+Host: 10.0.0.1 ()	Status: Up
+Host: 10.0.0.1 ()	Status: Timeout
+Host: 10.0.0.5 ()	Status: Up
+Host: 10.0.0.5 ()	Status: Timeout
+Host: 10.0.0.25 (esxi)	Status: Up
+Host: 10.0.0.25 (esxi)	Status: Timeout
+Host: 10.0.0.101 ()	Status: Up
+Host: 10.0.0.101 ()	Status: Timeout
+Host: 10.0.0.102 ()	Status: Up
+Host: 10.0.0.102 ()	Status: Timeout
+Host: 10.0.0.103 ()	Status: Up
+Host: 10.0.0.103 ()	Status: Timeout
+Host: 10.0.0.104 ()	Status: Up
+Host: 10.0.0.104 ()	Status: Timeout
+Host: 10.0.0.106 ()	Status: Up
+Host: 10.0.0.106 ()	Status: Timeout
+Host: 10.0.0.107 ()	Status: Up
+Host: 10.0.0.107 ()	Status: Timeout
+Host: 10.0.0.131 ()	Status: Up
+Host: 10.0.0.131 ()	Status: Timeout
+# Nmap done at Mon Apr  7 11:47:57 2025 -- 17 IP addresses (10 hosts up) scanned in 1083.96 seconds

tcp-full.nmap

@@ -0,0 +1,39 @@
+# Nmap 7.95 scan initiated Mon Apr  7 11:29:53 2025 as: nmap -sV -Pn -p 21,22,53,80,111,139,443,445,514,548,853,902,1723,1990,4548,5000,5001,5555,5583,6009,7000,7100,8000,8008,8009,8080,8081,8200,8443,8765,9000,9080,9100,9867,10000,10001,23010,23011,32400,33336,33337,35099,36133,39937,42421,42422,49152,49156,49403,53764,54380,56688,60651,62078 -T4 -iL masscan_ips.txt -oA tcp-full -sC --script=default,vuln --host-timeout 10m
+Pre-scan script results:
+| broadcast-avahi-dos: 
+|   Discovered hosts:
+|     224.0.0.251
+|   After NULL UDP avahi packet DoS (CVE-2011-1002).
+|_  Hosts are all up (not vulnerable).
+Nmap scan report for 10.0.0.1
+Host is up (0.0064s latency).
+Skipping host 10.0.0.1 due to host timeout
+Nmap scan report for 10.0.0.5
+Host is up (0.0052s latency).
+Skipping host 10.0.0.5 due to host timeout
+Nmap scan report for esxi (10.0.0.25)
+Host is up (0.0074s latency).
+Skipping host esxi (10.0.0.25) due to host timeout
+Nmap scan report for 10.0.0.101
+Host is up (0.010s latency).
+Skipping host 10.0.0.101 due to host timeout
+Nmap scan report for 10.0.0.102
+Host is up (0.041s latency).
+Skipping host 10.0.0.102 due to host timeout
+Nmap scan report for 10.0.0.103
+Host is up (0.0062s latency).
+Skipping host 10.0.0.103 due to host timeout
+Nmap scan report for 10.0.0.104
+Host is up (0.0091s latency).
+Skipping host 10.0.0.104 due to host timeout
+Nmap scan report for 10.0.0.106
+Host is up (0.0059s latency).
+Skipping host 10.0.0.106 due to host timeout
+Nmap scan report for 10.0.0.107
+Host is up (0.0075s latency).
+Skipping host 10.0.0.107 due to host timeout
+Nmap scan report for 10.0.0.131
+Host is up (0.013s latency).
+Skipping host 10.0.0.131 due to host timeout
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Mon Apr  7 11:47:57 2025 -- 17 IP addresses (10 hosts up) scanned in 1083.96 seconds