From f38a117eec5fa6fba4d740bf4eb7b419eb5f4176 Mon Sep 17 00:00:00 2001
From: test
Date: Mon, 16 Sep 2019 17:08:25 +0500
Subject: [PATCH 1/3] Integrated dirb (http & https) && gobuster for HTTP protocol
---
 app/settings.py | 33 ++++++++++++--
 sparta.conf | 118 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 147 insertions(+), 4 deletions(-)
 create mode 100644 sparta.conf
diff --git a/app/settings.py b/app/settings.py
index 25b1d1b..93ab98f 100644
--- a/app/settings.py
+++ b/app/settings.py
@@ -86,7 +86,25 @@ def createDefaultSettings(self):
 self.actions.beginGroup('PortActions')
 self.actions.setValue("banner", ["Grab banner", "bash -c \"echo \"\" | nc -v -n -w1 [IP] [PORT]\"", ""])
 self.actions.setValue("nmap", ["Run nmap (scripts) on port", "nmap -Pn -sV -sC -vvvvv -p[PORT] [IP] -oA [OUTPUT]", ""])
- self.actions.setValue("nikto", ["Run nikto", "nikto -o \"[OUTPUT].txt\" -p [PORT] -h [IP]", "http,https,ssl,soap,http-proxy,http-alt"])
+ self.actions.setValue("nikto", ["Run nikto", "nikto -o \"[OUTPUT].txt\" -p [PORT] -h [IP]", "http,https,ssl,soap,http-proxy,http-alt"])
+
+ # -------------------------------------------
+ # Custom Implemented Scripts
+
+ self.actions.setValue("dirb", ["Run dirb http (quick)", "dirb http://[IP]:[PORT] /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -f -S -o \"[OUTPUT].txt\"", "http,https,ssl,soap,http-proxy,http-alt"])
+
+ self.actions.setValue("dirbs", ["Run dirb https (quick)", "dirb https://[IP]:[PORT] /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -f -S -o \"[OUTPUT].txt\"", "http,https,ssl,soap,http-proxy,http-alt"])
+
+ self.actions.setValue("dirbe", ["Run dirb http (exhaustive)", "dirb http://[IP]:[PORT] /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -X .conf,.html,.inc,.ini,.json,.log,.php,.py,.sql,.tar,.txt,.zip -f -S -o \"[OUTPUT].txt\"", "http,https,ssl,soap,http-proxy,http-alt"])
+
+ self.actions.setValue("dirbes", ["Run dirb https (exhaustive)", "dirb https://[IP]:[PORT] /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -X .conf,.html,.inc,.ini,.json,.log,.php,.py,.sql,.tar,.txt,.zip -f -S -o \"[OUTPUT].txt\"", "http,https,ssl,soap,http-proxy,http-alt"])
+
+ self.actions.setValue("gobuster", ["Run gobuster (exhaustive)", "gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -k -l -e -b 404 -x .conf,.html,.inc,.ini,.json,.log,.php,.py,.sql,.tar,.txt,.zip --threads 1 --timeout 10s -u http://[IP]:[PORT] --wildcard -z -o \"[OUTPUT].txt\"", "http,https,ssl,soap,http-proxy,http-alt"])
+
+
+ # -------------------------------------------
+
+
 self.actions.setValue("dirbuster", ["Launch dirbuster", "java -Xmx256M -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -u http://[IP]:[PORT]/", "http,https,ssl,soap,http-proxy,http-alt"])
 self.actions.setValue("webslayer", ["Launch webslayer", "webslayer", "http,https,ssl,soap,http-proxy,http-alt"])
 self.actions.setValue("whatweb", ["Run whatweb", "whatweb [IP]:[PORT] --color=never --log-brief=\"[OUTPUT].txt\"", "http,https,ssl,soap,http-proxy,http-alt"])
@@ -156,11 +174,17 @@ def createDefaultSettings(self):
 
 self.actions.beginGroup('SchedulerSettings')
 self.actions.setValue("nikto",["http,https,ssl,soap,http-proxy,http-alt,https-alt","tcp"])
+
+ # ---------------------------------
+ # Custom Scheduled Scripts
+ self.actions.setValue("dirb",["http,https,ssl,soap,http-proxy,http-alt,https-alt","tcp"])
+ # ---------------------------------
+
 self.actions.setValue("screenshooter",["http,https,ssl,http-proxy,http-alt,https-alt","tcp"])
 self.actions.setValue("smbenum",["microsoft-ds","tcp"])
-# self.actions.setValue("enum4linux","netbios-ssn,microsoft-ds")
-# self.actions.setValue("smb-null-sessions","netbios-ssn,microsoft-ds")
-# self.actions.setValue("nbtscan","netbios-ns")
+ self.actions.setValue("enum4linux","netbios-ssn,microsoft-ds")
+ self.actions.setValue("smb-null-sessions","netbios-ssn,microsoft-ds")
+ self.actions.setValue("nbtscan","netbios-ns")
 self.actions.setValue("snmpcheck",["snmp","udp"])
 self.actions.setValue("x11screen",["X11","tcp"])
 self.actions.setValue("snmp-default",["snmp","udp"])
@@ -430,3 +454,4 @@ def __eq__(self, other): # returns false if settings objects are diffe
 print s == s2
 s2.general_default_terminal = 'whatever'
 print s == s2
+
diff --git a/sparta.conf b/sparta.conf
new file mode 100644
index 0000000..73eef80
--- /dev/null
+++ b/sparta.conf
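Review bot: All five new actions hard-code the wordlist at `/usr/share/wordlists/seclists/Discovery/Web-Content/big.txt`, while tool locations elsewhere come from ToolSettings (`nmap-path`, `hydra-path`); on a system without the seclists package at that path every one of these actions fails at run time with no hint in the UI, so a `wordlist-path` setting, or at least a comment `# requires the seclists package (Kali default path)` above the group, would make the dependency visible. The `http://` variants (`dirb`, `dirbe`, `gobuster`) are registered for `https,ssl` as well, where a plain-http request to a TLS port cannot succeed; giving each scheme only its matching services avoids dead menu entries. The `nikto` line is removed and re-added with identical visible text, so that change is presumably indentation only — worth confirming the added lines use the same indentation character as the rest of the method, since this is a Python 2 file (`print s == s2` further down) where mixed tabs and spaces can change block structure without an error. createDefaultSettings begins and ends outside the hunk.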
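Review bot: The three re-enabled entries `enum4linux`, `smb-null-sessions` and `nbtscan` are stored as a bare string, whereas every other SchedulerSettings value in this group is a `[services, protocol]` list, so whatever reads the group presumably gets the service string where it expects a list and no protocol at all; they should match the others, e.g. `self.actions.setValue("enum4linux",["netbios-ssn,microsoft-ds","tcp"])`, or stay commented out, since the commit message does not mention enabling them. The new `dirb` scheduler entry pairs with the `http://`-only quick action but is enabled for `https,ssl` services too, where it fails the same way as in the PortActions hunk above. Scheduling a full big.txt enumeration against every discovered web port is also a large change in default scan volume and duration compared with the existing `nikto` entry; a comment stating that this is intentional would help the next reader. createDefaultSettings begins and ends outside the hunk.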
@@ -0,0 +1,118 @@
+[GeneralSettings]
+default-terminal=gnome-terminal
+tool-output-black-background=False
+screenshooter-timeout=15000
+web-services="http,https,ssl,soap,http-proxy,http-alt,https-alt"
+enable-scheduler=True
+enable-scheduler-on-import=False
+max-fast-processes=10
+max-slow-processes=10
+
+[BruteSettings]
+store-cleartext-passwords-on-exit=True
+username-wordlist-path=/usr/share/wordlists/
+password-wordlist-path=/usr/share/wordlists/
+default-username=root
+default-password=password
+services="asterisk,afp,cisco,cisco-enable,cvs,firebird,ftp,ftps,http-head,http-get,https-head,https-get,http-get-form,http-post-form,https-get-form,https-post-form,http-proxy,http-proxy-urlenum,icq,imap,imaps,irc,ldap2,ldap2s,ldap3,ldap3s,ldap3-crammd5,ldap3-crammd5s,ldap3-digestmd5,ldap3-digestmd5s,mssql,mysql,ncp,nntp,oracle-listener,oracle-sid,pcanywhere,pcnfs,pop3,pop3s,postgres,rdp,rexec,rlogin,rsh,s7-300,sip,smb,smtp,smtps,smtp-enum,snmp,socks5,ssh,sshkey,svn,teamspeak,telnet,telnets,vmauthd,vnc,xmpp"
+no-username-services="cisco,cisco-enable,oracle-listener,s7-300,snmp,vnc"
+no-password-services="oracle-sid,rsh,smtp-enum"
+
+[StagedNmapSettings]
+stage1-ports="T:80,443"
+stage2-ports="T:25,135,137,139,445,1433,3306,5432,U:137,161,162,1434"
+stage3-ports="T:23,21,22,110,111,2049,3389,8080,U:500,5060"
+stage4-ports="T:0-20,24,26-79,81-109,112-134,136,138,140-442,444,446-1432,1434-2048,2050-3305,3307-3388,3390-5431,5433-8079,8081-29999"
+stage5-ports=T:30000-65535
+
+[ToolSettings]
+nmap-path=/usr/bin/nmap
+hydra-path=/usr/bin/hydra
+cutycapt-path=/usr/bin/cutycapt
+texteditor-path=/usr/bin/leafpad
+
+[HostActions]
+nmap-fast-tcp=Run nmap (fast TCP), nmap -Pn -F -T4 -vvvv [IP] -oA \"[OUTPUT]\"
+nmap-full-tcp=Run nmap (full TCP), nmap -Pn -sV -sC -O -p- -T4 -vvvvv [IP] -oA \"[OUTPUT]\"
+nmap-fast-udp=Run nmap (fast UDP), "nmap -n -Pn -sU -F --min-rate=1000 -vvvvv [IP] -oA \"[OUTPUT]\""
+nmap-udp-1000=Run nmap (top 1000 quick UDP), "nmap -n -Pn -sU --min-rate=1000 -vvvvv [IP] -oA \"[OUTPUT]\""
+nmap-full-udp=Run nmap (full UDP), nmap -n -Pn -sU -p- -T4 -vvvvv [IP] -oA \"[OUTPUT]\"
+unicornscan-full-udp=Run unicornscan (full UDP), unicornscan -mU -Ir 1000 [IP]:a -v
+
+[PortActions]
+banner=Grab banner, bash -c \"echo \"\" | nc -v -n -w1 [IP] [PORT]\",
+nmap=Run nmap (scripts) on port, nmap -Pn -sV -sC -vvvvv -p[PORT] [IP] -oA [OUTPUT],
+nikto=Run nikto, nikto -o \"[OUTPUT].txt\" -p [PORT] -h [IP], "http,https,ssl,soap,http-proxy,http-alt"
+dirb=Run dirb http (quick), dirb http://[IP]:[PORT] /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -f -S -o \"[OUTPUT].txt\", "http,https,ssl,soap,http-proxy,http-alt"
+dirbs=Run dirb https (quick), dirb https://[IP]:[PORT] /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -f -S -o \"[OUTPUT].txt\", "http,https,ssl,soap,http-proxy,http-alt"
+dirbe=Run dirb http (exhaustive), dirb http://[IP]:[PORT] /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -f -S -o \"[OUTPUT].txt\" -X ",.conf,.html,.inc,.ini,.json,.log,.php,.py,.sql,.tar,.txt,.zip", "http,https,ssl,soap,http-proxy,http-alt"
+dirbes=Run dirb https (exhaustive), dirb https://[IP]:[PORT] /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -f -S -o \"[OUTPUT].txt\" -X ",.conf,.html,.inc,.ini,.json,.log,.php,.py,.sql,.tar,.txt,.zip", "http,https,ssl,soap,http-proxy,http-alt"
+gobuster=Run gobuster (exhaustive), gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -k -l -e -b 404 --threads 1 --timeout 10s -u http://192.168.30.179/ --wildcard -z -o \"[OUTPUT].txt\" -x ".conf,.html,.inc,.ini,.json,.log,.php,.py,.sql,.tar,.txt,.zip", "http,https,ssl,soap,http-proxy,http-alt"
+dirbuster=Launch dirbuster, java -Xmx256M -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -u http://[IP]:[PORT]/, "http,https,ssl,soap,http-proxy,http-alt"
+webslayer=Launch webslayer, webslayer, "http,https,ssl,soap,http-proxy,http-alt"
+whatweb=Run whatweb, "whatweb [IP]:[PORT] --color=never --log-brief=\"[OUTPUT].txt\"", "http,https,ssl,soap,http-proxy,http-alt"
+samrdump=Run samrdump, python /usr/share/doc/python-impacket/examples/samrdump.py [IP] [PORT]/SMB, "netbios-ssn,microsoft-ds"
+nbtscan=Run nbtscan, nbtscan -v -h [IP], netbios-ns
+smbenum=Run smbenum, bash ./scripts/smbenum.sh [IP], "netbios-ssn,microsoft-ds"
+enum4linux=Run enum4linux, enum4linux [IP], "netbios-ssn,microsoft-ds"
+polenum=Extract password policy (polenum), polenum [IP], "netbios-ssn,microsoft-ds"
+smb-enum-users=Enumerate users (nmap), "nmap -p[PORT] --script=smb-enum-users [IP] -vvvvv", "netbios-ssn,microsoft-ds"
+smb-enum-users-rpc=Enumerate users (rpcclient), bash -c \"echo 'enumdomusers' | rpcclient [IP] -U%\", "netbios-ssn,microsoft-ds"
+smb-enum-admins=Enumerate domain admins (net), "net rpc group members \"Domain Admins\" -I [IP] -U% ", "netbios-ssn,microsoft-ds"
+smb-enum-groups=Enumerate groups (nmap), "nmap -p[PORT] --script=smb-enum-groups [IP] -vvvvv", "netbios-ssn,microsoft-ds"
+smb-enum-shares=Enumerate shares (nmap), "nmap -p[PORT] --script=smb-enum-shares [IP] -vvvvv", "netbios-ssn,microsoft-ds"
+smb-enum-sessions=Enumerate logged in users (nmap), "nmap -p[PORT] --script=smb-enum-sessions [IP] -vvvvv", "netbios-ssn,microsoft-ds"
+smb-enum-policies=Extract password policy (nmap), "nmap -p[PORT] --script=smb-enum-domains [IP] -vvvvv", "netbios-ssn,microsoft-ds"
+smb-null-sessions=Check for null sessions (rpcclient), bash -c \"echo 'srvinfo' | rpcclient [IP] -U%\", "netbios-ssn,microsoft-ds"
+ldapsearch=Run ldapsearch, ldapsearch -h [IP] -p [PORT] -x -s base, ldap
+snmpcheck=Run snmpcheck, snmp-check -t [IP], "snmp,snmptrap"
+rpcinfo=Run rpcinfo, rpcinfo -p [IP], rpcbind
+rdp-sec-check=Run rdp-sec-check.pl, perl ./scripts/rdp-sec-check.pl [IP]:[PORT], ms-wbt-server
+showmount=Show nfs shares, showmount -e [IP], nfs
+x11screen=Run x11screenshot, bash ./scripts/x11screenshot.sh [IP], X11
+sslscan=Run sslscan, sslscan --no-failed [IP]:[PORT], "https,ssl"
+sslyze=Run sslyze, sslyze --regular [IP]:[PORT], "https,ssl,ms-wbt-server,imap,pop3,smtp"
+rwho=Run rwho, rwho -a [IP], who
+finger=Enumerate users (finger), ./scripts/fingertool.sh [IP], finger
+smtp-enum-vrfy=Enumerate SMTP users (VRFY), smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t [IP] -p [PORT], smtp
+smtp-enum-expn=Enumerate SMTP users (EXPN), smtp-user-enum -M EXPN -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t [IP] -p [PORT], smtp
+smtp-enum-rcpt=Enumerate SMTP users (RCPT), smtp-user-enum -M RCPT -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t [IP] -p [PORT], smtp
+ftp-default=Check for default ftp credentials, hydra -s [PORT] -C ./wordlists/ftp-default-userpass.txt -u -o \"[OUTPUT].txt\" -f [IP] ftp, ftp
+mssql-default=Check for default mssql credentials, hydra -s [PORT] -C ./wordlists/mssql-default-userpass.txt -u -o \"[OUTPUT].txt\" -f [IP] mssql, ms-sql-s
+mysql-default=Check for default mysql credentials, hydra -s [PORT] -C ./wordlists/mysql-default-userpass.txt -u -o \"[OUTPUT].txt\" -f [IP] mysql, mysql
+oracle-default=Check for default oracle credentials, hydra -s [PORT] -C ./wordlists/oracle-default-userpass.txt -u -o \"[OUTPUT].txt\" -f [IP] oracle-listener, oracle-tns
+postgres-default=Check for default postgres credentials, hydra -s [PORT] -C ./wordlists/postgres-default-userpass.txt -u -o \"[OUTPUT].txt\" -f [IP] postgres, postgresql
+snmp-default=Check for default community strings, python ./scripts/snmpbrute.py -t [IP] -p [PORT] -f ./wordlists/snmp-default.txt -b --no-colours, "snmp,snmptrap"
+snmp-brute=Bruteforce community strings (medusa), bash -c \"medusa -h [IP] -u root -P ./wordlists/snmp-default.txt -M snmp | grep SUCCESS\", "snmp,snmptrap"
+oracle-version=Get version, "msfcli auxiliary/scanner/oracle/tnslsnr_version rhosts=[IP] E", oracle-tns
+oracle-sid=Oracle SID enumeration, "msfcli auxiliary/scanner/oracle/sid_enum rhosts=[IP] E", oracle-tns
+
+[PortTerminalActions]
+netcat=Open with netcat, nc -v [IP] [PORT],
+telnet=Open with telnet, telnet [IP] [PORT],
+ftp=Open with ftp client, ftp [IP] [PORT], ftp
+mysql=Open with mysql client (as root), "mysql -u root -h [IP] --port=[PORT] -p", mysql
+mssql=Open with mssql client (as sa), python /usr/share/doc/python-impacket/examples/mssqlclient.py -p [PORT] sa@[IP], "mys-sql-s,codasrv-se"
+ssh=Open with ssh client (as root), ssh root@[IP] -p [PORT], ssh
+psql=Open with postgres client (as postgres), psql -h [IP] -p [PORT] -U postgres, postgres
+rdesktop=Open with rdesktop, rdesktop [IP]:[PORT], ms-wbt-server
+rpcclient=Open with rpcclient (NULL session), rpcclient [IP] -p [PORT] -U%, "netbios-ssn,microsoft-ds"
+vncviewer=Open with vncviewer, vncviewer [IP]:[PORT], vnc
+xephyr=Open with Xephyr, Xephyr -query [IP] :1, xdmcp
+rlogin=Open with rlogin, rlogin -i root -p [PORT] [IP], login
+rsh=Open with rsh, rsh -l root [IP], shell
+
+[SchedulerSettings]
+nikto="http,https,ssl,soap,http-proxy,http-alt,https-alt", tcp
+dirb="http,https,ssl,soap,http-proxy,http-alt,https-alt", tcp
+screenshooter="http,https,ssl,http-proxy,http-alt,https-alt", tcp
+smbenum=microsoft-ds, tcp
+snmpcheck=snmp, udp
+x11screen=X11, tcp
+snmp-default=snmp, udp
+smtp-enum-vrfy=smtp, tcp
+mysql-default=mysql, tcp
+mssql-default=ms-sql-s, tcp
+ftp-default=ftp, tcp
+postgres-default=postgresql, tcp
+oracle-default=oracle-tns, tcp
From cdcc9629db1b33ce652ce48f4f2cd1fb3f5068ea Mon Sep 17 00:00:00 2001
From: test
Date: Tue, 17 Sep 2019 17:56:22 +0500
Subject: [PATCH 2/3] Integrated automated running of showmount on finding 2049/tcp
---
 app/settings.py | 1 +
 sparta.conf | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/settings.py b/app/settings.py
index 93ab98f..ba506b4 100644
--- a/app/settings.py
+++ b/app/settings.py
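Review bot: The `gobuster` line under [PortActions] targets a literal address, `-u http://192.168.30.179/`, instead of `-u http://[IP]:[PORT]` as the same action does in app/settings.py in this commit, so running it from the UI would scan that fixed host regardless of the selected target; it looks like a leftover from local testing and should use the placeholders. The `dirbe`/`dirbes` entries also differ from their settings.py counterparts: `-X ",.conf,..."` carries a leading comma, which presumably hands dirb an empty extension. More generally, sparta.conf is the serialized form of the same groups and keys that createDefaultSettings builds, and checking in a copy means two hand-maintained sources for the same defaults that have already drifted within this one commit; either generate the file from the code defaults or keep it out of the repository. If it is kept, `store-cleartext-passwords-on-exit=True` deserves a deliberate decision rather than being inherited from a local machine's settings.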
@@ -178,6 +178,7 @@ def createDefaultSettings(self):
 # ---------------------------------
 # Custom Scheduled Scripts
 self.actions.setValue("dirb",["http,https,ssl,soap,http-proxy,http-alt,https-alt","tcp"])
+ self.actions.setValue("showmount",["nfs","tcp"])
 # ---------------------------------
 
 self.actions.setValue("screenshooter",["http,https,ssl,http-proxy,http-alt,https-alt","tcp"])
diff --git a/sparta.conf b/sparta.conf
index 73eef80..8dcd448 100644
--- a/sparta.conf
+++ b/sparta.conf
@@ -105,6 +105,7 @@ rsh=Open with rsh, rsh -l root [IP], shell
 [SchedulerSettings]
 nikto="http,https,ssl,soap,http-proxy,http-alt,https-alt", tcp
 dirb="http,https,ssl,soap,http-proxy,http-alt,https-alt", tcp
+showmount=nfs, tcp
 screenshooter="http,https,ssl,http-proxy,http-alt,https-alt", tcp
 smbenum=microsoft-ds, tcp
 snmpcheck=snmp, udp
@@ -115,4 +116,4 @@ mysql-default=mysql, tcp
 mssql-default=ms-sql-s, tcp
 ftp-default=ftp, tcp
 postgres-default=postgresql, tcp
-oracle-default=oracle-tns, tcp
+oracle-default=oracle-tns, tcp
\ No newline at end of file
From 8707707384ea14d962a6a4f3d247f1aa974838bb Mon Sep 17 00:00:00 2001
From: test
Date: Thu, 19 Sep 2019 20:59:59 +0500
Subject: [PATCH 3/3] Included nfs_acl for showmount
---
 app/settings.py | 4 ++--
 sparta.conf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/settings.py b/app/settings.py
index ba506b4..8da5684 100644
--- a/app/settings.py
+++ b/app/settings.py
@@ -129,7 +129,7 @@ def createDefaultSettings(self):
 self.actions.setValue("snmpcheck", ["Run snmpcheck", "snmp-check -t [IP]", "snmp,snmptrap"]) ###Change from snmpcheck to snmp-check for Kali 2.0
 self.actions.setValue("rpcinfo", ["Run rpcinfo", "rpcinfo -p [IP]", "rpcbind"])
 self.actions.setValue("rdp-sec-check", ["Run rdp-sec-check.pl", "perl ./scripts/rdp-sec-check.pl [IP]:[PORT]", "ms-wbt-server"])
- self.actions.setValue("showmount", ["Show nfs shares", "showmount -e [IP]", "nfs"])
+ self.actions.setValue("showmount", ["Show nfs shares", "showmount -e [IP]", "nfs,nfs_acl"])
 self.actions.setValue("x11screen", ["Run x11screenshot", "bash ./scripts/x11screenshot.sh [IP]", "X11"])
 self.actions.setValue("sslscan", ["Run sslscan", "sslscan --no-failed [IP]:[PORT]", "https,ssl"])
 self.actions.setValue("sslyze", ["Run sslyze", "sslyze --regular [IP]:[PORT]", "https,ssl,ms-wbt-server,imap,pop3,smtp"])
@@ -178,7 +178,7 @@ def createDefaultSettings(self):
 # ---------------------------------
 # Custom Scheduled Scripts
 self.actions.setValue("dirb",["http,https,ssl,soap,http-proxy,http-alt,https-alt","tcp"])
- self.actions.setValue("showmount",["nfs","tcp"])
+ self.actions.setValue("showmount",["nfs,nfs_acl","tcp"])
 # ---------------------------------
 
 self.actions.setValue("screenshooter",["http,https,ssl,http-proxy,http-alt,https-alt","tcp"])
diff --git a/sparta.conf b/sparta.conf
index 8dcd448..af6561e 100644
--- a/sparta.conf
+++ b/sparta.conf
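Review bot: `nfs,nfs_acl` is introduced in four places (this hunk, the SchedulerSettings hunk below it, and both sparta.conf hunks) with no explanation of why a second service name is needed, so a later cleanup could easily reduce it back to `nfs`. A one-line comment on the PortActions entry, `# nmap version detection may report 2049/tcp as nfs_acl rather than nfs; match both`, would record the reason (that is my reading of the commit title; confirm it). Keeping the settings.py and sparta.conf copies in sync by hand is exactly what went wrong for the gobuster entry in the first patch, which is a further argument for a single source for these defaults. createDefaultSettings begins and ends outside both hunks.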
@@ -68,7 +68,7 @@ ldapsearch=Run ldapsearch, ldapsearch -h [IP] -p [PORT] -x -s base, ldap
 snmpcheck=Run snmpcheck, snmp-check -t [IP], "snmp,snmptrap"
 rpcinfo=Run rpcinfo, rpcinfo -p [IP], rpcbind
 rdp-sec-check=Run rdp-sec-check.pl, perl ./scripts/rdp-sec-check.pl [IP]:[PORT], ms-wbt-server
-showmount=Show nfs shares, showmount -e [IP], nfs
+showmount=Show nfs shares, showmount -e [IP], "nfs,nfs_acl"
 x11screen=Run x11screenshot, bash ./scripts/x11screenshot.sh [IP], X11
 sslscan=Run sslscan, sslscan --no-failed [IP]:[PORT], "https,ssl"
 sslyze=Run sslyze, sslyze --regular [IP]:[PORT], "https,ssl,ms-wbt-server,imap,pop3,smtp"
@@ -105,7 +105,7 @@ rsh=Open with rsh, rsh -l root [IP], shell
 [SchedulerSettings]
 nikto="http,https,ssl,soap,http-proxy,http-alt,https-alt", tcp
 dirb="http,https,ssl,soap,http-proxy,http-alt,https-alt", tcp
-showmount=nfs, tcp
+showmount="nfs,nfs_acl", tcp
 screenshooter="http,https,ssl,http-proxy,http-alt,https-alt", tcp
 smbenum=microsoft-ds, tcp
 snmpcheck=snmp, udp