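#!/bin/bash
#
# webapp.sh - one-shot web-application recon driver for an engagement.
#
# Flow: prompt for a project name, create ~/projects/<name>, open
# <name>/inscope.txt in nano for the operator to fill in, then run a fixed
# chain of scanners against the first URL in that file. Every tool writes its
# output into the project directory (the script cd's there first).
#
# The quoted heredoc at the bottom (: <<'END' ... END) is a disabled
# network-scan stage kept for troubleshooting; nothing inside it is executed.
#
# Required tools on PATH: curl, wafw00f, nmap, whatweb, nikto, testssl,
# nuclei, gobuster. The wordlist /usr/share/wordlists/dirb/common.txt and
# ~/scripts/missing-headers.txt must exist. sudo is only needed by the
# disabled stage.
#
# NOTE: `set -e` is deliberately not used. Most scanners exit non-zero when
# they find something (or nothing), and the run is best-effort: one failing
# tool must not stop the rest. Critical steps are checked explicitly.
set -u

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Refresh the sudo timestamp up front so a later privileged step (currently
# only inside the disabled stage) does not prompt mid-run.
sudo -v && echo 'SUDO PASSWORD CACHED'

user=$(whoami)
# Tool/script locations are keyed off /home/<user> as in the original layout;
# they are only referenced by the disabled stage and the header grep below.
tools="/home/$user/tools"
scripts="/home/$user/scripts"

echo "Enter project name"
read -r -p 'Project Name: ' companyname
### SET VARIABLES ###
# The name becomes a directory under ~/projects. Reject empty names and
# anything containing a path separator or a dot-only component so the
# project directory cannot be created (or written) outside ~/projects.
[[ -n "$companyname" ]] || die "Project name must not be empty. Exiting!"
case "$companyname" in
  */* | . | ..) die "Project name must be a single directory name. Exiting!" ;;
esac
echo "Company Name = $companyname"
companypath="$HOME/projects/$companyname"
echo "Files stored in $companypath"
#make folder if it does not exist
mkdir -p -- "$companypath" || die "Cannot create $companypath. Exiting!"
# All scanner output files below are relative paths, so the cd must succeed.
cd -- "$companypath" || die "Cannot cd to $companypath. Exiting!"
echo "ENTER/VERIFY IN SCOPE IP ADDRESSES ONE ON EACH LINE IN CIDR NOTATION!!! Opening file in nano please wait....."
sleep 1
nano "$companypath/inscope.txt"
# if inscope does not exist then exit
if [[ ! -f "$companypath/inscope.txt" ]]; then
  die "inscope.txt not found. Exiting!"
fi
echo "In scope file found."
#########################################
#Set URL and DOMAIN
# The web-app stage targets a single URL, so take the first non-blank line.
# (The one-per-line CIDR list the prompt asks for is consumed only by the
# disabled nmap stage, which feeds the whole file to nmap -iL.)
url=$(grep -m 1 -v '^[[:space:]]*$' "$companypath/inscope.txt")
[[ -n "$url" ]] || die "inscope.txt has no target line. Exiting!"
# host[:port] part of the URL: field 3 when split on '/',
# e.g. https://host:8443/path -> host:8443. Empty if the URL has no scheme.
domain=$(printf '%s\n' "$url" | cut -d '/' -f3)
#Grab Headers
curl -i "$url" --head > headers.txt
#WAF Detection
wafw00f "$url" -o waf.txt -f text > waf.log
#Nmap
if [[ -n "$domain" ]]; then
  nmap "$domain" --open -oN nmap
else
  printf 'warn: could not derive a host from %s; skipping nmap\n' "$url" >&2
fi
#whatweb
whatweb "$url" | tee whatweb.txt
#Methods
#https://github.com/tjcim/ptscripts/blob/master/http_methods.py
#~/tools/ptscripts/http_methods.py -u $url -o methods
#nikto
nikto -url "$url" -o nikto.txt
#Testssl
testssl -oA testssl "$url"
#Shcheck
#Used secureheaders site instead
#nuclei
nuclei -ni -u "$url" | tee nuclei.txt
#Missing headers from nuclei scan (-i: case-insensitive, -f: patterns file)
grep -if "$scripts/missing-headers.txt" nuclei.txt > missing-headers.log
#Directory Brute Force
#feroxbuster -A --url $url -o feroxbuster.txt
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u "$url" -o gobuster.txt --random-agent -k -b 500
#Feroxbuster Parse
#cat feroxbuster.txt | grep 200 | rev | cut -d '/' -f1 | rev | sort -u > feroxbuster-parse.txt
###Block Comment for troubleshooting ####
# Quoted heredoc delimiter: nothing below is expanded or executed until END.
: <<'END'
sudo nmap -vv -sSU -iL $companypath/inscope.txt -Pn -p U:53,111,161,500,623,2049,1000,T:21,22,23,25,53,80,81,110,111,123,137-139,161,389,443,445,500,512,513,548,623-624,1099,1241,1433-1434,1521,2049,2483-2484,3306,3389,4333,4786,4848,5432,5800,5900,5901,6000,6001,7001,8000,8080,8181,8443,16992-16993,27017,32764 -oA $companypath/nmap/initial
sudo chown $user:$user $companypath/nmap/*
# nmap-grep
$tools/nmap-grep/nmap-grep.sh $companypath/nmap/initial.gnmap --out-dir $companypath/nmap/parsed --no-summary
### Add Metasploit Scripts ###
cd $companypath/nmap/parsed
msfconsole -r $scripts/metasploit.rc
### nmap scan ##
mkdir -p $companypath/nmap
sudo nmap -vv -Pn -sV -iL $companypath/inscope.txt -oA $companypath/nmap/nmap
sudo chown $user:$user $companypath/nmap/*
##Convert nmap scan to CSV for spreadsheet
python3 $scripts/xml2csv.py -f $companypath/nmap/nmap.xml -csv $companypath/nmap/nmap.csv
#python3 /opt/Nmap-Scan-to-CSV/nmap_xml_parser.py -f $companypath/nmap/nmap.xml -csv $companypath/nmap/nmap.csv
# eyewitness
#mkdir -p $companypath/eyewitness
#cd $companypath/eyewitness
####sudo eyewitness -x $companypath/nmap/nmap.xml --no-prompt --delay 10 -d $companypath/eyewitness
#$tools/Eyewitness/Python/EyeWitness.py --proxy-ip 127.0.0.1 --proxy-port 8810 --proxy-type socks5 -x $companypath/nmap/nmap.xml --no-prompt --delay 10 -d $companypath/eyewitness
####$tools/Eyewitness/Python/EyeWitness.py -x $companypath/nmap/nmap.xml --no-prompt --delay 10 -d $companypath/eyewitness
# Aquatone
mkdir -p $companypath/aquatone
cd $companypath/aquatone
cat $companypath/nmap/nmap.xml | $tools/aquatone -nmap -out $companypath/aquatone
#$tools/aquatone -nmap $companypath/nmap/nmap.xml -ports xlarge -out $companypath/aquatone
#Make results folder
mkdir -p $companypath/nmap/results
#Check security headers on URLs in scope
#./shcheck [Target URL]
#SHCHECK
echo "RUNNING SHCHECK"
mkdir -p $companypath/nmap/results/shcheck
cd $companypath/nmap/results/shcheck
parallel -a $companypath/nmap/parsed/web-urls.txt --progress -j 10 "shcheck.py {} -d > {=s/\///g=}"
grep -i missing * | cut -d : -f1,2 | sort -u > AFFECTED-HOSTS.txt
#DNSrecon
echo "RUNNING DNS RECON"
mkdir -p $companypath/nmap/results/dnsrecon
cd $companypath/nmap/results/dnsrecon
parallel -a $companypath/nmap/parsed/dns-tcp-hosts.txt --progress -j 10 "dnsrecon -d {} -t axfr > {=s/\///g=}"
#SSLScan
echo "RUNNING SSL SCAN"
mkdir -p $companypath/nmap/results/sslscan
cd $companypath/nmap/results/sslscan
#while read -r line; do sslscan $line; done < $companypath/nmap/parsed/https-hosts.txt | tee $companypath/nmap/results/sslscan.txt
#while read -r line; do sslscan $line | tee $companypath/nmap/results/sslscan/`echo $line | sed 's/\///g'`; done < $companypath/nmap/parsed/https-hosts.txt
parallel -a $companypath/nmap/parsed/https-hosts.txt --progress -j 10 "sslscan {} > {=s/\///g=}"
#SSL Results
cd $companypath/nmap/results/sslscan
grep "vulnerable" * | grep -v "not" > vulnerable.txt #NEED TO CUT OUT IP IF RESULTS
grep "enabled" * | grep "TLSv1.0" | cut -d ":" -f1 > tls10.txt
grep "enabled" * | grep "TLSv1.1" | cut -d ":" -f1 > tls11.txt
#SSH Audit
#python3 ssh-audit.py -T <target file>
#Extract ssh file from parsed
echo "RUNNING NUCLEI"
mkdir -p $companypath/nmap/results/nuclei
cd $companypath/nmap/results/nuclei
parallel -a $companypath/nmap/parsed/web-urls.txt --progress -j 10 "nuclei -u {} > {=s/\///g=}"
#nikto
echo "RUNNING NIKTO"
mkdir -p $companypath/nmap/results/nikto
cd $companypath/nmap/results/nikto
#while read -r line; do nikto -h $line; done < $companypath/nmap/parsed/web-urls.txt | tee $companypath/nmap/results/nikto.txt
#while read -r line; do proxychains -q nikto -h $line -maxtime 1h | tee $companypath/nmap/results/nikto/`echo $line | sed 's/\///g'`; done < $companypath/nmap/parsed/web-urls.txt
#parallel -a $companypath/nmap/parsed/web-urls.txt --progress -j 10 proxychains -q nikto -h {} -maxtime 1h -output . -Format txt
parallel -a $companypath/nmap/parsed/web-urls.txt --progress -j 10 "nikto -h {} -maxtime 1h > {=s/\///g=}"
#Nikto Grep Vulns
cd $companypath/nmap/results/nikto
grep -i 'real ip' http* > ip-in-header.txt #Internal IP in Header
grep -i 'ip address found' http* >> ip-in-header.txt
grep -i 'outdated' http* > outdated-software.txt
grep -i 'interesting' http* > interesting.txt
grep -i 'indexing' http* >> interesting.txt
grep -i 'OSVBD' http* > osvdb.log
grep -i 'RFC' http* > rfc.log
grep -i 'vulnerable' http* > vulnerable.log
#ffuf
mkdir -p $companypath/nmap/results/ffuf
cd $companypath/nmap/results/ffuf
#while read -r line; do dirb $line; done < $companypath/nmap/parsed/web-urls.txt | tee $companypath/nmap/results/dirb.txt
#ffuf -w /usr/share/wordlists/dirb/common.txt -u $line/FUZZ -o ffuf-
#ffuf -w web-urls.txt:TARGET -w /usr/share/wordlists/dirb/common.txt -u TARGET/FUZZ
#interlace -tL <domain list> -c "ffuf -u _target_ -w /usr/share/wordlists/dirb/common.txt -se -sf -mc all -fc 300,301,302,303,500,400,404 | tee ffuf/$url.txt
#interlace -tL $companypath/nmap/parsed/web-urls.txt -c "ffuf -u _target_ -w /usr/share/wordlists/dirb/common.txt -se -sf -mc all -fc 300,301,302,303,500,400,404 | tee ffuf/$url.txt
#while read -r line; do proxychains -q ffuf -w /usr/share/wordlists/dirb/common.txt -u $line''FUZZ -maxtime-job 3600 -se -sf -mc all -fc 300,301,302,303,500,400,404 | tee $companypath/nmap/results/ffuf/`echo $line | sed 's/\///g'`; done < $companypath/nmap/parsed/web-urls.txt
parallel -a $companypath/nmap/parsed/web-urls.txt --progress -j 10 "ffuf -w /usr/share/wordlists/dirb/common.txt -u {}FUZZ -maxtime-job 3600 -noninteractive -se -sf -mc all -fc 300,301,302,303,500,400,404 > {=s/\///g=}"
END
echo "SCRIPT COMPLETED!!!"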