This chapter covers the automated information-gathering tool nmapAutomator. It integrates many information-gathering tools so that the attacker's collection of target information is automated and comprehensive.

1. Scenario

Virtual machine: VMware
Attacking host: Kali
IP: 192.168.239.142
Target: Windows 10
IP: 192.168.239.1
Service: Apache started by XAMPP

2. Automated information-gathering tool

The main goal of nmapAutomator is to automate the enumeration and recon process that is run on every target, so that our attention can stay on the actual testing.
This ensures two things:
- nmap scans run automatically.
- Some recon is always running in the background.
Once the initial ports have been found, within "5-10 seconds", we can start looking at them manually and let the remaining scans run in the background, with no interaction needed on our side.
Usage:

```text
./nmapAutomator.sh -h

Usage: nmapAutomator.sh -H/--host <TARGET-IP> -t/--type <TYPE>
Optional: [-r/--remote <REMOTE MODE>] [-d/--dns <DNS SERVER>] [-o/--output <OUTPUT DIRECTORY>] [-s/--static-nmap <STATIC NMAP PATH>]

Scan Types:
	Network : Shows all live hosts in the host's network (~15 seconds)
	Port    : Shows all open ports (~15 seconds)
	Script  : Runs a script scan on found ports (~5 minutes)
	Full    : Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
	UDP     : Runs a UDP scan "requires sudo" (~5 minutes)
	Vulns   : Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
	Recon   : Suggests recon commands, then prompts to automatically run them
	All     : Runs all the scans (~20-30 minutes)
```
Examples:

```text
./nmapAutomator.sh --host 10.1.1.1 --type All
./nmapAutomator.sh -H 10.1.1.1 -t Basic
./nmapAutomator.sh -H academy.htb -t Recon -d 1.1.1.1
./nmapAutomator.sh -H 10.10.10.10 -t network -s ./nmap
```
Other recon tools used by the script include:
- nmap Vulners: an nmap NSE script scan, mainly for vulnerabilities in the relevant protocols.
- sslscan: SSLScan queries SSL services such as HTTPS to determine which ciphers are supported. It is designed to be simple, minimal and fast. Its output includes the SSL service's preferred ciphers and its certificate, in text and XML formats.
- nikto: Nikto is an open-source web scanning and assessment tool that runs many security tests against web servers; it can find more than 2600 potentially dangerous files, CGIs and other problems across more than 230 server types. Nikto can identify the web server type and hostname of a given host, scan specified directories and specific CGI vulnerabilities, and report the HTTP methods the host allows.
- joomscan: JoomScan is an open-source project that automates vulnerability detection and reliability assurance for Joomla CMS deployments. Implemented in Perl, it scans Joomla installations seamlessly and easily while leaving a minimal footprint thanks to its lightweight, modular architecture. It detects not only known offensive vulnerabilities but also many misconfigurations and admin-level flaws that an attacker could use to compromise the system.
- wpscan: WPScan is a vulnerability scanner that ships with Kali Linux by default. Written in Ruby, it can scan WordPress sites for many kinds of security vulnerabilities, including vulnerabilities in WordPress core, in plugins and in themes.
- droopescan: Droopescan is a plugin-based scanner that helps security researchers find issues in Drupal, SilverStripe, WordPress, Joomla (enumerating version information and exploitable URLs) and Moodle.
- smbmap: SMBMap lets a user enumerate Samba share drives across an entire domain. It lists share drives, drive permissions and share contents, supports upload/download, automatic download of files whose names match a pattern, and even remote command execution. The tool was designed with pentesting in mind, to simplify the search for potentially sensitive data across large networks.
- enum4linux: covered in the previous chapter.
- dnsrecon: covered in the previous chapter.
- odat: ODAT (Oracle Database Attacking Tool) is an open-source penetration testing tool, used mainly to test the security of remote Oracle databases.
- smtp-user-enum: smtp-user-enum ships with Kali and is written in Perl; it enumerates user accounts with the three SMTP commands described earlier.
- snmp-check: snmp-check lets you enumerate SNMP devices and presents the output in a very human-readable, friendly format. It is useful for penetration testing and for system monitoring.
- snmpwalk: covered in the previous chapter.
- ldapsearch: helps you search for entries in the LDAP directory tree.
Note: the tools above have to be installed by yourself; I have tried it, and each of them can be installed through apt. In my testing, the script used as-is scans very slowly, so I modified it to improve speed while keeping the information gathering correct.
3. Modified script

The following changes were made:
1. Raised the gobuster thread count to 50.
2. Disabled the nikto scan, which is very slow on real networks.
3. Added the --min-rate option to nmap to speed up scanning.
4. Disabled the nmap vulnerability script scan, which is very slow on real networks.
5. Disabled the fullScan() function.
I used this script for the OSCP exam. While doing the BOF, I ran four copies of the script against 4 IPs at the same time, and had the scan results as soon as the BOF was done.
```bash
#!/bin/bash

RED='\033[0;31m'
YELLOW='\033[0;33m'
GREEN='\033[0;32m'
NC='\033[0m'
SECONDS=0

usage(){
	echo -e ""
	echo -e "${RED}Usage: $0 <TARGET-IP> <TYPE>"
	echo -e "${YELLOW}"
	echo -e "Scan Types:"
	echo -e "\tQuick: Shows all open ports quickly (~15 seconds)"
	echo -e "\tBasic: Runs Quick Scan, then runs a more thorough scan on found ports (~5 minutes)"
	echo -e "\tUDP: Runs \"Basic\" on UDP ports (~5 minutes)"
	echo -e "\tFull: Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)"
	echo -e "\tVulns: Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)"
	echo -e "\tRecon: Suggests recon commands, then prompts to automatically run them"
	echo -e "\tAll: Runs all the scans (~20-30 minutes)"
	echo -e "${NC}"
	exit 1
}

header(){
	echo -e ""
	if [ "$2" == "All" ]; then
		echo -e "${YELLOW}Running all scans on $1"
	else
		echo -e "${YELLOW}Running a $2 scan on $1"
	fi

	subnet=$(echo "$1" | cut -d "." -f 1,2,3)".0"

	checkPing=$(checkPing "$1")
	nmapType="nmap -Pn"
	: '
	#nmapType=`echo "${checkPing}" | head -n 1`
	if [ "$nmapType" != "nmap" ]; then
		echo -e "${NC}"
		echo -e "${YELLOW}No ping detected.. Running with -Pn option!"
		echo -e "${NC}"
	fi
	'
	ttl=$(echo "${checkPing}" | tail -n 1)
	if [[ $(echo "${ttl}") != "nmap -Pn" ]]; then
		osType="$(checkOS "$ttl")"
		echo -e "${NC}"
		echo -e "${GREEN}Host is likely running $osType"
		echo -e "${NC}"
	fi
	echo -e ""
	echo -e ""
}

assignPorts(){
	if [ -f nmap/Quick_"$1".nmap ]; then
		basicPorts=$(cat nmap/Quick_"$1".nmap | grep open | cut -d " " -f 1 | cut -d "/" -f 1 | tr "\n" "," | cut -c3- | head -c-2)
	fi

	if [ -f nmap/Full_"$1".nmap ]; then
		if [ -f nmap/Quick_"$1".nmap ]; then
			allPorts=$(cat nmap/Quick_"$1".nmap nmap/Full_"$1".nmap | grep open | cut -d " " -f 1 | cut -d "/" -f 1 | tr "\n" "," | cut -c3- | head -c-1)
		else
			allPorts=$(cat nmap/Full_"$1".nmap | grep open | cut -d " " -f 1 | cut -d "/" -f 1 | tr "\n" "," | head -c-1)
		fi
	fi

	if [ -f nmap/UDP_"$1".nmap ]; then
		udpPorts=$(cat nmap/UDP_"$1".nmap | grep -w "open " | cut -d " " -f 1 | cut -d "/" -f 1 | tr "\n" "," | cut -c3- | head -c-2)
		if [[ "$udpPorts" == "Al" ]]; then
			udpPorts=""
		fi
	fi
}

checkPing(){
	pingTest=$(ping -c 1 -W 3 "$1" | grep ttl)
	if [[ -z $pingTest ]]; then
		echo "nmap -Pn"
	else
		echo "nmap"
		ttl=$(echo "${pingTest}" | cut -d " " -f 6 | cut -d "=" -f 2)
		echo "${ttl}"
	fi
}

checkOS(){
	if [ "$1" == 256 ] || [ "$1" == 255 ] || [ "$1" == 254 ]; then
		echo "OpenBSD/Cisco/Oracle"
	elif [ "$1" == 128 ] || [ "$1" == 127 ]; then
		echo "Windows"
	elif [ "$1" == 64 ] || [ "$1" == 63 ]; then
		echo "Linux"
	else
		echo "Unknown OS!"
	fi
}

cmpPorts(){
	oldIFS=$IFS
	IFS=','
	touch nmap/cmpPorts_"$1".txt

	for i in $(echo "${allPorts}")
	do
		if [[ "$i" =~ ^($(echo "${basicPorts}" | sed 's/,/|/g'))$ ]]; then
			:
		else
			echo -n "$i," >> nmap/cmpPorts_"$1".txt
		fi
	done

	extraPorts=$(cat nmap/cmpPorts_"$1".txt | tr "\n" "," | head -c-1)
	rm nmap/cmpPorts_"$1".txt
	IFS=$oldIFS
}

quickScan(){
	echo -e "${GREEN}---------------------Starting Nmap Quick Scan---------------------"
	echo -e "${NC}"

	#$nmapType -T4 -p1-65535 --min-rate 1000 --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit --open -oN nmap/Quick_"$1".nmap "$1"
	$nmapType -T4 -p1-65535 --min-rate 2000 --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit --open -oN nmap/Quick_"$1".nmap "$1"
	assignPorts "$1"

	echo -e ""
	echo -e ""
	echo -e ""
}

basicScan(){
	echo -e "${GREEN}---------------------Starting Nmap Basic Scan---------------------"
	echo -e "${NC}"

	if [ -z $(echo "${basicPorts}") ]; then
		echo -e "${YELLOW}No ports in quick scan.. Skipping!"
	else
		$nmapType -sCV --min-rate 1000 -p$(echo "${basicPorts}") -oN nmap/Basic_"$1".nmap "$1"
	fi

	if [ -f nmap/Basic_"$1".nmap ] && [[ ! -z $(cat nmap/Basic_"$1".nmap | grep -w "Service Info: OS:") ]]; then
		serviceOS=$(cat nmap/Basic_"$1".nmap | grep -w "Service Info: OS:" | cut -d ":" -f 3 | cut -c2- | cut -d ";" -f 1 | head -c-1)
		if [[ "$osType" != "$serviceOS" ]]; then
			osType=$(echo "${serviceOS}")
			echo -e "${NC}"
			echo -e "${NC}"
			echo -e "${GREEN}OS Detection modified to: $osType"
			echo -e "${NC}"
		fi
	fi

	echo -e ""
	echo -e ""
	echo -e ""
}

UDPScan(){
	echo -e "${GREEN}----------------------Starting Nmap UDP Scan----------------------"
	echo -e "${NC}"

	$nmapType -sU --min-rate 1000 -sC --top-ports 20 --max-retries 1 --open -oN nmap/UDP_"$1".nmap "$1"
	assignPorts "$1"

	if [ ! -z $(echo "${udpPorts}") ]; then
		echo ""
		echo ""
		echo -e "${YELLOW}Making a script scan on UDP ports: $(echo "${udpPorts}" | sed 's/,/, /g')"
		echo -e "${NC}"
		if [ -f /usr/share/nmap/scripts/vulners.nse ]; then
			$nmapType -sCVU --script vulners --script-args mincvss=7.0 -p$(echo "${udpPorts}") -oN nmap/UDP_"$1".nmap "$1"
		else
			$nmapType -sCVU -p$(echo "${udpPorts}") -oN nmap/UDP_"$1".nmap "$1"
		fi
	fi

	echo -e ""
	echo -e ""
	echo -e ""
}

fullScan(){
	echo -e "${GREEN}---------------------Starting Nmap Full Scan----------------------"
	echo -e "${NC}"

	$nmapType -p- --max-retries 1 --max-rate 500 --max-scan-delay 20 -T4 -v -oN nmap/Full_"$1".nmap "$1"
	assignPorts "$1"

	if [ -z $(echo "${basicPorts}") ]; then
		echo ""
		echo ""
		echo -e "${YELLOW}Making a script scan on all ports"
		echo -e "${NC}"
		$nmapType -sCV -p$(echo "${allPorts}") -oN nmap/Full_"$1".nmap "$1"
		assignPorts "$1"
	else
		cmpPorts "$1"
		if [ -z $(echo "${extraPorts}") ]; then
			echo ""
			echo ""
			allPorts=""
			echo -e "${YELLOW}No new ports"
			rm nmap/Full_"$1".nmap
			echo -e "${NC}"
		else
			echo ""
			echo ""
			echo -e "${YELLOW}Making a script scan on extra ports: $(echo "${extraPorts}" | sed 's/,/, /g')"
			echo -e "${NC}"
			$nmapType -sCV -p$(echo "${extraPorts}") -oN nmap/Full_"$1".nmap "$1"
			assignPorts "$1"
		fi
	fi

	echo -e ""
	echo -e ""
	echo -e ""
}

vulnsScan(){
	echo -e "${GREEN}---------------------Starting Nmap Vulns Scan---------------------"
	echo -e "${NC}"

	if [ -z $(echo "${allPorts}") ]; then
		portType="basic"
		ports=$(echo "${basicPorts}")
	else
		portType="all"
		ports=$(echo "${allPorts}")
	fi

	if [ ! -f /usr/share/nmap/scripts/vulners.nse ]; then
		echo -e "${RED}Please install 'vulners.nse' nmap script:"
		echo -e "${RED}https://github.com/vulnersCom/nmap-vulners"
		echo -e "${RED}"
		echo -e "${RED}Skipping CVE scan!"
		echo -e "${NC}"
	else
		echo -e "${YELLOW}Running CVE scan on $portType ports"
		echo -e "${NC}"
		$nmapType -sV --script vulners --script-args mincvss=7.0 -p$(echo "${ports}") -oN nmap/CVEs_"$1".nmap "$1"
		echo ""
	fi

	echo ""
	echo -e "${YELLOW}Running Vuln scan on $portType ports"
	echo -e "${NC}"
	$nmapType -sV --script vuln -p$(echo "${ports}") -oN nmap/Vulns_"$1".nmap "$1"
	echo -e ""
	echo -e ""
	echo -e ""
}

recon(){
	reconRecommend "$1" | tee nmap/Recon_"$1".nmap

	availableRecon=$(cat nmap/Recon_"$1".nmap | grep "$1" | cut -d " " -f 1 | sed 's/\.\///g; s/\.py//g; s/cd/odat/g;' | sort -u | tr "\n" "," | sed 's/,/, /g' | head -c-2)

	secs=30
	count=0
	reconCommand=""

	if [ ! -z "$availableRecon" ]; then
		while [ ! $(echo "${reconCommand}") == "!" ]; do
			echo -e "${YELLOW}"
			echo -e "Which commands would you like to run?${NC}\nAll (Default), $availableRecon, Skip <!>\n"
			while [[ ${count} -lt ${secs} ]]; do
				tlimit=$(( $secs - $count ))
				echo -e "\rRunning Default in (${tlimit}) s: \c"
				read -t 1 reconCommand
				[ ! -z "$reconCommand" ] && { break ; }
				count=$((count+1))
			done

			if [ "$reconCommand" == "All" ] || [ -z $(echo "${reconCommand}") ]; then
				runRecon "$1" "All"
				reconCommand="!"
			elif [[ "$reconCommand" =~ ^($(echo "${availableRecon}" | tr ", " "|"))$ ]]; then
				runRecon "$1" $reconCommand
				reconCommand="!"
			elif [ "$reconCommand" == "Skip" ] || [ "$reconCommand" == "!" ]; then
				reconCommand="!"
				echo -e ""
				echo -e ""
				echo -e ""
			else
				echo -e "${NC}"
				echo -e "${RED}Incorrect choice!"
				echo -e "${NC}"
			fi
		done
	fi
}

reconRecommend(){
	echo -e "${GREEN}---------------------Recon Recommendations----------------------"
	echo -e "${NC}"

	oldIFS=$IFS
	IFS=$'\n'

	if [ -f nmap/Full_"$1".nmap ] && [ -f nmap/Basic_"$1".nmap ]; then
		ports=$(echo "${allPorts}")
		file=$(cat nmap/Basic_"$1".nmap nmap/Full_"$1".nmap | grep -w "open")
	elif [ -f nmap/Full_"$1".nmap ]; then
		ports=$(echo "${allPorts}")
		file=$(cat nmap/Quick_"$1".nmap nmap/Full_"$1".nmap | grep -w "open")
	elif [ -f nmap/Basic_"$1".nmap ]; then
		ports=$(echo "${basicPorts}")
		file=$(cat nmap/Basic_"$1".nmap | grep -w "open")
	else
		ports=$(echo "${basicPorts}")
		file=$(cat nmap/Quick_"$1".nmap | grep -w "open")
	fi

	if [[ ! -z $(echo "${file}" | grep -i http) ]]; then
		echo -e "${NC}"
		echo -e "${YELLOW}Web Servers Recon:"
		echo -e "${NC}"
	fi

	for line in $file; do
		if [[ ! -z $(echo "${line}" | grep -i http) ]]; then
			port=$(echo "${line}" | cut -d "/" -f 1)
			if [[ ! -z $(echo "${line}" | grep -w "IIS") ]]; then
				pages=".html,.asp,.aspx,.php"
			else
				pages=".html,.php"
			fi

			if [[ ! -z $(echo "${line}" | grep ssl/http) ]]; then
				#echo "sslyze --regular $1 | tee recon/sslyze_$1_$port.txt"
				echo "sslscan $1 | tee recon/sslscan_$1_$port.txt"
				echo "gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 100 -e -k -x $pages -u https://$1:$port -o recon/gobuster_$1_$port.txt"
				#echo "nikto -host https://$1:$port -ssl | tee recon/nikto_$1_$port.txt"
			else
				echo "gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 100 -e -k -x $pages -u http://$1:$port -o recon/gobuster_$1_$port.txt"
				#echo "nikto -host $1:$port | tee recon/nikto_$1_$port.txt"
			fi
			echo ""
		fi
	done

	if [ -f nmap/Basic_"$1".nmap ]; then
		cms=$(cat nmap/Basic_"$1".nmap | grep http-generator | cut -d " " -f 2)
		if [ ! -z $(echo "${cms}") ]; then
			for line in $cms; do
				port=$(cat nmap/Basic_"$1".nmap | grep "$line" -B1 | grep -w "open" | cut -d "/" -f 1)
				if [[ "$cms" =~ ^(Joomla|WordPress|Drupal)$ ]]; then
					echo -e "${NC}"
					echo -e "${YELLOW}CMS Recon:"
					echo -e "${NC}"
				fi
				case "$cms" in
					Joomla!)
						echo "joomscan --url http://$1:$port | tee recon/joomscan_$1_$port.txt";;
					WordPress)
						echo "wpscan --url http://$1:$port --enumerate ap,u | tee recon/wpscan_$1_$port.txt";;
					Drupal)
						echo "droopescan scan drupal -u http://$1:$port | tee recon/droopescan_$1_$port.txt";;
				esac
			done
		fi
	fi

	if [[ ! -z $(echo "${file}" | grep -w "445/tcp") ]]; then
		echo -e "${NC}"
		echo -e "${YELLOW}SMB Recon:"
		echo -e "${NC}"
		echo "smbmap -H $1 | tee recon/smbmap_$1.txt"
		echo "smbclient -L \"//$1/\" -U \"guest\"% | tee recon/smbclient_$1.txt"
		if [[ $osType == "Windows" ]]; then
			echo "nmap -Pn -p445 --script vuln -oN recon/SMB_vulns_$1.txt $1"
		fi
		if [[ $osType == "Linux" ]]; then
			echo "enum4linux -a $1 | tee recon/enum4linux_$1.txt"
		fi
		echo ""
	elif [[ ! -z $(echo "${file}" | grep -w "139/tcp") ]] && [[ $osType == "Linux" ]]; then
		echo -e "${NC}"
		echo -e "${YELLOW}SMB Recon:"
		echo -e "${NC}"
		echo "enum4linux -a $1 | tee recon/enum4linux_$1.txt"
		echo ""
	fi

	if [ -f nmap/UDP_"$1".nmap ] && [[ ! -z $(cat nmap/UDP_"$1".nmap | grep open | grep -w "161/udp") ]]; then
		echo -e "${NC}"
		echo -e "${YELLOW}SNMP Recon:"
		echo -e "${NC}"
		echo "snmp-check $1 -c public | tee recon/snmpcheck_$1.txt"
		echo "snmpwalk -Os -c public -v1 $1 | tee recon/snmpwalk_$1.txt"
		echo ""
	fi

	if [[ ! -z $(echo "${file}" | grep -w "53/tcp") ]]; then
		echo -e "${NC}"
		echo -e "${YELLOW}DNS Recon:"
		echo -e "${NC}"
		echo "host -l $1 $1 | tee recon/hostname_$1.txt"
		echo "dnsrecon -r $subnet/24 -n $1 | tee recon/dnsrecon_$1.txt"
		echo "dnsrecon -r 127.0.0.0/24 -n $1 | tee recon/dnsrecon-local_$1.txt"
		echo "dig -x $1 @$1 | tee recon/dig_$1.txt"
		echo ""
	fi

	if [[ ! -z $(echo "${file}" | grep -w "389/tcp") ]]; then
		echo -e "${NC}"
		echo -e "${YELLOW}ldap Recon:"
		echo -e "${NC}"
		echo "ldapsearch -x -h $1 -s base | tee recon/ldapsearch_$1.txt"
		echo "ldapsearch -x -h $1 -b \$(cat recon/ldapsearch_$1.txt | grep rootDomainNamingContext | cut -d ' ' -f2) | tee recon/ldapsearch_DC_$1.txt"
		echo "nmap -Pn -p 389 --script ldap-search --script-args 'ldap.username=\"\$(cat recon/ldapsearch_$1.txt | grep rootDomainNamingContext | cut -d \" \" -f2)\"' $1 -oN recon/nmap_ldap_$1.txt"
		echo ""
	fi

	if [[ ! -z $(echo "${file}" | grep -w "1521/tcp") ]]; then
		echo -e "${NC}"
		echo -e "${YELLOW}Oracle Recon \"Exc. from Default\":"
		echo -e "${NC}"
		echo "cd /opt/odat/;#$1;"
		echo "./odat.py sidguesser -s $1 -p 1521"
		echo "./odat.py passwordguesser -s $1 -p 1521 -d XE --accounts-file accounts/accounts-multiple.txt"
		echo "cd -;#$1;"
		echo ""
	fi

	IFS=$oldIFS

	echo -e ""
	echo -e ""
	echo -e ""
}

runRecon(){
	echo -e ""
	echo -e ""
	echo -e ""
	echo -e "${GREEN}---------------------Running Recon Commands----------------------"
	echo -e "${NC}"

	oldIFS=$IFS
	IFS=$'\n'

	if [[ ! -d recon/ ]]; then
		mkdir recon/
	fi

	if [ "$2" == "All" ]; then
		reconCommands=$(cat nmap/Recon_"$1".nmap | grep "$1" | grep -v odat)
	else
		reconCommands=$(cat nmap/Recon_"$1".nmap | grep "$1" | grep "$2")
	fi

	for line in $(echo "${reconCommands}"); do
		currentScan=$(echo "$line" | cut -d " " -f 1 | sed 's/\.\///g; s/\.py//g; s/cd/odat/g;' | sort -u | tr "\n" "," | sed 's/,/, /g' | head -c-2)
		fileName=$(echo "${line}" | awk -F "recon/" '{print $2}' | head -c-1)
		if [ ! -z recon/$(echo "${fileName}") ] && [ ! -f recon/$(echo "${fileName}") ]; then
			echo -e "${NC}"
			echo -e "${YELLOW}Starting $currentScan scan"
			echo -e "${NC}"
			echo "$line" | /bin/bash
			echo -e "${NC}"
			echo -e "${YELLOW}Finished $currentScan scan"
			echo -e "${NC}"
			echo -e "${YELLOW}========================="
		fi
	done

	IFS=$oldIFS

	echo -e ""
	echo -e ""
	echo -e ""
}

footer(){
	echo -e "${GREEN}---------------------Finished all Nmap scans---------------------"
	echo -e "${NC}"
	echo -e ""

	if (( $SECONDS > 3600 )) ; then
		let "hours=SECONDS/3600"
		let "minutes=(SECONDS%3600)/60"
		let "seconds=(SECONDS%3600)%60"
		echo -e "${YELLOW}Completed in $hours hour(s), $minutes minute(s) and $seconds second(s)"
	elif (( $SECONDS > 60 )) ; then
		let "minutes=(SECONDS%3600)/60"
		let "seconds=(SECONDS%3600)%60"
		echo -e "${YELLOW}Completed in $minutes minute(s) and $seconds second(s)"
	else
		echo -e "${YELLOW}Completed in $SECONDS seconds"
	fi
	echo -e ""
}

if (( "$#" != 2 )); then
	usage
fi

if [[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
	:
else
	echo -e "${RED}"
	echo -e "${RED}Invalid IP!"
	echo -e "${RED}"
	usage
fi

if [[ "$2" =~ ^(Quick|Basic|UDP|Full|Vulns|Recon|All|quick|basic|udp|full|vulns|recon|all)$ ]]; then
	if [[ ! -d $1 ]]; then
		mkdir "$1"
	fi
	cd "$1" || exit

	if [[ ! -d nmap/ ]]; then
		mkdir nmap/
	fi

	assignPorts "$1"
	header "$1" "$2"

	case "$2" in
		Quick | quick)
			quickScan "$1";;
		Basic | basic)
			if [ ! -f nmap/Quick_"$1".nmap ]; then quickScan "$1"; fi
			basicScan "$1";;
		UDP | udp)
			UDPScan "$1";;
		#Full | full)
		#	fullScan "$1";;
		#Vulns | vulns)
		#	if [ ! -f nmap/Quick_"$1".nmap ]; then quickScan "$1"; fi
		#	vulnsScan "$1";;
		Recon | recon)
			if [ ! -f nmap/Quick_"$1".nmap ]; then quickScan "$1"; fi
			if [ ! -f nmap/Basic_"$1".nmap ]; then basicScan "$1"; fi
			recon "$1";;
		All | all)
			quickScan "$1"
			basicScan "$1"
			UDPScan "$1"
			#fullScan "$1"
			# vulnsScan "$1"
			recon "$1";;
	esac

	footer
else
	echo -e "${RED}"
	echo -e "${RED}Invalid Type!"
	echo -e "${RED}"
	usage
fi
```
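The part of the script most worth checking before relying on a run is its port-list handling (assignPorts, cmpPorts and checkOS): a wrong port list silently drops services from every later scan, and the original `grep open | cut -c3-` pipeline only works because the `--open` in the nmap header line happens to be the first match. The following shell example is added here and is not part of the blog's script or of nmapAutomator. It rebuilds those three pieces as standalone functions and exercises them on constructed nmap -oN output (the target 10.0.0.5, the port numbers and the file contents are all made up); it anchors the match on the `<port>/<proto> open` shape instead, so the header line can never be counted as a port and `open|filtered` UDP results are excluded, as the script's `grep -w "open "` intends.

```shell
#!/bin/sh
# Added example, not part of the blog's script or of nmapAutomator.
# Standalone versions of the parsing logic in assignPorts, cmpPorts and
# checkOS, run on constructed nmap -oN files. 10.0.0.5 and all ports are made up.

# Write constructed Quick/Full/UDP scan files into directory $1.
write_samples() {
    # Quick scan: the header line contains "--open", which the original
    # "grep open" pipeline also matches and then discards with "cut -c3-".
    cat > "$1/Quick_10.0.0.5.nmap" <<'EOF'
# Nmap 7.80 scan initiated as: nmap -Pn -T4 -p1-65535 --min-rate 2000 --open -oN nmap/Quick_10.0.0.5.nmap 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
445/tcp open  microsoft-ds
# Nmap done -- 1 IP address (1 host up) scanned in 4.20 seconds
EOF
    # Full scan: two ports the quick scan did not see.
    cat > "$1/Full_10.0.0.5.nmap" <<'EOF'
# Nmap 7.80 scan initiated as: nmap -Pn -p- --max-retries 1 -oN nmap/Full_10.0.0.5.nmap 10.0.0.5
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
445/tcp   open  microsoft-ds
8080/tcp  open  http-proxy
49152/tcp open  unknown
# Nmap done -- 1 IP address (1 host up) scanned in 60.00 seconds
EOF
    # UDP scan: "open|filtered" must not be reported as open.
    cat > "$1/UDP_10.0.0.5.nmap" <<'EOF'
# Nmap 7.80 scan initiated as: nmap -Pn -sU --top-ports 20 --open -oN nmap/UDP_10.0.0.5.nmap 10.0.0.5
PORT    STATE         SERVICE
53/udp  open|filtered domain
161/udp open          snmp
# Nmap done -- 1 IP address (1 host up) scanned in 20.00 seconds
EOF
}

# Comma-separated list of ports whose state is exactly "open" in an -oN file.
# Anchoring on "<port>/<proto> open " keeps the header's command line out of
# the list and skips open|filtered.
extract_ports() {
    grep -E '^[0-9]+/(tcp|udp)[[:space:]]+open[[:space:]]' "$1" \
        | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'
}

# Ports in list $2 that are absent from list $1 (both "a,b,c"): what cmpPorts
# computes so the full scan only re-runs scripts on ports the quick scan missed.
new_ports() {
    np_result=""
    for np_port in $(echo "$2" | tr ',' ' '); do
        case ",$1," in
            *",$np_port,"*) ;;  # already known from the quick scan
            *) np_result="${np_result}${np_result:+,}$np_port" ;;
        esac
    done
    echo "$np_result"
}

# Likely OS family from the TTL of a ping reply (same table as checkOS).
guess_os() {
    case "$1" in
        256|255|254) echo "OpenBSD/Cisco/Oracle" ;;
        128|127)     echo "Windows" ;;
        64|63)       echo "Linux" ;;
        *)           echo "Unknown OS!" ;;
    esac
}

# Stand-alone demonstration on the constructed files.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
quick=$(extract_ports "$demo_dir/Quick_10.0.0.5.nmap")
full=$(extract_ports "$demo_dir/Full_10.0.0.5.nmap")
echo "quick scan ports : $quick"                                          # 22,80,445
echo "full scan ports  : $full"                                           # 22,80,445,8080,49152
echo "new ports        : $(new_ports "$quick" "$full")"                   # 8080,49152
echo "udp open ports   : $(extract_ports "$demo_dir/UDP_10.0.0.5.nmap")"  # 161
echo "ttl 128 looks like: $(guess_os 128)"                                # Windows
rm -rf "$demo_dir"
```

The same functions can be pointed at the real `nmap/Quick_<ip>.nmap` and `nmap/Full_<ip>.nmap` files the script writes, which is a quick way to confirm that a port list the script feeds to `-p` is what the scan actually reported.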
Finally

That is all of the content 朴实过客 has recently collected and organized on "Hacking from Zero, Chapter 2: Information Gathering, Part 4: Automated comprehensive information-gathering tools" (1. Scenario, 2. Automated information-gathering tool, 3. Modified script). For more related content, search the other articles on 靠谱客.