Thursday, 28 May 2015

Enumerator script update 3

Here we go again, more changes! So earlier today @digininja sent me a tweet about switching sslscan with tlssled... what a brilliant idea. Much like enum4linux and nbtscan, tlssled is a bash script that runs openssl and sslscan.

TLSSLed brings to the table added tests like a test for TLS v1.1 and v1.2 support (CVE-2011-3389 aka BEAST), a test to check for legacy renegotiation even when secure, a test if SSL/TLS renegotiation is enabled and much more. Full details available in the script itself (should be under /usr/bin/ in your Kali box or you can get the full detail and the script itself from

Credit for the upgrade to @digininja and @raulsiles for making the script to begin with.

As usual new version available on github.

Many thanks


Tuesday, 26 May 2015

Enumerator script update 2

Yet another update to the previous post, I keep adding and fixing things on that enumerator script.. let's see where it's going to end! In order to address the lack of SSL enumeration in the previous versions I have added to the script:

  • nikto (for both http and https hosts)
  • sslscan 
Those two should be enough.. at least for an initial feel of the environment and the targets available. After that you can go crazy and hit your targets with dirbuster or webslayer or dirs3arch.. or whatever floats your boat really. I have left nikto pretty much with its most basic options... which kind of crosses over to more of a vulnerability assessment field. It's much noisier from an IDS perspective so be warned.. at some point I will tune it down to exactly what I would like it to do..

Finally, I remembered to add --reason to my nmaps, also -n (DNS enumeration is a different subject) and -vvv just so we get all the information we need from the initial scans.. no need for do-overs!

Hope you find it useful, as usual latest version available in the same place... here

Thanks for reading


Sunday, 17 May 2015

Enumerator script update

In my previous post, it was explained how the Enumerator script works, what protocols it supports etc etc. Well I wanted to add HTTPS screenshots as well so I had a second look at it, which led me to cutycapt's latest version. The --insecure option we need to make this work is only available there... so here we go:
apt-get install subversion libqt4-webkit libqt4-dev g++ -y
cd /opt
svn co svn:// .
cd CutyCapt
Now CutyCapt's latest version is in the right path and we are good to go. Minor other changes were made to the script to fix whatever else was wrong as well. Unfortunately nmap http scripts don't seem to work for https.. might have to do something about that later.. for the time being I have just added screenshots on your HTTPS (not that there is going to be a huge difference from an apache header on 80 and its equivalent on 443.. but that's rarely the cards we are dealt).

Latest version available in the same place... here

Thanks for reading


Saturday, 16 May 2015

Enumerator script

I have been contemplating putting something together to automate what can be automated from the initial phases of a penetration testing exercise .. and here it is. This is personal preference mostly, combining the few things I have picked up from here and there. Recommendations for improvements are very welcome. To its majority the script utilises nmap scripts with the odd addition of external tools (most of them default with Kali) depending on the occasion.

What does it do?

  1. ARP and ping scan your range to id your live targets
  2. Scan the output of the above using the top 2000 ports from nmap for TCP... and since we want to finish this millennium.. top 10 UDP ports (change it if you must to your own peril)
  3. The scan in both occasions is grabbing versions and putting the output in the directory you told it to create in the beginning, neatly creating a directory structure according to target.
  4. Enumeration covers the following services (all outputs go in the relevant target dirs)
    1. SMTP - hitting 25,465 and 587 with smtp-enum-users.nse smtp-commands.nse and smtp-open-relay.nse
    2. SNMP - using metasploit it kicks off auxiliary/scanner/snmp/snmp_login without involving the database though, if it finds a match it will use snmpcheck to get further details on the host
    3. FTP - check for enabled anonymous access using ftp-anon.nse 
    4. Finger - finger nmap plugin to enumerate users if possible
    5. NFS - nmap scripts nfs-showmount and nfs-ls to identify anything on matching targets
    6. SMB - use nmap's smb-check-vulns.nse to pick up any easy targets and then kick off enum4linux 
    7. TFTP - nmap's tftp-enum.nse
    8. HTTP - for this part you need to have cutycapt installed since it will look for http ports and take a screenshot of the pages residing there, additionally it will run nmap's http-headers, http-methods, http-title, http-auth-finder and http-enum scripts.
I did add a primitive counter for the scanner since that is the longest loop the script runs.. so you know how far from the promised land you are!
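To show the glue that a script like this needs between step 3 (the version scan per target) and step 4 (the per-service enumeration), here is an added example, written for this post and not taken from the Enumerator script on github. It builds the nmap command line with the flags mentioned in the later update (--reason, -n, -vvv, -sV, --top-ports, -oA are real nmap options), parses nmap's grepable output (-oG / the .gnmap file that -oA writes) for open ports, and maps each open port to one of the eight enumeration steps listed above. The scan output it parses is a constructed sample embedded in the script, not real scan data, so it runs offline; the function names (scan_cmd, open_ports, enum_plan, write_sample) are my own.

```shell
#!/usr/bin/env bash
# Added example, not part of the Enumerator script: build the scan line,
# parse grepable nmap output and pick the follow-up enumeration per host.

# Constructed sample of nmap -oG output for two hosts (not a real scan).
# Real files separate the fields with tabs; the parser accepts either.
SAMPLE_GNMAP='# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 21/open/tcp//ftp//vsftpd 3.0.2/, 25/open/tcp//smtp//Postfix smtpd/, 80/open/tcp//http//Apache httpd 2.4.7/, 443/open/tcp//ssl|http//Apache httpd 2.4.7/  Ignored State: closed (1996)
Host: 192.0.2.20 ()  Status: Up
Host: 192.0.2.20 ()  Ports: 139/open/tcp//netbios-ssn//Samba smbd 3.X/, 445/open/tcp//netbios-ssn//Samba smbd 3.X/, 2049/open/tcp//nfs//2-4 (RPC #100003)/, 161/open/udp//snmp//SNMPv1 server/, 69/open|filtered/udp//tftp///  Ignored State: closed (1995)
# Nmap done (constructed sample)'

write_sample() {
  # $1: path to write the constructed sample to.
  printf '%s\n' "$SAMPLE_GNMAP" > "$1"
}

scan_cmd() {
  # $1: target host, $2: base output directory.
  # Version scan of the top 2000 TCP ports, with the flags from the later post:
  # --reason (why a port is in that state), -n (no DNS), -vvv (keep everything),
  # -oA so the .gnmap file lands in the per-target directory.
  printf 'nmap -sV --top-ports 2000 --reason -n -vvv -oA %s/%s/tcp %s\n' "$2" "$1" "$1"
}

open_ports() {
  # $1: gnmap file. Prints "host port proto service" for every open port.
  # UDP ports that nmap reports as open|filtered are kept as candidates
  # (the probe got no answer, so they may still be live).
  awk '
    /^Host: / && /Ports: / {
      host = $2
      line = $0
      sub(/.*Ports: /, "", line)
      sub(/[ \t]*Ignored State:.*/, "", line)
      n = split(line, entries, /, /)
      for (i = 1; i <= n; i++) {
        # entry layout: port/state/proto/owner/service/rpcinfo/version/
        split(entries[i], f, "/")
        if (f[2] == "open" || (f[3] == "udp" && f[2] == "open|filtered"))
          print host, f[1], f[3], f[5]
      }
    }' "$1"
}

enum_plan() {
  # $1: gnmap file. Prints one "host step" line per enumeration step from
  # the list in the post (smtp, snmp, ftp, finger, nfs, smb, tftp, http).
  open_ports "$1" | awk '{
    host = $1; port = $2; proto = $3; svc = $4; step = ""
    if (proto == "tcp" && (port == 25 || port == 465 || port == 587)) step = "smtp"
    else if (proto == "udp" && port == 161) step = "snmp"
    else if (proto == "tcp" && port == 21) step = "ftp"
    else if (proto == "tcp" && port == 79) step = "finger"
    else if (proto == "tcp" && port == 2049) step = "nfs"
    else if (proto == "tcp" && (port == 139 || port == 445)) step = "smb"
    else if (proto == "udp" && port == 69) step = "tftp"
    else if (svc ~ /http/) step = "http"   # plain http and ssl|http alike
    if (step != "") print host, step
  }' | sort -u
}

# Stand-alone run: write the sample, show the scan line and the plan.
if [ "${0##*/}" = "enum_plan_example.sh" ]; then
  tmp=$(mktemp)
  write_sample "$tmp"
  scan_cmd 192.0.2.10 /tmp/enum-out
  enum_plan "$tmp"
  rm -f "$tmp"
fi
```

The mapping table is where the per-host loop decides what to run next (the smtp-* scripts on 25/465/587, snmp_login on 161/udp, cutycapt plus the http-* scripts on anything whose service name contains http, and so on), and because ports are keyed on protocol as well as number the UDP-only steps never fire on a TCP port that happens to share the number.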

Script available on my github here.

Thanks for reading,