I have been contemplating putting something together to automate what can be automated from the initial phases of a penetration testing exercise .. and here it is. This is personal preference mostly, combining the few things I have picked up from here and there. Recomendations for improvements are very welcome. To its majority the script utilises nmap scripts with the odd addtion of external tools (most of them default with Kali) depending on the occasion.
What does it do?
What does it do?
- ARP and ping scan your range to id your live targets
- Scan the output of the above using the top 2000 ports from nmap for TCP... and since we want to finish this millenium.. top 10 UDP ports (change it if you must to your own peril)
- The scan in both occastions is grabbing versions and putting the output in the directory you told it to create in the begining neatly creating a directory structure according to target.
- Enumeration covers the following services (all outputs go in the relevant target dirs)
- SMTP - hitting 25,465 and 587 with smtp-enum-users.nse smtp-commands.nse and smtp-open-relay.nse
- SNMP - using metasploit it kicks off auxiliary/scanner/snmp/snmp_login without involving the database though, if it finds a match it will use snmpcheck to get further details on the host
- FTP - check for enabled anonymous access using ftp-anon.nse
- Finger - finger nmap plugin to enumerate users if possible
- NFS - nmap scripts nfs-showmount and nfs-ls to identify anything on matching targets
- SMB - use nmap's smb-check-vulns.nse to pick up any easy targets and then kick off enum4linux
- TFTP - nmap's tftp-enum.nse
- HTTP - for this part you need to have cutycapt installed since it will look for http ports and take a screenshot of the pages residing there, additionally it will run nmap's http-headers, http-methods, http-title, http-auth-finder and http-enum scripts.
I did add a primitive counter for the scanner since that is the longest loop the script runs.. so you know how far from the promise land you are!
Script available on my github here.
Thanks for reading,