authorbitform <matt@exploit-monday.com>2012-08-07 19:14:11 -0400
committerbitform <matt@exploit-monday.com>2012-08-07 19:14:11 -0400
commit0ecd7cb158a12ec77d202da8a7392891d7d1707a (patch)
tree5278954a7844da4e3992d55fc03d732fd143ed63
parentbefc24a6e89ce6ff7d5007e27ba5ad4f1e5029a9 (diff)
downloadPowerSploit-0ecd7cb158a12ec77d202da8a7392891d7d1707a.tar.gz
PowerSploit-0ecd7cb158a12ec77d202da8a7392891d7d1707a.zip
Added Get-HttpStatus and 'Recon' directory
* All recon scripts now live in the 'Recon' directory * Added Get-HttpStatus - An http[s] enumeration tool * Added default dictionary for Get-HttpStatus - .\Dictionaries\admin.txt * Moved Invoke-ReverseDnsLookup to 'Recon'
-rw-r--r--README28
-rw-r--r--Recon/Dictionaries/admin.txt202
-rw-r--r--Recon/Get-HttpStatus.ps1119
-rw-r--r--Recon/Invoke-ReverseDnsLookup.ps1 (renamed from Invoke-ReverseDnsLookup.ps1)0
4 files changed, 342 insertions, 7 deletions
diff --git a/README b/README
index 3680e63..b7fcc8d 100644
--- a/README
+++ b/README
@@ -20,12 +20,6 @@ Get-GPPPassword:
Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
- Used with permission from @obscuresec (www.obscuresecurity.blogspot.com).
-
-Invoke-ReverseDnsLookup:
-
- Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.
-
----------
.\PETools
----------
@@ -52,7 +46,27 @@ Tools to aid in reverse engineering
Get-ILDisassembly:
- disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.
+ Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.
+
+-------
+.\Recon
+-------
+
+Tools to aid in the reconnaissance phase of a penetration test
+
+Get-HttpStatus:
+
+ Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
+
+Invoke-ReverseDnsLookup:
+
+ Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.
+
+--------------------
+.\Recon\Dictionaries
+--------------------
+
+A collection of dictionaries used to aid in the reconnaissance phase of a penetration test.
-------
License
diff --git a/Recon/Dictionaries/admin.txt b/Recon/Dictionaries/admin.txt
new file mode 100644
index 0000000..93b2fe1
--- /dev/null
+++ b/Recon/Dictionaries/admin.txt
@@ -0,0 +1,202 @@
+admin1.php
+admin.asp
+admin/account.asp
+admin/account.html
+admin/account.php
+admin/controlpanel.asp
+admin/controlpanel.html
+admin/controlpanel.php
+admin/cp.asp
+admin/cp.html
+admin/cp.php
+admin/home.asp
+admin/home.php
+admin/index.asp
+admin/index.html
+admin/login.asp
+admin/login.html
+admin/login.php
+admin1.asp
+admin1.html
+admin1/
+admin2.asp
+admin2.html
+admin2.php
+admin4_account/
+admin4_colon/
+admincontrol.asp
+admincontrol.html
+admincontrol.php
+administer/
+administr8.asp
+administr8.html
+administr8.php
+administr8/
+administracao.php
+administracao/
+administracion.php
+administracion/
+administrateur.php
+administrateur/
+administratie/
+administration.html
+administration.php
+administration/
+administrator.asp
+administrator.html
+administrator.php
+administrator/account.asp
+administrator/account.html
+administrator/account.php
+administrator/index.asp
+administrator/index.html
+administrator/index.php
+administrator/login.asp
+administrator/login.html
+administrator/login.php
+administratoraccounts/
+administrators/
+administrivia/
+adminpanel.asp
+adminpanel.html
+adminpanel.php
+adminpro/
+admins.asp
+admins.html
+admins.php
+admins/
+AdminTools/
+amministratore.php
+amministratore/
+autologin/
+banneradmin/
+bbadmin/
+beheerder.php
+beheerder/
+bigadmin/
+blogindex/
+cadmins/
+ccms/
+ccms/index.php
+ccms/login.php
+ccp14admin/
+cmsadmin/
+configuration/
+configure/
+controlpanel.asp
+controlpanel.html
+controlpanel.php
+controlpanel/
+cp.asp
+cp.html
+cp.php
+cpanel_file/
+customer_login/
+database_administration/
+Database_Administration/
+dir-login/
+directadmin/
+ezsqliteadmin/
+fileadmin.asp
+fileadmin.html
+fileadmin.php
+formslogin/
+globes_admin/
+hpwebjetadmin/
+Indy_admin/
+irc-macadmin/
+LiveUser_Admin/
+login_db/
+login-redirect/
+login-us/
+login.asp
+login.html
+login.php
+login1/
+loginflat/
+logo_sysadmin/
+Lotus_Domino_Admin/
+macadmin/
+maintenance/
+manuallogin/
+memlogin/
+meta_login/
+modelsearch/login.asp
+modelsearch/login.php
+moderator.asp
+moderator.html
+moderator.php
+moderator/
+moderator/admin.asp
+moderator/admin.html
+moderator/admin.php
+moderator/login.asp
+moderator/login.html
+moderator/login.php
+myadmin/
+navSiteAdmin/
+newsadmin/
+openvpnadmin/
+painel/
+panel/
+pgadmin/
+phpldapadmin/
+phppgadmin/
+phpSQLiteAdmin/
+platz_login/
+power_user/
+project-admins/
+pureadmin/
+radmind-1/
+radmind/
+rcLogin/
+server_admin_small/
+Server.asp
+Server.html
+Server.php
+ServerAdministrator/
+showlogin/
+simpleLogin/
+smblogin/
+sql-admin/
+ss_vms_admin_sm/
+sshadmin/
+staradmin/
+sub-login/
+Super-Admin/
+support_login/
+sys-admin/
+sysadmin.asp
+sysadmin.html
+sysadmin.php
+sysadmin/
+SysAdmin/
+SysAdmin2/
+sysadmins/
+system_administration/
+system-administration/
+ur-admin.asp
+ur-admin.html
+ur-admin.php
+ur-admin/
+useradmin/
+UserLogin/
+utility_login/
+v2/painel/
+vadmind/
+vmailadmin/
+webadmin.asp
+webadmin.html
+webadmin.php
+webmaster/
+websvn/
+wizmysqladmin/
+wp-admin/
+wp-login/
+xlogin/
+yonetici.asp
+yonetici.html
+yonetici.php
+yonetim.asp
+yonetim.html
+yonetim.php \ No newline at end of file
diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1
new file mode 100644
index 0000000..2f4b343
--- /dev/null
+++ b/Recon/Get-HttpStatus.ps1
@@ -0,0 +1,119 @@
+function Get-HttpStatus {
+<#
+.SYNOPSIS
+PowerSploit Module - Get-HttpStatus
+
+Returns the HTTP Status Codes and full URL for specified paths.
+
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+
+.DESCRIPTION
+A script to check for the existence of a path or file on a webserver.
+
+.PARAMETER Target
+Specifies the remote web host either by IP or hostname.
+
+.PARAMETER Path
+Specifies the remost host.
+
+.PARAMETER Port
+Specifies the port to connect to.
+
+.PARAMETER UseSSL
+Use an SSL connection.
+
+.EXAMPLE
+PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
+
+.EXAMPLE
+PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
+
+.NOTES
+HTTP Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
+Status Codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
+
+.LINK
+http://obscuresecurity.blogspot.com
+#>
+
+ [CmdletBinding()] Param(
+ [Parameter(Mandatory = $True)] [String] $Target,
+ [Parameter()] [String] [ValidateNotNullOrEmpty()] $Path = '.\Dictionaries\admin.txt',
+ [Parameter()] [Int] $Port,
+ [Parameter()] [Switch] $UseSSL
+ )
+
+ if (Test-Path $Path) {
+
+ if ($UseSSL -and $Port -eq 0) {
+ # Default to 443 if SSL is specified but no port is specified
+ $Port = 443
+ } elseif ($Port -eq 0) {
+ # Default to port 80 if no port is specified
+ $Port = 80
+ }
+
+ $TcpConnection = New-Object System.Net.Sockets.TcpClient
+ Write-Verbose "Path Test Succeeded - Testing Connectivity"
+
+ try {
+ # Validate that the host is listening before scanning
+ $TcpConnection.Connect($Target, $Port)
+ } catch {
+ Write-Error "Connection Test Failed - Check Target"
+ $Tcpconnection.Close()
+ Return
+ }
+
+ $Tcpconnection.Close()
+ } else {
+ Write-Error "Path Test Failed - Check Dictionary Path"
+ Return
+ }
+
+ if ($UseSSL) {
+ $SSL = 's'
+ # Ignore invalid SSL certificates
+ [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
+ } else {
+ $SSL = ''
+ }
+
+ if (($Port -eq 80) -or ($Port -eq 443)) {
+ $PortNum = ''
+ } else {
+ $PortNum = ":$Port"
+ }
+
+ # Check Http status for each entry in the doctionary file
+ foreach ($Item in Get-Content $Path) {
+
+ $WebTarget = "http$($SSL)://$($Target)$($PortNum)/$($Item)"
+ $URI = New-Object Uri($WebTarget)
+
+ try {
+ $WebRequest = [System.Net.WebRequest]::Create($URI)
+ $WebResponse = $WebRequest.GetResponse()
+ $WebStatus = $WebResponse.StatusCode
+ $ResultObject += $ScanObject
+ $WebResponse.Close()
+ } catch {
+ $WebStatus = $Error[0].Exception.InnerException.Response.StatusCode
+
+ if ($WebStatus -eq $null) {
+ # Not every exception returns a StatusCode.
+ # If that is the case, return the Status.
+ $WebStatus = $Error[0].Exception.InnerException.Status
+ }
+ }
+
+ $Result = @{ Status = $WebStatus;
+ URL = $WebTarget}
+
+ $ScanObject = New-Object -TypeName PSObject -Property $Result
+
+ Write-Output $ScanObject
+
+ }
+} \ No newline at end of file
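Review bot: The -UseSSL branch's `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }` disables TLS certificate validation for the entire PowerShell process and is never undone, so after one scan every later HTTPS request in that session (other modules, Invoke-WebRequest, anything built on WebRequest) silently accepts any certificate. Accepting invalid certificates on the target is reasonable for enumeration, but the previous callback should be captured before it is overwritten and reinstated in a finally block around the scan loop, with the comment noting that the setting is process-wide. Separately, `$ResultObject += $ScanObject` inside the try block references `$ScanObject` before it is assigned on the first iteration and `$ResultObject` is never read, so that line looks like a leftover and can be dropped. The `.PARAMETER Path` help text ("Specifies the remost host.") should read `Specifies the dictionary file containing one URL path per line.`, and the first example's `Select-Object {where StatusCode -eq 20*}` does not run as written — the emitted property is Status, so `Where-Object { $_.Status -like '2*' }` is the working filter.
```powershell
    if ($UseSSL) {
        $SSL = 's'
        # Ignore invalid SSL certificates on the target. NOTE: this callback is a
        # process-wide setting, so the previous value is restored after the scan.
        $OldCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
    } else {
        $SSL = ''
    }

    # … unchanged: $PortNum computation …

    try {
        # Check Http status for each entry in the dictionary file
        foreach ($Item in Get-Content $Path) {
            # … unchanged: per-entry request, status extraction and Write-Output …
        }
    } finally {
        if ($UseSSL) {
            [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $OldCallback
        }
    }
```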
diff --git a/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1
index af45f2e..af45f2e 100644
--- a/Invoke-ReverseDnsLookup.ps1
+++ b/Recon/Invoke-ReverseDnsLookup.ps1