authorbitform <matt@exploit-monday.com>2012-08-07 19:14:11 -0400
committerbitform <matt@exploit-monday.com>2012-08-07 19:14:11 -0400
commit0ecd7cb158a12ec77d202da8a7392891d7d1707a (patch)
tree5278954a7844da4e3992d55fc03d732fd143ed63 /Recon
parentbefc24a6e89ce6ff7d5007e27ba5ad4f1e5029a9 (diff)
Added Get-HttpStatus and 'Recon' directory
* All recon scripts now live in the 'Recon' directory * Added Get-HttpStatus - An http[s] enumeration tool * Added default dictionary for Get-HttpStatus - .\Dictionaries\admin.txt * Moved Invoke-ReverseDnsLookup to 'Recon'
Diffstat (limited to 'Recon')
-rw-r--r--Recon/Dictionaries/admin.txt202
-rw-r--r--Recon/Get-HttpStatus.ps1119
-rw-r--r--Recon/Invoke-ReverseDnsLookup.ps1193
3 files changed, 514 insertions, 0 deletions
diff --git a/Recon/Dictionaries/admin.txt b/Recon/Dictionaries/admin.txt
new file mode 100644
index 0000000..93b2fe1
--- /dev/null
+++ b/Recon/Dictionaries/admin.txt
@@ -0,0 +1,202 @@
+admin1.php
+admin.asp
+admin/account.asp
+admin/account.html
+admin/account.php
+admin/controlpanel.asp
+admin/controlpanel.html
+admin/controlpanel.php
+admin/cp.asp
+admin/cp.html
+admin/cp.php
+admin/home.asp
+admin/home.php
+admin/index.asp
+admin/index.html
+admin/login.asp
+admin/login.html
+admin/login.php
+admin1.asp
+admin1.html
+admin1/
+admin2.asp
+admin2.html
+admin2.php
+admin4_account/
+admin4_colon/
+admincontrol.asp
+admincontrol.html
+admincontrol.php
+administer/
+administr8.asp
+administr8.html
+administr8.php
+administr8/
+administracao.php
+administracao/
+administracion.php
+administracion/
+administrateur.php
+administrateur/
+administratie/
+administration.html
+administration.php
+administration/
+administrator.asp
+administrator.html
+administrator.php
+administrator/account.asp
+administrator/account.html
+administrator/account.php
+administrator/index.asp
+administrator/index.html
+administrator/index.php
+administrator/login.asp
+administrator/login.html
+administrator/login.php
+administratoraccounts/
+administrators/
+administrivia/
+adminpanel.asp
+adminpanel.html
+adminpanel.php
+adminpro/
+admins.asp
+admins.html
+admins.php
+admins/
+AdminTools/
+amministratore.php
+amministratore/
+autologin/
+banneradmin/
+bbadmin/
+beheerder.php
+beheerder/
+bigadmin/
+blogindex/
+cadmins/
+ccms/
+ccms/index.php
+ccms/login.php
+ccp14admin/
+cmsadmin/
+configuration/
+configure/
+controlpanel.asp
+controlpanel.html
+controlpanel.php
+controlpanel/
+cp.asp
+cp.html
+cp.php
+cpanel_file/
+customer_login/
+database_administration/
+Database_Administration/
+dir-login/
+directadmin/
+ezsqliteadmin/
+fileadmin.asp
+fileadmin.html
+fileadmin.php
+formslogin/
+globes_admin/
+hpwebjetadmin/
+Indy_admin/
+irc-macadmin/
+LiveUser_Admin/
+login_db/
+login-redirect/
+login-us/
+login.asp
+login.html
+login.php
+login1/
+loginflat/
+logo_sysadmin/
+Lotus_Domino_Admin/
+macadmin/
+maintenance/
+manuallogin/
+memlogin/
+meta_login/
+modelsearch/login.asp
+modelsearch/login.php
+moderator.asp
+moderator.html
+moderator.php
+moderator/
+moderator/admin.asp
+moderator/admin.html
+moderator/admin.php
+moderator/login.asp
+moderator/login.html
+moderator/login.php
+myadmin/
+navSiteAdmin/
+newsadmin/
+openvpnadmin/
+painel/
+panel/
+pgadmin/
+phpldapadmin/
+phppgadmin/
+phpSQLiteAdmin/
+platz_login/
+power_user/
+project-admins/
+pureadmin/
+radmind-1/
+radmind/
+rcLogin/
+server_admin_small/
+Server.asp
+Server.html
+Server.php
+ServerAdministrator/
+showlogin/
+simpleLogin/
+smblogin/
+sql-admin/
+ss_vms_admin_sm/
+sshadmin/
+staradmin/
+sub-login/
+Super-Admin/
+support_login/
+sys-admin/
+sysadmin.asp
+sysadmin.html
+sysadmin.php
+sysadmin/
+SysAdmin/
+SysAdmin2/
+sysadmins/
+system_administration/
+system-administration/
+ur-admin.asp
+ur-admin.html
+ur-admin.php
+ur-admin/
+useradmin/
+UserLogin/
+utility_login/
+v2/painel/
+vadmind/
+vmailadmin/
+webadmin.asp
+webadmin.html
+webadmin.php
+webmaster/
+websvn/
+wizmysqladmin/
+wp-admin/
+wp-login/
+xlogin/
+yonetici.asp
+yonetici.html
+yonetici.php
+yonetim.asp
+yonetim.html
+yonetim.php \ No newline at end of file
diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1
new file mode 100644
index 0000000..2f4b343
--- /dev/null
+++ b/Recon/Get-HttpStatus.ps1
@@ -0,0 +1,119 @@
+function Get-HttpStatus {
+<#
+.SYNOPSIS
+PowerSploit Module - Get-HttpStatus
+
+Returns the HTTP Status Codes and full URL for specified paths.
+
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+
+.DESCRIPTION
+A script to check for the existence of a path or file on a webserver.
+
+.PARAMETER Target
+Specifies the remote web host either by IP or hostname.
+
+.PARAMETER Path
+Specifies the remost host.
+
+.PARAMETER Port
+Specifies the port to connect to.
+
+.PARAMETER UseSSL
+Use an SSL connection.
+
+.EXAMPLE
+PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
+
+.EXAMPLE
+PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
+
+.NOTES
+HTTP Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
+Status Codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
+
+.LINK
+http://obscuresecurity.blogspot.com
+#>
+
+ [CmdletBinding()] Param(
+ [Parameter(Mandatory = $True)] [String] $Target,
+ [Parameter()] [String] [ValidateNotNullOrEmpty()] $Path = '.\Dictionaries\admin.txt',
+ [Parameter()] [Int] $Port,
+ [Parameter()] [Switch] $UseSSL
+ )
+
+ if (Test-Path $Path) {
+
+ if ($UseSSL -and $Port -eq 0) {
+ # Default to 443 if SSL is specified but no port is specified
+ $Port = 443
+ } elseif ($Port -eq 0) {
+ # Default to port 80 if no port is specified
+ $Port = 80
+ }
+
+ $TcpConnection = New-Object System.Net.Sockets.TcpClient
+ Write-Verbose "Path Test Succeeded - Testing Connectivity"
+
+ try {
+ # Validate that the host is listening before scanning
+ $TcpConnection.Connect($Target, $Port)
+ } catch {
+ Write-Error "Connection Test Failed - Check Target"
+ $Tcpconnection.Close()
+ Return
+ }
+
+ $Tcpconnection.Close()
+ } else {
+ Write-Error "Path Test Failed - Check Dictionary Path"
+ Return
+ }
+
+ if ($UseSSL) {
+ $SSL = 's'
+ # Ignore invalid SSL certificates
+ [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
+ } else {
+ $SSL = ''
+ }
+
+ if (($Port -eq 80) -or ($Port -eq 443)) {
+ $PortNum = ''
+ } else {
+ $PortNum = ":$Port"
+ }
+
+ # Check Http status for each entry in the doctionary file
+ foreach ($Item in Get-Content $Path) {
+
+ $WebTarget = "http$($SSL)://$($Target)$($PortNum)/$($Item)"
+ $URI = New-Object Uri($WebTarget)
+
+ try {
+ $WebRequest = [System.Net.WebRequest]::Create($URI)
+ $WebResponse = $WebRequest.GetResponse()
+ $WebStatus = $WebResponse.StatusCode
+ $ResultObject += $ScanObject
+ $WebResponse.Close()
+ } catch {
+ $WebStatus = $Error[0].Exception.InnerException.Response.StatusCode
+
+ if ($WebStatus -eq $null) {
+ # Not every exception returns a StatusCode.
+ # If that is the case, return the Status.
+ $WebStatus = $Error[0].Exception.InnerException.Status
+ }
+ }
+
+ $Result = @{ Status = $WebStatus;
+ URL = $WebTarget}
+
+ $ScanObject = New-Object -TypeName PSObject -Property $Result
+
+ Write-Output $ScanObject
+
+ }
+} \ No newline at end of file
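Review bot: The certificate-validation override `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }` is process-wide and is never restored, so after one `-UseSSL` run every later HTTPS request in the same PowerShell session, including those from unrelated modules, silently accepts any certificate. Capture the existing callback before the scan and put it back in a `finally` around the loop, as sketched below. Separately, `$ResultObject += $ScanObject` inside the try reads `$ScanObject` before it has been assigned on the first iteration and `$ResultObject` is never emitted, so that line can be dropped; the catch block would also read more clearly using `$_` instead of `$Error[0]`. The `.PARAMETER Path` help says "Specifies the remost host." but the parameter is the dictionary file, e.g. `Specifies the path to the dictionary file listing the paths to probe (default .\Dictionaries\admin.txt, resolved against the current directory, not the script location).`
```powershell
    if ($UseSSL) {
        $SSL = 's'
        # The validation callback is process-wide: remember the current one so it
        # can be restored when the scan ends
        $OriginalCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
    } else {
        $SSL = ''
    }

    try {
        # … unchanged: port-suffix selection and the foreach scan loop …
    } finally {
        if ($UseSSL) {
            [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $OriginalCallback
        }
    }
```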
diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1
new file mode 100644
index 0000000..af45f2e
--- /dev/null
+++ b/Recon/Invoke-ReverseDnsLookup.ps1
@@ -0,0 +1,193 @@
+function Invoke-ReverseDnsLookup
+{
+
+<#
+.Synopsis
+
+ PowerSploit Module - Invoke-ReverseDnsLookup
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+
+.Description
+
+ Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script
+ is useful for performing DNS reconnaisance prior to conducting an authorized
+ penetration test.
+
+.Parameter IPRange
+
+ Specifies the IP address range. The range provided can be in the form of a single
+ IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be
+ provided.
+
+.Example
+
+ PS> Invoke-ReverseDnsLookup 74.125.228.0/29
+
+ IP HostName
+ -- --------
+ 74.125.228.1 iad23s05-in-f1.1e100.net
+ 74.125.228.2 iad23s05-in-f2.1e100.net
+ 74.125.228.3 iad23s05-in-f3.1e100.net
+ 74.125.228.4 iad23s05-in-f4.1e100.net
+ 74.125.228.5 iad23s05-in-f5.1e100.net
+ 74.125.228.6 iad23s05-in-f6.1e100.net
+
+ Description
+ -----------
+ Returns the hostnames of the IP addresses specified by the CIDR range.
+
+.Example
+
+ PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
+
+ IP HostName
+ -- --------
+ 74.125.228.1 iad23s05-in-f1.1e100.net
+ 74.125.228.4 iad23s05-in-f4.1e100.net
+ 74.125.228.5 iad23s05-in-f5.1e100.net
+ 74.125.228.6 iad23s05-in-f6.1e100.net
+
+ Description
+ -----------
+ Returns the hostnames of the IP addresses specified by the IP range specified.
+
+
+.Link
+
+ My blog: http://www.exploit-monday.com
+#>
+
+Param( [Parameter(Position = 0, Mandatory = $True)] [String] $IpRange )
+
+ function Parse-IPList ([String] $IpRange)
+ {
+
+ function IPtoInt
+ {
+ Param([String] $IpString)
+
+ $Hexstr = ""
+ $Octets = $IpString.Split(".")
+ foreach ($Octet in $Octets) {
+ $Hexstr += "{0:X2}" -f [Int] $Octet
+ }
+ return [Convert]::ToInt64($Hexstr, 16)
+ }
+
+ function InttoIP
+ {
+ Param([Int64] $IpInt)
+ $Hexstr = $IpInt.ToString("X8")
+ $IpStr = ""
+ for ($i=0; $i -lt 8; $i += 2) {
+ $IpStr += [Convert]::ToInt64($Hexstr.SubString($i,2), 16)
+ $IpStr += '.'
+ }
+ return $IpStr.TrimEnd('.')
+ }
+
+ $Ip = [System.Net.IPAddress]::Parse("127.0.0.1")
+
+ foreach ($Str in $IpRange.Split(","))
+ {
+ $Item = $Str.Trim()
+ $Result = ""
+ $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
+
+ # First, validate the input
+ switch -regex ($Item)
+ {
+ "^$IpRegex/\d{1,2}$"
+ {
+ $Result = "cidrRange"
+ break
+ }
+ "^$IpRegex-$IpRegex$"
+ {
+ $Result = "range"
+ break
+ }
+ "^$IpRegex$"
+ {
+ $Result = "single"
+ break
+ }
+ default
+ {
+ Write-Warning "Inproper input"
+ return
+ }
+ }
+
+ #Now, start processing the IP addresses
+ switch ($Result)
+ {
+ "cidrRange"
+ {
+ $CidrRange = $Item.Split("/")
+ $Network = $CidrRange[0]
+ $Mask = $CidrRange[1]
+
+ if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return}
+ if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return}
+
+ $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0')
+ #Generate lower limit (Excluding network address)
+ $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1"
+ #Generate upperr limit (Excluding broadcast address)
+ $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0"
+ $LowerInt = [Convert]::ToInt64($Lower, 2)
+ $UpperInt = [Convert]::ToInt64($Upper, 2)
+ for ($i = $LowerInt; $i -le $UpperInt; $i++) { InttoIP $i }
+ }
+ "range"
+ {
+ $Range = $item.Split("-")
+
+ if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip }
+ else { Write-Warning "Invalid IP address supplied!"; return }
+
+ if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip }
+ else { Write-Warning "Invalid IP address supplied!"; return }
+
+ $Left = (IPtoInt $Temp1.ToString())
+ $Right = (IPtoInt $Temp2.ToString())
+
+ if ($Right -gt $Left) {
+ for ($i = $Left; $i -le $Right; $i++) { InttoIP $i }
+ }
+ else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return}
+
+ break
+ }
+ "single"
+ {
+ if ([System.Net.IPAddress]::TryParse($Item,[ref]$Ip)) { $Ip.IPAddressToString }
+ else { Write-Warning "Invalid IP address supplied!"; return }
+ break
+ }
+ default
+ {
+ Write-Warning "An error occured."
+ return
+ }
+ }
+ }
+
+ }
+
+ Parse-IPList $IpRange | ForEach-Object {
+ try {
+ $Temp = [System.Net.Dns]::GetHostEntry($_)
+
+ $Result = @{
+ IP = $_
+ HostName = $Temp.HostName
+ }
+
+ New-Object PSObject -Property $Result
+ } catch [System.Net.Sockets.SocketException] {}
+ }
+
+}
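Review bot: The mask check `if (($Mask -lt 0) -or ($Mask -gt 30))` compares strings, because `$Mask` comes straight from `$Item.Split("/")` and PowerShell converts the right operand to the left operand's type; the comparison is therefore lexical, so a single-digit prefix such as `/8` is rejected as `"8" -gt "30"`. Casting once on assignment, `$Mask = [Int] $CidrRange[1]`, fixes the comparison and the later `Substring(0, $Mask)` and `32-$Mask` arithmetic alike. Also, the `return` statements in the `default` arms and on TryParse failure exit Parse-IPList for every remaining comma-separated item, not just the malformed one; `continue` would let the rest of the list still be processed, if that is the intent. Minor help-text typos worth fixing while here: "reconnaisance", "may can be provided", "Inproper input", "upperr".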