From 0ecd7cb158a12ec77d202da8a7392891d7d1707a Mon Sep 17 00:00:00 2001 From: bitform Date: Tue, 7 Aug 2012 19:14:11 -0400 Subject: Added Get-HttpStatus and 'Recon' directory * All recon scripts not live in the 'Recon' directory * Added Get-HttpStatus - An http[s] enumeration tool * Added default dictionary for Get-HttpStatus - .\Dictionaries\admin.txt * Moved Invoke-ReverseDnsLookup to 'Recon'
---
 Recon/Dictionaries/admin.txt | 202 ++++++++++++++++++++++++++++++++++++++ Recon/Get-HttpStatus.ps1 | 119 ++++++++++++++++++++++ Recon/Invoke-ReverseDnsLookup.ps1 | 193 ++++++++++++++++++++++++++++++++++++ 3 files changed, 514 insertions(+) create mode 100644 Recon/Dictionaries/admin.txt create mode 100644 Recon/Get-HttpStatus.ps1 create mode 100644 Recon/Invoke-ReverseDnsLookup.ps1 (limited to 'Recon')
diff --git a/Recon/Dictionaries/admin.txt b/Recon/Dictionaries/admin.txt
new file mode 100644
index 0000000..93b2fe1
--- /dev/null
+++ b/Recon/Dictionaries/admin.txt
@@ -0,0 +1,202 @@
+admin1.php
+admin.asp
+admin/account.asp
+admin/account.html
+admin/account.php
+admin/controlpanel.asp
+admin/controlpanel.html
+admin/controlpanel.php
+admin/cp.asp
+admin/cp.html
+admin/cp.php
+admin/home.asp
+admin/home.php
+admin/index.asp
+admin/index.html
+admin/login.asp
+admin/login.html
+admin/login.php
+admin1.asp
+admin1.html
+admin1/
+admin2.asp
+admin2.html
+admin2.php
+admin4_account/
+admin4_colon/
+admincontrol.asp
+admincontrol.html
+admincontrol.php
+administer/
+administr8.asp
+administr8.html
+administr8.php
+administr8/
+administracao.php
+administracao/
+administracion.php
+administracion/
+administrateur.php
+administrateur/
+administratie/
+administration.html
+administration.php
+administration/
+administrator.asp
+administrator.html
+administrator.php
+administrator/account.asp
+administrator/account.html
+administrator/account.php
+administrator/index.asp
+administrator/index.html
+administrator/index.php
+administrator/login.asp
+administrator/login.html
+administrator/login.php
+administratoraccounts/
+administrators/
+administrivia/
+adminpanel.asp
+adminpanel.html
+adminpanel.php
+adminpro/
+admins.asp
+admins.html
+admins.php
+admins/
+AdminTools/
+amministratore.php
+amministratore/
+autologin/
+banneradmin/
+bbadmin/
+beheerder.php
+beheerder/
+bigadmin/
+blogindex/
+cadmins/
+ccms/
+ccms/index.php
+ccms/login.php
+ccp14admin/
+cmsadmin/
+configuration/
+configure/
+controlpanel.asp
+controlpanel.html
+controlpanel.php
+controlpanel/
+cp.asp
+cp.html
+cp.php
+cpanel_file/
+customer_login/
+database_administration/
+Database_Administration/
+dir-login/
+directadmin/
+ezsqliteadmin/
+fileadmin.asp
+fileadmin.html
+fileadmin.php
+formslogin/
+globes_admin/
+hpwebjetadmin/
+Indy_admin/
+irc-macadmin/
+LiveUser_Admin/
+login_db/
+login-redirect/
+login-us/
+login.asp
+login.html
+login.php
+login1/
+loginflat/
+logo_sysadmin/
+Lotus_Domino_Admin/
+macadmin/
+maintenance/
+manuallogin/
+memlogin/
+meta_login/
+modelsearch/login.asp
+modelsearch/login.php
+moderator.asp
+moderator.html
+moderator.php
+moderator/
+moderator/admin.asp
+moderator/admin.html
+moderator/admin.php
+moderator/login.asp
+moderator/login.html
+moderator/login.php
+myadmin/
+navSiteAdmin/
+newsadmin/
+openvpnadmin/
+painel/
+panel/
+pgadmin/
+phpldapadmin/
+phppgadmin/
+phpSQLiteAdmin/
+platz_login/
+power_user/
+project-admins/
+pureadmin/
+radmind-1/
+radmind/
+rcLogin/
+server_admin_small/
+Server.asp
+Server.html
+Server.php
+ServerAdministrator/
+showlogin/
+simpleLogin/
+smblogin/
+sql-admin/
+ss_vms_admin_sm/
+sshadmin/
+staradmin/
+sub-login/
+Super-Admin/
+support_login/
+sys-admin/
+sysadmin.asp
+sysadmin.html
+sysadmin.php
+sysadmin/
+SysAdmin/
+SysAdmin2/
+sysadmins/
+system_administration/
+system-administration/
+ur-admin.asp
+ur-admin.html
+ur-admin.php
+ur-admin/
+useradmin/
+UserLogin/
+utility_login/
+v2/painel/
+vadmind/
+vmailadmin/
+webadmin.asp
+webadmin.html
+webadmin.php
+webmaster/
+websvn/
+wizmysqladmin/
+wp-admin/
+wp-login/
+xlogin/
+yonetici.asp
+yonetici.html
+yonetici.php
+yonetim.asp
+yonetim.html
+yonetim.php
\ No newline at end of file
diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1
new file mode 100644
index 0000000..2f4b343
--- /dev/null
+++ b/Recon/Get-HttpStatus.ps1
@@ -0,0 +1,119 @@ +function Get-HttpStatus { +<# +.SYNOPSIS +PowerSploit Module - Get-HttpStatus + +Returns the HTTP Status Codes and full URL for specified paths. + +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause + +.DESCRIPTION +A script to check for the existence of a path or file on a webserver. + +.PARAMETER Target +Specifies the remote web host either by IP or hostname. + +.PARAMETER Path +Specifies the remost host. + +.PARAMETER Port +Specifies the port to connect to. + +.PARAMETER UseSSL +Use an SSL connection. + +.EXAMPLE +PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*} + +.EXAMPLE +PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL + +.NOTES +HTTP Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error +Status Codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html + +.LINK +http://obscuresecurity.blogspot.com +#> + + [CmdletBinding()] Param( + [Parameter(Mandatory = $True)] [String] $Target, + [Parameter()] [String] [ValidateNotNullOrEmpty()] $Path = '.\Dictionaries\admin.txt', + [Parameter()] [Int] $Port, + [Parameter()] [Switch] $UseSSL + ) + + if (Test-Path $Path) { + + if ($UseSSL -and $Port -eq 0) { + # Default to 443 if SSL is specified but no port is specified + $Port = 443 + } elseif ($Port -eq 0) { + # Default to port 80 if no port is specified + $Port = 80 + } + + $TcpConnection = New-Object System.Net.Sockets.TcpClient + Write-Verbose "Path Test Succeeded - Testing Connectivity" + + try { + # Validate that the host is listening before scanning + $TcpConnection.Connect($Target, $Port) + } catch { + Write-Error "Connection Test Failed - Check Target" + $Tcpconnection.Close() + Return + } + + $Tcpconnection.Close() + } else { + Write-Error "Path Test Failed - Check Dictionary Path" + Return + } + + if ($UseSSL) { + $SSL = 's' + # Ignore invalid SSL certificates + 
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True } + } else { + $SSL = '' + } + + if (($Port -eq 80) -or ($Port -eq 443)) { + $PortNum = '' + } else { + $PortNum = ":$Port" + } + + # Check Http status for each entry in the doctionary file + foreach ($Item in Get-Content $Path) { + + $WebTarget = "http$($SSL)://$($Target)$($PortNum)/$($Item)" + $URI = New-Object Uri($WebTarget) + + try { + $WebRequest = [System.Net.WebRequest]::Create($URI) + $WebResponse = $WebRequest.GetResponse() + $WebStatus = $WebResponse.StatusCode + $ResultObject += $ScanObject + $WebResponse.Close() + } catch { + $WebStatus = $Error[0].Exception.InnerException.Response.StatusCode + + if ($WebStatus -eq $null) { + # Not every exception returns a StatusCode. + # If that is the case, return the Status. + $WebStatus = $Error[0].Exception.InnerException.Status + } + } + + $Result = @{ Status = $WebStatus; + URL = $WebTarget} + + $ScanObject = New-Object -TypeName PSObject -Property $Result + + Write-Output $ScanObject + + } +} \ No newline at end of file diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1 new file mode 100644 index 0000000..af45f2e --- /dev/null +++ b/Recon/Invoke-ReverseDnsLookup.ps1 
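Review bot: Assigning `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }` in the -UseSSL branch mutates a process-wide static that the function never restores, so every HTTPS request made later in the same PowerShell session keeps accepting invalid certificates, not just this scan. Capture the previous value first, `$OldCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback`, run the foreach inside `try { ... } finally { [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $OldCallback }`, and state in the .PARAMETER UseSSL help that certificate validation is bypassed only while the function runs. Inside the request try block, `$ResultObject += $ScanObject` writes to a variable nothing reads and, on the first iteration, appends a `$ScanObject` that has not been built yet; it looks like a leftover and can be removed. The `.PARAMETER Path` help, "Specifies the remost host.", documents the wrong thing and should read `Specifies the dictionary file of URL paths to test, one per line (default: .\Dictionaries\admin.txt).`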
@@ -0,0 +1,193 @@ +function Invoke-ReverseDnsLookup +{ + +<# +.Synopsis + + PowerSploit Module - Invoke-ReverseDnsLookup + Author: Matthew Graeber (@mattifestation) + License: BSD 3-Clause + +.Description + + Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script + is useful for performing DNS reconnaisance prior to conducting an authorized + penetration test. + +.Parameter IPRange + + Specifies the IP address range. The range provided can be in the form of a single + IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be + provided. + +.Example + + PS> Invoke-ReverseDnsLookup 74.125.228.0/29 + + IP HostName + -- -------- + 74.125.228.1 iad23s05-in-f1.1e100.net + 74.125.228.2 iad23s05-in-f2.1e100.net + 74.125.228.3 iad23s05-in-f3.1e100.net + 74.125.228.4 iad23s05-in-f4.1e100.net + 74.125.228.5 iad23s05-in-f5.1e100.net + 74.125.228.6 iad23s05-in-f6.1e100.net + + Description + ----------- + Returns the hostnames of the IP addresses specified by the CIDR range. + +.Example + + PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' + + IP HostName + -- -------- + 74.125.228.1 iad23s05-in-f1.1e100.net + 74.125.228.4 iad23s05-in-f4.1e100.net + 74.125.228.5 iad23s05-in-f5.1e100.net + 74.125.228.6 iad23s05-in-f6.1e100.net + + Description + ----------- + Returns the hostnames of the IP addresses specified by the IP range specified. 
+ + +.Link + + My blog: http://www.exploit-monday.com +#> + +Param( [Parameter(Position = 0, Mandatory = $True)] [String] $IpRange ) + + function Parse-IPList ([String] $IpRange) + { + + function IPtoInt + { + Param([String] $IpString) + + $Hexstr = "" + $Octets = $IpString.Split(".") + foreach ($Octet in $Octets) { + $Hexstr += "{0:X2}" -f [Int] $Octet + } + return [Convert]::ToInt64($Hexstr, 16) + } + + function InttoIP + { + Param([Int64] $IpInt) + $Hexstr = $IpInt.ToString("X8") + $IpStr = "" + for ($i=0; $i -lt 8; $i += 2) { + $IpStr += [Convert]::ToInt64($Hexstr.SubString($i,2), 16) + $IpStr += '.' + } + return $IpStr.TrimEnd('.') + } + + $Ip = [System.Net.IPAddress]::Parse("127.0.0.1") + + foreach ($Str in $IpRange.Split(",")) + { + $Item = $Str.Trim() + $Result = "" + $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" + + # First, validate the input + switch -regex ($Item) + { + "^$IpRegex/\d{1,2}$" + { + $Result = "cidrRange" + break + } + "^$IpRegex-$IpRegex$" + { + $Result = "range" + break + } + "^$IpRegex$" + { + $Result = "single" + break + } + default + { + Write-Warning "Inproper input" + return + } + } + + #Now, start processing the IP addresses + switch ($Result) + { + "cidrRange" + { + $CidrRange = $Item.Split("/") + $Network = $CidrRange[0] + $Mask = $CidrRange[1] + + if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return} + if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! 
Acceptable values are 0-30"; return} + + $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0') + #Generate lower limit (Excluding network address) + $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1" + #Generate upperr limit (Excluding broadcast address) + $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0" + $LowerInt = [Convert]::ToInt64($Lower, 2) + $UpperInt = [Convert]::ToInt64($Upper, 2) + for ($i = $LowerInt; $i -le $UpperInt; $i++) { InttoIP $i } + } + "range" + { + $Range = $item.Split("-") + + if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip } + else { Write-Warning "Invalid IP address supplied!"; return } + + if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip } + else { Write-Warning "Invalid IP address supplied!"; return } + + $Left = (IPtoInt $Temp1.ToString()) + $Right = (IPtoInt $Temp2.ToString()) + + if ($Right -gt $Left) { + for ($i = $Left; $i -le $Right; $i++) { InttoIP $i } + } + else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return} + + break + } + "single" + { + if ([System.Net.IPAddress]::TryParse($Item,[ref]$Ip)) { $Ip.IPAddressToString } + else { Write-Warning "Invalid IP address supplied!"; return } + break + } + default + { + Write-Warning "An error occured." + return + } + } + } + + } + + Parse-IPList $IpRange | ForEach-Object { + try { + $Temp = [System.Net.Dns]::GetHostEntry($_) + + $Result = @{ + IP = $_ + HostName = $Temp.HostName + } + + New-Object PSObject -Property $Result + } catch [System.Net.Sockets.SocketException] {} + } + +} -- cgit v1.2.3
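Review bot: The mask bounds check in the `cidrRange` branch compares a string against integers: `$Mask` comes from `$Item.Split("/")`, so PowerShell evaluates `$Mask -gt 30` as a string comparison, in which `"8" -gt "30"` is true, and single-digit prefixes such as /8 appear to be rejected with "Invalid network mask" even though they are in range. Converting once, `$Mask = [Int] $CidrRange[1]`, makes both the bounds check and the later `(32-$Mask)` arithmetic operate on an integer. The `default` arm of the `switch -regex` returns out of Parse-IPList entirely, so one malformed item in a comma-delimited list silently drops every entry after it; a labelled `continue` against the outer foreach would keep the remaining items, and whichever behaviour is intended should be stated in the .Parameter IPRange help. The empty `catch [System.Net.Sockets.SocketException] {}` at the end is a deliberate no-PTR-record path and deserves a comment saying so, e.g. `# No PTR record for this address; skip it silently`.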