Pentest-Service-Enumeration

Purpose

Suggests binaries to run against services found during the enumeration phase of a Pentest

Background

While studying for the Offensive Security Certified Professional (OSCP) and Offensive Security Web Assessor (OSWA) certifications I found it hard to keep track of which commands to run during the enumeration phase for specific services.

The purpose of this tool is to make it easy to keep track of those commands.

Install Instructions

git clone https://github.com/ssstonebraker/Pentest-Service-Enumeration
cd Pentest-Service-Enumeration
./install.sh

Basic Usage

To view basic usage just type:

pse

This will list the available services and give an example of how to use the program.

[Pentest Service Enumeration: 0.0.3]
- Pentest command reference via the cli
----------------------------------------------------------------------------------------------------
Available Services
[*] dns
[*] ftp
[*] hashcat
[*] http
[*] ldap
[*] linpriv
[*] mimikatz
[*] nfs
[*] rpc
[*] searchsploit
[*] smb
[*] smtp
[*] snmp
[*] sql
[*] ssh
[*] sudo
[*] tcpdump
[*] webdav
[*] wfuzz
----------------------------------------------------------------------------------------------------
Return command references for a service
Usage: pse <service-name>

Examples
[*] pse ftp
[*] pse wfuzz
[*] pse smb

----------------------------------------------------------------------------------------------------
Help: pse -h

Listing commands for a service

pse <service-name>

Example:

List commands to run with smb

# pse smb

----------------------------------------------------------------------------------------------------
connect to remote smb share as null user
[*] smbclient "//$IP/$SHARE_NAME" -U ""
----------------------------------------------------------------------------------------------------
Create a destination mount directory, mount remote share as guest
[*] sudo mkdir /mnt/$IP_$FOLDER; sudo mount -v -t cifs "//$IP/$FOLDER" /mnt/$IP_$FOLDER -o username=guest
----------------------------------------------------------------------------------------------------
Launch a semi-interactive shell
[*] smbexec.py $HOST/$USERNAME:$PASSWORD@$IP
----------------------------------------------------------------------------------------------------
List smb share files using a null user
[*] smbclient -L $IP -U -N
----------------------------------------------------------------------------------------------------
ngrep samba version while connecting via smbclient
[*] export INTERFACE="tun0"; sudo ngrep -i -d $INTERFACE 's.?a.?m.?b.?a.*[[:digit:]]'
----------------------------------------------------------------------------------------------------
Recursive directory listing
[*] smbmap -H $ip -R
----------------------------------------------------------------------------------------------------
Scan IP Address for SMB Pipe Names
[*] pipef -a $IP
----------------------------------------------------------------------------------------------------

List commands to run with wfuzz

# pse wfuzz

[Pentest Service Enumeration: 0.0.3]
----------------------------------------------------------------------------------------------------
Command injection
[*] URL="http://target:80/php/blocklisted.php?ip=127.0.0.1FUZZ"; wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 "$URL"
----------------------------------------------------------------------------------------------------
Directory Discovery (medium) - ignore 404, 301
[*] URL="http://target/FUZZ";FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,301 "$URL"
----------------------------------------------------------------------------------------------------
Directory Discovery (medium) - ignore 404, 403, 301
[*] URL="http://target/FUZZ"; FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,403,301 "$URL"
----------------------------------------------------------------------------------------------------
File discovery
[*] URL="http://target/FUZZ";wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt --hc 301,404,403 "$URL"
----------------------------------------------------------------------------------------------------
POST data fuzzing (password cracking)
[*] URL="http://target:80/wp-login.php" wfuzz -c -z file,/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --hc 404 -d "log=admin&pwd=FUZZ" "$URL"
----------------------------------------------------------------------------------------------------
Param value fuzzing (find hidden params)
[*] export URL="http://target:80/index.php?FUZZ=data";wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 404,301 "$URL"
----------------------------------------------------------------------------------------------------
Param value fuzzing (usernames)
[*] URL="http://target:80/index.php?fpv=FUZZ"; wfuzz -c -z file,/usr/share/seclists/Usernames/cirt-default-usernames.txt --hc 404 "$URL"

Adding commands for a service

File Structure

Services are text files located at:

$HOME/.pse/<files>

Every command you want to return should be on a separate line in the format:

description:command

Example Service

File: $HOME/.pse/nfs

Content:

show available nfs mounts:showmount -e $IP
mount a nfs share:export IP=10.11.1.72; sudo mkdir -p /mnt/$IP/home && sudo mount -t nfs $IP:/home /mnt/$IP/home

Storing a new command with arguments

Edit the corresponding service file at $HOME/.pse/<filename> (e.g. $HOME/.pse/smb or $HOME/.pse/dns).

If you want to add a new service, create a file at $HOME/.pse/foo

Example: Create documentation for curl

To add curl as a service for pse:

  1. Create the file $HOME/.pse/curl
  2. Add one line per command you want saved, in the format:
<description>:<command>

Example content for file $HOME/.pse/curl:

Return help content:curl -h
Run curl in verbose mode:curl -v

Now when you run the command pse curl, the output is:

[Pentest Service Enumeration: 0.0.3]
----------------------------------------------------------------------------------------------------
Return help content
[*] curl -h
----------------------------------------------------------------------------------------------------
Run curl in verbose mode
[*] curl -v
----------------------------------------------------------------------------------------------------
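The script below is an added example, not the project's own pse script: a minimal POSIX sh reader for the $HOME/.pse/<service> file format described under File Structure, rendering a service file in the same layout that pse <service-name> prints above. It splits each line at the first colon only, which matters because many stored commands (URLs with ports, NFS exports like $IP:/home) contain colons themselves. PSE_DIR and the temporary sample directory are assumptions of this example; the sample nfs content is the README's own.

```sh
#!/bin/sh
# Added example (not the project's own pse script): a minimal reader for the
# $HOME/.pse/<service> file format described above, reproducing the
# "description:command" layout that "pse <service-name>" prints.
# Assumption: PSE_DIR (default $HOME/.pse) holds one text file per service.

PSE_DIR="${PSE_DIR:-$HOME/.pse}"
RULE='----------------------------------------------------------------------------------------------------'

# pse_render FILE: print every "description:command" line in the pse layout.
# The split is at the FIRST colon only, so commands that contain colons
# (URLs such as http://target:80, NFS exports such as $IP:/home) stay intact.
# Blank lines are skipped; a line with no colon is reported on stderr and skipped.
pse_render() {
    file="$1"
    [ -r "$file" ] || { printf 'pse: no service file: %s\n' "$file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '') continue ;;
            *:*) ;;
            *) printf 'pse: skipping malformed line (no ":"): %s\n' "$line" >&2; continue ;;
        esac
        desc="${line%%:*}"   # text before the first colon
        cmd="${line#*:}"     # everything after it, later colons included
        printf '%s\n%s\n[*] %s\n' "$RULE" "$desc" "$cmd"
    done < "$file"
    printf '%s\n' "$RULE"
}

# pse_service NAME: render $PSE_DIR/NAME, the lookup "pse <service-name>" performs.
pse_service() {
    pse_render "$PSE_DIR/$1"
}

# Constructed sample: the README's nfs example content, written to a temporary
# directory so the demo runs without touching a real $HOME/.pse.
PSE_DIR="$(mktemp -d)"
printf '%s\n' \
  'show available nfs mounts:showmount -e $IP' \
  'mount a nfs share:export IP=10.11.1.72; sudo mkdir -p /mnt/$IP/home && sudo mount -t nfs $IP:/home /mnt/$IP/home' \
  > "$PSE_DIR/nfs"

pse_service nfs
```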
