Suggests binaries to run against services found during the enumeration phase of a Pentest
While studying for the Offensive Security Certified Professional (OSCP) and Offensive Security Web Assessor (OSWA) certifications I found it hard to keep track of which commands to run during the enumeration phase for specific services.
The purpose of this tool is to make it easy to keep track of those commands.
git clone https://github.com/ssstonebraker/Pentest-Service-Enumeration
cd Pentest-Service-Enumeration
./install.sh
To view basic usage just type:
pse
This will list the available services and give an example of how to use the program.
[Pentest Service Enumeration: 0.0.3]
- Pentest command reference via the cli
----------------------------------------------------------------------------------------------------
Available Services
[*] dns
[*] ftp
[*] hashcat
[*] http
[*] ldap
[*] linpriv
[*] mimikatz
[*] nfs
[*] rpc
[*] searchsploit
[*] smb
[*] smtp
[*] snmp
[*] sql
[*] ssh
[*] sudo
[*] tcpdump
[*] webdav
[*] wfuzz
----------------------------------------------------------------------------------------------------
Return command references for a service
Usage: pse <service-name>
Examples
[*] pse ftp
[*] pse wfuzz
[*] pse smb
----------------------------------------------------------------------------------------------------
Help: pse -h
pse <service-name>
List commands to run with smb
# pse smb
----------------------------------------------------------------------------------------------------
connect to remote smb share as null user
[*] smbclient "//$IP/$SHARE_NAME" -U ""
----------------------------------------------------------------------------------------------------
Create a destination mount directory, mount remote share as guest
[*] sudo mkdir "/mnt/${IP}_$FOLDER"; sudo mount -v -t cifs "//$IP/$FOLDER" "/mnt/${IP}_$FOLDER" -o username=guest
----------------------------------------------------------------------------------------------------
Launch a semi-interactive shell
[*] smbexec.py $HOST/$USERNAME:$PASSWORD@$IP
----------------------------------------------------------------------------------------------------
List smb share files using a null user
[*] smbclient -L $IP -U "" -N
----------------------------------------------------------------------------------------------------
ngrep samba version while connecting via smbclient
[*] export INTERFACE="tun0"; sudo ngrep -i -d $INTERFACE 's.?a.?m.?b.?a.*[[:digit:]]'
----------------------------------------------------------------------------------------------------
Recursive directory listing
[*] smbmap -H $IP -R
----------------------------------------------------------------------------------------------------
Scan IP Address for SMB Pipe Names
[*] pipef -a $IP
----------------------------------------------------------------------------------------------------
List commands to run with wfuzz
# pse wfuzz
[Pentest Service Enumeration: 0.0.3]
----------------------------------------------------------------------------------------------------
Command injection
[*] URL="http://target:80/php/blocklisted.php?ip=127.0.0.1FUZZ"; wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 "$URL"
----------------------------------------------------------------------------------------------------
Directory Discovery (medium) - ignore 404, 301
[*] URL="http://target/FUZZ"; FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,301 "$URL"
----------------------------------------------------------------------------------------------------
Directory Discovery (medium) - ignore 404, 403, 301
[*] URL="http://target/FUZZ"; FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,403,301 "$URL"
----------------------------------------------------------------------------------------------------
File discovery
[*] URL="http://target/FUZZ"; wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt --hc 301,404,403 "$URL"
----------------------------------------------------------------------------------------------------
POST data fuzzing (password cracking)
[*] URL="http://target:80/wp-login.php"; wfuzz -c -z file,/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --hc 404 -d "log=admin&pwd=FUZZ" "$URL"
----------------------------------------------------------------------------------------------------
Param value fuzzing (find hidden params)
[*] export URL="http://target:80/index.php?FUZZ=data"; wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 404,301 "$URL"
----------------------------------------------------------------------------------------------------
Param value fuzzing (usernames)
[*] URL="http://target:80/index.php?fpv=FUZZ"; wfuzz -c -z file,/usr/share/seclists/Usernames/cirt-default-usernames.txt --hc 404 "$URL"
Services are text files located at:
$HOME/.pse/<files>
Every command you want to return should be on a separate line in the format:
description:command
File: $HOME/.pse/nfs
Content:
show available nfs mounts:showmount -e $IP
mount a nfs share:export IP=10.11.1.72; sudo mkdir -p /mnt/$IP/home && sudo mount -t nfs $IP:/home /mnt/$IP/home
Edit the corresponding service file at $HOME/.pse/<filename> (e.g. $HOME/.pse/smb or $HOME/.pse/dns).
If you want to add a new service, create a file at $HOME/.pse/foo
To add curl as a service for pse:
- Create file
$HOME/.pse/curl
- Add one line per command you want saved in format:
<description>:<command>
Example content for file $HOME/.pse/curl:
Return help content:curl -h
Run curl in verbose mode:curl -v
Now when you run the command pse curl, the output is:
[Pentest Service Enumeration: 0.0.3]
----------------------------------------------------------------------------------------------------
Return help content
[*] curl -h
----------------------------------------------------------------------------------------------------
Run curl in verbose mode
[*] curl -v
----------------------------------------------------------------------------------------------------
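As an added example that is not part of the pse project, here is a small POSIX shell renderer for the description:command service files described above (the nfs sample and the curl walkthrough). It splits each line on the first colon only, which is what keeps a command such as mount -t nfs $IP:/home ... intact, and it skips blank lines, comments and lines without any colon instead of turning them into bogus commands. The function names, the temp-file path and the sample file content are assumptions.

```shell
#!/bin/sh
# Added example, not part of the pse project: a minimal renderer for the
# description:command service files that pse reads from $HOME/.pse/<service>.
# It splits every line on the FIRST colon only, so a command that itself
# contains colons (http://target, $IP:/home, user:pass@host) is kept whole.
# Function names, the temp-file path and the sample content are assumptions.

# Print one pse-style listing for the service file given as $1.
pse_render() {
    file="$1"
    [ -r "$file" ] || { echo "no such service file: $file" >&2; return 1; }
    sep=$(printf '%100s' '' | tr ' ' '-')     # the 100-dash separator line
    echo '[Pentest Service Enumeration: 0.0.3]'
    # IFS= and -r keep leading spaces and backslashes in the command text;
    # the || [ -n ] clause still emits a final line that lacks a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                          # blank line or comment
            *:*)     ;;                                   # well-formed entry
            *)       echo "malformed line (no ':'): $line" >&2; continue ;;
        esac
        desc="${line%%:*}"   # text before the first colon
        cmd="${line#*:}"     # everything after the first colon, colons included
        printf '%s\n%s\n[*] %s\n' "$sep" "$desc" "$cmd"
    done < "$file"
}

# Write a constructed sample service file (same shape as $HOME/.pse/nfs)
# and print its path.
pse_sample_file() {
    f="${TMPDIR:-/tmp}/pse_example.$$"
    cat > "$f" <<'EOF'
# comment lines and blank lines are ignored
show available nfs mounts:showmount -e $IP

mount a nfs share:export IP=10.11.1.72; sudo mkdir -p /mnt/$IP/home && sudo mount -t nfs $IP:/home /mnt/$IP/home
EOF
    echo "$f"
}

# Usage: pse_render "$(pse_sample_file)"
```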