This forum is in archive mode. You will not be able to post new content.
Pages: [1]

Author Topic: [Bash] Discovery.sh  (Read 2947 times)

0 Members and 1 Guest are viewing this topic.

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
    • View Profile
[Bash] Discovery.sh
« on: September 02, 2013, 11:51:30 PM »
I would be selfish not to mention this script as it has been alot of help if quiet some jobs.
It is by Leebaird. It concats alot of the discovery step procedures in you hacking ventures in one to make your Job easier. It's almost 3000 lines so better check it out on GitHub for any updates.
Code: (bash) [Select]
#!/bin/bash
#
# By Lee Baird
# Feel free to contact me via chat or email with any feedback or suggestions that you may have:
# leebaird@gmail.com
#
# Special thanks to the following people:
#
# Jason Arnold - planning original concept, author of ssl-check and co-author of crack-wifi.
# Dave Klug - planning, testing and bug reports.
# Matt Banick - original development.
# Eric Milam - total re-write using functions.
# Martin Bos - IDS evasion techniques.
# Numerous people on freenode IRC - #bash and #sed (e36freak)
# Ben Wood - regex master
# Rob Dixon - report framework idea
# Steve Copland - report framework design

##############################################################################################################

# Variables
interface=$(ifconfig | grep -B10 'Loopback'| grep 'Ethernet' | cut -d ' ' -f1)
ip=$(ifconfig | grep -B10 'Loopback' | grep 'Bcast' | cut -d ':' -f2 | cut -d ' ' -f1)
line="=================================================="
user=$(whoami)

# Catch ctrl+c from user
trap f_terminate 2

##############################################################################################################

f_banner(){
echo
echo "______ ___ ______ ______ _____ _ _ ______ _____"
echo "| \ | |____ | | | \ / |_____ |____/"
echo "|_____/ _|_ _____| |_____ |_____| \/ |_____ | \_"
echo
echo "By Lee Baird"
echo
echo
}

##############################################################################################################

f_error(){
echo
echo -e "\e[1;31m$line\e[0m"
echo
echo -e "\e[1;31m *** Invalid choice or entry. ***\e[0m"
echo
echo -e "\e[1;31m$line\e[0m"
sleep 2
f_main
}

##############################################################################################################

f_location(){
echo
echo -n "Enter the location of your list: "
read location

# Check for no answer
if [ -z $location ]; then
f_error
fi

# Check for wrong answer
if [ ! -f $location ]; then
f_error
fi
}

##############################################################################################################

f_runlocally(){
if [ -z $DISPLAY ]; then
clear
     f_banner
     echo
echo $line
     echo
echo "This option must be run locally, in an X-Windows environment."
     echo
read -p "Press <return> to continue."

     f_main
fi
}

##############################################################################################################

f_terminate(){
rm emails names squatting whois* subdomain* doc pdf ppt txt xls tmp* z* 2>/dev/null

if [ -f $name ]; then
rm -rf $name
fi

PID=$(ps -ef | grep 'discover.sh' | grep -v 'grep' | awk '{print $2}')
kill -9 $PID

echo
echo
}

##############################################################################################################

f_recon(){
clear
f_banner
echo -e "\e[1;34mRECON\e[0m"
echo
echo "1. Company"
echo "2. Person"
echo "3. Previous menu"
echo
echo -n "Choice: "
read choice

case $choice in
     1) f_scrape;;

     2) f_runlocally
     echo
echo $line
     echo
echo -n "First name: "
     read firstName

     # Check for no answer
     if [ -z $firstName ]; then
f_error
     fi

echo
echo -n "Last name: "
     read lastName

     # Check for no answer
     if [ -z $lastName ]; then
f_error
     fi

firefox &
     sleep 2
     firefox -new-tab http://www.123people.com/s/$firstName+$lastName &
     sleep 1
     firefox -new-tab http://www.411.com/name/$firstName-$lastName/ &
     sleep 1
     firefox -new-tab http://www.cvgadget.com/person/$firstName/$lastName &
     sleep 1
     firefox -new-tab http://www.peekyou.com/$fireName_$lastName &
     sleep 1
     firefox -new-tab http://phonenumbers.addresses.com/people/$firstName+$lastName &
     sleep 1
     firefox -new-tab http://search.nndb.com/search/nndb.cgi?nndb=1&omenu=unspecified&query=$firstName+$lastName &
     sleep 1
     firefox -new-tab http://www.spokeo.com/search?q=$firstName+$lastName&s3=t24 &
     sleep 1
     firefox -new-tab http://www.zabasearch.com/query1_zaba.php?sname=$firstName%20$lastName&state=ALL&ref=$ref&se=$se&doby=&city=&name_style=1&tm=&tmr=
     ;;

     3) f_main;;
     *) f_error;;
esac
}

##############################################################################################################

f_scrape(){
clear
f_banner
echo -e "\e[1;34mRECON\e[0m"
echo
echo "1. Passive"
echo "2. Active"
echo "3. Previous menu"
echo
echo -n "Choice: "
read choice

case $choice in
     1)
     echo
echo $line
     echo
echo "Usage: target.com"
     echo
echo -n "Domain: "
     read domain

     # Check for no answer
     if [ -z $domain ]; then
f_error
     fi

     # If folder doesn't exist, create it
     if [ ! -d /$user/$domain ]; then
cp -R /opt/scripts/report/ /$user/$domain
          sed 's/REPLACEDOMAIN/'$domain'/g' /$user/$domain/index.htm > tmp
          mv tmp /$user/$domain/index.htm
     fi

     # Number of tests
     total=24

     echo
echo $line
     echo

echo "goofile (1/$total)"
     python /pentest/enumeration/google/goofile/goofile.py -d $domain -f doc > tmp
     python /pentest/enumeration/google/goofile/goofile.py -d $domain -f docx >> tmp
     python /pentest/enumeration/google/goofile/goofile.py -d $domain -f pdf >> tmp
     python /pentest/enumeration/google/goofile/goofile.py -d $domain -f ppt >> tmp
     python /pentest/enumeration/google/goofile/goofile.py -d $domain -f pptx >> tmp
     python /pentest/enumeration/google/goofile/goofile.py -d $domain -f txt >> tmp
     python /pentest/enumeration/google/goofile/goofile.py -d $domain -f xls >> tmp
     python /pentest/enumeration/google/goofile/goofile.py -d $domain -f xlsx >> tmp

     grep $domain tmp | grep -v 'Searching in' | grep -Fv '...' | sort > tmp2

     grep '.doc' tmp2 | egrep -v '(.pdf|.ppt|.xls)' > doc
     grep '.pdf' tmp2 > pdf
     grep '.ppt' tmp2 > ppt
     grep '.txt' tmp2 | grep -v 'robots.txt' > txt
     grep '.xls' tmp2 > xls

     echo
echo "goog-mail (2/$total)"
     /opt/scripts/mods/goog-mail.py $domain | sort -u > tmp
     grep -Fv '..' tmp > tmp2
     # Remove lines that start with a number
     sed '/^[0-9]/d' tmp2 > tmp3
     # Change to lower case
     cat tmp3 | tr '[A-Z]' '[a-z]' > tmp4
     # Remove blank lines
     sed '/^$/d' tmp4 > zgoog-mail

     echo
echo "goohost"
     echo " IP (3/$total)"
     /pentest/enumeration/google/goohost/goohost.sh -t $domain -m ip >/dev/null
     echo " Email (4/$total)"
     /pentest/enumeration/google/goohost/goohost.sh -t $domain -m mail >/dev/null
     cat report-* > tmp
     # Move the second column to the first position
     grep $domain tmp | awk '{ print $2 " " $1 }' > tmp2
     column -t tmp2 > zgoohost
     rm *-$domain.txt

     echo
echo "theHarvester"
     echo " 123people (5/$total)"
     /pentest/enumeration/theharvester/theHarvester.py -d $domain -b people123 > z123people
     echo " Ask-mod (6/$total)"
     /opt/scripts/mods/theHarvester2.py -d $domain -b ask > zask-mod
     echo " Bing (7/$total)"
     /pentest/enumeration/theharvester/theHarvester.py -d $domain -b bing > zbing
     echo " Google (8/$total)"
     /pentest/enumeration/theharvester/theHarvester.py -d $domain -b google > zgoogle
     echo " Google Profiles (9/$total)"
     /pentest/enumeration/theharvester/theHarvester.py -d $domain -b google-profiles > zgoogle-profiles
     echo " Jigsaw (10/$total)"
     /pentest/enumeration/theharvester/theHarvester.py -d $domain -b jigsaw > zjigsaw
     echo " LinkedIn (11/$total)"
     /pentest/enumeration/theharvester/theHarvester.py -d $domain -b linkedin > zlinkedin
     echo " Login-mod (12/$total)"
     /opt/scripts/mods/theHarvester2.py -d $domain -b login > zlogin-mod
     echo " PGP (13/$total)"
     /pentest/enumeration/theharvester/theHarvester.py -d $domain -b pgp > zpgp
     echo " Yahoo-mod (14/$total)"
     /opt/scripts/mods/theHarvester2.py -d $domain -b yahoo > zyahoo-mod
     echo " All (15/$total)"
     /pentest/enumeration/theharvester/theHarvester.py -d $domain -b all > zall

     echo
echo "Metasploit (16/$total)"
     /opt/metasploit/msf3/msfcli gather/search_email_collector DOMAIN=$domain E > tmp 2>/dev/null
     grep @$domain tmp | awk '{print $2}' | grep -v '%' | grep -Fv '...@' | sort -u > tmp2
     # Change to lower case
     cat tmp2 | tr '[A-Z]' '[a-z]' > tmp3
     # Remove blank lines
     sed '/^$/d' tmp3 > zmsf

     echo
echo "dnsrecon (17/$total)"
     /pentest/enumeration/dns/dnsrecon/dnsrecon.py -d $domain -t goo > tmp
     grep $domain tmp | egrep -v '(Performing Google|Records Found)' > tmp2
     # Remove first 6 characters from each line
     sed 's/^......//' tmp2 > tmp3
     sed 's/A //g' tmp3 | sed 's/CNAME //g' | column -t | sort -u > subdomains1.txt

     echo
echo "URLCrazy (18/$total)"
/pentest/enumeration/web/urlcrazy/urlcrazy $domain -o tmp > /dev/null
     # Clean up
     egrep -v '(#|:|\?|Typo Type|URLCrazy)' tmp | sed 's/[A-Z]\{2\},//g' > tmp2
     # Remove lines that start with -
     grep -v '^-' tmp2 > tmp3
     # Remove blank lines
     sed '/^$/d' tmp3 > tmp4
     sed 's/BAHAMAS/Bahamas/g; s/BELGIUM/Belgium/g; s/GERMANY/Germany/g; s/IRELAND/Ireland/g; s/ITALY/Italy/g; s/JAPAN/Japan/g; s/KOREA REPUBLIC OF/Republic of Korea/g; s/NETHERLANDS/Netherlands/g; s/NORWAY/Norway/g; s/RUSSIAN FEDERATION/Russia/g; s/SPAIN/Spain/g; s/SWEDEN/Sweden/g; s/UNITED KINGDOM/United Kingdom/g; s/UNITED STATES/United States/g' tmp4 > squatting

     ##############################################################

     cat z* | egrep -v '(@|\*|-|=|\||;|:|"|<|>|/|\?)' > tmp
     # Remove blank lines
     sed '/^$/d' tmp > tmp2
     # Remove lines that contain a number
     sed '/[0-9]/d' tmp2 > tmp3
     # Remove lines that start with @ or .
     sed '/^\@\./d' tmp3 > tmp4
     # Remove trailing white space from each line
     sed 's/[ \t]*$//' tmp4 > tmp5
     # Substitute a space for a plus sign
     sed 's/+/ /g' tmp5 > tmp6
     # Change to lower case
     cat tmp6 | tr '[A-Z]' '[a-z]' > tmp7
     # Clean up
     egrep -v '(academy|account|administrator|administrative|advanced|adventure|advertising|america|american|analysis|analyst|antivirus|apple seems|application|applications|architect|article|asian|association|attorney|australia|automation|automotive|balance|bank|bbc|beginning|berlin|beta theta|between|big game|billion|bioimages|biometrics|bizspark|breaches|broker|business|buyer|buying|california|can i help|cannot|capital|career|carrying|cashing|certified|challenger|championship|change|chapter|charge|china|chinese|clearance|cloud|code|college|columbia|communications|community|company pages|competition|competitive|compliance|computer|concept|conference|config|connections|construction|consultant|contributor|controllang|cooperation|coordinator|corporation|creative|croatia|crm|dallas|day care|death toll|delta|department|description|designer|detection|developer|develop|development|devine|digital|diploma|director|disability|disaster|disclosure|dispute|division|dos poc|download|drivers|during|economy|ecovillage|editor|education|effect|electronic|emails|embargo|empower|end user|energy|engineer|enterprise|entertainment|entreprises|entrepreneur|environmental|error page|ethical|example|excellence|executive|expertzone|exploit|facebook|faculty|fall edition|fast track|fatherhood|fbi|federal|filmmaker|finance|financial|forensic|found|freelance|from|frontiers in tax|full|germany|get control|global|google|government|graphic|greater|group|guardian|hackers|hacking|harden|harder|hawaii|hazing|headquarters|health|history|homepage|hospital|house|how to|hurricane|idc|in the news|index|information|innovation|installation|insurers|integrated|international|internet|instructor|insurance|investigation|investment|investor|israel|japan|job|justice|kelowna|knowing|laptops|letter|licensing|lighting|limitless|liveedu|llp|ltd|lsu|luscous|malware|managed|management|manager|managing|manufacturing|marketplace|mastering|md|media|medical|medicine|meta tags|methane|metro|microsoft|middle east|mitigation|money|monitor|more coming|museums|negative|network|network|new user|newspaper|new york|next page|nitrogen|nyc|obtain|occupied|offers|office|online|organizational|outbreak|owners|partner|pathology|people|perceptions|philippines|photo|picture|places|planning|portfolio|potential|preparatory|president|principal|print|private|process|producer|product|professional|professor|profile|project|publichealth|published|pyramid|questions|redeem|redirect|register|registry|regulation|rehab|remote|report|republic|research|revised|rising|rural health|sales|satellite|save the date|school|scheduling|science|search|searc|secured|security|secretary|secrets|see more|selection|senior|service|services|software|solutions|source|special|station home|statistics|strategy|student|successful|superheroines|supervisor|support|switch|system|systems|targeted|technical|technology|tester|textoverflow|theater|time in|tit for tat|toolbook|tools|traditions|trafficking|treasury|trojan|twitter|training|ts|types of scams|unclaimed|underground|university|united states|untitled|view|Violent|virginia bar|voice|volkswagen|volume|wanted|web search|web site|website|welcome|west virginia|when the|whiskey|windows|workers|world|www|xbox)' tmp7 > tmp8
     # Remove leading and trailing whitespace from each line
     sed 's/^[ \t]*//;s/[ \t]*$//' tmp8 > tmp9
     # Remove lines that contain a single word
     sed '/[[:blank:]]/!d' tmp9 > tmp10
     # Clean up
     sed 's/\..../ /g' tmp10 | sed 's/\.../ /g' > tmp11
     # Capitalize the first letter of every word, print last name then first name
     sed "s/\b\(.\)/\u\1/g" tmp11 | awk '{print $2", "$1}' | sort -u > names

     ##############################################################

     cat z* | grep @$domain | grep -vF '...' | egrep -v '(\*|=|\+|\[|\||;|:|"|<|>|/|\?)' > tmp
     # Remove trailing whitespace from each line
     sed 's/[ \t]*$//' tmp > tmp2
     # Change to lower case
     cat tmp2 | tr '[A-Z]' '[a-z]' > tmp3
     # Clean up
     grep -v 'web search' tmp3 | sort -u > emails

     ##############################################################

     cat z* | sed '/^[0-9]/!d' | grep -v '@' > tmp
     # Substitute a space for a colon
     sed 's/:/ /g' tmp > tmp2
     # Move the second column to the first position
     awk '{ print $2 " " $1 }' tmp2 > tmp3
     column -t tmp3 > tmp4
     # Change to lower case
     cat tmp4 | tr '[A-Z]' '[a-z]' > tmp5
     grep $domain tmp5 | sort -u > subdomains2.txt
     cat subdomain* | grep -v "$domain\." | egrep -v '(.nat.|252f)' | sed 's/www\.//g' | column -t | sort -u > subdomains

     ##############################################################

     echo
echo "Whois"
     echo " Domain (19/$total)"
     whois -H $domain > tmp
     # Remove leading whitespace
     sed 's/^[ \t]*//' tmp > tmp2
     # Clean up
     egrep -v '(%|<a|=-=-=-=|Access may be|Additionally|Afilias except|and DNS Hosting|and limitations of|any use of|Be sure to|By submitting an|by the terms|can easily change|circumstances will|clientDeleteProhibited|clientTransferProhibited|clientUpdateProhibited|complaint will|contact information|Contact us|Copy and paste|currently set|database|data contained in|data presented in|date of|dissemination|Domaininfo AB|Domain Management|Domain names in|Domain status: ok|enable high|except as reasonably|failure to|facsimile of|for commercial purpose|for detailed information|For information for|for information purposes|for the sole|Get Noticed|Get a FREE|guarantee its|HREF|In Europe|In most cases|in obtaining|in the address|includes restrictions|including spam|information is provided|is not the|is providing|Learn how|Learn more|makes this information|MarkMonitor|mining this data|minute and one|modify existing|modify these terms|must be sent|name cannot|NamesBeyond|not to use|Note: This|NOTICE|obtaining information about|of Moniker|of this data|or hiding any|or otherwise support|other use of|own existing customers|Please be advised|Please note|policy|prior written consent|privacy is|Professional and|prohibited without|Promote your|protect the|Public Interest|queries or|Register your|Registrars|registration record|repackaging,|responsible for|See Business Registration|server at|solicitations via|sponsorship|Status|support the transmission|telephone, or facsimile|that apply to|that you will|the right| The data is|the transmission|The Trusted Partner|This listing is|This feature is|This information|This service is|to collect or|to entities|to report any|transmission of mass|UNITED STATES|United States|unsolicited advertising|Users may|Version 6|via e-mail|Visit AboutUs.org|while believed|will use this|with many different|with no guarantee|We reserve the|Whois|you agree|You may not)' tmp2 > tmp3
     # Remove lines starting with "*"
     sed '/^*/d' tmp3 > tmp4
     # Remove lines starting with "-"
     sed '/^-/d' tmp4 > tmp5
     # Remove lines starting with http
     sed '/^http/d' tmp5 > tmp6
     # Remove lines starting with US
     sed '/^US/d' tmp6 > tmp7
     # Clean up phone numbers
     sed 's/+1.//g' tmp7 > tmp8
     # Remove leading whitespace from file
     awk '!d && NF {sub(/^[[:blank:]]*/,""); d=1} d' tmp8 > tmp9
     # Remove trailing whitespace from each line
     sed 's/[ \t]*$//' tmp9 > tmp10
     # Compress blank lines
     cat -s tmp10 > tmp11
     # Remove lines that end with various words then a colon or period(s)
     egrep -v '(2:$|3:$|Address.$|Address........$|Address.........$|Ext.:$|FAX:$|Fax............$|Fax.............$|Province:$|Server:$)' tmp11 > tmp12
     # Remove line after "Domain Servers:"
     sed -i '/^Domain Servers:/{n; /.*/d}' tmp12
     # Remove line after "Domain servers"
     sed -i '/^Domain servers/{n; /.*/d}' tmp12
     # Remove blank lines from end of file
     awk '/^[[:space:]]*$/{p++;next} {for(i=0;i<p;i++){printf "\n"}; p=0; print}' tmp12 > whois-domain

     echo " IP (20/$total)"
     y=$(ping -c1 -w2 $domain | grep 'PING' | cut -d ')' -f1 | cut -d '(' -f2) ; whois -H $y > tmp
     # Remove leading whitespace
     sed 's/^[ \t]*//' tmp > tmp2
     # Remove trailing whitespace from each line
     sed 's/[ \t]*$//' tmp2 > tmp3
     # Clean up
     egrep -v '(\#|\%|\*|All reports|Comment|dynamic hosting|For fastest|For more|Found a referral|http|OriginAS:$|Parent:$|point in|RegDate:$|The activity|the correct|Without these)' tmp3 > tmp4
     # Remove leading whitespace from file
     awk '!d && NF {sub(/^[[:blank:]]*/,""); d=1} d' tmp4 > tmp5
     # Remove blank lines from end of file
     awk '/^[[:space:]]*$/{p++;next} {for(i=0;i<p;i++){printf "\n"}; p=0; print}' tmp5 > tmp6
     # Compress blank lines
     cat -s tmp6 > tmp7
     # Clean up
     sed 's/+1-//g' tmp7 > whois-ip
     echo

     # Remove all empty files
     find -type f -empty -exec rm {} +

     echo "mydnstools.info (21/$total)"
     wget -q http://www.mydnstools.info/nslookup/$domain/ANY -O tmp
     sed -n '/ANSWER SECTION/,/WHEN:/p' tmp | egrep -v '(DNSKEY|DS|NSEC3PARAM|Query time|RRSIG|SEC3|SECTION|SERVER|SSEC|TYPE51|WHEN)' | sed 's/;; //g; s/&quot;//g; s/\$domain./\$domain/g; s/$domain./$domain/g; s/.com./.com/g; s/.edu./.edu/g; s/.gov./.gov/g; s/.info./.info/g; s/.net./.net/g; s/.org./.org/g; s/.uk./.uk/g; s/IN//g' | awk '{print $1,$3,$4,$5,$6,$7,$8,$9,$10}' | column -t | sort -u -k2 -k1 > records

     echo "dnssy.com (22/$total)"
     wget -q http://www.dnssy.com/report.php?q=$domain -O tmp
     sed -n '/Results for/,/\/table/p' tmp > tmp2
     echo "<html>" > tmp3
     cat tmp2 | grep -v 'Results for' >> tmp3
     echo "</html>" >> tmp3
     sed 's/Pass/<center><img src="..\/images\/icons\/green.png" height="50" width="50"><\/center>/g;
s/Warning/<center><img src="..\/images\/icons\/yellow.png" height="50" width="50"><\/center>/g;
s/Fail/<center><img src="..\/images\/icons\/red.png" height="50" width="50"><\/center>/g;
s/ class="info"//g; s/ class="rfail"//g; s/ class="rinfo"//g; s/ class="rpass"//g; s/ class="rsecu"//g; s/ class="rwarn"//g;
s/All of the glue/Glue/g; s/All of your MX/All MX/g; s/All of your nameservers/Nameservers/g; s/Checking domain format/Domain format/g;
s/Checking for parent nameservers/Parent nameservers/g; s/Checking for parent glue/Parent glue/g; s/Each of your nameservers/Each nameserver/g;
s/I found the following MX records://g; s/I was unable/Unable/g; s/None of your MX/No MX/g; s/This is all of the MX servers I found.//g;
s/Your nameservers/Nameservers/g; s/Your NS records at your nameservers are://g; s/Your NS records at your parent nameserver are://g;
s/Your SOA/SOA/g; s/Your web server/The web server/g; s/Your web server says it is://g' tmp3 > /$user/$domain/data/config.htm

     echo "robtex.com (23/$total)"
     wget -q http://top.robtex.com/$domain.html#records -O robtex-records.htm
     wget -q http://top.robtex.com/$domain.html#shared -O robtex-shared.htm

     x=$(ls -l | grep 'robtex' | awk '{print $5,$8}' | sort | head -1 | awk '{print $2}')
     mv $x tmp

     sed '/<!DOCTYPE html>/,/<div id="c0a">/d' tmp | sed '/nopad sortable nospan/,/<\/html>/d' | sed '/<div id="c0b1">/,/DNS Records/d' | sed 's/<h2 class="h2s">Graph<\/h2>//g; s/<h2 class="h2s">Shared<\/h2>//g; s/"7.00"/"10.00"/g; s/"9.00"/"12.00"/g' > tmp2

     echo " </div>" >> tmp2
     echo " </div>" >> tmp2
     echo "</div>" >> tmp2
     echo "" >> tmp2
     echo "</body>" >> tmp2
     echo "" >> tmp2
     echo "</html>" >> tmp2

     cat tmp2 >> /$user/$domain/pages/robtex.htm

     echo "urlvoid.com (24/$total)"
     wget -q http://www.urlvoid.com/scan/$domain -O tmp
     sed -n '/Website Blacklist Report/,/<\/table>/p' tmp > tmp2
     sed 's/<img src="http:\/\/www.urlvoid.com\/images\/valid.ico" alt="Clean" title="Clean" \/> NOT FOUND/<center><img src="..\/images\/icons\/green.png" height="25" width="25"><\/center>/g; s/<img src="http:\/\/www.urlvoid.com\/images\/alert.ico" alt="Alert" title="Detected!" \/> <font color="red">DETECTED<\/font>/<center><img src="..\/images\/icons\/red.png" height="25" width="25"><\/center>/g; s/rel="nofollow" //g; s/ title="View more details" target="_blank"//g; s/<img src="http:\/\/www.urlvoid.com\/images\/link.ico" alt="Link" \/>//g; s/ class="tasks"//g; s/<th>Info<\/th>//g' tmp2 | grep -v 'Blacklist Report' > tmp3
     # Remove leading whitespace from each line
     sed 's/^[ \t]*//' tmp3 > /$user/$domain/data/black-listed.htm

     awk '{print $3}' records > tmp
     awk '{print $2}' subdomains >> tmp
     grep -E '([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})' tmp | sort -n -u -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 > hosts
     cat hosts >> /$user/$domain/data/hosts.htm; echo "</pre>" >> /$user/$domain/data/hosts.htm

     ##############################################################

     echo "Passive Recon" > zreport
     echo $domain >> zreport
     date +%A" - "%B" "%d", "%Y >> zreport
     echo >> zreport
     echo >> zreport

     echo "Summary" >> zreport
     echo $line >> zreport

     echo > tmp

     if [ -f emails ]; then
emailcount=$(wc -l emails | cut -d ' ' -f1)
          echo "Emails $emailcount" >> zreport
          echo "Emails ($emailcount)" >> tmp
          echo $line >> tmp
          cat emails >> tmp
          echo >> tmp
     fi

if [ -f names ]; then
namecount=$(wc -l names | cut -d ' ' -f1)
          echo "Names $namecount" >> zreport
          echo "Names ($namecount)" >> tmp
          echo $line >> tmp
          cat names >> tmp
          echo >> tmp
     fi

if [ -f hosts ]; then
hostcount=$(wc -l hosts | cut -d ' ' -f1)
          echo "Hosts $hostcount" >> zreport
          echo "Hosts ($hostcount)" >> tmp
          echo $line >> tmp
          cat hosts >> tmp
          echo >> tmp
     fi

if [ -f records ]; then
recordscount=$(wc -l records | cut -d ' ' -f1)
          echo "DNS Records $recordscount" >> zreport
          echo "DNS Records ($recordscount)" >> tmp
          echo $line >> tmp
          cat records >> tmp
          echo >> tmp
     fi

if [ -f squatting ]; then
urlcount2=$(wc -l squatting | cut -d ' ' -f1)
          echo "Squatting $urlcount2" >> zreport
          echo "Squatting ($urlcount2)" >> tmp
          echo $line >> tmp
          cat squatting >> tmp
          echo >> tmp
     fi

if [ -f subdomains ]; then
urlcount=$(wc -l subdomains | cut -d ' ' -f1)
          echo "Subdomains $urlcount" >> zreport
          echo "Subdomains ($urlcount)" >> tmp
          echo $line >> tmp
          cat subdomains >> tmp
          echo >> tmp
     fi

if [ -f xls ]; then
xlscount=$(wc -l xls | cut -d ' ' -f1)
          echo "Excel $xlscount" >> zreport
          echo "Excel Files ($xlscount)" >> tmp
          echo $line >> tmp
          cat xls >> tmp
          echo >> tmp
          cat xls >> /$user/$domain/data/xls.htm; echo "</pre>" >> /$user/$domain/data/xls.htm
     fi

if [ -f pdf ]; then
pdfcount=$(wc -l pdf | cut -d ' ' -f1)
          echo "PDF $pdfcount" >> zreport
          echo "PDF Files ($pdfcount)" >> tmp
          echo $line >> tmp
          cat pdf >> tmp
          echo >> tmp
          cat pdf >> /$user/$domain/data/pdf.htm; echo "</pre>" >> /$user/$domain/data/pdf.htm
     fi

if [ -f ppt ]; then
pptcount=$(wc -l ppt | cut -d ' ' -f1)
          echo "PowerPoint $pptcount" >> zreport
          echo "PowerPoint Files ($pptcount)" >> tmp
          echo $line >> tmp
          cat ppt >> tmp
          echo >> tmp
          cat ppt >> /$user/$domain/data/ppt.htm; echo "</pre>" >> /$user/$domain/data/ppt.htm
     fi

if [ -f txt ]; then
txtcount=$(wc -l txt | cut -d ' ' -f1)
          echo "Text $txtcount" >> zreport
          echo "Text Files ($txtcount)" >> tmp
          echo $line >> tmp
          cat txt >> tmp
          echo >> tmp
          cat txt >> /$user/$domain/data/txt.htm; echo "</pre>" >> /$user/$domain/data/txt.htm
     fi

if [ -f doc ]; then
doccount=$(wc -l doc | cut -d ' ' -f1)
          echo "Word $doccount" >> zreport
          echo "Word Files ($doccount)" >> tmp
          echo $line >> tmp
          cat doc >> tmp
          echo >> tmp
          cat doc >> /$user/$domain/data/doc.htm; echo "</pre>" >> /$user/$domain/data/doc.htm
     fi

cat tmp >> zreport
     echo "Whois Domain" >> zreport
     echo $line >> zreport
     cat whois-domain >> zreport

     echo >> zreport
     echo "Whois IP" >> zreport
     echo $line >> zreport
     cat whois-ip >> zreport

     cat emails >> /$user/$domain/data/emails.htm; echo "</pre>" >> /$user/$domain/data/emails.htm
     cat names >> /$user/$domain/data/names.htm; echo "</pre>" >> /$user/$domain/data/names.htm
     cat records >> /$user/$domain/data/records.htm; echo "</pre>" >> /$user/$domain/data/records.htm
     cat squatting >> /$user/$domain/data/squatting.htm; echo "</pre>" >> /$user/$domain/data/squatting.htm
     cat subdomains >> /$user/$domain/data/subdomains.htm; echo "</pre>" >> /$user/$domain/data/subdomains.htm
     cat whois-domain >> /$user/$domain/data/whois-domain.htm; echo "</pre>" >> /$user/$domain/data/whois-domain.htm
     cat whois-ip >> /$user/$domain/data/whois-ip.htm; echo "</pre>" >> /$user/$domain/data/whois-ip.htm
     cat zreport >> /$user/$domain/data/passive-recon.htm; echo "</pre>" >> /$user/$domain/data/passive-recon.htm

     rm emails hosts names records robtex* squatting subdomains* tmp* whois* z* doc pdf ppt txt xls 2>/dev/null

     echo
echo $line
     echo
echo "***Scan complete.***"
     echo
echo
printf 'The supporting data folder is located at \e[1;33m%s\e[0m\n' /$user/$domain/
     echo
read -p "Press <return> to continue."

     ##############################################################

     f_runlocally

     firefox &
     sleep 2
     firefox -new-tab images.google.com &
     sleep 1
     firefox -new-tab arin.net &
     sleep 1
     firefox -new-tab toolbar.netcraft.com/site_report?url=http://www.$domain &
     sleep 1
     firefox -new-tab uptime.netcraft.com/up/graph?site=www.$domain &
     sleep 1
     firefox -new-tab shodanhq.com/search?q=$domain &
     sleep 1
     firefox -new-tab jigsaw.com/ &
     sleep 1
     firefox -new-tab pastebin.com/ &
     sleep 1
     firefox -new-tab google.com/#q=filetype%3Axls+OR+filetype%3Axlsx+site%3A$domain &
     sleep 1
     firefox -new-tab google.com/#q=filetype%3Appt+OR+filetype%3Apptx+site%3A$domain &
     sleep 1
     firefox -new-tab google.com/#q=filetype%3Adoc+OR+filetype%3Adocx+site%3A$domain &
     sleep 1
     firefox -new-tab google.com/#q=filetype%3Apdf+site%3A$domain &
     sleep 1
     firefox -new-tab google.com/#q=filetype%3Atxt+site%3A$domain &
     sleep 1
     firefox -new-tab http://www.urlvoid.com/scan/$domain &
     sleep 1
     firefox -new-tab sec.gov/edgar/searchedgar/companysearch.html &
     sleep 1
     firefox -new-tab google.com/finance/ &
     sleep 1
     firefox -new-tab reuters.com/finance/stocks
     echo
echo
exit
     ;;

     2)
     echo
echo $line
     echo
echo "Usage: target.com"
     echo
echo -n "Domain: "
     read domain

     # Check for no answer
     if [ -z $domain ]; then
f_error
     fi

     # If folder doesn't exist, create it
     if [ ! -d /$user/$domain ]; then
cp -R /opt/scripts/report/ /$user/$domain
          sed 's/REPLACEDOMAIN/'$domain'/' /$user/$domain/index.htm > tmp
          mv tmp /$user/$domain/index.htm
     fi

     # Number of tests
     total=10

     echo
echo $line
     echo

echo "Nmap"
     echo " Email (1/$total)"
     nmap -Pn -n --open -p80 --script=http-email-harvest --script-args=http-email-harvest.maxpagecount=100,http-email-harvest.maxdepth=10 $domain > tmp
     grep @$domain tmp | grep -v '%20' | grep -v 'jpg' | awk '{print $2}' > tmp2
     # Change to lower case
     cat tmp2 | tr '[A-Z]' '[a-z]' | sort -u > zemail

     # Check if file is empty
     if [ ! -s zemail ]; then
rm zemail
     fi

echo
echo "dnsrecon"
     echo " DNS Records (2/$total)"
     /pentest/enumeration/dns/dnsrecon/dnsrecon.py -d $domain -t std > tmp
     egrep -v '(Bind Version for|Could not|Enumerating SRV|not configured|Performing|Records Found|Recursion|Resolving|TXT)' tmp > tmp2
     # Remove first 6 characters from each line
     sed 's/^......//' tmp2 | awk '{print $2,$1,$3,$4,$5,$6,$7,$8,$9,$10}' | column -t | sort -u -k2 -k1 > tmp3
     grep 'TXT' tmp | sed 's/^......//' | awk '{print $2,$1,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15}' >> tmp3
     egrep -v '(SEC3|SKEYs|SSEC)' tmp3 > zdnsrecon
     cat /$user/$domain/data/records.htm zdnsrecon | grep -v '<' | column -t | sort -u -k2 -k1 > tmp3

     echo '<pre style="font-size:14px;">' > /$user/$domain/data/records.htm
     cat tmp3 >> /$user/$domain/data/records.htm; echo "</pre>" >> /$user/$domain/data/records.htm

     echo " Zone Transfer (3/$total)"
     /pentest/enumeration/dns/dnsrecon/dnsrecon.py -d $domain -t axfr > tmp
     egrep -v '(Checking for|Failed|filtered|NS Servers|Removing|TCP Open|Testing NS)' tmp | sed 's/^....//' | sed /^$/d > zonetransfer

     echo " Sub-domains (~5 min) (4/$total)"
     /pentest/enumeration/dns/dnsrecon/dnsrecon.py -d $domain -t brt -D /pentest/enumeration/dns/dnsrecon/namelist.txt --iw -f > tmp
     grep $domain tmp | grep -v "$domain\." | egrep -v '(Performing|Records Found)' | sed 's/\[\*\] //g' | sed 's/^[ \t]*//' | awk '{print $2,$3}' | column -t | sort -u > zdnsrecon-sub

     echo
echo "Fierce (~5 min) (5/$total)"
     /pentest/enumeration/dns/fierce/fierce.pl -dns $domain -wordlist /pentest/enumeration/dns/fierce/hosts.txt -suppress -file tmp4

     sed -n '/Now performing/,/Subnets found/p' tmp4 | grep $domain | awk '{print $2 " " $1}' | column -t | sort -u > zsubdomains-fierce

     cat zdnsrecon-sub zsubdomains-fierce | grep -v '.nat.' | column -t | sort -u > zsubdomains

     if [ -f /$user/$domain/data/subdomains.htm ]; then
cat /$user/$domain/data/subdomains.htm zsubdomains | grep -v "<" | grep -v "$domain\." | column -t | sort -u > zsubdomains-combined
          echo '<pre style="font-size:14px;">' > /$user/$domain/data/subdomains.htm
          cat zsubdomains-combined >> /$user/$domain/data/subdomains.htm; echo "</pre>" >> /$user/$domain/data/subdomains.htm
     fi

grep -v '<' /$user/$domain/data/records.htm | awk '{print $3}' | grep -v '[A-Za-z]' | grep -E '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' -o | sort -u > tmp
     awk '{print $2}' /$user/$domain/data/subdomains.htm | grep -v '[A-Za-z]' | sort -u > tmp2
     grep -v ':' zonetransfer | grep -E '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' -o | sort -u > tmp3
     cat tmp tmp2 tmp3 | sort -n -u -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | sed '/^$/d' > zhosts

     echo
echo "Loadbalancing (6/$total)"
     /pentest/enumeration/web/lbd/lbd.sh $domain > tmp 2>/dev/null
     egrep -v '(Checks if a given|Written by|Proof-of-concept)' tmp > tmp2
     # Remove leading whitespace from file
     awk '!d && NF {sub(/^[[:blank:]]*/,""); d=1} d' tmp2 > tmp3
     # Remove leading whitespace from each line
     sed 's/^[ \t]*//' tmp3 > tmp4
     # Remove blank lines from end of file
     awk '/^[[:space:]]*$/{p++;next} {for(i=0;i<p;i++){printf "\n"}; p=0; print}' tmp4 > tmp5
     # Clean up
     cat -s tmp5 > zloadbalancing

     echo
echo "Traceroute"
     echo " UDP (7/$total)"
     echo "UDP" > tmp
     traceroute $domain | awk -F" " '{print $1,$2,$3}' >> tmp
     echo >> tmp
     echo "ICMP ECHO" >> tmp
     echo " ICMP ECHO (8/$total)"
     traceroute -I $domain | awk -F" " '{print $1,$2,$3}' >> tmp
     echo >> tmp
     echo "TCP SYN" >> tmp
     echo " TCP SYN (9/$total)"
     traceroute -T $domain | awk -F" " '{print $1,$2,$3}' >> tmp
     grep -v 'traceroute' tmp > tmp2
     # Remove blank lines from end of file
     awk '/^[[:space:]]*$/{p++;next} {for(i=0;i<p;i++){printf "\n"}; p=0; print}' tmp2 > ztraceroute

     echo
echo "Whatweb (10/$total)"
     grep -v '<' /$user/$domain/data/subdomains.htm | awk '{print $1}' > tmp
     /pentest/enumeration/web/whatweb/whatweb -i tmp --color=never --no-errors -t 255 > tmp2
     # Find lines that start with http, and insert a line after
     sort tmp2 | sed '/^http/a\ ' > tmp3
     # Cleanup
     sed 's/,/\n/g' tmp3 | sed 's/^[ \t]*//' | sed 's/\(\[[0-9][0-9][0-9]\]\)/\n\1/g' | sed 's/http:\/\///g' | grep -v 'Country' > zwhatweb

     ##############################################################

     echo "Active Recon" > zreport
     echo $domain >> zreport
     date +%A" - "%B" "%d", "%Y >> zreport
     echo >> zreport

     if [ -f zemail ]; then
echo "Emails" >> zreport
          echo "==============================" >> zreport
          cat zemail >> zreport
     fi

echo "Hosts" >> zreport
     echo "==============================" >> zreport
     cat zhosts >> zreport

     echo >> zreport
     echo "DNS Records" >> zreport
     echo "==============================" >> zreport
     cat zdnsrecon >> zreport

     echo >> zreport
     echo "Loadbalancing" >> zreport
     echo "==============================" >> zreport
     cat zloadbalancing >> zreport

     echo >> zreport
     echo "Sub Domains" >> zreport
     echo "==============================" >> zreport
     cat zsubdomains >> zreport

     echo >> zreport
     echo "Traceroute" >> zreport
     echo "==============================" >> zreport
     cat ztraceroute >> zreport

     echo >> zreport
     echo "Zone Transfer" >> zreport
     echo "==============================" >> zreport
     cat zonetransfer >> zreport

     echo >> zreport
     echo "Whatweb" >> zreport
     echo "==============================" >> zreport
     cat zwhatweb >> zreport

     cat zloadbalancing >> /$user/$domain/data/loadbalancing.htm; echo "</pre>" >> /$user/$domain/data/loadbalancing.htm
     cat zreport >> /$user/$domain/data/active-recon.htm; echo "</pre>" >> /$user/$domain/data/active-recon.htm
     cat ztraceroute >> /$user/$domain/data/traceroute.htm; echo "</pre>" >> /$user/$domain/data/traceroute.htm
     cat zwhatweb >> /$user/$domain/data/whatweb.htm; echo "</pre>" >> /$user/$domain/data/whatweb.htm
     cat zonetransfer >> /$user/$domain/data/zonetransfer.htm; echo "</pre>" >> /$user/$domain/data/zonetransfer.htm

     if [[ -f /$user/$domain/data/emails.htm && -f zemail ]]; then
cat /$user/$domain/data/emails.htm zemail | grep -v '<' | sort -u > tmp
          echo '<pre style="font-size:14px;">' > /$user/$domain/data/emails.htm
          cat tmp >> /$user/$domain/data/emails.htm; echo "</pre>" >> /$user/$domain/data/emails.htm
     fi

echo '<pre style="font-size:14px;">' > /$user/$domain/data/hosts.htm
     cat zhosts >> /$user/$domain/data/hosts.htm; echo "</pre>" >> /$user/$domain/data/hosts.htm

     rm tmp* z*

     echo
echo $line
     echo
echo "***Scan complete.***"
     echo
echo
printf 'The supporting data folder is located at \e[1;33m%s\e[0m\n' /$user/$domain/
     echo
echo

firefox /$user/$domain/index.htm &
     exit
     ;;

     3) f_main;;
     *) f_error;;
esac
}

##############################################################################################################

f_typeofscan(){
echo -e "\e[1;34mType of scan: \e[0m"
echo
echo "1. External"
echo "2. Internal"
echo "3. Previous menu"
echo
echo -n "Choice: "
read choice

case $choice in
     1)
     echo
echo -e "\e[1;33m[*] Setting source port to 53.\e[0m"
     sourceport=53
     echo
echo $line
     echo
     ;;

     2)
     echo
echo -e "\e[1;33m[*] Setting source port to 88.\e[0m"
     sourceport=88
     echo
echo $line
     echo
     ;;

     3) f_main;;
     *) f_error;;
esac
}

##############################################################################################################

f_pingsweep(){
clear
f_banner
f_typeofscan

echo -e "\e[1;34mType of input:\e[0m"
echo
echo "1. List containing IPs, ranges and/or CIDRs."
echo "2. Manual"
echo
echo -n "Choice: "
read choice

case $choice in
     1)
     f_location

     echo
echo "Running an Nmap ping sweep for live hosts."
     nmap -iL $location -sn -T4 --stats-every 10s -g $sourceport > tmp
     ;;

     2)
     echo
echo -n "Enter your targets: "
     read manual

     # Check for no answer
     if [ -z $manual ]; then
f_error
     fi

echo
echo "Running an Nmap ping sweep for live hosts."
     nmap -sn -T4 --stats-every 10s -g $sourceport $manual > tmp
     ;;

     *) f_error;;
esac

##############################################################

perl <<'EOF'
# Author: Ben Wood
# Description: Reads an nmap ping sweep and correctly identifies lives hosts

use strict;

undef $/; # Enable slurping

open(my $handle, '<', "tmp");
open(my $output, '>', "tmp2");
while(<$handle>)
{
# Read report lines
while (/((?:[\x00-\xFF]*?(?=Nmap\s+scan\s+report)|[\x00-\xFF]*))/mixg) {
my $report = $1;

# Print IP if host is REALLY up
if (($report =~ /MAC\s+Address/mix)
or ($report =~ /Nmap\s+scan\s+report\s+for\s+\S+?\s+\(\S+\)/mix)) {
my ($ip) = $report =~ /(\d+\.\d+\.\d+\.\d+)/mix;
print $output "$ip\n";
}
}
}
EOF

##############################################################

rm tmp
mv tmp2 /$user/hosts.txt

echo
echo $line
echo
echo "***Scan complete.***"
echo
printf 'The new report is located at \e[1;33m%s\e[0m\n' /$user/hosts.txt
echo
echo
exit
}

##############################################################################################################

f_scanname(){
f_typeofscan

echo -n "Name of scan: "
read name

# Check for no answer
if [ -z $name ]; then
f_error
fi

mkdir -p $name
}

##############################################################################################################

f_single(){
clear
f_banner
f_scanname

echo
echo -n "Single IP, URL or Range: "
read target

# Check for no answer
if [ -z $target ]; then
rm -rf $name
     f_error
fi

echo $target > tmp-list
location=tmp-list

START=$(date +%r\ %Z)

f_discovery
f_numhosts
f_scan
f_ports
f_scripts
f_metasploit
f_report
}

##############################################################################################################

f_lan(){
clear
f_banner
f_scanname

START=$(date +%r\ %Z)

arp-scan -localnet -interface $interface | egrep -v '(Ending|Interface|packets|Starting)' | awk '{print $1}' | sort -n -u -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 > tmp

# Remove blank lines
sed '/^$/d' tmp > $name/hosts.txt

# Check for zero hosts (empty file)
if [ ! -s $name/hosts.txt ]; then
rm -rf "$name" tmp*
     echo
echo $line
     echo
echo "***Scan complete.***"
     echo
echo -e "\e[1;33mNo hosts found with open ports.\e[0m"
     echo
echo
exit
fi

# Number of hosts
number=$(wc -l $name/hosts.txt | cut -d ' ' -f1)

if [ $number -eq 1 ]; then
echo
echo $line
     echo
echo -e "\e[1;33mHost discovered.\e[0m"
else
echo
echo $line
     echo
echo -e "\e[1;33m$number hosts discovered with open ports.\e[0m"
fi

f_scan
f_ports
f_scripts
f_metasploit
f_report
}

##############################################################################################################

f_lists(){
clear
f_banner
f_scanname

f_location

START=$(date +%r\ %Z)

f_discovery
f_numhosts
f_scan
f_ports
f_scripts
f_metasploit
f_report
}

##############################################################################################################

f_cidr(){
clear
f_banner
f_scanname

echo
echo Usage: 192.168.0.0/16
echo
echo -n "Enter CIDR notation: "
read cidr

# Check for no answer
if [ -z $cidr ]; then
rm -rf $name
     f_error
fi

# Check for wrong answer

sub=$(echo $cidr|cut -d '/' -f2)
max=32

if [ "$sub" -gt "$max" ]; then
f_error
fi

echo $cidr | grep '/' > /dev/null 2>&1

if [ $? -ne 0 ]; then
f_error
fi

echo $cidr | grep [[:alpha:]\|[,\\]] > /dev/null 2>&1

if [ $? -eq 0 ]; then
f_error
fi

echo $cidr > tmp-list
location=tmp-list

echo
echo -n "Do you have an exclusion list? (y/N) "
read ExFile

if [ -z $ExFile ]; then
ExFile="n"
fi

ExFile="$(echo ${ExFile} | tr 'A-Z' 'a-z')"

if [ $ExFile == "y" ]; then
echo -n "Enter the path to the exclude list file: "
     read excludefile

     START=$(date +%r\ %Z)

     if [ -z $excludefile ]; then
f_error
     fi

if [ ! -f $excludefile ]; then
f_error
     fi

f_discoveryexclude
else
f_discovery
fi

f_numhosts
f_scan
f_ports
f_scripts
f_metasploit
f_report
}

##############################################################################################################

f_discovery(){
echo
echo $line
echo
echo -e "\e[1;34mHost discovery.\e[0m"

nmap -iL $location -PP -PE -PM -PI -PA20,53,80,113,443,5060,10043 -PS1,7,9,13,21-23,25,37,42,49,53,69,79-81,105,109-111,113,123,135,137-139,143,161,179,222,264,384,389,407,443,445,465,500,502,512-515,523,540,548,554,617,623,689,705,783,902,910,912,921,993,995,1000,1024,1030,1035,1090,1098-1103,1129,1158,1199,1220,1234,1300,1311,1352,1433-1435,1440,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1900,2000-2001,2049,2100,2103,2121,2199,2207,2222,2323,2380,2525,2533,2598,2638,2809,2947,2967,3000,3050,3057,3128,3273,3306,3389,3500,3628,3632,3690,3780,3790,4000,4444-4445,4659,4848,5038,5051,5060-5061,5093,5168,5250,5351,5353,5355,5400,5405,5432-5433,5520-5521,5554-5555,5560,5580,5631-5632,5800,5900-5910,5920,6000,6050,6060,6070,6080,6101,6106,6112,6379,6405,6502-6504,6660,6667,6905,7080,7144,7210,7510,7579-7580,7700,7777,7787,7800-7801,8000,8008,8014,8028,8030,8080-8081,8087,8090,8180,8205,8222,8300,8303,8333,8400,8443-8444,8503,8800,8812,8880,8888-8890,8899,8901-8903,9000,9080-9081,9084,9090,9099,9111,9160,9152,9495,9809-9815,9999-10001,10008,10050,10098,10162,10202-10203,10443,10616,10628,11000,11099,11234,11333,12174,12203,12397,12401,13364,13500,13838,14330,15200,16102,17185,17200,18881,19300,19810,20031,20034,20101,20222,22222,23472,23791,23943,25000,25025,26000,26122,27000,27017,27888,28222,28784,30000,31099,32913,34443,35871,37718,38080,38292,41025,41523-41524,44334,44818,45230,46823-46824,47001-47002,48899,50000-50004,50013,50500-50504,57772,62078,62514,65535 -PU59428 -p1,7,9,13,21-23,25,37,42,49,53,69,79-81,105,109-111,113,123,135,137-139,143,161,179,222,264,384,389,407,443,445,465,500,502,512-515,523,540,548,554,617,623,689,705,783,902,910,912,921,993,995,1000,1024,1030,1035,1090,1098-1103,1129,1158,1199,1220,1234,1300,1311,1352,1433-1435,1440,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1900,2000-2001,2049,2100,2103,2121,2199,2207,2222,2323,2380,2525,2533,2598,2638,2809,2947,2967,3000,3050,3057,3128,3273,3306,3389,3500,3628,3632,3690,3780,3790,4000,4444-4445,4659,4848,5038,5051,5060-5061,5093,5168,5250,5351,5353,5355,5400,5405,5432-5433,5520-5521,5554-5555,5560,5580,5631-5632,5800,5900-5910,5920,6000,6050,6060,6070,6080,6101,6106,6112,6379,6405,6502-6504,6660,6667,6905,7080,7144,7210,7510,7579-7580,7700,7777,7787,7800-7801,8000,8008,8014,8028,8030,8080-8081,8087,8090,8180,8205,8222,8300,8303,8333,8400,8443-8444,8503,8800,8812,8880,8888-8890,8899,8901-8903,9000,9080-9081,9084,9090,9099,9111,9160,9152,9495,9809-9815,9999-10001,10008,10050,10098,10162,10202-10203,10443,10616,10628,11000,11099,11234,11333,12174,12203,12397,12401,13364,13500,13838,14330,15200,16102,17185,17200,18881,19300,19810,20031,20034,20101,20222,22222,23472,23791,23943,25000,25025,26000,26122,27000,27017,27888,28222,28784,30000,31099,32913,34443,35871,37718,38080,38292,41025,41523-41524,44334,44818,45230,46823-46824,47001-47002,48899,50000-50004,50013,50500-50504,57772,62078,62514,65535 --host-timeout=10m --max-rtt-timeout=600ms --initial-rtt-timeout=300ms --min-rtt-timeout=300ms --max-retries=2 --min-rate=200 --stats-every 10s -g $sourceport -oN tmp
}

##############################################################################################################

f_discoveryexclude(){
echo
echo $line
echo
echo -e "\e[1;34mHost discovery.\e[0m"

nmap -iL $location --excludefile $excludefile -PP -PE -PM -PI -PA20,53,80,113,443,5060,10043 -PS1,7,9,13,21-23,25,37,42,49,53,69,79-81,105,109-111,113,123,135,137-139,143,161,179,222,264,384,389,407,443,445,465,500,502,512-515,523,540,548,554,617,623,689,705,783,902,910,912,921,993,995,1000,1024,1030,1035,1090,1098-1103,1129,1158,1199,1220,1234,1300,1311,1352,1433-1435,1440,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1900,2000-2001,2049,2100,2103,2121,2199,2207,2222,2323,2380,2525,2533,2598,2638,2809,2947,2967,3000,3050,3057,3128,3273,3306,3389,3500,3628,3632,3690,3780,3790,4000,4444-4445,4659,4848,5038,5051,5060-5061,5093,5168,5250,5351,5353,5355,5400,5405,5432-5433,5520-5521,5554-5555,5560,5580,5631-5632,5800,5900-5910,5920,6000,6050,6060,6070,6080,6101,6106,6112,6379,6405,6502-6504,6660,6667,6905,7080,7144,7210,7510,7579-7580,7700,7777,7787,7800-7801,8000,8008,8014,8028,8030,8080-8081,8087,8090,8180,8205,8222,8300,8303,8333,8400,8443-8444,8503,8800,8812,8880,8888-8890,8899,8901-8903,9000,9080-9081,9084,9090,9099,9111,9160,9152,9495,9809-9815,9999-10001,10008,10050,10098,10162,10202-10203,10443,10616,10628,11000,11099,11234,11333,12174,12203,12397,12401,13364,13500,13838,14330,15200,16102,17185,17200,18881,19300,19810,20031,20034,20101,20222,22222,23472,23791,23943,25000,25025,26000,26122,27000,27017,27888,28222,28784,30000,31099,32913,34443,35871,37718,38080,38292,41025,41523-41524,44334,44818,45230,46823-46824,47001-47002,48899,50000-50004,50013,50500-50504,57772,62078,62514,65535 -PU59428 -p1,7,9,13,21-23,25,37,42,49,53,69,79-81,105,109-111,113,123,135,137-139,143,161,179,222,264,384,389,407,443,445,465,500,502,512-515,523,540,548,554,617,623,689,705,783,902,910,912,921,993,995,1000,1024,1030,1035,1090,1098-1103,1129,1158,1199,1220,1234,1300,1311,1352,1433-1435,1440,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1900,2000-2001,2049,2100,2103,2121,2199,2207,2222,2323,2380,2525,2533,2598,2638,2809,2947,2967,3000,3050,3057,3128,3273,3306,3389,3500,3628,3632,3690,3780,3790,4000,4444-4445,4659,4848,5038,5051,5060-5061,5093,5168,5250,5351,5353,5355,5400,5405,5432-5433,5520-5521,5554-5555,5560,5580,5631-5632,5800,5900-5910,5920,6000,6050,6060,6070,6080,6101,6106,6112,6379,6405,6502-6504,6660,6667,6905,7080,7144,7210,7510,7579-7580,7700,7777,7787,7800-7801,8000,8008,8014,8028,8030,8080-8081,8087,8090,8180,8205,8222,8300,8303,8333,8400,8443-8444,8503,8800,8812,8880,8888-8890,8899,8901-8903,9000,9080-9081,9084,9090,9099,9111,9160,9152,9495,9809-9815,9999-10001,10008,10050,10098,10162,10202-10203,10443,10616,10628,11000,11099,11234,11333,12174,12203,12397,12401,13364,13500,13838,14330,15200,16102,17185,17200,18881,19300,19810,20031,20034,20101,20222,22222,23472,23791,23943,25000,25025,26000,26122,27000,27017,27888,28222,28784,30000,31099,32913,34443,35871,37718,38080,38292,41025,41523-41524,44334,44818,45230,46823-46824,47001-47002,48899,50000-50004,50013,50500-50504,57772,62078,62514,65535 --host-timeout=10m --max-rtt-timeout=600ms --initial-rtt-timeout=300ms --min-rtt-timeout=300ms --max-retries=2 --min-rate=200 --stats-every 10s -g $sourceport -oN tmp
}

##############################################################################################################

f_numhosts(){
egrep -v '(close|filtered|initiated|latency|rDNS|seconds|STATE|Warning)' tmp | grep 'open' -B1 | grep 'Nmap' | cut -d '(' -f2 | cut -d ')' -f1 > tmp2
sed 's/Nmap scan report for //' tmp2 > tmp3

# Remove blank lines
sed '/^$/d' tmp3 > $name/hosts.txt

# Check for zero hosts (empty file)
if [ ! -s $name/hosts.txt ] ; then
rm -rf "$name" tmp*
     echo
echo $line
     echo
echo "***Scan complete.***"
     echo
echo -e "\e[1;33mNo hosts found with open ports.\e[0m"
     echo
echo
exit
fi

# Number of hosts
number=$(wc -l $name/hosts.txt | cut -d ' ' -f1)

if [ $number -eq 1 ]; then
echo
echo $line
     echo
echo -e "\e[1;33mHost discovered.\e[0m"
else
echo
echo $line
     echo
echo -e "\e[1;33m$number hosts discovered with open ports.\e[0m"
fi
}

##############################################################################################################

f_scan(){
echo
echo $line
echo
echo -e "\e[1;34mRunning default nmap scan.\e[0m"

nmap -iL $name/hosts.txt -Pn -n -sSV -sUV -p U:53,67-69,111,123,135,137-139,161,162,445,500,514,520,523,631,998,1434,1701,1900,4500,5353,6481,17185,31337,49152,49154,T:13,21-23,25,37,42,49,53,67,69,79-81,88,105,109-111,113,123,135,137-139,143,161,179,222,384,389,407,443,445,465,500,512-515,523,524,540,548,554,617,623,631,689,705,783,873,910,912,921,993,995,1000,1024,1050,1080,1099,1100,1158,1220,1300,1311,1344,1352,1433-1435,1494,1521,1524,1533,1581-1582,1604,1720,1723,1755,1900,2000,2049,2100,2103,2121,2202,2207,2222,2323,2380,2525,2533,2598,2628,2638,2947,2967,3000,3031,3050,3057,3128,3260,3306,3389,3500,3628,3632,3690,3780,3790,4000,4369,4445,5019,5051,5060-5061,5093,5168,5250,5353,5400,5405,5432-5433,5554-5555,5666,5672,5800,5850,5900-5910,5984,6000-6005,6050,6060,6070,6080,6101,6106,6112,6379,6405,6502-6504,6660,6666-6667,6697,7080,7144,7210,7510,7634,7777,7787,8000,8008-8009,8028,8030,8080-8081,8090,8091,8180,8222,8300,8332-8333,8400,8443-8444,8787,8800,8880,8888,8899,9080-9081,9090,9100,9111,9152,9160,9999-10000,10050,10202-10203,10443,10616,10628,11000,11211,12174,12203,12345,13500,14330,17185,18881,19150,19300,19810,20031,20222,22222,25000,25025,26000,26122,27017,28222,30000,35871,38292,39292,41025,41523-41524,41364,43729,44334,44813,48992,49663,50000-50004,50013,50030,50060,50070,50075,50090,55852,57772,59034,60010,60030,62078,62514,65535 --open -O --osscan-guess --max-os-tries 1 --version-intensity 0 --host-timeout 5m --min-hostgroup 100 --max-rtt-timeout 600ms --initial-rtt-timeout=300ms --min-rtt-timeout 300ms --max-retries 3 --min-rate 150 --stats-every 10s -g $sourceport -oA $name/nmap

# Clean up nmap output
egrep -v '(1 hop|All|CPE|elapsed|filtered|fingerprint|guesses|GUESSING|hops|initiated|latency|matches|NEXT|Not|NSE|OS:|Please|remaining|RTTVAR|scanned|SF|Skipping|specialized|Starting|Timing|unrecognized|Warning|WARNING)' $name/nmap.nmap > tmp
sed 's/Nmap scan report for //' tmp > tmp2
sed '/^$/! b end; n; /^$/d; : end' tmp2 > $name/nmap.txt

rm $name/nmap.nmap

# Show open ports
grep 'open' $name/nmap.txt | awk '{print $1}' | sort -u | sort -n > $name/ports.txt
grep 'tcp' $name/ports.txt | cut -d '/' -f1 > $name/ports-tcp.txt
grep 'udp' $name/ports.txt | cut -d '/' -f1 > $name/ports-udp.txt

# Clean up and show banners
grep 'open' $name/nmap.txt | awk '{for (i=4;i<=NF;i++) {printf "%s%s",sep, $i;sep=" "}; printf "\n"}' | sort -u > tmp
sed 's/^ //' tmp | sort -u > tmp2

# Remove blank lines
sed '/^$/d' tmp2 > $name/banners.txt

# Remove all empty files
find $name/ -type f -empty -exec rm {} +
}

##############################################################################################################

f_ports(){
echo
echo $line
echo
echo -e "\e[1;34mLocating high-value ports.\e[0m"
echo " TCP"
TCP_PORTS="13 21 22 23 25 70 79 80 110 111 139 143 389 443 445 465 523 524 548 554 631 873 993 995 1050 1080 1099 1158 1344 1352 1433 1521 1720 1723 2202 2628 2947 3031 3260 3306 3389 3632 4369 5019 5432 5666 5672 5850 5900 5984 6000 6001 6002 6003 6004 6005 6379 6666 7210 7634 7777 8000 8009 8080 8081 8091 8222 8332 8333 8400 8443 9100 9160 9999 10000 11211 12345 19150 27017 35871 50000 50030 50060 50070 50075 50090 60010 60030"

for i in $TCP_PORTS; do
cat $name/nmap.gnmap | grep "\<$i/open/tcp\>" | cut -d ' ' -f2 > $name/$i.txt
done

if [ -f $name/523.txt ]; then
mv $name/523.txt $name/523-tcp.txt
fi

echo " UDP"
UDP_PORTS="53 67 69 123 137 161 500 523 1434 1604 3478 5353 6481 17185 31337"

for i in $UDP_PORTS; do
cat $name/nmap.gnmap | grep "\<$i/open/udp\>" | cut -d ' ' -f2 > $name/$i.txt
done

if [ -f $name/523.txt ]; then
mv $name/523.txt $name/523-udp.txt
fi

# Combine Apache HBase ports and sort
cat $name/60010.txt $name/60030.txt > tmp
sort -u -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 tmp > $name/apache-hbase.txt

# Combine Bitcoin ports and sort
cat $name/8332.txt $name/8333.txt > tmp
sort -u -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 tmp > $name/bitcoin.txt

# Combine DB2 ports and sort
cat $name/523-tcp.txt $name/523-udp.txt > tmp
sort -u -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 tmp > $name/db2.txt

# Combine Hadoop ports and sort
cat $name/50030.txt $name/50060.txt $name/50070.txt $name/50075.txt $name/50090.txt > tmp
sort -u -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 tmp > $name/hadoop.txt

# Combine SSL ports
echo > tmp

port="21 25 443 465 993 995 8443"

for i in $port; do
if [ -f $name/$i.txt ]; then
sed -e 's/$/:'$i'/' $name/$i.txt >> tmp
     fi
done

# Remove blank lines
sed '/^$/d' tmp > $name/ssl.txt

# Combine web ports and sort
cat $name/80.txt $name/443.txt $name/8000.txt $name/8080.txt $name/8443.txt > tmp
sort -u -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 tmp > $name/web.txt

# Combine X11 ports and sort
cat $name/6000.txt $name/6001.txt $name/6002.txt $name/6003.txt $name/6004.txt $name/6005.txt > tmp
sort -u -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 tmp > $name/x11.txt

# Remove all empty files
find $name/ -type f -empty -exec rm {} +
}

##############################################################################################################

f_cleanup(){
sed 's/Nmap scan report for //' tmp > tmp2

# Remove lines that start with |, and have various numbers of trailing spaces.
sed -i '/^| *$/d' tmp2

egrep -v '(0 of 100|afp-serverinfo:|ACCESS_DENIED|appears to be clean|cannot|close|closed|Compressors|Could not|Couldn|Denied|denied|Did not|DISABLED|dns-nsid:|dns-service-discovery:|Document Moved|doesn|eppc-enum-processes|error|Error|ERROR|failed|filtered|GET|hbase-region-info:|HEAD|Host is up|Host script results|impervious|incorrect|latency|ldap-rootdse:|LDAP Results|Likely CLEAN|nbstat:|No accounts left|No Allow|no banner|none|Nope.|not allowed|Not Found|Not Shown|not supported|NOT VULNERABLE|nrpe-enum:|ntp-info:|rdp-enum-encryption:|remaining|rpcinfo:|seconds|See http|Service Info|Skipping|smb-check-vulns|smb-mbenum:|sorry|Starting|telnet-encryption:|Telnet server does not|TIMEOUT|Unauthorized|uncompressed|unhandled|Unknown|viewed over a secure|vnc-info:|wdb-version:)' tmp2 > tmp3

grep -v "Can't" tmp3 > tmp4
}

##############################################################################################################

f_scripts(){
echo
echo $line
echo
echo -e "\e[1;34mRunning nmap scripts.\e[0m"

# If the file for the corresponding port doesn't exist, skip
if [ -f $name/13.txt ]; then
echo " Daytime"
nmap -iL $name/13.txt -Pn -n --open -p13 --script=daytime --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-13.txt
fi

if [ -f $name/21.txt ]; then
echo " FTP"
nmap -iL $name/21.txt -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-21.txt
fi

if [ -f $name/22.txt ]; then
echo " SSH"
nmap -iL $name/22.txt -Pn -n --open -p22 --script=ssh2-enum-algos,sshv1 --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-22.txt
fi

if [ -f $name/23.txt ]; then
echo " Telnet"
nmap -iL $name/23.txt -Pn -n --open -p23 --script=banner,telnet-encryption --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-23.txt
fi

if [ -f $name/25.txt ]; then
echo " SMTP"
nmap -iL $name/25.txt -Pn -n --open -p25 --script=banner,smtp-commands,smtp-open-relay,smtp-strangeport --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
printf '%s\n' 'g/NOT VULNERABLE/d\' '-d' w | ed -s tmp4
mv tmp4 $name/script-25.txt
fi

if [ -f $name/53.txt ]; then
echo " DNS"
nmap -iL $name/53.txt -Pn -n -sU --open -p53 --script=dns-cache-snoop,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zone-transfer --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-53.txt
fi

if [ -f $name/67.txt ]; then
echo " DHCP"
nmap -iL $name/67.txt -Pn -n -sU --open -p67 --script=dhcp-discover --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-67.txt
fi

if [ -f $name/70.txt ]; then
echo " Gopher"
nmap -iL $name/70.txt -Pn -n --open -p70 --script=gopher-ls --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-70.txt
fi

if [ -f $name/79.txt ]; then
echo " Finger"
nmap -iL $name/79.txt -Pn -n --open -p79 --script=finger --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-79.txt
fi

if [ -f $name/110.txt ]; then
echo " POP3"
nmap -iL $name/110.txt -Pn -n --open -p110 --script=banner,pop3-capabilities --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-110.txt
fi

if [ -f $name/111.txt ]; then
echo " NFS"
nmap -iL $name/111.txt -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-111.txt
fi

if [ -f $name/123.txt ]; then
echo " NTP"
nmap -iL $name/123.txt -Pn -n -sU --open -p123 --script=ntp-info,ntp-monlist --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-123.txt
fi

if [ -f $name/137.txt ]; then
echo " NetBIOS"
nmap -iL $name/137.txt -Pn -n -sU --open -p137 --script=nbstat --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
sed -i '/^MAC/{n; /.*/d}' tmp4 # Find lines that start with MAC, and delete the following line
sed -i '/^137\/udp/{n; /.*/d}' tmp4 # Find lines that start with 137/udp, and delete the following line
mv tmp4 $name/script-137.txt
fi

if [ -f $name/139.txt ]; then
echo " MS08-067"
nmap -iL $name/139.txt -Pn -n --open -p139 --script=smb-check-vulns --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
egrep -v '(SERVICE|netbios)' tmp4 > tmp5
sed '1N;N;/\(.*\n\)\{2\}.*VULNERABLE/P;$d;D' tmp5
sed '/^$/d' tmp5 > tmp6
grep -v '|' tmp6 > $name/script-ms08-067.txt
fi

if [ -f $name/143.txt ]; then
echo " IMAP"
nmap -iL $name/143.txt -Pn -n --open -p143 --script=imap-capabilities --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-143.txt
fi

if [ -f $name/161.txt ]; then
echo " SNMP"
nmap -iL $name/161.txt -Pn -n -sU --open -p161 --script=snmp-hh3c-logins,snmp-interfaces,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-users --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-161.txt
fi

if [ -f $name/389.txt ]; then
echo " LDAP"
nmap -iL $name/389.txt -Pn -n --open -p389 --script=ldap-rootdse --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-389.txt
fi

if [ -f $name/445.txt ]; then
echo " SMB"
nmap -iL $name/445.txt -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
sed -i '/^445/{n; /.*/d}' tmp4 # Find lines that start with 445, and delete the following line
mv tmp4 $name/script-445.txt
fi

if [ -f $name/465.txt ]; then
echo " SMTP/S"
nmap -iL $name/465.txt -Pn -n --open -p465 --script=banner,smtp-commands,smtp-open-relay,smtp-strangeport,smtp-enum-users --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
printf '%s\n' 'g/NOT VULNERABLE/d\' '-d' w | ed -s tmp4
mv tmp4 $name/script-465.txt
fi

if [ -f $name/500.txt ]; then
echo " Ike"
nmap -iL $name/500.txt -Pn -n -sS -sU --open -p500 --script=ike-version --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-500.txt
fi

if [ -f $name/db2.txt ]; then
echo " DB2"
nmap -iL $name/db2.txt -Pn -n -sS -sU --open -p523 --script=db2-das-info,db2-discover --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-523.txt
fi

if [ -f $name/524.txt ]; then
echo " Novell NetWare Core Protocol"
nmap -iL $name/524.txt -Pn -n --open -p524 --script=ncp-enum-users,ncp-serverinfo --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-524.txt
fi

if [ -f $name/548.txt ]; then
echo " AFP"
nmap -iL $name/548.txt -Pn -n --open -p548 --script=afp-ls,afp-path-vuln,afp-serverinfo,afp-showmount --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-548.txt
fi

if [ -f $name/554.txt ]; then
echo " RTSP"
nmap -iL $name/554.txt -Pn -n --open -p554 --script=rtsp-methods --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-554.txt
fi

if [ -f $name/631.txt ]; then
echo " CUPS"
nmap -iL $name/631.txt -Pn -n --open -p631 --script=cups-info,cups-queue-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-631.txt
fi

if [ -f $name/873.txt ]; then
echo " rsync"
nmap -iL $name/873.txt -Pn -n --open -p873 --script=rsync-list-modules --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-873.txt
fi

if [ -f $name/993.txt ]; then
echo " IMAP/S"
nmap -iL $name/993.txt -Pn -n --open -p993 --script=banner,sslv2,imap-capabilities --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-993.txt
fi

if [ -f $name/995.txt ]; then
echo " POP3/S"
nmap -iL $name/995.txt -Pn -n --open -p995 --script=banner,sslv2,pop3-capabilities --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-995.txt
fi

if [ -f $name/1050.txt ]; then
echo " COBRA"
nmap -iL $name/1050.txt -Pn -n --open -p1050 --script=giop-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-1050.txt
fi

if [ -f $name/1080.txt ]; then
echo " SOCKS"
nmap -iL $name/1080.txt -Pn -n --open -p1080 --script=socks-auth-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-1080.txt
fi

if [ -f $name/1099.txt ]; then
echo " RMI Registry"
nmap -iL $name/1099.txt -Pn -n --open -p1099 --script=rmi-dumpregistry --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-1099.txt
fi

if [ -f $name/1344.txt ]; then
echo " ICAP"
nmap -iL $name/1344.txt -Pn -n --open -p1344 --script=icap-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-1344.txt
fi

if [ -f $name/1352.txt ]; then
echo " Lotus Domino"
nmap -iL $name/1352.txt -Pn -n --open -p1352 --script=domino-enum-users --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-1352.txt
fi

if [ -f $name/1433.txt ]; then
echo " MS-SQL"
nmap -iL $name/1433.txt -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-1433.txt
fi

if [ -f $name/1434.txt ]; then
echo " MS-SQL UDP"
nmap -iL $name/1434.txt -Pn -n -sU --open -p1434 --script=ms-sql-dac --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-1434.txt
fi

if [ -f $name/1521.txt ]; then
echo " Oracle"
nmap -iL $name/1521.txt -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-1521.txt
fi

if [ -f $name/1604.txt ]; then
echo " Citrix"
nmap -iL $name/1604.txt -Pn -n -sU --open -p1604 --script=citrix-enum-apps,citrix-enum-servers --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-1604.txt
fi

if [ -f $name/1723.txt ]; then
echo " PPTP"
nmap -iL $name/1723.txt -Pn -n --open -p1723 --script=pptp-version --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-1723.txt
fi

if [ -f $name/2202.txt ]; then
echo " ACARS"
nmap -iL $name/2202.txt -Pn -n --open -p2202 --script=acarsd-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-2202.txt
fi

if [ -f $name/2628.txt ]; then
echo " DICT"
nmap -iL $name/2628.txt -Pn -n --open -p2628 --script=dict-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-2628.txt
fi

if [ -f $name/2947.txt ]; then
echo " GPS"
nmap -iL $name/2947.txt -Pn -n --open -p2947 --script=gpsd-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-2947.txt
fi

if [ -f $name/3031.txt ]; then
echo " Apple Remote Event"
nmap -iL $name/3031.txt -Pn -n --open -p3031 --script=eppc-enum-processes --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-3031.txt
fi

if [ -f $name/3260.txt ]; then
echo " iSCSI"
nmap -iL $name/3260.txt -Pn -n --open -p3260 --script=iscsi-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-3260.txt
fi

if [ -f $name/3306.txt ]; then
echo " MySQL"
nmap -iL $name/3306.txt -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-3306.txt
fi

if [ -f $name/3389.txt ]; then
echo " Remote Desktop"
nmap -iL $name/3389.txt -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
egrep -v '(attackers|Description|Disclosure|http|References|Risk factor)' tmp4 > $name/script-3389.txt
fi

if [ -f $name/3478.txt ]; then
echo " STUN"
nmap -iL $name/3478.txt -Pn -n -sU --open -p3478 --script=stun-version --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-3478.txt
fi

if [ -f $name/3632.txt ]; then
echo " Distributed Compiler Daemon"
nmap -iL $name/3632.txt -Pn -n --open -p3632 --script=distcc-cve2004-2687 --script-args="distcc-exec.cmd='id'" --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
     egrep -v '(IDs|Risk factor|Description|Allows|earlier|Disclosure|Extra|References|http)' tmp4 > $name/script-3632.txt
fi

if [ -f $name/4369.txt ]; then
echo " Erlang Port Mapper"
nmap -iL $name/4369.txt -Pn -n --open -p4369 --script=epmd-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-4369.txt
fi

if [ -f $name/5019.txt ]; then
echo " Versant"
nmap -iL $name/5019.txt -Pn -n --open -p5019 --script=versant-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-5019.txt
fi

if [ -f $name/5353.txt ]; then
echo " DNS Service Discovery"
nmap -iL $name/5353.txt -Pn -n -sU --open -p5353 --script=dns-service-discovery --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-5353.txt
fi

if [ -f $name/5666.txt ]; then
echo " Nagios"
nmap -iL $name/5666.txt -Pn -n --open -p5666 --script=nrpe-enum --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-5666.txt
fi

if [ -f $name/5672.txt ]; then
echo " AMQP"
nmap -iL $name/5672.txt -Pn -n --open -p5672 --script=amqp-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-5672.txt
fi

if [ -f $name/5850.txt ]; then
echo " OpenLookup"
nmap -iL $name/5850.txt -Pn -n --open -p5850 --script=openlookup-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-5850.txt
fi

if [ -f $name/5900.txt ]; then
echo " VNC"
nmap -iL $name/5900.txt -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-5900.txt
fi

if [ -f $name/5984.txt ]; then
echo " CouchDB"
nmap -iL $name/5984.txt -Pn -n --open -p5984 --script=couchdb-databases,couchdb-stats --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-5984.txt
fi

if [ -f $name/x11.txt ]; then
echo " X11"
nmap -iL $name/x11.txt -Pn -n --open -p6000-6005 --script=x11-access --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-x11.txt
fi

if [ -f $name/6379.txt ]; then
echo " Redis"
nmap -iL $name/6379.txt -Pn -n --open -p6379 --script=redis-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-6379.txt
fi

if [ -f $name/6481.txt ]; then
echo " Sun Service Tags"
nmap -iL $name/6481.txt -Pn -n -sU --open -p6481 --script=servicetags --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-6481.txt
fi

if [ -f $name/6666.txt ]; then
echo " Voldemort"
nmap -iL $name/6666.txt -Pn -n --open -p6666 --script=voldemort-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-6666.txt
fi

if [ -f $name/7210.txt ]; then
echo " Max DB"
nmap -iL $name/7210.txt -Pn -n --open -p7210 --script=maxdb-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-7210.txt
fi

if [ -f $name/7634.txt ]; then
echo " Hard Disk Info"
nmap -iL $name/7634.txt -Pn -n --open -p7634 --script=hddtemp-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-7634.txt
fi

#if [ -f $name/8009.txt ]; then
# echo " AJP"
# nmap -iL $name/8009.txt -Pn -n --open -p8009 --script=ajp-methods,ajp-request --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
# f_cleanup
# mv tmp4 $name/script-8009.txt
#fi

if [ -f $name/8081.txt ]; then
echo " McAfee ePO"
nmap -iL $name/8081.txt -Pn -n --open -p8081 --script=mcafee-epo-agent --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-8081.txt
fi

if [ -f $name/8091.txt ]; then
echo " CouchBase Web Administration"
nmap -iL $name/8091.txt -Pn -n --open -p8091 --script=membase-http-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-8091.txt
fi

if [ -f $name/bitcoin.txt ]; then
echo " Bitcoin"
nmap -iL $name/bitcoin.txt -Pn -n --open -p8332,8333 --script=bitcoin-getaddr,bitcoin-info,bitcoinrpc-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-bitcoin.txt
fi

if [ -f $name/9100.txt ]; then
echo " Lexmark"
nmap -iL $name/9100.txt -Pn -n --open -p9100 --script=lexmark-config --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-9100.txt
fi

if [ -f $name/9160.txt ]; then
echo " Cassandra"
nmap -iL $name/9160.txt -Pn -n --open -p9160 --script=cassandra-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-9160.txt
fi

if [ -f $name/9999.txt ]; then
echo " Java Debug Wire Protocol"
nmap -iL $name/9999.txt -Pn -n --open -p9999 --script=jdwp-version --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-9999.txt
fi

if [ -f $name/10000.txt ]; then
echo " Network Data Management"
nmap -iL $name/10000.txt -Pn -n --open -p10000 --script=ndmp-fs-info,ndmp-version --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-10000.txt
fi

if [ -f $name/11211.txt ]; then
echo " Memory Object Caching"
nmap -iL $name/11211.txt -Pn -n --open -p11211 --script=memcached-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-11211.txt
fi

if [ -f $name/12345.txt ]; then
echo " NetBus"
nmap -iL $name/12345.txt -Pn -n --open -p12345 --script=netbus-auth-bypass,netbus-version --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-12345.txt
fi

if [ -f $name/17185.txt ]; then
echo " VxWorks"
nmap -iL $name/17185.txt -Pn -n -sU --open -p17185 --script=wdb-version --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-17185.txt
fi

if [ -f $name/19150.txt ]; then
echo " GKRellM"
nmap -iL $name/19150.txt -Pn -n --open -p19150 --script=gkrellm-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-19150.txt
fi

if [ -f $name/27017.txt ]; then
echo " MongoDB"
nmap -iL $name/27017.txt -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-27017.txt
fi

if [ -f $name/31337.txt ]; then
echo " BackOrifice"
nmap -iL $name/31337.txt -Pn -n -sU --open -p31337 --script=backorifice-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-31337.txt
fi

if [ -f $name/35871.txt ]; then
echo " Flume"
nmap -iL $name/35871.txt -Pn -n --open -p35871 --script=flume-master-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-35871.txt
fi

if [ -f $name/50000.txt ]; then
echo " DRDA"
nmap -iL $name/50000.txt -Pn -n --open -p50000 --script=drda-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-50000.txt
fi

if [ -f $name/hadoop.txt ]; then
echo " Hadoop"
nmap -iL $name/hadoop.txt -Pn -n --open -p50030,50060,50070,50075,50090 --script=hadoop-datanode-info,hadoop-jobtracker-info,hadoop-namenode-info,hadoop-secondary-namenode-info,hadoop-tasktracker-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-hadoop.txt
fi

if [ -f $name/apache-hbase.txt ]; then
echo " Apache HBase"
nmap -iL $name/apache-hbase.txt -Pn -n --open -p60010,60030 --script=hbase-master-info,hbase-region-info --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
mv tmp4 $name/script-apache-hbase.txt
fi

if [ -f $name/web.txt ]; then
echo " Web"
nmap -iL $name/web.txt -Pn -n --open -p80,443,8000,8080,8443 --script=http-methods --host-timeout 5m --min-hostgroup 100 -g $sourceport > tmp
f_cleanup
egrep -v '(html|No Allow|Potentially)' tmp4 > $name/script-web.txt
fi

rm tmp*

for x in $name/./script*; do
if grep '|' $x > /dev/null 2>&1; then
echo > /dev/null 2>&1
     else
rm $x > /dev/null 2>&1
     fi
done
}

##############################################################################################################

f_metasploit(){
echo
echo $line
echo
echo -ne "\e[1;33mRun matching Metasploit auxilaries? (y/N) \e[0m"
read msf

if [ -z $msf ]; then
msf="n"
fi

msf="$(echo ${msf} | tr 'A-Z' 'a-z')"

if [ $msf == "y" ]; then
f_runmsf
else
f_report
fi
}

##############################################################################################################

f_runmsf(){
echo
echo -e "\e[1;34mStarting Metasploit, this takes about 15 sec.\e[0m"

echo workspace -a $name > $name/master.rc

# If the file for the corresponding port doesn't exist, skip
if [ -f $name/21.txt ]; then
echo " FTP"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/21.txt/g" /opt/scripts/resource/ftp.rc
     cat resource/ftp.rc >> $name/master.rc
fi

if [ -f $name/22.txt ]; then
echo " SSH"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/22.txt/g" /opt/scripts/resource/ssh.rc
     cat resource/ssh.rc >> $name/master.rc
fi

if [ -f $name/23.txt ]; then
echo " Telnet"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/23.txt/g" /opt/scripts/resource/telnet.rc
     cat resource/telnet.rc >> $name/master.rc
fi

if [ -f $name/25.txt ]; then
echo " SMTP"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/25.txt/g" /opt/scripts/resource/smtp.rc
     cat resource/smtp.rc >> $name/master.rc
fi

if [ -f $name/69.txt ]; then
echo " TFTP"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/69.txt/g" /opt/scripts/resource/tftp.rc
     cat resource/tftp.rc >> $name/master.rc
fi

if [ -f $name/79.txt ]; then
echo " Finger"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/79.txt/g" /opt/scripts/resource/finger.rc
     cat resource/finger.rc >> $name/master.rc
fi

if [ -f $name/110.txt ]; then
echo " POP3"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/110.txt/g" /opt/scripts/resource/pop3.rc
     cat resource/pop3.rc >> $name/master.rc
fi

if [ -f $name/111.txt ]; then
echo " NFS"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/111.txt/g" /opt/scripts/resource/nfs.rc
     cat resource/nfs.rc >> $name/master.rc
fi

if [ -f $name/123.txt ]; then
echo " NTP"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/123.txt/g" /opt/scripts/resource/ntp.rc
     cat resource/ntp.rc >> $name/master.rc
fi

if [ -f $name/137.txt ]; then
echo " NetBIOS"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/137.txt/g" /opt/scripts/resource/netbios.rc
     cat resource/netbios.rc >> $name/master.rc
fi

if [ -f $name/143.txt ]; then
echo " IMAP"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/143.txt/g" /opt/scripts/resource/imap.rc
     cat resource/imap.rc >> $name/master.rc
fi

if [ -f $name/161.txt ]; then
echo " SNMP"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/161.txt/g" /opt/scripts/resource/snmp.rc
     cat resource/snmp.rc >> $name/master.rc
fi

if [ -f $name/445.txt ]; then
echo " SMB"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/445.txt/g" /opt/scripts/resource/smb.rc
     cat resource/smb.rc >> $name/master.rc
fi

if [ -f $name/465.txt ]; then
echo " SMTP/S"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/465.txt/g" /opt/scripts/resource/smtp-s.rc
     cat resource/smtp-s.rc >> $name/master.rc
fi

if [ -f $name/523.txt ]; then
echo " db2"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/523.txt/g" /opt/scripts/resource/db2.rc
     cat resource/db2.rc >> $name/master.rc
fi

if [ -f $name/548.txt ]; then
echo " AFP"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/548.txt/g" /opt/scripts/resource/afp.rc
     cat resource/afp.rc >> $name/master.rc
fi

if [ -f $name/1099.txt ]; then
echo " RMI Registery"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/1099.txt/g" /opt/scripts/resource/rmi.rc
     cat resource/rmi.rc >> $name/master.rc
fi

if [ -f $name/1158.txt ]; then
echo " Oracle"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/1158.txt/g" /opt/scripts/resource/oracle.rc
     cat resource/oracle.rc >> $name/master.rc
fi

if [ -f $name/1433.txt ]; then
echo " MS-SQL"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/1433.txt/g" /opt/scripts/resource/mssql.rc
     cat resource/mssql.rc >> $name/master.rc
fi

if [ -f $name/1521.txt ]; then
echo " Oracle 2"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/1521.txt/g" /opt/scripts/resource/oracle2.rc
     cat resource/oracle2.rc >> $name/master.rc
fi

if [ -f $name/1604.txt ]; then
echo " Citrix"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/1604.txt/g" /opt/scripts/resource/citrix.rc
     cat resource/citrix.rc >> $name/master.rc
fi

if [ -f $name/1720.txt ]; then
echo " H323"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/1720.txt/g" /opt/scripts/resource/h323.rc
     cat resource/h323.rc >> $name/master.rc
fi

if [ -f $name/3306.txt ]; then
echo " MySQL"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/3306.txt/g" /opt/scripts/resource/mysql.rc
     cat resource/mysql.rc >> $name/master.rc
fi

if [ -f $name/5432.txt ]; then
echo " Postgres"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/5432.txt/g" /opt/scripts/resource/postgres.rc
     cat resource/postgres.rc >> $name/master.rc
fi

if [ -f $name/5900.txt ]; then
echo " VNC"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/5900.txt/g" /opt/scripts/resource/vnc.rc
     cat resource/vnc.rc >> $name/master.rc
fi

if [ -f $name/x11.txt ]; then
echo " x11"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/x11.txt/g" /opt/scripts/resource/x11.rc
     cat resource/x11.rc >> $name/master.rc
fi

if [ -f $name/7777.txt ]; then
echo " Energizer Duo"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/7777.txt/g" /opt/scripts/resource/energizer-duo.rc
     cat resource/energizer-duo.rc >> $name/master.rc
fi

if [ -f $name/8080.txt ]; then
echo " Tomcat"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/8080.txt/g" /opt/scripts/resource/tomcat.rc
     cat resource/tomcat.rc >> $name/master.rc
fi

if [ -f $name/8222.txt ]; then
echo " VMware"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/8222.txt/g" /opt/scripts/resource/vmware.rc
     cat resource/vmware.rc >> $name/master.rc
fi

if [ -f $name/8400.txt ]; then
echo " Adobe"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/8400.txt/g" /opt/scripts/resource/adobe.rc
     cat resource/adobe.rc >> $name/master.rc
fi

if [ -f $name/9999.txt ]; then
echo " Telnet 2"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/9999.txt/g" /opt/scripts/resource/telnet2.rc
     cat resource/telnet2.rc >> $name/master.rc
fi

if [ -f $name/17185.txt ]; then
echo " VxWorks"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/17185.txt/g" /opt/scripts/resource/vxworks.rc
     cat resource/vxworks.rc >> $name/master.rc
fi

if [ -f $name/50000.txt ]; then
echo " db2 version"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/50000.txt/g" /opt/scripts/resource/db2-version.rc
     cat resource/db2-version.rc >> $name/master.rc
fi

if [ -f $name/web.txt ]; then
echo " HTTP"
     sed -i "s/^setg RHOSTS.*/setg RHOSTS file:\/opt\/scripts\/$name\/web.txt/g" /opt/scripts/resource/http-short.rc
     cat resource/http-short.rc >> $name/master.rc
fi

# services -c port,proto,name,info -o /root/test.csv
# hosts -c address,name,os_name,os_flavor,os_sp -o /root/test2.csv

echo db_export -f xml -a $name/metasploit.xml >> $name/master.rc
echo db_import $name/nmap.xml >> $name/master.rc
echo exit >> $name/master.rc

x=$(wc -l $name/master.rc | cut -d ' ' -f1)

if [ $x -eq 3 ]; then
rm $name/master.rc
else
msfconsole -r /opt/scripts/$name/master.rc
     rm $name/master.rc
fi

f_report
}

##############################################################################################################

f_report(){
END=$(date +%r\ %Z)
filename=$name/report.txt
host=$(wc -l $name/hosts.txt | cut -d ' ' -f1)

echo "Discover Report" > $filename
echo "$name" >> $filename
date +%A" - "%B" "%d", "%Y >> $filename
echo >> $filename
echo "Start time - $START" >> $filename
echo "Finish time - $END" >> $filename
echo "Scanner IP - $ip" >> $filename
nmap -V | grep 'version' | cut -d ' ' -f1-3 >> $filename
echo >> $filename
echo $line >> $filename
echo >> $filename

if [ -f $name/script-ms08-067.txt ]; then
echo "May be vulnerable to MS08-067." >> $filename
     echo >> $filename
     cat $name/script-ms08-067.txt >> $filename
     echo >> $filename
     echo $line >> $filename
     echo >> $filename
fi

if [ $host -eq 1 ]; then
echo "1 host discovered." >> $filename
     echo >> $filename
     echo $line >> $filename
     echo >> $filename
     cat $name/nmap.txt >> $filename
     echo $line >> $filename
     echo $line >> $filename
     echo >> $filename
     echo "Nmap Scripts" >> $filename

     SCRIPTS="script-13 script-21 script-22 script-23 script-25 script-53 script-67 script-70 script-79 script-110 script-111 script-123 script-137 script-143 script-161 script-389 script-445 script-465 script-500 script-523 script-524 script-548 script-554 script-631 script-873 script-993 script-995 script-1050 script-1080 script-1099 script-1344 script-1352 script-1433 script-1434 script-1521 script-1604 script-1723 script-2202 script-2628 script-2947 script-3031 script-3260 script-3306 script-3389 script-3478 script-3632 script-4369 script-5019 script-5353 script-5666 script-5672 script-5850 script-5900 script-5984 script-x11 script-6379 script-6481 script-6666 script-7210 script-7634 script-8009 script-8081 script-8091 script-bitcoin script-9100 script-9160 script-9999 script-10000 script-11211 script-12345 script-17185 script-19150 script-27017 script-31337 script-35871 script-50000 script-hadoop script-apache-hbase script-web"

     for i in $SCRIPTS; do
if [ -f $name/"$i.txt" ]; then
cat $name/"$i.txt" >> $filename
               echo $line >> $filename
          fi
done

mv $name /$user/

     START=0
     END=0

     echo
echo $line
echo
echo "***Scan complete.***"
     echo
printf 'The new report is located at \e[1;33m%s\e[0m\n' /$user/$name/report.txt
     echo
echo
exit
fi

echo "Hosts Discovered ($host)" >> $filename
echo >> $filename
cat $name/hosts.txt >> $filename
echo >> $filename

if [ ! -s $name/ports.txt ]; then
echo
echo $line
     echo
echo "***Scan complete.***"
     echo
echo -e "\e[1;33mNo hosts found with open ports.\e[0m"
     echo
echo
exit
else
ports=$(wc -l $name/ports.txt | cut -d ' ' -f1)
fi

echo $line >> $filename
echo >> $filename
echo "Open Ports ($ports)" >> $filename
echo >> $filename

if [ -s $name/ports-tcp.txt ]; then
echo "TCP Ports" >> $filename
     cat $name/ports-tcp.txt >> $filename
     echo >> $filename
fi

if [ -s $name/ports-udp.txt ]; then
echo "UDP Ports" >> $filename
     cat $name/ports-udp.txt >> $filename
     echo >> $filename
fi

echo $line >> $filename

if [ -f $name/banners.txt ]; then
banners=$(wc -l $name/banners.txt | cut -d ' ' -f1)
     echo >> $filename
     echo "Banners ($banners)" >> $filename
     echo >> $filename
     cat $name/banners.txt >> $filename
     echo >> $filename
     echo $line >> $filename
fi

echo >> $filename
echo "High Value Hosts by Port" >> $filename
echo >> $filename

HVPORTS="13 21 22 23 25 53 67 69 70 79 80 110 111 123 137 139 143 161 389 443 445 465 500 523 524 548 554 631 873 993 995 1050 1080 1099 1158 1344 1352 1433 1434 1521 1604 1720 1723 2202 2628 2947 3031 3260 3306 3389 3478 3632 4369 5019 5353 5432 5666 5672 5850 5900 5984 6000 6001 6002 6003 6004 6005 6379 6481 6666 7210 7634 7777 8000 8009 8080 8081 8091 8222 8332 8333 8400 8443 9100 9160 9999 10000 11211 12345 17185 19150 27017 31337 35871 50000 50030 50060 50070 50075 50090 60010 60030"

for i in $HVPORTS; do
if [ -f $name/$i.txt ]; then
echo "Port $i" >> $filename
          cat $name/$i.txt >> $filename
          echo >> $filename
     fi
done

echo $line >> $filename
echo >> $filename
cat $name/nmap.txt >> $filename
echo $line >> $filename
echo $line >> $filename
echo >> $filename
echo "Nmap Scripts" >> $filename

SCRIPTS="script-13 script-21 script-22 script-23 script-25 script-53 script-67 script-70 script-79 script-110 script-111 script-123 script-137 script-143 script-161 script-389 script-445 script-465 script-500 script-523 script-524 script-548 script-554 script-631 script-873 script-993 script-995 script-1050 script-1080 script-1099 script-1344 script-1352 script-1433 script-1434 script-1521 script-1604 script-1723 script-2202 script-2628 script-2947 script-3031 script-3260 script-3306 script-3389 script-3478 script-3632 script-4369 script-5019 script-5353 script-5666 script-5672 script-5850 script-5900 script-5984 script-x11 script-6379 script-6481 script-6666 script-7210 script-7634 script-8009 script-8081 script-8091 script-bitcoin script-9100 script-9160 script-9999 script-10000 script-11211 script-12345 script-17185 script-19150 script-27017 script-31337 script-35871 script-50000 script-hadoop script-apache-hbase script-web"

for i in $SCRIPTS; do
if [ -f $name/"$i.txt" ]; then
cat $name/"$i.txt" >> $filename
          echo $line >> $filename
     fi
done

echo >> $filename

mv $name /$user/

START=0
END=0

echo
echo $line
echo
echo "***Scan complete.***"
echo
printf 'The new report is located at \e[1;33m%s\e[0m\n' /$user/$name/report.txt
echo
echo
exit
}

##############################################################################################################

f_multitabs(){
f_runlocally
clear
f_banner

echo -e "\e[1;34mOpen multiple tabs in Firefox with:\e[0m"
echo
echo "1. List containing IPs and/or URLs."
echo "2. Directories from a domain's robot.txt."
echo "3. Previous menu"
echo
echo -n "Choice: "
read choice

case $choice in
     1)
     f_location

     echo -n "Port (default 80): "
     read port

     # Check if port is a number
     echo "$port" | grep -E "^[0-9]+$" 2>/dev/null
     isnum=$?

     if [ $isnum -ne 0 ] && [ ${#port} -gt 0 ]; then
f_error
     fi

if [ ${#port} -eq 0 ]; then
port=80
     fi

if [ $port -lt 1 ] || [ $port -gt 65535 ]; then
f_error
     fi

firefox &
     sleep 2

     if [ $port -eq 21 ]; then
for i in $(cat $location); do
firefox -new-tab ftp://$i &
               sleep 1
          done
elif [ $port -eq 80 ]; then
for i in $(cat $location); do
firefox -new-tab $i &
               sleep 1
          done
elif [ $port -eq 443 ]; then
for i in $(cat $location); do
firefox -new-tab https://$i &
               sleep 1
          done
else
for i in $(cat $location); do
firefox -new-tab $i:$port &
               sleep 1
          done
fi
     ;;

     2)
     echo
echo $line
     echo
echo "Usage: target.com or target-IP"
     echo
echo -n "Domain: "
     read domain

     # Check for no answer
     if [ -z $domain ]; then
f_error
     fi

wget -q $domain/robots.txt

     grep 'Disallow' robots.txt | awk '{print $2}' > /$user/$domain-robots.txt
     rm robots.txt

     firefox &
     sleep 2

     for i in $(cat /$user/$domain-robots.txt); do
firefox -new-tab $domain$i &
          sleep 1
     done

echo
echo $line
     echo
echo "***Scan complete.***"
     echo
printf 'The new report is located at \e[1;33m%s\e[0m\n' /$user/$domain-robots.txt
     echo
echo
exit
     ;;

     3) f_main;;
     *) f_error;;
esac
}

##############################################################################################################

f_nikto(){
f_runlocally
clear
f_banner

echo -e "\e[1;34mRun multiple instances of Nikto in parallel against a list of IP addresses.\e[0m"
echo -e "\e[1;34mAs scans complete, the tabs will close.\e[0m"
echo
echo "1. List of IPs."
echo "2. List of IP:port."
echo "3. Previous menu"
echo
echo -n "Choice: "
read choice

case $choice in
     1)
     f_location

     echo
echo -n "Port (default 80): "
     read port
     echo

     # Check if port is a number
     echo "$port" | grep -E "^[0-9]+$" 2>/dev/null
     isnum=$?

     if [ $isnum -ne 0 ] && [ ${#port} -gt 0 ]; then
f_error
     fi

if [ ${#port} -eq 0 ]; then
port=80
     fi

if [ $port -lt 1 ] || [ $port -gt 65535 ]; then
f_error
     fi

mkdir /$user/nikto

     while read -r line; do
xdotool key ctrl+shift+t
          sleep 1
          xdotool type "cd /pentest/web/nikto/program/ && ./nikto.pl -h $line -port $port -Format htm --output /$user/nikto/$line.htm ; exit"
          xdotool key Return
     done < "$location"
     ;;

     2)
     f_location

     mkdir /$user/nikto

     while IFS=: read -r host port; do
xdotool key ctrl+shift+t
          sleep 1
          xdotool type "cd /pentest/web/nikto/program/ && ./nikto.pl -h $host -port $port -Format htm --output /root/nikto/$host-$port.htm ; exit"
          xdotool key Return
     done < "$location"
     ;;

     3) f_main;;
     *) f_error;;
esac

echo
echo $line
echo
echo "***Scan complete.***"
echo
printf 'The new report is located at \e[1;33m%s\e[0m\n' /$user/nikto/
echo
echo
exit
}

##############################################################################################################
# Jason
# Need a better way to see if a host is live and has an SSL port open. Try using nmap -p 443.
# Need a better way to locate hosts running SSL on alternate ports. Try using the nmap.grep file.

f_sslcheck(){
clear
f_banner

echo -e "\e[1;34mCheck for SSL certificate issues.\e[0m"

f_location

date2stamp(){
date --utc --date "$1" +%s
}

stamp2date(){
date --utc --date "1970-01-01 $1 sec" "+%Y-%m-%d %T"
}

datediff(){
case $1 in
     -s) sec=1; shift;;
     -m) sec=60; shift;;
     -h) sec=3600; shift;;
     -d) sec=86400; shift;;
     *) sec=86400;;
esac

dte1=$(date2stamp $1)
dte2=$(date2stamp $2)
diffSec=$((dte2-dte1))

if ((diffSec < 0)); then
abs=-1
else
abs=1
fi

echo $((diffSec/sec*abs))
}

monthconv(){
if [ "$1" == "Jan" ]; then monthnum="01"; fi
if [ "$1" == "Feb" ]; then monthnum="02"; fi
if [ "$1" == "Mar" ]; then monthnum="03"; fi
if [ "$1" == "Apr" ]; then monthnum="04"; fi
if [ "$1" == "May" ]; then monthnum="05"; fi
if [ "$1" == "Jun" ]; then monthnum="06"; fi
if [ "$1" == "Jul" ]; then monthnum="07"; fi
if [ "$1" == "Aug" ]; then monthnum="08"; fi
if [ "$1" == "Sep" ]; then monthnum="09"; fi
if [ "$1" == "Oct" ]; then monthnum="10"; fi
if [ "$1" == "Nov" ]; then monthnum="11"; fi
if [ "$1" == "Dec" ]; then monthnum="12"; fi
}

# Number of hosts
number=$(wc -l $location | cut -d ' ' -f1)
N=0

echo
echo "Scanning $number IP addresses."
echo

echo > tmp-report
echo >> tmp-report
echo "SSL Report" >> tmp-report
reportdate=$(date +%A" - "%B" "%d", "%Y)
echo $reportdate >> tmp-report
echo sslscan $(sslscan | grep 'Version' | awk '{print $2}') >> tmp-report
echo >> tmp-report
echo $line >> tmp-report
echo >> tmp-report

while read -r line; do

     # Initialize ssl_$line.txt file
     echo "$line" > ssl_$line.txt
     N=$((N+1))
     sslscan --no-failed $line > ssltmp_$line & pid=$!

     # echo "pid = $pid" # debug statement
     echo -n "$line [$N/$number] "; sleep 40
     echo >> ssl_$line.txt

     if [ -s ssltmp_$line ]; then
ERRORCHECK=$(cat ssltmp_$line | grep 'ERROR:')
          if [[ ! $ERRORCHECK ]]; then

ISSUER=$(cat ssltmp_$line | grep 'Issuer:')
               if [[ $ISSUER ]]; then
cat ssltmp_$line | grep 'Issuer:' >> ssl_$line.txt
                    echo >> ssl_$line.txt
               else
echo "Issuer information not available for this certificate. Look into this!" >> ssl_$line.txt
                    echo >> ssl_$line.txt
               fi

SUBJECT=$(cat ssltmp_$line | grep 'Subject:')
               if [[ $SUBJECT ]]; then
cat ssltmp_$line | grep 'Subject:' >> ssl_$line.txt
                    echo >> ssl_$line.txt
               else
echo "Certificate subject information not available. Look into this!" >> ssl_$line.txt
                    echo >> ssl_$line.txt
               fi

DNS=$(cat ssltmp_$line | grep 'DNS:')
               if [[ $DNS ]]; then
cat ssltmp_$line | grep 'DNS:' >> ssl_$line.txt
                    echo >> ssl_$line.txt
               fi

A=$(cat ssltmp_$line | grep -i 'MD5WithRSAEncryption')
               if [[ $A ]]; then
echo [*] MD5-based Signature in TLS/SSL Server X.509 Certificate >> ssl_$line.txt
                    cat ssltmp_$line | grep -i 'MD5WithRSAEncryption' >> ssl_$line.txt
                    echo >> ssl_$line.txt
               fi

B=$(cat ssltmp_$line | grep 'NULL')
               if [[ $B ]]; then
echo [*] NULL Ciphers >> ssl_$line.txt
                    cat ssltmp_$line | grep 'NULL' >> ssl_$line.txt
                    echo >> ssl_$line.txt
               fi

C=$(cat ssltmp_$line | grep 'SSLv2')
               if [[ $C ]]; then
echo [*] TLS/SSL Server Supports SSLv2 >> ssl_$line.txt
                    cat ssltmp_$line | grep 'SSLv2' > ssltmp2_$line
                    sed '/^ SSL/d' ssltmp2_$line >> ssl_$line.txt
                    echo >> ssl_$line.txt
                    rm ssltmp2_$line
               fi

D=$(cat ssltmp_$line | grep ' 40 bits')
               D2=$(cat ssltmp_$line | grep ' 56 bits')

               if [[ $D || $D2 ]]; then
echo [*] TLS/SSL Server Supports Weak Cipher Algorithms >> ssl_$line.txt
                    cat ssltmp_$line | grep ' 40 bits' >> ssl_$line.txt
                    cat ssltmp_$line | grep ' 56 bits' >> ssl_$line.txt
                    echo >> ssl_$line.txt
               fi

datenow=$(date +%F)
               # echo datenow=$datenow
               datenowstamp=$(date2stamp "$datenow")
               # echo datenowstamp=$datenowstamp
               monthconv $(grep "Not valid after:" ssltmp_$line | awk -F" " {'print $4'})
               # echo monthnum=$monthnum
               expyear=$(grep "Not valid after:" ssltmp_$line | awk -F" " {'print $7'})
               # echo expyear=$expyear
               expday=$(grep "Not valid after:" ssltmp_$line | awk -F" " {'print $5'})
               # echo expday=$expday
               expdate=$(echo "$expyear-$monthnum-$expday")
               # echo expdate=$expdate
               expdatestamp=$(date2stamp "$expdate")
               # echo expdatestamp=$expdatestamp
               numdaysdiff=$(datediff $datenow $expdate)
               # echo numdaysdiff=$numdaysdiff

               if (($expdatestamp < $datenowstamp)); then
echo [*] X.509 Server Certificate is Invalid/Expired >> ssl_$line.txt
                    echo " Cert Expire Date: $expdate" >> ssl_$line.txt
                    echo >> ssl_$line.txt
               fi

E=$(cat ssltmp_$line | grep 'Authority Information Access:')
               if [[ ! $E ]]; then
echo [*] Self-signed TLS/SSL Certificate >> ssl_$line.txt
                    echo >> ssl_$line.txt
               fi

echo $line >> ssl_$line.txt
               echo >> ssl_$line.txt
               echo
               # echo "kill $pid process test"
               (sleep 5 && kill -9 $pid 2>/dev/null) &

               # Add current data to tmp-report
               cat ssl_$line.txt >> tmp-report
          else
echo -e "\e[1;31mCould not open a connection.\e[0m"
               echo $ERRORCHECK >> ssl_$line.txt
               echo >> ssl_$line.txt
               echo $line >> ssl_$line.txt
               cat ssl_$line.txt >> tmp-report
          fi
else
echo -e "\e[1;31mNo response.\e[0m"
          echo "[*] No response." >> ssl_$line.txt
          echo >> ssl_$line.txt
          echo $line >> ssl_$line.txt

          # Add current data to tmp-report
          cat ssl_$line.txt >> tmp-report
     fi
done < "$location"

mv tmp-report /$user/ssl-report.txt
rm ssltmp_* ssl_*.txt 2>/dev/null

echo
echo $line
echo
echo "***Scan complete.***"
echo
printf 'The new report is located at \e[1;33m%s\e[0m\n' /$user/ssl-report.txt
echo
echo
exit
}

##############################################################################################################

f_salesforce(){
clear
f_banner

echo 'Copy the results of a query from salesforce to a file, then parse the results.'

f_location

echo
echo

sed 's/Direct Dial Available//g' $location | sed 's/\[\]//g; s/Addison//g; s/Akron//g; s/Alma //g; s/Apple Valley//g; s/Arlington//g; s/Artesia//g; s/Ashburn//g; s/Atlanta//g; s/Austin//g; s/Baltimore//g; s/Barboursville//g; s/Binghamton//g; s/Birmingham//g; s/Boston//g; s/Burbank//g ; s/Burlington//g; s/Brockton//g; s/Canada//g; s/Camp Springs//g; s/Charleston//g; s/Charlotte//g; s/Chesapeake//g; s/Chicago//g; s/Cincinnati//g; s/Cleveland//g; s/CNN News Group Cable News Network//g; s/Columbia//g; s/Cresskill//g; s/Dallas//g; s/Denver//g; s/Dunkirk//g; s/Durham//g; s/El Paso//g; s/Englewood//g; s/Emeryville//g; s/Encino//g; s/Fallbrook//g; s/Fremont//g; s/Front Royal//g; s/Gardena//g; s/Gastonia//g; s/Glendale//g; s/Hamlin//g; s/Harbor City//g; s/Hawthorne//g; s/Hermosa Beach//g; s/Herndon//g; s/Huntington//g; s/Hurricane//g; s/Hyattsville//g; s/Indianapolis//g; s/Irvine//g; s/JA//g; s/Kansas City//g; s/Knoxville//g; s/La Follette//g; s/La Plata//g; s/Lawrenceville//g; s/Lawndale//g; s/Lithonia//g; s/Lomita//g; s/London//g; s/Long Beach//g; s/Los Angeles//g; s/Machias//g; s/Manhattan//g; s/Marietta//g; s/Marina Del Rey//g; s/Mc Lean//g; s/Miami//g; s/Milpitas//g; s/Milton//g; s/Minneapolis//g; s/Mumbai//g; s/Needham//g; s/New York//g; s/Norwalk//g; s/Oakland//g; s/Oceanport//g; s/Odessa//g; s/Ottawa ON//g; s/Orange//g; s/Philadelphia//g; s/Point Pleasant//g; s/Portland//g; s/Proctorville//g; s/Rancho//g; s/Redondo Beach//g; s/Reston//g; s/Richmond//g; s/Riverdale//g; s/Rllng Hls Est//g; s/Rochester//g; s/Rockville//g; s/Royal Oak//g; s/Sacramento//g; s/Salt Lake City//g; s/San Diego//g; s/San Francisco//g; s/San Jose//g; s/San Mateo//g; s/San Pedro//g; s/Santa Clara//g; s/Santa Monica//g; s/Scotts Valley//g; s/Seattle//g; s/Show Low//g; s/Sitka//g; s/Southfield//g; s/South Lake//g; s/Stephens City//g; s/Stillwater//g; s/Tacoma//g; s/Tallahassee//g; s/Torrance//g; s/Twin Falls//g; s/U.S.//g; s/United Kingdom//g; s/United States//g; s/Vienna//g; s/Walnut Creek//g; s/Washington//g; s/Welch//g; s/Westport//g; s/Wheeling//g; s/Wilton//g; s/Winchester//g; s/Williamsport//g; s/Wilmington//g; s/Winder//g; s/Wynnewood//g;

s/AK //g; s/AL //g; s/AR //g; s/AZ //g; s/CA //g; s/CT //g; s/DC //g; s/DE //g; s/FL //g; s/GA //g; s/HI //g; s/IA //g; s/ID //g; s/IL //g; s/IN //g; s/KS //g; s/KY //g; s/LA //g; s/MA //g; s/ME //g; s/MD //g; s/MI //g; s/MN //g; s/MS //g; s/MT //g; s/NC //g; s/NE //g; s/ND //g; s/NH //g; s/NJ //g; s/NM //g; s/NV //g; s/NY //g; s/OH //g; s/OK //g; s/OR //g; s/PA //g; s/RI //g; s/SC //g; s/SD //g; s/TN //g; s/TX //g; s/UT //g; s/VA //g; s/VT //g; s/WA //g; s/WI //g; s/WV //g; s/WY //g; s/[0-9]\{2\}\/[0-9]\{2\}\/[0-9]\{2\}//g; s/^[ \t]*//' > tmp

# Author: Ben Wood
perl -ne 'if ($_ =~ /(.*?)\t\s*(.*)/) {printf("%-30s%s\n",$1,$2);}' tmp > tmp2

# Remove trailing whitespace from each line
sed 's/[ \t]*$//' tmp2 | sort > /$user/names.txt

rm tmp*
cat /$user/names.txt

echo
echo $line
echo
printf 'The new report is located at \e[1;33m%s\e[0m\n' /$user/names.txt
echo
echo
exit
}

##############################################################################################################

f_listener(){
clear
echo
echo
echo "Starting a Metasploit listener on port 443."
echo "Type - Windows meterpreter reverse TCP."
echo
echo "This takes about 20 seconds."
echo
msfconsole -r /opt/scripts/resource/listener.rc
}

##############################################################################################################

f_updates(){
# Remove entire script categories
if [ -d /root/nmap-svn ]; then
ls -l /root/nmap-svn/scripts | awk '{print $8}' | cut -d '.' -f1 | egrep -v '(broadcast|brute|discover|http|ip-|ssl|targets)' > tmp
else
ls -l /usr/local/share/nmap/scripts | awk '{print $8}' | cut -d '.' -f1 | egrep -v '(broadcast|brute|discover|http|ip-|ssl|targets)' > tmp
fi

# Remove Nmap scripts that take too many arguments, DOS or not relevant
egrep -v '(address-info|ajp-auth|ajp-headers|asn-query|auth-owners|auth-spoof|cccam-version|citrix-enum-apps-xml|citrix-enum-servers-xml|creds-summary|daap-get-library|dns-blacklist|dns-check-zone|dns-client-subnet-scan|dns-fuzz|dns-ip6-arpa-scan|dns-nsec3-enum|dns-nsec-enum|dns-srv-enum|dns-zeustracker|domcon-cmd|duplicates|eap-info|firewalk|firewall-bypass|ftp-libopie|ganglia-info|ftp-vuln-cve2010-4221|hostmap-bfk|hostmap-robtex|iax2-version|informix-query|informix-tables|ipidseq|ipv6-node-info|ipv6-ra-flood|irc-botnet-channels|irc-info|irc-unrealircd-backdoor|isns-info|jdwp-exec|jdwp-info|jdwp-inject|krb5-enum-users|ldap-novell-getpass|ldap-search|llmnr-resolve|metasploit-info|mmouse-exec|ms-sql-config|mrinfo|ms-sql-hasdbaccess|ms-sql-query|ms-sql-tables|ms-sql-xp-cmdshell|mtrace|murmur-version|mysql-audit|mysql-enum|mysql-dump-hashes|mysql-query|mysql-vuln-cve2012-2122|nat-pmp-info|nat-pmp-mapport|netbus-info|omp2-enum-targets|oracle-enum-users|ovs-agent-version|p2p-conficker|path-mtu|pjl-ready-message|quake3-info|quake3-master-getservers|qscan|resolveall|reverse-index|rpc-grind|rpcap-info|samba-vuln-cve-2012-1182|script|sip-enum-users|skypev2-version|smb-flood|smb-ls|smb-print-text|smb-psexec|smb-vuln-ms10-054|smb-vuln-ms10-061|smtp-vuln-cve2010-4344|smtp-vuln-cve2011-1720|smtp-vuln-cve2011-1764|sniffer-detect|snmp-ios-config|socks-open-proxy|sql-injection|ssh-hostkey|ssh2-enum-algos|sshv1|stun-info|tftp-enum|tls-nextprotoneg|traceroute-geolocation|unusual-port|upnp-info|url-snarf|ventrilo-info|vuze-dht-info|whois|xmpp-info)' tmp > tmp-all

grep 'script=' discover.sh | egrep -v '(discover.sh|22.txt|smtp.txt|web.txt)' > tmp
cat tmp | cut -d '=' -f2- | cut -d ' ' -f1 | tr ',' '\n' | egrep -v '(db2-discover|dhcp-discover|dns-service-discovery|membase-http-info|oracle-sid-brute|smb-os-discovery|sslv2)' | sort -u > tmp-used

echo "New Modules" > tmp-updates
echo >> tmp-updates
echo "Nmap scripts" >> tmp-updates
echo "==============================" >> tmp-updates

diff tmp-all tmp-used | egrep '^[<>]' | awk '{print $2}' >> tmp-updates

rm tmp

echo >> tmp-updates
echo "Metasploit auxiliary/scanners" >> tmp-updates
echo "==============================" >> tmp-updates

categories="afp backdoor db2 finger ftp h323 http imap lotus mongodb motorola mssql mysql netbios nfs ntp oracle pcanywhere pop3 postgres rservices scada sip smb smtp snmp ssh telnet tftp upnp vmware vnc vxworks winrm x11"

for i in $categories; do
ls -l /opt/metasploit/msf3/modules/auxiliary/scanner/$i | awk '{print $8}' | cut -d '.' -f1 >> tmp
done

sed '/^$/d' tmp > tmp2

# Remove brute force and misc
egrep -v '(afp_login|anonymous|axis_login|brute_dirs|cisco_upload_file|crawler|db2_auth|dolibarr_login|ektron_cms400net|enum_delicious|enum_wayback|file_same_name_dir|ftp_login|httpbl_lookup|isqlplus_login|isqlplus_sidbrute|lotus_domino_hashes|lotus_domino_login|lucky_punch|mongodb_login|mysql_hashdump|mysql_login|mysql_schemadump|oracle_hashdump|oracle_login|owa_login|pop3_login|postgres_hashdump|postgres_login|postgres_schemadump|postgres_version|prev_dir_same_name_file|rexec_login|rlogin_login|rsh_login|sid_brute|smb_login|snmp_login|snmp_set|squid_pivot_scanning|ssh_identify_pubkeys|ssh_login|ssh_login_pubkey|sybase_easerver_traversal|telnet_encrypt_overflow|telnet_login|tftpbrute|vcms_login|vhost_scanner|vnc_login|web_vulndb|xdb_sid|xdb_sid_brute|xpath)' tmp2 | sort > tmp-msf-all

cat resource/*.rc | grep 'use' > tmp

# Print from the last /, to the end of the line
sed -e 's:.*/\(.*\):\1:g' tmp > tmp-msf-used

grep -v -f tmp-msf-used tmp-msf-all >> tmp-updates

mv tmp-updates /$user/updates
rm tmp*

echo
echo $line
echo
printf 'The new report is located at \e[1;33m%s\e[0m\n' /$user/updates
echo
echo
exit
}

##############################################################################################################

# Loop forever
while :
do

f_main

f_main(){
clear
f_banner

echo -e "\e[1;34mRECON\e[0m"
echo "1. Scrape"
echo
echo -e "\e[1;34mDISCOVER\e[0m" "- Host discovery, port scanning, service enumeration and OS"
echo "identification using Nmap, Nmap scripts and Metasploit scanners."
echo "2. Ping Sweep"
echo "3. Single IP, URL or Range"
echo "4. Local Area Network"
echo "5. List"
echo "6. CIDR Notation"
echo
echo -e "\e[1;34mWEB\e[0m"
echo "7. Open multiple tabs in Firefox"
echo "8. Nikto"
echo "9. SSL Check"
echo
echo -e "\e[1;34mMISC\e[0m"
echo "10. Crack WiFi"
echo "11. Parse salesforce"
echo "12. Start a Metasploit listener"
echo "13. Update BackTrack"
echo "14. Exit"
echo
echo -n "Choice: "
read choice

case $choice in
     1) f_recon;;
     2) f_pingsweep;;
     3) f_single;;
     4) f_lan;;
     5) f_lists;;
     6) f_cidr;;
     7) f_multitabs;;
     f_nikto;;
     9) f_sslcheck;;
     10) ./crack-wifi.sh;;
     11) f_salesforce;;
     12) f_listener;;
     13) ./update.sh && exit;;
     14) clear && exit;;
     99) f_updates;;
     *) f_error;;
esac
}

done
« Last Edit: September 04, 2013, 08:00:43 AM by kenjoe41 »
Report to moderator   Logged
If you can't explain it to a 6 year old, you don't understand it yourself.
http://upload.alpha.evilzone.org/index.php?page=img&img=GwkGGneGR7Pl222zVGmNTjerkhkYNGtBuiYXkpyNv4ScOAWQu0-Y8[<NgGw/hsq]>EvbQrOrousk[/img]

Offline sp0rk

  • Serf
  • *
  • Posts: 38
  • Cookies: -1
    • View Profile
Re: [Bash] Discovery.sh
« Reply #1 on: September 04, 2013, 03:56:09 AM »
The github link isn't working. Seeing as it's 3000 lines like you said I feel it's easier to just ask exactly what "disovery" information is being concatenated?
Report to moderator   Logged

Quote from: Kulverstukas on January 04, 2012, 05:25:50 PM
Welcome. Sit on the couch in the corner and I'll bring in the bitches.

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
    • View Profile
Re: [Bash] Discovery.sh
« Reply #2 on: September 04, 2013, 08:02:50 AM »
Quote from: sp0rk on September 04, 2013, 03:56:09 AM
The github link isn't working. Seeing as it's 3000 lines like you said I feel it's easier to just ask exactly what "disovery" information is being concatenated?
Link fixed. You really don't expect me to sweeten this brilliant morning scouring through 2928 line of bash code. Try it.
Report to moderator   Logged
If you can't explain it to a 6 year old, you don't understand it yourself.
http://upload.alpha.evilzone.org/index.php?page=img&img=GwkGGneGR7Pl222zVGmNTjerkhkYNGtBuiYXkpyNv4ScOAWQu0-Y8[<NgGw/hsq]>EvbQrOrousk[/img]

Offline m0l0ko

  • Peasant
  • *
  • Posts: 129
  • Cookies: -4
    • View Profile
Re: [Bash] Discovery.sh
« Reply #3 on: September 22, 2013, 01:05:25 AM »
How do you run it? Heres my attempts to run it:

Code: [Select]
horse@box:~$ /home/horse/ss/discovery.sh
bash: /home/horse/ss/discovery.sh: Permission denied
horse@box:~$ sudo /home/horse/ss/discovery.sh
[sudo] password for horse:
sudo: /home/horse/ss/discovery.sh: command not found
horse@box:~$ sudo sh /home/horse/ss/discovery.sh
: not found/ss/discovery.sh: 18: /home/horse/ss/discovery.sh:
: not found/ss/discovery.sh: 20: /home/horse/ss/discovery.sh:
: not found/ss/discovery.sh: 26: /home/horse/ss/discovery.sh:
: bad trap
: not found/ss/discovery.sh: 29: /home/horse/ss/discovery.sh:
: not found/ss/discovery.sh: 31: /home/horse/ss/discovery.sh:
: not found/ss/discovery.sh: 33: /home/horse/ss/discovery.sh: echo
______ ___ ______ ______ _____ _ _ ______ _____
| \ | |____ | | | \ / |_____ |____/
|_____/ _|_ _____| |_____ |_____| \/ |_____ | \_
: not found/ss/discovery.sh: 37: /home/horse/ss/discovery.sh: echo
By Lee Baird
: not found/ss/discovery.sh: 39: /home/horse/ss/discovery.sh: echo
: not found/ss/discovery.sh: 40: /home/horse/ss/discovery.sh: echo
: not found/ss/discovery.sh: 41: /home/horse/ss/discovery.sh: }
: not found/ss/discovery.sh: 42: /home/horse/ss/discovery.sh:
: not found/ss/discovery.sh: 44: /home/horse/ss/discovery.sh:
: not found/ss/discovery.sh: 46: /home/horse/ss/discovery.sh: echo
\e[0m[1;31m==================================================
: not found/ss/discovery.sh: 48: /home/horse/ss/discovery.sh: echo
-e \e[1;31m *** Invalid choice or entry. ***\e[0m
: not found/ss/discovery.sh: 50: /home/horse/ss/discovery.sh: echo
\e[0m[1;31m==================================================
sleep: invalid time interval `2\r'
Try `sleep --help' for more information.
: not found/ss/discovery.sh: 53: /home/horse/ss/discovery.sh: f_main
: not found/ss/discovery.sh: 54: /home/horse/ss/discovery.sh: }
: not found/ss/discovery.sh: 55: /home/horse/ss/discovery.sh:
: not found/ss/discovery.sh: 57: /home/horse/ss/discovery.sh:
: not found/ss/discovery.sh: 59: /home/horse/ss/discovery.sh: echo
^Chorse@box:~$ clearf your list:

horse@box:~$ bash sh /home/horse/ss/discovery.sh
/bin/sh: /bin/sh: cannot execute binary file
horse@box:~$ sudo chmod +x ./ss/discovery.sh
horse@box:~$ bash sh /home/horse/ss/discovery.sh
/bin/sh: /bin/sh: cannot execute binary file
horse@box:~$
Report to moderator   Logged

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: [Bash] Discovery.sh
« Reply #4 on: September 22, 2013, 07:05:15 AM »
@m0l0ko:
bash discovery.sh
Works fine for me.
« Last Edit: September 22, 2013, 07:06:10 AM by Deque »
Report to moderator   Logged

Offline m0l0ko

  • Peasant
  • *
  • Posts: 129
  • Cookies: -4
    • View Profile
Re: [Bash] Discovery.sh
« Reply #5 on: September 22, 2013, 02:20:38 PM »
Heres what I get:
Code: [Select]
horse@box:~/ss$ bash discovery.sh
discovery.sh: line 18: $'\r': command not found
discovery.sh: line 20: $'\r': command not found
discovery.sh: line 26: $'\r': command not found
: invalid signal specification
discovery.sh: line 29: $'\r': command not found
discovery.sh: line 31: $'\r': command not found
discovery.sh: line 32: syntax error near unexpected token `$'{\r''
'iscovery.sh: line 32: `f_banner(){
horse@box:~/ss$ bash is having problems with the same lines that sh did. Is there something I need to install before I can use this script?
« Last Edit: September 22, 2013, 02:25:15 PM by m0l0ko »
Report to moderator   Logged

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: [Bash] Discovery.sh
« Reply #6 on: September 23, 2013, 08:23:17 PM »
Looks to me like you have the wrong newline (usually happens if you have a script written on windows and try to use it on *nix systems).
Try to fix it with dos2unix.
« Last Edit: September 23, 2013, 08:23:37 PM by Deque »
Report to moderator   Logged
Pages: [1]
 



Want to be here? Contact Ande, Factionwars or Kulverstukas on the forum or at IRC.