Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Elymaro/rootscan
Speed up your pentest enumeration
https://github.com/Elymaro/rootscan
active-directory audit bash enumeration hacking kerberos ldap linux pentest rdp security smb snmp windows
Last synced: 1 day ago
JSON representation
Speed up your pentest enumeration
- Host: GitHub
- URL: https://github.com/Elymaro/rootscan
- Owner: Elymaro
- License: mit
- Created: 2024-08-13T01:31:27.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2024-09-23T16:19:59.000Z (4 months ago)
- Last Synced: 2024-09-26T01:52:38.364Z (4 months ago)
- Topics: active-directory, audit, bash, enumeration, hacking, kerberos, ldap, linux, pentest, rdp, security, smb, snmp, windows
- Language: Shell
- Homepage:
- Size: 690 KB
- Stars: 77
- Watchers: 1
- Forks: 10
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# RootScan
The aim of this script is to help and speed up the recognition phase in pentesting, although it is still necessary to carry out a more in-depth search manually.
Key features:
- **HTML report**: Scans ports and generates nmap reports in HTML format for easy reading.
- **Port filtering**: IPs with similar port opened are automatically recorded in a a same file (161.txt, 88.txt..).
- **Attack automation**: If machines are vulnerable, the tool automatically launches the Responder and NTLMRelayx.
- **Integrated Manspider**: Runs Manspider on machines with port 445 open to search for sensitive keywords (only available in NTLM mode).
- **Proxychains support**: Option to use proxychains available at start-up.
- **Kerberos support** : Automated support for NTLM and Kerberos
Some elements can be modified on the targets (only in the SMB function). If this is the case, orange information will be displayed and the recovery commands will be written to a modifs.txt file. The -r option will be used to execute all of them in order to clean up the actions performed.
### Installation
```
git clone https://github.com/Elymaro/rootscan.git
cd rootscan ; chmod +x rootscan.sh
```
### Installation dependencies
```
chmod +x install.sh && ./install.sh
```
### Usage :
For the first start of a projet, you must use option **-f** or at least **-s nmap_fast**
Full enumeration with "b.robinson" acount on the 192.168.1.0/26 network
```
./rootscan.sh -o LAB001 -i eth0 -t 192.168.1.0/26 -u "b.robinson" -p "Kebxj6urt0o" -f
```
Enumeration with "b.robinson" account and his NT Hash. Script will try to enumerate on functions : "nmap_fast" and "smb"
```
./rootscan.sh -o LAB001 -i eth0 -t 192.168.1.17/32 -u "b.robinson" -H "08CFA7DDB10EB084FAC1CB72152B1E95" -s nmap_fast,smb
```
Full enumeration with "anonymous:anonymous" login expect on function "snmp" and "ldap"
```
./rootscan.sh -o LAB001 -i eth0 -t 192.168.1.17/32 -e snmp,ldap
```
Depending on the functions chosen, the script will attempt to dig down and retrieve as much data as possible.
For example SMB:
- Automatic NTLM / Kerberos support
- Attempt to connect in anonymous mode
- Connection attempt in guest mode
- Attempt to connect using the credentials provided
- Users extraction
- Shares discovery
- Exploitation of LSA / SAM / RDP activation / Defender deactivation / impersonate
- ...
The script will also attempt to recover the most popular exploits/misconfigurations such as :
- ms17-010
- zerologon
- petitpotam
- nopac
- spooler
- install_elevated
- gpp_password
- gpp_autologin
- ...
### Options
```
Usage: ./rootscan.sh -o ProjectName -i Interface -t rangeIP [-u Username [-p Password | -n NT_Hash]] [-f | -e nmap_fast | -s smb,vnc] [-m [basic | no-ping]]
Options:
-o Project name (output directory)
-i Network interface
-t IP range (e.g., 192.168.0.0/24,192.168.1.128/27). /32 must be used for individual IP addresses.
-u Username (optional)
-p Password (optional, either Password or NT_Hash must be provided, can be empty)
-H NTLM Hash (optional, either Password or NT_Hash must be provided, can be empty)
-f Execute all functions
-e Execute all functions, but exclude specific functions (-e rdp,winrm)
-s Select specific functions (-s rdp,winrm)
-m Discovery mode : basic=ARP+ping(faster)(Default mode) ; no-ping=no ping requests on machines(slower but more accurate)
-M Modifications or alerts on target systems (e.g., LSA, SAM, NTDS extraction, RDP enabling, Kerberoasting) will not be performed
-r Restore modifications
-h Display help
Available functions:
- nmap_fast : Ports scan, Service versions scan (need to be done at least 1 time at the begin of a project)
- relay : Responder + NTLMRelayx
- manspider : Search sensitive elements (password, username, .. etc) on SMB Shares
- vulns : ms17-010, nopac, zerologon, MSOL creds, GPP_autologin, GPP_password, ...
- ftp : FTP enumeration
- ssh : SSH enumeration
- winrm : WinRM enumeration
- rdp : RDP enumeration
- smtp : SMTP enumeration
- nfs : NFS enumeration
- vnc : VNC enumeration
- zt : Zone Transfer DNS
- printers : Looking for printers
- snmp : Looking for SNMP public communities
- ldap : Anonymous LDAP
- ipmi : IPMI enumeration
- mssql : MSSQL authentication
- smb : anonymous auth., guest auth., shares, users, lsa, dpapi, rdp session ..
- asp : Try ASRepRoasting Attack
- users : Get-ADUsers
- krb : Try Kerberoasting Attack
- web : Try to identify web services
- nmap_full : Deep Nmap
```
### Exemple HTML report
## Contributors
- [O.B. E](https://www.linkedin.com/in/omar-badis-elaffifi/)
- [SAFEIT CONSULTING](https://www.linkedin.com/company/safeit-consulting/)
## Tools
- [fortra](https://github.com/fortra) - impacket
- [Pennyw0rth](https://github.com/Pennyw0rth) NetExec
- [ropnop](https://github.com/ropnop) - Kerbrute
- [blacklanternsecurity](https://github.com/blacklanternsecurity/MANSPIDER) - Manspider