Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ssstonebraker/Pentest-Service-Enumeration
Suggests programs to run against services found during the enumeration phase of a Pentest
https://github.com/ssstonebraker/Pentest-Service-Enumeration
enumeration-phase oscp oscp-tools pentest pentest-service-enumeration privilege-escalation privilege-escalation-linux
Last synced: 26 days ago
JSON representation
Suggests programs to run against services found during the enumeration phase of a Pentest
- Host: GitHub
- URL: https://github.com/ssstonebraker/Pentest-Service-Enumeration
- Owner: ssstonebraker
- License: gpl-3.0
- Created: 2020-05-24T04:09:22.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2023-08-30T20:01:45.000Z (over 1 year ago)
- Last Synced: 2024-08-03T18:16:25.798Z (4 months ago)
- Topics: enumeration-phase, oscp, oscp-tools, pentest, pentest-service-enumeration, privilege-escalation, privilege-escalation-linux
- Language: Shell
- Homepage:
- Size: 82 KB
- Stars: 95
- Watchers: 4
- Forks: 21
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-cybersec - Service Enumeration
README
# Pentest-Service-Enumeration
## Purpose
Suggests binaries to run against services found during the enumeration phase of a Pentest## Background
While studying for the Offensive Security Certified Profesional (OSCP) and Offensive Security Web Assessor (OSWA) certifications I found it hard to keep track of which commands to run during the enumeration phase for specific services.The purpose of this tool is easily keep track of those commands.
# Install Instructions
```
git clone https://github.com/ssstonebraker/Pentest-Service-Enumeration
cd Pentest-Service-Enumeration
./install.sh
```# Basic Usage
To view basic usage just type:
```
pse
```
This will list out the available services and give an example of how to use the program
```
[Pentest Service Enumeration: 0.0.3]
- Pentest command reference via the cli
----------------------------------------------------------------------------------------------------
Available Services
[*] dns
[*] ftp
[*] hashcat
[*] http
[*] ldap
[*] linpriv
[*] mimikatz
[*] nfs
[*] rpc
[*] searchsploit
[*] smb
[*] smtp
[*] snmp
[*] sql
[*] ssh
[*] sudo
[*] tcpdump
[*] webdav
[*] wfuzz
----------------------------------------------------------------------------------------------------
Return command references for a service
Usage: pseExamples
[*] pse ftp
[*] pse wfuzz
[*] pse smb----------------------------------------------------------------------------------------------------
Help: pse -h
```
# Listing commands for a service
```
pse
```
## Example:
List commands to run with smb
```
# pse smb----------------------------------------------------------------------------------------------------
connect to remote smb share as null user
[*] smbclient "//$IP/$SHARE_NAME" -U ""
----------------------------------------------------------------------------------------------------
Create a destination mount directory, mount remote share as guest
[*] sudo mkdir /mnt/$IP_$FOLDER; sudo mount -v -t cifs "//$IP/$FOLDER" /mnt/$IP_$FOLDER -o username=guest
----------------------------------------------------------------------------------------------------
Launch a semi-interactive shell
[*] smbexec.py $HOST/$USERNAME:$PASSWORD@$IP
----------------------------------------------------------------------------------------------------
List smb share files using a null user
[*] smbclient -L $IP -U -N
----------------------------------------------------------------------------------------------------
ngrep samba version while connecting via smbclient
[*] export INTERFACE="tun0"; sudo ngrep -i -d $INTERFACE 's.?a.?m.?b.?a.*[[:digit:]]'
----------------------------------------------------------------------------------------------------
Recursive directory listing
[*] smbmap -H $ip -R
----------------------------------------------------------------------------------------------------
Scan IP Address for SMB Pipe Names
[*] pipef -a $IP
----------------------------------------------------------------------------------------------------
```List commands to run with wfuzz
```
# pse wfuzz[Pentest Service Enumeration: 0.0.3]
----------------------------------------------------------------------------------------------------
Command injection
[*] URL="http://target:80/php/blocklisted.php?ip=127.0.0.1FUZZ"; wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 "$URL"
----------------------------------------------------------------------------------------------------
Directory Discovery (medium) - ignore 404, 301
[*] URL="http://target/FUZZ";FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,301 "$URL"
----------------------------------------------------------------------------------------------------
Directory Discovery (medium) - ignore 404, 403, 301
[*] URL="http://target/FUZZ"; FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,403,301 "$URL"
----------------------------------------------------------------------------------------------------
File discovery
[*] URL="http://target/FUZZ";wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt --hc 301,404,403 "$URL"
----------------------------------------------------------------------------------------------------
POST data fuzzing (password cracking)
[*] URL="http://target:80/wp-login.php" wfuzz -c -z file,/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --hc 404 -d "log=admin&pwd=FUZZ" "$URL"
----------------------------------------------------------------------------------------------------
Param value fuzzing (find hidden params)
[*] export URL="http://target:80/index.php?FUZZ=data";wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 404,301 "$URL"
----------------------------------------------------------------------------------------------------
Param value fuzzing (usernames)
[*] URL="http://target:80/index.php?fpv=FUZZ"; wfuzz -c -z file,/usr/share/seclists/Usernames/cirt-default-usernames.txt --hc 404 "$URL"
```# Adding commands for a service
## File Structure
Services are text files located at:
```
$HOME/.pse/
```
Every command you want to return should be on a separate line in the format:
```
description:command
```## Example Service
File: ```$HOME/.pse/nfs```Content:
```
show available nfs mounts:showmount -e $IP
mount a nfs share:export IP=10.11.1.72; sudo mkdir -p /mnt/$IP/home && sudo mount -t nfs $IP:/home /mnt/$IP/home
```## STORING A NEW COMMAND WITH ARGUMENTS
Edit corresponding service file at ```$HOME/.pse/``` (e.g. ```$HOME/.pse/smb``` or ```$HOME/.pse/dns```)If your want to add a new service, create a file at ```$HOME/.pse/foo```
### Example: Create documentation for curl
To add curl as a service for pse:
1. Create file ```$HOME/.pse/curl```
2. Add one line per command you want saved in format:```
:
```Example content for file ```$HOME/.pse/curl```:
```
Return help content:curl -h
Run curl in verbose mode:curl -v
```Now when you run command ```pse curl```:
```
[Pentest Service Enumeration: 0.0.3]
----------------------------------------------------------------------------------------------------
Return help content
[*] curl -h
----------------------------------------------------------------------------------------------------
Run curl in verbose mode
[*] curl -v
----------------------------------------------------------------------------------------------------
```