Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ssstonebraker/Pentest-Service-Enumeration
Suggests programs to run against services found during the enumeration phase of a Pentest
- Host: GitHub
- URL: https://github.com/ssstonebraker/Pentest-Service-Enumeration
- Owner: ssstonebraker
- License: gpl-3.0
- Created: 2020-05-24T04:09:22.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2023-08-30T20:01:45.000Z (about 1 year ago)
- Last Synced: 2024-07-21T16:43:19.044Z (4 months ago)
- Topics: enumeration-phase, oscp, oscp-tools, pentest, pentest-service-enumeration, privilege-escalation, privilege-escalation-linux
- Language: Shell
- Homepage:
- Size: 82 KB
- Stars: 95
- Watchers: 4
- Forks: 21
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-cybersec - Service Enumeration
README
# Pentest-Service-Enumeration
## Purpose
Suggests binaries to run against services found during the enumeration phase of a Pentest
## Background
While studying for the Offensive Security Certified Professional (OSCP) and Offensive Security Web Assessor (OSWA) certifications, I found it hard to keep track of which commands to run during the enumeration phase for specific services. The purpose of this tool is to make those commands easy to keep track of.
# Install Instructions
```
git clone https://github.com/ssstonebraker/Pentest-Service-Enumeration
cd Pentest-Service-Enumeration
./install.sh
```
# Basic Usage
To view basic usage just type:
```
pse
```
This lists the available services and gives an example of how to use the program:
```
[Pentest Service Enumeration: 0.0.3]
- Pentest command reference via the cli
----------------------------------------------------------------------------------------------------
Available Services
[*] dns
[*] ftp
[*] hashcat
[*] http
[*] ldap
[*] linpriv
[*] mimikatz
[*] nfs
[*] rpc
[*] searchsploit
[*] smb
[*] smtp
[*] snmp
[*] sql
[*] ssh
[*] sudo
[*] tcpdump
[*] webdav
[*] wfuzz
----------------------------------------------------------------------------------------------------
Return command references for a service
Usage: pse <service>
Examples
[*] pse ftp
[*] pse wfuzz
[*] pse smb
----------------------------------------------------------------------------------------------------
Help: pse -h
```
# Listing commands for a service
```
pse <service>
```
## Example:
List commands to run with smb
```
# pse smb
----------------------------------------------------------------------------------------------------
connect to remote smb share as null user
[*] smbclient "//$IP/$SHARE_NAME" -U ""
----------------------------------------------------------------------------------------------------
Create a destination mount directory, mount remote share as guest
[*] sudo mkdir /mnt/${IP}_$FOLDER; sudo mount -v -t cifs "//$IP/$FOLDER" /mnt/${IP}_$FOLDER -o username=guest
----------------------------------------------------------------------------------------------------
Launch a semi-interactive shell
[*] smbexec.py $HOST/$USERNAME:$PASSWORD@$IP
----------------------------------------------------------------------------------------------------
List smb shares using a null session
[*] smbclient -L $IP -N
----------------------------------------------------------------------------------------------------
ngrep samba version while connecting via smbclient
[*] export INTERFACE="tun0"; sudo ngrep -i -d $INTERFACE 's.?a.?m.?b.?a.*[[:digit:]]'
----------------------------------------------------------------------------------------------------
Recursive directory listing
[*] smbmap -H $IP -R
----------------------------------------------------------------------------------------------------
Scan IP Address for SMB Pipe Names
[*] pipef -a $IP
----------------------------------------------------------------------------------------------------
```
List commands to run with wfuzz
```
# pse wfuzz
[Pentest Service Enumeration: 0.0.3]
----------------------------------------------------------------------------------------------------
Command injection
[*] URL="http://target:80/php/blocklisted.php?ip=127.0.0.1FUZZ"; wfuzz -c -z file,/home/kali/command_injection_custom.txt --hc 404 "$URL"
----------------------------------------------------------------------------------------------------
Directory Discovery (medium) - ignore 404, 301
[*] URL="http://target/FUZZ";FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,301 "$URL"
----------------------------------------------------------------------------------------------------
Directory Discovery (medium) - ignore 404, 403, 301
[*] URL="http://target/FUZZ"; FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,403,301 "$URL"
----------------------------------------------------------------------------------------------------
File discovery
[*] URL="http://target/FUZZ";wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt --hc 301,404,403 "$URL"
----------------------------------------------------------------------------------------------------
POST data fuzzing (password cracking)
[*] URL="http://target:80/wp-login.php"; wfuzz -c -z file,/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --hc 404 -d "log=admin&pwd=FUZZ" "$URL"
----------------------------------------------------------------------------------------------------
Param name fuzzing (find hidden params)
[*] export URL="http://target:80/index.php?FUZZ=data"; wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 404,301 "$URL"
----------------------------------------------------------------------------------------------------
Param value fuzzing (usernames)
[*] URL="http://target:80/index.php?fpv=FUZZ"; wfuzz -c -z file,/usr/share/seclists/Usernames/cirt-default-usernames.txt --hc 404 "$URL"
```
# Adding commands for a service
## File Structure
Services are text files located at:
```
$HOME/.pse/
```
Every command you want returned should be on its own line, in the format:
```
description:command
```
## Example Service
File: ```$HOME/.pse/nfs```
Content:
```
show available nfs mounts:showmount -e $IP
mount a nfs share:export IP=10.11.1.72; sudo mkdir -p /mnt/$IP/home && sudo mount -t nfs $IP:/home /mnt/$IP/home
```
## STORING A NEW COMMAND WITH ARGUMENTS
Edit the corresponding service file in ```$HOME/.pse/``` (e.g. ```$HOME/.pse/smb``` or ```$HOME/.pse/dns```). If you want to add a new service, create a file at ```$HOME/.pse/foo```.
### Example: Create documentation for curl
To add curl as a service for pse:
1. Create file ```$HOME/.pse/curl```
2. Add one line per command you want saved, in the format:
```
description:command
```
Example content for file ```$HOME/.pse/curl```:
```
Return help content:curl -h
Run curl in verbose mode:curl -v
```
Now when you run the command ```pse curl```:
```
[Pentest Service Enumeration: 0.0.3]
----------------------------------------------------------------------------------------------------
Return help content
[*] curl -h
----------------------------------------------------------------------------------------------------
Run curl in verbose mode
[*] curl -v
----------------------------------------------------------------------------------------------------
```
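The following is an added example and not the project's own `pse` or `install.sh` code: a minimal POSIX shell stand-in for the lookup described in the two sections above, reading a service file in the `description:command` format and printing each entry the way `pse <service>` does. It assumes a directory `PSE_DIR` (a temporary directory here instead of `$HOME/.pse/`) and a constructed `curl` service file; the function names `pse_list`, `pse_show` and `pse_cmd` belong to this example, not to the tool. The detail worth checking is the split: stored commands routinely contain colons (the wfuzz entries above carry `http://target:80`), so the parser has to split on the first colon only, which in turn means a description cannot itself contain a colon. Whether the real tool handles blank or colon-free lines the same way is an assumption.

```shell
#!/bin/sh
# Added example, not the project's own pse/install.sh code.
# Assumption: PSE_DIR holds one file per service (the real tool uses $HOME/.pse/);
# a temporary directory is used here so the example runs without touching $HOME.
PSE_DIR="${PSE_DIR:-$(mktemp -d)}"

# Constructed sample service file. The second command contains colons
# (a URL with a port), so the parser must split on the FIRST colon only.
# The blank line is deliberate, to show it is skipped.
cat > "$PSE_DIR/curl" <<'EOF'
Return help content:curl -h
Fetch a URL with a custom Host header:URL="http://target:8080/"; curl -s -H "Host: internal" "$URL"

Run curl in verbose mode:curl -v
EOF

# pse_list: print every service name (one file per service), like the
# "Available Services" section of the tool's banner.
pse_list() {
    for f in "$PSE_DIR"/*; do
        if [ -f "$f" ]; then
            printf '[*] %s\n' "$(basename "$f")"
        fi
    done
    return 0
}

# pse_show SERVICE: print each description/command pair in the banner
# style shown above. Returns 1 if the service file does not exist.
pse_show() {
    file="$PSE_DIR/$1"
    if [ ! -f "$file" ]; then
        printf 'No service file: %s\n' "$file" >&2
        return 1
    fi
    # The "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '')  continue ;;                 # blank line: skip silently
            *:*) ;;                          # well-formed description:command
            *)   printf 'Skipping line without a colon: %s\n' "$line" >&2
                 continue ;;
        esac
        desc="${line%%:*}"   # text before the first colon
        cmd="${line#*:}"     # everything after the first colon, later colons kept
        printf '%s\n%s\n[*] %s\n' \
            '----------------------------------------------------------------------------------------------------' \
            "$desc" "$cmd"
    done < "$file"
    return 0
}

# pse_cmd SERVICE N: print only the command stored on line N, so a caller
# can check exactly what would be run. Returns 1 if there is no such command.
pse_cmd() {
    file="$PSE_DIR/$1"
    [ -f "$file" ] || return 1
    line=$(sed -n "${2}p" "$file")
    case "$line" in
        *:*) printf '%s\n' "${line#*:}" ;;
        *)   return 1 ;;
    esac
}

pse_list
pse_show curl
```

Run it as a script and the output matches the `pse curl` banner above, with the URL command printed intact. If you keep the real tool, the same check applies: add an entry whose command contains a colon, run `pse <service>`, and confirm the command is not truncated before saving anything more elaborate.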