digitalarche/ipwn
=================

Introduction

Here you will find some tools that I've created which may help you out on your next pentest. Nothing major as of yet, but there are a few cool things you might find to be pretty useful.

Unfortunately, I wasn't able to capture screenshots of me using some of these tools in networks other than my home. However, I've tried to demonstrate how they're used via screenshots and videos as much as I can.

Tools

iSMTP
=====
There have been countless times when I've needed to test for SMTP user enumeration (RCPT TO and VRFY), internal spoofing, and open relay. I've never found a tool that tested for all three with great flexibility. iSMTP does just that, making it much easier to knock that process out of the way.
- Usage screenshot #1 (user enumeration): https://dl.dropboxusercontent.com/u/2526790/iSMTP/SMTP%20User%20Enumeration.png
Usage menu:

```
 ---------------------------------------------------------------------
  SMTP v1.6 - SMTP Server Tester, Alton Johnson ([email protected])
 ---------------------------------------------------------------------

Usage: ./iSMTP.py <OPTIONS>

Required:

  -f <import file>       Imports a list of SMTP servers for testing. (Cannot use with '-h'.)
  -h <host>              The target IP and port (IP:port). (Cannot use with '-f'.)

Spoofing:

  -i <consultant email>  The consultant's email address.
  -s <sndr email>        The sender's email address.
  -r <rcpt email>        The recipient's email address.
  --sr <email>           Specifies both the sender's and recipient's email address.
  -S <sndr name>         The sender's first and last name.
  -R <rcpt name>         The recipient's first and last name.
  --SR <name>            Specifies both the sender's and recipient's first and last name.
  -m                     Enables SMTP spoof testing.
  -a                     Includes .txt attachment with spoofed email.

SMTP enumeration:

  -e <file>              Enables SMTP user enumeration testing and imports email list.
  -l <1|2|3>             Specifies enumeration type (1 = VRFY, 2 = RCPT TO, 3 = all). (Default is 3.)

SMTP relay:

  -i <consultant email>  The consultant's email address.
  -x                     Enables SMTP external relay testing.

Misc:

  -t <secs>              The timeout value. (Default is 10.)
  -o                     Creates "ismtp-results" directory and writes output to ismtp-results/smtp_<service>_<ip>(port).txt

Note: Any combination of options is supported (e.g., enumeration, relay, both, all, etc.).
```


iWebAudit
=========
Many times on an internal penetration test you run across numerous web servers that you don't care about. Instead of opening every web server to see what it is, iWebAudit will scan a list of web servers and grab all their titles. Because it reads only a small part of each server's response, reporting just the titles is much faster.
Usage menu:

```
------------------------------------------------------------------------------
 iWebAudit v1.5 - Web Page Title Analyzer, Alton Johnson ([email protected])
------------------------------------------------------------------------------

 Usage: iWebAudit -f <file> -o <output file> -v -h -t 5

   -f <file>   Supports list of IPs and/or http[s]:// formatted IPs.
   -o <file>   Outputs the results to a file of your choice.
   -h          Enables HTTP PUT Method Discovery. (optional)
   -t <secs>   Sets default timeout. Default is 5. (optional)
   -v          Displays details as script runs. (optional)
```
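The bounded-read idea behind the title grab is worth seeing on its own: parse only a prefix of each response body, stop at the first `</title>`, and group hosts by title so duplicate appliances collapse into one line of a report. The block below is an added example, not iWebAudit's code; the three HTTP responses are constructed, and the 4096-byte limit is an assumption.

```python
"""Extract page titles from raw HTTP responses while reading only a bounded
prefix of each body, then group hosts by title for quick triage.

Added example, not iWebAudit's code.  The responses are constructed and the
body limit is an assumption; a title that sits past the limit is reported as
"(no title)", which is the trade-off of reading only a little of each reply.
"""
import re
from collections import defaultdict
from html.parser import HTMLParser

# Constructed responses: two printers with the same title, one page without a <head>.
SAMPLE_RESPONSES = {
    "10.0.0.5": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
                 b"<html><head>\n<title>\n  Printer  Admin\n</title></head><body>...</body></html>"),
    "10.0.0.6": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body>no head here</body></html>"),
    "10.0.0.7": (b"HTTP/1.1 401 Unauthorized\r\nContent-Type: text/html; charset=ISO-8859-1\r\n\r\n"
                 b"<html><head><title>Printer Admin</title></head></html>"),
}


class _TitleParser(HTMLParser):
    """Collect the text of the first <title> element and remember when it closed."""

    def __init__(self):
        super().__init__()
        self.in_title = False
        self.title = None

    def handle_starttag(self, tag, attrs):
        if tag == "title" and self.title is None:
            self.in_title = True
            self.title = ""

    def handle_data(self, data):
        if self.in_title:
            self.title += data

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False


def extract_title(raw_response, max_body_bytes=4096):
    """Return {"status": code, "title": text} from a raw HTTP response, decoding
    at most max_body_bytes of the body; None if the response has no header block."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        return None
    headers = head.decode("iso-8859-1").split("\r\n")
    parts = headers[0].split()
    status = parts[1] if len(parts) > 1 else "?"
    charset = "utf-8"  # default when Content-Type names none
    for h in headers[1:]:
        name, _, value = h.partition(":")
        if name.strip().lower() == "content-type":
            m = re.search(r"charset=([\w-]+)", value, re.I)
            if m:
                charset = m.group(1)
    parser = _TitleParser()
    parser.feed(body[:max_body_bytes].decode(charset, errors="replace"))
    parser.close()
    title = " ".join(parser.title.split()) if parser.title else "(no title)"
    return {"status": status, "title": title}


def group_by_title(responses, max_body_bytes=4096):
    """Map each title to the sorted hosts that served it, so identical devices collapse."""
    groups = defaultdict(list)
    for host in sorted(responses):
        info = extract_title(responses[host], max_body_bytes)
        groups[info["title"] if info else "(unparseable)"].append(host)
    return dict(groups)


if __name__ == "__main__":
    for title, hosts in group_by_title(SAMPLE_RESPONSES).items():
        print(f"{title:20} {', '.join(hosts)}")
```

Collapsing whitespace inside the title matters in practice, since many embedded devices emit the title across several lines, and honouring the declared charset avoids mojibake on older appliances that still serve ISO-8859-1.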

pyFoca
======
If you're familiar with the Windows FOCA application, this is basically a Python version of it. pyFoca uses Google to discover files with extensions such as .pdf, .xls, .doc, etc. and downloads them. Once downloaded, it extracts all metadata, which in many cases includes usernames you can use for password attacks.
Usage menu:

```
 -------------------------------------------------------------------------------
  pyfoca v1.6 - Document Metadata Extractor, Alton Johnson ([email protected])
 -------------------------------------------------------------------------------

Usage: ./pyfoca.py <OPTIONS>

Domain options:

-d <domain>            Harvests all documents from a domain (saves to pyfoca-downloads/).
                       Afterwards, extracts metadata.

Parse file/dir:

-f <file>              Extracts metadata specifically from one file. (Cannot use with '-d')
-w <dir>               Extracts metadata from files within specified directory. (Cannot use with '-d')

Foca Export Parsing:

-r <directory>         Parses data exported from FOCA. Provide directory containing exported files.

Misc:

-x                     After parsing metadata, delete files downloaded from the domain.
-e <pdf|doc|xls|all>   Search based on provided extension(s). Separate with comma. (Default is all.)
-p <number>            Searches x amount of google pages (per extension). (Default is 2.)
-t <secs>              Sets timeout value. (Default is 5.)
-v                     Prints status messages for files that are downloaded.

Supported extensions are: .pdf, .doc, .docx, .xls, .xlsx, and .ppt
Example: ./pyfoca.py -d www.domain.com -e pdf,doc -p 3
```


smbspider
=========
smbspider is pretty smart when it comes to spidering Windows systems on internal networks. Once you get your hands on some credentials, you can pass them around with smbspider to try spidering systems that the user account has access to. In many cases, you'll quickly find all types of sensitive data sitting on employees' workstations.
- Menu: https://dl.dropboxusercontent.com/u/2526790/smbspider/smbspiderpy.png
- Script usage screenshot #1: https://dl.dropboxusercontent.com/u/2526790/smbspider/whole_output.png
- Usage video: http://www.youtube.com/watch?v=skVZwynHECw
Usage menu:

```
 ************************************************************
 *                  _                                         *
 *                 | |       //  \\                           *
 *    ___ _ __ ___ | |__    _\\()//_                        *
 *   / __| '_ ` _ \| '_ \  / //  \\ \                       *
 *   \__ \ | | | | | |_) |   |\__/|                         *
 *   |___/_| |_| |_|_.__/                                   *
 *                                                          *
 * SMB Spider v2.4, Alton Johnson ([email protected])      *
 ************************************************************

 Usage: /root/scripts/ipwn/smbspider.py

 Target(s) (required):

   -h    Provide IP address or a text file containing IPs.
         Supported formats: IP, smb://ip/share, \\ip\share\

 Credentials (required):

   -u    Specify a valid username to authenticate to the system(s).
   -p    Specify the password which goes with the username.
   -P    Use -P to provide password hash if cleartext password isn't known.
   -d    If using a domain account, provide domain name.

 Shares (optional):

   -s    Specify shares (separate by comma) or specify "profile" to spider user profiles.
   -f    Specify a list of shares from a file.

 Other (optional):

   -w    Avoid verbose output. Output successful spider results to smbspider_host_share_user.txt.
         This option is HIGHLY recommended if numerous systems are being scanned.
   -n    ** Ignore authentication check prior to spidering.
   -g    Grab (download) files that match strings provided in text file. (Case sensitive.)
         ** Examples: *assword.doc, *assw*.doc, pass*.xls, etc.
```


SMSpam
======
This was my first Python script. I created this simple script when someone pissed me off by continuously playing on my phone. They quickly revealed their identity after approximately 50 text messages in about 10 seconds :).
Usage menu:

```
===================================================
 SMSpam v1.0 created by Alton ([email protected])
===================================================
	-r: Recipient to send an email to.
	-u: Gmail username (include @gmail.com).
	-p: Password to login to gmail with.
	-m: Message to send to user.
	-s: Subject for the email.
	-n: How many times you want to send this email.
```

Nmap Parser
===========
If you have tons of Nmap results and want to look at them in a pretty table, check out this Nmap result parser.
- Usage screenshot #2: https://dl.dropboxusercontent.com/u/2526790/nmap_parser1.png
Usage menu:

```
 ------------------------------------------------------------------------
  nmapparse 1.0 - Nmap Output Parser, Alton Johnson ([email protected])
 ------------------------------------------------------------------------

 Usage: ./nmapparse.py results.gnmap

 Note: This script must point to a grepable output file from nmap to work properly.
```

Nmap Scrape
===========
This script takes Nmap's grepable output and creates one text file per port (filename = port number) containing the IP addresses that have that port open. For example, it'll create an 80.txt file listing every IP with port 80 open. See the screenshots for a better understanding.
- Usage screenshot #2: https://dl.dropboxusercontent.com/u/2526790/nmapscrape1.png
Usage menu:

```
 ----------------------------------------------------
 Nmap Parser v1.0, Alton Johnson ([email protected])
 ----------------------------------------------------

Usage: nmapscrape.py <gnmap file>
```
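Both Nmap Parser and Nmap Scrape work from the same grepable (`-oG`) format, so one parser serves the two jobs described above: a per-host table of open ports, and per-port lists of the hosts exposing each port. The block below is an added example, not the repository's nmapparse.py or nmapscrape.py; the scan output it parses is constructed in the `.gnmap` layout (`Host: ip (name)` followed by tab-separated `Status:` / `Ports:` fields, each port entry being `port/state/proto/owner/service/rpcinfo/version/`).

```python
"""Parse Nmap grepable output into a host table and per-port host lists.

Added example, not the repository's nmapparse.py or nmapscrape.py.  The input
is constructed in the .gnmap format; splitting port entries on ", " assumes
version strings contain no comma, which is fine for a quick inventory.
"""
import os
import re
from collections import defaultdict

# Constructed sample scan: two hosts up, one down, a filtered port to ignore.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/\tIgnored State: closed (998)
Host: 10.0.0.2 (fileserver.corp)\tStatus: Up
Host: 10.0.0.2 (fileserver.corp)\tPorts: 445/open/tcp//microsoft-ds///, 80/open/tcp//http///, 23/filtered/tcp//telnet///
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:01:00 2024 -- 8 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, state, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and blanks
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                parts = item.strip().split("/")
                if len(parts) < 7:
                    continue  # malformed entry, skip rather than crash
                entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def hosts_by_open_port(hosts, proto="tcp"):
    """What nmapscrape produces: open port number -> sorted list of IPs exposing it."""
    by_port = defaultdict(set)
    for ip, entry in hosts.items():
        for port, state, p, _service, _version in entry["ports"]:
            if state == "open" and p == proto:
                by_port[port].add(ip)
    return {port: sorted(ips) for port, ips in by_port.items()}


def write_port_files(by_port, directory):
    """Write <port>.txt files, one IP per line, into `directory`."""
    os.makedirs(directory, exist_ok=True)
    for port, ips in by_port.items():
        with open(os.path.join(directory, f"{port}.txt"), "w") as fh:
            fh.write("\n".join(ips) + "\n")


def format_table(hosts):
    """What nmapparse produces: a fixed-width table of open ports per host."""
    header = ("IP", "Hostname", "Port", "Service", "Version")
    rows = []
    for ip in sorted(hosts, key=lambda a: tuple(int(x) for x in a.split("."))):
        for port, state, proto, service, version in hosts[ip]["ports"]:
            if state == "open":
                rows.append((ip, hosts[ip]["hostname"] or "-", f"{port}/{proto}",
                             service or "-", version or "-"))
    widths = [max(len(r[i]) for r in [header] + rows) for i in range(len(header))]
    return "\n".join("  ".join(c.ljust(widths[i]) for i, c in enumerate(row))
                     for row in [header] + rows)


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print(format_table(parsed))
    print(hosts_by_open_port(parsed))
```

Filtering on `state == "open"` is what keeps a filtered telnet port out of 23.txt; if you want the closed/filtered detail for a firewall review, keep the full tuple from `parse_gnmap` instead of the per-port lists.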


Java Updater (for Kali Linux)
----------
Eventually I just got tired of referring to Google and Kali's forums to update Java within Kali. I decided to play around with a script to do this automatically, and it came out well. Just run the script and Java is updated. It also makes sure Java works with Google Chrome so you don't have to.

Example of output for an already up-to-date Java version:

```
root@kali:# ./java-update.py

Updating Java.
[*] Installed version: 7.51
[*] Latest version: 7.51
[*] Already up-to-date.
[*] Checking if Google Chrome exists.
[*] Java already configured to work with Google Chrome.
```

Example of output for an outdated Java version:

```
root@kali:# ./java-update.py

Updating Java.
[*] Installed version: 6.27
[*] Latest version: 7.51
[*] Old version detected. Performing Java update.
[*] Downloading Java update: jdk-7u51-linux-i586.tar.gz [size: 132.98 MB]
[*] Download complete.
[*] Extracting archive.
[*] Extraction complete.
[*] Updating alternatives.
[*] Alternatives updated.
[*] Checking if Google Chrome exists.
[*] Java already configured to work with Google Chrome.
[*] Java update complete. Verify with java -version.

root@kali:# java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) Client VM (build 24.51-b03, mixed mode)
```

Nmap Scrape (Ruby)
==================
Usage menu:

```
 Nmap Parser v2.0, Alton Johnson ([email protected])

Usage: nmapscrape.rb <gnmap file>
```
