Suggests binaries to run against services found during the enumeration phase of a Pentest
While studying for the Offensive Security Certified Professional (OSCP) and Offensive Security Web Assessor (OSWA) certifications, I found it hard to keep track of which commands to run during the enumeration phase for specific services (and how to run them).
Eventually I transitioned to a full-time pentester role and found the problem only got worse.
The purpose of this tool is to make it easy to keep track of those commands.
To install:
```
git clone https://github.com/ssstonebraker/Pentest-Service-Enumeration
cd Pentest-Service-Enumeration
./install.sh
```
To view basic usage, just type:
```
pse
```
This lists the available services and shows examples of how to use the program:
```
Pentest Service Enumeration (PSE) v2.0
DESCRIPTION:
Store and retrieve pentest commands organized by service type.
Now supports port-based service discovery.
USAGE:
pse [OPTIONS] <service_name|port>
pse [OPTIONS]
OPTIONS:
-h, --help Show this help message
-l, --list List available services with ports
-s, --short <service> Show service commands without descriptions
-e, --edit <service> Edit service file
-c, --create <service> Create new service file
-d, --delete <service> Delete service file
-r, --search <term> Search for term in all service files
EXAMPLES:
pse smb # Show SMB commands
pse ldap # Show LDAP commands
pse 445 # Show services using port 445/tcp (TCP assumed)
pse 53/udp # Show all services using port 53 on UDP
pse 53/all # Show all services using port 53 on UDP or TCP
pse -s ldap # Show LDAP commands (short mode)
pse -e smb # Edit SMB service file
pse -c custom_service # Create new service file
pse -d smb # Delete SMB service file
pse -r "nmap" # Search for "nmap" in all services
pse -l # List all available services with ports
CONFIGURATION:
Service files: /root/.pse
SERVICE FILE FORMAT:
#PORTS:port[/protocol],port[/protocol]
Description:Command
Example:
#PORTS:445/tcp,139/tcp,137/udp,138/udp
List SMB shares:smbclient -L $IP -U "" -N
Mount SMB share:sudo mount -t cifs //$IP/share /mnt/share
[*] Available services in /root/.pse:
--------------------------------------------------------------------------------
adcs [389/tcp,636/tcp,88/tcp,88/udp] Dump all CAs and Templates
dns [53/tcp,53/udp,5353/udp] nmap discover host services using multicast dns (m...
ftp [21/tcp,20/tcp,2121/tcp] Brute Force FTP for a specific username
http [80/tcp,443/tcp,8080/tcp,8443/tcp,8000/tcp,8888/tcp] [dotdotpwn] - Directory Traversal Linux - dotdotpw...
kerberos kerbrute - User enumeration (requires wordlist)
ldap [389/tcp,636/tcp,3268/tcp,3269/tcp] [ldapdomaindump] - Dump information about a domain...
linpriv See what can be ran as root
mimikatz List all commands for module sekurlsa
mssql [1433/tcp,1434/udp] test single sql server connection, local authentic...
nfs [111/tcp,111/udp,2049/tcp,2049/udp] show available nfs mounts
nmap initial scan, list of ip addresses
rpc [111/tcp,111/udp,135/tcp] report rpc information
smb [445/tcp,139/tcp,137/udp,138/udp] smbclient - Interactive session on a smb share fold...
smtp [25/tcp,587/tcp,465/tcp,2525/tcp] Enumerate SMTP users
snmp [161/udp,162/udp] nmap service scan port 161 for snmp
sql Interactively prompt while SQL injecting a saved b...
ssh [22/tcp,2222/tcp,22222/tcp] Hydra brute force ssh for specific user
web Directory discovery (medium)
webdav [80/tcp,443/tcp,8080/tcp,8443/tcp] Test file uploads against webdav
wfuzz Directory Discovery (medium) - ignore 404, 301
--------------------------------------------------------------------------------
```
```
pse <service-name>
```
Below are examples of how to run the program.
```
# pse smb
```
Output:
```
[*] Service: smb - Ports: 445/tcp,139/tcp,137/udp,138/udp
--------------------------------------------------------------------------------
smbclient - Interactive session on a smb share folder
[*] smbclient "//$IP/$FOLDER" -U "$USERNAME" --password "$PASSWORD"
--------------------------------------------------------------------------------
smbclient - List available shares
[*] smbclient -L "//$IP" -U "$USERNAME" --password "$PASSWORD"
--------------------------------------------------------------------------------
smbclient - Recursively download everything (while connected, enter commands one at a time)
[*] 1. recurse on 2. prompt off 3. mget *
--------------------------------------------------------------------------------
Launch a semi-interactive shell
[*] smbexec.py $HOST/$USERNAME:$PASSWORD@$IP
--------------------------------------------------------------------------------
smbclient - (unauthenticated) - List smb share files using a null user
[*] smbclient -L $IP -U "" -N
--------------------------------------------------------------------------------
ngrep samba version while connecting via smbclient
[*] export INTERFACE="tun0"; sudo ngrep -i -d $INTERFACE 's.?a.?m.?b.?a.*[[:digit:]]'
--------------------------------------------------------------------------------
Recursive directory listing
[*] smbmap -H $IP -R
--------------------------------------------------------------------------------
Create a destination mount directory, mount remote share as guest
[*] sudo mkdir /mnt/${IP}_$FOLDER; sudo mount -v -t cifs "//$IP/$FOLDER" /mnt/${IP}_$FOLDER -o username=guest
--------------------------------------------------------------------------------
smbclient - (unauthenticated) - Connect to remote smb share as null user
[*] smbclient "//$IP/$SHARE_NAME" -U ""
--------------------------------------------------------------------------------
Scan IP Address for SMB Pipe Names
[*] pipef -a $IP
--------------------------------------------------------------------------------
nxc smb - Check with null user
[*] nxc smb $IP -u '' -p ''
--------------------------------------------------------------------------------
nxc smb - Check with anonymous user
[*] nxc smb $IP -u 'notexistantuser' -p ''
--------------------------------------------------------------------------------
nxc smb - Connect with valid credentials
[*] nxc smb $IP -u "$USERNAME" -p "$PASSWORD"
--------------------------------------------------------------------------------
nxc smb - List available shares
[*] nxc smb $IP -u "$USERNAME" -p "$PASSWORD" --shares
--------------------------------------------------------------------------------
nxc smb - List domain users
[*] nxc smb $IP -u "$USERNAME" -p "$PASSWORD" --users
--------------------------------------------------------------------------------
nxc smb - RID brute force (anonymous)
[*] nxc smb $IP -u 'notexistantuser' -p '' --rid-brute
--------------------------------------------------------------------------------
nxc smb - Run authenticated module (example spider_plus)
[*] nxc smb $IP -u "$USERNAME" -p "$PASSWORD" -M spider_plus
--------------------------------------------------------------------------------
```
```
# pse ldap
```
Output:
```
[*] Service: ldap - Ports: 389/tcp,636/tcp,3268/tcp,3269/tcp
--------------------------------------------------------------------------------
[ldapdomaindump] - Dump information about a domain
[*] ldapdomaindump -u "$USERNAME" -p "$PASSWORD" "$DC_IP"
--------------------------------------------------------------------------------
[ldapsearch] - Dump all user objects (objectClass=user)
[*] ldapsearch -LLL -x -H "ldap://$DC_IP" -D "$USERNAME@$DOMAIN" -w "$PASSWORD" -b "$BASEDN" "(objectClass=user)"
--------------------------------------------------------------------------------
[nxc ldap] - Check if user account is active (512=active, 514=disabled)
[*] nxc ldap "$DC_IP" -u "$USERNAME" -p "$PASSWORD" --query "(sAMAccountName=${USER_TO_CHECK})" "userAccountControl"
--------------------------------------------------------------------------------
[nxc ldap] - Get all LDAP fields for AD user
[*] nxc ldap "$DC_IP" -u "$USERNAME" -p "$PASSWORD" --query "(sAMAccountName=${USER_TO_CHECK})" ""
--------------------------------------------------------------------------------
[nxc ldap] - Test ldap creds to see if they are valid
[*] nxc ldap "$DC_IP" -u "$USERNAME" -p "$PASSWORD"
--------------------------------------------------------------------------------
[nmap] - nmap ldap scan
[*] nmap -n -sV --script "ldap* and not brute" $IP
--------------------------------------------------------------------------------
[ldapsearch] - Unauthenticated bind, replace domain
[*] ldapsearch -x -D "DC=fabricorp,DC=local" -s sub "cn=*" -h $IP
--------------------------------------------------------------------------------
[hydra] - Brute force list of users
[*] hydra -f -I -u -L users.txt -P /usr/share/wordlists/rockyou.txt $IP ldap2 -t 10 -vV
--------------------------------------------------------------------------------
[rpcclient] - SID Lookup (Username is user@domain.local, separate multiple SID by space)
[*] rpcclient -U "$USERNAME" --password="$PASSWORD" //$DC_IP -c "lookupsids $SID"
--------------------------------------------------------------------------------
[nxc smb] - Get AD Lockout Duration (USERNAME="domain\samaccountname")
[*] nxc smb $DC_IP -u $USERNAME -p $PASSWORD --pass-pol
--------------------------------------------------------------------------------
```
Search by port 80:
```
# pse 80
```
Output:
```
[*] Port 80/tcp found in the following services:
--------------------------------------------------------------------------------
[HTTP Service]
[*] Ports: 80/tcp,443/tcp,8080/tcp,8443/tcp,8000/tcp,8888/tcp
--------------------------------------------------------------------------------
[dotdotpwn] - Directory Traversal Linux - dotdotpwn
[*] dotdotpwn -m http-url -u http://$IP/site/TRAVERSAL -k "root:"
--------------------------------------------------------------------------------
[dotdotpwn] - Directory Traversal Windows - dotdotpwn
[*] dotdotpwn -o windows -m http-url -u http://$IP/site/TRAVERSAL -k "root:"
--------------------------------------------------------------------------------
[ffuf] - Fuzz website directory
[*] ffuf -c -w $WORDLIST -u http://$IP/FUZZ
--------------------------------------------------------------------------------
[dirb] - Scan against http site
[*] dirb http://$IP -r -o $OUTPUTFILE
--------------------------------------------------------------------------------
[dirb] - Scan against https site
[*] dirb https://$IP -r -o $OUTPUTFILE
--------------------------------------------------------------------------------
[dirsearch] - Dirbuster medium for php, txt, sh, and pl extensions
[*] dirsearch -u http://$IP -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,txt,sh,pl -x 404 -t 100
--------------------------------------------------------------------------------
[dirsearch] - RECURSIVE with dirbuster medium for php, txt, sh, and pl extensions
[*] dirsearch -r -u http://$IP -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,txt,sh,pl -x 404 -t 100
--------------------------------------------------------------------------------
[nikto] - scan for header info and all directory checks
[*] nikto -h $IP -C all
--------------------------------------------------------------------------------
[curl] - Display only the unique text from a web page
[*] curl $IP -s -L | html2text -width '150' | uniq
--------------------------------------------------------------------------------
[gobuster] - Directory scan with common wordlist
[*] gobuster dir -u http://$IP/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e --output ${IP}_gobuster.txt
--------------------------------------------------------------------------------
[gobuster] - CGI scan, no 302 redirects, 30 second timeout
[*] export IP=$IP; export FOLDER=/usr/share/seclists/Discovery/Web-Content/CGIs.txt; gobuster dir -u http://$IP/ -w $FOLDER --timeout 30s -s '200,204,301,307,403,500' -e --output gobuster-cgi-scan
--------------------------------------------------------------------------------
[nmap] - Enumerate a WordPress site for plugins and themes
[*] nmap -p443 -sV --script http-wordpress-enum $FQDN
--------------------------------------------------------------------------------
[wpscan] - WordPress plugin vulnerability check
[*] wpscan --url https://$FQDN -e vp --plugins-detection mixed
--------------------------------------------------------------------------------
[nikto] - Scan URL
[*] nikto -h $URL
--------------------------------------------------------------------------------
[nikto] - Scan with a limit of 30 seconds
[*] nikto --host http://$IP -maxtime=30s
--------------------------------------------------------------------------------
[gobuster] - Directory scan with directory list medium
[*] gobuster dir -u $URL -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
--------------------------------------------------------------------------------
SQL injection test
[*] sqlmap -u "$URL" --batch --crawl=1
--------------------------------------------------------------------------------
[wfuzz] - Directory discovery (medium)
[*] wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt --hc 404,403 $URL/FUZZ
--------------------------------------------------------------------------------
[wfuzz] - Directory Discovery (medium) - ignore 404, 301
[*] URL="http://target/FUZZ";FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,301 "$URL"
--------------------------------------------------------------------------------
[wfuzz] - Directory Discovery (medium) - ignore 404, 403, 301
[*] URL="http://target/FUZZ"; FILE="/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt"; wfuzz -c -z file,"$FILE" --hc 404,403,301 "$URL"
--------------------------------------------------------------------------------
[wfuzz] - File Discovery
[*] URL="http://target/FUZZ";wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt --hc 301,404,403 "$URL"
--------------------------------------------------------------------------------
[wfuzz] - POST data fuzzing (password cracking)
[*] URL="http://target:80/wp-login.php"; wfuzz -c -z file,/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --hc 404 -d "log=admin&pwd=FUZZ" "$URL"
--------------------------------------------------------------------------------
[wfuzz] - Param value fuzzing (find hidden params)
[*] export URL="http://target:80/index.php?FUZZ=data";wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 404,301 "$URL"
--------------------------------------------------------------------------------
[wfuzz] - Param value fuzzing (usernames)
[*] URL="http://target:80/index.php?fpv=FUZZ"; wfuzz -c -z file,/usr/share/seclists/Usernames/cirt-default-usernames.txt --hc 404 "$URL"
--------------------------------------------------------------------------------
[wfuzz] - Local File Inclusion
[*] wfuzz -c -u "http://$IP/mutillidae/index.php?page=FUZZ{arbitrary-file-inclusion.php}" -z file,/usr/share/wordlists/wfuzz/Injections/Traversal.txt,urlencode --filter "lines != 1008"
--------------------------------------------------------------------------------
[WEBDAV Service]
[*] Ports: 80/tcp,443/tcp,8080/tcp,8443/tcp
--------------------------------------------------------------------------------
Test file uploads against webdav
[*] davtest -move -sendbd auto -url http://$IP/webdav
--------------------------------------------------------------------------------
```
Services are text files located at:
```
$HOME/.pse/<files>
```
Every command you want to return should be on a separate line, in the format:
```
description:command
```
File: $HOME/.pse/nfs
Content:
```
#PORTS:111/tcp,111/udp,2049/tcp,2049/udp
show available nfs mounts:showmount -e $IP
mount a nfs share:export IP=10.11.1.72; sudo mkdir -p /mnt/$IP/home && sudo mount -t nfs $IP:/home /mnt/$IP/home
```
You can now use the built-in create functionality:
```
pse -c <service>
```
For example:
```
pse -c curl
```
Output:
```
[+] Service template created: /Users/braker/.pse/curl
[*]
[*] Edit this file to add your own commands and ports:
[*] pse -e curl
```
Then edit the new service:
```
pse -e curl
```
This opens the service file in your configured editor. If the service doesn't exist, it creates a new one with a helpful template:
```
# PORTS:port/tcp,port/udp
# PSE Service File Template
#
# Format: Description:Command
# Use $IP, $HOST, $PORT, $USERNAME, $PASSWORD, $FOO, $BAR as placeholders
# You can use any placeholder variables you want in your commands
#
# Example service file:
#PORTS:445/tcp,139/tcp,137/udp,138/udp
[nxc smb] - Check with anonymous user:nxc smb $IP -u 'notexistantuser' -p ''
[nxc smb] - Connect with valid credentials (test creds):nxc smb $IP -u "$USERNAME" -p "$PASSWORD"
[nxc smb] - List available shares:nxc smb $IP -u "$USERNAME" -p "$PASSWORD" --shares
[nxc smb] - List domain users:nxc smb $IP -u "$USERNAME" -p "$PASSWORD" --users
#
# INSTRUCTIONS:
# 1. Replace "port/tcp,port/udp" above with actual ports for this service
# 2. Replace the example commands with your own
# 3. Remove all comments (except your "#PORTS" line, which should be the first line)
```
Replace everything in the file with this:
```
#PORTS:80/tcp,443/tcp,8080/tcp,8443/tcp
Return headers: curl -I $URL
Return headers, ignore bad cert, follow redirect:curl -k -L -I $URL
Return help content:curl -h
Run curl in verbose mode:curl -v
```
To change an existing service, edit the corresponding service file at $HOME/.pse/<filename> (e.g. $HOME/.pse/smb or $HOME/.pse/dns).
If you want to add a new service, create a file at $HOME/.pse/foo.
To add curl as a service for pse:
- Create the file $HOME/.pse/curl
- Add the PORTS line (see example)
- Add one line per command you want saved, in the format <description>:<command>

Example content for the file $HOME/.pse/curl:
```
#PORTS:80/tcp,443/tcp,8080/tcp,8443/tcp
Return headers: curl -I $URL
Return headers, ignore bad cert, follow redirect:curl -k -L -I $URL
Return help content:curl -h
Run curl in verbose mode:curl -v
```
Now when you run the command pse curl, the output is:
```
[*] Service: curl - Ports: 80/tcp,443/tcp,8080/tcp,8443/tcp
--------------------------------------------------------------------------------
Return headers
[*] curl -I $URL
--------------------------------------------------------------------------------
Return headers, ignore bad cert, follow redirect
[*] curl -k -L -I $URL
--------------------------------------------------------------------------------
Return help content
[*] curl -h
--------------------------------------------------------------------------------
Run curl in verbose mode
[*] curl -v
--------------------------------------------------------------------------------
```
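As an added example (not PSE's own code), here is a small Python model of the service-file format described in the SERVICE FILE FORMAT section of the help text and in the nfs and curl files above: it parses the #PORTS header and the description:command lines, rejects files that break the template rules (#PORTS not first, leftover comment lines, lines without a colon), and answers port queries the way pse 445, pse 53/udp and pse 53/all do. The sample files are constructed for the example, and treating a port listed without a protocol as TCP is an assumption.

```python
import re

# Constructed sample service files in the shape of $HOME/.pse/<service>:
# first line "#PORTS:...", then one "description:command" per line.
SAMPLE_FILES = {
    "smb": '#PORTS:445/tcp,139/tcp,137/udp,138/udp\n'
           'List SMB shares:smbclient -L $IP -U "" -N\n'
           'Mount SMB share:sudo mount -t cifs //$IP/share /mnt/share\n',
    "nfs": '#PORTS:111/tcp,111/udp,2049/tcp,2049/udp\n'
           'show available nfs mounts:showmount -e $IP\n',
    "dns": '#PORTS:53/tcp,53/udp,5353/udp\nReverse lookup:host $IP\n',
}

PORT_RE = re.compile(r"^(\d{1,5})(?:/(tcp|udp))?$")

def parse_service(text):
    """Return (ports, commands) for one service file, or raise ValueError when
    it breaks the template rules: #PORTS first, description:command lines only,
    no leftover comment lines."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#PORTS:"):
        raise ValueError("first line must start with #PORTS:")
    ports = set()
    for item in lines[0][len("#PORTS:"):].split(","):
        m = PORT_RE.match(item.strip())
        if not m or not 1 <= int(m.group(1)) <= 65535:
            raise ValueError("bad port entry: %r" % item)
        # Assumption: a port listed without a protocol is taken as TCP.
        ports.add((int(m.group(1)), m.group(2) or "tcp"))
    commands = []
    for n, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue
        if line.startswith("#"):
            raise ValueError("line %d: remove comments before saving" % n)
        # Split on the first colon only, so commands may contain ':' themselves.
        desc, sep, cmd = line.partition(":")
        if not sep or not desc.strip() or not cmd.strip():
            raise ValueError("line %d: expected description:command" % n)
        commands.append((desc.strip(), cmd.strip()))
    return ports, commands

def parse_query(query):
    """Map a CLI port query to (port, protocols): '445' assumes TCP,
    '53/udp' is UDP only, '53/all' is both, as in the pse help text."""
    port, _, proto = query.partition("/")
    proto = proto or "tcp"
    return int(port), ({"tcp", "udp"} if proto == "all" else {proto})

def services_for_port(files, query):
    """Sorted names of the services whose #PORTS line matches the query."""
    port, protos = parse_query(query)
    return sorted(name for name, text in files.items()
                  if any((port, p) in parse_service(text)[0] for p in protos))
```

Note that a query for a bare port only matches TCP entries, so "137" finds nothing even though smb lists 137/udp; "137/udp" or "137/all" is needed, exactly as the help text describes.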