UltyScan Documentation Overhaul

templates/passive/network/CVE-2018-15473_-_OpenSSH_Username_Enumeration.sh

@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='CVE-2018-15473 - OpenSSH Username Enumeration'
+FILENAME="$LOOT_DIR/output/msf-$TARGET-*-ssh_enumusers.txt"
+MATCH="\[+\]"
+SEVERITY='P3 - MEDIUM'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
+TYPE="network"

templates/passive/network/Default_Credentials_BruteX.sh

@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Default Credentials - BruteX'
+FILENAME="$LOOT_DIR/credentials/brutex-$TARGET.txt $LOOT_DIR/credentials/brutex-$TARGET-*.txt"
+MATCH="password\:\ "
+SEVERITY='P1 - CRITICAL'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
+TYPE="network"

templates/passive/network/Default_Credentials_NMap.sh

@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Default Credentials - NMap'
+FILENAME="$LOOT_DIR/output/nmap-$TARGET.txt $LOOT_DIR/output/nmap-$TARGET-*.txt"
+MATCH="Valid\ credentials"
+SEVERITY='P1 - CRITICAL'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
+TYPE="network"

templates/passive/network/Interesting_Domain_Found.sh

@@ -0,0 +1,10 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Interesting Domain Found'
+echo "$TARGET" > /tmp/target 
+FILENAME="/tmp/target"
+MATCH="admin|dev|portal|stage|prod|tst|test"
+SEVERITY='P5 - INFO'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
+TYPE='network'

templates/passive/network/Lack_of_SPF_DNS_Record.sh

@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Lack of SPF DNS Record'
+FILENAME="$LOOT_DIR/nmap/email-$TARGET.txt"
+MATCH="\[\+\]\ Spoofing\ possible"
+SEVERITY='P4 - LOW'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
+TYPE='network'

templates/passive/network/Possible_Takeover_Detected.sh

@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Possible Takeover Detected'
+FILENAME="$LOOT_DIR/nmap/takeovers-$TARGET.txt"
+MATCH='anima|bitly|wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp|azure|trafficmanager|netifly|brandpa'
+SEVERITY='P5 - INFO'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
+TYPE='network'

templates/passive/network/SMB_Info_Disclosure.sh

@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='SMB Info Disclosure'
+FILENAME="$LOOT_DIR/output/msf-$TARGET-port139.txt $LOOT_DIR/output/msf-$TARGET-port445.txt"
+MATCH="\[\+\]"
+SEVERITY='P4 - LOW'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
+TYPE="network"

templates/passive/network/SMBv1_Enabled.sh

@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='SMBv1 Enabled'
+FILENAME="$LOOT_DIR/output/nmap-$TARGET-*.txt"
+MATCH="SMBv1"
+SEVERITY='P3 - MEDIUM'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
+TYPE="network"

templates/passive/network/SSH_Version_Disclosure.sh

@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='SSH Version Disclosure'
+FILENAME="$LOOT_DIR/output/msf-$TARGET-*-ssh_version.txt"
+MATCH="\[\+\]"
+SEVERITY='P4 - LOW'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
+TYPE="network"

templates/passive/network/Subjack_Takeover_Detected.sh

@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Subjack Takeover Detected'
+FILENAME="$LOOT_DIR/nmap/subjack-$TARGET.txt"
+MATCH="\[Vulnerable\]"
+SEVERITY='P2 - HIGH'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
+TYPE="network"

templates/passive/network/Subover_Takeover_Detected.sh

@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Subover Takeover Detected'
+FILENAME="$LOOT_DIR/nmap/subover-$TARGET.txt"
+MATCH="Takeover\ Possible"
+SEVERITY='P2 - HIGH'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
+TYPE="network"

templates/passive/network/recursive/Component_With_Known_Vulnerabilities_-_NMap.sh

@@ -0,0 +1,11 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Component With Known Vulnerabilities - NMap'
+FILENAME="$LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/output/nmap-$TARGET.txt $LOOT_DIR/output/nmap-$TARGET-*.txt"
+OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
+MATCH="vulners.com"
+GREP_OPTIONS='-ih'
+TYPE="network"
+
+rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$5=AWK_TARGET{print "P3 - MEDIUM, Components with Known Vulnerabilities - NMap, " $5 ", " $2 " " $3 " " $4}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt
+cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null

templates/passive/network/recursive/Interesting_Ports_Found.sh

@@ -0,0 +1,23 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Interesting Ports Found'
+FILENAME="$LOOT_DIR/nmap/ports-$TARGET.txt"
+MATCH="21\ |22\ |23\ |137\ |139\ |445\ |8080\ |8443\ |3306\ |5900\ |53\ |8081\ |5432\ "
+SEVERITY='P5 - INFO'
+GREP_OPTIONS='-i'
+SECONDARY_COMMANDS=''
+OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
+TYPE='network'
+
+rm -f /tmp/match.out 2> /dev/null
+cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null | head -n 1 2> /dev/null > /tmp/match.out
+
+CHARS="$(wc -c /tmp/match.out 2> /dev/null | awk '{print $1}' 2> /dev/null)"
+if [[ $CHARS > 0 ]]; then
+	echo "$SEVERITY, $VULN_NAME, $TARGET, $(cat /tmp/match.out 2> /dev/null)" | tee "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null
+	# /bin/bash "$INSTALL_DIR/bin/slack.sh" "[+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(cat /tmp/match.out | tr '\n' ' ') (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
+	#echo "•?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(cat /tmp/match.out) (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
+else
+	rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null
+fi
+
+rm -f /tmp/match.out 2> /dev/null