When I work on practice target machines, every time I have to run an open-port scan, a service scan on the open ports, a vulnerability scan on the open ports, and a web directory brute-force. I am a fairly lazy person, so I wondered whether I could write a script to automate all of this so that each time I only need to enter the IP and the directory to save the results in; after three or four hours I ended up with this personal shell script. I am a beginner, so if there are mistakes please point them out.
#!/bin/bash
# Recon helper for practice targets: full TCP and UDP port discovery, service/OS
# detection and NSE vuln scripts on the open ports, then gobuster if port 80 is open.
# Must run as root: the default TCP scan (SYN), -sU and -O all need raw sockets.
startDir=/home/kali/vulnhub/
if [ "$(id -u)" -ne 0 ]; then
    echo "please run with sudo (the UDP scan and -O need root)"
    exit 1
fi
read -r -t 30 -p "please input the machine ip:" ip
# four dotted octets, each 0-255
if [[ ! $ip =~ ^([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$ ]]; then
    echo "the ip format is error"
    exit 1
fi
echo "the machine ip is:$ip"
read -r -t 30 -p "please input the file save directory:" dir
outDir="$startDir$dir"
echo "the directory is :$outDir"
if [ ! -d "$outDir" ]; then
    mkdir -p "$outDir"
fi
cd "$outDir" || exit 1
pwd
echo "[+++] start tcp open port scan [+++]"
# --min-rate 10000 is fine against a lab VM; lower it on a real network
if ! nmap --min-rate 10000 -p- "$ip" -oA tcp_open_port; then
    echo "execute tcp_open_port scan command fail"
    exit 1
fi
echo "[+++] start udp open port scan [+++]"
# full-range UDP is slow and most ports come back open|filtered; kept for completeness
if ! nmap -sU --min-rate 10000 -p- "$ip" -oA udp_open_port; then
    echo "execute udp_open_port scan command fail"
    exit 1
fi
if [ ! -f tcp_open_port.gnmap ]; then
    echo "tcp_open_port.gnmap file not exist"
    exit 1
fi
# grepable output (-oA writes it) lists every open port as "<port>/open/tcp//<service>///";
# join them into a comma-separated list for -p (no trailing comma)
ports=$(grep -oE '[0-9]+/open/tcp' tcp_open_port.gnmap | cut -d/ -f1 | sort -n -u | paste -sd, -)
if [ -z "$ports" ]; then
    echo "no open tcp ports found"
    exit 1
fi
echo "[+++] start open port service scan [+++]"
if ! nmap -sT -sV -O -p"$ports" "$ip" -oA open_port_service; then
    echo "scan service fail"
    exit 1
fi
echo "[+++] start vuln scan [+++]"
if ! nmap --script=vuln -p"$ports" "$ip" -oA vuln_scan; then
    echo "vuln script scan fail"
    exit 1
fi
echo "[$ports]"
# =~ is a substring match: 8080, 1080 or 800 also satisfy it, and gobuster is
# still pointed at port 80 only (see the note after the scan output)
if [[ $ports =~ 80 ]]; then
    gobuster dir -u "http://$ip" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
fi
# hand the results back to the user who invoked sudo (falls back to kali)
chown -R "${SUDO_USER:-kali}:" "$outDir"
Because nmap's default TCP scan when run as root is a SYN scan, and the UDP scan (-sU) and OS detection (-O) need raw sockets as well, this script has to be run as root. (It is the raw-socket scan types that require root, not the port range: scanning ports 1-1024 is no different from scanning any other ports; only listening on a port below 1024 is privileged.) Below is the result of running it against one target machine:
┌──(kali㉿kali)-[~]
└─$ sudo bash auxi.sh
[sudo] password for kali:
please input the machine ip:192.168.62.141
the machine ip is:192.168.62.141
please input the file save directory:mm
the directory is :/home/kali/vulnhub/mm
/home/kali/vulnhub/mm
[+++] start tcp open port scan [+++]
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-16 18:05 HKT
Nmap scan report for 192.168.62.141
Host is up (0.00061s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:08:94:3A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.73 seconds
[+++] start udp open port scan [+++]
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-16 18:05 HKT
Warning: 192.168.62.141 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.62.141
Host is up (0.00058s latency).
All 65535 scanned ports on 192.168.62.141 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:08:94:3A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 72.79 seconds
[+++] start open port service scan [+++]
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-16 18:07 HKT
Nmap scan report for 192.168.62.141
Host is up (0.0026s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 0.7.67
MAC Address: 00:0C:29:08:94:3A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.19 seconds
[+++] start vuln scan [+++]
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-16 18:07 HKT
Nmap scan report for 192.168.62.141
Host is up (0.00051s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
|_ /admin/login.php: Possible admin folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-cookie-flags:
| /admin/login.php:
| PHPSESSID:
|_ httponly flag not set
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.62.141
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.62.141:80/admin/
| Form id:
| Form action: index.php
|
| Path: http://192.168.62.141:80/admin/index.php
| Form id:
|_ Form action: index.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:08:94:3A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 72.24 seconds
[80,]
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.62.141
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/04/16 18:08:27 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 185] [--> http://_/images/]
/admin (Status: 301) [Size: 185] [--> http://_/admin/]
/css (Status: 301) [Size: 185] [--> http://_/css/]
/classes (Status: 301) [Size: 185] [--> http://_/classes/]
Progress: 219089 / 220561 (99.33%)
===============================================================
2023/04/16 18:09:21 Finished
===============================================================
The gobuster step in the script only tests whether the string 80 occurs somewhere in the list of open ports ([[ $ports =~ 80 ]] is a regex match, so 8080, 1080 or 800 all satisfy it). If the ports that are actually open are 8080-8090 the check still passes, but because the command is:
gobuster dir -u http://$ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
the URL carries no port, so gobuster only ever hits port 80, which in that case is closed, and 8080-8090 are never brute-forced. The other case is that 80 and 8080 are both open and both serve HTTP: only port 80 gets scanned here (and if that one errors out, possibly nothing does), so the other port has to be scanned by hand. The real fix is to take the ports whose service the -sV scan reported as http and run gobuster once per port, with the port in the URL.
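A cleaner way to pick the web ports is to read them out of the service scan's grepable output (the .gnmap file that -oA already writes) instead of substring-matching 80. The block below is an added example, not part of the original script: the function names (valid_ipv4, open_tcp_ports, http_targets, gobuster_plan) are my own, the .gnmap lines are constructed to imitate nmap's grepable format rather than taken from a real scan, and the last step only prints the gobuster command for each target instead of running it.

```shell
#!/bin/bash
# Added example: choose web targets from nmap grepable output (.gnmap) rather than
# testing whether "80" appears anywhere in the port list. Function names and the
# sample data below are assumptions made for this example, not the page's script.

# Constructed sample in the shape nmap writes for a -sV scan; not a real capture.
# Each port entry is port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP=$(printf 'Host: 192.168.62.141 ()\tStatus: Up\nHost: 192.168.62.141 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.5p1/, 80/open/tcp//http//nginx 0.7.67/, 8080/open/tcp//http-proxy//Apache httpd/, 8443/open/tcp//ssl|https//nginx/\tIgnored State: closed (61)\n')
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_GNMAP" > "$SAMPLE_FILE"

# Strict dotted-quad check: four octets, each 0-255, no leading zeros.
valid_ipv4() {
    local o='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^$o\\.$o\\.$o\\.$o\$"
}

# All open TCP ports in a .gnmap file as a comma-separated list usable with nmap -p.
open_tcp_ports() {
    grep -oE '[0-9]+/open/tcp' "$1" | cut -d/ -f1 | sort -n -u | paste -sd, -
}

# One URL per open TCP port whose service name mentions http. The scheme becomes
# https when nmap marked the service as ssl-wrapped ("ssl|https" in grepable output).
http_targets() {
    grep -E '^Host:.*Ports:' "$1" | while IFS= read -r line; do
        local host=${line#Host: }
        host=${host%% *}
        # split the Ports: field into one entry per line, then test state/proto/service
        printf '%s\n' "${line#*Ports: }" | tr ',' '\n' | sed 's/^ *//' |
            awk -F/ -v host="$host" '
                $2 == "open" && $3 == "tcp" && $5 ~ /http/ {
                    scheme = ($5 ~ /ssl|https/) ? "https" : "http"
                    printf "%s://%s:%s\n", scheme, host, $1
                }'
    done
}

# Dry run: print the gobuster command for every web target instead of executing it.
gobuster_plan() {
    local wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    http_targets "$1" | while IFS= read -r url; do
        printf 'gobuster dir -u %s -w %s\n' "$url" "$wordlist"
    done
}

echo "open tcp ports: $(open_tcp_ports "$SAMPLE_FILE")"
gobuster_plan "$SAMPLE_FILE"
```

Dropped into the script, this runs gobuster once per HTTP port with the port in the URL (https:// where nmap reported the service as ssl-wrapped), and the trailing comma in the original port list disappears because paste joins the items. The sample yields 22,80,8080,8443 as the port list and three targets: ports 80 and 8080 over http and 8443 over https; ssh on 22 is skipped.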
Of course, these results are only a reference; against a real target some of the parameters will certainly need adjusting. I am considering splitting the script up later so that each task is its own script, with one top-level shell script running them all, which would save time and improve efficiency, and when a new feature comes along I would only need to write one more script. Is this the legendary "efficient and extensible"? Hahaha.