
I posted the following question on Stack Overflow and it was pointed out that I should possibly forward it to Security Stack Exchange. For convenience the question is reiterated below:

I started creating a script to automate host setup testing in Kali using Python. I would like to know if there are any other "scans" that I am missing or that could be done in order to retrieve more information about a specific host?

I would also like to know if any of the current scans can be improved?

The code thus far is shown below:

#Automate test startup using IP Addresses (Python 2: raw_input and print statement)
import os

def runTerminal(command,name):
    #Open the command in a new gnome-terminal tab and redirect its output to the file 'name'
    os.system("gnome-terminal --tab -e 'bash -c \"" + command+" > "+name+"\"'")

testName = raw_input("Enter the name of the current test: ")

URL = raw_input("Enter the URL: ")
print "Current test: " + testName + " using host: "+ URL

#Strip the scheme (http:// or https://) if one was given, otherwise use the input as-is
if "://" in URL:
    initialURL = URL.split("://",1)[1]
else:
    initialURL = URL

#Pull an explicit port out of host:port (ignoring any path); keep it as an int so the
#comparisons against 0 and 443 below actually match
if ':' in initialURL:
    port = int(initialURL.split(":",1)[1].split("/",1)[0])
else:
    port = 0

#Host only (no port, no path) for the tools that take a host rather than a URL
shortURL=initialURL.split(":",1)[0].split("/",1)[0]

print "URL : " + str(shortURL) + " Port: " + str(port)

#Scan web server for known vulnerabilities
print "Running Nikto..."
niktoCommand = "nikto -h "+ str(shortURL)
runTerminal(niktoCommand,testName+"Nikto.txt")

#transfer a URL or get basic headers
print "Running cURL..."
cURLCommand = "curl -kv "+ str(initialURL)
runTerminal(cURLCommand,testName+"Curl.txt")

#Network exploration tool and security / port scanner
print "Running Nmap..."
if port == 0:
    NmapCommand = "nmap -sV -A "+str(shortURL)
else:
    NmapCommand = "nmap -sV -A "+str(shortURL)+ " -p "+ str(port)
runTerminal(NmapCommand,testName+"Nmap.txt")

#Web Content Scanner
print "Running Dirb..."
dirbCommand = "dirb "+str(URL)
runTerminal(dirbCommand,testName+"Dirb.txt")

#Fast SSL/TLS scanner (only when an explicit 443 port was supplied)
if port == 443:
    print "Running SSLScan..."
    sslCommand = "sslscan "+str(initialURL)
    runTerminal(sslCommand,testName+"SSLScan.txt")

#Web Application Firewall Detection Tool
print "Running wafw00f..."
wafCommand = "wafw00f -av " +str(URL)
runTerminal(wafCommand,testName+"WafScan.txt")

#Scanner similar to dirb mixed with curl
print "Running UniScan..."
uniCommand = "uniscan -u " +str(URL)+" -qweds"
runTerminal(uniCommand,testName+"UniScan.txt")

So far the code takes in a project name in order to save a file. It also takes in a URL, which then gets split as required by specific scans. From there it sends the scan-specific commands to a function which runs the scan in a new terminal window.

schroeder
  • It's a pretty decent setup for basic scanning. Then it depends what you really want to look out for. On dirb you could add `-w` and `-v` options. Nmap command is very basic but can be done so much more with it. If you're on Kali, you could include Vega. I'd also say add Wapiti but it can be very slow and you already have enough scanning power. Also, excuse me for asking, but where do you plan to use the subprocess module? – user633551 Apr 12 '17 at 14:58
  • @user633551 Thanks for the advice, I'll look into those scans. I was going to use the subprocess module and have them run in the same terminal but thought better of it. Also I am just starting to learn these tools and the power behind them, so I don't know all the intricacies surrounding them. I'll look into the flags you mentioned :P – Kyhle Ohlinger Apr 13 '17 at 07:29
  • @user633551 I've created a git repo at github.com/KyhleOhlinger/PentestScripts if anyone is interested in adding to the script, or adding their own pentest scripts. For now I just wanted to get all the basic scans and from there the script will be refined. That will include retrieving any information that may be worthwhile, etc. If you have an idea on what could be worthwhile, it would be great if you could also add to the script :P – Kyhle Ohlinger Apr 16 '17 at 09:22

1 Answer


I would add to this script:

  • Nmap NSE scripts (like "--script=http*" and other relevant scripts)
  • UDP Scanning (you can use "nmap -sU" or any other UDP scanner)

Also, make sure you have good wordlists for your Dirbuster/Nikto scan, usually the easiest attack vectors are on the "hidden" URLs.

Ricardo Reimao
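The following is an added example, not the asker's script nor code from the linked repository. It reworks the question's runner in Python 3 around `urllib.parse` and `subprocess` so that the user-supplied name and URL are passed as argv entries rather than spliced into a `bash -c` string (the original `os.system` call would execute anything typed into the prompts as shell syntax), derives the port from the URL scheme when none is given, and folds in the two additions from the answer: an `--script=http*` NSE run and an optional `-sU` UDP scan. The `build_commands`/`run_all` names, the `dry_run` flag, the `--top-ports 100` limit on the UDP scan and the `-p` port argument to nikto are this example's own choices.

```python
"""Added example: subprocess-based rewrite of the host setup runner (Python 3)."""
import shlex
import subprocess
from urllib.parse import urlparse


def parse_target(url):
    """Return (scheme, host, port) for a URL.

    A missing scheme is treated as http; a missing port falls back to 443 for
    https and 80 otherwise, so the sslscan/nmap decisions below do not depend
    on the user typing ':443' by hand (the bug in the original string-split).
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, parts.hostname, port


def build_commands(url, udp=False):
    """Map output-file suffix -> argv list for each scan.

    Every command is an argument list, never a shell string, so a test name
    or URL containing quotes, ';' or '$(...)' is passed to the tool verbatim.
    """
    scheme, host, port = parse_target(url)
    hostport = "%s:%d" % (host, port)
    cmds = {
        "Nikto": ["nikto", "-h", host, "-p", str(port)],
        "Curl": ["curl", "-kv", url],
        # -sV -A as in the question plus the http* NSE scripts suggested in the answer
        "Nmap": ["nmap", "-sV", "-A", "-p", str(port), "--script=http*", host],
        "Dirb": ["dirb", url],
        "Wafw00f": ["wafw00f", "-av", url],
        "Uniscan": ["uniscan", "-u", url, "-qweds"],
    }
    if scheme == "https":
        # keyed on the scheme, not on the literal port number
        cmds["SSLScan"] = ["sslscan", hostport]
    if udp:
        # UDP scan from the answer; top-ports limit is this example's choice
        cmds["NmapUDP"] = ["nmap", "-sU", "--top-ports", "100", host]
    return cmds


def run_all(url, test_name, udp=False, dry_run=False):
    """Launch every scan with stdout+stderr redirected to <test_name><Suffix>.txt.

    Returns the list of Popen handles so the caller can wait on them; with
    dry_run=True nothing is executed and an empty list is returned.
    """
    procs = []
    for suffix, argv in build_commands(url, udp).items():
        outfile = "%s%s.txt" % (test_name, suffix)
        print("Running: %s -> %s" % (" ".join(shlex.quote(a) for a in argv), outfile))
        if dry_run:
            continue
        with open(outfile, "w") as fh:
            procs.append(subprocess.Popen(argv, stdout=fh, stderr=subprocess.STDOUT))
    return procs


if __name__ == "__main__":
    name = input("Enter the name of the current test: ")
    target = input("Enter the URL: ")
    print("Current test: %s using host: %s" % (name, target))
    for proc in run_all(target, name, udp=True):
        proc.wait()
```

Because the argv lists are built separately from the launcher, `build_commands` can be unit-tested (and reviewed for exactly what will be run) without any of the tools installed; `run_all(..., dry_run=True)` prints the quoted command lines for the same purpose.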