kalinathalie/scan-and-fuzzing-notes.txt

## scan-and-fuzzing-notes.txt
Scan{
	nmap -sn -T2 -PR -iL ranges.txt | awk '/Nmap scan report for/ { if ($6 ~ /^\(/) gsub("[()]", "", $6); else $6=$NF; print $6 }' > hosts.txt
	masscan -p1-65535 --rate=2000 -e eth0 -iL hosts.txt -oG masscan.gnmap
	cat masscan.gnmap | grep "Ports:" | awk '{ip=$4; for(i=4;i<=NF;i++) if ($i ~ /open/) { split($i, a, "/"); ports[ip]=ports[ip]","a[1] }} END { for (ip in ports) { print ip, ports[ip] }}' > targets.txt
	sed 's/ ,/ /g' targets.txt > clean_targets.txt
	rm targets.txt && mkdir output
	while read line; do ip=$(echo $line | cut -d' ' -f1); ports=$(echo $line | cut -d' ' -f2 | sed 's/^,//'); nmap -v -Pn -sV -sC -p $ports $ip -oN output/nmap_$ip.txt; done < clean_targets.txt
}

Fuzzing{
  cd output
  ==============================================================
  awk '
    /Nmap scan report for/ {gsub("[()]", "", $NF); ip=$NF}
    /^[0-9]+\/tcp/ {
        split($1, p, "/")
        port=p[1]
        capture=0
    }
    /http-title/ {
        capture=1
    }
    capture && ip && port {
        print ip ":" port
        capture=0
    }
    ' *.txt > http-hosts.txt
  ==============================================================
  httpx -l http-hosts.txt -o httpx-hosts.txt
  eyewitness -f httpx-hosts.txt -d screen

  ./run-ffuf.sh httpx-hosts.txt /usr/share/dirb/wordlists/big.txt | tee -a ffuf-output.txt
}

run-ffuf.sh{
  #!/bin/bash
  if [ $# -ne 2 ]; then
    echo "Use: $0 <hosts_file> <wordlist>"
    exit 1
  fi

  HOSTS_FILE="$1"
  WORDLIST="$2"
  STATUSCODES="200-299,301,302,307,401,403,405,500"
  USERAGENT="Mozilla/5.0 (Linux; Android 13; SM-G998B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Mobile Safari/537.36"

  if [ ! -f "$HOSTS_FILE" ]; then
    echo "Can't find '$HOSTS_FILE'!"
    exit 2
  fi

  if [ ! -f "$WORDLIST" ]; then
    echo "Can't find '$WORDLIST' !"
    exit 3
  fi

  # Loop FFuF
  while IFS= read -r HOST || [ -n "$HOST" ]; do
    echo "[*] Running ffuf on $HOST/FUZZ"
    ffuf -w "$WORDLIST" \
       -u "$HOST/FUZZ" \
       -mc "$STATUSCODES" \
       -c \
       -H "User-Agent: $USERAGENT" \
       -ac
  done < "$HOSTS_FILE"
}
	Scan{
	nmap -sn -T2 -PR -iL ranges.txt \| awk '/Nmap scan report for/ { if ($6 ~ /^\(/) gsub("[()]", "", $6); else $6=$NF; print $6 }' > hosts.txt
	masscan -p1-65535 --rate=2000 -e eth0 -iL hosts.txt -oG masscan.gnmap
	cat masscan.gnmap \| grep "Ports:" \| awk '{ip=$4; for(i=4;i<=NF;i++) if ($i ~ /open/) { split($i, a, "/"); ports[ip]=ports[ip]","a[1] }} END { for (ip in ports) { print ip, ports[ip] }}' > targets.txt
	sed 's/ ,/ /g' targets.txt > clean_targets.txt
	rm targets.txt && mkdir output
	while read line; do ip=$(echo $line \| cut -d' ' -f1); ports=$(echo $line \| cut -d' ' -f2 \| sed 's/^,//'); nmap -v -Pn -sV -sC -p $ports $ip -oN output/nmap_$ip.txt; done < clean_targets.txt
	}

	Fuzzing{
	cd output
	==============================================================
	awk '
	/Nmap scan report for/ {gsub("[()]", "", $NF); ip=$NF}
	/^[0-9]+\/tcp/ {
	split($1, p, "/")
	port=p[1]
	capture=0
	}
	/http-title/ {
	capture=1
	}
	capture && ip && port {
	print ip ":" port
	capture=0
	}
	' *.txt > http-hosts.txt
	==============================================================
	httpx -l http-hosts.txt -o httpx-hosts.txt
	eyewitness -f httpx-hosts.txt -d screen

	./run-ffuf.sh httpx-hosts.txt /usr/share/dirb/wordlists/big.txt \| tee -a ffuf-output.txt
	}

	run-ffuf.sh{
	#!/bin/bash
	if [ $# -ne 2 ]; then
	echo "Use: $0 <hosts_file> <wordlist>"
	exit 1
	fi

	HOSTS_FILE="$1"
	WORDLIST="$2"
	STATUSCODES="200-299,301,302,307,401,403,405,500"
	USERAGENT="Mozilla/5.0 (Linux; Android 13; SM-G998B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Mobile Safari/537.36"

	if [ ! -f "$HOSTS_FILE" ]; then
	echo "Can't find '$HOSTS_FILE'!"
	exit 2
	fi

	if [ ! -f "$WORDLIST" ]; then
	echo "Can't find '$WORDLIST' !"
	exit 3
	fi

	# Loop FFuF
	while IFS= read -r HOST \|\| [ -n "$HOST" ]; do
	echo "[*] Running ffuf on $HOST/FUZZ"
	ffuf -w "$WORDLIST" \
	-u "$HOST/FUZZ" \
	-mc "$STATUSCODES" \
	-c \
	-H "User-Agent: $USERAGENT" \
	-ac
	done < "$HOSTS_FILE"
	}
No results found