-
Notifications
You must be signed in to change notification settings - Fork 87
/
vanquish-attack-plan.ini
168 lines (163 loc) · 8.19 KB
/
vanquish-attack-plan.ini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
#= Vanquish Attack Plan Config File ============
# Each section represents a phase of the assessment cycle
# the values under each section represent the commands that will be run against each identified service
# the commands are configured in the config.ini file
#= Nmap Scan Ordering ============
# The Vanquish script will alternate between an Nmap scan and the enumeration Plan
[Nmap Scans]
Order: Nmap Fast TCP and UDP Plan,Nmap All TCP Ports Plan
#= Phase Ordering ============
# The following section defines the scan and enumeration phase ordering
# Scans Start = The scans to complete upfront before any enumeration has started... these should be quick
# Scans Background = The slow scans that will run in the background while the enumeration phases are executing
# Enumeration Plan = The order in which the enumeration phases will be executed
[Nmap Fast TCP and UDP Plan]
Order: Nmap Scan Fast TCP,Nmap Scan Fast UDP
[Nmap All TCP Ports Plan]
Order: Nmap Scan All TCP
[Nmap All UDP Ports Plan]
Order: Nmap Scan All UDP
[Enumeration Plan]
Order: Information Gathering,User Enumeration,Web Site Scanning,Password List Generation,User Enumeration Bruteforce
[Post Enumeration Plan]
Order: Metasploit Database Start,Metasploit Database Import,Metasploit Report Generation,Web Content Detection,Web Exploitation,Nmap HTTP Scan,Brute Forcing Lite,Vulnerablity Analysis,Vulnerability Validation,Web Site Nikto Tests,Brute Forcing,Nmap Scan All UDP
#= Nmap Phases ============
# The following sections detail the specific commands that will be run (found in the config.ini) at each nmap phase
# a special "always:" item can be specified to always run these commands against a host once.
# a special "run once:" item will only run the item once per phase regardless of the number of hosts.
[Nmap Scan Fast TCP]
always: Nmap Fast TCP
[Nmap Scan Fast UDP]
always: Nmap Fast UDP
[Nmap Scan All TCP]
always: Nmap All TCP
[Nmap Scan All UDP]
always: Nmap All UDP
#= Enumeration Phases ============
# The following sections detail the specific commands that will be run (found in the config.ini) at each enumeration phase
# a special "always:" item can be specified to always run these commands against a host once.
# a special "run once:" item will only run the item once per phase regardless of the number of hosts.
[Information Gathering]
always: XProbe2 OS Enumeration
http: NMap Http Shell Shock,HTTP Nikto Fast
https: NMap SSL Heartbleed,SSLScan,SSLyze,HTTPS Nikto Fast
ftp: FTP Nmap Anon,FTP Nmap Bounce
mysql: MySQL Nmap Empty Password,MySql Dump Tables
smb: SMB Nmap Vuln Scan,SMB NBTScan,SMB Enum4linux,SMB Nmap All,SMB Nmblookup,SMB Client Connect,SMB Nbtscan-unixwiz
ssn: SMB Nmap Vuln Scan,SMB NBTScan,SMB Enum4linux,SMB Nmap All,SMB Nmblookup,SMB Client Connect,SMB Nbtscan-unixwiz
smtp: SMTP Nmap Vuln Scan,SMTP Nmap Commands
snmp: SNMP Nmap All,SNMP Onesixtyone,SNMP SNMPWalk,SNMP SNMP-Check
ssh: SSLScan,SSLyze,SSH Nmap Hostkey
rexec: Nmap Rexec
rlogin: Nmap Rlogin
vnc: VNC NMap Scan
telnet: Telnet NMap All
dns: DNS Nmap All,DNS Recon,DNS Nmap Host Names Lookup
dhcp: DHCP Nmap Discover, DHCP Nmap Broadcast Discover,DHCP Nmap v6 Broadcast Discover
finger: Finger Nmap All
msrpc: Msrpc Nmap Enum,Msrpc Enum4linux
rdp: RDP Nmap Enum Encryption,RDP Nmap Vuln Scan
rpc: RPC RPCClient Help,RPC RPCClient Enumprivs,RPC RPCClient Netshareenum,RPC RPCClient Srvinfo,RPC RPCClient Lookupnames Root,RPC Nmap RPC Info
kerberos: Kerberos
nfs: NFS List Shares,NFS NMAP Showmount
james-admin: James-Admin
ntp:NTP NTPQ Version,NTP NTPQ Readlist,NTP NTPQ Hostnames,NTP Nmap All
pop3: POP3 Nmap Enum
imap: IMAP Nmap Enum
ms-sql-s: MS-SQL-S Nmap MS-SQL Info
[Web Site Scanning]
http: HTTP What Web,HTTP Wordpress Scan 1,HTTP Wordpress Scan 2,HTTP BlindElephant Guess,HTTP Cewl Password List,HTTP Robots
https: HTTPS What Web,HTTPS Wordpress Scan 1,HTTPS Wordpress Scan 2,HTTPS BlindElephant Guess,HTTPS Cewl Password List,HTTPS Robots
[Web Site Nikto Tests]
http: HTTP Nikto Tests
https: HTTPS Nikto Tests
[Web Content Detection]
http: HTTP GoBuster,HTTP What Web All Urls,HTTP BlindElephant Guess All Urls,HTTP Wordpress Scan All Urls,HTTP Method Check
https: HTTPS GoBuster,HTTPS What Web All Urls,HTTPS BlindElephant Guess All Urls,HTTPS Wordpress Scan All Urls,HTTPS Method Check
[Web Exploitation]
http: HTTP Nmap SQL Injection Scan,HTTP Nmap SQL Injection Findings List Scan
https: HTTP Nmap SQL Injection Scan,HTTPS Nmap SQL Injection Findings List Scan
webmin: Webmin Passwd Exploit,Webmin Shadow Exploit
[GoBuster Web Content Bruteforce]
http: HTTP GoBuster All Dicts
https: HTTPS GoBuster All Dicts
[Nmap HTTP Scan]
http: Nmap Web Scan
https: Nmap Web Scan
[User Enumeration]
smtp: SMTP Nmap Enum Users
snmp: SNMP SNMP-Check
rpc: RPC Enum4Linux User Enumeration
smb: SMB Nmap User Enumeration
ident: Ident ident-user-enum Service Users
[User Enumeration Bruteforce]
smtp:SMTP Emum Users Name,SMTP Emum Users Unix Users
[Password List Generation]
http: HTTP Cewl Password List All Urls
https: HTTPS Cewl Password List All Urls
[Vulnerablity Analysis]
always: Nmap Vulnerability Scan All Host Ports,NMap Vulscan and Version Detection,SearchSploit Nmap
http: HTTP Nmap Vuln Scan
https: HTTP Nmap Vuln Scan
ftp: FTP Nmap Vulnerability Scan
ssh:
snmp: SNMP Nmap All
ms-sql-s: MS-SQL Nmap All
smb: Samba Nmap Vuln Scan
[Vulnerability Validation]
run once: Create File For Upload Test
http: HTTP Put Method Exploit
https: HTTPS Put Method Exploit
[Brute Forcing Lite]
ftp: Hydra dirb-passwords-top-110
ftps: Hydra dirb-passwords-top-110
irc: Hydra dirb-passwords-top-110
imap: Hydra dirb-passwords-top-110
pop3: Hydra dirb-passwords-top-110
mssql: Hydra dirb-passwords-top-110
mysql: Hydra dirb-passwords-top-110
rdp: Hydra dirb-passwords-top-110
rexec: Hydra dirb-passwords-top-110
rlogin: Hydra dirb-passwords-top-110
rsh: Hydra dirb-passwords-top-110
smb: Hydra dirb-passwords-top-110
smtp: Hydra dirb-passwords-top-110
snmp: Hydra dirb-passwords-top-110
ssh: Hydra dirb-passwords-top-110
telnet: Hydra dirb-passwords-top-110
vnc: Hydra dirb-passwords-top-110
# use any credentials discovered to execute exploits
[Brute Forcing]
ftp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
ftps: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
irc: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
imap: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
pop3: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
mssql: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
mysql: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
rdp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
rexec: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
rlogin: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
rsh: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
smb: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
smtp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
snmp: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
ssh: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
telnet: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
vnc: Hydra wfuzz-common,Hydra keyboard-patterns,Hydra adobe-top-100,Hydra fastrack,Hydra password list
# Import data into Metasploit database
[Metasploit Database Start]
run once: Metasploit Start Database
[Metasploit Database Import]
run once: Metasploit Import Database
[Metasploit Report Generation]
run once: Metasploit Hosts Report,Metasploit Services Report
# use any credentials discovered to execute exploits
[Exploitation]
http:HTTP SQLMap,HTTP SQLMap Findings List urlshttp
https:HTTPS SQLMap,HTTPS SQLMap Findings List urlshttps
ftp:
[Exploit Searching]
http:
https:
ftp: