setup/config_default.ini

[celerystalk-config]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This section allows you to change some high level celerystalk items
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; concurrent_tasks - If you change the number of concurrent tasks, you will need to execute ./celerystalk admin restart,
; which restarts celery. You really want to do this when you don't have tasks running. Doing this while task are running
; will certainly mess up celerystalk (it will never figure out that the tasks that got killed actually finished)
concurrent_tasks            : 6

; simple_server_port - celerystalk does not have it's own web server, but after you run a report, it gives you a
; python SimpleHTTPServer command you can copy/paste to view the report if you like. This sets that port.
simple_server_port          : 27007

; max_screenshots_per_vhost - Defines how many paths for each host to send to aquatone. This helps avoid the case where
; the spider or wayback return thousands of paths for one host. Nobody wants 6 GB of screenshots :)
max_screenshots_per_vhost   : 100

[user-config]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Define your own variables here and use them in your commands in this
; configuration file
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
USERNAME_LONG_LIST  : /path/to/list
PASSWORD_SHORT_LIST : /path/to/list
PASSWORD_LONG_LIST  : /path/to/list
MY_CUSTOM_LIST      : /path/to/list
COOKIES             : foo=bar
USER_AGENT          : celerystalk

; Note: [OUTPUT] expands to /output_directory/TARGET/TARGET_PORT_toolname
; Example: /pentest/hackTheBox/10.10.10.10/10.10.10.10_80_cewl
; In most cases, you will want to append "| tee [OUTPUT].txt" to the end
; of your command as seen in the commands below

[domain-recon]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Subdomain recon - You can add other domain recon tools here, but the
; output has to be just a list of urls with no other text
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
amass               : amass enum -d [DOMAIN] | tee [OUTPUT].txt
sublist3r           : python /opt/Sublist3r/sublist3r.py -d [DOMAIN] | tee [OUTPUT].txt

[nmap-commands]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Nmap Configuration Area - Define the nmap command for each scenario here
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; NOTE: ENABLE ONLY ONE tcp_scan entry
; Default nmap scan. Scan top 1000 tcp ports, detect version, don't ping, just scan every host
tcp_scan            : nmap [TARGET] -n -sV -Pn
; Scan all tcp ports, , detect version, don't ping, just scan every host
;tcp_scan            : nmap [TARGET] -n -sV -Pn -p-
; Scan top 3000 tcp ports, , detect version, don't ping, just scan every host
;tcp_scan            : nmap [TARGET] -n -sV -Pn --top-ports 3000
; Scan just 443/tcp, detect version, don't ping, just scan every host
;tcp_scan            : nmap [TARGET] -n -sV -Pn -p 443
; Scan just 80/tcp and 443/tcp, detect version, don't ping, just scan every host
;tcp_scan            : nmap [TARGET] -n -sV -Pn -p 80,443
; Scan 5 of the most common web ports, detect version, don't ping, just scan every host
;tcp_scan            : nmap [TARGET] -n -sV -Pn -p 80,443,8000,8080,8443
; Scan 17 common web ports, detect version, don't ping, just scan every host
;tcp_scan            : nmap [TARGET] -n -sV -Pn -p 80,81,443,591,2082,2087,2095,2096,3000,8000,8001,8008,8080,8083,8443,8834,8888
; Scan 72 common web ports, detect version, don't ping, just scan every host
;tcp_scan            : nmap [TARGET] -n -sV -Pn -p 80,81,300,443,591,593,832,981,1010,1311,2082,2087,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5800,6543,7000,7396,7474,8000,8001,8008,8014,8042,8069,8080,8081,8088,8090,8091,8118,8123,8172,8222,8243,8280,8281,8333,8443,8500,8834,8880,8888,8983,9000,9043,9060,9080,9090,9091,9200,9443,9800,9981,12443,16080,18091,18092,20720,28017

; If this is enabled, celerystalk will launch this scan against all hosts (except when starting from nessus scan which already includes udp info)
; *** ENABLE ONLY ONE udp_scan_mode entry***
;udp_scan            : nmap [TARGET] -sU --top-ports 50 -sV -sC -Pn -oN [OUTPUT].txt -oX [OUTPUT].xml
;udp_scan            : nmap [TARGET] -sU --top-ports 100 -sV -sC -Pn -oN [OUTPUT].txt -oX [OUTPUT].xml
;udp_scan            : nmap [TARGET] -sU --top-ports 200 -sV -sC -Pn -oN [OUTPUT].txt -oX [OUTPUT].xml

[nmap-service-names]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Mapping of nmap server names to celerystalk supported service types
; This normalized this different service types that nmap/nessus detect so
; that we only have to define which commands to run for http, https, ssh,
; ftp, etc. one time
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

http = http,http-alt,http-proxy,www,http?,http-alt?,www-http
https = ssl,ssl/http,https,ssl/http-alt,ssl/http?,https?,https-alt,http-alt?
ftp = ftp,ftp?
mysql = mysql
dns = dns,domain,domain?,named_udp
mssql = ms-sql, ms-sql-s
telnet = telnet,telnet?
smb = microsoft-ds
remotedesktop = msrdp,ms-wbt-server
smtp = smtp
snmp = snmp
ssh = ssh
msrpc = msrpc,rpcbind
netbios-ssn = netbios-ssn
cups = ipp
java-rmi = java-rmi
vnc = vnc,vpc-http
oracle = oracle-tns
kerberos = kerberos-sec
ldap = ldap
popp3 = pop3
imap = imap
isclap = isclap

[screenshots]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Screenshot Configuration Area
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
aquatone            :  /opt/aquatone/aquatone -out [OUTPUT] -resolution "800,600" | tee [OUTPUT]/aquatone_stdout.txt

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Service Scan Config Area
; In addition to [TARGET],[PORT],[OUTPUT], and [PATH], you can use any of
; your own substitutions defined in the [user-config] section. Just make
; sure you put square brackets around them when you use them in your
; commands. To use USER_AGENT, place [USER_AGENT] in the command line
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
[http]
whatweb-3           : whatweb http://[TARGET]:[PORT]/[PATH] -a3 --colour=never | sed s/],/]\\n/g | tee [OUTPUT].txt
photon              : python3 /opt/Photon/photon.py -u http://[TARGET]:[PORT]/[PATH] -o [OUTPUT] -e json && cat [OUTPUT]/exported.json | tee [OUTPUT].txt
wayback             : curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://[TARGET]:[PORT]/[PATH]&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee [OUTPUT].txt
cewl                : cewl http://[TARGET]:[PORT]/[PATH] -m 6 -w [OUTPUT].txt
nikto               : nikto -h http://[TARGET]:[PORT]/[PATH] -output [OUTPUT].txt
wpscan              : wpscan --url http://[TARGET]:[PORT]/[PATH] --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee [OUTPUT].txt
gobuster_common     : gobuster dir -u http://[TARGET]:[PORT]/[PATH] -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee [OUTPUT].txt
gobuster_cmn_w_slash: gobuster dir -u http://[TARGET]:[PORT]/[PATH] -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee [OUTPUT].txt
;gobuster_robots_dis : gobuster dir -u http://[TARGET]:[PORT]/[PATH] -k -w /usr/share/seclists/Discovery/Web-Content/RobotsDisallowed-Top1000.txt -s '200,204,302,307,403,500' -e -n -q | tee [OUTPUT].txt
;gobuster_robots_slash : gobuster dir -u http://[TARGET]:[PORT]/[PATH] -f -k -w /usr/share/seclists/Discovery/Web-Content/RobotsDisallowed-Top1000.txt -s '200,204,302,307,403,500' -e -n -q | tee [OUTPUT].txt
;gobuster_2.3-medium : gobuster dir -u http://[TARGET]:[PORT]/[PATH] -k -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -s '200,204,307,403,500' -e -n -q | tee [OUTPUT].txt
;gobuster_2.3-md_slash : gobuster dir -u http://[TARGET]:[PORT]/[PATH] -f -k -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -s '200,204,307,403,500' -e -n -q | tee [OUTPUT].txt
;gobuster_cgis       : gobuster dir -u http://[TARGET]:[PORT]/[PATH] -k -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,301,307,403,500' -e -n -q > '[OUTPUT].txt
;gobuster_cgis_w_sl  : gobuster dir -u http://[TARGET]:[PORT]/[PATH] -f -k -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,301,307,403,500' -e -n -q > '[OUTPUT].txt
;wappalyzer_cli      : docker run --rm wappalyzer/cli http://[TARGET]:[PORT]/[PATH] | jq . | tee [OUTPUT].txt
;whatweb-4        : whatweb http://[TARGET]:[PORT]/[PATH] -a4 --colour=never | sed s/],/]\\n/g | tee [OUTPUT].txt
;sqlmap              : sqlmap -u http://[TARGET]:[PORT]/[PATH] --batch --crawl=5 --level 1 --risk 1 -f -a --smart -v0 --disable-coloring | tee [OUTPUT].txt
;curl_robots         : curl http://[TARGET]:[PORT]/[PATH]/robots.txt --user-agent 'Googlebot/2.1 (+http://www.google.com/bot.html)' --connect-timeout 30 --max-time 180  | tee [OUTPUT].txt
;nmap_https_vanquish : nmap [TARGET] -p [PORT] -Pn --script='http* and not (broadcast or dos or external or http-slowloris* or fuzzer)' -oN [output].txt --host-timeout 40m --script-timeout 20m
;nmap_http_vuln      : nmap -sC -sV -Pn -v -p [PORT] --script=http-vuln* --script-args http-vuln-cve2014-3704.cmd="uname -a",http-vuln-cve2014-3704.uri="/drupal" [TARGET] -oN [OUTPUT].txt --host-timeout 40m --script-timeout 20m
;nmap_script_http    : nmap -sC -sV -Pn -v -p [PORT] --script=http-* [TARGET] -d -oN [OUTPUT].txt -oX [OUTPUT].xml --host-timeout 120m --script-timeout 20m
;curl_main           : curl -i http:/[TARGET]:[PORT]/[PATH] -o [OUTPUT].txt
;cmsmap              : cmsmap http://[TARGET]:[PORT]/[PATH] -s -t3 -o [OUTPUT].txt

[https]
whatweb-3           : whatweb https://[TARGET]:[PORT]/[PATH] -a3 --colour=never | sed s/],/]\\n/g | tee [OUTPUT].txt
photon              : python3 /opt/Photon/photon.py -u https://[TARGET]:[PORT]/[PATH] -o [OUTPUT] -e json && cat [OUTPUT]/exported.json | tee [OUTPUT].txt
wayback             : curl -sX GET "http://web.archive.org/cdx/search/cdx?url=http://[TARGET]:[PORT]/[PATH]&output=text&fl=original&collapse=urlkey&matchType=prefix" | tee [OUTPUT].txt
cewl                : cewl https://[TARGET]:[PORT]/[PATH] -m 6 -w [OUTPUT].txt
nikto               : nikto -h https://[TARGET]:[PORT]/[PATH] -ssl -output [OUTPUT].txt
wpscan              : wpscan --url https://[TARGET]:[PORT]/[PATH] --disable-tls-checks --no-banner -f cli-no-color --enumerate p t tt u | tee [OUTPUT].txt
gobuster_common     : gobuster dir -u https://[TARGET]:[PORT]/[PATH] -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee [OUTPUT].txt
gobuster_cm_w_slash : gobuster dir -u https://[TARGET]:[PORT]/[PATH] -f -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,302,307,403,500' -e -n -q | tee [OUTPUT].txt
;gobuster_2.3-medium : gobuster dir -u https://[TARGET]:[PORT]/[PATH] -k -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -s '200,204,307,403,500' -e -n -q | tee [OUTPUT].txt
;gobuster_2.3-md_slash : gobuster dir -u https://[TARGET]:[PORT]/[PATH] -f -k -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -s '200,204,307,403,500' -e -n -q | tee [OUTPUT].txt
;gobuster_robots1    : gobuster dir -u https://[TARGET]:[PORT]/[PATH] -k -w /usr/share/seclists/Discovery/Web-Content/RobotsDisallowed-Top1000.txt -s '200,204,302,307,403,500' -e -n -q | tee [OUTPUT].txt
;gobuster_robots_slash :  gobuster dir -u https://[TARGET]:[PORT]/[PATH] -f -k -w /usr/share/seclists/Discovery/Web-Content/RobotsDisallowed-Top1000.txt -s '200,204,302,307,403,500' -e -n -q | tee [OUTPUT].txt
;gobuster_cgis       : gobuster dir -u https://[TARGET]:[PORT]/ -k -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,301,307,403,500' -e -n -q > '[OUTPUT].txt
;gobuster_cgis_slash : gobuster dir -u https://[TARGET]:[PORT]/ -f -k -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,301,307,403,500' -e -n -q > '[OUTPUT].txt
;wappalyzer_cli      : docker run --rm wappalyzer/cli https://[TARGET]:[PORT]/[PATH] | jq . | tee [OUTPUT].txt
;whatweb-4           : whatweb https://[TARGET]:[PORT]/[PATH] -a4 --colour=never | sed s/],/]\\n/g | tee [OUTPUT].txt
;sqlmap              : sqlmap -u https://[TARGET]:[PORT]/[PATH] --batch --crawl=5 --level 1 --risk 1 -f -a --smart -v0 --disable-coloring | tee [OUTPUT].txt
;curl_robots         : curl https://[TARGET]:[PORT]/[PATH]/robots.txt --user-agent 'Googlebot/2.1 (+http://www.google.com/bot.html)' --connect-timeout 30 --max-time 180 | tee [OUTPUT].txt
;nmap_https_vuln     : nmap [TARGET] -p [PORT] -sC -sV -Pn  --script=http-vuln* --script-args http-vuln-cve2014-3704.cmd="uname -a",http-vuln-cve2014-3704.uri="/drupal" [TARGET] -oN [OUTPUT].txt --host-timeout 40m --script-timeout 20m
;nmap_https_vanquish : nmap [TARGET] -p [PORT] --script='(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)' -oN [output].txt --host-timeout 20m --script-timeout 20m
;nmap_all_http       : nmap -sC -sV -Pn -v -p [PORT] --script=http-* [TARGET] -d -oN [OUTPUT].txt -oX [OUTPUT].xml --host-timeout 120m --script-timeout 20m
;curl_main           : curl -i https://[TARGET]:[PORT] -o [OUTPUT].txt
;sslscan             : sslscan --no-colour [TARGET]:[PORT] | tee [OUTPUT].txt
;sslyze              : sslyze [TARGET]:[PORT] --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers  >| tee [OUTPUT].txt
;cmsmap              : cmsmap https://[TARGET]:[PORT]/[PATH] -s -t3 -o [OUTPUT].txt

[ftp]
nmap_scripts        : nmap [TARGET] -sC -sV -Pn -vv -p[PORT] --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN [OUTPUT].txt
hydra_ftp_best15    : hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -f -o [OUTPUT].txt -u [TARGET] -s [PORT] ftp

[dns]
dnsrecon            : dnsrecon -t axfr -d [TARGET] | tee [OUTPUT].txt
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn  -oN [OUTPUT].txt

[microsoftsql]
nmap_scripts        : nmap [TARGET] -p [PORT] -sC -vv -sV -Pn --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=[PORT],smsql.username-sa,mssql.password-sa -oN [OUTPUT].txt

[telnet]
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn  -oN [OUTPUT].txt
;disabled : ncat -nv [TARGET] [PORT]

[smb]
nmap_scripts_vuln   : nmap [TARGET] -sC -sV -Pn -vv -p 139,[PORT] --script=smb-vuln* --script-args=unsafe=1 -oN '[OUTPUT].txt
enum4linux          : enum4linux -a [TARGET] | tee [OUTPUT].txt
nmap_script_smbusers: nmap [TARGET] -sC -sV -Pn -vv -p [PORT] --script=smb-enum-users -oN '[OUTPUT].txt

[remotedesktop]
ncrack_best15       : ncrack -vv --user administrator -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt rdp://[TARGET] | tee [OUTPUT].txt
crowbar_best15      : crowbar -b rdp -u -s [TARGET]/32 -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -C /usr/share/seclists/Passwords/Common-Credentials/best15.txt | tee [OUTPUT].txt
nmap_service_scan   : nmap -sC -sV -v -Pn [TARGET] -p [PORT] -oN [OUTPUT].txt
;patator            : python /opt/patator/patator.py rdp_login host=[TARGET] port=[PORT] user=FILE0 password=FILE1 0=/usr/share/seclists/Usernames/top-usernames-shortlist.txt 1=/usr/share/seclists/Passwords/Common-Credentials/best15.txt -x ignore:fgrep='Authentication failure' -x ignore:fgrep='connection failure' | tee [OUTPUT].txt

[smtp]
smtp-user-enum      : smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t [TARGET] -p [PORT] | tee [OUTPUT].txt
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn  -oN [OUTPUT].txt

[snmp]
nmap_scripts        : nmap -sV -Pn -vv -p[PORT] --script=snmp-netstat,snmp-processes -oN '[OUTPUT].txt
onesixtyone         : onesixtyone [TARGET] | tee [OUTPUT].txt
snmpwalk_public     : snmpwalk -c public -v1 [TARGET] | tee [OUTPUT].txt
snmpwalk_private    : snmpwalk -c private -v1 [TARGET] | tee [OUTPUT].txt

[ssh]
medusa              : medusa -u root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -e ns -h [TARGET] - [PORT] -M ssh | tee [OUTPUT].txt
hydra_ssh_best15    : hydra -f -V -t 1 -l root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt -s [PORT] [TARGET] ssh | tee [OUTPUT].txt
ncrack_ssh_best15   : ncrack -vv -p [PORT] --user root -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt [TARGET] | tee [OUTPUT].txt
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn -oN [OUTPUT].txt
ssh_audit           : ssh-audit -P [PORT] -n [TARGET] | tee [OUTPUT].txt

[msrpc]
nmblookup           : nmblookup -A [TARGET] | tee [OUTPUT].txt
smbclient           : smbclient -L //[TARGET] -p [PORT] -N | tee [OUTPUT].txt
enum4linux          : enum4linux -a [TARGET] | tee [OUTPUT].txt
rpcclient           : rpcclient -U \"\" [TARGET] -p [PORT] -N | tee [OUTPUT].txt
nmap_service_scan   : nmap -sC -sV -v -Pn [TARGET] -p [PORT] -oN [OUTPUT].txt

[netbios-ssn]
nmblookup           : nmblookup -A [TARGET] | tee [OUTPUT].txt
enum4linux          : enum4linux -a [TARGET] | tee [OUTPUT].txt
rpcclient           : rpcclient -U \"\" [TARGET] -p [PORT] -N | tee [OUTPUT].txt
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn -oN [OUTPUT].txt
;smbclient           : smbclient //MOUNT/share -I [TARGET] N
;smbclient           : smbclient -L //[TARGET] -p [PORT] -N | tee [OUTPUT].txt

[cups]
cups_searchsploit   : searchsploit cups | tee [OUTPUT].txt
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn -oN [OUTPUT].txt

[java-rmi]
javarmi_searchsploit: searchsploit java rmi | tee [OUTPUT].txt
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn -oN [OUTPUT].txt

[vnc]
vnc_searchsploit    : searchsploit vnc | tee [OUTPUT].txt
;vnc-patator         : python /opt/patator/patator.py vnc_login host=[TARGET] port=[PORT] password=FILE0 0=/usr/share/seclists/Passwords/Common-Credentials/500-worst-passwords.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries -1 -x quit:code=0 | tee [OUTPUT].txt
nmap_service_scan   : nmap -sC -sV -v -Pn [TARGET] -p [PORT] -oN [OUTPUT].txt
;crowbar             : crowbar -b vnckey -s [TARGET]/32 -p [TARGET] -k {PASSWD_FILE} | tee [OUTPUT].txt

[oracle]
oracle_searchsploit : searchsploit Oracle TNS Listener | tee [OUTPUT].txt
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn -oN [OUTPUT].txt

[kerberos]
kerberos_searchsploit : searchsploit kerberos | tee [OUTPUT].txt
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn -oN [OUTPUT].txt

[ldap]
ldap_searchsploit   : searchsploit ldap | tee [OUTPUT].txt
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn -oN [OUTPUT].txt

[imap]
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn -oN [OUTPUT].txt

[icslap]
nmap_service_scan   : nmap [TARGET] -p [PORT] -sC -sV -v -Pn -oN [OUTPUT].txt