# Table of Contents
1. [start](#start)
2. [pwd](#pwd)
3. [dns-ldap](#dns-ldap)
4. [recon](#recon)
5. [rpc](rpc)
6. [fuzz](#fuzz)
7. [print](#print)

## Begin <a name="start"></a>

In [None]:
# expected to run with papermill, so gonna do some additional santizing as i can
input_data="10.13.37.14"

In [None]:
#papermill_description=Setup_target

import netaddr, netifaces, pwn, time, re, validators
from dns import resolver
iplist = [netifaces.ifaddresses(i)[netifaces.AF_INET][0]["addr"] for i in netifaces.interfaces() if netifaces.AF_INET in netifaces.ifaddresses(i)]
print("Local Interfaces:")
for i in iplist: 
    print("- "+i)
ip=""
Host=""
input_data=str(input_data)
print("\nTarget: "+input_data+"\n")
try:
    try:
        # try to identify if this is a valid ip address
#        print(netaddr.valid_ipv4(input_data))
        if netaddr.valid_ipv4(input_data):
            ip=input_data
        elif netaddr.valid_ipv6(input_data):
            ip=input_data
        else:
            ip=""
#        print(ip)
    except:
        print('not an ip address')
    if ip == "":
        # this case exists to resolve the domain name to provide both ip and host
        try:
            ip=resolver.resolve(input_data, "A").response.answer[0][0].address
            print('ip = '+str(ip))
            Host=str(input_data)
        except:
            print('host lookup failed')
            # this would mean ip = "" and the input data isn't a resolvable name
    else:
        #this case is if ip exists, set host to default target name
        #This was needed due to some cases creating stuff like vpn.10.10.10.10 which apparently works in curl but not most browsers
        Host=str("target.local")
except:
    print("put proper address")
    exit()
    

## Setup working directory <a name="pwd"></a>

In [None]:
#papermill_description=SetupWorkingDirectory
import re, requests, ldap3
hostsString=ip+" "+Host
!sed -i /{Host}/d /etc/hosts
!echo {hostsString} >> /etc/hosts
workingDir="/share/pentests/"+str(input_data)
!mkdir {workingDir} 2>/dev/null
print("Changing directory to: ")
%cd {workingDir}

## Check if either DNS or LDAP <a name="dns-ldap"></a>

In [None]:
#papermill_description=CheckDNS_and_LDAP
# it seemed far quicker to just try it and see what happens, instead of finding if these ports exist first. may change later
print("\nChecking for dns and ldap")
try:
    if Host != ip:
        testdns=resolver.Resolver(configure=False)
        testdns.nameservers=[ip]
        testdns.resolve(Host, "a")
except:
    pass
try:
    !dnsrecon -r {ip}/32 -n {ip} >> self-dns-check
    !dnsrecon -r {ip}/28 -n {ip} >> self-dns-check
    !dnsrecon -r {ip}/24 -n {ip} >> self-dns-check
    !dnsrecon -r 127.0.0.1/24 -n {ip} >> self-dns-check
    !dnsrecon -d {Host} -a >> self-dns-check
    !dnsrecon -d {Host} -D /share/pentests/wordlists/dns.txt >> self-dns-check
except Exception as e:
    #print(e)
    print('--Likely not a dns server--')
    !echo {ip} {Host} >> self-dns-check
    pass
try:
 server=ldap3.Server(ip, get_info=ldap3.ALL, port=389, use_ssl=False)
 connection=ldap3.Connection(server)
 connection.bind()
 dcinfo=server.info
 open("dcinfo.txt",'w').write(str(dcinfo))
 print("DC Info: \n"+str(dcinfo))
 ldapHostname=!grep -i hostname dcinfo.txt -A1|grep -iv dnshostname|sed s/"\s"//g
 ldapHostname=str(ldapHostname).replace("[","").replace("]","")
 print(ldapHostname)
 !echo "[*]      A "{ldapHostname}>> self-dns-check
except Exception as e:
    print(e)
    print('--Likely not an ldap server--')
    pass

# If ldapHostname was defined, use it to re-write hosts.
try:
 command="""n=`awk -F "\t" '{print $2}' self-dns-check |sort -u|grep -iv localhost|sed /^[[:space:]]*$/d|awk '{print $2}' |sed s/\$/" "/g|tr -d '\\n'`; o=`grep -m1 """+Host+""" /etc/hosts`; e="""+ldapHostname+"""; sed "s/$o/$o $n $e/g" -i /etc/hosts"""
 !{command}
except:
 pass

## Start recon <a name="recon"></a>

In [None]:
#papermill_description=Nmap_and_whatweb
print("Running nmap:")
!nmap -sS -sV -p1- -Pn -n --open -oA {Host}.nmap {ip} >/dev/null
result=!grep -h http {Host}.nmap.nmap|grep -i "open"|awk -F "/" '{{print $$1}}'
print("Web ports: "+str(result))
notwebresults=!grep -h open {Host}.nmap.nmap|grep -iv "http\|scan initiated"|awk -F "/" '{{print $$1}}'
print("Not web ports: "+str(notwebresults))
!cat {Host}.nmap.xml |jc --xml|jq . > {Host}-nmap.json
print("\nRunning whatweb:")
for port in result:
    for test in [Host, ip]:
        !whatweb http://{test}:$port >> whatweb-{Host} 2>/dev/null
        !whatweb https://{test}:$port >> whatweb-{Host} 2>/dev/null
!cat whatweb-{Host}
print("")

## Check rpc <a name="rpc"></a>

In [None]:
print("If msrpc, try rpcdump")
for each in notwebresults:
    if each in ['135', '139', '443', '445', '593']:
        !impacket-rpcdump -port {each} {ip} >> rpcinfo.log 2>/dev/null
        !grep -i ncacn_ip_tcp rpcinfo.log |sort -u

## Start Fuzz <a name="fuzz"></a>

In [None]:
#papermill_description=Begin_Fuzzing
def fuzzing():
    for port in result:
        for line in open("/etc/hosts","r").readlines():
            if Host in line:
                for name in set(str(line).replace("\n","").split(" ")):
                    if validators.domain(name) or validators.ip_address.ipv4(name) or validators.ip_address.ipv6(name):
                        #print(name+":"+port)
                        try:
                            if validators.domain(name):
                                testname='.'.join(name.split('.')[-2:])
                            else:
                                testname="target.local"
                            check=requests.get('http://'+name+":"+port, timeout=20)
                            length=str(len(check.content))
                            if check.status_code: #check if http
                                command="ffuf -s -v -u http://"+name+":"+port+"/FUZZ -recursion -w /share/pentests/wordlists/webcontent-top-10000.txt -o ffuf-"+name+"-"+port+"-http-log >/dev/null"
                                output=!{command}
                                #print(output)
                                command="ffuf -s -v -u http://"+name+":"+port+" -H 'Host: FUZZ."+name+"' -w /share/pentests/wordlists/dns-top-10000.txt -o ffuf-"+name+"-"+port+"-dns-log >/dev/null"
                                output=!{command}
                                #print(output)
                                if name != ip: #instead of re-checking that it's an ip, just check to make sure an ip wasn't pulled from hosts (a situation that happens when overwriting it wrong
                                    command="ffuf -s -v -u http://"+name+":"+port+" -H 'Host: FUZZ."+testname+"' -w /share/pentests/wordlists/dns-top-10000.txt -fs "+length+" -o ffuf-"+testname+"-"+port+"-dns-log >/dev/null"
                                    output=!{command}
                                    #print(output)
                            else: #just go ahead and try https, if this fails, it's irrelevant to put into another if clause
                                command="ffuf -s -v -u https://"+name+":"+port+"/FUZZ -recursion -w /share/pentests/wordlists/webcontent-top-10000.txt -o ffuf-"+name+"-"+port+"-http-log >/dev/null"
                                output=!{command}
                                #print(output)
                                command="ffuf -s -v -u https://"+name+":"+port+" -H 'Host: FUZZ."+name+"' -w /share/pentests/wordlists/dns-top-10000.txt -o ffuf-"+name+"-"+port+"-dns-log >/dev/null"
                                output=!{command}
                                #print(output)
                                if name != ip: #instead of re-checking that it's an ip, just check to make sure an ip wasn't pulled from hosts (a situation that happens when overwriting it wrong
                                    command="ffuf -s -v -u https://"+name+":"+port+" -H 'Host: FUZZ."+testname+"' -w /share/pentests/wordlists/dns-top-10000.txt -fs "+length+" -o ffuf-"+testname+"-"+port+"-dns-log >/dev/null"
                                    output=!{command}
                                    #print(output)
                        except Exception as e: 
                            #print(e)
                            pass
                break

def wordpress(url):
    !docker exec -it kali-0 wpscan --random-user-agent --detection-mode aggressive --plugins-detection aggressive -t 20 -P /data/wordlists/SecLists/Passwords/2023-200_most_used_passwords.txt -e dbe,ap,at,tt,cb,u,m --url {url} >> wpscan

print("\nBegin fuzzing:")
fuzzing()
command="""n=`awk -F "\t" '{print $2}' self-dns-check |sort -u|grep -iv localhost|sed /^[[:space:]]*$/d|awk '{print $2}' |sed s/"$"/" "/g|tr -d '\\n'`; o=`grep -m1 """+Host+""" /etc/hosts`; e=`cat ffuf-*-dns-log|jq -c '.results[] | {url:.url,host:.host,status:.status,length:.length}|map(.)'|awk -F ',' '!s[$4]++' |awk -F '"' '{print $4}'|sort|uniq |sed s/"$"/" "/g|tr -d '\\n'`; sed "s/$o/$o $n $e/g" -i /etc/hosts; grep """+Host+""" /etc/hosts"""
output=!{command}
data=[]
for i in output:
    for o in i.split(' '):
        data.append(o)
print("Found domain results")
for each in set(data):
    if each != "" and each != "\n":
        print(each)
fuzzing()
print("Unique length: ")
!cat ffuf*dns*log |jq -c '.results[] | {size: .length}'|sort -u
time.sleep(2)
command="""for each in `ls ffuf-*`; do cat $each | jq -c '.results[] | {url:.url,status: .status}'; done|sort -u|grep -i 'status":200' """
output=!{command}
print("Found working urls:")
for each in re.findall("://www.([\w\-\.]+)", str(output)):
    print(each)
    if "wp-" in each:
        wordpress(each.split("/")[2])

## Use fuzz results to crawl <a name="print"></a>

In [None]:
#papermill_description=CrawlUrlList
print("Crawled urls:")
!cat ffuf-*-log |jq ".results[] |.url, .input.FUZZ, .status"|sed 'N;N;s/\n/ /g' |sed s/'" "'/'\/'/g|sed s/'"'//g|grep -i "200\|301" |awk '{print $1}'|sort -u >> urls1.txt
!cat urls1.txt |  docker exec -w /data/{str(input_data)}/ -i kali-0 gospider -S /dev/stdin --sitemap --robots -d 900 -c 10 -t 10 -w -o ./crawled0urls 2>&1 >/dev/null
!cat crawled0urls/* |sort -u