This repository contains self-made and common scripts for information gathering, enumeration and more.
I use this repository mostly for automated exploit chains. HackTheBox machines often involve steps like spawning a http server, serving a file, extracting content, steal data through custom DNS/FTP/SSH servers, spawning a reverse shell etc. Using this library I implement a script-to-root mechanism to chain all these steps together. Since the repository also includes lots of common payloads and binaries, I didn't want to put it on PyPI. If you got any recommendations for me, feel free to contact me!
PYTHON_DIR=$(python -c "import sys;print(sys.path[-1])")
# clone directly into python site-packages
git clone https://git.romanh.de/Roman/HackingScripts.git $PYTHON_DIR/hackingscripts
# or use a symlink
git clone https://git.romanh.de/Roman/HackingScripts.git
sudo ln -s $(pwd)/HackingScripts $PYTHON_DIR/hackingscripts
# Install requirements
pip3 install -r $PYTHON_DIR/hackingscripts/requirements.txt- first_scan.sh: Performs initial nmap scan
- gobuster.sh: Performs gobuster dir scan with raft-large-words-lowercase.txt
- subdomainFuzz.sh: Fuzzes subdomains for a given domain
- ssh-check-username.py: Check if user enumeration works for ssh
- git-dumper.py
- LinEnum.sh
- linpeas.sh
- lse.sh
- unix-privesc-check.sh
- uptux.py
- pspy64
- portscan.py: small python script, which scans open TCP ports natively with multithread support. Can be deployed on victim machines to scan the intranet.
- pingscan.py: small python script, which can detect internal hosts via ping probes natively. Can be deployed on victim machines to scan the intranet.
- deepce.sh: Docker Privilege Escalation (e.g. exposed socket)
- socat
- rev_shell.py: Generates a reverse shell command (e.g. netcat, python, ...)
- php-reverse-shell.php
- p0wny-shell.php
- aspx-reverse-shell.aspx
- jsp-webshell.jsp: webshell for Java servlets
- upload_file.py: Starts a local tcp server, for netcat usage
- xss_handler.py: Starts a local http server and generates xss payload to steal cookies
- padBuster.pl
- sql.php: Execute sql queries passed via GET/POST
- util.py: Collection of some small functions
- fileserver.py: Create a temporary http server serving in-memory files
- dnsserver.py: Create a temporary dns server responding dynamically to basic DNS requests (in-memory)
- sshserver.py: Create a temporary ssh server to intercept credentials (TODO: relay) (in-memory)
- smtpserver.py: Create a temporary smtp server (in-memory)
- template.py: Creates a template for web exploits, similar to pwnlib's template
- pcap_file_extract.py: Lists and extracts files from http connections found in pcap files
- find_git_commit.py: Compares a local repository (e.g. downloaded from a remote server) with another git repository to guess the commit hash. Useful to find used versions
- TODO: smb
- sqli.py: An sqlmap-like abstract class for automizing SQL-Injections (WIP)
- nc.exe/nc64.exe: netcat standalone binary
- mimikatz.exe
- plink.exe: command line PuTTY client for port forwarding
- powercat.ps1
- winPEAS.bat
- PowerView.ps1
- SharpHound.exe: BloodHound Ingestor
- windows-exploit-suggester.py
- aspx-reverse-shell.aspx
- xp_cmdshell.py (thanks to @alwayslucky)
- PetitPotam.py
- socat.exe
- TODO: add all Potatoes
TODO: Add some example code or bash commands on how to use the custom libraries, e.g. fileserver, xss_handler, etc.