#!/bin/bash
# ______________________________________________
# | ____ _ _ _ _ |
# | | __ ) __ _| |_| |_ __ _| (_) ___ _ __ |
# | | _ \ / _` | __| __/ _` | | |/ _ \| '_ \ |
# | | |_) | (_| | |_| || (_| | | | (_) | | | | |
# | |____/ \__,_|\__|\__\__,_|_|_|\___/|_| |_| |
# |_____________________________________________|
#
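#######################################
# Print the full command-line reference.
# The two prose paragraphs at the end were previously emitted with a chain of
# `echo -n` calls that lacked separating spaces ("exist.You can", "allowed" +
# "for scanning"), so the text is now a single quoted here-document.
# Note for operators: the Shodan and Hunter keys are read from the command
# line (--shodan/--hunter), so they appear in the process listing while the
# scan runs and typically in shell history.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout
# Returns:   0
#######################################
usage() {
  cat <<'EOF'
Usage: battalion --name <name> --out <dir> --domain <domain> --company <company> [optional parameters] [--help]

Required Parameters:
 --name <scan name> Scan name that appears in output.
 --out <absolute path> Output directory for scan, should be an absolute path that exists.

Required Parameters for Domain Scan:
 --domain <domain> Domain being targeted by scan (example: google.com).

Required Parameters for User Scan:
 --company <company name> Company name as it appears on LinkedIn.

Optional Parameters:
 --subdomain-list <file> File containing subdomains to verify.
 --whitelist <file> File containing IP whitelist.
 --email-domain <domain> Used to set an email domain name (default is domain name).
 --email-format <format> Used to set an email format. This prevents discovery
 tasks from running and greatly increases scan speed.
 Formats will look {first}.{l} for 'firstname.lastinitial' formats.
 --nmap If this flag is set, Nmap scanning is added to the domain scan.
 --nmap-aggressive If this flag is set, aggressive Nmap scanning is enabled for the domain.
 --shodan <api key> Sets a Shodan API Key and adds Shodan to the domain scan.
 --hunter <api key> Sets a Hunter API Key and enables Hunter in the User scan.
 --timeout-http <seconds> Configure the timeout in seconds for HTTP detection.
 --timeout-eyewitness <seconds> Configure the timeout in seconds for EyeWitness.

Scan Types:
 --disable-domain Disable the domain scan.
 --disable-user Disable the user scan.

Additional Parameters:
 --help Display this usage text.

Subdomain Lists:
The subdomain list file is used to specify potential subdomains to test to see if they exist. You can generate a file yourself, or you can use a premade file. The dnsrecon tool that Battalion uses to perform these scans provides lists that we recommend utilizing.

IP Whitelist:
The IP Whitelist file is used to specify IP addresses (one per line) allowed for scanning. All domain-level scans after the initial domain scan are affected.
EOF
}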
#######################################
# Print the one-line synopsis plus a pointer to --help.
# Globals:   none
# Arguments: none
# Outputs:   two lines on stdout
# Returns:   0
#######################################
usage_short() {
  printf '%s\n' \
    "Usage: battalion --name <name> --out <dir> --domain <domain> --company <company> --email-domain <domain> [optional parameters] [--help]" \
    "Please use --help for more information."
}
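# Locate the Battalion checkout so the bundled tools can be found relative to
# it. Previously a failed `cd` silently left SCRIPT_DIRECTORY empty and every
# tool path degraded to "/tools/..."; now that is a hard error. `--` keeps an
# unusual path from being parsed as an option.
SCRIPT_DIRECTORY=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd) || {
  printf '[Error] Unable to determine the Battalion install directory.\n' >&2
  exit 1
}
export SCRIPT_DIRECTORY
# Each tool home may be overridden from the environment; otherwise it is the
# bundled copy under tools/.
export BATTALION_DNSRECON_HOME="${BATTALION_DNSRECON_HOME:-$SCRIPT_DIRECTORY/tools/dnsrecon}"
export BATTALION_EYEWITNESS_HOME="${BATTALION_EYEWITNESS_HOME:-$SCRIPT_DIRECTORY/tools/EyeWitness}"
export BATTALION_HARVESTER_HOME="${BATTALION_HARVESTER_HOME:-$SCRIPT_DIRECTORY/tools/theHarvester}"
export BATTALION_WHATWEB_HOME="${BATTALION_WHATWEB_HOME:-$SCRIPT_DIRECTORY/tools/WhatWeb}"
export BATTALION_WPSCAN_HOME="${BATTALION_WPSCAN_HOME:-$SCRIPT_DIRECTORY/tools/wpscan}"
export BATTALION_DNSTWIST_HOME="${BATTALION_DNSTWIST_HOME:-$SCRIPT_DIRECTORY/tools/dnstwist}"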
# Invoked with no arguments at all: show the short synopsis and stop cleanly.
if (( $# == 0 )); then
  usage_short
  exit 0
fi
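#######################################
# Parse the command-line options into the configuration variables that the
# rest of the script (and the scan sub-scripts) read.
# Previously an option that takes a value (e.g. `--name` given last) silently
# consumed an empty string or the following option; it is now rejected.
# Globals:   DOMAIN_SCAN_ENABLED, USER_SCAN_ENABLED, SCAN_NAME, SCAN_DIRECTORY,
#            DOMAIN_TARGET, DOMAIN_SUBDOMAIN_LIST, IP_WHITELIST_FILE,
#            DOMAIN_HTTP_SCAN_TIMEOUT, EYEWITNESS_TIMEOUT, NMAP_ENABLED,
#            NMAP_AGGRESSIVE_ENABLED, SHODAN_ENABLED, SHODAN_API_KEY,
#            HUNTER_ENABLED, HUNTER_API_KEY, COMPANY_NAME, EMAIL_DOMAIN,
#            SPECIFIED_EMAIL_FORMAT (written)
# Arguments: the script's "$@"
# Outputs:   diagnostics on stderr; --help prints the usage text on stdout
# Returns:   0; exits the script on --help (0) or on a bad option (1)
#######################################
parse_args() {
  local key
  while (( $# > 0 )); do
    key=$1
    case "$key" in
      --disable-domain)
        export DOMAIN_SCAN_ENABLED=false
        ;;
      --disable-user)
        export USER_SCAN_ENABLED=false
        ;;
      --nmap)
        NMAP_ENABLED=true
        ;;
      --nmap-aggressive)
        NMAP_AGGRESSIVE_ENABLED=true
        ;;
      --help)
        usage
        exit 0
        ;;
      --name|--out|--domain|--subdomain-list|--whitelist|--timeout-http|--timeout-eyewitness|--shodan|--hunter|--company|--email-domain|--email-format)
        # Every option in this arm consumes the next word as its value; refuse
        # to treat "nothing" or another option as that value.
        if (( $# < 2 )) || [[ "$2" == --* ]]; then
          printf "[Error] Option '%s' requires a value.\n" "$key" >&2
          exit 1
        fi
        case "$key" in
          --name) SCAN_NAME=$2 ;;
          --out) SCAN_DIRECTORY=$2 ;;
          --domain) DOMAIN_TARGET=$2 ;;
          --subdomain-list) DOMAIN_SUBDOMAIN_LIST=$2 ;;
          --whitelist) IP_WHITELIST_FILE=$2 ;;
          --timeout-http) DOMAIN_HTTP_SCAN_TIMEOUT=$2 ;;
          --timeout-eyewitness) EYEWITNESS_TIMEOUT=$2 ;;
          --shodan)
            # The key is taken from argv, so it is visible in the process
            # listing for the lifetime of the scan.
            export SHODAN_ENABLED=true
            SHODAN_API_KEY=$2
            ;;
          --hunter)
            export HUNTER_ENABLED=true
            HUNTER_API_KEY=$2
            ;;
          --company) COMPANY_NAME=$2 ;;
          --email-domain) EMAIL_DOMAIN=$2 ;;
          --email-format) SPECIFIED_EMAIL_FORMAT=$2 ;;
        esac
        shift
        ;;
      *)
        printf "Unrecognized parameter '%s'\n\n" "$1" >&2
        exit 1
        ;;
    esac
    shift
  done
}

# Both scan types run unless explicitly disabled.
DOMAIN_SCAN_ENABLED=true
USER_SCAN_ENABLED=true
parse_args "$@"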
# Hand the parsed configuration to the scan sub-scripts through the
# environment, filling in defaults for anything the caller left unset.
# The Shodan and Hunter keys arrive on the command line (--shodan/--hunter)
# and are exported here, so they are readable by anything able to inspect
# this process's arguments or its children's environment.
export SCAN_NAME DOMAIN_TARGET SHODAN_API_KEY HUNTER_API_KEY COMPANY_NAME IP_WHITELIST_FILE
# `${var:=default}` assigns the default when the variable is unset or empty.
: "${DOMAIN_SUBDOMAIN_LIST:=$BATTALION_DNSRECON_HOME/subdomains-top1mil-20000.txt}"
: "${DOMAIN_HTTP_SCAN_TIMEOUT:=3}"
: "${EYEWITNESS_TIMEOUT:=15}"
: "${NMAP_ENABLED:=false}"
: "${NMAP_AGGRESSIVE_ENABLED:=false}"
: "${SHODAN_ENABLED:=false}"
: "${HUNTER_ENABLED:=false}"
: "${EMAIL_DOMAIN:=$DOMAIN_TARGET}"
export DOMAIN_SUBDOMAIN_LIST DOMAIN_HTTP_SCAN_TIMEOUT EYEWITNESS_TIMEOUT \
  NMAP_ENABLED NMAP_AGGRESSIVE_ENABLED SHODAN_ENABLED HUNTER_ENABLED EMAIL_DOMAIN
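# Validate the configuration before any directory is created or scan launched.
# Every problem is reported before exiting so they can all be fixed at once.
# Diagnostics go to stderr, and the enabled flags are compared as strings
# rather than executed as commands (which `$DOMAIN_SCAN_ENABLED && ...` did).
CONFIGURATION_ERROR=false

#######################################
# Record one configuration problem.
# Globals:   CONFIGURATION_ERROR (written)
# Arguments: $1 - message
# Outputs:   "[Error] <message>" on stderr
#######################################
config_error() {
  printf '[Error] %s\n' "$1" >&2
  CONFIGURATION_ERROR=true
}

if [[ -z "$SCAN_NAME" ]]; then
  config_error "The scan name must be configured."
fi
if [[ -z "$SCAN_DIRECTORY" ]]; then
  config_error "The scan directory must be configured."
fi
if [[ "$DOMAIN_SCAN_ENABLED" == true ]]; then
  if [[ -z "$DOMAIN_TARGET" ]]; then
    config_error "The domain target must be configured for domain scans."
  fi
  # The list always has a default path, so the meaningful check is that the
  # file can actually be read, not merely that the variable is non-empty.
  if [[ -z "$DOMAIN_SUBDOMAIN_LIST" || ! -r "$DOMAIN_SUBDOMAIN_LIST" ]]; then
    config_error "A valid subdomain list file must be configured for domain scans."
  fi
fi
if [[ -n "$IP_WHITELIST_FILE" && ! -r "$IP_WHITELIST_FILE" ]]; then
  config_error "The IP whitelist file '${IP_WHITELIST_FILE}' cannot be read."
fi
if [[ "$USER_SCAN_ENABLED" == true && -z "$COMPANY_NAME" ]]; then
  config_error "If the user scan is enabled a company name must be configured."
fi
if [[ "$CONFIGURATION_ERROR" == true ]]; then
  exit 1
fi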
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Prepare scan directory structure.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Layout of the scan output tree. Every path hangs off SCAN_DIRECTORY and is
# exported so the sub-scripts write to the same places.
export SCAN_DIRECTORY
export \
  DOMAIN_DIRECTORY="$SCAN_DIRECTORY/domain" \
  WHATWEB_DIRECTORY="$SCAN_DIRECTORY/whatweb" \
  HTTP_DIRECTORY="$SCAN_DIRECTORY/http" \
  NMAP_DIRECTORY="$SCAN_DIRECTORY/nmap" \
  WORDPRESS_DIRECTORY="$SCAN_DIRECTORY/wordpress" \
  EYEWITNESS_DIRECTORY="$SCAN_DIRECTORY/eyewitness-report" \
  WHOIS_DIRECTORY="$SCAN_DIRECTORY/whois" \
  SHODAN_DIRECTORY="$SCAN_DIRECTORY/shodan" \
  USER_DIRECTORY="$SCAN_DIRECTORY/user" \
  REPORT_DIRECTORY="$SCAN_DIRECTORY/report"
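#######################################
# Create one output directory (and its parents) if it does not already exist.
# Previously every failure was swallowed with `|| true`; a missing output
# directory now produces a diagnostic and a non-zero status instead of
# surfacing later as scan tools failing to write.
# Arguments: $1 - directory path
# Outputs:   an error line on stderr when the directory cannot be created
# Returns:   0 when the directory exists afterwards, 1 otherwise
#######################################
build_dir() {
  local dir=$1
  if [[ -z "$dir" ]]; then
    printf '[Error] build_dir called with an empty path.\n' >&2
    return 1
  fi
  # Only stdout is silenced; mkdir's own diagnostic still reaches stderr.
  if ! mkdir -p -- "$dir" >/dev/null; then
    printf '[Error] Could not create directory %s\n' "$dir" >&2
    return 1
  fi
  return 0
}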
# Create the whole output tree up front so every scan stage finds its target.
for output_dir in \
  "$SCAN_DIRECTORY" \
  "$DOMAIN_DIRECTORY" \
  "$WHATWEB_DIRECTORY" \
  "$HTTP_DIRECTORY" \
  "$NMAP_DIRECTORY" \
  "$WORDPRESS_DIRECTORY" \
  "$EYEWITNESS_DIRECTORY" \
  "$WHOIS_DIRECTORY" \
  "$SHODAN_DIRECTORY" \
  "$USER_DIRECTORY" \
  "$REPORT_DIRECTORY"; do
  build_dir "$output_dir"
done
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Scan Startup
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# First acquire the Host IP address for reporting purposes.
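# First acquire the host's public IP address for reporting purposes.
# This is an outbound request to a third-party service, so it is bounded with
# a timeout and treated as best-effort: a failed lookup yields "unknown"
# rather than an empty value. HTTPS is used so the answer is not tampered
# with in transit, only the "ip" field is matched (a bare `grep ip` also
# matches any other line containing those letters), and only the first match
# is taken so the value is always a single line.
HOST_IP_ADDRESS=$(curl -s --max-time 10 https://ipinfo.io | grep -m1 '"ip"' | cut -d'"' -f4)
export HOST_IP_ADDRESS="${HOST_IP_ADDRESS:-unknown}"
printf '>> Battalion <<\n\n'
printf "Running scan '%s' from IP address %s\n\n" "$SCAN_NAME" "$HOST_IP_ADDRESS"
# Per-stage helper scripts used by the two scan drivers.
export DOMAIN_SCAN_SCRIPTS="$SCRIPT_DIRECTORY/domain-scan/scripts"
export USER_SCAN_SCRIPTS="$SCRIPT_DIRECTORY/user-scan/scripts"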
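# Launch the enabled scan drivers in the background and remember their PIDs
# so the wait section below can collect them. Script paths are quoted (an
# install directory containing spaces previously split the command) and the
# enabled flags are compared as strings rather than executed as commands.
if [[ "$DOMAIN_SCAN_ENABLED" == true ]]; then
  "$SCRIPT_DIRECTORY/domain-scan/domain-scan.sh" &
  DOMAIN_SCAN_PID=$!
  printf '\t+ Domain scan is enabled and is running with PID %s.\n' "$DOMAIN_SCAN_PID"
else
  printf '\t- Domain scan is disabled.\n'
fi
# Note that due to how the user scan polls HaveIBeenPwned, it currently runs extremely
# slowly and will probably outlive the rest of the scanning.
if [[ "$USER_SCAN_ENABLED" == true ]]; then
  # Intermediate and final user-scan artefacts, all under USER_DIRECTORY.
  export LINKEDIN_RESULTS="${USER_DIRECTORY}/linkedin-users.txt"
  export POSSIBLE_EMAILS="${USER_DIRECTORY}/possible-emails.txt"
  export COMPROMISED_STYLE="${USER_DIRECTORY}/compromised-style.txt"
  export PROBABLE_EMAILS="${USER_DIRECTORY}/probable-emails.txt"
  export COMPROMISED_EMAILS="${USER_DIRECTORY}/compromised-emails.txt"
  export SPECIFIED_EMAIL_FORMAT
  "$SCRIPT_DIRECTORY/user-scan/user-scan.sh" &
  USER_SCAN_PID=$!
  printf '\t+ User scan is enabled and is running with PID %s.\n' "$USER_SCAN_PID"
else
  printf '\t- User scan is disabled.\n'
fi
echo ""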
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Wait for the scans to complete
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
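# Collect each background driver. `wait <pid>` returns that job's exit
# status, which was previously discarded so a failed scan still printed
# "complete"; a non-zero status is now reported on stderr instead.
domain_scan_status=0
user_scan_status=0
if [[ "$DOMAIN_SCAN_ENABLED" == true ]]; then
  wait "$DOMAIN_SCAN_PID" || domain_scan_status=$?
  if (( domain_scan_status == 0 )); then
    echo "Domain scan complete."
  else
    printf 'Domain scan finished with exit status %s.\n' "$domain_scan_status" >&2
  fi
fi
if [[ "$USER_SCAN_ENABLED" == true ]]; then
  wait "$USER_SCAN_PID" || user_scan_status=$?
  if (( user_scan_status == 0 )); then
    echo "User scan complete."
  else
    printf 'User scan finished with exit status %s.\n' "$user_scan_status" >&2
  fi
fi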
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Part X - Complete!
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Final summary line, preceded by a blank line.
printf "\nCompleted scan '%s' in directory %s\n" "$SCAN_NAME" "$SCAN_DIRECTORY"