#!/bin/bash
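# Scratch wordlists filled in later; cleanup() removes them. Abort at once if
# mktemp fails, otherwise the empty name would be passed to cp/sort/rm below.
SUBDOMAIN_WORDLIST=$(mktemp) || exit 1
DIRECTORY_WORDLIST=$(mktemp) || exit 1
# 0 = unknown, 1 = hostname, 2 = FQDN, 3 = IP address, 4 = CIDR range
# (set by targetcheck)
TARGET_TYPE=0
# 1 when a Shodan API key is configured and the target is not a private,
# unspecified or loopback address (set by shodancheck)
SHODAN=0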
banner() {
# Prints the ASCII-art banner in blue (\e[34m). The colour is not reset here;
# the next messages (printhelp and the [+]/[-]/[!] lines) emit \e[0m themselves.
# The art is a single quoted literal, so it is printed exactly as written.
echo -e '\e[34m
__ ___ ___ ___ __ ___
|__) |__ |\ | | |__ /__` |
| |___ | \| | |___ .__/ |
'
}
printhelp() {
  # Usage summary shown on an unsupported target. %b interprets the \e escapes
  # in the colour arguments, so the output matches the former echo -e lines.
  local green='\e[92m' red='\e[91m' yellow='\e[93m' reset='\e[0m'
  printf '%b[+]%b %s\n' "$green" "$reset" \
    'Automating high-level network and web application analysis together'
  printf '%b[-]%b %s\n' "$red" "$reset" \
    'WARNING: Do not use this against machines you are not authorized to test'
  printf '%b[!]%b %s\n' "$yellow" "$reset" \
    'ACTION: Run "pentest target"; see documentation for targets supported'
}
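zapcheck() {
  # Refuse to start while another ZAP instance is running.
  # The original wrapped the pipeline in $(...); that only worked because bash
  # falls back to the substitution's exit status when no command name results.
  # Run the pipeline directly as the if condition instead.
  if zap-cli status | grep -qi "ZAP is running"; then
    printf '%b[-]%b Error: ZAP is already running\n' '\e[91m' '\e[0m'
    printf '%b[!]%b Action: Stop ZAP\n' '\e[93m' '\e[0m'
    # Non-zero exit so a wrapper can tell this precondition failure from a
    # completed run (the original exited 0 here).
    exit 1
  fi
}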
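sort_output() {
  # Group the output files by tool: each NAME_* entry in the current directory
  # is moved into a directory called NAME (the part before the first '_').
  # Uses a glob instead of parsing `ls`, so names with spaces are handled.
  local entry prefix
  for entry in *_*; do
    # No match leaves the literal pattern; entries already moved by an earlier
    # iteration (same prefix) no longer exist either.
    [[ -e "$entry" ]] || continue
    prefix=${entry%%_*}
    # A leading underscore gives an empty tool name; nothing sensible to do.
    [[ -n "$prefix" ]] || continue
    mkdir -p -- "$prefix" || continue
    mv -- "$prefix"_* "$prefix"/ 2> /dev/null
  done
}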
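shodancheck() {
  # Decide whether Shodan look-ups are allowed for this run.
  # Arguments: $1 - target as given on the command line
  # Globals:   SHODAN (written): 1 only when an API key exists and the target
  #            is not a private, unspecified or loopback address
  local target=$1
  if [[ -f ~/.shodan/api_key ]]; then
    SHODAN=1
  fi
  # Never hand private or local addresses to a third-party service.
  # Glob patterns match '.' literally; the original regexes left the dots
  # unescaped, so e.g. "10x..." or "192x168..." were also (wrongly) excluded.
  # 127.* covers the whole loopback block rather than only 127.0.0.1.
  case "$target" in
    10.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[0-2].* | 192.168.* | 0.0.0.0 | 127.*)
      SHODAN=0
      ;;
  esac
}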
targetcheck() {
# Classifies $1 and hands it to pentest().
# Arguments: $1 - target as given on the command line (passed unquoted below)
# Globals:   TARGET_TYPE (written): 1 hostname, 2 FQDN, 3 IP address, 4 CIDR
# The IP and CIDR regexes are anchored, so at most one of the later checks
# matches; the hostname regex requires a letter in the last label, so dotted
# IPv4 addresses do not match it.
#if hostname
if echo $1 | grep -qP "^(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9-]*[a-zA-Z0-9])\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9])$";
then
TARGET_TYPE=1
#if FQDN
# Exactly three alphanumeric labels (e.g. sub.example.tld); anything else
# stays a plain hostname (type 1).
if echo $1 | grep -qi "^[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$";
then
TARGET_TYPE=2
fi
fi
#if ipv4 addr or ipv6 addr
# NOTE(review): `if $(...)` relies on bash using the substitution's exit status
# when the expansion yields no command name; `if echo ... | grep -q ...` is the
# conventional form. Also, in the IPv6 alternative the tokens `d`, `dd`, `s*`
# and the unescaped `.` in the embedded-IPv4 groups look like `\d`, `\s` and
# `\.` that lost their backslashes, so those forms are unlikely to match as
# written - compare with the upstream regex before relying on them.
if $(echo $1 | grep -qP "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$") || $(echo $1 | grep -qP "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*");
then
TARGET_TYPE=3
fi
#if ipv4 cidr or ipv6 cidr
# Same address regexes as above with a mandatory /prefix suffix (0-32 for
# IPv4, 0-128 for IPv6); the same `if $(...)` and lost-backslash remarks apply.
if $(echo $1 | grep -qP "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$") || $(echo $1 | grep -qP "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$");
then
TARGET_TYPE=4
fi
# Hands off to pentest(); every branch there ends the script with `exit`,
# so nothing after this call in main() is reached.
pentest $1 $TARGET_TYPE
}
pentest() {
# Runs the workflow for one target type and writes every result into the
# current directory (documentation_*, targets_*, nmap_*, dirb_*, nikto_*,
# shodan_*), then regroups those files with sort_output.
# Arguments: $1 - target, $2 - TARGET_TYPE from targetcheck
#            (1 hostname, 2 FQDN, 3 IP address, 4 CIDR range)
# Globals:   SHODAN, SUBDOMAIN_WORDLIST, DIRECTORY_WORDLIST (read)
# NOTE(review): every branch, including the error branch, ends in `exit`, so
# cleanup() in main() is never reached and the mktemp wordlists are left
# behind. All $1/$i expansions below are unquoted.
if [[ $2 -eq 1 ]];
then
# Bare hostname: subdomains found below are added as targets. The sleep gives
# the operator a moment to abort after the warning.
echo -e "\e[93m[!]\e[0m WARNING! I will automatically treat subdomains as targets!"
echo -e "\e[93m[!]\e[0m If you do not want that, specify a subdomain!"
sleep 5
echo -e "\e[92m[+]\e[0m Starting documentation for $1 at $(date)" | tee -a documentation_$(echo $1 | tr '.' '_').txt
/usr/bin/3dt $1
echo -e "\e[92m[+]\e[0m Creating Temporary File for Subdomain Bruteforcing at $(date)" | tee -a documentation_$(echo $1 | tr '.' '_').txt
# Subdomain wordlist = seclists top-20000 plus, when enabled, the names Shodan
# lists for the domain; deduped in place.
cp /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt $SUBDOMAIN_WORDLIST
if [ $SHODAN -eq 1 ]
then
shodan domain $1 2> /dev/null | grep --color=never . | awk '{print $1}' | sort -u >> $SUBDOMAIN_WORDLIST
fi
sort -ufo $SUBDOMAIN_WORDLIST $SUBDOMAIN_WORDLIST
echo -e "\e[92m[+]\e[0m Identifying subdomains to target at $(date): dnsenum -f $SUBDOMAIN_WORDLIST --enum --noreverse $1 -o dnsenum_$(echo $1 | tr '.' '_').txt 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.' '_').txt
dnsenum -f $SUBDOMAIN_WORDLIST --enum --noreverse $1 -o dnsenum_$(echo $1 | tr '.' '_').txt 2> /dev/null 1>&2
# Pulls names out of dnsenum's output file; only entries ending in .$1 that
# consist of exactly three alphanumeric labels survive the filter chain.
for i in $(cat dnsenum_$(echo $1 | tr '.' '_').txt | grep -v CNAME | grep --color=never 'fqdn' | sed 's/fqdn/ /g' | tr ' ' '\n' | grep -v "host" | grep -v "testdata" | sed 's/^.//g' | sed 's/...$//g' | sort -u | grep -v '>' | grep -v '<' | grep "^.*\.$1$" | grep "^[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$")
do
echo -e "\e[92m[+]\e[0m Adding $(echo $i | tr '[:upper:]' '[:lower:]') to targets_$(echo $1 | tr '.' '_').txt at $(date)" | tee -a documentation_$(echo $1 | tr '.' '_').txt
echo $(echo $i | tr '[:upper:]' '[:lower:]') >> targets_$(echo $1 | tr '.' '_').txt
done
echo -e "\e[92m[+]\e[0m Sorting and deduping targets at $(date): sort -ufo targets_$(echo $1 | tr '.' '_').txt targets_$(echo $1 | tr '.' '_').txt" | tee -a documentation_$(echo $1 | tr '.' '_').txt
sort -ufo targets_$(echo $1 | tr '.' '_').txt targets_$(echo $1 | tr '.' '_').txt # UFOs :)
for i in $(cat targets_$(echo $1 | tr '.' '_').txt)
do
if [ $SHODAN -eq 1 ]
then
echo -e "\e[92m[+]\e[0m Pulling OSINT for $i at $(date): shodan domain --details $i > shodan_$(echo $i | tr '.' '_').txt" | tee -a documentation_$(echo $1 | tr '.' '_').txt
shodan domain --details $i > shodan_$(echo $i | tr '.' '_').txt 2> /dev/null
fi
# NOTE(review): unlike the other branches this progress line is not tee'd
# into the documentation file.
echo -e "\e[92m[+]\e[0m Enumerating network info for $i at $(date): nmap -p- -T4 -sV -sC -oA nmap_$(echo $i | tr '.' '_') $i 2> /dev/null 1>&2"
nmap -p- -T4 -sV -sC -oA nmap_$(echo $i | tr '.' '_') $i 2> /dev/null 1>&2
# Web checks run only when the grepable nmap output reports 80/tcp open/http.
if cat nmap_$(echo $i | tr '.' '_').gnmap | grep -qi "80/open/tcp//http/";
then
# NOTE(review): the logged command names big.txt, but the dirb run below uses
# the merged common+big list in $DIRECTORY_WORDLIST.
echo -e "\e[92m[+]\e[0m Looking for misconfigured file permissions on $i at $(date): dirb http://$i/ /usr/share/dirb/wordlists/big.txt -o dirb_$(echo $i | tr '.' '_').txt 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.' '_').txt
cp /usr/share/dirb/wordlists/common.txt $DIRECTORY_WORDLIST
cat /usr/share/dirb/wordlists/big.txt >> $DIRECTORY_WORDLIST
sort -ufo $DIRECTORY_WORDLIST $DIRECTORY_WORDLIST
dirb http://$i/ $DIRECTORY_WORDLIST -o dirb_$(echo $i | tr '.' '_').txt 2> /dev/null 1>&2
echo -e "\e[92m[+]\e[0m Looking for webserver misconfigurations on $i at $(date): nikto -h $i -o nikto_$(echo $i | tr '.' '_').txt 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.' '_').txt
nikto -h $i -o nikto_$(echo $i | tr '.' '_').txt 2> /dev/null 1>&2
# autowasp is only invoked when running as root.
if [ "$EUID" -eq 0 ];
then
/usr/bin/autowasp $i
fi
fi
done
sort_output
exit
elif [[ $2 -eq 2 ]];
then
# test fqdn
if [ $SHODAN -eq 1 ]
then
echo -e "\e[92m[+]\e[0m Pulling OSINT for $1 at $(date): shodan domain --details $1 > shodan_$(echo $1 | tr '.' '_').txt" | tee -a documentation_$(echo $1 | tr '.' '_').txt
shodan domain --details $1 > shodan_$(echo $1 | tr '.' '_').txt 2> /dev/null
fi
echo -e "\e[92m[+]\e[0m Enumerating network info for $1 at $(date): nmap -p- -T4 -sV -sC -oA nmap_$(echo $1 | tr '.' '_') $1 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.' '_').txt
nmap -p- -T4 -sV -sC -oA nmap_$(echo $1 | tr '.' '_') $1 2> /dev/null 1>&2
#if port 80 is open
if cat nmap_$(echo $1 | tr '.' '_').gnmap | grep -qi "80/open/tcp//http/";
then
# NOTE(review): as in the hostname branch, the logged command names big.txt
# while the actual run uses the merged $DIRECTORY_WORDLIST.
echo -e "\e[92m[+]\e[0m Looking for misconfigured file permissions on $1 at $(date): dirb http://$1/ /usr/share/dirb/wordlists/big.txt -o dirb_$(echo $1 | tr '.' '_').txt 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.' '_').txt
cp /usr/share/dirb/wordlists/common.txt $DIRECTORY_WORDLIST
cat /usr/share/dirb/wordlists/big.txt >> $DIRECTORY_WORDLIST
sort -ufo $DIRECTORY_WORDLIST $DIRECTORY_WORDLIST
dirb http://$1/ $DIRECTORY_WORDLIST -o dirb_$(echo $1 | tr '.' '_').txt 2> /dev/null 1>&2
echo -e "\e[92m[+]\e[0m Looking for webserver misconfigurations on $1 at $(date): nikto -h $1 -o nikto_$(echo $1 | tr '.' '_').txt 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.' '_').txt
nikto -h $1 -o nikto_$(echo $1 | tr '.' '_').txt 2> /dev/null 1>&2
if [ "$EUID" -eq 0 ];
then
/usr/bin/autowasp $1
fi
fi
sort_output
exit
elif [[ $2 -eq 3 ]];
then
# test ip
# File names here replace both '.' and ':' so IPv6 addresses are usable.
echo -e "\e[92m[+]\e[0m Starting targets file at $(date)" | tee -a documentation_$(echo $1 | tr '.:' '__').txt
echo $1 > targets_$(echo $1 | tr '.:' '__').txt
if [ $SHODAN -eq 1 ]
then
echo -e "\e[92m[+]\e[0m Pulling OSINT for $1 at $(date): shodan host $1 > shodan_$(echo $1 | tr '.:' '__').txt" | tee -a documentation_$(echo $1 | tr '.:' '__').txt
shodan host $1 > shodan_$(echo $1 | tr '.:' '__').txt 2> /dev/null
fi
echo -e "\e[92m[+]\e[0m Enumerating network info for $1 at $(date): nmap -p- -T4 -sV -sC -oA nmap_$(echo $1 | tr '.:' '__') $1 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.:' '__').txt
nmap -p- -T4 -sV -sC -oA nmap_$(echo $1 | tr '.:' '__') $1 2> /dev/null 1>&2
# if port 80 is open
# NOTE(review): nmap wrote its files with tr '.:' '__', but this lookup and the
# dirb/nikto/documentation names below use tr '.' '_'. For IPv4 the two agree;
# for an IPv6 target the .gnmap file is not found and the web checks are
# silently skipped, and the log is split across two documentation files.
if cat nmap_$(echo $1 | tr '.' '_').gnmap | grep -qi "80/open/tcp//http/";
then
# This branch really does run dirb with big.txt alone (no merged wordlist).
echo -e "\e[92m[+]\e[0m Looking for misconfigured file permissions on $1 at $(date): dirb http://$1/ /usr/share/dirb/wordlists/big.txt -o dirb_$(echo $1 | tr '.' '_').txt 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.' '_').txt
dirb http://$1/ /usr/share/dirb/wordlists/big.txt -o dirb_$(echo $1 | tr '.' '_').txt 2> /dev/null 1>&2
echo -e "\e[92m[+]\e[0m Looking for webserver misconfigurations on $1 at $(date): nikto -h $1 -o nikto_$(echo $1 | tr '.' '_').txt 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.' '_').txt
nikto -h $1 -o nikto_$(echo $1 | tr '.' '_').txt 2> /dev/null 1>&2
if [ "$EUID" -eq 0 ];
then
/usr/bin/autowasp $1
fi
fi
sort_output
exit
elif [[ $2 -eq 4 ]];
then
#test cidr
# File names: '.'/':' become '_' and the '/' before the prefix length becomes
# '_cidr' (e.g. 203.0.113.0/24 -> 203_0_113_0_cidr24).
echo -e "\e[92m[+]\e[0m Starting targets file at $(date)" | tee -a documentation_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g').txt
echo $1 > targets_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g').txt
echo -e "\e[92m[+]\e[0m Enumerating network info for $1 at $(date): nmap -p- -T4 -sV -sC -oA nmap_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g') $1 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g').txt
nmap -p- -T4 -sV -sC -oA nmap_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g') $1 2> /dev/null 1>&2
echo -e "\e[92m[+]\e[0m Re-writing targets file with the following since they are the only ones up at $(date)" | tee -a documentation_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g').txt
# Hosts nmap reported as "Status: Up" (second field of the gnmap line) replace
# the CIDR in the targets file, one per line after the tr below.
for i in $(echo $(cat nmap_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g').gnmap | grep "Status: Up" | awk -F ' ' '{print $2}' | sort -u))
do
echo -e "\e[92m[+]\e[0m $i" | tee -a documentation_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g').txt
done
echo $(cat nmap_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g').gnmap | grep "Status: Up" | awk -F ' ' '{print $2}' | sort -u) > targets_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g').txt
for i in $(cat targets_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g').txt | tr ' ' '\n' | sort -u);
do
if [ $SHODAN -eq 1 ]
then
# NOTE(review): the shodan output name is built from $1 (the CIDR), not $i,
# so every host in the range overwrites the same shodan_* file.
echo -e "\e[92m[+]\e[0m Pulling OSINT for $i at $(date): shodan host $i > shodan_$(echo $1 | tr '.:' '__').txt" | tee -a documentation_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g').txt
shodan host $i > shodan_$(echo $1 | tr '.:' '__').txt 2> /dev/null
fi
# Port check is scoped to this host's line(s) in the combined gnmap output.
if cat nmap_$(echo $1 | tr '.:' '__' | tr '/' ' ' | sed 's/ /_cidr/g').gnmap | grep "$i " | grep -qi "80/open/tcp//http/";
then
# NOTE(review): the dirb and nikto log lines below append to
# documentation_$1 with tr '.' '_' rather than the _cidr name used everywhere
# else in this branch, so the run log ends up in two files. The logged dirb
# command also names big.txt while the run uses the merged wordlist.
echo -e "\e[92m[+]\e[0m Looking for misconfigured file permissions on $i at $(date): dirb http://$i/ /usr/share/dirb/wordlists/big.txt -o dirb_$(echo $i | tr '.' '_').txt 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.' '_').txt
cp /usr/share/dirb/wordlists/common.txt $DIRECTORY_WORDLIST
cat /usr/share/dirb/wordlists/big.txt >> $DIRECTORY_WORDLIST
sort -ufo $DIRECTORY_WORDLIST $DIRECTORY_WORDLIST
dirb http://$i/ $DIRECTORY_WORDLIST -o dirb_$(echo $i | tr '.' '_').txt 2> /dev/null 1>&2
echo -e "\e[92m[+]\e[0m Looking for webserver misconfigurations on $i at $(date): nikto -h $i -o nikto_$(echo $i | tr '.' '_').txt 2> /dev/null 1>&2" | tee -a documentation_$(echo $1 | tr '.' '_').txt
nikto -h $i -o nikto_$(echo $i | tr '.' '_').txt 2> /dev/null 1>&2
if [ "$EUID" -eq 0 ];
then
/usr/bin/autowasp $i
fi
fi
done
sort_output
exit
else
# TARGET_TYPE 0: nothing matched in targetcheck. Exits with status 0, so a
# wrapper cannot distinguish this from a completed run.
echo -e "\e[91m[-]\e[0m ERROR: Target type not supported"
printhelp
exit
fi
}
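cleanup() {
  # Final log line plus removal of the scratch wordlists.
  # Arguments: $1 - target (optional). The original built the file name from
  #            $1 but the message from the global loop variable $i; both now
  #            use the same value, falling back to $i when no argument is given.
  # Globals:   SUBDOMAIN_WORDLIST, DIRECTORY_WORDLIST (read), i (read)
  local target=${1:-$i}
  local doc
  doc="documentation_$(printf '%s' "$target" | tr '.' '_').txt"
  printf '%b[+]%b All tests finished on %s at %s\n' '\e[92m' '\e[0m' "$target" "$(date)" | tee -a "$doc"
  # Quoted and guarded: with the unquoted originals an empty variable (mktemp
  # failure) turned into a bare `rm` and an error message.
  if [[ -n "$SUBDOMAIN_WORDLIST" ]]; then
    rm -f -- "$SUBDOMAIN_WORDLIST"
  fi
  if [[ -n "$DIRECTORY_WORDLIST" ]]; then
    rm -f -- "$DIRECTORY_WORDLIST"
  fi
}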
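main() {
  # One run: banner, ZAP precondition, Shodan eligibility, target
  # classification (which runs the tests), then cleanup.
  # Arguments: $1 - target (hostname, FQDN, IP address or CIDR range);
  #            an empty/missing target is reported by pentest() as unsupported.
  local target=${1:-}
  banner
  zapcheck
  # Quoted so a target with spaces or glob characters reaches the checks as
  # one argument instead of being split.
  shodancheck "$target"
  targetcheck "$target"
  # The target is passed on so the closing log line lands in the same
  # documentation_* file as the run (the original called cleanup with no
  # arguments). As written every pentest() branch exits, so this is reached
  # only if targetcheck returns.
  cleanup "$target"
}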
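# Quoted: an unquoted $1 would be word-split and glob-expanded before main saw it.
main "$1"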