
adding option for no ping during port scan


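#######################################
# Interactive nmap discovery scan used by the menu.
# Prompts for ping scan, full TCP range, version detection and scan delay,
# runs nmap against the target list, then derives host, port, banner and
# web URL lists from the nmap output.
# Globals (read):    name, location, excludefile, maxrtt, sourceport, sip, medium
# Globals (written): hosts - count of live hosts (left global on purpose; a
#                    later stage may read it - confirm against callers)
# Calls:             f_error (defined elsewhere) on an invalid delay value
# Outputs:           $name/nmap.{nmap,gnmap,xml}, nmap.txt, hosts.txt, ports.txt,
#                    ports-tcp.txt, ports-udp.txt, banners.txt, http.txt, https.txt;
#                    scratch files tmp and tmp2 in the current directory
# Returns:           exits the script when nmap reports no live hosts
#######################################
f_scan(){
# Port lists. The custom list must contain no whitespace: it is passed to
# nmap as a single -p argument.
local custom='1-1040,1050,1080,1099,1125,1158,1194,1214,1220,1344,1352,1433,1500,1503,1521,1524,1526,1720,1723,1731,1812,1813,1953,1959,2000,2002,2030,2049,2100,2121,2200,2202,2222,2301,2375,2381,2401,2433,2456,2500,2556,2628,2745,2780-2783,2947,3000,3001,3031,3121,3127,3128,3200,3201,3230-3235,3260,3268,3269,3306,3310,3339,3389,3460,3500,3527,3632,3689,4000,4045,4100,4242,4369,4430,4443,4445,4661,4662,4711,4848,5000,5001,5009,5010,5019,5038,5040,5059,5060,5061,5101,5180,5190,5191,5192,5193,5250,5432,5554,5555,5560,5566,5631,5666,5672,5678,5800,5801,5802,5803,5804,5850,5900-6009,6101,6106,6112,6161,6346,6379,6588,6666,6667,6697,6777,7000,7001,7002,7070,7100,7210,7510,7634,7777,7778,8000,8001,8004,8005,8008,8009,8080,8081,8082,8083,8091,8098,8099,8100,8180,8181,8222,8332,8333,8383,8384,8400,8443,8444,8470-8480,8500,8787,8834,8866,8888,9090,9100,9101,9102,9160,9343,9470-9476,9480,9495,9996,9999,10000,10025,10168,11211,12000,12345,12346,13659,15000,16080,18181-18185,18207,18208,18231,18232,19150,19190,19191,20034,22226,27017,27374,27665,28784,30718,31337,32764,32768,32771,33333,35871,37172,38903,39991,39992,40096,46144,46824,49400,50000,50030,50060,50070,50075,50090,51080,51443,53050,54320,58847,60000,60010,60030,60148,60365,62078,63148'
local full='1-65535'
local udp='53,67,123,137,161,500,523,1434,1604,2302,3478,3671,4070,5353,6481,17185,31337,44818,47808'
# Host discovery: ICMP echo plus TCP SYN and UDP probes on common ports,
# or -Pn to treat every target as up.
local yesping='-sP -PE -PS21-23,25,53,80,110-111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 -PU53,67-69,123,135,137-139,161-162,445,500,514,520,631,1434,1900,4500,49152'
local noping='-Pn'
local discping scan vdetection delay tcp S U port
local -a pingscans

echo
echo -n "Perform ping scan? (y/N) "
read -r discping

if [[ $discping == y ]]; then
  # shellcheck disable=SC2206 -- intentional word-splitting of a fixed option string
  pingscans=($yesping)
else
  pingscans=($noping)
fi

echo
echo -n "Perform full TCP port scan? (y/N) "
read -r scan

if [[ $scan == y ]]; then
  tcp=$full
else
  tcp=$custom
fi

echo
echo -n "Perform version detection? (y/N) "
read -r vdetection

# Scan type letters for TCP (S) and UDP (U); prefixed with '-' below.
if [[ $vdetection == y ]]; then
  S='sSV'
  U='sUV'
else
  S='sS'
  U='sU'
fi

echo
echo -n "Set scan delay. (0-5, enter for normal) "
read -r delay

# Check for no answer
if [[ -z $delay ]]; then
  delay='0'
fi

# Reject anything that is not an integer 0-5 before it reaches nmap; a
# bare numeric test would itself error out on non-numeric input.
# 10# forces decimal so a leading zero is not read as octal.
if ! [[ $delay =~ ^[0-9]+$ ]] || (( 10#$delay > 5 )); then
  f_error
fi

echo
echo "$medium"

nmap -iL "$location" --excludefile "$excludefile" -n "-$S" "-$U" "${pingscans[@]}" -p "T:$tcp,U:$udp" --max-retries 3 --min-rtt-timeout 100ms --max-rtt-timeout "$maxrtt" --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --open --stats-every 10s -g "$sourceport" --scan-delay "$delay" -oA "$name/nmap"

if grep -q '(0 hosts up)' "$name/nmap.nmap"; then
  # ${name:?} aborts instead of running rm -rf against an empty path
  rm -rf -- "${name:?}" tmp
  echo
  echo "$medium"
  echo
  echo "_Scan complete._"
  echo
  echo
  echo -e "\x1B[1;33m[*] No live hosts were found.\x1B[0m"
  echo
  echo
  exit
fi

# Clean up: drop nmap noise lines, strip the report prefix and collapse
# runs of blank lines into one.
grep -Ev '(0000:|0010:|0020:|0030:|0040:|0050:|0060:|0070:|0080:|0090:|00a0:|00b0:|00c0:|00d0:|1 hop|closed|guesses|GUESSING|filtered|fingerprint|FINGERPRINT|general purpose|initiated|latency|Network Distance|No exact OS|No OS matches|OS:|OS CPE|Please report|RTTVAR|scanned in|SF|unreachable|Warning|WARNING)' "$name/nmap.nmap" | sed 's/Nmap scan report for //' | sed '/^$/! b end; n; /^$/d; : end' > "$name/nmap.txt"

# shellcheck disable=SC2086 -- $sip is a command string (IP sort) set elsewhere
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$name/nmap.nmap" | $sip > "$name/hosts.txt"
# tr strips the padding BSD wc prints before the count
hosts=$(wc -l < "$name/hosts.txt" | tr -d ' ')

grep 'open' "$name/nmap.txt" | grep -v 'WARNING' | awk '{print $1}' | sort -un > "$name/ports.txt"
grep 'tcp' "$name/ports.txt" | cut -d '/' -f1 > "$name/ports-tcp.txt"
grep 'udp' "$name/ports.txt" | cut -d '/' -f1 > "$name/ports-udp.txt"

# Service banners: everything from field 4 onward of each open-port line.
grep 'open' "$name/nmap.txt" | grep -v 'really open' | awk '{for (i=4;i<=NF;i++) {printf "%s%s",sep, $i;sep=" "}; printf "\n"}' | sed 's/^ //' | sort -u | sed '/^$/d' > "$name/banners.txt"

# Start from empty scratch files so URLs from an earlier run are not appended to.
: > tmp
: > tmp2

# Build http:// and https:// URL lists from the greppable output, one pass per
# open TCP port. nmap writes service names such as "ssl|http" with a literal
# '|', which must be escaped because grep -E treats a bare '|' as alternation.
while IFS= read -r port; do
  # shellcheck disable=SC2086
  grep -E -- " $port/open/tcp//(http|http-alt|http-proxy|appserv-http)/" "$name/nmap.gnmap" |
    sed -e 's/Host: //g' -e 's/ (.*//g' -e 's.^.http://.g' -e "s/$/:$port/g" | $sip >> tmp
  # shellcheck disable=SC2086
  grep -E -- " $port/open/tcp//(https|https-alt|ssl\|giop|ssl\|http|ssl\|unknown)/" "$name/nmap.gnmap" |
    sed -e 's/Host: //g' -e 's/ (.*//g' -e 's.^.https://.g' -e "s/$/:$port/g" | $sip >> tmp2
done < "$name/ports-tcp.txt"

sed 's|http://||g' tmp > "$name/http.txt"
sed 's|https://||g' tmp2 > "$name/https.txt"

# Remove all empty files
find "$name/" -type f -empty -exec rm -f -- {} +
}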

Thanks for the idea. PRs are welcome if you want to do that; otherwise I will see about getting the task assigned.

OK, perhaps the PR route makes the most sense. I'm completely new to posting
on GitHub, so forgive my mistakes.

I'll make the request

On Wed, Jul 27, 2016 at 3:26 PM, J.Townsend notifications@github.com
wrote:

Thanks for the idea, PRs are welcome if you want to do that? otherwise
will see about getting the task assigned.



In the notes section there is a git.txt; I would recommend you read it, as it would be useful for you.

The -Pn switch is already in use. This is also the default behavior that Nexpose uses.