Here’s my automated scanning script. It has a few dependencies, but it runs with a configurable number of threads and writes its output to a folder you specify.

#!/bin/bash
#__________________________________________________________
# Author:     phillips321 forum.gnacktrack.co.uk
# License:    CC BY-SA 3.0
# Use:        Drive a batch of nmap, amap, sslscan and gnome-web-photo
#             runs against the hosts listed in ./targets.txt (see f_usage)
# Released:   www.gnacktrack.co.uk
version="1.0"   # script version string, printed by f_usage (bash variable names are case-sensitive)
# Dependencies:
#           nmap
#           sslscan
#           gnome-web-photo
#           arp-scan
# debian users can apt-get install nmap sslscan gnome-web-photo arp-scan
#
# ToDo:
#           Delete WeakCiphers if it doesnt contain any weak ciphers
#           Use watch instead of looping a #process left message
#           Use a nice output to show status of scans and what has been complete
#           Allow changing of THREADS on fly by reading THREADS from file
#___________________________________________________________

f_uservariables(){  #sets the user-tunable scan settings
    # Comma-separated TCP port list used only by the "custom" scan size.
    CUSTOMPORTS=21,22,22,80,443,445,3389
    CUSTOMPORTS="21,22,23,80,443,445,3389"
    # nmap command shared by every TCP scan; the caller appends the -oA
    # output basename, any extra port option and the target.
    NMAPSTRING='nmap -sS -vv -d -A -P0 -n -r -oA'
}
f_usage(){      #outputs usage information
    # Prints the six-line usage banner to stdout; ${version} comes from the
    # file header and ${0} is the script as invoked.
    local me
    me=$(basename "${0}")
    printf '%s\n' \
        "MESSAGE: matts-nmap.sh ${version}" \
        "MESSAGE: Usage: ${me} [threads max = 99] [big/small/both/custom] [directory]" \
        "MESSAGE: # ${me} 5 small VLANxyz" \
        "MESSAGE: if scan size not given i will scan all ports" \
        "MESSAGE: if directory is not given then I will write to ./devices/" \
        "MESSAGE:"
}
f_yesorno(){    #returns 1 if yes is selected
    # Reads one answer line from stdin into CONFIRM (-e uses readline when
    # stdin is a terminal). Note the inverted convention callers rely on:
    # an affirmative answer returns 1, anything else returns 0.
    read -e CONFIRM
    if [[ "${CONFIRM}" == [yY] || "${CONFIRM}" == YES || "${CONFIRM}" == yes || "${CONFIRM}" == Yes ]]
    then
        return 1
    fi
    return 0
}
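f_rootcheck(){  #checks for root and exits if not
    # Exits 1 with a message unless the effective UID is 0. The UID is used
    # instead of $USER because $USER may be unset or inherited, and the old
    # unquoted `[ `echo -n $USER` != "root" ]` was a syntax error when empty.
    # The version variable is the lowercase one the header defines; the
    # previous ${VERSION} was a different, never-set name.
    if [ "$(id -u)" -ne 0 ]
    then
        echo "MESSAGE: matts-nmap.sh ${version}"
        echo "MESSAGE: ERROR: Please run as root!"
        echo "MESSAGE:"
        exit 1
    fi
}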
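f_threadcheck(){    #checks input for num of threads
    # $1 - requested thread count. Sets THREADS to the first two digits of $1
    # (non-digits are dropped). A missing, non-numeric or zero value prints
    # the usage and exits 1: the scan loops compare the running-xterm count
    # against ${THREADS}, so an empty value disables the limit and 0 would
    # never let the throttle loop finish.
    local digits
    if [ -z "${1}" ]
    then
        f_usage
        exit 1
    fi
    digits=${1//[!0-9]/}
    THREADS=${digits:0:2}
    if [ -z "${THREADS}" ] || [ "${THREADS}" -eq 0 ]
    then
        echo "MESSAGE: ERROR: thread count must be a number between 1 and 99"
        f_usage
        exit 1
    fi
}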
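f_scansizecheck(){  #checks input for type of scan
    # $1 - requested scan size. Sets SIZETYPE to one of big/small/both/custom,
    # falling back to "both" for a missing or unrecognised value. The case
    # statement replaces four unquoted [ ... ] comparisons that printed a
    # test error on stderr whenever $1 was empty.
    case "${1}" in
        big|small|both|custom)
            SIZETYPE=${1}
            echo "MESSAGE: performing a ${SIZETYPE} scan"
            ;;
        *)
            SIZETYPE="both"
            echo "MESSAGE: no scan size given or its invalid so scan size will be both(small and big)."
            ;;
    esac
}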
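f_directorycheck(){ #checks input for directory name to save to
    # $1 - output directory name. Sets DIRECTORY, defaulting to "devices".
    # tr -cd '[:graph:]' keeps only printable non-blank characters, so a name
    # such as "my dir" becomes "mydir". Quoting $1 keeps a value with spaces
    # from turning the emptiness test into a "too many arguments" error.
    if [ -z "${1}" ]
    then
        DIRECTORY="devices"
        echo "MESSAGE: no dir given so outputting to ${DIRECTORY}"
    else
        DIRECTORY=$(printf '%s' "${1}" | tr -cd '[:graph:]')
        echo "MESSAGE: output dir = ${DIRECTORY}"
    fi
}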
f_outputtargets(){  #cats targets.txt to screen
    # Prints ./targets.txt between two MESSAGE marker lines.
    printf '%s\n' "MESSAGE: targets.txt contents:"
    cat -- targets.txt
    printf '%s\n' "MESSAGE: end of IPs/Hosts"
}
f_arpscansubnet(){  #arpscans local subnet
    # Writes the first tab-separated field of every non-empty arp-scan line
    # to ./targets.txt, dropping arp-scan's header and footer lines.
    arp-scan -l -g \
        | grep . \
        | cut -f1 \
        | grep -v -e packets -e Interface -e Ending -e Starting \
        > targets.txt
}
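f_findtargetstxt(){ #checks for targets.txt and offer to create
    # Uses ./targets.txt when it exists; otherwise offers to build one with
    # f_arpscansubnet and then to edit it in nano. f_yesorno returns 1 for
    # "yes", so `f_yesorno && exit 0` means "stop when the answer is not yes".
    if [ -f ./targets.txt ]
    then
        echo "MESSAGE: targets.txt file located"
        f_outputtargets
    else
        printf '%s' "MESSAGE: there is no targets.txt file so do you want me to create one? yes/no : "
        f_yesorno && exit 0
        echo "MESSAGE: Now arp-scanning current subnet"
        f_arpscansubnet
        echo "MESSAGE: We found $(wc -l < targets.txt) targets and have output them to targets.txt"
        f_outputtargets
        printf '%s' "MESSAGE: Do you wish to edit this list? (DELETE YOURSELF!)yes/no : "
        # An explicit if/else replaces `a && b || c`, which would also have
        # opened the editor had the echo itself failed.
        if f_yesorno
        then
            echo "MESSAGE: Chose not to edit.....continue with scan"
        else
            nano targets.txt
        fi
        f_outputtargets
    fi
}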
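f_numberoftargets(){ #counts number of targets in targets.txt
    # Sets NUMBER to the line count of ./targets.txt and resets COUNT, the
    # progress counter the scan loop increments. `wc -l targets.txt` printed
    # the filename too, so messages read "Found 5 targets.txt targets";
    # grep -c '' gives a bare count and also counts a final line that lacks
    # a trailing newline.
    NUMBER=$(grep -c '' -- targets.txt)
    COUNT=0
    echo "MESSAGE: Found ${NUMBER} targets to scan"
}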
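f_createdirectory(){ #makes the directory
    # $1 - output directory, created under the current directory, which is
    # remembered in STARTDIR for the absolute cd calls in later stages.
    # mkdir -p lets a re-run reuse an existing directory instead of printing
    # an error, and the quoted copy keeps unusual names intact.
    STARTDIR=$(pwd)
    mkdir -p -- "${STARTDIR}/${1}"
    cp -- targets.txt "${STARTDIR}/${1}/."
}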
f_nmapscans(){  #performs loops of nmap scans
    # Launches the nmap jobs for every target listed in targets.txt, one xterm
    # per job, keeping at most ${THREADS} matching xterms alive at a time.
    # nmap -oA output lands at ${DIRECTORY}/<target>.small.tcp, .big.tcp or
    # .custom, plus .small.udp for the UDP scan.
    # Globals read: THREADS, DIRECTORY, SIZETYPE, NMAPSTRING, CUSTOMPORTS, NUMBER
    # Globals written: TARGET, LOC, COUNT
    echo "MESSAGE: Starting Scan with ${THREADS} threads"
    # Unquoted substitution: the file is split on whitespace, one target per token.
    for i in `cat targets.txt`
    do
        TARGET=${i}
        LOC=${DIRECTORY}/${TARGET}
        ((COUNT++))
        echo "MESSAGE: now scanning ${TARGET} ${COUNT} of ${NUMBER}"
        # "both" starts the small and the full 1-65535 TCP scans together.
        # -P0 is the legacy spelling of nmap's -Pn (skip host discovery).
        case ${SIZETYPE} in
            small) xterm -title "${TARGET} small TCP" -e "${NMAPSTRING} ${LOC}.small.tcp ${TARGET}" & ;;
            both) xterm -title "${TARGET} small TCP" -e "${NMAPSTRING} ${LOC}.small.tcp ${TARGET}" &
                xterm -title "${TARGET} big TCP" -e "${NMAPSTRING} ${LOC}.big.tcp -p1-65535 ${TARGET}" & ;;
            big) xterm -title "${TARGET} big TCP" -e "${NMAPSTRING} ${LOC}.big.tcp -p1-65535 ${TARGET}" & ;;
            custom) xterm -title "${TARGET} custom TCP" -e "${NMAPSTRING} ${LOC}.custom -p${CUSTOMPORTS} ${TARGET}" & ;;
        esac
        # The UDP scan runs for every target whatever SIZETYPE is.
        xterm -title "${TARGET} UDP" -e "nmap -sU -vv -d -P0 -n -r -oA ${LOC}.small.udp ${TARGET}" &
        # Throttle: wait while ps lists ${THREADS} or more xterms whose command
        # line contains ${DIRECTORY} (used here as an unanchored grep regex).
        # With an empty ${THREADS} the test errors out and no waiting happens.
        while [ `ps -Aef --cols 200 | grep ${DIRECTORY} | grep xterm | wc -l` -ge ${THREADS} ]
            do
            sleep 5
        done
        sleep 5
    done
    # Drain: block until no matching xterm is left before returning.
    while [ `ps -Aef --cols 200 | grep ${DIRECTORY} | grep xterm | wc -l` -gt 0 ]
    do
        echo MESSAGE: `ps -Aef --cols 200 | grep ${DIRECTORY} | grep xterm | wc -l`nmaps still running
        sleep 10
    done
    echo "MESSAGE: NMap Scanning Complete"
}
f_amapscans(){  #runs amap over every .gnmap file nmap produced
    # For each <name>.gnmap in the output directory, runs amap in its own
    # xterm (at most ${THREADS} at once, counted by the AMAP title), appending
    # every run's output to amap_full.txt. Afterwards amap.txt holds fields
    # 3-5 of the amap_full.txt lines containing "matches", and amap.http.txt /
    # amap.ssl.txt hold the text before the first "/" of the amap.txt lines
    # mentioning http or ssl.
    # Globals read: STARTDIR, DIRECTORY, THREADS
    cd "${STARTDIR}/${DIRECTORY}"
    # Iterates over basenames; with no .gnmap present ls fails and the loop
    # body never runs.
    for i in `ls *.gnmap | sed -e "s/.gnmap//"`
    do
        xterm -title "${i} AMAP" -e "amap -i ${i}.gnmap -o ${i}.amap | tee -a amap_full.txt" &
        echo "MESSAGE: now amaping ${i}"
        while [ `ps -Aef --cols 200 | grep AMAP | grep xterm | wc -l` -ge ${THREADS} ]
        do
            sleep 1
        done
        sleep 5
    done
    # Drain the remaining amap xterms before post-processing their output.
    while [ `ps -Aef --cols 200 | grep AMAP | grep xterm | wc -l` -gt 0 ]
    do
        echo MESSAGE: `ps -Aef --cols 200 | grep AMAP | grep xterm | wc -l`amaps still running
        sleep 10
    done
    cat amap_full.txt | cut -d" " -f3,4,5 | grep matches | sort -n | uniq > amap.txt
    cat amap.txt | grep http | cut -d"/" -f 1 | sort | uniq > amap.http.txt
    cat amap.txt | grep ssl | cut -d"/" -f 1 | sort | uniq > amap.ssl.txt
    # NOTE(review): this lands in the parent of STARTDIR, not STARTDIR itself;
    # harmless because the later stages cd by absolute path.
    cd "${STARTDIR}/.."
    echo "MESSAGE: Amaping Complete"
    sleep 5
}
f_sslscans(){  #sslscans every host:port amap flagged as ssl
    # If amap.ssl.txt is non-empty, runs sslscan --no-failed against each
    # entry in its own xterm (throttled to ${THREADS} via the SSLSCAN title),
    # saving output as <entry>.sslscan.txt with ':' replaced by '_'.
    # WeakCiphers.txt then keeps the "Testing SSL"/"Accepted" lines that
    # mention SSLv2, Testing, " 40" or " 56" (presumably 40/56-bit ciphers)
    # and drops ERROR lines.
    # Globals read: STARTDIR, DIRECTORY, THREADS; written: SSLOUT
    cd "${STARTDIR}/${DIRECTORY}"
    if [ -s amap.ssl.txt ]
    then
        cat amap.ssl.txt
        for i in `cat amap.ssl.txt`
        do
            SSLOUT="`echo "${i}" | sed -e s/:/_/g`"
            echo "MESSAGE: now sslscanning ${i} and outputting as ${SSLOUT}.sslscan.txt"
            # The trailing sleep keeps the xterm open briefly after sslscan ends.
            xterm -title "${i} SSLSCAN" -e "sslscan --no-failed ${i} | tee ${SSLOUT}.sslscan.txt ; sleep 5" &
            while [ `ps -Aef --cols 200 | grep SSLSCAN | grep xterm | wc -l` -ge ${THREADS} ]
                do
                        sleep 2
                done
        sleep 5
        done
        # Drain the remaining sslscan xterms before collating their output.
        while [ `ps -Aef --cols 200 | grep SSLSCAN | grep xterm | wc -l` -gt 0 ]
        do
            echo MESSAGE: `ps -Aef --cols 200 | grep SSLSCAN | grep xterm | wc -l`sslscans still running
            sleep 10
        done
        cat *.sslscan.txt | grep "Testing\ SSL\|Accepted\|ERROR" | grep "SSLv2\|Testing\|\ 40\|\ 56" | grep -v "ERROR" > WeakCiphers.txt
        echo "MESSAGE: Auto SSLSCAN Complete"
    else
        echo "MESSAGE: sslscan will not run - no ssl ports found using amap"
    fi 
    sleep 5
    # NOTE(review): ends in the parent of STARTDIR rather than STARTDIR.
    cd "${STARTDIR}/.."
   

}
f_gwp(){  #screenshots the ssl and http services amap found
    # Takes a gnome-web-photo PNG of every entry in amap.ssl.txt and then of
    # every entry in amap.http.txt, one xterm each, throttled to ${THREADS}
    # by counting GNOME-titled xterms. The output name is the entry with ':'
    # replaced by '_' plus .png, so an entry present in both lists is written
    # twice to the same file.
    # Globals read: STARTDIR, DIRECTORY, THREADS; written: HTTPOUT
    cd "${STARTDIR}/${DIRECTORY}"
    if [ -s amap.ssl.txt ]
    then
        cat amap.ssl.txt
        for i in `cat amap.ssl.txt`
        do
            HTTPOUT="`echo "${i}" | sed -e s/:/_/g`"
            echo "MESSAGE: now taking photo of http://${i} and outputting as ${HTTPOUT}.png"
            # NOTE(review): the ssl list is fetched with an http:// scheme, not
            # https:// — looks unintended; confirm before relying on these shots.
            xterm -title "${i} GNOME-WEB-PHOTO" -e "gnome-web-photo -m photo -f --format=png http://${i} ${HTTPOUT}.png" &
            while [ `ps -Aef --cols 200 | grep GNOME | grep xterm | wc -l` -ge ${THREADS} ]
            do
                sleep 5
            done
            sleep 5
        done
    else
        echo "MESSAGE: gnome-web-photo will not run - no https ports found using amap"
    fi
    if [ -s amap.http.txt ]
    then
        cat amap.http.txt
        for i in `cat amap.http.txt`
        do
            HTTPOUT="`echo "${i}" | sed -e s/:/_/g`"
            echo "MESSAGE: now taking photo of http://${i} and outputting as ${HTTPOUT}.png"
            # Here the entry is passed to gnome-web-photo without any scheme.
            xterm -title "${i} GNOME-WEB-PHOTO" -e "gnome-web-photo -m photo -f --format=png ${i} ${HTTPOUT}.png" &
            while [ `ps -Aef --cols 200 | grep GNOME | grep xterm | wc -l` -ge ${THREADS} ]
            do
                sleep 5
            done
            sleep 5
        done
    else
        echo "MESSAGE: gnome-web-photo will not run - no http ports found using amap"
    fi
    # Drain: wait for the last screenshot xterms from either loop to exit.
    while [ `ps -Aef --cols 200 | grep GNOME | grep xterm | wc -l` -gt 0 ]
    do
        echo MESSAGE: `ps -Aef --cols 200 | grep GNOME | grep xterm | wc -l`screenshots still running
        sleep 10
    done
    sleep 5
    # NOTE(review): ends in the parent of STARTDIR rather than STARTDIR.
    cd "${STARTDIR}/.."
}
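f_cleanup(){  #removes screenshots that are exactly 469 bytes
    # Deletes every .png in the output directory whose size is exactly 469
    # bytes. NOTE(review): 469 is presumably the size of gnome-web-photo's
    # placeholder image for an unreachable page — confirm before changing.
    # The cd is checked so a missing output directory cannot make the loop
    # delete .png files from whatever the current directory happens to be;
    # the glob replaces `ls *.png` and the -e test skips an unmatched pattern.
    local f size
    cd "${STARTDIR}/${DIRECTORY}" || return 1
    for f in *.png
    do
        [ -e "${f}" ] || continue
        size=$(wc -c < "${f}")
        size=$((size))   # strip the padding some wc implementations print
        if [ "${size}" -eq 469 ]
        then
            echo "MESSAGE: Deleting file: ${f} as it is ${size} bytes"
            rm -f -- "${f}"
        fi
    done
}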
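f_displayresults(){  #collates open ports and weak ciphers for viewing
    # Builds open_ports.txt from every *p.nmap file in the output directory,
    # keeping the "scan report for", "Interesting", "open" and separator lines
    # and dropping OSScan and filtered-port lines, then shows it in an xterm
    # with common service names highlighted. WeakCiphers.txt is shown when
    # sslscan produced one; otherwise a placeholder line is written to it.
    # Globals read: STARTDIR, DIRECTORY
    cd "${STARTDIR}/${DIRECTORY}" || return 1
    # -h suppresses filenames so the output matches the old `cat | grep`;
    # separate -e patterns replace the backslash-escaped spaces of the single
    # regex, which newer GNU grep reports as stray backslashes.
    grep -h -e "scan report for" -e "Interesting" -e "open" \
        -e "---------------------------------------------" -- *p.nmap \
        | grep -v "OSScan" | grep -v "filtered" > open_ports.txt
    xterm -title "OpenPorts from ${DIRECTORY}" -e "grep -E --color=always '.*(ssh|rdp|ssl|http|telnet|https|sslv2|mail|smtp|snmp|oracle|sql|tnls|ftp|sftp).*|' open_ports.txt | less -R" &
    if [ -s WeakCiphers.txt ]
    then
        xterm -title "WeakCiphers from ${DIRECTORY}" -e "less -R WeakCiphers.txt" &
    else
        echo "No weak ciphers found" > WeakCiphers.txt
        echo "MESSAGE: no weak ciphers found"
    fi
    cd "${STARTDIR}/.."
}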

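# Entry point: validate the three positional arguments, locate or build the
# target list, then run each scan stage in order. Arguments are quoted so an
# empty or space-containing value still reaches its check as a single word.
# f_rootcheck is defined above but not invoked here.
f_uservariables
f_threadcheck "${1}"
f_scansizecheck "${2}"
f_directorycheck "${3}"
f_findtargetstxt
f_numberoftargets
f_createdirectory "${DIRECTORY}"
f_nmapscans     #comment me out to skip nmap scans
f_amapscans     #comment me out to skip amap scans
f_sslscans      #comment me out to skip ssl scans
f_gwp           #comment me out to skip web screenshots
f_cleanup
f_displayresults
exit 0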
