StayPirate · June 12, 2020 10:13
diff --git a/perimeter.sh b/perimeter.sh
 #!/bin/bash
 ###
 ### To get a fresh list of FQDNs go to [repo]/module/route53 and run
 ### cat * | grep -E "\s*name\s*=" | awk '{print $3}' | cut -d"\"" -f2 | grep -Ev "^#" | rev | cut -c2- | rev | sort -u
 ###
 if [ ! -n "$1" ]; then
   echo "Usage:"
   echo -e "\t${0} domains_list.txt [--alive] [--webserver]"
   exit 1
 fi
 if [ $EUID -ne 0 ] && [[ "${@}" == *"--alive"* || "${@}" == *"--webserver"*  ]]; then
   echo "In order to exploit required nmap functionalities, this script must be run as root." 
   exit 1
 fi
 IFS=$'\n'
 _temp_csv_file="/tmp/DA_temp_csv_file.csv"
 _dns_server="172.16.61.2"

 ####
 #### Add resolved IPs
 ####
 echo "[+] Resolving FQDNs via ${_dns_server}"
 #### domain -> domain, +ADD resolved IP
 while read i; do 
    _ips=$(dig $i -t A @${_dns_server} +short 2>/dev/null)
    _n_ips=$(echo "$_ips" | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | wc -l)
    if [ "$_n_ips" -gt "0" ]; then
        for l in `echo $_ips | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"`; do
            echo "${i},${l}"
        done
    else
        echo "${i},"
    fi
 done < ${1} > $_temp_csv_file

 ####
 #### Add ip range owner
 ####
 function find_cird_name {
    # In order to properly run, this function requires 'grepcidr'.
    # http://pc-tools.net/unix/grepcidr/
    local _cidr_name="${1}"
    local _cidr_ranges="${2}"
    local _exclude_tags="${3}"
    local _cat_file_cmd="cat ${_temp_csv_file}"
    local _matches_found=0

    if [ -n "$3" ]; then
        _cat_file_cmd="$_cat_file_cmd | grep -v \"${3}\""
    fi

    for i in `eval "$_cat_file_cmd"`; do
        local _target_domain=$(echo $i | cut -d"," -f1)
        local _target_ip=$(echo $i | cut -d"," -f2)
        if [ ! -z "$_target_ip" ]; then
            if echo $_target_ip | grepcidr "$_cidr_ranges">/dev/null; then
                sed "s/^${i}$/${i},${_cidr_name}/g" -i $_temp_csv_file;
                ((_matches_found=_matches_found+1))
            fi
        fi
    done
    echo " ${_cidr_name}: ${_matches_found}"
 }

 echo "[+] Find IP range ownership"

 find_cird_name "SUSE"           "195.135.220.0/22 91.193.113.0/24 195.250.132.144/29 193.86.92.176/28 82.113.59.96/28" ""
 find_cird_name "AWS_FRANKFURT"  "$(curl https://ip-ranges.amazonaws.com/ip-ranges.json 2>/dev/null | grep -E "region.*eu-central-1" -B1 | grep ip_pr | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}" | tr "\n" " ")" ""
 find_cird_name "AWS_NOT_FRANKFURT" "$(curl https://ip-ranges.amazonaws.com/ip-ranges.json 2>/dev/null | grep -E "region" -B1 | grep ip_pr | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}" | tr "\n" " ")" "AWS_FRANKFURT"
 find_cird_name "INTERNAL"       "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"   ""
 find_cird_name "NOVEL-MFI"      "137.65.0.0/16 151.155.28.0/17 149.44.0.0/16 147.2.0.0/16 164.99.0.0/16 130.57.0.0/16 192.31.114.0/24 69.7.179.0/24 150.215.214.0/24 151.155.0.0/16 159.253.243.0/26 159.253.243.60/26" ""

 ##### Add empty column to IPs with no owner
 sed "s/,$/,,/g" -i $_temp_csv_file;
 sed -E "s/([0-9]$)/\1,/g" -i $_temp_csv_file;

 ####
 #### Check if host is alive with nmap
 ####
 if [[ "${@}" == *"--alive"* ]]; then
    echo "[+] Check alive hosts"
    echo -n " "
    _matches_found=0

    for i in `cat $_temp_csv_file`; do
        export _target_ip=$(echo $i | cut -d"," -f2)
        if [ ! -z "$_target_ip" ]; then
            # ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request (SUDO/root)
            # TCP SYN to port 443, TCP ACK to port 80 (unprivileged user)
            if sudo nmap -sn $_target_ip 2>/dev/null | grep -q "1 host up"; then
                sed "s/^${i}$/${i},yes/g" -i $_temp_csv_file;
                ((_matches_found=_matches_found+1))
                echo -n "."
            else
                sed "s/^${i}$/${i},no/g" -i $_temp_csv_file;
            fi
        fi
    done
    echo ""
    echo " Alive hosts: ${_matches_found}"
    ##### Add empty column to domain with no ip
    sed "s/,$/,,/g" -i $_temp_csv_file;
 fi

 ####
 #### Find listening webserver with nmap
 ####
 if [[ "${@}" == *"--webserver"* ]]; then
    echo "[+] Search web-servers"
    echo -n " "
    _matches_found=0
    _web_ports="80,8000,8080,8088,8888,443,8443,1443,11443"

    for i in `cat $_temp_csv_file`; do
        export _target_ip=$(echo $i | cut -d"," -f2)
        if [ ! -z "$_target_ip" ]; then
            if sudo nmap -p $_web_ports -sS $_target_ip -Pn -oG /dev/stdout 2>/dev/null | grep -v "Status" | grep -qE "^Host.*open" >/dev/null; then
                sed "s/^${i}$/${i},yes/g" -i $_temp_csv_file;
                ((_matches_found=_matches_found+1))
                echo -n "."
            else
                sed "s/^${i}$/${i},no/g" -i $_temp_csv_file;
            fi
        fi
    done
    echo ""
    echo " Webserver found: ${_matches_found}"
    ##### Add empty column to domain with no ip
    sed "s/,$/,,/g" -i $_temp_csv_file;
 fi

 ####
 #### Moving final report
 ####
 # Add CSV Header
 sed -i '1 i\Domain,IP,IP Owner,Host Alive,Webserver' $_temp_csv_file

 _output_file="Perimeter_Report_$(date +%m-%d-%Y_%H-%M-%S).csv"
 mv $_temp_csv_file "$(pwd)/${_output_file}"
 chmod 766 "$(pwd)/${_output_file}"
	#!/bin/bash
	###
	### To get a fresh list of FQDNs go to [repo]/module/route53 and run
	### cat * \| grep -E "\sname\s=" \| awk '{print $3}' \| cut -d"\"" -f2 \| grep -Ev "^#" \| rev \| cut -c2- \| rev \| sort -u
	###
	if [ ! -n "$1" ]; then
	echo "Usage:"
	echo -e "\t${0} domains_list.txt [--alive] [--webserver]"
	exit 1
	fi
	if [ $EUID -ne 0 ] && [[ "${@}" == "--alive" \|\| "${@}" == "--webserver" ]]; then
	echo "In order to exploit required nmap functionalities, this script must be run as root."
	exit 1
	fi
	IFS=$'\n'
	_temp_csv_file="/tmp/DA_temp_csv_file.csv"
	_dns_server="172.16.61.2"

	####
	#### Add resolved IPs
	####
	echo "[+] Resolving FQDNs via ${_dns_server}"
	#### domain -> domain, +ADD resolved IP
	while read i; do
	_ips=$(dig $i -t A @${_dns_server} +short 2>/dev/null)
	_n_ips=$(echo "$_ips" \| grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" \| wc -l)
	if [ "$_n_ips" -gt "0" ]; then
	for l in `echo $_ips \| grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"`; do
	echo "${i},${l}"
	done
	else
	echo "${i},"
	fi
	done < ${1} > $_temp_csv_file

	####
	#### Add ip range owner
	####
	function find_cird_name {
	# In order to properly run, this function requires 'grepcidr'.
	# http://pc-tools.net/unix/grepcidr/
	local _cidr_name="${1}"
	local _cidr_ranges="${2}"
	local _exclude_tags="${3}"
	local _cat_file_cmd="cat ${_temp_csv_file}"
	local _matches_found=0

	if [ -n "$3" ]; then
	_cat_file_cmd="$_cat_file_cmd \| grep -v \"${3}\""
	fi

	for i in `eval "$_cat_file_cmd"`; do
	local _target_domain=$(echo $i \| cut -d"," -f1)
	local _target_ip=$(echo $i \| cut -d"," -f2)
	if [ ! -z "$_target_ip" ]; then
	if echo $_target_ip \| grepcidr "$_cidr_ranges">/dev/null; then
	sed "s/^${i}$/${i},${_cidr_name}/g" -i $_temp_csv_file;
	((_matches_found=_matches_found+1))
	fi
	fi
	done
	echo " ${_cidr_name}: ${_matches_found}"
	}

	echo "[+] Find IP range ownership"

	find_cird_name "SUSE" "195.135.220.0/22 91.193.113.0/24 195.250.132.144/29 193.86.92.176/28 82.113.59.96/28" ""
	find_cird_name "AWS_FRANKFURT" "$(curl https://ip-ranges.amazonaws.com/ip-ranges.json 2>/dev/null \| grep -E "region.*eu-central-1" -B1 \| grep ip_pr \| grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}" \| tr "\n" " ")" ""
	find_cird_name "AWS_NOT_FRANKFURT" "$(curl https://ip-ranges.amazonaws.com/ip-ranges.json 2>/dev/null \| grep -E "region" -B1 \| grep ip_pr \| grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}" \| tr "\n" " ")" "AWS_FRANKFURT"
	find_cird_name "INTERNAL" "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8" ""
	find_cird_name "NOVEL-MFI" "137.65.0.0/16 151.155.28.0/17 149.44.0.0/16 147.2.0.0/16 164.99.0.0/16 130.57.0.0/16 192.31.114.0/24 69.7.179.0/24 150.215.214.0/24 151.155.0.0/16 159.253.243.0/26 159.253.243.60/26" ""

	##### Add empty column to IPs with no owner
	sed "s/,$/,,/g" -i $_temp_csv_file;
	sed -E "s/([0-9]$)/\1,/g" -i $_temp_csv_file;

	####
	#### Check if host is alive with nmap
	####
	if [[ "${@}" == "--alive" ]]; then
	echo "[+] Check alive hosts"
	echo -n " "
	_matches_found=0

	for i in `cat $_temp_csv_file`; do
	export _target_ip=$(echo $i \| cut -d"," -f2)
	if [ ! -z "$_target_ip" ]; then
	# ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request (SUDO/root)
	# TCP SYN to port 443, TCP ACK to port 80 (unprivileged user)
	if sudo nmap -sn $_target_ip 2>/dev/null \| grep -q "1 host up"; then
	sed "s/^${i}$/${i},yes/g" -i $_temp_csv_file;
	((_matches_found=_matches_found+1))
	echo -n "."
	else
	sed "s/^${i}$/${i},no/g" -i $_temp_csv_file;
	fi
	fi
	done
	echo ""
	echo " Alive hosts: ${_matches_found}"
	##### Add empty column to domain with no ip
	sed "s/,$/,,/g" -i $_temp_csv_file;
	fi

	####
	#### Find listening webserver with nmap
	####
	if [[ "${@}" == "--webserver" ]]; then
	echo "[+] Search web-servers"
	echo -n " "
	_matches_found=0
	_web_ports="80,8000,8080,8088,8888,443,8443,1443,11443"

	for i in `cat $_temp_csv_file`; do
	export _target_ip=$(echo $i \| cut -d"," -f2)
	if [ ! -z "$_target_ip" ]; then
	if sudo nmap -p $_web_ports -sS $_target_ip -Pn -oG /dev/stdout 2>/dev/null \| grep -v "Status" \| grep -qE "^Host.*open" >/dev/null; then
	sed "s/^${i}$/${i},yes/g" -i $_temp_csv_file;
	((_matches_found=_matches_found+1))
	echo -n "."
	else
	sed "s/^${i}$/${i},no/g" -i $_temp_csv_file;
	fi
	fi
	done
	echo ""
	echo " Webserver found: ${_matches_found}"
	##### Add empty column to domain with no ip
	sed "s/,$/,,/g" -i $_temp_csv_file;
	fi

	####
	#### Moving final report
	####
	# Add CSV Header
	sed -i '1 i\Domain,IP,IP Owner,Host Alive,Webserver' $_temp_csv_file

	_output_file="Perimeter_Report_$(date +%m-%d-%Y_%H-%M-%S).csv"
	mv $_temp_csv_file "$(pwd)/${_output_file}"
	chmod 766 "$(pwd)/${_output_file}"