Elymaro/rootscan

RootScan

The aim of this script is to help with and speed up the reconnaissance phase of a pentest, although a more in-depth manual search is still necessary.

Key features:

  • HTML report: Scans ports and generates nmap reports in HTML format for easy reading.
  • Port filtering: IPs with the same open port are automatically recorded in the same file (161.txt, 88.txt, ...).
  • Attack automation: If machines are vulnerable, the tool automatically launches Responder and NTLMRelayx.
  • Integrated Manspider: Runs Manspider on machines with port 445 open to search for sensitive keywords (only available in NTLM mode).
  • Proxychains support: Option to use proxychains at start-up.
  • Kerberos support: Automated support for NTLM and Kerberos.
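An added example (not part of the rootscan project) of the port-filtering step described above: it parses nmap grepable output (-oG) and writes one <port>.txt file per open port, so that hosts sharing a service can be handed to the matching function. Function names, output paths and the sample scan are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not rootscan's own code: group hosts by open port from nmap
# grepable output (-oG), one <port>.txt per port, like the README's port
# filtering feature. File and function names here are assumptions.
set -eu

# group_by_port <gnmap_file> <out_dir>
# Parses lines of the form
#   Host: 10.0.0.5 ()  Ports: 445/open/tcp//microsoft-ds///, 88/open/tcp//kerberos-sec///
# and appends the host IP to <out_dir>/<port>.txt for every port in state "open"
# (closed and filtered ports are skipped).
group_by_port() {
    gnmap="$1"; out="$2"
    mkdir -p "$out"
    awk -v out="$out" '
        /^Host:/ && /Ports:/ {
            ip = $2
            sub(/.*Ports: /, "")                  # keep only the port list
            sub(/[ \t]*Ignored State:.*/, "")     # drop the trailing summary
            n = split($0, ports, /, /)
            for (i = 1; i <= n; i++) {
                split(ports[i], f, "/")           # f[1]=port f[2]=state f[3]=proto
                if (f[2] == "open") print ip >> (out "/" f[1] ".txt")
            }
        }' "$gnmap"
    # de-duplicate: the same host can appear in several scans of a project
    for f in "$out"/*.txt; do
        [ -e "$f" ] || continue
        sort -u -o "$f" "$f"
    done
}

# hosts_with_port <out_dir> <port>: print the IPs recorded for that port
hosts_with_port() { cat "$1/$2.txt" 2>/dev/null || true; }

# Constructed sample scan output (documentation-range addresses, not a real network)
SAMPLE_GNMAP="$(mktemp)"
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.94 scan initiated
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 88/open/tcp//kerberos-sec///, 445/open/tcp//microsoft-ds///, 161/open/udp//snmp///  Ignored State: closed (997)
Host: 192.0.2.11 ()  Ports: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
Host: 192.0.2.12 ()  Ports: 161/open/udp//snmp///
# Nmap done
EOF

OUT_DIR="$(mktemp -d)"
group_by_port "$SAMPLE_GNMAP" "$OUT_DIR"
printf 'hosts with 445 open:\n%s\n' "$(hosts_with_port "$OUT_DIR" 445)"
```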


Some elements can be modified on the targets (only in the SMB function). If this is the case, the information is displayed in orange and the commands needed to restore the targets are written to a modifs.txt file. The -r option executes all of them in order to clean up the actions performed.

Installation

git clone https://github.com/Elymaro/rootscan.git
cd rootscan ; chmod +x rootscan.sh

Installation dependencies

chmod +x install.sh && ./install.sh

Usage:

For the first run of a project, you must use option -f or at least -s nmap_fast.

Full enumeration with the "b.robinson" account on the 192.168.1.0/26 network:

./rootscan.sh -o LAB001 -i eth0 -t 192.168.1.0/26 -u "b.robinson" -p "Kebxj6urt0o" -f

Enumeration with the "b.robinson" account and its NT hash. The script will only run the "nmap_fast" and "smb" functions:

./rootscan.sh -o LAB001 -i eth0 -t 192.168.1.17/32 -u "b.robinson" -H "08CFA7DDB10EB084FAC1CB72152B1E95" -s nmap_fast,smb

Full enumeration with the "anonymous:anonymous" login, except for the "snmp" and "ldap" functions:

./rootscan.sh -o LAB001 -i eth0 -t 192.168.1.17/32 -e snmp,ldap

Depending on the functions chosen, the script will attempt to dig down and retrieve as much data as possible. For example, with SMB:

  • Automatic NTLM / Kerberos support
  • Attempt to connect in anonymous mode
  • Connection attempt in guest mode
  • Attempt to connect using the credentials provided
  • Users extraction
  • Shares discovery
  • Exploitation of LSA / SAM / RDP activation / Defender deactivation / impersonate
  • ...

The script will also attempt to check for the most popular exploits/misconfigurations, such as:

  • ms17-010
  • zerologon
  • petitpotam
  • nopac
  • spooler
  • install_elevated
  • gpp_password
  • gpp_autologin
  • ...

Options

Usage: ./rootscan.sh -o ProjectName -i Interface -t rangeIP [-u Username [-p Password | -H NT_Hash]] [-f | -e nmap_fast | -s smb,vnc] [-m [basic | no-ping]]

Options:
  -o  Project name (output directory)
  -i  Network interface
  -t  IP range (e.g., 192.168.0.0/24,192.168.1.128/27). /32 must be used for individual IP addresses.
  -u  Username (optional)
  -p  Password (optional, either Password or NT_Hash must be provided, can be empty)
  -H  NTLM Hash (optional, either Password or NT_Hash must be provided, can be empty)
  -f  Execute all functions
  -e  Execute all functions except specified ones (-e rdp,winrm)
  -s  Execute only specified functions (-s rdp,winrm)
  -m  Discovery mode (default: basic). basic = ARP + ping (faster, may miss hosts); no-ping = skip ping (slower, more accurate)
  -M  Modifications or alerts on target systems may be performed (e.g., SAM / LSA / LSASS / DPAPI / NTDS extraction, RDP enabling)
  -r  Restore modifications made to targets
  -h  Display help

Available functions:
  - nmap_fast    : Scan open ports and service versions (must be run at least once at the start of a project)
  - relay        : Launch Responder and NTLMRelayx
  - manspider    : Search for sensitive data (passwords, usernames...) on SMB shares
  - vulns        : Check for ms17-010, NoPac, Zerologon, MSOL creds, GPP_autologin, GPP_password, ...
  - ftp          : Enumerate FTP services
  - ssh          : Enumerate SSH services
  - winrm        : Enumerate WinRM services
  - rdp          : Enumerate RDP services
  - smtp         : Enumerate SMTP services
  - nfs          : Enumerate NFS shares
  - vnc          : Enumerate VNC services
  - zt           : Attempt DNS zone transfers
  - printers     : Identify reachable printers
  - snmp         : Search for public SNMP communities
  - ldap         : Anonymous LDAP enumeration
  - ipmi         : IPMI service enumeration
  - mssql        : Attempt MSSQL authentication
  - smb          : Check anonymous/guest access, shares, users, LSA, DPAPI, ...
  - bloodhound   : Collect data for BloodHound Community Edition (equivalent to SharpHound/Ingestor)
  - users        : Enumerate Active Directory users (Get-ADUsers)
  - asp          : Attempt AS-REP Roasting attack
  - krb          : Attempt Kerberoasting attack
  - web          : Identify web services
  - nmap_full    : Deep Nmap scan

Example HTML report
