Shell Script to scan common ports

This shell script scans common ports and performs basic checks for vulnerabilities and information gathering.

#!/bin/bash
# Global state shared by the helper functions below.
skip_ports=""                   # not referenced elsewhere in this script
current_dir=$(pwd)

enum_users="root user admin"    # not referenced elsewhere in this script
unknown_ports=""                # space-separated list filled by the main loop

# ANSI colour sequences. Stored as the literal text "\033[..m" (double quotes
# do not interpret \033); they only become escapes when passed through
# printf or echo -e.
BLACK="\033[30m"
RED="\033[31m"
GREEN="\033[32m"
YELLOW="\033[33m"
BLUE="\033[34m"
PINK="\033[35m"
CYAN="\033[36m"
WHITE="\033[37m"
NORMAL="\033[0;39m"
#art
# Start-up banner. The quoted delimiter keeps the body literal, so the
# backslashes and the backtick in the art are printed as-is.
cat <<'EOF'

 
  ____                            _             
 |  _ \ ___  ___ ___  _ __   __ _| |_ ___  _ __ 
 | |_) / _ \/ __/ _ \| '_ \ / _` | __/ _ \| '__|
 |  _ <  __/ (_| (_) | | | | (_| | || (_) | |   
 |_| \_\___|\___\___/|_| |_|\__,_|\__\___/|_|   
                                                 

EOF

#Utility functions

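function printOk()
{
	# Print "<label>: <detail> OK" with the detail in green.
	# $1 = label, $2 = detail.
	# Both arguments are passed as operands rather than as the printf format
	# string, so a '%' in a URL or message is printed literally instead of
	# being parsed as a directive. %b expands the literal "\033" colour text.
	printf '%s: %b %s OK \n %b' "$1" "$GREEN" "$2" "$NORMAL"
}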

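function printWarn()
{
	# Print "<label>: <detail> WARNING" with the detail in yellow.
	# $1 = label, $2 = detail.
	# printf with %s/%b replaces echo -e so arbitrary text in $1/$2 (leading
	# dashes, backslashes) is emitted verbatim; the colour variables still
	# go through %b to expand their literal "\033" text.
	printf '%s: %b %s WARNING\n %b\n' "$1" "$YELLOW" "$2" "$NORMAL"
}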

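function printError()
{
	# Print "<label>: <detail> FAIL" with the detail in red.
	# $1 = label, $2 = detail (may be omitted; then an empty field is printed).
	# printf with %s/%b replaces echo -e so arbitrary text in $1/$2 is
	# emitted verbatim; colour variables go through %b to expand "\033".
	printf '%s: %b %s FAIL \n %b\n' "$1" "$RED" "$2" "$NORMAL"
}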

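function removeColorCodes()
{
	# Strip ANSI escape sequences (ESC '[' digits/semicolons letter) from the
	# file named by $1, editing it in place.
	# Relies on GNU sed extensions: \x1B, \+ and -i.
	local file=$1
	sed -i 's/\x1B\[[0-9;]\+[A-Za-z]//g' -- "$file"
}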


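function printHeader()
{
	# Print $1 as a banner: a full-width row of '|' in blue, the title in
	# red behind a blue '|', and a second full-width row, then reset colour.
	# Width comes from $COLUMNS, falling back to `tput cols` (queried once).
	# The title is a printf operand, not the format string, so '%' in it
	# prints literally; colour variables go through %b to expand "\033".
	local title=$1
	local width=${COLUMNS:-$(tput cols)}
	printf '\n'
	printf '%b' "$BLUE"
	printf '%*s\n' "$width" '' | tr ' ' '|'
	printf '%b' "$RED"
	printf '%b|%b %s' "$BLUE" "$RED" "$title"
	printf '\n'
	printf '%b' "$BLUE"
	printf '%*s\n' "$width" '' | tr ' ' '|'
	printf '\n'
	printf '%b' "$NORMAL"
}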


function subHeader() {
	# Print "[*] $1" in yellow (tput colour 3) after two blank lines,
	# then reset terminal attributes.
	local label=$1
	echo -e "\n\n$(tput setaf 3)[*] ${label} $(tput sgr0)"
}

function taskHeader() {
	# Print "[*] $1" in magenta (tput colour 5) after two blank lines,
	# then reset terminal attributes.
	local label=$1
	echo -e "\n\n$(tput setaf 5)[*] ${label} $(tput sgr0)"
}

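function checkURLExists()
{
	# Send a HEAD request to $1 and report whether it answered 200.
	# Sets globals: checkURL (the URL probed), statusCode (3-digit code,
	# "000" when curl could not connect), robotExists=yes on a 200.
	checkURL=$1
	statusCode=$(curl --output /dev/null --write-out '%{http_code}' --silent --head --fail "$checkURL")

	# String comparison: an empty or non-numeric code must not make the
	# test itself fail with an error, which `[ ... -eq 200 ]` would.
	if [[ "$statusCode" == "200" ]]; then
		printOk "$checkURL" "$statusCode"
		robotExists=yes
	else
		printError "$checkURL" "$statusCode"
	fi
}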

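function curlURL()
{
	# Fetch $1 to stdout after a HEAD probe confirms it answers 200;
	# otherwise report the status code. Sets global: statusCode.
	local url=$1
	statusCode=$(curl --output /dev/null --write-out '%{http_code}' --silent --head --fail "$url")
	if [[ "$statusCode" == "200" ]]; then
		curl --silent "$url"
	else
		# Report the URL that was actually probed; the original printed
		# $checkURL, a global left over from checkURLExists.
		printError "$url" "${statusCode}"
	fi
}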


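function checkFTPUpload()
{
	# Try to upload a small marker file over FTP as user $1 / password $2
	# and report whether the server refused it.
	# Reads globals: ftpServer, report_dir, openPort.
	# Sets globals: outputFile, ftpLogin (the ftp transcript).
	# Creates ./ftptest.txt for the transfer and removes it afterwards.
	local user=$1
	local pass=$2
	echo "ftp upload test" > ftptest.txt
	outputFile="${report_dir}/${openPort}.txt"
	# Credentials are fed on stdin via the here-doc, not on the command line.
	ftpLogin=$(ftp -n "$ftpServer" <<SCRIPT
	user $user $pass
	
	put ftptest.txt
SCRIPT
	)
	subHeader "Checking anonymous ftp upload"

	# Labels keep the original meaning: FAIL when the transcript shows the
	# server refused the upload; OK when no refusal text was seen, i.e.
	# anonymous upload appears to be permitted (a misconfiguration to report).
	if printf '%s\n' "$ftpLogin" | grep -qi 'fail\|not enough\|denied'; then
		printError "Anonymous FTP Upload"
	else
		printOk "Anonymous FTP Upload"
	fi

	printf '%s\n' "$ftpLogin"
	rm -f -- ftptest.txt
}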

#nmap

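function NMAP()
{
	# Full TCP connect scan (-sT) of host $1 over all ports (-p-), with
	# default scripts (-sC) and version detection (-sV); -Pn skips host
	# discovery, -n skips DNS. All output formats go to
	# ${report_dir}/nmapOutput.{nmap,gnmap,xml}.
	# Reads globals: target (header text only), report_dir.
	taskHeader "Running NMAP on $target"
	nmap -sT -sC -sV -Pn -r -n -p- -T4 "$1" -oA "${report_dir}/nmapOutput"
}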
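function PARSE_NMAP()
{
	# Reduce the grepable nmap output to one "host<TAB>port,port,..." line
	# per host, keeping only entries whose state field is "open".
	# Reads:  ${report_dir}/nmapOutput.gnmap
	# Writes: ${report_dir}/openPorts.txt (overwritten)
	local gnmap="${report_dir}/nmapOutput.gnmap"
	local out="${report_dir}/openPorts.txt"
	# $2 is the host; fields 4..NF hold "port/state/proto//service///" items.
	# awk emits ",port" per open item, so sed drops the leading comma.
	grep -i open "$gnmap" | awk '{
		printf "%s\t", $2;
		for (i = 4; i <= NF; i++) {
			split($i, a, "/");
			if (a[2] == "open") printf ",%s", a[1];
		}
		print ""
	}' | sed -e 's/,//' > "$out"
}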

#enum 
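function FTP() #21
{
	# Run the FTP NSE scripts (excluding brute-force ones) against the open
	# port and append normal-format output to the per-port report file.
	# Reads globals: report_dir, openPort, target. Sets global: outputFile.
	outputFile="${report_dir}/${openPort}.txt"
	taskHeader "Enumerating FTP: $target:$openPort"

	nmap -p "${openPort}" --script="*ftp* and not *brute*" "${target}" -oN "${outputFile}" --append-output
}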

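function SSH() #22
{
	# Run the SSH NSE scripts (excluding brute-force and ssh-run) against the
	# open port and append normal-format output to the per-port report file.
	# Reads globals: report_dir, openPort, target. Sets global: outputFile.
	outputFile="${report_dir}/${openPort}.txt"
	taskHeader "Enumerating SSH"
	nmap -p "${openPort}" --script="*ssh* and not *brute* and not ssh-run" "${target}" -oN "${outputFile}" --append-output
}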

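function TELNET() #23
{
	# Run the Telnet NSE scripts (excluding brute-force ones) against the
	# open port and append normal-format output to the per-port report file.
	# Reads globals: report_dir, openPort, target. Sets global: outputFile.
	outputFile="${report_dir}/${openPort}.txt"
	taskHeader "Enumerating Telnet"
	nmap -p "${openPort}" --script="*telnet* and not *brute*" "${target}" -oN "${outputFile}" --append-output
}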

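function SMTP() #25
{
	# Run the SMTP NSE scripts (excluding brute-force ones) against the
	# open port and append normal-format output to the per-port report file.
	# Reads globals: report_dir, openPort, target. Sets global: outputFile.
	outputFile="${report_dir}/${openPort}.txt"
	taskHeader "Enumerating SMTP"

	nmap -p "${openPort}" --script="*smtp* and not *brute*" "${target}" -oN "${outputFile}" --append-output
}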

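function WEB() #80,443
{
	# Run an explicit list of HTTP NSE scripts against the open port and
	# append normal-format output to the per-port report file.
	# Reads globals: report_dir, openPort, target. Sets global: outputFile.
	# Notes on the list: "and not *brute*" at the end removes
	# http-iis-short-name-brute again even though it is named; several of the
	# named scripts (e.g. http-put, http-fileupload-exploiter) belong to nmap's
	# intrusive categories and can write to the target, so the report for this
	# port should be read with that in mind.
	taskHeader "Enumerating Web: $target:$openPort"
	outputFile="${report_dir}/${openPort}.txt"

	#nmap -p ${openPort} --script="*http* and not *brute*" ${target} -oN ${outputFile} --append-output
	nmap -p "${openPort}" --script="http-apache-negotiation,http-apache-server-status,http-aspnet-debug,http-auth-finder,http-auth,http-config-backup,http-cookie-flags,http-enum,http-errors,http-fetch,http-fileupload-exploiter,http-frontpage-login,http-git,http-grep,http-headers,http-iis-short-name-brute,http-iis-webdav-vuln,http-ls,http-method-tamper,http-methods,http-open-proxy,http-open-redirect,http-passwd,http-php-version,http-put,http-referer-checker,http-rfi-spider,http-robots.txt,http-security-headers,http-server-header,http-shellshock,http-sql-injection,http-svn-info,http-title,http-userdir-enum,http-vuln-cve2006-3392,http-vuln-cve2009-3960,http-vuln-cve2010-0738,http-vuln-cve2010-2861,http-vuln-cve2011-3192,http-vuln-cve2011-3368,http-vuln-cve2012-1823,http-vuln-cve2013-0156,http-vuln-cve2013-6786,http-vuln-cve2013-7091,http-vuln-cve2014-2126,http-vuln-cve2014-2127,http-vuln-cve2014-2128,http-vuln-cve2014-2129,http-vuln-cve2014-3704,http-vuln-cve2014-8877,http-vuln-cve2015-1427,http-vuln-cve2015-1635,http-vuln-cve2017-1001000,http-vuln-cve2017-5638,http-vuln-cve2017-5689,http-vuln-cve2017-8917 and not *brute*" "${target}" -oN "${outputFile}" --append-output
}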

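function POP() #110
{
	# Run the POP3 NSE scripts (excluding brute-force ones) against the
	# open port and append normal-format output to the per-port report file.
	# Reads globals: report_dir, openPort, target. Sets global: outputFile.
	# The original set outputFile to the report directory itself, so -oN
	# pointed at a directory; it now uses the same <port>.txt file as the
	# other service functions.
	outputFile="${report_dir}/${openPort}.txt"
	taskHeader "Enumerating POP: $target:$openPort"
	nmap -p "${openPort}" --script="*pop3* and not *brute*" "${target}" -oN "${outputFile}" --append-output
}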
	
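function RPCBIND() #111
{
	# Run the RPC NSE scripts (excluding brute-force ones) against the
	# open port and append normal-format output to the per-port report file.
	# Reads globals: report_dir, openPort, target. Sets global: outputFile.
	outputFile="${report_dir}/${openPort}.txt"
	taskHeader "Enumerating RPC: $target:$openPort"

	nmap -p "${openPort}" --script="*rpc* and not *brute*" "${target}" -oN "${outputFile}" --append-output
}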

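function MSRPC() #135
{
	# Run the RPC NSE scripts (excluding brute-force ones) against the
	# open port and append normal-format output to the per-port report file.
	# Reads globals: report_dir, openPort, target. Sets global: outputFile.
	outputFile="${report_dir}/${openPort}.txt"
	taskHeader "Enumerating MSRPC: $target:$openPort"
	# The original used `print`, which is not a bash builtin, so this
	# reminder never reached the report; printf writes the same text.
	printf '%s\n' "Try RPC DCOM Exploit - ms03_026_dcom, 67.c ? " | tee -a -- "$outputFile"
	nmap -p "${openPort}" --script="*rpc* and not *brute*" "${target}" -oN "${outputFile}" --append-output
}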

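function SAMBA() #139,445
{
	# Run the smb-vuln* NSE scripts (excluding brute-force ones) against the
	# open port and append normal-format output to the per-port report file.
	# Reads globals: report_dir, openPort, target. Sets global: outputFile.
	# --script-args=unsafe=1 opts in to the smb-vuln checks whose nmap
	# documentation marks them as able to crash the target service.
	outputFile="${report_dir}/${openPort}.txt"
	taskHeader "Enumerating SMB: $target:$openPort"
	nmap -p "${openPort}" --script="smb-vuln* and not *brute*" --script-args=unsafe=1 "${target}" -oN "${outputFile}" --append-output
}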

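function NFS() #2049
{
	# Run the NFS NSE scripts (excluding brute-force ones) against the
	# open port and append normal-format output to the per-port report file.
	# Reads globals: report_dir, openPort, target. Sets global: outputFile.
	outputFile="${report_dir}/${openPort}.txt"
	taskHeader "Enumerating NFS: $target:$openPort"
	nmap -p "${openPort}" --script="*nfs* and not *brute*" "${target}" -oN "${outputFile}" --append-output
}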

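function RDP() #3389
{
	# Run the RDP NSE scripts (excluding brute-force ones) against the
	# open port and append normal-format output to the per-port report file.
	# Reads globals: report_dir, openPort, target. Sets global: outputFile.
	outputFile="${report_dir}/${openPort}.txt"
	taskHeader "Enumerating RDP: $target:$openPort"
	nmap -p "${openPort}" --script="*rdp* and not *brute*" "${target}" -oN "${outputFile}" --append-output
}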





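function ENUM_PORT()
{
	# Dispatch to the enumeration function for port $2.
	# $1 (target) is accepted for call symmetry but is not used here: the
	# service functions read the global "target" instead. Ports without a
	# handler are reported for manual review. The arms for 110, 135 and
	# 161/162 stay disabled, as in the original.
	case "$2" in
		"21")
			FTP
			;;
		"22")
			SSH
			;;
		"23")
			TELNET
			;;
		"25")
			SMTP
			;;
		"80" | "443" | "8080")
			WEB #$1 $2
			;;
		# "110")
			# POP
			# ;;
		"111")
			RPCBIND
			;;
		# "135")
			# MSRPC
			# ;;
		"139" | "445")
			SAMBA
			;;
		# "161" | "162" )
			# SNMP
			# ;;
		*)
			# printf operands instead of echo -e: the port text is printed
			# verbatim, colour variables are expanded with %b.
			printf 'Please perform manual investigation for port %b %s %b\n' "$RED" "$2" "$NORMAL"
			;;
	esac
}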

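#script start
# Colour variables go through %b; the fixed text is the format string.
printf 'Version: %b 1.0 %b \n\n\n' "$GREEN" "$NORMAL"
printf 'Author: %b Linux Guy! %b \n\n\n' "$GREEN" "$NORMAL"

output_dir="${current_dir}/reconator"

# For each target on the command line, read the open-port list that
# PARSE_NMAP writes to <report_dir>/openPorts.txt and enumerate every port
# that has a handler. NMAP/PARSE_NMAP are not invoked from this loop, so
# that file must already exist for the target; a missing file is reported
# and the target skipped instead of letting awk fail on it.
for target in "$@"; do
	printHeader "Processing target: ${target} $(date)"
	report_dir="${output_dir}/${target}"
	ports_file="${report_dir}/openPorts.txt"

	if [[ ! -r "$ports_file" ]]; then
		printError "$ports_file" "open-port list not found; run NMAP and PARSE_NMAP first"
		continue
	fi

	# Second column is the comma-separated port list; turn it into words.
	openPorts=$(awk '{print $2}' "$ports_file" | sed "s/,/ /g")
	subHeader "Starting Service Enumeration for Open Ports: $openPorts"
	# $openPorts is deliberately unquoted: word-splitting yields one port per iteration.
	for openPort in $openPorts; do
		case "$openPort" in
			"21" | "22" | "23" | "25" | "53" | "69" | "80" | "443"  | "110" | "111" | "135" | "139" | "445" | "161" | "162" | "1443" | "1521" | "2049" | "2100" | "3306" | "3339" | "3389")
				ENUM_PORT "$target" "$openPort"
				;;
			*)
				unknown_ports="${unknown_ports} ${openPort}"
				;;
		esac
	done
done


subHeader "$RED These are unknown ports, that require manual investigation$NORMAL"
# Drop the leading separator that the accumulation above adds.
printf '%s\n' "${unknown_ports# }"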