Potential Hacktricks based enumeration Platform.

[CoolHandSquid]

@carlospolop, in order to increase the ease of workflow while pen-testing/CTF-ing, I put together a platform to host "basic-information" and "enumeration" scans (as annotated by this book). My thought is that 80% of the time, per open port you are only going to do a banner grab and the initial enumeration to see if it is a foothold opportunity. If you think this is a good idea, let me know and I'll work on coming up with a curl-based API tool to populate the TireFire database periodically with updates to hacktricks. https://github.com/coolhandsquid/TireFire If you would like to reach me more privately coolhandsquid32@gmail.com. HackTricks is a great resource and I love what you do!

[carlospolop]

Hi @CoolHandSquid! This sounds pretty interesting, but I don't completely understand your proposal. Do you mean that you want to automate all the basic information and enumeration from hacktricks inside your tool (which looks pretty good to be honest, well done :) If thats the case, perfect! If not, let me know what I have misunderstood!

[CoolHandSquid]

Thank you for the compliment, and that is correct! In theory, all of the things in hacktricks could be put into the tool, but it would be a lot of hand-jamming. At first, glance, curling the book (or Github directories) looks as if it would be quite a bear to regex through and push into the database. Do you have any better ideas?

[carlospolop]

Nice, that idea sounds pretty cool. I would say to take a look if it's easier to grep from gitbook or from github. Also, atm it might be difficult to find a way to grep the correct commands. If you want you could submit some PRs modifying every service page so it's easier to grep the commands without losing information. Or (and I think this will be easier) create a new section on each service page with the commands exactly with the syntax to execute them (even onliners of metasploit for example). In the last case, I will take in mind the new syntax for the new services that I will add in the future to the book. Let me know what you think!

[carlospolop]

hello?

[CoolHandSquid]

I am currently working on a POC. Once complete I will message you here and send you a link to the fork. Once approved by your grace, I'll go ahead and knock it out for the rest of the protocols!

[carlospolop]

Perfect!

[CoolHandSquid]

I told you I was going in one direction, and I deviated from the original path slightly, but I think you'll like it just the same! I wrote a parser for all of the .md files in the pentest directory to pull out the Protocol, Port number, and bash commands. I put it on Github and explained where it is functionally and what would be needed to get it to jive with HackTricks 100%. Let me know if you think this is worth continuing in pursuit! HackTricksParser

[carlospolop]

Hey mate! That looks pretty cool! How are you planning to parse the enumeration commands? Do you prefer to try to parse them as they are currently, or do you want to create some extra section on each network service indicating each command to run with using some meta languaje?

[carlospolop]

Hey @CoolHandSquid, How is this going? should I close it?

[CoolHandSquid]

I have not touched it. Thank you for reminding me of this project in which I have rekindled excitement. I will be able to get into it late next week. TYFYS

[CoolHandSquid]

Proposal: Before I get to doing a large commit, I want to run past you what I am thinking and adjust to what makes hacktricks even more butt-kicking than it is now. My vision involves adding a tab to the applicable code blocks of the numbered protocols under the pentesting section. A Tab on the first code block, for a larger section of notes, a tab per enumeration command, and potentially a tab for attack techniques. Each of these tabs would get parsed and then brought into the database for TireFire (and TmuxRecon).

Top Code box that is in most (Maybe All) of the protocols

Echo Enumeration Code Box

TireFire post parsing with updated DB

• Known issue: Github markdown does not support tabs, so it will render goofy on GitHub proper.
• Making a hidden file per-protocol is also an option; I do not think that they would show up in git book ( assuming gitbook is the slave to GitHub )
• Let me know if you think this is a solid direction we could go in or if you have an alternative idea of where we could put the parsable/grepable data.

[carlospolop]

Hey mate!

What about instead of creating a tab, creating a new console style box at the end of each pentesting service section (under the title of Hacktricks Automatic Commands, or something like that) and put the commands there?

[CoolHandSquid]

Good call! That is probably a better plan because it will allow the book to render properly in GitHub markdown. I figure if I go through and standardize the code block in the Basic Information section and pull the protocol data from there. That'll be better practice than having to update both the 'Basic Information' section and the 'Hacktricks Automatic Commands' section.

• Is this template about what the doctor ordered?

[carlospolop]

Perfect! I would like to ask you for 2 things:

• Please, create 1 PR per modified page (the integration between gitbook and github isn't perfect and we don't want to lose all the changes for just doing just big PR) and perform the PR as soon as you modified the page (to no achieve a desynchronised state). Also, always merge your version with hacktricks master before start doing changes.
• If you could, define how the meta-language you are going to create works. For example, in the previous case I see several attributes (Name, Description, Coomand) and some tags in the command (like {IP}). If you define all the possible tags and attributes I will follow them in the new additions.

[CoolHandSquid]

Sent 10, single-page PR's and I've got maybe 15 more ready to go! Unfortunately, I'm not seeing them in them along with the Public Pull Requests, are you able to see them? I have PR'd some files that I committed to twice on my local fork due to an original typo, Hopefully, they are able to merge properly.

Once this instance of data movement is over I'll put together a .md for you on the TireFire/TmuxRecon meta language.

[carlospolop]

Hey man, something weird happened. I received the emails of the PRs but I cannot see them in github. Could you try to do the PRs again?

[CoolHandSquid]

I sent one and removed it this morning. I'll have them coming your way here shortly.

[CoolHandSquid]

They are all in!

[carlospolop]

I hae accepted your PRs, let me know once they are working. Also, I saw you added nmap scripts to be launched, but I don't know if you added the execution of metasploit enum scripts. Consider to add them also as they might be pretty useful.

[CoolHandSquid]

• I've got most of the parser complete, but in the effort of best practice and scalability, I'm gonna fork the master, rewrite the code block in YAML, then do the twenty-something PR's. That was an oversight on my part and the lesson has been learned.
• Once I've got the parser up and running, I'll throw something in AWS to do a 0200 Monday morning cronjob to clone the master, parse it and send me the latest database/Error log. (I'll push it to TireFire manually)
• Haven't spent the 15 minutes making you that meta language file yet. It is still on my plate.
• I will look into the msf enum scripts shortly. I like the idea and I see the value.

[carlospolop]

I'm glad you liked the MSF scripts idea. Once this is working create a tutorial or something and let me know so I can share it.

[CoolHandSquid]

I figure I'll be able to get you a tutorial, meta.md, and functioning tool by early next week. I am debating starting a new repository named "HackTricks Automatic Commands". It would be a fork of tirefire and have the options to run it in Tmux, Terminator, and Tilix. I'm already most of the way there. I would just need to do some beta testing and some research on the RPC for Terminator.

[CoolHandSquid]

HackTricks Automatic Commands Is up and running!

Complete

• The weekly parse is what is being used to populate the database.
• The tilix and tmux and interfaces are functioning as they should.
• Quality control on every command in the database so we have a SOLID base to work from.
• Metalanguage is in the README as well as the demos and methodology.

  Todo:

• Adding MSF commands

  Closing point:

• HAC is functionally ready to go. Let me know what you would like to see moving forward from a technical, feature, and marketing standpoint.
• It has been an outstanding adventure making this happen and it's been an honor working with you!

[carlospolop]

Hey man, sorry for the waiting. This is awesome, thank you very much for creating this. My suggestions would be to just keep adding tools and metasploit scripts. Also maybe, create a mode where you can launch all the scans to a service just from the same session, so you dont need 10 sessions to launch 10 commands. And keep adding tools to Web (like nuclei and more you can find in hacktricks).

Keep the good work and thank you!