This tool may be used for legal purposes only.
Users take full responsibility for any actions performed using this tool.
The author accepts no liability for damage caused by this tool.
If these terms are not acceptable to you, then do not use this tool.
Pentester Toolchain is a pentester's templating system for automating toolchains for reconnaissance and other purposes. It enables pentesters without coding skills to automate commonly used tools and custom programs, using parallel processing to scan multiple hosts simultaneously, save the output, and convert it to markdown in a report-friendly form.
- easy to use and understand
- integrates with the local shell environment
- simple yaml config file for fully customizable toolchains of system binaries and custom programs
- parallel host scanning with multiprocessing, allocating one host per core
- ping scan integration and a reactive regex system that executes toolchains based on the open ports found in nmap output
- ability to skip port scanning and run toolchains against the known ports of existing targets
- report-friendly markdown support
Also included is the Network Service Methodology Guide, which integrates with Obsidian and provides recommended tooling for each enumerated port.
The program is licensed under the GNU General Public License v3.0.
Written in Python 3.10.6 for the Debian-based Kali Linux OS. Git is required for the associated submodules.
After Python is installed, run the following command to install the required apt packages:
sudo apt install -y awscli docker glusterfs-cli ident-user-enum open-iscsi oscanner rsh-client rusers
- Run the setup.py script to build a virtual environment and install the external packages in the created venv.
Examples:
- Linux: python3 setup.py venv
- Once the virtual environment is built, change to the bin directory in the environment folder just created.
- In the venv/bin directory, execute source activate to activate the virtual environment.
- If issues are experienced with the setup script, the alternative is to manually create an environment, activate it, then run pip install -r packages.txt in the project root (a direct path reference to the venv pip may be necessary).
- To exit the virtual environment when finished, execute deactivate.
Run the following command to ensure the required python scripts are installed:
pip install mailspoof
Note: if pip cannot be found in the venv when installing mailspoof, make sure the Kali OS has the proper packages installed:
sudo apt install -y python3-venv
- then rebuild the virtual environment with
python -m venv venv
Before executing the program, run the following git commands to ensure the submodules are installed:
git submodule init
git submodule update
Once prerequisites have been met and installation is complete, follow the instructions in the instructions.yml file, which are mapped to the config.yml default script file to provide examples.
If customization is desired, make a copy of the default config.yml or the blank.yml file to start from scratch.
Once the configuration file is set, simply run:
python3 pentester_toolchain.py <config_file>
If root permissions are needed for associated tools, run:
sudo ./venv/bin/python3 pentester_toolchain.py <config_file>
Note: the default configuration file requires root permissions to execute nmap scans.
If a config file argument is not provided, the user will be asked for one when the program starts.
Generated output is organized by host in the following order, with handler output mapped identically to Supported Service Ports:
Output -> host -> Nmap
               -> TCP_Handlers
               -> UDP_Handlers
               -> TCP_UDP_Handlers
Note: tools like gobuster can create extra directories inside the project folder; simply delete them when finished.
TCP_Handlers:
20,21 - FTP
22 - SSH
23 - Telnet
25,465,587,2525 - SMTP
43 - Whois
79 - Finger
80,443,8080,8443 - HTTP/HTTPS
110,995 - POP3/POP3 over TLS
113 - Ident
119,433 - NNTP/NNTPS (Network News Transport Protocol)
143,993 - IMAP/IMAP over TLS
199 - SNMP SMUX
264 - Check Point firewall
445 - SMB
502 - Modbus
513 - Rlogin
514 - Rsh
548 - Apple Filing Protocol (AFP)
554 - RTSP (Real Time Streaming Protocol)
631 - CUPS (IPP)
873 - rsync
1050,1098,1099 - Java RMI
1433 - MSSQL database
1521 - Oracle database (TNS listener)
1883 - Mosquitto (MQTT)
2100 - Oracle XML DB FTP
2375,2376 - Docker
3128 - Squid
3260 - iSCSI
3299 - SAPRouter
3306 - MySQL database
3389 - Remote Desktop Protocol (RDP)
3632 - distcc
3690 - Subversion (svn server)
4369 - Erlang Port Mapper Daemon (epmd)
4786 - Cisco Smart Install
5432,5433 - PostgreSQL
5439 - Redshift
5800,5900 - VNC
5985,5986 - WinRM (Windows Remote Management)
6000 - X11
6379 - Redis
8000 - Java Debug Wire
8009 - Apache JServ (AJP)
8086 - InfluxDB
8333,18333,18444,38333 - Bitcoin
9042,9160 - Apache Cassandra
9100 - Raw printing (JetDirect, AppSocket, PDL-Datastream)
9200 - Elasticsearch
10000 - Network Data Management Protocol (NDMP)
11210 - Memcache
24007,24008,24009,49152 - GlusterFS
27017,27018 - MongoDB
50030,50060,50070,50075,50090 - Hadoop
UDP_Handlers:
67 - DHCP
69 - TFTP
1026 - Rusersd
3702 - WS-Discovery
5353 - mDNS
47808 - BACnet
TCP_UDP_Handlers:
53 - DNS
88 - Kerberos
111 - Rpcbind
123 - NTP
135 - MSRPC
137,138,139 - NetBIOS
161,162,10161,10162 - SNMP
194,529,6667 - IRC
389,636,3268,3269 - LDAP
500,1723 - IPsec / IKE VPN / Point-to-Point Tunnel Protocol
623 - Intelligent Platform Management Interface (IPMI)
1080 - Socks Proxy
2049 - NFS
5671,5672 - RabbitMQ (AMQP)
5984,6984 - CouchDB
44818 - EtherNet/IP
-- pentest_automater.py --
nmap_handler - Command execution function for nmap initial probing scans.
scan_process - Begins by setting up process logging facilities, file paths, and directories. If no ports are specified in the config file, nmap scans are skipped on the assumption that the ports have already been enumerated. Otherwise, an initial nmap scan is run, followed by the corresponding toolchains configured through regex matching of open ports, finishing with a full nmap scan that checks all ports.
ScanClass - The scan process service handler class, which maps the ports of interest to their associated service handler functions for later execution.
proc_alloc - Allocates a scan process, adds it to the process list, and updates the associated counter variables.
main - Loads the config file and, depending on its settings, either runs a ping scan to identify hosts or uses the target hosts already in the config file, then launches the scan process on the target hosts based on the number of available CPUs.
log_handler - Logging thread that handles multiprocessing logging through the dedicated queue.
-- utils.py --
cmd_parser - Takes the input command parsed from the yaml file and substitutes the variable-length parameters passed in for any delimiters in the command.
ConfigClass - Class to store yaml file configurations that are referenced throughout operations.
config_input - Prompts user for yaml configuration to use for scan automation.
error_query - Looks up the errno message to get description.
file_handler - Read/Write file operation handler for text and yaml file formats.
logger_config - Retrieves the logging configuration in dict form.
markdown_formatter - Crawls recursively through the output directory and converts each text output file into a markdown copy.
print_err - Displays the error message through stderr (standard error) with multiprocessing locking support.
RegexHandler - Class object to store compiled regex patterns.
scan_parse - Takes the nmap scan output and performs regex matches to identify open ports. The result is returned in a dictionary of mapped comma-separated ports.
service_handler - Takes the passed-in service information and executes the commands parsed from the yaml config file.
syntax_parse - Parses the value of a delimiter into the position where it is placed in the command syntax string.
system_cmd - Executes a system shell command and returns the output. If an improper data type is in the command syntax list or an error occurs during command execution, the error is displayed via stderr and logged, and False is returned to indicate the failed operation.
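The scan_parse and ScanClass descriptions above outline how open ports from nmap output are matched by regex and mapped to the comma-separated port groups of Supported Service Ports. The following is an added illustration of that flow, not the project's own code: the nmap excerpt is constructed, the handler names and the port-group tables are assumed, and only a few of the page's port groups are included.

```python
import re
from collections import defaultdict

# Constructed nmap normal-output excerpt used as sample input (not a real scan).
NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.0012s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
80/tcp   open     http
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
8443/tcp filtered https-alt
"""

# Assumed tables mirroring the Supported Service Ports layout: a comma-separated
# port group is the key, the handler name that should run for it is the value.
TCP_HANDLERS = {
    "20,21": "ftp_handler",
    "22": "ssh_handler",
    "80,443,8080,8443": "http_handler",
    "445": "smb_handler",
}
TCP_UDP_HANDLERS = {
    "137,138,139": "netbios_handler",
}

# Matches lines such as "22/tcp   open     ssh"; filtered/closed lines are skipped.
OPEN_PORT_RE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+open\s+(\S+)", re.MULTILINE)


def scan_parse(nmap_text: str) -> dict:
    """Return open ports per protocol as comma-separated strings, e.g. {"tcp": "21,22"}."""
    found = defaultdict(set)
    for port, proto, _service in OPEN_PORT_RE.findall(nmap_text):
        found[proto].add(int(port))
    return {proto: ",".join(str(p) for p in sorted(ports)) for proto, ports in found.items()}


def map_handlers(parsed: dict) -> dict:
    """Expand the port-group keys and resolve each open port to its handler name.
    Ports without a configured handler are left out of the result."""
    lookup = {int(p): handler
              for table in (TCP_HANDLERS, TCP_UDP_HANDLERS)
              for key, handler in table.items()
              for p in key.split(",")}
    return {int(p): lookup[int(p)]
            for ports in parsed.values() for p in ports.split(",") if p and int(p) in lookup}
```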
-- tcp_handlers.py, udp_handlers.py, tcp_udp_handlers.py --
There are around four dozen services handled by Pentester Toolchain; each service has its own handler function to parse and execute the corresponding commands from the yaml config class. The functions are laid out in the same order as the services in the Supported Service Ports section.
Exit codes:
-- pentest_automater.py --
0 - Successful execution (main)
1 - Unexpected exception occurred (main)
2 - If an error occurs acquiring targets from the YAML config file, the initial ping scan fails, or an error occurs rendering the banner (main)
3 - If error occurs setting up CIDR subnet ping executor (ping_executor)
4 - If initial nmap scan fails or ports in regex scan parse do not properly match assigned keys (scan_process)
5 - If service function handler fails due to non-existing key or port fails to convert to int (scan_process)
-- utils.py --
6 - If file operation was attempted on non-existing file (error_query)
7 - If file operation was attempted on file that user does not have access to (error_query)
8 - If IO error occurred during file operation (error_query)
9 - If unexpected error occurred during file operation (error_query)
10 - If write file operation is attempted with no data to write to the file (file_handler)
11 - If attempting to write data to YAML config file (file_handler)
12 - If fatal error occurs attempting to execute command (system_cmd)