commit 16fb04df83f1a5a74af32fd28e1a4a2b34021f4a
from: Dominik Lang
date: Sun Apr 07 08:47:42 2024 UTC
Initial import. With first versions of scripts for gnmap, nuclei, and OpenBSD's httpd access.log
commit - /dev/null
commit + 16fb04df83f1a5a74af32fd28e1a4a2b34021f4a
blob - /dev/null
blob + 7c43567503ee9c4dd0ade1c1e2a4938a6ec289c1 (mode 644)
--- /dev/null
+++ from_accesslog.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+awk '
+NR > 1 {
+ match($0, "[[].*]")
+ $5 = substr($0, RSTART + 1, RLENGTH - 2)
+
+ match($0, "\".*\"")
+ $6 = substr($0, RSTART + 1, RLENGTH - 2)
+
+ l1 = NF-1
+ printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, $6, $l1, NF
+ #print $1, $2, $3, $4, $5, $6, $l1, NF
+}
+'
blob - /dev/null
blob + e39d14452ac5bfeb13ada588da366704fe2db0ba (mode 644)
--- /dev/null
+++ from_gnmap.sh
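Review bot: `match($0, "[[].*]")` and `match($0, "\".*\"")` are greedy, so the date and request columns run from the first `[` or `"` on the line to the last one; a request line (client-supplied) that contains `]` or `"`, or a log written in httpd's combined style with quoted referer and user-agent, shifts or swallows the trailing columns that `$l1` and `NF` are meant to pick up. Bounding the date match to the first bracket pair, `match($0, "[[][^]]*]")`, removes one of the two ambiguities; the quoted-request extraction stays a heuristic unless httpd is known to escape embedded quotes and tabs, which this hunk does not establish. `NR > 1` drops the first log line with no explanation; a comment saying what is skipped, or removing the condition if nothing is, would help. A header comment naming the expected log style (server name, client address, two `-` fields, `[date]`, `"request"`, then two trailing fields, as the column numbers in query_accesslog.sh imply) and noting that the request column is untrusted input would make the tab-delimited contract explicit for its consumer.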
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# In my opinion, gnmap isn't "grepable" but rather "transformable".
+# In my daily doing, I want something grepable with a little less information.
+# The goal is to print one entire port section together with its IP per line, e.g.
+#
+# 192.168.1.42 22 open tcp ssh SSH-2.0-OpenSSH_9.5
+#
+# The challenge is that the format uses different types of delimiters
+# for the different "fields".
+# We only use the address field and the Ports field and ignore everything else.
+#
+# The Ports field is delimited with "," and within a field delimited with "/"
+# First split the "Ports:" field into it's port entry components.
+# Then split each of these components into it's subcomponents.
+
+awk '
+/Ports: / {
+ # Copy out the relevant parts of the line
+ r = "Ports: "
+
+ # This should never evaluate to true, but Im paranoid
+ if (match($0, r) == 0)
+ next
+
+ portstr = substr($0, RSTART + length(r))
+
+ sub("[ \t]*Ignored State:.*$", "", portstr)
+
+ # Split the into single port fields
+ nports = split(portstr, portlist, ",")
+
+ # Loop through each port field
+ # Split it into its components and trim it, just to be sure
+ for (i = 1; i <= nports; i++) {
+ sub("^[ \t]+|[ \t]+$", "", portlist[i])
+ np = split(portlist[i], p, "/")
+
+ # Dont use the last field of the split, as it isnt a field anymore
+ # just the end delimiter
+ printf "%s", $2
+ for (j = 1; j < np; j++) {
+ # Set empty fields to "-"
+ sub("^[ \t]*$", "-", p[j])
+ printf "\t%s", p[j]
+ }
+ printf "\n"
+ }
+}
+'
blob - /dev/null
blob + 0ab061ec72beefa9eeca557766d81355e8fd06a1 (mode 644)
--- /dev/null
+++ from_nuclei.sh
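Review bot: `sub("^[ \t]+|[ \t]+$", "", portlist[i])` replaces only the first match, so an entry with whitespace at both ends keeps its trailing blanks; `gsub("^[ \t]+|[ \t]+$", "", portlist[i])` trims both sides, which is what the comment "trim it, just to be sure" intends. The last column printed by the inner `printf` is the version sub-field, i.e. banner text reported by the scanned host; if such a banner ever contains a tab it adds columns to the output, which deserves a comment near that `printf` since query_gnmap.sh splits on tabs. Two wording fixes in the header comment: "it's" should be "its" in the two "split ... into it's" lines, and "Split the into single port fields" is missing a word.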
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# This is still a work-in-progress
+
+awk '
+{
+ # Remove the surrounding [] brackets of the first three fields
+ for (i = 1; i <= 3; i++)
+ $i = substr($i, 2, length($i) - 2)
+
+ printf "%-70s\t%-10s\t%-10s\t%s", $1, $2, $3, $4
+
+ # If there is additional information at the end, print it
+ # separated with one space
+ if (NF > 4) {
+ printf "\t%s", $5
+ for (i = 6; i <= NF; i++) {
+ printf " %s", $i
+ }
+ }
+ printf "\n"
+}
+'
blob - /dev/null
blob + eea74d9555ca7e1e73762663a53dcca72f11fb64 (mode 644)
--- /dev/null
+++ query_accesslog.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+awk -F "\t" \
+ -v OFS="\t" \
+ -v domain=1 \
+ -v host=2 \
+ -v date=5 \
+ -v req=6 \
+ "${@}"
blob - /dev/null
blob + 3dca83708675f15ae6ec95975033c7db5080926f (mode 644)
--- /dev/null
+++ query_gnmap.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+awk -F "\t+" \
+ -v OFS="\t" \
+ -v host=1 \
+ -v port=2 \
+ -v state=3 \
+ -v proto=4 \
+ -v owner=5 \
+ -v service=6 \
+ -v sunrpc=7 \
+ -v version=8 \
+ "${@}"
blob - /dev/null
blob + 8b07fed6f24140e8058bc52938dee90f3dca86ec (mode 644)
--- /dev/null
+++ query_nuclei.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+awk -F "\t" \
+ -v OFS="\t" \
+ -v finding=1 \
+ -v proto=2 \
+ -v level=3 \
+ -v loc=4 \
+ -v info=5 \
+ "${@}"
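Review bot: `$i = substr($i, 2, length($i) - 2)` strips the first and last character of the first three fields unconditionally, so any line whose leading fields are not bracketed (a blank line, a diagnostic printed to the same stream, or a differently shaped output line) is silently mangled instead of skipped; guarding with `if ($i ~ /^\[.*\]$/)` or adding a rule `$1 !~ /^\[/ { next }` keeps such lines out of the table. The `%-70s` and `%-10s` widths pad the values with trailing spaces inside the tab-delimited fields, so query_nuclei.sh, which splits on a single tab, sees `finding`, `proto` and `level` with trailing blanks and an exact comparison such as `$level == "high"` will not match; either drop the widths or document that consumers must trim. The location in `$4` and the extracted info in `$5` onwards are data obtained from scanned targets; if they contain a tab the column count changes, which is worth a comment above the second `printf`.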
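Review bot: None of the three query wrappers (this one, query_gnmap.sh and query_nuclei.sh) documents that the arguments are an awk program run over the output of the matching from_*.sh script, or that the `-v` names are column numbers intended for `$host`-style field access; a header comment such as `# Usage: from_accesslog.sh access.log | query_accesslog.sh '<awk program>'` followed by one example like `'$host == "192.168.1.42" { print $date, $req }'` would make the workflow clear. Here the two trailing columns that from_accesslog.sh emits (`$l1` and `NF`) have no name; if they are the status and size fields of httpd's common log style, `-v status=7 -v bytes=8` would complete the mapping. Because `"${@}"` is passed through verbatim, running the wrapper with no arguments hands awk no program at all; a `[ $# -gt 0 ] || { echo "usage: ..." >&2; exit 2; }` line before the awk call fails with a clearer message.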
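Review bot: `-F "\t+"` differs from the single-tab `-F "\t"` used by query_accesslog.sh and query_nuclei.sh, and since from_gnmap.sh substitutes `-` for every empty sub-field there is no empty column for the `+` to collapse; what it does instead is merge any run of adjacent tabs, so a producer change that ever emits an empty column would silently shift `service`, `sunrpc` and `version` one position to the left. Unless the collapsing is deliberate, `-F "\t"` is the safer match to the producer; if it is deliberate, a comment on that line should say why. A short comment per `-v` line mapping the name to the gnmap sub-field it came from would also document that `$version` is banner text from the scanned host rather than something the scanner itself asserts.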