Pentest Tips

Scripts


Last updated 3 years ago

All these scripts are hand written by me and can be found on my GitHub:

Change All Users Passwords:

#!/bin/bash
# Usage: ./change-all-passwords.sh <new-password>
# Resets the password of every non-root account whose login shell is
# /bin/bash or /bin/sh, and kills that user's processes so sessions
# authenticated with the old credential do not survive.

if [ -z "$1" ]; then
	echo "Usage: $0 <new-password>" >&2
	exit 1
fi
newPassword=$1
mapfile -t usersArray < <(awk -F":" '((($7=="/bin/bash")||($7=="/bin/sh"))&&($1!="root")){print $1}' /etc/passwd)

for elm in "${usersArray[@]}";
do
	skill -kill -u "$elm"
	killall -u "$elm"
	# passwd reads the new password twice from stdin; if a distribution's
	# passwd insists on a tty, `echo "$elm:$newPassword" | chpasswd` does the same job
	printf '%s\n%s\n' "$newPassword" "$newPassword" | passwd "$elm"
	echo "Changed Password for $elm to $newPassword"
done

Disable all Users With Shell Access:

#!/bin/bash
# Locks out every account with a /bin/bash or /bin/sh login shell, except
# root and the account running the script, by switching the shell to
# nologin and killing the user's processes.

currentuser=$(whoami)
mapfile -t usersArray < <(awk -v curuser="$currentuser" -F":" '((($7=="/bin/bash")||($7=="/bin/sh"))&&(($1!="root")&&($1!=curuser))){print $1}' /etc/passwd)
echo "Found Users: " "${usersArray[@]}"

for elm in "${usersArray[@]}";
do
	echo "Disabling: " "$elm"
	# nologin refuses interactive logins (on some distributions the path is /usr/sbin/nologin)
	usermod -s /sbin/nologin "$elm"
	killall -u "$elm"
	skill -kill -u "$elm"
done

Get the name:pid of all active TCP/UDP connections:

#!/bin/bash
# For each process name owning a listening TCP/UDP socket (ss -tulpn),
# print its pid(s) followed by the name.

# first process name on each ss line, de-duplicated, header line dropped (NF)
mapfile -t usersArray < <(ss -tulpn | awk -F"users:" '{print $2}' | awk -F"\"" '{print $2}' | awk 'NF && !seen[$0]++')

for elm in "${usersArray[@]}";
do
	# every pid=N that follows this name, de-duplicated and joined on one line
	pids=$(ss -tulpn | awk -F"\"$elm\"" '{print $2}' | awk -F"," '{print $2}' | awk -F"=" '{print $2}' | awk 'NF && !seen[$0]++' | paste -sd ' ' -)
	echo "$pids:$elm"
done
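The chained awk above catches only the first process on each ss line and re-runs ss once per name. As an added example (not code from the original page or the author's repository), the function below does the same job in one awk pass over the `users:((...))` column that iproute2's ss prints, including sockets shared by several processes such as a pre-forked web server. The function name `listener_name_pid` and the sample ss listing are mine; the listing is constructed, and the function reads ss output on stdin so a listing captured from another host can be parsed offline.

```shell
#!/bin/sh
# Added example: turn the process column of `ss -tulpn` into unique
# "name:pid" pairs in a single awk pass. Reads ss output on stdin.
listener_name_pid() {
	awk '
	# ss prints the owning processes as:
	#   users:(("sshd",pid=1234,fd=3),("sshd",pid=1235,fd=3))
	match($0, /users:\(\(.*\)\)/) {
		# strip the leading "users:(" and the trailing ")"
		procs = substr($0, RSTART + 7, RLENGTH - 8)
		n = split(procs, parts, /\),\(/)
		for (i = 1; i <= n; i++) {
			gsub(/[()]/, "", parts[i])        # leftover parentheses
			split(parts[i], kv, ",")           # "name", pid=N, fd=N
			name = kv[1]; gsub(/"/, "", name)
			pid  = kv[2]; sub(/^pid=/, "", pid)
			key  = name ":" pid
			if (!(key in seen)) { seen[key] = 1; print key }
		}
	}'
}

# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*     users:(("chronyd",pid=800,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=1234,fd=3))
tcp   LISTEN 0      511    *:80              *:*           users:(("nginx",pid=2001,fd=6),("nginx",pid=2000,fd=6))
tcp   LISTEN 0      128    [::]:22           [::]:*        users:(("sshd",pid=1234,fd=4))'

# Usage: ./listeners.sh --live   (parse the running host)
#        ./listeners.sh          (parse the embedded sample)
if [ "${1:-}" = "--live" ]; then
	ss -tulpn | listener_name_pid
else
	printf '%s\n' "$SAMPLE_SS" | listener_name_pid
fi
```

The same process appearing on two sockets (sshd on the IPv4 and IPv6 listener) is printed once, and both nginx workers are reported because each has its own pid, which the name-first approach above misses.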

Get all users with shell access:

#!/bin/bash
# Lists every account whose login shell is bash, sh or zsh; any other
# shell in use on the host has to be added to the awk condition.

mapfile -t usersArray < <(awk -F":" '($7=="/bin/bash"||$7=="/bin/sh"||$7=="/usr/bin/zsh"){print $1}' /etc/passwd)

echo "${usersArray[@]}"
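Hard-coding three shells means an account given /usr/bin/fish, /bin/ksh or a shell copied to an odd path is silently skipped. As an added example (not code from the original page or the author's repository), the function below generalises the check: every entry of /etc/shells counts as a login shell, an empty shell field is treated as /bin/sh the way login(1) does, and an account whose shell is neither a nologin/false stub nor listed in /etc/shells is reported on stderr, since that is exactly the kind of account worth a second look. The function name `interactive_users` and the sample passwd/shells files in the usage are mine; both file paths are parameters so copies pulled from another host can be checked offline.

```shell
#!/bin/sh
# Added example: list accounts with a valid login shell according to
# /etc/shells, and flag accounts whose shell is not listed there.
# interactive_users [passwd_file] [shells_file]
interactive_users() {
	passwd_file="${1:-/etc/passwd}"
	shells_file="${2:-/etc/shells}"
	awk -F':' '
		# First input file (/etc/shells): remember every valid shell,
		# skipping comments, blank lines and the no-login shells that some
		# distributions list there anyway.
		FILENAME == ARGV[1] {
			if ($0 ~ /^[ \t]*(#|$)/) next
			if ($0 ~ /(nologin|false)$/) next
			valid[$0] = 1
			next
		}
		# Second input file (/etc/passwd): field 7 is the login shell;
		# an empty field means /bin/sh to login(1).
		{ shell = ($7 == "") ? "/bin/sh" : $7 }
		(shell in valid) { print $1 ":" $3 ":" shell; next }
		shell !~ /(nologin|false)$/ {
			print "WARN shell not in /etc/shells: " $1 ":" $3 ":" shell > "/dev/stderr"
		}
	' "$shells_file" "$passwd_file"
}

# Stand-alone usage: ./shell-users.sh [passwd_file] [shells_file]
if [ -r "${1:-/etc/passwd}" ] && [ -r "${2:-/etc/shells}" ]; then
	interactive_users "$@"
fi
```

Output is `user:uid:shell`, one per line, so it can be diffed against an earlier snapshot of the same host; the warnings go to stderr so they are not lost in that diff.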

Gets a whole lot of info:

#!/bin/bash
# Quick host triage dump: processes, running services, cron jobs and
# listening sockets, separated so the output can be read or diffed later.

echo "RUNNING PROCESSES:"
echo "--------------"
ps aux    # BSD-style options take no leading dash
echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"

echo "RUNNING SERVICES:"
echo "--------------"
systemctl list-units --type=service --state=running
echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"

echo "CRONTAB:"
echo "--------------"
crontab -l    # only the invoking user's crontab
# other users' crontabs need root; system-wide jobs live in /etc/crontab and /etc/cron.d
for u in $(cut -d: -f1 /etc/passwd); do
	crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
done
cat /etc/crontab /etc/cron.d/* 2>/dev/null
echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"

echo "LISTENING TCP/UDP SOCKETS:"    # ss -tulpn shows listeners, not established connections
echo "--------------"
ss -tulpn
echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-"
https://github.com/F1shh-sec/BlueTeamTools/tree/main/scripts
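One long terminal dump is fine for a first look, but it cannot be handed to anyone else or compared with a later run. As an added example (not code from the original page or the author's repository), the script below performs the same collection as the "whole lot of info" script but writes each command's output to its own file in a timestamped directory, prefixes it with the host, time and exact command that produced it, keeps going and records the exit status when a collector is missing, and maintains a SHA-256 manifest so the snapshot can be verified before anyone relies on it. The function names `collect`, `snapshot` and `verify` and the `--run` flag are mine; it assumes coreutils `sha256sum` is available.

```shell
#!/bin/sh
# Added example: evidence-friendly version of the triage dump.
# Each collector's output lands in <outdir>/<label>.txt with a header,
# and every file is hashed into <outdir>/MANIFEST.sha256.

# collect <outdir> <label> <command...>
collect() {
	outdir="$1"; label="$2"; shift 2
	out="$outdir/$label.txt"
	{
		printf 'host: %s\ncollected: %s\ncommand: %s\n\n' \
			"$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"
		# keep going if a collector is missing or fails, but record it
		"$@" 2>&1 || printf '\n[command exited with status %s]\n' "$?"
	} > "$out"
	sha256sum "$out" >> "$outdir/MANIFEST.sha256"
}

# snapshot [outdir] -> creates the directory, runs the collectors, prints the path
snapshot() {
	outdir="${1:-/tmp/triage-$(date -u +%Y%m%dT%H%M%SZ)}"
	mkdir -p "$outdir"
	collect "$outdir" processes   ps aux
	collect "$outdir" services    systemctl list-units --type=service --state=running
	collect "$outdir" crontab     crontab -l
	collect "$outdir" system_cron sh -c 'cat /etc/crontab /etc/cron.d/* 2>/dev/null'
	collect "$outdir" sockets     ss -tulpn
	collect "$outdir" logins      last -a
	printf '%s\n' "$outdir"
}

# verify <outdir> -> succeeds only if every collected file still matches the manifest
verify() {
	sha256sum -c "$1/MANIFEST.sha256" >/dev/null
}

# Stand-alone usage: ./snapshot.sh --run [outdir]
if [ "${1:-}" = "--run" ]; then
	snapshot "${2:-}"
fi
```

Use an absolute output directory (the default under /tmp is one) so the paths recorded by `sha256sum` resolve wherever `verify` is later run; copying the directory elsewhere and re-running `sha256sum -c` from inside it works the same way.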