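def host_reverse_dns_lookup(host, use_dig=True):
    """Resolve the reverse-DNS (PTR) name of an IP address.

    Args:
        host: IP address. Anything ``is_ip`` rejects is not queried and
            yields ``''``; that guard is also what keeps an arbitrary
            string out of the command lines built below.
        use_dig: True -> ``dig +short -x`` (dig builds the in-addr.arpa /
            ip6.arpa name itself, so IPv6 addresses work too); False ->
            ``nmap -sL``, a list scan that does the reverse lookup without
            sending probes to the target.

    Returns:
        The PTR name with its trailing dot removed, or ``''`` when nothing
        resolved or dig only printed a ``;``-prefixed diagnostic.
    """
    cmd_nmap = 'nmap -Pn  -sL -oG - {}'
    # The original hand-built "<reversed ip>.in-addr.arpa. PTR" (IPv4 only)
    # and left this equivalent -x form as an unused local; -x covers both
    # address families.
    cmd_dig = 'dig +short -x {}'

    dns = ''
    if not is_ip(host):
        return dns
    if use_dig:
        output = run_process(cmd_dig.format(host))
        # Only the first answer is reported when several PTRs exist.
        if output:
            candidate = output[0].strip().strip('.')
            if candidate and not candidate.startswith(';'):
                dns = candidate
        return dns
    # Grepable list-scan output: "Host: <ip> (<name>)\tStatus: ..." -> five
    # whitespace tokens, the name wrapped in parentheses as the third one.
    for line in run_process(cmd_nmap.format(host)):
        tokens = line.split()
        if len(tokens) != 5 or tokens[0].strip().lower() != 'host:':
            continue
        candidate = tokens[2].strip('()')
        if candidate and not candidate.startswith(';'):
            dns = candidate
            break
    return dns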
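def host_services_detect(host, ports):
    """Run an nmap version scan (``-sV``) against the ports already found open.

    Args:
        host: scan target, formatted verbatim into the nmap command line.
        ports: port map as produced by ``host_port_discovery`` / ``rpc_info``
            (``{proto: {state: [port, ...]}}``); only the ``open`` tcp/udp
            entries are scanned.

    Returns:
        ``{ip: [(port, protocol, service, version), ...]}`` for every open
        port in nmap's grepable output. ``{}`` when ``ports`` is empty — the
        original returned ``[]`` there, an inconsistent type that broke
        callers iterating ``.items()``.

    NOTE(review): ``host`` is not validated in this function. If
    ``run_process`` hands the string to a shell, a target such as
    ``"x; id"`` is a command injection; check it with ``is_ip`` / a hostname
    pattern, or quote it, before formatting.
    """
    if not ports:
        return {}
    # Four templates so that an empty "T:" or "U:" list is never emitted.
    cmd_port_tu = 'nmap -n -Pn  -sTU -p T:{},U:{} -sV -oG - -oN - -vvvvv --packet-trace {}'
    cmd_port_t = 'nmap -n -Pn  -sT -p T:{} -sV -oG - -oN - -vvvvv --packet-trace {}'
    cmd_port_u = 'nmap -n -Pn  -sU -p U:{} -sV -oG - -oN - -vvvvv --packet-trace {}'
    cmd_empty = 'nmap -n -Pn  -sV -oG - -oN - -vvvvv --packet-trace {}'
    open_tcp_ports = get_ports(ports, 'open', 'tcp')
    open_udp_ports = get_ports(ports, 'open', 'udp')
    if open_tcp_ports and open_udp_ports:
        cmd = cmd_port_tu.format(','.join(open_tcp_ports),
                                 ','.join(open_udp_ports), host)
    elif open_tcp_ports:
        cmd = cmd_port_t.format(','.join(open_tcp_ports), host)
    elif open_udp_ports:
        cmd = cmd_port_u.format(','.join(open_udp_ports), host)
    else:
        cmd = cmd_empty.format(host)
    output = run_process(cmd)
    services = {}
    for line in output:
        # Grepable format:
        # "Host: <ip> ()\tPorts: <port>/<state>/<proto>//<service>//<version>/, ..."
        sp = line.split('Ports: ')
        if len(sp) != 2 or 'Host:' not in line:
            continue
        ip = sp[0].split()[1]
        for port_info in sp[1].split(','):
            fields = port_info.split('/')
            # A truncated or unexpected entry must not abort the whole parse
            # (the original indexed fields[1]/[6] unguarded -> IndexError).
            if len(fields) < 7 or fields[1].lower() != 'open':
                continue
            port = fields[0].strip()
            protocol = fields[2].strip()
            # nmap marks uncertain guesses with a trailing '?'; drop it.
            service = fields[4].strip('?').strip()
            version = fields[6].strip('?').strip()
            services.setdefault(ip, []).append(
                (port, protocol, service, version))
    return services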
def host_port_discovery(host, scan_all=False):
    """Discover open ports on ``host`` and group them by protocol and state.

    Args:
        host: scan target, formatted verbatim into the command line
            (NOTE(review): unvalidated here — quote or validate it if
            ``run_process`` runs through a shell).
        scan_all: False -> ``nmap -sSU -F`` (SYN + UDP scan of nmap's reduced
            port list); True -> masscan over every TCP and UDP port.

    Returns:
        ``{proto: {state: [port, ...]}}``. The masscan path only ever
        yields the ``open`` state; the nmap path keeps every state nmap
        reports (open, closed, filtered, open|filtered, ...).
    """
    cmd_nmap = 'nmap -n -Pn  -sSU -F -oG - -oN - -vvvvv --packet-trace {}'
    cmd_masscan = 'masscan -p0-65535,U:0-65535 -vvvvv {}'
    ports = {}

    if scan_all:
        marker = 'Discovered open port '
        for line in run_process(cmd_masscan.format(host)):
            if not line.startswith(marker):
                continue
            # "Discovered open port 22/tcp on 10.0.0.1"
            port_num, port_type = line.split(marker)[1].split()[0].split('/')
            ports.setdefault(port_type, {}).setdefault('open', []).append(port_num)
        return ports

    known_states = ('open', 'closed', 'filtered', 'open|filtered',
                    'closed|filtered', 'unfiltered')
    for line in run_process(cmd_nmap.format(host)):
        head_tail = line.split('Ports: ')
        if len(head_tail) != 2:
            continue
        # Without -sV each entry ends in "///", e.g. "22/open/tcp//ssh///";
        # splitting on that leaves "<port>/<state>/<proto>//<service>".
        for entry in head_tail[1].split('///'):
            fields = entry.strip(', ').split('/')
            if len(fields) != 5:
                continue
            port_num = fields[0]
            port_status = fields[1].lower()
            port_type = fields[2].lower()
            if port_type in ('tcp', 'udp') and port_status in known_states:
                ports.setdefault(port_type, {}).setdefault(port_status, []).append(port_num)
    return ports
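def host_services_detect(host, ports):
    """Run an nmap version scan (``-sV``) against the ports already found open.

    Args:
        host: scan target, formatted verbatim into the nmap command line.
        ports: port map as produced by ``host_port_discovery`` / ``rpc_info``
            (``{proto: {state: [port, ...]}}``); only the ``open`` tcp/udp
            entries are scanned.

    Returns:
        ``{ip: [(port, protocol, service, version), ...]}`` for every open
        port in nmap's grepable output. ``{}`` when ``ports`` is empty — the
        original returned ``[]`` there, an inconsistent type that broke
        callers iterating ``.items()``.

    NOTE(review): ``host`` is not validated in this function. If
    ``run_process`` hands the string to a shell, a target such as
    ``"x; id"`` is a command injection; check it with ``is_ip`` / a hostname
    pattern, or quote it, before formatting.
    """
    if not ports:
        return {}
    # Four templates so that an empty "T:" or "U:" list is never emitted.
    cmd_port_tu = 'nmap -n -Pn  -sTU -p T:{},U:{} -sV -oG - -oN - -vvvvv --packet-trace {}'
    cmd_port_t = 'nmap -n -Pn  -sT -p T:{} -sV -oG - -oN - -vvvvv --packet-trace {}'
    cmd_port_u = 'nmap -n -Pn  -sU -p U:{} -sV -oG - -oN - -vvvvv --packet-trace {}'
    cmd_empty = 'nmap -n -Pn  -sV -oG - -oN - -vvvvv --packet-trace {}'
    open_tcp_ports = get_ports(ports, 'open', 'tcp')
    open_udp_ports = get_ports(ports, 'open', 'udp')
    if open_tcp_ports and open_udp_ports:
        cmd = cmd_port_tu.format(','.join(open_tcp_ports), ','.join(open_udp_ports), host)
    elif open_tcp_ports:
        cmd = cmd_port_t.format(','.join(open_tcp_ports), host)
    elif open_udp_ports:
        cmd = cmd_port_u.format(','.join(open_udp_ports), host)
    else:
        cmd = cmd_empty.format(host)
    output = run_process(cmd)
    services = {}
    for line in output:
        # Grepable format:
        # "Host: <ip> ()\tPorts: <port>/<state>/<proto>//<service>//<version>/, ..."
        sp = line.split('Ports: ')
        if len(sp) != 2 or 'Host:' not in line:
            continue
        ip = sp[0].split()[1]
        for port_info in sp[1].split(','):
            fields = port_info.split('/')
            # A truncated or unexpected entry must not abort the whole parse
            # (the original indexed fields[1]/[6] unguarded -> IndexError).
            if len(fields) < 7 or fields[1].lower() != 'open':
                continue
            port = fields[0].strip()
            protocol = fields[2].strip()
            # nmap marks uncertain guesses with a trailing '?'; drop it.
            service = fields[4].strip('?').strip()
            version = fields[6].strip('?').strip()
            services.setdefault(ip, []).append((port, protocol, service, version))
    return services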
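def ssh_authentication_types_available_check(host, port=22):
    """Enumerate the authentication methods an SSH server offers.

    Connects with ``PreferredAuthentications=none`` so the server rejects
    the attempt at once and lists what it would have accepted, e.g.
    ``['publickey', 'password']``. No credentials are ever sent.

    Args:
        host: SSH server, formatted verbatim into the command line
            (NOTE(review): unvalidated — quote or validate it if
            ``run_process`` runs through a shell).
        port: TCP port, default 22.

    Returns:
        Ordered, de-duplicated list of method names; ``[]`` when no
        ``Permission denied (...)`` line was seen (host unreachable, no
        SSH banner, or the server accepted "none" authentication).

    ``UserKnownHostsFile=/dev/null`` keeps the probed targets' host keys out
    of the operator's ``~/.ssh/known_hosts`` (``StrictHostKeyChecking=no``
    alone would still record them there). The diagnostic lines come from
    ssh's stderr, so ``run_process`` is assumed to capture it — confirm.
    """
    cmd = ('ssh -vT -o PreferredAuthentications=none -o StrictHostKeyChecking=no '
           '-o UserKnownHostsFile=/dev/null {} -p {}')
    output = run_process(cmd.format(host, port))
    marker = 'Permission denied ('
    auth_types = []
    for line in output:
        line = line.strip()
        # Older OpenSSH prints "Permission denied (a,b)."; newer releases
        # prefix it with "user@host: ", so match anywhere in the line
        # instead of only at its start.
        if marker not in line:
            continue
        listed = line.split(marker, 1)[1].strip(').').split(',')
        for method in listed:
            method = method.strip()
            if method and method not in auth_types:
                auth_types.append(method)
    return auth_types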
def host_dns_wildcard(host):
    """Detect wildcard DNS by resolving ``*.host`` and a random subdomain.

    Args:
        host: domain name; IP addresses are skipped and yield ``[]``.

    Returns:
        ``(name, rtype, rdata)`` triples from the answer sections of both
        queries. Any answer for the random ``never_exist_xxxx`` label
        indicates wildcard resolution.

    NOTE(review): if ``run_process`` goes through a shell, the ``*.{}``
    template is a glob pattern and would be expanded should any file in the
    working directory match ``*.<host>``; passing an argv list or quoting
    the name removes the ambiguity. ``host`` itself is also interpolated
    unvalidated.
    """
    cmd_w = 'dig +noall +answer *.{}'
    cmd_r = 'dig +noall +answer {}.{}'
    wildcard_dns = []
    if is_ip(host):
        return wildcard_dns
    random_sub_domain = 'never_exist_{}'.format(generate_chars(4))
    # Same order as before: the wildcard query first, then the random label.
    answer_sets = (
        run_process(cmd_w.format(host)),
        run_process(cmd_r.format(random_sub_domain, host)),
    )
    for answers in answer_sets:
        for line in answers:
            if line.startswith((';', 'dig:')):
                continue
            fields = line.strip().split()
            if len(fields) < 4:
                continue
            # "<name> <ttl> <class> <type> <rdata...>"
            wildcard_dns.append((fields[0], fields[3], " ".join(fields[4:])))
    return wildcard_dns
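def ssh_authentication_types_available_check(host, port=22):
    """Enumerate the authentication methods an SSH server offers.

    Connects with ``PreferredAuthentications=none`` so the server rejects
    the attempt at once and lists what it would have accepted, e.g.
    ``['publickey', 'password']``. No credentials are ever sent.

    Args:
        host: SSH server, formatted verbatim into the command line
            (NOTE(review): unvalidated — quote or validate it if
            ``run_process`` runs through a shell).
        port: TCP port, default 22.

    Returns:
        Ordered, de-duplicated list of method names; ``[]`` when no
        ``Permission denied (...)`` line was seen (host unreachable, no
        SSH banner, or the server accepted "none" authentication).

    ``UserKnownHostsFile=/dev/null`` keeps the probed targets' host keys out
    of the operator's ``~/.ssh/known_hosts`` (``StrictHostKeyChecking=no``
    alone would still record them there). The diagnostic lines come from
    ssh's stderr, so ``run_process`` is assumed to capture it — confirm.
    """
    cmd = ('ssh -vT -o PreferredAuthentications=none -o StrictHostKeyChecking=no '
           '-o UserKnownHostsFile=/dev/null {} -p {}')
    output = run_process(cmd.format(host, port))
    marker = 'Permission denied ('
    auth_types = []
    for line in output:
        line = line.strip()
        # Older OpenSSH prints "Permission denied (a,b)."; newer releases
        # prefix it with "user@host: ", so match anywhere in the line
        # instead of only at its start.
        if marker not in line:
            continue
        listed = line.split(marker, 1)[1].strip(').').split(',')
        for method in listed:
            method = method.strip()
            if method and method not in auth_types:
                auth_types.append(method)
    return auth_types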
def ftp_anonymous_access_check(host, port=21):
    """Check whether an FTP server accepts anonymous logins (nmap ``ftp-anon``).

    Args:
        host: FTP server; formatted verbatim into the command line
            (NOTE(review): unvalidated — quote or validate it if
            ``run_process`` runs through a shell).
        port: FTP port, default 21.

    Returns:
        ``(allowed, lines)``: ``allowed`` is True when the script reported
        "Anonymous FTP login allowed"; ``lines`` is the output from that
        verdict line up to, but not including, the last output line
        (presumably nmap's trailing summary), or ``[]`` otherwise.
    """
    cmd = 'nmap -Pn -n  -p{} --script=ftp-anon {}'
    output = run_process(cmd.format(port, host))
    marker = '| ftp-anon: Anonymous FTP login allowed'
    for position, line in enumerate(output):
        if line.startswith(marker):
            # The script's directory listing follows the verdict line.
            return True, output[position:-1]
    return False, []
def ftp_anonymous_access_check(host, port=21):
    """Check whether an FTP server accepts anonymous logins (nmap ``ftp-anon``).

    Args:
        host: FTP server; formatted verbatim into the command line
            (NOTE(review): unvalidated — quote or validate it if
            ``run_process`` runs through a shell).
        port: FTP port, default 21.

    Returns:
        ``(allowed, lines)``: ``allowed`` is True when the script reported
        "Anonymous FTP login allowed"; ``lines`` is the output from that
        verdict line up to, but not including, the last output line
        (presumably nmap's trailing summary), or ``[]`` otherwise.
    """
    cmd = 'nmap -Pn -n  -p{} --script=ftp-anon {}'
    output = run_process(cmd.format(port, host))
    marker = '| ftp-anon: Anonymous FTP login allowed'
    for position, line in enumerate(output):
        if line.startswith(marker):
            # The script's directory listing follows the verdict line.
            return True, output[position:-1]
    return False, []
def host_name_server(host):
    """Return the name servers (NS records) of a domain via ``dig +short``.

    Args:
        host: domain name. IP addresses are not queried and yield ``[]``,
            which also keeps unvalidated input off the command line.

    Returns:
        Server names with their trailing dot removed; dig diagnostics
        (``;``-prefixed lines) and blank lines are dropped.
    """
    cmd = 'dig +short NS {}'
    if is_ip(host):
        return []
    answers = (line.strip().strip('.')
               for line in run_process(cmd.format(host))
               if not line.startswith(';'))
    return [name for name in answers if name]
def host_dns_lookup(host):
    """Resolve a domain name to the IP addresses ``dig +short`` returns.

    Args:
        host: domain name. An IP address is returned as ``[]`` rather than
            resolved, which also keeps unvalidated input off the command
            line.

    Returns:
        Every output line that ``is_ip`` accepts, in answer order. Lines
        that are not addresses (CNAME targets in the chain, ``;``-prefixed
        dig diagnostics) are left out.
    """
    cmd = 'dig +short {}'
    if is_ip(host):
        return []
    answers = (line.strip() for line in run_process(cmd.format(host)))
    return [answer for answer in answers
            if not answer.startswith(';') and is_ip(answer)]
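def get_name_server_bind_version(ns):
    """Query the CHAOS-class ``version.bind`` TXT record of a name server.

    Args:
        ns: name server to ask, a hostname or an IP address — ``dig @server``
            accepts both. The original returned the input unchanged whenever
            it was an IP address, handing callers an address in place of a
            version string; it is now queried like any other server.

    Returns:
        The first non-diagnostic output line, typically the quoted version
        string (e.g. ``"9.16.1"``), or ``''`` when the server refuses,
        hides or does not answer the query.

    NOTE(review): the returned text is chosen by the remote operator —
    treat it as untrusted data (escape before rendering, never feed it to a
    shell). ``ns`` is formatted into the command unvalidated; quote or
    validate it if ``run_process`` runs through a shell.
    """
    cmd = 'dig +short chaos txt version.bind  @{}'
    for line in run_process(cmd.format(ns)):
        # ';'-prefixed lines are dig diagnostics (timeouts, REFUSED, ...).
        if line.startswith((';', 'dig:')):
            continue
        version = line.strip()
        if version:
            return version
    return ''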
def host_dns_check_allow_recursion(host, ns=None):
    """Return the name servers of ``host`` that advertise recursion.

    A server answering with the ``ra`` (recursion available) flag set will
    resolve arbitrary names for anyone who can reach it — an open resolver,
    usable for amplification and cache-poisoning attempts.

    Args:
        host: domain whose name servers are checked when ``ns`` is not given.
        ns: explicit list of name servers; each is formatted verbatim into
            the dig command (NOTE(review): unvalidated — quote or validate
            if ``run_process`` runs through a shell).

    Returns:
        The subset of ``ns`` whose ``;; flags:`` line contains ``ra``.
    """
    cmd = 'dig any @{}'
    servers = ns or host_name_server(host)
    recursive = []
    for server in servers:
        for line in run_process(cmd.format(server)):
            if not line.startswith(';; flags:'):
                continue
            # ";; flags: qr rd ra; QUERY: 1, ..." -> ['qr', 'rd', 'ra']
            flags = line.split(';')[2].split()[1:]
            if 'ra' in flags:
                recursive.append(server)
    return recursive
def host_dns_any_query(host):
    """Fetch every record type ``dig ANY`` returns for a domain.

    Args:
        host: domain name; IP addresses are skipped and yield ``[]``.

    Returns:
        ``(name, rtype, rdata)`` triples parsed from the answer lines.
        Note that many resolvers answer ANY minimally or not at all, so an
        empty result does not mean the zone has no records.
    """
    cmd = 'dig +nocomments +nostats +nocmd +noquestion  any {}'
    if is_ip(host):
        return []
    records = []
    for line in run_process(cmd.format(host)):
        if line.startswith((';', 'dig:')):
            continue
        fields = line.strip().split()
        if len(fields) < 4:
            continue
        # "<name> <ttl> <class> <type> <rdata...>"
        records.append((fields[0], fields[3], " ".join(fields[4:])))
    return records
def host_dnssec(host):
    """Return the DNSKEY records of a domain, i.e. whether it publishes DNSSEC keys.

    Args:
        host: domain name; IP addresses are skipped and yield ``[]``.

    Returns:
        ``(name, 'DNSKEY', rdata)`` triples — only answer lines whose type
        column is ``DNSKEY`` are kept. Presence of keys alone does not prove
        the zone is validly signed (no DS/chain check is done here).
    """
    cmd = 'dig +nocomments +nostats +nocmd +noquestion -t dnskey {}'
    if is_ip(host):
        return []
    keys = []
    for line in run_process(cmd.format(host)):
        if line.startswith((';', 'dig:')):
            continue
        fields = line.strip().split()
        # "<name> <ttl> <class> <type> <rdata...>"
        if len(fields) >= 4 and fields[3].lower() == 'dnskey':
            keys.append((fields[0], fields[3], " ".join(fields[4:])))
    return keys
def host_dns_zone_transfer(host, ns=None):
    """Attempt an AXFR zone transfer of ``host`` from each of its name servers.

    A server that answers is misconfigured: it discloses the whole zone to
    anyone. Servers that refuse print only ``;``-prefixed diagnostics
    (``; Transfer failed.``), which are skipped.

    Args:
        host: zone to transfer. Unlike the other dig helpers there is no
            ``is_ip`` guard here; ``host`` and every server name are
            formatted verbatim into the command (NOTE(review): quote or
            validate them if ``run_process`` runs through a shell).
        ns: name servers to ask; looked up with ``host_name_server`` when
            omitted.

    Returns:
        ``(name, rtype, rdata)`` triples for every record received, across
        all servers.
    """
    cmd = 'dig @{} {} axfr'
    servers = ns or host_name_server(host)
    records = []
    for server in servers:
        for line in run_process(cmd.format(server, host)):
            if line.startswith((';', 'dig:')):
                continue
            fields = line.strip().split()
            if len(fields) < 4:
                continue
            # "<name> <ttl> <class> <type> <rdata...>"
            records.append((fields[0], fields[3], " ".join(fields[4:])))
    return records
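def host_list(host):
    """Split a whitespace-separated target string into concrete IPs and domains.

    Addresses and ranges/CIDRs are expanded with ``nmap -sL`` (a list scan:
    nmap enumerates the targets without probing them); every token that
    ``is_ip`` / ``is_ip_range`` reject is passed back as a domain name.

    Args:
        host: whitespace-separated targets, e.g. ``"10.0.0.0/30 example.com"``.

    Returns:
        ``(single_ips, domains)`` — each address nmap listed, and the
        non-address tokens in input order. ``([], [])`` for empty input.

    Only tokens that passed the address checks reach the nmap command
    line. The ``domains`` are returned unvalidated and presumably end up in
    other shell commands — validate them before use.
    """
    # @todo, don't use nmap, move to utility
    cmd = 'nmap -Pn -sn -n  -sL -oG - -oN - -vvvvv --packet-trace {}'
    sep_ips = []
    domains = []
    for token in host.split():
        if is_ip(token) or is_ip_range(token):
            sep_ips.append(token)
        else:
            domains.append(token)
    single_ips = []
    # With no targets nmap would only print a "no targets" warning; the
    # original spawned it anyway. Skip the process instead.
    if sep_ips:
        for line in run_process(cmd.format(" ".join(sep_ips)), console=False):
            # Grepable: "Host: <ip> ()\tStatus: ..."
            if line.lower().startswith('host:'):
                single_ips.append(line.split()[1])
    return single_ips, domains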
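def host_list(host):
    """Split a whitespace-separated target string into concrete IPs and domains.

    Addresses and ranges/CIDRs are expanded with ``nmap -sL`` (a list scan:
    nmap enumerates the targets without probing them); every token that
    ``is_ip`` / ``is_ip_range`` reject is passed back as a domain name.

    Args:
        host: whitespace-separated targets, e.g. ``"10.0.0.0/30 example.com"``.

    Returns:
        ``(single_ips, domains)`` — each address nmap listed, and the
        non-address tokens in input order. ``([], [])`` for empty input.

    Only tokens that passed the address checks reach the nmap command
    line. The ``domains`` are returned unvalidated and presumably end up in
    other shell commands — validate them before use.
    """
    # @todo, don't use nmap, move to utility
    cmd = 'nmap -Pn -sn -n  -sL -oG - -oN - -vvvvv --packet-trace {}'
    sep_ips = []
    domains = []
    for token in host.split():
        if is_ip(token) or is_ip_range(token):
            sep_ips.append(token)
        else:
            domains.append(token)
    single_ips = []
    # With no targets nmap would only print a "no targets" warning; the
    # original spawned it anyway. Skip the process instead.
    if sep_ips:
        for line in run_process(cmd.format(" ".join(sep_ips)), console=False):
            # Grepable: "Host: <ip> ()\tStatus: ..."
            if line.lower().startswith('host:'):
                single_ips.append(line.split()[1])
    return single_ips, domains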
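def rpc_info(host):
    """List the RPC programs registered with ``host``'s portmapper (``rpcinfo -p``).

    Args:
        host: portmapper host, formatted verbatim into the command
            (NOTE(review): unvalidated — quote or validate it if
            ``run_process`` runs through a shell).

    Returns:
        ``(info, ports)``. ``info`` is a list of
        ``(program, vers, proto, port, service)`` tuples; ``service`` is
        ``''`` for programs that rpcinfo cannot name (it leaves the column
        blank for numbers absent from the local rpc database, giving a
        four-column line). ``ports`` is ``{proto: {'open': [port, ...]}}``
        without duplicates. Always a tuple: the original returned ``None``
        on the first line that did not have exactly five columns, which
        crashed callers unpacking the result.
    """
    cmd = 'rpcinfo -p {}'
    header = 'program vers proto   port  service'
    info = []
    ports = {}
    output = run_process(cmd.format(host))
    # Anything other than the column header on the first line means rpcinfo
    # failed (host unreachable, portmapper filtered) and printed an error.
    if not output or not output[0].strip().startswith(header):
        return info, ports
    for line in output[1:]:
        fields = line.strip().split()
        if len(fields) == 4:
            fields.append('')   # unnamed program: no service column
        elif len(fields) != 5:
            continue            # skip odd lines instead of aborting
        program, vers, proto, port, service = fields
        info.append((program, vers, proto, port, service))
        open_ports = ports.setdefault(proto, {}).setdefault('open', [])
        if port not in open_ports:
            open_ports.append(port)
    return info, ports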
def host_port_discovery(host, scan_all=False):
    """Discover open ports on ``host`` and group them by protocol and state.

    Args:
        host: scan target, formatted verbatim into the command line
            (NOTE(review): unvalidated here — quote or validate it if
            ``run_process`` runs through a shell).
        scan_all: False -> ``nmap -sSU -F`` (SYN + UDP scan of nmap's reduced
            port list); True -> masscan over every TCP and UDP port.

    Returns:
        ``{proto: {state: [port, ...]}}``. The masscan path only ever
        yields the ``open`` state; the nmap path keeps every state nmap
        reports (open, closed, filtered, open|filtered, ...).
    """
    cmd_nmap = 'nmap -n -Pn  -sSU -F -oG - -oN - -vvvvv --packet-trace {}'
    cmd_masscan = 'masscan -p0-65535,U:0-65535 -vvvvv {}'
    ports = {}

    if scan_all:
        marker = 'Discovered open port '
        for line in run_process(cmd_masscan.format(host)):
            if not line.startswith(marker):
                continue
            # "Discovered open port 22/tcp on 10.0.0.1"
            port_num, port_type = line.split(marker)[1].split()[0].split('/')
            ports.setdefault(port_type, {}).setdefault('open', []).append(port_num)
        return ports

    known_states = ('open', 'closed', 'filtered', 'open|filtered',
                    'closed|filtered', 'unfiltered')
    for line in run_process(cmd_nmap.format(host)):
        head_tail = line.split('Ports: ')
        if len(head_tail) != 2:
            continue
        # Without -sV each entry ends in "///", e.g. "22/open/tcp//ssh///";
        # splitting on that leaves "<port>/<state>/<proto>//<service>".
        for entry in head_tail[1].split('///'):
            fields = entry.strip(', ').split('/')
            if len(fields) != 5:
                continue
            port_num = fields[0]
            port_status = fields[1].lower()
            port_type = fields[2].lower()
            if port_type in ('tcp', 'udp') and port_status in known_states:
                ports.setdefault(port_type, {}).setdefault(port_status, []).append(port_num)
    return ports
def check_host_is_up(host, fast=True):
    """Host discovery with nmap (``-sn``); return the addresses reported Up.

    Args:
        host: one target string or a list of targets (joined with spaces);
            formatted verbatim into the command line (NOTE(review):
            unvalidated — quote or validate if ``run_process`` runs through
            a shell).
        fast: True -> nmap's default discovery probes. False -> a wider set
            (ICMP echo ``-PE``, TCP SYN ``-PS`` / ACK ``-PA``, UDP ``-PU``
            and SCTP INIT ``-PY`` on common ports) for hosts that drop the
            defaults. Neither template passes ``-Pn``, so discovery really
            runs.

    Returns:
        IPs whose grepable line ``"Host: <ip> ()\\tStatus: Up"`` was seen.
    """
    cmd_f = 'nmap -n -sn -oG - -oN - -vvvvv --packet-trace {}'
    cmd_s = 'nmap -n -sn -PU53,161,162,40125 -PE -PS21-25,80,113,1050,35000,8000,8080,8081,3389,2323,2222,666,1336 ' \
            '-PA21-25,80,113,1050,35000,8000,8080,8081,3389,2323,2222,666,1336 -PY22,80,179,5060 ' \
            '-oG - -oN - -vvvvv --packet-trace {}'

    targets = " ".join(host) if isinstance(host, list) else host
    template = cmd_f if fast else cmd_s
    up = []
    for line in run_process(template.format(targets)):
        fields = line.split()
        # "Host: 10.0.0.1 ()\tStatus: Up" splits into exactly five tokens.
        if len(fields) == 5 and fields[-1].lower() == 'up':
            up.append(fields[1])
    return up
def check_host_is_up(host, fast=True):
    """Host discovery with nmap (``-sn``); return the addresses reported Up.

    Args:
        host: one target string or a list of targets (joined with spaces);
            formatted verbatim into the command line (NOTE(review):
            unvalidated — quote or validate if ``run_process`` runs through
            a shell).
        fast: True -> nmap's default discovery probes. False -> a wider set
            (ICMP echo ``-PE``, TCP SYN ``-PS`` / ACK ``-PA``, UDP ``-PU``
            and SCTP INIT ``-PY`` on common ports) for hosts that drop the
            defaults. Neither template passes ``-Pn``, so discovery really
            runs.

    Returns:
        IPs whose grepable line ``"Host: <ip> ()\\tStatus: Up"`` was seen.
    """
    cmd_f = 'nmap -n -sn -oG - -oN - -vvvvv --packet-trace {}'
    cmd_s = 'nmap -n -sn -PU53,161,162,40125 -PE -PS21-25,80,113,1050,35000,8000,8080,8081,3389,2323,2222,666,1336 ' \
            '-PA21-25,80,113,1050,35000,8000,8080,8081,3389,2323,2222,666,1336 -PY22,80,179,5060 ' \
            '-oG - -oN - -vvvvv --packet-trace {}'

    targets = " ".join(host) if isinstance(host, list) else host
    template = cmd_f if fast else cmd_s
    up = []
    for line in run_process(template.format(targets)):
        fields = line.split()
        # "Host: 10.0.0.1 ()\tStatus: Up" splits into exactly five tokens.
        if len(fields) == 5 and fields[-1].lower() == 'up':
            up.append(fields[1])
    return up
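def rpc_info(host):
    """List the RPC programs registered with ``host``'s portmapper (``rpcinfo -p``).

    Args:
        host: portmapper host, formatted verbatim into the command
            (NOTE(review): unvalidated — quote or validate it if
            ``run_process`` runs through a shell).

    Returns:
        ``(info, ports)``. ``info`` is a list of
        ``(program, vers, proto, port, service)`` tuples; ``service`` is
        ``''`` for programs that rpcinfo cannot name (it leaves the column
        blank for numbers absent from the local rpc database, giving a
        four-column line). ``ports`` is ``{proto: {'open': [port, ...]}}``
        without duplicates. Always a tuple: the original returned ``None``
        on the first line that did not have exactly five columns, which
        crashed callers unpacking the result.
    """
    cmd = 'rpcinfo -p {}'
    header = 'program vers proto   port  service'
    info = []
    ports = {}
    output = run_process(cmd.format(host))
    # Anything other than the column header on the first line means rpcinfo
    # failed (host unreachable, portmapper filtered) and printed an error.
    if not output or not output[0].strip().startswith(header):
        return info, ports
    for line in output[1:]:
        fields = line.strip().split()
        if len(fields) == 4:
            fields.append('')   # unnamed program: no service column
        elif len(fields) != 5:
            continue            # skip odd lines instead of aborting
        program, vers, proto, port, service = fields
        info.append((program, vers, proto, port, service))
        open_ports = ports.setdefault(proto, {}).setdefault('open', [])
        if port not in open_ports:
            open_ports.append(port)
    return info, ports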
def host_whois(host):
    """Extract a few registry fields from ``whois`` output.

    Args:
        host: IP or domain, formatted verbatim into the command line
            (NOTE(review): unvalidated — quote or validate it if
            ``run_process`` runs through a shell).

    Returns:
        Dict with whichever of ``net_range`` (a ``(start, end)`` tuple from
        ``inetnum:`` / ``netrange:``), ``net_name``, ``description``,
        ``person``, ``fax_number``, ``phone``, ``country``, ``city`` and
        ``address`` (all ``address:`` lines joined) appeared. Every line is
        lower-cased before parsing, so the values are lower-case too; when a
        field repeats, the last occurrence wins. Registry data is
        attacker-influenced text — escape it before rendering.
    """
    cmd = 'whois {}'
    output = run_process(cmd.format(host))
    # Single-value fields: "<prefix>" -> result key.
    simple_fields = {
        'netname:': 'net_name',
        'descr:': 'description',
        'person:': 'person',
        'fax-no:': 'fax_number',
        'phone:': 'phone',
        'country:': 'country',
        'city:': 'city',
    }
    whois = {}
    address_parts = []
    for raw in output:
        line = raw.lower()
        tokens = line.split()
        if line.startswith(('inetnum:', 'netrange:')):
            # "inetnum: 10.0.0.0 - 10.0.0.255" -> first and last token
            whois['net_range'] = tokens[1], tokens[-1]
            continue
        if line.startswith('address:'):
            address_parts.append(" ".join(tokens[1:]))
            continue
        for prefix, key in simple_fields.items():
            if line.startswith(prefix):
                whois[key] = " ".join(tokens[1:])
                break

    if address_parts:
        whois['address'] = " ".join(address_parts).strip()

    return whois
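def host_os_detect(host, ports):
    """Fingerprint the target OS with ``nmap -O`` using known port states.

    nmap's OS detection works best with at least one open and one closed
    TCP port, so the scan list is every open port plus up to five closed
    ones per protocol.

    Args:
        host: scan target, formatted verbatim into the command line
            (NOTE(review): unvalidated — quote or validate it if
            ``run_process`` runs through a shell).
        ports: ``{proto: {state: [port, ...]}}`` map as produced by
            ``host_port_discovery``; any state may be missing.

    Returns:
        Dict with whichever of ``running``, ``cpe``, ``os``, ``guessing`` and
        ``aggressive_guessing`` nmap reported. Each value is the list
        ``str.split`` yields after the line prefix (normally one string),
        kept in that shape for existing callers.
    """
    cmd_port_tu = 'nmap -n -Pn -sTU -p T:{},U:{} -O -oG - -oN - -vvvvv --packet-trace {}'
    cmd_port_t = 'nmap -n -Pn -sT -p T:{} -O -oG - -oN - -vvvvv --packet-trace {}'
    cmd_port_u = 'nmap -n -Pn -sU -p U:{} -O -oG - -oN - -vvvvv --packet-trace {}'
    # "-oN -" added for consistency with the three templates above: the
    # "Running:" / "OS CPE:" / "Aggressive OS guesses:" prefixes parsed
    # below belong to nmap's normal output, which the original no-port
    # template did not request.
    cmd_empty = 'nmap -n -Pn -O -oG - -oN - -vvvvv --packet-trace {}'
    # The "or []" on the open lists suggests get_ports can return a falsy
    # non-list for an unseen state; the original slice on the closed lists
    # was unguarded and would have raised on None.
    open_tcp_ports = get_ports(ports, 'open', 'tcp') or []
    open_udp_ports = get_ports(ports, 'open', 'udp') or []
    close_tcp_ports = get_ports(ports, 'closed', 'tcp') or []
    close_udp_ports = get_ports(ports, 'closed', 'udp') or []
    tcp_ports = open_tcp_ports + close_tcp_ports[:5]
    udp_ports = open_udp_ports + close_udp_ports[:5]
    if tcp_ports and udp_ports:
        cmd = cmd_port_tu.format(','.join(tcp_ports), ','.join(udp_ports),
                                 host)
    elif tcp_ports:
        cmd = cmd_port_t.format(','.join(tcp_ports), host)
    elif udp_ports:
        cmd = cmd_port_u.format(','.join(udp_ports), host)
    else:
        cmd = cmd_empty.format(host)
    output = run_process(cmd)
    # Renamed from "os": a local named os shadows the stdlib module.
    os_info = {}
    prefixes = (
        ('Running: ', 'running'),
        ('OS CPE: ', 'cpe'),
        ('Running (JUST GUESSING): ', 'guessing'),
        ('Aggressive OS guesses: ', 'aggressive_guessing'),
    )
    for line in output:
        if line.startswith('OS: '):
            # Keep a separator in front of "OS details:" when both pieces
            # share a line, as the original did.
            line = line.replace('OS details:', ' OS details:')
            os_info['os'] = line.split('OS: ')[1:]
            continue
        for prefix, key in prefixes:
            if line.startswith(prefix):
                os_info[key] = line.split(prefix)[1:]
                break
    return os_info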
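def host_os_detect(host, ports):
    """Fingerprint the target OS with ``nmap -O`` using known port states.

    nmap's OS detection works best with at least one open and one closed
    TCP port, so the scan list is every open port plus up to five closed
    ones per protocol.

    Args:
        host: scan target, formatted verbatim into the command line
            (NOTE(review): unvalidated — quote or validate it if
            ``run_process`` runs through a shell).
        ports: ``{proto: {state: [port, ...]}}`` map as produced by
            ``host_port_discovery``; any state may be missing.

    Returns:
        Dict with whichever of ``running``, ``cpe``, ``os``, ``guessing`` and
        ``aggressive_guessing`` nmap reported. Each value is the list
        ``str.split`` yields after the line prefix (normally one string),
        kept in that shape for existing callers.
    """
    cmd_port_tu = 'nmap -n -Pn -sTU -p T:{},U:{} -O -oG - -oN - -vvvvv --packet-trace {}'
    cmd_port_t = 'nmap -n -Pn -sT -p T:{} -O -oG - -oN - -vvvvv --packet-trace {}'
    cmd_port_u = 'nmap -n -Pn -sU -p U:{} -O -oG - -oN - -vvvvv --packet-trace {}'
    # "-oN -" added for consistency with the three templates above: the
    # "Running:" / "OS CPE:" / "Aggressive OS guesses:" prefixes parsed
    # below belong to nmap's normal output, which the original no-port
    # template did not request.
    cmd_empty = 'nmap -n -Pn -O -oG - -oN - -vvvvv --packet-trace {}'
    # The "or []" on the open lists suggests get_ports can return a falsy
    # non-list for an unseen state; the original slice on the closed lists
    # was unguarded and would have raised on None.
    open_tcp_ports = get_ports(ports, 'open', 'tcp') or []
    open_udp_ports = get_ports(ports, 'open', 'udp') or []
    close_tcp_ports = get_ports(ports, 'closed', 'tcp') or []
    close_udp_ports = get_ports(ports, 'closed', 'udp') or []
    tcp_ports = open_tcp_ports + close_tcp_ports[:5]
    udp_ports = open_udp_ports + close_udp_ports[:5]
    if tcp_ports and udp_ports:
        cmd = cmd_port_tu.format(','.join(tcp_ports), ','.join(udp_ports), host)
    elif tcp_ports:
        cmd = cmd_port_t.format(','.join(tcp_ports), host)
    elif udp_ports:
        cmd = cmd_port_u.format(','.join(udp_ports), host)
    else:
        cmd = cmd_empty.format(host)
    output = run_process(cmd)
    # Renamed from "os": a local named os shadows the stdlib module.
    os_info = {}
    prefixes = (
        ('Running: ', 'running'),
        ('OS CPE: ', 'cpe'),
        ('Running (JUST GUESSING): ', 'guessing'),
        ('Aggressive OS guesses: ', 'aggressive_guessing'),
    )
    for line in output:
        if line.startswith('OS: '):
            # Keep a separator in front of "OS details:" when both pieces
            # share a line, as the original did.
            line = line.replace('OS details:', ' OS details:')
            os_info['os'] = line.split('OS: ')[1:]
            continue
        for prefix, key in prefixes:
            if line.startswith(prefix):
                os_info[key] = line.split(prefix)[1:]
                break
    return os_info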