def resolve(self): """ start resolve """ start_time = datetime.now() print 'Subdomain scan started' fmt = "{:60}{:20}" print print fmt.format('fqdn', 'ip') print '-' * 80 for success, hostname, ip in self.tuples.tuple_q: if success: print fmt.format(hostname, ip) if self.dbh: self.dbh.add(ccd.DnsscanResult(ip=ip, fqdn=hostname)) self.tuples.join() while True: try: dom = check_wildcard.wc_hosts.get(False, 0.1) print 'Wildcard enabled: %s' % dom except Queue.Empty: break print("\nfinished in %fs" % cUtil.secs(start_time))
def start(self): start_time = datetime.now() print 'Bruteforcing http_basic logins ...' row_fmt = '{:20}{:20}{:>40}' print '-' * 80 print row_fmt.format('username', 'password', 'uri') print '-' * 80 #time.sleep(10) for status, user, passw, mark in self.tuples.tuple_q: if status != 401: print(row_fmt.format(passw, user, mark.hostname + mark.path)) # now, store result entry in data if self.dbhandler: br = ccd.HttpBruteforceResult( ip=mark.ip, fqdn=mark.hostname, path=mark.path, port=mark.port, user=user, password=passw, ) self.dbhandler.add(br) self.tuples.join() print '-' * 80 print 'Finished in %f seconds' % cUtil.secs(start_time)
def start(self): start = datetime.now() row_fmt = "{:>9}{:>8}{:>8}{:>8}{:>16}" for ip, port, reply in self.tuples.tuple_q: print '-' * len(ip) print ip print '-' * len(ip) print row_fmt.format('program', 'vers', 'proto', 'port', 'service') print '' for program in reply: print row_fmt.format( str(program[0]), str(program[1]), cRpc.RPROTO[str(program[2])], str(program[3]), str(program[4]) ) if self.dbh: br = ccd.RpcinfoResult( ip=ip, port=int(program[3]), program=program[4], program_id=int(program[0]), version=int(program[1]), protocol=cRpc.RPROTO[str(program[2])], ) self.dbh.add(br) print 'Finished in %f seconds' % cUtil.secs(start)
def start(self): start = datetime.now() row_fmt = "{:>9}{:>8}{:>8}{:>8}{:>16}" for ip, port, reply in self.tuples.tuple_q: print '-' * len(ip) print ip print '-' * len(ip) print row_fmt.format('program', 'vers', 'proto', 'port', 'service') print '' for program in reply: print row_fmt.format(str(program[0]), str(program[1]), cRpc.RPROTO[str(program[2])], str(program[3]), str(program[4])) if self.dbh: br = ccd.RpcinfoResult( ip=ip, port=int(program[3]), program=program[4], program_id=int(program[0]), version=int(program[1]), protocol=cRpc.RPROTO[str(program[2])], ) self.dbh.add(br) print 'Finished in %f seconds' % cUtil.secs(start)
def scan(self): start = datetime.now() # read robots.txt self.read_robots() self.out_q = Queue.Queue() self.tasks_waiting = 0 for path in self.known_paths: self.make_new_paths(path, 1) self.threads = [ DirWorker(self.in_q, self.out_q, self.base_url, self.wait) for _ in range(self.nthreads) ] for t in self.threads: t.setDaemon(True) t.start() self._printResults() print '-' * 80 print 'Finished in %fseconds' % cUtil.secs(start)
def scan(self): self.results = {} start = datetime.now() self.tuples = cTuples.cTuples(inputs=[self.ig_targets, self.ig_tests], prep_callback=db_test.test) #self.tuples.setDaemon(True) self.tuples.start() self.ig_tests.start() self.ig_targets.start() for status, mark, result in self.tuples.tuple_q: if status: try: self.results[mark.ident].append(result) except KeyError: self.results[mark.ident] = [] self.results[mark.ident].append(result) self._add_mark(mark) message, nikto_id, request, response, osvdb, method, uri = result self._add_vulnerability( mark, message, nikto_id, request, response, osvdb, method, uri ) self.tuples.join() print 'Finished in %f seconds' % cUtil.secs(start)
def resolve(self): """ start resolve """ start_time = datetime.now() print 'Subdomain scan started' fmt = "{:60}{:20}" print print fmt.format('fqdn', 'ip') print '-' * 80 for success, hostname, ip in self.tuples.tuple_q: if success: print fmt.format(hostname, ip) if self.dbh: self.dbh.add(ccd.DnsscanResult( ip=ip, fqdn=hostname) ) self.tuples.join() while True: try: dom = check_wildcard.wc_hosts.get(False, 0.1) print 'Wildcard enabled: %s' % dom except Queue.Empty: break print("\nfinished in %fs" % cUtil.secs(start_time))
def start(self): start_time = datetime.now() print 'Pop bruteforce started' print '-' * 80 print 'Logins' print '-' * 80 row_fmt = "{:20}{:20}{:>40}" for username, password in self.tuples.tuple_q: print row_fmt.format(password, username, self.host + ':' + str(self.port), '') self.save_result(username, password) self.tuples.join() print("\nfinished in %fs" % cUtil.secs(start_time))
def resolve(self): """ Create threads, set up task queue and start resolving. """ logger.debug("Starting resolve") start_time = datetime.now() fmt = '{:20}{:60}' for ip, hostname in self.tuples.tuple_q: print fmt.format(ip, hostname) if self.dbh: self.dbh.add(ccd.DnsscanResult(ip=ip, fqdn=hostname)) self.tuples.join() print("\nfinished in %fs" % cUtil.secs(start_time))
def start(self): start_time = datetime.now() for target, username in self.tuples.tuple_q: print('Found user %s@%s:%d' % (username, target[0], int(target[1]))) # now, store result entry in data if self.dbhandler: br = ccd.SmtpUserEnumResult(ip=target[0], port=int(target[1]), username=username, command=testusername.command) self.dbhandler.add(br) self.tuples.join() print("\nfinished in %fs" % cUtil.secs(start_time))
def transfer(self): print 'Starting Zonetransfers' start = datetime.now() ntrans = 0 nfailed = 0 failed = [] for success, zone, tr in self.tuples.tuple_q: if success: ntrans += 1 for server, data in tr.items(): print print '-' * 80 print 'Answer from server %s for zone %s' % (server, zone) print '-' * 80 for rr in data: print "%(domainame)s\t%(ttl)d\t%(rclass)s\t%(rtype)s\t%(rdata)s" % rr if self.dbh: try: r = ccd.DnsRecordResult( domainame=rr['domainame'], ttl=rr['ttl'], rclass=rr['rclass'], rtype=rr['rtype'], rdata=rr['rdata'] ) self.dbh.add(r) except Exception as e: print e else: nfailed += 1 failed.append(zone + ': ' + repr(tr)) print '-' * 80 print "finished in %fs" % cUtil.secs(start) print print "Transfer succeded on %d zones" % ntrans print "Transfer failed on %d zones" % nfailed if failed: out_failed_fn = 'failed_zonetransfer_' + time.strftime("%Y_%m_%d_%H_%M_%S") with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd: out_failed_fd.write('\n'.join(failed)) out_failed_fd.flush() print "\tsee %s" % out_failed_fd.name print
def transfer(self): print 'Starting Zonetransfers' start = datetime.now() ntrans = 0 nfailed = 0 failed = [] for success, zone, tr in self.tuples.tuple_q: if success: ntrans += 1 for server, data in tr.items(): print print '-' * 80 print 'Answer from server %s for zone %s' % (server, zone) print '-' * 80 for rr in data: print "%(domainame)s\t%(ttl)d\t%(rclass)s\t%(rtype)s\t%(rdata)s" % rr if self.dbh: try: r = ccd.DnsRecordResult( domainame=rr['domainame'], ttl=rr['ttl'], rclass=rr['rclass'], rtype=rr['rtype'], rdata=rr['rdata']) self.dbh.add(r) except Exception as e: print e else: nfailed += 1 failed.append(zone + ': ' + repr(tr)) print '-' * 80 print "finished in %fs" % cUtil.secs(start) print print "Transfer succeded on %d zones" % ntrans print "Transfer failed on %d zones" % nfailed if failed: out_failed_fn = 'failed_zonetransfer_' + time.strftime( "%Y_%m_%d_%H_%M_%S") with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd: out_failed_fd.write('\n'.join(failed)) out_failed_fd.flush() print "\tsee %s" % out_failed_fd.name print
def getversion(self): start = datetime.now() print 'Getting Bind versions ...' for ip, hostname, port, bindversion in self.tuples.tuple_q: print '%s\t%s' % (hostname or ip, bindversion) if self.dbh: r = ccd.DnsVersionResult( ip=ip, fqdn=hostname, port=port, bindversion=bindversion ) self.dbh.add(r) self.tuples.join() print print 'Plugin finished in %f seconds' % cUtil.secs(start)
def resolve(self): """ start resolve """ logger.info("Starting %s", __plgname__) start_time = datetime.now() print "Starting reverse lookup" print '-' * 80 fmt = '{:20}{:>60}' nresolved = 0 nfailed = 0 ips_failed = [] for success, ip, hostname in self.tuples.tuple_q: if success: nresolved += 1 print fmt.format(ip, hostname) if self.dbh: self.dbh.add(ccd.DnsscanResult( ip=ip, fqdn=hostname) ) else: nfailed += 1 ips_failed.append(ip) self.tuples.join() print '-' * 80 print "finished in %fs" % cUtil.secs(start_time) print print "resolved %d ips" % nresolved print "failed to resolve %d ips" % nfailed if ips_failed: out_failed_fn = 'failed_resolve_' + time.strftime("%Y_%m_%d_%H_%M_%S") if not hasattr(__builtin__, 'openhome'): __builtin__.openhome = open with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd: out_failed_fd.write('\n'.join(ips_failed)) out_failed_fd.flush() print "\tsee %s" % out_failed_fd.name print
def resolve(self): """ Create threads, set up task queue and start resolving. """ logger.debug("Starting resolve") start_time = datetime.now() fmt = '{:20}{:60}' for ip, hostname in self.tuples.tuple_q: print fmt.format(ip, hostname) if self.dbh: self.dbh.add(ccd.DnsscanResult( ip=ip, fqdn=hostname) ) self.tuples.join() print("\nfinished in %fs" % cUtil.secs(start_time))
def start(self): """ Do the thing """ start_time = datetime.now() row_fmt = "{:30} {:30} {:30}" print 'Bruteforcing Telnet logins ...' print '-' * 80 print row_fmt.format('password', 'username', 'server') print '-' * 80 for status, username, password, host, port in self.tuples.tuple_q: if status: print row_fmt.format(password, username, host + ':' + str(port)) if self.dbh: ip = '' fqdn = '' typ = cUtil.getTargetType(host) if typ == cUtil.TTYPE.IP: ip = host if typ == cUtil.TTYPE.DOMAIN: fqdn = host br = ccd.BruteforceResult( ip=ip, fqdn=fqdn, port=int(port), username=username, password=password, service='telnet', ) self.dbh.add(br) #br = ccd.TelnetBruteforceResult( # host=host, # port=int(port), # user=username, # password=password, #) #self.dbh.add(br) self.tuples.join() print '-' * 80 print "Finished in %fs" % cUtil.secs(start_time)
def start(self): start_time = datetime.now() for target, username in self.tuples.tuple_q: print('Found user %s@%s:%d' % (username, target[0], int(target[1]))) # now, store result entry in data if self.dbhandler: br = ccd.SmtpUserEnumResult( ip=target[0], port=int(target[1]), username=username, command=testusername.command ) self.dbhandler.add(br) self.tuples.join() print("\nfinished in %fs" % cUtil.secs(start_time))
def resolve(self): """ start resolve """ logger.info("Starting %s", __plgname__) start_time = datetime.now() print "Starting resolve" print '-' * 80 fmt = "{:65}{:>15}" nresolved = 0 nfailed = 0 hn_failed = [] for success, hostname, ip in self.tuples.tuple_q: if success: nresolved += 1 print fmt.format(hostname, ip) if self.dbh: self.dbh.add(ccd.DnsscanResult( ip=ip, fqdn=hostname) ) else: nfailed += 1 hn_failed.append(hostname) self.tuples.join() print '-' * 80 print "finished in %fs" % cUtil.secs(start_time) print print "resolved %d hostnames" % nresolved print "failed to resolve %d hostnames" % nfailed if hn_failed: out_failed_fn = 'failed_resolve_' + time.strftime("%Y_%m_%d_%H_%M_%S") with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd: out_failed_fd.write('\n'.join(hn_failed)) out_failed_fd.flush() print "\tsee %s" % out_failed_fd.name print
def resolve(self): """ start resolve """ logger.info("Starting %s", __plgname__) start_time = datetime.now() print "Starting reverse lookup" print '-' * 80 fmt = '{:20}{:>60}' nresolved = 0 nfailed = 0 ips_failed = [] for success, ip, hostname in self.tuples.tuple_q: if success: nresolved += 1 print fmt.format(ip, hostname) if self.dbh: self.dbh.add(ccd.DnsscanResult(ip=ip, fqdn=hostname)) else: nfailed += 1 ips_failed.append(ip) self.tuples.join() print '-' * 80 print "finished in %fs" % cUtil.secs(start_time) print print "resolved %d ips" % nresolved print "failed to resolve %d ips" % nfailed if ips_failed: out_failed_fn = 'failed_resolve_' + time.strftime( "%Y_%m_%d_%H_%M_%S") if not hasattr(__builtin__, 'openhome'): __builtin__.openhome = open with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd: out_failed_fd.write('\n'.join(ips_failed)) out_failed_fd.flush() print "\tsee %s" % out_failed_fd.name print
def test_user(target, delay, user): # target, u, delay, pwlen): logger.info('testing delay for user %s' % user) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) p = None try: s.connect(target) logger.info('connected to ' + repr(target)) p = paramiko.Transport(s) #p.local_version = cUtil.ssh_version.next() p.connect(username=user) start = datetime.now() try: p.auth_password(user, test_user.pw) except: pass stop = cUtil.secs(start) logger.info('Delay for user %s: %f' % (user, stop)) return stop except Exception, e: logger.warning(e) raise
def resolve(self): """ start resolve """ logger.info("Starting %s", __plgname__) print 'Starting mass dns resolve' start_time = datetime.now() fmt = "{:60}{:20}" for success, hostname, ip in self.tuples.tuple_q: if success: print fmt.format(hostname, ip) if self.dbh: self.dbh.add(ccd.DnsscanResult( ip=ip, fqdn=hostname) ) self.tuples.join() print("\nfinished in %fs" % cUtil.secs(start_time))
def resolve(self): """ start resolve """ logger.info("Starting %s", __plgname__) start_time = datetime.now() print "Starting resolve" print '-' * 80 fmt = "{:65}{:>15}" nresolved = 0 nfailed = 0 hn_failed = [] for success, hostname, ip in self.tuples.tuple_q: if success: nresolved += 1 print fmt.format(hostname, ip) if self.dbh: self.dbh.add(ccd.DnsscanResult(ip=ip, fqdn=hostname)) else: nfailed += 1 hn_failed.append(hostname) self.tuples.join() print '-' * 80 print "finished in %fs" % cUtil.secs(start_time) print print "resolved %d hostnames" % nresolved print "failed to resolve %d hostnames" % nfailed if hn_failed: out_failed_fn = 'failed_resolve_' + time.strftime( "%Y_%m_%d_%H_%M_%S") with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd: out_failed_fd.write('\n'.join(hn_failed)) out_failed_fd.flush() print "\tsee %s" % out_failed_fd.name print
def start(self): start = datetime.now() row_fmt = '{:30}{:}' for ip, port, dirs in self.tuples.tuple_q: if dirs: print '\nExport list for %s:' % ip for d in dirs: groups = d[1] for client in groups: print row_fmt.format(d[0], client) if self.dbh: br = ccd.ShowmountResult( ip=ip, port=port, export=d[0], client=client, ) self.dbh.add(br) print 'Finished in %f seconds' % cUtil.secs(start)
def scan(self): start = datetime.now() # read robots.txt self.read_robots() self.out_q = Queue.Queue() self.tasks_waiting = 0 for path in self.known_paths: self.make_new_paths(path, 1) self.threads = [DirWorker(self.in_q, self.out_q, self.base_url, self.wait) for _ in range(self.nthreads)] for t in self.threads: t.setDaemon(True) t.start() self._printResults() print '-' * 80 print 'Finished in %fseconds' % cUtil.secs(start)
def start(self): """ Do the thing """ start_time = datetime.now() row_fmt = "{:30} {:30} {:30} | {:30}" for username, password, host, port, status in self.tuples.tuple_q: if status: print row_fmt.format(password, username, host + ':' + str(port), '') if self.dbh: ip = '' fqdn = '' typ = cUtil.getTargetType(host) if typ == cUtil.TTYPE.IP: ip = host if typ == cUtil.TTYPE.DOMAIN: fqdn = host br = ccd.BruteforceResult( ip=ip, fqdn=fqdn, port=int(port), username=username, password=password, service='mysql', ) #br = ccd.MysqlBruteforceResult( # host=host, # port=int(port), # user=username, # password=password, #) self.dbh.add(br) self.tuples.join() print("\nfinished in %fs" % cUtil.secs(start_time))
def start(self): """ Do the thing """ start_time = datetime.now() row_fmt = "{:30}{:30}{:}" for username, password, target in self.tuples.tuple_q: print row_fmt.format(password, username, target[0] + ':' + str(target[1]), '') if self.dbhandler: host, port = target ip = '' fqdn = '' typ = cUtil.getTargetType(host) if typ == cUtil.TTYPE.IP: ip = host if typ == cUtil.TTYPE.DOMAIN: fqdn = host br = ccd.BruteforceResult( ip=ip, fqdn=fqdn, port=int(port), username=username, password=password, service='ssh', ) #br = ccd.SshBruteforceResult( # host=target[0], # port=int(target[1]), # user=username, # password=password, #) self.dbhandler.add(br) self.tuples.join() print("\nfinished in %fs" % cUtil.secs(start_time))
def __init__(self, args, dbh=None): opt = parse(args) global tls_versions tls_versions = opt.tlsv hb_test.OUTDIR = opt.outdir hb_test.TIMEOUT = opt.to try: hb_test.OUTDIR = os.path.join(__builtin__.openhome.base_dir, hb_test.OUTDIR) except: pass if not os.path.exists(hb_test.OUTDIR): os.makedirs(hb_test.OUTDIR) else: logger.info('%s directory already exists' % hb_test.OUTDIR) # check access permissions if not os.access(hb_test.OUTDIR, os.R_OK): print 'Error %s not readable' % hb_test.OUTDIR sys.exit(1) if not os.access(hb_test.OUTDIR, os.W_OK): print 'Error %s not writable' % hb_test.OUTDIR sys.exit(1) if not os.access(hb_test.OUTDIR, os.X_OK): print 'Error %s not executable' % hb_test.OUTDIR sys.exit(1) start = datetime.now() ig_targets = cTuples.cInputGenerator( data=opt.target, filename=opt.target_fn, circle=False, expand_cb=lambda t: cUtil.mkIP2( t, ports=opt.ports, noSplit=True, noResolve=False), maxthreads=opt.nthreads) ig_targets.start() tuples = cTuples.cTuples(inputs=[ig_targets], prep_callback=hb_test, maxthreads=opt.nthreads, delay=opt.delay) tuples.start() n = 0 n_vuln = 0 n_notvuln = 0 n_down = 0 timestamp = time.strftime("%Y-%m-%d_%H:%M:%S") fd_vuln = open( os.path.join(hb_test.OUTDIR, 'vulnerable_%s' % timestamp), 'w') fd_notvuln = open( os.path.join(hb_test.OUTDIR, 'not_vulnerable_%s' % timestamp), 'w') fd_down = open(os.path.join(hb_test.OUTDIR, 'down_%s' % timestamp), 'w') fmt = '{:60}{:<20}' print print 'Started scan for CVE-2014-0160' print 'Testing ports: %s' % ', '.join(map(str, opt.ports)) print 'Testing tls versions: %s' % ', '.join(map(str, opt.tlsv)) print print '-' * 80 print for vulnerable, target, hostname, fn, sample, errors in tuples.tuple_q: n += 1 if vulnerable in opt.tlsv: if dbh: br = ccd.HeartbleedResult( ip=target[0], fqdn=hostname, port=target[1], sample=grep_ascii(sample), risk=9, tlsv=vulnerable, ) dbh.add(br) if not hostname: hostname = target[0] n_vuln += 1 fd_vuln.write('%s:%d\n' % (hostname, target[1])) if errors: fd_vuln.write('Warning: errors occured -> %s\n' % ', '.join(errors)) fd_vuln.flush() if errors: print fmt.format( '\033[93m%s:%d\033[0m' % (hostname, target[1]), 'is vulnerable, tlsv %s' % vulnerable) print '\tError(s): %s' % ', '.join(errors) else: print fmt.format( '\033[91m%s:%d\033[0m' % (hostname, target[1]), 'is vulnerable, tlsv %s' % vulnerable) print '\t%d bytes stored in %s' % (len(sample), fn) elif vulnerable == 'NOT_VULN': if dbh: br = ccd.HeartbleedResult_NV(ip=target[0], fqdn=hostname, port=target[1], risk=0, tlsv='-') dbh.add(br) if not hostname: hostname = target[0] n_notvuln += 1 fd_notvuln.write('%s:%d\n' % (hostname, target[1])) if errors: fd_notvuln.write('\nWarning: errors occured -> %s' % ', '.join(errors)) fd_notvuln.flush() if errors: print fmt.format( '\033[93m%s:%d\033[0m' % (hostname, target[1]), 'is not vulnerable') print '\tError(s): %s' % ', '.join(errors) else: print fmt.format( '\033[92m%s:%d\033[0m' % (hostname, target[1]), 'is not vulnerable') elif vulnerable == 'DOWN': n_down += 1 fd_down.write('%s:%d\n' % (hostname, target[1])) fd_down.flush() tuples.join() print print '-' * 80 print print 'Finished scan in %f seconds' % cUtil.secs(start) print print '%d targets tested' % n print '%d targets found vulnerable (see %s)' % (n_vuln, fd_vuln.name) print '%d targets found not vulnerable (see %s)' % (n_notvuln, fd_notvuln.name) print '%d targets were down (see %s)' % (n_down, fd_down.name) fd_vuln.close() fd_notvuln.close() fd_down.close()
def ssl_test(args, dbh=None): parser = argparse.ArgumentParser( prog=__plgname__, description="ssl version tester v%f" % __version__, epilog=""" Examples: ssl_tester.plg -t www.curesec.com -maxcon 10 """, formatter_class=argparse.RawTextHelpFormatter) parser.add_argument('-T', help='file containing urls or ips', dest='target_fn') parser.add_argument('-t', help='url or ir', nargs='+', dest='target', default=[]) parser.add_argument('-delay', help='delay in between requests', dest='delay', default=0.0, type=float) parser.add_argument( '-C', help= 'filename of cipher suite list to test against (default cipherlist.txt)', dest='cipher_fn', default='cipherlist.txt') parser.add_argument('-port', help='target port (default 443)', dest='port', default=443, type=int) parser.add_argument('-to', help='Server timeout (default 3s)', dest='timeout', type=int, default=3) parser.add_argument( '-maxcon', help='Maximum parallel connections per host (default: unlimited)', type=int, default=0, ) parser.add_argument( '-nt', help= 'Maximum number of threads to scan with, each host gets a new thread (default 10)', dest='nthreads', default=10, type=int) if not args: parser.print_help() sys.exit(0) opt = parser.parse_args(args) # set global target parameters cComm.Mark.MAX_CON = opt.maxcon cComm.Mark.FIX_PORT = opt.port cComm.Mark.TIMEOUT = opt.timeout # only use ssl connections no plain http cComm.Comm.SSL = True start = datetime.now() try: ig_targets = cTuples.cInputGenerator(data=opt.target, filename=opt.target_fn, circle=False, expand_cb=cUtil.mkIP2, prepare_cb=prepare_target, maxthreads=opt.nthreads) except cTuples.ENoInput: print 'Error: No Targets specified, please use the -t/T parameter to set target(s)' sys.exit(1) try: ig_ciphers = cTuples.cInputGenerator(data=[], filename=opt.cipher_fn, prepare_cb=prepare_cb_cipher, circle=True) except cTuples.ENoInput: print 'Error: No Ciphers specified, please use the -C parameter to set a cipher list file' sys.exit(1) ig_targets.start() ig_ciphers.start() tuples = cTuples.cTuples(inputs=[ig_targets, ig_ciphers], prep_callback=check_ssl, maxthreads=opt.nthreads, delay=opt.delay) tuples.start() results = {} for mark, cs, cipher, sev, version in tuples.tuple_q: if dbh: br = ccd.SslInfoResult( ip=mark.ip, fqdn=mark.hostname, port=mark.port, cs=cs, ) dbh.add(br) try: results[mark.ip + ' / ' + mark.hostname][sev].append(cs) except: results[mark.ip + ' / ' + mark.hostname] = {} results[mark.ip + ' / ' + mark.hostname]['weak'] = [] results[mark.ip + ' / ' + mark.hostname]['medium'] = [] results[mark.ip + ' / ' + mark.hostname]['strong'] = [] tuples.join() for ip, c in results.items(): print '-' * len(ip) print ip print '-' * len(ip) for cs in c['weak']: print '\033[91m%s\033[0m' % cs for cs in c['medium']: print '\033[93m%s\033[0m' % cs for cs in c['strong']: print '\033[92m%s\033[0m' % cs print print 'Finished in %f seconds' % cUtil.secs(start)
def ssl_test(args, dbh=None): parser = argparse.ArgumentParser( prog=__plgname__, description="ssl version tester v%f" % __version__, epilog= """ Examples: ssl_tester.plg -t www.curesec.com -maxcon 10 """, formatter_class=argparse.RawTextHelpFormatter ) parser.add_argument('-T', help='file containing urls or ips', dest='target_fn' ) parser.add_argument('-t', help='url or ir', nargs='+', dest='target', default=[] ) parser.add_argument('-delay', help='delay in between requests', dest='delay', default=0.0, type=float ) parser.add_argument('-C', help='filename of cipher suite list to test against (default cipherlist.txt)', dest='cipher_fn', default='cipherlist.txt' ) parser.add_argument('-port', help='target port (default 443)', dest='port', default=443, type=int ) parser.add_argument('-to', help='Server timeout (default 3s)', dest='timeout', type=int, default=3 ) parser.add_argument('-maxcon', help='Maximum parallel connections per host (default: unlimited)', type=int, default=0, ) parser.add_argument('-nt', help='Maximum number of threads to scan with, each host gets a new thread (default 10)', dest='nthreads', default=10, type=int ) if not args: parser.print_help() sys.exit(0) opt = parser.parse_args(args) # set global target parameters cComm.Mark.MAX_CON = opt.maxcon cComm.Mark.FIX_PORT = opt.port cComm.Mark.TIMEOUT = opt.timeout # only use ssl connections no plain http cComm.Comm.SSL = True start = datetime.now() try: ig_targets = cTuples.cInputGenerator(data=opt.target, filename=opt.target_fn, circle=False, expand_cb=cUtil.mkIP2, prepare_cb=prepare_target, maxthreads=opt.nthreads ) except cTuples.ENoInput: print 'Error: No Targets specified, please use the -t/T parameter to set target(s)' sys.exit(1) try: ig_ciphers = cTuples.cInputGenerator(data=[], filename=opt.cipher_fn, prepare_cb=prepare_cb_cipher, circle=True) except cTuples.ENoInput: print 'Error: No Ciphers specified, please use the -C parameter to set a cipher list file' sys.exit(1) ig_targets.start() ig_ciphers.start() tuples = cTuples.cTuples(inputs=[ig_targets, ig_ciphers], prep_callback=check_ssl, maxthreads=opt.nthreads, delay=opt.delay) tuples.start() results = {} for mark, cs, cipher, sev, version in tuples.tuple_q: if dbh: br = ccd.SslInfoResult( ip=mark.ip, fqdn=mark.hostname, port=mark.port, cs=cs, ) dbh.add(br) try: results[mark.ip + ' / ' + mark.hostname][sev].append(cs) except: results[mark.ip + ' / ' + mark.hostname] = {} results[mark.ip + ' / ' + mark.hostname]['weak'] = [] results[mark.ip + ' / ' + mark.hostname]['medium'] = [] results[mark.ip + ' / ' + mark.hostname]['strong'] = [] tuples.join() for ip, c in results.items(): print '-' * len(ip) print ip print '-' * len(ip) for cs in c['weak']: print '\033[91m%s\033[0m' % cs for cs in c['medium']: print '\033[93m%s\033[0m' % cs for cs in c['strong']: print '\033[92m%s\033[0m' % cs print print 'Finished in %f seconds' % cUtil.secs(start)
def start(self): """ Do the thing """ start_time = datetime.now() print '\nStarting bruteforce' row_fmt = "{:30} {:30} {:30}" print '-' * 80 print 'Real logins:' print row_fmt.format('password', 'username', 'target') print '-' * 80 for success, code, user, password, host, port in self.tuples.tuple_q: # we actually found sth. if success: print row_fmt.format(password, user, host + ':' + str(port)) # add creds to database if self.dbh: ip = '' fqdn = '' typ = cUtil.getTargetType(host) if typ == cUtil.TTYPE.IP: ip = host if typ == cUtil.TTYPE.DOMAIN: fqdn = host br = ccd.BruteforceResult( ip=ip, fqdn=fqdn, port=int(port), username=user, password=password, service='ftp', ) #br = ccd.FtpBruteforceResult( # host=host, # port=int(port), # user=user, # password=password, #) self.dbh.add(br) self.tuples.join() if self.anon: print '-' * 80 print 'Anonymous logins:' print row_fmt.format('password', 'username', 'target') print '-' * 80 while True: try: target, passw, user = self.anon_q.get_nowait() except: break host, port = target print row_fmt.format(passw, user, host + ':' + str(port)) # add creds to database if self.dbh: ip = '' fqdn = '' typ = cUtil.getTargetType(host) if typ == cUtil.TTYPE.IP: ip = host if typ == cUtil.TTYPE.DOMAIN: fqdn = host br = ccd.BruteforceResult( ip=ip, fqdn=fqdn, port=int(port), username=user, password=passw, service='ftp', ) #br = ccd.FtpBruteforceResult( # host=host, # port=int(port), # user=user, # password=passw, #) self.dbh.add(br) print("\nfinished in %fs" % cUtil.secs(start_time))
def __init__(self, args, dbh=None): opt = parse(args) global tls_versions tls_versions = opt.tlsv hb_test.OUTDIR = opt.outdir hb_test.TIMEOUT = opt.to try: hb_test.OUTDIR = os.path.join(__builtin__.openhome.base_dir, hb_test.OUTDIR) except: pass if not os.path.exists(hb_test.OUTDIR): os.makedirs(hb_test.OUTDIR) else: logger.info('%s directory already exists' % hb_test.OUTDIR) # check access permissions if not os.access(hb_test.OUTDIR, os.R_OK): print 'Error %s not readable' % hb_test.OUTDIR sys.exit(1) if not os.access(hb_test.OUTDIR, os.W_OK): print 'Error %s not writable' % hb_test.OUTDIR sys.exit(1) if not os.access(hb_test.OUTDIR, os.X_OK): print 'Error %s not executable' % hb_test.OUTDIR sys.exit(1) start = datetime.now() ig_targets = cTuples.cInputGenerator(data=opt.target, filename=opt.target_fn, circle=False, expand_cb=lambda t: cUtil.mkIP2(t, ports=opt.ports, noSplit=True, noResolve=False), maxthreads=opt.nthreads ) ig_targets.start() tuples = cTuples.cTuples(inputs=[ig_targets], prep_callback=hb_test, maxthreads=opt.nthreads, delay=opt.delay) tuples.start() n = 0 n_vuln = 0 n_notvuln = 0 n_down = 0 timestamp = time.strftime("%Y-%m-%d_%H:%M:%S") fd_vuln = open(os.path.join(hb_test.OUTDIR, 'vulnerable_%s' % timestamp), 'w') fd_notvuln = open(os.path.join(hb_test.OUTDIR, 'not_vulnerable_%s' % timestamp), 'w') fd_down = open(os.path.join(hb_test.OUTDIR, 'down_%s' % timestamp), 'w') fmt = '{:60}{:<20}' print print 'Started scan for CVE-2014-0160' print 'Testing ports: %s' % ', '.join(map(str, opt.ports)) print 'Testing tls versions: %s' % ', '.join(map(str, opt.tlsv)) print print '-' * 80 print for vulnerable, target, hostname, fn, sample, errors in tuples.tuple_q: n += 1 if vulnerable in opt.tlsv: if dbh: br = ccd.HeartbleedResult( ip=target[0], fqdn=hostname, port=target[1], sample=grep_ascii(sample), risk=9, tlsv=vulnerable, ) dbh.add(br) if not hostname: hostname = target[0] n_vuln += 1 fd_vuln.write('%s:%d\n' % (hostname, target[1])) if errors: fd_vuln.write('Warning: errors occured -> %s\n' % ', '.join(errors)) fd_vuln.flush() if errors: print fmt.format('\033[93m%s:%d\033[0m' % (hostname, target[1]), 'is vulnerable, tlsv %s' % vulnerable) print '\tError(s): %s' % ', '.join(errors) else: print fmt.format('\033[91m%s:%d\033[0m' % (hostname, target[1]), 'is vulnerable, tlsv %s' % vulnerable) print '\t%d bytes stored in %s' % (len(sample), fn) elif vulnerable == 'NOT_VULN': if dbh: br = ccd.HeartbleedResult_NV( ip=target[0], fqdn=hostname, port=target[1], risk=0, tlsv='-' ) dbh.add(br) if not hostname: hostname = target[0] n_notvuln += 1 fd_notvuln.write('%s:%d\n' % (hostname, target[1])) if errors: fd_notvuln.write('\nWarning: errors occured -> %s' % ', '.join(errors)) fd_notvuln.flush() if errors: print fmt.format('\033[93m%s:%d\033[0m' % (hostname, target[1]), 'is not vulnerable') print '\tError(s): %s' % ', '.join(errors) else: print fmt.format('\033[92m%s:%d\033[0m' % (hostname, target[1]), 'is not vulnerable') elif vulnerable == 'DOWN': n_down += 1 fd_down.write('%s:%d\n' % (hostname, target[1])) fd_down.flush() tuples.join() print print '-' * 80 print print 'Finished scan in %f seconds' % cUtil.secs(start) print print '%d targets tested' % n print '%d targets found vulnerable (see %s)' % (n_vuln, fd_vuln.name) print '%d targets found not vulnerable (see %s)' % (n_notvuln, fd_notvuln.name) print '%d targets were down (see %s)' % (n_down, fd_down.name) fd_vuln.close() fd_notvuln.close() fd_down.close()
try: p.connect(username=user) except Exception, e: logger.warning(e) s.close() break start = datetime.now() try: p.auth_password(user, test_user.pw) except paramiko.AuthenticationException, e: pass except Exception, e: logger.warning(e) s.close() break stop = cUtil.secs(start) res += stop / N_SAMPLES logger.info('estimated dealy for %s: %f' % (target, res)) return res def get_banner(target): s = socket.socket() banner = '' try: s.connect(target) banner = s.recv(1024) except Exception, e: logger.warning(e) finally: s.close()
class SshUserEnum(object): def __init__(self, args, dbh=None): opt = parse(args) self.dbh = dbh self.adj = opt.adj # We don't really need this module here, because we do not operate # multithreaded, however it is convenient to use the mkIP2 and isUp # functions to preprocess the target ips self.ig_targets = cTuples.cInputGenerator( data=opt.targets, filename=opt.target_fn, circle=False, #prepare_cb=cUtil.isUp, expand_cb=lambda t: cUtil.mkIP2( t, ports=[opt.port], #noResolve=True ), ) self.ig_targets.start() # we don't want to overload the server with too many parallel login # attempts as it might influence the delay times # so anyway thats why i use one seperate list of user names per server # instaed of zipping them to the targets if opt.U: self.users = it.chain( __builtin__.openany(opt.U, 'r').readlines(), opt.u) elif opt.u: self.users = opt.u else: self.users = it.chain( __builtin__.openshared('usernames.log', 'r').readlines()) prep_targets.bignore = opt.bignore test_user.pw = 'a' * opt.l def start(self): print 'SSH User Enum started' start = datetime.now() for target, fqdn_tuple in self.ig_targets: if not isinstance(target, str): ip = target[0] port = int(target[1]) if fqdn_tuple: fqdn = ''.join(fqdn_tuple) else: fqdn = '' else: ip = target port = int(fqdn_tuple) fqdn = '' target = (ip, port) res = prep_targets((ip, port)) banner_check, _, delay_est, banner = res delay = delay_est * self.adj delay_est2 = delay_est * (self.adj * 0.25) print '-' * 80 print '[+] Target:\t\t%s:%d (%s)' % (ip, port, fqdn) print '[+] Banner:\t\t%s' % banner print '[+] Est. Delay:\t\t%f' % delay_est print '[+] Delay Thresh:\t%f, %f' % (delay, delay_est2) print '-' * 80 if not banner_check: print '[-] Banner check failed, rerun with -bignore' else: for u in self.users: u = u.rstrip() if not u: continue udelay = None # 3 retries max for _ in range(MAX_RETRIES): try: udelay = test_user(target, delay, u) break except Exception, e: logger.warning(e) if udelay and udelay > delay: print '\033[91m[+] Found %s (%f)\033[0m' % (u, udelay) if self.dbh: sue = ccd.SshUserEnumResult( ip=ip, #fqdn=fqdn, port=port, user=u) self.dbh.add(sue) elif udelay and udelay > delay_est2: print '\033[93m[?] Maybe %s (%f)\033[0m' % (u, udelay) else: if not udelay: udelay = 0.0 print '[-] Discard %s (%f)' % (u, udelay) print '-' * 80 print 'Finished in %f seconds' % cUtil.secs(start)