Beispiel #1
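def checkWeakTomcatCreds(db, footprint_id, limit):
    """Check hosts with port 8080 open for weak Tomcat credentials.

    The hosts returned by dbfunctions.listHostsWithOpenPort() are written to
    nmap_temp/tomcat_creds_hosts and scanned with nmap/tomcat-scan.nse. Every
    host is then recorded through dbfunctions.updatePortVulnerability():
    hosts reported with a "Found combination" line get the credentials and
    the label 'Weak Tomcat Creds', all other hosts get empty values.

    Args:
        db: Database handle, passed through to dbfunctions.
        footprint_id: Footprint identifier, passed through to dbfunctions.
        limit: Passed through to listHostsWithOpenPort().

    Raises:
        IOError: If nmap_temp/tomcat_creds_hosts cannot be written (paths
            are relative to the current working directory).
    """
    all_hosts = list(
        dbfunctions.listHostsWithOpenPort(db, footprint_id, 8080, limit))
    vulnerable_hosts = []

    # Write the target list with plain file I/O. Host values come from the
    # database and must not be interpolated into a shell command: building
    # the file with `echo <host> >> file` would hand each value to /bin/sh
    # unquoted. An unwritable file raises here instead of silently yielding
    # an empty scan.
    with open("nmap_temp/tomcat_creds_hosts", "w") as handle:
        for host in all_hosts:
            handle.write("{0}\n".format(host))

    if not all_hosts:
        time.sleep(3)
        return

    # Constant command line: nothing host-derived reaches the shell.
    # NOTE(review): if nmap or the script is missing, or the scan fails, the
    # pipeline prints nothing and every host below is recorded as clean; a
    # failed scan is indistinguishable from a negative result.
    results = os.popen(
        'nmap -iL nmap_temp/tomcat_creds_hosts -p 8080 '
        '--script nmap/tomcat-scan.nse '
        '| grep "Found combination" -B 7 '
        '| grep -e "Nmap scan report" -e "Found combination"'
    ).read()

    # NOTE(review): chunks are split on "--"; a hostname that itself contains
    # "--" would be cut in two here -- confirm targets are plain addresses.
    for chunk in results.split("--"):
        if chunk == "":
            continue
        fields = chunk.replace("\n", "").split("|")
        # Fifth space-separated token of the "Nmap scan report for ..." line.
        # NOTE(review): when nmap resolves a reverse-DNS name this token is
        # the name, which may not match the entries in all_hosts -- verify.
        host = fields[0].split(" ")[4]
        # Fixed offsets tied to the script's output layout -- TODO confirm
        # against the tomcat-scan.nse output format.
        creds = fields[1][23:-2]
        # Recovered credentials are printed and stored as-is: console logs
        # and the database row hold live secrets and need matching handling.
        print("[{0}] weak tomcat creds [{1}]".format(host, creds))
        vulnerable_hosts.append(host)
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 8080,
                                            1, 1, 1, creds,
                                            'Weak Tomcat Creds')

    for host in all_hosts:
        if host in vulnerable_hosts:
            continue
        print("{0} does not have weak tomcat creds".format(host))
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 8080, 1,
                                            0, 0, '', '')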
Beispiel #2
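def checkMS08067(db, footprint_id, limit):
    """Check hosts with port 445 open for MS08-067 using Nmap.

    The hosts returned by dbfunctions.listHostsWithOpenPort() are written to
    nmap_temp/ms08067_hosts and scanned with the smb-check-vulns script.
    Every host is then recorded through
    dbfunctions.updatePortVulnerability(): hosts reported as
    "MS08-067: VULNERABLE" get the label 'MS08-067', all others get empty
    values.

    Args:
        db: Database handle, passed through to dbfunctions.
        footprint_id: Footprint identifier, passed through to dbfunctions.
        limit: Passed through to listHostsWithOpenPort().

    Raises:
        IOError: If nmap_temp/ms08067_hosts cannot be written (paths are
            relative to the current working directory).
    """
    all_hosts = list(
        dbfunctions.listHostsWithOpenPort(db, footprint_id, 445, limit))
    vulnerable_hosts = []

    # Write the target list with plain file I/O. Host values come from the
    # database and must not be interpolated into a shell command: building
    # the file with `echo <host> >> file` would hand each value to /bin/sh
    # unquoted. An unwritable file raises here instead of silently yielding
    # an empty scan.
    with open("nmap_temp/ms08067_hosts", "w") as handle:
        for host in all_hosts:
            handle.write("{0}\n".format(host))

    if not all_hosts:
        time.sleep(3)
        return

    # Constant command line: nothing host-derived reaches the shell.
    # NOTE(review): unsafe=1 enables the checks that Nmap documents as able
    # to crash unpatched targets, so this run is not a passive probe.
    # NOTE(review): later Nmap releases ship these checks as separate
    # smb-vuln-* scripts. Where smb-check-vulns is absent, or the scan fails
    # for any other reason, the pipeline prints nothing and every host below
    # is recorded as not vulnerable -- a false negative, not a clean result.
    results = os.popen(
        'nmap -iL nmap_temp/ms08067_hosts -p 445 '
        '--script smb-check-vulns --script-args=unsafe=1 '
        '| grep "MS08-067: VULNERABLE" -B 8 '
        '| grep report | cut -d \\  -f 5'
    ).read()

    # Each non-empty line is field 5 of an "Nmap scan report for ..." line.
    # NOTE(review): when nmap resolves a reverse-DNS name that field is the
    # name, which may not match the entries in all_hosts -- verify.
    for host in results.split("\n"):
        if host == "":
            continue
        print("[{0}] is vulnerable to MS08-067".format(host))
        vulnerable_hosts.append(host)
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 445, 1, 1,
                                            1, '', 'MS08-067')

    for host in all_hosts:
        if host not in vulnerable_hosts:
            dbfunctions.updatePortVulnerability(db, footprint_id, host, 445,
                                                1, 0, 0, '', '')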
Beispiel #3
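def checkWeakMsSqlCreds(db, footprint_id, limit):
    """Check hosts with port 1433 open for weak MS SQL credentials.

    The hosts returned by dbfunctions.listHostsWithOpenPort() are written to
    nmap_temp/mssql_creds_hosts and scanned with the ms-sql-brute script,
    using the word lists creds/mssql_users and creds/mssql_passes. Every host
    is then recorded through dbfunctions.updatePortVulnerability(): hosts
    with a "Success" line get the credentials and the label
    'Weak SQL Creds', all other hosts get empty values.

    Args:
        db: Database handle, passed through to dbfunctions.
        footprint_id: Footprint identifier, passed through to dbfunctions.
        limit: Passed through to listHostsWithOpenPort().

    Raises:
        IOError: If nmap_temp/mssql_creds_hosts cannot be written (paths are
            relative to the current working directory).
    """
    all_hosts = list(
        dbfunctions.listHostsWithOpenPort(db, footprint_id, 1433, limit))
    vulnerable_hosts = []

    # Write the target list with plain file I/O. Host values come from the
    # database and must not be interpolated into a shell command: building
    # the file with `echo <host> >> file` would hand each value to /bin/sh
    # unquoted. An unwritable file raises here instead of silently yielding
    # an empty scan.
    with open("nmap_temp/mssql_creds_hosts", "w") as handle:
        for host in all_hosts:
            handle.write("{0}\n".format(host))

    if not all_hosts:
        time.sleep(3)
        return

    # Constant command line: nothing host-derived reaches the shell.
    # NOTE(review): if nmap, the script or the word lists are missing, or the
    # scan fails, the pipeline prints nothing and every host below is
    # recorded as clean; a failed scan looks the same as a negative result.
    results = os.popen(
        'nmap -iL nmap_temp/mssql_creds_hosts -p 1433 --script ms-sql-brute '
        '--script-args userdb=creds/mssql_users,passdb=creds/mssql_passes '
        '| grep Success -B 2'
    ).read()

    # NOTE(review): chunks are split on "--"; a hostname or password that
    # itself contains "--" would be cut in two here -- confirm.
    for chunk in results.split("--"):
        if chunk == "":
            continue
        fields = chunk.replace("\n", "").split("|")
        # Host and credentials are cut out with fixed offsets tied to the
        # ms-sql-brute output layout -- TODO confirm against the installed
        # Nmap version; a layout change raises IndexError or mis-slices.
        host = fields[1].split("[")[1][:-6]
        creds = fields[3][7:-17]
        # Recovered credentials are printed and stored as-is: console logs
        # and the database row hold live secrets and need matching handling.
        print("[{0}] weak sql creds [{1}]".format(host, creds))
        vulnerable_hosts.append(host)
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 1433,
                                            1, 1, 1, creds,
                                            'Weak SQL Creds')

    for host in all_hosts:
        if host in vulnerable_hosts:
            continue
        print("{0} does not have weak sql creds".format(host))
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 1433, 1,
                                            0, 0, '', '')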
Beispiel #4
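def checkAnonFTP(db, footprint_id, limit):
    """Check hosts with port 21 open for anonymous FTP login using Nmap.

    The hosts returned by dbfunctions.listHostsWithOpenPort() are written to
    nmap_temp/ftp_hosts and scanned with the ftp-anon script. Every host is
    then recorded through dbfunctions.updatePortVulnerability(): hosts whose
    report contains "allowed" get the label 'Anonymous FTP', all others get
    empty values. Nothing is printed and no commit is issued here.

    Args:
        db: Database handle, passed through to dbfunctions.
        footprint_id: Footprint identifier, passed through to dbfunctions.
        limit: Passed through to listHostsWithOpenPort().

    Raises:
        IOError: If nmap_temp/ftp_hosts cannot be written (paths are
            relative to the current working directory).
    """
    all_hosts = list(
        dbfunctions.listHostsWithOpenPort(db, footprint_id, 21, limit))
    vulnerable_hosts = []

    # Write the target list with plain file I/O. Host values come from the
    # database and must not be interpolated into a shell command: building
    # the file with `echo <host> >> file` would hand each value to /bin/sh
    # unquoted. An unwritable file raises here instead of silently yielding
    # an empty scan.
    with open("nmap_temp/ftp_hosts", "w") as handle:
        for host in all_hosts:
            handle.write("{0}\n".format(host))

    if not all_hosts:
        return

    # Constant command line: nothing host-derived reaches the shell.
    # NOTE(review): if nmap is missing or the scan fails, the pipeline prints
    # nothing and every host below is recorded as clean; a failed scan is
    # indistinguishable from a negative result.
    results = os.popen(
        "nmap -iL nmap_temp/ftp_hosts -p 21 -n -Pn --script ftp-anon "
        "| grep allowed -B 4 | grep report | cut -d \\  -f 5"
    ).read()

    # Each non-empty line is field 5 of an "Nmap scan report for ..." line.
    for host in results.split("\n"):
        if host == "":
            continue
        vulnerable_hosts.append(host)
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 21, 1, 1,
                                            0, '', 'Anonymous FTP')

    for host in all_hosts:
        if host not in vulnerable_hosts:
            dbfunctions.updatePortVulnerability(db, footprint_id, host, 21,
                                                1, 0, 0, '', '')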
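def checkWeakTomcatCreds(db,  footprint_id, limit):
    """Check hosts with port 8080 open for weak Tomcat credentials.

    The hosts returned by dbfunctions.listHostsWithOpenPort() are written to
    nmap_temp/tomcat_creds_hosts and scanned with nmap/tomcat-scan.nse. Every
    host is then recorded through dbfunctions.updatePortVulnerability():
    hosts reported with a "Found combination" line get the credentials and
    the label 'Weak Tomcat Creds', all other hosts get empty values.

    Args:
        db: Database handle, passed through to dbfunctions.
        footprint_id: Footprint identifier, passed through to dbfunctions.
        limit: Passed through to listHostsWithOpenPort().

    Raises:
        IOError: If nmap_temp/tomcat_creds_hosts cannot be written (paths
            are relative to the current working directory).
    """
    all_hosts = list(
        dbfunctions.listHostsWithOpenPort(db, footprint_id, 8080, limit))
    vulnerable_hosts = []

    # Plain file I/O instead of one `echo <host> >> file` shell call per
    # host: database-supplied host values must never be placed unquoted on a
    # shell command line. A write failure raises rather than leaving an empty
    # target list behind.
    with open("nmap_temp/tomcat_creds_hosts", "w") as handle:
        for host in all_hosts:
            handle.write("{0}\n".format(host))

    if not all_hosts:
        time.sleep(3)
        return

    # Constant command line: nothing host-derived reaches the shell.
    # NOTE(review): a missing nmap binary or script, or a failed scan, gives
    # empty output, and every host is then stored as not vulnerable.
    results = os.popen(
        'nmap -iL nmap_temp/tomcat_creds_hosts -p 8080 '
        '--script nmap/tomcat-scan.nse '
        '| grep "Found combination" -B 7 '
        '| grep -e "Nmap scan report" -e "Found combination"'
    ).read()

    # NOTE(review): splitting on "--" also cuts through any hostname that
    # contains "--" -- confirm targets are plain addresses.
    for chunk in results.split("--"):
        if chunk == "":
            continue
        fields = chunk.replace("\n", "").split("|")
        # Fifth space-separated token of the "Nmap scan report for ..." line;
        # NOTE(review): with reverse DNS this is the name, which may not
        # match the entries in all_hosts -- verify.
        host = fields[0].split(" ")[4]
        # Fixed offsets tied to the script's output layout -- TODO confirm.
        creds = fields[1][23:-2]
        # Credentials go to stdout and the database in clear text; treat both
        # as sensitive.
        print("[{0}] weak tomcat creds [{1}]".format(host, creds))
        vulnerable_hosts.append(host)
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 8080, 1, 1, 1, creds, 'Weak Tomcat Creds')

    for host in all_hosts:
        if host in vulnerable_hosts:
            continue
        print("{0} does not have weak tomcat creds".format(host))
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 8080, 1, 0, 0, '', '')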
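def checkWeakMsSqlCreds(db,  footprint_id, limit):
    """Check hosts with port 1433 open for weak MS SQL credentials.

    The hosts returned by dbfunctions.listHostsWithOpenPort() are written to
    nmap_temp/mssql_creds_hosts and scanned with the ms-sql-brute script,
    using the word lists creds/mssql_users and creds/mssql_passes. Every host
    is then recorded through dbfunctions.updatePortVulnerability(): hosts
    with a "Success" line get the credentials and the label
    'Weak SQL Creds', all other hosts get empty values.

    Args:
        db: Database handle, passed through to dbfunctions.
        footprint_id: Footprint identifier, passed through to dbfunctions.
        limit: Passed through to listHostsWithOpenPort().

    Raises:
        IOError: If nmap_temp/mssql_creds_hosts cannot be written (paths are
            relative to the current working directory).
    """
    all_hosts = list(
        dbfunctions.listHostsWithOpenPort(db, footprint_id, 1433, limit))
    vulnerable_hosts = []

    # Plain file I/O instead of one `echo <host> >> file` shell call per
    # host: database-supplied host values must never be placed unquoted on a
    # shell command line. A write failure raises rather than leaving an empty
    # target list behind.
    with open("nmap_temp/mssql_creds_hosts", "w") as handle:
        for host in all_hosts:
            handle.write("{0}\n".format(host))

    if not all_hosts:
        time.sleep(3)
        return

    # Constant command line: nothing host-derived reaches the shell.
    # NOTE(review): a missing nmap binary, script or word list, or a failed
    # scan, gives empty output, and every host is then stored as clean.
    results = os.popen(
        'nmap -iL nmap_temp/mssql_creds_hosts -p 1433 --script ms-sql-brute '
        '--script-args userdb=creds/mssql_users,passdb=creds/mssql_passes '
        '| grep Success -B 2'
    ).read()

    # NOTE(review): splitting on "--" also cuts through any hostname or
    # password that contains "--" -- confirm.
    for chunk in results.split("--"):
        if chunk == "":
            continue
        fields = chunk.replace("\n", "").split("|")
        # Fixed offsets tied to the ms-sql-brute output layout -- TODO
        # confirm; a layout change raises IndexError or mis-slices.
        host = fields[1].split("[")[1][:-6]
        creds = fields[3][7:-17]
        # Credentials go to stdout and the database in clear text; treat both
        # as sensitive.
        print("[{0}] weak sql creds [{1}]".format(host, creds))
        vulnerable_hosts.append(host)
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 1433, 1, 1, 1, creds, 'Weak SQL Creds')

    for host in all_hosts:
        if host in vulnerable_hosts:
            continue
        print("{0} does not have weak sql creds".format(host))
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 1433, 1, 0, 0, '', '')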
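def checkMS08067(db,  footprint_id, limit):
    """Check hosts with port 445 open for MS08-067 using Nmap.

    The hosts returned by dbfunctions.listHostsWithOpenPort() are written to
    nmap_temp/ms08067_hosts and scanned with the smb-check-vulns script.
    Every host is then recorded through
    dbfunctions.updatePortVulnerability(): hosts reported as
    "MS08-067: VULNERABLE" get the label 'MS08-067', all others get empty
    values.

    Args:
        db: Database handle, passed through to dbfunctions.
        footprint_id: Footprint identifier, passed through to dbfunctions.
        limit: Passed through to listHostsWithOpenPort().

    Raises:
        IOError: If nmap_temp/ms08067_hosts cannot be written (paths are
            relative to the current working directory).
    """
    all_hosts = list(
        dbfunctions.listHostsWithOpenPort(db, footprint_id, 445, limit))
    vulnerable_hosts = []

    # Plain file I/O instead of one `echo <host> >> file` shell call per
    # host: database-supplied host values must never be placed unquoted on a
    # shell command line. A write failure raises rather than leaving an empty
    # target list behind.
    with open("nmap_temp/ms08067_hosts", "w") as handle:
        for host in all_hosts:
            handle.write("{0}\n".format(host))

    if not all_hosts:
        time.sleep(3)
        return

    # Constant command line: nothing host-derived reaches the shell.
    # NOTE(review): unsafe=1 enables the checks that Nmap documents as able
    # to crash unpatched targets, so this run is not a passive probe.
    # NOTE(review): later Nmap releases ship these checks as separate
    # smb-vuln-* scripts. Where smb-check-vulns is absent, or the scan fails,
    # the output is empty and every host is stored as not vulnerable.
    results = os.popen(
        'nmap -iL nmap_temp/ms08067_hosts -p 445 '
        '--script smb-check-vulns --script-args=unsafe=1 '
        '| grep "MS08-067: VULNERABLE" -B 8 '
        '| grep report | cut -d \\  -f 5'
    ).read()

    # Each non-empty line is field 5 of an "Nmap scan report for ..." line.
    # NOTE(review): with reverse DNS that field is the name, which may not
    # match the entries in all_hosts -- verify.
    for host in results.split("\n"):
        if host == "":
            continue
        print("[{0}] is vulnerable to MS08-067".format(host))
        vulnerable_hosts.append(host)
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 445, 1, 1, 1, '', 'MS08-067')

    for host in all_hosts:
        if host not in vulnerable_hosts:
            dbfunctions.updatePortVulnerability(db, footprint_id, host, 445, 1, 0, 0, '', '')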
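def checkAnonFTP(db, footprint_id, limit):
    """Check hosts with port 21 open for anonymous FTP login using Nmap.

    The hosts returned by dbfunctions.listHostsWithOpenPort() are written to
    nmap_temp/ftp_hosts and scanned with the ftp-anon script. Every host is
    then recorded through dbfunctions.updatePortVulnerability(): hosts whose
    report contains "allowed" get the label 'Anonymous FTP', all others get
    empty values. Nothing is printed and no commit is issued here.

    Args:
        db: Database handle, passed through to dbfunctions.
        footprint_id: Footprint identifier, passed through to dbfunctions.
        limit: Passed through to listHostsWithOpenPort().

    Raises:
        IOError: If nmap_temp/ftp_hosts cannot be written (paths are
            relative to the current working directory).
    """
    all_hosts = list(
        dbfunctions.listHostsWithOpenPort(db, footprint_id, 21, limit))
    vulnerable_hosts = []

    # Plain file I/O instead of one `echo <host> >> file` shell call per
    # host: database-supplied host values must never be placed unquoted on a
    # shell command line. A write failure raises rather than leaving an empty
    # target list behind.
    with open("nmap_temp/ftp_hosts", "w") as handle:
        for host in all_hosts:
            handle.write("{0}\n".format(host))

    if not all_hosts:
        return

    # Constant command line: nothing host-derived reaches the shell.
    # NOTE(review): a missing nmap binary or a failed scan gives empty
    # output, and every host is then stored as not vulnerable.
    results = os.popen(
        "nmap -iL nmap_temp/ftp_hosts -p 21 -n -Pn --script ftp-anon "
        "| grep allowed -B 4 | grep report | cut -d \\  -f 5"
    ).read()

    # Each non-empty line is field 5 of an "Nmap scan report for ..." line.
    for host in results.split("\n"):
        if host == "":
            continue
        vulnerable_hosts.append(host)
        dbfunctions.updatePortVulnerability(db, footprint_id, host, 21, 1, 1, 0, '', 'Anonymous FTP')

    for host in all_hosts:
        if host not in vulnerable_hosts:
            dbfunctions.updatePortVulnerability(db, footprint_id, host, 21, 1, 0, 0, '', '')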