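def enum_dns(self, address, port, service, basedir):
    """Look up the target's NetBIOS name and queue a zone-transfer attempt against it.

    Args:
        address: target host; passed to ``nmblookup`` here and to ``dig`` via
            ``self.run_cmds``.
        port: DNS port; used in the dig command and in the output file name.
        service: service name from the port scan. Unused here; presumably kept so
            every ``enum_*`` method shares one signature.
        basedir: directory that receives ``{port}_dns_dig.txt``.

    Returns:
        None. The dig command is handed to ``self.run_cmds``; nothing is run
        when the NetBIOS lookup fails or returns something other than a plain
        hostname label.
    """
    # e() appears to evaluate the {…} placeholders against this frame (it
    # resolves ``host`` and ``port`` below) — inferred from usage, so the local
    # names in this method are load-bearing.
    # ``address`` reaches a shell through shell=True; it is assumed to be
    # operator-supplied (the scan target), not data read from the target.
    nmblookup = e(
        "nmblookup -A {address} | grep '<00>' | grep -v '<GROUP>' | cut -d' ' -f1")
    info('Running task {bgreen}nmblookup-{port}{rst}'
         + (' with {bblue}' + nmblookup + '{rst}' if self.verbose >= 1 else '...'))
    try:
        host = subprocess.check_output(
            nmblookup, shell=True, stderr=subprocess.DEVNULL).decode().strip()
    except subprocess.CalledProcessError:
        return
    # ``host`` is produced by the remote machine, so treat it as untrusted: it is
    # spliced into another command string below, and a crafted NetBIOS answer
    # (or a multi-line result from several <00> entries) must not be able to
    # smuggle shell syntax or extra arguments onto the scanning host. Only a
    # plain hostname label (letters, digits, '-' and '_') is accepted; an empty
    # result would only have produced a pointless ``dig @.thinc.local``.
    if not host or not all(c.isalnum() or c in '-_' for c in host):
        info('Skipping task {bgreen}dig-{port}{rst}: unexpected nmblookup output')
        return
    # NOTE(review): the zone name is hard-coded; presumably specific to one lab.
    self.run_cmds([(e(
        'dig -p{port} @{host}.thinc.local thinc.local axfr > "{basedir}/{port}_dns_dig.txt"'
    ), e('dig-{port}'))])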
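def run_nmap(self, address):
    """Run the TCP and UDP nmap sweeps against ``address`` and return the open services.

    Args:
        address: target passed to nmap; together with ``self.srvname`` it also
            names the per-host output directory under ``self.outdir``.

    Returns:
        list of ``(address, port, service_name)`` tuples sorted by port. UDP
        ports are stored as negative numbers so later stages (see ``run_amap``)
        can tell the two protocols apart from the integer alone.
    """
    out = os.path.join(self.outdir, address + self.srvname)
    # e() appears to evaluate the {…} placeholders against this frame
    # ({out}, {self.nmapparams}, {address}) — inferred from usage; confirm
    # against its definition before renaming any local in this method.
    self.run_cmds([
        (e('nmap -vv --reason -sV -sC {self.nmapparams} -p- -oN "{out}/0_tcp_nmap.txt" -oX "{out}/0_tcp_nmap.xml" {address}'
           ), 'nmap-tcp'),
        (e('nmap -vv --reason -sV --version-intensity 0 -sC -sU {self.nmapparams} -oN "{out}/0_udp_nmap.txt" -oX "{out}/0_udp_nmap.xml" {address}'
           ), 'nmap-udp')
    ])
    nmap_svcs = []
    for xml in (out + '/0_tcp_nmap.xml', out + '/0_udp_nmap.xml'):
        if not os.path.exists(xml):
            continue
        report = NmapParser.parse_fromfile(xml)
        # A host that was down or fully filtered yields a report without a
        # <host> element; indexing hosts[0] unconditionally raised IndexError.
        if report.hosts:
            nmap_svcs += report.hosts[0].services
    services = []
    for service in sorted(nmap_svcs, key=lambda s: s.port):
        # Substring test on purpose: UDP ports are often reported as 'open|filtered'.
        if 'open' not in service.state:
            continue
        # NOTE(review): product/version text comes from the target. If info()
        # evaluates {…} in its argument the way e() appears to, target-controlled
        # text is reaching a template engine on the scanning host — confirm that
        # info() escapes it, or log these values as separate arguments.
        info(
            'Service {bgreen}{service.port}{rst}/{bgreen}{service.protocol}{rst} is {bgreen}{service.service}{rst}'
            + (' running {green}' + service.service_dict['product'] + '{crst}' if 'product' in service.service_dict else '')
            + (' version {green}' + service.service_dict['version'] + '{crst}' if 'version' in service.service_dict else ''))
        # Negative port number marks UDP (see Returns).
        signed_port = -service.port if service.protocol == 'udp' else service.port
        services.append((address, signed_port, service.service))
    return services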
def enum_snmp(self, address, port, service, basedir):
    """Queue the SNMP enumeration commands for one port.

    Args:
        address: target host.
        port: SNMP port; appears in the nmap port spec, the task tags and the
            output file names.
        service: service name from the port scan. Unused here; presumably kept so
            every ``enum_*`` method shares one signature.
        basedir: directory that receives the ``{port}_snmp_*`` output files.

    Returns:
        None. All commands are handed to ``self.run_cmds``.
    """
    # e() appears to evaluate {…} against this frame (it reads {self.nmapparams},
    # {port}, {basedir}, {address}) — inferred from usage.
    nmap_cmd = e('nmap -vv --reason -sV {self.nmapparams} -p {port} --script="(snmp*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{basedir}/{port}_snmp_nmap.txt" -oX "{basedir}/{port}_snmp_nmap.xml" {address}')
    onesixtyone_cmd = e('onesixtyone -c data/community -dd -o "{basedir}/{port}_snmp_onesixtyone.txt" {address}')
    snmpwalk_cmd = e('snmpwalk -c public -v 1 {address} | tee "{basedir}/{port}_snmp_snmpwalk.txt"')
    tasks = [
        (nmap_cmd, e('nmap-{port}')),
        (onesixtyone_cmd, e('onesixtyone-{port}')),
        (snmpwalk_cmd, e('snmpwalk-{port}')),
    ]
    self.run_cmds(tasks)
def enum_http(self, address, port, service, basedir):
    """Queue the HTTP/HTTPS enumeration commands for one port, in two batches.

    Args:
        address: target host.
        port: web port; appears in the URLs, the task tags and the output file names.
        service: service name from the port scan; 'https' or 'ssl' in it selects
            the https scheme and nikto's ``-ssl`` switch.
        basedir: directory that receives the ``{port}_http_*`` output files.

    Returns:
        None. Commands are handed to ``self.run_cmds`` in two calls; the comment
        between them is the author's, and suggests the first call blocks until
        its commands complete.
    """
    # e() appears to evaluate {…} against this frame ({scheme}, {nikto_ssl},
    # {port}, …) — inferred from usage, so those local names must stay as they are.
    is_tls = 'https' in service or 'ssl' in service
    scheme = 'https' if is_tls else 'http'
    nikto_ssl = ' -ssl' if is_tls else ''
    first_batch = [
        (e('nmap -vv --reason -sV {self.nmapparams} -p {port} --script="(http* or ssl*) and not (broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{basedir}/{port}_http_nmap.txt" -oX "{basedir}/{port}_http_nmap.xml" {address}'
           ), e('nmap-{port}')),
        (e('curl -i {scheme}://{address}:{port}/ -m 10 -o "{basedir}/{port}_http_index.html"'
           ), e('curl-1-{port}')),
        (e('curl -i {scheme}://{address}:{port}/robots.txt -m 10 -o "{basedir}/{port}_http_robots.txt"'
           ), e('curl-2-{port}')),
    ]
    self.run_cmds(first_batch)
    # wait for previous scan to finish, then:
    second_batch = [
        (e('gobuster -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 10 -u {scheme}://{address}:{port} -e -s "200,204,301,302,307,403,500" | tee "{basedir}/{port}_http_dirb.txt"'
           ), e('gobuster-{port}')),
        # -C all potentially slowing it down?
        (e('nikto -h {scheme}://{address}:{port}{nikto_ssl} -o "{basedir}/{port}_http_nikto.txt"'
           ), e('nikto-{port}')),
    ]
    self.run_cmds(second_batch)
def enum_smb(self, address, port, service, basedir):
    """Queue the SMB/NetBIOS enumeration commands, at most once per target object.

    Args:
        address: target host.
        port: SMB-related port that triggered this enumerator; used in task tags
            and output file names. 139 and 445 are scanned together by nmap.
        service: service name from the port scan. Unused here; presumably kept so
            every ``enum_*`` method shares one signature.
        basedir: directory that receives the ``{port}_smb_*`` output files.

    Returns:
        None. Sets ``self.hadsmb`` so a second SMB port on the same object is a
        no-op.
    """
    if self.hadsmb:
        return
    # e() appears to evaluate {…} against this frame ({nmap_port}, {port}, …)
    # — inferred from usage, so ``nmap_port`` must keep its name.
    nmap_port = '139,445' if port in (139, 445) else port
    tasks = [
        (e('nmap -vv --reason -sV {self.nmapparams} -p {nmap_port} --script="(nbstat or smb*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{basedir}/{port}_smb_nmap.txt" -oX "{basedir}/{port}_smb_nmap.xml" {address}'
           ), e('nmap-{port}')),
        (e('enum4linux -a -M -l -d {address} | tee "{basedir}/{port}_smb_enum4linux.txt"'
           ), e('enum4linux-{port}')),
        (e('python2 /usr/share/doc/python-impacket/examples/samrdump.py {address} {port}/SMB | tee "{basedir}/{port}_smb_samrdump.txt"'
           ), e('samrdump-{port}')),
        (e('nbtscan -rvh {address} | tee "{basedir}/{port}_smb_nbtscan.txt"'
           ), e('nbtscan-{port}')),
    ]
    self.run_cmds(tasks)
    self.hadsmb = True
def enum_generic_udp(self, address, port, service, basedir):
    """Queue a default-script nmap run against a single UDP port.

    Args:
        address: target host.
        port: UDP port; used in the nmap port spec, the task tag and the output
            file names.
        service: service name from the port scan. Unused here; presumably kept so
            every ``enum_*`` method shares one signature.
        basedir: directory that receives ``{port}_generic_udp_nmap.{txt,xml}``.

    Returns:
        None. The command is handed to ``self.run_cmds``.
    """
    # e() appears to evaluate {…} against this frame — inferred from usage.
    nmap_cmd = e(
        'nmap -vv --reason -sV -sC {self.nmapparams} -sU -p {port} --script-args=unsafe=1 -oN "{basedir}/{port}_generic_udp_nmap.txt" -oX "{basedir}/{port}_generic_udp_nmap.xml" {address}'
    )
    tag = e('nmap-{port}')
    self.run_cmds([(nmap_cmd, tag)])
def enum_vnc(self, address, port, service, basedir):
    """Queue the VNC nmap script run for one port.

    Args:
        address: target host.
        port: VNC port; used in the nmap port spec, the task tag and the output
            file names.
        service: service name from the port scan. Unused here; presumably kept so
            every ``enum_*`` method shares one signature.
        basedir: directory that receives ``{port}_vnc_nmap.{txt,xml}``.

    Returns:
        None. The command is handed to ``self.run_cmds``.
    """
    # e() appears to evaluate {…} against this frame — inferred from usage.
    nmap_cmd = e(
        'nmap -vv --reason -sV {self.nmapparams} -p {port} --script="(vnc* or realvnc*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=unsafe=1 -oN "{basedir}/{port}_vnc_nmap.txt" -oX "{basedir}/{port}_vnc_nmap.xml" {address}'
    )
    tag = e('nmap-{port}')
    self.run_cmds([(nmap_cmd, tag)])
def enum_nfs(self, address, port, service, basedir):
    """Queue the NFS/rpcinfo nmap script run for one port.

    Args:
        address: target host.
        port: NFS or portmapper port; used in the nmap port spec, the task tag
            and the output file names.
        service: service name from the port scan. Unused here; presumably kept so
            every ``enum_*`` method shares one signature.
        basedir: directory that receives ``{port}_nfs_nmap.{txt,xml}``.

    Returns:
        None. The command is handed to ``self.run_cmds``.
    """
    # e() appears to evaluate {…} against this frame — inferred from usage.
    nmap_cmd = e(
        'nmap -vv --reason -sV {self.nmapparams} -p {port} --script="(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{basedir}/{port}_nfs_nmap.txt" -oX "{basedir}/{port}_nfs_nmap.xml" {address}'
    )
    tag = e('nmap-{port}')
    self.run_cmds([(nmap_cmd, tag)])
def enum_mssql(self, address, port, service, basedir):
    """Queue the MS-SQL nmap script run for one port.

    Args:
        address: target host.
        port: MS-SQL port; used in the nmap port spec and script-args, the task
            tag and the output file names.
        service: service name from the port scan. Unused here; presumably kept so
            every ``enum_*`` method shares one signature.
        basedir: directory that receives ``{port}_mssql_nmap.{txt,xml}``.

    Returns:
        None. The command is handed to ``self.run_cmds``.
    """
    # e() appears to evaluate {…} against this frame — inferred from usage.
    # NOTE(review): 'smsql.username-sa' does not match the 'mssql.' prefix of the
    # neighbouring script-args and looks like a typo; check it against the nmap
    # ms-sql script documentation. Left byte-for-byte as found.
    nmap_cmd = e(
        'nmap -vv --reason -sV {self.nmapparams} -p {port} --script="(ms-sql*) and not (brute or broadcast or dos or external or fuzzer)" --script-args=mssql.instance-port={port},smsql.username-sa,mssql.password-sa -oN "{basedir}/{port}_mssql_nmap.txt" -oX "{basedir}/{port}_mssql_nmap.xml" {address}'
    )
    tag = e('nmap-{port}')
    self.run_cmds([(nmap_cmd, tag)])
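def run_amap(self, services, only_unidentified=True):
    """Fingerprint services with amap and merge its identifications into ``services``.

    Args:
        services: list of ``(address, port, name)`` tuples as produced by
            ``run_nmap``; a negative port means UDP. All entries are assumed to
            share the address of the first one. Entries are replaced in place
            when amap identifies them.
        only_unidentified: when true, only ports whose name contains 'unknown'
            are probed, and only those entries are replaced.

    Returns:
        The same ``services`` list (mutated), or unchanged when it is empty.
    """
    # Nothing to fingerprint; the original indexed services[0] here and raised.
    if not services:
        return services
    out = os.path.join(self.outdir, services[0][0] + self.srvname)
    ports_tcp = []
    ports_udp = []
    for service in services:
        if only_unidentified and 'unknown' not in service[2]:
            continue
        if service[1] < 0:
            ports_udp.append(str(-service[1]))
        else:
            ports_tcp.append(str(service[1]))
    cmds = []
    # e() appears to evaluate {…} against this frame ({out}, {ports},
    # {services[0][0]}) — inferred from usage; ``ports`` is rebound before each
    # call on purpose.
    if ports_tcp:
        ports = ','.join(ports_tcp)
        cmds.append((e(
            'amap -A -bqv -m -o "{out}/0_tcp_amap.txt" {services[0][0]} {ports}'
        ), 'amap-tcp'))
    if ports_udp:
        ports = ','.join(ports_udp)
        cmds.append((e(
            'amap -A -bqvu -m -o "{out}/0_udp_amap.txt" {services[0][0]} {ports}'
        ), 'amap-udp'))
    # Called even with an empty list, as before.
    self.run_cmds(cmds)
    amap_svcs = []
    for result in (out + '/0_tcp_amap.txt', out + '/0_udp_amap.txt'):
        if not os.path.exists(result):
            continue
        # Banners in the amap output are target-controlled and need not be
        # valid text in the local encoding; replace rather than abort on them.
        with open(result, errors='replace') as fh:
            reader = csv.reader(fh, delimiter=':', quotechar='"', dialect=csv.unix_dialect)
            for row in reader:
                # '#' lines are amap's own header/comment lines; data rows are
                # address:port:protocol:...:identification (6+ fields).
                if len(row) <= 5 or row[0].startswith('#'):
                    continue
                try:
                    amap_port = int(row[1])
                except ValueError:
                    # Malformed row in tool output; skip it instead of failing the run.
                    continue
                amap_svcs.append(
                    (row[0], -amap_port if row[2] == 'udp' else amap_port, row[5]))
    for i, _ in enumerate(services):
        for amap_svc in amap_svcs:
            # Re-read on every pass: an earlier amap row may already have replaced
            # this entry, and the 'unknown' test must see the current name.
            current = services[i]
            if (current[0] == amap_svc[0] and current[1] == amap_svc[1]
                    and ('unknown' in current[2] or not only_unidentified)):
                services[i] = amap_svc
    return services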