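def postgresql(host, port=5432):
    """Probe a PostgreSQL listener with a credential-less startup message and classify the reply.

    A protocol-3.0 StartupMessage for user ``postgres`` / database ``postgres``
    is sent and the first 1024 reply bytes are inspected.  Exactly one line is
    reported through ``color_print``:

    * reply mentions ``pg_hba.conf`` -> host-based auth rejected the remote
      client (green, "local login only");
    * reply starts with an ``R`` (AuthenticationRequest) message -> the server
      asked for a password (green, "need password");
    * reply already carries ``server_version`` -> the session was accepted
      without any credential (red).

    Args:
        host: address to connect to.
        port: TCP port, default is the standard PostgreSQL port.

    Uses the module-level ``timeout`` and ``color_print`` names.  Connection
    failures, timeouts and unexpected replies are treated as "not PostgreSQL"
    and ignored; KeyboardInterrupt/SystemExit are no longer swallowed.
    """
    # StartupMessage: length 0x29, protocol 3.0, then
    # "user\0postgres\0database\0postgres\0\0" (decoded from the hex below).
    payload = binascii.a2b_hex(
        "00000029000300007573657200706f73746772657300646174616261736500706f7374677265730000"
    )
    try:
        # Per-socket timeout instead of socket.setdefaulttimeout(), which would
        # silently change every socket created later in the process.  The
        # context manager closes the socket on every path, not only on success.
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            reply = sock.recv(1024)
        reply_hex = binascii.b2a_hex(reply)
        # Byte-aligned substring checks replace the earlier hex-string checks,
        # which could also match at an odd nibble offset.
        if b"pg_hba.conf" in reply:
            color_print.green(f"[+] postgresql service detected (local login only):{host}:{port}:postgres")
        # 'R' message, length 12, authentication-request type below 0x10.
        elif reply_hex.startswith(b"520000000c0000000"):
            color_print.green(f"[+] postgresql service detected (need password):{host}:{port}:postgres")
        elif b"server_version" in reply:
            color_print.red(f"[+] postgresql is not authorized:{host}:{port}:postgres")
    except Exception:
        # Best-effort probe: anything that is not a PostgreSQL handshake is
        # silently ignored, exactly as before, but without a bare except.
        pass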
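def ftp(host, port=21):
    """Report whether an FTP server is reachable and whether it accepts anonymous login.

    Connecting successfully prints the green "service detected" line; a
    successful ``anonymous`` login additionally prints the red line.

    Args:
        host: address to connect to.
        port: TCP port, default is the standard FTP control port.

    Uses the module-level ``timeout`` and ``color_print`` names.  Connection
    and login errors are ignored; KeyboardInterrupt/SystemExit propagate.
    """
    try:
        # The context manager sends QUIT (falling back to close()) on every
        # exit path, so a rejected anonymous login no longer leaks the control
        # connection.  The local is not named ``ftp`` to avoid shadowing this
        # function.
        with FTP(timeout=timeout) as session:
            session.connect(host, port)
            color_print.green(f"[+] ftp service detected:{host}:{port}")
            session.login('anonymous', '*****@*****.**')
            color_print.red(f"[+] ftp is not authorized to access:{host}:{port}")
    except Exception:
        pass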
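def mysql(host, port=3306):
    """Attempt one MySQL login with the fixed (redacted) credentials and report the outcome.

    A successful connection prints the red "weak password" line.  If the
    server is up but rejects the credentials, the exception text contains
    "Access denied for user" and the green "detected" line is printed; any
    other failure is ignored.

    Args:
        host: address to connect to.
        port: TCP port, default is the standard MySQL port.

    Uses the module-level ``timeout`` and ``color_print`` names.  Note that
    the red line names ``root:123456`` while the credentials in the call are
    redacted on this page; keep the two in sync when restoring them.
    """
    try:
        conn = pymysql.connect(host=host, port=port, user="******", password="******",
                               db='mysql', connect_timeout=timeout, read_timeout=timeout,
                               write_timeout=timeout)
        conn.close()
        color_print.red(f"[+] mysql weak password:{host}:{port}:root:123456")
    except Exception:
        # The "Access denied" text is the only evidence that a MySQL listener
        # exists; look for it in the formatted traceback so chained causes are
        # included too.
        if "Access denied for user" in traceback.format_exc():
            color_print.green(f"[+] detected mysql service:{host}:{port}")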
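def grafana(host, port=3000):
    """Try one Grafana login with the fixed (redacted) credentials, else fingerprint the front page.

    POSTs a JSON login body to ``/login``; a response containing "Logged in"
    prints the red weak-password line.  Otherwise the root page is fetched and
    a body mentioning "grafana.com" prints the green "detected" line.

    Args:
        host: address to connect to.
        port: TCP port, default is Grafana's usual HTTP port.

    Uses the module-level ``timeout`` and ``color_print`` names.  All request
    errors are ignored.
    """
    try:
        headers = {"Content-Type": "application/json;charset=UTF-8"}
        data = {"user": "******", "email": "", "password": "******"}
        res = requests.post(f"http://{host}:{port}/login", headers=headers,
                            data=json.dumps(data), timeout=timeout, verify=False)
        if "Logged in" in res.text:
            color_print.red(f"[+] grafana weakpass admin/admin:{host}:{port}")
        else:
            # The fallback fetch previously had no timeout, so a single
            # unresponsive host could stall the whole scan; keep it on the
            # same budget and TLS settings as the login request.
            res = requests.get(f"http://{host}:{port}", timeout=timeout, verify=False)
            if "grafana.com" in res.text:
                color_print.green(f"[+] grafana service detected:{host}:{port}")
    except Exception:
        pass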
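def mongo(host, port=27017):
    """Send an unauthenticated ``listDatabases`` to a MongoDB listener and report the reply.

    The reply is checked for two independent markers (both lines can be
    printed if both appear):

    * ``databases`` -> the command succeeded without credentials (red);
    * ``Unauthorized`` -> the server is up and enforces auth (green).

    Args:
        host: address to connect to.
        port: TCP port, default is the standard MongoDB port.

    Uses the module-level ``timeout`` and ``color_print`` names.  Connection
    errors are ignored.
    """
    # OP_QUERY (opcode 2004 = 0x7d4) on "admin.$cmd" carrying the BSON
    # document {listDatabases: 1.0}; decoded from the hex below.
    payload = binascii.a2b_hex(
        "430000000300000000000000d40700000000000061646d696e2e24636d640000000000ffffffff1c000000016c69737444617461626173657300000000000000f03f00")
    try:
        # The original never closed this socket; the context manager does,
        # and the per-socket timeout avoids mutating the process-wide default.
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            reply = sock.recv(1024)
        # Deliberately two ifs rather than if/elif, as in the original.
        if b"databases" in reply:
            color_print.red(f"[+] mongodb is not authorized to access:{host}:{port}")
        if b"Unauthorized" in reply:
            color_print.green(f"[+] mongodb service detected (authorization required):{host}:{port}")
    except Exception:
        pass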
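def smb(host, port=445):
    """Open an SMB session with empty credentials and report which shares can be listed.

    A successful connect prints the green "service detected" line.  Each
    share whose root directory can be listed prints the red "unauthorised
    directory" line; shares that refuse the listing print the green
    "directory" line.

    Args:
        host: address to connect to.
        port: TCP port, default is the direct-hosted SMB port.

    Uses the module-level ``timeout`` and ``color_print`` names.  Errors are
    ignored; the session is always closed.
    """
    try:
        # Empty username, password, client and server names: no credentials.
        conn = SMBConnection("", "", "", "", use_ntlm_v2=True)
        try:
            if conn.connect(host, port, timeout=timeout):
                color_print.green(f"[*] smb service detected:{host}:{port}")
                for share in conn.listShares():
                    try:
                        conn.listPath(share.name, "/")
                    except Exception:
                        color_print.green(f"[*] smb directory:{host}:{port}/{share.name}")
                    else:
                        color_print.red(f"[+] smb unauthorised directory:{host}:{port}/{share.name}")
        finally:
            # Release the session even if listShares() raised; the original
            # only reached close() on the success path.
            conn.close()
    except Exception:
        pass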
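def NXRM_weak_pass(host, port=8081):
    """Fingerprint Nexus Repository Manager and try one login with the fixed (redacted) credentials.

    The root page is fetched first; only a body containing "Nexus" leads to
    the POST against ``/service/rapture/session``.  Status 204 (or 405, see
    the note below) prints the red weak-password line, anything else the
    green "detected" line.

    Args:
        host: address to connect to.
        port: TCP port, default is Nexus's usual HTTP port.

    Uses the module-level ``timeout`` and ``color_print`` names.  Request
    errors are ignored.
    """
    try:
        base = f"http://{host}:{port}"
        r = requests.get(base, timeout=timeout, allow_redirects=True, verify=False)
        if "Nexus" not in r.text:
            return
        # Credential values are redacted on this page; the original submitted
        # them base64-encoded, which is what the rapture endpoint expects.
        data = {"username": "******", "password": "******"}
        r = requests.post(f"{base}/service/rapture/session", data=data,
                          timeout=timeout, allow_redirects=False, verify=False)
        # NOTE(review): 405 is treated as a positive alongside 204, as in the
        # original; that normally means "method not allowed" rather than a
        # successful login -- confirm before relying on it.
        if r.status_code in (204, 405):
            color_print.red(f"[+] Nexus Repository Manager weakpass:{host}:{port}/admin:admin123")
        else:
            color_print.green(f"[+] dectect Nexus Repository Manager service:{host}:{port}")
    except Exception:
        pass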
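def rsync(host, port=873):
    """List an rsync daemon's modules and report which ones can be entered without a password.

    Step one sends an empty module request to obtain the module list; any
    non-empty list prints the green "detected" line.  Step two opens a fresh
    session per module and sends its name; a reply starting with
    ``@RSYNCD: OK`` means the module is open and prints the red line.

    Args:
        host: address to connect to.
        port: TCP port, default is the standard rsync daemon port.

    Uses the module-level ``timeout`` and ``color_print`` names.  Any error
    aborts the remaining checks silently, as before.
    """
    # refer: https://raw.githubusercontent.com/ysrc/xunfeng/master/vulscan/vuldb/rsync_weak_auth.py
    def _rsync_init(host, port):
        # Open a session and complete the protocol greeting.  A per-socket
        # timeout replaces setdefaulttimeout(), which would leak into every
        # socket created later in the process.
        sock = socket.create_connection((host, port), timeout=timeout)
        try:
            sock.sendall("@RSYNCD: 31\n".encode())
            sock.recv(1024)
        except Exception:
            # Do not leak the socket when the greeting itself fails.
            sock.close()
            raise
        return sock

    try:
        # An empty line asks the daemon for its module list.
        with _rsync_init(host, port) as sock:
            sock.sendall(bytes.fromhex('0a'))
            recv_data = sock.recv(1024)
        paths = []
        if recv_data:
            # One module per line, "name<TAB>comment"; skip protocol lines.
            paths = [
                line.split('\t')[0].strip()
                for line in recv_data.decode().split('\n')
                if line and not line.startswith('@RSYNCD: ')
            ]
        if paths:
            color_print.green(f"[+] detected rsync service:{host}:{port}")

        # Each module needs its own session; the context manager guarantees
        # the socket is closed even when a recv() or decode() raises.
        for path in paths:
            with _rsync_init(host, port) as sock:
                sock.sendall(f"{path}\n".encode())
                recv_data = sock.recv(1024)
                # Some daemons send a blank line first; read the real answer.
                if recv_data.decode() == '\n':
                    recv_data = sock.recv(1024)
            if recv_data.decode().startswith('@RSYNCD: OK'):
                color_print.red(
                    f"[+] rsync is not authorized to access:{host}:{port}/{path}"
                )
    except Exception:
        pass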
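def redis(host, port=6379):
    """Send an unauthenticated ``INFO`` to a Redis listener and classify the reply.

    * reply contains ``redis_version`` -> the command ran without AUTH (red);
    * reply contains ``NOAUTH Authentication required`` -> auth enforced (green);
    * reply contains ``protected mode is enabled`` -> protected mode (green).

    Args:
        host: address to connect to.
        port: TCP port, default is the standard Redis port.

    Uses the module-level ``timeout`` and ``color_print`` names.  Connection
    errors are ignored.
    """
    # RESP array of one bulk string: "*1\r\n$4\r\ninfo\r\n" (same bytes the
    # original built from \x escapes).
    payload = b"*1\r\n$4\r\ninfo\r\n"
    try:
        # Per-socket timeout; the context manager closes the socket on every
        # path rather than only after a successful recv().
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            reply = sock.recv(1024)
        if b'redis_version' in reply:
            color_print.red(f'[+] redis is not authorized to access:{host}:{port}')
        elif b'NOAUTH Authentication required' in reply:
            color_print.green(f'[+] redis service detected (authorization required):{host}:{port}')
        elif b"protected mode is enabled" in reply:
            color_print.green(f'[+] redis service detected (running in protected mode):{host}:{port}')
    except Exception:
        pass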
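def mssql(host, port=1433):
    """Replay a captured TDS login packet against an MSSQL listener and classify the reply.

    The reply's hex form is searched for two UTF-16LE markers:

    * ``master`` -> the login completed and the default database was
      announced (red, "weak password");
    * ``'sa'`` -> a "Login failed for user 'sa'" style error, i.e. the
      service exists but rejected the credentials (green, "detected").

    Args:
        host: address to connect to.
        port: TCP port, default is the standard SQL Server port.

    Uses the module-level ``timeout`` and ``color_print`` names.  Connection
    errors are ignored.
    """
    # Pre-built TDS packet (first byte 0x10 = TDS7 login) captured by the
    # original author; the credentials it carries are fixed inside the hex and
    # are not parameters of this function.
    payload = binascii.a2b_hex("1001010400000000fc00000001000071001000000683f2f8602e000000000000e001000088ffffff3604000056000d00700002007400090086000d00a000140000000000c8000a00dc000a00f0000600000000000000fc000000fc00000059005400530048004c005400310039003000360030003200370073006100b0a5d2a5f3a5b6a586a596a5e6a5f6a5c6a5700079006d007300730071006c003d0032002e0031002e0034003100390032002e003100360038002e003100330036002e003100320038003a003100340033003300440042002d004c00690062007200610072007900750073005f0065006e0067006c006900730068006d0061007300740065007200")
    try:
        # Per-socket timeout instead of the process-wide default; the context
        # manager closes the socket even when recv() raises.
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            reply = sock.recv(1024)
        # Hex-encode once instead of on every comparison.
        reply_hex = binascii.b2a_hex(reply)
        # "master" in UTF-16LE.
        if b"6d00610073007400650072" in reply_hex:
            color_print.red(f"[+] mssql weak password:{host}:{port}:sa:Qwe123456")
        # "'sa'" in UTF-16LE, as it appears in the login-failed message.
        elif b"27007300610027" in reply_hex:
            color_print.green(f"[+] detected mssql service:{host}:{port}")
    except Exception:
        pass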