def same_ip(cls, orig_remote_ip, remote_ip):
# Check is disabled -- always return true
if not getattr(settings, 'RESTRICTEDSESSIONS_RESTRICT_IP', True):
return True
# No original IP or current IP is unknown
if not orig_remote_ip or not remote_ip:
return True
session_network = IPNetwork(orig_remote_ip)
remote_ip = IPAddress(remote_ip)
try:
session_network = session_network.ipv4()
remote_ip = remote_ip.ipv4()
session_network.prefixlen = getattr(
settings, 'RESTRICTEDSESSIONS_IPV4_LENGTH', 32)
except AddrConversionError:
try:
session_network.prefixlen = getattr(
settings, 'RESTRICTEDSESSIONS_IPV6_LENGTH', 64)
except AddrFormatError:
# session_network must be IPv4, but remote_ip is IPv6
return False
# IP belongs to the same network
return remote_ip in session_network
def validate_ip(self, request, remote_ip):
# When we aren't configured to restrict on IP address
if not getattr(settings, 'RESTRICTEDSESSIONS_RESTRICT_IP', True):
return True
# When the IP address key hasn't yet been set on the request session
if SESSION_IP_KEY not in request.session:
return True
# When there is no remote IP, check if one has been set on the session
session_ip = request.session[SESSION_IP_KEY]
if not remote_ip:
if session_ip: # session has remote IP value so validate :-(
return False
else: # Session doesn't have remote IP value so possibly :-)
return True
# Compute fuzzy IP compare based on settings on compare sensitivity
session_network = IPNetwork(session_ip)
remote_ip = IPAddress(remote_ip)
try:
session_network = session_network.ipv4()
remote_ip = remote_ip.ipv4()
session_network.prefixlen = getattr(settings, 'RESTRICTEDSESSIONS_IPV4_LENGTH', 32)
except AddrConversionError:
try:
session_network.prefixlen = getattr(settings, 'RESTRICTEDSESSIONS_IPV6_LENGTH', 64)
except AddrFormatError:
# session_network must be IPv4, but remote_ip is IPv6
return False
return remote_ip in session_network
def validate_ip(self, request, remote_ip):
# When we aren't configured to restrict on IP address
if not getattr(settings, 'RESTRICTEDSESSIONS_RESTRICT_IP', True):
return True
# When the IP address key hasn't yet been set on the request session
if SESSION_IP_KEY not in request.session:
return True
# When there is no remote IP, check if one has been set on the session
session_ip = request.session[SESSION_IP_KEY]
if not remote_ip:
if session_ip: # session has remote IP value so validate :-(
return False
else: # Session doesn't have remote IP value so possibly :-)
return True
# Compute fuzzy IP compare based on settings on compare sensitivity
session_network = IPNetwork(session_ip)
remote_ip = IPAddress(remote_ip)
try:
session_network = session_network.ipv4()
remote_ip = remote_ip.ipv4()
session_network.prefixlen = getattr(
settings, 'RESTRICTEDSESSIONS_IPV4_LENGTH', 32)
except AddrConversionError:
try:
session_network.prefixlen = getattr(
settings, 'RESTRICTEDSESSIONS_IPV6_LENGTH', 64)
except AddrFormatError:
# session_network must be IPv4, but remote_ip is IPv6
return False
return remote_ip in session_network
def test_ip_v4_to_ipv6_compatible():
assert IPAddress('192.0.2.15').ipv6(ipv4_compatible=True) == IPAddress('::192.0.2.15')
assert IPAddress('192.0.2.15').ipv6(ipv4_compatible=True).is_ipv4_compat()
assert IPAddress('192.0.2.15').ipv6(True) == IPAddress('::192.0.2.15')
ip = IPNetwork('192.0.2.1/23')
assert ip.ipv4() == IPNetwork('192.0.2.1/23')
assert ip.ipv6() == IPNetwork('::ffff:192.0.2.1/119')
assert ip.ipv6(ipv4_compatible=True) == IPNetwork('::192.0.2.1/119')
def test_ip_v4_to_ipv6_compatible():
assert IPAddress('192.0.2.15').ipv6(
ipv4_compatible=True) == IPAddress('::192.0.2.15')
assert IPAddress('192.0.2.15').ipv6(ipv4_compatible=True).is_ipv4_compat()
assert IPAddress('192.0.2.15').ipv6(True) == IPAddress('::192.0.2.15')
ip = IPNetwork('192.0.2.1/23')
assert ip.ipv4() == IPNetwork('192.0.2.1/23')
assert ip.ipv6() == IPNetwork('::ffff:192.0.2.1/119')
assert ip.ipv6(ipv4_compatible=True) == IPNetwork('::192.0.2.1/119')
def validate_ip(self, request, remote_ip):
if not getattr(settings, 'RESTRICTEDSESSIONS_RESTRICT_IP', True) or not SESSION_IP_KEY in request.session:
return True
session_network = IPNetwork(request.session[SESSION_IP_KEY])
remote_ip = IPAddress(remote_ip)
try:
session_network = session_network.ipv4()
remote_ip = remote_ip.ipv4()
session_network.prefixlen = getattr(settings, 'RESTRICTEDSESSIONS_IPV4_LENGTH', 32)
except AddrConversionError:
session_network.prefixlen = getattr(settings, 'RESTRICTEDSESSIONS_IPV6_LENGTH', 64)
return remote_ip in session_network
def validate_ip(self, request, remote_ip):
if not getattr(settings, 'RESTRICTEDSESSIONS_RESTRICT_IP', True) or not SESSION_IP_KEY in request.session:
return True
session_network = IPNetwork(request.session[SESSION_IP_KEY])
remote_ip = IPAddress(remote_ip)
try:
session_network = session_network.ipv4()
remote_ip = remote_ip.ipv4()
session_network.prefixlen = IPV4_LENGTH
except AddrConversionError:
try:
session_network.prefixlen = IPV6_LENGTH
except AddrFormatError:
# session_network must be IPv4, but remote_ip is IPv6
return False
return remote_ip in session_network
def validate_ip(self, request, remote_ip):
if not getattr(settings, 'RESTRICTEDSESSIONS_RESTRICT_IP',
True) or not SESSION_IP_KEY in request.session:
return True
session_network = IPNetwork(request.session[SESSION_IP_KEY])
remote_ip = IPAddress(remote_ip)
try:
session_network = session_network.ipv4()
remote_ip = remote_ip.ipv4()
session_network.prefixlen = getattr(
settings, 'RESTRICTEDSESSIONS_IPV4_LENGTH', 32)
except AddrConversionError:
try:
session_network.prefixlen = getattr(
settings, 'RESTRICTEDSESSIONS_IPV6_LENGTH', 64)
except AddrFormatError:
# session_network must be IPv4, but remote_ip is IPv6
return False
return remote_ip in session_network
def same_ip(cls, orig_remote_ip, remote_ip):
# Check is disabled -- always return true
if not getattr(settings, 'RESTRICTEDSESSIONS_RESTRICT_IP', True):
return True
# No original IP or current IP is unknown
if not orig_remote_ip or not remote_ip:
return True
session_network = IPNetwork(orig_remote_ip)
remote_ip = IPAddress(remote_ip)
try:
session_network = session_network.ipv4()
remote_ip = remote_ip.ipv4()
session_network.prefixlen = getattr(settings, 'RESTRICTEDSESSIONS_IPV4_LENGTH', 32)
except AddrConversionError:
try:
session_network.prefixlen = getattr(settings, 'RESTRICTEDSESSIONS_IPV6_LENGTH', 64)
except AddrFormatError:
# session_network must be IPv4, but remote_ip is IPv6
return False
# IP belongs to the same network
return remote_ip in session_network
def run(self):
"""
This is the mainloop of the process manager.
It will go over the ip address given and preform an initial host discovery, after that it will run deeper
level scans of the network starting with the hosts found in the first scan. It will then move onto the remaining
hosts.
:return: True/False/None based on if the process failed to complete
"""
_exit = self.exit
_is_empty = False
_jobs = []
_uncommon_ports = sorted(set(range(65535)) - KNPORTS.as_nums())
_uncommon_ports = ["{}-{}".format(*i) if i[0] != str(i[1]) else i[0] for i in KNPORTS.group(_uncommon_ports)]
try:
self.database.open_db()
self.__load_options()
def job(item, opt_override=""):
if type(item) is list:
ipv4 = NProcess(options=self.options if not opt_override else opt_override)
ipv6 = NProcess(options="{} {}".format("-6", self.options if not opt_override else opt_override))
ipv4.targets.pop() # removes the default target list
ipv6.targets.pop()
for h_ip in item:
if h_ip.ipv4():
ipv4.targets.append(str(h_ip.ipv4()))
else:
ipv6.targets.append(str(h_ip.ipv6()))
if ipv4.targets:
_jobs.append(ipv4)
_jobs[-1].run_background()
if ipv6.targets:
_jobs.append(ipv6)
_jobs[-1].run_background()
else:
if item.ipv4():
_jobs.append(
NProcess(str(item.ipv4()), options=self.options if not opt_override else opt_override))
else:
_jobs.append(NProcess(str(item.ipv6()), options="{} {}".
format("-6", self.options if not opt_override else opt_override)))
_jobs[-1].run_background()
def process_jobs():
for ind, proc in enumerate(_jobs):
if proc.has_terminated():
if proc.rc != 0:
print("nmap scan failed: {0}".format(proc.stderr))
if __DEBUG__: self.to_file(proc.stdout)
try:
parsed = NmapParser.parse(proc.stdout)
if __DEBUG__: print(parsed.summary)
for host in parsed.hosts:
print("Saving {} to database.".format(host.address))
self.database.add_ip_scan(ipaddr=host.address, port_data=host.get_open_ports(),
e_time=parsed.elapsed, command=proc.command,
raw_data=host.get_dict(), _raw=proc.stdout)
except NmapParserException as e:
print("Exception raised while parsing scan: {0}".format(e.msg))
self.database.commit()
del _jobs[ind]
break
# preform 1st level scan
if __DEBUG__: print("Initial Scan")
init_discovery = set()
while self._init_host_scan:
try:
_ip = IPNetwork(self._init_host_scan.pop())
self._scanned_hosts.append(_ip.ipv4() if _ip.ipv4 else _ip.ipv6)
if _ip.ipv4():
_h = NProcess(list("%s" % i for i in _ip.ipv4()), options="-sn")
else:
_h = NProcess(list("%s" % i for i in _ip.ipv6()), options="-sn -6")
_h.sudo_run()
_p = NmapParser.parse(_h.stdout)
for _host in _p.hosts:
if _host.is_up():
init_discovery.add(_host.ipv4 if _host.ipv4 else _host.ipv6)
else:
self._add_host("med", _host.ipv4 if _host.ipv4 else _host.ipv6, 32)
except NmapParserException:
pass
# preform 2nd level scan, will only be preformed on init hosts found
if __DEBUG__: print("Secondary Scans")
_knports = ",".join(
["{}-{}".format(*i) if i[0] != i[1] else str(i[0]) for i in KNPORTS.group(list(KNPORTS.as_nums()))])
for _ip in init_discovery:
for opt in self.__scan_options:
job(IPAddress(_ip), opt_override="{} -p {} {}".format(opt, _knports, self.options))
# all code beyond this point will take a very long time to execute
if __DEBUG__: print("Primary Scans")
if __DEBUG__: print(self.hosts_to_scan)
while 1:
if _exit.kill:
for _index, _j in enumerate(_jobs):
_jobs[_index].stop()
return False
if len(_jobs) < self.max_workers and not _is_empty:
ip_group = []
while len(ip_group) < self.__max_host_scan and not _is_empty:
try:
# job(self.hosts_to_scan['high'].pop())
ip_group.append(self.hosts_to_scan['high'].pop())
except KeyError as e1:
try:
# job(self.hosts_to_scan['med'].pop())
ip_group.append(self.hosts_to_scan['med'].pop())
except KeyError as e2:
try:
# job(self.hosts_to_scan['low'].pop())
ip_group.append(self.hosts_to_scan['low'].pop())
except KeyError as e3:
_is_empty = True
for opt in self.__scan_options:
job(ip_group, opt_override="{} -p {} {}".format(opt, _knports, self.options))
process_jobs()
if len(_jobs) == 0:
break
except Exception as error:
print("Failed: {}\t {}\n Cleaning up processes".format(Exception, error))
traceback.print_tb(error.__traceback__)
for _index, _j in enumerate(_jobs):
try:
_jobs[_index].stop()
except Exception as err:
print("Failed to stop {}\t{}".format(Exception, err))
print("Killing all nmap process!")
system('killall -9 nmap')
system('killall -9 python')
system('killall -9 python3')
print("Killall command for nmap process sent")
finally:
print("Job Failed with kill signal.")
return False
# Time to run the uncommon ports, this will take a HUGE amount of time
print("Final Scan\nThis Scan will take a very long time\n")
_jobs = []
while self._scanned_hosts:
__ip = self._scanned_hosts.pop()
for opt in self.__scan_options:
job(__ip, opt_override="{} -p {} {}".
format(opt, ",".join(_uncommon_ports), self.options))
while 1:
if _exit.kill:
try:
for _index, _j in enumerate(_jobs):
_jobs[_index].stop()
except PermissionError:
return False
finally:
print("Job Failed with kill signal.")
return False
process_jobs()
if len(_jobs) == 0:
break
self.database.close_db()
def get_ipcalc_network(query, netmask=""):
"""
IP calculator tool: supports IPv6 and IPv4 networks. For list of values see below.
IP list is optional since it will return many IPs for some subnets,
if you need to show ip list you will have to append ``?iplist`` to your get request.
**PLEASE NOTE:** iplist will print only 65536 addresses which is /16 in IPv4 subnetting or /112 in IPv6 subnetting.
If you try to get more you will get an error.
:param query: IP address or hostname
:param netmask: (Optional) If you want the whole range of hosts
**Example:**
When getting single host
$ GET ``/api/ipcalc/199.16.156.102/30``
::
{
"results": {
"broadcast": "199.16.156.103",
"cidr": "199.16.156.100/30",
"first_host": "199.16.156.101",
"hostmask": "0.0.0.3",
"ip_bits": "11000111.00010000.10011100.01100110",
"ip_version": 4,
"is_linklocal": false,
"is_loopback": false,
"is_multicast": false,
"is_private": false,
"is_public": true,
"is_reserved": false,
"is_unicast": true,
"last_host": "199.16.156.102",
"netmask": "255.255.255.252",
"netmask_bits": "11111111.11111111.11111111.11111100",
"network": "199.16.156.100",
"network_bits": "11000111.00010000.10011100.01100100",
"num_addresses": 4,
"prefixlen": 30,
"supernet": [
"0.0.0.0/0",
"128.0.0.0/1",
"192.0.0.0/2",
"192.0.0.0/3",
"192.0.0.0/4",
"192.0.0.0/5",
"196.0.0.0/6",
"198.0.0.0/7",
"199.0.0.0/8",
"199.0.0.0/9",
"199.0.0.0/10",
"199.0.0.0/11",
"199.16.0.0/12",
"199.16.0.0/13",
"199.16.0.0/14",
"199.16.0.0/15",
"199.16.0.0/16",
"199.16.128.0/17",
"199.16.128.0/18",
"199.16.128.0/19",
"199.16.144.0/20",
"199.16.152.0/21",
"199.16.156.0/22",
"199.16.156.0/23",
"199.16.156.0/24",
"199.16.156.0/25",
"199.16.156.64/26",
"199.16.156.96/27",
"199.16.156.96/28",
"199.16.156.96/29"
],
"to_ipv6": "::ffff:199.16.156.102/126"
},
"status": "ok"
}
"""
if netmask is not "":
ip = query + '/' + netmask
else:
ip = query
try:
net = IPNetwork(ip)
except AddrFormatError:
abort(400)
results = dict()
results['broadcast'] = str(net.broadcast)
results['network'] = str(net.network)
results['netmask'] = str(net.netmask)
results['cidr'] = str(net.cidr)
results['num_addresses'] = net.size
results['hostmask'] = str(net.hostmask)
results['is_loopback'] = net.is_loopback()
results['is_unicast'] = net.is_unicast()
results['is_multicast'] = net.is_multicast()
results['is_private'] = net.is_private()
results['is_reserved'] = net.is_reserved()
results['is_linklocal'] = net.is_link_local()
results['is_public'] = net.is_unicast() and not net.is_private()
results['prefixlen'] = net.prefixlen
results['ip_version'] = net.version
results['ip_bits'] = net.ip.bits()
results['network_bits'] = net.network.bits()
results['netmask_bits'] = net.netmask.bits()
results['supernet'] = [str(supernet) for supernet in net.supernet()]
if net.version == 4:
results['to_ipv6'] = str(net.ipv6())
if request.query_string == 'iplist':
if net.size <= 65536:
results['ip_list'] = [str(ip) for ip in list(net)]
else:
return error_response("Too many IPs to list (limit is 65536), "
"use smaller subnet or remove '?iplist' from query.", 400)
if net.broadcast is not None:
results['first_host'] = str(net.network + 1)
results['last_host'] = str(net.broadcast - 1)
else:
results['first_host'] = str(net.ip)
results['last_host'] = str(net.ip)
elif net.version == 6:
try:
results['to_ipv4'] = str(net.ipv4())
except AddrConversionError:
results['to_ipv4'] = None
if request.query_string == 'iplist':
if net.size <= 65536:
results['ip_list'] = [str(ip) for ip in list(net)]
else:
return error_response("Too many IPs to list (limit is 65536), "
"use smaller subnet or remove '?iplist' from query.", 400)
return jsonify({'status': "ok",
'results': results})
def _coerce_net(self, net: netaddr.IPNetwork) -> netaddr.IPNetwork:
if self._root.net.version == 4:
return net.ipv4()
return net.ipv6()
