def scan_dns():
helpers.print_heading('Beginning DNS scanning...')
# Create directories
subprocess.run(['mkdir', 'dns'])
subprocess.run(['mkdir', 'dns/nslookup'])
subprocess.run(['mkdir', 'dns/dnsrecon'])
hostname_ip_outfile = open('dns/hostname-ip-map.txt', 'w')
# Do hostname based scanning
with open(os.getcwd() + '/' + args.list, newline=None) as file:
for line in file:
# Strip newlines
hostname = line.rstrip('\n')
# NSLOOKUP
# Capture nslookup output
try:
output_nslookup = subprocess.check_output(
['nslookup', hostname], universal_newlines=True)
except subprocess.CalledProcessError:
continue
# Retrieve the IP address
IP = re.search('Address: (.*)', output_nslookup).group(1)
# Write the nslookup output to file
filename = hostname.replace('.', '-')
nslookup_outfile = open(
'dns/nslookup/nslookup-' + filename + '.txt', 'w')
nslookup_outfile.write(str(output_nslookup))
nslookup_outfile.close()
# Write the hostname - IP mappings to file
hostname_ip_outfile.write(str(hostname) + '\t\t' + IP + '\n')
# Do domain name based scanning
with open(os.getcwd() + '/domains.txt', newline=None) as file:
for line in file:
# Strip newlines
domain = line.rstrip('\n')
# DNSRECON
# Capture the dnsrecon output
output_dnsrecon = subprocess.check_output(
['dnsrecon', '-a', '-z', '-d', domain],
universal_newlines=True)
# Write the output to file
domain = domain.replace('.', '-')
outfile = open('dns/dnsrecon/dnsrecon-' + domain + '.txt', 'w')
outfile.write(str(output_dnsrecon))
outfile.close()
hostname_ip_outfile.close()
def main():
# Print messages
helpers.print_script_message(name, version, tagline)
helpers.print_task_positive('Hold tight...')
# Make output directory
subprocess.run(['mkdir', 'nikto'])
subprocess.run(['mkdir', 'nikto/scan-output'])
subprocess.run(['mkdir', 'nikto/vulnerabilities'])
# Default web ports
web_ports = ['80', '443']
# Process hostnames
# Read the file
with open(os.getcwd() + '/' + args.targets, newline=None) as file:
for line in file:
# Strip newlines
target = line.rstrip('\n')
for port in web_ports:
# Run scan and capture the output
helpers.print_task_positive('Beginning scan - Port: ' + port + ' Target: ' + target)
# Force SSL on port 443
if (port == '80'):
output_nikto = subprocess.check_output(['nikto', '-host', target, '-ask', 'auto'], universal_newlines=True)
else:
output_nikto = subprocess.check_output(['nikto', '-host', target, '-ask', 'auto', '-ssl'], universal_newlines=True)
# Print the output to terminal, if selected
if (args.print):
print(output_nikto)
# Interpret results
if (args.interpret):
interpret(target, port, output_nikto)
# Write the nikto output to file
target_dash = target.replace('.','-')
nikto_outfile = open('nikto/scan-output/' + target_dash + '-' + port + '.txt', 'w')
nikto_outfile.write(str(output_nikto))
nikto_outfile.close()
# Print message if interpret option was selected
if (args.interpret):
print("")
helpers.print_heading("Scans complete")
helpers.print_task_positive("The output above only includes dumb interpretation of scan results.")
helpers.print_task_positive("See the full output in nikto/scan-output for the fun stuff :)")
def scan_ssl():
helpers.print_heading('Beginning SSL Scanning...')
# Create directories for output files
subprocess.run(['mkdir', 'ssl'])
subprocess.run(['mkdir', 'ssl/scan-output'])
subprocess.run(['mkdir', 'ssl/vulnerabilities'])
# Scan one or many
if (args.host):
scan_ssl_host(args.host)
else:
# Read the file
with open(os.getcwd() + '/' + args.list, newline=None) as file:
for line in file:
scan_ssl_host(line)
def nmap_all_ports():
# Prepare for nmap scanning
# Print heading
helpers.print_heading('More nmap scanning')
# Declare global variable
global output_nmap_all_ports
# Do scan over all ports
helpers.print_subtask_positive('Nmap scanning all ports')
output_nmap_all_ports = subprocess.check_output(['nmap', '-p-','-sV', '-O', args.ip, '-oA', 'nmap/nmap-allports'], universal_newlines=True)
# Do a service scan over all open ports
# TODO
print()
def nmap_fast():
# Prepare for nmap scanning
# Print heading
helpers.print_heading('Performing nmap scanning')
# Declare global variable
global output_nmap_fast
# Create nmap directory
helpers.mkdir('nmap')
# Do fast scan
helpers.print_task_positive('Fast nmap scanning')
output_nmap_fast = subprocess.check_output(
['nmap', '-sV', '-O', args.ip, '-oA', 'nmap/nmap-fast'],
universal_newlines=True)
print()
def scan_web():
# Prepare for web scanning
# Print heading
helpers.print_heading('Performing web scanning')
# Test for common web ports
web_ports = helpers.get_web_ports(output_nmap_fast)
# If there are open web ports, scan them
if(not len(web_ports)):
helpers.print_task_negative('No open web ports...')
else:
# Create nikto directory
helpers.mkdir('nikto')
# Make a directory to store results
for port in web_ports:
scan_web_port(port)
# Finised web scanning
helpers.print_task_positive('Finished scanning web ports')
print()
def scan_whois():
helpers.print_heading('Beginning whois Scanning...')
# Create a new directory for output files
subprocess.run(['mkdir', 'whois'])
# Read the file
with open(os.getcwd() + '/domains.txt', newline=None) as file:
for line in file:
# Strip newlines
domain = line.rstrip('\n')
# Capture the whois output
output = subprocess.check_output(
['whois', '-h', 'whois.iana.org', '-H', domain],
universal_newlines=True)
# Write the output to file
domain = domain.replace('.', '-')
outfile = open('whois/whois-' + domain + '.txt', 'w')
outfile.write(str(output))
outfile.close()
def scan_ssl():
helpers.print_heading('Beginning SSL Scanning...')
# Create directories for output files
subprocess.run(['mkdir', 'ssl'])
subprocess.run(['mkdir', 'ssl/scan-output'])
subprocess.run(['mkdir', 'ssl/vulnerabilities'])
# Read the file
with open(os.getcwd() + '/' + args.list, newline=None) as file:
for line in file:
# Strip newlines
hostname = line.rstrip('\n')
# Capture the sslscan output
output_sslscan = subprocess.check_output(['sslscan', hostname],
universal_newlines=True)
# Remove ANSI encoding so we can search
output_sslscan_clean = helpers.remove_ansi(output_sslscan)
# Process the SSLScan output
# SSL / TLS versions
# SSLv2
if (output_sslscan_clean.find('SSLv2') != -1):
helpers.print_task_positive('SSLv2')
vuln_file = open('ssl/vulnerabilities/tls-sslv2-0.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# SSLv3
if (output_sslscan_clean.find('SSLv3') != -1):
helpers.print_task_positive('SSLv3')
vuln_file = open('ssl/vulnerabilities/tls-sslv3-0.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# TLSV1.0
if (output_sslscan_clean.find('TLSv1.0') != -1):
helpers.print_task_positive('TLSv1.0')
vuln_file = open('ssl/vulnerabilities/tls-tlsv1-0.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# TLS Fallback SCSV
if (output_sslscan_clean.find(
'Server does not support TLS Fallback SCSV') != -1):
helpers.print_task_positive('TLS Fallback SCSV')
vuln_file = open('ssl/vulnerabilities/tls-fallback-scsv.txt',
'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# TLS CRIME
if (output_sslscan_clean.find('Compression enabled (CRIME)') !=
-1):
helpers.print_task_positive('Compression enabled (CRIME)')
vuln_file = open(
'ssl/vulnerabilities/tls-compression-crime.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Certificate issues
# Expired certificate
if (helpers.remove_control_characters(output_sslscan).find(
'Not valid after: [31m') != -1):
helpers.print_task_positive('Expired certificate')
vuln_file = open('ssl/vulnerabilities/certificate-expired.txt',
'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Wildcard certificate
if (output_sslscan_clean.find('Subject: *') != -1):
helpers.print_task_positive('Wildcard certificate')
vuln_file = open(
'ssl/vulnerabilities/certificate-wildcard.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Weak certificate signature
if (output_sslscan_clean.find('sha1WithRSA') != -1):
helpers.print_task_positive('Weak certificate signature')
vuln_file = open(
'ssl/vulnerabilities/certificate-weak-signature.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Cipher suites
# Export ciphers
if (output_sslscan_clean.find('EXP-') != -1):
helpers.print_task_positive('Weak cipher - Export cipher')
vuln_file = open('ssl/vulnerabilities/weak-cipher-export.txt',
'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# RC4
if (output_sslscan_clean.find('RC4') != -1):
helpers.print_task_positive('Weak cipher - RC4')
vuln_file = open('ssl/vulnerabilities/weak-cipher-rc4.txt',
'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# DES-CBC(3)-SHA
if (output_sslscan_clean.find('DES-CBC') != -1):
helpers.print_task_positive('Weak cipher - DES-CBC')
vuln_file = open('ssl/vulnerabilities/weak-cipher-des-cbc.txt',
'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Weak diffie hellman
if (output_sslscan_clean.find('DHE 1024 bits') != -1):
helpers.print_task_positive('Weak cipher - DHE 1024 bits')
vuln_file = open(
'ssl/vulnerabilities/weak-cipher-dhe-1024.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Capture the sslyze output
output_sslyze = subprocess.check_output(
['sslyze', '--regular', '--hsts', hostname],
universal_newlines=True)
# Process the sslyze output (Only what is missed by SSLScan)
# Client initiated renegotiation
if (output_sslyze.find(
'VULNERABLE - Server honors client-initiated renegotiations'
) != -1):
helpers.print_task_positive(
'Server honors client-initiated renegotiations')
vuln_file = open(
'ssl/vulnerabilities/tls-client-initiated-renegotiations.txt',
'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Missing HSTS header
if (output_sslyze.find(
'NOT SUPPORTED - Server did not send an HSTS header.') !=
-1):
helpers.print_task_positive('HSTS Unsupported')
vuln_file = open(
'ssl/vulnerabilities/tls-hsts-unsupported.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Self-signed certificate
if (output_sslyze.find(
'FAILED - Certificate is NOT Trusted: self signed certificate'
) != -1):
helpers.print_task_positive(
'FAILED - Certificate is NOT Trusted: self signed certificate'
)
vuln_file = open(
'ssl/vulnerabilities/tls-self-signed-certificate.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Mismatched certificate
if (output_sslyze.find('FAILED - Certificate does NOT') != -1):
helpers.print_task_positive(
'FAILED - Certificate does NOT match')
vuln_file = open(
'ssl/vulnerabilities/tls-mismatched-certificate.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Untrusted certificate
if (output_sslyze.find('FAILED - Certificate is NOT Trusted') !=
-1):
helpers.print_task_positive(
'FAILED - Certificate is NOT Trusted')
vuln_file = open(
'ssl/vulnerabilities/tls-untrusted-certificate.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Write the output to file
hostname = hostname.replace('.', '-')
outfile = open('ssl/scan-output/ssl-' + hostname + '.txt', 'w')
outfile.write(str(output_sslscan))
outfile.write(str(output_sslyze))
outfile.close()
