def run(db, tool=None, scope_type=None):
results = []
Port = PortRepository(db)
ports = Port.all(service_name="http", tool=tool)
ports += Port.all(service_name="https", tool=tool)
for p in ports:
if (p.ip_address and
(scope_type == "active" and p.ip_address.in_scope == True) or
(scope_type == "passive" and p.ip_address.passive_scope == True)
or not scope_type):
domain_list = [d.domain for d in p.ip_address.domains]
results.append(
"%s://%s:%s" %
(p.service_name, p.ip_address.ip_address, p.port_number))
for d in domain_list:
results.append("%s://%s:%s" %
(p.service_name, d, p.port_number))
return sort_by_url(results)
class Module(ModuleTemplate):
name = "HeaderScanner"
def __init__(self, db):
self.db = db
self.Port = PortRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument('-t', '--timeout', help='Connection timeout (default 5)', default="5")
self.options.add_argument('-u', '--url', help="URL to get headers")
self.options.add_argument('-i', '--import_db', help="Import URLs from the database", action="store_true")
self.options.add_argument('-th', '--threads', help="Number of threads to run", default="10")
def run(self, args):
if args.import_db:
svc = self.Port.all(service_name='http')
svc += self.Port.all(service_name='https')
data = []
for s in svc:
urls = ["%s://%s:%s" % (s.service_name, s.ip_address.ip_address, s.port_number)]
for d in s.ip_address.domains:
urls.append("%s://%s:%s" % (s.service_name, d.domain, s.port_number))
data.append([s.id, urls, args.timeout])
pool = ThreadPool(int(args.threads))
results = pool.map(process_urls, data)
print("Adding data to the database")
for i, headers in results:
created, svc = self.Port.find_or_create(id=i)
svc.meta['headers'] = headers
svc.update()
self.Port.commit()
class Report(ReportTemplate):
'''
This report displays all of the certificates
from https boxes.
'''
markdown = ['###', '`']
name = "CertReport"
def __init__(self, db):
self.Port = PortRepository(db)
def set_options(self):
super(Report, self).set_options()
self.options.add_argument('-t', '--tool', help="Source tool")
def run(self, args):
results = []
services = self.Port.all(name='https')
certs = {}
for s in services:
if s.passive_scope:
if s.meta.get('sslcert', False):
for k in s.meta['sslcert'].keys():
cert = s.meta['sslcert'][k]
# pdb.set_trace()
if not certs.get(cert, False):
certs[cert] = []
certs[cert].append(k + ':' + str(s.port_number))
for k in certs.keys():
results.append(', '.join(sorted(list(set(certs[k])))))
for l in k.split('\n'):
results.append('\t' + l)
self.process_output(results, args)
class Module(ToolTemplate):
"""
Runs nmap on all web hosts to pull certs and add them to the database
"""
name = "NmapCertScan"
binary_name = "nmap"
def __init__(self, db):
self.db = db
self.Port = PortRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument(
"-s",
"--rescan",
help="Rescan domains that have already been scanned",
action="store_true",
)
def get_targets(self, args):
targets = []
if args.rescan:
services = self.Port.all(service_name="https")
else:
services = self.Port.all(tool=self.name, service_name="https")
for s in services:
if s.ip_address.in_scope:
port = s.port_number
targets.append(
{
"port": port,
"target": s.ip_address.ip_address,
"service_id": s.id,
}
)
for d in s.ip_address.domains:
targets.append(
{"port": port, "target": d.domain, "service_id": s.id}
)
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], args.output_path[1:]
)
else:
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], args.output_path
)
if not os.path.exists(output_path):
os.makedirs(output_path)
for t in targets:
file_path = os.path.join(output_path, "%s_%s-ssl.xml" % (t["target"], port))
t["output"] = file_path
# pdb.set_trace()
return targets
def build_cmd(self, args):
cmd = self.binary + " -p {port} --script=ssl-cert -oX {output} {target} "
if args.tool_args:
cmd += args.tool_args
return cmd
def process_output(self, cmds):
for data in cmds:
try:
xmldata = xmltodict.parse(open(data["output"]).read())
cert = xmldata["nmaprun"]["host"]["ports"]["port"]["script"]["@output"]
if cert:
# print("Cert found: {}".format(cert))
svc = self.Port.all(id=data["service_id"])[0]
# pdb.set_trace()
if not svc.meta.get("sslcert", False):
svc.meta["sslcert"] = {}
svc.meta["sslcert"][data["target"]] = cert
print(
"Cert added to {} for {}".format(
data["service_id"], data["target"]
)
)
svc.save()
except Exception as e:
display_error("File not valid: {}\nError: {}".format(data["output"], e))
self.Port.commit()
class Module(ModuleTemplate):
'''
Runs nmap on all web hosts to pull certs and add them to the database
'''
name = "NmapCertScan"
def __init__(self, db):
self.db = db
self.Port = PortRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument('-t',
'--threads',
help="Number of threads",
default="1")
self.options.add_argument(
'-o',
'--output_path',
help=
"Path which will contain program output (relative to base_path in config",
default=self.name)
self.options.add_argument(
'-s',
'--rescan',
help="Rescan domains that have already been scanned",
action="store_true")
def run(self, args):
if not args.binary:
self.binary = which.run('nmap')
else:
self.binary = which.run(args.binary)
if not self.binary:
print(
"nmap binary not found. Please explicitly provide path with --binary"
)
if args.rescan:
services = self.Port.all(service_name='https')
else:
services = self.Port.all(tool=self.name, service_name='https')
self.process_services(services, args)
def process_services(self, services, args):
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path[1:])
else:
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
cmds = []
for s in services:
ip = s.ip_address.ip_address
domains = [d.domain for d in s.ip_address.domains]
port = s.port_number
hosts = [ip] + domains
for h in hosts:
file_path = os.path.join(output_path,
"%s_%s-ssl.xml" % (h, port))
command_args = " -p %s " % port
command_args += " --script=ssl-cert -oX %s " % file_path
cmds.append(shlex.split(self.binary + command_args + h))
pool = ThreadPool(int(args.threads))
# res = subprocess.Popen(cmd).wait()
pool.map(scan_hosts, cmds)
for s in services:
p = s.ip_address.ip_address
domains = [d.domain for d in s.ip_address.domains]
port = s.port_number
hosts = [ip] + domains
data = {}
for h in hosts:
# pdb.set_trace()
print("Processing %s" % file_path)
file_path = os.path.join(output_path,
"%s_%s-ssl.xml" % (h, port))
try:
xmldata = xmltodict.parse(open(file_path).read())
cert = xmldata['nmaprun']['host']['ports']['port'][
'script']['@output']
if cert:
data[h] = cert
except:
print("File not valid: %s" % file_path)
# pdb.set_trace()
s.meta['sslcert'] = data
s.update()
self.Port.commit()
class Module(ToolTemplate):
name = "SSLScan"
binary_name = "sslscan"
def __init__(self, db):
self.db = db
self.Domain = DomainRepository(db, self.name)
self.IPAddress = IPRepository(db, self.name)
self.Port = PortRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument("-ho",
"--host",
help="Host to scan (host:port)")
self.options.add_argument("-f",
"--file",
help="Import hosts from file")
self.options.add_argument(
"-i",
"--import_database",
help="Import hosts from database",
action="store_true",
)
self.options.add_argument(
"-s",
"--rescan",
help="Rescan domains that have already been scanned",
action="store_true",
)
def get_targets(self, args):
targets = []
if args.host:
targets.append(args.host)
elif args.file:
hosts = open(args.file).read().split("\n")
for h in hosts:
if h:
targets.append(h)
elif args.import_database:
hosts = []
svc = []
if args.rescan:
for p in [
"https", "ftps", "imaps", "sip-tls", "imqtunnels",
"smtps"
]:
svc += [
(s, "")
for s in self.Port.all(service_name=p, status="open")
if s.ip_address.in_scope
]
for p in [
"ftp",
"imap",
"irc",
"ldap",
"pop3",
"smtp",
"mysql",
"xmpp",
"psql",
]:
svc += [
(s, "--starttls-%s" % p)
for s in self.Port.all(service_name=p, status="open")
if s.ip_address.in_scope
]
else:
for p in [
"https", "ftps", "imaps", "sip-tls", "imqtunnels",
"smtps"
]:
svc += [(s, "") for s in self.Port.all(
tool=self.name, service_name=p, status="open")
if s.ip_address.in_scope]
for p in [
"ftp",
"imap",
"irc",
"ldap",
"pop3",
"smtp",
"mysql",
"xmpp",
"psql",
]:
svc += [(s, "--starttls-%s" % p) for s in self.Port.all(
tool=self.name, service_name=p, status="open")
if s.ip_address.in_scope]
for s, option in svc:
port_number = s.port_number
ip_address = s.ip_address.ip_address
targets.append({
"target": "%s:%s" % (ip_address, port_number),
"option": option
})
for d in s.ip_address.domains:
targets.append({
"target": "%s:%s" % (d.domain, port_number),
"option": option
})
for t in targets:
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"],
args.output_path[1:])
else:
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
output_path = os.path.join(
output_path,
"{}-sslscan.xml".format(t["target"].replace(":", "_")))
t["output"] = output_path
return targets
def build_cmd(self, args):
cmd = self.binary + " --xml={output} {option} {target} "
if args.tool_args:
cmd += args.tool_args
return cmd
class Module(ToolTemplate):
name = "Hydra"
binary_name = "hydra"
def __init__(self, db):
self.db = db
self.Domain = DomainRepository(db, self.name)
self.IPAddress = IPRepository(db, self.name)
self.Port = PortRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument("-ho",
"--host",
help="Host to scan (service://host:port)")
self.options.add_argument("-hw",
"--host_wordlist",
help="Wordlist to use for one off host")
self.options.add_argument("-f",
"--file",
help="Import hosts from file")
self.options.add_argument(
"-s",
"--rescan",
help="Rescan domains that have already been scanned",
action="store_true",
)
self.options.add_argument(
"--scan_defaults",
help="Pull hosts out of database and scan default passwords",
action="store_true",
)
self.options.add_argument("--ftp_wordlist",
help="Wordlist for FTP services")
self.options.add_argument("--telnet_wordlist",
help="Wordlist for Telnet")
self.options.add_argument("--email_wordlist",
help="Wordlist for email (smtp, pop3, imap)")
self.options.add_argument("--ssh_wordlist", help="Wordlist for SSH")
self.options.add_argument("--vnc_wordlist", help="Wordlist for VNC")
def get_targets(self, args):
targets = []
if args.host:
service, hp = args.host.split("://")
host, port = hp.split(":")[-2:]
targets.append({
"target": host,
"service": service,
"port": port,
"wordlist": args.host_wordlist,
})
elif args.file:
hosts = open(args.file).read().split("\n")
for h in hosts:
if h:
targets.append(h)
elif args.scan_defaults:
lists = {}
if args.ftp_wordlist:
for p in ["ftps", "ftp"]:
lists[args.ftp_wordlist] = [
s
for s in self.Port.all(tool=self.name, service_name=p)
]
if args.telnet_wordlist:
for p in ["telnet"]:
lists[args.telnet_wordlist] = [
s
for s in self.Port.all(tool=self.name, service_name=p)
]
if args.email_wordlist:
for p in ["smtps", "smtp", "pop3", "pop3s", "imap", "imaps"]:
lists[args.email_wordlist] = [
s
for s in self.Port.all(tool=self.name, service_name=p)
]
if args.ssh_wordlist:
for p in ["ssh"]:
lists[args.ssh_wordlist] = [
s
for s in self.Port.all(tool=self.name, service_name=p)
]
if args.vnc_wordlist:
for p in ["vnc"]:
lists[args.vnc_wordlist] = [
s
for s in self.Port.all(tool=self.name, service_name=p)
]
for k in lists.keys():
for s in lists[k]:
port_number = s.port_number
ip_address = s.ip_address.ip_address
name = s.service_name
targets.append({
"service": name,
"target": ip_address,
"port": port_number,
"wordlist": k,
})
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], args.output_path[1:])
else:
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
for t in targets:
t["output"] = os.path.join(
output_path, "{}-{}.txt".format(t["target"], t["port"]))
return targets
def build_cmd(self, args):
cmd = self.binary + " -o {output} -C {wordlist} "
if args.tool_args:
cmd += args.tool_args
cmd += " {service}://{target}:{port} "
return cmd
class Module(ToolTemplate):
'''
Runs nmap on all web hosts to pull certs and add them to the database
'''
name = "NmapCertScan"
binary_name = "nmap"
def __init__(self, db):
self.db = db
self.Port = PortRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument(
'-s',
'--rescan',
help="Rescan domains that have already been scanned",
action="store_true")
def get_targets(self, args):
targets = []
if args.rescan:
services = self.Port.all(service_name='https')
else:
services = self.Port.all(tool=self.name, service_name='https')
for s in services:
if s.ip_address.in_scope:
port = s.port_number
targets.append({
'port': port,
'target': s.ip_address.ip_address,
'service_id': s.id
})
for d in s.ip_address.domains:
targets.append({
'port': port,
'target': d.domain,
'service_id': s.id
})
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path[1:])
else:
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
for t in targets:
file_path = os.path.join(output_path,
"%s_%s-ssl.xml" % (t['target'], port))
t['output'] = file_path
# pdb.set_trace()
return targets
def build_cmd(self, args):
cmd = self.binary + " -p {port} --script=ssl-cert -oX {output} {target} "
if args.tool_args:
cmd += args.tool_args
return cmd
def process_output(self, cmds):
for data in cmds:
try:
xmldata = xmltodict.parse(open(data['output']).read())
cert = xmldata['nmaprun']['host']['ports']['port']['script'][
'@output']
if cert:
svc = self.Port.all(id=data['service_id'])[0]
if not svc.meta.get(self.name, False):
svc.meta[self.name] = {}
svc.meta[self.name][data['target']] = cert
svc.update()
except:
display_error("File not valid: {}".format(data['output']))
self.Port.commit()
class Module(ModuleTemplate):
name = "HeaderScanner"
def __init__(self, db):
self.db = db
self.Port = PortRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument("-t",
"--timeout",
help="Connection timeout (default 5)",
default="5")
self.options.add_argument("-u", "--url", help="URL to get headers")
self.options.add_argument(
"-i",
"--import_db",
help="Import URLs from the database",
action="store_true",
)
self.options.add_argument("-th",
"--threads",
help="Number of threads to run",
default="10")
self.options.add_argument("--rescan",
help="Rescan URLs already processed",
action="store_true")
def run(self, args):
if args.import_db:
if args.rescan:
svc = self.Port.all(service_name="http")
svc += self.Port.all(service_name="https")
else:
svc = self.Port.all(service_name="http", tool=self.name)
svc += self.Port.all(service_name="https", tool=self.name)
data = []
for s in svc:
if s.ip_address.in_scope:
urls = [
"%s://%s:%s" % (s.service_name,
s.ip_address.ip_address, s.port_number)
]
for d in s.ip_address.domains:
urls.append("%s://%s:%s" %
(s.service_name, d.domain, s.port_number))
data.append([s.id, urls, args.timeout])
pool = ThreadPool(int(args.threads))
results = pool.map(process_urls, data)
display_new("Adding headers to the database")
for i, headers, cookies in results:
created, svc = self.Port.find_or_create(id=i)
svc.meta["headers"] = headers
svc.meta["cookies"] = cookies
svc.update()
self.Port.commit()
class Module(ModuleTemplate):
name = "Hydra"
def __init__(self, db):
self.db = db
self.Domain = DomainRepository(db, self.name)
self.IPAddress = IPRepository(db, self.name)
self.Port = PortRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument('-ho',
'--host',
help="Host to scan (host:port)")
self.options.add_argument('-f',
'--file',
help="Import hosts from file")
self.options.add_argument('-t',
'--threads',
help='Number of threads to run',
default="1")
self.options.add_argument(
'-o',
'--output_path',
help=
"Path which will contain program output (relative to base_path in config",
default="hydra")
self.options.add_argument(
'-s',
'--rescan',
help="Rescan domains that have already been scanned",
action="store_true")
self.options.add_argument(
'--scan_defaults',
help="Pull hosts out of database and scan default passwords",
action="store_true")
self.options.add_argument('--ftp_wordlist',
help="Wordlist for FTP services")
self.options.add_argument('--telnet_wordlist',
help="Wordlist for Telnet")
self.options.add_argument('--email_wordlist',
help="Wordlist for email (smtp, pop3, imap)")
self.options.add_argument('--ssh_wordlist', help="Wordlist for SSH")
self.options.add_argument('--vnc_wordlist', help="Wordlist for VNC")
def run(self, args):
self.args = args
if not args.binary:
self.binary = which.run('hydra')
else:
self.binary = which.run(args.binary)
if not self.binary:
print(
"hydra binary not found. Please explicitly provide path with --binary"
)
if args.host:
self.process_host(args.host)
elif args.file:
hosts = open(args.file).read().split('\n')
for h in hosts:
if h:
self.process_host(h)
elif args.scan_defaults:
lists = {}
# pdb.set_trace()
if args.ftp_wordlist:
for p in ['ftps', 'ftp']:
lists[args.ftp_wordlist] = [
s
for s in self.Port.all(tool=self.name, service_name=p)
]
if args.telnet_wordlist:
for p in ['telnet']:
lists[args.telnet_wordlist] = [
s
for s in self.Port.all(tool=self.name, service_name=p)
]
if args.email_wordlist:
for p in ['smtps', 'smtp', 'pop3', 'pop3s', 'imap', 'imaps']:
lists[args.email_wordlist] = [
s
for s in self.Port.all(tool=self.name, service_name=p)
]
if args.ssh_wordlist:
for p in ['ssh']:
lists[args.ssh_wordlist] = [
s
for s in self.Port.all(tool=self.name, service_name=p)
]
if args.vnc_wordlist:
for p in ['vnc']:
lists[args.vnc_wordlist] = [
s
for s in self.Port.all(tool=self.name, service_name=p)
]
hosts = []
for k in lists.keys():
for s in lists[k]:
port_number = s.port_number
ip_address = s.ipaddress.ip_address
name = s.service_name
hosts.append("%s://%s:%s|%s" %
(name, ip_address, port_number, k))
self.process_hosts(hosts)
def process_host(self, host):
args = self.args
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path[1:])
else:
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
xml_path = os.path.join(output_path,
"%s-sslscan.xml" % host.replace(':', '_'))
command_args = " --xml=%s " % xml_path
cmd = shlex.split(self.binary + command_args + host)
print("Executing: %s" % ' '.join(cmd))
res = subprocess.Popen(cmd).wait()
def process_hosts(self, hosts):
args = self.args
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path[1:])
else:
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
commands = []
for host in hosts:
host_str = host.split('|')[0]
wordlist = host.split('|')[1]
file_path = os.path.join(
output_path,
"%s.txt" % host_str.replace(':', '_').replace('/', '_'))
command_args = " -o %s " % file_path
command_args += " -C %s " % wordlist
cmd = shlex.split(self.binary + command_args + host_str)
commands.append(cmd)
pool = ThreadPool(int(args.threads))
pool.map(run_cmd, commands)
class Module(ToolTemplate):
name = "SSLScan"
binary_name = "sslscan"
def __init__(self, db):
self.db = db
self.Domain = DomainRepository(db, self.name)
self.IPAddress = IPRepository(db, self.name)
self.Port = PortRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument('-ho',
'--host',
help="Host to scan (host:port)")
self.options.add_argument('-f',
'--file',
help="Import hosts from file")
self.options.add_argument('-i',
'--import_database',
help="Import hosts from database",
action="store_true")
self.options.add_argument(
'-s',
'--rescan',
help="Rescan domains that have already been scanned",
action="store_true")
def get_targets(self, args):
targets = []
if args.host:
targets.append(args.host)
elif args.file:
hosts = open(args.file).read().split('\n')
for h in hosts:
if h:
targets.append(h)
elif args.import_database:
hosts = []
svc = []
if args.rescan:
for p in [
'https', 'ftps', 'imaps', 'sip-tls', 'imqtunnels',
'smtps'
]:
svc += [(s, "") for s in self.Port.all(service_name=p)
if s.ip_address.in_scope]
for p in [
'ftp', 'imap', 'irc', 'ldap', 'pop3', 'smtp', 'mysql',
'xmpp', 'psql'
]:
svc += [(s, "--starttls-%s" % p)
for s in self.Port.all(service_name=p)
if s.ip_address.in_scope]
else:
for p in [
'https', 'ftps', 'imaps', 'sip-tls', 'imqtunnels',
'smtps'
]:
svc += [
(s, "")
for s in self.Port.all(tool=self.name, service_name=p)
if s.ip_address.in_scope
]
for p in [
'ftp', 'imap', 'irc', 'ldap', 'pop3', 'smtp', 'mysql',
'xmpp', 'psql'
]:
svc += [
(s, "--starttls-%s" % p)
for s in self.Port.all(tool=self.name, service_name=p)
if s.ip_address.in_scope
]
for s, option in svc:
port_number = s.port_number
ip_address = s.ip_address.ip_address
targets.append({
'target': "%s:%s" % (ip_address, port_number),
'option': option
})
for d in s.ip_address.domains:
targets.append({
'target': "%s:%s" % (d.domain, port_number),
'option': option
})
for t in targets:
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config['PROJECT']['base_path'],
args.output_path[1:])
else:
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
output_path = os.path.join(
output_path,
"{}-sslscan.xml".format(t['target'].replace(':', '_')))
t['output'] = output_path
return targets
def build_cmd(self, args):
cmd = self.binary + " --xml={output} {option} {target} "
if args.tool_args:
cmd += args.tool_args
return cmd
class Module(ModuleTemplate):
name = "SSLScan"
def __init__(self, db):
self.db = db
self.Domain = DomainRepository(db, self.name)
self.IPAddress = IPRepository(db, self.name)
self.Port = PortRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument('-ho',
'--host',
help="Host to scan (host:port)")
self.options.add_argument('-f',
'--file',
help="Import hosts from file")
self.options.add_argument('-i',
'--import_database',
help="Import hosts from database",
action="store_true")
self.options.add_argument('-t',
'--threads',
help='Number of threads to run',
default="1")
self.options.add_argument(
'-o',
'--output_path',
help=
"Path which will contain program output (relative to base_path in config",
default="sslscan")
self.options.add_argument(
'-s',
'--rescan',
help="Rescan domains that have already been scanned",
action="store_true")
def run(self, args):
self.args = args
if not args.binary:
self.binary = which.run('sslscan')
else:
self.binary = which.run(args.binary)
if not self.binary:
print(
"sslscan binary not found. Please explicitly provide path with --binary"
)
if args.host:
self.process_host(args.host)
elif args.file:
hosts = open(args.file).read().split('\n')
for h in hosts:
if h:
self.process_host(h)
elif args.import_database:
hosts = []
svc = []
for p in [
'https', 'ftps', 'imaps', 'sip-tls', 'imqtunnels', 'smtps'
]:
svc += [(s, "")
for s in self.Port.all(tool=self.name, service_name=p)]
for p in [
'ftp', 'imap', 'irc', 'ldap', 'pop3', 'smtp', 'mysql',
'xmpp', 'psql'
]:
svc += [(s, "--starttls-%s" % p)
for s in self.Port.all(tool=self.name, service_name=p)]
for s, option in svc:
port_number = s.port_number
ip_address = s.ip_address.ip_address
hosts.append(("%s:%s" % (ip_address, port_number), option))
for d in s.ip_address.domains:
hosts.append(("%s:%s" % (d.domain, port_number), option))
self.process_hosts(hosts)
def process_host(self, host):
args = self.args
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path[1:])
else:
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
xml_path = os.path.join(output_path,
"%s-sslscan.xml" % host.replace(':', '_'))
command_args = " --xml=%s " % xml_path
cmd = shlex.split(self.binary + command_args + host)
print("Executing: %s" % ' '.join(cmd))
res = subprocess.Popen(cmd).wait()
def process_hosts(self, hosts):
args = self.args
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path[1:])
else:
output_path = os.path.join(
self.base_config['PROJECT']['base_path'], args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
commands = []
for host, option in hosts:
xml_path = os.path.join(output_path,
"%s-sslscan.xml" % host.replace(':', '_'))
command_args = " --xml=%s " % xml_path
cmd = shlex.split(self.binary + command_args + " %s " % option +
host)
commands.append(cmd)
pool = ThreadPool(int(args.threads))
pool.map(run_cmd, commands)
class Report(ReportTemplate):
"""
This report displays all of the hosts sorted by service.
"""
markdown = ["", "# ", "- "]
name = ""
def __init__(self, db):
self.Ports = PortRepository(db)
def run(self, args):
# Cidrs = self.CIDR.
results = {}
ports = self.Ports.all()
services = {}
for p in ports:
if (
(args.scope == "active" and p.ip_address.in_scope)
or (args.scope == "passive" and p.ip_address.passive_scope)
or (args.scope == "all")
and p.status == "open"
):
if not services.get(p.proto, False):
services[p.proto] = {}
if not services[p.proto].get(p.port_number, False):
services[p.proto][p.port_number] = {}
services[p.proto][p.port_number][p.ip_address.ip_address] = {
"domains": [d.domain for d in p.ip_address.domains],
"svc": p.service_name,
}
res = []
for p in sorted(services):
for s in sorted(services[p]):
res.append("\tProtocol: {} Port: {}".format(p, s))
res.append("\n")
for ip in sorted(services[p][s].keys()):
if services[p][s][ip]["domains"]:
res.append(
"\t\t{} ({}): {}".format(
ip,
services[p][s][ip]["svc"],
", ".join(services[p][s][ip]["domains"]),
)
)
else:
res.append(
"\t\t{} ({}) (No domain)".format(
ip, services[p][s][ip]["svc"]
)
)
res.append("\n")
self.process_output(res, args)
