def __init__(self):
"""Initialize the test."""
super().__init__(
name="discover",
summary="CoRE Resource Discovery",
descr="This test allows you to discover and list the well-known "
"resources advertised as CoRE link format on a CoAP server.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=["https://tools.ietf.org/html/rfc6690"],
category=TCategory(TCategory.COAP, TCategory.SW,
TCategory.DISCOVERY),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-r",
"--rhost",
required=True,
help="Hostname/IP address of the target CoAP Server",
)
self.argparser.add_argument(
"-p",
"--rport",
default=COAP_PORT,
type=int,
help="Port number of the target CoAP Server. Default "
"is {}".format(COAP_PORT),
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="get",
summary="CoAP GET",
descr="This test allows you to send a CoAP GET request (Message) "
"to a CoAP server on a specified resource path.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=["https://tools.ietf.org/html/rfc7252"],
category=TCategory(TCategory.COAP, TCategory.SW, TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-r",
"--rhost",
required=True,
help="Hostname/IP address of the target CoAP Server",
)
self.argparser.add_argument(
"-p",
"--rport",
default=5683,
type=int,
help="Port number of the target CoAP Server. Default is 5683",
)
self.argparser.add_argument(
"-u",
"--path",
default="/.well-known/core",
help=
"Resource URI path of the GET request. Default is discover URI path /.well-known/core",
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="sub",
summary="MQTT Subscriber",
descr="This test allows you to subscribe to a topic on an MQTT "
"broker and read messages being published on that topic.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=[MQTT_REFERENCE],
category=TCategory(TCategory.MQTT, TCategory.SW, TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-r",
"--rhost",
required=True,
help="Hostname/IP address of the target MQTT broker",
)
self.argparser.add_argument(
"-p",
"--rport",
default=DEFAULT_MQTT_PORT,
type=int,
help="Port number of the target MQTT broker. Default is 1883",
)
self.argparser.add_argument(
"-t",
"--topic",
default="$SYS/#",
help="Topic filter to subscribe on the MQTT broker. Default is "
"$SYS/#",
)
self.argparser.add_argument(
"-i",
"--id",
help="The client ID to be used for the connection. Default is "
"random client ID",
)
self.argparser.add_argument(
"-u",
"--user",
help="Specify the user name to be used. If not specified, it "
"connects without authentication",
)
self.argparser.add_argument(
"-w",
"--passwd",
help="Specify the password to be used. If not specified, it "
"connects with without authentication",
)
self.argparser.add_argument(
"-o",
"--timeout",
default=DEFAULT_MQTT_TIMEOUT,
type=int,
help="Time, in seconds, it will keep waiting/reading messages. "
"Default is {} secs".format(DEFAULT_MQTT_TIMEOUT),
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="cmd",
summary="Nmap Command",
descr="This plugin allows you to run nmap by passing its original "
"arguments via the console.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=["https://nmap.org/"],
category=TCategory(TCategory.NMAP, TCategory.SW, TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-a",
"--args",
required=True,
help="Nmap command line arguments",
)
self.argparser.add_argument(
"-t",
"--timeout",
type=int,
default=NOTIMEOUT,
help="Timeout for nmap command. Default is {} secs, "
"which means no timeout".format(NOTIMEOUT),
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="writetcp",
summary="Modbus TCP Writer",
descr="This plugin writes the item (coil, register) values to a "
"Modbus server.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=MODBUS_REFERENCE,
category=TCategory(TCategory.MODBUS, TCategory.SW, TCategory.ANALYSIS),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-r",
"--rhost",
required=True,
help="The hostname/IP address of the Modbus server",
)
self.argparser.add_argument(
"-p",
"--rport",
default=502,
type=int,
help="The port number of the Modbus server. Default is 502",
)
self.argparser.add_argument(
"-i",
"--item",
default=0,
type=int,
help="The item to write to. {coil} = {}, {} = {}. Default is {coil}".format(
WRITE_ITEMS[COIL], REG, WRITE_ITEMS[REG], coil=COIL
),
)
self.argparser.add_argument(
"-a",
"--address",
default=0,
type=int,
help="The start address of item to write to",
)
self.argparser.add_argument(
"-c",
"--count",
default=1,
type=int,
help="The count of items to write. Default is 1",
)
self.argparser.add_argument(
"-u",
"--unit",
default=1,
type=int,
help="The unit ID of the slave on the server to write to",
)
self.argparser.add_argument(
"-w", "--value", required=True, type=int, help="The value to write"
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="jtagscan",
summary="JTAG port scan",
descr="This plugin scans JTAG port for JTAG device id, JTAG pins "
"(TMS, TCK, TDO, TDI and TRST) on the target hardware. "
"TRST pin scan is optional and depends upon target HW, if TRST pin "
"is active on target HW, then it must be include in scan. "
"You need to connect Bus Auditor channels (pins) to the suspected "
"pinouts on the target pcb board. "
"Bus Auditor pins must be connected in a sequential range and "
"specified by the start and end pin arguments. "
"If you are seeing permission issues, kindly add a udev rule for "
"your user for the Bus Auditor device.",
author="Dattatray Hinge",
email="*****@*****.**",
ref=[JTAG_REFERENCE],
category=TCategory(TCategory.BUS_AUDITOR, TCategory.HW,
TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-i",
"--include_trst",
action="store_true",
help="Include TRST pin in scan",
)
self.argparser.add_argument(
"-s",
"--start",
type=int,
default=DEFAFULT_START,
help="First Bus Auditor channel for the scan. If not specified, "
"it will start the scan from channel ({})".format(DEFAFULT_START),
)
self.argparser.add_argument(
"-e",
"--end",
type=int,
default=DEFAFULT_END,
help="Last Bus Auditor channel for the scan. If not specified, "
"it will scan until channel ({})".format(DEFAFULT_END),
)
self.argparser.add_argument(
"-v",
"--volts",
type=str,
default=DEFAULT_VOLTS,
help="Target voltage out. "
"Supported target volts are ({}), ({}), and ({}) If not specified, "
"target voltage will be ({}) volts".format(VOLTAGE_RANGE[0],
VOLTAGE_RANGE[1],
VOLTAGE_RANGE[2],
DEFAULT_VOLTS),
)
def __init__(self):
super().__init__(
name="readflash",
summary="SPI Flash Reader",
descr=
"""This plugin reads data from a serial flash chip that implements SPI protocol.
It needs an FTDI interface to read data from the target flash chip. You can buy
an FTDI device online. If you are interested we have an FTDI based product -
'Expliot Nano' which you can order online from www.expliot.io
This plugin uses pyspiflash package which in turn uses pyftdi python driver
for ftdi chips. For more details on supported flash chips, check the readme at
https://github.com/eblot/pyspiflash. Thank you Emmanuel Blot for pyspiflash.
You may want to run it as root in case you get a USB error related to langid""",
author="Aseem Jakhar",
email="*****@*****.**",
ref=["https://github.com/eblot/pyspiflash"],
category=TCategory(TCategory.SPI, TCategory.HW,
TCategory.ANALYSIS),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC))
self.argparser.add_argument(
"-a",
"--addr",
default=0,
type=int,
help=
"""Specify the start address from where data is to be read. Default is 0"""
)
self.argparser.add_argument(
"-l",
"--length",
type=int,
help=
"""Specify the total length of data, in bytes, to be read from the start
address. If not specified, it reads till the end"""
)
self.argparser.add_argument(
"-u",
"--url",
default="ftdi:///1",
help=
"""URL of the connected FTDI device. Default is "ftdi:///1". For more details
on the URL scheme check https://eblot.github.io/pyftdi/urlscheme.html"""
)
self.argparser.add_argument(
"-f",
"--freq",
type=int,
help=
"""Specify a frequency in Hz(example: 1000000 for 1 MHz. If not, specified,
default frequency of the device is used. You may want to decrease the
frequency if you keep seeing FtdiError:UsbError."""
)
self.argparser.add_argument(
"-w",
"--wfile",
help="""Specify the file path where data, read from the spi flash
device, is to be written. If not specified output the
data on the terminal."""
)
def __init__(self):
"""Initialize the test for TPlink smart devices."""
super().__init__(
name="decrypt",
summary="TPLink Smart device communication decryption ",
descr="This plugin helps to fetch the json from the encrypted "
"commands being sent by the user through the KASA mobile to the "
"TP-Link smart device & this fetched json can be then sent to the "
"target device using takeover plugin.",
author="Appar Thusoo",
email="*****@*****.**",
ref=[
"https://www.softscheck.com/en/reverse-engineering-tp-link-hs110/",
"https://github.com/softScheck/tplink-smartplug"
],
category=TCategory(TCategory.CRYPTO, TCategory.SW,
TCategory.EXPLOIT),
target=TTarget(TTarget.TP_LINK_IOT, "1.0", TTarget.TP_LINK),
)
self.argparser.add_argument(
"-d",
"--data",
required=True,
help=
"Specify the hex string from the sniffed communication, without the 0x prefix. Ex. 2a3b4cddeeff11",
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="scan",
summary="BLE Scanner",
descr="This plugin scans for BLE devices in (BLE range) "
" proximity. NOTE: This plugin needs root privileges. "
"You may run it as $ sudo expliot.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=[BLE_REF],
category=TCategory(TCategory.BLE, TCategory.RD,
TCategory.DISCOVERY),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
needroot=True,
)
self.argparser.add_argument(
"-i",
"--iface",
default=0,
type=int,
help="HCI interface no. to use for scanning. 0 = hci0, 1 = hci1 "
"and so on. Default is 0",
)
self.argparser.add_argument(
"-t",
"--timeout",
default=10,
type=int,
help="Scan timeout. Default is 10 seconds",
)
self.found = False
def __init__(self):
"""Initialize the test."""
super().__init__(
name="get",
summary="CoAP GET request",
descr="This test allows you to send a CoAP GET request (Message) "
"to a CoAP server on a specified resource path.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=["https://tools.ietf.org/html/rfc7252"],
category=TCategory(TCategory.COAP, TCategory.SW, TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-r",
"--rhost",
required=True,
help="Hostname/IP address of the target CoAP Server",
)
self.argparser.add_argument(
"-p",
"--rport",
default=COAP_PORT,
type=int,
help="Port number of the target CoAP Server. Default "
"is {}".format(COAP_PORT),
)
self.argparser.add_argument(
"-u",
"--path",
default=ROOTPATH,
help="Resource URI path of the GET request. Default "
"is URI path {}".format(ROOTPATH),
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="Sample",
summary="Sample Summary",
descr="Sample Description",
author="Sample author",
email="*****@*****.**",
ref=["https://example.com", "https://example.dom"],
category=TCategory(TCategory.COAP, TCategory.SW,
TCategory.EXPLOIT),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument("-r",
"--rhost",
required=True,
help="IP address of the target")
self.argparser.add_argument(
"-p",
"--rport",
default=DEFAULT_PORT,
type=int,
help="Port number of the target. Default is {}".format(
DEFAULT_PORT),
)
self.argparser.add_argument("-v",
"--verbose",
action="store_true",
help="show verbose output")
def __init__(self):
"""Initialize the mDNS discovery."""
super().__init__(
name="discover",
summary="Discover devices with support for mDNS.",
descr="This plugin tries to detect devices in the local network "
"which are supporting mDNS. That mechanisms is called zero-"
"configuration networking and also known as Bonjour.",
author="Fabian Affolter",
email="*****@*****.**",
ref=[MDNS_REFERENCE],
category=TCategory(TCategory.MDNS, TCategory.SW, TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument("-v",
"--verbose",
action="store_true",
help="Show verbose output")
self.argparser.add_argument("-l",
"--list",
action="store_true",
help="Show supported device types")
self.argparser.add_argument(
"-d", "--device", help="Search for the specified device type only")
self.argparser.add_argument(
"-t",
"--timeout",
default=DEFAULT_MDNS_TIMEOUT,
type=float,
help="Timeout in seconds for each device type. "
"Default is {} seconds.".format(DEFAULT_MDNS_TIMEOUT))
def __init__(self):
"""Initialize the UPNP discovery."""
super().__init__(
name="discover",
summary="Discover devices with support for UPNP.",
descr="This plugin tries to detect devices in the local network "
"which support UPNP (Universal Plug aNd Play.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=[UPNP_REFERENCE],
category=TCategory(TCategory.UPNP, TCategory.SW,
TCategory.DISCOVERY),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-v",
"--verbose",
action="store_true",
help="Show verbose output (response and xml)")
self.argparser.add_argument(
"-t",
"--timeout",
default=DEFAULT_UPNP_TIMEOUT,
type=int,
help="Timeout in seconds for each device type. "
"Default is {} seconds".format(DEFAULT_UPNP_TIMEOUT))
def __init__(self):
super().__init__(
name="readeeprom",
summary="I2C EEPROM Reader",
descr=
"""This plugin reads data from an I2C EEPROM chip. It needs an FTDI interface to
read data from the target EEPROM chip. You can buy an FTDI device online. If you
are interested we have an FTDI based product - 'Expliot Nano' which you can
order online from www.expliot.io This plugin uses pyi2cflash package which in
turn uses pyftdi python driver for ftdi chips. For more details on supported
I2C EEPROM chips, check the readme at https://github.com/eblot/pyi2cflash Thank
you Emmanuel Blot for pyi2cflash. You may want to run it as root in case you
get a USB error related to langid""",
author="Aseem Jakhar",
email="*****@*****.**",
ref=["https://github.com/eblot/pyi2cflash"],
category=TCategory(TCategory.I2C, TCategory.HW,
TCategory.ANALYSIS),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC))
self.argparser.add_argument(
"-a",
"--addr",
default=0,
type=int,
help=
"""Specify the start address from where data is to be read. Default is 0"""
)
self.argparser.add_argument(
"-l",
"--length",
type=int,
help=
"""Specify the total length of data, in bytes, to be read from the start
address. If not specified, it reads till the end"""
)
self.argparser.add_argument(
"-u",
"--url",
default="ftdi:///1",
help=
"""URL of the connected FTDI device. Default is "ftdi:///1". For more details
on the URL scheme check https://eblot.github.io/pyftdi/urlscheme.html"""
)
self.argparser.add_argument(
"-c",
"--chip",
required=True,
help=
"""Specify the chip. Supported chips are 24AA32A, 24AA64, 24AA128, 24AA256,
24AA512""")
self.argparser.add_argument(
"-w",
"--wfile",
help="""Specify the file path where data, read from the i2c
chip, is to be written. If not specified output the
data on the terminal."""
)
self.slaveaddr = 0x50
def __init__(self):
super().__init__(
name="writetcp",
summary="Modbus TCP Writer",
descr=
"This plugin writes the item (coil, register) values to a Modbus server",
author="Aseem Jakhar",
email="*****@*****.**",
ref=[
"https://en.wikipedia.org/wiki/Modbus",
"http://www.modbus.org/specs.php"
],
category=TCategory(TCategory.MODBUS, TCategory.SW,
TCategory.ANALYSIS),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC))
self.argparser.add_argument(
"-r",
"--rhost",
required=True,
help="hotname/IP address of the Modbus server")
self.argparser.add_argument(
"-p",
"--rport",
default=502,
type=int,
help="Port number of the Modbus server. Default is 502")
self.argparser.add_argument(
"-i",
"--item",
default=0,
type=int,
help="""The item to read from. {} = {}, {} = {}.
Default is {}""".format(
self.COIL, self.ITEMS[self.COIL], self.REG,
self.ITEMS[self.REG], self.COIL))
self.argparser.add_argument(
"-a",
"--address",
default=0,
type=int,
help="The start address of item to write to")
self.argparser.add_argument(
"-c",
"--count",
default=1,
type=int,
help="The count of items to write. Default is 1")
self.argparser.add_argument(
"-u",
"--unit",
default=1,
type=int,
help="The Unit ID of the slave on the server to write to")
self.argparser.add_argument("-w",
"--value",
required=True,
type=int,
help="The value to write")
def __init__(self):
"""Initialize the test."""
super().__init__(
name="c-store",
summary="DICOM File Store",
descr="This test case sends a C-STORE message i.e. it sends a DICOM "
"file to the DICOM server (SCP - Service class Provider). It "
"can be used to test storing wrong file for a patient or to "
"fuzz test a server.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=[REFERENCE],
category=TCategory(TCategory.DICOM, TCategory.SW,
TCategory.ANALYSIS),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-r",
"--rhost",
required=True,
help="The hostname/IP address of the target DICOM Server (SCP)",
)
self.argparser.add_argument(
"-p",
"--rport",
default=104,
type=int,
help=
"The port number of the target DICOM Server (SCP). Default is 104",
)
self.argparser.add_argument(
"-q",
"--lport",
default=0,
type=int,
help="If specified use this as the source/local port number",
)
self.argparser.add_argument(
"-c",
"--aetscu",
default="ANY-SCU",
help=
"Application Entity Title (AET) of Service Class User (SCU) i.e. "
"the calling AET( client/expliot). Default is 'ANY-SCU' string.",
)
self.argparser.add_argument(
"-s",
"--aetscp",
default="ANY-SCP",
help=
"Application Entity Title (AET) of Service Class Provider (SCP) "
"i.e. the called AET (DICOM server). Default is 'ANY-SCP' string.",
)
self.argparser.add_argument(
"-f",
"--file",
help="Specify the DICOM file to read and send to the SCP.")
def __init__(self):
"""Initialize the test."""
super().__init__(
name="baudscan",
summary="Baud rate scanner for serial connection",
descr="This test helps in identifying the correct baud rate of the "
"serial connection to a UART port on the hardware. It enumerates "
"over a list of baud rates and analyzes the date read over a serial "
"connection for ascii to identify the correct baud rate. You need "
"to connect the UART port of the device using a USBTTL connector "
"(Expliot Nano supports UART too) to your machine running expliot. "
"This test is inspired by devttys0's baudrate.py and the percent idea "
"taken from IoTSecFuzz tool. Thank you devttys0 and IoTSecFuzz Team!",
author="Aseem Jakhar",
email="*****@*****.**",
ref=[
"https://en.wikipedia.org/wiki/Universal_asynchronous_receiver-transmitter"
],
category=TCategory(TCategory.UART, TCategory.HW,
TCategory.ANALYSIS),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-b",
"--bauds",
default="1200,2400,4800,9600,19200,38400,57600,115200",
help=
"A comma separated list of baud rates that you want to scan. If "
"not specified, it will scan for default baud rates (1200, 2400, "
"4800, 9600, 19200, 38400, 57600 and 115200).",
)
self.argparser.add_argument(
"-p",
"--port",
default="/dev/ttyUSB0",
help="The device port on the system. Default is /dev/ttyUSB0",
)
self.argparser.add_argument(
"-c",
"--count",
type=int,
default=30,
help="Total count of bytes to read per baud rate. Default is 30",
)
self.argparser.add_argument(
"-t",
"--timeout",
type=float,
default=3,
help="Read timeout, in secs, for each baud rate test. Default is 3",
)
self.argparser.add_argument(
"-v",
"--verbose",
action="store_true",
help="Show verbose output i.e. data read from the device",
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="pub",
summary="MQTT Publisher",
descr="This test case publishes a message on a topic to a"
"specified MQTT broker on a specified port.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=[MQTT_REFERENCE],
category=TCategory(TCategory.MQTT, TCategory.SW, TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-r",
"--rhost",
required=True,
help="Hostname/IP address of the target MQTT broker",
)
self.argparser.add_argument(
"-p",
"--rport",
default=DEFAULT_MQTT_PORT,
type=int,
help="Port number of the target MQTT broker. Default is 1883",
)
self.argparser.add_argument(
"-t",
"--topic",
required=True,
help="Topic name on which message has to be published",
)
self.argparser.add_argument(
"-m",
"--msg",
required=True,
help="Message to be published on the specified topic",
)
self.argparser.add_argument(
"-i",
"--id",
help="The client ID to be used for the connection. Default is "
"random client ID",
)
self.argparser.add_argument(
"-u",
"--user",
help="Specify the user name to be used. If not specified, it "
"connects without authentication",
)
self.argparser.add_argument(
"-w",
"--passwd",
help="Specify the password to be used. If not specified, it "
"connects with without authentication",
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="writecan",
summary="CAN bus writer",
descr="This plugin allows you to write message(s) on the CAN bus "
"e.g, send a data frame. As of now it uses socketcan but if "
"you want to extend it to other interfaces, just open an issue "
"on the official expliot project repository.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=["https://en.wikipedia.org/wiki/CAN_bus"],
category=TCategory(TCategory.CAN, TCategory.HW,
TCategory.ANALYSIS),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument("-i",
"--iface",
default="vcan0",
help="Interface to use. Default is vcan0")
self.argparser.add_argument(
"-a",
"--arbitid",
required=True,
type=lambda x: int(x, 0),
help="Specify the arbitration ID. For hex value prefix it with 0x",
)
self.argparser.add_argument(
"-e",
"--exid",
action="store_true",
help="Specify this option if using extended format --arbitid",
)
self.argparser.add_argument(
"-d",
"--data",
required=True,
help=
"Specify the data to write, as hex stream, without the 0x prefix",
)
self.argparser.add_argument(
"-c",
"--count",
type=int,
default=1,
help="Specify the no. of messages to write. Default is 1",
)
self.argparser.add_argument(
"-w",
"--wait",
type=float,
help="Specify the wait time, in seconds, between each consecutive "
"message write. Default is to not wait between writes. You "
"may use float values as well, e.g. 0.5",
)
def __init__(self):
super().__init__(
name="writeeeprom",
summary="I2C EEPROM Writer",
descr=
"""This plugin writes data to an I2C EEPROM chip. It needs an FTDI interface to
write data to the target EEPROM chip. You can buy an FTDI device online. If you
are interested we have an FTDI based product - 'Expliot Nano' which you can
order online from www.expliot.io This plugin uses pyi2cflash package which in
turn uses pyftdi python driver for ftdi chips. For more details on supported
I2C EEPROM chips, check the readme at https://github.com/eblot/pyi2cflash Thank
you Emmanuel Blot for pyi2cflash. You may want to run it as root in case you
get a USB error related to langid""",
author="Aseem Jakhar",
email="*****@*****.**",
ref=["https://github.com/eblot/pyspiflash"],
category=TCategory(TCategory.I2C, TCategory.HW,
TCategory.ANALYSIS),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC))
self.argparser.add_argument(
"-a",
"--addr",
default=0,
type=int,
help=
"""Specify the start address where data is to be written. Default is 0"""
)
self.argparser.add_argument(
"-u",
"--url",
default="ftdi:///1",
help=
"""URL of the connected FTDI device. Default is "ftdi:///1". For more details
on the URL scheme check https://eblot.github.io/pyftdi/urlscheme.html"""
)
self.argparser.add_argument(
"-c",
"--chip",
required=True,
help=
"""Specify the chip. Supported chips are 24AA32A, 24AA64, 24AA128, 24AA256,
24AA512""")
self.argparser.add_argument(
"-d",
"--data",
help=
"Specify the data to write, as hex stream, without the 0x prefix")
self.argparser.add_argument(
"-r",
"--rfile",
help="""Specify the file path from where data is to be read. This
takes precedence over --data option i.e if both options
are specified --data would be ignored"""
)
self.slaveaddr = 0x50
def __init__(self):
"""Initialize the test."""
super().__init__(
name="readeeprom",
summary="I2C EEPROM Reader",
descr=DESCRIPTION,
author="Aseem Jakhar",
email="*****@*****.**",
ref=["https://github.com/eblot/pyi2cflash"],
category=TCategory(TCategory.I2C, TCategory.HW,
TCategory.ANALYSIS),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-a",
"--addr",
default=0,
type=int,
help=
"Specify the start address from where data is to be read. Default is 0",
)
self.argparser.add_argument(
"-l",
"--length",
type=int,
help=
"Specify the total length of data, in bytes, to be read from the start "
"address. If not specified, it reads till the end",
)
self.argparser.add_argument(
"-u",
"--url",
default=DEFAULT_FTDI_URL,
help="URL of the connected FTDI device. Default is {}. "
"For more details on the URL scheme check "
"https://eblot.github.io/pyftdi/urlscheme.html".format(
DEFAULT_FTDI_URL),
)
self.argparser.add_argument(
"-c",
"--chip",
required=True,
help="Specify the chip. Supported chips are 24AA32A, 24AA64, "
"24AA128, 24AA256, 24AA512",
)
self.argparser.add_argument(
"-w",
"--wfile",
help="Specify the file path where data, read from the i2c chip, "
"is to be written. If not specified output the data on the terminal",
)
self.slaveaddr = 0x50
def __init__(self):
super().__init__(
name="devinfo",
summary="Displays Zigbee Auditor device information",
descr="This plugin displays information about Zigbee Auditor.",
author="Dattatray Hinge",
email="*****@*****.**",
ref=["Reference: Zigbee Auditor user manual"],
category=TCategory(TCategory.ZB_AUDITOR, TCategory.RD,
TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="hijack",
summary="Kankun SmartPlug Hijacker",
descr="This test case connects to the Kankun SmartPlug and sends"
"unauthorized switch ON/OFF commands to it. If you don't "
"know the password, try with the default or sniff the network "
"for UDP packets as the commands containing the password are "
"broadcasted. You can decrypt the packets easily using the AES "
"key which is published.",
author="Aseem Jakhar and Sneha Rajguru",
email="*****@*****.**",
ref=["https://payatu.com/hijacking-kankun/"],
category=TCategory(TCategory.UDP, TCategory.SW, TCategory.EXPLOIT),
target=TTarget("kankun", "1.0", "ikonke.com"),
)
self.argparser.add_argument("-r",
"--rhost",
required=True,
help="IP address of Kankun smart plug")
self.argparser.add_argument(
"-p",
"--rport",
default=27431,
type=int,
help="Port number of the smart plug service. Default is 27431",
)
self.argparser.add_argument(
"-m",
"--rmac",
required=True,
help="MAC address of Kankun smartplug. Use colon delimited format "
"with hex digits in small letters ex. ff:ee:dd:00:01:02",
)
self.argparser.add_argument(
"-w",
"--passwd",
default="nopassword",
help=
'The password (if any) for Kankun. Default is the string "nopassword"',
)
self.argparser.add_argument(
"-c",
"--cmd",
required=True,
help=
"The command to send to the smartplug. Valid commands are on / off",
)
self.key = "fdsl;mewrjope456fds4fbvfnjwaugfo"
def __init__(self):
"""Initialize the test."""
super().__init__(
name="uartscan",
summary="UART port scan",
descr="This plugin scans UART port, UART pins (Tx, Rx) and "
" Baudrate on the target hardware. You need to connect Bus "
"Auditor channels (pins) to the suspected pinouts on the target "
"pcb board. Bus Auditor pins must be connected in a sequential "
"range and specified by the start and end pin arguments. "
"When Rx pin is not active on target, and more than two pins are "
"selected for scan, this will give you possible Rx and Tx pins "
"combinations. If you are seeing permission issues, kindly add a "
"udev rule for your user for the Bus Auditor device.",
author="Dattatray Hinge",
email="*****@*****.**",
ref=[UART_REFERENCE],
category=TCategory(TCategory.BUS_AUDITOR, TCategory.HW,
TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-s",
"--start",
type=int,
default=DEFAFULT_START,
help="First Bus Auditor channel for the scan. If not specified, "
"it will start the scan from channel ({})".format(DEFAFULT_START),
)
self.argparser.add_argument(
"-e",
"--end",
type=int,
default=DEFAFULT_END,
help="Last Bus Auditor channel for the scan. If not specified, "
"it will scan until channel ({})".format(DEFAFULT_END),
)
self.argparser.add_argument(
"-v",
"--volts",
type=str,
default=DEFAULT_VOLTS,
help="Target voltage out. "
"Supported target volts are ({}), ({}), and ({}) If not specified, "
"target voltage will be ({}) volts".format(VOLTAGE_RANGE[0],
VOLTAGE_RANGE[1],
VOLTAGE_RANGE[2],
DEFAULT_VOLTS),
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="devinfo",
summary="BusAuditor device information",
descr="This plugin displays information about BusAuditor device.",
author="Dattatray Hinge",
email="*****@*****.**",
ref=[BUSAUDITOR_REFERENCE],
category=TCategory(TCategory.BUS_AUDITOR, TCategory.HW,
TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="c-echo",
summary="DICOM Connection Checker",
descr=
"This test case sends a C-ECHO command i.e. attempts to associate "
"with the DICOM server (SCP - Service class Provider) and checks "
"if we get a response from the server. It is a good way to identify "
"if the server is running and we can connect with it i.e. the "
"first step in pen testing DICOM.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=[
REFERENCE,
"http://dicom.nema.org/MEDICAL/dicom/2016a/output/chtml/part07/sect_9.3.5.html",
],
category=TCategory(TCategory.DICOM, TCategory.SW, TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-r",
"--rhost",
required=True,
help="The hostname/IP address of the target DICOM Server (SCP)",
)
self.argparser.add_argument(
"-p",
"--rport",
default=104,
type=int,
help=
"The port number of the target DICOM Server (SCP). Default is 104",
)
self.argparser.add_argument(
"-c",
"--aetscu",
default="ANY-SCU",
help=
"Application Entity Title (AET) of Service Class User (SCU) i.e. "
"the calling AET (client/expliot). Default is 'ANY-SCU' string.",
)
self.argparser.add_argument(
"-s",
"--aetscp",
default="ANY-SCP",
help=
"Application Entity Title (AET) of Service Class Provider (SCP) i.e. "
"the called AET (DICOM server). Default is 'ANY-SCP' string.",
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="unlock",
summary="Tapplock unlock",
descr="This plugin allows you to unlock the Tapplocks in close "
"(BLE) proximity. It was made possible by @cybergibbons "
"research on the same and he was kind enough to share his "
"code. NOTE: This plugin needs root privileges. You may run"
"it as $ sudo expliot. Thanks to @slawekja for providing "
"the default key1 (01020304) and serial (00000000) values "
"for earlier version of Tapplock.",
author="Aseem Jakhar (Original code provided by @cybergibbons)",
email="*****@*****.**",
ref=[
"https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/"
],
category=TCategory(TCategory.BLE, TCategory.RD, TCategory.EXPLOIT),
target=TTarget("Tapplock", "1.0", "Tapplock"),
needroot=True,
)
self.argparser.add_argument(
"-i",
"--iface",
default=0,
type=int,
help=
"HCI interface no. to use for scanning. 0 = hci0, 1 = hci1 and so on. Default is 0",
)
self.argparser.add_argument(
"-a",
"--addr",
help="BLE Address of specific Tapplock that you want to unlock. "
"If not specified, it will scan and attempt to unlock all the Tapplocks found",
)
self.argparser.add_argument(
"-d",
"--default",
action="store_true",
default=False,
help="Use default key1 (01020304) and Serial (00000000) instead of"
"generating them from the BLE address",
)
self.argparser.add_argument(
"-t",
"--timeout",
default=2,
type=int,
help="Scan timeout. Default is 2 seconds",
)
def __init__(self):
"""Initialize the test."""
super().__init__(
name="crackauth",
summary="MQTT authentication cracker",
descr="This test case attempts to crack the MQTT authentication "
"with the specified credentials. You need specify the user "
"and password or password dictionary.",
author="Aseem Jakhar",
email="*****@*****.**",
ref=[MQTT_REFERENCE],
category=TCategory(TCategory.MQTT, TCategory.SW,
TCategory.ANALYSIS),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-r",
"--rhost",
required=True,
help="Hostname/IP address of the target MQTT broker",
)
self.argparser.add_argument(
"-p",
"--rport",
default=DEFAULT_MQTT_PORT,
type=int,
help="Port number of the target MQTT broker. Default is 1883",
)
self.argparser.add_argument(
"-i",
"--id",
help="The client ID to be used for the connection. Default is "
"random client ID",
)
self.argparser.add_argument("-u",
"--user",
help="Specify the user name to be used")
self.argparser.add_argument("-w",
"--passwd",
help="Specify the password to be used")
self.argparser.add_argument(
"-f",
"--pfile",
help="Specify the file containing passwords, one per line. If "
"this option is present, --passwd option will be ignored",
)
self.argparser.add_argument("-v",
"--verbose",
action="store_true",
help="Show verbose output")
def __init__(self):
"""Initialize the test."""
super().__init__(
name="swdscan",
summary="SWD port scan",
descr="This plugin scans SWD port and SWD pins (SW_CLK, SW_DIO) "
"on the target hardware. You need to connect Bus Auditor channels "
"(pins) to the suspected pinouts on the target pcb board. "
"Bus Auditor pins must be connected in a sequential range and "
"specified by the start and end pin arguments."
"If you are seeing permission issues, kindly add a udev rule for "
"your user for the Bus Auditor device.",
author="Dattatray Hinge",
email="*****@*****.**",
ref=[SWD_REFERENCE],
category=TCategory(TCategory.BUS_AUDITOR, TCategory.HW,
TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
)
self.argparser.add_argument(
"-s",
"--start",
type=int,
default=DEFAFULT_START,
help="First Bus Auditor channel for the scan. If not specified, "
"it will start the scan from channel ({})".format(DEFAFULT_START),
)
self.argparser.add_argument(
"-e",
"--end",
type=int,
default=DEFAFULT_END,
help="Last Bus Auditor channel for the scan. If not specified, "
"it will scan until channel ({})".format(DEFAFULT_END),
)
self.argparser.add_argument(
"-v",
"--volts",
type=str,
default=DEFAULT_VOLTS,
help="Target voltage out. "
"Supported target volts are ({}), ({}), and ({}) If not specified, "
"target voltage will be ({}) volts".format(VOLTAGE_RANGE[0],
VOLTAGE_RANGE[1],
VOLTAGE_RANGE[2],
DEFAULT_VOLTS),
)
def __init__(self):
super().__init__(
name="sniffer",
summary="IEEE 802.15.4 packet sniffer",
descr="This plugin captures IEEE 802.15.4 packets on a specified "
"channel and saves them in pcap format.",
author="Dattatray Hinge",
email="*****@*****.**",
ref=[
"https://www.zigbee.org/wp-content/uploads/2014/11/docs-05-3474-20-0csg-zigbee-specification.pdf"
],
category=TCategory(TCategory.ZB_AUDITOR, TCategory.RD,
TCategory.RECON),
target=TTarget(TTarget.GENERIC, TTarget.GENERIC, TTarget.GENERIC),
needroot=True,
)
self.argparser.add_argument(
"-c",
"--channel",
type=int,
required=True,
help="IEEE 802.15.4 2.4 GHz channel to sniff for Zigbee packets",
)
self.argparser.add_argument(
"-f",
"--filepath",
required=True,
help="PACP file name to save packet dump file.",
)
self.argparser.add_argument(
"-n",
"--count",
default=65535,
type=int,
help="Number of packets to be captured before plugin stop. "
"Default is 65535 packets.",
)
self.argparser.add_argument(
"-t",
"--timeout",
default=0,
type=int,
help="Sniffer timeout in seconds. "
"Default is 0 seconds to mean keep running",
)
