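def nmap_scan(ip, fileHandle, tcp=True, top1024=True):
	"""Portscan a host and append the timed result to fileHandle.

	Runs a TCP scan (-sV together with -A) by default, or a UDP scan (-sU)
	when tcp is False.  The port range is 1-1024 unless top1024 is False,
	in which case 1-65535 is scanned.

	nmap options:
		-v:	verbose
		-A:	Enable OS detection, version detection, script scanning, and traceroute
		-n:	Do not resolve symbolic names (i.e. no dns lookups)

	Args:
		ip: target host, passed to nmap unchanged.
		fileHandle: open, writable file the elapsed time and the raw
			stdout/stderr of the run are appended to.
		tcp: True for a TCP scan, False for a UDP scan.
		top1024: True to scan ports 1-1024, False to scan 1-65535.

	Returns:
		The stdout text of the nmap run.
	"""
	ports = "1-1024" if top1024 else "1-65535"

	# Only the scan-type flags differ between the two modes; the rest of
	# the invocation and the report writing were duplicated in both
	# branches, so build the argument list once and share the tail.
	if tcp:
		scan_flags = ["-A", "-p", ports, "-sV"]
	else:
		scan_flags = ["-p", ports, "-sU"]

	start = timer()
	out, err = common.runCommand(["nmap", "-v", "-n"] + scan_flags + [ip])
	end = timer()

	fileHandle.write("%s seconds to complete.\n" % (end - start))
	fileHandle.write("===STD OUT===\n")
	fileHandle.write(out)
	fileHandle.write("\n===STD ERR===\n")
	fileHandle.write(err)
	return out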
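def extract_details(ip, fileHandle, password):
	"""Walk four Windows-related SNMP subtrees on a host and record the output.

	Each OID is queried with snmpwalk over SNMP v1.  The per-OID stdout is
	concatenated under a section heading, the per-OID stderr is concatenated
	in the same order, and both are written to fileHandle together with the
	total elapsed time.

	Args:
		ip: target host.
		fileHandle: open, writable file the report is appended to.
		password: SNMP community string.  It is handed to snmpwalk as the
			"-c" command-line argument, so it appears in that process's
			argument list for the duration of each call.

	Returns:
		None.
	"""
	# (heading, OID) pairs in the order they appear in the report:
	# users, running processes, open TCP ports, installed software.
	sections = [
		("Windows Users\n", "1.3.6.1.4.1.77.1.2.25"),
		("Running Windows Processes\n", "1.3.6.1.2.1.25.4.2.1.2"),
		("Open TCP Ports\n", "1.3.6.1.2.1.6.13.1.3"),
		("Installed Software\n", "1.3.6.1.2.1.25.6.3.1.2"),
	]

	fileHandle.write("===SNMPWALK===\n")
	start = timer()
	out_parts = []
	err_parts = []
	for heading, oid in sections:
		out, err = common.runCommand(["snmpwalk", "-c", password, "-v1", ip, oid])
		out_parts.append(heading)
		out_parts.append(out)
		err_parts.append(err)
	end = timer()

	fileHandle.write("%s seconds to complete.\n" % (end - start))
	fileHandle.write("===STD OUT===\n")
	fileHandle.write("".join(out_parts))
	fileHandle.write("\n===STD ERR===\n")
	fileHandle.write("".join(err_parts))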
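def doSMBscans(ip, outputDir):
    """NSE Scan a host with SMB, then run nbtscan and enum4linux against it.

    The output of all three tools, each preceded by a section header, its
    elapsed time and its raw stdout/stderr, is written to the file
    "<ip>-<SMB_FILE>" inside outputDir.

    nmap options:
        --script:   Run nmap scripts

    Args:
        ip: target host.
        outputDir: directory the report file is created in.

    Returns:
        The stdout text of the last tool run (enum4linux).
    """
    smbFile = "%s-%s" % (ip, SMB_FILE)

    def run_section(f, header, cmd):
        """Run cmd and write its header, timing and raw output to f; return stdout."""
        f.write(header)
        start = timer()
        out, err = common.runCommand(cmd)
        end = timer()
        f.write("%s seconds to complete.\n" % (end - start))
        f.write("===STD OUT===\n")
        f.write(out)
        f.write("\n===STD ERR===\n")
        f.write(err)
        return out

    # `with` closes (and flushes) the report even if one of the tools
    # raises part-way through; the original only closed on the happy path.
    with open(os.path.join(outputDir, smbFile), 'w') as f:
        now = datetime.datetime.now()
        f.write("%s\n" % str(now))

        # "-p" and the port list are separate argv entries.  The original
        # passed a single "-p 445,139"-style token, which hands nmap a port
        # argument with a leading space.
        run_section(f, "===NMAP NSE===\n", [
            "nmap", "-v", "-sV",
            "-p", ",".join(common.SMB_PORTS), "--script", "*smb*.nse", ip
        ])
        # Every section header now ends in "\n"; the nbtscan and enum4linux
        # headers used to run straight into the timing line.
        run_section(f, "===NBTSCAN===\n", ["nbtscan", "-r", ip])
        out = run_section(f, "===enum4linux===\n", ["enum4linux", "-a", ip])

    return out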
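def onetwopunch_scan(ip, fileHandle, tcp=False):
	"""Portscan a host with onetwopunch and append the timed result to fileHandle.

	onetwopunch options:
		-t:		target list file (one host per line)
		-p:		port range is all or just tcp
		-i tap0:	Make sure you direct it out the right interface
		-A:		Enable OS detection, version detection, script scanning, and traceroute

	Args:
		ip: target host; written as the only entry of the target list.
		fileHandle: open, writable file the elapsed time and the raw
			stdout/stderr of the run are appended to.
		tcp: True to scan only TCP ("-p tcp"), False for "-p all".

	Returns:
		The stdout text of the onetwopunch run.
	"""
	import os
	import tempfile

	ports = "tcp" if tcp else "all"

	# The target list goes into a private, uniquely named temporary file
	# instead of the fixed, world-shared /tmp/target.txt: a fixed name in a
	# shared directory can be pre-created by another local user, and two
	# concurrent scans would overwrite each other's target.
	fd, target_path = tempfile.mkstemp(prefix="target-", suffix=".txt", text=True)
	try:
		with os.fdopen(fd, 'w') as tmp:
			tmp.write("%s\n" % ip)

		start = timer()
		out, err = common.runCommand([ONE_TWO_PUNCH_LOC, "-t", target_path, "-p", ports, "-i", "tap0", "-n", "-A"])
		end = timer()
	finally:
		# Remove the target list once the scan has finished or failed.
		try:
			os.unlink(target_path)
		except OSError:
			pass

	fileHandle.write("%s seconds to complete.\n" % (end - start))
	fileHandle.write("===STD OUT===\n")
	fileHandle.write(out)
	fileHandle.write("\n===STD ERR===\n")
	fileHandle.write(err)
	return out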
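def ping(ip, outputDir):
	"""Ping a host
	Ping Options:
		-c 5:	Send 5 packets
		-n:	Do not resolve symbolic names (i.e. no dns lookups)

	Pings a host 5 times, saves the results to "<ip>-<PING_FILE>" under
	outputDir, and then returns whether at least one reply was received.

	Args:
		ip: target host; also used to name the output file.
		outputDir: directory the output file is created in.

	Returns:
		True if the ping summary reports one or more packets received,
		False otherwise (including when no summary line is found).
	"""
	# Name the file after the `ip` argument, not the global `args.ip`:
	# the two differ as soon as this is called for any host other than
	# the one given on the command line.
	pingFile = "%s-%s" % (ip, PING_FILE)

	# `with` closes the file even if runCommand raises.
	with open(os.path.join(outputDir, pingFile), 'w') as f:
		now = datetime.datetime.now()
		f.write("%s\n" % str(now))

		start = timer()
		out, err = common.runCommand(["ping", "-c", "5", "-n", ip])
		end = timer()

		f.write("%s seconds to complete.\n" % (end - start))
		f.write("===STD OUT===\n")
		f.write(out)
		f.write("\n===STD ERR===\n")
		f.write(err)

	# Summary line looks like "5 packets transmitted, 3 received, ...";
	# capture the count in a group instead of re-searching the match, and
	# accept any digit count rather than only 0-5.
	res = re.search(r"(\d+) received", out)
	return bool(res) and int(res.group(1)) > 0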
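def dirb_scan(ip, fileHandle, wordlist="/root/SecLists/Discovery/Web-Content/big.txt"):
	"""Run dirb against http://<ip>/ and append the timed result to fileHandle.

	Args:
		ip: target host; only plain HTTP on the default port is requested.
		fileHandle: open, writable file the elapsed time and the raw
			stdout/stderr of the run are appended to.
		wordlist: path of the wordlist handed to dirb.  Defaults to the
			path that used to be hard-coded, so existing callers are
			unaffected.

	Returns:
		None.
	"""
	fileHandle.write("===dirb===\n")
	start = timer()
	# -r: do not recurse into directories dirb finds.
	out, err = common.runCommand(["dirb", "http://%s/" % ip, wordlist, "-r"])
	end = timer()
	fileHandle.write("%s seconds to complete.\n" % (end - start))
	fileHandle.write("===STD OUT===\n")
	fileHandle.write(out)
	fileHandle.write("\n===STD ERR===\n")
	fileHandle.write(err)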
def curl_grab(ip, fileHandle):
	"""Request a host with `curl -v` and record the result.

	No scheme is added to `ip`, so curl's default applies.  A "===CURL==="
	section, the elapsed time and the raw stdout/stderr of the run are
	written to fileHandle.
	"""
	fileHandle.write("===CURL===\n")
	started_at = timer()
	stdout_text, stderr_text = common.runCommand(["curl", "-v", ip])
	elapsed = timer() - started_at

	report = [
		"%s seconds to complete.\n" % elapsed,
		"===STD OUT===\n",
		stdout_text,
		"\n===STD ERR===\n",
		stderr_text,
	]
	for chunk in report:
		fileHandle.write(chunk)
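def nmap_nse_scan(ip, fileHandle):
	"""NSE scan a host's SNMP port with nmap and append the result to fileHandle.

	nmap options:
		-sV:		service/version detection
		--script:	Run nmap scripts (every *snmp*.nse script here)

	Args:
		ip: target host.
		fileHandle: open, writable file the elapsed time and the raw
			stdout/stderr of the run are appended to.

	Returns:
		None.
	"""
	fileHandle.write("===NMAP NSE===\n")
	start = timer()
	# "-p" and the port are separate argv entries; the original's single
	# "-p <port>" token reached nmap as one argument with an embedded space.
	out, err = common.runCommand(["nmap", "-v", "-sV", "-p", "%s" % common.SNMP_PORT, "--script", "*snmp*.nse", ip])
	end = timer()
	fileHandle.write("%s seconds to complete.\n" % (end - start))
	fileHandle.write("===STD OUT===\n")
	fileHandle.write(out)
	fileHandle.write("\n===STD ERR===\n")
	fileHandle.write(err)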
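def nmap_nse_scan(ip, fileHandle):
	"""NSE Scan a host with HTTP
	nmap options:
		-sV:		service/version detection
		--script:	Run nmap scripts (every *http*.nse script here)

	Args:
		ip: target host; ports 80 and 443 are scanned.
		fileHandle: open, writable file the elapsed time and the raw
			stdout/stderr of the run are appended to.

	Returns:
		None.
	"""
	fileHandle.write("===NMAP NSE===\n")
	start = timer()
	# "-p" and the port list are separate argv entries; the original's
	# single "-p 80,443" token reached nmap as one argument with an
	# embedded space.
	out, err = common.runCommand(["nmap", "-v", "-sV", "-p", "80,443", "--script", "*http*.nse", ip])
	end = timer()
	fileHandle.write("%s seconds to complete.\n" % (end - start))
	fileHandle.write("===STD OUT===\n")
	fileHandle.write(out)
	fileHandle.write("\n===STD ERR===\n")
	fileHandle.write(err)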
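def hydra_scan(ip, fileHandle, wordlist="/root/SecLists/Discovery/SNMP/common-snmp-community-strings.txt"):
	"""Test SNMP community strings from a wordlist with hydra and record the result.

	hydra options:
		-P:	file of candidate community strings
		-f:	stop after the first valid one

	Hydra's complete stdout, including any community string it reports, is
	written to fileHandle, so the report file itself contains a credential
	whenever the run succeeds.

	Args:
		ip: target host.
		fileHandle: open, writable file the elapsed time and the raw
			stdout/stderr of the run are appended to.
		wordlist: path of the community-string list.  Defaults to the path
			that used to be hard-coded, so existing callers are unaffected.

	Returns:
		The value following the first "password: " in hydra's stdout
		(possibly an empty string), or None if hydra reported none.
	"""
	fileHandle.write("===HYDRA===\n")
	start = timer()
	out, err = common.runCommand(["hydra", "-P", wordlist, "-v", ip, "-f", "snmp"])
	end = timer()
	fileHandle.write("%s seconds to complete.\n" % (end - start))
	fileHandle.write("===STD OUT===\n")
	fileHandle.write(out)
	fileHandle.write("\n===STD ERR===\n")
	fileHandle.write(err)

	# Raw string: "\S" in a plain string literal is an invalid escape that
	# newer Pythons warn about.  The capture group replaces the original
	# findall + split(" ")[1] on the first match and yields the same text.
	match = re.search(r"password: (\S*)", out)
	return match.group(1) if match else None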
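def nmap_nse_scan(ip, fileHandle):
    """NSE Scan a host with smtp
    nmap options:
        -sV:        service/version detection
        --script:   Run nmap scripts (every *smtp*.nse script here)

    Args:
        ip: target host.
        fileHandle: open, writable file the elapsed time and the raw
            stdout/stderr of the run are appended to.

    Returns:
        None.
    """
    fileHandle.write("===nmap NSE===\n")
    start = timer()
    # The original list had `"-p %s" % common, SMTP_PORT`: the comma split it
    # into a "-p <module repr>" argument plus a bare, undefined SMTP_PORT
    # name.  The port comes from common.SMTP_PORT and is passed as its own
    # argv entry after "-p".
    out, err = common.runCommand([
        "nmap", "-v", "-sV",
        "-p", "%s" % common.SMTP_PORT, "--script", "*smtp*.nse", ip
    ])
    end = timer()
    fileHandle.write("%s seconds to complete.\n" % (end - start))
    fileHandle.write("===STD OUT===\n")
    fileHandle.write(out)
    fileHandle.write("\n===STD ERR===\n")
    fileHandle.write(err)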
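def onesixtyone_scan(ip, fileHandle, wordlist="/root/SecLists/Discovery/SNMP/common-snmp-community-strings.txt"):
	"""Run onesixtyone against a host with a community-string list and record the result.

	The host is written to a temporary target file handed to onesixtyone
	with "-i"; the list of candidate community strings is passed with "-c".
	Onesixtyone's complete stdout is written to fileHandle, so the report
	file contains any community string the tool reports.

	Args:
		ip: target host.
		fileHandle: open, writable file the elapsed time and the raw
			stdout/stderr of the run are appended to.
		wordlist: path of the community-string list.  Defaults to the path
			that used to be hard-coded, so existing callers are unaffected.

	Returns:
		The first "[...]"-bracketed span in onesixtyone's stdout, or None
		if there is none.
	"""
	import os
	import tempfile

	# A private, uniquely named temporary file replaces the fixed,
	# world-shared /tmp/target.txt: a fixed name in a shared directory can
	# be pre-created by another local user, and concurrent runs would
	# overwrite each other's target.
	fd, target_path = tempfile.mkstemp(prefix="target-", suffix=".txt", text=True)
	try:
		with os.fdopen(fd, 'w') as tmp:
			tmp.write("%s\n" % ip)

		fileHandle.write("===onesixtyone===\n")
		start = timer()
		out, err = common.runCommand([ONE_SIXTY_ONE_LOC, "-c", wordlist, "-i", target_path])
		end = timer()
	finally:
		# Remove the target list once the run has finished or failed.
		try:
			os.unlink(target_path)
		except OSError:
			pass

	fileHandle.write("%s seconds to complete.\n" % (end - start))
	fileHandle.write("===STD OUT===\n")
	fileHandle.write(out)
	fileHandle.write("\n===STD ERR===\n")
	fileHandle.write(err)

	# Raw string: "\[" in a plain literal is an invalid escape that newer
	# Pythons warn about.  search() returns the same first match the
	# original findall-then-return loop did.
	match = re.search(r"\[.*\]", out)
	return match.group(0) if match else None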