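    def brute(self):
        """Brute-force URL paths with wfuzz, then HTTP Basic credentials with hydra.

        Side effects: runs ``wfuzz`` (results in wfuzz.html / wfuzz.txt) and a
        ``curl -kLI`` probe of ``self.url``. Only when the probe answers with a
        ``WWW-Authenticate: Basic`` challenge does it call ``do_bruteforce``
        with the bundled word lists (skipped under ``config.ONLY_CUSTOM_BRUTE``)
        and with any custom lists configured in ``config``. Returns nothing.
        """
        import shlex  # function-scope: the module's import block is not visible here

        # Bruteforce URLs. utils.run_cmd hands this string to a shell (note the
        # pipe to tee), so every interpolated value is shell-quoted: the URL may
        # come from discovery data (vhosts, redirects) the target influences and
        # a quote or metacharacter in it must not become part of the command.
        cmd = "wfuzz -w %s -c -u %s -L --hc 400,403,404,405,500,501,502,503 -f %s|tee %s" % (
            shlex.quote(self.get_resource_path('urls.txt')),
            shlex.quote(self.url + '/FUZZ'),
            shlex.quote(self.get_output_path('wfuzz.html') + ',html'),
            shlex.quote(self.get_output_path('wfuzz.txt')))
        utils.run_cmd(cmd)

        # Detect HTTP Basic authentication. curl gets an argv list instead of
        # shell=True so the URL is never parsed by a shell. -k ignores TLS
        # certificate errors, -L follows redirects, -I sends a HEAD request.
        try:
            headers = subprocess.check_output(['curl', '-kLI', self.url])
        except (subprocess.CalledProcessError, OSError) as exc:
            # A failed probe (host gone, curl missing) should not abort the whole
            # HTTP module; without headers there is nothing to brute-force.
            utils.log('Could not probe %s for HTTP auth: %s' % (self.url, exc), 'warning')
            return
        # Header names are case-insensitive and HTTP/2 responses carry them in
        # lower case, so the comparison is case-insensitive too.
        if 'www-authenticate: basic' not in headers.decode('utf8', 'replace').lower():
            return
        utils.log('Starting HTTP bruteforce against %s' % (self.url), 'info')

        user_list = self.get_resource_path('http_users.txt')
        pass_list = self.get_resource_path('http_passwords.txt')
        userpass_list = self.get_resource_path('http_userpass.txt')
        outfile = self.get_output_path('brute.txt')
        if not config.ONLY_CUSTOM_BRUTE:
            # Bundled lists: user x password combinations, then login:pass pairs.
            self.do_bruteforce(outfile, user_list=user_list, pass_list=pass_list)
            self.do_bruteforce(outfile, userpass_list=userpass_list)
        if config.CUSTOM_USER_LIST:
            outfile = self.get_output_path('brute_custom1.txt')
            self.do_bruteforce(outfile, user_list=config.CUSTOM_USER_LIST, pass_list=config.CUSTOM_PASS_LIST)
        if config.CUSTOM_USERPASS_LIST:
            outfile = self.get_output_path('brute_custom2.txt')
            self.do_bruteforce(outfile, userpass_list=config.CUSTOM_USERPASS_LIST)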
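def _port_scan(target, output_dir):
    """Port-scan one host with nmap and leave a single merged XML per host.

    Runs a TCP connect scan (``-sT``) and a UDP scan (``-sU``) of ``target``
    into ``output_dir/target/ports-tcp.xml`` and ``ports-udp.xml``, merges them
    with ``utils.merge_nmap_files`` into ``port-scan.xml`` and removes the two
    partial files. If the merged file parses to no results, the per-host
    directory is deleted. ``config.FULL_SCAN`` selects all TCP ports and all
    UDP ports at ``-T4``; otherwise nmap's default TCP ports at ``-T5`` and the
    200 most common UDP ports are scanned. Returns nothing.
    """
    import shlex  # function-scope: the module's import block is not visible here

    output_path = os.path.join(output_dir, target)
    # makedirs also creates a missing output_dir and tolerates a directory left
    # by an earlier run, where os.mkdir would raise.
    os.makedirs(output_path, exist_ok=True)
    tcp_scan = os.path.join(output_path, "ports-tcp.xml")
    udp_scan = os.path.join(output_path, "ports-udp.xml")
    port_scan_file = os.path.join(output_path, "port-scan.xml")

    # The commands run through a shell, so the host and the paths are quoted.
    # target is a single host here (it doubles as the directory name); if it
    # came from discovery data such as reverse DNS, the scanned network chose
    # its bytes.
    quoted_target = shlex.quote(target)

    # TCP scan. NOTE: -T5 is nmap's most aggressive timing and can drop ports
    # on slow or lossy links.
    cmd = 'nmap -v -sV -sT -Pn --open -oX %s %s' % (shlex.quote(tcp_scan), quoted_target)
    if config.FULL_SCAN:
        cmd += " -p- -T4"
    else:
        cmd += " -T5"
    utils.run_cmd(cmd)
    # UDP scan. --defeat-icmp-ratelimit trades accuracy for speed on hosts that
    # rate-limit ICMP port-unreachable replies.
    cmd = 'nmap -v -n -sV --defeat-icmp-ratelimit -Pn -sU -T4 --open -oX %s %s' % (
        shlex.quote(udp_scan), quoted_target)
    if not config.FULL_SCAN:
        cmd += " --top-ports 200"
    utils.run_cmd(cmd)

    # Assumes both nmap runs wrote their XML; a missing file raises here.
    utils.merge_nmap_files([tcp_scan, udp_scan], port_scan_file)
    os.remove(tcp_scan)
    os.remove(udp_scan)
    results = utils.parse_nmap_xml(port_scan_file)
    if not results:
        utils.log("No open ports on %s, deleting directory..." % target,
                  "warning")
        shutil.rmtree(output_path)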
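 def do_bruteforce(self, outfile, user_list=None, pass_list=None, userpass_list=None):
     """Run hydra against HTTP Basic auth on ``/`` of ``self.target:self.port``.

     Either ``user_list`` and ``pass_list`` (hydra ``-L``/``-P`` plus ``-e nsr``
     for empty, same-as-login and reversed-login passwords) or ``userpass_list``
     (``-C``, one ``login:pass`` per line) must be given. ``-f`` stops at the
     first valid pair; results are written to ``outfile``. The module is
     ``https-get`` when ``self.tls`` is set, ``http-get`` otherwise. The command
     runs with ``self.output_dir`` as working directory. Returns nothing.

     Raises ValueError when no usable word list is supplied (previously this
     fell through to an UnboundLocalError on ``cmd``).
     """
     import shlex  # function-scope: the module's import block is not visible here

     if user_list and pass_list:
         opts = "-L %s -P %s -I -e nsr" % (shlex.quote(user_list), shlex.quote(pass_list))
     elif userpass_list:
         opts = "-C %s -I" % shlex.quote(userpass_list)
     else:
         raise ValueError("do_bruteforce needs user_list and pass_list, or userpass_list")
     method = 'https-get' if self.tls else 'http-get'
     # Quoted because utils.run_cmd hands the string to a shell and the target
     # may be a discovered hostname rather than operator input.
     cmd = "hydra -V %s -f -o %s -s %s %s %s /" % (
         opts, shlex.quote(outfile), shlex.quote(str(self.port)),
         shlex.quote(self.target), method)
     utils.run_cmd(cmd, wdir=self.output_dir)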
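 def do_bruteforce(self,
                   outfile,
                   user_list=None,
                   pass_list=None,
                   userpass_list=None):
     """Run hydra against HTTP Basic auth on ``/`` of ``self.target:self.port``.

     Either ``user_list`` and ``pass_list`` (hydra ``-L``/``-P``) or
     ``userpass_list`` (``-C``, one ``login:pass`` per line) must be given;
     ``-e nsr`` adds empty, same-as-login and reversed-login passwords and
     ``-f`` stops at the first valid pair. hydra's output is piped through
     ``tee`` into ``outfile``. Returns nothing.

     Raises ValueError when no usable word list is supplied (previously this
     fell through to an UnboundLocalError on ``cmd``).
     """
     import shlex  # function-scope: the module's import block is not visible here

     if user_list and pass_list:
         opts = "-L %s -P %s" % (shlex.quote(user_list), shlex.quote(pass_list))
     elif userpass_list:
         opts = "-C %s" % shlex.quote(userpass_list)
     else:
         raise ValueError("do_bruteforce needs user_list and pass_list, or userpass_list")
     # Quoted because utils.run_cmd hands the string to a shell (the pipe to
     # tee needs one) and the target may be a discovered hostname.
     cmd = "hydra %s -I -e nsr -f -s %s %s http-get / |tee %s" % (
         opts, shlex.quote(str(self.port)), shlex.quote(self.target), shlex.quote(outfile))
     utils.run_cmd(cmd)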
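def _port_scan(target, output_dir):
    """Scan one host with nmap (TCP connect, then UDP) into ``output_dir/target``.

    Writes ``ports-tcp.*`` and ``ports-udp.*`` in all nmap formats (``-oA``).
    Unless ``config.FAST_SCAN`` is set the TCP scan covers every port
    (``-p-``) and the UDP scan uses nmap's ``-F`` port set; with FAST_SCAN the
    TCP scan uses nmap's default ports and UDP is limited to ``--top-ports 20``.
    Returns nothing.
    """
    import shlex  # function-scope: the module's import block is not visible here

    output_path = os.path.join(output_dir, target)
    # makedirs also creates a missing output_dir and tolerates a directory left
    # by an earlier run, where os.mkdir would raise.
    os.makedirs(output_path, exist_ok=True)
    # The commands run through a shell, so the host and the output prefixes are
    # quoted. target is a single host here (it doubles as the directory name);
    # if it came from discovery data such as reverse DNS, the scanned network
    # chose its bytes.
    quoted_target = shlex.quote(target)

    cmd = 'nmap -v -sV -sT -Pn -T4 -n --open -oA %s %s' % (
        shlex.quote(os.path.join(output_path, 'ports-tcp')), quoted_target)
    if not config.FAST_SCAN:
        cmd += " -p-"
    utils.run_cmd(cmd)
    # --defeat-icmp-ratelimit trades accuracy for speed on hosts that
    # rate-limit ICMP port-unreachable replies.
    cmd = 'nmap -v -sV --defeat-icmp-ratelimit -Pn -sU -T4 -n --open -oA %s %s' % (
        shlex.quote(os.path.join(output_path, 'ports-udp')), quoted_target)
    if not config.FAST_SCAN:
        cmd += " -F"
    else:
        cmd += " --top-ports 20"
    utils.run_cmd(cmd)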
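    def enum(self):
        """Enumerate the web service at ``self.url``: fingerprint, dir-brute, screenshot.

        Runs whatweb (``whatweb.txt``), dirb with the bundled URL list
        (``dirb.txt``; ``-l`` prints Location headers, ``-r`` disables
        recursion) and a headless Chromium screenshot (``screenshot.png``).
        Returns nothing.
        """
        import shlex  # function-scope: the module's import block is not visible here

        utils.log('Starting HTTP enumeration against %s' % (self.url), 'info')

        # Values are shell-quoted: utils.run_cmd executes through a shell and
        # the URL/host may originate from discovery data the target influences.
        url = shlex.quote(self.url)

        cmd = "whatweb --color=never --log-brief=%s %s" % (
            shlex.quote(self.get_output_path('whatweb.txt')), url)
        utils.run_cmd(cmd)

        # NOTE(review): sibling modules spell this helper get_resource_path;
        # confirm which name this class actually defines.
        cmd = "dirb %s %s -l -r -o %s" % (url,
                                          shlex.quote(self.get_ressource_path('urls.txt')),
                                          shlex.quote(self.get_output_path('dirb.txt')))
        utils.run_cmd(cmd)

        # --no-sandbox disables Chromium's renderer sandbox while it renders
        # content served by the target, so a browser exploit on the scanned
        # site would run with this tool's privileges: run the scanner as an
        # unprivileged user inside a throwaway container or VM.
        cmd = "chromium --headless --no-sandbox --screenshot=%s %s" % (
            shlex.quote(self.get_output_path('screenshot.png')), url)
        utils.run_cmd(cmd)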
def run(target, output_dir):
    """Ping-sweep ``target`` with nmap and save the results as ``output_dir/sweep.*``.

    ``-sn`` skips port scanning, ``-n`` skips DNS resolution and ``--open``
    limits the report to responsive hosts; ``-oA`` writes normal, grepable and
    XML output. ``target`` is passed to nmap verbatim, so it may hold anything
    nmap accepts as a target specification. Returns nothing.
    """
    utils.log("Performing ping sweep on target %s" % target, "info")
    sweep_prefix = "%s/sweep" % output_dir
    utils.run_cmd("nmap -v -n --open -T4 -sn %s -oA %s" % (target, sweep_prefix))
def run(target_file, output_dir):
    """Ping-sweep every host listed in ``target_file`` (nmap ``-iL``).

    ``-sn`` skips port scanning, ``-n`` skips DNS resolution and ``--open``
    limits the report to responsive hosts; results are written as
    ``output_dir/sweep.*`` in all nmap formats. Returns nothing.
    """
    utils.log("Performing ping sweep on targets ...", "info")
    sweep_prefix = "%s/sweep" % output_dir
    cmd = " ".join(["nmap -v -n --open -sn -iL", target_file, "-oA", sweep_prefix])
    utils.run_cmd(cmd)
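 def do_bruteforce(self, outfile, user_list=None, pass_list=None, userpass_list=None):
     """Run hydra against SSH on ``self.target:self.port``.

     Either ``user_list`` and ``pass_list`` (hydra ``-L``/``-P`` plus ``-e nsr``
     for empty, same-as-login and reversed-login passwords) or ``userpass_list``
     (``-C``, one ``login:pass`` per line) must be given. ``-f`` stops at the
     first valid pair and results go to ``outfile``; the command runs in the
     module's output directory. Returns nothing.

     Raises ValueError when no usable word list is supplied (previously this
     fell through to an UnboundLocalError on ``cmd``).
     """
     import shlex  # function-scope: the module's import block is not visible here

     if user_list and pass_list:
         opts = "-L %s -P %s -I -e nsr" % (shlex.quote(user_list), shlex.quote(pass_list))
     elif userpass_list:
         opts = "-C %s -I" % shlex.quote(userpass_list)
     else:
         raise ValueError("do_bruteforce needs user_list and pass_list, or userpass_list")
     # -t 4: hydra itself recommends at most four parallel tasks for ssh, since
     # many servers cap unauthenticated connections. Arguments are shell-quoted
     # because utils.run_cmd hands the string to a shell.
     cmd = "hydra -t 4 -V %s -f -o %s ssh://%s:%s" % (
         opts, shlex.quote(outfile), shlex.quote(self.target), shlex.quote(str(self.port)))
     utils.run_cmd(cmd, wdir=self.get_output_path(''))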
def run(targets, output_dir):
    """List-scan ``targets`` (nmap ``-sL``) so every address is recorded as a target.

    No probes are sent; ``-n`` skips DNS resolution. Output goes to
    ``output_dir/sweep.*`` in all nmap formats. ``targets`` is passed to nmap
    verbatim, so it may hold any nmap target specification. Returns nothing.
    """
    utils.log("Importing target list", "info")
    sweep_prefix = os.path.join(output_dir, 'sweep')
    cmd = "nmap -n -T4 -v -sL -oA %s %s" % (sweep_prefix, targets)
    utils.run_cmd(cmd)
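 def screenshot(self, hostname):
     """Screenshot the page served for ``hostname`` on ``self.port``.

     Builds the URL with ``self.get_url`` and renders it with headless Chromium
     at 1920x1080, ignoring certificate errors, into ``sc-<hostname>.png`` in
     the output directory; Chromium's stderr is discarded and ``utils.run_cmd``
     gets a 60 s timeout. Returns nothing.
     """
     import shlex  # function-scope: the module's import block is not visible here

     url = self.get_url(hostname, self.port, self.tls)
     # Name the file after the vhost actually rendered, as the whatweb sibling
     # does: the previous name was derived from self.url only, so screenshots of
     # different hostnames on this port overwrote one another. Characters
     # outside [A-Za-z0-9._-] are replaced because the hostname may come from
     # certificate or DNS data the target controls and must not inject path
     # separators into the file name.
     safe_name = "".join(c if c.isalnum() or c in "._-" else "_" for c in hostname)
     out_png = self.get_output_path("sc-%s.png" % safe_name)
     # --no-sandbox turns off Chromium's renderer sandbox while it renders
     # target-controlled content: run this scanner unprivileged in a throwaway
     # container or VM. Arguments are shell-quoted because run_cmd uses a shell.
     cmd = "chromium --ignore-certificate-errors --disable-gpu --headless --no-sandbox --window-size=1920,1080 "\
         "--screenshot=%s %s 2>/dev/null" % (shlex.quote(out_png), shlex.quote(url))
     utils.run_cmd(cmd, timeout=60)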
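 def whatweb(self, hostname):
     """Fingerprint the web stack served for ``hostname`` on ``self.port`` with whatweb.

     Requests carry ``self.user_agent``; the brief log goes to
     ``whatweb-<hostname>.txt`` in the output directory. Returns nothing.
     """
     import shlex  # function-scope: the module's import block is not visible here

     url = self.get_url(hostname, self.port, self.tls)
     # The hostname may be discovery data (certificate SANs, DNS) the target
     # controls: keep it out of the shell (run_cmd uses one) and out of path
     # components by replacing anything outside [A-Za-z0-9._-] in the file name.
     safe_name = "".join(c if c.isalnum() or c in "._-" else "_" for c in hostname)
     cmd = "whatweb --color=never --user-agent %s --log-brief=%s %s" % (
         shlex.quote(self.user_agent),
         shlex.quote(self.get_output_path('whatweb-%s.txt' % safe_name)),
         shlex.quote(url))
     utils.run_cmd(cmd)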
def run(target_file, output_dir):
    """Record every host in ``target_file`` as alive using an nmap list scan.

    ``-sL`` sends no probes and ``-n`` skips DNS resolution; the list is read
    with ``-iL`` and written to ``output_dir/sweep.*`` in all nmap formats.
    Returns nothing.
    """
    utils.log("Importing all targets as alive", "info")
    sweep_prefix = os.path.join(output_dir, 'sweep')
    cmd = "nmap -n -T4 -v -sL -oA %s -iL %s" % (sweep_prefix, target_file)
    utils.run_cmd(cmd)