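def brute(self):
    """Bruteforce URL paths, then HTTP Basic credentials when the server advertises them.

    wfuzz output goes to ``wfuzz.html``/``wfuzz.txt`` and hydra results (via
    do_bruteforce) to ``brute*.txt``, all under the output path. Every value
    interpolated into a command line (URL, wordlist and output paths) is
    shell-quoted so a hostname or path containing shell metacharacters cannot
    change the command handed to utils.run_cmd.
    """
    import shlex

    quote = shlex.quote

    # Bruteforce URLs
    cmd = "wfuzz -w %s -c -u %s -L --hc 400,403,404,405,500,501,502,503 -f %s|tee %s" % (
        quote(self.get_resource_path('urls.txt')),
        quote(self.url + '/FUZZ'),
        quote(self.get_output_path('wfuzz.html') + ',html'),
        quote(self.get_output_path('wfuzz.txt')),
    )
    utils.run_cmd(cmd)

    # Detect HTTP Basic authentication. The probe runs without a shell, and a
    # curl failure (unreachable host, non-zero exit, timeout) is treated as
    # "no Basic auth" rather than propagating an exception.
    try:
        probe = subprocess.run(
            ['curl', '-kLI', self.url],
            stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL,
            timeout=60,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        utils.log('Basic auth probe of %s failed: %s' % (self.url, exc), 'warning')
        return
    headers = probe.stdout.decode('utf8', errors='replace')
    if 'WWW-Authenticate: Basic' not in headers:
        return

    utils.log('Starting HTTP bruteforce against %s' % (self.url), 'info')
    user_list = self.get_resource_path('http_users.txt')
    pass_list = self.get_resource_path('http_passwords.txt')
    userpass_list = self.get_resource_path('http_userpass.txt')
    outfile = self.get_output_path('brute.txt')
    if not config.ONLY_CUSTOM_BRUTE:
        self.do_bruteforce(outfile, user_list=user_list, pass_list=pass_list)
        self.do_bruteforce(outfile, userpass_list=userpass_list)
    # Operator-supplied lists from config are written to separate output files.
    if config.CUSTOM_USER_LIST:
        outfile = self.get_output_path('brute_custom1.txt')
        self.do_bruteforce(outfile, user_list=config.CUSTOM_USER_LIST, pass_list=config.CUSTOM_PASS_LIST)
    if config.CUSTOM_USERPASS_LIST:
        outfile = self.get_output_path('brute_custom2.txt')
        self.do_bruteforce(outfile, userpass_list=config.CUSTOM_USERPASS_LIST)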
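def _port_scan(target, output_dir):
    """Run TCP and UDP nmap scans against *target* and merge them into one XML file.

    Output lands in ``<output_dir>/<target>/port-scan.xml``; the per-protocol
    XML files are removed after the merge. When the merged result shows no
    open ports the target's directory is deleted again.

    Args:
        target: host to scan; also used as the name of its output directory.
        output_dir: parent directory for per-target results.

    Raises:
        ValueError: if *target* is not a single path component. It becomes a
            directory name that is later passed to shutil.rmtree, so a value
            such as ``..`` or one containing a separator could otherwise write
            to, or delete, paths outside *output_dir*.
    """
    import shlex

    if (not target or target in ('.', '..') or os.sep in target
            or (os.altsep is not None and os.altsep in target)):
        raise ValueError('target must be a single path component, got %r' % (target,))

    output_path = os.path.join(output_dir, target)
    os.makedirs(output_path, exist_ok=True)
    tcp_scan = os.path.join(output_path, 'ports-tcp.xml')
    udp_scan = os.path.join(output_path, 'ports-udp.xml')
    port_scan_file = os.path.join(output_path, 'port-scan.xml')
    # Quoted so the target and paths reach nmap as single arguments even if
    # they contain shell metacharacters.
    quoted_target = shlex.quote(target)

    # TCP scan: all ports for a full scan, nmap's default port selection otherwise
    cmd = 'nmap -v -sV -sT -Pn --open -oX %s %s' % (shlex.quote(tcp_scan), quoted_target)
    cmd += ' -p- -T4' if config.FULL_SCAN else ' -T5'
    utils.run_cmd(cmd)

    # UDP scan: nmap's default port selection for a full scan, the 200 most
    # common ports otherwise
    cmd = 'nmap -v -n -sV --defeat-icmp-ratelimit -Pn -sU -T4 --open -oX %s %s' % (
        shlex.quote(udp_scan), quoted_target)
    if not config.FULL_SCAN:
        cmd += ' --top-ports 200'
    utils.run_cmd(cmd)

    utils.merge_nmap_files([tcp_scan, udp_scan], port_scan_file)
    os.remove(tcp_scan)
    os.remove(udp_scan)
    if not utils.parse_nmap_xml(port_scan_file):
        utils.log('No open ports on %s, deleting directory...' % target, 'warning')
        shutil.rmtree(output_path)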
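def do_bruteforce(self, outfile, user_list=None, pass_list=None, userpass_list=None):
    """Run hydra against this HTTP service, over TLS when ``self.tls`` is set.

    Args:
        outfile: path hydra writes its results to (``-o``).
        user_list: wordlist for ``-L``; must be given together with *pass_list*.
        pass_list: wordlist for ``-P``.
        userpass_list: ``user:pass`` combo list for ``-C``, used when the
            user/password pair is not given.

    Raises:
        ValueError: if neither a user/password pair nor a combo list is
            supplied (no command can be built).
    """
    import shlex

    method = 'https-get' if self.tls else 'http-get'
    # The wordlists, output file and target come from configuration or scan
    # results; quote them so hydra sees each as a single argument.
    port = shlex.quote(str(self.port))
    target = shlex.quote(str(self.target))
    if user_list and pass_list:
        cmd = "hydra -V -L %s -P %s -I -e nsr -f -o %s -s %s %s %s /" % (
            shlex.quote(user_list), shlex.quote(pass_list), shlex.quote(outfile),
            port, target, method)
    elif userpass_list:
        cmd = "hydra -V -C %s -I -f -o %s -s %s %s %s /" % (
            shlex.quote(userpass_list), shlex.quote(outfile), port, target, method)
    else:
        raise ValueError('do_bruteforce needs user_list and pass_list, or userpass_list')
    utils.run_cmd(cmd, wdir=self.output_dir)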
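def do_bruteforce(self, outfile, user_list=None, pass_list=None, userpass_list=None):
    """Run hydra against this HTTP service, copying its output to *outfile* via tee.

    Args:
        outfile: file the hydra output is tee'd into.
        user_list: wordlist for ``-L``; must be given together with *pass_list*.
        pass_list: wordlist for ``-P``.
        userpass_list: ``user:pass`` combo list for ``-C``, used when the
            user/password pair is not given.

    Raises:
        ValueError: if neither a user/password pair nor a combo list is
            supplied (no command can be built).
    """
    import shlex

    # Quote every interpolated value: the target host comes from scan results
    # and the paths from configuration, and the command line goes through a
    # shell (the ``|tee`` pipe).
    port = shlex.quote(str(self.port))
    target = shlex.quote(str(self.target))
    if user_list and pass_list:
        cmd = "hydra -L %s -P %s -I -e nsr -f -s %s %s http-get / |tee %s" % (
            shlex.quote(user_list), shlex.quote(pass_list), port, target, shlex.quote(outfile))
    elif userpass_list:
        cmd = "hydra -C %s -I -e nsr -f -s %s %s http-get / |tee %s" % (
            shlex.quote(userpass_list), port, target, shlex.quote(outfile))
    else:
        raise ValueError('do_bruteforce needs user_list and pass_list, or userpass_list')
    utils.run_cmd(cmd)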
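def _port_scan(target, output_dir):
    """Run TCP and UDP nmap scans against *target*, writing ``-oA`` output under its directory.

    Args:
        target: host to scan; also used as the name of its output directory
            below *output_dir*.
        output_dir: parent directory for per-target results.

    Raises:
        ValueError: if *target* is not a single path component; it is used as
            a directory name, so ``..`` or a value containing a separator
            would place the scan output outside *output_dir*.
    """
    import shlex

    if (not target or target in ('.', '..') or os.sep in target
            or (os.altsep is not None and os.altsep in target)):
        raise ValueError('target must be a single path component, got %r' % (target,))

    output_path = os.path.join(output_dir, target)
    os.makedirs(output_path, exist_ok=True)
    # Quoted so the target and output prefix reach nmap as single arguments.
    quoted_target = shlex.quote(target)

    # TCP scan: nmap's default port selection, or all ports unless FAST_SCAN
    cmd = 'nmap -v -sV -sT -Pn -T4 -n --open -oA %s %s' % (
        shlex.quote(os.path.join(output_path, 'ports-tcp')), quoted_target)
    if not config.FAST_SCAN:
        cmd += ' -p-'
    utils.run_cmd(cmd)

    # UDP scan: the 20 most common ports under FAST_SCAN, nmap's -F set otherwise
    cmd = 'nmap -v -sV --defeat-icmp-ratelimit -Pn -sU -T4 -n --open -oA %s %s' % (
        shlex.quote(os.path.join(output_path, 'ports-udp')), quoted_target)
    cmd += ' --top-ports 20' if config.FAST_SCAN else ' -F'
    utils.run_cmd(cmd)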
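def enum(self):
    """Enumerate the HTTP service: whatweb fingerprint, dirb path bruteforce, headless screenshot.

    The URL and every path are shell-quoted before being interpolated, since
    the URL is built from scan results and the command lines are handed to
    utils.run_cmd as strings.
    """
    import shlex

    url = shlex.quote(self.url)
    utils.log('Starting HTTP enumeration against %s' % (self.url), 'info')

    cmd = "whatweb --color=never --log-brief=%s %s" % (
        shlex.quote(self.get_output_path('whatweb.txt')), url)
    utils.run_cmd(cmd)

    # NOTE(review): get_ressource_path is spelled differently from the
    # get_resource_path used by the other blocks in this listing; confirm which
    # helper the enclosing class actually defines.
    cmd = "dirb %s %s -l -r -o %s" % (
        url, shlex.quote(self.get_ressource_path('urls.txt')),
        shlex.quote(self.get_output_path('dirb.txt')))
    utils.run_cmd(cmd)

    cmd = "chromium --headless --no-sandbox --screenshot=%s %s" % (
        shlex.quote(self.get_output_path('screenshot.png')), url)
    utils.run_cmd(cmd)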
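def run(target, output_dir):
    """Ping-sweep *target* with nmap, writing ``-oA`` output to ``<output_dir>/sweep``.

    Args:
        target: nmap target specification. It is split on whitespace and each
            piece shell-quoted, so a value containing shell metacharacters is
            passed to nmap literally instead of being interpreted by the shell.
        output_dir: directory receiving the ``sweep.*`` output files.
    """
    import shlex

    utils.log("Performing ping sweep on target %s" % target, "info")
    target_args = ' '.join(shlex.quote(t) for t in str(target).split())
    cmd = "nmap -v -n --open -T4 -sn %s -oA %s" % (target_args, shlex.quote(output_dir + '/sweep'))
    utils.run_cmd(cmd)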
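def run(target_file, output_dir):
    """Ping-sweep every target listed in *target_file*, writing ``-oA`` output to ``<output_dir>/sweep``.

    Args:
        target_file: path handed to nmap's ``-iL``.
        output_dir: directory receiving the ``sweep.*`` output files.

    Both paths are shell-quoted before interpolation so that spaces or
    metacharacters in them do not alter the command.
    """
    import shlex

    utils.log("Performing ping sweep on targets ...", "info")
    cmd = "nmap -v -n --open -sn -iL %s -oA %s" % (
        shlex.quote(target_file), shlex.quote(output_dir + '/sweep'))
    utils.run_cmd(cmd)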
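def do_bruteforce(self, outfile, user_list=None, pass_list=None, userpass_list=None):
    """Run hydra against the SSH service on ``self.target:self.port``.

    Args:
        outfile: path hydra writes its results to (``-o``).
        user_list: wordlist for ``-L``; must be given together with *pass_list*.
        pass_list: wordlist for ``-P``.
        userpass_list: ``user:pass`` combo list for ``-C``, used when the
            user/password pair is not given.

    Raises:
        ValueError: if neither a user/password pair nor a combo list is
            supplied (no command can be built).
    """
    import shlex

    # The target host comes from scan results and the list paths from
    # configuration; quote them so each reaches hydra as one argument.
    service = shlex.quote('ssh://%s:%s' % (self.target, self.port))
    if user_list and pass_list:
        cmd = "hydra -t 4 -V -L %s -P %s -I -e nsr -o %s -f %s" % (
            shlex.quote(user_list), shlex.quote(pass_list), shlex.quote(outfile), service)
    elif userpass_list:
        cmd = "hydra -t 4 -V -C %s -I -f -o %s %s" % (
            shlex.quote(userpass_list), shlex.quote(outfile), service)
    else:
        raise ValueError('do_bruteforce needs user_list and pass_list, or userpass_list')
    utils.run_cmd(cmd, wdir=self.get_output_path(''))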
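def run(targets, output_dir):
    """Import *targets* with an nmap list scan (``-sL``), writing ``-oA`` output to ``<output_dir>/sweep``.

    Args:
        targets: nmap target specification(s) as one string. It is split on
            whitespace and each piece shell-quoted so that metacharacters in a
            target are passed to nmap literally rather than run by the shell.
        output_dir: directory receiving the ``sweep.*`` output files.
    """
    import shlex

    utils.log("Importing target list", "info")
    target_args = ' '.join(shlex.quote(t) for t in str(targets).split())
    utils.run_cmd("nmap -n -T4 -v -sL -oA %s %s" % (
        shlex.quote(os.path.join(output_dir, 'sweep')), target_args))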
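def screenshot(self, hostname):
    """Take a headless-chromium screenshot of the page served for *hostname* on this port.

    Args:
        hostname: host name used to build the URL via ``self.get_url``.

    The output path and URL are shell-quoted: the hostname comes from scan
    results and the command line (with its ``2>/dev/null`` redirect) is run
    through a shell by utils.run_cmd.
    """
    import shlex

    url = self.get_url(hostname, self.port, self.tls)
    # NOTE(review): the file name is derived from self.url while the page
    # fetched is built from *hostname*; whatweb() names its output after
    # hostname instead. Confirm which is intended.
    outfile = self.get_output_path("sc-%s.png" % (self.url.replace('/', '')))

    # Screenshot web page
    cmd = ("chromium --ignore-certificate-errors --disable-gpu --headless --no-sandbox "
           "--window-size=1920,1080 --screenshot=%s %s 2>/dev/null"
           % (shlex.quote(outfile), shlex.quote(url)))
    utils.run_cmd(cmd, timeout=60)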
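def whatweb(self, hostname):
    """Fingerprint the web technologies served for *hostname* on this port with whatweb.

    Args:
        hostname: host name used to build the URL via ``self.get_url`` and to
            name the ``whatweb-<hostname>.txt`` output file.

    The user agent, output path and URL are shell-quoted before interpolation;
    the hostname comes from scan results, so it must not be able to alter the
    command handed to utils.run_cmd.
    """
    import shlex

    url = self.get_url(hostname, self.port, self.tls)
    # Fingerprint web technologies
    cmd = "whatweb --color=never --user-agent %s --log-brief=%s %s" % (
        shlex.quote(self.user_agent),
        shlex.quote(self.get_output_path('whatweb-%s.txt' % hostname)),
        shlex.quote(url))
    utils.run_cmd(cmd)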
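def run(target_file, output_dir):
    """Mark every target in *target_file* alive via an nmap list scan (``-sL``).

    Args:
        target_file: path handed to nmap's ``-iL``.
        output_dir: directory receiving the ``sweep.*`` ``-oA`` output files.

    Both paths are shell-quoted before interpolation so that spaces or
    metacharacters in them cannot alter the command.
    """
    import shlex

    utils.log("Importing all targets as alive", "info")
    utils.run_cmd("nmap -n -T4 -v -sL -oA %s -iL %s" % (
        shlex.quote(os.path.join(output_dir, 'sweep')), shlex.quote(target_file)))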