def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
from core.targets import target_type
from core.targets import target_to_host
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if target_type(target) == 'HTTP':
target = target_to_host(target)
subs = __get_subs(target,
timeout_sec,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
num,
total,
extra_requirements=extra_requirements)
if len(subs) is 0:
info(messages(language, "no_subdomain_found"))
if len(subs) is not 0:
info(messages(language, "len_subdomain_found").format(len(subs)))
for sub in subs:
if verbose_level > 2:
info(messages(language, "subdomain_found").format(sub))
data = json.dumps({
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'subdomain_scan',
'DESCRIPTION': sub,
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
if len(subs) is 0 and verbose_level is not 0:
data = json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'subdomain_scan',
'DESCRIPTION':
messages(language, "subdomain_found").format(
len(subs), ', '.join(subs) if len(subs) > 0 else 'None'),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
return subs
else:
warn(
messages(language,
"input_target_error").format('subdomain_scan', target))
return []
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = [
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
"Googlebot/2.1 ( http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04"
" Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13",
"Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620",
"Debian APT-HTTP/1.3 (0.8.10.3)",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Googlebot/2.1 (+http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; "
"http://help.yahoo.com/help/us/shop/merchant/)",
"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
"msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
]
http_methods = ["GET", "HEAD"]
user_agent = {'User-agent': random.choice(user_agent_list)}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if extra_requirements["wp_theme_scan_http_method"][
0] not in http_methods:
warn(messages(language, "wp_theme_scan_get"))
extra_requirements["wp_theme_scan_http_method"] = ["GET"]
random_agent_flag = True
if extra_requirements["wp_theme_scan_random_agent"][0] == "False":
random_agent_flag = False
threads = []
if verbose_level > 3:
total_req = len(themes.themes())
else:
total_req = len(small_themes.themes())
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) != "HTTP":
target = 'https://' + target
if test(str(target), retries, timeout_sec, user_agent,
extra_requirements["wp_theme_scan_http_method"][0],
socks_proxy, verbose_level, trying, total_req, total, num,
language) is 0:
keyboard_interrupt_flag = False
if verbose_level > 3:
scan_list = themes.themes()
else:
scan_list = small_themes.themes()
for idir in scan_list:
idir = "/wp-content/themes/" + idir
if random_agent_flag:
user_agent = {'User-agent': random.choice(user_agent_list)}
t = threading.Thread(
target=check,
args=(target + '/' + idir, user_agent, timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, retries,
extra_requirements["wp_theme_scan_http_method"][0],
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total,
target_to_host(target), "default_port",
'wp_theme_scan'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
warn(messages(language, "open_error").format(target))
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1:
info(
messages(language,
"directory_file_404").format(target, "default_port"))
if verbose_level is not 0:
data = json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'wp_theme_scan',
'DESCRIPTION':
messages(language, "no_open_ports"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('wp_theme_scan', target))
def analysis(targets, check_ranges, check_subdomains, subs_temp, range_temp,
log_in_file, time_sleep, language, verbose_level, retries,
socks_proxy, enumerate_flag):
"""
analysis and calulcate targets.
Args:
targets: targets
check_ranges: check IP range flag
check_subdomains: check subdomain flag
subs_temp: subdomain temp filename
range_temp: IP range tmp filename
log_in_file: output filename
time_sleep: time to sleep
language: language
verbose_level: verbose level number
retries: retries number
socks_proxy: socks proxy
enumerate_flag: enumerate flag
Returns:
a generator
"""
__log_into_file(range_temp, 'a', '', language)
__log_into_file(subs_temp, 'a', '', language)
for target in targets:
if target_type(target) == 'SINGLE_IPv4':
if check_ranges:
if not enumerate_flag:
info(messages(language, "checking_range").format(target))
IPs = IPRange(getIPRange(target), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IP in IPm:
yield IP
else:
if not enumerate_flag:
info(messages(language, "target_submitted").format(target))
yield target
elif target_type(target) == 'SINGLE_IPv6':
yield target
elif target_type(target) == 'RANGE_IPv4' or target_type(
target) == 'CIDR_IPv4':
IPs = IPRange(target, range_temp, language)
if not enumerate_flag:
info(messages(language, "checking").format(target))
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IP in IPm:
yield IP
elif target_type(target) == 'DOMAIN':
if check_subdomains:
if check_ranges:
if enumerate_flag:
info(messages(language, "checking").format(target))
sub_domains = json.loads(open(subs_temp).read()) if len(open(subs_temp).read()) > 2 else \
__get_subs(target, 3, '', 0, language,
0, socks_proxy, 3, 0, 0)
if len(open(subs_temp).read()) is 0:
__log_into_file(subs_temp, 'a',
json.dumps(sub_domains), language)
if target not in sub_domains:
sub_domains.append(target)
for target in sub_domains:
if not enumerate_flag:
info(
messages(language,
"target_submitted").format(target))
yield target
n = 0
err = 0
IPs = []
while True:
try:
IPs.append(socket.gethostbyname(target))
err = 0
n += 1
if n is 12:
break
except:
err += 1
if err is 3 or n is 12:
break
IPz = list(set(IPs))
for IP in IPz:
if not enumerate_flag:
info(
messages(language,
"checking_range").format(IP))
IPs = IPRange(getIPRange(IP), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IPn in IPm:
yield IPn
else:
if enumerate_flag:
info(messages(language, "checking").format(target))
sub_domains = json.loads(open(subs_temp).read()) if len(open(subs_temp).read()) > 2 else \
__get_subs(target, 3, '', 0, language,
0, socks_proxy, 3, 0, 0)
if len(open(subs_temp).read()) is 0:
__log_into_file(subs_temp, 'a',
json.dumps(sub_domains), language)
if target not in sub_domains:
sub_domains.append(target)
for target in sub_domains:
if not enumerate_flag:
info(
messages(language,
"target_submitted").format(target))
yield target
else:
if check_ranges:
if not enumerate_flag:
info(messages(language, "checking").format(target))
yield target
n = 0
err = 0
IPs = []
while True:
try:
IPs.append(socket.gethostbyname(target))
err = 0
n += 1
if n is 12:
break
except:
err += 1
if err is 3 or n is 12:
break
IPz = list(set(IPs))
for IP in IPz:
if not enumerate_flag:
info(
messages(language,
"checking_range").format(IP))
IPs = IPRange(getIPRange(IP), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IPn in IPm:
yield IPn
else:
if not enumerate_flag:
info(
messages(language,
"target_submitted").format(target))
yield target
elif target_type(target) == 'HTTP':
if not enumerate_flag:
info(messages(language, "checking").format(target))
yield target
if check_ranges:
if 'http://' == target[:7].lower():
target = target[7:].rsplit('/')[0]
if 'https://' == target[:8].lower():
target = target[8:].rsplit('/')[0]
yield target
IPs = []
while True:
try:
IPs.append(socket.gethostbyname(target))
err = 0
n += 1
if n is 12:
break
except:
err += 1
if err is 3 or n is 12:
break
IPz = list(set(IPs))
for IP in IPz:
if not enumerate_flag:
info(messages(language, "checking_range").format(IP))
IPs = IPRange(getIPRange(IP), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IPn in IPm:
yield IPn
else:
__die_failure(messages(language, "unknown_target").format(target))
def __repeater(request_template,
parameters,
timeout_sec,
thread_number,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
scan_id,
scan_cmd,
condition,
thread_tmp_filename,
sample_event,
message,
target,
ports,
default_ports,
counter_message=None):
"""
this function is the main repeater functions which determines the type of request, the content type and calls the
appropriate funtion
Args:
request_template: the sample template of the request(to be supplied by the module)
parameters: the payload in form of [[1,2,3], [1,2,3],...]
condition: the condition to be evaluated. eg: response.status_code == 200
sample_event: the template for the event that will be logged into the db
message: the message that you want to display in the terminal when success
counter_message: the message that you want to display if nothing is found
target: the target to be attacked
ports: the ports to be fuzzed
default_ports: if user doesn't supply ports, these are to be fuzzed
other args: retries, time_sleep, timeout_sec, thread_number, log_in_file, time_sleep, language,
verbose_level, socks_proxy, scan_id, scan_cmd, thread_tmp_filename
Returns:
Nothing
"""
if counter_message is None:
counter_message = messages(language, "fuzzer_no_response").format(
sample_event['TYPE'])
__log_into_file(thread_tmp_filename, 'w', '1', language)
output = []
request_text = request_template.replace("\r", "").replace("\n", "\r\n")
content_type = ""
request_type = ""
if request_text.rsplit()[0] == "POST" or request_text.rsplit()[0] == "PUT" or \
request_text.rsplit()[0] == "PATCH":
request_type = "POST"
elif request_text.rsplit()[0] == "GET" or request_text.rsplit()[0] == "HEAD" or \
request_text.rsplit()[0] == "DELETE":
request_type = "GET"
req_type = request_text.rsplit()[0]
threads = []
keyboard_interrupt_flag = False
requests_list = __http_requests_generator(request_text, parameters)
targets = target_builder(target, ports, default_ports)
for request in requests_list:
if request_type == "POST":
t = threading.Thread(
target=request_with_data,
args=(request[0], content_type, req_type, retries, time_sleep,
timeout_sec, request[1], condition, output, sample_event,
message, log_in_file, thread_tmp_filename, language,
targets, ports, default_ports, socks_proxy))
elif request_type == "GET":
t = threading.Thread(
target=request_without_data,
args=(request[0], req_type, retries, time_sleep, timeout_sec,
request[1], condition, output, sample_event, message,
log_in_file, thread_tmp_filename, language, targets,
ports, default_ports, socks_proxy))
threads.append(t)
t.start()
time.sleep(time_sleep)
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1 and verbose_level is not 0:
sample_event['DESCRIPTION'] = counter_message
event_parser(message=counter_message,
sample_event=sample_event,
response=None,
payload=None,
log_in_file=log_in_file,
language=language)
os.remove(thread_tmp_filename)
def login(user, passwd, target, port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
exit = 0
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
while 1:
target_host = str(target) + ":" + str(port)
try:
if timeout_sec is not None:
req = requests.get(target_host,
timeout=timeout_sec,
auth=(user, passwd))
else:
req = requests.get(target_host, auth=(user, passwd))
flag = 1
if req.status_code != 200:
exit += 1
if exit is retries:
warn(
messages(language, "http_auth_failed").format(
target, user, passwd, port))
return 1
else:
time.sleep(time_sleep)
continue
elif req.status_code == 200:
flag = 0
if flag is 0:
info(
messages(language, "http_auth_success").format(
user, passwd, target, port))
data = json.dumps(
{
'HOST': target,
'USERNAME': user,
'PASSWORD': passwd,
'PORT': port,
'TYPE': 'http_basic_auth_brute',
'DESCRIPTION': messages(language,
"login_successful"),
'TIME': now(),
'CATEGORY': "brute",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
except:
exit += 1
if exit is retries:
warn(
messages(language, "http_auth_failed").format(
target, user, passwd, port))
return 1
else:
time.sleep(time_sleep)
continue
return flag
def login(user, passwd, target, port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
exit = 0
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
while 1:
try:
if timeout_sec is not None:
server = smtplib.SMTP(target, int(port), timeout=timeout_sec)
else:
server = smtplib.SMTP(target, int(port))
server.starttls()
exit = 0
break
except:
exit += 1
if exit is retries:
warn(
messages(language, "smtp_connection_timeout").format(
target, port, user, passwd))
return 1
time.sleep(time_sleep)
flag = 1
try:
server.login(user, passwd)
flag = 0
except smtplib.SMTPException as err:
pass
if flag is 0:
info(
messages(language,
"user_pass_found").format(user, passwd, target, port))
data = json.dumps({
'HOST': target,
'USERNAME': user,
'PASSWORD': passwd,
'PORT': port,
'TYPE': 'smtp_brute',
'DESCRIPTION': messages(language, "login_successful"),
'TIME': now(),
'CATEGORY': "brute",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
else:
pass
try:
server.quit()
except Exception:
pass
return flag
def analysis(
targets,
check_ranges,
check_subdomains,
subs_temp,
range_temp,
log_in_file,
time_sleep,
language,
verbose_level,
retries,
socks_proxy,
enumerate_flag,
):
"""
analysis and calulcate targets.
Args:
targets: targets
check_ranges: check IP range flag
check_subdomains: check subdomain flag
subs_temp: subdomain temp filename
range_temp: IP range tmp filename
log_in_file: output filename
time_sleep: time to sleep
language: language
verbose_level: verbose level number
retries: retries number
socks_proxy: socks proxy
enumerate_flag: enumerate flag
Returns:
a generator
"""
__log_into_file(range_temp, "a", "", language)
__log_into_file(subs_temp, "a", "", language)
for target in targets:
target = six.ensure_text(target)
if target_type(target) == "SINGLE_IPv4":
if check_ranges:
if not enumerate_flag:
info(messages(language, "checking_range").format(target))
IPs = IPRange(getIPRange(target), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IP in IPm:
yield IP
else:
if not enumerate_flag:
info(messages(language, "target_submitted").format(target))
yield target
elif target_type(target) == "SINGLE_IPv6":
yield target
elif (target_type(target) == "RANGE_IPv4"
or target_type(target) == "CIDR_IPv4"):
IPs = IPRange(target, range_temp, language)
global temp
if target_type(target) == "CIDR_IPv4" and temp == 0:
net = ipaddress.ip_network(six.text_type(target))
start = net[0]
end = net[-1]
ip1 = int(ipaddress.IPv4Address(six.text_type(start)))
ip2 = int(ipaddress.IPv4Address(six.text_type(end)))
yield ip2 - ip1
temp = 1
break
if target_type(target) == "RANGE_IPv4" and temp == 0:
start, end = target.rsplit("-")
ip1 = int(ipaddress.IPv4Address(six.text_type(start)))
ip2 = int(ipaddress.IPv4Address(six.text_type(end)))
yield ip2 - ip1
temp = 1
break
if not enumerate_flag:
info(messages(language, "checking").format(target))
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IP in IPm:
yield IP
elif target_type(target) == "DOMAIN":
if check_subdomains:
if check_ranges:
if enumerate_flag:
info(messages(language, "checking").format(target))
sub_domains = (json.loads(open(subs_temp).read())
if len(open(subs_temp).read()) > 2 else
__get_subs(target, 3, "", 0, language, 0,
socks_proxy, 3, 0, 0))
if len(open(subs_temp).read()) == 0:
__log_into_file(subs_temp, "a",
json.dumps(sub_domains), language)
if target not in sub_domains:
sub_domains.append(target)
for target in sub_domains:
if not enumerate_flag:
info(
messages(language,
"target_submitted").format(target))
yield target
n = 0
err = 0
IPs = []
while True:
try:
IPs.append(socket.gethostbyname(target))
err = 0
n += 1
if n == 12:
break
except Exception:
err += 1
if err == 3 or n == 12:
break
IPz = list(set(IPs))
for IP in IPz:
if not enumerate_flag:
info(
messages(language,
"checking_range").format(IP))
IPs = IPRange(getIPRange(IP), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IPn in IPm:
yield IPn
else:
if enumerate_flag:
info(messages(language, "checking").format(target))
sub_domains = (json.loads(open(subs_temp).read())
if len(open(subs_temp).read()) > 2 else
__get_subs(target, 3, "", 0, language, 0,
socks_proxy, 3, 0, 0))
if len(open(subs_temp).read()) == 0:
__log_into_file(subs_temp, "a",
json.dumps(sub_domains), language)
if target not in sub_domains:
sub_domains.append(target)
for target in sub_domains:
if not enumerate_flag:
info(
messages(language,
"target_submitted").format(target))
yield target
else:
if check_ranges:
if not enumerate_flag:
info(messages(language, "checking").format(target))
yield target
n = 0
err = 0
IPs = []
while True:
try:
IPs.append(socket.gethostbyname(target))
err = 0
n += 1
if n == 12:
break
except Exception:
err += 1
if err == 3 or n == 12:
break
IPz = list(set(IPs))
for IP in IPz:
if not enumerate_flag:
info(
messages(language,
"checking_range").format(IP))
IPs = IPRange(getIPRange(IP), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IPn in IPm:
yield IPn
else:
if not enumerate_flag:
info(
messages(language,
"target_submitted").format(target))
yield target
elif target_type(target) == "HTTP":
if not enumerate_flag:
info(messages(language, "checking").format(target))
yield target
if check_ranges:
if "http://" == target[:7].lower():
target = target[7:].rsplit("/")[0]
if "https://" == target[:8].lower():
target = target[8:].rsplit("/")[0]
yield target
IPs = []
while True:
try:
IPs.append(socket.gethostbyname(target))
err = 0
n += 1
if n == 12:
break
except Exception:
err += 1
if err == 3 or n == 12:
break
IPz = list(set(IPs))
for IP in IPz:
if not enumerate_flag:
info(messages(language, "checking_range").format(IP))
IPs = IPRange(getIPRange(IP), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IPn in IPm:
yield IPn
else:
__die_failure(messages(language, "unknown_target").format(target))
def start(
target,
users,
passwds,
ports,
timeout_sec,
thread_number,
num,
total,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
methods_args,
scan_id,
scan_cmd,
): # Main function
if (target_type(target) != "SINGLE_IPv4" or target_type(target) != "DOMAIN"
or target_type(target) != "HTTP"):
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if ports is None:
ports = extra_requirements["wp_user_enum_ports"]
if target_type(target) == "HTTP":
target = target_to_host(target)
threads = []
total_req = len(ports)
thread_tmp_filename = "{}/tmp/thread_tmp_".format(
load_file_path()) + "".join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, "w", "1", language)
trying = 0
keyboard_interrupt_flag = False
for port in ports:
port = int(port)
t = threading.Thread(
target=__wp_user_enum,
args=(
target,
int(port),
timeout_sec,
log_in_file,
language,
time_sleep,
thread_tmp_filename,
socks_proxy,
scan_id,
scan_cmd,
),
)
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying,
total_req,
num,
total,
target,
port,
"wp_user_enum_scan",
))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1 and verbose_level != 0:
info(messages(language, "not_found"))
data = json.dumps({
"HOST": target,
"USERNAME": "",
"PASSWORD": "",
"PORT": "",
"TYPE": "wp_user_enum_scan",
"DESCRIPTION": messages(language, "not_found"),
"TIME": now(),
"CATEGORY": "scan",
"SCAN_ID": scan_id,
"SCAN_CMD": scan_cmd,
})
__log_into_file(log_in_file, "a", data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format("wp_user_enum_scan", target))
def check(target, user_agent, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, retries, http_method, socks_proxy, scan_id,
scan_cmd):
status_codes = [200, 401, 403]
time.sleep(time_sleep)
try:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
if http_method == "GET":
r = requests.get(target,
timeout=timeout_sec,
headers=user_agent)
elif http_method == "HEAD":
r = requests.head(target,
timeout=timeout_sec,
headers=user_agent)
content = r.content
break
except:
n += 1
if n is retries:
warn(
messages(language,
"http_connection_timeout").format(target))
return 1
if r.status_code in status_codes:
info(
messages(language, "found").format(target, r.status_code,
r.reason))
__log_into_file(thread_tmp_filename, 'w', '0', language)
__log_into_file(
log_in_file, 'a',
json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
"",
'TYPE':
'pma_scan',
'DESCRIPTION':
messages(language, "found").format(target, r.status_code,
r.reason),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + '\n', language)
return True
except:
return False
def __sub_takeover(
target,
port,
timeout_sec,
log_in_file,
language,
time_sleep,
thread_tmp_filename,
socks_proxy,
scan_id,
scan_cmd,
extra_requirement,
):
result = sub_takeover(
target,
port,
timeout_sec,
log_in_file,
language,
time_sleep,
thread_tmp_filename,
socks_proxy,
scan_id,
scan_cmd,
extra_requirement,
)
if result:
info(
messages(language, "target_vulnerable").format(
target,
port,
"Potential Subdomain Takeover Vulnerability found pointing to "
+ result.split("_")[2],
))
__log_into_file(thread_tmp_filename, "w", "0", language)
data = json.dumps({
"HOST":
target,
"USERNAME":
"",
"PASSWORD":
"",
"PORT":
port,
"TYPE":
"subomain_takeover_vuln",
"DESCRIPTION":
messages(language, "vulnerable").format(
"Potential Subdomain Takeover Vulnerability found pointing to "
+ result.split("_")[2]),
"TIME":
now(),
"CATEGORY":
"vuln",
"SCAN_ID":
scan_id,
"SCAN_CMD":
scan_cmd,
})
__log_into_file(log_in_file, "a", data, language)
return True
else:
return False
def request_without_data(
request,
req_type,
retries,
time_sleep,
timeout_sec,
payload,
condition,
output,
sample_event,
message,
log_in_file,
thread_tmp_filename,
language,
targets,
ports,
default_ports,
socks_proxy,
):
"""
this function extracts the data, headers and url for the requests other than POST type which is to be sent to
the __http_request_maker function
Args:
request: the returned data from __http_requests_generator function
req_type: GET, POST, PUT, DELETE or PATCH
payload: the payload corresponding to which the request is made
condition: the condition to be evaluated. eg: response.status_code == 200
other args: retries, time_sleep, timeout_sec, output, sample_event,
message, log_in_file, thread_tmp_filename, language
Returns:
the list of outputs in the format
[
{
"payload": payload1,
"condition": condition1,
"result": rule_evaluator(response, condition),
"response": response1
},......
]
"""
request_line, headers_alone = request.split("\r\n", 1)
headers = dict()
try:
for x in headers_alone.split("\r\n"):
headers[x.split(":", 1)[0]] = x.split(":", 1)[1]
except IndexError:
headers[headers_alone.split(":", 1)[0]] = headers_alone.split(":",
1)[1]
clean_headers = {x.strip(): y.strip() for x, y in headers.items()}
headers = clean_headers
headers.pop("Content-Length", None)
url_sample = request_line.strip().split(" ")[1]
for target in targets:
url = url_sample.replace("__target_locat_here__", str(target))
try:
port = url.split(":")[2].split("/")[0]
except IndexError:
if target.startswith("https://"):
port = 443
if target.startswith("http://"):
port = 80
response = __http_request_maker(req_type, url, headers, retries,
time_sleep, timeout_sec)
if isinstance(response, requests.models.Response):
if rule_evaluator(response, condition):
__log_into_file(thread_tmp_filename, "w", "0", language)
sample_event["PORT"] = port
event_parser(
message,
sample_event,
response,
payload,
log_in_file,
language,
)
output.append({
"payload": payload,
"condition": condition,
"result": rule_evaluator(response, condition),
"response": response,
})
return output
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = [
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
"Googlebot/2.1 ( http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04"
" Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13",
"Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620",
"Debian APT-HTTP/1.3 (0.8.10.3)",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Googlebot/2.1 (+http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; "
"http://help.yahoo.com/help/us/shop/merchant/)",
"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
"msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
]
user_agent = {'User-agent': random.choice(user_agent_list)}
limit = 1000
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
random_agent_flag = True
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_random_agent"][
0] != "True":
random_agent_flag = False
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_no_limit"][
0] != "False":
limit = -1
threads = []
total_req = limit
filepath = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) == 'SINGLE_IPv4' or target_type(
target) == 'DOMAIN':
url = 'http://{0}/'.format(target)
else:
if target.count(':') > 1:
__die_failure(messages(language, 105))
http = target.rsplit('://')[0]
host = target_to_host(target)
path = "/".join(
target.replace('http://', '').replace('https://',
'').rsplit('/')[1:])
url = http + '://' + host + '/' + path
if test(url, retries, timeout_sec, user_agent, socks_proxy,
verbose_level, trying, total_req, total, num, language, False,
log_in_file, scan_id, scan_cmd, thread_tmp_filename) is not 0:
warn(messages(language, 109).format(url))
return
info(messages(language, 177).format(target))
n = 0
t = threading.Thread(
target=test,
args=(url, retries, timeout_sec, user_agent, socks_proxy,
verbose_level, trying, total_req, total, num, language, True,
log_in_file, scan_id, scan_cmd, thread_tmp_filename))
t.start()
while (n != limit):
n += 1
if random_agent_flag:
user_agent = {'User-agent': random.choice(user_agent_list)}
t = threading.Thread(target=send_dos,
args=(url, user_agent, timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, retries,
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language,
72).format(trying, total_req, num, total,
target_to_host(target), port,
'wordpress_dos_cve_2018_6389_vuln'))
try:
if int(open(thread_tmp_filename).read().rsplit()[0]) is 0:
if limit is not -1:
break
except:
pass
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
break
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 2 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1:
info(
messages(language,
141).format("wordpress_dos_cve_2018_6389_vuln"))
if verbose_level is not 0:
data = json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'wordpress_dos_cve_2018_6389_vuln',
'DESCRIPTION':
messages(language,
141).format("wordpress_dos_cve_2018_6389_vuln"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language, 69).format('wordpress_dos_cve_2018_6389_vuln',
target))
def test(target, retries, timeout_sec, user_agent, socks_proxy, verbose_level,
trying, total_req, total, num, language, dos_flag, log_in_file,
scan_id, scan_cmd, thread_tmp_filename):
if verbose_level > 3:
info(
messages(language, 72).format(trying, total_req, num, total,
target_to_host(target), '',
'wordpress_dos_cve_2018_6389_vuln'))
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
r = requests.get(target, timeout=timeout_sec,
headers=user_agent).content
return 0
except:
n += 1
if n is retries:
if dos_flag:
__log_into_file(thread_tmp_filename, 'w', '0', language)
info(
messages(
language,
139).format("wordpress_dos_cve_2018_6389_vuln"))
data = json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'wordpress_dos_cve_2018_6389_vuln',
'DESCRIPTION':
messages(
language,
139).format("wordpress_dos_cve_2018_6389_vuln"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
return 1
def login(user, passwd, target, port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
username_field = "username"
password_field = "password"
exit = 0
class BruteParser(HTMLParser):
def __init__(self):
HTMLParser.__init__(self)
self.parsed_results = {}
def handle_starttag(self, tag, attrs):
if tag == "input":
for name, value in attrs:
if name == "name" and value == username_field:
self.parsed_results[username_field] = username_field
if name == "name" and value == password_field:
self.parsed_results[password_field] = password_field
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
while 1:
target_host = str(target) + ":" + str(port)
flag = 1
try:
cookie = cookiejar.FileCookieJar("cookies")
opener = request.build_opener(request.HTTPCookieProcessor(cookie))
response = opener.open(target)
page = response.read()
parsed_html = BruteParser()
parsed_html.feed(page)
parsed_html.parsed_results[username_field] = user
parsed_html.parsed_results[password_field] = passwd
post_data = urlencode(parsed_html.parsed_results).encode()
except:
exit += 1
if exit is retries:
warn(
messages(language, "http_form_auth_failed").format(
target, user, passwd, port))
return 1
else:
time.sleep(time_sleep)
continue
try:
if timeout_sec is not None:
brute_force_response = opener.open(target_host,
data=post_data,
timeout=timeout_sec)
else:
brute_force_response = opener.open(target_host, data=post_data)
if brute_force_response.code == 200:
flag = 0
if flag is 0:
info(
messages(language, "http_form_auth_success").format(
user, passwd, target, port))
data = json.dumps(
{
'HOST': target,
'USERNAME': user,
'PASSWORD': passwd,
'PORT': port,
'TYPE': 'http_form_brute',
'DESCRIPTION': messages(language,
"login_successful"),
'TIME': now(),
'CATEGORY': "brute",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
return flag
except:
exit += 1
if exit is retries:
warn(
messages(language, "http_form_auth_failed").format(
target, user, passwd, port))
return 1
else:
time.sleep(time_sleep)
continue
def sub1(body, headers, dev):
if dev['auth'][3] == "body":
if dev['auth'][4] == "regex":
pattern = dev['auth'][5]
if re.match(pattern, body):
resp = "device " + ctx[
'ip'] + " is of type " + ctx[
'devType'] + " still has default password"
info(resp)
data = json.dumps({
'HOST': ctx['ip'],
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'iot_scan',
'DESCRIPTION': str(resp),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scanid,
'SCAN_CMD': scancmd
}) + "\n"
else:
resp = "device " + ctx[
'ip'] + " of type " + ctx[
'devType'] + " has changed password"
info(resp)
data = json.dumps({
'HOST': ctx['ip'],
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'iot_scan',
'DESCRIPTION': str(resp),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scanid,
'SCAN_CMD': scancmd
}) + "\n"
__log_into_file(loginfile, 'a', data, lang)
return
elif dev['auth'][4] == "!substr":
body = body.decode('utf-8')
if body.index(dev['auth'])[5] < 0:
resp = "device " + ctx[
'ip'] + " is of type " + ctx[
'devType'] + " still has default password"
info(resp)
data = json.dumps({
'HOST': ctx['ip'],
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'iot_scan',
'DESCRIPTION': str(resp),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scanid,
'SCAN_CMD': scancmd
}) + "\n"
else:
resp = "device " + ctx[
'ip'] + " of type " + ctx[
'devType'] + " has changed password"
info(resp)
data = json.dumps({
'HOST': ctx['ip'],
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'iot_scan',
'DESCRIPTION': str(resp),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scanid,
'SCAN_CMD': scancmd
}) + "\n"
__log_into_file(loginfile, 'a', data, lang)
return
def generate(filename = "", first_name="", last_name = "", nick= "", email = "", dob = "", phone = "", partner_name = "", partner_dob = "", bestfriend = "", child_name = "", company = "", other = "", maxm = 8, minm = 16, special_characters = False, leet_speak = False, random_numbers = False, language="en"):
random_l=list()
other = other.replace(" ", "")
words2 = other.split(",")
if special_characters == True:
special = list()
for spec1 in charlist:
special.append(spec1)
for spec2 in charlist:
special.append(spec1 + spec2)
for spec3 in charlist:
special.append(spec1 + spec2 + spec3)
# 1337 mode can convert the characters to leet speak and hello = h3110
################################
funame = first_name.title()
nuick = nick.title()
purtname = partner_name.title()
bustf = bestfriend.title()
chld = child_name.title()
#chldn = childn.title()
cumpny = company.title()
# 3
emails, sep, tail = email.partition("@")
list1 = [first_name, last_name, nick, emails, funame, nuick, phone, partner_name,
bestfriend, purtname, bustf, child_name, company, chld, cumpny]
for i in words2:
list1.append(i)
datepart(partner_dob)
# datepart(childob)
datepart(dob)
list1 = list(filter(None, list1)) # removing empty data
for i in list1:
password_list.append(i)
for j in list1:
if(i.lower()) != (j.lower()):
password_list.append(i + j)
if leet_speak == True:
for i in password_list:
i = i.replace('a', '@')
i = i.replace('t', '7')
i = i.replace('l', '1')
i = i.replace('e', '3')
i = i.replace('i', '!')
i = i.replace('o', '0')
i = i.replace('z', '2')
i = i.replace('g', '9')
i = i.replace('s', '5')
leet_list.append(i)
# Leet Speak chars
# a='@'
# t='7'
# l='1'
# e='3'
# i='!'
# o='0'
# z='2'
# g='9'
# s='5'
####################
if random_numbers == True:
for i in password_list:
for j in random_list:
random_l.append(i + j)
else:
random_l = password_list
if special_characters == True:
for i in random_l:
for j in special:
characters_list.append(i + j)
count = 0
unique_list = password_list + random_l + characters_list + leet_list
unique_list = list(set(tuple(unique_list)))
for i in unique_list:
if minm <= len(i) <= maxm:
pass
else:
unique_list.remove(i)
if filename is not "":
__log_into_file(filename, 'w', json.dumps(unique_list), language, final=True)
return unique_list
def sub2(headers, ctx):
status = int(headers['Status'])
if debug:
print "check_login status=" + str(status)
data = ''
if int(status) == 200:
if ctx['dev']['auth'][0] == "basic":
resp = "device " + ctx['ip'] + " is of type " + ctx[
'devType'] + " still has default password"
info(resp)
data = json.dumps({
'HOST': ctx['ip'],
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'iot_scan',
'DESCRIPTION': str(resp),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scanid,
'SCAN_CMD': scancmd
}) + "\n"
elif ctx['dev']['auth'][0] == "expect200":
resp = "device " + ctx['ip'] + " is of type " + ctx[
'devType'] + "does not have any password"
info(resp)
data = json.dumps({
'HOST': ctx['ip'],
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'iot_scan',
'DESCRIPTION': str(resp),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scanid,
'SCAN_CMD': scancmd
}) + "\n"
elif int(status) == 301 or int(status) == 302:
resp = "device " + ctx['ip'] + " is of type " + ctx[
'devType'] + " still has default password"
info(resp)
data = json.dumps({
'HOST': ctx['ip'],
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'iot_scan',
'DESCRIPTION': str(resp),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scanid,
'SCAN_CMD': scancmd
}) + "\n"
elif int(status) == 401 and ctx['dev']['auth'][0] == "basic":
resp = "device " + ctx['ip'] + " is of type " + ctx[
'devType'] + " has changed password"
info(resp)
data = json.dumps({
'HOST': ctx['ip'],
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'iot_scan',
'DESCRIPTION': str(resp),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scanid,
'SCAN_CMD': scancmd
}) + "\n"
else:
resp = "device " + ctx['ip'] + ": unexpected resp code " + str(
status)
error(resp)
data = json.dumps({
'HOST': ctx['ip'],
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'iot_scan',
'DESCRIPTION': str(resp),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scanid,
'SCAN_CMD': scancmd
}) + "\n"
__log_into_file(loginfile, 'a', data, lang)
return
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
threads = []
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
total_req = 8000
if target_type(target) != "HTTP":
target = 'http://' + target
t = threading.Thread(target=analyze,
args=(target, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, retries,
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language,
"trying_message").format(trying, total_req,
num, total,
target_to_host(target), "",
'dir_scan'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1:
info(
messages(language,
"nothing_found").format(target, "wappalyzer_scan"))
if verbose_level is not 0:
data = json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'wappalyzer_scan',
'DESCRIPTION':
messages(language, "not_found"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('wappalyzer_scan', target))
def analysis(targets, check_ranges, check_subdomains, subs_temp, range_temp, log_in_file, time_sleep,
language, verbose_level, retries, socks_proxy, enumerate_flag):
__log_into_file(range_temp, 'a', '', language)
__log_into_file(subs_temp, 'a', '', language)
for target in targets:
if target_type(target) == 'SINGLE_IPv4':
if check_ranges:
if not enumerate_flag: info(messages(language, 51).format(target))
IPs = IPRange(getIPRange(target), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IP in IPm:
yield IP
else:
if not enumerate_flag: info(messages(language, 81).format(target))
yield target
elif target_type(target) == 'SINGLE_IPv6':
yield target
elif target_type(target) == 'RANGE_IPv4' or target_type(target) == 'CIDR_IPv4':
IPs = IPRange(target, range_temp, language)
if not enumerate_flag: info(messages(language, 52).format(target))
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IP in IPm:
yield IP
elif target_type(target) == 'DOMAIN':
if check_subdomains:
if check_ranges:
if enumerate_flag: info(messages(language, 52).format(target))
sub_domains = json.loads(open(subs_temp).read()) if len(open(subs_temp).read()) > 2 else \
__get_subs(target, 3, '', 0, language, 0, socks_proxy, 3, 0, 0)
if len(open(subs_temp).read()) is 0:
__log_into_file(subs_temp, 'a', json.dumps(sub_domains), language)
if target not in sub_domains:
sub_domains.append(target)
for target in sub_domains:
if not enumerate_flag: info(messages(language, 81).format(target))
yield target
n = 0
err = 0
IPs = []
while True:
try:
IPs.append(socket.gethostbyname(target))
err = 0
n += 1
if n is 12:
break
except:
err += 1
if err is 3 or n is 12:
break
IPz = list(set(IPs))
for IP in IPz:
if not enumerate_flag: info(messages(language, 51).format(IP))
IPs = IPRange(getIPRange(IP), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IPn in IPm:
yield IPn
else:
if enumerate_flag: info(messages(language, 52).format(target))
sub_domains = json.loads(open(subs_temp).read()) if len(open(subs_temp).read()) > 2 else \
__get_subs(target, 3, '', 0, language, 0, socks_proxy, 3, 0, 0)
if len(open(subs_temp).read()) is 0:
__log_into_file(subs_temp, 'a', json.dumps(sub_domains), language)
if target not in sub_domains:
sub_domains.append(target)
for target in sub_domains:
if not enumerate_flag: info(messages(language, 81).format(target))
yield target
else:
if check_ranges:
if not enumerate_flag: info(messages(language, 52).format(target))
yield target
n = 0
err = 0
IPs = []
while True:
try:
IPs.append(socket.gethostbyname(target))
err = 0
n += 1
if n is 12:
break
except:
err += 1
if err is 3 or n is 12:
break
IPz = list(set(IPs))
for IP in IPz:
if not enumerate_flag: info(messages(language, 51).format(IP))
IPs = IPRange(getIPRange(IP), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IPn in IPm:
yield IPn
else:
if not enumerate_flag: info(messages(language, 81).format(target))
yield target
elif target_type(target) == 'HTTP':
if not enumerate_flag: info(messages(language, 52).format(target))
yield target
if check_ranges:
if 'http://' == target[:7].lower():
target = target[7:].rsplit('/')[0]
if 'https://' == target[:8].lower():
target = target[8:].rsplit('/')[0]
yield target
IPs = []
while True:
try:
IPs.append(socket.gethostbyname(target))
err = 0
n += 1
if n is 12:
break
except:
err += 1
if err is 3 or n is 12:
break
IPz = list(set(IPs))
for IP in IPz:
if not enumerate_flag: info(messages(language, 51).format(IP))
IPs = IPRange(getIPRange(IP), range_temp, language)
if type(IPs) == netaddr.ip.IPNetwork:
for IPm in IPs:
yield IPm
elif type(IPs) == list:
for IPm in IPs:
for IPn in IPm:
yield IPn
else:
__die_failure(messages(language, 50).format(target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = [
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
"Googlebot/2.1 ( http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04"
" Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13",
"Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620",
"Debian APT-HTTP/1.3 (0.8.10.3)",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Googlebot/2.1 (+http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; "
"http://help.yahoo.com/help/us/shop/merchant/)",
"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
"msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
]
headers = {
'User-agent': random.choice(user_agent_list),
'Content-Type': 'text/xml'
}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
threads = []
if users is None:
users = extra_requirements["wp_users"]
if passwds is None:
passwds = extra_requirements["wp_passwds"]
if ports is None:
ports = extra_requirements["wp_xmlrpc_brute_ports"]
if verbose_level > 3:
total_req = len(users) * len(passwds) * len(ports)
else:
total_req = len(users) * len(passwds) * len(ports)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) != "HTTP":
target = 'https://' + target
for port in ports:
if test(str(target), port, retries, timeout_sec, headers,
socks_proxy, verbose_level, trying, total_req, total, num,
language) is True:
keyboard_interrupt_flag = False
for user in users:
for passwd in passwds:
#print(user + " " + passwd)
t = threading.Thread(
target=check,
args=(user, passwd, target, port, headers,
timeout_sec, log_in_file, language, retries,
time_sleep, thread_tmp_filename, socks_proxy,
scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total,
target_to_host(target), port,
'wp_xmlrpc_brute'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
warn(messages(language, "open_error").format(target))
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('wp_xmlrpc_brute', target))
def request_with_data(post_request, content_type, req_type, retries,
time_sleep, timeout_sec, payload, condition, output,
sample_event, message, log_in_file, thread_tmp_filename,
language, targets, ports, default_ports, socks_proxy):
"""
this function extracts the data, headers and url for the POST type request which is to be sent to
the __http_request_maker function
Args:
post_request: the returned data from __http_requests_generator function
req_type: GET, POST, PUT, DELETE or PATCH
content_type: application/json or application/x-www-form-urlencoded
payload: the payload corresponding to which the request is made
condition: the condition to be evaluated. eg: response.status_code == 200
other args: retries, time_sleep, timeout_sec, output, sample_event, message, log_in_file,
thread_tmp_filename, language
Returns:
the list of outputs in the format
[
{
"payload": payload,
"condition": condition,
"result": rule_evaluator(response, condition),
"response": response
},......
]
"""
post_data_format = ""
request_line, headers_alone = post_request.split('\r\n', 1)
headers = Message(StringIO(headers_alone)).dict
clean_headers = {x.strip(): y for x, y in headers.items()}
headers = clean_headers
if "content-type" in headers:
content_type = headers['content-type']
if content_type == 'application/x-www-form-urlencoded':
post_data_format = post_data_parser(post_request.split('\r\n')[-1])
elif content_type == 'application/json':
post_data_format = json.loads(
post_request[post_request.find('{'):post_request.find('}') +
1])
headers.pop("Content-Length", None)
url_sample = request_line.strip().split(' ')[1]
for target in targets:
url = url_sample.replace('__target_locat_here__', str(target))
port = url[url.find(':', 7) + 1:url.find('/', 7)]
response = __http_request_maker(req_type, url, headers, retries,
time_sleep, timeout_sec,
post_data_format, content_type,
socks_proxy)
if isinstance(response, requests.models.Response):
if rule_evaluator(response, condition):
__log_into_file(thread_tmp_filename, 'w', '0', language)
sample_event['PORT'] = port
event_parser(message, sample_event, response, payload,
log_in_file, language)
output.append({
"payload": payload,
"condition": condition,
"result": rule_evaluator(response, condition),
"response": response
})
return output
def check(user, passwd, target, port, headers, timeout_sec, log_in_file,
language, retries, time_sleep, thread_tmp_filename, socks_proxy,
scan_id, scan_cmd):
time.sleep(time_sleep)
try:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
target = target + '/xmlrpc.php'
postdata = '''<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>''' + user + '''</string></value></param><param><value><string>''' + passwd + '''</string></value></param></params></methodCall>'''
r = requests.post(target,
timeout=timeout_sec,
headers=headers,
data=postdata)
if "incorrect" not in r.text.lower() and user in r.text.lower(
):
info(
messages(language, "user_pass_found").format(
user, passwd, target, port))
data = json.dumps(
{
'HOST': target,
'USERNAME': user,
'PASSWORD': passwd,
'PORT': port,
'TYPE': 'wp_xmlrpc_brute',
'DESCRIPTION': messages(language,
"login_successful"),
'TIME': now(),
'CATEGORY': "brute"
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
break
except Exception:
n += 1
if n is retries:
warn(
messages(language,
"http_connection_timeout").format(target))
return 1
return True
except Exception:
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if users is None:
users = extra_requirements["http_basic_auth_brute_users"]
if passwds is None:
passwds = extra_requirements["http_basic_auth_brute_passwds"]
if ports is None:
ports = extra_requirements["http_basic_auth_brute_ports"]
if target.lower().startswith('http://') or target.lower().startswith(
'https://'):
pass
else:
target = 'http://' + str(target)
threads = []
total_req = len(users) * len(passwds)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
keyboard_interrupt_flag = False
for port in ports:
if check_auth(target, timeout_sec, language, port):
continue
for user in users:
for passwd in passwds:
t = threading.Thread(target=login,
args=(user, passwd, target, port,
timeout_sec, log_in_file,
language, retries, time_sleep,
thread_tmp_filename,
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total, target, port,
'http_basic_auth_brute'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
if keyboard_interrupt_flag:
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount(
) is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(
open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1 and verbose_level is not 0:
data = json.dumps(
{
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'http_basic_auth_brute',
'DESCRIPTION': messages(language,
"no_user_passwords"),
'TIME': now(),
'CATEGORY': "brute",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('http_basic_auth_brute',
target))
def start(
target,
users,
passwds,
ports,
timeout_sec,
thread_number,
num,
total,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
methods_args,
scan_id,
scan_cmd,
): # Main function
if (
target_type(target) != "SINGLE_IPv4"
or target_type(target) != "DOMAIN"
or target_type(target) != "HTTP"
or target_type(target) != "SINGLE_IPv6"
):
# rand useragent
http_methods = ["GET", "HEAD"]
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement
]
extra_requirements = new_extra_requirements
if extra_requirements["pma_scan_http_method"][0] not in http_methods:
warn(messages(language, "dir_scan_get"))
extra_requirements["pma_scan_http_method"] = ["GET"]
thread_tmp_filename = "{}/tmp/thread_tmp_".format(
load_file_path()
) + "".join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20)
)
__log_into_file(thread_tmp_filename, "w", "1", language)
default_ports = [80, 443]
request = """{0} __target_locat_here__{{0}} \
HTTP/1.1\nUser-Agent: {1}\n\n""".format(
extra_requirements["pma_scan_http_method"][0],
random.choice(useragents.useragents())
if extra_requirements["pma_scan_random_agent"][0].lower() == "true"
else "Mozilla/5.0 (Windows; U; Windows NT 5.1; \
en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
)
status_codes = [200, 401, 403]
condition = "response.status_code in {0}".format(status_codes)
message = messages(language, "found")
sample_message = (
'"'
+ message
+ '"'
+ """.format(response.url, response.status_code,\
response.reason)"""
)
sample_event = {
"HOST": target_to_host(target),
"USERNAME": "",
"PASSWORD": "",
"PORT": "PORT",
"TYPE": "pma_scan",
"DESCRIPTION": sample_message,
"TIME": now(),
"CATEGORY": "scan",
"SCAN_ID": scan_id,
"SCAN_CMD": scan_cmd,
}
counter_message = messages(language, "phpmyadmin_dir_404")
__repeater(
request,
[extra_requirements["pma_scan_list"]],
timeout_sec,
thread_number,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
scan_id,
scan_cmd,
condition,
thread_tmp_filename,
sample_event,
sample_message,
target,
ports,
default_ports,
counter_message,
)
else:
warn(
messages(language, "input_target_error").format("pma_scan", target)
)
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if ports is None:
ports = extra_requirements["xmlrpc_bruteforce_vuln_ports"]
if target_type(target) == 'HTTP':
target = target_to_host(target)
threads = []
total_req = len(ports)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
keyboard_interrupt_flag = False
for port in ports:
port = int(port)
t = threading.Thread(target=__xmlrpc_bruteforce,
args=(target, int(port), timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy,
scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total, target, port,
'xmlrpc_bruteforce_vuln'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec /
0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1 and verbose_level != 0:
info(
messages(language, "no_vulnerability_found").format(
'Wordpress_xmlrpc_bruteforce'))
data = json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'xmlrpc_bruteforce_vuln',
'DESCRIPTION':
messages(language, "no_vulnerability_found").format(
'Wordpress_xmlrpc_bruteforce'),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('xmlrpc_bruteforce_vuln',
target))
def login(user, passwd, target, port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy):
exit = 0
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
while 1:
try:
if timeout_sec is not None:
tn = telnetlib.Telnet(target, timeout=timeout_sec)
else:
tn = telnetlib.Telnet(target)
exit = 0
break
except:
exit += 1
if exit is retries:
warn(
messages(language, "telnet_connection_timeout").format(
target, port, user, passwd))
return 1
time.sleep(time_sleep)
flag = 1
try:
tn.read_until("login: "******"\n")
tn.read_until("Password: "******"\n")
flag = 0
except:
pass
if flag is 0:
info(
messages(language,
"user_pass_found").format(user, passwd, target, port))
data = json.dumps({
'HOST': target,
'USERNAME': user,
'PASSWORD': passwd,
'PORT': port,
'TYPE': 'telnet_brute',
'DESCRIPTION': messages(language, "login_successful"),
'TIME': now(),
'CATEGORY': "brute"
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
else:
pass
return flag
def check(target, user_agent, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, retries, http_method, socks_proxy, scan_id,
scan_cmd):
status_codes = [200, 401, 403]
directory_listing_msgs = [
"<title>Index of /", "<a href=\"\\?C=N;O=D\">Name</a>",
"Directory Listing for", "Parent Directory</a>", "Last modified</a>",
"<TITLE>Folder Listing.", "- Browsing directory "
]
time.sleep(time_sleep)
try:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
if http_method == "GET":
r = requests.get(target,
timeout=timeout_sec,
headers=user_agent)
elif http_method == "HEAD":
r = requests.head(target,
timeout=timeout_sec,
headers=user_agent)
content = r.content
break
except:
n += 1
if n == retries:
warn(
messages(language,
"http_connection_timeout").format(target))
return 1
if version() == 3:
content = content.decode('utf8')
if r.status_code in status_codes:
info(
messages(language, "found").format(target, r.status_code,
r.reason))
__log_into_file(thread_tmp_filename, 'w', '0', language)
data = json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
"",
'TYPE':
'wp_timthumb_scan',
'DESCRIPTION':
messages(language, "found").format(target, r.status_code,
r.reason),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
if r.status_code == 200:
for dlmsg in directory_listing_msgs:
if dlmsg in content:
info(
messages(language,
"directoy_listing").format(target))
data = json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
"",
'TYPE':
'wp_timthumb_scan',
'DESCRIPTION':
messages(language,
"directoy_listing").format(target),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
break
return True
except:
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type != 'SINGLE_IPv6':
# output format
time.sleep(time_sleep)
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
# set user agent
headers = {
"User-agent":
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0",
"Accept":
"text/javascript, text/html, application/xml, text/xml, */*",
"Accept-Language": "en-US,en;q=0.5",
"Referer": "https://viewdns.info/"
}
total_req = 1
trying = 1
info(
messages(language,
"trying_process").format(trying, total_req, num, total,
target, 'viewdns ip lookup'))
n = 0
while 1:
try:
res = requests.get(
'https://viewdns.info/reverseip/?host={0}&t=1'.format(
target),
timeout=timeout_sec,
headers=headers,
verify=True).text
break
except:
n += 1
if n is retries:
warn(
messages(
language,
"http_connection_timeout").format("viewdns.info"))
return 1
_values = []
try:
s = '<table>' + \
res.rsplit('''<table border="1">''')[
1].rsplit("<br></td></tr><tr></tr>")[0]
table = ET.XML(s)
rows = iter(table)
headers = [col.text for col in next(rows)]
for row in rows:
values = [col.text for col in row]
_values.append(dict(zip(headers, values))["Domain"])
except Exception:
pass
if len(_values) == 0:
info(messages(language, "viewdns_domain_404"))
if len(_values) > 0:
info(messages(language, "len_domain_found").format(len(_values)))
for domain in _values:
if verbose_level > 3:
info(messages(language, "domain_found").format(domain))
data = json.dumps({
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'viewdns_reverse_ip_lookup_scan',
'DESCRIPTION': domain,
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
if verbose_level != 0:
data = json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'viewdns_reverse_ip_lookup_scan',
'DESCRIPTION':
messages(language, "domain_found").format(
len(_values),
", ".join(_values) if len(_values) > 0 else "None"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
else:
warn(
messages(language, "input_target_error").format(
'viewdns_reverse_ip_lookup_scan', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language,
verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = useragents.useragents()
http_methods = ["GET", "HEAD"]
user_agent = {'User-agent': random.choice(user_agent_list)}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[
extra_requirement] = methods_args[extra_requirement]
extra_requirements = new_extra_requirements
if extra_requirements["wp_theme_scan_http_method"][0] not in http_methods:
warn(messages(language, "wp_theme_scan_get"))
extra_requirements["wp_theme_scan_http_method"] = ["GET"]
random_agent_flag = True
if extra_requirements["wp_theme_scan_random_agent"][0] == "False":
random_agent_flag = False
threads = []
if verbose_level > 3:
total_req = len(themes.themes())
else:
total_req = len(small_themes.themes())
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) != "HTTP":
target = 'https://' + target
if test(str(target), retries, timeout_sec, user_agent, extra_requirements["wp_theme_scan_http_method"][0],
socks_proxy, verbose_level, trying, total_req, total, num, language) == 0:
keyboard_interrupt_flag = False
if verbose_level > 3:
scan_list = themes.themes()
else:
scan_list = small_themes.themes()
for idir in scan_list:
idir = "/wp-content/themes/" + idir
if random_agent_flag:
user_agent = {'User-agent': random.choice(user_agent_list)}
t = threading.Thread(target=check,
args=(
target + '/' + idir, user_agent, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, retries,
extra_requirements[
"wp_theme_scan_http_method"][0],
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target),
"default_port", 'wp_theme_scan'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
warn(messages(language, "open_error").format(target))
# wait for threads
kill_switch = 0
kill_time = int(
timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1:
info(messages(language, "directory_file_404").format(
target, "default_port"))
if verbose_level != 0:
data = json.dumps(
{'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wp_theme_scan',
'DESCRIPTION': messages(language, "no_open_ports"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(messages(language, "input_target_error").format(
'wp_theme_scan', target))
def __netcraft(target, timeout_sec, log_in_file, time_sleep, language,
verbose_level, socks_proxy, retries, headers,
thread_tmp_filename):
try:
from core.targets import target_to_host
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
results = ''
url = 'https://searchdns.netcraft.com/?restriction=site+contains&host=*.{0}' \
'&lookup=wait..&position=limited'.format(target)
subs = []
while '<b>Next page</b></a>' not in results:
while 1:
try:
results = requests.get(url, headers=headers)
break
except Exception:
n += 1
if n is 3:
break
if n is 3:
break
if results.status_code is 200:
for l in re.compile(
'<a href="http://toolbar.netcraft.com/site_report\?url=(.*)">'
).findall(results.content):
if '*' not in target_to_host(l) and target_to_host(
l).endswith('.' + target) and target_to_host(
l) not in subs:
subs.append(target_to_host(l))
else:
# warn 403
break
try:
url = 'http://searchdns.netcraft.com' + re.compile(
'<A href="(.*?)"><b>Next page</b></a>').findall(
results.content)[0]
except Exception:
break
__log_into_file(thread_tmp_filename, 'a', '\n'.join(subs), language)
return subs
except Exception:
return []
