def __init__(self, args, dbhandler=None):
"""
Dns2IP class resolves hostnames.
input:
args cmdline arguments without argv[0]
dbhandler database handler
"""
logger.info("Initialising Dns2Ip ...")
opt = parse(args)
self.dbh = dbhandler
try:
ig_targets = cTuples.cInputGenerator(
filename=opt.target_fn,
data=opt.targets,
maxthreads=opt.nthreads,
circle=False,
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=resolve,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbhandler=None):
"""
Ip2Dns class gets dns records for one or more ip addresses in parrallel.
input:
args cmdline arguments without argv[0]
dbhandler database handler
"""
logger.info("Initialising Dns2Ip ...")
opt = parse(args)
self.dbh = dbhandler
try:
ig_targets = cTuples.cInputGenerator(
filename=opt.target_fn,
data=opt.targets,
maxthreads=opt.nthreads,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t, noResolve=True),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=resolveIP,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
opts = parse(args)
self.dbh = dbh
self.port = opts.port
try:
ig_targets = cTuples.cInputGenerator(filename=opts.T,
data=opts.t,
maxthreads=opts.nthreads,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=[opts.port],
noSplit=True,
),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=bversion,
maxthreads=opts.nthreads,
delay=opts.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
opt = parse(args)
self.dbh = dbh
#self.qname = opts.zone
self.dbh = dbh
try:
ig_targets = cTuples.cInputGenerator(
filename=opt.T,
data=opt.t,
maxthreads=opt.nthreads,
prepare_cb=get_ans,
circle=False,
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=ztrans,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def scan(self):
self.results = {}
start = datetime.now()
self.tuples = cTuples.cTuples(inputs=[self.ig_targets, self.ig_tests], prep_callback=db_test.test)
#self.tuples.setDaemon(True)
self.tuples.start()
self.ig_tests.start()
self.ig_targets.start()
for status, mark, result in self.tuples.tuple_q:
if status:
try:
self.results[mark.ident].append(result)
except KeyError:
self.results[mark.ident] = []
self.results[mark.ident].append(result)
self._add_mark(mark)
message, nikto_id, request, response, osvdb, method, uri = result
self._add_vulnerability(
mark,
message,
nikto_id,
request,
response,
osvdb,
method,
uri
)
self.tuples.join()
print 'Finished in %f seconds' % cUtil.secs(start)
def __init__(self,
args,
dbhandler=None):
"""
Dns2IP class resolves hostnames.
input:
args cmdline arguments without argv[0]
dbhandler database handler
"""
logger.info("Initialising Dns2Ip ...")
opt = parse(args)
self.dbh = dbhandler
try:
ig_targets = cTuples.cInputGenerator(filename=opt.target_fn,
data=opt.targets,
maxthreads=opt.nthreads,
circle=False,
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=resolve,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
"""
Initialize and run MysqlBruteforce
input:
args cmdline arguments without argv[0]
dbh database handler
"""
# parse argv
opt = parse(args)
# generators for user and password lists
# TODO: self.tls = opt.tls
#self.to = opt.to
self.nthreads = opt.nthreads
# database handle
self.dbh = dbh
# queue stuff
try:
ig_targets = cTuples.cInputGenerator(
data=opt.targets,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(
t, ports=[opt.port], noSplit=True, noResolve=True),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw],
prep_callback=brute,
delay=opt.delay)
self.tuples.start()
def main(dbh,
target=None,
port=None,
password=None,
timeout=None,
verbose=None,
**kwargs):
if verbose:
rLog.set_verbosity_console('vvvv')
testvnc.verbose = verbose
testvnc.timeout = timeout
tuples = cTuples.cTuples(
inputs=[target, port, password],
prep_callback=testvnc,
)
tuples.setDaemon(True)
tuples.start()
row_fmt = "{:24} {:50} {:50}"
print '-' * 126
print row_fmt.format('target', 'password', 'status')
print '-' * 126
for status, target, port, password in tuples.tuple_q:
ip = target[0]
fqdn = ''.join(target[1])
if status == 0:
msg = "\"None\" authentication method detected"
elif status == 1:
msg = "Authentication successful"
br = BruteforceResult2(
password=password,
ip=ip,
fqdn=fqdn,
port=port,
service='vnc',
)
dbh.add(br)
elif status == 2:
msg = "Authentication failed"
elif status == 3:
msg = "Protocol error"
elif status == 4:
msg = "Network error"
elif status == 5:
msg = "Too many failures"
print row_fmt.format('%s:%d' % (ip, port), password, msg)
tuples.join()
def doHost(self, opt):
""" start bruteforce with password and user list (one host)
tHost: Host to attack tuple(host, port)
fusers: user list file name
fpasswords: password list file name
ssh_verisons: list of ssh client version strings
nthreads: number of threads
"""
try:
ig_targets = cTuples.cInputGenerator(
data=opt.targets,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(
t, ports=[opt.port], noResolve=True),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
prepare_cb=lambda t: t.strip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
prepare_cb=lambda t: t.strip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw],
prep_callback=brute)
self.tuples.start()
def doHost(self, opt):
""" start bruteforce with password and user list (one host)
tHost: Host to attack tuple(host, port)
fusers: user list file name
fpasswords: password list file name
ssh_verisons: list of ssh client version strings
nthreads: number of threads
"""
try:
ig_targets = cTuples.cInputGenerator(data=opt.targets,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=[opt.port],
noResolve=True
),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
prepare_cb=lambda t: t.strip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
prepare_cb=lambda t: t.strip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw], prep_callback=brute)
self.tuples.start()
def main(dbh, target=None, port=None, password=None, timeout=None, verbose=None, **kwargs):
if verbose:
rLog.set_verbosity_console('vvvv')
testvnc.verbose = verbose
testvnc.timeout = timeout
tuples = cTuples.cTuples(inputs=[target, port, password],
prep_callback=testvnc,
)
tuples.setDaemon(True)
tuples.start()
row_fmt = "{:24} {:50} {:50}"
print '-' * 126
print row_fmt.format('target', 'password', 'status')
print '-' * 126
for status, target, port, password in tuples.tuple_q:
ip = target[0]
fqdn = ''.join(target[1])
if status == 0:
msg = "\"None\" authentication method detected"
elif status == 1:
msg = "Authentication successful"
br = BruteforceResult2(
password=password,
ip=ip,
fqdn=fqdn,
port=port,
service='vnc',
)
dbh.add(br)
elif status == 2:
msg = "Authentication failed"
elif status == 3:
msg = "Protocol error"
elif status == 4:
msg = "Network error"
elif status == 5:
msg = "Too many failures"
print row_fmt.format('%s:%d' % (ip, port), password, msg)
tuples.join()
def __init__(self,
args,
dbhandler=None):
"""
Dns2IP concatenates words from a wordlist file with top level domains
and tries to resove the resulting hostnames.
input:
args cmdline arguments without argv[0]
dbhandler database handler
"""
logger.info("Initialising Dns2Ip ...")
opt = parse(args)
resolve.tlds = opt.tld
self.dbh = dbhandler
try:
ig_words = cTuples.cInputGenerator(filename=opt.wordlist_fn,
data=opt.wordlist,
maxthreads=opt.nthreads,
circle=False,
)
ig_words.start()
except cTuples.ENoInput:
print 'Please specify a set of words or a filename containing a wordlist'
sys.exit(1)
try:
ig_tlds = cTuples.cInputGenerator(filename=opt.tld_fn,
data=opt.tld,
maxthreads=opt.nthreads,
circle=True,
)
ig_tlds.start()
except cTuples.ENoInput:
print 'Please specify a set of tlds or a filename containing a tldlist'
sys.exit(1)
self.tuples = cTuples.cTuples(inputs=[ig_words, ig_tlds],
prep_callback=resolve,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self,
args,
dbh=None):
logger.debug('Init RpcScanner')
opt = parse(args)
# file containing RPC program
if opt.fn_rpc:
cRpc.RPC_PATH = opt.fn_rpc
# check if rpc file is readable
try:
fd = __builtin__.openany(cRpc.RPC_PATH, "r")
fd.close()
except:
print 'Error: Could not open RPC program number data base %s' % cRpc.RPC_PATH
sys.exit(1)
self.port = opt.port
# database handle
self.dbh = dbh
try:
ig_targets = cTuples.cInputGenerator(filename=opt.target_fn,
data=opt.targets,
maxthreads=opt.nthreads,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=[opt.port],
noResolve=True
),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=rpcinfo,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
logger.debug('Init %s' % __name__)
# database handle
self.dbh = dbh
opt = self.parse(args)
if opt.fn_rpc:
cRpc.RPC_PATH = opt.fn_rpc
# check if rpc file is readable
try:
fd = __builtin__.openany(cRpc.RPC_PATH, "r")
fd.close()
except:
print 'Error: Could not open RPC program number data base %s' % cRpc.RPC_PATH
sys.exit(1)
showmount.version = 1
try:
ig_targets = cTuples.cInputGenerator(
filename=opt.target_fn,
data=opt.targets,
maxthreads=opt.nthreads,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(
t, ports=[opt.port], noResolve=True),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=showmount,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def doUph(self, opt):
""" start bruteforce with uph list (multiple hosts)
fuph: uph list file name
ssh_verisons: list of ssh client version strings
nthreads: number of threads
"""
def prep_uph(line):
if not line:
return None
line = line.strip()
parts = line.split(':')
if len(parts) == 3:
user, password, host = parts
port = 22
elif len(parts) == 4:
user, password, host, port = parts
else:
print 'Error: Invalid uph format: %s' % line
r = ((host, int(port)), user, password)
logger.info(r)
return r
try:
ig_targets = cTuples.cInputGenerator(data=[],
filename=opt.uph_lists,
circle=False,
prepare_cb=prep_uph)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=brute,
single=False,
delay=opt.delay)
self.tuples.start()
def __init__(self,
args,
dbhandler=None):
"""
Ip2Dns_Bing class gets dns records by searching
Bing for ip:<ip>.
input:
args cmdline arguments without argv[0]
dbhandler database handler
"""
logger.info("Initialising Dns2Ip ...")
self.dbh = dbhandler
opt = parse(args)
self.nthreads = opt.nthreads
resolve.max_results = opt.max_results
try:
ig_targets = cTuples.cInputGenerator(filename=opt.target_fn,
data=opt.targets,
maxthreads=opt.nthreads,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t, noResolve=True)
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=resolve,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def doUph(self, opt):
""" start bruteforce with uph list (multiple hosts)
fuph: uph list file name
ssh_verisons: list of ssh client version strings
nthreads: number of threads
"""
def prep_uph(line):
if not line:
return None
line = line.strip()
parts = line.split(':')
if len(parts) == 3:
user, password, host = parts
port = 22
elif len(parts) == 4:
user, password, host, port = parts
else:
print 'Error: Invalid uph format: %s' % line
r = ((host, int(port)), user, password)
logger.info(r)
return r
try:
ig_targets = cTuples.cInputGenerator(data=[],
filename=opt.uph_lists,
circle=False,
prepare_cb=prep_uph
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets], prep_callback=brute, single=False, delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
opt = parse(args)
self.dbh = dbh
#self.qname = opts.zone
self.dbh = dbh
try:
ig_targets = cTuples.cInputGenerator(filename=opt.T,
data=opt.t,
maxthreads=opt.nthreads,
prepare_cb=get_ans,
circle=False,
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=ztrans,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self,
args,
dbh=None):
"""
Initialize and run FtpBruteforce
input:
args cmdline arguments without argv[0]
dbhandler database handler
"""
logger.info('Init FTP bruteforce')
self.dbh = dbh
opt = parse(args)
self.anon_q = Queue.Queue()
brute.to = opt.to
brute.tls = opt.tls
self.anon = opt.anon
if self.anon:
test_special_login_init(self.anon_q, opt.to, opt.tls)
expand_cb = lambda t: cUtil.mkIP2(t,
ports=[opt.port],
noResolve=True
)
try:
ig_targets = cTuples.cInputGenerator(data=opt.targets,
filename=opt.target_fn,
circle=False,
expand_cb=expand_cb,
prepare_cb=opt.anon and test_special_login or None,
maxthreads=opt.nthreads
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
prepare_cb=lambda x: x.rstrip(),
circle=True,
maxthreads=opt.nthreads)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
prepare_cb=lambda x: x.rstrip(),
circle=True,
maxthreads=opt.nthreads)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw],
prep_callback=brute,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbhandler=None):
logger.info("Initialising DNS subdomain scanner..")
#FIXME this is bad design. one does not simple initalise an object by
# passing the program arguments ;) we need to parse that in advance
opt = parse(args)
self.dbh = dbhandler
data = []
if opt.bf_length:
allchars = string.letters + string.digits
chars = []
for cs in opt.charsets:
if len(cs) < 3 or cs[1] != '-':
print 'Invalid charset %s' % cs
sys.exit(1)
start = allchars.find(cs[0])
if start < 0:
print 'Invalid charset %s' % cs
sys.exit(1)
stop = allchars.find(cs[2]) + 1
if stop < 1:
print 'Invalid charset %s' % cs
if start > stop:
start, stop = stop, start
chars.extend(allchars[start:stop])
chars.append('')
data = it.imap(lambda t: ''.join(t),
it.product(chars, repeat=opt.bf_length))
try:
if not opt.w:
fnames = []
else:
fnames = [opt.w]
ig_subs = cTuples.cInputGenerator(
filenames=fnames,
data=data,
maxthreads=opt.nt,
circle=False,
)
ig_subs.start()
except cTuples.ENoInput:
print 'Please specify a set of subs or a filename containing a sublist'
sys.exit(1)
try:
ig_domains = cTuples.cInputGenerator(
filename=opt.T,
data=opt.t,
prepare_cb=check_wildcard,
maxthreads=opt.nt,
circle=True,
)
ig_domains.start()
except cTuples.ENoInput:
print 'Please specify a set of domains or a filename containing a domainlist'
sys.exit(1)
self.tuples = cTuples.cTuples(inputs=[ig_subs, ig_domains],
prep_callback=resolve,
maxthreads=opt.nt,
delay=opt.delay)
self.tuples.start()
def ssl_test(args, dbh=None):
parser = argparse.ArgumentParser(
prog=__plgname__,
description="ssl version tester v%f" % __version__,
epilog=""" Examples:
ssl_tester.plg -t www.curesec.com -maxcon 10
""",
formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('-T',
help='file containing urls or ips',
dest='target_fn')
parser.add_argument('-t',
help='url or ir',
nargs='+',
dest='target',
default=[])
parser.add_argument('-delay',
help='delay in between requests',
dest='delay',
default=0.0,
type=float)
parser.add_argument(
'-C',
help=
'filename of cipher suite list to test against (default cipherlist.txt)',
dest='cipher_fn',
default='cipherlist.txt')
parser.add_argument('-port',
help='target port (default 443)',
dest='port',
default=443,
type=int)
parser.add_argument('-to',
help='Server timeout (default 3s)',
dest='timeout',
type=int,
default=3)
parser.add_argument(
'-maxcon',
help='Maximum parallel connections per host (default: unlimited)',
type=int,
default=0,
)
parser.add_argument(
'-nt',
help=
'Maximum number of threads to scan with, each host gets a new thread (default 10)',
dest='nthreads',
default=10,
type=int)
if not args:
parser.print_help()
sys.exit(0)
opt = parser.parse_args(args)
# set global target parameters
cComm.Mark.MAX_CON = opt.maxcon
cComm.Mark.FIX_PORT = opt.port
cComm.Mark.TIMEOUT = opt.timeout
# only use ssl connections no plain http
cComm.Comm.SSL = True
start = datetime.now()
try:
ig_targets = cTuples.cInputGenerator(data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=cUtil.mkIP2,
prepare_cb=prepare_target,
maxthreads=opt.nthreads)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_ciphers = cTuples.cInputGenerator(data=[],
filename=opt.cipher_fn,
prepare_cb=prepare_cb_cipher,
circle=True)
except cTuples.ENoInput:
print 'Error: No Ciphers specified, please use the -C parameter to set a cipher list file'
sys.exit(1)
ig_targets.start()
ig_ciphers.start()
tuples = cTuples.cTuples(inputs=[ig_targets, ig_ciphers],
prep_callback=check_ssl,
maxthreads=opt.nthreads,
delay=opt.delay)
tuples.start()
results = {}
for mark, cs, cipher, sev, version in tuples.tuple_q:
if dbh:
br = ccd.SslInfoResult(
ip=mark.ip,
fqdn=mark.hostname,
port=mark.port,
cs=cs,
)
dbh.add(br)
try:
results[mark.ip + ' / ' + mark.hostname][sev].append(cs)
except:
results[mark.ip + ' / ' + mark.hostname] = {}
results[mark.ip + ' / ' + mark.hostname]['weak'] = []
results[mark.ip + ' / ' + mark.hostname]['medium'] = []
results[mark.ip + ' / ' + mark.hostname]['strong'] = []
tuples.join()
for ip, c in results.items():
print '-' * len(ip)
print ip
print '-' * len(ip)
for cs in c['weak']:
print '\033[91m%s\033[0m' % cs
for cs in c['medium']:
print '\033[93m%s\033[0m' % cs
for cs in c['strong']:
print '\033[92m%s\033[0m' % cs
print
print 'Finished in %f seconds' % cUtil.secs(start)
def parse(self, args):
description = "### SMTP user enumeration ###\n" + \
"It is based on the SMTP commands: VRFY, EXPN, RCPT.\n" + \
"Results may be inaccurate (false positives) as not all SMTP servers act the same.\n" +\
"Furthermore, this script does not support StartTLS or authentication.\n" +\
"To inspect the server's resonse, use the -v verbosity switch.\n" +\
"Output of valid usernames are in the form of: [username]\n\n"
epilog = """Examples:
smtp_user_enum.plg -command ALL -U users.txt -t 192.168.1.136
"""
parser = argparse.ArgumentParser(
description=description,
epilog=epilog,
formatter_class=argparse.RawTextHelpFormatter
)
parser.add_argument("-command", action="store", dest="command", required=True, help="choose VRFY, EXPN, RCPT or ALL")
parser.add_argument('-T',
help='files containing host:port entries',
default='',
dest='target_fn'
)
parser.add_argument('-t',
help='target hosts',
default=[],
nargs='+',
dest='targets',
)
parser.add_argument('-port',
help='target port (default 25)',
dest='port',
default=25,
type=int
)
parser.add_argument('-delay',
help='delay in between requests',
dest='delay',
default=0.0,
type=float
)
parser.add_argument('-u',
help='usernames',
default=[],
nargs='+',
dest='users',
)
parser.add_argument('-U',
help='file containing one username per line',
default='',
dest='user_fn',
)
parser.add_argument('-nt',
help='number of threads (default 100)',
dest='nthreads',
type=int,
default=100
)
parser.add_argument('-to',
help='Server timeout (default 3s)',
dest='timeout',
type=int,
default=3
)
parser.add_argument('-no_check',
help='disable host check',
action='store_true',
dest='no_check',
)
if not args:
parser.print_help()
sys.exit(1)
opt = parser.parse_args(args)
testusername.command = opt.command
testusername.timeout = opt.timeout
if opt.command != "VRFY" and opt.command != "EXPN" and opt.command != "RCPT" and opt.command != "ALL":
parser.print_help()
print("command must either be 'VRFY', 'EXPN', 'RCPT' or 'ALL'")
sys.exit(1)
try:
ig_targets = cTuples.cInputGenerator(data=opt.targets,
filename=opt.target_fn,
circle=False,
prepare_cb=cUtil.isUp,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=[opt.port],
noResolve=True,
),
maxthreads=opt.nthreads
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users], prep_callback=testusername, delay=opt.delay)
self.tuples.start()
def __init__(self,
args,
dbh=None):
"""
Initialize and run TelnetBruteforce
input:
args cmdline arguments without argv[0]
dbh database handler
"""
self.dbh = dbh
opt = parse(args)
# configure bruteforce parameters for all targets
brute.to = opt.to
brute.tls = opt.tls
expand_cb = lambda t: cUtil.mkIP2(t,
ports=[opt.port],
noResolve=True
)
prepare_cb = cUtil.isUp
if opt.no_check:
prepare_cb = None
try:
ig_targets = cTuples.cInputGenerator(data=opt.targets,
filename=opt.target_fn,
circle=False,
prepare_cb=prepare_cb,
expand_cb=expand_cb,
maxthreads=opt.nthreads,
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw],
prep_callback=brute,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def parse(self, args):
description = "### SMTP user enumeration ###\n" + \
"It is based on the SMTP commands: VRFY, EXPN, RCPT.\n" + \
"Results may be inaccurate (false positives) as not all SMTP servers act the same.\n" +\
"Furthermore, this script does not support StartTLS or authentication.\n" +\
"To inspect the server's resonse, use the -v verbosity switch.\n" +\
"Output of valid usernames are in the form of: [username]\n\n"
epilog = """Examples:
smtp_user_enum.plg -command ALL -U users.txt -t 192.168.1.136
"""
parser = argparse.ArgumentParser(
description=description,
epilog=epilog,
formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument("-command",
action="store",
dest="command",
required=True,
help="choose VRFY, EXPN, RCPT or ALL")
parser.add_argument('-T',
help='files containing host:port entries',
default='',
dest='target_fn')
parser.add_argument(
'-t',
help='target hosts',
default=[],
nargs='+',
dest='targets',
)
parser.add_argument('-port',
help='target port (default 25)',
dest='port',
default=25,
type=int)
parser.add_argument('-delay',
help='delay in between requests',
dest='delay',
default=0.0,
type=float)
parser.add_argument(
'-u',
help='usernames',
default=[],
nargs='+',
dest='users',
)
parser.add_argument(
'-U',
help='file containing one username per line',
default='',
dest='user_fn',
)
parser.add_argument('-nt',
help='number of threads (default 100)',
dest='nthreads',
type=int,
default=100)
parser.add_argument('-to',
help='Server timeout (default 3s)',
dest='timeout',
type=int,
default=3)
parser.add_argument(
'-no_check',
help='disable host check',
action='store_true',
dest='no_check',
)
if not args:
parser.print_help()
sys.exit(1)
opt = parser.parse_args(args)
testusername.command = opt.command
testusername.timeout = opt.timeout
if opt.command != "VRFY" and opt.command != "EXPN" and opt.command != "RCPT" and opt.command != "ALL":
parser.print_help()
print("command must either be 'VRFY', 'EXPN', 'RCPT' or 'ALL'")
sys.exit(1)
try:
ig_targets = cTuples.cInputGenerator(
data=opt.targets,
filename=opt.target_fn,
circle=False,
prepare_cb=cUtil.isUp,
expand_cb=lambda t: cUtil.mkIP2(
t,
ports=[opt.port],
noResolve=True,
),
maxthreads=opt.nthreads)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users],
prep_callback=testusername,
delay=opt.delay)
self.tuples.start()
def ssl_test(args, dbh=None):
parser = argparse.ArgumentParser(
prog=__plgname__,
description="ssl version tester v%f" % __version__,
epilog=
""" Examples:
ssl_tester.plg -t www.curesec.com -maxcon 10
""",
formatter_class=argparse.RawTextHelpFormatter
)
parser.add_argument('-T',
help='file containing urls or ips',
dest='target_fn'
)
parser.add_argument('-t',
help='url or ir',
nargs='+',
dest='target',
default=[]
)
parser.add_argument('-delay',
help='delay in between requests',
dest='delay',
default=0.0,
type=float
)
parser.add_argument('-C',
help='filename of cipher suite list to test against (default cipherlist.txt)',
dest='cipher_fn',
default='cipherlist.txt'
)
parser.add_argument('-port',
help='target port (default 443)',
dest='port',
default=443,
type=int
)
parser.add_argument('-to',
help='Server timeout (default 3s)',
dest='timeout',
type=int,
default=3
)
parser.add_argument('-maxcon',
help='Maximum parallel connections per host (default: unlimited)',
type=int,
default=0,
)
parser.add_argument('-nt',
help='Maximum number of threads to scan with, each host gets a new thread (default 10)',
dest='nthreads',
default=10,
type=int
)
if not args:
parser.print_help()
sys.exit(0)
opt = parser.parse_args(args)
# set global target parameters
cComm.Mark.MAX_CON = opt.maxcon
cComm.Mark.FIX_PORT = opt.port
cComm.Mark.TIMEOUT = opt.timeout
# only use ssl connections no plain http
cComm.Comm.SSL = True
start = datetime.now()
try:
ig_targets = cTuples.cInputGenerator(data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=cUtil.mkIP2,
prepare_cb=prepare_target,
maxthreads=opt.nthreads
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_ciphers = cTuples.cInputGenerator(data=[],
filename=opt.cipher_fn,
prepare_cb=prepare_cb_cipher,
circle=True)
except cTuples.ENoInput:
print 'Error: No Ciphers specified, please use the -C parameter to set a cipher list file'
sys.exit(1)
ig_targets.start()
ig_ciphers.start()
tuples = cTuples.cTuples(inputs=[ig_targets, ig_ciphers],
prep_callback=check_ssl,
maxthreads=opt.nthreads,
delay=opt.delay)
tuples.start()
results = {}
for mark, cs, cipher, sev, version in tuples.tuple_q:
if dbh:
br = ccd.SslInfoResult(
ip=mark.ip,
fqdn=mark.hostname,
port=mark.port,
cs=cs,
)
dbh.add(br)
try:
results[mark.ip + ' / ' + mark.hostname][sev].append(cs)
except:
results[mark.ip + ' / ' + mark.hostname] = {}
results[mark.ip + ' / ' + mark.hostname]['weak'] = []
results[mark.ip + ' / ' + mark.hostname]['medium'] = []
results[mark.ip + ' / ' + mark.hostname]['strong'] = []
tuples.join()
for ip, c in results.items():
print '-' * len(ip)
print ip
print '-' * len(ip)
for cs in c['weak']:
print '\033[91m%s\033[0m' % cs
for cs in c['medium']:
print '\033[93m%s\033[0m' % cs
for cs in c['strong']:
print '\033[92m%s\033[0m' % cs
print
print 'Finished in %f seconds' % cUtil.secs(start)
def __init__(self,
args,
dbhandler=None):
logger.info("Initialising DNS subdomain scanner..")
#FIXME this is bad design. one does not simple initalise an object by
# passing the program arguments ;) we need to parse that in advance
opt = parse(args)
self.dbh = dbhandler
data = []
if opt.bf_length:
allchars = string.letters + string.digits
chars = []
for cs in opt.charsets:
if len(cs) < 3 or cs[1] != '-':
print 'Invalid charset %s' % cs
sys.exit(1)
start = allchars.find(cs[0])
if start < 0:
print 'Invalid charset %s' % cs
sys.exit(1)
stop = allchars.find(cs[2]) + 1
if stop < 1:
print 'Invalid charset %s' % cs
if start > stop:
start, stop = stop, start
chars.extend(allchars[start:stop])
chars.append('')
data = it.imap(lambda t: ''.join(t),
it.product(chars, repeat=opt.bf_length))
try:
if not opt.w:
fnames = []
else:
fnames = [opt.w]
ig_subs = cTuples.cInputGenerator(filenames=fnames,
data=data,
maxthreads=opt.nt,
circle=False,
)
ig_subs.start()
except cTuples.ENoInput:
print 'Please specify a set of subs or a filename containing a sublist'
sys.exit(1)
try:
ig_domains = cTuples.cInputGenerator(filename=opt.T,
data=opt.t,
prepare_cb=check_wildcard,
maxthreads=opt.nt,
circle=True,
)
ig_domains.start()
except cTuples.ENoInput:
print 'Please specify a set of domains or a filename containing a domainlist'
sys.exit(1)
self.tuples = cTuples.cTuples(inputs=[ig_subs, ig_domains],
prep_callback=resolve,
maxthreads=opt.nt,
delay=opt.delay)
self.tuples.start()
expansions[k] = exp.split()
# TODO, thats probably not how its supposed to be handled
for k, v in config.items():
expansions['@' + k] = v
expand.expansions = expansions
cComm.Mark.MAX_CON = opt.maxcon
cComm.Mark.FIX_PORT = opt.port
ig_targets = cTuples.cInputGenerator(data=opt.target,
filename=opt.target_fn,
circle=False,
prepare_cb=cComm.Mark,
maxthreads=opt.nthreads
)
ig_targets.start()
ig_tests = cTuples.cInputGenerator(filename='db_tests',
circle=True,
expand_cb=expand,
maxthreads=opt.nthreads
)
ig_tests.start()
tuples = cTuples.cTuples(inputs=[ig_targets, ig_tests], prep_callback=db_test.test)
tuples.start()
for status, mark, test in tuples.tuple_q:
#print test
if status:
print mark.ident
print test
tuples.join()
def parse(self, args):
description = \
"""### HTTP Basic Authentication Brute Forcer ###
This scripts sends an HTTP request for all combinations of usernames and passwords.
A login attempt is successful if the HTTP staus code of the HTTP reply is not 401.
Be sure to provide a URL which is protected via HTTP Basic Authentication
or you might get lots of false positives. (HTTP/1.1 200 OK)
SSL is supported. Use the -ssl switch
Output of valid credentials in the form [username:password].
Example:
http_basic_bruteforce.plg -t http://url.com:80/priv -u users.txt -p passwords.txt"
"""
parser = argparse.ArgumentParser(description=description, formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('-T',
help='file containing url paths',
dest='target_fn'
)
parser.add_argument('-t',
help='url path which enforces basic auth',
nargs='+',
dest='target',
default=[]
)
parser.add_argument('-port',
help='target port (default 80)',
dest='port',
default=80,
type=int
)
parser.add_argument('-delay',
help='delay in between requests',
dest='delay',
default=0.0,
type=float
)
parser.add_argument('-U',
help='file containing username per line',
default='',
dest='user_fn',
)
parser.add_argument('-u',
help='usernames',
default=[],
nargs='+',
dest='users',
)
parser.add_argument('-P',
help='file containing password per line',
dest='passw_fn',
default='',
)
parser.add_argument('-p',
help='passwords',
default=[],
nargs='+',
dest='passw',
)
parser.add_argument('-to',
help='Server timeout (default 3s)',
dest='timeout',
type=int,
default=3
)
parser.add_argument('-maxcon',
help='Maximum parallel connections per host (default: unlimited)',
type=int,
default=0,
)
parser.add_argument('-nt',
help='Maximum number of threads to scan with, each host gets a new thread',
dest='nthreads',
default=10,
type=int
)
parser.add_argument('-ssl',
help='Force ssl connection',
dest='ssl',
action='store_true',
default=False
)
parser.add_argument('-nossl',
help='Force plain http connection',
dest='nossl',
action='store_true',
default=False
)
if not args:
parser.print_help()
sys.exit(0)
opt = parser.parse_args(args)
cComm.Comm.SSL = opt.ssl
cComm.Comm.NOSSL = opt.nossl
cComm.Mark.MAX_CON = opt.maxcon
cComm.Mark.FIX_PORT = opt.port
cComm.Mark.TIMEOUT = opt.timeout
def prepare_cb(target):
ip = target[0]
ident = ''.join(target[1])
path = '/'
hostname = target[1]
if not isinstance(hostname, str):
try:
hostname = target[1][0]
if len(target[1]) > 1:
path = ''.join(target[1][1:])
except:
hostname = ''
hostname = ''
mark = cComm.Mark(ident,
ip=ip,
hostname=hostname,
path=path,
ok_codes=[401, ])
if mark.test > 0:
return mark
else:
return None
try:
ig_targets = cTuples.cInputGenerator(data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=cUtil.mkIP2,
prepare_cb=prepare_cb,
maxthreads=opt.nthreads
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
prepare_cb=lambda x: x.rstrip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
prepare_cb=lambda x: x.rstrip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw],
prep_callback=brute,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def parse_arguments(self, args):
"""parse all command line arguments"""
parser = argparse.ArgumentParser(
formatter_class=argparse.RawTextHelpFormatter,
prog=__plgname__,
description="Bruteforce pop3 logins",
epilog="""Examples:
popbruteforce.plg -t pop.test.local -u [email protected] -p password
popbruteforce.plg -t pop.test.local -P pass.txt -U user.txt -nt 20
"""
)
parser.add_argument(
"-t",
help="target server address or hostname",
dest='target',
required=True,
)
parser.add_argument(
"-port",
help="port number, use 110 in combination with NOSSL/STARTTLS, 995 with SSL crypto",
dest='port',
type=int,
default=-1,
required=False,
)
parser.add_argument('-delay',
help='delay in between requests',
dest='delay',
default=0.0,
type=float
)
parser.add_argument('-u',
help='usernames',
default=[],
nargs='+',
dest='users',
)
parser.add_argument('-p',
help='passwords',
default=[],
nargs='+',
dest='passw',
)
parser.add_argument('-U',
help='file containing one username per line',
default='',
dest='user_fn',
)
parser.add_argument('-P',
help='file containing one password per line',
default='',
dest='passw_fn',
)
parser.add_argument(
"-c",
help="cryptolayer STARTTLS/SSL/NOSSL (default SSL)",
dest='crypto',
default='SSL'
)
parser.add_argument(
"-nt",
help="thread count",
dest='nthreads',
type=int,
default=1,
required=False,
)
if not args:
parser.print_help()
sys.exit(1)
arguments, _ = parser.parse_known_args(args)
typ = cUtil.getTargetType(arguments.target)
if typ == cUtil.TTYPE.DOMAIN:
self.host = socket.gethostbyname(arguments.target)
self.fqdn = arguments.target
elif typ == cUtil.TTYPE.IP:
self.host = arguments.target
self.fqdn = ''
else:
print 'Invalid Target %s' % arguments.target
self.port = arguments.port
if (arguments.crypto):
self.cryptolayer = str(arguments.crypto.upper())
if self.port < 0:
if self.cryptolayer == 'SSL':
self.port = 995
else:
self.port = 110
test.port = self.port
test.host = self.host
test.cryptolayer = self.cryptolayer
try:
ig_users = cTuples.cInputGenerator(data=arguments.users,
filename=arguments.user_fn,
expand_cb=test,
prepare_cb=lambda x: x.strip(),
maxthreads=arguments.nthreads,
circle=False)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=arguments.passw,
filename=arguments.passw_fn,
prepare_cb=lambda x: x.strip(),
maxthreads=arguments.nthreads,
circle=True)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_users, ig_passw], prep_callback=brute, delay=arguments.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
opt = parse(args)
global tls_versions
tls_versions = opt.tlsv
hb_test.OUTDIR = opt.outdir
hb_test.TIMEOUT = opt.to
try:
hb_test.OUTDIR = os.path.join(__builtin__.openhome.base_dir, hb_test.OUTDIR)
except:
pass
if not os.path.exists(hb_test.OUTDIR):
os.makedirs(hb_test.OUTDIR)
else:
logger.info('%s directory already exists' % hb_test.OUTDIR)
# check access permissions
if not os.access(hb_test.OUTDIR, os.R_OK):
print 'Error %s not readable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.W_OK):
print 'Error %s not writable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.X_OK):
print 'Error %s not executable' % hb_test.OUTDIR
sys.exit(1)
start = datetime.now()
ig_targets = cTuples.cInputGenerator(data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=opt.ports,
noSplit=True,
noResolve=False),
maxthreads=opt.nthreads
)
ig_targets.start()
tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=hb_test,
maxthreads=opt.nthreads,
delay=opt.delay)
tuples.start()
n = 0
n_vuln = 0
n_notvuln = 0
n_down = 0
timestamp = time.strftime("%Y-%m-%d_%H:%M:%S")
fd_vuln = open(os.path.join(hb_test.OUTDIR, 'vulnerable_%s' % timestamp), 'w')
fd_notvuln = open(os.path.join(hb_test.OUTDIR, 'not_vulnerable_%s' % timestamp), 'w')
fd_down = open(os.path.join(hb_test.OUTDIR, 'down_%s' % timestamp), 'w')
fmt = '{:60}{:<20}'
print
print 'Started scan for CVE-2014-0160'
print 'Testing ports: %s' % ', '.join(map(str, opt.ports))
print 'Testing tls versions: %s' % ', '.join(map(str, opt.tlsv))
print
print '-' * 80
print
for vulnerable, target, hostname, fn, sample, errors in tuples.tuple_q:
n += 1
if vulnerable in opt.tlsv:
if dbh:
br = ccd.HeartbleedResult(
ip=target[0],
fqdn=hostname,
port=target[1],
sample=grep_ascii(sample),
risk=9,
tlsv=vulnerable,
)
dbh.add(br)
if not hostname:
hostname = target[0]
n_vuln += 1
fd_vuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_vuln.write('Warning: errors occured -> %s\n' % ', '.join(errors))
fd_vuln.flush()
if errors:
print fmt.format('\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format('\033[91m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\t%d bytes stored in %s' % (len(sample), fn)
elif vulnerable == 'NOT_VULN':
if dbh:
br = ccd.HeartbleedResult_NV(
ip=target[0],
fqdn=hostname,
port=target[1],
risk=0,
tlsv='-'
)
dbh.add(br)
if not hostname:
hostname = target[0]
n_notvuln += 1
fd_notvuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_notvuln.write('\nWarning: errors occured -> %s' % ', '.join(errors))
fd_notvuln.flush()
if errors:
print fmt.format('\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format('\033[92m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
elif vulnerable == 'DOWN':
n_down += 1
fd_down.write('%s:%d\n' % (hostname, target[1]))
fd_down.flush()
tuples.join()
print
print '-' * 80
print
print 'Finished scan in %f seconds' % cUtil.secs(start)
print
print '%d targets tested' % n
print '%d targets found vulnerable (see %s)' % (n_vuln, fd_vuln.name)
print '%d targets found not vulnerable (see %s)' % (n_notvuln, fd_notvuln.name)
print '%d targets were down (see %s)' % (n_down, fd_down.name)
fd_vuln.close()
fd_notvuln.close()
fd_down.close()
def parse(self, args):
description = \
"""### HTTP Basic Authentication Brute Forcer ###
This scripts sends an HTTP request for all combinations of usernames and passwords.
A login attempt is successful if the HTTP staus code of the HTTP reply is not 401.
Be sure to provide a URL which is protected via HTTP Basic Authentication
or you might get lots of false positives. (HTTP/1.1 200 OK)
SSL is supported. Use the -ssl switch
Output of valid credentials in the form [username:password].
Example:
http_basic_bruteforce.plg -t http://url.com:80/priv -u users.txt -p passwords.txt"
"""
parser = argparse.ArgumentParser(
description=description,
formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('-T',
help='file containing url paths',
dest='target_fn')
parser.add_argument('-t',
help='url path which enforces basic auth',
nargs='+',
dest='target',
default=[])
parser.add_argument('-port',
help='target port (default 80)',
dest='port',
default=80,
type=int)
parser.add_argument('-delay',
help='delay in between requests',
dest='delay',
default=0.0,
type=float)
parser.add_argument(
'-U',
help='file containing username per line',
default='',
dest='user_fn',
)
parser.add_argument(
'-u',
help='usernames',
default=[],
nargs='+',
dest='users',
)
parser.add_argument(
'-P',
help='file containing password per line',
dest='passw_fn',
default='',
)
parser.add_argument(
'-p',
help='passwords',
default=[],
nargs='+',
dest='passw',
)
parser.add_argument('-to',
help='Server timeout (default 3s)',
dest='timeout',
type=int,
default=3)
parser.add_argument(
'-maxcon',
help='Maximum parallel connections per host (default: unlimited)',
type=int,
default=0,
)
parser.add_argument(
'-nt',
help=
'Maximum number of threads to scan with, each host gets a new thread',
dest='nthreads',
default=10,
type=int)
parser.add_argument('-ssl',
help='Force ssl connection',
dest='ssl',
action='store_true',
default=False)
parser.add_argument('-nossl',
help='Force plain http connection',
dest='nossl',
action='store_true',
default=False)
if not args:
parser.print_help()
sys.exit(0)
opt = parser.parse_args(args)
cComm.Comm.SSL = opt.ssl
cComm.Comm.NOSSL = opt.nossl
cComm.Mark.MAX_CON = opt.maxcon
cComm.Mark.FIX_PORT = opt.port
cComm.Mark.TIMEOUT = opt.timeout
def prepare_cb(target):
ip = target[0]
ident = ''.join(target[1])
path = '/'
hostname = target[1]
if not isinstance(hostname, str):
try:
hostname = target[1][0]
if len(target[1]) > 1:
path = ''.join(target[1][1:])
except:
hostname = ''
hostname = ''
mark = cComm.Mark(ident,
ip=ip,
hostname=hostname,
path=path,
ok_codes=[
401,
])
if mark.test > 0:
return mark
else:
return None
try:
ig_targets = cTuples.cInputGenerator(data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=cUtil.mkIP2,
prepare_cb=prepare_cb,
maxthreads=opt.nthreads)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
prepare_cb=lambda x: x.rstrip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
prepare_cb=lambda x: x.rstrip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw],
prep_callback=brute,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
opt = parse(args)
global tls_versions
tls_versions = opt.tlsv
hb_test.OUTDIR = opt.outdir
hb_test.TIMEOUT = opt.to
try:
hb_test.OUTDIR = os.path.join(__builtin__.openhome.base_dir,
hb_test.OUTDIR)
except:
pass
if not os.path.exists(hb_test.OUTDIR):
os.makedirs(hb_test.OUTDIR)
else:
logger.info('%s directory already exists' % hb_test.OUTDIR)
# check access permissions
if not os.access(hb_test.OUTDIR, os.R_OK):
print 'Error %s not readable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.W_OK):
print 'Error %s not writable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.X_OK):
print 'Error %s not executable' % hb_test.OUTDIR
sys.exit(1)
start = datetime.now()
ig_targets = cTuples.cInputGenerator(
data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(
t, ports=opt.ports, noSplit=True, noResolve=False),
maxthreads=opt.nthreads)
ig_targets.start()
tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=hb_test,
maxthreads=opt.nthreads,
delay=opt.delay)
tuples.start()
n = 0
n_vuln = 0
n_notvuln = 0
n_down = 0
timestamp = time.strftime("%Y-%m-%d_%H:%M:%S")
fd_vuln = open(
os.path.join(hb_test.OUTDIR, 'vulnerable_%s' % timestamp), 'w')
fd_notvuln = open(
os.path.join(hb_test.OUTDIR, 'not_vulnerable_%s' % timestamp), 'w')
fd_down = open(os.path.join(hb_test.OUTDIR, 'down_%s' % timestamp),
'w')
fmt = '{:60}{:<20}'
print
print 'Started scan for CVE-2014-0160'
print 'Testing ports: %s' % ', '.join(map(str, opt.ports))
print 'Testing tls versions: %s' % ', '.join(map(str, opt.tlsv))
print
print '-' * 80
print
for vulnerable, target, hostname, fn, sample, errors in tuples.tuple_q:
n += 1
if vulnerable in opt.tlsv:
if dbh:
br = ccd.HeartbleedResult(
ip=target[0],
fqdn=hostname,
port=target[1],
sample=grep_ascii(sample),
risk=9,
tlsv=vulnerable,
)
dbh.add(br)
if not hostname:
hostname = target[0]
n_vuln += 1
fd_vuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_vuln.write('Warning: errors occured -> %s\n' %
', '.join(errors))
fd_vuln.flush()
if errors:
print fmt.format(
'\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format(
'\033[91m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\t%d bytes stored in %s' % (len(sample), fn)
elif vulnerable == 'NOT_VULN':
if dbh:
br = ccd.HeartbleedResult_NV(ip=target[0],
fqdn=hostname,
port=target[1],
risk=0,
tlsv='-')
dbh.add(br)
if not hostname:
hostname = target[0]
n_notvuln += 1
fd_notvuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_notvuln.write('\nWarning: errors occured -> %s' %
', '.join(errors))
fd_notvuln.flush()
if errors:
print fmt.format(
'\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format(
'\033[92m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
elif vulnerable == 'DOWN':
n_down += 1
fd_down.write('%s:%d\n' % (hostname, target[1]))
fd_down.flush()
tuples.join()
print
print '-' * 80
print
print 'Finished scan in %f seconds' % cUtil.secs(start)
print
print '%d targets tested' % n
print '%d targets found vulnerable (see %s)' % (n_vuln, fd_vuln.name)
print '%d targets found not vulnerable (see %s)' % (n_notvuln,
fd_notvuln.name)
print '%d targets were down (see %s)' % (n_down, fd_down.name)
fd_vuln.close()
fd_notvuln.close()
fd_down.close()