def resolve(self):
""" start resolve """
start_time = datetime.now()
print 'Subdomain scan started'
fmt = "{:60}{:20}"
print
print fmt.format('fqdn', 'ip')
print '-' * 80
for success, hostname, ip in self.tuples.tuple_q:
if success:
print fmt.format(hostname, ip)
if self.dbh:
self.dbh.add(ccd.DnsscanResult(ip=ip, fqdn=hostname))
self.tuples.join()
while True:
try:
dom = check_wildcard.wc_hosts.get(False, 0.1)
print 'Wildcard enabled: %s' % dom
except Queue.Empty:
break
print("\nfinished in %fs" % cUtil.secs(start_time))
def start(self):
start_time = datetime.now()
print 'Bruteforcing http_basic logins ...'
row_fmt = '{:20}{:20}{:>40}'
print '-' * 80
print row_fmt.format('username', 'password', 'uri')
print '-' * 80
#time.sleep(10)
for status, user, passw, mark in self.tuples.tuple_q:
if status != 401:
print(row_fmt.format(passw, user, mark.hostname + mark.path))
# now, store result entry in data
if self.dbhandler:
br = ccd.HttpBruteforceResult(
ip=mark.ip,
fqdn=mark.hostname,
path=mark.path,
port=mark.port,
user=user,
password=passw,
)
self.dbhandler.add(br)
self.tuples.join()
print '-' * 80
print 'Finished in %f seconds' % cUtil.secs(start_time)
def start(self):
start = datetime.now()
row_fmt = "{:>9}{:>8}{:>8}{:>8}{:>16}"
for ip, port, reply in self.tuples.tuple_q:
print '-' * len(ip)
print ip
print '-' * len(ip)
print row_fmt.format('program', 'vers', 'proto', 'port', 'service')
print ''
for program in reply:
print row_fmt.format(
str(program[0]),
str(program[1]),
cRpc.RPROTO[str(program[2])],
str(program[3]),
str(program[4])
)
if self.dbh:
br = ccd.RpcinfoResult(
ip=ip,
port=int(program[3]),
program=program[4],
program_id=int(program[0]),
version=int(program[1]),
protocol=cRpc.RPROTO[str(program[2])],
)
self.dbh.add(br)
print 'Finished in %f seconds' % cUtil.secs(start)
def start(self):
start = datetime.now()
row_fmt = "{:>9}{:>8}{:>8}{:>8}{:>16}"
for ip, port, reply in self.tuples.tuple_q:
print '-' * len(ip)
print ip
print '-' * len(ip)
print row_fmt.format('program', 'vers', 'proto', 'port', 'service')
print ''
for program in reply:
print row_fmt.format(str(program[0]), str(program[1]),
cRpc.RPROTO[str(program[2])],
str(program[3]), str(program[4]))
if self.dbh:
br = ccd.RpcinfoResult(
ip=ip,
port=int(program[3]),
program=program[4],
program_id=int(program[0]),
version=int(program[1]),
protocol=cRpc.RPROTO[str(program[2])],
)
self.dbh.add(br)
print 'Finished in %f seconds' % cUtil.secs(start)
def scan(self):
start = datetime.now()
# read robots.txt
self.read_robots()
self.out_q = Queue.Queue()
self.tasks_waiting = 0
for path in self.known_paths:
self.make_new_paths(path, 1)
self.threads = [
DirWorker(self.in_q, self.out_q, self.base_url, self.wait)
for _ in range(self.nthreads)
]
for t in self.threads:
t.setDaemon(True)
t.start()
self._printResults()
print '-' * 80
print 'Finished in %fseconds' % cUtil.secs(start)
def start(self):
start_time = datetime.now()
print 'Bruteforcing http_basic logins ...'
row_fmt = '{:20}{:20}{:>40}'
print '-' * 80
print row_fmt.format('username', 'password', 'uri')
print '-' * 80
#time.sleep(10)
for status, user, passw, mark in self.tuples.tuple_q:
if status != 401:
print(row_fmt.format(passw, user, mark.hostname + mark.path))
# now, store result entry in data
if self.dbhandler:
br = ccd.HttpBruteforceResult(
ip=mark.ip,
fqdn=mark.hostname,
path=mark.path,
port=mark.port,
user=user,
password=passw,
)
self.dbhandler.add(br)
self.tuples.join()
print '-' * 80
print 'Finished in %f seconds' % cUtil.secs(start_time)
def scan(self):
self.results = {}
start = datetime.now()
self.tuples = cTuples.cTuples(inputs=[self.ig_targets, self.ig_tests], prep_callback=db_test.test)
#self.tuples.setDaemon(True)
self.tuples.start()
self.ig_tests.start()
self.ig_targets.start()
for status, mark, result in self.tuples.tuple_q:
if status:
try:
self.results[mark.ident].append(result)
except KeyError:
self.results[mark.ident] = []
self.results[mark.ident].append(result)
self._add_mark(mark)
message, nikto_id, request, response, osvdb, method, uri = result
self._add_vulnerability(
mark,
message,
nikto_id,
request,
response,
osvdb,
method,
uri
)
self.tuples.join()
print 'Finished in %f seconds' % cUtil.secs(start)
def resolve(self):
""" start resolve """
start_time = datetime.now()
print 'Subdomain scan started'
fmt = "{:60}{:20}"
print
print fmt.format('fqdn', 'ip')
print '-' * 80
for success, hostname, ip in self.tuples.tuple_q:
if success:
print fmt.format(hostname, ip)
if self.dbh:
self.dbh.add(ccd.DnsscanResult(
ip=ip,
fqdn=hostname)
)
self.tuples.join()
while True:
try:
dom = check_wildcard.wc_hosts.get(False, 0.1)
print 'Wildcard enabled: %s' % dom
except Queue.Empty:
break
print("\nfinished in %fs" % cUtil.secs(start_time))
def start(self):
start_time = datetime.now()
print 'Pop bruteforce started'
print '-' * 80
print 'Logins'
print '-' * 80
row_fmt = "{:20}{:20}{:>40}"
for username, password in self.tuples.tuple_q:
print row_fmt.format(password, username, self.host + ':' + str(self.port), '')
self.save_result(username, password)
self.tuples.join()
print("\nfinished in %fs" % cUtil.secs(start_time))
def resolve(self):
""" Create threads, set up task queue and start resolving. """
logger.debug("Starting resolve")
start_time = datetime.now()
fmt = '{:20}{:60}'
for ip, hostname in self.tuples.tuple_q:
print fmt.format(ip, hostname)
if self.dbh:
self.dbh.add(ccd.DnsscanResult(ip=ip, fqdn=hostname))
self.tuples.join()
print("\nfinished in %fs" % cUtil.secs(start_time))
def start(self):
start_time = datetime.now()
for target, username in self.tuples.tuple_q:
print('Found user %s@%s:%d' %
(username, target[0], int(target[1])))
# now, store result entry in data
if self.dbhandler:
br = ccd.SmtpUserEnumResult(ip=target[0],
port=int(target[1]),
username=username,
command=testusername.command)
self.dbhandler.add(br)
self.tuples.join()
print("\nfinished in %fs" % cUtil.secs(start_time))
def transfer(self):
print 'Starting Zonetransfers'
start = datetime.now()
ntrans = 0
nfailed = 0
failed = []
for success, zone, tr in self.tuples.tuple_q:
if success:
ntrans += 1
for server, data in tr.items():
print
print '-' * 80
print 'Answer from server %s for zone %s' % (server, zone)
print '-' * 80
for rr in data:
print "%(domainame)s\t%(ttl)d\t%(rclass)s\t%(rtype)s\t%(rdata)s" % rr
if self.dbh:
try:
r = ccd.DnsRecordResult(
domainame=rr['domainame'],
ttl=rr['ttl'],
rclass=rr['rclass'],
rtype=rr['rtype'],
rdata=rr['rdata']
)
self.dbh.add(r)
except Exception as e:
print e
else:
nfailed += 1
failed.append(zone + ': ' + repr(tr))
print '-' * 80
print "finished in %fs" % cUtil.secs(start)
print
print "Transfer succeded on %d zones" % ntrans
print "Transfer failed on %d zones" % nfailed
if failed:
out_failed_fn = 'failed_zonetransfer_' + time.strftime("%Y_%m_%d_%H_%M_%S")
with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd:
out_failed_fd.write('\n'.join(failed))
out_failed_fd.flush()
print "\tsee %s" % out_failed_fd.name
print
def transfer(self):
print 'Starting Zonetransfers'
start = datetime.now()
ntrans = 0
nfailed = 0
failed = []
for success, zone, tr in self.tuples.tuple_q:
if success:
ntrans += 1
for server, data in tr.items():
print
print '-' * 80
print 'Answer from server %s for zone %s' % (server, zone)
print '-' * 80
for rr in data:
print "%(domainame)s\t%(ttl)d\t%(rclass)s\t%(rtype)s\t%(rdata)s" % rr
if self.dbh:
try:
r = ccd.DnsRecordResult(
domainame=rr['domainame'],
ttl=rr['ttl'],
rclass=rr['rclass'],
rtype=rr['rtype'],
rdata=rr['rdata'])
self.dbh.add(r)
except Exception as e:
print e
else:
nfailed += 1
failed.append(zone + ': ' + repr(tr))
print '-' * 80
print "finished in %fs" % cUtil.secs(start)
print
print "Transfer succeded on %d zones" % ntrans
print "Transfer failed on %d zones" % nfailed
if failed:
out_failed_fn = 'failed_zonetransfer_' + time.strftime(
"%Y_%m_%d_%H_%M_%S")
with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd:
out_failed_fd.write('\n'.join(failed))
out_failed_fd.flush()
print "\tsee %s" % out_failed_fd.name
print
def getversion(self):
start = datetime.now()
print 'Getting Bind versions ...'
for ip, hostname, port, bindversion in self.tuples.tuple_q:
print '%s\t%s' % (hostname or ip, bindversion)
if self.dbh:
r = ccd.DnsVersionResult(
ip=ip,
fqdn=hostname,
port=port,
bindversion=bindversion
)
self.dbh.add(r)
self.tuples.join()
print
print 'Plugin finished in %f seconds' % cUtil.secs(start)
def resolve(self):
""" start resolve """
logger.info("Starting %s", __plgname__)
start_time = datetime.now()
print "Starting reverse lookup"
print '-' * 80
fmt = '{:20}{:>60}'
nresolved = 0
nfailed = 0
ips_failed = []
for success, ip, hostname in self.tuples.tuple_q:
if success:
nresolved += 1
print fmt.format(ip, hostname)
if self.dbh:
self.dbh.add(ccd.DnsscanResult(
ip=ip,
fqdn=hostname)
)
else:
nfailed += 1
ips_failed.append(ip)
self.tuples.join()
print '-' * 80
print "finished in %fs" % cUtil.secs(start_time)
print
print "resolved %d ips" % nresolved
print "failed to resolve %d ips" % nfailed
if ips_failed:
out_failed_fn = 'failed_resolve_' + time.strftime("%Y_%m_%d_%H_%M_%S")
if not hasattr(__builtin__, 'openhome'):
__builtin__.openhome = open
with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd:
out_failed_fd.write('\n'.join(ips_failed))
out_failed_fd.flush()
print "\tsee %s" % out_failed_fd.name
print
def resolve(self):
""" Create threads, set up task queue and start resolving. """
logger.debug("Starting resolve")
start_time = datetime.now()
fmt = '{:20}{:60}'
for ip, hostname in self.tuples.tuple_q:
print fmt.format(ip, hostname)
if self.dbh:
self.dbh.add(ccd.DnsscanResult(
ip=ip,
fqdn=hostname)
)
self.tuples.join()
print("\nfinished in %fs" % cUtil.secs(start_time))
def start(self):
""" Do the thing """
start_time = datetime.now()
row_fmt = "{:30} {:30} {:30}"
print 'Bruteforcing Telnet logins ...'
print '-' * 80
print row_fmt.format('password', 'username', 'server')
print '-' * 80
for status, username, password, host, port in self.tuples.tuple_q:
if status:
print row_fmt.format(password, username, host + ':' + str(port))
if self.dbh:
ip = ''
fqdn = ''
typ = cUtil.getTargetType(host)
if typ == cUtil.TTYPE.IP:
ip = host
if typ == cUtil.TTYPE.DOMAIN:
fqdn = host
br = ccd.BruteforceResult(
ip=ip,
fqdn=fqdn,
port=int(port),
username=username,
password=password,
service='telnet',
)
self.dbh.add(br)
#br = ccd.TelnetBruteforceResult(
# host=host,
# port=int(port),
# user=username,
# password=password,
#)
#self.dbh.add(br)
self.tuples.join()
print '-' * 80
print "Finished in %fs" % cUtil.secs(start_time)
def start(self):
start_time = datetime.now()
for target, username in self.tuples.tuple_q:
print('Found user %s@%s:%d' %
(username, target[0], int(target[1])))
# now, store result entry in data
if self.dbhandler:
br = ccd.SmtpUserEnumResult(
ip=target[0],
port=int(target[1]),
username=username,
command=testusername.command
)
self.dbhandler.add(br)
self.tuples.join()
print("\nfinished in %fs" % cUtil.secs(start_time))
def resolve(self):
""" start resolve """
logger.info("Starting %s", __plgname__)
start_time = datetime.now()
print "Starting resolve"
print '-' * 80
fmt = "{:65}{:>15}"
nresolved = 0
nfailed = 0
hn_failed = []
for success, hostname, ip in self.tuples.tuple_q:
if success:
nresolved += 1
print fmt.format(hostname, ip)
if self.dbh:
self.dbh.add(ccd.DnsscanResult(
ip=ip,
fqdn=hostname)
)
else:
nfailed += 1
hn_failed.append(hostname)
self.tuples.join()
print '-' * 80
print "finished in %fs" % cUtil.secs(start_time)
print
print "resolved %d hostnames" % nresolved
print "failed to resolve %d hostnames" % nfailed
if hn_failed:
out_failed_fn = 'failed_resolve_' + time.strftime("%Y_%m_%d_%H_%M_%S")
with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd:
out_failed_fd.write('\n'.join(hn_failed))
out_failed_fd.flush()
print "\tsee %s" % out_failed_fd.name
print
def resolve(self):
""" start resolve """
logger.info("Starting %s", __plgname__)
start_time = datetime.now()
print "Starting reverse lookup"
print '-' * 80
fmt = '{:20}{:>60}'
nresolved = 0
nfailed = 0
ips_failed = []
for success, ip, hostname in self.tuples.tuple_q:
if success:
nresolved += 1
print fmt.format(ip, hostname)
if self.dbh:
self.dbh.add(ccd.DnsscanResult(ip=ip, fqdn=hostname))
else:
nfailed += 1
ips_failed.append(ip)
self.tuples.join()
print '-' * 80
print "finished in %fs" % cUtil.secs(start_time)
print
print "resolved %d ips" % nresolved
print "failed to resolve %d ips" % nfailed
if ips_failed:
out_failed_fn = 'failed_resolve_' + time.strftime(
"%Y_%m_%d_%H_%M_%S")
if not hasattr(__builtin__, 'openhome'):
__builtin__.openhome = open
with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd:
out_failed_fd.write('\n'.join(ips_failed))
out_failed_fd.flush()
print "\tsee %s" % out_failed_fd.name
print
def test_user(target, delay, user): # target, u, delay, pwlen):
logger.info('testing delay for user %s' % user)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
p = None
try:
s.connect(target)
logger.info('connected to ' + repr(target))
p = paramiko.Transport(s)
#p.local_version = cUtil.ssh_version.next()
p.connect(username=user)
start = datetime.now()
try:
p.auth_password(user, test_user.pw)
except:
pass
stop = cUtil.secs(start)
logger.info('Delay for user %s: %f' % (user, stop))
return stop
except Exception, e:
logger.warning(e)
raise
def test_user(target, delay, user): # target, u, delay, pwlen):
logger.info('testing delay for user %s' % user)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
p = None
try:
s.connect(target)
logger.info('connected to ' + repr(target))
p = paramiko.Transport(s)
#p.local_version = cUtil.ssh_version.next()
p.connect(username=user)
start = datetime.now()
try:
p.auth_password(user, test_user.pw)
except:
pass
stop = cUtil.secs(start)
logger.info('Delay for user %s: %f' % (user, stop))
return stop
except Exception, e:
logger.warning(e)
raise
def resolve(self):
""" start resolve """
logger.info("Starting %s", __plgname__)
print 'Starting mass dns resolve'
start_time = datetime.now()
fmt = "{:60}{:20}"
for success, hostname, ip in self.tuples.tuple_q:
if success:
print fmt.format(hostname, ip)
if self.dbh:
self.dbh.add(ccd.DnsscanResult(
ip=ip,
fqdn=hostname)
)
self.tuples.join()
print("\nfinished in %fs" % cUtil.secs(start_time))
def resolve(self):
""" start resolve """
logger.info("Starting %s", __plgname__)
start_time = datetime.now()
print "Starting resolve"
print '-' * 80
fmt = "{:65}{:>15}"
nresolved = 0
nfailed = 0
hn_failed = []
for success, hostname, ip in self.tuples.tuple_q:
if success:
nresolved += 1
print fmt.format(hostname, ip)
if self.dbh:
self.dbh.add(ccd.DnsscanResult(ip=ip, fqdn=hostname))
else:
nfailed += 1
hn_failed.append(hostname)
self.tuples.join()
print '-' * 80
print "finished in %fs" % cUtil.secs(start_time)
print
print "resolved %d hostnames" % nresolved
print "failed to resolve %d hostnames" % nfailed
if hn_failed:
out_failed_fn = 'failed_resolve_' + time.strftime(
"%Y_%m_%d_%H_%M_%S")
with __builtin__.openhome(out_failed_fn, 'w') as out_failed_fd:
out_failed_fd.write('\n'.join(hn_failed))
out_failed_fd.flush()
print "\tsee %s" % out_failed_fd.name
print
def start(self):
start = datetime.now()
row_fmt = '{:30}{:}'
for ip, port, dirs in self.tuples.tuple_q:
if dirs:
print '\nExport list for %s:' % ip
for d in dirs:
groups = d[1]
for client in groups:
print row_fmt.format(d[0], client)
if self.dbh:
br = ccd.ShowmountResult(
ip=ip,
port=port,
export=d[0],
client=client,
)
self.dbh.add(br)
print 'Finished in %f seconds' % cUtil.secs(start)
def scan(self):
start = datetime.now()
# read robots.txt
self.read_robots()
self.out_q = Queue.Queue()
self.tasks_waiting = 0
for path in self.known_paths:
self.make_new_paths(path, 1)
self.threads = [DirWorker(self.in_q, self.out_q, self.base_url, self.wait)
for _ in range(self.nthreads)]
for t in self.threads:
t.setDaemon(True)
t.start()
self._printResults()
print '-' * 80
print 'Finished in %fseconds' % cUtil.secs(start)
def start(self):
""" Do the thing """
start_time = datetime.now()
row_fmt = "{:30} {:30} {:30} | {:30}"
for username, password, host, port, status in self.tuples.tuple_q:
if status:
print row_fmt.format(password, username,
host + ':' + str(port), '')
if self.dbh:
ip = ''
fqdn = ''
typ = cUtil.getTargetType(host)
if typ == cUtil.TTYPE.IP:
ip = host
if typ == cUtil.TTYPE.DOMAIN:
fqdn = host
br = ccd.BruteforceResult(
ip=ip,
fqdn=fqdn,
port=int(port),
username=username,
password=password,
service='mysql',
)
#br = ccd.MysqlBruteforceResult(
# host=host,
# port=int(port),
# user=username,
# password=password,
#)
self.dbh.add(br)
self.tuples.join()
print("\nfinished in %fs" % cUtil.secs(start_time))
def start(self):
""" Do the thing """
start_time = datetime.now()
row_fmt = "{:30}{:30}{:}"
for username, password, target in self.tuples.tuple_q:
print row_fmt.format(password, username,
target[0] + ':' + str(target[1]), '')
if self.dbhandler:
host, port = target
ip = ''
fqdn = ''
typ = cUtil.getTargetType(host)
if typ == cUtil.TTYPE.IP:
ip = host
if typ == cUtil.TTYPE.DOMAIN:
fqdn = host
br = ccd.BruteforceResult(
ip=ip,
fqdn=fqdn,
port=int(port),
username=username,
password=password,
service='ssh',
)
#br = ccd.SshBruteforceResult(
# host=target[0],
# port=int(target[1]),
# user=username,
# password=password,
#)
self.dbhandler.add(br)
self.tuples.join()
print("\nfinished in %fs" % cUtil.secs(start_time))
def start(self):
""" Do the thing """
start_time = datetime.now()
row_fmt = "{:30}{:30}{:}"
for username, password, target in self.tuples.tuple_q:
print row_fmt.format(password, username, target[0] + ':' + str(target[1]), '')
if self.dbhandler:
host, port = target
ip = ''
fqdn = ''
typ = cUtil.getTargetType(host)
if typ == cUtil.TTYPE.IP:
ip = host
if typ == cUtil.TTYPE.DOMAIN:
fqdn = host
br = ccd.BruteforceResult(
ip=ip,
fqdn=fqdn,
port=int(port),
username=username,
password=password,
service='ssh',
)
#br = ccd.SshBruteforceResult(
# host=target[0],
# port=int(target[1]),
# user=username,
# password=password,
#)
self.dbhandler.add(br)
self.tuples.join()
print("\nfinished in %fs" % cUtil.secs(start_time))
def __init__(self, args, dbh=None):
opt = parse(args)
global tls_versions
tls_versions = opt.tlsv
hb_test.OUTDIR = opt.outdir
hb_test.TIMEOUT = opt.to
try:
hb_test.OUTDIR = os.path.join(__builtin__.openhome.base_dir,
hb_test.OUTDIR)
except:
pass
if not os.path.exists(hb_test.OUTDIR):
os.makedirs(hb_test.OUTDIR)
else:
logger.info('%s directory already exists' % hb_test.OUTDIR)
# check access permissions
if not os.access(hb_test.OUTDIR, os.R_OK):
print 'Error %s not readable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.W_OK):
print 'Error %s not writable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.X_OK):
print 'Error %s not executable' % hb_test.OUTDIR
sys.exit(1)
start = datetime.now()
ig_targets = cTuples.cInputGenerator(
data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(
t, ports=opt.ports, noSplit=True, noResolve=False),
maxthreads=opt.nthreads)
ig_targets.start()
tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=hb_test,
maxthreads=opt.nthreads,
delay=opt.delay)
tuples.start()
n = 0
n_vuln = 0
n_notvuln = 0
n_down = 0
timestamp = time.strftime("%Y-%m-%d_%H:%M:%S")
fd_vuln = open(
os.path.join(hb_test.OUTDIR, 'vulnerable_%s' % timestamp), 'w')
fd_notvuln = open(
os.path.join(hb_test.OUTDIR, 'not_vulnerable_%s' % timestamp), 'w')
fd_down = open(os.path.join(hb_test.OUTDIR, 'down_%s' % timestamp),
'w')
fmt = '{:60}{:<20}'
print
print 'Started scan for CVE-2014-0160'
print 'Testing ports: %s' % ', '.join(map(str, opt.ports))
print 'Testing tls versions: %s' % ', '.join(map(str, opt.tlsv))
print
print '-' * 80
print
for vulnerable, target, hostname, fn, sample, errors in tuples.tuple_q:
n += 1
if vulnerable in opt.tlsv:
if dbh:
br = ccd.HeartbleedResult(
ip=target[0],
fqdn=hostname,
port=target[1],
sample=grep_ascii(sample),
risk=9,
tlsv=vulnerable,
)
dbh.add(br)
if not hostname:
hostname = target[0]
n_vuln += 1
fd_vuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_vuln.write('Warning: errors occured -> %s\n' %
', '.join(errors))
fd_vuln.flush()
if errors:
print fmt.format(
'\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format(
'\033[91m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\t%d bytes stored in %s' % (len(sample), fn)
elif vulnerable == 'NOT_VULN':
if dbh:
br = ccd.HeartbleedResult_NV(ip=target[0],
fqdn=hostname,
port=target[1],
risk=0,
tlsv='-')
dbh.add(br)
if not hostname:
hostname = target[0]
n_notvuln += 1
fd_notvuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_notvuln.write('\nWarning: errors occured -> %s' %
', '.join(errors))
fd_notvuln.flush()
if errors:
print fmt.format(
'\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format(
'\033[92m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
elif vulnerable == 'DOWN':
n_down += 1
fd_down.write('%s:%d\n' % (hostname, target[1]))
fd_down.flush()
tuples.join()
print
print '-' * 80
print
print 'Finished scan in %f seconds' % cUtil.secs(start)
print
print '%d targets tested' % n
print '%d targets found vulnerable (see %s)' % (n_vuln, fd_vuln.name)
print '%d targets found not vulnerable (see %s)' % (n_notvuln,
fd_notvuln.name)
print '%d targets were down (see %s)' % (n_down, fd_down.name)
fd_vuln.close()
fd_notvuln.close()
fd_down.close()
def ssl_test(args, dbh=None):
parser = argparse.ArgumentParser(
prog=__plgname__,
description="ssl version tester v%f" % __version__,
epilog=""" Examples:
ssl_tester.plg -t www.curesec.com -maxcon 10
""",
formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('-T',
help='file containing urls or ips',
dest='target_fn')
parser.add_argument('-t',
help='url or ir',
nargs='+',
dest='target',
default=[])
parser.add_argument('-delay',
help='delay in between requests',
dest='delay',
default=0.0,
type=float)
parser.add_argument(
'-C',
help=
'filename of cipher suite list to test against (default cipherlist.txt)',
dest='cipher_fn',
default='cipherlist.txt')
parser.add_argument('-port',
help='target port (default 443)',
dest='port',
default=443,
type=int)
parser.add_argument('-to',
help='Server timeout (default 3s)',
dest='timeout',
type=int,
default=3)
parser.add_argument(
'-maxcon',
help='Maximum parallel connections per host (default: unlimited)',
type=int,
default=0,
)
parser.add_argument(
'-nt',
help=
'Maximum number of threads to scan with, each host gets a new thread (default 10)',
dest='nthreads',
default=10,
type=int)
if not args:
parser.print_help()
sys.exit(0)
opt = parser.parse_args(args)
# set global target parameters
cComm.Mark.MAX_CON = opt.maxcon
cComm.Mark.FIX_PORT = opt.port
cComm.Mark.TIMEOUT = opt.timeout
# only use ssl connections no plain http
cComm.Comm.SSL = True
start = datetime.now()
try:
ig_targets = cTuples.cInputGenerator(data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=cUtil.mkIP2,
prepare_cb=prepare_target,
maxthreads=opt.nthreads)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_ciphers = cTuples.cInputGenerator(data=[],
filename=opt.cipher_fn,
prepare_cb=prepare_cb_cipher,
circle=True)
except cTuples.ENoInput:
print 'Error: No Ciphers specified, please use the -C parameter to set a cipher list file'
sys.exit(1)
ig_targets.start()
ig_ciphers.start()
tuples = cTuples.cTuples(inputs=[ig_targets, ig_ciphers],
prep_callback=check_ssl,
maxthreads=opt.nthreads,
delay=opt.delay)
tuples.start()
results = {}
for mark, cs, cipher, sev, version in tuples.tuple_q:
if dbh:
br = ccd.SslInfoResult(
ip=mark.ip,
fqdn=mark.hostname,
port=mark.port,
cs=cs,
)
dbh.add(br)
try:
results[mark.ip + ' / ' + mark.hostname][sev].append(cs)
except:
results[mark.ip + ' / ' + mark.hostname] = {}
results[mark.ip + ' / ' + mark.hostname]['weak'] = []
results[mark.ip + ' / ' + mark.hostname]['medium'] = []
results[mark.ip + ' / ' + mark.hostname]['strong'] = []
tuples.join()
for ip, c in results.items():
print '-' * len(ip)
print ip
print '-' * len(ip)
for cs in c['weak']:
print '\033[91m%s\033[0m' % cs
for cs in c['medium']:
print '\033[93m%s\033[0m' % cs
for cs in c['strong']:
print '\033[92m%s\033[0m' % cs
print
print 'Finished in %f seconds' % cUtil.secs(start)
def ssl_test(args, dbh=None):
parser = argparse.ArgumentParser(
prog=__plgname__,
description="ssl version tester v%f" % __version__,
epilog=
""" Examples:
ssl_tester.plg -t www.curesec.com -maxcon 10
""",
formatter_class=argparse.RawTextHelpFormatter
)
parser.add_argument('-T',
help='file containing urls or ips',
dest='target_fn'
)
parser.add_argument('-t',
help='url or ir',
nargs='+',
dest='target',
default=[]
)
parser.add_argument('-delay',
help='delay in between requests',
dest='delay',
default=0.0,
type=float
)
parser.add_argument('-C',
help='filename of cipher suite list to test against (default cipherlist.txt)',
dest='cipher_fn',
default='cipherlist.txt'
)
parser.add_argument('-port',
help='target port (default 443)',
dest='port',
default=443,
type=int
)
parser.add_argument('-to',
help='Server timeout (default 3s)',
dest='timeout',
type=int,
default=3
)
parser.add_argument('-maxcon',
help='Maximum parallel connections per host (default: unlimited)',
type=int,
default=0,
)
parser.add_argument('-nt',
help='Maximum number of threads to scan with, each host gets a new thread (default 10)',
dest='nthreads',
default=10,
type=int
)
if not args:
parser.print_help()
sys.exit(0)
opt = parser.parse_args(args)
# set global target parameters
cComm.Mark.MAX_CON = opt.maxcon
cComm.Mark.FIX_PORT = opt.port
cComm.Mark.TIMEOUT = opt.timeout
# only use ssl connections no plain http
cComm.Comm.SSL = True
start = datetime.now()
try:
ig_targets = cTuples.cInputGenerator(data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=cUtil.mkIP2,
prepare_cb=prepare_target,
maxthreads=opt.nthreads
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_ciphers = cTuples.cInputGenerator(data=[],
filename=opt.cipher_fn,
prepare_cb=prepare_cb_cipher,
circle=True)
except cTuples.ENoInput:
print 'Error: No Ciphers specified, please use the -C parameter to set a cipher list file'
sys.exit(1)
ig_targets.start()
ig_ciphers.start()
tuples = cTuples.cTuples(inputs=[ig_targets, ig_ciphers],
prep_callback=check_ssl,
maxthreads=opt.nthreads,
delay=opt.delay)
tuples.start()
results = {}
for mark, cs, cipher, sev, version in tuples.tuple_q:
if dbh:
br = ccd.SslInfoResult(
ip=mark.ip,
fqdn=mark.hostname,
port=mark.port,
cs=cs,
)
dbh.add(br)
try:
results[mark.ip + ' / ' + mark.hostname][sev].append(cs)
except:
results[mark.ip + ' / ' + mark.hostname] = {}
results[mark.ip + ' / ' + mark.hostname]['weak'] = []
results[mark.ip + ' / ' + mark.hostname]['medium'] = []
results[mark.ip + ' / ' + mark.hostname]['strong'] = []
tuples.join()
for ip, c in results.items():
print '-' * len(ip)
print ip
print '-' * len(ip)
for cs in c['weak']:
print '\033[91m%s\033[0m' % cs
for cs in c['medium']:
print '\033[93m%s\033[0m' % cs
for cs in c['strong']:
print '\033[92m%s\033[0m' % cs
print
print 'Finished in %f seconds' % cUtil.secs(start)
def start(self):
""" Do the thing """
start_time = datetime.now()
print '\nStarting bruteforce'
row_fmt = "{:30} {:30} {:30}"
print '-' * 80
print 'Real logins:'
print row_fmt.format('password', 'username', 'target')
print '-' * 80
for success, code, user, password, host, port in self.tuples.tuple_q:
# we actually found sth.
if success:
print row_fmt.format(password, user, host + ':' + str(port))
# add creds to database
if self.dbh:
ip = ''
fqdn = ''
typ = cUtil.getTargetType(host)
if typ == cUtil.TTYPE.IP:
ip = host
if typ == cUtil.TTYPE.DOMAIN:
fqdn = host
br = ccd.BruteforceResult(
ip=ip,
fqdn=fqdn,
port=int(port),
username=user,
password=password,
service='ftp',
)
#br = ccd.FtpBruteforceResult(
# host=host,
# port=int(port),
# user=user,
# password=password,
#)
self.dbh.add(br)
self.tuples.join()
if self.anon:
print '-' * 80
print 'Anonymous logins:'
print row_fmt.format('password', 'username', 'target')
print '-' * 80
while True:
try:
target, passw, user = self.anon_q.get_nowait()
except:
break
host, port = target
print row_fmt.format(passw, user, host + ':' + str(port))
# add creds to database
if self.dbh:
ip = ''
fqdn = ''
typ = cUtil.getTargetType(host)
if typ == cUtil.TTYPE.IP:
ip = host
if typ == cUtil.TTYPE.DOMAIN:
fqdn = host
br = ccd.BruteforceResult(
ip=ip,
fqdn=fqdn,
port=int(port),
username=user,
password=passw,
service='ftp',
)
#br = ccd.FtpBruteforceResult(
# host=host,
# port=int(port),
# user=user,
# password=passw,
#)
self.dbh.add(br)
print("\nfinished in %fs" % cUtil.secs(start_time))
def __init__(self, args, dbh=None):
opt = parse(args)
global tls_versions
tls_versions = opt.tlsv
hb_test.OUTDIR = opt.outdir
hb_test.TIMEOUT = opt.to
try:
hb_test.OUTDIR = os.path.join(__builtin__.openhome.base_dir, hb_test.OUTDIR)
except:
pass
if not os.path.exists(hb_test.OUTDIR):
os.makedirs(hb_test.OUTDIR)
else:
logger.info('%s directory already exists' % hb_test.OUTDIR)
# check access permissions
if not os.access(hb_test.OUTDIR, os.R_OK):
print 'Error %s not readable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.W_OK):
print 'Error %s not writable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.X_OK):
print 'Error %s not executable' % hb_test.OUTDIR
sys.exit(1)
start = datetime.now()
ig_targets = cTuples.cInputGenerator(data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=opt.ports,
noSplit=True,
noResolve=False),
maxthreads=opt.nthreads
)
ig_targets.start()
tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=hb_test,
maxthreads=opt.nthreads,
delay=opt.delay)
tuples.start()
n = 0
n_vuln = 0
n_notvuln = 0
n_down = 0
timestamp = time.strftime("%Y-%m-%d_%H:%M:%S")
fd_vuln = open(os.path.join(hb_test.OUTDIR, 'vulnerable_%s' % timestamp), 'w')
fd_notvuln = open(os.path.join(hb_test.OUTDIR, 'not_vulnerable_%s' % timestamp), 'w')
fd_down = open(os.path.join(hb_test.OUTDIR, 'down_%s' % timestamp), 'w')
fmt = '{:60}{:<20}'
print
print 'Started scan for CVE-2014-0160'
print 'Testing ports: %s' % ', '.join(map(str, opt.ports))
print 'Testing tls versions: %s' % ', '.join(map(str, opt.tlsv))
print
print '-' * 80
print
for vulnerable, target, hostname, fn, sample, errors in tuples.tuple_q:
n += 1
if vulnerable in opt.tlsv:
if dbh:
br = ccd.HeartbleedResult(
ip=target[0],
fqdn=hostname,
port=target[1],
sample=grep_ascii(sample),
risk=9,
tlsv=vulnerable,
)
dbh.add(br)
if not hostname:
hostname = target[0]
n_vuln += 1
fd_vuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_vuln.write('Warning: errors occured -> %s\n' % ', '.join(errors))
fd_vuln.flush()
if errors:
print fmt.format('\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format('\033[91m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\t%d bytes stored in %s' % (len(sample), fn)
elif vulnerable == 'NOT_VULN':
if dbh:
br = ccd.HeartbleedResult_NV(
ip=target[0],
fqdn=hostname,
port=target[1],
risk=0,
tlsv='-'
)
dbh.add(br)
if not hostname:
hostname = target[0]
n_notvuln += 1
fd_notvuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_notvuln.write('\nWarning: errors occured -> %s' % ', '.join(errors))
fd_notvuln.flush()
if errors:
print fmt.format('\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format('\033[92m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
elif vulnerable == 'DOWN':
n_down += 1
fd_down.write('%s:%d\n' % (hostname, target[1]))
fd_down.flush()
tuples.join()
print
print '-' * 80
print
print 'Finished scan in %f seconds' % cUtil.secs(start)
print
print '%d targets tested' % n
print '%d targets found vulnerable (see %s)' % (n_vuln, fd_vuln.name)
print '%d targets found not vulnerable (see %s)' % (n_notvuln, fd_notvuln.name)
print '%d targets were down (see %s)' % (n_down, fd_down.name)
fd_vuln.close()
fd_notvuln.close()
fd_down.close()
try:
p.connect(username=user)
except Exception, e:
logger.warning(e)
s.close()
break
start = datetime.now()
try:
p.auth_password(user, test_user.pw)
except paramiko.AuthenticationException, e:
pass
except Exception, e:
logger.warning(e)
s.close()
break
stop = cUtil.secs(start)
res += stop / N_SAMPLES
logger.info('estimated dealy for %s: %f' % (target, res))
return res
def get_banner(target):
s = socket.socket()
banner = ''
try:
s.connect(target)
banner = s.recv(1024)
except Exception, e:
logger.warning(e)
finally:
s.close()
try:
p.connect(username=user)
except Exception, e:
logger.warning(e)
s.close()
break
start = datetime.now()
try:
p.auth_password(user, test_user.pw)
except paramiko.AuthenticationException, e:
pass
except Exception, e:
logger.warning(e)
s.close()
break
stop = cUtil.secs(start)
res += stop / N_SAMPLES
logger.info('estimated dealy for %s: %f' % (target, res))
return res
def get_banner(target):
s = socket.socket()
banner = ''
try:
s.connect(target)
banner = s.recv(1024)
except Exception, e:
logger.warning(e)
finally:
s.close()
class SshUserEnum(object):
def __init__(self, args, dbh=None):
opt = parse(args)
self.dbh = dbh
self.adj = opt.adj
# We don't really need this module here, because we do not operate
# multithreaded, however it is convenient to use the mkIP2 and isUp
# functions to preprocess the target ips
self.ig_targets = cTuples.cInputGenerator(
data=opt.targets,
filename=opt.target_fn,
circle=False,
#prepare_cb=cUtil.isUp,
expand_cb=lambda t: cUtil.mkIP2(
t,
ports=[opt.port],
#noResolve=True
),
)
self.ig_targets.start()
# we don't want to overload the server with too many parallel login
# attempts as it might influence the delay times
# so anyway thats why i use one seperate list of user names per server
# instaed of zipping them to the targets
if opt.U:
self.users = it.chain(
__builtin__.openany(opt.U, 'r').readlines(), opt.u)
elif opt.u:
self.users = opt.u
else:
self.users = it.chain(
__builtin__.openshared('usernames.log', 'r').readlines())
prep_targets.bignore = opt.bignore
test_user.pw = 'a' * opt.l
def start(self):
print 'SSH User Enum started'
start = datetime.now()
for target, fqdn_tuple in self.ig_targets:
if not isinstance(target, str):
ip = target[0]
port = int(target[1])
if fqdn_tuple:
fqdn = ''.join(fqdn_tuple)
else:
fqdn = ''
else:
ip = target
port = int(fqdn_tuple)
fqdn = ''
target = (ip, port)
res = prep_targets((ip, port))
banner_check, _, delay_est, banner = res
delay = delay_est * self.adj
delay_est2 = delay_est * (self.adj * 0.25)
print '-' * 80
print '[+] Target:\t\t%s:%d (%s)' % (ip, port, fqdn)
print '[+] Banner:\t\t%s' % banner
print '[+] Est. Delay:\t\t%f' % delay_est
print '[+] Delay Thresh:\t%f, %f' % (delay, delay_est2)
print '-' * 80
if not banner_check:
print '[-] Banner check failed, rerun with -bignore'
else:
for u in self.users:
u = u.rstrip()
if not u:
continue
udelay = None
# 3 retries max
for _ in range(MAX_RETRIES):
try:
udelay = test_user(target, delay, u)
break
except Exception, e:
logger.warning(e)
if udelay and udelay > delay:
print '\033[91m[+] Found %s (%f)\033[0m' % (u, udelay)
if self.dbh:
sue = ccd.SshUserEnumResult(
ip=ip,
#fqdn=fqdn,
port=port,
user=u)
self.dbh.add(sue)
elif udelay and udelay > delay_est2:
print '\033[93m[?] Maybe %s (%f)\033[0m' % (u, udelay)
else:
if not udelay:
udelay = 0.0
print '[-] Discard %s (%f)' % (u, udelay)
print '-' * 80
print 'Finished in %f seconds' % cUtil.secs(start)
