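def probe_service_for_hosts(self, nmap_file, target):
    """Map the services found by an nmap run onto the net plugins to run.

    For every net plugin name from the plugin order file (plus "http"), the
    ``ip:port`` entries returned by ``self.target_service(nmap_file, service)``
    (``##``-separated) are inspected.  Each hit stores the port in the config
    under ``<SERVICE>_PORT_NUMBER``; non-http services are queued as plugins
    to run, http ports are collected and returned.

    Args:
        nmap_file: nmap output handed to ``self.target_service``.
        target: accepted for interface compatibility; not used here.

    Returns:
        list[str]: the ports on which http was detected.

    Side effects:
        Sets ``self.core.PluginHandler.OnlyPluginsList`` and
        ``self.core.PluginHandler.OnlyPluginsSet``, and one
        ``<SERVICE>_PORT_NUMBER`` config key per service (when a service is
        seen on several ports, the last one wins).
    """
    services = [plugin['Name'] for plugin in self.core.Config.Plugin.GetOrder("net")]
    services.append("http")
    plugin_list = []
    http = []
    for service in services:
        # A name already queued (duplicate entry in the order file) is not probed again.
        if service in plugin_list:
            continue
        # Look the service up once; every hit below reads from this list.
        hits = self.target_service(nmap_file, service).split("##")
        for line in hits:
            if not line.strip("\n"):
                continue
            parts = line.split(":")
            if len(parts) < 2:
                # Not an ip:port entry; skip it instead of failing the whole probe.
                log("Skipping malformed service entry " + repr(line) + " for service " + service)
                continue
            ip, port = parts[0], parts[1]
            self.core.Config.Set(service.upper() + "_PORT_NUMBER", port)
            if service != 'http':
                plugin_list.append(service)
            else:
                http.append(port)
            log("we have to probe " + str(ip) + ":" + str(port) + " for service " + service)
    self.core.PluginHandler.OnlyPluginsList = self.core.PluginHandler.ValidateAndFormatPluginList(plugin_list)
    # At least one plugin slot is always reported, even when nothing matched.
    self.core.PluginHandler.OnlyPluginsSet = max(1, len(plugin_list))
    return http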
def scan_and_grab_banners(self, file_with_ips, file_prefix, scan_type, nmap_options):
    """Run the nmap port/service scan and the amap banner grab for one protocol.

    ``scan_type`` selects a TCP SYN scan (``-sS``) or a UDP scan (``-sU``);
    any other value runs nothing.  nmap writes ``<file_prefix>.<scan_type>.*``
    (``-oA``) and amap writes ``<file_prefix>.<scan_type>.amap``.

    Args:
        file_with_ips: path handed to nmap ``-iL``.
        file_prefix: base name for every output file.
        scan_type: "tcp" or "udp".
        nmap_options: extra options appended verbatim to the nmap command line.

    Returns:
        None.  The only effect is the two commands run through
        ``self.core.Shell.shell_exec``.
    """
    # NOTE(review): every argument is spliced unquoted into a shell command
    # string; a path or option value containing shell metacharacters will be
    # interpreted by the shell.  Quote or validate them at the call site.
    if scan_type == "tcp":
        log("Performing TCP portscan, OS detection, Service detection, banner grabbing, etc")
        probe_flag = "-sS"
        amap_tail = " -t 90 -T 90 -c 64"
    elif scan_type == "udp":
        log("Performing UDP portscan, Service detection, banner grabbing, etc")
        probe_flag = "-sU"
        amap_tail = ""
    else:
        return
    out_base = file_prefix + "." + scan_type
    run = self.core.Shell.shell_exec
    run("nmap -PN -n -v --min-parallelism=10 -iL " + file_with_ips + " " + probe_flag + " -sV -O -oA " + out_base + " " + nmap_options)
    run("amap -1 -i " + out_base + ".gnmap -Abq -m -o " + out_base + ".amap" + amap_tail)
def ping_sweep(self, target, scantype):
    """Discover live hosts in ``target`` with nmap and list their IPs in a file.

    Args:
        target: nmap target specification, inserted into the command as given.
        scantype: "full" for ICMP/TCP-probe discovery, "arp" for ARP
            discovery; any other value runs no nmap scan.

    Side effects:
        nmap writes ``PING_SWEEP_FILE.*`` (``-oA``); the hosts marked "Up" in
        the .gnmap output are then extracted to ``PING_SWEEP_FILE.ips``.  The
        extraction runs for every ``scantype``, so with an unrecognised type it
        operates on whatever .gnmap file is already present, if any.
    """
    # NOTE(review): `target` is spliced unquoted into a shell command string;
    # validate it (host/CIDR/range syntax) before it reaches the shell.
    discovery = {
        "full": ("Performing Intense Host discovery",
                 "nmap -n -v -sP -PE -PP -PS21,22,23,25,80,443,113,21339 -PA80,113,443,10042 --source_port 53 "),
        "arp": ("Performing ARP host discovery",
                "nmap -n -v -sP -PR "),
    }
    if scantype in discovery:
        message, command_head = discovery[scantype]
        log(message)
        self.core.Shell.shell_exec(command_head + target + " -oA " + PING_SWEEP_FILE)
    self.core.Shell.shell_exec("grep Up " + PING_SWEEP_FILE + ".gnmap | cut -f2 -d\" \" > " + PING_SWEEP_FILE + ".ips")
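def handle_request(callback_function, queue, queue_name="pull"):
    """Serve the file-based "pull" request queue until told to stop.

    Requests are files dropped into the incoming directory mapped from
    ``queue_name``.  Each one is read, handed to
    ``callback_function(data, "pull")``, and the result is written under the
    same file name into the outgoing directory; the request file is then
    removed.

    Args:
        callback_function: callable invoked as ``callback_function(data, "pull")``;
            its return value is written back as the response.
        queue: stop signal -- the loop exits as soon as ``queue.empty()`` is false.
        queue_name: key into ``general.INCOMING_QUEUE_TO_DIR_MAPPING`` and
            ``general.OUTGOING_QUEUE_TO_DIR_MAPPING`` (default "pull").

    Returns:
        None: on a stop signal, on KeyboardInterrupt, or after logging any
        other unexpected exception.

    NOTE(review): this file defines ``handle_request`` twice with identical
    bodies; at import time the later definition wins.
    """
    request_dir = general.INCOMING_QUEUE_TO_DIR_MAPPING[queue_name]
    response_dir = general.OUTGOING_QUEUE_TO_DIR_MAPPING[queue_name]
    # The request directory may be created by another component after this
    # server starts; block until it exists.
    general.wait_until_dir_exists(request_dir, general.sleep_delay)
    while queue.empty():
        try:
            pending = general.get_files(request_dir)
            # Drain the directory; the listing is refreshed after every pass.
            while pending:
                for full_filename in pending:
                    filename = os.path.basename(full_filename)
                    # Lock files are not requests.
                    if ".lock" in filename:
                        continue
                    # skip_if_locked: a request still being written is left for
                    # the next pass instead of being read half-finished.
                    data = general.atomic_read_from_file(request_dir, filename, skip_if_locked=True)
                    if not data:
                        continue
                    result = callback_function(data, "pull")
                    general.atomic_write_to_file(response_dir, filename, result)
                    # Only a fully answered request is removed.
                    os.remove(os.path.join(request_dir, filename))
                pending = general.get_files(request_dir)
            # Nothing queued: yield the CPU before polling again.
            time.sleep(general.sleep_delay)
        except KeyboardInterrupt:
            break
        except Exception as e:
            log("Unexpected Pull server error: " + str(e))
            break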
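def handle_request(callback_function, queue, queue_name="pull"):
    """Serve the file-based "pull" request queue until told to stop.

    Requests are files dropped into the incoming directory mapped from
    ``queue_name``.  Each one is read, handed to
    ``callback_function(data, "pull")``, and the result is written under the
    same file name into the outgoing directory; the request file is then
    removed.

    Args:
        callback_function: callable invoked as ``callback_function(data, "pull")``;
            its return value is written back as the response.
        queue: stop signal -- the loop exits as soon as ``queue.empty()`` is false.
        queue_name: key into ``general.INCOMING_QUEUE_TO_DIR_MAPPING`` and
            ``general.OUTGOING_QUEUE_TO_DIR_MAPPING`` (default "pull").

    Returns:
        None: on a stop signal, on KeyboardInterrupt, or after logging any
        other unexpected exception.

    NOTE(review): this file defines ``handle_request`` twice with identical
    bodies; at import time the later definition wins.
    """
    request_dir = general.INCOMING_QUEUE_TO_DIR_MAPPING[queue_name]
    response_dir = general.OUTGOING_QUEUE_TO_DIR_MAPPING[queue_name]
    # The request directory may be created by another component after this
    # server starts; block until it exists.
    general.wait_until_dir_exists(request_dir, general.sleep_delay)
    while queue.empty():
        try:
            pending = general.get_files(request_dir)
            # Drain the directory; the listing is refreshed after every pass.
            while pending:
                for full_filename in pending:
                    filename = os.path.basename(full_filename)
                    # Lock files are not requests.
                    if ".lock" in filename:
                        continue
                    # skip_if_locked: a request still being written is left for
                    # the next pass instead of being read half-finished.
                    data = general.atomic_read_from_file(request_dir, filename, skip_if_locked=True)
                    if not data:
                        continue
                    result = callback_function(data, "pull")
                    general.atomic_write_to_file(response_dir, filename, result)
                    # Only a fully answered request is removed.
                    os.remove(os.path.join(request_dir, filename))
                pending = general.get_files(request_dir)
            # Nothing queued: yield the CPU before polling again.
            time.sleep(general.sleep_delay)
        except KeyboardInterrupt:
            break
        except Exception as e:
            log("Unexpected Pull server error: " + str(e))
            break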
def dns_sweep(self,file_with_ips,file_prefix):
    """Find live hosts with TCP/53 open and test each derived domain for zone transfer.

    Files written (all named from ``file_prefix``):
      * ``<file_prefix>.*``: nmap ``-oA`` output of the port-53 scan.
      * ``<file_prefix>.dns_server.ips``: hosts whose .gnmap line shows ``53/open/tcp``.
      * ``<file_prefix>.domain_names``: one line per DNS server, the domain part
        of the server's own reverse lookup (``host <ip> <ip>``).
      * ``<file_prefix>.<dns_server>.<domain>.axfr.raw``: ``host -l`` output,
        kept when the transfer is judged successful and removed otherwise.

    Args:
        file_with_ips: path given to nmap ``-iL``.
        file_prefix: base name for every file written.

    Returns:
        None.  Returns early when the domain-names file cannot be opened.
    """
    # NOTE(review): file_with_ips, file_prefix, and the values read back from
    # the shell (dns_server) or from a remote DNS answer (domain) are all
    # spliced unquoted into shell command strings below.  `domain` in
    # particular comes from a PTR record returned by the scanned host, i.e.
    # remote-controlled data; it should be validated against a hostname
    # pattern before it reaches a shell.
    log("Finding misconfigured DNS servers that might allow zone transfers among live ips ..")
    self.core.Shell.shell_exec("nmap -PN -n -sS -p 53 -iL "+file_with_ips+" -oA "+file_prefix)
    # Step 2 - Extract IPs
    dns_servers=file_prefix+".dns_server.ips"
    self.core.Shell.shell_exec("grep \"53/open/tcp\" "+file_prefix+".gnmap | cut -f 2 -d \" \" > "+dns_servers)
    # NOTE(review): `file` shadows the Python 2 builtin of the same name.
    file = self.open_file(dns_servers)
    domain_names=file_prefix+".domain_names"
    # Start from an empty domain list; the loop below appends (>>) to it.
    self.core.Shell.shell_exec("rm -f "+domain_names)
    num_dns_servers = 0
    for line in file:
        if line.strip('\n'):
            dns_server = line.strip('\n')
            # Reverse-resolve the server against itself, keep labels 2-7 of the
            # PTR name (drops the host label) and strip the trailing dot.
            self.core.Shell.shell_exec("host "+dns_server+" "+dns_server+" | grep 'domain name' | cut -f 5 -d' ' | cut -f 2,3,4,5,6,7 -d. | sed 's/\.$//' >> "+domain_names)
            num_dns_servers = num_dns_servers+1
    try:
        file = self.open_file(domain_names)
    except IOError:
        # Nothing was appended above, so the file was never created.
        return
    # NOTE(review): `dns_server` below is whatever the *last* iteration of the
    # loop above left behind, so every domain is tried against that single
    # server and the pairing between a domain and the server it was derived
    # from is lost.  If that loop ran zero times the name is unbound
    # (UnboundLocalError), although in that case the domain-names file is
    # normally absent and the IOError path above returns first.
    for line in file:
        domain = line.strip('\n')
        raw_axfr=file_prefix+"."+dns_server+"."+domain+".axfr.raw"
        self.core.Shell.shell_exec("host -l "+domain+" "+dns_server+" | grep "+domain+" > "+raw_axfr)
        # NOTE(review): shell_exec's return type is not visible here.  If it
        # returns the command output as a str, `success > 3` is not a numeric
        # comparison (always true under CPython 2, TypeError under Python 3);
        # confirm and convert with int() if so.
        success=self.core.Shell.shell_exec("wc -l "+raw_axfr+" | cut -f 1 -d ' '")
        if success > 3:
            # NOTE(review): "$dns_server" is a literal here, not interpolated.
            log("Attempting zone transfer on $dns_server using domain "+domain+".. Success!")
            # NOTE(review): the .axfr file is only ever removed; nothing in this
            # function writes to it.
            axfr=file_prefix+"."+dns_server+"."+domain+".axfr"
            self.core.Shell.shell_exec("rm -f "+axfr)
            log(self.core.Shell.shell_exec("grep 'has address' "+raw_axfr+" | cut -f 1,4 -d ' ' | sort -k 2 -t ' ' | sed 's/ /#/g'"))
        else:
            # NOTE(review): this is the not-successful branch, yet the message
            # still reads "Success!"; the raw output is discarded here.
            log("Attempting zone transfer on $dns_server using domain "+domain+" .. Success!")
            self.core.Shell.shell_exec("rm -f "+raw_axfr)
    if num_dns_servers==0:
        return