def main():
try:
# Check if defined "--version" option.
if menu.options.version:
version.show_version()
sys.exit(0)
# Checkall the banner
menu.banner()
# Check python version number.
version.python_version()
# Check if defined "--dependencies" option.
# For checking (non-core) third party dependenices.
if menu.options.noncore_dependencies:
checks.third_party_dependencies()
sys.exit(0)
# Check if defined "--update" option.
if menu.options.update:
update.updater()
sys.exit(0)
# Check if defined "--install" option.
if menu.options.install:
install.installer()
sys.exit(0)
# Check arguments
if len(sys.argv) == 1:
menu.parser.print_help()
print ""
sys.exit(0)
if menu.options.level > 3:
err_msg = "The value for option '--level' "
err_msg += "must be an integer value from range [1, 3]."
print settings.print_error_msg(err_msg)
sys.exit(0)
# Parse target / data from HTTP proxy logs (i.e Burp / WebScarab).
if menu.options.logfile:
parser.logfile_parser()
# Modification on payload
if not menu.options.shellshock:
#settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")"
settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")"
settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")"
# Check provided parameters for tests
if menu.options.test_parameter:
if menu.options.test_parameter.startswith("="):
menu.options.test_parameter = menu.options.test_parameter[1:]
settings.TEST_PARAMETER = menu.options.test_parameter.split(",")
for i in range(0, len(settings.TEST_PARAMETER)):
if "=" in settings.TEST_PARAMETER[i]:
settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[
i].split("=")[0]
# Check if defined character used for splitting parameter values.
if menu.options.pdel:
settings.PARAMETER_DELIMITER = menu.options.pdel
# Check if defined character used for splitting cookie values.
if menu.options.cdel:
settings.COOKIE_DELIMITER = menu.options.cdel
# Check if specified wrong injection technique
if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES:
found_tech = False
# Convert injection technique(s) to lowercase
menu.options.tech = menu.options.tech.lower()
# Check if used the ',' separator
if "," in menu.options.tech:
split_techniques_names = menu.options.tech.split(",")
else:
split_techniques_names = menu.options.tech.split()
if split_techniques_names:
for i in range(0, len(split_techniques_names)):
if len(menu.options.tech) <= 4:
split_first_letter = list(menu.options.tech)
for j in range(0, len(split_first_letter)):
if split_first_letter[
j] in settings.AVAILABLE_TECHNIQUES:
found_tech = True
else:
found_tech = False
if split_techniques_names[i].replace(
' ', ''
) not in settings.AVAILABLE_TECHNIQUES and found_tech == False:
err_msg = "You specified wrong value '" + split_techniques_names[
i] + "' as injection technique. "
err_msg += "The value, must be a string composed by the letters (C)lassic, (E)val-based, "
err_msg += "(T)ime-based, (F)ile-based (with or without commas)."
print settings.print_error_msg(err_msg)
sys.exit(0)
# Check if specified wrong alternative shell
if menu.options.alter_shell:
if menu.options.alter_shell.lower(
) not in settings.AVAILABLE_SHELLS:
err_msg = "'" + menu.options.alter_shell + "' shell is not supported!"
print settings.print_error_msg(err_msg)
sys.exit(0)
# Check the file-destination
if menu.options.file_write and not menu.options.file_dest or \
menu.options.file_upload and not menu.options.file_dest:
err_msg = "Host's absolute filepath to write and/or upload, must be specified (--file-dest)."
print settings.print_error_msg(err_msg)
sys.exit(0)
if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None:
err_msg = "You must enter the '--file-write' or '--file-upload' parameter."
print settings.print_error_msg(err_msg)
sys.exit(0)
# Check if defined "--file-upload" option.
if menu.options.file_upload:
# Check if not defined URL for upload.
if not re.match(settings.VALID_URL_FORMAT,
menu.options.file_upload):
err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. "
print settings.print_error_msg(err_msg)
sys.exit(0)
# Check if defined "--random-agent" option.
if menu.options.random_agent:
menu.options.agent = random.choice(settings.USER_AGENT_LIST)
# Check if defined "--url" option.
if menu.options.url:
url = menu.options.url
# Check if http / https
url = checks.check_http_s(url)
if menu.options.output_dir:
output_dir = menu.options.output_dir
else:
output_dir = settings.OUTPUT_DIR
# One directory up, if Windows or if the script is being run under "/src".
if settings.IS_WINDOWS or "/src" in os.path.dirname(
os.path.abspath(__file__)):
os.chdir("..")
output_dir = os.path.dirname(output_dir)
try:
os.stat(output_dir)
except:
os.mkdir(output_dir)
# The logs filename construction.
filename = logs.create_log_file(url, output_dir)
try:
# Check if defined POST data
if menu.options.data:
request = urllib2.Request(url, menu.options.data)
else:
request = urllib2.Request(url)
headers.do_check(request)
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
proxy.do_check(url)
# Check if defined Tor (--tor option).
elif menu.options.tor:
tor.do_check()
info_msg = "Checking connection to the target URL... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
try:
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
response = proxy.use_proxy(request)
# Check if defined Tor (--tor option).
elif menu.options.tor:
response = tor.use_tor(request)
else:
try:
response = urllib2.urlopen(request)
except ValueError:
# Invalid format for the '--headers' option.
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' to provide an HTTP header or"
err_msg += " '--headers=\"HEADER_NAME:" + settings.INJECT_TAG + "\"' "
err_msg += "if you want to try to exploit the provided HTTP header."
print settings.print_error_msg(err_msg)
sys.exit(0)
except:
raise
html_data = content = response.read()
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
# Used a valid pair of valid credentials
if menu.options.auth_cred:
info_msg = "Identified a valid pair of credentials '" + Style.UNDERLINE
info_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'."
print Style.BRIGHT + info_msg + Style.RESET_ALL
try:
if response.info()['server']:
server_banner = response.info()['server']
found_os_server = False
if menu.options.os and checks.user_defined_os():
user_defined_os = settings.TARGET_OS
for i in range(0, len(settings.SERVER_OS_BANNERS)):
if settings.SERVER_OS_BANNERS[i].lower(
) in server_banner.lower():
found_os_server = True
settings.TARGET_OS = settings.SERVER_OS_BANNERS[
i].lower()
if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft":
identified_os = "Windows"
if menu.options.os and user_defined_os != "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
settings.TARGET_OS = identified_os[:
3].lower(
)
if menu.options.shellshock:
err_msg = "The shellshock module is not available for " + identified_os + " targets."
print settings.print_critical_msg(
err_msg)
raise SystemExit()
else:
identified_os = "Unix-like (" + settings.TARGET_OS + ")"
if menu.options.os and user_defined_os == "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
found_server_banner = False
if menu.options.verbose:
info_msg = "Identifying the target server..."
print settings.print_info_msg(info_msg)
for i in range(0, len(settings.SERVER_BANNERS)):
if settings.SERVER_BANNERS[i].lower(
) in server_banner.lower():
if menu.options.verbose:
success_msg = "The server was identified as "
success_msg += Style.UNDERLINE + server_banner + Style.RESET_ALL + "."
print settings.print_success_msg(
success_msg)
settings.SERVER_BANNER = server_banner
found_server_banner = True
# Set up default root paths
if settings.SERVER_BANNERS[i].lower(
) == "apache":
if settings.TARGET_OS == "win":
settings.SRV_ROOT_DIR = "\\htdocs"
else:
settings.SRV_ROOT_DIR = "/var/www"
if settings.SERVER_BANNERS[i].lower(
) == "nginx":
settings.SRV_ROOT_DIR = "/usr/share/nginx"
if settings.SERVER_BANNERS[i].lower(
) == "microsoft-iis":
settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot"
break
if not found_server_banner:
warn_msg = "Heuristics have failed to identify server."
print settings.print_warning_msg(warn_msg)
# Store the Server's root dir
settings.DEFAULT_SRV_ROOT_DIR = settings.SRV_ROOT_DIR
# Retrieve everything from the supported enumeration options.
if menu.options.enum_all:
checks.enable_all_enumeration_options()
if menu.options.is_admin or menu.options.is_root and not menu.options.current_user:
menu.options.current_user = True
# Check for wrong flags.
if settings.TARGET_OS == "win":
if menu.options.is_root:
warn_msg = "Swithing '--is-root' to '--is-admin' because the target has been identified as windows."
print settings.print_warning_msg(warn_msg)
if menu.options.passwords:
warn_msg = "The '--passwords' option, is not yet available for Windows targets."
print settings.print_warning_msg(warn_msg)
if menu.options.file_upload:
warn_msg = "The '--file-upload' option, is not yet available for windows targets. "
warn_msg += "Instead, use the '--file-write' option."
print settings.print_warning_msg(warn_msg)
sys.exit(0)
else:
if menu.options.is_admin:
warn_msg = "Swithing the '--is-admin' to '--is-root' because "
warn_msg += "the target has been identified as unix-like. "
print settings.print_warning_msg(warn_msg)
if found_os_server == False and \
not menu.options.os:
# If "--shellshock" option is provided then,
# by default is a Linux/Unix operating system.
if menu.options.shellshock:
pass
else:
warn_msg = "Heuristics have failed to identify server's operating system."
print settings.print_warning_msg(warn_msg)
while True:
question_msg = "Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > "
got_os = raw_input(
settings.print_question_msg(
question_msg)).lower()
if got_os.lower() in settings.CHOICE_OS:
if got_os.lower() == "w":
settings.TARGET_OS = "win"
break
elif got_os.lower() == "u":
break
elif got_os.lower() == "q":
raise SystemExit()
else:
if got_os == "":
got_os = "enter"
err_msg = "'" + got_os + "' is not a valid answer."
print settings.print_error_msg(
err_msg) + "\n"
pass
if not menu.options.os:
if found_server_banner == False:
warn_msg = "The server which was identified as " + server_banner + " seems unknown."
print settings.print_warning_msg(warn_msg)
else:
found_os_server = checks.user_defined_os()
except KeyError:
pass
# Charset detection [1].
# [1] http://www.w3schools.com/html/html_charset.asp
# Check if HTML4 format
if menu.options.verbose:
info_msg = "Identifing the indicated web-page charset..."
print settings.print_info_msg(info_msg)
content = re.findall(r";charset=(.*)\"", html_data)
if len(content) != 0:
charset = content
else:
# Check if HTML5 format
charset = re.findall(r"charset=['\"](.*?)['\"]", html_data)
if len(charset) != 0:
settings.CHARSET = charset[len(charset) - 1]
if settings.CHARSET.lower() not in settings.CHARSET_LIST:
warn_msg = "The indicated web-page charset " + settings.CHARSET + " seems unknown."
print settings.print_warning_msg(warn_msg)
else:
if menu.options.verbose:
success_msg = "The indicated web-page charset appears to be "
success_msg += Style.UNDERLINE + settings.CHARSET + Style.RESET_ALL + "."
print settings.print_success_msg(success_msg)
except urllib2.HTTPError, e:
# Check the codes of responses
if e.getcode() == 500:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
content = e.read()
sys.exit(0)
# Check for HTTP Error 401 (Unauthorized).
elif e.getcode() == 401:
try:
# Get the auth header value
auth_line = e.headers.get('www-authenticate', '')
# Checking for authentication type name.
auth_type = auth_line.split()[0]
settings.SUPPORTED_HTTP_AUTH_TYPES.index(
auth_type.lower())
# Checking for the realm attribute.
try:
auth_obj = re.match('''(\w*)\s+realm=(.*)''',
auth_line).groups()
realm = auth_obj[1].split(',')[0].replace("\"", "")
except:
realm = False
except ValueError:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The identified HTTP authentication type (" + auth_type + ") is not yet supported."
print settings.print_error_msg(err_msg) + "\n"
sys.exit(0)
except IndexError:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The provided pair of " + menu.options.auth_type
err_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'"
err_msg += " seems to be invalid."
print settings.print_error_msg(err_msg)
sys.exit(0)
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
if menu.options.auth_type and menu.options.auth_type != auth_type.lower(
):
if checks.identified_http_auth_type(auth_type):
menu.options.auth_type = auth_type.lower()
else:
menu.options.auth_type = auth_type.lower()
# Check for stored auth credentials.
if not menu.options.auth_cred:
try:
stored_auth_creds = session_handler.export_valid_credentials(
url, auth_type.lower())
except:
stored_auth_creds = False
if stored_auth_creds:
menu.options.auth_cred = stored_auth_creds
success_msg = "Identified a valid pair of credentials '" + Style.UNDERLINE
success_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'."
print settings.print_success_msg(success_msg)
else:
# Basic authentication
if menu.options.auth_type == "basic":
if not menu.options.ignore_401:
warn_msg = "(" + menu.options.auth_type.capitalize(
) + ") "
warn_msg += "HTTP authentication credentials are required."
printprint_warning_msg(warn_msg)
while True:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n/q] > "
crack_creds = raw_input(
settings.print_question_msg(
question_msg)).lower()
if crack_creds in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(
url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
sys.exit(0)
elif crack_creds in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif crack_creds in settings.CHOICE_QUIT:
sys.exit(0)
else:
if crack_creds == "":
crack_creds = "enter"
err_msg = "'" + crack_creds + "' is not a valid answer."
print settings.print_error_msg(
err_msg) + "\n"
pass
# Digest authentication
elif menu.options.auth_type == "digest":
if not menu.options.ignore_401:
warn_msg = "(" + menu.options.auth_type.capitalize(
) + ") "
warn_msg += "HTTP authentication credentials are required."
print settings.print_warning_msg(warn_msg)
# Check if heuristics have failed to identify the realm attribute.
if not realm:
warn_msg = "Heuristics have failed to identify the realm attribute."
print settings.print_warning_msg(
warn_msg)
while True:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n/q] > "
crack_creds = raw_input(
settings.print_question_msg(
question_msg)).lower()
if crack_creds in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(
url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
sys.exit(0)
elif crack_creds in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif crack_creds in settings.CHOICE_QUIT:
sys.exit(0)
else:
if crack_creds == "":
crack_creds = "enter"
err_msg = "'" + crack_creds + "' is not a valid answer."
print settings.print_error_msg(
err_msg) + "\n"
pass
else:
checks.http_auth_err_msg()
else:
pass
elif e.getcode() == 403:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "You don't have permission to access this page."
print settings.print_error_msg(err_msg)
sys.exit(0)
elif e.getcode() == 404:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The host seems to be down!"
print settings.print_error_msg(err_msg)
sys.exit(0)
else:
raise
except urllib2.URLError, e:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The host seems to be down!"
print settings.print_error_msg(err_msg)
sys.exit(0)
def estimate_response_time(url, timesec):
stored_auth_creds = False
if settings.VERBOSITY_LEVEL >= 1:
info_msg = "Estimating the target URL response time... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
# Check if defined POST data
if menu.options.data:
request = urllib2.Request(url, menu.options.data)
else:
url = parameters.get_url_part(url)
request = urllib2.Request(url)
headers.do_check(request)
start = time.time()
try:
response = urllib2.urlopen(request)
response.read(1)
response.close()
# except urllib2.HTTPError, err:
# pass
except urllib2.HTTPError, err:
ignore_start = time.time()
if "Unauthorized" in str(err) and menu.options.ignore_code == settings.UNAUTHORIZED_ERROR:
pass
else:
if settings.VERBOSITY_LEVEL >= 1:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "Unable to connect to the target URL"
try:
err_msg += " (" + str(err.args[0]).split("] ")[1] + ")."
except IndexError:
err_msg += " (" + str(err) + ")."
print settings.print_critical_msg(err_msg)
# Check for HTTP Error 401 (Unauthorized).
if str(err.getcode()) == settings.UNAUTHORIZED_ERROR:
try:
# Get the auth header value
auth_line = err.headers.get('www-authenticate', '')
# Checking for authentication type name.
auth_type = auth_line.split()[0]
settings.SUPPORTED_HTTP_AUTH_TYPES.index(auth_type.lower())
# Checking for the realm attribute.
try:
auth_obj = re.match('''(\w*)\s+realm=(.*)''', auth_line).groups()
realm = auth_obj[1].split(',')[0].replace("\"", "")
except:
realm = False
except ValueError:
err_msg = "The identified HTTP authentication type (" + str(auth_type) + ") "
err_msg += "is not yet supported."
print settings.print_critical_msg(err_msg) + "\n"
raise SystemExit()
except IndexError:
err_msg = "The provided pair of " + str(menu.options.auth_type)
err_msg += " HTTP authentication credentials '" + str(menu.options.auth_cred) + "'"
err_msg += " seems to be invalid."
print settings.print_critical_msg(err_msg)
raise SystemExit()
if menu.options.auth_type and menu.options.auth_type != auth_type.lower():
if checks.identified_http_auth_type(auth_type):
menu.options.auth_type = auth_type.lower()
else:
menu.options.auth_type = auth_type.lower()
# Check for stored auth credentials.
if not menu.options.auth_cred:
try:
stored_auth_creds = session_handler.export_valid_credentials(url, auth_type.lower())
except:
stored_auth_creds = False
if stored_auth_creds:
menu.options.auth_cred = stored_auth_creds
success_msg = "Identified a valid (stored) pair of credentials '"
success_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'."
print settings.print_success_msg(success_msg)
else:
# Basic authentication
if menu.options.auth_type == "basic":
if not menu.options.ignore_code == settings.UNAUTHORIZED_ERROR:
warn_msg = "(" + menu.options.auth_type.capitalize() + ") "
warn_msg += "HTTP authentication credentials are required."
print settings.print_warning_msg(warn_msg)
while True:
if not menu.options.batch:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n] > "
sys.stdout.write(settings.print_question_msg(question_msg))
do_update = sys.stdin.readline().replace("\n","").lower()
else:
do_update = ""
if len(do_update) == 0:
do_update = "y"
if do_update in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
raise SystemExit()
elif do_update in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif do_update in settings.CHOICE_QUIT:
raise SystemExit()
else:
err_msg = "'" + do_update + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
# Digest authentication
elif menu.options.auth_type == "digest":
if not menu.options.ignore_code == settings.UNAUTHORIZED_ERROR:
warn_msg = "(" + menu.options.auth_type.capitalize() + ") "
warn_msg += "HTTP authentication credentials are required."
print settings.print_warning_msg(warn_msg)
# Check if heuristics have failed to identify the realm attribute.
if not realm:
warn_msg = "Heuristics have failed to identify the realm attribute."
print settings.print_warning_msg(warn_msg)
while True:
if not menu.options.batch:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n] > "
sys.stdout.write(settings.print_question_msg(question_msg))
do_update = sys.stdin.readline().replace("\n","").lower()
else:
do_update = ""
if len(do_update) == 0:
do_update = "y"
if do_update in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
raise SystemExit()
elif do_update in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif do_update in settings.CHOICE_QUIT:
raise SystemExit()
else:
err_msg = "'" + do_update + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
else:
checks.http_auth_err_msg()
else:
pass
ignore_end = time.time()
start = start - (ignore_start - ignore_end)
err_msg += " seems to be invalid."
print settings.print_critical_msg(err_msg)
sys.exit(0)
if settings.VERBOSITY_LEVEL < 2:
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
if menu.options.auth_type and menu.options.auth_type != auth_type.lower():
if checks.identified_http_auth_type(auth_type):
menu.options.auth_type = auth_type.lower()
else:
menu.options.auth_type = auth_type.lower()
# Check for stored auth credentials.
if not menu.options.auth_cred:
try:
stored_auth_creds = session_handler.export_valid_credentials(url, auth_type.lower())
except:
stored_auth_creds = False
if stored_auth_creds:
menu.options.auth_cred = stored_auth_creds
success_msg = "Identified a valid pair of credentials '"
success_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'."
print settings.print_success_msg(success_msg)
else:
# Basic authentication
if menu.options.auth_type == "basic":
if not menu.options.ignore_401:
warn_msg = "(" + menu.options.auth_type.capitalize() + ") "
warn_msg += "HTTP authentication credentials are required."
print settings.print_warning_msg(warn_msg)
while True:
def main():
try:
# Check if defined "--version" option.
if menu.options.version:
version.show_version()
sys.exit(0)
# Checkall the banner
menu.banner()
# Check python version number.
version.python_version()
# Check if defined "--dependencies" option.
# For checking (non-core) third party dependenices.
if menu.options.noncore_dependencies:
checks.third_party_dependencies()
sys.exit(0)
# Check if defined "--update" option.
if menu.options.update:
update.updater()
sys.exit(0)
# Check if defined "--install" option.
if menu.options.install:
install.installer()
sys.exit(0)
# Check arguments
if len(sys.argv) == 1:
menu.parser.print_help()
print ""
sys.exit(0)
# Define the level of verbosity.
if menu.options.verbose > 1:
err_msg = "The value for option '-v' "
err_msg += "must be an integer value from range [0, 1]."
print settings.print_critical_msg(err_msg)
sys.exit(0)
else:
settings.VERBOSITY_LEVEL = menu.options.verbose
# Check if defined "--delay" option.
if menu.options.delay:
if menu.options.delay > "0":
settings.DELAY = menu.options.delay
# Define the level of tests to perform.
if menu.options.level > 3:
err_msg = "The value for option '--level' "
err_msg += "must be an integer value from range [1, 3]."
print settings.print_critical_msg(err_msg)
sys.exit(0)
# Parse target / data from HTTP proxy logs (i.e Burp / WebScarab).
if menu.options.logfile:
parser.logfile_parser()
# Modification on payload
if not menu.options.shellshock:
#settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")"
settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")"
settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")"
# Check provided parameters for tests
if menu.options.test_parameter:
if menu.options.test_parameter.startswith("="):
menu.options.test_parameter = menu.options.test_parameter[1:]
settings.TEST_PARAMETER = menu.options.test_parameter.split(settings.PARAMETER_SPLITTING_REGEX)
for i in range(0,len(settings.TEST_PARAMETER)):
if "=" in settings.TEST_PARAMETER[i]:
settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[i].split("=")[0]
# Check if defined character used for splitting parameter values.
if menu.options.pdel:
settings.PARAMETER_DELIMITER = menu.options.pdel
# Check if defined character used for splitting cookie values.
if menu.options.cdel:
settings.COOKIE_DELIMITER = menu.options.cdel
# Check if specified wrong injection technique
if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES:
found_tech = False
# Convert injection technique(s) to lowercase
menu.options.tech = menu.options.tech.lower()
# Check if used the ',' separator
if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech:
split_techniques_names = menu.options.tech.split(settings.PARAMETER_SPLITTING_REGEX)
else:
split_techniques_names = menu.options.tech.split()
if split_techniques_names:
for i in range(0,len(split_techniques_names)):
if len(menu.options.tech) <= 4:
split_first_letter = list(menu.options.tech)
for j in range(0,len(split_first_letter)):
if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES:
found_tech = True
else:
found_tech = False
if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \
found_tech == False:
err_msg = "You specified wrong value '" + split_techniques_names[i]
err_msg += "' as injection technique. "
err_msg += "The value, must be a string composed by the letters (C)lassic, (E)val-based, "
err_msg += "(T)ime-based, (F)ile-based (with or without commas)."
print settings.print_critical_msg(err_msg)
sys.exit(0)
# Check if specified wrong alternative shell
if menu.options.alter_shell:
if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS:
err_msg = "'" + menu.options.alter_shell + "' shell is not supported!"
print settings.print_critical_msg(err_msg)
sys.exit(0)
# Check the file-destination
if menu.options.file_write and not menu.options.file_dest or \
menu.options.file_upload and not menu.options.file_dest:
err_msg = "Host's absolute filepath to write and/or upload, must be specified (--file-dest)."
print settings.print_critical_msg(err_msg)
sys.exit(0)
if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None :
err_msg = "You must enter the '--file-write' or '--file-upload' parameter."
print settings.print_critical_msg(err_msg)
sys.exit(0)
# Check if defined "--file-upload" option.
if menu.options.file_upload:
# Check if not defined URL for upload.
if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload):
err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. "
print settings.print_critical_msg(err_msg)
sys.exit(0)
# Check if defined "--random-agent" option.
if menu.options.random_agent:
menu.options.agent = random.choice(settings.USER_AGENT_LIST)
# Check if defined "--url" option.
if menu.options.url:
url = menu.options.url
# Check if http / https
url = checks.check_http_s(url)
if menu.options.output_dir:
output_dir = menu.options.output_dir
else:
output_dir = settings.OUTPUT_DIR
# One directory up, if Windows or if the script is being run under "/src".
if settings.IS_WINDOWS or "/src" in os.path.dirname(os.path.abspath(__file__)):
os.chdir("..")
output_dir = os.path.dirname(output_dir)
try:
os.stat(output_dir)
except:
os.mkdir(output_dir)
# The logs filename construction.
filename = logs.create_log_file(url, output_dir)
try:
# Check if defined POST data
if menu.options.data:
request = urllib2.Request(url, menu.options.data)
else:
request = urllib2.Request(url)
headers.do_check(request)
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
proxy.do_check(url)
# Check if defined Tor (--tor option).
elif menu.options.tor:
tor.do_check()
info_msg = "Checking connection to the target URL... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
try:
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
response = proxy.use_proxy(request)
# Check if defined Tor (--tor option).
elif menu.options.tor:
response = tor.use_tor(request)
else:
try:
response = urllib2.urlopen(request)
except ValueError:
# Invalid format for the '--headers' option.
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' "
err_msg += "to provide an HTTP header or"
err_msg += " '--headers=\"HEADER_NAME:" + settings.WILDCARD_CHAR + "\"' "
err_msg += "if you want to try to exploit the provided HTTP header."
print settings.print_critical_msg(err_msg)
sys.exit(0)
except:
raise
html_data = content = response.read()
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
# Check for CGI scripts on url
checks.check_CGI_scripts(url)
# Used a valid pair of valid credentials
if menu.options.auth_cred:
success_msg = Style.BRIGHT + "Identified a valid pair of credentials '"
success_msg += menu.options.auth_cred + Style.RESET_ALL
success_msg += Style.BRIGHT + "'." + Style.RESET_ALL
print settings.print_success_msg(success_msg)
try:
if response.info()['server'] :
server_banner = response.info()['server']
found_os_server = False
if menu.options.os and checks.user_defined_os():
user_defined_os = settings.TARGET_OS
for i in range(0,len(settings.SERVER_OS_BANNERS)):
if settings.SERVER_OS_BANNERS[i].lower() in server_banner.lower():
found_os_server = True
settings.TARGET_OS = settings.SERVER_OS_BANNERS[i].lower()
if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft" :
identified_os = "Windows"
if menu.options.os and user_defined_os != "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
settings.TARGET_OS = identified_os[:3].lower()
if menu.options.shellshock:
err_msg = "The shellshock module is not available for "
err_msg += identified_os + " targets."
print settings.print_critical_msg(err_msg)
raise SystemExit()
else:
identified_os = "Unix-like (" + settings.TARGET_OS + ")"
if menu.options.os and user_defined_os == "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
found_server_banner = False
if settings.VERBOSITY_LEVEL >= 1:
info_msg = "Identifying the target server... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
for i in range(0,len(settings.SERVER_BANNERS)):
if settings.SERVER_BANNERS[i].lower() in server_banner.lower():
if settings.VERBOSITY_LEVEL >= 1:
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
if settings.VERBOSITY_LEVEL >= 1:
success_msg = "The server was identified as "
success_msg += server_banner + Style.RESET_ALL + "."
print settings.print_success_msg(success_msg)
settings.SERVER_BANNER = server_banner
found_server_banner = True
# Set up default root paths
if settings.SERVER_BANNERS[i].lower() == "apache":
if settings.TARGET_OS == "win":
settings.SRV_ROOT_DIR = "\\htdocs"
else:
settings.SRV_ROOT_DIR = "/var/www"
if settings.SERVER_BANNERS[i].lower() == "nginx":
settings.SRV_ROOT_DIR = "/usr/share/nginx"
if settings.SERVER_BANNERS[i].lower() == "microsoft-iis":
settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot"
break
if not found_server_banner:
if settings.VERBOSITY_LEVEL >= 1:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
warn_msg = "Heuristics have failed to identify server."
print settings.print_warning_msg(warn_msg)
# Load tamper scripts
if menu.options.tamper:
checks.tamper_scripts()
# Store the Server's root dir
settings.DEFAULT_SRV_ROOT_DIR = settings.SRV_ROOT_DIR
if menu.options.is_admin or menu.options.is_root and not menu.options.current_user:
menu.options.current_user = True
# Check for wrong flags.
if settings.TARGET_OS == "win":
if menu.options.is_root :
warn_msg = "Swithing '--is-root' to '--is-admin' because the "
warn_msg += "target has been identified as windows."
print settings.print_warning_msg(warn_msg)
if menu.options.passwords:
warn_msg = "The '--passwords' option, is not yet available for Windows targets."
print settings.print_warning_msg(warn_msg)
if menu.options.file_upload :
warn_msg = "The '--file-upload' option, is not yet available for windows targets. "
warn_msg += "Instead, use the '--file-write' option."
print settings.print_warning_msg(warn_msg)
sys.exit(0)
else:
if menu.options.is_admin :
warn_msg = "Swithing the '--is-admin' to '--is-root' because "
warn_msg += "the target has been identified as unix-like. "
print settings.print_warning_msg(warn_msg)
if found_os_server == False and \
not menu.options.os:
# If "--shellshock" option is provided then,
# by default is a Linux/Unix operating system.
if menu.options.shellshock:
pass
else:
warn_msg = "Heuristics have failed to identify server's operating system."
print settings.print_warning_msg(warn_msg)
while True:
question_msg = "Do you recognise the server's operating system? "
question_msg += "[(W)indows/(U)nix/(q)uit] > "
sys.stdout.write(settings.print_question_msg(question_msg))
got_os = sys.stdin.readline().replace("\n","").lower()
if got_os.lower() in settings.CHOICE_OS :
if got_os.lower() == "w":
settings.TARGET_OS = "win"
break
elif got_os.lower() == "u":
break
elif got_os.lower() == "q":
raise SystemExit()
else:
if got_os == "":
got_os = "enter"
err_msg = "'" + got_os + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
if not menu.options.os:
if found_server_banner == False:
warn_msg = "The server which was identified as "
warn_msg += server_banner + " seems unknown."
print settings.print_warning_msg(warn_msg)
else:
found_os_server = checks.user_defined_os()
except KeyError:
pass
# Charset detection.
requests.charset_detection(response)
except urllib2.HTTPError, e:
# Check the codes of responses
if e.getcode() == 500:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
content = e.read()
sys.exit(0)
# Check for HTTP Error 401 (Unauthorized).
elif e.getcode() == 401:
try:
# Get the auth header value
auth_line = e.headers.get('www-authenticate', '')
# Checking for authentication type name.
auth_type = auth_line.split()[0]
settings.SUPPORTED_HTTP_AUTH_TYPES.index(auth_type.lower())
# Checking for the realm attribute.
try:
auth_obj = re.match('''(\w*)\s+realm=(.*)''', auth_line).groups()
realm = auth_obj[1].split(',')[0].replace("\"", "")
except:
realm = False
except ValueError:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The identified HTTP authentication type (" + auth_type + ") "
err_msg += "is not yet supported."
print settings.print_critical_msg(err_msg) + "\n"
sys.exit(0)
except IndexError:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The provided pair of " + menu.options.auth_type
err_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'"
err_msg += " seems to be invalid."
print settings.print_critical_msg(err_msg)
sys.exit(0)
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
if menu.options.auth_type and menu.options.auth_type != auth_type.lower():
if checks.identified_http_auth_type(auth_type):
menu.options.auth_type = auth_type.lower()
else:
menu.options.auth_type = auth_type.lower()
# Check for stored auth credentials.
if not menu.options.auth_cred:
try:
stored_auth_creds = session_handler.export_valid_credentials(url, auth_type.lower())
except:
stored_auth_creds = False
if stored_auth_creds:
menu.options.auth_cred = stored_auth_creds
success_msg = "Identified a valid pair of credentials '"
success_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'."
print settings.print_success_msg(success_msg)
else:
# Basic authentication
if menu.options.auth_type == "basic":
if not menu.options.ignore_401:
warn_msg = "(" + menu.options.auth_type.capitalize() + ") "
warn_msg += "HTTP authentication credentials are required."
print settings.print_warning_msg(warn_msg)
while True:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n/q] > "
sys.stdout.write(settings.print_question_msg(question_msg))
crack_creds = sys.stdin.readline().replace("\n","").lower()
if crack_creds in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
sys.exit(0)
elif crack_creds in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif crack_creds in settings.CHOICE_QUIT:
sys.exit(0)
else:
if crack_creds == "":
crack_creds = "enter"
err_msg = "'" + crack_creds + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
# Digest authentication
elif menu.options.auth_type == "digest":
if not menu.options.ignore_401:
warn_msg = "(" + menu.options.auth_type.capitalize() + ") "
warn_msg += "HTTP authentication credentials are required."
print settings.print_warning_msg(warn_msg)
# Check if heuristics have failed to identify the realm attribute.
if not realm:
warn_msg = "Heuristics have failed to identify the realm attribute."
print settings.print_warning_msg(warn_msg)
while True:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n/q] > "
sys.stdout.write(settings.print_question_msg(question_msg))
crack_creds = sys.stdin.readline().replace("\n","").lower()
if crack_creds in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
sys.exit(0)
elif crack_creds in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif crack_creds in settings.CHOICE_QUIT:
sys.exit(0)
else:
if crack_creds == "":
crack_creds = "enter"
err_msg = "'" + crack_creds + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
else:
checks.http_auth_err_msg()
else:
pass
elif e.getcode() == 403:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "You don't have permission to access this page."
print settings.print_critical_msg(err_msg)
sys.exit(0)
elif e.getcode() == 404:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The host seems to be down!"
print settings.print_critical_msg(err_msg)
sys.exit(0)
else:
raise
except urllib2.URLError, e:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The host seems to be down!"
print settings.print_critical_msg(err_msg)
sys.exit(0)
def main():
try:
# Check if defined "--version" option.
if menu.options.version:
version.show_version()
sys.exit(0)
# Checkall the banner
menu.banner()
# Check python version number.
version.python_version()
# Check if defined "--dependencies" option.
# For checking (non-core) third party dependenices.
if menu.options.noncore_dependencies:
checks.third_party_dependencies()
sys.exit(0)
# Check if defined "--update" option.
if menu.options.update:
update.updater()
sys.exit(0)
# Check if defined "--install" option.
if menu.options.install:
install.installer()
sys.exit(0)
# Check arguments
if len(sys.argv) == 1:
menu.parser.print_help()
print ""
sys.exit(0)
# Parse target / data from HTTP proxy logs (i.e Burp / WebScarab).
if menu.options.logfile:
parser.logfile_parser()
# Modification on payload
if not menu.options.shellshock:
#settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")"
settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")"
settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")"
# Check if defined character used for splitting parameter values.
if menu.options.pdel:
settings.PARAMETER_DELIMITER = menu.options.pdel
# Check if defined character used for splitting cookie values.
if menu.options.cdel:
settings.COOKIE_DELIMITER = menu.options.cdel
# Check if specified wrong injection technique
if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES:
found_tech = False
# Convert injection technique(s) to lowercase
menu.options.tech = menu.options.tech.lower()
# Check if used the ',' separator
if "," in menu.options.tech:
split_techniques_names = menu.options.tech.split(",")
else:
split_techniques_names = menu.options.tech.split()
if split_techniques_names:
for i in range(0,len(split_techniques_names)):
if len(menu.options.tech) <= 4:
split_first_letter = list(menu.options.tech)
for j in range(0,len(split_first_letter)):
if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES:
found_tech = True
else:
found_tech = False
if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and found_tech == False:
error_msg = "You specified wrong value '" + split_techniques_names[i] + "' as injection technique. " \
"The value, must be a string composed by the letters (C)lassic, (E)val-based, " \
"(T)ime-based, (F)ile-based (with or without commas)."
print Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL
sys.exit(0)
# Cookie Injection
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
settings.COOKIE_INJECTION = True
# User-Agent Injection
if menu.options.agent and settings.INJECT_TAG in menu.options.agent:
settings.USER_AGENT_INJECTION = True
# Referer Injection
if menu.options.referer and settings.INJECT_TAG in menu.options.referer:
settings.REFERER_INJECTION = True
# Check if specified wrong alternative shell
if menu.options.alter_shell:
if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS:
print Back.RED + settings.ERROR_SIGN + "'" + menu.options.alter_shell + "' shell is not supported!" + Style.RESET_ALL
sys.exit(0)
# Check the file-destination
if menu.options.file_write and not menu.options.file_dest or \
menu.options.file_upload and not menu.options.file_dest:
print Back.RED + settings.ERROR_SIGN + "Host's absolute filepath to write and/or upload, must be specified (--file-dest)." + Style.RESET_ALL
sys.exit(0)
if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None :
print Back.RED + settings.ERROR_SIGN + "You must enter the '--file-write' or '--file-upload' parameter." + Style.RESET_ALL
sys.exit(0)
# Check if defined "--file-upload" option.
if menu.options.file_upload:
# Check if not defined URL for upload.
if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload):
print Back.RED + settings.ERROR_SIGN + "The '" + menu.options.file_upload + "' is not a valid URL. " + Style.RESET_ALL
sys.exit(0)
# Check if defined "--random-agent" option.
if menu.options.random_agent:
menu.options.agent = random.choice(settings.USER_AGENT_LIST)
# Check if defined "--url" option.
if menu.options.url:
url = menu.options.url
# Check if http / https
url = checks.check_http_s(url)
if menu.options.output_dir:
output_dir = menu.options.output_dir
else:
output_dir = settings.OUTPUT_DIR
# One directory up, if Windows or if the script is being run under "/src".
if settings.IS_WINDOWS or "/src" in os.path.dirname(os.path.abspath(__file__)):
os.chdir("..")
output_dir = os.path.dirname(output_dir)
try:
os.stat(output_dir)
except:
os.mkdir(output_dir)
# The logs filename construction.
filename = logs.create_log_file(url, output_dir)
try:
# Check if defined POST data
if menu.options.data:
request = urllib2.Request(url, menu.options.data)
else:
request = urllib2.Request(url)
headers.do_check(request)
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
proxy.do_check(url)
# Check if defined Tor (--tor option).
elif menu.options.tor:
tor.do_check()
sys.stdout.write(settings.INFO_SIGN + "Checking connection to the target URL... ")
sys.stdout.flush()
try:
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
response = proxy.use_proxy(request)
# Check if defined Tor (--tor option).
elif menu.options.tor:
response = tor.use_tor(request)
else:
try:
response = urllib2.urlopen(request)
except ValueError:
# Invalid format for the '--headers' option.
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
error_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' to provide an HTTP header or '--headers=\"HEADER_NAME:" + settings.INJECT_TAG + "\"' if you want to try to exploit the provided HTTP header."
print Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL
sys.exit(0)
except:
raise
html_data = response.read()
content = response.read()
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
# Used a valid pair of valid credentials
if menu.options.auth_cred:
print Style.BRIGHT + "(!) Identified a valid pair of credentials '" + Style.UNDERLINE + menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'." + Style.RESET_ALL
try:
if response.info()['server'] :
server_banner = response.info()['server']
found_os_server = False
if menu.options.os and checks.user_defined_os():
user_defined_os = settings.TARGET_OS
for i in range(0,len(settings.SERVER_OS_BANNERS)):
if settings.SERVER_OS_BANNERS[i].lower() in server_banner.lower():
found_os_server = True
settings.TARGET_OS = settings.SERVER_OS_BANNERS[i].lower()
if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft" :
identified_os = "Windows"
if menu.options.os and user_defined_os != "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
settings.TARGET_OS = identified_os[:3].lower()
if menu.options.shellshock:
print Back.RED + settings.CRITICAL_SIGN + "The shellshock module is not available for " + identified_os + " targets." + Style.RESET_ALL
raise SystemExit()
else:
identified_os = "Unix-like (" + settings.TARGET_OS + ")"
if menu.options.os and user_defined_os == "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
found_server_banner = False
for i in range(0,len(settings.SERVER_BANNERS)):
if settings.SERVER_BANNERS[i].lower() in server_banner.lower():
if menu.options.verbose:
print Style.BRIGHT + "(!) The server was identified as " + Style.UNDERLINE + server_banner + Style.RESET_ALL + "." + Style.RESET_ALL
settings.SERVER_BANNER = server_banner
found_server_banner = True
# Set up default root paths
if settings.SERVER_BANNERS[i].lower() == "apache":
if settings.TARGET_OS == "win":
settings.SRV_ROOT_DIR = "\\htdocs"
else:
settings.SRV_ROOT_DIR = "/var/www"
if settings.SERVER_BANNERS[i].lower() == "nginx":
settings.SRV_ROOT_DIR = "/usr/share/nginx"
if settings.SERVER_BANNERS[i].lower() == "microsoft-iis":
settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot"
break
if menu.options.is_admin or menu.options.is_root and not menu.options.current_user:
menu.options.current_user = True
# Check for wrong flags.
if settings.TARGET_OS == "win":
if menu.options.is_root :
print Fore.YELLOW + settings.WARNING_SIGN + "Swithing '--is-root' to '--is-admin' because the target has been identified as windows." + Style.RESET_ALL
error_msg = settings.WARNING_SIGN + "The '--passwords' option, is not yet available for Windows targets."
if menu.options.passwords:
print Fore.YELLOW + settings.WARNING_SIGN + "The '--passwords' option, is not yet available for Windows targets." + Style.RESET_ALL
if menu.options.file_upload :
print Fore.YELLOW + settings.WARNING_SIGN + "The '--file-upload' option, is not yet available for windows targets. Instead, use the '--file-write' option." + Style.RESET_ALL
sys.exit(0)
else:
if menu.options.is_admin :
print Fore.YELLOW + settings.WARNING_SIGN + "Swithing the '--is-admin' to '--is-root' because the target has been identified as unix-like. " + Style.RESET_ALL
if found_os_server == False and \
not menu.options.os:
# If "--shellshock" option is provided then,
# by default is a Linux/Unix operating system.
if menu.options.shellshock:
pass
else:
print Fore.YELLOW + settings.WARNING_SIGN + "Heuristics have failed to identify server's operating system." + Style.RESET_ALL
while True:
got_os = raw_input(settings.QUESTION_SIGN + "Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > ").lower()
if got_os.lower() in settings.CHOICE_OS :
if got_os.lower() == "w":
settings.TARGET_OS = "win"
break
elif got_os.lower() == "u":
break
elif got_os.lower() == "q":
raise SystemExit()
else:
if got_os == "":
got_os = "enter"
print Back.RED + settings.ERROR_SIGN + "'" + got_os + "' is not a valid answer." + Style.RESET_ALL + "\n"
pass
if not menu.options.os:
if found_server_banner == False:
print Fore.YELLOW + settings.WARNING_SIGN + "The server which was identified as " + server_banner + " seems unknown." + Style.RESET_ALL
else:
found_os_server = checks.user_defined_os()
except KeyError:
pass
# Charset detection [1].
# [1] http://www.w3schools.com/html/html_charset.asp
# Check if HTML4 format
content = re.findall(r";charset=(.*)\"", html_data)
if len(content) != 0 :
charset = content
else:
# Check if HTML5 format
charset = re.findall(r"charset=['\"](.*?)['\"]", html_data)
if len(charset) != 0 :
settings.CHARSET = charset[len(charset)-1]
if settings.CHARSET.lower() not in settings.CHARSET_LIST:
print Fore.YELLOW + settings.WARNING_SIGN + "The indicated web-page charset " + settings.CHARSET + " seems unknown." + Style.RESET_ALL
else:
if menu.options.verbose:
print Style.BRIGHT + "(!) The indicated web-page charset appears to be " + Style.UNDERLINE + settings.CHARSET + Style.RESET_ALL + "." + Style.RESET_ALL
# Retrieve everything from the supported enumeration options.
if menu.options.enum_all:
checks.enable_all_enumeration_options()
except urllib2.HTTPError, e:
# Check the codes of responses
if e.getcode() == 500:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
content = e.read()
sys.exit(0)
# Check for HTTP Error 401 (Unauthorized).
elif e.getcode() == 401:
try:
# Get the auth header value
auth_line = e.headers.get('www-authenticate', '')
# Checking for authentication type name.
auth_type = auth_line.split()[0]
settings.SUPPORTED_HTTP_AUTH_TYPES.index(auth_type.lower())
# Checking for the realm attribute.
try:
auth_obj = re.match('''(\w*)\s+realm=(.*)''', auth_line).groups()
realm = auth_obj[1].split(',')[0].replace("\"", "")
except:
realm = False
except ValueError:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
print Back.RED + settings.ERROR_SIGN + "The identified HTTP authentication type (" + auth_type + ") is not yet supported." + Style.RESET_ALL + "\n"
sys.exit(0)
except IndexError:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
error_msg = "The provided pair of " + menu.options.auth_type
error_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'"
error_msg += " seems to be invalid."
print Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL
sys.exit(0)
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
if menu.options.auth_type and menu.options.auth_type != auth_type.lower():
if checks.identified_http_auth_type(auth_type):
menu.options.auth_type = auth_type.lower()
else:
menu.options.auth_type = auth_type.lower()
# Check for stored auth credentials.
if not menu.options.auth_cred:
try:
stored_auth_creds = session_handler.export_valid_credentials(url, auth_type.lower())
except:
stored_auth_creds = False
if stored_auth_creds:
menu.options.auth_cred = stored_auth_creds
print Style.BRIGHT + "(!) Identified a valid pair of credentials '" + Style.UNDERLINE + menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'." + Style.RESET_ALL
else:
# Basic authentication
if menu.options.auth_type == "basic":
if not menu.options.ignore_401:
print Fore.YELLOW + settings.WARNING_SIGN + "(" + menu.options.auth_type.capitalize() + ")" + " HTTP authentication credentials are required." + Style.RESET_ALL
while True:
crack_creds = raw_input(settings.QUESTION_SIGN + "Do you want to perform a dictionary-based attack? [Y/n/q] > ").lower()
if crack_creds in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
sys.exit(0)
elif crack_creds in settings.CHOICE_NO:
checks.http_auth_error_msg()
elif crack_creds in settings.CHOICE_QUIT:
sys.exit(0)
else:
if crack_creds == "":
crack_creds = "enter"
print Back.RED + settings.ERROR_SIGN + "'" + crack_creds + "' is not a valid answer." + Style.RESET_ALL + "\n"
pass
# Digest authentication
elif menu.options.auth_type == "digest":
if not menu.options.ignore_401:
print Fore.YELLOW + settings.WARNING_SIGN + "(" + menu.options.auth_type.capitalize() + ")" + " HTTP authentication credentials are required." + Style.RESET_ALL
# Check if heuristics have failed to identify the realm attribute.
if not realm:
warn_msg = "Heuristics have failed to identify the realm attribute."
print Fore.YELLOW + settings.WARNING_SIGN + warn_msg + Style.RESET_ALL
while True:
crack_creds = raw_input(settings.QUESTION_SIGN + "Do you want to perform a dictionary-based attack? [Y/n/q] > ").lower()
if crack_creds in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
sys.exit(0)
elif crack_creds in settings.CHOICE_NO:
checks.http_auth_error_msg()
elif crack_creds in settings.CHOICE_QUIT:
sys.exit(0)
else:
if crack_creds == "":
crack_creds = "enter"
print Back.RED + settings.ERROR_SIGN + "'" + crack_creds + "' is not a valid answer." + Style.RESET_ALL + "\n"
pass
else:
checks.http_auth_error_msg()
else:
pass
elif e.getcode() == 403:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
print Back.RED + settings.ERROR_SIGN + "You don't have permission to access this page." + Style.RESET_ALL
sys.exit(0)
elif e.getcode() == 404:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
print Back.RED + settings.ERROR_SIGN + "The host seems to be down!" + Style.RESET_ALL
sys.exit(0)
else:
raise
except urllib2.URLError, e:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
print Back.RED + settings.ERROR_SIGN + "The host seems to be down!" + Style.RESET_ALL
sys.exit(0)
def estimate_response_time(url, timesec):
if settings.VERBOSITY_LEVEL >= 1:
info_msg = "Estimating the target URL response time... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
# Check if defined POST data
if menu.options.data:
request = urllib2.Request(url, menu.options.data)
else:
url = parameters.get_url_part(url)
request = urllib2.Request(url)
headers.do_check(request)
start = time.time()
try:
response = urllib2.urlopen(request)
response.read(1)
response.close()
# except urllib2.HTTPError, err:
# pass
except urllib2.HTTPError, err:
ignore_start = time.time()
if "Unauthorized" in str(err) and menu.options.ignore_401:
pass
else:
if settings.VERBOSITY_LEVEL >= 1:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "Unable to connect to the target URL"
try:
err_msg += " (" + str(err.args[0]).split("] ")[1] + ")."
except IndexError:
err_msg += " (" + str(err) + ")."
print settings.print_critical_msg(err_msg)
# Check for HTTP Error 401 (Unauthorized).
if str(err.getcode()) == settings.UNAUTHORIZED_ERROR:
try:
# Get the auth header value
auth_line = err.headers.get('www-authenticate', '')
# Checking for authentication type name.
auth_type = auth_line.split()[0]
settings.SUPPORTED_HTTP_AUTH_TYPES.index(auth_type.lower())
# Checking for the realm attribute.
try:
auth_obj = re.match('''(\w*)\s+realm=(.*)''', auth_line).groups()
realm = auth_obj[1].split(',')[0].replace("\"", "")
except:
realm = False
except ValueError:
err_msg = "The identified HTTP authentication type (" + auth_type + ") "
err_msg += "is not yet supported."
print settings.print_critical_msg(err_msg) + "\n"
raise SystemExit()
except IndexError:
err_msg = "The provided pair of " + menu.options.auth_type
err_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'"
err_msg += " seems to be invalid."
print settings.print_critical_msg(err_msg)
raise SystemExit()
if menu.options.auth_type and menu.options.auth_type != auth_type.lower():
if checks.identified_http_auth_type(auth_type):
menu.options.auth_type = auth_type.lower()
else:
menu.options.auth_type = auth_type.lower()
# Check for stored auth credentials.
if not menu.options.auth_cred:
try:
stored_auth_creds = session_handler.export_valid_credentials(url, auth_type.lower())
except:
stored_auth_creds = False
if stored_auth_creds:
menu.options.auth_cred = stored_auth_creds
success_msg = "Identified a valid (stored) pair of credentials '"
success_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'."
print settings.print_success_msg(success_msg)
else:
# Basic authentication
if menu.options.auth_type == "basic":
if not menu.options.ignore_401:
warn_msg = "(" + menu.options.auth_type.capitalize() + ") "
warn_msg += "HTTP authentication credentials are required."
print settings.print_warning_msg(warn_msg)
while True:
if not menu.options.batch:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n] > "
sys.stdout.write(settings.print_question_msg(question_msg))
do_update = sys.stdin.readline().replace("\n","").lower()
else:
do_update = ""
if len(do_update) == 0:
do_update = "y"
if do_update in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
raise SystemExit()
elif do_update in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif do_update in settings.CHOICE_QUIT:
raise SystemExit()
else:
err_msg = "'" + do_update + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
# Digest authentication
elif menu.options.auth_type == "digest":
if not menu.options.ignore_401:
warn_msg = "(" + menu.options.auth_type.capitalize() + ") "
warn_msg += "HTTP authentication credentials are required."
print settings.print_warning_msg(warn_msg)
# Check if heuristics have failed to identify the realm attribute.
if not realm:
warn_msg = "Heuristics have failed to identify the realm attribute."
print settings.print_warning_msg(warn_msg)
while True:
if not menu.options.batch:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n] > "
sys.stdout.write(settings.print_question_msg(question_msg))
do_update = sys.stdin.readline().replace("\n","").lower()
else:
do_update = ""
if len(do_update) == 0:
do_update = "y"
if do_update in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
raise SystemExit()
elif do_update in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif do_update in settings.CHOICE_QUIT:
raise SystemExit()
else:
err_msg = "'" + do_update + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
else:
checks.http_auth_err_msg()
else:
pass
ignore_end = time.time()
start = start - (ignore_start - ignore_end)
def estimate_response_time(url, timesec):
stored_auth_creds = False
if settings.VERBOSITY_LEVEL >= 1:
info_msg = "Estimating the target URL response time... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
# Check if defined POST data
if menu.options.data:
request = _urllib.request.Request(url, menu.options.data.encode(settings.UNICODE_ENCODING))
else:
url = parameters.get_url_part(url)
request = _urllib.request.Request(url)
headers.do_check(request)
start = time.time()
try:
response = _urllib.request.urlopen(request)
response.read(1)
response.close()
# except _urllib.error.HTTPError as err:
# pass
except _urllib.error.HTTPError as err:
ignore_start = time.time()
if "Unauthorized" in str(err) and menu.options.ignore_code == settings.UNAUTHORIZED_ERROR:
pass
else:
if settings.VERBOSITY_LEVEL >= 1:
print("[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]")
err_msg = "Unable to connect to the target URL"
try:
err_msg += " (" + str(err.args[0]).split("] ")[1] + ")."
except IndexError:
err_msg += " (" + str(err) + ")."
print(settings.print_critical_msg(err_msg))
# Check for HTTP Error 401 (Unauthorized).
if str(err.getcode()) == settings.UNAUTHORIZED_ERROR:
try:
# Get the auth header value
auth_line = err.headers.get('www-authenticate', '')
# Checking for authentication type name.
auth_type = auth_line.split()[0]
settings.SUPPORTED_HTTP_AUTH_TYPES.index(auth_type.lower())
# Checking for the realm attribute.
try:
auth_obj = re.match('''(\w*)\s+realm=(.*)''', auth_line).groups()
realm = auth_obj[1].split(',')[0].replace("\"", "")
except:
realm = False
except ValueError:
err_msg = "The identified HTTP authentication type (" + str(auth_type) + ") "
err_msg += "is not yet supported."
print(settings.print_critical_msg(err_msg) + "\n")
raise SystemExit()
except IndexError:
err_msg = "The provided pair of " + str(menu.options.auth_type)
err_msg += " HTTP authentication credentials '" + str(menu.options.auth_cred) + "'"
err_msg += " seems to be invalid."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
if menu.options.auth_type and menu.options.auth_type != auth_type.lower():
if checks.identified_http_auth_type(auth_type):
menu.options.auth_type = auth_type.lower()
else:
menu.options.auth_type = auth_type.lower()
# Check for stored auth credentials.
if not menu.options.auth_cred:
try:
stored_auth_creds = session_handler.export_valid_credentials(url, auth_type.lower())
except:
stored_auth_creds = False
if stored_auth_creds:
menu.options.auth_cred = stored_auth_creds
success_msg = "Identified a valid (stored) pair of credentials '"
success_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'."
print(settings.print_success_msg(success_msg))
else:
# Basic authentication
if menu.options.auth_type == "basic":
if not menu.options.ignore_code == settings.UNAUTHORIZED_ERROR:
warn_msg = "(" + menu.options.auth_type.capitalize() + ") "
warn_msg += "HTTP authentication credentials are required."
print(settings.print_warning_msg(warn_msg))
while True:
if not menu.options.batch:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n] > "
do_update = _input(settings.print_question_msg(question_msg))
else:
do_update = ""
if len(do_update) == 0:
do_update = "y"
if do_update in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
raise SystemExit()
elif do_update in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif do_update in settings.CHOICE_QUIT:
raise SystemExit()
else:
err_msg = "'" + do_update + "' is not a valid answer."
print(settings.print_error_msg(err_msg))
pass
# Digest authentication
elif menu.options.auth_type == "digest":
if not menu.options.ignore_code == settings.UNAUTHORIZED_ERROR:
warn_msg = "(" + menu.options.auth_type.capitalize() + ") "
warn_msg += "HTTP authentication credentials are required."
print(settings.print_warning_msg(warn_msg))
# Check if heuristics have failed to identify the realm attribute.
if not realm:
warn_msg = "Heuristics have failed to identify the realm attribute."
print(settings.print_warning_msg(warn_msg))
while True:
if not menu.options.batch:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n] > "
do_update = _input(settings.print_question_msg(question_msg))
else:
do_update = ""
if len(do_update) == 0:
do_update = "y"
if do_update in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
raise SystemExit()
elif do_update in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif do_update in settings.CHOICE_QUIT:
raise SystemExit()
else:
err_msg = "'" + do_update + "' is not a valid answer."
print(settings.print_error_msg(err_msg))
pass
else:
checks.http_auth_err_msg()
else:
pass
ignore_end = time.time()
start = start - (ignore_start - ignore_end)
except socket.timeout:
if settings.VERBOSITY_LEVEL >= 1:
print("[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]")
err_msg = "The connection to target URL has timed out."
print(settings.print_critical_msg(err_msg) + "\n")
raise SystemExit()
except _urllib.error.URLError as err_msg:
if settings.VERBOSITY_LEVEL >= 1:
print("[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]")
print(settings.print_critical_msg(str(err_msg.args[0]).split("] ")[1] + "."))
raise SystemExit()
except ValueError as err_msg:
if settings.VERBOSITY_LEVEL >= 1:
print("[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]")
print(settings.print_critical_msg(str(err_msg) + "."))
raise SystemExit()
end = time.time()
diff = end - start
# if settings.VERBOSITY_LEVEL >= 1:
# info_msg = "Estimating the target URL response time... "
# sys.stdout.write(settings.print_info_msg(info_msg))
# sys.stdout.flush()
if int(diff) < 1:
if settings.VERBOSITY_LEVEL >= 1 and stored_auth_creds == False:
print("[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]")
url_time_response = int(diff)
if settings.TARGET_OS == "win":
warn_msg = "Due to the relatively slow response of 'cmd.exe' in target "
warn_msg += "host, there may be delays during the data extraction procedure."
print(settings.print_warning_msg(warn_msg))
else:
if settings.VERBOSITY_LEVEL >= 1:
print("[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]")
url_time_response = int(round(diff))
warn_msg = "The estimated response time is " + str(url_time_response)
warn_msg += " second" + "s"[url_time_response == 1:] + ". That may cause"
if url_time_response >= 3:
warn_msg += " serious"
warn_msg += " delays during the data extraction procedure"
if url_time_response >= 3:
warn_msg += " and/or possible corruptions over the extracted data"
warn_msg += "."
print(settings.print_warning_msg(warn_msg))
if int(timesec) == int(url_time_response):
timesec = int(timesec) + int(url_time_response)
else:
timesec = int(timesec)
# Against windows targets (for more stability), add one extra second delay.
if settings.TARGET_OS == "win" :
timesec = timesec + 1
return timesec, url_time_response
err_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'"
err_msg += " seems to be invalid."
print settings.print_critical_msg(err_msg)
sys.exit(0)
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
if menu.options.auth_type and menu.options.auth_type != auth_type.lower():
if checks.identified_http_auth_type(auth_type):
menu.options.auth_type = auth_type.lower()
else:
menu.options.auth_type = auth_type.lower()
# Check for stored auth credentials.
if not menu.options.auth_cred:
try:
stored_auth_creds = session_handler.export_valid_credentials(url, auth_type.lower())
except:
stored_auth_creds = False
if stored_auth_creds:
menu.options.auth_cred = stored_auth_creds
success_msg = "Identified a valid pair of credentials '"
success_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'."
print settings.print_success_msg(success_msg)
else:
# Basic authentication
if menu.options.auth_type == "basic":
if not menu.options.ignore_401:
warn_msg = "(" + menu.options.auth_type.capitalize() + ") "
warn_msg += "HTTP authentication credentials are required."
print settings.print_warning_msg(warn_msg)
while True: