show_success=opt.showSuccessRate ) except InvalidProxyType: supported_proxy_types = ("socks5", "socks4", "https", "http") logger.fatal(set_color( "the provided proxy is not valid, specify the protocol and try again, supported " "proxy protocols are {} (IE socks5://127.0.0.1:9050)".format( ", ".join(list(supported_proxy_types))), level=50 )) except Exception as e: if "Permission denied:" in str(e): logger.fatal(set_color( "your permissions are not allowing Zeus to run, " "try running Zeus with sudo", level=50 )) shutdown() else: logger.exception(set_color( "ran into exception '{}'".format(e), level=50 )) request_issue_creation() pass __run_attacks_main() # search multiple pages of Google elif opt.dorkToUse is not None or opt.useRandomDork and opt.searchMultiplePages: if opt.dorkToUse is not None: dork_to_use = opt.dorkToUse elif opt.useRandomDork: dork_to_use = get_random_dork()
def __run_attacks_main(**kwargs): """ main method to run the attacks """ log_to_use = kwargs.get("log", None) if log_to_use is None: options = (opt.dorkToUse, opt.useRandomDork, opt.dorkFileToUse) log_to_use = URL_LOG_PATH if any(o for o in options) else SPIDER_LOG_PATH try: urls_to_use = get_latest_log_file(log_to_use) except TypeError: urls_to_use = None else: urls_to_use = log_to_use if urls_to_use is None: logger.error(set_color( "unable to run attacks appears that no file was created for the retrieved data", level=40 )) shutdown() options = [ opt.runSqliScan, opt.runPortScan, opt.adminPanelFinder, opt.runXssScan, opt.performWhoisLookup, opt.performClickjackingScan, opt.pgpLookup ] if any(options): with open(urls_to_use) as urls: for i, url in enumerate(urls.readlines(), start=1): current = i if "webcache" in url: logger.warning(set_color( "ran into unexpected webcache URL skipping", level=30 )) current -= 1 else: if not url.strip() == "http://" or url == "https://": logger.info(set_color( "currently running on '{}' (target #{})".format( url.strip(), current ), level=25 )) logger.info(set_color( "fetching target meta-data" )) identified = main_header_check( url, verbose=opt.runInVerbose, agent=agent_to_use, proxy=proxy_to_use, xforward=opt.forwardedForRandomIP, identify_plugins=opt.identifyPlugin, identify_waf=opt.identifyProtection, show_description=opt.showPluginDescription ) if not identified: logger.error(set_color( "target is refusing to allow meta-data dumping, skipping", level=40 )) run_attacks( url.strip(), sqlmap=opt.runSqliScan, nmap=opt.runPortScan, pgp=opt.pgpLookup, xss=opt.runXssScan, whois=opt.performWhoisLookup, admin=opt.adminPanelFinder, clickjacking=opt.performClickjackingScan, github=opt.searchGithub, verbose=opt.runInVerbose, batch=opt.runInBatch, auto_start=opt.autoStartSqlmap, xforward=opt.forwardedForRandomIP, sqlmap_args=opt.sqlmapArguments, nmap_args=opt.nmapArguments, show_all=opt.showAllConnections, do_threading=opt.threadPanels, tamper_script=opt.tamperXssPayloads, timeout=opt.controlTimeout, proxy=proxy_to_use, agent=agent_to_use, conf_file=opt.sqlmapConfigFile, threads=opt.amountOfThreads, force_ssl=opt.forceSSL ) print("\n") else: logger.warning(set_color( "malformed URL discovered, skipping", level=30 ))
def main_header_check(url, **kwargs): """ main function """ verbose = kwargs.get("verbose", False) agent = kwargs.get("agent", None) proxy = kwargs.get("proxy", None) xforward = kwargs.get("xforward", False) identify = kwargs.get("identify", True) protection = {"hostname": url} definition = { "x-xss": ("protection against XSS attacks", "XSS"), "strict-transport": ("protection against unencrypted connections (force HTTPS connection)", "HTTPS"), "x-frame": ("protection against clickjacking vulnerabilities", "CLICKJACKING"), "x-content": ("protection against MIME type attacks", "MIME"), "x-csrf": ("protection against Cross-Site Forgery attacks", "CSRF"), "x-xsrf": ("protection against Cross-Site Forgery attacks", "CSRF"), "public-key": ("protection to reduce success rates of MITM attacks", "MITM"), "content-security": ("header protection against multiple attack types", "ALL") } try: if identify: logger.info(set_color( "checking if target URL is protected by some kind of WAF/IPS/IDS..." )) identified = detect_protection(url, proxy=proxy, agent=agent, verbose=verbose, xforward=xforward) if identified is None: logger.info(set_color( "no WAF/IDS/IPS has been identified on target URL...", level=25 )) else: logger.warning(set_color( "the target URL WAF/IDS/IPS has been identified as '{}'...".format(identified), level=35 )) if verbose: logger.debug(set_color( "loading XML data...", level=10 )) comparable_headers = load_xml_data(HEADER_XML_DATA) logger.info(set_color( "attempting to get request headers for '{}'...".format(url.strip()) )) try: found_headers = load_headers(url, proxy=proxy, agent=agent, xforward=xforward) except (ConnectionError, Exception) as e: if "Read timed out." or "Connection reset by peer" in str(e): found_headers = None else: logger.exception(set_color( "Zeus has hit an unexpected error and cannot continue '{}'...".format(e), level=50 )) request_issue_creation() if found_headers is not None: if verbose: logger.debug(set_color( "fetched {}...".format(found_headers), level=10 )) headers_established = [str(h) for h in compare_headers(found_headers, comparable_headers)] for key in definition.iterkeys(): if any(key in h.lower() for h in headers_established): logger.warning(set_color( "provided target has {}...".format(definition[key][0]), level=30 )) for key in found_headers.iterkeys(): protection[key] = found_headers[key] logger.info(set_color( "writing found headers to log file...", level=25 )) return write_to_log_file(protection, HEADER_RESULT_PATH, HEADERS_FILENAME.format(replace_http(url))) else: logger.error(set_color( "unable to retrieve headers for site '{}'...".format(url.strip()), level=40 )) except KeyboardInterrupt: if not pause(): shutdown()
def main_header_check(url, **kwargs): """ main function """ verbose = kwargs.get("verbose", False) agent = kwargs.get("agent", None) proxy = kwargs.get("proxy", None) xforward = kwargs.get("xforward", False) identify_waf = kwargs.get("identify_waf", True) identify_plugins = kwargs.get("identify_plugins", True) show_description = kwargs.get("show_description", False) attempts = kwargs.get("attempts", 3) default_sleep_time = 5 protection = {"hostname": url} definition = { "x-xss": ("protection against XSS attacks", "XSS"), "strict-transport": ("protection against unencrypted connections (force HTTPS connection)", "HTTPS"), "x-frame": ("protection against clickjacking vulnerabilities", "CLICKJACKING"), "x-content": ("protection against MIME type attacks", "MIME"), "x-csrf": ("protection against Cross-Site Forgery attacks", "CSRF"), "x-xsrf": ("protection against Cross-Site Forgery attacks", "CSRF"), "public-key": ("protection to reduce success rates of MITM attacks", "MITM"), "content-security": ("header protection against multiple attack types", "ALL") } try: req, status, html, headers = get_page(url, proxy=proxy, agent=agent, xforward=xforward) logger.info(set_color( "detecting target charset" )) charset = get_charset(html, headers) if charset is not None: logger.info(set_color( "target charset appears to be '{}'".format(charset), level=25 )) else: logger.warning(set_color( "unable to detect target charset", level=30 )) if identify_waf: waf_url = "{} {}".format(url.strip(), PROTECTION_CHECK_PAYLOAD) _, waf_status, waf_html, waf_headers = get_page(waf_url, xforward=xforward, proxy=proxy, agent=agent) logger.info(set_color( "checking if target URL is protected by some kind of WAF/IPS/IDS" )) if verbose: logger.debug(set_color( "attempting connection to '{}'".format(waf_url), level=10 )) identified_waf = detect_protection(url, waf_status, waf_html, waf_headers, verbose=verbose) if identified_waf is None: logger.info(set_color( "no WAF/IDS/IPS has been identified on target URL", level=25 )) else: logger.warning(set_color( "the target URL WAF/IDS/IPS has been identified as '{}'".format(identified_waf), level=35 )) if identify_plugins: logger.info(set_color( "attempting to identify plugins" )) identified_plugin = detect_plugins(html, headers, verbose=verbose) if identified_plugin is not None: for plugin in identified_plugin: if show_description: logger.info(set_color( "possible plugin identified as '{}' (description: '{}')".format( plugin[0], plugin[1] ), level=25 )) else: logger.info(set_color( "possible plugin identified as '{}'".format( plugin[0] ), level=25 )) else: logger.warning(set_color( "no known plugins identified on target", level=30 )) if verbose: logger.debug(set_color( "loading XML data", level=10 )) comparable_headers = load_xml_data(HEADER_XML_DATA) logger.info(set_color( "attempting to get request headers for '{}'".format(url.strip()) )) try: found_headers = load_headers(url, req) except (ConnectionError, Exception) as e: if "Read timed out." or "Connection reset by peer" in str(e): found_headers = None else: logger.exception(set_color( "Zeus has hit an unexpected error and cannot continue '{}'".format(e), level=50 )) request_issue_creation() if found_headers is not None: if verbose: logger.debug(set_color( "fetched {}".format(found_headers), level=10 )) headers_established = [str(h) for h in compare_headers(found_headers, comparable_headers)] for key in definition.iterkeys(): if any(key in h.lower() for h in headers_established): logger.warning(set_color( "provided target has {}".format(definition[key][0]), level=30 )) for key in found_headers.iterkeys(): protection[key] = found_headers[key] logger.info(set_color( "writing found headers to log file", level=25 )) return write_to_log_file(protection, HEADER_RESULT_PATH, HEADERS_FILENAME.format(replace_http(url))) else: logger.error(set_color( "unable to retrieve headers for site '{}'".format(url.strip()), level=40 )) except ConnectionError: attempts = attempts - 1 if attempts == 0: return False logger.warning(set_color( "target actively refused the connection, sleeping for {}s and retrying the request".format( default_sleep_time ), level=30 )) time.sleep(default_sleep_time) main_header_check( url, proxy=proxy, agent=agent, xforward=xforward, show_description=show_description, identify_plugins=identify_plugins, identify_waf=identify_waf, verbose=verbose, attempts=attempts ) except ReadTimeout: logger.error(set_color( "meta-data retrieval failed due to target URL timing out, skipping", level=40 )) except KeyboardInterrupt: if not pause(): shutdown() except Exception as e: logger.exception(set_color( "meta-data retrieval failed with unexpected error '{}'".format( str(e) ), level=50 ))
def search_multiple_pages(query, link_amount, verbose=False, **kwargs): """ search multiple pages for a lot of links, this will not be done via Google """ proxy = kwargs.get("proxy", None) agent = kwargs.get("agent", None) xforward = kwargs.get("xforward", False) batch = kwargs.get("batch", False) show_success = kwargs.get("show_success", False) attrib, desc = "a", "href" retval = set() search_engine = AUTHORIZED_SEARCH_ENGINES["search-results"] logger.warning( set_color("searching multiple pages will not be done on Google".format( search_engine), level=30)) if not parse_blacklist(query, BLACKLIST_FILE_PATH, batch=batch): shutdown() if not xforward: params = {"Connection": "close", "user-agent": agent} else: ip_list = (create_random_ip(), create_random_ip(), create_random_ip()) params = { "Connection": "close", "user-agent": agent, "X-Forwarded-For": "{}, {}, {}".format(ip_list[0], ip_list[1], ip_list[2]) } page_number = 1 try: while len(retval) <= link_amount: if verbose: logger.debug( set_color("searching page number {}".format(page_number), level=10)) if page_number % 10 == 0: logger.info( set_color("currently on page {} of search results".format( page_number))) page_request = requests.get(search_engine.format( page_number, query, page_number), params=params, proxies=proxy_string_to_dict(proxy)) if page_request.status_code == 200: html_page = page_request.content soup = BeautifulSoup(html_page, "html.parser") if not NO_RESULTS_REGEX.findall(str(soup)): for link in soup.findAll(attrib): redirect = link.get(desc) if redirect is not None: if not any(ex in redirect for ex in URL_EXCLUDES): if URL_REGEX.match(redirect): retval.add(redirect) if page_number < MAX_PAGE_NUMBER: page_number += 1 else: logger.warning( set_color("hit max page number {}".format( MAX_PAGE_NUMBER), level=30)) break else: logger.warning( set_color("no more results found for given query '{}'". format(query), level=30)) break except KeyboardInterrupt: logger.error( set_color("user aborted, dumping already found URL(s)", level=40)) write_to_log_file(retval, URL_LOG_PATH, URL_FILENAME) logger.info( set_color("found a total of {} URL(s)".format(len(retval)), level=25)) shutdown() except Exception as e: logger.exception( set_color("Zeus ran into an unexpected error '{}'".format(e), level=50)) request_issue_creation() shutdown() if len(retval) > 0: logger.info( set_color( "a total of {} URL(s) found out of the requested {}".format( len(retval), link_amount), level=25)) file_path = write_to_log_file(retval, URL_LOG_PATH, URL_FILENAME) if show_success: amount_of_urls = len(open(file_path).readlines()) success_rate = calculate_success(amount_of_urls) logger.info( set_color("provided query has a {} success rate".format( success_rate))) return list(retval) else: logger.warning( set_color( "did not find any links with given query '{}' writing to blacklist" .format(query), level=30)) write_to_log_file(query, BLACKLIST_FILE_PATH, BLACKLIST_FILENAME)
def get_urls(query, url, verbose=False, **kwargs): """ Bypass Google captchas and Google API by using selenium-webdriver to gather the Google URL. This will open a robot controlled browser window and attempt to get a URL from Google that will be used for scraping afterwards. """ query = query.decode('unicode_escape').encode('utf-8') proxy, user_agent = kwargs.get("proxy", None), kwargs.get("user_agent", None) tor, tor_port = kwargs.get("tor", False), kwargs.get("tor_port", None) batch = kwargs.get("batch", False) xforward = kwargs.get("xforward", False) logger.info(set_color("setting up virtual display to hide the browser")) ff_display = Display(visible=0, size=(800, 600)) ff_display.start() browser = var.search.SetBrowser(agent=user_agent, proxy=proxy, tor=tor, xforward=xforward).set_browser() logger.info(set_color("browser will open shortly", level=25)) browser.get(url) if verbose: logger.debug( set_color( "searching search engine for the 'q' element (search button)", level=10)) search = browser.find_element_by_name('q') logger.info( set_color("searching search engine using query '{}'".format(query))) try: # enter the text you want to search and hit enter search.send_keys(query) search.send_keys(Keys.RETURN) if not tor: time.sleep(3) else: logger.warning( set_color( "sleep time has been increased to 10 seconds due to tor being used", level=30)) time.sleep(10) except ElementNotInteractableException: # get rid of the popup box and hit enter after entering the text to search browser.execute_script( "document.querySelectorAll('label.boxed')[1].click()") search.send_keys(query) search.send_keys(Keys.RETURN) time.sleep(3) except UnicodeDecodeError: logger.error( set_color( "your query '{}' appears to have unicode characters in it, selenium is not " "properly formatted to handle unicode characters, this dork will be skipped" .format(query), level=40)) if verbose: logger.debug(set_color("obtaining URL from selenium")) try: retval = browser.current_url except UnexpectedAlertPresentException: logger.warning(set_color("alert present, closing", level=30)) # discover the alert and close it before continuing alert = browser.switch_to.alert alert.accept() retval = browser.current_url # if you have been IP banned, we'll extract the URL from it if IP_BAN_REGEX.search(retval) is not None: logger.warning( set_color( "it appears that Google is attempting to block your IP address, attempting bypass", level=30)) try: retval = URLParser(retval).extract_ip_ban_url() question_msg = ( "zeus was able to successfully extract the URL from Google's ban URL " "it is advised to shutdown zeus and attempt to extract the URL's manually. " "failing to do so will most likely result in no results being found by zeus. " "would you like to shutdown") if not batch: do_continue = prompt(question_msg, opts="yN") else: do_continue = prompt(question_msg, opts="yN", default="y") # shutdown and write the URL to a file if not str(do_continue).lower().startswith("n"): write_to_log_file(retval, EXTRACTED_URL_LOG, EXTRACTED_URL_FILENAME) logger.info( set_color( "it is advised to extract the URL's from the produced URL written to the above " "(IE open the log, copy the url into firefox)".format( retval))) shutdown() except Exception as e: # stop all the random rogue processes, this isn't guaranteed to stop the processes # that's why we have the clean up script in case this fails browser.close() ff_display.stop() logger.exception( set_color( "zeus was unable to extract the correct URL from the ban URL '{}', " "got exception '{}'".format(unquote(retval), e), level=50)) request_issue_creation() shutdown() if verbose: logger.debug( set_color("found current URL from selenium browser", level=10)) logger.info(set_color("closing the browser and continuing process..")) browser.close() ff_display.stop() return retval
def parse_search_results(query, url_to_search, verbose=False, **kwargs): """ Parse a webpage from Google for URL's with a GET(query) parameter """ possible_leftovers = URLParser(None).possible_leftovers splitter = "&" retval = set() query_url = None parse_webcache, pull_all = kwargs.get("parse_webcache", False), kwargs.get( "pull_all", False) proxy_string, user_agent = kwargs.get("proxy", None), kwargs.get("agent", None) forward_for = kwargs.get("forward_for", False) tor = kwargs.get("tor", False) batch = kwargs.get("batch", False) show_success = kwargs.get("show_success", False) if verbose: logger.debug(set_color("parsing blacklist", level=10)) parse_blacklist(query, BLACKLIST_FILE_PATH, batch=batch) if verbose: logger.debug( set_color("checking for user-agent and proxy configuration", level=10)) if not parse_webcache and "google" in url_to_search: logger.warning( set_color( "will not parse webcache URL's (to parse webcache pass -W)", level=30)) if not pull_all: logger.warning( set_color( "only pulling URLs with GET(query) parameters (to pull all URL's pass -E)", level=30)) user_agent_info = "adjusting user-agent header to {}" if user_agent is not DEFAULT_USER_AGENT: user_agent_info = user_agent_info.format(user_agent.strip()) else: user_agent_info = user_agent_info.format( "default user agent '{}'".format(DEFAULT_USER_AGENT)) proxy_string_info = "setting proxy to {}" if proxy_string is not None: proxy_string = proxy_string_to_dict(proxy_string) proxy_string_info = proxy_string_info.format( ''.join(proxy_string.keys()) + "://" + ''.join(proxy_string.values())) elif tor: proxy_string = proxy_string_to_dict("socks5://127.0.0.1:9050") proxy_string_info = proxy_string_info.format("tor proxy settings") else: proxy_string_info = "no proxy configuration detected" if forward_for: ip_to_use = (create_random_ip(), create_random_ip(), create_random_ip()) if verbose: logger.debug( set_color( "random IP addresses generated for headers '{}'".format( ip_to_use), level=10)) headers = { HTTP_HEADER.CONNECTION: "close", HTTP_HEADER.USER_AGENT: user_agent, HTTP_HEADER.X_FORWARDED_FOR: "{}, {}, {}".format(ip_to_use[0], ip_to_use[1], ip_to_use[2]) } else: headers = { HTTP_HEADER.CONNECTION: "close", HTTP_HEADER.USER_AGENT: user_agent } logger.info(set_color("attempting to gather query URL")) try: query_url = get_urls(query, url_to_search, verbose=verbose, user_agent=user_agent, proxy=proxy_string, tor=tor, batch=batch, xforward=forward_for) except Exception as e: if "'/usr/lib/firefoxdriver/webdriver.xpi'" in str(e): logger.fatal( set_color( "firefox was not found in the default location on your system, " "check your installation and make sure it is in /usr/lib, if you " "find it there, restart your system and try again", level=50)) elif "connection refused" in str(e).lower(): logger.fatal( set_color( "there are to many sessions of firefox opened and selenium cannot " "create a new one", level=50)) run_fix( "would you like to attempt to auto clean the open sessions", "sudo sh {}".format(CLEANUP_TOOL_PATH), "kill off the open sessions of firefox and re-run Zeus", exit_process=True) elif "Program install error!" in str(e): logger.error( set_color( "seems the program is having some trouble installing would you like " "to try and automatically fix this issue", level=40)) run_fix( "would you like to attempt to fix this issue automatically", "sudo sh {}".format(FIX_PROGRAM_INSTALL_PATH), "you can manually try and re-install Xvfb to fix the problem", exit_process=True) elif "Message: Reached error page:" in str(e): logger.fatal( set_color( "geckodriver has hit an error that usually means it needs to be reinstalled", level=50)) question = prompt( "would you like to attempt a reinstallation of the geckodriver", opts="yN") if question.lower().startswith("y"): logger.warning( set_color( "rewriting all executed information, path information, and removing geckodriver", level=30)) rewrite_all_paths() logger.info( set_color( "all paths rewritten, you will be forced to re-install everything next run of Zeus" )) else: logger.fatal( set_color( "you will need to remove the geckodriver from /usr/bin and reinstall it", level=50)) shutdown() elif "Unable to find a matching set of capabilities" in str(e): logger.fatal( set_color( "it appears that firefox, selenium, and geckodriver are not playing nice with one another", level=50)) run_fix( "would you like to attempt to resolve this issue automatically", "sudo sh {}".format(REINSTALL_TOOL), ("you will need to reinstall firefox to a later version, update selenium, and reinstall the " "geckodriver to continue using Zeus"), exit_process=True) else: logger.exception( set_color( "{} failed to gather the URL from search engine, caught exception '{}' " "exception has been logged to current log file".format( os.path.basename(__file__), str(e).strip()), level=50)) request_issue_creation() shutdown() logger.info( set_color("URL successfully gathered, searching for GET parameters")) logger.info(set_color(proxy_string_info)) try: req = requests.get(query_url, proxies=proxy_string, params=headers) except ConnectionError: logger.warning( set_color( "target machine refused connection, delaying and trying again", level=30)) time.sleep(3) req = requests.get(query_url, proxies=proxy_string, params=headers) logger.info(set_color(user_agent_info)) req.headers.update(headers) found_urls = URL_REGEX.findall(req.text) for urls in list(found_urls): for url in list(urls): url = unquote(url) if not any(u in url for u in URL_EXCLUDES): if not url == "http://" and not url == "https://": if URL_REGEX.match(url): if isinstance(url, unicode): url = str(url).encode("utf-8") if pull_all: retval.add(url.split(splitter)[0]) else: if URL_QUERY_REGEX.match(url.split(splitter)[0]): retval.add(url.split(splitter)[0]) if verbose: try: logger.debug( set_color("found '{}'".format( url.split(splitter)[0]), level=10)) except TypeError: logger.debug( set_color("found '{}'".format( str(url).split(splitter)[0]), level=10)) except AttributeError: logger.debug( set_color("found '{}".format(str(url)), level=10)) if url is not None: retval.add(url.split(splitter)[0]) true_retval = set() for url in list(retval): if any(l in url for l in possible_leftovers): url = URLParser(url).strip_url_leftovers() if parse_webcache: if "webcache" in url: logger.info(set_color("found a webcache URL, extracting")) url = URLParser(url).extract_webcache_url() if verbose: logger.debug(set_color("found '{}'".format(url), level=15)) true_retval.add(url) else: true_retval.add(url) else: true_retval.add(url) if len(true_retval) != 0: file_path = write_to_log_file(true_retval, URL_LOG_PATH, URL_FILENAME) if show_success: amount_of_urls = len(open(file_path).readlines()) success_rate = calculate_success(amount_of_urls) logger.info( set_color("provided query has a {} success rate".format( success_rate))) else: logger.fatal( set_color( "did not find any URLs with given query '{}' writing query to blacklist" .format(query), level=50)) write_to_log_file(query, BLACKLIST_FILE_PATH, BLACKLIST_FILENAME, blacklist=True) shutdown() logger.info( set_color("found a total of {} URLs with given query '{}'".format( len(true_retval), query))) return list(true_retval) if len(true_retval) != 0 else None