 def Enum(self):
     """Queue the enumeration commands for ports discovered behind the proxy.

     Parses both the proxychains nmap results (``openProxyPorts``) and the
     direct nmap results (``openPorts``).  When the direct scan exposed no
     proxy port nothing is queued.  Otherwise the proxychains port-discovery
     command plus every HTTP and SSL proxy command produced by ``EnumWeb``
     and ``EnumWebSSL`` is deduplicated, sorted in reverse order and stored
     as a tuple in ``self.all_processes``.
     """
     proxy_parser = nmapParser.NmapParserFunk(self.target)
     proxy_parser.openProxyPorts()
     direct_parser = nmapParser.NmapParserFunk(self.target)
     direct_parser.openPorts()
     # Nothing to enumerate unless the direct scan found a proxy port.
     if not direct_parser.proxy_ports:
         return
     cfg = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target)
     web = enumWeb.EnumWeb(self.target)
     web.proxyScan()
     ssl_web = enumWebSSL.EnumWebSSL(self.target)
     ssl_web.sslProxyScan()
     tcp_ports_csv = ",".join(map(str, proxy_parser.proxy_tcp_ports))
     discovery_cmd = cfg.getCmd("proxy", "proxychainsDiscoveredPorts", openTcpProxyPorts=tcp_ports_csv)
     queued = [discovery_cmd, *web.proxy_processes, *ssl_web.proxy_processes]
     # set() drops duplicate command strings; reverse sort keeps the
     # original ordering of the queue.
     self.all_processes = tuple(sorted(set(queued), reverse=True))
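 def SshSingleUserBrute(self):
     """Brute-force SSH passwords for ``self.user`` with patator.

     Prefers the CeWL-generated wordlist (config path ``wordlists/CewlPlus``),
     building it first if it does not exist, and falls back to the default
     probable-password template when that wordlist is missing or empty.
     The chosen command is echoed and run with ``call(..., shell=True)``;
     its exit status is not checked.
     """
     cmd_info = "[" + fg.green + "+" + fg.rs + "]"
     c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                     self.target)
     cl = helper_lists.Cewl(self.target)
     cewl_path = c.getPath("wordlists", "CewlPlus")
     if not os.path.exists(cewl_path):
         cl.CewlWordlist()
     green = fg.li_green
     teal = fg.li_cyan
     reset = fg.rs
     # Parsed as in the original; the ports are not read back here.
     np = nmapParser.NmapParserFunk(self.target)
     np.openPorts()
     # An existing-but-empty CeWL list previously made the method skip the
     # brute force entirely (neither branch ran); treat it like a missing
     # list and use the default wordlist template instead.
     if os.path.exists(cewl_path) and os.path.getsize(cewl_path) > 0:
         template = "patator_ssh_cewl_auto"
     else:
         template = "patator_ssh_auto"
     print(
         f"""{teal}Beginning Password Brute Force for User: {reset} {green}{self.user}{reset}"""
     )
     patator_cmd = c.getCmd("ssh", template, port=self.port, user=self.user)
     print(f"""{cmd_info} {patator_cmd}""")
     call(patator_cmd, shell=True)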
 def Scan(self):
     """Queue the SMB/NetBIOS enumeration commands for ``self.target``.

     Reads the open SMB ports from the nmap results; with none the method
     returns without queuing anything.  Otherwise it creates the SMB report
     directory if needed, announces the run and stores the smbclient,
     nmblookup, nmap SMB-script, nbtscan, four smbmap variants and
     enum4linux commands (in that order) as ``self.processes``.
     """
     parser = nmapParser.NmapParserFunk(self.target)
     parser.openPorts()
     if not parser.smb_ports:
         return
     cfg = config_parser.CommandParser(
         f"{os.getcwd()}/config/config.yaml", self.target)
     smb_dir = cfg.getPath("smb", "smbDir")
     if not os.path.exists(smb_dir):
         os.makedirs(smb_dir)
     print(
         fg.cyan +
         "Enumerating NetBios SMB Samba Ports, Running the following commands:"
         + fg.rs)
     # Template names in the same order as the original command list.
     template_names = (
         "smbclient",
         "nmblookup",
         "nmapSmb",
         "nbtscan",
         "smbmapH",
         "smbmapHR",
         "smbmapNull",
         "smbmapNullR",
         "enum4linux",
     )
     self.processes = tuple(cfg.getCmd("smb", name) for name in template_names)
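 def openUdpPorts(self):
     """Parse the top-UDP-ports nmap XML report and fill the UDP port lists.

     Appends the report's services to ``self.udp_nmap_services`` (kept
     sorted by port), records every ``open`` service that is not
     ``open|filtered`` in ``self.udp_services`` as
     ``(port, service, tunnel, cpelist, banner)`` and classifies the ports
     into ``self.udp_ports``, ``self.snmp_ports`` and ``self.sip_udp_ports``
     without duplicates.

     Propagates whatever ``NmapParser.parse_fromfile`` raises for a missing
     or malformed file, and ``IndexError`` when the report has no host.
     """
     c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                     self.target)
     report = NmapParser.parse_fromfile(
         c.getPath("nmap", "nmap_top_udp_ports_xml"))
     # NOTE(review): assumes a single-host scan; hosts[0] is taken as the target.
     self.udp_nmap_services += report.hosts[0].services
     self.udp_nmap_services = sorted(self.udp_nmap_services,
                                     key=lambda s: s.port)
     for service in self.udp_nmap_services:
         if "open" not in service.state:
             continue
         # Unanswered UDP probes come back as open|filtered; not treated as open.
         if "open|filtered" in service.state:
             continue
         self.udp_services.append((
             service.port,
             service.service,
             service.tunnel,
             service.cpelist,
             service.banner,
         ))
     # Classify once after collecting.  The original re-walked the whole
     # list after every append (quadratic) and reused the outer loop's
     # variable name; the membership checks make the result identical.
     for port, name, *_ in self.udp_services:
         if port not in self.udp_ports:
             self.udp_ports.append(port)
         if "snmp" in name and port not in self.snmp_ports:
             self.snmp_ports.append(port)
         if "sip" in name and port not in self.sip_udp_ports:
             self.sip_udp_ports.append(port)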
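    def genDirsearchUrlList(self):
        """Collect dirsearch report files and build the aquatone URL list.

        Walks every directory matched by ``report/reportGlob``.  For each
        file whose path does not contain "nmap": dirsearch outputs are
        collected (creating the aquatone directory if needed) and nikto
        outputs shorter than 100 lines are echoed to stdout.  The dirsearch
        files are then piped through ``grep -Ev '400|403' | awk '{print $3}'
        | sort -u`` into ``web/aquatoneDirUrls``.  Nothing is written when no
        dirsearch report was found.
        """
        # Local import: the shell pipeline below receives file names that
        # originate from scan output, so they are quoted instead of being
        # interpolated raw as before.
        import shlex

        c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target)
        awkprint = "{print $3}"
        dirsearch_files = []
        dir_list = [
            d
            for d in glob.iglob(c.getPath("report", "reportGlob"), recursive=True)
            if os.path.isdir(d)
        ]
        for d in dir_list:
            reportFile_list = [
                fname
                for fname in glob.iglob(f"{d}/*", recursive=True)
                if os.path.isfile(fname)
            ]
            for rf in reportFile_list:
                if "nmap" in rf:
                    continue
                if "dirsearch" in rf:
                    if not os.path.exists(c.getPath("web", "aquatoneDir")):
                        os.makedirs(c.getPath("web", "aquatoneDir"))
                    dirsearch_files.append(rf)
                if "nikto" in rf:
                    # Count and echo in Python rather than through
                    # ``wc -l``/``cat`` in a shell string (unquoted paths
                    # broke the count and allowed shell interpretation).
                    # ``wc -l`` counts newline characters, so does this.
                    with open(rf, "r", errors="replace") as nikto_report:
                        nikto_text = nikto_report.read()
                    if nikto_text.count("\n") < 100:
                        print(nikto_text, end="")

        if dirsearch_files:
            quoted_files = " ".join(shlex.quote(f) for f in dirsearch_files)
            out_path = shlex.quote(c.getPath("web", "aquatoneDirUrls"))
            # Caveat kept from the original: grep drops any line containing
            # "400" or "403" anywhere, not only in the status column.
            url_list_cmd = f"""cat {quoted_files} | grep -Ev '400|403' | awk '{awkprint}' | sort -u > {out_path}"""
            call(url_list_cmd, shell=True)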
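    def genProxyDirsearchUrlList(self):
        """Merge the proxied dirsearch reports into one unique URL list.

        Only runs when ``proxy/proxyDir`` exists.  Every file under the
        directories matched by ``proxy/proxyGlob`` whose path contains
        "dirsearch" but not "nmap" is collected (the aquatone directory is
        created if needed); the files are then piped through
        ``grep -Ev '400|403' | awk '{print $3}' | sort -u`` into
        ``proxy/aquatoneDirProxyUrls``, which the original docstring says is
        consumed by aquatone.  Nothing is written when no dirsearch report
        was found.
        """
        # Local import: the shell pipeline below receives file names that
        # originate from scan output, so they are quoted instead of being
        # interpolated raw as before.
        import shlex

        c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target)
        if not os.path.exists(c.getPath("proxy", "proxyDir")):
            return
        awkprint = "{print $3}"
        dirsearch_files = []
        dir_list = [
            d
            for d in glob.iglob(c.getPath("proxy", "proxyGlob"), recursive=True)
            if os.path.isdir(d)
        ]
        for d in dir_list:
            reportFile_list = [
                fname
                for fname in glob.iglob(f"{d}/*", recursive=True)
                if os.path.isfile(fname)
            ]
            for rf in reportFile_list:
                if "nmap" in rf or "dirsearch" not in rf:
                    continue
                if not os.path.exists(c.getPath("web", "aquatoneDir")):
                    os.makedirs(c.getPath("web", "aquatoneDir"))
                dirsearch_files.append(rf)

        if dirsearch_files:
            quoted_files = " ".join(shlex.quote(f) for f in dirsearch_files)
            out_path = shlex.quote(c.getPath("proxy", "aquatoneDirProxyUrls"))
            # Caveat kept from the original: grep drops any line containing
            # "400" or "403" anywhere, not only in the status column.
            url_list_cmd = f"""cat {quoted_files} | grep -Ev '400|403' | awk '{awkprint}' | sort -u > {out_path}"""
            call(url_list_cmd, shell=True)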
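    def fuzzMaster(self):
        """Fuzz GET parameters of discovered ``.php`` URLs with parameth.

        Reads ``web/aquatoneDirUrls`` when it exists and holds between 1 and
        149 lines, keeps the ``.php`` URLs that are not in
        ``helper_lists.ignoreURLS().ignore_urls`` and, when there are fewer
        than 20 of them, fetches each (lower-cased, deduplicated, sorted)
        once with TLS verification disabled to harvest cookies.  Cookies
        accumulate across URLs, as in the original.  Each URL yields a
        ``parameth`` command (or ``paramethCookie`` when any cookie was seen)
        which is logged via ``loginator`` and run through the shell.  Any
        ``requests`` error stops the URL loop; commands built so far still
        run.  A vanished URL file is printed and the process exits.
        """
        c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target)
        hl = helper_lists.ignoreURLS()
        ignore_urls = hl.ignore_urls
        fuzz_cmds = []
        cookie_dict = {}
        url_file = c.getPath("web", "aquatoneDirUrls")
        if not os.path.exists(url_file):
            return
        if not os.path.exists(c.getPath("web", "webDir")):
            os.makedirs(c.getPath("web", "webDir"))
        try:
            with open(url_file, "r") as found_urls:
                url_lines = found_urls.readlines()
        except FileNotFoundError as fnf_error:
            print(fnf_error)
            exit()
        # Same count as the former ``wc -l`` shell call: newline characters.
        num_urls = sum(1 for line in url_lines if line.endswith("\n"))
        if not (0 < num_urls < 150):
            return
        php_urls = []
        for line in url_lines:
            url = line.rstrip()
            if url.endswith(".php") and url not in ignore_urls:
                php_urls.append(url)

        if 0 < len(php_urls) < 20:
            sorted_urls = sorted(set(str(x).lower() for x in php_urls))
            for url in sorted_urls:
                with self.no_ssl_verification():
                    try:
                        session = requests.Session()
                        # A timeout is required for the Timeout handler below
                        # to ever fire; without one a stalled host blocks the
                        # whole run indefinitely.
                        session.get(url, timeout=10)
                        cookie_dict.update(session.cookies.get_dict())
                        upath = str(urlsplit(url).path).replace("/", "-")
                        if not cookie_dict:
                            fuzz_cmds.append(c.getCmd("web", "parameth", url=url, upath=upath))
                        else:
                            cookie_string = " ".join("{}={}".format(*i) for i in cookie_dict.items())
                            fuzz_cmds.append(c.getCmd("web", "paramethCookie", url=url, cookies=cookie_string, upath=upath))
                    except requests.exceptions.ConnectionError as ce_error:
                        print("Connection Error: ", ce_error)
                        break
                    except requests.exceptions.Timeout as t_error:
                        print("Connection Timeout Error: ", t_error)
                        break
                    except requests.exceptions.RequestException as req_err:
                        print("Some Ambiguous Exception:", req_err)
                        break
        if fuzz_cmds:
            print(f"{fg.li_cyan}Fuzzing .php Params ! {fg.rs}")
            for cmd in fuzz_cmds:
                print(f"[{fg.li_green}+{fg.rs}] {cmd}")
                self.loginator(cmd)
                call(cmd, shell=True)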
 def loginator(self, executed_command):
     """Append ``executed_command`` to the report log as an INFO line.

     ``logging.basicConfig`` configures the root logger only on its first
     effective call, so the file and format chosen the first time persist
     for the rest of the process.
     """
     cfg = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                       self.target)
     log_path = cfg.getPath("report", "log")
     logging.basicConfig(filename=log_path,
                         format='%(asctime)s %(message)s',
                         datefmt='%m/%d/%Y %I:%M:%S %p',
                         level=logging.INFO)
     logging.info(f"[+] {executed_command}")
 def getRedirect(self):
     """Collect candidate hostnames for ``self.target`` into ``self.redirect_hostname``.

     Sources, appended in this order: domain-looking tokens scraped from the
     top-ports nmap text report (after replacing ``=``, ``/``, ``,`` and
     ``_`` separators), the host named on an ``http-title: Did not follow
     redirect to http:`` line, and — only when a DNS port is open — the
     hosts and subdomains ``dig`` returns, followed by the unique names a
     zone transfer (AXFR) over the collected list yields.  Regex matches
     containing any entry of ``helper_lists.ignoreDomains().ignore`` are
     skipped.  A missing nmap report is printed and otherwise ignored.
     """
     parser = nmapParser.NmapParserFunk(self.target)
     parser.openPorts()
     dns_ports = parser.dns_ports
     cfg = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                       self.target)
     ignored = helper_lists.ignoreDomains().ignore
     domain_re = r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{3,6}"
     redirect_marker = "|_http-title: Did not follow redirect to http:"
     try:
         with open(cfg.getPath("nmap", "nmap_top_ports_nmap"), "r") as report:
             for line in report:
                 # Turn certificate/URL separators into spaces so the
                 # domain regex sees whole tokens (same replace order as before).
                 normalised = line.replace("=", " ").replace("/", " ")
                 normalised = normalised.replace("commonName=", "")
                 normalised = normalised.replace("/organizationName=", " ")
                 normalised = normalised.replace(",", " ").replace("_", " ")
                 self.redirect_hostname.extend(
                     host for host in re.findall(domain_re, normalised)
                     if not any(skip in host for skip in ignored)
                 )
                 if redirect_marker in line:
                     print(line)
                     redirect_target = line.split()[-1]
                     self.redirect_hostname.append(
                         redirect_target.replace("http://", "").replace("/", "").replace("'", ""))
     except FileNotFoundError as fnf_error:
         print(fnf_error)
     if not dns_ports:
         return
     dns_dir = cfg.getPath("dns", "dnsDir")
     if not os.path.exists(dns_dir):
         os.makedirs(dns_dir)
     dig_parse = dig_parser.digParse(self.target, cfg.getCmd("dns", "dnsDig"))
     dig_parse.parseDig()
     self.redirect_hostname.extend(dig_parse.hosts)
     self.redirect_hostname.extend(dig_parse.subdomains)
     if self.redirect_hostname:
         all_dns = " ".join(map(str, self.redirect_hostname))
         axfr_cmd = cfg.getCmd("dns", "dnsDigAxfr", alldns=all_dns)
         axfr_parse = dig_parser.digParse(self.target, axfr_cmd)
         axfr_parse.parseDigAxfr()
         self.redirect_hostname.extend(sorted(set(axfr_parse.subdomains)))
    def proxyScan(self):
        """Queue HTTP enumeration commands to run through each discovered proxy.

        Called from lib/enumProxy.py.  For every proxy port found by the
        direct nmap scan, and every HTTP port found behind it by the
        proxychains scan, this builds the eyewitness, whatweb, dirsearch
        (dictionary and big wordlist) and nikto commands and stores them as
        ``self.proxy_processes``.  When no proxied HTTP port was found
        nothing is queued and the attribute is left untouched.
        """
        direct = nmapParser.NmapParserFunk(self.target)
        direct.openPorts()
        via_proxy = nmapParser.NmapParserFunk(self.target)
        via_proxy.openProxyPorts()
        http_ports = via_proxy.proxy_http_ports
        proxy_ports = direct.proxy_ports
        if not http_ports:
            return
        cfg = config_parser.CommandParser(
            f"{os.getcwd()}/config/config.yaml", self.target)
        for key in ("proxyDir", "proxyWeb"):
            path = cfg.getPath("proxy", key)
            if not os.path.exists(path):
                os.makedirs(path)
        queued = []
        for proxy in proxy_ports:
            print(
                f"""{fg.li_cyan} Enumerating HTTP Ports Through Port: {proxy}, Running the following commands: {fg.rs}"""
            )
            eyewitness_dir = cfg.getPath("proxy", "eyewitnessDirPT", proxy=proxy)
            if not os.path.exists(eyewitness_dir):
                os.makedirs(eyewitness_dir)
            queued.append(cfg.getCmd("proxy", "eyewitnessProxyServer", proxy=proxy))
            queued.append(cfg.getCmd("proxy", "whatwebProxyServer", proxy=proxy))
            # http_ports is non-empty here, so the per-port templates always
            # get queued, in this order, for every proxy.
            for http_port in http_ports:
                for template in (
                    "whatwebProxyHttpPorts",
                    "dirsearchHttpProxyPortsDict",
                    "dirsearchHttpProxyPortsBig",
                    "niktoProxyHttpPort",
                ):
                    queued.append(cfg.getCmd("proxy", template, proxy=proxy, httpProxy=http_port))

        self.proxy_processes = tuple(queued)
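    def listFilesProxy(self):
        """
        Strip ANSI colour codes from the proxy report files and echo short nikto output.

        Only runs when ``proxy/proxyDir`` exists.  Walks every directory
        matched by ``proxy/proxyGlob``; files whose path contains nmap,
        aquatone or eyewitness are left alone.  wafw00f, whatweb, wpscan,
        sslscan, dnsenum, drupal, joomlavs and oracle reports, plus ``*.log``
        files with "vulns" in the path, are cleaned in place with ``sed``;
        nikto reports shorter than 80 lines are printed to stdout.
        """
        def removeColor(filename):
            # Run sed without a shell: report paths come from the filesystem
            # (and indirectly from scan output), so the path is passed as a
            # single argv entry instead of being interpolated into a command
            # string.  The previous version also ignored ``filename`` and ran
            # sed against a literal placeholder path.
            return call(["sed", r"s,\x1B\[[0-9;]*[a-zA-Z],,g", "-i", filename])

        colorised_markers = (
            "wafw00f", "whatweb", "wpscan", "sslscan",
            "dnsenum", "drupal", "joomlavs", "oracle",
        )
        c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                        self.target)
        if not os.path.exists(c.getPath("proxy", "proxyDir")):
            return
        dir_list = [
            d for d in glob.iglob(c.getPath("proxy", "proxyGlob"),
                                  recursive=True) if os.path.isdir(d)
        ]
        for d in dir_list:
            reportFile_list = [
                fname for fname in glob.iglob(f"{d}/*", recursive=True)
                if os.path.isfile(fname)
            ]
            for rf in reportFile_list:
                if "nmap" in rf or "aquatone" in rf or "eyewitness" in rf:
                    continue
                for marker in colorised_markers:
                    if marker in rf:
                        removeColor(rf)
                if "nikto" in rf:
                    # Count and echo in Python instead of ``wc -l``/``cat``
                    # shell strings; ``wc -l`` counts newline characters.
                    with open(rf, "r", errors="replace") as nikto_report:
                        nikto_text = nikto_report.read()
                    if nikto_text.count("\n") < 80:
                        print(nikto_text, end="")
                if "vulns" in rf and fnmatch(rf, "*.log"):
                    removeColor(rf)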
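    def Scan(self):
        """Register ``self.target`` in /etc/proxychains.conf and re-scan through the proxy.

        When the direct nmap results include an http-proxy port, this
        comments out any active ``socks5`` entry in /etc/proxychains.conf,
        appends ``http <target> <first proxy port>`` unless some line of the
        file already contains ``http <target>``, then runs the proxychains
        nmap top-ports scan from the config.  Editing that file normally
        requires root.  Without a proxy port nothing happens; a missing
        proxychains config is printed and the process exits.
        """
        np = nmapParser.NmapParserFunk(self.target)
        np.openPorts()
        proxyPorts = np.proxy_ports
        hpl = helper_lists.topPortsToScan()
        topTcpPortsString = ",".join(map(str, hpl.topTCP))
        cmd_info = "[" + fg.li_green + "+" + fg.rs + "]"
        if not proxyPorts:
            return
        c = config_parser.CommandParser(
            f"{os.getcwd()}/config/config.yaml", self.target)
        proxy_config_file = "/etc/proxychains.conf"
        # Only the first proxy port is wired into proxychains.  self.target
        # is the operator's CLI argument and is interpolated into a shell
        # string unquoted, as in the original.
        add_line_cmd = rf"""sed -e "\$ahttp {self.target} {proxyPorts[0]}" -i /etc/proxychains.conf"""
        comment_out_line_cmd = (
            f"""sed -e '/socks5/ s/^#*/#/' -i  /etc/proxychains.conf""")
        target_entry = f"http {self.target}"
        fixes = set()
        try:
            with open(proxy_config_file, "r") as pcCF:
                entry_present = False
                for line in pcCF:
                    stripped = line.rstrip()
                    # An uncommented socks5 line (the Tor default) would send
                    # the scan elsewhere; queue the command that disables it.
                    if not stripped.startswith("#") and "socks5" in stripped:
                        fixes.add(comment_out_line_cmd)
                    # The original ran this check only on the last line of
                    # the file (the block sat outside the loop) and raised
                    # NameError on an empty file.  Kept from the original:
                    # a match counts whether or not the line is commented.
                    if target_entry in stripped:
                        entry_present = True
            if not entry_present:
                fixes.add(add_line_cmd)
            for cmd in sorted(fixes):
                call(cmd, shell=True)
        except FileNotFoundError as fnf_error:
            print(fnf_error)
            exit()

        if not os.path.exists(c.getPath("proxy", "proxyDir")):
            os.makedirs(c.getPath("proxy", "proxyDir"))

        proxychains_nmap_top_ports_cmd = c.getCmd(
            "proxy",
            "proxychainsNmapTopPorts",
            topTcpPorts=topTcpPortsString)
        print(cmd_info, proxychains_nmap_top_ports_cmd)
        call(proxychains_nmap_top_ports_cmd, shell=True)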
 def OraclePwn(self):
     """Launch the ``oracle/oracleBrute`` helper script when Oracle TNS ports are open.

     The script (lib/oracle.sh per the original docstring) attempts to brute
     force Oracle using any SIDs the Scan() results produced.  With no open
     TNS port the method returns without doing anything.
     """
     parser = nmapParser.NmapParserFunk(self.target)
     parser.openPorts()
     if not parser.oracle_tns_ports:
         return
     cfg = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target)
     script = cfg.getPath("oracle", "oracleBrute")
     # self.target is the operator's CLI argument; it reaches the shell unquoted.
     call(f"""bash {script} {self.target}""", shell=True)
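    def openUdpPorts(self):
        """Parse the top-UDP-ports nmap XML report and fill the UDP port lists.

        Returns silently when the XML file does not exist.  Otherwise the
        file is first checked for well-formedness with a SAX parser, then
        parsed with ``NmapParser``; its services are appended to
        ``self.udp_nmap_services`` (kept sorted by port), each ``open``
        service that is not ``open|filtered`` is stored in
        ``self.udp_services`` as ``(port, service, tunnel, cpelist, banner)``
        and the ports are classified into ``self.udp_ports``,
        ``self.snmp_ports``, ``self.sip_udp_ports`` and ``self.ike_ports``
        without duplicates.  Any parsing failure is printed and swallowed.
        """
        def parsefile(xmlfile):
            # Well-formedness check only: the default ContentHandler ignores
            # every event, so a malformed file raises here before libnmap.
            parser = make_parser()
            parser.setContentHandler(ContentHandler())
            parser.parse(xmlfile)

        c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                        self.target)
        xml_path = c.getPath("nmap", "nmap_top_udp_ports_xml")
        if not os.path.exists(xml_path):
            return
        try:
            parsefile(xml_path)
            report = NmapParser.parse_fromfile(xml_path)
            # NOTE(review): assumes a single-host scan; hosts[0] is taken as the target.
            self.udp_nmap_services += report.hosts[0].services
            self.udp_nmap_services = sorted(self.udp_nmap_services,
                                            key=lambda s: s.port)
            for service in self.udp_nmap_services:
                if "open" not in service.state:
                    continue
                # Unanswered UDP probes come back as open|filtered; not treated as open.
                if "open|filtered" in service.state:
                    continue
                self.udp_services.append((
                    service.port,
                    service.service,
                    service.tunnel,
                    service.cpelist,
                    service.banner,
                ))
            # Classify once after collecting.  The original re-walked the
            # whole list after every append (quadratic) and reused the outer
            # loop's variable name; the membership checks make the result identical.
            for port, name, *_ in self.udp_services:
                if port not in self.udp_ports:
                    self.udp_ports.append(port)
                if "snmp" in name and port not in self.snmp_ports:
                    self.snmp_ports.append(port)
                if "sip" in name and port not in self.sip_udp_ports:
                    self.sip_udp_ports.append(port)
                # Covers both "isakmp" and nmap's tentative "isakmp?" label.
                if "isakmp" in name and port not in self.ike_ports:
                    self.ike_ports.append(port)
        except Exception as e:
            # Kept from the original: any failure while reading the report
            # is reported and the method returns with whatever was collected.
            print(
                f"""{xml_path} Cannot Parse UDP nmap xml file. {e}"""
            )
            return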
 def SshMultipleUsersBruteCustom(self):
     """Run patator against several SSH users with an operator-supplied wordlist.

     Renders the ``patator_ssh_multiple_users_custom`` template with
     ``self.port``, ``self.users`` and ``self.passList``, echoes it and runs
     it through ``call(..., shell=True)``.  The exit status is not checked.
     """
     cmd_info = "[" + fg.green + "+" + fg.rs + "]"
     green, teal, reset = fg.li_green, fg.li_cyan, fg.rs
     cfg = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target)
     # Parsed as in the original; the ports are not read back here.
     scan = nmapParser.NmapParserFunk(self.target)
     scan.openPorts()
     print(f"""{teal}Beginning Password Brute Force for User: {reset} {green}{self.users}{reset}""")
     patator_cmd = cfg.getCmd("ssh", "patator_ssh_multiple_users_custom", port=self.port, users=self.users, wordlist=self.passList)
     print(f"""{cmd_info} {patator_cmd}""")
     call(patator_cmd, shell=True)
 def topUdpAllTcp(self):
     """Queue a full TCP port scan and a top-UDP-ports scan as ``self.processes``.

     The UDP port list comes from ``helper_lists.topPortsToScan().topUDP``
     and is passed to the ``nmapTopUdpScan`` template as a comma-separated
     string.  The direct nmap results are parsed as in the original but not
     read back here.
     """
     cfg = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                       self.target)
     parser = nmapParser.NmapParserFunk(self.target)
     parser.openPorts()
     top_udp_csv = ",".join(map(str, helper_lists.topPortsToScan().topUDP))
     self.processes = (
         cfg.getCmd("nmap", "nmapFullTcpScan"),
         cfg.getCmd("nmap", "nmapTopUdpScan", topUdpPorts=top_udp_csv),
     )
    def sslProxyScan(self):
        """Queue HTTPS enumeration commands to run through each discovered proxy.

        Called from lib/enumProxy.py.  For every proxy port from the direct
        scan and every SSL port found behind it by the proxychains scan this
        queues whatweb, dirsearch (dictionary and big wordlist) and nikto
        commands as ``self.proxy_processes``.  Nothing is queued when no
        proxied SSL port was found.
        """
        via_proxy = nmapParser.NmapParserFunk(self.target)
        via_proxy.openProxyPorts()
        direct = nmapParser.NmapParserFunk(self.target)
        direct.openPorts()
        ssl_ports = via_proxy.proxy_ssl_ports
        proxy_ports = direct.proxy_ports
        if not ssl_ports:
            return
        cfg = config_parser.CommandParser(
            f"{os.getcwd()}/config/config.yaml", self.target)
        for key in ("proxyDir", "proxyWebSSL"):
            path = cfg.getPath("proxy", key)
            if not os.path.exists(path):
                os.makedirs(path)
        queued = []
        for proxy in proxy_ports:
            print(
                f"""{fg.li_cyan} Enumerating HTTPS Ports Through {proxy}, Running the following commands: {fg.rs}"""
            )
            for ssl_port in ssl_ports:
                queued.append(
                    cfg.getCmd("proxySSL", "whatwebSSLProxy",
                               proxy=proxy, proxySSLPort=ssl_port))
                # NOTE(review): the three calls below pass their keyword
                # arguments differently from whatwebSSLProxy above -- the two
                # dirsearch templates receive the whole proxy_ports list as
                # the SSL-port value (under two different spellings) and the
                # SSL port as ``proxy``; the nikto call has the two swapped.
                # Behaviour is reproduced unchanged here; confirm against the
                # proxySSL templates in config.yaml.
                queued.append(
                    cfg.getCmd("proxySSL", "dirsearchProxySSLDict",
                               proxySslPort=proxy_ports, proxy=ssl_port))
                queued.append(
                    cfg.getCmd("proxySSL", "dirsearchProxySSLBig",
                               proxySSLPort=proxy_ports, proxy=ssl_port))
                queued.append(
                    cfg.getCmd("proxySSL", "niktoProxySSL",
                               proxySSLPort=proxy, proxy=ssl_port))

        self.proxy_processes = tuple(queued)
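 def getLinks(self):
     """Fetch ``http://<target>`` and save every anchor href to ``web/weblinks``.

     Described by the original author as not fully implemented.  The page
     is parsed with BeautifulSoup; anchors without an ``href`` are skipped
     (writing ``None`` used to raise ``TypeError``) and the links are
     written one per line (they used to be concatenated with no separator).
     The request carries a timeout so an unresponsive host cannot hang the
     run; ``requests`` exceptions propagate to the caller as before.  An
     unwritable destination path is printed and ignored.
     """
     url = f"""http://{self.target}"""
     c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                     self.target)
     # requests has no default timeout; without one this call can block forever.
     page = requests.get(url, timeout=10)
     soup = BeautifulSoup(page.text)
     links = [href for href in (a.get("href") for a in soup.find_all("a")) if href]
     if links:
         try:
             with open(c.getPath("web", "weblinks"), "w") as out:
                 out.write("\n".join(links) + "\n")
         except FileNotFoundError as fnf_error:
             print(fnf_error)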
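    def listfiles(self):
        """
        Strip ANSI colour codes from the report files in place.

        Walks every directory matched by ``report/reportGlob``; files whose
        path contains nmap, aquatone or eyewitness are left alone.  wafw00f,
        whatweb, sslscan, dnsenum, drupal, joomlavs, oracle and wpscan
        reports, plus ``*.log`` files with "vulns" in the path, are cleaned
        with ``sed``.
        """
        def removeColor(filename):
            # Run sed without a shell: report paths come from the filesystem
            # (and indirectly from scan output), so the path is passed as a
            # single argv entry instead of being interpolated into a command
            # string.  The previous version also ignored ``filename`` and ran
            # sed against a literal placeholder path.
            return call(["sed", r"s,\x1B\[[0-9;]*[a-zA-Z],,g", "-i", filename])

        colorised_markers = (
            "wafw00f", "whatweb", "sslscan", "dnsenum",
            "drupal", "joomlavs", "oracle", "wpscan",
        )
        c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                        self.target)
        dir_list = [
            d for d in glob.iglob(c.getPath("report", "reportGlob"),
                                  recursive=True) if os.path.isdir(d)
        ]
        for d in dir_list:
            reportFile_list = [
                fname for fname in glob.iglob(f"{d}/*", recursive=True)
                if os.path.isfile(fname)
            ]
            for rf in reportFile_list:
                if "nmap" in rf or "aquatone" in rf or "eyewitness" in rf:
                    continue
                for marker in colorised_markers:
                    if marker in rf:
                        removeColor(rf)
                if "vulns" in rf and fnmatch(rf, "*.log"):
                    removeColor(rf)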
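 def ftpDownloadAll(self, port):
     """Mirror everything the target's anonymous FTP service on *port* exposes into the
     ``ftp/anonDownloadPath`` report directory.

     ``wget -m`` is run from inside that directory; the working directory is restored in a
     ``finally`` block so a failing download (or Ctrl-C) cannot leave the rest of the run
     operating out of the download folder. wget is executed as an argument list, so the
     target string is never interpreted by a shell.

     Args:
         port: TCP port of the FTP service.

     OS errors while preparing the directories are printed and swallowed, matching the
     best-effort nature of this step.
     """
     try:
         c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target)
         os.makedirs(c.getPath("ftp", "ftpDir"), exist_ok=True)
         os.makedirs(c.getPath("ftp", "anonDownloadPath"), exist_ok=True)
         wget_argv = [
             "wget", "-m", "--no-passive", "-c", "--read-timeout=5", "--tries=5",
             f"ftp://anonymous:anonymous@{self.target}:{port}",
         ]
         wget_cmd = " ".join(wget_argv)  # display only
         print(f"{fg.li_magenta}Downloading All Files from FTP Server on Port: {fg.rs}{port}")
         print(f"[{fg.li_green}+{fg.rs}] {wget_cmd}")
         print(f"{fg.li_yellow}")
         cwd = os.getcwd()
         os.chdir(c.getPath("ftp", "anonDownloadPath"))
         try:
             call(wget_argv)
         finally:
             # Reset the colour and always return to the original directory.
             print(f"{fg.rs}")
             os.chdir(cwd)
     except IOError as e:
         print(e)
         return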
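 def vulnCheck(self):
     """Vuln Check will check if OpenSSH is vulnerable to Username Enumeration.
     If it is, A message will be printed to the User. This feature can be enabled to automatically
     always brute force SSH if the instance is a vulnerable version, however, I've changed this
     feature to not run automatically as that option should be left up to the user, among various other
     reasons.

     Version handling: the fingerprinted version string is parsed into a ``(major, minor)`` pair and
     compared with ``(7, 7)`` rather than ``float(version[:3]) < 7.7``. That avoids misreading
     ``7.10`` as ``7.1`` and avoids a ``ValueError`` crash when nmap returned an empty or
     non-numeric version; an unparsable version is reported as undetermined instead of being
     flagged. Nothing is printed unless exactly one SSH product was found and it is ``OpenSSH``."""
     cmd_info = "[" + fg.green + "+" + fg.rs + "]"
     manual_cmd_info = "[" + fg.li_yellow + "+" + fg.rs + "]"
     blue = fg.li_blue
     red = fg.red
     green = fg.li_green
     reset = fg.rs

     def leading_int(text):
         # Integer formed by the digits *text* starts with; None when it starts with a non-digit.
         digits = ""
         for ch in text:
             if not ch.isdigit():
                 break
             digits += ch
         return int(digits) if digits else None

     def major_minor(version):
         # "7.4p1 debian 10" -> (7, 4); None when no "<digits>.<digits>" prefix is present.
         head, sep, tail = version.strip().partition(".")
         major = leading_int(head)
         minor = leading_int(tail) if sep else None
         if major is None or minor is None:
             return None
         return major, minor

     np = nmapParser.NmapParserFunk(self.target)
     np.openPorts()
     ssh_product = np.ssh_product
     ssh_version = np.ssh_version
     c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                     self.target)
     # Only act when exactly one SSH product was fingerprinted and it is OpenSSH.
     if len(ssh_product) != 1 or ssh_product[0] != "OpenSSH":
         return
     string_ssh_version = " ".join(map(str, ssh_version))
     parsed_version = major_minor(string_ssh_version.lower())
     shown_version = ssh_version[0] if ssh_version else "unknown version"
     if parsed_version is None:
         print(
             f"""{cmd_info} {blue}{ssh_product[0]} {shown_version}{reset} version could not be parsed; Username Enumeration status undetermined"""
         )
         return
     # OpenSSH releases before 7.7 are the ones affected.
     if parsed_version < (7, 7):
         ssh_port = np.ssh_ports
         print(
             f"""{cmd_info} {blue}{ssh_product[0]} {shown_version}{reset} is {red}VULNERABLE to Username Enumeration{reset}"""
         )
         print(f"""{green}Consider running:{reset}""")
         print(
             f"""{manual_cmd_info} {c.getCmd("ssh", "ssh_user_enum", port=ssh_port[0])}"""
         )
     else:
         print(
             f"""{cmd_info} {blue}{ssh_product[0]} {shown_version}{reset} is {red}NOT{reset} Vulnerable to Username Enumeration"""
         )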
 def Scan(self):
     """If Ldap ports are open, run nmap ldap scripts, enum4linux and the results
     will be fed to the ldap.sh bash script.

     ``self.processes`` is only assigned when at least one LDAP port was found."""
     np = nmapParser.NmapParserFunk(self.target)
     np.openPorts()
     ldap_ports = np.ldap_ports
     if not ldap_ports:
         return
     c = config_parser.CommandParser(
         f"{os.getcwd()}/config/config.yaml", self.target)
     ldap_dir = c.getPath("ldap", "ldapDir")
     if not os.path.exists(ldap_dir):
         os.makedirs(ldap_dir)
     banner = "Enumerating LDAP: Lightweight Directory Access Protocol, Running the following commands:"
     print(fg.cyan + banner + fg.rs)
     string_ldap_ports = ",".join(map(str, ldap_ports))
     self.processes = (
         c.getCmd("ldap", "nmapLdap", ldapPorts=string_ldap_ports),
         c.getCmd("ldap", "enum4linuxLdap"),
     )
 def Scan(self):
     """Run the initial nmap scan of the top TCP ports.

     Version detection (-sV) and nmap's default safe scripts (-sC) are enabled, ping is skipped
     (-Pn), and the script timeout is capped at 5 minutes because https scripts can otherwise
     hang and flood the output, dragging the whole scan out; five minutes has proven a good
     ceiling. The command is recorded via RunCommands.loginator before it is executed."""
     rc = run_commands.RunCommands(self.target)
     c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                     self.target)
     for section, key in (("report", "reportDir"), ("report", "nmapDir")):
         directory = c.getPath(section, key)
         if not os.path.exists(directory):
             os.makedirs(directory)
     print(fg.cyan + "Running Nmap Top Open Ports" + fg.rs)
     top_tcp_ports = helper_lists.topPortsToScan().topTCP
     nmap_command = c.getCmd("nmap",
                             "nmapTopTcpPorts",
                             topTcpPorts=",".join(map(str, top_tcp_ports)))
     cmd_info = "[" + fg.li_green + "+" + fg.rs + "]"
     print(f"""{cmd_info} {fg.li_green}{nmap_command}{fg.rs}""")
     rc.loginator(nmap_command)
     call(nmap_command, shell=True)
 def Scan(self):
     """This Scan() Function will run various oracle scanning tools and attempt to find
     valid SID's along with other useful information. The following tools will be used,
     Nmap, tnscmd10g, osscanner, and ODAT.

     When no Oracle TNS port was found nothing is done and ``self.processes`` is left untouched."""
     np = nmapParser.NmapParserFunk(self.target)
     np.openPorts()
     if not np.oracle_tns_ports:
         return
     c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target)
     oracle_dir = c.getPath("oracle", "oracleDir")
     if not os.path.exists(oracle_dir):
         os.makedirs(oracle_dir)
     print(fg.cyan + "Enumerating ORACLE, Running the following commands:" + fg.rs)
     # (config key, extra template kwargs) for every oracle command, in queue order.
     command_specs = (
         ("nmapOracle", {}),
         ("tnscmd10g", {"mode": "ping"}),
         ("tnscmd10g", {"mode": "version"}),
         ("oscanner", {}),
         ("odatTNS", {"mode": "ping"}),
         ("odatTNS", {"mode": "version"}),
         ("odatTNS", {"mode": "status"}),
     )
     self.processes = tuple(c.getCmd("oracle", key, **kwargs) for key, kwargs in command_specs)
    def Scan(self):
        """Enumerate DNS server if any hostnames are found from lib/domainFinder.py and if
        port 53 is open.

        Hostnames reported by DomainFinder (redirect and FQDN) are appended to ``self.hostnames``;
        one dnsenum command per unique name collapsed to its last two labels is queued in
        ``self.processes``, which is an empty tuple when nothing qualifies."""
        print(fg.cyan + "Checking For Virtual Host Routing and DNS" + fg.rs)
        np = nmapParser.NmapParserFunk(self.target)
        np.openPorts()
        dnsPorts = np.dns_ports
        dn = domainFinder.DomainFinder(self.target)
        dn.Scan()
        c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                        self.target)
        self.hostnames.extend(dn.redirect_hostname)
        self.hostnames.extend(dn.fqdn_hostname)
        commands = []
        if self.hostnames and dnsPorts:
            for section, key in (("dns", "dnsDir"), ("web", "aquatoneDir")):
                directory = c.getPath(section, key)
                if not os.path.exists(directory):
                    os.makedirs(directory)
            # Collapse each hostname to its last two labels before de-duplicating.
            base_names = {".".join(host.split('.')[-2:]) for host in self.hostnames}
            commands = [c.getCmd("dns", "dnsenum", hosts=host) for host in sorted(base_names)]
        self.processes = tuple(commands)
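 def CewlWordlist(self):
     """Build the combined ``wordlists/CewlPlus`` list from cewl output and the bundled list.

     Steps:
       1. Collect candidate URLs: lines of ``web/aquatoneDirUrls`` mentioning ``index.html`` or
          ``index.php``, plus the root URL of the single http and/or single ssl port found by nmap.
       2. Run ``cewl <url> -m 3 -w <wordlists/CewlCounter N>`` once per unique URL. cewl is
          executed as an argument list, not through a shell: the URLs are tool output about the
          target and must never be interpreted as shell syntax on the operator's machine.
       3. Merge ``wordlists/CustomPass1575`` with every file in ``wordlists/wordlistsDir``,
          de-duplicate, sort and append the result to ``wordlists/CewlPlus``.

     Nothing happens when ``web/aquatoneDirUrls`` does not exist. A missing input file in step 1
     terminates the program (as before); a missing file in step 3 is printed and the method
     returns. ``CewlPlus`` is opened in append mode, so re-running appends the merged list again.
     """
     np = nmapParser.NmapParserFunk(self.target)
     np.openPorts()
     http_ports = np.http_ports
     ssl_ports = np.ssl_ports
     c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target)
     urls_file = c.getPath("web", "aquatoneDirUrls")
     if not os.path.exists(urls_file):
         return
     wordlists_dir = c.getPath("wordlists", "wordlistsDir")
     os.makedirs(wordlists_dir, exist_ok=True)
     url_list = []
     try:
         with open(urls_file, "r") as uf:
             for line in uf:
                 if "index.html" in line or "index.php" in line:
                     url_list.append(line.rstrip())
     except FileNotFoundError as fnf_error:
         print(fnf_error)
         exit()
     # Only a single http / ssl port is turned into a root URL, as in the original design.
     if len(http_ports) == 1:
         url_list.append(f"http://{self.target}:{http_ports[0]}/")
     if len(ssl_ports) == 1:
         url_list.append(f"https://{self.target}:{ssl_ports[0]}/")
     wordlist = sorted(set(url_list))
     for counter, url in enumerate(wordlist, start=1):
         cewl_argv = ["cewl", url, "-m", "3", "-w",
                      c.getPath("wordlists", "CewlCounter", counter=counter)]
         try:
             call(cewl_argv)
         except OSError as os_error:
             # cewl missing from PATH or not executable: report once and stop spawning.
             print(os_error)
             break
     words = []
     try:
         with open(c.getPath("wordlists", "CustomPass1575"), "r") as prob:
             words.extend(line.rstrip() for line in prob)
         for wl in os.listdir(wordlists_dir):
             wlfile = f"""{wordlists_dir}/{wl}"""
             with open(wlfile, "r") as wlf:
                 words.extend(line.rstrip() for line in wlf)
         unique_words = sorted(set(words))
         with open(c.getPath("wordlists", "CewlPlus"), "a") as allwls:
             allwls.write("\n".join(map(str, unique_words)))
     except FileNotFoundError as fnf_error:
         print(fnf_error)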
    def proxyCMS(self) -> None:
        """Queue CMS-specific scanners for web services reached through a discovered HTTP proxy.

        If a Content Management System is discovered on the web from enumProxy's output, then
        proceed to try and enumerate the CMS further. CMS scanners are limited to: Drupal,
        WordPress, Joomla, Magento, Tomcat, and Apache WebDav.

        Per (proxy port, proxied http port) pair:
          * WordPress-looking URLs are read from ``proxy/aquatoneDirProxyUrls`` and at most two
            of them are probed with whatweb through the proxy, synchronously.
          * Every whatweb report for that http port is then searched for the names in
            ``cms_strings``; each hit queues the matching scanner command.
          * On the first WordPress hit a bash helper script is rendered, written to
            ``proxy/wordpressBashBruteScript`` and made executable; it is not run from here.

        Results are de-duplicated, sorted and stored as a tuple in ``self.cms_processes``.
        When no proxy port was found nothing is assigned.
        """
        np = nmapParser.NmapParserFunk(self.target)
        np.openPorts()
        npp = nmapParser.NmapParserFunk(self.target)
        npp.openProxyPorts()
        proxy_http_ports = npp.proxy_http_ports
        proxy_ports = np.proxy_ports
        teal = fg.li_cyan
        hasPrinted = False
        cms_commands = []
        cms_counter = 0
        reset = fg.rs
        # NOTE: this first check is a no-op (``pass`` then fall through); with no proxied http
        # ports the inner loop below simply never iterates.
        if len(proxy_http_ports) == 0:
            pass
        if len(proxy_ports) == 0:
            pass
        else:
            c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target)
            for proxy in proxy_ports:
                for proxy_http_port in proxy_http_ports:
                    whatweb_files = []
                    wordpress_url = []
                    wp = helper_lists.Wordpress(self.target)
                    wordpressDirs = wp.wordpress_dirs
                    # NOTE(review): ``sorted_wp_links`` is only bound inside this branch, but the
                    # ``len(sorted_wp_links)`` test further down runs whenever a whatweb report
                    # mentions WordPress; a missing URL file would surface there as a NameError.
                    if os.path.exists(c.getPath("proxy", "aquatoneDirProxyUrls")):
                        try:
                            with open(c.getPath("proxy", "aquatoneDirProxyUrls"), "r") as purls:
                                for url in purls:
                                    uline = url.rstrip()
                                    for word in wordpressDirs:
                                        if word in uline:
                                            wordpress_url.append(uline)
                        except FileNotFoundError as fnf_error:
                            print(fnf_error)
                            exit()
                        sorted_wp_links = sorted(set(wordpress_url))
                        count = 0
                        if len(sorted_wp_links) != 0:
                            # Probe at most two WordPress URLs synchronously with whatweb.
                            for wpdir in sorted_wp_links:
                                count += 1
                                try:
                                    # whatweb_proxy_cmd = f"""whatweb -v -a 3 --proxy {self.target}:{proxy_ports[0]} {wpdir} > {c.getPath("reportDir")}/proxy/web/whatweb-proxy-{proxy_http_port}-{count}.txt"""
                                    whatweb_proxy_cmd = c.getCmd("proxy", "whatwebProxyWP", proxyPorts=proxy, wordpressDirs=wpdir, httpProxy=proxy_http_port, count=count)
                                    call(whatweb_proxy_cmd, shell=True)
                                    if count >= 2:
                                        break
                                except CalledProcessError:
                                    pass  # this will handle errors in the called executable.
                                except OSError:
                                    pass

                    # Collect every whatweb report file that names this proxied http port.
                    dir_list = [
                        d
                        for d in glob.iglob(c.getPath("proxy", "proxyGlob"), recursive=True)
                        if os.path.isdir(d)
                    ]
                    for d in dir_list:
                        reportFile_list = [
                            fname
                            for fname in glob.iglob(f"{d}/*", recursive=True)
                            if os.path.isfile(fname)
                        ]
                        for rf in reportFile_list:
                            if "nmap" not in rf:
                                if "whatweb" in rf:
                                    if str(proxy_http_port) in rf:
                                        whatweb_files.append(rf)
                    if len(whatweb_files) != 0:
                        for i in whatweb_files:
                            cms_strings = [
                                "WordPress",
                                "Magento",
                                "tomcat",
                                "WebDAV",
                                "Drupal",
                                "Joomla",
                            ]
                            with open(i, "r") as wwf:
                                for word in wwf:
                                    # Brackets and commas are flattened so substring matching
                                    # is not thrown off by whatweb's plugin list formatting.
                                    fword = (
                                        word.replace("[", " ")
                                        .replace("]", " ")
                                        .replace(",", " ")
                                    )
                                    for cms in cms_strings:
                                        if cms in fword:
                                            # hasPrinted makes the WordPress block run only once per call.
                                            if "WordPress" in cms and not hasPrinted:
                                                print(f"{teal}Found WordPress!{reset}")
                                                cms_counter += 1
                                                if len(sorted_wp_links) != 0:
                                                    for wpLink in sorted_wp_links:
                                                        wpscan_cmd = c.getCmd("proxy", "wpscanProxy", sortedWpDirs=wpLink,
                                                                              httpProxy=proxy, httpProxyPort=proxy_http_port)
                                                        cms_commands.append(wpscan_cmd)
                                                        if cms_counter >= 1:
                                                            hasPrinted = True
                                                            break
                                                # Rendered helper script: written to disk and
                                                # chmod'ed below, never executed from this method.
                                                manual_brute_force_script = f"""
#!/bin/bash

if [[ -n $(grep -i "User(s) Identified" {c.getPath("proxy", "wpscanReport", proxyPort=proxy_http_port)}) ]]; then
    grep -w -A 100 "User(s)" {c.getPath("proxy", "wpscanReport", proxyPort=proxy_http_port)} | grep -w "[+]" | cut -d " " -f 2 | head -n -7 >{c.getPath("proxy", "wpUsers")}
    {c.getCmd("proxy", "proxychainsCewl", proxyPorts=proxy_http_port)}
    sleep 10
    echo "Adding John Rules to Cewl Wordlist!"
    {c.getCmd("proxy", "john")}
    sleep 3
    # brute force again with wpscan
    {c.getCmd("proxy", "wpscanCewlBrute", proxyPorts=proxy_http_port, httpProxy=proxy)}
    sleep 1
    if grep -i "No Valid Passwords Found" wordpress-cewl-brute2.txt; then
        if [ -s {c.getPath("proxy", "johnCewl")} ]; then
            {c.getCmd("proxy", "wpscanJohnCewlBrute", proxyPorts=proxy_http_port, httpProxy=proxy)}
        else
            echo "John wordlist is empty :("
        fi
        sleep 1
        if grep -i "No Valid Passwords Found" {c.getPath("proxy","wpscanJohnCoolBrute")}; then
            {c.getCmd("proxy", "wpscanFastTrackBrute", proxyPorts=proxy_http_port, httpProxy=proxy)}
        fi
    fi
fi
                                                """
                                                try:
                                                    with open(c.getPath("proxy", "wordpressBashBruteScript"), "w") as wpb:
                                                        print("Creating wordpress Brute Force Script...")
                                                        wpb.write(manual_brute_force_script)
                                                    call(f"""chmod +x {c.getPath("proxy", "wordpressBashBruteScript")}""", shell=True)
                                                except FileNotFoundError as fnf_error:
                                                    print(fnf_error)

                                            if "Drupal" in cms:
                                                drupal_cmd = c.getCmd("proxy", "droopescan", proxyPorts=proxy_http_port)
                                                cms_commands.append(drupal_cmd)
                                            if "Joomla" in cms:
                                                joomla_cmd = c.getCmd("proxy", "joomscan", proxyPorts=proxy_http_port, httpProxy=proxy)
                                                cms_commands.append(joomla_cmd)
                                            if "Magento" in cms:
                                                magento_cmd = c.getCmd("proxy", "magescan", proxyPorts=proxy_http_port)
                                                cms_commands.append(magento_cmd)
                                            # ``cms`` is always one of ``cms_strings``, so the
                                            # "Microsoft-IIS 6.0" alternative can never match.
                                            if "WebDAV" in cms or ("Microsoft-IIS 6.0" in cms):
                                                webdav_cmd2 = c.getCmd("proxy", "webdavNmap", proxyPort=proxy_http_port)
                                                cms_commands.append(webdav_cmd2)

            # De-duplicate and sort so the queued order is deterministic.
            sorted_commands = sorted(set(cms_commands))
            commands_to_run = []
            for i in sorted_commands:
                commands_to_run.append(i)
            mpCmds = tuple(commands_to_run)
            self.cms_processes = mpCmds
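    def openPorts(self):
        """The openPorts function will parse all found ports from the nmap.xml file fed to
        the report variable. All ports will be appended to the lists in __init__ and will
        then be accessible from the NmapParserFunk Class.

        Each open service is classified once into the per-protocol port lists (``http_ports``,
        ``ssh_ports`` ...). Every list insertion is guarded against duplicates, so repeated
        calls or duplicate services never add an entry twice. The classification loop runs a
        single time over ``self.services`` after all services have been collected (the original
        nested it inside the collection loop, re-scanning every earlier service for each new
        one, which was quadratic but produced the same lists).

        Side effects / exits:
            * If more than 100 TCP ports are open the host is assumed to be spoofing open ports;
              a message is printed and the program exits.
            * Any exception while reading or parsing the XML (including an XML file with no
              host entry) is printed and the method returns.
        """
        def parsefile(xmlfile):
            # Plain SAX pass over the file: malformed XML raises here, before
            # python-libnmap is asked to interpret it.
            parser = make_parser()
            parser.setContentHandler(ContentHandler())
            parser.parse(xmlfile)

        def add_unique(items, value):
            """Append *value* to *items* unless it is already present."""
            if value not in items:
                items.append(value)

        # Windows RPC / WinRM listeners that answer http but are not web applications.
        ignored_windows_http_ports = (593, 5985, 47001)

        c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                        self.target)
        xml_path = c.getPath("nmap", "nmap_top_ports_xml")
        if not os.path.exists(xml_path):
            return
        try:
            parsefile(xml_path)
            report = NmapParser.parse_fromfile(xml_path)
            self.nmap_services += report.hosts[0].services
            self.nmap_services = sorted(self.nmap_services,
                                        key=lambda s: s.port)
            for service in self.nmap_services:
                # Only definitively open services are kept; "open|filtered" is too uncertain.
                if "open" not in service.state:
                    continue
                if "open|filtered" in service.state:
                    continue
                self.services.append((
                    service.port,
                    service.service,
                    service.tunnel,
                    service.cpelist,
                    service.banner,
                    service.service_dict.get("product", ""),
                    service.service_dict.get("version", ""),
                    service.service_dict.get("extrainfo", ""),
                    service.scripts_results,
                ))

            # Service-name substring -> port list, for the rules that only record the port.
            simple_port_rules = (
                ("netbios-ssn", self.smb_ports),
                ("microsoft-ds", self.smb_ports),
                ("domain", self.dns_ports),
                ("http-proxy", self.proxy_ports),
                ("rpcbind", self.nfs_ports),
                ("msrpc", self.rpc_ports),
                ("ldap", self.ldap_ports),
                ("telnet", self.telnet_ports),
                ("asterisk", self.sip_ports),
                ("vnc", self.vnc_ports),
                ("cassandra", self.cassandra_ports),
                ("ms-sql", self.mssql_ports),
                ("mysql", self.mysql_ports),
                ("finger", self.finger_ports),
                ("mongod", self.mongo_ports),
                ("pop3", self.pop3_ports),
                ("kerberos", self.kerberos_ports),
                ("kpasswd", self.kerberos_ports),
            )

            for service in self.services:
                port, name, tunnel, _cpes, banner, product, version, _extra, scripts = service
                add_unique(self.tcp_ports, port)
                # True when nothing about the service suggests TLS.
                plain_http = ("ssl/http" not in name and "ssl" not in tunnel
                              and "ssl" not in name)
                if "ssl" in tunnel or "ssl" in name:
                    # imaps / pop3s / ldaps have their own handling and are not "web" ssl.
                    if "imap" not in name and "pop3" not in name and "ldap" not in name:
                        add_unique(self.ssl_ports, port)
                        add_unique(self.ssl_script_results, scripts)
                if "http" in name and plain_http:
                    if ("MiniServ" not in product and "http-proxy" not in name
                            and port not in ignored_windows_http_ports):
                        add_unique(self.http_ports, port)
                        add_unique(self.http_script_results, scripts)
                for marker, port_list in simple_port_rules:
                    if marker in name:
                        add_unique(port_list, port)
                if "ssh" in name:
                    add_unique(self.ssh_ports, port)
                    add_unique(self.ssh_product, product)
                    add_unique(self.ssh_version, version)
                    add_unique(self.ssh_script_results, scripts)
                # Port 49160 is excluded from the oracle list, as in the original.
                if "oracle-tns" in name and port != 49160:
                    add_unique(self.oracle_tns_ports, port)
                if "ftp" in name:
                    add_unique(self.ftp_ports, port)
                    add_unique(self.ftp_product, product)
                    add_unique(self.ftp_version, version)
                if "smtp" in name:
                    add_unique(self.smtp_ports, port)
                    # smtp_version is filled from the banner field, preserving the original behaviour.
                    add_unique(self.smtp_version, banner)
                    add_unique(self.smtp_product, product)
                if "BaseHTTPServer" in banner:
                    add_unique(self.http_ports, port)
                if "Apache" in product and plain_http:
                    add_unique(self.http_ports, port)
                add_unique(self.banners, banner)
                add_unique(self.all_products, product)

            if len(self.http_script_results) != 0:
                # Only the first http service's script output is inspected for a title.
                for t in self.http_script_results[0]:
                    result = t["id"], t["output"]
                    if "http-title" in result:
                        add_unique(self.http_script_title, result[1])

            # More than 100 open TCP ports is treated as a port-spoofing host.
            if len(self.tcp_ports) > 100:
                print(
                    "Server is Configured to Falsely show all ports as open."
                )
                print(
                    "ToDo: Create Alternative Scanning Technique to bypass PortSpoof."
                )
                print(
                    "Exiting for now. Continue Your enumeration Manually, Check if http or https are open"
                )
                print(
                    "by manually trying to view these ports in the web browser. etc. etc."
                )
                exit()
        except Exception as e:
            # Boundary handler: a malformed or hostless XML must not abort the whole run.
            print(
                f"""{c.getPath("nmap", "nmap_top_ports_xml")} Cannot Parse Top Ports nmap xml file. {e}"""
            )
            return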
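    def openProxyPorts(self):
        """Parse the proxychains nmap XML report and bucket its open ports by service.

        Reads the file at ``c.getPath("nmap", "nmap_proxychain_top_ports")`` and does
        nothing when it does not exist.  Every open service is appended to
        ``self.proxy_nmap_services`` and, as a ``(port, service, tunnel, cpelist,
        banner)`` tuple, to ``self.proxy_services``; the ``self.proxy_*`` port lists
        declared in ``__init__`` (tcp, ssl, http, smb, dns, ssh, oracle_tns, ftp,
        smtp, nfs, rpc, ldap, ``proxy_ports2`` for ``http-proxy`` services and
        ``proxy_ssh_version`` for SSH banners) are then filled from those tuples.
        Every list is de-duplicated on insert, so repeated calls are idempotent.

        Parse errors are printed and swallowed; the method always returns None and
        callers must inspect the lists themselves.

        NOTE(review): service names, tunnel types and banners originate from the
        scanned host and are therefore attacker-influenced.  Any consumer that
        interpolates ``proxy_services`` / ``proxy_ssh_version`` entries into a shell
        command must quote them (``shlex.quote``) -- verify the consumers.
        """
        def parsefile(xmlfile):
            # Well-formedness check with the stdlib SAX parser: a truncated or
            # corrupt report raises here, before libnmap interprets it.
            parser = make_parser()
            parser.setContentHandler(ContentHandler())
            parser.parse(xmlfile)

        def add_unique(bucket, value):
            # Every per-service list is a de-duplicated, insertion-ordered list.
            if value not in bucket:
                bucket.append(value)

        c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                        self.target)
        xml_path = c.getPath("nmap", "nmap_proxychain_top_ports")
        if not os.path.exists(xml_path):
            return
        # WinRM's HTTP listeners (5985 / 47001) are not web servers worth
        # enumerating as HTTP.
        ignored_windows_http_ports = (5985, 47001)
        try:
            parsefile(xml_path)
            proxy_report = NmapParser.parse_fromfile(xml_path)
            # hosts[0]: a report without a host raises IndexError, handled below.
            self.proxy_nmap_services += proxy_report.hosts[0].services
            self.proxy_nmap_services = sorted(self.proxy_nmap_services,
                                              key=lambda s: s.port)
            for nmap_service in self.proxy_nmap_services:
                state = nmap_service.state
                # Only genuinely open ports: "open|filtered" contains the substring
                # "open" and would otherwise slip through (same rule as allOpenPorts).
                if "open" not in state or "open|filtered" in state:
                    continue
                add_unique(self.proxy_services, (
                    nmap_service.port,
                    nmap_service.service,
                    nmap_service.tunnel,
                    nmap_service.cpelist,
                    nmap_service.banner,
                ))

            # Classify once over the accumulated tuples.  Previously this loop was
            # nested inside the one above, re-walking the whole list on every
            # nmap service and shadowing its loop variable.
            for service in self.proxy_services:
                port, name, tunnel, banner = (service[0], service[1],
                                              service[2], service[4])
                add_unique(self.proxy_tcp_ports, port)
                is_ssl = "ssl" in tunnel or "ssl" in name
                # TLS-wrapped mail/LDAP services get their own handling elsewhere.
                if is_ssl and not any(x in name for x in ("imap", "pop3", "ldap")):
                    add_unique(self.proxy_ssl_ports, port)
                if ("http" in name and not is_ssl and "http-proxy" not in name
                        and port not in ignored_windows_http_ports):
                    add_unique(self.proxy_http_ports, port)
                if "netbios-ssn" in name or "microsoft-ds" in name:
                    add_unique(self.proxy_smb_ports, port)
                if "domain" in name:
                    add_unique(self.proxy_dns_ports, port)
                if "http-proxy" in name:
                    add_unique(self.proxy_ports2, port)
                if "ssh" in name:
                    add_unique(self.proxy_ssh_ports, port)
                    add_unique(self.proxy_ssh_version, banner)
                # 49160 is excluded upstream without explanation -- presumably a
                # known oracle-tns false positive; TODO confirm.
                if "oracle-tns" in name and port != 49160:
                    add_unique(self.proxy_oracle_tns_ports, port)
                if "ftp" in name:
                    add_unique(self.proxy_ftp_ports, port)
                if "smtp" in name:
                    add_unique(self.proxy_smtp_ports, port)
                if "rpcbind" in name:
                    add_unique(self.proxy_nfs_ports, port)
                if "msrpc" in name:
                    add_unique(self.proxy_rpc_ports, port)
                if "ldap" in name:
                    add_unique(self.proxy_ldap_ports, port)
                # Python's BaseHTTPServer is only identifiable from its banner.
                if "BaseHTTPServer" in banner:
                    add_unique(self.proxy_http_ports, port)
        except Exception as e:
            # CLI boundary: report and keep whatever was collected; callers test
            # the lists rather than catching exceptions.
            print(
                f"""{c.getPath("nmap", "nmap_proxychain_top_ports")} Cannot Parse proxychain top ports nmap xml file. {e}"""
            )
            return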
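    def allOpenPorts(self):
        """Parse the full-TCP nmap XML report and bucket its open ports by service.

        Reads ``c.getPath("nmap", "nmap_full_tcp_xml")`` and does nothing when the
        file is absent.  Every open service is appended to ``self.nmap_services``
        and, as a 9-tuple ``(port, service, tunnel, cpelist, banner, product,
        version, extrainfo, scripts_results)``, to ``self.services``.  The
        per-service lists declared in ``__init__`` are then filled from those
        tuples: the ``*_ports`` lists (tcp, ssl, http, smb, dns, proxy, ssh,
        oracle_tns, ftp, smtp, nfs, rpc, ldap, telnet, sip, vnc, cassandra, mssql,
        mysql, finger, mongo, pop3, kerberos), the ssh/ftp/smtp product and
        version lists, ``banners``, ``all_products``, the NSE outputs in
        ``ssl_script_results`` / ``http_script_results`` / ``ssh_script_results``
        and ``http_script_title`` (the ``http-title`` output of every HTTP port,
        not only the first one as before).  Every list is de-duplicated on
        insert, so repeated calls are idempotent.

        Parse errors are printed and swallowed; the method always returns None.

        NOTE(review): service names, banners, products and NSE output originate
        from the scanned host and are attacker-influenced.  Any consumer that
        interpolates them into a shell command must quote them (``shlex.quote``)
        -- verify the consumers of ``banners`` / ``*_version`` / ``*_product``.
        """
        def parsefile(xmlfile):
            # Well-formedness check with the stdlib SAX parser: a truncated or
            # corrupt report raises here, before libnmap interprets it.
            parser = make_parser()
            parser.setContentHandler(ContentHandler())
            parser.parse(xmlfile)

        def add_unique(bucket, value):
            # Every per-service list is a de-duplicated, insertion-ordered list.
            if value not in bucket:
                bucket.append(value)

        c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
                                        self.target)
        xml_path = c.getPath("nmap", "nmap_full_tcp_xml")
        if not os.path.exists(xml_path):
            return
        # WinRM's HTTP listeners (5985 / 47001) are not web servers worth
        # enumerating as HTTP.
        ignored_windows_http_ports = (5985, 47001)
        try:
            parsefile(xml_path)
            report = NmapParser.parse_fromfile(xml_path)
            # hosts[0]: a report without a host raises IndexError, handled below.
            self.nmap_services += report.hosts[0].services
            self.nmap_services = sorted(self.nmap_services,
                                        key=lambda s: s.port)
            for nmap_service in self.nmap_services:
                state = nmap_service.state
                # Only genuinely open ports: "open|filtered" contains the
                # substring "open" and must be excluded explicitly.
                if "open" not in state or "open|filtered" in state:
                    continue
                extras = nmap_service.service_dict
                add_unique(self.services, (
                    nmap_service.port,
                    nmap_service.service,
                    nmap_service.tunnel,
                    nmap_service.cpelist,
                    nmap_service.banner,
                    extras.get("product", ""),
                    extras.get("version", ""),
                    extras.get("extrainfo", ""),
                    nmap_service.scripts_results,
                ))

            # Classify once over the accumulated tuples.  Previously this loop was
            # nested inside the one above, re-walking the whole list on every
            # nmap service and shadowing its loop variable.
            for service in self.services:
                port, name, tunnel, banner = (service[0], service[1],
                                              service[2], service[4])
                product, version, scripts = service[5], service[6], service[8]
                add_unique(self.tcp_ports, port)
                is_ssl = "ssl" in tunnel or "ssl" in name
                # TLS-wrapped mail/LDAP services get their own handling elsewhere.
                if is_ssl and not any(x in name for x in ("imap", "pop3", "ldap")):
                    add_unique(self.ssl_ports, port)
                    add_unique(self.ssl_script_results, scripts)
                # MiniServ (Webmin) and http-proxy are deliberately not treated
                # as plain web servers here.
                if ("http" in name and not is_ssl and "MiniServ" not in product
                        and "http-proxy" not in name
                        and port not in ignored_windows_http_ports):
                    add_unique(self.http_ports, port)
                    add_unique(self.http_script_results, scripts)
                if "netbios-ssn" in name or "microsoft-ds" in name:
                    add_unique(self.smb_ports, port)
                if "domain" in name:
                    add_unique(self.dns_ports, port)
                if "http-proxy" in name:
                    add_unique(self.proxy_ports, port)
                if "ssh" in name:
                    add_unique(self.ssh_ports, port)
                    add_unique(self.ssh_product, product)
                    add_unique(self.ssh_version, version)
                    add_unique(self.ssh_script_results, scripts)
                # 49160 is excluded upstream without explanation -- presumably a
                # known oracle-tns false positive; TODO confirm.
                if "oracle-tns" in name and port != 49160:
                    add_unique(self.oracle_tns_ports, port)
                if "ftp" in name:
                    add_unique(self.ftp_ports, port)
                    add_unique(self.ftp_product, product)
                    add_unique(self.ftp_version, version)
                if "smtp" in name:
                    add_unique(self.smtp_ports, port)
                    # smtp_version historically holds the full banner, not the
                    # version field; kept as-is for the consumers.
                    add_unique(self.smtp_version, banner)
                    add_unique(self.smtp_product, product)
                if "rpcbind" in name:
                    add_unique(self.nfs_ports, port)
                if "msrpc" in name:
                    add_unique(self.rpc_ports, port)
                if "ldap" in name:
                    add_unique(self.ldap_ports, port)
                # Python's BaseHTTPServer is only identifiable from its banner.
                if "BaseHTTPServer" in banner:
                    add_unique(self.http_ports, port)
                # Apache is a web server even when nmap labels the service
                # differently; the ignore-list above intentionally does not apply.
                if "Apache" in product and not is_ssl:
                    add_unique(self.http_ports, port)
                if "telnet" in name:
                    add_unique(self.telnet_ports, port)
                if "asterisk" in name:
                    add_unique(self.sip_ports, port)
                if "vnc" in name:
                    add_unique(self.vnc_ports, port)
                if "cassandra" in name:
                    add_unique(self.cassandra_ports, port)
                if "ms-sql" in name:
                    add_unique(self.mssql_ports, port)
                if "mysql" in name:
                    add_unique(self.mysql_ports, port)
                if "finger" in name:
                    add_unique(self.finger_ports, port)
                if "mongod" in name:
                    add_unique(self.mongo_ports, port)
                if "pop3" in name:
                    add_unique(self.pop3_ports, port)
                if "kerberos" in name or "kpasswd" in name:
                    add_unique(self.kerberos_ports, port)
                add_unique(self.banners, banner)
                add_unique(self.all_products, product)

            # Collect the http-title NSE output of every HTTP port (the previous
            # code only looked at the first port's script list).
            for script_list in self.http_script_results:
                for script in script_list:
                    if script["id"] == "http-title":
                        add_unique(self.http_script_title, script["output"])
        except Exception as e:
            # CLI boundary: report and keep whatever was collected; callers test
            # the lists rather than catching exceptions.
            print(
                f"""{c.getPath("nmap", "nmap_full_tcp_xml")} Cannot Parse Full TCP nmap xml file. {e}"""
            )
            return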