def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
threads = []
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
total_req = 8000
if target_type(target) != "HTTP":
target = 'http://' + target
t = threading.Thread(target=analyze,
args=(target, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, retries,
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language,
"trying_message").format(trying, total_req,
num, total,
target_to_host(target), "",
'dir_scan'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec /
0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1:
info(
messages(language,
"nothing_found").format(target, "wappalyzer_scan"))
if verbose_level != 0:
data = json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'wappalyzer_scan',
'DESCRIPTION':
messages(language, "not_found"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('wappalyzer_scan', target))
def login(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename,
curl_tmp_filename, socks_proxy, scan_id, scan_cmd):
exit = 0
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]), username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version, str(
socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
while 1:
flag = 1
try:
curl = pycurl.Curl()
curl.setopt(pycurl.URL, target)
curl.setopt(pycurl.SSL_VERIFYPEER, 0)
curl.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_NTLM)
c.setopt(c.WRITEDATA, curl_tmp_filename)
if timeout_sec is not None:
curl.setopt(pycurl.CONNECTTIMEOUT, timeout_sec)
else:
curl.setopt(pycurl.CONNECTTIMEOUT, 30)
curl.perform()
status_code = curl.getinfo(pycurl.HTTP_CODE)
if status_code != 200:
exit += 1
if exit is retries:
warn(messages(language, "http_ntlm_failed").format(
target, user, passwd, port))
return 1
else:
time.sleep(time_sleep)
continue
elif status_code == 200:
flag = 0
if flag is 0:
info(messages(language, "http_ntlm_success").format(
user, passwd, target, port))
data = json.dumps(
{'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'http_ntlm_brute',
'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute",
'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
except:
exit += 1
if exit is retries:
warn(messages(language, "http_ntlm_failed").format(
target, user, passwd, port))
return 1
else:
time.sleep(time_sleep)
continue
return flag
def check(target, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries,
http_method, socks_proxy, scan_id, scan_cmd):
status_codes = [401, 403]
directory_listing_msgs = ["<title>Index of /", "<a href=\"\\?C=N;O=D\">Name</a>", "Directory Listing for",
"Parent Directory</a>", "Last modified</a>", "<TITLE>Folder Listing.",
"- Browsing directory "]
time.sleep(time_sleep)
try:
if socks_proxy is not None:
socks_version = (
socks.SOCKS5
if socks_proxy.startswith("socks5://")
else socks.SOCKS4
)
socks_proxy = socks_proxy.rsplit("://")[1]
if "@" in socks_proxy:
socks_username = socks_proxy.rsplit(":")[0]
socks_password = socks_proxy.rsplit(":")[1].rsplit("@")[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit("@")[1].rsplit(":")[0]),
int(socks_proxy.rsplit(":")[-1]),
username=socks_username,
password=socks_password,
)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit(":")[0]),
int(socks_proxy.rsplit(":")[1]),
)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
if http_method == "GET":
r = requests.get(
target, timeout=timeout_sec, headers=user_agent
)
elif http_method == "HEAD":
r = requests.head(
target, timeout=timeout_sec, headers=user_agent
)
content = r.content
break
except Exception:
n += 1
if n is retries:
warn(
messages(language, "http_connection_timeout").format(
target
)
)
return 1
if version() == 3:
content = content.decode("utf8")
if r.status_code in status_codes:
log_in_file(thread_tmp_filename, "w", "0", language)
info(
messages(language, "found").format(
target, r.status_code, r.reason
),
log_in_file,
"a",
{
"HOST": target_to_host(target),
"USERNAME": "",
"PASSWORD": "",
"PORT": "",
"TYPE": "admin_scan",
"DESCRIPTION": messages(language, "found").format(
target, r.status_code, r.reason
),
"TIME": now(),
"CATEGORY": "scan",
"SCAN_ID": scan_id,
"SCAN_CMD": scan_cmd,
},
language,
thread_tmp_filename,
)
if r.status_code == 200:
data = {
"HOST": target_to_host(target),
"USERNAME": "",
"PASSWORD": "",
"PORT": "",
"TYPE": "admin_scan",
"DESCRIPTION": messages(language, "directoy_listing").format(
target
),
"TIME": now(),
"CATEGORY": "scan",
"SCAN_ID": scan_id,
"SCAN_CMD": scan_cmd,
}
for dlmsg in directory_listing_msgs:
if dlmsg in content:
info(
messages(language, "directoy_listing").format(target),
log_in_file,
"a",
data,
language,
thread_tmp_filename,
)
__log_into_file(
log_in_file,
"a\
",
json.dumps(data),
language,
)
else:
info(
messages(language, "found").format(
target, r.status_code, r.reason
),
log_in_file,
"a",
{
"HOST": target_to_host(target),
"USERNAME": "",
"PASSWORD": "",
"PORT": "",
"TYPE": "admin_scan",
"DESCRIPTION": messages(language, "found").format(
target, r.status_code, r.reason
),
"TIME": now(),
"CATEGORY": "scan",
"SCAN_ID": scan_id,
"SCAN_CMD": scan_cmd,
},
language,
thread_tmp_filename,
)
break
return True
except Exception:
return False
def login(user, passwd, target, port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
username_field = "username"
password_field = "password"
exit = 0
class BruteParser(HTMLParser):
def __init__(self):
HTMLParser.__init__(self)
self.parsed_results = {}
def handle_starttag(self, tag, attrs):
if tag == "input":
for name, value in attrs:
if name == "name" and value == username_field:
self.parsed_results[username_field] = username_field
if name == "name" and value == password_field:
self.parsed_results[password_field] = password_field
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
while 1:
target_host = str(target) + ":" + str(port)
flag = 1
try:
cookiejar = cookiejar.FileCookieJar("cookies")
opener = urllib2.build_opener(
urllib2.HTTPCookieProcessor(cookiejar))
response = opener.open(target)
page = response.read()
parsed_html = BruteParser()
parsed_html.feed(page)
parsed_html.parsed_results[username_field] = user
parsed_html.parsed_results[password_field] = passwd
post_data = urllib.urlencode(parsed_html.parsed_results).encode()
except:
exit += 1
if exit is retries:
warn(
messages(language, "http_form_auth_failed").format(
target, user, passwd, port))
return 1
else:
time.sleep(time_sleep)
continue
try:
if timeout_sec is not None:
brute_force_response = opener.open(target_host,
data=post_data,
timeout=timeout_sec)
else:
brute_force_response = opener.open(target_host, data=post_data)
if brute_force_response.code == 200:
flag = 0
if flag is 0:
info(
messages(language, "http_form_auth_success").format(
user, passwd, target, port))
data = json.dumps(
{
'HOST': target,
'USERNAME': user,
'PASSWORD': passwd,
'PORT': port,
'TYPE': 'http_form_brute',
'DESCRIPTION': messages(language,
"login_successful"),
'TIME': now(),
'CATEGORY': "brute",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
return flag
except:
exit += 1
if exit is retries:
warn(
messages(language, "http_form_auth_failed").format(
target, user, passwd, port))
return 1
else:
time.sleep(time_sleep)
continue
def __weak_encryption(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
if Algorithm(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
info(messages(language, "target_vulnerable").format(
target, port, 'Weak Encryption Algorithm : sha1WithRSAEncryption'))
__log_into_file(thread_tmp_filename, 'w', '0', language)
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'weak_encryption_algorithm_vuln',
'DESCRIPTION': messages(language, "vulnerable").format('Weak Encryption Algorithm : sha1WithRSAEncryption'), 'TIME': now(),
'CATEGORY': "vuln",
'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd})
__log_into_file(log_in_file, 'a', data, language)
return True
else:
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
from core.targets import target_type
from core.targets import target_to_host
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if target_type(target) == 'HTTP':
target = target_to_host(target)
subs = __get_subs(target,
timeout_sec,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
num,
total,
extra_requirements=extra_requirements)
if len(subs) is 0:
info(messages(language, "no_subdomain_found"))
if len(subs) is not 0:
info(messages(language, "len_subdomain_found").format(len(subs)))
for sub in subs:
if verbose_level > 2:
info(messages(language, "subdomain_found").format(sub))
data = json.dumps({
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'subdomain_scan',
'DESCRIPTION': sub,
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
if len(subs) is 0 and verbose_level is not 0:
data = json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'subdomain_scan',
'DESCRIPTION':
messages(language, "subdomain_found").format(
len(subs), ', '.join(subs) if len(subs) > 0 else 'None'),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
return subs
else:
warn(
messages(language,
"input_target_error").format('subdomain_scan', target))
return []
def connect(host, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd, stealth_flag):
try:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
if target_type(host) == "SINGLE_IPv6":
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0)
else:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if timeout_sec is not None:
s.settimeout(timeout_sec)
if target_type(host) == "SINGLE_IPv6":
s.connect((host, port, 0, 0))
else:
s.connect((host, port))
try:
service_name = "/" + discover_by_port(host,
port,
timeout_sec,
b"ABC\x00\r\n" * 10,
socks_proxy,
external_run=True)
except Exception as _:
service_name = None
if not service_name or service_name == "/UNKNOWN":
try:
service_name = "/" + socket.getservbyport(port)
except Exception:
service_name = ""
info(
messages(language, "port_found").format(host,
str(port) + service_name,
"TCP_CONNECT"),
log_in_file, "a", {
'HOST':
host,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
port,
'TYPE':
'port_scan',
'DESCRIPTION':
messages(language, "port/type").format(
str(port) + service_name, "TCP_CONNECT"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}, language, thread_tmp_filename)
s.close()
return True
except socket.timeout:
try:
service_name = "/" + discover_by_port(host,
port,
timeout_sec,
b"ABC\x00\r\n" * 10,
socks_proxy,
external_run=True)
except Exception as _:
service_name = None
if not service_name or service_name == "/UNKNOWN":
try:
service_name = "/" + socket.getservbyport(port)
except Exception:
service_name = ""
try:
if filter_port(host, port):
info(
messages(language,
"port_found").format(host,
str(port) + service_name,
"TCP_CONNECT"))
data = json.dumps({
'HOST':
host,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
port,
'TYPE':
'port_scan',
'DESCRIPTION':
messages(language, "port/type").format(
str(port) + service_name, "TCP_CONNECT"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + '\n'
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
except:
pass
except:
return False
def all_config_keys():
return {
"language":
"en",
"verbose_level":
0,
"show_version":
False,
"check_update":
False,
"log_in_file":
"results/results_{0}_{1}.html".format(
now(model="%Y_%m_%d_%H_%M_%S"),
''.join(random.choice(string.ascii_lowercase) for x in range(10))),
"graph_flag":
"d3_tree_v1_graph",
"help_menu_flag":
False,
"targets":
None,
"targets_list":
None,
"scan_method":
"all",
"exclude_method":
None,
"users":
None,
"users_list":
None,
"passwds":
None,
"passwds_list":
None,
"ports":
None,
"timeout_sec":
2.0,
"time_sleep":
0.0,
"check_ranges":
False,
"check_subdomains":
False,
"thread_number":
10,
"thread_number_host":
10,
"socks_proxy":
None,
"retries":
3,
"ping_flag":
False,
"methods_args":
None,
"method_args_list":
False,
"startup_check_for_update":
True,
"wizard_mode":
False,
"profile":
None
}
def __Memory_leak(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
if Memory_leak(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
info(messages(language, "target_vulnerable").format(target, port,
'FTP server is prone to a memory leak vulnerability in the file rename function. CVE-2017-16892'))
__log_into_file(thread_tmp_filename, 'w', '0', language)
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'Bftpd_memory_leak_vuln',
'DESCRIPTION': messages(language, "vulnerable").format('FTP server is prone to a memory leak vulnerability in the file rename function. CVE-2017-16892'), 'TIME': now(),
'CATEGORY': "vuln",
'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd})
__log_into_file(log_in_file, 'a', data, language)
return True
else:
return False
def __apache_struts(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
if apache_struts(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
info(messages(language, "target_vulnerable").format(target, port,
'The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. CVE-2017-5638'))
__log_into_file(thread_tmp_filename, 'w', '0', language)
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'apache_struts_vuln',
'DESCRIPTION': messages(language, "vulnerable").format(''), 'TIME': now(),
'CATEGORY': "vuln",
'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd})
__log_into_file(log_in_file, 'a', data, language)
return True
else:
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep,
language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[
extra_requirement] = methods_args[extra_requirement]
extra_requirements = new_extra_requirements
if users is None:
users = extra_requirements["smtp_brute_users"]
if passwds is None:
passwds = extra_requirements["smtp_brute_passwds"]
if ports is None:
ports = extra_requirements["smtp_brute_ports"]
if extra_requirements["smtp_brute_split_user_set_pass"][0] not in ["False", "True"]:
extra_requirements["smtp_brute_split_user_set_pass"][0] = "False"
if target_type(target) == 'HTTP':
target = target_to_host(target)
threads = []
total_req = int(
len(users) * len(passwds) * len(ports) * len(extra_requirements["smtp_brute_split_user_set_pass_prefix"])) \
if extra_requirements["smtp_brute_split_user_set_pass"][0] == "False" \
else int(len(users) * len(ports) * len(extra_requirements["smtp_brute_split_user_set_pass_prefix"]))
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
ports_tmp_filename = '{}/tmp/ports_tmp_'.format(load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
__log_into_file(ports_tmp_filename, 'w', '', language)
ports = test_ports(ports, timeout_sec, target, retries, language, num, total, time_sleep, ports_tmp_filename,
thread_number, total_req, verbose_level, socks_proxy)
trying = 0
if extra_requirements["smtp_brute_split_user_set_pass"][0] == "False":
for port in ports:
for user in users:
for passwd in passwds:
t = threading.Thread(target=login, args=(
user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep,
thread_tmp_filename, socks_proxy,
scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(messages(language, "trying_message").format(trying, total_req, num, total, target, port,
'smtp_brute'))
while 1:
n = 0
for thread in threads:
if thread.isAlive():
n += 1
else:
threads.remove(thread)
if n >= thread_number:
time.sleep(0.01)
else:
break
else:
keyboard_interrupt_flag = False
for port in ports:
for user in users:
for prefix in extra_requirements["smtp_brute_split_user_set_pass_prefix"]:
t = threading.Thread(target=login, args=(user, user.rsplit('@')[0] + prefix, target, port,
timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(messages(language, "trying_message").format(trying, total_req, num, total, target, port,
'smtp_brute'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
break
else:
break
# wait for threads
kill_switch = 0
kill_time = int(
timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1 and verbose_level != 0:
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'smtp_brute',
'DESCRIPTION': messages(language, "no_user_passwords"), 'TIME': now(), 'CATEGORY': "brute",
'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(messages(language, "input_target_error").format(target))
def login(user, passwd, target, port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy):
exit = 0
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
while 1:
try:
if timeout_sec is not None:
tn = telnetlib.Telnet(target, timeout=timeout_sec)
else:
tn = telnetlib.Telnet(target)
exit = 0
break
except:
exit += 1
if exit is retries:
warn(
messages(language, 182).format(target, port, user, passwd))
return 1
time.sleep(time_sleep)
flag = 1
try:
tn.read_until("login: "******"\n")
tn.read_until("Password: "******"\n")
flag = 0
except:
pass
if flag is 0:
info(messages(language, 70).format(user, passwd, target, port))
data = json.dumps({
'HOST': target,
'USERNAME': user,
'PASSWORD': passwd,
'PORT': port,
'TYPE': 'telnet_brute',
'DESCRIPTION': messages(language, 66),
'TIME': now(),
'CATEGORY': "brute"
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
else:
pass
return flag
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep,
language, verbose_level, show_version, check_update, socks_proxy, retries, ping_flag,
methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(target) != 'HTTP':
# output format
time.sleep(time_sleep)
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]), username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
# set user agent
headers = {"User-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0",
"Accept": "text/javascript, text/html, application/xml, text/xml, */*",
"Accept-Language": "en-US,en;q=0.5"
}
# timeout check
if ping_flag and do_one_ping(target_to_host(target), timeout_sec, 8) is None:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]), username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
warn(messages(language, 100).format(target_to_host(target), 'viewdns_reverse_ip_lookup_scan'))
return None
total_req = 1
trying = 1
info(messages(language, 113).format(trying, total_req, num, total, target, 'viewdns ip lookup'))
n = 0
while 1:
try:
res = requests.get('http://viewdns.info/reverseip/?host={0}&t=1'.format(target), timeout=timeout_sec,
headers=headers, verify=True).text
break
except:
n += 1
if n is retries:
warn(messages(language, 106).format("viewdns.info"))
return 1
_values = []
try:
s = '<table>' + res.rsplit('''<table border="1">''')[1].rsplit("<br></td></tr><tr></tr>")[0]
table = ET.XML(s)
rows = iter(table)
headers = [col.text for col in next(rows)]
for row in rows:
values = [col.text for col in row]
_values.append(dict(zip(headers, values))["Domain"])
except:
pass
info(messages(language, 114).format(len(_values), ", ".join(_values) if len(_values) > 0 else "None"))
if len(_values) > 0:
save = open(log_in_file, 'a')
save.write(json.dumps(
{'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'viewdns_reverse_ip_lookup_scan',
'DESCRIPTION': messages(language, 114).format(len(_values), ", ".join(_values) if len(
_values) > 0 else "None"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd}) + '\n')
save.close()
if verbose_level is not 0:
save = open(log_in_file, 'a')
save.write(json.dumps(
{'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'viewdns_reverse_ip_lookup_scan',
'DESCRIPTION': messages(language, 114).format(len(_values), ", ".join(_values) if len(
_values) > 0 else "None"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd}) + '\n')
save.close()
else:
warn(messages(language, 69).format('viewdns_reverse_ip_lookup_scan', target))
def __xmlrpc_pingback(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
if xmlrpc_pingback(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
info(messages(language, "target_vulnerable").format(target, port,
'Wordpress XMLRPC pingback Vulnerability'))
__log_into_file(thread_tmp_filename, 'w', '0', language)
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'Wordpress_xmlrpc_pingback_vuln',
'DESCRIPTION': messages(language, "vulnerable").format('Wordpress XMLRPC pingback Vulnerability'), 'TIME': now(),
'CATEGORY': "vuln",
'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd})
__log_into_file(log_in_file, 'a', data, language)
return True
else:
return False
def sort_logs(log_in_file, language, graph_flag, scan_id, scan_cmd, verbose_level, api_flag, profile, scan_method,
ports):
"""
sort all events, create log file in HTML/TEXT/JSON and remove old logs
Args:
log_in_file: output filename
language: language
graph_flag: graph name
scan_id: scan hash id
scan_cmd: scan cmd
verbose_level: verbose level number
api_flag: API flag
profile: profiles
scan_method: module names
ports: ports
Returns:
True if success otherwise None
"""
_HOST = messages(language, "HOST")
_USERNAME = messages(language, "USERNAME")
_PASSWORD = messages(language, "PASSWORD")
_PORT = messages(language, "PORT")
_TYPE = messages(language, "TYPE")
_DESCRIPTION = messages(language, "DESCRIPTION")
_TIME = messages(language, "TIME")
events_num = 0
report_type = ""
JSON_FROM_DB = __logs_by_scan_id(scan_id, language)
JSON_Data = sorted(JSON_FROM_DB, key=sorted)
if compatible.version() == 2:
import sys
reload(sys)
sys.setdefaultencoding('utf8')
if (len(log_in_file) >= 5 and log_in_file[-5:] == '.html') or (
len(log_in_file) >= 4 and log_in_file[-4:] == '.htm'):
report_type = "HTML"
data = sorted(JSON_FROM_DB, key=lambda x: sorted(x.keys()))
# if user want a graph
_graph = ''
for i in data:
if(i["DESCRIPTION"]):
i["DESCRIPTION"] = html.escape(i["DESCRIPTION"])
break;
if graph_flag is not None:
_graph = build_graph(graph_flag, language, data, 'HOST', 'USERNAME', 'PASSWORD', 'PORT', 'TYPE',
'DESCRIPTION')
from lib.html_log import _log_data
_css = _log_data.css_1
_table = _log_data.table_title.format(_graph, _css, _HOST, _USERNAME, _PASSWORD, _PORT, _TYPE, _DESCRIPTION,
_TIME)
for value in data:
_table += _log_data.table_items.format(value['HOST'], value['USERNAME'], value['PASSWORD'],
value['PORT'], value['TYPE'], value['DESCRIPTION'], value['TIME'])
events_num += 1
_table += _log_data.table_end + '<p class="footer">' + messages(language, "nettacker_version_details") \
.format(compatible.__version__, compatible.__code_name__, now()) + '</p>'
__log_into_file(log_in_file, 'w' if type(_table) ==
str else 'wb', _table, language, final=True)
elif len(log_in_file) >= 5 and log_in_file[-5:] == '.json':
graph_flag = ""
report_type = "JSON"
data = json.dumps(JSON_Data)
events_num = len(JSON_Data)
__log_into_file(log_in_file, 'w', data, language, final=True)
elif len(log_in_file)>=5 and log_in_file[-4:] == '.csv':
graph_flag = ""
report_type = "CSV"
keys = JSON_Data[0].keys()
data = json.dumps(JSON_Data)
events_num = len(JSON_Data)
with open(log_in_file, 'a') as csvfile:
writer = csv.DictWriter(csvfile, fieldnames=keys)
writer.writeheader()
for i in JSON_Data:
dicdata = {key: value for key, value in i.items()
if key in keys}
writer.writerow(dicdata)
else:
graph_flag = ""
report_type = "TEXT"
data, events_num = __build_texttable(JSON_FROM_DB, _HOST, _USERNAME, _PASSWORD, _PORT, _TYPE,
_DESCRIPTION, _TIME, language)
__log_into_file(log_in_file, 'wb', data, language, final=True)
data = data if report_type == "TEXT" else __build_texttable(JSON_FROM_DB, _HOST, _USERNAME, _PASSWORD, _PORT, _TYPE,
_DESCRIPTION, _TIME, language)[0]
info(messages(language, "updating_database"))
category = []
for sm in scan_method:
if sm.rsplit("_")[-1] not in category:
category.append(sm.rsplit("_")[-1])
category = ",".join(list(set(category)))
scan_method = ",".join(scan_method)
if ports is None:
ports = "default"
submit_report_to_db(now(), scan_id, log_in_file, events_num, 0 if verbose_level == 0 else 1, api_flag, report_type,
graph_flag, category, profile, scan_method, language, scan_cmd, ports)
info(messages(language, "removing_logs_db"))
hosts = []
for log in JSON_Data:
if log["HOST"] not in hosts:
hosts.append(log["HOST"])
for host in hosts:
for sm in scan_method.rsplit(','):
remove_old_logs(host, sm, scan_id, language)
# info(messages(language,"inserting_logs_db"))
# for log in JSON_Data:
# submit_logs_to_db(language, log)
if events_num:
info(messages(language, "summary_report"))
write(data)
else:
info(messages(language, "no_event_found"))
info(messages(language, "file_saved").format(log_in_file))
return True
def __go_for_attacks(targets, check_ranges, check_subdomains, log_in_file,
time_sleep, language, verbose_level, retries, socks_proxy,
users, passwds, timeout_sec, thread_number, ports,
ping_flag, methods_args, backup_ports, scan_method,
thread_number_host, graph_flag, profile, api_flag):
"""
preparing for attacks and managing multi-processing for host
Args:
targets: list of calculated targets
check_ranges: check IP range flag
check_subdomains: check subdomain flag
log_in_file: output filename
time_sleep: time sleep seconds
language: language
verbose_level: verbose level number
retries: retries number
socks_proxy: socks proxy address
users: usernames
passwds: passwords
timeout_sec: timeout seconds
thread_number: thread numbers
ports: port numbers
ping_flag: ping before scan flag
methods_args: method args for modules
backup_ports: port numbers (backup)
scan_method: selected module names
thread_number_host: threads for hosts scan
graph_flag: graph name
profile: profile name
api_flag: API flag
Returns:
True when it ends
"""
suff = now(model="%Y_%m_%d_%H_%M_%S") + "".join(
random.choice(string.ascii_lowercase) for x in range(10))
subs_temp = "{}/tmp/subs_temp_".format(load_file_path()) + suff
range_temp = "{}/tmp/ranges_".format(load_file_path()) + suff
total_targets = -1
for total_targets, _ in enumerate(
analysis(targets, check_ranges, check_subdomains, subs_temp,
range_temp, log_in_file, time_sleep, language,
verbose_level, retries, socks_proxy, True)):
pass
total_targets += 1
total_targets = total_targets * len(scan_method)
try:
os.remove(range_temp)
except:
pass
range_temp = "{}/tmp/ranges_".format(load_file_path()) + suff
targets = analysis(targets, check_ranges, check_subdomains, subs_temp,
range_temp, log_in_file, time_sleep, language,
verbose_level, retries, socks_proxy, False)
trying = 0
scan_id = "".join(random.choice("0123456789abcdef") for x in range(32))
scan_cmd = messages(language, 158) if api_flag else " ".join(sys.argv)
for target in targets:
for sm in scan_method:
trying += 1
p = multiprocessing.Process(
target=start_attack,
args=(str(target).rsplit()[0], trying, total_targets, sm,
users, passwds, timeout_sec, thread_number, ports,
log_in_file, time_sleep, language, verbose_level,
socks_proxy, retries, ping_flag, methods_args, scan_id,
scan_cmd))
p.name = str(target) + "->" + sm
p.start()
while 1:
n = 0
processes = multiprocessing.active_children()
for process in processes:
if process.is_alive():
n += 1
else:
processes.remove(process)
if n >= thread_number_host:
time.sleep(0.01)
else:
break
_waiting_for = 0
while 1:
try:
exitflag = True
if len(multiprocessing.active_children()) is not 0:
exitflag = False
_waiting_for += 1
if _waiting_for > 3000:
_waiting_for = 0
info(
messages(language, 138).format(", ".join(
[p.name for p in multiprocessing.active_children()])))
time.sleep(0.01)
if exitflag:
break
except KeyboardInterrupt:
for process in multiprocessing.active_children():
process.terminate()
break
info(messages(language, 42))
os.remove(subs_temp)
os.remove(range_temp)
info(messages(language, 43))
sort_logs(log_in_file, language, graph_flag, scan_id, scan_cmd,
verbose_level, 0, profile, scan_method, backup_ports)
write("\n")
info(messages(language, 44))
write("\n\n")
finish()
return True
def login(user, passwd, target, port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
exit = 0
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
while 1:
try:
if timeout_sec is not None:
server = smtplib.SMTP(target, int(port), timeout=timeout_sec)
else:
server = smtplib.SMTP(target, int(port))
server.starttls()
exit = 0
break
except:
exit += 1
if exit is retries:
warn(
messages(language, "smtp_connection_timeout").format(
target, port, user, passwd))
return 1
time.sleep(time_sleep)
flag = 1
try:
server.login(user, passwd)
flag = 0
except smtplib.SMTPException as err:
pass
if flag is 0:
info(
messages(language,
"user_pass_found").format(user, passwd, target, port))
data = json.dumps({
'HOST': target,
'USERNAME': user,
'PASSWORD': passwd,
'PORT': port,
'TYPE': 'smtp_brute',
'DESCRIPTION': messages(language, "login_successful"),
'TIME': now(),
'CATEGORY': "brute",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
else:
pass
try:
server.quit()
except:
pass
return flag
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = [
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
"Googlebot/2.1 ( http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04"
" Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13",
"Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620",
"Debian APT-HTTP/1.3 (0.8.10.3)",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Googlebot/2.1 (+http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; "
"http://help.yahoo.com/help/us/shop/merchant/)",
"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
"msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
]
http_methods = ["GET", "HEAD"]
user_agent = {'User-agent': random.choice(user_agent_list)}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if extra_requirements["dir_scan_http_method"][0] not in http_methods:
warn(messages(language, "dir_scan_get"))
extra_requirements["dir_scan_http_method"] = ["GET"]
random_agent_flag = True
if extra_requirements["dir_scan_random_agent"][0] == "False":
random_agent_flag = False
threads = []
total_req = len(extra_requirements["dir_scan_list"])
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) != "HTTP":
target = 'http://' + target
if test(str(target), retries, timeout_sec, user_agent,
extra_requirements["dir_scan_http_method"][0], socks_proxy,
verbose_level, trying, total_req, total, num, language) is 0:
keyboard_interrupt_flag = False
for idir in extra_requirements["dir_scan_list"]:
if random_agent_flag:
user_agent = {'User-agent': random.choice(user_agent_list)}
t = threading.Thread(
target=check,
args=(target + '/' + idir, user_agent, timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, retries,
extra_requirements["dir_scan_http_method"][0],
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total,
target_to_host(target), "default_port",
'dir_scan'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
warn(messages(language, "open_error").format(target))
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1:
info(
messages(language,
"directory_file_404").format(target, "default_port"))
if verbose_level is not 0:
data = json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'dir_scan',
'DESCRIPTION':
messages(language, "no_open_ports"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('dir_scan', target))
def stealth(host, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd, stealth_flag):
try:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
src_port = RandShort()
stealth_scan_resp = sr1(IP(dst=host) /
TCP(sport=src_port, dport=port, flags="S"),
timeout=int(timeout_sec))
if (str(type(stealth_scan_resp)) == "<type 'NoneType'>"):
# "Filtered"
pass
elif (stealth_scan_resp.haslayer(TCP)):
if (stealth_scan_resp.getlayer(TCP).flags == 0x12):
# send_rst = sr(IP(dst=host) / TCP(sport=src_port, dport=port, flags="R"), timeout=timeout_sec)
try:
service_name = "/" + discover_by_port(host,
port,
timeout_sec,
b"ABC\x00\r\n" * 10,
socks_proxy,
external_run=True)
except Exception as _:
service_name = None
if not service_name or service_name == "/UNKNOWN":
try:
service_name = "/" + socket.getservbyport(port)
except Exception:
service_name = ""
data = json.dumps({
'HOST':
host,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
port,
'TYPE':
'port_scan',
'DESCRIPTION':
messages(language, "port/type").format(
str(port) + service_name, "STEALTH"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + '\n'
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
elif (stealth_scan_resp.getlayer(TCP).flags == 0x14):
# "Closed"
pass
elif (stealth_scan_resp.haslayer(ICMP)):
if (int(stealth_scan_resp.getlayer(ICMP).type) == 3
and int(stealth_scan_resp.getlayer(ICMP).code)
in [1, 2, 3, 9, 10, 13]):
pass
else:
# "CHECK"
pass
return True
except:
return False
def check(target, user_agent, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, retries, http_method, socks_proxy, scan_id,
scan_cmd):
status_codes = [200, 401, 403]
directory_listing_msgs = [
"<title>Index of /", "<a href=\"\\?C=N;O=D\">Name</a>",
"Directory Listing for", "Parent Directory</a>", "Last modified</a>",
"<TITLE>Folder Listing.", "- Browsing directory "
]
time.sleep(time_sleep)
try:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
if http_method == "GET":
r = requests.get(target,
timeout=timeout_sec,
headers=user_agent)
elif http_method == "HEAD":
r = requests.head(target,
timeout=timeout_sec,
headers=user_agent)
content = r.content
break
except:
n += 1
if n is retries:
warn(
messages(language,
"http_connection_timeout").format(target))
return 1
if version() is 3:
content = content.decode('utf8')
if r.status_code in status_codes:
info(
messages(language, "found").format(target, r.status_code,
r.reason))
__log_into_file(thread_tmp_filename, 'w', '0', language)
data = json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
"",
'TYPE':
'dir_scan',
'DESCRIPTION':
messages(language, "found").format(target, r.status_code,
r.reason),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
if r.status_code is 200:
for dlmsg in directory_listing_msgs:
if dlmsg in content:
info(
messages(language,
"directoy_listing").format(target))
data = json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
"",
'TYPE':
'dir_scan',
'DESCRIPTION':
messages(language,
"directoy_listing").format(target),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
break
return True
except:
return False
def login(user, passwd, target, port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
exit = 0
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
while 1:
try:
creds = user + ":" + passwd
HEADERS["Authorization"] = "Basic " + base64.b64encode(
creds.encode()).decode()
req = requests.get(target,
timeout=timeout_sec,
headers=HEADERS,
verify=False)
flag = 1
if req.status_code in CODES:
exit += 1
if exit == retries:
warn(
messages(language, "http_auth_failed").format(
target, user, passwd, port))
return 1
else:
time.sleep(time_sleep)
continue
elif req.status_code not in CODES:
flag = 0
if flag == 0:
info(
messages(language, "http_auth_success").format(
user, passwd, target, port))
data = json.dumps(
{
'HOST': target,
'USERNAME': user,
'PASSWORD': passwd,
'PORT': port,
'TYPE': 'http_basic_auth_brute',
'DESCRIPTION': messages(language,
"login_successful"),
'TIME': now(),
'CATEGORY': "brute",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
break
except Exception:
# logging.exception("message")
exit += 1
if exit == retries:
warn(
messages(language, "http_auth_failed").format(
target, user, passwd, port))
return 1
else:
time.sleep(time_sleep)
continue
return flag
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language,
verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = [
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
"Googlebot/2.1 ( http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04"
" Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13",
"Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620",
"Debian APT-HTTP/1.3 (0.8.10.3)",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Googlebot/2.1 (+http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; "
"http://help.yahoo.com/help/us/shop/merchant/)",
"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
"msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
]
user_agent = {'User-agent': random.choice(user_agent_list)}
limit = 1000
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[extra_requirement]
extra_requirements = new_extra_requirements
random_agent_flag = True
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_random_agent"][0] != "True":
random_agent_flag = False
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_no_limit"][0] != "False":
limit = -1
threads = []
total_req = limit
filepath = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) == 'SINGLE_IPv4' or target_type(target) == 'DOMAIN':
url = 'http://{0}/'.format(target)
else:
if target.count(':') > 1:
__die_failure(messages(language, 105))
http = target.rsplit('://')[0]
host = target_to_host(target)
path = "/".join(target.replace('http://', '').replace('https://', '').rsplit('/')[1:])
url = http + '://' + host + '/' + path
if test(url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num,
language, False, log_in_file, scan_id, scan_cmd, thread_tmp_filename) is not 0:
warn(messages(language, 109).format(url))
return
info(messages(language, 177).format(target))
n = 0
t = threading.Thread(target=test,
args=(
url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req,
total, num, language, True, log_in_file, scan_id, scan_cmd, thread_tmp_filename))
t.start()
keyboard_interrupt_flag = False
while (n != limit):
n += 1
if random_agent_flag:
user_agent = {'User-agent': random.choice(user_agent_list)}
t = threading.Thread(target=send_dos,
args=(url, user_agent, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, retries, socks_proxy, scan_id,
scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(messages(language, 72).format(trying, total_req, num, total, target_to_host(target), port,
'wordpress_dos_cve_2018_6389_vuln'))
try:
if int(open(thread_tmp_filename).read().rsplit()[0]) is 0:
if limit is not -1:
break
except:
pass
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 2 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1:
info(messages(language, 141).format("wordpress_dos_cve_2018_6389_vuln"))
if verbose_level is not 0:
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '',
'TYPE': 'wordpress_dos_cve_2018_6389_vuln',
'DESCRIPTION': messages(language, 141).format("wordpress_dos_cve_2018_6389_vuln"),
'TIME': now(), 'CATEGORY': "scan",
'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(messages(language, 69).format('wordpress_dos_cve_2018_6389_vuln', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, ping_flag, methods_args, scan_id,
scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if ports is None:
ports = extra_requirements["tcp_connect_port_scan_ports"]
if target_type(target) == 'HTTP':
target = target_to_host(target)
if ping_flag:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
warn(messages(language, 100).format(target, 'heartbleed_vuln'))
if do_one_ping(target, timeout_sec, 8) is None:
return None
threads = []
max = thread_number
total_req = len(ports)
thread_tmp_filename = 'tmp/thread_tmp_' + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
thread_write = open(thread_tmp_filename, 'w')
thread_write.write('1')
thread_write.close()
trying = 0
for port in ports:
port = int(port)
t = threading.Thread(target=connect,
args=(target, int(port), timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy,
scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level is not 0:
info(
messages(language,
72).format(trying, total_req, num, total, target,
port, 'tcp_connect_port_scan'))
while 1:
try:
if threading.activeCount() >= max:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
break
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1 and verbose_level is not 0:
save = open(log_in_file, 'a')
save.write(
json.dumps({
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'tcp_connect_port_scan',
'DESCRIPTION': messages(language, 94),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + '\n')
save.close()
os.remove(thread_tmp_filename)
else:
warn(messages(language, 69).format('tcp_connect_port_scan', target))
def test(target, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total,
num, language, dos_flag, log_in_file, scan_id, scan_cmd, thread_tmp_filename):
if verbose_level > 3:
info(messages(language, 72).format(trying, total_req, num, total, target_to_host(target), '',
'wordpress_dos_cve_2018_6389_vuln'))
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]), username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
r = requests.get(target, timeout=timeout_sec, headers=user_agent).content
return 0
except:
n += 1
if n is retries:
if dos_flag:
__log_into_file(thread_tmp_filename, 'w', '0', language)
info(messages(language, 139).format("wordpress_dos_cve_2018_6389_vuln"))
data = json.dumps({'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '',
'TYPE': 'wordpress_dos_cve_2018_6389_vuln',
'DESCRIPTION': messages(language, 139).format(
"wordpress_dos_cve_2018_6389_vuln"), 'TIME': now(), 'CATEGORY': "scan",
'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd})
__log_into_file(log_in_file, 'a', data, language)
return 1
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep,
language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(target) != 'HTTP':
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[
extra_requirement] = methods_args[extra_requirement]
extra_requirements = new_extra_requirements
if users is None:
users = extra_requirements["http_ntlm_brute_users"]
if passwds is None:
passwds = extra_requirements["http_ntlm_brute_passwds"]
if ports is None:
ports = extra_requirements["http_ntlm_brute_ports"]
if target.lower().startswith('http://') or target.lower().startswith('https://'):
pass
else:
target = 'http://' + str(target)
threads = []
total_req = len(users) * len(passwds)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
curl_tmp_filename = '{}/tmp/ports_tmp_'.format(load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
__log_into_file(curl_tmp_filename, 'w', '', language)
trying = 0
keyboard_interrupt_flag = False
for port in ports:
if check_auth(target, timeout_sec, language, port):
continue
for user in users:
for passwd in passwds:
t = threading.Thread(target=login,
args=(
user, passwd, target, port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, curl_tmp_filename, socks_proxy,
scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(messages(language, "trying_message").format(trying, total_req, num, total,
target, port, 'http_ntlm_brute'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
if keyboard_interrupt_flag:
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(
timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(
open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1 and verbose_level is not 0:
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '',
'TYPE': 'http_ntlm_brute', 'DESCRIPTION': messages(language, "no_user_passwords"), 'TIME': now(),
'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
os.remove(curl_tmp_filename)
else:
warn(messages(language, "input_target_error").format(
'http_ntlm_brute', target))
def access_log(response):
if app.config["OWASP_NETTACKER_CONFIG"]["api_access_log"]:
r_log = open(app.config["OWASP_NETTACKER_CONFIG"]["api_access_log_filename"], "ab")
# if you need to log POST data
# r_log.write(
# '{0} [{1}] {2} "{3} {4}" {5} {6} {7}\r\n'.format(flask_request.remote_addr, now(), flask_request.host,
# flask_request.method, flask_request.full_path,
# flask_request.user_agent, response.status_code,
# json.dumps(flask_request.form)))
r_log.write('{0} [{1}] {2} "{3} {4}" {5} {6}\r\n'.format(flask_request.remote_addr, now(), flask_request.host,
flask_request.method, flask_request.full_path,
flask_request.user_agent, response.status_code))
r_log.close()
return response
def start(
target,
users,
passwds,
ports,
timeout_sec,
thread_number,
num,
total,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
methods_args,
scan_id,
scan_cmd,
): # Main function
if (
target_type(target) != "SINGLE_IPv4"
or target_type(target) != "DOMAIN"
or target_type(target) != "HTTP"
or target_type(target) != "SINGLE_IPv6"
):
# rand useragent
user_agent_list = useragents.useragents()
http_methods = ["GET", "HEAD"]
user_agent = {"User-agent": random.choice(user_agent_list)}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement
]
extra_requirements = new_extra_requirements
if extra_requirements["admin_scan_http_method"][0] not in http_methods:
warn(messages(language, "admin_scan_get"))
extra_requirements["admin_scan_http_method"] = ["GET"]
random_agent_flag = True
if extra_requirements["admin_scan_random_agent"][0] == "False":
random_agent_flag = False
threads = []
total_req = len(extra_requirements["admin_scan_list"])
thread_tmp_filename = "{}/tmp/thread_tmp_".format(
load_file_path()
) + "".join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20)
)
__log_into_file(thread_tmp_filename, "w", "1", language)
trying = 0
if target_type(target) != "HTTP":
target = 'http://' + target
if test(str(target), retries, timeout_sec, user_agent, extra_requirements["admin_scan_http_method"][0],
socks_proxy, verbose_level, trying, total_req, total, num, language) == 0:
keyboard_interrupt_flag = False
for idir in extra_requirements["admin_scan_list"]:
# time.sleep(0.001)
if random_agent_flag:
user_agent = {'User-agent': random.choice(user_agent_list)}
if target.endswith("/"):
target = target[:-1]
if idir.startswith("/"):
idir = idir[1:]
t = threading.Thread(target=check,
args=(
target + "/" + idir, user_agent, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, retries,
extra_requirements[
"admin_scan_http_method"][0],
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying,
total_req,
num,
total,
target_to_host(target),
"default_port",
"admin_scan",
)
)
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
warn(messages(language, "open_error").format(target))
# wait for threads
kill_switch = 0
kill_time = (
int(timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1
)
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1:
if verbose_level != 0:
data = {'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'admin_scan',
'DESCRIPTION': messages(language, "directory_file_404").format(target, "default_port"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd}
info(messages(language, "directory_file_404").format(
target, "default_port"), log_in_file, "a",
data, language, thread_tmp_filename)
__log_into_file(log_in_file, 'a', json.dumps(data), language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language, "input_target_error").format(
"admin_scan", target
)
)
def _core_default_config():
return {
"language":
"en",
"verbose_level":
0,
"show_version":
False,
"check_update":
False,
"log_in_file":
"{0}/results_{1}_{2}.html".format(
default_paths()["results_path"], now(model="%Y_%m_%d_%H_%M_%S"),
"".join(random.choice(string.ascii_lowercase) for x in range(10))),
"graph_flag":
"d3_tree_v2_graph",
"help_menu_flag":
False,
"targets":
None,
"targets_list":
None,
"scan_method":
"all",
"exclude_method":
None,
"users":
None,
"users_list":
None,
"passwds":
None,
"passwds_list":
None,
"ports":
None,
"timeout_sec":
2.0,
"time_sleep":
0.0,
"check_ranges":
False,
"check_subdomains":
False,
"thread_number":
10,
"thread_number_host":
10,
"socks_proxy":
None,
"retries":
3,
"ping_flag":
False,
"methods_args":
None,
"method_args_list":
False,
"startup_check_for_update":
True,
"wizard_mode":
False,
"profile":
None,
"start_api":
False,
"api_host":
_api_default_config()["api_host"],
"api_port":
_api_default_config()["api_port"],
"api_debug_mode":
_api_default_config()["api_debug_mode"],
"api_access_key":
_api_default_config()["api_access_key"],
"api_client_white_list":
_api_default_config()["api_client_white_list"]["enabled"],
"api_client_white_list_ips":
_api_default_config()["api_client_white_list"]["ips"],
"api_access_log":
_api_default_config()["api_access_log"]["enabled"],
"api_access_log_filename":
_api_default_config()["api_access_log"]["filename"],
"api_db_name":
_api_default_config()["api_db_name"],
"home_path":
default_paths()["home_path"],
"tmp_path":
default_paths()["tmp_path"],
"results_path":
default_paths()["results_path"]
}
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if ports is None:
ports = extra_requirements["cms_detection_ports"]
if target_type(target) == 'HTTP':
target = target_to_host(target)
threads = []
total_req = len(ports)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
keyboard_interrupt_flag = False
for port in ports:
port = int(port)
t = threading.Thread(target=__cms_detection,
args=(target, int(port), timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy,
scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language,
"trying_message").format(trying, total_req, num,
total, target, port,
'cms_detection_scan'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1 and verbose_level is not 0:
info(messages(language, "not_found"))
data = json.dumps({
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'cms_detection_scan',
'DESCRIPTION': messages(language, "not_found"),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('cms_detection_scan',
target))
def login(user, passwd, target, port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
exit = 0
flag = 1
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
while 1:
try:
paramiko.Transport((target, int(port)))
paramiko_logger = logging.getLogger("paramiko.transport")
paramiko_logger.disabled = True
flag = 0
exit = 0
break
except:
exit += 1
if exit is retries:
warn(
messages(language, 76).format(target, str(port), user,
passwd))
return 1
time.sleep(time_sleep)
if flag is 0:
try:
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
if timeout_sec is not None:
ssh.connect(hostname=target,
username=user,
password=passwd,
port=int(port),
timeout=timeout_sec)
else:
ssh.connect(hostname=target,
username=user,
password=passwd,
port=int(port))
info(messages(language, 70).format(user, passwd, target, port))
save = open(log_in_file, 'a')
save.write(
json.dumps({
'HOST': target,
'USERNAME': user,
'PASSWORD': passwd,
'PORT': port,
'TYPE': 'ssh_brute',
'DESCRIPTION': messages(language, 66),
'TIME': now(),
'CATEGORY': "brute",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + '\n')
save.close()
thread_write = open(thread_tmp_filename, 'w')
thread_write.write('0')
thread_write.close()
except:
pass
else:
pass
return flag
