def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function from core.targets import target_type from core.targets import target_to_host if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements if target_type(target) == 'HTTP': target = target_to_host(target) subs = __get_subs(target, timeout_sec, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, num, total, extra_requirements=extra_requirements) if len(subs) is 0: info(messages(language, "no_subdomain_found")) if len(subs) is not 0: info(messages(language, "len_subdomain_found").format(len(subs))) for sub in subs: if verbose_level > 2: info(messages(language, "subdomain_found").format(sub)) data = json.dumps({ 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan', 'DESCRIPTION': sub, 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) if len(subs) is 0 and verbose_level is not 0: data = json.dumps({ 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan', 'DESCRIPTION': messages(language, "subdomain_found").format( len(subs), ', '.join(subs) if len(subs) > 0 else 'None'), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) return subs else: warn( messages(language, "input_target_error").format('subdomain_scan', target)) return []
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent user_agent_list = [ "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5", "Googlebot/2.1 ( http://www.googlebot.com/bot.html)", "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04" " Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13", "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)", "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51", "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620", "Debian APT-HTTP/1.3 (0.8.10.3)", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "Googlebot/2.1 (+http://www.googlebot.com/bot.html)", "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)", "YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; " "http://help.yahoo.com/help/us/shop/merchant/)", "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)", "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)", "msnbot/1.1 (+http://search.msn.com/msnbot.htm)" ] http_methods = ["GET", "HEAD"] user_agent = {'User-agent': random.choice(user_agent_list)} # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements if extra_requirements["wp_theme_scan_http_method"][ 0] not in http_methods: warn(messages(language, "wp_theme_scan_get")) extra_requirements["wp_theme_scan_http_method"] = ["GET"] random_agent_flag = True if extra_requirements["wp_theme_scan_random_agent"][0] == "False": random_agent_flag = False threads = [] if verbose_level > 3: total_req = len(themes.themes()) else: total_req = len(small_themes.themes()) thread_tmp_filename = '{}/tmp/thread_tmp_'.format( load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 if target_type(target) != "HTTP": target = 'https://' + target if test(str(target), retries, timeout_sec, user_agent, extra_requirements["wp_theme_scan_http_method"][0], socks_proxy, verbose_level, trying, total_req, total, num, language) is 0: keyboard_interrupt_flag = False if verbose_level > 3: scan_list = themes.themes() else: scan_list = small_themes.themes() for idir in scan_list: idir = "/wp-content/themes/" + idir if random_agent_flag: user_agent = {'User-agent': random.choice(user_agent_list)} t = threading.Thread( target=check, args=(target + '/' + idir, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, extra_requirements["wp_theme_scan_http_method"][0], socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, "trying_message").format( trying, total_req, num, total, target_to_host(target), "default_port", 'wp_theme_scan')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break else: warn(messages(language, "open_error").format(target)) # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() is 1 or kill_switch is kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write is 1: info( messages(language, "directory_file_404").format(target, "default_port")) if verbose_level is not 0: data = json.dumps({ 'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wp_theme_scan', 'DESCRIPTION': messages(language, "no_open_ports"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn( messages(language, "input_target_error").format('wp_theme_scan', target))
def analysis(targets, check_ranges, check_subdomains, subs_temp, range_temp, log_in_file, time_sleep, language, verbose_level, retries, socks_proxy, enumerate_flag): """ analysis and calulcate targets. Args: targets: targets check_ranges: check IP range flag check_subdomains: check subdomain flag subs_temp: subdomain temp filename range_temp: IP range tmp filename log_in_file: output filename time_sleep: time to sleep language: language verbose_level: verbose level number retries: retries number socks_proxy: socks proxy enumerate_flag: enumerate flag Returns: a generator """ __log_into_file(range_temp, 'a', '', language) __log_into_file(subs_temp, 'a', '', language) for target in targets: if target_type(target) == 'SINGLE_IPv4': if check_ranges: if not enumerate_flag: info(messages(language, "checking_range").format(target)) IPs = IPRange(getIPRange(target), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IP in IPm: yield IP else: if not enumerate_flag: info(messages(language, "target_submitted").format(target)) yield target elif target_type(target) == 'SINGLE_IPv6': yield target elif target_type(target) == 'RANGE_IPv4' or target_type( target) == 'CIDR_IPv4': IPs = IPRange(target, range_temp, language) if not enumerate_flag: info(messages(language, "checking").format(target)) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IP in IPm: yield IP elif target_type(target) == 'DOMAIN': if check_subdomains: if check_ranges: if enumerate_flag: info(messages(language, "checking").format(target)) sub_domains = json.loads(open(subs_temp).read()) if len(open(subs_temp).read()) > 2 else \ __get_subs(target, 3, '', 0, language, 0, socks_proxy, 3, 0, 0) if len(open(subs_temp).read()) is 0: __log_into_file(subs_temp, 'a', json.dumps(sub_domains), language) if target not in sub_domains: sub_domains.append(target) for target in sub_domains: if not enumerate_flag: info( messages(language, "target_submitted").format(target)) yield target n = 0 err = 0 IPs = [] while True: try: IPs.append(socket.gethostbyname(target)) err = 0 n += 1 if n is 12: break except: err += 1 if err is 3 or n is 12: break IPz = list(set(IPs)) for IP in IPz: if not enumerate_flag: info( messages(language, "checking_range").format(IP)) IPs = IPRange(getIPRange(IP), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IPn in IPm: yield IPn else: if enumerate_flag: info(messages(language, "checking").format(target)) sub_domains = json.loads(open(subs_temp).read()) if len(open(subs_temp).read()) > 2 else \ __get_subs(target, 3, '', 0, language, 0, socks_proxy, 3, 0, 0) if len(open(subs_temp).read()) is 0: __log_into_file(subs_temp, 'a', json.dumps(sub_domains), language) if target not in sub_domains: sub_domains.append(target) for target in sub_domains: if not enumerate_flag: info( messages(language, "target_submitted").format(target)) yield target else: if check_ranges: if not enumerate_flag: info(messages(language, "checking").format(target)) yield target n = 0 err = 0 IPs = [] while True: try: IPs.append(socket.gethostbyname(target)) err = 0 n += 1 if n is 12: break except: err += 1 if err is 3 or n is 12: break IPz = list(set(IPs)) for IP in IPz: if not enumerate_flag: info( messages(language, "checking_range").format(IP)) IPs = IPRange(getIPRange(IP), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IPn in IPm: yield IPn else: if not enumerate_flag: info( messages(language, "target_submitted").format(target)) yield target elif target_type(target) == 'HTTP': if not enumerate_flag: info(messages(language, "checking").format(target)) yield target if check_ranges: if 'http://' == target[:7].lower(): target = target[7:].rsplit('/')[0] if 'https://' == target[:8].lower(): target = target[8:].rsplit('/')[0] yield target IPs = [] while True: try: IPs.append(socket.gethostbyname(target)) err = 0 n += 1 if n is 12: break except: err += 1 if err is 3 or n is 12: break IPz = list(set(IPs)) for IP in IPz: if not enumerate_flag: info(messages(language, "checking_range").format(IP)) IPs = IPRange(getIPRange(IP), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IPn in IPm: yield IPn else: __die_failure(messages(language, "unknown_target").format(target))
def __repeater(request_template, parameters, timeout_sec, thread_number, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, scan_id, scan_cmd, condition, thread_tmp_filename, sample_event, message, target, ports, default_ports, counter_message=None): """ this function is the main repeater functions which determines the type of request, the content type and calls the appropriate funtion Args: request_template: the sample template of the request(to be supplied by the module) parameters: the payload in form of [[1,2,3], [1,2,3],...] condition: the condition to be evaluated. eg: response.status_code == 200 sample_event: the template for the event that will be logged into the db message: the message that you want to display in the terminal when success counter_message: the message that you want to display if nothing is found target: the target to be attacked ports: the ports to be fuzzed default_ports: if user doesn't supply ports, these are to be fuzzed other args: retries, time_sleep, timeout_sec, thread_number, log_in_file, time_sleep, language, verbose_level, socks_proxy, scan_id, scan_cmd, thread_tmp_filename Returns: Nothing """ if counter_message is None: counter_message = messages(language, "fuzzer_no_response").format( sample_event['TYPE']) __log_into_file(thread_tmp_filename, 'w', '1', language) output = [] request_text = request_template.replace("\r", "").replace("\n", "\r\n") content_type = "" request_type = "" if request_text.rsplit()[0] == "POST" or request_text.rsplit()[0] == "PUT" or \ request_text.rsplit()[0] == "PATCH": request_type = "POST" elif request_text.rsplit()[0] == "GET" or request_text.rsplit()[0] == "HEAD" or \ request_text.rsplit()[0] == "DELETE": request_type = "GET" req_type = request_text.rsplit()[0] threads = [] keyboard_interrupt_flag = False requests_list = __http_requests_generator(request_text, parameters) targets = target_builder(target, ports, default_ports) for request in requests_list: if request_type == "POST": t = threading.Thread( target=request_with_data, args=(request[0], content_type, req_type, retries, time_sleep, timeout_sec, request[1], condition, output, sample_event, message, log_in_file, thread_tmp_filename, language, targets, ports, default_ports, socks_proxy)) elif request_type == "GET": t = threading.Thread( target=request_without_data, args=(request[0], req_type, retries, time_sleep, timeout_sec, request[1], condition, output, sample_event, message, log_in_file, thread_tmp_filename, language, targets, ports, default_ports, socks_proxy)) threads.append(t) t.start() time.sleep(time_sleep) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() is 1 or kill_switch is kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write is 1 and verbose_level is not 0: sample_event['DESCRIPTION'] = counter_message event_parser(message=counter_message, sample_event=sample_event, response=None, payload=None, log_in_file=log_in_file, language=language) os.remove(thread_tmp_filename)
def login(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): exit = 0 if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo while 1: target_host = str(target) + ":" + str(port) try: if timeout_sec is not None: req = requests.get(target_host, timeout=timeout_sec, auth=(user, passwd)) else: req = requests.get(target_host, auth=(user, passwd)) flag = 1 if req.status_code != 200: exit += 1 if exit is retries: warn( messages(language, "http_auth_failed").format( target, user, passwd, port)) return 1 else: time.sleep(time_sleep) continue elif req.status_code == 200: flag = 0 if flag is 0: info( messages(language, "http_auth_success").format( user, passwd, target, port)) data = json.dumps( { 'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'http_basic_auth_brute', 'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) except: exit += 1 if exit is retries: warn( messages(language, "http_auth_failed").format( target, user, passwd, port)) return 1 else: time.sleep(time_sleep) continue return flag
def login(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): exit = 0 if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo while 1: try: if timeout_sec is not None: server = smtplib.SMTP(target, int(port), timeout=timeout_sec) else: server = smtplib.SMTP(target, int(port)) server.starttls() exit = 0 break except: exit += 1 if exit is retries: warn( messages(language, "smtp_connection_timeout").format( target, port, user, passwd)) return 1 time.sleep(time_sleep) flag = 1 try: server.login(user, passwd) flag = 0 except smtplib.SMTPException as err: pass if flag is 0: info( messages(language, "user_pass_found").format(user, passwd, target, port)) data = json.dumps({ 'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'smtp_brute', 'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) else: pass try: server.quit() except Exception: pass return flag
def analysis( targets, check_ranges, check_subdomains, subs_temp, range_temp, log_in_file, time_sleep, language, verbose_level, retries, socks_proxy, enumerate_flag, ): """ analysis and calulcate targets. Args: targets: targets check_ranges: check IP range flag check_subdomains: check subdomain flag subs_temp: subdomain temp filename range_temp: IP range tmp filename log_in_file: output filename time_sleep: time to sleep language: language verbose_level: verbose level number retries: retries number socks_proxy: socks proxy enumerate_flag: enumerate flag Returns: a generator """ __log_into_file(range_temp, "a", "", language) __log_into_file(subs_temp, "a", "", language) for target in targets: target = six.ensure_text(target) if target_type(target) == "SINGLE_IPv4": if check_ranges: if not enumerate_flag: info(messages(language, "checking_range").format(target)) IPs = IPRange(getIPRange(target), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IP in IPm: yield IP else: if not enumerate_flag: info(messages(language, "target_submitted").format(target)) yield target elif target_type(target) == "SINGLE_IPv6": yield target elif (target_type(target) == "RANGE_IPv4" or target_type(target) == "CIDR_IPv4"): IPs = IPRange(target, range_temp, language) global temp if target_type(target) == "CIDR_IPv4" and temp == 0: net = ipaddress.ip_network(six.text_type(target)) start = net[0] end = net[-1] ip1 = int(ipaddress.IPv4Address(six.text_type(start))) ip2 = int(ipaddress.IPv4Address(six.text_type(end))) yield ip2 - ip1 temp = 1 break if target_type(target) == "RANGE_IPv4" and temp == 0: start, end = target.rsplit("-") ip1 = int(ipaddress.IPv4Address(six.text_type(start))) ip2 = int(ipaddress.IPv4Address(six.text_type(end))) yield ip2 - ip1 temp = 1 break if not enumerate_flag: info(messages(language, "checking").format(target)) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IP in IPm: yield IP elif target_type(target) == "DOMAIN": if check_subdomains: if check_ranges: if enumerate_flag: info(messages(language, "checking").format(target)) sub_domains = (json.loads(open(subs_temp).read()) if len(open(subs_temp).read()) > 2 else __get_subs(target, 3, "", 0, language, 0, socks_proxy, 3, 0, 0)) if len(open(subs_temp).read()) == 0: __log_into_file(subs_temp, "a", json.dumps(sub_domains), language) if target not in sub_domains: sub_domains.append(target) for target in sub_domains: if not enumerate_flag: info( messages(language, "target_submitted").format(target)) yield target n = 0 err = 0 IPs = [] while True: try: IPs.append(socket.gethostbyname(target)) err = 0 n += 1 if n == 12: break except Exception: err += 1 if err == 3 or n == 12: break IPz = list(set(IPs)) for IP in IPz: if not enumerate_flag: info( messages(language, "checking_range").format(IP)) IPs = IPRange(getIPRange(IP), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IPn in IPm: yield IPn else: if enumerate_flag: info(messages(language, "checking").format(target)) sub_domains = (json.loads(open(subs_temp).read()) if len(open(subs_temp).read()) > 2 else __get_subs(target, 3, "", 0, language, 0, socks_proxy, 3, 0, 0)) if len(open(subs_temp).read()) == 0: __log_into_file(subs_temp, "a", json.dumps(sub_domains), language) if target not in sub_domains: sub_domains.append(target) for target in sub_domains: if not enumerate_flag: info( messages(language, "target_submitted").format(target)) yield target else: if check_ranges: if not enumerate_flag: info(messages(language, "checking").format(target)) yield target n = 0 err = 0 IPs = [] while True: try: IPs.append(socket.gethostbyname(target)) err = 0 n += 1 if n == 12: break except Exception: err += 1 if err == 3 or n == 12: break IPz = list(set(IPs)) for IP in IPz: if not enumerate_flag: info( messages(language, "checking_range").format(IP)) IPs = IPRange(getIPRange(IP), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IPn in IPm: yield IPn else: if not enumerate_flag: info( messages(language, "target_submitted").format(target)) yield target elif target_type(target) == "HTTP": if not enumerate_flag: info(messages(language, "checking").format(target)) yield target if check_ranges: if "http://" == target[:7].lower(): target = target[7:].rsplit("/")[0] if "https://" == target[:8].lower(): target = target[8:].rsplit("/")[0] yield target IPs = [] while True: try: IPs.append(socket.gethostbyname(target)) err = 0 n += 1 if n == 12: break except Exception: err += 1 if err == 3 or n == 12: break IPz = list(set(IPs)) for IP in IPz: if not enumerate_flag: info(messages(language, "checking_range").format(IP)) IPs = IPRange(getIPRange(IP), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IPn in IPm: yield IPn else: __die_failure(messages(language, "unknown_target").format(target))
def start( target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd, ): # Main function if (target_type(target) != "SINGLE_IPv4" or target_type(target) != "DOMAIN" or target_type(target) != "HTTP"): # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements if ports is None: ports = extra_requirements["wp_user_enum_ports"] if target_type(target) == "HTTP": target = target_to_host(target) threads = [] total_req = len(ports) thread_tmp_filename = "{}/tmp/thread_tmp_".format( load_file_path()) + "".join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, "w", "1", language) trying = 0 keyboard_interrupt_flag = False for port in ports: port = int(port) t = threading.Thread( target=__wp_user_enum, args=( target, int(port), timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd, ), ) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, "trying_message").format( trying, total_req, num, total, target, port, "wp_user_enum_scan", )) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break # wait for threads kill_switch = 0 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() == 1: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write == 1 and verbose_level != 0: info(messages(language, "not_found")) data = json.dumps({ "HOST": target, "USERNAME": "", "PASSWORD": "", "PORT": "", "TYPE": "wp_user_enum_scan", "DESCRIPTION": messages(language, "not_found"), "TIME": now(), "CATEGORY": "scan", "SCAN_ID": scan_id, "SCAN_CMD": scan_cmd, }) __log_into_file(log_in_file, "a", data, language) os.remove(thread_tmp_filename) else: warn( messages(language, "input_target_error").format("wp_user_enum_scan", target))
def check(target, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, http_method, socks_proxy, scan_id, scan_cmd): status_codes = [200, 401, 403] time.sleep(time_sleep) try: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 while 1: try: if http_method == "GET": r = requests.get(target, timeout=timeout_sec, headers=user_agent) elif http_method == "HEAD": r = requests.head(target, timeout=timeout_sec, headers=user_agent) content = r.content break except: n += 1 if n is retries: warn( messages(language, "http_connection_timeout").format(target)) return 1 if r.status_code in status_codes: info( messages(language, "found").format(target, r.status_code, r.reason)) __log_into_file(thread_tmp_filename, 'w', '0', language) __log_into_file( log_in_file, 'a', json.dumps({ 'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': "", 'TYPE': 'pma_scan', 'DESCRIPTION': messages(language, "found").format(target, r.status_code, r.reason), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + '\n', language) return True except: return False
def __sub_takeover( target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd, extra_requirement, ): result = sub_takeover( target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd, extra_requirement, ) if result: info( messages(language, "target_vulnerable").format( target, port, "Potential Subdomain Takeover Vulnerability found pointing to " + result.split("_")[2], )) __log_into_file(thread_tmp_filename, "w", "0", language) data = json.dumps({ "HOST": target, "USERNAME": "", "PASSWORD": "", "PORT": port, "TYPE": "subomain_takeover_vuln", "DESCRIPTION": messages(language, "vulnerable").format( "Potential Subdomain Takeover Vulnerability found pointing to " + result.split("_")[2]), "TIME": now(), "CATEGORY": "vuln", "SCAN_ID": scan_id, "SCAN_CMD": scan_cmd, }) __log_into_file(log_in_file, "a", data, language) return True else: return False
def request_without_data( request, req_type, retries, time_sleep, timeout_sec, payload, condition, output, sample_event, message, log_in_file, thread_tmp_filename, language, targets, ports, default_ports, socks_proxy, ): """ this function extracts the data, headers and url for the requests other than POST type which is to be sent to the __http_request_maker function Args: request: the returned data from __http_requests_generator function req_type: GET, POST, PUT, DELETE or PATCH payload: the payload corresponding to which the request is made condition: the condition to be evaluated. eg: response.status_code == 200 other args: retries, time_sleep, timeout_sec, output, sample_event, message, log_in_file, thread_tmp_filename, language Returns: the list of outputs in the format [ { "payload": payload1, "condition": condition1, "result": rule_evaluator(response, condition), "response": response1 },...... ] """ request_line, headers_alone = request.split("\r\n", 1) headers = dict() try: for x in headers_alone.split("\r\n"): headers[x.split(":", 1)[0]] = x.split(":", 1)[1] except IndexError: headers[headers_alone.split(":", 1)[0]] = headers_alone.split(":", 1)[1] clean_headers = {x.strip(): y.strip() for x, y in headers.items()} headers = clean_headers headers.pop("Content-Length", None) url_sample = request_line.strip().split(" ")[1] for target in targets: url = url_sample.replace("__target_locat_here__", str(target)) try: port = url.split(":")[2].split("/")[0] except IndexError: if target.startswith("https://"): port = 443 if target.startswith("http://"): port = 80 response = __http_request_maker(req_type, url, headers, retries, time_sleep, timeout_sec) if isinstance(response, requests.models.Response): if rule_evaluator(response, condition): __log_into_file(thread_tmp_filename, "w", "0", language) sample_event["PORT"] = port event_parser( message, sample_event, response, payload, log_in_file, language, ) output.append({ "payload": payload, "condition": condition, "result": rule_evaluator(response, condition), "response": response, }) return output
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent user_agent_list = [ "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5", "Googlebot/2.1 ( http://www.googlebot.com/bot.html)", "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04" " Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13", "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)", "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51", "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620", "Debian APT-HTTP/1.3 (0.8.10.3)", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "Googlebot/2.1 (+http://www.googlebot.com/bot.html)", "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)", "YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; " "http://help.yahoo.com/help/us/shop/merchant/)", "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)", "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)", "msnbot/1.1 (+http://search.msn.com/msnbot.htm)" ] user_agent = {'User-agent': random.choice(user_agent_list)} limit = 1000 # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements random_agent_flag = True if extra_requirements["wordpress_dos_cve_2018_6389_vuln_random_agent"][ 0] != "True": random_agent_flag = False if extra_requirements["wordpress_dos_cve_2018_6389_vuln_no_limit"][ 0] != "False": limit = -1 threads = [] total_req = limit filepath = os.path.dirname(os.path.dirname(os.path.realpath(__file__))) thread_tmp_filename = '{}/tmp/thread_tmp_'.format( load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 if target_type(target) == 'SINGLE_IPv4' or target_type( target) == 'DOMAIN': url = 'http://{0}/'.format(target) else: if target.count(':') > 1: __die_failure(messages(language, 105)) http = target.rsplit('://')[0] host = target_to_host(target) path = "/".join( target.replace('http://', '').replace('https://', '').rsplit('/')[1:]) url = http + '://' + host + '/' + path if test(url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num, language, False, log_in_file, scan_id, scan_cmd, thread_tmp_filename) is not 0: warn(messages(language, 109).format(url)) return info(messages(language, 177).format(target)) n = 0 t = threading.Thread( target=test, args=(url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num, language, True, log_in_file, scan_id, scan_cmd, thread_tmp_filename)) t.start() while (n != limit): n += 1 if random_agent_flag: user_agent = {'User-agent': random.choice(user_agent_list)} t = threading.Thread(target=send_dos, args=(url, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, 72).format(trying, total_req, num, total, target_to_host(target), port, 'wordpress_dos_cve_2018_6389_vuln')) try: if int(open(thread_tmp_filename).read().rsplit()[0]) is 0: if limit is not -1: break except: pass while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: break break # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() is 2 or kill_switch is kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write is 1: info( messages(language, 141).format("wordpress_dos_cve_2018_6389_vuln")) if verbose_level is not 0: data = json.dumps({ 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wordpress_dos_cve_2018_6389_vuln', 'DESCRIPTION': messages(language, 141).format("wordpress_dos_cve_2018_6389_vuln"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn( messages(language, 69).format('wordpress_dos_cve_2018_6389_vuln', target))
def test(target, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num, language, dos_flag, log_in_file, scan_id, scan_cmd, thread_tmp_filename): if verbose_level > 3: info( messages(language, 72).format(trying, total_req, num, total, target_to_host(target), '', 'wordpress_dos_cve_2018_6389_vuln')) if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 while 1: try: r = requests.get(target, timeout=timeout_sec, headers=user_agent).content return 0 except: n += 1 if n is retries: if dos_flag: __log_into_file(thread_tmp_filename, 'w', '0', language) info( messages( language, 139).format("wordpress_dos_cve_2018_6389_vuln")) data = json.dumps({ 'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wordpress_dos_cve_2018_6389_vuln', 'DESCRIPTION': messages( language, 139).format("wordpress_dos_cve_2018_6389_vuln"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) return 1
def login(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): username_field = "username" password_field = "password" exit = 0 class BruteParser(HTMLParser): def __init__(self): HTMLParser.__init__(self) self.parsed_results = {} def handle_starttag(self, tag, attrs): if tag == "input": for name, value in attrs: if name == "name" and value == username_field: self.parsed_results[username_field] = username_field if name == "name" and value == password_field: self.parsed_results[password_field] = password_field if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo while 1: target_host = str(target) + ":" + str(port) flag = 1 try: cookie = cookiejar.FileCookieJar("cookies") opener = request.build_opener(request.HTTPCookieProcessor(cookie)) response = opener.open(target) page = response.read() parsed_html = BruteParser() parsed_html.feed(page) parsed_html.parsed_results[username_field] = user parsed_html.parsed_results[password_field] = passwd post_data = urlencode(parsed_html.parsed_results).encode() except: exit += 1 if exit is retries: warn( messages(language, "http_form_auth_failed").format( target, user, passwd, port)) return 1 else: time.sleep(time_sleep) continue try: if timeout_sec is not None: brute_force_response = opener.open(target_host, data=post_data, timeout=timeout_sec) else: brute_force_response = opener.open(target_host, data=post_data) if brute_force_response.code == 200: flag = 0 if flag is 0: info( messages(language, "http_form_auth_success").format( user, passwd, target, port)) data = json.dumps( { 'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'http_form_brute', 'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) return flag except: exit += 1 if exit is retries: warn( messages(language, "http_form_auth_failed").format( target, user, passwd, port)) return 1 else: time.sleep(time_sleep) continue
def sub1(body, headers, dev): if dev['auth'][3] == "body": if dev['auth'][4] == "regex": pattern = dev['auth'][5] if re.match(pattern, body): resp = "device " + ctx[ 'ip'] + " is of type " + ctx[ 'devType'] + " still has default password" info(resp) data = json.dumps({ 'HOST': ctx['ip'], 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'iot_scan', 'DESCRIPTION': str(resp), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scanid, 'SCAN_CMD': scancmd }) + "\n" else: resp = "device " + ctx[ 'ip'] + " of type " + ctx[ 'devType'] + " has changed password" info(resp) data = json.dumps({ 'HOST': ctx['ip'], 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'iot_scan', 'DESCRIPTION': str(resp), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scanid, 'SCAN_CMD': scancmd }) + "\n" __log_into_file(loginfile, 'a', data, lang) return elif dev['auth'][4] == "!substr": body = body.decode('utf-8') if body.index(dev['auth'])[5] < 0: resp = "device " + ctx[ 'ip'] + " is of type " + ctx[ 'devType'] + " still has default password" info(resp) data = json.dumps({ 'HOST': ctx['ip'], 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'iot_scan', 'DESCRIPTION': str(resp), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scanid, 'SCAN_CMD': scancmd }) + "\n" else: resp = "device " + ctx[ 'ip'] + " of type " + ctx[ 'devType'] + " has changed password" info(resp) data = json.dumps({ 'HOST': ctx['ip'], 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'iot_scan', 'DESCRIPTION': str(resp), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scanid, 'SCAN_CMD': scancmd }) + "\n" __log_into_file(loginfile, 'a', data, lang) return
def generate(filename = "", first_name="", last_name = "", nick= "", email = "", dob = "", phone = "", partner_name = "", partner_dob = "", bestfriend = "", child_name = "", company = "", other = "", maxm = 8, minm = 16, special_characters = False, leet_speak = False, random_numbers = False, language="en"): random_l=list() other = other.replace(" ", "") words2 = other.split(",") if special_characters == True: special = list() for spec1 in charlist: special.append(spec1) for spec2 in charlist: special.append(spec1 + spec2) for spec3 in charlist: special.append(spec1 + spec2 + spec3) # 1337 mode can convert the characters to leet speak and hello = h3110 ################################ funame = first_name.title() nuick = nick.title() purtname = partner_name.title() bustf = bestfriend.title() chld = child_name.title() #chldn = childn.title() cumpny = company.title() # 3 emails, sep, tail = email.partition("@") list1 = [first_name, last_name, nick, emails, funame, nuick, phone, partner_name, bestfriend, purtname, bustf, child_name, company, chld, cumpny] for i in words2: list1.append(i) datepart(partner_dob) # datepart(childob) datepart(dob) list1 = list(filter(None, list1)) # removing empty data for i in list1: password_list.append(i) for j in list1: if(i.lower()) != (j.lower()): password_list.append(i + j) if leet_speak == True: for i in password_list: i = i.replace('a', '@') i = i.replace('t', '7') i = i.replace('l', '1') i = i.replace('e', '3') i = i.replace('i', '!') i = i.replace('o', '0') i = i.replace('z', '2') i = i.replace('g', '9') i = i.replace('s', '5') leet_list.append(i) # Leet Speak chars # a='@' # t='7' # l='1' # e='3' # i='!' # o='0' # z='2' # g='9' # s='5' #################### if random_numbers == True: for i in password_list: for j in random_list: random_l.append(i + j) else: random_l = password_list if special_characters == True: for i in random_l: for j in special: characters_list.append(i + j) count = 0 unique_list = password_list + random_l + characters_list + leet_list unique_list = list(set(tuple(unique_list))) for i in unique_list: if minm <= len(i) <= maxm: pass else: unique_list.remove(i) if filename is not "": __log_into_file(filename, 'w', json.dumps(unique_list), language, final=True) return unique_list
def sub2(headers, ctx): status = int(headers['Status']) if debug: print "check_login status=" + str(status) data = '' if int(status) == 200: if ctx['dev']['auth'][0] == "basic": resp = "device " + ctx['ip'] + " is of type " + ctx[ 'devType'] + " still has default password" info(resp) data = json.dumps({ 'HOST': ctx['ip'], 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'iot_scan', 'DESCRIPTION': str(resp), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scanid, 'SCAN_CMD': scancmd }) + "\n" elif ctx['dev']['auth'][0] == "expect200": resp = "device " + ctx['ip'] + " is of type " + ctx[ 'devType'] + "does not have any password" info(resp) data = json.dumps({ 'HOST': ctx['ip'], 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'iot_scan', 'DESCRIPTION': str(resp), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scanid, 'SCAN_CMD': scancmd }) + "\n" elif int(status) == 301 or int(status) == 302: resp = "device " + ctx['ip'] + " is of type " + ctx[ 'devType'] + " still has default password" info(resp) data = json.dumps({ 'HOST': ctx['ip'], 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'iot_scan', 'DESCRIPTION': str(resp), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scanid, 'SCAN_CMD': scancmd }) + "\n" elif int(status) == 401 and ctx['dev']['auth'][0] == "basic": resp = "device " + ctx['ip'] + " is of type " + ctx[ 'devType'] + " has changed password" info(resp) data = json.dumps({ 'HOST': ctx['ip'], 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'iot_scan', 'DESCRIPTION': str(resp), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scanid, 'SCAN_CMD': scancmd }) + "\n" else: resp = "device " + ctx['ip'] + ": unexpected resp code " + str( status) error(resp) data = json.dumps({ 'HOST': ctx['ip'], 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'iot_scan', 'DESCRIPTION': str(resp), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scanid, 'SCAN_CMD': scancmd }) + "\n" __log_into_file(loginfile, 'a', data, lang) return
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': threads = [] thread_tmp_filename = '{}/tmp/thread_tmp_'.format( load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 total_req = 8000 if target_type(target) != "HTTP": target = 'http://' + target t = threading.Thread(target=analyze, args=(target, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target), "", 'dir_scan')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: break # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() is 1 or kill_switch is kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write is 1: info( messages(language, "nothing_found").format(target, "wappalyzer_scan")) if verbose_level is not 0: data = json.dumps({ 'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wappalyzer_scan', 'DESCRIPTION': messages(language, "not_found"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn( messages(language, "input_target_error").format('wappalyzer_scan', target))
def analysis(targets, check_ranges, check_subdomains, subs_temp, range_temp, log_in_file, time_sleep, language, verbose_level, retries, socks_proxy, enumerate_flag): __log_into_file(range_temp, 'a', '', language) __log_into_file(subs_temp, 'a', '', language) for target in targets: if target_type(target) == 'SINGLE_IPv4': if check_ranges: if not enumerate_flag: info(messages(language, 51).format(target)) IPs = IPRange(getIPRange(target), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IP in IPm: yield IP else: if not enumerate_flag: info(messages(language, 81).format(target)) yield target elif target_type(target) == 'SINGLE_IPv6': yield target elif target_type(target) == 'RANGE_IPv4' or target_type(target) == 'CIDR_IPv4': IPs = IPRange(target, range_temp, language) if not enumerate_flag: info(messages(language, 52).format(target)) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IP in IPm: yield IP elif target_type(target) == 'DOMAIN': if check_subdomains: if check_ranges: if enumerate_flag: info(messages(language, 52).format(target)) sub_domains = json.loads(open(subs_temp).read()) if len(open(subs_temp).read()) > 2 else \ __get_subs(target, 3, '', 0, language, 0, socks_proxy, 3, 0, 0) if len(open(subs_temp).read()) is 0: __log_into_file(subs_temp, 'a', json.dumps(sub_domains), language) if target not in sub_domains: sub_domains.append(target) for target in sub_domains: if not enumerate_flag: info(messages(language, 81).format(target)) yield target n = 0 err = 0 IPs = [] while True: try: IPs.append(socket.gethostbyname(target)) err = 0 n += 1 if n is 12: break except: err += 1 if err is 3 or n is 12: break IPz = list(set(IPs)) for IP in IPz: if not enumerate_flag: info(messages(language, 51).format(IP)) IPs = IPRange(getIPRange(IP), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IPn in IPm: yield IPn else: if enumerate_flag: info(messages(language, 52).format(target)) sub_domains = json.loads(open(subs_temp).read()) if len(open(subs_temp).read()) > 2 else \ __get_subs(target, 3, '', 0, language, 0, socks_proxy, 3, 0, 0) if len(open(subs_temp).read()) is 0: __log_into_file(subs_temp, 'a', json.dumps(sub_domains), language) if target not in sub_domains: sub_domains.append(target) for target in sub_domains: if not enumerate_flag: info(messages(language, 81).format(target)) yield target else: if check_ranges: if not enumerate_flag: info(messages(language, 52).format(target)) yield target n = 0 err = 0 IPs = [] while True: try: IPs.append(socket.gethostbyname(target)) err = 0 n += 1 if n is 12: break except: err += 1 if err is 3 or n is 12: break IPz = list(set(IPs)) for IP in IPz: if not enumerate_flag: info(messages(language, 51).format(IP)) IPs = IPRange(getIPRange(IP), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IPn in IPm: yield IPn else: if not enumerate_flag: info(messages(language, 81).format(target)) yield target elif target_type(target) == 'HTTP': if not enumerate_flag: info(messages(language, 52).format(target)) yield target if check_ranges: if 'http://' == target[:7].lower(): target = target[7:].rsplit('/')[0] if 'https://' == target[:8].lower(): target = target[8:].rsplit('/')[0] yield target IPs = [] while True: try: IPs.append(socket.gethostbyname(target)) err = 0 n += 1 if n is 12: break except: err += 1 if err is 3 or n is 12: break IPz = list(set(IPs)) for IP in IPz: if not enumerate_flag: info(messages(language, 51).format(IP)) IPs = IPRange(getIPRange(IP), range_temp, language) if type(IPs) == netaddr.ip.IPNetwork: for IPm in IPs: yield IPm elif type(IPs) == list: for IPm in IPs: for IPn in IPm: yield IPn else: __die_failure(messages(language, 50).format(target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent user_agent_list = [ "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5", "Googlebot/2.1 ( http://www.googlebot.com/bot.html)", "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04" " Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13", "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)", "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51", "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620", "Debian APT-HTTP/1.3 (0.8.10.3)", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "Googlebot/2.1 (+http://www.googlebot.com/bot.html)", "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)", "YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; " "http://help.yahoo.com/help/us/shop/merchant/)", "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)", "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)", "msnbot/1.1 (+http://search.msn.com/msnbot.htm)" ] headers = { 'User-agent': random.choice(user_agent_list), 'Content-Type': 'text/xml' } # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements threads = [] if users is None: users = extra_requirements["wp_users"] if passwds is None: passwds = extra_requirements["wp_passwds"] if ports is None: ports = extra_requirements["wp_xmlrpc_brute_ports"] if verbose_level > 3: total_req = len(users) * len(passwds) * len(ports) else: total_req = len(users) * len(passwds) * len(ports) thread_tmp_filename = '{}/tmp/thread_tmp_'.format( load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 if target_type(target) != "HTTP": target = 'https://' + target for port in ports: if test(str(target), port, retries, timeout_sec, headers, socks_proxy, verbose_level, trying, total_req, total, num, language) is True: keyboard_interrupt_flag = False for user in users: for passwd in passwds: #print(user + " " + passwd) t = threading.Thread( target=check, args=(user, passwd, target, port, headers, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, "trying_message").format( trying, total_req, num, total, target_to_host(target), port, 'wp_xmlrpc_brute')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break else: warn(messages(language, "open_error").format(target)) # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() is 1 or kill_switch is kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) os.remove(thread_tmp_filename) else: warn( messages(language, "input_target_error").format('wp_xmlrpc_brute', target))
def request_with_data(post_request, content_type, req_type, retries, time_sleep, timeout_sec, payload, condition, output, sample_event, message, log_in_file, thread_tmp_filename, language, targets, ports, default_ports, socks_proxy): """ this function extracts the data, headers and url for the POST type request which is to be sent to the __http_request_maker function Args: post_request: the returned data from __http_requests_generator function req_type: GET, POST, PUT, DELETE or PATCH content_type: application/json or application/x-www-form-urlencoded payload: the payload corresponding to which the request is made condition: the condition to be evaluated. eg: response.status_code == 200 other args: retries, time_sleep, timeout_sec, output, sample_event, message, log_in_file, thread_tmp_filename, language Returns: the list of outputs in the format [ { "payload": payload, "condition": condition, "result": rule_evaluator(response, condition), "response": response },...... ] """ post_data_format = "" request_line, headers_alone = post_request.split('\r\n', 1) headers = Message(StringIO(headers_alone)).dict clean_headers = {x.strip(): y for x, y in headers.items()} headers = clean_headers if "content-type" in headers: content_type = headers['content-type'] if content_type == 'application/x-www-form-urlencoded': post_data_format = post_data_parser(post_request.split('\r\n')[-1]) elif content_type == 'application/json': post_data_format = json.loads( post_request[post_request.find('{'):post_request.find('}') + 1]) headers.pop("Content-Length", None) url_sample = request_line.strip().split(' ')[1] for target in targets: url = url_sample.replace('__target_locat_here__', str(target)) port = url[url.find(':', 7) + 1:url.find('/', 7)] response = __http_request_maker(req_type, url, headers, retries, time_sleep, timeout_sec, post_data_format, content_type, socks_proxy) if isinstance(response, requests.models.Response): if rule_evaluator(response, condition): __log_into_file(thread_tmp_filename, 'w', '0', language) sample_event['PORT'] = port event_parser(message, sample_event, response, payload, log_in_file, language) output.append({ "payload": payload, "condition": condition, "result": rule_evaluator(response, condition), "response": response }) return output
def check(user, passwd, target, port, headers, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): time.sleep(time_sleep) try: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 while 1: try: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target target = target + '/xmlrpc.php' postdata = '''<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>''' + user + '''</string></value></param><param><value><string>''' + passwd + '''</string></value></param></params></methodCall>''' r = requests.post(target, timeout=timeout_sec, headers=headers, data=postdata) if "incorrect" not in r.text.lower() and user in r.text.lower( ): info( messages(language, "user_pass_found").format( user, passwd, target, port)) data = json.dumps( { 'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'wp_xmlrpc_brute', 'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute" }) + "\n" __log_into_file(log_in_file, 'a', data, language) break except Exception: n += 1 if n is retries: warn( messages(language, "http_connection_timeout").format(target)) return 1 return True except Exception: return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type(target) != 'HTTP': new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements if users is None: users = extra_requirements["http_basic_auth_brute_users"] if passwds is None: passwds = extra_requirements["http_basic_auth_brute_passwds"] if ports is None: ports = extra_requirements["http_basic_auth_brute_ports"] if target.lower().startswith('http://') or target.lower().startswith( 'https://'): pass else: target = 'http://' + str(target) threads = [] total_req = len(users) * len(passwds) thread_tmp_filename = '{}/tmp/thread_tmp_'.format( load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 keyboard_interrupt_flag = False for port in ports: if check_auth(target, timeout_sec, language, port): continue for user in users: for passwd in passwds: t = threading.Thread(target=login, args=(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, "trying_message").format( trying, total_req, num, total, target, port, 'http_basic_auth_brute')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break if keyboard_interrupt_flag: break if keyboard_interrupt_flag: break # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount( ) is 1 or kill_switch is kill_time: break except KeyboardInterrupt: break thread_write = int( open(thread_tmp_filename).read().rsplit()[0]) if thread_write is 1 and verbose_level is not 0: data = json.dumps( { 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'http_basic_auth_brute', 'DESCRIPTION': messages(language, "no_user_passwords"), 'TIME': now(), 'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn( messages(language, "input_target_error").format('http_basic_auth_brute', target))
def start( target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd, ): # Main function if ( target_type(target) != "SINGLE_IPv4" or target_type(target) != "DOMAIN" or target_type(target) != "HTTP" or target_type(target) != "SINGLE_IPv6" ): # rand useragent http_methods = ["GET", "HEAD"] # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement ] extra_requirements = new_extra_requirements if extra_requirements["pma_scan_http_method"][0] not in http_methods: warn(messages(language, "dir_scan_get")) extra_requirements["pma_scan_http_method"] = ["GET"] thread_tmp_filename = "{}/tmp/thread_tmp_".format( load_file_path() ) + "".join( random.choice(string.ascii_letters + string.digits) for _ in range(20) ) __log_into_file(thread_tmp_filename, "w", "1", language) default_ports = [80, 443] request = """{0} __target_locat_here__{{0}} \ HTTP/1.1\nUser-Agent: {1}\n\n""".format( extra_requirements["pma_scan_http_method"][0], random.choice(useragents.useragents()) if extra_requirements["pma_scan_random_agent"][0].lower() == "true" else "Mozilla/5.0 (Windows; U; Windows NT 5.1; \ en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5", ) status_codes = [200, 401, 403] condition = "response.status_code in {0}".format(status_codes) message = messages(language, "found") sample_message = ( '"' + message + '"' + """.format(response.url, response.status_code,\ response.reason)""" ) sample_event = { "HOST": target_to_host(target), "USERNAME": "", "PASSWORD": "", "PORT": "PORT", "TYPE": "pma_scan", "DESCRIPTION": sample_message, "TIME": now(), "CATEGORY": "scan", "SCAN_ID": scan_id, "SCAN_CMD": scan_cmd, } counter_message = messages(language, "phpmyadmin_dir_404") __repeater( request, [extra_requirements["pma_scan_list"]], timeout_sec, thread_number, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, scan_id, scan_cmd, condition, thread_tmp_filename, sample_event, sample_message, target, ports, default_ports, counter_message, ) else: warn( messages(language, "input_target_error").format("pma_scan", target) )
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type(target) != 'HTTP': # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements if ports is None: ports = extra_requirements["xmlrpc_bruteforce_vuln_ports"] if target_type(target) == 'HTTP': target = target_to_host(target) threads = [] total_req = len(ports) thread_tmp_filename = '{}/tmp/thread_tmp_'.format( load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 keyboard_interrupt_flag = False for port in ports: port = int(port) t = threading.Thread(target=__xmlrpc_bruteforce, args=(target, int(port), timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, "trying_message").format( trying, total_req, num, total, target, port, 'xmlrpc_bruteforce_vuln')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() == 1 or kill_switch == kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write == 1 and verbose_level != 0: info( messages(language, "no_vulnerability_found").format( 'Wordpress_xmlrpc_bruteforce')) data = json.dumps({ 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'xmlrpc_bruteforce_vuln', 'DESCRIPTION': messages(language, "no_vulnerability_found").format( 'Wordpress_xmlrpc_bruteforce'), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn( messages(language, "input_target_error").format('xmlrpc_bruteforce_vuln', target))
def login(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy): exit = 0 if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo while 1: try: if timeout_sec is not None: tn = telnetlib.Telnet(target, timeout=timeout_sec) else: tn = telnetlib.Telnet(target) exit = 0 break except: exit += 1 if exit is retries: warn( messages(language, "telnet_connection_timeout").format( target, port, user, passwd)) return 1 time.sleep(time_sleep) flag = 1 try: tn.read_until("login: "******"\n") tn.read_until("Password: "******"\n") flag = 0 except: pass if flag is 0: info( messages(language, "user_pass_found").format(user, passwd, target, port)) data = json.dumps({ 'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'telnet_brute', 'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute" }) + "\n" __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) else: pass return flag
def check(target, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, http_method, socks_proxy, scan_id, scan_cmd): status_codes = [200, 401, 403] directory_listing_msgs = [ "<title>Index of /", "<a href=\"\\?C=N;O=D\">Name</a>", "Directory Listing for", "Parent Directory</a>", "Last modified</a>", "<TITLE>Folder Listing.", "- Browsing directory " ] time.sleep(time_sleep) try: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 while 1: try: if http_method == "GET": r = requests.get(target, timeout=timeout_sec, headers=user_agent) elif http_method == "HEAD": r = requests.head(target, timeout=timeout_sec, headers=user_agent) content = r.content break except: n += 1 if n == retries: warn( messages(language, "http_connection_timeout").format(target)) return 1 if version() == 3: content = content.decode('utf8') if r.status_code in status_codes: info( messages(language, "found").format(target, r.status_code, r.reason)) __log_into_file(thread_tmp_filename, 'w', '0', language) data = json.dumps({ 'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': "", 'TYPE': 'wp_timthumb_scan', 'DESCRIPTION': messages(language, "found").format(target, r.status_code, r.reason), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) if r.status_code == 200: for dlmsg in directory_listing_msgs: if dlmsg in content: info( messages(language, "directoy_listing").format(target)) data = json.dumps({ 'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': "", 'TYPE': 'wp_timthumb_scan', 'DESCRIPTION': messages(language, "directoy_listing").format(target), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) break return True except: return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type != 'SINGLE_IPv6': # output format time.sleep(time_sleep) if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo # set user agent headers = { "User-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0", "Accept": "text/javascript, text/html, application/xml, text/xml, */*", "Accept-Language": "en-US,en;q=0.5", "Referer": "https://viewdns.info/" } total_req = 1 trying = 1 info( messages(language, "trying_process").format(trying, total_req, num, total, target, 'viewdns ip lookup')) n = 0 while 1: try: res = requests.get( 'https://viewdns.info/reverseip/?host={0}&t=1'.format( target), timeout=timeout_sec, headers=headers, verify=True).text break except: n += 1 if n is retries: warn( messages( language, "http_connection_timeout").format("viewdns.info")) return 1 _values = [] try: s = '<table>' + \ res.rsplit('''<table border="1">''')[ 1].rsplit("<br></td></tr><tr></tr>")[0] table = ET.XML(s) rows = iter(table) headers = [col.text for col in next(rows)] for row in rows: values = [col.text for col in row] _values.append(dict(zip(headers, values))["Domain"]) except Exception: pass if len(_values) == 0: info(messages(language, "viewdns_domain_404")) if len(_values) > 0: info(messages(language, "len_domain_found").format(len(_values))) for domain in _values: if verbose_level > 3: info(messages(language, "domain_found").format(domain)) data = json.dumps({ 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'viewdns_reverse_ip_lookup_scan', 'DESCRIPTION': domain, 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) if verbose_level != 0: data = json.dumps({ 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'viewdns_reverse_ip_lookup_scan', 'DESCRIPTION': messages(language, "domain_found").format( len(_values), ", ".join(_values) if len(_values) > 0 else "None"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) else: warn( messages(language, "input_target_error").format( 'viewdns_reverse_ip_lookup_scan', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent user_agent_list = useragents.useragents() http_methods = ["GET", "HEAD"] user_agent = {'User-agent': random.choice(user_agent_list)} # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[ extra_requirement] = methods_args[extra_requirement] extra_requirements = new_extra_requirements if extra_requirements["wp_theme_scan_http_method"][0] not in http_methods: warn(messages(language, "wp_theme_scan_get")) extra_requirements["wp_theme_scan_http_method"] = ["GET"] random_agent_flag = True if extra_requirements["wp_theme_scan_random_agent"][0] == "False": random_agent_flag = False threads = [] if verbose_level > 3: total_req = len(themes.themes()) else: total_req = len(small_themes.themes()) thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 if target_type(target) != "HTTP": target = 'https://' + target if test(str(target), retries, timeout_sec, user_agent, extra_requirements["wp_theme_scan_http_method"][0], socks_proxy, verbose_level, trying, total_req, total, num, language) == 0: keyboard_interrupt_flag = False if verbose_level > 3: scan_list = themes.themes() else: scan_list = small_themes.themes() for idir in scan_list: idir = "/wp-content/themes/" + idir if random_agent_flag: user_agent = {'User-agent': random.choice(user_agent_list)} t = threading.Thread(target=check, args=( target + '/' + idir, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, extra_requirements[ "wp_theme_scan_http_method"][0], socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info(messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target), "default_port", 'wp_theme_scan')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break else: warn(messages(language, "open_error").format(target)) # wait for threads kill_switch = 0 kill_time = int( timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() == 1 or kill_switch == kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write == 1: info(messages(language, "directory_file_404").format( target, "default_port")) if verbose_level != 0: data = json.dumps( {'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wp_theme_scan', 'DESCRIPTION': messages(language, "no_open_ports"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn(messages(language, "input_target_error").format( 'wp_theme_scan', target))
def __netcraft(target, timeout_sec, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, headers, thread_tmp_filename): try: from core.targets import target_to_host if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 results = '' url = 'https://searchdns.netcraft.com/?restriction=site+contains&host=*.{0}' \ '&lookup=wait..&position=limited'.format(target) subs = [] while '<b>Next page</b></a>' not in results: while 1: try: results = requests.get(url, headers=headers) break except Exception: n += 1 if n is 3: break if n is 3: break if results.status_code is 200: for l in re.compile( '<a href="http://toolbar.netcraft.com/site_report\?url=(.*)">' ).findall(results.content): if '*' not in target_to_host(l) and target_to_host( l).endswith('.' + target) and target_to_host( l) not in subs: subs.append(target_to_host(l)) else: # warn 403 break try: url = 'http://searchdns.netcraft.com' + re.compile( '<A href="(.*?)"><b>Next page</b></a>').findall( results.content)[0] except Exception: break __log_into_file(thread_tmp_filename, 'a', '\n'.join(subs), language) return subs except Exception: return []