def test_parse_arguments_unknown_argument():
    """An option the parser does not know must end in SystemExit."""
    unknown_option = '-i-do-not-exist'
    argv = ['-t', '10.11.1.1', unknown_option]

    parser = cli_argument_parser()
    # The parser is expected to exit (not return) on an unrecognised option.
    with pytest.raises(SystemExit):
        parser.parse(argv)
def test_parse_arguments_mutually_exclusive_user_agent():
    """Giving both a fixed and a random User-Agent must end in SystemExit."""
    target = ['-t', '10.11.1.1']
    conflicting = ['--user-agent', 'my-user-agent', '--random-agent']

    parser = cli_argument_parser()
    with pytest.raises(SystemExit):
        parser.parse(target + conflicting)
def test_parse_arguments_mutually_exclusive_output():
    """Requesting both JSON and normal output must end in SystemExit."""
    target = ['-t', '10.11.1.1']
    conflicting = ['-oJ', '-oN']

    parser = cli_argument_parser()
    with pytest.raises(SystemExit):
        parser.parse(target + conflicting)
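def test_parse_arguments_default_value(tmpdir):
    """Parsing only a target leaves every other option at its default.

    `tmpdir` is kept so the fixture signature is unchanged; the
    default-value path reads no files, so none are created here (the
    wordlist file the test used to write was never referenced by argv).
    """
    arguments = cli_argument_parser().parse(['-t', 'myhost'])

    expected_arguments = {
        'target_hosts': 'myhost',
        'wordlists': None,
        'base_host': False,
        'port': 80,
        'real_port': False,
        'ignore_http_codes': '404',
        'ignore_content_length': 0,
        'first_hit': False,
        'unique_depth': 1,
        'fuzzy_logic': False,
        'no_lookup': False,
        'rate_limit': 0,
        'random_agent': False,
        'user_agent': None,
        'add_waf_bypass_headers': False,
        'output_normal': None,
        'output_json': None,
        'stdin': False,
        'ssl': False,
    }

    # Compare the whole namespace so an added or renamed option is noticed.
    assert vars(arguments) == expected_arguments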
def test_parse_arguments_custom_arguments(tmpdir):
    """Every option passed explicitly is reflected in the parsed namespace."""
    entries = ['some', 'other', 'words']
    wordlist_file = tmpdir.mkdir('test_command').join('other_words')
    wordlist_file.write('\n'.join(entries))
    wordlist_path = str(wordlist_file)

    # Order mirrors the original invocation; '-' at the end selects stdin.
    argv = [
        '-t', '10.11.1.1', '-w', wordlist_path, '-b', 'myhost',
        '-p', '8000', '-r', '8001',
        '--ignore-http-codes', '400,500,302',
        '--ignore-content-length', '100',
        '--unique-depth', '5',
        '--first-hit', '--ssl', '--fuzzy-logic', '--no-lookups',
        '--rate-limit', '10',
        '--user-agent', 'some-user-agent',
        '--waf',
        '-oN', '/tmp/on',  # only stored by the parser; nothing is written here
        '-',
    ]

    parsed = cli_argument_parser().parse(argv)

    # Numeric options are expected back as ints, flags as bools.
    expected = dict(
        target_hosts='10.11.1.1',
        wordlists=wordlist_path,
        base_host='myhost',
        port=8000,
        real_port=8001,
        ignore_http_codes='400,500,302',
        ignore_content_length=100,
        first_hit=True,
        unique_depth=5,
        ssl=True,
        fuzzy_logic=True,
        no_lookup=True,
        rate_limit=10,
        user_agent='some-user-agent',
        random_agent=False,
        add_waf_bypass_headers=True,
        output_normal='/tmp/on',
        output_json=None,
        stdin=True,
    )

    assert vars(parsed) == expected
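def _extend_wordlist_from_dns(target_hosts, wordlist):
    """Append the target's A-record IPs and their reverse names to *wordlist*.

    A target that does not resolve (NXDOMAIN / NoAnswer) is reported and
    skipped. An IP with no usable reverse record still contributes the IP
    itself instead of aborting the whole scan.
    """
    try:
        print("[+] Resolving DNS for additional wordlist entries")
        for ip in dns.resolver.query(target_hosts, 'A'):
            ip_text = str(ip)
            wordlist.append(ip_text)
            try:
                host, aliases, _ = gethostbyaddr(ip_text)
            except OSError:
                # socket.herror (an OSError subclass) is raised when the
                # address has no reverse record; keep going with the IP only.
                print("[!] No reverse record for {}".format(ip_text))
                continue
            # Reverse names come from DNS, i.e. untrusted data; they are
            # only used as further Host-header candidates.
            wordlist.append(host)
            wordlist.extend(aliases)
    except dns.resolver.NXDOMAIN:
        print("[!] Couldn't find any records (NXDOMAIN)")
    except dns.resolver.NoAnswer:
        print("[!] Couldn't find any records (NoAnswer)")


def main():
    """Command-line entry point: parse options, build the wordlist, scan, report.

    Exits with status 1 when no words could be loaded.
    """
    print_banner()

    parser = cli_argument_parser()
    arguments = parser.parse(sys.argv[1:])

    wordlist, wordlist_types = WordList().get_wordlist(arguments.wordlists)

    if not wordlist:
        print("[!] No words found in provided wordlists, unable to scan.")
        sys.exit(1)

    print(
        "[+] Starting virtual host scan for {host} using "
        "port {port} and {inputs}".format(
            host=arguments.target_hosts,
            port=arguments.port,
            inputs=', '.join(wordlist_types),
        )
    )

    # An explicit User-Agent wins over the random-agent flag.
    user_agents = []
    if arguments.user_agent:
        print('[>] User-Agent specified, using it.')
        user_agents = [arguments.user_agent]
    elif arguments.random_agent:
        print('[>] Random User-Agent flag set.')
        user_agents = load_random_user_agents()

    if arguments.ssl:
        print("[>] SSL flag set, sending all results over HTTPS.")

    if arguments.add_waf_bypass_headers:
        print("[>] WAF flag set, sending simple WAF bypass headers.")

    print("[>] Ignoring HTTP codes: {}".format(arguments.ignore_http_codes))

    if arguments.ignore_content_length > 0:
        print(
            "[>] Ignoring Content length: {}".format(
                arguments.ignore_content_length
            )
        )

    if arguments.first_hit:
        print("[>] First hit is set.")

    if not arguments.no_lookup:
        _extend_wordlist_from_dns(arguments.target_hosts, wordlist)

    # vars() hands back the namespace's own __dict__, so this update also
    # sets target/wordlist/user_agents on `arguments` itself; kept that way
    # because output_helper receives `arguments` below.
    scanner_args = vars(arguments)
    scanner_args.update({
        'target': arguments.target_hosts,
        'wordlist': wordlist,
        'user_agents': user_agents
    })

    scanner = virtual_host_scanner(**scanner_args)
    scanner.scan()
    output = output_helper(scanner, arguments)

    print(output.output_normal_likely())

    if arguments.fuzzy_logic:
        print(output.output_fuzzy())

    if arguments.output_normal:
        output.write_normal(arguments.output_normal)
        print("\n[+] Writing normal output to %s" % arguments.output_normal)

    if arguments.output_json:
        output.output_json(arguments.output_json)
        print("\n[+] Writing json output to %s" % arguments.output_json)

    # Looked up defensively: not every parser version exposes this option,
    # and an AttributeError here would surface only after the scan ran.
    output_grepable = getattr(arguments, 'output_grepable', None)
    if output_grepable:
        output.output_grepable(output_grepable)
        # Previously reported arguments.output_json for the grepable file.
        print("\n[+] Writing grepable output to %s" % output_grepable)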
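def _add_dns_entries(target_hosts, wordlist):
    """Append the target's A-record IPs and their reverse names to *wordlist*.

    Resolution failures (NXDOMAIN / NoAnswer) are reported and skipped
    instead of escaping as an unhandled traceback; an IP without a reverse
    record still contributes the IP itself.
    """
    # Local import: the module already uses dns.resolver's Resolver.
    from dns.resolver import NXDOMAIN, NoAnswer

    try:
        print("[+] Resolving DNS for additional wordlist entries")
        for ip in Resolver().query(target_hosts, 'A'):
            ip_text = str(ip)
            wordlist.append(ip_text)
            try:
                host, aliases, _ = gethostbyaddr(ip_text)
            except OSError:
                # socket.herror (an OSError subclass) when no PTR exists.
                print("[!] No reverse record for {}".format(ip_text))
                continue
            # Names returned by DNS are untrusted input; they only become
            # further Host-header candidates.
            wordlist.append(host)
            wordlist.extend(aliases)
    except NXDOMAIN:
        print("[!] Couldn't find any records (NXDOMAIN)")
    except NoAnswer:
        print("[!] Couldn't find any records (NoAnswer)")


def main():
    """Command-line entry point: parse options, gather words, scan, report.

    Words come from stdin (when '-' is given) and/or wordlist files, falling
    back to DEFAULT_WORDLIST_FILE when neither stdin nor files were given.
    Exits with status 1 when no words could be loaded.
    """
    print_banner()

    parser = cli_argument_parser()
    arguments = parser.parse(sys.argv[1:])

    wordlist = []
    word_list_types = []

    # With stdin in play the bundled default list is not used implicitly.
    default_wordlist = None if arguments.stdin else DEFAULT_WORDLIST_FILE

    if arguments.stdin:
        word_list_types.append('stdin')
        wordlist.extend(sys.stdin.read().splitlines())

    combined = get_combined_word_lists(arguments.wordlists or default_wordlist)
    word_list_types.append('wordlists: {}'.format(
        ', '.join(combined['file_paths']), ))
    wordlist.extend(combined['words'])

    if not wordlist:
        print("[!] No words found in provided wordlists, unable to scan.")
        sys.exit(1)

    print("[+] Starting virtual host scan for {host} using "
          "port {port} and {inputs}".format(
              host=arguments.target_hosts,
              port=arguments.port,
              inputs=', '.join(word_list_types),
          ))

    # An explicit User-Agent wins over the random-agent flag.
    user_agents = []
    if arguments.user_agent:
        print('[>] User-Agent specified, using it.')
        user_agents = [arguments.user_agent]
    elif arguments.random_agent:
        print('[>] Random User-Agent flag set.')
        user_agents = load_random_user_agents()

    if arguments.ssl:
        print("[>] SSL flag set, sending all results over HTTPS.")

    if arguments.add_waf_bypass_headers:
        print("[>] WAF flag set, sending simple WAF bypass headers.")

    print("[>] Ignoring HTTP codes: {}".format(arguments.ignore_http_codes))

    if arguments.ignore_content_length > 0:
        print("[>] Ignoring Content length: {}".format(
            arguments.ignore_content_length))

    if arguments.first_hit:
        print("[>] First hit is set.")

    if not arguments.no_lookup:
        _add_dns_entries(arguments.target_hosts, wordlist)

    # vars() returns the namespace's own __dict__, so the update below also
    # sets target/wordlist/user_agents on `arguments`; output_helper gets
    # that same object, so the in-place update is kept deliberately.
    scanner_args = vars(arguments)
    scanner_args.update({
        'target': arguments.target_hosts,
        'wordlist': wordlist,
        'user_agents': user_agents
    })

    scanner = virtual_host_scanner(**scanner_args)
    scanner.scan()
    output = output_helper(scanner, arguments)

    print(output.output_normal_likely())

    if arguments.fuzzy_logic:
        print(output.output_fuzzy())

    if arguments.output_normal:
        output.write_normal(arguments.output_normal)
        print("\n[+] Writing normal output to %s" % arguments.output_normal)

    if arguments.output_json:
        output.output_json(arguments.output_json)
        print("\n[+] Writing json output to %s" % arguments.output_json)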