def main():
# Print messages
helpers.print_script_message(name, version, tagline)
helpers.print_task_positive('Hold tight...')
# Check that targets have been supplied
if (not args.host and not args.list):
sys.exit('You must supply a target or list of targets. See help (-h) for more details.')
# Disable all scanning if flags have been supplied
if (args.theharvester or args.whois or args.dns):
args.all = False
# Process hostnames into domains / subdomains etc
process_hostnames()
# Run scans based on supplied flags
if (args.all or args.whois):
scan_whois()
if (args.all or args.theharvester):
scan_the_harvester()
if(args.all or args.dns):
scan_dns()
def main():
# Print script message
helpers.print_script_message(name, version, tagline)
# Download git repos
for repo in repositories:
helpers.print_task_positive('Cloning ' + repo)
subprocess.run(['git', 'clone', repo])
print('')
def scan_web_port(port):
# Prepare for web scanning
helpers.print_task_positive('Web scanning port ' + str(port))
## Nikto scanning
helpers.print_subtask_positive('Nikto scanning port ' + str(port))
subprocess.run(['nikto', '-host', args.ip + ':' + str(port), '-o', 'nikto/nikto-' + str(port) + '.txt'], stdout=devnull, stderr=devnull)
## nmap scanning
helpers.print_subtask_positive('Nmap scanning port ' + str(port))
subprocess.run(['nmap', '-A', '--script=http-title,http-headers,http-methods,http-enum', '-p' + str(port), args.ip, '-oA', 'nmap/nmap-web-' + str(port)], stdout=devnull, stderr=devnull)
def scan_dns():
helpers.print_task_positive('Beginning DNS scanning...')
# Create directories
subprocess.run(['mkdir', 'dns'])
subprocess.run(['mkdir', 'dns/nslookup'])
subprocess.run(['mkdir', 'dns/dnsrecon'])
hostname_ip_outfile = open('dns/hostname-ip-map.txt', 'w')
# Do hostname based scanning
with open(os.getcwd() + '/' + args.list, newline=None) as file:
for line in file:
# Strip newlines
hostname = line.rstrip('\n')
# NSLOOKUP
# Capture nslookup output
try:
output_nslookup = subprocess.check_output(['nslookup', hostname], universal_newlines=True)
except subprocess.CalledProcessError:
continue
# Retrieve the IP address
IP = re.search('Address: (.*)', output_nslookup).group(1)
# Write the nslookup output to file
filename = hostname.replace('.','-')
nslookup_outfile = open('dns/nslookup/nslookup-' + filename + '.txt', 'w')
nslookup_outfile.write(str(output_nslookup))
nslookup_outfile.close()
# Write the hostname - IP mappings to file
hostname_ip_outfile.write(str(hostname) + '\t\t' + IP + '\n')
# Do domain name based scanning
with open(os.getcwd() + '/domains.txt', newline=None) as file:
for line in file:
# Strip newlines
domain = line.rstrip('\n')
# DNSRECON
# Capture the dnsrecon output
output_dnsrecon = subprocess.check_output(['dnsrecon', '-a', '-z', '-d', domain], universal_newlines=True)
# Write the output to file
domain = domain.replace('.','-')
outfile = open('dns/dnsrecon/dnsrecon-' + domain + '.txt', 'w')
outfile.write(str(output_dnsrecon))
outfile.close()
hostname_ip_outfile.close()
def main():
# Print messages
helpers.print_script_message(name, version, tagline)
helpers.print_task_positive('Hold tight...')
# Check that targets have been supplied
if (not args.host and not args.list):
sys.exit('You must supply a target or list of targets. See help (-h) for more details.')
# Orchestrate scanning components
scan_ssl()
nmap_fast()
scan_web()
nmap_all_ports()
def main():
# Print messages
helpers.print_script_message(name, version, tagline)
helpers.print_task_positive('Hold tight...')
# Test the IP address
if (not helpers.is_valid_ip(args.ip)):
print('Please use a valid IP address.')
sys.exit('Exiting.')
# Orchestrate scanning components
nmap_fast()
scan_web()
nmap_all_ports()
def nmap_fast():
# Prepare for nmap scanning
# Print heading
helpers.print_heading('Performing nmap scanning')
# Declare global variable
global output_nmap_fast
# Create nmap directory
helpers.mkdir('nmap')
# Do fast scan
helpers.print_task_positive('Fast nmap scanning')
output_nmap_fast = subprocess.check_output(
['nmap', '-sV', '-O', args.ip, '-oA', 'nmap/nmap-fast'],
universal_newlines=True)
print()
def main():
# Print messages
helpers.print_script_message(name, version, tagline)
helpers.print_task_positive('Hold tight...')
# Output file name
if (args.output):
output_name = args.output
else:
output_name = 'resolved.txt'
# Open output file
output_file = open(output_name, 'w')
# read the list of hostnames, line by line.
with open(os.getcwd() + '/' + args.hostnames, newline=None) as file:
for line in file:
# Strip newlines
hostname = line.rstrip('\n')
# Do a host lookup
try:
output_host = subprocess.check_output(['host', hostname],
universal_newlines=True)
except subprocess.CalledProcessError as e:
output_host = e.output
if (len(output_host.split()) >= 3):
ip = output_host.split()[len(output_host.split()) - 1]
else:
ip = 'NOT_FOUND'
if (not helpers.is_valid_ip(ip)):
ip = 'UNDEFINED'
output_file.write(hostname + ':' + ip + '\n')
# Close the output file
output_file.close()
# Finished
print('[+] Resolved IPs written to ' + output_name)
def scan_whois():
helpers.print_task_positive('Beginning whois Scanning...')
# Create a new directory for output files
subprocess.run(['mkdir', 'whois'])
# Read the file
with open(os.getcwd() + '/domains.txt', newline=None) as file:
for line in file:
# Strip newlines
domain = line.rstrip('\n')
# Capture the whois output
output = subprocess.check_output(['whois', '-h', 'whois.iana.org', '-H', domain], universal_newlines=True)
# Write the output to file
domain = domain.replace('.','-')
outfile = open('whois/whois-' + domain + '.txt', 'w')
outfile.write(str(output))
outfile.close()
def scan_web():
# Prepare for web scanning
# Print heading
helpers.print_heading('Performing web scanning')
# Test for common web ports
web_ports = helpers.get_web_ports(output_nmap_fast)
# If there are open web ports, scan them
if(not len(web_ports)):
helpers.print_task_negative('No open web ports...')
else:
# Create nikto directory
helpers.mkdir('nikto')
# Make a directory to store results
for port in web_ports:
scan_web_port(port)
# Finised web scanning
helpers.print_task_positive('Finished scanning web ports')
print()
def main():
# Print messages
helpers.print_script_message(name, version, tagline)
helpers.print_task_positive('Hold tight...')
# Make output directory
subprocess.run(['mkdir', 'nikto'])
subprocess.run(['mkdir', 'nikto/scan-output'])
subprocess.run(['mkdir', 'nikto/vulnerabilities'])
# Default web ports
web_ports = ['80', '443']
# Process hostnames
# Read the file
with open(os.getcwd() + '/' + args.targets, newline=None) as file:
for line in file:
# Strip newlines
target = line.rstrip('\n')
for port in web_ports:
# Run scan and capture the output
helpers.print_task_positive('Beginning scan - Port: ' + port + ' Target: ' + target)
# Force SSL on port 443
if (port == '80'):
output_nikto = subprocess.check_output(['nikto', '-host', target, '-ask', 'auto'], universal_newlines=True)
else:
output_nikto = subprocess.check_output(['nikto', '-host', target, '-ask', 'auto', '-ssl'], universal_newlines=True)
# Print the output to terminal, if selected
if (args.print):
print(output_nikto)
# Interpret results
if (args.interpret):
interpret(target, port, output_nikto)
# Write the nikto output to file
target_dash = target.replace('.','-')
nikto_outfile = open('nikto/scan-output/' + target_dash + '-' + port + '.txt', 'w')
nikto_outfile.write(str(output_nikto))
nikto_outfile.close()
# Print message if interpret option was selected
if (args.interpret):
print("")
helpers.print_heading("Scans complete")
helpers.print_task_positive("The output above only includes dumb interpretation of scan results.")
helpers.print_task_positive("See the full output in nikto/scan-output for the fun stuff :)")
def main():
# Print messages
helpers.print_script_message(name, version, tagline)
helpers.print_task_positive('Hold tight...')
subprocess.run(['mkdir', 'nikto'])
# Process hostnames
# Read the file
with open(os.getcwd() + '/' + args.targets, newline=None) as file:
for line in file:
# Strip newlines
target = line.rstrip('\n')
# Capture nikto output
output_nikto = subprocess.check_output(['nikto', '-host', target],
universal_newlines=True)
# Write the nikto output to file
target = target.replace('.', '-')
nikto_outfile = open('nikto/' + target + '.txt', 'w')
nikto_outfile.write(str(output_nikto))
nikto_outfile.close()
def scan_ssl_host(line):
# Strip newlines
hostname = line.rstrip('\n')
print(hostname)
# Capture the sslscan output
output_sslscan = subprocess.check_output(['sslscan', hostname], universal_newlines=True)
# Remove ANSI encoding so we can search
output_sslscan_clean = helpers.remove_ansi(output_sslscan)
# Process the SSLScan output
# SSL / TLS versions
# SSLv2
if (output_sslscan_clean.find('SSLv2') != -1):
helpers.print_task_positive('SSLv2')
vuln_file = open('ssl/vulnerabilities/tls-sslv2-0.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# SSLv3
if (output_sslscan_clean.find('SSLv3') != -1):
helpers.print_task_positive('SSLv3')
vuln_file = open('ssl/vulnerabilities/tls-sslv3-0.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# TLSV1.0
if (output_sslscan_clean.find('TLSv1.0') != -1):
helpers.print_task_positive('TLSv1.0')
vuln_file = open('ssl/vulnerabilities/tls-tlsv1-0.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# TLS Fallback SCSV
if (output_sslscan_clean.find('Server does not support TLS Fallback SCSV') != -1):
helpers.print_task_positive('TLS Fallback SCSV')
vuln_file = open('ssl/vulnerabilities/tls-fallback-scsv.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# TLS CRIME
if (output_sslscan_clean.find('Compression enabled (CRIME)') != -1):
helpers.print_task_positive('Compression enabled (CRIME)')
vuln_file = open('ssl/vulnerabilities/tls-compression-crime.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Certificate issues
# Expired certificate
if (helpers.remove_control_characters(output_sslscan).find('Not valid after: [31m') != -1):
helpers.print_task_positive('Expired certificate')
vuln_file = open('ssl/vulnerabilities/certificate-expired.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Wildcard certificate
if (output_sslscan_clean.find('Subject: *') != -1):
helpers.print_task_positive('Wildcard certificate')
vuln_file = open('ssl/vulnerabilities/certificate-wildcard.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Weak certificate signature
if (output_sslscan_clean.find('sha1WithRSA') != -1):
helpers.print_task_positive('Weak certificate signature')
vuln_file = open('ssl/vulnerabilities/certificate-weak-signature.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Cipher suites
# Export ciphers
if (output_sslscan_clean.find('EXP-') != -1):
helpers.print_task_positive('Weak cipher - Export cipher')
vuln_file = open('ssl/vulnerabilities/weak-cipher-export.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# RC4
if (output_sslscan_clean.find('RC4') != -1):
helpers.print_task_positive('Weak cipher - RC4')
vuln_file = open('ssl/vulnerabilities/weak-cipher-rc4.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# DES-CBC(3)-SHA
if (output_sslscan_clean.find('DES-CBC') != -1):
helpers.print_task_positive('Weak cipher - DES-CBC')
vuln_file = open('ssl/vulnerabilities/weak-cipher-des-cbc.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Weak diffie hellman
if (output_sslscan_clean.find('DHE 1024 bits') != -1):
helpers.print_task_positive('Weak cipher - DHE 1024 bits')
vuln_file = open('ssl/vulnerabilities/weak-cipher-dhe-1024.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Capture the sslyze output
output_sslyze = subprocess.check_output(['sslyze', '--regular', '--hsts', hostname], universal_newlines=True)
# Process the sslyze output (Only what is missed by SSLScan)
# Client initiated renegotiation
if (output_sslyze.find('VULNERABLE - Server honors client-initiated renegotiations') != -1):
helpers.print_task_positive('Server honors client-initiated renegotiations')
vuln_file = open('ssl/vulnerabilities/tls-client-initiated-renegotiations.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Missing HSTS header
if (output_sslyze.find('NOT SUPPORTED - Server did not send an HSTS header.') != -1):
helpers.print_task_positive('HSTS Unsupported')
vuln_file = open('ssl/vulnerabilities/tls-hsts-unsupported.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Self-signed certificate
if (output_sslyze.find('FAILED - Certificate is NOT Trusted: self signed certificate') != -1):
helpers.print_task_positive('FAILED - Certificate is NOT Trusted: self signed certificate')
vuln_file = open('ssl/vulnerabilities/tls-self-signed-certificate.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Mismatched certificate
if (output_sslyze.find('FAILED - Certificate does NOT') != -1):
helpers.print_task_positive('FAILED - Certificate does NOT match')
vuln_file = open('ssl/vulnerabilities/tls-mismatched-certificate.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Untrusted certificate
if (output_sslyze.find('FAILED - Certificate is NOT Trusted') != -1):
helpers.print_task_positive('FAILED - Certificate is NOT Trusted')
vuln_file = open('ssl/vulnerabilities/tls-untrusted-certificate.txt', 'a')
vuln_file.write(str(hostname) + '\n')
vuln_file.close()
# Write the output to file
hostname = hostname.replace('.','-')
outfile = open('ssl/scan-output/ssl-' + hostname + '.txt', 'w')
outfile.write(str(output_sslscan))
outfile.write(str(output_sslyze))
outfile.close()
