コード例 #1
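def scan_target(scan_info, url_to_scan):
    """Run the IIS short-name scanner against a target that identifies as IIS.

    The target is fetched with ``get_response``; when its ``Server`` header
    contains ``IIS`` the bundled ``iis_shortname_scanner.jar`` is executed.
    Unless the tool prints ``NOT VULNERABLE``, its output is rendered to a
    PNG, attached to a ``Vulnerability`` and sent to Slack, MongoDB and
    Redmine.

    The check is best-effort: failures are logged and never raised to the
    caller.

    Args:
        scan_info: Scan context forwarded unchanged to ``Vulnerability``.
        url_to_scan: URL passed both to ``get_response`` and to the scanner.

    Returns:
        None.
    """
    # Function-scope import: the file's import block is not visible here.
    import logging

    log = logging.getLogger(__name__)

    resp = get_response(url_to_scan)
    if resp is None:
        return

    root_dir = os.path.dirname(os.path.abspath(__file__))
    scanner_jar = os.path.join(
        root_dir, 'tools', 'IIS-ShortName-Scanner', 'iis_shortname_scanner.jar')
    scanner_config = os.path.join(
        root_dir, 'tools', 'IIS-ShortName-Scanner', 'config.xml')

    try:
        # A missing Server header just means "not identifiably IIS".
        if 'IIS' not in resp.headers.get('Server', ''):
            return

        # argv is passed as a list, so no shell interprets url_to_scan.
        # '0' and '10' are positional tool options; their meaning is not
        # visible from this file.
        # NOTE(review): no timeout is set, so a hung JVM blocks the scan
        # worker indefinitely -- consider passing timeout= here.
        iis_process = subprocess.run(
            ['java', '-jar', scanner_jar, '0', '10', url_to_scan,
             scanner_config],
            capture_output=True)

        # errors='replace' keeps a stray non-UTF-8 byte in the tool output
        # from silently discarding the whole result.
        message = iis_process.stdout.decode(errors='replace')

        # An empty stdout means the tool did not report at all (e.g. the JVM
        # failed to start). Without this guard the absence of the
        # "NOT VULNERABLE" marker would be filed as a finding.
        if not message.strip():
            log.warning(
                "IIS short-name scanner produced no output for %s "
                "(exit code %s)", url_to_scan, iis_process.returncode)
            return
        if "NOT VULNERABLE" in message:
            return

        img_str = image_creator.create_image_from_string(message)
        output_path = os.path.join(
            root_dir, 'tools_output', uuid.uuid4().hex + '.png')
        try:
            im = Image.open(BytesIO(base64.b64decode(img_str)))
            im.save(output_path, 'PNG')

            vulnerability = Vulnerability(
                constants.IIS_SHORTNAME_MICROSOFT, scan_info,
                "IIS Microsoft files and directories enumeration found")
            vulnerability.add_attachment(output_path, 'IIS-Result.png')
            slack.send_vuln_to_channel(vulnerability,
                                       SLACK_NOTIFICATION_CHANNEL)
            vulnerability.id = mongo.add_vulnerability(vulnerability)
            redmine.create_new_issue(vulnerability)
        finally:
            # Remove the evidence image even when a reporting backend fails,
            # so scan output does not pile up in tools_output/.
            if os.path.exists(output_path):
                os.remove(output_path)
    except Exception:
        # Still best-effort, but a scanner that fails silently looks the
        # same as a clean target; leave a trace for the operator.
        log.exception("IIS short-name scan failed for %s", url_to_scan)
    return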
コード例 #2
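def add_vulnerability(scan_info, data, message, cvssScore):
    """Report an ``UNSECURE_METHOD`` finding with a rendered evidence image.

    ``data`` is rendered to a base64 image by ``image_creator``, stored on
    the vulnerability and written to a temporary PNG under ``tools_output/``
    so it can be attached. The finding is then sent to Slack, stored in
    MongoDB and filed in Redmine.

    Args:
        scan_info: Scan context forwarded unchanged to ``Vulnerability``.
        data: Text rendered into the evidence image.
        message: Description stored on the vulnerability.
        cvssScore: Value assigned to ``vulnerability.cvss``.

    Raises:
        Any exception from image decoding or from the reporting backends
        propagates; the temporary PNG is removed first.
    """
    vulnerability = Vulnerability(constants.UNSECURE_METHOD, scan_info,
                                  message)

    img_str = image_creator.create_image_from_string(data)
    vulnerability.add_image_string(img_str)

    root_dir = os.path.dirname(os.path.abspath(__file__))
    # Random file name so concurrent scans cannot collide on the same path.
    output_path = os.path.join(
        root_dir, 'tools_output', uuid.uuid4().hex + '.png')
    try:
        im = Image.open(BytesIO(base64.b64decode(img_str)))
        im.save(output_path, 'PNG')
        vulnerability.add_attachment(output_path, 'NMAP-result.png')

        vulnerability.cvss = cvssScore

        slack.send_vuln_to_channel(vulnerability, SLACK_NOTIFICATION_CHANNEL)
        vulnerability.id = mongo.add_vulnerability(vulnerability)
        redmine.create_new_issue(vulnerability)
    finally:
        # Previously the PNG was only removed on the success path, so a
        # failing backend left scan evidence behind on disk.
        with suppress(Exception):
            os.remove(output_path)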
コード例 #3
def scan_target(scan_info, url_to_scan):
    """Check a target's response for a fixed set of security headers.

    All response headers are rendered into an evidence image. Unless the
    response status is 404, each header in the watch list is looked up:
    a missing header is collected for ``add_header_missing_vulnerability``
    and a present, non-empty header rejected by ``check_header_value`` is
    collected for ``add_header_value_vulnerability``.

    Args:
        scan_info: Scan context forwarded to the reporting helpers.
        url_to_scan: URL fetched with ``get_response``.

    Returns:
        None.
    """
    response = get_response(url_to_scan)
    if response is None:
        return

    # Evidence: a dump of every header the server sent.
    dump_parts = ['Response Headers From: ' + url_to_scan + '\n\n']
    for name in response.headers:
        dump_parts.append(name + " : " + response.headers[name] + '\n')
    img_b64 = image_creator.create_image_from_string(''.join(dump_parts))

    # TODO: also check the caching headers.
    # Mixed-case names: presumably response.headers is a case-insensitive
    # mapping -- verify against get_response.
    important_headers = (
        'Content-Security-Policy', 'X-XSS-Protection', 'x-frame-options',
        'X-Content-Type-options', 'Strict-Transport-Security',
        'Access-Control-Allow-Origin',
    )

    if response.status_code == 404:
        return

    missing_lines = []
    invalid_lines = []
    for header in important_headers:
        try:
            value = response.headers[header]
            # NOTE(review): a header that is present but empty is neither
            # validated nor reported -- confirm that is intended.
            rejected = bool(value) and not check_header_value(header, value)
        except KeyError:
            missing_lines.append("Header %s was not found \n" % header)
            continue
        if rejected:
            # Findings are not split per header; one report lists them all.
            invalid_lines.append(
                "Header %s was found with invalid value \n" % header)

    if missing_lines:
        message_exists = "Headers were not found \n" + ''.join(missing_lines)
        add_header_missing_vulnerability(scan_info, img_b64, message_exists)
    if invalid_lines:
        message_invalid = ("Headers with invalid values were found \n"
                           + ''.join(invalid_lines))
        add_header_value_vulnerability(scan_info, img_b64, message_invalid)
    return
コード例 #4
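def _as_list(node):
    """Normalise an xmltodict child node to a list.

    xmltodict yields a bare dict (or string) for an element that occurs once
    and a list when it repeats; ``None`` is treated as "no children".
    """
    if node is None:
        return []
    if isinstance(node, list):
        return node
    return [node]


def default_account(scan_info, url_to_scan):
    """Run nmap's http-default-accounts script and record any hits.

    nmap is started with version detection on a fixed list of web ports and
    writes its reports (``-oA``) under ``tools_output/``. The XML report is
    parsed and every script output containing ``"] at /"`` is concatenated
    into one message; when the message is non-empty it is rendered to an
    image and passed to ``add_vuln_to_mongo`` as ``"default_creds"``.

    Args:
        scan_info: Scan context forwarded to ``add_vuln_to_mongo``.
        url_to_scan: Target handed to nmap as its final argument.

    Returns:
        None.

    Raises:
        OSError: if the XML report cannot be opened (e.g. nmap did not run).
    """
    root_dir = os.path.dirname(os.path.abspath(__file__))
    fingerprint_file = root_dir + '/tools/http-default-accounts-fingerprints-nndefaccts.lua'
    script_to_launch = root_dir + '/tools/nmap/web_versions/http-default-accounts.nse'
    ports = '80,81,443,591,2082,2087,2095,2096,3000,8000,8001,8008,8080,8083,8443,8834,8888'
    # Random base name so concurrent scans do not overwrite each other.
    output_dir = root_dir + '/tools_output/' + uuid.uuid4().hex + '.http.def.acc'

    # argv is a list, so no shell interprets the target.
    # NOTE(review): url_to_scan is still a bare positional argument; the
    # caller should ensure it is a plain host name or address and does not
    # begin with '-', otherwise nmap would parse it as an option.
    # The process result is not inspected; a failed run shows up as a
    # missing XML report below.
    subprocess.run([
        'nmap', '-Pn', '-sV', '-p' + ports, '--script', script_to_launch,
        '--script-args',
        'http-default-accounts.fingerprintfile=' + fingerprint_file,
        '-oA', output_dir, url_to_scan
    ], capture_output=True)

    message = ""
    try:
        with open(output_dir + '.xml') as xml_file:
            report = xmltodict.parse(xml_file.read())

        nmaprun = report.get('nmaprun') or {}
        # host, port and script may each be a single dict or a list,
        # depending on how many elements nmap emitted. Iterating a bare dict
        # walks its keys, which used to crash on a single port and to skip a
        # lone script result entirely.
        for host in _as_list(nmaprun.get('host')):
            if not isinstance(host, dict):
                continue
            ports_node = host.get('ports') or {}
            for port in _as_list(ports_node.get('port')):
                if not isinstance(port, dict):
                    continue
                for scp in _as_list(port.get('script')):
                    if not isinstance(scp, dict):
                        continue
                    script_output = scp.get('@output') or ''
                    if "] at /" in script_output:
                        message += script_output

        if message:
            img_str = image_creator.create_image_from_string(message)
            add_vuln_to_mongo(scan_info, "default_creds", message, img_str)
    finally:
        # Always remove nmap's output files: they can contain discovered
        # credentials, and the old early return on a report without open
        # ports left them on disk.
        # NOTE(review): assumes cleanup() tolerates missing files -- confirm.
        cleanup(output_dir)
    return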