def __init__(self, args, dbhandler=None):
"""
Ip2Dns class gets dns records for one or more ip addresses in parrallel.
input:
args cmdline arguments without argv[0]
dbhandler database handler
"""
logger.info("Initialising Dns2Ip ...")
opt = parse(args)
self.dbh = dbhandler
try:
ig_targets = cTuples.cInputGenerator(
filename=opt.target_fn,
data=opt.targets,
maxthreads=opt.nthreads,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t, noResolve=True),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=resolveIP,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
opt = parse(args)
self.dbh = dbh
self.adj = opt.adj
# We don't really need this module here, because we do not operate
# multithreaded, however it is convenient to use the mkIP2 and isUp
# functions to preprocess the target ips
self.ig_targets = cTuples.cInputGenerator(data=opt.targets,
filename=opt.target_fn,
circle=False,
#prepare_cb=cUtil.isUp,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=[opt.port],
#noResolve=True
),
)
self.ig_targets.start()
# we don't want to overload the server with too many parallel login
# attempts as it might influence the delay times
# so anyway thats why i use one seperate list of user names per server
# instaed of zipping them to the targets
if opt.U:
self.users = it.chain(__builtin__.openany(opt.U, 'r').readlines(), opt.u)
elif opt.u:
self.users = opt.u
else:
self.users = it.chain(__builtin__.openshared('usernames.log', 'r').readlines())
prep_targets.bignore = opt.bignore
test_user.pw = 'a' * opt.l
def __init__(self, args, dbh=None):
opts = parse(args)
self.dbh = dbh
self.port = opts.port
try:
ig_targets = cTuples.cInputGenerator(filename=opts.T,
data=opts.t,
maxthreads=opts.nthreads,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=[opts.port],
noSplit=True,
),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=bversion,
maxthreads=opts.nthreads,
delay=opts.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
"""
Initialize and run MysqlBruteforce
input:
args cmdline arguments without argv[0]
dbh database handler
"""
# parse argv
opt = parse(args)
# generators for user and password lists
# TODO: self.tls = opt.tls
#self.to = opt.to
self.nthreads = opt.nthreads
# database handle
self.dbh = dbh
# queue stuff
try:
ig_targets = cTuples.cInputGenerator(
data=opt.targets,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(
t, ports=[opt.port], noSplit=True, noResolve=True),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw],
prep_callback=brute,
delay=opt.delay)
self.tuples.start()
def output(self):
#print("Network ranges:")
for s, inetnum in self.inetnums.items():
if not inetnum or not isinstance(inetnum, str):
logger.warning('Got empty inetnum for %s', s)
continue
if self.dbh:
for ip_tup in cUtil.mkIP2(inetnum,
noResolve=True,
noSplit=True):
try:
ip = ip_tup[0]
except:
ip = ip_tup
self.dbh.add(ccd.RipescanResult(ip=ip, search=s))
def doHost(self, opt):
""" start bruteforce with password and user list (one host)
tHost: Host to attack tuple(host, port)
fusers: user list file name
fpasswords: password list file name
ssh_verisons: list of ssh client version strings
nthreads: number of threads
"""
try:
ig_targets = cTuples.cInputGenerator(data=opt.targets,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=[opt.port],
noResolve=True
),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
prepare_cb=lambda t: t.strip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
prepare_cb=lambda t: t.strip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw], prep_callback=brute)
self.tuples.start()
def doHost(self, opt):
""" start bruteforce with password and user list (one host)
tHost: Host to attack tuple(host, port)
fusers: user list file name
fpasswords: password list file name
ssh_verisons: list of ssh client version strings
nthreads: number of threads
"""
try:
ig_targets = cTuples.cInputGenerator(
data=opt.targets,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(
t, ports=[opt.port], noResolve=True),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
prepare_cb=lambda t: t.strip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
prepare_cb=lambda t: t.strip(),
circle=True)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw],
prep_callback=brute)
self.tuples.start()
def __init__(self,
args,
dbh=None):
logger.debug('Init RpcScanner')
opt = parse(args)
# file containing RPC program
if opt.fn_rpc:
cRpc.RPC_PATH = opt.fn_rpc
# check if rpc file is readable
try:
fd = __builtin__.openany(cRpc.RPC_PATH, "r")
fd.close()
except:
print 'Error: Could not open RPC program number data base %s' % cRpc.RPC_PATH
sys.exit(1)
self.port = opt.port
# database handle
self.dbh = dbh
try:
ig_targets = cTuples.cInputGenerator(filename=opt.target_fn,
data=opt.targets,
maxthreads=opt.nthreads,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=[opt.port],
noResolve=True
),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=rpcinfo,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
logger.debug('Init %s' % __name__)
# database handle
self.dbh = dbh
opt = self.parse(args)
if opt.fn_rpc:
cRpc.RPC_PATH = opt.fn_rpc
# check if rpc file is readable
try:
fd = __builtin__.openany(cRpc.RPC_PATH, "r")
fd.close()
except:
print 'Error: Could not open RPC program number data base %s' % cRpc.RPC_PATH
sys.exit(1)
showmount.version = 1
try:
ig_targets = cTuples.cInputGenerator(
filename=opt.target_fn,
data=opt.targets,
maxthreads=opt.nthreads,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(
t, ports=[opt.port], noResolve=True),
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=showmount,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self,
args,
dbhandler=None):
"""
Ip2Dns_Bing class gets dns records by searching
Bing for ip:<ip>.
input:
args cmdline arguments without argv[0]
dbhandler database handler
"""
logger.info("Initialising Dns2Ip ...")
self.dbh = dbhandler
opt = parse(args)
self.nthreads = opt.nthreads
resolve.max_results = opt.max_results
try:
ig_targets = cTuples.cInputGenerator(filename=opt.target_fn,
data=opt.targets,
maxthreads=opt.nthreads,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t, noResolve=True)
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
ig_targets.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=resolve,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
opt = parse(args)
self.dbh = dbh
self.adj = opt.adj
# We don't really need this module here, because we do not operate
# multithreaded, however it is convenient to use the mkIP2 and isUp
# functions to preprocess the target ips
self.ig_targets = cTuples.cInputGenerator(
data=opt.targets,
filename=opt.target_fn,
circle=False,
#prepare_cb=cUtil.isUp,
expand_cb=lambda t: cUtil.mkIP2(
t,
ports=[opt.port],
#noResolve=True
),
)
self.ig_targets.start()
# we don't want to overload the server with too many parallel login
# attempts as it might influence the delay times
# so anyway thats why i use one seperate list of user names per server
# instaed of zipping them to the targets
if opt.U:
self.users = it.chain(
__builtin__.openany(opt.U, 'r').readlines(), opt.u)
elif opt.u:
self.users = opt.u
else:
self.users = it.chain(
__builtin__.openshared('usernames.log', 'r').readlines())
prep_targets.bignore = opt.bignore
test_user.pw = 'a' * opt.l
def __init__(self,
args,
dbh=None):
"""
Initialize and run FtpBruteforce
input:
args cmdline arguments without argv[0]
dbhandler database handler
"""
logger.info('Init FTP bruteforce')
self.dbh = dbh
opt = parse(args)
self.anon_q = Queue.Queue()
brute.to = opt.to
brute.tls = opt.tls
self.anon = opt.anon
if self.anon:
test_special_login_init(self.anon_q, opt.to, opt.tls)
expand_cb = lambda t: cUtil.mkIP2(t,
ports=[opt.port],
noResolve=True
)
try:
ig_targets = cTuples.cInputGenerator(data=opt.targets,
filename=opt.target_fn,
circle=False,
expand_cb=expand_cb,
prepare_cb=opt.anon and test_special_login or None,
maxthreads=opt.nthreads
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
prepare_cb=lambda x: x.rstrip(),
circle=True,
maxthreads=opt.nthreads)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
prepare_cb=lambda x: x.rstrip(),
circle=True,
maxthreads=opt.nthreads)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw],
prep_callback=brute,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def parse(self, args):
description = "### SMTP user enumeration ###\n" + \
"It is based on the SMTP commands: VRFY, EXPN, RCPT.\n" + \
"Results may be inaccurate (false positives) as not all SMTP servers act the same.\n" +\
"Furthermore, this script does not support StartTLS or authentication.\n" +\
"To inspect the server's resonse, use the -v verbosity switch.\n" +\
"Output of valid usernames are in the form of: [username]\n\n"
epilog = """Examples:
smtp_user_enum.plg -command ALL -U users.txt -t 192.168.1.136
"""
parser = argparse.ArgumentParser(
description=description,
epilog=epilog,
formatter_class=argparse.RawTextHelpFormatter
)
parser.add_argument("-command", action="store", dest="command", required=True, help="choose VRFY, EXPN, RCPT or ALL")
parser.add_argument('-T',
help='files containing host:port entries',
default='',
dest='target_fn'
)
parser.add_argument('-t',
help='target hosts',
default=[],
nargs='+',
dest='targets',
)
parser.add_argument('-port',
help='target port (default 25)',
dest='port',
default=25,
type=int
)
parser.add_argument('-delay',
help='delay in between requests',
dest='delay',
default=0.0,
type=float
)
parser.add_argument('-u',
help='usernames',
default=[],
nargs='+',
dest='users',
)
parser.add_argument('-U',
help='file containing one username per line',
default='',
dest='user_fn',
)
parser.add_argument('-nt',
help='number of threads (default 100)',
dest='nthreads',
type=int,
default=100
)
parser.add_argument('-to',
help='Server timeout (default 3s)',
dest='timeout',
type=int,
default=3
)
parser.add_argument('-no_check',
help='disable host check',
action='store_true',
dest='no_check',
)
if not args:
parser.print_help()
sys.exit(1)
opt = parser.parse_args(args)
testusername.command = opt.command
testusername.timeout = opt.timeout
if opt.command != "VRFY" and opt.command != "EXPN" and opt.command != "RCPT" and opt.command != "ALL":
parser.print_help()
print("command must either be 'VRFY', 'EXPN', 'RCPT' or 'ALL'")
sys.exit(1)
try:
ig_targets = cTuples.cInputGenerator(data=opt.targets,
filename=opt.target_fn,
circle=False,
prepare_cb=cUtil.isUp,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=[opt.port],
noResolve=True,
),
maxthreads=opt.nthreads
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users], prep_callback=testusername, delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
opt = parse(args)
global tls_versions
tls_versions = opt.tlsv
hb_test.OUTDIR = opt.outdir
hb_test.TIMEOUT = opt.to
try:
hb_test.OUTDIR = os.path.join(__builtin__.openhome.base_dir, hb_test.OUTDIR)
except:
pass
if not os.path.exists(hb_test.OUTDIR):
os.makedirs(hb_test.OUTDIR)
else:
logger.info('%s directory already exists' % hb_test.OUTDIR)
# check access permissions
if not os.access(hb_test.OUTDIR, os.R_OK):
print 'Error %s not readable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.W_OK):
print 'Error %s not writable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.X_OK):
print 'Error %s not executable' % hb_test.OUTDIR
sys.exit(1)
start = datetime.now()
ig_targets = cTuples.cInputGenerator(data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(t,
ports=opt.ports,
noSplit=True,
noResolve=False),
maxthreads=opt.nthreads
)
ig_targets.start()
tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=hb_test,
maxthreads=opt.nthreads,
delay=opt.delay)
tuples.start()
n = 0
n_vuln = 0
n_notvuln = 0
n_down = 0
timestamp = time.strftime("%Y-%m-%d_%H:%M:%S")
fd_vuln = open(os.path.join(hb_test.OUTDIR, 'vulnerable_%s' % timestamp), 'w')
fd_notvuln = open(os.path.join(hb_test.OUTDIR, 'not_vulnerable_%s' % timestamp), 'w')
fd_down = open(os.path.join(hb_test.OUTDIR, 'down_%s' % timestamp), 'w')
fmt = '{:60}{:<20}'
print
print 'Started scan for CVE-2014-0160'
print 'Testing ports: %s' % ', '.join(map(str, opt.ports))
print 'Testing tls versions: %s' % ', '.join(map(str, opt.tlsv))
print
print '-' * 80
print
for vulnerable, target, hostname, fn, sample, errors in tuples.tuple_q:
n += 1
if vulnerable in opt.tlsv:
if dbh:
br = ccd.HeartbleedResult(
ip=target[0],
fqdn=hostname,
port=target[1],
sample=grep_ascii(sample),
risk=9,
tlsv=vulnerable,
)
dbh.add(br)
if not hostname:
hostname = target[0]
n_vuln += 1
fd_vuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_vuln.write('Warning: errors occured -> %s\n' % ', '.join(errors))
fd_vuln.flush()
if errors:
print fmt.format('\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format('\033[91m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\t%d bytes stored in %s' % (len(sample), fn)
elif vulnerable == 'NOT_VULN':
if dbh:
br = ccd.HeartbleedResult_NV(
ip=target[0],
fqdn=hostname,
port=target[1],
risk=0,
tlsv='-'
)
dbh.add(br)
if not hostname:
hostname = target[0]
n_notvuln += 1
fd_notvuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_notvuln.write('\nWarning: errors occured -> %s' % ', '.join(errors))
fd_notvuln.flush()
if errors:
print fmt.format('\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format('\033[92m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
elif vulnerable == 'DOWN':
n_down += 1
fd_down.write('%s:%d\n' % (hostname, target[1]))
fd_down.flush()
tuples.join()
print
print '-' * 80
print
print 'Finished scan in %f seconds' % cUtil.secs(start)
print
print '%d targets tested' % n
print '%d targets found vulnerable (see %s)' % (n_vuln, fd_vuln.name)
print '%d targets found not vulnerable (see %s)' % (n_notvuln, fd_notvuln.name)
print '%d targets were down (see %s)' % (n_down, fd_down.name)
fd_vuln.close()
fd_notvuln.close()
fd_down.close()
def __init__(self,
args,
dbh=None):
"""
Initialize and run TelnetBruteforce
input:
args cmdline arguments without argv[0]
dbh database handler
"""
self.dbh = dbh
opt = parse(args)
# configure bruteforce parameters for all targets
brute.to = opt.to
brute.tls = opt.tls
expand_cb = lambda t: cUtil.mkIP2(t,
ports=[opt.port],
noResolve=True
)
prepare_cb = cUtil.isUp
if opt.no_check:
prepare_cb = None
try:
ig_targets = cTuples.cInputGenerator(data=opt.targets,
filename=opt.target_fn,
circle=False,
prepare_cb=prepare_cb,
expand_cb=expand_cb,
maxthreads=opt.nthreads,
)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
try:
ig_passw = cTuples.cInputGenerator(data=opt.passw,
filename=opt.passw_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Passwords specified, please use the -p/P parameter to set password(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
ig_passw.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users, ig_passw],
prep_callback=brute,
maxthreads=opt.nthreads,
delay=opt.delay)
self.tuples.start()
def __init__(self, args, dbh=None):
opt = parse(args)
global tls_versions
tls_versions = opt.tlsv
hb_test.OUTDIR = opt.outdir
hb_test.TIMEOUT = opt.to
try:
hb_test.OUTDIR = os.path.join(__builtin__.openhome.base_dir,
hb_test.OUTDIR)
except:
pass
if not os.path.exists(hb_test.OUTDIR):
os.makedirs(hb_test.OUTDIR)
else:
logger.info('%s directory already exists' % hb_test.OUTDIR)
# check access permissions
if not os.access(hb_test.OUTDIR, os.R_OK):
print 'Error %s not readable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.W_OK):
print 'Error %s not writable' % hb_test.OUTDIR
sys.exit(1)
if not os.access(hb_test.OUTDIR, os.X_OK):
print 'Error %s not executable' % hb_test.OUTDIR
sys.exit(1)
start = datetime.now()
ig_targets = cTuples.cInputGenerator(
data=opt.target,
filename=opt.target_fn,
circle=False,
expand_cb=lambda t: cUtil.mkIP2(
t, ports=opt.ports, noSplit=True, noResolve=False),
maxthreads=opt.nthreads)
ig_targets.start()
tuples = cTuples.cTuples(inputs=[ig_targets],
prep_callback=hb_test,
maxthreads=opt.nthreads,
delay=opt.delay)
tuples.start()
n = 0
n_vuln = 0
n_notvuln = 0
n_down = 0
timestamp = time.strftime("%Y-%m-%d_%H:%M:%S")
fd_vuln = open(
os.path.join(hb_test.OUTDIR, 'vulnerable_%s' % timestamp), 'w')
fd_notvuln = open(
os.path.join(hb_test.OUTDIR, 'not_vulnerable_%s' % timestamp), 'w')
fd_down = open(os.path.join(hb_test.OUTDIR, 'down_%s' % timestamp),
'w')
fmt = '{:60}{:<20}'
print
print 'Started scan for CVE-2014-0160'
print 'Testing ports: %s' % ', '.join(map(str, opt.ports))
print 'Testing tls versions: %s' % ', '.join(map(str, opt.tlsv))
print
print '-' * 80
print
for vulnerable, target, hostname, fn, sample, errors in tuples.tuple_q:
n += 1
if vulnerable in opt.tlsv:
if dbh:
br = ccd.HeartbleedResult(
ip=target[0],
fqdn=hostname,
port=target[1],
sample=grep_ascii(sample),
risk=9,
tlsv=vulnerable,
)
dbh.add(br)
if not hostname:
hostname = target[0]
n_vuln += 1
fd_vuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_vuln.write('Warning: errors occured -> %s\n' %
', '.join(errors))
fd_vuln.flush()
if errors:
print fmt.format(
'\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format(
'\033[91m%s:%d\033[0m' % (hostname, target[1]),
'is vulnerable, tlsv %s' % vulnerable)
print '\t%d bytes stored in %s' % (len(sample), fn)
elif vulnerable == 'NOT_VULN':
if dbh:
br = ccd.HeartbleedResult_NV(ip=target[0],
fqdn=hostname,
port=target[1],
risk=0,
tlsv='-')
dbh.add(br)
if not hostname:
hostname = target[0]
n_notvuln += 1
fd_notvuln.write('%s:%d\n' % (hostname, target[1]))
if errors:
fd_notvuln.write('\nWarning: errors occured -> %s' %
', '.join(errors))
fd_notvuln.flush()
if errors:
print fmt.format(
'\033[93m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
print '\tError(s): %s' % ', '.join(errors)
else:
print fmt.format(
'\033[92m%s:%d\033[0m' % (hostname, target[1]),
'is not vulnerable')
elif vulnerable == 'DOWN':
n_down += 1
fd_down.write('%s:%d\n' % (hostname, target[1]))
fd_down.flush()
tuples.join()
print
print '-' * 80
print
print 'Finished scan in %f seconds' % cUtil.secs(start)
print
print '%d targets tested' % n
print '%d targets found vulnerable (see %s)' % (n_vuln, fd_vuln.name)
print '%d targets found not vulnerable (see %s)' % (n_notvuln,
fd_notvuln.name)
print '%d targets were down (see %s)' % (n_down, fd_down.name)
fd_vuln.close()
fd_notvuln.close()
fd_down.close()
def parse(self, args):
description = "### SMTP user enumeration ###\n" + \
"It is based on the SMTP commands: VRFY, EXPN, RCPT.\n" + \
"Results may be inaccurate (false positives) as not all SMTP servers act the same.\n" +\
"Furthermore, this script does not support StartTLS or authentication.\n" +\
"To inspect the server's resonse, use the -v verbosity switch.\n" +\
"Output of valid usernames are in the form of: [username]\n\n"
epilog = """Examples:
smtp_user_enum.plg -command ALL -U users.txt -t 192.168.1.136
"""
parser = argparse.ArgumentParser(
description=description,
epilog=epilog,
formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument("-command",
action="store",
dest="command",
required=True,
help="choose VRFY, EXPN, RCPT or ALL")
parser.add_argument('-T',
help='files containing host:port entries',
default='',
dest='target_fn')
parser.add_argument(
'-t',
help='target hosts',
default=[],
nargs='+',
dest='targets',
)
parser.add_argument('-port',
help='target port (default 25)',
dest='port',
default=25,
type=int)
parser.add_argument('-delay',
help='delay in between requests',
dest='delay',
default=0.0,
type=float)
parser.add_argument(
'-u',
help='usernames',
default=[],
nargs='+',
dest='users',
)
parser.add_argument(
'-U',
help='file containing one username per line',
default='',
dest='user_fn',
)
parser.add_argument('-nt',
help='number of threads (default 100)',
dest='nthreads',
type=int,
default=100)
parser.add_argument('-to',
help='Server timeout (default 3s)',
dest='timeout',
type=int,
default=3)
parser.add_argument(
'-no_check',
help='disable host check',
action='store_true',
dest='no_check',
)
if not args:
parser.print_help()
sys.exit(1)
opt = parser.parse_args(args)
testusername.command = opt.command
testusername.timeout = opt.timeout
if opt.command != "VRFY" and opt.command != "EXPN" and opt.command != "RCPT" and opt.command != "ALL":
parser.print_help()
print("command must either be 'VRFY', 'EXPN', 'RCPT' or 'ALL'")
sys.exit(1)
try:
ig_targets = cTuples.cInputGenerator(
data=opt.targets,
filename=opt.target_fn,
circle=False,
prepare_cb=cUtil.isUp,
expand_cb=lambda t: cUtil.mkIP2(
t,
ports=[opt.port],
noResolve=True,
),
maxthreads=opt.nthreads)
except cTuples.ENoInput:
print 'Error: No Targets specified, please use the -t/T parameter to set target(s)'
sys.exit(1)
try:
ig_users = cTuples.cInputGenerator(data=opt.users,
filename=opt.user_fn,
circle=True)
except cTuples.ENoInput:
print 'Error: No Usernames specified, please use the -u/U parameter to set usernames(s)'
sys.exit(1)
ig_targets.start()
ig_users.start()
self.tuples = cTuples.cTuples(inputs=[ig_targets, ig_users],
prep_callback=testusername,
delay=opt.delay)
self.tuples.start()
