def metasploit_detect_vulns(self, cmd_output):
r = SmartModuleResult()
if 'VULNERABLE to MS17-010' in cmd_output:
r.add_option('vuln-ms17-010', 'true')
return r
def patator_valid_creds(self, cmd_output):
r = SmartModuleResult()
m = re.findall('[0-9]+ \| (\S+):(\S*)\s+\|', cmd_output)
if m:
for username, password in m:
r.add_credentials(username, password)
return r
def smtpuserenum_valid_users(self, cmd_output):
r = SmartModuleResult()
m = re.findall(': (\S+) exists', cmd_output)
if m:
for username in m:
r.add_username(username)
return r
def wig_detect_cms_server_language(self, cmd_output):
MAPPING_WIG = {
'Magento Enterprise Edition': 'magento',
'ASP.NET': 'asp',
}
r = SmartModuleResult()
try:
m = re.findall('m([a-zA-Z ]+[a-zA-Z]).*(CMS|Platform)\s+',
cmd_output[cmd_output.index('VERSION'):])
if m:
for val, typ in m:
if val in MAPPING_WIG.keys():
val = MAPPING_WIG[val]
val = val.replace(' ', '-')
if typ == 'CMS':
if val.lower() in self.supported_list_options['cms']:
r.add_option('cms', val.lower())
else:
if val.lower(
) in self.supported_list_options['server']:
r.add_option('server', val.lower())
elif val.lower(
) in self.supported_list_options['language']:
r.add_option('language', val.lower())
except:
pass
return r
def jmxbf_valid_creds(self, cmd_output):
r = SmartModuleResult()
m = re.findall('We got a valid connection for: (\S+):(\S*)', cmd_output)
if m:
for username, password in m:
r.add_credentials(username, password)
return r
def ajpy_valid_creds(self, cmd_output):
r = SmartModuleResult()
m = re.findall('Found valid credz: (\S+):(\S*)', cmd_output)
if m:
for username, password in m:
r.add_credentials(username, password)
return r
def msf_tomcat_enum_usernames(self, cmd_output):
r = SmartModuleResult()
m = re.findall('Apache Tomcat (.*) found', cmd_output)
if m:
for username in m:
r.add_username(username, auth_type='tomcat')
return r
def osueta_valid_usernames(self, cmd_output):
r = SmartModuleResult()
m = re.findall('\[\+\] User: (\S+) exists', cmd_output)
if m:
for username in m:
r.add_username(username)
return r
def msdat_valid_creds(self, cmd_output):
r = SmartModuleResult()
m = re.findall('Valid credential: \'(\S+)\'/\'(\S+)\'', cmd_output)
if m:
for username, password in m:
r.add_credentials(username, password)
return r
def nmap_detect_jmx_and_rmissl(self, cmd_output):
r = SmartModuleResult()
if 'jmxrmi' in cmd_output:
r.add_option('jmx', 'true')
if 'ssl' in cmd_output:
r.add_option('rmissl', 'true')
return r
def cmseek_detect_cms(self, cmd_output):
r = SmartModuleResult()
m = re.search('Detected CMS: (?P<cms>[a-zA-Z ]+[a-zA-Z])', cmd_output)
if m:
cms = m.group('cms').replace(' ', '-').lower()
if cms in self.supported_list_options['cms']:
r.add_option('cms', cms)
return r
def domiowned_valid_creds(self, cmd_output):
r = SmartModuleResult()
m = re.findall('^(\S+)\s+(\S+)\s+(Admin|User)\s*$',
cmd_output,
flags=re.MULTILINE)
if m:
for username, password in m:
r.add_credentials(username, password, auth_type='lotusdomino')
return r
def clusterd_detect_server(self, cmd_output):
r = SmartModuleResult()
m = re.search(
'Matched .* fingerprints for service (?P<server>[a-zA-Z]+)',
cmd_output)
if m:
server = m.group('server').lower()
if server in self.supported_list_options['server']:
r.add_option('server', server)
return r
def wpscan_valid_usernames(self, cmd_output):
r = SmartModuleResult()
try:
m = re.findall(
'\|\s+[0-9]+\s+\|\s+(\S+)\s+\|.*\|',
cmd_output[cmd_output.index('Enumerating usernames'):])
if m:
for username in m:
r.add_username(username)
except:
pass
return r
def wpseku_valid_usernames(self, cmd_output):
r = SmartModuleResult()
try:
m = re.findall('\|\s+[0-9]+\s+\|.*\|\s+(\S+)\s+\|',
cmd_output[cmd_output.index('Enumerating userds'):])
if m:
if 'None' in m:
m.remove('None')
for username in m:
r.add_username(username, auth_type='wordpress')
except:
pass
return r
def changeme_valid_creds(self, cmd_output):
MAPPING_CHANGEME = {
'Apache Tomcat': 'tomcat',
'Apache Tomcat Host Manager': 'tomcat',
'Oracle Glassfish': 'glassfish',
'JBoss AS 6': 'jboss',
'JBoss AS 6 Alt': 'jboss',
}
r = SmartModuleResult()
m = re.findall('[+] Found (.*) default cred (.*):(.*)', cmd_output)
if m:
for name, username, password in m:
if name in MAPPING_CHANGEME.keys():
name = MAPPING_CHANGEME[name]
name = name.replace(' ', '-').lower()
if name in self.auth_types:
r.add_credentials(username, password, auth_type=name)
return r
def nmap_detect_vulns(self, cmd_output):
r = SmartModuleResult()
if re.search(
'Microsoft Windows system vulnerable to remote code execution \(MS08-067\)\s*(\r\n|\r|\n)\|\s*State: VULNERABLE',
cmd_output, re.IGNORECASE):
r.add_option('vuln-ms08-067', 'true')
if re.search(
'Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\s*(\r\n|\r|\n)\|\s*State: VULNERABLE',
cmd_output, re.IGNORECASE):
r.add_option('vuln-ms17-010', 'true')
if re.search(
'SAMBA Remote Code Execution from Writable Share\s*(\r\n|\r|\n)\|\s*State: VULNERABLE',
cmd_output, re.IGNORECASE):
r.add_option('vuln-sambacry', 'true')
return r
def tnscmd_sid(self, cmd_output):
r = SmartModuleResult()
m = re.search('ALIAS=(listener_)?(?P<sid>[a-zA-Z0-9]+)\)', cmd_output)
if m:
r.add_option('sid', m.group('sid'))
return r
def start(self, service):
# Mapping Nmap banner (lowercase) => context-specific option value
MAPPING_BANNER = {
'domino': 'lotusdomino',
}
# Mapping from Wappalyzer output (lowercase) => context-specific option value
MAPPING_WAPPALYZER = {
'apache-tomcat': 'tomcat',
'jboss-application-server': 'jboss',
'jboss-web': 'jboss',
'lotus-domino': 'lotusdomino',
'microsoft-asp.net': 'asp',
'adobe-coldfusion': 'coldfusion',
}
result = SmartModuleResult()
# Autodetect https
if service.url.lower().startswith('https://'):
logger.info('HTTPS protocol detected from URL')
result.add_option('https', 'true')
# Try to detect server from banner
if service.banner:
banner = service.banner.lower()
detected = None
for server in self.supported_list_options['server']:
if server in banner:
result.add_option('server', server)
detected = server
for server in MAPPING_BANNER.keys():
if server in banner:
result.add_option('server', server)
detected = server
if detected:
logger.info('Server detected from banner: {server}'.format(
server=detected))
# Autodetect web technos using Wappalyzer
try:
#print(WebPage(service.url).info())
technos = list(
map(lambda x: x.lower().replace(' ', '-'),
WebPage(service.url).info()['apps'].split(';')))
logger.smartinfo(
'Wappalyzer fingerprinting returns: {}'.format(technos))
for tech in technos:
if tech in MAPPING_WAPPALYZER.keys():
tech = MAPPING_WAPPALYZER[tech]
if tech in self.supported_list_options['language']:
result.add_option('language', tech)
elif tech in self.supported_list_options['cms']:
result.add_option('cms', tech)
elif tech in self.supported_list_options['server']:
result.add_option('server', tech)
except Exception as e:
logger.error('Wappalyzer error: {}'.format(e))
return result
def sjet_auth_disabled(self, cmd_output):
r = SmartModuleResult()
if 'Successfully loaded' in cmd_output:
r.add_option('jmxauthdisabled', 'true')
return r
def wpseku_valid_creds(self, cmd_output):
#TODO
r = SmartModuleResult()
return r
def nmap_detect_ftps(self, cmd_output):
r = SmartModuleResult()
if re.search('open(\s+)ftps', cmd_output):
r.add_option('ftps', 'true')
return r