def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name":
self.proto + "_nmap_" + self.port,
"cmd":
'nmap -n -sV --script memcached-info -p ' + self.port + ' ' +
self.host,
"shell":
True,
"chain":
False
},
{
"name": self.proto + "_stats_" + self.port,
"cmd":
'echo -e "stats\n" | nc -vn ' + self.host + ' ' + self.port,
"shell": True,
"chain": False
},
]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
msfmodules = [
{
"path": "auxiliary/scanner/sap/sap_service_discovery",
"toset": {
"RHOSTS": self.host
}
},
{
"path": "auxiliary/scanner/sap/sap_router_info_request",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
]
self.cmds.append({
"name": self.proto + "_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules),
"shell": True,
"chain": False
})
def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.cmds = [
{"name": self.proto + "_nmap_"+self.port, "cmd": 'nmap -n --scripts "imap* and default" -sV -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
]
if self.proto == "imap":
self.cmds.append({"name": self.proto + "_version_"+self.port, "cmd": 'nc -w 10 -q 1 -vn ' + self.host + ' ' + self.port + ' </dev/null', "shell": True, "chain": False})
else:
self.cmds.append({"name": self.proto + "_version_"+self.port, "cmd": 'echo "A1 Logout" | openssl s_client -connect '+self.host+':'+self.port+' -crlf -quiet', "shell": True, "chain": False})
msfmodules = [{"path": "auxiliary/scanner/imap/imap_version", "toset": {"RHOSTS": self.host, "RPORT": self.port}}]
self.cmds.append({"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
ssl = " -S " if self.proto is "imaps" else "" # Check if SSL is needed
if username != "":
self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -l '+self.username+' -P '+self.plist + ssl +' -s '+self.port+' '+self.host+' imap', "shell": True, "chain": False}]
else:
self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -L ' + self.ulist + ' -P '+self.plist + ssl +' -s ' + self.port + ' ' + self.host + ' imap', "shell": True, "chain": False}]
def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.cmds = [
{"name": "ftp_nmap_"+self.port, "cmd": 'nmap -n -sV --script "ftp* and default" -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
{"name": "ftp_version_"+self.port, "cmd": 'nc -w 10 -q 1 -vn ' + self.host + ' ' + self.port + ' </dev/null', "shell": True, "chain": False},
]
msfmodules = [{"path": "auxiliary/scanner/ftp/anonymous", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
{"path": "auxiliary/scanner/ftp/ftp_version", "toset": {"RHOSTS": self.host, "RPORT": self.port}},]
self.cmds.append({"name": "ftp_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})
if self.intensity >= "2":
self.cmds.append({"name": "ftp_nmap_vuln_"+self.port, "cmd": 'nmap -sV --script "ftp* and vuln" -p ' + self.port + ' ' + self.host, "shell": True, "chain": False})
msfmodules_vuln = [
{"path": "auxiliary/scanner/ftp/bison_ftp_traversal", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
{"path": "auxiliary/scanner/ftp/colorado_ftp_traversal", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
{"path": "auxiliary/scanner/ftp/easy_file_sharing_ftp", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
{"path": "auxiliary/scanner/ftp/konica_ftp_traversal", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
{"path": "auxiliary/scanner/ftp/pcman_ftp_traversal", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
{"path": "auxiliary/scanner/ftp/titanftp_xcrc_traversal", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
]
self.cmds.append({"name": "ftp_msf_vuln_"+self.port, "cmd": self.create_msf_cmd(msfmodules_vuln), "shell": True, "chain": False})
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
if username != "":
self.cmds = [{"name": "ftp_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -l '+self.username+' -P '+self.plist+' -s '+self.port+' '+self.host+' ftp', "shell": True, "chain": False}]
else:
self.cmds = [{"name": "ftp_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist + ' -s ' + self.port + ' ' + self.host + ' ftp',"shell": True, "chain": False}]
def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.cmds = [
{"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -n --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
]
msfmodules = [{"path": "auxiliary/scanner/mssql/mssql_ping", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
]
self.cmds.append({"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})
if self.intensity >= "2":
self.extra_info = "If you set the username and password, more authenticated metasploit modules will be executed."
if username != "" and password != "":
msfmodules_auth = [
{"path": "auxiliary/admin/mssql/mssql_enum", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
{"path": "admin/mssql/mssql_enum_domain_accounts", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
{"path": "admin/mssql/mssql_enum_sql_logins", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
{"path": "auxiliary/admin/mssql/mssql_escalate_dbowner", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
{"path": "auxiliary/admin/mssql/mssql_escalate_execute_as", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
{"path": "auxiliary/admin/mssql/mssql_exec", "toset": {"RHOSTS": self.host, "RPORT": self.port, "CMD": "ipconfig", "USERNAME": self.username, "PASSWORD": self.password}},
{"path": "auxiliary/admin/mssql/mssql_findandsampledata", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
{"path": "auxiliary/scanner/mssql/mssql_hashdump", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
{"path": "auxiliary/scanner/mssql/mssql_schemadump", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
]
self.cmds.append({"name": self.proto+"_msf_auth_"+self.port, "cmd": self.create_msf_cmd(msfmodules_auth), "shell": True, "chain": False})
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
if username != "":
self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -l '+self.username+' -P '+self.plist+' -s '+self.port+' '+self.host+' mssql', "shell": True, "chain": False}]
else:
self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist + ' -s ' + self.port + ' ' + self.host + ' mssql', "shell": True, "chain": False}]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
if username != "":
self.cmds = [{
"name":
self.proto + "_brute_hydra_" + self.port,
"cmd":
'hydra -f -e ns -l ' + self.username + ' -s ' + self.port +
' ' + self.host + ' rsh',
"shell":
True,
"chain":
False
}]
else:
self.cmds = [{
"name":
self.proto + "_brute_hydra_" + self.port,
"cmd":
'hydra -f -e ns -L ' + self.ulist + ' -s ' + self.port +
' ' + self.host + ' rsh',
"shell":
True,
"chain":
False
}]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [{
"name": self.proto + "_rpcdump",
"cmd": 'python $(which rpcdump.py) -p 135 ' + self.host +
" || echo 'rpcdump.py is not in path!'",
"shell": True,
"chain": False
}, {
"name":
self.proto + "_nmap_" + self.port,
"cmd":
"nmap -n -sV --script=msrpc-enum -p " + self.port + " " +
self.host,
"shell":
True,
"chain":
False
}]
msfmodules = [{
"path": "scanner/dcerpc/endpoint_mapper",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
}, {
"path": "auxiliary/scanner/dcerpc/management",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
}, {
"path": "auxiliary/scanner/dcerpc/tcp_dcerpc_auditor",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
}, {
"path": "auxiliary/scanner/dcerpc/hidden",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
}]
self.cmds.append({
"name": self.proto + "_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules),
"shell": True,
"chain": False
})
def __init__(self, parser, host, port, workdir, proto, intensity, username, ulist, password, plist, notuse, engine, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
self.parser = parser
Warrior.__init__(self, host, port, workdir, general_protocol, intensity, username, ulist, password, plist, notuse, engine, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.engine, self.ipv6 = "", ""
self.protohelp = False
self.checked = []
self.stop = False
self.ws = []
self.myexecuted = []
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name":
"ntp_nmap",
"cmd":
'nmap -n -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p '
+ self.port + " " + self.host,
"shell":
False,
"chain":
False
},
{
"name": "ntpq_readvar",
"cmd": 'ntpq -c readvar ' + self.host,
"shell": False,
"chain": False
},
{
"name": "ntpq_monlist",
"cmd": 'ntpq -c monlist ' + self.host,
"shell": False,
"chain": False
},
{
"name": "ntpq_peers",
"cmd": 'ntpq -c peers ' + self.host,
"shell": False,
"chain": False
},
{
"name": "ntpq_listpeers",
"cmd": 'ntpq -c listpeers ' + self.host,
"shell": False,
"chain": False
},
{
"name": "ntpq_ntpversion",
"cmd": 'ntpq -c ntpversion ' + self.host,
"shell": False,
"chain": False
},
{
"name": "ntpq_sysinfo",
"cmd": 'ntpq -c sysinfo ' + self.host,
"shell": False,
"chain": False
},
]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.workdir = self.workdir + "/../"
if self.ip != "":
self.cmds = [{
"name": "udp-proto-scanner",
"cmd": 'udp-proto-scanner.pl ' + self.ip,
"shell": False,
"chain": False
}]
self.cmds += [
{
"name": "nmap_udp",
"cmd":
'nmap -sU -sV -T 4 -oA ' + self.workdir + 'nmapu ' + self.host,
"shell": False,
"chain": False
},
{
"name":
"nmap_init",
"cmd":
'nmap -sV -sC -O -T 4 -oA ' + self.workdir + 'nmapi ' +
self.host,
"shell":
False,
"chain":
True
},
{
"name":
"nmap_full_fast",
"cmd":
'nmap -sV -sC -T 4 -p - -oA ' + self.workdir + 'nmapff ' +
self.host,
"shell":
False,
"chain":
True
},
{
"name": "nmap_full",
"cmd":
'nmap -sV -sC -p - -oA ' + self.workdir + 'nmapf ' + self.host,
"shell": False,
"chain": False
},
#{"name": "nmap_udp_full", "cmd": 'nmap -sU -sV -p - ' + self.host, "shell": False, "chain": False}
]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name":
"mongodb_nmap_" + self.port,
"cmd":
'nmap -n -sV --script "mongo* and default" -p ' + self.port +
' ' + self.host,
"shell":
True,
"chain":
False
},
]
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
if username != "":
msfmodules_brute = [{
"path": "auxiliary/scanner/mongodb/mongodb_login",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port,
"BLANK_PASSWORDS": "true",
"USER_AS_PASS": "******",
"USERNAME": self.username,
"PASS_FILE": self.plist
}
}]
else:
msfmodules_brute = [
{
"path": "auxiliary/scanner/mongodb/mongodb_login",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port,
"BLANK_PASSWORDS": "true",
"USER_AS_PASS": "******",
"USER_FILE": self.username,
"PASS_FILE": self.plist
}
},
]
self.cmds = [{
"name": "mongodb_brute_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules_brute),
"shell": True,
"chain": False
}]
def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.cmds = [
{"name": "ldap_nmap_"+self.port, "cmd": 'nmap -n -sV --script "ldap* and not brute" -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
]
if self.intensity >= "2":
if username != "" and password != "" and domain != "":
self.cmds.append({"name": "ldapdomaindump", "cmd": "ldapdomaindump --no-json --no-grep --authtype SIMPLE -o "+self.workdir+" -r " +self.host+ " -u '" + self.domain + "\\" + self.username + "' -p '" + self.password+"' && echo 'To see the HTML output go to: "+self.workdir+"'", "shell": True, "chain": False})
def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.cmds = [
{"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -sV -n --script "rsync-list-modules" -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
]
msfmodules = [{"path": "auxiliary/scanner/rsync/modules_list", "toset": {"RHOSTS": self.host, "RPORT": self.port}}]
self.cmds.append({"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})
if self.intensity == "3": # TODO: add bruteforce only for 1 user
self.cmds.append({"name": self.proto+"_brute_nmap_"+self.port, "cmd": 'nmap -sV --script rsync-brute --script-args userdb='+self.ulist+',passdb='+self.plist+' -p '+self.port+' '+self.host, "shell": True, "chain": False})
def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.cmds = [
{"name": self.proto+"_cmd", "cmd": 'finger @' + self.host, "shell": True, "chain": False},
{"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -n -sV --script finger -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
]
msfmodules = [{"path": "auxiliary/scanner/finger/finger_users", "toset": {"RHOSTS": self.host, "RPORT": self.port}}]
self.cmds.append({"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})
if self.intensity >= "2":
self.cmds.append({"name": self.proto+"_execution", "cmd": 'finger "|/bin/id@' + self.host+'"', "shell": True, "chain": False})
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name":
self.proto + "_nmap_" + self.port,
"cmd":
'nmap -n -sV --script cassandra-info -p ' + self.port + ' ' +
self.host,
"shell":
True,
"chain":
False
},
]
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
if username != "":
self.cmds = [{
"name":
self.proto + "_brute_nmap_" + self.port,
"cmd":
'nmap -n -sV --script cassandra-brute --script-args userdb='
+ self.username + ',passdb=' + self.plist + ' -p ' +
self.port + ' ' + self.host,
"shell":
True,
"chain":
False
}]
else:
self.cmds = [{
"name":
self.proto + "_brute_nmap_" + self.port,
"cmd":
'nmap -n -sV --script cassandra-brute --script-args userdb='
+ self.ulist + ',passdb=' + self.plist + ' -p ' +
self.port + ' ' + self.host,
"shell":
True,
"chain":
False
}]
def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.cmds=[
{"name": self.proto+"_nikto_"+self.port, "cmd": 'echo n | nikto -nointeractive -maxtime 45m -timeout 60 -host '+self.proto_host_port_path+' -Plugins "paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index;strutshock;dishwasher;paths;docker_registry;origin_reflection;dir_traversal;multiple_index"', "shell": True, "chain": False},
{"name": self.proto+"_whatweb_"+self.port, "cmd": "whatweb -a 3 "+self.proto_host_port_path, "shell": False, "chain": False},
{"name": self.proto + "_robots_"+self.port, "cmd": 'curl ' + self.proto_host_port + '/robots.txt -L -k --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" --connect-timeout 30 --max-time 180', "shell": True, "chain": False},
{"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -n -sV --script "(http* and not (dos or brute) and not http-xssed)" -p '+self.port+' '+self.host, "shell": True, "chain": False},
{"name": self.proto+"_wafw00f_"+self.port, "cmd": 'wafw00f '+self.proto_host_port_path, "shell": False, "chain": False},
{"name": self.proto+"_fast_dirsearch_"+self.port, "cmd": "dirsearch -F -r -u " + self.proto_host_port_path + " -e " + self.extensions, "shell": False,"chain": False},
{"name": self.proto+"_dirhunt_"+self.port, "cmd": "dirhunt "+self.proto_host_port_path, "shell": False, "chain": False},
#{"name": "gobuster", "cmd": "gobuster -k -fw -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u "+self.proto_host_port_path+" -x html,txt,"+self.extensions, "shell": False, "chain": False},
#{"name":"dirb","cmd": "dirb -S " + self.proto_host_port_path + " -X ." + self.extensions.replace(",",",."), "shell": False, "chain": False}, #Dirb needs the extension with a point. The flag '-f' in dirsearch makes it behave like dirb (force ext and "/")
{"name": self.proto+"_cmsmap_"+self.port, "cmd": 'echo "y" | cmsmap -s '+self.proto_host_port_path, "shell": True, "chain": False},
{"name": self.proto + "_curl_put_"+self.port, "cmd": 'curl -v -X PUT -d "Hey! I am a PUT" ' + self.proto_host_port_path + "/legion.txt", "shell": True, "chain": False},
]
#if self.domain and self.ip:
# self.cmds.append({"name": self.proto+"_vhost-brute", "cmd": "vhost-brute.php --domain "+self.domain+" --ip "+self.ip+" --wordlist "+self.wordlists_path+'/subdomains.txt' + (" --ssl" if self.proto == "https" else ""), "shell": False, "chain": False})
if self.proto == "https":
self.cmds.append({"name": "https_sslscan_"+self.port, "cmd": "sslscan "+self.host_port, "shell": False, "chain": False})
self.cmds.append({"name": "https_sslyze_"+self.port, "cmd": "sslyze --regular "+self.host_port, "shell": False, "chain": False})
self.cmds.append({"name": "https_ssl_nmap_"+self.port, "cmd": 'nmap -sV --script "ssl-* and not brute and not dos" -p ' + self.port + " " +self.host, "shell": True, "chain": False})
if self.intensity >= "2":
self.cmds.append({"name": self.proto + "_medium_dirsearch_"+self.port, "cmd": "dirsearch -f -F -r -u " + self.proto_host_port_path + " -e " + self.extensions + " -w /usr/share/dirb/wordlists/common.txt", "shell": False, "chain": False})
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames. The default 'path' is '/'."
if username != "":
self.cmds = [{"name": self.proto + "_brute_hydra_"+self.port, "cmd": "hydra -l "+self.username+" -P "+self.plist+" "+self.host+" "+self.proto+"-get -s "+self.port+" -f -e ns -m "+self.path, "shell": False, "chain": False}]
else:
self.cmds = [{"name": self.proto + "_brute_hydra_"+self.port, "cmd": "hydra -L "+self.ulist+" -P "+self.plist+" "+self.host+" "+self.proto+"-get -s "+self.port+" -f -e ns -m "+self.path, "shell": False, "chain": False}]
dav_auth = "-auth "+self.username+":"+self.password+" " if (self.username and self.password) else ""
self.demand_cmds=[
{"name": self.proto + "_slow_dirsearch_"+self.port, "cmd": "dirsearch -f -F -u " + self.proto_host_port + " -e " + self.extensions + " -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt", "shell": False, "chain": False},
{"name": self.proto + "_sqlmap_"+self.port, "cmd": "sqlmap -u "+self.proto_host_port_path+" --batch --crawl=3 --forms --random-agent --level 1 --risk 1 -f -a" , "shell": False, "chain": False},
{"name": self.proto + "_davtestmove_"+self.port, "cmd": "davtest "+dav_auth+"-move -sendbd auto -url "+self.proto_host_port_path, "shell": False, "chain": False},
{"name": self.proto + "_davtestnorm_"+self.port, "cmd": "davtest "+dav_auth+" -sendbd auto -url " + self.proto_host_port_path, "shell": False, "chain": False},
{"name": self.proto + "_wpscan_"+self.port, "cmd": "wpscan --url "+self.proto_host_port_path+" --rua --no-update --enumerate ap", "shell": False, "chain": False},
{"name": self.proto + "_cewl_"+self.port, "cmd": "cewl "+self.proto_host_port_path+" -m 6", "shell": False, "chain": False},
{"name": self.proto + "_arjun_"+self.port, "cmd": "cd "+ self.git_path+"/arjun 2>/dev/null; ./arjun.py --get -u "+self.proto_host_port_path+"; "+
"./arjun.py --post -u "+self.proto_host_port_path+"; "+
"./arjun.py --json -u "+self.proto_host_port_path+"; cd - 2>/dev/null",
"shell": True, "chain": False},
]
def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.cmds = [
{"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -n --script redis-info -sV -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
]
msfmodules = [
{"path": "auxiliary/scanner/redis/redis_server", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
]
self.cmds.append(
{"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})
if self.intensity == "3":
self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -P '+self.plist+' -s '+self.port+' '+self.host+' redis', "shell": True, "chain": False}]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name": "rpcinfo",
"cmd": 'rpcinfo ' + self.host,
"shell": False,
"chain": False
},
{
"name":
"rpc_nfs_nmap_" + self.port,
"cmd":
'nmap -n -sV --script "nfs-ls or nfs-showmount or nfs-statfs" -p '
+ self.port + ' ' + self.host,
"shell":
True,
"chain":
False
},
{
"name": self.proto + "_showmount",
"cmd": 'showmount -e ' + self.host,
"shell": True,
"chain": False
},
]
msfmodules = [{
"path": "auxiliary/scanner/nfs/nfsmount",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
}]
self.cmds.append({
"name": self.proto + "_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules),
"shell": True,
"chain": False
})
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name":
self.proto + "_nmap_" + self.port,
"cmd":
'nmap -n -sV --script "rmi-dumpregistry or rmi-vuln-classloader" '
+ self.port + ' ' + self.host,
"shell":
True,
"chain":
False
},
]
msfmodules = [
{
"path": "auxiliary/scanner/misc/java_rmi_server",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
{
"path": "auxiliary/gather/java_rmi_registry",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
]
self.cmds.append({
"name": self.proto + "_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules),
"shell": True,
"chain": False
})
def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.cmds = [
{"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -n -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p ' + self.port + ' ' + self.host, "shell": True,"chain": False},
]
msfmodules = [
{"path": "auxiliary/scanner/vnc/vnc_none_auth", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
]
self.cmds.append(
{"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
if username != "":
self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -l '+self.username+' -P '+self.plist+' -s '+self.port+' '+self.host+' vnc', "shell": True, "chain": False}]
else:
self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist + ' -s ' + self.port + ' ' + self.host + ' vnc', "shell": True, "chain": False}]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name":
self.proto + "_nmap_" + self.port,
"cmd":
'nmap-n --script modbus-discover -sV -p ' + self.port + ' ' +
self.host,
"shell":
True,
"chain":
False
},
]
msfmodules = [{
"path": "auxiliary/scanner/scada/modbusdetect",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
}, {
"path": "auxiliary/scanner/scada/modbus_findunitid",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
}]
self.cmds.append({
"name": self.modbus + "_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules),
"shell": True,
"chain": False
})
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
msfmodules = [{
"path": "auxiliary/gather/checkpoint_hostname",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
}]
self.cmds = [{
"name": self.proto + "_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules),
"shell": True,
"chain": False
}]
def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.cmds = [
{"name": "enum4linux", "cmd": 'enum4linux -a -u "'+self.username+'" -p "'+self.password+'" '+self.host, "shell": True, "chain": False},
{"name": "smb_nmap", "cmd": 'nmap -n -sV --script "(safe and smb*) or smb-enum-*" -p 135,139,445 ' + self.host, "shell": True, "chain": False},
{"name": "smbmap_"+self.port, "cmd": 'smbmap -u "'+self.username+'" -p "'+self.password+'" -H '+self.host+" -P "+self.port, "shell": True, "chain": False},
{"name": "smbclient", "cmd": "smbclient -U '"+self.username+"%"+self.password+"' -L //" + self.host, "shell": False, "chain": False},
{"name": "nbtscan", "cmd": 'nbtscan ' + self.host, "shell": False, "chain": False},
{"name": "smb_samrdump_"+self.port, "cmd": 'python $(which samrdump.py) -port ' + self.port + ' ' + self.host, "shell": False, "chain": False},
]
msfmodules = [
{"path": "auxiliary/scanner/smb/smb_version", "toset": {"RHOSTS": self.host}},
]
self.cmds.append({"name": self.proto + "_msf", "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})
if username == "" or ("<" == username[0] and ">" == username[-1]):
self.cmds.append({"name": "smbmap_guest_"+self.port, "cmd": 'smbmap -u "guest" -p "" -H '+self.host+" -P "+self.port, "shell": True, "chain": False})
self.cmds.append({"name": "smbclient_guest", "cmd": "smbclient -U 'guest%' -L //" + self.host, "shell": True, "chain": False})
self.cmds.append({"name": "enum4linux_guest", "cmd": 'enum4linux -a -u "guest" -p "" '+self.host, "shell": True, "chain": False})
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name":
self.proto + "_nmap_" + self.port,
"cmd":
'nmap -n -sV --script enip-enumerate -p ' + self.port + ' ' +
self.host,
"shell":
True,
"chain":
False
},
]
def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
self.cmds = [
{"name": "ssh_nmap_"+self.port, "cmd": 'nmap -n -sV --script "ssh-auth-methods or ssh-auth-methods or ssh2-enum-algos or sshv1" -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
{"name": "ssh_sslscan_"+self.port, "cmd": "sslscan "+self.host_port, "shell": False, "chain": False},
{"name": "ssh_sslyze_"+self.port, "cmd": "sslyze --regular "+self.host_port, "shell": False, "chain": False},
{"name": "ssh_version_"+self.port, "cmd": 'nc -w 20 -q 1 -vn ' + self.host + ' ' + self.port+ ' </dev/null', "shell": True, "chain": False},
]
msfmodules = [{"path": "auxiliary/scanner/ssh/ssh_version", "toset": {"RHOSTS": self.host, "RPORT": self.port}}]
self.cmds.append({"name": "ssh_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})
if self.intensity >= "2":
msfmodules_vulns = [{"path": "scanner/ssh/ssh_enumusers", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USER_FILE": self.ulist}},
{"path": "auxiliary/scanner/ssh/juniper_backdoor", "toset": {"RHOSTS": self.host, "RPORT": self.port}}]
self.cmds.append({"name": "ssh_msf_vuln_"+self.port, "cmd": self.create_msf_cmd(msfmodules_vulns), "shell": True, "chain": False})
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
if username != "":
self.cmds = [{"name": "ssh_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -l ' + self.username + ' -P ' + self.plist + ' -s ' + self.port + ' ' + self.host + ' ssh', "shell": True, "chain": False}]
else:
self.cmds = [{"name": "ssh_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist + ' -s ' + self.port + ' ' + self.host + ' ssh', "shell": True, "chain": False}]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name": self.proto + "_version_" + self.port,
"cmd": 'nc -w 20 -q 1 -vn ' + self.host + ' ' + self.port +
' </dev/null',
"shell": True,
"chain": False
},
]
msfmodules = [
{
"path": "auxiliary/scanner/postgres/postgres_version",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
{
"path":
"auxiliary/scanner/postgres/postgres_dbname_flag_injection",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
]
self.cmds.append({
"name": self.proto + "_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules),
"shell": True,
"chain": False
})
#Database name param needed
#if self.intensity >= "2":
# if self.username != "" and self.username[-1] != ">" and self.password != "" and self.password[-1] != ">":
# msfmodules_auth = [
# {"path": "auxiliary/scanner/postgres/postgres_hashdump", "toset": {"RHOSTS": self.host, "RPORT": self.port, "DATABASE": self.databasetodo, "USERNAME": self.username, "PASSWORD": self.password}},
# {"path": "auxiliary/scanner/postgres/postgres_schemadump", "toset": {"RHOSTS": self.host, "RPORT": self.port, "DATABASE": self.databasetodo, "USERNAME": self.username, "PASSWORD": self.password}},
# {"path": "auxiliary/admin/postgres/postgres_readfile", "toset": {"RHOSTS": self.host, "RPORT": self.port, "DATABASE": self.databasetodo, "USERNAME": self.username, "PASSWORD": self.password}},
# ]
# self.cmds.append({"name": "pgsql_msf_auth_"+self.port, "cmd": self.create_msf_cmd(msfmodules_auth), "shell": True, "chain": False})
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
if username != "":
self.cmds = [{
"name":
self.proto + "_brute_hydra_" + self.port,
"cmd":
'hydra -f -e ns -l ' + self.username + ' -P ' +
self.plist + ' -s ' + self.port + ' ' + self.host +
' postgres',
"shell":
True,
"chain":
False
}]
else:
self.cmds = [{
"name":
self.proto + "_brute_hydra_" + self.port,
"cmd":
'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist +
' -s ' + self.port + ' ' + self.host + ' postgres',
"shell":
True,
"chain":
False
}]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name":
self.proto + "_nmap_" + self.port,
"cmd":
'nmap -n --script "smtp-open-relay or (default and *smtp*)" -p '
+ self.port + ' ' + self.host,
"shell":
True,
"chain":
False
},
]
if self.proto == "smtp":
self.cmds.append({
"name":
self.proto + "_version_" + self.port,
"cmd":
'nc -w 10 -q 1 -vn ' + self.host + ' ' + self.port +
' </dev/null',
"shell":
True,
"chain":
False
})
else:
self.cmds.append({
"name":
self.proto + "_version_" + self.port,
"cmd":
'echo QUIT | openssl s_client -starttls smtp -crlf -connect ' +
self.host + ':' + self.port,
"shell":
True,
"chain":
False
})
msfmodules = [
{
"path": "auxiliary/scanner/smtp/smtp_version",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
{
"path": "auxiliary/scanner/smtp/smtp_ntlm_domain",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
{
"path": "auxiliary/scanner/smtp/smtp_relay",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
]
self.cmds.append({
"name": self.proto + "_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules),
"shell": True,
"chain": False
})
if self.intensity == 2:
self.cmds.append({
"name":
self.proto + "_nmap_vuln_" + self.port,
"cmd":
'nmap --script smtp-vuln-cve2011-1764,smtp-vuln-cve2011-1720,smtp-vuln-cve2010-4344 '
+ self.host + ' ' + self.port,
"shell":
True,
"chain":
False
})
if self.intensity == "3": # TODO: think about using other methods like RCT
self.extra_info = "By default VRFY method is used, if you want to use other (EXPN or RCPT) set it in 'path' variable."
self.extra_info += "\nYou can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
self.path = "VRFY" if self.path.upper() not in [
"EXPN", "RCPT"
] else self.path.upper()
if username != "":
self.cmds = [{
"name":
self.proto + "_brute",
"cmd":
'smtp-user-enum -M ' + self.path + ' -u ' + self.username +
' -p ' + self.port + ' -t ' + self.host,
"shell":
True,
"chain":
False
}]
else:
self.cmds = [{
"name":
self.proto + "_brute",
"cmd":
'smtp-user-enum -M ' + self.path + ' -U ' + self.ulist +
' -p ' + self.port + ' -t ' + self.host,
"shell":
True,
"chain":
False
}]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name": self.proto + "_version_" + self.port,
"cmd": 'curl http://' + self.host_port + '/',
"shell": True,
"chain": False
},
{
"name": self.proto + "_dbs_" + self.port,
"cmd": 'curl http://' + self.host_port + '/_all_dbs',
"shell": True,
"chain": False
},
]
msfmodules = [
{
"path": "auxiliary/scanner/couchdb/couchdb_enum",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
]
self.cmds.append({
"name": self.proto + "_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules),
"shell": True,
"chain": False
})
if self.intensity >= "2":
if self.username != "" and self.password != "":
msfmodules_auth = [
{
"path": "auxiliary/scanner/couchdb/couchdb_enum",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port,
"HttpUsername": self.username,
"HttpPassword": self.password
}
},
]
self.cmds.append({
"name": self.proto + "_msf_auth_" + self.port,
"cmd": self.create_msf_cmd(msfmodules_auth),
"shell": True,
"chain": False
})
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
if username != "":
msfmodules_brute = [
{
"path": "auxiliary/scanner/couchdb/couchdb_login",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port,
"BLANK_PASSWORDS": "true",
"USER_AS_PASS": "******",
"USERNAME": self.username,
"PASS_FILE": self.plist
}
},
]
else:
msfmodules_brute = [
{
"path": "auxiliary/scanner/couchdb/couchdb_login",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port,
"BLANK_PASSWORDS": "true",
"USER_AS_PASS": "******",
"USER_FILE": self.username,
"PASS_FILE": self.plist
}
},
]
self.cmds = [{
"name": self.proto + "_brute_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules_brute),
"shell": True,
"chain": False
}]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name": self.proto + "_version_" + self.port,
"cmd": 'nc -w 20 -q 1 -vn ' + self.host + ' ' + self.port +
' </dev/null',
"shell": True,
"chain": False
},
{
"name":
self.proto + "_nmap_" + self.port,
"cmd":
'nmap -n -sV --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 -p '
+ self.port + ' ' + self.host,
"shell":
True,
"chain":
False
},
]
msfmodules = [
{
"path": "auxiliary/scanner/mysql/mysql_version",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
{
"path": "auxiliary/scanner/mysql/mysql_authbypass_hashdump",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
]
self.cmds.append({
"name": self.proto + "_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules),
"shell": True,
"chain": False
})
if self.intensity >= "2":
self.extra_info = "If you set the username and password, more authenticated metasploit modules will be executed."
if username != "" and password != "":
msfmodules_auth = [
{
"path": "auxiliary/admin/mysql/mysql_enum",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port,
"USERNAME": self.username,
"PASSWORD": self.password
}
},
{
"path": "auxiliary/scanner/mysql/mysql_hashdump",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port,
"USERNAME": self.username,
"PASSWORD": self.password
}
},
{
"path": "auxiliary/scanner/mysql/mysql_schemadump",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port,
"USERNAME": self.username,
"PASSWORD": self.password
}
},
]
self.cmds.append({
"name": self.proto + "_msf_auth_" + self.port,
"cmd": self.create_msf_cmd(msfmodules_auth),
"shell": True,
"chain": False
})
if self.intensity == "3":
self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
if username != "":
self.cmds = [{
"name":
self.proto + "_brute_hydra_" + self.port,
"cmd":
'hydra -f -e ns -l ' + self.username + ' -P ' +
self.plist + ' -s ' + self.port + ' ' + self.host +
' mysql',
"shell":
True,
"chain":
False
}]
else:
self.cmds = [{
"name":
self.proto + "_brute_hydra_" + self.port,
"cmd":
'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist +
' -s ' + self.port + ' ' + self.host + ' mysql',
"shell":
True,
"chain":
False
}]
def __init__(self, host, port, workdir, protocol, intensity, username,
ulist, password, plist, notuse, extensions, path, reexec,
ipv6, domain, interactive, verbose, executed, exec):
Warrior.__init__(self, host, port, workdir, protocol, intensity,
username, ulist, password, plist, notuse, extensions,
path, reexec, ipv6, domain, interactive, verbose,
executed, exec)
self.cmds = [
{
"name":
"telnet_nmap_" + self.port,
"cmd":
'nmap -n -sV --script "telnet* and safe" -p ' + self.port +
' ' + self.host,
"shell":
True,
"chain":
False
},
{
"name": "telnet_version_" + self.port,
"cmd": 'nc -w 10 -q 1 -vn ' + self.host + ' ' + self.port +
' </dev/null',
"shell": True,
"chain": False
},
]
msfmodules = [
{
"path": "auxiliary/scanner/telnet/telnet_version",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
]
self.cmds.append({
"name": "telnet_msf_" + self.port,
"cmd": self.create_msf_cmd(msfmodules),
"shell": True,
"chain": False
})
if self.intensity >= "2":
msfmodules_vulns = [
{
"path": "auxiliary/scanner/telnet/brocade_enable_login",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
{
"path": "auxiliary/scanner/telnet/telnet_encrypt_overflow",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
{
"path": "auxiliary/scanner/telnet/telnet_ruggedcom",
"toset": {
"RHOSTS": self.host,
"RPORT": self.port
}
},
]
self.cmds.append({
"name": "telnet_msf_vuln_" + self.port,
"cmd": self.create_msf_cmd(msfmodules_vulns),
"shell": True,
"chain": False
})
if self.intensity == "3":
if username != "":
self.cmds = [{
"name":
"telnet_brute_hydra_" + self.port,
"cmd":
'hydra -f -e ns -l ' + self.username + ' -P ' +
self.plist + ' -s ' + self.port + ' ' + self.host +
' telnet',
"shell":
True,
"chain":
False
}]
else:
self.cmds = [{
"name":
"telnet_brute_hydra_" + self.port,
"cmd":
'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist +
' -s ' + self.port + ' ' + self.host + ' telnet',
"shell":
True,
"chain":
False
}]