def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if not c.get_cfg_allow_bf():
return
if port != 21 or 'ftp' not in module:
return
usernames = c.get_cfg_usernames() + known_users
passwords = c.get_cfg_passwords() + known_weak
for username in usernames:
for password in passwords:
if self.ftp_attack(ip, username, password):
self.rule_details = 'FTP Server Credentials are set to: {}:{}'.format(username, password)
rds.store_vuln({
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
# When MongoDB authentication is enabled name=mongodb, when authentication is not enabled name=mongodb
if port != 27017 or 'mongodb' not in module:
return
usernames = c.get_cfg_usernames() + known_users
passwords = c.get_cfg_passwords() + known_weak
# Check if MongoDB is configured with or without authentication
if self.mongodb_attack(ip, port, None, None):
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm':
'Remote server with no authentication on MongoDB',
'rule_details': 'MongoDB is configured with no authentication',
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
if not c.get_cfg_allow_bf():
return
for username in usernames:
for password in passwords:
if self.mongodb_attack(ip, port, username, password):
self.rule_details = 'MongoDB Credentials are set to: {}:{}'.format(
username, password)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
return
def check_rule(self, ip, port, values, conf):
t = Triage()
c = ConfParser(conf)
p = ScanParser(port, values)
module = p.get_module()
domain = p.get_domain()
if not c.get_cfg_allow_bf():
return
if 'http' not in module:
return
usernames = c.get_cfg_usernames() + known_users
passwords = c.get_cfg_passwords() + known_weak
for uri in self.rule_doc_roots:
resp = t.http_request(ip, port, uri=uri)
if resp is not None and resp.status_code == 401:
if 'WWW-Authenticate' in resp.headers and resp.headers[
'WWW-Authenticate'].startswith('Basic'):
for username in usernames:
for password in passwords:
auth_attempt = requests.get(resp.url,
auth=HTTPBasicAuth(
username,
password))
if auth_attempt is not None and auth_attempt.status_code == 200:
self.rule_details = 'Basic Authentication Credentials are set to {}:{} at {}'.format(
username, password, uri)
rds.store_vuln({
'ip':
ip,
'port':
port,
'domain':
domain,
'rule_id':
self.rule,
'rule_sev':
self.rule_severity,
'rule_desc':
self.rule_description,
'rule_confirm':
self.rule_confirm,
'rule_details':
self.rule_details,
'rule_mitigation':
self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if not c.get_cfg_allow_bf():
return
if port in ssh_ports or 'ssh' in module:
usernames = c.get_cfg_usernames() + known_users
passwords = c.get_cfg_passwords() + known_weak
output = t.run_cmd(
'ssh -o PreferredAuthentications=none -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o NoHostAuthenticationForLocalhost=yes user@"{}" -p "{}"'
.format(ip, port))
if output and 'password' in str(output):
for username in usernames:
for password in passwords:
if self.ssh_attack(ip, port, username, password):
self.rule_details = 'SSH Server Credentials are set to {}:{}'.format(
username, password)
rds.store_vuln({
'ip':
ip,
'port':
port,
'domain':
domain,
'rule_id':
self.rule,
'rule_sev':
self.rule_severity,
'rule_desc':
self.rule_description,
'rule_confirm':
self.rule_confirm,
'rule_details':
self.rule_details,
'rule_mitigation':
self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if not c.get_cfg_allow_bf():
return
if port != 6379 or module != 'redis':
return
passwords = c.get_cfg_passwords() + known_weak
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.sendall(b'INFO\n')
data = s.recv(1024)
if 'Authentication required' in data.decode('utf-8'):
for password in passwords:
if self.redis_attack(ip, port, password):
self.rule_details = 'Redis Credentials are set to: {}'.format(
password)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
except:
return
return
