def Enum(self): """This is a helper function that will run all the Enumeration Commands Based off of nmaps proxychain original output scan if new ports are discovered.""" npp = nmapParser.NmapParserFunk(self.target) npp.openProxyPorts() np = nmapParser.NmapParserFunk(self.target) np.openPorts() open_proxy_ports = np.proxy_ports if len(open_proxy_ports) == 0: pass else: c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) pweb = enumWeb.EnumWeb(self.target) pweb.proxyScan() http_proxy_commands = pweb.proxy_processes psslweb = enumWebSSL.EnumWebSSL(self.target) psslweb.sslProxyScan() ssl_proxy_commands = psslweb.proxy_processes all_commands = [] proxy_tcp_ports = npp.proxy_tcp_ports tcp_proxy_ports = ",".join(map(str, proxy_tcp_ports)) default_command = c.getCmd("proxy", "proxychainsDiscoveredPorts", openTcpProxyPorts=tcp_proxy_ports) all_commands.append(default_command) for cmd in http_proxy_commands: all_commands.append(cmd) for cmd in ssl_proxy_commands: all_commands.append(cmd) sorted_commands = sorted(set(all_commands), reverse=True) commands_to_run = [] for i in sorted_commands: commands_to_run.append(i) allCmds = tuple(commands_to_run) self.all_processes = allCmds
def SshSingleUserBrute(self): """Run patator with seclists probable top 1575 wordlist against a single user specified as a command line argument.""" cmd_info = "[" + fg.green + "+" + fg.rs + "]" c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) cl = helper_lists.Cewl(self.target) if not os.path.exists(c.getPath("wordlists", "CewlPlus")): cl.CewlWordlist() green = fg.li_green teal = fg.li_cyan reset = fg.rs np = nmapParser.NmapParserFunk(self.target) np.openPorts() if os.path.exists(c.getPath("wordlists", "CewlPlus")): if os.path.getsize(c.getPath("wordlists", "CewlPlus")) > 0: print( f"""{teal}Beginning Password Brute Force for User: {reset} {green}{self.user}{reset}""" ) patator_cmd = c.getCmd("ssh", "patator_ssh_cewl_auto", port=self.port, user=self.user) print(f"""{cmd_info} {patator_cmd}""") call(patator_cmd, shell=True) else: print( f"""{teal}Beginning Password Brute Force for User: {reset} {green}{self.user}{reset}""" ) patator_cmd = c.getCmd("ssh", "patator_ssh_auto", port=self.port, user=self.user) print(f"""{cmd_info} {patator_cmd}""") call(patator_cmd, shell=True)
def Scan(self): """This Scan() Funciton will run the following tools, SMBCLIENT, NMBLOOKUP, NBTSCAN, SMBSCAN, AND ENUM4LINUX""" np = nmapParser.NmapParserFunk(self.target) np.openPorts() smb_ports = np.smb_ports if len(smb_ports) == 0: pass else: c = config_parser.CommandParser( f"{os.getcwd()}/config/config.yaml", self.target) if not os.path.exists(c.getPath("smb", "smbDir")): os.makedirs(c.getPath("smb", "smbDir")) print( fg.cyan + "Enumerating NetBios SMB Samba Ports, Running the following commands:" + fg.rs) commands = [] commands.append(c.getCmd("smb", "smbclient")) commands.append(c.getCmd("smb", "nmblookup")) commands.append(c.getCmd("smb", "nmapSmb")) commands.append(c.getCmd("smb", "nbtscan")) commands.append(c.getCmd("smb", "smbmapH")) commands.append(c.getCmd("smb", "smbmapHR")) commands.append(c.getCmd("smb", "smbmapNull")) commands.append(c.getCmd("smb", "smbmapNullR")) commands.append(c.getCmd("smb", "enum4linux")) self.processes = tuple(commands)
def openUdpPorts(self): """The openUdpPorts function will parse all found ports from the UDP nmap xml file fed to the report variable. All ports will be appended to the lists in __init__ and will then be accessible from the NmapParserFunk Class.""" c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) report = NmapParser.parse_fromfile( c.getPath("nmap", "nmap_top_udp_ports_xml")) self.udp_nmap_services += report.hosts[0].services self.udp_nmap_services = sorted(self.udp_nmap_services, key=lambda s: s.port) for service in self.udp_nmap_services: if "open" not in service.state: continue if "open|filtered" in service.state: continue self.udp_services.append(( service.port, service.service, service.tunnel, service.cpelist, service.banner, )) for service in self.udp_services: if service[0] not in self.udp_ports: self.udp_ports.append(service[0]) if "snmp" in service[1]: if service[0] not in self.snmp_ports: self.snmp_ports.append(service[0]) if "sip" in service[1]: if service[0] not in self.sip_udp_ports: self.sip_udp_ports.append(service[0])
def genDirsearchUrlList(self): c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) awkprint = "{print $3}" dirsearch_files = [] dir_list = [ d for d in glob.iglob(c.getPath("report", "reportGlob"), recursive=True) if os.path.isdir(d) ] for d in dir_list: reportFile_list = [ fname for fname in glob.iglob(f"{d}/*", recursive=True) if os.path.isfile(fname) ] for rf in reportFile_list: if "nmap" not in rf: if "dirsearch" in rf: if not os.path.exists(c.getPath("web", "aquatoneDir")): os.makedirs(c.getPath("web", "aquatoneDir")) dirsearch_files.append(rf) if "nikto" in rf: check_nikto_lines = f"""wc -l {rf} | cut -d ' ' -f 1""" num_lines_nikto = check_output(check_nikto_lines, stderr=STDOUT, shell=True).rstrip() if int(num_lines_nikto) < 100: call(f"cat {rf}", shell=True) if len(dirsearch_files) != 0: all_dirsearch_files_on_one_line = " ".join(map(str, dirsearch_files)) url_list_cmd = f"""cat {all_dirsearch_files_on_one_line} | grep -Ev '400|403' | awk '{awkprint}' | sort -u > {c.getPath("web", "aquatoneDirUrls")}""" call(url_list_cmd, shell=True)
def genProxyDirsearchUrlList(self): """This Class, genProxyDirsearchUrlList is reponsible for sorting all the found URL's from Dirsearches report output and then it will combined them in to one unique list that will be fed to Aquatone to generate a nice HTML report that will Be opened up in the firefox web browser.""" c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) if os.path.exists(c.getPath("proxy", "proxyDir")): awkprint = "{print $3}" dirsearch_files = [] dir_list = [ d for d in glob.iglob(c.getPath("proxy", "proxyGlob"), recursive=True) if os.path.isdir(d) ] for d in dir_list: reportFile_list = [ fname for fname in glob.iglob(f"{d}/*", recursive=True) if os.path.isfile(fname) ] for rf in reportFile_list: if "nmap" not in rf: if "dirsearch" in rf: if not os.path.exists(c.getPath("web", "aquatoneDir")): os.makedirs(c.getPath("web", "aquatoneDir")) dirsearch_files.append(rf) if len(dirsearch_files) != 0: all_dirsearch_files_on_one_line = " ".join(map(str, dirsearch_files)) url_list_cmd = f"""cat {all_dirsearch_files_on_one_line} | grep -Ev '400|403' | awk '{awkprint}' | sort -u > {c.getPath("proxy", "aquatoneDirProxyUrls")}""" call(url_list_cmd, shell=True)
def fuzzMaster(self): """fuzzMaster will run parameth to fuzz for valid .php parameters. Will add more extensions soon.""" c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) hl = helper_lists.ignoreURLS() ignore_urls = hl.ignore_urls php_urls = [] fuzz_cmds = [] # url_paths = [] cookie_dict = {} if os.path.exists(c.getPath("web", "aquatoneDirUrls")): if not os.path.exists(c.getPath("web", "webDir")): os.makedirs(c.getPath("web", "webDir")) check_lines = f"""wc -l {c.getPath("web","aquatoneDirUrls")} | cut -d ' ' -f 1""" num_urls = check_output(check_lines, stderr=STDOUT, shell=True).rstrip() if int(num_urls) < 150 and (int(num_urls) != 0): try: with open(c.getPath("web", "aquatoneDirUrls"), "r") as found_urls: for line in found_urls: url = line.rstrip() if ( url.endswith(".php") and (url not in ignore_urls) ): php_urls.append(url) # url_paths.append(urlsplit(url).path) except FileNotFoundError as fnf_error: print(fnf_error) exit() if len(php_urls) != 0 and (len(php_urls) < 20): sorted_urls = [u for u in sorted(set(str(x).lower() for x in php_urls))] for url in sorted_urls: with self.no_ssl_verification(): try: session = requests.Session() res = session.get(url) cookie_dict.update(session.cookies.get_dict()) output_name = urlsplit(url).path upath = str(output_name).replace("/", "-") if not cookie_dict: fuzz_cmds.append(c.getCmd("web", "parameth", url=url, upath=upath)) else: cookie_string = " ".join("{}={}".format(*i) for i in cookie_dict.items()) fuzz_cmds.append(c.getCmd("web", "paramethCookie", url=url, cookies=cookie_string, upath=upath)) except requests.exceptions.ConnectionError as ce_error: print("Connection Error: ", ce_error) break except requests.exceptions.Timeout as t_error: print("Connection Timeout Error: ", t_error) break except requests.exceptions.RequestException as req_err: print("Some Ambiguous Exception:", req_err) break if len(fuzz_cmds) != 0: print(f"{fg.li_cyan}Fuzzing .php Params ! {fg.rs}") for i in fuzz_cmds: print(f"[{fg.li_green}+{fg.rs}] {i}") self.loginator(i) call(i, shell=True)
def loginator(self, executed_command): c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) logging.basicConfig(filename=c.getPath("report", "log"), format='%(asctime)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p', level=logging.INFO) logging.info(f"[+] {executed_command}")
def getRedirect(self): """Extra Function for enumWeb HTTP hosts so as not to run Scan() twice.""" np = nmapParser.NmapParserFunk(self.target) np.openPorts() dnsPort = np.dns_ports c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) ig = helper_lists.ignoreDomains() ignore = ig.ignore try: with open(c.getPath("nmap", "nmap_top_ports_nmap"), "r") as nm: for line in nm: new = (line.replace("=", " ").replace("/", " ").replace( "commonName=", "").replace("/organizationName=", " ").replace(",", " ").replace("_", " ")) matches = re.findall( r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{3,6}", new) for x in matches: if not any(s in x for s in ignore): self.redirect_hostname.append(x) if "|_http-title: Did not follow redirect to http:" in line: print(line) split_line2 = line.split() last_word2 = split_line2[-1] redirect_domainName = (last_word2.replace( "http://", "").replace("/", "").replace("'", "")) self.redirect_hostname.append(redirect_domainName) except FileNotFoundError as fnf_error: print(fnf_error) if len(dnsPort) != 0: if not os.path.exists(c.getPath("dns", "dnsDir")): os.makedirs(c.getPath("dns", "dnsDir")) dig_cmd = c.getCmd("dns", "dnsDig") dp = dig_parser.digParse(self.target, dig_cmd) dp.parseDig() dig_hosts = dp.hosts sub_hosts = dp.subdomains if len(dig_hosts) != 0: for x in dig_hosts: self.redirect_hostname.append(x) if len(sub_hosts) != 0: for x in sub_hosts: self.redirect_hostname.append(x) if len(self.redirect_hostname) != 0: alldns = " ".join(map(str, self.redirect_hostname)) zonexferDns = [] dig_command = c.getCmd("dns", "dnsDigAxfr", alldns=alldns) dp2 = dig_parser.digParse(self.target, dig_command) dp2.parseDigAxfr() subdomains = dp2.subdomains for x in subdomains: zonexferDns.append(x) sortedAllDomains = sorted(set(zonexferDns)) for x in sortedAllDomains: self.redirect_hostname.append(x)
def proxyScan(self): """This is the Web Proxy scan function that is called by lib/enumProxy.py. This function will attempt to run, dirsearch, whatweb, and nikto""" np = nmapParser.NmapParserFunk(self.target) np.openPorts() npp = nmapParser.NmapParserFunk(self.target) npp.openProxyPorts() proxy_http_ports = npp.proxy_http_ports proxy_ports = np.proxy_ports if len(proxy_http_ports) == 0: pass else: c = config_parser.CommandParser( f"{os.getcwd()}/config/config.yaml", self.target) if not os.path.exists(c.getPath("proxy", "proxyDir")): os.makedirs(c.getPath("proxy", "proxyDir")) if not os.path.exists(c.getPath("proxy", "proxyWeb")): os.makedirs(c.getPath("proxy", "proxyWeb")) proxy_commands = [] for proxy in proxy_ports: print( f"""{fg.li_cyan} Enumerating HTTP Ports Through Port: {proxy}, Running the following commands: {fg.rs}""" ) if not os.path.exists( c.getPath("proxy", "eyewitnessDirPT", proxy=proxy)): os.makedirs( c.getPath("proxy", "eyewitnessDirPT", proxy=proxy)) proxy_commands.append( c.getCmd("proxy", "eyewitnessProxyServer", proxy=proxy)) proxy_commands.append( c.getCmd("proxy", "whatwebProxyServer", proxy=proxy)) if len(proxy_http_ports) != 0: for proxy_http_port in proxy_http_ports: proxy_commands.append( c.getCmd("proxy", "whatwebProxyHttpPorts", proxy=proxy, httpProxy=proxy_http_port)) proxy_commands.append( c.getCmd("proxy", "dirsearchHttpProxyPortsDict", proxy=proxy, httpProxy=proxy_http_port)) proxy_commands.append( c.getCmd("proxy", "dirsearchHttpProxyPortsBig", proxy=proxy, httpProxy=proxy_http_port)) proxy_commands.append( c.getCmd("proxy", "niktoProxyHttpPort", proxy=proxy, httpProxy=proxy_http_port)) self.proxy_processes = tuple(proxy_commands)
def listFilesProxy(self): """ This function will list all files in report output folder and remove ansi color codes from the file using sed. It will also display niktos output if the latter was ran. """ def removeColor(self, filename): sedCMD = rf'sed "s,\x1B\[[0-9;]*[a-zA-Z],,g" -i {filename}' return call(sedCMD, shell=True) c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) if os.path.exists(c.getPath("proxy", "proxyDir")): dir_list = [ d for d in glob.iglob(c.getPath("proxy", "proxyGlob"), recursive=True) if os.path.isdir(d) ] for d in dir_list: reportFile_list = [ fname for fname in glob.iglob(f"{d}/*", recursive=True) if os.path.isfile(fname) ] for rf in reportFile_list: if "nmap" not in rf: if "aquatone" not in rf: if "eyewitness" not in rf: if "wafw00f" in rf: removeColor(self, rf) if "whatweb" in rf: removeColor(self, rf) if "wpscan" in rf: removeColor(self, rf) if "sslscan" in rf: removeColor(self, rf) if "dnsenum" in rf: removeColor(self, rf) if "drupal" in rf: removeColor(self, rf) if "joomlavs" in rf: removeColor(self, rf) if "oracle" in rf: removeColor(self, rf) if "oracle" in rf: removeColor(self, rf) if "nikto" in rf: check_nikto_lines = ( f"""wc -l {rf} | cut -d ' ' -f 1""") num_lines_nikto = check_output( check_nikto_lines, stderr=STDOUT, shell=True).rstrip() if int(num_lines_nikto) < 80: call(f"cat {rf}", shell=True) if "vulns" in rf: if fnmatch(rf, "*.log"): removeColor(self, rf)
def Scan(self): """If there is an open http-proxy port from nmaps results. Try to add the server IP to your proxychains config file and then proceed to scan the target again through the proxy port using proxychains and nmap. If more ports are discovered open, proceed to enumerate all found open ports through the http-proxy port.""" np = nmapParser.NmapParserFunk(self.target) np.openPorts() proxyPorts = np.proxy_ports hpl = helper_lists.topPortsToScan() topTCP = hpl.topTCP topTcpPortsString = ",".join(map(str, topTCP)) cmd_info = "[" + fg.li_green + "+" + fg.rs + "]" if len(proxyPorts) == 0: pass else: c = config_parser.CommandParser( f"{os.getcwd()}/config/config.yaml", self.target) duplicate_cmds = [] add_line_cmd = rf"""sed -e "\$ahttp {self.target} {proxyPorts[0]}" -i /etc/proxychains.conf""" comment_out_line_cmd = ( f"""sed -e '/socks5/ s/^#*/#/' -i /etc/proxychains.conf""") proxy_config_file = "/etc/proxychains.conf" try: pcCF = open(proxy_config_file, "r") for line in pcCF: parsed_lines = line.rstrip() if not parsed_lines.startswith("#"): tor_match = re.findall("socks5", parsed_lines) sorted_tor_matches = sorted(set(tor_match), reverse=True) if "socks5" in sorted_tor_matches: duplicate_cmds.append(comment_out_line_cmd) if (parsed_lines.startswith("#") or not parsed_lines.startswith('#')): matches = re.findall(f"http {self.target}", parsed_lines) sorted_matches = sorted(set(matches), reverse=True) if f"http {self.target}" not in sorted_matches: duplicate_cmds.append(add_line_cmd) pcCF.close() sorted_cmds = sorted(set(duplicate_cmds)) if len(sorted_cmds) != 0: for cmd in sorted_cmds: call(cmd, shell=True) except FileNotFoundError as fnf_error: print(fnf_error) exit() if not os.path.exists(c.getPath("proxy", "proxyDir")): os.makedirs(c.getPath("proxy", "proxyDir")) proxychains_nmap_top_ports_cmd = c.getCmd( "proxy", "proxychainsNmapTopPorts", topTcpPorts=topTcpPortsString) print(cmd_info, proxychains_nmap_top_ports_cmd) call(proxychains_nmap_top_ports_cmd, shell=True)
def OraclePwn(self): """OraclePwn will run a helper lib/oracle.sh bash script which will attempt to bruteforce Oracle if any valid SID's are found from the Scan() Functions results.""" np = nmapParser.NmapParserFunk(self.target) np.openPorts() oracle_tns_ports = np.oracle_tns_ports if len(oracle_tns_ports) == 0: pass else: c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) oracle_pwn = f"""bash {c.getPath("oracle","oracleBrute")} {self.target}""" call(oracle_pwn, shell=True)
def openUdpPorts(self): """The openUdpPorts function will parse all found ports from the UDP nmap xml file fed to the report variable. All ports will be appended to the lists in __init__ and will then be accessible from the NmapParserFunk Class.""" def parsefile(xmlfile): parser = make_parser() parser.setContentHandler(ContentHandler()) parser.parse(xmlfile) c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) if os.path.exists(c.getPath("nmap", "nmap_top_udp_ports_xml")): try: parsefile(c.getPath("nmap", "nmap_top_udp_ports_xml")) report = NmapParser.parse_fromfile( c.getPath("nmap", "nmap_top_udp_ports_xml")) self.udp_nmap_services += report.hosts[0].services self.udp_nmap_services = sorted(self.udp_nmap_services, key=lambda s: s.port) for service in self.udp_nmap_services: if "open" not in service.state: continue if "open|filtered" in service.state: continue self.udp_services.append(( service.port, service.service, service.tunnel, service.cpelist, service.banner, )) for service in self.udp_services: if service[0] not in self.udp_ports: self.udp_ports.append(service[0]) if "snmp" in service[1]: if service[0] not in self.snmp_ports: self.snmp_ports.append(service[0]) if "sip" in service[1]: if service[0] not in self.sip_udp_ports: self.sip_udp_ports.append(service[0]) if "isakmp?" in service[1] or ("isakmp" in service[1]): if service[0] not in self.ike_ports: self.ike_ports.append(service[0]) # print("SNMP PORTS", self.snmp_ports) # print("UDP SERVICES", self.udp_services) # print("UDP OPEN PORTS", self.udp_ports) except Exception as e: print( f"""{c.getPath("nmap", "nmap_top_udp_ports_xml")} Cannot Parse UDP nmap xml file. {e}""" ) return
def SshMultipleUsersBruteCustom(self): """Run patator with custome wordlist against a single user specified as a command line argument.""" cmd_info = "[" + fg.green + "+" + fg.rs + "]" green = fg.li_green teal = fg.li_cyan reset = fg.rs c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) np = nmapParser.NmapParserFunk(self.target) np.openPorts() print(f"""{teal}Beginning Password Brute Force for User: {reset} {green}{self.users}{reset}""") patator_cmd = c.getCmd("ssh", "patator_ssh_multiple_users_custom", port=self.port, users=self.users, wordlist=self.passList) print(f"""{cmd_info} {patator_cmd}""") call(patator_cmd, shell=True)
def topUdpAllTcp(self): """topUdpAllTcp will run a full nmap tcp port scan and a top udp ports scan""" c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) np = nmapParser.NmapParserFunk(self.target) np.openPorts() hpl = helper_lists.topPortsToScan() topUDP = hpl.topUDP topUdpPortsString = ",".join(map(str, topUDP)) commands = [] commands.append(c.getCmd("nmap", "nmapFullTcpScan")) commands.append( c.getCmd("nmap", "nmapTopUdpScan", topUdpPorts=topUdpPortsString)) self.processes = tuple(commands)
def sslProxyScan(self): """This function is called by lib/enumProxy.py and will enumerate HTTPS/SSL Web Servers. It will run, whatweb, dirsearch, and nikto.""" npp = nmapParser.NmapParserFunk(self.target) npp.openProxyPorts() np = nmapParser.NmapParserFunk(self.target) np.openPorts() proxy_ssl_ports = npp.proxy_ssl_ports proxy_ports = np.proxy_ports if len(proxy_ssl_ports) == 0: pass else: c = config_parser.CommandParser( f"{os.getcwd()}/config/config.yaml", self.target) if not os.path.exists(c.getPath("proxy", "proxyDir")): os.makedirs(c.getPath("proxy", "proxyDir")) if not os.path.exists(c.getPath("proxy", "proxyWebSSL")): os.makedirs(c.getPath("proxy", "proxyWebSSL")) proxy_commands = [] for proxy in proxy_ports: print( f"""{fg.li_cyan} Enumerating HTTPS Ports Through {proxy}, Running the following commands: {fg.rs}""" ) for proxy_ssl_port in proxy_ssl_ports: proxy_commands.append( c.getCmd("proxySSL", "whatwebSSLProxy", proxy=proxy, proxySSLPort=proxy_ssl_port)) proxy_commands.append( c.getCmd("proxySSL", "dirsearchProxySSLDict", proxySslPort=proxy_ports, proxy=proxy_ssl_port)) proxy_commands.append( c.getCmd("proxySSL", "dirsearchProxySSLBig", proxySSLPort=proxy_ports, proxy=proxy_ssl_port)) proxy_commands.append( c.getCmd("proxySSL", "niktoProxySSL", proxySSLPort=proxy, proxy=proxy_ssl_port)) self.proxy_processes = tuple(proxy_commands)
def getLinks(self): """This feature isn't full implemented yet and is just here to keep the other functions company ;)""" url = f"""http://{self.target}""" c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) page = requests.get(url) data = page.text soup = BeautifulSoup(data) links = [] for link in soup.find_all("a"): links.append(link.get("href")) if len(links) != 0: try: with open(c.getPath("web", "weblinks"), "w") as l: for link in links: l.write(link) except FileNotFoundError as fnf_error: print(fnf_error)
def listfiles(self): """ This function will list all files in report output folder and remove ansi color codes from the file using sed. """ def removeColor(self, filename): sedCMD = rf'sed "s,\x1B\[[0-9;]*[a-zA-Z],,g" -i {filename}' return call(sedCMD, shell=True) c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) dir_list = [ d for d in glob.iglob(c.getPath("report", "reportGlob"), recursive=True) if os.path.isdir(d) ] for d in dir_list: reportFile_list = [ fname for fname in glob.iglob(f"{d}/*", recursive=True) if os.path.isfile(fname) ] for rf in reportFile_list: if "nmap" not in rf: if "aquatone" not in rf: if "eyewitness" not in rf: if "wafw00f" in rf: removeColor(self, rf) if "whatweb" in rf: removeColor(self, rf) if "sslscan" in rf: removeColor(self, rf) if "dnsenum" in rf: removeColor(self, rf) if "drupal" in rf: removeColor(self, rf) if "joomlavs" in rf: removeColor(self, rf) if "oracle" in rf: removeColor(self, rf) if "wpscan" in rf: removeColor(self, rf) if "vulns" in rf: if fnmatch(rf, "*.log"): removeColor(self, rf)
def ftpDownloadAll(self, port): try: c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) if not os.path.exists(c.getPath("ftp", "ftpDir")): os.makedirs(c.getPath("ftp", "ftpDir")) if not os.path.exists(c.getPath("ftp", "anonDownloadPath")): os.makedirs(c.getPath("ftp", "anonDownloadPath")) cwd = os.getcwd() os.chdir(c.getPath("ftp", "anonDownloadPath")) wget_cmd = f"""wget -m --no-passive -c --read-timeout=5 --tries=5 ftp://anonymous:anonymous@{self.target}:{port}""" print(f"{fg.li_magenta}Downloading All Files from FTP Server on Port: {fg.rs}{port}") print(f"[{fg.li_green}+{fg.rs}] {wget_cmd}") print(f"{fg.li_yellow}") call(wget_cmd, shell=True) print(f"{fg.rs}") os.chdir(cwd) except IOError as e: print(e) return
def vulnCheck(self): """Vuln Check will check if OpenSSH is vulnerable to Username Enumeration. If it is, A message will be printed to the User. This feature can be enabled to automatically always brute force SSH if the instance is a vulnerable version, however, I've changed this feature to not run automatically as that option should be left up to the user, among various other reasons.""" cmd_info = "[" + fg.green + "+" + fg.rs + "]" manual_cmd_info = "[" + fg.li_yellow + "+" + fg.rs + "]" blue = fg.li_blue red = fg.red green = fg.li_green reset = fg.rs np = nmapParser.NmapParserFunk(self.target) np.openPorts() ssh_product = np.ssh_product ssh_version = np.ssh_version c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) # Check what version OPENSSH is # If OpenSSH version is less than 7.7, Enumerate Users # If valid Unique User is found, Brute Force Passwords if len(ssh_product) == 1: string_ssh_version = " ".join(map(str, ssh_version)) lowercase_ssh_version = str(string_ssh_version).lower() first_two_nums = lowercase_ssh_version[0:3] int_first_two_nums = float(first_two_nums) if ssh_product[0] == "OpenSSH": if int_first_two_nums < float(7.7): ssh_port = np.ssh_ports print( f"""{cmd_info} {blue}{ssh_product[0]} {ssh_version[0]}{reset} is {red}VULNERABLE to Username Enumeration{reset}""" ) print(f"""{green}Consider running:{reset}""") print( f"""{manual_cmd_info} {c.getCmd("ssh", "ssh_user_enum", port=ssh_port[0])}""" ) # sb = brute.Brute(self.target, "ssh", ssh_port) # sb.SshUsersBrute() else: print( f"""{cmd_info} {blue}{ssh_product[0]} {ssh_version[0]}{reset} is {red}NOT{reset} Vulnerable to Username Enumeration""" )
def Scan(self): """If Ldap ports are open, run nmap ldap scripts, enum4linux and the results will be fed to the ldap.sh bash script.""" np = nmapParser.NmapParserFunk(self.target) np.openPorts() ldap_ports = np.ldap_ports if len(ldap_ports) == 0: pass else: c = config_parser.CommandParser( f"{os.getcwd()}/config/config.yaml", self.target) if not os.path.exists(c.getPath("ldap", "ldapDir")): os.makedirs(c.getPath("ldap", "ldapDir")) print( fg.cyan + "Enumerating LDAP: Lightweight Directory Access Protocol, Running the following commands:" + fg.rs) string_ldap_ports = ",".join(map(str, ldap_ports)) commands = [] commands.append( c.getCmd("ldap", "nmapLdap", ldapPorts=string_ldap_ports)) commands.append(c.getCmd("ldap", "enum4linuxLdap")) self.processes = tuple(commands)
def Scan(self): """The Scan() function will run the initial nmap Top Tcp ports scan with enumerate versions and nmap's default safe scripts via the -sC and -sV flags. -Pn will ignore ping scan and the script-timeout is set to 5 minutes as sometimes https scripts can get stuck and output 100's of lines of unnecessary output which will slow the scan time down. 5 minutes is a good timeout setting.""" rc = run_commands.RunCommands(self.target) c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) if not os.path.exists(c.getPath("report", "reportDir")): os.makedirs(c.getPath("report", "reportDir")) if not os.path.exists(c.getPath("report", "nmapDir")): os.makedirs(c.getPath("report", "nmapDir")) print(fg.cyan + "Running Nmap Top Open Ports" + fg.rs) hpl = helper_lists.topPortsToScan() topTCP = hpl.topTCP topTcpPortsString = ",".join(map(str, topTCP)) nmap_command = c.getCmd("nmap", "nmapTopTcpPorts", topTcpPorts=topTcpPortsString) cmd_info = "[" + fg.li_green + "+" + fg.rs + "]" print(f"""{cmd_info} {fg.li_green}{nmap_command}{fg.rs}""") rc.loginator(nmap_command) call(nmap_command, shell=True)
def Scan(self): """This Scan() Function will run various oracle scanning tools and attempt to find valid SID's along with other useful information. The following tools will be used, Nmap, tnscmd10g, osscanner, and ODAT.""" np = nmapParser.NmapParserFunk(self.target) np.openPorts() oracle_tns_ports = np.oracle_tns_ports if len(oracle_tns_ports) == 0: pass else: c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) if not os.path.exists(c.getPath("oracle", "oracleDir")): os.makedirs(c.getPath("oracle", "oracleDir")) print(fg.cyan + "Enumerating ORACLE, Running the following commands:" + fg.rs) # string_oracle_ports = ",".join(map(str, oracle_tns_ports)) commands = [] commands.append(c.getCmd("oracle", "nmapOracle")) commands.append(c.getCmd("oracle", "tnscmd10g", mode="ping")) commands.append(c.getCmd("oracle", "tnscmd10g", mode="version")) commands.append(c.getCmd("oracle", "oscanner")) commands.append(c.getCmd("oracle", "odatTNS", mode="ping")) commands.append(c.getCmd("oracle", "odatTNS", mode="version")) commands.append(c.getCmd("oracle", "odatTNS", mode="status")) self.processes = tuple(commands)
def Scan(self): """Enumerate DNS server if any hostnames are found from lib/domainFinder.py and if port 53 is open.""" print(fg.cyan + "Checking For Virtual Host Routing and DNS" + fg.rs) np = nmapParser.NmapParserFunk(self.target) np.openPorts() dnsPorts = np.dns_ports dn = domainFinder.DomainFinder(self.target) dn.Scan() redirect_hostname = dn.redirect_hostname fqdn_hostname = dn.fqdn_hostname c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) commands = [] if len(redirect_hostname) != 0: for d in redirect_hostname: self.hostnames.append(d) if len(fqdn_hostname) != 0: for d in fqdn_hostname: self.hostnames.append(d) if len(self.hostnames) != 0 and (len(dnsPorts) != 0): if not os.path.exists(c.getPath("dns", "dnsDir")): os.makedirs(c.getPath("dns", "dnsDir")) if not os.path.exists(c.getPath("web", "aquatoneDir")): os.makedirs(c.getPath("web", "aquatoneDir")) # string_hosts = " ".join(map(str, self.hostnames)) basename = [] for host in self.hostnames: basename.append(".".join(host.split('.')[-2:])) unique_hosts = sorted(set(basename)) for host in unique_hosts: commands.append(c.getCmd("dns", "dnsenum", hosts=host)) # commands.append(c.getCmd("dns", "vhost", hosts=host)) self.processes = tuple(commands)
def CewlWordlist(self): np = nmapParser.NmapParserFunk(self.target) np.openPorts() http_ports = np.http_ports htports = [] if len(http_ports) == 1: htports.append(http_ports[0]) ssl_ports = np.ssl_ports slports = [] if len(ssl_ports) == 1: slports.append(ssl_ports[0]) c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) if os.path.exists(c.getPath("web", "aquatoneDirUrls")): if not os.path.exists(c.getPath("wordlists", "wordlistsDir")): os.makedirs(c.getPath("wordlists", "wordlistsDir")) url_list = [] urls_file = c.getPath("web", "aquatoneDirUrls") if os.path.exists(urls_file): try: with open(urls_file, "r") as uf: for line in uf: if "index.html" in line: url_list.append(line.rstrip()) if "index.php" in line: url_list.append(line.rstrip()) if len(htports) == 1: url_list.append(f"http://{self.target}:{htports[0]}/") if len(slports) == 1: url_list.append(f"https://{self.target}:{slports[0]}/") wordlist = sorted(set(url_list)) except FileNotFoundError as fnf_error: print(fnf_error) exit() cewl_cmds = [] if len(wordlist) != 0: counter = 0 for url in wordlist: counter += 1 cewl_cmds.append(f"""cewl {url} -m 3 -w {c.getPath("wordlists","CewlCounter", counter=counter)}""") if len(cewl_cmds) != 0: try: for cmd in cewl_cmds: call(cmd, shell=True) except ConnectionRefusedError as cre_error: print(cre_error) words = [] try: with open(c.getPath("wordlists", "CustomPass1575"), "r") as prob: for line in prob: words.append(line.rstrip()) for wl in os.listdir(c.getPath("wordlists", "wordlistsDir")): wlfile = f"""{c.getPath("wordlists","wordlistsDir")}/{wl}""" with open(wlfile, "r") as wlf: for line in wlf: words.append(line.rstrip()) set_unique_words = sorted(set(words)) unique_words = list(set_unique_words) with open(c.getPath("wordlists", "CewlPlus"), "a") as allwls: string_words = "\n".join(map(str, unique_words)) allwls.write(str(string_words)) except FileNotFoundError as fnf_error: print(fnf_error)
def proxyCMS(self): """If a Content Management System is discovered on the web from enumProxy's output, Then proceed to try and enumerate the CMS further. CMS Scanners to be scanned are limited to: Drupal, Wordpress, Joomla, Magento, Tomcat, and Apache WebDav""" np = nmapParser.NmapParserFunk(self.target) np.openPorts() npp = nmapParser.NmapParserFunk(self.target) npp.openProxyPorts() proxy_http_ports = npp.proxy_http_ports proxy_ports = np.proxy_ports teal = fg.li_cyan hasPrinted = False cms_commands = [] cms_counter = 0 reset = fg.rs if len(proxy_http_ports) == 0: pass if len(proxy_ports) == 0: pass else: c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) for proxy in proxy_ports: for proxy_http_port in proxy_http_ports: whatweb_files = [] wordpress_url = [] wp = helper_lists.Wordpress(self.target) wordpressDirs = wp.wordpress_dirs if os.path.exists(c.getPath("proxy", "aquatoneDirProxyUrls")): try: with open(c.getPath("proxy", "aquatoneDirProxyUrls"), "r") as purls: for url in purls: uline = url.rstrip() for word in wordpressDirs: if word in uline: wordpress_url.append(uline) except FileNotFoundError as fnf_error: print(fnf_error) exit() sorted_wp_links = sorted(set(wordpress_url)) count = 0 if len(sorted_wp_links) != 0: for wpdir in sorted_wp_links: count += 1 try: # whatweb_proxy_cmd = f"""whatweb -v -a 3 --proxy {self.target}:{proxy_ports[0]} {wpdir} > {c.getPath("reportDir")}/proxy/web/whatweb-proxy-{proxy_http_port}-{count}.txt""" whatweb_proxy_cmd = c.getCmd("proxy", "whatwebProxyWP", proxyPorts=proxy, wordpressDirs=wpdir, httpProxy=proxy_http_port, count=count) call(whatweb_proxy_cmd, shell=True) if count >= 2: break except CalledProcessError: pass # this will handle errors in the called executable. except OSError: pass dir_list = [ d for d in glob.iglob(c.getPath("proxy", "proxyGlob"), recursive=True) if os.path.isdir(d) ] for d in dir_list: reportFile_list = [ fname for fname in glob.iglob(f"{d}/*", recursive=True) if os.path.isfile(fname) ] for rf in reportFile_list: if "nmap" not in rf: if "whatweb" in rf: if str(proxy_http_port) in rf: whatweb_files.append(rf) if len(whatweb_files) != 0: for i in whatweb_files: cms_strings = [ "WordPress", "Magento", "tomcat", "WebDAV", "Drupal", "Joomla", ] with open(i, "r") as wwf: for word in wwf: fword = ( word.replace("[", " ") .replace("]", " ") .replace(",", " ") ) for cms in cms_strings: if cms in fword: if "WordPress" in cms and not hasPrinted: print(f"{teal}Found WordPress!{reset}") cms_counter += 1 if len(sorted_wp_links) != 0: for wpLink in sorted_wp_links: wpscan_cmd = c.getCmd("proxy", "wpscanProxy", sortedWpDirs=wpLink, httpProxy=proxy, httpProxyPort=proxy_http_port) cms_commands.append(wpscan_cmd) if cms_counter >= 1: hasPrinted = True break manual_brute_force_script = f""" #!/bin/bash if [[ -n $(grep -i "User(s) Identified" {c.getPath("proxy", "wpscanReport", proxyPort=proxy_http_port)}) ]]; then grep -w -A 100 "User(s)" {c.getPath("proxy", "wpscanReport", proxyPort=proxy_http_port)} | grep -w "[+]" | cut -d " " -f 2 | head -n -7 >{c.getPath("proxy", "wpUsers")} {c.getCmd("proxy", "proxychainsCewl", proxyPorts=proxy_http_port)} sleep 10 echo "Adding John Rules to Cewl Wordlist!" {c.getCmd("proxy", "john")} sleep 3 # brute force again with wpscan {c.getCmd("proxy", "wpscanCewlBrute", proxyPorts=proxy_http_port, httpProxy=proxy)} sleep 1 if grep -i "No Valid Passwords Found" wordpress-cewl-brute2.txt; then if [ -s {c.getPath("proxy", "johnCewl")} ]; then {c.getCmd("proxy", "wpscanJohnCewlBrute", proxyPorts=proxy_http_port, httpProxy=proxy)} else echo "John wordlist is empty :(" fi sleep 1 if grep -i "No Valid Passwords Found" {c.getPath("proxy","wpscanJohnCoolBrute")}; then {c.getCmd("proxy", "wpscanFastTrackBrute", proxyPorts=proxy_http_port, httpProxy=proxy)} fi fi fi """ try: with open(c.getPath("proxy", "wordpressBashBruteScript"), "w") as wpb: print("Creating wordpress Brute Force Script...") wpb.write(manual_brute_force_script) call(f"""chmod +x {c.getPath("proxy", "wordpressBashBruteScript")}""", shell=True) except FileNotFoundError as fnf_error: print(fnf_error) if "Drupal" in cms: drupal_cmd = c.getCmd("proxy", "droopescan", proxyPorts=proxy_http_port) cms_commands.append(drupal_cmd) if "Joomla" in cms: joomla_cmd = c.getCmd("proxy", "joomscan", proxyPorts=proxy_http_port, httpProxy=proxy) cms_commands.append(joomla_cmd) if "Magento" in cms: magento_cmd = c.getCmd("proxy", "magescan", proxyPorts=proxy_http_port) cms_commands.append(magento_cmd) if "WebDAV" in cms or ("Microsoft-IIS 6.0" in cms): webdav_cmd2 = c.getCmd("proxy", "webdavNmap", proxyPort=proxy_http_port) cms_commands.append(webdav_cmd2) sorted_commands = sorted(set(cms_commands)) commands_to_run = [] for i in sorted_commands: commands_to_run.append(i) mpCmds = tuple(commands_to_run) self.cms_processes = mpCmds
def openPorts(self): """The openPorts function will parse all found ports from the nmap.xml file fed to the report variable. All ports will be appended to the lists in __init__ and will then be accessible from the NmapParserFunk Class.""" def parsefile(xmlfile): parser = make_parser() parser.setContentHandler(ContentHandler()) parser.parse(xmlfile) c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) if os.path.exists(c.getPath("nmap", "nmap_top_ports_xml")): try: parsefile(c.getPath("nmap", "nmap_top_ports_xml")) report = NmapParser.parse_fromfile( c.getPath("nmap", "nmap_top_ports_xml")) self.nmap_services += report.hosts[0].services self.nmap_services = sorted(self.nmap_services, key=lambda s: s.port) # print(self.nmap_services) ignored_windows_http_ports = [593, 5985, 47001] for service in self.nmap_services: if "open" not in service.state: continue if "open|filtered" in service.state: continue self.services.append(( service.port, service.service, service.tunnel, service.cpelist, service.banner, service.service_dict.get("product", ""), service.service_dict.get("version", ""), service.service_dict.get("extrainfo", ""), service.scripts_results, )) for service in self.services: if service[0] not in self.tcp_ports: self.tcp_ports.append(service[0]) if "ssl" in service[2] or ("ssl" in service[1]): if "imap" not in service[1]: if "pop3" not in service[1]: if "ldap" not in service[1]: if service[0] not in self.ssl_ports: self.ssl_ports.append(service[0]) if service[ 8] not in self.ssl_script_results: self.ssl_script_results.append( service[8]) if "http" in service[1] and ( "ssl/http" not in service[1]) and ( "ssl" not in service[2]) and ("ssl" not in service[1]): if "MiniServ" not in service[5]: if "http-proxy" not in service[1]: if service[ 0] not in ignored_windows_http_ports: if service[0] not in self.http_ports: self.http_ports.append(service[0]) if service[ 8] not in self.http_script_results: self.http_script_results.append( service[8]) if "netbios-ssn" in service[1]: if service[0] not in self.smb_ports: self.smb_ports.append(service[0]) if "microsoft-ds" in service[1]: if service[0] not in self.smb_ports: self.smb_ports.append(service[0]) if "domain" in service[1]: if service[0] not in self.dns_ports: self.dns_ports.append(service[0]) if "http-proxy" in service[1]: if service[0] not in self.proxy_ports: self.proxy_ports.append(service[0]) if "ssh" in service[1]: if service[0] not in self.ssh_ports: self.ssh_ports.append(service[0]) if service[5] not in self.ssh_product: self.ssh_product.append(service[5]) if service[6] not in self.ssh_version: self.ssh_version.append(service[6]) if service[8] not in self.ssh_script_results: self.ssh_script_results.append(service[8]) if "oracle-tns" in service[1]: if service[0] != 49160: if service[0] not in self.oracle_tns_ports: self.oracle_tns_ports.append(service[0]) if "ftp" in service[1]: if service[0] not in self.ftp_ports: self.ftp_ports.append(service[0]) if service[5] not in self.ftp_product: self.ftp_product.append(service[5]) if service[6] not in self.ftp_version: self.ftp_version.append(service[6]) if "smtp" in service[1]: if service[0] not in self.smtp_ports: self.smtp_ports.append(service[0]) if service[4] not in self.smtp_version: self.smtp_version.append(service[4]) if service[5] not in self.smtp_product: self.smtp_product.append(service[5]) if "rpcbind" in service[1]: if service[0] not in self.nfs_ports: self.nfs_ports.append(service[0]) if "msrpc" in service[1]: if service[0] not in self.rpc_ports: self.rpc_ports.append(service[0]) if "ldap" in service[1]: if service[0] not in self.ldap_ports: self.ldap_ports.append(service[0]) if "BaseHTTPServer" in service[4]: if service[0] not in self.http_ports: self.http_ports.append(service[0]) if "Apache" in service[5] and ( "ssl/http" not in service[1]) and ( "ssl" not in service[2]) and ("ssl" not in service[1]): if service[0] not in self.http_ports: self.http_ports.append(service[0]) if "telnet" in service[1]: if service[0] not in self.telnet_ports: self.telnet_ports.append(service[0]) if "asterisk" in service[1]: if service[0] not in self.sip_ports: self.sip_ports.append(service[0]) if "vnc" in service[1]: if service[0] not in self.vnc_ports: self.vnc_ports.append(service[0]) if "cassandra" in service[1]: if service[0] not in self.cassandra_ports: self.cassandra_ports.append(service[0]) if "ms-sql" in service[1]: if service[0] not in self.mssql_ports: self.mssql_ports.append(service[0]) if "mysql" in service[1]: if service[0] not in self.mysql_ports: self.mysql_ports.append(service[0]) if "finger" in service[1]: if service[0] not in self.finger_ports: self.finger_ports.append(service[0]) if "mongod" in service[1]: if service[0] not in self.mongo_ports: self.mongo_ports.append(service[0]) if "pop3" in service[1]: if service[0] not in self.pop3_ports: self.pop3_ports.append(service[0]) if "kerberos" in service[1]: if service[0] not in self.kerberos_ports: self.kerberos_ports.append(service[0]) if "kpasswd" in service[1]: if service[0] not in self.kerberos_ports: self.kerberos_ports.append(service[0]) if service[4] not in self.banners: self.banners.append(service[4]) if service[5] not in self.all_products: self.all_products.append(service[5]) if len(self.http_script_results) != 0: for t in self.http_script_results[0]: result = t["id"], t["output"] if "http-title" in result: if result[1] not in self.http_script_title: self.http_script_title.append(result[1]) # Print Statements for Debugging Purposes.. # print("HTTP PORTS:", self.http_ports) # if len(self.http_script_results) != 0: # print("HTTP-Script-Results:", self.http_script_results[0]) # print("ORACLE PORTS:", self.oracle_tns_ports) # print("OPEN TCP PORTS:", self.tcp_ports) # print("SSL:", self.ssl_ports) # print("SMB:", self.smb_ports) # print("DNS:", self.dns_ports) # print("Services:", self.services) # print("SSH:", self.ssh_ports) # print("SSH VERSION:", self.ssh_version) # print("FTP VERSION:", self.ftp_version) # print("FTP PRODUCT", self.ftp_product) # print("Proxy Ports:", self.proxy_ports) # print("SSH-Product", self.ssh_product) if len(self.tcp_ports) > 100: print( "Server is Configured to Falsely show all ports as open." ) print( "ToDo: Create Alternative Scanning Technique to bypass PortSpoof." ) print( "Exiting for now. Continue Your enumeration Manually, Check if http or https are open" ) print( "by manually trying to view these ports in the web browser. etc. etc." ) exit() except Exception as e: print( f"""{c.getPath("nmap", "nmap_top_ports_xml")} Cannot Parse Top Ports nmap xml file. {e}""" ) return
def openProxyPorts(self): """The openProxyPorts function will parse all found ports from the proxychains nmap xml file fed to the report variable. All ports will be appended to the lists in __init__ and will then be accessible from the NmapParserFunk Class.""" def parsefile(xmlfile): parser = make_parser() parser.setContentHandler(ContentHandler()) parser.parse(xmlfile) c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) if os.path.exists(c.getPath("nmap", "nmap_proxychain_top_ports")): try: parsefile(c.getPath("nmap", "nmap_proxychain_top_ports")) proxy_report = NmapParser.parse_fromfile( c.getPath("nmap", "nmap_proxychain_top_ports")) self.proxy_nmap_services += proxy_report.hosts[0].services self.proxy_nmap_services = sorted(self.proxy_nmap_services, key=lambda s: s.port) ignored_windows_http_ports = [5985, 47001] for service in self.proxy_nmap_services: if "open" not in service.state: continue self.proxy_services.append(( service.port, service.service, service.tunnel, service.cpelist, service.banner, )) for service in self.proxy_services: if service[0] not in self.proxy_tcp_ports: self.proxy_tcp_ports.append(service[0]) if "ssl" in service[2] or ("ssl" in service[1]): if "imap" not in service[1]: if "pop3" not in service[1]: if "ldap" not in service[1]: if service[ 0] not in self.proxy_ssl_ports: self.proxy_ssl_ports.append( service[0]) if "http" in service[1]: if "ssl" not in service[2]: if "ssl" not in service[1]: if "http-proxy" not in service[1]: if service[ 0] not in ignored_windows_http_ports: if service[ 0] not in self.proxy_http_ports: self.proxy_http_ports.append( service[0]) if "netbios-ssn" in service[1]: if service[0] not in self.proxy_smb_ports: self.proxy_smb_ports.append(service[0]) if "microsoft-ds" in service[1]: if service[0] not in self.proxy_smb_ports: self.proxy_smb_ports.append(service[0]) if "domain" in service[1]: if service[0] not in self.proxy_dns_ports: self.proxy_dns_ports.append(service[0]) if "http-proxy" in service[1]: if service[0] not in self.proxy_ports2: self.proxy_ports2.append(service[0]) if "ssh" in service[1]: if service[0] not in self.proxy_ssh_ports: self.proxy_ssh_ports.append(service[0]) if service[4] not in self.proxy_ssh_version: self.proxy_ssh_version.append(service[4]) if "oracle-tns" in service[1]: if service[0] != 49160: if service[ 0] not in self.proxy_oracle_tns_ports: self.proxy_oracle_tns_ports.append( service[0]) if "ftp" in service[1]: if service[0] not in self.proxy_ftp_ports: self.proxy_ftp_ports.append(service[0]) if "smtp" in service[1]: if service[0] not in self.proxy_smtp_ports: self.proxy_smtp_ports.append(service[0]) if "rpcbind" in service[1]: if service[0] not in self.proxy_nfs_ports: self.proxy_nfs_ports.append(service[0]) if "msrpc" in service[1]: if service[0] not in self.proxy_rpc_ports: self.proxy_rpc_ports.append(service[0]) if "ldap" in service[1]: if service[0] not in self.proxy_ldap_ports: self.proxy_ldap_ports.append(service[0]) if "BaseHTTPServer" in service[4]: if service[0] not in self.proxy_http_ports: self.proxy_http_ports.append(service[0]) # print("HTTP PORTS:", self.proxy_http_ports) # print("ORACLE PORTS:", self.proxy_oracle_tns_ports) # print("OPEN TCP PORTS:", self.proxy_tcp_ports) # print("SSL:", self.proxy_ssl_ports) # print("SMB:", self.proxy_smb_ports) # print("DNS:", self.proxy_dns_ports) # print("Services:", self.proxy_services) # print("SSH:", self.proxy_ssh_ports) # print("SSH VERSION:", self.proxy_ssh_version) # print("Proxy Ports2:", self.proxy_ports2) except Exception as e: print( f"""{c.getPath("nmap", "nmap_proxychain_top_ports")} Cannot Parse proxychain top ports nmap xml file. {e}""" ) return
def allOpenPorts(self): """The openPorts function will parse all found ports from the FullTcpNmap.xml file fed to the report variable. All ports will be appended to the lists in __init__ and will then be accessible from the NmapParserFunk Class.""" def parsefile(xmlfile): parser = make_parser() parser.setContentHandler(ContentHandler()) parser.parse(xmlfile) c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) if os.path.exists(c.getPath("nmap", "nmap_full_tcp_xml")): try: parsefile(c.getPath("nmap", "nmap_full_tcp_xml")) report = NmapParser.parse_fromfile( c.getPath("nmap", "nmap_full_tcp_xml")) self.nmap_services += report.hosts[0].services self.nmap_services = sorted(self.nmap_services, key=lambda s: s.port) # print(self.nmap_services) ignored_windows_http_ports = [5985, 47001] for service in self.nmap_services: if "open" not in service.state: continue if "open|filtered" in service.state: continue self.services.append(( service.port, service.service, service.tunnel, service.cpelist, service.banner, service.service_dict.get("product", ""), service.service_dict.get("version", ""), service.service_dict.get("extrainfo", ""), service.scripts_results, )) for service in self.services: if service[0] not in self.tcp_ports: self.tcp_ports.append(service[0]) if "ssl" in service[2] or ("ssl" in service[1]): if "imap" not in service[1]: if "pop3" not in service[1]: if "ldap" not in service[1]: if service[0] not in self.ssl_ports: self.ssl_ports.append(service[0]) if service[ 8] not in self.ssl_script_results: self.ssl_script_results.append( service[8]) if "http" in service[1] and ( "ssl/http" not in service[1]) and ( "ssl" not in service[2]) and ("ssl" not in service[1]): if "MiniServ" not in service[5]: if "http-proxy" not in service[1]: if service[ 0] not in ignored_windows_http_ports: if service[0] not in self.http_ports: self.http_ports.append(service[0]) if service[ 8] not in self.http_script_results: self.http_script_results.append( service[8]) if "netbios-ssn" in service[1]: if service[0] not in self.smb_ports: self.smb_ports.append(service[0]) if "microsoft-ds" in service[1]: if service[0] not in self.smb_ports: self.smb_ports.append(service[0]) if "domain" in service[1]: if service[0] not in self.dns_ports: self.dns_ports.append(service[0]) if "http-proxy" in service[1]: if service[0] not in self.proxy_ports: self.proxy_ports.append(service[0]) if "ssh" in service[1]: if service[0] not in self.ssh_ports: self.ssh_ports.append(service[0]) if service[5] not in self.ssh_product: self.ssh_product.append(service[5]) if service[6] not in self.ssh_version: self.ssh_version.append(service[6]) if service[8] not in self.ssh_script_results: self.ssh_script_results.append(service[8]) if "oracle-tns" in service[1]: if service[0] != 49160: if service[0] not in self.oracle_tns_ports: self.oracle_tns_ports.append(service[0]) if "ftp" in service[1]: if service[0] not in self.ftp_ports: self.ftp_ports.append(service[0]) if service[5] not in self.ftp_product: self.ftp_product.append(service[5]) if service[6] not in self.ftp_version: self.ftp_version.append(service[6]) if "smtp" in service[1]: if service[0] not in self.smtp_ports: self.smtp_ports.append(service[0]) if service[4] not in self.smtp_version: self.smtp_version.append(service[4]) if service[5] not in self.smtp_product: self.smtp_product.append(service[5]) if "rpcbind" in service[1]: if service[0] not in self.nfs_ports: self.nfs_ports.append(service[0]) if "msrpc" in service[1]: if service[0] not in self.rpc_ports: self.rpc_ports.append(service[0]) if "ldap" in service[1]: if service[0] not in self.ldap_ports: self.ldap_ports.append(service[0]) if "BaseHTTPServer" in service[4]: if service[0] not in self.http_ports: self.http_ports.append(service[0]) if "Apache" in service[5] and ( "ssl/http" not in service[1]) and ( "ssl" not in service[2]) and ("ssl" not in service[1]): if service[0] not in self.http_ports: self.http_ports.append(service[0]) if "telnet" in service[1]: if service[0] not in self.telnet_ports: self.telnet_ports.append(service[0]) if "asterisk" in service[1]: if service[0] not in self.sip_ports: self.sip_ports.append(service[0]) if "vnc" in service[1]: if service[0] not in self.vnc_ports: self.vnc_ports.append(service[0]) if "cassandra" in service[1]: if service[0] not in self.cassandra_ports: self.cassandra_ports.append(service[0]) if "ms-sql" in service[1]: if service[0] not in self.mssql_ports: self.mssql_ports.append(service[0]) if "mysql" in service[1]: if service[0] not in self.mysql_ports: self.mysql_ports.append(service[0]) if "finger" in service[1]: if service[0] not in self.finger_ports: self.finger_ports.append(service[0]) if "mongod" in service[1]: if service[0] not in self.mongo_ports: self.mongo_ports.append(service[0]) if "pop3" in service[1]: if service[0] not in self.pop3_ports: self.pop3_ports.append(service[0]) if "kerberos" in service[1]: if service[0] not in self.kerberos_ports: self.kerberos_ports.append(service[0]) if "kpasswd" in service[1]: if service[0] not in self.kerberos_ports: self.kerberos_ports.append(service[0]) if service[4] not in self.banners: self.banners.append(service[4]) if service[5] not in self.all_products: self.all_products.append(service[5]) if len(self.http_script_results) != 0: for t in self.http_script_results[0]: result = t["id"], t["output"] if "http-title" in result: if result[1] not in self.http_script_title: self.http_script_title.append(result[1]) except Exception as e: print( f"""{c.getPath("nmap", "nmap_full_tcp_xml")} Cannot Parse Full TCP nmap xml file. {e}""" ) return