def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': threads = [] thread_tmp_filename = '{}/tmp/thread_tmp_'.format( load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 total_req = 8000 if target_type(target) != "HTTP": target = 'http://' + target t = threading.Thread(target=analyze, args=(target, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target), "", 'dir_scan')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: break # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() == 1 or kill_switch == kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write == 1: info( messages(language, "nothing_found").format(target, "wappalyzer_scan")) if verbose_level != 0: data = json.dumps({ 'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wappalyzer_scan', 'DESCRIPTION': messages(language, "not_found"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn( messages(language, "input_target_error").format('wappalyzer_scan', target))
def login(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, curl_tmp_filename, socks_proxy, scan_id, scan_cmd): exit = 0 if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str( socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo while 1: flag = 1 try: curl = pycurl.Curl() curl.setopt(pycurl.URL, target) curl.setopt(pycurl.SSL_VERIFYPEER, 0) curl.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_NTLM) c.setopt(c.WRITEDATA, curl_tmp_filename) if timeout_sec is not None: curl.setopt(pycurl.CONNECTTIMEOUT, timeout_sec) else: curl.setopt(pycurl.CONNECTTIMEOUT, 30) curl.perform() status_code = curl.getinfo(pycurl.HTTP_CODE) if status_code != 200: exit += 1 if exit is retries: warn(messages(language, "http_ntlm_failed").format( target, user, passwd, port)) return 1 else: time.sleep(time_sleep) continue elif status_code == 200: flag = 0 if flag is 0: info(messages(language, "http_ntlm_success").format( user, passwd, target, port)) data = json.dumps( {'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'http_ntlm_brute', 'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n" __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) except: exit += 1 if exit is retries: warn(messages(language, "http_ntlm_failed").format( target, user, passwd, port)) return 1 else: time.sleep(time_sleep) continue return flag
def check(target, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, http_method, socks_proxy, scan_id, scan_cmd): status_codes = [401, 403] directory_listing_msgs = ["<title>Index of /", "<a href=\"\\?C=N;O=D\">Name</a>", "Directory Listing for", "Parent Directory</a>", "Last modified</a>", "<TITLE>Folder Listing.", "- Browsing directory "] time.sleep(time_sleep) try: if socks_proxy is not None: socks_version = ( socks.SOCKS5 if socks_proxy.startswith("socks5://") else socks.SOCKS4 ) socks_proxy = socks_proxy.rsplit("://")[1] if "@" in socks_proxy: socks_username = socks_proxy.rsplit(":")[0] socks_password = socks_proxy.rsplit(":")[1].rsplit("@")[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit("@")[1].rsplit(":")[0]), int(socks_proxy.rsplit(":")[-1]), username=socks_username, password=socks_password, ) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy( socks_version, str(socks_proxy.rsplit(":")[0]), int(socks_proxy.rsplit(":")[1]), ) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 while 1: try: if http_method == "GET": r = requests.get( target, timeout=timeout_sec, headers=user_agent ) elif http_method == "HEAD": r = requests.head( target, timeout=timeout_sec, headers=user_agent ) content = r.content break except Exception: n += 1 if n is retries: warn( messages(language, "http_connection_timeout").format( target ) ) return 1 if version() == 3: content = content.decode("utf8") if r.status_code in status_codes: log_in_file(thread_tmp_filename, "w", "0", language) info( messages(language, "found").format( target, r.status_code, r.reason ), log_in_file, "a", { "HOST": target_to_host(target), "USERNAME": "", "PASSWORD": "", "PORT": "", "TYPE": "admin_scan", "DESCRIPTION": messages(language, "found").format( target, r.status_code, r.reason ), "TIME": now(), "CATEGORY": "scan", "SCAN_ID": scan_id, "SCAN_CMD": scan_cmd, }, language, thread_tmp_filename, ) if r.status_code == 200: data = { "HOST": target_to_host(target), "USERNAME": "", "PASSWORD": "", "PORT": "", "TYPE": "admin_scan", "DESCRIPTION": messages(language, "directoy_listing").format( target ), "TIME": now(), "CATEGORY": "scan", "SCAN_ID": scan_id, "SCAN_CMD": scan_cmd, } for dlmsg in directory_listing_msgs: if dlmsg in content: info( messages(language, "directoy_listing").format(target), log_in_file, "a", data, language, thread_tmp_filename, ) __log_into_file( log_in_file, "a\ ", json.dumps(data), language, ) else: info( messages(language, "found").format( target, r.status_code, r.reason ), log_in_file, "a", { "HOST": target_to_host(target), "USERNAME": "", "PASSWORD": "", "PORT": "", "TYPE": "admin_scan", "DESCRIPTION": messages(language, "found").format( target, r.status_code, r.reason ), "TIME": now(), "CATEGORY": "scan", "SCAN_ID": scan_id, "SCAN_CMD": scan_cmd, }, language, thread_tmp_filename, ) break return True except Exception: return False
def login(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): username_field = "username" password_field = "password" exit = 0 class BruteParser(HTMLParser): def __init__(self): HTMLParser.__init__(self) self.parsed_results = {} def handle_starttag(self, tag, attrs): if tag == "input": for name, value in attrs: if name == "name" and value == username_field: self.parsed_results[username_field] = username_field if name == "name" and value == password_field: self.parsed_results[password_field] = password_field if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo while 1: target_host = str(target) + ":" + str(port) flag = 1 try: cookiejar = cookiejar.FileCookieJar("cookies") opener = urllib2.build_opener( urllib2.HTTPCookieProcessor(cookiejar)) response = opener.open(target) page = response.read() parsed_html = BruteParser() parsed_html.feed(page) parsed_html.parsed_results[username_field] = user parsed_html.parsed_results[password_field] = passwd post_data = urllib.urlencode(parsed_html.parsed_results).encode() except: exit += 1 if exit is retries: warn( messages(language, "http_form_auth_failed").format( target, user, passwd, port)) return 1 else: time.sleep(time_sleep) continue try: if timeout_sec is not None: brute_force_response = opener.open(target_host, data=post_data, timeout=timeout_sec) else: brute_force_response = opener.open(target_host, data=post_data) if brute_force_response.code == 200: flag = 0 if flag is 0: info( messages(language, "http_form_auth_success").format( user, passwd, target, port)) data = json.dumps( { 'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'http_form_brute', 'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) return flag except: exit += 1 if exit is retries: warn( messages(language, "http_form_auth_failed").format( target, user, passwd, port)) return 1 else: time.sleep(time_sleep) continue
def __weak_encryption(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): if Algorithm(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): info(messages(language, "target_vulnerable").format( target, port, 'Weak Encryption Algorithm : sha1WithRSAEncryption')) __log_into_file(thread_tmp_filename, 'w', '0', language) data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'weak_encryption_algorithm_vuln', 'DESCRIPTION': messages(language, "vulnerable").format('Weak Encryption Algorithm : sha1WithRSAEncryption'), 'TIME': now(), 'CATEGORY': "vuln", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) __log_into_file(log_in_file, 'a', data, language) return True else: return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function from core.targets import target_type from core.targets import target_to_host if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements if target_type(target) == 'HTTP': target = target_to_host(target) subs = __get_subs(target, timeout_sec, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, num, total, extra_requirements=extra_requirements) if len(subs) is 0: info(messages(language, "no_subdomain_found")) if len(subs) is not 0: info(messages(language, "len_subdomain_found").format(len(subs))) for sub in subs: if verbose_level > 2: info(messages(language, "subdomain_found").format(sub)) data = json.dumps({ 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan', 'DESCRIPTION': sub, 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) if len(subs) is 0 and verbose_level is not 0: data = json.dumps({ 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan', 'DESCRIPTION': messages(language, "subdomain_found").format( len(subs), ', '.join(subs) if len(subs) > 0 else 'None'), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) return subs else: warn( messages(language, "input_target_error").format('subdomain_scan', target)) return []
def connect(host, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd, stealth_flag): try: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo if target_type(host) == "SINGLE_IPv6": s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0) else: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if timeout_sec is not None: s.settimeout(timeout_sec) if target_type(host) == "SINGLE_IPv6": s.connect((host, port, 0, 0)) else: s.connect((host, port)) try: service_name = "/" + discover_by_port(host, port, timeout_sec, b"ABC\x00\r\n" * 10, socks_proxy, external_run=True) except Exception as _: service_name = None if not service_name or service_name == "/UNKNOWN": try: service_name = "/" + socket.getservbyport(port) except Exception: service_name = "" info( messages(language, "port_found").format(host, str(port) + service_name, "TCP_CONNECT"), log_in_file, "a", { 'HOST': host, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'port_scan', 'DESCRIPTION': messages(language, "port/type").format( str(port) + service_name, "TCP_CONNECT"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }, language, thread_tmp_filename) s.close() return True except socket.timeout: try: service_name = "/" + discover_by_port(host, port, timeout_sec, b"ABC\x00\r\n" * 10, socks_proxy, external_run=True) except Exception as _: service_name = None if not service_name or service_name == "/UNKNOWN": try: service_name = "/" + socket.getservbyport(port) except Exception: service_name = "" try: if filter_port(host, port): info( messages(language, "port_found").format(host, str(port) + service_name, "TCP_CONNECT")) data = json.dumps({ 'HOST': host, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'port_scan', 'DESCRIPTION': messages(language, "port/type").format( str(port) + service_name, "TCP_CONNECT"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + '\n' __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) except: pass except: return False
def all_config_keys(): return { "language": "en", "verbose_level": 0, "show_version": False, "check_update": False, "log_in_file": "results/results_{0}_{1}.html".format( now(model="%Y_%m_%d_%H_%M_%S"), ''.join(random.choice(string.ascii_lowercase) for x in range(10))), "graph_flag": "d3_tree_v1_graph", "help_menu_flag": False, "targets": None, "targets_list": None, "scan_method": "all", "exclude_method": None, "users": None, "users_list": None, "passwds": None, "passwds_list": None, "ports": None, "timeout_sec": 2.0, "time_sleep": 0.0, "check_ranges": False, "check_subdomains": False, "thread_number": 10, "thread_number_host": 10, "socks_proxy": None, "retries": 3, "ping_flag": False, "methods_args": None, "method_args_list": False, "startup_check_for_update": True, "wizard_mode": False, "profile": None }
def __Memory_leak(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): if Memory_leak(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): info(messages(language, "target_vulnerable").format(target, port, 'FTP server is prone to a memory leak vulnerability in the file rename function. CVE-2017-16892')) __log_into_file(thread_tmp_filename, 'w', '0', language) data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'Bftpd_memory_leak_vuln', 'DESCRIPTION': messages(language, "vulnerable").format('FTP server is prone to a memory leak vulnerability in the file rename function. CVE-2017-16892'), 'TIME': now(), 'CATEGORY': "vuln", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) __log_into_file(log_in_file, 'a', data, language) return True else: return False
def __apache_struts(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): if apache_struts(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): info(messages(language, "target_vulnerable").format(target, port, 'The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. CVE-2017-5638')) __log_into_file(thread_tmp_filename, 'w', '0', language) data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'apache_struts_vuln', 'DESCRIPTION': messages(language, "vulnerable").format(''), 'TIME': now(), 'CATEGORY': "vuln", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) __log_into_file(log_in_file, 'a', data, language) return True else: return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(target) != 'HTTP': # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[ extra_requirement] = methods_args[extra_requirement] extra_requirements = new_extra_requirements if users is None: users = extra_requirements["smtp_brute_users"] if passwds is None: passwds = extra_requirements["smtp_brute_passwds"] if ports is None: ports = extra_requirements["smtp_brute_ports"] if extra_requirements["smtp_brute_split_user_set_pass"][0] not in ["False", "True"]: extra_requirements["smtp_brute_split_user_set_pass"][0] = "False" if target_type(target) == 'HTTP': target = target_to_host(target) threads = [] total_req = int( len(users) * len(passwds) * len(ports) * len(extra_requirements["smtp_brute_split_user_set_pass_prefix"])) \ if extra_requirements["smtp_brute_split_user_set_pass"][0] == "False" \ else int(len(users) * len(ports) * len(extra_requirements["smtp_brute_split_user_set_pass_prefix"])) thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) ports_tmp_filename = '{}/tmp/ports_tmp_'.format(load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) __log_into_file(ports_tmp_filename, 'w', '', language) ports = test_ports(ports, timeout_sec, target, retries, language, num, total, time_sleep, ports_tmp_filename, thread_number, total_req, verbose_level, socks_proxy) trying = 0 if extra_requirements["smtp_brute_split_user_set_pass"][0] == "False": for port in ports: for user in users: for passwd in passwds: t = threading.Thread(target=login, args=( user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info(messages(language, "trying_message").format(trying, total_req, num, total, target, port, 'smtp_brute')) while 1: n = 0 for thread in threads: if thread.isAlive(): n += 1 else: threads.remove(thread) if n >= thread_number: time.sleep(0.01) else: break else: keyboard_interrupt_flag = False for port in ports: for user in users: for prefix in extra_requirements["smtp_brute_split_user_set_pass_prefix"]: t = threading.Thread(target=login, args=(user, user.rsplit('@')[0] + prefix, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info(messages(language, "trying_message").format(trying, total_req, num, total, target, port, 'smtp_brute')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break else: break else: break # wait for threads kill_switch = 0 kill_time = int( timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() == 1 or kill_switch == kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write == 1 and verbose_level != 0: data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'smtp_brute', 'DESCRIPTION': messages(language, "no_user_passwords"), 'TIME': now(), 'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n" __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn(messages(language, "input_target_error").format(target))
def login(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy): exit = 0 if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo while 1: try: if timeout_sec is not None: tn = telnetlib.Telnet(target, timeout=timeout_sec) else: tn = telnetlib.Telnet(target) exit = 0 break except: exit += 1 if exit is retries: warn( messages(language, 182).format(target, port, user, passwd)) return 1 time.sleep(time_sleep) flag = 1 try: tn.read_until("login: "******"\n") tn.read_until("Password: "******"\n") flag = 0 except: pass if flag is 0: info(messages(language, 70).format(user, passwd, target, port)) data = json.dumps({ 'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'telnet_brute', 'DESCRIPTION': messages(language, 66), 'TIME': now(), 'CATEGORY': "brute" }) + "\n" __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) else: pass return flag
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, show_version, check_update, socks_proxy, retries, ping_flag, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(target) != 'HTTP': # output format time.sleep(time_sleep) if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo # set user agent headers = {"User-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0", "Accept": "text/javascript, text/html, application/xml, text/xml, */*", "Accept-Language": "en-US,en;q=0.5" } # timeout check if ping_flag and do_one_ping(target_to_host(target), timeout_sec, 8) is None: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo warn(messages(language, 100).format(target_to_host(target), 'viewdns_reverse_ip_lookup_scan')) return None total_req = 1 trying = 1 info(messages(language, 113).format(trying, total_req, num, total, target, 'viewdns ip lookup')) n = 0 while 1: try: res = requests.get('http://viewdns.info/reverseip/?host={0}&t=1'.format(target), timeout=timeout_sec, headers=headers, verify=True).text break except: n += 1 if n is retries: warn(messages(language, 106).format("viewdns.info")) return 1 _values = [] try: s = '<table>' + res.rsplit('''<table border="1">''')[1].rsplit("<br></td></tr><tr></tr>")[0] table = ET.XML(s) rows = iter(table) headers = [col.text for col in next(rows)] for row in rows: values = [col.text for col in row] _values.append(dict(zip(headers, values))["Domain"]) except: pass info(messages(language, 114).format(len(_values), ", ".join(_values) if len(_values) > 0 else "None")) if len(_values) > 0: save = open(log_in_file, 'a') save.write(json.dumps( {'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'viewdns_reverse_ip_lookup_scan', 'DESCRIPTION': messages(language, 114).format(len(_values), ", ".join(_values) if len( _values) > 0 else "None"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + '\n') save.close() if verbose_level is not 0: save = open(log_in_file, 'a') save.write(json.dumps( {'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'viewdns_reverse_ip_lookup_scan', 'DESCRIPTION': messages(language, 114).format(len(_values), ", ".join(_values) if len( _values) > 0 else "None"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + '\n') save.close() else: warn(messages(language, 69).format('viewdns_reverse_ip_lookup_scan', target))
def __xmlrpc_pingback(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): if xmlrpc_pingback(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): info(messages(language, "target_vulnerable").format(target, port, 'Wordpress XMLRPC pingback Vulnerability')) __log_into_file(thread_tmp_filename, 'w', '0', language) data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'Wordpress_xmlrpc_pingback_vuln', 'DESCRIPTION': messages(language, "vulnerable").format('Wordpress XMLRPC pingback Vulnerability'), 'TIME': now(), 'CATEGORY': "vuln", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) __log_into_file(log_in_file, 'a', data, language) return True else: return False
def sort_logs(log_in_file, language, graph_flag, scan_id, scan_cmd, verbose_level, api_flag, profile, scan_method, ports): """ sort all events, create log file in HTML/TEXT/JSON and remove old logs Args: log_in_file: output filename language: language graph_flag: graph name scan_id: scan hash id scan_cmd: scan cmd verbose_level: verbose level number api_flag: API flag profile: profiles scan_method: module names ports: ports Returns: True if success otherwise None """ _HOST = messages(language, "HOST") _USERNAME = messages(language, "USERNAME") _PASSWORD = messages(language, "PASSWORD") _PORT = messages(language, "PORT") _TYPE = messages(language, "TYPE") _DESCRIPTION = messages(language, "DESCRIPTION") _TIME = messages(language, "TIME") events_num = 0 report_type = "" JSON_FROM_DB = __logs_by_scan_id(scan_id, language) JSON_Data = sorted(JSON_FROM_DB, key=sorted) if compatible.version() == 2: import sys reload(sys) sys.setdefaultencoding('utf8') if (len(log_in_file) >= 5 and log_in_file[-5:] == '.html') or ( len(log_in_file) >= 4 and log_in_file[-4:] == '.htm'): report_type = "HTML" data = sorted(JSON_FROM_DB, key=lambda x: sorted(x.keys())) # if user want a graph _graph = '' for i in data: if(i["DESCRIPTION"]): i["DESCRIPTION"] = html.escape(i["DESCRIPTION"]) break; if graph_flag is not None: _graph = build_graph(graph_flag, language, data, 'HOST', 'USERNAME', 'PASSWORD', 'PORT', 'TYPE', 'DESCRIPTION') from lib.html_log import _log_data _css = _log_data.css_1 _table = _log_data.table_title.format(_graph, _css, _HOST, _USERNAME, _PASSWORD, _PORT, _TYPE, _DESCRIPTION, _TIME) for value in data: _table += _log_data.table_items.format(value['HOST'], value['USERNAME'], value['PASSWORD'], value['PORT'], value['TYPE'], value['DESCRIPTION'], value['TIME']) events_num += 1 _table += _log_data.table_end + '<p class="footer">' + messages(language, "nettacker_version_details") \ .format(compatible.__version__, compatible.__code_name__, now()) + '</p>' __log_into_file(log_in_file, 'w' if type(_table) == str else 'wb', _table, language, final=True) elif len(log_in_file) >= 5 and log_in_file[-5:] == '.json': graph_flag = "" report_type = "JSON" data = json.dumps(JSON_Data) events_num = len(JSON_Data) __log_into_file(log_in_file, 'w', data, language, final=True) elif len(log_in_file)>=5 and log_in_file[-4:] == '.csv': graph_flag = "" report_type = "CSV" keys = JSON_Data[0].keys() data = json.dumps(JSON_Data) events_num = len(JSON_Data) with open(log_in_file, 'a') as csvfile: writer = csv.DictWriter(csvfile, fieldnames=keys) writer.writeheader() for i in JSON_Data: dicdata = {key: value for key, value in i.items() if key in keys} writer.writerow(dicdata) else: graph_flag = "" report_type = "TEXT" data, events_num = __build_texttable(JSON_FROM_DB, _HOST, _USERNAME, _PASSWORD, _PORT, _TYPE, _DESCRIPTION, _TIME, language) __log_into_file(log_in_file, 'wb', data, language, final=True) data = data if report_type == "TEXT" else __build_texttable(JSON_FROM_DB, _HOST, _USERNAME, _PASSWORD, _PORT, _TYPE, _DESCRIPTION, _TIME, language)[0] info(messages(language, "updating_database")) category = [] for sm in scan_method: if sm.rsplit("_")[-1] not in category: category.append(sm.rsplit("_")[-1]) category = ",".join(list(set(category))) scan_method = ",".join(scan_method) if ports is None: ports = "default" submit_report_to_db(now(), scan_id, log_in_file, events_num, 0 if verbose_level == 0 else 1, api_flag, report_type, graph_flag, category, profile, scan_method, language, scan_cmd, ports) info(messages(language, "removing_logs_db")) hosts = [] for log in JSON_Data: if log["HOST"] not in hosts: hosts.append(log["HOST"]) for host in hosts: for sm in scan_method.rsplit(','): remove_old_logs(host, sm, scan_id, language) # info(messages(language,"inserting_logs_db")) # for log in JSON_Data: # submit_logs_to_db(language, log) if events_num: info(messages(language, "summary_report")) write(data) else: info(messages(language, "no_event_found")) info(messages(language, "file_saved").format(log_in_file)) return True
def __go_for_attacks(targets, check_ranges, check_subdomains, log_in_file, time_sleep, language, verbose_level, retries, socks_proxy, users, passwds, timeout_sec, thread_number, ports, ping_flag, methods_args, backup_ports, scan_method, thread_number_host, graph_flag, profile, api_flag): """ preparing for attacks and managing multi-processing for host Args: targets: list of calculated targets check_ranges: check IP range flag check_subdomains: check subdomain flag log_in_file: output filename time_sleep: time sleep seconds language: language verbose_level: verbose level number retries: retries number socks_proxy: socks proxy address users: usernames passwds: passwords timeout_sec: timeout seconds thread_number: thread numbers ports: port numbers ping_flag: ping before scan flag methods_args: method args for modules backup_ports: port numbers (backup) scan_method: selected module names thread_number_host: threads for hosts scan graph_flag: graph name profile: profile name api_flag: API flag Returns: True when it ends """ suff = now(model="%Y_%m_%d_%H_%M_%S") + "".join( random.choice(string.ascii_lowercase) for x in range(10)) subs_temp = "{}/tmp/subs_temp_".format(load_file_path()) + suff range_temp = "{}/tmp/ranges_".format(load_file_path()) + suff total_targets = -1 for total_targets, _ in enumerate( analysis(targets, check_ranges, check_subdomains, subs_temp, range_temp, log_in_file, time_sleep, language, verbose_level, retries, socks_proxy, True)): pass total_targets += 1 total_targets = total_targets * len(scan_method) try: os.remove(range_temp) except: pass range_temp = "{}/tmp/ranges_".format(load_file_path()) + suff targets = analysis(targets, check_ranges, check_subdomains, subs_temp, range_temp, log_in_file, time_sleep, language, verbose_level, retries, socks_proxy, False) trying = 0 scan_id = "".join(random.choice("0123456789abcdef") for x in range(32)) scan_cmd = messages(language, 158) if api_flag else " ".join(sys.argv) for target in targets: for sm in scan_method: trying += 1 p = multiprocessing.Process( target=start_attack, args=(str(target).rsplit()[0], trying, total_targets, sm, users, passwds, timeout_sec, thread_number, ports, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, ping_flag, methods_args, scan_id, scan_cmd)) p.name = str(target) + "->" + sm p.start() while 1: n = 0 processes = multiprocessing.active_children() for process in processes: if process.is_alive(): n += 1 else: processes.remove(process) if n >= thread_number_host: time.sleep(0.01) else: break _waiting_for = 0 while 1: try: exitflag = True if len(multiprocessing.active_children()) is not 0: exitflag = False _waiting_for += 1 if _waiting_for > 3000: _waiting_for = 0 info( messages(language, 138).format(", ".join( [p.name for p in multiprocessing.active_children()]))) time.sleep(0.01) if exitflag: break except KeyboardInterrupt: for process in multiprocessing.active_children(): process.terminate() break info(messages(language, 42)) os.remove(subs_temp) os.remove(range_temp) info(messages(language, 43)) sort_logs(log_in_file, language, graph_flag, scan_id, scan_cmd, verbose_level, 0, profile, scan_method, backup_ports) write("\n") info(messages(language, 44)) write("\n\n") finish() return True
def login(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): exit = 0 if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo while 1: try: if timeout_sec is not None: server = smtplib.SMTP(target, int(port), timeout=timeout_sec) else: server = smtplib.SMTP(target, int(port)) server.starttls() exit = 0 break except: exit += 1 if exit is retries: warn( messages(language, "smtp_connection_timeout").format( target, port, user, passwd)) return 1 time.sleep(time_sleep) flag = 1 try: server.login(user, passwd) flag = 0 except smtplib.SMTPException as err: pass if flag is 0: info( messages(language, "user_pass_found").format(user, passwd, target, port)) data = json.dumps({ 'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'smtp_brute', 'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) else: pass try: server.quit() except: pass return flag
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent user_agent_list = [ "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5", "Googlebot/2.1 ( http://www.googlebot.com/bot.html)", "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04" " Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13", "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)", "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51", "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620", "Debian APT-HTTP/1.3 (0.8.10.3)", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "Googlebot/2.1 (+http://www.googlebot.com/bot.html)", "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)", "YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; " "http://help.yahoo.com/help/us/shop/merchant/)", "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)", "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)", "msnbot/1.1 (+http://search.msn.com/msnbot.htm)" ] http_methods = ["GET", "HEAD"] user_agent = {'User-agent': random.choice(user_agent_list)} # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements if extra_requirements["dir_scan_http_method"][0] not in http_methods: warn(messages(language, "dir_scan_get")) extra_requirements["dir_scan_http_method"] = ["GET"] random_agent_flag = True if extra_requirements["dir_scan_random_agent"][0] == "False": random_agent_flag = False threads = [] total_req = len(extra_requirements["dir_scan_list"]) thread_tmp_filename = '{}/tmp/thread_tmp_'.format( load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 if target_type(target) != "HTTP": target = 'http://' + target if test(str(target), retries, timeout_sec, user_agent, extra_requirements["dir_scan_http_method"][0], socks_proxy, verbose_level, trying, total_req, total, num, language) is 0: keyboard_interrupt_flag = False for idir in extra_requirements["dir_scan_list"]: if random_agent_flag: user_agent = {'User-agent': random.choice(user_agent_list)} t = threading.Thread( target=check, args=(target + '/' + idir, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, extra_requirements["dir_scan_http_method"][0], socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, "trying_message").format( trying, total_req, num, total, target_to_host(target), "default_port", 'dir_scan')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break else: warn(messages(language, "open_error").format(target)) # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() is 1 or kill_switch is kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write is 1: info( messages(language, "directory_file_404").format(target, "default_port")) if verbose_level is not 0: data = json.dumps({ 'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'dir_scan', 'DESCRIPTION': messages(language, "no_open_ports"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn( messages(language, "input_target_error").format('dir_scan', target))
def stealth(host, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd, stealth_flag): try: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket src_port = RandShort() stealth_scan_resp = sr1(IP(dst=host) / TCP(sport=src_port, dport=port, flags="S"), timeout=int(timeout_sec)) if (str(type(stealth_scan_resp)) == "<type 'NoneType'>"): # "Filtered" pass elif (stealth_scan_resp.haslayer(TCP)): if (stealth_scan_resp.getlayer(TCP).flags == 0x12): # send_rst = sr(IP(dst=host) / TCP(sport=src_port, dport=port, flags="R"), timeout=timeout_sec) try: service_name = "/" + discover_by_port(host, port, timeout_sec, b"ABC\x00\r\n" * 10, socks_proxy, external_run=True) except Exception as _: service_name = None if not service_name or service_name == "/UNKNOWN": try: service_name = "/" + socket.getservbyport(port) except Exception: service_name = "" data = json.dumps({ 'HOST': host, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'port_scan', 'DESCRIPTION': messages(language, "port/type").format( str(port) + service_name, "STEALTH"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + '\n' __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) elif (stealth_scan_resp.getlayer(TCP).flags == 0x14): # "Closed" pass elif (stealth_scan_resp.haslayer(ICMP)): if (int(stealth_scan_resp.getlayer(ICMP).type) == 3 and int(stealth_scan_resp.getlayer(ICMP).code) in [1, 2, 3, 9, 10, 13]): pass else: # "CHECK" pass return True except: return False
def check(target, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, http_method, socks_proxy, scan_id, scan_cmd): status_codes = [200, 401, 403] directory_listing_msgs = [ "<title>Index of /", "<a href=\"\\?C=N;O=D\">Name</a>", "Directory Listing for", "Parent Directory</a>", "Last modified</a>", "<TITLE>Folder Listing.", "- Browsing directory " ] time.sleep(time_sleep) try: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 while 1: try: if http_method == "GET": r = requests.get(target, timeout=timeout_sec, headers=user_agent) elif http_method == "HEAD": r = requests.head(target, timeout=timeout_sec, headers=user_agent) content = r.content break except: n += 1 if n is retries: warn( messages(language, "http_connection_timeout").format(target)) return 1 if version() is 3: content = content.decode('utf8') if r.status_code in status_codes: info( messages(language, "found").format(target, r.status_code, r.reason)) __log_into_file(thread_tmp_filename, 'w', '0', language) data = json.dumps({ 'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': "", 'TYPE': 'dir_scan', 'DESCRIPTION': messages(language, "found").format(target, r.status_code, r.reason), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) if r.status_code is 200: for dlmsg in directory_listing_msgs: if dlmsg in content: info( messages(language, "directoy_listing").format(target)) data = json.dumps({ 'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': "", 'TYPE': 'dir_scan', 'DESCRIPTION': messages(language, "directoy_listing").format(target), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) break return True except: return False
def login(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): exit = 0 if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo while 1: try: creds = user + ":" + passwd HEADERS["Authorization"] = "Basic " + base64.b64encode( creds.encode()).decode() req = requests.get(target, timeout=timeout_sec, headers=HEADERS, verify=False) flag = 1 if req.status_code in CODES: exit += 1 if exit == retries: warn( messages(language, "http_auth_failed").format( target, user, passwd, port)) return 1 else: time.sleep(time_sleep) continue elif req.status_code not in CODES: flag = 0 if flag == 0: info( messages(language, "http_auth_success").format( user, passwd, target, port)) data = json.dumps( { 'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'http_basic_auth_brute', 'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + "\n" __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) break except Exception: # logging.exception("message") exit += 1 if exit == retries: warn( messages(language, "http_auth_failed").format( target, user, passwd, port)) return 1 else: time.sleep(time_sleep) continue return flag
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent user_agent_list = [ "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5", "Googlebot/2.1 ( http://www.googlebot.com/bot.html)", "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04" " Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13", "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)", "Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51", "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620", "Debian APT-HTTP/1.3 (0.8.10.3)", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "Googlebot/2.1 (+http://www.googlebot.com/bot.html)", "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)", "YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; " "http://help.yahoo.com/help/us/shop/merchant/)", "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)", "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)", "msnbot/1.1 (+http://search.msn.com/msnbot.htm)" ] user_agent = {'User-agent': random.choice(user_agent_list)} limit = 1000 # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[extra_requirement] extra_requirements = new_extra_requirements random_agent_flag = True if extra_requirements["wordpress_dos_cve_2018_6389_vuln_random_agent"][0] != "True": random_agent_flag = False if extra_requirements["wordpress_dos_cve_2018_6389_vuln_no_limit"][0] != "False": limit = -1 threads = [] total_req = limit filepath = os.path.dirname(os.path.dirname(os.path.realpath(__file__))) thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 if target_type(target) == 'SINGLE_IPv4' or target_type(target) == 'DOMAIN': url = 'http://{0}/'.format(target) else: if target.count(':') > 1: __die_failure(messages(language, 105)) http = target.rsplit('://')[0] host = target_to_host(target) path = "/".join(target.replace('http://', '').replace('https://', '').rsplit('/')[1:]) url = http + '://' + host + '/' + path if test(url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num, language, False, log_in_file, scan_id, scan_cmd, thread_tmp_filename) is not 0: warn(messages(language, 109).format(url)) return info(messages(language, 177).format(target)) n = 0 t = threading.Thread(target=test, args=( url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num, language, True, log_in_file, scan_id, scan_cmd, thread_tmp_filename)) t.start() keyboard_interrupt_flag = False while (n != limit): n += 1 if random_agent_flag: user_agent = {'User-agent': random.choice(user_agent_list)} t = threading.Thread(target=send_dos, args=(url, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info(messages(language, 72).format(trying, total_req, num, total, target_to_host(target), port, 'wordpress_dos_cve_2018_6389_vuln')) try: if int(open(thread_tmp_filename).read().rsplit()[0]) is 0: if limit is not -1: break except: pass while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() is 2 or kill_switch is kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write is 1: info(messages(language, 141).format("wordpress_dos_cve_2018_6389_vuln")) if verbose_level is not 0: data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wordpress_dos_cve_2018_6389_vuln', 'DESCRIPTION': messages(language, 141).format("wordpress_dos_cve_2018_6389_vuln"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn(messages(language, 69).format('wordpress_dos_cve_2018_6389_vuln', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, ping_flag, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type(target) != 'HTTP': # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements if ports is None: ports = extra_requirements["tcp_connect_port_scan_ports"] if target_type(target) == 'HTTP': target = target_to_host(target) if ping_flag: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo warn(messages(language, 100).format(target, 'heartbleed_vuln')) if do_one_ping(target, timeout_sec, 8) is None: return None threads = [] max = thread_number total_req = len(ports) thread_tmp_filename = 'tmp/thread_tmp_' + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) thread_write = open(thread_tmp_filename, 'w') thread_write.write('1') thread_write.close() trying = 0 for port in ports: port = int(port) t = threading.Thread(target=connect, args=(target, int(port), timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level is not 0: info( messages(language, 72).format(trying, total_req, num, total, target, port, 'tcp_connect_port_scan')) while 1: try: if threading.activeCount() >= max: time.sleep(0.01) else: break except KeyboardInterrupt: break break # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() is 1 or kill_switch is kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write is 1 and verbose_level is not 0: save = open(log_in_file, 'a') save.write( json.dumps({ 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'tcp_connect_port_scan', 'DESCRIPTION': messages(language, 94), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + '\n') save.close() os.remove(thread_tmp_filename) else: warn(messages(language, 69).format('tcp_connect_port_scan', target))
def test(target, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num, language, dos_flag, log_in_file, scan_id, scan_cmd, thread_tmp_filename): if verbose_level > 3: info(messages(language, 72).format(trying, total_req, num, total, target_to_host(target), '', 'wordpress_dos_cve_2018_6389_vuln')) if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 while 1: try: r = requests.get(target, timeout=timeout_sec, headers=user_agent).content return 0 except: n += 1 if n is retries: if dos_flag: __log_into_file(thread_tmp_filename, 'w', '0', language) info(messages(language, 139).format("wordpress_dos_cve_2018_6389_vuln")) data = json.dumps({'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wordpress_dos_cve_2018_6389_vuln', 'DESCRIPTION': messages(language, 139).format( "wordpress_dos_cve_2018_6389_vuln"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) __log_into_file(log_in_file, 'a', data, language) return 1
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(target) != 'HTTP': new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[ extra_requirement] = methods_args[extra_requirement] extra_requirements = new_extra_requirements if users is None: users = extra_requirements["http_ntlm_brute_users"] if passwds is None: passwds = extra_requirements["http_ntlm_brute_passwds"] if ports is None: ports = extra_requirements["http_ntlm_brute_ports"] if target.lower().startswith('http://') or target.lower().startswith('https://'): pass else: target = 'http://' + str(target) threads = [] total_req = len(users) * len(passwds) thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) curl_tmp_filename = '{}/tmp/ports_tmp_'.format(load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) __log_into_file(curl_tmp_filename, 'w', '', language) trying = 0 keyboard_interrupt_flag = False for port in ports: if check_auth(target, timeout_sec, language, port): continue for user in users: for passwd in passwds: t = threading.Thread(target=login, args=( user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, curl_tmp_filename, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info(messages(language, "trying_message").format(trying, total_req, num, total, target, port, 'http_ntlm_brute')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break if keyboard_interrupt_flag: break if keyboard_interrupt_flag: break # wait for threads kill_switch = 0 kill_time = int( timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() is 1 or kill_switch is kill_time: break except KeyboardInterrupt: break thread_write = int( open(thread_tmp_filename).read().rsplit()[0]) if thread_write is 1 and verbose_level is not 0: data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'http_ntlm_brute', 'DESCRIPTION': messages(language, "no_user_passwords"), 'TIME': now(), 'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n" __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) os.remove(curl_tmp_filename) else: warn(messages(language, "input_target_error").format( 'http_ntlm_brute', target))
def access_log(response): if app.config["OWASP_NETTACKER_CONFIG"]["api_access_log"]: r_log = open(app.config["OWASP_NETTACKER_CONFIG"]["api_access_log_filename"], "ab") # if you need to log POST data # r_log.write( # '{0} [{1}] {2} "{3} {4}" {5} {6} {7}\r\n'.format(flask_request.remote_addr, now(), flask_request.host, # flask_request.method, flask_request.full_path, # flask_request.user_agent, response.status_code, # json.dumps(flask_request.form))) r_log.write('{0} [{1}] {2} "{3} {4}" {5} {6}\r\n'.format(flask_request.remote_addr, now(), flask_request.host, flask_request.method, flask_request.full_path, flask_request.user_agent, response.status_code)) r_log.close() return response
def start( target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd, ): # Main function if ( target_type(target) != "SINGLE_IPv4" or target_type(target) != "DOMAIN" or target_type(target) != "HTTP" or target_type(target) != "SINGLE_IPv6" ): # rand useragent user_agent_list = useragents.useragents() http_methods = ["GET", "HEAD"] user_agent = {"User-agent": random.choice(user_agent_list)} # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement ] extra_requirements = new_extra_requirements if extra_requirements["admin_scan_http_method"][0] not in http_methods: warn(messages(language, "admin_scan_get")) extra_requirements["admin_scan_http_method"] = ["GET"] random_agent_flag = True if extra_requirements["admin_scan_random_agent"][0] == "False": random_agent_flag = False threads = [] total_req = len(extra_requirements["admin_scan_list"]) thread_tmp_filename = "{}/tmp/thread_tmp_".format( load_file_path() ) + "".join( random.choice(string.ascii_letters + string.digits) for _ in range(20) ) __log_into_file(thread_tmp_filename, "w", "1", language) trying = 0 if target_type(target) != "HTTP": target = 'http://' + target if test(str(target), retries, timeout_sec, user_agent, extra_requirements["admin_scan_http_method"][0], socks_proxy, verbose_level, trying, total_req, total, num, language) == 0: keyboard_interrupt_flag = False for idir in extra_requirements["admin_scan_list"]: # time.sleep(0.001) if random_agent_flag: user_agent = {'User-agent': random.choice(user_agent_list)} if target.endswith("/"): target = target[:-1] if idir.startswith("/"): idir = idir[1:] t = threading.Thread(target=check, args=( target + "/" + idir, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, extra_requirements[ "admin_scan_http_method"][0], socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, "trying_message").format( trying, total_req, num, total, target_to_host(target), "default_port", "admin_scan", ) ) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break else: warn(messages(language, "open_error").format(target)) # wait for threads kill_switch = 0 kill_time = ( int(timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1 ) while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() == 1 or kill_switch == kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write == 1: if verbose_level != 0: data = {'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'admin_scan', 'DESCRIPTION': messages(language, "directory_file_404").format(target, "default_port"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd} info(messages(language, "directory_file_404").format( target, "default_port"), log_in_file, "a", data, language, thread_tmp_filename) __log_into_file(log_in_file, 'a', json.dumps(data), language) os.remove(thread_tmp_filename) else: warn( messages(language, "input_target_error").format( "admin_scan", target ) )
def _core_default_config(): return { "language": "en", "verbose_level": 0, "show_version": False, "check_update": False, "log_in_file": "{0}/results_{1}_{2}.html".format( default_paths()["results_path"], now(model="%Y_%m_%d_%H_%M_%S"), "".join(random.choice(string.ascii_lowercase) for x in range(10))), "graph_flag": "d3_tree_v2_graph", "help_menu_flag": False, "targets": None, "targets_list": None, "scan_method": "all", "exclude_method": None, "users": None, "users_list": None, "passwds": None, "passwds_list": None, "ports": None, "timeout_sec": 2.0, "time_sleep": 0.0, "check_ranges": False, "check_subdomains": False, "thread_number": 10, "thread_number_host": 10, "socks_proxy": None, "retries": 3, "ping_flag": False, "methods_args": None, "method_args_list": False, "startup_check_for_update": True, "wizard_mode": False, "profile": None, "start_api": False, "api_host": _api_default_config()["api_host"], "api_port": _api_default_config()["api_port"], "api_debug_mode": _api_default_config()["api_debug_mode"], "api_access_key": _api_default_config()["api_access_key"], "api_client_white_list": _api_default_config()["api_client_white_list"]["enabled"], "api_client_white_list_ips": _api_default_config()["api_client_white_list"]["ips"], "api_access_log": _api_default_config()["api_access_log"]["enabled"], "api_access_log_filename": _api_default_config()["api_access_log"]["filename"], "api_db_name": _api_default_config()["api_db_name"], "home_path": default_paths()["home_path"], "tmp_path": default_paths()["tmp_path"], "results_path": default_paths()["results_path"] }
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type(target) != 'HTTP': # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements if ports is None: ports = extra_requirements["cms_detection_ports"] if target_type(target) == 'HTTP': target = target_to_host(target) threads = [] total_req = len(ports) thread_tmp_filename = '{}/tmp/thread_tmp_'.format( load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 keyboard_interrupt_flag = False for port in ports: port = int(port) t = threading.Thread(target=__cms_detection, args=(target, int(port), timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, "trying_message").format(trying, total_req, num, total, target, port, 'cms_detection_scan')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() is 1: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write is 1 and verbose_level is not 0: info(messages(language, "not_found")) data = json.dumps({ 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'cms_detection_scan', 'DESCRIPTION': messages(language, "not_found"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn( messages(language, "input_target_error").format('cms_detection_scan', target))
def login(user, passwd, target, port, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): exit = 0 flag = 1 if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo while 1: try: paramiko.Transport((target, int(port))) paramiko_logger = logging.getLogger("paramiko.transport") paramiko_logger.disabled = True flag = 0 exit = 0 break except: exit += 1 if exit is retries: warn( messages(language, 76).format(target, str(port), user, passwd)) return 1 time.sleep(time_sleep) if flag is 0: try: ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) if timeout_sec is not None: ssh.connect(hostname=target, username=user, password=passwd, port=int(port), timeout=timeout_sec) else: ssh.connect(hostname=target, username=user, password=passwd, port=int(port)) info(messages(language, 70).format(user, passwd, target, port)) save = open(log_in_file, 'a') save.write( json.dumps({ 'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'ssh_brute', 'DESCRIPTION': messages(language, 66), 'TIME': now(), 'CATEGORY': "brute", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + '\n') save.close() thread_write = open(thread_tmp_filename, 'w') thread_write.write('0') thread_write.close() except: pass else: pass return flag