def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() if port in ssh_ports and t.is_ssh(ip, port): output = t.run_cmd('ssh -o PreferredAuthentications=none -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o NoHostAuthenticationForLocalhost=yes user@"{}" -p "{}"'.format(ip, port)) if output and 'password' in str(output): self.rule_details = p.get_product() js_data = { 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_confirm':self.rule_confirm, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): t = Triage() c = ConfParser(conf) p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() product = p.get_product() if 'http' not in module: return resp = t.http_request(ip, port, uri='/.svn/text-base') if resp and 'Index of /' in resp.text: self.rule_details = 'SVN Repository exposed at /.svn/text-base' js_data = { 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_confirm':self.rule_confirm, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() product = p.get_product() if module == 'http' or port in http_ports: resp = t.http_request(ip, port, follow_redirects=False) if resp: form = self.contains_password_form(resp.text) if form: if not resp.url.startswith('https://'): self.rule_details = 'Login Page over HTTP' js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() product = p.get_product() if port in self.rule_match_port: try: ftp = FTP(ip) res = ftp.login() if res: if '230' in res or 'user logged in' in res or 'successful' in res: self.rule_details = 'FTP with Anonymous Access Enabled' js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) except: pass return
def check_rule(self, ip, port, values, conf): t = Triage() c = ConfParser(conf) p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() product = p.get_product() if not 'F5 BIG-IP' in product or not 'BigIP' in product: return resp = t.http_request(ip, port, uri='/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd') if resp is None: return if 'root:x:0:0' in resp.text: self.rule_details = 'F5 BIGIP Vulnerability - CVE-2020-5902' js_data = { 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_confirm':self.rule_confirm, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) module = p.get_module() domain = p.get_domain() product = p.get_product() if 'ssh' in module or 'ssh' in product.lower(): if port != 22: self.rule_details = 'SSH is hidden behind port {}'.format(port) js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): t = Triage() c = ConfParser(conf) p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() product = p.get_product() if 'http' not in module: return resp = t.http_request(ip, port) if resp is None: return server_header = resp.headers.get('Server', None) if not server_header or 'nginx' not in server_header.lower(): return content_length = resp.headers.get('Content-Length', 0) bytes_length = int(content_length) + 623 content_length = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length) resp = t.http_request(ip, port, headers={'Range': content_length}) if resp is None: return if resp.status_code == 206 and 'Content-Range' in resp.text: self.rule_details = 'Nginx Integer Overflow' js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() product = p.get_product() if 'http' not in module: return resp = None random_origin = self.randomize_origin() if domain: resp = t.http_request(domain, port, headers={'Origin': random_origin}) else: resp = t.http_request(ip, port, headers={'Origin': random_origin}) if resp is None: return if 'Access-Control-Allow-Origin' in resp.headers and resp.headers[ 'Access-Control-Allow-Origin'] == random_origin: self.rule_details = 'Header used: "Origin: {}"'.format( random_origin) js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() product = p.get_product() if 'http' not in module: return resp = None if domain: resp = t.http_request(domain, port) else: resp = t.http_request(ip, port) if resp is None: return for header, value in resp.headers.items(): if header.lower( ) == 'access-control-allow-origin' and value == '*': self.rule_details = 'Access-Control-Allow-Origin is set to: *' js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return return
def check_rule(self, ip, port, values, conf): t = Triage() c = ConfParser(conf) p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() product = p.get_product() if port != 10043: return resp = t.http_request( ip, port, uri= '/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession' ) if resp is None: return if 'var fgt_lang =' in resp.text: self.rule_details = 'Fortinet SSL VPN ({})'.format(port) js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() product = p.get_product() if 'http' not in module: return resp = t.http_request(ip, port) if resp is None: return powered_by_headers = ['X-Powered-By', 'X-AspNet-Version'] for poweredby_header in powered_by_headers: result = t.string_in_headers(resp, poweredby_header) if result: self.rule_details = '{}:{}'.format( poweredby_header, resp.headers.get(poweredby_header, None)) js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): p = ScanParser(port, values) module = p.get_module() domain = p.get_domain() product = p.get_product() if 'ssh' in module or 'ssh' in product.lower(): if port != 22: self.rule_details = 'Server is hiding SSH behind remote port: {}'.format( port) rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return