def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) module = p.get_module() domain = p.get_domain() if 'http' not in module: return resp = None for uri in self.uris: resp = t.http_request(ip, port, uri=uri) if resp: for match in ('C=N;O=D', 'Index of /'): if match in resp.text: self.rule_details = 'Found Open Directory at {}'.format(uri) js_data = { 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_confirm':self.rule_confirm, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation } rds.store_vuln(js_data) break return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return payload = '%0d%0aset-cookie:foo=inserted_by_vulnscannerflask' resp = t.http_request(ip, port, follow_redirects=False, uri='/' + payload) if resp is None: return if 'set-cookie' in resp.headers and 'inserted_by_vulnscannerflask' in resp.headers[ 'set-cookie']: self.rule_details = 'Identified CRLF Injection by inserting a Set-Cookie header' rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): t = Triage() c = ConfParser(conf) p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() product = p.get_product() if not 'F5 BIG-IP' in product or not 'BigIP' in product: return resp = t.http_request(ip, port, uri='/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd') if resp is None: return if 'root:x:0:0' in resp.text: self.rule_details = 'F5 BIGIP Vulnerability - CVE-2020-5902' js_data = { 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_confirm':self.rule_confirm, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = None for uri in self.uris: resp = t.http_request(ip, port, uri=uri + '/.git/HEAD') if resp and resp.text.startswith('ref:'): self.rule_details = 'Identified a git repository at {}'.format( resp.url) rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = t.http_request(ip, port, uri='/xmlrpc.php') if resp is None: return if resp.status_code == 405: self.rule_details = 'Server Allows XMLRPC Connections' js_data = { 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_confirm':self.rule_confirm, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = t.http_request(ip, port, follow_redirects=False, headers={'X-Forwarded-Host': 'www.nerve.local'}) if resp is None: return if 'Location' in resp.headers and resp.headers[ 'Location'] == 'www.nerve.local': self.rule_details = 'Server Redirected to an Arbitrary Location' rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = None for uri in self.uris: resp = t.http_request(ip, port, uri=uri + '/.git/HEAD') if resp and resp.text.startswith('ref:'): self.rule_details = 'Git Path: {}'.format(uri) js_data = { 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_confirm':self.rule_confirm, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = t.http_request(ip, port, uri='/xmlrpc.php') if resp is not None and resp.status_code == 405: self.rule_details = 'Server responded to a GET request at /xmlrpc.php with status code: 405' rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = None for uri in self.uris: resp = t.http_request(ip, port, uri=uri + '/.idea/workspace.xml') if resp: for match in self.rule_match_string: if match in resp.text: self.rule_details = 'Found Intelli IDEA files at {}/.idea/workspace.xml'.format( uri) js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) module = p.get_module() domain = p.get_domain() if 'http' not in module: return for uri, values in self.rule_match_string.items(): app_title = values['title'] resp = t.http_request(ip, port, uri=uri) if resp is not None: for match in values['match']: if match in resp.text: self.rule_details = 'Laravel Misconfiguration - {} at {}'.format( app_title, resp.url) rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = t.http_request(ip, port, uri='/_vti_inf.html') if not resp: return if 'Content-Length' in resp.headers and resp.headers['Content-Length'] == '247': self.rule_details = 'Exposed FrontPage at {}'.format(resp.url) rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() product = p.get_product() if module == 'http' or port in http_ports: resp = t.http_request(ip, port, follow_redirects=False) if resp: form = self.contains_password_form(resp.text) if form: if not resp.url.startswith('https://'): self.rule_details = 'Login Page over HTTP' js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) module = p.get_module() domain = p.get_domain() if 'http' in module: resp = t.http_request(ip, port, uri='/server.js', follow_redirects=False) if resp is None: return for i in self.rule_match_string: if i in resp.text: self.rule_details = 'Identified a NodeJS Leakage Indicator: {}'.format( i) js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = None if domain: resp = t.http_request(domain, port, headers={'Origin':'null'}) else: resp = t.http_request(ip, port, headers={'Origin':'null'}) if resp is None: return if 'Access-Control-Allow-Origin' in resp.headers and resp.headers['Access-Control-Allow-Origin'] == 'null': self.rule_details = 'Remote Server accepted a NULL origin. Header used: "Origin: null"' rds.store_vuln({ 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_confirm':self.rule_confirm, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = t.http_request(ip, port, follow_redirects=False, headers={'X-Forwarded-Host':'112000as0az7s62s9d7.com', 'Host': '112000as0az7s62s9d7.com'}) if resp: if 'Location' in resp.headers and '112000as0az7s62s9d7.com' in resp.headers['Location']: self.rule_details = 'Host header injection' js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() cpe = p.get_cpe() if not cpe: return if not c.get_cfg_allow_inet(): return if 'http' not in module: return if t.has_cves(cpe): self.rule_details = 'List of Vulnerabilities for this version: https://nvd.nist.gov/vuln/search/results?cpe_version={}'.format( cpe) js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): p = ScanParser(port, values) t = Triage() domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = t.http_request(ip, port) for _, val in self.rule_match_string.items(): app_title = val['title'] for match in val['match']: if resp and t.string_in_headers(resp, match): self.rule_details = 'Exposed {} at {}'.format( app_title, resp.url) rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) break return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = t.http_request(ip, port, uri='/') if resp is None: return for app, val in self.rule_match_string.items(): app_title = val['title'] for match in val['match']: if match in resp.text: self.rule_details = 'Identified a default page: {} Indicator: "{}" ({})'.format( resp.url, match, app_title) rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return for uri in self.rule_doc_roots: resp = t.http_request(ip, port, uri=uri) if resp is not None and resp.status_code == 401: if 'WWW-Authenticate' in resp.headers: header = resp.headers['WWW-Authenticate'] if header.startswith('Basic'): self.rule_details = '{} at {}'.format( self.rule_confirm, uri) js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = t.http_request(ip, port, uri='/wp-content/uploads/') if resp and 'Index of /wp-content/uploads' in resp.text: self.rule_details = 'Found Uploads Directory at {}'.format( resp.url) rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if port in ssh_ports and 'ssh' in module.lower(): output = t.run_cmd( 'ssh -o PreferredAuthentications=none -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o NoHostAuthenticationForLocalhost=yes user@"{}" -p "{}"' .format(ip, port)) if output and 'password' in str(output): self.rule_details = 'Server accepts passwords as an authentication option' rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = t.http_request(ip, port) if resp is None: return powered_by_headers = ['X-Powered-By', 'X-AspNet-Version'] for poweredby_header in powered_by_headers: result = t.string_in_headers(resp, poweredby_header) if result: self.rule_details = 'Server is set with "{}" Headers'.format(poweredby_header) rds.store_vuln({ 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_confirm':self.rule_confirm, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() if port != 10043: return resp = t.http_request( ip, port, uri= '/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession' ) if resp is None: return if 'var fgt_lang =' in resp.text: self.rule_details = 'Fortinet SSL VPN CVE-2018-13379 Vulnerability at {}'.format( resp.url) rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = t.http_request(ip, port, uri='/.svn/text-base') if resp and 'Index of /' in resp.text: self.rule_details = 'SVN Repository exposed at {}'.format(resp.url) rds.store_vuln({ 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_confirm':self.rule_confirm, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if 'http' in module: for uri, values in self.rule_match_string.items(): app_name = values['app'] app_title = values['title'] resp = t.http_request(ip, port, uri=uri) if resp is not None: for match in values['match']: if match in resp.text: self.rule_details = 'Exposed {} at {}'.format( app_title, uri) js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) break return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() if not domain: return resp = t.http_request(domain, port) if resp is None: return if resp.status_code == 404 and 'NoSuchBucket' in resp.text: self.rule_details = 'S3 Takeover at {}'.format(domain) js_data = { 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) p = ScanParser(port, values) t = Triage() domain = p.get_domain() module = p.get_module() if 'http' not in module: return resp = t.http_request(ip, port) for app, val in self.rule_match_string.items(): app_name = val['app'] app_title = val['title'] for match in val['match']: if resp and t.string_in_headers(resp, match): self.rule_details = '{} - ({})'.format(app, app_title) js_data = { 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() if port in ssh_ports and t.is_ssh(ip, port): output = t.run_cmd('ssh -o PreferredAuthentications=none -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o NoHostAuthenticationForLocalhost=yes user@"{}" -p "{}"'.format(ip, port)) if output and 'password' in str(output): self.rule_details = p.get_product() js_data = { 'ip':ip, 'port':port, 'domain':domain, 'rule_id':self.rule, 'rule_sev':self.rule_severity, 'rule_desc':self.rule_description, 'rule_confirm':self.rule_confirm, 'rule_details':self.rule_details, 'rule_mitigation':self.rule_mitigation } rds.store_vuln(js_data) return
def check_rule(self, ip, port, values, conf): t = Triage() c = ConfParser(conf) p = ScanParser(port, values) module = p.get_module() domain = p.get_domain() if not c.get_cfg_allow_bf(): return if 'http' not in module: return usernames = c.get_cfg_usernames() + known_users passwords = c.get_cfg_passwords() + known_weak for uri in self.rule_doc_roots: resp = t.http_request(ip, port, uri=uri) if resp is not None and resp.status_code == 401: if 'WWW-Authenticate' in resp.headers and resp.headers[ 'WWW-Authenticate'].startswith('Basic'): for username in usernames: for password in passwords: auth_attempt = requests.get(resp.url, auth=HTTPBasicAuth( username, password)) if auth_attempt is not None and auth_attempt.status_code == 200: self.rule_details = 'Basic Authentication Credentials are set to {}:{} at {}'.format( username, password, uri) rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return
def check_rule(self, ip, port, values, conf): c = ConfParser(conf) t = Triage() p = ScanParser(port, values) domain = p.get_domain() module = p.get_module() if not c.get_cfg_allow_bf(): return if port != 3306 or 'mysql' not in module: return usernames = c.get_cfg_usernames() + known_users passwords = c.get_cfg_passwords() + known_weak for username in usernames: for password in passwords: if self.mysql_attack(ip, username, password): self.rule_details = 'MySQL Credentials are set to: {}:{}'.format( username, password) rds.store_vuln({ 'ip': ip, 'port': port, 'domain': domain, 'rule_id': self.rule, 'rule_sev': self.rule_severity, 'rule_desc': self.rule_description, 'rule_confirm': self.rule_confirm, 'rule_details': self.rule_details, 'rule_mitigation': self.rule_mitigation }) return