Exemplo n.º 1
0
def run(db, tool=None, scope_type=None):

    results = []
    Port = PortRepository(db)

    ports = Port.all(service_name="http", tool=tool)
    ports += Port.all(service_name="https", tool=tool)

    for p in ports:

        if (p.ip_address and
            (scope_type == "active" and p.ip_address.in_scope == True) or
            (scope_type == "passive" and p.ip_address.passive_scope == True)
                or not scope_type):

            domain_list = [d.domain for d in p.ip_address.domains]

            results.append(
                "%s://%s:%s" %
                (p.service_name, p.ip_address.ip_address, p.port_number))
            for d in domain_list:
                results.append("%s://%s:%s" %
                               (p.service_name, d, p.port_number))

    return sort_by_url(results)
Exemplo n.º 2
0
	def __init__(self, db):
		self.db = db
		self.BaseDomain = BaseDomainRepository(db, self.name)
		self.Domain = DomainRepository(db, self.name)
		self.IPAddress = IPRepository(db, self.name)
		self.Port = PortRepository(db, self.name)
		self.Vulnerability = VulnRepository(db, self.name)
		self.CVE = CVERepository(db, self.name)
Exemplo n.º 3
0
class Module(ModuleTemplate):
    
    name = "HeaderScanner"

    def __init__(self, db):
        self.db = db
        self.Port = PortRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument('-t', '--timeout', help='Connection timeout (default 5)', default="5")
        self.options.add_argument('-u', '--url', help="URL to get headers")
        self.options.add_argument('-i', '--import_db', help="Import URLs from the database", action="store_true")
        self.options.add_argument('-th', '--threads', help="Number of threads to run", default="10")

    def run(self, args):
        
        if args.import_db:
            

            svc = self.Port.all(service_name='http')
            svc += self.Port.all(service_name='https')

            data = []

            for s in svc:

                urls = ["%s://%s:%s" % (s.service_name, s.ip_address.ip_address, s.port_number)]

                for d in s.ip_address.domains:
                    urls.append("%s://%s:%s" % (s.service_name, d.domain, s.port_number))

                data.append([s.id, urls, args.timeout])                
            
            pool = ThreadPool(int(args.threads))

            results = pool.map(process_urls, data)
            print("Adding data to the database")
            for i, headers in results:
                created, svc = self.Port.find_or_create(id=i)
                svc.meta['headers'] = headers
                svc.update()

            
            self.Port.commit()
Exemplo n.º 4
0
class Report(ReportTemplate):
    '''
    This report displays all of the certificates
    from https boxes.
    '''

    markdown = ['###', '`']

    name = "CertReport"

    def __init__(self, db):
        self.Port = PortRepository(db)

    def set_options(self):
        super(Report, self).set_options()
        self.options.add_argument('-t', '--tool', help="Source tool")

    def run(self, args):

        results = []
        services = self.Port.all(name='https')
        certs = {}
        for s in services:
            if s.passive_scope:
                if s.meta.get('sslcert', False):
                    for k in s.meta['sslcert'].keys():
                        cert = s.meta['sslcert'][k]
                        # pdb.set_trace()
                        if not certs.get(cert, False):
                            certs[cert] = []

                        certs[cert].append(k + ':' + str(s.port_number))

        for k in certs.keys():
            results.append(', '.join(sorted(list(set(certs[k])))))
            for l in k.split('\n'):
                results.append('\t' + l)

        self.process_output(results, args)
Exemplo n.º 5
0
class Module(ModuleTemplate):
    '''
    Runs nmap on all web hosts to pull certs and add them to the database
    '''
    name = "NmapCertScan"

    def __init__(self, db):
        self.db = db
        self.Port = PortRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument('-t',
                                  '--threads',
                                  help="Number of threads",
                                  default="1")
        self.options.add_argument(
            '-o',
            '--output_path',
            help=
            "Path which will contain program output (relative to base_path in config",
            default=self.name)
        self.options.add_argument(
            '-s',
            '--rescan',
            help="Rescan domains that have already been scanned",
            action="store_true")

    def run(self, args):

        if not args.binary:
            self.binary = which.run('nmap')

        else:
            self.binary = which.run(args.binary)

        if not self.binary:
            print(
                "nmap binary not found. Please explicitly provide path with --binary"
            )

        if args.rescan:
            services = self.Port.all(service_name='https')
        else:
            services = self.Port.all(tool=self.name, service_name='https')

        self.process_services(services, args)

    def process_services(self, services, args):

        if args.output_path[0] == "/":
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path[1:])
        else:
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path)

        if not os.path.exists(output_path):
            os.makedirs(output_path)

        cmds = []

        for s in services:
            ip = s.ip_address.ip_address
            domains = [d.domain for d in s.ip_address.domains]
            port = s.port_number

            hosts = [ip] + domains

            for h in hosts:

                file_path = os.path.join(output_path,
                                         "%s_%s-ssl.xml" % (h, port))

                command_args = " -p %s " % port

                command_args += " --script=ssl-cert -oX %s " % file_path

                cmds.append(shlex.split(self.binary + command_args + h))

        pool = ThreadPool(int(args.threads))

        # res = subprocess.Popen(cmd).wait()

        pool.map(scan_hosts, cmds)

        for s in services:

            p = s.ip_address.ip_address
            domains = [d.domain for d in s.ip_address.domains]
            port = s.port_number

            hosts = [ip] + domains

            data = {}

            for h in hosts:
                # pdb.set_trace()
                print("Processing %s" % file_path)
                file_path = os.path.join(output_path,
                                         "%s_%s-ssl.xml" % (h, port))

                try:
                    xmldata = xmltodict.parse(open(file_path).read())

                    cert = xmldata['nmaprun']['host']['ports']['port'][
                        'script']['@output']

                    if cert:
                        data[h] = cert

                except:
                    print("File not valid: %s" % file_path)
            # pdb.set_trace()
            s.meta['sslcert'] = data
            s.update()

        self.Port.commit()
Exemplo n.º 6
0
class Module(ToolTemplate):

    name = "SSLScan"
    binary_name = "sslscan"

    def __init__(self, db):
        self.db = db
        self.Domain = DomainRepository(db, self.name)
        self.IPAddress = IPRepository(db, self.name)
        self.Port = PortRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument("-ho",
                                  "--host",
                                  help="Host to scan (host:port)")
        self.options.add_argument("-f",
                                  "--file",
                                  help="Import hosts from file")
        self.options.add_argument(
            "-i",
            "--import_database",
            help="Import hosts from database",
            action="store_true",
        )
        self.options.add_argument(
            "-s",
            "--rescan",
            help="Rescan domains that have already been scanned",
            action="store_true",
        )

    def get_targets(self, args):

        targets = []
        if args.host:
            targets.append(args.host)

        elif args.file:
            hosts = open(args.file).read().split("\n")
            for h in hosts:
                if h:
                    targets.append(h)

        elif args.import_database:

            hosts = []
            svc = []

            if args.rescan:

                for p in [
                        "https", "ftps", "imaps", "sip-tls", "imqtunnels",
                        "smtps"
                ]:
                    svc += [
                        (s, "")
                        for s in self.Port.all(service_name=p, status="open")
                        if s.ip_address.in_scope
                    ]
                for p in [
                        "ftp",
                        "imap",
                        "irc",
                        "ldap",
                        "pop3",
                        "smtp",
                        "mysql",
                        "xmpp",
                        "psql",
                ]:
                    svc += [
                        (s, "--starttls-%s" % p)
                        for s in self.Port.all(service_name=p, status="open")
                        if s.ip_address.in_scope
                    ]
            else:
                for p in [
                        "https", "ftps", "imaps", "sip-tls", "imqtunnels",
                        "smtps"
                ]:
                    svc += [(s, "") for s in self.Port.all(
                        tool=self.name, service_name=p, status="open")
                            if s.ip_address.in_scope]
                for p in [
                        "ftp",
                        "imap",
                        "irc",
                        "ldap",
                        "pop3",
                        "smtp",
                        "mysql",
                        "xmpp",
                        "psql",
                ]:
                    svc += [(s, "--starttls-%s" % p) for s in self.Port.all(
                        tool=self.name, service_name=p, status="open")
                            if s.ip_address.in_scope]

            for s, option in svc:

                port_number = s.port_number
                ip_address = s.ip_address.ip_address

                targets.append({
                    "target": "%s:%s" % (ip_address, port_number),
                    "option": option
                })

                for d in s.ip_address.domains:
                    targets.append({
                        "target": "%s:%s" % (d.domain, port_number),
                        "option": option
                    })

        for t in targets:
            if args.output_path[0] == "/":
                output_path = os.path.join(
                    self.base_config["PROJECT"]["base_path"],
                    args.output_path[1:])
            else:
                output_path = os.path.join(
                    self.base_config["PROJECT"]["base_path"], args.output_path)

            if not os.path.exists(output_path):
                os.makedirs(output_path)

            output_path = os.path.join(
                output_path,
                "{}-sslscan.xml".format(t["target"].replace(":", "_")))
            t["output"] = output_path

        return targets

    def build_cmd(self, args):

        cmd = self.binary + " --xml={output} {option} {target} "

        if args.tool_args:
            cmd += args.tool_args

        return cmd
Exemplo n.º 7
0
class Module(ModuleTemplate):

    name = "SSLScan"

    def __init__(self, db):
        self.db = db
        self.Domain = DomainRepository(db, self.name)
        self.IPAddress = IPRepository(db, self.name)
        self.Port = PortRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument('-ho',
                                  '--host',
                                  help="Host to scan (host:port)")
        self.options.add_argument('-f',
                                  '--file',
                                  help="Import hosts from file")
        self.options.add_argument('-i',
                                  '--import_database',
                                  help="Import hosts from database",
                                  action="store_true")
        self.options.add_argument('-t',
                                  '--threads',
                                  help='Number of threads to run',
                                  default="1")
        self.options.add_argument(
            '-o',
            '--output_path',
            help=
            "Path which will contain program output (relative to base_path in config",
            default="sslscan")
        self.options.add_argument(
            '-s',
            '--rescan',
            help="Rescan domains that have already been scanned",
            action="store_true")

    def run(self, args):

        self.args = args
        if not args.binary:
            self.binary = which.run('sslscan')

        else:
            self.binary = which.run(args.binary)

        if not self.binary:
            print(
                "sslscan binary not found. Please explicitly provide path with --binary"
            )

        if args.host:

            self.process_host(args.host)

        elif args.file:
            hosts = open(args.file).read().split('\n')
            for h in hosts:
                if h:
                    self.process_host(h)

        elif args.import_database:

            hosts = []
            svc = []

            for p in [
                    'https', 'ftps', 'imaps', 'sip-tls', 'imqtunnels', 'smtps'
            ]:
                svc += [(s, "")
                        for s in self.Port.all(tool=self.name, service_name=p)]
            for p in [
                    'ftp', 'imap', 'irc', 'ldap', 'pop3', 'smtp', 'mysql',
                    'xmpp', 'psql'
            ]:
                svc += [(s, "--starttls-%s" % p)
                        for s in self.Port.all(tool=self.name, service_name=p)]

            for s, option in svc:

                port_number = s.port_number
                ip_address = s.ip_address.ip_address

                hosts.append(("%s:%s" % (ip_address, port_number), option))

                for d in s.ip_address.domains:
                    hosts.append(("%s:%s" % (d.domain, port_number), option))

            self.process_hosts(hosts)

    def process_host(self, host):

        args = self.args
        if args.output_path[0] == "/":
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path[1:])
        else:
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path)

        if not os.path.exists(output_path):
            os.makedirs(output_path)

        xml_path = os.path.join(output_path,
                                "%s-sslscan.xml" % host.replace(':', '_'))

        command_args = " --xml=%s " % xml_path

        cmd = shlex.split(self.binary + command_args + host)
        print("Executing: %s" % ' '.join(cmd))

        res = subprocess.Popen(cmd).wait()

    def process_hosts(self, hosts):
        args = self.args
        if args.output_path[0] == "/":
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path[1:])
        else:
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path)

        if not os.path.exists(output_path):
            os.makedirs(output_path)

        commands = []
        for host, option in hosts:
            xml_path = os.path.join(output_path,
                                    "%s-sslscan.xml" % host.replace(':', '_'))

            command_args = " --xml=%s " % xml_path

            cmd = shlex.split(self.binary + command_args + " %s " % option +
                              host)

            commands.append(cmd)

        pool = ThreadPool(int(args.threads))

        pool.map(run_cmd, commands)
Exemplo n.º 8
0
class Module(ModuleTemplate):

    name = "Nessus"

    def __init__(self, db):
        self.db = db
        self.BaseDomain = BaseDomainRepository(db, self.name)
        self.Domain = DomainRepository(db, self.name)
        self.IPAddress = IPRepository(db, self.name)
        self.Port = PortRepository(db, self.name)
        self.Vulnerability = VulnRepository(db, self.name)
        self.CVE = CVERepository(db, self.name)
        self.ScopeCIDR = ScopeCIDRRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()
        self.options.add_argument(
            "--import_file",
            help="Import separated Nessus files separated by a space. DO NOT USE QUOTES OR COMMAS",
            nargs="+",
        )
        self.options.add_argument(
            "--interactive",
            help="Prompt to store domains not in Base Domains already",
            action="store_true",
        )
        self.options.add_argument(
            "--internal",
            help="Store domains not in Base Domains already",
            action="store_true",
        )
        self.options.add_argument(
            "--launch",
            help="Launch Nessus scan using Actively scoped IPs and domains in the database",
            action="store_true",
        )
        self.options.add_argument(
            "--job_name", help="Job name inside Nessus", default="Armory Job"
        )
        self.options.add_argument("--username", help="Nessus Username")
        self.options.add_argument("--password", help="Nessus Password")
        self.options.add_argument(
            "--host", help="Hostname:Port of Nessus web interface (ie localhost:8835"
        )
        self.options.add_argument("--uuid", help="UUID of Nessus Policy to run")
        self.options.add_argument("--policy_id", help="Policy ID to use")
        self.options.add_argument("--folder_id", help="ID for folder to store job in")
        self.options.add_argument(
            "--download",
            help="Download Nessus job from server and import",
            action="store_true",
        )
        self.options.add_argument("--job_id", help="Job ID to download and import")
        self.options.add_argument(
            "--output_path",
            help="Path to store downloaded file (Default: Nessus)",
            default=self.name,
        )

    def run(self, args):
        if args.import_file:
            for nFile in args.import_file:
                self.process_data(nFile, args)
        elif args.launch:
            if (
                not args.username
                and not args.password
                and not args.host
                and not args.uuid
                and not args.policy_id
                and not args.folder_id
            ):
                display_error(
                    "You must supply a username, password, and host to launch a Nessus job"
                )

            else:
                n = NessusRequest(
                    args.username,
                    args.password,
                    args.host,
                    uuid=args.uuid,
                    policy_id=args.policy_id,
                    folder_id=args.folder_id,
                )

                ips = [
                    ip.ip_address
                    for ip in self.IPAddress.all(scope_type="active", tool=self.name)
                ]
                cidrs = [cidr.cidr for cidr in self.ScopeCIDR.all(tool=self.name)]
                domains = [
                    domain.domain
                    for domain in self.Domain.all(scope_type="active", tool=self.name)
                ]
                targets = ", ".join(merge_ranges(ips + cidrs) + domains)

                res = n.launch_job(targets, args.job_name)
                display("New Nessus job launched with ID {}".format(res))
                display(
                    "Remember this number! You'll need it to download the job once it is done."
                )

        elif args.download:
            if (
                not args.username
                and not args.password
                and not args.host
                and not args.job_id
            ):
                display_error(
                    "You must supply host, username, password and job_id to download a report to import"
                )

            else:
                n = NessusRequest(
                    args.username,
                    args.password,
                    args.host,
                    proxies={"https": "127.0.0.1:8080"},
                )

                if args.output_path[0] == "/":
                    output_path = os.path.join(
                        self.base_config["PROJECT"]["base_path"], args.output_path[1:]
                    )
                else:
                    output_path = os.path.join(
                        self.base_config["PROJECT"]["base_path"], args.output_path
                    )

                if not os.path.exists(output_path):
                    os.makedirs(output_path)
                output_path = os.path.join(
                    output_path, "Nessus-export-{}.nessus".format(int(time.time()))
                )
                n.export_file(args.job_id, output_path)

                self.process_data(output_path, args)

    def nessCheckPlugin(self, tag):
        nessPlugins = [
            "10759",
            "77026",
            "20089",
            "56984",
            "71049",
            "70658",
            "40984",
            "11411",
        ]

        pluginID = tag.get("pluginID")

        if pluginID in nessPlugins:
            # print pluginID + " is in the list"
            if pluginID == "10759":
                if tag.find("plugin_output") is not None:
                    return (
                        tag.find("plugin_output").text.split("\n\n")[3].strip()
                    )  # returns IP for Web Server HTTP Header INternal IP disclosure
                else:
                    return ""

            if pluginID == "77026":
                if tag.find("plugin_output") is not None:
                    return (
                        tag.find("plugin_output").text.split("\n\n")[3].strip()
                    )  # Microsoft Exchange Client Access Server Information Disclosure (IP addy)
                else:
                    return ""

            if pluginID == "71049" or pluginID == "70658":
                output = ""
                if tag.find("plugin_output") is not None:
                    tmp = tag.find("plugin_output").text.split(":")[
                        1
                    ]  # SSH Weak MAC & CBC Algorithms Enabled
                    # print "#"*5
                    tmp = tmp.split("\n\n")[1].replace("  ", "")
                    # print "#"*5
                    output = tmp.split("\n")
                    # print ", ".join(output)
                return ", ".join(output)

            if pluginID == "56984":
                if tag.find("plugin_output") is not None:
                    tmp = (
                        tag.find("plugin_output")
                        .text.split("This port supports ")[1]
                        .strip()
                    )  # SSL / TLS Versions Supported
                    tmp = tmp.split("/")
                    bad = []
                    for i in tmp:
                        # print i
                        if "SSLv" in i:
                            bad.append(i)
                        elif "TLSv1.0" in i:
                            bad.append(i)
                    if bad != []:
                        return ", ".join(bad).rstrip(".")
                    else:
                        return ""
                else:
                    return ""

            if pluginID == "40984":  # browsable web dirs
                if tag.find("plugin_output") is not None:
                    tmp = (
                        tag.find("plugin_output")
                        .text.split("The following directories are browsable :")[1]
                        .strip()
                    )
                    directories = tmp.split("\n")

                    return "\n".join(directories)

            if pluginID == "11411":  # Backup Files Disclosure
                if tag.find("plugin_output") is not None:
                    urls = []
                    tmp = (
                        tag.find("plugin_output")
                        .text.split(
                            "It is possible to read the following backup files :"
                        )[1]
                        .strip()
                    )
                    tmpUrls = tmp.split("\n")
                    for url in tmpUrls:
                        if "URL" in url:
                            urls.append(url.split(":")[1].lstrip())
                    if urls:
                        return "\n".join(urls)
                    else:
                        return ""

            if pluginID == "20089":  # F5 cookie
                if tag.find("plugin_output") is not None:
                    f5Output = []
                    cookieVal = []
                    output = tag.find("plugin_output").text.strip().split("\n")
                    for line in output:
                        # print line
                        line = line.split(":")
                        for i, item in enumerate(line):
                            item = item.strip()
                            if "Cookie" in item:
                                cabbage = line.pop(i)
                                tmp = line.pop(i)
                                tmp.strip()
                                cookieVal.append(tmp)
                            else:
                                item = "".join(item)
                                f5Output.append(item)

                    f5Output = " : ".join(f5Output)
                    f5Output = f5Output.replace(" :  : ", ", ")
                    f5Output += " [" + ", ".join(cookieVal) + "]"
                    c = 0
                    tmpF5Output = f5Output.split()
                    for i, letter in enumerate(tmpF5Output):
                        if letter == ":":
                            c += 1
                            if (c % 2) == 0:
                                tmpF5Output[i] = " "
                                return "".join(tmpF5Output).replace("[", " [")
                else:

                    return ""
        else:

            return False

    def getVulns(self, ip, ReportHost):
        """Gets vulns and associated services"""
        for tag in ReportHost.iter("ReportItem"):
            exploitable = False
            cves = []
            vuln_refs = {}
            proto = tag.get("protocol")
            port = tag.get("port")
            svc_name = tag.get("svc_name").replace("?", "")

            tmpPort = proto + "/" + port
            if tmpPort.lower() == "tcp/443":
                portName = "https"
            elif tmpPort.lower() == "tcp/80":
                portName = "http"
            elif svc_name == "www":
                plugin_name = tag.get("pluginName")
                if "tls" in plugin_name.lower() or "ssl" in plugin_name.lower():
                    portName = "https"
                else:
                    portName = "http"
            else:
                portName = svc_name

            if "general" not in portName:
                created, db_port = self.Port.find_or_create(
                    port_number=port, status="open", proto=proto, ip_address_id=ip.id
                )

                if db_port.service_name == "http":
                    if portName == "https":
                        db_port.service_name = portName
                elif db_port.service_name == "https":
                    pass
                else:
                    db_port.service_name = portName
                db_port.save()

                if tag.get("pluginID") == "56984":
                    severity = 1
                elif tag.get("pluginID") == "11411":
                    severity = 3
                else:
                    severity = int(tag.get("severity"))

                findingName = tag.get("pluginName")
                description = tag.find("description").text

                if tag.find("solution") is not None and tag.find("solution") != "n/a":
                    solution = tag.find("solution").text
                else:
                    solution = "No Remediation From Nessus"

                nessCheck = self.nessCheckPlugin(tag)

                if nessCheck:
                    if not db_port.info:
                        db_port.info = {findingName: nessCheck}
                    else:
                        db_port.info[findingName] = nessCheck

                    db_port.save()

                if tag.find("exploit_available") is not None:
                    # print "\nexploit avalable for", findingName
                    exploitable = True

                metasploits = tag.findall("metasploit_name")
                if metasploits:
                    vuln_refs["metasploit"] = []
                    for tmp in metasploits:
                        vuln_refs["metasploit"].append(tmp.text)

                edb_id = tag.findall("edb-id")
                if edb_id:
                    vuln_refs["edb-id"] = []
                    for tmp in edb_id:
                        vuln_refs["edb-id"].append(tmp.text)

                tmpcves = tag.findall("cve")
                for c in tmpcves:
                    if c.text not in cves:
                        cves.append(c.text)

                if not self.Vulnerability.find(name=findingName):
                    created, db_vuln = self.Vulnerability.find_or_create(
                        name=findingName,
                        severity=severity,
                        description=description,
                        remediation=solution,
                    )
                    db_vuln.ports.append(db_port)
                    db_vuln.exploitable = exploitable
                    if exploitable == True:
                        print("\nexploit avalable for", findingName)
                        print()
                    if vuln_refs:
                        db_vuln.exploit_reference = vuln_refs

                else:
                    db_vuln = self.Vulnerability.find(name=findingName)
                    db_vuln.ports.append(db_port)
                    db_vuln.exploitable = exploitable
                    if vuln_refs:
                        if db_vuln.exploit_reference is not None:
                            for key in vuln_refs.keys():
                                if key not in db_vuln.exploit_reference.keys():
                                    db_vuln.exploit_reference[key] = vuln_refs[key]
                                else:
                                    for ref in vuln_refs[key]:
                                        if ref not in db_vuln.exploit_reference[key]:
                                            db_vuln.exploit_reference[key].append(ref)
                        else:
                            db_vuln.exploit_reference = vuln_refs

                for cve in cves:
                    if not self.CVE.find(name=cve):
                        # print "Gathering CVE information for", cve
                        try:
                            res = json.loads(
                                requests.get(
                                    "http://cve.circl.lu/api/cve/%s" % cve
                                ).text
                            )
                            cveDescription = res["summary"]
                            cvss = float(res["cvss"])

                        except:
                            cveDescription = None
                            cvss = None

                        if not self.CVE.find(name=cve):
                            created, db_cve = self.CVE.find_or_create(
                                name=cve,
                                description=cveDescription,
                                temporal_score=cvss,
                            )
                            db_cve.vulnerabilities.append(db_vuln)
                        else:
                            db_cve = self.CVE.find(name=cve)
                            if (
                                db_cve.description is None
                                and cveDescription is not None
                            ):
                                db_cve.description = cveDescription
                            if db_cve.temporal_score is None and cvss is not None:
                                db_cve.temporal_score = cvss
                            db_cve.vulnerabilities.append(db_vuln)

    def process_data(self, nFile, args):
        print("Reading", nFile)
        tree = ET.parse(nFile)
        root = tree.getroot()
        skip = []
        for ReportHost in root.iter("ReportHost"):
            os = []
            hostname = ""
            hostIP = ""
            for HostProperties in ReportHost.iter("HostProperties"):
                for tag in HostProperties:
                    if tag.get("name") == "host-ip":
                        hostIP = tag.text

                    if tag.get("name") == "host-fqdn":
                        hostname = tag.text.lower()
                        hostname = hostname.replace("www.", "")

                    if tag.get("name") == "operating-system":
                        os = tag.text.split("\n")

            if hostIP:  # apparently nessus doesn't always have an IP to work with...

                if hostname:
                    display(
                        "Gathering Nessus info for {} ( {} )".format(hostIP, hostname)
                    )
                else:
                    display("Gathering Nessus info for {}".format(hostIP))

                created, ip = self.IPAddress.find_or_create(ip_address=hostIP)

                if hostname:
                    if not args.internal:

                        created, domain = self.Domain.find_or_create(domain=hostname)

                        if ip not in domain.ip_addresses:
                            ip.save()
                            domain.ip_addresses.append(ip)
                            domain.save()

                    else:
                        created, domain = self.Domain.find_or_create(domain=hostname)

                        if ip not in domain.ip_addresses:
                            domain.ip_addresses.append(ip)
                            domain.update()

                if os:
                    for o in os:
                        if not ip.OS:
                            ip.OS = o
                        else:
                            if o not in ip.OS.split(" OR "):
                                ip.OS += " OR " + o

                self.getVulns(ip, ReportHost)
                self.IPAddress.commit()

        return
Exemplo n.º 9
0
 def __init__(self, db):
     self.db = db
     self.IPAddress = IPRepository(db, self.name)
     self.Domain = DomainRepository(db, self.name)
     self.Port = PortRepository(db, self.name)
     self.Url = UrlRepository(db, self.name)
Exemplo n.º 10
0
 def __init__(self, db):
     self.db = db
     self.Port = PortRepository(db, self.name)
Exemplo n.º 11
0
class Module(ModuleTemplate):

    name = "HeaderScanner"

    def __init__(self, db):
        self.db = db
        self.Port = PortRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument("-t",
                                  "--timeout",
                                  help="Connection timeout (default 5)",
                                  default="5")
        self.options.add_argument("-u", "--url", help="URL to get headers")
        self.options.add_argument(
            "-i",
            "--import_db",
            help="Import URLs from the database",
            action="store_true",
        )
        self.options.add_argument("-th",
                                  "--threads",
                                  help="Number of threads to run",
                                  default="10")
        self.options.add_argument("--rescan",
                                  help="Rescan URLs already processed",
                                  action="store_true")

    def run(self, args):

        if args.import_db:

            if args.rescan:
                svc = self.Port.all(service_name="http")
                svc += self.Port.all(service_name="https")
            else:
                svc = self.Port.all(service_name="http", tool=self.name)
                svc += self.Port.all(service_name="https", tool=self.name)
            data = []

            for s in svc:
                if s.ip_address.in_scope:
                    urls = [
                        "%s://%s:%s" % (s.service_name,
                                        s.ip_address.ip_address, s.port_number)
                    ]

                    for d in s.ip_address.domains:
                        urls.append("%s://%s:%s" %
                                    (s.service_name, d.domain, s.port_number))

                    data.append([s.id, urls, args.timeout])

            pool = ThreadPool(int(args.threads))

            results = pool.map(process_urls, data)
            display_new("Adding headers to the database")
            for i, headers, cookies in results:
                created, svc = self.Port.find_or_create(id=i)

                svc.meta["headers"] = headers

                svc.meta["cookies"] = cookies
                svc.update()

            self.Port.commit()
Exemplo n.º 12
0
class Module(ModuleTemplate):

    name = "Hydra"

    def __init__(self, db):
        self.db = db
        self.Domain = DomainRepository(db, self.name)
        self.IPAddress = IPRepository(db, self.name)
        self.Port = PortRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument('-ho',
                                  '--host',
                                  help="Host to scan (host:port)")
        self.options.add_argument('-f',
                                  '--file',
                                  help="Import hosts from file")

        self.options.add_argument('-t',
                                  '--threads',
                                  help='Number of threads to run',
                                  default="1")
        self.options.add_argument(
            '-o',
            '--output_path',
            help=
            "Path which will contain program output (relative to base_path in config",
            default="hydra")
        self.options.add_argument(
            '-s',
            '--rescan',
            help="Rescan domains that have already been scanned",
            action="store_true")

        self.options.add_argument(
            '--scan_defaults',
            help="Pull hosts out of database and scan default passwords",
            action="store_true")
        self.options.add_argument('--ftp_wordlist',
                                  help="Wordlist for FTP services")
        self.options.add_argument('--telnet_wordlist',
                                  help="Wordlist for Telnet")
        self.options.add_argument('--email_wordlist',
                                  help="Wordlist for email (smtp, pop3, imap)")
        self.options.add_argument('--ssh_wordlist', help="Wordlist for SSH")
        self.options.add_argument('--vnc_wordlist', help="Wordlist for VNC")

    def run(self, args):

        self.args = args
        if not args.binary:
            self.binary = which.run('hydra')

        else:
            self.binary = which.run(args.binary)

        if not self.binary:
            print(
                "hydra binary not found. Please explicitly provide path with --binary"
            )

        if args.host:

            self.process_host(args.host)

        elif args.file:
            hosts = open(args.file).read().split('\n')
            for h in hosts:
                if h:
                    self.process_host(h)

        elif args.scan_defaults:

            lists = {}
            # pdb.set_trace()
            if args.ftp_wordlist:
                for p in ['ftps', 'ftp']:
                    lists[args.ftp_wordlist] = [
                        s
                        for s in self.Port.all(tool=self.name, service_name=p)
                    ]

            if args.telnet_wordlist:
                for p in ['telnet']:
                    lists[args.telnet_wordlist] = [
                        s
                        for s in self.Port.all(tool=self.name, service_name=p)
                    ]

            if args.email_wordlist:
                for p in ['smtps', 'smtp', 'pop3', 'pop3s', 'imap', 'imaps']:
                    lists[args.email_wordlist] = [
                        s
                        for s in self.Port.all(tool=self.name, service_name=p)
                    ]

            if args.ssh_wordlist:
                for p in ['ssh']:
                    lists[args.ssh_wordlist] = [
                        s
                        for s in self.Port.all(tool=self.name, service_name=p)
                    ]

            if args.vnc_wordlist:
                for p in ['vnc']:
                    lists[args.vnc_wordlist] = [
                        s
                        for s in self.Port.all(tool=self.name, service_name=p)
                    ]

            hosts = []
            for k in lists.keys():
                for s in lists[k]:

                    port_number = s.port_number
                    ip_address = s.ipaddress.ip_address
                    name = s.service_name

                    hosts.append("%s://%s:%s|%s" %
                                 (name, ip_address, port_number, k))

            self.process_hosts(hosts)

    def process_host(self, host):

        args = self.args
        if args.output_path[0] == "/":
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path[1:])
        else:
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path)

        if not os.path.exists(output_path):
            os.makedirs(output_path)

        xml_path = os.path.join(output_path,
                                "%s-sslscan.xml" % host.replace(':', '_'))

        command_args = " --xml=%s " % xml_path

        cmd = shlex.split(self.binary + command_args + host)
        print("Executing: %s" % ' '.join(cmd))

        res = subprocess.Popen(cmd).wait()

    def process_hosts(self, hosts):
        args = self.args
        if args.output_path[0] == "/":
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path[1:])
        else:
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path)

        if not os.path.exists(output_path):
            os.makedirs(output_path)

        commands = []
        for host in hosts:
            host_str = host.split('|')[0]
            wordlist = host.split('|')[1]

            file_path = os.path.join(
                output_path,
                "%s.txt" % host_str.replace(':', '_').replace('/', '_'))

            command_args = " -o %s " % file_path

            command_args += " -C %s " % wordlist

            cmd = shlex.split(self.binary + command_args + host_str)
            commands.append(cmd)

        pool = ThreadPool(int(args.threads))

        pool.map(run_cmd, commands)
Exemplo n.º 13
0
class Module(ToolTemplate):

    name = "SSLScan"
    binary_name = "sslscan"

    def __init__(self, db):
        self.db = db
        self.Domain = DomainRepository(db, self.name)
        self.IPAddress = IPRepository(db, self.name)
        self.Port = PortRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument('-ho',
                                  '--host',
                                  help="Host to scan (host:port)")
        self.options.add_argument('-f',
                                  '--file',
                                  help="Import hosts from file")
        self.options.add_argument('-i',
                                  '--import_database',
                                  help="Import hosts from database",
                                  action="store_true")
        self.options.add_argument(
            '-s',
            '--rescan',
            help="Rescan domains that have already been scanned",
            action="store_true")

    def get_targets(self, args):

        targets = []
        if args.host:
            targets.append(args.host)

        elif args.file:
            hosts = open(args.file).read().split('\n')
            for h in hosts:
                if h:
                    targets.append(h)

        elif args.import_database:

            hosts = []
            svc = []

            if args.rescan:

                for p in [
                        'https', 'ftps', 'imaps', 'sip-tls', 'imqtunnels',
                        'smtps'
                ]:
                    svc += [(s, "") for s in self.Port.all(service_name=p)
                            if s.ip_address.in_scope]
                for p in [
                        'ftp', 'imap', 'irc', 'ldap', 'pop3', 'smtp', 'mysql',
                        'xmpp', 'psql'
                ]:
                    svc += [(s, "--starttls-%s" % p)
                            for s in self.Port.all(service_name=p)
                            if s.ip_address.in_scope]
            else:
                for p in [
                        'https', 'ftps', 'imaps', 'sip-tls', 'imqtunnels',
                        'smtps'
                ]:
                    svc += [
                        (s, "")
                        for s in self.Port.all(tool=self.name, service_name=p)
                        if s.ip_address.in_scope
                    ]
                for p in [
                        'ftp', 'imap', 'irc', 'ldap', 'pop3', 'smtp', 'mysql',
                        'xmpp', 'psql'
                ]:
                    svc += [
                        (s, "--starttls-%s" % p)
                        for s in self.Port.all(tool=self.name, service_name=p)
                        if s.ip_address.in_scope
                    ]

            for s, option in svc:

                port_number = s.port_number
                ip_address = s.ip_address.ip_address

                targets.append({
                    'target': "%s:%s" % (ip_address, port_number),
                    'option': option
                })

                for d in s.ip_address.domains:
                    targets.append({
                        'target': "%s:%s" % (d.domain, port_number),
                        'option': option
                    })

        for t in targets:
            if args.output_path[0] == "/":
                output_path = os.path.join(
                    self.base_config['PROJECT']['base_path'],
                    args.output_path[1:])
            else:
                output_path = os.path.join(
                    self.base_config['PROJECT']['base_path'], args.output_path)

            if not os.path.exists(output_path):
                os.makedirs(output_path)

            output_path = os.path.join(
                output_path,
                "{}-sslscan.xml".format(t['target'].replace(':', '_')))
            t['output'] = output_path

        return targets

    def build_cmd(self, args):

        cmd = self.binary + " --xml={output} {option} {target} "

        if args.tool_args:
            cmd += args.tool_args

        return cmd
Exemplo n.º 14
0
Arquivo: Nmap.py Projeto: kzwkt/armory
class Module(ModuleTemplate):

    name = "Nmap"

    def __init__(self, db):
        self.db = db
        self.BaseDomain = BaseDomainRepository(db, self.name)
        self.Domain = DomainRepository(db, self.name)
        self.IPAddress = IPRepository(db, self.name)
        self.Port = PortRepository(db, self.name)

        self.Vulnerability = VulnRepository(db, self.name)
        self.CVE = CVERepository(db, self.name)
        self.ScopeCIDR = ScopeCIDRRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()
        self.options.add_argument(
            '--hosts',
            help=
            "Things to scan separated by a space. DO NOT USE QUOTES OR COMMAS",
            nargs='+')
        self.options.add_argument('--hosts_file', help="File containing hosts")
        self.options.add_argument('--hosts_database',
                                  help="Use unscanned hosts from the database",
                                  action="store_true")
        self.options.add_argument('--import_file', help="Import nmap XML file")
        self.options.add_argument('-A',
                                  help="OS and service info",
                                  action="store_true")
        self.options.add_argument(
            '-o',
            '--output_path',
            help="Relative directory to store Nmap XML output name",
            default="nmap")
        self.options.add_argument('-nf',
                                  '--nFile',
                                  help="Nmap XML output name")
        self.options.add_argument(
            '-T',
            '--timing',
            help="Set timing template (higher is faster)",
            default="4",
            type=str)
        self.options.add_argument(
            '--scripts',
            help="Nmap scripts",
            default=
            'ssl-cert,http-headers,http-methods,http-auth,http-title,http-robots.txt,banner'
        )
        self.options.add_argument(
            '-p',
            help="Comma separate ports to scan",
            default=
            "21,22,23,25,80,110,443,467,587,8000,8080,8081,8082,8443,8008,1099,5005,9080,8880,8887,7001,7002,16200"
        )
        self.options.add_argument('-Pn',
                                  help="Disable ping",
                                  action="store_true",
                                  default=False)
        self.options.add_argument('-sS',
                                  help='Syn scan (default)',
                                  action="store_true",
                                  default=True)
        self.options.add_argument('-sT',
                                  help='TCP scan',
                                  action="store_true",
                                  default=False)
        self.options.add_argument('-sU',
                                  help='UDP scan',
                                  action="store_true",
                                  default=False)
        self.options.add_argument('-OS',
                                  help='Enable OS detection',
                                  action="store_true",
                                  default=False)
        self.options.add_argument("--open",
                                  help="Only show open ports",
                                  action="store_true",
                                  default=False)
        self.options.add_argument("--top_ports", help="Only check X top ports")
        self.options.add_argument("--force",
                                  help="Overwrite files without asking",
                                  action="store_true")
        self.options.add_argument(
            '--interactive',
            help="Prompt to store domains not in Base Domains already",
            default=False,
            action="store_true")
        self.options.add_argument(
            '--internal',
            help="Store domains not in Base Domains already",
            action="store_true")

    def run(self, args):
        if args.binary:
            if os.path.exists(args.binary):
                command = args.binary + " "
            else:
                exit("Specified binary doesn't exist. Quitting now")
        else:
            if not which.run('nmap'):
                exit("Nmap is not globally accessible. Quitting now")
            else:
                command = "nmap "

        if args.output_path[0] == "/":
            self.path = os.path.join(self.base_config['PROJECT']['base_path'],
                                     args.output_path[1:])
        else:
            self.path = os.path.join(self.base_config['PROJECT']['base_path'],
                                     args.output_path)

        if not os.path.exists(self.path):
            os.makedirs(self.path)

        file_name = ""

        if args.hosts:
            if type(args.hosts) == list:
                hosts = args.hosts
            else:
                hosts = [args.hosts]
            _, file_name = tempfile.mkstemp()
            open(file_name, 'w').write('\n'.join(hosts))

        elif args.hosts_database:
            hosts = [h.ip_address for h in self.IPAddress.all(tool=self.name)]
            hosts += [h.cidr for h in self.ScopeCIDR.all(tool=self.name)]
            _, file_name = tempfile.mkstemp()
            open(file_name, 'w').write('\n'.join(hosts))
        elif args.hosts_file:
            file_name = args.hosts_file

        if file_name:
            self.execute_nmap(args, file_name, command)

        elif args.import_file:
            self.import_nmap(args.import_file, args)

    def execute_nmap(self, args, host_file, command):

        if args.nFile:
            nFile = os.path.join(self.path, args.nFile)

        else:
            nFile = os.path.join(self.path, "nmap-scan.xml")
            # if type(hosts) == list:
            #     nFile = os.path.join(self.path,"nmaped_"+",".join(hosts).replace("/","_"))

            # else:
            #     nFile = os.path.join(self.path,"nmaped_"+hosts.replace("/","_").replace(" ",","))

        if os.path.isfile(nFile) and not args.force:
            print(nFile, "exists.")
            answered = False

            while answered == False:
                rerun = raw_input(
                    "Would you like to [r]un nmap again and overwrite the file, [p]arse the file, or change the file [n]ame? "
                )
                if rerun.lower() == 'r':
                    answered = True

                elif rerun.lower() == 'p':
                    answered = True
                    return nFile

                elif rerun.lower() == 'n':
                    new = False
                    while new == False:
                        newFile = raw_input("enter a new file name: ")
                        if not os.path.exists(path + newFile):
                            nFile = path + newFile
                            answered = True
                            new = True
                        else:
                            print("That file exists as well")
                else:
                    "Please enter \'r\' to run nmap, \'p\' to parse the file"

        if args.sS and args.sT:
            technique = "-sT "

        else:
            technique = "-sS "

        if args.sU:
            technique += "-sU "

        if args.A:
            technique += "-A "
        command += technique

        command += "-T" + str(args.timing) + " "

        if args.Pn:
            command += "-Pn "

        if args.open:
            command += "--open "

        if args.top_ports:
            command += "--top-ports %s " % args.top_ports

        if args.OS:
            command += "-O "

        command += "--script " + args.scripts + " "

        command += "-p " + args.p + " "

        command += " -iL %s " % host_file

        command += "-oX " + nFile

        if (args.sS and not args.sT) or args.OS:
            if os.geteuid() != 0:
                #exit("You need to have root privileges to run a Syn scan and OS detection.\nPlease try again, this time using 'sudo'. Exiting.")
                command = "sudo " + command
        scan = subprocess.Popen(command, shell=True).wait()
        self.import_nmap(nFile, args)
        return nFile

    def parseHeaders(self, httpHeaders):
        bsHeaders = [
            'Pragma', 'Expires', 'Date', 'Transfer-Encoding', 'Connection',
            'X-Content-Type-Options', 'Cache-Control', 'X-Frame-Options',
            'Content-Type', 'Content-Length', '(Request type'
        ]
        keepHeaders = {}
        for i in range(0, len(httpHeaders)):
            if httpHeaders[i].strip() != '' and httpHeaders[i].split(
                    ":")[0].strip() not in " ".join(bsHeaders):
                hName = httpHeaders[i].split(":")[0].strip()
                hValue = "".join(httpHeaders[i].split(":")[1:]).strip()
                keepHeaders[hName] = hValue

        if keepHeaders == {}:
            keepHeaders = ""

        return keepHeaders

    def import_nmap(self, filename,
                    args):  #domains={}, ips={}, rejects=[] == temp while no db
        nFile = filename

        try:
            tree = ET.parse(nFile)
            root = tree.getroot()
            hosts = root.findall("host")

        except:
            print(nFile + " doesn't exist somehow...skipping")
            return domains, ips, rejects  #needs to be changed for db

        tmpNames = []
        tmpIPs = {
        }  #tmpIps = {'127.0.0.1':['domain.com']} -- not really used; decided to just let nslookup take care of IP info
        skip = []

        for host in hosts:
            hostIP = host.find("address").get("addr")

            created, ip = self.IPAddress.find_or_create(ip_address=hostIP)

            for hostname in host.findall("hostnames/hostname"):
                hostname = hostname.get("name")
                hostname = hostname.lower().replace("www.", "")

                reHostname = re.search(
                    r"\d{1,3}\-\d{1,3}\-\d{1,3}\-\d{1,3}",
                    hostname)  #attempt to not get PTR record
                if not reHostname and not args.internal:

                    created, domain = self.Domain.find_or_create(
                        domain=hostname)
                    if ip not in domain.ip_addresses:
                        domain.ip_addresses.append(ip)
                        domain.save()

                elif not reHostname and args.internal:
                    created, domain = self.Domain.find_or_create(
                        domain=hostname)
                    if ip not in domain.ip_addresses:
                        domain.ip_addresses.append(ip)
                        domain.save()
                #else:
                #    print("IP hostname found? %s" % hostname)

            for port in host.findall("ports/port"):

                if port.find("state").get("state"):
                    portState = port.find("state").get("state")
                    hostPort = port.get("portid")
                    portProto = port.get("protocol")

                    created, db_port = self.Port.find_or_create(
                        port_number=hostPort,
                        status=portState,
                        proto=portProto,
                        ip_address=ip)

                    if port.find("service") != None:
                        portName = port.find("service").get("name")
                        if portName == "http" and hostPort == "443":
                            portName = "https"
                    else:
                        portName = "Unknown"

                    if created:
                        db_port.service_name = portName
                    info = db_port.info
                    if not info:
                        info = {}

                    for script in port.findall(
                            "script"):  #just getting commonName from cert
                        if script.get("id") == "ssl-cert":
                            db_port.cert = script.get('output')
                            cert_domains = self.get_domains_from_cert(
                                script.get('output'))

                            for hostname in cert_domains:
                                hostname = hostname.lower().replace("www.", "")
                                created, domain = self.Domain.find_or_create(
                                    domain=hostname)
                                if created:
                                    print("New domain found: %s" % hostname)

                        elif script.get("id") == "vulners":
                            print(
                                "Gathering vuln info for {} : {}/{}\n".format(
                                    hostIP, portProto, hostPort))
                            self.parseVulners(script.get("output"), db_port)

                        elif script.get("id") == "banner":
                            info["banner"] = script.get("output")

                        elif script.get("id") == "http-headers":

                            httpHeaders = script.get("output")
                            httpHeaders = httpHeaders.strip().split("\n")
                            keepHeaders = self.parseHeaders(httpHeaders)
                            info["http-headers"] = keepHeaders

                        elif script.get("id") == "http-auth":
                            info['http-auth'] = script.get("output")

                        elif script.get("id") == "http-title":
                            info['http-title'] = script.get("output")

                    db_port.info = info
                    db_port.save()

            self.IPAddress.commit()

    def parseVulners(self, scriptOutput, db_port):
        urls = re.findall('(https://vulners.com/cve/CVE-\d*-\d*)',
                          scriptOutput)
        for url in urls:
            vuln_refs = []
            exploitable = False
            cve = url.split("/cve/")[1]
            vulners = requests.get("https://vulners.com/cve/%s" % cve).text
            exploitdb = re.findall(
                'https://www.exploit-db.com/exploits/\d{,7}', vulners)
            for edb in exploitdb:
                exploitable = True

                if edb.split("/exploits/")[1] not in vuln_refs:
                    vuln_refs.append(edb.split("/exploits/")[1])

            if not self.CVE.find(name=cve):
                #print "Gathering CVE info for", cve
                try:
                    res = json.loads(
                        requests.get('http://cve.circl.lu/api/cve/%s' %
                                     cve).text)
                    cveDescription = res['summary']
                    cvss = float(res['cvss'])
                    findingName = res['oval'][0]['title']
                    if int(cvss) <= 3:
                        severity = 1

                    elif (int(cvss) / 2) == 5:
                        severity = 4

                    else:
                        severity = int(cvss) / 2

                    if not self.Vulnerability.find(name=findingName):
                        #print "Creating", findingName
                        created, db_vuln = self.Vulnerability.find_or_create(
                            name=findingName,
                            severity=severity,
                            description=cveDescription)
                        db_vuln.ports.append(db_port)
                        db_vuln.exploitable = exploitable
                        if vuln_refs:
                            db_vuln.exploit_reference = {'edb-id': vuln_refs}
                            db_vuln.save()

                    else:
                        #print "modifying",findingName
                        db_vuln = self.Vulnerability.find(name=findingName)
                        db_vuln.ports.append(db_port)
                        db_vuln.exploitable = exploitable

                        if vuln_refs:
                            db_vuln.exploitable = exploitable
                            if db_vuln.exploit_reference is not None:
                                if 'edb-id' in db_vuln.exploit_reference:
                                    for ref in vuln_refs:
                                        if ref not in db_vuln.exploit_reference[
                                                'edb-id']:
                                            db_vuln.exploit_reference[
                                                'edb-id'].append(ref)

                                else:
                                    db_vuln.exploit_reference[
                                        'edb-id'] = vuln_refs
                            else:
                                db_vuln.exploit_reference = {
                                    'edb-id': vuln_refs
                                }

                        db_vuln.save()

                    if not self.CVE.find(name=cve):
                        created, db_cve = self.CVE.find_or_create(
                            name=cve,
                            description=cveDescription,
                            temporal_score=cvss)
                        db_cve.vulnerabilities.append(db_vuln)
                        db_cve.save()

                    else:
                        db_cve = self.CVE.find(name=cve)
                        db_cve.vulnerabilities.append(db_vuln)
                        db_cve.save()

                    self.Vulnerability.commit()
                    self.CVE.commit()
                except:
                    print(
                        "something went wrong with the vuln/cve info gathering"
                    )
                    if vulners:
                        print(
                            "Vulners report was found but no exploit-db was discovered"
                        )
                        #"Affected vulners items"
                        #print vulners
                    print("Affected CVE")
                    print(cve)
                    pass

            else:
                db_cve = self.CVE.find(name=cve)
                for db_vulns in db_cve.vulnerabilities:
                    if db_port not in db_vulns.ports:
                        db_vulns.ports.append(db_port)
        return

    def get_domains_from_cert(self, cert):
        # Shamelessly lifted regex from stack overflow
        regex = r'(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}'

        domains = list(
            set([d for d in re.findall(regex, cert) if '*' not in d]))

        return domains
Exemplo n.º 15
0
#!/usr/bin/python

from armory import initialize_database
from armory import get_config_options
from database.repositories import BaseDomainRepository, DomainRepository, IPRepository, CIDRRepository, UserRepository, CredRepository, VulnRepository, PortRepository, UrlRepository, ScopeCIDRRepository

config = get_config_options()
db = initialize_database(config)
Domains = DomainRepository(db, "Shell Client")
BaseDomains = BaseDomainRepository(db, "Shell Client")
IPAddresses = IPRepository(db, "Shell Client")
CIDRs = CIDRRepository(db, "Shell Client")
Users = UserRepository(db, "Shell Client")
Creds = CredRepository(db, "Shell Client")
Vulns = VulnRepository(db, "Shell Client")
Ports = PortRepository(db, "Shell Client")
Urls = UrlRepository(db, "Shell Client")
ScopeCIDRs = ScopeCIDRRepository(db, "Shell Client")

print("Make sure to use this script with ipython and -i")
print("    ipython -i shell.py")

print("Available database modules: Domains, BaseDomains, IPAddresses,")
print(" CIDRs, Users, Creds, Vulns, Services, Ports, Urls, ScopeCIDRs")
Exemplo n.º 16
0
class Module(ToolTemplate):
    """
    Runs nmap on all web hosts to pull certs and add them to the database
    """

    name = "NmapCertScan"
    binary_name = "nmap"

    def __init__(self, db):
        self.db = db
        self.Port = PortRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument(
            "-s",
            "--rescan",
            help="Rescan domains that have already been scanned",
            action="store_true",
        )

    def get_targets(self, args):

        targets = []
        if args.rescan:
            services = self.Port.all(service_name="https")
        else:
            services = self.Port.all(tool=self.name, service_name="https")

        for s in services:
            if s.ip_address.in_scope:
                port = s.port_number
                targets.append(
                    {
                        "port": port,
                        "target": s.ip_address.ip_address,
                        "service_id": s.id,
                    }
                )
                for d in s.ip_address.domains:
                    targets.append(
                        {"port": port, "target": d.domain, "service_id": s.id}
                    )

        if args.output_path[0] == "/":
            output_path = os.path.join(
                self.base_config["PROJECT"]["base_path"], args.output_path[1:]
            )
        else:
            output_path = os.path.join(
                self.base_config["PROJECT"]["base_path"], args.output_path
            )

        if not os.path.exists(output_path):
            os.makedirs(output_path)

        for t in targets:
            file_path = os.path.join(output_path, "%s_%s-ssl.xml" % (t["target"], port))

            t["output"] = file_path
        # pdb.set_trace()
        return targets

    def build_cmd(self, args):

        cmd = self.binary + " -p {port} --script=ssl-cert -oX {output} {target} "

        if args.tool_args:
            cmd += args.tool_args

        return cmd

    def process_output(self, cmds):

        for data in cmds:

            try:
                xmldata = xmltodict.parse(open(data["output"]).read())

                cert = xmldata["nmaprun"]["host"]["ports"]["port"]["script"]["@output"]

                if cert:
                    # print("Cert found: {}".format(cert))
                    svc = self.Port.all(id=data["service_id"])[0]

                    # pdb.set_trace()
                    if not svc.meta.get("sslcert", False):
                        svc.meta["sslcert"] = {}
                    svc.meta["sslcert"][data["target"]] = cert
                    print(
                        "Cert added to {} for {}".format(
                            data["service_id"], data["target"]
                        )
                    )
                    svc.save()

            except Exception as e:
                display_error("File not valid: {}\nError: {}".format(data["output"], e))

        self.Port.commit()
Exemplo n.º 17
0
class Module(ToolTemplate):
    '''
    Runs nmap on all web hosts to pull certs and add them to the database
    '''
    name = "NmapCertScan"
    binary_name = "nmap"

    def __init__(self, db):
        self.db = db
        self.Port = PortRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument(
            '-s',
            '--rescan',
            help="Rescan domains that have already been scanned",
            action="store_true")

    def get_targets(self, args):

        targets = []
        if args.rescan:
            services = self.Port.all(service_name='https')
        else:
            services = self.Port.all(tool=self.name, service_name='https')

        for s in services:
            if s.ip_address.in_scope:
                port = s.port_number
                targets.append({
                    'port': port,
                    'target': s.ip_address.ip_address,
                    'service_id': s.id
                })
                for d in s.ip_address.domains:
                    targets.append({
                        'port': port,
                        'target': d.domain,
                        'service_id': s.id
                    })

        if args.output_path[0] == "/":
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path[1:])
        else:
            output_path = os.path.join(
                self.base_config['PROJECT']['base_path'], args.output_path)

        if not os.path.exists(output_path):
            os.makedirs(output_path)

        for t in targets:
            file_path = os.path.join(output_path,
                                     "%s_%s-ssl.xml" % (t['target'], port))

            t['output'] = file_path
        # pdb.set_trace()
        return targets

    def build_cmd(self, args):

        cmd = self.binary + " -p {port} --script=ssl-cert -oX {output} {target} "

        if args.tool_args:
            cmd += args.tool_args

        return cmd

    def process_output(self, cmds):

        for data in cmds:

            try:
                xmldata = xmltodict.parse(open(data['output']).read())

                cert = xmldata['nmaprun']['host']['ports']['port']['script'][
                    '@output']

                if cert:
                    svc = self.Port.all(id=data['service_id'])[0]
                    if not svc.meta.get(self.name, False):
                        svc.meta[self.name] = {}
                    svc.meta[self.name][data['target']] = cert

                    svc.update()

            except:
                display_error("File not valid: {}".format(data['output']))

        self.Port.commit()
Exemplo n.º 18
0
class Module(ModuleTemplate):
    '''
    The Shodan module will either iterate through Shodan search results from net:<cidr>
    for all scoped CIDRs, or a custom search query. The resulting IPs and ports will be
    added to the database, along with a dictionary object of the API results.

    '''
    name = "ShodanImport"

    def __init__(self, db):
        self.db = db
        self.Port = PortRepository(db, self.name)
        self.IPAddress = IPRepository(db, self.name)
        self.ScopeCidr = ScopeCIDRRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument('-k',
                                  '--api_key',
                                  help='API Key for accessing Shodan')
        self.options.add_argument('-s',
                                  '--search',
                                  help="Custom search string")
        self.options.add_argument('-i',
                                  '--import_db',
                                  help="Import scoped IPs from the database",
                                  action="store_true")
        self.options.add_argument('--rescan',
                                  help="Rescan CIDRs already processed",
                                  action="store_true")

    def run(self, args):

        if not args.api_key:
            display_error("You must supply an API key to use shodan!")
            return

        if args.search:
            ranges = [args.search]

        if args.import_db:
            ranges = []
            if args.rescan:
                ranges += [
                    "net:{}".format(c.cidr) for c in self.ScopeCidr.all()
                ]
            else:
                ranges += [
                    "net:{}".format(c.cidr)
                    for c in self.ScopeCidr.all(tool=self.name)
                ]

        api = shodan_api.Shodan(args.api_key)

        for r in ranges:
            time.sleep(1)
            # pdb.set_trace()
            results = api.search(r)

            display("{} results found for: {}".format(results['total'], r))

            for res in results['matches']:
                ip_address_str = res['ip_str']
                port_str = res['port']
                transport = res['transport']
                display("Processing IP: {} Port: {}/{}".format(
                    ip_address_str, port_str, transport))
                created, IP = self.IPAddress.find_or_create(
                    ip_address=ip_address_str)
                created, port = self.Port.find_or_create(ip_address=IP,
                                                         port_number=port_str,
                                                         proto=transport)
                port.meta['shodan_data'] = res
                port.save()

        self.IPAddress.commit()
Exemplo n.º 19
0
class Module(ToolTemplate):

    name = "Hydra"
    binary_name = "hydra"

    def __init__(self, db):
        self.db = db
        self.Domain = DomainRepository(db, self.name)
        self.IPAddress = IPRepository(db, self.name)
        self.Port = PortRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument("-ho",
                                  "--host",
                                  help="Host to scan (service://host:port)")
        self.options.add_argument("-hw",
                                  "--host_wordlist",
                                  help="Wordlist to use for one off host")
        self.options.add_argument("-f",
                                  "--file",
                                  help="Import hosts from file")
        self.options.add_argument(
            "-s",
            "--rescan",
            help="Rescan domains that have already been scanned",
            action="store_true",
        )

        self.options.add_argument(
            "--scan_defaults",
            help="Pull hosts out of database and scan default passwords",
            action="store_true",
        )

        self.options.add_argument("--ftp_wordlist",
                                  help="Wordlist for FTP services")
        self.options.add_argument("--telnet_wordlist",
                                  help="Wordlist for Telnet")
        self.options.add_argument("--email_wordlist",
                                  help="Wordlist for email (smtp, pop3, imap)")
        self.options.add_argument("--ssh_wordlist", help="Wordlist for SSH")
        self.options.add_argument("--vnc_wordlist", help="Wordlist for VNC")

    def get_targets(self, args):
        targets = []

        if args.host:
            service, hp = args.host.split("://")
            host, port = hp.split(":")[-2:]
            targets.append({
                "target": host,
                "service": service,
                "port": port,
                "wordlist": args.host_wordlist,
            })

        elif args.file:
            hosts = open(args.file).read().split("\n")
            for h in hosts:
                if h:
                    targets.append(h)

        elif args.scan_defaults:
            lists = {}
            if args.ftp_wordlist:
                for p in ["ftps", "ftp"]:
                    lists[args.ftp_wordlist] = [
                        s
                        for s in self.Port.all(tool=self.name, service_name=p)
                    ]

            if args.telnet_wordlist:
                for p in ["telnet"]:
                    lists[args.telnet_wordlist] = [
                        s
                        for s in self.Port.all(tool=self.name, service_name=p)
                    ]

            if args.email_wordlist:
                for p in ["smtps", "smtp", "pop3", "pop3s", "imap", "imaps"]:
                    lists[args.email_wordlist] = [
                        s
                        for s in self.Port.all(tool=self.name, service_name=p)
                    ]

            if args.ssh_wordlist:
                for p in ["ssh"]:
                    lists[args.ssh_wordlist] = [
                        s
                        for s in self.Port.all(tool=self.name, service_name=p)
                    ]

            if args.vnc_wordlist:
                for p in ["vnc"]:
                    lists[args.vnc_wordlist] = [
                        s
                        for s in self.Port.all(tool=self.name, service_name=p)
                    ]

            for k in lists.keys():
                for s in lists[k]:

                    port_number = s.port_number
                    ip_address = s.ip_address.ip_address
                    name = s.service_name

                    targets.append({
                        "service": name,
                        "target": ip_address,
                        "port": port_number,
                        "wordlist": k,
                    })

        if args.output_path[0] == "/":
            output_path = os.path.join(
                self.base_config["PROJECT"]["base_path"], args.output_path[1:])
        else:
            output_path = os.path.join(
                self.base_config["PROJECT"]["base_path"], args.output_path)

        if not os.path.exists(output_path):
            os.makedirs(output_path)

        for t in targets:
            t["output"] = os.path.join(
                output_path, "{}-{}.txt".format(t["target"], t["port"]))

        return targets

    def build_cmd(self, args):

        cmd = self.binary + " -o {output} -C {wordlist} "
        if args.tool_args:
            cmd += args.tool_args

        cmd += " {service}://{target}:{port} "

        return cmd
Exemplo n.º 20
0
class Module(ToolTemplate):
    """
    Module for running nmap. Make sure to pass all nmap-specific arguments at the end, after --tool_args

    """

    name = "Nmap"
    binary_name = "nmap"

    def __init__(self, db):
        self.db = db
        self.BaseDomain = BaseDomainRepository(db, self.name)
        self.Domain = DomainRepository(db, self.name)
        self.IPAddress = IPRepository(db, self.name)
        self.Port = PortRepository(db, self.name)

        self.Vulnerability = VulnRepository(db, self.name)
        self.CVE = CVERepository(db, self.name)
        self.ScopeCIDR = ScopeCIDRRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()
        self.options.add_argument(
            "--hosts",
            help=
            "Things to scan separated by a space. DO NOT USE QUOTES OR COMMAS",
            nargs="+",
        )
        self.options.add_argument("--hosts_file", help="File containing hosts")
        self.options.add_argument(
            "-i",
            "--hosts_database",
            help="Use unscanned hosts from the database",
            action="store_true",
        )
        self.options.add_argument("--rescan",
                                  help="Overwrite files without asking",
                                  action="store_true")
        self.options.add_argument(
            "--filename",
            help="Output filename. By default will use the current timestamp.",
        )
        self.options.set_defaults(timeout=None)

    def get_targets(self, args):

        targets = []

        if args.hosts:
            if type(args.hosts) == list:
                targets += args.hosts
            else:
                targets += [args.hosts]

        if args.hosts_database:
            if args.rescan:
                targets += [
                    h.ip_address
                    for h in self.IPAddress.all(scope_type="active")
                ]
                targets += [h.cidr for h in self.ScopeCIDR.all()]
            else:
                targets += [
                    h.ip_address
                    for h in self.IPAddress.all(tool=self.name,
                                                scope_type="active")
                ]
                targets += [h.cidr for h in self.ScopeCIDR.all(tool=self.name)]

        if args.hosts_file:
            targets += [
                l for l in open(args.hosts_file).read().split("\n") if l
            ]

        # Here we should deduplicate the targets, and ensure that we don't have IPs listed that also exist inside CIDRs
        data = []
        for t in targets:
            ips = [str(i) for i in list(IPNetwork(t))]
            data += ips

        _, file_name = tempfile.mkstemp()
        open(file_name, "w").write("\n".join(list(set(data))))

        if args.output_path[0] == "/":
            self.path = os.path.join(self.base_config["PROJECT"]["base_path"],
                                     args.output_path[1:])
        else:
            self.path = os.path.join(self.base_config["PROJECT"]["base_path"],
                                     args.output_path)

        if not os.path.exists(self.path):
            os.makedirs(self.path)

        if args.filename:
            output_path = os.path.join(self.path, args.filename)
        else:
            output_path = os.path.join(
                self.path,
                "nmap-scan-%s.xml" %
                datetime.datetime.now().strftime("%Y.%m.%d-%H.%M.%S"),
            )

        return [{"target": file_name, "output": output_path}]

    def build_cmd(self, args):

        command = "sudo " + self.binary + " -oX {output} -iL {target} "

        if args.tool_args:
            command += args.tool_args

        return command

    def process_output(self, cmds):

        self.import_nmap(cmds[0]["output"])
        os.unlink(cmds[0]["target"])

    def parseHeaders(self, httpHeaders):
        bsHeaders = [
            "Pragma",
            "Expires",
            "Date",
            "Transfer-Encoding",
            "Connection",
            "X-Content-Type-Options",
            "Cache-Control",
            "X-Frame-Options",
            "Content-Type",
            "Content-Length",
            "(Request type",
        ]
        keepHeaders = {}
        for i in range(0, len(httpHeaders)):
            if httpHeaders[i].strip() != "" and httpHeaders[i].split(
                    ":")[0].strip() not in " ".join(bsHeaders):
                hName = httpHeaders[i].split(":")[0].strip()
                hValue = "".join(httpHeaders[i].split(":")[1:]).strip()
                keepHeaders[hName] = hValue

        if keepHeaders == {}:
            keepHeaders = ""

        return keepHeaders

    def import_nmap(
            self,
            filename):  # domains={}, ips={}, rejects=[] == temp while no db
        nFile = filename

        try:
            tree = ET.parse(nFile)
            root = tree.getroot()
            hosts = root.findall("host")

        except:
            print(nFile + " doesn't exist somehow...skipping")
            return

        tmpNames = []
        tmpIPs = (
            {}
        )  # tmpIps = {'127.0.0.1':['domain.com']} -- not really used; decided to just let nslookup take care of IP info
        skip = []

        for host in hosts:
            hostIP = host.find("address").get("addr")

            created, ip = self.IPAddress.find_or_create(ip_address=hostIP)

            for hostname in host.findall("hostnames/hostname"):
                hostname = hostname.get("name")
                hostname = hostname.lower().replace("www.", "")

                reHostname = re.search(
                    r"\d{1,3}\-\d{1,3}\-\d{1,3}\-\d{1,3}",
                    hostname)  # attempt to not get PTR record
                if not reHostname:

                    created, domain = self.Domain.find_or_create(
                        domain=hostname)
                    if ip not in domain.ip_addresses:
                        domain.ip_addresses.append(ip)
                        domain.save()

            for port in host.findall("ports/port"):

                if port.find("state").get("state"):
                    portState = port.find("state").get("state")
                    hostPort = port.get("portid")
                    portProto = port.get("protocol")

                    created, db_port = self.Port.find_or_create(
                        port_number=hostPort,
                        status=portState,
                        proto=portProto,
                        ip_address=ip,
                    )

                    if port.find("service") != None:
                        portName = port.find("service").get("name")
                        if portName == "http" and hostPort == "443":
                            portName = "https"
                    else:
                        portName = "Unknown"

                    if created:
                        db_port.service_name = portName
                    info = db_port.info
                    if not info:
                        info = {}

                    for script in port.findall(
                            "script"):  # just getting commonName from cert
                        if script.get("id") == "ssl-cert":
                            db_port.cert = script.get("output")
                            cert_domains = self.get_domains_from_cert(
                                script.get("output"))

                            for hostname in cert_domains:
                                hostname = hostname.lower().replace("www.", "")
                                created, domain = self.Domain.find_or_create(
                                    domain=hostname)
                                if created:
                                    print("New domain found: %s" % hostname)

                        elif script.get("id") == "vulners":
                            print(
                                "Gathering vuln info for {} : {}/{}\n".format(
                                    hostIP, portProto, hostPort))
                            self.parseVulners(script.get("output"), db_port)

                        elif script.get("id") == "banner":
                            info["banner"] = script.get("output")

                        elif script.get("id") == "http-headers":

                            httpHeaders = script.get("output")
                            httpHeaders = httpHeaders.strip().split("\n")
                            keepHeaders = self.parseHeaders(httpHeaders)
                            info["http-headers"] = keepHeaders

                        elif script.get("id") == "http-auth":
                            info["http-auth"] = script.get("output")

                        elif script.get("id") == "http-title":
                            info["http-title"] = script.get("output")

                    db_port.info = info
                    db_port.save()

            self.IPAddress.commit()

    def parseVulners(self, scriptOutput, db_port):
        urls = re.findall("(https://vulners.com/cve/CVE-\d*-\d*)",
                          scriptOutput)
        for url in urls:
            vuln_refs = []
            exploitable = False
            cve = url.split("/cve/")[1]
            vulners = requests.get("https://vulners.com/cve/%s" % cve).text
            exploitdb = re.findall(
                "https://www.exploit-db.com/exploits/\d{,7}", vulners)
            for edb in exploitdb:
                exploitable = True

                if edb.split("/exploits/")[1] not in vuln_refs:
                    vuln_refs.append(edb.split("/exploits/")[1])

            if not self.CVE.find(name=cve):
                # print "Gathering CVE info for", cve
                try:
                    res = json.loads(
                        requests.get("http://cve.circl.lu/api/cve/%s" %
                                     cve).text)
                    cveDescription = res["summary"]
                    cvss = float(res["cvss"])
                    findingName = res["oval"][0]["title"]
                    if int(cvss) <= 3:
                        severity = 1

                    elif (int(cvss) / 2) == 5:
                        severity = 4

                    else:
                        severity = int(cvss) / 2

                    if not self.Vulnerability.find(name=findingName):
                        # print "Creating", findingName
                        created, db_vuln = self.Vulnerability.find_or_create(
                            name=findingName,
                            severity=severity,
                            description=cveDescription,
                        )
                        db_vuln.ports.append(db_port)
                        db_vuln.exploitable = exploitable
                        if vuln_refs:
                            db_vuln.exploit_reference = {"edb-id": vuln_refs}
                            db_vuln.save()

                    else:
                        # print "modifying",findingName
                        db_vuln = self.Vulnerability.find(name=findingName)
                        db_vuln.ports.append(db_port)
                        db_vuln.exploitable = exploitable

                        if vuln_refs:
                            db_vuln.exploitable = exploitable
                            if db_vuln.exploit_reference is not None:
                                if "edb-id" in db_vuln.exploit_reference:
                                    for ref in vuln_refs:
                                        if (ref not in db_vuln.
                                                exploit_reference["edb-id"]):
                                            db_vuln.exploit_reference[
                                                "edb-id"].append(ref)

                                else:
                                    db_vuln.exploit_reference[
                                        "edb-id"] = vuln_refs
                            else:
                                db_vuln.exploit_reference = {
                                    "edb-id": vuln_refs
                                }

                        db_vuln.save()

                    if not self.CVE.find(name=cve):
                        created, db_cve = self.CVE.find_or_create(
                            name=cve,
                            description=cveDescription,
                            temporal_score=cvss)
                        db_cve.vulnerabilities.append(db_vuln)
                        db_cve.save()

                    else:
                        db_cve = self.CVE.find(name=cve)
                        db_cve.vulnerabilities.append(db_vuln)
                        db_cve.save()

                    self.Vulnerability.commit()
                    self.CVE.commit()
                except:
                    print(
                        "something went wrong with the vuln/cve info gathering"
                    )
                    if vulners:
                        print(
                            "Vulners report was found but no exploit-db was discovered"
                        )
                        # "Affected vulners items"
                        # print vulners
                    print("Affected CVE")
                    print(cve)
                    pass

            else:
                db_cve = self.CVE.find(name=cve)
                for db_vulns in db_cve.vulnerabilities:
                    if db_port not in db_vulns.ports:
                        db_vulns.ports.append(db_port)
        return

    def get_domains_from_cert(self, cert):
        # Shamelessly lifted regex from stack overflow
        regex = r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}"

        domains = list(
            set([d for d in re.findall(regex, cert) if "*" not in d]))

        return domains
Exemplo n.º 21
0
class Module(ModuleTemplate):
    """
    The Shodan module will either iterate through Shodan search results from net:<cidr>
    for all scoped CIDRs, or a custom search query. The resulting IPs and ports will be
    added to the database, along with a dictionary object of the API results.

    """

    name = "ShodanImport"

    def __init__(self, db):
        self.db = db
        self.Port = PortRepository(db, self.name)
        self.IPAddress = IPRepository(db, self.name)
        self.ScopeCidr = ScopeCIDRRepository(db, self.name)

    def set_options(self):
        super(Module, self).set_options()

        self.options.add_argument("-k",
                                  "--api_key",
                                  help="API Key for accessing Shodan")
        self.options.add_argument(
            "-s", "--search", help="Custom search string (will use credits)")
        self.options.add_argument(
            "-i",
            "--import_db",
            help="Import scoped IPs from the database",
            action="store_true",
        )
        self.options.add_argument("--rescan",
                                  help="Rescan CIDRs already processed",
                                  action="store_true")
        self.options.add_argument("--fast",
                                  help="Use 'net' filter. (May use credits)",
                                  action="store_true")
        self.options.add_argument(
            "--cidr_only",
            help="Import only CIDRs from database (not individual IPs)",
            action="store_true",
        )

    def run(self, args):

        if not args.api_key:
            display_error("You must supply an API key to use shodan!")
            return

        if args.search:
            ranges = [args.search]

        if args.import_db:
            ranges = []
            if args.rescan:
                if args.fast:
                    ranges += [
                        "net:{}".format(c.cidr) for c in self.ScopeCidr.all()
                    ]
                else:

                    cidrs = [c.cidr for c in self.ScopeCidr.all()]
                    for c in cidrs:
                        ranges += [str(i) for i in IPNetwork(c)]
                if not args.cidr_only:
                    ranges += [
                        "{}".format(i.ip_address)
                        for i in self.IPAddress.all(scope_type="active")
                    ]
            else:
                if args.fast:
                    ranges += [
                        "net:{}".format(c.cidr)
                        for c in self.ScopeCidr.all(tool=self.name)
                    ]
                else:
                    cidrs = [
                        c.cidr for c in self.ScopeCidr.all(tool=self.name)
                    ]
                    for c in cidrs:
                        ranges += [str(i) for i in IPNetwork(c)]
                if not args.cidr_only:
                    ranges += [
                        "{}".format(i.ip_address)
                        for i in self.IPAddress.all(scope_type="active",
                                                    tool=self.name)
                    ]

        api_host_url = "https://api.shodan.io/shodan/host/{}?key={}"
        api_search_url = (
            "https://api.shodan.io/shodan/host/search?key={}&query={}&page={}")
        for r in ranges:

            time.sleep(1)
            if ":" in r:
                display("Doing Shodan search: {}".format(r))
                try:
                    results = json.loads(
                        requests.get(api_search_url.format(args.api_key, r,
                                                           1)).text)
                    if results.get("error") and "request timed out" in results[
                            "error"]:
                        display_warning(
                            "Timeout occurred on Shodan's side.. trying again in 5 seconds."
                        )
                        results = json.loads(
                            requests.get(
                                api_search_url.format(args.api_key, r,
                                                      1)).text)
                except Exception as e:
                    display_error("Something went wrong: {}".format(e))
                    next

                total = len(results["matches"])
                matches = []
                i = 1
                while total > 0:
                    display("Adding {} results from page {}".format(total, i))
                    matches += results["matches"]
                    i += 1
                    try:
                        time.sleep(1)
                        results = json.loads(
                            requests.get(
                                api_search_url.format(args.api_key, r,
                                                      i)).text)
                        if (results.get("error")
                                and "request timed out" in results["error"]):
                            display_warning(
                                "Timeout occurred on Shodan's side.. trying again in 5 seconds."
                            )
                            results = json.loads(
                                requests.get(
                                    api_search_url.format(args.api_key, r,
                                                          1)).text)

                        total = len(results["matches"])

                    except Exception as e:
                        display_error("Something went wrong: {}".format(e))
                        total = 0
                        pdb.set_trace()

                for res in matches:
                    ip_str = res["ip_str"]
                    port_str = res["port"]
                    transport = res["transport"]

                    display("Processing IP: {} Port: {}/{}".format(
                        ip_str, port_str, transport))

                    created, IP = self.IPAddress.find_or_create(
                        ip_address=ip_str)
                    IP.meta["shodan_data"] = results

                    created, port = self.Port.find_or_create(
                        ip_address=IP, port_number=port_str, proto=transport)
                    if created:
                        svc = ""

                        if res.get("ssl", False):
                            svc = "https"
                        elif res.get("http", False):
                            svc = "http"

                        else:
                            svc = ""

                        port.service_name = svc

                    port.meta["shodan_data"] = res
                    port.save()
            else:

                try:
                    results = json.loads(
                        requests.get(api_host_url.format(r,
                                                         args.api_key)).text)
                except Exception as e:
                    display_error("Something went wrong: {}".format(e))
                    next
                # pdb.set_trace()
                if results.get("data", False):

                    display("{} results found for: {}".format(
                        len(results["data"]), r))

                    for res in results["data"]:
                        ip_str = res["ip_str"]
                        port_str = res["port"]
                        transport = res["transport"]
                        display("Processing IP: {} Port: {}/{}".format(
                            ip_str, port_str, transport))
                        created, IP = self.IPAddress.find_or_create(
                            ip_address=ip_str)
                        IP.meta["shodan_data"] = results

                        created, port = self.Port.find_or_create(
                            ip_address=IP,
                            port_number=port_str,
                            proto=transport)
                        if created:
                            svc = ""

                            if res.get("ssl", False):
                                svc = "https"
                            elif res.get("http", False):
                                svc = "http"

                            else:
                                svc = ""

                            port.service_name = svc

                        port.meta["shodan_data"] = res
                        port.save()

        self.IPAddress.commit()
Exemplo n.º 22
0
class Module(ModuleTemplate):

	name = "Nessus"

	def __init__(self, db):
		self.db = db
		self.BaseDomain = BaseDomainRepository(db, self.name)
		self.Domain = DomainRepository(db, self.name)
		self.IPAddress = IPRepository(db, self.name)
		self.Port = PortRepository(db, self.name)
		self.Vulnerability = VulnRepository(db, self.name)
		self.CVE = CVERepository(db, self.name)

	def set_options(self):
		super(Module, self).set_options()
		self.options.add_argument('--import_file', help="Import separated Nessus files separated by a space. DO NOT USE QUOTES OR COMMAS", nargs='+')
		self.options.add_argument('--interactive', help="Prompt to store domains not in Base Domains already", action="store_true")
		self.options.add_argument('--internal', help="Store domains not in Base Domains already", action="store_true")

	def run(self, args):
		if not args.import_file:
			print("You need to supply some options to do something.")

		else:
			for nFile in args.import_file:
				self.process_data(nFile, args)

	def nessCheckPlugin(self, tag):
		nessPlugins = ["10759","77026", "20089", "56984", "71049", "70658", "40984", "11411"] 
		
		pluginID = tag.get("pluginID") 

		if pluginID in nessPlugins:
			#print pluginID + " is in the list"
			if pluginID == "10759":
				if tag.find("plugin_output") is not None:
					return tag.find("plugin_output").text.split("\n\n")[3].strip()		#returns IP for Web Server HTTP Header INternal IP disclosure
				else:
					return ""
				
			if pluginID == "77026":
				if tag.find("plugin_output") is not None:
					return tag.find("plugin_output").text.split("\n\n")[3].strip()		#Microsoft Exchange Client Access Server Information Disclosure (IP addy)
				else:
					return ""
				
			if pluginID == "71049" or pluginID == "70658":
				output = ""
				if tag.find("plugin_output") is not None:
					tmp = tag.find("plugin_output").text.split(":")[1]			#SSH Weak MAC & CBC Algorithms Enabled
					#print "#"*5
					tmp = tmp.split("\n\n")[1].replace("  ","")
					#print "#"*5
					output = tmp.split("\n")
					#print ", ".join(output)
				return ", ".join(output)
			
			if pluginID == "56984":
				if tag.find("plugin_output") is not None:
					tmp = tag.find("plugin_output").text.split("This port supports ")[1].strip()		# SSL / TLS Versions Supported
					tmp = tmp.split("/")
					bad = []
					for i in tmp:
						#print i
						if "SSLv" in i:
							bad.append(i)
						elif "TLSv1.0" in i:
							bad.append(i)
					if bad != []:
						return ", ".join(bad).rstrip(".")
					else:
						return ""
				else:
					return ""
			
			if pluginID == "40984":								#broswable web dirs
				if tag.find("plugin_output") is not None:
					tmp = tag.find("plugin_output").text.split("The following directories are browsable :")[1].strip()
					directories = tmp.split("\n")
					
					return "\n".join(directories)
			
			if pluginID == "11411":								#Backup Files Disclosure
				if tag.find("plugin_output") is not None:
					urls = []
					tmp = tag.find("plugin_output").text.split("It is possible to read the following backup files :")[1].strip()
					tmpUrls = tmp.split("\n")
					for url in tmpUrls:
						if "URL" in url:
							urls.append(url.split(":")[1].lstrip())
					if urls:
						return "\n".join(urls)
					else:
						return ""
				
			if pluginID == "20089":								#F5 cookie
				if tag.find("plugin_output") is not None:
					f5Output = []
					cookieVal = []
					output = tag.find("plugin_output").text.strip().split("\n")
					for line in output:
						#print line
						line = line.split(":")
						for i, item in enumerate(line):
							item = item.strip()
							if "Cookie" in item:
								cabbage = line.pop(i)
								tmp = line.pop(i)
								tmp.strip()
								cookieVal.append(tmp)
							else:
								item = "".join(item)
								f5Output.append(item)
						
					f5Output = " : ".join(f5Output)
					f5Output = f5Output.replace(" :  : ", ", ")
					f5Output += " [" + ", ".join(cookieVal) + "]"
					c = 0
					tmpF5Output = f5Output.split()
					for i, letter in enumerate(tmpF5Output):
						if letter == ":":
							c += 1
							if (c%2) == 0:
								tmpF5Output[i] = " "
								return "".join(tmpF5Output).replace("["," [")
				else:
					return ""
		else:
			return False

	def getVulns(self, ip, ReportHost):
		'''Gets vulns and associated services'''
		for tag in ReportHost.iter("ReportItem"):
			exploitable = False
			cves = []
			vuln_refs = {}
			proto = tag.get("protocol")
			port = tag.get("port")
			svc_name = tag.get("svc_name").replace("?","")

			tmpPort = proto+"/"+port
			if tmpPort.lower() == "tcp/443":
				portName = "https"
			elif tmpPort.lower() == "tcp/80":
				portName = "http"
			elif svc_name == "www":
				plugin_name = tag.get("pluginName")
				if "tls" in plugin_name.lower() or "ssl" in plugin_name.lower():
					portName = "https"
				else:
					portName = "http"
			else:
				portName = svc_name
			
			if "general" not in portName:
				created, db_port = self.Port.find_or_create(port_number=port, status='open', proto=proto, ip_address_id=ip.id)
				
				if db_port.service_name == "http":
					if portName == "https":
						db_port.service_name = portName
				elif db_port.service_name == "https":
					pass
				else:
					db_port.service_name = portName
				db_port.save()

				
				if tag.get("pluginID") == "56984":
					severity = 1
				elif tag.get("pluginID") == "11411":
					severity = 3
				else:
					severity = int(tag.get("severity"))

				findingName = tag.get("pluginName")
				description = tag.find("description").text

				if tag.find("solution") is not None and tag.find("solution") != "n/a":
					solution = tag.find("solution").text
				else:
					solution = "No Remediation From Nessus"

				nessCheck = self.nessCheckPlugin(tag)
				
				if nessCheck:
					if not db_port.info:
						db_port.info = {findingName:nessCheck}
					else:
						db_port.info[findingName] = nessCheck

					db_port.save()

				if tag.find("exploit_available") is not None:
					#print "\nexploit avalable for", findingName
					exploitable = True

				metasploits = tag.findall("metasploit_name")
				if metasploits:
					vuln_refs['metasploit'] = []
					for tmp in metasploits:
						vuln_refs['metasploit'].append(tmp.text)

				edb_id = tag.findall("edb-id")
				if edb_id:
					vuln_refs['edb-id'] = []
					for tmp in edb_id:
						vuln_refs['edb-id'].append(tmp.text)

				tmpcves = tag.findall("cve")
				for c in tmpcves:
					if c.text not in cves:
						cves.append(c.text)
				
				if not self.Vulnerability.find(name=findingName):
					created, db_vuln = self.Vulnerability.find_or_create(name=findingName, severity=severity, description=description, remediation=solution)
					db_vuln.ports.append(db_port)
					db_vuln.exploitable = exploitable
					if exploitable == True:
						print "\nexploit avalable for", findingName
						print
					if vuln_refs:
						db_vuln.exploit_reference = vuln_refs

				else:
					db_vuln = self.Vulnerability.find(name=findingName)
					db_vuln.ports.append(db_port)
					db_vuln.exploitable = exploitable
					if vuln_refs:
						if db_vuln.exploit_reference is not None:
							for key in vuln_refs.keys():
								if key not in db_vuln.exploit_reference.keys():
									db_vuln.exploit_reference[key] = vuln_refs[key]
								else:
									for ref in vuln_refs[key]:
										if ref not in db_vuln.exploit_reference[key]:
											db_vuln.exploit_reference[key].append(ref)
						else:
							db_vuln.exploit_reference = vuln_refs

				for cve in cves:
					if not self.CVE.find(name=cve):
						#print "Gathering CVE information for", cve
						try:
							res = json.loads(requests.get('http://cve.circl.lu/api/cve/%s' % cve).text)
							cveDescription = res['summary']
							cvss = float(res['cvss'])

						except:
							cveDescription = None
							cvss = None

						if not self.CVE.find(name=cve):
							created, db_cve = self.CVE.find_or_create(name=cve, description=cveDescription, temporal_score=cvss)
							db_cve.vulnerabilities.append(db_vuln)
						else:
							db_cve = self.CVE.find(name=cve)
							if db_cve.description is None and cveDescription is not None:
								db_cve.description = cveDescription
							if db_cve.temporal_score is None and cvss is not None:
								db_cve.temporal_score = cvss
							db_cve.vulnerabilities.append(db_vuln)


	def process_data(self, nFile, args):
		print "Reading",nFile
		tree = ET.parse(nFile)
		root = tree.getroot()
		skip = []
		for ReportHost in root.iter('ReportHost'):
			os = []
			hostname = ""
			hostIP = ""
			for HostProperties in ReportHost.iter("HostProperties"):
				for tag in HostProperties:
					if tag.get('name') == "host-ip":
						hostIP = tag.text
						
					if tag.get('name') == "host-fqdn":
						hostname = tag.text.lower()
						hostname = hostname.replace("www.","")

					if tag.get('name') == "operating-system":
						os = tag.text.split("\n")

			if hostIP:		#apparently nessus doesn't always have an IP to work with...

				if hostname:
					print "Gathering Nessus info for {} ( {} )".format(hostIP,hostname)
				else:
					print "Gathering Nessus info for",hostIP
					
				created, ip = self.IPAddress.find_or_create(ip_address=hostIP)

				
				if hostname:
					if not args.internal:

						created, domain = self.Domain.find_or_create(domain=hostname)
					
						if ip not in domain.ip_addresses:
							ip.save()
							domain.ip_addresses.append(ip)
							domain.save()


					else:
						created, domain = self.Domain.find_or_create(domain=hostname)

						if ip not in domain.ip_addresses:
							domain.ip_addresses.append(ip)
							domain.update()

						

				if os:
					for o in os:
						if not ip.OS:
							ip.OS = o
						else:
							if o not in ip.OS.split(" OR "):
								ip.OS += " OR "+o

				self.getVulns(ip, ReportHost)
				self.IPAddress.commit()

		return 
Exemplo n.º 23
0
 def __init__(self, db):
     self.db = db
     self.Port = PortRepository(db, self.name)
     self.IPAddress = IPRepository(db, self.name)
     self.ScopeCidr = ScopeCIDRRepository(db, self.name)
Exemplo n.º 24
0
 def __init__(self, db):
     self.Port = PortRepository(db)
Exemplo n.º 25
0
class Report(ReportTemplate):
    """
    This report displays all of the hosts sorted by service.
    """

    markdown = ["", "# ", "- "]

    name = ""

    def __init__(self, db):
        self.Ports = PortRepository(db)

    def run(self, args):
        # Cidrs = self.CIDR.
        results = {}

        ports = self.Ports.all()
        services = {}

        for p in ports:

            if (
                (args.scope == "active" and p.ip_address.in_scope)
                or (args.scope == "passive" and p.ip_address.passive_scope)
                or (args.scope == "all")
                and p.status == "open"
            ):
                if not services.get(p.proto, False):
                    services[p.proto] = {}

                if not services[p.proto].get(p.port_number, False):
                    services[p.proto][p.port_number] = {}

                services[p.proto][p.port_number][p.ip_address.ip_address] = {
                    "domains": [d.domain for d in p.ip_address.domains],
                    "svc": p.service_name,
                }

        res = []

        for p in sorted(services):
            for s in sorted(services[p]):

                res.append("\tProtocol: {} Port: {}".format(p, s))
                res.append("\n")
                for ip in sorted(services[p][s].keys()):
                    if services[p][s][ip]["domains"]:
                        res.append(
                            "\t\t{} ({}): {}".format(
                                ip,
                                services[p][s][ip]["svc"],
                                ", ".join(services[p][s][ip]["domains"]),
                            )
                        )
                    else:
                        res.append(
                            "\t\t{} ({}) (No domain)".format(
                                ip, services[p][s][ip]["svc"]
                            )
                        )
                res.append("\n")

        self.process_output(res, args)