Exemplo n.º 1
def snmp_walk(target_hosts, output_directory, quiet):
    """Dispatch an SNMP walk over a single address or a file of targets.

    Args:
        target_hosts: a single IP address or a path to a target list;
            ``valid_ip`` decides which handler runs.
        output_directory: results root, handed to ``check_directory`` before
            any scanning starts.
        quiet: passed through unchanged to the chosen handler.
    """
    check_directory(output_directory)

    # A lone address goes to target_ip; anything else is treated as a file.
    handler = target_ip if valid_ip(target_hosts) else target_file
    handler(target_hosts, output_directory, quiet)
Exemplo n.º 2
def snmp_walk(target_hosts, output_directory, quiet):
    """Run the SNMP stage for one address or for every address in a file.

    Args:
        target_hosts: single IP address (per ``valid_ip``) or a target-list path.
        output_directory: results root; ``check_directory`` is called on it first.
        quiet: forwarded unchanged to ``target_ip`` / ``target_file``.
    """
    check_directory(output_directory)

    # Guard clause: the file-of-targets case returns early, the single
    # address case falls through.
    if not valid_ip(target_hosts):
        target_file(target_hosts, output_directory, quiet)
        return
    target_ip(target_hosts, output_directory, quiet)
Exemplo n.º 3
def service_scan(target_hosts, output_directory, dns_server, quiet, quick):
    """Dispatch the service-scan stage over one address or a target file.

    Args:
        target_hosts: single IP address (per ``valid_ip``) or a target-list path.
        output_directory: results root; ``check_directory`` is called on it first.
        dns_server: forwarded unchanged to the handler.
        quiet: forwarded unchanged to the handler.
        quick: forwarded unchanged to the handler.
    """
    check_directory(output_directory)

    handler = target_ip if valid_ip(target_hosts) else target_file
    handler(target_hosts, output_directory, dns_server, quiet, quick)
Exemplo n.º 4
def service_scan(target_hosts, output_directory, dns_server, quiet, quick, no_udp_service_scan):
    """Dispatch the service-scan stage over one address or a target file.

    Args:
        target_hosts: single IP address (per ``valid_ip``) or a target-list path.
        output_directory: results root; ``check_directory`` is called on it first.
        dns_server: forwarded unchanged to the handler.
        quiet: forwarded unchanged to the handler.
        quick: forwarded unchanged to the handler.
        no_udp_service_scan: forwarded unchanged to the handler.
    """
    check_directory(output_directory)

    stage_args = (target_hosts, output_directory, dns_server, quiet, quick,
                  no_udp_service_scan)
    if not valid_ip(target_hosts):
        target_file(*stage_args)
        return
    target_ip(*stage_args)
Exemplo n.º 5
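def ping_sweeper(target_hosts, output_directory, quiet):
    """Ping-sweep ``target_hosts`` with nmap and record the live hosts.

    Live addresses are written one per line, with no trailing newline (the
    format the original produced), to ``<output_directory>/targets.txt``.

    Args:
        target_hosts: one nmap target specification (address, range such as
            ``10.0.0.1-50`` or CIDR). It is handed to nmap as a single
            argument, never through a shell.
        output_directory: destination directory; handed to ``check_directory``.
        quiet: accepted for signature compatibility; unused in this body.

    Raises:
        subprocess.CalledProcessError: if nmap exits non-zero.
    """
    check_directory(output_directory)
    output_file = os.path.join(output_directory, "targets.txt")

    print("[+] Writing discovered targets to: %s" % output_file)
    print("[+] Performing ping sweep over %s" % target_hosts)

    # Argument list instead of shell=True: target_hosts is user input and the
    # original string interpolation let shell metacharacters through. The
    # output is also decoded, since check_output returns bytes on Python 3
    # and the original split(b'...', "\n") raised TypeError.
    sweep = ["nmap", "-n", "-sP", target_hosts]
    results = subprocess.check_output(sweep).decode("utf-8", errors="replace")

    live_hosts = []
    for line in results.splitlines():
        line = line.strip()
        if "Nmap scan report for" not in line:
            continue
        parts = line.split(" ")
        if len(parts) < 5:
            continue
        # With -n nmap prints no hostname, so the address is the fifth token.
        ip_address = parts[4]
        live_hosts.append(ip_address)
        print("   [>] Discovered host: %s" % ip_address)

    # Context manager: the original left the handle open if anything raised.
    with open(output_file, 'w') as f:
        f.write("\n".join(live_hosts))

    print("[*] Found %s live hosts" % len(live_hosts))
    print("[*] Created target list %s" % output_file)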
Exemplo n.º 6
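def enum4linux(output_directory):
    """Run ``enum4linux -a`` against every host that had TCP/139 open.

    Reads ``<output_directory>/unicornscan_details_tcp.txt`` (tab-separated
    ``protocol  port  service  ip`` rows as written by ``unicorn_scan``),
    picks the hosts whose port column is exactly 139, and writes each
    enum4linux run to ``<output_directory>/<ip>/scans/enum4linux.txt``.
    Returns without doing anything when the details file is missing.

    Args:
        output_directory: directory tree produced by the earlier stages;
            handed to ``check_directory`` first.
    """
    import ipaddress  # local import: used only to validate scan-file input

    check_directory(output_directory)

    details = os.path.join(output_directory, 'unicornscan_details_tcp.txt')
    if not os.path.isfile(details):
        print("[!] %s missing, run the unicornscan stage first" % details)
        return

    ips = []
    with open(details, 'r') as f:
        for line in f:
            # Row layout: TCP open<TAB>139<TAB>netbios-ssn<TAB>10.11.1.5
            fields = line.strip().split('\t')
            if len(fields) < 4:
                continue
            # Exact match on the port column: the original substring test
            # ('139' in line[1]) also matched ports such as 1390 or 8139.
            if 'TCP open' in fields[0] and fields[1].strip() == '139':
                ips.append(fields[3].strip())

    print("[*] Found %s hosts with TCP/139 open" % len(ips))

    procs = []
    for ip in ips:
        # The address becomes a path component under output_directory, so
        # refuse anything from the scan file that is not a real address.
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            print("[!] Skipping malformed address from scan file: %r" % ip)
            continue

        scan_dir = os.path.join(output_directory, ip, 'scans')
        os.makedirs(scan_dir, exist_ok=True)
        out = open(os.path.join(scan_dir, 'enum4linux.txt'), 'w')
        # Argument list, no shell; the child inherits the file descriptor.
        procs.append((subprocess.Popen(['enum4linux', '-a', ip], stdout=out), out))

    # Wait for every child. The original waited only for the last one and
    # raised NameError (p unbound) when there were no hosts at all.
    for proc, out in procs:
        proc.wait()
        out.close()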
    '''
Exemplo n.º 7
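def target_file(target_hosts, output_directory, quiet):
    """Start one SNMP scan process per address listed in a target file.

    Args:
        target_hosts: target specification handed to ``load_targets``, which
            returns the path of the file to read.
        output_directory: root under which ``<ip>/scans/snmp`` is passed to
            ``check_directory`` and then to ``snmp_scans`` for each address.
        quiet: passed through to ``load_targets``.

    The scan processes are started but not joined here, as in the original.
    """
    targets = load_targets(target_hosts, output_directory, quiet)

    # Single open: the original opened the file twice (leaking the first
    # handle) and its except branch could never run because the unguarded
    # open came first. A failure now reports and returns instead of
    # continuing with an unusable handle.
    try:
        fh = open(targets, "r")
    except OSError as e:
        print("[!] Unable to load: %s (%s)" % (targets, e))
        return
    print("[*] Loaded targets from: %s" % (targets))

    jobs = []
    with fh:
        for ip_address in fh:
            ip_address = ip_address.strip()
            if not ip_address:
                continue  # a blank line would otherwise yield "<dir>//scans/snmp"

            snmp_directory = output_directory + '/' + ip_address + "/scans/snmp"
            check_directory(snmp_directory)

            p = multiprocessing.Process(target=snmp_scans,
                                        args=(ip_address, snmp_directory))
            jobs.append(p)
            p.start()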
Exemplo n.º 8
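def ping_sweeper(target_hosts, output_directory, quiet):
    """Ping-sweep ``target_hosts`` with nmap and record the live hosts.

    Live addresses are written one per line, with no trailing newline (the
    format the original produced), to ``<output_directory>/targets.txt``.

    Args:
        target_hosts: one nmap target specification (address, range such as
            ``10.0.0.1-50`` or CIDR). It is handed to nmap as a single
            argument, never through a shell.
        output_directory: destination directory; handed to ``check_directory``.
        quiet: accepted for signature compatibility; unused in this body.

    Raises:
        subprocess.CalledProcessError: if nmap exits non-zero.
    """
    check_directory(output_directory)
    output_file = os.path.join(output_directory, "targets.txt")

    print("[+] Writing targets to: %s" % output_file)
    print("[+] Performing ping sweep over %s" % target_hosts)

    # Argument list instead of shell=True: target_hosts is user input and the
    # original string interpolation let shell metacharacters through. The
    # output is decoded because check_output returns bytes on Python 3 and
    # the original split(b'...', "\n") raised TypeError.
    sweep = ["nmap", "-n", "-sP", target_hosts]
    results = subprocess.check_output(sweep).decode("utf-8", errors="replace")

    live_hosts = []
    for line in results.splitlines():
        line = line.strip()
        if "Nmap scan report for" not in line:
            continue
        parts = line.split(" ")
        if len(parts) < 5:
            continue
        # With -n nmap prints no hostname, so the address is the fifth token.
        ip_address = parts[4]
        live_hosts.append(ip_address)
        print("   [>] Discovered host: %s" % ip_address)

    # Context manager: the original left the handle open if anything raised.
    with open(output_file, 'w') as f:
        f.write("\n".join(live_hosts))

    print("[*] Found %s live hosts" % len(live_hosts))
    print("[*] Created target list %s" % output_file)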
Exemplo n.º 9
def target_ip(target_hosts, output_directory, quiet):
    """Start an SNMP scan process for a single address.

    Args:
        target_hosts: the one target address; surrounding whitespace is stripped.
        output_directory: root under which ``<ip>/scans/snmp/`` is passed to
            ``check_directory`` and then to ``snmp_scans``.
        quiet: accepted for signature compatibility; unused in this body.

    The child process is started and not joined, as in the original.
    """
    print("[*] Loaded single target: %s" % target_hosts)
    address = target_hosts.strip()

    scan_dir = output_directory + '/' + address + '/scans/snmp/'
    check_directory(scan_dir)

    worker = multiprocessing.Process(target=snmp_scans, args=(address, scan_dir))
    worker.start()
Exemplo n.º 10
def target_ip(target_hosts, output_directory, quiet):
    """Spawn the SNMP scan for one address.

    Args:
        target_hosts: the one target address (stripped of whitespace before use).
        output_directory: root directory; ``<ip>/scans/snmp/`` under it is
            handed to ``check_directory`` and ``snmp_scans``.
        quiet: accepted for signature compatibility; unused in this body.

    Returns nothing; the process is started without being joined.
    """
    print("[*] Loaded single target: %s" % target_hosts)
    target_hosts = target_hosts.strip()

    snmp_directory = "".join([output_directory, '/', target_hosts, '/scans/snmp/'])
    check_directory(snmp_directory)

    multiprocessing.Process(
        target=snmp_scans,
        args=(target_hosts, snmp_directory),
    ).start()
Exemplo n.º 11
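def arp_scan(target_hosts, output_directory, quiet, interface):
    """ARP-scan the local segment and record every address that answered.

    Writes ``arp_details.txt`` (``ip mac vendor`` per line) and
    ``arp_targets.txt`` (``ip`` per line) under ``output_directory``, with no
    trailing newline, as the original did.

    Args:
        target_hosts: path to a file of targets (passed to arp-scan with
            ``-f``) or a single target spec. A short range such as
            ``10.0.0.1-50`` is expanded to ``10.0.0.1-10.0.0.50``; a range
            whose end is already a full address is passed through unchanged.
        output_directory: destination directory; handed to ``check_directory``.
        quiet: accepted for signature compatibility; unused in this body.
        interface: optional interface name for ``--interface``.

    Raises:
        subprocess.CalledProcessError: if arp-scan exits non-zero.
    """
    check_directory(output_directory)

    # Build an argument vector. The original interpolated target_hosts and
    # interface into a shell=True string, which allows command injection
    # from either value.
    sweep = ["arp-scan"]
    if interface:
        sweep.append("--interface=%s" % interface)

    if os.path.isfile(target_hosts):
        sweep.extend(["-f", target_hosts])
    else:
        if "-" in target_hosts:
            start_ip, end = target_hosts.split("-", 1)
            # "a.b.c.x-y" -> "a.b.c.x-a.b.c.y". An end that already contains a
            # dot is a full address; the original's int() raised on it.
            if "." not in end:
                base_ip = start_ip[:start_ip.rfind(".")]
                target_hosts = "%s-%s.%d" % (start_ip, base_ip, int(end))
        sweep.append(target_hosts)

    results = subprocess.check_output(sweep).decode("utf-8", errors="replace")

    hostnames = 0
    with open(output_directory + "/arp_details.txt", 'w') as f, \
            open(output_directory + "/arp_targets.txt", 'w') as t:
        print("[+] Writing hostnames to: %s" % (f.name))
        for line in results.split("\n"):
            line = line.strip()

            # Host rows are tab-separated "<ip>\t<mac>\t<vendor>"; lines
            # without a tab (arp-scan banner / summary) are skipped.
            if '\t' not in line:
                continue
            fields = line.split("\t")
            if len(fields) < 3:
                continue  # short row; the original raised IndexError here
            ip_address, mac, make = fields[0], fields[1], fields[2]

            if hostnames > 0:
                f.write('\n')
                t.write('\n')

            print("   [>] Discovered live IP: %s (%s - %s)" %
                  (ip_address, mac, make))
            f.write("%s %s %s" % (ip_address, mac, make))
            t.write("%s" % (ip_address))
            hostnames += 1

        print("[*] Found %s IPs that respond to ARP." % (hostnames))
        print("[*] Created ARP lists %s and %s" % (f.name, t.name))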
Exemplo n.º 12
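def find_dns(target_hosts, output_directory, quiet):
    """Probe TCP/53 on every target and record the hosts that run DNS.

    Writes ``DNS-Detailed.txt`` (a header line plus the matching nmap lines
    for each DNS host) and ``DNS-targets.txt`` (one address per line) under
    ``output_directory``.

    Args:
        target_hosts: passed to ``load_targets``, which returns the path of
            the target list to read.
        output_directory: destination directory; handed to ``check_directory``.
        quiet: passed through to ``load_targets``.

    Raises:
        subprocess.CalledProcessError: if an nmap run exits non-zero.
    """
    check_directory(output_directory)

    hostcount = 0
    dnscount = 0

    targets = load_targets(target_hosts, output_directory, quiet)
    print("[*] Loaded targets from: %s" % targets)
    print("[*] Enumerating TCP port 53 over targets to find dns-servers")

    # Fixes over the original: the targets path lacked its "/" separator,
    # hostcount was misspelled (NameError on the first host), results.slit()
    # was a typo, addresses were written back-to-back with no newline, and
    # the files were never closed on error.
    with open(targets, 'r') as target_file, \
            open(output_directory + "/DNS-Detailed.txt", 'w') as output_file, \
            open(output_directory + "/DNS-targets.txt", 'w') as output_targets:
        for ip_address in target_file:
            ip_address = ip_address.strip()
            if not ip_address:
                continue
            hostcount += 1

            print("    [<] Testing %s for DNS" % ip_address)

            # Argument list, not shell=True: the address comes from a file.
            dnsscan = ["nmap", "-n", "-sV", "-Pn", "-vv", "-p53", ip_address]
            results = subprocess.check_output(dnsscan).decode("utf-8", errors="replace")

            matches = [line.strip() for line in results.splitlines()
                       if "53/tcp" in line and "open" in line]
            if not matches:
                continue

            # Count and list each host once: with -vv nmap may print more
            # than one line containing both tokens for the same port, and
            # the original counted every such line as a separate server.
            print("    [=] Found DNS service running on: %s" %
                  (ip_address))
            output_file.write("[*] Found DNS service running on: %s\n" %
                              (ip_address))
            for line in matches:
                output_file.write("    [>] %s\n" % (line))
            output_targets.write("%s\n" % (ip_address))
            dnscount += 1

    print("[*] Found %s DNS servers within %s hosts" %
          (str(dnscount), str(hostcount)))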
Exemplo n.º 13
def ping_sweeper(target_hosts, output_directory, quiet):
    """Ping-sweep ``target_hosts`` and write the live hosts to targets.txt.

    The nmap run, the parsing and the file write are delegated to
    ``call_nmap_sweep``, ``parse_nmap_output_for_live_hosts`` and
    ``write_live_hosts_list_to_file``; this function sequences them and
    reports progress.

    Args:
        target_hosts: target specification handed to ``call_nmap_sweep``.
        output_directory: directory for ``targets.txt``; handed to
            ``check_directory`` first.
        quiet: accepted for signature compatibility; unused in this body.
    """
    check_directory(output_directory)
    output_file = output_directory + "/targets.txt"
    print("[+] Performing ping sweep over %s" % target_hosts)

    live_hosts = parse_nmap_output_for_live_hosts(call_nmap_sweep(target_hosts))
    write_live_hosts_list_to_file(output_file, live_hosts)

    for message in ("   [>] Discovered host: %s" % host for host in live_hosts):
        print(message)

    print("[*] Found %s live hosts" % len(live_hosts))
    print("[*] Created target list %s" % output_file)
Exemplo n.º 14
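def hostname_scan(target_hosts, output_directory, quiet):
    """Resolve NetBIOS hostnames with ``nbtscan -q`` and record them.

    Writes ``<output_directory>/hostnames.txt`` with one ``<host> - <ip>``
    row per discovered name (no trailing newline, as the original).

    Args:
        target_hosts: path to a target file (passed with ``-f``) or a single
            nbtscan target spec such as a CIDR or range.
        output_directory: destination directory; handed to ``check_directory``.
        quiet: accepted for signature compatibility; unused in this body.

    Raises:
        subprocess.CalledProcessError: if nbtscan exits non-zero.
    """
    check_directory(output_directory)

    # Fixed: the original glued "hostnames.txt" onto the directory with no
    # separator and referenced an undefined `hostname` variable (NameError
    # on the first row).
    output_file = os.path.join(output_directory, "hostnames.txt")
    print("[+] Writing hostnames to: %s" % (output_file))

    # Argument list, never shell=True: target_hosts is user input.
    if os.path.isfile(target_hosts):
        sweep = ["nbtscan", "-q", "-f", target_hosts]
    else:
        sweep = ["nbtscan", "-q", target_hosts]
    results = subprocess.check_output(sweep).decode("utf-8", errors="replace")

    hostnames = 0
    with open(output_file, 'w') as f:
        for line in results.splitlines():
            # The original parsing assumed the first two whitespace-separated
            # columns are the address and the name; split() collapses the
            # runs of spaces and skips the blank trailer line.
            parts = line.split()
            if len(parts) < 2:
                continue
            ip_address, host = parts[0], parts[1]

            if hostnames > 0:
                f.write("\n")

            print("    [>] Discovered hostname: %s (%s)" % (host, ip_address))
            f.write("%s - %s" % (host, ip_address))
            hostnames += 1

    print("[*] Found %s hostnames." % str(hostnames))
    print("[*] Created hostname list %s" % (output_file))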
Exemplo n.º 15
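def hostname_scan(target_hosts, output_directory, quiet):
    """Resolve NetBIOS hostnames with ``nbtscan -q`` and record them.

    Writes ``<output_directory>/hostnames.txt`` with one ``<host> - <ip>``
    row per discovered name (no trailing newline, as the original).

    Args:
        target_hosts: path to a target file (passed with ``-f``) or a single
            nbtscan target spec such as a CIDR or range.
        output_directory: destination directory; handed to ``check_directory``.
        quiet: accepted for signature compatibility; unused in this body.

    Raises:
        subprocess.CalledProcessError: if nbtscan exits non-zero.
    """
    check_directory(output_directory)
    output_file = os.path.join(output_directory, "hostnames.txt")
    print("[+] Writing hostnames to: %s" % output_file)

    # Argument list, never shell=True: target_hosts is user input. The
    # output is decoded because check_output returns bytes on Python 3 and
    # the original split(b'...', "\n") raised TypeError.
    if os.path.isfile(target_hosts):
        sweep = ["nbtscan", "-q", "-f", target_hosts]
    else:
        sweep = ["nbtscan", "-q", target_hosts]
    results = subprocess.check_output(sweep).decode("utf-8", errors="replace")

    hostnames = 0
    with open(output_file, 'w') as f:
        for line in results.splitlines():
            # The original parsing assumed the first two whitespace-separated
            # columns are the address and the name; split() collapses the
            # runs of spaces and skips the blank trailer line.
            parts = line.split()
            if len(parts) < 2:
                continue
            ip_address, host = parts[0], parts[1]

            if hostnames > 0:
                f.write('\n')

            print("   [>] Discovered hostname: %s (%s)" % (host, ip_address))
            f.write("%s - %s" % (host, ip_address))
            hostnames += 1

    print("[*] Found %s hostnames." % (hostnames))
    print("[*] Created hostname list %s" % (output_file))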
Exemplo n.º 16
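def target_file(target_hosts, output_directory, quiet):
    """Start one SNMP scan process per address listed in a target file.

    Args:
        target_hosts: target specification handed to ``load_targets``, which
            returns the path of the file to read.
        output_directory: root under which ``<ip>/scans/snmp/`` is passed to
            ``check_directory`` and then to ``snmp_scans`` for each address.
        quiet: passed through to ``load_targets``.

    The scan processes are started but not joined here, as in the original.
    """
    targets = load_targets(target_hosts, output_directory, quiet)

    # Single open: the original opened the file twice (leaking the first
    # handle) and its except branch could never run because the unguarded
    # open came first. A failure now reports and returns.
    try:
        fh = open(targets, 'r')
    except OSError as e:
        print("[!] Unable to load: %s (%s)" % (targets, e))
        return
    print("[*] Loaded targets from: %s" % targets)

    jobs = []
    with fh:
        for ip_address in fh:
            ip_address = ip_address.strip()
            if not ip_address:
                continue  # a blank line would otherwise yield "<dir>//scans/snmp/"

            snmp_directory = output_directory + '/' + ip_address + '/scans/snmp/'
            check_directory(snmp_directory)

            p = multiprocessing.Process(target=snmp_scans, args=(ip_address, snmp_directory))
            jobs.append(p)
            p.start()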
Exemplo n.º 17
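def find_dns(target_hosts, output_directory, quiet):
    """Probe TCP/53 on every target and record the hosts that run DNS.

    Writes ``DNS-Detailed.txt`` (a header line plus the matching nmap lines
    for each DNS host) and ``DNS-targets.txt`` (one address per line) under
    ``output_directory``.

    Args:
        target_hosts: passed to ``load_targets``, which returns the path of
            the target list to read.
        output_directory: destination directory; handed to ``check_directory``.
        quiet: passed through to ``load_targets``.

    Raises:
        subprocess.CalledProcessError: if an nmap run exits non-zero.
    """
    check_directory(output_directory)
    hostcount = 0
    dnscount = 0

    targets = load_targets(target_hosts, output_directory, quiet)
    print("[*] Loaded targets from: %s" % targets)
    print("[+] Enumerating TCP port 53 over targets to find dns servers")

    # Fixes over the original: check_output returns bytes on Python 3 so the
    # split("\n") raised TypeError, addresses were written back-to-back with
    # no newline, and the files were never closed on error.
    with open(targets, 'r') as target_file, \
            open(output_directory + "/DNS-Detailed.txt", 'w') as output_file, \
            open(output_directory + "/DNS-targets.txt", 'w') as output_targets:
        for ip_address in target_file:
            ip_address = ip_address.strip()
            if not ip_address:
                continue
            hostcount += 1

            print("   [>] Testing %s for DNS" % ip_address)
            # Argument list, not shell=True: the address comes from a file.
            dnsscan = ["nmap", "-n", "-sV", "-Pn", "-vv", "-p53", ip_address]
            results = subprocess.check_output(dnsscan).decode("utf-8", errors="replace")

            matches = [line.strip() for line in results.splitlines()
                       if "53/tcp" in line and "open" in line]
            if not matches:
                continue

            # Count and list each host once: with -vv nmap may print more
            # than one line containing both tokens for the same port, and
            # the original counted every such line as a separate server.
            print("      [=] Found DNS service running on: %s" % (ip_address))
            output_file.write("[*] Found DNS service running on: %s\n" % (ip_address))
            for line in matches:
                output_file.write("   [>] %s\n" % (line))
            output_targets.write("%s\n" % (ip_address))
            dnscount += 1

    print("[*] Found %s DNS servers within %s hosts" % (str(dnscount), str(hostcount)))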
Exemplo n.º 18
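def hostname_scan(target_hosts, output_directory, quiet, dns_server):
    """Collect hostnames via NetBIOS (nbtscan) and reverse DNS (nslookup).

    Phase 1 writes ``hostnames_netbios.txt`` (``<host> - <ip>`` per line)
    from an ``nbtscan -q`` run over ``target_hosts``. Phase 2 reverse-resolves
    every address named by ``target_hosts`` against ``dns_server`` (or, when
    that is not given, the first line of ``dns_servers_targets.txt`` in
    ``output_directory``) and writes ``hostnames_dns.txt`` (``<ip> <name>``)
    and ``hostnames_dns_targets.txt`` (``<ip>``). Neither file has a
    trailing newline, as in the original.

    Args:
        target_hosts: path to a file of addresses (one per line), a range
            such as ``10.0.0.1-50`` (inclusive), or a single target spec.
        output_directory: destination directory; handed to ``check_directory``.
        quiet: accepted for signature compatibility; unused in this body.
        dns_server: resolver to query, or a false value to use the one
            discovered by an earlier ``--dns`` run.

    Raises:
        subprocess.CalledProcessError: if nbtscan exits non-zero. nslookup
            failures are skipped per address.
    """
    check_directory(output_directory)

    _netbios_hostnames(target_hosts, output_directory + "/hostnames_netbios.txt")

    ips = _expand_targets(target_hosts)

    # Truthiness instead of `!= False`: None or "" also fall back to the
    # discovered server rather than being passed to nslookup literally.
    if not dns_server:
        servers_file = output_directory + "/dns_servers_targets.txt"
        if not os.path.isfile(servers_file):
            print(
                "[*] dns_servers_targets.txt missing, run with --dns option first, or specify DNS server with --dns-server"
            )
            return
        with open(servers_file, 'r') as f:
            dns_server = f.readline().strip()

    _reverse_dns_hostnames(ips, dns_server,
                           output_directory + "/hostnames_dns.txt",
                           output_directory + "/hostnames_dns_targets.txt")


def _netbios_hostnames(target_hosts, out_path):
    """Run ``nbtscan -q`` over ``target_hosts`` and write ``<host> - <ip>`` rows to ``out_path``."""
    # Argument list, never shell=True: target_hosts is user input.
    if os.path.isfile(target_hosts):
        sweep = ["nbtscan", "-q", "-f", target_hosts]
    else:
        sweep = ["nbtscan", "-q", target_hosts]
    results = subprocess.check_output(sweep).decode("utf-8", errors="replace")

    hostnames = 0
    with open(out_path, 'w') as f:
        print("[+] Writing hostnames to: %s" % (f.name))
        for line in results.split("\n"):
            # The first two whitespace-separated columns are taken as the
            # address and the name (as the original parsing assumed); the
            # blank trailer line is skipped.
            parts = line.split()
            if len(parts) < 2:
                continue
            ip_address, host = parts[0], parts[1]

            if hostnames > 0:
                f.write('\n')

            print("   [>] Discovered hostname: %s (%s)" % (host, ip_address))
            f.write("%s - %s" % (host, ip_address))
            hostnames += 1

        print("[*] Found %s NETBIOS hostnames." % (hostnames))
        print("[*] Created hostname list %s" % (f.name))


def _expand_targets(target_hosts):
    """Return the list of addresses named by ``target_hosts``.

    A file yields its non-empty lines; ``a.b.c.x-y`` yields x..y inclusive;
    anything else is returned as a single entry.
    """
    if os.path.isfile(target_hosts):
        with open(target_hosts, 'r') as f:
            return [line.strip() for line in f if line.strip()]
    if "-" in target_hosts:
        start_ip, end = target_hosts.split("-", 1)
        base_ip = start_ip[:start_ip.rfind(".")]
        start = int(start_ip[start_ip.rfind(".") + 1:])
        # +1: "1-50" means 1 through 50; the original range() stopped at 49.
        return [base_ip + "." + str(i) for i in range(start, int(end) + 1)]
    return [target_hosts]


def _reverse_dns_hostnames(ips, dns_server, names_path, targets_path):
    """Reverse-resolve ``ips`` with ``nslookup <ip> <dns_server>`` and write the results."""
    results = ""
    for ip in ips:
        ip = ip.strip()
        # Argument list rather than a shell string: both values are user- or
        # scan-file-controlled. stderr is left inherited, as before.
        proc = subprocess.run(["nslookup", ip, dns_server], stdout=subprocess.PIPE)
        if proc.returncode != 0:
            continue  # best-effort, as the original: a failed lookup is skipped
        results += proc.stdout.decode("utf-8", errors="replace")

    hostnames = 0
    with open(names_path, 'w') as f, open(targets_path, 'w') as t:
        print("[+] Writing hostnames to: %s" % (f.name))
        for line in results.split("\n"):
            line = line.strip()
            if "in-addr.arpa" not in line:
                continue
            # "1.0.0.10.in-addr.arpa\tname = host.example.com." becomes
            # "1.0.0.10 host.example.com." and then, with the octets reversed
            # and the trailing dot dropped, "10.0.0.1 host.example.com".
            line2 = line.replace(".in-addr.arpa\tname = ", " ")
            parts = line2.split(' ')
            if len(parts) < 2:
                continue  # the original raised IndexError on such a line
            line2 = '.'.join(reversed(parts[0].split('.'))) + ' ' + parts[1][:-1]
            print("   [>] Discovered hostname: %s" % (line2))
            # Separator BEFORE every entry after the first: the original
            # wrote it after, which glued the first two entries together.
            if hostnames > 0:
                f.write('\n')
                t.write('\n')
            f.write("%s" % (line2.strip()))
            t.write("%s" % (line2.strip().split(' ')[0]))
            hostnames += 1

        print("[*] Found %s DNS hostnames." % (hostnames))
        print("[*] Created hostname list %s" % (f.name))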
Exemplo n.º 19
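def unicorn_scan(target_hosts, output_directory, quiet, interface, pps):
    """Full TCP (SYN) and UDP port sweep of every target with unicornscan.

    Per-port rows (``protocol<TAB>port<TAB>service<TAB>ip``) go to
    ``unicornscan_details_tcp.txt`` / ``unicornscan_details_udp.txt``; the
    distinct open ports, comma-separated and sorted numerically, go to
    ``unicornscan_ports_tcp.txt`` / ``unicornscan_ports_udp.txt``.

    Args:
        target_hosts: file of addresses (one per line), a range such as
            ``10.0.0.1-50`` (inclusive), a CIDR, or a single address.
        output_directory: destination directory; handed to ``check_directory``.
        quiet: accepted for signature compatibility; unused in this body.
        interface: optional interface name for ``--interface``.
        pps: packets-per-second rate passed to ``--pps``.

    Raises:
        subprocess.CalledProcessError: if a unicornscan run exits non-zero.
    """
    check_directory(output_directory)

    # Expand the target spec; a CIDR or single address is passed through.
    if os.path.isfile(target_hosts):
        with open(target_hosts, 'r') as f:
            ips = [line.strip() for line in f if line.strip()]
    elif "-" in target_hosts:
        start_ip, end = target_hosts.split("-", 1)
        base_ip = start_ip[:start_ip.rfind(".")]
        start = int(start_ip[start_ip.rfind(".") + 1:])
        # +1: "1-50" means 1 through 50; the original range() stopped at 49.
        ips = [base_ip + "." + str(i) for i in range(start, int(end) + 1)]
    else:
        ips = [target_hosts]

    # Argument list instead of a shell=True string: pps, interface and the
    # targets are all user-controlled.
    base_cmd = ["unicornscan", "-R", "1", "--pps", str(pps)]
    if interface:
        base_cmd.append("--interface=%s" % interface)

    ports_tcp = set()
    ports_udp = set()

    with open(output_directory + "/unicornscan_details_tcp.txt", 'w') as t, \
            open(output_directory + "/unicornscan_details_udp.txt", 'w') as u:
        print("[+] Writing unicornscan results to: %s and %s" % (t.name, u.name))

        for ip in ips:
            # -mT: SYN scan of all TCP ports; -mU: all UDP ports. The two
            # passes were copy-pasted in the original; they differ only here.
            for mode, label, out, ports in (("-mT", "TCP", t, ports_tcp),
                                            ("-mU", "UDP", u, ports_udp)):
                cmd = base_cmd + [mode, ip + ":a"]
                print(" ".join(cmd))
                output = subprocess.check_output(cmd).decode("utf-8", errors="replace")
                found = 0
                for protocol, port, service, ip_address in _parse_unicornscan(output):
                    print("   [>] Discovered open port: %s\t%s\t%s\t%s" %
                          (protocol, port, service, ip_address))
                    out.write("%s\t%s\t%s\t%s\n" %
                              (protocol, port, service, ip_address))
                    ports.add(port)
                    found += 1
                print("[*] Found %s open %s ports on %s" % (found, label, ip))

        print("[*] Created unicornscan lists %s and %s" % (t.name, u.name))

    with open(os.path.join(output_directory, "unicornscan_ports_tcp.txt"), 'w') as tp, \
            open(os.path.join(output_directory, "unicornscan_ports_udp.txt"), 'w') as up:
        tp.write(_port_list(ports_tcp))
        up.write(_port_list(ports_udp))


def _parse_unicornscan(output):
    """Yield ``(protocol, port, service, ip)`` for each open-port row of unicornscan output.

    Rows look like ``TCP open\t     netbios-ssn[  139]\t\tfrom 10.11.1.5  ttl 128``;
    a line that does not split into exactly four tab-separated fields, or
    whose fields do not have that shape, is skipped.
    """
    for line in output.split("\n"):
        fields = line.split('\t')
        # `len(line) is 4` in the original compared by identity; use ==.
        if len(fields) != 4:
            continue
        protocol = fields[0].strip()
        name, bracket, rest = fields[1].partition('[')
        if not bracket or not rest:
            continue
        service = name.strip()
        port = rest[:-1].strip()   # drop the closing "]"
        from_parts = fields[3].split(' ')
        if len(from_parts) < 2:
            continue
        ip_address = from_parts[1].strip()
        yield protocol, port, service, ip_address


def _port_list(ports):
    """Comma-join a set of port strings, numeric ports first in ascending order."""
    def sort_key(port):
        return (0, int(port)) if port.isdigit() else (1, port)
    return ','.join(sorted(ports, key=sort_key))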