Exemplo n.º 1
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name":
                self.proto + "_nmap_" + self.port,
                "cmd":
                'nmap -n -sV --script memcached-info -p ' + self.port + ' ' +
                self.host,
                "shell":
                True,
                "chain":
                False
            },
            {
                "name": self.proto + "_stats_" + self.port,
                "cmd":
                'echo -e "stats\n" | nc -vn ' + self.host + ' ' + self.port,
                "shell": True,
                "chain": False
            },
        ]
Exemplo n.º 2
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        msfmodules = [
            {
                "path": "auxiliary/scanner/sap/sap_service_discovery",
                "toset": {
                    "RHOSTS": self.host
                }
            },
            {
                "path": "auxiliary/scanner/sap/sap_router_info_request",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
        ]
        self.cmds.append({
            "name": self.proto + "_msf_" + self.port,
            "cmd": self.create_msf_cmd(msfmodules),
            "shell": True,
            "chain": False
        })
Exemplo n.º 3
0
    def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)


        self.cmds = [
            {"name": self.proto + "_nmap_"+self.port, "cmd": 'nmap -n --scripts "imap* and default" -sV -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},

        ]

        if self.proto == "imap":
            self.cmds.append({"name": self.proto + "_version_"+self.port, "cmd": 'nc -w 10 -q 1 -vn ' + self.host + ' ' + self.port + ' </dev/null', "shell": True, "chain": False})
        else:
            self.cmds.append({"name": self.proto + "_version_"+self.port, "cmd": 'echo "A1 Logout" | openssl s_client -connect '+self.host+':'+self.port+' -crlf -quiet', "shell": True, "chain": False})


        msfmodules = [{"path": "auxiliary/scanner/imap/imap_version", "toset": {"RHOSTS": self.host, "RPORT": self.port}}]

        self.cmds.append({"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            ssl = " -S " if self.proto is "imaps" else ""  # Check if SSL is needed
            if username != "":
                self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -l '+self.username+' -P '+self.plist + ssl +' -s '+self.port+' '+self.host+' imap', "shell": True, "chain": False}]
            else:
                self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -L ' + self.ulist + ' -P '+self.plist + ssl +' -s ' + self.port + ' ' + self.host + ' imap', "shell": True, "chain": False}]
Exemplo n.º 4
0
    def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)

        self.cmds = [
            {"name": "ftp_nmap_"+self.port, "cmd": 'nmap -n -sV --script "ftp* and default" -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
            {"name": "ftp_version_"+self.port, "cmd": 'nc -w 10 -q 1 -vn ' + self.host + ' ' + self.port + ' </dev/null', "shell": True, "chain": False},

        ]

        msfmodules = [{"path": "auxiliary/scanner/ftp/anonymous", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
                      {"path": "auxiliary/scanner/ftp/ftp_version", "toset": {"RHOSTS": self.host, "RPORT": self.port}},]

        self.cmds.append({"name": "ftp_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})

        if self.intensity >= "2":
            self.cmds.append({"name": "ftp_nmap_vuln_"+self.port, "cmd": 'nmap -sV --script "ftp* and vuln" -p ' + self.port + ' ' + self.host, "shell": True, "chain": False})
            msfmodules_vuln = [
                {"path": "auxiliary/scanner/ftp/bison_ftp_traversal", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
                {"path": "auxiliary/scanner/ftp/colorado_ftp_traversal", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
                {"path": "auxiliary/scanner/ftp/easy_file_sharing_ftp", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
                {"path": "auxiliary/scanner/ftp/konica_ftp_traversal", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
                {"path": "auxiliary/scanner/ftp/pcman_ftp_traversal", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
                {"path": "auxiliary/scanner/ftp/titanftp_xcrc_traversal", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
            ]
            self.cmds.append({"name": "ftp_msf_vuln_"+self.port, "cmd": self.create_msf_cmd(msfmodules_vuln), "shell": True, "chain": False})

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            if username != "":
                self.cmds = [{"name": "ftp_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -l '+self.username+' -P '+self.plist+' -s '+self.port+' '+self.host+' ftp', "shell": True, "chain": False}]
            else:
                self.cmds = [{"name": "ftp_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist + ' -s ' + self.port + ' ' + self.host + ' ftp',"shell": True, "chain": False}]
Exemplo n.º 5
0
    def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)

        self.cmds = [
            {"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -n --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},

        ]

        msfmodules = [{"path": "auxiliary/scanner/mssql/mssql_ping", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
                      ]
        self.cmds.append({"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})

        if self.intensity >= "2":
            self.extra_info = "If you set the username and password, more authenticated metasploit modules will be executed."
            if username != "" and password != "":
                msfmodules_auth = [
                    {"path": "auxiliary/admin/mssql/mssql_enum", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
                    {"path": "admin/mssql/mssql_enum_domain_accounts", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
                    {"path": "admin/mssql/mssql_enum_sql_logins", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
                    {"path": "auxiliary/admin/mssql/mssql_escalate_dbowner", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
                    {"path": "auxiliary/admin/mssql/mssql_escalate_execute_as", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
                    {"path": "auxiliary/admin/mssql/mssql_exec", "toset": {"RHOSTS": self.host, "RPORT": self.port, "CMD": "ipconfig", "USERNAME": self.username, "PASSWORD": self.password}},
                    {"path": "auxiliary/admin/mssql/mssql_findandsampledata", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
                    {"path": "auxiliary/scanner/mssql/mssql_hashdump", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
                    {"path": "auxiliary/scanner/mssql/mssql_schemadump", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USERNAME": self.username, "PASSWORD": self.password}},
                    ]
                self.cmds.append({"name": self.proto+"_msf_auth_"+self.port, "cmd": self.create_msf_cmd(msfmodules_auth), "shell": True, "chain": False})

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            if username != "":
                self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -l '+self.username+' -P '+self.plist+' -s '+self.port+' '+self.host+' mssql', "shell": True, "chain": False}]
            else:
                self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist + ' -s ' + self.port + ' ' + self.host + ' mssql', "shell": True, "chain": False}]
Exemplo n.º 6
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            if username != "":
                self.cmds = [{
                    "name":
                    self.proto + "_brute_hydra_" + self.port,
                    "cmd":
                    'hydra -f -e ns -l ' + self.username + ' -s ' + self.port +
                    ' ' + self.host + ' rsh',
                    "shell":
                    True,
                    "chain":
                    False
                }]
            else:
                self.cmds = [{
                    "name":
                    self.proto + "_brute_hydra_" + self.port,
                    "cmd":
                    'hydra -f -e ns -L ' + self.ulist + ' -s ' + self.port +
                    ' ' + self.host + ' rsh',
                    "shell":
                    True,
                    "chain":
                    False
                }]
Exemplo n.º 7
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [{
            "name": self.proto + "_rpcdump",
            "cmd": 'python $(which rpcdump.py) -p 135 ' + self.host +
            " || echo 'rpcdump.py is not in path!'",
            "shell": True,
            "chain": False
        }, {
            "name":
            self.proto + "_nmap_" + self.port,
            "cmd":
            "nmap -n -sV --script=msrpc-enum -p " + self.port + " " +
            self.host,
            "shell":
            True,
            "chain":
            False
        }]

        msfmodules = [{
            "path": "scanner/dcerpc/endpoint_mapper",
            "toset": {
                "RHOSTS": self.host,
                "RPORT": self.port
            }
        }, {
            "path": "auxiliary/scanner/dcerpc/management",
            "toset": {
                "RHOSTS": self.host,
                "RPORT": self.port
            }
        }, {
            "path": "auxiliary/scanner/dcerpc/tcp_dcerpc_auditor",
            "toset": {
                "RHOSTS": self.host,
                "RPORT": self.port
            }
        }, {
            "path": "auxiliary/scanner/dcerpc/hidden",
            "toset": {
                "RHOSTS": self.host,
                "RPORT": self.port
            }
        }]

        self.cmds.append({
            "name": self.proto + "_msf_" + self.port,
            "cmd": self.create_msf_cmd(msfmodules),
            "shell": True,
            "chain": False
        })
Exemplo n.º 8
0
 def __init__(self, parser, host, port, workdir, proto, intensity, username, ulist, password, plist, notuse, engine, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
     self.parser = parser
     Warrior.__init__(self, host, port,  workdir, general_protocol, intensity, username, ulist, password, plist, notuse, engine, path, reexec, ipv6, domain, interactive, verbose, executed, exec)
     self.engine, self.ipv6 = "", ""
     self.protohelp = False
     self.checked = []
     self.stop = False
     self.ws = []
     self.myexecuted = []
Exemplo n.º 9
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name":
                "ntp_nmap",
                "cmd":
                'nmap -n -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p '
                + self.port + " " + self.host,
                "shell":
                False,
                "chain":
                False
            },
            {
                "name": "ntpq_readvar",
                "cmd": 'ntpq -c readvar ' + self.host,
                "shell": False,
                "chain": False
            },
            {
                "name": "ntpq_monlist",
                "cmd": 'ntpq -c monlist ' + self.host,
                "shell": False,
                "chain": False
            },
            {
                "name": "ntpq_peers",
                "cmd": 'ntpq -c peers ' + self.host,
                "shell": False,
                "chain": False
            },
            {
                "name": "ntpq_listpeers",
                "cmd": 'ntpq -c listpeers ' + self.host,
                "shell": False,
                "chain": False
            },
            {
                "name": "ntpq_ntpversion",
                "cmd": 'ntpq -c ntpversion ' + self.host,
                "shell": False,
                "chain": False
            },
            {
                "name": "ntpq_sysinfo",
                "cmd": 'ntpq -c sysinfo ' + self.host,
                "shell": False,
                "chain": False
            },
        ]
Exemplo n.º 10
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)
        self.workdir = self.workdir + "/../"

        if self.ip != "":
            self.cmds = [{
                "name": "udp-proto-scanner",
                "cmd": 'udp-proto-scanner.pl ' + self.ip,
                "shell": False,
                "chain": False
            }]

        self.cmds += [
            {
                "name": "nmap_udp",
                "cmd":
                'nmap -sU -sV -T 4 -oA ' + self.workdir + 'nmapu ' + self.host,
                "shell": False,
                "chain": False
            },
            {
                "name":
                "nmap_init",
                "cmd":
                'nmap -sV -sC -O -T 4 -oA ' + self.workdir + 'nmapi ' +
                self.host,
                "shell":
                False,
                "chain":
                True
            },
            {
                "name":
                "nmap_full_fast",
                "cmd":
                'nmap -sV -sC -T 4 -p - -oA ' + self.workdir + 'nmapff ' +
                self.host,
                "shell":
                False,
                "chain":
                True
            },
            {
                "name": "nmap_full",
                "cmd":
                'nmap -sV -sC -p - -oA ' + self.workdir + 'nmapf ' + self.host,
                "shell": False,
                "chain": False
            },
            #{"name": "nmap_udp_full", "cmd": 'nmap -sU -sV -p - ' + self.host, "shell": False, "chain": False}
        ]
Exemplo n.º 11
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name":
                "mongodb_nmap_" + self.port,
                "cmd":
                'nmap -n -sV --script "mongo* and default" -p ' + self.port +
                ' ' + self.host,
                "shell":
                True,
                "chain":
                False
            },
        ]

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            if username != "":
                msfmodules_brute = [{
                    "path": "auxiliary/scanner/mongodb/mongodb_login",
                    "toset": {
                        "RHOSTS": self.host,
                        "RPORT": self.port,
                        "BLANK_PASSWORDS": "true",
                        "USER_AS_PASS": "******",
                        "USERNAME": self.username,
                        "PASS_FILE": self.plist
                    }
                }]
            else:
                msfmodules_brute = [
                    {
                        "path": "auxiliary/scanner/mongodb/mongodb_login",
                        "toset": {
                            "RHOSTS": self.host,
                            "RPORT": self.port,
                            "BLANK_PASSWORDS": "true",
                            "USER_AS_PASS": "******",
                            "USER_FILE": self.username,
                            "PASS_FILE": self.plist
                        }
                    },
                ]
            self.cmds = [{
                "name": "mongodb_brute_msf_" + self.port,
                "cmd": self.create_msf_cmd(msfmodules_brute),
                "shell": True,
                "chain": False
            }]
Exemplo n.º 12
0
    def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)

        self.cmds = [
            {"name": "ldap_nmap_"+self.port, "cmd": 'nmap -n -sV --script "ldap* and not brute" -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
        ]

        if self.intensity >= "2":
            if username != "" and password != "" and domain != "":
                self.cmds.append({"name": "ldapdomaindump", "cmd": "ldapdomaindump --no-json --no-grep --authtype SIMPLE -o "+self.workdir+" -r " +self.host+ " -u '" + self.domain + "\\" + self.username + "' -p '" + self.password+"' && echo 'To see the HTML output go to: "+self.workdir+"'", "shell": True, "chain": False})
Exemplo n.º 13
0
    def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)

        self.cmds = [
            {"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -sV -n --script "rsync-list-modules" -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
        ]

        msfmodules = [{"path": "auxiliary/scanner/rsync/modules_list", "toset": {"RHOSTS": self.host, "RPORT": self.port}}]
        self.cmds.append({"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})

        if self.intensity == "3":  # TODO: add bruteforce only for 1 user
            self.cmds.append({"name": self.proto+"_brute_nmap_"+self.port, "cmd": 'nmap -sV --script rsync-brute --script-args userdb='+self.ulist+',passdb='+self.plist+' -p '+self.port+' '+self.host, "shell": True, "chain": False})
Exemplo n.º 14
0
    def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)

        self.cmds = [
            {"name": self.proto+"_cmd", "cmd": 'finger @' + self.host, "shell": True, "chain": False},
            {"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -n -sV --script finger -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
        ]

        msfmodules = [{"path": "auxiliary/scanner/finger/finger_users", "toset": {"RHOSTS": self.host, "RPORT": self.port}}]
        self.cmds.append({"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})

        if self.intensity >= "2":
            self.cmds.append({"name": self.proto+"_execution", "cmd": 'finger "|/bin/id@' + self.host+'"', "shell": True, "chain": False})
Exemplo n.º 15
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name":
                self.proto + "_nmap_" + self.port,
                "cmd":
                'nmap -n -sV --script cassandra-info -p ' + self.port + ' ' +
                self.host,
                "shell":
                True,
                "chain":
                False
            },
        ]

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            if username != "":
                self.cmds = [{
                    "name":
                    self.proto + "_brute_nmap_" + self.port,
                    "cmd":
                    'nmap -n -sV --script cassandra-brute --script-args userdb='
                    + self.username + ',passdb=' + self.plist + ' -p ' +
                    self.port + ' ' + self.host,
                    "shell":
                    True,
                    "chain":
                    False
                }]
            else:
                self.cmds = [{
                    "name":
                    self.proto + "_brute_nmap_" + self.port,
                    "cmd":
                    'nmap -n -sV --script cassandra-brute --script-args userdb='
                    + self.ulist + ',passdb=' + self.plist + ' -p ' +
                    self.port + ' ' + self.host,
                    "shell":
                    True,
                    "chain":
                    False
                }]
Exemplo n.º 16
0
    def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)

        self.cmds=[
            {"name": self.proto+"_nikto_"+self.port, "cmd": 'echo n | nikto -nointeractive -maxtime 45m -timeout 60 -host '+self.proto_host_port_path+' -Plugins "paths;outdated;report_sqlg;auth;content_search;report_text;fileops;parked;shellshock;report_html;cgi;headers;report_nbe;favicon;cookies;robots;report_xml;report_csv;ms10_070;msgs;drupal;apache_expect_xss;siebel;put_del_test;apacheusers;dictionary;embedded;ssl;clientaccesspolicy;httpoptions;subdomain;negotiate;sitefiles;mutiple_index;strutshock;dishwasher;paths;docker_registry;origin_reflection;dir_traversal;multiple_index"', "shell": True, "chain": False},
            {"name": self.proto+"_whatweb_"+self.port, "cmd": "whatweb -a 3 "+self.proto_host_port_path, "shell": False, "chain": False},
            {"name": self.proto + "_robots_"+self.port, "cmd": 'curl ' + self.proto_host_port + '/robots.txt -L -k --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" --connect-timeout 30 --max-time 180', "shell": True, "chain": False},
            {"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -n -sV --script "(http* and not (dos or brute) and not http-xssed)" -p '+self.port+' '+self.host, "shell": True, "chain": False},
            {"name": self.proto+"_wafw00f_"+self.port, "cmd": 'wafw00f '+self.proto_host_port_path, "shell": False, "chain": False},
            {"name": self.proto+"_fast_dirsearch_"+self.port, "cmd": "dirsearch -F -r -u " + self.proto_host_port_path + " -e " + self.extensions, "shell": False,"chain": False},
            {"name": self.proto+"_dirhunt_"+self.port, "cmd": "dirhunt "+self.proto_host_port_path, "shell": False, "chain": False},
            #{"name": "gobuster", "cmd": "gobuster -k -fw -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u "+self.proto_host_port_path+" -x html,txt,"+self.extensions, "shell": False, "chain": False},
            #{"name":"dirb","cmd": "dirb -S " + self.proto_host_port_path + " -X ." + self.extensions.replace(",",",."), "shell": False, "chain": False}, #Dirb needs the extension with a point. The flag '-f' in dirsearch makes it behave like dirb (force ext and "/")
            {"name": self.proto+"_cmsmap_"+self.port, "cmd": 'echo "y" | cmsmap -s '+self.proto_host_port_path, "shell": True, "chain": False},
            {"name": self.proto + "_curl_put_"+self.port, "cmd": 'curl -v -X PUT -d "Hey! I am a PUT" ' + self.proto_host_port_path + "/legion.txt", "shell": True, "chain": False},

        ]

        #if self.domain and self.ip:
        #    self.cmds.append({"name": self.proto+"_vhost-brute", "cmd": "vhost-brute.php --domain "+self.domain+" --ip "+self.ip+" --wordlist "+self.wordlists_path+'/subdomains.txt' + (" --ssl" if self.proto == "https" else ""), "shell": False, "chain": False})

        if self.proto == "https":
            self.cmds.append({"name": "https_sslscan_"+self.port, "cmd": "sslscan "+self.host_port, "shell": False, "chain": False})
            self.cmds.append({"name": "https_sslyze_"+self.port, "cmd": "sslyze --regular "+self.host_port, "shell": False, "chain": False})
            self.cmds.append({"name": "https_ssl_nmap_"+self.port, "cmd": 'nmap -sV --script "ssl-* and not brute and not dos" -p ' + self.port + " " +self.host, "shell": True, "chain": False})

        if self.intensity >= "2":
            self.cmds.append({"name": self.proto + "_medium_dirsearch_"+self.port, "cmd": "dirsearch -f -F -r -u " + self.proto_host_port_path + " -e " + self.extensions + " -w /usr/share/dirb/wordlists/common.txt", "shell": False, "chain": False})

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames. The default 'path' is '/'."
            if username != "":
                self.cmds = [{"name": self.proto + "_brute_hydra_"+self.port, "cmd": "hydra -l "+self.username+" -P "+self.plist+" "+self.host+" "+self.proto+"-get -s "+self.port+" -f -e ns -m "+self.path, "shell": False, "chain": False}]
            else:
                self.cmds = [{"name": self.proto + "_brute_hydra_"+self.port, "cmd": "hydra -L "+self.ulist+" -P "+self.plist+" "+self.host+" "+self.proto+"-get -s "+self.port+" -f -e ns -m "+self.path, "shell": False, "chain": False}]

        dav_auth = "-auth "+self.username+":"+self.password+" " if (self.username and self.password) else ""
        self.demand_cmds=[
            {"name": self.proto + "_slow_dirsearch_"+self.port, "cmd": "dirsearch -f -F -u " + self.proto_host_port + " -e " + self.extensions + " -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt", "shell": False, "chain": False},
            {"name": self.proto + "_sqlmap_"+self.port, "cmd": "sqlmap -u "+self.proto_host_port_path+" --batch --crawl=3 --forms --random-agent --level 1 --risk 1 -f -a" , "shell": False, "chain": False},
            {"name": self.proto + "_davtestmove_"+self.port, "cmd": "davtest "+dav_auth+"-move -sendbd auto -url "+self.proto_host_port_path, "shell": False, "chain": False},
            {"name": self.proto + "_davtestnorm_"+self.port, "cmd": "davtest "+dav_auth+" -sendbd auto -url " + self.proto_host_port_path, "shell": False, "chain": False},
            {"name": self.proto + "_wpscan_"+self.port, "cmd": "wpscan --url "+self.proto_host_port_path+" --rua --no-update --enumerate ap", "shell": False, "chain": False},
            {"name": self.proto + "_cewl_"+self.port, "cmd": "cewl "+self.proto_host_port_path+" -m 6", "shell": False, "chain": False},
            {"name": self.proto + "_arjun_"+self.port, "cmd": "cd "+ self.git_path+"/arjun 2>/dev/null; ./arjun.py --get -u "+self.proto_host_port_path+"; "+
                                                            "./arjun.py --post -u "+self.proto_host_port_path+"; "+
                                                            "./arjun.py --json -u "+self.proto_host_port_path+"; cd - 2>/dev/null",
            "shell": True, "chain": False},
        ]
Exemplo n.º 17
0
    def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)

        self.cmds = [
            {"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -n --script redis-info -sV -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
        ]

        msfmodules = [
            {"path": "auxiliary/scanner/redis/redis_server", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
        ]
        self.cmds.append(
            {"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})

        if self.intensity == "3":
            self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -P '+self.plist+' -s '+self.port+' '+self.host+' redis', "shell": True, "chain": False}]
Exemplo n.º 18
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name": "rpcinfo",
                "cmd": 'rpcinfo ' + self.host,
                "shell": False,
                "chain": False
            },
            {
                "name":
                "rpc_nfs_nmap_" + self.port,
                "cmd":
                'nmap -n -sV --script "nfs-ls or nfs-showmount or nfs-statfs" -p '
                + self.port + ' ' + self.host,
                "shell":
                True,
                "chain":
                False
            },
            {
                "name": self.proto + "_showmount",
                "cmd": 'showmount -e ' + self.host,
                "shell": True,
                "chain": False
            },
        ]

        msfmodules = [{
            "path": "auxiliary/scanner/nfs/nfsmount",
            "toset": {
                "RHOSTS": self.host,
                "RPORT": self.port
            }
        }]
        self.cmds.append({
            "name": self.proto + "_msf_" + self.port,
            "cmd": self.create_msf_cmd(msfmodules),
            "shell": True,
            "chain": False
        })
Exemplo n.º 19
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name":
                self.proto + "_nmap_" + self.port,
                "cmd":
                'nmap -n -sV --script "rmi-dumpregistry or rmi-vuln-classloader" '
                + self.port + ' ' + self.host,
                "shell":
                True,
                "chain":
                False
            },
        ]

        msfmodules = [
            {
                "path": "auxiliary/scanner/misc/java_rmi_server",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
            {
                "path": "auxiliary/gather/java_rmi_registry",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
        ]
        self.cmds.append({
            "name": self.proto + "_msf_" + self.port,
            "cmd": self.create_msf_cmd(msfmodules),
            "shell": True,
            "chain": False
        })
Exemplo n.º 20
0
    def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)

        self.cmds = [
            {"name": self.proto+"_nmap_"+self.port, "cmd": 'nmap -n -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p ' + self.port + ' ' + self.host, "shell": True,"chain": False},

        ]

        msfmodules = [
            {"path": "auxiliary/scanner/vnc/vnc_none_auth", "toset": {"RHOSTS": self.host, "RPORT": self.port}},
        ]
        self.cmds.append(
            {"name": self.proto+"_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            if username != "":
                self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -l '+self.username+' -P '+self.plist+' -s '+self.port+' '+self.host+' vnc', "shell": True, "chain": False}]
            else:
                self.cmds = [{"name": self.proto+"_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist + ' -s ' + self.port + ' ' + self.host + ' vnc', "shell": True, "chain": False}]
Exemplo n.º 21
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name":
                self.proto + "_nmap_" + self.port,
                "cmd":
                'nmap-n  --script modbus-discover -sV -p ' + self.port + ' ' +
                self.host,
                "shell":
                True,
                "chain":
                False
            },
        ]

        msfmodules = [{
            "path": "auxiliary/scanner/scada/modbusdetect",
            "toset": {
                "RHOSTS": self.host,
                "RPORT": self.port
            }
        }, {
            "path": "auxiliary/scanner/scada/modbus_findunitid",
            "toset": {
                "RHOSTS": self.host,
                "RPORT": self.port
            }
        }]
        self.cmds.append({
            "name": self.modbus + "_msf_" + self.port,
            "cmd": self.create_msf_cmd(msfmodules),
            "shell": True,
            "chain": False
        })
Exemplo n.º 22
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        msfmodules = [{
            "path": "auxiliary/gather/checkpoint_hostname",
            "toset": {
                "RHOSTS": self.host,
                "RPORT": self.port
            }
        }]
        self.cmds = [{
            "name": self.proto + "_msf_" + self.port,
            "cmd": self.create_msf_cmd(msfmodules),
            "shell": True,
            "chain": False
        }]
Exemplo n.º 23
0
    def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)

        self.cmds = [
            {"name": "enum4linux", "cmd": 'enum4linux -a -u "'+self.username+'" -p "'+self.password+'" '+self.host, "shell": True, "chain": False},
            {"name": "smb_nmap", "cmd": 'nmap -n -sV --script "(safe and smb*) or smb-enum-*" -p 135,139,445 ' + self.host, "shell": True, "chain": False},
            {"name": "smbmap_"+self.port, "cmd": 'smbmap -u "'+self.username+'" -p "'+self.password+'" -H '+self.host+" -P "+self.port, "shell": True, "chain": False},
            {"name": "smbclient", "cmd": "smbclient -U '"+self.username+"%"+self.password+"' -L //" + self.host, "shell": False, "chain": False},
            {"name": "nbtscan", "cmd": 'nbtscan ' + self.host, "shell": False, "chain": False},
            {"name": "smb_samrdump_"+self.port, "cmd": 'python $(which samrdump.py) -port ' + self.port + ' ' + self.host, "shell": False, "chain": False},
        ]

        msfmodules = [
            {"path": "auxiliary/scanner/smb/smb_version", "toset": {"RHOSTS": self.host}},
        ]
        self.cmds.append({"name": self.proto + "_msf", "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})

        if username == "" or ("<" == username[0] and ">" == username[-1]):
            self.cmds.append({"name": "smbmap_guest_"+self.port, "cmd": 'smbmap -u "guest" -p "" -H '+self.host+" -P "+self.port, "shell": True, "chain": False})
            self.cmds.append({"name": "smbclient_guest", "cmd": "smbclient -U 'guest%' -L //" + self.host, "shell": True, "chain": False})
            self.cmds.append({"name": "enum4linux_guest", "cmd": 'enum4linux -a -u "guest" -p "" '+self.host, "shell": True, "chain": False})
Exemplo n.º 24
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name":
                self.proto + "_nmap_" + self.port,
                "cmd":
                'nmap -n -sV --script enip-enumerate -p ' + self.port + ' ' +
                self.host,
                "shell":
                True,
                "chain":
                False
            },
        ]
Exemplo n.º 25
0
    def __init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity, username, ulist, password, plist, notuse, extensions, path, reexec, ipv6, domain, interactive, verbose, executed, exec)

        self.cmds = [
            {"name": "ssh_nmap_"+self.port, "cmd": 'nmap -n -sV --script "ssh-auth-methods or ssh-auth-methods or ssh2-enum-algos or sshv1" -p ' + self.port + ' ' + self.host, "shell": True, "chain": False},
            {"name": "ssh_sslscan_"+self.port, "cmd": "sslscan "+self.host_port, "shell": False, "chain": False},
            {"name": "ssh_sslyze_"+self.port, "cmd": "sslyze --regular "+self.host_port, "shell": False, "chain": False},
            {"name": "ssh_version_"+self.port, "cmd": 'nc -w 20 -q 1 -vn ' + self.host + ' ' + self.port+ ' </dev/null', "shell": True, "chain": False},
        ]

        msfmodules = [{"path": "auxiliary/scanner/ssh/ssh_version", "toset": {"RHOSTS": self.host, "RPORT": self.port}}]
        self.cmds.append({"name": "ssh_msf_"+self.port, "cmd": self.create_msf_cmd(msfmodules), "shell": True, "chain": False})

        if self.intensity >= "2":
            msfmodules_vulns = [{"path": "scanner/ssh/ssh_enumusers", "toset": {"RHOSTS": self.host, "RPORT": self.port, "USER_FILE": self.ulist}},
                                {"path": "auxiliary/scanner/ssh/juniper_backdoor", "toset": {"RHOSTS": self.host, "RPORT": self.port}}]
            self.cmds.append({"name": "ssh_msf_vuln_"+self.port, "cmd": self.create_msf_cmd(msfmodules_vulns), "shell": True, "chain": False})

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            if username != "":
                self.cmds = [{"name": "ssh_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -l ' + self.username + ' -P ' + self.plist + ' -s ' + self.port + ' ' + self.host + ' ssh', "shell": True, "chain": False}]
            else:
                self.cmds = [{"name": "ssh_brute_hydra_"+self.port, "cmd": 'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist + ' -s ' + self.port + ' ' + self.host + ' ssh', "shell": True, "chain": False}]
Exemplo n.º 26
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name": self.proto + "_version_" + self.port,
                "cmd": 'nc -w 20 -q 1 -vn ' + self.host + ' ' + self.port +
                ' </dev/null',
                "shell": True,
                "chain": False
            },
        ]

        msfmodules = [
            {
                "path": "auxiliary/scanner/postgres/postgres_version",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
            {
                "path":
                "auxiliary/scanner/postgres/postgres_dbname_flag_injection",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
        ]
        self.cmds.append({
            "name": self.proto + "_msf_" + self.port,
            "cmd": self.create_msf_cmd(msfmodules),
            "shell": True,
            "chain": False
        })

        #Database name param needed
        #if self.intensity >= "2":
        #    if self.username != "" and self.username[-1] != ">" and self.password != "" and self.password[-1] != ">":
        #        msfmodules_auth = [
        #            {"path": "auxiliary/scanner/postgres/postgres_hashdump", "toset": {"RHOSTS": self.host, "RPORT": self.port, "DATABASE": self.databasetodo, "USERNAME": self.username, "PASSWORD": self.password}},
        #            {"path": "auxiliary/scanner/postgres/postgres_schemadump", "toset": {"RHOSTS": self.host, "RPORT": self.port, "DATABASE": self.databasetodo, "USERNAME": self.username, "PASSWORD": self.password}},
        #            {"path": "auxiliary/admin/postgres/postgres_readfile", "toset": {"RHOSTS": self.host, "RPORT": self.port, "DATABASE": self.databasetodo, "USERNAME": self.username, "PASSWORD": self.password}},
        #            ]
        #        self.cmds.append({"name": "pgsql_msf_auth_"+self.port, "cmd": self.create_msf_cmd(msfmodules_auth), "shell": True, "chain": False})

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            if username != "":
                self.cmds = [{
                    "name":
                    self.proto + "_brute_hydra_" + self.port,
                    "cmd":
                    'hydra -f -e ns -l ' + self.username + ' -P ' +
                    self.plist + ' -s ' + self.port + ' ' + self.host +
                    ' postgres',
                    "shell":
                    True,
                    "chain":
                    False
                }]
            else:
                self.cmds = [{
                    "name":
                    self.proto + "_brute_hydra_" + self.port,
                    "cmd":
                    'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist +
                    ' -s ' + self.port + ' ' + self.host + ' postgres',
                    "shell":
                    True,
                    "chain":
                    False
                }]
Exemplo n.º 27
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name":
                self.proto + "_nmap_" + self.port,
                "cmd":
                'nmap -n --script "smtp-open-relay or (default and *smtp*)" -p '
                + self.port + ' ' + self.host,
                "shell":
                True,
                "chain":
                False
            },
        ]

        if self.proto == "smtp":
            self.cmds.append({
                "name":
                self.proto + "_version_" + self.port,
                "cmd":
                'nc -w 10 -q 1 -vn ' + self.host + ' ' + self.port +
                ' </dev/null',
                "shell":
                True,
                "chain":
                False
            })
        else:
            self.cmds.append({
                "name":
                self.proto + "_version_" + self.port,
                "cmd":
                'echo QUIT | openssl s_client -starttls smtp -crlf -connect ' +
                self.host + ':' + self.port,
                "shell":
                True,
                "chain":
                False
            })

        msfmodules = [
            {
                "path": "auxiliary/scanner/smtp/smtp_version",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
            {
                "path": "auxiliary/scanner/smtp/smtp_ntlm_domain",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
            {
                "path": "auxiliary/scanner/smtp/smtp_relay",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
        ]
        self.cmds.append({
            "name": self.proto + "_msf_" + self.port,
            "cmd": self.create_msf_cmd(msfmodules),
            "shell": True,
            "chain": False
        })

        if self.intensity == 2:
            self.cmds.append({
                "name":
                self.proto + "_nmap_vuln_" + self.port,
                "cmd":
                'nmap --script smtp-vuln-cve2011-1764,smtp-vuln-cve2011-1720,smtp-vuln-cve2010-4344  '
                + self.host + ' ' + self.port,
                "shell":
                True,
                "chain":
                False
            })

        if self.intensity == "3":  # TODO: think about using other methods like RCT
            self.extra_info = "By default VRFY method is used, if you want to use other (EXPN or RCPT) set it in 'path' variable."
            self.extra_info += "\nYou can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            self.path = "VRFY" if self.path.upper() not in [
                "EXPN", "RCPT"
            ] else self.path.upper()
            if username != "":
                self.cmds = [{
                    "name":
                    self.proto + "_brute",
                    "cmd":
                    'smtp-user-enum -M ' + self.path + ' -u ' + self.username +
                    ' -p ' + self.port + ' -t ' + self.host,
                    "shell":
                    True,
                    "chain":
                    False
                }]
            else:
                self.cmds = [{
                    "name":
                    self.proto + "_brute",
                    "cmd":
                    'smtp-user-enum -M ' + self.path + ' -U ' + self.ulist +
                    ' -p ' + self.port + ' -t ' + self.host,
                    "shell":
                    True,
                    "chain":
                    False
                }]
Exemplo n.º 28
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name": self.proto + "_version_" + self.port,
                "cmd": 'curl http://' + self.host_port + '/',
                "shell": True,
                "chain": False
            },
            {
                "name": self.proto + "_dbs_" + self.port,
                "cmd": 'curl http://' + self.host_port + '/_all_dbs',
                "shell": True,
                "chain": False
            },
        ]

        msfmodules = [
            {
                "path": "auxiliary/scanner/couchdb/couchdb_enum",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
        ]
        self.cmds.append({
            "name": self.proto + "_msf_" + self.port,
            "cmd": self.create_msf_cmd(msfmodules),
            "shell": True,
            "chain": False
        })

        if self.intensity >= "2":
            if self.username != "" and self.password != "":
                msfmodules_auth = [
                    {
                        "path": "auxiliary/scanner/couchdb/couchdb_enum",
                        "toset": {
                            "RHOSTS": self.host,
                            "RPORT": self.port,
                            "HttpUsername": self.username,
                            "HttpPassword": self.password
                        }
                    },
                ]
                self.cmds.append({
                    "name": self.proto + "_msf_auth_" + self.port,
                    "cmd": self.create_msf_cmd(msfmodules_auth),
                    "shell": True,
                    "chain": False
                })

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            if username != "":
                msfmodules_brute = [
                    {
                        "path": "auxiliary/scanner/couchdb/couchdb_login",
                        "toset": {
                            "RHOSTS": self.host,
                            "RPORT": self.port,
                            "BLANK_PASSWORDS": "true",
                            "USER_AS_PASS": "******",
                            "USERNAME": self.username,
                            "PASS_FILE": self.plist
                        }
                    },
                ]
            else:
                msfmodules_brute = [
                    {
                        "path": "auxiliary/scanner/couchdb/couchdb_login",
                        "toset": {
                            "RHOSTS": self.host,
                            "RPORT": self.port,
                            "BLANK_PASSWORDS": "true",
                            "USER_AS_PASS": "******",
                            "USER_FILE": self.username,
                            "PASS_FILE": self.plist
                        }
                    },
                ]
            self.cmds = [{
                "name": self.proto + "_brute_msf_" + self.port,
                "cmd": self.create_msf_cmd(msfmodules_brute),
                "shell": True,
                "chain": False
            }]
Exemplo n.º 29
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name": self.proto + "_version_" + self.port,
                "cmd": 'nc -w 20 -q 1 -vn ' + self.host + ' ' + self.port +
                ' </dev/null',
                "shell": True,
                "chain": False
            },
            {
                "name":
                self.proto + "_nmap_" + self.port,
                "cmd":
                'nmap -n -sV --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 -p '
                + self.port + ' ' + self.host,
                "shell":
                True,
                "chain":
                False
            },
        ]

        msfmodules = [
            {
                "path": "auxiliary/scanner/mysql/mysql_version",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
            {
                "path": "auxiliary/scanner/mysql/mysql_authbypass_hashdump",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
        ]
        self.cmds.append({
            "name": self.proto + "_msf_" + self.port,
            "cmd": self.create_msf_cmd(msfmodules),
            "shell": True,
            "chain": False
        })

        if self.intensity >= "2":
            self.extra_info = "If you set the username and password, more authenticated metasploit modules will be executed."
            if username != "" and password != "":
                msfmodules_auth = [
                    {
                        "path": "auxiliary/admin/mysql/mysql_enum",
                        "toset": {
                            "RHOSTS": self.host,
                            "RPORT": self.port,
                            "USERNAME": self.username,
                            "PASSWORD": self.password
                        }
                    },
                    {
                        "path": "auxiliary/scanner/mysql/mysql_hashdump",
                        "toset": {
                            "RHOSTS": self.host,
                            "RPORT": self.port,
                            "USERNAME": self.username,
                            "PASSWORD": self.password
                        }
                    },
                    {
                        "path": "auxiliary/scanner/mysql/mysql_schemadump",
                        "toset": {
                            "RHOSTS": self.host,
                            "RPORT": self.port,
                            "USERNAME": self.username,
                            "PASSWORD": self.password
                        }
                    },
                ]
                self.cmds.append({
                    "name": self.proto + "_msf_auth_" + self.port,
                    "cmd": self.create_msf_cmd(msfmodules_auth),
                    "shell": True,
                    "chain": False
                })

        if self.intensity == "3":
            self.extra_info = "You can use the variable 'username' to brute force a single username or the variable ulist to bruteforce a list of usernames."
            if username != "":
                self.cmds = [{
                    "name":
                    self.proto + "_brute_hydra_" + self.port,
                    "cmd":
                    'hydra -f -e ns -l ' + self.username + ' -P ' +
                    self.plist + ' -s ' + self.port + ' ' + self.host +
                    ' mysql',
                    "shell":
                    True,
                    "chain":
                    False
                }]
            else:
                self.cmds = [{
                    "name":
                    self.proto + "_brute_hydra_" + self.port,
                    "cmd":
                    'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist +
                    ' -s ' + self.port + ' ' + self.host + ' mysql',
                    "shell":
                    True,
                    "chain":
                    False
                }]
Exemplo n.º 30
0
    def __init__(self, host, port, workdir, protocol, intensity, username,
                 ulist, password, plist, notuse, extensions, path, reexec,
                 ipv6, domain, interactive, verbose, executed, exec):
        Warrior.__init__(self, host, port, workdir, protocol, intensity,
                         username, ulist, password, plist, notuse, extensions,
                         path, reexec, ipv6, domain, interactive, verbose,
                         executed, exec)

        self.cmds = [
            {
                "name":
                "telnet_nmap_" + self.port,
                "cmd":
                'nmap -n -sV --script "telnet* and safe" -p ' + self.port +
                ' ' + self.host,
                "shell":
                True,
                "chain":
                False
            },
            {
                "name": "telnet_version_" + self.port,
                "cmd": 'nc -w 10 -q 1 -vn ' + self.host + ' ' + self.port +
                ' </dev/null',
                "shell": True,
                "chain": False
            },
        ]

        msfmodules = [
            {
                "path": "auxiliary/scanner/telnet/telnet_version",
                "toset": {
                    "RHOSTS": self.host,
                    "RPORT": self.port
                }
            },
        ]
        self.cmds.append({
            "name": "telnet_msf_" + self.port,
            "cmd": self.create_msf_cmd(msfmodules),
            "shell": True,
            "chain": False
        })

        if self.intensity >= "2":
            msfmodules_vulns = [
                {
                    "path": "auxiliary/scanner/telnet/brocade_enable_login",
                    "toset": {
                        "RHOSTS": self.host,
                        "RPORT": self.port
                    }
                },
                {
                    "path": "auxiliary/scanner/telnet/telnet_encrypt_overflow",
                    "toset": {
                        "RHOSTS": self.host,
                        "RPORT": self.port
                    }
                },
                {
                    "path": "auxiliary/scanner/telnet/telnet_ruggedcom",
                    "toset": {
                        "RHOSTS": self.host,
                        "RPORT": self.port
                    }
                },
            ]
            self.cmds.append({
                "name": "telnet_msf_vuln_" + self.port,
                "cmd": self.create_msf_cmd(msfmodules_vulns),
                "shell": True,
                "chain": False
            })

        if self.intensity == "3":
            if username != "":
                self.cmds = [{
                    "name":
                    "telnet_brute_hydra_" + self.port,
                    "cmd":
                    'hydra -f -e ns -l ' + self.username + ' -P ' +
                    self.plist + ' -s ' + self.port + ' ' + self.host +
                    ' telnet',
                    "shell":
                    True,
                    "chain":
                    False
                }]
            else:
                self.cmds = [{
                    "name":
                    "telnet_brute_hydra_" + self.port,
                    "cmd":
                    'hydra -f -e ns -L ' + self.ulist + ' -P ' + self.plist +
                    ' -s ' + self.port + ' ' + self.host + ' telnet',
                    "shell":
                    True,
                    "chain":
                    False
                }]