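def ftp_anon_login(scan_info, url_to_scan):
    """Run nmap's ``ftp-anon`` script against ``url_to_scan`` and record a finding.

    A finding named ``"ftp_anonymous"`` is stored through ``add_vuln_to_mongo``
    only when the script output contains ``"Anonymous FTP login allowed"``.
    nmap's ``-oA`` output (``.nmap``/``.xml``/``.gnmap``) is written under
    ``tools_output/`` with a random, per-call base name and removed again
    whether or not parsing succeeds.

    Args:
        scan_info: Opaque scan context forwarded unchanged to ``add_vuln_to_mongo``.
        url_to_scan: Target handed to nmap as a single argv element.

    Returns:
        None.
    """
    root_dir = os.path.dirname(os.path.abspath(__file__))
    output_base = os.path.join(root_dir, 'tools_output',
                               uuid.uuid4().hex + '.ftp.anon')
    # Remove any stale files that share this base name before nmap writes to it.
    cleanup(output_base)
    try:
        # No shell is involved, so the target cannot inject shell syntax; nmap
        # still parses it as a target specification.
        # NOTE(review): a value beginning with '-' could be read by nmap as an
        # option -- validate url_to_scan upstream; confirm with the caller.
        # The CompletedProcess is not inspected: if nmap wrote no output, the
        # open() below raises FileNotFoundError and the finally block still runs.
        subprocess.run([
            'nmap', '-Pn', '-sV', '-p21', '-vvv', '--script', 'ftp-anon', '-oA',
            output_base, url_to_scan
        ], capture_output=True)
        with open(output_base + '.xml') as xml_file:
            nmap_result = xmltodict.parse(xml_file.read())
        try:
            message = nmap_result['nmaprun']['host']['ports']['port']['script']['@output']
        except KeyError:
            # No host/port/script element in the XML: nothing to report.
            return
        if "Anonymous FTP login allowed" in message:
            img_str = image_creator.create_image_from_file(output_base + '.nmap')
            add_vuln_to_mongo(scan_info, "ftp_anonymous", message, img_str)
    finally:
        # Always drop the -oA triplet, even when parsing or reporting raised.
        cleanup(output_base)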
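def _describe_port_vulners(port):
    """Return the report text for one nmap ``port`` entry, or ``None``.

    ``port`` is the dict xmltodict produced for a ``<port>`` element.
    ``None`` means the port carries no ``vulners`` script result and the
    caller should skip it.
    """
    scripts = port.get('script')
    if scripts is None:
        # Script ran with no results on this port.
        return None
    # xmltodict yields a dict for a single <script> and a list for several.
    if not isinstance(scripts, list):
        scripts = [scripts]
    vulners_entries = [
        '\tID:%s \n\toutput:%s\n' % (result['@id'], result['@output'])
        for result in scripts
        if 'vulners' in result['@id']
    ]
    if not vulners_entries:
        return None
    # nmap omits <service> and its @product/@version attributes when -sV could
    # not determine them, so read them defensively instead of indexing.
    service = port.get('service', {})
    report = [
        '---------------\n',
        'Protocol: %s \n' % port['@protocol'],
        'Port: %s \n' % port['@portid'],
        'State: %s \n' % port['state']['@state'],
        'Service: \n',
        '\tName: %s \n' % service.get('@name', ''),
        '\tProduct: %s \n' % service.get('@product', ''),
        '\tVersion: %s \n' % service.get('@version', ''),
        'Result: \n',
    ]
    report.extend(vulners_entries)
    return ''.join(report)


def outdated_software(scan_info, url_to_scan):
    """Run nmap with the bundled ``vulners.nse`` script and record matching ports.

    The top 500 ports of ``url_to_scan`` are version-scanned; every port whose
    script results include a ``vulners`` entry is summarised (protocol, port,
    state, service details and the script output) and the combined text is
    stored as one ``'outdated_software'`` finding via ``add_vuln_to_mongo``.
    nmap's ``-oA`` files are removed on every exit path, including the early
    return when the XML has no host/port data.

    Args:
        scan_info: Opaque scan context forwarded unchanged to ``add_vuln_to_mongo``.
        url_to_scan: Target handed to nmap as a single argv element.

    Returns:
        None.
    """
    root_dir = os.path.dirname(os.path.abspath(__file__))
    vulners_script = os.path.join(root_dir, 'tools', 'nmap', 'nmap-vulners',
                                  'vulners.nse')
    output_base = os.path.join(root_dir, 'tools_output', uuid.uuid4().hex)
    try:
        # No shell is involved; nmap still parses the target as a target spec.
        # NOTE(review): a value beginning with '-' could be read by nmap as an
        # option -- validate url_to_scan upstream; confirm with the caller.
        subprocess.run([
            'nmap', '-sV', '-Pn', '-vvv', '--top-ports=500',
            '--script=' + vulners_script, '-oA', output_base, url_to_scan
        ], capture_output=True)
        with open(output_base + '.xml') as xml_file:
            nmap_result = xmltodict.parse(xml_file.read())
        try:
            ports = nmap_result['nmaprun']['host']['ports']['port']
        except KeyError:
            # Host down or no ports reported: nothing to analyse.
            return
        # A single <port> arrives as a dict; normalise to a list.
        if not isinstance(ports, list):
            ports = [ports]
        reports = (_describe_port_vulners(port) for port in ports)
        message = ''.join(report for report in reports if report is not None)
        if message:
            img_str = image_creator.create_image_from_file(output_base + '.nmap')
            add_vuln_to_mongo(scan_info, 'outdated_software', message, img_str)
    finally:
        # The original skipped cleanup on the early return above; always run it.
        cleanup(output_base)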
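def ssh_ftp_brute_login(scan_info, url_to_scan, is_ssh):
    """Run the bundled nmap ``ssh-brute``/``ftp-brute`` script with the configured wordlists.

    ``settings['WORDLIST']['ssh_ftp_user']`` and ``['ssh_ftp_pass']`` are passed
    as ``userdb``/``passdb`` script arguments. When the script output contains
    ``"Valid credentials"`` a finding named ``"ssh_credentials"`` or
    ``"ftp_credentials"`` (by ``is_ssh``) is stored via ``add_vuln_to_mongo``.
    The nmap invocation is unchanged from the original; only cleanup and
    parsing were tightened.

    Args:
        scan_info: Opaque scan context forwarded unchanged to ``add_vuln_to_mongo``.
        url_to_scan: Target handed to nmap as a single argv element.
        is_ssh: True selects the SSH script on port 22, False the FTP script on port 21.

    Returns:
        None.
    """
    root_dir = os.path.dirname(os.path.abspath(__file__))
    timeout = 'timeout=5s'
    time_limit = '0'  # seconds, passed as brute.delay
    if is_ssh:
        brute_script = os.path.join(root_dir, 'tools', 'nmap', 'server_versions',
                                    'ssh-brute.nse')
        port = '-p22'
        end_name = '.ssh.brute'
    else:
        brute_script = os.path.join(root_dir, 'tools', 'nmap', 'server_versions',
                                    'ftp-brute.nse')
        port = '-p21'
        end_name = '.ftp.brute'
    users = settings['WORDLIST']['ssh_ftp_user']
    password = settings['WORDLIST']['ssh_ftp_pass']
    output_base = os.path.join(root_dir, 'tools_output',
                               uuid.uuid4().hex + end_name)
    # Remove any stale files that share this base name before nmap writes to it.
    cleanup(output_base)
    # Same comma-separated --script-args string the original built by concatenation.
    script_args = ','.join([
        'userdb=' + users,
        'passdb=' + password,
        timeout,
        'brute.delay=' + time_limit,
        'brute.retries=1',
    ])
    try:
        # No shell is involved; nmap still parses the target as a target spec.
        # NOTE(review): a value beginning with '-' could be read by nmap as an
        # option -- validate url_to_scan upstream; confirm with the caller.
        subprocess.run([
            'nmap', '-Pn', '-sV', port, '--script', brute_script, '--script-args',
            script_args, '-oA', output_base, url_to_scan
        ], capture_output=True)
        with open(output_base + '.xml') as xml_file:
            nmap_result = xmltodict.parse(xml_file.read())
        try:
            message = nmap_result['nmaprun']['host']['ports']['port']['script']['@output']
        except KeyError:
            # No host/port/script element in the XML: nothing to report.
            return
        if "Valid credentials" in message:
            name = "ssh_credentials" if is_ssh else "ftp_credentials"
            img_str = image_creator.create_image_from_file(output_base + '.nmap')
            add_vuln_to_mongo(scan_info, name, message, img_str)
    finally:
        # Always drop the -oA triplet, even when parsing or reporting raised.
        cleanup(output_base)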
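def basic_scan(scan_info, url_to_scan):
    """Version-scan the top 1000 ports of ``url_to_scan`` and store the results.

    The parsed nmap XML is handed to ``mongo.add_nmap_information_to_subdomain``
    (when the host reported any ports) and then checked twice by
    ``check_ports_and_report``: once for the plaintext-service ports and once
    for the remote-access/database ports listed below. nmap's ``-oA`` files are
    removed on every exit path.

    Args:
        scan_info: Opaque scan context forwarded to the mongo and report helpers.
        url_to_scan: Target handed to nmap as a single argv element.

    Returns:
        None.
    """
    plaintext_ports = ["21", "23", "80"]
    remote_ports = ["135", "445", "513", "514", "1433", "3306", "3389"]
    root_dir = os.path.dirname(os.path.abspath(__file__))
    output_base = os.path.join(root_dir, 'tools_output', uuid.uuid4().hex)
    try:
        # No shell is involved; nmap still parses the target as a target spec.
        # NOTE(review): a value beginning with '-' could be read by nmap as an
        # option -- validate url_to_scan upstream; confirm with the caller.
        # (The result is intentionally not bound to a local named basic_scan,
        # which in the original shadowed this function.)
        subprocess.run([
            'nmap', '-Pn', '-sV', '-vvv', '--top-ports=1000', '-oA',
            output_base, url_to_scan
        ], capture_output=True)
        with open(output_base + '.xml') as xml_file:
            parsed = xmltodict.parse(xml_file.read())
        # Round-trip through JSON so the mongo and report helpers receive plain
        # dicts/lists rather than xmltodict's mapping type.
        json_data = json.loads(json.dumps(parsed))
        img_str = image_creator.create_image_from_file(output_base + '.nmap')
        # Only the lookup is guarded: a KeyError raised inside the mongo helper
        # itself must surface instead of being swallowed as "no ports".
        try:
            ports = json_data['nmaprun']['host']['ports']['port']
        except KeyError:
            ports = None
        if ports is not None:
            mongo.add_nmap_information_to_subdomain(scan_info, ports)
        check_ports_and_report(scan_info, plaintext_ports, 'plaintext_services',
                               json_data, img_str)
        check_ports_and_report(scan_info, remote_ports, 'unnecessary_services',
                               json_data, img_str)
    finally:
        # Always drop the -oA triplet, even when parsing or reporting raised.
        cleanup(output_base)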