def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
if port in ssh_ports and t.is_ssh(ip, port):
output = t.run_cmd('ssh -o PreferredAuthentications=none -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o NoHostAuthenticationForLocalhost=yes user@"{}" -p "{}"'.format(ip, port))
if output and 'password' in str(output):
self.rule_details = p.get_product()
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
c = ConfParser(conf)
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/.svn/text-base')
if resp and 'Index of /' in resp.text:
self.rule_details = 'SVN Repository exposed at /.svn/text-base'
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if module == 'http' or port in http_ports:
resp = t.http_request(ip, port, follow_redirects=False)
if resp:
form = self.contains_password_form(resp.text)
if form:
if not resp.url.startswith('https://'):
self.rule_details = 'Login Page over HTTP'
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if port in self.rule_match_port:
try:
ftp = FTP(ip)
res = ftp.login()
if res:
if '230' in res or 'user logged in' in res or 'successful' in res:
self.rule_details = 'FTP with Anonymous Access Enabled'
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
except:
pass
return
def check_rule(self, ip, port, values, conf):
t = Triage()
c = ConfParser(conf)
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if not 'F5 BIG-IP' in product or not 'BigIP' in product:
return
resp = t.http_request(ip, port, uri='/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd')
if resp is None:
return
if 'root:x:0:0' in resp.text:
self.rule_details = 'F5 BIGIP Vulnerability - CVE-2020-5902'
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
module = p.get_module()
domain = p.get_domain()
product = p.get_product()
if 'ssh' in module or 'ssh' in product.lower():
if port != 22:
self.rule_details = 'SSH is hidden behind port {}'.format(port)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
c = ConfParser(conf)
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if 'http' not in module:
return
resp = t.http_request(ip, port)
if resp is None:
return
server_header = resp.headers.get('Server', None)
if not server_header or 'nginx' not in server_header.lower():
return
content_length = resp.headers.get('Content-Length', 0)
bytes_length = int(content_length) + 623
content_length = "bytes=-%d,-9223372036854%d" % (bytes_length,
776000 - bytes_length)
resp = t.http_request(ip, port, headers={'Range': content_length})
if resp is None:
return
if resp.status_code == 206 and 'Content-Range' in resp.text:
self.rule_details = 'Nginx Integer Overflow'
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if 'http' not in module:
return
resp = None
random_origin = self.randomize_origin()
if domain:
resp = t.http_request(domain,
port,
headers={'Origin': random_origin})
else:
resp = t.http_request(ip, port, headers={'Origin': random_origin})
if resp is None:
return
if 'Access-Control-Allow-Origin' in resp.headers and resp.headers[
'Access-Control-Allow-Origin'] == random_origin:
self.rule_details = 'Header used: "Origin: {}"'.format(
random_origin)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if 'http' not in module:
return
resp = None
if domain:
resp = t.http_request(domain, port)
else:
resp = t.http_request(ip, port)
if resp is None:
return
for header, value in resp.headers.items():
if header.lower(
) == 'access-control-allow-origin' and value == '*':
self.rule_details = 'Access-Control-Allow-Origin is set to: *'
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
return
def check_rule(self, ip, port, values, conf):
t = Triage()
c = ConfParser(conf)
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if port != 10043:
return
resp = t.http_request(
ip,
port,
uri=
'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'
)
if resp is None:
return
if 'var fgt_lang =' in resp.text:
self.rule_details = 'Fortinet SSL VPN ({})'.format(port)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if 'http' not in module:
return
resp = t.http_request(ip, port)
if resp is None:
return
powered_by_headers = ['X-Powered-By', 'X-AspNet-Version']
for poweredby_header in powered_by_headers:
result = t.string_in_headers(resp, poweredby_header)
if result:
self.rule_details = '{}:{}'.format(
poweredby_header, resp.headers.get(poweredby_header, None))
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
p = ScanParser(port, values)
module = p.get_module()
domain = p.get_domain()
product = p.get_product()
if 'ssh' in module or 'ssh' in product.lower():
if port != 22:
self.rule_details = 'Server is hiding SSH behind remote port: {}'.format(
port)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
