Пример #1
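    def subdomain_enum(self, target):
        """Resolve every word-list entry as a sub-domain of *target* and print the hits.

        The word list is read from the file named after ``-w`` on the command
        line when that option is present (falling back to the bundled list if
        it cannot be read), otherwise from ``../resources/subdomain_list.txt``.
        Each candidate ``<word>.<target>`` is looked up as an ``A`` record;
        every answer is printed and, when ``dns_fun.logging`` is set, also
        written through ``coretools.write_file``. Ends by calling
        ``coretools.exit``.
        """
        print '\n[*] Sub-Domain Enumeration for: %s' % (target)
        print '-'*40

        # Get word list; the file is closed as soon as it has been read.
        subs = None
        if "-w" in sys.argv:
            try:
                with open(coretools.plus_one('-w')) as handle:
                    subs = [x.strip() for x in handle]
            except Exception:
                print "[!] Error parsing custom word list, reverting to default..."
        if subs is None:
            with open('../resources/subdomain_list.txt') as handle:
                subs = [x.strip() for x in handle]

        # One resolver for the whole run. The name servers must be set on the
        # resolver *before* querying: the earlier code assigned them to the
        # answer object after the query, which never changed which server
        # was asked.
        # NOTE(review): every candidate name is sent to these public
        # resolvers; use an internal resolver when the names are sensitive.
        resolver = dns.resolver.Resolver()
        resolver.timeout = 3
        resolver.lifetime = 3
        resolver.nameservers = ['8.8.8.8', '8.8.4.4']

        # Column width for aligned output, derived from the last CLI argument.
        space_num = len(sys.argv[-1]) + 10

        for s in subs:
            if not s:
                # A blank word-list line would only produce an invalid name.
                continue
            query = s+'.'+target
            try:
                dns_query = resolver.query(query, 'A')
                for resp in dns_query:
                    print '+ %-*s--> %s' % (space_num, query, resp)
                    if dns_fun.logging:
                        coretools.write_file(dns_fun.filename, '%-*s %s' % (space_num, query, resp))
            except Exception:
                # Best effort: names that do not resolve, time out, or fail
                # to log are skipped so the enumeration keeps going.
                pass
        coretools.exit("\n")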
Пример #2
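    def scan(self, header):
        """Send one prepared request to the target and record the response status.

        Opens a TCP connection to ``self.target``:``self.port`` (wrapped in
        TLS when ``self.secure`` is set), sends *header*, reads up to 4096
        bytes of the reply, appends the first response line minus its first
        nine characters to ``self.summary`` and prints the response. On any
        other error the exception itself is appended to ``self.summary``.
        The socket is closed on every path.
        """
        sock = None
        try:
            # setup connection
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(2)
            sock.connect((self.target, self.port))
            if self.secure:
                # Certificate checking is off (CERT_NONE): the peer is not
                # authenticated, so the reply cannot be tied to the intended
                # server. PROTOCOL_SSLv23 lets the two sides negotiate the
                # protocol version rather than pinning TLSv1.1.
                sock = ssl.wrap_socket(sock,
                                       keyfile=None,
                                       certfile=None,
                                       server_side=False,
                                       cert_reqs=ssl.CERT_NONE,
                                       ssl_version=ssl.PROTOCOL_SSLv23)
            sock.sendall(header)
            # A single read: only the first 4096 bytes of the reply are seen.
            resp = sock.recv(4096)
            lines = resp.splitlines()

            # Add HTTP code to summary report (an empty reply raises
            # IndexError here and is recorded by the handler below).
            self.summary.append(lines[0][9:])
            # Print response header. The text comes from the remote host and
            # is written to the terminal exactly as received.
            print "<--------------\nResponse Header\n<--------------"
            for line in lines:
                print line
        except KeyboardInterrupt:
            coretools.exit("\n[!] Key Event Detected...\n\n")
        except Exception as e:
            print "[-] HTTP Response: ", e
            self.summary.append(e)
        finally:
            # Release the descriptor on every path, including errors.
            if sock is not None:
                sock.close()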
Пример #3
 def crawler(self):
     # Drive the crawl: hand queued pages to worker threads in batches until
     # either self.max_pages pages have been dispatched or every entry of
     # self.pages has been dispatched.
     # NOTE(review): presumably request_handler appends newly found links to
     # self.pages while this loop runs - confirm against request_handler.
     print "[*] Initializing Scan...\n\nSpider Stats:\n", "-" * 35
     # Index of the next entry of self.pages to dispatch.
     crawl_count = 0
     while crawl_count < self.max_pages and crawl_count != len(self.pages):
         try:
             threads = []
             self.status(crawl_count)
             # Start at most self.max_threads workers for this batch. With a
             # max_threads of 0 or less this range is empty, crawl_count never
             # advances and the outer loop does not terminate.
             for z in range(0, self.max_threads):
                 # Re-check the limits: the batch may reach them part-way.
                 if crawl_count < self.max_pages and crawl_count != len(
                         self.pages):
                     t = Thread(target=self.request_handler,
                                args=(self.pages[crawl_count], ))
                     t.daemon = True
                     threads.append(t)
                     t.start()
                     crawl_count += 1
             # Wait up to one second per worker; a slower worker keeps
             # running in the background as a daemon thread.
             for t in threads:
                 t.join(1)
             # Give the first thread time to collect links
             if crawl_count == 1:
                 sleep(5)
         except KeyboardInterrupt:
             coretools.exit("\n[!] Key Event Detected...\n")
         except Exception, e:
             # Any other error in a batch is dropped without a message and
             # the loop carries on.
             pass
Пример #4
def start_scan(targets, methods):
    """Request and print the response header for every method/target pair.

    For each entry of *targets*, each prefix in *methods* is prepended to
    form a URL, ``get_header`` is called on it and the result is printed.
    Failed attempts are shown only when ``-v`` is on the command line.
    A progress line is printed after every 20 targets, and the function
    finishes by calling ``coretools.exit``.
    """
    print "\n[*] Starting Scan...\n\n"

    # -v on the command line also shows the attempts that failed
    verbose = "-v" in sys.argv

    total = len(targets)
    for done, target in enumerate(targets):
        # progress line once 20, 40, 60, ... targets have been scanned
        if done and not done % 20:
            print "[*] get_header.py Status: ", coretools.get_percent(
                done, total)

        for method in methods:
            try:
                # scheme prefix + host make up the URL to request
                url = "".join((str(method), str(target)))
                response = get_header(url)
                print "\n[+] Target: %s" % (url)
                print response
            except KeyboardInterrupt:
                coretools.exit("\n[!] Keyboard Interrupt Caught...\n\n")
            except Exception as err:
                if not verbose:
                    continue
                print "\n[-] Target: %s" % (url)
                print err
    coretools.exit("\n[!] Scan Complete\n\n")
Пример #5
def main():
    """Parse the command line and run the verb-tamper scan against one target.

    The last argument is the target (a leading ``scheme://`` is stripped),
    ``-ssl`` switches TLS on and ``-p`` supplies the port. Every verb of the
    ``tamper`` object is sent once, then the results are printed.
    """
    # Help banner
    if len(sys.argv) <= 1 or "-h" in sys.argv:
        banner()

    # Setup info
    target = sys.argv[-1]
    if "://" in target:
        print "\n[!] http / https:// not required, stripping from target..."
        target = target.split("://")[1]

    # Check if SSL enabled
    use_ssl = "-ssl" in sys.argv

    # Get port information
    try:
        port = int(coretools.plus_one("-p"))
    except:
        coretools.exit("\n[-] Error parsing port, see -h for more\n\n")

    try:
        # Start verb tamper: one request per verb
        session = tamper(target, port, use_ssl)
        for verb in session.verbs:
            request = session.add_headers(verb)
            session.scan(request)
        # Get Results:
        session.results()
    except Exception as err:
        coretools.exit("\n Main Error: %s" % (err))
Пример #6
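def main():
    """Parse the command line and scan every target in batches of threads.

    ``-m http`` / ``-m https`` restricts the scan to one scheme (both are
    used otherwise), ``-v`` shows failed attempts and ``-t`` sets the number
    of threads per batch (default 5). The last argument is expanded into
    the target list by ``coretools.list_targets``.
    """
    # help check
    if "-h" in sys.argv or len(sys.argv) == 1: banner()

    # Choose Scan methods
    mode = coretools.plus_one("-m") if "-m" in sys.argv else None
    if mode == "http":
        methods = ['http://']
    elif mode == "https":
        methods = ['https://']
    else:
        methods = ['http://', 'https://']

    # verbose = show failed attempts
    verbose = "-v" in sys.argv

    # set max threads
    max_threads = 5
    if "-t" in sys.argv:
        try:
            max_threads = int(coretools.plus_one("-t"))
            # A count below 1 would start no threads at all, so the batch
            # loop below would never advance and never finish.
            if max_threads < 1:
                raise ValueError("thread count must be at least 1")
        except Exception:
            print "[!] Error parsing max threads, reverting to default"
            max_threads = 5

    # Start program
    targets = coretools.list_targets(sys.argv[-1])
    status_report(methods, len(targets))

    print "\n[*] Starting Scan...\n"
    scan_count = 0

    while scan_count != len(targets):
        threads = []
        # Start up to max_threads workers, one target each
        for x in range(0, max_threads):
            if scan_count != len(targets):
                t = Thread(target=scan,
                           args=(
                               targets[scan_count],
                               methods,
                               verbose,
                           ))
                t.daemon = True
                threads.append(t)
                t.start()
                scan_count += 1
        # Wait at most one second per worker before starting the next batch
        for t in threads:
            t.join(1)
    coretools.exit("\n[!] Scan Complete\n\n")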
Пример #7
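def main():
    """Parse the command line and run the WebDav check against every target.

    ``-v`` turns verbose output on, ``-t`` sets the number of threads per
    batch (default 5) and ``-p`` the port (default 80). The last argument
    is expanded into the target list by ``coretools.list_targets``.
    """
    # Help banner
    if "-h" in sys.argv or len(sys.argv) == 1: banner()

    targets = coretools.list_targets(sys.argv[-1])

    # verbose output
    v = "-v" in sys.argv

    # set max threads
    max_threads = 5
    if "-t" in sys.argv:
        try:
            max_threads = int(coretools.plus_one("-t"))
            # A count below 1 would start no threads at all, so the batch
            # loop below would never advance and never finish.
            if max_threads < 1:
                raise ValueError("thread count must be at least 1")
        except Exception:
            print "[!] Error parsing max threads, reverting to default"
            max_threads = 5

    # set port; there is no fallback for an explicit but unusable value
    port = 80
    if "-p" in sys.argv:
        try:
            port = int(coretools.plus_one("-p"))
            if not 1 <= port <= 65535:
                raise ValueError("port out of range")
        except Exception:
            coretools.exit("[!] Invalid port detected\n\n")

    print "\n[*] Starting WebDav Scan\n"
    # start scan
    scan_count = 0

    while scan_count != len(targets):
        threads = []
        # Start up to max_threads workers, one target each
        for z in range(0, max_threads):
            if scan_count != len(targets):
                x = Thread(target=scan, args=(
                    targets[scan_count],
                    port,
                    v,
                ))
                threads.append(x)
                x.daemon = True
                x.start()
                scan_count += 1
        # Wait at most one second per worker before starting the next batch
        for t in threads:
            t.join(1)
    coretools.exit("\n[!] Scan Complete\n\n")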
Пример #8
 def results(self):
     """Print one status line per recorded summary entry, then exit.

     Exits early through ``coretools.exit`` when ``self.summary`` is empty.
     Entry *i* of ``self.summary`` is paired with ``self.verbs[i]``.
     """
     print "---------------\nSummary of Results\n---------------"
     if not self.summary:
         coretools.exit(
             "[!] No Summary Provided\n[*] Check input and try again")

     heading = "\nTarget: %s    Port: %-5s    SSL: %s \n"
     print heading % (self.target, self.port, self.secure)

     # summary entries are in the same order as the verbs that were sent
     for position, status in enumerate(self.summary):
         verb = self.verbs[position]
         print '[*] Verb: %-8s Status:' % (verb), status
     coretools.exit("\n[+] Scan Complete\n")
Пример #9
def banner():
    """Print the verb-tamper usage text, then leave through coretools.exit."""
    usage = '''

    -------------------------------
        Verb Tamper script:
    -------------------------------

    options:
        -ssl        For ssl encryption
        -p [port]   port to send data

    Usage:
    python http_opt.py -p port [server/IP]
    python http_opt.py -p 443 -ssl google.com
    python http_opt.py -p 80 127.0.0.1
    '''
    print usage
    coretools.exit('\n')
Пример #10
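def scan(t, port, v):
    """Send one PROPFIND request to *t*:*port* and report whether WebDav answers.

    A ``207`` status code is reported as "WebDav Enabled" together with the
    first response line containing ``Server:`` (or ``Server: N/A`` when there
    is none); any other status code is reported as disabled. Connection and
    parsing errors are reported only when *v* (verbose) is true. The socket
    is closed on every path.
    """
    # Setup Socket Connection
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(0.5)

    # HTTP Request Header
    # NOTE(review): the lines end in a bare "\n"; HTTP/1.1 specifies CRLF and
    # a strict server may reject the request - confirm this is intended.
    data = 'PROPFIND / HTTP/1.1\n'
    data += 'Host: %s\n' % (t)
    data += 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36\n'
    data += 'Content-Type: application/xml\n'
    data += 'Content-Length: 0\n\n'

    try:
        sock.connect((t, port))
        sock.send(data)
        # NOTE(review): 2014 looks like a typo for 2048 - confirm.
        resp = sock.recv(2014)

        sys.stdout.flush()
        lines = resp.splitlines()
        # An empty or malformed status line raises IndexError here and is
        # handled like any other failure below.
        code = lines[0].split(" ")[1]

        # Compare the status-code field itself; a substring test on the
        # whole status line would also match "207" in the reason phrase.
        if code == "207":
            # The Server line comes from the remote host and is written to
            # the terminal exactly as received.
            server = next((y for y in lines if 'Server:' in y), None)
            if server is not None:
                sys.stdout.write("[+] WebDav Enabled: %s (Code: %s %s)\n" %
                                 (t, code, server))
            else:
                # Plain write: wrapping it in a print statement also printed
                # the write's return value ("None") on a line of its own.
                sys.stdout.write(
                    "[+] WebDav Enabled: %s (Code: %s Server: N/A)\n" %
                    (t, code))
        else:
            sys.stdout.write("[-] WebDav Disabled: %s (Code: %s)\n" %
                             (t, code))
    except KeyboardInterrupt:
        coretools.exit("\n[!] Key Event Detected...\n\n")
    except Exception as e:
        if v:
            sys.stdout.write("[-] WebDav Disabled: %s (%s)\n" % (t, e))
    finally:
        sock.close()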
Пример #11
    def setup_logging(self):
        """Create the output directory for this spider run and return its path.

        The directory is ``spider_output/<first five characters of
        self.source>/``. When it already exists the user is asked whether to
        delete it: an answer of ``n``/``N`` ends the program, anything else
        removes and recreates the directory. Any exception is reported
        through ``coretools.exit``.
        """
        try:
            root = 'spider_output/'
            if not os.path.exists(root):
                os.mkdir(root)

            # NOTE(review): if self.source is a URL, its first five
            # characters are only the scheme ("http:" / "https"), so every
            # site would share one directory and the delete prompt would
            # cover another site's records - TODO confirm.
            out_dir = "spider_output/%s/" % (self.source[0:5])
            if os.path.exists(out_dir):
                print "[!] Spider of site detected..."
                answer = raw_input("[*] Delete existing records? (Y/n): ")
                if answer in ("n", "N"):
                    print "\n\n[*] Closing\n"
                    sys.exit(0)
                # Anything other than n/N counts as consent to delete.
                coretools.remove_dir(out_dir)
                os.mkdir(out_dir)
            else:
                os.mkdir(out_dir)
            return out_dir
        except Exception as err:
            coretools.exit("[!] Setup Logging Error: %s" % (err))
Пример #12
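def main():
    """Parse the command line and start the spider on the given URL.

    The last argument is the start URL and must contain ``://``; a trailing
    ``/`` is removed. ``-c`` sets the maximum number of pages (default 50)
    and ``-t`` the maximum number of threads (default 5).
    """
    # Help banner
    if "-h" in sys.argv or len(sys.argv) == 1: banner()

    # starting url prep
    url = sys.argv[-1]
    if "://" not in url:
        print "\n\n[!] Must include http:// | https:// tag"
        print "[!] see ./spider.py --help for more\n\n"
        sys.exit(0)

    url = url.rstrip("/")

    # set max pages to spider
    max_pages = 50
    if "-c" in sys.argv:
        try:
            max_pages = int(sys.argv[sys.argv.index("-c") + 1])
        except (IndexError, ValueError):
            print "[!] Error parsing max pages, reverting to default"
            max_pages = 50

    # set max threads
    max_threads = 5
    if "-t" in sys.argv:
        try:
            max_threads = int(sys.argv[sys.argv.index("-t") + 1])
            # With fewer than one thread no page would ever be dispatched
            # and the crawl loop could not make progress.
            if max_threads < 1:
                raise ValueError("thread count must be at least 1")
        except (IndexError, ValueError):
            print "[!] Error parsing max threads, reverting to default"
            max_threads = 5

    try:
        scan = spider(url, max_pages, max_threads)
    except KeyboardInterrupt:
        coretools.exit("\n[!] Key Event Detected...\n")
    except Exception as e:
        # Report the failure instead of ending without any output.
        print "[!] Spider Error: %s" % (e)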
Пример #13
def banner():
    """Print the Get_Header usage text, then leave through coretools.exit."""
    usage = """
                        Get_Header

    This script will connect to the target machine(s) and return
    the full HTTP response header. This will test both http and
    https unless otherwise noted in the command line arguments.
    Used for recon and fingerprinting target machines.

    Method:
    -m [http/https]         Default will be both http & https
    -v                      Verbose output (show failed attempts)

    Targets:
    *) python get_header.py -m http scope.txt
    *) python get_header.py 10.0.0.1
    *) python get_header.py -nw 10.0.0.0/24
    *) python get_header.py 10.0.0.1, 10.0.0.3
    *) python get_header.py 10.0.0.1-50
    """
    print usage
    coretools.exit("\n")
Пример #14
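def https_default(target):
    """Return *target* as a URL that carries a scheme and ends with ``/``.

    A target without ``://`` gets ``https://`` prepended (a notice is
    printed); a missing trailing slash is added.

    Raises:
        SystemExit: when *target* contains no ``.`` or cannot be prepared.
    """
    # Check if target has domain extension.
    # SystemExit is raised directly: the exit() builtin is a helper that the
    # site module installs and is not guaranteed to exist in every run.
    if "." not in target:
        raise SystemExit("\n[!] Error Invalid target, try again...\n\n")

    try:
        # check for Protocol Identifier
        if "://" not in target:
            print("\n[!] http:// or https:// not privided...\n[*] Defaulting to: https://")
            target = str("https://" + target)

        # make sure the result ends with /
        if target.endswith("/"):
            return target
        return str(target + "/")
    except Exception:
        raise SystemExit("[!] Error prepairing target for scan...")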
Пример #15
def banner():
    """Print the Get_Server usage text, then leave through coretools.exit."""
    usage = """
                        Get_Server

    This script will connect to the target machine(s) and return
    the HTTP response "Server" header. Used for recon and
    fingerprinting target machines.

    Method:
    -m [http/https]         Default will be both http & https
    -v                      Verbose output (show failed attempts)
    -t                      Number of threads (default: 5)

    Targets:
    *) python get_server.py -m http scope.txt
    *) python get_server.py 10.0.0.1
    *) python get_server.py 10.0.0.1-5
    *) python get_server.py 10.0.0.1,10.0.0.3
    *) python get_server.py 10.0.0.0/24

    """
    print usage
    coretools.exit("\n")
Пример #16
def banner():
    """Print the dns_fun usage text, then leave through coretools.exit."""
    usage = '''
                    DnS_FuN.pY
         -----------------------------------

    DNS Lookup:
        -t [type]           DNS lookup types:
                            [NS, A, AAAA, MX, TXT, CNAME, HINFO, ISDN, PTR, SOA]

        -t all              Lookup all DNS types

    DNS Zone Transfer:
        -z                  Perform DNS Zone Transfer

    Sub-Domain Brute Force:
        -s                  Subdomain Brute force
        -w [file.txt]       custom word list

    Example usage:
        python dns_fun.py -t MX google.com
        python dns_fun.py -z zonetransfer.me
        python dns_fun.py -s yahoo.com'''
    print usage
    coretools.exit("\n")
Пример #17
def main():
    """Parse the command line and run the selected DNS action on the target.

    The last argument is the target; it is refused when it contains ``://``
    or two consecutive dots. ``-t`` runs a record lookup of the given type,
    ``-z`` a zone transfer and ``-s`` the sub-domain enumeration; the first
    of these found (in that order) wins.
    """
    try:
        argv = sys.argv
        # help banner
        if len(argv) == 1 or "-h" in argv:
            banner()

        # quick target input validation
        target = argv[-1]
        if ".." in target or "://" in target:
            coretools.exit("\n[!] DNS_fun Target Error, use -h for more\n\n")

        # new class
        dns_scan = dns_fun()
        if "-t" in argv:
            record_type = coretools.plus_one("-t")
            dns_scan.lookup(target, record_type)
        elif "-z" in argv:
            dns_scan.zone_transfer(target)
        elif "-s" in argv:
            dns_scan.subdomain_enum(target)
        else:
            coretools.exit("\n[-] No options selected, use -h for more information\n\n")
    except Exception as err:
        coretools.exit("[!] Error parsing initial options: %s" % (err))
Пример #18
    status_report(methods, len(targets))

    print "\n[*] Starting Scan...\n"
    scan_count = 0

    while scan_count != len(targets):
        threads = []
        #Start Threads
        for x in range(0, max_threads):
            if scan_count != len(targets):
                t = Thread(target=scan,
                           args=(
                               targets[scan_count],
                               methods,
                               verbose,
                           ))
                t.daemon = True
                threads.append(t)
                t.start()
                scan_count += 1
        for t in threads:
            t.join(1)
    coretools.exit("\n[!] Scan Complete\n\n")


if __name__ == "__main__":
    # Script entry point: run main() and turn Ctrl-C into a clean exit
    # message instead of a traceback.
    try:
        main()
    except KeyboardInterrupt:
        coretools.exit("\n[!] Keyboard Interrupt Caught...\n\n")
Пример #19
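    def start_it(self):
        """Run the directory brute force level by level, in batches of threads.

        ``-t`` sets the thread count (1 to 50, default 25) and ``-d`` the
        depth (at most 8, default 3). Level 0 combines ``brudis.base_url``
        with every entry of ``brudis.depth[0]``; each later level combines
        the entries of ``brudis.depth[x]`` with those of ``brudis.depth[0]``.
        Every URL is handed to ``brudis.send_it`` on its own daemon thread.
        """
        try:
            # Set Max Threads. Values below 1 are refused as well: with no
            # threads to start, the dispatch loop below could never advance.
            try:
                if "-t" in sys.argv and 1 <= int(coretools.plus_one("-t")) <= 50:
                    max_threads = int(coretools.plus_one("-t"))
                else:
                    print "[*] Using default thread count..."
                    max_threads = 25
            except Exception:
                print "[!] Error parsing thread input, reverting to default..."
                max_threads = 25
            # Set scan depth
            try:
                if "-d" in sys.argv and int(coretools.plus_one("-d")) <= 8:
                    max_depth = int(coretools.plus_one("-d"))
                else:
                    print "[*] Using default depth..."
                    max_depth = 3
            except Exception:
                print "[!] Error parsing depth input, reverting to default..."
                max_depth = 3

            # start scan
            print "[*] Using max depth: %s, and max threads: %s" % (
                max_depth, max_threads)
            print "[*] Starting Dir brute force for: %s\n\n" % (
                brudis.base_url)
            for x in range(0, max_depth):
                # Build the URL list for this level
                if x == 0:
                    temp_url = [str(brudis.base_url + y)
                                for y in brudis.depth[0]]
                else:
                    temp_url = [str(a + b)
                                for a in brudis.depth[x]
                                for b in brudis.depth[0]]
                # Setup threading
                url_count = 0
                while url_count != len(temp_url):
                    threads = []
                    for z in range(0, max_threads):
                        # stop starting threads once the list is exhausted
                        if url_count != len(temp_url):
                            if brudis.debug:
                                print "[!!] SENDING %s --> thread #%s" % (
                                    temp_url[url_count], z)
                            t = Thread(target=brudis.send_it,
                                       args=(self, temp_url[url_count], x + 1))
                            t.daemon = True
                            threads.append(t)
                            t.start()
                            url_count += 1
                    # Wait at most one second per worker before the next batch
                    for t in threads:
                        t.join(1)
        except KeyboardInterrupt:
            coretools.exit("\n[!] Keyboard Interrupt Caught\n")
        except Exception as e:
            # The flag is brudis.debug (as used above); the misspelt
            # attribute name used here before raised AttributeError from
            # inside this handler and hid the original error.
            if brudis.debug:
                coretools.exit("\n[!!] Error start_it: %s" % (e))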
Пример #20
        target = temp[1]

    #Check if SSL enabled
    if "-ssl" in sys.argv:
        ssl = True
    else:
        ssl = False

    #Get port information
    try:
        port = int(coretools.plus_one("-p"))
    except:
        coretools.exit("\n[-] Error parsing port, see -h for more\n\n")

    try:
        #Start verb tamper
        scan = tamper(target, port, ssl)
        for verb in scan.verbs:
            scan.scan(scan.add_headers(verb))
        #Get Results:
        scan.results()
    except Exception, e:
        coretools.exit("\n Main Error: %s" % (e))


if __name__ == "__main__":
    # Script entry point: run main() and turn Ctrl-C into a clean exit
    # message instead of a traceback.
    try:
        main()
    except KeyboardInterrupt:
        coretools.exit("\n[!] Key Event Detected...\n\n")
Пример #21
                        threads.append(t)
                        t.start()
                        crawl_count += 1
                for t in threads:
                    t.join(1)
                #Give time for first threaad to collect links
                if crawl_count == 1:
                    sleep(5)
            except KeyboardInterrupt:
                coretools.exit("\n[!] Key Event Detected...\n")
            except Exception, e:
                pass
                #print "[!] Crawler Error: ", e
        self.status(crawl_count)
        sys.stdout.write("\x1b[A")
        coretools.exit(" " * 65 + "\n[*] Scan Complete\n")

    def request_handler(self, url):
        # Setup Request
        agent = 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36'
        request = urllib2.Request(url)
        request.add_header('User-Agent', agent)
        request.add_header('Referer', self.source)

        # ssl cert handling
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Capture response
            response = urllib2.urlopen(request, timeout=2, context=ctx)