Пример #1
0
def checkWeakTomcatCreds(db, footprint_id, limit):
    all_hosts = []
    vulnerable_hosts = []
    os.popen('echo "" > nmap_temp/tomcat_creds_hosts')

    for host in dbfunctions.listHostsWithOpenPort(db, footprint_id, 8080,
                                                  limit):
        os.popen("echo {0} >> nmap_temp/tomcat_creds_hosts".format(host))
        all_hosts.append(host)

    if len(all_hosts) == 0:
        time.sleep(3)
        return

    results = os.popen(
        'nmap -iL nmap_temp/tomcat_creds_hosts -p 8080 --script nmap/tomcat-scan.nse | grep "Found combination" -B 7 | grep -e "Nmap scan report" -e "Found combination"'
    ).read()

    for h in results.split("--"):
        if h != "":
            ii = h.replace("\n", "").split("|")
            host = ii[0].split(" ")[4]
            creds = ii[1][23:-2]
            print "[{0}] weak tomcat creds [{1}]".format(host, creds)
            vulnerable_hosts.append(host)
            dbfunctions.updatePortVulnerability(db, footprint_id, host, 8080,
                                                1, 1, 1, creds,
                                                'Weak Tomcat Creds')

    for h in all_hosts:
        if h not in vulnerable_hosts:
            print "{0} does not have weak tomcat creds".format(h)
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 8080, 1,
                                                0, 0, '', '')
Пример #2
0
def checkMS08067(db, footprint_id, limit):
    all_hosts = []
    vulnerable_hosts = []
    os.popen('echo "" > nmap_temp/ms08067_hosts')

    for host in dbfunctions.listHostsWithOpenPort(db, footprint_id, 445,
                                                  limit):
        os.popen("echo {0} >> nmap_temp/ms08067_hosts".format(host))
        all_hosts.append(host)

    if len(all_hosts) == 0:
        time.sleep(3)
        return

    results = os.popen(
        'nmap -iL nmap_temp/ms08067_hosts -p 445 --script smb-check-vulns --script-args=unsafe=1 | grep "MS08-067: VULNERABLE" -B 8 | grep report | cut -d \  -f 5'
    ).read()
    for h in results.split("\n"):
        if h != "":
            print "[{0}] is vulnerable to MS08-067".format(h)
            vulnerable_hosts.append(h)
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 445, 1, 1,
                                                1, '', 'MS08-067')

    for h in all_hosts:
        if h not in vulnerable_hosts:
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 445, 1, 0,
                                                0, '', '')
Пример #3
0
def checkWeakMsSqlCreds(db, footprint_id, limit):
    all_hosts = []
    vulnerable_hosts = []
    os.popen('echo "" > nmap_temp/mssql_creds_hosts')

    for host in dbfunctions.listHostsWithOpenPort(db, footprint_id, 1433,
                                                  limit):
        os.popen("echo {0} >> nmap_temp/mssql_creds_hosts".format(host))
        all_hosts.append(host)

    if len(all_hosts) == 0:
        time.sleep(3)
        return

    results = os.popen(
        'nmap -iL nmap_temp/mssql_creds_hosts -p 1433 --script ms-sql-brute --script-args userdb=creds/mssql_users,passdb=creds/mssql_passes | grep Success -B 2'
    ).read()

    for h in results.split("--"):
        if h != "":
            ii = h.replace("\n", "").split("|")
            host = ii[1].split("[")[1][:-6]
            creds = ii[3][7:-17]
            print "[{0}] weak sql creds [{1}]".format(host, creds)
            vulnerable_hosts.append(host)
            dbfunctions.updatePortVulnerability(db, footprint_id, host, 1433,
                                                1, 1, 1, creds,
                                                'Weak SQL Creds')

    for h in all_hosts:
        if h not in vulnerable_hosts:
            print "{0} does not have weak sql creds".format(h)
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 1433, 1,
                                                0, 0, '', '')
Пример #4
0
def checkAnonFTP(db, footprint_id, limit):
    all_hosts = []
    vulnerable_hosts = []
    os.popen('echo "" > nmap_temp/ftp_hosts')
    for host in dbfunctions.listHostsWithOpenPort(db, footprint_id, 21, limit):
        os.popen("echo {0} >> nmap_temp/ftp_hosts".format(host))
        all_hosts.append(host)

    if len(all_hosts) == 0:
        return

    results = os.popen(
        "nmap -iL nmap_temp/ftp_hosts -p 21 -n -Pn --script ftp-anon | grep allowed -B 4 | grep report | cut -d \  -f 5"
    ).read()
    for h in results.split("\n"):
        if h != "":
            #print "[{0}] is vulnerable".format(h)
            vulnerable_hosts.append(h)
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 21, 1, 1,
                                                0, '', 'Anonymous FTP')
            #db.commit()

    #print ""
    for h in all_hosts:
        if h not in vulnerable_hosts:
            #print "{0} is not vulnerable".format(h)
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 21, 1, 0,
                                                0, '', '')
Пример #5
0
def checkWeakTomcatCreds(db,  footprint_id, limit):
    all_hosts = []
    vulnerable_hosts = []
    os.popen('echo "" > nmap_temp/tomcat_creds_hosts')

    for host in dbfunctions.listHostsWithOpenPort(db, footprint_id, 8080, limit):
        os.popen("echo {0} >> nmap_temp/tomcat_creds_hosts".format(host))
        all_hosts.append(host)

    if len(all_hosts) == 0:
        time.sleep(3)
        return

    results = os.popen('nmap -iL nmap_temp/tomcat_creds_hosts -p 8080 --script nmap/tomcat-scan.nse | grep "Found combination" -B 7 | grep -e "Nmap scan report" -e "Found combination"').read()

    for h in results.split("--"):   
        if h != "":
            ii = h.replace("\n", "").split("|")
            host = ii[0].split(" ")[4]
            creds = ii[1][23:-2]
            print "[{0}] weak tomcat creds [{1}]".format(host,  creds)
            vulnerable_hosts.append(host)
            dbfunctions.updatePortVulnerability(db, footprint_id, host, 8080, 1, 1, 1, creds, 'Weak Tomcat Creds')

    for h in all_hosts:
        if h not in vulnerable_hosts:
            print "{0} does not have weak tomcat creds".format(h)
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 8080, 1, 0, 0, '', '')
Пример #6
0
def checkWeakMsSqlCreds(db,  footprint_id, limit):
    all_hosts = []
    vulnerable_hosts = []
    os.popen('echo "" > nmap_temp/mssql_creds_hosts')

    for host in dbfunctions.listHostsWithOpenPort(db, footprint_id, 1433, limit):
        os.popen("echo {0} >> nmap_temp/mssql_creds_hosts".format(host))
        all_hosts.append(host)

    if len(all_hosts) == 0:
        time.sleep(3)
        return

    results = os.popen('nmap -iL nmap_temp/mssql_creds_hosts -p 1433 --script ms-sql-brute --script-args userdb=creds/mssql_users,passdb=creds/mssql_passes | grep Success -B 2').read()

    for h in results.split("--"):   
        if h != "":
            ii = h.replace("\n", "").split("|")
            host = ii[1].split("[")[1][:-6]
            creds = ii[3][7:-17]
            print "[{0}] weak sql creds [{1}]".format(host,  creds)
            vulnerable_hosts.append(host)
            dbfunctions.updatePortVulnerability(db, footprint_id, host, 1433, 1, 1, 1, creds, 'Weak SQL Creds')

    for h in all_hosts:
        if h not in vulnerable_hosts:
            print "{0} does not have weak sql creds".format(h)
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 1433, 1, 0, 0, '', '')
Пример #7
0
def checkMS08067(db,  footprint_id, limit):
    all_hosts = []
    vulnerable_hosts = []
    os.popen('echo "" > nmap_temp/ms08067_hosts')

    for host in dbfunctions.listHostsWithOpenPort(db, footprint_id, 445, limit):
        os.popen("echo {0} >> nmap_temp/ms08067_hosts".format(host))
        all_hosts.append(host)

    if len(all_hosts) == 0:
        time.sleep(3)
        return

    results = os.popen('nmap -iL nmap_temp/ms08067_hosts -p 445 --script smb-check-vulns --script-args=unsafe=1 | grep "MS08-067: VULNERABLE" -B 8 | grep report | cut -d \  -f 5').read()
    for h in results.split("\n"):
        if h != "":
            print "[{0}] is vulnerable to MS08-067".format(h)
            vulnerable_hosts.append(h)
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 445, 1, 1, 1, '', 'MS08-067')

    for h in all_hosts:
        if h not in vulnerable_hosts:
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 445, 1, 0, 0, '', '')
Пример #8
0
def checkAnonFTP(db, footprint_id, limit):
    all_hosts = []
    vulnerable_hosts = []
    os.popen('echo "" > nmap_temp/ftp_hosts')
    for host in dbfunctions.listHostsWithOpenPort(db, footprint_id, 21, limit):
        os.popen("echo {0} >> nmap_temp/ftp_hosts".format(host))
        all_hosts.append(host)

    if len(all_hosts) == 0:
        return

    results = os.popen("nmap -iL nmap_temp/ftp_hosts -p 21 -n -Pn --script ftp-anon | grep allowed -B 4 | grep report | cut -d \  -f 5").read()
    for h in results.split("\n"):
        if h != "":
            #print "[{0}] is vulnerable".format(h)
            vulnerable_hosts.append(h)
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 21, 1, 1, 0, '', 'Anonymous FTP')
            #db.commit()

    #print ""
    for h in all_hosts:
        if h not in vulnerable_hosts:
            #print "{0} is not vulnerable".format(h)
            dbfunctions.updatePortVulnerability(db, footprint_id, h, 21, 1, 0, 0, '', '')