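def scan_target(scan_info, url_to_scan):
    """Run the IIS short-name scanner against *url_to_scan* and report a finding.

    Only targets whose ``Server`` response header mentions ``IIS`` are scanned.
    When the scanner's stdout does not contain ``NOT VULNERABLE`` the output is
    rendered to a PNG, attached to a ``Vulnerability`` and handed to ``slack``,
    ``mongo`` and ``redmine``. The temporary PNG is always deleted afterwards,
    even when one of the reporting calls fails. Every error is logged and
    swallowed so that one bad target cannot abort the caller's scan loop.

    Args:
        scan_info: Scan context forwarded to ``Vulnerability``.
        url_to_scan: Target URL, passed to the scanner as a positional argument.

    Returns:
        None.
    """
    import logging

    resp = get_response(url_to_scan)
    if resp is None:
        return

    output_path = None
    try:
        # No Server header, or a non-IIS server: nothing to scan.
        if 'IIS' not in resp.headers.get('Server', ''):
            return

        root_dir = os.path.dirname(os.path.abspath(__file__))
        tool_jar = os.path.join(root_dir, 'tools', 'IIS-ShortName-Scanner',
                                'iis_shortname_scanner.jar')
        config_xml = os.path.join(root_dir, 'tools', 'IIS-ShortName-Scanner',
                                  'config.xml')
        # Argument list, no shell: url_to_scan is never interpreted by a shell.
        # '0' and '10' are the scanner's positional settings (presumably
        # progress flag and thread count) -- confirm against the tool's docs.
        iis_process = subprocess.run(
            ['java', '-jar', tool_jar, '0', '10', url_to_scan, config_xml],
            capture_output=True)
        message = iis_process.stdout.decode()
        if "NOT VULNERABLE" in message:
            return

        img_str = image_creator.create_image_from_string(message)
        output_path = os.path.join(root_dir, 'tools_output',
                                   uuid.uuid4().hex + '.png')
        im = Image.open(BytesIO(base64.b64decode(img_str)))
        im.save(output_path, 'PNG')

        vulnerability = Vulnerability(
            constants.IIS_SHORTNAME_MICROSOFT, scan_info,
            "IIS Microsoft files and directories enumeration found")
        vulnerability.add_attachment(output_path, 'IIS-Result.png')
        slack.send_vuln_to_channel(vulnerability, SLACK_NOTIFICATION_CHANNEL)
        vulnerability.id = mongo.add_vulnerability(vulnerability)
        redmine.create_new_issue(vulnerability)
    except Exception:
        # Best-effort: a failing scanner, decoder or reporting backend must
        # not stop the loop over targets, but it should not vanish silently.
        logging.getLogger(__name__).exception(
            "IIS short-name scan failed for %s", url_to_scan)
    finally:
        # Remove the temporary attachment even when reporting failed midway.
        if output_path is not None:
            try:
                os.remove(output_path)
            except OSError:
                pass
    return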
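def add_vulnerability(scan_info, data, message, cvssScore):
    """Report an ``UNSECURE_METHOD`` finding with *data* rendered as an image.

    *data* is rendered to a base64 PNG by ``image_creator``, stored on the
    ``Vulnerability`` both inline and as a temporary file attachment, and the
    vulnerability is then handed to ``slack``, ``mongo`` and ``redmine``. The
    temporary PNG is removed in a ``finally`` block so it does not linger when
    a reporting backend raises.

    Args:
        scan_info: Scan context forwarded to ``Vulnerability``.
        data: Text to render into the attached image.
        message: Human-readable description stored on the vulnerability.
        cvssScore: Score assigned to ``vulnerability.cvss``.

    Returns:
        None.
    """
    vulnerability = Vulnerability(constants.UNSECURE_METHOD, scan_info, message)
    img_str = image_creator.create_image_from_string(data)
    vulnerability.add_image_string(img_str)

    root_dir = os.path.dirname(os.path.abspath(__file__))
    output_path = os.path.join(root_dir, 'tools_output',
                               uuid.uuid4().hex + '.png')
    try:
        im = Image.open(BytesIO(base64.b64decode(img_str)))
        im.save(output_path, 'PNG')
        vulnerability.add_attachment(output_path, 'NMAP-result.png')
        vulnerability.cvss = cvssScore
        slack.send_vuln_to_channel(vulnerability, SLACK_NOTIFICATION_CHANNEL)
        vulnerability.id = mongo.add_vulnerability(vulnerability)
        redmine.create_new_issue(vulnerability)
    finally:
        # The file may not exist if Image.open/save failed; that is fine.
        with suppress(OSError):
            os.remove(output_path)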
def scan_target(scan_info, url_to_scan):
    """Check *url_to_scan* for missing or badly valued security headers.

    The target is fetched once; every response header is rendered to an image
    that accompanies any finding. A fixed list of security headers is then
    walked: an absent header contributes to a "missing header" finding, a
    present header rejected by ``check_header_value`` contributes to an
    "invalid value" finding. Nothing is reported for a 404 response.

    Args:
        scan_info: Scan context forwarded to the ``add_header_*`` reporters.
        url_to_scan: Target URL passed to ``get_response``.

    Returns:
        None.
    """
    response = get_response(url_to_scan)
    if response is None:
        return

    # Full header dump for the report image.
    dump_lines = ['Response Headers From: ' + url_to_scan + '\n\n']
    for name in response.headers:
        dump_lines.append(name + " : " + response.headers[name] + '\n')
    img_b64 = image_creator.create_image_from_string(''.join(dump_lines))

    # TODO: also check the cache-related headers.
    important_headers = [
        'Content-Security-Policy',
        'X-XSS-Protection',
        'x-frame-options',
        'X-Content-Type-options',
        'Strict-Transport-Security',
        'Access-Control-Allow-Origin'
    ]

    if response.status_code == 404:
        return

    missing_lines = ["Headers were not found \n"]
    invalid_lines = ["Headers with invalid values were found \n"]
    for header in important_headers:
        try:
            value = response.headers[header]
            # NOTE(review): a header present with an empty value is neither
            # reported as missing nor validated -- kept as in the original.
            if value and not check_header_value(header, value):
                invalid_lines.append(
                    "Header %s was found with invalid value \n" % header)
        except KeyError:
            missing_lines.append("Header %s was not found \n" % header)

    # Only the fixed heading is present when nothing was collected.
    if len(missing_lines) > 1:
        add_header_missing_vulnerability(scan_info, img_b64,
                                         ''.join(missing_lines))
    if len(invalid_lines) > 1:
        add_header_value_vulnerability(scan_info, img_b64,
                                       ''.join(invalid_lines))
    return
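def default_account(scan_info, url_to_scan):
    """Run nmap's http-default-accounts script against *url_to_scan*.

    nmap is invoked on the usual web ports with the bundled fingerprint file
    and ``-oA`` output. The XML report is parsed with ``xmltodict`` and every
    script output containing ``"] at /"`` is concatenated into a message; a
    non-empty message is rendered to an image and stored through
    ``add_vuln_to_mongo`` under the ``"default_creds"`` tag. Once the XML report
    has been read, ``cleanup`` is always called on the output base name, also
    on the paths that previously returned early and leaked the output files.

    Unlike the original, single ``<host>``, ``<port>`` or ``<script>`` elements
    (which xmltodict returns as a dict rather than a list) are handled: a
    single ``script`` dict previously iterated over its keys and never matched.

    Args:
        scan_info: Scan context forwarded to ``add_vuln_to_mongo``.
        url_to_scan: Target handed to nmap as a positional argument.

    Returns:
        None.
    """
    root_dir = os.path.dirname(os.path.abspath(__file__))
    fingerprint_file = os.path.join(
        root_dir, 'tools', 'http-default-accounts-fingerprints-nndefaccts.lua')
    nse_script = os.path.join(
        root_dir, 'tools', 'nmap', 'web_versions', 'http-default-accounts.nse')
    ports = '80,81,443,591,2082,2087,2095,2096,3000,8000,8001,8008,8080,8083,8443,8834,8888'
    output_base = os.path.join(root_dir, 'tools_output',
                               uuid.uuid4().hex + '.http.def.acc')

    # Argument list, no shell. NOTE(review): nmap reads the target
    # positionally, so a value starting with '-' would be parsed as an option;
    # validate url_to_scan upstream if it is not operator-controlled.
    subprocess.run([
        'nmap', '-Pn', '-sV', '-p' + ports,
        '--script', nse_script,
        '--script-args',
        'http-default-accounts.fingerprintfile=' + fingerprint_file,
        '-oA', output_base, url_to_scan
    ], capture_output=True)

    with open(output_base + '.xml') as xml_file:
        report = xmltodict.parse(xml_file.read())

    # From here on the output files exist, so cleanup is safe to run.
    try:
        message = _collect_default_account_hits(report)
        if message:
            img_str = image_creator.create_image_from_string(message)
            add_vuln_to_mongo(scan_info, "default_creds", message, img_str)
    finally:
        cleanup(output_base)
    return


def _as_list(node):
    """Return *node* as a list: xmltodict yields a dict for a single element."""
    if node is None:
        return []
    return node if isinstance(node, list) else [node]


def _collect_default_account_hits(report):
    """Concatenate every script ``@output`` in *report* that contains ``"] at /"``.

    Walks ``nmaprun -> host -> ports -> port -> script``, normalising each
    level with ``_as_list``. Missing or malformed levels are skipped rather
    than raised, and an empty string is returned when nothing matched.
    """
    message = ""
    try:
        hosts = _as_list(report['nmaprun']['host'])
    except (KeyError, TypeError):
        return message
    for host in hosts:
        try:
            port_nodes = _as_list(host['ports']['port'])
        except (KeyError, TypeError):
            continue
        for port in port_nodes:
            if not isinstance(port, dict):
                continue
            for scp in _as_list(port.get('script')):
                if not isinstance(scp, dict):
                    continue
                output = scp.get('@output') or ''
                if "] at /" in output:
                    message += output
    return message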