def enumDNS(self):
"""Helper function to call the lib/DnsEnum Class."""
dn = dnsenum.DnsEnum(self.target)
dn.Scan()
dns_enum_commands = dn.processes
self.mpRun(dns_enum_commands)
def Scan(self):
"""Enumerate HTTPS/SSL Web Server ports based on nmaps output. This function will run the following tools;
WhatWeb, WafW00f, Dirsearch, Nikto, and curl robots.txt"""
np = nmapParser.NmapParserFunk(self.target)
np.openPorts()
df = dnsenum.DnsEnum(self.target)
df.GetHostNames()
heartbleed = df.heartbleed
hostnames = df.hostnames
ssl_ports = np.ssl_ports
system_type = np.os_system_type
if len(ssl_ports) == 0:
pass
else:
c = config_parser.CommandParser(
f"{os.path.expanduser('~')}/.config/autorecon/config.yaml",
self.target)
if not os.path.exists(c.getPath("webSSL", "webSSLDir")):
os.makedirs(c.getPath("webSSL", "webSSLDir"))
if not os.path.exists(c.getPath("web", "aquatoneDir")):
os.makedirs(c.getPath("web", "aquatoneDir"))
print(fg.li_cyan + "Enumerating HTTPS/SSL Ports" + fg.rs)
if heartbleed is True:
rc = run_commands.RunCommands(self.target)
be_mine = peaceout_banner.heartbleed(self.target)
be_mine.bleedOut()
for sslport in ssl_ports:
rc.loginator(c.getCmd("webSSL", "heartbleed",
port=sslport))
call(c.getCmd("webSSL", "heartbleed", port=sslport),
shell=True)
commands = []
if len(hostnames) == 0:
for sslport in ssl_ports:
commands.append(
c.getCmd("webSSL", "niktoSSLTarget", port=sslport))
commands.append(
c.getCmd("webSSL", "whatwebSSLTarget", port=sslport))
commands.append(
c.getCmd("webSSL", "wafw00fSSLTarget", port=sslport))
commands.append(
c.getCmd("webSSL", "curlRobotsSSLTarget",
port=sslport))
if system_type:
if system_type[0] == "Windows":
commands.append(
c.getCmd("webSSL",
"dirsearchSSLTargetDictWindows",
port=sslport))
if system_type[0] == "Linux":
commands.append(
c.getCmd("webSSL",
"dirsearchSSLTargetDict",
port=sslport))
else:
commands.append(
c.getCmd("webSSL",
"dirsearchSSLTargetDict",
port=sslport))
else:
for sslport in ssl_ports:
for host in hostnames:
commands.append(
c.getCmd("webSSL",
"niktoSSLHost",
host=host,
port=sslport))
commands.append(
c.getCmd("webSSL",
"whatwebSSLHost",
host=host,
port=sslport))
commands.append(
c.getCmd("webSSL",
"wafw00fSSLHost",
host=host,
port=sslport))
commands.append(
c.getCmd("webSSL",
"curlRobotsSSLHost",
host=host,
port=sslport))
if system_type:
if system_type[0] == "Windows":
commands.append(
c.getCmd("webSSL",
"dirsearchSSLHostDictWindows",
host=host,
port=sslport))
if system_type[0] == "Linux":
commands.append(
c.getCmd("webSSL",
"dirsearchSSLHostDict",
host=host,
port=sslport))
else:
commands.append(
c.getCmd("webSSL",
"dirsearchSSLHostDict",
host=host,
port=sslport))
self.processes = tuple(commands)
def ScanWebOption(self):
"""Enumerate Web Server ports based on nmaps output. This function will run the following tools;
WhatWeb, WafW00f, Dirsearch Nikto, and curl robots.txt
This is almost identical to the normal web scan except, it uses much larger wordlists.
"""
np = nmapParser.NmapParserFunk(self.target)
np.openPorts()
df = dnsenum.DnsEnum(self.target)
df.GetHostNames()
hostnames = df.hostnames
ssl_ports = np.ssl_ports
if len(ssl_ports) == 0:
pass
else:
commands = []
c = config_parser.CommandParser(
f"{os.path.expanduser('~')}/.config/autorecon/config.yaml",
self.target)
if not os.path.exists(c.getPath("webSSL", "webSSLDir")):
os.makedirs(c.getPath("webSSL", "webSSLDir"))
if not os.path.exists(c.getPath("web", "aquatoneDir")):
os.makedirs(c.getPath("web", "aquatoneDir"))
print(
fg.li_cyan +
"Enumerating HTTPS/SSL Ports, Running the following commands:"
+ fg.rs)
if len(hostnames) == 0:
for sslport in ssl_ports:
commands.append(
c.getCmd("webSSL", "whatwebSSLTarget", port=sslport))
# commands.append(c.getCmd("webSSL", "wafw00fSSLTarget", port=sslport))
# commands.append(c.getCmd("webSSL", "curlRobotsSSLTarget", port=sslport))
commands.append(
c.getCmd("webSSL",
"dirsearchSSLTargetDListMed",
port=sslport,
url=self.web))
commands.append(
c.getCmd("webSSL",
"dirsearchSSLTargetRaftLargeFiles",
port=sslport,
url=self.web))
commands.append(
c.getCmd("webSSL",
"dirsearchSSLTargetRaftLargeDirs",
port=sslport,
url=self.web))
commands.append(
c.getCmd("webSSL",
"dirsearchSSLTargetForeign",
port=sslport,
url=self.web))
# commands.append(c.getCmd("webSSL", "niktoSSLHost", port=sslport))
else:
for sslport in ssl_ports:
for hostname in hostnames:
commands.append(
c.getCmd("webSSL",
"whatwebSSLHost",
host=hostname,
port=sslport))
# commands.append(c.getCmd("webSSL", "wafw00fSSLHost", host=hostname, port=sslport))
# commands.append(c.getCmd("webSSL", "curlRobotsSSLHost", host=hostname, port=sslport))
commands.append(
c.getCmd("webSSL",
"dirsearchSSLHostDListMed",
host=hostname,
port=sslport,
url=self.web))
commands.append(
c.getCmd("webSSL",
"dirsearchSSLHostRaftLargeFiles",
host=hostname,
port=sslport,
url=self.web))
commands.append(
c.getCmd("webSSL",
"dirsearchSSLHostRaftLargeDirs",
host=hostname,
port=sslport,
url=self.web))
commands.append(
c.getCmd("webSSL",
"dirsearchSSLHostForeign",
host=hostname,
port=sslport,
url=self.web))
# commands.append(c.getCmd("webSSL", "niktoSSLHost", host=hostname, port=sslport))
self.processes = tuple(commands)
def sslEnumCMS(self):
"""If a valid CMS is found from initial Web Enumeration, more specifically, WhatWebs results, Then proceed to
Enumerate the CMS further using Wpscan, Magescan, Nmap, Droopescan, Joomscan, and davtest, hydra, and will
create a brute force bash script using Cewl, which will then be used by WpScan to try and brute force
Users and passwords."""
np = nmapParser.NmapParserFunk(self.target)
np.openPorts()
df = dnsenum.DnsEnum(self.target)
df.GetHostNames()
hostnames = df.hostnames
ssl_ports = np.ssl_ports
cms_commands = []
if len(ssl_ports) == 0:
pass
else:
c = config_parser.CommandParser(
f"{os.path.expanduser('~')}/.config/autorecon/config.yaml",
self.target)
for ssl_port in ssl_ports:
whatweb_files = []
whatweb_hostnames = []
dir_list = [
d for d in glob.iglob(c.getPath("report", "reportGlob"),
recursive=True) if os.path.isdir(d)
]
for d in dir_list:
reportFile_list = [
fname
for fname in glob.iglob(f"""{d}/*""", recursive=True)
if os.path.isfile(fname)
]
for rf in reportFile_list:
if "whatweb" in rf:
if str(ssl_port) in rf:
whatweb_files.append(rf)
if len(hostnames) != 0:
for host in hostnames:
if host in rf:
whatweb_hostnames.append(host)
if len(whatweb_files) != 0:
for i in whatweb_files:
cms_strings = [
"WordPress",
"Magento",
"tomcat",
"WebDAV",
"Microsoft-IIS 6.0",
"Drupal",
"Joomla",
"Webmin",
]
try:
with open(i, "r") as wwf:
for word in wwf:
fword = (word.replace("[", " ").replace(
"]", " ").replace(",", " "))
for cms in cms_strings:
if cms in fword:
if len(whatweb_hostnames) != 0:
for hn in whatweb_hostnames:
if hn in i:
if "WordPress" in cms:
if not os.path.exists(
c.getPath(
"vuln",
"vulnDir"
)):
os.makedirs(
c.getPath(
"vuln",
"vulnDir"
))
cms_commands.append(
c.getCmd(
"vuln",
"searchsploit",
strang=str(
cms),
name=
"WordPress"
))
cms_commands.append(
c.getCmd(
"webSSL",
"wpscanSSLHost",
host=hn,
sslPort=
ssl_port))
if "Drupal" in cms:
if not os.path.exists(
c.getPath(
"vuln",
"vulnDir"
)):
os.makedirs(
c.getPath(
"vuln",
"vulnDir"
))
cms_commands.append(
c.getCmd(
"vuln",
"searchsploit",
strang=str(
cms),
name=
"Drupal"))
cms_commands.append(
c.getCmd(
"webSSL",
"droopescanSSLHost",
host=hn,
sslPort=
ssl_port))
if "Joomla" in cms:
if not os.path.exists(
c.getPath(
"vuln",
"vulnDir"
)):
os.makedirs(
c.getPath(
"vuln",
"vulnDir"
))
cms_commands.append(
c.getCmd(
"vuln",
"searchsploit",
strang=str(
cms),
name=
"Joomla"))
cms_commands.append(
c.getCmd(
"webSSL",
"joomscanHost",
host=hn,
sslPort=
ssl_port))
cms_commands.append(
c.getCmd(
"webSSL",
"joomlavsSSLHost",
host=hn,
sslPort=
ssl_port))
if "Magento" in cms:
if not os.path.exists(
c.getPath(
"vuln",
"vulnDir"
)):
os.makedirs(
c.getPath(
"vuln",
"vulnDir"
))
cms_commands.append(
c.getCmd(
"vuln",
"searchsploit",
strang=str(
cms),
name=
"Magento"))
cms_commands.append(
c.getCmd(
"webSSL",
"magescanHost",
host=hn,
sslPort=
ssl_port))
if "WebDAV" in cms:
if not os.path.exists(
c.getPath(
"vuln",
"vulnDir"
)):
os.makedirs(
c.getPath(
"vuln",
"vulnDir"
))
cms_commands.append(
c.getCmd(
"vuln",
"searchsploit",
strang=str(
cms),
name=
"WebDAV"))
cms_commands.append(
c.getCmd(
"webSSL",
"davtestHost",
host=hn))
if "Webmin" in cms:
if not os.path.exists(
c.getPath(
"vuln",
"vulnDir"
)):
os.makedirs(
c.getPath(
"vuln",
"vulnDir"
))
cms_commands.append(
c.getCmd(
"vuln",
"searchsploit",
strang=str(
cms),
name=
"Webmin"))
else:
if "WordPress" in cms:
cms_commands.append(
c.getCmd(
"webSSL",
"wpscanSSLTarget",
sslPort=ssl_port))
manual_brute_force_script = f"""#!/bin/bash
if [[ -n $(grep -i "User(s) Identified" {c.getPath("webSSL", "wpscanSSL", sslPort=ssl_port)}) ]]; then
grep -w -A 100 "User(s)" {c.getPath("webSSL", "wpscanSSL", sslPort=ssl_port)} | grep -w "[+]" | grep -v "WPVulnDB" | cut -d " " -f 2 | head -n -7 >{c.getPath("webSSL", "wpUsers")}
{c.getCmd("webSSL", "cewlSSLTarget", sslPort=ssl_port)}
sleep 10
echo "Adding John Rules to Cewl Wordlist!"
{c.getCmd("webSSL", "johnCewl")}
sleep 3
# brute force again with wpscan
{c.getCmd("webSSL", "wpscanCewlBruteTarget", sslPort=ssl_port)}
sleep 1
if grep -i "No Valid Passwords Found" {c.getPath("webSSL", "wpscanCewlBruteReport")}; then
if [ -s {c.getPath("webSSL", "cewlJohnList")} ]; then
{c.getCmd("webSSL", "wpscanJohnCewlBruteTarget", sslPort=ssl_port)}
else
echo "John wordlist is empty :("
fi
sleep 1
if grep -i "No Valid Passwords Found" {c.getPath("webSSL", "wordpressJohnCewlBrute")}; then
{c.getCmd("webSSL", "wpscanFastTrackHost", sslPort=ssl_port)}
fi
fi
fi
"""
try:
with open(
c.getPath(
"webSSL",
"wordpressBruteBashScript"
), "w") as wpb:
print(
"Creating wordpress Brute Force Script..."
)
wpb.write(
manual_brute_force_script
)
call(
f"""chmod +x {c.getPath("webSSL", "wordpressBruteBashScript")}""",
shell=True)
except FileNotFoundError as fnf_error:
print(fnf_error)
continue
if "Drupal" in cms:
if not os.path.exists(
c.getPath(
"vuln",
"vulnDir")):
os.makedirs(
c.getPath(
"vuln",
"vulnDir"))
cms_commands.append(
c.getCmd(
"vuln",
"searchsploit",
strang=str(cms),
name="Drupal"))
cms_commands.append(
c.getCmd(
"webSSL",
"droopescanSSLHost",
sslPort=ssl_port))
if "Joomla" in cms:
if not os.path.exists(
c.getPath(
"vuln",
"vulnDir")):
os.makedirs(
c.getPath(
"vuln",
"vulnDir"))
cms_commands.append(
c.getCmd(
"vuln",
"searchsploit",
strang=str(cms),
name="Joomla"))
cms_commands.append(
c.getCmd(
"webSSL",
"joomscanTarget",
sslPort=ssl_port))
cms_commands.append(
c.getCmd(
"webSSL",
"joomlavsSSLTarget",
sslPort=ssl_port))
if "Magento" in cms:
if not os.path.exists(
c.getPath(
"vuln",
"vulnDir")):
os.makedirs(
c.getPath(
"vuln",
"vulnDir"))
cms_commands.append(
c.getCmd(
"vuln",
"searchsploit",
strang=str(cms),
name="Magento"))
cms_commands.append(
c.getCmd(
"webSSL",
"magescanTarget",
sslPort=ssl_port))
if "WebDAV" in cms:
if not os.path.exists(
c.getPath(
"vuln",
"vulnDir")):
os.makedirs(
c.getPath(
"vuln",
"vulnDir"))
cms_commands.append(
c.getCmd(
"vuln",
"searchsploit",
strang=str(cms),
name="WebDAV"))
cms_commands.append(
c.getCmd(
"webSSL",
"davtestTarget"))
cms_commands.append(
c.getCmd(
"webSSL",
"nmapWebDav",
sslPot=ssl_port))
if "Webmin" in cms:
if not os.path.exists(
c.getPath(
"vuln",
"vulnDir")):
os.makedirs(
c.getPath(
"vuln",
"vulnDir"))
cms_commands.append(
c.getCmd(
"vuln",
"searchsploit",
strang=str(cms),
name="Webmin"))
except FileNotFoundError as fnf:
print(fnf)
continue
sorted_commands = sorted(set(cms_commands))
commands_to_run = []
for i in sorted_commands:
commands_to_run.append(i)
mpCmds = tuple(commands_to_run)
self.cms_processes = mpCmds