def parse_nmap_report(nmap_stdout, taskid=None):
result = {}
try:
# 处理结果并写入后台数据库
nmap_report = NmapParser.parse(nmap_stdout)
# host.address
hd = ''
# 开始处理扫描结果
for host in nmap_report.hosts:
# print("Nmap scan : {0}".format(host.address))
host.taskid = taskid
hd = host.address
# 处理主机开放的服务和端口
portInfo = []
for serv in host.services:
serv.address = host.address
serv.taskid = taskid
serv.endtime = host.endtime
if serv.state in global_log_states:
p = re.findall('\[(.*)\]', str(serv))
portInfo.append(p[0])
result[hd] = portInfo
#print {host.address: portInfo}
#print '* Scan finished'
return result
except Exception, e:
logger.error('parse nmap report error')
# 处理报表出错,返回错误结果
return e
def parse_nmap_report(nmap_stdout, taskid=None):
result = {}
try:
# 处理结果并写入后台数据库
nmap_report = NmapParser.parse(nmap_stdout)
# host.address
hd = ''
# 开始处理扫描结果
for host in nmap_report.hosts:
# print("Nmap scan : {0}".format(host.address))
host.taskid = taskid
hd = host.address
# 处理主机开放的服务和端口
portInfo = []
for serv in host.services:
serv.address = host.address
serv.taskid = taskid
serv.endtime = host.endtime
if serv.state in global_log_states:
p = re.findall('\[(.*)\]', str(serv))
portInfo.append(p[0])
result[hd] = portInfo
#print {host.address: portInfo}
#print '* Scan finished'
return result
except Exception, e:
logger.error('parse nmap report error')
# 处理报表出错,返回错误结果
return e
def _get_option(section, option):
try:
cf = ConfigParser()
cf.read(paths.CONFIG_PATH, encoding='utf-8')
return cf.get(section=section, option=option)
except:
logger.error('Missing essential options, please check your config-file.')
return ''
def _load_sub_names(self):
self.queue = Queue.Queue()
try:
with open(paths.ROOT_PATH + '/plugins/subDomainsBrute/' + self.names_file) as f:
for line in f:
sub = line.strip()
if sub:
self.queue.put(sub)
except Exception as e:
logger.error(e)
print e
def _load_sub_names(self):
self.queue = Queue.Queue()
try:
with open(paths.ROOT_PATH + '/plugins/subDomainsBrute/' +
self.names_file) as f:
for line in f:
sub = line.strip()
if sub:
self.queue.put(sub)
except Exception as e:
logger.error(e)
print e
def execute(self, sql):
"""
execute sql
:param sql:
:return:
"""
try:
self.cur.execute(sql)
return self.cur.fetchall()
except Exception as e:
logger.error(e)
return False
def _load_next_sub(self):
next_subs = []
try:
with open(paths.ROOT_PATH + '/plugins/subDomainsBrute/next_sub.txt') as f:
for line in f:
sub = line.strip()
if sub and sub not in next_subs:
next_subs.append(sub)
self.next_subs = next_subs
except Exception as e:
logger.error(e)
print e
def execute(self, sql):
"""
execute sql
:param sql:
:return:
"""
try:
self.cur.execute(sql)
return self.cur.fetchall()
except Exception as e:
logger.error(e)
return False
def _load_dns_servers(self):
dns_servers = []
try:
with open(paths.ROOT_PATH + '/plugins/subDomainsBrute/dns_servers.txt') as f:
for line in f:
server = line.strip()
if server.count('.') == 3 and server not in dns_servers:
dns_servers.append(server)
self.dns_servers = dns_servers
self.dns_count = len(dns_servers)
except Exception as e:
logger.error(e)
print e
def _load_next_sub(self):
next_subs = []
try:
with open(paths.ROOT_PATH +
'/plugins/subDomainsBrute/next_sub.txt') as f:
for line in f:
sub = line.strip()
if sub and sub not in next_subs:
next_subs.append(sub)
self.next_subs = next_subs
except Exception as e:
logger.error(e)
print e
def _load_dns_servers(self):
dns_servers = []
try:
with open(paths.ROOT_PATH +
'/plugins/subDomainsBrute/dns_servers.txt') as f:
for line in f:
server = line.strip()
if server.count('.') == 3 and server not in dns_servers:
dns_servers.append(server)
self.dns_servers = dns_servers
self.dns_count = len(dns_servers)
except Exception as e:
logger.error(e)
print e
def _scan(self):
thread_id = int(threading.currentThread().getName())
self.resolvers[thread_id].nameservers = [
self.dns_servers[thread_id % self.dns_count]
] # must be a list object
self.resolvers[thread_id].lifetime = self.resolvers[
thread_id].timeout = 1.0
while self.queue.qsize(
) > 0 and self.found_count < 3000: # limit found count to 3000
sub = self.queue.get(timeout=1.0)
try:
cur_sub_domain = sub + '.' + self.target
answers = self.resolvers[thread_id].query(cur_sub_domain)
is_wildcard_record = False
if answers:
for answer in answers:
self.lock.acquire()
if answer.address not in self.ip_dict:
self.ip_dict[answer.address] = 1
else:
self.ip_dict[answer.address] += 1
if self.ip_dict[
answer.
address] > 6: # a wildcard DNS record
is_wildcard_record = True
self.lock.release()
if is_wildcard_record:
self._update_scan_count()
continue
self.lock.acquire()
self.found_count += 1
ips = ', '.join([answer.address for answer in answers])
msg = cur_sub_domain.ljust(30) + ips
self.output.insert({
'domain': cur_sub_domain,
'ip': ips,
'status': 0
})
sys.stdout.write('\r' + msg + '\r\n')
sys.stdout.flush()
# print time.time()-self.start_time
self.lock.release()
for i in self.next_subs:
self.queue.put(i + '.' + sub)
except Exception, e:
logger.error(e)
print e
self._update_scan_count()
def set_paths(module_path):
paths.ROOT_PATH = module_path
paths.CONFIG_PATH = os.path.join(paths.ROOT_PATH, "config.conf")
paths.POCS_PATH = os.path.join(paths.ROOT_PATH, "pocs")
paths.RESULT_PATH = os.path.join(paths.ROOT_PATH, "result")
if not os.path.isfile(paths.CONFIG_PATH):
err_msg = 'Config files missing, it may cause some issues.\n'
logger.error(err_msg)
if not os.path.exists(paths.POCS_PATH):
logger.error("pocs file missing")
os.mkdir(paths.POCS_PATH)
if not os.path.exists(paths.RESULT_PATH):
os.mkdir(paths.RESULT_PATH)
def insert(self, field):
"""
insert data
:param field:
:return bool:
"""
fields = self._param(field)
n = len(fields['value'])
try:
sql = 'insert into '+self.__table+' ('+fields['key']+') values('+(n*'%s,').rstrip(',')+')'
self.cur.execute(sql, fields['value'])
self.conn.commit()
return True
except Exception as e:
logger.error(e)
return False
def delete(self, condition):
"""
delete
:param condition:
:return:
"""
condition = self._param(condition)
sql = 'delete from %s where %s=' % (self.__table, condition['key'])
sql += '%s'
args = [condition['value'][0]]
try:
self.cur.execute(sql, args)
self.conn.commit()
return True
except Exception as e:
logger.error(e)
return False
def delete(self, condition):
"""
delete
:param condition:
:return:
"""
condition = self._param(condition)
sql = 'delete from %s where %s=' % (self.__table, condition['key'])
sql += '%s'
args = [condition['value'][0]]
try:
self.cur.execute(sql, args)
self.conn.commit()
return True
except Exception as e:
logger.error(e)
return False
def insert(self, field):
"""
insert data
:param field:
:return bool:
"""
fields = self._param(field)
n = len(fields['value'])
try:
sql = 'insert into ' + self.__table + ' (' + fields[
'key'] + ') values(' + (n * '%s,').rstrip(',') + ')'
self.cur.execute(sql, fields['value'])
self.conn.commit()
return True
except Exception as e:
logger.error(e)
return False
def update(self, field, condition):
"""
update data
:param field:
:param condition:
:return bool:
"""
fields = self._param(field)
con = self._param(condition)
params = fields['key'].split(',')
p = ''
for param in params:
p += param + '=%s,'
try:
self.cur.execute('update '+self.__table+' set '+p.rstrip(',')+' where '+con['key']+'='+con['value'][0], fields['value'])
self.conn.commit()
return True
except Exception as e:
logger.error(e)
return False
def _scan(self):
thread_id = int(threading.currentThread().getName())
self.resolvers[thread_id].nameservers = [self.dns_servers[thread_id % self.dns_count]] # must be a list object
self.resolvers[thread_id].lifetime = self.resolvers[thread_id].timeout = 1.0
while self.queue.qsize() > 0 and self.found_count < 3000: # limit found count to 3000
sub = self.queue.get(timeout=1.0)
try:
cur_sub_domain = sub + '.' + self.target
answers = self.resolvers[thread_id].query(cur_sub_domain)
is_wildcard_record = False
if answers:
for answer in answers:
self.lock.acquire()
if answer.address not in self.ip_dict:
self.ip_dict[answer.address] = 1
else:
self.ip_dict[answer.address] += 1
if self.ip_dict[answer.address] > 6: # a wildcard DNS record
is_wildcard_record = True
self.lock.release()
if is_wildcard_record:
self._update_scan_count()
continue
self.lock.acquire()
self.found_count += 1
ips = ', '.join([answer.address for answer in answers])
msg = cur_sub_domain.ljust(30) + ips
self.output.insert({'domain': cur_sub_domain, 'ip': ips, 'status': 0})
sys.stdout.write('\r' + msg + '\r\n')
sys.stdout.flush()
# print time.time()-self.start_time
self.lock.release()
for i in self.next_subs:
self.queue.put(i + '.' + sub)
except Exception, e:
logger.error(e)
print e
self._update_scan_count()
def update(self, field, condition):
"""
update data
:param field:
:param condition:
:return bool:
"""
fields = self._param(field)
con = self._param(condition)
params = fields['key'].split(',')
p = ''
for param in params:
p += param + '=%s,'
try:
self.cur.execute(
'update ' + self.__table + ' set ' + p.rstrip(',') +
' where ' + con['key'] + '=' + con['value'][0],
fields['value'])
self.conn.commit()
return True
except Exception as e:
logger.error(e)
return False
def save_port_info(result, DB):
if result is None or DB is None:
return False
for ip in result:
data = {}
data['ip'] = ip
ports = ''
for port in result[ip]:
ports += port+'|||'
data['port'] = ports.rstrip("|||")
if data:
if DB.check_exist({'ip': data['ip']}) is False:
if DB.insert(data):
sql = 'update gun_domains set status=1 where ip like "%'+data['ip']+'%"'
print(sql)
DB.execute(sql)
print '[ + ] Insert Success: ' + str(result)
else:
logger.error('nmap result insert db error')
print '[ - ] Insert Failed: ' + str(result)
else:
logger.warning('nmap result insert data was existed')
print '[ ! ] Data Was Existed: ' + str(result)
def save_port_info(result, DB):
if result is None or DB is None:
return False
for ip in result:
data = {}
data['ip'] = ip
ports = ''
for port in result[ip]:
ports += port + '|||'
data['port'] = ports.rstrip("|||")
if data:
if DB.check_exist({'ip': data['ip']}) is False:
if DB.insert(data):
sql = 'update gun_domains set status=1 where ip like "%' + data[
'ip'] + '%"'
print(sql)
DB.execute(sql)
print '[ + ] Insert Success: ' + str(result)
else:
logger.error('nmap result insert db error')
print '[ - ] Insert Failed: ' + str(result)
else:
logger.warning('nmap result insert data was existed')
print '[ ! ] Data Was Existed: ' + str(result)
def main():
try:
conf.start_time = time.time()
# First determine the version of python
if version_info < (3, 6):
raise PyVersionException
# Set up the path
set_paths(os.path.dirname(os.path.realpath(__file__)))
# output banner
print(banner())
# Parse command line parameters into cmdLineOptions
cmdLineOptions.update(cmdlineparse().__dict__)
# print(args)
# Load poc, target, concurrent number from parameters, etc.
loader()
# Survival host detection
alive_detect()
# open port scan
portscan()
# load pocs and targets --> tasks
load_poctasks()
# Use coroutines for concurrent scans
run()
logger.info(f"done with {time.time()-conf.start_time}s")
except PyVersionException as e:
logger.error("Please use python> = 3.6 version")
except TargetException1:
logger.error("Please use -u or -f to specify the target")
except TargetException2:
logger.error("No target survives, if you are currently alive, please use -Pn to skip survival")
except PocTaskException:
logger.error("Target has no open ports")