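def testBasicAuth(url, port):
    """Send an HTTP Basic Authentication request over plain TCP to ``url``:``port``.

    Prompts for a throw-away user name and password, encodes them as the
    ``user:password`` Basic credential and sends a bare ``GET /``. The socket
    is deliberately NOT wrapped in TLS: the point of the check is whether the
    server accepts credentials over unencrypted HTTP.

    Args:
        url:  host name or IP address to connect to.
        port: TCP port to connect to.

    Returns:
        The string produced by ``buildResponse``: the first 40 bytes of the
        server reply when the plaintext request was answered (reported as a
        failure, since credentials travelled in the clear), or an "OK" message
        stating the server is not speaking HTTP when the connection fails.
    """
    print(_('[+] Credenciais de Teste'))
    userName = raw_input(_("Usuario: "))
    psswrd = getpass.getpass()
    # RFC 7617: the Basic credential is base64("user:password"). The colon is
    # mandatory; without it the server cannot split user from password and the
    # test exercises nothing. The original omitted it.
    encodedData = base64.b64encode(str(userName) + ':' + str(psswrd))
    # The credential is echoed to the terminal (base64 is an encoding, not
    # encryption) - only ever use disposable test credentials here.
    print(_('Key gerada (base64): ') + encodedData + '\n')

    # HTTP/1.1 requires a Host header; many servers answer 400 without it.
    packet = ('GET / HTTP/1.1\r\n'
              'Host: ' + str(url) + '\r\n'
              'Authorization: Basic ' + encodedData + '\r\n'
              '\r\n')
    print(_('[+] Enviando Header'))
    print(packet)

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    try:
        sock.connect((url, port))
        # sendall() keeps writing until the whole request is out; send() may
        # return after a partial write.
        sock.sendall(packet)
        reply = sock.recv(1024)[:40]
    except socket.error:
        # Connection refused / timed out: nothing is listening for plain HTTP.
        return buildResponse(True, _('O servidor nao esta rodando em HTTP'), '\n')
    finally:
        # The original called close() after ``return`` and never reached it,
        # leaking the descriptor; finally runs on every path.
        sock.close()
    return buildResponse(False, '\n', _('Resposta: ') + reply)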
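def detectWAF(url, port, lang):
    """Infer a stateful packet filter in front of ``url``:``port`` with a TCP ACK scan.

    An unsolicited ACK is answered with RST by an unfiltered port, whereas a
    stateful filter either drops it (no reply) or answers with an ICMP type 3
    message with code 1, 2, 3, 9, 10 or 13. scapy's ``sr1`` needs raw sockets,
    so this must run as root / with CAP_NET_RAW.

    NOTE: this detects a network-level stateful firewall, not specifically a
    web application firewall - a WAF sitting behind an open, unfiltered port
    still yields RST here. The name is kept for existing callers; see
    ``detectWAF2`` for the application-layer probe.

    Args:
        url:  host name, IP address, or URL of the target.
        port: TCP port to probe.
        lang: unused; kept for interface compatibility.

    Returns:
        A response string built with ``buildResponse``. A reply that matches
        none of the three cases (other TCP flags, other ICMP types) is now
        reported explicitly instead of returning ``None``, which callers
        concatenate into a string.
    """
    import logging
    noWAF = _("\nWeb Application Firewall nao detectado")
    thereIsWAF = _("\nWeb Application Firewall detectado")
    inconclusive = _("\nResposta inesperada: nao foi possivel determinar")
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

    parsed = urlparse(url)
    if not parsed.netloc:
        # A bare host has no scheme, so urlparse files it under ``path``.
        parsed = urlparse('http://' + url)
    # ``hostname`` strips a ``:port`` suffix and userinfo; gethostbyname()
    # fails on "host:8080", which ``netloc`` would have handed it.
    dst_ip = socket.gethostbyname(parsed.hostname or parsed.netloc)

    ack_flag_scan_resp = sr1(IP(dst=dst_ip) / TCP(dport=port, flags="A"),
                             timeout=10, verbose=0)

    if ack_flag_scan_resp is None:
        # Silently dropped: the typical signature of a stateful filter.
        return _('Resposta: ') + "<No_Response_to_TCP_ACK>" + buildResponse(True, thereIsWAF, _('\n'))

    if ack_flag_scan_resp.haslayer(TCP):
        if ack_flag_scan_resp.getlayer(TCP).flags == 0x4:  # RST
            # Unfiltered port: the host answered the bogus ACK directly.
            return _('Resposta: ') + "<RST_flag_SET>" + buildResponse(False, _('\n'), noWAF)
    elif ack_flag_scan_resp.haslayer(ICMP):
        icmp = ack_flag_scan_resp.getlayer(ICMP)
        if int(icmp.type) == 3 and int(icmp.code) in (1, 2, 3, 9, 10, 13):
            return _('Resposta: ') + "<ICMP_type_3_TCP_Packet>" + buildResponse(True, thereIsWAF, _('\n'))

    # Anything else (e.g. a TCP reply with flags other than RST, or an ICMP
    # type/code outside the list) does not fit the scan's decision table.
    return _('Resposta: ') + "<Unexpected_Response>" + buildResponse(False, _('\n'), inconclusive)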
def protocolAnalysis(shouldNOTBeOffered, mustBeOffered, beingOffered):
    """Render a one-line verdict for a TLS protocol version.

    Args:
        shouldNOTBeOffered: the protocol is considered insecure and must be off.
        mustBeOffered: the protocol is recommended and should be on.
        beingOffered: whether the server actually offers the protocol.

    Returns:
        For an insecure or recommended protocol, the string produced by
        ``buildResponse`` (status text plus a NAO SEGURO / RECOMENDADO tag);
        for a neutral protocol, a plain "Oferecido" / "Nao oferecido" line
        tagged with "-".
    """
    if shouldNOTBeOffered:
        # Offering a forbidden protocol is the failure case.
        return buildResponse(not beingOffered,
                             "Nao oferecido\tNAO SEGURO",
                             "Oferecido\tNAO SEGURO")
    if mustBeOffered:
        # Missing a recommended protocol is the failure case.
        return buildResponse(beingOffered,
                             "Oferecido\tRECOMENDADO",
                             "Nao oferecido\tRECOMENDADO")
    # Neutral protocol: just report the observation.
    return "Oferecido\t-" if beingOffered else "Nao oferecido\t-"
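def testHttps(url, lang):
    """Check whether ``https://url`` answers with a 200 over a validated TLS connection.

    ``requests`` verifies the server certificate by default, so a TLS
    handshake failure (expired/self-signed/mismatched certificate) is
    reported through the ``SSLError`` branch. Note that a 200 here only shows
    HTTPS is served; it says nothing about HTTP->HTTPS redirects or HSTS.

    Args:
        url:  host name (without scheme) to test.
        lang: unused; kept for interface compatibility.

    Returns:
        A response string built with ``buildResponse``. A TLS error yields the
        bracketed OpenSSL reason (e.g. ``SSL: CERTIFICATE_VERIFY_FAILED``); any
        other transport error (refused, timeout, DNS) is reported the same way
        instead of propagating out of the check as before.
    """
    try:
        # A timeout keeps a black-holing host from hanging the whole scan.
        r = requests.get('https://' + url, timeout=10)
        # Compare the status code directly instead of the repr string
        # '<Response [200]>'.
        ok = (r.status_code == 200)
        return _('Resposta: ') + str(r) + buildResponse(ok, _('\nHttps OK'), _('\nHttps nao utilizado'))
    except requests.exceptions.SSLError as e:
        err = str(e)
        # Keep only the "[SSL: REASON]" token if the message carries one.
        if '[' in err:
            err = err.split("[", 1)[1].split("]", 1)[0]
        return _('Resposta: ') + err + buildResponse(False, '', _('\nHttps nao utilizado'))
    except requests.exceptions.RequestException as e:
        # Connection refused / timeout / DNS failure: no usable HTTPS endpoint.
        return _('Resposta: ') + str(e) + buildResponse(False, '', _('\nHttps nao utilizado'))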
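def compareMd5File(fileName, md5Value):
    """Compare the MD5 hex digest stored in ``fileName`` with ``md5Value``.

    The original referenced an undefined ``fileFound`` name (NameError on
    every successful read) and had an unreachable second ``return``; the
    comparison now uses the file's contents.

    Args:
        fileName: path of a text file whose contents are an MD5 hex digest.
        md5Value: the expected hex digest.

    Returns:
        A "file not found" message when the file cannot be read, otherwise the
        stored digest followed by the ``buildResponse`` verdict (" Valido " on
        a match, " nao confere" otherwise).

    NOTE: MD5 is not collision resistant. A match protects against accidental
    corruption only, not against an attacker who can craft the file; treat
    this as a sanity check, not as an authenticity guarantee.
    """
    try:
        with open(fileName, 'r') as fp:
            md5Check = fp.read()
    except IOError:
        return _('Arquivo nao encontrado!')
    # Hex digests are case-insensitive and the file almost always ends in a
    # newline, so normalise both sides before comparing.
    matches = md5Check.strip().lower() == str(md5Value).strip().lower()
    return _('Arquivo encontrado!\n MD5: {}').format(md5Check) + buildResponse(
        matches, _(' Valido '), _(' nao confere\n'))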
def getLoginPages(url, lang):
    """Report which well-known login URLs exist on ``url``.

    Delegates the probing to ``getLoginPage`` and formats its result.

    Args:
        url:  target host.
        lang: forwarded to ``getLoginPage``.

    Returns:
        A ``(response, pageList)`` tuple: the formatted response string and
        the list of login paths ``getLoginPage`` found (empty when none).
    """
    # getLoginPage returns a dict with keys 'msg', 'pageFound' and 'pageList'.
    found = getLoginPage(url, lang)
    header = _('Resposta: ') + found['msg'] + buildResponse(
        found['pageFound'] == 0,
        _('\nPaginas de Login OK'),
        _('\n[+] Paginas de Login contem url comum:'))
    # One "[|]" bullet per discovered path, appended after the verdict.
    listing = ''.join('\n[|]\t' + page for page in found['pageList'])
    return (header + listing, found['pageList'])
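def testClickJack(url, lang):
    """Check whether ``http://url`` sends a clickjacking-resistant X-Frame-Options header.

    Args:
        url:  host name (without scheme) to test.
        lang: unused; kept for interface compatibility.

    Returns:
        A response string built with ``buildResponse``: OK when the header is
        present with value DENY or SAMEORIGIN, otherwise "nao configurada".

    Caveats:
      * RFC 7034 header values are case-insensitive, so ``deny`` and
        ``sameorigin`` are accepted (the original only matched upper case).
      * A site that relies solely on CSP ``frame-ancestors`` (which supersedes
        X-Frame-Options) is reported as unconfigured by this check.
      * The probe is made over plain HTTP; the HTTPS response may differ.
    """
    # A timeout keeps an unresponsive host from hanging the scan.
    r = requests.get('http://' + url, timeout=10)
    # requests' headers container is case-insensitive on the key.
    header = r.headers.get('X-Frame-Options')
    if header is None:
        validation = False
    else:
        # ALLOW-FROM is obsolete and unsupported by modern browsers, so only
        # the two values that still provide protection count as configured.
        validation = header.strip().upper() in ('DENY', 'SAMEORIGIN')
    return _('Resposta: ') + str(r) + buildResponse(
        validation, _('\nX-Frame-Options OK'), _('\nX-Frame-Options nao configurada'))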
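def verifyOpenTestPorts(lang, url, openPorts):
    """Flag open ports that are not in the ``COMMON_PORTS`` allow-list.

    The original stored only the last uncommon port (``testPortList = port``)
    and then iterated over it, and would raise TypeError when ports are ints;
    all uncommon ports are now collected and rendered with ``str``.

    Args:
        lang:      unused; kept for interface compatibility.
        url:       unused; kept for interface compatibility.
        openPorts: iterable of ports found open. Entries must have the same
                   type (int or str) as the members of ``COMMON_PORTS`` for the
                   membership test to be meaningful - TODO confirm with callers.

    Returns:
        A ``buildResponse`` string: OK when every open port is common,
        otherwise a failure listing the uncommon ("test") ports.
    """
    testPortList = [port for port in openPorts if port not in COMMON_PORTS]
    if not testPortList:
        return buildResponse(True, 'Nao ha portas de teste abertas', _('\n'))
    msg = _('Portas de teste abertas: ') + ', '.join(str(port) for port in testPortList)
    return buildResponse(False, _('\n'), msg)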
def testPFS(host, port, protocol):
    """Report which forward-secrecy cipher suites ``host``:``port`` accepts.

    Every cipher name in the module-level ``pfsCipherList`` is tried through
    ``testPFSCipher``; the ones the server negotiates are listed.

    Args:
        host:     target host.
        port:     target TLS port.
        protocol: unused; kept for interface compatibility.

    Returns:
        A ``buildResponse`` string: the accepted ciphers, comma separated,
        when at least one PFS suite was negotiated; otherwise a "not
        detected" message.
    """
    accepted = [cipher for cipher in pfsCipherList.keys()
                if testPFSCipher(host, port, cipher)]
    return buildResponse(bool(accepted),
                         _('PFS habilitado com as cifras: ') + ', '.join(accepted),
                         _('PFS nao detectado com as cifras testadas'))
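def _promptChoice(prompt, allowed):
    """Prompt until the user types one of the integers in ``allowed``; return it.

    Non-numeric input is re-prompted instead of raising ValueError.
    """
    while True:
        answer = raw_input(prompt).strip()
        if answer.isdigit() and int(answer) in allowed:
            return int(answer)


def testXSS(url, lang):
    """Interactively test paths on ``url`` for reflected XSS with the ``xss`` helper.

    The paths come either from manual input or from a recursive crawl of the
    site. This is an *active* test: payloads are sent to the live target, so
    run it only against systems you are authorised to test.

    Fixes over the original: the menu answers are validated (a non-numeric
    reply used to raise ValueError), and the "add more paths?" loop now works
    - ``raw_input`` returned the string '1', which never equalled the int 1,
    so only a single manual path could ever be entered.

    Args:
        url:  host name (without scheme) to test.
        lang: unused; kept for interface compatibility.

    Returns:
        A response string: the verdict built with ``buildResponse`` followed
        by one "[|]" bullet per vulnerable path.
    """
    crawler = Crawler(CrawlerCache('crawler.db'))
    root_re = re.compile('^/$').match

    paths = ["/"]
    usedStrings = []
    pageList = []
    msg = ["Website is not XSS vulnerable", "XSS Vulnerability Found with: "]
    msgIndex = 0

    selection = _promptChoice(
        _('Escolha um metodo: \n1 - Inserir os caminhos manualmente\n2 - Buscar os caminhos recursivamente (pode demorar)\n'),
        (1, 2))
    if selection == 2:
        # Crawl results are de-duplicated against the root path.
        paths = set(paths + crawler.crawl('http://' + url, no_cache=root_re))
    while selection == 1:
        path = raw_input(_('Insira um caminho iniciando por /: '))
        if path not in paths:
            paths.append(path)
        selection = _promptChoice(_('Deseja inserir mais caminhos? \n1 - Sim\n2 - Nao\n'), (1, 2))

    for path in paths:
        print(_('Testando ') + bcolors.UNDERLINE + path + bcolors.ENDC)
        # xss() returns (vulnerable, payload_that_triggered).
        testAt = xss('http://' + str(url) + path)
        if testAt[0]:
            msgIndex = 1
            pageList.append(path)
            if testAt[1] not in usedStrings:
                msg[1] += testAt[1]
                usedStrings.append(testAt[1])

    response = _('Resposta: ') + msg[msgIndex] + buildResponse(
        msgIndex == 0, _('\nTratamento de XSS OK'), _('\n[+] Paginas vulneraveis XSS:'))
    response += ''.join('\n[|]\t' + page for page in pageList)
    return response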
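def binExtract(fileName):
    """Parse a firmware image with ``uefi_firmware.AutoParser`` and report its type.

    Args:
        fileName: path of the firmware image.

    Returns:
        "Resultado: <type>" followed by the ``buildResponse`` verdict: the
        parser's info dump when a known container type was identified, or a
        "not identified" message otherwise.

    Changes over the original: the file is opened in binary mode (firmware is
    not text; 'r' would mangle it on Windows), and the ``buildResponse`` flag
    now follows the file-wide convention of True meaning success - the text
    shown for each case is unchanged.
    """
    with open(fileName, 'rb') as inFile:
        file_content = inFile.read()

    parser = uefi_firmware.AutoParser(file_content)
    firmwareData = parser.parse()
    firmwareType = parser.type()
    # Guard against parse() returning nothing even when a type was guessed.
    identified = firmwareType != 'unknown' and firmwareData is not None

    if identified:
        # NOTE(review): showinfo() may print to stdout and return None rather
        # than a string - the ``or ''`` keeps the concatenation below from
        # failing in that case; confirm against the uefi_firmware version used.
        firmwareContent = firmwareData.showinfo() or ''
    else:
        firmwareContent = ''

    return _('Resultado: ') + firmwareType + '\n' + buildResponse(
        identified,
        _('Sistema de arquivo identificado:\n') + firmwareContent,
        _('Sistema de arquivos nao identificado'))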
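def _findWAFSignature(sourceCode):
    """Return the WAF description for a block page, or ``None`` when nothing matches.

    Product-specific markers are checked first, then generic words; the first
    hit wins, matching the order of the original if/elif chain.
    """
    signatures = (
        ('WebKnight', _('Firewall: WebKnight')),
        ('Mod_Security', _('Firewall: Mod Security')),
        ('dotDefender', _('Firewall: Dot Defender')),
    )
    for marker, description in signatures:
        if sourceCode.find(marker) >= 0:
            return description
    for marker in ('firewall', 'Firewall', 'WAF'):
        if sourceCode.find(marker) >= 0:
            return _('Firewall is present')
    return None


def detectWAF2(url, lang):
    """Look for a web application firewall by submitting an XSS payload through each form.

    Every text control of every form on ``http://url`` is filled with a
    script payload and submitted; the response body is then searched for
    known block-page markers (WebKnight, ModSecurity, dotDefender) and generic
    "firewall"/"WAF" words. This is an active test against the live target.

    The original had a duplicated (unreachable) ModSecurity branch and an
    unused ``controlT`` variable; the signature matching now lives in
    ``_findWAFSignature``. Matching is substring-based and a page that merely
    mentions "firewall" in its text is reported as protected, so treat a hit
    as a hint, not proof.

    NOTE(review): after ``submit()`` the browser has navigated away, so the
    next control of the same form hits the already-submitted page (the
    resulting TypeError is swallowed below). Effectively only the first text
    control per form carries the payload - confirm with mechanize before
    relying on per-field coverage.

    Args:
        url:  host name (without scheme) to test.
        lang: unused; kept for interface compatibility.

    Returns:
        A "WAF detected" response naming the product when a marker is found,
        otherwise a "Firewall nao detectado" response.
    """
    noWAF = "No WAF detected"
    thereIsWAF = "WAF detected"
    crossSiteScriptingPayLoad = "<svg><script>alert`1`<p>"

    browser = mechanize.Browser()
    browser.set_handle_robots(False)
    browser.addheaders = [('User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1')]
    browser.open("http://" + url)

    currentForm = 0
    for form in browser.forms():
        browser.select_form(nr=currentForm)
        textControls = getTextControls(str(browser.form))
        if len(textControls) == 0:
            # Pause so the operator sees that this form had nothing to inject.
            raw_input(_('Nao ha inputs para teste de Firewall\n'))
        for controlName in textControls:
            try:
                # Raises for read-only or missing controls.
                browser.form[controlName] = crossSiteScriptingPayLoad
                try:
                    browser.submit()
                except (mechanize.HTTPError, urllib2.HTTPError):
                    # A 403/406 from a WAF still carries the block page we
                    # want to inspect, so fall through to read the body.
                    pass
            except (mechanize._form.AmbiguityError, TypeError, ValueError):
                pass
            sourceCode = browser.response().read()
            description = _findWAFSignature(sourceCode)
            if description is not None:
                return _('Resposta: ') + thereIsWAF + buildResponse(True, description, _(''))
        currentForm += 1

    return _('Resposta: ') + noWAF + buildResponse(False, _('\n'), _('\nFirewall nao detectado'))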
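def testFuzz(lang, url, openPorts, secondsOfTest=7):
    """Fuzz each open port with an operator-supplied command via ``sendFuzz``.

    This is a destructive-capable test: a service that stops responding is
    counted as compromised. Only run it against systems you are authorised
    to disrupt.

    Args:
        lang:          unused; kept for interface compatibility.
        url:           target host.
        openPorts:     iterable of ports to fuzz; the operator is prompted for
                       the command to send on each one.
        secondsOfTest: duration of each fuzzing run in seconds (was a
                       hard-coded 7; the default keeps existing callers intact).

    Returns:
        A ``buildResponse`` string: OK when every port kept answering,
        otherwise a warning that one of them stopped responding.
    """
    crashFlag = False
    for port in openPorts:
        commonCommand = raw_input(
            _('\n[+] Porta {}:\n[|] Insira o comando a ser testado: ').format(port))
        # NOTE(review): the "rn" terminator is passed verbatim from the
        # original; it looks like a mangled "\r\n" - confirm against sendFuzz.
        tempFlag = sendFuzz(url, port, commonCommand, "rn", secondsOfTest)
        # Keep fuzzing the remaining ports even after one has failed.
        crashFlag = (crashFlag or tempFlag)
    return buildResponse(not crashFlag,
                         _('\nNenhum servico comprometido'),
                         _('\nUma das portas nao respondeu aos requests'))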
if response.status_code == 200: # Read the source code and get each field name to try an attack on it params = getParams(response.content) print _('Testando '+ bcolors.UNDERLINE + urlTest + bcolors.ENDC + ' - Campos: ' + ' '.join(str(p) for p in params) ) # Test a SQL Injection on each of the fields in the page source for param in params: # Try to access the url modifying the fields sent try: if (sqli(url,urlTest,param,"1\' or \'1\' = \'1") | sqli(url,urlTest,param,'1\" or \"1\" = \"1')): msgIndex = 1 pageList.append(urlTest) except urllib2.HTTPError, e: # Access forbidden continue response.close() response = _('Resposta: ') + msg[msgIndex] + buildResponse(msgIndex==0, _('\nTratamento de SQL Injection OK - Verificar arquivo de saida'),_('\n[+] Paginas vulneraveis a SQL Injection:')) for page in pageList: response += '\n[|]\t' + bcolors.UNDERLINE + page + bcolors.ENDC pass return response ''' Test the XSS attack on the website ''' def testXSS(url,lang): crawler = Crawler(CrawlerCache('crawler.db')) root_re = re.compile('^/$').match # Important declarations paths = ["/"] usedStrings = []