├── LICENSE ├── README.md ├── flumberbuckets ├── README.md ├── big.txt ├── flumberbuckets.py ├── medium.txt └── resolvers.txt └── portboozle ├── README.md └── portboozle.py /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 fellchase 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # flumberboozle 2 | Suite of programs meant to aid in bug hunting and security assessments 3 | 4 | ## Why this weird name? 5 | Just because I heard it first [here](https://youtu.be/lIFE7h3m40U?t=661) so I thought this meaningless word would be fitting name of a repository I don't know what I'm going to do with. 6 | 7 | ## Contents 8 | This repository contains scripts that I wrote or modified other pre-existing scripts, which are useful in Bug Bounty Hunting and Security Assessments of websites. 9 | 10 | ### Flumberbuckets 11 | Flumberbuckets is a multi-threaded tool to automate S3 bucket hunting. I actually got my first bounty through this script so decided develop it further and to further open source it, essentially flumberbuckets takes in a word as argument creates huge list of possible bucket names then finds the buckets that exist & performs tests that you want on those buckets. It provides a good visual overview of buckets that were found and what misconfiguration they have. 12 | 13 | ### Portboozle 14 | Portboozle is a script I wrote as a substitute for masscan as it wasn't working as intended on my machine it wasn't showing the ports that were open on the targets I was scanning while, nmap was showing it properly. I tried to change the config of masscan but it still showed unreliable results, so I decied to write my own script to fix my problems. I know this script is no match for masscan's speed but it's okay for me as it at least shows all ports that were open. If you're facing the same problem with masscan then you could be missing on some open ports try running masscan & nmap on `scanme.nmap.org` and compare the results. 15 | 16 | ## Support the Project 17 | ### Share your story with me! ☺ 18 | If you earned a bounty through use of this script do share the story with me I will be happy to hear that my script was of use to you. You can contact me over twitter @fellchase 19 | 20 | ### Wanna support monetarily 💰? 21 | If you want to thank me monetarily or want to donate to this project you can do so on [paypal.me/fellchase](https://paypal.me/fellchase) I'll be happy to hear your bug bounty story if you got any bounty with this script. -------------------------------------------------------------------------------- /flumberbuckets/README.md: -------------------------------------------------------------------------------- 1 | # flumberbuckets 2 | ![flumberbuckets](https://user-images.githubusercontent.com/11918572/70925058-9bb4a080-2050-11ea-915d-532d2e09505b.jpg) 3 | 4 | Flumberbuckets is a part of suite of scripts that I'll be open-sourcing on GitHub in flumberboozle repository, scripts in this repository are supposed to aid bug hunters in hunting, automating workflows, etc. 5 | 6 | ## What is flumberbuckets? 7 | Flumberbuckets is is yet another S3 bucket enumeration tool which you can choose to use while hunting on bug bounty programs or during security assessment. I designed this tool to serve my purposes and now I am open-sourcing it, there are several different tools that exist for people with different tastes. The aim of this tools was to present S3 bucket enumeration results in better format which is visually more appealing than scrolling through output of a bash script that just runs aws s3 ls in a loop. 8 | 9 | ## How does it work? 10 | Flumberbuckets is a really simple script which combines the best of existing S3 bucket enumeration tools to make S3 bucket enumeration simpler and faster. It achieves this by using DNS resolution for sorting out non existent buckets and runs 10 tests on each bucket, several buckets are checked simultaneously to save time. 11 | 12 | ## But why? 13 | - I actually got my first bounty by finding misconfigured S3 bucket so I decided to write a tool for doing it on larger scale, this script is outcome of that effort. 14 | - Tools I used previously weren't so good at presenting results of enumeration visually, it was a pain to scroll through output of those 15 | - Tools I used previously had smaller word-lists and checked for less functions, I suspect that I missed a few easy bounties because of that. 16 | - Tools I used previously were painfully slow they were bash scripts, they weren't multi-threaded they would sort out nonexistent buckets with HTTP requests, flumberbuckets was an attempt to fix all the problems I encountered while using other scripts. 17 | 18 | ## Is it really worth switching? 19 | 20 | ![Flumberbuckets in action](https://user-images.githubusercontent.com/11918572/70925128-bbe45f80-2050-11ea-99aa-ba85fac325b6.gif) 21 | 22 | You may want to switch over for any of the following reasons 23 | - Faster sorting out nonexistent buckets with DNS(massdns) resolution rather than HTTP 24 | - Multi-threaded enumeration of existent buckets to find misconfiguration 25 | - Cleaner visual output, you can select if you want to just see vulnerable buckets or see all the buckets that exist even though they are not vulnerable. You can save output with -o & --no-colour option 26 | - Several vulnerability tests available like LIST, ACL , POLICY , CORS , REPLICATION , WEBSITE , LOCATION , LOGGING , UPLOAD , DELETE. 27 | - You can decide what tests you want to run on a buckets run all if you want or run only a few if you're in hurry 28 | - I also included DELETE test It's the most overlooked by S3 bucket enumeration tools 29 | - Much more functionality and options compared to other tools 30 | - Enumerating a list of custom buckets, single bucket, enumerating all buckets with a keyword in their name 31 | - Option to accept list of FQDNs or domains for enumeration like assets.example.com can be found by sublister and then you can make a list of subdomains you found and feed it into flumberbuckets, It maybe that company is using S3 bucket with the same name as domain name so it'll check if the bucket "assets.example.com" is vulnerable or not 32 | - Just try it, 200 lines of code delivers a lot of functionality here 33 | 34 | 35 | Note: The performance of flumberbuckets is subject to your connection bandwidth speed and hardware 36 | 37 | ## Installation & Usage 38 | Refer article published on my blog for installation, dependencies and usage 39 | [Releasing Flumberbuckets: S3 Bucket Enumeration Tool for Bug Hunters](https://fellchase.blogspot.com/2019/12/releasing-flumberbuckets-s3-bucket-enumeration-tool.html) 40 | 41 | ## Credits 42 | Flumberbuckets is inspired from following scripts, it combines all the good things in the following tools. 43 | - mass3 44 | - s3enum 45 | - S3Scanner 46 | 47 | ## Support the Project 48 | ### Share your story with me! ☺ 49 | If you earned a bounty through use of this script do share the story with me I will be happy to hear that my script was of use to you. You can contact me over twitter @fellchase 50 | 51 | ### Wanna support monetarily 💰? 52 | If you want to thank me monetarily or want to donate to this project you can do so on [paypal.me/fellchase](https://paypal.me/fellchase) I'll be happy to hear your bug bounty story if you got any bounty with this script. 53 | -------------------------------------------------------------------------------- /flumberbuckets/flumberbuckets.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import threading, argparse, subprocess, botocore.session, os, sys 4 | from queue import Queue 5 | 6 | parser = argparse.ArgumentParser('./flumberbuckets.py [options] -i [bucket]') 7 | group = parser.add_mutually_exclusive_group(required=True) 8 | group.add_argument('-w', '--wordlist', dest='wordlist', help='location of wordlist from which permutations of keyword will be generated') 9 | group.add_argument("-s", "--single", dest="single", help="check a single bucket only", action='store_const', const=True, default=False) 10 | 11 | parser.add_argument('-i', '--input', dest='input', help='specify keyword or bucket name, supply - as argument to take input from stdin') 12 | parser.add_argument('-t', '--threads', dest='threads', help='specify number of threads to be used for enumeration of existent buckets default is 150', default=150) 13 | parser.add_argument('-o', '--output', dest='output', help='location to save output', default='') 14 | parser.add_argument('-d', '--fqdn', dest='domainlist', help='specify list of FQDNs to search for buckets having same name as FQDN', default='') 15 | try: 16 | par_mdns_path = os.environ['mdns_path'] 17 | except: 18 | par_mdns_path = 'massdns/bin/massdns' 19 | parser.add_argument('-m', dest='mdns_path', help='specify path to massdns binary', default=par_mdns_path) 20 | parser.add_argument('--resolve', dest='resolver_path', help='specify path to resolvers file', default='resolvers.txt') 21 | parser.add_argument('-n', dest='no_banner', help='do not print banner', action='store_const', const=True, default=False) 22 | parser.add_argument('--no-colour', dest='no_colour', help='output is colourless', action='store_const', const=True, default=False) 23 | parser.add_argument('-p', "--print-everything", dest='print_everything', help='print bucket information even if it is not vulnerable', action='store_const', const=True, default=False) 24 | 25 | # Testing relevant arguments 26 | parser.add_argument("-u", "--upload", dest="upload", help="perform file upload test. default=False", action='store_const', const=True, default=False) 27 | parser.add_argument("-r", "--remove", dest="remove", help="remove file from bucket after uploading it. default=False", action='store_const', const=True, default=False) 28 | 29 | parser.add_argument("--acl", dest="acl", help="perform ACL test", action='store_const', const=True, default=False) 30 | parser.add_argument("--policy", dest="policy", help="perform policy test", action='store_const', const=True, default=False) 31 | parser.add_argument("--cors", dest="cors", help="perform CORS configuration test", action='store_const', const=True, default=False) 32 | parser.add_argument("--replication", dest="replication", help="perform replication configuration test", action='store_const', const=True, default=False) 33 | parser.add_argument("--website", dest="website", help="perform website configuration test", action='store_const', const=True, default=False) 34 | parser.add_argument("--location", dest="location", help="perform location test", action='store_const', const=True, default=False) 35 | parser.add_argument("--logging", dest="logging", help="perform logging test", action='store_const', const=True, default=False) 36 | parser.add_argument("-e", "--everything", dest="everything", help="view all bucket configuration. default=True", action='store_const', const=True, default=True) 37 | args = parser.parse_args() 38 | 39 | if args.acl or args.policy or args.cors or args.replication or args.website or args.location or args.logging or args.upload or args.remove: 40 | args.everything = False 41 | 42 | if not args.no_banner: 43 | print(" __ _ _ _ _ _ ".center(117)) 44 | print(" / _| |_ _ _ __ ___ | |__ ___ _ __| |__ _ _ ___| | _____| |_ ___ ".center(117)) 45 | print("| |_| | | | | '_ ` _ \| '_ \ / _ \ '__| '_ \| | | |/ __| |/ / _ \ __/ __| ".center(117)) 46 | print("| _| | |_| | | | | | | |_) | __/ | | |_) | |_| | (__| < __/ |_\__ \ ".center(117)) 47 | print("|_| |_|\__,_|_| |_| |_|_.__/ \___|_| |_.__/ \__,_|\___|_|\_\___|\__|___/ ".center(117)) 48 | print(" ".center(117)) 49 | print("S3 Bucket Enumeration @fellchase ".center(117)) 50 | print(" ".center(117)) 51 | 52 | session = botocore.session.get_session() 53 | c = session.create_client('s3') 54 | thread_lock = threading.Lock() 55 | global_bucket_counter = 0 56 | cols = os.get_terminal_size()[0] 57 | 58 | 59 | green = "\033[1;32m"; yellow = "\033[1;33m"; red = "\033[1;31m"; gray = "\033[1;30m";X = "\033[0m" 60 | if args.no_colour: 61 | green = ""; yellow = ""; red = ""; gray = "";X = "" 62 | 63 | 64 | 65 | def enum_bucket(bucket): 66 | global global_bucket_counter 67 | def run_func(func, msg, flag, arg): 68 | if args.everything or flag: 69 | try: 70 | response = func(**arg) 71 | return True, green + '[' + msg + ']' + X 72 | except: 73 | return False, gray + ' ' + msg + ' ' + X 74 | return False, red + ' ' + msg + ' ' + X 75 | 76 | o_list_objects_v2 = run_func(c.list_objects_v2, 'LIST', True, {"Bucket": bucket}) 77 | o_get_bucket_acl = run_func(c.get_bucket_acl, 'ACL', args.acl, {"Bucket": bucket}) 78 | o_get_bucket_policy = run_func(c.get_bucket_policy, 'POLICY', args.policy, {"Bucket": bucket}) 79 | o_get_bucket_cors = run_func(c.get_bucket_cors, 'CORS', args.cors, {"Bucket": bucket}) 80 | o_get_bucket_replication = run_func(c.get_bucket_replication, 'REPLICATION', args.replication, {"Bucket": bucket}) 81 | o_get_bucket_website = run_func(c.get_bucket_website, 'WEBSITE', args.website, {"Bucket": bucket}) 82 | o_get_bucket_location = run_func(c.get_bucket_location, 'LOCATION', args.location, {"Bucket": bucket}) 83 | o_get_bucket_logging = run_func(c.get_bucket_logging, 'LOGGING', args.logging, {"Bucket": bucket}) 84 | o_put_object = run_func(c.put_object, 'UPLOAD', args.upload, {"Bucket": bucket, "Key": 'BugBounty-flumber.txt', "Body": b"This file is created for assessing the security of your S3 Buckets as part of your VRP and not for any malicous purposes so check for a new report submitted if it's not there, it'll be filed soon :) Thanks"}) 85 | o_delete_object = run_func(c.delete_object, 'DELETE', args.remove, {"Bucket": bucket, "Key": 'BugBounty-flumber.txt'}) 86 | 87 | with thread_lock: 88 | if args.print_everything or o_list_objects_v2[0] or o_get_bucket_acl[0] or o_get_bucket_policy[0] or o_get_bucket_cors[0] or o_get_bucket_replication[0] or o_get_bucket_website[0] or o_get_bucket_location[0] or o_get_bucket_logging[0] or o_put_object[0] or o_delete_object[0]: 89 | global_bucket_counter += 1 90 | print( 91 | (str(global_bucket_counter) + '.').center(4,' '), 92 | o_list_objects_v2[1], '|', 93 | o_get_bucket_acl[1], '|', 94 | o_get_bucket_policy[1], '|', 95 | o_get_bucket_cors[1], '|', 96 | o_get_bucket_replication[1], '|', 97 | o_get_bucket_website[1], '|', 98 | o_get_bucket_location[1], '|', 99 | o_get_bucket_logging[1], '|', 100 | o_put_object[1], '|', 101 | o_delete_object[1], ' > ', 102 | yellow + bucket + X, file=sys.stdout if args.output == '' else open(args.output,'a')) 103 | 104 | 105 | def threader(): 106 | while True: 107 | task = q.get() 108 | enum_bucket(task) 109 | q.task_done() 110 | 111 | 112 | def create_potential_bucket_list(location_of_potential_bucket_file, wordlist): 113 | # Bucket names can contain letters, numbers, periods, and hyphens 114 | # "abcdefghijklmnopqrstuvwxyz0123456789.-" 115 | print(' '*cols,end='\r') # Cleaning up the terminal line 116 | print(green + '[+]' + X, "Generating wordlist", end='\r') 117 | abshere = os.path.join(os.getcwd(), __file__) 118 | generated_list = [args.input + '.s3.amazonaws.com'] 119 | 120 | for word in open(os.path.join(os.path.dirname(abshere), wordlist)): 121 | word = word.strip('\n') 122 | generated_list.append("{0}{1}.s3.amazonaws.com".format(args.input, word)) 123 | generated_list.append("{1}{0}.s3.amazonaws.com".format(args.input, word)) 124 | generated_list.append("{0}.{1}.s3.amazonaws.com".format(args.input, word)) 125 | generated_list.append("{1}.{0}.s3.amazonaws.com".format(args.input, word)) 126 | generated_list.append("{0}-{1}.s3.amazonaws.com".format(args.input, word)) 127 | generated_list.append("{1}-{0}.s3.amazonaws.com".format(args.input, word)) 128 | if args.domainlist: 129 | [generated_list.append(fqdn.strip('\n') + '.s3.amazonaws.com') for fqdn in open(args.domainlist)] 130 | # Add OSINT on Google and github 131 | # Printing generated_list to a file 132 | with open(location_of_potential_bucket_file,'w') as fp: 133 | [print(item, file=fp) for item in generated_list] 134 | return location_of_potential_bucket_file 135 | 136 | 137 | def find_live_buckets(): 138 | if os.path.isfile(args.mdns_path) == False: 139 | quit("massdns binary does not exist") 140 | elif os.path.isfile(args.resolver_path) == False: 141 | quit("resolvers.txt does not exist") 142 | elif os.path.isfile(args.wordlist) == False: 143 | quit("wordlist does not exist") 144 | 145 | potential_buckets_file = create_potential_bucket_list('/tmp/flumberbuckets_massdns.txt', args.wordlist) 146 | mdns_resolve = "{} -r {} --error-log /dev/stderr -q -o S - | tr '[:upper:]' '[:lower:]' | sort -u".format(args.mdns_path, args.resolver_path) 147 | print(' '*cols,end='\r') # Cleaning up the terminal line 148 | print(green + '[+]' + X, "Sorting buckets", end='\r') 149 | output = subprocess.run("< {} {} | grep -v 's3-1-w.amazonaws.com' | grep -v directional | cut -d ' ' -f1 | sed 's/.s3.amazonaws.com.//'".format(potential_buckets_file, mdns_resolve), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) 150 | os.remove(potential_buckets_file) 151 | if len(output.stdout.decode().strip('\n')) == 0: 152 | print(red + '[-]' + X, "No bucket was found") 153 | quit() 154 | return output.stdout.decode().strip('\n').split('\n') 155 | 156 | 157 | try: 158 | q = Queue() 159 | 160 | if args.single and args.input == '-': 161 | [q.put(item.strip('\n')) for item in open('/dev/stdin') if item] 162 | elif args.single: 163 | with open('/dev/stderr', 'w') as fp: 164 | print(green + '[+]' + X, "Testing", args.input, "bucket, meanwhile you do Google & GitHub dorking for buckets", file=fp) 165 | enum_bucket(args.input) 166 | quit() 167 | elif args.wordlist: 168 | [q.put(x) for x in find_live_buckets()] 169 | 170 | with open('/dev/stderr', 'w') as fp: 171 | print(green + '[+]' + X, "Testing", len(q.queue), "buckets, meanwhile you do Google & GitHub dorking for buckets", file=fp) 172 | 173 | 174 | for x in range(int(args.threads)): 175 | t = threading.Thread(target=threader) 176 | t.daemon = True 177 | t.start() 178 | 179 | q.join() 180 | except KeyboardInterrupt: 181 | print(' '*cols,end='\r') # Cleaning up the terminal line 182 | print(yellow + '[!]' + X, "Terminating") 183 | -------------------------------------------------------------------------------- /flumberbuckets/medium.txt: -------------------------------------------------------------------------------- 1 | ab 2 | ad 3 | admin 4 | administration 5 | administrator 6 | ads 7 | alpha 8 | android 9 | angular 10 | ansible 11 | any 12 | api 13 | api-config 14 | api-configs 15 | apollo 16 | app 17 | app-img 18 | apps 19 | apt 20 | asset 21 | assetmanager 22 | assets 23 | attach 24 | attachment 25 | attachments 26 | avatar 27 | avatars 28 | aws 29 | awscloudtrail 30 | awsfiles 31 | awsiam 32 | awslogs 33 | aws-logs 34 | awsmedia 35 | awsprivate 36 | awsroot 37 | awss3 38 | backgrounds 39 | backup 40 | backups 41 | banner 42 | banners 43 | beta 44 | betas 45 | billing 46 | binaries 47 | blog 48 | blog-assets 49 | blogs 50 | bucket 51 | bugbounty 52 | bugs 53 | bugzilla 54 | build 55 | builds 56 | bulletins 57 | cache 58 | caches 59 | catalogue 60 | cc 61 | cdn 62 | cloud 63 | cloudfront 64 | cloudtrail 65 | cloudtraillog 66 | cloudtraillogs 67 | cloudtrail-logs 68 | cloudtrails 69 | club 70 | clubs 71 | cluster 72 | clusters 73 | code-repo 74 | com 75 | company 76 | conference 77 | conferencing 78 | confidential 79 | config 80 | configs 81 | consultant 82 | consultants 83 | consulting 84 | consumer 85 | contact 86 | content 87 | contents 88 | contracts 89 | corporate 90 | couk 91 | customers 92 | data 93 | data_dump 94 | data_dumps 95 | data-export 96 | data-exports 97 | dataset 98 | datasets 99 | datawarehouse 100 | data-warehouse 101 | db 102 | de 103 | deliveryappstorage 104 | delivery-app-storage 105 | design 106 | desk 107 | dev 108 | devcenter 109 | devel 110 | developer 111 | developers 112 | development 113 | deveopers 114 | dev-files 115 | devops 116 | dist 117 | distribution 118 | distributions 119 | distro 120 | dl 121 | doc 122 | docker 123 | docker-registry 124 | docs 125 | documentation 126 | documents 127 | download 128 | downloads 129 | driver 130 | drivers 131 | dump 132 | editions 133 | elasticache 134 | elasticbeanstalk 135 | elasticsearch 136 | email 137 | emails 138 | engineer 139 | engineering 140 | es 141 | event 142 | events 143 | export 144 | exports 145 | file 146 | files 147 | files-attachments 148 | fileserv 149 | fileserver 150 | filestore 151 | finance 152 | forum 153 | forums 154 | fr 155 | frontend 156 | galleries 157 | gallery 158 | gemini 159 | general 160 | git 161 | github 162 | graphite 163 | graphql 164 | ha 165 | help 166 | helpcenter 167 | helpcentre 168 | helpmedia 169 | html 170 | hub 171 | images 172 | img 173 | imgs 174 | infra 175 | internal 176 | intranet 177 | invalid 178 | investor 179 | investors 180 | invoice 181 | invoices 182 | io 183 | ios 184 | iterable 185 | kafka 186 | kbfiles 187 | kerberos 188 | keynote 189 | kibana 190 | knowledgebase 191 | lab 192 | labs 193 | landing 194 | linux 195 | loadbalancer 196 | local 197 | localhost 198 | log 199 | logexport 200 | logos 201 | logs 202 | logstash 203 | mac 204 | mail 205 | mails 206 | main 207 | main-storage 208 | map 209 | maps 210 | marketing 211 | marketing_assets 212 | matrix 213 | maven 214 | media 215 | mediadownloads 216 | media-downloads 217 | mediauploads 218 | media-uploads 219 | member 220 | members 221 | mercurial 222 | misc 223 | mobile 224 | mobile-staging 225 | net 226 | newsletter 227 | onboarding 228 | opensource 229 | operations 230 | opinion 231 | ops 232 | package 233 | packages 234 | page 235 | pages 236 | partner 237 | partners 238 | pdf 239 | pdfs 240 | photo 241 | photos 242 | pics 243 | picture 244 | pictures 245 | prerelease 246 | prereleases 247 | presentations 248 | private 249 | prod 250 | production 251 | production3 252 | products 253 | profile-photo 254 | profile-photos 255 | profiles 256 | project 257 | projects 258 | ps 259 | public 260 | qa 261 | rates 262 | react 263 | registry 264 | releases 265 | repo 266 | reports 267 | repositories 268 | repository 269 | research 270 | reseller 271 | reserved 272 | resource 273 | resources 274 | rest 275 | retail 276 | retailer 277 | retailers 278 | s3 279 | s3-attachemnts 280 | s3connectortest 281 | s3log 282 | s3-log 283 | s3logs 284 | s3-logs 285 | sales-app 286 | sandbox 287 | scdn 288 | search 289 | share 290 | shared 291 | shop 292 | shops 293 | signal 294 | signals 295 | signature 296 | site 297 | sites 298 | sitestats 299 | smoke 300 | snapshot 301 | snapshots 302 | sp 303 | splunk 304 | spreadsheets 305 | stage 306 | staging 307 | static 308 | statistics 309 | stats 310 | storage 311 | store 312 | studio 313 | submission 314 | submissions 315 | subversion 316 | support 317 | support-attachments 318 | supportdocs 319 | supportmedia 320 | supportuploads 321 | temp 322 | temporary 323 | terraform 324 | terraformbinaries 325 | test 326 | test-sandbox 327 | theme 328 | themekit 329 | themes 330 | tmp 331 | toolbelt 332 | tools 333 | training 334 | ts 335 | ui 336 | ui-staging 337 | update 338 | updates 339 | upload 340 | uploads 341 | us 342 | user-asset 343 | user-assets 344 | usercontent 345 | user-files 346 | users 347 | ux 348 | vagrant 349 | vanitydev 350 | vanitydevelopment 351 | vanityproduction 352 | vanitystaging 353 | video 354 | videos 355 | vm 356 | vms 357 | vps 358 | warehouse 359 | web 360 | webapp 361 | webassets 362 | web-assets 363 | webdata 364 | web-data 365 | web-gstatic 366 | website 367 | websiteassets 368 | website-assets 369 | websites 370 | webstatic 371 | web-static 372 | widget 373 | widgets 374 | windows 375 | wordpress 376 | wp 377 | www 378 | wwwcache 379 | zendesk 380 | -------------------------------------------------------------------------------- /flumberbuckets/resolvers.txt: -------------------------------------------------------------------------------- 1 | 1.1.1.1 2 | 8.8.8.8 3 | 64.6.64.6 4 | 77.88.8.8 5 | 74.82.42.42 6 | 1.0.0.1 7 | 8.8.4.4 8 | 9.9.9.10 9 | 64.6.65.6 10 | 77.88.8.1 -------------------------------------------------------------------------------- /portboozle/README.md: -------------------------------------------------------------------------------- 1 | # Portboozle 2 | Portboozle is a script I wrote as a substitute for masscan as it wasn't working as intended on my machine it wasn't showing the ports that were open on the targets I was scanning while, nmap was showing it properly. I tried to change the config of masscan but it still showed unreliable results, so I decied to write my own script to fix my problems. I know this script is no match for masscan's speed but it's okay for me as it at least shows all ports that were open. If you're facing the same problem with masscan then you could be missing on some open ports try running masscan & nmap on `scanme.nmap.org` and compare the results. 3 | 4 | ## Features 5 | - Save scan progress in JSON format 6 | - Resume scans on startup by launching this script at startup with cron or something 7 | - Auto save on shutdown 8 | - Multi-threaded 9 | - Output greppable to some extent 10 | - Fits into the massdns workflow for bug bounty hunting 11 | - Useful when masscan doesn't work properly 12 | 13 | ## Installation 14 | Python 3 only requires no dependencies just clone the git repo and change directory then run portboozle.py 15 | 16 | ## Usage 17 | ```$ python portboozle.py -h``` 18 | ``` 19 | Usage: cat massdns_output | portboozle.py -p 20 | 21 | Options: 22 | -h, --help show this help message and exit 23 | -p PORTS, --ports=PORTS 24 | Specify target port[s] seperated by comma or just do 25 | 1-65535 or medium or large or huge or massive 26 | -t THREADS, --threads=THREADS 27 | Specify number of threads default is 100 28 | -o OUTPUT, --output=OUTPUT 29 | Output JSON location 30 | -s TIMEOUT, --timeout=TIMEOUT 31 | Socket timeout for port scanning default is 0.7 32 | -d DUMP, --dump=DUMP Path to .portboozle.dump 33 | ``` 34 | 35 | ```$ cat massdns_output_examplecom | ./portboozle.py -p large -o ~/Desktop/example_scan.json``` 36 | Now try pressing CTRL+C it'll save the state somewhere this way you can resume your scan when you again relaunch the script, you can also run the script at startup and it'll do it's job diligently and your portscans will start and stop automatically when you use computer. Auto save function only works if you are going to save output as JSON that is when you use `-o` 37 | 38 | Output saved in JSON format, is categoried into IP and then into hostnames used and ports open on that IP 39 | ``` 40 | "1.1.1.1": { 41 | "hosts": [ 42 | "subdomain.example.com" 43 | ], 44 | "ports": [ 45 | 443, 46 | 80 47 | ] 48 | } 49 | 50 | ``` 51 | 52 | 53 | Following command will just output result to terminal won't autosave on shutdown or quit or won't save the results in JSON format 54 | 55 | ```$ cat massdns_output_examplecom | python portboozle.py -p large``` 56 | 57 | Output on terminal 58 | ``` 59 | 93.184.216.34 | 80 | www.example.com 60 | 93.184.216.34 | 443 | www.example.com 61 | ``` 62 | 63 | massdns_output_examplecom should look like this 64 | ``` 65 | 0000028.example.com. a 235.49.239.47 66 | 0000028.example.com. a 87.140.150.81 67 | 000245000.example.com. a 235.49.239.47 68 | 000245000.example.com. a 87.140.150.81 69 | 001-kz.example.com. a 235.49.239.47 70 | ``` 71 | 72 | ## Support the Project 73 | ### Share your story with me! ☺ 74 | If you earned a bounty through use of this script do share the story with me I'd be happy to hear that my script was of use to you. You can contact me over twitter @fellchase 75 | 76 | ### Wanna support monetarily 💰? 77 | If you want to thank me monetarily or want to donate to this project you can do so on [paypal.me/fellchase](https://paypal.me/fellchase) I'll be happy to hear your bug bounty story if you got any bounty with this script. -------------------------------------------------------------------------------- /portboozle/portboozle.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import threading, socket, optparse, sys, json, signal, os, gzip 4 | from queue import Queue 5 | 6 | 7 | medium = {80, 443, 8000, 8080, 8443} 8 | large = {80, 81, 443, 591, 2082, 2087, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888} 9 | huge = {80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 12443, 16080, 18091, 18092, 20720, 28017} 10 | massive = {8192, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, 485, 486, 487, 488, 489, 490, 491, 492, 493, 494, 495, 496, 497, 498, 499, 500, 501, 502, 503, 504, 505, 506, 507, 508, 509, 510, 511, 512, 513, 514, 515, 516, 517, 518, 519, 520, 521, 522, 523, 524, 525, 526, 527, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, 545, 546, 547, 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, 585, 586, 587, 588, 589, 590, 591, 592, 593, 594, 595, 596, 597, 598, 599, 600, 601, 602, 603, 604, 605, 606, 607, 608, 609, 610, 611, 612, 613, 614, 615, 616, 617, 618, 619, 620, 621, 622, 623, 624, 625, 626, 627, 628, 629, 630, 631, 632, 633, 634, 635, 636, 637, 638, 639, 640, 641, 642, 643, 644, 645, 646, 647, 648, 649, 650, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671, 672, 673, 674, 675, 676, 677, 678, 679, 680, 681, 682, 683, 684, 685, 686, 687, 688, 689, 690, 691, 692, 693, 694, 695, 696, 697, 698, 699, 700, 701, 702, 703, 704, 705, 706, 707, 708, 709, 710, 711, 712, 713, 714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, 732, 733, 734, 735, 736, 737, 738, 739, 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, 750, 751, 752, 753, 754, 755, 756, 757, 758, 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, 769, 770, 771, 772, 773, 774, 775, 776, 777, 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, 788, 789, 790, 791, 792, 793, 794, 795, 796, 797, 798, 799, 800, 801, 802, 803, 804, 805, 806, 807, 808, 809, 810, 811, 812, 813, 814, 815, 816, 817, 818, 819, 820, 821, 822, 823, 824, 825, 826, 827, 828, 829, 830, 831, 832, 833, 834, 835, 836, 837, 838, 839, 840, 841, 842, 843, 844, 845, 846, 847, 848, 849, 850, 851, 852, 853, 854, 855, 856, 857, 858, 859, 860, 861, 862, 863, 864, 865, 866, 867, 868, 869, 870, 871, 872, 873, 874, 875, 876, 877, 878, 879, 880, 881, 882, 883, 884, 885, 886, 887, 888, 889, 890, 891, 892, 893, 894, 895, 896, 897, 898, 899, 900, 901, 902, 903, 904, 905, 906, 907, 908, 909, 910, 911, 912, 913, 914, 915, 916, 917, 918, 919, 920, 921, 922, 923, 924, 925, 926, 927, 928, 929, 930, 931, 932, 933, 934, 935, 936, 937, 938, 939, 940, 941, 942, 943, 944, 945, 946, 947, 948, 949, 950, 951, 952, 953, 954, 955, 956, 957, 958, 959, 960, 961, 962, 963, 964, 965, 966, 967, 968, 969, 970, 971, 972, 973, 974, 975, 976, 977, 978, 979, 980, 981, 982, 983, 984, 985, 986, 987, 988, 989, 990, 991, 992, 993, 994, 995, 996, 997, 998, 999, 1000, 1001, 1002, 1007, 9200, 1009, 1010, 1011, 9207, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, 1042, 1043, 1044, 1045, 1046, 1047, 1048, 1049, 1050, 1051, 1052, 1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1067, 1068, 1069, 1070, 1071, 1072, 1073, 1074, 1075, 1076, 1077, 1078, 1079, 1080, 1081, 1082, 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090, 1091, 1092, 1093, 1094, 1095, 1096, 1097, 1098, 1099, 1100, 9290, 1102, 32782, 1104, 1105, 1106, 1107, 1108, 32783, 1110, 1111, 1112, 1113, 1114, 32785, 1117, 1119, 1121, 1122, 1123, 1124, 1126, 1130, 1131, 1132, 33899, 1137, 1138, 1141, 1145, 1147, 1148, 1149, 50300, 1151, 1152, 1154, 25734, 25735, 1163, 1164, 1165, 1166, 1169, 1174, 1175, 1183, 1185, 1186, 1187, 1192, 1198, 1199, 1201, 1213, 1216, 1217, 1218, 8383, 9415, 9418, 1233, 1234, 1236, 50389, 1244, 1247, 1248, 9443, 1259, 1271, 1272, 1277, 1287, 9485, 1296, 1300, 1301, 8400, 9500, 1309, 1310, 1311, 9502, 8402, 9503, 8193, 1322, 1328, 1334, 9535, 8194, 50500, 1352, 9575, 9593, 9594, 9595, 1417, 9618, 1433, 1434, 1443, 1455, 1461, 9666, 50636, 17877, 1494, 8200, 1500, 1501, 1503, 8443, 1521, 1524, 1533, 49152, 49153, 49154, 42510, 49155, 1556, 49156, 49157, 49158, 49159, 49160, 1580, 49161, 1583, 49163, 1594, 1600, 49165, 17988, 9800, 49167, 26214, 1641, 50800, 49175, 18040, 49176, 1658, 1666, 9876, 9877, 9878, 1687, 1688, 1700, 9898, 18091, 18092, 9900, 1717, 1718, 1719, 1720, 1721, 18101, 1723, 9917, 9929, 9943, 9944, 1755, 1761, 9968, 1782, 1783, 9981, 1801, 34571, 34572, 1805, 8500, 9998, 9999, 10000, 10001, 10002, 1812, 10003, 10004, 10009, 10010, 10012, 10024, 10025, 1839, 1840, 1862, 1863, 1864, 1875, 10082, 24800, 1900, 1914, 34573, 1935, 1947, 51103, 1971, 1972, 1974, 1984, 10180, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2013, 2020, 2021, 2022, 10215, 2030, 2033, 2034, 2035, 2038, 2040, 2041, 2042, 2043, 8222, 2045, 2046, 2047, 2048, 2049, 10243, 2065, 2068, 2082, 2087, 2095, 2096, 2099, 2100, 2103, 2105, 2106, 2107, 2111, 2119, 2121, 2126, 2135, 2144, 2160, 2161, 2170, 2179, 2190, 2191, 2196, 2200, 2222, 2251, 2260, 2288, 2301, 8600, 2323, 51493, 2366, 10566, 2381, 2382, 2383, 2393, 2394, 2399, 2401, 10616, 10617, 27000, 10621, 10626, 10628, 10629, 27017, 27018, 2480, 2492, 2500, 2522, 2525, 8649, 2557, 8651, 8652, 8243, 8654, 10778, 2601, 2602, 2604, 2605, 18988, 2607, 2608, 2638, 60020, 2701, 2702, 2710, 2717, 2718, 19101, 2725, 35500, 27352, 27353, 27355, 27356, 49400, 2800, 2809, 2811, 8701, 8254, 2869, 2875, 19283, 2909, 2910, 11110, 11111, 2920, 19315, 19350, 2967, 2968, 2998, 3000, 3001, 3003, 3005, 3006, 3007, 3011, 3013, 3017, 11211, 3030, 3031, 3052, 3071, 3077, 60443, 3128, 27715, 3168, 3211, 44176, 3221, 3260, 3261, 3268, 3269, 3283, 3300, 3301, 3306, 8800, 3322, 3323, 3324, 3325, 3333, 3351, 3367, 3369, 3370, 3371, 3372, 3389, 3390, 19780, 3404, 19801, 28017, 19842, 3476, 44442, 44443, 8834, 3493, 8280, 3517, 52673, 3527, 8281, 44501, 3546, 3551, 16992, 16993, 3580, 20000, 20005, 28201, 20031, 3659, 52822, 8873, 3689, 3690, 52848, 3703, 52869, 8880, 3737, 8888, 8290, 3766, 11967, 3784, 8291, 3800, 3801, 12000, 3809, 8292, 3814, 8899, 3826, 3827, 3828, 20221, 20222, 3851, 3869, 3871, 3878, 3880, 3889, 3905, 3914, 3918, 3920, 3945, 3971, 33354, 12174, 3986, 3995, 3998, 4000, 4001, 4002, 4003, 4004, 4005, 4006, 8300, 4045, 41511, 57797, 12265, 4111, 4125, 4126, 4129, 45100, 12345, 61532, 4224, 8983, 4242, 4243, 12443, 4279, 8994, 4321, 9000, 9001, 9002, 20720, 9003, 4343, 9009, 9010, 9011, 4443, 4444, 4445, 4446, 20828, 4449, 9040, 9043, 4550, 61900, 4567, 9050, 9060, 4662, 9071, 4711, 4712, 9080, 9081, 62078, 9090, 9091, 9099, 9100, 9101, 9102, 8333, 9103, 4848, 9110, 9111, 54045, 4899, 4900, 4993, 4998, 5000, 5001, 5002, 5003, 5004, 5009, 5030, 5033, 5050, 5051, 5054, 5060, 5061, 5080, 5087, 5100, 5101, 5102, 5104, 5108, 5120, 32768, 54328, 32769, 21571, 5190, 5200, 32770, 5214, 5221, 5222, 5225, 5226, 32771, 32772, 13456, 5269, 5280, 32773, 5298, 32774, 32775, 5357, 32776, 32777, 5405, 32778, 5414, 30000, 9220, 5431, 5432, 32779, 5440, 32780, 32781, 58080, 5500, 5510, 38292, 13722, 5544, 5550, 5555, 32784, 5560, 5566, 13782, 13783, 5631, 5632, 5633, 5666, 5672, 5678, 5679, 5718, 5730, 49999, 5800, 5801, 5802, 50000, 14000, 50001, 5810, 5811, 50002, 5815, 50003, 5822, 5825, 50006, 5850, 5859, 5862, 5877, 5900, 5901, 5902, 5903, 5904, 55055, 5906, 5907, 55056, 5910, 5911, 5915, 5922, 5925, 5950, 5952, 5959, 5960, 5961, 5962, 5963, 5987, 5988, 5989, 63331, 5998, 5999, 6000, 6001, 6002, 6003, 6004, 6005, 6006, 6007, 6009, 6025, 14238, 6059, 6100, 6101, 6106, 6112, 6123, 6129, 30718, 6156, 14441, 14442, 6346, 30951, 6379, 6389, 55555, 55600, 31038, 6502, 6510, 6543, 6547, 22939, 6565, 6566, 6567, 6580, 6646, 6666, 6667, 6668, 6669, 6689, 6692, 6699, 31337, 6779, 6788, 6789, 6792, 15000, 15002, 15003, 15004, 6839, 6881, 6901, 6969, 7000, 7001, 7002, 7004, 7007, 7019, 7025, 7070, 7100, 7103, 7106, 23502, 48080, 7200, 7201, 64623, 64680, 7396, 7402, 40193, 7435, 7443, 15660, 7474, 7496, 7512, 15742, 56737, 56738, 7625, 7627, 65000, 7676, 7741, 7777, 7778, 65129, 7800, 16000, 16001, 16012, 16016, 16018, 16080, 7911, 7920, 7921, 16113, 7937, 7938, 7999, 8000, 8001, 8002, 8007, 8008, 8009, 8010, 8011, 8014, 8021, 8022, 8031, 8042, 8045, 65389, 24444, 8069, 8080, 8081, 8082, 8083, 8084, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8093, 8099, 8100, 8118, 8123, 8129, 57294, 40911, 8172, 8180, 8181} 11 | 12 | parser = optparse.OptionParser('cat massdns_output | portboozle.py -p ') 13 | parser.add_option('-p', '--ports', dest='ports', type='string', help='Specify target port[s] seperated by comma or just do 1-65535 or medium or large or huge or massive ') 14 | parser.add_option('-t', '--threads', dest='threads', type='int', help='Specify number of threads default is 100', default=100) 15 | parser.add_option('-o', '--output', dest='output', type='string', help='Output JSON location', default='') 16 | parser.add_option('-s', '--timeout', dest='timeout', type='float', help='Socket timeout for port scanning default is 0.7', default='0.7') 17 | parser.add_option('-d', '--dump', dest='dump', type='string', help='Path to .portboozle.dump', default=sys.path[0] + '/' + '.portboozle.dump') 18 | (options, args) = parser.parse_args() 19 | 20 | 21 | thread_lock = threading.Lock() 22 | global_count = 0 # Will be incremented after each port is done scanning 23 | global_total_count = 0 # Total size of queue 24 | 25 | 26 | def create_portlist(): 27 | if 'massive' in options.ports: 28 | return massive 29 | elif 'huge' in options.ports: 30 | return huge 31 | elif 'large' in options.ports: 32 | return large 33 | elif 'medium' in options.ports: 34 | return medium 35 | 36 | newset = set() 37 | raw = options.ports.split(',') 38 | for x in raw: 39 | if '-' in x: 40 | (start, stop) = x.split('-') 41 | newset.update(range(int(start), int(stop) + 1)) 42 | else: 43 | newset.add(int(x)) 44 | return newset 45 | 46 | 47 | def extract_target(): 48 | ''' 49 | 0000028.example.com. a 235.49.239.47 50 | 0000028.example.com. a 87.140.150.81 51 | 000245000.example.com. a 235.49.239.47 52 | 000245000.example.com. a 87.140.150.81 53 | 001-kz.example.com. a 235.49.239.47 54 | ''' 55 | myset = set() 56 | for line in sys.stdin: 57 | if (line) and (not line.isspace()): 58 | (hostname, record_type, ip) = line.split() 59 | if record_type.lower() != 'a': 60 | continue 61 | 62 | hostname = hostname.strip('.\n') 63 | ip = ip.strip('.\n') 64 | 65 | myset.add(ip) 66 | 67 | while True: 68 | try: 69 | if hostname not in reference_back[ip]["hosts"]: 70 | reference_back[ip]["hosts"].append(hostname) 71 | break 72 | except KeyError: 73 | reference_back[ip] = { 74 | "hosts": [], 75 | "ports": [] 76 | } 77 | return myset 78 | 79 | 80 | def handle_signal(signum, y): 81 | # If you press CTRL + C 82 | with thread_lock: 83 | if options.output: 84 | with gzip.open(options.dump, 'wb') as fp: 85 | fp.write( 86 | json.dumps({ 87 | "cmd": ' '.join(sys.argv), 88 | "timeout": options.timeout, 89 | "threads": options.threads, 90 | "output": options.output, 91 | "global_count": global_count, 92 | "global_total_count": global_total_count, 93 | "reference_back": reference_back, 94 | "q": list(q.queue) 95 | }).encode() 96 | ) 97 | print("State saved in", options.dump, file=sys.stderr) 98 | sys.exit() 99 | 100 | 101 | def portscan(ip, port): 102 | global global_count, global_total_count 103 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 104 | s.settimeout(options.timeout) 105 | try: 106 | # Below function needs to be called wheter we manage to connect to the port or not it's a progress bar 107 | with thread_lock: 108 | global_count += 1 109 | print(' [{:.2%}] Scanning {}/{}'.format(global_count/global_total_count, global_count, global_total_count), file=sys.stderr, end='\r') 110 | 111 | con = s.connect((ip, port)) 112 | # If no exception we are connected and found an open port 113 | with thread_lock: 114 | print(ip + ' | ' + str(port) + ' |', *reference_back[ip]["hosts"]) 115 | if options.output: 116 | reference_back[ip]["ports"].append(port) 117 | con.close() 118 | except Exception as e: 119 | pass 120 | 121 | 122 | def threader(): 123 | while True: 124 | task = q.get() 125 | portscan(*task) 126 | q.task_done() 127 | 128 | 129 | signal.signal(signal.SIGINT, handle_signal) # When you recive KeyboardInterrupt 130 | signal.signal(signal.SIGTERM, handle_signal) # When OS Shutsdown 131 | 132 | 133 | try: 134 | # Hopefully we were able to save dump 135 | with gzip.open(options.dump, 'rb') as fp: 136 | dump = json.loads(fp.read().decode()) 137 | print("Found state file at", options.dump, "discarding the arguments", file=sys.stderr) 138 | # Restoring global variables 139 | options.timeout = dump["timeout"] 140 | options.threads = dump["threads"] 141 | options.output = dump["output"] 142 | global_count = dump["global_count"] 143 | global_total_count = dump["global_total_count"] 144 | reference_back = dump['reference_back'] 145 | # Putting items back in queue 146 | q = Queue() 147 | [q.put(x) for x in dump['q']] 148 | # Now that we've loaded these things into memory lets go ahead and delete them 149 | os.remove(options.dump) 150 | except IOError: 151 | # When dump file doesn't exist, it's a fresh start 152 | reference_back = {} 153 | q = Queue() 154 | for ipAddress in extract_target(): 155 | for aport in create_portlist(): 156 | q.put((ipAddress, aport)) 157 | global_total_count += 1 158 | 159 | 160 | for x in range(options.threads): 161 | t = threading.Thread(target=threader) 162 | t.daemon = True 163 | t.start() 164 | 165 | q.join() 166 | 167 | if options.output: 168 | json.dump(reference_back, open(options.output, 'w'), indent=4) 169 | --------------------------------------------------------------------------------