├── LICENSE.txt
├── README.md
├── config
│   └── flashlight.yaml
├── flashlight-blackhat-arsenal.md
├── flashlight.py
├── images
│   └── flashlight.png
└── lib
    ├── __init__.py
    ├── active
    │   ├── __init__.py
    │   ├── corescanner.py
    │   ├── osscan.py
    │   ├── pingscan.py
    │   ├── portscan.py
    │   └── scriptscan.py
    ├── activescan.py
    ├── core
    │   ├── __init__.py
    │   ├── config_parser.py
    │   ├── core.py
    │   ├── exceptions.py
    │   ├── logger.py
    │   └── threadpool.py
    ├── filter
    │   ├── __init__.py
    │   └── filter.py
    ├── filterscan.py
    ├── main.py
    ├── passive
    │   ├── __init__.py
    │   └── passive.py
    ├── passivescan.py
    ├── screen
    │   ├── __init__.py
    │   └── webscan.py
    └── screenscan.py
/LICENSE.txt:
--------------------------------------------------------------------------------
1 | Copyright (c) 2014 Gökhan ALKAN
2 | Permission is hereby granted, free of charge, to any person obtaining a
3 | copy of this software and associated documentation files (the
4 | "Software"), to deal in the Software without restriction, including
5 | without limitation the rights to use, copy, modify, merge, publish,
6 | distribute, sublicense, and/or sell copies of the Software, and to
7 | permit persons to whom the Software is furnished to do so, subject to
8 | the following conditions:
9 |
10 | The above copyright notice and this permission notice shall be included
11 | in all copies or substantial portions of the Software.
12 |
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
14 | OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
15 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
16 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
17 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
18 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
19 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |  Automated Information Gathering Tool for Penetration Testers
3 | =====
4 |
5 | ### Videos :
6 |
7 | https://www.youtube.com/watch?v=EUMKffaAxzs&list=PL1BVM6VWlmWZOv9Hv8TV2v-kAlUmvA5g7&index=4
8 | https://www.youtube.com/watch?v=qCgW-SfYl1c&list=PL1BVM6VWlmWZOv9Hv8TV2v-kAlUmvA5g7&index=5
9 | https://www.youtube.com/watch?v=98Soe01swR8&list=PL1BVM6VWlmWZOv9Hv8TV2v-kAlUmvA5g7&index=6
10 | https://www.youtube.com/watch?v=9wft9zuh1f0&list=PL1BVM6VWlmWZOv9Hv8TV2v-kAlUmvA5g7&index=7
11 |
12 | Pentesters spend too much time in the information gathering phase. Flashlight (Fener) provides services to scan networks/ports and gather information rapidly on target networks, so Flashlight should be the choice to automate the discovery step during a penetration test. In this article, the usage of the Flashlight application is explained.
13 |
14 | For more information about using Flashlight, the "-h" or "--help" option can be used.
15 |
16 |
17 |
18 | The parameters of this application are listed below:
19 |
20 |
21 | - -h, --help: It shows the information about using the Flashlight application.
22 | - -p <ProjectName> or --project <ProjectName>: It sets the project name to the name given. This parameter can be used to save different projects in different workspaces.
23 | - -s <ScanType> or --scan_type <ScanType>: It sets the type of scan. There are four types of scans: Active Scan, Passive Scan, Screenshot Scan and Filtering. These types of scans will be examined later in detail.
24 | - -d <DestinationNetwork>, --destination <DestinationNetwork>: It sets the network or IP that the scan will be executed against.
25 | - -c <FileName>, --config <FileName>: It specifies the configuration file. The scan is performed according to the information in the configuration file.
26 | - -u <NetworkInterface>, --interface <NetworkInterface>: It sets the network interface used during passive scanning.
27 | - -f <PcapFile>, --pcap_file <PcapFile>: It sets the PCAP file that will be filtered.
28 | - -r <RasterizeFile>, --rasterize <RasterizeFile>: It sets the location of the Rasterize JavaScript file which will be used for taking screenshots.
29 | - -t <ThreadNumber>, --thread <ThreadNumber>: It sets the number of threads. This parameter is valid only in screenshot scanning (screen scan) mode.
30 | - -o <OutputDirectory>, --output <OutputDirectory>: It sets the directory in which the scan results are saved. The scan results are saved in 3 sub-directories: the "nmap" subdirectory for Nmap scan results, the "pcap" subdirectory for PCAP files and the "screen" subdirectory for screenshots. Scan results are saved in a project directory under the output directory given by this parameter. If this option is not set, scan results are saved in the directory that the Flashlight application is running in.
31 | - -a, --alive: It performs a ping scan to discover up IP addresses before the actual vulnerability scan. It is used for active scan.
32 | - -g <DefaultGateway>, --gateway <DefaultGateway>: It identifies the IP address of the gateway. If not set, the interface given with the "-I" parameter is used.
33 | - -l <LogFile>, --log <LogFile>: It specifies the log file in which the scan results are saved. If not set, logs are saved in the "flashlight.log" file in the working directory.
34 | - -k <PassiveTimeout>, --passive_timeout <PassiveTimeout>: It specifies the timeout for sniffing in passive mode. The default value is 15 seconds. This parameter is used for passive scan.
35 | - -m, --mim: It is used to perform a MITM attack.
36 | - -n, --nmap-optimize: It is used to optimize the nmap scan.
37 | - -v, --verbose: It is used to list detailed information.
38 | - -V, --version: It shows the version of the program.
74 |
75 |
76 |
77 |
78 | ### Installation
79 | ```
80 | apt-get install nmap tshark tcpdump dsniff
81 | ```
82 |
83 | In order to install phantomjs easily, you can download and extract it from https://bitbucket.org/ariya/phantomjs/downloads.
84 |
85 |
86 | The Flashlight application can perform 3 basic scan types and 1 analysis type. Each of them is described below.
87 |
88 | 1) Passive Scan
89 |
90 | In a passive scan, no packets are sent onto the wire. This type of scan is used for listening to the network and analyzing packets.
91 |
92 | To launch a passive scan using Flashlight, a project name should be specified, such as “passive-pro-01”. In the following command, packets captured on eth0 are saved into the “/root/Desktop/flashlight/output/passive-project-01/pcap" directory, whereas the Pcap files and all logs are saved into the "/root/Desktop/log" directory.
93 |
94 | ```
95 | ./flashlight.py -s passive -p passive-pro-01 -i eth0 -o /root/Desktop/flashlight_test -l /root/Desktop/log -v
96 | ```
97 |
98 |
99 |
100 |
101 |
102 | When the scan is completed, a new directory named “flashlight_test" and a log file named “log” are created in the "/root/Desktop/" directory.
103 |
104 |
105 |
106 |
107 |
108 |
109 | The directory structure of “flashlight_test” is shown below. The PCAP file is saved into the “/root/Desktop/flashlight_test/output/passive-pro-01/pcap” directory. This PCAP file can be used for analysis purposes.
110 | ```
111 | ls /root/Desktop/flashlight_test -R
112 | ```
113 |
114 |
115 |
116 |
117 | The content of the log file is the same as the command line output:
118 |
119 |
120 |
121 |
122 |
123 | During standard passive scanning, broadcast packets and packets sent directly to the scanning machine are captured. Besides this, by using the “--mim/-m” parameter, ARP spoofing and a MITM attack can be performed.
124 |
125 |
126 | ```
127 | ./flashlight.py -s passive -p passive-project-02 -i eth0 -g 192.168.74.2 -m -k 50 -v
128 | ```
129 |
130 |
131 |
132 |
133 |
134 | By analyzing the captured PCAP file, HTTP traffic can be seen.
135 |
136 |
137 |
138 |
139 |
140 | By decoding the Basic Authentication message, the credentials giving access to the web servers can be read.
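The same observation, turned into a defender's detection check. This is an added example and not code from the Flashlight project: the Python below scans raw HTTP requests of the kind extracted from a capture for an "Authorization: Basic" header, decodes it, and reports host, path and user name together with only the length of the password, so that the finding "cleartext credentials on this segment" can be logged without writing the secret itself to the log. The three requests are constructed samples, not taken from a real capture.

```python
import base64
import binascii

# Constructed sample requests as they would appear in a cleartext HTTP stream
# (not from a real capture). The first carries Basic credentials "alice:P@ssw0rd".
SAMPLE_REQUESTS = [
    b"GET /admin/ HTTP/1.1\r\nHost: intranet.example.test\r\n"
    b"Authorization: Basic YWxpY2U6UEBzc3cwcmQ=\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"GET /api/ HTTP/1.1\r\nHost: api.example.test\r\n"
    b"Authorization: Bearer not-basic\r\n\r\n",
]


def parse_headers(raw):
    """Split a raw HTTP request into (request line, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_basic_auth(raw):
    """Return a finding dict if the request carries Basic credentials in cleartext,
    otherwise None. The password is never returned, only its length."""
    request_line, headers = parse_headers(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: not a usable credential, ignore it
    user, _, password = decoded.partition(":")
    parts = request_line.split()
    return {
        "host": headers.get("host", "?"),
        "path": parts[1] if len(parts) > 1 else "?",
        "user": user,
        "password_length": len(password),
    }


def scan_capture(requests):
    """Run the check over every request and collect the findings."""
    findings = []
    for raw in requests:
        finding = find_basic_auth(raw)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_capture(SAMPLE_REQUESTS):
        print("cleartext Basic auth: %(user)s -> http://%(host)s%(path)s "
              "(password length %(password_length)d)" % f)
```

Feeding the detector with real traffic only needs the per-request bytes, for example the reassembled HTTP requests that tshark can export from the PCAP produced by the passive scan.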
141 |
142 |
143 |
144 |
145 | A passive scan with all parameters set is shown below.
146 |
147 | ```
148 | ./flashlight.py -s passive -p passive-pro-03 -i eth0 -g 192.168.74.2 -m -k 50 -o /root/Desktop/flashlight_passive_full -l /root/Desktop/log -v
149 | ```
150 |
151 |
152 | 2) Active Scan
153 |
154 | During an active scan, NMAP scripts are used as specified in the configuration file. An example configuration file (flashlight.yaml) is stored in the “config” directory under the working directory.
155 |
156 | ```
157 | tcp_ports:
158 | - 21, 22, 23, 25, 80, 443, 445, 3128, 8080
159 | udp_ports:
160 | - 53, 161
161 | scripts:
162 | - http-enum
163 | screen_ports:
164 | - 80, 443, 8080, 8443
165 | ```
170 |
171 |
172 |
173 |
174 |
175 | According to the "flashlight.yaml" configuration file, the scan runs NMAP against TCP ports "21, 22, 23, 25, 80, 443, 445, 3128, 8080" and UDP ports "53, 161", with the "http-enum" script.
176 |
177 | Note: During an active scan the “screen_ports” option is ignored. This option only works with the screen scan.
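As an added example, and not the project's own config_parser.py (whose code is not shown on this page), the following Python reads a flashlight.yaml in the layout shown above with a minimal stdlib-only parser for exactly this "key:" / "- a, b, c" form, validates the port numbers and script names so that a malformed or tampered config line cannot add unintended arguments to the Nmap command line, and builds the Nmap argument list for the TCP ports, UDP ports and script the README describes. The Nmap options used (-sS, -sU, -p with T:/U: prefixes, --script) are standard Nmap flags; how Flashlight itself composes its Nmap command is an assumption here, and the config text is a constructed copy of the README's example.

```python
import re
import shlex

# Constructed copy of the example flashlight.yaml from the README.
SAMPLE_CONFIG = """\
tcp_ports:
- 21, 22, 23, 25, 80, 443, 445, 3128, 8080
udp_ports:
- 53, 161
scripts:
- http-enum
screen_ports:
- 80, 443, 8080, 8443
"""

# Nmap script names consist of letters, digits, '-', '_' and '.'; anything else
# (spaces, '=', quotes) is rejected so a config entry cannot smuggle extra
# arguments into the nmap command line.
SCRIPT_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_config(text):
    """Parse the tiny YAML subset flashlight.yaml uses: 'key:' lines followed by
    '- value' items, where an item may hold several comma-separated values.
    Returns {key: [string, ...]}."""
    config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":"):
            current = line[:-1].strip()
            config[current] = []
        elif line.startswith("- "):
            if current is None:
                raise ValueError("list item before any key: %r" % raw)
            config[current].extend(v.strip() for v in line[2:].split(",") if v.strip())
        else:
            raise ValueError("unrecognised line: %r" % raw)
    return config


def validate_ports(values):
    """Turn port strings into a sorted, de-duplicated list of ints in 1..65535."""
    ports = set()
    for v in values:
        if not v.isdigit() or not 1 <= int(v) <= 65535:
            raise ValueError("invalid port: %r" % v)
        ports.add(int(v))
    return sorted(ports)


def validate_scripts(values):
    for v in values:
        if not SCRIPT_NAME_RE.match(v):
            raise ValueError("invalid script name: %r" % v)
    return list(values)


def build_nmap_args(config, target):
    """Build an argv list for nmap from the validated config (assumption: this is
    one reasonable mapping, not necessarily the one Flashlight's scanners use)."""
    tcp = validate_ports(config.get("tcp_ports", []))
    udp = validate_ports(config.get("udp_ports", []))
    scripts = validate_scripts(config.get("scripts", []))
    args = ["nmap"]
    spec = []
    if tcp:
        args.append("-sS")
        spec.append("T:" + ",".join(map(str, tcp)))
    if udp:
        args.append("-sU")
        spec.append("U:" + ",".join(map(str, udp)))
    if spec:
        args += ["-p", ",".join(spec)]
    if scripts:
        args += ["--script", ",".join(scripts)]
    args.append(target)  # screen_ports is deliberately not consulted here
    return args


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(shlex.join(build_nmap_args(cfg, "192.168.74.0/24")))
```

Passing the list to subprocess without a shell keeps each entry a single argument, which together with the name and port checks is what makes the configuration file safe to treat as untrusted input.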
178 |
179 | The “-a” option is useful for discovering up hosts by sending ICMP packets. Besides this, increasing the thread number with the “-t” parameter increases scan speed.
180 |
181 | ```
182 | ./flashlight.py -p active-project -s active -d 192.168.74.0/24 -t 30 -a -v
183 | ```
184 |
185 |
186 |
187 |
188 |
189 | Running this command emits output files in three different formats (Normal, XML and Grepable) for four different scan types (Operating system scan, Ping scan, Port scan and Script scan).
190 |
191 |
192 |
193 |
194 |
195 | Example commands that the Flashlight application runs are given below:
196 |
197 |