verbal.py

#!/usr/bin/env python3

"""
verbal.py 0.1 - HTTP(S) Request Method Security Scanner
Copyright (c) 2017 Marco Ivaldi <raptor@0xdeadbeef.info>

"The Other Way to Pen-Test" --HD Moore & Valsmith

Verbal is a HTTP request method security scanner. It
tries a series of interesting HTTP methods against a
list of website paths, in order to determine which
methods are available and accessible. The following
HTTP methods are currently supported (HEAD and POST
aren't that interesting, while DELETE and PATCH would
be too dangerous to blindly try as part of an automated
scan):

GET: request a representation of a resource
OPTIONS: get communication options for a resource
TRACE: perform a message loop-back test
DEBUG: start/stop remote debugging session on IIS
PUT: replace a resource with the request payload

Requirements:
Python 3 (https://pythonclock.org/ is ticking...)
Requests (http://docs.python-requests.org/)

Example usage:
$ ./verbal.py -A -u http://example.com -d directories.txt

TODO:
Test thoroughly, especially the PUT scanner
Introduce spidering capabilities and IP address scanning
Implement support for additional methods (e.g. CONNECT)

Get the latest version at:
https://github.com/0xdea/tactical-exploitation/
"""

VERSION = "0.1"
BANNER = """
verbal.py {0} - HTTP(S) Request Method Security Scanner
Copyright (c) 2017 Marco Ivaldi <raptor@0xdeadbeef.info>
""".format(VERSION)

import sys
import argparse
import re
import requests

# disable InsecureRequestWarning
import urllib3
urllib3.disable_warnings()

def http_method_scanner(args):
    """
    Generic HTTP request method scanner
    """

    base = args.u.rstrip("/")
    timeout = args.t

    dirs = set()
    if args.d:
        dirs = {d.rstrip().strip("/") + "/" for d in args.d}
    dirs.add("")

    if args.all: # activate all additional scanners
        args.trace = True
        args.debug = True
        args.put = True

    print("*** Scanning {0} ***\n".format(base))

    for d in sorted(dirs):

        url = base + "/" + d
        print(url)

        # base scanners
        scan_get(url, timeout)
        scan_options(url, timeout)

        # additional scanners
        if args.trace:
            scan_trace(url, timeout)
        if args.debug:
            scan_debug(url, timeout)
        if args.put:
            scan_put(url, timeout)

        print("")

    print("*** Finished {0} ***\n".format(base))

def scan_get(url, timeout):
    """
    GET method and Directory Listing scanner
    """

    try:
        r = requests.get(
                url=url,
                timeout=timeout,
                verify=False)
        print(
                "    GET" + "\t\t> "
                + str(r.status_code) + " ("
                + str(requests.status_codes._codes[r.status_code][0]) + ")")

    except (KeyboardInterrupt, SystemExit):
        sys.exit(1)

    except Exception as err:
        print("\n// error: {0}".format(err))
        sys.exit(1) # exit in case of error

    else: # bonus check;)
        p = re.compile("(Index of )|(To Parent Directory)") # apache, iis
        if p.search(r.text):
            print("        Directory Listing is enabled")

def scan_options(url, timeout):
    """
    OPTIONS method scanner
    """

    try:
        r = requests.options(
                url=url,
                timeout=timeout,
                verify=False)
        print(
                "    OPTIONS" + "\t> "
                + str(r.status_code) + " ("
                + str(requests.status_codes._codes[r.status_code][0]) + ")")
        print("        " + "Methods: " + r.headers["allow"])

    except (KeyboardInterrupt, SystemExit):
        sys.exit(1)

    except Exception as err:
        pass # ignore errors

def scan_trace(url, timeout):
    """
    TRACE method scanner
    """

    try:
        r = requests.request(
                url=url,
                timeout=timeout,
                verify=False,
                method="TRACE")
        print(
                "    TRACE" + "\t> "
                + str(r.status_code) + " ("
                + str(requests.status_codes._codes[r.status_code][0]) + ")")

    except (KeyboardInterrupt, SystemExit):
        sys.exit(1)

    except Exception as err:
        print("        // error: {0}".format(err))

def scan_debug(url, timeout):
    """
    DEBUG method scanner
    """

    target = url + "verbal.aspx"
    headers = {
            "Accept" : "*/*",
            "Command" : "stop-debug"}

    try:
        r = requests.request(
                url=target,
                timeout=timeout,
                verify=False,
                method="DEBUG",
                headers=headers)
        print(
                "    DEBUG" + "\t> "
                + str(r.status_code) + " ("
                + str(requests.status_codes._codes[r.status_code][0]) + ")")

    except (KeyboardInterrupt, SystemExit):
        sys.exit(1)

    except Exception as err:
        print("        // error: {0}".format(err))

def scan_put(url, timeout): # TODO: test thoroughly
    """
    PUT method scanner
    """

    # interesting file types to check
    filetypes = ["txt", "html", "xml", "js", "php", "asp", "aspx", "jsp"]

    print("    PUT")

    for t in filetypes:
        target = url + "verbal." + t

        try:
            r = requests.put(
                    url=target,
                    timeout=timeout,
                    verify=False,
                    data="PENTEST")
            print(
                    "        " + t + "\t> "
                    + str(r.status_code) + " ("
                    + str(requests.status_codes._codes[r.status_code][0]) + ")")

        except (KeyboardInterrupt, SystemExit):
            sys.exit(1)

        except Exception as err:
            print("        // error: {0}".format(err))

def get_args():
    """
    Get command line arguments
    """

    parser = argparse.ArgumentParser()
    parser.set_defaults(func=http_method_scanner)

    # http methods
    parser.add_argument(
            "-T", "--trace",
            action="store_true",
            help="TRACE method scanner")
    parser.add_argument(
            "-D", "--debug",
            action="store_true",
            help="DEBUG method scanner")
    parser.add_argument(
            "-P", "--put",
            action="store_true",
            help="PUT method scanner")
    parser.add_argument(
            "-A", "--all",
            action="store_true",
            help="Scan all supported methods")

    # targets
    parser.add_argument(
            "-u",
            metavar="BASE_URL",
            required=True,
            help="target base URL")
    parser.add_argument(
            "-d",
            metavar="DIR_FILE",
            type=argparse.FileType("r"),
            help="file containing a list of directories")

    # other arguments
    parser.add_argument(
            "-t",
            metavar="TIMEOUT",
            type=int,
            default=5,
            help="timeout in seconds (default: 5)")

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(0)

    return parser.parse_args()

def main():
    """
    Main function
    """

    print(BANNER)

    if sys.version_info[0] != 3:
        print("// error: this script requires python 3")
        sys.exit(1)

    args = get_args()
    args.func(args)

if __name__ == "__main__":
    main()