From c92e594f77ccb3b9e62c09b0d73fac1af9eee4e1 Mon Sep 17 00:00:00 2001 From: Tib3rius <48113936+Tib3rius@users.noreply.github.com> Date: Mon, 2 Aug 2021 19:13:09 -0400 Subject: [PATCH] Reformatting & API Function Name Updates Switched spaces to tabs throughout for consistency. Changed add_port_match() to match_port() Changed add_service_match() to match_service_name() Removed un-used variables. --- LICENSE | 192 +-- README.md | 6 +- autorecon.py | 2542 +++++++++++++++++----------------- plugins/databases.py | 156 +-- plugins/default-port-scan.py | 68 +- plugins/dns.py | 16 +- plugins/ftp.py | 38 +- plugins/http.py | 280 ++-- plugins/kerberos.py | 16 +- plugins/ldap.py | 36 +- plugins/misc.py | 208 +-- plugins/nfs.py | 32 +- plugins/rdp.py | 38 +- plugins/rpc.py | 32 +- plugins/sip.py | 32 +- plugins/smb.py | 120 +- plugins/snmp.py | 76 +- plugins/ssh.py | 38 +- plugins/sslscan.py | 20 +- 19 files changed, 1972 insertions(+), 1974 deletions(-) diff --git a/LICENSE b/LICENSE index f288702..1acb731 100644 --- a/LICENSE +++ b/LICENSE @@ -1,11 +1,11 @@ - GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. - Preamble + Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. @@ -68,7 +68,7 @@ patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. - TERMS AND CONDITIONS + TERMS AND CONDITIONS 0. Definitions. @@ -211,26 +211,26 @@ and you may offer support or warranty protection for a fee. produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, @@ -249,46 +249,46 @@ of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be @@ -362,28 +362,28 @@ for which you have or can give appropriate copyright permission. add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you @@ -618,9 +618,9 @@ an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. - END OF TERMS AND CONDITIONS + END OF TERMS AND CONDITIONS - How to Apply These Terms to Your New Programs + How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it @@ -631,31 +631,31 @@ to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. - - Copyright (C) + + Copyright (C) - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. - You should have received a copy of the GNU General Public License - along with this program. If not, see . + You should have received a copy of the GNU General Public License + along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: - Copyright (C) - This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands diff --git a/README.md b/README.md index 4652c01..9945c62 100644 --- a/README.md +++ b/README.md @@ -129,9 +129,9 @@ By default, results will be stored in the ./results directory. A new sub directo │   ├── proof.txt │   └── screenshots/ └── scans/ - ├── _commands.log - ├── _manual_commands.txt - └── xml/ + ├── _commands.log + ├── _manual_commands.txt + └── xml/ ``` The exploit directory is intended to contain any exploit code you download / write for the target. diff --git a/autorecon.py b/autorecon.py index 2e0e18d..49950d1 100644 --- a/autorecon.py +++ b/autorecon.py @@ -9,1390 +9,1388 @@ class Pattern: - def __init__(self, pattern, description=None): - self.pattern = pattern - self.description = description + def __init__(self, pattern, description=None): + self.pattern = pattern + self.description = description class Target: - def __init__(self, address, autorecon): - self.address = address - self.autorecon = autorecon - self.basedir = '' - self.reportdir = '' - self.scandir = '' - self.lock = asyncio.Lock() - self.pending_services = [] - self.services = [] - self.scans = [] - self.running_tasks = {} + def __init__(self, address, autorecon): + self.address = address + self.autorecon = autorecon + self.basedir = '' + self.reportdir = '' + self.scandir = '' + self.lock = asyncio.Lock() + self.pending_services = [] + self.services = [] + self.scans = [] + self.running_tasks = {} - async def add_service(self, protocol, port, name, secure=False): - async with self.lock: - self.pending_services.append(Service(protocol, port, name, secure)) + async def add_service(self, protocol, port, name, secure=False): + async with self.lock: + self.pending_services.append(Service(protocol, port, name, secure)) - def extract_service(self, line, regex=None): - return self.autorecon.extract_service(line, regex) + def extract_service(self, line, regex=None): + return self.autorecon.extract_service(line, regex) - async def extract_services(self, stream, regex=None): - return await self.autorecon.extract_services(stream, regex) + async def extract_services(self, stream, regex=None): + return await self.autorecon.extract_services(stream, regex) - async def execute(self, cmd, blocking=True, outfile=None, errfile=None): - target = self + async def execute(self, cmd, blocking=True, outfile=None, errfile=None): + target = self - # Create variables for command references. - address = target.address - scandir = target.scandir + # Create variables for command references. + address = target.address + scandir = target.scandir - nmap_extra = self.autorecon.args.nmap - if self.autorecon.args.nmap_append: - nmap_extra += ' ' + self.autorecon.args.nmap_append + nmap_extra = self.autorecon.args.nmap + if self.autorecon.args.nmap_append: + nmap_extra += ' ' + self.autorecon.args.nmap_append - plugin = inspect.currentframe().f_back.f_locals['self'] + plugin = inspect.currentframe().f_back.f_locals['self'] - cmd = e(cmd) + cmd = e(cmd) - tag = plugin.slug + tag = plugin.slug - if target.autorecon.config['verbose'] >= 1: - info('Port scan {bblue}' + plugin.name + ' (' + tag + '){rst} is running the following command against {byellow}' + address + '{rst}: ' + cmd) + if target.autorecon.config['verbose'] >= 1: + info('Port scan {bblue}' + plugin.name + ' (' + tag + '){rst} is running the following command against {byellow}' + address + '{rst}: ' + cmd) - if outfile is not None: - outfile = os.path.abspath(os.path.join(target.scandir, e(outfile))) + if outfile is not None: + outfile = os.path.abspath(os.path.join(target.scandir, e(outfile))) - if errfile is not None: - errfile = os.path.abspath(os.path.join(target.scandir, e(errfile))) + if errfile is not None: + errfile = os.path.abspath(os.path.join(target.scandir, e(errfile))) - async with target.lock: - with open(os.path.join(target.scandir, '_commands.log'), 'a') as file: - file.writelines(cmd + '\n\n') + async with target.lock: + with open(os.path.join(target.scandir, '_commands.log'), 'a') as file: + file.writelines(cmd + '\n\n') - process, stdout, stderr = await self.autorecon.execute(cmd, target, tag, patterns=plugin.patterns, outfile=outfile, errfile=errfile) + process, stdout, stderr = await self.autorecon.execute(cmd, target, tag, patterns=plugin.patterns, outfile=outfile, errfile=errfile) - target.running_tasks[tag]['processes'].append({'process':process, 'stderr': stderr, 'cmd': cmd}) + target.running_tasks[tag]['processes'].append({'process':process, 'stderr': stderr, 'cmd': cmd}) - if blocking: - while (not (stdout.ended and stderr.ended)): - await asyncio.sleep(0.1) - await process.wait() + if blocking: + while (not (stdout.ended and stderr.ended)): + await asyncio.sleep(0.1) + await process.wait() - return process, stdout, stderr + return process, stdout, stderr class Service: - def __init__(self, protocol, port, name, secure=False): - self.target = None - self.protocol = protocol.lower() - self.port = int(port) - self.name = name - self.secure = secure + def __init__(self, protocol, port, name, secure=False): + self.target = None + self.protocol = protocol.lower() + self.port = int(port) + self.name = name + self.secure = secure - @final - def tag(self): - return self.protocol + '/' + str(self.port) + '/' + self.name + @final + def tag(self): + return self.protocol + '/' + str(self.port) + '/' + self.name - @final - def full_tag(self): - return self.protocol + '/' + str(self.port) + '/' + self.name + '/' + ('secure' if self.secure else 'insecure') + @final + def full_tag(self): + return self.protocol + '/' + str(self.port) + '/' + self.name + '/' + ('secure' if self.secure else 'insecure') - @final - async def execute(self, cmd, blocking=True, outfile=None, errfile=None): - target = self.target + @final + async def execute(self, cmd, blocking=True, outfile=None, errfile=None): + target = self.target - # Create variables for command references. - address = target.address - scandir = target.scandir - protocol = self.protocol - port = self.port - name = self.name + # Create variables for command references. + address = target.address + scandir = target.scandir + protocol = self.protocol + port = self.port + name = self.name - # Special cases for HTTP. - http_scheme = 'https' if 'https' in self.name or self.secure is True else 'http' + # Special cases for HTTP. + http_scheme = 'https' if 'https' in self.name or self.secure is True else 'http' - nmap_extra = self.target.autorecon.args.nmap - if self.target.autorecon.args.nmap_append: - nmap_extra += ' ' + self.target.autorecon.args.nmap_append + nmap_extra = self.target.autorecon.args.nmap + if self.target.autorecon.args.nmap_append: + nmap_extra += ' ' + self.target.autorecon.args.nmap_append - if protocol == 'udp': - nmap_extra += ' -sU' + if protocol == 'udp': + nmap_extra += ' -sU' - plugin = inspect.currentframe().f_back.f_locals['self'] + plugin = inspect.currentframe().f_back.f_locals['self'] - cmd = e(cmd) + cmd = e(cmd) - tag = self.tag() + '/' + plugin.slug + tag = self.tag() + '/' + plugin.slug - if target.autorecon.config['verbose'] >= 1: - info('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} is running the following command against {byellow}' + address + '{rst}: ' + cmd) + if target.autorecon.config['verbose'] >= 1: + info('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} is running the following command against {byellow}' + address + '{rst}: ' + cmd) - if outfile is not None: - outfile = os.path.abspath(os.path.join(target.scandir, e(outfile))) + if outfile is not None: + outfile = os.path.abspath(os.path.join(target.scandir, e(outfile))) - if errfile is not None: - errfile = os.path.abspath(os.path.join(target.scandir, e(errfile))) + if errfile is not None: + errfile = os.path.abspath(os.path.join(target.scandir, e(errfile))) - async with target.lock: - with open(os.path.join(target.scandir, '_commands.log'), 'a') as file: - file.writelines(e('{cmd}\n\n')) + async with target.lock: + with open(os.path.join(target.scandir, '_commands.log'), 'a') as file: + file.writelines(e('{cmd}\n\n')) - process, stdout, stderr = await target.autorecon.execute(cmd, target, tag, patterns=plugin.patterns, outfile=outfile, errfile=errfile) + process, stdout, stderr = await target.autorecon.execute(cmd, target, tag, patterns=plugin.patterns, outfile=outfile, errfile=errfile) - target.running_tasks[tag]['processes'].append({'process':process, 'stderr': stderr, 'cmd': cmd}) + target.running_tasks[tag]['processes'].append({'process':process, 'stderr': stderr, 'cmd': cmd}) - if blocking: - while (not (stdout.ended and stderr.ended)): - await asyncio.sleep(0.1) - await process.wait() + if blocking: + while (not (stdout.ended and stderr.ended)): + await asyncio.sleep(0.1) + await process.wait() - return process, stdout, stderr + return process, stdout, stderr class CommandStreamReader(object): - def __init__(self, stream, target, tag,patterns=None, outfile=None): - self.stream = stream - self.target = target - self.tag = tag - self.lines = [] - self.patterns = patterns or [] - self.outfile = outfile - self.ended = False - - async def _read(self): - while True: - if self.stream.at_eof(): - break - line = (await self.stream.readline()).decode('utf8').rstrip() - if self.target.autorecon.config['verbose'] >= 2: - if line != '': - info('{blue}[{bright}' + self.target.address + '/' + self.tag + '{srst}]{crst} ' + line.replace('{', '{{').replace('}', '}}')) - for p in self.patterns: - matches = p.pattern.findall(line) - for match in matches: - async with self.target.lock: - with open(os.path.join(self.target.scandir, '_patterns.log'), 'a') as file: - if p.description: - if self.target.autorecon.config['verbose'] >= 1: - info('{blue}[{bright}' + self.target.address + '/' + self.tag + '{srst}] {crst}{bmagenta}' + p.description.replace('{match}', '{bblue}' + match + '{crst}{bmagenta}') + '{rst}') - file.writelines(p.description.replace('{match}', match) + '\n\n') - else: - if self.target.autorecon.config['verbose'] >= 1: - info('{blue}[{bright}' + self.target.address + '/' + self.tag + '{srst}] {crst}{bmagenta}Matched Pattern: {bblue}' + match + '{rst}') - file.writelines('Matched Pattern: ' + match + '\n\n') - - if self.outfile is not None: - with open(self.outfile, 'a') as writer: - writer.write(line + '\n') - self.lines.append(line) - self.ended = True - - async def readline(self): - while True: - try: - return self.lines.pop(0) - except IndexError: - if self.ended: - return None - else: - await asyncio.sleep(0.1) + def __init__(self, stream, target, tag,patterns=None, outfile=None): + self.stream = stream + self.target = target + self.tag = tag + self.lines = [] + self.patterns = patterns or [] + self.outfile = outfile + self.ended = False + + async def _read(self): + while True: + if self.stream.at_eof(): + break + line = (await self.stream.readline()).decode('utf8').rstrip() + if self.target.autorecon.config['verbose'] >= 2: + if line != '': + info('{blue}[{bright}' + self.target.address + '/' + self.tag + '{srst}]{crst} ' + line.replace('{', '{{').replace('}', '}}')) + for p in self.patterns: + matches = p.pattern.findall(line) + for match in matches: + async with self.target.lock: + with open(os.path.join(self.target.scandir, '_patterns.log'), 'a') as file: + if p.description: + if self.target.autorecon.config['verbose'] >= 1: + info('{blue}[{bright}' + self.target.address + '/' + self.tag + '{srst}] {crst}{bmagenta}' + p.description.replace('{match}', '{bblue}' + match + '{crst}{bmagenta}') + '{rst}') + file.writelines(p.description.replace('{match}', match) + '\n\n') + else: + if self.target.autorecon.config['verbose'] >= 1: + info('{blue}[{bright}' + self.target.address + '/' + self.tag + '{srst}] {crst}{bmagenta}Matched Pattern: {bblue}' + match + '{rst}') + file.writelines('Matched Pattern: ' + match + '\n\n') + + if self.outfile is not None: + with open(self.outfile, 'a') as writer: + writer.write(line + '\n') + self.lines.append(line) + self.ended = True + + async def readline(self): + while True: + try: + return self.lines.pop(0) + except IndexError: + if self.ended: + return None + else: + await asyncio.sleep(0.1) class Plugin(object): - def __init__(self): - self.name = None - self.slug = None - self.description = None - self.type = None - self.tags = ['default'] - self.priority = 1 - self.patterns = [] - self.match = None - self.manual_commands = {} - self.autorecon = None - self.disabled = False - - @final - def add_option(self, name, default=None, help=None): - self.autorecon.add_argument(self, name, metavar='VALUE', default=default, help=help) - - @final - def add_constant_option(self, name, const, default=None, help=None): - self.autorecon.add_argument(self, name, action='store_const', const=const, default=default, help=help) - - @final - def add_true_option(self, name, help=None): - self.autorecon.add_argument(self, name, action='store_true', help=help) - - @final - def add_false_option(self, name, help=None): - self.autorecon.add_argument(self, name, action='store_false', help=help) - - @final - def add_list_option(self, name, default=None, help=None): - self.autorecon.add_argument(self, name, action='append', metavar='VALUE', default=default, help=help) - - @final - def add_choice_option(self, name, choices, default=None, help=None): - if not isinstance(choices, list): - fail('The choices argument for ' + self.name + '\'s ' + name + ' choice option should be a list.') - self.autorecon.add_argument(self, name, choices=choices, default=default, help=help) - - @final - def get_option(self, name): - # TODO: make sure name is simple. - name = self.slug.replace('-', '_') + '.' + slugify(name).replace('-', '_') - - if name in vars(self.autorecon.args): - return vars(self.autorecon.args)[name] - else: - return None - - @final - def get_global_option(self, name): - name = 'global.' + slugify(name).replace('-', '_') - - if name in vars(self.autorecon.args): - return vars(self.autorecon.args)[name] - else: - return None - - @final - def get_global(self, name): - return self.get_global_option(name) - - @final - def add_manual_commands(self, description, commands): - if not isinstance(commands, list): - commands = [commands] - self.manual_commands[description] = commands - - @final - def add_manual_command(self, description, command): - self.add_manual_commands(description, command) - - @final - def add_pattern(self, pattern, description=None): - try: - compiled = re.compile(pattern) - if description: - self.patterns.append(Pattern(compiled, description=description)) - else: - self.patterns.append(Pattern(compiled)) - except re.error: - fail('Error: The pattern "' + pattern + '" in the plugin "' + self.name + '" is invalid regex.') + def __init__(self): + self.name = None + self.slug = None + self.description = None + self.tags = ['default'] + self.priority = 1 + self.patterns = [] + self.manual_commands = {} + self.autorecon = None + self.disabled = False + + @final + def add_option(self, name, default=None, help=None): + self.autorecon.add_argument(self, name, metavar='VALUE', default=default, help=help) + + @final + def add_constant_option(self, name, const, default=None, help=None): + self.autorecon.add_argument(self, name, action='store_const', const=const, default=default, help=help) + + @final + def add_true_option(self, name, help=None): + self.autorecon.add_argument(self, name, action='store_true', help=help) + + @final + def add_false_option(self, name, help=None): + self.autorecon.add_argument(self, name, action='store_false', help=help) + + @final + def add_list_option(self, name, default=None, help=None): + self.autorecon.add_argument(self, name, action='append', metavar='VALUE', default=default, help=help) + + @final + def add_choice_option(self, name, choices, default=None, help=None): + if not isinstance(choices, list): + fail('The choices argument for ' + self.name + '\'s ' + name + ' choice option should be a list.') + self.autorecon.add_argument(self, name, choices=choices, default=default, help=help) + + @final + def get_option(self, name): + # TODO: make sure name is simple. + name = self.slug.replace('-', '_') + '.' + slugify(name).replace('-', '_') + + if name in vars(self.autorecon.args): + return vars(self.autorecon.args)[name] + else: + return None + + @final + def get_global_option(self, name): + name = 'global.' + slugify(name).replace('-', '_') + + if name in vars(self.autorecon.args): + return vars(self.autorecon.args)[name] + else: + return None + + @final + def get_global(self, name): + return self.get_global_option(name) + + @final + def add_manual_commands(self, description, commands): + if not isinstance(commands, list): + commands = [commands] + self.manual_commands[description] = commands + + @final + def add_manual_command(self, description, command): + self.add_manual_commands(description, command) + + @final + def add_pattern(self, pattern, description=None): + try: + compiled = re.compile(pattern) + if description: + self.patterns.append(Pattern(compiled, description=description)) + else: + self.patterns.append(Pattern(compiled)) + except re.error: + fail('Error: The pattern "' + pattern + '" in the plugin "' + self.name + '" is invalid regex.') class PortScan(Plugin): - def __init__(self): - super().__init__() + def __init__(self): + super().__init__() - async def run(self, target): - raise NotImplementedError + async def run(self, target): + raise NotImplementedError class ServiceScan(Plugin): - def __init__(self): - super().__init__() - self.ports = {'tcp':[], 'udp':[]} - self.ignore_ports = {'tcp':[], 'udp':[]} - self.services = [] - self.ignore_services = [] - self.run_once_boolean = False - self.require_ssl_boolean = False - - @final - def add_port_match(self, protocol, port, negative_match=False): - protocol = protocol.lower() - if protocol not in ['tcp', 'udp']: - print('Invalid protocol.') - sys.exit(1) - else: - if not isinstance(port, list): - port = [port] - - port = list(map(int, port)) - - if negative_match: - self.ignore_ports[protocol] = list(set(self.ignore_ports[protocol] + port)) - else: - self.ports[protocol] = list(set(self.ports[protocol] + port)) - - @final - def add_service_match(self, regex, negative_match=False): - if not isinstance(regex, list): - regex = [regex] - - valid_regex = True - for r in regex: - try: - re.compile(r) - except re.error: - print('Invalid regex: ' + r) - valid_regex = False - - if valid_regex: - if negative_match: - self.ignore_services = list(set(self.ignore_services + regex)) - else: - self.services = list(set(self.services + regex)) - else: - sys.exit(1) - - @final - def require_ssl(self, boolean): - self.require_ssl_boolean = boolean - - @final - def run_once(self, boolean): - self.run_once_boolean = boolean + def __init__(self): + super().__init__() + self.ports = {'tcp':[], 'udp':[]} + self.ignore_ports = {'tcp':[], 'udp':[]} + self.service_names = [] + self.ignore_service_names = [] + self.run_once_boolean = False + self.require_ssl_boolean = False + + @final + def match_port(self, protocol, port, negative_match=False): + protocol = protocol.lower() + if protocol not in ['tcp', 'udp']: + print('Invalid protocol.') + sys.exit(1) + else: + if not isinstance(port, list): + port = [port] + + port = list(map(int, port)) + + if negative_match: + self.ignore_ports[protocol] = list(set(self.ignore_ports[protocol] + port)) + else: + self.ports[protocol] = list(set(self.ports[protocol] + port)) + + @final + def match_service_name(self, name, negative_match=False): + if not isinstance(name, list): + name = [name] + + valid_regex = True + for r in name: + try: + re.compile(r) + except re.error: + print('Invalid regex: ' + r) + valid_regex = False + + if valid_regex: + if negative_match: + self.ignore_service_names = list(set(self.ignore_service_names + name)) + else: + self.service_names = list(set(self.service_names + name)) + else: + sys.exit(1) + + @final + def require_ssl(self, boolean): + self.require_ssl_boolean = boolean + + @final + def run_once(self, boolean): + self.run_once_boolean = boolean class AutoRecon(object): - def __init__(self): - self.pending_targets = [] - self.scanning_targets = [] - self.plugins = {} - self.__slug_regex = re.compile('^[a-z0-9\-]+$') - self.plugin_types = {'port':[], 'service':[]} - self.port_scan_semaphore = None - self.service_scan_semaphore = None - self.argparse = None - self.argparse_group = None - self.args = None - self.tags = [] - self.excluded_tags = [] - self.patterns = [] - self.configurable_keys = ['max_scans', 'max_port_scans', 'single_target', 'outdir', 'only_scans_dir', 'heartbeat', 'timeout', 'target_timeout', 'accessible', 'verbose'] - self.config = { - 'protected_classes': ['autorecon', 'target', 'service', 'commandstreamreader', 'plugin', 'portscan', 'servicescan', 'global', 'pattern'], - 'global_file': os.path.dirname(os.path.realpath(__file__)) + '/global.toml', - 'max_scans': 50, - 'max_port_scans': None, - 'single_target': False, - 'outdir': 'results', - 'only_scans_dir': False, - 'heartbeat': 60, - 'timeout': None, - 'target_timeout': None, - 'accessible': False, - 'verbose': 0 - } - self.lock = asyncio.Lock() - self.load_slug = None - self.load_module = None - - def add_argument(self, plugin, name, **kwargs): - # TODO: make sure name is simple. - name = '--' + plugin.slug + '.' + slugify(name) - - if self.argparse_group is None: - self.argparse_group = self.argparse.add_argument_group('plugin arguments', description='These are optional arguments for certain plugins.') - self.argparse_group.add_argument(name, **kwargs) - - def extract_service(self, line, regex): - if regex is None: - regex = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' - match = re.search(regex, line) - if match: - protocol = match.group('protocol').lower() - port = int(match.group('port')) - service = match.group('service') - secure = True if 'ssl' in service or 'tls' in service else False - - if service.startswith('ssl/') or service.startswith('tls/'): - service = service[4:] - - from autorecon import Service - return Service(protocol, port, service, secure) - else: - return None - - async def extract_services(self, stream, regex): - if not isinstance(stream, CommandStreamReader): - print('Error: extract_services must be passed an instance of a CommandStreamReader.') - sys.exit(1) - - services = [] - while True: - line = await stream.readline() - if line is not None: - service = self.extract_service(line, regex) - if service: - services.append(service) - else: - break - return services - - def register(self, plugin): - if plugin.disabled: - return - - for _, loaded_plugin in self.plugins.items(): - if plugin.name == loaded_plugin.name: - fail('Error: Duplicate plugin name "' + plugin.name + '" detected.', file=sys.stderr) - - if plugin.slug is None: - plugin.slug = slugify(plugin.name) - elif not self.__slug_regex.match(plugin.slug): - fail('Error: provided slug "' + plugin.slug + '" is not valid (must only contain lowercase letters, numbers, and hyphens).', file=sys.stderr) - - if plugin.slug in self.config['protected_classes']: - fail('Error: plugin slug "' + plugin.slug + '" is a protected string. Please change.') - - if plugin.slug not in self.plugins: - - for _, loaded_plugin in self.plugins.items(): - if plugin is loaded_plugin: - fail('Error: plugin "' + plugin.name + '" already loaded as "' + loaded_plugin.name + '" (' + str(loaded_plugin) + ')', file=sys.stderr) - - if plugin.description is None: - plugin.description = '' - - configure_function_found = False - run_coroutine_found = False - manual_function_found = False - - for member_name, member_value in inspect.getmembers(plugin, predicate=inspect.ismethod): - if member_name == 'configure': - configure_function_found = True - elif member_name == 'run' and inspect.iscoroutinefunction(member_value): - run_coroutine_found = True - elif member_name == 'manual': - manual_function_found = True - - if not run_coroutine_found and not manual_function_found: - fail('Error: the plugin "' + plugin.name + '" needs either a "manual" function, a "run" coroutine, or both.', file=sys.stderr) - - from autorecon import PortScan, ServiceScan - if issubclass(plugin.__class__, PortScan): - self.plugin_types["port"].append(plugin) - elif issubclass(plugin.__class__, ServiceScan): - self.plugin_types["service"].append(plugin) - else: - fail('Plugin "' + plugin.name + '" is neither a PortScan nor a ServiceScan.', file=sys.stderr) - - plugin.tags = [tag.lower() for tag in plugin.tags] - - plugin.autorecon = self - if configure_function_found: - plugin.configure() - self.plugins[plugin.slug] = plugin - else: - fail('Error: plugin slug "' + plugin.slug + '" is already assigned.', file=sys.stderr) - - async def execute(self, cmd, target, tag, patterns=None, outfile=None, errfile=None): - if patterns: - combined_patterns = self.patterns + patterns - else: - combined_patterns = self.patterns - - process = await asyncio.create_subprocess_shell( - cmd, - stdout=asyncio.subprocess.PIPE, - stderr=asyncio.subprocess.PIPE, - executable='/bin/bash') - - cout = CommandStreamReader(process.stdout, target, tag, patterns=combined_patterns, outfile=outfile) - cerr = CommandStreamReader(process.stderr, target, tag, patterns=combined_patterns, outfile=errfile) - - asyncio.create_task(cout._read()) - asyncio.create_task(cerr._read()) - - return process, cout, cerr + def __init__(self): + self.pending_targets = [] + self.scanning_targets = [] + self.plugins = {} + self.__slug_regex = re.compile('^[a-z0-9\-]+$') + self.plugin_types = {'port':[], 'service':[]} + self.port_scan_semaphore = None + self.service_scan_semaphore = None + self.argparse = None + self.argparse_group = None + self.args = None + self.tags = [] + self.excluded_tags = [] + self.patterns = [] + self.configurable_keys = ['max_scans', 'max_port_scans', 'single_target', 'outdir', 'only_scans_dir', 'heartbeat', 'timeout', 'target_timeout', 'accessible', 'verbose'] + self.config = { + 'protected_classes': ['autorecon', 'target', 'service', 'commandstreamreader', 'plugin', 'portscan', 'servicescan', 'global', 'pattern'], + 'global_file': os.path.dirname(os.path.realpath(__file__)) + '/global.toml', + 'max_scans': 50, + 'max_port_scans': None, + 'single_target': False, + 'outdir': 'results', + 'only_scans_dir': False, + 'heartbeat': 60, + 'timeout': None, + 'target_timeout': None, + 'accessible': False, + 'verbose': 0 + } + self.lock = asyncio.Lock() + self.load_slug = None + self.load_module = None + + def add_argument(self, plugin, name, **kwargs): + # TODO: make sure name is simple. + name = '--' + plugin.slug + '.' + slugify(name) + + if self.argparse_group is None: + self.argparse_group = self.argparse.add_argument_group('plugin arguments', description='These are optional arguments for certain plugins.') + self.argparse_group.add_argument(name, **kwargs) + + def extract_service(self, line, regex): + if regex is None: + regex = '^(?P\d+)\/(?P(tcp|udp))(.*)open(\s*)(?P[\w\-\/]+)(\s*)(.*)$' + match = re.search(regex, line) + if match: + protocol = match.group('protocol').lower() + port = int(match.group('port')) + service = match.group('service') + secure = True if 'ssl' in service or 'tls' in service else False + + if service.startswith('ssl/') or service.startswith('tls/'): + service = service[4:] + + from autorecon import Service + return Service(protocol, port, service, secure) + else: + return None + + async def extract_services(self, stream, regex): + if not isinstance(stream, CommandStreamReader): + print('Error: extract_services must be passed an instance of a CommandStreamReader.') + sys.exit(1) + + services = [] + while True: + line = await stream.readline() + if line is not None: + service = self.extract_service(line, regex) + if service: + services.append(service) + else: + break + return services + + def register(self, plugin): + if plugin.disabled: + return + + for _, loaded_plugin in self.plugins.items(): + if plugin.name == loaded_plugin.name: + fail('Error: Duplicate plugin name "' + plugin.name + '" detected.', file=sys.stderr) + + if plugin.slug is None: + plugin.slug = slugify(plugin.name) + elif not self.__slug_regex.match(plugin.slug): + fail('Error: provided slug "' + plugin.slug + '" is not valid (must only contain lowercase letters, numbers, and hyphens).', file=sys.stderr) + + if plugin.slug in self.config['protected_classes']: + fail('Error: plugin slug "' + plugin.slug + '" is a protected string. Please change.') + + if plugin.slug not in self.plugins: + + for _, loaded_plugin in self.plugins.items(): + if plugin is loaded_plugin: + fail('Error: plugin "' + plugin.name + '" already loaded as "' + loaded_plugin.name + '" (' + str(loaded_plugin) + ')', file=sys.stderr) + + if plugin.description is None: + plugin.description = '' + + configure_function_found = False + run_coroutine_found = False + manual_function_found = False + + for member_name, member_value in inspect.getmembers(plugin, predicate=inspect.ismethod): + if member_name == 'configure': + configure_function_found = True + elif member_name == 'run' and inspect.iscoroutinefunction(member_value): + run_coroutine_found = True + elif member_name == 'manual': + manual_function_found = True + + if not run_coroutine_found and not manual_function_found: + fail('Error: the plugin "' + plugin.name + '" needs either a "manual" function, a "run" coroutine, or both.', file=sys.stderr) + + from autorecon import PortScan, ServiceScan + if issubclass(plugin.__class__, PortScan): + self.plugin_types["port"].append(plugin) + elif issubclass(plugin.__class__, ServiceScan): + self.plugin_types["service"].append(plugin) + else: + fail('Plugin "' + plugin.name + '" is neither a PortScan nor a ServiceScan.', file=sys.stderr) + + plugin.tags = [tag.lower() for tag in plugin.tags] + + plugin.autorecon = self + if configure_function_found: + plugin.configure() + self.plugins[plugin.slug] = plugin + else: + fail('Error: plugin slug "' + plugin.slug + '" is already assigned.', file=sys.stderr) + + async def execute(self, cmd, target, tag, patterns=None, outfile=None, errfile=None): + if patterns: + combined_patterns = self.patterns + patterns + else: + combined_patterns = self.patterns + + process = await asyncio.create_subprocess_shell( + cmd, + stdout=asyncio.subprocess.PIPE, + stderr=asyncio.subprocess.PIPE, + executable='/bin/bash') + + cout = CommandStreamReader(process.stdout, target, tag, patterns=combined_patterns, outfile=outfile) + cerr = CommandStreamReader(process.stderr, target, tag, patterns=combined_patterns, outfile=errfile) + + asyncio.create_task(cout._read()) + asyncio.create_task(cerr._read()) + + return process, cout, cerr # Since this file is run as the main method and also imported by plugins, # we need to make sure that only one instance of the AutoRecon is # created. This cannot be done with Singletons unfortunately, which is # why this hack is here. if 'autorecon' not in sys.modules: # If this file is not yet imported, create the AutoRecon object - autorecon = AutoRecon() + autorecon = AutoRecon() else: # Otherwise, assign it from the __main__ module. - autorecon = sys.modules['__main__'].autorecon + autorecon = sys.modules['__main__'].autorecon def e(*args, frame_index=1, **kvargs): - frame = sys._getframe(frame_index) + frame = sys._getframe(frame_index) - vals = {} + vals = {} - vals.update(frame.f_globals) - vals.update(frame.f_locals) - vals.update(kvargs) + vals.update(frame.f_globals) + vals.update(frame.f_locals) + vals.update(kvargs) - return string.Formatter().vformat(' '.join(args), args, vals) + return string.Formatter().vformat(' '.join(args), args, vals) def cprint(*args, color=Fore.RESET, char='*', sep=' ', end='\n', frame_index=1, file=sys.stdout, printmsg=True, **kvargs): - frame = sys._getframe(frame_index) - - vals = { - 'bgreen': Fore.GREEN + Style.BRIGHT, - 'bred': Fore.RED + Style.BRIGHT, - 'bblue': Fore.BLUE + Style.BRIGHT, - 'byellow': Fore.YELLOW + Style.BRIGHT, - 'bmagenta': Fore.MAGENTA + Style.BRIGHT, - - 'green': Fore.GREEN, - 'red': Fore.RED, - 'blue': Fore.BLUE, - 'yellow': Fore.YELLOW, - 'magenta': Fore.MAGENTA, - - 'bright': Style.BRIGHT, - 'srst': Style.NORMAL, - 'crst': Fore.RESET, - 'rst': Style.NORMAL + Fore.RESET - } - - if autorecon.config['accessible']: - vals = {'bgreen':'', 'bred':'', 'bblue':'', 'byellow':'', 'bmagenta':'', 'green':'', 'red':'', 'blue':'', 'yellow':'', 'magenta':'', 'bright':'', 'srst':'', 'crst':'', 'rst':''} - - vals.update(frame.f_globals) - vals.update(frame.f_locals) - vals.update(kvargs) - - unfmt = '' - if char is not None and not autorecon.config['accessible']: - unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + sep - unfmt += sep.join(args) - - fmted = unfmt - - for attempt in range(10): - try: - fmted = string.Formatter().vformat(unfmt, args, vals) - break - except KeyError as err: - key = err.args[0] - unfmt = unfmt.replace('{' + key + '}', '{{' + key + '}}') - - if printmsg: - print(fmted, sep=sep, end=end, file=file) - else: - return fmted + frame = sys._getframe(frame_index) + + vals = { + 'bgreen': Fore.GREEN + Style.BRIGHT, + 'bred': Fore.RED + Style.BRIGHT, + 'bblue': Fore.BLUE + Style.BRIGHT, + 'byellow': Fore.YELLOW + Style.BRIGHT, + 'bmagenta': Fore.MAGENTA + Style.BRIGHT, + + 'green': Fore.GREEN, + 'red': Fore.RED, + 'blue': Fore.BLUE, + 'yellow': Fore.YELLOW, + 'magenta': Fore.MAGENTA, + + 'bright': Style.BRIGHT, + 'srst': Style.NORMAL, + 'crst': Fore.RESET, + 'rst': Style.NORMAL + Fore.RESET + } + + if autorecon.config['accessible']: + vals = {'bgreen':'', 'bred':'', 'bblue':'', 'byellow':'', 'bmagenta':'', 'green':'', 'red':'', 'blue':'', 'yellow':'', 'magenta':'', 'bright':'', 'srst':'', 'crst':'', 'rst':''} + + vals.update(frame.f_globals) + vals.update(frame.f_locals) + vals.update(kvargs) + + unfmt = '' + if char is not None and not autorecon.config['accessible']: + unfmt += color + '[' + Style.BRIGHT + char + Style.NORMAL + ']' + Fore.RESET + sep + unfmt += sep.join(args) + + fmted = unfmt + + for attempt in range(10): + try: + fmted = string.Formatter().vformat(unfmt, args, vals) + break + except KeyError as err: + key = err.args[0] + unfmt = unfmt.replace('{' + key + '}', '{{' + key + '}}') + + if printmsg: + print(fmted, sep=sep, end=end, file=file) + else: + return fmted def debug(*args, color=Fore.GREEN, sep=' ', end='\n', file=sys.stdout, **kvargs): - if verbose >= 2: - if autorecon.config['accessible']: - args = ('Debug:',) + args - cprint(*args, color=color, char='-', sep=sep, end=end, file=file, frame_index=2, **kvargs) + if verbose >= 2: + if autorecon.config['accessible']: + args = ('Debug:',) + args + cprint(*args, color=color, char='-', sep=sep, end=end, file=file, frame_index=2, **kvargs) def info(*args, sep=' ', end='\n', file=sys.stdout, **kvargs): - cprint(*args, color=Fore.BLUE, char='*', sep=sep, end=end, file=file, frame_index=2, **kvargs) + cprint(*args, color=Fore.BLUE, char='*', sep=sep, end=end, file=file, frame_index=2, **kvargs) def warn(*args, sep=' ', end='\n', file=sys.stderr,**kvargs): - if autorecon.config['accessible']: - args = ('Warning:',) + args - cprint(*args, color=Fore.YELLOW, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) + if autorecon.config['accessible']: + args = ('Warning:',) + args + cprint(*args, color=Fore.YELLOW, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) def error(*args, sep=' ', end='\n', file=sys.stderr, **kvargs): - if autorecon.config['accessible']: - args = ('Error:',) + args - cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) + if autorecon.config['accessible']: + args = ('Error:',) + args + cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) def fail(*args, sep=' ', end='\n', file=sys.stderr, **kvargs): - if autorecon.config['accessible']: - args = ('Failure:',) + args - cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) - exit(-1) + if autorecon.config['accessible']: + args = ('Failure:',) + args + cprint(*args, color=Fore.RED, char='!', sep=sep, end=end, file=file, frame_index=2, **kvargs) + exit(-1) def calculate_elapsed_time(start_time): - elapsed_seconds = round(time.time() - start_time) + elapsed_seconds = round(time.time() - start_time) - m, s = divmod(elapsed_seconds, 60) - h, m = divmod(m, 60) + m, s = divmod(elapsed_seconds, 60) + h, m = divmod(m, 60) - elapsed_time = [] - if h == 1: - elapsed_time.append(str(h) + ' hour') - elif h > 1: - elapsed_time.append(str(h) + ' hours') + elapsed_time = [] + if h == 1: + elapsed_time.append(str(h) + ' hour') + elif h > 1: + elapsed_time.append(str(h) + ' hours') - if m == 1: - elapsed_time.append(str(m) + ' minute') - elif m > 1: - elapsed_time.append(str(m) + ' minutes') + if m == 1: + elapsed_time.append(str(m) + ' minute') + elif m > 1: + elapsed_time.append(str(m) + ' minutes') - if s == 1: - elapsed_time.append(str(s) + ' second') - elif s > 1: - elapsed_time.append(str(s) + ' seconds') - else: - elapsed_time.append('less than a second') + if s == 1: + elapsed_time.append(str(s) + ' second') + elif s > 1: + elapsed_time.append(str(s) + ' seconds') + else: + elapsed_time.append('less than a second') - return ', '.join(elapsed_time) + return ', '.join(elapsed_time) def slugify(name): - return re.sub(r'[\W_]+', '-', unidecode.unidecode(name).lower()).strip('-') + return re.sub(r'[\W_]+', '-', unidecode.unidecode(name).lower()).strip('-') def cancel_all_tasks(signal, frame): - for task in asyncio.all_tasks(): - task.cancel() + for task in asyncio.all_tasks(): + task.cancel() - for target in autorecon.scanning_targets: - for process_list in target.running_tasks.values(): - for process_dict in process_list['processes']: - try: - process_dict['process'].kill() - except ProcessLookupError: # Will get raised if the process finishes before we get to killing it. - pass + for target in autorecon.scanning_targets: + for process_list in target.running_tasks.values(): + for process_dict in process_list['processes']: + try: + process_dict['process'].kill() + except ProcessLookupError: # Will get raised if the process finishes before we get to killing it. + pass async def start_heartbeat(target, period=60): - while True: - await asyncio.sleep(period) - async with target.lock: - count = len(target.running_tasks) + while True: + await asyncio.sleep(period) + async with target.lock: + count = len(target.running_tasks) - tasks_list = '' - if target.autorecon.config['verbose'] >= 1: - tasks_list = ': {bblue}' + ', '.join(target.running_tasks.keys()) + '{rst}' + tasks_list = '' + if target.autorecon.config['verbose'] >= 1: + tasks_list = ': {bblue}' + ', '.join(target.running_tasks.keys()) + '{rst}' - current_time = datetime.now().strftime('%H:%M:%S') + current_time = datetime.now().strftime('%H:%M:%S') - if count > 1: - info('{bgreen}' + current_time + '{rst} - There are {byellow}' + str(count) + '{rst} scans still running against {byellow}' + target.address + '{rst}' + tasks_list) - elif count == 1: - info('{bgreen}' + current_time + '{rst} - There is {byellow}1{rst} scan still running against {byellow}' + target.address + '{rst}' + tasks_list) + if count > 1: + info('{bgreen}' + current_time + '{rst} - There are {byellow}' + str(count) + '{rst} scans still running against {byellow}' + target.address + '{rst}' + tasks_list) + elif count == 1: + info('{bgreen}' + current_time + '{rst} - There is {byellow}1{rst} scan still running against {byellow}' + target.address + '{rst}' + tasks_list) async def port_scan(plugin, target): - async with target.autorecon.port_scan_semaphore: - info('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} running against {byellow}' + target.address + '{rst}') - - async with target.lock: - target.running_tasks[plugin.slug] = {'plugin': plugin, 'processes':[]} - - start_time = time.time() - try: - result = await plugin.run(target) - except Exception as ex: - exc_type, exc_value, exc_tb = sys.exc_info() - error_text = ''.join(traceback.format_exception(exc_type, exc_value, exc_tb)[-2:]) - raise Exception(cprint('Error: Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} running against {byellow}' + target.address + '{rst} produced an exception:\n\n' + error_text, color=Fore.RED, char='!', printmsg=False)) - - for process_dict in target.running_tasks[plugin.slug]['processes']: - if process_dict['process'].returncode is None: - warn('A process was left running after port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} against {byellow}' + target.address + '{rst} finished. Please ensure non-blocking processes are awaited before the run coroutine finishes. Awaiting now.') - await process_dict['process'].wait() - - if process_dict['process'].returncode != 0: - errors = [] - while True: - line = await process_dict['stderr'].readline() - if line is not None: - errors.append(line + '\n') - else: - break - error('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} ran a command against {byellow}' + target.address + '{rst} which returned a non-zero exit code (' + str(process_dict['process'].returncode) + '). Check ' + target.scandir + '/_errors.log for more details.') - async with target.lock: - with open(os.path.join(target.scandir, '_errors.log'), 'a') as file: - file.writelines('[*] Port scan ' + plugin.name + ' (' + plugin.slug + ') ran a command which returned a non-zero exit code (' + str(process_dict['process'].returncode) + ').\n') - file.writelines('[-] Command: ' + process_dict['cmd'] + '\n') - if errors: - file.writelines(['[-] Error Output:\n'] + errors + ['\n']) - else: - file.writelines('\n') - - elapsed_time = calculate_elapsed_time(start_time) - - async with target.lock: - target.running_tasks.pop(plugin.slug, None) - - info('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} against {byellow}' + target.address + '{rst} finished in ' + elapsed_time) - return {'type':'port', 'plugin':plugin, 'result':result} + async with target.autorecon.port_scan_semaphore: + info('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} running against {byellow}' + target.address + '{rst}') + + async with target.lock: + target.running_tasks[plugin.slug] = {'plugin': plugin, 'processes':[]} + + start_time = time.time() + try: + result = await plugin.run(target) + except Exception as ex: + exc_type, exc_value, exc_tb = sys.exc_info() + error_text = ''.join(traceback.format_exception(exc_type, exc_value, exc_tb)[-2:]) + raise Exception(cprint('Error: Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} running against {byellow}' + target.address + '{rst} produced an exception:\n\n' + error_text, color=Fore.RED, char='!', printmsg=False)) + + for process_dict in target.running_tasks[plugin.slug]['processes']: + if process_dict['process'].returncode is None: + warn('A process was left running after port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} against {byellow}' + target.address + '{rst} finished. Please ensure non-blocking processes are awaited before the run coroutine finishes. Awaiting now.') + await process_dict['process'].wait() + + if process_dict['process'].returncode != 0: + errors = [] + while True: + line = await process_dict['stderr'].readline() + if line is not None: + errors.append(line + '\n') + else: + break + error('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} ran a command against {byellow}' + target.address + '{rst} which returned a non-zero exit code (' + str(process_dict['process'].returncode) + '). Check ' + target.scandir + '/_errors.log for more details.') + async with target.lock: + with open(os.path.join(target.scandir, '_errors.log'), 'a') as file: + file.writelines('[*] Port scan ' + plugin.name + ' (' + plugin.slug + ') ran a command which returned a non-zero exit code (' + str(process_dict['process'].returncode) + ').\n') + file.writelines('[-] Command: ' + process_dict['cmd'] + '\n') + if errors: + file.writelines(['[-] Error Output:\n'] + errors + ['\n']) + else: + file.writelines('\n') + + elapsed_time = calculate_elapsed_time(start_time) + + async with target.lock: + target.running_tasks.pop(plugin.slug, None) + + info('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} against {byellow}' + target.address + '{rst} finished in ' + elapsed_time) + return {'type':'port', 'plugin':plugin, 'result':result} async def service_scan(plugin, service): - from autorecon import PortScan - semaphore = service.target.autorecon.service_scan_semaphore - - # If service scan semaphore is locked, see if we can use port scan semaphore. - while True: - if semaphore.locked(): - if semaphore != service.target.autorecon.port_scan_semaphore: # This will be true unless user sets max_scans == max_port_scans - - port_scan_task_count = 0 - for targ in service.target.autorecon.scanning_targets: - for process_list in targ.running_tasks.values(): - if issubclass(process_list['plugin'].__class__, PortScan): - port_scan_task_count += 1 - - if not service.target.autorecon.pending_targets and (service.target.autorecon.config['max_port_scans'] - port_scan_task_count) >= 1: # If no more targets, and we have room, use port scan semaphore. - if service.target.autorecon.port_scan_semaphore.locked(): - await asyncio.sleep(1) - continue - semaphore = service.target.autorecon.port_scan_semaphore - break - else: # Do some math to see if we can use the port scan semaphore. - if (service.target.autorecon.config['max_port_scans'] - (port_scan_task_count + (len(service.target.autorecon.pending_targets) * service.target.autorecon.config['port_scan_plugin_count']))) >= 1: - if service.target.autorecon.port_scan_semaphore.locked(): - await asyncio.sleep(1) - continue - semaphore = service.target.autorecon.port_scan_semaphore - break - else: - await asyncio.sleep(1) - else: - break - else: - break - - async with semaphore: - tag = service.tag() + '/' + plugin.slug - info('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} running against {byellow}' + service.target.address + '{rst}') - - async with service.target.lock: - service.target.running_tasks[tag] = {'plugin': plugin, 'processes':[]} - - start_time = time.time() - try: - result = await plugin.run(service) - except Exception as ex: - exc_type, exc_value, exc_tb = sys.exc_info() - error_text = ''.join(traceback.format_exception(exc_type, exc_value, exc_tb)[-2:]) - raise Exception(cprint('Error: Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} running against {byellow}' + service.target.address + '{rst} produced an exception:\n\n' + error_text, color=Fore.RED, char='!', printmsg=False)) - - for process_dict in service.target.running_tasks[tag]['processes']: - if process_dict['process'].returncode is None: - warn('A process was left running after service scan {bblue}' + plugin.name + ' (' + tag + '){rst} against {byellow}' + service.target.address + '{rst} finished. Please ensure non-blocking processes are awaited before the run coroutine finishes. Awaiting now.') - await process_dict['process'].wait() - - if process_dict['process'].returncode != 0: - errors = [] - while True: - line = await process_dict['stderr'].readline() - if line is not None: - errors.append(line + '\n') - else: - break - error('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} ran a command against {byellow}' + service.target.address + '{rst} which returned a non-zero exit code (' + str(process_dict['process'].returncode) + '). Check ' + service.target.scandir + '/_errors.log for more details.') - async with service.target.lock: - with open(os.path.join(service.target.scandir, '_errors.log'), 'a') as file: - file.writelines('[*] Service scan ' + plugin.name + ' (' + tag + ') ran a command which returned a non-zero exit code (' + str(process_dict['process'].returncode) + ').\n') - file.writelines('[-] Command: ' + process_dict['cmd'] + '\n') - if errors: - file.writelines(['[-] Error Output:\n'] + errors + ['\n']) - else: - file.writelines('\n') - - elapsed_time = calculate_elapsed_time(start_time) - - async with service.target.lock: - service.target.running_tasks.pop(tag, None) - - info('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} against {byellow}' + service.target.address + '{rst} finished in ' + elapsed_time) - return {'type':'service', 'plugin':plugin, 'result':result} + from autorecon import PortScan + semaphore = service.target.autorecon.service_scan_semaphore + + # If service scan semaphore is locked, see if we can use port scan semaphore. + while True: + if semaphore.locked(): + if semaphore != service.target.autorecon.port_scan_semaphore: # This will be true unless user sets max_scans == max_port_scans + + port_scan_task_count = 0 + for targ in service.target.autorecon.scanning_targets: + for process_list in targ.running_tasks.values(): + if issubclass(process_list['plugin'].__class__, PortScan): + port_scan_task_count += 1 + + if not service.target.autorecon.pending_targets and (service.target.autorecon.config['max_port_scans'] - port_scan_task_count) >= 1: # If no more targets, and we have room, use port scan semaphore. + if service.target.autorecon.port_scan_semaphore.locked(): + await asyncio.sleep(1) + continue + semaphore = service.target.autorecon.port_scan_semaphore + break + else: # Do some math to see if we can use the port scan semaphore. + if (service.target.autorecon.config['max_port_scans'] - (port_scan_task_count + (len(service.target.autorecon.pending_targets) * service.target.autorecon.config['port_scan_plugin_count']))) >= 1: + if service.target.autorecon.port_scan_semaphore.locked(): + await asyncio.sleep(1) + continue + semaphore = service.target.autorecon.port_scan_semaphore + break + else: + await asyncio.sleep(1) + else: + break + else: + break + + async with semaphore: + tag = service.tag() + '/' + plugin.slug + info('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} running against {byellow}' + service.target.address + '{rst}') + + async with service.target.lock: + service.target.running_tasks[tag] = {'plugin': plugin, 'processes':[]} + + start_time = time.time() + try: + result = await plugin.run(service) + except Exception as ex: + exc_type, exc_value, exc_tb = sys.exc_info() + error_text = ''.join(traceback.format_exception(exc_type, exc_value, exc_tb)[-2:]) + raise Exception(cprint('Error: Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} running against {byellow}' + service.target.address + '{rst} produced an exception:\n\n' + error_text, color=Fore.RED, char='!', printmsg=False)) + + for process_dict in service.target.running_tasks[tag]['processes']: + if process_dict['process'].returncode is None: + warn('A process was left running after service scan {bblue}' + plugin.name + ' (' + tag + '){rst} against {byellow}' + service.target.address + '{rst} finished. Please ensure non-blocking processes are awaited before the run coroutine finishes. Awaiting now.') + await process_dict['process'].wait() + + if process_dict['process'].returncode != 0: + errors = [] + while True: + line = await process_dict['stderr'].readline() + if line is not None: + errors.append(line + '\n') + else: + break + error('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} ran a command against {byellow}' + service.target.address + '{rst} which returned a non-zero exit code (' + str(process_dict['process'].returncode) + '). Check ' + service.target.scandir + '/_errors.log for more details.') + async with service.target.lock: + with open(os.path.join(service.target.scandir, '_errors.log'), 'a') as file: + file.writelines('[*] Service scan ' + plugin.name + ' (' + tag + ') ran a command which returned a non-zero exit code (' + str(process_dict['process'].returncode) + ').\n') + file.writelines('[-] Command: ' + process_dict['cmd'] + '\n') + if errors: + file.writelines(['[-] Error Output:\n'] + errors + ['\n']) + else: + file.writelines('\n') + + elapsed_time = calculate_elapsed_time(start_time) + + async with service.target.lock: + service.target.running_tasks.pop(tag, None) + + info('Service scan {bblue}' + plugin.name + ' (' + tag + '){rst} against {byellow}' + service.target.address + '{rst} finished in ' + elapsed_time) + return {'type':'service', 'plugin':plugin, 'result':result} async def scan_target(target): - if target.autorecon.config['single_target']: - basedir = os.path.abspath(target.autorecon.config['outdir']) - else: - basedir = os.path.abspath(os.path.join(target.autorecon.config['outdir'], target.address)) - target.basedir = basedir - os.makedirs(basedir, exist_ok=True) + if target.autorecon.config['single_target']: + basedir = os.path.abspath(target.autorecon.config['outdir']) + else: + basedir = os.path.abspath(os.path.join(target.autorecon.config['outdir'], target.address)) + target.basedir = basedir + os.makedirs(basedir, exist_ok=True) - if not target.autorecon.config['only_scans_dir']: - exploitdir = os.path.abspath(os.path.join(basedir, 'exploit')) - os.makedirs(exploitdir, exist_ok=True) + if not target.autorecon.config['only_scans_dir']: + exploitdir = os.path.abspath(os.path.join(basedir, 'exploit')) + os.makedirs(exploitdir, exist_ok=True) - lootdir = os.path.abspath(os.path.join(basedir, 'loot')) - os.makedirs(lootdir, exist_ok=True) + lootdir = os.path.abspath(os.path.join(basedir, 'loot')) + os.makedirs(lootdir, exist_ok=True) - reportdir = os.path.abspath(os.path.join(basedir, 'report')) - target.reportdir = reportdir - os.makedirs(reportdir, exist_ok=True) + reportdir = os.path.abspath(os.path.join(basedir, 'report')) + target.reportdir = reportdir + os.makedirs(reportdir, exist_ok=True) - open(os.path.abspath(os.path.join(reportdir, 'local.txt')), 'a').close() - open(os.path.abspath(os.path.join(reportdir, 'proof.txt')), 'a').close() + open(os.path.abspath(os.path.join(reportdir, 'local.txt')), 'a').close() + open(os.path.abspath(os.path.join(reportdir, 'proof.txt')), 'a').close() - screenshotdir = os.path.abspath(os.path.join(reportdir, 'screenshots')) - os.makedirs(screenshotdir, exist_ok=True) + screenshotdir = os.path.abspath(os.path.join(reportdir, 'screenshots')) + os.makedirs(screenshotdir, exist_ok=True) - scandir = os.path.abspath(os.path.join(basedir, 'scans')) - target.scandir = scandir - os.makedirs(scandir, exist_ok=True) - - os.makedirs(os.path.abspath(os.path.join(scandir, 'xml')), exist_ok=True) + scandir = os.path.abspath(os.path.join(basedir, 'scans')) + target.scandir = scandir + os.makedirs(scandir, exist_ok=True) + + os.makedirs(os.path.abspath(os.path.join(scandir, 'xml')), exist_ok=True) - pending = [] - - heartbeat = asyncio.create_task(start_heartbeat(target, period=target.autorecon.config['heartbeat'])) - - for plugin in target.autorecon.plugin_types['port']: - plugin_tag_set = set(plugin.tags) - - matching_tags = False - for tag_group in target.autorecon.tags: - if set(tag_group).issubset(plugin_tag_set): - matching_tags = True - break - - excluded_tags = False - for tag_group in target.autorecon.excluded_tags: - if set(tag_group).issubset(plugin_tag_set): - excluded_tags = True - break - - if matching_tags and not excluded_tags: - pending.append(asyncio.create_task(port_scan(plugin, target))) - - async with autorecon.lock: - autorecon.scanning_targets.append(target) - - start_time = time.time() - info('Scanning target {byellow}' + target.address + '{rst}') - - timed_out = False - while pending: - done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED, timeout=1) - - # Check if global timeout has occurred. - if autorecon.config['target_timeout'] is not None: - elapsed_seconds = round(time.time() - start_time) - m, s = divmod(elapsed_seconds, 60) - if m >= autorecon.config['target_timeout']: - timed_out = True - break - - # Extract Services - services = [] - async with target.lock: - while target.pending_services: - services.append(target.pending_services.pop(0)) - - for task in done: - try: - if task.exception(): - print(task.exception()) - continue - except asyncio.InvalidStateError: - pass - - if task.result()['type'] == 'port': - for service in (task.result()['result'] or []): - services.append(service) - - for service in services: - if service.full_tag() not in target.services: - target.services.append(service.full_tag()) - else: - continue - - info('Found {bmagenta}' + service.name + '{rst} on {bmagenta}' + service.protocol + '/' + str(service.port) + '{rst} on {byellow}' + target.address + '{rst}') - - service.target = target - - # Create variables for command references. - address = target.address - scandir = target.scandir - protocol = service.protocol - port = service.port - - # Special cases for HTTP. - http_scheme = 'https' if 'https' in service.name or service.secure is True else 'http' - - nmap_extra = target.autorecon.args.nmap - if target.autorecon.args.nmap_append: - nmap_extra += ' ' + target.autorecon.args.nmap_append - - if protocol == 'udp': - nmap_extra += ' -sU' - - matching_plugins = [] - heading = False - - for plugin in target.autorecon.plugin_types['service']: - plugin_tag = service.tag() + '/' + plugin.slug - - for s in plugin.services: - if re.search(s, service.name): - plugin_tag_set = set(plugin.tags) - - matching_tags = False - for tag_group in target.autorecon.tags: - if set(tag_group).issubset(plugin_tag_set): - matching_tags = True - break - - excluded_tags = False - for tag_group in target.autorecon.excluded_tags: - if set(tag_group).issubset(plugin_tag_set): - excluded_tags = True - break - - # TODO: Maybe make this less messy, keep manual-only plugins separate? - plugin_is_runnable = False - for member_name, _ in inspect.getmembers(plugin, predicate=inspect.ismethod): - if member_name == 'run': - plugin_is_runnable = True - break - - if plugin_is_runnable and matching_tags and not excluded_tags: - # Skip plugin if run_once_boolean and plugin already in target scans - if plugin.run_once_boolean and (plugin.slug,) in target.scans: - warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin should only be run once and it appears to have already been queued. Skipping.{rst}') - continue - - # Skip plugin if require_ssl_boolean and port is not secure - if plugin.require_ssl_boolean and not service.secure: - continue - - # Skip plugin if service port is in ignore_ports: - if port in plugin.ignore_ports[protocol]: - warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin cannot be run against ' + protocol + ' port ' + str(port) + '. Skipping.{rst}') - continue - - # Skip plugin if plugin has required ports and service port is not in them: - if plugin.ports[protocol] and port not in plugin.ports[protocol]: - warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin can only run on specific ports. Skipping.{rst}') - continue - - for i in plugin.ignore_services: - if re.search(i, service.name): - warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin cannot be run against this service. Skipping.{rst}') - continue - - # TODO: check if plugin matches tags, BUT run manual commands anyway! - matching_plugins.append(plugin) - - if plugin.manual_commands and (not plugin.run_once_boolean or (plugin.run_once_boolean and (plugin.slug,) not in target.scans)): - with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file: - if not heading: - file.write(e('[*] {service.name} on {service.protocol}/{service.port}\n\n')) - heading = True - for description, commands in plugin.manual_commands.items(): - file.write('\t[-] ' + e(description) + '\n\n') - for command in commands: - file.write('\t\t' + e(command) + '\n\n') - file.flush() - - break - - for plugin in matching_plugins: - plugin_tag = service.tag() + '/' + plugin.slug - - scan_tuple = (service.protocol, service.port, service.name, plugin.slug) - if plugin.run_once_boolean: - scan_tuple = (plugin.slug,) - - if scan_tuple in target.scans: - warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin appears to have already been queued, but it is not marked as run_once. Possible duplicate service tag? Skipping.{rst}') - continue - else: - target.scans.append(scan_tuple) - - pending.add(asyncio.create_task(service_scan(plugin, service))) - heartbeat.cancel() - elapsed_time = calculate_elapsed_time(start_time) - - if timed_out: - - for task in pending: - task.cancel() - - for process_list in target.running_tasks.values(): - for process_dict in process_list['processes']: - process_dict['process'].kill() - - warn('{byellow}Scanning target ' + target.address + ' took longer than the specified target period (' + str(autorecon.config['target_timeout']) + ' min). Cancelling scans and moving to next target.{rst}') - else: - info('Finished scanning target {byellow}' + target.address + '{rst} in ' + elapsed_time) - - async with autorecon.lock: - autorecon.scanning_targets.remove(target) + pending = [] + + heartbeat = asyncio.create_task(start_heartbeat(target, period=target.autorecon.config['heartbeat'])) + + for plugin in target.autorecon.plugin_types['port']: + plugin_tag_set = set(plugin.tags) + + matching_tags = False + for tag_group in target.autorecon.tags: + if set(tag_group).issubset(plugin_tag_set): + matching_tags = True + break + + excluded_tags = False + for tag_group in target.autorecon.excluded_tags: + if set(tag_group).issubset(plugin_tag_set): + excluded_tags = True + break + + if matching_tags and not excluded_tags: + pending.append(asyncio.create_task(port_scan(plugin, target))) + + async with autorecon.lock: + autorecon.scanning_targets.append(target) + + start_time = time.time() + info('Scanning target {byellow}' + target.address + '{rst}') + + timed_out = False + while pending: + done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED, timeout=1) + + # Check if global timeout has occurred. + if autorecon.config['target_timeout'] is not None: + elapsed_seconds = round(time.time() - start_time) + m, s = divmod(elapsed_seconds, 60) + if m >= autorecon.config['target_timeout']: + timed_out = True + break + + # Extract Services + services = [] + async with target.lock: + while target.pending_services: + services.append(target.pending_services.pop(0)) + + for task in done: + try: + if task.exception(): + print(task.exception()) + continue + except asyncio.InvalidStateError: + pass + + if task.result()['type'] == 'port': + for service in (task.result()['result'] or []): + services.append(service) + + for service in services: + if service.full_tag() not in target.services: + target.services.append(service.full_tag()) + else: + continue + + info('Found {bmagenta}' + service.name + '{rst} on {bmagenta}' + service.protocol + '/' + str(service.port) + '{rst} on {byellow}' + target.address + '{rst}') + + service.target = target + + # Create variables for command references. + address = target.address + scandir = target.scandir + protocol = service.protocol + port = service.port + + # Special cases for HTTP. + http_scheme = 'https' if 'https' in service.name or service.secure is True else 'http' + + nmap_extra = target.autorecon.args.nmap + if target.autorecon.args.nmap_append: + nmap_extra += ' ' + target.autorecon.args.nmap_append + + if protocol == 'udp': + nmap_extra += ' -sU' + + matching_plugins = [] + heading = False + + for plugin in target.autorecon.plugin_types['service']: + plugin_tag = service.tag() + '/' + plugin.slug + + for s in plugin.service_names: + if re.search(s, service.name): + plugin_tag_set = set(plugin.tags) + + matching_tags = False + for tag_group in target.autorecon.tags: + if set(tag_group).issubset(plugin_tag_set): + matching_tags = True + break + + excluded_tags = False + for tag_group in target.autorecon.excluded_tags: + if set(tag_group).issubset(plugin_tag_set): + excluded_tags = True + break + + # TODO: Maybe make this less messy, keep manual-only plugins separate? + plugin_is_runnable = False + for member_name, _ in inspect.getmembers(plugin, predicate=inspect.ismethod): + if member_name == 'run': + plugin_is_runnable = True + break + + if plugin_is_runnable and matching_tags and not excluded_tags: + # Skip plugin if run_once_boolean and plugin already in target scans + if plugin.run_once_boolean and (plugin.slug,) in target.scans: + warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin should only be run once and it appears to have already been queued. Skipping.{rst}') + continue + + # Skip plugin if require_ssl_boolean and port is not secure + if plugin.require_ssl_boolean and not service.secure: + continue + + # Skip plugin if service port is in ignore_ports: + if port in plugin.ignore_ports[protocol]: + warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin cannot be run against ' + protocol + ' port ' + str(port) + '. Skipping.{rst}') + continue + + # Skip plugin if plugin has required ports and service port is not in them: + if plugin.ports[protocol] and port not in plugin.ports[protocol]: + warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin can only run on specific ports. Skipping.{rst}') + continue + + for i in plugin.ignore_service_names: + if re.search(i, service.name): + warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin cannot be run against this service. Skipping.{rst}') + continue + + # TODO: check if plugin matches tags, BUT run manual commands anyway! + matching_plugins.append(plugin) + + if plugin.manual_commands and (not plugin.run_once_boolean or (plugin.run_once_boolean and (plugin.slug,) not in target.scans)): + with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file: + if not heading: + file.write(e('[*] {service.name} on {service.protocol}/{service.port}\n\n')) + heading = True + for description, commands in plugin.manual_commands.items(): + file.write('\t[-] ' + e(description) + '\n\n') + for command in commands: + file.write('\t\t' + e(command) + '\n\n') + file.flush() + + break + + for plugin in matching_plugins: + plugin_tag = service.tag() + '/' + plugin.slug + + scan_tuple = (service.protocol, service.port, service.name, plugin.slug) + if plugin.run_once_boolean: + scan_tuple = (plugin.slug,) + + if scan_tuple in target.scans: + warn('{byellow}[' + plugin_tag + ' against ' + target.address + '{srst}] Plugin appears to have already been queued, but it is not marked as run_once. Possible duplicate service tag? Skipping.{rst}') + continue + else: + target.scans.append(scan_tuple) + + pending.add(asyncio.create_task(service_scan(plugin, service))) + heartbeat.cancel() + elapsed_time = calculate_elapsed_time(start_time) + + if timed_out: + + for task in pending: + task.cancel() + + for process_list in target.running_tasks.values(): + for process_dict in process_list['processes']: + process_dict['process'].kill() + + warn('{byellow}Scanning target ' + target.address + ' took longer than the specified target period (' + str(autorecon.config['target_timeout']) + ' min). Cancelling scans and moving to next target.{rst}') + else: + info('Finished scanning target {byellow}' + target.address + '{rst} in ' + elapsed_time) + + async with autorecon.lock: + autorecon.scanning_targets.remove(target) async def main(): - from autorecon import Plugin, PortScan, ServiceScan, Target # We have to do this to get around issubclass weirdness when loading plugins. - - parser = argparse.ArgumentParser(add_help=False, description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.') - parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs='*') - parser.add_argument('-t', '--targets', action='store', type=str, default='', dest='target_file', help='Read targets from file.') - parser.add_argument('-m', '--max-scans', action='store', type=int, help='The maximum number of concurrent scans to run. Default: 50') - parser.add_argument('-mp', '--max-port-scans', action='store', type=int, help='The maximum number of concurrent port scans to run. Default: 10 (approx 20%% of max-scans unless specified)') - parser.add_argument('-c', '--config', action='store', type=str, default=os.path.dirname(os.path.realpath(__file__)) + '/config.toml', dest='config_file', help='Location of AutoRecon\'s config file. Default: %(default)s') - parser.add_argument('-g', '--global-file', action='store', type=str, dest='global_file', help='Location of AutoRecon\'s global file. Default: ' + os.path.dirname(os.path.realpath(__file__)) + '/global.toml') - parser.add_argument('--tags', action='store', type=str, default='default', help='Tags to determine which plugins should be included. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be included, it must have all the tags specified in at least one group.') - parser.add_argument('--exclude-tags', action='store', type=str, default='', help='Tags to determine which plugins should be excluded. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be excluded, it must have all the tags specified in at least one group.') - parser.add_argument('--plugins-dir', action='store', type=str, default=os.path.dirname(os.path.abspath(__file__)) + '/plugins', help='') - parser.add_argument('-o', '--output', action='store', dest='outdir', help='The output directory for results. Default: results') - parser.add_argument('--single-target', action='store_true', help='Only scan a single target. A directory named after the target will not be created. Instead, the directory structure will be created within the output directory. Default: false') - parser.add_argument('--only-scans-dir', action='store_true', help='Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report) will not be created. Default: false') - parser.add_argument('--heartbeat', action='store', type=int, help='Specifies the heartbeat interval (in seconds) for scan status messages. Default: 60') - parser.add_argument('--timeout', action='store', type=int, help='Specifies the maximum amount of time in minutes that AutoRecon should run for. Default: no timeout') - parser.add_argument('--target-timeout', action='store', type=int, help='Specifies the maximum amount of time in minutes that a target should be scanned for before abandoning it and moving on. Default: no timeout') - nmap_group = parser.add_mutually_exclusive_group() - nmap_group.add_argument('--nmap', action='store', default='-vv --reason -Pn', help='Override the {nmap_extra} variable in scans. Default: %(default)s') - nmap_group.add_argument('--nmap-append', action='store', default='', help='Append to the default {nmap_extra} variable in scans.') - parser.add_argument('--disable-sanity-checks', action='store_true', default=False, help='Disable sanity checks that would otherwise prevent the scans from running. Default: false') - parser.add_argument('--accessible', action='store_true', help='Attempts to make AutoRecon output more accessible to screenreaders.') - parser.add_argument('-v', '--verbose', action='count', help='Enable verbose output. Repeat for more verbosity.') - parser.error = lambda s: fail(s[0].upper() + s[1:]) - args, unknown = parser.parse_known_args() - - errors = False - - autorecon.argparse = parser - - # Parse config file and args for global.toml first. - if not os.path.isfile(args.config_file): - fail('Error: Specified config file "' + args.config_file + '" does not exist.') - - with open(args.config_file) as c: - try: - config_toml = toml.load(c) - for key, val in config_toml.items(): - if key.replace('-', '_') == 'global_file': - autorecon.config['global_file'] = val - break - except toml.decoder.TomlDecodeError: - fail('Error: Couldn\'t parse ' + args.config_file + ' config file. Check syntax.') - - args_dict = vars(args) - for key in args_dict: - if key == 'global_file' and args_dict['global_file'] is not None: - autorecon.config['global_file'] = args_dict['global_file'] - break - - if not os.path.isdir(args.plugins_dir): - fail('Error: Specified plugins directory "' + args.plugins_dir + '" does not exist.') - - for plugin_file in os.listdir(args.plugins_dir): - if not plugin_file.startswith('_') and plugin_file.endswith('.py'): - - dirname, filename = os.path.split(plugin_file) - dirname = os.path.abspath(dirname) - - try: - plugin = importlib.import_module('.' + filename[:-3], os.path.basename(args.plugins_dir)) - clsmembers = inspect.getmembers(plugin, predicate=inspect.isclass) - for (_, c) in clsmembers: - if c.__module__ == 'autorecon': - continue - - if c.__name__.lower() in autorecon.config['protected_classes']: - print('Plugin "' + c.__name__ + '" in ' + filename + ' is using a protected class name. Please change it.') - sys.exit(1) - - # Only add classes that are a sub class of either PortScan or ServiceScan - if issubclass(c, PortScan) or issubclass(c, ServiceScan): - autorecon.register(c()) - else: - print('Plugin "' + c.__name__ + '" in ' + filename + ' is not a subclass of either PortScan or ServiceScan.') - except (ImportError, SyntaxError) as ex: - print('cannot import ' + filename + ' plugin') - print(ex) - sys.exit(1) - - if len(autorecon.plugin_types['port']) == 0: - fail('Error: There are no valid PortScan plugins in the plugins directory "' + args.plugins_dir + '".') - - # Sort plugins by priority. - autorecon.plugin_types['port'].sort(key=lambda x: x.priority) - autorecon.plugin_types['service'].sort(key=lambda x: x.priority) - - if not os.path.isfile(autorecon.config['global_file']): - fail('Error: Specified global file "' + autorecon.config['global_file'] + '" does not exist.') - - global_plugin_args = None - with open(autorecon.config['global_file']) as g: - try: - global_toml = toml.load(g) - for key, val in global_toml.items(): - if key == 'global' and isinstance(val, dict): # Process global plugin options. - for gkey, gvals in global_toml['global'].items(): - if isinstance(gvals, dict): - options = {'metavar':'VALUE'} - - if 'default' in gvals: - options['default'] = gvals['default'] - - if 'metavar' in gvals: - options['metavar'] = gvals['metavar'] - - if 'help' in gvals: - options['help'] = gvals['help'] - - if 'type' in gvals: - gtype = gvals['type'].lower() - if gtype == 'constant': - if 'constant' not in gvals: - fail('Global constant option ' + gkey + ' has no constant value set.') - else: - options['action'] = 'store_const' - options['const'] = gvals['constant'] - elif gtype == 'true': - options['action'] = 'store_true' - options.pop('metavar', None) - options.pop('default', None) - elif gtype == 'false': - options['action'] = 'store_false' - options.pop('metavar', None) - options.pop('default', None) - elif gtype == 'list': - options['action'] = 'append' - elif gtype == 'choice': - if 'choices' not in gvals: - fail('Global choice option ' + gkey + ' has no choices value set.') - else: - if not isinstance(gvals['choices'], list): - fail('The \'choices\' value for global choice option ' + gkey + ' should be a list.') - options['choices'] = gvals['choices'] - options.pop('metavar', None) - - if global_plugin_args is None: - global_plugin_args = parser.add_argument_group("global plugin arguments", description="These are optional arguments that can be used by all plugins.") - - global_plugin_args.add_argument('--global.' + slugify(gkey), **options) - - except toml.decoder.TomlDecodeError: - fail('Error: Couldn\'t parse ' + g.name + ' file. Check syntax.') - - for key, val in config_toml.items(): - if key == 'global' and isinstance(val, dict): # Process global plugin options. - for gkey, gval in config_toml['global'].items(): - if isinstance(gval, bool): - for action in autorecon.argparse._actions: - if action.dest == 'global.' + slugify(gkey).replace('-', '_'): - if action.const is True: - action.__setattr__('default', gval) - break - else: - if autorecon.argparse.get_default('global.' + slugify(gkey).replace('-', '_')): - autorecon.argparse.set_defaults(**{'global.' + slugify(gkey).replace('-', '_'): gval}) - - elif key == 'pattern' and isinstance(val, list): # Process global patterns. - for pattern in val: - if 'pattern' in pattern: - try: - compiled = re.compile(pattern['pattern']) - if 'description' in pattern: - autorecon.patterns.append(Pattern(compiled, description=pattern['description'])) - else: - autorecon.patterns.append(Pattern(compiled)) - except re.error: - fail('Error: The pattern "' + pattern['pattern'] + '" in the config file is invalid regex.') - else: - fail('Error: A [[pattern]] in the config file doesn\'t have a required pattern variable.') - elif isinstance(val, dict): # Process potential plugin arguments. - for pkey, pval in config_toml[key].items(): - if autorecon.argparse.get_default(slugify(key).replace('-', '_') + '.' + slugify(pkey).replace('-', '_')): - autorecon.argparse.set_defaults(**{slugify(key).replace('-', '_') + '.' + slugify(pkey).replace('-', '_'): pval}) - else: # Process potential other options. - if key.replace('-', '_') in autorecon.configurable_keys: - autorecon.config[key.replace('-', '_')] = val - autorecon.argparse.set_defaults(**{key.replace('-', '_'): val}) - - parser.add_argument('-h', '--help', action='help', default=argparse.SUPPRESS, help='Show this help message and exit.') - args = parser.parse_args() - - args_dict = vars(args) - for key in args_dict: - if key in autorecon.configurable_keys and args_dict[key] is not None: - # Special case for booleans - if key in ['accessible', 'single_target', 'only_scans_dir'] and autorecon.config[key]: - continue - autorecon.config[key] = args_dict[key] - - autorecon.args = args - - if autorecon.config['max_scans'] <= 0: - error('Argument -m/--max-scans must be at least 1.') - errors = True - - if autorecon.config['max_port_scans'] is None: - autorecon.config['max_port_scans'] = max(1, round(autorecon.config['max_scans'] * 0.2)) - else: - if autorecon.config['max_port_scans'] <= 0: - error('Argument -mp/--max-port-scans must be at least 1.') - errors = True - - if autorecon.config['max_port_scans'] > autorecon.config['max_scans']: - error('Argument -mp/--max-port-scans cannot be greater than argument -m/--max-scans.') - errors = True - - if autorecon.config['heartbeat'] <= 0: - error('Argument --heartbeat must be at least 1.') - errors = True - - if autorecon.config['timeout'] is not None and autorecon.config['timeout'] <= 0: - error('Argument --timeout must be at least 1.') - errors = True - - if autorecon.config['target_timeout'] is not None and autorecon.config['target_timeout'] <= 0: - error('Argument --target-timeout must be at least 1.') - errors = True - - if autorecon.config['timeout'] is not None and autorecon.config['target_timeout'] is not None and autorecon.config['timeout'] < autorecon.config['target_timeout']: - error('Argument --timeout cannot be less than --target-timeout.') - errors = True - - if not errors: - autorecon.port_scan_semaphore = asyncio.Semaphore(autorecon.config['max_port_scans']) - # If max scans and max port scans is the same, the service scan semaphore and port scan semaphore should be the same object - if autorecon.config['max_scans'] == autorecon.config['max_port_scans']: - autorecon.service_scan_semaphore = autorecon.port_scan_semaphore - else: - autorecon.service_scan_semaphore = asyncio.Semaphore(autorecon.config['max_scans'] - autorecon.config['max_port_scans']) - - tags = [] - for tag_group in list(set(filter(None, args.tags.lower().split(',')))): - tags.append(list(set(filter(None, tag_group.split('+'))))) - - # Remove duplicate lists from list. - [autorecon.tags.append(t) for t in tags if t not in autorecon.tags] - - excluded_tags = [] - if args.exclude_tags != '': - for tag_group in list(set(filter(None, args.exclude_tags.lower().split(',')))): - excluded_tags.append(list(set(filter(None, tag_group.split('+'))))) - - # Remove duplicate lists from list. - [autorecon.excluded_tags.append(t) for t in excluded_tags if t not in autorecon.excluded_tags] - - # Generate manual commands. - for _, plugin in autorecon.plugins.items(): - for member_name, _ in inspect.getmembers(plugin, predicate=inspect.ismethod): - if member_name == 'manual': - plugin.manual() - - raw_targets = args.targets - - if len(args.target_file) > 0: - if not os.path.isfile(args.target_file): - error('The target file ' + args.target_file + ' was not found.') - sys.exit(1) - try: - with open(args.target_file, 'r') as f: - lines = f.read() - for line in lines.splitlines(): - line = line.strip() - if line.startswith('#') or len(line) == 0: continue - if line not in raw_targets: - raw_targets.append(line) - except OSError: - error('The target file ' + args.target_file + ' could not be read.') - sys.exit(1) - - for target in raw_targets: - try: - ip = str(ipaddress.ip_address(target)) - - if ip not in autorecon.pending_targets: - autorecon.pending_targets.append(ip) - except ValueError: - - try: - target_range = ipaddress.ip_network(target, strict=False) - if not args.disable_sanity_checks and target_range.num_addresses > 256: - error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.') - errors = True - else: - for ip in target_range.hosts(): - ip = str(ip) - if ip not in autorecon.pending_targets: - autorecon.pending_targets.append(ip) - except ValueError: - - try: - ip = socket.gethostbyname(target) - - if target not in autorecon.pending_targets: - autorecon.pending_targets.append(target) - except socket.gaierror: - error(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.') - errors = True - - if len(autorecon.pending_targets) == 0: - error('You must specify at least one target to scan!') - errors = True - - if autorecon.config['single_target'] and len(autorecon.pending_targets) != 1: - error('You cannot provide more than one target when scanning in single-target mode.') - errors = True - - if not args.disable_sanity_checks and len(autorecon.pending_targets) > 256: - error('A total of ' + str(len(autorecon.pending_targets)) + ' targets would be scanned. If this is correct, re-run with the --disable-sanity-checks option to suppress this check.') - errors = True - - port_scan_plugin_count = 0 - for plugin in autorecon.plugin_types['port']: - matching_tags = False - for tag_group in autorecon.tags: - if set(tag_group).issubset(set(plugin.tags)): - matching_tags = True - break - - excluded_tags = False - for tag_group in autorecon.excluded_tags: - if set(tag_group).issubset(set(plugin.tags)): - excluded_tags = True - break - - if matching_tags and not excluded_tags: - port_scan_plugin_count += 1 - - if port_scan_plugin_count == 0: - error('There are no port scan plugins that match the tags specified.') - errors = True - - if errors: - sys.exit(1) - - autorecon.config['port_scan_plugin_count'] = port_scan_plugin_count - - num_initial_targets = max(1, math.ceil(autorecon.config['max_port_scans'] / port_scan_plugin_count)) - - start_time = time.time() - - pending = [] - i = 0 - while autorecon.pending_targets: - pending.append(asyncio.create_task(scan_target(Target(autorecon.pending_targets.pop(0), autorecon)))) - i+=1 - if i >= num_initial_targets: - break - - timed_out = False - while pending: - done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED, timeout=1) - # Check if global timeout has occurred. - if autorecon.config['timeout'] is not None: - elapsed_seconds = round(time.time() - start_time) - m, s = divmod(elapsed_seconds, 60) - if m >= autorecon.config['timeout']: - timed_out = True - break - - for task in done: - if autorecon.pending_targets: - pending.add(asyncio.create_task(scan_target(Target(autorecon.pending_targets.pop(0), autorecon)))) - - port_scan_task_count = 0 - for targ in autorecon.scanning_targets: - for process_list in targ.running_tasks.values(): - if issubclass(process_list['plugin'].__class__, PortScan): - port_scan_task_count += 1 - - num_new_targets = math.ceil((autorecon.config['max_port_scans'] - port_scan_task_count) / port_scan_plugin_count) - if num_new_targets > 0: - i = 0 - while autorecon.pending_targets: - pending.add(asyncio.create_task(scan_target(Target(autorecon.pending_targets.pop(0), autorecon)))) - i+=1 - if i >= num_new_targets: - break - - if timed_out: - cancel_all_tasks(None, None) - - elapsed_time = calculate_elapsed_time(start_time) - warn('{byellow}AutoRecon took longer than the specified timeout period (' + str(autorecon.config['timeout']) + ' min). Cancelling all scans and exiting.{rst}') - sys.exit(0) - else: - while len(asyncio.all_tasks()) > 1: # this code runs in the main() task so it will be the only task left running - await asyncio.sleep(1) - - elapsed_time = calculate_elapsed_time(start_time) - info('{bright}Finished scanning all targets in ' + elapsed_time + '!{rst}') + from autorecon import Plugin, PortScan, ServiceScan, Target # We have to do this to get around issubclass weirdness when loading plugins. + + parser = argparse.ArgumentParser(add_help=False, description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.') + parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs='*') + parser.add_argument('-t', '--targets', action='store', type=str, default='', dest='target_file', help='Read targets from file.') + parser.add_argument('-m', '--max-scans', action='store', type=int, help='The maximum number of concurrent scans to run. Default: 50') + parser.add_argument('-mp', '--max-port-scans', action='store', type=int, help='The maximum number of concurrent port scans to run. Default: 10 (approx 20%% of max-scans unless specified)') + parser.add_argument('-c', '--config', action='store', type=str, default=os.path.dirname(os.path.realpath(__file__)) + '/config.toml', dest='config_file', help='Location of AutoRecon\'s config file. Default: %(default)s') + parser.add_argument('-g', '--global-file', action='store', type=str, dest='global_file', help='Location of AutoRecon\'s global file. Default: ' + os.path.dirname(os.path.realpath(__file__)) + '/global.toml') + parser.add_argument('--tags', action='store', type=str, default='default', help='Tags to determine which plugins should be included. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be included, it must have all the tags specified in at least one group.') + parser.add_argument('--exclude-tags', action='store', type=str, default='', help='Tags to determine which plugins should be excluded. Separate tags by a plus symbol (+) to group tags together. Separate groups with a comma (,) to create multiple groups. For a plugin to be excluded, it must have all the tags specified in at least one group.') + parser.add_argument('--plugins-dir', action='store', type=str, default=os.path.dirname(os.path.abspath(__file__)) + '/plugins', help='') + parser.add_argument('-o', '--output', action='store', dest='outdir', help='The output directory for results. Default: results') + parser.add_argument('--single-target', action='store_true', help='Only scan a single target. A directory named after the target will not be created. Instead, the directory structure will be created within the output directory. Default: false') + parser.add_argument('--only-scans-dir', action='store_true', help='Only create the "scans" directory for results. Other directories (e.g. exploit, loot, report) will not be created. Default: false') + parser.add_argument('--heartbeat', action='store', type=int, help='Specifies the heartbeat interval (in seconds) for scan status messages. Default: 60') + parser.add_argument('--timeout', action='store', type=int, help='Specifies the maximum amount of time in minutes that AutoRecon should run for. Default: no timeout') + parser.add_argument('--target-timeout', action='store', type=int, help='Specifies the maximum amount of time in minutes that a target should be scanned for before abandoning it and moving on. Default: no timeout') + nmap_group = parser.add_mutually_exclusive_group() + nmap_group.add_argument('--nmap', action='store', default='-vv --reason -Pn', help='Override the {nmap_extra} variable in scans. Default: %(default)s') + nmap_group.add_argument('--nmap-append', action='store', default='', help='Append to the default {nmap_extra} variable in scans.') + parser.add_argument('--disable-sanity-checks', action='store_true', default=False, help='Disable sanity checks that would otherwise prevent the scans from running. Default: false') + parser.add_argument('--accessible', action='store_true', help='Attempts to make AutoRecon output more accessible to screenreaders.') + parser.add_argument('-v', '--verbose', action='count', help='Enable verbose output. Repeat for more verbosity.') + parser.error = lambda s: fail(s[0].upper() + s[1:]) + args, unknown = parser.parse_known_args() + + errors = False + + autorecon.argparse = parser + + # Parse config file and args for global.toml first. + if not os.path.isfile(args.config_file): + fail('Error: Specified config file "' + args.config_file + '" does not exist.') + + with open(args.config_file) as c: + try: + config_toml = toml.load(c) + for key, val in config_toml.items(): + if key.replace('-', '_') == 'global_file': + autorecon.config['global_file'] = val + break + except toml.decoder.TomlDecodeError: + fail('Error: Couldn\'t parse ' + args.config_file + ' config file. Check syntax.') + + args_dict = vars(args) + for key in args_dict: + if key == 'global_file' and args_dict['global_file'] is not None: + autorecon.config['global_file'] = args_dict['global_file'] + break + + if not os.path.isdir(args.plugins_dir): + fail('Error: Specified plugins directory "' + args.plugins_dir + '" does not exist.') + + for plugin_file in os.listdir(args.plugins_dir): + if not plugin_file.startswith('_') and plugin_file.endswith('.py'): + + dirname, filename = os.path.split(plugin_file) + dirname = os.path.abspath(dirname) + + try: + plugin = importlib.import_module('.' + filename[:-3], os.path.basename(args.plugins_dir)) + clsmembers = inspect.getmembers(plugin, predicate=inspect.isclass) + for (_, c) in clsmembers: + if c.__module__ == 'autorecon': + continue + + if c.__name__.lower() in autorecon.config['protected_classes']: + print('Plugin "' + c.__name__ + '" in ' + filename + ' is using a protected class name. Please change it.') + sys.exit(1) + + # Only add classes that are a sub class of either PortScan or ServiceScan + if issubclass(c, PortScan) or issubclass(c, ServiceScan): + autorecon.register(c()) + else: + print('Plugin "' + c.__name__ + '" in ' + filename + ' is not a subclass of either PortScan or ServiceScan.') + except (ImportError, SyntaxError) as ex: + print('cannot import ' + filename + ' plugin') + print(ex) + sys.exit(1) + + if len(autorecon.plugin_types['port']) == 0: + fail('Error: There are no valid PortScan plugins in the plugins directory "' + args.plugins_dir + '".') + + # Sort plugins by priority. + autorecon.plugin_types['port'].sort(key=lambda x: x.priority) + autorecon.plugin_types['service'].sort(key=lambda x: x.priority) + + if not os.path.isfile(autorecon.config['global_file']): + fail('Error: Specified global file "' + autorecon.config['global_file'] + '" does not exist.') + + global_plugin_args = None + with open(autorecon.config['global_file']) as g: + try: + global_toml = toml.load(g) + for key, val in global_toml.items(): + if key == 'global' and isinstance(val, dict): # Process global plugin options. + for gkey, gvals in global_toml['global'].items(): + if isinstance(gvals, dict): + options = {'metavar':'VALUE'} + + if 'default' in gvals: + options['default'] = gvals['default'] + + if 'metavar' in gvals: + options['metavar'] = gvals['metavar'] + + if 'help' in gvals: + options['help'] = gvals['help'] + + if 'type' in gvals: + gtype = gvals['type'].lower() + if gtype == 'constant': + if 'constant' not in gvals: + fail('Global constant option ' + gkey + ' has no constant value set.') + else: + options['action'] = 'store_const' + options['const'] = gvals['constant'] + elif gtype == 'true': + options['action'] = 'store_true' + options.pop('metavar', None) + options.pop('default', None) + elif gtype == 'false': + options['action'] = 'store_false' + options.pop('metavar', None) + options.pop('default', None) + elif gtype == 'list': + options['action'] = 'append' + elif gtype == 'choice': + if 'choices' not in gvals: + fail('Global choice option ' + gkey + ' has no choices value set.') + else: + if not isinstance(gvals['choices'], list): + fail('The \'choices\' value for global choice option ' + gkey + ' should be a list.') + options['choices'] = gvals['choices'] + options.pop('metavar', None) + + if global_plugin_args is None: + global_plugin_args = parser.add_argument_group("global plugin arguments", description="These are optional arguments that can be used by all plugins.") + + global_plugin_args.add_argument('--global.' + slugify(gkey), **options) + + except toml.decoder.TomlDecodeError: + fail('Error: Couldn\'t parse ' + g.name + ' file. Check syntax.') + + for key, val in config_toml.items(): + if key == 'global' and isinstance(val, dict): # Process global plugin options. + for gkey, gval in config_toml['global'].items(): + if isinstance(gval, bool): + for action in autorecon.argparse._actions: + if action.dest == 'global.' + slugify(gkey).replace('-', '_'): + if action.const is True: + action.__setattr__('default', gval) + break + else: + if autorecon.argparse.get_default('global.' + slugify(gkey).replace('-', '_')): + autorecon.argparse.set_defaults(**{'global.' + slugify(gkey).replace('-', '_'): gval}) + + elif key == 'pattern' and isinstance(val, list): # Process global patterns. + for pattern in val: + if 'pattern' in pattern: + try: + compiled = re.compile(pattern['pattern']) + if 'description' in pattern: + autorecon.patterns.append(Pattern(compiled, description=pattern['description'])) + else: + autorecon.patterns.append(Pattern(compiled)) + except re.error: + fail('Error: The pattern "' + pattern['pattern'] + '" in the config file is invalid regex.') + else: + fail('Error: A [[pattern]] in the config file doesn\'t have a required pattern variable.') + elif isinstance(val, dict): # Process potential plugin arguments. + for pkey, pval in config_toml[key].items(): + if autorecon.argparse.get_default(slugify(key).replace('-', '_') + '.' + slugify(pkey).replace('-', '_')): + autorecon.argparse.set_defaults(**{slugify(key).replace('-', '_') + '.' + slugify(pkey).replace('-', '_'): pval}) + else: # Process potential other options. + if key.replace('-', '_') in autorecon.configurable_keys: + autorecon.config[key.replace('-', '_')] = val + autorecon.argparse.set_defaults(**{key.replace('-', '_'): val}) + + parser.add_argument('-h', '--help', action='help', default=argparse.SUPPRESS, help='Show this help message and exit.') + args = parser.parse_args() + + args_dict = vars(args) + for key in args_dict: + if key in autorecon.configurable_keys and args_dict[key] is not None: + # Special case for booleans + if key in ['accessible', 'single_target', 'only_scans_dir'] and autorecon.config[key]: + continue + autorecon.config[key] = args_dict[key] + + autorecon.args = args + + if autorecon.config['max_scans'] <= 0: + error('Argument -m/--max-scans must be at least 1.') + errors = True + + if autorecon.config['max_port_scans'] is None: + autorecon.config['max_port_scans'] = max(1, round(autorecon.config['max_scans'] * 0.2)) + else: + if autorecon.config['max_port_scans'] <= 0: + error('Argument -mp/--max-port-scans must be at least 1.') + errors = True + + if autorecon.config['max_port_scans'] > autorecon.config['max_scans']: + error('Argument -mp/--max-port-scans cannot be greater than argument -m/--max-scans.') + errors = True + + if autorecon.config['heartbeat'] <= 0: + error('Argument --heartbeat must be at least 1.') + errors = True + + if autorecon.config['timeout'] is not None and autorecon.config['timeout'] <= 0: + error('Argument --timeout must be at least 1.') + errors = True + + if autorecon.config['target_timeout'] is not None and autorecon.config['target_timeout'] <= 0: + error('Argument --target-timeout must be at least 1.') + errors = True + + if autorecon.config['timeout'] is not None and autorecon.config['target_timeout'] is not None and autorecon.config['timeout'] < autorecon.config['target_timeout']: + error('Argument --timeout cannot be less than --target-timeout.') + errors = True + + if not errors: + autorecon.port_scan_semaphore = asyncio.Semaphore(autorecon.config['max_port_scans']) + # If max scans and max port scans is the same, the service scan semaphore and port scan semaphore should be the same object + if autorecon.config['max_scans'] == autorecon.config['max_port_scans']: + autorecon.service_scan_semaphore = autorecon.port_scan_semaphore + else: + autorecon.service_scan_semaphore = asyncio.Semaphore(autorecon.config['max_scans'] - autorecon.config['max_port_scans']) + + tags = [] + for tag_group in list(set(filter(None, args.tags.lower().split(',')))): + tags.append(list(set(filter(None, tag_group.split('+'))))) + + # Remove duplicate lists from list. + [autorecon.tags.append(t) for t in tags if t not in autorecon.tags] + + excluded_tags = [] + if args.exclude_tags != '': + for tag_group in list(set(filter(None, args.exclude_tags.lower().split(',')))): + excluded_tags.append(list(set(filter(None, tag_group.split('+'))))) + + # Remove duplicate lists from list. + [autorecon.excluded_tags.append(t) for t in excluded_tags if t not in autorecon.excluded_tags] + + # Generate manual commands. + for _, plugin in autorecon.plugins.items(): + for member_name, _ in inspect.getmembers(plugin, predicate=inspect.ismethod): + if member_name == 'manual': + plugin.manual() + + raw_targets = args.targets + + if len(args.target_file) > 0: + if not os.path.isfile(args.target_file): + error('The target file ' + args.target_file + ' was not found.') + sys.exit(1) + try: + with open(args.target_file, 'r') as f: + lines = f.read() + for line in lines.splitlines(): + line = line.strip() + if line.startswith('#') or len(line) == 0: continue + if line not in raw_targets: + raw_targets.append(line) + except OSError: + error('The target file ' + args.target_file + ' could not be read.') + sys.exit(1) + + for target in raw_targets: + try: + ip = str(ipaddress.ip_address(target)) + + if ip not in autorecon.pending_targets: + autorecon.pending_targets.append(ip) + except ValueError: + + try: + target_range = ipaddress.ip_network(target, strict=False) + if not args.disable_sanity_checks and target_range.num_addresses > 256: + error(target + ' contains ' + str(target_range.num_addresses) + ' addresses. Check that your CIDR notation is correct. If it is, re-run with the --disable-sanity-checks option to suppress this check.') + errors = True + else: + for ip in target_range.hosts(): + ip = str(ip) + if ip not in autorecon.pending_targets: + autorecon.pending_targets.append(ip) + except ValueError: + + try: + ip = socket.gethostbyname(target) + + if target not in autorecon.pending_targets: + autorecon.pending_targets.append(target) + except socket.gaierror: + error(target + ' does not appear to be a valid IP address, IP range, or resolvable hostname.') + errors = True + + if len(autorecon.pending_targets) == 0: + error('You must specify at least one target to scan!') + errors = True + + if autorecon.config['single_target'] and len(autorecon.pending_targets) != 1: + error('You cannot provide more than one target when scanning in single-target mode.') + errors = True + + if not args.disable_sanity_checks and len(autorecon.pending_targets) > 256: + error('A total of ' + str(len(autorecon.pending_targets)) + ' targets would be scanned. If this is correct, re-run with the --disable-sanity-checks option to suppress this check.') + errors = True + + port_scan_plugin_count = 0 + for plugin in autorecon.plugin_types['port']: + matching_tags = False + for tag_group in autorecon.tags: + if set(tag_group).issubset(set(plugin.tags)): + matching_tags = True + break + + excluded_tags = False + for tag_group in autorecon.excluded_tags: + if set(tag_group).issubset(set(plugin.tags)): + excluded_tags = True + break + + if matching_tags and not excluded_tags: + port_scan_plugin_count += 1 + + if port_scan_plugin_count == 0: + error('There are no port scan plugins that match the tags specified.') + errors = True + + if errors: + sys.exit(1) + + autorecon.config['port_scan_plugin_count'] = port_scan_plugin_count + + num_initial_targets = max(1, math.ceil(autorecon.config['max_port_scans'] / port_scan_plugin_count)) + + start_time = time.time() + + pending = [] + i = 0 + while autorecon.pending_targets: + pending.append(asyncio.create_task(scan_target(Target(autorecon.pending_targets.pop(0), autorecon)))) + i+=1 + if i >= num_initial_targets: + break + + timed_out = False + while pending: + done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED, timeout=1) + # Check if global timeout has occurred. + if autorecon.config['timeout'] is not None: + elapsed_seconds = round(time.time() - start_time) + m, s = divmod(elapsed_seconds, 60) + if m >= autorecon.config['timeout']: + timed_out = True + break + + for task in done: + if autorecon.pending_targets: + pending.add(asyncio.create_task(scan_target(Target(autorecon.pending_targets.pop(0), autorecon)))) + + port_scan_task_count = 0 + for targ in autorecon.scanning_targets: + for process_list in targ.running_tasks.values(): + if issubclass(process_list['plugin'].__class__, PortScan): + port_scan_task_count += 1 + + num_new_targets = math.ceil((autorecon.config['max_port_scans'] - port_scan_task_count) / port_scan_plugin_count) + if num_new_targets > 0: + i = 0 + while autorecon.pending_targets: + pending.add(asyncio.create_task(scan_target(Target(autorecon.pending_targets.pop(0), autorecon)))) + i+=1 + if i >= num_new_targets: + break + + if timed_out: + cancel_all_tasks(None, None) + + elapsed_time = calculate_elapsed_time(start_time) + warn('{byellow}AutoRecon took longer than the specified timeout period (' + str(autorecon.config['timeout']) + ' min). Cancelling all scans and exiting.{rst}') + sys.exit(0) + else: + while len(asyncio.all_tasks()) > 1: # this code runs in the main() task so it will be the only task left running + await asyncio.sleep(1) + + elapsed_time = calculate_elapsed_time(start_time) + info('{bright}Finished scanning all targets in ' + elapsed_time + '!{rst}') if __name__ == '__main__': - signal.signal(signal.SIGINT, cancel_all_tasks) - try: - asyncio.run(main()) - except asyncio.exceptions.CancelledError: - pass + signal.signal(signal.SIGINT, cancel_all_tasks) + try: + asyncio.run(main()) + except asyncio.exceptions.CancelledError: + pass diff --git a/plugins/databases.py b/plugins/databases.py index 7930bb2..e96d8a6 100644 --- a/plugins/databases.py +++ b/plugins/databases.py @@ -2,121 +2,121 @@ class NmapMongoDB(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap MongoDB" - self.tags = ['default', 'databases'] + def __init__(self): + super().__init__() + self.name = "Nmap MongoDB" + self.tags = ['default', 'databases'] - def configure(self): - self.add_service_match('^mongod') + def configure(self): + self.match_service_name('^mongod') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mongodb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mongodb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mongodb_nmap.xml" {address}') class NmapMSSQL(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap MSSQL" - self.tags = ['default', 'databases'] + def __init__(self): + super().__init__() + self.name = "Nmap MSSQL" + self.tags = ['default', 'databases'] - def configure(self): - self.add_service_match(['^mssql', '^ms\-sql']) + def configure(self): + self.match_service_name(['^mssql', '^ms\-sql']) - def manual(self): - self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') + def manual(self): + self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}') class NmapMYSQL(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap MYSQL" - self.tags = ['default', 'databases'] + def __init__(self): + super().__init__() + self.name = "Nmap MYSQL" + self.tags = ['default', 'databases'] - def configure(self): - self.add_service_match('^mysql') + def configure(self): + self.match_service_name('^mysql') - def manual(self): - self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') + def manual(self): + self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}') class NmapOracle(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap Oracle" - self.tags = ['default', 'databases'] + def __init__(self): + super().__init__() + self.name = "Nmap Oracle" + self.tags = ['default', 'databases'] - def configure(self): - self.add_service_match('^oracle') + def configure(self): + self.match_service_name('^oracle') - def manual(self): - self.add_manual_command('Brute-force SIDs using Nmap:', 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}') + def manual(self): + self.add_manual_command('Brute-force SIDs using Nmap:', 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}') class OracleTNScmd(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Oracle TNScmd" - self.tags = ['default', 'databases'] + def __init__(self): + super().__init__() + self.name = "Oracle TNScmd" + self.tags = ['default', 'databases'] - def configure(self): - self.add_service_match('^oracle') + def configure(self): + self.match_service_name('^oracle') - async def run(self, service): - await service.execute('tnscmd10g ping -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_ping.txt') - await service.execute('tnscmd10g version -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_version.txt') + async def run(self, service): + await service.execute('tnscmd10g ping -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_ping.txt') + await service.execute('tnscmd10g version -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_version.txt') class OracleScanner(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Oracle Scanner" - self.tags = ['default', 'databases'] + def __init__(self): + super().__init__() + self.name = "Oracle Scanner" + self.tags = ['default', 'databases'] - def configure(self): - self.add_service_match('^oracle') + def configure(self): + self.match_service_name('^oracle') - async def run(self, service): - await service.execute('oscanner -v -s {address} -P {port} 2>&1', outfile='{protocol}_{port}_oracle_scanner.txt') + async def run(self, service): + await service.execute('oscanner -v -s {address} -P {port} 2>&1', outfile='{protocol}_{port}_oracle_scanner.txt') class OracleODAT(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Oracle ODAT" - self.tags = ['default', 'databases'] + def __init__(self): + super().__init__() + self.name = "Oracle ODAT" + self.tags = ['default', 'databases'] - def configure(self): - self.add_service_match('^oracle') + def configure(self): + self.match_service_name('^oracle') - def manual(self): - self.add_manual_commands('Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:', [ - 'python odat.py tnscmd -s {address} -p {port} --ping', - 'python odat.py tnscmd -s {address} -p {port} --version', - 'python odat.py tnscmd -s {address} -p {port} --status', - 'python odat.py sidguesser -s {address} -p {port}', - 'python odat.py passwordguesser -s {address} -p {port} -d --accounts-file accounts/accounts_multiple.txt', - 'python odat.py tnspoison -s {address} -p {port} -d --test-module' - ]) + def manual(self): + self.add_manual_commands('Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:', [ + 'python odat.py tnscmd -s {address} -p {port} --ping', + 'python odat.py tnscmd -s {address} -p {port} --version', + 'python odat.py tnscmd -s {address} -p {port} --status', + 'python odat.py sidguesser -s {address} -p {port}', + 'python odat.py passwordguesser -s {address} -p {port} -d --accounts-file accounts/accounts_multiple.txt', + 'python odat.py tnspoison -s {address} -p {port} -d --test-module' + ]) class OraclePatator(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Oracle Patator" - self.tags = ['default', 'databases'] + def __init__(self): + super().__init__() + self.name = "Oracle Patator" + self.tags = ['default', 'databases'] - def configure(self): - self.add_service_match('^oracle') + def configure(self): + self.match_service_name('^oracle') - def manual(self): - self.add_manual_command('Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:', 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000') + def manual(self): + self.add_manual_command('Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:', 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000') diff --git a/plugins/default-port-scan.py b/plugins/default-port-scan.py index f9725f8..8f07637 100644 --- a/plugins/default-port-scan.py +++ b/plugins/default-port-scan.py @@ -3,44 +3,44 @@ class QuickTCPPortScan(PortScan): - def __init__(self): - super().__init__() - self.name = "Top TCP Ports" - self.tags = ["default", "default-port-scan"] - self.priority = 0 - - async def run(self, target): - process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}', blocking=False) - services = await target.extract_services(stdout) - await process.wait() - return services + def __init__(self): + super().__init__() + self.name = "Top TCP Ports" + self.tags = ["default", "default-port-scan"] + self.priority = 0 + + async def run(self, target): + process, stdout, stderr = await target.execute('nmap {nmap_extra} -sV -sC --version-all -oN "{scandir}/_quick_tcp_nmap.txt" -oX "{scandir}/xml/_quick_tcp_nmap.xml" {address}', blocking=False) + services = await target.extract_services(stdout) + await process.wait() + return services class AllTCPPortScan(PortScan): - def __init__(self): - super().__init__() - self.name = "All TCP Ports" - self.tags = ["default", "default-port-scan", "long"] + def __init__(self): + super().__init__() + self.name = "All TCP Ports" + self.tags = ["default", "default-port-scan", "long"] - async def run(self, target): - process, stdout, stderr = await target.execute('nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}', blocking=False) - services = await target.extract_services(stdout) - await process.wait() - return services + async def run(self, target): + process, stdout, stderr = await target.execute('nmap {nmap_extra} -A --osscan-guess --version-all -p- -oN "{scandir}/_full_tcp_nmap.txt" -oX "{scandir}/xml/_full_tcp_nmap.xml" {address}', blocking=False) + services = await target.extract_services(stdout) + await process.wait() + return services class Top20UDPPortScan(PortScan): - def __init__(self): - super().__init__() - self.name = "Top 100 UDP Ports" - self.tags = ["default", "default-port-scan"] - - async def run(self, target): - # Only run UDP scan if user is root. - if os.getuid() == 0: - process, stdout, stderr = await target.execute('nmap {nmap_extra} -sU -A --version-all --top-ports 100 -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}', blocking=False) - services = await target.extract_services(stdout) - await process.wait() - return services - else: - error('UDP scan requires AutoRecon be run with root privileges.') + def __init__(self): + super().__init__() + self.name = "Top 100 UDP Ports" + self.tags = ["default", "default-port-scan"] + + async def run(self, target): + # Only run UDP scan if user is root. + if os.getuid() == 0: + process, stdout, stderr = await target.execute('nmap {nmap_extra} -sU -A --version-all --top-ports 100 -oN "{scandir}/_top_20_udp_nmap.txt" -oX "{scandir}/xml/_top_20_udp_nmap.xml" {address}', blocking=False) + services = await target.extract_services(stdout) + await process.wait() + return services + else: + error('UDP scan requires AutoRecon be run with root privileges.') diff --git a/plugins/dns.py b/plugins/dns.py index df4565c..a84324a 100644 --- a/plugins/dns.py +++ b/plugins/dns.py @@ -2,13 +2,13 @@ class DNS(ServiceScan): - def __init__(self): - super().__init__() - self.name = "DNS" - self.tags = ['default', 'dns'] + def __init__(self): + super().__init__() + self.name = "DNS" + self.tags = ['default', 'dns'] - def configure(self): - self.add_service_match('^domain') + def configure(self): + self.match_service_name('^domain') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_dns_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_dns_nmap.xml" {address}') diff --git a/plugins/ftp.py b/plugins/ftp.py index 22c49be..04f8641 100644 --- a/plugins/ftp.py +++ b/plugins/ftp.py @@ -2,29 +2,29 @@ class NmapFTP(ServiceScan): - def __init__(self): - super().__init__() - self.name = 'Nmap FTP' - self.tags = ['default', 'ftp'] + def __init__(self): + super().__init__() + self.name = 'Nmap FTP' + self.tags = ['default', 'ftp'] - def configure(self): - self.add_service_match(['^ftp', '^ftp\-data']) + def configure(self): + self.match_service_name(['^ftp', '^ftp\-data']) - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ftp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ftp_nmap.xml" {address}') class BruteforceFTP(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Bruteforce FTP" - self.tags = ['default', 'ftp'] + def __init__(self): + super().__init__() + self.name = "Bruteforce FTP" + self.tags = ['default', 'ftp'] - def configure(self): - self.add_service_match(['^ftp', '^ftp\-data']) + def configure(self): + self.match_service_name(['^ftp', '^ftp\-data']) - def manual(self): - self.add_manual_commands('Bruteforce logins:', [ - 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', - 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' - ]) + def manual(self): + self.add_manual_commands('Bruteforce logins:', [ + 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', + 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' + ]) diff --git a/plugins/http.py b/plugins/http.py index 4e3eddd..6ac62d2 100644 --- a/plugins/http.py +++ b/plugins/http.py @@ -4,183 +4,183 @@ class NmapHTTP(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap HTTP" - self.tags = ['default', 'http'] + def __init__(self): + super().__init__() + self.name = "Nmap HTTP" + self.tags = ['default', 'http'] - def configure(self): - self.add_service_match('^http') - self.add_service_match('^nacn_http$', negative_match=True) - self.add_pattern('Server: ([^\n]+)', description='Identified HTTP Server: {match}') - self.add_pattern('WebDAV is ENABLED', description='WebDAV is enabled') + def configure(self): + self.match_service_name('^http') + self.match_service_name('^nacn_http$', negative_match=True) + self.add_pattern('Server: ([^\n]+)', description='Identified HTTP Server: {match}') + self.add_pattern('WebDAV is ENABLED', description='WebDAV is enabled') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_{http_scheme}_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{http_scheme}_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "{scandir}/{protocol}_{port}_{http_scheme}_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_{http_scheme}_nmap.xml" {address}') class BruteforceHTTP(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Bruteforce HTTP" - self.tags = ['default', 'http'] + def __init__(self): + super().__init__() + self.name = "Bruteforce HTTP" + self.tags = ['default', 'http'] - def configure(self): - self.add_service_match('^http') - self.add_service_match('^nacn_http$', negative_match=True) + def configure(self): + self.match_service_name('^http') + self.match_service_name('^nacn_http$', negative_match=True) - def manual(self): - self.add_manual_commands('Credential bruteforcing commands (don\'t run these without modifying them):', [ - 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_auth_hydra.txt" {http_scheme}-get://{address}/path/to/auth/area', - 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area', - 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_form_hydra.txt" {http_scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', - 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"' - ]) + def manual(self): + self.add_manual_commands('Credential bruteforcing commands (don\'t run these without modifying them):', [ + 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_auth_hydra.txt" {http_scheme}-get://{address}/path/to/auth/area', + 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area', + 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_form_hydra.txt" {http_scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', + 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"' + ]) class Curl(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Curl" - self.tags = ['default', 'http'] + def __init__(self): + super().__init__() + self.name = "Curl" + self.tags = ['default', 'http'] - def configure(self): - self.add_option("path", default="/", help="The path on the web server to curl. Default: %(default)s") - self.add_service_match('^http') - self.add_service_match('^nacn_http$', negative_match=True) - self.add_pattern('(?i)Powered by [^\n]+') + def configure(self): + self.add_option("path", default="/", help="The path on the web server to curl. Default: %(default)s") + self.match_service_name('^http') + self.match_service_name('^nacn_http$', negative_match=True) + self.add_pattern('(?i)Powered by [^\n]+') - async def run(self, service): - if service.protocol == 'tcp': - await service.execute('curl -sSik {http_scheme}://{address}:{port}' + self.get_option('path'), outfile='{protocol}_{port}_{http_scheme}_curl.html') + async def run(self, service): + if service.protocol == 'tcp': + await service.execute('curl -sSik {http_scheme}://{address}:{port}' + self.get_option('path'), outfile='{protocol}_{port}_{http_scheme}_curl.html') class CurlRobots(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Curl Robots" - self.tags = ['default', 'http'] + def __init__(self): + super().__init__() + self.name = "Curl Robots" + self.tags = ['default', 'http'] - def configure(self): - self.add_service_match('^http') - self.add_service_match('^nacn_http$', negative_match=True) + def configure(self): + self.match_service_name('^http') + self.match_service_name('^nacn_http$', negative_match=True) - async def run(self, service): - if service.protocol == 'tcp': - await service.execute('curl -sSik {http_scheme}://{address}:{port}/robots.txt', outfile='{protocol}_{port}_{http_scheme}_curl-robots.txt') + async def run(self, service): + if service.protocol == 'tcp': + await service.execute('curl -sSik {http_scheme}://{address}:{port}/robots.txt', outfile='{protocol}_{port}_{http_scheme}_curl-robots.txt') class DirBuster(ServiceScan): - def __init__(self): - super().__init__() - self.name = "DirBuster" - self.slug = 'dirbuster' - self.priority = 0 - self.tags = ['default', 'http', 'long'] - - def configure(self): - self.add_choice_option('tool', default='feroxbuster', choices=['feroxbuster', 'gobuster', 'dirsearch', 'ffuf', 'dirb'], help='The tool to use for directory busting. Default: %(default)s') - self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/Web-Content/common.txt'], help='The wordlist to use when directory busting. Specify the option multiple times to use multiple wordlists. Default: %(default)s') - self.add_option('threads', default=10, help='The number of threads to use when directory busting. Default: %(default)s') - self.add_service_match('^http') - self.add_service_match('^nacn_http$', negative_match=True) - - def manual(self): - self.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ - 'feroxbuster -u {http_scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_big.txt', - 'feroxbuster -u {http_scheme}://{address}:{port} -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt' - ]) - - self.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ - 'gobuster dir -u {http_scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', - 'gobuster dir -u {http_scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' - ]) - - self.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ - 'dirsearch -u {http_scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_big.txt"', - 'dirsearch -u {http_scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"' - ]) - - self.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [ - 'dirb {http_scheme}://{address}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_big.txt"', - 'dirb {http_scheme}://{address}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"' - ]) - - self.add_manual_command('(gobuster v1 & v2) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ - 'gobuster -u {http_scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', - 'gobuster -u {http_scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' - ]) - - async def run(self, service): - for wordlist in self.get_option('wordlist'): - name = os.path.splitext(os.path.basename(wordlist))[0] - if self.get_option('tool') == 'feroxbuster': - await service.execute('feroxbuster -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"') - elif self.get_option('tool') == 'gobuster': - await service.execute('gobuster dir -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_' + name + '.txt"') - elif self.get_option('tool') == 'dirsearch': - await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w ' + wordlist + ' --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"') - elif self.get_option('tool') == 'ffuf': - await service.execute('ffuf -u {http_scheme}://{address}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_' + name + '.txt') - elif self.get_option('tool') == 'dirb': - await service.execute('dirb {http_scheme}://{address}:{port}/ ' + wordlist + ' -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_' + name + '.txt"') + def __init__(self): + super().__init__() + self.name = "DirBuster" + self.slug = 'dirbuster' + self.priority = 0 + self.tags = ['default', 'http', 'long'] + + def configure(self): + self.add_choice_option('tool', default='feroxbuster', choices=['feroxbuster', 'gobuster', 'dirsearch', 'ffuf', 'dirb'], help='The tool to use for directory busting. Default: %(default)s') + self.add_list_option('wordlist', default=['/usr/share/seclists/Discovery/Web-Content/common.txt'], help='The wordlist to use when directory busting. Specify the option multiple times to use multiple wordlists. Default: %(default)s') + self.add_option('threads', default=10, help='The number of threads to use when directory busting. Default: %(default)s') + self.match_service_name('^http') + self.match_service_name('^nacn_http$', negative_match=True) + + def manual(self): + self.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ + 'feroxbuster -u {http_scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_big.txt', + 'feroxbuster -u {http_scheme}://{address}:{port} -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt' + ]) + + self.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ + 'gobuster dir -u {http_scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', + 'gobuster dir -u {http_scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' + ]) + + self.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ + 'dirsearch -u {http_scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_big.txt"', + 'dirsearch -u {http_scheme}://{address}:{port}/ -t 16 -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"' + ]) + + self.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [ + 'dirb {http_scheme}://{address}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_big.txt"', + 'dirb {http_scheme}://{address}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"' + ]) + + self.add_manual_command('(gobuster v1 & v2) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ + 'gobuster -u {http_scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', + 'gobuster -u {http_scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' + ]) + + async def run(self, service): + for wordlist in self.get_option('wordlist'): + name = os.path.splitext(os.path.basename(wordlist))[0] + if self.get_option('tool') == 'feroxbuster': + await service.execute('feroxbuster -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"') + elif self.get_option('tool') == 'gobuster': + await service.execute('gobuster dir -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_' + name + '.txt"') + elif self.get_option('tool') == 'dirsearch': + await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w ' + wordlist + ' --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"') + elif self.get_option('tool') == 'ffuf': + await service.execute('ffuf -u {http_scheme}://{address}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_' + name + '.txt') + elif self.get_option('tool') == 'dirb': + await service.execute('dirb {http_scheme}://{address}:{port}/ ' + wordlist + ' -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_' + name + '.txt"') class Nikto(ServiceScan): - def __init__(self): - super().__init__() - self.name = 'nikto' - self.tags = ['default', 'http', 'long'] + def __init__(self): + super().__init__() + self.name = 'nikto' + self.tags = ['default', 'http', 'long'] - def configure(self): - self.add_service_match('^http') - self.add_service_match('^nacn_http$', negative_match=True) + def configure(self): + self.match_service_name('^http') + self.match_service_name('^nacn_http$', negative_match=True) - def manual(self): - self.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"') + def manual(self): + self.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"') class WhatWeb(ServiceScan): - def __init__(self): - super().__init__() - self.name = "whatweb" - self.tags = ['default', 'http'] + def __init__(self): + super().__init__() + self.name = "whatweb" + self.tags = ['default', 'http'] - def configure(self): - self.add_service_match('^http') - self.add_service_match('^nacn_http$', negative_match=True) + def configure(self): + self.match_service_name('^http') + self.match_service_name('^nacn_http$', negative_match=True) - async def run(self, service): - if service.protocol == 'tcp': - await service.execute('whatweb --color=never --no-errors -a 3 -v {http_scheme}://{address}:{port} 2>&1', outfile='{protocol}_{port}_{http_scheme}_whatweb.txt') + async def run(self, service): + if service.protocol == 'tcp': + await service.execute('whatweb --color=never --no-errors -a 3 -v {http_scheme}://{address}:{port} 2>&1', outfile='{protocol}_{port}_{http_scheme}_whatweb.txt') class WkHTMLToImage(ServiceScan): - def __init__(self): - super().__init__() - self.name = "wkhtmltoimage" - self.tags = ['default', 'http'] + def __init__(self): + super().__init__() + self.name = "wkhtmltoimage" + self.tags = ['default', 'http'] - def configure(self): - self.add_service_match('^http') - self.add_service_match('^nacn_http$', negative_match=True) + def configure(self): + self.match_service_name('^http') + self.match_service_name('^nacn_http$', negative_match=True) - async def run(self, service): - if which('wkhtmltoimage') is not None and service.protocol == 'tcp': - await service.execute('wkhtmltoimage --format png {http_scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{http_scheme}_screenshot.png') - else: - error('The wkhtmltoimage program could not be found. Make sure it is installed. (On Kali, run: sudo apt install wkhtmltopdf)') + async def run(self, service): + if which('wkhtmltoimage') is not None and service.protocol == 'tcp': + await service.execute('wkhtmltoimage --format png {http_scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{http_scheme}_screenshot.png') + else: + error('The wkhtmltoimage program could not be found. Make sure it is installed. (On Kali, run: sudo apt install wkhtmltopdf)') class WPScan(ServiceScan): - def __init__(self): - super().__init__() - self.name = 'WPScan' - self.tags = ['default', 'http'] + def __init__(self): + super().__init__() + self.name = 'WPScan' + self.tags = ['default', 'http'] - def configure(self): - self.add_service_match('^http') - self.add_service_match('^nacn_http$', negative_match=True) + def configure(self): + self.match_service_name('^http') + self.match_service_name('^nacn_http$', negative_match=True) - def manual(self): - self.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"') + def manual(self): + self.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"') diff --git a/plugins/kerberos.py b/plugins/kerberos.py index b093bbc..5637f56 100644 --- a/plugins/kerberos.py +++ b/plugins/kerberos.py @@ -2,13 +2,13 @@ class NmapKerberos(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap Kerberos" - self.tags = ['default', 'kerberos', 'active-directory'] + def __init__(self): + super().__init__() + self.name = "Nmap Kerberos" + self.tags = ['default', 'kerberos', 'active-directory'] - def configure(self): - self.add_service_match(['^kerberos', '^kpasswd']) + def configure(self): + self.match_service_name(['^kerberos', '^kpasswd']) - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,krb5-enum-users" -oN "{scandir}/{protocol}_{port}_kerberos_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_kerberos_nmap.xml" {address}') diff --git a/plugins/ldap.py b/plugins/ldap.py index 39e88dd..2a08dca 100644 --- a/plugins/ldap.py +++ b/plugins/ldap.py @@ -2,28 +2,28 @@ class NmapLDAP(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap LDAP" - self.tags = ['default', 'ldap', 'active-directory'] + def __init__(self): + super().__init__() + self.name = "Nmap LDAP" + self.tags = ['default', 'ldap', 'active-directory'] - def configure(self): - self.add_service_match('^ldap') + def configure(self): + self.match_service_name('^ldap') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_ldap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ldap_nmap.xml" {address}') class LDAPSearch(ServiceScan): - def __init__(self): - super().__init__() - self.name = 'LDAP Search' - self.tags = ['default', 'ldap', 'active-directory'] + def __init__(self): + super().__init__() + self.name = 'LDAP Search' + self.tags = ['default', 'ldap', 'active-directory'] - def configure(self): - self.add_service_match('^ldap') + def configure(self): + self.match_service_name('^ldap') - def manual(self): - self.add_manual_command('ldapsearch command (modify before running):', [ - 'ldapsearch -x -D "" -w """ -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*) 2>&1 | tee > "{scandir}/{protocol}_{port}_ldap_all-entries.txt"' - ]) + def manual(self): + self.add_manual_command('ldapsearch command (modify before running):', [ + 'ldapsearch -x -D "" -w """ -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*) 2>&1 | tee > "{scandir}/{protocol}_{port}_ldap_all-entries.txt"' + ]) diff --git a/plugins/misc.py b/plugins/misc.py index 0e4144a..a682db5 100644 --- a/plugins/misc.py +++ b/plugins/misc.py @@ -2,169 +2,169 @@ class NmapCassandra(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap Cassandra" - self.tags = ['default', 'cassandra'] + def __init__(self): + super().__init__() + self.name = "Nmap Cassandra" + self.tags = ['default', 'cassandra'] - def configure(self): - self.add_service_match('^apani1') + def configure(self): + self.match_service_name('^apani1') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cassandra* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cassandra_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cassandra_nmap.xml" {address}') class NmapCUPS(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap CUPS" - self.tags = ['default', 'cups'] + def __init__(self): + super().__init__() + self.name = "Nmap CUPS" + self.tags = ['default', 'cups'] - def configure(self): - self.add_service_match('^ipp') + def configure(self): + self.match_service_name('^ipp') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(cups* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_cups_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_cups_nmap.xml" {address}') class NmapDistccd(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap distccd" - self.tags = ['default', 'distccd'] + def __init__(self): + super().__init__() + self.name = "Nmap distccd" + self.tags = ['default', 'distccd'] - def configure(self): - self.add_service_match('^distccd') + def configure(self): + self.match_service_name('^distccd') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,distcc-cve2004-2687" --script-args="distcc-cve2004-2687.cmd=id" -oN "{scandir}/{protocol}_{port}_distcc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_distcc_nmap.xml" {address}') class NmapFinger(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap finger" - self.tags = ['default', 'finger'] + def __init__(self): + super().__init__() + self.name = "Nmap finger" + self.tags = ['default', 'finger'] - def configure(self): - self.add_service_match('^finger') + def configure(self): + self.match_service_name('^finger') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}') class NmapIMAP(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap IMAP" - self.tags = ['default', 'imap', 'email'] + def __init__(self): + super().__init__() + self.name = "Nmap IMAP" + self.tags = ['default', 'imap', 'email'] - def configure(self): - self.add_service_match('^imap') + def configure(self): + self.match_service_name('^imap') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(imap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_imap_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_imap_nmap.xml" {address}') class NmapNNTP(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap NNTP" - self.tags = ['default', 'nntp'] + def __init__(self): + super().__init__() + self.name = "Nmap NNTP" + self.tags = ['default', 'nntp'] - def configure(self): - self.add_service_match('^nntp') + def configure(self): + self.match_service_name('^nntp') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,nntp-ntlm-info" -oN "{scandir}/{protocol}_{port}_nntp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nntp_nmap.xml" {address}') class NmapPOP3(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap POP3" - self.tags = ['default', 'pop3', 'email'] + def __init__(self): + super().__init__() + self.name = "Nmap POP3" + self.tags = ['default', 'pop3', 'email'] - def configure(self): - self.add_service_match('^pop3') + def configure(self): + self.match_service_name('^pop3') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(pop3* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_pop3_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_pop3_nmap.xml" {address}') class NmapRMI(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap RMI" - self.tags = ['default', 'rmi'] + def __init__(self): + super().__init__() + self.name = "Nmap RMI" + self.tags = ['default', 'rmi'] - def configure(self): - self.add_service_match(['^java\-rmi', '^rmiregistry']) + def configure(self): + self.match_service_name(['^java\-rmi', '^rmiregistry']) - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,rmi-vuln-classloader,rmi-dumpregistry" -oN "{scandir}/{protocol}_{port}_rmi_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rmi_nmap.xml" {address}') class NmapSMTP(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap SMTP" - self.tags = ['default', 'smtp', 'email'] + def __init__(self): + super().__init__() + self.name = "Nmap SMTP" + self.tags = ['default', 'smtp', 'email'] - def configure(self): - self.add_service_match('^smtp') + def configure(self): + self.match_service_name('^smtp') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(smtp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smtp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smtp_nmap.xml" {address}') class SMTPUserEnum(ServiceScan): - def __init__(self): - super().__init__() - self.name = 'SMTP-User-Enum' - self.tags = ['default', 'smtp', 'email'] + def __init__(self): + super().__init__() + self.name = 'SMTP-User-Enum' + self.tags = ['default', 'smtp', 'email'] - def configure(self): - self.add_service_match('^smtp') + def configure(self): + self.match_service_name('^smtp') - async def run(self, service): - await service.execute('smtp-user-enum -M VRFY -U "' + self.get_global('username_wordlist') + '" -t {address} -p {port} 2>&1', outfile='{protocol}_{port}_smtp_user-enum.txt') + async def run(self, service): + await service.execute('smtp-user-enum -M VRFY -U "' + self.get_global('username_wordlist') + '" -t {address} -p {port} 2>&1', outfile='{protocol}_{port}_smtp_user-enum.txt') class NmapTelnet(ServiceScan): - def __init__(self): - super().__init__() - self.name = 'Nmap Telnet' - self.tags = ['default', 'telnet'] + def __init__(self): + super().__init__() + self.name = 'Nmap Telnet' + self.tags = ['default', 'telnet'] - def configure(self): - self.add_service_match('^telnet') + def configure(self): + self.match_service_name('^telnet') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,telnet-encryption,telnet-ntlm-info" -oN "{scandir}/{protocol}_{port}_telnet-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_telnet_nmap.xml" {address}') class NmapTFTP(ServiceScan): - def __init__(self): - super().__init__() - self.name = 'Nmap TFTP' - self.tags = ['default', 'tftp'] + def __init__(self): + super().__init__() + self.name = 'Nmap TFTP' + self.tags = ['default', 'tftp'] - def configure(self): - self.add_service_match('^tftp') + def configure(self): + self.match_service_name('^tftp') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,tftp-enum" -oN "{scandir}/{protocol}_{port}_tftp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_tftp_nmap.xml" {address}') class NmapVNC(ServiceScan): - def __init__(self): - super().__init__() - self.name = 'Nmap VNC' - self.tags = ['default', 'vnc'] + def __init__(self): + super().__init__() + self.name = 'Nmap VNC' + self.tags = ['default', 'vnc'] - def configure(self): - self.add_service_match('^vnc') + def configure(self): + self.match_service_name('^vnc') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(vnc* or realvnc* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_vnc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_vnc_nmap.xml" {address}') diff --git a/plugins/nfs.py b/plugins/nfs.py index 8210580..d47df84 100644 --- a/plugins/nfs.py +++ b/plugins/nfs.py @@ -2,26 +2,26 @@ class NmapNFS(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap NFS" - self.tags = ['default', 'nfs'] + def __init__(self): + super().__init__() + self.name = "Nmap NFS" + self.tags = ['default', 'nfs'] - def configure(self): - self.add_service_match(['^nfs', '^rpcbind']) + def configure(self): + self.match_service_name(['^nfs', '^rpcbind']) - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rpcinfo or nfs*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_nfs_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_nfs_nmap.xml" {address}') class Showmount(ServiceScan): - def __init__(self): - super().__init__() - self.name = "showmount" - self.tags = ['default', 'nfs'] + def __init__(self): + super().__init__() + self.name = "showmount" + self.tags = ['default', 'nfs'] - def configure(self): - self.add_service_match(['^nfs', '^rpcbind']) + def configure(self): + self.match_service_name(['^nfs', '^rpcbind']) - async def run(self, service): - await service.execute('showmount -e {address} 2>&1', outfile='{protocol}_{port}_showmount.txt') + async def run(self, service): + await service.execute('showmount -e {address} 2>&1', outfile='{protocol}_{port}_showmount.txt') diff --git a/plugins/rdp.py b/plugins/rdp.py index a4dc5cb..c2be577 100644 --- a/plugins/rdp.py +++ b/plugins/rdp.py @@ -2,29 +2,29 @@ class NmapRDP(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap RDP" - self.tags = ['default', 'rdp'] + def __init__(self): + super().__init__() + self.name = "Nmap RDP" + self.tags = ['default', 'rdp'] - def configure(self): - self.add_service_match(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv']) + def configure(self): + self.match_service_name(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv']) - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(rdp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_rdp_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rdp_nmap.xml" {address}') class BruteforceRDP(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Bruteforce RDP" - self.tags = ['default', 'rdp'] + def __init__(self): + super().__init__() + self.name = "Bruteforce RDP" + self.tags = ['default', 'rdp'] - def configure(self): - self.add_service_match(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv']) + def configure(self): + self.match_service_name(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv']) - def manual(self): - self.add_manual_commands('Bruteforce logins:', [ - 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}', - 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' - ]) + def manual(self): + self.add_manual_commands('Bruteforce logins:', [ + 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}', + 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' + ]) diff --git a/plugins/rpc.py b/plugins/rpc.py index 63535dd..be5beb9 100644 --- a/plugins/rpc.py +++ b/plugins/rpc.py @@ -2,26 +2,26 @@ class NmapMSRPC(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap MSRPC" - self.tags = ['default', 'rpc'] + def __init__(self): + super().__init__() + self.name = "Nmap MSRPC" + self.tags = ['default', 'rpc'] - def configure(self): - self.add_service_match(['^msrpc', '^rpcbind', '^erpc']) + def configure(self): + self.match_service_name(['^msrpc', '^rpcbind', '^erpc']) - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "{scandir}/{protocol}_{port}_rpc_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_rpc_nmap.xml" {address}') class RPCClient(ServiceScan): - def __init__(self): - super().__init__() - self.name = "rpcclient" - self.tags = ['default', 'rpc'] + def __init__(self): + super().__init__() + self.name = "rpcclient" + self.tags = ['default', 'rpc'] - def configure(self): - self.add_service_match(['^msrpc', '^rpcbind', '^erpc']) + def configure(self): + self.match_service_name(['^msrpc', '^rpcbind', '^erpc']) - def manual(self): - self.add_manual_command('RPC Client:', 'rpcclient -p {port} -U "" {address}') + def manual(self): + self.add_manual_command('RPC Client:', 'rpcclient -p {port} -U "" {address}') diff --git a/plugins/sip.py b/plugins/sip.py index da93233..7553de0 100644 --- a/plugins/sip.py +++ b/plugins/sip.py @@ -2,26 +2,26 @@ class NmapSIP(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap SIP" - self.tags = ['default', 'sip'] + def __init__(self): + super().__init__() + self.name = "Nmap SIP" + self.tags = ['default', 'sip'] - def configure(self): - self.add_service_match('^asterisk') + def configure(self): + self.match_service_name('^asterisk') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,sip-enum-users,sip-methods" -oN "{scandir}/{protocol}_{port}_sip_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_sip_nmap.xml" {address}') class SIPVicious(ServiceScan): - def __init__(self): - super().__init__() - self.name = "SIPVicious" - self.tags = ['default', 'sip'] + def __init__(self): + super().__init__() + self.name = "SIPVicious" + self.tags = ['default', 'sip'] - def configure(self): - self.add_service_match('^asterisk') + def configure(self): + self.match_service_name('^asterisk') - def manual(self): - self.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}') + def manual(self): + self.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}') diff --git a/plugins/smb.py b/plugins/smb.py index 40b84a2..e5bd73e 100644 --- a/plugins/smb.py +++ b/plugins/smb.py @@ -2,84 +2,84 @@ class NmapSMB(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap SMB" - self.tags = ['default', 'smb', 'active-directory'] + def __init__(self): + super().__init__() + self.name = "Nmap SMB" + self.tags = ['default', 'smb', 'active-directory'] - def configure(self): - self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) + def configure(self): + self.match_service_name(['^smb', '^microsoft\-ds', '^netbios']) - def manual(self): - self.add_manual_commands('Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:', [ - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}', - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}', - 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}' - ]) + def manual(self): + self.add_manual_commands('Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:', [ + 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}', + 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}', + 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}' + ]) - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_smb_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_nmap.xml" {address}') class Enum4Linux(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Enum4Linux" - self.tags = ['default', 'enum4linux', 'active-directory'] + def __init__(self): + super().__init__() + self.name = "Enum4Linux" + self.tags = ['default', 'enum4linux', 'active-directory'] - def configure(self): - self.add_service_match(['^ldap', '^smb', '^microsoft\-ds', '^netbios']) - self.add_port_match('tcp', [139, 389, 445]) - self.add_port_match('udp', 137) - self.run_once(True) + def configure(self): + self.match_service_name(['^ldap', '^smb', '^microsoft\-ds', '^netbios']) + self.match_port('tcp', [139, 389, 445]) + self.match_port('udp', 137) + self.run_once(True) - async def run(self, service): - await service.execute('enum4linux -a -M -l -d {address} 2>&1', outfile='enum4linux.txt') + async def run(self, service): + await service.execute('enum4linux -a -M -l -d {address} 2>&1', outfile='enum4linux.txt') class NBTScan(ServiceScan): - def __init__(self): - super().__init__() - self.name = "nbtscan" - self.tags = ['default', 'netbios', 'active-directory'] + def __init__(self): + super().__init__() + self.name = "nbtscan" + self.tags = ['default', 'netbios', 'active-directory'] - def configure(self): - self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) - self.add_port_match('udp', 137) - self.run_once(True) + def configure(self): + self.match_service_name(['^smb', '^microsoft\-ds', '^netbios']) + self.match_port('udp', 137) + self.run_once(True) - async def run(self, service): - await service.execute('nbtscan -rvh {address} 2>&1', outfile='nbtscan.txt') + async def run(self, service): + await service.execute('nbtscan -rvh {address} 2>&1', outfile='nbtscan.txt') class SMBClient(ServiceScan): - def __init__(self): - super().__init__() - self.name = "SMBClient" - self.tags = ['default', 'smb', 'active-directory'] + def __init__(self): + super().__init__() + self.name = "SMBClient" + self.tags = ['default', 'smb', 'active-directory'] - def configure(self): - self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) - self.add_port_match('tcp', [139, 445]) - self.run_once(True) + def configure(self): + self.match_service_name(['^smb', '^microsoft\-ds', '^netbios']) + self.match_port('tcp', [139, 445]) + self.run_once(True) - async def run(self, service): - await service.execute('smbclient -L\\\\ -N -I {address} 2>&1', outfile='smbclient.txt') + async def run(self, service): + await service.execute('smbclient -L\\\\ -N -I {address} 2>&1', outfile='smbclient.txt') class SMBMap(ServiceScan): - def __init__(self): - super().__init__() - self.name = "SMBMap" - self.tags = ['default', 'smb', 'active-directory'] - - def configure(self): - self.add_service_match(['^smb', '^microsoft\-ds', '^netbios']) - - async def run(self, service): - await service.execute('smbmap -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') - await service.execute('smbmap -u null -p "" -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') - await service.execute('smbmap -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') - await service.execute('smbmap -u null -p "" -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') - await service.execute('smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') - await service.execute('smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') + def __init__(self): + super().__init__() + self.name = "SMBMap" + self.tags = ['default', 'smb', 'active-directory'] + + def configure(self): + self.match_service_name(['^smb', '^microsoft\-ds', '^netbios']) + + async def run(self, service): + await service.execute('smbmap -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') + await service.execute('smbmap -u null -p "" -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') + await service.execute('smbmap -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') + await service.execute('smbmap -u null -p "" -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') + await service.execute('smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') + await service.execute('smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') diff --git a/plugins/snmp.py b/plugins/snmp.py index 83d552f..05b63ce 100644 --- a/plugins/snmp.py +++ b/plugins/snmp.py @@ -2,51 +2,51 @@ class NmapSNMP(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap SNMP" - self.tags = ['default', 'snmp'] + def __init__(self): + super().__init__() + self.name = "Nmap SNMP" + self.tags = ['default', 'snmp'] - def configure(self): - self.add_service_match('^snmp') + def configure(self): + self.match_service_name('^snmp') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_snmp-nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_snmp_nmap.xml" {address}') class OneSixtyOne(ServiceScan): - def __init__(self): - super().__init__() - self.name = "OneSixtyOne" - self.tags = ['default', 'snmp'] + def __init__(self): + super().__init__() + self.name = "OneSixtyOne" + self.tags = ['default', 'snmp'] - def configure(self): - self.add_service_match('^snmp') - self.add_port_match('udp', 161) - self.run_once(True) - self.add_option('community-strings', default='/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt', help='The file containing a list of community strings to try. Default: %(default)s') + def configure(self): + self.match_service_name('^snmp') + self.match_port('udp', 161) + self.run_once(True) + self.add_option('community-strings', default='/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt', help='The file containing a list of community strings to try. Default: %(default)s') - async def run(self, service): - await service.execute('onesixtyone -c ' + service.get_option('community-strings') + ' -dd {address} 2>&1', outfile='{protocol}_{port}_snmp_onesixtyone.txt') + async def run(self, service): + await service.execute('onesixtyone -c ' + service.get_option('community-strings') + ' -dd {address} 2>&1', outfile='{protocol}_{port}_snmp_onesixtyone.txt') class SNMPWalk(ServiceScan): - def __init__(self): - super().__init__() - self.name = "SNMPWalk" - self.tags = ['default', 'snmp'] - - def configure(self): - self.add_service_match('^snmp') - self.add_port_match('udp', 161) - self.run_once(True) - - async def run(self, service): - await service.execute('snmpwalk -c public -v 1 {address} 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk.txt') - await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_system_processes.txt') - await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1', outfile='{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt') - await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_process_paths.txt') - await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_storage_units.txt') - await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_software_names.txt') - await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_user_accounts.txt') - await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt') + def __init__(self): + super().__init__() + self.name = "SNMPWalk" + self.tags = ['default', 'snmp'] + + def configure(self): + self.match_service_name('^snmp') + self.match_port('udp', 161) + self.run_once(True) + + async def run(self, service): + await service.execute('snmpwalk -c public -v 1 {address} 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.1.6.0 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_system_processes.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.2 2>&1', outfile='{scandir}/{protocol}_{port}_snmp_snmpwalk_running_processes.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.4.2.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_process_paths.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_storage_units.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.25.2.3.1.4 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_software_names.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.4.1.77.1.2.25 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_user_accounts.txt') + await service.execute('snmpwalk -c public -v 1 {address} 1.3.6.1.2.1.6.13.1.3 2>&1', outfile='{protocol}_{port}_snmp_snmpwalk_tcp_ports.txt') diff --git a/plugins/ssh.py b/plugins/ssh.py index 637c390..07e0d97 100644 --- a/plugins/ssh.py +++ b/plugins/ssh.py @@ -2,29 +2,29 @@ class NmapSSH(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Nmap SSH" - self.tags = ['default', 'ssh'] + def __init__(self): + super().__init__() + self.name = "Nmap SSH" + self.tags = ['default', 'ssh'] - def configure(self): - self.add_service_match('^ssh') + def configure(self): + self.match_service_name('^ssh') - async def run(self, service): - await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}') + async def run(self, service): + await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,ssh2-enum-algos,ssh-hostkey,ssh-auth-methods" -oN "{scandir}/{protocol}_{port}_ssh_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_ssh_nmap.xml" {address}') class BruteforceSSH(ServiceScan): - def __init__(self): - super().__init__() - self.name = "Bruteforce SSH" - self.tags = ['default', 'ssh'] + def __init__(self): + super().__init__() + self.name = "Bruteforce SSH" + self.tags = ['default', 'ssh'] - def configure(self): - self.add_service_match('ssh') + def configure(self): + self.match_service_name('ssh') - def manual(self): - self.add_manual_command('Bruteforce logins:', [ - 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}', - 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' - ]) + def manual(self): + self.add_manual_command('Bruteforce logins:', [ + 'hydra -L "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}', + 'medusa -U "' + self.get_global('username_wordlist') + '" -P "' + self.get_global('password_wordlist') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' + ]) diff --git a/plugins/sslscan.py b/plugins/sslscan.py index c9a8833..1ece982 100644 --- a/plugins/sslscan.py +++ b/plugins/sslscan.py @@ -2,15 +2,15 @@ class SSLScan(ServiceScan): - def __init__(self): - super().__init__() - self.name = "SSL Scan" - self.tags = ['default', 'ssl', 'tls'] + def __init__(self): + super().__init__() + self.name = "SSL Scan" + self.tags = ['default', 'ssl', 'tls'] - def configure(self): - self.add_service_match('.+') - self.require_ssl(True) + def configure(self): + self.match_service_name('.+') + self.require_ssl(True) - async def run(self, service): - if service.protocol == 'tcp' and service.secure: - await service.execute('sslscan --show-certificate --no-colour {address}:{port} 2>&1', outfile='{protocol}_{port}_sslscan.html') + async def run(self, service): + if service.protocol == 'tcp' and service.secure: + await service.execute('sslscan --show-certificate --no-colour {address}:{port} 2>&1', outfile='{protocol}_{port}_sslscan.html')