From 37a5cfb4eed67532f76f75552eda101a1573fd80 Mon Sep 17 00:00:00 2001 From: Tib3rius <48113936+Tib3rius@users.noreply.github.com> Date: Sat, 14 Aug 2021 19:41:10 -0400 Subject: [PATCH] Updated Manual Commands Manual commands function manual() now requires two arguments to make it more advanced. --- autorecon.py | 69 ++++++++++++++++++++++++-------------------- plugins/databases.py | 20 ++++++------- plugins/ftp.py | 4 +-- plugins/http.py | 24 +++++++-------- plugins/ldap.py | 4 +-- plugins/misc.py | 4 +-- plugins/rdp.py | 4 +-- plugins/rpc.py | 4 +-- plugins/sip.py | 4 +-- plugins/smb.py | 4 +-- plugins/ssh.py | 4 +-- 11 files changed, 76 insertions(+), 69 deletions(-) diff --git a/autorecon.py b/autorecon.py index 485c831..0bec848 100644 --- a/autorecon.py +++ b/autorecon.py @@ -86,6 +86,7 @@ class Service: self.port = int(port) self.name = name self.secure = secure + self.manual_commands = {} @final def tag(self): @@ -95,6 +96,20 @@ class Service: def full_tag(self): return self.protocol + '/' + str(self.port) + '/' + self.name + '/' + ('secure' if self.secure else 'insecure') + @final + def add_manual_commands(self, description, commands): + if not isinstance(commands, list): + commands = [commands] + if description not in self.manual_commands: + self.manual_commands[description] = [] + + # Merge in new unique commands, while preserving order. + [self.manual_commands[description].append(m) for m in commands if m not in self.manual_commands[description]] + + @final + def add_manual_command(self, description, command): + self.add_manual_commands(description, command) + @final async def execute(self, cmd, blocking=True, outfile=None, errfile=None): target = self.target @@ -209,7 +224,6 @@ class Plugin(object): self.tags = ['default'] self.priority = 1 self.patterns = [] - self.manual_commands = {} self.autorecon = None self.disabled = False 
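Review bot: In the new Service.add_manual_commands (hunk `@@ -95,6 +96,20 @@`) a list comprehension is evaluated only for its append side effect and its result thrown away, which hides the loop and allocates a list of None for nothing; a plain loop over a setdefault bucket reads as what it does: `bucket = self.manual_commands.setdefault(description, [])`, `for command in commands:`, `    if command not in bucket: bucket.append(command)`. The `isinstance(commands, list)` test also means a tuple of commands is wrapped as a single element rather than iterated; if that is not intended, `isinstance(commands, (list, tuple))` is the minimal widening. These methods were moved verbatim from Plugin (removed in `@@ -264,20 +278,6 @@`), so the same remarks applied there. A short docstring stating that commands are grouped under a description and deduplicated in insertion order would help plugin authors, since this is now the public API they call.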
@@ -264,20 +278,6 @@ class Plugin(object): def get_global(self, name, default=None): return self.get_global_option(name, default) - @final - def add_manual_commands(self, description, commands): - if not isinstance(commands, list): - commands = [commands] - if description not in self.manual_commands: - self.manual_commands[description] = [] - - # Merge in new unique commands, while preserving order. - [self.manual_commands[description].append(m) for m in commands if m not in self.manual_commands[description]] - - @final - def add_manual_command(self, description, command): - self.add_manual_commands(description, command) - @final def add_pattern(self, pattern, description=None): try: @@ -470,8 +470,12 @@ class AutoRecon(object): if member_name == 'configure': configure_function_found = True elif member_name == 'run' and inspect.iscoroutinefunction(member_value): + if len(inspect.signature(member_value).parameters) != 2: + fail('Error: the "run" coroutine in the plugin "' + plugin.name + '" should have two arguments.', file=sys.stderr) run_coroutine_found = True elif member_name == 'manual': + if len(inspect.signature(member_value).parameters) != 3: + fail('Error: the "manual" function in the plugin "' + plugin.name + '" should have three arguments.', file=sys.stderr) manual_function_found = True if not run_coroutine_found and not manual_function_found: @@ -913,6 +917,7 @@ async def scan_target(target): heading = False for plugin in target.autorecon.plugin_types['service']: + plugin_was_run = False plugin_service_match = False plugin_tag = service.tag() + '/' + plugin.slug 
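Review bot: The two argument-count checks added in `@@ -470,8 +470,12 @@` look off by one if `member_value` is a bound method: `inspect.signature()` on a bound method omits `self`, so `run(self, service)` reports 1 parameter and `manual(self, service, plugin_was_run)` reports 2, and with `!= 2` / `!= 3` every plugin touched by this patch would be rejected by `fail()`. The loop header is outside the hunk so this is inferred, but the scan-time loop in the later hunk (`@@ -971`) iterates the same kind of object with `predicate=inspect.ismethod`, which yields bound methods, and the commit description itself says manual() "requires two arguments" while the error text says three. If that reading is right the lines should be `if len(inspect.signature(member_value).parameters) != 1:` and `if len(inspect.signature(member_value).parameters) != 2:` with the messages adjusted to "a single argument (service)" and "two arguments (service, plugin_was_run)". Naming the expected parameters in the message would make the failure actionable for plugin authors either way.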
@@ -971,18 +976,26 @@ async def scan_target(target): continue # TODO: check if plugin matches tags, BUT run manual commands anyway! + plugin_was_run = True matching_plugins.append(plugin) - if plugin.manual_commands and (not plugin.run_once_boolean or (plugin.run_once_boolean and (plugin.slug,) not in target.scans)): - with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file: - if not heading: - file.write(e('[*] {service.name} on {service.protocol}/{service.port}\n\n')) - heading = True - for description, commands in plugin.manual_commands.items(): - file.write('\t[-] ' + e(description) + '\n\n') - for command in commands: - file.write('\t\t' + e(command) + '\n\n') - file.flush() + for member_name, _ in inspect.getmembers(plugin, predicate=inspect.ismethod): + if member_name == 'manual': + plugin.manual(service, plugin_was_run) + + if service.manual_commands and (not plugin.run_once_boolean or (plugin.run_once_boolean and (plugin.slug,) not in target.scans)): + with open(os.path.join(scandir, '_manual_commands.txt'), 'a') as file: + if not heading: + file.write(e('[*] {service.name} on {service.protocol}/{service.port}\n\n')) + heading = True + for description, commands in service.manual_commands.items(): + file.write('\t[-] ' + e(description) + '\n\n') + for command in commands: + file.write('\t\t' + e(command) + '\n\n') + file.flush() + + service.manual_commands = {} + break break @@ -1281,12 +1294,6 @@ async def main(): # Remove duplicate lists from list. [autorecon.excluded_tags.append(t) for t in excluded_tags if t not in autorecon.excluded_tags] - # Generate manual commands. - for _, plugin in autorecon.plugins.items(): - for member_name, _ in inspect.getmembers(plugin, predicate=inspect.ismethod): - if member_name == 'manual': - plugin.manual() - raw_targets = args.targets if len(args.target_file) > 0: diff --git a/plugins/databases.py b/plugins/databases.py index e96d8a6..7b03051 100644 --- a/plugins/databases.py +++ b/plugins/databases.py 
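Review bot: `plugin_was_run` is assigned True on the line directly before the only call `plugin.manual(service, plugin_was_run)`, and the `plugin_was_run = False` initialisation added in `@@ -913,6 +917,7 @@` never reaches a call, so every manual() in this patch receives a constant True and the flag carries no information until the TODO above it (running manual commands for plugins that do not match) is implemented; a comment such as `# plugin_was_run is always True here until non-matching plugins also get manual()` would stop readers from relying on it. With indentation lost in the diff it is unclear whether `service.manual_commands = {}` sits inside the `if service.manual_commands and (...)` block; if it does, commands collected while the run_once condition is false are never cleared and would be written under the next plugin's heading for the same service. Calling `inspect.getmembers(plugin, predicate=inspect.ismethod)` once per service per plugin inside the scan loop is also heavier than needed; `manual = getattr(plugin, 'manual', None)` followed by `if callable(manual): manual(service, plugin_was_run)` does the same without reflecting over every attribute. scan_target's body continues outside the hunk.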
@@ -23,8 +23,8 @@ class NmapMSSQL(ServiceScan): def configure(self): self.match_service_name(['^mssql', '^ms\-sql']) - def manual(self): - self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') + def manual(self, service, plugin_was_run): + service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') async def run(self, service): await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}') @@ -39,8 +39,8 @@ class NmapMYSQL(ServiceScan): def configure(self): self.match_service_name('^mysql') - def manual(self): - self.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') + def manual(self, service, plugin_was_run): + service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') async def run(self, service): await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}') 
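Review bot: The description and command added for NmapMYSQL in `@@ -39,8 +39,8 @@` are byte-identical to NmapMSSQL's (`'(sqsh) interactive database shell:'`, `'sqsh -U -P -S {address}:{port}'`), which looks like a copy-paste: sqsh is a TDS client for Sybase/MS SQL and does not speak the MySQL protocol, so the hint a user copies out of _manual_commands.txt will not work against the service it was written for. The MySQL plugin should name the MySQL client instead, e.g. `service.add_manual_command('(mysql) interactive database shell:', 'mysql -h {address} -P {port} -u <user> -p')` with `<user>` left as a placeholder for the reader to fill in. Separately, the MSSQL command passes `-U -P` with no values, which sqsh's option parsing will most likely read as the username "-P"; that text is unchanged by the patch but is now emitted via the new call.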
@@ -55,8 +55,8 @@ class NmapOracle(ServiceScan): def configure(self): self.match_service_name('^oracle') - def manual(self): - self.add_manual_command('Brute-force SIDs using Nmap:', 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}') + def manual(self, service, plugin_was_run): + service.add_manual_command('Brute-force SIDs using Nmap:', 'nmap {nmap_extra} -sV -p {port} --script="banner,oracle-sid-brute" -oN "{scandir}/{protocol}_{port}_oracle_sid-brute_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_sid-brute_nmap.xml" {address}') async def run(self, service): await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(oracle* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_oracle_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_oracle_nmap.xml" {address}') @@ -98,8 +98,8 @@ class OracleODAT(ServiceScan): def configure(self): self.match_service_name('^oracle') - def manual(self): - self.add_manual_commands('Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:', [ + def manual(self, service, plugin_was_run): + service.add_manual_commands('Install ODAT (https://github.com/quentinhardy/odat) and run the following commands:', [ 'python odat.py tnscmd -s {address} -p {port} --ping', 'python odat.py tnscmd -s {address} -p {port} --version', 'python odat.py tnscmd -s {address} -p {port} --status', 
@@ -118,5 +118,5 @@ class OraclePatator(ServiceScan): def configure(self): self.match_service_name('^oracle') - def manual(self): - self.add_manual_command('Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:', 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000') + def manual(self, service, plugin_was_run): + service.add_manual_command('Install Oracle Instant Client (https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux) and then bruteforce with patator:', 'patator oracle_login host={address} port={port} user=COMBO00 password=COMBO01 0=/usr/share/seclists/Passwords/Default-Credentials/oracle-betterdefaultpasslist.txt -x ignore:code=ORA-01017 -x ignore:code=ORA-28000') diff --git a/plugins/ftp.py b/plugins/ftp.py index 456c44e..90a3b6f 100644 --- a/plugins/ftp.py +++ b/plugins/ftp.py 
@@ -23,8 +23,8 @@ class BruteforceFTP(ServiceScan): def configure(self): self.match_service_name(['^ftp', '^ftp\-data']) - def manual(self): - self.add_manual_commands('Bruteforce logins:', [ + def manual(self, service, plugin_was_run): + service.add_manual_commands('Bruteforce logins:', [ 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' ]) diff --git a/plugins/http.py b/plugins/http.py index 7a3321b..866cde3 100644 --- a/plugins/http.py +++ b/plugins/http.py 
@@ -29,8 +29,8 @@ class BruteforceHTTP(ServiceScan): self.match_service_name('^http') self.match_service_name('^nacn_http$', negative_match=True) - def manual(self): - self.add_manual_commands('Credential bruteforcing commands (don\'t run these without modifying them):', [ + def manual(self, service, plugin_was_run): + service.add_manual_commands('Credential bruteforcing commands (don\'t run these without modifying them):', [ 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_auth_hydra.txt" {http_scheme}-get://{address}/path/to/auth/area', 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area', 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_form_hydra.txt" {http_scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', 
@@ -85,28 +85,28 @@ class DirBuster(ServiceScan): self.match_service_name('^http') self.match_service_name('^nacn_http$', negative_match=True) - def manual(self): - self.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ + def manual(self, service, plugin_was_run): + service.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ 'feroxbuster -u {http_scheme}://{address}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_big.txt', 'feroxbuster -u {http_scheme}://{address}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt' ]) - self.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ + service.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ 'gobuster dir -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', 'gobuster dir -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' ]) - self.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ + 
service.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ 'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_big.txt"', 'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"' ]) - self.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [ + service.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [ 'dirb {http_scheme}://{address}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_big.txt"', 'dirb {http_scheme}://{address}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"' ]) - self.add_manual_command('(gobuster v1 & v2) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ + service.add_manual_command('(gobuster v1 & v2) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ 'gobuster -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', 'gobuster -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w 
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' ]) @@ -136,8 +136,8 @@ class Nikto(ServiceScan): self.match_service_name('^http') self.match_service_name('^nacn_http$', negative_match=True) - def manual(self): - self.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"') + def manual(self, service, plugin_was_run): + service.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"') class WhatWeb(ServiceScan): @@ -182,5 +182,5 @@ class WPScan(ServiceScan): self.match_service_name('^http') self.match_service_name('^nacn_http$', negative_match=True) - def manual(self): - self.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"') + def manual(self, service, plugin_was_run): + service.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"') diff --git a/plugins/ldap.py b/plugins/ldap.py index 2a08dca..3a6a53a 100644 --- a/plugins/ldap.py +++ b/plugins/ldap.py 
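Review bot: DirBuster.manual (`@@ -85,28 +85,28 @@`) calls the singular `service.add_manual_command(...)` five times with a two-element list each time; it only works because add_manual_commands accepts either shape, and the singular name contradicts the plural argument, which will surprise anyone reading the plugin API. The same pattern is in LDAPSearch (`plugins/ldap.py`), SMTPUserEnum (`plugins/misc.py`) and BruteforceSSH (`plugins/ssh.py`); for list arguments use `service.add_manual_commands(description, [...])` as the FTP, RDP, SMB and ODAT plugins already do. The `plugin_was_run` parameter is unused in every manual() in this patch, so a one-line docstring on one of them explaining that it is part of the required signature would save the next reader from hunting for a use.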
@@ -23,7 +23,7 @@ class LDAPSearch(ServiceScan): def configure(self): self.match_service_name('^ldap') - def manual(self): - self.add_manual_command('ldapsearch command (modify before running):', [ + def manual(self, service, plugin_was_run): + service.add_manual_command('ldapsearch command (modify before running):', [ 'ldapsearch -x -D "" -w """ -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*) 2>&1 | tee > "{scandir}/{protocol}_{port}_ldap_all-entries.txt"' ]) diff --git a/plugins/misc.py b/plugins/misc.py index adf570e..ec847ec 100644 --- a/plugins/misc.py +++ b/plugins/misc.py @@ -131,8 +131,8 @@ class SMTPUserEnum(ServiceScan): await service.execute('hydra smtp-enum://{address}:{port}/vrfy -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" 2>&1', outfile='{protocol}_{port}_smtp_user-enum_hydra_vrfy.txt') await service.execute('hydra smtp-enum://{address}:{port}/expn -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" 2>&1', outfile='{protocol}_{port}_smtp_user-enum_hydra_expn.txt') - def manual(self): - self.add_manual_command('Try User Enumeration using "RCPT TO". Replace with the target\'s domain name:', [ + def manual(self, service, plugin_was_run): + service.add_manual_command('Try User Enumeration using "RCPT TO". Replace with the target\'s domain name:', [ 'hydra smtp-enum://{address}:{port}/rcpt -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -o "{scandir}/{protocol}_{port}_smtp_user-enum_hydra_rcpt.txt" -p ' ]) diff --git a/plugins/rdp.py b/plugins/rdp.py index f1dce27..d53a191 100644 --- a/plugins/rdp.py +++ b/plugins/rdp.py 
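Review bot: The ldapsearch template that the new `service.add_manual_command(...)` call in LDAPSearch emits appears to have unbalanced quoting: `-w """` leaves a third double quote open, the filter `"(objectclass=*)` is never closed, and `tee > "..."` redirects tee's own stdout into the file instead of passing the file name to tee. The string is a context line, so the problem predates this patch, but the commit is the one now wiring it into _manual_commands.txt; a consistent form would be `ldapsearch -x -D "" -w "" -p {port} -h {address} -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee "{scandir}/{protocol}_{port}_ldap_all-entries.txt"`. The description already tells the user to modify the command before running it, which is the right caveat to keep.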
@@ -23,8 +23,8 @@ class BruteforceRDP(ServiceScan): def configure(self): self.match_service_name(['^rdp', '^ms\-wbt\-server', '^ms\-term\-serv']) - def manual(self): - self.add_manual_commands('Bruteforce logins:', [ + def manual(self, service, plugin_was_run): + service.add_manual_commands('Bruteforce logins:', [ 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}', 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' ]) diff --git a/plugins/rpc.py b/plugins/rpc.py index be5beb9..e4d2419 100644 --- a/plugins/rpc.py +++ b/plugins/rpc.py @@ -23,5 +23,5 @@ class RPCClient(ServiceScan): def configure(self): self.match_service_name(['^msrpc', '^rpcbind', '^erpc']) - def manual(self): - self.add_manual_command('RPC Client:', 'rpcclient -p {port} -U "" {address}') + def manual(self, service, plugin_was_run): + service.add_manual_command('RPC Client:', 'rpcclient -p {port} -U "" {address}') diff --git a/plugins/sip.py b/plugins/sip.py index 7553de0..a7ce898 100644 --- a/plugins/sip.py +++ b/plugins/sip.py @@ -23,5 +23,5 @@ class SIPVicious(ServiceScan): def configure(self): self.match_service_name('^asterisk') - def manual(self): - self.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}') + def manual(self, service, plugin_was_run): + service.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}') diff --git a/plugins/smb.py b/plugins/smb.py index e5bd73e..88da54e 100644 --- a/plugins/smb.py 
+++ b/plugins/smb.py @@ -10,8 +10,8 @@ class NmapSMB(ServiceScan): def configure(self): self.match_service_name(['^smb', '^microsoft\-ds', '^netbios']) - def manual(self): - self.add_manual_commands('Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:', [ + def manual(self, service, plugin_was_run): + service.add_manual_commands('Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:', [ 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms06-025" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms06-025.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms06-025.xml" {address}', 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms07-029" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms07-029.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms07-029.xml" {address}', 'nmap {nmap_extra} -sV -p {port} --script="smb-vuln-ms08-067" --script-args="unsafe=1" -oN "{scandir}/{protocol}_{port}_smb_ms08-067.txt" -oX "{scandir}/xml/{protocol}_{port}_smb_ms08-067.xml" {address}' diff --git a/plugins/ssh.py b/plugins/ssh.py index d57d30e..bb75718 100644 --- a/plugins/ssh.py +++ b/plugins/ssh.py 
@@ -23,8 +23,8 @@ class BruteforceSSH(ServiceScan): def configure(self): self.match_service_name('ssh') - def manual(self): - self.add_manual_command('Bruteforce logins:', [ + def manual(self, service, plugin_was_run): + service.add_manual_command('Bruteforce logins:', [ 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}', 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' ])