From 76dab09f5e8f9ca6eff52fd7b505f636c4f45ea9 Mon Sep 17 00:00:00 2001 From: Tib3rius <48113936+Tib3rius@users.noreply.github.com> Date: Sun, 29 Aug 2021 17:59:38 -0400 Subject: [PATCH] IPv6 Plugin Support + Bug Fix Added a lot of plugin support for IPv6. Added new {addressv6} template variable. Fixed bug in new --ports feature. Added correct global.toml file. --- autorecon.py | 39 ++++++++++++++++++----------- global.toml | 12 +++++++++ plugins/databases.py | 11 ++++++--- plugins/ftp.py | 4 +-- plugins/http.py | 59 ++++++++++++++++++++++++-------------------- plugins/rdp.py | 4 +-- plugins/rsync.py | 2 +- plugins/sip.py | 3 ++- plugins/smb.py | 19 ++++++++------ plugins/smtp.py | 6 ++--- plugins/snmp.py | 3 ++- plugins/ssh.py | 4 +-- plugins/sslscan.py | 2 +- 13 files changed, 101 insertions(+), 67 deletions(-) diff --git a/autorecon.py b/autorecon.py index 25fcdd5..8cd5543 100644 --- a/autorecon.py +++ b/autorecon.py @@ -58,6 +58,7 @@ class Target: # Create variables for command references. address = target.address + addressv6 = target.address scandir = target.scandir nmap_extra = self.autorecon.args.nmap @@ -66,6 +67,7 @@ class Target: if target.type == 'IPv6': nmap_extra += ' -6' + addressv6 = '[' + addressv6 + ']' plugin = inspect.currentframe().f_back.f_locals['self'] @@ -136,6 +138,7 @@ class Service: # Create variables for command references. address = target.address + addressv6 = target.address scandir = target.scandir protocol = self.protocol port = self.port @@ -158,6 +161,7 @@ class Service: if self.target.type == 'IPv6': nmap_extra += ' -6' + addressv6 = '[' + addressv6 + ']' plugin = inspect.currentframe().f_back.f_locals['self'] @@ -849,22 +853,23 @@ def handle_keyboard(key): info('{bgreen}' + current_time + '{rst} - There is {byellow}1{rst} scan still running against {byellow}' + target.address + '{rst}' + tasks_list) async def port_scan(plugin, target): - if autorecon.config['ports']['tcp'] or autorecon.config['ports']['udp']: - target.ports = {'tcp':None, 'udp':None} - if autorecon.config['ports']['tcp']: - target.ports['tcp'] = ','.join(autorecon.config['ports']['tcp']) - if autorecon.config['ports']['udp']: - target.ports['udp'] = ','.join(autorecon.config['ports']['udp']) - if plugin.type is None: - warn('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} does not have a type set, and --ports was used. Skipping.') - return {'type':'port', 'plugin':plugin, 'result':[]} - else: - if plugin.type == 'tcp' and not autorecon.config['ports']['tcp']: - warn('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} is a TCP port scan but no TCP ports were set using --ports. Skipping') - return {'type':'port', 'plugin':plugin, 'result':[]} - elif plugin.type == 'udp' and not autorecon.config['ports']['udp']: - warn('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} is a UDP port scan but no UDP ports were set using --ports. Skipping') + if autorecon.config['ports']: + if autorecon.config['ports']['tcp'] or autorecon.config['ports']['udp']: + target.ports = {'tcp':None, 'udp':None} + if autorecon.config['ports']['tcp']: + target.ports['tcp'] = ','.join(autorecon.config['ports']['tcp']) + if autorecon.config['ports']['udp']: + target.ports['udp'] = ','.join(autorecon.config['ports']['udp']) + if plugin.type is None: + warn('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} does not have a type set, and --ports was used. Skipping.') return {'type':'port', 'plugin':plugin, 'result':[]} + else: + if plugin.type == 'tcp' and not autorecon.config['ports']['tcp']: + warn('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} is a TCP port scan but no TCP ports were set using --ports. Skipping') + return {'type':'port', 'plugin':plugin, 'result':[]} + elif plugin.type == 'udp' and not autorecon.config['ports']['udp']: + warn('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} is a UDP port scan but no UDP ports were set using --ports. Skipping') + return {'type':'port', 'plugin':plugin, 'result':[]} async with target.autorecon.port_scan_semaphore: info('Port scan {bblue}' + plugin.name + ' (' + plugin.slug + '){rst} running against {byellow}' + target.address + '{rst}') @@ -951,6 +956,7 @@ async def service_scan(plugin, service): async with semaphore: # Create variables for fformat references. address = service.target.address + addressv6 = service.target.address scandir = service.target.scandir protocol = service.protocol port = service.port @@ -968,6 +974,7 @@ async def service_scan(plugin, service): if service.target.type == 'IPv6': nmap_extra += ' -6' + addressv6 = '[' + addressv6 + ']' tag = service.tag() + '/' + plugin.slug @@ -1146,6 +1153,7 @@ async def scan_target(target): # Create variables for command references. address = target.address + addressv6 = target.address scandir = target.scandir protocol = service.protocol port = service.port @@ -1162,6 +1170,7 @@ async def scan_target(target): if target.type == 'IPv6': nmap_extra += ' -6' + addressv6 = '[' + addressv6 + ']' service_match = False matching_plugins = [] diff --git a/global.toml b/global.toml index 7dbe866..5ef1da5 100644 --- a/global.toml +++ b/global.toml @@ -8,3 +8,15 @@ help = 'A wordlist of passwords, useful for bruteforcing. Default: %(default)s' [global.domain] help = 'The domain to use (if known). Used for DNS and/or Active Directory. Default: %(default)s' + +# Configure global pattern matching here. +[[pattern]] +description = 'Nmap script found a potential vulnerability. ({match})' +pattern = 'State: (?:(?:LIKELY\_?)?VULNERABLE)' + +[[pattern]] +pattern = '(?i)unauthorized' + +[[pattern]] +description = 'CVE Identified: {match}' +pattern = '(CVE-\d{4}-\d{4,7})' diff --git a/plugins/databases.py b/plugins/databases.py index b45d320..a791ac0 100644 --- a/plugins/databases.py +++ b/plugins/databases.py @@ -24,7 +24,8 @@ class NmapMSSQL(ServiceScan): self.match_service_name(['^mssql', '^ms\-sql']) def manual(self, service, plugin_was_run): - service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') + if service.target.type == 'IPv4': + service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') async def run(self, service): await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa" -oN "{scandir}/{protocol}_{port}_mssql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mssql_nmap.xml" {address}') @@ -40,7 +41,8 @@ class NmapMYSQL(ServiceScan): self.match_service_name('^mysql') def manual(self, service, plugin_was_run): - service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') + if service.target.type == 'IPv4': + service.add_manual_command('(sqsh) interactive database shell:', 'sqsh -U -P -S {address}:{port}') async def run(self, service): await service.execute('nmap {nmap_extra} -sV -p {port} --script="banner,(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "{scandir}/{protocol}_{port}_mysql_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_mysql_nmap.xml" {address}') @@ -72,8 +74,9 @@ class OracleTNScmd(ServiceScan): self.match_service_name('^oracle') async def run(self, service): - await service.execute('tnscmd10g ping -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_ping.txt') - await service.execute('tnscmd10g version -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_version.txt') + if service.target.type == 'IPv4': + await service.execute('tnscmd10g ping -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_ping.txt') + await service.execute('tnscmd10g version -h {address} -p {port} 2>&1', outfile='{protocol}_{port}_oracle_tnscmd_version.txt') class OracleScanner(ServiceScan): diff --git a/plugins/ftp.py b/plugins/ftp.py index 386a0db..cb9b7ca 100644 --- a/plugins/ftp.py +++ b/plugins/ftp.py @@ -25,6 +25,6 @@ class BruteforceFTP(ServiceScan): def manual(self, service, plugin_was_run): service.add_manual_commands('Bruteforce logins:', [ - 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{address}', - 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {address}' + 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ftp_hydra.txt" ftp://{addressv6}', + 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ftp_medusa.txt" -M ftp -h {addressv6}' ]) diff --git a/plugins/http.py b/plugins/http.py index 961bf5c..97b5b89 100644 --- a/plugins/http.py +++ b/plugins/http.py @@ -31,10 +31,10 @@ class BruteforceHTTP(ServiceScan): def manual(self, service, plugin_was_run): service.add_manual_commands('Credential bruteforcing commands (don\'t run these without modifying them):', [ - 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_auth_hydra.txt" {http_scheme}-get://{address}/path/to/auth/area', - 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_auth_medusa.txt" -M http -h {address} -m DIR:/path/to/auth/area', - 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_form_hydra.txt" {http_scheme}-post-form://{address}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', - 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_form_medusa.txt" -M web-form -h {address} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"' + 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_auth_hydra.txt" {http_scheme}-get://{addressv6}/path/to/auth/area', + 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_auth_medusa.txt" -M http -h {addressv6} -m DIR:/path/to/auth/area', + 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_{http_scheme}_form_hydra.txt" {http_scheme}-post-form://{addressv6}/path/to/login.php:username=^USER^&password=^PASS^:invalid-login-message', + 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_{http_scheme}_form_medusa.txt" -M web-form -h {addressv6} -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"' ]) class Curl(ServiceScan): @@ -52,7 +52,7 @@ class Curl(ServiceScan): async def run(self, service): if service.protocol == 'tcp': - await service.execute('curl -sSik {http_scheme}://{address}:{port}' + self.get_option('path'), outfile='{protocol}_{port}_{http_scheme}_curl.html') + await service.execute('curl -sSik {http_scheme}://{addressv6}:{port}' + self.get_option('path'), outfile='{protocol}_{port}_{http_scheme}_curl.html') class CurlRobots(ServiceScan): @@ -67,7 +67,7 @@ class CurlRobots(ServiceScan): async def run(self, service): if service.protocol == 'tcp': - _, stdout, _ = await service.execute('curl -sSikf {http_scheme}://{address}:{port}/robots.txt') + _, stdout, _ = await service.execute('curl -sSikf {http_scheme}://{addressv6}:{port}/robots.txt') lines = await stdout.readlines() if lines: @@ -99,40 +99,44 @@ class DirBuster(ServiceScan): for wordlist in self.get_option('wordlist'): name = os.path.splitext(os.path.basename(wordlist))[0] if self.get_option('tool') == 'feroxbuster': - await service.execute('feroxbuster -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x ' + self.get_option('ext') + ' -v -k -n -q -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"') + await service.execute('feroxbuster -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -x ' + self.get_option('ext') + ' -v -k -n -q -o "{scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_' + name + '.txt"') elif self.get_option('tool') == 'gobuster': - await service.execute('gobuster dir -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e -k -x "' + self.get_option('ext') + '" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_' + name + '.txt"') + await service.execute('gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e -k -x "' + self.get_option('ext') + '" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_' + name + '.txt"') elif self.get_option('tool') == 'dirsearch': - await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -e ' + self.get_option('ext') + ' -f -q -w ' + wordlist + ' --format=plain -o "{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"') + if service.target.type == 'IPv6': + error('dirsearch does not support IPv6.') + else: + await service.execute('dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -e ' + self.get_option('ext') + ' -f -q -w ' + wordlist + ' --format=plain -o "{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_' + name + '.txt"') elif self.get_option('tool') == 'ffuf': - await service.execute('ffuf -u {http_scheme}://{address}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e "' + dot_extensions + '" -v -noninteractive | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_' + name + '.txt') + await service.execute('ffuf -u {http_scheme}://{addressv6}:{port}/FUZZ -t ' + str(self.get_option('threads')) + ' -w ' + wordlist + ' -e "' + dot_extensions + '" -v -noninteractive | tee {scandir}/{protocol}_{port}_{http_scheme}_ffuf_' + name + '.txt') elif self.get_option('tool') == 'dirb': - await service.execute('dirb {http_scheme}://{address}:{port}/ ' + wordlist + ' -l -r -S -X ",' + dot_extensions + '" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_' + name + '.txt"') + await service.execute('dirb {http_scheme}://{addressv6}:{port}/ ' + wordlist + ' -l -r -S -X ",' + dot_extensions + '" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_' + name + '.txt"') def manual(self, service, plugin_was_run): service.add_manual_command('(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ - 'feroxbuster -u {http_scheme}://{address}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_big.txt', - 'feroxbuster -u {http_scheme}://{address}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt' + 'feroxbuster -u {http_scheme}://{addressv6}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_big.txt', + 'feroxbuster -u {http_scheme}://{addressv6}:{port} -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{http_scheme}_feroxbuster_dirbuster.txt' ]) service.add_manual_command('(gobuster v3) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ - 'gobuster dir -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', - 'gobuster dir -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' + 'gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', + 'gobuster dir -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' ]) - service.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ - 'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_big.txt"', - 'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"' - ]) + if service.target.type == 'IPv4': + service.add_manual_command('(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:', [ + 'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/seclists/Discovery/Web-Content/big.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_big.txt"', + 'dirsearch -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -r -e txt,html,php,asp,aspx,jsp -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --format=plain --output="{scandir}/{protocol}_{port}_{http_scheme}_dirsearch_dirbuster.txt"' + ]) service.add_manual_command('(dirb) Recursive directory/file enumeration for web servers using various wordlists:', [ - 'dirb {http_scheme}://{address}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_big.txt"', - 'dirb {http_scheme}://{address}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"' + 'dirb {http_scheme}://{addressv6}:{port}/ /usr/share/seclists/Discovery/Web-Content/big.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_big.txt"', + 'dirb {http_scheme}://{addressv6}:{port}/ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -r -S -X ",.txt,.html,.php,.asp,.aspx,.jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_dirb_dirbuster.txt"' ]) service.add_manual_command('(gobuster v1 & v2) Multi-threaded directory/file enumeration for web servers using various wordlists:', [ - 'gobuster -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', - 'gobuster -u {http_scheme}://{address}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' + 'gobuster -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_big.txt"', + 'gobuster -u {http_scheme}://{addressv6}:{port}/ -t ' + str(self.get_option('threads')) + ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{http_scheme}_gobuster_dirbuster.txt"' ]) class Nikto(ServiceScan): @@ -147,7 +151,8 @@ class Nikto(ServiceScan): self.match_service_name('^nacn_http$', negative_match=True) def manual(self, service, plugin_was_run): - service.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"') + if service.target.type == 'IPv4': + service.add_manual_command('(nikto) old but generally reliable web server enumeration tool:', 'nikto -ask=no -h {http_scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_nikto.txt"') class WhatWeb(ServiceScan): @@ -161,7 +166,7 @@ class WhatWeb(ServiceScan): self.match_service_name('^nacn_http$', negative_match=True) async def run(self, service): - if service.protocol == 'tcp': + if service.protocol == 'tcp' and service.target.type == 'IPv4': await service.execute('whatweb --color=never --no-errors -a 3 -v {http_scheme}://{address}:{port} 2>&1', outfile='{protocol}_{port}_{http_scheme}_whatweb.txt') class WkHTMLToImage(ServiceScan): @@ -178,7 +183,7 @@ class WkHTMLToImage(ServiceScan): async def run(self, service): if which('wkhtmltoimage') is not None: if service.protocol == 'tcp': - await service.execute('wkhtmltoimage --format png {http_scheme}://{address}:{port}/ {scandir}/{protocol}_{port}_{http_scheme}_screenshot.png') + await service.execute('wkhtmltoimage --format png {http_scheme}://{addressv6}:{port}/ {scandir}/{protocol}_{port}_{http_scheme}_screenshot.png') else: error('The wkhtmltoimage program could not be found. Make sure it is installed. (On Kali, run: sudo apt install wkhtmltopdf)') @@ -194,4 +199,4 @@ class WPScan(ServiceScan): self.match_service_name('^nacn_http$', negative_match=True) def manual(self, service, plugin_was_run): - service.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{address}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"') + service.add_manual_command('(wpscan) WordPress Security Scanner (useful if WordPress is found):', 'wpscan --url {http_scheme}://{addressv6}:{port}/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "{scandir}/{protocol}_{port}_{http_scheme}_wpscan.txt"') diff --git a/plugins/rdp.py b/plugins/rdp.py index f075e71..4dfc78e 100644 --- a/plugins/rdp.py +++ b/plugins/rdp.py @@ -25,6 +25,6 @@ class BruteforceRDP(ServiceScan): def manual(self, service, plugin_was_run): service.add_manual_commands('Bruteforce logins:', [ - 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{address}', - 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {address}' + 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_rdp_hydra.txt" rdp://{addressv6}', + 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_rdp_medusa.txt" -M rdp -h {addressv6}' ]) diff --git a/plugins/rsync.py b/plugins/rsync.py index 52c02d5..2b4b44e 100644 --- a/plugins/rsync.py +++ b/plugins/rsync.py @@ -24,4 +24,4 @@ class RsyncList(ServiceScan): self.match_service_name('^rsync') async def run(self, service): - await service.execute('rsync -av --list-only rsync://{address}:{port}', outfile='{protocol}_{port}_rsync_file_list.txt') + await service.execute('rsync -av --list-only rsync://{addressv6}:{port}', outfile='{protocol}_{port}_rsync_file_list.txt') diff --git a/plugins/sip.py b/plugins/sip.py index bbbe24c..cbc57f4 100644 --- a/plugins/sip.py +++ b/plugins/sip.py @@ -24,4 +24,5 @@ class SIPVicious(ServiceScan): self.match_service_name('^asterisk') def manual(self, service, plugin_was_run): - service.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}') + if service.target.type == 'IPv4': + service.add_manual_command('svwar:', 'svwar -D -m INVITE -p {port} {address}') diff --git a/plugins/smb.py b/plugins/smb.py index 70ea2ff..d36697d 100644 --- a/plugins/smb.py +++ b/plugins/smb.py @@ -50,7 +50,8 @@ class Enum4Linux(ServiceScan): self.run_once(True) async def run(self, service): - await service.execute('enum4linux -a -M -l -d {address} 2>&1', outfile='enum4linux.txt') + if service.target.type == 'IPv4': + await service.execute('enum4linux -a -M -l -d {address} 2>&1', outfile='enum4linux.txt') class NBTScan(ServiceScan): @@ -65,7 +66,8 @@ class NBTScan(ServiceScan): self.run_once(True) async def run(self, service): - await service.execute('nbtscan -rvh {address} 2>&1', outfile='nbtscan.txt') + if service.target.type == 'IPv4': + await service.execute('nbtscan -rvh {address} 2>&1', outfile='nbtscan.txt') class SMBClient(ServiceScan): @@ -93,9 +95,10 @@ class SMBMap(ServiceScan): self.match_service_name(['^smb', '^microsoft\-ds', '^netbios']) async def run(self, service): - await service.execute('smbmap -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') - await service.execute('smbmap -u null -p "" -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') - await service.execute('smbmap -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') - await service.execute('smbmap -u null -p "" -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') - await service.execute('smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') - await service.execute('smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') + if service.target.type == 'IPv4': + await service.execute('smbmap -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') + await service.execute('smbmap -u null -p "" -H {address} -P {port} 2>&1', outfile='smbmap-share-permissions.txt') + await service.execute('smbmap -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') + await service.execute('smbmap -u null -p "" -H {address} -P {port} -R 2>&1', outfile='smbmap-list-contents.txt') + await service.execute('smbmap -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') + await service.execute('smbmap -u null -p "" -H {address} -P {port} -x "ipconfig /all" 2>&1', outfile='smbmap-execute-command.txt') diff --git a/plugins/smtp.py b/plugins/smtp.py index 50ec9c5..3ced44e 100644 --- a/plugins/smtp.py +++ b/plugins/smtp.py @@ -24,10 +24,10 @@ class SMTPUserEnum(ServiceScan): self.match_service_name('^smtp') async def run(self, service): - await service.execute('hydra smtp-enum://{address}:{port}/vrfy -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" 2>&1', outfile='{protocol}_{port}_smtp_user-enum_hydra_vrfy.txt') - await service.execute('hydra smtp-enum://{address}:{port}/expn -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" 2>&1', outfile='{protocol}_{port}_smtp_user-enum_hydra_expn.txt') + await service.execute('hydra smtp-enum://{addressv6}:{port}/vrfy -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" 2>&1', outfile='{protocol}_{port}_smtp_user-enum_hydra_vrfy.txt') + await service.execute('hydra smtp-enum://{addressv6}:{port}/expn -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" 2>&1', outfile='{protocol}_{port}_smtp_user-enum_hydra_expn.txt') def manual(self, service, plugin_was_run): service.add_manual_command('Try User Enumeration using "RCPT TO". Replace with the target\'s domain name:', [ - 'hydra smtp-enum://{address}:{port}/rcpt -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -o "{scandir}/{protocol}_{port}_smtp_user-enum_hydra_rcpt.txt" -p ' + 'hydra smtp-enum://{addressv6}:{port}/rcpt -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -o "{scandir}/{protocol}_{port}_smtp_user-enum_hydra_rcpt.txt" -p ' ]) diff --git a/plugins/snmp.py b/plugins/snmp.py index 2a4ea25..2355cd5 100644 --- a/plugins/snmp.py +++ b/plugins/snmp.py @@ -27,7 +27,8 @@ class OneSixtyOne(ServiceScan): self.add_option('community-strings', default='/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt', help='The file containing a list of community strings to try. Default: %(default)s') async def run(self, service): - await service.execute('onesixtyone -c ' + service.get_option('community-strings') + ' -dd {address} 2>&1', outfile='{protocol}_{port}_snmp_onesixtyone.txt') + if service.target.type == 'IPv4': + await service.execute('onesixtyone -c ' + service.get_option('community-strings') + ' -dd {address} 2>&1', outfile='{protocol}_{port}_snmp_onesixtyone.txt') class SNMPWalk(ServiceScan): diff --git a/plugins/ssh.py b/plugins/ssh.py index 8c95956..aa5d1ec 100644 --- a/plugins/ssh.py +++ b/plugins/ssh.py @@ -25,6 +25,6 @@ class BruteforceSSH(ServiceScan): def manual(self, service, plugin_was_run): service.add_manual_command('Bruteforce logins:', [ - 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{address}', - 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {address}' + 'hydra -L "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e nsr -s {port} -o "{scandir}/{protocol}_{port}_ssh_hydra.txt" ssh://{addressv6}', + 'medusa -U "' + self.get_global('username_wordlist', default='/usr/share/seclists/Usernames/top-usernames-shortlist.txt') + '" -P "' + self.get_global('password_wordlist', default='/usr/share/seclists/Passwords/darkweb2017-top100.txt') + '" -e ns -n {port} -O "{scandir}/{protocol}_{port}_ssh_medusa.txt" -M ssh -h {addressv6}' ]) diff --git a/plugins/sslscan.py b/plugins/sslscan.py index d9b3f7b..88ae41c 100644 --- a/plugins/sslscan.py +++ b/plugins/sslscan.py @@ -13,4 +13,4 @@ class SSLScan(ServiceScan): async def run(self, service): if service.protocol == 'tcp' and service.secure: - await service.execute('sslscan --show-certificate --no-colour {address}:{port} 2>&1', outfile='{protocol}_{port}_sslscan.html') + await service.execute('sslscan --show-certificate --no-colour {addressv6}:{port} 2>&1', outfile='{protocol}_{port}_sslscan.html')