#!/usr/bin/env python | |
import socket | |
import curl | |
import os | |
import argparse | |
import time | |
import random | |
from pexpect import pxssh | |
# ---------------------------------------------------------------- | |
# add ssh remote logins | |
# add ftp anon logins | |
# add some more info gathering techniques | |
# add features so that arguments parsed into prog could do more | |
# its functions, functionalities, operations, everything needs to be completed | |
# increase the number of ports in ports text file. | |
# add some wait time with the find set uid function | |
# expand upon the ftp anon function and the exploit function | |
# add some new headers from ascii art | |
# add proxy option for the web search function | |
""" Port file MUST be placed in the same directory as the python source file """
# Place all those stupid title headers in another file and import instead | |
# Place ugly functions in different files and import them as modules instead | |
# To neaten this code | |
## ERROR ## | |
# logical error | |
# When you decline the prompt to enter exploit mode | |
# or quit exploit mode and enter it manually | |
# and then you enter show open ports | |
# option '7.' seems to contain logical errors. | |
# I suspect that the error is between lines 98-141 | |
## ERROR ## | |
# another logical error | |
# When you run the port scanner and no ports are returned | |
# Exploit mode is made available to run | |
# ---------------------------------------------------------------- | |
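def main(*args):
    """Entry point: show a banner, apply CLI-derived arguments, run the menu.

    Args:
        *args: optional positional strings handed over by the CLI wrapper.
            A string containing "." or equal to "localhost" becomes the
            target; the literal "T" requests an immediate port scan of
            that target (the -PS flag). Anything else is reported as an
            invalid target.

    The process exits when the menu returns "q"/"Q", or when an IndexError
    escapes the menu.
    """
    ports = []               # open ports found by a CLI-requested scan
    port_true = False        # True when the scan was requested via "T" (-PS)
    pscan_occurence = False  # True once a scan has reported open ports
    option = " "             # Menu() indexes option[0]; never start it empty
    target = None
    ban = showBanner()
    print("\033[92m%s\033[0m" % ban)  # banner in green
    print("Brought to you by...\n")
    time.sleep(1)
    print("""\033[33m ) (
) ( /( ( )\ ) (
) /( )\()) ( )\ (()/( )\
( )(_))((_)\ )\ (((_) /(_))((((_)(
(_(_()) _((_)((_) )\___ (_)) )\ _ )\
|_ _| | || || __| ((/ __||_ _| (_)_\(_)
| | | __ || _| | (__ | | / _ \
|_| |_||_||___| \___||___| /_/ \_\
\033[0m\n""")
    for a in args:
        if ("." in a) or (a == "localhost"):
            target = a
            print("Target set to: %s" % str(target))
        elif a == "T":
            # The original compared the stale outer loop variable `arg`
            # here; the flag must be matched against the element in hand.
            if target is None:
                print("Cannot execute port scan without specified target")
                continue
            ports = list(portScan(target))
            port_true = True
            if ports:
                pscan_occurence = True
        else:
            print("invlaid target")
    try:
        choice = Menu(option, target, pscan_occurence, ports, port_true)
        if choice in ("q", "Q"):
            exit()
    except IndexError:
        # Menu() indexes user input; an unexpected empty string ends up here.
        time.sleep(0.5)
        print("CIA reports:-> FATAL ERROR <-: Exiting program.")
        time.sleep(0.5)
        exit()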
# port_True has been made a parameter to show whether user passed -PS as argument or not | |
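def Menu(option, target, pscan_occurence, port_arg, port_True):
    """Run the interactive main menu until the user quits.

    Args:
        option: initial selection; must be non-empty (main() passes " ").
        target: current target host/URL, or None.
        pscan_occurence: True when a port scan has already found open
            ports, which unlocks option 7.
        port_arg: open ports collected by a scan requested on the command
            line (-PS); used by option 7 while port_True is set.
        port_True: True when port_arg came from the command line rather
            than from option 2 inside this menu.

    Returns:
        "q" or "Q", whichever the user typed to quit.
    """
    ports = []  # open ports found via option 2 during this session
    needs_target = ("2", "3", "4")  # these options pass `target` to a probe
    while option[0] not in ("q", "Q"):
        if target is None:
            print("\nTarget currently set to: %s" % str(target))
        print("\033[91m---------------------------\033[0m")
        print("Main Menu")
        print("\033[91m---------------------------\033[0m")
        print("1. Set target")
        if target is not None:
            print("2. Port scan target (most common ports)")
            print("3. URL directory brute-force")
            print("4. Test for anonymous FTP")
            print("5. Enumerate local users")
            print("6. Find local setuid files")
            if pscan_occurence:
                print("7. Exploit")
        print("Q. Quit")
        option = raw_input("\nChoose an option: ").strip()
        if not option:
            # A bare Enter used to raise IndexError on option[0] and take
            # the whole program down; just redraw the menu instead.
            option = " "
            continue
        key = option[0]
        if key == "1":
            target = setTarget()
            pscan_occurence = False
            port_True = False  # a manually entered target invalidates -PS results
            ports = []         # previous scan results belong to the old target
        elif key in needs_target and target is None:
            # The menu hides 2-4 without a target but never refused them,
            # so portScan(None) etc. crashed with a TypeError.
            print("Set a target first (option 1)\n\n")
        elif key == "2":
            ports = list(portScan(target))
            if ports:
                pscan_occurence = True
        elif key == "3":
            urlDirForce(target)
        elif key == "4":
            checkAnonFTP(target)
        elif key == "5":
            enumLocalUsers()
        elif key == "6":
            findSetUID()
        elif key in ("q", "Q"):
            break
        elif key == "7" and pscan_occurence:
            # -PS results win while port_True is set; otherwise use this session's scan.
            exploit(target, port_arg if port_True else ports)
        elif option in ("clear", "CLEAR"):
            os.system("clear")  # fixed command string; no user text reaches the shell
        else:
            print("Unknown option\n\n")
    return option[0]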
def showBanner():
    """Return one of the program's ASCII-art banners, chosen at random.

    Returns:
        A multi-line str; the caller wraps it in ANSI colour codes.
    """
    #the different available banners for the program so far
    banners = [""" __ __ _ ____ _____
\ \ / / / \ | _ \ | ___|
\ V / / _ \ | |_) || |_
| | / ___ \ | __/ | _|
|_| /_/ \_\|_| |_|
""",
"""
_________ _...._
.-. .- \ |.' '-. _.._
\ \ / / \ .'```'. '. .' .._|
\ \ / / __ \ | \ \ | '
\ \ / /.:--.'. | | | |__| |__
\ \ / // | \ | | \ / .|__ __|
\ ` / `" __ | | | |\`'-.-' .' | |
\ / .'.''| | | | '-....-'` | |
/ / / / | |_ .' '. | |
|`-' / \ \._,\ '/'-----------' | |
'..' `--' `" |_|
""",
""" $$$$$$\
$$ __$$\
$$\ $$\ $$$$$$\ $$$$$$\ $$ / \__|
$$ | $$ | \____$$\ $$ __$$\ $$$$\
$$ | $$ | $$$$$$$ |$$ / $$ |$$ _|
$$ | $$ |$$ __$$ |$$ | $$ |$$ |
\$$$$$$$ |\$$$$$$$ |$$$$$$$ |$$ |
\____$$ | \_______|$$ ____/ \__|
$$\ $$ | $$ |
\$$$$$$ | $$ |
\______/ \__|
""",
"""
.-.
/ \
___ ___ .---. .-.. | .`. ;
( )( ) / .-, \ / \ | |(___)
| | | | (__) ; | ' .-, ; | |_
| | | | .'` | | | . | ( __)
| ' | | / .'| | | | | | | |
' `-' | | / | | | | | | | |
`.__. | ; | ; | | | ' | | |
___ | | ' `-' | | `-' ' | |
( )' | `.__.'_. | \__.' (___)
; `-' ' | |
.__.' (___)
""",
""".------..------..------..------.
|Y.--. ||4.--. ||P.--. ||F.--. |
| (\/) || :/\: || :/\: || :(): |
| :\/: || :\/: || (__) || ()() |
| '--'Y|| '--'4|| '--'P|| '--'F|
`------'`------'`------'`------'
""",
"""YYYYYYY YYYYYYY ffffffffffffffff
Y:::::Y Y:::::Y f::::::::::::::::f
Y:::::Y Y:::::Y f::::::::::::::::::f
Y::::::Y Y::::::Y f::::::fffffff:::::f
YYY:::::Y Y:::::YYYaaaaaaaaaaaaa ppppp ppppppppp f:::::f ffffff
Y:::::Y Y:::::Y a::::::::::::a p::::ppp:::::::::p f:::::f
Y:::::Y:::::Y aaaaaaaaa:::::ap:::::::::::::::::p f:::::::ffffff
Y:::::::::Y a::::app::::::ppppp::::::pf::::::::::::f
Y:::::::Y aaaaaaa:::::a p:::::p p:::::pf::::::::::::f
Y:::::Y aa::::::::::::a p:::::p p:::::pf:::::::ffffff
Y:::::Y a::::aaaa::::::a p:::::p p:::::p f:::::f
Y:::::Y a::::a a:::::a p:::::p p::::::p f:::::f
Y:::::Y a::::a a:::::a p:::::ppppp:::::::pf:::::::f
YYYY:::::YYYY a:::::aaaa::::::a p::::::::::::::::p f:::::::f
Y:::::::::::Y a::::::::::aa:::ap::::::::::::::pp f:::::::f
YYYYYYYYYYYYY aaaaaaaaaa aaaap::::::pppppppp fffffffff
p:::::p
p:::::p
p:::::::p
p:::::::p
p:::::::p
ppppppppp
""",
""".-. .-. .--. ,---. ,---.
\ \_/ )/ / /\ \ | .-.\ | .-'
\ (_)/ /__\ \| |-' )| `-.
) ( | __ || |--' | .-'
| | | | |)|| | | |
/(_| |_| (_)/( )\| |
(__) (__) (__)
"""]
    random.seed()  # re-seed the generator (harmless: random seeds itself on import)
    return random.choice(banners)  # one banner picked uniformly at random
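def checkPort(target, portnum, pName):
    """Attempt a TCP connect to (target, portnum) and report the outcome.

    Args:
        target: host name or IP address to connect to.
        portnum: TCP port number (int).
        pName: human-readable service name printed next to an open port.

    Returns:
        A one-element list [(portnum, pName)] when the connect succeeds,
        False on any socket.error (refused, filtered, unresolvable host...).
        The socket is always closed; the original never closed it and so
        leaked one descriptor per probed port. Each open port is reported on
        its own line.
    """
    sock = socket.socket()
    try:
        sock.connect((target, portnum))
    except socket.error:
        return False
    finally:
        sock.close()
    print("\033[92mPort: %d OPEN --> %s\033[0m" % (portnum, pName))  # green
    return [(portnum, pName)]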
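def checkURL(url):
    """Request *url* and report any response other than a 404.

    Args:
        url: absolute URL to fetch (built by urlDirForce).

    Returns:
        The HTTP status code when it is not 404, False when it is 404.
        The original always returned None despite its docstring; the only
        caller in this file ignores the result, so this stays compatible.

    Note: the `curl` wrapper raises on connection failures; the caller
    decides whether that should abort the sweep.
    """
    c = curl.Curl()
    c.get(url)
    # NOTE(review): the original author was unsure this key holds the HTTP
    # status code ("200 or 404 I think") — confirm against the curl wrapper.
    code = c.info()["http-code"]
    if code == 404:
        return False
    print("!!! Request for %s gives a code of %d" % (url, code))
    return code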
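def urlDirForce(root):
    """Probe a fixed list of common directory names under *root*.

    Args:
        root: base URL or host. Surrounding whitespace is removed, a
            missing scheme defaults to "http://", and a trailing "/" is
            appended. Unlike the original, an "https://" root is left as
            is instead of becoming "http://https://...", and an empty root
            is rejected instead of raising IndexError on root[-1].

    Returns:
        None; each probe's result is reported by checkURL.
    """
    dirs = ["admin", "administrator", "backup", "config",
            "cpanel", "data", "images", "panel", "proxy", "staff",
            "uploads", "upload", "user", "users", "webmaster", "webhp"]
    root = root.strip()
    if not root:
        print("No root URL given")
        return
    if not root.lower().startswith(("http://", "https://")):
        root = "http://" + root
    if not root.endswith("/"):
        root += "/"
    for d in dirs:
        checkURL(root + d)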
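def portScan(target):
    """Probe *target* on every port listed in commonPorts.txt.

    commonPorts.txt is opened relative to the current working directory
    (not the script's directory, whatever the header comment says) and must
    hold one "<port>\\t<name>" entry per line; blank, tab-less or
    non-numeric lines are skipped where the original raised.

    Args:
        target: host name or IP address to scan.

    Returns:
        The open port numbers as strings, exactly as read from the file
        (callers format them for display). If the user accepts the prompt,
        exploit() runs first and the same list is returned afterwards.
    """
    ports = []  # (port string, service name) pairs from the file
    with open("commonPorts.txt") as fname:  # original never closed the handle
        for line in fname:
            fields = line.rstrip("\n").split("\t")
            if len(fields) < 2:
                continue
            port, name = fields[0].strip(), fields[1].strip()
            if not port.isdigit():
                continue
            ports.append((port, name))
    print("\nScanning ports now...")
    time.sleep(1)
    open_ports = []
    for port, name in ports:
        # checkPort returns a non-empty list when open, False otherwise.
        if checkPort(target, int(port), name):
            open_ports.append(port)
    print("%d port(s) found\n" % len(open_ports))
    time.sleep(0.5)
    if open_ports:
        answer = raw_input("would you like to proceed to exploit stage? (Y/N): ")
        if answer.strip().lower() != "n":
            exploit(target, open_ports)
    return open_ports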
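def checkAnonFTP(target, port=21):
    """Report whether *target* accepts an anonymous FTP login.

    Sends USER/PASS "anonymous" (CRLF-terminated as RFC 959 requires; the
    original sent a bare LF) and looks for a "230" reply.

    Args:
        target: host name or IP address.
        port: TCP port of the FTP service; defaults to 21.

    Returns:
        True if the final reply starts with "230", False otherwise —
        including when the connection fails, which previously escaped as an
        unhandled socket.error and took the menu down. The socket is closed
        on every path; the original closed it only on success.
    """
    s = socket.socket()
    try:
        s.connect((target, port))
        s.recv(100)  # greeting banner
        s.send("USER anonymous\r\n")
        s.recv(100)  # expect 331 (password required)
        s.send("PASS anonymous\r\n")
        data = s.recv(100)
    except socket.error as e:
        print("FTP check failed: %s" % e)
        return False
    finally:
        s.close()
    if data.startswith("230"):
        print("Anonymous FTP enabled")
        return True
    return False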
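def enumLocalUsers():
    """Print every login name in /etc/passwd and return the last entry.

    Each line is printed by its first colon-separated field (the login
    name) with a short pause between lines for effect.

    Returns:
        The last raw line of /etc/passwd (unchanged from the original,
        whose caller discards it), or None when the file is empty — the
        original raised IndexError on users[0] in that case.
    """
    users = []
    with open("/etc/passwd", "r") as f:  # original never closed the handle
        for line in f:
            time.sleep(0.09)
            print(line.split(":")[0])
            users.append(line)
    time.sleep(1)
    if not users:
        print("\n- /etc/passwd is empty\n- Returning to main menu")
        return None
    first = users[0].split(":")[0]
    last = users[-1].split(":")[0]
    print("\n- Potential users = ' %s ' ' %s '" % (first, last))
    time.sleep(0.3)
    print("- Evaluated /etc/passwd\n- Returning to main menu")
    return users[-1]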
#split each element by the colon, as appears in the passwd file
def findSetUID():
    """List regular files owned by root that carry the setuid bit.

    Runs find(1) over the whole filesystem: `-perm -4000` keeps files with
    the setuid bit, `-user root` restricts to root-owned files, `-type f`
    to regular files, `-print` emits each path. The command is a fixed
    string, so no user input reaches the shell. Returns None; output goes
    straight to the terminal.
    """
    # NOTE(review): the old TODO claimed this listed every executable; with
    # -perm -4000 the predicate already filters on setuid — confirm the TODO is stale.
    find_cmd = "find / -perm -4000 -user root -type f -print"
    os.system(find_cmd)
def setTarget():
    """Prompt for the target IP/URL and return it exactly as typed (no validation)."""
    prompt = "Enter target IP/URL: "
    answer = raw_input(prompt)
    return answer
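def exploit(*args):
    """Interactive "exploit mode" prompt; only informational commands exist.

    Args:
        *args: (target, open_ports) — args[0] is printed by "show target",
            args[1] is iterated by "show open ports". Calling with fewer
            arguments raises IndexError on those commands, as before.

    Commands: q/Q leave the prompt, clear/CLEAR clear the screen, "show
    target", "show open ports", h/help. "show exploits" is listed by
    Exploit_Help but not implemented.
    """
    print("\033[91m-- Loading 3xPl0i7 S74G3...\033[0m")
    time.sleep(1)
    print("\033[91m-- Warning exploitation is very dangerous, be careful how you use this...\033[0m")
    time.sleep(0.5)
    print("\033[91m-- Remember you are a member of the CIA. Use this tool responsibly.\033[0m")
    time.sleep(0.5)
    while True:
        cmd = raw_input("CIA-SAYS-> ")
        if not cmd:
            continue  # a bare Enter used to raise IndexError on cmd[0]
        if cmd[0] in ("q", "Q"):
            time.sleep(0.7)
            print("exiting exploit mode\n")
            break
        if cmd in ("clear", "CLEAR"):
            os.system("clear")  # fixed command string; user text never reaches the shell
        elif cmd == "show target":
            print(args[0])
        elif cmd == "show open ports":
            print("open ports:")
            for p in args[1]:
                print("- %s" % (p,))
        elif cmd in ("h", "help"):
            Exploit_Help()
        else:
            print("Unknown command; type help\n")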
def Exploit_Help():
    """Print the commands understood by exploit(), one per line."""
    commands = ("show target", "show open ports", "show exploits")
    print("\n".join("-> %s" % c for c in commands))
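if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    # The original help text read "specify port number", which described the
    # wrong option: -t takes the target host.
    parser.add_argument("-t", "--target", help="specify target IP/URL",
                        required=False, type=str)
    # The original wrapped this lone flag in a mutually-exclusive group,
    # which does nothing with a single member.
    parser.add_argument("-PS", "--portScanner", help="execute port scanner",
                        action="store_true")
    args = parser.parse_args()
    if args.portScanner and not args.target:
        # A scan needs a host; fall back to the interactive menu.
        print("\033[93m[!] Cannot execute port scan without specified target\033[0m")  # yellow
        time.sleep(1)
        print("loading program...")
        time.sleep(1)
        main()
    elif args.target and args.portScanner:
        main(args.target, "T")  # "T" tells main() to scan straight away
    elif args.target:
        main(args.target)
    else:
        main()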