#!/usr/bin/env python
import argparse
import os
import random
import socket
import subprocess
import sys
import time

import curl
from pexpect import pxssh
# ----------------------------------------------------------------
# add ssh remote logins
# add ftp anon logins
# add some more info gathering techniques
# add features so that arguments parsed into prog could do more
# its functions, functionalities, operations, everything needs to be completed
# increase the number of ports in ports text file.
# add some wait time with the find set uid function
# expand upon the ftp anon function and the exploit function
# add some new headers from ascii art
# add proxy option for the web search function
""" Port file MUST be placed in the same direcrtory as the python source file """
# Place all those stupid title headers in another file and import instead
# Place ugly functions in different files and import them as modules instead
# To neaten this code
## ERROR ##
# logical error
# When you decline the prompt to enter exploit mode
# or quit exploit mode and enter it manually
# and then you enter show open ports
# option '7.' seems to contain logical errors.
# I suspect that the error is between lines 98-141
## ERROR ##
# another logical error
# When you run the port scanner and no ports are returned
# Exploit mode is made available to run
# ----------------------------------------------------------------
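def main(*args):
    """Entry point: show the banner, apply command-line arguments, run the menu.

    Args:
        *args: zero or more strings forwarded from the ``__main__`` block.
            A value containing a "." or equal to "localhost" becomes the
            target; the literal "T" means -PS was given and triggers an
            immediate port scan of the target seen so far. Anything else
            is reported as an invalid target.

    The process exits when the menu returns "q"/"Q" or when the menu raises
    IndexError; nothing is returned.
    """
    Ports = []
    port_True = False        # a -PS scan was run; Menu then uses Ports for option 7
    pscan_occurence = False  # the -PS scan found at least one open port
    option = " "
    target = None
    ban = showBanner()
    print("\033[92m%s\033[0m" % ban)  # banner in green
    print("Brought to you by...\n")
    time.sleep(1)
    print("""\033[33m ) (
) ( /( ( )\ ) (
) /( )\()) ( )\ (()/( )\
( )(_))((_)\ )\ (((_) /(_))((((_)(
(_(_()) _((_)((_) )\___ (_)) )\ _ )\
|_ _| | || || __| ((/ __||_ _| (_)_\(_)
| | | __ || _| | (__ | | / _ \
|_| |_||_||___| \___||___| /_/ \_\
\033[0m\n""")
    for a in args:
        if ("." in a) or (a == "localhost"):
            target = a
            print("Target set to: %s" % str(target))
        elif a == "T":
            # The original compared the stale name `arg` (always the last
            # argument) here, so any unrecognised argument could start a scan
            # of a target that was never set; compare the current item instead
            # and refuse to scan without a target.
            if target is None:
                print("\033[93m[!] Cannot execute port scan without specified target\033[0m")
                continue
            Ports = list(portScan(target))
            port_True = True              # results came from -PS
            pscan_occurence = bool(Ports)
        else:
            print("invlaid target")
    try:
        answer = Menu(option, target, pscan_occurence, Ports, port_True)
    except IndexError:
        # Menu indexes the typed option; an empty answer used to land here.
        time.sleep(0.5)
        print("CIA reports:-> FATAL ERROR <-: Exiting program.")
        time.sleep(0.5)
        sys.exit()
    if answer in ("q", "Q"):
        sys.exit()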
# port_True has been made a parameter to show whether user passed -PS as argument or not
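def Menu(option, target, pscan_occurence, port_arg, port_True):
    """Run the interactive main menu until the user quits.

    Args:
        option: initial option string; the loop runs while it does not
            start with "q"/"Q".
        target: current target (IP/host/URL) or None.
        pscan_occurence: True when the most recent port scan found open
            ports; option 7 (exploit) is only offered and accepted then.
        port_arg: open ports handed over from main() (a -PS scan).
        port_True: True when port_arg came from a -PS scan; option 7 then
            uses port_arg instead of this menu's own scan results.

    Returns:
        "q" or "Q" when the user quits, otherwise None.

    Fixes relative to the original: an empty answer no longer raises
    IndexError (it is an unknown option); a rescan (option 2) replaces
    the previous results instead of appending to them and supersedes any
    -PS results, and a rescan that finds nothing hides option 7 again;
    options 2-4 refuse to run while no target is set.
    """
    Ports = []
    while option[:1] not in ("q", "Q"):
        if target is None:
            print("\nTarget currently set to: %s" % str(target))
        print("\033[91m---------------------------\033[0m")
        print("Main Menu")
        print("\033[91m---------------------------\033[0m")
        print("1. Set target")
        if target is not None:
            print("2. Port scan target (most common ports)")
            print("3. URL directory brute-force")
            print("4. Test for anonymous FTP")
        print("5. Enumerate local users")
        print("6. Find local setuid files")
        if pscan_occurence:
            print("7. Exploit")
        print("Q. Quit")
        option = raw_input("\nChoose an option: ")
        choice = option[:1]  # "" for an empty answer -> "Unknown option"
        if choice == "1":
            target = setTarget()
            # a new target invalidates every earlier scan result
            pscan_occurence = False
            port_True = False
            Ports = []
        elif choice in ("2", "3", "4") and target is None:
            print("Set a target first (option 1)\n")
        elif choice == "2":
            Ports = list(portScan(target))
            pscan_occurence = bool(Ports)
            port_True = False  # the fresh scan supersedes -PS results
        elif choice == "3":
            urlDirForce(target)
        elif choice == "4":
            checkAnonFTP(target)
        elif choice == "5":
            enumLocalUsers()
        elif choice == "6":
            findSetUID()
        elif choice in ("q", "Q"):
            break
        elif choice == "7" and pscan_occurence:
            exploit(target, port_arg if port_True else Ports)
        elif option in ("clear", "CLEAR"):
            subprocess.call(["clear"])
        else:
            print("Unknown option\n\n")
    if option[:1] in ("q", "Q"):
        return option[:1]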
def showBanner():
    """Return one of the program's ASCII-art banners, chosen at random.

    The PRNG is re-seeded on every call (the original comment says from
    the system time) before the choice is made.
    """
    art_banners = (
        """ __ __ _ ____ _____
\ \ / / / \ | _ \ | ___|
\ V / / _ \ | |_) || |_
| | / ___ \ | __/ | _|
|_| /_/ \_\|_| |_|
""",
        """
_________ _...._
.-. .- \ |.' '-. _.._
\ \ / / \ .'```'. '. .' .._|
\ \ / / __ \ | \ \ | '
\ \ / /.:--.'. | | | |__| |__
\ \ / // | \ | | \ / .|__ __|
\ ` / `" __ | | | |\`'-.-' .' | |
\ / .'.''| | | | '-....-'` | |
/ / / / | |_ .' '. | |
|`-' / \ \._,\ '/'-----------' | |
'..' `--' `" |_|
""",
        """ $$$$$$\
$$ __$$\
$$\ $$\ $$$$$$\ $$$$$$\ $$ / \__|
$$ | $$ | \____$$\ $$ __$$\ $$$$\
$$ | $$ | $$$$$$$ |$$ / $$ |$$ _|
$$ | $$ |$$ __$$ |$$ | $$ |$$ |
\$$$$$$$ |\$$$$$$$ |$$$$$$$ |$$ |
\____$$ | \_______|$$ ____/ \__|
$$\ $$ | $$ |
\$$$$$$ | $$ |
\______/ \__|
""",
        """
.-.
/ \
___ ___ .---. .-.. | .`. ;
( )( ) / .-, \ / \ | |(___)
| | | | (__) ; | ' .-, ; | |_
| | | | .'` | | | . | ( __)
| ' | | / .'| | | | | | | |
' `-' | | / | | | | | | | |
`.__. | ; | ; | | | ' | | |
___ | | ' `-' | | `-' ' | |
( )' | `.__.'_. | \__.' (___)
; `-' ' | |
.__.' (___)
""",
        """.------..------..------..------.
|Y.--. ||4.--. ||P.--. ||F.--. |
| (\/) || :/\: || :/\: || :(): |
| :\/: || :\/: || (__) || ()() |
| '--'Y|| '--'4|| '--'P|| '--'F|
`------'`------'`------'`------'
""",
        """YYYYYYY YYYYYYY ffffffffffffffff
Y:::::Y Y:::::Y f::::::::::::::::f
Y:::::Y Y:::::Y f::::::::::::::::::f
Y::::::Y Y::::::Y f::::::fffffff:::::f
YYY:::::Y Y:::::YYYaaaaaaaaaaaaa ppppp ppppppppp f:::::f ffffff
Y:::::Y Y:::::Y a::::::::::::a p::::ppp:::::::::p f:::::f
Y:::::Y:::::Y aaaaaaaaa:::::ap:::::::::::::::::p f:::::::ffffff
Y:::::::::Y a::::app::::::ppppp::::::pf::::::::::::f
Y:::::::Y aaaaaaa:::::a p:::::p p:::::pf::::::::::::f
Y:::::Y aa::::::::::::a p:::::p p:::::pf:::::::ffffff
Y:::::Y a::::aaaa::::::a p:::::p p:::::p f:::::f
Y:::::Y a::::a a:::::a p:::::p p::::::p f:::::f
Y:::::Y a::::a a:::::a p:::::ppppp:::::::pf:::::::f
YYYY:::::YYYY a:::::aaaa::::::a p::::::::::::::::p f:::::::f
Y:::::::::::Y a::::::::::aa:::ap::::::::::::::pp f:::::::f
YYYYYYYYYYYYY aaaaaaaaaa aaaap::::::pppppppp fffffffff
p:::::p
p:::::p
p:::::::p
p:::::::p
p:::::::p
ppppppppp
""",
        """.-. .-. .--. ,---. ,---.
\ \_/ )/ / /\ \ | .-.\ | .-'
\ (_)/ /__\ \| |-' )| `-.
) ( | __ || |--' | .-'
| | | | |)|| | | |
/(_| |_| (_)/( )\|
(__) (__) (__)
""",
    )
    random.seed()
    picked = random.choice(art_banners)
    return picked
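def checkPort(target, portnum, pName, timeout=None):
    """Return [(portnum, pName)] when a TCP connect to target:portnum succeeds, else False.

    Args:
        target: host name or IP address.
        portnum: TCP port number (int).
        pName: service name shown next to an open port.
        timeout: optional connect timeout in seconds. None (the default)
            keeps the original blocking behaviour, where a filtered port
            waits for the operating system's own connect timeout.

    An open port is printed in green on its own line (the original used a
    trailing-comma print, so several results ran together). Any socket
    error — refused, unreachable, timeout — yields False. The socket is
    closed on every path; the original never closed it, leaking one
    socket per probed port.
    """
    sock = socket.socket()
    if timeout is not None:
        sock.settimeout(timeout)
    try:
        sock.connect((target, portnum))
    except socket.error:
        return False
    finally:
        sock.close()
    print("\033[92mPort: %d OPEN --> %s\033[0m" % (portnum, pName))
    return [(portnum, pName)]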
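def checkURL(url):
    """Fetch url with the curl wrapper and return the HTTP status code it reports.

    Args:
        url: absolute URL to request.

    Returns:
        the integer found under "http-code" in ``Curl.info()``. A line is
        printed for every response whose code is not 404. The original
        docstring promised the status code but the function returned
        None; the code is now returned so callers can act on it.
    """
    c = curl.Curl()
    c.get(url)
    code = c.info()["http-code"]
    if code != 404:
        # the original split this over two prints ("!!!", then the message)
        print("!!! Request for %s gives a code of %d" % (url, code))
    return code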
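def urlDirForce(root):
    """Request a fixed list of common directory names under root and report each status code.

    Args:
        root: base URL or host. Surrounding whitespace is stripped,
            "http://" is prepended unless an http:// or https:// scheme is
            already present (the original only recognised http://, so an
            https URL received a second scheme), and a trailing "/" is
            ensured. An empty root becomes "http://".

    Returns:
        None; checkURL prints each result.
    """
    dirs = ["admin", "administrator", "backup", "config",
            "cpanel", "data", "images", "panel", "proxy", "staff",
            "uploads", "upload", "user", "users", "webmaster", "webhp"]
    root = root.strip()
    if not root.lower().startswith(("http://", "https://")):
        root = "http://" + root
    if not root.endswith("/"):
        root += "/"
    for name in dirs:
        checkURL(root + name)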
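def portScan(target):
    """Probe target on every port listed in commonPorts.txt and return the open ones.

    commonPorts.txt is read from the directory of this source file (the
    header of this file requires it to live there; the original opened it
    relative to the current working directory). Each line holds
    ``<port><TAB><name>``; blank or tab-less lines are skipped, and the
    file is closed after reading (the original left it open).

    Args:
        target: host name or IP address.

    Returns:
        list of the port numbers that accepted a TCP connection, as the
        strings read from the file. When at least one port is open the
        user is asked whether to enter the exploit stage; any answer other
        than n/N calls exploit() before the list is returned.

    Note: checkPort() connects without a timeout here, so a filtered port
    can stall the scan for the operating system's connect timeout.
    """
    port_file = os.path.join(os.path.dirname(os.path.abspath(__file__)), "commonPorts.txt")
    entries = []  # (port string, service name)
    with open(port_file) as fh:
        for line in fh:
            fields = line.rstrip("\n").split("\t")
            if len(fields) < 2 or not fields[0].strip():
                continue
            entries.append((fields[0], fields[1]))
    print("\nScanning ports now...")
    time.sleep(1)
    OPEN_PORTS = []
    for port, name in entries:
        if checkPort(target, int(port), name):
            OPEN_PORTS.append(port)
    print("%d port(s) found\n" % len(OPEN_PORTS))
    time.sleep(0.5)
    if OPEN_PORTS:
        answer = raw_input("would you like to proceed to exploit stage? (Y/N): ")
        if answer not in ("n", "N"):
            exploit(target, OPEN_PORTS)
    return OPEN_PORTS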
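def checkAnonFTP(target, port=21):
    """Return True if target appears to accept an anonymous FTP login, False otherwise.

    Args:
        target: host name or IP address.
        port: FTP control port; defaults to 21.

    Speaks the FTP control protocol directly: read the greeting, send
    ``USER anonymous`` and ``PASS anonymous``, and treat a final reply
    starting with "230" (logged in) as success. The socket is now closed
    on every path, including when connect/recv/send raise; socket errors
    still propagate to the caller as before.

    NOTE(review): each reply is read with a single 100-byte recv, so a
    multi-line greeting or a slow server can leave the "230" check looking
    at the wrong reply — confirm against the servers you test. The line
    terminator is kept as the original "\\n" although FTP lines are
    CRLF-terminated; changing it is a protocol-behaviour change.
    """
    s = socket.socket()
    try:
        s.connect((target, port))
        s.recv(100)                   # server greeting
        s.send("USER anonymous\n")
        s.recv(100)                   # expected 331 (password required)
        s.send("PASS anonymous\n")
        data = s.recv(100)
    finally:
        s.close()
    if data.startswith("230"):
        print("Anonymous FTP enabled")
        return True
    return False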
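def enumLocalUsers():
    """Print every account name in /etc/passwd and return its last entry.

    Each line is split on ":" as the passwd format dictates and the first
    field (the account name) is printed with a short pause; afterwards the
    first and last names are summarised. The file is closed after reading
    (the original left it open).

    Returns:
        the last line of /etc/passwd as read (newline included), or None
        when the file is empty (the original raised IndexError there).
    """
    users = []
    with open("/etc/passwd", "r") as f:
        for line in f:
            time.sleep(0.09)
            print(line.split(":")[0])
            users.append(line)
    time.sleep(1)
    if not users:
        print("\n- /etc/passwd is empty\n- Returning to main menu")
        return None
    first_name = users[0].split(":")[0]
    last_name = users[-1].split(":")[0]
    print("\n- Potential users = ' %s ' ' %s '" % (first_name, last_name))
    time.sleep(0.3)
    print("- Evaluated /etc/passwd\n- Returning to main menu")
    return users[-1]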
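def findSetUID():
    """List regular files owned by root that carry the setuid bit, via find(1).

    Runs ``find / -perm -4000 -user root -type f -print``:
      -perm -4000  keep entries whose mode includes the setuid bit (04000)
      -user root   owned by root
      -type f      regular files only
      -print       write each match to stdout
    The earlier TODO said this only listed executables; -perm -4000 does
    select setuid files, so the remaining gap is that the output is only
    printed, never captured. The command is a fixed argument list handed
    to subprocess.call without a shell (the original used os.system).
    Walking the whole filesystem can take a while; nothing is returned.
    """
    subprocess.call(["find", "/", "-perm", "-4000", "-user", "root", "-type", "f", "-print"])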
def setTarget():
    """Prompt for a target IP address or URL and return the answer as typed."""
    prompt = "Enter target IP/URL: "
    answer = raw_input(prompt)
    return answer
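def exploit(*args):
    """Interactive "exploit stage" prompt.

    Args:
        *args: args[0] is the target, args[1] (optional) the open-port list
            from portScan(). Only inspection commands exist so far:
            "show target", "show open ports", "h"/"help", "clear", and an
            answer starting with q/Q to leave. Unknown input is ignored
            without a message, as in the original.

    Fixes relative to the original: an empty answer no longer raises
    IndexError, and "show open ports" tolerates a call without a port list.
    """
    print("\033[91m-- Loading 3xPl0i7 S74G3...\033[0m")
    time.sleep(1)
    print("\033[91m-- Warning exploitation is very dangerous, be careful how you use this...\033[0m")
    time.sleep(0.5)
    print("\033[91m-- Remember you are a member of the CIA. Use this tool responsibly.\033[0m")
    time.sleep(0.5)
    while True:
        i = raw_input("CIA-SAYS-> ")
        if i[:1] in ("q", "Q"):
            time.sleep(0.7)
            print("exiting exploit mode\n")
            break
        if i in ("clear", "CLEAR"):
            subprocess.call(["clear"])
        elif i == "show target":
            print(args[0] if args else None)
        elif i == "show open ports":
            print("open ports:")
            for p in (args[1] if len(args) > 1 else []):
                print("- %s" % p)
        elif i in ("h", "help"):
            Exploit_Help()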
def Exploit_Help():
    """Print the commands listed for the exploit() prompt, one per line.

    "show exploits" is listed here although exploit() does not handle it yet.
    """
    commands = ["show target", "show open ports", "show exploits"]
    print("\n".join("-> %s" % c for c in commands))
if __name__=="__main__":
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", help="specify port number", required=False, type=str)
grp = parser.add_mutually_exclusive_group()
grp.add_argument("-PS", "--portScanner", help="execute port scanner", action="store_true")
args = parser.parse_args()
if args.target and args.portScanner:
main(args.target, "T")
if not args.target and args.portScanner:
print "\033[93m[!] Cannot execute port scan without specified target\033[0m" #make red
time.sleep(1)
print "loading program..."
time.sleep(1)
main()
if args.target and not args.portScanner:
main(args.target)
if not args.target and not args.portScanner:
main()