Added dirb/testssl. SSH now uses medusa. Minor bugfix to SMTP.
JonnyHightower committed Nov 17, 2016
1 parent a56e320 commit 898b7ef
Showing 9 changed files with 238 additions and 88 deletions.
2 changes: 1 addition & 1 deletion VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.1.5
1.1.6
91 changes: 89 additions & 2 deletions content/HTTP/HTTP.gsm
Original file line number Diff line number Diff line change
Expand Up @@ -169,14 +169,16 @@ sub activate {
my $screenshotTimeout=25; # Seconds
my $SSL=0;
my $VirtualHost=undef;
my $defaultDirbList="NEET/common.txt";

if ("$file" eq "https.txt"){
$SSL=1;

my $sslscan=$MainScan->getPath("sslscan");
if ($sslscan && !$self->IsScanComplete("${name}_ssl",$target)){
my $error=$MainScan->System($MainScan->getPath("sslscan") . " $socket > ${outputDir}/raw/sslscan-${socket}.txt 2>&1");
my $error=$MainScan->System($MainScan->getPath("sslscan") . " $socket > ${outputDir}/raw/sslscan-${port}.txt 2>&1");
if (!$error){
my @ciphers=$MainScan->ReadFile("${outputDir}/raw/sslscan-${socket}.txt");
my @ciphers=$MainScan->ReadFile("${outputDir}/raw/sslscan-${port}.txt");
my ($pref,$weak,$two,$badpref,$null,$prefnull)=(0,0,0,0,0,0);
for my $cipher (@ciphers){
if ($cipher =~ /Prefered Server Cipher/){
Expand Down Expand Up @@ -228,6 +230,42 @@ sub activate {
} else {
$Log->Status("GSM thread $threadID ($name -> $target): Already checked SSL ciphers - skipping","LOGONLY");
}

if (-x "/opt/neet/pkg/testssl/testssl.sh" && !$self->IsScanComplete("${name}_testssl-$port",$target)){
$MainScan->System("/opt/neet/pkg/testssl/testssl.sh" . " $socket > ${outputDir}/raw/testssl-${port}.txt 2>&1");
if (-f "${outputDir}/raw/testssl-${port}.txt"){
my @output=$MainScan->ReadFile("${outputDir}/raw/testssl-${port}.txt");
for my $line (@output){
if ($line =~ /CRIME/ && $line =~ /is vulnerable/){
my $message="SSL service vulnerable to CRIME";
$MainScan->RecordVulnerability($target,"GSM-HTTPS-7",$message);
next;
}
if ($line =~ /BREACH/ && $line =~ /is vulnerable/){
my $message="SSL service vulnerable to BREACH";
$MainScan->RecordVulnerability($target,"GSM-HTTPS-8",$message);
next;
}
if ($line =~ /Heartbleed/ && $line !~ /\(ok\)/){
my $message="SSL service vulnerable to Heartbleed";
$MainScan->RecordVulnerability($target,"GSM-HTTPS-9",$message);
next;
}
if ($line =~ /\sCCS\s/ && $line =~ /VULNERABLE/){
my $message="SSL service vulnerable to Change Cipher Spec";
$MainScan->RecordVulnerability($target,"GSM-HTTPS-10",$message);
next;
}
if ($line =~ /SSLv2/ && $line !~ /\(ok\)/){
my $message="SSL service supports SSLv2";
$MainScan->RecordVulnerability($target,"GSM-HTTPS-11",$message);
next;
}
}
$self->SetScanComplete("${name}_testssl-$port","$target");
}
}

}

# Record what we found on this port
Expand Down Expand Up @@ -341,6 +379,55 @@ sub activate {
}
}

# Run DIRB
my $dirb=$MainScan->getPath("dirb");
if ($dirb && -x "$dirb" && !$self->IsScanComplete("${name}_dirb-$port",$target)){
my $url="http://$socket";
if ("$file" eq "https.txt"){
$url =~ s/http/https/;
}

my @wordlists=$Config->GetClassValues("module.http.dirb.wordlist");
# Use the default wordlist unlist the user has specified others in the configuraation
# file
if ($#wordlists<0){
$Log->Warn("DIRB: No wordlists configured (add module.http.dirb.wordlist in neet config). Using default list.");
@wordlists=($defaultDirbList);
}

# Run dirb using each list
for my $wrdlist (@wordlists){
$wrdlist =~ s/\.\.//g;
$wrdlist =~ s/"//g;
$wrdlist =~ s?^NEET/?/opt/neet/resources/dirb/?;
if (! -f $wrdlist){
$Log->Warn("DIRB: wordlist \"$wrdlist\" not found!");
next;
}
$MainScan->System("$dirb $url \"$wrdlist\" -w -S >> ${outputDir}/raw/dirb-${port}.txt 2>&1");
}

# Did we get any results?
my ($list,$count)=(0,0);
if (-f "${outputDir}/raw/dirb-${port}.txt"){
for my $line ($MainScan->ReadFile("${outputDir}/raw/dirb-${port}.txt")){
if (index($line,"+ http")>-1){
$count++;
} elsif (index($line,"IS LISTABLE.")>-1){
$list++;
}
}
}
if ($list){
my $message="At least $list listable directories under $url. Check DIRB output.";
$MainScan->RecordIssue($target,"GSM-HTTP-6",$message);
}
if ($count>1){
my $message="$count interesting URLS at $url. Check DIRB output.";
$MainScan->RecordIssue($target,"GSM-HTTP-7",$message);
}
$self->SetScanComplete("${name}_dirb-$port","$target");
}

#>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>
#>>>>>>>>>>>>> End of module-specific code >>>>>>>>>>>>>>
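Review bot: The testssl run at `$MainScan->System("/opt/neet/pkg/testssl/testssl.sh" . " $socket > ${outputDir}/raw/testssl-${port}.txt 2>&1")` discards the exit status, and because the shell redirect creates the output file before testssl even starts, the `-f` test that follows passes when the tool fails, so `SetScanComplete("${name}_testssl-$port", ...)` is recorded for a run that produced nothing and is never retried; the sslscan branch just above keeps the return value in `$error`, and this one should do the same, e.g. `my $error=$MainScan->System(...);` followed by `if (!$error && -f "${outputDir}/raw/testssl-${port}.txt"){`. The Heartbleed and SSLv2 checks also differ from the CRIME/BREACH/CCS ones by matching on the absence of the literal lower-case `(ok)`, so any line that mentions Heartbleed or SSLv2 without that exact string (a section heading, an untested/error line, or a `not vulnerable (OK)` in upper case, which the CCS check's own `VULNERABLE` suggests testssl uses) is recorded as GSM-HTTPS-9/11; a positive match such as `$line =~ /Heartbleed/ && $line =~ /VULNERABLE/` would need confirming against the installed testssl's output but cannot produce that false positive. The testssl path is hard-coded rather than resolved with `$MainScan->getPath(...)` as sslscan and dirb are, so the `-x` test silently skips the check on any other layout. `sub activate` starts before this section and continues past it.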
36 changes: 18 additions & 18 deletions content/SMTP/SMTP.gsm
Original file line number Diff line number Diff line change
Expand Up @@ -114,20 +114,20 @@ sub activate {
};
alarm ($timeout);
eval {
print "Sending: $message" if ($DEBUG);
print $sock ("$message");
$response=<$sock>;
print "Response: $response" if ($DEBUG);
print "Sending: $message" if ($DEBUG);
print $sock ("$message");
$response=<$sock>;
print "Response: $response" if ($DEBUG);
alarm 0;
};

if ("$@" !~ /^TIMEOUT/){
$SIG{'ALRM'}='';
if ($response =~ /^\d{3}\s/){
($code,$response) = split(" ", $response,2);
print "Code: $code Message: $response" if ($DEBUG);
if ($response && $response =~ /^\d{3}\s/){
($code,$response) = split(" ", $response,2);
print "Code: $code Message: $response" if ($DEBUG);
return ($code,$response);
}
}
} else {
$SIG{'ALRM'}='';
return (0,0);
Expand Down Expand Up @@ -168,10 +168,10 @@ sub activate {
$smtpUser .= "@" . $domain;
}
($code,$response)= SMTP($sock,"VRFY $smtpUser\r\n");
if ($code =~ /^5/){
if (defined($code) && $code =~ /^5/){
$skip=1;
last;
} elsif ($code =~ /^25\d/ && $response !~ /Cannot VRFY /i){
} elsif ((defined($code) && defined($response)) && $code =~ /^25\d/ && $response !~ /Cannot VRFY /i){
if ("$user" eq "$randomString"){
$FalsePositive=1;
last;
Expand All @@ -197,10 +197,10 @@ sub activate {
$smtpUser .= "@" . $domain;
}
($code,$response)= SMTP($sock,"EXPN $smtpUser\r\n");
if ($code =~ /^5/){
if (defined($code) && $code =~ /^5/){
$skip=1;
last;
} elsif ($code =~ /^25\d/ && $response !~ /Cannot EXPN /i){
} elsif ((defined($code) && defined($response)) && $code =~ /^25\d/ && $response !~ /Cannot EXPN /i){
if ("$user" eq "$randomString"){
$FalsePositive=1;
last;
Expand Down Expand Up @@ -236,7 +236,7 @@ sub activate {
);
if ($sock){
($code,$response)= SMTP($sock,"");
if ($code){
if ($code && $response){
for my $element (split " ", $response){
if (($element =~ /\./) && ($element !~ /SMTP/)){
chomp $element;
Expand All @@ -257,7 +257,7 @@ sub activate {
$smtpUser .= "@" . $domain;
}
($code,$response)= SMTP($sock,"EXPN $smtpUser\r\n");
if ($code =~ /^25\d/ && $response !~ /Cannot /i){
if ((defined($code) && defined($response)) && $code =~ /^25\d/ && $response !~ /Cannot /i){
push @validUsers, $user;
}
}
Expand Down Expand Up @@ -294,12 +294,12 @@ sub activate {
for my $user (@testUsers){
my $smtpUser=$user;
if ($expnUseDomain){
$smtpUser .= "@" . $domain;
$smtpUser .= "@" . $domain;
}
($code,$response)= SMTP($sock,"VRFY $smtpUser\r\n");
if ($code =~ /^25\d/ && $response !~ /Cannot /i){
push @validUsers, $user;
}
if (($code && $response) && $code =~ /^25\d/ && $response !~ /Cannot /i){
push @validUsers, $user;
}
}
close $sock;
}
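Review bot: The new `$response && ...` guard makes an undef read safe, but the reader in the first hunk still takes a single line from `$sock`, so a multi-line reply (`220-`/`250-` continuation lines, common for greeting banners and EHLO) neither matches `^\d{3}\s` nor is drained; the leftover lines are then read back as the response to the next VRFY/EXPN, which the enumeration loops below would interpret as that command's result. Reading until the line whose fourth character is a space (RFC 5321 §4.2) keeps each call aligned with its own reply; the rewritten read is below, inside the existing `alarm`/`eval` so the timeout still covers it. The enclosing subroutine (the `SMTP` helper, judging by the call sites later in this file) starts before and ends after that hunk.
```perl
		print "Sending: $message" if ($DEBUG);
		print $sock ("$message");
		# Drain "NNN-" continuation lines so the next command does not
		# read a stale reply; $response ends up holding the final "NNN " line.
		do {
			$response=<$sock>;
			print "Response: $response" if ($DEBUG);
		} while (defined($response) && $response =~ /^\d{3}-/);
		alarm 0;
		# … unchanged: $@ / $SIG{'ALRM'} handling and the code/response split …
```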
29 changes: 11 additions & 18 deletions content/SSH/SSH.gsm
Original file line number Diff line number Diff line change
Expand Up @@ -163,17 +163,9 @@ sub activate {
};

# And now the code for the actual test:

# This check is now incorporated in the service discovery module
# Get the banner: See if we're supporting protocol 1
#my @banner=$MainScan->ReadFile("$outputDir/banners/${port}.txt");
#for my $line (@banner){
# chomp $line;
# if (index($line,"SSH-1.")==0){
# $MainScan->ConfigError($host, "issue", "SSHProto", "Host supports SSH protocol 1.x");
# last;
# }
#}
# Do we run against Windows machines as well? 1=YES, 0=NO (Only Unix machines)
# CAUTION: This can cause account lockout!!
my $RunAgainstWindows=1;

my ($osDetermined,$unix)=(0,0);
# Do we know the OS, and is the target running Unix?
Expand All @@ -190,18 +182,18 @@ sub activate {

if ($osDetermined){
# Don't run anything if we don't know the OS
my $patator=$MainScan->getPath("patator.py");
my $output="$outputDir/raw/patator-$port.txt";
if ($patator && $unix){
my $medusa=$MainScan->getPath("medusa");
my $output="$outputDir/raw/medusa-$port.txt";
if ($medusa && ($unix || $RunAgainstWindows)){
my ($username,$password)=('root',"");
$MainScan->System("$patator ssh_login port=$port host=$host user=$username password=FILE0 0=$resourceDir/passwords.txt persistent=1 -x ignore:mesg='Authentication failed.' -x ignore,reset,retry:mesg='No existing session' -x quit:code=0 > $output 2>&1");
$MainScan->System("$medusa -h $host -u $username -P \"$resourceDir/passwords.txt\" -e ns -f -n $port -M ssh > $output 2>&1");
@file=$MainScan->ReadFile($output);
for my $line (@file){
if (($line =~ /SSH/) && ($line !~ /Error/)){
if (($line =~ /ACCOUNT FOUND: \[ssh\]/)){
# Logged in
$password=$line;
$password =~ s/^[\S\s]+\s+\|\s+([\S\s]+)\|[\S\s]+\|[\S\s]+$/$1/;
$password =~ s/\s+$//g;
$password =~ s/^ACCOUNT FOUND: \[ssh\] Host: $host User: $username Password: ([\S\s]+) \[SUCCESS\]\s+$/$1/;
#$password =~ s/\s+$//g;
#$MainScan->StoreGuessedPassword($target,"comp","SSH",$username,$password,"GSM-SSH-1","Logged in as $username password $password");
# Instead of storing it in a flat file, use the credential manager
$credentialManager->addCredential(
Expand All @@ -218,6 +210,7 @@ sub activate {
}
}
}

$self->SetScanComplete("$name","$target");
}
} else {
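Review bot: `my $RunAgainstWindows=1;` hard-codes the new switch on, so `($unix || $RunAgainstWindows)` is always true and the `$unix` gate that confined the old patator run to Unix hosts is dead code; with `-e ns` (empty and username-as-password attempts) plus the passwords.txt list, this now brute-forces `root` on every host whose OS is known, including the Windows case the line's own comment warns can lock accounts out. That should be an operator choice read from the neet config (the HTTP module reads `module.http.dirb.wordlist` through `$Config`; the same mechanism fits here) with a default of `0`, e.g. `my $RunAgainstWindows=$Config->GetClassValues("module.ssh.bruteforce.windows") ? 1 : 0;` if no scalar accessor exists. The substitution `$password =~ s/^ACCOUNT FOUND: \[ssh\] Host: $host User: $username Password: ([\S\s]+) \[SUCCESS\]\s+$/$1/;` is never checked, so if medusa's line differs from that exact format the whole output line is handed to `addCredential` as the password, and `$host` is interpolated into the pattern unquoted (use `\Q$host\E`); testing the return value, `unless ($password =~ s{...}{$1}) { next; }` with a warning, keeps bad parses out of the credential store. `sub activate` and the `if ($osDetermined)` block start before this section and continue past its closing `} else {`.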
6 changes: 5 additions & 1 deletion content/SSH/passwords.txt
Original file line number Diff line number Diff line change
@@ -1,4 +1,8 @@

welcome1
Welcome1
Welcome1!
welcome1!
WELCOME1
toor
root
Root