Advertisement
opexxx

analyze_hosts.sh

May 6th, 2014
271
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 25.89 KB | None | 0 0
  1. #!/bin/bash
  2.  
  3. # analyze_hosts - Scans one or more hosts on security vulnerabilities
  4. #
  5. # Copyright (C) 2012-2014 Peter Mosmans
  6. #                         <support AT go-forward.net>
  7. #
  8. # This source code (shell script) is subject to the terms of the Mozilla Public
  9. # License, v. 2.0. If a copy of the MPL was not distributed with this
  10. # file, You can obtain one at http://mozilla.org/MPL/2.0/.
  11.  
  12. # TODO: - add: option to only list commands, don't execute them
  13. #       - change: use base options
  14. #       - add: make logging of output default
  15. #       - add: grep on errors of ssh script output
  16. #       - add: check installation (whether all tools are present)
  17. #       - change: refactor looping of ports
  18.  
  19.  
  20. NAME="analyze_hosts"
  21. VERSION="0.82 (29-04-2014)"
  22.  
  23. # statuses
  24. declare -c ERROR=-1
  25. declare -c UNKNOWN=0
  26. declare -c OPEN=1 UP=1 NONEWLINE=1 BASIC=1
  27. declare -c ADVANCED=2
  28. declare -c ALTERNATIVE=4
  29.  
  30. # logging and verboseness
  31. declare -c NOLOGFILE=-1
  32. declare -c QUIET=1
  33. declare -c STDOUT=2
  34. declare -c VERBOSE=4
  35. declare -c LOGFILE=8
  36. declare -c RAWLOGS=16
  37. declare -c SEPARATELOGS=32
  38.  
  39. # scantypes
  40. declare -i dnstest=$UNKNOWN fingerprint=$UNKNOWN nikto=$UNKNOWN
  41. declare -i portscan=$UNKNOWN sshscan=$UNKNOWN sslscan=$UNKNOWN
  42. declare -i trace=$UNKNOWN whois=$UNKNOWN webscan=$UNKNOWN
  43.  
  44. # defaults
  45. declare -i loglevel=$STDOUT
  46. declare -i timeout=30
  47. declare webports=80,443
  48. declare sslports=443,993,995
  49.  
  50. # statuses
  51. declare -i hoststatus=$UNKNOWN portstatus=$UNKNOWN
  52. datestring=$(date +%Y-%m-%d)
  53. workdir=/tmp
  54.  
  55. # colours
  56. declare -c BLUE='\E[1;49;96m' LIGHTBLUE='\E[2;49;96m'
  57. declare -c RED='\E[1;49;31m' LIGHTRED='\E[2;49;31m'
  58. declare -c GREEN='\E[1;49;32m' LIGHTGREEN='\E[2;49;32m'
  59.  
  60. trap abortscan INT
  61. trap cleanup QUIT
  62.  
  63. # define functions
  64. prettyprint() {
  65.     (($loglevel&$QUIET)) && return
  66.     [[ -z $nocolor ]] && echo -ne $2
  67.     if [[ "$3" == "$NONEWLINE" ]]; then
  68.         echo -n "$1"
  69.     else
  70.         echo "$1"
  71.     fi
  72.     [[ -z $nocolor ]] && tput sgr0
  73. }
  74.  
  75. usage() {
  76.     prettyprint "$NAME version $VERSION" $BLUE
  77.     prettyprint "      (c) 2012-2014 Peter Mosmans [Go Forward]" $LIGHTBLUE
  78.     prettyprint "      Licensed under the Mozilla Public License 2.0" $LIGHTBLUE
  79.     echo ""
  80.     echo " usage: $0 [OPTION]... [HOST]"
  81.     echo ""
  82.     echo "Scanning options:"
  83.     echo " -a, --all               perform all basic scans"
  84.     echo "     --max               perform all advanced scans (more thorough)"
  85.     echo " -b, --basic             perform basic scans (fingerprint, ssl, trace)"
  86.     echo "                         results of HOST matches regexp FILTER"
  87.     echo "     --dns               test for recursive query"
  88.     echo " -f                      perform web fingerprinting (all webports)"
  89.     echo "     --fingerprint       perform all web fingerprinting methods"
  90.     echo " -h, --header            show webserver headers (all webports)"
  91.     echo " -n, --nikto             nikto webscan (all webports)"
  92.     echo " -p                      nmap portscan (top 1000 ports)"
  93.     echo "     --ports             nmap portscan (all ports)"
  94.     echo " -s                      check SSL configuration"
  95.     echo "     --ssl               perform all SSL configuration checks"
  96.     echo "     --timeout=SECONDS   change timeout for sslscan (default=$timeout)"
  97.     echo "     --ssh               perform SSH configuration checks"
  98.     echo " -t                      check webserver for HTTP TRACE method"
  99.     echo "     --trace             perform all HTTP TRACE method checks"
  100.     echo " -w, --whois             perform WHOIS lookup for (hostname and) IP address"
  101.     echo " -W                      confirm WHOIS results before continuing scan"
  102.     echo "     --filter=FILTER     only proceed with scan of HOST if WHOIS"
  103.     echo "     --wordlist=filename scan webserver for existence of files in filename"
  104.     echo ""
  105.     echo "Port selection (comma separated list):"
  106.     echo "     --webports=PORTS    use PORTS for web scans (default $webports)"
  107.     echo "     --sslports=PORTS    use PORTS for ssl scans (default $sslports)"
  108.     echo ""
  109.     echo "Logging and input file:"
  110.     echo " -d, --directory=DIR     location of temporary files (default /tmp)"
  111.     echo " -i, --inputfile=FILE    use a file containing hostnames"
  112.     echo " -l, --log               log each scan in a separate logfile"
  113.     echo "     --nocolor           don't use fancy colors in screen output"
  114.     echo " -o, --output=FILE       concatenate all results into FILE"
  115.     echo " -q, --quiet             quiet"
  116.     echo " -v, --verbose           show server responses"
  117.     echo ""
  118.     echo " -u                      update this script (if it's a cloned repository)"
  119.     echo "     --update            force update (overwrite all local modifications)"
  120.     echo "     --version           print version information and exit"
  121.     echo ""
  122.     prettyprint "                         BLUE: status messages" $BLUE
  123.     prettyprint "                         GREEN: secure settings" $GREEN
  124.     prettyprint "                         RED: possible vulnerabilities" $RED
  125.     echo ""
  126.     echo " [HOST] can be a single (IP) address, an IP range, eg. 127.0.0.1-255"
  127.     echo " or multiple comma-separated addressess"
  128.     echo ""
  129.     echo "example: $0 -a --filter Amazon www.google.com"
  130.     echo ""
  131. }
  132.  
  133. # setlogfilename (name)
  134. # sets the GLOBAL variable logfile and tool
  135. setlogfilename() {
  136.     logfile=$workdir/${target}_$1_${datestring}.txt
  137.     if type $1 >/dev/null 2>&1; then
  138.         tool=$1
  139.     else
  140.         showstatus "ERROR: The program $1 could not be found" $RED
  141.         tool=$ERROR
  142.     fi
  143. }
  144.  
  145. # purgelogs logfile [LOGLEVEL]
  146. # purges the current logfile
  147. # if LOGLEVEL = VERBOSE then show log on screen
  148. purgelogs() {
  149.     local currentloglevel=$loglevel
  150.     if [[ ! -z $1 ]]; then let "loglevel=loglevel|$1"; fi
  151.     if [[ ! -z "$$logfile" ]] && [[ -f "$logfile" ]]; then
  152.         if (($loglevel&$VERBOSE)); then
  153.             if [[ -s "$logfile" ]]; then
  154.                 showstatus "$(grep -v '^#' $logfile)"
  155.                 showstatus ""
  156.             fi
  157.         fi
  158.         if (($loglevel&$RAWLOGS)); then
  159.             grep -v '^[#%]' $logfile >> $outputfile
  160.         fi
  161.         if !(($loglevel&$SEPARATELOGS)); then rm $logfile 1>/dev/null 2>&1; fi
  162.     fi
  163.     tool=$ERROR
  164.     loglevel=$currentloglevel
  165. }
  166.  
  167. # showstatus message [COLOR] [LOGFILE|NOLOGFILE|NONEWLINE]
  168. #                    COLOR: color of message
  169. #                    LOGFILE: only write contents to logfile
  170. #                    NOLOGFILE: don't log contents to logfile
  171. #                    NONEWLINE: don't echo new line character
  172.  
  173. showstatus() {
  174.     if [[ ! -z "$2" ]]; then
  175.         case "$2" in
  176.             $LOGFILE)
  177.                 (($loglevel&$LOGFILE)) && echo "$1" >> $outputfile;;
  178.             $NOLOGFILE)
  179.                 !(($loglevel&$QUIET)) && echo "$1";;
  180.             $NONEWLINE)
  181.                 !(($loglevel&$QUIET)) && echo -n "$1"
  182.                 (($loglevel&$LOGFILE)) && echo -n "$1" >> $outputfile;;
  183.             (*)
  184.                 prettyprint "$1" $2 $3
  185.                 (($loglevel&$LOGFILE)) && echo "$1" >> $outputfile;;
  186.         esac
  187.     else
  188.         !(($loglevel&$QUIET)) && echo "$1"
  189.         (($loglevel&$LOGFILE)) && echo "$1" >> $outputfile
  190.     fi
  191. }
  192.  
  193. do_update() {
  194.     local realpath=$(dirname $(readlink -f $0))
  195.     if [[ -d $realpath/.git ]]; then
  196.         setlogfilename "git"
  197.         if (($tool!=$ERROR)); then
  198.             local status=$UNKNOWN
  199.             showstatus "current version: $VERSION"
  200.             pushd $realpath 1>/dev/null 2>&1
  201.             if [[ ! -z "$1" ]]; then
  202.                 showstatus "forcing update, overwriting local changes"
  203.                 git fetch origin master 1>$logfile 2>&1
  204.                 git reset --hard FETCH_HEAD 1>>$logfile 2>&1
  205.             else
  206.                 git pull 1>$logfile 2>&1
  207.             fi
  208.             grep -Eq "error: |Permission denied" $logfile && status=$ERROR
  209.             grep -q "Already up-to-date." $logfile && status=$OPEN
  210.             popd 1>/dev/null 2>&1
  211.         else
  212.             status=$ERROR
  213.         fi
  214.         case $status in
  215.             $ERROR) showstatus "error updating $0" $RED;;
  216.             $UNKNOWN) showstatus "succesfully updated to $(awk '{FS="\""}/^VERSION=/{print $2}' $0)" $GREEN;;
  217.             $OPEN) showstatus "already running latest version" $BLUE;;
  218.         esac
  219.         purgelogs
  220.         exit 0
  221.     else
  222.         showstatus "Sorry, this doesn't seem to be a git archive"
  223.         showstatus "Please clone the repository using the following command: "
  224.         showstatus "git clone https://github.com/PeterMosmans/security-scripts.git"
  225.     fi;
  226. }
  227.  
  228. startup() {
  229.     flag=$OPEN
  230.     trap cleanup EXIT
  231.     showstatus "$NAME version $VERSION starting on $(date +%d-%m-%Y' at '%R)"
  232.     if (($loglevel&$LOGFILE)); then
  233.         if [[ -n $appendfile ]]; then
  234.             showstatus "appending to existing file $outputfile"
  235.         else
  236.             showstatus "logging to $outputfile"
  237.         fi
  238.     fi
  239.     showstatus "scanparameters: $options" $LOGFILE
  240.     [[ -n "$workdir" ]] && pushd $workdir 1>/dev/null 2>&1
  241. }
  242.  
  243. version() {
  244.     curl --version
  245.     echo ""
  246.     nikto -Version
  247.     echo ""
  248.     nmap -V
  249.     echo ""
  250.     sslscan --version|sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g"
  251.     echo ""
  252.     prettyprint "$NAME version $VERSION" $BLUE
  253.     prettyprint "      (c) 2013-2014 Peter Mosmans [Go Forward]" $LIGHTBLUE
  254.     prettyprint "      Licensed under the Mozilla Public License 2.0" $LIGHTBLUE
  255.     echo ""
  256. }
  257.  
  258. checkifportopen() {
  259.     portstatus=$UNKNOWN
  260.     if [[ -s "$portselection" ]]; then
  261.         portstatus=$ERROR
  262.         grep -q " $1/open/" $portselection && portstatus=$OPEN
  263.     fi
  264. }
  265.  
  266. do_dnstest() {
  267.     setlogfilename "dig"
  268.     if (($tool!=$ERROR)); then
  269.         local status=$UNKNOWN
  270.         local ports=53
  271.         showstatus "trying recursive dig... " $NONEWLINE
  272.         dig google.com @$target 1>$logfile 2>&1 </dev/null
  273.         grep -q "ANSWER SECTION" $logfile && status=$OPEN
  274.         if (($status==$OPEN)); then
  275.             showstatus "recursion allowed" $RED
  276.         else
  277.             showstatus "no recursion or answer detected" $GREEN
  278.         fi
  279.         purgelogs
  280.     fi
  281. }
  282.  
  283. do_fingerprint() {
  284.     if (($fingerprint==$BASIC)) || (($fingerprint==$ADVANCED)); then
  285.         setlogfilename "whatweb"
  286.         if (($tool!=$ERROR)); then
  287.             for port in ${webports//,/ }; do
  288.                 setlogfilename "whatweb"
  289.                 showstatus "performing whatweb fingerprinting on $target port $port... "
  290.                 if [[ ! $sslports =~ $port ]]; then
  291.                     whatweb -a3 --color never http://$target:$port --log-brief $logfile 1>/dev/null 2>&1
  292.                 else
  293.                     whatweb -a3 --color never https://$target:$port --log-brief $logfile 1>/dev/null 2>&1
  294.                 fi
  295.                 purgelogs $VERBOSE
  296.             done
  297.         fi
  298.     fi
  299.  
  300.     if (($fingerprint==$ADVANCED)) || (($fingerprint==$ALTERNATIVE)); then
  301.         setlogfilename "curl"
  302.         if (($tool!=$ERROR)); then
  303.             for port in ${webports//,/ }; do
  304.                 setlogfilename "curl"
  305.                 checkifportopen $port
  306.                 if (($portstatus==$ERROR)); then
  307.                     showstatus "$target port $port closed" $BLUE
  308.                 else
  309.                     showstatus "retrieving headers from $target port $port... " $NONEWLINE
  310.                     if [[ ! $sslports =~ $port ]]; then
  311.                         curl -A "$NAME" -q --insecure -m 10 --dump-header $logfile http://$target:$port 1>/dev/null 2>&1 || showstatus "could not connect to $target port $port" $BLUE $NONEWLINE
  312.                     else
  313.                         curl -A "$NAME" -q --insecure -m 10 --dump-header $logfile https://$target:$port 1>/dev/null 2>&1 || showstatus "could not connect to $target port $port" $BLUE $NONEWLINE
  314.                     fi
  315.                     showstatus ""
  316.                     purgelogs $VERBOSE
  317.                 fi
  318.             done
  319.         fi
  320.     fi
  321. }
  322.  
  323. do_nikto() {
  324.     setlogfilename "nikto"
  325.     if (($tool!=$ERROR)); then
  326.         [[ $target =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && showstatus "FQDN preferred over IP address"
  327.         for port in ${webports//,/ }; do
  328.             setlogfilename "nikto"
  329.             checkifportopen $port
  330.             if (($portstatus==$ERROR)); then
  331.                 showstatus "port $port closed" $GREEN
  332.             else
  333.                 showstatus "performing nikto webscan on port $port... "
  334.                 nikto -host $target:$port -Format txt -output $logfile 1>/dev/null 2>&1 </dev/null
  335.             fi
  336.             purgelogs $VERBOSE
  337.         done
  338.     fi
  339. }
  340.  
  341. do_portscan() {
  342.     setlogfilename "nmap"
  343.     hoststatus=$UNKNOWN
  344.     if (($portscan>=$ADVANCED)); then
  345.         showstatus "performing advanced nmap portscan (all ports)... " $NONEWLINE
  346.         nmap --open -p- -sV -sC -oN $logfile -oG $portselection $target 1>/dev/null 2>&1 </dev/null
  347.     else
  348.         showstatus "performing nmap portscan... " $NONEWLINE
  349.         nmap --open -sV -sC -oN $logfile -oG $portselection $target 1>/dev/null 2>&1 </dev/null
  350.     fi
  351.     grep -q "0 hosts up" $portselection || hoststatus=$UP
  352.     if (($hoststatus<$UP)); then
  353.         showstatus "host down" $BLUE
  354.     else
  355.         showstatus "host is up" $BLUE
  356.     fi
  357.     purgelogs $VERBOSE
  358. }
  359.  
  360. do_sshscan() {
  361.     if (($sshscan>=$BASIC)); then
  362.         setlogfilename "nmap"
  363.         local portstatus=$UNKNOWN
  364.         local ports=22
  365.         showstatus "trying nmap SSH scan on $target port $ports... " $NONEWLINE
  366.         nmap -Pn -p $ports --open --script banner.nse,sshv1.nse,ssh-hostkey.nse,ssh2-enum-algos.nse -oN $logfile $target 1>/dev/null 2>&1 </dev/null
  367.         grep -q " open " $logfile && portstatus=$OPEN
  368.         if (($portstatus<$OPEN)); then
  369.             showstatus "port closed" $BLUE
  370.             purgelogs
  371.         else
  372.             showstatus "port open" $BLUE
  373.             purgelogs $VERBOSE
  374.         fi
  375.     fi
  376. }
  377.  
  378. do_sslscan() {
  379.     setlogfilename "sslscan"
  380.     if (($sslscan>=$BASIC)) && (($tool!=$ERROR)); then
  381.        for port in ${sslports//,/ }; do
  382.            checkifportopen $port
  383.            if (($portstatus==$ERROR)); then
  384.                showstatus "port $port closed" $BLUE
  385.                return
  386.            fi
  387.            showstatus "performing sslscan on $target port $port..." $NONEWLINE
  388.            timeout $timeout sslscan --no-failed $target:$port|sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" > $logfile || portstatus=$ERROR
  389.            if [[ -s $logfile ]] ; then
  390.                grep -qe "ERROR: Could not open a connection to host" $logfile&&portstatus=$ERROR
  391.            else
  392.                portstatus=$ERROR
  393.            fi
  394.            if (($portstatus==$ERROR)) ; then
  395.                showstatus "could not connect" $BLUE
  396.            else
  397.                showstatus ""
  398.                showstatus "$(awk '/(Accepted).*(ADH|RC4|IDEA|SSLv2|EXP|MD5|NULL| 40| 56)/{print $2,$3,$4,$5}' $logfile)" $RED
  399.            fi
  400.            purgelogs
  401.        done
  402.     fi
  403.  
  404.     if (($sslscan>=$ADVANCED)); then
  405.         showstatus "performing nmap sslscan on $target ports $sslports..."
  406.         setlogfilename "nmap"
  407.         nmap -p $sslports --script ssl-enum-ciphers --open -oN $logfile $target 1>/dev/null 2>&1 </dev/null
  408.         if [[ -s $logfile ]] ; then
  409.             showstatus "$(awk '/( - )(broken|weak|unknown)/{print $2}' $logfile)" $RED
  410.         else
  411.             showstatus "could not connect to $target ports $sslports" $BLUE
  412.         fi
  413.         purgelogs
  414.     fi
  415. }
  416.  
  417. do_trace() {
  418.     setlogfilename "curl"
  419.     if (($tool!=$ERROR)); then
  420.         for port in ${webports//,/ }; do
  421.             setlogfilename "curl"
  422.             checkifportopen $port
  423.             showstatus "trying TRACE method on $target port $port... " $NONEWLINE
  424.             if (($portstatus==$ERROR)); then
  425.                 showstatus "$target port $port closed" $GREEN
  426.             else
  427.                 local prefix="http://"
  428.                 [[ $sslports =~ $port ]] && prefix="--insecure https://"
  429.                 curl -q -s -A "$NAME" -i -m 30 -X TRACE -o $logfile $prefix$target:$port/ 1>/dev/null 2>&1
  430.                 if [[ -s $logfile ]]; then
  431.                     status=$(awk 'NR==1 {print $2}' $logfile)
  432.                     if (($status==200)); then
  433.                         showstatus "TRACE enabled on port $port" $RED
  434.                     else
  435.                         showstatus "disabled (HTTP $status)" $GREEN
  436.                     fi
  437.                 else
  438.                     showstatus "could not connect" $BLUE
  439.                 fi
  440.             fi
  441.             purgelogs
  442.         done
  443.     fi
  444.  
  445.     if (($trace>=$ADVANCED)); then
  446.         setlogfilename "nmap"
  447.         showstatus "trying nmap TRACE method on ports $webports... " $NONEWLINE
  448.         nmap -p$webports --open --script http-trace -oN $logfile $target 1>/dev/null 2>&1 </dev/null
  449.     if [[ -s $logfile ]]; then
  450.             status="$(awk '{FS="/";a[++i]=$1}/TRACE is enabled/{print "TRACE enabled on port "a[NR-1]}' $logfile)"
  451.             if [[ -z "$status" ]]; then
  452.                 grep -q " open " $logfile && status=$OPEN
  453.                 if [[ $OPEN -eq $status ]]; then
  454.                     showstatus "disabled"  $GREEN
  455.                 else
  456.                     showstatus "could not connect" $BLUE
  457.                 fi
  458.             else
  459.                 showstatus "$status" $RED
  460.             fi
  461.         fi
  462.         purgelogs
  463.     fi
  464. }
  465.  
  466. do_webscan() {
  467.     setlogfilename "curl"
  468.     if (($tool!=$ERROR)); then
  469.         for port in ${webports//,/ }; do
  470.             showstatus "trying list $wordlist on $target port $port... "
  471.             local prefix="http://"
  472.             [[ $sslports =~ $port ]] && prefix="--insecure https://"
  473.             if [[ -s "$wordlist" ]]; then
  474.                 while read word; do
  475.                     setlogfilename "curl"
  476.                     curl -q -s -A "$NAME" -I -m 10 -o $logfile $prefix$target/$word </dev/null
  477.                     if [[ -s $logfile ]]; then
  478.                         status=$(awk 'NR==1 {print $2}' $logfile)
  479.                         (($status==200)) && showstatus "$target:$port/$word returns 200 OK" $RED
  480.                     fi
  481.                     purgelogs
  482.                 done < "$wordlist"
  483.             else
  484.                 showstatus "could not open $wordlist" $RED
  485.             fi
  486.         done
  487.     fi
  488. }
  489.  
  490. execute_all() {
  491.     portselection=$(mktemp -q $NAME.XXXXXXX --tmpdir=$workdir)
  492.     if (($whois>=$BASIC)); then
  493.         local nomatch=
  494.         local ip=
  495.         setlogfilename "whois"
  496.         if [[ $target =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
  497.             ip=$target
  498.             local reverse=$(host $target|awk '{print $5}'|sed s'/[.]$//')
  499.             if [[ "$reverse" == "3(NXDOMAIN)" ]] ; then
  500.                 showstatus "$target does not resolve to a PTR record"
  501.             else
  502.                 showstatus "$target resolves to " $NONEWLINE
  503.                 showstatus $reverse $BLUE
  504.             fi
  505.         else
  506.             whois ${target#*.} > $logfile
  507.             grep -q "No match for" $logfile && whois ${target%%*.} > $logfile
  508.             # not all whois servers use the same formatting
  509.             showstatus "$(grep -iE '^(registra|date|admin |tech|name server)(.*):(.*)[^ ]$' $logfile)"
  510.             showstatus "$(awk '/Registrar( Technical Contacts)*:[ ]*$|(Domain )*[Nn]ameservers:[ ]*$|Technical:[ ]*$/{s=1}s; /^$/{s=0}' $logfile)"
  511.             ip=$(host -c IN $target|awk '/address/{print $4}'|head -1)
  512.             if [[ ! -n "$ip" ]]; then
  513.                 showstatus "$target does not resolve to an IP address - aborting scans" $RED
  514.                 purgelogs
  515.                 return
  516.             else
  517.                 showstatus "$target resolves to $ip"
  518.             fi
  519.         fi
  520.         whois -H $ip > $logfile
  521.         showstatus "$(grep -iE '^(inetnum|netrange|netname|nettype|descr|orgname|orgid|originas|country|origin):(.*)[^ ]$' $logfile)"
  522.         if [[ -n "$filter" ]]; then
  523.             if grep -qiE "^(inetnum|netrange|netname|nettype|descr|orgname|orgid|originas|country|origin):.*($filter)" $logfile; then
  524.                 showstatus "WHOIS info matches $filter - continuing scans" $GREEN
  525.             else
  526.                 showstatus "WHOIS info doesn't match $filter - aborting scans on $target" $RED
  527.                 purgelogs
  528.                 return
  529.             fi
  530.         fi
  531.  
  532.         (($whois&$ADVANCED)) && read -p "press any key to continue: " failsafe < stdin
  533.         purgelogs
  534.     fi
  535.  
  536.     (($portscan>=$BASIC)) && do_portscan
  537.     (($dnstest>=$BASIC)) && do_dnstest
  538.     (($fingerprint>=$BASIC)) && do_fingerprint
  539.     (($nikto>=$BASIC)) && do_nikto
  540.     (($sshscan>=$BASIC)) && do_sshscan
  541.     (($sslscan>=$BASIC)) && do_sslscan
  542.     (($trace>=$BASIC)) && do_trace
  543.     (($webscan>=$BASIC)) && do_webscan
  544.     [[ -e "$portselection" ]] && rm $portselection 1>/dev/null 2>&1
  545. }
  546.  
  547. looptargets() {
  548.     if [[ -s "$inputfile" ]]; then
  549.         total=$(grep -c . $inputfile)
  550.         local counter=1
  551.         while read target; do
  552.             if [[ ! -z "$target" ]]; then
  553.                showstatus ""
  554.                showstatus "working on " $NONEWLINE
  555.                showstatus "$target" $BLUE $NONEWLINE
  556.                showstatus " ($counter of $total)"
  557.                let counter=$counter+1
  558.                execute_all
  559.             fi
  560.         done < "$inputfile"
  561.     else
  562.         showstatus ""
  563.         showstatus "working on " $NONEWLINE
  564.         showstatus "$target" $BLUE
  565.         execute_all
  566.     fi
  567. }
  568.  
  569. abortscan() {
  570.     flag=$ERROR
  571.      if (($tool!=$ERROR)); then
  572.          showstatus ""
  573.          showstatus "interrupted $tool while working on $target..." $RED
  574.          purgelogs
  575.          prettyprint "press Ctrl-C again to abort scan, or wait 10 seconds to resume" $BLUE
  576.          sleep 10 && flag=$OPEN
  577.      fi
  578.      ((flag==$ERROR)) && exit 1
  579. }
  580.  
  581. cleanup() {
  582.     trap '' EXIT INT QUIT
  583.     if [[ ! -z $tool ]] && (($ERROR!=$tool)); then
  584.         showstatus "$tool interrupted..." $RED
  585.         purgelogs
  586.     fi
  587.     showstatus "cleaning up temporary files..."
  588.     [[ -e "$portselection" ]] && rm "$portselection"
  589.     [[ -e "$tmpfile" ]] && rm "$tmpfile"
  590.     [[ -n "$workdir" ]] && popd 1>/dev/null
  591.     (($loglevel&$LOGFILE)) && showstatus "logged to $outputfile" $NOLOGFILE
  592.     showstatus "ended on $(date +%d-%m-%Y' at '%R)"
  593.     exit
  594. }
  595.  
  596. if ! options=$(getopt -o ad:fhi:lno:pqstuvwWy -l dns,directory:,filter:,fingerprint,header,inputfile:,log,max,nikto,nocolor,output:,ports,quiet,ssh,ssl,sslports:,timeout:,trace,update,version,webports:,whois,wordlist: -- "$@") ; then
  597.     usage
  598.     exit 1
  599. fi
  600.  
  601. eval set -- $options
  602. if [[ "$#" -le 1 ]]; then
  603.     usage
  604.     exit 1
  605. fi
  606.  
  607. while [[ $# -gt 0 ]]; do
  608.     case $1 in
  609.         -a|--all)
  610.             dnstest=$BASIC
  611.             fingerprint=$BASIC
  612.             nikto=$BASIC
  613.             portscan=$BASIC
  614.             sshscan=$BASIC
  615.             sslscan=$BASIC
  616.             trace=$BASIC
  617.             whois=$BASIC;;
  618.         --allports) portscan=$ADVANCED;;
  619.         --dns) dnstest=$ADVANCED;;
  620.         -f) fingerprint=$BASIC;;
  621.         --fingerprint) fingerprint=$ADVANCED;;
  622.         -h|--header) fingerprint=$ALTERNATIVE;;
  623.         -d|--directory) workdir=$2
  624.             shift ;;
  625.         --filter) filter="$2"
  626.             whois=$ADVANCED
  627.             shift ;;
  628.         -i|--inputfile) inputfile="$2"
  629.             [[ ! $inputfile =~ ^/ ]] && inputfile=$(pwd)/$inputfile
  630.             if [[ ! -s "$inputfile" ]]; then
  631.                 echo "error: cannot find $inputfile"
  632.                 exit 1
  633.             fi          
  634.             shift ;;
  635.         -l) log="TRUE";;
  636.         --max)            
  637.             dnstest=$ADVANCED
  638.             fingerprint=$ADVANCED
  639.             nikto=$ADVANCED
  640.             portscan=$ADVANCED
  641.             sshscan=$ADVANCED
  642.             sslscan=$ADVANCED
  643.             trace=$ADVANCED
  644.             whois=$ADVANCED;;
  645.         -n) nikto=$BASIC;;
  646.         --nikto) nikto=$ADVANCED;;
  647.         --nocolor) nocolor=TRUE;;
  648.         -o|--output)
  649.             let "loglevel=loglevel|$LOGFILE"
  650.             outputfile=$2
  651.             [[ ! $outputfile =~ ^/ ]] && outputfile=$(pwd)/$outputfile
  652.             [[ -s $outputfile ]] && appendfile=1
  653.             shift ;;
  654.         -p) portscan=$BASIC;;
  655.         --ports) portscan=$ADVANCED;;
  656.         --webports) webports=$2
  657.             shift ;;
  658.         --sslports) sslports=$2
  659.             shift ;;
  660.         -q|--quiet) let "loglevel=loglevel|$QUIET";;
  661.         -s) sslscan=$BASIC;;
  662.         --ssh) sshscan=$BASIC;;
  663.         --ssl) sslscan=$ADVANCED;;
  664.         -t) trace=$BASIC;;
  665.         --timeout) timeout=$2
  666.             shift ;;
  667.         --trace) trace=$ADVANCED;;
  668.         -u) do_update && exit 0;;
  669.         --update) do_update 1 && exit 0;;
  670.         -v) let "loglevel=loglevel|$VERBOSE";;
  671.         --version) version;
  672.                    exit 0;;
  673.         -w|--whois) whois=$BASIC;;
  674.         -W) let "whois=whois|$ADVANCED";;
  675.         --wordlist) let "webscan=webscan|$BASIC"
  676.             wordlist=$2
  677.             [[ ! $wordlist =~ ^/ ]] && wordlist=$(pwd)/$wordlist
  678.             shift ;;
  679.         (--) shift;
  680.              break;;
  681.         (-*) echo "$0: unrecognized option $1" 1>&2; exit 1;;
  682.         (*) break;;
  683.     esac
  684.     shift
  685. done
  686.  
  687. if ! type nmap >/dev/null 2>&1; then
  688.     prettyprint "ERROR: the program nmap is needed but could not be found" $RED
  689.     exit
  690. fi
  691.  
  692. if [[ ! -s "$inputfile" ]]; then
  693.     if [[ ! -n "$1" ]]; then
  694.         echo "Nothing to do... no target specified"
  695.         exit
  696.     fi
  697.     umask 177
  698.     if [[ -n "$workdir" ]]; then
  699.         [[ -d $workdir ]] || mkdir $workdir 1>/dev/null 2>&1
  700.     fi
  701.     tmpfile=$(mktemp -q $NAME.XXXXXXX --tmpdir=$workdir)
  702.     if [[ $1 =~ -.*[0-9]$ ]]; then
  703.         nmap -nsL $1 2>/dev/null|awk '/scan report/{print $5}' >$tmpfile
  704.         inputfile=$tmpfile
  705.     fi
  706.     if [[ $1 =~ , ]]; then
  707.         for targets in ${1//,/ }; do
  708.             echo $targets >> $tmpfile
  709.         done
  710.         inputfile=$tmpfile
  711.     fi
  712. fi
  713.  
  714. target=$1
  715. startup
  716. looptargets
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement