2016-10-19 03:52:23 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
2016-10-20 01:40:45 +00:00
|
|
|
require 'rex/proto/http'
|
2016-10-19 03:52:23 +00:00
|
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'ZoomEye Search',
|
|
|
|
'Description' => %q{
|
|
|
|
The module use the ZoomEye API to search ZoomEye. ZoomEye is a search
|
|
|
|
engine for cyberspace that lets the user find specific network
|
2016-10-19 07:23:11 +00:00
|
|
|
components(ip, services, etc.).
|
2016-10-19 03:52:23 +00:00
|
|
|
},
|
|
|
|
'Author' => [ 'Nixawk' ],
|
2016-10-19 07:23:11 +00:00
|
|
|
'References' => [
|
|
|
|
['URL', 'https://github.com/zoomeye/SDK'],
|
|
|
|
['URL', 'https://www.zoomeye.org/api/doc'],
|
|
|
|
['URL', 'https://www.zoomeye.org/help/manual']
|
|
|
|
],
|
2016-10-19 03:52:23 +00:00
|
|
|
'License' => MSF_LICENSE
|
|
|
|
))
|
|
|
|
|
|
|
|
deregister_options('RHOST', 'DOMAIN', 'DigestAuthIIS', 'NTLM::SendLM',
|
|
|
|
'NTLM::SendNTLM', 'VHOST', 'RPORT', 'NTLM::SendSPN', 'NTLM::UseLMKey',
|
|
|
|
'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', 'SSL')
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('ZOOMEYE_APIKEY', [true, 'The ZoomEye API Key']),
|
|
|
|
OptString.new('ZOOMEYE_DORK', [true, 'The ZoomEye Dock']),
|
|
|
|
OptEnum.new('RESOURCE', [true, 'ZoomEye Resource Type', 'host', ['host', 'web']]),
|
|
|
|
OptInt.new('MAXPAGE', [true, 'Max amount of pages to collect', 1])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
2016-10-20 01:40:45 +00:00
|
|
|
# Check to see if api.zoomeye.org resolves properly
|
|
|
|
def zoomeye_resolvable?
|
|
|
|
begin
|
|
|
|
Rex::Socket.resolv_to_dotted("api.zoomeye.org")
|
|
|
|
rescue RuntimeError, SocketError
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
true
|
|
|
|
end
|
|
|
|
|
2016-10-20 01:54:31 +00:00
|
|
|
def dork_search(dork, resource, page)
|
2016-10-19 03:52:23 +00:00
|
|
|
# param: dork
|
|
|
|
# ex: country:cn
|
|
|
|
# access https://www.zoomeye.org/search/dorks for more details.
|
|
|
|
# param: page
|
|
|
|
# total page(s) number
|
|
|
|
# param: resource
|
|
|
|
# set a search resource type, ex: [web, host]
|
|
|
|
# param: facet
|
|
|
|
# ex: [app, device]
|
|
|
|
# A comma-separated list of properties to get summary information
|
|
|
|
|
2016-10-20 01:40:45 +00:00
|
|
|
cli = Rex::Proto::Http::Client.new('api.zoomeye.org', 443, {}, true)
|
|
|
|
cli.connect
|
|
|
|
|
|
|
|
begin
|
|
|
|
req = cli.request_cgi({
|
|
|
|
'uri' => "/#{resource}/search",
|
|
|
|
'method' => 'GET',
|
|
|
|
'headers' => { 'Authorization' => "JWT #{datastore['ZOOMEYE_APIKEY']}" },
|
|
|
|
'vars_get' => {
|
2016-10-20 01:54:31 +00:00
|
|
|
'query' => dork,
|
2016-10-20 01:40:45 +00:00
|
|
|
'page' => page,
|
2016-10-20 01:54:31 +00:00
|
|
|
'facet' => 'ip'
|
2016-10-20 01:40:45 +00:00
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
res = cli.send_recv(req)
|
2016-10-20 01:54:31 +00:00
|
|
|
|
2016-10-20 01:40:45 +00:00
|
|
|
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
|
|
|
|
print_error("HTTP Connection Failed")
|
|
|
|
end
|
2016-10-19 03:52:23 +00:00
|
|
|
|
2016-10-20 01:40:45 +00:00
|
|
|
unless res
|
|
|
|
print_error('server_response_error')
|
|
|
|
return
|
|
|
|
end
|
2016-10-19 03:52:23 +00:00
|
|
|
|
|
|
|
# Invalid Token, Not enough segments
|
|
|
|
# Invalid Token, Signature has expired
|
|
|
|
if res.body =~ /Invalid Token, /
|
|
|
|
fail_with(Failure::BadConfig, '401 Unauthorized. Your ZOOMEYE_APIKEY is invalid')
|
|
|
|
end
|
|
|
|
|
|
|
|
ActiveSupport::JSON.decode(res.body)
|
|
|
|
end
|
|
|
|
|
|
|
|
def match_records?(records)
|
2016-10-20 00:59:02 +00:00
|
|
|
records && records.key?('matches')
|
2016-10-19 03:52:23 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def parse_host_records(records)
|
|
|
|
records.each do |match|
|
|
|
|
host = match['ip']
|
|
|
|
port = match['portinfo']['port']
|
|
|
|
|
|
|
|
report_service(:host => host, :port => port)
|
|
|
|
print_good("Host: #{host} ,PORT: #{port}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_web_records(records)
|
|
|
|
records.each do |match|
|
|
|
|
host = match['ip'][0]
|
|
|
|
domains = match['domains']
|
|
|
|
|
|
|
|
report_host(:host => host)
|
|
|
|
print_good("Host: #{host}, Domains: #{domains}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
2016-10-20 01:40:45 +00:00
|
|
|
# check to ensure api.zoomeye.org is resolvable
|
|
|
|
unless zoomeye_resolvable?
|
|
|
|
print_error("Unable to resolve api.zoomeye.org")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# create ZoomEye request parameters
|
2016-10-19 03:52:23 +00:00
|
|
|
dork = datastore['ZOOMEYE_DORK']
|
|
|
|
resource = datastore['RESOURCE']
|
|
|
|
page = 1
|
|
|
|
maxpage = datastore['MAXPAGE']
|
|
|
|
|
2016-10-20 01:40:45 +00:00
|
|
|
# scroll max pages from ZoomEye
|
2016-10-19 03:52:23 +00:00
|
|
|
while page <= maxpage
|
|
|
|
print_status("ZoomEye #{resource} Search: #{dork} - page: #{page}")
|
|
|
|
results = dork_search(dork, resource, page) if dork
|
|
|
|
break unless match_records?(results)
|
|
|
|
|
|
|
|
matches = results['matches']
|
|
|
|
if resource.include?('web')
|
|
|
|
parse_web_records(matches)
|
|
|
|
else
|
|
|
|
parse_host_records(matches)
|
|
|
|
end
|
|
|
|
page += 1
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|