DOOM_SEC是在thorn上实现的分布式任务分发的ip端口漏洞扫描器
nmap扫描端口分发,可port,service,banner多种命中,检测插件可水平拓展
依赖https://github.com/ring04h/thorns ,向ring0致敬
##关于任务调度
跳转到https://github.com/ring04h/thorns
##关于port分发命中 你能从nmap中拿到的结果是port,service,banner。所以你需要根据三个参数来命中你的扫描插件
目前已经添加的检测模块是心脏滴血、structs远程代码执行、svn泄露、IIS TTP.sys检测、struts classloader漏洞检测、常见端口弱口令、破壳漏洞、备份代码扫描、
jboss及zabbix扫描、http服务banner的收集、es部分漏洞等
global_words = {
#心脏滴血check
"openssl" : {
"script" : "exp/PoC.py -p %(port)s %(address)s",
"port" : [443,587,465,995,8443],
"service" : ["https","smtp","pop","imap","https-alt"],
"banner": "None"
},
"structs" : {
"script" : "exp/new_check_struts2.py %(address)s %(port)s",
"port": [80,81,8080,8000,8443,9090],
"service":["http","http-alt","http-proxy","unknown","xmpp"],
"banner": "None"
},
"svn":{
"script" : "exp/svn.py %(address)s %(port)s",
"port" : [80,443],
"service":["http","http-alt","https","http-proxy","unknown","xmpp"],
"banner" : "None"
},
"iis":{
"script" : "exp/iis.py %(address)s %(port)s",
"port" : [80,81,8080,8000,8443,9090],
"service": ["None"],
"banner": "iis"
},
"classloader":{
"script" : "exp/classloader.py %(address)s %(port)s",
"port" : [80,443],
"service":["http","http-alt","http-proxy","unknown","xmpp"],
"banner" : "None"
},
"hydra":{
"script" : "exp/hydra.py %(address)s %(service)s %(port)s",
"port" : [21,22,3306],
"service": ["ssh","mysql","ftp","smtp"],
"banner": "None"
},
"backup":{
"script" : "exp/backup_check.php -t %(address)s -p %(port)s",
"port": [80,81,8080,8000,8443,9090],
"service":["http","http-alt","http-proxy","unknown","xmpp"],
"banner" : "None"
},
"shockbash":{
"script": "exp/shellshock.py %(address)s %(port)s",
"port": [80,81,8080,8000,8443,9090],
"service":["http","http-alt","http-proxy","unknown","xmpp"],
"banner" : "None"
},
"fastcgi":{
"script": "exp/fast_cgi.py %(address)s",
"port" : [9000],
"service": ["None"],
"banner" : "None"
},
"es20153337":{
"script": "exp/es20153337.py %(address)s /etc/passwd",
"port" : [9200],
"service": ["None"],
"banner" : "None"
},
"WeakBanner":{
"script": "exp/jboss.py %(address)s %(port)s",
"port": [80,81,8080,8000,8443,9090],
"service":["http","http-alt","http-proxy","unknown","xmpp"],
"banner":"JBoss"
},
"banner":{
"script": "exp/banner.py %(address)s %(port)s",
"port": [80,81,443,88,8080,8081,8000,8443,9090],
"service":["http","https","https-alt","http-alt","http-proxy","unknown","xmpp"],
"banner":"None"
},
"rsync":{
"script": "exp/rsync.py %(address)s %(port)s",
"port": [873],
"service":["rsync"],
"banner":"extrainfo"
},
"test" : {
"script" : "exp/test.py",
"port" : [3306],
"service" : ["mysql"],
"banner": "None"
}
}##如何添加一个插件
在exp目录下添加你的exp,检测到存在漏洞后输出wakaka~即可,如这个弱口令扫描的
#!/usr/bin/python
#coding:utf-8
#author:root@1137.me
import sys
import subprocess
import time
globalUserFile = "exp/hydra/user.txt"
globalPassFile = "exp/hydra/pass.txt"
globalTimeout = 60
def hydraCheck(target,port,service):
cmdLine = 'hydra -L %s -P %s -s %s -e ns %s %s' %(globalUserFile, globalPassFile, port, target, service )
print cmdLine
proc = subprocess.Popen(cmdLine,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE,close_fds=True)
deadline = time.time() + globalTimeout
while time.time() < deadline and proc.poll() == None:
time.sleep(globalTimeout)
if proc.poll() == None:
proc.terminate()
output,stderr = proc.communicate()
print output
#output = proc.stdout.readlines()
if "password" in output:
print "~wakaka"
return output
命中输出wakaka即可
##如何使用
- 参考thorn
- 你需要修改以下两个文件的smtp信息的配置为你的
- util/phpmail.php
- util/secmail.py
- 部分插件依赖mongo,mysql,redis,请安装他们
##最后
Enjoy It