pwn 0.4.670 → 0.4.672

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d48662417de23f29ea2e4a610b7c79477a98ee0164cbc393848ebc5a389015ec
-  data.tar.gz: c3b99f5416f14f38e7d49ddb749a105805a1b72322713ab9dcf93fd3289d2764
+  metadata.gz: 9c947c88a2f7794cdb7116df8766315e92e2beed8d2911998848ef522d065174
+  data.tar.gz: e04d20bc854c1f8e39fba70bd70c9da49623b1242a05a667886914bff1658186
 SHA512:
-  metadata.gz: b35d6ecd5fdd6a0c3a33cd5fcd19516ba9e8bdb20c56587af541c2ceff0c348cf3c7828e2bbf04b034979b6bad7ad30a4a8f018219d860dc0cb8e72526b760df
-  data.tar.gz: d46298ac157563739c49d686d60df1064cd1cafeecf2d2b02b502c6a3b7804ebf990f9b907ab5382b11c6e868b787e076cd76bd1201b9263869f376379eb114e
+  metadata.gz: 3c79d2adde425d48c119519c791376ac73ab5b30d2de7018b5fc0efc58ae28d1ca7c9c7d1d0adde3532ce9708c67c02054428d0beedf99058717a261412a4f3c
+  data.tar.gz: 98197ecaf90a52bf701faf8c96005eff4dc142682e2c0a8ae00ea7eea93dadfd3cdc1c1bad5119613eecb343532438935e73d7a272927322af8f77ea20455b7f

data/README.md

@@ -37,7 +37,7 @@ $ rvm use ruby-3.2.2@pwn
 $ rvm list gemsets
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.670]:001 >>> PWN.help
+pwn[v0.4.672]:001 >>> PWN.help
 ```
 
 [![Installing the pwn Security Automation Framework](https://raw.githubusercontent.com/0dayInc/pwn/master/documentation/pwn_install.png)](https://youtu.be/G7iLUY4FzsI)
@@ -52,7 +52,7 @@ $ rvm use ruby-3.2.2@pwn
 $ gem uninstall --all --executables pwn
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.670]:001 >>> PWN.help
+pwn[v0.4.672]:001 >>> PWN.help
 ```
 
 

data/bin/pwn_nmap_discover_tcp_udp

@@ -0,0 +1,221 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: false
+
+require 'optparse'
+require 'pwn'
+
+opts = {}
+OptionParser.new do |options|
+  options.banner = "USAGE:
+    #{$PROGRAM_NAME} [opts]
+  "
+
+  options.on('-IRANGE', '--ip-range=RANGE', '<Required - nmap supported ip range e.g. 192.168.1.1-20, 192.168.1.0/24, etc>') do |i|
+    opts[:ip_range] = i
+  end
+
+  options.on('-eFILE', '--target-exclude-file=FILE', '<Optional - nmap excludes file>') do |e|
+    opts[:exclude_file] = e
+  end
+
+  options.on('-iINTERFACE', '--interface=INTERFACE', '<Optional - use specified network interface (Default: eth0)') do |i|
+    opts[:interface] = i
+  end
+
+  options.on('-T', '--tor', '<Optional - Source Scans from Tor Nodes>') do |t|
+    opts[:with_tor] = t
+  end
+end.parse!
+
+if opts.empty?
+  puts `#{$PROGRAM_NAME} --help`
+  exit 1
+end
+
+ip_range = opts[:ip_range]
+exclude_file = opts[:exclude_file]
+exclude_file ||= '/tmp/nmap_targets_exclude.txt'
+interface = opts[:interface]
+interface ||= 'eth0'
+with_tor = true if opts[:with_tor]
+with_tor ||= false
+if with_tor
+  tor_obj = PWN::Plugins::Tor.start
+  proxy = ["socks4://#{tor_obj[:ip]}:#{tor_obj[:port]}"]
+end
+
+File.new(exclude_file, 'w') unless File.exist?(exclude_file)
+nmap_results_root = File.dirname(exclude_file)
+FileUtils.mkdir_p nmap_results_root
+puts "nmap Results Saved in: #{nmap_results_root}"
+
+discovery_ports = {
+  ftp: 21,
+  ssh: 22,
+  telnet: 23,
+  smtp: 25,
+  dns: 53,
+  http: 80,
+  pop3: 110,
+  rpc: 111,
+  ident: 113,
+  ntp: 123,
+  netbios_name_service: 137,
+  netbios_session_service: 139,
+  imap: 143,
+  snmp: 161,
+  ldap: 389,
+  https: 443,
+  smb: 445,
+  smtps: 465,
+  remote_process: 512,
+  login: 513,
+  rsh: 514,
+  ldaps: 636,
+  rsync: 873,
+  imaps: 993,
+  openvpn: 1194,
+  mssql: 1433,
+  oracle: 1521,
+  pptp: 1723,
+  radius: 1812,
+  nfs: 2049,
+  mysql: 3306,
+  rdp: 3389,
+  meterpreter: 4444,
+  upnp: 5000,
+  sip: 5060,
+  postgres: 5432,
+  postgres_alt: 5433,
+  amqp: 5672,
+  vnc: 5900,
+  vncs: 5901,
+  xfree86: 6000,
+  irc: 6667,
+  http_alt: 8080,
+  https_alt: 8443,
+  http_alt2: 8888,
+  http_alt3: 9090,
+  http_alt4: 9999
+}
+
+target_file = "#{nmap_results_root}/nmap_targets.txt"
+latest_discovery_results = "#{nmap_results_root}/nmap_latest_discovery_results"
+latest_tcp_results = "#{nmap_results_root}/nmap_latest_tcp_results"
+latest_udp_results = "#{nmap_results_root}/nmap_latest_udp_results"
+
+begin
+  # Per man nmap:
+  # The main effects of T0 are serializing the scan so only one port
+  # is scanned at a time, and waiting five minutes between sending
+  # each probe.
+  # T1 and T2 are similar but they only wait 15 seconds and 0.4 seconds,
+  # respectively, between probes.
+  # T3 is Nmap's default behavior, which includes parallelization.
+  # T4 does the equivalent of --max-rtt-timeout 1250ms --min-rtt-timeout 100ms
+  # --initial-rtt-timeout 500ms --max-retries 6 and sets the maximum TCP and
+  # SCTP scan delay to 10ms.
+  # T5 does the equivalent of --max-rtt-timeout 300ms --min-rtt-timeout 50ms
+  # --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m
+  # --script-timeout 10m --max-scan-delay as well as setting the maximum TCP
+  # and SCTP scan delay to 5ms. Maximum UDP scan delay is not set by T4 or T5,
+  # but it can be set with the --max-scan-delay option.
+
+  # Target Discovery Scan
+  # Using -T5 template to reduce number of
+  # retransmission attempts on filtered ports.
+  PWN::Plugins::NmapIt.port_scan do |nmap|
+    nmap.exclude_file = exclude_file
+    nmap.interface = interface
+    nmap.insane_timing = true
+    nmap.ping = true
+    nmap.arp_ping = true
+    nmap.icmp_echo_discovery = true
+    nmap.icmp_timestamp_discovery = true
+    nmap.syn_discovery = discovery_ports.values
+    nmap.ack_discovery = discovery_ports.values
+    nmap.udp_discovery = discovery_ports.values
+    nmap.sctp_init_ping = discovery_ports.values
+    nmap.output_all = latest_discovery_results
+    nmap.targets = ip_range
+    nmap.randomize_hosts = true
+    nmap.proxies = proxy if with_tor
+  end
+
+  # Generate targets.txt from discovery above
+  # taking into consideration IPs to skip scans
+  File.open(target_file, 'w') do |f|
+    PWN::Plugins::NmapIt.parse_xml_results(
+      xml_file: "#{latest_discovery_results}.xml"
+    ) do |xml|
+      xml.each_host do |host|
+        f.puts host.ip unless File.read(exclude_file).include?(host.ip)
+      end
+    end
+  end
+  sorted_targets = File.readlines(target_file).sort.join
+  File.write(target_file, sorted_targets)
+
+  # Switch Tor Exit Node if with_tor
+  PWN::Plugins::Tor.switch_exit_node(tor_obj: tor_obj) if with_tor
+
+  # TCP Scan
+  # Using -T5 template to reduce number of
+  # retransmission attempts on filtered ports.
+  PWN::Plugins::NmapIt.port_scan do |nmap|
+    nmap.target_file = target_file
+    nmap.randomize_hosts = true
+    nmap.show_reason = true
+    nmap.exclude_file = exclude_file
+    nmap.interface = interface
+    nmap.min_host_group = 3
+    nmap.host_timeout = '999m'
+    nmap.insane_timing = true
+    nmap.skip_discovery = true
+    nmap.syn_scan = true
+    nmap.default_script = true
+    nmap.update_scriptdb = true
+    nmap.service_scan = true
+    nmap.os_fingerprint = true
+    nmap.verbose = true
+    nmap.all = true
+    nmap.ports = [1..65_535]
+    nmap.output_all = latest_tcp_results
+    nmap.proxies = proxy if with_tor
+  end
+  FileUtils.cp("#{latest_tcp_results}.nmap", "#{latest_tcp_results}.txt")
+
+  # Switch Tor Exit Node if with_tor
+  PWN::Plugins::Tor.switch_exit_node(tor_obj: tor_obj) if with_tor
+
+  # UDP Scan
+  # Using -T5 template to reduce number of
+  # retransmission attempts on filtered ports.
+  PWN::Plugins::NmapIt.port_scan do |nmap|
+    nmap.target_file = target_file
+    nmap.randomize_hosts = true
+    nmap.show_reason = true
+    nmap.exclude_file = exclude_file
+    nmap.interface = interface
+    nmap.min_host_group = 3
+    nmap.host_timeout = '999m'
+    nmap.insane_timing = true
+    nmap.skip_discovery = true
+    nmap.udp_scan = true
+    nmap.default_script = true
+    nmap.update_scriptdb = true
+    nmap.service_scan = true
+    nmap.os_fingerprint = true
+    nmap.verbose = true
+    nmap.all = true
+    nmap.output_all = latest_udp_results
+    nmap.proxies = proxy if with_tor
+  end
+  FileUtils.cp("#{latest_udp_results}.nmap", "#{latest_udp_results}.txt")
+rescue SystemExit, Interrupt
+  puts "\nGoodbye."
+rescue StandardError => e
+  raise e
+ensure
+  tor_obj = PWN::Plugins::Tor.stop(tor_obj: tor_obj) if with_tor
+end

data/lib/pwn/plugins/nmap_it.rb

@@ -5,11 +5,17 @@ require 'nmap/xml'
 
 module PWN
   module Plugins
-    # This plugin is used as an  interface to nmap, the exploration tool and security / port scanner.
+    # This plugin is used as an  interface to nmap, the exploration tool and security / port scanner.  More info on available options can be found at: https://github.com/postmodern/ruby-nmap/blob/main/lib/nmap/command.rb
     module NmapIt
       # Supported Method Parameters::
       # PWN::Plugins::NmapIt.port_scan do |nmap|
       #   puts nmap.public_methods
+      #   nmap.connect_scan = true
+      #   nmap.service_scan = true
+      #   nmap.verbose = true
+      #   nmap.ports = [1..1024,1337]
+      #   nmap.targets = '127.0.0.1'
+      #   nmap.xml = '/tmp/nmap_port_scan_res.xml'
       # end
 
       public_class_method def self.port_scan

data/lib/pwn/plugins/openvas.rb

@@ -147,9 +147,10 @@ module PWN
       # PWN::Plugins::OpenVAS.save_report(
       #   report_type: 'required report type (csv|itg|pdf|txt|xml)',
       #   report_id: 'required report id to save',
-      #   report_filter: 'optional - results filter (Default: "")
+      #   report_dir: 'required directory to save report',
       #   username: 'required username',
-      #   password: 'optional password (will prompt if nil)'
+      #   password: 'optional password (will prompt if nil)',
+      #   report_filter: 'optional - results filter (Default: "apply_overrides=0 levels=hml rows=1000 min_qod=70 first=1 sort-reverse=severity")
       # )
 
       public_class_method def self.save_report(opts = {})
@@ -160,9 +161,6 @@ module PWN
           report_dir
         )
 
-        report_filter = opts[:report_filter]
-        report_filter ||= 'apply_overrides=0 levels=hml rows=1000 min_qod=70 first=1 sort-reverse=severity'
-
         username = opts[:username].to_s.scrub
 
         password = if opts[:password].nil?
@@ -171,6 +169,9 @@ module PWN
                      opts[:password].to_s.scrub
                    end
 
+        report_filter = opts[:report_filter]
+        report_filter ||= 'apply_overrides=0 levels=hml rows=1000 min_qod=70 first=1 sort-reverse=severity'
+
         case report_type.to_sym
         when :csv
           report_type_name = 'CSV Results'
@@ -296,7 +297,8 @@ module PWN
             report_id: 'required report id to save',
             report_dir: 'required directory to save report',
             username: 'required username',
-            password: 'optional password (will prompt if nil)'
+            password: 'optional password (will prompt if nil)',
+            report_filter: 'optional - results filter (Default: \"apply_overrides=0 levels=hml rows=1000 min_qod=70 first=1 sort-reverse=severity\")
           )
 
           report_types = #{self}.get_report_types(

data/lib/pwn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PWN
-  VERSION = '0.4.670'
+  VERSION = '0.4.672'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pwn
 version: !ruby/object:Gem::Version
-  version: 0.4.670
+  version: 0.4.672
 platform: ruby
 authors:
 - 0day Inc.
@@ -1123,6 +1123,7 @@ executables:
 - pwn_nessus_cloud_scan_crud
 - pwn_nessus_cloud_vulnscan
 - pwn_nexpose
+- pwn_nmap_discover_tcp_udp
 - pwn_openvas_vulnscan
 - pwn_owasp_zap_active_scan
 - pwn_pastebin_sample_filter
@@ -1190,6 +1191,7 @@ files:
 - bin/pwn_nessus_cloud_scan_crud
 - bin/pwn_nessus_cloud_vulnscan
 - bin/pwn_nexpose
+- bin/pwn_nmap_discover_tcp_udp
 - bin/pwn_openvas_vulnscan
 - bin/pwn_owasp_zap_active_scan
 - bin/pwn_pastebin_sample_filter