pwn 0.4.670 → 0.4.672
- checksums.yaml +4 -4
- data/README.md +2 -2
- data/bin/pwn_nmap_discover_tcp_udp +221 -0
- data/lib/pwn/plugins/nmap_it.rb +7 -1
- data/lib/pwn/plugins/openvas.rb +8 -6
- data/lib/pwn/version.rb +1 -1
- metadata +3 -1
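--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9c947c88a2f7794cdb7116df8766315e92e2beed8d2911998848ef522d065174
+data.tar.gz: e04d20bc854c1f8e39fba70bd70c9da49623b1242a05a667886914bff1658186
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3c79d2adde425d48c119519c791376ac73ab5b30d2de7018b5fc0efc58ae28d1ca7c9c7d1d0adde3532ce9708c67c02054428d0beedf99058717a261412a4f3c
+data.tar.gz: 98197ecaf90a52bf701faf8c96005eff4dc142682e2c0a8ae00ea7eea93dadfd3cdc1c1bad5119613eecb343532438935e73d7a272927322af8f77ea20455b7f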
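--- a/data/README.md
+++ b/data/README.md
@@ -37,7 +37,7 @@ $ rvm use ruby-3.2.2@pwn
 $ rvm list gemsets
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.
+pwn[v0.4.672]:001 >>> PWN.help
 ```
 
 [![Installing the pwn Security Automation Framework](https://raw.githubusercontent.com/0dayInc/pwn/master/documentation/pwn_install.png)](https://youtu.be/G7iLUY4FzsI)
@@ -52,7 +52,7 @@ $ rvm use ruby-3.2.2@pwn
 $ gem uninstall --all --executables pwn
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.
+pwn[v0.4.672]:001 >>> PWN.help
 ```
 
 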
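--- /dev/null
+++ b/data/bin/pwn_nmap_discover_tcp_udp
@@ -0,0 +1,221 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: false
+
+require 'optparse'
+require 'pwn'
+
+opts = {}
+OptionParser.new do |options|
+options.banner = "USAGE:
+#{$PROGRAM_NAME} [opts]
+"
+
+options.on('-IRANGE', '--ip-range=RANGE', '<Required - nmap supported ip range e.g. 192.168.1.1-20, 192.168.1.0/24, etc>') do |i|
+opts[:ip_range] = i
+end
+
+options.on('-eFILE', '--target-exclude-file=FILE', '<Optional - nmap excludes file>') do |e|
+opts[:exclude_file] = e
+end
+
+options.on('-iINTERFACE', '--interface=INTERFACE', '<Optional - use specified network interface (Default: eth0)') do |i|
+opts[:interface] = i
+end
+
+options.on('-T', '--tor', '<Optional - Source Scans from Tor Nodes>') do |t|
+opts[:with_tor] = t
+end
+end.parse!
+
+if opts.empty?
+puts `#{$PROGRAM_NAME} --help`
+exit 1
+end
+
+ip_range = opts[:ip_range]
+exclude_file = opts[:exclude_file]
+exclude_file ||= '/tmp/nmap_targets_exclude.txt'
+interface = opts[:interface]
+interface ||= 'eth0'
+with_tor = true if opts[:with_tor]
+with_tor ||= false
+if with_tor
+tor_obj = PWN::Plugins::Tor.start
+proxy = ["socks4://#{tor_obj[:ip]}:#{tor_obj[:port]}"]
+end
+
+File.new(exclude_file, 'w') unless File.exist?(exclude_file)
+nmap_results_root = File.dirname(exclude_file)
+FileUtils.mkdir_p nmap_results_root
+puts "nmap Results Saved in: #{nmap_results_root}"
+
+discovery_ports = {
+ftp: 21,
+ssh: 22,
+telnet: 23,
+smtp: 25,
+dns: 53,
+http: 80,
+pop3: 110,
+rpc: 111,
+ident: 113,
+ntp: 123,
+netbios_name_service: 137,
+netbios_session_service: 139,
+imap: 143,
+snmp: 161,
+ldap: 389,
+https: 443,
+smb: 445,
+smtps: 465,
+remote_process: 512,
+login: 513,
+rsh: 514,
+ldaps: 636,
+rsync: 873,
+imaps: 993,
+openvpn: 1194,
+mssql: 1433,
+oracle: 1521,
+pptp: 1723,
+radius: 1812,
+nfs: 2049,
+mysql: 3306,
+rdp: 3389,
+meterpreter: 4444,
+upnp: 5000,
+sip: 5060,
+postgres: 5432,
+postgres_alt: 5433,
+amqp: 5672,
+vnc: 5900,
+vncs: 5901,
+xfree86: 6000,
+irc: 6667,
+http_alt: 8080,
+https_alt: 8443,
+http_alt2: 8888,
+http_alt3: 9090,
+http_alt4: 9999
+}
+
+target_file = "#{nmap_results_root}/nmap_targets.txt"
+latest_discovery_results = "#{nmap_results_root}/nmap_latest_discovery_results"
+latest_tcp_results = "#{nmap_results_root}/nmap_latest_tcp_results"
+latest_udp_results = "#{nmap_results_root}/nmap_latest_udp_results"
+
+begin
+# Per man nmap:
+# The main effects of T0 are serializing the scan so only one port
+# is scanned at a time, and waiting five minutes between sending
+# each probe.
+# T1 and T2 are similar but they only wait 15 seconds and 0.4 seconds,
+# respectively, between probes.
+# T3 is Nmap's default behavior, which includes parallelization.
+# T4 does the equivalent of --max-rtt-timeout 1250ms --min-rtt-timeout 100ms
+# --initial-rtt-timeout 500ms --max-retries 6 and sets the maximum TCP and
+# SCTP scan delay to 10ms.
+# T5 does the equivalent of --max-rtt-timeout 300ms --min-rtt-timeout 50ms
+# --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m
+# --script-timeout 10m --max-scan-delay as well as setting the maximum TCP
+# and SCTP scan delay to 5ms. Maximum UDP scan delay is not set by T4 or T5,
+# but it can be set with the --max-scan-delay option.
+
+# Target Discovery Scan
+# Using -T5 template to reduce number of
+# retransmission attempts on filtered ports.
+PWN::Plugins::NmapIt.port_scan do |nmap|
+nmap.exclude_file = exclude_file
+nmap.interface = interface
+nmap.insane_timing = true
+nmap.ping = true
+nmap.arp_ping = true
+nmap.icmp_echo_discovery = true
+nmap.icmp_timestamp_discovery = true
+nmap.syn_discovery = discovery_ports.values
+nmap.ack_discovery = discovery_ports.values
+nmap.udp_discovery = discovery_ports.values
+nmap.sctp_init_ping = discovery_ports.values
+nmap.output_all = latest_discovery_results
+nmap.targets = ip_range
+nmap.randomize_hosts = true
+nmap.proxies = proxy if with_tor
+end
+
+# Generate targets.txt from discovery above
+# taking into consideration IPs to skip scans
+File.open(target_file, 'w') do |f|
+PWN::Plugins::NmapIt.parse_xml_results(
+xml_file: "#{latest_discovery_results}.xml"
+) do |xml|
+xml.each_host do |host|
+f.puts host.ip unless File.read(exclude_file).include?(host.ip)
+end
+end
+end
+sorted_targets = File.readlines(target_file).sort.join
+File.write(target_file, sorted_targets)
+
+# Switch Tor Exit Node if with_tor
+PWN::Plugins::Tor.switch_exit_node(tor_obj: tor_obj) if with_tor
+
+# TCP Scan
+# Using -T5 template to reduce number of
+# retransmission attempts on filtered ports.
+PWN::Plugins::NmapIt.port_scan do |nmap|
+nmap.target_file = target_file
+nmap.randomize_hosts = true
+nmap.show_reason = true
+nmap.exclude_file = exclude_file
+nmap.interface = interface
+nmap.min_host_group = 3
+nmap.host_timeout = '999m'
+nmap.insane_timing = true
+nmap.skip_discovery = true
+nmap.syn_scan = true
+nmap.default_script = true
+nmap.update_scriptdb = true
+nmap.service_scan = true
+nmap.os_fingerprint = true
+nmap.verbose = true
+nmap.all = true
+nmap.ports = [1..65_535]
+nmap.output_all = latest_tcp_results
+nmap.proxies = proxy if with_tor
+end
+FileUtils.cp("#{latest_tcp_results}.nmap", "#{latest_tcp_results}.txt")
+
+# Switch Tor Exit Node if with_tor
+PWN::Plugins::Tor.switch_exit_node(tor_obj: tor_obj) if with_tor
+
+# UDP Scan
+# Using -T5 template to reduce number of
+# retransmission attempts on filtered ports.
+PWN::Plugins::NmapIt.port_scan do |nmap|
+nmap.target_file = target_file
+nmap.randomize_hosts = true
+nmap.show_reason = true
+nmap.exclude_file = exclude_file
+nmap.interface = interface
+nmap.min_host_group = 3
+nmap.host_timeout = '999m'
+nmap.insane_timing = true
+nmap.skip_discovery = true
+nmap.udp_scan = true
+nmap.default_script = true
+nmap.update_scriptdb = true
+nmap.service_scan = true
+nmap.os_fingerprint = true
+nmap.verbose = true
+nmap.all = true
+nmap.output_all = latest_udp_results
+nmap.proxies = proxy if with_tor
+end
+FileUtils.cp("#{latest_udp_results}.nmap", "#{latest_udp_results}.txt")
+rescue SystemExit, Interrupt
+puts "\nGoodbye."
+rescue StandardError => e
+raise e
+ensure
+tor_obj = PWN::Plugins::Tor.stop(tor_obj: tor_obj) if with_tor
+end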
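Review bot: The exclusion check at new line 152, `f.puts host.ip unless File.read(exclude_file).include?(host.ip)`, is a substring match over the whole file, so an exclude entry of 10.0.0.1 also drops 10.0.0.10 through 10.0.0.19 and 110.0.0.1 from nmap_targets.txt, and the file is re-read for every discovered host; read it once before the loop, `excluded = File.readlines(exclude_file, chomp: true).map(&:strip)`, and compare whole entries, `f.puts host.ip unless excluded.include?(host.ip)`. The default exclude file, and therefore `nmap_results_root` (lines 37 and 48), land in /tmp, so on a shared host the target list and the full TCP/UDP results are written to a world-writable directory and a pre-existing /tmp/nmap_targets_exclude.txt owned by another user would be honoured silently; a per-user default such as a directory under `Dir.home`, or at least an ownership check before `File.new(exclude_file, 'w')`, would be safer. Lines 40-41, `with_tor = true if opts[:with_tor]` followed by `with_tor ||= false`, reduce to `with_tor = opts[:with_tor] ? true : false`, and the `rescue StandardError => e` / `raise e` pair at lines 217-218 re-raises unchanged and can be dropped. The script also uses `FileUtils` without requiring 'fileutils', which presumably only works because 'pwn' loads it.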
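--- a/data/lib/pwn/plugins/nmap_it.rb
+++ b/data/lib/pwn/plugins/nmap_it.rb
@@ -5,11 +5,17 @@ require 'nmap/xml'
 
 module PWN
 module Plugins
-# This plugin is used as an interface to nmap, the exploration tool and security / port scanner.
+# This plugin is used as an interface to nmap, the exploration tool and security / port scanner. More info on available options can be found at: https://github.com/postmodern/ruby-nmap/blob/main/lib/nmap/command.rb
 module NmapIt
 # Supported Method Parameters::
 # PWN::Plugins::NmapIt.port_scan do |nmap|
 # puts nmap.public_methods
+# nmap.connect_scan = true
+# nmap.service_scan = true
+# nmap.verbose = true
+# nmap.ports = [1..1024,1337]
+# nmap.targets = '127.0.0.1'
+# nmap.xml = '/tmp/nmap_port_scan_res.xml'
 # end
 
 public_class_method def self.port_scan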
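--- a/data/lib/pwn/plugins/openvas.rb
+++ b/data/lib/pwn/plugins/openvas.rb
@@ -147,9 +147,10 @@ module PWN
 # PWN::Plugins::OpenVAS.save_report(
 # report_type: 'required report type (csv|itg|pdf|txt|xml)',
 # report_id: 'required report id to save',
-#
+# report_dir: 'required directory to save report',
 # username: 'required username',
-# password: 'optional password (will prompt if nil)'
+# password: 'optional password (will prompt if nil)',
+# report_filter: 'optional - results filter (Default: "apply_overrides=0 levels=hml rows=1000 min_qod=70 first=1 sort-reverse=severity")
 # )
 
 public_class_method def self.save_report(opts = {})
@@ -160,9 +161,6 @@ module PWN
 report_dir
 )
 
-report_filter = opts[:report_filter]
-report_filter ||= 'apply_overrides=0 levels=hml rows=1000 min_qod=70 first=1 sort-reverse=severity'
-
 username = opts[:username].to_s.scrub
 
 password = if opts[:password].nil?
@@ -171,6 +169,9 @@ module PWN
 opts[:password].to_s.scrub
 end
 
+report_filter = opts[:report_filter]
+report_filter ||= 'apply_overrides=0 levels=hml rows=1000 min_qod=70 first=1 sort-reverse=severity'
+
 case report_type.to_sym
 when :csv
 report_type_name = 'CSV Results'
@@ -296,7 +297,8 @@ module PWN
 report_id: 'required report id to save',
 report_dir: 'required directory to save report',
 username: 'required username',
-password: 'optional password (will prompt if nil)'
+password: 'optional password (will prompt if nil)',
+report_filter: 'optional - results filter (Default: \"apply_overrides=0 levels=hml rows=1000 min_qod=70 first=1 sort-reverse=severity\")
 )
 
 report_types = #{self}.get_report_types(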
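Review bot: The new `report_filter` documentation line in the first hunk (new line 153) is missing its closing single quote after the `)`, unlike every other entry in the Supported Method Parameters block, and the same omission appears in the help text of the last hunk (new line 301), where the entry should end `sort-reverse=severity\")',`. Moving `report_filter = opts[:report_filter]` below the password prompt in the third hunk changes nothing functionally, since the default is only applied when the key is absent. The filter value is caller-supplied and is presumably interpolated into a GMP filter string later in save_report, outside this hunk; if so, a short comment next to the default on what characters are escaped, or a check that the filter only contains the expected `key=value` tokens, would make the contract explicit.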
data/lib/pwn/version.rb
CHANGED
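--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pwn
 version: !ruby/object:Gem::Version
-version: 0.4.
+version: 0.4.672
 platform: ruby
 authors:
 - 0day Inc.
@@ -1123,6 +1123,7 @@ executables:
 - pwn_nessus_cloud_scan_crud
 - pwn_nessus_cloud_vulnscan
 - pwn_nexpose
+- pwn_nmap_discover_tcp_udp
 - pwn_openvas_vulnscan
 - pwn_owasp_zap_active_scan
 - pwn_pastebin_sample_filter
@@ -1190,6 +1191,7 @@ files:
 - bin/pwn_nessus_cloud_scan_crud
 - bin/pwn_nessus_cloud_vulnscan
 - bin/pwn_nexpose
+- bin/pwn_nmap_discover_tcp_udp
 - bin/pwn_openvas_vulnscan
 - bin/pwn_owasp_zap_active_scan
 - bin/pwn_pastebin_sample_filter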