souleyez 2.43.29__py3-none-any.whl → 2.43.34__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- souleyez/__init__.py +1 -2
- souleyez/ai/__init__.py +21 -15
- souleyez/ai/action_mapper.py +249 -150
- souleyez/ai/chain_advisor.py +116 -100
- souleyez/ai/claude_provider.py +29 -28
- souleyez/ai/context_builder.py +80 -62
- souleyez/ai/executor.py +158 -117
- souleyez/ai/feedback_handler.py +136 -121
- souleyez/ai/llm_factory.py +27 -20
- souleyez/ai/llm_provider.py +4 -2
- souleyez/ai/ollama_provider.py +6 -9
- souleyez/ai/ollama_service.py +44 -37
- souleyez/ai/path_scorer.py +91 -76
- souleyez/ai/recommender.py +176 -144
- souleyez/ai/report_context.py +74 -73
- souleyez/ai/report_service.py +84 -66
- souleyez/ai/result_parser.py +222 -229
- souleyez/ai/safety.py +67 -44
- souleyez/auth/__init__.py +23 -22
- souleyez/auth/audit.py +36 -26
- souleyez/auth/engagement_access.py +65 -48
- souleyez/auth/permissions.py +14 -3
- souleyez/auth/session_manager.py +54 -37
- souleyez/auth/user_manager.py +109 -64
- souleyez/commands/audit.py +40 -43
- souleyez/commands/auth.py +35 -15
- souleyez/commands/deliverables.py +55 -50
- souleyez/commands/engagement.py +47 -28
- souleyez/commands/license.py +32 -23
- souleyez/commands/screenshots.py +36 -32
- souleyez/commands/user.py +82 -36
- souleyez/config.py +52 -44
- souleyez/core/credential_tester.py +87 -81
- souleyez/core/cve_mappings.py +179 -192
- souleyez/core/cve_matcher.py +162 -148
- souleyez/core/msf_auto_mapper.py +100 -83
- souleyez/core/msf_chain_engine.py +294 -256
- souleyez/core/msf_database.py +153 -70
- souleyez/core/msf_integration.py +679 -673
- souleyez/core/msf_rpc_client.py +40 -42
- souleyez/core/msf_rpc_manager.py +77 -79
- souleyez/core/msf_sync_manager.py +241 -181
- souleyez/core/network_utils.py +22 -15
- souleyez/core/parser_handler.py +34 -25
- souleyez/core/pending_chains.py +114 -63
- souleyez/core/templates.py +158 -107
- souleyez/core/tool_chaining.py +9526 -2879
- souleyez/core/version_utils.py +79 -94
- souleyez/core/vuln_correlation.py +136 -89
- souleyez/core/web_utils.py +33 -32
- souleyez/data/wordlists/ad_users.txt +378 -0
- souleyez/data/wordlists/api_endpoints_large.txt +769 -0
- souleyez/data/wordlists/home_dir_sensitive.txt +39 -0
- souleyez/data/wordlists/lfi_payloads.txt +82 -0
- souleyez/data/wordlists/passwords_brute.txt +1548 -0
- souleyez/data/wordlists/passwords_crack.txt +2479 -0
- souleyez/data/wordlists/passwords_spray.txt +386 -0
- souleyez/data/wordlists/subdomains_large.txt +5057 -0
- souleyez/data/wordlists/usernames_common.txt +694 -0
- souleyez/data/wordlists/web_dirs_large.txt +4769 -0
- souleyez/detection/__init__.py +1 -1
- souleyez/detection/attack_signatures.py +12 -17
- souleyez/detection/mitre_mappings.py +61 -55
- souleyez/detection/validator.py +97 -86
- souleyez/devtools.py +23 -10
- souleyez/docs/README.md +4 -4
- souleyez/docs/api-reference/cli-commands.md +2 -2
- souleyez/docs/developer-guide/adding-new-tools.md +562 -0
- souleyez/docs/user-guide/auto-chaining.md +30 -8
- souleyez/docs/user-guide/getting-started.md +1 -1
- souleyez/docs/user-guide/installation.md +26 -3
- souleyez/docs/user-guide/metasploit-integration.md +2 -2
- souleyez/docs/user-guide/rbac.md +1 -1
- souleyez/docs/user-guide/scope-management.md +1 -1
- souleyez/docs/user-guide/siem-integration.md +1 -1
- souleyez/docs/user-guide/tools-reference.md +1 -8
- souleyez/docs/user-guide/worker-management.md +1 -1
- souleyez/engine/background.py +1239 -535
- souleyez/engine/base.py +4 -1
- souleyez/engine/job_status.py +17 -49
- souleyez/engine/log_sanitizer.py +103 -77
- souleyez/engine/manager.py +38 -7
- souleyez/engine/result_handler.py +2200 -1550
- souleyez/engine/worker_manager.py +50 -41
- souleyez/export/evidence_bundle.py +72 -62
- souleyez/feature_flags/features.py +16 -20
- souleyez/feature_flags.py +5 -9
- souleyez/handlers/__init__.py +11 -0
- souleyez/handlers/base.py +188 -0
- souleyez/handlers/bash_handler.py +277 -0
- souleyez/handlers/bloodhound_handler.py +243 -0
- souleyez/handlers/certipy_handler.py +311 -0
- souleyez/handlers/crackmapexec_handler.py +486 -0
- souleyez/handlers/dnsrecon_handler.py +344 -0
- souleyez/handlers/enum4linux_handler.py +400 -0
- souleyez/handlers/evil_winrm_handler.py +493 -0
- souleyez/handlers/ffuf_handler.py +815 -0
- souleyez/handlers/gobuster_handler.py +1114 -0
- souleyez/handlers/gpp_extract_handler.py +334 -0
- souleyez/handlers/hashcat_handler.py +444 -0
- souleyez/handlers/hydra_handler.py +563 -0
- souleyez/handlers/impacket_getuserspns_handler.py +343 -0
- souleyez/handlers/impacket_psexec_handler.py +222 -0
- souleyez/handlers/impacket_secretsdump_handler.py +426 -0
- souleyez/handlers/john_handler.py +286 -0
- souleyez/handlers/katana_handler.py +425 -0
- souleyez/handlers/kerbrute_handler.py +298 -0
- souleyez/handlers/ldapsearch_handler.py +636 -0
- souleyez/handlers/lfi_extract_handler.py +464 -0
- souleyez/handlers/msf_auxiliary_handler.py +408 -0
- souleyez/handlers/msf_exploit_handler.py +380 -0
- souleyez/handlers/nikto_handler.py +413 -0
- souleyez/handlers/nmap_handler.py +821 -0
- souleyez/handlers/nuclei_handler.py +359 -0
- souleyez/handlers/nxc_handler.py +371 -0
- souleyez/handlers/rdp_sec_check_handler.py +353 -0
- souleyez/handlers/registry.py +292 -0
- souleyez/handlers/responder_handler.py +232 -0
- souleyez/handlers/service_explorer_handler.py +434 -0
- souleyez/handlers/smbclient_handler.py +344 -0
- souleyez/handlers/smbmap_handler.py +510 -0
- souleyez/handlers/smbpasswd_handler.py +296 -0
- souleyez/handlers/sqlmap_handler.py +1116 -0
- souleyez/handlers/theharvester_handler.py +601 -0
- souleyez/handlers/web_login_test_handler.py +327 -0
- souleyez/handlers/whois_handler.py +277 -0
- souleyez/handlers/wpscan_handler.py +554 -0
- souleyez/history.py +32 -16
- souleyez/importers/msf_importer.py +106 -75
- souleyez/importers/smart_importer.py +208 -147
- souleyez/integrations/siem/__init__.py +10 -10
- souleyez/integrations/siem/base.py +17 -18
- souleyez/integrations/siem/elastic.py +108 -122
- souleyez/integrations/siem/factory.py +207 -80
- souleyez/integrations/siem/googlesecops.py +146 -154
- souleyez/integrations/siem/rule_mappings/__init__.py +1 -1
- souleyez/integrations/siem/rule_mappings/wazuh_rules.py +8 -5
- souleyez/integrations/siem/sentinel.py +107 -109
- souleyez/integrations/siem/splunk.py +246 -212
- souleyez/integrations/siem/wazuh.py +65 -71
- souleyez/integrations/wazuh/__init__.py +5 -5
- souleyez/integrations/wazuh/client.py +70 -93
- souleyez/integrations/wazuh/config.py +85 -57
- souleyez/integrations/wazuh/host_mapper.py +28 -36
- souleyez/integrations/wazuh/sync.py +78 -68
- souleyez/intelligence/__init__.py +4 -5
- souleyez/intelligence/correlation_analyzer.py +309 -295
- souleyez/intelligence/exploit_knowledge.py +661 -623
- souleyez/intelligence/exploit_suggestions.py +159 -139
- souleyez/intelligence/gap_analyzer.py +132 -97
- souleyez/intelligence/gap_detector.py +251 -214
- souleyez/intelligence/sensitive_tables.py +266 -129
- souleyez/intelligence/service_parser.py +137 -123
- souleyez/intelligence/surface_analyzer.py +407 -268
- souleyez/intelligence/target_parser.py +159 -162
- souleyez/licensing/__init__.py +6 -6
- souleyez/licensing/validator.py +17 -19
- souleyez/log_config.py +79 -54
- souleyez/main.py +1505 -687
- souleyez/migrations/fix_job_counter.py +16 -14
- souleyez/parsers/bloodhound_parser.py +41 -39
- souleyez/parsers/crackmapexec_parser.py +178 -111
- souleyez/parsers/dalfox_parser.py +72 -77
- souleyez/parsers/dnsrecon_parser.py +103 -91
- souleyez/parsers/enum4linux_parser.py +183 -153
- souleyez/parsers/ffuf_parser.py +29 -25
- souleyez/parsers/gobuster_parser.py +301 -41
- souleyez/parsers/hashcat_parser.py +324 -79
- souleyez/parsers/http_fingerprint_parser.py +350 -103
- souleyez/parsers/hydra_parser.py +131 -111
- souleyez/parsers/impacket_parser.py +231 -178
- souleyez/parsers/john_parser.py +98 -86
- souleyez/parsers/katana_parser.py +316 -0
- souleyez/parsers/msf_parser.py +943 -498
- souleyez/parsers/nikto_parser.py +346 -65
- souleyez/parsers/nmap_parser.py +262 -174
- souleyez/parsers/nuclei_parser.py +40 -44
- souleyez/parsers/responder_parser.py +26 -26
- souleyez/parsers/searchsploit_parser.py +74 -74
- souleyez/parsers/service_explorer_parser.py +279 -0
- souleyez/parsers/smbmap_parser.py +180 -124
- souleyez/parsers/sqlmap_parser.py +434 -308
- souleyez/parsers/theharvester_parser.py +75 -57
- souleyez/parsers/whois_parser.py +135 -94
- souleyez/parsers/wpscan_parser.py +278 -190
- souleyez/plugins/afp.py +44 -36
- souleyez/plugins/afp_brute.py +114 -46
- souleyez/plugins/ard.py +48 -37
- souleyez/plugins/bloodhound.py +95 -61
- souleyez/plugins/certipy.py +303 -0
- souleyez/plugins/crackmapexec.py +186 -85
- souleyez/plugins/dalfox.py +120 -59
- souleyez/plugins/dns_hijack.py +146 -41
- souleyez/plugins/dnsrecon.py +97 -61
- souleyez/plugins/enum4linux.py +91 -66
- souleyez/plugins/evil_winrm.py +291 -0
- souleyez/plugins/ffuf.py +166 -90
- souleyez/plugins/firmware_extract.py +133 -29
- souleyez/plugins/gobuster.py +387 -190
- souleyez/plugins/gpp_extract.py +393 -0
- souleyez/plugins/hashcat.py +100 -73
- souleyez/plugins/http_fingerprint.py +854 -267
- souleyez/plugins/hydra.py +566 -200
- souleyez/plugins/impacket_getnpusers.py +117 -69
- souleyez/plugins/impacket_psexec.py +84 -64
- souleyez/plugins/impacket_secretsdump.py +103 -69
- souleyez/plugins/impacket_smbclient.py +89 -75
- souleyez/plugins/john.py +86 -69
- souleyez/plugins/katana.py +313 -0
- souleyez/plugins/kerbrute.py +237 -0
- souleyez/plugins/lfi_extract.py +541 -0
- souleyez/plugins/macos_ssh.py +117 -48
- souleyez/plugins/mdns.py +35 -30
- souleyez/plugins/msf_auxiliary.py +253 -130
- souleyez/plugins/msf_exploit.py +239 -161
- souleyez/plugins/nikto.py +134 -78
- souleyez/plugins/nmap.py +275 -91
- souleyez/plugins/nuclei.py +180 -89
- souleyez/plugins/nxc.py +285 -0
- souleyez/plugins/plugin_base.py +35 -36
- souleyez/plugins/plugin_template.py +13 -5
- souleyez/plugins/rdp_sec_check.py +130 -0
- souleyez/plugins/responder.py +112 -71
- souleyez/plugins/router_http_brute.py +76 -65
- souleyez/plugins/router_ssh_brute.py +118 -41
- souleyez/plugins/router_telnet_brute.py +124 -42
- souleyez/plugins/routersploit.py +91 -59
- souleyez/plugins/routersploit_exploit.py +77 -55
- souleyez/plugins/searchsploit.py +91 -77
- souleyez/plugins/service_explorer.py +1160 -0
- souleyez/plugins/smbmap.py +122 -72
- souleyez/plugins/smbpasswd.py +215 -0
- souleyez/plugins/sqlmap.py +301 -113
- souleyez/plugins/theharvester.py +127 -75
- souleyez/plugins/tr069.py +79 -57
- souleyez/plugins/upnp.py +65 -47
- souleyez/plugins/upnp_abuse.py +73 -55
- souleyez/plugins/vnc_access.py +129 -42
- souleyez/plugins/vnc_brute.py +109 -38
- souleyez/plugins/web_login_test.py +417 -0
- souleyez/plugins/whois.py +77 -58
- souleyez/plugins/wpscan.py +173 -69
- souleyez/reporting/__init__.py +2 -1
- souleyez/reporting/attack_chain.py +411 -346
- souleyez/reporting/charts.py +436 -501
- souleyez/reporting/compliance_mappings.py +334 -201
- souleyez/reporting/detection_report.py +126 -125
- souleyez/reporting/formatters.py +828 -591
- souleyez/reporting/generator.py +386 -302
- souleyez/reporting/metrics.py +72 -75
- souleyez/scanner.py +35 -29
- souleyez/security/__init__.py +37 -11
- souleyez/security/scope_validator.py +175 -106
- souleyez/security/validation.py +223 -149
- souleyez/security.py +22 -6
- souleyez/storage/credentials.py +247 -186
- souleyez/storage/crypto.py +296 -129
- souleyez/storage/database.py +73 -50
- souleyez/storage/db.py +58 -36
- souleyez/storage/deliverable_evidence.py +177 -128
- souleyez/storage/deliverable_exporter.py +282 -246
- souleyez/storage/deliverable_templates.py +134 -116
- souleyez/storage/deliverables.py +135 -130
- souleyez/storage/engagements.py +109 -56
- souleyez/storage/evidence.py +181 -152
- souleyez/storage/execution_log.py +31 -17
- souleyez/storage/exploit_attempts.py +93 -57
- souleyez/storage/exploits.py +67 -36
- souleyez/storage/findings.py +48 -61
- souleyez/storage/hosts.py +176 -144
- souleyez/storage/migrate_to_engagements.py +43 -19
- souleyez/storage/migrations/_001_add_credential_enhancements.py +22 -12
- souleyez/storage/migrations/_002_add_status_tracking.py +10 -7
- souleyez/storage/migrations/_003_add_execution_log.py +14 -8
- souleyez/storage/migrations/_005_screenshots.py +13 -5
- souleyez/storage/migrations/_006_deliverables.py +13 -5
- souleyez/storage/migrations/_007_deliverable_templates.py +12 -7
- souleyez/storage/migrations/_008_add_nuclei_table.py +10 -4
- souleyez/storage/migrations/_010_evidence_linking.py +17 -10
- souleyez/storage/migrations/_011_timeline_tracking.py +20 -13
- souleyez/storage/migrations/_012_team_collaboration.py +34 -21
- souleyez/storage/migrations/_013_add_host_tags.py +12 -6
- souleyez/storage/migrations/_014_exploit_attempts.py +22 -10
- souleyez/storage/migrations/_015_add_mac_os_fields.py +15 -7
- souleyez/storage/migrations/_016_add_domain_field.py +10 -4
- souleyez/storage/migrations/_017_msf_sessions.py +16 -8
- souleyez/storage/migrations/_018_add_osint_target.py +10 -6
- souleyez/storage/migrations/_019_add_engagement_type.py +10 -6
- souleyez/storage/migrations/_020_add_rbac.py +36 -15
- souleyez/storage/migrations/_021_wazuh_integration.py +20 -8
- souleyez/storage/migrations/_022_wazuh_indexer_columns.py +6 -4
- souleyez/storage/migrations/_023_fix_detection_results_fk.py +16 -6
- souleyez/storage/migrations/_024_wazuh_vulnerabilities.py +26 -10
- souleyez/storage/migrations/_025_multi_siem_support.py +3 -5
- souleyez/storage/migrations/_026_add_engagement_scope.py +31 -12
- souleyez/storage/migrations/_027_multi_siem_persistence.py +32 -15
- souleyez/storage/migrations/__init__.py +26 -26
- souleyez/storage/migrations/migration_manager.py +19 -19
- souleyez/storage/msf_sessions.py +100 -65
- souleyez/storage/osint.py +17 -24
- souleyez/storage/recommendation_engine.py +269 -235
- souleyez/storage/screenshots.py +33 -32
- souleyez/storage/smb_shares.py +136 -92
- souleyez/storage/sqlmap_data.py +183 -128
- souleyez/storage/team_collaboration.py +135 -141
- souleyez/storage/timeline_tracker.py +122 -94
- souleyez/storage/wazuh_vulns.py +64 -66
- souleyez/storage/web_paths.py +33 -37
- souleyez/testing/credential_tester.py +221 -205
- souleyez/ui/__init__.py +1 -1
- souleyez/ui/ai_quotes.py +12 -12
- souleyez/ui/attack_surface.py +2439 -1516
- souleyez/ui/chain_rules_view.py +914 -382
- souleyez/ui/correlation_view.py +312 -230
- souleyez/ui/dashboard.py +2382 -1130
- souleyez/ui/deliverables_view.py +148 -62
- souleyez/ui/design_system.py +13 -13
- souleyez/ui/errors.py +49 -49
- souleyez/ui/evidence_linking_view.py +284 -179
- souleyez/ui/evidence_vault.py +393 -285
- souleyez/ui/exploit_suggestions_view.py +555 -349
- souleyez/ui/export_view.py +100 -66
- souleyez/ui/gap_analysis_view.py +315 -171
- souleyez/ui/help_system.py +105 -97
- souleyez/ui/intelligence_view.py +436 -293
- souleyez/ui/interactive.py +22827 -10678
- souleyez/ui/interactive_selector.py +75 -68
- souleyez/ui/log_formatter.py +47 -39
- souleyez/ui/menu_components.py +22 -13
- souleyez/ui/msf_auxiliary_menu.py +184 -133
- souleyez/ui/pending_chains_view.py +336 -172
- souleyez/ui/progress_indicators.py +5 -3
- souleyez/ui/recommendations_view.py +195 -137
- souleyez/ui/rule_builder.py +343 -225
- souleyez/ui/setup_wizard.py +678 -284
- souleyez/ui/shortcuts.py +217 -165
- souleyez/ui/splunk_gap_analysis_view.py +452 -270
- souleyez/ui/splunk_vulns_view.py +139 -86
- souleyez/ui/team_dashboard.py +498 -335
- souleyez/ui/template_selector.py +196 -105
- souleyez/ui/terminal.py +6 -6
- souleyez/ui/timeline_view.py +198 -127
- souleyez/ui/tool_setup.py +264 -164
- souleyez/ui/tutorial.py +202 -72
- souleyez/ui/tutorial_state.py +40 -40
- souleyez/ui/wazuh_vulns_view.py +235 -141
- souleyez/ui/wordlist_browser.py +260 -107
- souleyez/ui.py +464 -312
- souleyez/utils/tool_checker.py +427 -367
- souleyez/utils.py +33 -29
- souleyez/wordlists.py +134 -167
- {souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/METADATA +1 -1
- souleyez-2.43.34.dist-info/RECORD +443 -0
- {souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/WHEEL +1 -1
- souleyez-2.43.29.dist-info/RECORD +0 -379
- {souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/entry_points.txt +0 -0
- {souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/licenses/LICENSE +0 -0
- {souleyez-2.43.29.dist-info → souleyez-2.43.34.dist-info}/top_level.txt +0 -0
souleyez/plugins/upnp.py
CHANGED
|
@@ -35,7 +35,7 @@ HELP = {
|
|
|
35
35
|
"examples": [
|
|
36
36
|
"souleyez jobs enqueue upnp 192.168.1.1",
|
|
37
37
|
"souleyez jobs enqueue upnp 192.168.1.0/24",
|
|
38
|
-
|
|
38
|
+
'souleyez jobs enqueue upnp 10.0.0.1 --args "--script upnp-info"',
|
|
39
39
|
],
|
|
40
40
|
"flags": [
|
|
41
41
|
["--full", "Run all UPnP scripts (info + brute)"],
|
|
@@ -43,35 +43,50 @@ HELP = {
|
|
|
43
43
|
],
|
|
44
44
|
"presets": [
|
|
45
45
|
{"name": "Quick Discovery", "args": [], "desc": "Fast UPnP service discovery"},
|
|
46
|
-
{
|
|
46
|
+
{
|
|
47
|
+
"name": "Full Enumeration",
|
|
48
|
+
"args": ["--full"],
|
|
49
|
+
"desc": "All UPnP scripts including brute force",
|
|
50
|
+
},
|
|
47
51
|
],
|
|
48
52
|
"help_sections": [
|
|
49
53
|
{
|
|
50
54
|
"title": "What is UPnP?",
|
|
51
55
|
"color": "cyan",
|
|
52
56
|
"content": [
|
|
53
|
-
{
|
|
54
|
-
|
|
55
|
-
"
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
"
|
|
59
|
-
|
|
60
|
-
|
|
57
|
+
{
|
|
58
|
+
"title": "Overview",
|
|
59
|
+
"desc": "UPnP allows devices to discover and communicate with each other automatically. Routers use it for NAT traversal (port forwarding).",
|
|
60
|
+
},
|
|
61
|
+
{
|
|
62
|
+
"title": "Security Issues",
|
|
63
|
+
"desc": "Common UPnP vulnerabilities",
|
|
64
|
+
"tips": [
|
|
65
|
+
"Unauthenticated port forwarding (expose internal services)",
|
|
66
|
+
"Device information disclosure (model, firmware)",
|
|
67
|
+
"Known exploits for specific router firmware",
|
|
68
|
+
"Can be abused for DDoS amplification",
|
|
69
|
+
],
|
|
70
|
+
},
|
|
71
|
+
],
|
|
61
72
|
},
|
|
62
73
|
{
|
|
63
74
|
"title": "What to Look For",
|
|
64
75
|
"color": "green",
|
|
65
76
|
"content": [
|
|
66
|
-
{
|
|
67
|
-
"
|
|
68
|
-
"
|
|
69
|
-
"
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
77
|
+
{
|
|
78
|
+
"title": "Indicators",
|
|
79
|
+
"desc": "Signs of vulnerable UPnP",
|
|
80
|
+
"tips": [
|
|
81
|
+
"UPnP enabled and externally accessible",
|
|
82
|
+
"Old firmware versions with known CVEs",
|
|
83
|
+
"Add port mapping action available",
|
|
84
|
+
"Device info revealing make/model",
|
|
85
|
+
],
|
|
86
|
+
}
|
|
87
|
+
],
|
|
88
|
+
},
|
|
89
|
+
],
|
|
75
90
|
}
|
|
76
91
|
|
|
77
92
|
|
|
@@ -84,9 +99,12 @@ class UPnPPlugin(PluginBase):
|
|
|
84
99
|
def _is_root(self) -> bool:
|
|
85
100
|
"""Check if running as root."""
|
|
86
101
|
import os
|
|
102
|
+
|
|
87
103
|
return os.geteuid() == 0
|
|
88
104
|
|
|
89
|
-
def build_command(
|
|
105
|
+
def build_command(
|
|
106
|
+
self, target: str, args: List[str] = None, label: str = "", log_path: str = None
|
|
107
|
+
):
|
|
90
108
|
"""Build nmap command for UPnP enumeration."""
|
|
91
109
|
args = args or []
|
|
92
110
|
|
|
@@ -95,70 +113,70 @@ class UPnPPlugin(PluginBase):
|
|
|
95
113
|
target = validate_target(target)
|
|
96
114
|
except ValidationError as e:
|
|
97
115
|
if log_path:
|
|
98
|
-
with open(log_path,
|
|
116
|
+
with open(log_path, "w") as f:
|
|
99
117
|
f.write(f"ERROR: Invalid target: {e}\n")
|
|
100
118
|
return None
|
|
101
119
|
|
|
102
120
|
# Determine which scripts to run
|
|
103
|
-
if
|
|
104
|
-
scripts =
|
|
121
|
+
if "--full" in args:
|
|
122
|
+
scripts = "upnp-info,broadcast-upnp-info"
|
|
105
123
|
else:
|
|
106
|
-
scripts =
|
|
124
|
+
scripts = "upnp-info"
|
|
107
125
|
|
|
108
126
|
# Build nmap command for UPnP
|
|
109
127
|
# UPnP uses UDP 1900 for discovery (SSDP) and TCP high ports for control
|
|
110
128
|
cmd = [
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
129
|
+
"nmap",
|
|
130
|
+
"-sU",
|
|
131
|
+
"-sS", # UDP and TCP SYN scan
|
|
132
|
+
"-p",
|
|
133
|
+
"U:1900,T:49152-49156,5000,2869", # Common UPnP ports
|
|
134
|
+
"--script",
|
|
135
|
+
scripts,
|
|
136
|
+
"-oN",
|
|
137
|
+
"-", # Output to stdout
|
|
138
|
+
"--open",
|
|
139
|
+
"-T4",
|
|
140
|
+
target,
|
|
119
141
|
]
|
|
120
142
|
|
|
121
143
|
# UPnP scan requires root (uses -sU and -sS)
|
|
122
144
|
if not self._is_root():
|
|
123
|
-
cmd = [
|
|
145
|
+
cmd = ["sudo", "-n"] + cmd
|
|
124
146
|
|
|
125
|
-
return {
|
|
126
|
-
'cmd': cmd,
|
|
127
|
-
'timeout': 600 # 10 minute timeout
|
|
128
|
-
}
|
|
147
|
+
return {"cmd": cmd, "timeout": 600} # 10 minute timeout
|
|
129
148
|
|
|
130
|
-
def run(
|
|
149
|
+
def run(
|
|
150
|
+
self, target: str, args: List[str] = None, label: str = "", log_path: str = None
|
|
151
|
+
) -> int:
|
|
131
152
|
"""Execute UPnP enumeration."""
|
|
132
153
|
cmd_spec = self.build_command(target, args, label, log_path)
|
|
133
154
|
if cmd_spec is None:
|
|
134
155
|
return 1
|
|
135
156
|
|
|
136
|
-
cmd = cmd_spec[
|
|
157
|
+
cmd = cmd_spec["cmd"]
|
|
137
158
|
|
|
138
159
|
if log_path:
|
|
139
|
-
with open(log_path,
|
|
160
|
+
with open(log_path, "w") as f:
|
|
140
161
|
f.write(f"# UPnP Enumeration on {target}\n")
|
|
141
162
|
f.write(f"# Command: {' '.join(cmd)}\n")
|
|
142
163
|
f.write(f"# Started: {time.strftime('%Y-%m-%d %H:%M:%S')}\n\n")
|
|
143
164
|
|
|
144
165
|
try:
|
|
145
|
-
with open(log_path,
|
|
166
|
+
with open(log_path, "a") as f:
|
|
146
167
|
result = subprocess.run(
|
|
147
|
-
cmd,
|
|
148
|
-
stdout=f,
|
|
149
|
-
stderr=subprocess.STDOUT,
|
|
150
|
-
timeout=cmd_spec['timeout']
|
|
168
|
+
cmd, stdout=f, stderr=subprocess.STDOUT, timeout=cmd_spec["timeout"]
|
|
151
169
|
)
|
|
152
170
|
return result.returncode
|
|
153
171
|
|
|
154
172
|
except subprocess.TimeoutExpired:
|
|
155
173
|
if log_path:
|
|
156
|
-
with open(log_path,
|
|
174
|
+
with open(log_path, "a") as f:
|
|
157
175
|
f.write("\n\n# ERROR: Scan timed out\n")
|
|
158
176
|
return 124
|
|
159
177
|
except Exception as e:
|
|
160
178
|
if log_path:
|
|
161
|
-
with open(log_path,
|
|
179
|
+
with open(log_path, "a") as f:
|
|
162
180
|
f.write(f"\n\n# ERROR: {e}\n")
|
|
163
181
|
return 1
|
|
164
182
|
|
souleyez/plugins/upnp_abuse.py
CHANGED
|
@@ -30,12 +30,12 @@ HELP = {
|
|
|
30
30
|
"- Port forwards persist until router reboot (usually)\n"
|
|
31
31
|
"- Clean up your test forwards when done\n"
|
|
32
32
|
),
|
|
33
|
-
"usage":
|
|
33
|
+
"usage": 'souleyez jobs enqueue upnp_abuse <router_ip> --args "<action>"',
|
|
34
34
|
"examples": [
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
35
|
+
'souleyez jobs enqueue upnp_abuse 192.168.1.1 --args "list"',
|
|
36
|
+
'souleyez jobs enqueue upnp_abuse 192.168.1.1 --args "info"',
|
|
37
|
+
'souleyez jobs enqueue upnp_abuse 192.168.1.1 --args "add 8888 192.168.1.100 22 TCP"',
|
|
38
|
+
'souleyez jobs enqueue upnp_abuse 192.168.1.1 --args "delete 8888 TCP"',
|
|
39
39
|
],
|
|
40
40
|
"flags": [
|
|
41
41
|
["list", "List existing port mappings"],
|
|
@@ -44,37 +44,57 @@ HELP = {
|
|
|
44
44
|
["delete EXT_PORT PROTO", "Remove port forward"],
|
|
45
45
|
],
|
|
46
46
|
"presets": [
|
|
47
|
-
{
|
|
48
|
-
|
|
49
|
-
|
|
47
|
+
{
|
|
48
|
+
"name": "List Mappings",
|
|
49
|
+
"args": ["list"],
|
|
50
|
+
"desc": "Show existing port forwards",
|
|
51
|
+
},
|
|
52
|
+
{
|
|
53
|
+
"name": "Get Info",
|
|
54
|
+
"args": ["info"],
|
|
55
|
+
"desc": "External IP and gateway details",
|
|
56
|
+
},
|
|
57
|
+
{
|
|
58
|
+
"name": "Expose SSH",
|
|
59
|
+
"args": ["add", "2222", "TARGET_IP", "22", "TCP"],
|
|
60
|
+
"desc": "Expose SSH on port 2222",
|
|
61
|
+
},
|
|
50
62
|
],
|
|
51
63
|
"help_sections": [
|
|
52
64
|
{
|
|
53
65
|
"title": "What Can UPnP Abuse Do?",
|
|
54
66
|
"color": "cyan",
|
|
55
67
|
"content": [
|
|
56
|
-
{
|
|
57
|
-
"
|
|
58
|
-
"
|
|
59
|
-
"
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
68
|
+
{
|
|
69
|
+
"title": "Capabilities",
|
|
70
|
+
"desc": "What this plugin enables",
|
|
71
|
+
"tips": [
|
|
72
|
+
"View all active port forwards on the router",
|
|
73
|
+
"Get the router's external (public) IP address",
|
|
74
|
+
"Add new port forwards without authentication",
|
|
75
|
+
"Remove port forwards you added",
|
|
76
|
+
"Redirect external traffic to internal hosts",
|
|
77
|
+
],
|
|
78
|
+
}
|
|
79
|
+
],
|
|
64
80
|
},
|
|
65
81
|
{
|
|
66
82
|
"title": "Attack Scenarios",
|
|
67
83
|
"color": "red",
|
|
68
84
|
"content": [
|
|
69
|
-
{
|
|
70
|
-
"
|
|
71
|
-
"
|
|
72
|
-
"
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
85
|
+
{
|
|
86
|
+
"title": "Common Uses",
|
|
87
|
+
"desc": "How attackers abuse UPnP",
|
|
88
|
+
"tips": [
|
|
89
|
+
"Expose internal services (SSH, RDP, web) to internet",
|
|
90
|
+
"Create persistent access through router",
|
|
91
|
+
"Pivot from compromised LAN device to WAN access",
|
|
92
|
+
"Map network by listing existing forwards",
|
|
93
|
+
],
|
|
94
|
+
}
|
|
95
|
+
],
|
|
96
|
+
},
|
|
97
|
+
],
|
|
78
98
|
}
|
|
79
99
|
|
|
80
100
|
|
|
@@ -86,40 +106,42 @@ class UPnPAbusePlugin(PluginBase):
|
|
|
86
106
|
|
|
87
107
|
def check_tool_available(self) -> tuple:
|
|
88
108
|
"""Check if upnpc is available."""
|
|
89
|
-
if shutil.which(
|
|
109
|
+
if shutil.which("upnpc"):
|
|
90
110
|
return True, None
|
|
91
111
|
return False, "upnpc not found. Install with: sudo apt install miniupnpc"
|
|
92
112
|
|
|
93
|
-
def build_command(
|
|
113
|
+
def build_command(
|
|
114
|
+
self, target: str, args: List[str] = None, label: str = "", log_path: str = None
|
|
115
|
+
):
|
|
94
116
|
"""Build upnpc command for UPnP manipulation."""
|
|
95
|
-
args = args or [
|
|
117
|
+
args = args or ["list"]
|
|
96
118
|
|
|
97
119
|
# Validate target
|
|
98
120
|
try:
|
|
99
121
|
target = validate_target(target)
|
|
100
122
|
except ValidationError as e:
|
|
101
123
|
if log_path:
|
|
102
|
-
with open(log_path,
|
|
124
|
+
with open(log_path, "w") as f:
|
|
103
125
|
f.write(f"ERROR: Invalid target: {e}\n")
|
|
104
126
|
return None
|
|
105
127
|
|
|
106
|
-
action = args[0] if args else
|
|
128
|
+
action = args[0] if args else "list"
|
|
107
129
|
|
|
108
|
-
if action ==
|
|
109
|
-
cmd = [
|
|
110
|
-
elif action ==
|
|
111
|
-
cmd = [
|
|
112
|
-
elif action ==
|
|
130
|
+
if action == "list":
|
|
131
|
+
cmd = ["upnpc", "-l"]
|
|
132
|
+
elif action == "info":
|
|
133
|
+
cmd = ["upnpc", "-s"]
|
|
134
|
+
elif action == "add" and len(args) >= 5:
|
|
113
135
|
# add EXT_PORT INT_IP INT_PORT PROTO
|
|
114
136
|
ext_port, int_ip, int_port, proto = args[1], args[2], args[3], args[4]
|
|
115
|
-
cmd = [
|
|
116
|
-
elif action ==
|
|
137
|
+
cmd = ["upnpc", "-a", int_ip, int_port, ext_port, proto]
|
|
138
|
+
elif action == "delete" and len(args) >= 3:
|
|
117
139
|
# delete EXT_PORT PROTO
|
|
118
140
|
ext_port, proto = args[1], args[2]
|
|
119
|
-
cmd = [
|
|
141
|
+
cmd = ["upnpc", "-d", ext_port, proto]
|
|
120
142
|
else:
|
|
121
143
|
if log_path:
|
|
122
|
-
with open(log_path,
|
|
144
|
+
with open(log_path, "w") as f:
|
|
123
145
|
f.write("ERROR: Invalid action. Use: list, info, add, or delete\n")
|
|
124
146
|
f.write(" list - List port mappings\n")
|
|
125
147
|
f.write(" info - Get external IP and gateway info\n")
|
|
@@ -127,51 +149,47 @@ class UPnPAbusePlugin(PluginBase):
|
|
|
127
149
|
f.write(" delete EXT_PORT PROTO - Remove mapping\n")
|
|
128
150
|
return None
|
|
129
151
|
|
|
130
|
-
return {
|
|
131
|
-
'cmd': cmd,
|
|
132
|
-
'timeout': 60 # Quick timeout for UPnP operations
|
|
133
|
-
}
|
|
152
|
+
return {"cmd": cmd, "timeout": 60} # Quick timeout for UPnP operations
|
|
134
153
|
|
|
135
|
-
def run(
|
|
154
|
+
def run(
|
|
155
|
+
self, target: str, args: List[str] = None, label: str = "", log_path: str = None
|
|
156
|
+
) -> int:
|
|
136
157
|
"""Execute UPnP manipulation."""
|
|
137
158
|
cmd_spec = self.build_command(target, args, label, log_path)
|
|
138
159
|
if cmd_spec is None:
|
|
139
160
|
return 1
|
|
140
161
|
|
|
141
|
-
cmd = cmd_spec[
|
|
142
|
-
action = args[0] if args else
|
|
162
|
+
cmd = cmd_spec["cmd"]
|
|
163
|
+
action = args[0] if args else "list"
|
|
143
164
|
|
|
144
165
|
if log_path:
|
|
145
|
-
with open(log_path,
|
|
166
|
+
with open(log_path, "w") as f:
|
|
146
167
|
f.write(f"# UPnP Abuse on {target}\n")
|
|
147
168
|
f.write(f"# Action: {action}\n")
|
|
148
169
|
f.write(f"# Command: {' '.join(cmd)}\n")
|
|
149
170
|
f.write(f"# Started: {time.strftime('%Y-%m-%d %H:%M:%S')}\n\n")
|
|
150
171
|
|
|
151
172
|
try:
|
|
152
|
-
with open(log_path,
|
|
173
|
+
with open(log_path, "a") as f:
|
|
153
174
|
result = subprocess.run(
|
|
154
|
-
cmd,
|
|
155
|
-
stdout=f,
|
|
156
|
-
stderr=subprocess.STDOUT,
|
|
157
|
-
timeout=cmd_spec['timeout']
|
|
175
|
+
cmd, stdout=f, stderr=subprocess.STDOUT, timeout=cmd_spec["timeout"]
|
|
158
176
|
)
|
|
159
177
|
return result.returncode
|
|
160
178
|
|
|
161
179
|
except subprocess.TimeoutExpired:
|
|
162
180
|
if log_path:
|
|
163
|
-
with open(log_path,
|
|
181
|
+
with open(log_path, "a") as f:
|
|
164
182
|
f.write("\n\n# ERROR: Operation timed out\n")
|
|
165
183
|
return 124
|
|
166
184
|
except FileNotFoundError:
|
|
167
185
|
if log_path:
|
|
168
|
-
with open(log_path,
|
|
186
|
+
with open(log_path, "a") as f:
|
|
169
187
|
f.write("\n\n# ERROR: upnpc not found\n")
|
|
170
188
|
f.write("Install with: sudo apt install miniupnpc\n")
|
|
171
189
|
return 127
|
|
172
190
|
except Exception as e:
|
|
173
191
|
if log_path:
|
|
174
|
-
with open(log_path,
|
|
192
|
+
with open(log_path, "a") as f:
|
|
175
193
|
f.write(f"\n\n# ERROR: {e}\n")
|
|
176
194
|
return 1
|
|
177
195
|
|