public PersistentNMapHost(NMapHost host)
{
this.DeviceType = host.DeviceType;
this.Hostname = host.Hostname;
this.IPAddressv4 = host.IPAddressv4;
this.IPAddressV6 = host.IPAddressV6;
this.MAC = host.MAC;
this.NetworkDistance = host.NetworkDistance;
this.OS = host.OS;
this.OS_Details = host.OS_Details;
this.PersistentPorts = new List<PersistentPort>();
foreach (Port port in host.Ports)
{
PersistentPort pport = new PersistentPort(port);
this.PersistentPorts.Add(pport);
}
}
private List<IToolResults> ScanHost(NMapHost host, SQLMapOptions sqlmapOptions, Dictionary<string, string> config)
{
List<IToolResults > _results = new List<IToolResults> ();
Console.WriteLine ("Scanning host: " + host.Hostname);
foreach (var port in host.Ports) {
port.ParentIPAddress = host.IPAddressv4;
if ((port.Service == "http" || port.Service == "https") && bool.Parse(config["isSQLMap"])) {
IToolOptions _options = new WapitiToolOptions();
(_options as WapitiToolOptions).Host = host.IPAddressv4;
(_options as WapitiToolOptions).Port = port.PortNumber;
(_options as WapitiToolOptions).Path = config["wapitiPath"];
Wapiti wapiti = new Wapiti(_options);
Console.WriteLine("Running wapiti (http/" + port.PortNumber + ") on host: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname));
WapitiToolResults wapitiResults = null;
try
{
wapitiResults = wapiti.Run(new TimeSpan(0,10,0)) as WapitiToolResults;
wapitiResults.HostIPAddressV4 = host.IPAddressv4;
wapitiResults.HostPort = port.PortNumber;
wapitiResults.IsTCP = true;
_results.Add(wapitiResults);
}
catch(Exception ex)
{
Console.WriteLine(ex.Message);
}
if (sqlmapOptions != null && wapitiResults != null) {
if (wapitiResults.Bugs == null) { // we get bugs from the findings of wapiti, if wapiti didn't run, no bugs.
sqlmapOptions.URL = port.Service + "://" + host.IPAddressv4;
sqlmapOptions.Port = port.PortNumber;
sqlmapOptions.Path = config ["sqlmapPath"];
SQLMap mapper = new SQLMap (sqlmapOptions);
SQLMapResults sqlmapResults = mapper.Run () as SQLMapResults;
sqlmapResults.ParentHostPort = port;
_results.Add (sqlmapResults);
} else {
foreach (WapitiBug bug in wapitiResults.Bugs) {
if (bug.Type.StartsWith ("SQL Injection")) {
Console.WriteLine("Starting SQLMap on host/port: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname) + "/" + port.PortNumber);
sqlmapOptions.Path = config ["sqlmapPath"];
SQLMap mapper = new SQLMap (sqlmapOptions);
SQLMapResults results = mapper.Run (bug) as SQLMapResults;
if (results == null )
continue;
if (results.Vulnerabilities != null)
foreach (var vuln in results.Vulnerabilities)
vuln.Target = bug.URL;
results.ParentHostPort = port;
_results.Add (results);
} else if (bug.Type.Contains ("Cross Site Scripting)")) {
//dsxs
}
}
}
}
}
}
Console.WriteLine ("Done with host: " + host.Hostname);
return _results;
}
private List<IToolResults> ScanHost(NMapHost host, SQLMapOptions sqlmapOptions, Dictionary<string, string> config)
{
List<IToolResults > _results = new List<IToolResults> ();
Console.WriteLine ("Scanning host: " + host.Hostname);
foreach (var port in host.Ports) {
port.ParentIPAddress = host.IPAddressv4;
if ((port.Service == "http" || port.Service == "https") && bool.Parse (config ["isSQLMap"])) {
IToolOptions _options = new WapitiToolOptions ();
(_options as WapitiToolOptions).Host = host.IPAddressv4;
(_options as WapitiToolOptions).Port = port.PortNumber;
(_options as WapitiToolOptions).Path = config ["wapitiPath"];
Wapiti wapiti = new Wapiti (_options);
Console.WriteLine ("Running wapiti (http/" + port.PortNumber + ") on host: " + (string.IsNullOrEmpty (host.Hostname) ? host.IPAddressv4 : host.Hostname));
WapitiToolResults wapitiResults = null;
try {
wapitiResults = wapiti.Run (new TimeSpan (0, 10, 0)) as WapitiToolResults;
wapitiResults.HostIPAddressV4 = host.IPAddressv4;
wapitiResults.HostPort = port.PortNumber;
wapitiResults.IsTCP = true;
_results.Add (wapitiResults);
} catch (Exception ex) {
Console.WriteLine (ex.Message);
}
if (sqlmapOptions != null && wapitiResults != null) {
if (wapitiResults.Bugs == null) { // we get bugs from the findings of wapiti, if wapiti didn't run, no bugs.
sqlmapOptions.URL = port.Service + "://" + host.IPAddressv4;
sqlmapOptions.Port = port.PortNumber;
sqlmapOptions.Path = config ["sqlmapPath"];
SQLMap mapper = new SQLMap (sqlmapOptions);
SQLMapResults sqlmapResults = mapper.Run () as SQLMapResults;
sqlmapResults.ParentHostPort = port;
_results.Add (sqlmapResults);
} else {
using (SqlmapSession sess = new SqlmapSession("127.0.0.1", 8775)) {
using (SqlmapManager manager = new SqlmapManager(sess)) {
foreach (WapitiBug bug in wapitiResults.Bugs) {
if (bug.Type.StartsWith ("SQL Injection")) {
Console.WriteLine ("Starting SQLMap on host/port: " + (string.IsNullOrEmpty (host.Hostname) ? host.IPAddressv4 : host.Hostname) + "/" + port.PortNumber);
sqlmapOptions.Path = config ["sqlmapPath"];
//SQLMap mapper = new SQLMap (sqlmapOptions);
//SQLMapResults results = mapper.Run (bug) as SQLMapResults;
// if (results == null )
// continue;
//
// if (results.Vulnerabilities != null)
// foreach (var vuln in results.Vulnerabilities)
// vuln.Target = bug.URL;
//
// results.ParentHostPort = port;
//
// _results.Add (results);
string taskid = manager.NewTask ();
Dictionary<string, object> opts = manager.GetOptions (taskid);
if (bug.URL.Contains (bug.Parameter)) {
opts ["url"] = bug.URL.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
manager.StartTask(taskid, opts);
} else {
opts ["url"] = bug.URL;
opts["data"] = bug.Parameter.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
manager.StartTask(taskid, opts);
}
SqlmapStatus status = manager.GetScanStatus(taskid);
while (status.Status != "terminated")
{
System.Threading.Thread.Sleep(new TimeSpan(0,0,10));
status = manager.GetScanStatus(taskid);
}
List<SqlmapLogItem> logItems = manager.GetLog(taskid);
SQLMapResults results = new SQLMapResults();
results.Vulnerabilities = new List<SQLMapVulnerability>();
foreach (SqlmapLogItem item in logItems.Where(l => l.Level == "INFO" && l.Message.EndsWith("injectable")))
{
SQLMapVulnerability vuln = new SQLMapVulnerability();
Console.WriteLine(item.Message);
}
manager.DeleteTask(taskid);
} else if (bug.Type.Contains ("Cross Site Scripting)")) {
//dsxs
}
}
}
}
}
}
}
}
Console.WriteLine ("Done with host: " + host.Hostname);
return _results;
}
private void ScanHost(NMapHost host, out List <IToolResults> toolResults)
{
IToolOptions _options;
string eventDescription;
toolResults = new List <IToolResults> ();
bool routed = false;
int tries = 0;
foreach (Port port in host.Ports)
{
if (port.Service == "http")
{
_options = new NiktoToolOptions();
(_options as NiktoToolOptions).Host = host.IPAddressv4;
(_options as NiktoToolOptions).Port = port.PortNumber;
(_options as NiktoToolOptions).Path = this.Configuration ["niktoPath"];
Nikto nikto = new Nikto(_options);
eventDescription = "Running nikto (http) on host: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
NiktoToolResults niktoResults = (nikto.Run() as NiktoToolResults);
niktoResults.HostIPAddressV4 = host.IPAddressv4;
niktoResults.HostPort = port.PortNumber;
niktoResults.IsTCP = true;
toolResults.Add(niktoResults);
}
else if (port.Service == "https")
{
_options = new SSLScanToolOptions();
(_options as SSLScanToolOptions).Host = host.IPAddressv4;
(_options as SSLScanToolOptions).Port = port.PortNumber;
(_options as SSLScanToolOptions).Path = this.Configuration ["sslscanPath"];
SSLScan sslscan = new SSLScan(_options);
eventDescription = "Running sslscan (https) on host: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
SSLScanToolResults sslResults = (sslscan.Run() as SSLScanToolResults);
sslResults.HostIPAddressV4 = host.IPAddressv4;
sslResults.HostPort = port.PortNumber;
sslResults.IsTCP = true;
toolResults.Add(sslResults);
_options = new NiktoToolOptions();
(_options as NiktoToolOptions).Host = host.IPAddressv4;
(_options as NiktoToolOptions).Port = port.PortNumber;
(_options as NiktoToolOptions).IsSSL = true;
(_options as NiktoToolOptions).Path = this.Configuration ["niktoPath"];
Nikto nikto = new Nikto(_options);
eventDescription = "Running nikto (https) on host: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
NiktoToolResults niktoResults = (nikto.Run() as NiktoToolResults);
niktoResults.HostIPAddressV4 = host.IPAddressv4;
niktoResults.HostPort = port.PortNumber;
niktoResults.IsTCP = true;
toolResults.Add(niktoResults);
}
else if (port.Service == "ssh")
{
_options = new SSLScanToolOptions();
(_options as SSLScanToolOptions).Host = host.IPAddressv4;
(_options as SSLScanToolOptions).Port = port.PortNumber;
(_options as SSLScanToolOptions).Path = this.Configuration ["sslscanPath"];
SSLScan sslscan = new SSLScan(_options);
eventDescription = "Running sslscan (ssh) on host: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
SSLScanToolResults sslResults = (sslscan.Run() as SSLScanToolResults);
sslResults.HostIPAddressV4 = host.IPAddressv4;
sslResults.HostPort = port.PortNumber;
sslResults.IsTCP = true;
toolResults.Add(sslResults);
}
else if (port.PortNumber == 445) //smb
{
_options = new SMBClientToolOptions();
(_options as SMBClientToolOptions).Host = host.IPAddressv4;
(_options as SMBClientToolOptions).RecurseShares = true;
(_options as SMBClientToolOptions).Path = this.Configuration ["smbclientPath"];
SMBClient smb = new SMBClient(_options);
eventDescription = "Running smbclient (cifs) on host: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
SMBClientToolResults smbResults = smb.Run() as SMBClientToolResults;
smbResults.ParentPort = port;
smbResults.HostIPAddressV4 = host.IPAddressv4;
smbResults.HostPort = port.PortNumber;
smbResults.IsTCP = true;
toolResults.Add(smbResults);
eventDescription = string.Format("Found {0} shares on host {1}", smbResults.ShareDetails.Count, host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
}
else if (port.Service == "snmp")
{
_options = new OneSixtyOneToolOptions();
(_options as OneSixtyOneToolOptions).Host = host.IPAddressv4;
(_options as OneSixtyOneToolOptions).Path = this.Configuration ["onesixtyonePath"];
OneSixtyOne onesixone = new OneSixtyOne(_options);
eventDescription = "Running onesixtyone (snmp) on host: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
OneSixtyOneToolResults osoResults = onesixone.Run() as OneSixtyOneToolResults;
osoResults.HostIPAddressV4 = host.IPAddressv4;
osoResults.HostPort = port.PortNumber;
osoResults.IsTCP = true;
toolResults.Add(osoResults);
}
}
eventDescription = "Finished host " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
}
public virtual void Run(out NessusScan nessusScan, out NexposeScan nexposeScan, out OpenVASScan openvasScan, out MetasploitScan metasploitScan, out Dictionary <NMapHost, IList <IToolResults> > toolResults)
{
if (this.Configuration == null)
{
throw new Exception("Configuration not set");
}
DateTime start = DateTime.Now;
metasploitScan = null;
nessusScan = null;
nexposeScan = null;
openvasScan = null;
string openvasTaskID = string.Empty;
string nessusScanID = string.Empty;
string nexposeScanID = string.Empty;
int uniqueNo = new Random().Next();
IList <NMapHost> hosts = this.ParentProfile.CurrentResults.Hosts;
if (hosts.Count() == 0)
{
Console.WriteLine("ERROR: no hosts in the profile. Aborting.");
toolResults = null;
return;
}
csv = string.Empty;
foreach (NMapHost host in hosts)
{
csv = csv + host.IPAddressv4 + ", "; //trailing , is OK in this case
}
string openvasReportID = string.Empty;
if (this.ScanOptions.IsOpenVASAssessment)
{
Console.WriteLine("Creating OpenVAS Scan...");
OpenVASTarget target = new OpenVASTarget();
target.Hosts = csv;
target.Name = this.ParentProfile.Name + uniqueNo.ToString();
target.SMBCredentials = new OpenVASLSCCredential();
target.SSHCredentials = new OpenVASLSCCredential();
using (OpenVASManagerSession ovasSession = new OpenVASManagerSession(this.Configuration ["openvasUser"], this.Configuration ["openvasPass"], this.Configuration ["openvasHost"])) {
using (OpenVASObjectManager openvasManager = new OpenVASObjectManager(ovasSession)) {
target = openvasManager.CreateTarget(target);
OpenVASConfig config = openvasManager.GetAllConfigs()
.Where(c => c.RemoteConfigID == new Guid(this.Configuration ["openvasConfig"]))
.SingleOrDefault();
OpenVASTask task = new OpenVASTask();
task.Comment = string.Format("Task for scan {0}", this.Name);
task.Target = target;
task.Config = config;
task = openvasManager.CreateTask(task);
XmlDocument taskResponse = openvasManager.StartTask(task.RemoteTaskID.ToString());
if (!taskResponse.FirstChild.Attributes ["status"].Value.StartsWith("20"))
{
throw new Exception("Creating OpenVAS scan failed: " +
taskResponse.FirstChild.Attributes ["status_text"].Value
);
}
openvasReportID = taskResponse.FirstChild.FirstChild.InnerText;
openvasTaskID = task.RemoteTaskID.ToString();
}
Console.WriteLine("Done creating and starting OpenVAS scan.");
}
}
if (this.ScanOptions.IsNessusAssessment)
{
Console.WriteLine("Creating Nessus scan...");
using (NessusManagerSession nessusSession = new NessusManagerSession(this.Configuration["nessusHost"])) {
bool loggedIn = false;
nessusSession.Authenticate(this.Configuration ["nessusUser"], this.Configuration ["nessusPass"], 1234, out loggedIn);
if (!loggedIn)
{
throw new Exception("Invalid username/password");
}
using (NessusObjectManager nessusManager = new NessusObjectManager(nessusSession)) {
var tmp = nessusManager.CreateAndStartScan(csv, -2, this.Name + uniqueNo.ToString());
string scanName = tmp.Name;
nessusScanID = scanName;
string reportID = string.Empty;
foreach (XmlNode node in nessusManager.ListReports().LastChild.ChildNodes)
{
if (node.Name == "contents")
{
string tmpReportID = string.Empty;
foreach (XmlNode child in node.FirstChild.ChildNodes)
{
foreach (XmlNode c in child.ChildNodes)
{
if (c.Name == "name")
{
tmpReportID = c.InnerText;
}
else if (c.Name == "readableName" && c.InnerText == scanName)
{
reportID = tmpReportID;
}
}
}
tmpReportID = string.Empty;
}
}
}
Console.WriteLine("Done creating and starting Nessus scan.");
}
}
if (this.ScanOptions.IsNexposeAssessment)
{
Console.WriteLine("Creating NeXpose scan...");
int siteID = 0;
if (this.ScanOptions.RemoteNexposeSiteID <= 0)
{
XmlDocument d = null;
string id = "-1";
string template = "full-audit";
string name = this.Name + uniqueNo.ToString();
string description = "A site for the the profile " + this.ParentProfile.Name;
string siteXml = "<Site id=\"" + id + "\" name=\"" + name + "\" description=\"" + description + "\">";
siteXml = siteXml + "<Hosts>";
foreach (string host in csv.Split(','))
{
siteXml = siteXml + "<host>" + host + "</host>";
}
siteXml = siteXml + "</Hosts>" +
"<Credentials></Credentials>" +
"<Alerting></Alerting>" +
"<ScanConfig configID=\"" + id + "\" name=\"" + name + "\" templateID=\"" + template + "\"></ScanConfig>" +
"</Site>";
XmlDocument doc = new XmlDocument();
doc.LoadXml(siteXml);
using (NexposeSession session = new NexposeSession(this.Configuration["nexposeHost"])) {
session.Authenticate(this.Configuration ["nexposeUser"], this.Configuration ["nexposePass"]);
using (NexposeManager11 manager = new NexposeManager11(session)) {
XmlDocument response = manager.SaveOrUpdateSite(doc.FirstChild);
d = response;
}
}
siteID = int.Parse(d.FirstChild.Attributes ["site-id"].Value);
this.ScanOptions.RemoteNexposeSiteID = siteID;
}
else
{
siteID = this.ScanOptions.RemoteNexposeSiteID;
}
using (NexposeSession session = new NexposeSession(this.Configuration["nexposeHost"])) {
session.Authenticate(this.Configuration ["nexposeUser"], this.Configuration ["nexposePass"]);
using (NexposeManager11 manager = new NexposeManager11(session)) {
XmlDocument response = manager.ScanSite(siteID.ToString());
nexposeScanID = response.FirstChild.FirstChild.Attributes ["scan-id"].Value;
}
}
Console.WriteLine("Done creating and starting NeXpose scan.");
}
Dictionary <NMapHost, IList <IToolResults> > results = new Dictionary <NMapHost, IList <IToolResults> > ();
services = new List <string> ();
foreach (var host in hosts)
{
foreach (Port port in (host as NMapHost).Ports)
{
services.Add(port.Service);
}
NMapHost threadHost = host as NMapHost;
Console.WriteLine("Starting scan for host: " + threadHost.Hostname + "(" + threadHost.IPAddressv4 + ")");
results.Add(threadHost, ScanHost(threadHost, this.ScanOptions.SQLMapOptions, this.Configuration));
}
toolResults = results;
bool done = false;
if (this.ScanOptions.IsNessusAssessment || this.ScanOptions.IsNexposeAssessment || this.ScanOptions.IsOpenVASAssessment)
{
while (!done)
{
if (!string.IsNullOrEmpty(openvasTaskID) && this.OpenVASScanIsRunning(openvasTaskID))
{
Console.WriteLine("Waiting on OpenVAS scan " + openvasTaskID);
Thread.Sleep(new TimeSpan(0, 0, 60));
continue;
}
if (!string.IsNullOrEmpty(nessusScanID) && this.NessusScanIsRunning(nessusScanID))
{
Console.WriteLine("Waiting on Nessus scan " + nessusScanID);
Thread.Sleep(new TimeSpan(0, 0, 60));
continue;
}
if (!string.IsNullOrEmpty(nexposeScanID) && this.NexposeScanIsRunning(nexposeScanID))
{
Console.WriteLine("Waiting on NeXpose scan " + nexposeScanID);
Thread.Sleep(new TimeSpan(0, 0, 60));
continue;
}
done = true;
}
Dictionary <VulnerabilityScanType, string> scans = new Dictionary <VulnerabilityScanType, string> ();
if (!string.IsNullOrEmpty(openvasReportID))
{
scans.Add(VulnerabilityScanType.OpenVAS, openvasReportID);
}
if (!string.IsNullOrEmpty(nexposeScanID))
{
scans.Add(VulnerabilityScanType.Nexpose, this.ScanOptions.RemoteNexposeSiteID.ToString());
}
if (!string.IsNullOrEmpty(nessusScanID))
{
scans.Add(VulnerabilityScanType.Nessus, nessusScanID);
}
Dictionary <VulnerabilityScanType, XmlNode> reports = this.GetReports(scans);
foreach (var report in reports)
{
if (report.Key == VulnerabilityScanType.Nessus)
{
nessusScan = new NessusScan(report.Value);
}
else if (report.Key == VulnerabilityScanType.Nexpose)
{
nexposeScan = new NexposeScan(report.Value);
}
else if (report.Key == VulnerabilityScanType.OpenVAS)
{
openvasScan = new OpenVASScan(report.Value);
}
else
{
throw new Exception("Don't know this scan type");
}
}
if (this.ScanOptions.IsMetasploitAssessment)
{
string workspace = Guid.NewGuid().ToString();
this.CreateNewMetasploitWorkspace(workspace);
this.ImportScansIntoMetasploitPro(reports, workspace);
string proTaskID = this.BeginMetasploitProAssessment(workspace, csv, false);
while (this.MetasploitProAssessmentIsRunning(proTaskID))
{
Console.WriteLine("Waiting on exploit assessment from metasploit: task " + proTaskID);
System.Threading.Thread.Sleep(new TimeSpan(0, 0, 30));
}
metasploitScan = new MetasploitScan(this.GetMetasploitProReport(workspace));
}
}
TimeSpan duration = DateTime.Now - start;
this.Duration = duration.TotalSeconds.ToString();
this.HasRun = true;
}
private List <IToolResults> ScanHost(NMapHost host, SQLMapOptions sqlmapOptions, Dictionary <string, string> config)
{
List <IToolResults> _results = new List <IToolResults> ();
Console.WriteLine("Scanning host: " + host.Hostname);
foreach (var port in host.Ports)
{
port.ParentIPAddress = host.IPAddressv4;
if ((port.Service == "http" || port.Service == "https") && bool.Parse(config ["isSQLMap"]))
{
IToolOptions _options = new WapitiToolOptions();
(_options as WapitiToolOptions).Host = host.IPAddressv4;
(_options as WapitiToolOptions).Port = port.PortNumber;
(_options as WapitiToolOptions).Path = config ["wapitiPath"];
Wapiti wapiti = new Wapiti(_options);
Console.WriteLine("Running wapiti (http/" + port.PortNumber + ") on host: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname));
WapitiToolResults wapitiResults = null;
try {
wapitiResults = wapiti.Run(new TimeSpan(0, 10, 0)) as WapitiToolResults;
wapitiResults.HostIPAddressV4 = host.IPAddressv4;
wapitiResults.HostPort = port.PortNumber;
wapitiResults.IsTCP = true;
_results.Add(wapitiResults);
} catch (Exception ex) {
Console.WriteLine(ex.Message);
}
if (sqlmapOptions != null && wapitiResults != null)
{
if (wapitiResults.Bugs == null) // we get bugs from the findings of wapiti, if wapiti didn't run, no bugs.
{
sqlmapOptions.URL = port.Service + "://" + host.IPAddressv4;
sqlmapOptions.Port = port.PortNumber;
sqlmapOptions.Path = config ["sqlmapPath"];
SQLMap mapper = new SQLMap(sqlmapOptions);
SQLMapResults sqlmapResults = mapper.Run() as SQLMapResults;
sqlmapResults.ParentHostPort = port;
_results.Add(sqlmapResults);
}
else
{
using (SqlmapSession sess = new SqlmapSession("127.0.0.1", 8775)) {
using (SqlmapManager manager = new SqlmapManager(sess)) {
foreach (WapitiBug bug in wapitiResults.Bugs)
{
if (bug.Type.StartsWith("SQL Injection"))
{
Console.WriteLine("Starting SQLMap on host/port: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname) + "/" + port.PortNumber);
sqlmapOptions.Path = config ["sqlmapPath"];
//SQLMap mapper = new SQLMap (sqlmapOptions);
//SQLMapResults results = mapper.Run (bug) as SQLMapResults;
// if (results == null )
// continue;
//
// if (results.Vulnerabilities != null)
// foreach (var vuln in results.Vulnerabilities)
// vuln.Target = bug.URL;
//
// results.ParentHostPort = port;
//
// _results.Add (results);
string taskid = manager.NewTask();
Dictionary <string, object> opts = manager.GetOptions(taskid);
if (bug.URL.Contains(bug.Parameter))
{
opts ["url"] = bug.URL.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
manager.StartTask(taskid, opts);
}
else
{
opts ["url"] = bug.URL;
opts["data"] = bug.Parameter.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
manager.StartTask(taskid, opts);
}
SqlmapStatus status = manager.GetScanStatus(taskid);
while (status.Status != "terminated")
{
System.Threading.Thread.Sleep(new TimeSpan(0, 0, 10));
status = manager.GetScanStatus(taskid);
}
List <SqlmapLogItem> logItems = manager.GetLog(taskid);
SQLMapResults results = new SQLMapResults();
results.Vulnerabilities = new List <SQLMapVulnerability>();
foreach (SqlmapLogItem item in logItems.Where(l => l.Level == "INFO" && l.Message.EndsWith("injectable")))
{
SQLMapVulnerability vuln = new SQLMapVulnerability();
Console.WriteLine(item.Message);
}
manager.DeleteTask(taskid);
}
else if (bug.Type.Contains("Cross Site Scripting)"))
{
//dsxs
}
}
}
}
}
}
}
}
Console.WriteLine("Done with host: " + host.Hostname);
return(_results);
}
private void ParseOutput(string output)
{
List<NMapHost> hosts = new List<NMapHost>();
Regex portRegex = new Regex(@"^[0-9]{1,5}/[tcp|udp]");
NMapHost host = null;
foreach(string line in output.Split('\n'))
{
if (string.IsNullOrEmpty(line))
{
if (host != null && !string.IsNullOrEmpty(host.IPAddressv4))
hosts.Add(host);
host = new NMapHost();
host.Ports = new List<Port>();
continue;
}
if (line.StartsWith("Device type: "))
{
host.DeviceType = line.Replace("Device type: ", string.Empty);
}
else if (line.StartsWith("Running: "))
{
host.OS = line.Replace("Running: ", string.Empty);
}
else if (line.StartsWith("OS details: "))
{
host.OS_Details = line.Replace("OS details: ", string.Empty);
}
else if (line.StartsWith("Network Distance: "))
{
host.NetworkDistance = line.Replace("Network Distance: ", string.Empty);
}
else if (line.StartsWith("MAC Address: "))
{
host.MAC = line.Replace("MAC Address: ", string.Empty);
}
else if (portRegex.IsMatch(line))
{
Port port = new Port();
string l2 = Regex.Replace(line, @"\s{2,}", " ");
string[] t = l2.Split(' ');
string p = t[0]; //port in [0-9]{1,5}/[udp|tcp] form
string st = t[1]; //state of port (open)
string ser = t[2]; //service on port (http(s), ssh)
//this also sets IsTCP since it returns !IsUDP
port.IsUDP = (p.Split('/')[1] == "udp");
port.Service = ser;
port.State = st;
port.PortNumber = int.Parse(p.Split('/')[0]);
host.Ports.Add(port);
}
else if (line.StartsWith("Nmap scan report for "))
{
string l2 = line.Replace("Nmap scan report for ", string.Empty);
string[] t = l2.Split(' ');
if (t.Length == 1)
host.IPAddressv4 = t[0];
else
{
host.Hostname = t[0];
string ip = t[1].Substring(1);
ip = ip.Substring(0, ip.Length - 1);
host.IPAddressv4 = ip;
}
}
}
this.Hosts = hosts;
}
private void ParseOutput(string output)
{
List <NMapHost> hosts = new List <NMapHost>();
Regex portRegex = new Regex(@"^[0-9]{1,5}/[tcp|udp]");
NMapHost host = null;
foreach (string line in output.Split('\n'))
{
if (string.IsNullOrEmpty(line))
{
if (host != null && !string.IsNullOrEmpty(host.IPAddressv4))
{
hosts.Add(host);
}
host = new NMapHost();
host.Ports = new List <Port>();
continue;
}
if (line.StartsWith("Device type: "))
{
host.DeviceType = line.Replace("Device type: ", string.Empty);
}
else if (line.StartsWith("Running: "))
{
host.OS = line.Replace("Running: ", string.Empty);
}
else if (line.StartsWith("OS details: "))
{
host.OS_Details = line.Replace("OS details: ", string.Empty);
}
else if (line.StartsWith("Network Distance: "))
{
host.NetworkDistance = line.Replace("Network Distance: ", string.Empty);
}
else if (line.StartsWith("MAC Address: "))
{
host.MAC = line.Replace("MAC Address: ", string.Empty);
}
else if (portRegex.IsMatch(line))
{
Port port = new Port();
string l2 = Regex.Replace(line, @"\s{2,}", " ");
string[] t = l2.Split(' ');
string p = t[0]; //port in [0-9]{1,5}/[udp|tcp] form
string st = t[1]; //state of port (open)
string ser = t[2]; //service on port (http(s), ssh)
//this also sets IsTCP since it returns !IsUDP
port.IsUDP = (p.Split('/')[1] == "udp");
port.Service = ser;
port.State = st;
port.PortNumber = int.Parse(p.Split('/')[0]);
host.Ports.Add(port);
}
else if (line.StartsWith("Nmap scan report for "))
{
string l2 = line.Replace("Nmap scan report for ", string.Empty);
string[] t = l2.Split(' ');
if (t.Length == 1)
{
host.IPAddressv4 = t[0];
}
else
{
host.Hostname = t[0];
string ip = t[1].Substring(1);
ip = ip.Substring(0, ip.Length - 1);
host.IPAddressv4 = ip;
}
}
}
this.Hosts = hosts;
}
private void ScanHost(NMapHost host, out List<IToolResults> toolResults)
{
IToolOptions _options;
string eventDescription;
toolResults = new List<IToolResults> ();
bool routed = false;
int tries = 0;
foreach (Port port in host.Ports) {
if (port.Service == "http") {
_options = new NiktoToolOptions ();
(_options as NiktoToolOptions).Host = host.IPAddressv4;
(_options as NiktoToolOptions).Port = port.PortNumber;
(_options as NiktoToolOptions).Path = this.Configuration ["niktoPath"];
Nikto nikto = new Nikto (_options);
eventDescription = "Running nikto (http) on host: " + (string.IsNullOrEmpty (host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
NiktoToolResults niktoResults = (nikto.Run () as NiktoToolResults);
niktoResults.HostIPAddressV4 = host.IPAddressv4;
niktoResults.HostPort = port.PortNumber;
niktoResults.IsTCP = true;
toolResults.Add (niktoResults);
} else if (port.Service == "https") {
_options = new SSLScanToolOptions ();
(_options as SSLScanToolOptions).Host = host.IPAddressv4;
(_options as SSLScanToolOptions).Port = port.PortNumber;
(_options as SSLScanToolOptions).Path = this.Configuration ["sslscanPath"];
SSLScan sslscan = new SSLScan (_options);
eventDescription = "Running sslscan (https) on host: " + (string.IsNullOrEmpty (host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
SSLScanToolResults sslResults = (sslscan.Run () as SSLScanToolResults);
sslResults.HostIPAddressV4 = host.IPAddressv4;
sslResults.HostPort = port.PortNumber;
sslResults.IsTCP = true;
toolResults.Add (sslResults);
_options = new NiktoToolOptions ();
(_options as NiktoToolOptions).Host = host.IPAddressv4;
(_options as NiktoToolOptions).Port = port.PortNumber;
(_options as NiktoToolOptions).IsSSL = true;
(_options as NiktoToolOptions).Path = this.Configuration ["niktoPath"];
Nikto nikto = new Nikto (_options);
eventDescription = "Running nikto (https) on host: " + (string.IsNullOrEmpty (host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
NiktoToolResults niktoResults = (nikto.Run () as NiktoToolResults);
niktoResults.HostIPAddressV4 = host.IPAddressv4;
niktoResults.HostPort = port.PortNumber;
niktoResults.IsTCP = true;
toolResults.Add (niktoResults);
} else if (port.Service == "ssh") {
_options = new SSLScanToolOptions ();
(_options as SSLScanToolOptions).Host = host.IPAddressv4;
(_options as SSLScanToolOptions).Port = port.PortNumber;
(_options as SSLScanToolOptions).Path = this.Configuration ["sslscanPath"];
SSLScan sslscan = new SSLScan (_options);
eventDescription = "Running sslscan (ssh) on host: " + (string.IsNullOrEmpty (host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
SSLScanToolResults sslResults = (sslscan.Run () as SSLScanToolResults);
sslResults.HostIPAddressV4 = host.IPAddressv4;
sslResults.HostPort = port.PortNumber;
sslResults.IsTCP = true;
toolResults.Add (sslResults);
} else if (port.PortNumber == 445) { //smb
_options = new SMBClientToolOptions ();
(_options as SMBClientToolOptions).Host = host.IPAddressv4;
(_options as SMBClientToolOptions).RecurseShares = true;
(_options as SMBClientToolOptions).Path = this.Configuration ["smbclientPath"];
SMBClient smb = new SMBClient (_options);
eventDescription = "Running smbclient (cifs) on host: " + (string.IsNullOrEmpty (host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
SMBClientToolResults smbResults = smb.Run () as SMBClientToolResults;
smbResults.ParentPort = port;
smbResults.HostIPAddressV4 = host.IPAddressv4;
smbResults.HostPort = port.PortNumber;
smbResults.IsTCP = true;
toolResults.Add (smbResults);
eventDescription = string.Format("Found {0} shares on host {1}", smbResults.ShareDetails.Count, host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
} else if (port.Service == "snmp") {
_options = new OneSixtyOneToolOptions ();
(_options as OneSixtyOneToolOptions).Host = host.IPAddressv4;
(_options as OneSixtyOneToolOptions).Path = this.Configuration ["onesixtyonePath"];
OneSixtyOne onesixone = new OneSixtyOne (_options);
eventDescription = "Running onesixtyone (snmp) on host: " + (string.IsNullOrEmpty (host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
OneSixtyOneToolResults osoResults = onesixone.Run () as OneSixtyOneToolResults;
osoResults.HostIPAddressV4 = host.IPAddressv4;
osoResults.HostPort = port.PortNumber;
osoResults.IsTCP = true;
toolResults.Add (osoResults);
}
}
eventDescription = "Finished host " + (string.IsNullOrEmpty (host.Hostname) ? host.IPAddressv4 : host.Hostname);
CreateEvent(DateTime.Now, eventDescription, 1);
Console.WriteLine(eventDescription);
}
