Пример #1
0
        // Figure out what a port is based off its banner
        public static string FindUnknownPortInfo(string target, int port)
        {
            string postScanActions = "";
            // A port I'm not familiar with - Try parse the banner
            List <string> bannerList = General.MultiBannerGrab(target, port);

            // Remove empty entries
            bannerList.RemoveAll(x => x == "");

            // And dupes
            bannerList = bannerList.Distinct().ToList();

            string unknownPortResult = ""; // ("Port " + port).Pastel(Color.Green);

            if (!bannerList.Any())
            {
                unknownPortResult += $"Port {port} - Empty".Pastel(Color.Green);
                Console.WriteLine(unknownPortResult + Environment.NewLine + "- No Response" + Environment.NewLine);
                return("");
            }

            foreach (string theBanner in bannerList)
            {
                unknownPortResult = "";
                // Console.WriteLine("Checking: " + theBanner);
                // We now have a proper banner
                if (theBanner.StartsWith("220") && theBanner.Contains("ESMTP"))
                {
                    unknownPortResult += $"Port {port} - SMTP".Pastel(Color.Green);
                    string smtpInfo = SMTP.GetInfo(target, port); // Can't just parse the banner directly since there could be other useful stuff
                    Console.WriteLine(unknownPortResult + Environment.NewLine + smtpInfo + Environment.NewLine);
                }
                // SSH
                else if (theBanner.Contains("SSH-2.0-OpenSSH") || theBanner == "SSH-2.0-Go")
                {
                    unknownPortResult += $"Port {port} - SSH".Pastel(Color.Green) + Environment.NewLine;
                    if (theBanner.Contains("\r\nProtocol mismatch."))
                    {
                        unknownPortResult += Environment.NewLine + "- TCP Protocol Mismatch";
                    }
                    unknownPortResult += SSH.GetInfo(target, port);
                    Console.WriteLine(unknownPortResult + Environment.NewLine);
                }
                // WinRM - HTTP with special stuff
                else if (theBanner.Contains("Server: Microsoft-HTTPAPI/2.0"))
                {
                    unknownPortResult += $"Port {port} - WinRM".Pastel(Color.Green);
                    string portData = WinRM.GetInfo(target, port);
                    Console.WriteLine(unknownPortResult + Environment.NewLine + portData + Environment.NewLine);
                }
                // Squid - HTTP with different special stuff
                else if (theBanner.Contains("Server: squid"))
                {
                    unknownPortResult += $"Port {port} - Squid".Pastel(Color.Green);
                    string portData = Squid.GetInfo(target, port);
                    Console.WriteLine(unknownPortResult + Environment.NewLine + portData + Environment.NewLine);
                }
                else if (theBanner == "Reecon - HTTPS")
                {
                    // Console.WriteLine("Found HTTPS - Enumerating");
                    string httpsData = HTTPS.GetInfo(target, port);
                    if (httpsData != "")
                    {
                        Console.WriteLine(unknownPortResult += $"Port {port} - HTTPS".Pastel(Color.Green) + Environment.NewLine + httpsData + Environment.NewLine);
                        postScanActions += $"- gobuster dir -u=https://{target}:{port}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-{port}-medium.txt -x.php,.txt" + Environment.NewLine;
                        postScanActions += $"- gobuster dir -u=https://{target}:{port}/ -w ~/wordlists/common.txt -t 25 -o gobuster-{port}-common.txt -x.php,.txt" + Environment.NewLine;
                    }
                }
                // Probably a general HTTP or HTTPS web server - Try both
                else if (
                    theBanner.Contains("Server: Apache") || // Apache Web Server
                    theBanner.Contains("Server: cloudflare") || // Cloudflare Server
                    theBanner.StartsWith("HTTP/1.1") ||
                    theBanner.StartsWith("HTTP/1.0") ||
                    theBanner.Contains("Error code explanation: 400 = Bad request syntax or unsupported method.") || // BaseHTTP/0.3 Python/2.7.12
                    theBanner.Contains("<p>Error code: 400</p>") || // TryHackMe - Task 12 Day 7
                    theBanner.Contains("<h1>Bad Request (400)</h1>") ||
                    theBanner.Trim().StartsWith("<!DOCTYPE html>")    // General HTML
                    )
                {
                    string httpData = HTTP.GetInfo(target, port);
                    if (httpData != "")
                    {
                        Console.WriteLine(unknownPortResult += $"Port {port} - HTTP".Pastel(Color.Green) + Environment.NewLine + httpData + Environment.NewLine);
                        postScanActions += $"- gobuster dir -u=http://{target}:{port}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-" + port + "-medium.txt -x.php,.txt" + Environment.NewLine;
                        postScanActions += $"- gobuster dir -u=http://{target}:{port}/ -w ~/wordlists/common.txt -t 25 -o gobuster-" + port + "-common.txt -x.php,.txt" + Environment.NewLine;
                    }
                    string httpsData = HTTPS.GetInfo(target, port);
                    if (httpsData != "")
                    {
                        Console.WriteLine(unknownPortResult += $"Port {port} - HTTPS".Pastel(Color.Green) + Environment.NewLine + httpsData + Environment.NewLine);
                        postScanActions += $"- gobuster dir -u=https://{target}:{port}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-{port}-medium.txt -x.php,.txt" + Environment.NewLine;
                        postScanActions += $"- gobuster dir -u=https://{target}:{port}/ -w ~/wordlists/common.txt -t 25 -o gobuster-{port}-common.txt -x.php,.txt" + Environment.NewLine;
                    }
                    break;
                }
                else if (theBanner == "-ERR unknown command 'Woof'") // Probably Redis
                {
                    unknownPortResult += $"Port {port} - Redis".Pastel(Color.Green);
                    string portData = Redis.GetInfo(target, port);
                    Console.WriteLine(unknownPortResult + Environment.NewLine + portData + Environment.NewLine);
                }
                else if (theBanner == "+OK Dovecot ready.")
                {
                    unknownPortResult += $"Port {port} - pop3 (Dovecot)".Pastel(Color.Green) + Environment.NewLine;
                    unknownPortResult += POP3.GetInfo(target);
                    Console.WriteLine(unknownPortResult);
                }
                else if (theBanner == "ncacn_http/1.0")
                {
                    // Woof
                    unknownPortResult += "- Microsoft Windows RPC over HTTP".Pastel(Color.Green) + Environment.NewLine;
                    unknownPortResult += "- Reecon currently lacks Microsoft Windows RPC over HTTP support" + Environment.NewLine;
                    Console.WriteLine(unknownPortResult);
                }
                else if (theBanner.StartsWith("AMQP"))
                {
                    byte[] theBannerBytes = General.GetBytes(theBanner);
                    if (bannerList.Count != 8)
                    {
                        Console.WriteLine("AMQP found with an invalid Banner Byte Count! Bug Reelix");
                        return("");
                    }
                    // First 0-3: AMQP
                    // 4-7: Version
                    if (theBannerBytes[4] == 0 && theBannerBytes[5] == 0 && theBannerBytes[6] == 9 && theBannerBytes[7] == 1)
                    {
                        Console.WriteLine("Port " + port + " - AMQP".Pastel(Color.Green) + Environment.NewLine + "- Version 0-9-1" + Environment.NewLine + "- Bug Reelix to finish AMQP decoding..." + Environment.NewLine);
                        // theBanner = General.BannerGrab(ip, port, theBanner); // Need to send the bytes of AMQP0091

                        // Oh gawd....
                        // \u0001\0\0\0\0\u0001?\0\n\0\n\0\t\0\0\u0001?\fcapabilitiesF\0\0\0?\u0012publisher_confirmst\u0001\u001aexchange_exchange_bindingst\u0001\nbasic.nackt\u0001\u0016consumer_cancel_notifyt\u0001\u0012connection.blockedt\u0001\u0013consumer_prioritiest\u0001\u001cauthentication_failure_closet\u0001\u0010per_consumer_qost\u0001\u000fdirect_reply_tot\u0001\fcluster_nameS\0\0\0\u0010rabbit@dyplesher\tcopyrightS\0\0\0.Copyright (C) 2007-2018 Pivotal Software, Inc.\vinformationS\0\0\05Licensed under the MPL.  See http://www.rabbitmq.com/\bplatformS\0\0\0\u0011Erlang/OTP 22.0.7\aproductS\0\0\0\bRabbitMQ\aversionS\0\0\0\u00053.7.8\0\0\0\u000ePLAIN AMQPLAIN\0\0\0\u0005en_US?
                        // https://svn.nmap.org/nmap/nselib/amqp.lua
                        postScanActions += $"- AMQP is up and nmap knows more: nmap --script amqp-info -p{port} {target}" + Environment.NewLine;
                    }
                    else
                    {
                        Console.WriteLine($"Port {port} - AMQP".Pastel(Color.Green) + Environment.NewLine + "- Unknown AMQP Version: " + (int)theBannerBytes[4] + (int)theBannerBytes[5] + (int)theBannerBytes[6] + (int)theBannerBytes[7] + Environment.NewLine);
                    }
                }
                else if (theBanner == "</stream:stream>")
                {
                    unknownPortResult += $"Port {port} - xmpp".Pastel(Color.Green) + Environment.NewLine;
                    unknownPortResult += "- Client Name: Wildfire XMPP Client" + Environment.NewLine;
                    Console.WriteLine(unknownPortResult);
                }
                else if (theBanner.StartsWith("@RSYNCD"))
                {
                    unknownPortResult += $"Port {port} - Rsync".Pastel(Color.Green) + Environment.NewLine;
                    unknownPortResult += Rsync.GetInfo(target, port);
                    Console.WriteLine(unknownPortResult);
                }
                else if (theBanner.Trim().StartsWith("( success ( 2 2 ( ) ( edit-pipeline"))
                {
                    unknownPortResult += $"Port {port} - SVN (Subversion)".Pastel(Color.Green) + Environment.NewLine;
                    unknownPortResult += "- Bug Reelix to fix this. Ref: Port 3690";
                    Console.WriteLine(unknownPortResult);
                }
                else if (theBanner.Length > 5 && theBanner[0] == 255 && theBanner[1] == 253 && theBanner[2] == 24)
                {
                    unknownPortResult += $"Port {port} - Telnet".Pastel(Color.Green) + Environment.NewLine;
                    unknownPortResult += Telnet.GetInfo(target, port);
                    Console.WriteLine(unknownPortResult);
                }
            }
            // 47538/tcp open  socks-proxy Socks4A
            // -> [?? _ ??

            if (unknownPortResult == "")
            {
                // If there are 2 results and 1 "Closed" - Removed the Closed
                if (bannerList.Count == 2)
                {
                    if (bannerList.Count(x => x == "Reecon - Closed") == 1)
                    {
                        bannerList.RemoveAll(x => x == "Reecon - Closed");
                    }
                }
                if (bannerList.Count == 1)
                {
                    string theBanner = bannerList[0];
                    if (theBanner == "Reecon - Connection reset by peer")
                    {
                        unknownPortResult += $"Port {port} - Reset" + Environment.NewLine;
                        unknownPortResult += "- Connection reset by peer (No Useful response)" + Environment.NewLine;
                    }
                    else if (theBanner == "Reecon - Closed")
                    {
                        unknownPortResult += $"Port {port} - Closed".Pastel(Color.Green) + Environment.NewLine;
                        unknownPortResult += "- Port is closed" + Environment.NewLine;
                    }
                    else
                    {
                        unknownPortResult += $"Port {port} - Unknown".Pastel(Color.Green) + Environment.NewLine;
                        unknownPortResult += "- Unknown Response: -->" + theBanner + "<--" + Environment.NewLine;
                        unknownPortResult += $"- TODO: nmap -sC -sV {target} -p{port}" + Environment.NewLine;
                    }
                }
                else
                {
                    unknownPortResult += $"Port {port} - Unknown (Dumping possible outcomes)".Pastel(Color.Red) + Environment.NewLine;
                    // Truly unknown - Find the best result
                    foreach (string theBanner in bannerList)
                    {
                        if (theBanner == "Reecon - Connection reset by peer")
                        {
                            unknownPortResult += "- Connection reset by peer (No Useful response)" + Environment.NewLine;
                        }
                        else if (theBanner == "Reecon - Closed")
                        {
                            unknownPortResult += "- Port is closed" + Environment.NewLine;
                        }
                        else
                        {
                            unknownPortResult += "- Unknown Response: -->" + theBanner + "<--" + Environment.NewLine;
                            unknownPortResult += $"- TODO: nmap -sC -sV {target} -p{port}" + Environment.NewLine;
                        }
                    }
                }
                Console.WriteLine(unknownPortResult);
            }

            return(postScanActions);
        }
Пример #2
0
        static void Main(string[] args)
        {
            DateTime startDate = DateTime.Now;

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("Reecon - Version 0.25c ( https://github.com/Reelix/Reecon )");
            Console.ForegroundColor = ConsoleColor.White;
            if (args.Length == 0)
            {
                Console.WriteLine("Usage");
                Console.WriteLine("-----");
                Console.WriteLine("Basic Scan:\tReecon IPHere (Optional: -noping to skip the online check)");
                Console.WriteLine("Display IP:\tReecon -ip");
                Console.WriteLine("NMap-Load Scan:\tReecon outfile.nmap (Requires -oG on a regular nmap scan)");
                Console.WriteLine("Binary Pwn:\tReecon -pwn FileName (Very buggy)");
                Console.WriteLine("Searchsploit:\tReecon -searchsploit nameHere (Beta)");
                Console.WriteLine("Shell Gen:\tReecon -shell");
                Console.WriteLine("SMB Brute:\tReecon -smb-brute (Linux Only)");
                Console.WriteLine("WinRM Brute:\tReecon -winrm-brute IP UserList PassList");
                Console.WriteLine("LFI Test:\tReecon -lfi (Very buggy)");
                Console.WriteLine("Web Info:\tReecon -web url (Very buggy)");
                Console.ResetColor();
                return;
            }

            // Check if it's anything custom
            if (args.Contains("-ip") || args.Contains("--ip"))
            {
                General.GetIP();
                Console.ResetColor();
                return;
            }
            else if (args.Contains("-lfi") || args.Contains("--lfi"))
            {
                LFI.Scan(args);
                Console.ResetColor();
                return;
            }
            else if (args.Contains("-pwn") || args.Contains("--pwn"))
            {
                Pwn.Scan(args);
                Console.ResetColor();
                return;
            }
            else if (args.Contains("-searchsploit") || args.Contains("--searchsploit"))
            {
                Searchsploit.Search(args);
                Console.ResetColor();
                return;
            }
            else if (args.Contains("-shell") || args.Contains("--shell"))
            {
                Shell.GetInfo(args);
                Console.ResetColor();
                return;
            }
            else if (args.Contains("-smb-brute"))
            {
                SMB.SMBBrute(args);
                Console.ResetColor();
                return;
            }
            else if (args.Contains("-winrm-brute"))
            {
                WinRM.WinRMBrute(args);
                Console.ResetColor();
                return;
            }
            else if (args.Contains("-web") || args.Contains("--web"))
            {
                Web.GetInfo(args);
                Console.ResetColor();
                return;
            }
            else if (args.Contains("-osint") || args.Contains("--osint"))
            {
                OSINT.GetInfo(args);
                Console.ResetColor();
                return;
            }

            // Check if you should check if the target is up
            bool mustPing = true;

            if (args.Contains("-noping") || args.Contains("--noping"))
            {
                mustPing = false;
                args     = args.Where(x => !x.Contains("noping")).ToArray();
            }
            // A common typo
            if (args.Contains("-nopign"))
            {
                Console.WriteLine("You typo'd noping");
                Console.ResetColor();
                return;
            }

            // Everything below here has a maximum of 2 args
            if (args.Length > 2)
            {
                Console.WriteLine("You probably typo'd something");
                Console.ResetColor();
                return;
            }

            // Target
            if (args[0].EndsWith(".nmap"))
            {
                string fileName = args[0];
                var(Target, Ports) = Nmap.ParseFile(fileName, false);
                target             = Target;
                if (!Ports.Any())
                {
                    Console.WriteLine("Error: Empty file - Bug Reelix!");
                }
                else
                {
                    portList.AddRange(Ports);
                }
            }
            else
            {
                target = args[0];
            }

            if (target.StartsWith("http"))
            {
                Console.WriteLine("Cannot do a standard scan on a URL - Try a -web scan");
                Console.ResetColor();
                return;
            }

            // Custom ports
            if (args.Length == 2)
            {
                string portArg = args[1];
                try
                {
                    portList.AddRange(portArg.Split(',').ToList().Select(x => int.Parse(x)));
                }
                catch
                {
                    // Not a list of ports - Probably a name
                }
            }

            // First check if it's actually up
            if (mustPing)
            {
                Console.WriteLine("Checking if target is online...");
                bool?isHostOnline = General.IsUp(target);
                General.ClearPreviousConsoleLine();

                if (isHostOnline == null)
                {
                    Console.WriteLine("Invalid target: " + target);
                    return;
                }
                if (!isHostOnline.Value)
                {
                    Console.WriteLine("Host is not responding to pings :(");
                    Console.WriteLine("If you are sure it's up and are specifying ports, you can use -noping");
                    return;
                }
            }

            if (portList.Count == 0)
            {
                // Scan the target
                string fileName = Nmap.DefaultScan(args, mustPing);
                fileName += ".nmap";

                // Parse the ports
                var(Target, Ports) = Nmap.ParseFile(fileName, false);
                target             = Target;
                portList.AddRange(Ports);
            }

            // Everything parsed - Down to the scanning!
            PortInfo.LoadPortInfo();

            // Ports have been defined (Either nmap or custom)
            if (portList.Count != 0)
            {
                Console.Write("Scanning: " + target);
                Console.Write(" (Port");
                if (portList.Count > 1)
                {
                    Console.Write("s");
                }
                Console.WriteLine(": " + string.Join(",", portList) + ")");
                ScanPorts(portList);
            }
            else
            {
                // All parsing and scans done - But still no ports
                Console.WriteLine("No open ports found to scan :<");
                return;
            }

            // Everything done - Now for some helpful info!
            Console.WriteLine("Finished - Some things you probably want to do: ");
            if (portList.Count == 0)
            {
                // Something broke, or there are only UDP Ports :|
                Console.WriteLine("- nmap -sC -sV -p- " + target + " -oN nmap.txt");
                Console.WriteLine("- nmap -sU " + target + " -oN nmap-UDP.txt");
            }
            else
            {
                postScanList.Add($"- Nmap Script+Version Scan: nmap -sC -sV -p{string.Join(",", portList)} {target} -oN nmap.txt" + Environment.NewLine);
                postScanList.Add($"- Nmap UDP Scan: sudo nmap -sU {target}" + Environment.NewLine);
                foreach (string item in postScanList)
                {
                    // They already have newlines in them
                    Console.Write(item);
                }
            }
            DateTime endDate = DateTime.Now;
            TimeSpan t       = endDate - startDate;

            Console.WriteLine("Done in " + string.Format("{0:0.00}s", t.TotalSeconds) + " - Have fun :)");
            Console.ResetColor();
        }