1+ import os
2+ import requests
3+ import re
4+ from bs4 import BeautifulSoup
5+ import platform
6+ import socket
7+ from dnsknife .scanner import Scanner
8+
9+ ssr = platform .system ()
10+ if ssr == "Linux" :
11+ sudo = 'sudo'
12+ print ("OS:{}" .format ('Linux' ))
13+ elif ssr == "windows" :
14+ sudo = ""
15+ print ("OS:{}" .format ('windows' ))
16+
17+ def greedy ():
18+ banner = """
19+ ________________________________________________
20+ / _____/\______ \_ _____/\_ _____/\______ \
21+ / \ ___ | _/| __)_ | __)_ | | \
22+ \ \_\ \| | \| \ | \ | ` \
23+ \______ /|____|_ /_______ //_______ //_______ /
24+ \/ \/ \/ \/ \/
25+ .___ _________.____ _____ _______ ________
26+ | |/ _____/| | / _ \ \ \ \______ \
27+ | |\_____ \ | | / /_\ \ / | \ | | \
28+ | |/ \| |___/ | \/ | \| ` \
29+ |___/_______ /|_______ \____|__ /\____|__ /_______ /
30+ \/ \/ \/ \/ \/ """
31+ cist = ['[1]自动收集基本侦察(即whois,ping,DNS等),NMAP端口扫描,自动暴力收集子域,收集DNS信息并检查区域传输' ,'[2]NMap脚本' ]
32+ civsd = {'1' :wds ,
33+ '2' :nmap_script ,
34+ '3' :builtwith_looup }
35+
36+ while True :
37+ print ()
38+ print (banner )
39+ for c in cist :
40+ print (c )
41+ user = input ('haq>' )
42+
43+ if user in civsd :
44+ civsd .get (user )()
45+
46+ def wds ():
47+ user = input ('查询的url是:' )
48+ headers = {'user-agent' :'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36' }
49+ url = 'https://www.whois.com/search.php?query={}' .format (user )
50+ reqt = requests .get (url = url ,headers = headers )
51+ bd = BeautifulSoup (reqt .content .decode ('utf-8' ),'html.parser' )
52+ print ('[+]whois信息' )
53+ print ('========================================================' )
54+ for pre in bd .find_all ('pre' ):
55+ print (pre .get_text ())
56+ print ('========================================================' )
57+
58+ guids = []
59+ guids2 = []
60+ print ('[+]超级ping,判断是否有CDN' )
61+ print ('' )
62+ print ('========================================================' )
63+ urli = 'http://ping.chinaz.com/{}' .format (user )
64+ headers = {
65+ 'user-agent' : 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36' }
66+ datas = {'host' : '{}' .format (user ), 'checktype' : '0' , 'linetype' : '电信' ,
67+ 'linetype' : '多线' ,
68+ 'linetype' : '联通' ,
69+ 'linetype' : '移动' ,
70+ 'linetype' : '海外' }
71+ rev = requests .post (url = urli , headers = headers , data = datas )
72+ bd = BeautifulSoup (rev .text , 'html.parser' )
73+ tr = bd .find_all ('div' )
74+ for v in tr :
75+ guids .append (v .get ('id' ))
76+
77+ for key in guids :
78+ qz = re .findall (
79+ '[0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z]-[0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z]-[0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z]-[0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z]-[0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z][0-9-a-z-A-Z]' ,
80+ str (key ))
81+ for r in qz :
82+ guids2 .append (r + '' )
83+
84+ url = 'http://ping.chinaz.com/iframe.ashx?t=ping&callback=jQuery111306709270458227905_1535617821100'
85+ for v in guids2 :
86+ data = {'guid' : '{}' .format (v ),
87+ 'host' : 'www.baidu.com/' ,
88+ 'ishost' : 'false' ,
89+ 'encode' : 'uZVguOxtxhFU4L0rQ|zXgulyePFesj4w' ,
90+ 'checktype' : '0' }
91+ headers = {'user-agent' : 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36' }
92+ reqt = requests .get (url = url , headers = headers , data = data )
93+ hostname = re .findall ("ip:'.*'" , reqt .text )
94+ for l in hostname :
95+ print ('[+]节点:{}' .format (l ))
96+
97+ print ('===========================================================' )
98+ print ('' )
99+ print ('===========================================================' )
100+ print ('[+]dns查询' )
101+ dnscer = Scanner ('{}' .format (user .replace ('www.' ,'' )).strip ()).scan ()
102+ for l in dnscer :
103+ print (l )
104+ dnscer .close ()
105+ print ('===========================================================' )
106+ print ('' )
107+ print ('===========================================================' )
108+ print ('[+]nmap端口扫描' )
109+ ml = "{} nmap -sS -sC -T4 -A {}" .format (sudo ,socket .gethostbyname (user )).strip ()
110+ os .system (ml )
111+ print ('===========================================================' )
112+ print ('' )
113+ print ('===========================================================' )
114+ print ('[+]子域名查询' )
115+ headers = {'user-agent' : 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36' }
116+ url = 'http://site.ip138.com/{}/domain.htm' .format (user .replace ('www.' ,'' ).strip ())
117+ reqt = requests .get (url = url , headers = headers )
118+ domain = re .findall ('<a href=".*" target="_blank">.*</a></p>' , reqt .content .decode ('utf-8' ))
119+ for i in domain :
120+ bd = BeautifulSoup (i , 'html.parser' )
121+ print (bd .get_text ())
122+ print ('===========================================================' )
123+
124+ def nmap_script ():
125+ nmap_list = ['[1]负责处理鉴权证书(绕开鉴权)的脚本,也可以作为检测部分应用弱口令' ,'[2]提供暴力破解的方式 可对数据库,smb,snmp等进行简单密码的暴力猜解' ,'[3]检查是否存在常见漏洞' ,'[4]在局域网内探查更多服务开启状况' ,'[5]检查vnc bypass' ,'[6]smb扫描' ,'[7]Mssql扫描' ,'[8]Mysql扫描' ,'[9]中间件检测' ]
126+ while True :
127+ for k in nmap_list :
128+ print (k )
129+
130+ ip = input ('IP:' )
131+ user2 = input ('选择:' )
132+ if user2 == '1' :
133+ print ('============================================' )
134+ print ('[+]负责处理鉴权证书(绕开鉴权)的脚本,也可以作为检测部分应用弱口令' )
135+ print ('[+]{} nmap --script=auth {}' .format (sudo ,ip ))
136+ os .system ('{} nmap --script=auth {}' .format (sudo ,ip ))
137+ print ('============================================' )
138+ elif user2 == '2' :
139+ print ('============================================' )
140+ print ('[+]暴力破解' )
141+ print ('[+]{} nmap --script=brute {}' .format (sudo ,ip ))
142+ os .system ('{} nmap --script=brute {}' .format (sudo ,ip ))
143+ print ('============================================' )
144+ elif user2 == '3' :
145+ print ('============================================' )
146+ print ('[+]检查是否存在常见漏洞' )
147+ print ('[+]{} nmap --script=vuln {}' .format (sudo ,ip ))
148+ os .system ('{} nmap --script=vuln {}' .format (sudo ,ip ))
149+ print ('============================================' )
150+ elif user2 == '4' :
151+ print ('============================================' )
152+ print ('[+]在局域网内探查更多服务开启状况' )
153+ print ('[+]{} nmap --script=broadcast {}' .format (sudo ,ip ))
154+ os .system ('{} nmap --script=broadcast {}' .format (sudo ,ip ))
155+ print ('============================================' )
156+ elif user2 == '5' :
157+ print ('============================================' )
158+ print ('[+]检查vnc bypass' )
159+ print ('[+]{} nmap --script=realvnc-auth-bypass {}' .format (sudo ,ip ))
160+ os .system ('{} nmap --script=realvnc-auth-bypass {}' .format (sudo ,ip ))
161+ print ('============================================' )
162+ print ('' )
163+ print ('============================================' )
164+ print ('[+]{} nmap --script=vnc-auth {}' .format (sudo ,ip ))
165+ os .system ('{} nmap --script=vnc-auth {}' .format (sudo ,ip ))
166+ print ('============================================' )
167+ print ('[+]{} nmap --script=vnc-info {}' .format (sudo ,ip ))
168+ os .system ('nmap --script=vnc-info {}' .format (sudo ,ip ))
169+ print ('============================================' )
170+ elif user2 == '6' :
171+ print ('============================================' )
172+ print ('[+]smb扫描' )
173+ print ('[+]smb破解' )
174+ print ('[+]{} nmap --script=smb-brute.nse {}' .format (sudo ,ip ))
175+ os .system ('{} nmap --script=smb-brute.nse {}' .format (sudo ,ip ))
176+ print ('============================================' )
177+ print ('[+]smb已知几个严重漏' )
178+ print ('[+]{} nmap --script=smb-check-vulns.nse --script-args=unsafe=1 {}' .format (sudo ,ip ))
179+ os .system ('{} nmap --script=smb-check-vulns.nse --script-args=unsafe=1 {}' .format (sudo ,ip ))
180+ print ('============================================' )
181+ print ('' )
182+ print ('============================================' )
183+ print ('[+]系统信息' )
184+ print ('[+]{} nmap -n -p445 --script=smb-os-discovery.nse --script-args=smbuser=test,smbpass=test {}' .format (sudo ,ip ))
185+ os .system ('{} nmap -n -p445 --script=smb-os-discovery.nse --script-args=smbuser=test,smbpass=test {}' .format (sudo ,ip ))
186+ print ('============================================' )
187+ print ('' )
188+ print ('============================================' )
189+ print ('[+]扫描smb漏洞' )
190+ print ('[+]{} nmap --script smb-vuln-ms* {}' .format (sudo ,ip ))
191+ os .system ('{} nmap --script smb-vuln-ms* {}' .format (sudo ,ip ))
192+ print ('============================================' )
193+ elif user2 == '7' :
194+ print ('============================================' )
195+ print ('[+]猜解mssql用户名和密码' )
196+ isw = input ('mssqlport:' )
197+ username = input ('mssqlusername.txt:' )
198+ passwd = input ('mssqlpasswd.txt:' )
199+ print ('{} nmap -p {} --script=ms-sql-brute --script-args=userdb={},passdb={} {}' .format (sudo ,isw ,username ,passwd ,ip ))
200+ os .system ('{} nmap -p {} --script=ms-sql-brute --script-args=userdb={},passdb={} {}' .format (sudo ,isw ,username ,passwd ,ip ))
201+ print ('=============================================' )
202+ elif user2 == '8' :
203+ print ('============================================' )
204+ print ('' )
205+ print ('============================================' )
206+ print ('[+]扫描root空口令' )
207+ mysqlport = input ('mysqlport:' )
208+ print ('{} nmap -p {} --script=mysql-empty-password.nse {}' .format (sudo ,mysqlport ,ip ))
209+ os .system ('{} nmap -p {} --script=mysql-empty-password.nse {}' .format (sudo ,mysqlport ,ip ))
210+ print ('============================================' )
211+ print ('[+]列出所有mysql用户' )
212+ print ('{} nmap -p {} --script=mysql-users.nse --script-args=mysqluser=root {} ' .format (sudo ,mysqlport ,ip ))
213+ os .system ('{} nmap -p {} --script=mysql-users.nse --script-args=mysqluser=root {} ' .format (sudo ,mysqlport ,ip ))
214+ print ('============================================' )
215+ elif user2 == '9' :
216+ print ('===========================================' )
217+ print ('[+]扫描1-65535端口' )
218+ print ('[+]{} nmap -p 1-65535 -T4 {}' .format (sudo ,ip ))
219+ os .system ('{} nmap -p 1-65535 -T4 {}' .format (sudo ,ip ))
220+ print ('===========================================' )
221+ print ('' )
222+ print ('===========================================' )
223+ print ('[+]检测http服务拒绝' )
224+ print ('[+]{} nmap --max-parallelism 800--script http-slowloris {}' .format (sudo ,ip ))
225+ os .system ('{} nmap --max-parallelism 800--script http-slowloris {}' .format (sudo ,ip ))
226+ print ('===========================================' )
227+ print ('' )
228+ print ('===========================================' )
229+ print ('[+]使用nmap 进行利用第三方的数据库或资源进行信息收集或者攻击' )
230+ print ('[+]{} nmap --script external {}' .format (sudo ,ip ))
231+ print ('===========================================' )
232+ print ('' )
233+ print ('===========================================' )
234+ print ('[+]使用nmap 进行模糊测试,发送异常的包到目标机,探测出潜在漏洞' )
235+ print ('[+]{} nmap --script fuzzer {}' .format (sudo ,ip ))
236+ os .system ('{} nmap --script fuzzer {}' .format (sudo ,ip ))
237+ print ('============================================' )
238+ print ('' )
239+ print ('============================================' )
240+ print ('[+]nmap进行CVE漏洞扫描' )
241+ print ('[+]{} nmap --script vulscan -sV {}' .format (sudo ,ip ))
242+ os .system ('{} nmap --script vulscan -sV {}' .format (sudo ,ip ))
243+ print ('============================================' )
244+ elif user2 or ip == 'q' :
245+ print ('[+]退出nmap扫描功能' )
246+ break
247+ else :
248+ continue
249+
250+
251+ if __name__ == '__main__' :
252+ greedy ()
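Review bot: `greedy()` raises NameError before the menu is ever shown, because the dict literal on line 34 references `builtwith_looup`, which is not defined anywhere in this file; either drop the `'3'` entry or define the function. The OS check on line 13 compares `platform.system()` to `'windows'` while that call returns `'Windows'`, so on that platform `sudo` is never bound and every command in `wds` and `nmap_script` fails with NameError at its first use — `elif ssr == "Windows":` fixes it. Line 168 passes both `sudo` and `ip` to a format string with a single placeholder, so the target host is silently dropped and `sudo` is scanned instead; it should read `os.system('{} nmap --script=vnc-info {}'.format(sudo, ip))`, and line 225 is missing a space in `800--script`, so nmap will reject the option. Every command is built by string formatting from raw `input()` values and handed to `os.system`; `subprocess.run([sudo, 'nmap', '--script=auth', ip])` (omitting the empty `sudo` element when it is `""`) avoids the shell entirely and makes the port, userdb and passdb values on lines 199–200 and 208–213 safe against shell metacharacters and whitespace. Finally, `elif user2 or ip == 'q'` on line 244 is true for any non-empty choice, so a mistyped menu number exits the loop instead of re-prompting; `elif user2 == 'q' or ip == 'q':` is presumably what was intended.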