DOOM是在thorn上实现的分布式任务分发的ip端口漏洞扫描器
PHP Python HTML JavaScript CSS Makefile Shell
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
exp
libnmap
src
test
util
README.md
block.list
port_check.py
run.py
sqli_check.py
tasks.py
test.py
wyfunc.py
wyfunc.pyc
wyportmap.py

README.md

DOOM_SEC

DOOM_SEC是在thorn上实现的分布式任务分发的ip端口漏洞扫描器

nmap扫描端口分发,可port,service,banner多种命中,检测插件可水平拓展

依赖https://github.com/ring04h/thorns ,向ring0致敬

##关于任务调度

跳转到https://github.com/ring04h/thorns

##关于port分发命中 你能从nmap中拿到的结果是port,service,banner。所以你需要根据三个参数来命中你的扫描插件

目前已经添加的检测模块是心脏滴血structs远程代码执行svn泄露IIS TTP.sys检测struts classloader漏洞检测常见端口弱口令破壳漏洞备份代码扫描jboss及zabbix扫描http服务banner的收集es部分漏洞

global_words = {
    #心脏滴血check
    "openssl" : {
        "script" : "exp/PoC.py -p %(port)s %(address)s",
        "port" : [443,587,465,995,8443],
        "service" : ["https","smtp","pop","imap","https-alt"],
        "banner": "None"
    },
    "structs" : {
        "script" : "exp/new_check_struts2.py %(address)s %(port)s",
        "port": [80,81,8080,8000,8443,9090],
        "service":["http","http-alt","http-proxy","unknown","xmpp"],
        "banner": "None"
    },
    "svn":{
        "script" : "exp/svn.py %(address)s %(port)s",
        "port" : [80,443],
        "service":["http","http-alt","https","http-proxy","unknown","xmpp"],
        "banner" : "None"
    },
    "iis":{
        "script" : "exp/iis.py %(address)s %(port)s",
        "port" : [80,81,8080,8000,8443,9090],
        "service": ["None"],
        "banner": "iis"
    },
    "classloader":{
        "script" : "exp/classloader.py %(address)s %(port)s",
        "port" : [80,443],
        "service":["http","http-alt","http-proxy","unknown","xmpp"],
        "banner" : "None"
    },
    "hydra":{
        "script" : "exp/hydra.py %(address)s %(service)s %(port)s",
        "port" : [21,22,3306],
        "service": ["ssh","mysql","ftp","smtp"],
        "banner": "None"
    },
    "backup":{
        "script" : "exp/backup_check.php -t %(address)s -p %(port)s",
        "port": [80,81,8080,8000,8443,9090],
        "service":["http","http-alt","http-proxy","unknown","xmpp"],
        "banner" : "None"
    },
    "shockbash":{
        "script": "exp/shellshock.py %(address)s %(port)s",
        "port": [80,81,8080,8000,8443,9090],
        "service":["http","http-alt","http-proxy","unknown","xmpp"],
        "banner" : "None"
    },
    "fastcgi":{
        "script": "exp/fast_cgi.py %(address)s",
        "port" : [9000],
        "service": ["None"],
        "banner" : "None"
    },
    "es20153337":{
        "script": "exp/es20153337.py %(address)s /etc/passwd",
        "port" : [9200],
        "service": ["None"],
        "banner" : "None"
    },
    "WeakBanner":{
        "script": "exp/jboss.py %(address)s %(port)s",
        "port": [80,81,8080,8000,8443,9090],
        "service":["http","http-alt","http-proxy","unknown","xmpp"],
        "banner":"JBoss"
    },
    "banner":{
        "script": "exp/banner.py %(address)s %(port)s",
        "port": [80,81,443,88,8080,8081,8000,8443,9090],
        "service":["http","https","https-alt","http-alt","http-proxy","unknown","xmpp"],
        "banner":"None"
    },
    "rsync":{
        "script": "exp/rsync.py %(address)s %(port)s",
        "port": [873],
        "service":["rsync"],
        "banner":"extrainfo"        
    },
    "test" : {
        "script" : "exp/test.py",
        "port" : [3306],
        "service" : ["mysql"],
        "banner": "None"
    }
}

##如何添加一个插件

在exp目录下添加你的exp,检测到存在漏洞后输出wakaka~即可,如这个弱口令扫描的

#!/usr/bin/python
#coding:utf-8
#author:root@1137.me

import sys
import subprocess
import time

globalUserFile = "exp/hydra/user.txt"
globalPassFile = "exp/hydra/pass.txt"
globalTimeout = 60
def hydraCheck(target,port,service):
    cmdLine = 'hydra  -L %s -P %s -s %s -e ns %s %s' %(globalUserFile, globalPassFile, port, target, service )
    print cmdLine
    proc = subprocess.Popen(cmdLine,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE,close_fds=True)
    deadline = time.time() + globalTimeout
    while time.time() < deadline and proc.poll() == None:
        time.sleep(globalTimeout)
    if proc.poll() == None:
        proc.terminate()
    output,stderr = proc.communicate()
    print output
    #output = proc.stdout.readlines()    
    if "password" in output:
        print "~wakaka"
    return output
    
    

命中输出wakaka即可

##如何使用

  • 参考thorn
  • 你需要修改以下两个文件的smtp信息的配置为你的
    • util/phpmail.php
  • util/secmail.py
  • 部分插件依赖mongo,mysql,redis,请安装他们

##最后

Enjoy It