#! /usr/bin/env python3
# Copyright (C) 2022 Team HackTrack Linux
# Copyright (C) 2009 Sebastian Garcia
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
#
# Author:
# Sebastian Garcia eldraco@gmail.com
#
# Based on code from Twisted examples.
# Copyright (c) Twisted Matrix Laboratories.
# Copyright (c) Twisted Matrix Laboratories.
# See LICENSE for details.
#
# CHANGELOG
# 0.7
# - Convert python code to python3
# 0.6
# - Added some more chars to the command injection prevention.
# - Clients decide the nmap scanning rate.
# - If the server sends a --min-rate parameter, we now delete it. WE control the scan speed.
# - Exit if nmap is not installed
# - Stop sending the euid, it was a privacy violation. Now we just say if we are root or not.
#
# TODO
# - privileges on nmap
#
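# Probe the optional dependencies up front so a missing package gives a
# one-line hint instead of a traceback. Only ImportError is caught now: the
# original bare ``except:`` also swallowed KeyboardInterrupt and SystemExit.
# ``SSL`` itself is never used in this file; presumably this is a presence
# check for pyOpenSSL, which twisted's TLS support relies on.
# (``sys`` is not imported yet at this point, so SystemExit is raised directly
# instead of going through the site-provided ``exit()``.)
try:
    from OpenSSL import SSL
except ImportError:
    print('You need openssl libs for python. apt-get install python-openssl')
    raise SystemExit(-1)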
import sys
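# Same presence check for twisted. ``ClientFactory`` is kept although only
# ``ReconnectingClientFactory`` is used below. Only ImportError is caught;
# the original bare ``except:`` also hid KeyboardInterrupt/SystemExit.
try:
    from twisted.internet.protocol import ClientFactory, ReconnectingClientFactory
    from twisted.protocols.basic import LineReceiver
    from twisted.internet import ssl, reactor
except ImportError:
    print('You need twisted libs for python. apt-get install python-twisted')
    sys.exit(-1)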
import time, getopt, shlex
from subprocess import Popen
from subprocess import PIPE
import os
import random
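# import module
# The banner is drawn with the third-party "art" package. Unlike OpenSSL and
# twisted above it was imported unguarded (and with a wildcard), so a box
# without it died with a traceback before any real work; fall back to a
# plain banner instead. Only ``tprint`` is used from the package.
try:
    from art import tprint
except ImportError:
    def tprint(text, font=None):
        """Fallback for a missing ``art`` package: print *text* as plain text."""
        print(text)
# random large text to art representation
# This art will be random every time
tprint("dnmap Client", "rnd")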
# Global variables
# Protocol version advertised to the server in the hello line.
vernum = '0.7'
# dnmap server address; stays False until -s/--server-ip is given (main()
# prints usage and exits without it).
server_ip = False
# dnmap server port; -p/--server-port overrides.
server_port = 46001
# Name reported to the server for credit; -a/--alias overrides.
alias = 'Anonymous'
# -d/--debug: echo every protocol line we send.
debug = False
# -m/--max-rate: value appended as --max-rate to every nmap command.
# False means no max rate is added.
maxrate = False
# End global variables
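# Banner shared by version() and usage(); both used to carry their own copy.
def _print_banner():
    """Print the boxed dnmap client banner (version, blurb, author)."""
    print("+----------------------------------------------------------------------+")
    print("| dnmap Client Version "+ vernum +" |")
    print("| dnmap is a framework to distribute nmap scans among several clients. |")
    print("| It reads an already created file with nmap commands and send |")
    print("| those commands to each client connected to it. |")
    print("| |")
    print("| Author: Team HackTrack Linux, team@hacktracklinux.org |")
    print("| www.hacktracklinux.org |")
    print("+----------------------------------------------------------------------+")


# Print version information
def version():
    """Print the banner followed by a blank line.

    Despite the old comment this does not exit; main() calls it right
    before connecting.
    """
    _print_banner()
    print()


# Print help information and exit
def usage():
    """Print the banner and the option summary, then exit with status 1."""
    _print_banner()
    print("\nusage: %s <options>" % sys.argv[0])
    print("options:")
    print(" -s, --server-ip IP address of dnmap server.")
    print(" -p, --server-port Port of dnmap server. Dnmap port defaults to 46001")
    print(" -a, --alias Your name alias so we can give credit to you for your help. Optional")
    print(" -d, --debug Debuging.")
    print(" -m, --max-rate Force nmaps commands to use at most this rate. Useful to slow nmap down. Adds the --max-rate parameter.")
    print()
    sys.exit(1)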
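def check_clean(line):
    """Return True if *line* holds none of the characters we refuse to run.

    Rejects ``;``, ``#`` and the backtick, the same three as before. Since
    the command is later executed through ``Popen`` with an argv list (no
    shell), these characters could never reach a shell anyway: this is a
    belt-and-braces filter, not the trust boundary. It does nothing about
    nmap's own options (``--script``, ``-iL``, ``-o*`` paths, ...), which
    the server can still set freely.

    Accepts ``str`` or ``bytes`` (on Python 3 Twisted hands ``dataReceived``
    bytes; the original raised TypeError on bytes, swallowed it and returned
    None). Anything else is reported and rejected rather than executed.
    """
    outbound_chars = (';', '#', '`')
    if isinstance(line, bytes):
        line = line.decode('utf-8', errors='replace')
    if not isinstance(line, str):
        # Never run something we could not even inspect.
        print('Problem in check_clean function: unexpected type {0}'.format(type(line)))
        return False
    return not any(char in line for char in outbound_chars)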
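class NmapClient(LineReceiver):
    """Client side of the dnmap wire protocol.

    On connect we announce ourselves ("Starts the Client ID:...") and ask
    for work ("Send more commands"). Each chunk the server then sends is
    either a "Wait:<seconds>" instruction or an nmap command line, which is
    sanity-checked, normalised, run, and whose stdout is streamed back
    between "Nmap Output File:<name>:" and "Nmap Output Finished:<name>:"
    before we ask for more.

    Byte/str boundary: on Python 3 Twisted delivers ``bytes`` to
    ``dataReceived`` and ``sendLine`` only accepts ``bytes``; the original
    port compared and sent ``str`` and so broke on the first message.
    ``dataReceived`` decodes on the way in and ``_send`` encodes on the way
    out, so everything in between works on ``str``.

    NOTE(review) on trust: the server is trusted completely. ``check_clean``
    refuses three shell metacharacters, but the command is executed via
    ``Popen`` with an argv list (no shell), so those were never the risk;
    nmap options that take scripts or paths (``--script``, ``-iL``, ``-oN``,
    ``-oA`` ...) are passed through unchanged. Together with the unverified
    TLS connection opened in ``process_commands``, whoever can reach or
    impersonate the server can run nmap with arbitrary options as this user.
    An allowlist of accepted nmap options would be the real fix.
    """

    def _send(self, line, echo=True):
        """Send one protocol line; ``str`` is UTF-8 encoded, ``bytes`` goes as-is.

        *echo* controls the debug trace (off for raw nmap output, as before).
        """
        if echo and debug:
            print(' -- Line sent: {0}'.format(line))
        if isinstance(line, str):
            line = line.encode('utf-8')
        self.sendLine(line)

    def connectionMade(self):
        """Announce this client (id, alias, version, root or not) and ask for work."""
        print('Client connected succesfully...')
        print('Waiting for more commands....')
        if debug:
            print(' -- Your client ID is: {0} , and your alias is: {1}'.format(str(client_id), str(alias)))
        # Only *whether* we are root is reported, never the actual euid.
        iamroot = 1 if os.geteuid() == 0 else 0
        # The 'Client ID' text must be sent before the server hands out commands.
        self._send('Starts the Client ID:{0}:Alias:{1}:Version:{2}:ImRoot:{3}'.format(
            str(client_id), str(alias), vernum, iamroot))
        self._send('Send more commands')

    def dataReceived(self, line):
        """Dispatch one chunk from the server.

        ``dataReceived`` is not delimiter based, so *line* is whatever the
        transport delivered; the protocol relies on the server writing one
        message per write.
        """
        if isinstance(line, bytes):
            line = line.decode('utf-8', errors='replace')
        if 'Wait' in line:
            self._handle_wait(line)
            return
        if debug:
            print("\tCommand Received: {0}".format(line.strip('\n').strip('\r')))
        if not check_clean(line):
            # Something strange was sent to us: refuse it but keep the loop alive.
            print()
            print('WARNING! Ignoring some strange command was sent to us: {0}'.format(line))
            self._send('Send more commands')
            return
        self._run_command(line)

    def _handle_wait(self, line):
        """Honour a "Wait:<seconds>" instruction, then ask for more work.

        ``time.sleep`` blocks the reactor thread for the whole wait, exactly
        as the original did. A malformed or negative value now means "no
        wait" instead of an exception escaping into Twisted.
        """
        try:
            sleeptime = int(line.split(':')[1])
        except (IndexError, ValueError):
            print('WARNING! Malformed Wait line from server, not waiting: {0}'.format(line))
            sleeptime = 0
        if sleeptime > 0:
            time.sleep(sleeptime)
        self._send('Send more commands')

    def _build_command(self, line):
        """Turn the server's text into the argv we are willing to run.

        Returns ``(argv, output_name)``:
        * ``-oA <name>`` is guaranteed (a random name is added when the
          server gave none) so results are never lost;
        * any ``--min-rate`` (``--min-rate N`` or ``--min-rate=N``) is
          dropped: the client, not the server, decides how fast it scans;
        * ``--max-rate <maxrate>`` is appended when -m was given;
        * argv[0] is replaced by the literal ``nmap`` so nothing else runs.

        Raises ValueError from ``shlex.split`` on unbalanced quoting.
        """
        tokens = shlex.split(line)
        try:
            oa_index = tokens.index('-oA')
        except ValueError:
            oa_index = None
        if oa_index is not None and oa_index + 1 < len(tokens):
            output_name = tokens[oa_index + 1]
        else:
            output_name = str(random.randrange(0, 100000000, 1))
            print('+ No -oA given. We add it anyway so not to lose the results. Added -oA ' + output_name)
            # A trailing bare '-oA' only needs its value; otherwise add both.
            if oa_index is None:
                tokens.append('-oA')
            tokens.append(output_name)
        argv = []
        skip_value = False
        for token in tokens:
            if skip_value:
                skip_value = False
                continue
            if token == '--min-rate':
                skip_value = True
                continue
            if token.startswith('--min-rate='):
                continue
            argv.append(token)
        if maxrate:
            argv.extend(['--max-rate', str(maxrate)])
        return ['nmap'] + argv[1:], output_name

    def _run_command(self, line):
        """Normalise, execute and report one nmap command line from the server."""
        nmap_returncode = -1
        raw_nmap_output = b''
        output_name = ''
        try:
            nmap_command, output_name = self._build_command(line)
            print("\tCommand Executed: {0}".format(''.join(arg + ' ' for arg in nmap_command)))
            # argv list, no shell: the server's text is never parsed by /bin/sh.
            # (executable='nmap' was dropped upstream: "seems to change -sP for -sS".)
            nmap_process = Popen(nmap_command, stdout=PIPE)
            raw_nmap_output = nmap_process.communicate()[0]
            nmap_returncode = nmap_process.returncode
        except OSError:
            print('You don\'t have nmap installed. You can install it with apt-get install nmap')
            # A bare exit() inside a reactor callback is liable to be caught and
            # logged by Twisted, leaving the client bouncing between reconnects;
            # reactor.stop() is the supported way to shut down from here.
            reactor.stop()
            return
        except ValueError:
            raw_nmap_output = 'Invalid nmap arguments.'
            print(raw_nmap_output)
        except Exception as inst:
            print('Problem in dataReceived function')
            print(type(inst))
            print(inst.args)
            print(inst)
        if nmap_returncode >= 0:
            # nmap ran (whatever its exit status): ship its stdout to the server.
            print('\tSending output to the server...')
            name = output_name.strip('\n').strip('\r')
            self._send('Nmap Output File:{0}:'.format(name))
            self._send(raw_nmap_output, echo=False)
            self._send('Nmap Output Finished:{0}:'.format(name))
            self._collect_output_files()
        # Ask for the next command whether or not this one ran: the original
        # went silent after a failed run and then waited on the server forever.
        print('Waiting for more commands....')
        self._send('Send more commands')

    def _collect_output_files(self):
        """Move nmap's result files from the cwd into nmap_output/.

        Replaces ``os.system('mv *.nmap nmap_output > /dev/null 2>&1')`` and
        its .gnmap/.xml twins: same file set (non-hidden ``*.nmap``,
        ``*.gnmap``, ``*.xml`` in the cwd), same overwrite-and-ignore-errors
        behaviour, but without spawning a shell.
        """
        try:
            names = os.listdir('.')
        except OSError:
            return
        for name in names:
            if name.startswith('.') or not name.endswith(('.nmap', '.gnmap', '.xml')):
                continue
            try:
                os.replace(name, os.path.join('nmap_output', name))
            except OSError:
                # best effort, as the old '> /dev/null 2>&1' was
                pass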
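class NmapClientFactory(ReconnectingClientFactory):
    """Builds ``NmapClient`` protocols and retries when the connection fails or drops.

    The retry itself comes from ``ReconnectingClientFactory``; whoever
    creates the factory caps the back-off with ``factory.maxDelay``. The
    class-level try/except the original wrapped around these definitions
    could never catch anything raised *inside* the methods, so it is gone.
    """
    protocol = NmapClient

    def startedConnecting(self, connector):
        print('Starting connection...')

    def clientConnectionFailed(self, connector, reason):
        """Connection attempt failed: report it and let the parent schedule a retry."""
        print('Connection failed:', reason.getErrorMessage())
        print('Trying to reconnect. Please wait...')
        # The original delegated to the parent's clientConnectionLost here;
        # the matching hook for a failed attempt is clientConnectionFailed.
        ReconnectingClientFactory.clientConnectionFailed(self, connector, reason)

    def clientConnectionLost(self, connector, reason):
        """Established connection dropped: report it and let the parent schedule a retry."""
        print('Connection lost. Reason: {0}'.format(reason.getErrorMessage()))
        print('Trying to reconnect in 10 secs. Please wait...')
        ReconnectingClientFactory.clientConnectionLost(self, connector, reason)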
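def process_commands():
    """Set up the client and run the Twisted reactor until it stops.

    Picks a random client id, makes sure ./nmap_output exists, then connects
    to ``server_ip:server_port`` over TLS with a reconnecting factory. Blocks
    for the life of the process (``reactor.run``). Sets the module globals
    ``client_id`` and ``factory`` that the protocol class reads.
    """
    global client_id
    global factory
    try:
        print('Client Started...')
        # Random (not secret) id the server uses to tell clients apart.
        client_id = str(random.randrange(0, 100000000, 1))
        print('Nmap output files stored in \'nmap_output\' directory...')
        # Replaces the ``mkdir nmap_output`` shell-out: an existing directory
        # is fine, any other failure is reported but, as before, not fatal.
        try:
            os.makedirs('nmap_output', exist_ok=True)
        except OSError as err:
            print('WARNING! Could not create nmap_output directory: {0}'.format(err))
        factory = NmapClientFactory()
        # Do not wait more than 10 seconds between reconnections
        factory.maxDelay = 10
        # NOTE(review): ssl.ClientContextFactory() does not verify the server's
        # certificate, so this client will accept nmap command lines from any
        # host answering at server_ip:server_port, or from anyone on the path
        # who can redirect the connection. Before running this across an
        # untrusted network, pin the dnmap server's certificate / use a
        # verifying context (e.g. twisted's optionsForClientTLS with that
        # certificate as the trust root).
        reactor.connectSSL(str(server_ip), int(server_port), factory, ssl.ClientContextFactory())
        reactor.run()
    except Exception as inst:
        print('Problem in process_commands function')
        print(type(inst))
        print(inst.args)
        print(inst)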
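def main():
    """Parse the command line, then hand over to process_commands().

    Options (see usage()): -s/--server-ip (required), -p/--server-port,
    -a/--alias, -d/--debug, -m/--max-rate. Values land in the module
    globals the protocol reads. Unknown options, a non-numeric port or a
    missing -s print usage and exit 1; Ctrl-C exits 1 after a message.
    """
    global server_ip
    global server_port
    global alias
    global debug
    global maxrate
    try:
        # --server-port and --max-rate take a value, so they need the trailing
        # '=' like --server-ip/--alias (the short forms already did); without
        # it getopt treated the value as a stray positional argument.
        opts, args = getopt.getopt(
            sys.argv[1:], "a:dm:p:s:",
            ["server-ip=", "server-port=", "max-rate=", "alias=", "debug"])
    except getopt.GetoptError:
        usage()
    for opt, arg in opts:
        if opt in ("-s", "--server-ip"):
            server_ip = str(arg)
        elif opt in ("-p", "--server-port"):
            try:
                server_port = int(arg)
            except ValueError:
                print('Invalid server port: {0}'.format(arg))
                usage()
        elif opt in ("-a", "--alias"):
            alias = str(arg).strip('\n').strip('\r').strip(' ')
        elif opt in ("-d", "--debug"):
            debug = True
        elif opt in ("-m", "--max-rate"):
            maxrate = str(arg)
    try:
        if server_ip and server_port:
            version()
            # Start connecting
            process_commands()
        else:
            usage()
    except KeyboardInterrupt:
        # CTRL-C pretty handling.
        print("Keyboard Interruption!. Exiting.")
        sys.exit(1)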
# Script entry point. Note that importing this module still prints the
# banner, because the tprint() call above runs at module level.
if __name__ == '__main__':
main()