1 Star 1 Fork 0

爱玲 / Vxscan

加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
贡献代码
同步代码
取消
提示: 由于 Git 不支持空文件夾,创建文件夹后会生成空的 .keep 文件
Loading...
README
Apache-2.0

Vxscan 2.0

Build Status ISSUE star license python

English | 简体中文

python3写的综合扫描工具,主要用来敏感文件探测(目录扫描与js泄露接口),WAF/CDN识别,端口扫描,指纹/服务识别,弱口令探测,POC扫描,SQL注入等功能。

Update

2019.10.31
目录扫描使用了uvloop+asyncio+aiohttp
修复了一堆BUG
404页面验证添加了更多逻辑
2019.9.20
删除了暴力破解模块,速度实在是太慢了
修复了端口扫描和目录扫描的一部分BUG
修复了生成html报告空白问题,主要是没有转义
2019.8.19
添加了禁止扫描gov.cn与edu.cn域名,程序检测到会立即终止运行
修改了程序输出界面 改为时间+插件+域名+结果样式
删除了原来SQL注入插件,增加了弱口令探测插件(Mysql、Postgresql、SSH等)
将Fofa的指纹识别库与WEBEYE合并 指纹规则2000+条
2019.7.19
添加了socks5全局代理 封装了requests
优化了目录结构
删除了原来html报告,采用了从Perun里抽取的html报表
去掉了json结果输出,调整为存储到sqllite3数据库中,入库时进行去重,扫描时如果目标主机已存在db文件中则跳过
添加了phpinfo、leaks常见的信息泄露扫描插件
pdns加入viewdns.info接口
2019.7.1
显示ping检测失败的主机
-u 命令可以添加多个目标,用逗号隔开
修复指纹识别报错问题
2019.6.18
修复了指纹识别iis网站报错的问题,修改了apps.json
删除了一些容易引起错误的第三方库与脚本
扫描如果出现一闪而过就完成,那是因为程序首先检测dns解析与ping操作
第一次用Vxscan时,fake_useragent会加载这里的 https://fake-useragent.herokuapp.com/browsers/0.1.11 的ua列表,可能会出现加载超时错误

Requirements

Python version > 3.6
requests
pyfiglet
fake-useragent
beautifulsoup4
pymysql
python-nmap
geoip2
tldextract
lxml
pymongo
virustotal_python
dnspython
pysocks

apt install nmap

wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
After decompressing, put GeoLite2-City.mmdb inside to vxscan/data/GeoLite2-City.mmdb

wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz
After decompressing, put the GeoLite2-ASN.mmdb inside to vxscan/data/GeoLite2-ASN.mmdb

pip3 install -r requirements.txt

Features

  • Webinfo
    • GeoIP
    • DNS 解析验证
    • Ping 存活验证
    • HTTPS/HTTP 验证
    • WAF/CDN 探测
      • WAF Rules
      • CDN IP段
      • CDN ASN
    • HTTP 标题
    • HTTP Server
    • HTTP Headers
    • 指纹识别
      • Wappalyzer (1100+)
      • WEBEYE (100+)
      • FOFA (2000+)
    • PDNS
      • virustotal
      • viewdns.info
    • 旁站查询
      • yougetsignal.com
      • api.hackertarget.com
    • 操作系统版本探测 (nmap)
  • Ports
    • 400+ Ports
    • 140+ 端口指纹特征
    • 记录Banner信息
    • 跳过CDN IP
    • 全端口开放的主机(portspoof)自动跳过
  • URLS
    • 解析robots.txt将内容加入扫描列表中
    • 常见备份、后门、目录、中间件、敏感文件地址
    • 使用笛卡尔乘积方式生成字典列表
    • 随机的UserAgent、XFF、X-Real-IP、Referer
    • 自定义404页面识别 (页面相似度、页面关键词)
    • 识别自定义302跳转
    • 过滤无效Content-Type,无效状态吗
    • 保存url、title、contype、rsp_len、rsp_code
    • 大文件识别,扫描url时将添加stream=True方式,这样不会遇到大文件就全部加载。
  • Vuln
    • 将一个主机多个HTTP端口加入POC目标
    • 根据指纹、端口服务来调用POC
    • 未授权、反序列化、RCE、Sqli...
  • Crawl
    • 通过爬虫提取动态参数,去参去重
    • Js 文件信息泄露 (phone,apikey,email,ip,domain,todo)
    • HTML 注释泄露 (phone,email,domain,ip,todo)
  • Report
    • 结果存入Sqlite3数据库
    • 入库去重,检测到已有项目将不在扫描
    • 生成html报告

Usage

python3 Vxscan.py -h

optional arguments:
  -h, --help            show this help message and exit  
  -u URL, --url URL     Start scanning this url -u xxx.com  
  -i INET, --inet INET  cidr eg. 1.1.1.1 or 1.1.1.0/24  
  -s SAVE, --save SAVE  save in dbfile  
  -f FILE, --file FILE  read the url from the file  

1. 扫描一个网站
python3 vxscan.py -u http://www.xxx.com/
2. 从文件列表里扫描网站
python3 vxscan.py -f hosts.txt
3. 扫描一个C段
python3 vxscan.py -i 127.0.0.0/24

Structure

/
├─Vxscan.py  主文件
├─data
│  ├─path  urls路径
│  ├─apps.json  Web指纹信息
│  ├─apps.txt  Web指纹信息(WEBEYE)
│  ├─GeoLite2-ASN.mmdb      geoip
│  ├─GeoLite2-City.mmdb     asn
├─doc    存放一些图片或者文档资源
├─report    html报告相关内容
├─lib  
│  ├─bcolor.py    终端颜色输出  
│  ├─cli_output.py   终端输出
│  ├─common.py    判断CDN、端口扫描、POC扫描等
│  ├─iscdn.py     根据ip段和asn范围来判断IP是不是CDN
│  ├─options.py     选项设置
│  ├─random_header.py   自定义header头
│  ├─Requests.py   封装的requests库,做一些自定义设置
│  ├─settings.py      设置脚本
│  ├─sqldb.py      所有与sqlite3有关的都在这里
│  ├─url.py     对抓取的连接进行去重
│  ├─verify.py     script脚本提供验证接口
│  ├─vuln.py      批量调用POC扫描
│  ├─waf.py     waf规则
│  ├─webinfo.py  web信息获取   
├─script  
│  ├─Poc.py         Poc脚本
│  ├─......
├─Plugins
│  ├─ActiveReconnaissance
│    ├─active.py         判断主机存活并且验证dns解析
│    ├─check_waf.py      判断网站waf
│    ├─crawl.py         抓取网站连接并测试
│    ├─osdetect.py      操作系统识别
│  ├─InformationGathering
│    ├─geoip.py         地理位置查询
│    ├─js_leaks.py      js信息泄露
│  ├─PassiveReconnaissance
│    ├─ip_history.py        pdns接口
│    ├─reverse_domain.py    旁站查询
│    ├─virustotal.py        VT Pdns查询
│    ├─wappalyzer.py      CMS被动指纹识别
│  ├─Scanning
│    ├─async_scan   异步扫描
│    ├─dir_scan     目录扫描
│    ├─port_scan    端口扫描

├─requirements.txt
├─report.py         html 报告生成
├─logo.jpg
├─error.log

SETTING

# coding=utf-8

# 全局超时时间
TIMEOUT = 5

# 国家验证
VERIFY_COUNTRY = True

# 要排除的状态吗
BLOCK_CODE = [0, 308, 400, 401, 403, 404, 405, 406, 408, 410, 411, 417, 418, 429, 493, 500, 502, 503, 504, 999]
# 设置扫描线程
THREADS = 100
# 要排除的 内容类型
BLOCK_CONTYPE = [
    'image/jpeg', 'image/gif', 'image/png', 'application/javascript', 'application/x-javascript', 'text/css',
    'application/x-shockwave-flash', 'text/javascript', 'image/x-icon', 'x-icon'
]

# 是否启动目录扫描
SCANDIR = True

# 是否启动POC插件
POC = True

# 是否开启抓取插件
CRAWL = False

# 如果存在于结果db中就跳过
CHECK_DB = False

# 无效的404页面
PAGE_404 = [
    'page_404"', "404.png", '找不到页面', '页面找不到', "Not Found", "访问的页面不存在",
    "page does't exist", 'notice_404', '404 not found'
]

# ping探测
PING = True

# 设置代理
# SOCKS5 = ('127.0.0.1', 1080)
SOCKS5 = ()

# shodan
SHODAN_API = ''

# VT接口
VIRUSTOTAL_API = ''

# 设置cookie
COOKIE = 'random'
# COOKIE = {'Cookie': 'SRCtest'}

POC

1. 根据端口开放或者指纹识别结果来调用POC
在script目录下新建python文件,定义好check函数,传进来的参数主要是ip地址、端口列表、指纹识别列表,然后将结果return回去:

import pymongo
from lib.verify import verify

timeout = 2
vuln = ['27017', 'Mongodb']

def check(url, ip, ports, apps):
    # verify用来验证扫描列表中是否有Mongodb相关的结果,如果端口没有开启则不进行扫描
    if verify(vuln, ports, apps):
        try:
            conn = pymongo.MongoClient(host=ip, port=27017, serverSelectionTimeoutMS=timeout)
            database_list = conn.list_database_names()
            if not database_list:
                conn.close()
                return
            conn.close()
            return '27017 MongoDB Unauthorized Access'
        except Exception as e:
            pass

2. 在目标IP开放的每个HTTP端口上遍历一遍
根据传递过来的端口服务列表生成要扫描的url,然后在每个web端口中去访问一遍,下面脚本会获取ip每个http端口的标题

from lib.verify import get_list
from lib.random_header import HEADERS
from lxml import etree
import requests

def get_title(url):
    try:
        r = requests.get(url, headers=HEADERS, timeout=3, verify=False)
        html = etree.HTML(r.text)
        title = html.xpath('//title/text()')
        return url + ' | ' + title[0]
    except:
        pass


def check(url, ip, ports, apps):
    result = []
    probe = get_list(ip, ports)
    for i in probe:
        out = get_title(i)
        if out:
            result.append(out)
    return result

Fingerprint

如何添加指纹识别特征
修改data/apps.txt文件内容
1. 匹配HTTP Header头
Cacti|headers|Set-Cookie|Cacti=
2. 匹配HTTP响应体
ASP|index|index|<a[^>]?href=('|")[^http][^>]?.asp(?|#|\1)
3. 拆分Headers头,在k或者v中匹配
ThinkSNS|match|match|T3_lang

Waf/CDN list

360
360wzws
Anquanbao
Armor
BaiduYunjiasu
AWS WAF
AdNovum
Airee CDN
Art of Defence HyperGuard
ArvanCloud
Barracuda NG
Beluga CDN
BinarySEC
BlockDoS
Bluedon IST
CacheFly CDN
ChinaCache CDN
Cisco ACE XML Gateway
CloudFlare CDN
Cloudfront CDN
Comodo
CompState
DenyALL WAF
DenyAll
Distil Firewall
DoSArrest Internet Security
F5 BIG-IP APM
F5 BIG-IP ASM
F5-TrafficShield
Fastly CDN
FortiWeb
FortiWeb Firewall
GoDaddy
GreyWizard Firewall
HuaweiCloudWAF
HyperGuard Firewall
IBM DataPower
ISAServer
Immunify360
Imperva SecureSphere
Incapsula CDN
Jiasule
KONA
KeyCDN
ModSecurity
NGENIX CDN
NSFOCUS
Naxsi
NetContinuum
NetContinuum WAF
Neusoft SEnginx
Newdefend
Palo Alto Firewall
PerimeterX Firewall
PowerCDN
Profense
Qiniu CDN
Reblaze Firewall
SDWAF
Safe3
Safedog
SiteLock TrueShield
SonicWALL
SonicWall
Sophos UTM Firewall
Stingray
Sucuri
Teros WAF
Usp-Sec
Varnish
Wallarm
WatchGuard
WebKnight
West263CDN
Yundun
Yunsuo
ZenEdge Firewall
aesecure
aliyun
azion CDN
cloudflare CDN
dotDefender
limelight CDN
maxcdn CDN
mod_security
yunsuo

Output

image image image

Note

指纹识别主要调用Wappalyzer与WebEye:
https://github.com/b4ubles/python3-Wappalyzer
https://github.com/zerokeeper/WebEye
Poc参考了:
BBscan扫描器 https://github.com/lijiejie/BBScan
POC-T https://github.com/Xyntax/POC-T/tree/2.0/script
Perun https://github.com/WyAtu/Perun
参考了anthx的端口扫描、服务判断: https://raw.githubusercontent.com/AnthraX1/InsightScan/master/scanner.py
js敏感信息正则提取参考了:
https://github.com/nsonaniya2010/SubDomainizer
WAF判断使用的是waf00f与whatwaf的判断规则:
https://github.com/EnableSecurity/wafw00f
https://github.com/Ekultek/WhatWaf
html报告使用了:
https://github.com/WyAtu/Perun https://github.com/ly1102

请使用者遵守《中华人民共和国网络安全法》,勿用于非授权测试,如作他用所承受的法律责任一概与作者无关,下载使用即代表使用者同意上述观点

Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

简介

python3写的综合扫描工具,主要用来存活验证,敏感文件探测(目录扫描/js泄露接口/html注释泄露),WAF/CDN识别,端口扫描,指纹/服务识别,操作系统识别,POC扫描,SQL注入,绕过CDN,查询旁站等功能,主要用来甲方自测或乙方授权测试,请勿用来搞破坏。 展开 收起
Apache-2.0
取消

发行版

暂无发行版

贡献者

全部

近期动态

加载更多
不能加载更多了
1
https://gitee.com/xiaoshen2017/Vxscan.git
git@gitee.com:xiaoshen2017/Vxscan.git
xiaoshen2017
Vxscan
Vxscan
master

搜索帮助

14c37bed 8189591 565d56ea 8189591