enumeration/tools/remoterecon.py

#!/usr/bin/python

###################################################
#
#   RemoteRecon - written by Justin Ohneiser
# ------------------------------------------------
# Inspired by reconscan.py by Mike Czumak
#
# This program will conduct full reconnaissance
# on a target using three steps:
#   1. Light NMAP scan -> to identify services
#   2. Modular enumeration for each service
#   3. Heavy NMAP scan
#
# [Warning]:
# This script comes as-is with no promise of functionality or accuracy.  I strictly wrote it for personal use
# I have no plans to maintain updates, I did not write it to be efficient and in some cases you may find the
# functions may not produce the desired results so use at your own risk/discretion. I wrote this script to
# target machines in a lab environment so please only use it against systems for which you have permission!!
#-------------------------------------------------------------------------------------------------------------
# [Modification, Distribution, and Attribution]:
# You are free to modify and/or distribute this script as you wish.  I only ask that you maintain original
# author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
# worth anything anyway :)
#
# Designed for use in Kali Linux 4.6.0-kali1-686
###################################################

import os, sys, subprocess, re, urlparse

class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

# ------------------------------------
#       Toolbox
# ------------------------------------

def printHeader(target):
    print ""
    print "###################################################"
    print "##   Enumerating %s" % target
    print "##"
    print "###################################################"
    print ""

def printUsage():
    print "Usage: %s <target ip>" % sys.argv[0]

def printPlus(message):
    print bcolors.OKGREEN + "[+] " + message + bcolors.ENDC

def printMinus(message):
    print bcolors.WARNING + "[-] " + message + bcolors.ENDC

def printStd(message):
    print "[*] " + message

def printErr(message):
    print bcolors.FAIL + "[!] " + message + bcolors.ENDC

def printDbg(message):
    print bcolors.OKBLUE + "[?] " + message + bcolors.ENDC

def printInBox(command, result):
    top =   "###################################################"
    bot =   "==================================================="
    sub =   "---------------------------------------------------"
    return "%s\n\n%s\n\n%s\n\n%s\n%s\n" % (top, command, sub, result, bot)

def parseNmapScan(results):
    services = {}
    lines = results.split("\n")
    for line in lines:
        ports = []
        line = line.strip()
        if ("tcp" in line or "udp" in line) and ("open" in line) and not ("filtered" in line) and not ("Discovered" in line):
            while "  " in line:
                line = line.replace("  ", " ");
            linesplit = line.split(" ")
            service = linesplit[2]
            port = linesplit[0]
            if service in services:
                ports = services[service]
            ports.append(port)
            services[service] = ports
    return services

def dispatchModules(target, services):
    for service in services:
        ports = services[service]
        if service in KNOWN_SERVICES:
            try:
                KNOWN_SERVICES[service](target, ports)
            except AttributeError:
                printDbg("No module available for %s - %s" % (service, ports))
        else:
            printDbg("No module available for %s - %s" % (service, ports))

def validate_ip(s):
    a = s.split('.')
    if len(a) != 4:
        return False
    for x in a:
        if not x.isdigit():
            return False
        i = int(x)
        if i < 0 or i > 255:
            return False
    return True

def parse_ip(s):
    urls = re.findall("http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+", s)
    for url in urls:
        url = url.lower()
    return list(set(urls))

def parse_ip_directories(s):
    urls = re.findall("http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+/", s)
    for url in urls:
        url = url.lower()
    return list(set(urls))

# ------------------------------------
#       Setup
# ------------------------------------

def prepareFolder(target):
    printStd("Preparing portfolio")
    directory = "%s/%s" % (os.getcwd(), target)
    if not os.path.exists(directory):
        os.makedirs(directory)
        return None
    return directory

def writeToFile(target, name, content):
    path = "%s/%s/%s.txt" % (os.getcwd(), target, name)
    file = open(path, "a+")
    file.write(content)
    file.close()
    return path

# ------------------------------------
#       Scans
# ------------------------------------

# Light NMAP
# ========================
def conductLightNmap(target):
    printStd("Conducting light nmap scan")
    NAME = "nmap_light"

    # Conduct Scan #
    TCPSCAN = "nmap %s" % target
    UDPSCAN = "nmap -sU -p 161 %s" % target
    tcpResults = ""
    udpResults = ""
    try:
        tcpResults = subprocess.check_output(TCPSCAN, shell=True)
        udpResults = subprocess.check_output(UDPSCAN, shell=True)
        print "%s" % tcpResults

        # Write Results #
        content = "%s" % printInBox(TCPSCAN, tcpResults)
        path = writeToFile(target, NAME, content)
        
        printPlus("Finished light nmap scan: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % TCPSCAN)
    except Exception as e:
        printErr("Unable to conduct light nmap scan:\n\t%s\n\n%s" % (TCPSCAN, e))
        sys.exit(2)

    # Filter Results #
    services = parseNmapScan("%s\n%s" % (tcpResults, udpResults))

    return services
# ========================

# Heavy NMAP
# ========================
def conductHeavyNmap(target):
    printStd("Conducting heavy nmap scan")
    NAME = "nmap_heavy"
    
    # Conduct Heavy nmap Scan #
    TCPSCAN = "nmap -A --top-ports 10000 %s" % target
    try:
        tcpResults = subprocess.check_output(TCPSCAN, shell=True)
        
        # Write Results #
        content = "%s" % printInBox(TCPSCAN, tcpResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished heavy nmap scan: %s/%s/nmap_heavy.txt" % (os.getcwd(), target))
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % TCPSCAN)
    except Exception:
        printErr("Unable to conduct heavy nmap scan:\n\t%s" % TCPSCAN)

    printStd("Conducting UDP scan")

    # Conduct UDP Scan #
    UDPSCAN = "nmap -sU --top-ports 100 %s" % target
    try:
        udpResults = subprocess.check_output(UDPSCAN, shell=True)
        
        # Write Results #
        content = "%s" % printInBox(UDPSCAN, udpResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished UDP scan: %s/%s/nmap_heavy.txt" % (os.getcwd(), target))
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % UDPSCAN)
    except Exception:
        printErr("Unable to conduct UDP scan:\n\t%s" % UDPSCAN)
# ========================

# FTP
# ========================
def ftp(target, ports):
    printStd("Investigating FTP")
    NAME = "ftp"
    
    # Conduct nmap Scan #
    portString = ""
    for port in ports:
        port = port.split("/")[0]
        portString += "%s," % port
    SCRIPTS = "ftp-vuln-*, ftp-anon"
    NMAPSCAN = "nmap -p %s -sV -sC --script=\"%s\" %s" % (portString, SCRIPTS, target)
    try:
        nmapResults = subprocess.check_output(NMAPSCAN, shell=True)

        # Write Results #
        content = "%s" % printInBox(NMAPSCAN, nmapResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished investigating FTP: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % NMAPSCAN)
    except Exception:
        printErr("Unable to conduct FTP scan:\n\t%s" % NMAPSCAN)
# ========================

# SMTP
# ========================
def smtp(target, ports):
    printStd("Investigating SMTP")
    NAME = "smtp"

    # Conduct nmap Scan #
    portString = ""
    for port in ports:
        port = port.split("/")[0]
        portString += "%s," % port
    NMAPSCAN = "nmap -p %s -sV --script=\"smtp-vuln*\" %s" % (portString, target)
    try:
        nmapscanResults = subprocess.check_output(NMAPSCAN, shell=True)

        # Write Results #
        content = "%s" % printInBox(NMAPSCAN, nmapscanResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished scanning SMTP: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % NMAPSCAN)
    except Exception:
        printErr("Unable to conduct SMTP scan:\n\t%s" % NMAPSCAN)

    # Conduct Brute #
    printStd("Trying to brute-force SMTP users")
    SCAN1 = "smtp-user-enum -M EXPN -U /usr/share/fern-wifi-cracker/extras/wordlists/common.txt -t %s" % target
    try:
        scan1Results = subprocess.check_output(SCAN1, shell=True)
        
        # Write Results #
        content = "%s" % (printInBox(SCAN1, scan1Results))
        path = writeToFile(target, NAME, content)
        printPlus("Finished investigating SMTP: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % SCAN1)
    except Exception:
        printErr("Unable to conduct SMTP brute force:\n\t%s\n\t%s" % SCAN1)
# ========================

# POP3
# ========================
def pop3(target, ports):
    printStd("Investigating POP3")
    NAME = "pop3"
    
    # Conduct Basic Scan"
    portString = ""
    for port in ports:
        port = port.split("/")[0]
        portString += "%s," % port
    NMAPSCAN = "nmap -p %s -sV --script=\"pop3-capabilities,pop3-ntlm-info\" %s" % (portString, target)
    try:
        nmapscanResults = subprocess.check_output(NMAPSCAN, shell=True)

        # Write Results #
        content = "%s" % printInBox(NMAPSCAN, nmapscanResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished enumerating POP3: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % NMAPSCAN)
    except Exception:
        printErr("Unable to enumerate POP3:\n\t%s" % NMAPSCAN)

    # Conduct Brute Force"
    printStd("Trying to brute-force POP3 users")
    BRUTE = "nmap -p %s --script=\"pop3-brute\" %s" % (portString, target)
    try:
        bruteResults = subprocess.check_output(BRUTE, shell=True)

        # Write Results #
        content = "%s" % printInBox(BRUTE, bruteResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished investigating POP3: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % BRUTE)
    except Exception:
        printErr("Unable to brute-force POP3 users:\n\t%s" % BRUTE)
# ========================

# IMAP
# ========================
def imap(target, ports):
    printStd("Investigating IMAP")
    NAME = "imap"
    
    # Conduct Basic Scan"
    portString = ""
    for port in ports:
        port = port.split("/")[0]
        portString += "%s," % port
    NMAPSCAN = "nmap -p %s -sV --script=\"imap-capabilities,imap-ntlm-info\" %s" % (portString, target)
    try:
        nmapscanResults = subprocess.check_output(NMAPSCAN, shell=True)
        
        # Write Results #
        content = "%s" % printInBox(NMAPSCAN, nmapscanResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished enumerating IMAP: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % NMAPSCAN)
    except Exception:
        printErr("Unable to enumerate IMAP:\n\t%s" % NMAPSCAN)

    # Conduct Brute Force"
    printStd("Trying to brute-force IMAP users")
    BRUTE = "nmap -p %s --script=\"imap-brute\" %s" % (portString, target)
    try:
        bruteResults = subprocess.check_output(BRUTE, shell=True)
        
        # Write Results #
        content = "%s" % printInBox(BRUTE, bruteResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished investigating IMAP: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % BRUTE)
    except Exception:
        printErr("Unable to brute-force IMAP users:\n\t%s" % BRUTE)
# ========================

# SMB
# ========================
def smb(target, ports):
    printStd("Investigating SMB")
    NAME = "smb"

    # Conduct Vulnerability Scans #
    SCAN1 = "nmap -sV -sC --script=\"smb-vuln-*,samba-vuln-*\" -p 445,139 %s" % target
    SCAN2 = "nmap -sU -sV -sC --script=\"smb-vuln-*\" -p U:137,T:139 %s" % target
    try:
        scan1Results = subprocess.check_output(SCAN1, shell=True)
        scan2Results = subprocess.check_output(SCAN2, shell=True)

        # Write Results #
        content = "%s\n%s" % (printInBox(SCAN1, scan1Results), printInBox(SCAN2, scan2Results))
        path = writeToFile(target, NAME, content)
        printPlus("Finished investigating SMB Vulnerabilities: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s\n\t%s" % (SCAN1, SCAN2))
    except Exception:
        printErr("Unable to conduct SMB vulnerability scan:\n\t%s\n\t%s" % (SCAN1, SCAN2))

    # Conduct Scan #
    printStd("Investigating SMB Access")
    LOOKUP = "nmblookup -A %s" % target
    SCAN = "enum4linux %s" % target
    ADVICE = "use :: smbclient //<server>/<share> -I <target ip> -N :: to mount shared drive anonymously"
    try:
        # Lookup #
        lookupResults = subprocess.check_output(LOOKUP, shell=True)

        # Write Results #
        content = "%s" % printInBox(LOOKUP, lookupResults)
        path = writeToFile(target, NAME, content)
        
        # Scan #
        scanResults = subprocess.check_output(SCAN, shell=True)

        # Write Results #
        content = "%s" % printInBox(SCAN, "%s\n\n%s" % (scanResults, ADVICE))
        path = writeToFile(target, NAME, content)
        printPlus("Finished investigating SMB: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % SCAN)
    except Exception:
        printErr("Unable to conduct SMB scan:\n\t%s" % SCAN)
# ========================

# HTTP
# ========================
def http(target, ports):
    printStd("Investigating HTTP")
    NAME = "http"

    # Conduct nmap Scan #
    SCRIPTS = "http-methods,http-robots.txt,http-vuln-*,http-userdir-enum,http-iis-webdav-vuln,http-majordomo2-dir-traversal,http-axis2-dir-traversal,http-tplink-dir-traversal,http-useragent-tester"
    
    portString = ""
    for port in ports:
        port = port.split("/")[0]
        portString += "%s," % port
    NMAPSCAN = "nmap -p %s -sC -sV --script=\"%s\" %s" % (portString, SCRIPTS, target)
    try:
        nmapscanResults = subprocess.check_output(NMAPSCAN, shell=True)

        # Write Results #
        content = "%s" % printInBox(NMAPSCAN, nmapscanResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished scanning HTTP: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % NMAPSCAN)
    except Exception:
        printErr("Unable to conduct HTTP scan:\n\t%s" % NMAPSCAN)

    # Conduct WebDav Scan #
    printStd("Trying to identify WebDav")
    WEBDAVSCAN = "nmap -p %s --script http-webdav-scan %s -d 2>/dev/null | grep 'http-webdav-scan %s'" % (portString, target, target)
    try:
        webdavscanResults = subprocess.check_output(WEBDAVSCAN, shell=True)

        # Write Results #
        content = "%s" % printInBox(WEBDAVSCAN, webdavscanResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished scanning WebDav: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % WEBDAVSCAN)
    except subprocess.CalledProcessError as ex:
        if ex.returncode != 1:
            raise Exception
    except Exception:
        printErr("Unable to perform WebDav analysis:\n\t%s" % WEBDAVSCAN)

    # Conduct Brute #
    for port in ports:
        urlArr = []
        urlDir = ["/"]
        port = port.split("/")[0]
        printStd("Trying to brute-force HTTP directories on port %s" % port)
        DIRB = "dirb http://%s:%s /usr/share/wordlists/dirb/common.txt -S -r" % (target, port)
        try:
            dirbResults = subprocess.check_output(DIRB, shell=True)

            # Parse Results for Spider #
            urlArr = parse_ip(dirbResults)
            urlDir = parse_ip_directories(dirbResults)
            
            # Write Results #
            content = "%s" % printInBox(DIRB, dirbResults)
            path = writeToFile(target, NAME, content)
            printPlus("Finished HTTP brute-force against port %s: %s - Found: %s" % (port, path, len(urlArr)))
        except KeyboardInterrupt:
            printMinus("Skipping:\n\t%s" % DIRB)
        except Exception:
            printErr("Unable to brute-force HTTP on port %s:\n\t%s" % (port, DIRB))

        # Conduct Spider #
        SCRIPTS = "http-shellshock,http-auth-finder,http-backup-finder,http-comments-displayer,http-config-backup,http-default-accounts,http-dombased-xss,http-errors,http-fileupload-exploiter,http-method-tamper,http-passwd,http-phpmyadmin-dir-traversal,http-phpself-xss,http-rfi-spider,http-sitemap-generator,http-sql-injection,http-stored-xss,http-unsafe-output-escaping"

        # Spidered Vulnerability Scans
        for url in urlDir:
            # Nikto Scan #
            NIKTO = "nikto -host http://%s:%s -root %s" % (target, port, urlparse.urlparse(url).path)
            try:
                printStd("Crawling %s for vulnerabilities (nikto)" % url)
            
                niktoResults = subprocess.check_output(NIKTO, shell=True)
                # ...sometimes this doesn't work...?
                if "0 host(s) tested" in niktoResults:
                    niktoResults = subprocess.check_output(NIKTO, shell=True)
            
                if "0 host(s) tested" in niktoResults:
                    printDbg(niktoResults)
                    raise Exception
            
                # Write Results #
                content = "%s" % printInBox(NIKTO, niktoResults)
                path = writeToFile(target, NAME, content)
                printPlus("Finished crawling %s for vulnerabilities (nikto): %s" % (url, path))
            
            except KeyboardInterrupt:
                printMinus("Skipping:\n\t%s" % NIKTO)
            except Exception as e:
                print str(e)
                printErr("Unable to conduct HTTP vulnerability crawl (nikto):\n\t%s" % NIKTO)

            # Nmap Scan #
            SCRIPTARGS = "http-shellshock.uri=%(url)s,http-backup-finder.url=%(url)s,http-config-backup.path=%(url)s,http-default-accounts.category=web,http-default-accounts.basepath=%(url)s,httpspider.url=%(url)s,http-method-tamper.uri=%(url)s,http-passwd.root=%(url)s,http-phpmyadmin-dir-traversal.dir=%(url)s,http-phpself-xss.uri=%(url)s,http-rfi-spider.url=%(url)s,http-sitemap-generator.url=%(url)s,http-sql-injection.url=%(url)s,http-unsafe-output-escaping.url=%(url)s" % {"url":urlparse.urlparse(url).path}
            VULNSCAN = "nmap -p %s %s --script=\"%s\" --script-args=\"%s\" 2>&1" % (port, target, SCRIPTS, SCRIPTARGS)
            try:
                printStd("Crawling %s for vulnerabilities (nmap)" % url)
                vulnscanResults = subprocess.check_output(VULNSCAN, shell=True)

                # Write Results #
                content = "%s" % printInBox(VULNSCAN, vulnscanResults)
                path = writeToFile(target, NAME, content)
                printPlus("Finished crawling %s for vulnerabilities (nmap): %s" % (url, path))

            except KeyboardInterrupt:
                printMinus("Skipping:\n\t%s" % VULNSCAN)
            except Exception:
                printErr("Unable to conduct HTTP vulnerability crawl (nmap):\n\t%s" % VULNSCAN)

# ========================

# HTTPS
# ========================
def https(target, ports):
    printStd("Investigating HTTPS")
    NAME = "https"
    
    # Conduct NMAP Scan #
    SCRIPTS = "http-methods,http-robots.txt,http-vuln-*,http-shellshock,http-userdir-enum,http-iis-webdav-vuln,http-majordomo2-dir-traversal,http-axis2-dir-traversal,http-tplink-dir-traversal,http-useragent-tester,ssl-*"

    portString = ""
    for port in ports:
        port = port.split("/")[0]
        portString += "%s," % port
    NMAPSCAN = "nmap -p %s -sV -sC --script=\"%s\" %s" % (portString, SCRIPTS, target)
    try:
        nmapscanResults = subprocess.check_output(NMAPSCAN, shell=True)

        # Write Scan Results #
        content = "%s" % printInBox(NMAPSCAN, nmapscanResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished scanning HTTPS: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % NMAPSCAN)
    except Exception:
        printErr("Unable to conduct HTTPS scan:\n\t%s" % NMAPSCAN)

    # Conduct WebDav Scan #
    printStd("Trying to identify WebDav")
    WEBDAVSCAN = "nmap -p %s --script http-webdav-scan %s -d 2>/dev/null | grep 'http-webdav-scan %s'" % (portString, target, target)
    try:
        webdavscanResults = subprocess.check_output(WEBDAVSCAN, shell=True)
        
        # Write Results #
        content = "%s" % printInBox(WEBDAVSCAN, webdavscanResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished scanning WebDav: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % WEBDAVSCAN)
    except subprocess.CalledProcessError as ex:
        if ex.returncode != 1:
            raise Exception
    except Exception:
        printErr("Unable to perform WebDav analysis:\n\t%s" % WEBDAVSCAN)

    # Conduct Brute #
    for port in ports:
        urlArr = []
        urlDir = ["/"]
        port = port.split("/")[0]
        printStd("Trying to brute-force HTTPS directories on port %s" % port)
        DIRB = "dirb https://%s:%s /usr/share/wordlists/dirb/common.txt -S -r" % (target, port)
        try:
            dirbResults = subprocess.check_output(DIRB, shell=True)
            
            # Parse Results for Spider #
            urlArr = parse_ip(dirbResults)
            urlDir = parse_ip_directories(dirbResults)
            
            # Write Results #
            content = "%s" % printInBox(DIRB, dirbResults)
            path = writeToFile(target, NAME, content)
            printPlus("Finished HTTPS brute-force against port %s: %s - Found: %s" % (port, path, len(urlArr)))
        except KeyboardInterrupt:
            printMinus("Skipping:\n\t%s" % DIRB)
        except Exception:
            printErr("Unable to brute-force HTTPS on port %s:\n\t%s" % (port, DIRB))
        
        # Conduct Spider #
        SCRIPTS = "http-auth-finder,http-backup-finder,http-comments-displayer,http-config-backup,http-default-accounts,http-dombased-xss,http-errors,http-fileupload-exploiter,http-method-tamper,http-passwd,http-phpmyadmin-dir-traversal,http-phpself-xss,http-rfi-spider,http-sitemap-generator,http-sql-injection,http-stored-xss,http-unsafe-output-escaping"

        # Spidered Vulnerability Scans
        for url in urlDir:
            # Nikto Scan #
            NIKTO = "nikto -host https://%s:%s -root %s -ssl" % (target, port, urlparse.urlparse(url).path)
            try:
                printStd("Crawling %s for vulnerabilities (nikto)" % url)
                
                niktoResults = subprocess.check_output(NIKTO, shell=True)
                # ...sometimes this doesn't work...?
                if "0 host(s) tested" in niktoResults:
                    niktoResults = subprocess.check_output(NIKTO, shell=True)
                
                if "0 host(s) tested" in niktoResults:
                    raise Exception
                
                # Write Results #
                content = "%s" % printInBox(NIKTO, niktoResults)
                path = writeToFile(target, NAME, content)
                printPlus("Finished crawling %s for vulnerabilities (nikto): %s" % (url, path))
            
            except KeyboardInterrupt:
                printMinus("Skipping:\n\t%s" % NIKTO)
            except Exception:
                printErr("Unable to conduct HTTPS vulnerability crawl (nikto):\n\t%s" % NIKTO)
            
            # Nmap Scan #
            SCRIPTARGS = "http-backup-finder.url=%(url)s,http-config-backup.path=%(url)s,http-default-accounts.category=web,http-default-accounts.basepath=%(url)s,httpspider.url=%(url)s,http-method-tamper.uri=%(url)s,http-passwd.root=%(url)s,http-phpmyadmin-dir-traversal.dir=%(url)s,http-phpself-xss.uri=%(url)s,http-rfi-spider.url=%(url)s,http-sitemap-generator.url=%(url)s,http-sql-injection.url=%(url)s,http-unsafe-output-escaping.url=%(url)s" % {"url":urlparse.urlparse(url).path}
            VULNSCAN = "nmap -p %s %s --script=\"%s\" --script-args=\"%s\" 2>&1" % (port, target, SCRIPTS, SCRIPTARGS)
            try:
                printStd("Crawling %s for vulnerabilities (nmap)" % url)
                vulnscanResults = subprocess.check_output(VULNSCAN, shell=True)
                
                # Write Results #
                content = "%s" % printInBox(VULNSCAN, vulnscanResults)
                path = writeToFile(target, NAME, content)
                printPlus("Finished crawling %s for vulnerabilities (nmap): %s" % (url, path))

            except KeyboardInterrupt:
                printMinus("Skipping:\n\t%s" % VULNSCAN)
            except Exception:
                printErr("Unable to conduct HTTPS vulnerability crawl (nmap):\n\t%s" % VULNSCAN)
# ========================

# SNMP
# ========================
def snmp(target, ports):
    printStd("Investigating SNMP")
    NAME = "snmp"

    # Conduct Scans #
    portString = ""
    for port in ports:
        port = port.split("/")[0]
        portString += "%s," % port
    NMAPSCAN = "nmap -sU -p %s --script=\"snmp-*\" %s" % (portString, target)

    ONESIXTYONE = "onesixtyone -c /usr/share/doc/onesixtyone/dict.txt %s 2>&1" % target
    ADVICE = "If match community string, use :: snmpwalk -c <community string> -v1 %s :: to enumerate" % target
    foundCount = 0
    try:
        nmapscanResults = subprocess.check_output(NMAPSCAN, shell=True)

        # Write Results #
        content = "%s" % printInBox(NMAPSCAN, nmapscanResults)
        path = writeToFile(target, NAME, content)
        
        onesixtyoneResults = subprocess.check_output(ONESIXTYONE, shell=True)
        foundCount = len(onesixtyoneResults.split('\n')) - 1
        
        # Write Results #
        content = "%s" % printInBox(ONESIXTYONE, onesixtyoneResults)
        path = writeToFile(target, NAME, content)
        
        printPlus("Finished investigating SNMP: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % ONESIXTYONE)
    except Exception:
        printErr("Unable to conduct SNMP scan:\n\t%s" % ONESIXTYONE)

    if foundCount > 1:
        printStd("Mapping SNMP")
        WALK = "for s in $(onesixtyone -c /usr/share/doc/onesixtyone/dict.txt %s | grep %s | cut -d ' ' -f 2 | sed -e 's/\[//g' -e 's/\]//g');do snmpwalk -c $s -v1 %s;done" % (target, target, target)
        try:
            walkResults = subprocess.check_output(WALK, shell=True)

            # Write Results #
            content = "%s" % printInBox(WALK, walkResults)
            path = writeToFile(target, NAME, content)

            printPlus("Finished mapping SNMP: %s" % path)
        except KeyboardInterrupt:
            printMinus("Skipping:\n\t%s" % WALK)
        except Exception:
            printErr("unable to map SNMP:\n\t%s" % WALK)
# ========================

# MS-SQL
# ========================
def ms_sql(target, ports):
    printStd("Investigating MS-SQL")
    NAME = "ms_sql"

    # Conduct nmap Scan #
    portString = ""
    for port in ports:
        port = port.split("/")[0]
        portString += "%s," % port
    NMAPSCAN = "nmap -p %s -sV -sC %s" % (portString, target)
    try:
        nmapscanResults = subprocess.check_output(NMAPSCAN, shell=True)

        # Write Scan Results #
        content = "%s" % printInBox(NMAPSCAN, nmapscanResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished scanning MS-SQL: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % NMAPSCAN)
    except Exception:
        printErr("Unable to conduct MS-SQL scan:\n\t%s" % NMAPSCAN)

    # Conduct Brute #
    printStd("Trying to brute-force MS-SQL")
    BRUTE = "medusa -h %s -U /usr/share/wordlists/metasploit/default_users_for_services_unhash.txt -P /usr/share/wordlists/metasploit/default_pass_for_services_unhash.txt -M mssql -L -f 2>&1" % (target)
    try:
        bruteResults = subprocess.check_output(BRUTE, shell=True)

        # Write Brute Results #
        content = "%s" % printInBox(BRUTE, bruteResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished conducting MS-SQL brute-force: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % BRUTE)
    except Exception:
        printErr("Unable to conduct MS-SQL brute-force:\n\t%s" % BRUTE)
# ========================

# MySQL
# ========================
def mysql(target, ports):
    printStd("Investigating MySQL")
    NAME = "mysql"
    
    # Conduct nmap Scan #
    portString = ""
    for port in ports:
        port = port.split("/")[0]
        portString += "%s," % port
    NMAPSCAN = "nmap -p %s -sV -sC %s" % (portString, target)
    try:
        nmapscanResults = subprocess.check_output(NMAPSCAN, shell=True)

        # Write Scan Results #
        content = "%s" % printInBox(NMAPSCAN, nmapscanResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished scanning MySQL: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % NMAPSCAN)
    except Exception:
        printMinus("Unable to conduct MySQL scan:\n\t%s" % NMAPSCAN)

    # Conduct Brute #
    printStd("Trying to brute-force MySQL")
    BRUTE = "medusa -h %s -U /usr/share/wordlists/metasploit/default_users_for_services_unhash.txt -P /usr/share/wordlists/metasploit/default_pass_for_services_unhash.txt -M mysql -L -f 2>&1" % (target)
    try:
        bruteResults = subprocess.check_output(BRUTE, shell=True)

        # Write Brute Results #
        content = "%s" % printInBox(BRUTE, bruteResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished conducting MySQL brute-force: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % BRUTE)
    except Exception:
        printErr("Unable to conudct MySQL brute-foce:\n\t%s" % BRUTE)
# ========================
# NFS
# ========================
def nfs(target, ports):
    printStd("Investigating NFS")
    NAME = "nfs"
    
    # Conduct rpcinfo #
    RPCINFO = "rpcinfo -s %s" % target
    try:
        rpcinfoResults = subprocess.check_output(RPCINFO, shell=True)
    
        # Write Results #
        content = "%s" % printInBox(RPCINFO, rpcinfoResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished scanning RPC processes: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % RPCINFO)
    except Exception:
        printErr("Unable to scan RPC processes:\n\t%s" % RPCINFO)
    
    # Conduct showmount #
    printStd("Capturing accessible NFS shares")
    SHOWMOUNT = "showmount -e %s" % target
    ADVICE = "Use :: mount -t ntf %s:[share] /mnt/%s -o nolock :: to mount share"
    try:
        showmountResults = subprocess.check_output(SHOWMOUNT, shell=True)
    
        # Write Results #
        content = "%s" % printInBox(SHOWMOUNT, "%s\n\n%s" % (showmountResults, ADVICE))
        path = writeToFile(target, NAME, content)
        printPlus("Captured accessible NFS shares: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % SHOWMOUNT)
    except Exception:
        printErr("Unable to capture accessible NFS shares:\n\t%s" % SHOWMOUNT)
    
    # Conduct nmap Scan #
    printStd("Exploring accessible NFS shares")
    portString = ""
    for port in ports:
        port = port.split("/")[0]
        portString += "%s," % port
    NMAPSCAN = "nmap -p %s -sV -sC --script=\"nfs-showmount,nfs-ls\" %s" % (portString, target)
    try:
        nmapResults = subprocess.check_output(NMAPSCAN, shell=True)
        
        # Write Results #
        content = "%s" % printInBox(NMAPSCAN, nmapResults)
        path = writeToFile(target, NAME, content)
        printPlus("Finished investigating NFS: %s" % path)
    except KeyboardInterrupt:
        printMinus("Skipping:\n\t%s" % NMAPSCAN)
    except Exception:
        printErr("Unable to conduct NFS scan:\n\t%s" % NMAPSCAN)
# ========================

# ------------------------------------
#       Main
# ------------------------------------

KNOWN_SERVICES = {
    "ftp"           :   ftp,
    "smtp"          :   smtp,
    "pop3"          :   pop3,
    "imap"          :   imap,
    "netbios-ssn"   :   smb,
    "http"          :   http,
    "http-alt"      :   http,
    "http-proxy"    :   http,
    "https"         :   https,
    "snmp"          :   snmp,
    "ms-sql-s"      :   ms_sql,
    "mysql"         :   mysql,
    "rpcbind"       :   nfs
}

def main(argv):
    if len(sys.argv) != 2:
        printUsage()
        sys.exit(2)
    
    TARGET = sys.argv[1]
    if not validate_ip(TARGET):
        printMinus("Invalid IP Address")
        printUsage()
        sys.exit(2)

    printHeader(TARGET)
    error = prepareFolder(TARGET)
    if None != error:
        printMinus("Portfolio for %s already exists at %s" % (TARGET, error))
        printUsage()
        sys.exit(2)

    try:
        SERVICES = conductLightNmap(TARGET)
        dispatchModules(TARGET, SERVICES)
        conductHeavyNmap(TARGET)
    except KeyboardInterrupt:
        print "\n\nExiting.\n"
        sys.exit(1)

if __name__ == "__main__":
    main(sys.argv[1:])