#!/usr/bin/env python3
import ipaddress
import os
import re
import shlex
import socket
import subprocess
import sys
from multiprocessing.dummy import Pool as ThreadPool
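# Shodan is optional: scanning a subnet needs no API key.
# The key is taken from the SHODAN_API_KEY environment variable so that a real
# credential never has to be written into (and committed with) this file. The
# placeholder string is only the fallback used when the variable is unset.
SHODAN_API_KEY = os.environ.get(
    "SHODAN_API_KEY",
    "Insert your API key here if you want to use Shodan",
)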
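def port_scan(ip):
    """Return ``str(ip)`` if TCP port 3389 accepts a connection, else ``None``.

    Args:
        ip: Target host; it is converted with ``str()`` before use.

    Returns:
        The target as a string when the connection succeeds within one
        second, ``None`` on any connection or resolution failure.
    """
    target = str(ip)
    try:
        # Close the probe socket immediately. Callers run this from a thread
        # pool, and an unclosed socket per open port would hold a file
        # descriptor until garbage collection.
        with socket.create_connection((target, 3389), timeout=1):
            return target
    except (OSError, ValueError):
        # OSError: refused, unreachable, timed out, or name resolution failed.
        # ValueError: host string that cannot be encoded for resolution.
        # Anything else is a programming error and should surface.
        return None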
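def run_rdesktop_in_docker(ip):
    """Run the ``cve-2019-0708:latest`` image against one host and report the verdict.

    Args:
        ip: Target host, handed to the container as its single argument.

    Returns:
        ``str(ip)`` when the container exits with status 0 and its stdout
        contains ``Target is VULNERABLE``; ``None`` otherwise (non-zero exit
        status, timeout, or a target string that is rejected below).
    """
    target = str(ip)
    # Targets can come from an external source (Shodan results), so the value
    # must stay exactly one argv element: no embedded whitespace that would
    # add arguments, and no leading '-' that could be read as an option.
    if target.startswith('-') or target.split() != [target]:
        return None

    # Build argv directly instead of formatting a string and re-splitting it.
    # --rm removes the container once it exits; without it every scanned host
    # leaves a stopped container behind.
    args = ['/usr/bin/docker', 'run', '--rm', 'cve-2019-0708:latest', target]
    process = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False)
    try:
        stdout, _ = process.communicate(timeout=10)
    except subprocess.TimeoutExpired:
        # NOTE(review): kill() terminates the docker client process started
        # here; whether the container itself stops is not visible from this
        # file - confirm, or add a timeout inside the image.
        process.kill()
        try:
            stdout, _ = process.communicate(timeout=1)
        except subprocess.TimeoutExpired:
            # Pipes still held open after the kill: treat as "no verdict"
            # instead of letting the exception abort the whole pool.map().
            return None

    if process.returncode != 0:
        return None
    # Compare bytes so that non-UTF-8 output from the container cannot raise
    # a decode error and abort the scan.
    if stdout and b'Target is VULNERABLE' in stdout:
        return target
    return None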
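def shodan_search(search_term):
    """Return the ``ip_str`` of every match Shodan gives for *search_term*.

    Args:
        search_term: Query string passed unchanged to ``api.search``.

    Returns:
        A list of IP strings, or ``None`` when the search reports no hosts or
        the API call fails. Exits with status 1 if the ``shodan`` package is
        not installed.

    The function blocks on ``input()`` so the operator confirms the host count
    before any scanning starts.
    """
    try:
        import shodan
    except ImportError:
        print('Please install shodan if you want to get hosts using the API.')
        sys.exit(1)

    api = shodan.Shodan(SHODAN_API_KEY)
    try:
        results = api.search(search_term)
    except shodan.APIError as err:
        # A missing or invalid key, or a rejected query, ends up here; report
        # it and let the caller print its "no hosts" message instead of
        # dying with a traceback.
        print('Shodan search failed: {}'.format(err))
        return None

    if results['total'] > 0:
        # NOTE(review): 'total' is the overall hit count, while 'matches'
        # presumably holds only the page returned by this call, so fewer
        # hosts than announced may be scanned - confirm against the API.
        input("Shodan search returned {} hosts, press enter to start scan".format(results['total']))
        return [match['ip_str'] for match in results['matches']]
    return None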
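def main():
    """Scan a subnet, or the hosts of a Shodan query, and print vulnerable hosts.

    ``sys.argv[1]`` is first parsed as an IP network. If that fails it is used
    as a Shodan search term. Hosts answering on port 3389 are then checked
    with ``run_rdesktop_in_docker`` and the ones reported vulnerable are
    printed. Exits with status 1 on missing arguments or when there is nothing
    to scan.
    """
    if len(sys.argv) < 2:
        print('Usage with a subnet: scan_with_docker.py x.x.x.x/x')
        print('Usage with shodan: scan_with_docker.py \'hostname:"*.example.com" port:3389\'')
        sys.exit(1)

    try:
        # strict=False accepts an address with host bits set (10.0.0.5/24) as
        # its containing network. In strict mode that input raised ValueError
        # and the internal address was sent to Shodan as a search term.
        hosts_to_scan = ipaddress.ip_network(sys.argv[1], strict=False).hosts()
    except ValueError:
        print("Not a valid subnet. Trying to use as Shodan search terms ...")
        hosts_to_scan = shodan_search(sys.argv[1])

    if hosts_to_scan is None:
        print('No available hosts to scan. Exiting.')
        sys.exit(1)

    # map() blocks until every host is processed, so each pool can be released
    # as soon as its map() returns. The previous join()-before-close() order
    # raised ValueError, which a bare except hid, and close() never ran.
    with ThreadPool(100) as port_scan_pool:
        port_scan_result = port_scan_pool.map(port_scan, hosts_to_scan)

    # Filter the result to only include IP-addresses
    hosts_with_port_3389_open = [x for x in port_scan_result if x is not None]

    # The container check is limited to 20 concurrent runs.
    with ThreadPool(20) as rdesktop_pool:
        rdesktop_result = rdesktop_pool.map(run_rdesktop_in_docker, hosts_with_port_3389_open)

    # Filter the result to only include vulnerable hosts
    hosts_with_vuln = [x for x in rdesktop_result if x is not None]

    if hosts_with_vuln:
        print('Vulnerable hosts:')
        for host in hosts_with_vuln:
            print(host)
    else:
        print('No vulnerable hosts found')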
# Run the scan only when executed as a script, not when imported.
if __name__ == "__main__":
    main()