PeterMosmans/security-scripts

GitHub: PeterMosmans/security-scripts

一个封装了 nmap、nikto、testssl.sh 等开源安全工具的 Python/Bash 脚本集合,用于自动化扫描主机的网络安全漏洞与配置缺陷。

Stars: 283 | Forks: 78

# security-scripts 一系列与安全相关的 Python 和 Bash shell 脚本,主要围绕 测试主机的安全漏洞。对于 shell 脚本,不需要 任何花哨的编程框架,所需的只是一个 Bash shell。 请注意,强烈建议使用 `analyze_hosts.py`,因为它是 最新版本。Bash 版本的 `analyze_hosts.sh` 不会再添加任何新功能。 `analyze_hosts` 也可作为 Docker 镜像使用,其中包含开源 扫描器 `droopescan`、`nmap`、`Nikto` 和 `testssl.sh`。你可以使用 提供的 Dockerfile 自行构建,或者从 Docker Hub 获取镜像 ``` docker run --rm gofwd/analyze_hosts ``` 你也可以用这种方式运行包含的工具;只需覆盖 entrypoint 即可。作 为例子,运行 `testssl.sh`: ``` docker run --rm --entrypoint 'testssl.sh' gofwd/analyze_hosts ``` ## analyze_hosts.py 一个封装了多个开源安全工具的简单包装脚本,旨在简化 对主机网络漏洞的扫描。该脚本允许你分析一台 或多台主机是否存在常见的配置错误漏洞和弱点。 该脚本的主要目标是尽可能轻松地执行 常规安全测试,且无需任何繁重的先决条件,使输出尽可能 具有参考价值,并使用开源工具。它可以轻松地用作 计划任务,或被集成到持续集成环境中。 唯一的要求是 `nmap` 和 `Python3`。 由于扫描输出可以写入 JSON 文件,因此可用于生成 扫描之间的 deltas(差异),或将输出用于进一步检查。 ### 安装 请注意,你也可以直接从 Docker 镜像运行 `analyze_hosts`: ``` docker run --rm gofwd/analyze_hosts ``` 不使用 virtualenv 的一次性安装步骤(所有必需的 Python 库 都在 `requirements.txt` 文件中指定): ``` git clone https://github.com/PeterMosmans/security-scripts && \ cd security-script && \ pip3 install -r requirements.txt ``` ### 用法 ``` usage: analyze_hosts.py [-h] [--version] [--dry-run] [-i INPUTFILE] [-o OUTPUT_FILE] [--compact] [--queuefile QUEUEFILE] [--resume] [--settings SETTINGS] [--exit-code] [--force] [--debug] [-v] [-q] [--allports] [-n] [-p PORT] [--up] [--udp] [--framework] [--http] [--compression] [--headers] [--trace] [--redirect] [--force-ssl] [--json JSON] [--ssl] [--nikto] [--sslcert] [-w] [--proxy PROXY] [--timeout TIMEOUT] [--threads THREADS] [--user-agent USER_AGENT] [--password PASSWORD] [--username USERNAME] [--maxtime MAXTIME] [target] analyze_hosts - scans one or more hosts for security misconfigurations Copyright (C) 2015-2022 Peter Mosmans [Go Forward] This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. positional arguments: target [TARGET] can be a single (IP) address, an IP range, or multiple comma-separated addressess optional arguments: -h, --help show this help message and exit --version Show version and exit --dry-run Only show commands, don't actually do anything -i INPUTFILE, --inputfile INPUTFILE A file containing targets, one per line -o OUTPUT_FILE, --output-file OUTPUT_FILE output file containing all scanresults (default analyze_hosts.output) --compact Only log raw logfiles and alerts to file --queuefile QUEUEFILE the queuefile --resume Resume working on the queue --settings SETTINGS Name of settings file to use (default analyze_hosts.yml) --exit-code When supplied, return exit code 1 when alerts are discovered --force Ignore / overwrite the queuefile --debug Show debug information -v, --verbose Be more verbose -q, --quiet Do not show scan outputs on the console --allports Run a full-blown nmap scan on all ports -n, --no-portscan Do NOT run a nmap portscan -p PORT, --port PORT Specific port(s) to scan --up Assume host is up (do not rely on ping probe) --udp Check for open UDP ports as well --framework Analyze the website and run webscans --http Check for various HTTP vulnerabilities (compression, headers, trace) --compression Check for webserver compression --headers Check for various HTTP headers --trace Check webserver for HTTP TRACE method --redirect Check for insecure redirect --force-ssl Enforce SSL/TLS check on all open ports --json JSON Save output in JSON file --ssl Check for various SSL/TLS vulnerabilities --nikto Run a nikto scan --sslcert Download SSL certificate -w, --whois Perform a whois lookup --proxy PROXY Use proxy server (host:port) --timeout TIMEOUT Timeout for requests in seconds (default 10) --threads THREADS Maximum number of threads (default 5) --user-agent USER_AGENT Custom User-Agent to use (default analyze_hosts) --password PASSWORD Password for HTTP basic host authentication --username USERNAME Username for HTTP basic host authentication --maxtime MAXTIME Timeout for scans in seconds (default 600) ``` `analyze_hosts` 脚本会自动执行其他扫描(基于其 指纹或开放端口): ``` droopescan nikto testssl.sh WPscan ``` 如果无法在标准路径中找到这些 工具,你可以使用以下环境变量(全大写)来指定它们: CURL, DROOPESCAN, NIKTO, OPENSSL, TESTSSL, WPSCAN ### 抑制误报 可以使用配置文件 (`--settings`) 来配置或调整每个 主机/端口组合的扫描参数。这允许你抑制扫描 结果中的误报。目前支持 Nikto 的 `Plugins`、`Tuning` 和 `output` 参数, 以及一个允许/预期开放端口的列表和 testssl 参数: 示例配置文件: ``` targets: 127.0.0.1: allowed_ports: [22, 80, 443] ports: - port: 80 nikto_plugins: "@@ALL" nikto_tuning: "x1" nikto_output: "report.html" - port: 443 testssl_untrusted: true testssl: - "--ccs-injection" - "--ticketbleed" - "--robot" ``` 这将在扫描端口 80 时,为 Nikto 提供 `-Plugins '@@ALL' -Tuning 'x1' -output 'report.html'` 参数。 此外,如果发现除端口 22、 80 或 443 之外的开放端口,它不会生成警报。默认情况下,如果发现除 80 或 443 之外的开放端口,将会生成警报。 如果端口 443 上的 SSL/TLS endpoint 包含 不受信任的(自签名)证书,也不会生成警报。并且,代替所有默认测试,仅会执行 三次 SSL/TLS 测试。 ### JSON 格式 ``` { "arguments": { "target": "1.2.3.1/30", "version": false, "dry_run": false, "inputfile": "0frnfb4e", "output_file": "output.txt, "compact": true, "queuefile": "analyze_hosts.queue", "resume": false, "force": false, "debug": false, "verbose": false, "quiet": false, "allports": false, "no_portscan": false, "port": null, "up": false, "udp": false, "framework": false, "http": true, "json": "results.json", "ssl": true, "nikto": true, "sslcert": false, "trace": false, "whois": false, "proxy": null, "timeout": true, "threads": 5, "user_agent": "analyze_hosts", "password": null, "username": null, "maxtime": 1200, "testssl.sh": true, "curl": false, "wpscan": true, "droopescan": true, "nmap": true, "nmap_arguments": "-sV --open -sS --script=banner,dns-nsid,dns-recursion,http-cisco-anyconnect,http-php-version,http-title,http-trace,ntp-info,ntp-monlist,nbstat,rdp-enum-encryption,rpcinfo,sip-methods,smb-os-discovery,smb-security-mode,smtp-open-relay,ssh2-enum-algos,vnc-info,xmlrpc-methods,xmpp-info" }, "date_start": "2020-05-26 31:33:06" "results": { "1.2.3.1": { "ports": [ 53 ] }, "1.2.3.2": { "ports": [] }, "1.2.3.3": { "ports": [ 80, 443 ], "alerts": [ ":443 LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches" ] }, "1.2.3.4": { "ports": [ 80, 443 ], "alerts": [ ":443 + OSVDB-3092: /download/: This might be interesting...", ":443 + OSVDB-3092: /status/: This might be interesting...", ":443 + OSVDB-4231: /DHrPp.xml: Coccoon from Apache-XML project reveals file system path in error messages.", ":443 + OSVDB-3092: /upgrade.php: upgrade.php was found." ] } }, "date_finish": "2020-05-26 31:33:07" } ``` ## display_results.py 一个用于很好地格式化扫描结果的辅助脚本,以便轻松 查看扫描结果。 ``` usage: display_results.py [-h] [--info] [--version] [inputfile] display_results version 0.0.1 - displays scan results nicely positional arguments: inputfile A JSON file containing scan results optional arguments: -h, --help show this help message and exit --info Show also informational items --version Show version and exit ``` ## analyze-hosts.sh 一个封装了多个开源安全工具的简单包装脚本,旨在简化 对主机网络漏洞的扫描。该脚本允许你分析一台 或多台主机是否存在常见的配置错误漏洞和弱点。该 脚本的主要目标是尽可能轻松地执行 常规安全测试,且无需任何繁重的先决条件,使输出尽可能 具有参考价值,并使用开源工具.... - [cipherscan](https://github.com/jvehent/cipherscan) - curl - nmap - [openssl-1.0.2-chacha](https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha/) - [whatweb](https://github.com/urbanadventurer/WhatWeb) * whois ### 示例 #### SSL 证书 ``` ./analyze_hosts.sh --sslcert www.google.com ``` 显示证书的详细信息,如颁发者和主体。当 证书过期或当证书是证书颁发机构时,它会发出警告。 示例输出: ``` trying to retrieve SSL x.509 certificate on www.google.com:443... received issuer= countryName = US organizationName = Google Inc commonName = Google Internet Authority G2 subject= countryName = US stateOrProvinceName = California localityName = Mountain View organizationName = Google Inc commonName = www.google.com OK: certificate is valid between 16-07-2014 and 14-10-2014 ``` #### SSL/TLS ciphers ``` ./analyze_hosts.sh --ssl --sslports 443 -v www.microsoft.com ``` 检查允许哪些 ciphers。当使用不安全的 ciphers 时,它会发出警告。 默认情况下,会检查端口 443、465、993、995 和 3389。你可以 使用 --sslports 指定端口。-v 标志会输出所有结果,而不管 消息类型如何。 示例输出: ``` prio ciphersuite protocols pfs_keysize 1 RC4-MD5 SSLv3,TLSv1 2 RC4-SHA SSLv3,TLSv1 3 DES-CBC3-SHA SSLv3,TLSv1 4 AES256-SHA TLSv1 5 AES128-SHA TLSv1 Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature trying to retrieve SSL x.509 certificate on www.microsoft.com:443... received issuer= domainComponent = com domainComponent = microsoft domainComponent = corp domainComponent = redmond commonName = MSIT Machine Auth CA 2 subject= countryName = US stateOrProvinceName = WA localityName = Redmond organizationName = Microsoft Corporation organizationalUnitName = MSCOM commonName = www.microsoft.com OK: certificate is valid between 12-01-2013 and 12-01-2015 performing nmap sslscan on www.microsoft.com ports 443... Nmap scan report for www.microsoft.com (134.170.184.133) Host is up (0.15s latency). PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | SSLv3: | ciphers: | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_RSA_WITH_RC4_128_MD5 - strong | TLS_RSA_WITH_RC4_128_SHA - strong | compressors: | NULL | TLSv1.0: | ciphers: | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_RC4_128_MD5 - strong | TLS_RSA_WITH_RC4_128_SHA - strong | compressors: | NULL |_ least strength: strong ``` ### 用法 ``` ./analyze_hosts.sh [OPTION]... [HOST] Scanning options: -a, --all perform all basic scans --max perform all advanced scans (more thorough) -b, --basic perform basic scans (fingerprint, ssl, trace) results of HOST matches regexp FILTER --dns test for recursive query and version string -f perform web fingerprinting (all webports) --fingerprint perform all web fingerprinting methods -h, --header show webserver headers (all webports) -n, --nikto nikto webscan (all webports) -p nmap portscan (top 1000 TCP ports) --ports nmap portscan (all ports, TCP and UDP) --redirect test for open secure redirect -s check SSL configuration --ssl perform all SSL configuration checks --sslcert show details of SSL certificate --timeout=SECONDS change timeout for tools (default 60) --ssh perform SSH configuration checks -t check webserver for HTTP TRACE method --trace perform all HTTP TRACE method checks -w, --whois perform WHOIS lookup for (hostname and) IP address -W confirm WHOIS results before continuing scan --filter=FILTER only proceed with scan of HOST if WHOIS --wordlist=filename scan webserver for existence of files in filename Port selection (comma separated list): --webports=PORTS use PORTS for web scans (default 80,443,8080) --sslports=PORTS use PORTS for ssl scans (default 443,465,993,995,3389) Logging and input file: -d, --directory=DIR location of temporary files (default /tmp) -i, --inputfile=FILE use a file containing hostnames -l, --log log each scan in a separate logfile --nocolor don't use fancy colors in screen output -o, --output=FILE concatenate all OK and WARNING messages into FILE -q, --quiet quiet -v, --verbose show server responses Default programs: --cipherscan=FILE location of cipherscan (default cipherscan) --openssl=FILE location of openssl (default openssl) -u update this script (if it's a cloned repository) --update force update (overwrite all local modifications) --version print version information and exit BLUE: INFO, status messages GREEN: OK, secure settings RED: WARNING, possible vulnerabilities [HOST] can be a single (IP) address, an IP range, eg. 127.0.0.1-255 or multiple comma-separated addressess ``` ### 历史记录 - 自 0.88 起:初步支持 starttls xmpp ## test_ssl_handhake.sh 一个用于测试 TLS/SSL 握手的脚本。包含几个 bug 测试: - 使用 tls1_2 协议时的 128 cipher 限制 - aRSA cipher 顺序 - 版本不兼容的服务器 \$ ./test_ssl_handshake.sh ``` (c) 2014 Peter Mosmans [Go Forward] Licensed under the GPL 3.0 tests SSL/TLS handshakes (for known bugs) usage: ./test_ssl_handshake.sh target[:port] [start] [start] number of ciphers to start with (default 125) --ciphers=FILE a file containing a list which ciphers to use --cipherstring=CIPHERSTRING cipherstring (default ) -f | --force continue even though the error has been detected --iterate iterate through all the ciphers instead of adding --openssl=FILE location of openssl (default ) -v | --verbose be more verbose, please tests: --128 test for 128 cipherlimit --intolerant test for version intolerant server --rsa test for RSA order sensitivity by default, all tests will be performed ```
标签:Bash, Docker, Python, 安全防御评估, 应用安全, 插件系统, 无后门, 请求拦截, 逆向工具