PeterMosmans/security-scripts
GitHub: PeterMosmans/security-scripts
一个封装了 nmap、nikto、testssl.sh 等开源安全工具的 Python/Bash 脚本集合,用于自动化扫描主机的网络安全漏洞与配置缺陷。
Stars: 283 | Forks: 78
# security-scripts
一系列与安全相关的 Python 和 Bash shell 脚本,主要围绕
测试主机的安全漏洞。对于 shell 脚本,不需要
任何花哨的编程框架,所需的只是一个 Bash shell。
请注意,强烈建议使用 `analyze_hosts.py`,因为它是
最新版本。Bash 版本的
`analyze_hosts.sh` 不会再添加任何新功能。
`analyze_hosts` 也可作为 Docker 镜像使用,其中包含开源
扫描器 `droopescan`、`nmap`、`Nikto` 和 `testssl.sh`。你可以使用
提供的 Dockerfile 自行构建,或者从 Docker Hub 获取镜像
```
docker run --rm gofwd/analyze_hosts
```
你也可以用这种方式运行包含的工具;只需覆盖 entrypoint 即可。作
为例子,运行 `testssl.sh`:
```
docker run --rm --entrypoint 'testssl.sh' gofwd/analyze_hosts
```
## analyze_hosts.py
一个封装了多个开源安全工具的简单包装脚本,旨在简化
对主机网络漏洞的扫描。该脚本允许你分析一台
或多台主机是否存在常见的配置错误漏洞和弱点。
该脚本的主要目标是尽可能轻松地执行
常规安全测试,且无需任何繁重的先决条件,使输出尽可能
具有参考价值,并使用开源工具。它可以轻松地用作
计划任务,或被集成到持续集成环境中。
唯一的要求是 `nmap` 和 `Python3`。
由于扫描输出可以写入 JSON 文件,因此可用于生成
扫描之间的 deltas(差异),或将输出用于进一步检查。
### 安装
请注意,你也可以直接从 Docker 镜像运行 `analyze_hosts`:
```
docker run --rm gofwd/analyze_hosts
```
不使用 virtualenv 的一次性安装步骤(所有必需的 Python 库
都在 `requirements.txt` 文件中指定):
```
git clone https://github.com/PeterMosmans/security-scripts && \
cd security-script && \
pip3 install -r requirements.txt
```
### 用法
```
usage: analyze_hosts.py [-h] [--version] [--dry-run] [-i INPUTFILE] [-o OUTPUT_FILE] [--compact] [--queuefile QUEUEFILE] [--resume] [--settings SETTINGS]
[--exit-code] [--force] [--debug] [-v] [-q] [--allports] [-n] [-p PORT] [--up] [--udp] [--framework] [--http] [--compression]
[--headers] [--trace] [--redirect] [--force-ssl] [--json JSON] [--ssl] [--nikto] [--sslcert] [-w] [--proxy PROXY]
[--timeout TIMEOUT] [--threads THREADS] [--user-agent USER_AGENT] [--password PASSWORD] [--username USERNAME] [--maxtime MAXTIME]
[target]
analyze_hosts - scans one or more hosts for security misconfigurations
Copyright (C) 2015-2022 Peter Mosmans [Go Forward]
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
positional arguments:
target [TARGET] can be a single (IP) address, an IP range, or multiple comma-separated addressess
optional arguments:
-h, --help show this help message and exit
--version Show version and exit
--dry-run Only show commands, don't actually do anything
-i INPUTFILE, --inputfile INPUTFILE
A file containing targets, one per line
-o OUTPUT_FILE, --output-file OUTPUT_FILE
output file containing all scanresults (default analyze_hosts.output)
--compact Only log raw logfiles and alerts to file
--queuefile QUEUEFILE
the queuefile
--resume Resume working on the queue
--settings SETTINGS Name of settings file to use (default analyze_hosts.yml)
--exit-code When supplied, return exit code 1 when alerts are discovered
--force Ignore / overwrite the queuefile
--debug Show debug information
-v, --verbose Be more verbose
-q, --quiet Do not show scan outputs on the console
--allports Run a full-blown nmap scan on all ports
-n, --no-portscan Do NOT run a nmap portscan
-p PORT, --port PORT Specific port(s) to scan
--up Assume host is up (do not rely on ping probe)
--udp Check for open UDP ports as well
--framework Analyze the website and run webscans
--http Check for various HTTP vulnerabilities (compression, headers, trace)
--compression Check for webserver compression
--headers Check for various HTTP headers
--trace Check webserver for HTTP TRACE method
--redirect Check for insecure redirect
--force-ssl Enforce SSL/TLS check on all open ports
--json JSON Save output in JSON file
--ssl Check for various SSL/TLS vulnerabilities
--nikto Run a nikto scan
--sslcert Download SSL certificate
-w, --whois Perform a whois lookup
--proxy PROXY Use proxy server (host:port)
--timeout TIMEOUT Timeout for requests in seconds (default 10)
--threads THREADS Maximum number of threads (default 5)
--user-agent USER_AGENT
Custom User-Agent to use (default analyze_hosts)
--password PASSWORD Password for HTTP basic host authentication
--username USERNAME Username for HTTP basic host authentication
--maxtime MAXTIME Timeout for scans in seconds (default 600)
```
`analyze_hosts` 脚本会自动执行其他扫描(基于其
指纹或开放端口):
```
droopescan
nikto
testssl.sh
WPscan
```
如果无法在标准路径中找到这些
工具,你可以使用以下环境变量(全大写)来指定它们:
CURL, DROOPESCAN, NIKTO, OPENSSL, TESTSSL, WPSCAN
### 抑制误报
可以使用配置文件 (`--settings`) 来配置或调整每个
主机/端口组合的扫描参数。这允许你抑制扫描
结果中的误报。目前支持 Nikto 的 `Plugins`、`Tuning` 和 `output` 参数,
以及一个允许/预期开放端口的列表和 testssl
参数:
示例配置文件:
```
targets:
127.0.0.1:
allowed_ports: [22, 80, 443]
ports:
- port: 80
nikto_plugins: "@@ALL"
nikto_tuning: "x1"
nikto_output: "report.html"
- port: 443
testssl_untrusted: true
testssl:
- "--ccs-injection"
- "--ticketbleed"
- "--robot"
```
这将在扫描端口 80 时,为 Nikto 提供 `-Plugins '@@ALL' -Tuning 'x1' -output 'report.html'`
参数。
此外,如果发现除端口 22、
80 或 443 之外的开放端口,它不会生成警报。默认情况下,如果发现除
80 或 443 之外的开放端口,将会生成警报。
如果端口 443 上的 SSL/TLS endpoint 包含
不受信任的(自签名)证书,也不会生成警报。并且,代替所有默认测试,仅会执行
三次 SSL/TLS 测试。
### JSON 格式
```
{
"arguments": {
"target": "1.2.3.1/30",
"version": false,
"dry_run": false,
"inputfile": "0frnfb4e",
"output_file": "output.txt,
"compact": true,
"queuefile": "analyze_hosts.queue",
"resume": false,
"force": false,
"debug": false,
"verbose": false,
"quiet": false,
"allports": false,
"no_portscan": false,
"port": null,
"up": false,
"udp": false,
"framework": false,
"http": true,
"json": "results.json",
"ssl": true,
"nikto": true,
"sslcert": false,
"trace": false,
"whois": false,
"proxy": null,
"timeout": true,
"threads": 5,
"user_agent": "analyze_hosts",
"password": null,
"username": null,
"maxtime": 1200,
"testssl.sh": true,
"curl": false,
"wpscan": true,
"droopescan": true,
"nmap": true,
"nmap_arguments": "-sV --open -sS --script=banner,dns-nsid,dns-recursion,http-cisco-anyconnect,http-php-version,http-title,http-trace,ntp-info,ntp-monlist,nbstat,rdp-enum-encryption,rpcinfo,sip-methods,smb-os-discovery,smb-security-mode,smtp-open-relay,ssh2-enum-algos,vnc-info,xmlrpc-methods,xmpp-info"
},
"date_start": "2020-05-26 31:33:06"
"results": {
"1.2.3.1": {
"ports": [
53
]
},
"1.2.3.2": {
"ports": []
},
"1.2.3.3": {
"ports": [
80,
443
],
"alerts": [
":443 LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches"
]
},
"1.2.3.4": {
"ports": [
80,
443
],
"alerts": [
":443 + OSVDB-3092: /download/: This might be interesting...",
":443 + OSVDB-3092: /status/: This might be interesting...",
":443 + OSVDB-4231: /DHrPp.xml: Coccoon from Apache-XML project reveals file system path in error messages.",
":443 + OSVDB-3092: /upgrade.php: upgrade.php was found."
]
}
},
"date_finish": "2020-05-26 31:33:07"
}
```
## display_results.py
一个用于很好地格式化扫描结果的辅助脚本,以便轻松
查看扫描结果。
```
usage: display_results.py [-h] [--info] [--version] [inputfile]
display_results version 0.0.1 - displays scan results nicely
positional arguments:
inputfile A JSON file containing scan results
optional arguments:
-h, --help show this help message and exit
--info Show also informational items
--version Show version and exit
```
## analyze-hosts.sh
一个封装了多个开源安全工具的简单包装脚本,旨在简化
对主机网络漏洞的扫描。该脚本允许你分析一台
或多台主机是否存在常见的配置错误漏洞和弱点。该
脚本的主要目标是尽可能轻松地执行
常规安全测试,且无需任何繁重的先决条件,使输出尽可能
具有参考价值,并使用开源工具....
- [cipherscan](https://github.com/jvehent/cipherscan)
- curl
- nmap
- [openssl-1.0.2-chacha](https://github.com/PeterMosmans/openssl/tree/1.0.2-chacha/)
- [whatweb](https://github.com/urbanadventurer/WhatWeb)
* whois
### 示例
#### SSL 证书
```
./analyze_hosts.sh --sslcert www.google.com
```
显示证书的详细信息,如颁发者和主体。当
证书过期或当证书是证书颁发机构时,它会发出警告。
示例输出:
```
trying to retrieve SSL x.509 certificate on www.google.com:443... received
issuer=
countryName = US
organizationName = Google Inc
commonName = Google Internet Authority G2
subject=
countryName = US
stateOrProvinceName = California
localityName = Mountain View
organizationName = Google Inc
commonName = www.google.com
OK: certificate is valid between 16-07-2014 and 14-10-2014
```
#### SSL/TLS ciphers
```
./analyze_hosts.sh --ssl --sslports 443 -v www.microsoft.com
```
检查允许哪些 ciphers。当使用不安全的 ciphers 时,它会发出警告。
默认情况下,会检查端口 443、465、993、995 和 3389。你可以
使用 --sslports 指定端口。-v 标志会输出所有结果,而不管
消息类型如何。
示例输出:
```
prio ciphersuite protocols pfs_keysize
1 RC4-MD5 SSLv3,TLSv1
2 RC4-SHA SSLv3,TLSv1
3 DES-CBC3-SHA SSLv3,TLSv1
4 AES256-SHA TLSv1
5 AES128-SHA TLSv1
Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature
trying to retrieve SSL x.509 certificate on www.microsoft.com:443... received
issuer=
domainComponent = com
domainComponent = microsoft
domainComponent = corp
domainComponent = redmond
commonName = MSIT Machine Auth CA 2
subject=
countryName = US
stateOrProvinceName = WA
localityName = Redmond
organizationName = Microsoft Corporation
organizationalUnitName = MSCOM
commonName = www.microsoft.com
OK: certificate is valid between 12-01-2013 and 12-01-2015
performing nmap sslscan on www.microsoft.com ports 443...
Nmap scan report for www.microsoft.com (134.170.184.133)
Host is up (0.15s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
```
### 用法
```
./analyze_hosts.sh [OPTION]... [HOST]
Scanning options:
-a, --all perform all basic scans
--max perform all advanced scans (more thorough)
-b, --basic perform basic scans (fingerprint, ssl, trace)
results of HOST matches regexp FILTER
--dns test for recursive query and version string
-f perform web fingerprinting (all webports)
--fingerprint perform all web fingerprinting methods
-h, --header show webserver headers (all webports)
-n, --nikto nikto webscan (all webports)
-p nmap portscan (top 1000 TCP ports)
--ports nmap portscan (all ports, TCP and UDP)
--redirect test for open secure redirect
-s check SSL configuration
--ssl perform all SSL configuration checks
--sslcert show details of SSL certificate
--timeout=SECONDS change timeout for tools (default 60)
--ssh perform SSH configuration checks
-t check webserver for HTTP TRACE method
--trace perform all HTTP TRACE method checks
-w, --whois perform WHOIS lookup for (hostname and) IP address
-W confirm WHOIS results before continuing scan
--filter=FILTER only proceed with scan of HOST if WHOIS
--wordlist=filename scan webserver for existence of files in filename
Port selection (comma separated list):
--webports=PORTS use PORTS for web scans (default 80,443,8080)
--sslports=PORTS use PORTS for ssl scans (default 443,465,993,995,3389)
Logging and input file:
-d, --directory=DIR location of temporary files (default /tmp)
-i, --inputfile=FILE use a file containing hostnames
-l, --log log each scan in a separate logfile
--nocolor don't use fancy colors in screen output
-o, --output=FILE concatenate all OK and WARNING messages into FILE
-q, --quiet quiet
-v, --verbose show server responses
Default programs:
--cipherscan=FILE location of cipherscan (default cipherscan)
--openssl=FILE location of openssl (default openssl)
-u update this script (if it's a cloned repository)
--update force update (overwrite all local modifications)
--version print version information and exit
BLUE: INFO, status messages
GREEN: OK, secure settings
RED: WARNING, possible vulnerabilities
[HOST] can be a single (IP) address, an IP range, eg. 127.0.0.1-255
or multiple comma-separated addressess
```
### 历史记录
- 自 0.88 起:初步支持 starttls xmpp
## test_ssl_handhake.sh
一个用于测试 TLS/SSL 握手的脚本。包含几个 bug 测试:
- 使用 tls1_2 协议时的 128 cipher 限制
- aRSA cipher 顺序
- 版本不兼容的服务器
\$ ./test_ssl_handshake.sh
```
(c) 2014 Peter Mosmans [Go Forward]
Licensed under the GPL 3.0
tests SSL/TLS handshakes (for known bugs)
usage: ./test_ssl_handshake.sh target[:port] [start]
[start] number of ciphers to start with (default 125)
--ciphers=FILE a file containing a list which ciphers to use
--cipherstring=CIPHERSTRING
cipherstring (default )
-f | --force continue even though the error has been detected
--iterate iterate through all the ciphers instead of adding
--openssl=FILE location of openssl (default )
-v | --verbose be more verbose, please
tests:
--128 test for 128 cipherlimit
--intolerant test for version intolerant server
--rsa test for RSA order sensitivity
by default, all tests will be performed
```
标签:Bash, Docker, Python, 安全防御评估, 应用安全, 插件系统, 无后门, 请求拦截, 逆向工具