diff --git a/bin/Tools.py b/bin/Tools.py index a9628f51..32a522d3 100755 --- a/bin/Tools.py +++ b/bin/Tools.py @@ -131,7 +131,7 @@ tools_dict = { }, 'dnsenum': { 'name': 'dnsenum', - 'regex1': r'(?s)dnsenum VERSION:.+?Trying Zone Transfer', + 'regex1': r'(?s)dnsenum(\.pl)? VERSION:.+?Trying Zone Transfer', 'nb_regex': 1, 'max_execution_time': default_max_execution_time, 'tag': 'infoleak:automatic-detection="dnsenum-tool"', # tag if all regex match @@ -185,9 +185,547 @@ tools_dict = { 'max_execution_time': default_max_execution_time, 'tag': 'infoleak:automatic-detection="uniscan-tool"', # tag if all regex match }, + 'masscan': { + 'name': 'masscan', + 'regex1': r'(?s)Starting masscan [\d.]+.+?Scanning|bit.ly/14GZzcT', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="masscan-tool"', # tag if all regex match + }, + 'msfconsole': { + 'name': 'msfconsole', + 'regex1': r'=\[ metasploit v[\d.]+.+?msf >', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="msfconsole-tool"', # tag if all regex match + }, + 'amap': { + 'name': 'amap', + 'regex1': r'\bamap v[\d.]+ \(www.thc.org/thc-amap\)', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="amap-tool"', # tag if all regex match + }, + 'automater': { + 'name': 'automater', + 'regex1': r'(?s)\[\*\] Checking.+?_+ Results found for:', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="automater-tool"', # tag if all regex match + }, + 'braa': { + 'name': 'braa', + 'regex1': r'\bbraa public@[\d.]+', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="braa-tool"', # tag if all regex match + }, + 'ciscotorch': { + 'name': 'ciscotorch', + 'regex1': r'Becase we need it', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="ciscotorch-tool"', # tag if all regex match + }, + 'theharvester': { + 'name': 'theharvester', + 'regex1': r'Starting harvesting process for domain:', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="theharvester-tool"', # tag if all regex match + }, + 'sslstrip': { + 'name': 'sslstrip', + 'regex1': r'sslstrip [\d.]+ by Moxie Marlinspike running', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="sslstrip-tool"', # tag if all regex match + }, + 'sslcaudit': { + 'name': 'sslcaudit', + 'regex1': r'# filebag location:', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="sslcaudit-tool"', # tag if all regex match + }, + 'smbmap': { + 'name': 'smbmap', + 'regex1': r'\[\+\] Finding open SMB ports\.\.\.', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="smbmap-tool"', # tag if all regex match + }, + 'reconng': { + 'name': 'reconng', + 'regex1': r'\[\*\] Status: unfixed|\[recon-ng\]\[default\]', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="reconng-tool"', # tag if all regex match + }, + 'p0f': { + 'name': 'p0f', + 'regex1': r'\bp0f [^ ]+ by Michal Zalewski', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="p0f-tool"', # tag if all regex match + }, + 'hping3': { + 'name': 'hping3', + 'regex1': r'\bHPING [^ ]+ \([^)]+\): [^ ]+ mode set', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="hping3-tool"', # tag if all regex match + }, + 'enum4linux': { + 'name': 'enum4linux', + 'regex1': r'Starting enum4linux v[\d.]+|\| Target Information \|', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="enum4linux-tool"', # tag if all regex match + }, + 'dnstracer': { + 'name': 'dnstracer', + 'regex1': r'(?s)Tracing to.+?DNS HEADER \(send\)', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="dnstracer-tool"', # tag if all regex match + }, + 'dnmap': { + 'name': 'dnmap', + 'regex1': r'dnmap_(client|server)|Nmap output files stored in \'nmap_output\' directory', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="dnmap-tool"', # tag if all regex match + }, + 'arpscan': { + 'name': 'arpscan', + 'regex1': r'Starting arp-scan [^ ]+ with \d+ hosts', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="arpscan-tool"', # tag if all regex match + }, + 'cdpsnarf': { + 'name': 'cdpsnarf', + 'regex1': r'(?s)CDPSnarf v[^ ]+.+?Waiting for a CDP packet\.\.\.', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="cdpsnarf-tool"', # tag if all regex match + }, + 'dnsmap': { + 'name': 'dnsmap', + 'regex1': r'DNS Network Mapper by pagvac', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="dnsmap-tool"', # tag if all regex match + }, + 'dotdotpwn': { + 'name': 'dotdotpwn', + 'regex1': r'DotDotPwn v[^ ]+|dotdotpwn@sectester.net|\[\+\] Creating Traversal patterns', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="dotdotpwn-tool"', # tag if all regex match + }, + 'searchsploit': { + 'name': 'searchsploit', + 'regex1': r'\| (exploits|shellcodes|)/|\.searchsploit_rc', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="searchsploit-tool"', # tag if all regex match + }, + 'fierce': { + 'name': 'fierce', + 'regex1': r'(?s)Trying zone transfer first.+Checking for wildcard DNS', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="fierce-tool"', # tag if all regex match + }, + 'firewalk': { + 'name': 'firewalk', + 'regex1': r'Firewalk state initialization completed successfully|Ramping phase source port', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="firewalk-tool"', # tag if all regex match + }, + 'fragroute': { + 'name': 'fragroute', + 'regex1': r'\bfragroute: tcp_seg -> ip_frag', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="fragroute-tool"', # tag if all regex match + }, + 'fragrouter': { + 'name': 'fragrouter', + 'regex1': r'fragrouter: frag-\d+:', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="fragrouter-tool"', # tag if all regex match + }, + 'goofile': { + 'name': 'goofile', + 'regex1': r'code.google.com/p/goofile\b', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="goofile-tool"', # tag if all regex match + }, + 'intrace': { + 'name': 'intrace', + 'regex1': r'\bInTrace [\d.]+ \-\-', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="intrace-tool"', # tag if all regex match + }, + 'ismtp': { + 'name': 'ismtp', + 'regex1': r'Testing SMTP server \[user enumeration\]', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="ismtp-tool"', # tag if all regex match + }, + 'lbd': { + 'name': 'lbd', + 'regex1': r'Checking for (DNS|HTTP)-Loadbalancing', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="lbd-tool"', # tag if all regex match + }, + 'miranda': { + 'name': 'miranda', + 'regex1': r'Entering discovery mode for \'upnp:', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="miranda-tool"', # tag if all regex match + }, + 'ncat': { + 'name': 'ncat', + 'regex1': r'nmap.org/ncat', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="ncat-tool"', # tag if all regex match + }, + 'ohrwurm': { + 'name': 'ohrwurm', + 'regex1': r'\bohrwurm-[\d.]+', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="ohrwurm-tool"', # tag if all regex match + }, + 'oscanner': { + 'name': 'oscanner', + 'regex1': r'Loading services/sids from service file', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="oscanner-tool"', # tag if all regex match + }, + 'sfuzz': { + 'name': 'sfuzz', + 'regex1': r'AREALLYBADSTRING|sfuzz/sfuzz', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="sfuzz-tool"', # tag if all regex match + }, + 'sidguess': { + 'name': 'sidguess', + 'regex1': r'SIDGuesser v[\d.]+', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="sidguess-tool"', # tag if all regex match + }, + 'sqlninja': { + 'name': 'sqlninja', + 'regex1': r'Sqlninja rel\. [\d.]+', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="sqlninja-tool"', # tag if all regex match + }, + 'sqlsus': { + 'name': 'sqlsus', + 'regex1': r'sqlsus version [\d.]+', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="sqlsus-tool"', # tag if all regex match + }, + 'dnsdict6': { + 'name': 'dnsdict6', + 'regex1': r'Starting DNS enumeration work on', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="dnsdict6-tool"', # tag if all regex match + }, + 'unixprivesccheck': { + 'name': 'unixprivesccheck', + 'regex1': r'Recording Interface IP addresses', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="unixprivesccheck-tool"', # tag if all regex match + }, + 'yersinia': { + 'name': 'yersinia', + 'regex1': r'yersinia@yersinia.net', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="yersinia-tool"', # tag if all regex match + }, + 'armitage': { + 'name': 'armitage', + 'regex1': r'\[\*\] Starting msfrpcd for you', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="armitage-tool"', # tag if all regex match + }, + 'backdoorfactory': { + 'name': 'backdoorfactory', + 'regex1': r'\[\*\] In the backdoor module', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="backdoorfactory-tool"', # tag if all regex match + }, + 'beef': { + 'name': 'beef', + 'regex1': r'Please wait as BeEF services are started', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="beef-tool"', # tag if all regex match + }, + 'cat': { + 'name': 'cat', + 'regex1': r'Cisco Auditing Tool.+?g0ne', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="cat-tool"', # tag if all regex match + }, + 'cge': { + 'name': 'cge', + 'regex1': r'Vulnerability successful exploited with \[', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="cge-tool"', # tag if all regex match + }, + 'john': { + 'name': 'john', + 'regex1': r'John the Ripper password cracker, ver:|Loaded \d+ password hash \(', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="john-tool"', # tag if all regex match + }, + 'keimpx': { + 'name': 'keimpx', + 'regex1': r'\bkeimpx [\d.]+', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="keimpx-tool"', # tag if all regex match + }, + 'maskprocessor': { + 'name': 'maskprocessor', + 'regex1': r'mp by atom, High-Performance word generator', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="maskprocessor-tool"', # tag if all regex match + }, + 'ncrack': { + 'name': 'ncrack', + 'regex1': r'Starting Ncrack[^\n]+http://ncrack.org', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="ncrack-tool"', # tag if all regex match + }, + 'patator': { + 'name': 'patator', + 'regex1': r'http://code.google.com/p/patator/|Starting Patator v', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="patator-tool"', # tag if all regex match + }, + 'phrasendrescher': { + 'name': 'phrasendrescher', + 'regex1': r'phrasen\|drescher [\d.]+', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="phrasendrescher-tool"', # tag if all regex match + }, + 'polenum': { + 'name': 'polenum', + 'regex1': r'\[\+\] Password Complexity Flags:', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="polenum-tool"', # tag if all regex match + }, + 'rainbowcrack': { + 'name': 'rainbowcrack', + 'regex1': r'Official Website: http://project-rainbowcrack.com/', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="rainbowcrack-tool"', # tag if all regex match + }, + 'rcracki_mt': { + 'name': 'rcracki_mt', + 'regex1': r'Found \d+ rainbowtable files\.\.\.', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="rcracki_mt-tool"', # tag if all regex match + }, + 'tcpdump': { + 'name': 'tcpdump', + 'regex1': r'tcpdump: listening on.+capture size \d+|\d+ packets received by filter', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="tcpdump-tool"', # tag if all regex match + }, + 'hydra': { + 'name': 'hydra', + 'regex1': r'Hydra \(http://www.thc.org/thc-hydra\)', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="hydra-tool"', # tag if all regex match + }, + 'netcat': { + 'name': 'netcat', + 'regex1': r'Listening on \[[\d.]+\] \(family', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="netcat-tool"', # tag if all regex match + }, + 'nslookup': { + 'name': 'nslookup', + 'regex1': r'Non-authoritative answer:', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="nslookup-tool"', # tag if all regex match + }, + 'dig': { + 'name': 'dig', + 'regex1': r'; <<>> DiG [\d.]+', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="dig-tool"', # tag if all regex match + }, + 'whois': { + 'name': 'whois', + 'regex1': r'(?i)Registrar WHOIS Server:|Registrar URL: http://|DNSSEC: unsigned|information on Whois status codes|REGISTERED, DELEGATED|[Rr]egistrar:|%[^\n]+(WHOIS|2016/679)', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="whois-tool"', # tag if all regex match + }, + 'nessus': { + 'name': 'nessus', + 'regex1': r'nessus_(report_(get|list|exploits)|scan_(new|status))|nessuscli|nessusd|nessus-service', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="nessus-tool"', # tag if all regex match + }, + 'openvas': { + 'name': 'openvas', + 'regex1': r'/openvas/', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="openvas-tool"', # tag if all regex match + }, + 'golismero': { + 'name': 'golismero', + 'regex1': r'GoLismero[\n]+The Web Knife', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="golismero-tool"', # tag if all regex match + }, + 'wpscan': { + 'name': 'wpscan', + 'regex1': r'WordPress Security Scanner by the WPScan Team|\[\+\] Interesting header:', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="wpscan-tool"', # tag if all regex match + }, + 'skipfish': { + 'name': 'skipfish', + 'regex1': r'\[\+\] Sorting and annotating crawl nodes:|skipfish version [\d.]+', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="skipfish-tool"', # tag if all regex match + }, + 'arachni': { + 'name': 'arachni', + 'regex1': r'With the support of the community and the Arachni Team|\[\*\] Waiting for plugins to settle\.\.\.', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="arachni-tool"', # tag if all regex match + }, + 'dirb': { + 'name': 'dirb', + 'regex1': r'==> DIRECTORY:|\bDIRB v[\d.]+', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="dirb-tool"', # tag if all regex match + }, + 'joomscan': { + 'name': 'joomscan', + 'regex1': r'OWASP Joomla! Vulnerability Scanner v[\d.]+', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="joomscan-tool"', # tag if all regex match + }, + 'jbossautopwn': { + 'name': 'jbossautopwn', + 'regex1': r'\[x\] Now creating BSH script\.\.\.|\[x\] Now deploying \.war file:', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="jbossautopwn-tool"', # tag if all regex match + }, + 'grabber': { + 'name': 'grabber', + 'regex1': r'runSpiderScan @', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="grabber-tool"', # tag if all regex match + }, + 'fimap': { + 'name': 'fimap', + 'regex1': r'Automatic LFI/RFI scanner and exploiter', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="fimap-tool"', # tag if all regex match + }, + 'dsxs': { + 'name': 'dsxs', + 'regex1': r'Damn Small XSS Scanner \(DSXS\)', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="dsxs-tool"', # tag if all regex match + }, + 'dsss': { + 'name': 'dsss', + 'regex1': r'Damn Small SQLi Scanner \(DSSS\)', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="dsss-tool"', # tag if all regex match + }, + 'dsjs': { + 'name': 'dsjs', + 'regex1': r'Damn Small JS Scanner \(DSJS\)', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="dsjs-tool"', # tag if all regex match + }, + 'dsfs': { + 'name': 'dsfs', + 'regex1': r'Damn Small FI Scanner \(DSFS\)', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="dsfs-tool"', # tag if all regex match + }, + 'identywaf': { + 'name': 'identywaf', + 'regex1': r'\[o\] initializing handlers\.\.\.', + 'nb_regex': 1, + 'max_execution_time': default_max_execution_time, + 'tag': 'infoleak:automatic-detection="identywaf-tool"', # tag if all regex match + }, + 'whatwaf': { + 'name': 'whatwaf', + 'regex1': r'