uberscan.pl
6034 lines (4936 loc) · 209 KB
#!/usr/bin/perl
#
#
#
# *** UBERSCAN ***
#
# Project to wrap all my wardialler / scanners into one!
#
#
# Copyright 2017 Batch McNulty
#
# Protected by the GNU Public Licence V3.0
#
# As of April 2017 you can contact me at batchmcnulty@protonmail.com
#
###################### AFTER A LONG REST COMING BACK IN 2020
#
# It's almost finished - I just have to cure the feature-itis.
=begin comment don't use this code!
* Split into everyday features and advanced features.
* By default, show everyday features help, with an -adv rider, advanced features
* By default, it should show servers it's found
=end comment
=cut
#
# ####################################################################################
# ISSUE: When selecting UDP scan, defaults to scanning Port 0 (which isn't a real UDP port)
# add search for a BGP server it sends a BGP request etc?
# Things to add to UDP scan:
# Selecting string to send by scan (so if you search for a time server it sends a time request)
# Being able to add your own string to the "string to send" doobrie
# (DONE - see commandchr.pl in parent directory)
# ALSO maybe have a string to send in TCP mode ("banner" scans)
# Pre-cooked strings, like the clock thing as well as the roll your own feature.
# maybe even a "send random gibberish" function, that could be fun
# Think about taking some options away as well.
# Not much point replicating an NMAP style UDP scan, when, er...
# NMAP already does that much better than I ever could.
# On the other hand, this is much easier to use than NMAP.
# Portscan might not be necessary in UDP mode - check that out!
# (think UDP switches that off anyway)
# Another thing: Add better logging. Currently defaults to no logging of failed conns
# make the UDP scan default to port 123, Network Time Protocol to go with the
# default sendstring which is also a NTP query.
# Created random options.
# Fake originating IP?
# Allow user to specify length of random string.
# Also add TCP to "sendstring" - make it so it can be sent in banner scan.
# Also, add a "sendfirst / sendsecond" option.
#Implement the following:
# -stringlength:nn Specifies length of random string. "; DONE
# -stringorder:1 Transmit string first, before a reply is received (default in UDP mode)";
# -stringorder:2 Transmit string after a reply has been received"; (default in TCP mode)";
# -stringorder:both Try transmitting both ways";
# -stringorder:random Decide randomly";
# THIS IS A LOT HARDER THAN IT LOOKS!
# * POSSIBLY CAN'T BE DONE WITH UDP
# * Requires either MAJOR surgery to HackBanner() or entirely new routine just for this hack
# Create a HackCustom() routine?
# Implement "pre-rolled" strings: HTTP request
#### BIG PROBLEM ####
# -random_ip NO LONGER WORKS in banner or UDP mode!
# they all default to port 0!
# banner and UDP die after 1 try in random mode even if a port is specified
# THINK I've fixed it! turns out to have been input error.
# Yeah, that's sorted. Problem solved, leaving in case it comes back
#Other things to do:
#Custom "nmap" style TCP portscan
# -synscan implemented but NOT tested.
# OK, a little bit of testing has shown it to be a bit slower than vanilla portscan
# - at least when done through a proxy
# Got it stabilized at around 1700 ips/min
# - needs to be higher than 2000 to compete with fresh proxies
# Also need to get its ability to find open ports more integrated into the program
# especially as regards "banner" scans - alternative to this is to search for open ports
# perhaps a new option called -searchopen where it just searches for open ports
# without trying to hack them
# Would have to replace scantype at some point in the program
# while allowing the user to still use scantype:foo
# DON'T have it imply -nmap_portscan though - it can be its own thing
# OK. Project searchopen
# Doesn't seem to need many retransmissions, can get by with 5 easily.
# Check UDP and string_to_send works properly
# - defaults to UDP Time request (can't remember which, might be NTP)
#
# Add code to save new Telnet servers in FOUND_TELNET_SERVERS.txt
# ***************** 2020 ******************
# Ideas:
# to SCANTYPE option, add ALL.
use strict;
no warnings;
use Fcntl qw/:DEFAULT :flock/;
use utf8;
#use Encoding::FixLatin qw (fix_latin);
use Encode qw(decode encode);
use Scalar::Util qw(looks_like_number);
our $syn_result;
our $megahack; # For port-scanning (mainly UDP)
my @input = @ARGV;
my $ipspace = "undefined";
my $numinputs = scalar @input;
my $username = "undefined";
my $password = "undefined";
my $numofips = "undefined";
our $ip_filename = "ipnumbers.txt";
our @filecontents_array = "";
our $filecontents_string = "";
our $options = "undefined";
our $ip_count = 0;
our $curr_ip = "undefined";
our @ip_array = "";
our $socket = "undefined";
our $remote_host = "undefined";
our $remote_port = "0";
our $protocol = "tcp";
our $reply = "";
our $output = "undefined";
### mass-popcrack stuff ###
our $error_result = "500";
our $usernamelogon = "undefined";
our $passwordtry = "undefined";
### wordlist stuff ###
our $wordlist_filename = "undefined";
our $numofusernames = 0;
our $numofpasswords = 0;
our @word_array = "";
our @password_array = "";
our @username_array = "";
our $password_count = 0;
our $username_count = 0;
## error handling ##
our $conn_error = "no";
our $retry = 0;
our $max_retries = 5;
our $max_retries_option = "";
#### Fixed inputs, program update ####
my $username_option = "undefined";
my $password_option = "undefined";
our $ip_option = "";
my $ip_option_offset;
our $userfile = "undefined";
our $passfile = "undefined";
### ipblock_gen #####
our $ip_input = "undefined";
#### range_gen ####
our $first_ip = "undefined";
our $second_ip = "undefined";
#### external commands including whois scan on found machines ####
our $cmd = "undefined";
our $shell ="undefined";
### New input system ###
our @input_matches = "undefined";
$input_matches[0] = "undefined";
our $index_of_first_ip = 0;
our $index_of_second_ip = 0;
### New options: -scantype: -port: and -whois
our $scan_option = "undefined";
our $scantype = "undefined";
our $port_option = "undefined";
our $port = "undefined";
our $whois_option = "OFF";
### -ftpanon option ###
our $ftpanon = "undefined";
### -smtpbug option ####
our $smtpbug = "undefined";
######### error_correct ###########
our $running_error_correct = 'NO';
######## HackTelnet (Net::Telnet version)
# our @telnet_output = "undefined";
# our $telnet_output_array_loopcount = 0;
# our $telnet = "undefined";
####### HackHTTP stuff ######
our $return_code;
our $response_code;
our $foreign_headers;
####### Multitasking ################
our $forktimes = 0;
our $forktimes_option = "forktimes_option: Undefined";
########### Time ####################
our $starttime = time();
our $timenow = 0;
our $uptime = 0;
our $times_looped = 0;
our $ips_generated = 0;
our $forkcount = 0;
our $minutesup;
our $ipspermin;
our $maxmins;
##### New report file writer, w/ file locking ###########
our $filename;
our $verbal_report;
###### -noportscan option: ##################
our $port_scan_option;
our $port_test;
####### -synscan #########
our $synscan_option;
our $synscan;
our $syn_timeout = 210000; # Looks like the sweet spot!
my $syn_timeout_option;
#our $syn_trans_attempts = 5;
our $syn_trans_attempts = 4;
my $syn_trans_attempts_option;
our $syn_trans_factor = (($syn_timeout) / $syn_trans_attempts);
print "\n syn_trans_factor is $syn_trans_factor\n";
# $syn_trans_factor has to be recalculated if we change timeout or retrans attempts
# It's this way so we don't have to waste cycles recalcing it and
# so we don't retransmit on the last cycle before we give up
####### -debug and -logall options ###################
our $debug_option;
our $debug;
our $logall_option;
our $logall;
######## -timeout and -portscan_timeout options #########
our $timeout_option;
our $timeout = 30;
our $portscan_timeout_option;
our $portscan_timeout = 1;
##### a save to file (unimplemented) ###########
our $save_to_passfile;
#### Yet more debugging, it's important though.####
# $banner is a variable for the first reply, so we can save banners
# and for the -scantype:banner option
#
# The $addenda variable allows each file-writing subroutine to write a specific comment ###
# on something that's happened. ###
our $banner;
our $addenda;
################### a null variable for the stupid "press ENTER to continue" bit #########
my $nothing;
######## -pause option #####################
my $pause_option;
######## -spamcheck and -novrfy options ###################
my $spamcheck_option;
my $novrfy_option;
############ Stops searching when a password is found (random mode only for now, sorry) ######
our $login_found;
##### CSV mode ##############
our $csv_option;
###### GPL "mode" #############
our $gpl_option;
####### String to send in UDP scans. ####
# It defaults to a UDP TIME REQUEST
my $string_to_send_option;
# 0x1B followed by 47 zero bytes is a 48-byte NTPv3 client request
# (first byte: LI=0, VN=3, Mode=3), which is why -scantype:udp defaults to port 123.
our $string_to_send = chr(27) . (chr(0) x 47);
######## More strings to send: #######
# Bare HTTP/1.1 request for banner probes. Header lines end in CRLF, i.e.
# chr(13).chr(10); the earlier chr(13).chr(12) was a form feed, not a line feed.
our $prerolled_http_request = "GET / HTTP/1.1" . chr(13).chr(10)
    . "Host: www.example.com" . chr(13).chr(10)
    . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" . chr(13).chr(10);
#print "\n***************************************";
#print "\nprerolled http: $prerolled_http_request";
#print "\n***************************************";
#die;
###### Machinery for changing that string using nonprintable characters ####
my $chr_count = 0;
my $delimited_chr_codes;
my @chr_codes;
our $stringlength_option;
our $random_string_length = 0;
########## Order in which string is transmitted ###########################
my $stringorder_option;
our $stringorder;
################################
our $customhack_option;
################################# VALIDATE INPUT #########################################
unless ($numinputs > 1
|| $input[0] eq '-gpl'
|| $input[0] eq '-GPL'
|| $input[0] eq '-ftpanon'
|| $input[0] eq '-smtpbug'
|| $input[0] =~ "banner"
|| $input[0] =~ "Banner"
|| $input[0] =~ "BANNER"
|| $input[0] =~ "udp"
|| $input[0] =~ "UDP"
) {
print "\n ERROR - this program requires at least two inputs.\n";
PrintOptions();
die "\n";
}
print "\n \t\t *** UBERSCAN 2.0 *** ";
############### Debugging, comment out on completion #############
#print "\n username_option: $username_option \n ";
#print "\n password_option: $password_option \n ";
#print "\n ip_option: $ip_option \n ";
#print "\n forktimes: $forktimes \n";
#print "\n input_matches: @input_matches \n";
#print "\n input: @input \n";
print "\n";
##################### Display GPL if required ##########################
@input_matches = grep { /-gpl|-GPL/ } @input;
$gpl_option = $input_matches[0];
if ($gpl_option eq '-gpl' || $gpl_option eq '-GPL') {
print "\n";
PrintGPL();
die;
}
####################### Accept a string for UDP scanning / l33t hax0ring ##########
@input_matches = grep { /-sendstring:/ } @input;
$string_to_send_option = $input_matches[0];
print "\n ********** string_to_send_option:";
print $string_to_send_option;
if ($string_to_send_option =~ '-sendstring:') {# BOOKMARK - DOUBLE CHECK THIS
$string_to_send = substr ($input_matches[0], 12); # as I fucked with it! (fixed it, seems OK)
chomp $string_to_send;
if ($string_to_send =~ "prerolled_http_request") {
$string_to_send = $prerolled_http_request;
}
$string_to_send .="\n";
print "\n String to send in UDP / Custom TCP scan:$string_to_send";
}
#else {
# print "\n No printable string has been supplied for UDP, searching for nonprinting string\n";
#}
####################### Accept a nonprinting string for UDP scanning ##########
#@input_matches = grep { /-sendstring_np:/ } @input;
# $string_to_send_option = $input_matches[0];
# BOOKMARK
elsif ($string_to_send_option =~ '-sendstring_np:') {
$string_to_send = '';
$delimited_chr_codes = substr ($input_matches[0], 15); # BOOKMARK - DOUBLE CHECK THIS,
# or was it this I fucked with?
# (fixed it, seems OK)
print "\n delimited_chr_codes:\t".$delimited_chr_codes;
foreach ($delimited_chr_codes) {
@chr_codes = split(',',$_);
print "\n";
print '$_:'."\t\t\t".$_;
print "\nchr_codes:\t\t";
print @chr_codes;
#@string_to_send_arr = chr(split ",",$_);
}
print "\n\n";
until ($chr_count == scalar(@chr_codes)) {
$string_to_send .= chr($chr_codes[$chr_count]);
$chr_count++;
}
print "\n string_to_send are: ";
print $string_to_send;
$chr_count = 0;
chomp $string_to_send; # I'm not sure about that - let's test it!
$string_to_send .="\n";
print "\n String to send in UDP scan:$string_to_send";
}
else {
print "No string has been supplied for UDP - sending $string_to_send (defaults to time request)";
}
@input_matches = grep { /-stringlength:/ } @input;
$stringlength_option = $input_matches[0];
if ($stringlength_option =~ "-stringlength:") {
$random_string_length = substr ($input_matches[0], 14);
print "Length of random string is user set to:$random_string_length";
}
#################### Process -whois option ##################
@input_matches = grep { /-whois|-WHOIS/ } @input;
$whois_option = $input_matches[0];
if ($whois_option eq '-whois' || $whois_option eq '-WHOIS') { # was testing $csv_option, so -WHOIS never matched
print "\n whois option is ON. Will do a WHOIS search on any hacked IP addresses and put";
print "\n the results in whoisreport.txt.";
print "\n";
$whois_option = "ON";
}
#################### Process -csv option to enable CSV mode #############
@input_matches = grep { /-csv|-CSV/ } @input;
$csv_option = $input_matches[0];
if ($csv_option eq '-csv' || $csv_option eq '-CSV') {
$csv_option = "ON";
print "\n CSV mode ON. All output files except downloaded webpages will be in CSV mode ";
print "in format: Scantype,IP address,port,username,password,minutesup";
print "\n";
}
#################### Process -spamcheck and -novrfy options ###########
### -spamcheck ###
@input_matches = grep { /-spamcheck/ } @input;
$spamcheck_option = $input_matches[0];
if ($spamcheck_option eq '-spamcheck' || $spamcheck_option eq '-SPAMCHECK') {
$spamcheck_option = "ON";
print "\n Spammer vulnerability checking ON. (SMTP scantype only)";
print "\n";
}
### -novrfy ###
@input_matches = grep { /-novrfy/ } @input;
$novrfy_option = $input_matches[0];
if ($novrfy_option eq '-novrfy' || $novrfy_option eq '-NOVRFY') {
$novrfy_option = "ON";
$spamcheck_option = "ON";
$username_option = '-user:not_applicable_no_vrfy_option_selected';
# Above kludge resolves a bug-ette which stopped -novrfy from working.
print "\n VRFY commands switched OFF, spammer vulnerability checking ON (SMTP only)";
print "\n";
}
################## Process -timeout option ###################
@input_matches = grep { /-timeout:/ } @input;
$timeout_option = $input_matches[0];
if ($timeout_option =~ '-timeout:') {
print "\n -timeout option selected. ";
print "\n The timeout for connections has been re-set to ";
$timeout = substr ($input_matches[0], 9);
print "$timeout \n";
}
################## Process -portscan_timeout option ###################
@input_matches = grep { /-portscan_timeout:/ } @input;
$portscan_timeout_option = $input_matches[0];
if ($portscan_timeout_option =~ '-portscan_timeout:') {
print "\n -portscan_timeout option selected. ";
print "\n The timeout for the portscanner has been re-set to ";
$portscan_timeout = substr ($input_matches[0], 18);
print "$portscan_timeout \n";
print "\n";
}
############## Process -debug option ########################
@input_matches = grep { /-debug/ } @input;
$debug_option = $input_matches[0];
if ($debug_option eq '-debug') {
print "\n -debug option selected. Files will be generated to reflect various errors, ";
print "failed attempts to re-try connections, and webpages downloaded by the ";
print " -httpscan option (where applicable)";
print "\n";
$debug = "ON";
}
############## Process -logall option ########################
@input_matches = grep { /-logall/ } @input;
$logall_option = $input_matches[0];
if ($logall_option eq '-logall') {
print "\n -logall option selected. Files will be generated logging EVERY error, ";
print "even the extremely commonplace ones that would usually drown out the ";
print "interesting ones.";
print "\n";
$debug = "ON";
$logall = "ON";
}
################## Process -noportscan option ###############
@input_matches = grep { /-noportscan/ } @input;
$port_scan_option = $input_matches[0];
if ($port_scan_option eq '-noportscan') {
print "\n Port scan off, will assume target port's open when hacking ";
undef ($port_scan_option);
}
else {
$port_scan_option = "ON";
print "\n Port scan enabled (default), will test to see if port's open before trying to ";
print "hack it";
}
print "\n";
################## Process -synscan option ###########
@input_matches = grep { /-synscan/ } @input;
$synscan_option = $input_matches[0];
if ($synscan_option eq '-synscan') {
$synscan = "ON";
}
################## Process -syn_timeout option ###########
@input_matches = grep { /-syn_timeout:/ } @input;
$syn_timeout_option = $input_matches[0];
if ($syn_timeout_option =~ '-syn_timeout:') {
$syn_timeout = substr ($input_matches[0], 13);
$syn_trans_factor = ($syn_timeout / $syn_trans_attempts);
print "\n SYN timeout value adjusted to $syn_timeout cycles";
print "\n SYN packet transmission attempts are $syn_trans_attempts";
print "\n syn_trans_factor is now $syn_trans_factor\n";
}
################## Process -syn_trans_attempts option ###########
@input_matches = grep { /-syn_trans_attempts:/ } @input;
$syn_trans_attempts_option = $input_matches[0];
if ($syn_trans_attempts_option =~ '-syn_trans_attempts:') {
$syn_trans_attempts = substr ($input_matches[0], 20);
print "\n SYN packet transmission attempts adjusted to $syn_trans_attempts";
print "\n SYN timeout value is $syn_timeout";
$syn_trans_factor = ($syn_timeout / $syn_trans_attempts);
print "\n syn_trans_factor is now $syn_trans_factor\n";
}
################### Process -smtpbug option to find SMTP bug(s) ################
@input_matches = grep { /-smtpbug/ } @input;
$smtpbug = $input_matches[0];
if ($smtpbug eq '-smtpbug') {
$scantype = 'SMTP';
$scan_option = '-scantype:SMTP';
$username_option = '-user:not_applicable_when_smtpbug_option_selected';
# Minor bug of what happens if I try to search for an SMTP username called "debug"?
# resolved by creating a stupid fake $username_option
print "\n -smtpbug scan selected \n";
}
################################ Process -maxmins option ################
@input_matches = grep { /-maxmins:/ } @input;
$maxmins = substr($input_matches[0], 9);
if ($maxmins) {
print "\n OK, maxmins set to $maxmins. I will stop running after $maxmins minutes \n";
}
else {
print "\n -maxmins option not set, will run until I'm finished (or forever if a random_ip option has been set)";
}
print "\n";
################################ Process -ftpanon option ################
@input_matches = grep { /-ftpanon/ } @input;
$ftpanon = $input_matches[0];
if ($ftpanon eq '-ftpanon') {
$scantype = 'FTP';
$scan_option = '-scantype:FTP';
$username_option = '-user:ftp';
$password_option = '-pass:ftp';
print "\n -ftpanon (scan for anonymous FTP servers) selected \n";
}
################ Process forktimes option (multitasking) #######################
@input_matches = grep { /-forktimes:/ } @input;
$forktimes_option = $input_matches[0];
if ($forktimes_option =~ '-forktimes:') {
$forktimes = substr ($input_matches[0], 11);
print "\n forktimes set to $forktimes ";
}
print "\n";
if ($forktimes >0) {print "\n Multitasking mode selected, will run $forktimes processes in parallel\n";}
else {print " Single-task mode selected... \n";}
################# Process and act on max_retries option ####################################
@input_matches = grep { /max_retries/ } @input;
print "\n input_matches: @input_matches \n";
$max_retries_option = $input_matches[0];
if ($max_retries_option =~ '-max_retries:') {
$max_retries = substr ($input_matches[0], 13);
if (length($max_retries) == 0) { # Detect blank input
die "oops! You didn't give the max_retries option a number. \n Usage: -max_retries:20 (for example)\n";
}
print "\n max_retries set to $max_retries \n";
}
else {
print "\n max_retries set to default value of $max_retries \n";
}
############ Process scan type option (errors corrected in HackMaster() #################
unless ($ftpanon eq '-ftpanon' || $smtpbug eq '-smtpbug') {
@input_matches = grep { /-scantype:/ } @input;
$scan_option = $input_matches[0];
}
print "\n";
print "scan_option is $scan_option";
print "\n";
if ($scan_option =~ '-scantype:') {
print "Scan option selected. Good.";
print "\n";
$scantype = substr ($scan_option,10); # BOOKMARK POSS BUG of bad banner search
print "Scan type is: $scantype \n \n";
}
else {
print "\n\n YOU DID NOT ENTER A SCAN TYPE.";
print "\n (\$scantype = $scantype)";
print "\n (Check to see if you entered the '-scantype:' option before the actual scan type)";
print "\n";
PrintScanOptions();
print "\n ";
die "\n\n Didn't enter a scan type. I'm very disappointed in you, Dick. \n\n";
}
######################### Process stringorder option ####################
@input_matches = grep { /-stringorder:/ } @input;
$stringorder_option = $input_matches[0];
print "\n";
print "Stringorder_option:$stringorder_option";
print "\n";
if ($stringorder_option eq "-stringorder:1") {
$stringorder = 1;
print "(I will transmit custom string first)";
}
elsif ($stringorder_option eq "-stringorder:2") {
$stringorder = 2;
print "(I will wait to receive a string before transmitting)";
}
elsif ($stringorder_option eq "-stringorder:both") {
$stringorder = "both";
print "(I will do both, somehow)";
}
elsif ($stringorder_option eq "-stringorder:random") {
$stringorder = "random";
print "(I will switch around at random)";
}
else {
print "No string order option selected, will default according to scan type - UDP will transmit first, Banner mode (TCP) will do it second";
$stringorder = "default";
}
##################### Process port option (if entered) ##########################
@input_matches = grep { /-port:/ } @input;
$port_option = $input_matches[0];
print "\n";
print "port_option is $port_option";
print "\n";
if ($port_option =~ '-port:') {
$port = substr($port_option, 6); # Sets port to value in $port_option
$remote_port = $port;
print "\n Port: $port remote_port: $remote_port \n";
}
else {
print "Port option not set, deciding by scan";
if ($scantype eq "SSH" || $scantype eq "ssh") {$remote_port = 22;}
if ($scantype eq "FTP" || $scantype eq "ftp") {$remote_port = 21;}
if ($scantype eq "HTTP" || $scantype eq "http") {$remote_port = 80;}
if ($scantype eq "Telnet"|| $scantype eq "telnet" || $scantype eq "TELNET"){$remote_port = 23;}
if ($scantype eq "POP2" || $scantype eq "pop2") {$remote_port = 109;}
if ($scantype eq "POP3" || $scantype eq "pop3") {$remote_port = 110;}
if ($scantype eq "SMTP" || $scantype eq "smtp") {$remote_port = 25;}
if ($scantype eq "Banner" || $scantype eq "banner" || $scantype eq "BANNER") {$remote_port = 1433;}
if ($scantype eq "Searchopen" || $scantype eq "searchopen" || $scantype eq "SEARCHOPEN") {$remote_port = 1433;}
if ($scantype eq "udp" || $scantype eq "UDP" || $scantype eq "Udp") {$remote_port = 123;}
print "\n Scan type is $scantype, so port is $remote_port \n";
}
############################ Process username #############################################
unless ($ftpanon eq '-ftpanon' ||
$novrfy_option eq "ON" ||
$smtpbug eq '-smtpbug' ||
$scantype =~ 'banner' ||
$scantype =~ 'Banner' ||
$scantype =~ 'BANNER' ||
$scantype =~ 'searchopen' ||
$scantype =~ 'Searchopen' ||
$scantype =~ 'SEARCHOPEN' ||
$scantype =~ 'udp' ||
$scantype =~ 'UDP' ) {
@input_matches = grep { /-user/ } @input;
$username_option = $input_matches[0];
}
if ($username_option =~ '-user:') {
$username = substr($username_option, 6);
unless ($novrfy_option eq "ON" or $smtpbug eq '-smtpbug') {
print "\n Username is: $username \n";
}
}
elsif ($username_option =~ '-userblank') {
$username = '';
print "\n Username is set to blank. (Username:$username) See?";
}
elsif ($username_option =~ '-userfile:') {
$userfile = substr($username_option, 10);
print "\n Load usernames from file $userfile \n";
}
elsif ($scantype =~ "banner"||
$scantype =~ "Banner"||
$scantype =~ "BANNER"||
$scantype =~ 'searchopen' ||
$scantype =~ 'Searchopen' ||
$scantype =~ 'SEARCHOPEN' ||
$scantype =~ "CUSTOM"||
$scantype =~ "Custom"||
$scantype =~ "custom"||
$scantype =~ "udp"||
$scantype =~ "UDP") {
print "\n No need to load usernames, as doing a banner / UDP search \n"
}
elsif ($novrfy_option eq "ON") {
print "\n No need to load usernames as only scanning for spammer-vulnerable SMTP servers";
}
else {
PrintOptions();
statistics();
print "\n ********* DON'T PANIC - YOU JUST ENTERED THE USERNAME OPTION WRONG ********* ";
print "\n\n If you're like me, you probably typed -username:username or just";
print "\n plain forgot to specify a username option.";
print "\n\n Specify usernames with either -user:username, or ";
print "\n -userfile:wordlist.txt to specify a wordlist file.";
print "\n\n";
die;
}
########################### Process password #############################################
unless ($ftpanon eq '-ftpanon' ||
$scantype eq "SMTP" ||
$scantype eq "smtp" ||
$scantype =~ 'banner'||
$scantype =~ 'Banner'||
$scantype =~ 'BANNER'||
$scantype =~ 'searchopen' ||
$scantype =~ 'Searchopen' ||
$scantype =~ 'SEARCHOPEN' ||
$scantype =~ "CUSTOM"||
$scantype =~ "Custom"||
$scantype =~ "custom"||
$scantype =~ 'udp'||
$scantype =~ 'UDP' ) {
@input_matches = grep { /-pass/ } @input;
$password_option = $input_matches[0];
}
unless ($scantype eq "SMTP" ||
$scantype eq "smtp" ||
$scantype =~ 'banner' ||
$scantype =~ 'Banner' ||
$scantype =~ 'BANNER' ||
$scantype =~ 'searchopen' ||
$scantype =~ 'Searchopen' ||
$scantype =~ 'SEARCHOPEN' ||
$scantype =~ "CUSTOM"||
$scantype =~ "Custom"||
$scantype =~ "custom"||
$scantype =~ 'udp' ||
$scantype =~ 'UDP' ) {
if ($password_option =~ '-pass:') {
$password = substr($password_option, 6);
print "\n Password is: $password";
}
elsif ($password_option =~ '-passblank') {
$password = '';
print "\n Password is blank (Password:$password) See?";
}
elsif ($password_option =~ '-passfile:') {
$passfile = substr($password_option, 10);
print "\n Load passwords from file $passfile\n";
}
else {
PrintOptions();
print "\n ********* DON'T PANIC - YOU JUST ENTERED THE PASSWORD OPTION WRONG ********* ";
print "\n\n If you're like me, you probably typed -password:password or just";
print "\n plain forgot to specify a password option.";
print "\n\n Specify passwords with either -pass:password, -passblank (to";
print "\n try blank passwords) or -passfile:wordlist.txt to specify a";
print "\n wordlist file.";
print "\n\n";
die;
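Every numeric option above is read with the same grep-then-substr pattern, and only the -max_retries block checks for a blank value; a bad -timeout: or -sendstring_np: value is silently used as 0 or as an empty string. The following is an added example, not code from uberscan.pl, showing one validated parser that generalises the -max_retries check to all such options and to the comma-separated character codes of -sendstring_np. It uses Scalar::Util::looks_like_number, which the script already imports; the function names numeric_option and nonprinting_string, the bounds passed to them, and the sample command lines are assumptions constructed for this illustration.

```perl
#!/usr/bin/perl
# Added example, not part of uberscan.pl: one validated option parser in
# place of the repeated grep/substr blocks. Function names, bounds and the
# sample command lines are constructed for this illustration.
use strict;
use warnings;
use Scalar::Util qw(looks_like_number);

# Find "-name:value" in @$args and return the numeric value, or $default
# when the option is absent. Dies (like the -max_retries block) when the
# value is blank, non-numeric, or outside [$min, $max], so a typo such as
# "-timeout:" or "-timeout:3O" is caught before any connection is made.
sub numeric_option {
    my ($args, $name, $default, $min, $max) = @_;
    my ($match) = grep { /^\Q$name\E:/ } @$args;    # anchored, literal match
    return $default unless defined $match;
    my $value = substr($match, length($name) + 1);  # no hand-counted offsets
    die "oops! $name needs a number. Usage: $name:20 (for example)\n"
        if !length($value) || !looks_like_number($value);
    die "$name must be between $min and $max (got $value)\n"
        if $value < $min || $value > $max;
    return $value + 0;
}

# Turn "-sendstring_np:27,0,0" into raw bytes. Each code must be an
# integer 0..255; chr() of anything larger would silently produce a wide
# character rather than the single byte the caller expects.
sub nonprinting_string {
    my ($args) = @_;
    my ($match) = grep { /^-sendstring_np:/ } @$args;
    return undef unless defined $match;
    my $bytes = '';
    for my $code (split /,/, substr($match, length('-sendstring_np:'))) {
        die "bad character code '$code' in -sendstring_np (want 0-255)\n"
            unless $code =~ /^\d+$/ && $code <= 255;
        $bytes .= chr($code);
    }
    return $bytes;
}

# Constructed sample command lines; nothing here opens a socket.
my @good = ('-scantype:udp', '-timeout:15', '-max_retries:3', '-sendstring_np:27,0,0');
my @bad  = ('-scantype:udp', '-timeout:', '-max_retries:abc', '-sendstring_np:27,300');

my $timeout   = numeric_option(\@good, '-timeout',     30, 1, 600);
my $retries   = numeric_option(\@good, '-max_retries',  5, 0, 100);
my $forktimes = numeric_option(\@good, '-forktimes',    0, 0,  64);  # absent: default
my $bytes     = nonprinting_string(\@good);
printf "timeout=%d max_retries=%d forktimes=%d sendstring_np=[%s]\n",
    $timeout, $retries, $forktimes, join(',', unpack('C*', $bytes));

# Each malformed option is rejected with a usage message instead of being
# silently treated as 0 or as an empty string.
for my $name ('-timeout', '-max_retries') {
    eval { numeric_option(\@bad, $name, 0, 0, 100) };
    print "rejected: $@" if $@;
}
eval { nonprinting_string(\@bad) };
print "rejected: $@" if $@;
```

The anchored match (`/^\Q$name\E:/`) also removes an ambiguity in the original greps: `grep { /-user/ }` matches both -user: and -userfile:, and `grep { /max_retries/ }` matches any argument containing that substring, so the option chosen depends on argument order rather than on the option name.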