Implementation of a web version of the class Metasploit attack framework



This is part of a professional practice of my present knot, carefully taken out to share.

In the project, the attack module not only provides the automatic attack function, but also provides the user extension platform, and makes the effective extension through the stipulation rules writing rule.

(1) Attack module design

The attack module adopts the command line mode, and the design function sketch is as follows:

(a) Specify Exp name attack:

L Full Domain scanning

That is, to attack all existing domain names.

Python safecatcli.py-m exp_name-n [exploit_file_name]-O All

L Single Target scan

That is, the input URL or IP address is loaded into the attack script.

Python safecatcli.py-m exp_name-n [exploit_file_name]-o single-u [url or IP addr]

Lip Segment Scan

An attack on a host of an IP segment.

Python safecatcli.py-m exp_name-n [exploit_file_name]-O range-start [your-start-ip-addr]-end [YOUR-END-IP-ADDR]

(b) Specifying keywords for scanning:

You_class_name fill in the flag you want to attack, such as the integration of the project Discuz,ftp,ecshop, etc., here to fill in the information

L Specify query statement attack

Parse the submitted query statement, find the list of qualified domain names from es, and then load all the attack scripts of a module to attack.

Python safecatcli.py-c [your class name]-Q "[Your query string]"

For example: Attacking Taiwan's discuz host

Python safecatcli.py-c discuz-q "Discuz Country:taiwan"

L Specify a domain name attack

That is, a committed domain is attacked, loading all scripts from the module to attack.

Python safecatcli.py-c discuz-u [domain]

(2) Attack module implementation

The package structure of the entire attack module is as follows:

safecatcli.py is the portal file, and for how to build a command-line parsing system, we chose to use a library Optparse module in Python to complete. By using the Add_option method in the Optionparser class, you can easily add a command-line argument, such as adding a module selection parameter "-M" to achieve the following:

For the two modules that appear in the design (Specify the attack script module, the specified keyword module), two classes (Expmodule, keymodule) are implemented respectively. The member variables, class method names, and functions in a class are as follows:

Lexpmodule class:

Name	Function
self.es	Elasticsearch Client
Self.exp	Loaded exp Attack code
Self.file	Report files generated after the scan is complete
Self.httptools	HTTP Action Class
Scanall ()	Whole library domain name scanning function realizes
Scanonehost (target)	Single Target scanning function implementation
Scanonerange (STARTIP,ENDIP)	IP Segment Scanning function implementation

Regardless of the mode, the scan mode is the following mode:

A whole-Library domain name scan is a list of scanned domain names by acquiring all the domain names in the existing data, which requires interaction with the Elasticsearch server, and can be achieved through query DSL queries. After each task executes, the results of the task execution are saved and the ". Cat" suffix file is used as a report file and is provided to the user through the Web layer's views function. Finally, log the task to the database (Mysql).

A single target scan is a list of scanned domain names by the URL or IP address given by the user through the command-line arguments. Because it is a word scan, no reports are generated for downloading, but the results are printed through the Web layer and recorded in the database.

IP segment scanning is also based on a user-supplied IP address segment (consisting of a starting address, a termination address) as a list of domain names scanned. The process that a task passes is consistent with the whole library domain name scan.

Lkeymodule

Name	Function
self.es	Elasticsearch Client
Self.flag	User-supplied device or network component keywords (such as discuz)
Self.file	Report files generated after the scan is complete
Self.httptools	HTTP Action Class
Loadexploit ()	Load all exp attack code of the corresponding module
Queryparser (query)	Parsing a user's query statement
Scanbyquery (query)	Attack based on user search
Scanbydomain (Domain)	Attack a domain name or IP

Keymodule is primarily used to attack according to the keyword (key). Key definition is currently included in the network components or network equipment names, such as Discuz, Dedecms and so on. Another feature of this module is that it will load all the attack scripts below the key for polling attacks.

Scanbyquery mainly based on the user submitted query string from the Elasticsearch to pull the list of domain names scanned.

The Scanbydomain attacks according to the individual domain target submitted by the user.

The essence of the attack framework is to dynamically load the attack class, which uses Python's IMP module to complete class dynamic loading, and if the path problem leads to the unsuccessful class loading, you can add the working directory of the corresponding module to the Sys.path list directly.

(3) Definition and implementation of the rules for the writing of attacking classes

In order to achieve the scalability of the framework, writing rules must be limited, and some unified methods are abstracted out in the parent class Exploitcore, here mainly in the parent class to implement scanning rule validation, but because of time constraints, I just put out the framework, did not implement the method in the parent class.

The rules for writing an attack class are defined as follows:

1) class name Safecatexploit