Implementation of a web version of a Metasploit-like attack framework

Source: Internet
Author: User
Tags: python


This is part of a practical project from my current stage of work; I have tidied this portion up to share it.

In this project, the attack module not only provides automated attacks but also serves as an extension platform for users: new attack scripts can be added as long as they follow a prescribed set of writing rules.

(1) Attack module design

The attack module works in command-line mode; the designed functions are sketched below:

(a) Attack by specified exp (attack script) name:

- Full-domain scan

That is, attack every domain name present in the existing data.

python safecatcli.py -m exp_name -n [exploit_file_name] -o all

- Single-target scan

That is, the URL or IP address supplied on the command line is passed to the attack script.

python safecatcli.py -m exp_name -n [exploit_file_name] -o single -u [url or IP addr]

- IP-range scan

Attack the hosts within an IP address range.

python safecatcli.py -m exp_name -n [exploit_file_name] -o range -start [your-start-ip-addr] -end [your-end-ip-addr]

(b) Attack by specified keyword:

your_class_name is the keyword (flag) you want to attack, i.e. one of the components integrated into the project, such as Discuz, ftp, ecshop, etc.

- Attack by query statement

Parse the submitted query statement, retrieve the list of matching domain names from Elasticsearch (es), then load all the attack scripts of the module and attack.

python safecatcli.py -c [your class name] -q "[your query string]"

For example, attacking Discuz hosts in Taiwan:

python safecatcli.py -c discuz -q "Discuz Country:taiwan"

- Attack by specified domain name

That is, attack a single submitted domain, loading all of the module's scripts against it.

python safecatcli.py -c discuz -u [domain]

(2) Attack module implementation

The package structure of the entire attack module is as follows:


safecatcli.py is the entry file. To build the command-line parsing, we chose Python's optparse library. With the add_option method of the OptionParser class, a command-line argument can be added easily; for example, the module selection parameter "-m" is added as follows:
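The following is an added example of the command-line front end for the scan modes listed above, written with optparse as the post describes; it is not the original safecatcli.py. The flag names come from the post, except that the range bounds are spelled --start/--end here (an assumption: optparse only accepts single-character names after a single dash). The validation step enforces that the mode's required arguments are present and that an IP range is well-formed before anything is loaded.

```python
"""Command-line parsing for the exp and keyword modules (added example)."""
import ipaddress
from optparse import OptionParser


def build_parser():
    parser = OptionParser(usage="usage: %prog [options]")
    # Module selection parameter, added with add_option as the post describes.
    parser.add_option("-m", "--module", dest="module",
                      help="name of the exp (attack script) module to load")
    parser.add_option("-n", "--name", dest="exploit_file",
                      help="attack script file name inside the module")
    parser.add_option("-o", "--option", dest="mode", type="choice",
                      choices=["all", "single", "range"],
                      help="scan mode: all, single or range")
    parser.add_option("-u", "--url", dest="target",
                      help="single target URL, IP address or domain")
    # Assumed long names; the post writes them as -start/-end.
    parser.add_option("--start", dest="start_ip", help="first address of an IP range")
    parser.add_option("--end", dest="end_ip", help="last address of an IP range")
    parser.add_option("-c", "--class", dest="class_name",
                      help="keyword (component name) such as discuz")
    parser.add_option("-q", "--query", dest="query",
                      help="query statement used to resolve targets from Elasticsearch")
    return parser


def validate(options):
    """Return a mode label once the options are complete and consistent.

    Raises ValueError with a user-facing message; parse_command_line turns
    that into parser.error() so the usage text is shown.
    """
    if options.module and options.class_name:
        raise ValueError("-m and -c are mutually exclusive")
    if options.module:
        if options.mode is None:
            raise ValueError("-m requires -o all|single|range")
        if options.mode == "single" and not options.target:
            raise ValueError("-o single requires -u")
        if options.mode == "range":
            if not (options.start_ip and options.end_ip):
                raise ValueError("-o range requires --start and --end")
            start = ipaddress.ip_address(options.start_ip)  # ValueError on junk input
            end = ipaddress.ip_address(options.end_ip)
            if start.version != end.version or start > end:
                raise ValueError("invalid IP range: start must not exceed end")
        return "exp:" + options.mode
    if options.class_name:
        if bool(options.query) == bool(options.target):
            raise ValueError("-c requires exactly one of -q or -u")
        return "key:query" if options.query else "key:domain"
    raise ValueError("one of -m or -c is required")


def parse_command_line(argv):
    """Parse argv (without the program name); return (mode label, options)."""
    parser = build_parser()
    options, _ = parser.parse_args(argv)
    try:
        return validate(options), options
    except ValueError as exc:
        parser.error(str(exc))  # prints usage and exits with status 2


if __name__ == "__main__":
    import sys
    mode, opts = parse_command_line(sys.argv[1:])
    print("selected mode:", mode)
```

Keeping the consistency checks in a separate validate() function, rather than in the option callbacks, means the same rules can be reused by the web layer when it dispatches tasks without going through the command line.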

For the two modules in the design (the specified-attack-script module and the specified-keyword module), two classes, ExpModule and KeyModule, are implemented. Their member variables, method names, and functions are listed below:

ExpModule class:

Name                          Function
self.es                       Elasticsearch client
self.exp                      Loaded exp attack code
self.file                     Report file generated after the scan completes
self.httptools                HTTP operation class
scanall()                     Whole-library domain name scan
scanonehost(target)           Single-target scan
scanonerange(startip, endip)  IP-range scan


Regardless of the mode, scanning follows the flow below:

A whole-library domain name scan builds its target list by fetching all domain names in the existing data; this requires interacting with the Elasticsearch server and is done with query DSL queries. After each task runs, its results are saved in a file with the ".cat" suffix, which serves as the report file and is made available to the user through the web layer's view function. Finally, the task is logged to the database (MySQL).

A single-target scan uses the URL or IP address the user supplies on the command line as its target list. Because it is a single scan, no report is generated for download; the results are displayed through the web layer and recorded in the database.

IP-range scanning likewise uses a user-supplied IP address range (a start address and an end address) as its target list. The task flow is the same as for the whole-library domain name scan.

KeyModule class:

Name                          Function
self.es                       Elasticsearch client
self.flag                     User-supplied device or web component keyword (such as discuz)
self.file                     Report file generated after the scan completes
self.httptools                HTTP operation class
loadexploit()                 Load all exp attack code of the corresponding module
queryparser(query)            Parse the user's query statement
scanbyquery(query)            Attack based on the user's search
scanbydomain(domain)          Attack a single domain name or IP

KeyModule is used mainly to attack according to a keyword (key). A key is currently defined as the name of a web component or network device, such as Discuz or DedeCMS. Another feature of this module is that it loads all the attack scripts under the key and tries them in turn.

scanbyquery pulls the list of domain names to scan from Elasticsearch based on the query string the user submits.

scanbydomain attacks the single domain target submitted by the user.

The core of the attack framework is dynamic loading of the attack class, which is done with Python's imp module. If a path problem causes the class to fail to load, the working directory of the corresponding module can be added directly to the sys.path list.

(3) Definition and implementation of the rules for writing attack classes

To make the framework extensible, the writing rules must be constrained, and some common methods are abstracted into the parent class ExploitCore; the parent class is mainly meant to implement validation of the scanning rules. Because of time constraints, I only laid out the framework and did not implement that method in the parent class.

The rules for writing an attack class are defined as follows:

1) The class name is SafeCatExploit
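The following added example shows the dynamic loading described in section (2) together with the rule validation that section (3) leaves unimplemented in the parent class; it is not the project's own code. The post loads scripts with the imp module, which was removed in Python 3.12, so importlib.util is used here; addressing the script by file path also sidesteps the sys.path problem the post mentions. Rule 1 (class named SafeCatExploit, here taken to mean inheriting from ExploitCore) comes from the post; the required check() method, the loader injecting the base class into the plugin's namespace, and the two constructed plugin sources are assumptions made for the example.

```python
"""Plugin loading with writing-rule validation (added example)."""
import importlib.util
import inspect
import os
import sys
import tempfile

REQUIRED_CLASS = "SafeCatExploit"   # rule 1 from the post
REQUIRED_METHODS = ("check",)       # assumed interface, not from the post


class ExploitCore:
    """Parent class. Plugins must subclass it, be named SafeCatExploit and override check()."""
    name = "unnamed"

    def check(self, target):
        raise NotImplementedError

    @classmethod
    def validate_rules(cls, module):
        """Return the plugin class if the module follows the rules, else raise TypeError."""
        plugin = getattr(module, REQUIRED_CLASS, None)
        if plugin is None:
            raise TypeError(f"no class {REQUIRED_CLASS} in {module.__name__}")
        if not (inspect.isclass(plugin) and issubclass(plugin, cls)):
            raise TypeError(f"{REQUIRED_CLASS} must inherit from {cls.__name__}")
        for meth in REQUIRED_METHODS:
            # An un-overridden method is the very same function object as the base one.
            if getattr(plugin, meth) is getattr(cls, meth):
                raise TypeError(f"{REQUIRED_CLASS} does not implement {meth}()")
        return plugin


def load_exploit(path):
    """Load one attack-script file by path, validate it, and return its class."""
    mod_name = "safecat_exp_" + os.path.splitext(os.path.basename(path))[0]
    spec = importlib.util.spec_from_file_location(mod_name, path)
    module = importlib.util.module_from_spec(spec)
    module.ExploitCore = ExploitCore      # loader supplies the base class (assumption)
    sys.modules[mod_name] = module
    try:
        spec.loader.exec_module(module)
        return ExploitCore.validate_rules(module)
    except Exception:
        sys.modules.pop(mod_name, None)   # never keep a half-loaded or invalid module
        raise


# Constructed plugin sources: one follows the rules, one breaks rule 1.
GOOD_PLUGIN = '''
class SafeCatExploit(ExploitCore):
    name = "demo-check"
    def check(self, target):
        return {"target": target, "result": "demo"}   # constructed stand-in result
'''
BAD_PLUGIN = '''
class Exploit(ExploitCore):      # wrong class name
    def check(self, target):
        return None
'''


def demo():
    """Write both plugins to a temp dir, load them; return (class name, result, error)."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "demo_exp.py"), os.path.join(d, "broken_exp.py")
        with open(good, "w") as f:
            f.write(GOOD_PLUGIN)
        with open(bad, "w") as f:
            f.write(BAD_PLUGIN)
        cls = load_exploit(good)
        result = cls().check("example.invalid")
        try:
            load_exploit(bad)
            error = None
        except TypeError as exc:
            error = str(exc)
    return cls.__name__, result, error


if __name__ == "__main__":
    print(demo())
```

Validating the class before it is registered, and dropping the module from sys.modules on failure, keeps a malformed or stale script from being picked up by a later loadexploit() call under the same name.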
