Scanner for Intranet

Overview

cthun3是集成端口扫描,服务识别,netbios扫描,网站识别,暴力破解和漏洞扫描的工具. cthun(克苏恩)是魔兽世界电子游戏中一位上古之神

截图

cthun3结合viper使用时截图

image.png image.png image.png image.png image.png

使用方法

端口扫描

-ps-ip

端口扫描的ip地址范围,例如可以输入

-ps-ip 192.168.146.1-255,192.168.147.1-192.168.148.255,192.168.149.1/24,ip.txt

ip.txt与cthun在同一目录,ip.txt内容可以是如下格式

192.168.146.1-255
192.168.147.1-192.168.148.255,192.168.149.1/24

-ps-p

端口扫描的端口范围,例如可以输入

-ps-p 22,80,1-65535

-ps-tp

端口扫描top N端口,例如可以输入

-ps-tp 100

-ps-r

端口扫描每个端口的重试次数,可以增强稳定性

-ps-r 2

组合起来就可以像如下方式使用

cthun -ps-ip 192.168.146.1-255,ip.txt -ps-p 60000 -ps-tp 100 

Netbios扫描

-ns-ip

端口扫描的ip地址范围,例如可以输入

-ns-ip 192.168.146.1-255,192.168.147.1-192.168.148.255,192.168.149.1/24,ip.txt

ip.txt与cthun在同一目录,ip.txt内容可以是如下格式

192.168.146.1-255
192.168.147.1-192.168.148.255,192.168.149.1/24

Http扫描

-hs-ipport

与portscan组合使用,http扫描会自动将portscan结果中http及https协议的ip:port加入到扫描队列,只需输入

-hs-ipport ps

http扫描也可单独指定的ip:port列表,例如可以输入

-hs-ipport 192.168.146.1/24:8009,192.168.146.1-255:80,ipport.txt

ipport.txt与cthun在同一目录,ip.txt内容可以是如下格式

192.168.146.1-255:80
192.168.147.1-192.168.148.255:443,192.168.149.1/24:8080

-hs-url

检查网站是否存在指定的url

-hs-url /admin/login.jsp,/js/ijustcheck.js,/shell.php

组合起来就可以像如下方式使用

cthun -ps-ip ip.txt -ps-tp 100 -hs-ipport ps -hs-url /admin/login.jsp

cthun -hs-ipport 192.168.146.1-255:80 -hs-url /admin/login.jsp

暴力破解

-bf

与portscan组合使用,暴力破解会自动将portscan结果中符合条件的协议的ip:port加入到破解队列,只需输入

-bf

暴力破解协议列表:smb,ssh,redis,ftp,rdp,mysql,mongodb,memcached,vnc

-bf-smb

smb协议暴力破解,支持和user:pass及hashs暴力破解 与portscan组合使用,自动将portscan结果中smb协议的ip:port加入到扫描队列,只需输入

-bf-smb ps

http扫描也可单独指定的ip:port列表,例如可以输入

-bf-smb 192.168.146.1/24:445,192.168.146.1-255:445,ipport.txt

--bf-ssh -bf-redis -bf-ftp -bf-rdp -bf-mysql -bf-mongodb -bf-memcached -bf-vnc

参考-bf-smb使用方法

-bf-u

暴力破解用户名字典,

-bf-u  lab\\administrator,administrator,root,user.txt

user.txt文件内容格式

root
test
funnywolf

-bf-p

暴力破解密码字典,

-bf-u   1234qwer!@#$,root,foobared,password.txt

password.txt文件内容格式

root
test
123456

-bf-h

smb暴力破解哈希字典(注意不支持命令行直接输入hash内容)

-bf-h hashes.txt

hashes.txt文件内容格式

sealgod,domainadmin1,ae946ec6f4ca785ba54985f61a715a72:1d4d84d758cfa9a8a39f7121cb3e51ed
sealgod,domainadmin2,be946ec6f4ca785ba54985f61a715a72:2d4d84d758cfa9a8a39f7121cb3e51ed

-bf-sk

ssh协议私钥暴力破解,id_rsa为私钥文件名,id_rsa与cthun同一目录

-bf-sk id_rsa

--bf-dd

暴力破解是否使用内置字典

-bf-dd

组合起来就可以像如下方式使用

cthun -ps-ip ip.txt -ps-tp 100 -bf -bf-u user.txt -bf-p password.txt

cthun -ps-ip ip.txt -ps-tp 100 -bf-smb ps -bf-u user.txt -bf-p password.txt

cthun -bf-smb 192.168.146.1-255:445 -bf-u user.txt -bf-p password.txt

漏洞扫描

-vs

与portscan组合使用,漏洞会自动将portscan结果中符合条件的协议的ip:port加入到破解队列,只需输入

-vs

漏洞扫描协议列表:smb,http,https

-vs-smb -vs-http

参考-bf-smb使用方法

网络参数

-ms

最大连接数,Windows建议为100,Linux建议为300

-ms 200

-st

socket超时时间(秒),一般内网中网络延时很低,建议小于0.3

-st 0.2

-lh

是否加载ipportservice.log中的历史扫描结果,用于http扫描 暴力破解 漏洞扫描

-lh

优点

  • 端口扫描扫描速度快(255个IP,TOP100端口,15秒)
  • 服务识别准确(集成NMAP指纹数据库)
  • 单文件无依赖(方便内网扫描)
  • 适应性强(Windows Server 2003/Windows XP,Windows Server 2012,CentOS6,Debain9,ubuntu16)
  • 支持多种协议暴力破解
  • 支持netbios扫描(获取多网卡ip)
  • 支持vul扫描(ms17-010)

缺点

  • 可执行文件大(20M)
  • 不支持Windows Server 2003/Windows XP

漏洞列表

  • ms17-010
  • CVE_2019_3396
  • CVE_2017_12149
  • S2_015
  • S2_016
  • S2_045
  • CVE_2017_12615
  • CVE_2017_10271
  • CVE_2018_2894
  • CVE_2019_2729

依赖

  • RDP的暴力破解依赖OpenSSL(Windows Server 2003/Windows XP不能使用rdp暴力破解,其他功能无影响)
  • Linux服务器需要glibc版本大于2.5(高于centos5,ldd --version查看)

已测试

  • Windows Server 2003
  • Windows7
  • Windows Server 2012
  • CentOS5
  • Kali

更新日志

v1.0 20210712

新功能

  • 发布第一个版本
You might also like...
A simple subdomain scanner in python

Subdomain-Scanner A simple subdomain scanner in python ✨ Features scans subdomains of a domain thats it! 💁‍♀️ How to use first download the scanner.p

Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities

Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities Features 1 Scan one website 2 Scan multiple websites Insta

a cool, easily usable and customisable subdomains scanner
a cool, easily usable and customisable subdomains scanner

Subdah 🔎 another subdomains scanner. Installation ⚠️ Python 3.10 required ⚠️ $ git clone https://github.com/traumatism/subdah $ cd subdah $ pip3 inst

Web Headers Security Scanner
Web Headers Security Scanner

Web Headers Security Scanner

Kriecher is a simple Web Scanner which will run it's own checks for the OWASP

Kriecher is a simple Web Scanner which will run it's own checks for the OWASP top 10 https://owasp.org/www-project-top-ten/# as well as run a

An Advanced Local Network IP Scanner, made in python of course!
An Advanced Local Network IP Scanner, made in python of course!

██╗██████╗    ██████╗ █████╗ █████╗ ███╗ ██╗███╗ ██╗███████╗██████╗ ██║██╔══██╗  ██╔════╝██╔══██╗██╔══██╗████╗ ██║████╗ ██║██╔════╝██╔══██

XSS scanner in python

DeadXSS XSS scanner in python How to Download: Step 1: git clone https://github.com/Deadeye0x/DeadXSS.git Step 2: cd DeadXSS Step 3: python3 DeadXSS.p

Advanced subdomain scanner,  any domain hidden subdomains
Advanced subdomain scanner, any domain hidden subdomains

little advanced subdomain scanner made in python, works very quick and has options to change the port u want it to connect for

Moodle community-based vulnerability scanner
Moodle community-based vulnerability scanner

badmoodle Moodle community-based vulnerability scanner Description badmoodle is an unofficial community-based vulnerability scanner for moodle that sc

Releases(v1.0)
Owner
rootkit
hack for fun
rootkit
Dlint is a tool for encouraging best coding practices and helping ensure Python code is secure.

Dlint Dlint is a tool for encouraging best coding practices and helping ensure Python code is secure. The most important thing I have done as a progra

Dlint 127 Dec 27, 2022
Separation of Mainlobes and Sidelobes in the Ultrasound Image Based on the Spatial Covariance (MIST) and Aperture-Domain Spectrum of Received Signals

Separation of Mainlobes and Sidelobes in the Ultrasound Image Based on the Spatial Covariance (MIST) and Aperture-Domain Spectrum of Received Signals

Rehman Ali 3 Jan 03, 2023
Mass Check Vulnerable Log4j CVE-2021-44228

Log4j-CVE-2021-44228 Mass Check Vulnerable Log4j CVE-2021-44228 Introduction Actually I just checked via Vulnerable Application from https://github.co

Justakazh 6 Dec 28, 2022
A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

This project is no longer maintained March 2020 Update: Please go see the amazing Pysa tutorial that should get you up to speed finding security vulne

2.1k Dec 25, 2022
A collection of write-ups and solutions for Cyber FastTrack Spring 2021.

IMPORTANT: Please contact us before you use any styling or content shown here! Cyber FastTrack Spring 2021 / National Cyber Scholarship Competition -

Alice 48 Aug 28, 2022
Deobfuscate Log4Shell payloads with ease

Ox4Shell Deobfuscate Log4Shell payloads with ease. Description Since the release

Oxeye 137 Jan 02, 2023
Safety checks your installed dependencies for known security vulnerabilities

Safety checks your installed dependencies for known security vulnerabilities. By default it uses the open Python vulnerability database Safety DB, but

pyup.io 1.4k Dec 30, 2022
Web Headers Security Scanner

Web Headers Security Scanner

Emre Koybasi 3 Dec 16, 2022
Buffer Overflow para SLmail5.5 32 bits

SLmail5.5-Exploit-BoF Buffer Overflow para SLmail5.5 32 bits con un par de utilidades para que puedas hacer el tuyo REQUISITOS PARA QUE FUNCIONE: Desa

Luis Javier 15 Jul 30, 2022
Update of uncaptcha2 from 2019

YouTube Video Proof of Concept I created a new YouTube Video with technical Explanation for breaking Google's Audio reCAPTCHAs: Click on the image bel

Nikolai Tschacher 153 Dec 20, 2022
A gui application used for network reconnaissance while pentesting

netrecon A gui application used for network reconnaissance while pentesting

Krisna Pranav 4 Sep 03, 2022
这次是可可萝病毒!

可可萝病毒! 事情是这样的,我又开始不干正事了。 众所周知,在Python里,0x0等于0,但是不等于可可萝。 这很不好,我们得把它改成可可萝! 效果 一般的Python—— Python 3.8.0 (tags/v3.8.0:fa919fd, Oct 14 2019, 19:37:50) [MSC

黄巍 29 Jul 14, 2022
Denial Attacks by Various Methods

Denial Service Attack Denial Attacks by Various Methods IIIIIIIIIIIIIIIIIIII PPPPPPPPPPPPPPPPP VVVVVVVV VVVVVVVV I::

Baris Dincer 9 Nov 26, 2022
Generate obfuscated meterpreter shells

Generator Evade AV with obfuscated payloads Installation must install dotnet prior to running the script with net45 Running ./generator.py -ip Your-I

Fawaz Al-Mutairi 219 Nov 28, 2022
Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework)

Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework) Yosh! If you are a django backend develo

Abram (^o^) 7 Sep 30, 2022
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

Binary Defense 144 Nov 19, 2022
Course: Information Security with Python

Curso: Segurança da Informação com Python Curso realizado atravès da Plataforma da Digital Innovation One Prof: Bruno Dias Conteúdo: Introdução aos co

Elizeu Barbosa Abreu 1 Nov 28, 2021
A simple python-function, to gain all wlan passwords from stored wlan-profiles on a computer.

Wlan Fetcher Windows10 Description A simple python-function, to gain all wlan passwords from stored wlan-profiles on a computer. Usage This Script onl

2 Nov 20, 2021
Herramienta para descargar eventos de Sucuri WAF hacia disco.

Descarga los eventos de Sucuri Script para descargar los eventos del Sucuri Web Application Firewall (WAF) en el disco como archivos CSV. Requerimient

CSIRT-RD 2 Nov 29, 2021
Privacy-respecting metasearch engine

Privacy-respecting, hackable metasearch engine / pronunciation səːks. If you are looking for running instances, ready to use, then visit searx.space.

Searx engine 12.4k Jan 08, 2023