sssnake/Autarch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Autarch/modules/recon.py

2192 lines
94 KiB
Python
Raw Normal View History

Initial public release — AUTARCH v1.0.0 Full security platform with web dashboard, 16 Flask blueprints, 26 modules, autonomous AI agent, WebUSB hardware support, and Archon Android companion app. Includes Hash Toolkit, debug console, anti-stalkerware shield, Metasploit/RouterSploit integration, WireGuard VPN, OSINT reconnaissance, and multi-backend LLM support. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 03:57:32 -08:00
"""
AUTARCH Recon Module
Open Source Intelligence (OSINT) gathering
Domain, IP, email, username, and phone reconnaissance tools.
Integrates with social-analyzer for social media analysis.
Uses unified sites database from sherlock, maigret, and social-analyzer.
"""
import os
import sys
import subprocess
import socket
import re
import json
import time
import concurrent.futures
import urllib.request
from pathlib import Path
from urllib.parse import urlparse, quote
from typing import List, Dict, Optional, Tuple
from random import randint
from datetime import datetime
# Module metadata
DESCRIPTION = "OSINT & reconnaissance tools"
AUTHOR = "darkHal"
VERSION = "2.3"
CATEGORY = "osint"
sys.path.insert(0, str(Path(__file__).parent.parent))
from core.banner import Colors, clear_screen, display_banner
from core.sites_db import get_sites_db
from core.report_generator import get_report_generator
from core.config import get_config
class Recon:
"""OSINT and reconnaissance tools."""
def __init__(self):
self.social_analyzer_available = self._check_social_analyzer()
self.sites_db = get_sites_db()
self.config = get_config()
osint_settings = self.config.get_osint_settings()
self.scan_config = {
'max_sites': 200,
'include_nsfw': osint_settings['include_nsfw'],
'categories': None, # None = all categories
'timeout': osint_settings['timeout'],
'threads': osint_settings['max_threads'],
}
def _check_social_analyzer(self) -> bool:
"""Check if social-analyzer is installed."""
try:
result = subprocess.run(
"social-analyzer --help",
shell=True,
capture_output=True,
timeout=5
)
return result.returncode == 0
except:
return False
def print_status(self, message: str, status: str = "info"):
colors = {"info": Colors.CYAN, "success": Colors.GREEN, "warning": Colors.YELLOW, "error": Colors.RED}
symbols = {"info": "*", "success": "+", "warning": "!", "error": "X"}
print(f"{colors.get(status, Colors.WHITE)}[{symbols.get(status, '*')}] {message}{Colors.RESET}")
def run_cmd(self, cmd: str, timeout: int = 30) -> tuple:
try:
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
return result.returncode == 0, result.stdout.strip()
except:
return False, ""
# ==================== EMAIL OSINT ====================
def email_lookup(self):
"""Email address OSINT."""
print(f"\n{Colors.BOLD}Email OSINT{Colors.RESET}")
email = input(f"{Colors.WHITE}Enter email address: {Colors.RESET}").strip()
if not email or '@' not in email:
self.print_status("Invalid email address", "error")
return
username, domain = email.split('@')
print(f"\n{Colors.CYAN}{'' * 50}{Colors.RESET}")
print(f"{Colors.BOLD}Target: {email}{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 50}{Colors.RESET}\n")
# Email format analysis
print(f"{Colors.CYAN}Email Analysis:{Colors.RESET}")
print(f" Username: {username}")
print(f" Domain: {domain}")
# Check if domain has MX records
success, output = self.run_cmd(f"dig +short MX {domain}")
if success and output:
print(f" Mail Svr: {output.split()[1] if len(output.split()) > 1 else output}")
else:
print(f" Mail Svr: {Colors.YELLOW}No MX record{Colors.RESET}")
# Breach check resources
print(f"\n{Colors.CYAN}Breach Check Resources:{Colors.RESET}")
print(f" HaveIBeenPwned: https://haveibeenpwned.com/account/{quote(email)}")
print(f" DeHashed: https://dehashed.com/search?query={quote(email)}")
print(f" IntelX: https://intelx.io/?s={quote(email)}")
# Email validation
print(f"\n{Colors.CYAN}Email Validation:{Colors.RESET}")
# Check common patterns
disposable_domains = ['tempmail', 'throwaway', 'guerrilla', 'mailinator', '10minute']
is_disposable = any(d in domain.lower() for d in disposable_domains)
print(f" Disposable: {'Yes' if is_disposable else 'No'}")
# Gravatar check
import hashlib
email_hash = hashlib.md5(email.lower().encode()).hexdigest()
print(f" Gravatar: https://gravatar.com/avatar/{email_hash}")
# Related accounts lookup
print(f"\n{Colors.CYAN}Account Search:{Colors.RESET}")
print(f" Google: https://www.google.com/search?q=\"{quote(email)}\"")
print(f" GitHub: https://api.github.com/search/users?q={quote(email)}+in:email")
def email_permutator(self):
"""Generate email permutations."""
print(f"\n{Colors.BOLD}Email Permutator{Colors.RESET}")
first_name = input(f"{Colors.WHITE}First name: {Colors.RESET}").strip().lower()
last_name = input(f"{Colors.WHITE}Last name: {Colors.RESET}").strip().lower()
domain = input(f"{Colors.WHITE}Domain (e.g., company.com): {Colors.RESET}").strip().lower()
if not first_name or not last_name or not domain:
return
# Generate permutations
permutations = [
f"{first_name}.{last_name}@{domain}",
f"{first_name}{last_name}@{domain}",
f"{last_name}.{first_name}@{domain}",
f"{last_name}{first_name}@{domain}",
f"{first_name[0]}{last_name}@{domain}",
f"{first_name}{last_name[0]}@{domain}",
f"{first_name[0]}.{last_name}@{domain}",
f"{first_name}.{last_name[0]}@{domain}",
f"{last_name}@{domain}",
f"{first_name}@{domain}",
f"{first_name}_{last_name}@{domain}",
f"{first_name}-{last_name}@{domain}",
]
print(f"\n{Colors.CYAN}Generated Email Permutations:{Colors.RESET}\n")
for email in permutations:
print(f" {email}")
# Save option
save = input(f"\n{Colors.WHITE}Save to file? (y/n): {Colors.RESET}").strip().lower()
if save == 'y':
filename = f"{first_name}_{last_name}_emails.txt"
with open(filename, 'w') as f:
f.write('\n'.join(permutations))
self.print_status(f"Saved to {filename}", "success")
# ==================== USERNAME OSINT ====================
# WAF/Captcha detection - only specific challenge page indicators
WAF_PATTERNS = re.compile(
r'captcha-info|Completing the CAPTCHA|'
r'cf-browser-verification|cf_chl_prog|'
r'ddos protection by|verify you are human|'
r'please turn javascript on|enable cookies to continue',
re.IGNORECASE
)
WAF_TITLE_PATTERNS = re.compile(
r'just a moment|attention required|'
r'ddos-guard|security check required',
re.IGNORECASE
)
# Detection strings - return "false" means if found, user does NOT exist
# Detection strings - return "true" means if found, user EXISTS
SHARED_DETECTIONS = {
'mastodon': [
{'return': False, 'string': "The page you are looking for isn"},
{'return': True, 'string': 'profile:username'},
{'return': True, 'string': '/@{username}'},
],
'discourse': [
{'return': True, 'string': 'og:title'},
{'return': True, 'string': '"{username}"'},
],
'gitlab': [
{'return': True, 'string': 'user-profile'},
],
'phpbb': [
{'return': False, 'string': 'No user'},
{'return': True, 'string': 'memberlist'},
],
'xenforo': [
{'return': False, 'string': 'The requested member could not be found'},
{'return': True, 'string': 'member-header'},
],
'vbulletin': [
{'return': False, 'string': 'is not a member'},
{'return': True, 'string': 'profile-header'},
],
}
# Common patterns indicating user does NOT exist (return: false)
# Prioritized by specificity - more specific patterns first
NOT_FOUND_STRINGS = [
# Very specific "not found" phrases
'user not found', 'profile not found', 'account not found',
'member not found', 'page not found', 'no user found',
'does not exist', 'doesn\'t exist', 'no such user',
'could not be found', 'cannot be found', 'user doesn\'t exist',
'the specified member cannot be found',
'the requested user is not valid',
'this user is not registered',
'this username is available', 'username is available',
'claim this username', 'this name is available',
# Account status
'user has been deleted', 'account has been suspended',
'account has been deleted', 'user has been banned',
'this account has been suspended', 'account is suspended',
'this profile is no longer available',
# Soft 404 phrases
'there\'s nothing here', 'this page is no longer available',
'the page you are looking for isn\'t here',
'hmm...this page doesn\'t exist', 'oops! page not found',
'sorry, nobody on reddit goes by that name',
'something went wrong', 'we couldn\'t find',
# Registration/signup prompts (indicates username available)
'create an account', 'sign up now', 'register now',
'join now', 'create your account',
]
# Patterns that strongly indicate user EXISTS (return: true)
# These should be profile-specific elements
FOUND_STRINGS = [
# Profile metadata
'og:title', 'profile:username', 'og:profile',
# Profile structure indicators
'user-profile', 'member-header', 'profile-header',
'profile-info', 'user-info', 'profile-content',
'profile-card', 'user-card', 'member-card',
# User statistics
'followers', 'following', 'subscribers', 'friends',
'member since', 'joined', 'last seen', 'last active',
'total posts', 'reputation', 'karma', 'cake day',
# Action buttons (only appear on real profiles)
'send message', 'private message', 'follow user',
'add friend', 'block user', 'report user',
# Verified indicators
'verified account', 'verified user',
]
# Site-specific detection patterns (like cupidcr4wl's data)
# Format: domain -> {check_text: [...], not_found_text: [...]}
SITE_PATTERNS = {
# Social Media
'reddit.com': {
'check_text': ['karma', 'cake day', 'trophy-case'],
'not_found_text': ['sorry, nobody on reddit goes by that name', 'page not found'],
},
'twitter.com': {
'check_text': ['followers', 'following', 'data-testid="UserName"'],
'not_found_text': ['this account doesn\'t exist', 'account suspended'],
},
'x.com': {
'check_text': ['followers', 'following', 'data-testid="UserName"'],
'not_found_text': ['this account doesn\'t exist', 'account suspended'],
},
'instagram.com': {
'check_text': ['followers', 'following', 'edge_owner_to_timeline_media'],
'not_found_text': ['sorry, this page isn\'t available'],
},
'tiktok.com': {
'check_text': ['followers', 'following', 'likes'],
'not_found_text': ['couldn\'t find this account'],
},
'github.com': {
'check_text': ['contributions', 'repositories', 'gist-summary'],
'not_found_text': ['not found'],
},
'youtube.com': {
'check_text': ['subscribers', 'channel-header'],
'not_found_text': ['this page isn\'t available'],
},
# Forums
'forums.': {
'check_text': ['member since', 'posts:', 'joined:', 'post count'],
'not_found_text': ['member not found', 'no user', 'user doesn\'t exist'],
},
# Adult/Cam sites
'chaturbate.com': {
'check_text': ['broadcaster_gender', 'room_status', 'bio', 'following'],
'not_found_text': ['http 404', 'page not found', 'bio page not available'],
},
'onlyfans.com': {
'check_text': ['subscribersCount', '@'],
'not_found_text': ['sorry, this page is not available'],
},
'fansly.com': {
'check_text': ['followers', 'subscribersCount'],
'not_found_text': ['not found'],
},
'pornhub.com': {
'check_text': ['subscribers', 'video views', 'profile-info'],
'not_found_text': ['page not found', '404'],
},
'xvideos.com': {
'check_text': ['subscribers', 'video views'],
'not_found_text': ['not found'],
},
'stripchat.com': {
'check_text': ['followers', 'bio'],
'not_found_text': ['not found', 'model not found'],
},
# Art/Creative
'deviantart.com': {
'check_text': ['watchers', 'deviations', 'gallery'],
'not_found_text': ['this deviant doesn\'t exist'],
},
'artstation.com': {
'check_text': ['followers', 'following', 'likes'],
'not_found_text': ['not found'],
},
'furaffinity.net': {
'check_text': ['submissions', 'favorites', 'watchers'],
'not_found_text': ['user not found', 'the user you specified could not be found'],
},
'e621.net': {
'check_text': ['favorites', 'uploads'],
'not_found_text': ['not found'],
},
# Gaming
'twitch.tv': {
'check_text': ['followers', 'channel-header'],
'not_found_text': ['sorry, unless you\'ve got a time machine'],
},
'steam': {
'check_text': ['recent activity', 'level'],
'not_found_text': ['specified profile could not be found'],
},
# Dating
'fetlife.com': {
'check_text': ['role:', 'orientation:', 'looking for:'],
'not_found_text': ['user not found', 'the page you requested'],
},
}
# Tracker/aggregator sites to deprioritize (not the real site)
TRACKER_DOMAINS = [
'tracker', 'stats', 'lookup', 'checker', 'finder', 'search',
'viewer', 'imginn', 'picuki', 'dumpor', 'smihub', 'tumbral',
'gramho', 'pixwox', 'instastories', 'storiesig', 'insta',
'webstagram', 'vibbi', 'picbear', 'sometag', 'mulpix',
]
# Common false positive URLs to skip
FALSE_POSITIVE_URLS = [
'/login', '/signin', '/signup', '/register', '/join',
'/404', '/error', '/not-found', '/notfound',
'/search', '/home', '/index', '/welcome',
]
# Site-specific cookies for age verification and consent
SITE_COOKIES = {
'chaturbate.com': 'agreeterms=1; age_verified=1',
'stripchat.com': 'age_confirmed=true',
'bongacams.com': 'bonga_age=true',
'cam4.com': 'age_checked=true',
'myfreecams.com': 'mfc_age_check=1',
'camsoda.com': 'age_verified=1',
'livejasmin.com': 'age_gate=true',
'pornhub.com': 'age_verified=1; accessAgeDisclaimerPH=1',
'xvideos.com': 'age_verified=1',
'xhamster.com': 'age_check=1',
'xnxx.com': 'age_verified=1',
'redtube.com': 'age_verified=1',
'youporn.com': 'age_verified=1',
'spankbang.com': 'age_verified=1',
'eporner.com': 'age_verified=1',
'fapster.xxx': 'age_verified=1',
'rule34.xxx': 'age_gate=1',
'e621.net': 'age_check=1',
'furaffinity.net': 'sfw=0',
'inkbunny.net': 'age_check=1',
'hentai-foundry.com': 'age_check=1',
'f95zone.to': 'xf_logged_in=1',
'imgsrc.ru': 'lang=en; over18=1',
'fansly.com': 'age_verified=1',
'onlyfans.com': 'age_verified=1',
'fetlife.com': 'age_check=1',
}
# Random User-Agent rotation to avoid detection
USER_AGENTS = [
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
]
@staticmethod
def validate_username(username: str) -> Tuple[bool, str]:
"""Validate username before searching (like Snoop).
Returns:
Tuple of (is_valid, error_message)
"""
if not username:
return False, "Username cannot be empty"
if len(username) < 2:
return False, "Username too short (minimum 2 characters)"
if len(username) > 100:
return False, "Username too long (maximum 100 characters)"
# Check for obviously invalid characters
invalid_chars = set('<>{}[]|\\^~`')
if any(c in username for c in invalid_chars):
return False, f"Username contains invalid characters: {invalid_chars}"
# If it looks like an email, extract the username part
if '@' in username and '.' in username.split('@')[-1]:
return True, "email" # Signal this is an email
return True, "ok"
def _get_site_patterns(self, domain: str) -> Optional[Dict]:
"""Get site-specific detection patterns for a domain."""
domain_lower = domain.lower()
for pattern_domain, patterns in self.SITE_PATTERNS.items():
if pattern_domain in domain_lower:
return patterns
return None
def _check_site(self, site: Dict, username: str, retry: int = 0) -> Optional[Dict]:
"""Check if username exists on a site using CupidCr4wl-style detection.
Detection logic (following CupidCr4wl pattern):
1. If status 200 + error_string found NOT FOUND (return None)
2. If status 200 + match_string found FOUND (green)
3. If status 200 + neither matched POSSIBLE (yellow)
4. If status == error_code NOT FOUND (return None)
5. Response URL redirect detection for response_url/redirection types
"""
try:
# Random delay to avoid rate limiting (like Snoop)
time.sleep(randint(10, 100) / 1000)
url = site['url'].replace('{}', username)
# Build request with rotating User-Agent
# NOTE: Don't request gzip encoding - urllib doesn't auto-decompress it
headers = {
'User-Agent': self.USER_AGENTS[randint(0, len(self.USER_AGENTS) - 1)],
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.9',
'Connection': 'keep-alive',
'Upgrade-Insecure-Requests': '1',
}
if site.get('headers'):
headers.update(site['headers'])
# Add site-specific cookies for age verification
parsed_url = urlparse(url)
domain = parsed_url.netloc.lower()
for cookie_domain, cookies in self.SITE_COOKIES.items():
if cookie_domain in domain:
headers['Cookie'] = cookies
break
req = urllib.request.Request(url, headers=headers)
# Get detection info from database
error_type = site.get('error_type', 'status_code')
error_code = site.get('error_code')
error_string = site.get('error_string', '').strip() if site.get('error_string') else None
match_code = site.get('match_code')
match_string = site.get('match_string', '').strip() if site.get('match_string') else None
# Get site-specific patterns
site_patterns = self._get_site_patterns(domain)
try:
with urllib.request.urlopen(req, timeout=self.scan_config['timeout']) as response:
status_code = response.getcode()
final_url = response.geturl()
resp_headers = {k.lower(): v.lower() for k, v in response.headers.items()}
raw_content = response.read()
try:
content = raw_content.decode('utf-8', errors='ignore')
except:
content = raw_content.decode('latin-1', errors='ignore')
content_lower = content.lower()
content_len = len(content)
# === WAF/Captcha Detection ===
is_filtered = False
# Extract title for analysis
title = ''
title_match = re.search(r'<title[^>]*>([^<]+)</title>', content, re.IGNORECASE)
if title_match:
title = title_match.group(1).strip()
# Check for Cloudflare challenge page (not just Cloudflare-served sites)
cf_challenge_patterns = [
'just a moment', 'checking your browser', 'please wait',
'ray id', 'cf-browser-verification', 'cf_chl_opt',
'enable javascript and cookies', 'why do i have to complete a captcha',
]
if any(p in content_lower for p in cf_challenge_patterns):
is_filtered = True
# Check for actual WAF block patterns in content
if self.WAF_PATTERNS.search(content):
# Only flag if it's a short page (likely error/block page)
if content_len < 5000:
is_filtered = True
# Check title for WAF patterns (challenge pages have distinctive titles)
if title and self.WAF_TITLE_PATTERNS.search(title):
# "Just a moment..." is Cloudflare challenge
if 'moment' in title.lower() or 'attention' in title.lower() or 'blocked' in title.lower():
is_filtered = True
if is_filtered:
return {
'name': site['name'],
'url': url,
'category': site.get('category', 'other'),
'status': 'filtered',
'rate': '0%',
'title': 'filtered',
}
# === CupidCr4wl-Style Detection System ===
username_lower = username.lower()
# Collect all not_found and check texts
not_found_texts = []
check_texts = []
# 1. Add database patterns
if error_string:
not_found_texts.append(error_string.lower())
if match_string:
# Handle {username} placeholder
check_texts.append(
match_string.replace('{username}', username)
.replace('{account}', username).lower()
)
# 2. Add site-specific patterns
if site_patterns:
not_found_texts.extend([s.lower() for s in site_patterns.get('not_found_text', [])])
check_texts.extend([s.lower() for s in site_patterns.get('check_text', [])])
# 3. Detection based on error_type
# --- Status code detection ---
if error_type == 'status_code':
if error_code and status_code == error_code:
return None # Expected "not found" status code
if status_code >= 400:
return None # Error status
# --- Response URL / Redirect detection ---
if error_type in ('response_url', 'redirection'):
# Check if redirected away from profile page
if final_url != url and username_lower not in final_url.lower():
# Check if redirected to login/error page
final_lower = final_url.lower()
if any(fp in final_lower for fp in self.FALSE_POSITIVE_URLS):
return None
# Redirected to different page - likely not found
if domain not in final_lower:
return None
# === Pattern Matching (CupidCr4wl style) ===
not_found_matched = []
check_matched = []
# Check not_found_texts
for nf_text in not_found_texts:
if nf_text and nf_text in content_lower:
not_found_matched.append(nf_text)
# Check check_texts
for c_text in check_texts:
if c_text and c_text in content_lower:
check_matched.append(c_text)
# Fallback: check generic NOT_FOUND_STRINGS if no specific patterns
if not not_found_texts:
for nf_string in self.NOT_FOUND_STRINGS:
if nf_string.lower() in content_lower:
not_found_matched.append(nf_string)
break # One is enough
# Fallback: check generic FOUND_STRINGS if no specific patterns
if not check_texts:
for f_string in self.FOUND_STRINGS:
check_str = f_string.replace('{username}', username_lower).lower()
if check_str in content_lower:
check_matched.append(f_string)
# === Determine Result (CupidCr4wl logic) ===
# Priority: not_found_text match beats everything
if not_found_matched:
# Not found text was found - user doesn't exist
return None
# Username presence check
username_in_content = username_lower in content_lower
username_in_title = username_lower in title.lower() if title else False
# Calculate confidence
found_indicators = len(check_matched)
if username_in_content:
found_indicators += 1
if username_in_title:
found_indicators += 1
# Determine status
if check_matched and (username_in_content or username_in_title):
# check_text matched AND username found → FOUND (green)
status = 'good'
rate = min(100, 60 + (found_indicators * 10))
elif check_matched:
# check_text matched but username not explicitly found → POSSIBLE (yellow)
status = 'maybe'
rate = 50 + (found_indicators * 10)
elif username_in_content and status_code == 200:
# No patterns matched but username in content with 200 → POSSIBLE
status = 'maybe'
rate = 40 + (found_indicators * 5)
elif status_code == 200 and content_len > 1000:
# Got 200 with substantial content but no matches → LOW confidence
status = 'maybe'
rate = 30
else:
# Nothing matched
return None
# === Additional Validation ===
# Very short pages are usually error pages
if content_len < 500 and not check_matched:
if not username_in_content:
return None
# Check for tracker sites
url_lower = url.lower()
is_tracker = any(t in url_lower for t in self.TRACKER_DOMAINS)
# Minimum threshold
if rate < 30:
return None
return {
'name': site['name'],
'url': url,
'category': site.get('category', 'other'),
'rate': f'{rate}%',
'status': status,
'title': title[:100] if title else '',
'is_tracker': is_tracker,
'check_matched': len(check_matched),
'not_found_matched': len(not_found_matched),
'error_type': error_type,
'has_pattern': bool(error_string or match_string or site_patterns),
}
except urllib.error.HTTPError as e:
# Handle HTTP errors using database patterns
if error_code and e.code == error_code:
# Expected "not found" code from database
return None
if e.code == 404:
return None
if e.code in [403, 401]:
return {
'name': site['name'],
'url': url,
'category': site.get('category', 'other'),
'status': 'restricted',
'rate': '?',
}
# Retry on 5xx errors
if e.code >= 500 and retry < 2:
time.sleep(1)
return self._check_site(site, username, retry + 1)
return None
except urllib.error.URLError as e:
# Retry on connection errors
if retry < 2:
time.sleep(1)
return self._check_site(site, username, retry + 1)
return None
except Exception:
return None
except Exception:
return None
return None
def username_lookup(self):
"""Username OSINT across platforms using sites database."""
print(f"\n{Colors.BOLD}Username OSINT{Colors.RESET}")
# Show database stats
db_stats = self.sites_db.get_stats()
print(f"{Colors.DIM}Database: {db_stats['total_sites']} sites available{Colors.RESET}\n")
username = input(f"{Colors.WHITE}Enter username: {Colors.RESET}").strip()
if not username:
return
# Validate username
is_valid, validation_msg = self.validate_username(username)
if not is_valid:
self.print_status(validation_msg, "error")
return
# If it's an email, ask if they want to extract username
if validation_msg == "email":
email_username = username.split('@')[0]
use_email_user = input(f"{Colors.WHITE}Detected email. Use '{email_username}' as username? (y/n): {Colors.RESET}").strip().lower()
if use_email_user == 'y':
username = email_username
print(f"{Colors.CYAN}[*] Using username: {username}{Colors.RESET}")
# Scan type selection
print(f"\n{Colors.CYAN}Scan Type:{Colors.RESET}")
print(f" {Colors.GREEN}[1]{Colors.RESET} Quick scan (top 100 sites)")
print(f" {Colors.GREEN}[2]{Colors.RESET} Standard scan (500 sites)")
print(f" {Colors.GREEN}[3]{Colors.RESET} Full scan (all {db_stats['enabled_sites']} sites)")
print(f" {Colors.GREEN}[4]{Colors.RESET} Custom scan (by category)")
scan_choice = input(f"\n{Colors.WHITE}Select [1-4]: {Colors.RESET}").strip()
max_sites = 100
categories = None
# Use config setting as default
osint_settings = self.config.get_osint_settings()
include_nsfw = osint_settings['include_nsfw']
if scan_choice == '2':
max_sites = 500
elif scan_choice == '3':
max_sites = 99999 # All sites
elif scan_choice == '4':
# Category selection
cats = self.sites_db.get_categories()
print(f"\n{Colors.CYAN}Available Categories:{Colors.RESET}")
for i, (cat, count) in enumerate(cats, 1):
print(f" {Colors.GREEN}[{i}]{Colors.RESET} {cat} ({count} sites)")
cat_input = input(f"\n{Colors.WHITE}Enter category numbers (comma-separated): {Colors.RESET}").strip()
try:
indices = [int(x.strip()) - 1 for x in cat_input.split(',')]
categories = [cats[i][0] for i in indices if 0 <= i < len(cats)]
except:
categories = None
max_sites = 99999
# NSFW option (default from config)
if db_stats['nsfw_sites'] > 0:
default_nsfw = 'y' if include_nsfw else 'n'
nsfw_choice = input(f"{Colors.WHITE}Include NSFW sites? (y/n) [{Colors.GREEN if include_nsfw else Colors.DIM}{default_nsfw}{Colors.WHITE}]: {Colors.RESET}").strip().lower()
if nsfw_choice: # Only change if user provided input
include_nsfw = nsfw_choice == 'y'
print(f"\n{Colors.CYAN}{'' * 60}{Colors.RESET}")
print(f"{Colors.BOLD}Target Username: {username}{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 60}{Colors.RESET}\n")
# Get sites from database
sites = self.sites_db.get_sites_for_scan(
categories=categories,
include_nsfw=include_nsfw,
max_sites=max_sites
)
total_sites = len(sites)
est_time = (total_sites * self.scan_config['timeout']) // self.scan_config['threads'] // 60
print(f"{Colors.CYAN}[*] Scanning {total_sites} sites with {self.scan_config['threads']} threads...{Colors.RESET}")
print(f"{Colors.DIM} (Estimated time: {est_time}-{est_time*2} minutes for full scan){Colors.RESET}\n")
found = []
checked = 0
errors = 0
scan_start = time.time()
# Multi-threaded scanning
try:
with concurrent.futures.ThreadPoolExecutor(max_workers=self.scan_config['threads']) as executor:
future_to_site = {executor.submit(self._check_site, site, username): site for site in sites}
for future in concurrent.futures.as_completed(future_to_site):
site = future_to_site[future]
checked += 1
# Show current site being checked (verbose)
print(f"\r{Colors.DIM} [{checked}/{total_sites}] Checking: {site['name'][:30]:30}{Colors.RESET}", end='', flush=True)
try:
result = future.result()
if result:
found.append(result)
status = result.get('status', '')
rate = result.get('rate', '0%')
is_tracker = result.get('is_tracker', False)
# Clear the checking line and display result
print(f"\r{' ' * 60}\r", end='')
# Display based on status (social-analyzer style)
if status == 'filtered':
pass # Don't show filtered/WAF blocked
elif status == 'restricted':
pass # Don't show restricted in real-time, summarize later
elif status == 'good':
marker = f"{Colors.DIM}[tracker]{Colors.RESET} " if is_tracker else ""
print(f" {Colors.GREEN}[+]{Colors.RESET} {result['name']:25} {marker}{result['url']} {Colors.GREEN}[{rate}]{Colors.RESET}")
elif status == 'maybe' and not is_tracker:
print(f" {Colors.YELLOW}[?]{Colors.RESET} {result['name']:25} {result['url']} {Colors.YELLOW}[{rate}]{Colors.RESET}")
# 'bad' status not shown in real-time
except Exception as e:
errors += 1
# Progress indicator every 100 sites
if checked % 100 == 0:
print(f"\r{' ' * 60}\r{Colors.DIM} ... progress: {checked}/{total_sites} sites checked, {len(found)} found{Colors.RESET}")
# Clear the last checking line
print(f"\r{' ' * 60}\r", end='')
except KeyboardInterrupt:
print(f"\n{Colors.YELLOW}[!] Scan interrupted by user{Colors.RESET}")
# Summary
print(f"\n{Colors.CYAN}{'' * 60}{Colors.RESET}")
print(f"{Colors.BOLD}Results Summary{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 60}{Colors.RESET}")
print(f" Sites in scan: {total_sites}")
print(f" Sites checked: {checked}")
print(f" Profiles found: {Colors.GREEN}{len(found)}{Colors.RESET}")
if errors > 0:
print(f" Errors: {Colors.YELLOW}{errors}{Colors.RESET}")
if found:
# Categorize results (social-analyzer style: good/maybe/bad)
good = [f for f in found if f.get('status') == 'good']
maybe = [f for f in found if f.get('status') == 'maybe']
bad = [f for f in found if f.get('status') == 'bad']
restricted = [f for f in found if f.get('status') == 'restricted']
filtered = [f for f in found if f.get('status') == 'filtered']
# Separate trackers from real sites
good_real = [f for f in good if not f.get('is_tracker')]
good_trackers = [f for f in good if f.get('is_tracker')]
maybe_real = [f for f in maybe if not f.get('is_tracker')]
# Count pattern-based detections
pattern_based = [f for f in found if f.get('has_pattern')]
generic_based = [f for f in found if not f.get('has_pattern')]
print(f"\n{Colors.CYAN}Results Breakdown:{Colors.RESET}")
print(f" {Colors.GREEN}Detected (good):{Colors.RESET} {len(good_real)}")
print(f" {Colors.YELLOW}Unknown (maybe):{Colors.RESET} {len(maybe_real)}")
print(f" {Colors.DIM}Bad (low rate):{Colors.RESET} {len(bad)}")
print(f" {Colors.DIM}Restricted (403):{Colors.RESET} {len(restricted)}")
print(f" {Colors.DIM}Filtered (WAF):{Colors.RESET} {len(filtered)}")
print(f" {Colors.DIM}Tracker sites:{Colors.RESET} {len(good_trackers)}")
print(f"\n{Colors.CYAN}Detection Method:{Colors.RESET}")
print(f" {Colors.GREEN}Pattern-based:{Colors.RESET} {len(pattern_based)} (from database)")
print(f" {Colors.DIM}Generic fallback:{Colors.RESET} {len(generic_based)}")
# Group detected by category
by_cat = {}
for f in good_real:
cat = f.get('category', 'other')
if cat not in by_cat:
by_cat[cat] = []
by_cat[cat].append(f)
if by_cat:
print(f"\n{Colors.CYAN}Detected by Category:{Colors.RESET}")
for cat, items in sorted(by_cat.items(), key=lambda x: -len(x[1])):
print(f" {cat}: {len(items)}")
# Show detected profiles (good status)
if good_real:
print(f"\n{Colors.GREEN}{'' * 40}{Colors.RESET}")
print(f"{Colors.GREEN}Detected Profiles:{Colors.RESET}")
print(f"{Colors.GREEN}{'' * 40}{Colors.RESET}")
for r in sorted(good_real, key=lambda x: x['name'].lower())[:20]:
print(f" [{r.get('rate', '?')}] {r['name']}: {r['url']}")
# Show unknown profiles (maybe status)
if maybe_real:
print(f"\n{Colors.YELLOW}{'' * 40}{Colors.RESET}")
print(f"{Colors.YELLOW}Unknown (may exist):{Colors.RESET}")
print(f"{Colors.YELLOW}{'' * 40}{Colors.RESET}")
for r in sorted(maybe_real, key=lambda x: x['name'].lower())[:15]:
print(f" [{r.get('rate', '?')}] {r['name']}: {r['url']}")
# Option to show restricted
if restricted:
show_restricted = input(f"\n{Colors.WHITE}Show {len(restricted)} restricted results? (y/n): {Colors.RESET}").strip().lower()
if show_restricted == 'y':
print(f"\n{Colors.YELLOW}Restricted (may exist, access denied):{Colors.RESET}")
for r in restricted[:30]:
print(f" [?] {r['name']}: {r['url']}")
# Save option
save = input(f"\n{Colors.WHITE}Save results? [{Colors.GREEN}1{Colors.WHITE}] JSON [{Colors.GREEN}2{Colors.WHITE}] HTML [{Colors.GREEN}3{Colors.WHITE}] Both [{Colors.RED}n{Colors.WHITE}] No: {Colors.RESET}").strip().lower()
if save in ['1', '2', '3']:
if save in ['1', '3']:
filename = f"{username}_profiles.json"
with open(filename, 'w') as f:
json.dump({'username': username, 'found': found, 'total_checked': checked}, f, indent=2)
self.print_status(f"Saved JSON to {filename}", "success")
if save in ['2', '3']:
# Generate HTML report
reporter = get_report_generator()
scan_time = time.time() - scan_start
report_path = reporter.generate_username_report(
username=username,
results=found,
total_checked=checked,
scan_time=scan_time
)
self.print_status(f"Saved HTML report to {report_path}", "success")
def social_analyzer_search(self, username: str):
"""Run social-analyzer on a username."""
if not self.social_analyzer_available:
self.print_status("social-analyzer not installed. Install with: pip install social-analyzer", "warning")
return
print(f"\n{Colors.CYAN}Running social-analyzer...{Colors.RESET}")
print(f"{Colors.DIM}This may take a few minutes...{Colors.RESET}\n")
# Run social-analyzer
cmd = f"social-analyzer --username '{username}' --metadata --output json 2>/dev/null"
success, output = self.run_cmd(cmd, timeout=300)
if success and output:
try:
results = json.loads(output)
detected = results.get('detected', [])
if detected:
print(f"{Colors.GREEN}Found {len(detected)} profiles:{Colors.RESET}\n")
for profile in detected[:20]:
site = profile.get('site', 'Unknown')
link = profile.get('link', '')
print(f" {Colors.GREEN}+{Colors.RESET} {site:20} {link}")
else:
print(f"{Colors.YELLOW}No profiles detected{Colors.RESET}")
except json.JSONDecodeError:
print(output) # Show raw output
else:
self.print_status("social-analyzer scan completed (check for results)", "info")
# ==================== PHONE OSINT ====================
def phone_lookup(self):
"""Phone number OSINT."""
print(f"\n{Colors.BOLD}Phone Number OSINT{Colors.RESET}")
print(f"{Colors.DIM}Enter with country code (e.g., +1234567890){Colors.RESET}\n")
phone = input(f"{Colors.WHITE}Enter phone number: {Colors.RESET}").strip()
if not phone:
return
# Clean phone number
phone_clean = re.sub(r'[^\d+]', '', phone)
print(f"\n{Colors.CYAN}{'' * 50}{Colors.RESET}")
print(f"{Colors.BOLD}Target: {phone_clean}{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 50}{Colors.RESET}\n")
# Parse phone number
print(f"{Colors.CYAN}Number Analysis:{Colors.RESET}")
# Country code detection
country_codes = {
'+1': 'USA/Canada', '+44': 'UK', '+49': 'Germany', '+33': 'France',
'+81': 'Japan', '+86': 'China', '+91': 'India', '+7': 'Russia',
'+61': 'Australia', '+55': 'Brazil', '+34': 'Spain', '+39': 'Italy'
}
country = 'Unknown'
for code, name in country_codes.items():
if phone_clean.startswith(code):
country = name
break
print(f" Country: {country}")
print(f" Format: {phone_clean}")
# Carrier lookup resources
print(f"\n{Colors.CYAN}Carrier Lookup:{Colors.RESET}")
print(f" NumVerify: https://numverify.com/")
print(f" Twilio: https://www.twilio.com/lookup")
# Search resources
print(f"\n{Colors.CYAN}Search Resources:{Colors.RESET}")
print(f" TrueCaller: https://www.truecaller.com/search/{quote(phone_clean)}")
print(f" Sync.me: https://sync.me/search/?number={quote(phone_clean)}")
print(f" SpyDialer: https://www.spydialer.com/")
print(f" WhitePages: https://www.whitepages.com/phone/{quote(phone_clean)}")
print(f" Google: https://www.google.com/search?q=\"{quote(phone_clean)}\"")
# Messaging apps check
print(f"\n{Colors.CYAN}Messaging Apps (manual check):{Colors.RESET}")
print(f" - WhatsApp: Add to contacts and check profile")
print(f" - Telegram: Search by phone number")
print(f" - Signal: Check if registered")
# CallerID spam check
print(f"\n{Colors.CYAN}Spam/Scam Check:{Colors.RESET}")
print(f" https://www.shouldianswer.com/phone-number/{phone_clean.replace('+', '')}")
# ==================== DOMAIN/IP (from original) ====================
def domain_info(self):
"""Gather domain information."""
print(f"\n{Colors.BOLD}Domain Reconnaissance{Colors.RESET}")
domain = input(f"{Colors.WHITE}Enter domain: {Colors.RESET}").strip()
if not domain:
return
if '://' in domain:
domain = urlparse(domain).netloc
domain = domain.split('/')[0]
print(f"\n{Colors.CYAN}{'' * 50}{Colors.RESET}")
print(f"{Colors.BOLD}Target: {domain}{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 50}{Colors.RESET}\n")
# DNS Resolution
print(f"{Colors.CYAN}DNS Records:{Colors.RESET}")
try:
ip = socket.gethostbyname(domain)
print(f" A Record: {ip}")
except:
print(f" A Record: {Colors.RED}Not found{Colors.RESET}")
for record_type in ['MX', 'NS', 'TXT']:
success, output = self.run_cmd(f"dig +short {record_type} {domain} 2>/dev/null")
if success and output:
records = output.split('\n')[:3]
print(f" {record_type} Record: {records[0]}")
# WHOIS
print(f"\n{Colors.CYAN}WHOIS Information:{Colors.RESET}")
success, output = self.run_cmd(f"whois {domain} 2>/dev/null")
if success and output:
important = ['Registrar:', 'Creation Date:', 'Expiration Date:', 'Name Server:', 'Organization:']
for line in output.split('\n'):
for key in important:
if key.lower() in line.lower():
print(f" {line.strip()}")
break
# Subdomains
print(f"\n{Colors.CYAN}Subdomains (via crt.sh):{Colors.RESET}")
success, output = self.run_cmd(f"curl -s 'https://crt.sh/?q=%.{domain}&output=json' 2>/dev/null | head -5000")
if success and output:
try:
certs = json.loads(output)
subdomains = set()
for cert in certs:
name = cert.get('name_value', '')
for sub in name.split('\n'):
if sub and '*' not in sub:
subdomains.add(sub)
for sub in sorted(subdomains)[:15]:
print(f" {sub}")
if len(subdomains) > 15:
print(f" {Colors.DIM}... and {len(subdomains) - 15} more{Colors.RESET}")
except:
pass
def ip_info(self):
"""Gather IP address information."""
print(f"\n{Colors.BOLD}IP Address Reconnaissance{Colors.RESET}")
ip = input(f"{Colors.WHITE}Enter IP address: {Colors.RESET}").strip()
if not ip:
return
try:
socket.inet_aton(ip)
except:
self.print_status("Invalid IP address", "error")
return
print(f"\n{Colors.CYAN}{'' * 50}{Colors.RESET}")
print(f"{Colors.BOLD}Target: {ip}{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 50}{Colors.RESET}\n")
# Reverse DNS
print(f"{Colors.CYAN}Reverse DNS:{Colors.RESET}")
try:
hostname = socket.gethostbyaddr(ip)[0]
print(f" Hostname: {hostname}")
except:
print(f" Hostname: {Colors.DIM}Not found{Colors.RESET}")
# GeoIP
print(f"\n{Colors.CYAN}Geolocation:{Colors.RESET}")
success, output = self.run_cmd(f"curl -s 'http://ip-api.com/json/{ip}' 2>/dev/null")
if success and output:
try:
data = json.loads(output)
print(f" Country: {data.get('country', 'Unknown')}")
print(f" Region: {data.get('regionName', 'Unknown')}")
print(f" City: {data.get('city', 'Unknown')}")
print(f" ISP: {data.get('isp', 'Unknown')}")
print(f" Org: {data.get('org', 'Unknown')}")
except:
pass
# Quick port scan
print(f"\n{Colors.CYAN}Quick Port Scan:{Colors.RESET}")
common_ports = [21, 22, 23, 25, 80, 443, 445, 3306, 3389, 8080]
for port in common_ports:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(0.5)
if sock.connect_ex((ip, port)) == 0:
print(f" {port}/tcp open")
sock.close()
def subdomain_enum(self):
"""Enumerate subdomains."""
print(f"\n{Colors.BOLD}Subdomain Enumeration{Colors.RESET}")
domain = input(f"{Colors.WHITE}Enter domain: {Colors.RESET}").strip()
if not domain:
return
if '://' in domain:
domain = urlparse(domain).netloc
print(f"\n{Colors.CYAN}Enumerating subdomains for {domain}...{Colors.RESET}\n")
subdomains = set()
# Certificate Transparency
self.print_status("Checking certificate transparency logs...", "info")
success, output = self.run_cmd(f"curl -s 'https://crt.sh/?q=%.{domain}&output=json' 2>/dev/null")
if success and output:
try:
certs = json.loads(output)
for cert in certs:
name = cert.get('name_value', '')
for sub in name.split('\n'):
if sub and '*' not in sub and domain in sub:
subdomains.add(sub.strip())
except:
pass
# Common subdomains
self.print_status("Checking common subdomains...", "info")
common_subs = [
'www', 'mail', 'ftp', 'webmail', 'smtp', 'pop', 'ns1', 'ns2',
'vpn', 'api', 'dev', 'staging', 'test', 'blog', 'shop', 'admin',
'portal', 'secure', 'app', 'mobile', 'cdn', 'static', 'assets'
]
for sub in common_subs:
fqdn = f"{sub}.{domain}"
try:
socket.gethostbyname(fqdn)
subdomains.add(fqdn)
except:
pass
print(f"\n{Colors.GREEN}Found {len(subdomains)} subdomains:{Colors.RESET}\n")
for sub in sorted(subdomains):
try:
ip = socket.gethostbyname(sub)
print(f" {sub:40} -> {ip}")
except:
print(f" {sub}")
def tech_detect(self):
"""Detect technologies on a website."""
print(f"\n{Colors.BOLD}Technology Detection{Colors.RESET}")
url = input(f"{Colors.WHITE}Enter URL: {Colors.RESET}").strip()
if not url:
return
if not url.startswith('http'):
url = f"https://{url}"
print(f"\n{Colors.CYAN}Analyzing {url}...{Colors.RESET}\n")
# Fetch headers
success, output = self.run_cmd(f"curl -sI '{url}' 2>/dev/null")
if success and output:
print(f"{Colors.CYAN}HTTP Headers:{Colors.RESET}")
for line in output.split('\n'):
if ':' in line:
key = line.split(':')[0].lower()
if key in ['server', 'x-powered-by', 'x-aspnet-version', 'x-generator']:
print(f" {line.strip()}")
techs = []
output_lower = output.lower()
if 'nginx' in output_lower: techs.append("Nginx")
if 'apache' in output_lower: techs.append("Apache")
if 'cloudflare' in output_lower: techs.append("Cloudflare")
if 'php' in output_lower: techs.append("PHP")
if techs:
print(f"\n{Colors.CYAN}Detected:{Colors.RESET}")
for tech in techs:
print(f" {Colors.GREEN}+{Colors.RESET} {tech}")
# ==================== TOOLS ====================
def run_geoip_module(self):
"""Run the GEO IP/Domain Lookup module."""
try:
from modules.geoip import run as geoip_run
geoip_run()
except ImportError as e:
self.print_status(f"Failed to load GEO IP module: {e}", "error")
except Exception as e:
self.print_status(f"Error running GEO IP module: {e}", "error")
def run_yandex_module(self):
"""Run the Yandex OSINT module."""
try:
from modules.yandex_osint import run as yandex_run
yandex_run()
except ImportError as e:
self.print_status(f"Failed to load Yandex OSINT module: {e}", "error")
except Exception as e:
self.print_status(f"Error running Yandex OSINT module: {e}", "error")
def run_network_test(self):
"""Run the Network Test module."""
try:
from modules.nettest import run as nettest_run
nettest_run()
except ImportError as e:
self.print_status(f"Failed to load Network Test module: {e}", "error")
except Exception as e:
self.print_status(f"Error running Network Test module: {e}", "error")
def run_snoop_decoder(self):
"""Run the Snoop Database Decoder module."""
try:
from modules.snoop_decoder import run as snoop_run
snoop_run()
except ImportError as e:
self.print_status(f"Failed to load Snoop Decoder: {e}", "error")
except Exception as e:
self.print_status(f"Error running Snoop Decoder: {e}", "error")
def run_dossier_manager(self):
"""Run the Dossier Manager module."""
try:
from modules.dossier import run as dossier_run
dossier_run()
except ImportError as e:
self.print_status(f"Failed to load Dossier Manager: {e}", "error")
except Exception as e:
self.print_status(f"Error running Dossier Manager: {e}", "error")
def show_sites_db_stats(self):
"""Display sites database statistics."""
print(f"\n{Colors.BOLD}Sites Database Statistics{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 50}{Colors.RESET}\n")
stats = self.sites_db.get_stats()
coverage = self.sites_db.get_detection_coverage()
print(f" {Colors.CYAN}Database Path:{Colors.RESET} {stats['db_path']}")
print(f" {Colors.CYAN}Database Size:{Colors.RESET} {stats['db_size_mb']:.2f} MB")
print()
print(f" {Colors.GREEN}Total Sites:{Colors.RESET} {stats['total_sites']:,}")
print(f" {Colors.GREEN}Enabled:{Colors.RESET} {stats['enabled_sites']:,}")
print(f" {Colors.RED}NSFW Sites:{Colors.RESET} {stats['nsfw_sites']:,}")
# Detection coverage section
print(f"\n {Colors.CYAN}Detection Coverage:{Colors.RESET}")
print(f" With detection type: {stats['with_detection']:>5,} ({coverage.get('pct_error_type', 0):.1f}%)")
print(f" With error string: {coverage['with_error_string']:>5,} ({coverage.get('pct_error_string', 0):.1f}%)")
print(f" With match string: {coverage['with_match_string']:>5,} ({coverage.get('pct_match_string', 0):.1f}%)")
# By error type
if stats.get('by_error_type'):
print(f"\n {Colors.CYAN}By Detection Method:{Colors.RESET}")
for etype, count in sorted(stats['by_error_type'].items(), key=lambda x: -x[1]):
bar = '' * min(int(count / 200), 25)
print(f" {etype:20} {count:>5,} {Colors.MAGENTA}{bar}{Colors.RESET}")
print(f"\n {Colors.CYAN}By Source:{Colors.RESET}")
for source, count in sorted(stats['by_source'].items(), key=lambda x: -x[1]):
bar = '' * min(int(count / 200), 30)
print(f" {source:20} {count:>5,} {Colors.GREEN}{bar}{Colors.RESET}")
print(f"\n {Colors.CYAN}By Category:{Colors.RESET}")
for cat, count in sorted(stats['by_category'].items(), key=lambda x: -x[1])[:10]:
bar = '' * min(int(count / 100), 30)
print(f" {cat:20} {count:>5,} {Colors.BLUE}{bar}{Colors.RESET}")
# ==================== NMAP SCANNER ====================
def _check_nmap(self) -> bool:
"""Check if nmap is installed."""
from core.paths import find_tool
return find_tool('nmap') is not None
def _run_nmap(self, target: str, flags: str, description: str, timeout: int = 300):
"""Run an nmap scan with live output and color coding."""
if not target.strip():
self.print_status("Target cannot be empty", "error")
return
cmd = f"nmap {flags} {target}"
print(f"\n{Colors.CYAN}{'' * 60}{Colors.RESET}")
print(f"{Colors.BOLD}Scan: {description}{Colors.RESET}")
print(f"{Colors.DIM}Command: {cmd}{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 60}{Colors.RESET}\n")
full_output = []
open_ports = []
try:
proc = subprocess.Popen(
cmd, shell=True,
stdout=subprocess.PIPE, stderr=subprocess.STDOUT
)
for raw_line in iter(proc.stdout.readline, b''):
line = raw_line.decode('utf-8', errors='ignore').rstrip('\n')
full_output.append(line)
line_lower = line.lower()
if 'open' in line_lower and ('tcp' in line_lower or 'udp' in line_lower or '/' in line):
print(f" {Colors.GREEN}{line}{Colors.RESET}")
open_ports.append(line.strip())
elif 'closed' in line_lower or 'filtered' in line_lower:
print(f" {Colors.DIM}{line}{Colors.RESET}")
elif 'nmap scan report' in line_lower:
print(f" {Colors.CYAN}{Colors.BOLD}{line}{Colors.RESET}")
else:
print(f" {line}")
proc.wait(timeout=timeout)
except subprocess.TimeoutExpired:
proc.kill()
self.print_status("Scan timed out", "warning")
except KeyboardInterrupt:
proc.kill()
self.print_status("Scan interrupted", "warning")
except Exception as e:
self.print_status(f"Scan error: {e}", "error")
return
# Summary
print(f"\n{Colors.CYAN}{'' * 60}{Colors.RESET}")
if open_ports:
print(f"{Colors.GREEN}{Colors.BOLD}Open ports found: {len(open_ports)}{Colors.RESET}")
for p in open_ports:
print(f" {Colors.GREEN} {p}{Colors.RESET}")
else:
print(f"{Colors.YELLOW}No open ports found{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 60}{Colors.RESET}")
# Save option
save = input(f"\n{Colors.WHITE}Save output to file? (y/n): {Colors.RESET}").strip().lower()
if save == 'y':
safe_target = re.sub(r'[^\w.\-]', '_', target)
filename = f"{safe_target}_nmap.txt"
with open(filename, 'w') as f:
f.write('\n'.join(full_output))
self.print_status(f"Saved to {filename}", "success")
def nmap_scanner(self):
"""Nmap scanner submenu."""
if not self._check_nmap():
self.print_status("nmap is not installed", "error")
return
while True:
print(f"\n{Colors.BOLD}Nmap Scanner{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 50}{Colors.RESET}")
print(f" {Colors.GREEN}[1]{Colors.RESET} Top 100 Ports - Fastest common port scan")
print(f" {Colors.GREEN}[2]{Colors.RESET} Quick Scan - Default top 1000 ports")
print(f" {Colors.GREEN}[3]{Colors.RESET} Full TCP Scan - All 65535 ports (slow)")
print(f" {Colors.GREEN}[4]{Colors.RESET} Stealth SYN Scan - Half-open scan (needs root)")
print(f" {Colors.GREEN}[5]{Colors.RESET} Service Detection - Detect service versions (-sV)")
print(f" {Colors.GREEN}[6]{Colors.RESET} OS Detection - OS fingerprinting (needs root)")
print(f" {Colors.GREEN}[7]{Colors.RESET} Vulnerability Scan - NSE vuln scripts")
print(f" {Colors.GREEN}[8]{Colors.RESET} UDP Scan - Top 100 UDP ports (slow, needs root)")
print(f" {Colors.GREEN}[9]{Colors.RESET} Custom Scan - Enter your own nmap flags")
print(f" {Colors.DIM}[0]{Colors.RESET} Back")
choice = input(f"\n{Colors.WHITE} Select: {Colors.RESET}").strip()
if choice == "0":
break
presets = {
"1": ("--top-ports 100 -T4", "Top 100 Ports"),
"2": ("-T4", "Quick Scan (Top 1000)"),
"3": ("-p- -T4", "Full TCP Scan (All 65535 Ports)"),
"4": ("-sS -T4", "Stealth SYN Scan"),
"5": ("-sV -T4", "Service Version Detection"),
"6": ("-O -T4", "OS Detection"),
"7": ("--script vuln -T4", "Vulnerability Scan"),
"8": ("-sU --top-ports 100 -T4", "UDP Scan (Top 100)"),
}
if choice in presets:
target = input(f"{Colors.WHITE} Target IP/hostname: {Colors.RESET}").strip()
if target:
flags, desc = presets[choice]
self._run_nmap(target, flags, desc)
elif choice == "9":
target = input(f"{Colors.WHITE} Target IP/hostname: {Colors.RESET}").strip()
if target:
flags = input(f"{Colors.WHITE} Nmap flags: {Colors.RESET}").strip()
if flags:
self._run_nmap(target, flags, f"Custom Scan ({flags})")
# ==================== NETWORK MAPPER ====================
def network_mapper(self):
"""Network mapper - discover hosts and services on a subnet."""
print(f"\n{Colors.BOLD}Network Mapper{Colors.RESET}")
print(f"{Colors.DIM}Discover hosts and services on your network{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 50}{Colors.RESET}\n")
print(f" {Colors.GREEN}[1]{Colors.RESET} Enter subnet manually")
print(f" {Colors.GREEN}[A]{Colors.RESET} Auto-detect local subnet")
print()
choice = input(f"{Colors.WHITE} Select: {Colors.RESET}").strip().lower()
if choice == 'a':
subnet = self._auto_detect_subnet()
if not subnet:
self.print_status("Could not auto-detect subnet", "error")
return
print(f"{Colors.CYAN}[*] Detected subnet: {subnet}{Colors.RESET}")
elif choice == '1':
subnet = input(f"{Colors.WHITE}Enter subnet (e.g., 192.168.1.0/24): {Colors.RESET}").strip()
if not subnet:
return
else:
return
# Phase 1: Ping sweep
self.print_status(f"Phase 1: Ping sweep on {subnet}...", "info")
live_hosts = self._nmap_ping_sweep(subnet)
if not live_hosts:
self.print_status("No live hosts found", "warning")
return
self.print_status(f"Found {len(live_hosts)} live hosts", "success")
# Phase 2: Service scan
scan_services = input(f"{Colors.WHITE}Scan services on discovered hosts? (y/n) [{Colors.GREEN}y{Colors.WHITE}]: {Colors.RESET}").strip().lower()
if scan_services == 'n':
for ip in live_hosts:
print(f" {Colors.GREEN}+{Colors.RESET} {ip}")
return
self.print_status(f"Phase 2: Service detection on {len(live_hosts)} hosts...", "info")
hosts = []
for i, ip in enumerate(live_hosts, 1):
print(f"\r{Colors.DIM} [{i}/{len(live_hosts)}] Scanning {ip}...{Colors.RESET}", end='', flush=True)
host_info = self._nmap_host_detail(ip)
hosts.append(host_info)
print(f"\r{' ' * 60}\r", end='')
self._display_network_map(hosts, subnet)
def _auto_detect_subnet(self) -> str:
"""Auto-detect the local subnet."""
success, output = self.run_cmd("hostname -I")
if success and output:
local_ip = output.strip().split()[0]
# Append /24
parts = local_ip.split('.')
if len(parts) == 4:
return f"{parts[0]}.{parts[1]}.{parts[2]}.0/24"
return ""
def _nmap_ping_sweep(self, subnet: str) -> list:
"""Run nmap ping sweep to find live hosts."""
success, output = self.run_cmd(f"nmap -sn {subnet}", timeout=120)
if not success:
return []
hosts = []
for line in output.split('\n'):
if 'Nmap scan report for' in line:
# Extract IP
ip_match = re.search(r'(\d+\.\d+\.\d+\.\d+)', line)
if ip_match:
hosts.append(ip_match.group(1))
return hosts
def _nmap_host_detail(self, ip: str) -> dict:
"""Get detailed service info for a single host."""
result = {'ip': ip, 'hostname': '', 'os_guess': '', 'ports': []}
success, output = self.run_cmd(f"nmap -sV --top-ports 20 -T4 {ip}", timeout=120)
if not success:
return result
for line in output.split('\n'):
if 'Nmap scan report for' in line:
# Extract hostname
hostname_match = re.search(r'for (\S+)\s+\(', line)
if hostname_match:
result['hostname'] = hostname_match.group(1)
port_match = re.match(r'\s*(\d+)/(tcp|udp)\s+(\S+)\s+(.*)', line)
if port_match:
result['ports'].append({
'port': int(port_match.group(1)),
'state': port_match.group(3),
'service': port_match.group(4).strip(),
})
if 'OS details:' in line:
result['os_guess'] = line.split('OS details:')[1].strip()
elif 'Service Info: OS:' in line:
os_match = re.search(r'OS: ([^;]+)', line)
if os_match:
result['os_guess'] = os_match.group(1).strip()
return result
def _display_network_map(self, hosts: list, subnet: str):
"""Display network map results and save."""
print(f"\n{Colors.CYAN}{'' * 75}{Colors.RESET}")
print(f"{Colors.BOLD}Network Map: {subnet}{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 75}{Colors.RESET}\n")
print(f" {'IP':<18} {'Hostname':<20} {'OS':<15} {'Open Ports'}")
print(f" {'' * 70}")
for host in hosts:
ip = host['ip']
hostname = host.get('hostname', '')[:18] or '-'
os_guess = host.get('os_guess', '')[:13] or '-'
open_ports = [p for p in host.get('ports', []) if p.get('state') == 'open']
ports_str = ', '.join(f"{p['port']}" for p in open_ports[:6])
if len(open_ports) > 6:
ports_str += f" +{len(open_ports)-6} more"
print(f" {ip:<18} {hostname:<20} {os_guess:<15} {ports_str}")
# Show services
for p in open_ports[:6]:
service = p.get('service', '')
if service:
print(f" {'':<18} {Colors.DIM}{p['port']:>5}/tcp {service}{Colors.RESET}")
# Save results
os.makedirs("results", exist_ok=True)
safe_subnet = re.sub(r'[^\w.\-]', '_', subnet)
filename = f"results/network_map_{safe_subnet}.json"
with open(filename, 'w') as f:
json.dump({'subnet': subnet, 'hosts': hosts, 'timestamp': datetime.now().isoformat()}, f, indent=2)
self.print_status(f"Saved to {filename}", "success")
# ==================== WEB SCANNER ====================
def web_scanner(self):
"""Web application security scanner."""
print(f"\n{Colors.BOLD}Web Scanner{Colors.RESET}")
print(f"{Colors.DIM}Check web applications for security issues{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 50}{Colors.RESET}\n")
url = input(f"{Colors.WHITE}Enter URL: {Colors.RESET}").strip()
if not url:
return
if not url.startswith('http'):
url = f"https://{url}"
parsed = urlparse(url)
hostname = parsed.netloc
print(f"\n{Colors.CYAN}Scanning {url}...{Colors.RESET}\n")
all_findings = []
# Header checks
self.print_status("Checking HTTP headers...", "info")
header_findings = self._web_check_headers(url)
all_findings.extend(header_findings)
# SSL check
if parsed.scheme == 'https':
self.print_status("Checking SSL/TLS...", "info")
ssl_findings = self._web_check_ssl(hostname)
all_findings.extend(ssl_findings)
# Directory bruteforce
self.print_status("Checking common paths...", "info")
dir_findings = self._web_dir_bruteforce(url)
all_findings.extend(dir_findings)
# Display findings by severity
print(f"\n{Colors.CYAN}{'' * 60}{Colors.RESET}")
print(f"{Colors.BOLD}Web Scanner Results: {url}{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 60}{Colors.RESET}\n")
high = [f for f in all_findings if f.get('severity') == 'HIGH']
medium = [f for f in all_findings if f.get('severity') == 'MEDIUM']
low = [f for f in all_findings if f.get('severity') == 'LOW']
info = [f for f in all_findings if f.get('severity') == 'INFO']
for sev, items, color in [('HIGH', high, Colors.RED), ('MEDIUM', medium, Colors.YELLOW),
('LOW', low, Colors.CYAN), ('INFO', info, Colors.DIM)]:
if items:
print(f" {color}{Colors.BOLD}{sev} ({len(items)}){Colors.RESET}")
for item in items:
print(f" {color} [{sev}]{Colors.RESET} {item['title']}")
if item.get('detail'):
print(f" {Colors.DIM}{item['detail']}{Colors.RESET}")
print()
print(f" {Colors.BOLD}Total findings: {len(all_findings)}{Colors.RESET}")
print(f" HIGH: {len(high)} | MEDIUM: {len(medium)} | LOW: {len(low)} | INFO: {len(info)}")
def _web_check_headers(self, url: str) -> list:
"""Check HTTP response headers for security issues."""
findings = []
try:
req = urllib.request.Request(url, headers={
'User-Agent': self.USER_AGENTS[0],
})
with urllib.request.urlopen(req, timeout=10) as response:
headers = {k.lower(): v for k, v in response.headers.items()}
# Server header
if 'server' in headers:
findings.append({'title': f"Server header exposed: {headers['server']}", 'severity': 'LOW', 'detail': 'Consider hiding server version'})
if 'x-powered-by' in headers:
findings.append({'title': f"X-Powered-By exposed: {headers['x-powered-by']}", 'severity': 'LOW', 'detail': 'Remove X-Powered-By header'})
# Missing security headers
security_headers = {
'strict-transport-security': ('HSTS missing', 'HIGH', 'Add Strict-Transport-Security header'),
'content-security-policy': ('CSP missing', 'HIGH', 'Add Content-Security-Policy header'),
'x-frame-options': ('X-Frame-Options missing', 'MEDIUM', 'Clickjacking protection missing'),
'x-content-type-options': ('X-Content-Type-Options missing', 'MEDIUM', 'Add nosniff header'),
'referrer-policy': ('Referrer-Policy missing', 'MEDIUM', 'Add Referrer-Policy header'),
}
for header, (title, severity, detail) in security_headers.items():
if header not in headers:
findings.append({'title': title, 'severity': severity, 'detail': detail})
# Misconfigurations
misconfig_findings = self._web_check_misconfigs(headers)
findings.extend(misconfig_findings)
except urllib.error.HTTPError as e:
findings.append({'title': f"HTTP Error: {e.code}", 'severity': 'INFO', 'detail': str(e.reason)})
except Exception as e:
findings.append({'title': f"Connection error: {str(e)[:60]}", 'severity': 'INFO', 'detail': ''})
return findings
def _web_check_ssl(self, hostname: str) -> list:
"""Check SSL/TLS configuration."""
findings = []
success, output = self.run_cmd(
f"echo | openssl s_client -connect {hostname}:443 -servername {hostname} 2>/dev/null",
timeout=15
)
if not success or not output:
findings.append({'title': 'SSL check failed or no HTTPS', 'severity': 'INFO', 'detail': ''})
return findings
# Check certificate details
success2, cert_output = self.run_cmd(
f"echo | openssl s_client -connect {hostname}:443 -servername {hostname} 2>/dev/null | openssl x509 -noout -dates -issuer -subject 2>/dev/null",
timeout=15
)
if success2 and cert_output:
for line in cert_output.split('\n'):
if 'notAfter' in line:
expiry = line.split('=', 1)[1].strip() if '=' in line else ''
findings.append({'title': f"Certificate expires: {expiry}", 'severity': 'INFO', 'detail': ''})
elif 'issuer' in line.lower():
findings.append({'title': f"Certificate issuer: {line.split('=', 1)[-1].strip()[:60]}", 'severity': 'INFO', 'detail': ''})
# Check for weak protocols
for protocol in ['ssl3', 'tls1', 'tls1_1']:
success, _ = self.run_cmd(
f"echo | openssl s_client -connect {hostname}:443 -{protocol} 2>/dev/null",
timeout=10
)
if success:
proto_name = protocol.replace('ssl3', 'SSLv3').replace('tls1_1', 'TLSv1.1').replace('tls1', 'TLSv1.0')
findings.append({'title': f"Weak protocol supported: {proto_name}", 'severity': 'HIGH', 'detail': 'Disable legacy protocols'})
return findings
def _web_dir_bruteforce(self, url: str) -> list:
"""Check for common sensitive paths."""
findings = []
common_paths = [
'.git/HEAD', '.env', '.htaccess', 'robots.txt', 'sitemap.xml',
'admin/', 'wp-admin/', 'phpinfo.php', 'server-status', 'backup/',
'.DS_Store', 'config.php', '.svn/', 'web.config', 'wp-login.php',
'.well-known/security.txt', 'crossdomain.xml', 'elmah.axd',
'wp-config.php.bak', 'dump.sql', 'database.sql', 'debug/',
'api/', 'swagger-ui.html', 'graphql', '.git/config',
'composer.json', 'package.json', '.env.bak', 'Dockerfile',
'docker-compose.yml', 'readme.md',
]
base_url = url.rstrip('/')
for path in common_paths:
try:
check_url = f"{base_url}/{path}"
req = urllib.request.Request(check_url, method='HEAD', headers={
'User-Agent': self.USER_AGENTS[0],
})
with urllib.request.urlopen(req, timeout=5) as response:
status = response.getcode()
if status in [200, 403]:
severity = 'HIGH' if path in ['.git/HEAD', '.env', '.git/config', 'dump.sql', 'database.sql'] else 'MEDIUM'
status_str = 'Found' if status == 200 else 'Forbidden'
findings.append({
'title': f"/{path} [{status}] {status_str}",
'severity': severity,
'detail': check_url,
})
except:
pass
return findings
def _web_check_misconfigs(self, headers: dict) -> list:
"""Check for common misconfigurations in headers."""
findings = []
# CORS wildcard
acao = headers.get('access-control-allow-origin', '')
if acao == '*':
findings.append({'title': 'CORS wildcard: Access-Control-Allow-Origin: *', 'severity': 'MEDIUM', 'detail': 'Restrict CORS origins'})
# Cookie security
set_cookie = headers.get('set-cookie', '')
if set_cookie:
if 'secure' not in set_cookie.lower():
findings.append({'title': 'Cookie missing Secure flag', 'severity': 'MEDIUM', 'detail': ''})
if 'httponly' not in set_cookie.lower():
findings.append({'title': 'Cookie missing HttpOnly flag', 'severity': 'MEDIUM', 'detail': ''})
return findings
# ==================== VULNERABILITY CORRELATOR ====================
SERVICE_TO_CPE = {
'apache': ('apache', 'http_server'),
'nginx': ('f5', 'nginx'),
'openssh': ('openbsd', 'openssh'),
'openssl': ('openssl', 'openssl'),
'mysql': ('oracle', 'mysql'),
'mariadb': ('mariadb', 'mariadb'),
'postgresql': ('postgresql', 'postgresql'),
'postgres': ('postgresql', 'postgresql'),
'samba': ('samba', 'samba'),
'vsftpd': ('vsftpd_project', 'vsftpd'),
'proftpd': ('proftpd_project', 'proftpd'),
'postfix': ('postfix', 'postfix'),
'dovecot': ('dovecot', 'dovecot'),
'php': ('php', 'php'),
'tomcat': ('apache', 'tomcat'),
'iis': ('microsoft', 'internet_information_services'),
'exim': ('exim', 'exim'),
'bind': ('isc', 'bind'),
'cups': ('apple', 'cups'),
'redis': ('redis', 'redis'),
'mongodb': ('mongodb', 'mongodb'),
'elasticsearch': ('elastic', 'elasticsearch'),
'jenkins': ('jenkins', 'jenkins'),
'node': ('nodejs', 'node.js'),
}
def vuln_correlator(self):
"""Vulnerability correlator - match services to CVEs."""
print(f"\n{Colors.BOLD}Vulnerability Correlator{Colors.RESET}")
print(f"{Colors.DIM}Match detected services against CVE database{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 50}{Colors.RESET}\n")
print(f" {Colors.GREEN}[1]{Colors.RESET} Run fresh nmap -sV scan")
print(f" {Colors.GREEN}[2]{Colors.RESET} Load from Network Map JSON")
print(f" {Colors.GREEN}[3]{Colors.RESET} Load from nmap output file")
print()
choice = input(f"{Colors.WHITE} Select: {Colors.RESET}").strip()
services = []
target = ""
if choice == "1":
target = input(f"{Colors.WHITE}Target IP/hostname: {Colors.RESET}").strip()
if not target:
return
self.print_status(f"Running nmap -sV on {target}...", "info")
success, output = self.run_cmd(f"nmap -sV -T4 {target}", timeout=300)
if success:
services = self._parse_nmap_services(output)
else:
self.print_status("nmap scan failed", "error")
return
elif choice == "2":
# Load from network map JSON
json_files = sorted(Path("results").glob("network_map_*.json")) if Path("results").exists() else []
if not json_files:
self.print_status("No network map files found. Run Network Mapper first.", "warning")
return
print(f"\n{Colors.CYAN}Available network maps:{Colors.RESET}")
for i, f in enumerate(json_files, 1):
print(f" {Colors.GREEN}[{i}]{Colors.RESET} {f.name}")
sel = input(f"\n{Colors.WHITE}Select: {Colors.RESET}").strip()
try:
idx = int(sel) - 1
with open(json_files[idx], 'r') as f:
data = json.load(f)
target = data.get('subnet', 'unknown')
for host in data.get('hosts', []):
for port_info in host.get('ports', []):
if port_info.get('state') == 'open':
services.append({
'port': port_info['port'],
'protocol': 'tcp',
'service': port_info.get('service', ''),
'version': '',
'host': host['ip'],
})
# Try to parse service+version
svc = port_info.get('service', '')
parts = svc.split()
if len(parts) >= 2:
services[-1]['service'] = parts[0]
services[-1]['version'] = parts[1]
except (ValueError, IndexError, json.JSONDecodeError) as e:
self.print_status(f"Error loading file: {e}", "error")
return
elif choice == "3":
filepath = input(f"{Colors.WHITE}Path to nmap output file: {Colors.RESET}").strip()
if not filepath or not os.path.exists(filepath):
self.print_status("File not found", "error")
return
with open(filepath, 'r') as f:
output = f.read()
services = self._parse_nmap_services(output)
target = filepath
if not services:
self.print_status("No services found to correlate", "warning")
return
self.print_status(f"Found {len(services)} services, correlating with CVE database...", "info")
# Correlate each service
correlations = []
try:
from core.cve import get_cve_db
cve_db = get_cve_db()
except ImportError:
self.print_status("CVE database module not available", "error")
return
for svc in services:
cves = self._correlate_service(svc, cve_db)
if cves:
correlations.append({
'service': svc,
'cves': cves,
})
self._display_vuln_report(correlations, target)
def _parse_nmap_services(self, nmap_output: str) -> list:
"""Parse nmap -sV output for services."""
services = []
port_re = re.compile(r'(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)')
current_host = ''
for line in nmap_output.split('\n'):
if 'Nmap scan report for' in line:
ip_match = re.search(r'(\d+\.\d+\.\d+\.\d+)', line)
current_host = ip_match.group(1) if ip_match else ''
m = port_re.match(line.strip())
if m:
service_full = m.group(4).strip()
# Split product and version
parts = service_full.split()
product = parts[0] if parts else m.group(3)
version = parts[1] if len(parts) > 1 else ''
services.append({
'port': int(m.group(1)),
'protocol': m.group(2),
'service': product,
'version': version,
'host': current_host,
})
return services
def _build_cpe(self, service: str, product: str, version: str) -> str:
"""Build a CPE string from service info."""
service_lower = service.lower()
product_lower = product.lower()
# Try to find in lookup table
for key, (vendor, prod) in self.SERVICE_TO_CPE.items():
if key in service_lower or key in product_lower:
cpe = f"cpe:2.3:a:{vendor}:{prod}"
if version:
clean_ver = re.sub(r'[^0-9.]', '', version)
if clean_ver:
cpe += f":{clean_ver}"
return cpe
return ""
def _correlate_service(self, service_info: dict, cve_db) -> list:
"""Correlate a service with CVEs from the database."""
service = service_info.get('service', '')
version = service_info.get('version', '')
# Try CPE-based search
cpe = self._build_cpe(service, service, version)
cves = []
if cpe:
cves = cve_db.search_cves(cpe_pattern=cpe, max_results=20)
# Fallback to keyword search
if len(cves) < 5:
keyword = f"{service} {version}".strip()
keyword_cves = cve_db.search_cves(keyword=keyword, max_results=20)
seen = {c['cve_id'] for c in cves}
for c in keyword_cves:
if c['cve_id'] not in seen:
cves.append(c)
# Sort by CVSS score descending
cves.sort(key=lambda x: x.get('cvss_score', 0) or 0, reverse=True)
return cves[:15]
def _display_vuln_report(self, correlations: list, target: str):
"""Display vulnerability correlation results."""
print(f"\n{Colors.CYAN}{'' * 70}{Colors.RESET}")
print(f"{Colors.BOLD}Vulnerability Report: {target}{Colors.RESET}")
print(f"{Colors.CYAN}{'' * 70}{Colors.RESET}\n")
total_cves = 0
severity_counts = {'CRITICAL': 0, 'HIGH': 0, 'MEDIUM': 0, 'LOW': 0}
for corr in correlations:
svc = corr['service']
cves = corr['cves']
host = svc.get('host', '')
port = svc.get('port', '')
service_name = svc.get('service', '')
version = svc.get('version', '')
print(f" {Colors.BOLD}{service_name}:{version}{Colors.RESET} on port {port} ({host})")
for cve in cves:
total_cves += 1
score = cve.get('cvss_score', 0) or 0
severity = cve.get('severity', 'UNKNOWN')
cve_id = cve.get('cve_id', '')
desc = (cve.get('description', '') or '')[:80]
# Count and color
if severity in severity_counts:
severity_counts[severity] += 1
if severity in ('CRITICAL', 'HIGH'):
sev_color = Colors.RED
elif severity == 'MEDIUM':
sev_color = Colors.YELLOW
else:
sev_color = Colors.CYAN
print(f" {sev_color}{cve_id} ({severity} {score}){Colors.RESET} {desc}")
print()
# Summary
print(f"{Colors.CYAN}{'' * 70}{Colors.RESET}")
print(f"{Colors.BOLD}Summary:{Colors.RESET} {total_cves} CVEs across {len(correlations)} services")
print(f" CRITICAL: {severity_counts['CRITICAL']} | HIGH: {severity_counts['HIGH']} | MEDIUM: {severity_counts['MEDIUM']} | LOW: {severity_counts['LOW']}")
# Save results
if correlations:
os.makedirs("results", exist_ok=True)
safe_target = re.sub(r'[^\w.\-]', '_', str(target))
filename = f"results/vuln_correlator_{safe_target}.json"
save_data = {
'target': target,
'timestamp': datetime.now().isoformat(),
'correlations': [
{
'service': c['service'],
'cves': [{'cve_id': cve.get('cve_id'), 'severity': cve.get('severity'),
'cvss_score': cve.get('cvss_score'), 'description': cve.get('description', '')[:200]}
for cve in c['cves']]
} for c in correlations
]
}
with open(filename, 'w') as f:
json.dump(save_data, f, indent=2)
self.print_status(f"Saved to {filename}", "success")
# ==================== MENU ====================
def show_menu(self):
clear_screen()
display_banner()
print(f"{Colors.GREEN}{Colors.BOLD} OSINT & Reconnaissance{Colors.RESET}")
print(f"{Colors.DIM} Open source intelligence gathering{Colors.RESET}")
# Social-analyzer status
if self.social_analyzer_available:
print(f"{Colors.DIM} social-analyzer: {Colors.GREEN}Available{Colors.RESET}")
else:
print(f"{Colors.DIM} social-analyzer: {Colors.YELLOW}Not installed{Colors.RESET}")
print(f"{Colors.DIM} {'' * 50}{Colors.RESET}")
print()
print(f" {Colors.GREEN}Email{Colors.RESET}")
print(f" {Colors.GREEN}[1]{Colors.RESET} Email Lookup")
print(f" {Colors.GREEN}[2]{Colors.RESET} Email Permutator")
print()
print(f" {Colors.GREEN}Username{Colors.RESET}")
print(f" {Colors.GREEN}[3]{Colors.RESET} Username Lookup")
print(f" {Colors.GREEN}[4]{Colors.RESET} Social Analyzer")
print()
print(f" {Colors.GREEN}Phone{Colors.RESET}")
print(f" {Colors.GREEN}[5]{Colors.RESET} Phone Number Lookup")
print()
print(f" {Colors.GREEN}Domain/IP{Colors.RESET}")
print(f" {Colors.GREEN}[6]{Colors.RESET} Domain Recon")
print(f" {Colors.GREEN}[7]{Colors.RESET} IP Address Lookup")
print(f" {Colors.GREEN}[8]{Colors.RESET} Subdomain Enum")
print(f" {Colors.GREEN}[9]{Colors.RESET} Tech Detection")
print()
print(f" {Colors.MAGENTA}Dossier{Colors.RESET}")
print(f" {Colors.MAGENTA}[R]{Colors.RESET} Dossier Manager")
print()
print(f" {Colors.YELLOW}Network{Colors.RESET}")
print(f" {Colors.YELLOW}[W]{Colors.RESET} Network Mapper")
print(f" {Colors.YELLOW}[H]{Colors.RESET} Web Scanner")
print(f" {Colors.YELLOW}[V]{Colors.RESET} Vulnerability Correlator")
print()
print(f" {Colors.CYAN}Tools{Colors.RESET}")
print(f" {Colors.CYAN}[G]{Colors.RESET} GEO IP/Domain Lookup")
print(f" {Colors.CYAN}[Y]{Colors.RESET} Yandex OSINT")
print(f" {Colors.CYAN}[N]{Colors.RESET} Network Test")
print(f" {Colors.CYAN}[S]{Colors.RESET} Snoop Database Decoder")
print(f" {Colors.CYAN}[D]{Colors.RESET} Sites Database Stats")
print(f" {Colors.CYAN}[X]{Colors.RESET} Nmap Scanner")
print()
print(f" {Colors.DIM}[0]{Colors.RESET} Back")
print()
def run(self):
while True:
self.show_menu()
try:
choice = input(f"{Colors.WHITE} Select: {Colors.RESET}").strip()
if choice == "0":
break
elif choice == "1":
self.email_lookup()
elif choice == "2":
self.email_permutator()
elif choice == "3":
self.username_lookup()
elif choice == "4":
username = input(f"\n{Colors.WHITE}Enter username: {Colors.RESET}").strip()
if username:
self.social_analyzer_search(username)
elif choice == "5":
self.phone_lookup()
elif choice == "6":
self.domain_info()
elif choice == "7":
self.ip_info()
elif choice == "8":
self.subdomain_enum()
elif choice == "9":
self.tech_detect()
elif choice.lower() == "g":
self.run_geoip_module()
elif choice.lower() == "y":
self.run_yandex_module()
elif choice.lower() == "n":
self.run_network_test()
elif choice.lower() == "s":
self.run_snoop_decoder()
elif choice.lower() == "d":
self.show_sites_db_stats()
elif choice.lower() == "r":
self.run_dossier_manager()
elif choice.lower() == "x":
self.nmap_scanner()
elif choice.lower() == "w":
self.network_mapper()
elif choice.lower() == "h":
self.web_scanner()
elif choice.lower() == "v":
self.vuln_correlator()
if choice in ["1", "2", "3", "4", "5", "6", "7", "8", "9",
"g", "y", "n", "G", "Y", "N", "x", "X",
"w", "W", "h", "H", "v", "V"]:
input(f"\n{Colors.WHITE}Press Enter to continue...{Colors.RESET}")
except (EOFError, KeyboardInterrupt):
break
def run():
Recon().run()
if __name__ == "__main__":
run()
Reference in New Issue Copy Permalink