security-scripts

A collection of security-related Python and Bash shell scripts, mainly revolving
around testing hosts for security vulnerabilities. The shell scripts need no
fancy programming framework; all that is required is a Bash shell.
Note that it is highly recommended to use analyze_hosts.py, as it is the most
recent version. No new features will be added to the Bash version
analyze_hosts.sh.
analyze_hosts is also available as a Docker image, including the open source
scanners droopescan, nmap, Nikto and testssl.sh. Build it yourself using
the supplied Dockerfile, or grab the image from Docker Hub:

docker run --rm gofwd/analyze_hosts

You can also run the included tools that way; just override the entrypoint. As
an example, run testssl.sh:

docker run --rm --entrypoint 'testssl.sh' gofwd/analyze_hosts

analyze_hosts.py

A simple wrapper script around several open source security tools to simplify
scanning hosts for network vulnerabilities. The script lets you analyze one
or several hosts for common misconfiguration vulnerabilities and weaknesses.
The main objectives of the script are to make it as easy as possible to perform
generic security tests without any heavy prerequisites, to make the output as
informative as possible, and to use open source tools. It can easily be run as
a scheduled task, or integrated in Continuous Integration environments.
The only requirements are nmap and Python 3.
As the scan output can be written to a JSON file, it can be used to generate
deltas (differences) between scans, or kept for further inspection.

Installation

Note that you can also run analyze_hosts straight from a Docker image:

docker run --rm gofwd/analyze_hosts

One-time installation steps without virtualenv (all required Python libraries
are specified in the requirements.txt file):

git clone https://github.com/PeterMosmans/security-scripts &&
cd security-scripts &&
pip3 install -r requirements.txt

Usage

usage: analyze_hosts.py [-h] [--version] [--dry-run] [-i INPUTFILE] [-o OUTPUT_FILE] [--compact] [--queuefile QUEUEFILE] [--resume] [--settings SETTINGS]
                        [--exit-code] [--force] [--debug] [-v] [-q] [--allports] [-n] [-p PORT] [--up] [--udp] [--framework] [--http] [--compression]
                        [--headers] [--trace] [--redirect] [--force-ssl] [--json JSON] [--ssl] [--nikto] [--sslcert] [-w] [--proxy PROXY]
                        [--timeout TIMEOUT] [--threads THREADS] [--user-agent USER_AGENT] [--password PASSWORD] [--username USERNAME] [--maxtime MAXTIME]
                        [target]

analyze_hosts - scans one or more hosts for security misconfigurations

Copyright (C) 2015-2022 Peter Mosmans [Go Forward]
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

positional arguments:
  target                [TARGET] can be a single (IP) address, an IP range, or multiple comma-separated addressess

optional arguments:
  -h, --help            show this help message and exit
  --version             Show version and exit
  --dry-run             Only show commands, don't actually do anything
  -i INPUTFILE, --inputfile INPUTFILE
                        A file containing targets, one per line
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output file containing all scanresults (default analyze_hosts.output)
  --compact             Only log raw logfiles and alerts to file
  --queuefile QUEUEFILE
                        the queuefile
  --resume              Resume working on the queue
  --settings SETTINGS   Name of settings file to use (default analyze_hosts.yml)
  --exit-code           When supplied, return exit code 1 when alerts are discovered
  --force               Ignore / overwrite the queuefile
  --debug               Show debug information
  -v, --verbose         Be more verbose
  -q, --quiet           Do not show scan outputs on the console
  --allports            Run a full-blown nmap scan on all ports
  -n, --no-portscan     Do NOT run a nmap portscan
  -p PORT, --port PORT  Specific port(s) to scan
  --up                  Assume host is up (do not rely on ping probe)
  --udp                 Check for open UDP ports as well
  --framework           Analyze the website and run webscans
  --http                Check for various HTTP vulnerabilities (compression, headers, trace)
  --compression         Check for webserver compression
  --headers             Check for various HTTP headers
  --trace               Check webserver for HTTP TRACE method
  --redirect            Check for insecure redirect
  --force-ssl           Enforce SSL/TLS check on all open ports
  --json JSON           Save output in JSON file
  --ssl                 Check for various SSL/TLS vulnerabilities
  --nikto               Run a nikto scan
  --sslcert             Download SSL certificate
  -w, --whois           Perform a whois lookup
  --proxy PROXY         Use proxy server (host:port)
  --timeout TIMEOUT     Timeout for requests in seconds (default 10)
  --threads THREADS     Maximum number of threads (default 5)
  --user-agent USER_AGENT
                        Custom User-Agent to use (default analyze_hosts)
  --password PASSWORD   Password for HTTP basic host authentication
  --username USERNAME   Username for HTTP basic host authentication
  --maxtime MAXTIME     Timeout for scans in seconds (default 600)

The script analyze_hosts automatically executes other scanners (based on the
target's fingerprint or open ports):

droopescan
nikto
testssl.sh
WPscan

You can use the following environment variables (all uppercase) to specify the
paths to the tools if they cannot be found in the standard locations:
CURL, DROOPESCAN, NIKTO, OPENSSL, TESTSSL, WPSCAN

Suppressing false positives

A settings file can be used (--settings) to configure or tweak scan parameters
per host/port combination. This allows you to suppress false positives in scan
results. Currently the Nikto Plugins, Tuning and output parameters are
supported, as well as a list of allowed / expected open ports and testssl
parameters.
Example settings file:

targets:
  127.0.0.1:
    allowed_ports: [22, 80, 443]
    ports:
      - port: 80
        nikto_plugins: "@@ALL"
        nikto_tuning: "x1"
        nikto_output: "report.html"
      - port: 443
        testssl_untrusted: true
        testssl:
          - "--ccs-injection"
          - "--ticketbleed"
          - "--robot"

This will supply the parameters -Plugins '@@ALL' -Tuning 'x1' -output 'report.html'
to Nikto when port 80 is scanned.
Furthermore, it will not generate an alert when an open port other than port 22,
80 or 443 is found. By default, an alert is generated if an open port other
than 80 or 443 is found.
No alert will be generated if the SSL/TLS endpoint on port 443 presents an
untrusted (self-signed) certificate. And instead of all default tests, only the
three listed SSL/TLS tests will be performed.

JSON format

{
  "arguments": {
    "target": "1.2.3.1/30",
    "version": false,
    "dry_run": false,
    "inputfile": "0frnfb4e",
    "output_file": "output.txt",
    "compact": true,
    "queuefile": "analyze_hosts.queue",
    "resume": false,
    "force": false,
    "debug": false,
    "verbose": false,
    "quiet": false,
    "allports": false,
    "no_portscan": false,
    "port": null,
    "up": false,
    "udp": false,
    "framework": false,
    "http": true,
    "json": "results.json",
    "ssl": true,
    "nikto": true,
    "sslcert": false,
    "trace": false,
    "whois": false,
    "proxy": null,
    "timeout": true,
    "threads": 5,
    "user_agent": "analyze_hosts",
    "password": null,
    "username": null,
    "maxtime": 1200,
    "testssl.sh": true,
    "curl": false,
    "wpscan": true,
    "droopescan": true,
    "nmap": true,
    "nmap_arguments": "-sV --open -sS...