ztgrace / changeme

A default credential scanner.
GNU General Public License v3.0

Weblogic check + bug fix #11

Closed AlessandroZ closed 7 years ago

AlessandroZ commented 7 years ago

Hi,

I added weblogic check and some bug fix.

For example, when you have multiple passwords to check, using a proxy I saw that only the last username / password couple on the list was sent. It was because the "data" dictionary wasn't correct.

I also added an option to specify a particular host / port and protocol. I like to check manually what I'm doing, so even if it's a good idea to parse the nmap file, I prefer to have the opportunity to check only one port. By default, it retrieves the port and protocol from the configuration file. However, if you explicitly give it, it takes your value. For example, now you can put: python changeme.py --target http://<ip>:<port>

Moreover, now you are more flexible on the subcategory name. You don't need to give the exact name for it to work. For example, it will work if you put only: python changeme.py --target http://<ip>:<port> --category web --name "tomcat"

I would be interested to add a mssql check (it could be easy to do using impacket: https://github.com/CoreSecurity/impacket/blob/master/examples/mssqlclient.py). When I get an mssql instance, I will check it.

I think it could be a good idea to add the possibility to list "categories" and "subcategories" from the command line, to not always enter the source code to see what exists.

I'm also really interested in creating a python package for this project (#6). It's really easy to do, but for your project, it seems a little bit more complicated because you list your creds category using "os.walk" and I don't think a package could manage that. It would be easier to have only python files. I will think about it.

Thanks for your project. It seems great.
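The --target and --name behaviour described in this PR, as an added illustration rather than code from the changeme project: a bare host takes protocol and port from the cred entry, an explicit scheme or port in --target overrides them, and --name matches subcategories loosely. The config layout, sample entries and function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample of what a credential config might declare per
# subcategory (names and values are assumptions, not changeme's own data).
CREDS = [
    {"category": "web", "name": "Apache Tomcat", "protocol": "http", "port": 8080},
    {"category": "web", "name": "Oracle WebLogic", "protocol": "http", "port": 7001},
    {"category": "web", "name": "Jenkins", "protocol": "http", "port": 8080},
]


def resolve_target(target, cred):
    """Return (protocol, host, port) for one target/cred pair.

    A bare host takes protocol and port from the cred entry; an explicit
    scheme or port in --target overrides that entry.
    """
    if "://" not in target:
        target = cred["protocol"] + "://" + target
    parts = urlsplit(target)
    if not parts.hostname:
        raise ValueError("no host in target %r" % target)
    protocol = parts.scheme.lower()
    port = parts.port if parts.port is not None else cred["port"]
    return protocol, parts.hostname, port


def match_creds(creds, category=None, name=None):
    """Select cred entries by exact category and a case-insensitive
    substring match on the subcategory name ("tomcat" finds "Apache Tomcat")."""
    out = []
    for cred in creds:
        if category and cred["category"] != category:
            continue
        if name and name.lower() not in cred["name"].lower():
            continue
        out.append(cred)
    return out


def build_targets(target, creds, category=None, name=None):
    """Combine a --target string with the matching creds into URLs to check."""
    urls = []
    for cred in match_creds(creds, category, name):
        protocol, host, port = resolve_target(target, cred)
        urls.append("%s://%s:%d" % (protocol, host, port))
    return urls
```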

ztgrace commented 7 years ago

Awesome PR, thanks! I just came across the data dict bug on Sunday, but didn't have a chance to fix it yet.

I like the single target/port idea but I'll likely refactor it to specify a single port as an argument. I think it would be less parsing logic and a bit more flexible.

The cred name fix is great, it was on my short list of enhancements to make.

I absolutely want to add additional protocols to the scanner and my short list is SSH, Telnet, SNMP and MSSQL. However I want to address #6 along with refactoring the code into more modular classes. For example, abstracting the scanning logic into a Scanner class and moving the targets logic into its own class. Then it'll make adding additional protocols easier as you'd only have to implement the protocol specifics for that scanner.

Thanks again, and feel free to suggest additional enhancements by opening an issue.

-Zach