"""Intelligent scanner with advanced fingerprinting"""

def __init__(self, proxy_manager=None):

self.proxy_manager = proxy_manager

self.port_services = self._load_service_db()

self.waf_signatures = self._load_waf_signatures()

self.service_fingerprints = self._load_service_fingerprints()

def _load_service_db(self):

"""Load service database"""

return {

21: {"name": "FTP", "banner_keywords": ["FTP", "vsftpd", "ProFTPD"]},

22: {"name": "SSH", "banner_keywords": ["SSH", "OpenSSH"]},

23: {"name": "Telnet", "banner_keywords": ["Telnet"]},

25: {"name": "SMTP", "banner_keywords": ["SMTP", "ESMTP", "Postfix"]},

53: {"name": "DNS", "banner_keywords": []},

80: {"name": "HTTP", "banner_keywords": ["Apache", "nginx", "IIS", "lighttpd"]},

110: {"name": "POP3", "banner_keywords": ["POP3", "Dovecot"]},

143: {"name": "IMAP", "banner_keywords": ["IMAP", "Dovecot"]},

443: {"name": "HTTPS", "banner_keywords": ["Apache", "nginx", "IIS"]},

445: {"name": "SMB", "banner_keywords": ["SMB", "SAMBA"]},

3306: {"name": "MySQL", "banner_keywords": ["MySQL"]},

3389: {"name": "RDP", "banner_keywords": ["RDP", "Terminal Server"]},

5432: {"name": "PostgreSQL", "banner_keywords": ["PostgreSQL"]},

5900: {"name": "VNC", "banner_keywords": ["RFB", "VNC"]},

6379: {"name": "Redis", "banner_keywords": ["Redis"]},

8080: {"name": "HTTP-Proxy", "banner_keywords": ["Apache", "nginx", "Tomcat"]},

8443: {"name": "HTTPS-Alt", "banner_keywords": ["Apache", "nginx"]},

9000: {"name": "PHP-FPM", "banner_keywords": ["PHP"]},

9200: {"name": "Elasticsearch", "banner_keywords": ["elasticsearch"]},

27017: {"name": "MongoDB", "banner_keywords": ["MongoDB"]},

}

def _load_waf_signatures(self):

"""Load WAF detection signatures"""

return {

"Cloudflare": {

"headers": ["cf-ray", "cf-cache-status", "cf-request-id"],

"cookies": ["__cfduid", "__cflb"],

"html_patterns": ["cloudflare", "Ray ID"],

"response_codes": [403, 503]

},

"Akamai": {

"headers": ["x-akamai-transformed", "x-akamai-request-id"],

"cookies": ["ak_bmsc"],

"html_patterns": ["Akamai", "Error 403 Access Denied"],

"response_codes": [403]

},

"Imperva": {

"headers": ["x-cdn", "incap_ses_", "visid_incap_"],

"cookies": ["incap_ses_", "visid_incap_"],

"html_patterns": ["imperva", "Request unsuccessful"],

"response_codes": [403, 406]

},

"AWS WAF": {

"headers": ["x-amz-id-1", "x-amz-id-2"],

"cookies": ["aws-waf-token"],

"html_patterns": ["Request blocked"],

"response_codes": [403]

},

"Sucuri": {

"headers": ["x-sucuri-id", "x-sucuri-cache"],

"cookies": ["sucuri_cloudproxy_uuid_"],

"html_patterns": ["Sucuri", "Access Denied"],

"response_codes": [403]

},

"ModSecurity": {

"headers": [],

"cookies": [],

"html_patterns": ["Mod_Security", "This error was generated by Mod_Security"],

"response_codes": [403]

}

}

def _load_service_fingerprints(self):

"""Load service fingerprints for banner grabbing"""

return {

"HTTP": {

"probes": [

b"GET / HTTP/1.0\r\n\r\n",

b"HEAD / HTTP/1.0\r\n\r\n",

b"GET /robots.txt HTTP/1.0\r\n\r\n"

],

"patterns": {

"Apache": [r"Apache", r"Server:\s*Apache"],

"nginx": [r"nginx", r"Server:\s*nginx"],

"IIS": [r"Microsoft-IIS", r"Server:\s*Microsoft-IIS"],

"Tomcat": [r"Apache-Coyote", r"Server:\s*Apache-Coyote"],

"lighttpd": [r"lighttpd", r"Server:\s*lighttpd"]

}

},

"SSH": {

"probes": [b"\n"],

"patterns": {

"OpenSSH": [r"OpenSSH"],

"Dropbear": [r"dropbear"],

"Cisco": [r"Cisco"]

}

},

"SMTP": {

"probes": [b"EHLO test\r\n"],

"patterns": {

"Postfix": [r"Postfix"],

"Exim": [r"Exim"],

"Sendmail": [r"Sendmail"],

"Microsoft Exchange": [r"Microsoft ESMTP"]

}

},

"FTP": {

"probes": [b"\n"],

"patterns": {

"vsftpd": [r"vsFTPd"],

"ProFTPD": [r"ProFTPD"],

"Pure-FTPd": [r"Pure-FTPd"]

}

}

}

def scan_port_socket(self, target, port, timeout=1.0):

"""Fast socket-based port scanning"""

result = {

"port": port,

"open": False,

"service": "unknown",

"banner": "",

"version": "",

"response_time": 0

}

try:

start_time = time.time()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

sock.settimeout(timeout)

# Set socket options for faster scanning

sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)

response = sock.connect_ex((target, port))

elapsed = (time.time() - start_time) * 1000 # Convert to ms

if response == 0:

result["open"] = True

result["response_time"] = round(elapsed, 2)

# Try to grab banner

try:

sock.settimeout(0.5)

banner = sock.recv(1024)

if banner:

result["banner"] = banner.decode('utf-8', errors='ignore').strip()

# Fingerprint service

service_info = self._fingerprint_service(port, result["banner"])

result["service"] = service_info["name"]

result["version"] = service_info["version"]

except:

pass

sock.close()

except socket.timeout:

pass

except Exception as e:

pass

return result

def _fingerprint_service(self, port, banner):

"""Intelligent service fingerprinting"""

result = {"name": "unknown", "version": ""}

if not banner:

# Default service name from port

if port in self.port_services:

result["name"] = self.port_services[port]["name"]

return result

banner_lower = banner.lower()

# HTTP services

if port in [80, 443, 8080, 8443]:

for server, patterns in self.service_fingerprints.get("HTTP", {}).get("patterns", {}).items():

for pattern in patterns:

if re.search(pattern, banner, re.IGNORECASE):

result["name"] = f"HTTP ({server})"

# Try to extract version

version_match = re.search(r'(\d+\.\d+(\.\d+)?)', banner)

if version_match:

result["version"] = version_match.group(1)

break

# SSH fingerprinting

elif port == 22:

for server, patterns in self.service_fingerprints.get("SSH", {}).get("patterns", {}).items():

for pattern in patterns:

if re.search(pattern, banner, re.IGNORECASE):

result["name"] = f"SSH ({server})"

version_match = re.search(r'(\d+\.\d+(\.\d+)?)', banner)

if version_match:

result["version"] = version_match.group(1)

break

# SMTP fingerprinting

elif port == 25:

for server, patterns in self.service_fingerprints.get("SMTP", {}).get("patterns", {}).items():

for pattern in patterns:

if re.search(pattern, banner, re.IGNORECASE):

result["name"] = f"SMTP ({server})"

break

# FTP fingerprinting

elif port == 21:

for server, patterns in self.service_fingerprints.get("FTP", {}).get("patterns", {}).items():

for pattern in patterns:

if re.search(pattern, banner, re.IGNORECASE):

result["name"] = f"FTP ({server})"

break

# Database services

elif "mysql" in banner_lower:

result["name"] = "MySQL"

version_match = re.search(r'(\d+\.\d+\.\d+)', banner)

if version_match:

result["version"] = version_match.group(1)

elif "postgresql" in banner_lower:

result["name"] = "PostgreSQL"

elif "redis" in banner_lower:

result["name"] = "Redis"

version_match = re.search(r'v=(\d+\.\d+\.\d+)', banner)

if version_match:

result["version"] = version_match.group(1)

elif "mongodb" in banner_lower:

result["name"] = "MongoDB"

# Custom service detection based on keywords

for service_keywords in ["apache", "nginx", "iis", "tomcat", "node", "python"]:

if service_keywords in banner_lower:

result["name"] = service_keywords.capitalize()

break

return result

async def detect_waf_async(self, target_url):

"""Asynchronous WAF detection"""

waf_results = []

try:

connector = aiohttp.TCPConnector(ssl=False)

headers = {

'User-Agent': get_random_ua(),

'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',

'Accept-Language': 'en-US,en;q=0.5',

}

# Test with malicious payload to trigger WAF

test_payloads = [

"/../../../etc/passwd",

"<script>alert(1)</script>",

"' OR '1'='1",

"| cat /etc/passwd",

"../../../windows/win.ini"

]

async with aiohttp.ClientSession(headers=headers, connector=connector) as session:

# First, get normal response

try:

async with session.get(target_url, timeout=10) as normal_resp:

normal_html = await normal_resp.text()

normal_headers = dict(normal_resp.headers)

normal_status = normal_resp.status

except:

normal_html = ""

normal_headers = {}

normal_status = 0

# Test with malicious payloads

for payload in test_payloads[:2]: # Limit to 2 for speed

test_url = f"{target_url.rstrip('/')}/{payload}"

try:

async with session.get(test_url, timeout=8) as resp:

resp_status = resp.status

resp_headers = dict(resp.headers)

resp_html = await resp.text()

# Check WAF signatures

for waf_name, signatures in self.waf_signatures.items():

detected = False

# Check headers

for header in signatures.get("headers", []):

if header.lower() in (h.lower() for h in resp_headers.keys()):

detected = True

break

# Check cookies

if not detected and "set-cookie" in resp_headers:

cookies = resp_headers["set-cookie"].lower()

for cookie in signatures.get("cookies", []):

if cookie.lower() in cookies:

detected = True

break

# Check HTML patterns

if not detected:

for pattern in signatures.get("html_patterns", []):

if pattern.lower() in resp_html.lower():

detected = True

break

# Check response codes

if not detected and resp_status in signatures.get("response_codes", []):

if resp_status != normal_status: # Different from normal response

detected = True

if detected:

waf_results.append({

"waf": waf_name,

"confidence": "high",

"indicators": [

f"Response code: {resp_status}",

f"Headers match: {list(signatures['headers'])[:2] if signatures['headers'] else 'N/A'}"

]

})

except:

continue

except Exception as e:

pass

return waf_results

def fast_port_scan(self, target, ports=None, max_workers=100):

"""Fast multi-threaded port scanning"""

if ports is None:

ports = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 993, 995,

1433, 1521, 1723, 3306, 3389, 5432, 5900, 6379, 8080,

8443, 9000, 9200, 11211, 27017]

open_ports = []

print(f"{C}[*] Scanning {len(ports)} ports on {target}{W}")

with ThreadPoolExecutor(max_workers=max_workers) as executor:

futures = {executor.submit(self.scan_port_socket, target, port): port for port in ports}

for future in futures:

port = futures[future]

try:

result = future.result(timeout=2.0)

if result["open"]:

open_ports.append(result)

service_color = G if result["service"] != "unknown" else Y

banner_preview = result["banner"][:50] + "..." if len(result["banner"]) > 50 else result["banner"]

print(f" {G}[+] Port {port}/TCP {service_color}({result['service']}){W}")

if result["version"]:

print(f" Version: {result['version']}")

if result["banner"]:

print(f" Banner: {banner_preview}")

if result["response_time"]:

print(f" Response: {result['response_time']}ms")

print()

except:

pass

return open_ports

def advanced_fingerprinting(self, target, port):

"""Advanced service fingerprinting with multiple probes"""

results = []

if port in [80, 443, 8080, 8443]:

# HTTP fingerprinting

http_probes = [

("GET / HTTP/1.0\r\nHost: {}\r\n\r\n".format(target), "HTTP/1.0"),

("GET / HTTP/1.1\r\nHost: {}\r\n\r\n".format(target), "HTTP/1.1"),

("OPTIONS / HTTP/1.0\r\nHost: {}\r\n\r\n".format(target), "OPTIONS"),

("GET /robots.txt HTTP/1.0\r\nHost: {}\r\n\r\n".format(target), "ROBOTS"),

]

for probe, probe_name in http_probes:

try:

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

sock.settimeout(2)

sock.connect((target, port))

sock.send(probe.encode())

response = sock.recv(4096).decode('utf-8', errors='ignore')

sock.close()

if response:

server_match = re.search(r'Server:\s*(.+?)\r\n', response, re.IGNORECASE)

if server_match:

results.append(f"Server: {server_match.group(1)}")

powered_by = re.search(r'X-Powered-By:\s*(.+?)\r\n', response, re.IGNORECASE)

if powered_by:

results.append(f"Powered By: {powered_by.group(1)}")

# Check for technologies

tech_indicators = {

"PHP": ["PHP", "X-PHP"],

"ASP.NET": ["ASP.NET", "X-AspNet-Version"],

"Node.js": ["X-Powered-By: Express"],

"Python": ["Python", "Django", "Flask"],

"Ruby": ["Ruby", "Rails", "Phusion Passenger"],

"Java": ["Servlet", "JSP", "JSESSIONID"]

}

for tech, indicators in tech_indicators.items():

for indicator in indicators:

if indicator in response:

results.append(f"Technology: {tech}")

break

break

except:

continue

"""Enhanced reconnaissance with all new features"""

if scanner is None:

scanner = IntelligentScanner()

results = {

"geo_info": {},

"open_ports": [],

"fingerprint_results": [],

"waf_detected": [],

"technologies": [],

"vulnerability_hints": []

}

print(f"\n{G}[*] Advanced Intelligence Gathering on {target}...{W}")

print(f"{C}{'='*60}{W}")

# Step 1: Basic host resolution

try:

print(f"{Y}[1] Host Resolution:{W}")

ip_addr = socket.gethostbyname(target.split('://')[-1].split('/')[0].split(':')[0])

print(f" {C}IP Address: {ip_addr}{W}")

# Get hostname if available

try:

hostname = socket.gethostbyaddr(ip_addr)[0]

print(f" {C}Hostname: {hostname}{W}")

except:

hostname = ip_addr

results["target_ip"] = ip_addr

results["hostname"] = hostname

except Exception as e:

print(f" {R}[!] Cannot resolve target: {e}{W}")

return results

# Step 2: Fast port scanning

print(f"\n{Y}[2] Port Scanning (Fast Socket Method):{W}")

open_ports = scanner.fast_port_scan(ip_addr)

results["open_ports"] = open_ports

if not open_ports:

print(f" {Y}[!] No open ports found{W}")

else:

print(f" {G}[+] Found {len(open_ports)} open ports{W}")

# Step 3: Advanced fingerprinting on open ports

if open_ports:

print(f"\n{Y}[3] Service Fingerprinting:{W}")

for port_info in open_ports[:5]: # Limit to first 5 for speed

port = port_info["port"]

print(f" {C}[*] Analyzing port {port}...{W}")

fingerprint = scanner.advanced_fingerprinting(ip_addr, port)

if fingerprint:

for item in fingerprint:

print(f" {G}→ {item}{W}")

results["fingerprint_results"].append({

"port": port,

"info": item

})

# Step 4: WAF Detection

print(f"\n{Y}[4] WAF Detection:{W}")

try:

target_url = f"http://{target}" if not target.startswith(('http://', 'https://')) else target

waf_results = await scanner.detect_waf_async(target_url)

if waf_results:

for waf in waf_results:

print(f" {R}[!] Detected WAF: {waf['waf']} (confidence: {waf['confidence']}){W}")

for indicator in waf.get('indicators', []):

print(f" {Y}→ {indicator}{W}")

results["waf_detected"].append(waf)

else:

print(f" {G}[✓] No WAF detected{W}")

except Exception as e:

print(f" {Y}[!] WAF detection failed: {e}{W}")

# Step 5: Technology Detection

print(f"\n{Y}[5] Technology Detection:{W}")

tech_detected = set()

# Check common technologies

tech_checks = [

(80, "HTTP", ["Apache", "nginx", "IIS"]),

(443, "HTTPS", ["Apache", "nginx", "IIS"]),

(8080, "HTTP-Proxy", ["Apache", "nginx", "Tomcat"]),

(3306, "MySQL", ["MySQL"]),

(5432, "PostgreSQL", ["PostgreSQL"]),

]

for port, service, techs in tech_checks:

for port_info in open_ports:

if port_info["port"] == port:

for tech in techs:

if tech.lower() in str(port_info.get("banner", "")).lower():

tech_detected.add(tech)

print(f" {G}[+] {tech} detected on port {port}{W}")

if tech_detected:

results["technologies"] = list(tech_detected)

else:

print(f" {Y}[!] No specific technologies identified{W}")

# Step 6: Vulnerability hints based on findings

print(f"\n{Y}[6] Vulnerability Assessment Hints:{W}")

vulnerability_hints = []

# Check for common vulnerable services

for port_info in open_ports:

port = port_info["port"]

service = port_info.get("service", "").lower()

banner = port_info.get("banner", "").lower()

# SSH vulnerabilities

if port == 22:

if "openssh" in banner:

if any(ver in banner for ver in ["7.2", "7.3", "7.4"]):

vulnerability_hints.append({

"port": port,

"service": "SSH",

"vulnerability": "Potential OpenSSH vulnerabilities",

"severity": "medium",

"cve": ["CVE-2018-15473", "CVE-2016-6515"]

})

print(f" {R}[!] Port 22: Check for OpenSSH vulnerabilities{W}")

# HTTP vulnerabilities

elif port in [80, 443, 8080]:

if "apache" in banner and "2.4" in banner:

vulnerability_hints.append({

"port": port,

"service": "HTTP",

"vulnerability": "Apache HTTP Server vulnerabilities",

"severity": "low",

"cve": ["CVE-2021-40438", "CVE-2021-41773"]

})

print(f" {Y}[!] Port {port}: Check Apache version for vulnerabilities{W}")

# SMB vulnerabilities

elif port == 445:

vulnerability_hints.append({

"port": port,

"service": "SMB",

"vulnerability": "SMB protocol vulnerabilities (EternalBlue)",

"severity": "critical",

"cve": ["CVE-2017-0144", "CVE-2017-0145"]

})

print(f" {R}[!] Port 445: SMB port open - check for EternalBlue vulnerability{W}")

# RDP vulnerabilities

elif port == 3389:

vulnerability_hints.append({

"port": port,

"service": "RDP",

"vulnerability": "RDP BlueKeep vulnerability",

"severity": "critical",

"cve": ["CVE-2019-0708"]

})

print(f" {R}[!] Port 3389: RDP port open - check for BlueKeep vulnerability{W}")

results["vulnerability_hints"] = vulnerability_hints

print(f"\n{G}{'='*60}{W}")

print(f"{C}[*] Reconnaissance Completed!{W}")

print(f"{G}{'='*60}{W}")

# Save results

save_finding("advanced_recon", target, results)

"""Advanced web auditor with WAF detection and intelligent scanning"""

clean()

scanner = IntelligentScanner(proxy_manager)

print(f"\n{G}{'='*60}{W}")

print(f"{C} ADVANCED WEB VULNERABILITY AUDITOR{W}")

print(f"{G}{'='*60}{W}")

target = input(f"\n{Y}Target URL (e.g. http://site.com/): {W}").strip()

if not target.startswith(('http://', 'https://')):

target = 'http://' + target

# Phase 1: WAF Detection

print(f"\n{Y}[PHASE 1] WAF Detection:{W}")

waf_results = await scanner.detect_waf_async(target)

if waf_results:

print(f"{R}[!] WAF Detected: {waf_results[0]['waf']}{W}")

print(f"{Y}[*] Adjusting scan strategy...{W}")

else:

print(f"{G}[✓] No WAF detected{W}")

# Phase 2: Technology Stack Detection

print(f"\n{Y}[PHASE 2] Technology Detection:{W}")

try:

session = get_session(proxy_manager)

response = session.get(target, timeout=10, verify=False)

tech_indicators = {

"PHP": ["PHP", "X-Powered-By: PHP", ".php"],

"ASP.NET": [".aspx", "ASP.NET", "X-AspNet-Version"],

"Node.js": ["X-Powered-By: Express", "Node.js"],

"Python": ["Python", "Django", "Flask", ".py"],

"Java": ["JSESSIONID", "Servlet", "JSP", ".jsp"],

"Ruby": ["Ruby", "Rails", ".rb"],

"WordPress": ["wp-content", "wp-includes", "WordPress"],

"Joomla": ["joomla", "Joomla"],

"Drupal": ["Drupal", "drupal"],

}

detected_tech = []

response_text = response.text

headers = response.headers

for tech, indicators in tech_indicators.items():

for indicator in indicators:

if indicator.lower() in response_text.lower() or \

any(indicator.lower() in str(h).lower() for h in headers.values()):

detected_tech.append(tech)

print(f" {G}[+] {tech}{W}")

break

if not detected_tech:

print(f" {Y}[!] Could not detect specific technology{W}")

# Check security headers

print(f"\n{Y}[PHASE 3] Security Headers Analysis:{W}")

security_headers = {

"Content-Security-Policy": "Prevents XSS",

"X-Frame-Options": "Prevents clickjacking",

"X-Content-Type-Options": "Prevents MIME sniffing",

"X-XSS-Protection": "XSS protection",

"Strict-Transport-Security": "HSTS",

"Referrer-Policy": "Controls referrer info",

}

missing_headers = []

for header, purpose in security_headers.items():

if header in headers:

print(f" {G}[✓] {header}: {headers[header][:50]}...{W}")

else:

print(f" {R}[✗] Missing: {header} - {purpose}{W}")

missing_headers.append(header)

if missing_headers:

save_finding("security_headers", target, {

"missing_headers": missing_headers,

"detected_tech": detected_tech,

"waf_detected": [waf['waf'] for waf in waf_results] if waf_results else []

})

except Exception as e:

print(f"{R}[!] Initial analysis failed: {e}{W}")

# Phase 4: Vulnerability Scanning

print(f"\n{Y}[PHASE 4] Vulnerability Scanning:{W}")

# Import vulnerability scanning functions

from scanner_legacy import scan_url_advanced # Keep original scanning logic

payloads = {

'SQLi': ["'", "' OR '1'='1", "' UNION SELECT NULL--"],

'XSS': ["<script>alert(1)</script>", "\"><img src=x onerror=alert(1)>"],

'LFI': ["../../../../etc/passwd", "....//....//etc/passwd"],

'Command Injection': [";whoami", "|id", "$(ls -la)"],

'XXE': ["<?xml", "<!DOCTYPE"],

'SSRF': ["http://169.254.169.254", "http://localhost"],

}

connector = aiohttp.TCPConnector(limit=THREADS, ssl=False)

async with aiohttp.ClientSession(

connector=connector,

headers=get_headers(),

timeout=aiohttp.ClientTimeout(total=30)

) as session:

total_findings = 0

tasks = []

for cat, p_list in payloads.items():

print(f"{C}[*] Testing {cat}...{W}")

for p in p_list[:3]: # Limit payloads for speed

task = asyncio.create_task(

scan_url_advanced(session, target, p, cat, target, proxy_manager)

)

tasks.append(task)

for future in asyncio.as_completed(tasks):

found, vuln_type, confidence = await future

if found:

total_findings += 1

print(f"\n{G}[*] Scan completed!{W}")

print(f"{C}[*] Total findings: {total_findings}{W}")

# Generate report

if total_findings > 0 or waf_results or missing_headers:

print(f"\n{Y}[REPORT SUMMARY]{W}")

print(f"{C}{'-'*50}{W}")

if waf_results:

print(f"{R}• WAF Detected: {waf_results[0]['waf']}{W}")

if missing_headers:

print(f"{Y}• Missing Security Headers: {len(missing_headers)}{W}")

if total_findings > 0:

print(f"{R}• Vulnerabilities Found: {total_findings}{W}")

print(f"{G}[+] Report saved to: {REPORT_FILE}{W}")

"""Fast brute forcer with intelligent wordlist selection"""

clean()

print(f"\n{G}{'='*60}{W}")

print(f"{C} INTELLIGENT DIRECTORY BRUTEFORCER{W}")

print(f"{G}{'='*60}{W}")

target = input(f"{Y}Target Base URL: {W}").strip()

if not target.startswith(('http://', 'https://')):

target = 'http://' + target

if not target.endswith("/"):

target += "/"

# Select wordlist based on target

print(f"\n{Y}[*] Selecting optimal wordlist...{W}")

wordlists = {

"common": ["admin", "login", "dashboard", "wp-admin", "config", ".env",

"phpmyadmin", "test", "api", "robots.txt", ".git", ".htaccess",

"backup", "archive", "old", "temp", "tmp", "cgi-bin"],

"api": ["api/v1", "api/v2", "rest/api", "graphql", "swagger", "openapi",

"docs", "documentation", "v1/users", "v2/auth", "oauth"],

"admin": ["administrator", "adminpanel", "controlpanel", "cp", "manager",

"moderator", "superadmin", "sysadmin", "webadmin"],

"files": ["config.php", "config.json", ".env.local", ".env.production",

"database.yml", "settings.py", "composer.json", "package.json",

"web.config", ".htpasswd", ".gitignore"],

}

# Choose wordlist based on target analysis

selected_words = []

# Always include common words

selected_words.extend(wordlists["common"])

# Check if API endpoint might exist

if any(keyword in target.lower() for keyword in ["api", "rest", "graphql"]):

selected_words.extend(wordlists["api"][:5])

print(f"{C}[*] Adding API endpoints to scan{W}")

# Check for admin panels

selected_words.extend(wordlists["admin"][:5])

# Add file extensions based on technology guess

if ".php" in target or "php" in target:

selected_words.extend(["index.php", "login.php", "admin.php", "config.php"])

elif ".asp" in target or ".aspx" in target:

selected_words.extend(["default.aspx", "login.aspx", "admin.aspx"])

print(f"{C}[*] Using {len(selected_words)} optimized paths{W}")

found_paths = []

async with aiohttp.ClientSession(

headers=get_headers(),

timeout=aiohttp.ClientTimeout(total=30)

) as session:

tasks = []

for path in selected_words:

task = asyncio.create_task(brute_path_advanced(session, target, path))

tasks.append(task)

for future in asyncio.as_completed(tasks):

result = await future

if result:

url, status, msg, path = result

found_paths.append({

"url": url,

"status": status,

"message": msg,

"path": path

})

# Display results

if found_paths:

print(f"\n{G}[*] Found {len(found_paths)} accessible paths:{W}")

# Categorize by status code

status_200 = [p for p in found_paths if p["status"] == 200]

status_403 = [p for p in found_paths if p["status"] == 403]

status_redirect = [p for p in found_paths if p["status"] in [301, 302]]

if status_200:

print(f"\n{Y}[200 OK - Accessible]{W}")

for item in status_200[:5]:

print(f" {G}→ {item['path']}{W}")

if status_403:

print(f"\n{Y}[403 Forbidden - Exists but restricted]{W}")

for item in status_403[:3]:

print(f" {R}→ {item['path']}{W}")

if status_redirect:

print(f"\n{Y}[30X Redirect]{W}")

for item in status_redirect[:3]:

print(f" {BL}→ {item['path']}{W}")

# Save findings

save_finding("bruteforce", target, {

"paths_found": found_paths,

"total_tested": len(selected_words),

"wordlist_type": "optimized"

})

else:

print(f"{Y}[!] No accessible paths found{W}")

"""Advanced path brute forcer with intelligent detection"""

try:

# Test different variations

variations = [

url + word,

url + word + "/",

url + word + ".php",

url + word + ".html",

url + word.upper(),

url + word.lower(),

url + word + "~",

]

for test_url in variations:

try:

async with session.get(test_url, timeout=3, ssl=False) as resp:

status = resp.status

content_length = resp.headers.get('Content-Length', 0)

if status == 200:

# Check if it's not a generic 404 page

content = await resp.text()

if len(content) > 100: # Not a tiny error page

return (test_url, 200, "Found", word)

elif status == 403:

return (test_url, 403, "Forbidden", word)

elif status in [301, 302]:

location = resp.headers.get('Location', '')

return (test_url, status, f"Redirect to {location[:30]}", word)

except asyncio.TimeoutError:

continue

except:

continue

return None

except Exception:

"""Main recon function wrapper"""

clean()

print(f"\n{G}{'='*60}{W}")

print(f"{C} ADVANCED INTELLIGENCE GATHERING{W}")

print(f"{G}{'='*60}{W}")

target = input(f"{Y}Enter Target Domain/IP: {W}").strip()

# Remove protocol if present

if target.startswith(('http://', 'https://')):

target = target.split('://')[1]

scanner = IntelligentScanner()

loop = asyncio.new_event_loop()

asyncio.set_event_loop(loop)

results = loop.run_until_complete(advanced_recon_async(target, scanner))

# Display summary

if results:

print(f"\n{Y}[SUMMARY]{W}")

print(f"{C}{'-'*50}{W}")

print(f"{G}• Target IP: {results.get('target_ip', 'Unknown')}{W}")

print(f"{G}• Open Ports: {len(results.get('open_ports', []))}{W}")

print(f"{G}• WAF Detected: {len(results.get('waf_detected', []))}{W}")

print(f"{G}• Technologies: {len(results.get('technologies', []))}{W}")

print(f"{G}• Vulnerability Hints: {len(results.get('vulnerability_hints', []))}{W}")

# Show critical findings

vuln_hints = results.get('vulnerability_hints', [])

for hint in vuln_hints:

if hint.get('severity') == 'critical':

print(f"{R} ! Critical: {hint.get('vulnerability')} on port {hint.get('port')}{W}")

"""Network scanner for discovering hosts"""

clean()

print(f"\n{G}{'='*60}{W}")

print(f"{C} NETWORK SCANNER{W}")

print(f"{G}{'='*60}{W}")

network = input(f"{Y}Enter Network (e.g., 192.168.1.0/24): {W}").strip()

try:

network_obj = ipaddress.ip_network(network, strict=False)

print(f"{C}[*] Scanning {network_obj.num_addresses} hosts...{W}")