#!/bin/sh
#
#	Network Security Analysis Tool
#		    v 1.x
#	 (c) 2000 by Mixter, 2xs ltd.
#
#	xnsat - X frontend to nsat
# requires X11 and Tcl/Tk with windowing shell (wish) installed
# \
exec wish "$0" "$@"

# Shared state for the main form. The global declarations are kept from the
# original even though this code already runs at global scope.
global status ping coward conffile scantype \
       timeout maxproc maxlife minidle \
       first last binary vhost xxx

# Absolute path of the nsat executable this frontend launches.
# Edit this to match the local installation.
set binary /usr/local/bin/nsat

# Checkbox state: 1 = ticked, 0 = cleared.
set status   1
set ping     0
set coward   0
set scantype 0

# Optional text fields; an empty string means the option is not passed.
set conffile {}
set vhost    {}

# Numeric tuning fields; 0 means the option is not passed to nsat.
set timeout 0
set maxproc 0
set maxlife 0
set minidle 0

# Target selection: start host and end address ("0" = single host / file scan).
set first 127.0.0.1
set last  0

# Start-up check: when the configured scanner binary does not exist, show an
# error dialog naming the path instead of building the main window.
# NOTE(review): only existence is tested here, not whether the file is
# executable by the current user - confirm whether file executable is wanted.
if {![file exists $binary]} {
# Hide the default root window; the dialog below is its own toplevel.
wm withdraw .
toplevel .x
wm title .x "Error"
label .x.x -text "CANNOT FIND FILE: $binary - PLEASE EDIT XNSAT"
# The OK control is a checkbutton whose command destroys the root window.
checkbutton .x.y -text "OK" -command "destroy ."
pack .x.x .x.y
} {
# Binary found: the rest of the file builds the main window and defines its
# callback procedures inside this branch.

# ---- Main window -----------------------------------------------------------
# The root window stays hidden; the whole UI lives in the .nsat toplevel.
wm withdraw .
toplevel .nsat
wm title .nsat "Network Security Analysis Tool v1.x   (c) 2000 Mixter, 2xs ltd."
wm geometry .nsat 550x900+50+50

# ---- Button bar ------------------------------------------------------------
# Every button is packed against the right edge, so the first one packed
# (Close) ends up rightmost.
frame .nsat.fb
button .nsat.fb.start  -text "Scan!"              -command scan
button .nsat.fb.rec    -text "Recover"            -command rec
button .nsat.fb.logs   -text "Logs"               -command logs
button .nsat.fb.finish -text "Close"              -command bye
button .nsat.fb.help   -text "Help"               -command help
button .nsat.fb.conf   -text "Create config file" -command conf
pack .nsat.fb.finish .nsat.fb.help .nsat.fb.start .nsat.fb.rec \
     .nsat.fb.logs .nsat.fb.conf -side right -anchor n
pack .nsat.fb -anchor nw

# ---- Scan options (checkboxes bound to global variables) -------------------
label .nsat.c1 -text "Options"
frame .nsat.clt
pack .nsat.c1 .nsat.clt -fill x -anchor nw
checkbutton .nsat.clt.t1 -text "Display status" -variable status
checkbutton .nsat.clt.t2 -text "Ping dependent" -variable ping
checkbutton .nsat.clt.t3 -text "Stealth mode"   -variable coward
pack .nsat.clt.t1 .nsat.clt.t2 .nsat.clt.t3 -side left -anchor nw
focus .nsat.clt

# Ticked: the start field names an input file. Cleared: host or range scan.
checkbutton .nsat.t4 -variable scantype \
    -text "File scan (non-checked: single host / range scan)"
pack .nsat.t4 -side top -anchor nw

# ---- Tuning and path fields, one label above each entry --------------------
label .nsat.l1 -text "Connection timeout: "
entry .nsat.te1 -textvariable timeout -width 20 -relief sunken -bd 2
label .nsat.l2 -text "Maximum processes: "
entry .nsat.te2 -textvariable maxproc -width 20 -relief sunken -bd 2
label .nsat.l3 -text "Maximum lifetime: "
entry .nsat.te3 -textvariable maxlife -width 20 -relief sunken -bd 2
label .nsat.l4 -text "Minimum idletime: "
entry .nsat.te4 -textvariable minidle -width 20 -relief sunken -bd 2
label .nsat.l5 -text "Configuration File: "
entry .nsat.te5 -textvariable conffile
label .nsat.l6 -text "Virtual Host: "
entry .nsat.te6 -textvariable vhost
pack .nsat.l1 .nsat.te1 .nsat.l2 .nsat.te2 .nsat.l3 .nsat.te3 \
     .nsat.l4 .nsat.te4 .nsat.l5 .nsat.te5 .nsat.l6 .nsat.te6 \
     -anchor nw -side top

# ---- Target selection ------------------------------------------------------
label .nsat.c3 -text "Target Selection"
pack .nsat.c3 -anchor n

label .nsat.bt2 -text "Start IP/Host or input filename: "
entry .nsat.be1 -textvariable first -width 20 -relief sunken -bd 2
pack .nsat.bt2 .nsat.be1 -side top -anchor n

label .nsat.bt3 -text "End IP (or 0 for single/file scan): "
entry .nsat.be2 -textvariable last -width 20 -relief sunken -bd 2
pack .nsat.bt3 .nsat.be2 -side top -anchor n

# ---- Scrolling status pane -------------------------------------------------
# The callback procedures insert scanner output here at index 2.0, just below
# the red, underlined, centred heading line.
frame .nsat.opt
text .nsat.opt.output -height 55 -width 75 -relief sunken \
    -yscrollcommand {.nsat.opt.scl set}
scrollbar .nsat.opt.scl -command {.nsat.opt.output yview}
pack .nsat.opt.scl -side right -fill y -anchor nw
pack .nsat.opt -side top -anchor nw
pack .nsat.opt.output -anchor nw
.nsat.opt.output insert 1.0 "Scan Status\n"
.nsat.opt.output tag add sline {1.0 linestart} {1.0 lineend}
.nsat.opt.output tag configure sline -foreground red -underline 1 -justify center
.nsat.opt.output insert 2.0 "\n"
# The pane is left in the normal state so that later insert calls take effect.
.nsat.opt.output configure -state disabled
.nsat.opt.output configure -state normal

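# conf - open the "NSAT Configuration File Utility" window.
#
# Builds a form with three text fields (output file name, CGI database file,
# port to scan) and 28 checkboxes, each bound to a global variable of the
# same name that conf2 reads when "Write configuration!" is pressed.
#
# Fix over the original: pressing "Create config file" while the window was
# already open raised a Tk error because .conf already existed; the existing
# window is now brought to the front instead.
proc conf { } {
    global file cgi port
    global os icmp netstat ftp ftp2 ssh telnet smtp smtp2 bind finger pop2 pop3 rpc
    global rpc2 nntp smb imap nlps ircd x11 netbios bo snmp www www2 www3 bd

    if {[winfo exists .conf]} {
        raise .conf
        return
    }

    toplevel .conf
    wm title .conf "NSAT Configuration File Utility"
    wm geometry .conf 600x350

    button .conf.close -text Close -command {destroy .conf}
    button .conf.write -text "Write configuration!" -command conf2
    pack .conf.close .conf.write -side top

    label .conf.la -text "This tool is only used to create a basic configuration file, which should be manually customized"
    label .conf.lb -text " for best results. Please be aware that it doesn't use all of the configuration settings."
    pack .conf.la .conf.lb -anchor nw -side top

    # Text fields, each stacked under its label.
    label .conf.l0 -text "Config file name: "
    entry .conf.t0 -width 20 -relief sunken -bd 2 -textvariable file
    label .conf.l1 -text "CGI database file: "
    entry .conf.t1 -width 20 -relief sunken -bd 2 -textvariable cgi
    label .conf.l2 -text "Port to scan: "
    entry .conf.t2 -width 20 -relief sunken -bd 2 -textvariable port
    pack .conf.l0 .conf.t0 .conf.l1 .conf.t1 .conf.l2 .conf.t2 -anchor nw -side top

    # Four rows of seven checkboxes. The rows are created and packed first so
    # that they stack top to bottom in the order a, b, c, d.
    foreach row {a b c d} {
        frame .conf.$row
    }
    foreach row {a b c d} {
        pack .conf.$row -fill x -anchor nw
    }

    # Each row lists caption / global variable pairs. Widget names continue
    # the original numbering c1 to c28 across the rows.
    set n 0
    foreach {row boxes} {
        a {"OS detection" os  "icmp" icmp  "netstat" netstat  "ftp" ftp
           "ftp writable" ftp2  "ssh" ssh  "telnet" telnet}
        b {"smtp" smtp  "smtp fakemail" smtp2  "bind" bind  "finger" finger
           "pop2" pop2  "pop3" pop3  "portmap dump" rpc}
        c {"nfs exports" rpc2  "nntp" nntp  "smb/netbios session" smb
           "imap" imap  "nlps" nlps  "ircd" ircd  "x11" x11}
        d {"netbios name" netbios  "back orifice" bo  "snmp" snmp
           "http" www  "cgi" www2  "cgi IDS evasion" www3  "backdoors" bd}
    } {
        foreach {caption varname} $boxes {
            incr n
            checkbutton .conf.$row.c$n -text $caption -variable $varname
            pack .conf.$row.c$n -side left -anchor nw
        }
    }

    # As in the original, focus is requested on each row in turn, so the last
    # row ends up holding it.
    foreach row {a b c d} {
        focus .conf.$row
    }
}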

# conf2 - write the configuration file described by the conf form.
#
# Reads the globals bound to the form widgets. Does nothing when no file name
# was entered. Otherwise the file is opened in "w" mode, which creates it or
# truncates an existing file of that name, and receives a header line, the
# optional CGIFile / PortScan values, and one directive line per ticked
# checkbox, in the fixed order of the table below.
#
# The file name is used exactly as typed, so a relative name lands in the
# current working directory. The cgi and port values are written verbatim.
proc conf2 { } {
    global file cgi port
    global os icmp netstat ftp ftp2 ssh telnet smtp smtp2 bind finger pop2 pop3 rpc
    global rpc2 nntp smb imap nlps ircd x11 netbios bo snmp www www2 www3 bd

    # No file name, no output.
    if {![info exists file] || $file == ""} {
        return
    }
    set fd [open $file w]
    puts $fd "### NSAT example configuration. Created by xnsat."

    # Valued settings: emitted only when the field is non-empty.
    foreach {setting directive} {
        cgi  CGIFile
        port PortScan
    } {
        if {[info exists $setting] && [set $setting] != ""} {
            puts $fd "$directive [set $setting]"
        }
    }

    # Checkbox settings: global variable name, then the line written when it
    # is ticked.
    foreach {flag line} {
        os      "OSFingerprinting 1"
        icmp    IcmpPing
        netstat NetstatScanVerbose
        ftp     FtpScanAnonymous
        ftp2    FtpScanWritable
        ssh     SshScan
        telnet  TelnetDumpBanner
        smtp    SmtpInfoCheck
        smtp2   SmtpFakeMail
        bind    BindVersionScanAll
        finger  FingerScan
        pop2    Pop2Scan
        pop3    Pop3Scan
        rpc     RPCVerboseScan
        rpc2    RPCNFSExportsCheck
        nntp    NNtpScan
        smb     SmbScan
        imap    ImapScan
        nlps    NlpsScan
        ircd    IrcdVerboseScan
        x11     XWinDisplayCheck
        netbios NetbiosScan
        bo      BackOrificeScan
        snmp    SnmpScan
        www     WebScan
        www2    WebScanCgi
        www3    WebScanIDSEvasion
        bd      BackdoorScan
    } {
        if {[info exists $flag] && [set $flag]} {
            puts $fd $line
        }
    }

    close $fd
}

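# help - show the static help window.
#
# Fix over the original: pressing Help while the window was already open
# raised a Tk error because .help already existed; the existing window is now
# brought to the front instead.
proc help { } {
    if {[winfo exists .help]} {
        raise .help
        return
    }

    toplevel .help
    wm title .help "xnsat help"
    wm geometry .help 500x300

    # One label per line of text. The widget suffixes keep the original
    # numbering, which skips 9.
    foreach {n text} {
        1  "This is the X frontend to NSAT, the"
        2  "Network Security Analysis Tool."
        3  "The purpose of this application is to audit services"
        4  "of any amount of hosts remotely and reliably. You can"
        5  "learn about NSATs capabilities and usage by reading the"
        6  "nsat(8) manpage."
        7  "Please be aware that a couple of log files will be created"
        8  "in the current directory, so consider running xnsat from"
        10 "a separate path. xnsat will either parse IP addresses from"
        11 "a filename, or scan a range of IPs incrementally."
        12 "In case the last IP is zero, xnsat will perform a"
        13 "single-host-scan."
    } {
        label .help.$n -text $text
        pack .help.$n
    }

    button .help.ok -text "OK" -command {destroy .help}
    pack .help.ok -side bottom
}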

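# rec - handler for the "Recover" button.
#
# Runs the configured nsat binary with no arguments and shows its output, or
# the error text, in the status pane.
# NOTE(review): presumably nsat without arguments resumes a saved session -
# confirm against the nsat manpage.
#
# Fix over the original: the command was built as a string and evaluated a
# second time by catch, so a binary path containing whitespace or Tcl
# metacharacters was split or re-interpreted. The braced script hands the
# path to exec as exactly one word.
proc rec { } {
    global binary

    if {[catch {exec $binary} x]} {
        .nsat.opt.output insert 2.0 "ERROR: $x\n"
    } else {
        .nsat.opt.output insert 2.0 "Succeeded:\n$x\n"
    }
    .nsat.opt.output insert 2.0 "\n"
    return
}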

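# scan - handler for the "Scan!" button.
#
# Translates the form fields into an nsat command line, starts nsat in the
# background with its standard output redirected to status.log, reports the
# pid in the status pane and schedules the first refresh after five seconds.
# The pid, or the error text when the launch fails, is stored in the global
# xxx, which act_2 reads later.
#
# Fix over the original: the command used to be assembled as one string,
# evaluated by catch as a Tcl script and then parsed again by /bin/sh -c.
# Whatever was typed into a field was therefore re-interpreted twice, so a
# path with a space was split into several arguments and shell or Tcl
# metacharacters were acted upon. The command is now a Tcl list and every
# field reaches nsat as exactly one argument, with no shell involved.
#
# status.log is created in the current working directory, so start xnsat
# from a directory that only the operator can write to.
proc scan { } {
    global status ping coward conffile scantype
    global timeout maxproc maxlife minidle
    global first last binary vhost xxx

    # Remove state files left behind by an earlier run; failures are ignored.
    catch {exec rm -f .nsrc .nspid}

    # exec treats words that start with a redirection or pipe symbol as
    # redirections of its own, so refuse such values rather than pass them on.
    foreach field [list $conffile $vhost $first $last] {
        if {[regexp {^(<|>|2>|\|)} $field]} {
            .nsat.opt.output insert 2.0 "* Invalid value: $field\n"
            return
        }
    }

    set cmd [list $binary]
    if {$status} {lappend cmd -n}
    lappend cmd -p $ping -c $coward
    if {$conffile != ""} {lappend cmd -C $conffile}
    if {$vhost != ""} {lappend cmd -V $vhost}
    if {$timeout} {lappend cmd -t $timeout}
    if {$maxproc} {lappend cmd -m $maxproc}
    if {$maxlife} {lappend cmd -l $maxlife}
    if {$minidle} {lappend cmd -i $minidle}

    if {$scantype} {
        # File scan: the start field names a file of targets.
        if {![file exists $first]} {
            .nsat.opt.output insert 2.0 "* File not found: $first\n"
            return
        }
        lappend cmd -f $first
    } elseif {$last != "0"} {
        # Range scan from first to last.
        lappend cmd -s $first -e $last
    } else {
        # Single host.
        lappend cmd -h $first
    }

    # eval splices the list back into separate words for exec. The list
    # quoting added by lappend keeps each element intact and unsubstituted.
    set i [catch {eval exec $cmd [list >status.log &]} xxx]
    if {$i} {
        .nsat.opt.output insert 2.0 "ERROR: $xxx\n"
        return
    }
    .nsat.opt.output insert 2.0 "Launched, pid $xxx.\n"

    after 5000 actualize
    .nsat.opt.output insert 2.0 "\n"
    return
}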

# actualize - first refresh after a scan has been launched.
#
# Copies the whole of status.log into the status pane under a STATUS banner.
# When "Display status" is ticked, the periodic refresh act_2 is scheduled
# five seconds later. The log text is handed to the widget as a single
# argument, so it is displayed as data and never evaluated.
proc actualize { } {
    global status updtime

    set snapshot [exec cat status.log]
    .nsat.opt.output insert 2.0 "${snapshot}\n"
    .nsat.opt.output insert 2.0 "\n\[*\]                       S T A T U S                       \[*\]\n"

    if {$status} {
        after 5000 act_2
    }
}

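# act_2 - periodic refresh while the scan is running.
#
# Shows the last 35 lines of status.log under an UPDATE banner, then checks
# whether the process whose pid is stored in the global xxx is still alive.
# If so the proc reschedules itself in five seconds, otherwise it hands over
# to act_3 for the final display.
#
# Fix over the original: liveness was probed with "kill -17". Signal numbers
# are platform specific: 17 is SIGCHLD on Linux but a different signal on
# other systems (SIGSTOP on the BSDs), where the probe itself would disturb
# the scanner. Signal 0 delivers nothing and only reports whether the pid
# can be signalled. The command is also no longer built as a string that
# catch evaluates a second time.
#
# A pid can be reused by an unrelated process after nsat exits, so this
# check is best effort only.
proc act_2 { } {
    global xxx

    set txt [exec tail -35 status.log]
    .nsat.opt.output insert 2.0 "$txt\n\n\n\n\n\n\n\n\n\n"
    .nsat.opt.output insert 2.0 "\n\[*\]                       U P D A T E                       \[*\]\n"

    if {![catch {exec kill -0 $xxx} y]} {
        after 5000 act_2
    } else {
        act_3
    }
}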

# act_3 - final refresh once the scanner process is gone.
#
# Shows the last 35 lines of status.log under a FINISHED banner and
# schedules nothing further.
proc act_3 { } {
    set lastlines [exec tail -35 status.log]
    .nsat.opt.output insert 2.0 "${lastlines}\n\n\n\n\n\n\n\n\n\n"
    .nsat.opt.output insert 2.0 "\n\[*\]                      F I N I S H E D                       \[*\]\n"
}

# bye - handler for the "Close" button.
#
# Sends SIGKILL to processes named nsat and then destroys the root window,
# which ends the application. Any error from killall is ignored.
#
# NOTE(review): killall matches by name, so this also ends nsat processes
# that were not started from this window. On some System V derived systems
# killall does not match by name at all and signals every process the caller
# may signal - confirm the target platform before relying on it.
proc bye { } {
    catch {exec killall -9 nsat}
    destroy .
}

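# logs_show - insert the current contents of one log file into the viewer.
#
# path  log file to read
# lead  text placed in front of the contents
#
# The contents reach the text widget as a single argument, so they are
# displayed as data and never evaluated.
proc logs_show {path lead} {
    if {[catch {open $path r} fd]} {
        .log.opt.output insert 2.0 "${lead}ERROR: $fd\n"
        return
    }
    set body [read -nonewline $fd]
    close $fd
    .log.opt.output insert 2.0 "$lead$body"
}

# logs - open the "View NSAT Log Files" window.
#
# Creates one button per known log file that is readable in the current
# directory, in two rows, above a scrolling text pane. Pressing a button
# inserts that log into the pane.
#
# Fixes over the original:
#  - Each button command used to be a script string with the log contents
#    substituted into it, and Tk evaluated that string when the button was
#    pressed. The logs hold text received from the scanned hosts, so remote
#    data could be interpreted as Tcl commands inside the frontend. The
#    command is now a list that names the file, and logs_show inserts the
#    contents as plain data.
#  - The contents are read when the button is pressed rather than when the
#    window is built, so the pane shows the current state of the log.
#  - Opening the viewer while it was already open raised a Tk error; the old
#    window is now replaced, which also refreshes the set of buttons.
proc logs { } {
    if {[winfo exists .log]} {
        destroy .log
    }
    toplevel .log
    wm title .log "View NSAT Log Files"
    #wm geometry .log 500x300

    set filez { ports ftp ssh telnet sendmail dns httpd pop2 pop3 imap os
                unknown-os finger snmp smb }
    set filez2 { nntp exports netstat backdoor
                ircd xwindows netbios icmp rpc cgi bo nlps debug }

    button .log.close -text Close -command {destroy .log}
    pack .log.close

    # First row of buttons. The original put one newline before the text.
    frame .log.a
    foreach bt $filez {
        if {[file readable ${bt}.log]} {
            button .log.a.${bt} -text $bt -command [list logs_show ${bt}.log "\n"]
            pack .log.a.${bt} -anchor n -side right
        }
    }

    # Second row of buttons. The original put three newlines before the text.
    frame .log.b
    foreach bt $filez2 {
        if {[file readable ${bt}.log]} {
            button .log.b.${bt} -text $bt -command [list logs_show ${bt}.log "\n\n\n"]
            pack .log.b.${bt} -anchor n -side right
        }
    }
    pack .log.a -anchor nw
    pack .log.b -anchor sw

    frame .log.opt
    text .log.opt.output -height 35 -width 75 -relief sunken \
        -yscrollcommand {.log.opt.scl set}
    scrollbar .log.opt.scl -command {.log.opt.output yview}
    pack .log.opt.scl -side right -fill y -anchor nw
    pack .log.opt -side top -anchor nw
    pack .log.opt.output -anchor nw
    # The pane is left in the normal state so that insert calls take effect.
    .log.opt.output configure -state disabled
    .log.opt.output configure -state normal
}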

# Defines a command named "*" that takes no arguments and returns an empty
# string.
# NOTE(review): presumably a guard so that a stray [*] substitution, as used
# in the status banners, evaluates to nothing instead of raising an
# unknown-command error - confirm before removing.
proc * {} {
    return
}

}
