def main():
import argparse
import platform
import logging
from asysocks import logger as asylogger
parser = argparse.ArgumentParser(description='Interactive SMB client')
parser.add_argument('-v', '--verbose', action='count', default=0)
parser.add_argument('-s', '--silent', action='store_true', help='do not print banner')
parser.add_argument('-n', '--no-interactive', action='store_true')
parser.add_argument('smb_url', help = 'Connection string that describes the authentication and target. Example: smb+ntlm-password://TEST\\Administrator:[email protected]')
parser.add_argument('commands', nargs='*')
args = parser.parse_args()
if args.silent is False:
print(__banner__)
if args.verbose >=1:
logger.setLevel(logging.DEBUG)
if args.verbose > 2:
print('setting deepdebug')
logger.setLevel(1) #enabling deep debug
sockslogger.setLevel(1)
asylogger.setLevel(1)
asyncio.get_event_loop().set_debug(True)
logging.basicConfig(level=logging.DEBUG)
asyncio.run(amain(args))
def main():
import argparse
parser = argparse.ArgumentParser(description='MS LDAP library')
parser.add_argument('-v',
'--verbose',
action='count',
default=0,
help='Verbosity, can be stacked')
parser.add_argument('-n', '--no-interactive', action='store_true')
parser.add_argument('url', help='Connection string in URL format.')
parser.add_argument(
'commands',
nargs='*',
help=
"Takes a series of commands which will be executed until error encountered. If the command is 'i' is encountered during execution it drops back to interactive shell."
)
args = parser.parse_args()
###### VERBOSITY
if args.verbose == 0:
logging.basicConfig(level=logging.INFO)
else:
sockslogger.setLevel(logging.DEBUG)
logger.setLevel(logging.DEBUG)
logging.basicConfig(level=logging.DEBUG)
asyncio.run(amain(args))
def main():
import argparse
import platform
import logging
from asysocks import logger as sockslogger
parser = argparse.ArgumentParser(description='Zerologon tester')
parser.add_argument('-v', '--verbose', action='count', default=0)
parser.add_argument('-e',
'--exploit',
action='store_true',
help='perform the expolit')
parser.add_argument('dc_ip', help='IP address of the domain controller')
parser.add_argument(
'dc_name', help='NETBIOS NAME of the domain controller (without $)')
args = parser.parse_args()
if args.verbose >= 1:
logger.setLevel(logging.DEBUG)
if args.verbose > 2:
print('setting deepdebug')
logger.setLevel(1) #enabling deep debug
sockslogger.setLevel(1)
asyncio.get_event_loop().set_debug(True)
logging.basicConfig(level=logging.DEBUG)
asyncio.run(run(args.dc_name, args.dc_ip, args.exploit))
def main():
import argparse
parser = argparse.ArgumentParser(description='MS LDAP library')
parser.add_argument('-v',
'--verbose',
action='count',
default=0,
help='Verbosity, can be stacked')
parser.add_argument('-n', '--no-interactive', action='store_true')
parser.add_argument('url', help='Connection string in URL format.')
args = parser.parse_args()
###### VERBOSITY
if args.verbose == 0:
logging.basicConfig(level=logging.INFO)
else:
sockslogger.setLevel(logging.DEBUG)
logger.setLevel(logging.DEBUG)
logging.basicConfig(level=logging.DEBUG)
ldap_url = MSLDAPURLDecoder(args.url)
compdomlist = MSLDAPCompDomainList(ldap_url)
asyncio.run(compdomlist.run())
def main():
import argparse
parser = argparse.ArgumentParser(description='Transparent TCP tunnel for SOCKS unaware clients.')
parser.add_argument('proxy_connection_string', help='connection string decribing the socks5 proxy server connection properties')
parser.add_argument('dst_ip', help='IP address of the desination server')
parser.add_argument('dst_port', type = int, help='port number of the desination service')
parser.add_argument('-l', '--listen-ip', default = '127.0.0.1', help='Listener IP address to bind to')
parser.add_argument('-p', '--listen-port', type = int, default = 11111, help='Listener port number to bind to')
parser.add_argument('-t', '--timeout', type = int, default = None, help='Endpoint timeout')
parser.add_argument('-v', '--verbose', action='count', default=0)
args = parser.parse_args()
if args.verbose >=1:
logger.setLevel(logging.DEBUG)
elif args.verbose > 2:
logger.setLevel(1)
comms = SocksLitenerComms(args.listen_ip, args.listen_port)
url = SocksClientURL.from_url(args.proxy_connection_string)
url.endpoint_ip = args.dst_ip
url.endpoint_port = args.dst_port
url.endpoint_timeout = args.timeout
target = url.get_target()
credentials = url.get_creds()
if args.verbose >=1:
print(str(target))
print(__banner__)
layout = """Connection layout
CLIENT --->|
CLIENT --->|(LISTENER) %s:%s |--->| (%s) %s:%s |--->| (FINAL DST) %s:%s
CLIENT --->|
""" % (args.listen_ip, args.listen_port, target.version.name.upper() ,target.server_ip, target.server_port, args.dst_ip, args.dst_port)
print(layout)
client = SOCKSClient(comms, target, credentials)
print('Waiting for incoming connections')
asyncio.run(client.run())
def main():
import argparse
import platform
parser = argparse.ArgumentParser(description='Interactive SMB client')
parser.add_argument('-v', '--verbose', action='count', default=0)
parser.add_argument('-n', '--no-interactive', action='store_true')
parser.add_argument('smb_url', help = 'Connection string that describes the authentication and target. Example: smb+ntlm-password://TEST\\Administrator:[email protected]')
parser.add_argument('commands', nargs='*')
args = parser.parse_args()
print(__banner__)
if args.verbose > 2:
print('setting deepdebug')
logger.setLevel(1) #enabling deep debug
sockslogger.setLevel(1)
print(args.commands)
asyncio.run(amain(args))
print(res)
target_user = '******'
spn = KerberosSPN.from_user_email(target_user)
url = 'kerberos+pw://TEST\\victim:[email protected]/?timeout=77'
ku = KerberosClientURL.from_url(url)
target = ku.get_target()
cred = ku.get_creds()
arr = Kerberoast(target, cred)
res = await arr.run([spn])
print(res)
target_user = '******'
spn = KerberosSPN.from_user_email(target_user)
url = 'kerberos+pw://TEST\\victim:[email protected]/?proxyhost=10.10.10.102&proxytype=socks5&proxyport=1080'
ku = KerberosClientURL.from_url(url)
target = ku.get_target()
print(target)
cred = ku.get_creds()
arr = Kerberoast(target, cred)
res = await arr.run([spn])
print(res)
if __name__ == '__main__':
from asysocks import logger as alogger
from pycquery_krb.common.url import KerberosClientURL
import asyncio
alogger.setLevel(2)
asyncio.run(main())
def main():
import argparse
parser = argparse.ArgumentParser(
description='SOCKS5 proxy auth bruteforcer')
parser.add_argument(
'proxy_connection_string',
help=
'connection string decribing the socks5 proxy server connection properties'
)
parser.add_argument(
'-u',
'--users',
action='append',
help='User or users file with one user per line. can be stacked')
parser.add_argument(
'-p',
'--passwords',
action='append',
help=
'Password or password file with one password per line. can be stacked')
parser.add_argument('-t',
'--timeout',
type=int,
default=None,
help='Brute retries sleep time')
parser.add_argument('-w',
'--worker-count',
type=int,
default=1,
help='Parallelism')
parser.add_argument('-v',
'--verbose',
action='count',
default=0,
help='Verbosity')
parser.add_argument('-s',
'--silent',
action='store_true',
help='dont print banner')
parser.add_argument('-o', '--out-file', help='output file')
parser.add_argument('--positive',
action='store_true',
help='only show sucsessful results')
args = parser.parse_args()
if args.silent is False:
print(__banner__)
logger.setLevel(100)
if args.verbose >= 1:
logger.setLevel(logging.DEBUG)
elif args.verbose > 2:
logger.setLevel(1)
url = SocksClientURL.from_url(args.proxy_connection_string)
brute = SOCKSBrute(url)
brute.timeout = args.timeout
brute.worker_cnt = args.worker_count
brute.output_file = args.out_file
brute.only_positive = args.positive
if args.users is None or args.passwords is None:
print('Users "-u" and Passwords "-p" must be set! Exiting')
return
notfile = []
for target in args.users:
try:
f = open(target, 'r')
f.close()
brute.user_gens.append(FileStringGen(target))
except:
notfile.append(target)
if len(notfile) > 0:
brute.user_gens.append(ListStringGen(notfile))
if len(brute.user_gens) == 0:
print('[-] No suitable users were found!')
return
notfile = []
for target in args.passwords:
try:
f = open(target, 'r')
f.close()
brute.password_gens.append(FileStringGen(target))
except:
notfile.append(target)
if len(notfile) > 0:
brute.password_gens.append(ListStringGen(notfile))
if len(brute.password_gens) == 0:
print('[-] No suitable passwords were found!')
return
_, err = asyncio.run(brute.run())
if err is not None:
print('Failed to perform bruting! Reason: %s' % err)
return
if args.silent is False:
print('Done!')
import ipaddress
import logging
import asyncio
from asysocks.common.target import SocksTarget
from asysocks.common.comms import SocksQueueComms
from asysocks.common.constants import *
from asysocks.client import SOCKSClient
from asysocks import logger
logging.basicConfig(level=2)
logger.setLevel(logging.DEBUG)
async def read_q(in_queue):
while True:
data = await in_queue.get()
print(data)
async def main():
in_queue = asyncio.Queue()
out_queue = asyncio.Queue()
await out_queue.put(b'GET / HTTP/1.1\r\nHost: google.com\r\n\r\n')
target = SocksTarget()
#target.version = SocksServerVersion.SOCKS4
target.version = SocksServerVersion.SOCKS5
target.server_ip = '127.0.0.1'
target.server_port = 9050
target.is_bind = False
target.proto = SocksProtocol.TCP
def main():
import argparse
parser = argparse.ArgumentParser(
description='SOCKS/HTTP proxy port scanner')
parser.add_argument(
'proxy_connection_string',
help=
'connection string decribing the socks5 proxy server connection properties'
)
parser.add_argument(
'-p',
'--ports',
action='append',
help=
'port to scan / port range to scan / port range file. can be stacked')
parser.add_argument('-t',
'--timeout',
type=int,
default=None,
help='Scan retries sleep time')
parser.add_argument('-r',
'--retries',
type=int,
default=0,
help='Retries for testing the port')
parser.add_argument('-w',
'--worker-count',
type=int,
default=1,
help='Parallelism')
parser.add_argument('-v', '--verbose', action='count', default=0)
parser.add_argument('targets',
nargs='+',
help='IP address / IP range (CDIR) / targets file')
args = parser.parse_args()
logger.setLevel(100)
if args.verbose >= 1:
logger.setLevel(logging.DEBUG)
elif args.verbose > 2:
logger.setLevel(1)
url = SocksClientURL.from_url(args.proxy_connection_string)
scanner = SOCKSPortscan(url)
scanner.max_retries = args.retries
scanner.retries_timeout = args.timeout
scanner.worker_cnt = args.worker_count
notfile = []
for target in args.targets:
try:
f = open(target, 'r')
f.close()
scanner.target_gens.append(FileTargetIPGen(target))
except:
notfile.append(target)
if len(notfile) > 0:
scanner.target_gens.append(ListTargetIPGen(notfile))
if len(scanner.target_gens) == 0:
print('[-] No suitable targets were found!')
return
notfile = []
for target in args.ports:
try:
f = open(target, 'r')
f.close()
scanner.port_gens.append(FileTargetPortGen(target))
except:
notfile.append(target)
if len(notfile) > 0:
scanner.port_gens.append(ListTargetPortGen(notfile))
if len(scanner.port_gens) == 0:
print('[-] No suitable ports were found!')
return
asyncio.run(scanner.run())
def main():
import argparse
parser = argparse.ArgumentParser(
description='SOCKS5 proxy security tester')
parser.add_argument('host', help='')
parser.add_argument('port', help='')
parser.add_argument('-t',
'--timeout',
type=int,
default=None,
help='Timeout')
parser.add_argument('-v',
'--verbose',
action='count',
default=0,
help='Verbosity')
parser.add_argument('--ssl', action='store_true', help='SSL')
parser.add_argument('-s', '--silent', action='store_true', help='SSL')
parser.add_argument('--verify-host',
help='Destination host to test proxy on')
parser.add_argument('--verify-port',
type=int,
help='Destination port to test proxy on')
parser.add_argument('--verify-send',
help='Data to send to destination to test the proxy')
parser.add_argument(
'--verify-recv',
help='Data expected to be recieved from the destination via proxy')
parser.add_argument('-u', '--username', help='Username for proxy auth')
parser.add_argument('-p', '--password', help='Password for proxy auth')
args = parser.parse_args()
if args.silent is False:
print(__banner__)
logger.setLevel(100)
if args.verbose >= 1:
logger.setLevel(logging.DEBUG)
elif args.verbose > 2:
logger.setLevel(1)
socsec = SocksSecurity()
socsec.server_ip = args.host
socsec.server_port = args.port
socsec.server_sslctx = None if args.ssl is False else ssl.create_default_context(
)
socsec.timeout = args.timeout
socsec.verify_host = args.verify_host #endpoint ip/hostname to test the connection
socsec.verify_port = args.verify_port #endpoint port
socsec.verify_send = args.verify_send #data to be sent to the endpoint service upon succsessfull connection
socsec.verify_recv = args.verify_recv #data expected from the endpoint service in response to verify_send
supported, notsupported, errors = asyncio.run(socsec.socks5_authmethods())
for method, err in errors:
print('[AUTHMETHOD][E] %s : %s' % (method.name, err))
for method in supported:
print('[AUTHMETHOD][+] %s' % method.name)
for method in notsupported:
print('[AUTHMETHOD][-] %s' % method.name)
res, err = asyncio.run(socsec.socks5_noauth())
if err is not None:
print('[NOAUTH][E] Error while determining noauth. Reson: %s' % err)
elif res is True:
print('[NOAUTH][+] No authentication needed')
elif res is False:
print('[NOAUTH][-] Authentication needed')
res, err = asyncio.run(socsec.socks5_bind(args.username, args.password))
if err is not None:
print('[BIND][E] Error while determining BIND support. Reson: %s' %
err)
elif res is True:
print('[BIND][+] Server supports BIND')
elif res is False:
print('[BIND][-] Server doesnt support BIND')
res, err = asyncio.run(socsec.socks5_local(args.username, args.password))
if err is not None:
print(
'[LOCALPORT][E] Error while determining local connect support. Reson: %s'
% err)
elif res is True:
print('[LOCALPORT][+] Server supports connecting to localhost')
elif res is False:
print('[LOCALPORT][-] Server doesnt support connecting to localhost')
if args.verify_host is not None and args.verify_port is not None:
if args.username is not None:
res, err = asyncio.run(
socsec.socks5_login(args.username, args.password))
else:
res, err = asyncio.run(socsec.socks5_noauth())
if err is not None:
print(
'[CONNTEST][E] Error while performing connection test! Reason: %s'
% err)
elif res is True:
print('[CONNTEST][+] Server sucsessfully connected to %s:%s' %
(args.verify_host, args.verify_port))
elif res is False:
print('[CONNTEST][-] Server failed to connect to %s:%s' %
(args.verify_host, args.verify_port))
if args.silent is False:
print('Done!')
async def run(args):
try:
if args.silent is True:
print(__banner__)
if args.verbose == 0:
logging.basicConfig(level=logging.INFO)
jdlogger.setLevel(logging.INFO)
msldaplogger.setLevel(logging.CRITICAL)
asysockslogger.setLevel(logging.CRITICAL)
smblogger.setLevel(100)
elif args.verbose == 1:
logging.basicConfig(level=logging.DEBUG)
jdlogger.setLevel(logging.DEBUG)
msldaplogger.setLevel(logging.WARNING)
smblogger.setLevel(logging.CRITICAL)
asysockslogger.setLevel(logging.CRITICAL)
elif args.verbose > 1:
logging.basicConfig(level=1)
msldaplogger.setLevel(logging.DEBUG)
jdlogger.setLevel(1)
smblogger.setLevel(1)
asysockslogger.setLevel(1)
if not args.sql and args.command != 'auto':
print(
'SQL connection identification is missing! You need to provide the --sql parameter'
)
sys.exit()
work_dir = args.work_dir
ldap_url = None
smb_url = None
if hasattr(args, 'ldap_url'):
ldap_url = args.ldap_url
if hasattr(args, 'smb_url'):
smb_url = args.smb_url
db_conn = args.sql
db_session = None
if db_conn is not None:
db_session = get_session(db_conn)
os.environ['JACKDAW_SQLITE'] = '0'
if args.sql.lower().startswith('sqlite'):
os.environ['JACKDAW_SQLITE'] = '1'
else:
os.environ['JACKDAW_SQLITE'] = '1'
if args.command == 'enum':
with multiprocessing.Pool() as mp_pool:
gatherer = Gatherer(db_session,
work_dir,
ldap_url,
smb_url,
kerb_url=args.kerberoast,
ldap_worker_cnt=args.ldap_workers,
smb_worker_cnt=args.smb_workers,
mp_pool=mp_pool,
smb_gather_types=['all'],
progress_queue=None,
show_progress=args.silent,
calc_edges=True,
ad_id=None,
dns=args.dns,
no_work_dir=args.no_work_dir,
proxy=args.proxy)
res, err = await gatherer.run()
if err is not None:
raise err
elif args.command == 'auto':
_, err = await run_auto(ldap_worker_cnt=args.ldap_workers,
smb_worker_cnt=args.smb_workers,
dns=args.dns,
work_dir=work_dir,
show_progress=args.silent,
no_work_dir=args.no_work_dir)
if err is not None:
print(err)
elif args.command == 'dbinit':
create_db(db_conn)
elif args.command == 'adinfo':
from jackdaw.dbmodel.adinfo import ADInfo
from jackdaw.utils.table import print_table
rows = [['Ad ID', 'domain name', 'scantime']]
for did, distinguishedName, creation in db_session.query(
ADInfo).with_entities(ADInfo.id, ADInfo.distinguishedName,
ADInfo.fetched_at).all():
name = distinguishedName.replace('DC=', '')
name = name.replace(',', '.')
rows.append([str(did), name, creation.isoformat()])
print_table(rows)
elif args.command == 'ldap':
with multiprocessing.Pool() as mp_pool:
gatherer = Gatherer(db_session,
work_dir,
ldap_url,
smb_url,
ldap_worker_cnt=args.ldap_workers,
smb_worker_cnt=None,
mp_pool=mp_pool,
smb_gather_types=['all'],
progress_queue=None,
show_progress=args.silent,
calc_edges=args.calculate_edges,
ad_id=args.ad_id,
no_work_dir=args.no_work_dir,
proxy=args.proxy)
_, err = await gatherer.run()
if err is not None:
raise err
elif args.command == 'kerberoast':
gatherer = Gatherer(db_session,
work_dir,
None,
None,
kerb_url=args.kerberos_url,
ldap_worker_cnt=None,
smb_worker_cnt=None,
mp_pool=None,
smb_gather_types=[],
progress_queue=None,
show_progress=False,
calc_edges=False,
ad_id=args.ad_id,
proxy=args.proxy)
_, err = await gatherer.run()
if err is not None:
raise err
print('Kerberoast Finished!')
elif args.command in ['shares', 'sessions', 'localgroups', 'smball']:
if args.command == 'smball':
args.command = 'all'
gatherer = Gatherer(db_session,
work_dir,
ldap_url,
smb_url,
ad_id=args.ad_id,
ldap_worker_cnt=None,
smb_worker_cnt=args.smb_workers,
mp_pool=None,
smb_gather_types=args.command,
progress_queue=None,
show_progress=args.silent,
calc_edges=False,
proxy=args.proxy)
_, err = await gatherer.run()
if err is not None:
raise err
elif args.command == 'dns':
gatherer = Gatherer(db_session,
work_dir,
None,
None,
ad_id=args.ad_id,
ldap_worker_cnt=None,
smb_worker_cnt=None,
mp_pool=None,
smb_gather_types=None,
progress_queue=None,
show_progress=args.silent,
calc_edges=False,
dns=args.dns,
proxy=args.proxy)
_, err = await gatherer.run()
if err is not None:
raise err
elif args.command == 'version':
print('Jackdaw version: %s' % jdversion)
print('MSLDAP version : %s' % ldapversion)
print('AIOSMB version : %s' % smbversion)
elif args.command == 'smbfiles':
gatherer = SMBFileGatherer(
db_session,
args.ad_id,
args.smb_url,
worker_cnt=args.smb_workers,
progress_queue=None,
show_progress=True,
stream_data=False,
depth=args.depth,
to_file=args.out_file,
)
_, err = await gatherer.run()
if err is not None:
raise err
elif args.command == 'creds':
creds = JackDawCredentials(db_conn, args.domain_id)
creds.add_credentials_impacket(args.impacket_file)
elif args.command == 'passwords':
creds = JackDawCredentials(db_conn)
creds.add_cracked_passwords(args.potfile, args.disable_usercheck,
args.disable_passwordcheck)
elif args.command == 'uncracked':
creds = JackDawCredentials(db_conn, args.domain_id)
creds.get_uncracked_hashes(args.hash_type, args.history)
elif args.command == 'cracked':
creds = JackDawCredentials(db_conn, args.domain_id)
creds.get_cracked_info()
elif args.command == 'recalc':
with multiprocessing.Pool() as mp_pool:
gatherer = Gatherer(db_session,
work_dir,
None,
None,
mp_pool=mp_pool,
progress_queue=None,
show_progress=args.silent,
calc_edges=True,
store_to_db=True,
ad_id=None,
graph_id=args.graphid)
_, err = await gatherer.run()
if err is not None:
raise err
elif args.command == 'nest':
from jackdaw.nest.wrapper import NestServer
debug = bool(args.verbose)
server = NestServer(
args.sql,
bind_ip=args.ip,
bind_port=args.port,
debug=debug,
work_dir=args.work_dir,
graph_backend=args.backend,
)
server.run()
elif args.command == 'ws':
from jackdaw.nest.ws.server import NestWebSocketServer
server = NestWebSocketServer(args.listen_ip,
args.listen_port,
args.sql,
args.work_dir,
args.backend,
ssl_ctx=None,
wsnet_router=args.wsrouter)
await server.run()
elif args.command == 'bhimport':
from jackdaw.utils.bhimport import BHImport
print(
'DISCLAIMER! This feature is still beta! Bloodhound acquires way less data than Jackdaw therefore not all functionality will work after import. Any errors during import will be silently ignored, use "-vvv" verbosity level to see all errors.'
)
bh = BHImport.from_zipfile(args.bhfile)
bh.db_conn = db_conn
if args.verbose > 1:
bh.set_debug(True)
bh.run()
print('Import complete!')
elif args.command == 'createcache':
print(args)
from jackdaw.nest.functions.graph import create as creategraphcache
if args.backend.upper() == 'networkx'.upper():
from jackdaw.nest.graph.backends.networkx.domaingraph import JackDawDomainGraphNetworkx
graph_type = JackDawDomainGraphNetworkx
elif args.backend.upper() == 'igraph'.upper():
from jackdaw.nest.graph.backends.igraph.domaingraph import JackDawDomainGraphIGraph
graph_type = JackDawDomainGraphIGraph
elif args.backend.upper() == 'graphtools'.upper():
from jackdaw.nest.graph.backends.graphtools.domaingraph import JackDawDomainGraphGrapthTools
graph_type = JackDawDomainGraphGrapthTools
session = get_session(db_conn)
creategraphcache(args.graph_id, session, args.work_dir, graph_type,
db_conn)
except Exception as e:
jdlogger.exception('main')