Ejemplo n.º 1
0
def setup_hashcat(session_id):
    provider = Provider()
    sessions = provider.sessions()
    hashcat = provider.hashcat()
    system = provider.system()

    if not sessions.can_access(current_user, session_id):
        flash('Access Denied', 'error')
        return redirect(url_for('home.index'))

    user_id = 0 if current_user.admin else current_user.id
    session = sessions.get(user_id=user_id, session_id=session_id)[0]

    supported_hashes = hashcat.get_supported_hashes()

    # We need to process the array in a way to make it easy for JSON usage.
    supported_hashes = hashcat.compact_hashes(supported_hashes)
    if len(supported_hashes) == 0:
        home_directory = system.get_system_user_home_directory()
        flash('Could not get the supported hashes from hashcat', 'error')
        flash(
            'If you have compiled hashcat from source, make sure %s/.hashcat directory exists and is writable'
            % home_directory, 'error')

    return render_template('sessions/setup/hashcat.html',
                           session=session,
                           hashes_json=json.dumps(supported_hashes,
                                                  indent=4,
                                                  sort_keys=True,
                                                  default=str))
Ejemplo n.º 2
0
def login_process():
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    ldap = provider.ldap()
    users = provider.users()
    settings = provider.settings()

    username = request.form['username']
    password = request.form['password']
    next = urllib.parse.unquote_plus(request.form['next'].strip())

    allow_logins = int(settings.get('allow_logins', 0))

    # First check if user is local. Local users take priority.
    user = UserModel.query.filter(
        and_(
            func.lower(UserModel.username) == func.lower(username),
            UserModel.ldap == 0)).first()
    if user:
        if not users.validate_password(user.password, password):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next))
    elif ldap.is_enabled() and allow_logins == 1:
        if not ldap.authenticate(username, password, True):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next))
        user = UserModel.query.filter(
            and_(
                func.lower(UserModel.username) == func.lower(username),
                UserModel.ldap == 1)).first()

        if not user:
            flash(
                'Could not create your local account. Please contact the administrator.',
                'error')
            return redirect(url_for('auth.login', next=next))
    else:
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next))

    # If we reach this point it means that our user exists. Check if the user is active.
    if user.active is False:
        flash('Your account has been disabled by the Administrator.', 'error')
        return redirect(url_for('auth.login', next=next))

    user = users.login_session(user)
    login_user(user)
    users.record_login(user.id)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    if next and url_parse(next).netloc == '':
        return redirect(next)

    return redirect(url_for('home.index'))
Ejemplo n.º 3
0
def settings_hashcat_save():
    if not current_user.admin:
        flash('Access Denied', 'error')
        return redirect(url_for('home.index'))

    provider = Provider()
    settings = provider.settings()

    hashcat_binary = request.form['hashcat_binary'].strip()
    hashcat_rules_path = request.form['hashcat_rules_path'].strip()
    hashcat_status_interval = request.form['hashcat_status_interval'].strip()
    hashcat_force = int(request.form.get('hashcat_force', 0))

    has_errors = False
    if len(hashcat_binary) == 0 or not os.path.isfile(hashcat_binary):
        has_errors = True
        flash('Hashcat executable does not exist', 'error')
    elif not os.access(hashcat_binary, os.X_OK):
        has_errors = True
        flash('Hashcat file is not executable', 'error')

    if len(hashcat_rules_path) == 0 or not os.path.isdir(hashcat_rules_path):
        has_errors = True
        flash('Hashcat rules directory does not exist', 'error')
    elif not os.access(hashcat_rules_path, os.R_OK):
        has_errors = True
        flash('Hashcat rules directory is not readable', 'error')

    if len(hashcat_status_interval) == 0:
        has_errors = True
        flash('Hashcat Status Interval must be set', 'error')

    hashcat_status_interval = int(hashcat_status_interval)
    if hashcat_status_interval <= 0:
        hashcat_status_interval = 10

    if has_errors:
        return redirect(url_for('admin.settings_hashcat'))

    settings.save('hashcat_binary', hashcat_binary)
    settings.save('hashcat_rules_path', hashcat_rules_path)
    settings.save('hashcat_status_interval', hashcat_status_interval)
    settings.save('hashcat_force', hashcat_force)

    # When settings are saved, run system updates.
    system = provider.system()
    system.run_updates()

    flash('Settings saved', 'success')
    return redirect(url_for('admin.settings_hashcat'))
Ejemplo n.º 4
0
def system():
    provider = Provider()
    system = provider.system()
    daemon = provider.daemon()

    system.run_updates()

    return render_template(
        'config/system/system.html',
        is_venv=system.is_virtual_environment(),
        flask=system.can_run_flask(),
        version=system.check_version(system.get_python_version(), '3.6'),
        daemon_running=daemon.is_running(),
        daemon_configured=daemon.is_configured()
    )
Ejemplo n.º 5
0
def login_2fa_process():
    next = urllib.parse.unquote_plus(request.args.get('next', '').strip())
    otp = request.form['otp'].strip()

    provider = Provider()
    users = provider.users()

    id = int(session['otp_userid']) if 'otp_userid' in session else 0
    otp_time = int(session['otp_time']) if 'otp_time' in session else 0

    can_continue = True
    if id <= 0:
        can_continue = False
    elif int(time.time()) > (otp_time + 120):
        # This page is valid for 2 minutes.
        can_continue = False

    if not can_continue:
        session.pop('otp_userid', None)
        session.pop('otp_time', None)

        return redirect(url_for('auth.login', next=next))

    user = users.get_user(id)
    if not user:
        return redirect(url_for('auth.login', next=next))

    if not users.otp_verify_user(user, otp):
        flash('Invalid Code', 'error')
        return redirect(url_for('auth.login_2fa', next=next))

    session.pop('otp_userid', None)
    session.pop('otp_time', None)

    # If we reach this point it means that our user exists. Check if the user is active.
    user = users.login_session(user)
    login_user(user)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    if next and url_parse(next).netloc == '':
        return redirect(next)

    return redirect(url_for('home.index'))
Ejemplo n.º 6
0
def settings_auth_save_general():
    if not current_user.admin:
        flash('Access Denied', 'error')
        return redirect(url_for('home.index'))

    provider = Provider()
    settings = provider.settings()

    allow_logins = request.form.get('allow_logins', 0)
    settings.save('allow_logins', allow_logins)

    # When settings are saved, run system updates.
    system = provider.system()
    system.run_updates()

    flash('Settings saved', 'success')
    return redirect(url_for('admin.settings_auth'))
Ejemplo n.º 7
0
def ldap_save():
    provider = Provider()
    settings = provider.settings()

    ldap_enabled = int(request.form.get('ldap_enabled', 0))
    ldap_ssl = int(request.form.get('ldap_ssl', 0))
    ldap_bind_pass = request.form['ldap_bind_pass'].strip()

    # Put the rest of the ldap options in a dict to make it easier to validate and save.
    ldap_settings = {
        'ldap_auth_type': {
            'value': request.form['ldap_auth_type'].strip(),
            'error': 'Please select authentication type'
        },
        'ldap_host': {
            'value': request.form['ldap_host'].strip(),
            'error': 'LDAP Host cannot be empty'
        },
        'ldap_base_dn': {
            'value': request.form['ldap_base_dn'].strip(),
            'error': 'LDAP Base cannot be empty'
        },
        'ldap_domain': {
            'value': request.form['ldap_domain'].strip(),
            'error': 'LDAP Domain cannot be empty'
        },
        'ldap_bind_user': {
            'value': request.form['ldap_bind_user'].strip(),
            'error': 'LDAP Bind User cannot be empty'
        },
        'ldap_mapping_username': {
            'value': request.form['ldap_mapping_username'].strip(),
            'error': 'LDAP Mapping Username cannot be empty'
        },
        'ldap_mapping_fullname': {
            'value': request.form['ldap_mapping_fullname'].strip(),
            'error': 'LDAP Mapping Full Name cannot be empty'
        }
    }

    has_errors = False
    if ldap_enabled == 1:
        # If it's disabled it doesn't make sense to validate any settings.
        for key, data in ldap_settings.items():
            if len(data['value']) == 0:
                has_errors = True
                flash(data['error'], 'error')

    if has_errors:
        return redirect(url_for('config.ldap'))

    settings.save('ldap_mapping_email',
                  request.form['ldap_mapping_email'].strip())
    settings.save('ldap_enabled', ldap_enabled)
    settings.save('ldap_ssl', ldap_ssl)
    for key, data in ldap_settings.items():
        settings.save(key, data['value'])

    # If the password is not '********' then save it. This is because we show that value instead of the actual password.
    if len(ldap_bind_pass) > 0 and ldap_bind_pass != '********':
        settings.save('ldap_bind_pass', ldap_bind_pass)

    # When settings are saved, run system updates.
    system = provider.system()
    system.run_updates()

    flash('Settings saved', 'success')
    return redirect(url_for('config.ldap'))
Ejemplo n.º 8
0
def login_process():
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    provider = Provider()
    ldap = provider.ldap()
    users = provider.users()
    settings = provider.settings()

    username = request.form['username']
    password = request.form['password']
    next = urllib.parse.unquote_plus(request.form['next'].strip())

    # First check if user is local. Local users take priority.
    user = UserModel.query.filter(and_(func.lower(UserModel.username) == func.lower(username), UserModel.ldap == 0)).first()
    if user:
        if not users.validate_password(user.password, password):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next))
    elif ldap.is_enabled():
        ldap_result = ldap.authenticate(username, password)
        if ldap_result is False:
            if len(ldap.error_message) > 0:
                flash(ldap.error_message, 'error')
            else:
                flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next))
        elif ldap_result['result'] == ldap.AUTH_SUCCESS:
            ldap_user = ldap_result['user']
        elif ldap_result['result'] == ldap.AUTH_CHANGE_PASSWORD:
            session['ldap_username'] = username
            session['ldap_time'] = int(time.time())
            flash('Your LDAP password has expired or needs changing', 'error')
            return redirect(url_for('auth.ldap_changepwd', next=next))
        elif ldap_result['result'] == ldap.AUTH_LOCKED:
            flash('Your AD account is disabled', 'error')
            return redirect(url_for('auth.login', next=next))
        else:
            if len(ldap.error_message) > 0:
                flash(ldap.error_message, 'error')
            else:
                flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next))

        user = users.get_ldap_user(ldap_user['username'])
        if not user:
            # Create
            user = users.create_ldap_user(ldap_user['username'], ldap_user['fullname'], ldap_user['email'])
            if not user:
                flash('Could not create LDAP user', 'error')
                return redirect(url_for('auth.login', next=next))
    else:
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next))

    # If we reach this point it means that our user exists. Check if the user is active.
    if user.active is False:
        flash('Your account has been disabled by the Administrator.', 'error')
        return redirect(url_for('auth.login', next=next))

    user = users.login_session(user)
    login_user(user)
    users.record_login(user.id)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    if next and url_parse(next).netloc == '':
        return redirect(next)

    return redirect(url_for('home.index'))
Ejemplo n.º 9
0
def login_process():
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    username = request.form['username'].strip()
    password = request.form['password'].strip()

    next = urllib.parse.unquote_plus(request.form['next'].strip())
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    zones = provider.dns_zones()

    # First lookup local users.
    user = users.find_user_login(username, False)
    if user:
        if not users.validate_password(user.password, password):
            flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next))
    elif ldap.enabled:
        ldap_result = ldap.authenticate(username, password)
        if ldap_result is False:
            if len(ldap.error_message) > 0:
                flash(ldap.error_message, 'error')
            else:
                flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next))
        elif ldap_result['result'] == ldap.AUTH_SUCCESS:
            ldap_user = ldap_result['user']
        elif ldap_result['result'] == ldap.AUTH_CHANGE_PASSWORD:
            session['ldap_username'] = username
            session['ldap_time'] = int(time.time())
            flash('Your LDAP password has expired or needs changing', 'error')
            return redirect(url_for('auth.ldap_changepwd', next=next))
        elif ldap_result['result'] == ldap.AUTH_LOCKED:
            flash('Your AD account is disabled', 'error')
            return redirect(url_for('auth.login', next=next))
        else:
            if len(ldap.error_message) > 0:
                flash(ldap.error_message, 'error')
            else:
                flash('Invalid credentials', 'error')
            return redirect(url_for('auth.login', next=next))

        # Now see if the user exists.
        user = users.find_user_login(username, True)
        if not user:
            # Doesn't exist yet, we'll have to create them now.
            user = users.save(0, ldap_user['username'].lower(), password,
                              ldap_user['fullname'], ldap_user['email'], False,
                              True, True)
            if not user:
                flash(
                    'Could not create LDAP user: {0}'.format(users.last_error),
                    'error')
                return redirect(url_for('auth.login', next=next))

            # Now we need to create a zone for that user.
            if not zones.create_user_base_zone(user):
                flash(
                    'User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.',
                    'error')
                return redirect(url_for('auth.login', next=next))
    else:
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next))

    if not user.active:
        # This check has to be after the password validation.
        flash('Your account is disabled.', 'error')
        return redirect(url_for('auth.login', next=next))

    # Forward to 2FA validation if it's enabled.
    if user.has_2fa():
        session['otp_userid'] = user.id
        session['otp_time'] = int(time.time())
        return redirect(url_for('auth.login_2fa', next=next))

    user = users.login_session(user)
    login_user(user)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    if next and url_parse(next).netloc == '':
        return redirect(next)

    return redirect(url_for('home.index'))
Ejemplo n.º 10
0
def login_process():
    if current_user.is_authenticated:
        return redirect(url_for('home.index'))

    username = request.form['username'].strip()
    password = request.form['password'].strip()

    next = urllib.parse.unquote_plus(request.form['next'].strip())
    provider = Provider()
    users = provider.users()
    ldap = provider.ldap()
    radius = provider.radius()
    zones = provider.dns_zones()

    # If more than one external methods are defined, the user has to specify which one they want to authenticate
    # against, as we won't be trying each and every one until we get a hit. If only one method is enabled (ie LDAP) then
    # LOCAL auth will be tried first and then it will try LDAP.
    multiauth = ldap.enabled and radius.enabled
    auth = request.form['auth'].strip().lower(
    ) if 'auth' in request.form else ''

    login_result = False
    fullname = ''
    email = ''

    if (multiauth is False) or (multiauth is True and auth == 'local'):
        auth = 'local'  # For when multiauth = False.
        login_result = __auth_local(username, password)

    if (login_result is False) and ldap.enabled:
        if (multiauth is False) or (multiauth is True and auth == 'ldap'):
            auth = 'ldap'
            ldap_result, error_message = __auth_ldap(username, password)
            if ldap_result is False:
                error_message = error_message if len(
                    error_message) > 0 else 'Invalid credentials'
                flash(error_message, 'error')
                return redirect(url_for('auth.login', next=next))
            elif ldap_result['result'] == ldap.AUTH_SUCCESS:
                login_result = True
                fullname = ldap_result['user']['fullname'].lower()
                email = ldap_result['user']['email'].lower()
            elif ldap_result['result'] == ldap.AUTH_CHANGE_PASSWORD:
                if ldap.pwchange:
                    session['ldap_username'] = username
                    session['ldap_time'] = int(time.time())
                    flash('Your LDAP password has expired or needs changing',
                          'error')
                    return redirect(url_for('auth.ldap_changepwd', next=next))
                else:
                    flash('Your LDAP password has expired or needs changing',
                          'error')
                    return redirect(url_for('auth.login', next=next))
            elif ldap_result['result'] == ldap.AUTH_LOCKED:
                flash('Your AD account is disabled', 'error')
                return redirect(url_for('auth.login', next=next))
            else:
                flash('Invalid credentials', 'error')
                return redirect(url_for('auth.login', next=next))

    if (login_result is False) and radius.enabled:
        if (multiauth is False) or (multiauth is True and auth == 'radius'):
            auth = 'radius'
            radius_result, error_message = __auth_radius(username, password)
            if radius_result is False:
                error_message = error_message if len(
                    error_message) > 0 else 'Invalid credentials'
                flash(error_message, 'error')
                return redirect(url_for('auth.login', next=next))
            login_result = radius_result
            fullname = username.lower()
            email = ''

    if login_result is False:
        flash('Invalid credentials', 'error')
        return redirect(url_for('auth.login', next=next))

    # Check to see if the user exists. This will return false only if it's the first login of an external user.
    user = users.find_user_login(username)
    if not user:
        user = users.save(0, username.lower(), password, fullname.lower(),
                          email.lower(), False, auth, True)
        if not user:
            flash(
                'Could not create external user: {0}'.format(users.last_error),
                'error')
            return redirect(url_for('auth.login', next=next))

        # Now create the default zone for that user.
        if not zones.create_user_base_zone(user):
            flash(
                'User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.',
                'error')
            return redirect(url_for('auth.login', next=next))

    if not user.active:
        # This check has to be after the password validation.
        flash('Your account is disabled.', 'error')
        return redirect(url_for('auth.login', next=next))

    # Forward to 2FA validation if it's enabled.
    if user.has_2fa():
        session['otp_userid'] = user.id
        session['otp_time'] = int(time.time())
        return redirect(url_for('auth.login_2fa', next=next))

    user = users.login_session(user)
    login_user(user)

    # On every login we get the hashcat version and the git hash version.
    system = provider.system()
    system.run_updates()

    if next and url_parse(next).netloc == '':
        return redirect(next)

    return redirect(url_for('home.index'))