def execute_scan(self, verbose):
    """Run the newest Darkpulsar 'touch' binary against self.target and record the outcome.

    Sequence (all visible below): open a tunnel to self.target:self.port, run the
    touch via 'cmd /C' against the local tunnel endpoint with ImplantAction=PingPong,
    close the tunnel, then read the command's screen log and set:

      self.success   True on a 'Process terminated with status 0' line,
                     False on a '... status 6' line; untouched otherwise
      self.error     status text of a non-zero status line, if one is seen
      self.timestamp dsz.Timestamp() taken at the end of the run

    Artifacts this method leaves on the host it runs on (relevant when auditing such
    a host): a per-run result XML under <ops.LOGDIR>/Logs and the screen log under
    ops.PROJECTLOGDIR.

    verbose -- when false the DSZ command is run with dszquiet=True.
    Returns None; results are stored on the instance.
    """
    redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
    # 'implants' touch type: the Darkpulsar binaries are looked up separately from the
    # other touches in this file.
    PATH_TO_DAPUTOUCH = scan.find_newest_touch(self, 'Darkpulsar', 'exe', touch_type='implants')
    PATH_TO_DAPUXML = scan.find_newest_touch(self, 'Darkpulsar', 'xml', touch_type='implants')
    dapucmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
    dapu_cmd_list = []
    dapu_cmd_list.append(('--InConfig %s' % PATH_TO_DAPUXML))
    # The touch talks to the local tunnel endpoint, never to self.target directly.
    dapu_cmd_list.append(('--TargetIp %s' % '127.0.0.1'))
    dapu_cmd_list.append(('--TargetPort %s' % redir_cmd.lplisten))
    dapu_cmd_list.append(('--NetworkTimeout %s' % self.timeout))
    dapu_cmd_list.append(('--Protocol %s' % 'SMB'))
    # Meaning of 'PingPong' is defined by the touch, not in this file.
    dapu_cmd_list.append(('--ImplantAction %s' % 'PingPong'))
    # Result file: <touch exe basename>_<target>_<timestamp>.xml under LOGDIR/Logs.
    outconfig = os.path.join(ops.LOGDIR, 'Logs', ('%s_%s_%s.xml' % (os.path.basename(PATH_TO_DAPUTOUCH), self.target, dsz.Timestamp())))
    dapu_cmd_list.append(('--OutConfig %s' % outconfig))
    dapu_cmd_string = ((PATH_TO_DAPUTOUCH + ' ') + ' '.join(dapu_cmd_list))
    # NOTE(review): paths and self.target are interpolated into a shell command
    # line without any quoting; values containing spaces or shell metacharacters
    # are not handled here.
    dapucmd.command = ('cmd /C %s' % dapu_cmd_string)
    dapucmd.arglist.append('-redirect')
    dapucmd.arglist.append( ('-directory %s' % os.path.join(ops.DSZDISKSDIR, 'lib', 'x86-Windows')))
    dapucmd.prefixes.append('local')
    dapucmd.prefixes.append('log')
    dapuobject = dapucmd.execute()
    # No try/finally: if execute() raises, the tunnel is left open.
    ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
    screenlog = os.path.join(ops.PROJECTLOGDIR, dapuobject.commandmetadata.screenlog)
    # Handle is not closed on an exception in readlines() (no with-statement).
    f = open(screenlog, 'r')
    screenlog_lines = f.readlines()
    f.close()
    for line in screenlog_lines:
        # Substring tests: 'status 0' also matches any status that merely starts
        # with '0' (e.g. '01'); the first match decides and stops the scan.
        if ('Process terminated with status 0' in line):
            self.success = True
            break
        elif ('Process terminated with status 6' in line):
            # Status 6 is singled out as an explicit failure; its meaning is not
            # defined in this file.
            self.success = False
            # NOTE(review): str.strip() takes a *set* of characters, not a prefix.
            # This strips any of those letters/spaces from both ends of the line,
            # which happens to leave the digits but would also remove trailing
            # text made up of those letters.
            self.error = line.strip( 'Process terminated with status ').strip()
            break
        elif ('Process terminated with status' in line):
            # Any other status: record it and keep scanning; self.success is not
            # changed on this path.
            self.error = line.strip( 'Process terminated with status ').strip()
    self.timestamp = dsz.Timestamp()
def execute_scan(self, verbose):
    """Run the newest Rpctouch binary against self.target and record the reported OS string.

    Sequence (all visible below): open a tunnel to self.target:self.port, run the
    touch via 'cmd /C' against the local tunnel endpoint, close the tunnel, then
    read the command's screen log and set:

      self.os        text after the last ':' of the last '] SMB String:' line
      self.success   True unless self.os ends up None or '(none)'
      self.timestamp dsz.Timestamp() taken at the end of the run

    Artifacts this method leaves on the host it runs on: a per-run result XML under
    <ops.LOGDIR>/Logs and the screen log under ops.PROJECTLOGDIR.

    verbose -- when false the DSZ command is run with dszquiet=True.
    Returns None; results are stored on the instance.
    """
    redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
    PATH_TO_RPCTOUCH = scan.find_newest_touch(self, 'Rpctouch', 'exe')
    PATH_TO_RPCXML = scan.find_newest_touch(self, 'Rpctouch', 'xml')
    rpccmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
    rpc_cmd_list = []
    rpc_cmd_list.append(('--InConfig %s' % PATH_TO_RPCXML))
    # The touch talks to the local tunnel endpoint, never to self.target directly.
    rpc_cmd_list.append(('--TargetIp %s' % '127.0.0.1'))
    rpc_cmd_list.append(('--TargetPort %s' % redir_cmd.lplisten))
    rpc_cmd_list.append(('--NetworkTimeout %s' % self.timeout))
    # Protocol is derived from the port. int(self.port) raises ValueError on a
    # non-numeric port; any port other than 445/139 gets no --Protocol argument
    # (the touch's own default then applies, which is not visible here).
    if (int(self.port) == 445):
        rpc_cmd_list.append(('--Protocol %s' % 'SMB'))
    elif (int(self.port) == 139):
        rpc_cmd_list.append(('--Protocol %s' % 'NBT'))
        rpc_cmd_list.append(('--NetBIOSName %s' % '*SMBSERVER'))
    rpc_cmd_list.append(('--TouchLanguage %s' % 'False'))
    rpc_cmd_list.append(('--TouchArchitecture %s' % 'False'))
    # Result file: <touch exe basename>_<target>_<timestamp>.xml under LOGDIR/Logs.
    outconfig = os.path.join( ops.LOGDIR, 'Logs', ('%s_%s_%s.xml' % (os.path.basename(PATH_TO_RPCTOUCH), self.target, dsz.Timestamp())))
    rpc_cmd_list.append(('--OutConfig %s' % outconfig))
    rpc_cmd_string = ((PATH_TO_RPCTOUCH + ' ') + ' '.join(rpc_cmd_list))
    # NOTE(review): paths and self.target are interpolated into a shell command
    # line without any quoting; values containing spaces or shell metacharacters
    # are not handled here.
    rpccmd.command = ('cmd /C %s' % rpc_cmd_string)
    rpccmd.arglist.append('-redirect')
    rpccmd.arglist.append( ('-directory %s' % os.path.join(ops.DSZDISKSDIR, 'lib', 'x86-Windows')))
    rpccmd.prefixes.append('local')
    rpccmd.prefixes.append('log')
    rpcobject = rpccmd.execute()
    # No try/finally: if execute() raises, the tunnel is left open.
    ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
    # cmd_output is initialised but never read in this method.
    cmd_output = {}
    cmd_output['error'] = None
    screenlog = os.path.join(ops.PROJECTLOGDIR, rpcobject.commandmetadata.screenlog)
    # Handle is not closed on an exception in readlines() (no with-statement).
    f = open(screenlog, 'r')
    screenlog_lines = f.readlines()
    f.close()
    error = False
    for line in screenlog_lines:
        # A literal substring test written as a regex. If several lines match,
        # the last one wins.
        re_out = re.search('] SMB String:', line.strip())
        if (re_out is not None):
            self.os = line.split(':')[(-1)].strip()
    # self.os can only be None here if it was None before this call and no line
    # matched (its initial value is set elsewhere — presumably None).
    if ((self.os is None) or (self.os == '(none)')):
        error = True
    self.timestamp = dsz.Timestamp()
    # On error, self.success is left at whatever it was before the call.
    if (error == False):
        self.success = True
def execute_scan(self, verbose):
    """Run the newest Rpctouch binary against self.target and record the reported OS string.

    Sequence (all visible below): open a tunnel to self.target:self.port, run the
    touch via 'cmd /C' against the local tunnel endpoint, close the tunnel, then
    read the command's screen log and set:

      self.os        text after the last ':' of the last '] SMB String:' line
      self.success   True unless self.os ends up None or '(none)'
      self.timestamp dsz.Timestamp() taken at the end of the run

    Artifacts this method leaves on the host it runs on: a per-run result XML under
    <ops.LOGDIR>/Logs and the screen log under ops.PROJECTLOGDIR.

    verbose -- when false the DSZ command is run with dszquiet=True.
    Returns None; results are stored on the instance.
    """
    redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
    PATH_TO_RPCTOUCH = scan.find_newest_touch(self, 'Rpctouch', 'exe')
    PATH_TO_RPCXML = scan.find_newest_touch(self, 'Rpctouch', 'xml')
    rpccmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
    rpc_cmd_list = []
    rpc_cmd_list.append(('--InConfig %s' % PATH_TO_RPCXML))
    # The touch talks to the local tunnel endpoint, never to self.target directly.
    rpc_cmd_list.append(('--TargetIp %s' % '127.0.0.1'))
    rpc_cmd_list.append(('--TargetPort %s' % redir_cmd.lplisten))
    rpc_cmd_list.append(('--NetworkTimeout %s' % self.timeout))
    # Protocol is derived from the port. int(self.port) raises ValueError on a
    # non-numeric port; any port other than 445/139 gets no --Protocol argument
    # (the touch's own default then applies, which is not visible here).
    if (int(self.port) == 445):
        rpc_cmd_list.append(('--Protocol %s' % 'SMB'))
    elif (int(self.port) == 139):
        rpc_cmd_list.append(('--Protocol %s' % 'NBT'))
        rpc_cmd_list.append(('--NetBIOSName %s' % '*SMBSERVER'))
    rpc_cmd_list.append(('--TouchLanguage %s' % 'False'))
    rpc_cmd_list.append(('--TouchArchitecture %s' % 'False'))
    # Result file: <touch exe basename>_<target>_<timestamp>.xml under LOGDIR/Logs.
    outconfig = os.path.join(ops.LOGDIR, 'Logs', ('%s_%s_%s.xml' % (os.path.basename(PATH_TO_RPCTOUCH), self.target, dsz.Timestamp())))
    rpc_cmd_list.append(('--OutConfig %s' % outconfig))
    rpc_cmd_string = ((PATH_TO_RPCTOUCH + ' ') + ' '.join(rpc_cmd_list))
    # NOTE(review): paths and self.target are interpolated into a shell command
    # line without any quoting; values containing spaces or shell metacharacters
    # are not handled here.
    rpccmd.command = ('cmd /C %s' % rpc_cmd_string)
    rpccmd.arglist.append('-redirect')
    rpccmd.arglist.append(('-directory %s' % os.path.join(ops.DSZDISKSDIR, 'lib', 'x86-Windows')))
    rpccmd.prefixes.append('local')
    rpccmd.prefixes.append('log')
    rpcobject = rpccmd.execute()
    # No try/finally: if execute() raises, the tunnel is left open.
    ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
    # cmd_output is initialised but never read in this method.
    cmd_output = {}
    cmd_output['error'] = None
    screenlog = os.path.join(ops.PROJECTLOGDIR, rpcobject.commandmetadata.screenlog)
    # Handle is not closed on an exception in readlines() (no with-statement).
    f = open(screenlog, 'r')
    screenlog_lines = f.readlines()
    f.close()
    error = False
    for line in screenlog_lines:
        # A literal substring test written as a regex. If several lines match,
        # the last one wins.
        re_out = re.search('] SMB String:', line.strip())
        if (re_out is not None):
            self.os = line.split(':')[(-1)].strip()
    # self.os can only be None here if it was None before this call and no line
    # matched (its initial value is set elsewhere — presumably None).
    if ((self.os is None) or (self.os == '(none)')):
        error = True
    self.timestamp = dsz.Timestamp()
    # On error, self.success is left at whatever it was before the call.
    if (error == False):
        self.success = True
def execute_scan(self, verbose):
    """Run the newest Darkpulsar 'touch' binary against self.target and record the outcome.

    Sequence (all visible below): open a tunnel to self.target:self.port, run the
    touch via 'cmd /C' against the local tunnel endpoint with ImplantAction=PingPong,
    close the tunnel, then read the command's screen log and set:

      self.success   True on a 'Process terminated with status 0' line,
                     False on a '... status 6' line; untouched otherwise
      self.error     status text of a non-zero status line, if one is seen
      self.timestamp dsz.Timestamp() taken at the end of the run

    Artifacts this method leaves on the host it runs on (relevant when auditing such
    a host): a per-run result XML under <ops.LOGDIR>/Logs and the screen log under
    ops.PROJECTLOGDIR.

    verbose -- when false the DSZ command is run with dszquiet=True.
    Returns None; results are stored on the instance.
    """
    redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
    # 'implants' touch type: the Darkpulsar binaries are looked up separately from the
    # other touches in this file.
    PATH_TO_DAPUTOUCH = scan.find_newest_touch(self, 'Darkpulsar', 'exe', touch_type='implants')
    PATH_TO_DAPUXML = scan.find_newest_touch(self, 'Darkpulsar', 'xml', touch_type='implants')
    dapucmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
    dapu_cmd_list = []
    dapu_cmd_list.append(('--InConfig %s' % PATH_TO_DAPUXML))
    # The touch talks to the local tunnel endpoint, never to self.target directly.
    dapu_cmd_list.append(('--TargetIp %s' % '127.0.0.1'))
    dapu_cmd_list.append(('--TargetPort %s' % redir_cmd.lplisten))
    dapu_cmd_list.append(('--NetworkTimeout %s' % self.timeout))
    dapu_cmd_list.append(('--Protocol %s' % 'SMB'))
    # Meaning of 'PingPong' is defined by the touch, not in this file.
    dapu_cmd_list.append(('--ImplantAction %s' % 'PingPong'))
    # Result file: <touch exe basename>_<target>_<timestamp>.xml under LOGDIR/Logs.
    outconfig = os.path.join(ops.LOGDIR, 'Logs', ('%s_%s_%s.xml' % (os.path.basename(PATH_TO_DAPUTOUCH), self.target, dsz.Timestamp())))
    dapu_cmd_list.append(('--OutConfig %s' % outconfig))
    dapu_cmd_string = ((PATH_TO_DAPUTOUCH + ' ') + ' '.join(dapu_cmd_list))
    # NOTE(review): paths and self.target are interpolated into a shell command
    # line without any quoting; values containing spaces or shell metacharacters
    # are not handled here.
    dapucmd.command = ('cmd /C %s' % dapu_cmd_string)
    dapucmd.arglist.append('-redirect')
    dapucmd.arglist.append(('-directory %s' % os.path.join(ops.DSZDISKSDIR, 'lib', 'x86-Windows')))
    dapucmd.prefixes.append('local')
    dapucmd.prefixes.append('log')
    dapuobject = dapucmd.execute()
    # No try/finally: if execute() raises, the tunnel is left open.
    ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
    screenlog = os.path.join(ops.PROJECTLOGDIR, dapuobject.commandmetadata.screenlog)
    # Handle is not closed on an exception in readlines() (no with-statement).
    f = open(screenlog, 'r')
    screenlog_lines = f.readlines()
    f.close()
    for line in screenlog_lines:
        # Substring tests: 'status 0' also matches any status that merely starts
        # with '0' (e.g. '01'); the first match decides and stops the scan.
        if ('Process terminated with status 0' in line):
            self.success = True
            break
        elif ('Process terminated with status 6' in line):
            # Status 6 is singled out as an explicit failure; its meaning is not
            # defined in this file.
            self.success = False
            # NOTE(review): str.strip() takes a *set* of characters, not a prefix.
            # This strips any of those letters/spaces from both ends of the line,
            # which happens to leave the digits but would also remove trailing
            # text made up of those letters.
            self.error = line.strip('Process terminated with status ').strip()
            break
        elif ('Process terminated with status' in line):
            # Any other status: record it and keep scanning; self.success is not
            # changed on this path.
            self.error = line.strip('Process terminated with status ').strip()
    self.timestamp = dsz.Timestamp()
def execute_scan(self, verbose):
    """Run the newest Smbtouch binary against self.target and record its per-check verdicts.

    Sequence (all visible below): open a tunnel to self.target:self.port, run the
    touch via 'cmd /C' against the local tunnel endpoint with anonymous credentials,
    close the tunnel, parse the command's screen log, and — if no 'Error 0x' line
    was seen — parse the touch's result XML. Sets:

      self.vulnerable / self.not_vulnerable / self.not_supported
                     comma-joined short codes (ETEB/ETRO/ETCH/ETSY or the raw
                     name) grouped by how each 'ETERNAL*' log line was classified
      self.os, self.arch, self.pipe, self.share, self.credentials
                     copied from the result XML's outputparameters when present
      self.error     text after the last '-' of the last 'Error 0x' line, or None
      self.success   True unless self.error == 'ErrorConnectionTimedOut'
      self.timestamp dsz.Timestamp() taken at the end of the run

    Artifacts this method leaves on the host it runs on (relevant when auditing such
    a host): a per-run result XML under <ops.LOGDIR>/Logs and the screen log under
    ops.PROJECTLOGDIR.

    verbose -- when false the DSZ command is run with dszquiet=True.
    Returns None; results are stored on the instance.
    """
    redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
    PATH_TO_SMBTOUCH = scan.find_newest_touch(self, 'Smbtouch', 'exe')
    PATH_TO_SMBXML = scan.find_newest_touch(self, 'Smbtouch', 'xml')
    smbcmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
    smb_cmd_list = []
    smb_cmd_list.append(('--InConfig %s' % PATH_TO_SMBXML))
    # The touch talks to the local tunnel endpoint, never to self.target directly.
    smb_cmd_list.append(('--TargetIp %s' % '127.0.0.1'))
    smb_cmd_list.append(('--TargetPort %s' % redir_cmd.lplisten))
    smb_cmd_list.append(('--NetworkTimeout %s' % self.timeout))
    # Protocol is derived from the port. int(self.port) raises ValueError on a
    # non-numeric port; any port other than 445/139 gets no --Protocol argument
    # (the touch's own default then applies, which is not visible here).
    if (int(self.port) == 445):
        smb_cmd_list.append(('--Protocol %s' % 'SMB'))
    elif (int(self.port) == 139):
        smb_cmd_list.append(('--Protocol %s' % 'NBT'))
    smb_cmd_list.append(('--Credentials %s' % 'Anonymous'))
    # Result file: <touch exe basename>_<target>_<timestamp>.xml under LOGDIR/Logs.
    outconfig = os.path.join( ops.LOGDIR, 'Logs', ('%s_%s_%s.xml' % (os.path.basename(PATH_TO_SMBTOUCH), self.target, dsz.Timestamp())))
    smb_cmd_list.append(('--OutConfig %s' % outconfig))
    smb_cmd_string = ((PATH_TO_SMBTOUCH + ' ') + ' '.join(smb_cmd_list))
    # NOTE(review): paths and self.target are interpolated into a shell command
    # line without any quoting; values containing spaces or shell metacharacters
    # are not handled here.
    smbcmd.command = ('cmd /C %s' % smb_cmd_string)
    smbcmd.arglist.append('-redirect')
    smbcmd.arglist.append( ('-directory %s' % os.path.join(ops.DSZDISKSDIR, 'lib', 'x86-Windows')))
    smbcmd.prefixes.append('local')
    smbcmd.prefixes.append('log')
    smbobject = smbcmd.execute()
    # No try/finally: if execute() raises, the tunnel is left open.
    ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
    # cmd_output collects the error text plus name->value pairs from the result XML.
    cmd_output = {}
    cmd_output['error'] = None
    screenlog = os.path.join(ops.PROJECTLOGDIR, smbobject.commandmetadata.screenlog)
    # Handle is not closed on an exception in readlines() (no with-statement).
    f = open(screenlog, 'r')
    screenlog_lines = f.readlines()
    f.close()
    vulnerable = []
    not_vulnerable = []
    not_supported = []
    for line in screenlog_lines:
        # Literal substring tests written as regexes. The last 'Error 0x' line wins.
        re_out = re.search('Error 0x', line)
        if (re_out is not None):
            cmd_output['error'] = line.split('-')[(-1)].strip()
        re_out = re.search('ETERNAL', line)
        if (re_out is not None):
            # Expected line shape (inferred from the parsing): '<NAME> - <verdict text>'.
            line_split = line.split('-')
            exploit = line_split[0].strip()
            # Known names are shortened to four-letter codes; anything else is kept
            # verbatim.
            if (exploit == 'ETERNALBLUE'):
                exploit = 'ETEB'
            elif (exploit == 'ETERNALROMANCE'):
                exploit = 'ETRO'
            elif (exploit == 'ETERNALCHAMPION'):
                exploit = 'ETCH'
            elif (exploit == 'ETERNALSYNERGY'):
                exploit = 'ETSY'
            # Classification keys on substrings anywhere in the line; what 'FB' and
            # 'DANE' denote is defined by the touch's output, not in this file.
            if ((re.search('FB', line) is not None) or (re.search('DANE', line) is not None)):
                vulnerable.append(exploit)
            elif (re.search('not supported', line) is not None):
                not_supported.append(exploit)
            else:
                not_vulnerable.append(exploit)
    self.vulnerable = ','.join(vulnerable)
    self.not_vulnerable = ','.join(not_vulnerable)
    self.not_supported = ','.join(not_supported)
    if (cmd_output['error'] is None):
        # The result XML is written by the touch itself; parse() raises if the
        # file was not produced (no guard here).
        tree = ElementTree()
        tree.parse(outconfig)
        root = tree.getroot()
        outparams = root.find('{urn:trch}outputparameters').getchildren()
        for ele in outparams:
            # NOTE(review): bare except — a parameter without a <value> child
            # (AttributeError on .text) is skipped, but so is any other error.
            try:
                cmd_output[ele.get('name')] = ele.find( '{urn:trch}value').text
            except:
                continue
        if ('Target' in cmd_output.keys()):
            self.os = cmd_output['Target']
        if ('TargetOsArchitecture' in cmd_output.keys()):
            self.arch = cmd_output['TargetOsArchitecture']
        if ('PipeName' in cmd_output.keys()):
            self.pipe = cmd_output['PipeName']
        if ('ShareName' in cmd_output.keys()):
            self.share = cmd_output['ShareName']
        if ('Credentials' in cmd_output.keys()):
            self.credentials = cmd_output['Credentials']
    self.error = cmd_output['error']
    self.timestamp = dsz.Timestamp()
    # NOTE(review): only a timeout counts as failure; any other 'Error 0x' text
    # still yields self.success = True (with self.error set).
    if ((cmd_output['error'] is None) or (not (cmd_output['error'] == 'ErrorConnectionTimedOut'))):
        self.success = True