Exemple #1
 def execute_scan(self, verbose):
     """Run the newest Darkpulsar touch through a local tunnel and record the result.

     Assembles a ``cmd /C`` command line for the touch executable located by
     ``scan.find_newest_touch``, executes it as a DSZ ``run`` command, stops
     the tunnel, then reads the command's screen log looking for a
     ``Process terminated with status`` line.  Status 0 sets ``self.success``;
     status 6 clears it and stores the status text in ``self.error``; any
     other status only stores ``self.error``.  ``self.timestamp`` is always
     set last.

     Args:
         verbose: when false the DSZ command is created with ``dszquiet``.

     Returns:
         None.  All results are written to instance attributes.
     """
     # Tunnel self.port on self.target to a local listener; the touch is
     # pointed at 127.0.0.1:<lplisten> rather than at the target directly.
     redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
     PATH_TO_DAPUTOUCH = scan.find_newest_touch(self,
                                                'Darkpulsar',
                                                'exe',
                                                touch_type='implants')
     PATH_TO_DAPUXML = scan.find_newest_touch(self,
                                              'Darkpulsar',
                                              'xml',
                                              touch_type='implants')
     dapucmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
     # NOTE(review): every value below is interpolated into one shell string
     # (cmd /C) with no quoting or validation; self.target and self.timeout
     # are assumed to be constrained by the caller -- confirm.
     dapu_cmd_list = []
     dapu_cmd_list.append(('--InConfig %s' % PATH_TO_DAPUXML))
     dapu_cmd_list.append(('--TargetIp %s' % '127.0.0.1'))
     dapu_cmd_list.append(('--TargetPort %s' % redir_cmd.lplisten))
     dapu_cmd_list.append(('--NetworkTimeout %s' % self.timeout))
     dapu_cmd_list.append(('--Protocol %s' % 'SMB'))
     dapu_cmd_list.append(('--ImplantAction %s' % 'PingPong'))
     # Per-run XML output: <touch exe>_<target>_<timestamp>.xml under
     # LOGDIR/Logs.  Not read back in this method.
     outconfig = os.path.join(ops.LOGDIR, 'Logs',
                              ('%s_%s_%s.xml' %
                               (os.path.basename(PATH_TO_DAPUTOUCH),
                                self.target, dsz.Timestamp())))
     dapu_cmd_list.append(('--OutConfig %s' % outconfig))
     dapu_cmd_string = ((PATH_TO_DAPUTOUCH + ' ') + ' '.join(dapu_cmd_list))
     dapucmd.command = ('cmd /C %s' % dapu_cmd_string)
     dapucmd.arglist.append('-redirect')
     dapucmd.arglist.append(
         ('-directory %s' %
          os.path.join(ops.DSZDISKSDIR, 'lib', 'x86-Windows')))
     dapucmd.prefixes.append('local')
     dapucmd.prefixes.append('log')
     dapuobject = dapucmd.execute()
     # NOTE(review): the tunnel is stopped only if execute() returns; an
     # exception leaves it open.  A try/finally would close it either way.
     ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
     screenlog = os.path.join(ops.PROJECTLOGDIR,
                              dapuobject.commandmetadata.screenlog)
     # NOTE(review): the handle is not closed if readlines() raises; a
     # with-block would be safer.
     f = open(screenlog, 'r')
     screenlog_lines = f.readlines()
     f.close()
     for line in screenlog_lines:
         if ('Process terminated with status 0' in line):
             self.success = True
             break
         elif ('Process terminated with status 6' in line):
             self.success = False
             # NOTE(review): str.strip() with a multi-character argument
             # removes a *set* of characters from both ends, not a prefix.
             # Digits are not in the set, so a numeric status survives, but
             # this is not prefix removal.
             self.error = line.strip(
                 'Process terminated with status ').strip()
             break
         elif ('Process terminated with status' in line):
             # Any other status: record it and keep scanning.  self.success
             # is not touched here (presumably false by default -- confirm).
             self.error = line.strip(
                 'Process terminated with status ').strip()
     self.timestamp = dsz.Timestamp()
Exemple #2
 def execute_scan(self, verbose):
     """Run the newest Rpctouch through a local tunnel and record the reported OS string.

     Builds a ``cmd /C`` command line for the touch executable, runs it as a
     DSZ ``run`` command, stops the tunnel, then scans the command's screen
     log for lines containing ``] SMB String:``.  The text after the last
     colon of the last such line becomes ``self.os``.  ``self.success`` is
     set only when ``self.os`` ended up neither ``None`` nor ``'(none)'``.
     ``self.timestamp`` is always set.

     Args:
         verbose: when false the DSZ command is created with ``dszquiet``.

     Returns:
         None.  Results are written to instance attributes.
     """
     # Tunnel self.port on self.target to a local listener; the touch is
     # pointed at 127.0.0.1:<lplisten>.
     redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
     PATH_TO_RPCTOUCH = scan.find_newest_touch(self, 'Rpctouch', 'exe')
     PATH_TO_RPCXML = scan.find_newest_touch(self, 'Rpctouch', 'xml')
     rpccmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
     # NOTE(review): values are interpolated into a single cmd /C string
     # without quoting or validation -- confirm self.target/self.timeout are
     # constrained upstream.
     rpc_cmd_list = []
     rpc_cmd_list.append(('--InConfig %s' % PATH_TO_RPCXML))
     rpc_cmd_list.append(('--TargetIp %s' % '127.0.0.1'))
     rpc_cmd_list.append(('--TargetPort %s' % redir_cmd.lplisten))
     rpc_cmd_list.append(('--NetworkTimeout %s' % self.timeout))
     # Protocol is chosen from the port; any port other than 445/139 gets
     # no --Protocol flag at all (the tool's default then applies).
     if (int(self.port) == 445):
         rpc_cmd_list.append(('--Protocol %s' % 'SMB'))
     elif (int(self.port) == 139):
         rpc_cmd_list.append(('--Protocol %s' % 'NBT'))
     rpc_cmd_list.append(('--NetBIOSName %s' % '*SMBSERVER'))
     rpc_cmd_list.append(('--TouchLanguage %s' % 'False'))
     rpc_cmd_list.append(('--TouchArchitecture %s' % 'False'))
     # Per-run XML output under LOGDIR/Logs; not read back in this method.
     outconfig = os.path.join(
         ops.LOGDIR, 'Logs',
         ('%s_%s_%s.xml' % (os.path.basename(PATH_TO_RPCTOUCH), self.target,
                            dsz.Timestamp())))
     rpc_cmd_list.append(('--OutConfig %s' % outconfig))
     rpc_cmd_string = ((PATH_TO_RPCTOUCH + ' ') + ' '.join(rpc_cmd_list))
     rpccmd.command = ('cmd /C %s' % rpc_cmd_string)
     rpccmd.arglist.append('-redirect')
     rpccmd.arglist.append(
         ('-directory %s' %
          os.path.join(ops.DSZDISKSDIR, 'lib', 'x86-Windows')))
     rpccmd.prefixes.append('local')
     rpccmd.prefixes.append('log')
     rpcobject = rpccmd.execute()
     # NOTE(review): the tunnel is stopped only on a normal return from
     # execute(); a try/finally would close it on exceptions too.
     ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
     # cmd_output is populated here but never read afterwards (dead code).
     cmd_output = {}
     cmd_output['error'] = None
     screenlog = os.path.join(ops.PROJECTLOGDIR,
                              rpcobject.commandmetadata.screenlog)
     # NOTE(review): not closed if readlines() raises; prefer a with-block.
     f = open(screenlog, 'r')
     screenlog_lines = f.readlines()
     f.close()
     error = False
     for line in screenlog_lines:
         re_out = re.search('] SMB String:', line.strip())
         if (re_out is not None):
             # Keeps the text after the LAST colon, so an OS string that
             # itself contains ':' would be truncated.  The last matching
             # line wins.
             self.os = line.split(':')[(-1)].strip()
     # self.os is read even when no line matched, so it must be initialised
     # elsewhere (presumably in __init__ -- confirm).
     if ((self.os is None) or (self.os == '(none)')):
         error = True
     self.timestamp = dsz.Timestamp()
     if (error == False):
         self.success = True
Exemple #3
 def execute_scan(self, verbose):
     """Run RPC2.exe through a local tunnel and parse its host/OS output lines.

     Picks an RPC transport number from ``self.port`` (139 -> '1', 445 ->
     '3', 80 -> '6'; any other port keeps '1'), runs ``RPC2.exe`` from
     ``ops.TOOLS`` as a DSZ ``run`` command, stops the tunnel, then walks the
     process output line by line filling ``self.nativeos``,
     ``self.nativelanman``, ``self.primarydomain``, ``self.oemdomain``,
     ``self.lookslike`` and ``self.error``.  ``self.success`` is set unless
     ``self.error`` contains one of the two connection-failure markers.

     Args:
         verbose: when false the DSZ command is created with ``dszquiet``.

     Returns:
         None.  Results are written to instance attributes.
     """
     self.error = ''
     redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
     # PROT_TYPE is assigned but never used below; only PROT_NUM reaches the
     # command line.
     PROT_TYPE = 'rpc_tcp'
     PROT_NUM = '1'
     if (int(self.port) == 139):
         pass
     elif (int(self.port) == 445):
         PROT_TYPE = 'rpc_smb'
         PROT_NUM = '3'
     elif (int(self.port) == 80):
         PROT_TYPE = 'rpc_http'
         PROT_NUM = '6'
     PATH_TO_RPC = os.path.join(ops.TOOLS, 'RPC2.exe')
     rpccmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
     # NOTE(review): self.type, self.timeout and self.target are formatted
     # straight into the command string without validation -- confirm they
     # are constrained by the caller.
     rpccmd.command = (
         '%s -i 127.0.0.1 -p %s -t 1 -b %s -r %s -o %s -h %s' %
         (PATH_TO_RPC, redir_cmd.lplisten, PROT_NUM, self.type,
          self.timeout, self.target))
     rpccmd.arglist.append('-redirect')
     rpccmd.prefixes.append('local')
     rpccmd.prefixes.append('log')
     rpcobject = rpccmd.execute()
     # NOTE(review): tunnel is only stopped on normal return; consider
     # try/finally so an exception in execute() does not leave it open.
     ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
     for processoutput in rpcobject.processoutput:
         lines = processoutput.output.split('\n')
         for line in lines:
             # NOTE(review): str.strip('NativeOS:') strips the character
             # *set* {N,a,t,i,v,e,O,S,:} from both ends, not the prefix; a
             # value that ends in one of those characters loses it.  The
             # same applies to the other strip() calls below.
             if line.startswith('NativeOS'):
                 self.nativeos = line.strip('NativeOS:').strip()
             elif line.startswith('NativeLanMan'):
                 self.nativelanman = line.strip('NativeLanMan:').strip()
             elif line.startswith('PrimaryDomain'):
                 self.primarydomain = line.strip('PrimaryDomain:').strip()
             elif line.startswith('OemDomainName'):
                 self.oemdomain = line.strip('OemDomainName=').strip()
             elif line.startswith('Looks like '):
                 self.lookslike = line.strip('Looks like ').strip()
             elif (re.search('failed: 10054', line.strip()) is not None):
                 self.error = line.strip()
             elif (re.search('ErrorConnectionTimedOut', line.strip())
                   is not None):
                 self.error = line.strip()
             elif line.startswith('FAULT: Status'):
                 # Later error lines overwrite earlier ones.
                 self.error = line.strip()
     self.timestamp = dsz.Timestamp()
     # Only the two connection-failure markers block success; a recorded
     # 'FAULT: Status' error still yields success = True (appears intended
     # -- the RPC fault is treated as a reachable host; confirm).
     if ((re.search('failed: 10054', self.error) is None) and
         (re.search('ErrorConnectionTimedOut', self.error) is None)):
         self.success = True
Exemple #4
 def execute_scan(self, verbose):
     """Run the newest Rpctouch through a local tunnel and record the reported OS string.

     Builds a ``cmd /C`` command line for the touch, runs it as a DSZ ``run``
     command, stops the tunnel, then scans the screen log for lines
     containing ``] SMB String:``; the text after the last colon of the last
     such line becomes ``self.os``.  ``self.success`` is set only when
     ``self.os`` is neither ``None`` nor ``'(none)'``.  ``self.timestamp``
     is always set.

     Args:
         verbose: when false the DSZ command is created with ``dszquiet``.

     Returns:
         None.  Results are written to instance attributes.
     """
     # Local tunnel to self.target:self.port; the touch targets 127.0.0.1.
     redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
     PATH_TO_RPCTOUCH = scan.find_newest_touch(self, 'Rpctouch', 'exe')
     PATH_TO_RPCXML = scan.find_newest_touch(self, 'Rpctouch', 'xml')
     rpccmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
     # NOTE(review): values are formatted into one cmd /C string with no
     # quoting or validation -- confirm self.target/self.timeout are
     # constrained upstream.
     rpc_cmd_list = []
     rpc_cmd_list.append(('--InConfig %s' % PATH_TO_RPCXML))
     rpc_cmd_list.append(('--TargetIp %s' % '127.0.0.1'))
     rpc_cmd_list.append(('--TargetPort %s' % redir_cmd.lplisten))
     rpc_cmd_list.append(('--NetworkTimeout %s' % self.timeout))
     # Ports other than 445/139 get no --Protocol flag at all.
     if (int(self.port) == 445):
         rpc_cmd_list.append(('--Protocol %s' % 'SMB'))
     elif (int(self.port) == 139):
         rpc_cmd_list.append(('--Protocol %s' % 'NBT'))
     rpc_cmd_list.append(('--NetBIOSName %s' % '*SMBSERVER'))
     rpc_cmd_list.append(('--TouchLanguage %s' % 'False'))
     rpc_cmd_list.append(('--TouchArchitecture %s' % 'False'))
     # Per-run XML output under LOGDIR/Logs; not read back here.
     outconfig = os.path.join(ops.LOGDIR, 'Logs', ('%s_%s_%s.xml' % (os.path.basename(PATH_TO_RPCTOUCH), self.target, dsz.Timestamp())))
     rpc_cmd_list.append(('--OutConfig %s' % outconfig))
     rpc_cmd_string = ((PATH_TO_RPCTOUCH + ' ') + ' '.join(rpc_cmd_list))
     rpccmd.command = ('cmd /C %s' % rpc_cmd_string)
     rpccmd.arglist.append('-redirect')
     rpccmd.arglist.append(('-directory %s' % os.path.join(ops.DSZDISKSDIR, 'lib', 'x86-Windows')))
     rpccmd.prefixes.append('local')
     rpccmd.prefixes.append('log')
     rpcobject = rpccmd.execute()
     # NOTE(review): tunnel is stopped only on normal return from execute();
     # a try/finally would also close it on exceptions.
     ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
     # cmd_output is written but never read (dead code).
     cmd_output = {}
     cmd_output['error'] = None
     screenlog = os.path.join(ops.PROJECTLOGDIR, rpcobject.commandmetadata.screenlog)
     # NOTE(review): not closed if readlines() raises; prefer a with-block.
     f = open(screenlog, 'r')
     screenlog_lines = f.readlines()
     f.close()
     error = False
     for line in screenlog_lines:
         re_out = re.search('] SMB String:', line.strip())
         if (re_out is not None):
             # Text after the LAST colon; an OS string containing ':' would
             # be truncated.  The last matching line wins.
             self.os = line.split(':')[(-1)].strip()
     # self.os is read even if nothing matched, so it must be initialised
     # elsewhere (presumably __init__ -- confirm).
     if ((self.os is None) or (self.os == '(none)')):
         error = True
     self.timestamp = dsz.Timestamp()
     if (error == False):
         self.success = True
Exemple #5
 def execute_scan(self, verbose):
     """Run RPC2.exe through a local tunnel and parse its host/OS output lines.

     Chooses an RPC transport number from ``self.port`` (139 -> '1', 445 ->
     '3', 80 -> '6'; other ports keep '1'), runs ``RPC2.exe`` from
     ``ops.TOOLS`` as a DSZ ``run`` command, stops the tunnel, then fills
     ``self.nativeos``, ``self.nativelanman``, ``self.primarydomain``,
     ``self.oemdomain``, ``self.lookslike`` and ``self.error`` from the
     process output.  ``self.success`` is set unless ``self.error`` holds one
     of the two connection-failure markers.

     Args:
         verbose: when false the DSZ command is created with ``dszquiet``.

     Returns:
         None.  Results are written to instance attributes.
     """
     self.error = ''
     redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
     # PROT_TYPE is never used; only PROT_NUM reaches the command line.
     PROT_TYPE = 'rpc_tcp'
     PROT_NUM = '1'
     if (int(self.port) == 139):
         pass
     elif (int(self.port) == 445):
         PROT_TYPE = 'rpc_smb'
         PROT_NUM = '3'
     elif (int(self.port) == 80):
         PROT_TYPE = 'rpc_http'
         PROT_NUM = '6'
     PATH_TO_RPC = os.path.join(ops.TOOLS, 'RPC2.exe')
     rpccmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
     # NOTE(review): self.type, self.timeout and self.target go into the
     # command string unvalidated -- confirm the caller constrains them.
     rpccmd.command = ('%s -i 127.0.0.1 -p %s -t 1 -b %s -r %s -o %s -h %s' % (PATH_TO_RPC, redir_cmd.lplisten, PROT_NUM, self.type, self.timeout, self.target))
     rpccmd.arglist.append('-redirect')
     rpccmd.prefixes.append('local')
     rpccmd.prefixes.append('log')
     rpcobject = rpccmd.execute()
     # NOTE(review): tunnel is only stopped on normal return; try/finally
     # would also close it if execute() raises.
     ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
     for processoutput in rpcobject.processoutput:
         lines = processoutput.output.split('\n')
         for line in lines:
             # NOTE(review): strip('NativeOS:') and friends remove a
             # character *set* from both ends, not a prefix; values ending
             # in one of those characters lose it.
             if line.startswith('NativeOS'):
                 self.nativeos = line.strip('NativeOS:').strip()
             elif line.startswith('NativeLanMan'):
                 self.nativelanman = line.strip('NativeLanMan:').strip()
             elif line.startswith('PrimaryDomain'):
                 self.primarydomain = line.strip('PrimaryDomain:').strip()
             elif line.startswith('OemDomainName'):
                 self.oemdomain = line.strip('OemDomainName=').strip()
             elif line.startswith('Looks like '):
                 self.lookslike = line.strip('Looks like ').strip()
             elif (re.search('failed: 10054', line.strip()) is not None):
                 self.error = line.strip()
             elif (re.search('ErrorConnectionTimedOut', line.strip()) is not None):
                 self.error = line.strip()
             elif line.startswith('FAULT: Status'):
                 # Later error lines overwrite earlier ones.
                 self.error = line.strip()
     self.timestamp = dsz.Timestamp()
     # A 'FAULT: Status' error still yields success = True; only the two
     # connection-failure markers block it (appears intended -- confirm).
     if ((re.search('failed: 10054', self.error) is None) and (re.search('ErrorConnectionTimedOut', self.error) is None)):
         self.success = True
Exemple #6
 def execute_scan(self, verbose):
     """Run the newest Darkpulsar touch through a local tunnel and record the result.

     Builds a ``cmd /C`` command line for the touch, runs it as a DSZ ``run``
     command, stops the tunnel, then reads the screen log for a
     ``Process terminated with status`` line: status 0 sets
     ``self.success``, status 6 clears it and records ``self.error``, any
     other status only records ``self.error``.  ``self.timestamp`` is always
     set last.

     Args:
         verbose: when false the DSZ command is created with ``dszquiet``.

     Returns:
         None.  Results are written to instance attributes.
     """
     # Local tunnel to self.target:self.port; the touch targets 127.0.0.1.
     redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
     PATH_TO_DAPUTOUCH = scan.find_newest_touch(self, 'Darkpulsar', 'exe', touch_type='implants')
     PATH_TO_DAPUXML = scan.find_newest_touch(self, 'Darkpulsar', 'xml', touch_type='implants')
     dapucmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
     # NOTE(review): values are formatted into one cmd /C string with no
     # quoting or validation -- confirm self.target/self.timeout are
     # constrained upstream.
     dapu_cmd_list = []
     dapu_cmd_list.append(('--InConfig %s' % PATH_TO_DAPUXML))
     dapu_cmd_list.append(('--TargetIp %s' % '127.0.0.1'))
     dapu_cmd_list.append(('--TargetPort %s' % redir_cmd.lplisten))
     dapu_cmd_list.append(('--NetworkTimeout %s' % self.timeout))
     dapu_cmd_list.append(('--Protocol %s' % 'SMB'))
     dapu_cmd_list.append(('--ImplantAction %s' % 'PingPong'))
     # Per-run XML output under LOGDIR/Logs; not read back here.
     outconfig = os.path.join(ops.LOGDIR, 'Logs', ('%s_%s_%s.xml' % (os.path.basename(PATH_TO_DAPUTOUCH), self.target, dsz.Timestamp())))
     dapu_cmd_list.append(('--OutConfig %s' % outconfig))
     dapu_cmd_string = ((PATH_TO_DAPUTOUCH + ' ') + ' '.join(dapu_cmd_list))
     dapucmd.command = ('cmd /C %s' % dapu_cmd_string)
     dapucmd.arglist.append('-redirect')
     dapucmd.arglist.append(('-directory %s' % os.path.join(ops.DSZDISKSDIR, 'lib', 'x86-Windows')))
     dapucmd.prefixes.append('local')
     dapucmd.prefixes.append('log')
     dapuobject = dapucmd.execute()
     # NOTE(review): tunnel is stopped only on normal return from execute();
     # a try/finally would also close it on exceptions.
     ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
     screenlog = os.path.join(ops.PROJECTLOGDIR, dapuobject.commandmetadata.screenlog)
     # NOTE(review): not closed if readlines() raises; prefer a with-block.
     f = open(screenlog, 'r')
     screenlog_lines = f.readlines()
     f.close()
     for line in screenlog_lines:
         if ('Process terminated with status 0' in line):
             self.success = True
             break
         elif ('Process terminated with status 6' in line):
             self.success = False
             # NOTE(review): strip() with a multi-character argument removes
             # a character *set* from both ends, not a prefix; digits survive
             # so a numeric status is kept, but this is not prefix removal.
             self.error = line.strip('Process terminated with status ').strip()
             break
         elif ('Process terminated with status' in line):
             # Other statuses: record and keep scanning; self.success is not
             # touched (presumably false by default -- confirm).
             self.error = line.strip('Process terminated with status ').strip()
     self.timestamp = dsz.Timestamp()
 def execute_scan(self, verbose):
     """Run the newest Smbtouch through a local tunnel and parse its screen log and XML output.

     Builds a ``cmd /C`` command line for the touch, runs it as a DSZ ``run``
     command, stops the tunnel, then reads the screen log: an ``Error 0x``
     line sets ``cmd_output['error']``; each ``ETERNAL`` line is bucketed
     into ``vulnerable`` / ``not_supported`` / ``not_vulnerable`` by its
     remaining text.  When no error was seen, the touch's ``--OutConfig``
     XML is parsed and its ``outputparameters`` copied into ``cmd_output``,
     from which ``self.os``, ``self.arch``, ``self.pipe``, ``self.share`` and
     ``self.credentials`` are filled when present.  ``self.success`` is set
     unless the error is exactly ``'ErrorConnectionTimedOut'``.

     Args:
         verbose: when false the DSZ command is created with ``dszquiet``.

     Returns:
         None.  Results are written to instance attributes.
     """
     # Local tunnel to self.target:self.port; the touch targets 127.0.0.1.
     redir_cmd = scan.gettunnel(self, self.target, 'tcp', self.port)
     PATH_TO_SMBTOUCH = scan.find_newest_touch(self, 'Smbtouch', 'exe')
     PATH_TO_SMBXML = scan.find_newest_touch(self, 'Smbtouch', 'xml')
     smbcmd = ops.cmd.getDszCommand('run', dszquiet=(not verbose))
     # NOTE(review): values are formatted into one cmd /C string with no
     # quoting or validation -- confirm self.target/self.timeout are
     # constrained upstream.
     smb_cmd_list = []
     smb_cmd_list.append(('--InConfig %s' % PATH_TO_SMBXML))
     smb_cmd_list.append(('--TargetIp %s' % '127.0.0.1'))
     smb_cmd_list.append(('--TargetPort %s' % redir_cmd.lplisten))
     smb_cmd_list.append(('--NetworkTimeout %s' % self.timeout))
     # Ports other than 445/139 get no --Protocol flag at all.
     if (int(self.port) == 445):
         smb_cmd_list.append(('--Protocol %s' % 'SMB'))
     elif (int(self.port) == 139):
         smb_cmd_list.append(('--Protocol %s' % 'NBT'))
     smb_cmd_list.append(('--Credentials %s' % 'Anonymous'))
     # Per-run XML output under LOGDIR/Logs; parsed back below when no
     # error was logged.
     outconfig = os.path.join(
         ops.LOGDIR, 'Logs',
         ('%s_%s_%s.xml' % (os.path.basename(PATH_TO_SMBTOUCH), self.target,
                            dsz.Timestamp())))
     smb_cmd_list.append(('--OutConfig %s' % outconfig))
     smb_cmd_string = ((PATH_TO_SMBTOUCH + ' ') + ' '.join(smb_cmd_list))
     smbcmd.command = ('cmd /C %s' % smb_cmd_string)
     smbcmd.arglist.append('-redirect')
     smbcmd.arglist.append(
         ('-directory %s' %
          os.path.join(ops.DSZDISKSDIR, 'lib', 'x86-Windows')))
     smbcmd.prefixes.append('local')
     smbcmd.prefixes.append('log')
     smbobject = smbcmd.execute()
     # NOTE(review): tunnel is stopped only on normal return from execute();
     # a try/finally would also close it on exceptions.
     ops.networking.redirect.stop_tunnel(dsz_cmd=redir_cmd)
     cmd_output = {}
     cmd_output['error'] = None
     screenlog = os.path.join(ops.PROJECTLOGDIR,
                              smbobject.commandmetadata.screenlog)
     # NOTE(review): not closed if readlines() raises; prefer a with-block.
     f = open(screenlog, 'r')
     screenlog_lines = f.readlines()
     f.close()
     vulnerable = []
     not_vulnerable = []
     not_supported = []
     for line in screenlog_lines:
         re_out = re.search('Error 0x', line)
         if (re_out is not None):
             # Text after the last '-' of the last matching line wins.
             cmd_output['error'] = line.split('-')[(-1)].strip()
         re_out = re.search('ETERNAL', line)
         if (re_out is not None):
             line_split = line.split('-')
             exploit = line_split[0].strip()
             # Map the long names to four-letter codes; unknown names are
             # kept verbatim.
             if (exploit == 'ETERNALBLUE'):
                 exploit = 'ETEB'
             elif (exploit == 'ETERNALROMANCE'):
                 exploit = 'ETRO'
             elif (exploit == 'ETERNALCHAMPION'):
                 exploit = 'ETCH'
             elif (exploit == 'ETERNALSYNERGY'):
                 exploit = 'ETSY'
             # Plain substring tests: any 'FB' or 'DANE' anywhere on the
             # line counts as vulnerable, 'not supported' as unsupported,
             # everything else as not vulnerable.
             if ((re.search('FB', line) is not None)
                     or (re.search('DANE', line) is not None)):
                 vulnerable.append(exploit)
             elif (re.search('not supported', line) is not None):
                 not_supported.append(exploit)
             else:
                 not_vulnerable.append(exploit)
     self.vulnerable = ','.join(vulnerable)
     self.not_vulnerable = ','.join(not_vulnerable)
     self.not_supported = ','.join(not_supported)
     if (cmd_output['error'] is None):
         # Parse the XML the touch wrote to outconfig.
         # NOTE(review): root.find() returns None if the element is absent,
         # which raises AttributeError here; and Element.getchildren() was
         # removed in Python 3.9 (iterate the element or use list(...)).
         tree = ElementTree()
         tree.parse(outconfig)
         root = tree.getroot()
         outparams = root.find('{urn:trch}outputparameters').getchildren()
         for ele in outparams:
             # NOTE(review): bare except swallows everything, including
             # KeyboardInterrupt; catching AttributeError is what is meant
             # here (a parameter with no <value> child).
             try:
                 cmd_output[ele.get('name')] = ele.find(
                     '{urn:trch}value').text
             except:
                 continue
     # Copy known output parameters onto the instance when present
     # ('in cmd_output' would do; .keys() is redundant).
     if ('Target' in cmd_output.keys()):
         self.os = cmd_output['Target']
     if ('TargetOsArchitecture' in cmd_output.keys()):
         self.arch = cmd_output['TargetOsArchitecture']
     if ('PipeName' in cmd_output.keys()):
         self.pipe = cmd_output['PipeName']
     if ('ShareName' in cmd_output.keys()):
         self.share = cmd_output['ShareName']
     if ('Credentials' in cmd_output.keys()):
         self.credentials = cmd_output['Credentials']
     self.error = cmd_output['error']
     self.timestamp = dsz.Timestamp()
     # NOTE(review): this condition is True for every error text except the
     # exact string 'ErrorConnectionTimedOut', so an 'Error 0x' line still
     # reports success = True with self.error set -- confirm that is wanted.
     if ((cmd_output['error'] is None)
             or (not (cmd_output['error'] == 'ErrorConnectionTimedOut'))):
         self.success = True