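def check(target):
    """Probe the target and return its SharePoint version header.

    Args:
        target: two-item sequence ``[url, port]``; both items are passed to
            ``url_processor.checkhttp`` to build the request URL.

    Returns:
        The ``microsoftsharepointteamservices`` response header as a string,
        or ``None`` (after printing a notice) when the request fails or the
        header is missing.
    """
    url = url_processor.checkhttp(target[0], target[1])
    try:
        # NOTE(review): verify=False disables TLS certificate validation, so
        # the header read below is unauthenticated -- any host on the network
        # path can supply it. Treat the value as a hint, not as proof of what
        # the server is.
        # The timeout keeps an unresponsive host from blocking forever.
        r = requests.get(url, verify=False, timeout=10)
        return str(r.headers['microsoftsharepointteamservices'])
    except Exception:
        # Any request failure or a missing header means "no SharePoint here".
        # Catching Exception rather than using a bare except lets
        # KeyboardInterrupt and SystemExit propagate.
        print(red + "[!] " + endc + "No SharePoint found at the given URL. Check your URL and port specification.")
        return None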
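def check(target):
    """Probe the target and return its SharePoint version header.

    Args:
        target: two-item sequence ``[url, port]``; both items are passed to
            ``url_processor.checkhttp`` to build the request URL.

    Returns:
        The ``microsoftsharepointteamservices`` response header as a string,
        or ``None`` (after printing a notice) when the request fails or the
        header is missing.
    """
    url = url_processor.checkhttp(target[0], target[1])
    try:
        # NOTE(review): verify=False disables TLS certificate validation, so
        # the header read below is unauthenticated -- any host on the network
        # path can supply it. Treat the value as a hint, not as proof of what
        # the server is.
        # The timeout keeps an unresponsive host from blocking forever.
        r = requests.get(url, verify=False, timeout=10)
        return str(r.headers['microsoftsharepointteamservices'])
    except Exception:
        # Any request failure or a missing header means "no SharePoint here".
        # Catching Exception rather than using a bare except lets
        # KeyboardInterrupt and SystemExit propagate.
        print(
            red + "[!] " + endc +
            "No SharePoint found at the given URL. Check your URL and port specification."
        )
        return None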
def changetarget(full):
    """Interactively read a target URL (and a port when needed) until it checks out.

    Args:
        full: when truthy, the stored global ``target`` is cleared first so
            both URL and port are entered again.

    Returns:
        ``[url, port]`` where ``url`` is the ``url_processor.checkhttp``
        result for the entered URL and ``check()`` accepted the pair.

    Side effects:
        Overwrites the module-level ``target[0]`` and ``target[1]``.
    """
    # A full reset discards whatever target was stored before.
    if full:
        target[0] = None
        target[1] = None

    while True:
        entered = raw_input(cyan + "[?] Please enter a target URL now: " + endc)
        # changeport() reads the URL from the global, so publish it first.
        target[0] = entered

        # The stored port is reused only when this is not a full change and a
        # port is already on record. Every other combination (first run,
        # runtime change, retry after a failed check) prompts for a port.
        reuse_port = full is not True and target[1] is not None
        port = target[1] if reuse_port else changeport()

        # Keep the global in step with the port actually used.
        target[1] = port

        # Normalise the URL for the chosen port before probing it.
        candidate = [url_processor.checkhttp(entered, port), port]
        if check(candidate) is not None:
            return candidate

        # The probe failed: go round again and overwrite what was entered.
        full = True
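def changeport():
    """Prompt for a target port until a usable one is entered.

    Reads the module-level ``target`` list: ``target[0]`` is passed to
    ``url_processor.checkhttp`` together with the entered port, and
    ``target[1]`` is overwritten with that call's result when it is not
    ``None``.

    Returns:
        The accepted port as an ``int``.
    """
    while True:
        try:
            port = int(raw_input(cyan + "[?] Enter target port (80 or 443): " + endc))
        except ValueError:
            # Only a non-numeric entry is a "bad port". Ctrl-C and EOF
            # propagate instead of trapping the user in the prompt loop.
            port = None
        # `port == 80 or 443` is always true because 443 is truthy, so it
        # accepted any integer; the membership test enforces what the prompt
        # asks for.
        if port in (80, 443):
            break
        print(yellow + "[!] Bad Port. Try again." + endc)

    # Check for a standard port number
    var = url_processor.checkhttp(target[0], port)
    if var is not None:
        # NOTE(review): elsewhere in this file checkhttp()'s result is stored
        # as the URL (target[0]); writing it into the port slot looks
        # unintended -- confirm. changetarget() overwrites target[1] with the
        # returned port right after this call.
        target[1] = var
    else:
        # checkhttp() rejected the combination: ask again.
        port = changeport()
    return port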
def changetarget(full):
    """Interactively read a target URL (and a port when needed) until it checks out.

    Args:
        full: when truthy, the stored global ``target`` is cleared first so
            both URL and port are entered again.

    Returns:
        ``[url, port]`` where ``url`` is the ``url_processor.checkhttp``
        result for the entered URL and ``check()`` accepted the pair.

    Side effects:
        Overwrites the module-level ``target[0]`` and ``target[1]``.
    """
    # A full reset discards whatever target was stored before.
    if full:
        target[0] = None
        target[1] = None

    while True:
        entered = raw_input(cyan + "[?] Please enter a target URL now: " + endc)
        # changeport() reads the URL from the global, so publish it first.
        target[0] = entered

        # The stored port is reused only when this is not a full change and a
        # port is already on record. Every other combination (first run,
        # runtime change, retry after a failed check) prompts for a port.
        reuse_port = full is not True and target[1] is not None
        port = target[1] if reuse_port else changeport()

        # Keep the global in step with the port actually used.
        target[1] = port

        # Normalise the URL for the chosen port before probing it.
        candidate = [url_processor.checkhttp(entered, port), port]
        if check(candidate) is not None:
            return candidate

        # The probe failed: go round again and overwrite what was entered.
        full = True
##################################################################################### # Handle target specification. This can come in the following combinations: # 1; Port but no target # 2; target but no port # 3; Neither target nor port # 4; Both provided # Right now, if the target is blank, then both must be set manually, eliminating (2) ##################################################################################### # A Target was provided if args.t is not None: # A port was also provided if args.p is not None: target[0] = args.t # Assign values target[1] = int(args.p) target[0] = url_processor.checkhttp(target[0], target[1]) # check URL # If the user provided a target but no port elif args.p is None: print(red + "[!]" + " Target specified on command line, but no port! Use -p to specify the port!") sys.exit(0) # No Target was provided... elif args.t is None: # A port was provided, but no target if args.p is not None: print(red + "[!]" + " Port specified on command line, but no target! Use -t to specify the target!") sys.exit(0) # Nothing was provided... elif args.p is None:
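def enumusers(target, start=None, end=None, creds=None):
    """Request UserDisp.aspx for a range of numeric IDs and collect the hits.

    Args:
        target: two-item sequence ``[url, port]``, normalised through
            ``url_processor.checkhttp``.
        start: first ID to request; defaults to 1.
        end: upper bound handed to ``range`` (``end`` itself is not
            requested); defaults to 10.
        creds: optional value forwarded to ``requests.get`` as ``auth``.

    Returns:
        List of IDs whose page answered with a 2xx status and whose body
        contains neither "404" nor "Not Found" (any capitalisation).
    """
    results = []   # IDs that produced a page
    failures = []  # IDs to retry with Force=True

    if start is None:
        start = 1
        sys.stdout.write(yellow + "[!] " + endc + "No start value provided, starting at UID=%d" % start + endc)
        sys.stdout.write("\n")
    if end is None:
        end = 10
        sys.stdout.write(yellow + "[!] " + endc + "No stop value provided, stopping at UID=%d" % end + endc)
        sys.stdout.write("\n")

    # Ensure proper target specification
    target = url_processor.checkhttp(target[0], target[1])

    def _page_found(url):
        """Fetch *url* and apply the success / false-positive checks."""
        # `HttpNtlmAuthentication=` is not a keyword requests.get() accepts;
        # it raised TypeError on every credentialed call. `auth=` is the
        # supported parameter (auth=None is requests' default).
        # NOTE(review): assumes creds is a requests auth handler. A plain
        # (user, password) tuple would be sent as HTTP Basic, in cleartext
        # on an http:// target -- confirm with the caller.
        page = requests.get(url, auth=creds, timeout=10)
        body = page.text  # public accessor instead of the private _content
        # The old pattern "[2**]" was a character class that matched any
        # status containing a '2' (302, 402, 502 ...); compare numerically.
        is_2xx = 200 <= page.status_code < 300
        # IGNORECASE delivers the capitalisation tolerance the original
        # comment asked for but the plain pattern did not provide.
        not_found = re.search("not found", body, re.IGNORECASE) is not None
        return is_2xx and "404" not in body and not not_found

    # Begin requesting pages
    for i in range(start, end):
        r = target + "/UserDisp.aspx?ID=" + str(i)
        sys.stdout.write(yellow + "\r[...] Trying %s" % r + endc)
        try:
            if _page_found(r):
                results.append(i)
            else:
                failures.append(i)  # retried below with Force
            sys.stdout.flush()
        except Exception:
            # Exception (not a bare except) so Ctrl-C still stops the run.
            sys.stdout.write(red + "\n[X] " + endc + "Unexpected Error in enumusers()\n" + endc)

    sys.stdout.write(
        yellow + "\n[!] " + endc + "Re-attempting failed IDs with the Force parameter set to True..." + endc)
    sys.stdout.write("\n")

    # Iterate over a snapshot: removing from the list being iterated skips
    # the element that follows each removal.
    for user in list(failures):
        # A second query parameter is joined with '&'; a second '?' would
        # make "?Force=True" part of the ID value.
        r = target + "/UserDisp.aspx?ID=" + str(user) + "&Force=True"
        sys.stdout.write(yellow + "\r[...] Retrying %s" % r + endc)
        try:
            if _page_found(r):
                results.append(user)
                failures.remove(user)
        except Exception:
            sys.stdout.write(red + "\n[X] " + endc + "Unexpected Error in enumusers(), failures loop" + endc)
        sys.stdout.flush()

    logging.info("UserID Brute Force Completed.")
    sys.stdout.write("\n")
    return results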
##################################################################################### # Handle target specification. This can come in the following combinations: # 1; Port but no target # 2; target but no port # 3; Neither target nor port # 4; Both provided # Right now, if the target is blank, then both must be set manually, eliminating (2) ##################################################################################### # A Target was provided if args.t is not None: # A port was also provided if args.p is not None: target[0] = args.t # Assign values target[1] = int(args.p) target[0] = url_processor.checkhttp(target[0], target[1]) # check URL # If the user provided a target but no port elif args.p is None: print( red + "[!]" + " Target specified on command line, but no port! Use -p to specify the port!" ) sys.exit(0) # No Target was provided... elif args.t is None: # A port was provided, but no target if args.p is not None: print( red + "[!]" +
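def enumusers(target, start=None, end=None, creds=None):
    """Request UserDisp.aspx for a range of numeric IDs and collect the hits.

    Args:
        target: two-item sequence ``[url, port]``, normalised through
            ``url_processor.checkhttp``.
        start: first ID to request; defaults to 1.
        end: upper bound handed to ``range`` (``end`` itself is not
            requested); defaults to 10.
        creds: optional value forwarded to ``requests.get`` as ``auth``.

    Returns:
        List of IDs whose page answered with a 2xx status and whose body
        contains neither "404" nor "Not Found" (any capitalisation).
    """
    results = []   # IDs that produced a page
    failures = []  # IDs to retry with Force=True

    if start is None:
        start = 1
        sys.stdout.write(yellow + "[!] " + endc +
                         "No start value provided, starting at UID=%d" % start +
                         endc)
        sys.stdout.write("\n")
    if end is None:
        end = 10
        sys.stdout.write(yellow + "[!] " + endc +
                         "No stop value provided, stopping at UID=%d" % end +
                         endc)
        sys.stdout.write("\n")

    # Ensure proper target specification
    target = url_processor.checkhttp(target[0], target[1])

    def _page_found(url):
        """Fetch *url* and apply the success / false-positive checks."""
        # `HttpNtlmAuthentication=` is not a keyword requests.get() accepts;
        # it raised TypeError on every credentialed call. `auth=` is the
        # supported parameter (auth=None is requests' default).
        # NOTE(review): assumes creds is a requests auth handler. A plain
        # (user, password) tuple would be sent as HTTP Basic, in cleartext
        # on an http:// target -- confirm with the caller.
        page = requests.get(url, auth=creds, timeout=10)
        body = page.text  # public accessor instead of the private _content
        # The old pattern "[2**]" was a character class that matched any
        # status containing a '2' (302, 402, 502 ...); compare numerically.
        is_2xx = 200 <= page.status_code < 300
        # IGNORECASE delivers the capitalisation tolerance the original
        # comment asked for but the plain pattern did not provide.
        not_found = re.search("not found", body, re.IGNORECASE) is not None
        return is_2xx and "404" not in body and not not_found

    # Begin requesting pages
    for i in range(start, end):
        r = target + "/UserDisp.aspx?ID=" + str(i)
        sys.stdout.write(yellow + "\r[...] Trying %s" % r + endc)
        try:
            if _page_found(r):
                results.append(i)
            else:
                failures.append(i)  # retried below with Force
            sys.stdout.flush()
        except Exception:
            # Exception (not a bare except) so Ctrl-C still stops the run.
            sys.stdout.write(red + "\n[X] " + endc +
                             "Unexpected Error in enumusers()\n" + endc)

    sys.stdout.write(
        yellow + "\n[!] " + endc +
        "Re-attempting failed IDs with the Force parameter set to True..." +
        endc)
    sys.stdout.write("\n")

    # Iterate over a snapshot: removing from the list being iterated skips
    # the element that follows each removal.
    for user in list(failures):
        # A second query parameter is joined with '&'; a second '?' would
        # make "?Force=True" part of the ID value.
        r = target + "/UserDisp.aspx?ID=" + str(user) + "&Force=True"
        sys.stdout.write(yellow + "\r[...] Retrying %s" % r + endc)
        try:
            if _page_found(r):
                results.append(user)
                failures.remove(user)
        except Exception:
            sys.stdout.write(red + "\n[X] " + endc +
                             "Unexpected Error in enumusers(), failures loop" +
                             endc)
        sys.stdout.flush()

    logging.info("UserID Brute Force Completed.")
    sys.stdout.write("\n")
    return results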