def httpscan_worker(target,
useragent,
proxy,
dir_bruteforce,
extensions,
dir_bruteforce_workers,
timeout,
excluded_code=[]):
httpscan = HTTPScan(target['method'], target['hostname'], target['port'],
useragent, proxy, timeout)
output = httpscan.get(target['path'])
if output != None and not output['code'] in excluded_code:
output['message_type'] = 'http'
output['target'] = httpscan.url(target['path'])
Output.write(output)
if httpscan.method == 'https':
names = httpscan.get_cert_hostnames()
if len(names) != 0:
Output.write({
"target":
httpscan.url(target['path']),
"message":
"certificates names: %s" % ", ".join(names)
})
if dir_bruteforce:
extension_list = ['']
if extensions != None:
extension_list += extensions.split(',')
extension_list = list(set(extension_list))
gen = dir_bruteforce_generator(target, dir_bruteforce,
extension_list)
gen_size = dir_file_count(dir_bruteforce) * len(extension_list)
args = (useragent, proxy, None, extensions, dir_bruteforce_workers,
timeout, [400, 404])
dispatch(gen,
gen_size,
httpscan_worker,
args,
workers=dir_bruteforce_workers,
process=False,
pg_name=httpscan.url(target['path']))
def telnetscan_worker(target, actions, creds, timeout):
try:
telnet = Telnet(target['hostname'], target['port'], timeout)
banner = telnet.connect()
Output.write({
'target': telnet.url(),
'message': 'Telnet: %s' % banner
})
if 'username' in creds and 'password' in creds:
success = telnet.auth(creds['username'], creds['password'])
if success:
Output.write({
'target':
telnet.url(),
'message':
'Successful authentication with username %s and password %s'
% (creds['username'], creds['password'])
})
if 'command' in actions:
output = "Command '%s':\n" % actions['command']['command']
output += telnet.execute(actions['command']['command'])
Output.write({
'target': target['hostname'],
'message': output
})
else:
Output.write({
'target':
telnet.url(),
'message':
'Authentication failure with username %s and password %s' %
(creds['username'], creds['password'])
})
if 'bruteforce' in actions:
if 'username_file' in actions['bruteforce'] != None:
Output.write({
'target': telnet.url(),
'message': 'Starting bruteforce:'
})
username_file = actions['bruteforce']['username_file']
password_file = actions['bruteforce'][
'password_file'] if 'password_file' in actions[
'bruteforce'] else None
bruteforce_workers = actions['bruteforce']['workers']
# The generator will provide a username:password_list couple
gen = bruteforce_generator(target, username_file,
password_file)
gen_size = bruteforce_generator_count(target, username_file,
password_file)
args = (timeout, )
dispatch(gen,
gen_size,
bruteforce_worker,
args,
workers=bruteforce_workers,
process=False,
pg_name=target['hostname'])
except ConnectionRefusedError:
pass
except Exception as e:
Output.write({
'target':
telnet.url(),
'message':
'%s: %s\n%s' % (type(e), e, traceback.format_exc())
})
finally:
telnet.disconnect()
def postgrescan_worker(target, actions, creds, timeout):
try:
postgresql = PostgreSQL(target['hostname'], target['port'], timeout)
if not 'username' in creds:
pass
elif not 'password' in creds:
pass
else:
username = creds['username']
password = creds['password']
success = False
success, version = postgresql.auth(username, password)
postgresql_info = {'version': version}
postgresql_info['target'] = postgresql.url()
postgresql_info['message_type'] = 'postgresql'
Output.write(postgresql_info)
if success:
Output.write({
'target':
postgresql.url(),
'message':
'Successful authentication with credentials %s and password %s'
% (username, password)
})
if 'list_dbs' in actions:
databases = postgresql.list_databases()
output = "Databases:\n"
for db in databases:
output += " " * 60 + "- %s:\n" % db['name']
for table in db['tables']:
output += " " * 60 + "\t- %s\n" % table
Output.write({
'target': postgresql.url(),
'message': output
})
if 'cmd' in actions:
output = "Command result:\n"
output += postgresql.execute_cmd(actions['cmd']['command'])
Output.write({
'target': postgresql.url(),
'message': output
})
else:
Output.write({
'target':
postgresql.url(),
'message':
'Authentication failure with credentials %s and password %s'
% (username, password)
})
if 'bruteforce' in actions:
if 'username_file' in actions['bruteforce'] != None:
Output.write({
'target': postgresql.url(),
'message': 'Starting bruteforce:'
})
username_file = actions['bruteforce']['username_file']
password_file = actions['bruteforce'][
'password_file'] if 'password_file' in actions[
'bruteforce'] else None
bruteforce_workers = actions['bruteforce']['workers']
# The generator will provide a username:password_list couple
gen = bruteforce_generator(target, username_file,
password_file)
gen_size = bruteforce_generator_count(target, username_file,
password_file)
args = (timeout, )
dispatch(gen,
gen_size,
bruteforce_worker,
args,
workers=bruteforce_workers,
process=False,
pg_name=target['hostname'])
except OSError:
pass
except ConnectionRefusedError:
pass
except Exception as e:
Output.write({
'target':
postgresql.url(),
'message':
'%s: %s\n%s' % (type(e), e, traceback.format_exc())
})
finally:
postgresql.disconnect()
def sshscan_worker(target, actions, creds, timeout):
try:
ssh = SSH(target['hostname'], target['port'], timeout)
version = ssh.get_version()
if not version:
return
Output.write({'target': ssh.url(), 'message': '%s' % version})
if 'username' in creds and 'password' in creds:
success = ssh.auth(creds['username'], creds['password'])
if success:
Output.write({
'target':
ssh.url(),
'message':
'Successful authentication with username %s and password %s'
% (creds['username'], creds['password'])
})
if 'command' in actions:
output = "Command '%s':\n" % actions['command']['command']
output += ssh.execute(actions['command']['command'])
Output.write({
'target': target['hostname'],
'message': output
})
else:
Output.write({
'target':
ssh.url(),
'message':
'Authentication failure with username %s and password %s' %
(creds['username'], creds['password'])
})
if 'bruteforce' in actions:
if 'username_file' in actions['bruteforce'] != None:
Output.write({
'target': ssh.url(),
'message': 'Starting bruteforce:'
})
username_file = actions['bruteforce']['username_file']
password_file = actions['bruteforce'][
'password_file'] if 'password_file' in actions[
'bruteforce'] else None
bruteforce_workers = actions['bruteforce']['workers']
# The generator will provide a username:password_list couple
gen = bruteforce_generator(target, username_file,
password_file)
gen_size = bruteforce_generator_count(target, username_file,
password_file)
args = (timeout, )
dispatch(gen,
gen_size,
bruteforce_worker,
args,
workers=bruteforce_workers,
process=False,
pg_name=target['hostname'])
except paramiko.AuthenticationException as e:
Output.write({
'target':
ssh.url(),
'message':
'Authentication failure with username %s and password %s' %
(creds['username'], creds['password'])
})
except ValueError as e:
Output.write({
'target':
ssh.url(),
'message':
"Authentication failure because of crypto failure: %s" % str(e)
})
except paramiko.SSHException as e:
pass
except socket.error:
pass
except Exception as e:
Output.write({
'target':
ssh.url(),
'message':
'%s: %s\n%s' % (type(e), e, traceback.format_exc())
})
finally:
ssh.disconnect()
def ftpscan_worker(target, actions, creds, timeout):
try:
ftpscan = FTPScan(target['hostname'], target['port'], timeout)
ftp_code, version = ftpscan.grab_banner()
if ftp_code:
Output.write({
'target': ftpscan.url(),
'message': '%d %s' % (ftp_code, version)
})
if 'username' in creds and 'password' in creds:
success = ftpscan.auth(creds['username'], creds['password'])
else:
success = ftpscan.auth()
if success:
if 'username' in creds and 'password' in creds:
Output.write({
'target':
ftpscan.url(),
'message':
'Successful connection with credentials %s:%s' % creds
})
else:
Output.write({
'target': ftpscan.url(),
'message': 'Successful anonymous connection'
})
if 'list' in actions:
try:
ftp_dir = '/'
contents = ""
for content in ftpscan.list_content(
ftp_dir, recurse=actions['list']['recurse']):
if 'size' in content:
contents += " " * 60 + "- %s %s\n" % (
content['name'].ljust(30),
sizeof_fmt(content['size']))
else:
contents += " " * 60 + "- %s\n" % content[
'name']
Output.write({
'target':
ftpscan.url(),
'message':
'Contents of %s\n%s' % (ftp_dir, contents)
})
except socket.timeout as e:
Output.write({
'target':
ftpscan.url(),
'message':
'Timeout while listing folder, do you have a firewall enabled ?'
})
if 'bruteforce' in actions:
if 'username_file' in actions['bruteforce'] != None:
Output.write({
'target': ftpscan.url(),
'message': 'Starting bruteforce:'
})
username_file = actions['bruteforce']['username_file']
password_file = actions['bruteforce'][
'password_file'] if 'password_file' in actions[
'bruteforce'] else None
bruteforce_workers = actions['bruteforce']['workers']
# The generator will provide a username:password_list couple
gen = bruteforce_generator(target, username_file,
password_file)
gen_size = bruteforce_generator_count(target, username_file,
password_file)
args = (timeout, )
dispatch(gen,
gen_size,
bruteforce_worker,
args,
workers=bruteforce_workers,
process=False,
pg_name=target['hostname'])
except Exception as e:
Output.write({
'target':
ftpscan.url(),
'message':
'%s: %s\n%s' % (type(e), e, traceback.format_exc())
})
finally:
ftpscan.disconnect()
def mysqlscan_worker(target, actions, creds, timeout):
try:
mysqlscan = MySQLScan(target['hostname'], target['port'], timeout)
# We are against a MySQL server
# Gather info
version = mysqlscan.get_server_version_unauth()
if version == None:
return
mysql_info = {'version': version}
mysql_info['target'] = mysqlscan.url()
mysql_info['message_type'] = 'mysql'
Output.write(mysql_info)
if not 'username' in creds:
pass
elif not 'password' in creds:
pass
else:
username = creds['username']
password = creds['password']
success = False
try:
success, version = mysqlscan.auth(username, password)
Output.write({
'target':
mysqlscan.url(),
'message':
'Successful authentication with credentials %s and password %s'
% (username, password)
})
except AuthFailure as e:
Output.write({
'target':
mysqlscan.url(),
'message':
'Authentication failure with credentials %s and password %s: %s'
% (username, password, str(e))
})
if success:
if 'list_dbs' in actions:
databases = mysqlscan.list_databases()
output = "Databases:\n"
for db in databases:
output += " " * 60 + "- %s:\n" % db['name']
for table in db['tables']:
output += " " * 60 + "\t- %s\n" % table
Output.write({
'target': mysqlscan.url(),
'message': output
})
if 'list_hashes' in actions:
hashes = mysqlscan.list_hashes()
output = "Hashes:\n"
for account in hashes:
user = "******" % (account['username'],
account['host'])
output += " " * 60 + "- %s %s\n" % (user,
account['hash'])
Output.write({
'target': mysqlscan.url(),
'message': output
})
if 'sql' in actions:
output = "Query result:\n"
result = mysqlscan.execute_sql(actions['sql']['query'])
for item in result:
output += "- %s\n" % (item, )
Output.write({
'target': mysqlscan.url(),
'message': output
})
if 'bruteforce' in actions:
if 'username_file' in actions['bruteforce'] != None:
Output.write({
'target': mysqlscan.url(),
'message': 'Starting bruteforce:'
})
username_file = actions['bruteforce']['username_file']
password_file = actions['bruteforce'][
'password_file'] if 'password_file' in actions[
'bruteforce'] else None
bruteforce_workers = actions['bruteforce']['workers']
# The generator will provide a username:password_list couple
gen = bruteforce_generator(target, username_file,
password_file)
gen_size = bruteforce_generator_count(target, username_file,
password_file)
args = (timeout, )
dispatch(gen,
gen_size,
bruteforce_worker,
args,
workers=bruteforce_workers,
process=False,
pg_name=target['hostname'])
except OSError:
pass
except ConnectionRefusedError:
pass
except Exception as e:
Output.write({
'target':
mysqlscan.url(),
'message':
'%s: %s\n%s' % (type(e), e, traceback.format_exc())
})
finally:
mysqlscan.disconnect()
def mongoscan_worker(target, actions, creds, timeout):
try:
auth = False
version_printed = False
mongo = Mongo(target['hostname'], target['port'], timeout)
# try anonymous auth
auth, version = mongo.auth(None, None)
if auth:
version_printed = True
Output.write({'target': mongo.url(), 'message': version})
Output.write({
'target':
mongo.url(),
'message':
'Authentication success with anonymous credentials'
})
if 'username' in creds and 'password' in creds:
mongo_auth = Mongo(target['hostname'], target['port'], timeout)
auth2, version = mongo_auth.auth(creds['username'],
creds['password'],
database=target['database'])
if auth2:
auth = auth2
if not version_printed:
Output.write({'target': mongo.url(), 'message': version})
Output.write({
'target':
mongo.url(),
'message':
'Authentication success with username %s and password %s for database \'%s\''
%
(creds['username'], creds['password'], target['database'])
})
mongo.disconnect()
mongo = mongo_auth
if not auth:
Output.write({'target': mongo.url(), 'message': 'Unknown'})
else:
if 'list_dbs' in actions:
databases = mongo.list_databases()
output = "Databases:\n"
for db in databases:
output += " " * 60 + "- %s:\n" % db['name']
for table in db['collections']:
output += " " * 60 + "\t- %s\n" % table
Output.write({'target': mongo.url(), 'message': output})
if 'bruteforce' in actions:
if 'username_file' in actions['bruteforce'] != None:
Output.write({
'target': mongo.url(),
'message': 'Starting bruteforce:'
})
username_file = actions['bruteforce']['username_file']
password_file = actions['bruteforce'][
'password_file'] if 'password_file' in actions[
'bruteforce'] else None
bruteforce_workers = actions['bruteforce']['workers']
# The generator will provide a username:password_list couple
gen = bruteforce_generator(target, username_file,
password_file)
gen_size = bruteforce_generator_count(target, username_file,
password_file)
args = (timeout, )
dispatch(gen,
gen_size,
bruteforce_worker,
args,
workers=bruteforce_workers,
process=False,
pg_name=target['hostname'])
except OSError:
pass
except ConnectionRefusedError:
pass
except Exception as e:
Output.write({
'target':
mongo.url(),
'message':
'%s: %s\n%s' % (type(e), e, traceback.format_exc())
})
finally:
mongo.disconnect()
def redisscan_worker(target, actions, creds, timeout):
try:
auth = False
version_printed = False
redis = Redis(target['hostname'], target['port'], timeout)
# try anonymous auth
auth, version = redis.auth(None)
if auth:
version_printed = True
Output.write({'target': redis.url(), 'message': version})
Output.write({'target': redis.url(), 'message': 'Authentication success with anonymous credentials'})
if 'password' in creds:
redis_auth = Redis(target['hostname'], target['port'], timeout)
auth2, version2 = redis_auth.auth(creds['password'])
if auth2:
auth = auth2
version = version2
if not version_printed:
Output.write({'target': redis.url(), 'message': version})
Output.write({'target': redis.url(), 'message': 'Authentication success with password %s' % (creds['password'],)})
redis.disconnect()
redis = redis_auth
if version:
# check if vulnerable to CVE-2015-4335
version_tuple = tuple([int(i) for i in version.split(".")])
if version_tuple < (2, 8, 21) or version_tuple[0] == 3 and version_tuple < (3, 0, 2):
Output.write({'target': redis.url(), 'message': "RCE on Redis (CVE-2015-4335)"})
if not auth:
Output.write({'target': redis.url(), 'message': 'Unknown'})
else:
"""
if 'list_dbs' in actions:
databases = redis.list_databases()
output = "Databases:\n"
for db in databases:
output += " "*60+"- %s:\n" % db['name']
for table in db['collections']:
output += " "*60+"\t- %s\n" % table
Output.write({'target': redis.url(), 'message': output})
"""
if 'bruteforce' in actions:
if 'password_file' in actions['bruteforce'] != None:
Output.write({'target': redis.url(), 'message': 'Starting bruteforce:'})
password_file = actions['bruteforce']['password_file']
bruteforce_workers = actions['bruteforce']['workers']
# The generator will provide a username:password_list couple
gen = bruteforce_generator(target, password_file)
gen_size = bruteforce_generator_count(target, password_file)
args = (timeout,)
dispatch(gen, gen_size, bruteforce_worker, args, workers=bruteforce_workers, process=False, pg_name=target['hostname'])
except OSError:
pass
except ConnectionRefusedError:
pass
except redislib.exceptions.ConnectionError:
pass
except redislib.exceptions.TimeoutError:
pass
except Exception as e:
Output.write({'target': redis.url(), 'message': '%s: %s\n%s' % (type(e), e, traceback.format_exc())})
finally:
redis.disconnect()
def smbscan_worker(target, actions, creds, timeout):
try:
smbscan = SMBScan(target['hostname'], target['port'], timeout)
if smbscan.connect():
# We are against a SMB server
# Gather info
smb_info = smbscan.get_server_info()
smb_info['target'] = smbscan.url()
smb_info['message_type'] = 'smb'
Output.write(smb_info)
smbscan.disconnect()
# Start new connection
smbscan.connect()
success = False
is_admin = False
# Authenticate
if not 'username' in creds:
pass
else:
if not 'domain' in creds:
creds['domain'] = 'WORKGROUP'
if '\\' in creds['username']:
creds['domain'] = creds['username'].split('\\')[0]
creds['username'] = creds['username'].split('\\')[1]
if 'password' in creds:
try:
success, is_admin = smbscan.auth(
domain=creds['domain'],
username=creds['username'],
password=creds['password'])
Output.write({
'target':
smbscan.url(),
'message':
'Successful authentication with credentials {domain}\\{username} and password {password}'
.format(**creds)
})
except AuthFailure as e:
Output.write({
'target':
smbscan.url(),
'message':
'Authentication failure with credentials {domain}\\{username} and password {password}: %s'
.format(**creds) % str(e)
})
elif 'hash' in creds:
try:
success, is_admin = smbscan.auth(
domain=creds['domain'],
username=creds['username'],
hash=creds['hash'])
Output.write({
'target':
smbscan.url(),
'message':
'Successful authentication with credentials {domain}\\{username} and hash {hash}'
.format(**creds)
})
except AuthFailure as e:
Output.write({
'target':
smbscan.url(),
'message':
'Authentication failure with credentials {domain}\\{username} and hash {hash}: %s'
.format(**creds) % str(e)
})
else:
try:
success, is_admin = smbscan.auth(
domain=creds['domain'],
username=creds['username'],
password='')
Output.write({
'target':
smbscan.url(),
'message':
'Successful authentication with credentials {domain}\\{username} and no password'
.format(**creds)
})
except AuthFailure as e:
Output.write({
'target':
smbscan.url(),
'message':
'Authentication failure with credentials {domain}\\{username} and no password: %s'
.format(**creds) % str(e)
})
if is_admin:
Output.write({
'target':
smbscan.url(),
'message':
'Administrative privileges with credentials {domain}\\{username}'
.format(**creds)
})
if success:
# Authenticated, now perform actions
share_list = []
if 'list_shares' in actions:
shares = "Shares:\n"
try:
for share_info in smbscan.list_shares():
shares += " " * 60 + "- %s %s %s\n" % (
share_info['name'].ljust(15), ", ".join(
share_info['access']).ljust(20),
share_info['remark'])
share_list.append(share_info['name'])
Output.write({
'target': smbscan.url(),
'message': shares
})
except impacket.smbconnection.SessionError as e:
if 'STATUS_ACCESS_DENIED' in str(e):
Output.write({
'target':
smbscan.url(),
'message':
'List shares: Access denied'
})
else:
raise e
if 'list' in actions:
try:
if not 'share' in actions['list']:
if len(share_list) == 0:
for share_info in smbscan.list_shares():
share_list.append(share_info['name'])
else:
share_list = [actions['list']['share']]
for share in share_list:
contents = "Content of share %s:\n" % share
for content in smbscan.list_content(
path="\\",
share=share,
recurse=actions['list']['recurse']):
if 'size' in content:
contents += " " * 60 + "- %s %s\n" % (
content['name'].ljust(30),
sizeof_fmt(content['size']))
else:
contents += " " * 60 + "- %s\n" % (
content['name'].ljust(30), )
Output.write({
'target': smbscan.url(),
'message': contents
})
except impacket.smbconnection.SessionError as e:
if 'STATUS_ACCESS_DENIED' in str(e):
Output.write({
'target':
smbscan.url(),
'message':
'List share contents: Access denied'
})
else:
raise e
if 'command' in actions:
output = smbscan.exec(
actions['command']['command'],
exec_method=actions['command']['method'],
get_output=True)
if output:
Output.write({
'target':
smbscan.url(),
'message':
'Executed command \'%s\':\n%s' %
(actions['command']['command'], output)
})
else:
Output.write({
'target':
smbscan.url(),
'message':
'Failed to execute command %s' %
(actions['command']['command'], )
})
if 'sam' in actions:
output = "SAM hashes:\n"
try:
entries = smbscan.dump_sam()
for entry in entries:
output += " " * 60 + "- %s %s\n" % (
entry['username'].ljust(30), entry['hash'])
Output.write({
'target': smbscan.url(),
'message': output
})
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if 'access_denied' in str(e):
Output.write({
'target': smbscan.url(),
'message': 'SAM dump: Access denied'
})
else:
raise e
if 'lsa' in actions:
output = "LSA secrets:\n"
try:
entries = smbscan.dump_lsa()
for entry in entries:
output += " " * 60 + "- %s\n" % (entry['secret'], )
Output.write({
'target': smbscan.url(),
'message': output
})
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if 'access_denied' in str(e):
Output.write({
'target': smbscan.url(),
'message': 'LSA dump: Access denied'
})
else:
raise e
if 'users' in actions:
Output.write({
'target': smbscan.url(),
'message': 'Users:'
})
try:
entries = smbscan.enum_users()
for entry in entries:
user = '******' % (entry['domain'],
entry['username'])
Output.write({
'target':
smbscan.url(),
'message':
'(%d) %s %s [%s]' %
(entry['uid'], user.ljust(30),
entry['fullname'].ljust(30), ','.join(
entry['tags']))
})
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if 'access_denied' in str(e):
Output.write({
'target': smbscan.url(),
'message': 'Enum users: Access denied'
})
else:
raise e
if 'groups' in actions:
Output.write({
'target': smbscan.url(),
'message': 'Groups:'
})
try:
entries = smbscan.enum_groups()
for entry in entries:
group = '%s\\%s' % (entry['domain'],
entry['groupname'])
Output.write({
'target':
smbscan.url(),
'message':
'(%d) %s %s' %
(entry['uid'], group.ljust(30),
entry['admin_comment'])
})
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if 'access_denied' in str(e):
Output.write({
'target':
smbscan.url(),
'message':
'Enum groups: Access denied'
})
else:
raise e
if 'admins' in actions:
Output.write({
'target': smbscan.url(),
'message': 'Administrators:'
})
try:
entries = smbscan.enum_admins()
for entry in entries:
admin = '%s\\%s' % (entry['domain'], entry['name'])
Output.write({
'target':
smbscan.url(),
'message':
'- %s (%s)' % (admin.ljust(30), entry['type'])
})
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if 'access_denied' in str(e):
Output.write({
'target':
smbscan.url(),
'message':
'Enum admins: Access denied'
})
else:
raise e
if 'passpol' in actions:
try:
password_policy = smbscan.enum_password_policy()
output = "Password policy:\n"
output += " " * 60 + "- Complexity: %s\n" % (
"Enabled" if password_policy['complexity'] == 1
else "Disabled", )
output += " " * 60 + "- Minimum length: %d\n" % password_policy[
'minimum_length']
output += " " * 60 + "- History: last %d passwords\n" % password_policy[
'history_length']
output += " " * 60 + "- Maximum age: %s\n" % password_policy[
'maximum_age']
output += " " * 60 + "- Minimum age: %s\n" % password_policy[
'minimum_age']
output += " " * 60 + "- Lock threshold: %s\n" % (
str(password_policy['lock_threshold'])
if password_policy['lock_threshold'] != 0 else
"Disabled", )
if password_policy['lock_threshold'] != 0:
output += " " * 60 + "- Lock duration: %s\n" % password_policy[
'lock_duration']
Output.write({
'target': smbscan.url(),
'message': output
})
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if 'access_denied' in str(e):
Output.write({
'target':
smbscan.url(),
'message':
'Enum password policy: Access denied'
})
else:
raise e
if 'loggedin' in actions:
Output.write({
'target': smbscan.url(),
'message': 'Logged in users:'
})
try:
entries = smbscan.enum_loggedin()
for entry in entries:
Output.write({
'target':
smbscan.url(),
'message':
'Logged in: %s\\%s' %
(entry['domain'], entry['username'])
})
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if 'access_denied' in str(e):
Output.write({
'target':
smbscan.url(),
'message':
'Enum logged in: Access denied'
})
else:
raise e
if 'session' in actions:
Output.write({
'target': smbscan.url(),
'message': 'Sessions:'
})
try:
entries = smbscan.enum_sessions()
for entry in entries:
Output.write({
'target': smbscan.url(),
'message': 'Session: %s' % (entry, )
})
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if 'access_denied' in str(e):
Output.write({
'target':
smbscan.url(),
'message':
'Enum sessions: Access denied'
})
else:
raise e
if 'rid_brute' in actions:
Output.write({
'target':
smbscan.url(),
'message':
'Users discovered via RID bruteforce:'
})
try:
entries = smbscan.rid_bruteforce(
actions['rid_brute']['start'],
actions['rid_brute']['end'])
for entry in entries:
user = '******' % (entry['domain'], entry['name'])
Output.write({
'target':
smbscan.url(),
'message':
'- %s (%s)' % (user.ljust(30), entry['type'])
})
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if 'access_denied' in str(e):
Output.write({
'target':
smbscan.url(),
'message':
'RID brutefroce: Access denied'
})
else:
raise e
if 'bruteforce' in actions:
if 'username_file' in actions['bruteforce'] != None:
Output.write({
'target': smbscan.url(),
'message': 'Starting bruteforce:'
})
if 'domain' in creds:
domain = creds['domain']
else:
domain = 'WORKGROUP'
username_file = actions['bruteforce']['username_file']
password_file = actions['bruteforce'][
'password_file'] if 'password_file' in actions[
'bruteforce'] else None
bruteforce_workers = actions['bruteforce']['workers']
# The generator will provide a username:password_list couple
gen = bruteforce_generator(target, domain, username_file,
password_file)
gen_size = bruteforce_generator_count(
target, domain, username_file, password_file)
args = (timeout, )
dispatch(gen,
gen_size,
bruteforce_worker,
args,
workers=bruteforce_workers,
process=False,
pg_name=target['hostname'])
if 'simple_bruteforce' in actions:
if 'username_file' in actions['bruteforce'] != None:
Output.write({
'target': smbscan.url(),
'message': 'Starting simple bruteforce:'
})
if 'domain' in creds:
domain = creds['domain']
else:
domain = 'WORKGROUP'
username_file = actions['bruteforce']['username_file']
bruteforce_workers = actions['bruteforce']['workers']
# The generator will provide a username:password_list couple
gen = bruteforce_generator(target,
domain,
username_file,
None,
simple_bruteforce=True)
gen_size = bruteforce_generator_count(
target, domain, username_file, password_file)
args = (timeout, )
dispatch(gen,
gen_size,
bruteforce_worker,
args,
workers=bruteforce_workers,
process=False,
pg_name=target['hostname'])
except ConnectionResetError:
Output.write({
'target': smbscan.url(),
'message': 'Connection reset by target'
})
except TypeError as e:
if 'ConnectionResetError' in str(e):
Output.write({
'target': smbscan.url(),
'message': 'Connection reset by target'
})
else:
Output.write({
'target':
smbscan.url(),
'message':
'%s: %s\n%s' % (type(e), e, traceback.format_exc())
})
except Exception as e:
Output.write({
'target':
smbscan.url(),
'message':
'%s: %s\n%s' % (type(e), e, traceback.format_exc())
})
finally:
smbscan.disconnect()