def update(sessionid=None, action=None, sleep=0): if sessionid is None or sessionid <= 0: context = data_return(306, TRANSPORT_MSG.get(306), {}) return context if action == "next": result_flag = RpcClient.call( Method.SessionMeterpreterTransportNext, [sessionid]) elif action == "prev": result_flag = RpcClient.call( Method.SessionMeterpreterTransportPrev, [sessionid]) elif action == "sleep": result_flag = RpcClient.call( Method.SessionMeterpreterTransportSleep, [sessionid, sleep]) if result_flag: reconnect_time = time.time() + sleep Notice.send_warn( f'切换Session到休眠 SID:{sessionid} 重连时间: {time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(reconnect_time))}' ) context = data_return(203, TRANSPORT_MSG.get(203), {}) return context else: context = data_return(305, TRANSPORT_MSG.get(305), []) return context else: result_flag = False if result_flag: Notice.send_info(f"切换传输完成 SID:{sessionid}") context = data_return(202, TRANSPORT_MSG.get(202), {}) return context else: context = data_return(302, TRANSPORT_MSG.get(302), []) return context
def write(data=None): cid = Xcache.get_console_id() if cid is None: get_active_console_result = Console.get_active_console() if get_active_console_result: cid = Xcache.get_console_id() else: return False, None params = [cid, data + "\r\n"] result = RpcClient.call(Method.ConsoleWrite, params) if result is None or result.get("result") == "failure": get_active_console_result = Console.get_active_console() if get_active_console_result: cid = Xcache.get_console_id() params = [cid, data + "\r\n"] result = RpcClient.call(Method.ConsoleWrite, params) if result is None or result.get("result") == "failure": return False, None else: return True, result else: return False, result else: return True, result
def destory(query_params): opts = { "uuid": None, "transport": None, "lhost": None, "lport": None, "ua": None, "proxy_host": None, "proxy_port": None, "proxy_type": None, "proxy_user": None, "proxy_pass": None, "comm_timeout": None, "session_exp": None, "retry_total": None, "retry_wait": None, "cert": None, "luri": None, } sessionid = query_params.get("sessionid") opts["url"] = query_params.get("url") result_flag = RpcClient.call(Method.SessionMeterpreterTransportRemove, [sessionid, opts]) if result_flag: Notice.send_info(f"删除传输 SID:{sessionid}") context = data_return(204, TRANSPORT_MSG.get(204), {}) return context else: context = data_return(304, TRANSPORT_MSG.get(304), []) return context
def destroy(sessionid=None): if sessionid is None or sessionid <= 0: context = data_return(304, Session_MSG.get(304), {}) return context else: params = [sessionid] try: result = RpcClient.call(Method.SessionStop, params, timeout=12) if result is None: # 删除超时 Notice.send_success( f"{Session_MSG.get(202)} SID: {sessionid}") context = data_return(202, Session_MSG.get(202), {}) return context elif result.get('result') == 'success': Notice.send_success( f"{Session_MSG.get(201)} SID: {sessionid}") context = data_return(201, Session_MSG.get(201), {}) return context else: Notice.send_warning( f"{Session_MSG.get(301)} SID: {sessionid}") context = data_return(301, Session_MSG.get(301), {}) return context except Exception as E: logger.error(E) Notice.send_warning(f"{Session_MSG.get(301)} SID: {sessionid}") context = data_return(301, Session_MSG.get(301), {}) return context
def run(module_type=None, mname=None, opts=None, runasjob=False, timeout=1800): """实时运行MSF模块""" params = [module_type, mname, opts, runasjob, timeout] result = RpcClient.call(Method.ModuleExecute, params) return result
def run_as_job( module_type, mname, opts, ): """后台任务方式运行""" params = [module_type, mname, opts, True, 5] result = RpcClient.call(Method.ModuleExecute, params) return result
def get_match_route_for_ipaddress_list(ipaddress_list=None): if isinstance(ipaddress_list, list) is not True: return None if ipaddress_list is []: return [] params = [ipaddress_list] result = RpcClient.call(Method.SessionMeterpreterRouteGet, params) return result
def reset_active_console(): result = RpcClient.call(Method.ConsoleList, []) if result is None: Xcache.set_console_id(None) else: consoles = result.get("consoles") if len(consoles) == 0: pass else: for console in consoles: # 删除已知命令行 cid = int(console.get("id")) params = [cid] RpcClient.call(Method.ConsoleDestroy, params) result = RpcClient.call(Method.ConsoleCreate) if result is None: Xcache.set_console_id(None) else: active_id = int(result.get("id")) Xcache.set_console_id(active_id)
def tabs(line=None): cid = Xcache.get_console_id() if cid is None: return False, {} params = [cid, line] result = RpcClient.call(Method.ConsoleTabs, params) if result is None or result.get("result") == "failure": logger.warning("Cid: {}错误".format(cid)) return False, {} else: return True, result
def destroy_adv_job(task_uuid=None, job_id=None, broker=None): try: if broker == BROKER.post_python_job: flag = aps_module.delete_job_by_uuid(task_uuid) if flag is not True: context = data_return(304, Job_MSG.get(304), {}) return context else: context = data_return(204, Job_MSG.get(204), { "uuid": task_uuid, "job_id": job_id }) return context elif broker == BROKER.post_msf_job: req = Xcache.get_module_task_by_uuid(task_uuid=task_uuid) common_module_instance = req.get("module") Xcache.del_module_task_by_uuid(task_uuid) params = [job_id] result = RpcClient.call(Method.JobStop, params) if result is None: context = data_return(305, Job_MSG.get(305), {}) return context if result.get('result') == 'success': # 发送通知 Notice.send_info("模块: {} {} 手动删除完成".format( common_module_instance.NAME, common_module_instance.target_str)) context = data_return(204, Job_MSG.get(204), { "uuid": task_uuid, "job_id": job_id }) return context else: context = data_return(304, Job_MSG.get(304), {}) return context elif broker == BROKER.bot_msf_job: flag = Xcache.del_bot_wait_by_group_uuid(task_uuid) if flag is not True: context = data_return(304, Job_MSG.get(304), {}) return context else: context = data_return(204, Job_MSG.get(204), {"uuid": task_uuid}) return context else: context = data_return(304, Job_MSG.get(304), {}) return context except Exception as E: logger.error(E) context = data_return(500, CODE_MSG.get(500), {}) return context
def list_msfrpc_jobs_no_cache(): infos = {} try: result = RpcClient.call(Method.JobList) Xcache.set_msf_job_cache(result) if result is None: infos = {} else: infos = result except Exception as E: logger.error(E) return infos
def get_active_console(): result = RpcClient.call(Method.ConsoleList, []) if result is None: Xcache.set_console_id(None) return False else: consoles = result.get("consoles") if len(consoles) == 0: consoles_create_opt = {"SkipDatabaseInit": True, 'AllowCommandPassthru': False} result = RpcClient.call(Method.ConsoleCreate, [consoles_create_opt]) if result is None: Xcache.set_console_id(None) return False else: active_id = int(result.get("id")) Xcache.set_console_id(active_id) return True else: active_id = int(consoles[0].get("id")) Xcache.set_console_id(active_id) return True
def session_kill(): cid = Xcache.get_console_id() if cid is None: return False, {} params = [cid] result = RpcClient.call(Method.ConsoleSessionKill, params) if result is None: return False, {} elif result.get("result") == "failure": logger.warning("Cid: {}错误".format(cid)) return False, {} else: return True, result
def destroy(id=None): try: params = [id] result = RpcClient.call(Method.JobStop, params) if result is None: return False if result.get('result') == 'success': return True else: return False except Exception as E: logger.error(E) return False
def create(ipaddress=None, sessionid=None, user_input=None): try: user_input = user_input.strip() if user_input.startswith('shell'): command = user_input[len('shell'):] if len(command) == 0: new_bufer = "\n{}\n".format( "Not support switch to Dos/Bash,input like\"shell whoami\" to run os cmd." ) result = Xcache.add_sessionio_cache(ipaddress, new_bufer) context = data_return(200, SessionIO_MSG.get(200), result) return context else: user_input = f"shell -c '{command}'" if user_input.startswith('exit'): params = [sessionid] result = RpcClient.call(Method.SessionMeterpreterSessionKill, params) context = data_return(203, SessionIO_MSG.get(203), result) return context params = [sessionid, user_input] result = RpcClient.call(Method.SessionMeterpreterWrite, params) if result is None: context = data_return(305, SessionIO_MSG.get(305), {}) elif result.get('result') == 'success': new_bufer = "{}{}\n".format(METERPRETER_PROMPT, user_input) result = Xcache.add_sessionio_cache(ipaddress, new_bufer) context = data_return(200, SessionIO_MSG.get(200), result) else: context = data_return(305, SessionIO_MSG.get(305), {}) except Exception as E: logger.error(E) context = data_return(306, SessionIO_MSG.get(306), {}) return context
def is_msf_job_alive(job_id): time.sleep(0.5) try: result = RpcClient.call(Method.JobList) Xcache.set_msf_job_cache(result) if result is None: return False else: if result.get(str(job_id)) is not None: return True else: return False except Exception as E: logger.error(E) return False
def update_service_status(): data = { 'json_rpc': { 'status': False }, } # 检查msfrpc服务状态 result = RpcClient.call(method=Method.CoreVersion, params=None, timeout=3) if result is None: data['json_rpc'] = {'status': False} logger.warning("json_rpc服务无法连接,请确认!") else: data['json_rpc'] = {'status': True} return data
def update(ipaddress=None, sessionid=None): old_result = Xcache.get_sessionio_cache(ipaddress) if sessionid is None or sessionid == -1: context = data_return(202, SessionIO_MSG.get(202), old_result) return context try: params = [sessionid] result = RpcClient.call(Method.SessionMeterpreterRead, params) if result is None or (isinstance(result, dict) is not True): context = data_return(303, SessionIO_MSG.get(303), old_result) return context new_bufer = result.get('data') result = Xcache.add_sessionio_cache(ipaddress, new_bufer) context = data_return(200, CODE_MSG.get(200), result) # code特殊处理 except Exception as E: logger.error(E) context = data_return(306, SessionIO_MSG.get(405), old_result) return context
def putin_post_msf_module_queue(msf_module=None): """调用msgrpc生成job,放入列表""" params = [ msf_module.type, msf_module.mname, msf_module.opts, True, # 强制设置后台运行 0 # 超时时间 ] result = RpcClient.call(Method.ModuleExecute, params) if result is None: Notice.send_warning(f"渗透服务连接失败,无法执行模块 :{msf_module.NAME}") return False elif result == "license expire": Notice.send_warning(f"License 过期,无法执行模块 :{msf_module.NAME}") return False # result 数据格式 # {'job_id': 3, 'uuid': 'dbcb2530-95b1-0137-5100-000c2966078a', 'module': b'\x80\ub.'} if result.get("job_id") is None: logger.warning("模块实例:{} uuid: {} 创建后台任务失败".format( msf_module.NAME, result.get("uuid"))) Notice.send_warning("模块: {} {} 创建后台任务失败,请检查输入参数".format( msf_module.NAME, msf_module.target_str)) return False else: logger.warning("模块实例放入列表:{} job_id: {} uuid: {}".format( msf_module.NAME, result.get("job_id"), result.get("uuid"))) # 放入请求队列 req = { 'broker': msf_module.MODULE_BROKER, 'uuid': result.get("uuid"), 'module': msf_module, 'time': int(time.time()), 'job_id': result.get("job_id"), } Xcache.create_module_task(req) Notice.send_info("模块: {} {} 开始执行".format(msf_module.NAME, msf_module.target_str)) return True
def list_transport(sessionid): tmp_enum_list = Handler.list_handler_config() result_list = RpcClient.call(Method.SessionMeterpreterTransportList, [sessionid]) if result_list is None: transports = [] return { 'session_exp': 0, 'transports': transports, "handlers": tmp_enum_list } else: result_list["handlers"] = tmp_enum_list transports = result_list.get("transports") current_transport_url = None if len(transports) > 0: transports[0]["active"] = True current_transport_url = transports[0].get("url") i = 0 for transport in transports: transport["tid"] = i i += 1 if transport.get("url") == current_transport_url: transport["active"] = True if transport.get("cert_hash") is not None: cert_hash = transport.get("cert_hash") transport["cert_hash"] = base64.b64encode( cert_hash.encode("utf-8")) def get_url(data): return data.get("url") transports.sort(key=get_url) return result_list
def _set_base_info(self): info = RpcClient.call(Method.SessionGet, [self.sessionid], timeout=3) if info is None: return False # 处理linux的no-user问题 if str(info.get('info')).split(' @ ')[0] == "no-user": info['info'] = info.get('info')[10:] self.info = info.get('info') self.type = info.get('type') self.session_host = info.get('session_host') self.session_port = info.get('session_port') self.target_host = info.get('target_host') self.tunnel_local = info.get('tunnel_local') self.tunnel_peer = info.get('tunnel_peer') self.exploit_uuid = info.get('exploit_uuid') self.via_exploit = info.get('via_exploit') self.via_payload = info.get('via_payload') self.arch = info.get('arch') self.platform = info.get('platform') self._session_uuid = info.get('uuid') self.last_checkin = info.get('last_checkin') // 10 * 10 self.fromnow = (int(time.time()) - info.get('last_checkin')) // 10 * 10 self.tunnel_peer_ip = info.get('tunnel_peer').split(":")[0] self.tunnel_peer_locate = Geoip.get_city( info.get('tunnel_peer').split(":")[0]) self.load_powershell = info.get('load_powershell') self.load_python = info.get('load_python') routestrlist = info.get('routes') try: if isinstance(routestrlist, list): for routestr in routestrlist: routestr.split('/') tmpdict = { "subnet": routestr.split('/')[0], 'netmask': routestr.split('/')[1] } self.route.append(tmpdict) except Exception as E: logger.error(E) try: self.user = str(info.get('info')).split(' @ ')[0] self.computer = str(info.get('info')).split(' @ ')[1] except Exception as _: return False else: try: self.os = info.get('advanced_info').get("sysinfo").get("OS") self.os_short = info.get('advanced_info').get("sysinfo").get( "OS").split("(")[0] if len(self.os_short) > 18: self.os_short = f"{self.os_short[0:6]} ... {self.os_short[-6:]}" except Exception as _: self.os = None self.os_short = None try: self.is_admin = info.get('advanced_info').get("sysinfo").get( "IsAdmin") except Exception as _: pass try: self.logged_on_users = info.get('advanced_info').get( "sysinfo").get("Logged On Users") except Exception as _: pass try: self.pid = info.get('advanced_info').get("sysinfo").get("Pid") except Exception as _: pass try: self.domain = info.get('advanced_info').get("sysinfo").get( "Domain") except Exception as _: pass self.available = True return True
def run_with_output(module_type, mname, opts, _timeout=180): """实时运行,获取输出""" params = [module_type, mname, opts, False, _timeout] result = RpcClient.call(Method.ModuleExecute, params) return result
def list_portfwd(): result_list = RpcClient.call(Method.SessionMeterpreterPortFwdList) if result_list is None: return [] else: return result_list
def list_sessions(): uuid_msfjobid = {} msfjobs = Job.list_msfrpc_jobs() if msfjobs is not None: for jobid in msfjobs: datastore = msfjobs[jobid].get("datastore") if datastore is not None: uuid_msfjobid[msfjobs[jobid]["uuid"]] = {"job_id": int(jobid), "PAYLOAD": datastore.get("PAYLOAD"), "LPORT": datastore.get("LPORT"), "LHOST": datastore.get("LHOST"), "RHOST": datastore.get("RHOST")} sessions_available_count = 0 sessions = [] infos = RpcClient.call(Method.SessionList, timeout=3) if infos is None: return sessions if infos.get('error'): logger.warning(infos.get('error_string')) return sessions sessionhosts = [] for key in infos.keys(): info = infos.get(key) if info is not None: one_session = {} try: one_session['id'] = int(key) except Exception as E: logger.warning(E) continue # 处理linux的no-user问题 if str(info.get('info')).split(' @ ')[0] == "no-user": info['info'] = info.get('info')[10:] one_session['type'] = info.get('type') one_session['session_host'] = info.get('session_host') one_session['tunnel_local'] = info.get('tunnel_local') one_session['tunnel_peer'] = info.get('tunnel_peer') one_session['tunnel_peer_ip'] = info.get('tunnel_peer').split(":")[0] one_session['tunnel_peer_locate'] = Geoip.get_city(info.get('tunnel_peer').split(":")[0]) one_session['via_exploit'] = info.get('via_exploit') one_session['exploit_uuid'] = info.get('exploit_uuid') if uuid_msfjobid.get(info.get('exploit_uuid')) is None: one_session['job_info'] = {"job_id": -1, "PAYLOAD": None, "LPORT": None, "LHOST": None, "RHOST": None} else: one_session['job_info'] = uuid_msfjobid.get(info.get('exploit_uuid')) one_session['via_payload'] = info.get('via_payload') one_session['tunnel_peer_ip'] = info.get('tunnel_peer').split(":")[0] one_session['tunnel_peer_locate'] = Geoip.get_city(info.get('tunnel_peer').split(":")[0]) one_session['uuid'] = info.get('uuid') one_session['platform'] = info.get('platform') one_session['last_checkin'] = info.get('last_checkin') // 5 * 5 one_session['fromnow'] = (int(time.time()) - info.get('last_checkin')) // 5 * 5 one_session['info'] = info.get('info') one_session['arch'] = info.get('arch') try: one_session['user'] = str(info.get('info')).split(' @ ')[0] one_session['computer'] = str(info.get('info')).split(' @ ')[1] except Exception as _: one_session['user'] = "******" one_session['computer'] = "Initializing" one_session['advanced_info'] = {"sysinfo": {}, "username": "******"} one_session['os'] = None one_session['load_powershell'] = False one_session['load_python'] = False one_session['routes'] = [] one_session['isadmin'] = False one_session['available'] = False # 是否初始化完成 sessions.append(one_session) continue one_session['load_powershell'] = info.get('load_powershell') one_session['load_python'] = info.get('load_python') one_session['advanced_info'] = info.get('advanced_info') try: one_session['os'] = info.get('advanced_info').get("sysinfo").get("OS") one_session['os_short'] = info.get('advanced_info').get("sysinfo").get("OS").split("(")[0] except Exception as _: one_session['os'] = None one_session['os_short'] = None try: one_session['isadmin'] = info.get('advanced_info').get("sysinfo").get("IsAdmin") if info.get('platform').lower().startswith('linux'): if "uid=0" in one_session['info'].lower(): one_session['isadmin'] = True except Exception as _: one_session['isadmin'] = None routestrlist = info.get('routes') one_session['routes'] = [] try: if isinstance(routestrlist, list): for routestr in routestrlist: routestr.split('/') tmpdict = {"subnet": routestr.split('/')[0], 'netmask': routestr.split('/')[1]} one_session['routes'].append(tmpdict) except Exception as E: logger.error(E) one_session['available'] = True sessions.append(one_session) # session监控统计信息 sessionhosts.append(info.get('session_host')) sessions_available_count += 1 def split_ip(ip): try: result = tuple(int(part) for part in ip.split('.')) except Exception as E: logger.exception(E) return 0, 0, 0 return result def session_host_key(item): return split_ip(item.get("session_host")) sessions = sorted(sessions, key=session_host_key) # session监控功能 if Xcache.get_sessionmonitor_conf().get("flag"): if Xcache.get_session_count() < sessions_available_count: Notice.send_sms(f"当前Session数量: {sessions_available_count} IP列表: {','.join(sessionhosts)}") Notice.send_info(f"当前Session数量: {sessions_available_count}") if Xcache.get_session_count() != sessions_available_count: Xcache.set_session_count(sessions_available_count) return sessions
def create(sessionid=None, handler=None): # 获取不同转发的默认参数 try: handleropts = json.loads(handler) except Exception as E: logger.warning(E) context = data_return(303, TRANSPORT_MSG.get(303), []) return context opts = { "uuid": None, "transport": None, "lhost": None, "lport": None, "ua": None, "proxy_host": None, "proxy_port": None, "proxy_type": None, "proxy_user": None, "proxy_pass": None, "comm_timeout": None, "session_exp": None, "retry_total": None, "retry_wait": None, "cert": None, "luri": None, } handler_payload = handleropts.get("PAYLOAD") if "reverse_tcp" in handler_payload: opts["transport"] = "reverse_tcp" elif "reverse_https" in handler_payload: opts["transport"] = "reverse_https" elif "reverse_http" in handler_payload: opts["transport"] = "reverse_http" elif "bind_tcp" in handler_payload: opts["transport"] = "bind_tcp" else: context = data_return(303, TRANSPORT_MSG.get(303), []) return context opts["uuid"] = handleropts.get("PayloadUUIDSeed") opts["lhost"] = handleropts.get("LHOST") opts["lport"] = handleropts.get("LPORT") opts["ua"] = handleropts.get("HttpUserAgent") opts["proxy_host"] = handleropts.get("HttpProxyHost") opts["proxy_port"] = handleropts.get("HttpProxyPort") opts["proxy_type"] = handleropts.get("HttpProxyType") opts["proxy_user"] = handleropts.get("HttpProxyUser") opts["proxy_pass"] = handleropts.get("HttpProxyPass") opts["comm_timeout"] = handleropts.get("SessionCommunicationTimeout") opts["session_exp"] = handleropts.get("SessionExpirationTimeout") opts["retry_total"] = handleropts.get("SessionRetryTotal") opts["retry_wait"] = handleropts.get("SessionRetryWait") opts["cert"] = handleropts.get("HandlerSSLCert") opts["luri"] = handleropts.get("LURI") result_flag = RpcClient.call(Method.SessionMeterpreterTransportAdd, [sessionid, opts]) if result_flag: Notice.send_success(f"新增传输 SID:{sessionid}") context = data_return(201, TRANSPORT_MSG.get(201), {}) return context else: context = data_return(301, TRANSPORT_MSG.get(301), []) return context
def list_route(): result = RpcClient.call(Method.SessionMeterpreterRouteList) if result is None: return [] return result