def setup_hashcat(session_id): provider = Provider() sessions = provider.sessions() hashcat = provider.hashcat() system = provider.system() if not sessions.can_access(current_user, session_id): flash('Access Denied', 'error') return redirect(url_for('home.index')) user_id = 0 if current_user.admin else current_user.id session = sessions.get(user_id=user_id, session_id=session_id)[0] supported_hashes = hashcat.get_supported_hashes() # We need to process the array in a way to make it easy for JSON usage. supported_hashes = hashcat.compact_hashes(supported_hashes) if len(supported_hashes) == 0: home_directory = system.get_system_user_home_directory() flash('Could not get the supported hashes from hashcat', 'error') flash( 'If you have compiled hashcat from source, make sure %s/.hashcat directory exists and is writable' % home_directory, 'error') return render_template('sessions/setup/hashcat.html', session=session, hashes_json=json.dumps(supported_hashes, indent=4, sort_keys=True, default=str))
def login_process(): if current_user.is_authenticated: return redirect(url_for('home.index')) provider = Provider() ldap = provider.ldap() users = provider.users() settings = provider.settings() username = request.form['username'] password = request.form['password'] next = urllib.parse.unquote_plus(request.form['next'].strip()) allow_logins = int(settings.get('allow_logins', 0)) # First check if user is local. Local users take priority. user = UserModel.query.filter( and_( func.lower(UserModel.username) == func.lower(username), UserModel.ldap == 0)).first() if user: if not users.validate_password(user.password, password): flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) elif ldap.is_enabled() and allow_logins == 1: if not ldap.authenticate(username, password, True): flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) user = UserModel.query.filter( and_( func.lower(UserModel.username) == func.lower(username), UserModel.ldap == 1)).first() if not user: flash( 'Could not create your local account. Please contact the administrator.', 'error') return redirect(url_for('auth.login', next=next)) else: flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) # If we reach this point it means that our user exists. Check if the user is active. if user.active is False: flash('Your account has been disabled by the Administrator.', 'error') return redirect(url_for('auth.login', next=next)) user = users.login_session(user) login_user(user) users.record_login(user.id) # On every login we get the hashcat version and the git hash version. system = provider.system() system.run_updates() if next and url_parse(next).netloc == '': return redirect(next) return redirect(url_for('home.index'))
def settings_hashcat_save(): if not current_user.admin: flash('Access Denied', 'error') return redirect(url_for('home.index')) provider = Provider() settings = provider.settings() hashcat_binary = request.form['hashcat_binary'].strip() hashcat_rules_path = request.form['hashcat_rules_path'].strip() hashcat_status_interval = request.form['hashcat_status_interval'].strip() hashcat_force = int(request.form.get('hashcat_force', 0)) has_errors = False if len(hashcat_binary) == 0 or not os.path.isfile(hashcat_binary): has_errors = True flash('Hashcat executable does not exist', 'error') elif not os.access(hashcat_binary, os.X_OK): has_errors = True flash('Hashcat file is not executable', 'error') if len(hashcat_rules_path) == 0 or not os.path.isdir(hashcat_rules_path): has_errors = True flash('Hashcat rules directory does not exist', 'error') elif not os.access(hashcat_rules_path, os.R_OK): has_errors = True flash('Hashcat rules directory is not readable', 'error') if len(hashcat_status_interval) == 0: has_errors = True flash('Hashcat Status Interval must be set', 'error') hashcat_status_interval = int(hashcat_status_interval) if hashcat_status_interval <= 0: hashcat_status_interval = 10 if has_errors: return redirect(url_for('admin.settings_hashcat')) settings.save('hashcat_binary', hashcat_binary) settings.save('hashcat_rules_path', hashcat_rules_path) settings.save('hashcat_status_interval', hashcat_status_interval) settings.save('hashcat_force', hashcat_force) # When settings are saved, run system updates. system = provider.system() system.run_updates() flash('Settings saved', 'success') return redirect(url_for('admin.settings_hashcat'))
def system(): provider = Provider() system = provider.system() daemon = provider.daemon() system.run_updates() return render_template( 'config/system/system.html', is_venv=system.is_virtual_environment(), flask=system.can_run_flask(), version=system.check_version(system.get_python_version(), '3.6'), daemon_running=daemon.is_running(), daemon_configured=daemon.is_configured() )
def login_2fa_process(): next = urllib.parse.unquote_plus(request.args.get('next', '').strip()) otp = request.form['otp'].strip() provider = Provider() users = provider.users() id = int(session['otp_userid']) if 'otp_userid' in session else 0 otp_time = int(session['otp_time']) if 'otp_time' in session else 0 can_continue = True if id <= 0: can_continue = False elif int(time.time()) > (otp_time + 120): # This page is valid for 2 minutes. can_continue = False if not can_continue: session.pop('otp_userid', None) session.pop('otp_time', None) return redirect(url_for('auth.login', next=next)) user = users.get_user(id) if not user: return redirect(url_for('auth.login', next=next)) if not users.otp_verify_user(user, otp): flash('Invalid Code', 'error') return redirect(url_for('auth.login_2fa', next=next)) session.pop('otp_userid', None) session.pop('otp_time', None) # If we reach this point it means that our user exists. Check if the user is active. user = users.login_session(user) login_user(user) # On every login we get the hashcat version and the git hash version. system = provider.system() system.run_updates() if next and url_parse(next).netloc == '': return redirect(next) return redirect(url_for('home.index'))
def settings_auth_save_general(): if not current_user.admin: flash('Access Denied', 'error') return redirect(url_for('home.index')) provider = Provider() settings = provider.settings() allow_logins = request.form.get('allow_logins', 0) settings.save('allow_logins', allow_logins) # When settings are saved, run system updates. system = provider.system() system.run_updates() flash('Settings saved', 'success') return redirect(url_for('admin.settings_auth'))
def ldap_save(): provider = Provider() settings = provider.settings() ldap_enabled = int(request.form.get('ldap_enabled', 0)) ldap_ssl = int(request.form.get('ldap_ssl', 0)) ldap_bind_pass = request.form['ldap_bind_pass'].strip() # Put the rest of the ldap options in a dict to make it easier to validate and save. ldap_settings = { 'ldap_auth_type': { 'value': request.form['ldap_auth_type'].strip(), 'error': 'Please select authentication type' }, 'ldap_host': { 'value': request.form['ldap_host'].strip(), 'error': 'LDAP Host cannot be empty' }, 'ldap_base_dn': { 'value': request.form['ldap_base_dn'].strip(), 'error': 'LDAP Base cannot be empty' }, 'ldap_domain': { 'value': request.form['ldap_domain'].strip(), 'error': 'LDAP Domain cannot be empty' }, 'ldap_bind_user': { 'value': request.form['ldap_bind_user'].strip(), 'error': 'LDAP Bind User cannot be empty' }, 'ldap_mapping_username': { 'value': request.form['ldap_mapping_username'].strip(), 'error': 'LDAP Mapping Username cannot be empty' }, 'ldap_mapping_fullname': { 'value': request.form['ldap_mapping_fullname'].strip(), 'error': 'LDAP Mapping Full Name cannot be empty' } } has_errors = False if ldap_enabled == 1: # If it's disabled it doesn't make sense to validate any settings. for key, data in ldap_settings.items(): if len(data['value']) == 0: has_errors = True flash(data['error'], 'error') if has_errors: return redirect(url_for('config.ldap')) settings.save('ldap_mapping_email', request.form['ldap_mapping_email'].strip()) settings.save('ldap_enabled', ldap_enabled) settings.save('ldap_ssl', ldap_ssl) for key, data in ldap_settings.items(): settings.save(key, data['value']) # If the password is not '********' then save it. This is because we show that value instead of the actual password. if len(ldap_bind_pass) > 0 and ldap_bind_pass != '********': settings.save('ldap_bind_pass', ldap_bind_pass) # When settings are saved, run system updates. system = provider.system() system.run_updates() flash('Settings saved', 'success') return redirect(url_for('config.ldap'))
def login_process(): if current_user.is_authenticated: return redirect(url_for('home.index')) provider = Provider() ldap = provider.ldap() users = provider.users() settings = provider.settings() username = request.form['username'] password = request.form['password'] next = urllib.parse.unquote_plus(request.form['next'].strip()) # First check if user is local. Local users take priority. user = UserModel.query.filter(and_(func.lower(UserModel.username) == func.lower(username), UserModel.ldap == 0)).first() if user: if not users.validate_password(user.password, password): flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) elif ldap.is_enabled(): ldap_result = ldap.authenticate(username, password) if ldap_result is False: if len(ldap.error_message) > 0: flash(ldap.error_message, 'error') else: flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) elif ldap_result['result'] == ldap.AUTH_SUCCESS: ldap_user = ldap_result['user'] elif ldap_result['result'] == ldap.AUTH_CHANGE_PASSWORD: session['ldap_username'] = username session['ldap_time'] = int(time.time()) flash('Your LDAP password has expired or needs changing', 'error') return redirect(url_for('auth.ldap_changepwd', next=next)) elif ldap_result['result'] == ldap.AUTH_LOCKED: flash('Your AD account is disabled', 'error') return redirect(url_for('auth.login', next=next)) else: if len(ldap.error_message) > 0: flash(ldap.error_message, 'error') else: flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) user = users.get_ldap_user(ldap_user['username']) if not user: # Create user = users.create_ldap_user(ldap_user['username'], ldap_user['fullname'], ldap_user['email']) if not user: flash('Could not create LDAP user', 'error') return redirect(url_for('auth.login', next=next)) else: flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) # If we reach this point it means that our user exists. Check if the user is active. if user.active is False: flash('Your account has been disabled by the Administrator.', 'error') return redirect(url_for('auth.login', next=next)) user = users.login_session(user) login_user(user) users.record_login(user.id) # On every login we get the hashcat version and the git hash version. system = provider.system() system.run_updates() if next and url_parse(next).netloc == '': return redirect(next) return redirect(url_for('home.index'))
def login_process(): if current_user.is_authenticated: return redirect(url_for('home.index')) username = request.form['username'].strip() password = request.form['password'].strip() next = urllib.parse.unquote_plus(request.form['next'].strip()) provider = Provider() users = provider.users() ldap = provider.ldap() zones = provider.dns_zones() # First lookup local users. user = users.find_user_login(username, False) if user: if not users.validate_password(user.password, password): flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) elif ldap.enabled: ldap_result = ldap.authenticate(username, password) if ldap_result is False: if len(ldap.error_message) > 0: flash(ldap.error_message, 'error') else: flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) elif ldap_result['result'] == ldap.AUTH_SUCCESS: ldap_user = ldap_result['user'] elif ldap_result['result'] == ldap.AUTH_CHANGE_PASSWORD: session['ldap_username'] = username session['ldap_time'] = int(time.time()) flash('Your LDAP password has expired or needs changing', 'error') return redirect(url_for('auth.ldap_changepwd', next=next)) elif ldap_result['result'] == ldap.AUTH_LOCKED: flash('Your AD account is disabled', 'error') return redirect(url_for('auth.login', next=next)) else: if len(ldap.error_message) > 0: flash(ldap.error_message, 'error') else: flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) # Now see if the user exists. user = users.find_user_login(username, True) if not user: # Doesn't exist yet, we'll have to create them now. user = users.save(0, ldap_user['username'].lower(), password, ldap_user['fullname'], ldap_user['email'], False, True, True) if not user: flash( 'Could not create LDAP user: {0}'.format(users.last_error), 'error') return redirect(url_for('auth.login', next=next)) # Now we need to create a zone for that user. if not zones.create_user_base_zone(user): flash( 'User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.', 'error') return redirect(url_for('auth.login', next=next)) else: flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) if not user.active: # This check has to be after the password validation. flash('Your account is disabled.', 'error') return redirect(url_for('auth.login', next=next)) # Forward to 2FA validation if it's enabled. if user.has_2fa(): session['otp_userid'] = user.id session['otp_time'] = int(time.time()) return redirect(url_for('auth.login_2fa', next=next)) user = users.login_session(user) login_user(user) # On every login we get the hashcat version and the git hash version. system = provider.system() system.run_updates() if next and url_parse(next).netloc == '': return redirect(next) return redirect(url_for('home.index'))
def login_process(): if current_user.is_authenticated: return redirect(url_for('home.index')) username = request.form['username'].strip() password = request.form['password'].strip() next = urllib.parse.unquote_plus(request.form['next'].strip()) provider = Provider() users = provider.users() ldap = provider.ldap() radius = provider.radius() zones = provider.dns_zones() # If more than one external methods are defined, the user has to specify which one they want to authenticate # against, as we won't be trying each and every one until we get a hit. If only one method is enabled (ie LDAP) then # LOCAL auth will be tried first and then it will try LDAP. multiauth = ldap.enabled and radius.enabled auth = request.form['auth'].strip().lower( ) if 'auth' in request.form else '' login_result = False fullname = '' email = '' if (multiauth is False) or (multiauth is True and auth == 'local'): auth = 'local' # For when multiauth = False. login_result = __auth_local(username, password) if (login_result is False) and ldap.enabled: if (multiauth is False) or (multiauth is True and auth == 'ldap'): auth = 'ldap' ldap_result, error_message = __auth_ldap(username, password) if ldap_result is False: error_message = error_message if len( error_message) > 0 else 'Invalid credentials' flash(error_message, 'error') return redirect(url_for('auth.login', next=next)) elif ldap_result['result'] == ldap.AUTH_SUCCESS: login_result = True fullname = ldap_result['user']['fullname'].lower() email = ldap_result['user']['email'].lower() elif ldap_result['result'] == ldap.AUTH_CHANGE_PASSWORD: if ldap.pwchange: session['ldap_username'] = username session['ldap_time'] = int(time.time()) flash('Your LDAP password has expired or needs changing', 'error') return redirect(url_for('auth.ldap_changepwd', next=next)) else: flash('Your LDAP password has expired or needs changing', 'error') return redirect(url_for('auth.login', next=next)) elif ldap_result['result'] == ldap.AUTH_LOCKED: flash('Your AD account is disabled', 'error') return redirect(url_for('auth.login', next=next)) else: flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) if (login_result is False) and radius.enabled: if (multiauth is False) or (multiauth is True and auth == 'radius'): auth = 'radius' radius_result, error_message = __auth_radius(username, password) if radius_result is False: error_message = error_message if len( error_message) > 0 else 'Invalid credentials' flash(error_message, 'error') return redirect(url_for('auth.login', next=next)) login_result = radius_result fullname = username.lower() email = '' if login_result is False: flash('Invalid credentials', 'error') return redirect(url_for('auth.login', next=next)) # Check to see if the user exists. This will return false only if it's the first login of an external user. user = users.find_user_login(username) if not user: user = users.save(0, username.lower(), password, fullname.lower(), email.lower(), False, auth, True) if not user: flash( 'Could not create external user: {0}'.format(users.last_error), 'error') return redirect(url_for('auth.login', next=next)) # Now create the default zone for that user. if not zones.create_user_base_zone(user): flash( 'User has been created but there was a problem creating their base domain. Make sure the DNS Base Domain has been set.', 'error') return redirect(url_for('auth.login', next=next)) if not user.active: # This check has to be after the password validation. flash('Your account is disabled.', 'error') return redirect(url_for('auth.login', next=next)) # Forward to 2FA validation if it's enabled. if user.has_2fa(): session['otp_userid'] = user.id session['otp_time'] = int(time.time()) return redirect(url_for('auth.login_2fa', next=next)) user = users.login_session(user) login_user(user) # On every login we get the hashcat version and the git hash version. system = provider.system() system.run_updates() if next and url_parse(next).netloc == '': return redirect(next) return redirect(url_for('home.index'))