mirror of
https://github.com/lanjelot/patator
synced 2024-11-16 06:15:24 +00:00
3043 lines
96 KiB
Python
Executable File
3043 lines
96 KiB
Python
Executable File
#!/usr/bin/env python
|
|
|
|
# Copyright (C) 2012 Sebastien MACKE
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify it under
|
|
# the terms of the GNU General Public License version 2, as published by the
|
|
# Free Software Foundation
|
|
#
|
|
# This program is distributed in the hope that it will be useful, but WITHOUT
|
|
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
|
# details (http://www.gnu.org/licenses/gpl.txt).
|
|
|
|
__author__ = 'Sebastien Macke'
|
|
__email__ = 'patator@hsc.fr'
|
|
__url__ = 'http://www.hsc.fr/ressources/outils/patator/'
|
|
__git__ = 'http://code.google.com/p/patator/'
|
|
__version__ = '0.4-beta'
|
|
__license__ = 'GPLv2'
|
|
__banner__ = 'Patator v%s (%s)' % (__version__, __git__)
|
|
|
|
# README {{{
|
|
|
|
'''
|
|
INTRODUCTION
|
|
------------
|
|
|
|
* What ?
|
|
|
|
Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
|
|
|
|
Currently it supports the following modules:
|
|
- ftp_login : Brute-force FTP
|
|
- ssh_login : Brute-force SSH
|
|
- telnet_login : Brute-force Telnet
|
|
- smtp_login : Brute-force SMTP
|
|
- smtp_vrfy : Enumerate valid users using the SMTP 'VRFY' command
|
|
- smtp_rcpt : Enumerate valid users using the SMTP 'RCPT TO' command
|
|
- http_fuzz : Brute-force HTTP/HTTPS
|
|
- pop_passd : Brute-force poppassd (not POP3)
|
|
- ldap_login : Brute-force LDAP
|
|
- smb_login : Brute-force SMB
|
|
- mssql_login : Brute-force MSSQL
|
|
- oracle_login : Brute-force Oracle
|
|
- mysql_login : Brute-force MySQL
|
|
- pgsql_login : Brute-force PostgreSQL
|
|
- vnc_login : Brute-force VNC
|
|
|
|
- dns_forward : Forward lookup subdomains
|
|
- dns_reverse : Reverse lookup subnets
|
|
- snmp_login : Brute-force SNMPv1/2 and SNMPv3
|
|
|
|
- unzip_pass : Brute-force the password of encrypted ZIP files
|
|
- keystore_pass : Brute-force the password of Java keystore files
|
|
|
|
Future modules to be implemented:
|
|
- rdp_login
|
|
- vmware_login (902/tcp)
|
|
- pop3_login
|
|
|
|
The name "Patator" comes from http://www.youtube.com/watch?v=xoBkBvnTTjo
|
|
"Whatever the payload to fire, always use the same launch tube"
|
|
|
|
* Why ?
|
|
|
|
Basically, I got tired of using Medusa, Hydra, ncrack, metasploit auxiliary modules, nmap NSE scripts and the like because:
|
|
- they either do not work or are not reliable (got me false negatives several times in the past)
|
|
- they are slow (not multi-threaded or not testing multiple passwords within the same TCP connection)
|
|
- they lack very useful features that are easy to code in python (eg. interactive runtime)
|
|
|
|
|
|
FEATURES
|
|
--------
|
|
* No false negatives, as it is the user that decides what results to ignore based on:
|
|
+ status code of response
|
|
+ size of response
|
|
+ matching string or regex in response data
|
|
+ ... see --help
|
|
|
|
* Modular design
|
|
+ not limited to network modules (eg. the unzip_pass module)
|
|
+ not limited to brute-forcing (eg. remote exploit testing, or vulnerable version probing)
|
|
|
|
* Interactive runtime
|
|
+ show verbose progress
|
|
+ pause/unpause execution
|
|
+ increase/decrease verbosity
|
|
+ add new actions & conditions during runtime in order to exclude more types of response from showing
|
|
+ ... press h to see all available interactive commands
|
|
|
|
* Use persistent connections (ie. will test several passwords until the server disconnects)
|
|
|
|
* Multi-threaded
|
|
|
|
* Flexible user input
|
|
- Any part of a payload is fuzzable:
|
|
+ use FILE[0-9] keywords to iterate on a file
|
|
+ use COMBO[0-9] keywords to iterate on the combo entries of a file
|
|
+ use NET[0-9] keywords to iterate on every host of a network subnet
|
|
|
|
- Iteration over the joined wordlists may be done in any order
|
|
|
|
* Save every response (along with request) to seperate log files for later reviewing
|
|
|
|
|
|
INSTALL
|
|
-------
|
|
|
|
* Dependencies (best tested versions)
|
|
|
|
| Required for | URL | Version |
|
|
--------------------------------------------------------------------------------------------------
|
|
paramiko | SSH | http://www.lag.net/paramiko/ | 1.7.7.1 |
|
|
--------------------------------------------------------------------------------------------------
|
|
pycurl | HTTP | http://pycurl.sourceforge.net/ | 7.19.0 |
|
|
--------------------------------------------------------------------------------------------------
|
|
openldap | LDAP | http://www.openldap.org/ | 2.4.24 |
|
|
--------------------------------------------------------------------------------------------------
|
|
impacket | SMB | http://oss.coresecurity.com/projects/impacket.html | svn#414 |
|
|
--------------------------------------------------------------------------------------------------
|
|
cx_Oracle | Oracle | http://cx-oracle.sourceforge.net/ | 5.1.1 |
|
|
--------------------------------------------------------------------------------------------------
|
|
mysql-python | MySQL | http://sourceforge.net/projects/mysql-python/ | 1.2.3 |
|
|
--------------------------------------------------------------------------------------------------
|
|
psycopg | PostgreSQL | http://initd.org/psycopg/ | 2.4.1 |
|
|
--------------------------------------------------------------------------------------------------
|
|
pycrypto | VNC | http://www.dlitz.net/software/pycrypto/ | 2.3 |
|
|
--------------------------------------------------------------------------------------------------
|
|
pydns | DNS | http://pydns.sourceforge.net/ | 2.3.4 |
|
|
--------------------------------------------------------------------------------------------------
|
|
pysnmp | SNMP | http://pysnmp.sf.net/ | 4.1.16a |
|
|
--------------------------------------------------------------------------------------------------
|
|
IPy | NETx keywords | https://github.com/haypo/python-ipy | 0.75 |
|
|
--------------------------------------------------------------------------------------------------
|
|
unzip | ZIP passwords | http://www.info-zip.org/ | 6.0 |
|
|
--------------------------------------------------------------------------------------------------
|
|
Java | keystore files | http://www.oracle.com/technetwork/java/javase/ | 6u29 |
|
|
--------------------------------------------------------------------------------------------------
|
|
python | | http://www.python.org/ | 2.6.6 |
|
|
--------------------------------------------------------------------------------------------------
|
|
|
|
* Shortcuts (optionnal)
|
|
ln -s path/to/patator.py /usr/bin/ftp_login
|
|
ln -s path/to/patator.py /usr/bin/http_fuzz
|
|
so on ...
|
|
|
|
|
|
USAGE
|
|
-----
|
|
|
|
$ python patator.py <module> -h
|
|
or
|
|
$ <module> -h (if you created the shortcuts)
|
|
|
|
There are global options and module options:
|
|
- all global options start with - or --
|
|
- all module options are of the form option=value
|
|
|
|
All module options are fuzzable:
|
|
---------
|
|
./module host=FILE0 port=FILE1 foobar=FILE2.google.FILE3 0=hosts.txt 1=ports.txt 2=foo.txt 3=bar.txt
|
|
|
|
The keywords (FILE, COMBO, NET, ...) act as place-holders. They indicate the type of wordlist
|
|
and where to replace themselves with the actual words to test.
|
|
|
|
Each keyword is numbered in order to:
|
|
- match the corresponding wordlist
|
|
- and indicate in what order to iterate over all the wordlists
|
|
|
|
For instance, this would be the classic order:
|
|
---------
|
|
./module host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt
|
|
10.0.0.1 root password
|
|
10.0.0.1 root 123456
|
|
10.0.0.1 root qsdfghj
|
|
....
|
|
10.0.0.1 test password
|
|
10.0.0.1 test 123456
|
|
10.0.0.1 test qsdfghj
|
|
...
|
|
10.0.0.2 root password
|
|
...
|
|
|
|
When a better way may be:
|
|
---------
|
|
./module host=FILE2 password=FILE1 user=FILE0 0=logins.txt 1=passwords.txt 2=hosts.txt
|
|
10.0.0.1 root password
|
|
10.0.0.2 root password
|
|
10.0.0.1 admin password
|
|
10.0.0.2 admin password
|
|
10.0.0.1 root 123456
|
|
10.0.0.2 root 123456
|
|
10.0.0.1 admin 123456
|
|
...
|
|
|
|
|
|
* Keywords
|
|
|
|
Brute-force a list of hosts with a file containing combo entries (each line := login:password).
|
|
---------
|
|
./module host=FILE0 user=COMBO10 password=COMBO11 0=hosts.txt 1=combos.txt
|
|
|
|
|
|
Scan subnets to just grab version banners.
|
|
---------
|
|
./module host=NET0 0=10.0.1.0/24,10.0.2.0/24,10.0.3.128-10.0.3.255
|
|
|
|
|
|
* Actions & Conditions
|
|
|
|
Use the -x option to do specific actions upon receiving expected results. For instance:
|
|
|
|
To ignore responses with status code 301 *AND* a size within a range.
|
|
---------
|
|
./module host=10.0.0.1 user=FILE0 -x ignore:code=301,size=57-74
|
|
|
|
To ignore responses with status code 500 *OR* containing "Internal error".
|
|
---------
|
|
./module host=10.0.0.1 user=FILE0 -x ignore:code=500 -x ignore:fgrep='Internal error'
|
|
|
|
Remember that conditions are ANDed within the same -x option, use multiple -x options to
|
|
specify ORed conditions.
|
|
|
|
|
|
* Failures (--failure-delay and --max-retries options)
|
|
|
|
During execution, failures may happen, such as a TCP connect timeout for
|
|
instance. A failure is actually an exception that is not caught by the module,
|
|
and as a result the exception is caught upstream by the controller. By default,
|
|
such exceptions, or failures, are not reported to the user, the controller will
|
|
try 5 more times before reporting the failed payload with the code "xxx"
|
|
(--max-retries defaults to 5).
|
|
|
|
After catching a failure, the controller will discard the module instance that
|
|
may be in a dubious state to create a brand new one, and then sleep for 0.5
|
|
second before trying again the same payload (--failure-delay defaults to 0.5).
|
|
|
|
|
|
* Read carefully the following examples to get a good understanding of how patator works.
|
|
{{{ FTP
|
|
|
|
* Brute-force authentication.
|
|
(a) Do not report wrong passwords.
|
|
(b) Do not report everytime the server shuts down the TCP connection (ie. max login attempts
|
|
reached), reconnect and retry last login/password.
|
|
(c) Reconnect when a valid password is found (need to logoff before testing other passwords).
|
|
---------
|
|
ftp_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt
|
|
-x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500 -x reset:fgrep='Login success'
|
|
(a) (b) (c)
|
|
|
|
NB. If you get errors like "too many connections from your IP address", try
|
|
decreasing the number of threads, the server may be enforcing a maximum
|
|
number of concurrent connections.
|
|
|
|
|
|
* Same as before, but stop testing a user after his password is found.
|
|
---------
|
|
ftp_login ... -x reset,free=user:fgrep='Login success'
|
|
|
|
|
|
* Find anonymous FTP servers on a subnet.
|
|
---------
|
|
ftp_login host=NET0 user=anonymous password=test@example.com 0=10.0.0.0/24
|
|
|
|
}}}
|
|
{{{ SSH
|
|
* Brute-force authentication.
|
|
(a) Do not report wrong passwords.
|
|
(b) Do not report everytime the server shuts down the TCP connection (ie. max login attempts
|
|
reached), reconnect and retry last login/password.
|
|
(c) Reconnect when a valid password is found (need to logoff before testing other passwords).
|
|
--------- (a)
|
|
ssh_login host=10.0.0.1 user=FILE0 password=FILE0 0=logins.txt -x ignore:mesg='Authentication failed.'
|
|
-x ignore,reset,retry:mesg='No existing session' -x reset:code=0
|
|
(b) (c)
|
|
|
|
NB. If you get errors like "Error reading SSH protocol banner ... Connection reset by peer",
|
|
try decreasing the number of threads, the server may be enforcing a maximum
|
|
number of concurrent connections (eg. MaxStartups in OpenSSH).
|
|
|
|
|
|
* Brute-force several hosts and stop testing a host after a valid password is found.
|
|
---------
|
|
ssh_login host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt
|
|
-x ignore:mesg='Authentication failed.' -x ignore,reset,retry:mesg='No existing session'
|
|
-x reset,free=host:code=0
|
|
|
|
|
|
* Same as previous, but stop testing a user on a host after his password is found.
|
|
---------
|
|
ssh_login host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt
|
|
...
|
|
-x reset,free=host+user:code=0
|
|
|
|
}}}
|
|
{{{ Telnet
|
|
|
|
* Brute-force authentication.
|
|
(a) Enter login after first prompt is detected, enter password after second prompt.
|
|
(b) The regex to detect the login and password prompts.
|
|
(c) Reconnect when we get no login prompt back (max number of tries reached or successful login).
|
|
------------ (a)
|
|
telnet_login host=10.0.0.1 inputs='FILE0\nFILE1' 0=logins.txt 1=passwords.txt
|
|
prompt_re='Username:|Password:' -x reset:egrep!='% Login failed!.+Username:'
|
|
(b) (c)
|
|
|
|
NB. If you get errors like "telnet connection closed", this is because they occur
|
|
at TCP connect time, so try decreasing the number of threads, the server may
|
|
be enforcing a maximum number of concurrent connections.
|
|
|
|
}}}
|
|
{{{ SMTP
|
|
|
|
* Enumerate valid users using the VRFY command.
|
|
(a) Do not report invalid recipients.
|
|
(b) Do not report when the server shuts us down with "421 too many errors",
|
|
reconnect and resume testing.
|
|
--------- (a)
|
|
smtp_vrfy host=10.0.0.1 user=FILE0 0=logins.txt -x ignore:fgrep='User unknown in local
|
|
recipient table' -x ignore,reset,retry:code=421
|
|
(b)
|
|
|
|
* Use the RCPT TO command in case the VRFY command was disabled.
|
|
---------
|
|
smtp_rcpt host=10.0.0.1 user=FILE0@localhost 0=logins.txt helo='ehlo mx.fb.com' mail_from=root
|
|
|
|
|
|
* Brute-force authentication.
|
|
(a) Send a fake hostname (by default the real hostname is sent)
|
|
------------ (a)
|
|
smtp_login host=10.0.0.1 helo='ehlo its.me.com' user=FILE0@dom.com password=FILE1 0=logins.txt 1=passwords.txt
|
|
|
|
}}}
|
|
{{{ HTTP
|
|
|
|
* Find hidden Web resources.
|
|
(a) Use a specific header.
|
|
(b) Follow redirects.
|
|
(c) Do not report 404 errors.
|
|
(d) Retry on 500 errors.
|
|
--------- (a)
|
|
http_fuzz url=http://localhost/FILE0 0=words.txt header='Cookie: SESSID=A2FD8B2DA4'
|
|
follow=1 -x ignore:code=404 -x ignore,retry:code=500
|
|
(b) (c) (d)
|
|
|
|
NB. You may be able to go 10 times faster using webef (http://www.hsc.fr/ressources/outils/webef/).
|
|
It is the fastest HTTP brute-forcer I know, yet at the moment it still lacks useful features
|
|
that will prevent you from performing the following attacks.
|
|
|
|
* Brute-force phpMyAdmin logon.
|
|
(a) Use POST requests.
|
|
(b) Follow redirects using cookies sent by server.
|
|
(c) Ignore failed authentications.
|
|
--------- (a) (b) (b)
|
|
http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST follow=1 accept_cookie=1
|
|
body='pma_username=root&pma_password=FILE0&server=1&lang=en' 0=passwords.txt
|
|
-x ignore:fgrep='Cannot log in to the MySQL server'
|
|
(c)
|
|
|
|
* Scan subnet for directory listings.
|
|
(a) Ignore not matching reponses.
|
|
(b) Save matching responses into directory.
|
|
---------
|
|
http_fuzz url=http://NET0/FILE1 0=10.0.0.0/24 1=dirs.txt -x ignore:fgrep!='Index of'
|
|
-l /tmp/directory_listings (a)
|
|
(b)
|
|
|
|
* Brute-force Basic authentication.
|
|
(a) Single mode (login == password).
|
|
(b) Do not report failed login attempts.
|
|
---------
|
|
http_fuzz url=http://10.0.0.1/manager/html user_pass=FILE0:FILE0 0=logins.txt -x ignore:code=401
|
|
(a) (b)
|
|
|
|
* Find hidden virtual hosts.
|
|
(a) Read template from file.
|
|
(b) Fuzz both the Host and User-Agent headers.
|
|
---------
|
|
echo -e 'Host: FILE0\nUser-Agent: FILE1' > headers.txt
|
|
http_fuzz url=http://10.0.0.1/ header=@headers.txt 0=vhosts.txt 1=agents.txt
|
|
(a) (b)
|
|
|
|
* Brute-force logon using GET requests.
|
|
(a) Encode everything surrounded by the two tags _@@_ in hexadecimal.
|
|
(b) Ignore HTTP 200 responses with a content size (header+body) within given range
|
|
and that also contain the given string.
|
|
(c) Use a different delimiter string because the comma cannot be escaped.
|
|
--------- (a) (a)
|
|
http_fuzz url='http://10.0.0.1/login?username=admin&password=_@@_FILE0_@@_' -e _@@_:hex
|
|
0=words.txt -x ignore:'code=200|size=1500-|fgrep=Welcome, unauthenticated user' -X'|'
|
|
(b) (c)
|
|
|
|
* Brute-force logon that enforces a random nonce to be submitted along every POST.
|
|
(a) Request page that provides the nonce as a hidden input field using GET.
|
|
(b) Use regex to extract the nonce that is to be submitted by the main request.
|
|
---------
|
|
http_fuzz url=http://10.0.0.1/login method=POST body='user=admin&pass=FILE0&nonce=_@@_' accept_cookie=1
|
|
before_urls=http://10.0.0.1/index before_egrep=_@@_:'nput type="hidden" name="nonce" value="(\w+)"/>'
|
|
(a) (b)
|
|
|
|
* Test the OPTIONS method against a list of URLs.
|
|
(a) Ignore URLs that only allow the HEAD and GET methods.
|
|
(b) Header end of line is '\r\n'.
|
|
(c) Use a different delimiter string because the comma cannot be escaped.
|
|
---------
|
|
http_fuzz url=FILE0 0=urls.txt method=OPTIONS -x ignore:egrep='^Allow: HEAD, GET\r$' -X '|'
|
|
(a) (b) (c)
|
|
}}}
|
|
{{{ LDAP
|
|
|
|
* Brute-force authentication.
|
|
(a) Do not report wrong passwords.
|
|
(b) Talk SSL/TLS to port 636.
|
|
---------
|
|
ldap_login host=10.0.0.1 bindn='cn=FILE0,dc=example,dc=com' 0=logins.txt bindpw=FILE1 1=passwords.txt
|
|
-x ignore:mesg='ldap_bind: Invalid credentials (49)' ssl=1 port=636
|
|
(a) (b)
|
|
}}}
|
|
{{{ SMB
|
|
|
|
* Brute-force authentication.
|
|
(a) Do not report wrong passwords.
|
|
(b) Reconnect when a valid password is found (need to logoff before testing other passwords).
|
|
---------
|
|
smb_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt
|
|
-x ignore:fgrep=STATUS_LOGON_FAILURE -x reset:code=0
|
|
(a) (b)
|
|
|
|
NB. If you suddenly get STATUS_ACCOUNT_LOCKED_OUT errors for an account
|
|
although it is not the first password you test on this account, then you must
|
|
have locked it.
|
|
|
|
|
|
* Pass-the-hash.
|
|
(a) Test a list of hosts.
|
|
(b) Test every user (each line := login:rid:LM hash:NT hash).
|
|
--------- (a) (b)
|
|
smb_login host=FILE0 0=hosts.txt user=COMBO10 password_hash=COMBO12:COMBO13 1=pwdump.txt -x ...
|
|
|
|
}}}
|
|
{{{ MSSQL
|
|
|
|
* Brute-force authentication.
|
|
-----------
|
|
mssql_login host=10.0.0.1 user=sa password=FILE0 0=passwords.txt -x ignore:fgrep='Login failed for user'
|
|
|
|
}}}
|
|
{{{ Oracle
|
|
Beware, by default in Oracle, accounts are permanently locked out after 10 wrong passwords,
|
|
except for the SYS account.
|
|
|
|
* Brute-force authentication.
|
|
------------
|
|
oracle_login host=10.0.0.1 user=SYS password=FILE0 0=passwords.txt sid=ORCL -x ignore:code=ORA-01017
|
|
|
|
NB0. With Oracle 10g XE (Express Edition), you do not need to pass a SID.
|
|
|
|
NB1. If you get ORA-12516 errors, it may be because you reached the limit of
|
|
concurrent connections or db processes, try using "--rate-limit 0.5 -t 2" to be
|
|
more polite. Also you can run "alter system set processes=150 scope=spfile;"
|
|
and restart your database to get rid of this.
|
|
|
|
|
|
* Brute-force SID.
|
|
------------
|
|
oracle_login host=10.0.0.1 sid=FILE0 0=sids.txt -x ignore:code=ORA-12505
|
|
|
|
NB. Against Oracle9, it may crash (Segmentation fault) as soon as a valid SID is
|
|
found (cx_Oracle bug). Sometimes, the SID gets printed out before the crash,
|
|
so try running the same command again if it did not.
|
|
|
|
}}}
|
|
{{{ MySQL
|
|
|
|
* Brute-force authentication.
|
|
-----------
|
|
mysql_login host=10.0.0.1 user=FILE0 password=FILE0 0=logins.txt -x ignore:fgrep='Access denied for user'
|
|
|
|
}}}
|
|
{{{ PostgresSQL
|
|
|
|
* Brute-force authentication.
|
|
-----------
|
|
pgsql_login host=10.0.0.1 user=postgres password=FILE0 0=passwords.txt
|
|
-x ignore:fgrep='password authentication failed for user'
|
|
|
|
}}}
|
|
{{{ VNC
|
|
Some VNC servers have built-in anti-bruteforce functionnality that temporarily
|
|
blacklists the attacker IP address after too many wrong passwords.
|
|
- RealVNC-4.1.3 or TightVNC-1.3.10 for example, allow 5 failed attempts and
|
|
then enforce a 10 second delay. For each subsequent failed attempt that
|
|
delay is doubled.
|
|
- RealVNC-3.3.7 or UltraVNC allow 6 failed attempts and then enforce a 10
|
|
second delay between each following attempt.
|
|
|
|
* Brute-force authentication.
|
|
(a) No need to use more than one thread.
|
|
(b) Keep retrying the same password when we are blacklisted by the server.
|
|
(c) Exit execution as soon as a valid password is found.
|
|
--------- (a)
|
|
vnc_login host=10.0.0.1 password=FILE0 0=passwords.txt --threads 1
|
|
-x retry:fgrep!='Authentication failure' --max-retries -1 -x quit:code=0
|
|
(b) (b) (c)
|
|
}}}
|
|
{{{ Unzip
|
|
|
|
* Brute-force the ZIP file password.
|
|
----------
|
|
unzip_pass zipfile=path/to/file.zip password=FILE0 0=passwords.txt -x ignore:code!=0
|
|
|
|
}}}
|
|
{{{ DNS
|
|
|
|
* Forward lookup subdomains.
|
|
(a) Ignore NXDOMAIN responses (rcode 3).
|
|
-----------
|
|
dns_forward domain=FILE0.google.com 0=names.txt -x ignore:code=3
|
|
(a)
|
|
* Forward lookup domain with all possible TLDs.
|
|
-----------
|
|
dns_forward domain=google.MOD0 0=TLD -x ignore:code=3
|
|
|
|
* Foward lookup SRV records.
|
|
-----------
|
|
dns_forward domain=MOD0.microsoft.com 0=SRV qtype=SRV -x ignore:code=3
|
|
|
|
* Reverse lookup several subnets.
|
|
(a) Ignore names that do not contain 'google.com'.
|
|
(b) Ignore generic PTR records.
|
|
-----------
|
|
dns_reverse host=NET0 0=216.239.32.0-216.239.47.255,8.8.8.0/24 -x ignore:code=3 -x ignore:fgrep!=google.com -x ignore:fgrep=216-239-
|
|
(a) (b)
|
|
}}}
|
|
{{{ SNMP
|
|
|
|
* SNMPv1/2 : Find valid community names.
|
|
----------
|
|
snmp_login host=10.0.0.1 community=FILE0 1=names.txt -x ignore:mesg='No SNMP response received before timeout'
|
|
|
|
|
|
* SNMPv3 : Find valid usernames.
|
|
----------
|
|
snmp_login host=10.0.0.1 version=3 user=FILE0 0=logins.txt -x ignore:mesg=unknownUserName
|
|
|
|
|
|
* SNMPv3 : Find valid passwords.
|
|
----------
|
|
snmp_login host=10.0.0.1 version=3 user=myuser auth_key=FILE0 0=passwords.txt -x ignore:mesg=wrongDigest
|
|
|
|
NB0. If you get "notInTimeWindow" error messages, increase the retries option.
|
|
NB1. SNMPv3 requires passphrases to be at least 8 characters long.
|
|
|
|
}}}
|
|
|
|
CHANGELOG
|
|
---------
|
|
|
|
* v0.3 2011/12/16
|
|
- minor bugs fixed in http_fuzz
|
|
- option -e better implemented
|
|
- better warnings about missing dependencies
|
|
|
|
* v0.2 2011/12/01
|
|
- new smtp_login module
|
|
- several bugs fixed
|
|
|
|
* v0.1 2011/11/25 : Public release
|
|
|
|
|
|
TODO
|
|
----
|
|
* SSL support for SMTP, MySQL, ... (use socat in the meantime)
|
|
* new option -e ns like in Medusa (not likely to be implemented due to design)
|
|
* replace PyDNS|paramiko|IPy with a better module (scapy|libssh2|... ?)
|
|
'''
|
|
|
|
# }}}
|
|
|
|
# imports and logging {{{
|
|
import logging
|
|
formatter = logging.Formatter('%(asctime)s %(name)-7s %(levelname)7s - %(message)s', datefmt='%H:%M:%S')
|
|
handler = logging.StreamHandler()
|
|
handler.setFormatter(formatter)
|
|
logger = logging.getLogger('patator')
|
|
logger.setLevel(logging.INFO)
|
|
logger.addHandler(handler)
|
|
|
|
import re
|
|
import os
|
|
from sys import stdin, exc_info, exit, version_info
|
|
from time import localtime, strftime, sleep, time
|
|
from functools import reduce
|
|
from threading import Thread, active_count
|
|
from select import select
|
|
from itertools import product, chain, islice
|
|
from string import ascii_lowercase
|
|
from binascii import hexlify
|
|
from base64 import b64encode
|
|
from datetime import timedelta, datetime
|
|
from struct import unpack
|
|
import socket
|
|
import subprocess
|
|
import hashlib
|
|
try:
|
|
# python3+
|
|
from queue import Queue, Empty, Full
|
|
from urllib.parse import quote, urlencode, urlparse, urlunparse, parse_qsl
|
|
from io import StringIO
|
|
except ImportError:
|
|
# python2.6+
|
|
from Queue import Queue, Empty, Full
|
|
from urllib import quote, urlencode
|
|
from urlparse import urlparse, urlunparse, parse_qsl
|
|
from cStringIO import StringIO
|
|
|
|
warnings = []
|
|
try:
|
|
from IPy import IP
|
|
has_ipy = True
|
|
except ImportError:
|
|
has_ipy = False
|
|
warnings.append('IPy')
|
|
|
|
# imports }}}
|
|
|
|
# utils {{{
|
|
def which(program):
|
|
def is_exe(fpath):
|
|
return os.path.exists(fpath) and os.access(fpath, os.X_OK)
|
|
|
|
fpath, fname = os.path.split(program)
|
|
if fpath:
|
|
if is_exe(program):
|
|
return program
|
|
else:
|
|
for path in os.environ["PATH"].split(os.pathsep):
|
|
exe_file = os.path.join(path, program)
|
|
if is_exe(exe_file):
|
|
return exe_file
|
|
|
|
return None
|
|
|
|
def create_dir(top_path):
|
|
top_path = os.path.abspath(top_path)
|
|
if os.path.isdir(top_path):
|
|
files = os.listdir(top_path)
|
|
if files:
|
|
if raw_input("Directory '%s' is not empty, do you want to wipe it ? [Y/n]: " % top_path) == 'n':
|
|
exit(0)
|
|
for root, dirs, files in os.walk(top_path):
|
|
if dirs:
|
|
print("Directory '%s' contains sub-directories, safely aborting..." % root)
|
|
exit(0)
|
|
for f in files:
|
|
os.unlink(os.path.join(root, f))
|
|
break
|
|
else:
|
|
os.mkdir(top_path)
|
|
return top_path
|
|
|
|
def create_time_dir(top_path, desc):
|
|
now = localtime()
|
|
date, time = strftime('%Y-%m-%d', now), strftime('%H%M%S', now)
|
|
top_path = os.path.abspath(top_path)
|
|
date_path = os.path.join(top_path, date)
|
|
time_path = os.path.join(top_path, date, time + '_' + desc)
|
|
|
|
if not os.path.isdir(top_path):
|
|
os.makedirs(top_path)
|
|
if not os.path.isdir(date_path):
|
|
os.mkdir(date_path)
|
|
if not os.path.isdir(time_path):
|
|
os.mkdir(time_path)
|
|
|
|
return time_path
|
|
|
|
def pprint_seconds(seconds, fmt):
|
|
return fmt % reduce(lambda x,y: divmod(x[0], y) + x[1:], [(seconds,),60,60])
|
|
|
|
def md5hex(plain):
|
|
return hashlib.md5(plain).hexdigest()
|
|
|
|
def sha1hex(plain):
|
|
return hashlib.sha1(plain).hexdigest()
|
|
|
|
# }}}
|
|
|
|
# Controller {{{
|
|
class Controller:
|
|
actions = {}
|
|
free_list = []
|
|
paused = False
|
|
from_stdin = False
|
|
start_time = 0
|
|
total_size = 1
|
|
log_dir = None
|
|
thread_report = []
|
|
thread_progress = []
|
|
|
|
payload = {}
|
|
iter_keys = {}
|
|
enc_keys = []
|
|
|
|
builtin_actions = (
|
|
('ignore', 'do not report'),
|
|
('retry', 'try payload again'),
|
|
('free', 'dismiss future types of payloads'),
|
|
('quit', 'terminate execution now'),
|
|
)
|
|
|
|
available_encodings = {
|
|
'hex': (hexlify, 'encode in hexadecimal'),
|
|
'b64': (b64encode, 'encode in base64'),
|
|
'md5': (md5hex, 'hash in md5'),
|
|
'sha1': (sha1hex, 'hash in sha1'),
|
|
}
|
|
|
|
def expand_key(self, arg):
|
|
yield arg.split('=', 1)
|
|
|
|
def find_file_keys(self, value):
|
|
return map(int, re.findall(r'FILE(\d)', value))
|
|
|
|
def find_net_keys(self, value):
|
|
return map(int, re.findall(r'NET(\d)', value))
|
|
|
|
def find_combo_keys(self, value):
|
|
return [map(int, t) for t in re.findall(r'COMBO(\d)(\d)', value)]
|
|
|
|
def find_module_keys(self, value):
|
|
return map(int, re.findall(r'MOD(\d)', value))
|
|
|
|
def usage_parser(self, name):
|
|
from optparse import OptionParser
|
|
from optparse import OptionGroup
|
|
from optparse import IndentedHelpFormatter
|
|
class MyFormatter(IndentedHelpFormatter):
|
|
def format_epilog(self, epilog):
|
|
return epilog
|
|
|
|
def format_heading(self, heading):
|
|
if self.current_indent == 0 and heading == 'Options':
|
|
heading = 'Global options'
|
|
return "%*s%s:\n" % (self.current_indent, "", heading)
|
|
|
|
def format_usage(self, usage):
|
|
return '%s\nUsage: %s\n' % (__banner__, usage)
|
|
|
|
available_actions = self.builtin_actions + self.module.available_actions
|
|
available_conditions = self.module.Response.available_conditions
|
|
|
|
usage = '''%%prog <module-options ...> [global-options ...]
|
|
|
|
Examples:
|
|
%s''' % '\n '.join(self.module.usage_hints)
|
|
|
|
usage += '''
|
|
|
|
Module options:
|
|
%s ''' % ('\n'.join(' %-14s: %s' % (k, v) for k, v in self.module.available_options))
|
|
|
|
epilog = '''
|
|
Syntax:
|
|
-x actions:conditions
|
|
|
|
actions := action[,action]*
|
|
action := "%s"
|
|
conditions := condition=value[,condition=value]*
|
|
condition := "%s"
|
|
''' % ('" | "'.join(k for k, v in available_actions),
|
|
'" | "'.join(k for k, v in available_conditions))
|
|
|
|
epilog += '''
|
|
%s
|
|
|
|
%s
|
|
''' % ('\n'.join(' %-12s: %s' % (k, v) for k, v in available_actions),
|
|
'\n'.join(' %-12s: %s' % (k, v) for k, v in available_conditions))
|
|
|
|
epilog += '''
|
|
For example, to ignore all redirects to the home page:
|
|
... -x ignore:code=302,fgrep='Location: /home.html'
|
|
|
|
-e tag:encoding
|
|
|
|
tag := any unique string (eg. T@G or _@@_ or ...)
|
|
encoding := "%s"
|
|
|
|
%s''' % ('" | "'.join(k for k in self.available_encodings),
|
|
'\n'.join(' %-12s: %s' % (k, v) for k, (f, v) in self.available_encodings.items()))
|
|
|
|
epilog += '''
|
|
|
|
For example, to encode every password in base64:
|
|
... host=10.0.0.1 user=admin password=_@@_FILE0_@@_ -e _@@_:b64
|
|
|
|
Please read the README inside for more examples and usage information.
|
|
'''
|
|
|
|
parser = OptionParser(usage=usage, prog=name, epilog=epilog, version=__banner__, formatter=MyFormatter())
|
|
|
|
exe_grp = OptionGroup(parser, 'Execution')
|
|
exe_grp.add_option('-x', dest='actions', action='append', default=[], metavar='arg', help='actions and conditions, see Syntax below')
|
|
exe_grp.add_option('--start', dest='start', type='int', default=0, metavar='N', help='start from offset N in the wordlist product')
|
|
exe_grp.add_option('--stop', dest='stop', type='int', default=None, metavar='N', help='stop at offset N')
|
|
exe_grp.add_option('--resume', dest='resume', metavar='r1[,rN]*', help='resume previous run')
|
|
exe_grp.add_option('-e', dest='encodings', action='append', default=[], metavar='arg', help='encode everything between two tags, see Syntax below')
|
|
exe_grp.add_option('-C', dest='combo_delim', default=':', metavar='str', help="delimiter string in combo files (default is ':')")
|
|
exe_grp.add_option('-X', dest='condition_delim', default=',', metavar='str', help="delimiter string in conditions (default is ',')")
|
|
|
|
opt_grp = OptionGroup(parser, 'Optimization')
|
|
opt_grp.add_option('--rate-limit', dest='rate_limit', type='float', default=0, metavar='N', help='wait N seconds between tests (default is 0)')
|
|
opt_grp.add_option('--rate-reset', dest='rate_reset', type='int', default=0, metavar='N', help='reset module every N tests (default is 0: never reset)')
|
|
opt_grp.add_option('--failure-delay', dest='failure_delay', type='float', default=0.5, metavar='N', help='wait N seconds after a failure (default is 0.5)')
|
|
opt_grp.add_option('--max-retries', dest='max_retries', type='int', default=5, metavar='N', help='skip payload after N failures (default is 5) (-1 for unlimited)')
|
|
opt_grp.add_option('-t', '--threads', dest='num_threads', type='int', default=10, metavar='N', help='number of threads (default is 10)')
|
|
|
|
log_grp = OptionGroup(parser, 'Logging')
|
|
log_grp.add_option('-l', dest='log_dir', metavar='DIR', help="save output and response data into DIR ")
|
|
log_grp.add_option('-L', dest='auto_log', metavar='SFX', help="automatically save into DIR/yyyy-mm-dd/hh:mm:ss_SFX (DIR defaults to '/tmp/patator')")
|
|
|
|
dbg_grp = OptionGroup(parser, 'Debugging')
|
|
dbg_grp.add_option('-d', '--debug', dest='debug', action='store_true', default=False, help='enable debug messages')
|
|
|
|
parser.option_groups.extend([exe_grp, opt_grp, log_grp, dbg_grp])
|
|
|
|
return parser
|
|
|
|
def parse_usage(self, argv):
|
|
parser = self.usage_parser(argv[0])
|
|
opts, args = parser.parse_args(argv[1:])
|
|
|
|
if opts.debug:
|
|
logger.setLevel(logging.DEBUG)
|
|
|
|
if not len(args) > 0:
|
|
parser.print_usage()
|
|
print('ERROR: wrong usage. Please read the README inside for more information.')
|
|
exit(2)
|
|
|
|
return opts, args
|
|
|
|
def __init__(self, module, argv):
|
|
self.module = module
|
|
opts, args = self.parse_usage(argv)
|
|
|
|
self.combo_delim = opts.combo_delim
|
|
self.condition_delim = opts.condition_delim
|
|
self.rate_reset = opts.rate_reset
|
|
self.rate_limit = opts.rate_limit
|
|
self.failure_delay = opts.failure_delay
|
|
self.max_retries = opts.max_retries
|
|
self.num_threads = opts.num_threads
|
|
self.start, self.stop, self.resume = opts.start, opts.stop, opts.resume
|
|
|
|
wlists = {}
|
|
kargs = []
|
|
for arg in args: # ('host=NET0', '0=10.0.0.0/24', 'user=COMBO10', 'password=COMBO11', '1=combos.txt', 'domain=MOD2', '2=TLD')
|
|
for k, v in self.expand_key(arg):
|
|
logger.debug('k: %s, v: %s' % (k, v))
|
|
|
|
if k.isdigit():
|
|
wlists[k] = v
|
|
|
|
else:
|
|
if v.startswith('@'):
|
|
p = os.path.expanduser(v[1:])
|
|
v = open(p).read()
|
|
kargs.append((k, v))
|
|
|
|
iter_vals = [v for k, v in sorted(wlists.items())]
|
|
logger.debug('iter_vals: %s' % iter_vals) # ['10.0.0.0/24', 'combos.txt', 'TLD']
|
|
logger.debug('kargs: %s' % kargs) # [('host', 'NET0'), ('user', 'COMBO10'), ('password', 'COMBO11'), ('domain', 'MOD2')]
|
|
|
|
for k, v in kargs:
|
|
|
|
for e in opts.encodings:
|
|
meta, enc = e.split(':')
|
|
if re.search(r'{0}.+?{0}'.format(meta), v):
|
|
self.enc_keys.append((k, meta, self.available_encodings[enc][0]))
|
|
|
|
for i in self.find_file_keys(v):
|
|
if i not in self.iter_keys:
|
|
self.iter_keys[i] = ('FILE', iter_vals[i], [])
|
|
self.iter_keys[i][2].append(k)
|
|
|
|
else:
|
|
for i in self.find_net_keys(v):
|
|
if i not in self.iter_keys:
|
|
self.iter_keys[i] = ('NET', iter_vals[i], [])
|
|
self.iter_keys[i][2].append(k)
|
|
|
|
if not has_ipy:
|
|
logger.warn('IPy (https://github.com/haypo/python-ipy) is required for using NETx keywords.')
|
|
logger.warn('Please read the README inside for more information.')
|
|
exit(3)
|
|
|
|
else:
|
|
for i, j in self.find_combo_keys(v):
|
|
if i not in self.iter_keys:
|
|
self.iter_keys[i] = ('COMBO', iter_vals[i], [])
|
|
self.iter_keys[i][2].append((j, k))
|
|
|
|
else:
|
|
for i in self.find_module_keys(v):
|
|
if i not in self.iter_keys:
|
|
self.iter_keys[i] = ('MOD', iter_vals[i], [])
|
|
self.iter_keys[i][2].append(k)
|
|
|
|
else:
|
|
self.payload[k] = v
|
|
|
|
# { 0: ('NET', '10.0.0.0/24', ['host']), 1: ('COMBO', 'combos.txt', [(0, 'user'), (1, 'password')]), 2: ('MOD', 'TLD', ['domain'])
|
|
logger.debug('iter_keys: %s' % self.iter_keys)
|
|
logger.debug('enc_keys: %s' % self.enc_keys) # [('password', 'ENC', hexlify), ('header', 'B64', b64encode), ...
|
|
logger.debug('payload: %s' % self.payload)
|
|
|
|
self.available_actions = [k for k, _ in self.builtin_actions + self.module.available_actions]
|
|
self.module_actions = [k for k, _ in self.module.available_actions]
|
|
|
|
for x in opts.actions:
|
|
self.update_actions(x)
|
|
|
|
logger.debug('actions: %s' % self.actions)
|
|
|
|
if opts.auto_log:
|
|
self.log_dir = create_time_dir(opts.log_dir or '/tmp/patator', opts.auto_log)
|
|
elif opts.log_dir:
|
|
self.log_dir = create_dir(opts.log_dir)
|
|
|
|
if self.log_dir:
|
|
log_file = os.path.join(self.log_dir, 'RUNTIME.log')
|
|
with open(log_file, 'w') as f:
|
|
f.write('$ %s\n' % ' '.join(argv))
|
|
|
|
handler = logging.FileHandler(log_file)
|
|
handler.setFormatter(formatter)
|
|
logging.getLogger('patator').addHandler(handler)
|
|
|
|
def update_actions(self, arg):
|
|
actions, conditions = arg.split(':', 1)
|
|
|
|
for action in actions.split(','):
|
|
conds = conditions.split(self.condition_delim)
|
|
new_cond = []
|
|
|
|
for cond in conds:
|
|
key, val = cond.split('=', 1)
|
|
new_cond.append((key, val))
|
|
|
|
if '=' in action:
|
|
name, opts = action.split('=')
|
|
else:
|
|
name, opts = action, None
|
|
|
|
if name not in self.available_actions:
|
|
raise NotImplementedError('Unsupported action: %s' % n)
|
|
|
|
if name not in self.actions:
|
|
self.actions[name] = []
|
|
|
|
self.actions[name].append((new_cond, opts))
|
|
|
|
def lookup_actions(self, resp):
|
|
actions = {}
|
|
for action, conditions in self.actions.items():
|
|
for condition, opts in conditions:
|
|
for key, val in condition:
|
|
if key[-1] == '!':
|
|
if resp.match(key[:-1], val):
|
|
break
|
|
else:
|
|
if not resp.match(key, val):
|
|
break
|
|
else:
|
|
actions[action] = opts
|
|
return actions
|
|
|
|
def check_free(self, payload):
|
|
# free_list: 'host=10.0.0.1', 'user=anonymous', 'host=10.0.0.7,user=test', ...
|
|
for m in self.free_list:
|
|
args = m.split(',', 1)
|
|
for arg in args:
|
|
k, v = arg.split('=', 1)
|
|
if payload[k] != v:
|
|
break
|
|
else:
|
|
return True
|
|
|
|
return False
|
|
|
|
def register_free(self, payload, opts):
|
|
self.free_list.append(','.join('%s=%s' % (k, payload[k]) for k in opts.split('+')))
|
|
|
|
def fire(self):
|
|
logger.info('Starting %s at %s' % (__banner__, strftime('%Y-%m-%d %H:%M %Z', localtime())))
|
|
|
|
try:
|
|
tryok = False
|
|
self.start_threads()
|
|
self.monitor_progress()
|
|
tryok = True
|
|
except SystemExit:
|
|
pass
|
|
except KeyboardInterrupt:
|
|
print
|
|
except:
|
|
logger.exception(exc_info()[1])
|
|
|
|
hits_count = sum(p.hits_count for p in self.thread_progress)
|
|
done_count = sum(p.done_count for p in self.thread_progress)
|
|
skip_count = sum(p.skip_count for p in self.thread_progress)
|
|
fail_count = sum(p.fail_count for p in self.thread_progress)
|
|
|
|
total_time = time() - self.start_time
|
|
speed_avg = done_count / total_time
|
|
|
|
if self.from_stdin:
|
|
if tryok:
|
|
self.total_size = done_count+skip_count
|
|
else:
|
|
self.total_size = -1
|
|
|
|
self.show_final()
|
|
|
|
logger.info('Hits/Done/Skip/Fail/Size: %d/%d/%d/%d/%d, Avg: %d r/s, Time: %s' % (hits_count,
|
|
done_count, skip_count, fail_count, self.total_size, speed_avg,
|
|
pprint_seconds(total_time, '%dh %dm %ds')))
|
|
|
|
if not tryok:
|
|
resume = []
|
|
for i, p in enumerate(self.thread_progress):
|
|
c = p.done_count
|
|
if self.resume:
|
|
if i < len(self.resume):
|
|
c += self.resume[i]
|
|
resume.append(str(c))
|
|
|
|
logger.info('To resume execution, pass --resume %s' % ','.join(resume))
|
|
|
|
def push_final(self, resp): pass
|
|
def show_final(self): pass
|
|
|
|
def start_threads(self):
|
|
gqueues = [Queue(maxsize=10000) for i in range(self.num_threads)]
|
|
|
|
# producer
|
|
t = Thread(target=self.produce, args=(gqueues,))
|
|
t.daemon = True
|
|
t.start()
|
|
|
|
class Progress:
|
|
def __init__(self):
|
|
self.current = ''
|
|
self.done_count = 0
|
|
self.hits_count = 0
|
|
self.skip_count = 0
|
|
self.fail_count = 0
|
|
self.seconds = [1]*25 # avoid division by zero early bug condition
|
|
|
|
# consumers
|
|
for num in range(self.num_threads):
|
|
pqueue = Queue()
|
|
t = Thread(target=self.consume, args=(gqueues[num], pqueue))
|
|
t.daemon = True
|
|
t.start()
|
|
self.thread_report.append(pqueue)
|
|
self.thread_progress.append(Progress())
|
|
|
|
def produce(self, queues):
|
|
|
|
iterables = []
|
|
for _, (t, v, _) in self.iter_keys.items():
|
|
|
|
if t in ('FILE', 'COMBO'):
|
|
size = 0
|
|
fds = []
|
|
|
|
for f in v.split(','):
|
|
if f == '-': # stdin
|
|
from sys import maxint
|
|
size += maxint
|
|
fds.append(stdin)
|
|
self.from_stdin = True
|
|
|
|
else:
|
|
f = os.path.expanduser(f)
|
|
size += sum(1 for _ in open(f))
|
|
fds.append(open(f))
|
|
|
|
iterable = chain(*fds)
|
|
|
|
elif t == 'NET':
|
|
subnets = [IP(n, make_net=True) for n in v.split(',')]
|
|
size = sum(len(s) for s in subnets)
|
|
iterable = chain(*subnets)
|
|
|
|
elif t == 'MOD':
|
|
iterable, size = self.module.available_keys[v]()
|
|
|
|
else:
|
|
raise NotImplementedError("Incorrect keyword '%s'" % t)
|
|
|
|
self.total_size *= size
|
|
iterables.append(iterable)
|
|
|
|
if self.stop:
|
|
self.total_size = self.stop - self.start
|
|
else:
|
|
self.total_size -= self.start
|
|
|
|
if self.resume:
|
|
self.resume = [int(i) for i in self.resume.split(',')]
|
|
self.total_size -= sum(self.resume)
|
|
|
|
logger.info('')
|
|
logger.info('%-15s | %-25s \t | %5s | %s' % ('code & size', 'candidate', 'num', 'mesg'))
|
|
logger.info('-' * 63)
|
|
|
|
self.start_time = time()
|
|
count = 0
|
|
for pp in islice(product(*iterables), self.start, self.stop):
|
|
|
|
cid = count % self.num_threads
|
|
prod = [str(p).strip('\r\n') for p in pp]
|
|
|
|
if self.resume:
|
|
idx = count % len(self.resume)
|
|
off = self.resume[idx]
|
|
|
|
if count < off * len(self.resume):
|
|
logger.debug('Skipping %d %s, resume[%d]: %s' % (count, ':'.join(prod), idx, self.resume[idx]))
|
|
count += 1
|
|
continue
|
|
|
|
queues[cid].put(prod)
|
|
count += 1
|
|
|
|
for q in queues:
|
|
q.put(None)
|
|
|
|
def consume(self, gqueue, pqueue):
|
|
module = self.module()
|
|
rate_count = 0
|
|
|
|
while True:
|
|
prod = gqueue.get()
|
|
if not prod: return
|
|
|
|
payload = self.payload.copy()
|
|
|
|
for i, (t, _, keys) in self.iter_keys.items():
|
|
if t == 'FILE':
|
|
for k in keys:
|
|
payload[k] = payload[k].replace('FILE%d' % i, prod[i])
|
|
elif t == 'NET':
|
|
for k in keys:
|
|
payload[k] = payload[k].replace('NET%d' % i, prod[i])
|
|
elif t == 'COMBO':
|
|
for j, k in keys:
|
|
payload[k] = payload[k].replace('COMBO%d%d' % (i, j), prod[i].split(self.combo_delim)[j])
|
|
elif t == 'MOD':
|
|
for k in keys:
|
|
payload[k] = payload[k].replace('MOD%d' %i, prod[i])
|
|
|
|
for k, m, e in self.enc_keys:
|
|
payload[k] = re.sub(r'{0}(.+?){0}'.format(m), lambda m: e(m.group(1)), payload[k])
|
|
|
|
pp_prod = ':'.join(prod)
|
|
logger.debug('pp_prod: %s' % pp_prod)
|
|
|
|
if self.check_free(payload):
|
|
pqueue.put_nowait(('skip', pp_prod, None, 0))
|
|
continue
|
|
|
|
num_try = 0
|
|
start_time = time()
|
|
while num_try < self.max_retries or self.max_retries < 0:
|
|
num_try += 1
|
|
|
|
while self.paused:
|
|
sleep(1)
|
|
|
|
if self.rate_reset > 0:
|
|
if rate_count >= self.rate_reset:
|
|
logger.debug('Reset module')
|
|
module = self.module()
|
|
rate_count = 0
|
|
|
|
if self.rate_limit:
|
|
sleep(self.rate_limit)
|
|
|
|
logger.debug('payload: %s' % payload)
|
|
|
|
try:
|
|
rate_count += 1
|
|
resp = module.execute(**payload)
|
|
|
|
except:
|
|
e_type, e_value, _ = exc_info()
|
|
resp = '%s, %s' % (e_type, e_value.args)
|
|
logger.debug('except: %s' % resp)
|
|
module = self.module()
|
|
rate_count = 0
|
|
sleep(self.failure_delay)
|
|
continue
|
|
|
|
actions = self.lookup_actions(resp)
|
|
pqueue.put_nowait((actions, pp_prod, resp, time() - start_time))
|
|
|
|
for name in self.module_actions:
|
|
if name in actions:
|
|
getattr(module, name)(**payload)
|
|
|
|
if 'free' in actions:
|
|
opts = actions['free']
|
|
self.register_free(payload, opts)
|
|
|
|
if 'retry' in actions:
|
|
logger.debug('Retry %d/%d: %s' % (num_try, self.max_retries, resp))
|
|
sleep(self.failure_delay)
|
|
continue
|
|
|
|
break
|
|
|
|
else:
|
|
pqueue.put_nowait((['fail'], pp_prod, resp, time() - start_time))
|
|
|
|
def monitor_progress(self):
|
|
while active_count() > 1:
|
|
self.report_progress()
|
|
|
|
if not self.from_stdin:
|
|
self.monitor_interaction()
|
|
|
|
self.report_progress()
|
|
|
|
def report_progress(self):
|
|
for i, pq in enumerate(self.thread_report):
|
|
p = self.thread_progress[i]
|
|
|
|
while True:
|
|
|
|
try:
|
|
actions, current, resp, seconds = pq.get_nowait()
|
|
logger.debug('actions: %s' % actions)
|
|
|
|
except Empty:
|
|
break
|
|
|
|
if actions == 'skip':
|
|
p.skip_count += 1
|
|
continue
|
|
|
|
offset = (self.start + p.done_count * self.num_threads) + i + 1
|
|
p.current = current
|
|
p.seconds[p.done_count % len(p.seconds)] = seconds
|
|
|
|
if 'fail' in actions:
|
|
p.fail_count += 1
|
|
p.done_count += 1
|
|
logger.warn('%-15s | %-25s \t | %5d | %s' % ('xxx', current, offset, resp))
|
|
continue
|
|
|
|
if 'ignore' not in actions:
|
|
p.hits_count += 1
|
|
logger.info('%-15s | %-25s \t | %5d | %s' % (resp.compact(), current, offset, resp))
|
|
|
|
if self.log_dir:
|
|
filename = '%d_%s' % (offset, resp.compact().replace(' ', '_'))
|
|
with open('%s/%s.txt' % (self.log_dir, filename), 'w') as f:
|
|
f.write(resp.dump())
|
|
|
|
self.push_final(resp)
|
|
|
|
if 'retry' not in actions:
|
|
p.done_count += 1
|
|
|
|
if 'quit' in actions:
|
|
logger.info('Quitting (user match condition)')
|
|
raise SystemExit
|
|
|
|
|
|
def monitor_interaction(self):
|
|
|
|
i, _, _ = select([stdin], [], [], .1)
|
|
if not i: return
|
|
command = i[0].readline().strip()
|
|
|
|
if command == 'h':
|
|
logger.info('''Available commands:
|
|
h show help
|
|
<Enter> show progress
|
|
d/D increase/decrease debug level
|
|
p pause progress
|
|
f show verbose progress
|
|
x arg add monitor condition
|
|
a show all active conditions
|
|
q terminate execution now
|
|
''')
|
|
|
|
elif command == 'q':
|
|
raise KeyboardInterrupt
|
|
|
|
elif command == 'p':
|
|
self.paused = not self.paused
|
|
logger.info(self.paused and 'Paused' or 'Unpaused')
|
|
|
|
elif command == 'd':
|
|
logger.setLevel(logging.DEBUG)
|
|
|
|
elif command == 'D':
|
|
logger.setLevel(logging.INFO)
|
|
|
|
elif command == 'a':
|
|
logger.info(self.actions)
|
|
|
|
elif command.startswith('x'):
|
|
_, arg = command.split(' ', 1)
|
|
self.update_actions(arg)
|
|
|
|
else: # show progress
|
|
total_count = sum(p.done_count for p in self.thread_progress)
|
|
speed_avg = self.num_threads / (sum(sum(p.seconds) / len(p.seconds) for p in self.thread_progress) / self.num_threads)
|
|
remain_seconds = (self.total_size - total_count) / speed_avg
|
|
etc_time = datetime.now() + timedelta(seconds = remain_seconds)
|
|
|
|
logger.info('Progress: {0:>3}% ({1}/{2}) | Speed: {3:.0f} r/s | ETC: {4} ({5} remaining) {6}'.format(
|
|
total_count * 100/self.total_size,
|
|
total_count,
|
|
self.total_size,
|
|
speed_avg,
|
|
etc_time.strftime('%H:%M:%S'),
|
|
pprint_seconds(remain_seconds, '%02d:%02d:%02d'),
|
|
self.paused and '| Paused' or ''))
|
|
|
|
if command == 'f':
|
|
for i, p in enumerate(self.thread_progress):
|
|
logger.info(' #{0}: {1:>3}% ({2}/{3}) {4}'.format(
|
|
i,
|
|
p.done_count * 100/(self.total_size/self.num_threads),
|
|
p.done_count,
|
|
self.total_size/self.num_threads,
|
|
p.current))
|
|
|
|
# }}}
|
|
|
|
# Response_Base {{{
|
|
def match_size(size, val):
|
|
if '-' in val:
|
|
size_min, size_max = val.split('-')
|
|
|
|
if not size_min and not size_max:
|
|
raise ValueError('Invalid interval')
|
|
|
|
elif not size_min: # size == -N
|
|
return size <= int(size_max)
|
|
|
|
elif not size_max: # size == N-
|
|
return size >= int(size_min)
|
|
|
|
else:
|
|
size_min, size_max = int(size_min), int(size_max)
|
|
if size_min >= size_max:
|
|
raise ValueError('Invalid interval')
|
|
|
|
return size_min <= size <= size_max
|
|
|
|
else:
|
|
return size == int(val)
|
|
|
|
class Response_Base:
|
|
|
|
available_conditions = (
|
|
('code', 'match status code'),
|
|
('size', 'match size (N or N-M or N- or -N)'),
|
|
('mesg', 'match message'),
|
|
('fgrep', 'search for string'),
|
|
('egrep', 'search for regex'),
|
|
)
|
|
|
|
def __init__(self, code, mesg, trace=''):
|
|
self.code, self.mesg = code, mesg
|
|
self.size = len(self.mesg)
|
|
self.trace = trace
|
|
|
|
def compact(self):
|
|
return '%s %d' % (self.code, self.size)
|
|
|
|
def __str__(self):
|
|
return self.mesg
|
|
|
|
def match(self, key, val):
|
|
return getattr(self, 'match_'+key)(val)
|
|
|
|
def match_code(self, val):
|
|
return val == str(self.code)
|
|
|
|
def match_size(self, val):
|
|
return match_size(self.size, val)
|
|
|
|
def match_mesg(self, val):
|
|
return val == self.mesg
|
|
|
|
def match_fgrep(self, val):
|
|
return val in str(self)
|
|
|
|
def match_egrep(self, val):
|
|
return re.search(val, str(self))
|
|
|
|
def dump(self):
|
|
return self.trace or str(self)
|
|
|
|
# }}}
|
|
|
|
# TCP_Cache {{{
|
|
class TCP_Cache:
|
|
|
|
available_actions = (
|
|
('reset', 'close current connection in order to reconnect for next probe'),
|
|
)
|
|
|
|
available_options = (
|
|
('persistent', 'use persistent connections [1|0]'),
|
|
)
|
|
|
|
cache_keys = ('host', 'port')
|
|
|
|
def __init__(self):
|
|
self.cache = {} # {'10.0.0.1:21': fp, ...}
|
|
|
|
def __del__(self):
|
|
for k in self.cache:
|
|
fp = self.cache[k]
|
|
try: fp.close()
|
|
except: pass
|
|
|
|
def get_key(self, **kwargs):
|
|
keys = []
|
|
for k in self.cache_keys:
|
|
if k in kwargs:
|
|
keys.append(kwargs[k])
|
|
return ':'.join(k for k in keys if k is not None), keys
|
|
|
|
def get_tcp(self, persistent, **kwargs):
|
|
k, z = self.get_key(**kwargs)
|
|
if k not in self.cache:
|
|
|
|
logger.debug('New connection: %s' % k)
|
|
fp, banner = self.new_tcp(*z)
|
|
|
|
if persistent == '1':
|
|
self.cache[k] = fp
|
|
|
|
else:
|
|
fp, banner = self.cache[k], ''
|
|
|
|
return fp, banner
|
|
|
|
def del_tcp(self, k):
|
|
if k in self.cache:
|
|
logger.debug('Delete connection: %s' % k)
|
|
fp = self.cache[k]
|
|
try: fp.close()
|
|
except: pass
|
|
del self.cache[k]
|
|
|
|
def reset(self, **kwargs):
|
|
k, _ = self.get_key(**kwargs)
|
|
logger.debug('Reset connection: %s' % k)
|
|
self.del_tcp(k)
|
|
|
|
# }}}
|
|
|
|
# FTP {{{
|
|
from ftplib import FTP, Error as FTP_Error
|
|
class FTP_login(TCP_Cache):
|
|
'''Brute-force FTP authentication'''
|
|
|
|
usage_hints = (
|
|
"""%prog host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt"""
|
|
""" -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500 -x reset:fgrep='Login success'""",
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [21]'),
|
|
('user', 'usernames to test'),
|
|
('password', 'passwords to test'),
|
|
)
|
|
available_options += TCP_Cache.available_options
|
|
|
|
Response = Response_Base
|
|
|
|
def new_tcp(self, host, port):
|
|
fp = FTP()
|
|
resp = fp.connect(host, int(port or 21))
|
|
return fp, resp
|
|
|
|
def execute(self, host, port=None, user=None, password=None, persistent='1'):
|
|
try:
|
|
fp, resp = self.get_tcp(persistent, host=host, port=port)
|
|
|
|
if user is not None:
|
|
resp = fp.sendcmd('USER ' + user)
|
|
if password is not None:
|
|
resp = fp.sendcmd('PASS ' + password)
|
|
|
|
logger.debug('No error: %s' % resp)
|
|
|
|
except FTP_Error as e:
|
|
resp = str(e)
|
|
logger.debug('FTP_Error: %s' % resp)
|
|
|
|
except EOFError:
|
|
logger.debug('EOFError')
|
|
resp = '500 Connection reset by peer'
|
|
|
|
except socket.error:
|
|
logger.debug('socket.error')
|
|
resp = '500 Connection reset by peer'
|
|
|
|
code, mesg = resp.split(' ', 1)
|
|
return self.Response(code, mesg)
|
|
|
|
# }}}
|
|
|
|
# SSH {{{
|
|
try:
|
|
import paramiko
|
|
l = logging.getLogger('paramiko.transport')
|
|
l.setLevel(logging.CRITICAL)
|
|
l.addHandler(handler)
|
|
except ImportError:
|
|
warnings.append('paramiko')
|
|
|
|
class SSH_login(TCP_Cache):
|
|
'''Brute-force SSH authentication'''
|
|
|
|
usage_hints = (
|
|
"""%prog host=10.0.0.1 user=root password=FILE0 0=passwords.txt"""
|
|
""" -x ignore:mesg='Authentication failed.' -x ignore,reset,retry:mesg='No existing session' -x reset:code=0""",
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [22]'),
|
|
('user', 'usernames to test'),
|
|
('password', 'passwords to test'),
|
|
('auth_type', 'auth type to use [password|keyboard-interactive]'),
|
|
)
|
|
available_options += TCP_Cache.available_options
|
|
|
|
Response = Response_Base
|
|
|
|
cache_keys = ('host', 'port', 'user')
|
|
def new_tcp(self, host, port, user):
|
|
fp = paramiko.Transport('%s:%s' % (host, int(port or 22)))
|
|
fp.start_client()
|
|
return fp, fp.remote_version
|
|
|
|
def execute(self, host, port=None, user=None, password=None, persistent='1', auth_type='password'):
|
|
try:
|
|
fp, resp = self.get_tcp(persistent, host=host, port=port, user=user)
|
|
|
|
if user is not None and password is not None:
|
|
if auth_type == 'password':
|
|
fp.auth_password(user, password, fallback=False)
|
|
|
|
elif auth_type == 'keyboard-interactive':
|
|
fp.auth_interactive(user, lambda a,b,c: [password] if len(c) == 1 else [])
|
|
|
|
else:
|
|
raise NotImplementedError("Incorrect auth_type '%s'" % auth_type)
|
|
|
|
logger.debug('No error')
|
|
code, mesg = '0', resp
|
|
|
|
except paramiko.AuthenticationException as e:
|
|
code, mesg = '1', str(e)
|
|
logger.debug('AuthenticationException: %s' % mesg)
|
|
|
|
except paramiko.SSHException as e:
|
|
code, mesg = '1', str(e)
|
|
logger.debug('SSHException: %s' % mesg)
|
|
|
|
return self.Response(code, mesg)
|
|
|
|
# }}}
|
|
|
|
# Telnet {{{
|
|
from telnetlib import Telnet
|
|
class Telnet_login(TCP_Cache):
|
|
'''Brute-force Telnet authentication'''
|
|
|
|
usage_hints = (
|
|
"""%prog host=10.0.0.1 inputs='FILE0\\nFILE1' 0=logins.txt 1=passwords.txt persistent=0"""
|
|
""" prompt_re='Username:|Password:' -x ignore:egrep='Login incorrect.+Username:'""",
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [23]'),
|
|
('inputs', 'list of values to input'),
|
|
('prompt_re', 'regular expression to match prompts [\w+]'),
|
|
('timeout', 'seconds to wait for prompt_re to match received data [20]'),
|
|
)
|
|
available_options += TCP_Cache.available_options
|
|
|
|
Response = Response_Base
|
|
|
|
def new_tcp(self, host, port):
|
|
fp = Telnet(host, int(port or 23))
|
|
self.prompt_count = 0
|
|
return fp, None
|
|
|
|
def execute(self, host, port=None, inputs=None, prompt_re='\w+:', timeout='20', persistent='1'):
|
|
fp, _ = self.get_tcp(persistent, host=host, port=port)
|
|
trace = ''
|
|
timeout = int(timeout)
|
|
|
|
if self.prompt_count == 0:
|
|
_, _, raw = fp.expect([prompt_re], timeout=timeout)
|
|
logger.debug('raw banner: %s' % repr(raw))
|
|
trace += raw
|
|
self.prompt_count += 1
|
|
|
|
try:
|
|
for val in inputs.split(r'\n'):
|
|
logger.debug('input: %s' % val)
|
|
cmd = val + '\n' #'\r\x00'
|
|
fp.write(cmd)
|
|
trace += cmd
|
|
|
|
_, _, raw = fp.expect([prompt_re], timeout=timeout)
|
|
logger.debug('raw %d: %s' % (self.prompt_count, repr(raw)))
|
|
trace += raw
|
|
self.prompt_count += 1
|
|
|
|
mesg = repr(raw)[1:-1] # strip enclosing single quotes
|
|
|
|
except EOFError as e:
|
|
mesg = 'EOFError: %s' % e
|
|
logger.debug(mesg)
|
|
|
|
return self.Response('0', mesg, trace)
|
|
|
|
# }}}
|
|
|
|
# SMTP {{{
|
|
from smtplib import SMTP, SMTPAuthenticationError, SMTPHeloError, SMTPException
|
|
class SMTP_Base(TCP_Cache):
|
|
|
|
available_options = TCP_Cache.available_options
|
|
available_options += (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [25]'),
|
|
('helo', 'first command to send after connect [None]'),
|
|
('user', 'usernames to test'),
|
|
)
|
|
|
|
Response = Response_Base
|
|
|
|
cache_keys = ('host', 'port', 'helo')
|
|
|
|
def new_tcp(self, host, port, helo):
|
|
fp = SMTP()
|
|
resp = fp.connect(host, int(port or 25))
|
|
|
|
if helo:
|
|
cmd, name = helo.split(' ', 1)
|
|
|
|
if cmd.lower() == 'ehlo':
|
|
resp = fp.ehlo(name)
|
|
else:
|
|
resp = fp.helo(name)
|
|
|
|
return fp, resp
|
|
|
|
|
|
class SMTP_vrfy(SMTP_Base):
|
|
'''Enumerate valid users using SMTP VRFY'''
|
|
|
|
usage_hints = (
|
|
'''%prog host=10.0.0.1 user=FILE0 0=logins.txt [helo='ehlo its.me.com']'''
|
|
''' -x ignore:fgrep='User unknown' -x ignore,reset,retry:code=421''',
|
|
)
|
|
|
|
def execute(self, host, port=None, helo=None, user=None, persistent='1'):
|
|
fp, resp = self.get_tcp(persistent, host=host, port=port, helo=helo)
|
|
|
|
if user is not None:
|
|
resp = fp.verify(user)
|
|
|
|
code, mesg = resp
|
|
return self.Response(code, mesg)
|
|
|
|
|
|
class SMTP_rcpt(SMTP_Base):
|
|
'''Enumerate valid users using SMTP RCPT TO'''
|
|
|
|
usage_hints = (
|
|
'''%prog host=10.0.0.1 user=FILE0@localhost 0=logins.txt [helo='ehlo its.me.com']'''
|
|
''' [mail_from=bar@example.com] -x ignore:fgrep='User unknown' -x ignore,reset,retry:code=421''',
|
|
)
|
|
|
|
available_options = SMTP_Base.available_options
|
|
available_options += (
|
|
('mail_from', 'sender email [test@example.org]'),
|
|
)
|
|
|
|
def execute(self, host, port=None, helo=None, mail_from='test@example.org', user=None, persistent='1'):
|
|
fp, resp = self.get_tcp(persistent, host=host, port=port, helo=helo)
|
|
|
|
if mail_from:
|
|
resp = fp.mail(mail_from)
|
|
|
|
if user:
|
|
resp = fp.rcpt(user)
|
|
|
|
fp.rset()
|
|
|
|
code, mesg = resp
|
|
return self.Response(code, mesg)
|
|
|
|
|
|
class SMTP_login(SMTP_Base):
|
|
'''Brute-force SMTP authentication'''
|
|
|
|
usage_hints = (
|
|
'''%prog host=10.0.0.1 user=f.bar@dom.com password=FILE0 0=passwords.txt [helo='ehlo its.me.com']'''
|
|
''' -x ignore:fgrep='Authentication failed' -x ignore,reset,retry:code=421''',
|
|
)
|
|
|
|
available_options = SMTP_Base.available_options
|
|
available_options += (
|
|
('password', 'passwords to test'),
|
|
)
|
|
|
|
def execute(self, host, port=None, helo=None, user='', password='', persistent='1'):
|
|
fp, resp = self.get_tcp(persistent, host=host, port=port, helo=helo)
|
|
|
|
try:
|
|
resp = fp.login(user, password)
|
|
|
|
except (SMTPHeloError,SMTPAuthenticationError,SMTPException) as resp:
|
|
logger.debug('SMTPError: %s' % resp)
|
|
|
|
code, mesg = resp
|
|
return self.Response(code, mesg)
|
|
|
|
# }}}
|
|
|
|
# LDAP {{{
|
|
if not which('ldapsearch'):
|
|
warnings.append('openldap')
|
|
|
|
class Response_LDAP(Response_Base):
|
|
def __init__(self, resp):
|
|
self.code, self.out, self.err = resp
|
|
self.size = len(self.out + self.err)
|
|
self.mesg = ', '.join(p.strip() for p in self.out.splitlines() + self.err.splitlines())
|
|
|
|
def dump(self):
|
|
return '\n'.join(['out:', self.out, 'err:', self.err])
|
|
|
|
# Because python-ldap-2.4.4 did not allow using a PasswordPolicyControl
|
|
# during bind authentication (cf. http://article.gmane.org/gmane.comp.python.ldap/1003),
|
|
# I chose to wrap around ldapsearch with "-e ppolicy".
|
|
|
|
class LDAP_login:
|
|
'''Brute-force LDAP authentication'''
|
|
|
|
usage_hints = (
|
|
"""%prog host=10.0.0.1 bindn='cn=Directory Manager' bindpw=FILE0 0=passwords.txt"""
|
|
""" -x ignore:mesg='ldap_bind: Invalid credentials (49)'""",
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [389]'),
|
|
('binddn', 'usernames to test'),
|
|
('bindpw', 'passwords to test'),
|
|
('basedn', 'base DN for search'),
|
|
('ssl', 'use SSL/TLS [0|1]'),
|
|
)
|
|
available_actions = ()
|
|
|
|
Response = Response_LDAP
|
|
|
|
def execute(self, host, port='389', binddn='', bindpw='', basedn='', ssl='0'):
|
|
uri = 'ldap%s://%s:%s' % ('s' if ssl != '0' else '', host, port)
|
|
cmd = ['ldapsearch', '-H', uri, '-e', 'ppolicy', '-D', binddn, '-w', bindpw, '-b', basedn]
|
|
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env={'LDAPTLS_REQCERT': 'never'})
|
|
out = p.stdout.read()
|
|
err = p.stderr.read()
|
|
code = p.wait()
|
|
|
|
return self.Response((code, out, err))
|
|
|
|
# }}}
|
|
|
|
# SMB {{{
|
|
try:
|
|
from impacket import smb as impacket_smb
|
|
except ImportError:
|
|
warnings.append('impacket')
|
|
|
|
class SMB_login(TCP_Cache):
|
|
'''Brute-force SMB authentication'''
|
|
|
|
usage_hints = (
|
|
"""%prog host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt"""
|
|
""" -x ignore:fgrep=STATUS_LOGON_FAILURE -x reset:code=0""",
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [139]'),
|
|
('user', 'usernames to test'),
|
|
('password', 'passwords to test'),
|
|
('password_hash', "LM/NT hashes to test, at least one hash must be provided ('lm:nt' or ':nt' or 'lm:')"),
|
|
('domain', 'domains to test'),
|
|
)
|
|
available_options += TCP_Cache.available_options
|
|
|
|
Response = Response_Base
|
|
|
|
# ripped from medusa smbnt.c
|
|
error_map = {
|
|
0xFF: 'UNKNOWN_ERROR_CODE',
|
|
0x00: 'STATUS_SUCCESS',
|
|
0x0D: 'STATUS_INVALID_PARAMETER',
|
|
0x5E: 'STATUS_NO_LOGON_SERVERS',
|
|
0x6D: 'STATUS_LOGON_FAILURE',
|
|
0x6E: 'STATUS_ACCOUNT_RESTRICTION',
|
|
0x6F: 'STATUS_INVALID_LOGON_HOURS',
|
|
0x70: 'STATUS_INVALID_WORKSTATION',
|
|
0x71: 'STATUS_PASSWORD_EXPIRED',
|
|
0x72: 'STATUS_ACCOUNT_DISABLED',
|
|
0x5B: 'STATUS_LOGON_TYPE_NOT_GRANTED',
|
|
0x8D: 'STATUS_TRUSTED_RELATIONSHIP_FAILURE',
|
|
0x93: 'STATUS_ACCOUNT_EXPIRED',
|
|
0x24: 'STATUS_PASSWORD_MUST_CHANGE',
|
|
0x34: 'STATUS_ACCOUNT_LOCKED_OUT',
|
|
0x01: 'AS400_STATUS_LOGON_FAILURE',
|
|
}
|
|
|
|
def new_tcp(self, host, port):
|
|
fp = impacket_smb.SMB("*SMBSERVER", host, sess_port=int(port or 139))
|
|
return fp, fp.get_server_name()
|
|
|
|
def execute(self, host, port=None, user=None, password=None, password_hash=None, domain='', persistent='1'):
|
|
fp, mesg = self.get_tcp(persistent, host=host, port=port)
|
|
|
|
try:
|
|
if user is not None:
|
|
if password is not None:
|
|
fp.login(user, password, domain)
|
|
|
|
else:
|
|
lmhash, nthash = password_hash.split(':')
|
|
fp.login(user, '', domain, lmhash, nthash)
|
|
|
|
code = '0'
|
|
|
|
except impacket_smb.SessionError as e:
|
|
code = '%x-%x' % (e.error_class, e.error_code)
|
|
mesg = self.error_map.get(e.error_code, '')
|
|
|
|
error_class = e.error_classes.get(e.error_class, None) # (ERRNT, {})
|
|
if error_class:
|
|
class_str = error_class[0] # 'ERRNT'
|
|
error_tuple = error_class[1].get(e.error_code, None) # ('ERRnoaccess', 'Access denied.') or None
|
|
|
|
if error_tuple:
|
|
mesg += ' - %s %s' % error_tuple
|
|
else:
|
|
mesg += ' - %s' % class_str
|
|
|
|
return self.Response(code, mesg)
|
|
|
|
# }}}
|
|
|
|
# POP {{{
|
|
class Passd_Error(Exception): pass
|
|
class Passd:
|
|
def connect(self, host, port):
|
|
self.fp = socket.create_connection((host, port))
|
|
return self.getresp() # welcome banner
|
|
|
|
def close(self):
|
|
self.fp.close()
|
|
|
|
def sendcmd(self, cmd):
|
|
self.fp.sendall(cmd + '\r\n')
|
|
return self.getresp()
|
|
|
|
def getresp(self):
|
|
resp = self.fp.recv(1024)
|
|
while not resp.endswith('\r\n'):
|
|
resp += self.fp.recv(1024)
|
|
|
|
code, _ = self.unparse(resp)
|
|
if not code.startswith('2'):
|
|
raise Passd_Error(resp)
|
|
|
|
return resp
|
|
|
|
def unparse(self, resp):
|
|
i = resp.rstrip().rfind('\n') + 1
|
|
code = resp[i:i+3]
|
|
mesg = resp[i+4:]
|
|
|
|
return code, mesg
|
|
|
|
class POP_passd:
|
|
'''Brute-force poppassd authentication (http://netwinsite.com/poppassd/ not POP3)'''
|
|
|
|
usage_hints = (
|
|
'''%prog host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:code=500''',
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [106]'),
|
|
('user', 'usernames to test'),
|
|
('password', 'passwords to test'),
|
|
)
|
|
available_actions = ()
|
|
|
|
Response = Response_Base
|
|
|
|
def execute(self, host, port=None, user=None, password=None):
|
|
try:
|
|
fp = Passd()
|
|
resp = fp.connect(host, int(port or 106))
|
|
trace = resp
|
|
|
|
if user is not None:
|
|
cmd = 'user %s' % user
|
|
resp = fp.sendcmd(cmd)
|
|
trace += '\r\n'.join((cmd, resp))
|
|
|
|
if password is not None:
|
|
cmd = 'pass %s' % password
|
|
resp = fp.sendcmd(cmd)
|
|
trace += '\r\n'.join((cmd, resp))
|
|
|
|
except Passd_Error as e:
|
|
resp = str(e)
|
|
logger.debug('Passd_Error: %s' % resp)
|
|
trace += '\r\n'.join((cmd, resp))
|
|
|
|
finally:
|
|
fp.close()
|
|
|
|
code, mesg = fp.unparse(resp)
|
|
return self.Response(code, mesg, trace)
|
|
|
|
# }}}
|
|
|
|
# MySQL {{{
|
|
try:
|
|
import _mysql
|
|
except ImportError:
|
|
warnings.append('mysql-python')
|
|
|
|
class MySQL_login:
|
|
'''Brute-force MySQL authentication'''
|
|
|
|
usage_hints = (
|
|
"""%prog host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:fgrep='Access denied for user'""",
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [3306]'),
|
|
('user', 'usernames to test'),
|
|
('password', 'passwords to test'),
|
|
)
|
|
available_actions = ()
|
|
|
|
Response = Response_Base
|
|
|
|
def execute(self, host, port=None, user='anony', password=''):
|
|
|
|
try:
|
|
fp = _mysql.connect(host=host, port=int(port or 3306), user=user, passwd=password)
|
|
resp = '0', fp.get_server_info()
|
|
|
|
except _mysql.Error as resp: pass
|
|
|
|
code, mesg = resp
|
|
return self.Response(code, mesg)
|
|
|
|
# }}}
|
|
|
|
# MSSQL {{{
|
|
# I did not use pymssql because neither version 1.x nor 2.0.0b1_dev were multithreads safe (they all segfault)
|
|
class MSSQL:
|
|
# ripped from medusa mssql.c
|
|
hdr = '\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
|
|
pt2 = '\x30\x30\x30\x30\x30\x30\x61\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x20\x18\x81\xb8\x2c\x08\x03\x01\x06\x0a\x09\x01\x01\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x73\x71\x75\x65\x6c\x64\x61\x20\x31\x2e\x30\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
|
|
pt3 = '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x04\x02\x00\x00\x4d\x53\x44\x42\x4c\x49\x42\x00\x00\x00\x07\x06\x00\x00' \
|
|
'\x00\x00\x0d\x11\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00'
|
|
|
|
langp = '\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x30\x30\x00\x00' \
|
|
'\x00\x03\x00\x00\x00'
|
|
|
|
def connect(self, host, port):
|
|
self.fp = socket.create_connection((host, port))
|
|
|
|
def login(self, user, password):
|
|
MAX_LEN = 30
|
|
user_len = len(user)
|
|
password_len = len(password)
|
|
data = self.hdr + user[:MAX_LEN] + '\x00' * (MAX_LEN - user_len) + chr(user_len) + \
|
|
password[:MAX_LEN] + '\x00' * (MAX_LEN - password_len) + chr(password_len) + self.pt2 + chr(password_len) + \
|
|
password[:MAX_LEN] + '\x00' * (MAX_LEN - password_len) + self.pt3
|
|
|
|
self.fp.sendall(data)
|
|
self.fp.sendall(self.langp)
|
|
|
|
resp = self.fp.recv(1024)
|
|
code, size = self.parse(resp)
|
|
|
|
return code, size
|
|
|
|
def parse(self, resp):
|
|
i = 8
|
|
while True:
|
|
resp = resp[i:]
|
|
code, size = unpack('<cH', resp[:3])
|
|
#logger.debug('code: %s / size: %d' % (code.encode('hex'), size))
|
|
|
|
if code == '\xfd': # Done
|
|
break
|
|
|
|
if code in ('\xaa', '\xab') : # Error or Info message
|
|
num, state, severity, msg_len = unpack('IBBB', resp[3:10])
|
|
msg = resp[11:11+msg_len]
|
|
return num, msg
|
|
|
|
i = size + 3
|
|
|
|
raise Exception('Failed to parse response')
|
|
|
|
class MSSQL_login:
|
|
'''Brute-force MSSQL authentication'''
|
|
|
|
usage_hints = (
|
|
"""%prog host=10.0.0.1 user=sa password=FILE0 0=passwords.txt -x ignore:fgrep='Login failed for user'""",
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [1433]'),
|
|
('user', 'usernames to test'),
|
|
('password', 'passwords to test'),
|
|
)
|
|
available_actions = ()
|
|
|
|
Response = Response_Base
|
|
|
|
def __init__(self):
|
|
self.m = MSSQL()
|
|
|
|
def execute(self, host, port=None, user='', password=''):
|
|
self.m.connect(host, int(port or 1433))
|
|
code, mesg = self.m.login(user, password)
|
|
return self.Response(code, mesg)
|
|
|
|
# }}}
|
|
|
|
# Oracle {{{
|
|
try:
|
|
import cx_Oracle
|
|
except ImportError:
|
|
warnings.append('cx_Oracle')
|
|
|
|
class Oracle_login:
|
|
'''Brute-force Oracle authentication'''
|
|
|
|
usage_hints = (
|
|
"""%prog host=10.0.0.1 sid=FILE0 0=sids.txt -x ignore:code=ORA-12505""",
|
|
"""%prog host=10.0.0.1 user=SYS password=FILE0 0=passwords.txt -x ignore:code=ORA-01017""",
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [1521]'),
|
|
('user', 'usernames to test'),
|
|
('password', 'passwords to test'),
|
|
('sid', 'sid or service names to test'),
|
|
)
|
|
available_actions = ()
|
|
|
|
Response = Response_Base
|
|
|
|
def execute(self, host, port=None, user='', password='', sid=''):
|
|
dsn = cx_Oracle.makedsn(host, port or '1521', sid)
|
|
try:
|
|
fp = cx_Oracle.connect(user, password, dsn)
|
|
code, mesg = '0', fp.version
|
|
|
|
except cx_Oracle.DatabaseError as e:
|
|
code, mesg = e[0].message[:-1].split(': ', 1)
|
|
|
|
return self.Response(code, mesg)
|
|
|
|
# }}}
|
|
|
|
# PostgreSQL {{{
|
|
try:
|
|
import psycopg2
|
|
except ImportError:
|
|
warnings.append('psycopg')
|
|
|
|
class Pgsql_login:
|
|
'''Brute-force PostgreSQL authentication'''
|
|
|
|
usage_hints = (
|
|
"""%prog host=10.0.0.1 user=postgres password=FILE0 0=passwords.txt -x ignore:fgrep='password authentication failed for user'""",
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [5432]'),
|
|
('user', 'usernames to test'),
|
|
('password', 'passwords to test'),
|
|
('database', 'databases to test [postgres]'),
|
|
)
|
|
available_actions = ()
|
|
|
|
Response = Response_Base
|
|
|
|
def execute(self, host, port=None, user=None, password=None, database='postgres', ssl='disable'):
|
|
try:
|
|
psycopg2.connect(host=host, port=int(port or 5432), user=user, password=password, database=database, sslmode=ssl)
|
|
code, mesg = '0', 'OK'
|
|
except psycopg2.OperationalError as e:
|
|
code, mesg = '1', str(e)[:-1]
|
|
|
|
return self.Response(code, mesg)
|
|
|
|
# }}}
|
|
|
|
# HTTP {{{
|
|
try:
|
|
import pycurl
|
|
except ImportError:
|
|
warnings.append('pycurl')
|
|
|
|
class Controller_HTTP(Controller):
|
|
def expand_key(self, arg):
|
|
key, val = arg.split('=', 1)
|
|
if key == 'url':
|
|
m = re.match(r'(?:(?P<scheme>.+)://)?(?P<host>.+?)(?::(?P<port>[^/]+))?/'\
|
|
+ '(?P<path>[^;?#]*)'\
|
|
+ '(?:\;(?P<params>[^?#]*))?'\
|
|
+ '(?:\?(?P<query>[^#]*))?'\
|
|
+ '(?:\#(?P<fragment>.*))?' , val)
|
|
|
|
if not m:
|
|
yield (key, val)
|
|
|
|
else:
|
|
for k, v in m.groupdict().items():
|
|
if v is not None:
|
|
yield (k, v)
|
|
else:
|
|
yield (key, val)
|
|
|
|
class Response_HTTP(Response_Base):
|
|
|
|
def __init__(self, code, content_length, response, trace):
|
|
self.code, self.content_length = code, content_length
|
|
self.response, self.trace = response, trace
|
|
self.size = len(self.response)
|
|
|
|
def compact(self):
|
|
return '%s %s' % (self.code, '%d:%d' % (self.size, self.content_length))
|
|
|
|
def __str__(self):
|
|
i = self.response.rfind('HTTP/', 0, 5000)
|
|
if i == -1:
|
|
return ''
|
|
else:
|
|
j = self.response.find('\n', i)
|
|
line = self.response[i:j]
|
|
return line.strip()
|
|
|
|
def match_clen(self, val):
|
|
return match_size(self.content_length, val)
|
|
|
|
def match_fgrep(self, val):
|
|
return val in self.response
|
|
|
|
def match_egrep(self, val):
|
|
return re.search(val, self.response, re.M)
|
|
|
|
available_conditions = Response_Base.available_conditions
|
|
available_conditions += (
|
|
('clen', 'match Content-Length header (N or N-M or N- or -N)'),
|
|
)
|
|
|
|
class HTTP_fuzz(TCP_Cache):
|
|
'''Fuzz HTTP/HTTPS'''
|
|
|
|
usage_hints = [
|
|
"""%prog url=http://10.0.0.1/FILE0 0=paths.txt -x ignore:code=404 -x ignore,retry:code=500""",
|
|
|
|
"""%prog url=http://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.txt"""
|
|
""" -x ignore:code=401""",
|
|
|
|
"""%prog url=http://10.0.0.1/phpmyadmin/index.php method=POST"""
|
|
""" body='pma_username=root&pma_password=FILE0&server=1&lang=en' 0=passwords.txt follow=1"""
|
|
""" accept_cookie=1 -x ignore:fgrep='Cannot log in to the MySQL server'""",
|
|
]
|
|
|
|
available_options = (
|
|
('url', 'main url to target (scheme://host[:port]/path?query)'),
|
|
#('host', 'hostnames or subnets to target'),
|
|
#('port', 'ports to target'),
|
|
#('scheme', 'scheme [http | https]'),
|
|
#('path', 'web path [/]'),
|
|
#('query', 'query string'),
|
|
('body', 'body data'),
|
|
('header', 'use custom headers, delimited with "\\r\\n"'),
|
|
('method', 'method to use [GET | POST | HEAD | ...]'),
|
|
('user_pass', 'username and password for HTTP authentication (user:pass)'),
|
|
('auth_type', 'type of HTTP authentication [basic | digest | ntlm]'),
|
|
('follow', 'follow any Location redirect [0|1]'),
|
|
('max_follow', 'redirection limit [5]'),
|
|
('accept_cookie', 'save received cookies to issue them in future requests [0|1]'),
|
|
('http_proxy', 'HTTP proxy to use (host:port)'),
|
|
('ssl_cert', 'client SSL certificate file (cert+key in PEM format)'),
|
|
('timeout_tcp', 'seconds to wait for a TCP handshake [10]'),
|
|
('timeout', 'seconds to wait for a HTTP response [20]'),
|
|
('before_urls', 'comma-separated URLs to query before the main request'),
|
|
('before_egrep', 'extract substring from the before_urls responses to include it in the main request'),
|
|
('after_urls', 'comma-separated URLs to query after the main request'),
|
|
('max_mem', 'store no more than N bytes of request+response data in memory [-1 (unlimited)]'),
|
|
)
|
|
available_options += TCP_Cache.available_options
|
|
|
|
Response = Response_HTTP
|
|
|
|
cache_keys = ('host', 'port', 'scheme')
|
|
def new_tcp(self, host, port, scheme):
|
|
fp = pycurl.Curl()
|
|
fp.setopt(pycurl.SSL_VERIFYPEER, 0)
|
|
fp.setopt(pycurl.SSL_VERIFYHOST, 0)
|
|
fp.setopt(pycurl.HEADER, 1)
|
|
fp.setopt(pycurl.USERAGENT, 'Mozilla/5.0')
|
|
fp.setopt(pycurl.NOSIGNAL, 1)
|
|
|
|
return fp, None
|
|
|
|
def execute(self, url=None, host=None, port=None, scheme='http', path='/', params='', query='', fragment='', body='', header='', method='GET', user_pass='', auth_type='basic',
|
|
follow='0', max_follow='5', accept_cookie='0', http_proxy='', ssl_cert='', timeout_tcp='10', timeout='20', persistent='1',
|
|
before_urls='', before_egrep='', after_urls='', max_mem='-1'):
|
|
|
|
if url:
|
|
scheme, host, path, params, query, fragment = urlparse(url)
|
|
if ':' in host:
|
|
host, port = host.split(':')
|
|
del url
|
|
|
|
fp, _ = self.get_tcp(persistent, host=host, port=port, scheme=scheme)
|
|
|
|
fp.setopt(pycurl.FOLLOWLOCATION, int(follow))
|
|
fp.setopt(pycurl.MAXREDIRS, int(max_follow))
|
|
fp.setopt(pycurl.CONNECTTIMEOUT, int(timeout_tcp))
|
|
fp.setopt(pycurl.TIMEOUT, int(timeout))
|
|
fp.setopt(pycurl.PROXY, http_proxy)
|
|
|
|
def noop(buf): pass
|
|
fp.setopt(pycurl.WRITEFUNCTION, noop)
|
|
|
|
def debug_func(t, s):
|
|
if max_mem > 0 and trace.tell() > max_mem:
|
|
return 0
|
|
|
|
if t in (pycurl.INFOTYPE_HEADER_OUT, pycurl.INFOTYPE_DATA_OUT):
|
|
trace.write(s)
|
|
|
|
elif t in (pycurl.INFOTYPE_HEADER_IN, pycurl.INFOTYPE_DATA_IN):
|
|
trace.write(s)
|
|
response.write(s)
|
|
|
|
max_mem = int(max_mem)
|
|
response, trace = StringIO(), StringIO()
|
|
|
|
fp.setopt(pycurl.DEBUGFUNCTION, debug_func)
|
|
fp.setopt(pycurl.VERBOSE, 1)
|
|
|
|
if user_pass:
|
|
fp.setopt(pycurl.USERPWD, user_pass)
|
|
if auth_type == 'basic':
|
|
fp.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
|
|
elif auth_type == 'digest':
|
|
fp.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_DIGEST)
|
|
elif auth_type == 'ntlm':
|
|
fp.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_NTLM)
|
|
else:
|
|
raise NotImplementedError("Incorrect auth_type '%s'" % auth_type)
|
|
|
|
if ssl_cert:
|
|
fp.setopt(pycurl.SSLCERT, ssl_cert)
|
|
|
|
if accept_cookie == '1':
|
|
fp.setopt(pycurl.COOKIEFILE, '')
|
|
# warning: do not pass a Cookie: header into HTTPHEADER if using COOKIEFILE as it will
|
|
# produce requests with more than one Cookie: header
|
|
# and the server will process only one of them (eg. Apache only reads the last one)
|
|
|
|
def perform_fp(fp, method, url, header='', body=''):
|
|
#logger.debug('perform: %s' % url)
|
|
fp.setopt(pycurl.URL, url)
|
|
|
|
if method == 'GET':
|
|
fp.setopt(pycurl.HTTPGET, 1)
|
|
|
|
elif method == 'POST':
|
|
fp.setopt(pycurl.POST, 1)
|
|
fp.setopt(pycurl.POSTFIELDS, body)
|
|
|
|
elif method == 'HEAD':
|
|
fp.setopt(pycurl.NOBODY, 1)
|
|
|
|
else:
|
|
fp.setopt(pycurl.CUSTOMREQUEST, method)
|
|
|
|
headers = [h.strip('\r') for h in header.split('\n') if h]
|
|
fp.setopt(pycurl.HTTPHEADER, headers) # warning: this disables the use of "Expect: 100-continue" header
|
|
|
|
fp.perform()
|
|
|
|
if before_urls:
|
|
for before_url in before_urls.split(','):
|
|
perform_fp(fp, 'GET', before_url)
|
|
|
|
if before_egrep:
|
|
mark, regex = before_egrep.split(':', 1)
|
|
val = re.search(regex, response.getvalue(), re.M).group(1)
|
|
|
|
header = header.replace(mark, val)
|
|
query = query.replace(mark, val)
|
|
body = body.replace(mark, val)
|
|
|
|
path = quote(path)
|
|
query = urlencode(parse_qsl(query, True))
|
|
body = urlencode(parse_qsl(body, True))
|
|
|
|
if port:
|
|
host = '%s:%s' % (host, port)
|
|
|
|
url = urlunparse((scheme, host, path, params, query, fragment))
|
|
perform_fp(fp, method, url, header, body)
|
|
|
|
if after_urls:
|
|
for after_url in after_urls.split(','):
|
|
perform_fp(fp, 'GET', after_url)
|
|
|
|
http_code = fp.getinfo(pycurl.HTTP_CODE)
|
|
content_length = fp.getinfo(pycurl.CONTENT_LENGTH_DOWNLOAD)
|
|
|
|
return self.Response(http_code, content_length, response.getvalue(), trace.getvalue())
|
|
|
|
# }}}
|
|
|
|
# VNC {{{
|
|
try:
|
|
from Crypto.Cipher import DES
|
|
except ImportError:
|
|
warnings.append('pycrypto')
|
|
|
|
class VNC_Error(Exception): pass
|
|
class VNC:
|
|
def connect(self, host, port):
|
|
self.fp = socket.create_connection((host, port))
|
|
resp = self.fp.recv(99) # banner
|
|
|
|
logger.debug('banner: %s' % repr(resp))
|
|
self.version = resp[:11].decode('ascii')
|
|
|
|
if len(resp) > 12:
|
|
raise VNC_Error('%s %s' % (self.version, resp[12:].decode('ascii', 'ignore')))
|
|
|
|
return self.version
|
|
|
|
def login(self, password):
|
|
logger.debug('Remote version: %s' % self.version)
|
|
major, minor = self.version[6], self.version[10]
|
|
|
|
if (major, minor) in [('3', '8'), ('4', '1')]:
|
|
proto = b'RFB 003.008\n'
|
|
|
|
elif (major, minor) == ('3', '7'):
|
|
proto = b'RFB 003.007\n'
|
|
|
|
else:
|
|
proto = b'RFB 003.003\n'
|
|
|
|
logger.debug('Client version: %s' % proto[:-1])
|
|
self.fp.sendall(proto)
|
|
|
|
sleep(0.5)
|
|
|
|
resp = self.fp.recv(99)
|
|
logger.debug('Security types supported: %s' % repr(resp))
|
|
|
|
if minor in ('7', '8'):
|
|
code = ord(resp[0:1])
|
|
if code == 0:
|
|
raise VNC_Error('Session setup failed: %s' % resp.decode('ascii', 'ignore'))
|
|
|
|
self.fp.sendall(b'\x02') # always use classic VNC authentication
|
|
resp = self.fp.recv(99)
|
|
|
|
else: # minor == '3':
|
|
code = ord(resp[3:4])
|
|
if code != 2:
|
|
raise VNC_Error('Session setup failed: %s' % resp.decode('ascii', 'ignore'))
|
|
|
|
resp = resp[-16:]
|
|
|
|
if len(resp) != 16:
|
|
raise VNC_Error('Unexpected challenge size (unsupported authentication type ?)')
|
|
|
|
logger.debug('challenge: %s' % repr(resp))
|
|
pw = password.ljust(8, '\x00')[:8] # make sure it is 8 chars long, zero padded
|
|
|
|
key = self.gen_key(pw)
|
|
logger.debug('key: %s' % repr(key))
|
|
|
|
des = DES.new(key, DES.MODE_ECB)
|
|
enc = des.encrypt(resp)
|
|
|
|
logger.debug('enc: %s' % repr(enc))
|
|
self.fp.sendall(enc)
|
|
|
|
resp = self.fp.recv(99)
|
|
logger.debug('resp: %s' % repr(resp))
|
|
|
|
code = ord(resp[3:4])
|
|
mesg = resp[8:].decode('ascii', 'ignore')
|
|
|
|
if code == 1:
|
|
return code, mesg or 'Authentication failure'
|
|
|
|
elif code == 0:
|
|
return code, mesg or 'OK'
|
|
|
|
else:
|
|
raise VNC_Error('Unknown response: %s (code: %s)' % (repr(resp), code))
|
|
|
|
|
|
def gen_key(self, key):
|
|
newkey = []
|
|
for ki in range(len(key)):
|
|
bsrc = ord(key[ki])
|
|
btgt = 0
|
|
for i in range(8):
|
|
if bsrc & (1 << i):
|
|
btgt = btgt | (1 << 7-i)
|
|
newkey.append(btgt)
|
|
|
|
if version_info[0] == 2:
|
|
return ''.join(chr(c) for c in newkey)
|
|
else:
|
|
return bytes(newkey)
|
|
|
|
|
|
class VNC_login:
|
|
'''Brute-force VNC authentication'''
|
|
|
|
usage_hints = (
|
|
"""%prog host=10.0.0.1 password=FILE0 0=passwords.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries -1 -x quit:code=0""",
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [5900]'),
|
|
('password', 'passwords to test'),
|
|
)
|
|
available_actions = ()
|
|
|
|
Response = Response_Base
|
|
|
|
def __init__(self):
|
|
self.m = VNC()
|
|
def execute(self, host, port=None, password=None):
|
|
try:
|
|
code, mesg = 0, self.m.connect(host, int(port or 5900))
|
|
|
|
if password is not None:
|
|
code, mesg = self.m.login(password)
|
|
|
|
except VNC_Error as e:
|
|
code, mesg = 2, str(e)
|
|
logger.debug('VNC_Error: %s' % mesg)
|
|
|
|
return self.Response(code, mesg)
|
|
|
|
# }}}
|
|
|
|
# DNS {{{
|
|
class HostInfo:
|
|
def __init__(self):
|
|
self.name = set()
|
|
self.ip = set()
|
|
self.alias = set()
|
|
|
|
def __str__(self):
|
|
line = ''
|
|
if self.name:
|
|
line = ' '.join(self.name)
|
|
if self.ip:
|
|
if line: line += ' / '
|
|
line += ' '.join(map(str, self.ip))
|
|
if self.alias:
|
|
if line: line += ' / '
|
|
line += ' '.join(self.alias)
|
|
|
|
return line
|
|
|
|
class Controller_DNS(Controller):
|
|
hostmap = {}
|
|
|
|
# show_final {{{
|
|
def show_final(self):
|
|
'''
|
|
1.2.3.4 ftp.example.com
|
|
. www.example.com
|
|
. www2.example.com
|
|
noip cms.example.com -> www.mistake.com
|
|
'''
|
|
ipmap = {}
|
|
noips = set()
|
|
|
|
'''
|
|
hostmap = {
|
|
'ftp.example.com': {'ip': ['1.2.3.4'], 'alias': []},
|
|
'www.example.com': {'ip': ['1.2.3.4'], 'alias': ['www2.example.com']},
|
|
'www.mistake.com': {'ip': [], 'alias': ['cms.example.com']}, ...}
|
|
ipmap = {'1.2.3.4': {'name': ['www.example.com', 'ftp.example.com'], 'alias': ('www2.example.com')}}
|
|
noips = ['cms.example.com -> www.mistake.com', ...]
|
|
'''
|
|
for name, hinfo in self.hostmap.items():
|
|
logger.debug('%s -> %s' % (name, hinfo))
|
|
if not hinfo.ip: # orphan CNAME hostnames (with no IP address) may be still valid virtual hosts
|
|
for alias in hinfo.alias:
|
|
noips.add('%s -> %s' % (alias, name))
|
|
else:
|
|
for ip in hinfo.ip:
|
|
if ip not in ipmap: ipmap[ip] = HostInfo()
|
|
ipmap[ip].name.add(name)
|
|
ipmap[ip].alias.update(hinfo.alias)
|
|
|
|
# pretty print
|
|
def pprint_info(key, infos):
|
|
first = True
|
|
for info in infos:
|
|
if first:
|
|
print('%34s %s' % (info, key))
|
|
first = False
|
|
else:
|
|
print('%34s %s' % (info, key))
|
|
|
|
print('Hostmap ' + '-'*42)
|
|
for ip, hinfo in sorted(ipmap.items()):
|
|
pprint_info( ip, hinfo.name)
|
|
pprint_info('.', hinfo.alias)
|
|
|
|
pprint_info('noip', noips)
|
|
|
|
print('Domains ' + '-'*42)
|
|
domains = {}
|
|
networks = {}
|
|
for ip, hinfo in ipmap.items():
|
|
for name in hinfo.name:
|
|
i = 1 if name.count('.') > 1 else 0
|
|
d = '.'.join(name.split('.')[i:])
|
|
if d not in domains: domains[d] = 0
|
|
domains[d] += 1
|
|
|
|
for domain, count in sorted(domains.items(), key=lambda a:a[0].split('.')[-1::-1]):
|
|
print('%34s %d' % (domain, count))
|
|
|
|
print('Networks ' + '-'*41)
|
|
nets = {}
|
|
for ip in set(ipmap):
|
|
if not ip.version() == 4:
|
|
nets[ip] = [ip]
|
|
else:
|
|
n = ip.make_net('255.255.255.0')
|
|
if n not in nets: nets[n] = []
|
|
nets[n].append(ip)
|
|
|
|
for net, ips in sorted(nets.items()):
|
|
if len(ips) == 1:
|
|
print(' '*10 + '%39s' % ips[0])
|
|
else:
|
|
print(' '*10 + '%37s.x' % '.'.join(str(net).split('.')[:-1]))
|
|
|
|
# }}}
|
|
|
|
def push_final(self, resp):
|
|
for name, hinfo in resp.hostmap.items():
|
|
if name not in self.hostmap:
|
|
self.hostmap[name] = hinfo
|
|
else:
|
|
self.hostmap[name].ip.update(hinfo.ip)
|
|
self.hostmap[name].alias.update(hinfo.alias)
|
|
|
|
def generate_tld():
|
|
gtld = [
|
|
'aero', 'arpa', 'asia', 'biz', 'cat', 'com', 'coop', 'edu',
|
|
'gov', 'info', 'int', 'jobs', 'mil', 'mobi', 'museum', 'name',
|
|
'net', 'org', 'pro', 'tel', 'travel']
|
|
|
|
cctld = [''.join(i) for i in product(*[ascii_lowercase]*2)]
|
|
tld = gtld + cctld
|
|
return tld, len(tld)
|
|
|
|
def generate_srv():
|
|
common = [
|
|
'_gc._tcp', '_kerberos._tcp', '_kerberos._udp', '_ldap._tcp',
|
|
'_test._tcp', '_sips._tcp', '_sip._udp', '_sip._tcp', '_aix._tcp', '_aix._udp',
|
|
'_finger._tcp', '_ftp._tcp', '_http._tcp', '_nntp._tcp', '_telnet._tcp',
|
|
'_whois._tcp', '_h323cs._tcp', '_h323cs._udp', '_h323be._tcp', '_h323be._udp',
|
|
'_h323ls._tcp', '_h323ls._udp', '_sipinternal._tcp', '_sipinternaltls._tcp',
|
|
'_sip._tls', '_sipfederationtls._tcp', '_jabber._tcp', '_xmpp-server._tcp', '_xmpp-client._tcp',
|
|
'_imap.tcp', '_certificates._tcp', '_crls._tcp', '_pgpkeys._tcp', '_pgprevokations._tcp',
|
|
'_cmp._tcp', '_svcp._tcp', '_crl._tcp', '_ocsp._tcp', '_PKIXREP._tcp',
|
|
'_smtp._tcp', '_hkp._tcp', '_hkps._tcp', '_jabber._udp', '_xmpp-server._udp',
|
|
'_xmpp-client._udp', '_jabber-client._tcp', '_jabber-client._udp',
|
|
'_adsp._domainkey', '_policy._domainkey', '_domainkey', '_ldap._tcp.dc._msdcs', '_ldap._udp.dc._msdcs']
|
|
|
|
def distro():
|
|
import os
|
|
import re
|
|
files = ['/usr/share/nmap/nmap-protocols', '/usr/share/nmap/nmap-services', '/etc/protocols', '/etc/services']
|
|
ret = []
|
|
for f in files:
|
|
if not os.path.isfile(f):
|
|
logger.warn("File '%s' is missing, there will be less records to test" % f)
|
|
continue
|
|
for line in open(f):
|
|
match = re.match(r'([a-zA-Z0-9]+)\s', line)
|
|
if not match: continue
|
|
for w in re.split(r'[^a-z0-9]', match.group(1).strip().lower()):
|
|
ret.extend(['_%s.%s' % (w, i) for i in ('_tcp', '_udp')])
|
|
return ret
|
|
|
|
srv = set(common + distro())
|
|
return srv, len(srv)
|
|
|
|
try:
|
|
from DNS import DnsRequest, DNSError
|
|
except ImportError:
|
|
warnings.append('pydns')
|
|
|
|
class DNS_reverse:
|
|
'''Reverse lookup subnets'''
|
|
|
|
usage_hints = [
|
|
"""%prog host=NET0 0=192.168.0.0/24 -x ignore:code=3""",
|
|
"""%prog host=NET0 0=216.239.32.0-216.239.47.255,8.8.8.0/24 -x ignore:code=3 -x ignore:fgrep!=google.com -x ignore:fgrep=216-239-""",
|
|
]
|
|
|
|
available_options = (
|
|
('host', 'IP addresses to reverse'),
|
|
('server', 'name server to query (directly asking a zone authoritative NS may return more results) [8.8.8.8]'),
|
|
('timeout', 'seconds to wait for a DNS response [10]'),
|
|
)
|
|
available_actions = ()
|
|
|
|
Response = Response_Base
|
|
|
|
def execute(self, host, server='8.8.8.8', timeout='10'):
|
|
resolver = DnsRequest(qtype='PTR', server=server, timeout=int(timeout))
|
|
|
|
ip = IP(host)
|
|
ptr = ip.reverseName()
|
|
result = resolver.req(ptr.rstrip('.'))
|
|
hostnames = [ans['data'] for ans in result.answers]
|
|
|
|
hostmap = {}
|
|
for n in hostnames:
|
|
if n not in hostmap: hostmap[n] = HostInfo()
|
|
hostmap[n].ip.add(ip)
|
|
|
|
code = result.header['rcode']
|
|
status = result.header['status']
|
|
mesg = '%s %s' % (status, ', '.join(hostnames))
|
|
|
|
resp = self.Response(code, mesg)
|
|
resp.hostmap = hostmap
|
|
|
|
return resp
|
|
|
|
class DNS_forward:
|
|
'''Forward lookup subdomains'''
|
|
|
|
usage_hints = [
|
|
"""%prog domain=FILE0.google.com 0=names.txt -x ignore:code=3""",
|
|
"""%prog domain=google.MOD0 0=TLD -x ignore:code=3""",
|
|
"""%prog domain=MOD0.microsoft.com 0=SRV qtype=SRV -x ignore:code=3""",
|
|
]
|
|
|
|
available_options = (
|
|
('domain', 'domains to lookup'),
|
|
('server', 'name server to query (directly asking the zone authoritative NS may return more results) [8.8.8.8]'),
|
|
('timeout', 'seconds to wait for a DNS response [10]'),
|
|
('qtype', 'comma-separated list of types to query [ANY,A,AAAA]'),
|
|
)
|
|
available_actions = ()
|
|
|
|
available_keys = {
|
|
'TLD': generate_tld,
|
|
'SRV': generate_srv,
|
|
}
|
|
|
|
Response = Response_Base
|
|
|
|
def execute(self, domain, server='8.8.8.8', timeout='10', qtype='ANY,A,AAAA'):
|
|
resolver = DnsRequest(server=server, timeout=int(timeout))
|
|
|
|
hostmap = {}
|
|
for qt in qtype.split(','):
|
|
result = resolver.req(domain, qtype=qt.strip())
|
|
|
|
for r in result.answers + result.additional + result.authority:
|
|
t = r['typename']
|
|
n = r['name']
|
|
d = r['data']
|
|
|
|
if t not in ('A', 'AAAA', 'CNAME', 'DNAME', 'SRV'):
|
|
continue
|
|
|
|
if t == 'SRV':
|
|
_, _, _, d = d
|
|
|
|
if t in ('CNAME', 'DNAME', 'SRV'):
|
|
n, d = d, n
|
|
|
|
if n not in hostmap:
|
|
hostmap[n] = HostInfo()
|
|
|
|
if t == 'A':
|
|
hostmap[n].ip.add(IP(d))
|
|
|
|
elif t == 'AAAA':
|
|
hostmap[n].ip.add(IP(hexlify(d)))
|
|
|
|
elif t in ('CNAME', 'DNAME'):
|
|
hostmap[n].alias.add(d)
|
|
|
|
elif t == 'SRV':
|
|
hostmap[n].alias.add(d)
|
|
|
|
code = result.header['rcode']
|
|
status = result.header['status']
|
|
mesg = '%s %s' % (status, ' | '.join('%s / %s' % (k, v) for k, v in hostmap.items()))
|
|
|
|
resp = self.Response(code, mesg)
|
|
resp.hostmap = hostmap
|
|
|
|
return resp
|
|
|
|
# }}}
|
|
|
|
# SNMP {{{
|
|
try:
|
|
from pysnmp.entity.rfc3413.oneliner import cmdgen
|
|
except ImportError:
|
|
warnings.append('pysnmp')
|
|
|
|
class SNMP_login:
|
|
'''Brute-force SNMP v1/2/3 authentication'''
|
|
|
|
usage_hints = (
|
|
"""%prog host=10.0.0.1 version=2 community=FILE0 1=names.txt -x ignore:mesg='No SNMP response received before timeout'""",
|
|
"""%prog host=10.0.0.1 version=3 user=FILE0 0=logins.txt -x ignore:mesg=unknownUserName""",
|
|
"""%prog host=10.0.0.1 version=3 user=myuser auth_key=FILE0 0=passwords.txt -x ignore:mesg=wrongDigest""",
|
|
)
|
|
|
|
available_options = (
|
|
('host', 'hostnames or subnets to target'),
|
|
('port', 'ports to target [161]'),
|
|
('version', 'SNMP version to use [2|3|1]'),
|
|
#('security_name', 'SNMP v1/v2 username, for most purposes it can be any arbitrary string [test-agent]'),
|
|
('community', 'SNMPv1/2c community names to test [public]'),
|
|
('user', 'SNMPv3 usernames to test [myuser]'),
|
|
('auth_key', 'SNMPv3 pass-phrases to test [my_password]'),
|
|
#('priv_key', 'SNMP v3 secret key for encryption'), # see http://pysnmp.sourceforge.net/docs/4.x/index.html#UsmUserData
|
|
#('auth_protocol', ''),
|
|
#('priv_protocol', ''),
|
|
('timeout', 'seconds to wait for a response [1]'),
|
|
('retries', 'number of successive request retries [2]'),
|
|
)
|
|
available_actions = ()
|
|
|
|
Response = Response_Base
|
|
|
|
def execute(self, host, port=None, version='2', community='public', user='myuser', auth_key='my_password', timeout='1', retries='2'):
|
|
if version in ('1', '2'):
|
|
security_model = cmdgen.CommunityData('test-agent', community, 0 if version == '1' else 1)
|
|
|
|
elif version == '3':
|
|
security_model = cmdgen.UsmUserData(user, auth_key) # , priv_key)
|
|
if len(auth_key) < 8:
|
|
return self.Response('1', 'SNMPv3 requires passphrases to be at least 8 characters long')
|
|
|
|
else:
|
|
raise NotImplementedError("Incorrect SNMP version '%s'" % version)
|
|
|
|
errorIndication, errorStatus, errorIndex, varBinds = cmdgen.CommandGenerator().getCmd(
|
|
security_model,
|
|
cmdgen.UdpTransportTarget((host, int(port or 161)), timeout=int(timeout), retries=int(retries)),
|
|
(1,3,6,1,2,1,1,1,0)
|
|
)
|
|
|
|
code = '%d-%d' % (errorStatus, errorIndex)
|
|
if not errorIndication:
|
|
mesg = '%s' % varBinds
|
|
else:
|
|
mesg = '%s' % errorIndication
|
|
|
|
return self.Response(code, mesg)
|
|
|
|
# }}}
|
|
|
|
# Unzip {{{
|
|
if not which('unzip'):
|
|
warnings.append('unzip')
|
|
|
|
class Response_Unzip(Response_Base):
|
|
def __init__(self, resp):
|
|
self.code, self.out, self.err = resp
|
|
self.size = len(self.out + self.err)
|
|
if '\n' in self.out:
|
|
self.mesg = self.out.splitlines()[-1]
|
|
else:
|
|
self.mesg = self.out
|
|
|
|
def __str__(self):
|
|
return '%s [%s] %s' % (self.code, self.size, self.mesg)
|
|
|
|
def dump(self):
|
|
return 'out: %s\n\nerr: %s' % (self.out, self.err)
|
|
|
|
class Unzip_pass:
|
|
'''Brute-force the password of encrypted ZIP files'''
|
|
|
|
usage_hints = [
|
|
"""%prog zipfile=path/to/file.zip password=FILE0 0=passwords.txt -x ignore:code!=0""",
|
|
]
|
|
|
|
available_options = (
|
|
('zipfile', 'ZIP files to test'),
|
|
('password', 'passwords to test'),
|
|
)
|
|
|
|
available_actions = ()
|
|
|
|
Response = Response_Unzip
|
|
|
|
def execute(self, zipfile, password):
|
|
zipfile = os.path.abspath(zipfile)
|
|
cmd = ['unzip', '-t', '-q', '-P', password, zipfile]
|
|
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
out = p.stdout.read()
|
|
err = p.stderr.read()
|
|
code = p.wait()
|
|
|
|
return self.Response((code, out, err))
|
|
|
|
# }}}
|
|
|
|
# Keystore {{{
|
|
if not which('keytool'):
|
|
warnings.append('java')
|
|
|
|
class Response_Keystore(Response_Base):
|
|
def __init__(self, resp):
|
|
self.code, self.out, self.err = resp
|
|
self.size = len(self.out + self.err)
|
|
self.mesg = self.out.replace('\n', ' ')
|
|
|
|
def __str__(self):
|
|
return '%s [%s] %s' % (self.code, self.size, self.mesg)
|
|
|
|
def dump(self):
|
|
return 'out: %s\nerr: %s' % (self.out, self.err)
|
|
|
|
class Keystore_pass:
|
|
'''Brute-force the password of Java keystore files'''
|
|
|
|
usage_hints = [
|
|
"""%prog keystore=path/to/keystore.jks password=FILE0 0=passwords.txt -x ignore:fgrep='password was incorrect'""",
|
|
]
|
|
|
|
available_options = (
|
|
('keystore', 'keystore files to test'),
|
|
('password', 'passwords to test'),
|
|
('storetype', 'type of keystore to test'),
|
|
)
|
|
|
|
available_actions = ()
|
|
|
|
Response = Response_Keystore
|
|
|
|
def execute(self, keystore, password, storetype='jks'):
|
|
keystore = os.path.abspath(keystore)
|
|
cmd = ['keytool', '-list', '-keystore', keystore, '-storepass', password, '-storetype', storetype]
|
|
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
out = p.stdout.read()
|
|
err = p.stderr.read()
|
|
code = p.wait()
|
|
|
|
return self.Response((code, out, err))
|
|
|
|
# }}}
|
|
|
|
# modules {{{
|
|
modules = [
|
|
('ftp_login', (Controller, FTP_login)),
|
|
('ssh_login', (Controller, SSH_login)),
|
|
('telnet_login', (Controller, Telnet_login)),
|
|
('smtp_login', (Controller, SMTP_login)),
|
|
('smtp_vrfy', (Controller, SMTP_vrfy)),
|
|
('smtp_rcpt', (Controller, SMTP_rcpt)),
|
|
('http_fuzz', (Controller_HTTP, HTTP_fuzz)),
|
|
('pop_passd', (Controller, POP_passd)),
|
|
('smb_login', (Controller, SMB_login)),
|
|
('ldap_login', (Controller, LDAP_login)),
|
|
('mssql_login', (Controller, MSSQL_login)),
|
|
('oracle_login', (Controller, Oracle_login)),
|
|
('mysql_login', (Controller, MySQL_login)),
|
|
#'rdp_login',
|
|
('pgsql_login', (Controller, Pgsql_login)),
|
|
('vnc_login', (Controller, VNC_login)),
|
|
|
|
('dns_reverse', (Controller_DNS, DNS_reverse)),
|
|
('dns_forward', (Controller_DNS, DNS_forward)),
|
|
('snmp_login', (Controller, SNMP_login)),
|
|
|
|
('unzip_pass', (Controller, Unzip_pass)),
|
|
('keystore_pass', (Controller, Keystore_pass)),
|
|
]
|
|
|
|
dependencies = {
|
|
'paramiko': [('ssh_login',), 'http://www.lag.net/paramiko/'],
|
|
'pycurl': [('http_fuzz',), 'http://pycurl.sourceforge.net/'],
|
|
'openldap': [('ldap_login',), 'http://www.openldap.org/'],
|
|
'impacket': [('smb_login',), 'http://oss.coresecurity.com/projects/impacket.html'],
|
|
'cx_Oracle': [('oracle_login',), 'http://cx-oracle.sourceforge.net/'],
|
|
'mysql-python': [('mysql_login',), 'http://sourceforge.net/projects/mysql-python/'],
|
|
'psycopg': [('pgsql_login',), 'http://initd.org/psycopg/'],
|
|
'pycrypto': [('vnc_login',), 'http://www.dlitz.net/software/pycrypto/'],
|
|
'pydns': [('dns_reverse', 'dns_forward'), 'http://pydns.sourceforge.net/'],
|
|
'IPy': [('dns_reverse', 'dns_forward'), 'https://github.com/haypo/python-ipy'],
|
|
'pysnmp': [('snmp_login',), 'http://pysnmp.sf.net/'],
|
|
'unzip': [('unzip_pass',), 'http://www.info-zip.org/'],
|
|
'java': [('keystore_pass',), 'http://www.oracle.com/technetwork/java/javase/'],
|
|
}
|
|
# }}}
|
|
|
|
# main {{{
|
|
if __name__ == '__main__':
|
|
from sys import argv
|
|
from os.path import basename
|
|
|
|
def show_usage():
|
|
print(__banner__)
|
|
print('''Usage: patator.py module --help
|
|
|
|
Available modules:
|
|
%s''' % '\n'.join(' + %-13s : %s' % (k, v[1].__doc__) for k, v in modules))
|
|
|
|
exit(2)
|
|
|
|
available = dict(modules)
|
|
name = basename(argv[0]).lower()
|
|
|
|
if name not in available:
|
|
if len(argv) == 1:
|
|
show_usage()
|
|
|
|
name = basename(argv[1]).lower()
|
|
if name not in available:
|
|
show_usage()
|
|
|
|
argv = argv[1:]
|
|
|
|
# dependencies
|
|
abort = False
|
|
for w in warnings:
|
|
mods, url = dependencies[w]
|
|
if name in mods:
|
|
print('ERROR: %s (%s) is required to run %s.' % (w, url, name))
|
|
abort = True
|
|
|
|
if abort:
|
|
print('Please read the README inside for more information.')
|
|
exit(3)
|
|
|
|
# start
|
|
ctrl, module = available[name]
|
|
powder = ctrl(module, [name] + argv[1:])
|
|
powder.fire()
|
|
|
|
# }}}
|
|
|
|
# vim: ts=2 sw=2 sts=2 et fdm=marker bg=dark
|