
Untitled

a guest
Apr 17th, 2017
  1. #!/usr/bin/env python
  2. # -*- Coding: UTF-8 -*-
  3.  
  4. import sys
  5. import binascii
  6. import logging
  7. from ZIBE import logs, zbutil
  8. from ZIBE.context_mgr import ContextManager, ZIBEException
  9. from ZIBE.shell import ZIBEShell
  10. from optparse import OptionParser
  11. import os
  12.  
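  # Extend the module search path with the directories listed in PATH.
  #
  # NOTE(review): this makes every PATH directory a location Python modules can
  # be loaded from. Entries are appended, so they are searched after whatever
  # is already on sys.path, but any import that is not satisfied earlier will
  # be resolved from them. A PATH directory that another user can write to
  # therefore decides what code this process runs; prefer an explicit,
  # access-controlled directory over the whole of PATH.
  sep = ';' if os.name == "nt" else ":"
  for v in os.environ.get('PATH', '').split(sep):
      # Skip empty entries: '' on sys.path means "current working directory",
      # which would let whatever directory the launcher is started from supply
      # modules. Duplicates are skipped to keep the search path short.
      if v and v not in sys.path:
          sys.path.append(v)

  # Banner printed by ZIBE.processParams once a session has been started.
  __logo__ = '''
  .sssssssss.
  .ssssssssssssssssss
  sssssssssssssssssssssss
  sssssssssssssssssssssssssss
  @@sssssssssssssssssssssss@ss
  |s@@@@sssssssssssssss@@@@s|s
  _____|sssss@@@@@sssss@@@@@sssss|s
  / sssssssss@sssss@sssssssss|s
  / .----+.ssssssss@sssss@ssssssss.|
  / / |...sssssss@sss@sssssss...|
  | | |.......sss@sss@ssss......|
  | | |..........s@ss@sss.......|
  | | |...........@ss@..........|
  \ \ |............ss@..........|
  \ , +...........ss@...........|
  \______ .........................|
  | ........................|
  /...........................\\
  |.............................|
  |.......................|
  |...............|
  '''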
  43.  
  44.  
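  class ZIBEOptionParser(OptionParser):
      """Option parser for the ZIBE launcher.

      Declares the target, credential, Kerberos, DAPU and usability options
      that ZIBE.processParams reads from the parsed result. Option names,
      destinations, types and defaults are part of the command-line interface
      and are kept exactly as they were; only misleading help texts were fixed.
      """

      def __init__(self):
          OptionParser.__init__(self)

          # Target and generic credential options.
          self.add_option('--TargetIp', help='IP Address of Target Machine', dest="TargetIp")
          self.add_option('--TargetPort', help='Port of Target Machine', dest="TargetPort", default=445, type='int')
          self.add_option('--NetworkTimeout', help='Timeout for networking calls', dest="NetworkTimeout", default=60, type='int')
          # Help text previously repeated the --TargetPort description.
          self.add_option('--TargetEPMPort', help='RPC endpoint mapper port of Target Machine', dest="TargetEPMPort", default=135, type='int')
          self.add_option('--CredentialType', help='Type of credential provided', dest="CredentialType", default="UsernamePassword")
          self.add_option('--Username', help='Account Username', dest="Username")
          # NOTE(review): --Credential and --PrivateKey are taken from argv, so
          # their values are visible in process listings, shell history and
          # command-line audit logs on the host that runs the launcher.
          self.add_option('--Credential', help='Account Password', dest="Credential")
          self.add_option('--Domain', help='Account Domain', dest="Domain", default=None)

          # Kerberos options
          self.add_option("--UseESRO", action="store_true", dest="UseESRO")
          self.add_option('--KerbCredentialType', help="The type of credential to use when performing the kerberos authentication", dest='KerbCredentialType')
          self.add_option('--TargetNetbiosName', help="NETBIOS name of the target computer", dest='TargetNetbiosName')
          self.add_option('--TargetDcIp', help="Domain Controller's IP address", dest='TargetDcIp')
          self.add_option('--TargetDcKerberosPort', help="Port used by the Kerberos service", dest='TargetDcKerberosPort', default=88, type='int')
          # Help text previously repeated the Kerberos port description.
          self.add_option('--TargetDcSMBPort', help="SMB port of the Domain Controller", dest='TargetDcSMBPort', default=445, type='int')

          # DAPU Options
          self.add_option('--PrivateKey', help='DAPU Private Key', dest="PrivateKey")

          # Usability options
          # The option still takes a value (default "store" action). The caller
          # enables completion when that value is truthy, so the old "Disable
          # tab completion" wording described the opposite of what happens.
          self.add_option('--TabCompletion',
                          help='Enable tab completion when given any non-empty value; completion uses more network traffic, and may be painful over slow networks',
                          dest="TabCompletion")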
  71.  
  # Use the framework's CommandlineWrapper when FBDIR is set and `coli` can be
  # imported from <FBDIR>/fuzzbunch; otherwise define a minimal local stand-in.
  #
  # NOTE(review): FBDIR is read from the environment, so whoever controls that
  # variable chooses the directory `coli` is imported from. Every failure in
  # the try body (unset variable, missing or broken module) takes the same
  # fallback path and prints the same message.
  try:
      sys.path.append(
          os.path.abspath(os.path.join(os.environ['FBDIR'], "fuzzbunch"))
      )
      from coli import CommandlineWrapper
  except Exception as e:
      print("Fuzzbunch directory not registered. Using command line arguments")

      class CommandlineWrapper(object):
          """Stand-alone replacement that forwards argv straight to processParams."""

          def __call__(self, args):
              print("Called local commandlinewrapper")
              # constants is None, outputs and context start as empty dicts, and
              # the logger comes from logs.get_logger('debug.log').
              self.processParams(args, None, {}, {}, logs.get_logger('debug.log'))
  83.  
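  class ZIBE(CommandlineWrapper):
      """Launcher: parse options, configure a ZIBE context and run the shell.

      processParams is the entry point. It parses the arguments, selects an
      authentication provider on a context from ContextManager, starts the
      session and hands control to ZIBEShell.
      """

      # Accepted values for --CredentialType.
      _CREDENTIAL_TYPES = ('UsernamePassword', 'PasswordHash', 'Kerberos', 'DAPU')
      # Echoed in place of passwords and hashes so that secrets do not end up
      # in console output or anything that captures it.
      _REDACTED = '<redacted>'

      def __init__(self):
          CommandlineWrapper.__init__(self)
          self.parser = ZIBEOptionParser()
          # Not assigned anywhere else in this class.
          self.opts = None
          self.args = None

      def __del__(self):
          pass

      def validateParams(self, params):
          """Accept any params; no validation is performed here."""
          return True

      def cleanup(self, flags, context, logConfig):
          """No-op."""
          return

      def getID(self):
          """Return a fixed 40-hex-character identifier string."""
          return "b7bc209584db8d06d97dd5a6fa8b2453a93aa94a"

      def processParams(self, inputs, constants, outputs, context, logConfig):
          """Parse *inputs*, authenticate a context and run the interactive shell.

          inputs is the argument list handed to the option parser; logConfig is
          a logger whose non-file handlers are removed before anything else
          happens. constants, outputs and context are not read here. Every
          failure is reported with print() and ends the call with None.
          """
          # As a bi-product of the way we do things, we need to remove
          # the StreamHandler from the logConfig we receive.
          # Iterate over a copy: removing from logConfig.handlers while looping
          # over it skips the handler that follows each removed one.
          for handler in list(logConfig.handlers):
              if not isinstance(handler, logging.FileHandler):
                  logConfig.removeHandler(handler)

          try:
              options, _unused_args = self.parser.parse_args(inputs)
          except (Exception, SystemExit):
              # optparse reports bad arguments by raising SystemExit; it is
              # caught so that a bad argument prints usage instead of ending
              # the process. KeyboardInterrupt is no longer swallowed.
              self.parser.print_usage()
              return

          # A missing --TargetIp parses as None (not ""), and ports outside
          # 1..65535 are invalid at both ends of the range.
          if not options.TargetIp or not (0 < options.TargetPort <= 65535):
              print("IP/port are invalid")
              return
          if options.CredentialType not in self._CREDENTIAL_TYPES:
              print("Invalid credential type. ")
              return
          # NOTE(review): --NetworkTimeout is parsed but not read in this class.

          print("[+] TargetIp: %s" % (options.TargetIp))
          print("[+] TargetPort: %d" % (options.TargetPort))

          mgr = ContextManager()
          ctx = mgr.create_context("UselessContextName", options.TargetIp, options.TargetPort, options.TargetEPMPort)
          # NOTE(review): the early returns below leave ctx unreleased, as they
          # did before. Whether release_context may be called on a context
          # whose session never started is not visible here; confirm.

          print("[+] CredentialType: %s" % (options.CredentialType))
          try:
              if options.CredentialType in ('UsernamePassword', 'PasswordHash'):
                  configured = self._configure_ntlm(ctx, options)
              elif options.CredentialType == 'Kerberos':
                  configured = self._configure_kerberos(ctx, options)
              elif options.CredentialType == 'DAPU':
                  ctx.provider(ctx.PROVIDER_DAPU)
                  ctx.dp_key(binascii.unhexlify(options.PrivateKey))
                  configured = True
              else:
                  print("Invalid Authentication mechanism")
                  configured = False
          except Exception as e:
              print("Error when parsing parameters: " + str(e))
              import traceback
              print(traceback.format_exc())
              return
          if not configured:
              return

          try:
              ctx.start_session()
          except ZIBEException as err:
              print("Failed to start ZIBE session: " + str(err))
              return

          # From here on the context is released even if building or running
          # the shell raises.
          try:
              print(__logo__)
              if options.TabCompletion:
                  shell = ZIBEShell(context=ctx, logger=logConfig)
              else:
                  shell = ZIBEShell(context=ctx, completekey=None, logger=logConfig)
              shell.cmdloop(intro="ZIBE Interactive Shell")
          finally:
              mgr.release_context(ctx)

      def _configure_ntlm(self, ctx, options):
          """Set provider, optional domain, username and secret for the NTLM types.

          Returns True on success and False after reporting a parse error.
          """
          use_hash = options.CredentialType == 'PasswordHash'
          # Domain mode applies when --Domain is given or the username contains
          # a backslash. A missing username raises here and is reported by the
          # caller, as before.
          domain = options.Domain or '\\' in options.Username
          try:
              if use_hash:
                  provider = ctx.PROVIDER_NTLM_DOMAIN_HASH if domain else ctx.PROVIDER_NTLM_PWHASH
              else:
                  provider = ctx.PROVIDER_NTLM_DOMAIN if domain else ctx.PROVIDER_NTLM_PLAINTEXT
              ctx.provider(provider)
              if options.Domain:
                  ctx.domain(options.Domain)
              username = zbutil.arg_to_utf8(options.Username)
              ctx.username(username)
              if use_hash:
                  ctx.password_hash(binascii.unhexlify(options.Credential))
              else:
                  ctx.password(zbutil.arg_to_utf8(options.Credential))
              print("[+] Username: %s" % (username))
              # The secret itself is no longer echoed.
              if use_hash:
                  print("[+] Password Hash: %s" % (self._REDACTED))
              else:
                  print("[+] Credential: %s" % (self._REDACTED))
          except Exception as e:
              print("Unable to parse username or password: %s" % (e))
              return False
          return True

      def _configure_kerberos(self, ctx, options):
          """Validate the Kerberos options and configure the context from them.

          Returns True on success and False after reporting invalid input.
          """
          if options.KerbCredentialType not in ('Password', 'PasswordHash'):
              print("Invalid Kerberos credential type (--KerbCredentialType)")
              return False
          if not options.TargetDcIp:
              print("Invalid domain controller IP address")
              return False
          if not options.TargetNetbiosName:
              print("TargetNetbiosName is required")
              return False

          print("[+] TargetDcIp: %s" % (options.TargetDcIp))
          print("[+] TargetDcPort: %s" % (options.TargetDcKerberosPort))
          print("[+] TargetDcSMBPort: %s" % (options.TargetDcSMBPort))
          print("[+] TargetNetbiosName: %s" % (zbutil.arg_to_utf8(options.TargetNetbiosName)))
          print("[+] KerbCredentialType: %s" % (options.KerbCredentialType))
          print("[+] Username: %s" % (zbutil.arg_to_utf8(options.Username)))

          if options.KerbCredentialType == 'Password':
              if options.UseESRO:
                  ctx.provider(ctx.PROVIDER_ESRO_PLAINTEXT)
              else:
                  ctx.provider(ctx.PROVIDER_KERB_PLAINTEXT)
              ctx.password(zbutil.arg_to_utf8(options.Credential))
              print("[+] Password: %s" % (self._REDACTED))
          else:  # Password Hash
              if options.UseESRO:
                  ctx.provider(ctx.PROVIDER_ESRO_HASH)
              else:
                  ctx.provider(ctx.PROVIDER_KERB_HASH)
              try:
                  ctx.password_hash(binascii.unhexlify(options.Credential))
              except (TypeError, binascii.Error) as e:
                  print("Invalid password hash. Password must be encoded using binhex representation")
                  print(str(e))
                  # Stop here: continuing would start a session on a context
                  # that never received a hash.
                  return False
              print("[+] PasswordHash: %s" % (self._REDACTED))

          ctx.kdc_location(options.TargetDcIp, options.TargetDcKerberosPort, options.TargetDcSMBPort)
          ctx.target_name(zbutil.arg_to_utf8(options.TargetNetbiosName))
          ctx.username(zbutil.arg_to_utf8(options.Username))
          return True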
  232.  
  if __name__ == "__main__":
      # Script entry point: build the launcher and pass it the arguments that
      # follow the script name.
      ZIBE()(sys.argv[1:])