Roman Hergenreder 2 years ago
parent
commit
efc3b655a8
14 changed files with 202 additions and 107 deletions
  1. 6 2
      autorecon.py
  2. 8 8
      autorecon_config/service-scans.toml
  3. 10 3
      crack_hash.py
  4. 1 1
      fileserver.py
  5. 152 64
      linpeas.sh
  6. 18 18
      lse.sh
  7. BIN
      socat
  8. 3 9
      ssh-check-username.py
  9. 3 1
      template.py
  10. BIN
      win/accesschk.exe
  11. BIN
      win/accesschk64.exe
  12. 1 1
      win/winPEAS.bat
  13. BIN
      win/ysoserial/NDesk.Options.dll
  14. BIN
      win/ysoserial/ysoserial.exe

+ 6 - 2
autorecon.py

@@ -221,7 +221,12 @@ def calculate_elapsed_time(start_time):
 async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE):
     address = target.address
     while True:
-        line = await stream.readline()
+        line = ""
+        try:
+            line = await stream.readline()
+        except ValueError:
+            continue
+        
         if line:
             line = str(line.rstrip(), 'utf8', 'ignore')
             debug(color + '[' + Style.BRIGHT + address + ' ' + tag + Style.NORMAL + '] ' + Fore.RESET + '{line}', color=color)
@@ -878,4 +883,3 @@ def main():
 
 if __name__ == '__main__':
     main()
-
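Review bot: The `except ValueError: continue` added at the top of `read_stream`'s loop swallows the error without any trace, so whatever `stream.readline()` rejected (presumably the limit-overrun `ValueError` that `asyncio.StreamReader.readline()` raises on an over-long line) is discarded silently and the scan output has a hole nobody can see; at minimum record it in the same style as the line below, e.g. `except ValueError as exc:` / `debug(color + '[' + address + ' ' + tag + '] skipped unreadable line: ' + str(exc), color=color)` / `continue`. The `line = ""` assignment before the `try` is dead, because the only path that leaves `line` unassigned ends in `continue`, and the added blank line after the block carries trailing whitespace. The mutable default `patterns=[]` in the signature is a context line rather than part of this change, but `patterns=None` with a `patterns = patterns or []` guard would avoid a shared list across calls. `read_stream`'s body continues past the hunk.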

+ 8 - 8
autorecon_config/service-scans.toml

@@ -59,7 +59,7 @@ service-names = [
 ]
 
     [[finger.scan]]
-    nmap = 'nmap-finger'
+    name = 'nmap-finger'
     command = 'nmap {nmap_extra} -sV -p {port} --script="banner,finger" -oN "{scandir}/{protocol}_{port}_finger_nmap.txt" -oX "{scandir}/xml/{protocol}_{port}_finger_nmap.xml" {address}'
 
 [ftp]
@@ -126,8 +126,8 @@ ignore-service-names = [
     command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'
 
     [[http.scan]]
-    name = 'ffuf'
-    command = 'ffuf -u {scheme}://{address}:{port}/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf.txt'
+    name = 'feroxbuster'
+    command = 'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster.txt'
 
     [[http.manual]]
     description = '(nikto) old but generally reliable web server enumeration tool'
@@ -136,10 +136,10 @@ ignore-service-names = [
     ]
 
     [[http.manual]]
-    description = '(ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
+    description = '(feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
     commands = [
-        'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_big.txt',
-        'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_dirbuster.txt'
+        'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_big.txt',
+        'feroxbuster -u {scheme}://{address}:{port} -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -o {scandir}/{protocol}_{port}_{scheme}_feroxbuster_dirbuster.txt'
     ]
 
     [[http.manual]]
@@ -159,8 +159,8 @@ ignore-service-names = [
     [[http.manual]]
     description = '(gobuster v3) Directory/file enumeration for web servers using various wordlists (same as dirb above):'
     commands = [
-        'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
-        'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -l -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
+        'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_big.txt"',
+        'gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -s "200,204,301,302,307,403,500" -x "txt,html,php,asp,aspx,jsp" -z -o "{scandir}/{protocol}_{port}_{scheme}_gobuster_dirbuster.txt"'
     ]
 
     [[http.manual]]
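Review bot: The three new feroxbuster commands pass `-n` (no recursion) while the manual entry's description on the line above them still reads `(feroxbuster) Multi-threaded recursive directory/file enumeration ...`; either drop `-n` or reword the description so it matches what the command does. The `-o {scandir}/...` output paths in all three commands are unquoted, unlike the `-oN "{scandir}/..."` arguments in the nmap entries and the `-o "{scandir}/..."` arguments in the gobuster lines of this same file, so a scan directory containing a space or shell metacharacter breaks the command; write `-o "{scandir}/{protocol}_{port}_{scheme}_feroxbuster.txt"` and the same for the `_big` and `_dirbuster` variants. The `nmap = 'nmap-finger'` to `name = 'nmap-finger'` key correction in the finger hunk is consistent with the other `[[*.scan]]` tables.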

+ 10 - 3
crack_hash.py

@@ -65,6 +65,7 @@ class HashType(enum.Enum):
     LM   = 3000
     NTLM = 1000
     MSSQL = 1731
+    NTLMV2_SSP = 5600
 
     # Kerberos
     KERBEROS_AS_REQ = 7500
@@ -109,9 +110,15 @@ class Hash:
             elif crypt_type == "S":
                 self.type.append(HashType.DRUPAL7)
         else:
-            self.isSalted = ":" in raw_hash
-            if self.isSalted:
-                raw_hash, self.salt = raw_hash.split(":")
+            if ":" in raw_hash:
+                parts = raw_hash.split(":")
+                if len(parts) == 2:
+                    self.isSalted = True
+                    raw_hash, self.salt = raw_hash.split(":")
+                elif len(parts) == 6:
+                    self.type.append(HashType.NTLMV2_SSP)
+
+
 
         # Base64 -> hex
         try:
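Review bot: After the rewrite in the `Hash` hunk, `self.isSalted` is assigned only on the two-part path, whereas the removed code assigned it on every pass through this `else` branch; unless the method initialises it earlier, outside the hunk, an unsalted hash (or a colon-separated value with any other part count) leaves the attribute unset and a later `isSalted` read raises `AttributeError`. `parts` is computed and then the string is split a second time on the next line; hoist the flag and reuse the list: `self.isSalted = len(parts) == 2` before the `if`, then `raw_hash, self.salt = parts` inside it. Values with a colon count other than 2 or 6 are silently ignored, and the six-part NetNTLMv2 value still falls through to the `# Base64 -> hex` conversion below, which this hunk does not show handling it — worth a guard or a comment. The enclosing method starts and ends outside the hunk, and the two added blank lines plus the existing one make three consecutive blank lines.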

+ 1 - 1
fileserver.py

@@ -132,7 +132,7 @@ class HttpFileServer(HTTPServer):
             data = data.encode("UTF-8")
 
         # return 200 - OK and data
-        self.addRoute(name, lambda req: (data, 200))
+        self.addRoute(name, lambda req: (200, data))
 
     def dumpRequest(self, name):
         self.dumpRequests.append(self.cleanPath(name))
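Review bot: The swap to `(200, data)` fixes the tuple order, but nothing in this hunk records which order route handlers must return, which is presumably how the original ended up backwards; the comment on the line above, `# return 200 - OK and data`, is now the only hint and it could be read either way. Replace it with one that states the contract explicitly, e.g. `# route handlers return (status_code, body_bytes)`, and ideally say the same in `addRoute`'s docstring outside this hunk. The enclosing method starts outside the hunk.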

+ 152 - 64
linpeas.sh


+ 18 - 18
lse.sh

@@ -4,8 +4,8 @@
 
 # Author: Diego Blanco <diego.blanco@treitos.com>
 # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
-# 
-lse_version="3.2"
+#
+lse_version="3.3"
 
 #( Colors
 #
@@ -287,7 +287,7 @@ lse_set_level() {
   esac
 }
 lse_help() {
-  echo "Use: $0 [options]" 
+  echo "Use: $0 [options]"
   echo
   echo " OPTIONS"
   echo "  -c           Disable color"
@@ -404,7 +404,7 @@ lse_test() {
       cecho "${red}---$reset\n"
     fi
     return 1
-  fi 
+  fi
 
   # If level is 2 and lse_level is less than 2, then we do not execute
   # level 2 tests unless their output needs to be assigned to a variable
@@ -534,7 +534,7 @@ lse_exit() {
 }
 lse_procmon() {
   # monitor processes
-  #NOTE: The first number will be the number of occurrences of a process due to 
+  #NOTE: The first number will be the number of occurrences of a process due to
   #      uniq -c
   while [ -f "$lse_procmon_lock" ]; do
     ps -ewwwo start_time,pid,user:50,args
@@ -564,7 +564,7 @@ lse_proc_print() {
 #  A successful test will receive some output while a failed tests will receive
 # an empty string.
 #
-########################################################################( users 
+########################################################################( users
 lse_run_tests_users() {
   lse_header "usr" "users"
 
@@ -582,8 +582,8 @@ lse_run_tests_users() {
 
   #other users in an administrative group
   lse_test "usr020" "1" \
-    "Are there other users in an administrative groups?" \
-    'grep $lse_grep_opts -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -Ev ":$" | grep $lse_grep_opts -Ei ":[a-z_-]+\$"'
+    "Are there other users in administrative groups?" \
+    'grep $lse_grep_opts -E "^(adm|admin|root|sudo|wheel)" /etc/group | grep -Ev ":$|:$lse_user$" | grep $lse_grep_opts -Ei ":[,a-z_-]+\$"'
 
   #other users with shell
   lse_test "usr030" "1" \
@@ -591,7 +591,7 @@ lse_run_tests_users() {
     'grep $lse_grep_opts -E ":/[a-z/]+sh\$" /etc/passwd' \
     "" \
     "lse_shell_users"
-    
+
   #user env information
   lse_test "usr040" "2" \
     "Environment information" \
@@ -722,7 +722,7 @@ lse_run_tests_filesystem() {
     "Can we write to any setgid binary?" \
     'for b in $lse_setgid_binaries; do [ -x "$b" ] && [ -w "$b" ] && echo "$b" ;done' \
     "fst040"
-    
+
   #can we read /root
   lse_test "fst070" "1" \
     "Can we read /root?" \
@@ -863,7 +863,7 @@ lse_run_tests_system() {
   lse_test "sys050" "1" \
     "Can root user log in via SSH?" \
     'grep -E "^[[:space:]]*PermitRootLogin " /etc/ssh/sshd_config | grep -E "(yes|without-password|prohibit-password)"'
-    
+
   #list available shells
   lse_test "sys060" "2" \
     "List available shells" \
@@ -919,7 +919,7 @@ lse_run_tests_security() {
     "Does current user have capabilities?" \
     'printf "$lse_user_caps\n" | grep "$lse_user"' \
     "sec040"
-  
+
   #can user read the auditd log
   lse_test "sec060" "0" \
     "Can we read the auditd log?" \
@@ -927,7 +927,7 @@ lse_run_tests_security() {
 }
 
 
-##############################################################( recurrent tasks 
+##############################################################( recurrent tasks
 lse_run_tests_recurrent_tasks() {
   lse_header "ret" "recurrent tasks"
 
@@ -960,7 +960,7 @@ lse_run_tests_recurrent_tasks() {
   #can we write to any paths present in cron tasks?
   lse_test "ret050" "1" \
     "Can we write to any paths present in cron jobs" \
-    'for p in `grep --color=never -hERoi "/[a-z0-9_/\.\-]+" /etc/cron* | sort -u`; do [ -w "$p" ] && echo "$p"; done' \
+    'for p in `grep --color=never -hERoi "/[a-z0-9_/\.\-]+" /etc/cron* | grep -Ev "/dev/(null|zero|random|urandom)" | sort -u`; do [ -w "$p" ] && echo "$p"; done' \
     "" \
     "lse_user_writable_cron_paths"
 
@@ -980,7 +980,7 @@ lse_run_tests_recurrent_tasks() {
   #user timers
   lse_test "ret500" "1" \
     "User systemd timers" \
-    'systemctl --user list-timers --all | grep -Ev "(^$|timers listed)"'
+    'systemctl --user list-timers --all | grep -iq "\.timer" && systemctl --user list-timers --all'
 
   #can we write in any system timer?
   lse_test "ret510" "0" \
@@ -1026,7 +1026,7 @@ lse_run_tests_network() {
 
   #nameservers
   lse_test "net530" "2" \
-    "Namerservers" \
+    "Nameservers" \
     'grep "nameserver" /etc/resolv.conf'
 
   #systemd nameservers
@@ -1038,7 +1038,7 @@ lse_run_tests_network() {
   lse_test "net550" "2" \
     "Listening TCP" \
     'netstat -tnlp || ss -tnlp'
-  
+
   #listening UDP
   lse_test "net560" "2" \
     "Listening UDP" \
@@ -1187,7 +1187,7 @@ lse_run_tests_software() {
   #check if there are ssh private keys in ssh-agent
   lse_test "sof050" "0" \
     "Are there private keys in ssh-agent?" \
-    'ssh-add -l'
+    'ssh-add -l | grep -iv "agent has no identities"'
 
   #check if there are gpg keys in gpg-agent
   lse_test "sof060" "0" \
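Review bot: The new `ret500` command runs `systemctl --user list-timers --all` twice — once piped into `grep -iq` as the presence check and again to produce the output — so the shown list can differ from the one that was checked; capture it once: `'t=$(systemctl --user list-timers --all 2>/dev/null); printf "%s\n" "$t" | grep -iq "\.timer" && printf "%s\n" "$t"'` (assuming `lse_test` evaluates the string at run time, as the existing `$lse_user_caps` test suggests). In `usr020`, `$lse_user` is interpolated unescaped into the `grep -Ev` pattern, so a username containing regex metacharacters would change what is excluded; acceptable if usernames are constrained, but worth a comment on that line. The other hunks here are trailing-whitespace cleanup, the version bump and typo fixes.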

BIN
socat


+ 3 - 9
ssh-check-username.py

@@ -26,9 +26,7 @@ class InvalidUsername(Exception):
 def add_boolean(*args, **kwargs):
     pass
 
-
-old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[
-        paramiko.common.MSG_SERVICE_ACCEPT]
+old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
 
 def service_accept(*args, **kwargs):
     paramiko.message.Message.add_boolean = add_boolean
@@ -55,14 +53,14 @@ def _paramiko_tunnel(username, *args, **kwargs):
         return
     try:
         transport.auth_publickey(us, paramiko.RSAKey.generate(2048))
-    except InvalidUsername:
+    except InvalidUsername or socket.error:
         print ('[*] {} - Invalid username'.format(us))
     except paramiko.ssh_exception.AuthenticationException:
         print ('[+] {} - Valid username'.format(us))
         return
 
 
-paramiko.auth_handler.AuthHandler._handler_table.update({
+paramiko.auth_handler.AuthHandler._client_handler_table.update({
     paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
     paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
 })
@@ -81,7 +79,3 @@ if args.wordlist is not None:
         for u in f:
             usernames.append(u)
         pool.map(_paramiko_tunnel, usernames)
-
-        
-
-
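Review bot: `except InvalidUsername or socket.error:` does not catch `socket.error` — the expression `InvalidUsername or socket.error` evaluates to the first (truthy) class, so the handler is still just `except InvalidUsername:` and socket errors propagate out of `_paramiko_tunnel` uncaught. Write it as a tuple, `except (InvalidUsername, socket.error):`, and confirm `socket` is imported, which is outside the hunk. `_client_handler_table` (replacing `_handler_table`) is a private paramiko attribute whose name appears to differ between paramiko releases, so the script is tied to the installed version; a comment naming the version it was tested against would help. `_paramiko_tunnel` starts outside the hunk.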

+ 3 - 1
template.py

@@ -16,6 +16,8 @@ from urllib3.exceptions import InsecureRequestWarning
 requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 
 BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
+USERNAME = "admin"
+PASSWORD = "password"
 
 def login(username, password):
     # Template method to create a session
@@ -32,7 +34,7 @@ def exploit(session, payload):
     pass
 
 if __name__ == "__main__":
-    session = login()
+    session = login(USERNAME, PASSWORD)
     exploit(session, "id")
 """ % baseUrl
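Review bot: `USERNAME = "admin"` and `PASSWORD = "password"` are emitted as hard-coded constants into every generated script, so real credentials end up stored in the file next to the code whenever someone fills them in; have the template read them at run time instead, e.g. `USERNAME = os.environ.get("TARGET_USER", "admin")` / `PASSWORD = os.environ.get("TARGET_PASS", "password")`, or take them from `sys.argv` next to the existing `"LOCAL" in sys.argv` check. Note this text lives inside a `""" % baseUrl` template string, so any literal `%` added here must be doubled; the new lines contain none, so the `BASE_URL = "%s"` substitution still works. Whether the generated script imports `os` is outside the hunk.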
 

BIN
win/accesschk.exe


BIN
win/accesschk64.exe


+ 1 - 1
win/winPEAS.bat

@@ -451,7 +451,7 @@ CALL :T_Progress 1
 
 :UnquotedServicePaths
 CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
-ECHO.   [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Progam.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
+ECHO.   [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
 ECHO.   [i] The permissions are also checked and filtered using icacls
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
 for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (

BIN
win/ysoserial/NDesk.Options.dll


BIN
win/ysoserial/ysoserial.exe

