        /// <summary>
        /// Entry point for <c>reecon -winrm-brute IP Userfile Passfile</c>: checks the argument
        /// count and hands off to the OS-specific implementation.
        /// </summary>
        /// <param name="args">Raw command-line arguments; <c>args[0]</c> is the mode switch and is not used here.</param>
        /// <remarks>
        /// On Windows both list arguments must be existing files. On Linux they are passed through
        /// unchecked - per the original comment the Linux path accepts either form.
        /// </remarks>
        public static void WinRMBrute(string[] args)
        {
            if (args.Length != 4)
            {
                Console.WriteLine("WinRM Brute Usage: reecon -winrm-brute IP Userfile Passfile");
                return;
            }
            string targetHost = args[1];
            string userList   = args[2];
            string passList   = args[3];

            // Linux takes either - no existence check there.
            if (General.GetOS() != General.OS.Windows)
            {
                WinRMBrute_Linux(targetHost, userList, passList);
                return;
            }

            // Windows: Only files - bail out on the first one that is missing.
            foreach (var (label, path) in new[] { ("UserFile", userList), ("Passfile", passList) })
            {
                if (!File.Exists(path))
                {
                    Console.WriteLine($"Unable to find {label}: {path}");
                    return;
                }
            }
            WinRMBrute_Windows(targetHost, userList, passList);
        }
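        /// <summary>
        /// Enumerates an anonymously readable SVN repository on <paramref name="ip"/> by parsing
        /// the output of <c>svn log svn://ip</c>.
        /// </summary>
        /// <param name="ip">Host to query; used verbatim in the <c>svn://</c> URL.</param>
        /// <returns>
        /// One "- Commit rN by ..." line per commit (surrounding newlines trimmed), or an empty string
        /// when svn is not installed or the OS is not Linux - those cases are reported on stdout.
        /// </returns>
        public static string GetInfo(string ip)
        {
            string toReturn = "";

            if (General.GetOS() != General.OS.Linux)
            {
                Console.WriteLine("svn.GetInfo currently lacks Windows support. Bug Reelix.");
                return toReturn;
            }
            if (!General.IsInstalledOnLinux("svn"))
            {
                Console.WriteLine("svn is not installed - Skipping enumeration (You probably want to 'svn install subversion')");
                return toReturn;
            }

            // svn info svn://ip - Anything super useful?
            // Output lines are joined with '|' and later split on the same character, so the field
            // positions below only hold while the commit message itself contains no '|'.
            const string commitSeparator = "------------------------------------------------------------------------";
            string        processOutput  = string.Join("|", General.GetProcessOutput("svn", "log svn://" + ip));
            List <string> commitList     = processOutput.Split(new[] { commitSeparator }, StringSplitOptions.None).ToList();
            commitList.RemoveAll(string.IsNullOrEmpty);
            foreach (string commit in commitList)
            {
                List <string> splitItems = commit.Split('|').ToList();
                splitItems.RemoveAll(string.IsNullOrEmpty);
                // 0 - Revision
                // 1 - Name
                // 2 - Date   (not reported)
                // 3 - Lines  (not reported)
                // 4 - Comment
                // Explicit shape check instead of letting an IndexOutOfRangeException drive control flow.
                if (splitItems.Count < 5)
                {
                    toReturn += "- Conversion Error: Unexpected commit format (" + splitItems.Count + " fields)" + Environment.NewLine;
                    continue;
                }
                string commitRevision = splitItems[0].Trim();
                // Revisions look like "r12"; the diff hint uses the previous revision as its base.
                if (!int.TryParse(commitRevision.Replace("r", ""), out int revisionNumber))
                {
                    toReturn += "- Conversion Error: Unparseable revision '" + commitRevision + "'" + Environment.NewLine;
                    continue;
                }
                int    commitDiff     = revisionNumber - 1;
                string commitName     = splitItems[1].Trim();
                string commitComments = splitItems[4];
                string commitInfo     = "- Commit " + commitRevision + " by " + commitName + " - " + commitComments + " ( svn diff -r" + commitDiff + " svn://" + ip + " )";
                toReturn += commitInfo + Environment.NewLine;
            }
            return toReturn.Trim(Environment.NewLine.ToCharArray());
        }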
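        /// <summary>
        /// Runs the initial full-port nmap scan against a target and writes the greppable output
        /// to <c>{fileName}.nmap</c> for the rest of reecon to parse.
        /// </summary>
        /// <param name="args">Positional arguments: <c>args[0]</c> is the target, <c>args[1]</c> the
        /// output file name without extension. With a single argument the name is read from stdin.</param>
        /// <param name="mustPing">When false, <c>-Pn</c> is added so hosts that do not answer ping are still scanned.</param>
        /// <returns>The output file name without the <c>.nmap</c> extension.</returns>
        /// <remarks>
        /// Usage, validation and prerequisite failures terminate the process via
        /// <see cref="Environment.Exit(int)"/>; the original exit code of 0 is kept for compatibility.
        /// </remarks>
        public static string DefaultScan(string[] args, bool mustPing)
        {
            // ip[0]
            // outputfile[1]
            // Three or more arguments used to fall through with an empty target; treat that as a usage error too.
            if (args.Length < 1 || args.Length > 2)
            {
                Console.WriteLine("Usage: ip outfile");
                Environment.Exit(0);
            }
            string target = args[0];
            string fileName;

            if (args.Length == 1)
            {
                Console.WriteLine("Outfile name (1 word, no extension)");
                // ReadLine returns null on EOF; treat that as an empty name so the check below rejects it.
                fileName = Console.ReadLine() ?? "";
            }
            else
            {
                fileName = args[1];
            }

            // Both values are spliced unquoted into the nmap argument string. A value containing
            // whitespace or starting with '-' would be parsed as extra nmap options rather than as a
            // target or file name, so reject it up front.
            if (!IsSafeArgument(target))
            {
                Console.WriteLine("Error - Invalid target (no whitespace, must not start with '-')");
                Environment.Exit(0);
            }
            if (!IsSafeArgument(fileName))
            {
                Console.WriteLine("Error - Invalid outfile name (1 word, must not start with '-')");
                Environment.Exit(0);
            }

            // Check if nmap is installed
            // NOTE(review): IsInstalledOnLinux is called on every OS, including the non-Linux branch below - confirm it copes with that.
            if (!General.IsInstalledOnLinux("nmap"))
            {
                Console.WriteLine("Error - nmap is not installed");
                Environment.Exit(0);
            }

            Console.WriteLine($"Doing an optimized Nmap scan on {target} - This may take awhile...");
            string noPing = mustPing ? "" : " -Pn ";

            // Stopwatch is monotonic; DateTime.Now can jump during a long scan.
            var scanTimer = System.Diagnostics.Stopwatch.StartNew();

            if (General.GetOS() == General.OS.Linux)
            {
                // Run under sudo on Linux - presumably because -sS needs raw-socket privileges.
                General.RunProcess("sudo", $"nmap -sS -p- {noPing} --min-rate=5000 {target} -oG {fileName}.nmap");
            }
            else
            {
                General.RunProcess("nmap", $"-sS -p- {noPing} --min-rate=5000 {target} -oG {fileName}.nmap");
            }
            scanTimer.Stop();

            Console.WriteLine("Scan complete in " + string.Format("{0:0.00}s", scanTimer.Elapsed.TotalSeconds) + $" - {fileName}.nmap for reecon");
            return fileName;

            // Conservative check for a value that goes into an unquoted process argument string.
            static bool IsSafeArgument(string value)
            {
                return !string.IsNullOrEmpty(value)
                    && value[0] != '-'
                    && !value.Any(char.IsWhiteSpace);
            }
        }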
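        /// <summary>
        /// Collects SMB findings for <paramref name="target"/>: OS details, an MS17-010 check and
        /// (Linux only) an anonymous-access test.
        /// </summary>
        /// <param name="target">Host to query.</param>
        /// <param name="port">SMB port; currently unused by this implementation.</param>
        /// <returns>Newline-separated findings with surrounding newlines trimmed.</returns>
        public static string GetInfo(string target, int port)
        {
            string toReturn = "";

            toReturn += GetOSDetails(target);
            // The check is SMB_MS17_010; the bulletin id in the banner was previously mistyped as MS10-017.
            if (SMB_MS17_010.IsVulnerable(target))
            {
                toReturn += "----> VULNERABLE TO ETERNAL BLUE (MS17-010) <-----" + Environment.NewLine;
                toReturn += "-----> Metasploit: use windows/smb/ms17_010_psexec" + Environment.NewLine;
            }

            // The anonymous-access probe only has a Linux implementation.
            toReturn += General.GetOS() == General.OS.Linux
                ? SMB.TestAnonymousAccess_Linux(target)
                : "- Reecon currently lacks advanced SMB Support on Windows (Ironic, I know)";

            return toReturn.Trim(Environment.NewLine.ToCharArray());
        }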
        /// <summary>
        /// Probes MS-RPC on <paramref name="ip"/> anonymously via rpcclient (Linux only): domain name
        /// (lsaquery), srvinfo / OS version, a user listing or SID-based user discovery, and whether
        /// anonymous access worked at all.
        /// </summary>
        /// <param name="ip">Host to query.</param>
        /// <returns>
        /// Newline-terminated "- ..." report lines; a single explanatory line when rpcclient is
        /// unavailable or the OS is not Linux.
        /// </returns>
        private static string GetRPCInfo(string ip)
        {
            // Beware!
            string rpcInfo    = "";
            bool   anonAccess = false; // set once any anonymous rpcclient call returns data
            bool   signing    = true;  // cleared when srvinfo only worked with signing off; passed to the later calls

            if (General.GetOS() == General.OS.Linux)
            {
                if (General.IsInstalledOnLinux("rpcclient", "/usr/bin/rpcclient"))
                {
                    // Find the Domain Name
                    // Console.WriteLine("RPC - lsaquery");
                    List <string> domainNameList = rpcclient.GetLsaqueryOutput(ip);
                    domainNameList.RemoveAll(x => !x.StartsWith("Domain Name:"));
                    if (domainNameList.Count == 1)
                    {
                        anonAccess = true;
                        rpcInfo   += "- " + domainNameList[0] + Environment.NewLine;
                    }

                    // Server info
                    // Console.WriteLine("RPC - srvinfo");
                    List <string> srvinfoList  = rpcclient.GetSrvinfoOutput(ip);
                    bool          setNoSigning = false;
                    // If it's denied the first time - Try the no-signing backup
                    if (srvinfoList.Count != 0 && srvinfoList[0].Contains("NT_STATUS_ACCESS_DENIED"))
                    {
                        // noSigning backup!
                        // Console.WriteLine("RPC - srvinfo - noSigning Backup");
                        srvinfoList  = rpcclient.GetSrvinfoOutput(ip, false);
                        setNoSigning = true;
                    }
                    if (srvinfoList.Count != 0 && !srvinfoList[0].Contains("NT_STATUS_ACCESS_DENIED") && !srvinfoList[0].Contains("NT_STATUS_LOGON_FAILURE"))
                    {
                        // If it only worked with the no-signing backup - Yay!
                        if (setNoSigning)
                        {
                            Console.WriteLine("Sneaky access found with RPC - This might take a bit longer than planned (Up to 3 minutes)");
                            signing = false;
                        }
                        anonAccess = true;

                        /*
                         *  MOTUNUI        Wk Sv PrQ Unx NT SNT motunui server (Samba, Ubuntu)
                         *  platform_id     :       500
                         *  os version      :       6.1
                         *  server type     :       0x809a03
                         */
                        rpcInfo += "- srvinfo: " + srvinfoList[0] + Environment.NewLine;
                        // https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions
                        // Only the 4-line layout shown above is parsed; anything else is reported as weird.
                        if (srvinfoList.Count == 4)
                        {
                            if (srvinfoList[2].Trim().StartsWith("os version"))
                            {
                                string osVersion = srvinfoList[2];
                                osVersion = osVersion.Split(':')[1];
                                osVersion = osVersion.Trim();
                                if (osVersion == "6.1")
                                {
                                    rpcInfo += "- srvinfo (OS): Windows 7 OR Windows Server 2008 (One of the two)" + Environment.NewLine;
                                }
                                else if (osVersion == "6.2")
                                {
                                    rpcInfo += "- srvinfo (OS): Windows 8 OR Windows Server 2012 (One of the two)" + Environment.NewLine;
                                }
                                else if (osVersion == "10.0")
                                {
                                    rpcInfo += "- srvinfo (OS): Windows 10 OR Windows Server 2016 OR Windows Server 2019 (10.0 is very vague)" + Environment.NewLine;
                                }
                                else
                                {
                                    rpcInfo += "- srvinfo (OS): Unknown - ID: " + osVersion + " - Bug Reelix!" + Environment.NewLine;
                                }
                            }
                            else
                            {
                                rpcInfo += "- Weird srvinfo return - Bug Reelix!";
                            }
                        }
                    }

                    // Console.WriteLine("RPC - enumdomusers");
                    List <string> enumdomusersList = rpcclient.GetEnumdomusersOutput(ip, signing);
                    if (enumdomusersList.Count == 0 || // Allowed - But no results
                        enumdomusersList.Count == 1 && enumdomusersList[0].Contains("NT_STATUS_ACCESS_DENIED"))
                    {
                        // Find public SIDs with lsaenumsid
                        // Console.WriteLine("RPC - lsaenumid");
                        List <string> sidList = rpcclient.GetLsaenumsidOutput(ip, signing);
                        if (sidList.Count != 0 && !sidList[0].Contains("NT_STATUS_ACCESS_DENIED"))
                        {
                            anonAccess = true;
                            rpcInfo   += "- Found SIDs" + Environment.NewLine;

                            List <string> sidResolution = rpcclient.GetLookupsidsOutput(ip, sidList, signing);
                            if (sidResolution.Count != 0)
                            {
                                foreach (string result in sidResolution)
                                {
                                    rpcInfo += "-- " + result + Environment.NewLine;
                                }
                            }
                        }

                        // Find sneaky SIDs
                        // Console.WriteLine("RPC - lookupnames");
                        List <string> sneakyNameLookup = rpcclient.GetLookupnamesOutput(ip, "administrator guest krbtgt root bin none", signing);
                        // NOTE(review): this copy of the source is corrupted from here on - part of the code has been
                        // replaced by "******" and the braces that follow no longer match an opening. The intent
                        // (collect the base SID of each resolved default account into sneakySIDBaseList) is inferred
                        // from the code below; compare against the original file before relying on this block.
                        sneakyNameLookup.RemoveAll(x => !x.Contains("(User: "******"-") + 1);
                                    if (!sneakySIDBaseList.Contains(sneakySIDBase))
                                    {
                                        sneakySIDBaseList.Add(sneakySIDBase);
                                    }
                                }
                            }

                            // Needs the base SID to enumerate
                            if (sneakySIDBaseList.Count != 0)
                            {
                                List <string> sneakySIDList = new();
                                foreach (string sneakyBase in sneakySIDBaseList)
                                {
                                    // Low ones are just system names - Can ignore them - Proper ones start from 1000
                                    for (int j = 1000; j <= 1015; j++)
                                    {
                                        sneakySIDList.Add(sneakyBase + j);
                                    }
                                    // Some sneakier ones hiding from 1100 instead
                                    for (int j = 1100; j <= 1115; j++)
                                    {
                                        sneakySIDList.Add(sneakyBase + j);
                                    }
                                    // NOTE(review): sneakySIDList is not cleared per base, so with several bases each
                                    // lookup also re-sends the RIDs of the earlier bases.
                                    List <string> sneakySIDLookup = rpcclient.GetLookupsidsOutput(ip, sneakySIDList, signing);
                                    if (sneakySIDLookup.Count != 0)
                                    {
                                        // Remove non-users
                                        sneakySIDLookup.RemoveAll(x => !x.Trim().EndsWith("(1)"));
                                        foreach (string lookupResult in sneakySIDLookup)
                                        {
                                            string name = lookupResult.Substring(0, lookupResult.LastIndexOf(" (1)"));

                                            name = name.Remove(0, name.LastIndexOf("\\") + 1);

                                            // Some invalid ones simply have the number itself instead of the name
                                            // A bit hacky, but it works
                                            if (!int.TryParse(name, out int toIgnore))
                                            {
                                                rpcInfo += "-- " + $"Sneaky Username Found: {name}".Pastel(Color.Orange) + Environment.NewLine;
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                    else // Count > 0
                    {
                        string firstItem = enumdomusersList[0];
                        // NOTE(review): the condition on the next line is also corrupted in this copy ("******");
                        // from the sample comment below it presumably checks for the "user:[...] rid:[...]" layout.
                        if (firstItem.Contains("user:"******"rid:"))
                        {
                            // All is fine
                            if (enumdomusersList.Count >= 3)
                            {
                                Console.WriteLine("Found a lot of useful RPC info - Output may take a few seconds longer than expected");
                            }
                            rpcInfo += "- User Listing" + Environment.NewLine;
                            List <string> usernames = new List <string>();
                            foreach (string user in enumdomusersList)
                            {
                                // user:[fox] rid:[0x3e8]
                                string username = user.Remove(0, user.IndexOf("[") + 1);
                                username = username.Substring(0, username.IndexOf("]"));
                                usernames.Add(username);
                                rpcInfo += rpcclient.GetQueryuserInfo(ip, username);
                            }

                            // See if there are any we're missing

                            // Get the default names list
                            var defaultNames = rpcclient.LookupNames(ip, "administrator guest krbtgt root bin none", signing);

                            // Filter them to only get the users
                            defaultNames = defaultNames.Where(x => x.Type.Contains("User")).ToList();

                            // Get the users SIDs
                            List <string> defaultNameSids = defaultNames.Select(x => x.SID).ToList();

                            // Sneaky sid lookup by the sids
                            var sneakySids = rpcclient.GetSneakySids(ip, defaultNameSids, signing);

                            // Remove the names we already have
                            sneakySids.RemoveAll(x => usernames.Contains(x.Name));

                            // Rest are missed!
                            foreach (var item in sneakySids)
                            {
                                rpcInfo += "-- " + $"Sneaky Username Found: {item.Name}".Pastel(Color.Orange) + Environment.NewLine;
                            }
                            // 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
                            rpcInfo += "--> rpcclient -> setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
                        }
                        // The connection-failure branches below replace (not append to) rpcInfo, discarding any
                        // lsaquery / srvinfo lines collected above.
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_RESOURCE_NAME_NOT_FOUND")
                        {
                            rpcInfo = "- Cannot connect - Are you sure it's up?" + Environment.NewLine;
                        }
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_IO_TIMEOUT")
                        {
                            rpcInfo = "- Cannot connect - It timed out :<" + Environment.NewLine;
                        }
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_CONNECTION_DISCONNECTED")
                        {
                            rpcInfo = "- Cannot connect - It kicks you out instantly" + Environment.NewLine;
                        }
                        else if (firstItem.Contains("was NT_STATUS_ACCESS_DENIED"))
                        {
                            rpcInfo = "- enumdomusers is denied - Probably can't get anything useful" + Environment.NewLine;
                        }
                        else if (firstItem.Contains("was NT_STATUS_LOGON_FAILURE"))
                        {
                            rpcInfo = "- Unable to log on at all - Possibly a timeout :(" + Environment.NewLine;
                        }
                        else
                        {
                            foreach (string item in enumdomusersList)
                            {
                                Console.WriteLine("Debug Info item: " + item);
                            }
                            rpcInfo = "- Unknown items in NETBIOS.GetRPCInfo - Bug Reelix (Check Debug Info Item output)" + Environment.NewLine;
                        }
                    }
                    // anonAccess reflects every probe above, so this line is appended even when a
                    // connection-failure branch has just reset rpcInfo.
                    if (anonAccess == true)
                    {
                        rpcInfo += "- " + $"Anonymous access permitted! -> rpcclient -U \"\"%\"\" {ip}".Pastel(Color.Orange) + Environment.NewLine;
                    }
                    else
                    {
                        rpcInfo += "- No anonymous RPC access" + Environment.NewLine;
                        // 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
                        rpcInfo += "-- If you get access -> enumdomusers / queryuser usernameHere / setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
                    }
                }
                else
                {
                    rpcInfo = "- Error: Cannot find /usr/bin/rpcclient - Please install smbclient (Includes it)".Pastel(Color.Red) + Environment.NewLine;
                }
            }
            else
            {
                rpcInfo = "- No RPC Info - Try run on Linux (rpcclient)" + Environment.NewLine;
            }
            return(rpcInfo);
        }
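        // For the "Some things you probably want to do" list
        /// <summary>
        /// Builds the per-port "things you probably want to do" hints for <paramref name="target"/>.
        /// Most branches only format suggested follow-up commands; the 88, 5672 and 9100 branches also
        /// query the service (LDAP naming context / banner grabs) to tailor the hints.
        /// </summary>
        /// <param name="target">Host the hints refer to; substituted into the printed text, never executed here.</param>
        /// <param name="port">Open port the hints are for.</param>
        /// <returns>Zero or more "- ..." lines, or an empty string for ports without hints.</returns>
        public static string GetAdditionalPortInfo(string target, int port)
        {
            string postScanActions = "";

            // Additional port info
            if (port == 23)
            {
                postScanActions += "- Telnet: Just telnet in - Bug Reelix to update this though..." + Environment.NewLine;
            }
            else if (port == 53)
            {
                // TODO: https://svn.nmap.org/nmap/scripts/dns-nsid.nse
                postScanActions += $"- Try a reverse lookup (Linux): dig @{target} -x {target}" + Environment.NewLine;
                postScanActions += $"- Try a zone transfer (Linux): dig axfr domain.com @{target}" + Environment.NewLine;
            }
            else if (port == 80)
            {
                postScanActions += $"- gobuster dir -u=http://{target}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-http-medium.txt -x.php,.txt" + Environment.NewLine;
                postScanActions += $"- gobuster dir -u=http://{target}/ -w ~/wordlists/common.txt -t 25 -o gobuster-http-common.txt -x.php,.txt" + Environment.NewLine;
            }
            else if (port == 88)
            {
                // Post Scan
                // Turn "DC=corp,DC=local" into "corp.local" for the commands below.
                string defaultNamingContext = LDAP.GetDefaultNamingContext(target, true);
                defaultNamingContext = defaultNamingContext.Replace("DC=", "").Replace(",", ".");

                // Username enum
                postScanActions += $"- Kerberos Username Enum: kerbrute userenum --dc {defaultNamingContext}/ -d {target} users.txt" + Environment.NewLine;

                // Requests TGT (Ticket Granting Tickets) for users
                postScanActions += $"- Kerberos TGT Request: sudo GetNPUsers.py {defaultNamingContext}/ -dc-ip {target} -request" + Environment.NewLine;

                // Test for users with 'Do not require Kerberos preauthentication'
                postScanActions += $"- Kerberos non-preauth: sudo GetNPUsers.py {defaultNamingContext}/ -usersfile sampleUsersHere.txt -dc-ip {target}" + Environment.NewLine;

                // Post exploitation
                postScanActions += $"- If you get details: python3 secretsdump.py usernameHere:\"passwordHere\"@{target} | grep :" + Environment.NewLine;
            }
            else if (port == 443)
            {
                postScanActions += $"- gobuster dir -u=https://{target}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-https-medium.txt -x.php,.txt" + Environment.NewLine;
                // Wordlist name now matches the port 80 branch ("common.txt" - it was "common" before).
                postScanActions += $"- gobuster dir -u=https://{target}/ -w ~/wordlists/common.txt -t 25 -o gobuster-https-common.txt -x.php,.txt" + Environment.NewLine;
            }
            else if (port == 445)
            {
                if (General.GetOS() == General.OS.Windows)
                {
                    postScanActions += $"- Port 445 - Linux (SMBClient) has better info on this: smbclient -L {target} --no-pass" + Environment.NewLine;
                }
                postScanActions += $"- Port 445 - I miss a lot: nmap -sC -sV -p445 {target}" + Environment.NewLine;
                postScanActions += $"- Port 445 - Testing passwords: crackmapexec smb {target} -u users.txt -p passwords.txt" + Environment.NewLine;
                postScanActions += $"- Port 445 - Authenticated SID Lookup: sudo lookupsid.py DOMAIN/Username:password@{target}" + Environment.NewLine;
            }
            else if (port == 2049)
            {
                postScanActions += "- NFS: rpcinfo -p " + target + Environment.NewLine;
            }
            else if (port == 3128)
            {
                postScanActions += $"- Squid: If you get a password, run: squidclient -v -h {target} -w 'passwordHere' mgr:menu" + Environment.NewLine;
            }
            else if (port == 3306)
            {
                postScanActions += $"- Try: hydra -L users.txt -P passwords.txt {target} mysql" + Environment.NewLine;
            }
            else if (port == 3389)
            {
                // TODO: https://nmap.org/nsedoc/scripts/rdp-ntlm-info.html
                // https://svn.nmap.org/nmap/scripts/rdp-ntlm-info.nse
                // (A parked, commented-out NTLM negotiate probe used to live here; nothing is produced for RDP yet.)
            }
            else if (port == 3690)
            {
                // Banner: ( success ( 2 2 ( ) ( edit-pipeline svndiff1 accepts-svndiff2 absent-entries commit-revprops depth log-revprops atomic-revprops partial-replay inherited-props ephemeral-txnprops file-revs-reverse list ) ) )
                postScanActions += "- SVN: svn diff -r1 svn://" + target + Environment.NewLine;
            }
            else if (port == 4369)
            {
                // TODO: https://svn.nmap.org/nmap/scripts/epmd-info.nse
                postScanActions += $"- EPMD: nmap {target} -p4369 --script=epmd-info -sV" + Environment.NewLine;
            }
            else if (port == 5222)
            {
                // TODO: Jabber
                // 5222/tcp open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
            }
            else if (port == 5269)
            {
                // jabber / xmpp-server
                // 5269/tcp open  xmpp                Wildfire XMPP Client ???
                // Newline added so this line terminates like every other hint.
                postScanActions += "- nmap --script=xmpp-info " + target + " -p" + port + Environment.NewLine;
            }
            else if (port == 5672)
            {
                string portHeader = "Port 5672 - Advanced Message Queuing Protocol (AMQP)";
                string portData   = General.BannerGrab(target, 5672, "Woof" + Environment.NewLine + Environment.NewLine);
                if (portData.StartsWith("AMQP", StringComparison.Ordinal))
                {
                    // Protocol header is "AMQP" followed by four version bytes; guard the length before
                    // indexing so a truncated banner cannot throw.
                    if (portData.Length >= 8 && portData[4] == 0 && portData[5] == 0 && portData[6] == 9 && portData[7] == 1)
                    {
                        portData = "- Version 0-9-1";
                        // theBanner = General.BannerGrab(ip, port, theBanner); // Need to send the bytes of AMQP0091
                        // https://svn.nmap.org/nmap/nselib/amqp.lua
                        postScanActions += $"- AMQP is up and nmap knows more: nmap --script amqp-info -p{port} {target}" + Environment.NewLine;
                    }
                    else
                    {
                        portData = "- 5672.Unknown Version - Bug Reelix";
                    }
                }
                else
                {
                    portData = "- 5672.Unknown - Bug Reelix";
                }
                Console.WriteLine(portHeader + Environment.NewLine + portData + Environment.NewLine);
            }
            else if (port == 9100)
            {
                // TODO: Clean - Should the file be named "Printer.cs" or "jetdirect.cs" ???
                string portHeader = $"Port {port} - Printer (jetdirect)";

                // PJL

                // http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet
                // Yoinked from Nmap
                string bannerInfo = General.BannerGrab(target, port, "@PJL INFO ID\r\n");
                string portData   = "";
                // IsNullOrEmpty rather than != "" so a null banner lands in the "Unknown" branch instead of throwing below.
                if (!string.IsNullOrEmpty(bannerInfo))
                {
                    portData += "- Version: " + bannerInfo + Environment.NewLine;
                    // Yoinked from PRET
                    List <string> dirList = General.BannerGrab(target, port, "@PJL FSDIRLIST NAME=\"0:/ \" ENTRY=1 COUNT=65535\r\n").Split("\r\n".ToCharArray()).ToList();
                    // Clean new lines
                    dirList.RemoveAll(string.IsNullOrEmpty);
                    // Append each item
                    portData += "- Directory List: " + Environment.NewLine;
                    foreach (string dir in dirList)
                    {
                        portData += "-- " + dir + Environment.NewLine;
                    }
                    portData = portData.Trim(Environment.NewLine.ToCharArray());

                    // PFL Successful - Add pjl to the post scan actions
                    postScanActions += portData + Environment.NewLine + $"- Printer: pret.py {target} pjl ( https://github.com/RUB-NDS/PRET )" + Environment.NewLine;
                }
                else
                {
                    portData = "- Unknown - Bug Reelix!";
                }
                // TODO: Add PCL (Printer Command Language), XEX, IPDS
                Console.WriteLine(portHeader + Environment.NewLine + portData + Environment.NewLine);
            }
            else if (port == 11211)
            {
                postScanActions += "- 11211 - Memcache" + Environment.NewLine;
                postScanActions += "-- Verify: stats (Dumps \"STAT\")" + Environment.NewLine;
                postScanActions += "-- Dump key names: lru_crawler metadump all" + Environment.NewLine;
                postScanActions += "-- Read key: get keyname" + Environment.NewLine;
            }
            else if (port == 27017)
            {
                // MongoDB
                postScanActions += "- 27017 - MongoDB: NMap can get the version" + Environment.NewLine;
                // Nmap can get the version - What else can we get?
            }
            return postScanActions;
        }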
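        /// <summary>
        /// Enumerates the NFS exports advertised by <paramref name="target"/> with the platform's
        /// showmount and renders them as report lines: one "- " line per export, with "--"
        /// follow-up hints on the exports the code classifies as NFS V1 / V2 style.
        /// </summary>
        /// <param name="target">Host to query; passed to <c>showmount -e</c> unchanged.</param>
        /// <param name="port">Port the service was observed on. Not used by the enumeration itself.</param>
        /// <returns>
        /// The trimmed export listing; a single error/advice line when showmount is unavailable;
        /// or an empty string (after printing a message) when the OS is neither Windows nor Linux.
        /// </returns>
        public static string GetInfo(string target, int port)
        {
            // TODO: https://svn.nmap.org/nmap/scripts/nfs-ls.nse

            // NOTE(review): target is concatenated straight into the showmount argument string.
            // How General.GetProcessOutput tokenises that string (argv vs. a shell) is not visible
            // here - confirm against General before feeding it anything but operator-typed hosts.

            var os = General.GetOS();

            if (os == General.OS.Windows)
            {
                if (!File.Exists(@"C:\Windows\System32\showmount.exe"))
                {
                    return "- showmount does not exist - Bug Reelix to update this section for more compatibility";
                }

                List<string> outputLines = General.GetProcessOutput(@"C:\Windows\System32\showmount.exe", "-e " + target);
                if (outputLines.Count <= 1)
                {
                    // Nothing beyond the first line (presumably showmount's header) - no exports to report.
                    return "";
                }

                // The first line is skipped; the exports start after it.
                outputLines.RemoveAt(0);
                string fileList = "- Files:" + Environment.NewLine;
                foreach (string line in outputLines)
                {
                    fileList += "-- " + line + Environment.NewLine;
                }
                fileList  = fileList.Trim(Environment.NewLine.ToCharArray());
                fileList += Environment.NewLine + $"- To Mount --> mount \\\\{target}\\shareNameHere x:";
                return fileList;
            }

            if (os == General.OS.Linux)
            {
                if (!General.IsInstalledOnLinux("showmount")) // "/sbin/showmount" OR "/usr/sbin/showmount"
                {
                    return "- Error - showmount is not installed - Unable to enumerate! Run: sudo apt install nfs-common".Pastel(Color.Red);
                }

                string fileList = "";
                List<string> showmountOutput = General.GetProcessOutput("showmount", "-e " + target);
                foreach (string line in showmountOutput)
                {
                    // https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash

                    // NFS V1
                    if (line.Trim().EndsWith("*", StringComparison.Ordinal))
                    {
                        fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
                        // Fix: this hint lacked the '$' prefix, so "{target}" was emitted literally instead of the host.
                        fileList += "-- NFSV1 -> " + $"sudo mount -t nfs {target}:/mountNameHere /tmp/mount/ -nolock".Pastel(Color.Orange) + Environment.NewLine;
                        fileList += "--- " + "Try copy over a version of bash onto the share, +s +x it, then ./bash -p".Pastel(Color.Orange) + Environment.NewLine;
                    }
                    // NFS V2
                    else if (line.Contains(" (everyone)"))
                    {
                        fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
                        fileList += "-- NFSV2 -> " + $"sudo mount -t nfs -o vers=2 {target}:/mountNameHere /mnt".Pastel(Color.Orange) + Environment.NewLine;
                        fileList += "--- " + "Try copy over a version of bash onto the share, +s +x it, then ./bash -p".Pastel(Color.Orange) + Environment.NewLine;
                    }
                    else
                    {
                        fileList += "- " + line + Environment.NewLine;
                    }
                }
                // The commented-out WMI (Win32_OptionalFeature) probe that used to follow this
                // return was unreachable and has been dropped.
                return fileList.Trim(Environment.NewLine.ToCharArray());
            }

            Console.WriteLine("Error - OS Not Supportd - Bug Reelix");
            return "";
        }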
        /// <summary>
        /// Probes the MS-RPC endpoint on <paramref name="ip"/> with rpcclient over a null session
        /// and builds a report fragment: the domain name (lsaquery), the user listing
        /// (enumdomusers, expanded per user by <see cref="QueryEnumDomUser"/>), SIDs resolved via
        /// lsaenumsid/lookupsids, and a closing line stating whether anonymous access was granted.
        /// Linux-only: on any other OS a single advisory line is returned.
        /// </summary>
        /// <param name="ip">Host to query; interpolated into every rpcclient command line.</param>
        /// <returns>Newline-terminated report lines; never null.</returns>
        private static string GetRPCInfo(string ip)
        {
            string rpcInfo    = "";
            // Set by any probe that returns data without credentials.
            bool   anonAccess = false;

            if (General.GetOS() == General.OS.Linux)
            {
                if (General.IsInstalledOnLinux("rpcclient", "/usr/bin/rpcclient"))
                {
                    // Every probe below uses a null session: -U ""%"" is an empty user name and empty password.
                    // Find the Domain Name
                    List <string> domainNameList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaquery\"");
                    domainNameList.RemoveAll(x => !x.StartsWith("Domain Name:"));
                    if (domainNameList.Count == 1)
                    {
                        // An lsaquery answer over the null session means unauthenticated RPC binding works.
                        anonAccess = true;
                        rpcInfo   += "- " + domainNameList[0] + Environment.NewLine;
                    }

                    // Find basic users
                    List <string> enumdomusersList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"enumdomusers\"");
                    // No users came back (no access, or possibly nothing to list) - fall back to the other anonymous probes.
                    if (enumdomusersList.Count == 0)
                    {
                        List <string> srvinfoList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"srvinfo\"");
                        if (srvinfoList.Count != 0)
                        {
                            anonAccess = true;
                            rpcInfo   += "- srvinfo: " + srvinfoList[0] + Environment.NewLine;
                        }

                        // Find public SIDs with lsaenumsid
                        List <string> sidList = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lsaenumsid\"");
                        if (sidList.Count != 0)
                        {
                            anonAccess = true;
                            rpcInfo   += "- Found SIDs" + Environment.NewLine;
                            // Remove the "found X SIDs" text
                            sidList.RemoveAll(x => x.StartsWith("found "));

                            // Remove blanks
                            sidList.RemoveAll(x => string.IsNullOrEmpty(x));

                            // lookupsids takes all SIDs in one invocation, space-separated.
                            string sidListString = string.Join(' ', sidList);

                            // Enumerate the rest
                            List <string> sidResolution = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids {sidListString}\"");
                            if (sidResolution.Count != 0)
                            {
                                foreach (string result in sidResolution)
                                {
                                    rpcInfo += "-- " + result + Environment.NewLine;
                                }
                            }
                        }

                        // Find sneaky SIDs
                        // NOTE(review): the command string below has no closing \" after "none" - verify against
                        // the original source whether that is intentional or a copy artefact.
                        List <string> sneakyNameLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupnames administrator guest krbtgt root bin none");
                        // NOTE(review): the next line is garbled in this listing - a span of the original source was
                        // replaced by "******", and the loop that declares and fills sneakySIDBaseList is missing here.
                        sneakyNameLookup.RemoveAll(x => !x.Contains("(User: "******"-") + 1);
                                    if (!sneakySIDBaseList.Contains(sneakySIDBase))
                                    {
                                        sneakySIDBaseList.Add(sneakySIDBase);
                                    }
                                }
                            }

                            if (sneakySIDBaseList.Count != 0)
                            {
                                List <string> sneakySIDList = new List <string>();
                                foreach (string sneakyBase in sneakySIDBaseList)
                                {
                                    // Low ones are just system names - Can ignore them - Proper ones start from 1000
                                    sneakySIDList.Add(sneakyBase + "1000");
                                    sneakySIDList.Add(sneakyBase + "1001");
                                    sneakySIDList.Add(sneakyBase + "1002");
                                    sneakySIDList.Add(sneakyBase + "1003");
                                    sneakySIDList.Add(sneakyBase + "1004");
                                    sneakySIDList.Add(sneakyBase + "1005");
                                    sneakySIDList.Add(sneakyBase + "1006");
                                    sneakySIDList.Add(sneakyBase + "1007");
                                    sneakySIDList.Add(sneakyBase + "1008");
                                    sneakySIDList.Add(sneakyBase + "1009");
                                    sneakySIDList.Add(sneakyBase + "1010");
                                    List <string> sneakySIDLookup = General.GetProcessOutput("rpcclient", $"-U \"\"%\"\" {ip} -c \"lookupsids " + string.Join(" ", sneakySIDList) + "\"");
                                    if (sneakySIDLookup.Count != 0)
                                    {
                                        foreach (string lookupResult in sneakySIDLookup)
                                        {
                                            // NOTE(review): IndexOf returns -1 when " (1)" is absent from a line, and
                                            // Substring(0, -1) then throws ArgumentOutOfRangeException - guard before slicing.
                                            string name = lookupResult.Substring(0, lookupResult.IndexOf(" (1)"));

                                            // Keep only the part after the last backslash (the name without its domain prefix).
                                            name = name.Remove(0, name.LastIndexOf("\\") + 1);

                                            // Invalid ones simply have the number itself instead of the name
                                            // A bit hacky, but it works
                                            if (!int.TryParse(name, out int toIgnore))
                                            {
                                                rpcInfo += "-- Sneaky Name Found: " + name + Environment.NewLine;
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                    else // Count > 0
                    {
                        // The first line tells us whether we got a real listing or an rpcclient connection error.
                        string firstItem = enumdomusersList[0];
                        // NOTE(review): this condition is garbled in the listing ("******" replaced part of the original line).
                        if (firstItem.Contains("user:"******"rid:"))
                        {
                            // All is fine
                            if (enumdomusersList.Count >= 3)
                            {
                                Console.WriteLine("Found a lot of useful RPC info - Output may take a few seconds longer than expected");
                            }
                            rpcInfo = "- User Listing" + Environment.NewLine;
                            foreach (string user in enumdomusersList)
                            {
                                rpcInfo += QueryEnumDomUser(ip, user);
                            }
                            // 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
                            rpcInfo += "--> rpcclient -> setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
                        }
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_RESOURCE_NAME_NOT_FOUND")
                        {
                            rpcInfo = "- Cannot connect - Are you sure it's up?" + Environment.NewLine;
                        }
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_IO_TIMEOUT")
                        {
                            rpcInfo = "- Cannot connect - It timed out :<" + Environment.NewLine;
                        }
                        else if (firstItem == "Cannot connect to server.  Error was NT_STATUS_CONNECTION_DISCONNECTED")
                        {
                            rpcInfo = "- Cannot connect - It kicks you out instantly" + Environment.NewLine;
                        }
                        else
                        {
                            // Unrecognised output shape - dump it so the cause can be reported.
                            foreach (string item in enumdomusersList)
                            {
                                Console.WriteLine("Debug Info item: " + item);
                            }
                            rpcInfo = "- Unknown items in NETBIOS.GetRPCInfo - Bug Reelix (Check Debug Info Item output)" + Environment.NewLine;
                        }
                    }
                    // Summary line: whether any unauthenticated query returned data on this host.
                    if (anonAccess == true)
                    {
                        rpcInfo += "- " + $"Anonymous access permitted! -> rpcclient -U \"\"%\"\" {ip}".Pastel(Color.Orange) + Environment.NewLine;
                    }
                    else
                    {
                        rpcInfo += "- No anonymous RPC access" + Environment.NewLine;
                        // 23 -> https://room362.com/post/2017/reset-ad-user-password-with-linux/
                        rpcInfo += "-- If you get access -> enumdomusers / queryuser usernameHere / setuserinfo2 userNameHere 23 'newPasswordHere'" + Environment.NewLine;
                    }
                }
                else
                {
                    rpcInfo = "- Error: Cannot find /usr/bin/rpcclient - Please install smbclient (Includes it)".Pastel(Color.Red) + Environment.NewLine;
                }
            }
            else
            {
                rpcInfo = "- No RPC Info - Try run on Linux (rpcclient)" + Environment.NewLine;
            }
            return(rpcInfo);
        }
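        /// <summary>
        /// Enumerates the NFS exports advertised by <paramref name="target"/> with the platform's
        /// showmount and renders them as report lines: one "- " line per export, with a "--"
        /// mount hint on exports whose line contains " (everyone)".
        /// </summary>
        /// <param name="target">Host to query; passed to <c>showmount -e</c> unchanged.</param>
        /// <param name="port">Port the service was observed on. Not used by the enumeration itself.</param>
        /// <returns>
        /// The trimmed export listing; a single error/advice line when showmount is unavailable;
        /// or an empty string (after printing a message) when the OS is neither Windows nor Linux.
        /// </returns>
        public static string GetInfo(string target, int port)
        {
            // TODO: https://svn.nmap.org/nmap/scripts/nfs-ls.nse

            // NOTE(review): target is concatenated straight into the showmount argument string.
            // How General.GetProcessOutput tokenises that string (argv vs. a shell) is not visible
            // here - confirm against General before feeding it anything but operator-typed hosts.

            var os = General.GetOS();

            if (os == General.OS.Windows)
            {
                if (!File.Exists(@"C:\Windows\System32\showmount.exe"))
                {
                    return "- showmount does not exist - Bug Reelix to update this section for more compatibility";
                }

                List<string> outputLines = General.GetProcessOutput(@"C:\Windows\System32\showmount.exe", "-e " + target);
                if (outputLines.Count <= 1)
                {
                    // Nothing beyond the first line (presumably showmount's header) - no exports to report.
                    return "";
                }

                // The first line is skipped; the exports start after it.
                outputLines.RemoveAt(0);
                string fileList = "- Files:" + Environment.NewLine;
                foreach (string line in outputLines)
                {
                    fileList += "-- " + line + Environment.NewLine;
                }
                fileList  = fileList.Trim(Environment.NewLine.ToCharArray());
                fileList += Environment.NewLine + $"- To Mount --> mount \\\\{target}\\shareNameHere x:";
                return fileList;
            }

            if (os == General.OS.Linux)
            {
                if (!General.IsInstalledOnLinux("showmount", "/sbin/showmount"))
                {
                    // Fix: previously this fell through to return "", which callers could not tell
                    // apart from "showmount ran and found no exports". Report the missing tool instead.
                    return "- Error - showmount is not installed - Unable to enumerate! Run: sudo apt install nfs-common".Pastel(Color.Red);
                }

                string fileList = "";
                List<string> showmountOutput = General.GetProcessOutput("showmount", "-e " + target);
                foreach (string line in showmountOutput)
                {
                    if (line.Contains(" (everyone)"))
                    {
                        // Export is open to any client - highlight it and add the mount hint.
                        fileList += "- " + line.Pastel(Color.Orange) + Environment.NewLine;
                        fileList += "-- " + $"mount -t nfs -o vers=2 {target}:/mountNameHere /mnt".Pastel(Color.Orange) + Environment.NewLine;
                    }
                    else
                    {
                        fileList += "- " + line + Environment.NewLine;
                    }
                }
                // The commented-out WMI (Win32_OptionalFeature) probe that used to follow this
                // return was unreachable and has been dropped.
                return fileList.Trim(Environment.NewLine.ToCharArray());
            }

            Console.WriteLine("Error - OS Not Supportd - Bug Reelix");
            return "";
        }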