Archives
/
patator
mirror of https://github.com/lanjelot/patator
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

new vmauthd_login module

Browse Source
pull/4/merge
lanjelot 12 years ago
parent 5ef1281611
commit f58e7afe10
1 changed files with 114 additions and 46 deletions
Show Stats Download Patch File Download Diff File

160
patator.py
Unescape Escape View File

@ -44,6 +44,7 @@ Currently it supports the following modules:
- ldap_login : Brute-force LDAP - ldap_login : Brute-force LDAP
- smb_login : Brute-force SMB - smb_login : Brute-force SMB
- smb_lookupsid : Brute-force SMB SID-lookup - smb_lookupsid : Brute-force SMB SID-lookup
- vmauthd_login : Brute-force VMware Authentication Daemon
- mssql_login : Brute-force MSSQL - mssql_login : Brute-force MSSQL
- oracle_login : Brute-force Oracle - oracle_login : Brute-force Oracle
- mysql_login : Brute-force MySQL - mysql_login : Brute-force MySQL
@ -234,7 +235,7 @@ instance. A failure is actually an exception that the module does not expect,
and as a result the exception is caught upstream by the controller. and as a result the exception is caught upstream by the controller.
Such exceptions, or failures, are not immediately reported to the user, the Such exceptions, or failures, are not immediately reported to the user, the
controller will try 5 more times before reporting the failed payload with the controller will try 4 more times before reporting the failed payload with the
code "xxx" (--max-retries defaults to 5). code "xxx" (--max-retries defaults to 5).
@ -2233,38 +2234,6 @@ class POP_login(TCP_Cache):
code, mesg = resp.split(' ', 1) code, mesg = resp.split(' ', 1)
return self.Response(code, mesg) return self.Response(code, mesg)
class Passd_Error(Exception): pass
class Passd:
def connect(self, host, port):
self.fp = socket.create_connection((host, port))
return self.getresp() # welcome banner
def close(self):
self.fp.close()
def sendcmd(self, cmd):
self.fp.sendall(cmd + '\r\n')
return self.getresp()
def getresp(self):
resp = self.fp.recv(1024)
while not resp.endswith('\r\n'):
resp += self.fp.recv(1024)
code, _ = self.unparse(resp)
if not code.startswith('2'):
raise Passd_Error(resp)
return resp
def unparse(self, resp):
i = resp.rstrip().rfind('\n') + 1
code = resp[i:i+3]
mesg = resp[i+4:]
return code, mesg
class POP_passd: class POP_passd:
'''Brute-force poppassd (http://netwinsite.com/poppassd/)''' '''Brute-force poppassd (http://netwinsite.com/poppassd/)'''
@ -2277,36 +2246,37 @@ class POP_passd:
('port', 'ports to target [106]'), ('port', 'ports to target [106]'),
('user', 'usernames to test'), ('user', 'usernames to test'),
('password', 'passwords to test'), ('password', 'passwords to test'),
('timeout', 'seconds to wait for a response [10]'),
) )
available_actions = () available_actions = ()
Response = Response_Base Response = Response_Base
def execute(self, host, port='106', user=None, password=None): def execute(self, host, port='106', user=None, password=None, timeout='10'):
fp = Passd() fp = LineReceiver()
resp = fp.connect(host, int(port)) resp = fp.connect(host, int(port), int(timeout))
trace = resp trace = resp + '\r\n'
try: try:
if user is not None: if user is not None:
cmd = 'user %s' % user cmd = 'USER %s' % user
resp = fp.sendcmd(cmd) resp = fp.sendcmd(cmd)
trace += '\r\n'.join((cmd, resp)) trace += '%s\r\n%s\r\n' % (cmd, resp)
if password is not None: if password is not None:
cmd = 'pass %s' % password cmd = 'PASS %s' % password
resp = fp.sendcmd(cmd) resp = fp.sendcmd(cmd)
trace += '\r\n'.join((cmd, resp)) trace += '%s\r\n%s\r\n' % (cmd, resp)
except Passd_Error as e: except LineReceiver_Error as e:
resp = str(e) resp = str(e)
logger.debug('Passd_Error: %s' % resp) logger.debug('LineReceiver_Error: %s' % resp)
trace += '\r\n'.join((cmd, resp)) trace += '%s\r\n%s\r\n' % (cmd, resp)
finally: finally:
fp.close() fp.close()
code, mesg = fp.unparse(resp) code, mesg = fp.parse(resp)
return self.Response(code, mesg, trace) return self.Response(code, mesg, trace)
# }}} # }}}
@ -2354,6 +2324,103 @@ class IMAP_login:
# }}} # }}}
# VMauthd {{{
from ssl import wrap_socket
class LineReceiver_Error(Exception): pass
class LineReceiver:
def connect(self, host, port, timeout, ssl=False):
self.sock = socket.create_connection((host, port), timeout)
banner = self.getresp()
if ssl:
self.sock = wrap_socket(self.sock)
return banner # welcome banner
def close(self):
self.sock.close()
def sendcmd(self, cmd):
self.sock.sendall(cmd + '\r\n')
return self.getresp()
def getresp(self):
resp = self.sock.recv(1024)
while not resp.endswith('\n'):
resp += self.sock.recv(1024)
resp = resp.rstrip()
code, _ = self.parse(resp)
if not code.isdigit():
raise Exception('Unexpected response: %s' % resp)
if code[0] not in ('1', '2', '3'):
raise LineReceiver_Error(resp)
return resp
def parse(self, resp):
i = resp.rfind('\n') + 1
code = resp[i:i+3]
mesg = resp[i+4:]
return code, mesg
class VMauthd_login(TCP_Cache):
'''Brute-force VMware Authentication Daemon'''
usage_hints = (
'''%prog host=10.0.0.1 user=root password=FILE0 0=passwords.txt''',
)
available_options = (
('host', 'hostnames or subnets to target'),
('port', 'ports to target [902]'),
('user', 'usernames to test'),
('password', 'passwords to test'),
('ssl', 'use SSL [1|0]'),
('timeout', 'seconds to wait for a response [10]'),
)
available_options += TCP_Cache.available_options
Response = Response_Base
def connect(self, host, port, ssl, timeout):
fp = LineReceiver()
banner = fp.connect(host, int(port), int(timeout), ssl != '0')
return TCP_Connection(fp, banner)
def execute(self, host, port='902', user=None, password=None, ssl='1', timeout='10', persistent='1'):
fp, resp = self.bind(host, port, ssl, timeout=timeout)
trace = resp + '\r\n'
try:
if user is not None:
cmd = 'USER %s' % user
resp = fp.sendcmd(cmd)
trace += '%s\r\n%s\r\n' % (cmd, resp)
if password is not None:
cmd = 'PASS %s' % password
resp = fp.sendcmd(cmd)
trace += '%s\r\n%s\r\n' % (cmd, resp)
except LineReceiver_Error as e:
resp = str(e)
logger.debug('LineReceiver_Error: %s' % resp)
trace += '%s\r\n%s\r\n' % (cmd, resp)
if persistent == '0':
self.reset()
code, mesg = fp.parse(resp)
return self.Response(code, mesg, trace)
# }}}
# MySQL {{{ # MySQL {{{
try: try:
import _mysql import _mysql
@ -3383,6 +3450,7 @@ modules = [
('ldap_login', (Controller, LDAP_login)), ('ldap_login', (Controller, LDAP_login)),
('smb_login', (Controller, SMB_login)), ('smb_login', (Controller, SMB_login)),
('smb_lookupsid', (Controller, SMB_lookupsid)), ('smb_lookupsid', (Controller, SMB_lookupsid)),
('vmauthd_login', (Controller, VMauthd_login)),
('mssql_login', (Controller, MSSQL_login)), ('mssql_login', (Controller, MSSQL_login)),
('oracle_login', (Controller, Oracle_login)), ('oracle_login', (Controller, Oracle_login)),
('mysql_login', (Controller, MySQL_login)), ('mysql_login', (Controller, MySQL_login)),

Write Preview
Loading…
Cancel
Save