From eb7ac4b4ba78c99bcfd4f537147e826832fc1de8 Mon Sep 17 00:00:00 2001
From: lanjelot
Date: Tue, 21 Jul 2020 20:39:46 +1000
Subject: [PATCH] Fix #138 to add dcom_login module
---
patator.py | 37 ++++++++++++++++++++++++++++++++++++-
run-tests.sh | 5 +++++
testing/unix/Dockerfile | 1 -
3 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/patator.py b/patator.py
index ed4eb80..18f2abe 100755
--- a/patator.py
+++ b/patator.py
@@ -47,6 +47,7 @@ + pop_passd : Brute-force poppassd (http://netwinsite.com/poppassd/) + imap_login : Brute-force IMAP4 + ldap_login : Brute-force LDAP + + dcom_login : Brute-force DCOM + smb_login : Brute-force SMB + smb_lookupsid : Brute-force SMB SID-lookup + rlogin_login : Brute-force rlogin
@@ -2856,6 +2857,39 @@ def execute(self, host, port='79', user='', timeout='5'):
 resp.lines = [l.strip('\r\n') for l in mesg.split('\n')]
 return resp
+# }}}
+
+# DCOM {{{
+from impacket.dcerpc.v5.dcomrt import DCOMConnection
+from impacket.dcerpc.v5.dcom import wmi
+
+class DCOM_login:
+ '''Brute-force DCOM'''
+
+ usage_hints = (
+ """%prog host=10.0.0.1 user='admin' password=FILE0 0=passwords.txt""",
+ )
+
+ available_options = (
+ ('host', 'target host'),
+ ('user', 'usernames to test'),
+ ('password', 'passwords to test'),
+ ('domain', 'domains to test'),
+ )
+ available_actions = ()
+
+ Response = Response_Base
+
+ def execute(self, host, user='', password='', domain=''):
+ dcom = DCOMConnection(host, user, password, domain)
+ try:
+ with Timing() as timing:
+ iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
+ code, mesg = 0, 'OK'
+ except Exception as e:
+ code, mesg = 1, e.error_string
+ dcom.disconnect()
+ return self.Response(code, mesg, timing)
 # }}}
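Review bot: The `except Exception as e` handler in DCOM_login.execute reads `e.error_string`, which as far as I can tell only impacket's DCERPC exception classes carry; a socket timeout or connection-refused error surfacing from `CoCreateInstanceEx` would raise AttributeError inside the handler instead of yielding a failed Response. Separately, `DCOMConnection(host, user, password, domain)` is constructed before the `try`, so an error there skips `dcom.disconnect()`, and the unconditional `dcom.disconnect()` after the try/except is also skipped whenever the handler itself raises. Moving the connection inside the `try`, releasing it in `finally`, and falling back to `str(e)` when `error_string` is absent keeps the per-attempt bookkeeping consistent with the `Response(code, mesg, timing)` contract the other modules use; the unused `iInterface` binding can be dropped at the same time. The two context lines at the top of this hunk close an `execute` whose body starts before the hunk.
```python
  def execute(self, host, user='', password='', domain=''):
    dcom = None
    try:
      with Timing() as timing:
        dcom = DCOMConnection(host, user, password, domain)
        dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
      code, mesg = 0, 'OK'
    except Exception as e:
      # impacket's DCERPC errors expose error_string; socket/timeout errors do not
      code, mesg = 1, getattr(e, 'error_string', None) or str(e)
    finally:
      if dcom is not None:
        dcom.disconnect()
    return self.Response(code, mesg, timing)
```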
@@ -5077,6 +5111,7 @@ def execute(self, data, data2='', delay='1'):
 ('pop_passd', (Controller, POP_passd)),
 ('imap_login', (Controller, IMAP_login)),
 ('ldap_login', (Controller, LDAP_login)),
+ ('dcom_login', (Controller, DCOM_login)),
 ('smb_login', (Controller, SMB_login)),
 ('smb_lookupsid', (Controller, SMB_lookupsid)),
 ('rlogin_login', (Controller, Rlogin_login)),
@@ -5109,7 +5144,7 @@ def execute(self, data, data2='', delay='1'):
 'libcurl': [('http_fuzz', 'rdp_gateway'), 'https://curl.haxx.se/', '7.58.0'],
 'ajpy': [('ajp_fuzz',), 'https://github.com/hypn0s/AJPy/', '0.0.4'],
 'openldap': [('ldap_login',), 'http://www.openldap.org/', '2.4.45'],
- 'impacket': [('smb_login', 'smb_lookupsid', 'mssql_login'), 'https://github.com/CoreSecurity/impacket', '0.9.20'],
+ 'impacket': [('smb_login', 'smb_lookupsid', 'dcom_login', 'mssql_login'), 'https://github.com/CoreSecurity/impacket', '0.9.20'],
 'pyopenssl': [('mssql_login',), 'https://pyopenssl.org/', '19.1.0'],
 'cx_Oracle': [('oracle_login',), 'http://cx-oracle.sourceforge.net/', '7.3.0'],
 'mysqlclient': [('mysql_login',), 'https://github.com/PyMySQL/mysqlclient-python', '1.4.6'],
diff --git a/run-tests.sh b/run-tests.sh
index 1ba355a..39f419a 100755
--- a/run-tests.sh
+++ b/run-tests.sh
@@ -1,5 +1,10 @@
 #!/bin/bash +if ! type docker-compose 2>/dev/null; then + echo 'docker-compose is required' + exit 1 +fi + case "$1" in python2|python3) PYTHON=$1
diff --git a/testing/unix/Dockerfile b/testing/unix/Dockerfile
index 6778ab8..d4c1d6a 100644
--- a/testing/unix/Dockerfile
+++ b/testing/unix/Dockerfile
@@ -112,7 +112,6 @@ socat tcp-l:4444,fork,reuseaddr exec:\"echo -e 'W\xe1\xc0me'\" &\n\ cp -v /root/enc.zip /root/keystore.jks /root/enc.db /root/umbraco_users.pw /opt/patator/\n\ su - vncuser -c 'vncserver -rfbport 5900'\n\ service smbd start\n\ -touch /opt/patator/.all-started\n\ tail -f /dev/null\n" > /usr/local/sbin/start-all-services.sh CMD ["bash", "/usr/local/sbin/start-all-services.sh"]
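Review bot: In the run-tests.sh hunk, `type docker-compose 2>/dev/null` only silences stderr, so when the tool is present its resolved path is printed to stdout at the start of every test run. Redirecting both streams keeps the guard quiet, `if ! command -v docker-compose >/dev/null 2>&1; then`, and sending the failure message to stderr, `echo 'docker-compose is required' >&2`, follows the usual convention for diagnostics. The dispatch-table and dependency-table hunks above register dcom_login consistently with the neighbouring entries and need nothing further.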