Crowbar

galkan · Oct 1, 2014 · 3283e5a · 3283e5a
1 parent c8a7317
commit 3283e5a
Show file tree

Hide file tree

Showing 7 changed files with 115 additions and 29 deletions.
diff --git a/lib/core/__init__.py b/lib/core/__init__.py
diff --git a/lib/common.py → lib/core/common.py b/lib/common.py → lib/core/common.py
diff --git a/lib/iprange.py → lib/core/iprange.py b/lib/iprange.py → lib/core/iprange.py
@@ -1,12 +1,12 @@
 
 try:
+ import re
+ import sys
  import socket 
  import struct
+except ImportError,err:
  import sys
- import re
-except ImportError,e:
- import sys
- sys.stdout.write("%s\n" %e)
+ sys.stdout.write("%s\n" %err)
  sys.exit(14)
 
 

diff --git a/lib/logger.py → lib/core/logger.py b/lib/logger.py → lib/core/logger.py
@@ -10,7 +10,7 @@
 
 class Logger:
 
- def __init__(self, log_file, output_file):
+ def __init__(self, log_file, output_file, opt = None):
 
 
  self.logger_log = logging.getLogger('log_file')
@@ -22,6 +22,11 @@ def __init__(self, log_file, output_file):
  handler_log.setFormatter(formatter)
  self.logger_log.addHandler(handler_log)
 
+ if opt is not None:
+ consolelogHandler = logging.StreamHandler()
+ consolelogHandler.setFormatter(formatter)
+ self.logger_log.addHandler(consolelogHandler)
+
 
  self.logger_output = logging.getLogger('output_file')
  self.logger_output.setLevel(logging.INFO)

diff --git a/lib/threadpool.py → lib/core/threadpool.py b/lib/threadpool.py → lib/core/threadpool.py
diff --git a/lib/main.py b/lib/main.py
@@ -9,13 +9,14 @@
  import argparse
  import tempfile
  import subprocess
- from lib.common import *
- from lib.logger import Logger
- from lib.threadpool import ThreadPool
- from lib.iprange import IpRange,InvalidIPAddress
-except ImportError,e:
+ from lib.nmap import Nmap
+ from lib.core.common import *
+ from lib.core.logger import Logger
+ from lib.core.threadpool import ThreadPool
+ from lib.core.iprange import IpRange,InvalidIPAddress
+except ImportError,err:
  import sys
- sys.stdout.write("%s\n" %e)
+ sys.stdout.write("%s\n" %err)
  sys.exit(1)
 
 
@@ -74,6 +75,8 @@ def __call__(self, parser, args, values, option = None):
 
 
 class Main:
+
+ is_success = 0
 
  def __init__(self):
 
@@ -110,6 +113,8 @@ def __init__(self):
  parser.add_argument('-p', '--port', dest = 'port', action = 'store', help = 'Service Port Number', type = int) 
  parser.add_argument('-k', '--key', dest = 'key_file', action = 'store', help = 'Key File')
  parser.add_argument('-m', '--config', dest = 'config', action = 'store', help = 'Configuration File')
+ parser.add_argument('-d', '--discover', dest = 'discover', action = 'store_true', help = '', default = None)
+ parser.add_argument('-v', '--verbose', dest = 'verbose', action = 'store_true', help = '', default = None)
 
  parser.add_argument('options', nargs = '*', action = AddressAction)
 
@@ -121,9 +126,12 @@ def __init__(self):
 
 
  self.ip_list = []
- iprange = IpRange()
 
- try:
+ if self.args.discover:
+ self.nmap = Nmap()
+ else:
+ iprange = IpRange()
+ try:
  if self.args.server is not None:
  for _ in self.args.server.split(","):
  for ip in iprange.iprange(_):
@@ -133,14 +141,18 @@ def __init__(self):
  for ip in iprange.iprange(_):
  if not ip in self.ip_list:
  self.ip_list.append(ip)
- except IOError: 
+  except IOError: 
  print >> sys.stderr, "File: %s cannot be opened !!!"% self.args.server_file
  sys.exit(1)
- except:
+  except:
  print >> sys.stderr, "InvalidIPAddress !!! Please try to use IP/CIDR notation <192.168.37.37/32, 192.168.1.0/24>"
  sys.exit(1)
-
- self.logger = Logger(self.args.log_file, self.args.output)
+
+ if self.args.verbose:
+ self.logger = Logger(self.args.log_file, self.args.output, True)
+ else:
+ self.logger = Logger(self.args.log_file, self.args.output)
+
  self.logger.log_file("START")
 
 
@@ -153,12 +165,13 @@ def openvpnlogin(self, host, username, password, brute_file, port):
  openvpn_cmd = "%s --config %s --auth-user-pass %s --remote %s %s"% (self.openvpn_path, self.args.config, brute_file_name, host, port)
  proc = subprocess.Popen(shlex.split(openvpn_cmd), shell=False, stdout = subprocess.PIPE, stderr = subprocess.PIPE)
 
- brute = "LOG: OPENVPN: " + host + ":" + username + ":" + password + ":" + brute_file_name
+ brute = "LOG-OPENVPN: " + host + ":" + username + ":" + password + ":" + brute_file_name
  self.logger.log_file(brute)
  for line in iter(proc.stdout.readline, ''):
  if re.search(self.vpn_success, line):
- result = bcolors.OKGREEN + "VPN-SUCCESS: " + bcolors.ENDC + bcolors.OKBLUE + host + "," + username + "," + password + bcolors.ENDC
+ result = bcolors.OKGREEN + "VPN-SUCCESS: " + bcolors.ENDC + bcolors.OKBLUE + host + " - " + username + ":" + password + bcolors.ENDC
  self.logger.output_file(result)
+ Main.is_success = 1
  os.kill(proc.pid, signal.SIGQUIT)
 
  brute_file.close()
@@ -177,6 +190,11 @@ def openvpn(self):
  port = self.args.port
 
 
+ if self.args.discover:
+ result = self.nmap.port_scan(self.args.server, port)
+ self.ip_list = result
+
+
  try:
  pool = ThreadPool(int(self.args.thread))
  except Exception, err:
@@ -224,13 +242,14 @@ def vnclogin(self, ip, port, passwd_file):
  vnc_cmd = "%s -passwd %s %s:%s"% (self.vncviewer_path, passwd_file, ip, port)
  proc = subprocess.Popen(shlex.split(vnc_cmd), shell=False, stdout = subprocess.PIPE, stderr = subprocess.PIPE) 
 
- brute = "LOG: VNC: " + ip + ":" + str(port) + ":" + passwd_file
+ brute = "LOG-VNC: " + ip + ":" + str(port) + ":" + passwd_file
  self.logger.log_file(brute)
  for line in iter(proc.stderr.readline, ''):
  if re.search(self.vnc_success, line):
  os.kill(proc.pid, signal.SIGQUIT)
- result = bcolors.OKGREEN + "VNC-SUCCESS: " + bcolors.ENDC + bcolors.OKBLUE + ip + "," + str(port) + "," + passwd_file + bcolors.ENDC
+ result = bcolors.OKGREEN + "VNC-SUCCESS: " + bcolors.ENDC + bcolors.OKBLUE + ip + ":" + str(port) + " - " + passwd_file + bcolors.ENDC
  self.logger.output_file(result)
+ Main.is_success = 1
  break
 
 
@@ -244,7 +263,11 @@ def vnckey(self, *options):
 
  if self.args.port is not None:
  port = self.args.port
-
+
+ if self.args.discover:
+ result = self.nmap.port_scan(self.args.server, port)
+ self.ip_list = result
+
  if not os.path.isfile(self.args.passwd_file):
  print >> sys.stderr, "Password file doesn't exists !!!"
  sys.exit(1) 
@@ -271,8 +294,9 @@ def rdplogin(self, ip, user, password, port):
  self.logger.log_file(brute)
  for line in iter(proc.stderr.readline, ''):
  if re.search(self.rdp_success, line):
- result = bcolors.OKGREEN + "RDP-SUCCESS : " + bcolors.ENDC + bcolors.OKBLUE + ip + "," + user + "," + password + "," + str(port) + bcolors.ENDC
- self.logger.output_file(result) 
+ result = bcolors.OKGREEN + "RDP-SUCCESS : " + bcolors.ENDC + bcolors.OKBLUE + ip + ":" + str(port) + " - " + user + ":" + password + "," + bcolors.ENDC
+ self.logger.output_file(result)
+ Main.is_success = 1
  break
  elif re.search(self.rdp_display_error, line):
  print >> sys.stderr, "Please check \$DISPLAY is properly set. See readme %s"% self.crowbar_readme
@@ -290,6 +314,9 @@ def rdp(self):
  if self.args.port is not None:
  port = self.args.port
 
+ if self.args.discover:
+ result = self.nmap.port_scan(self.args.server, port)
+ self.ip_list = result
 
  try: 
  pool = ThreadPool(int(self.args.thread))
@@ -326,24 +353,29 @@ def sshlogin(self, ip, port, user, keyfile, timeout):
  except:
  pass
  else:
- brute = "LOG-SSH : " + ip + ":" + str(port) + ":" + user + ":" + keyfile + ":" + str(timeout)
+ brute = "LOG-SSH: " + ip + ":" + str(port) + ":" + user + ":" + keyfile + ":" + str(timeout)
  self.logger.log_file(brute)
 
  try:
  ssh.connect(ip, port, username = user, password = None, pkey = None, key_filename = keyfile, timeout = timeout, allow_agent = False, look_for_keys = False)
- result = bcolors.OKGREEN + "SUCCESS-SSH : " + bcolors.ENDC + bcolors.OKBLUE + ip + "," + str(port) + "," + user + "," + keyfile + bcolors.ENDC
+ result = bcolors.OKGREEN + "SSH-SUCCESS : " + bcolors.ENDC + bcolors.OKBLUE + ip + ":" + str(port) + " - " + user + ":" + keyfile + bcolors.ENDC
  self.logger.output_file(result)
+ Main.is_success = 1
  except:
  pass
 
 
  def sshkey(self):
 
  port = 22
-  
+
  if self.args.port is not None:
  port = self.args.port
 
+ if self.args.discover:
+ result = self.nmap.port_scan(self.args.server, port)
+ self.ip_list = result
+
  try:
  pool = ThreadPool(self.args.thread)
  except Exception, err:
@@ -383,8 +415,11 @@ def run(self, brute_type):
  else:
  self.services[brute_type]()
  self.logger.log_file("STOP")
-
-
+
+ if Main.is_success == 0:
+ print "No result is found ..."
+
+
  def signal_handler(self, signal, frame):
 
  print('Exit ...')

diff --git a/lib/nmap.py b/lib/nmap.py
@@ -0,0 +1,46 @@
+try:
+ import re
+ import os 
+ import sys 
+ import tempfile
+ import subprocess
+except ImportError, err:
+ import sys
+ sys.stdout.write("%s\n" %err)
+ sys.exit(1)
+
+
+class Nmap:
+
+
+ def __init__(self):
+
+ self.nmap_path = "/usr/bin/nmap"
+
+ if not os.path.exists(self.nmap_path):
+ print >> sys.stderr, "File: %s doesn't exists !!!"% self.nmap_path
+ sys.exit(1)
+
+
+ def port_scan(self, ip_list, port): 
+
+ result = []
+ open_port = re.compile("Host:\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\(\)\s+Ports:\s+%s"% port)
+
+ tmpfile = tempfile.NamedTemporaryFile(mode = 'w+t')
+ tmpfile_name = tmpfile.name
+
+ nmap_scan_option = "-n -Pn -T4 -sS %s --open -p %s --host-timeout=10m --max-rtt-timeout=600ms --initial-rtt-timeout=300ms --min-rtt-timeout=300ms --max-retries=2 --min-rate=150 -oG %s"% (ip_list, port, tmpfile_name)
+ run_nmap = "%s %s"% (self.nmap_path, nmap_scan_option)
+
+ proc = subprocess.Popen([run_nmap], shell = True, stdout = subprocess.PIPE,)
+ stdout_value = str(proc.communicate())
+
+ for line in open(tmpfile_name,"r"):
+ if re.search(open_port, line):
+ ip = line[:-1].split(" ")[1]
+ result.append(ip)
+
+ return result 
+
+