Merge branch 'p0dalirius:master' into ntlm-scan

Author: AdrianVollmer

LICENSE

@@ -17,9 +17,9 @@ install: build
 
 build:
 	python3 -m pip uninstall coercer --yes --break-system-packages
-	pip install .[build] --break-system-packages
+	python3 -m pip install .[build] --break-system-packages
 	python3 -m build --wheel
 
 upload: build
-	pip install .[twine] --break-system-packages
-	twine upload dist/*
+	python3 -m pip install .[twine] --break-system-packages
+	python3 -m twine upload dist/*

Makefile

@@ -8,7 +8,8 @@
 import argparse
 import os
 import sys
-
+from sectools.network.domains import is_fqdn
+from sectools.network.ip import is_ipv4_cidr, is_ipv4_addr, is_ipv6_addr, expand_cidr, expand_port_range
 from coercer.core.Reporter import Reporter
 from coercer.structures.Credentials import Credentials
 from coercer.core.modes.scan import action_scan
@@ -187,7 +188,38 @@ def main():
             print("[!] Could not open targets file '%s'." % options.targets_file)
             sys.exit(0)
 
-    credentials = Credentials(username=options.username, password=options.password, domain=options.domain, lmhash=lmhash, nthash=nthash)
+    # Sort uniq on targets list
+    targets = sorted(list(set(targets)))
+
+    final_targets = []
+    # Parsing target to filter IP/DNS/CIDR
+    for target in targets:
+        if is_ipv4_cidr(target):
+            final_targets += [ip for ip in expand_cidr(target)]
+        elif is_ipv4_addr(target):
+            final_targets.append(target)
+        elif is_ipv6_addr(target):
+            final_targets.append(target)
+        elif is_fqdn(target):
+            final_targets.append(target)
+        elif target.startswith("http://") or target.startswith("https://"):
+            import urllib.parse
+            target = urllib.parse.urlparse(target).netloc
+            final_targets.append(target)
+        else:
+            if options.debug:
+                print("[debug] Target '%s' was not added." % target)
+    
+    # Sort 
+    targets = sorted(list(set(final_targets)))
+
+    credentials = Credentials(
+        username=options.username, 
+        password=options.password, 
+        domain=options.domain, 
+        lmhash=lmhash, 
+        nthash=nthash
+    )
 
     # Processing actions
     if options.mode == "coerce":
@@ -214,13 +246,14 @@ def main():
                 if not "msrpc" in options.filter_transport_name or try_login(credentials, target, verbose=options.verbose):
                     # Starting action
                     action_scan(target, available_methods, options, credentials, reporter)
-                    # Reporting results
-                    if options.export_json is not None:
-                        reporter.exportJSON(options.export_json)
-                    if options.export_xlsx is not None:
-                        reporter.exportXLSX(options.export_xlsx)
-                    if options.export_sqlite is not None:
-                        reporter.exportSQLITE(target, options.export_sqlite)
+
+            # Reporting results
+            if options.export_json is not None:
+                reporter.exportJSON(options.export_json)
+            if options.export_xlsx is not None:
+                reporter.exportXLSX(options.export_xlsx)
+            if options.export_sqlite is not None:
+                reporter.exportSQLITE(options.export_sqlite)
 
     elif options.mode == "fuzz":
         reporter.print_info("Starting fuzz mode")
@@ -235,13 +268,14 @@ def main():
                 if not "msrpc" in options.filter_transport_name or try_login(credentials, target, verbose=options.verbose):
                     # Starting action
                     action_fuzz(target, available_methods, options, credentials, reporter)
-                    # Reporting results
-                    if options.export_json is not None:
-                        reporter.exportJSON(options.export_json)
-                    if options.export_xlsx is not None:
-                        reporter.exportXLSX(options.export_xlsx)
-                    if options.export_sqlite is not None:
-                        reporter.exportSQLITE(target, options.export_sqlite)
+
+            # Reporting results
+            if options.export_json is not None:
+                reporter.exportJSON(options.export_json)
+            if options.export_xlsx is not None:
+                reporter.exportXLSX(options.export_xlsx)
+            if options.export_sqlite is not None:
+                reporter.exportSQLITE(options.export_sqlite)
 
     print("[+] All done! Bye Bye!")
 

coercer/__main__.py

@@ -43,19 +43,21 @@ def print_warn(self, message):
     def print_verbose(self, message):
         print("[debug]",message)
 
-    def report_test_result(self, uuid, version, namedpipe, msprotocol_rpc_instance, result, exploitpath):
+    def report_test_result(self, target, uuid, version, namedpipe, msprotocol_rpc_instance, result, exploitpath):
         function_name = msprotocol_rpc_instance.function["name"]
-        if uuid not in self.test_results.keys():
-            self.test_results[uuid] = {}
-        if version not in self.test_results[uuid].keys():
-            self.test_results[uuid][version] = {}
-        if function_name not in self.test_results[uuid][version].keys():
-            self.test_results[uuid][version][function_name] = {}
-        if namedpipe not in self.test_results[uuid][version][function_name].keys():
-            self.test_results[uuid][version][function_name][namedpipe] = []
+        if target not in self.test_results.keys():
+            self.test_results[target] = {}
+        if uuid not in self.test_results[target].keys():
+            self.test_results[target][uuid] = {}
+        if version not in self.test_results[target][uuid].keys():
+            self.test_results[target][uuid][version] = {}
+        if function_name not in self.test_results[target][uuid][version].keys():
+            self.test_results[target][uuid][version][function_name] = {}
+        if namedpipe not in self.test_results[target][uuid][version][function_name].keys():
+            self.test_results[target][uuid][version][function_name][namedpipe] = []
 
         # Save result to database
-        self.test_results[uuid][version][function_name][namedpipe].append({
+        self.test_results[target][uuid][version][function_name][namedpipe].append({
             "function": msprotocol_rpc_instance.function,
             "protocol": msprotocol_rpc_instance.protocol,
             "testresult": result.name,
@@ -102,21 +104,22 @@ def exportXLSX(self, filename):
         worksheet = workbook.add_worksheet()
 
         header_format = workbook.add_format({'bold': 1})
-        header_fields = ["Interface UUID", "Interface version", "SMB named pipe", "Protocol long name", "Protocol short name", "RPC function name", "Operation number", "Result", "Working path"]
+        header_fields = ["Target", "Interface UUID", "Interface version", "SMB named pipe", "Protocol long name", "Protocol short name", "RPC function name", "Operation number", "Result", "Working path"]
         for k in range(len(header_fields)):
             worksheet.set_column(k, k + 1, len(header_fields[k]) + 3)
         worksheet.set_row(0, 60, header_format)
         worksheet.write_row(0, 0, header_fields)
 
         row_id = 1
-        for uuid in self.test_results.keys():
-            for version in self.test_results[uuid].keys():
-                for function_name in self.test_results[uuid][version].keys():
-                    for namedpipe in self.test_results[uuid][version][function_name].keys():
-                        for test_result in self.test_results[uuid][version][function_name][namedpipe]:
-                            data = [uuid, version, namedpipe, test_result["protocol"]["longname"], test_result["protocol"]["shortname"], test_result["function"]["name"], test_result["function"]["opnum"], test_result["testresult"], test_result["exploitpath"]]
-                            worksheet.write_row(row_id, 0, data)
-                            row_id += 1
+        for target in self.test_results.keys():
+            for uuid in self.test_results[target].keys():
+                for version in self.test_results[target][uuid].keys():
+                    for function_name in self.test_results[target][uuid][version].keys():
+                        for namedpipe in self.test_results[target][uuid][version][function_name].keys():
+                            for test_result in self.test_results[target][uuid][version][function_name][namedpipe]:
+                                data = [target, uuid, version, namedpipe, test_result["protocol"]["longname"], test_result["protocol"]["shortname"], test_result["function"]["name"], test_result["function"]["opnum"], test_result["testresult"], test_result["exploitpath"]]
+                                worksheet.write_row(row_id, 0, data)
+                                row_id += 1
         worksheet.autofilter(0, 0, row_id, len(header_fields) - 1)
         workbook.close()
         self.print_info("Results exported to XLSX in '%s'" % path_to_file)
@@ -136,7 +139,7 @@ def exportJSON(self, filename):
         f.close()
         self.print_info("Results exported to JSON in '%s'" % path_to_file)
 
-    def exportSQLITE(self, target, filename):
+    def exportSQLITE(self, filename):
         basepath = os.path.dirname(filename)
         filename = os.path.basename(filename)
         if basepath not in [".", ""]:
@@ -151,23 +154,25 @@ def exportSQLITE(self, target, filename):
         # Creating a cursor object using the cursor() method
         cursor = conn.cursor()
         cursor.execute("CREATE TABLE IF NOT EXISTS results(target VARCHAR(255), uuid VARCHAR(255), version VARCHAR(255), named_pipe VARCHAR(255), protocol_shortname VARCHAR(255), protocol_longname VARCHAR(512), function_name VARCHAR(255), result VARCHAR(255), path VARCHAR(512));")
-        for uuid in self.test_results.keys():
-            for version in self.test_results[uuid].keys():
-                for function_name in self.test_results[uuid][version].keys():
-                    for named_pipe in self.test_results[uuid][version][function_name].keys():
-                        for test_result in self.test_results[uuid][version][function_name][named_pipe]:
-                            cursor.execute("INSERT INTO results VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)", (
-                                    target,
-                                    uuid,
-                                    version,
-                                    named_pipe,
-                                    test_result["protocol"]["shortname"],
-                                    test_result["protocol"]["longname"],
-                                    function_name,
-                                    test_result["testresult"],
-                                    str(bytes(test_result["exploitpath"], 'utf-8'))[2:-1].replace('\\\\', '\\')
+        cursor.execute("DELETE FROM results;")
+        for target in self.test_results.keys():
+            for uuid in self.test_results[target].keys():
+                for version in self.test_results[target][uuid].keys():
+                    for function_name in self.test_results[target][uuid][version].keys():
+                        for named_pipe in self.test_results[target][uuid][version][function_name].keys():
+                            for test_result in self.test_results[target][uuid][version][function_name][named_pipe]:
+                                cursor.execute("INSERT INTO results VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)", (
+                                        target,
+                                        uuid,
+                                        version,
+                                        named_pipe,
+                                        test_result["protocol"]["shortname"],
+                                        test_result["protocol"]["longname"],
+                                        function_name,
+                                        test_result["testresult"],
+                                        str(bytes(test_result["exploitpath"], 'utf-8'))[2:-1].replace('\\\\', '\\')
+                                    )
                                 )
-                            )
         # Commit your changes in the database
         conn.commit()
         # Closing the connection

coercer/core/Reporter.py

@@ -127,6 +127,7 @@ def action_coerce(target, available_methods, options, credentials, reporter):
                                             )
 
                                             reporter.report_test_result(
+                                                target=target,
                                                 uuid=uuid, version=version, namedpipe="",
                                                 msprotocol_rpc_instance=msprotocol_rpc_instance,
                                                 result=result,
@@ -201,6 +202,7 @@ def action_coerce(target, available_methods, options, credentials, reporter):
                                             )
 
                                             reporter.report_test_result(
+                                                target=target,
                                                 uuid=uuid, version=version, namedpipe=namedpipe,
                                                 msprotocol_rpc_instance=msprotocol_rpc_instance,
                                                 result=result,

coercer/core/modes/coerce.py

@@ -177,6 +177,7 @@ def action_fuzz(target, available_methods, options, credentials, reporter):
                                             )
 
                                             reporter.report_test_result(
+                                                target=target,
                                                 uuid=uuid, version=version, namedpipe=namedpipe,
                                                 msprotocol_rpc_instance=msprotocol_rpc_instance,
                                                 result=result,
@@ -247,6 +248,7 @@ def action_fuzz(target, available_methods, options, credentials, reporter):
                                             )
 
                                             reporter.report_test_result(
+                                                target=target,
                                                 uuid=uuid, version=version, namedpipe=namedpipe,
                                                 msprotocol_rpc_instance=msprotocol_rpc_instance,
                                                 result=result,

coercer/core/modes/fuzz.py

@@ -135,6 +135,7 @@ def action_scan(target, available_methods, options, credentials, reporter):
                                             )
 
                                             reporter.report_test_result(
+                                                target=target,
                                                 uuid=uuid, version=version, namedpipe=namedpipe,
                                                 msprotocol_rpc_instance=msprotocol_rpc_instance,
                                                 result=result,
@@ -206,6 +207,7 @@ def action_scan(target, available_methods, options, credentials, reporter):
                                             )
 
                                             reporter.report_test_result(
+                                                target=target,
                                                 uuid=uuid, version=version, namedpipe=namedpipe,
                                                 msprotocol_rpc_instance=msprotocol_rpc_instance,
                                                 result=result,

coercer/core/modes/scan.py

@@ -8,6 +8,8 @@ authors = ["p0dalirius"]
 python = "^3.7"
 impacket = "^0.10.0"
 xlsxWriter = ">=3.0.0"
+jinja2 = ">=3.1.3"
+sectools = ">=1.4.3"
 
 [tool.poetry.dev-dependencies]
 

pyproject.toml

@@ -1,3 +1,4 @@
 impacket
 xlsxwriter
-jinja2
+jinja2
+sectools