Skip to content

Commit

Permalink
Sniper v1.3 by 1N3 @ CrowdShield
Browse files Browse the repository at this point in the history
  • Loading branch information
@1N3
1N3 committed Sep 6, 2015
0 parents commit 1e31520
Show file tree
Hide file tree
Showing 8 changed files with 4,594 additions and 0 deletions.
Binary file added .fuse_hidden00013e8300000004
Binary file not shown.
Binary file added .fuse_hidden00013ea800000006
Binary file not shown.
Binary file added bin/dnsdict6
Binary file not shown.
3,861 changes: 3,861 additions & 0 deletions bin/inurlbr.php

Large diffs are not rendered by default.

201 changes: 201 additions & 0 deletions bin/samrdump.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,201 @@
#!/usr/bin/python
# Copyright (c) 2003-2015 CORE Security Technologies
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Description: DCE/RPC SAMR dumper.
#
# Author:
# Javier Kohen <[email protected]>
# Alberto Solino (@agsolino)
#
# Reference for:
# DCE/RPC for SAMR

import sys
import logging
import argparse

from impacket.examples import logger
from impacket import version
from impacket.nt_errors import STATUS_MORE_ENTRIES
from impacket.dcerpc.v5 import transport, samr
from impacket.dcerpc.v5.rpcrt import DCERPCException


class ListUsersException(Exception):
pass

class SAMRDump:
KNOWN_PROTOCOLS = {
'139/SMB': (r'ncacn_np:%s[\pipe\samr]', 139),
'445/SMB': (r'ncacn_np:%s[\pipe\samr]', 445),
}


def __init__(self, protocols = None,
username = '', password = '', domain = '', hashes = None, aesKey=None, doKerberos = False):
if not protocols:
self.__protocols = SAMRDump.KNOWN_PROTOCOLS.keys()
else:
self.__protocols = [protocols]

self.__username = username
self.__password = password
self.__domain = domain
self.__lmhash = ''
self.__nthash = ''
self.__aesKey = aesKey
self.__doKerberos = doKerberos
if hashes is not None:
self.__lmhash, self.__nthash = hashes.split(':')


def dump(self, addr):
"""Dumps the list of users and shares registered present at
addr. Addr is a valid host name or IP address.
"""

logging.info('Retrieving endpoint list from %s' % addr)

# Try all requested protocols until one works.
entries = []
for protocol in self.__protocols:
protodef = SAMRDump.KNOWN_PROTOCOLS[protocol]
port = protodef[1]

logging.info("Trying protocol %s..." % protocol)
rpctransport = transport.SMBTransport(addr, port, r'\samr', self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, doKerberos = self.__doKerberos)

try:
entries = self.__fetchList(rpctransport)
except Exception, e:
logging.critical(str(e))
else:
# Got a response. No need for further iterations.
break

# Display results.

for entry in entries:
(username, uid, user) = entry
base = "%s (%d)" % (username, uid)
print base + '/FullName:', user['FullName']
print base + '/UserComment:', user['UserComment']
print base + '/PrimaryGroupId:', user['PrimaryGroupId']
print base + '/BadPasswordCount:', user['BadPasswordCount']
print base + '/LogonCount:', user['LogonCount']

if entries:
num = len(entries)
if 1 == num:
logging.info('Received one entry.')
else:
logging.info('Received %d entries.' % num)
else:
logging.info('No entries received.')


def __fetchList(self, rpctransport):
dce = rpctransport.get_dce_rpc()

entries = []

dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)

try:
resp = samr.hSamrConnect(dce)
serverHandle = resp['ServerHandle']

resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
domains = resp['Buffer']['Buffer']

print 'Found domain(s):'
for domain in domains:
print " . %s" % domain['Name']

logging.info("Looking up users in domain %s" % domains[0]['Name'])

resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle,domains[0]['Name'] )

resp = samr.hSamrOpenDomain(dce, serverHandle = serverHandle, domainId = resp['DomainId'])
domainHandle = resp['DomainHandle']

status = STATUS_MORE_ENTRIES
enumerationContext = 0
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext = enumerationContext)
except DCERPCException, e:
if str(e).find('STATUS_MORE_ENTRIES') < 0:
raise
resp = e.get_packet()

for user in resp['Buffer']['Buffer']:
r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user['RelativeId'])
print "Found user: %s, uid = %d" % (user['Name'], user['RelativeId'] )
info = samr.hSamrQueryInformationUser2(dce, r['UserHandle'],samr.USER_INFORMATION_CLASS.UserAllInformation)
entry = (user['Name'], user['RelativeId'], info['Buffer']['All'])
entries.append(entry)
samr.hSamrCloseHandle(dce, r['UserHandle'])

enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']

except ListUsersException, e:
logging.critical("Error listing users: %s" % e)

dce.disconnect()

return entries


# Process command-line arguments.
if __name__ == '__main__':
# Init the example's logger theme
logger.init()
print version.BANNER

parser = argparse.ArgumentParser(add_help = True, description = "This script downloads the list of users for the target system.")

parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
parser.add_argument('protocol', choices=SAMRDump.KNOWN_PROTOCOLS.keys(), nargs='?', default='445/SMB', help='transport protocol (default 445/SMB)')
parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

group = parser.add_argument_group('authentication')

group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')

if len(sys.argv)==1:
parser.print_help()
sys.exit(1)

options = parser.parse_args()

if options.debug is True:
logging.getLogger().setLevel(logging.DEBUG)
else:
logging.getLogger().setLevel(logging.INFO)

import re

domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(options.target).groups('')

if domain is None:
domain = ''

if options.aesKey is not None:
options.k = True

if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
from getpass import getpass
password = getpass("Password:")

dumper = SAMRDump(options.protocol, username, password, domain, options.hashes, options.aesKey, options.k)
dumper.dump(address)
14 changes: 14 additions & 0 deletions install.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
#!/bin/bash
# Install script for sn1per
#
echo "Installing sn1per dependencies..."
apt-get install host whois theharvester dnsenum curl nmap php5 php5-curl wapiti hydra iceweasel wpscan sqlmap arachni w3af golismero nbtscan enum4linux cisco-torch metasploit-framework theharvester nmap dnsenum snmpwalk nikto smtp-user-enum whatweb python nbtscan sslscan amap
git clone https://github.com/1N3/Findsploit.git
git clone https://github.com/1N3/BruteX.git
git clone https://github.com/1N3/Goohak.git
git clone https://github.com/1N3/XSSTracer.git
git clone https://github.com/1N3/SuperMicro-Password-Scanner
git clone https://github.com/Dionach/CMSmap.git
mkdir loot
echo "Be sure to install the following packages manually and update the sniper script references: dig dnsdict6 cmsmap samrdump inurlbr wafw00f showmount samrdump rpcinfo"
echo "Done!"
Empty file added loot/README
Empty file.
Loading

0 comments on commit 1e31520

Please sign in to comment.