diff --git a/README.md b/README.md index dd253e1..44afb6d 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ Currently it supports the following modules: * rdp_login : Brute-force RDP (NLA) * pgsql_login : Brute-force PostgreSQL * vnc_login : Brute-force VNC +* cs_login : Brute-force Cobalt Strike Team Server * dns_forward : Brute-force DNS * dns_reverse : Brute-force DNS (reverse lookup subnets) * ike_enum : Enumerate IKE transforms diff --git a/patator.py b/patator.py index 1f3bb66..0d5fccb 100755 --- a/patator.py +++ b/patator.py @@ -56,6 +56,7 @@ * rdp_login : Brute-force RDP (NLA) + pgsql_login : Brute-force PostgreSQL + vnc_login : Brute-force VNC + + cs_login : Brute-force Cobalt Strike Team Server + dns_forward : Forward DNS lookup + dns_reverse : Reverse DNS lookup @@ -529,6 +530,15 @@ vnc_login host=10.0.0.1 password=FILE0 0=passwords.txt --threads 1 -x retry:fgrep!='Authentication failure' --max-retries -1 -x quit:code=0 (b) (b) (c) +}}} +{{{ CS + +* Brute-force Cobalt Strike Team Server authentication. + +--------- + +cs_login host=10.0.0.1 password=FILE0 0=rockyou.txt -t 1 -x 'quit:code=0' + }}} {{{ DNS 
@@ -4085,6 +4095,50 @@ def execute(self, host, port=None, password=None, timeout='10'):
 # }}}
+# CS {{{
+try:
+ import ssl, struct
+except ImportError:
+ notfound.append('ssl or struct')
+
+class CS_login:
+ '''Brute-force CS'''
+
+ usage_hints = (
+ '''%prog host=10.0.0.1 password=FILE0 0=rockyou.txt -t 1 -x 'quit:code=0' ''',
+ )
+
+ available_options = (
+ ('host', 'target host'),
+ ('port', 'target port [50050]'),
+ ('password', 'passwords to test'),
+ ('timeout', 'seconds to wait for a response [10]')
+ )
+ available_actions = ()
+
+ Response = Response_Base
+
+ def execute(self, host, port=50050, password=None, timeout='10'):
+ with Timing() as timing:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.settimeout(int(timeout))
+ ss = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1_2)
+ addr = (host, int(port))
+ ss.connect(addr)
+ password_len = struct.pack('b', len(password))
+ req = b'\x00\x00\xbe\xef' + password_len + password.encode('utf8') + b'A' * 255
+ ss.send(req)
+ r1 = ss.recv(1)
+ r2 = ss.recv(1)
+ r3 = ss.recv(1)
+ ss.close()
+ if(r3 == b'\xca'):
+ code, mesg = 0, 'OK'
+ else:
+ code, mesg = 1, 'CS auth failed'
+ return self.Response(code, mesg, timing)
+# }}}
+
 # DNS {{{
 try:
 import dns.rdatatype
@@ -4862,6 +4916,7 @@ def execute(self, data, data2='', delay='1'):
 ('rdp_login', (Controller, RDP_login)),
 ('pgsql_login', (Controller, Pgsql_login)),
 ('vnc_login', (Controller, VNC_login)),
+ ('cs_login', (Controller, CS_login)),
 ('dns_forward', (Controller_DNS, DNS_forward)),
 ('dns_reverse', (Controller_DNS, DNS_reverse)),
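Review bot: In CS_login.execute the socket is closed only on the happy path; any exception raised by `ss.connect`, `ss.send` or one of the three `ss.recv` calls (a timeout being the obvious case, since `settimeout` is set just above) leaks the TLS socket and its file descriptor. Wrap the span from `ss.connect(addr)` through the last `recv` in `try: ... finally: ss.close()`, or in `contextlib.closing(ss)` if that helper is already imported at the top of the file, which this hunk does not show. `ssl.wrap_socket` has been deprecated since Python 3.7 and is removed in 3.12, so the `import ssl` guard will not catch it and the module will fail on current interpreters; the replacement is an explicit `ssl.SSLContext(...).wrap_socket(s)` configured to match what the current call does. Minor points of style: `r1` and `r2` are assigned but never read, `if(r3 == b'\xca'):` should be `if r3 == b'\xca':`, and the class docstring `'''Brute-force CS'''` would be clearer as `'''Brute-force Cobalt Strike Team Server authentication'''`, matching the README entry in this commit.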