Created
September 26, 2013 17:04
Cortana Hail Mary / Find Attacks Example (taken from my development testing... not tested recently. This code was used in a highly stripped down version of Armitage)
#
# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
#
# Entries for the "attacks" popup. Each entry hands its handler to
# spawn() rather than calling it directly.
popup attacks {
    # Attacks -> Find Attacks
    item "&Find Attacks" {
        spawn(&runFindAttacks);
    }

    # Attacks -> Hail Mary
    item "&Hail Mary" {
        spawn(&runHailMary);
    }
}
# Build a map of exploit module name => default RPORT value.
#
# Walks every name returned by modules("exploits"), reads that module's
# options, and records the 'default' field of its RPORT option.
# Modules that expose no RPORT option are left out of the result.
# Both callers in this file run it through fork() and collect the
# result later with wait().
sub exploitPorts {
    local('$name $opts %portByModule');

    foreach $name (modules("exploits")) {
        $opts = options("exploit", $name);

        # nothing to record when the module has no RPORT option
        if ('RPORT' !in $opts) {
            continue;
        }

        %portByModule[$name] = $opts['RPORT']['default'];
    }

    return %portByModule;
}
# Turn a module rank name into a number so that ranks can be compared.
#
# $1 - rank name
# Returns 5 (excellent), 4 (great), 3 (good), 2 (normal) or 1 (poor);
# any other name is not in the table and yields $null.
sub score {
    local('%weights');

    %weights = %(excellent => 5, great => 4, good => 3, normal => 2, poor => 1);

    return %weights[$1];
}
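# Ask the console for the exploit list and publish rank/date per module.
#
# Sends "show exploits" and, on the console_show event that follows,
# parses every output row of the form
#     <name>  <yyyy-MM-dd>  <rank>  <description>
# into %(date => ..., rank => ..., name => ...). Rows ranked "manual"
# are dropped. The collected array is fired as "exploit_information"
# and the script then quits, so only the first console_show event is
# processed.
sub sortedExploits {
    on console_show {
        local('$line $module $date $rank @r');

        # $3 is split on newlines and each piece is treated as one table row
        foreach $line (split("\n", $3)) {
            if ($line ismatch '\s+(.*?)\s+(\d{4}-\d{2}-\d{2})\s+(\w+)\s+.*') {
                ($module, $date, $rank) = matched();

                if ($rank ne "manual") {
                    # The date pattern has to agree with the \d{4}-\d{2}-\d{2}
                    # capture above. The earlier "MM-dd-yy" pattern read the
                    # year as a month, so the date used as a tie-breaker by
                    # the rank/date sort did not reflect the real date.
                    push(@r, %(date => parseDate("yyyy-MM-dd", $date), rank => score($rank), name => $module));
                }
            }
        }

        fire_event_async("exploit_information", @r);
        quit();
    }

    cmd_async("show exploits");
}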
# Decide whether a module's platform prefix fits a host's recorded OS.
#
# $1 - module name (e.g. a name starting with "windows/")
# $2 - host, passed to host_os()
# Returns 1 on a match, $null otherwise. This compares the OS label
# only; it says nothing about whether the host is actually vulnerable.
sub isHostMatch {
    local('$os');

    # multi/ modules are accepted for every host; the OS is not consulted
    if ([$1 startsWith: "multi/"]) {
        return 1;
    }

    $os = host_os($2);

    if ($os eq "Microsoft Windows") {
        if ([$1 startsWith: "windows/"]) {
            return 1;
        }
    }
    else if ($os eq "Linux") {
        # Linux hosts take both linux/ and unix/ modules
        if ([$1 startsWith: "linux/"] || [$1 startsWith: "unix/"]) {
            return 1;
        }
    }

    # any other OS label, or a prefix that does not fit the OS
    return $null;
}
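# Attacks -> Hail Mary.
#
# Opens a "Hail Mary" text tab, starts exploitPorts() in a fork, and
# spawns sortedExploits(). When "exploit_information" arrives, modules
# below the configured minimum rank are dropped, the rest are ordered
# by rank and then date (both descending), and each one is passed to
# exploit() for every host where isHostMatch() holds and the host has a
# service on the module's default RPORT.
#
# What gates a launch here: the rank preference
# "armitage.required_exploit_rank.string" (default "great"), the OS
# prefix match, and the open-port match. The host list is whatever
# hosts() returns; this routine applies no further host selection and
# performs no vulnerability check before calling exploit(). Every pair
# that passes the three filters is logged to the tab, which is the
# record of what was launched.
sub runHailMary {
    global('$console $fork');
    $console = open_text_tab("Hail Mary", $null, "all");

    # let this happen in a separate thread...
    $fork = fork(&exploitPorts);

    on tab_close {
        quit();
    }

    on exploit_information {
        # $exploit and %ports were previously undeclared and therefore global;
        # %options was declared but never used.
        local('$exploits $exploit $port $host %ports $total $minrank');

        # start at 0 so the summary line shows a number even when nothing matched
        $total = 0;

        # retrieve our exploit info... from our earlier thread.
        %ports = wait($fork);

        # drop everything below the configured minimum rank
        $minrank = score(pref_get("armitage.required_exploit_rank.string", "great"));
        $exploits = filter(lambda({
            return iff ($1['rank'] >= $minrank, $1);
        }, \$minrank), $1);

        # sort our exploits... highest rank first, date as tie-breaker,
        # then keep only the module names
        $exploits = map({ return $1['name']; }, sort({
            if ($2['rank'] == $1['rank']) {
                return $2['date'] <=> $1['date'];
            }
            else {
                return $2['rank'] <=> $1['rank'];
            }
        }, $exploits));

        # go through our exploits... best ones first
        foreach $exploit ($exploits) {
            $port = %ports[$exploit];

            foreach $host (hosts()) {
                if (isHostMatch($exploit, $host) && $host hasservice $port) {
                    exploit($exploit, $host);
                    append($console, "\cC[*]\o $[20]host => $exploit $+ \n");
                    $total++;
                }
            }
        }

        append($console, "\cC[*]\o Launched $total exploits...\n");
    }

    # let's rock...
    append($console, "\cC[*]\o Analyzing modules...\n");
    spawn(&sortedExploits);
}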
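# Attacks -> Find Attacks.
#
# Starts exploitPorts() in a fork and spawns sortedExploits(). When
# "exploit_information" arrives, modules below the configured minimum
# rank are dropped and the remainder are grouped per host and per
# service into %menus[host][service] = @(module names). A module is
# listed for a host when isHostMatch() holds and the host has a service
# on the module's default RPORT. Nothing is launched here: the result is
# fired as "attack_analysis_complete" and the script quits.
#
# The listing is a port/OS-label correlation, not a vulnerability
# finding; no check against the host is made in this routine.
sub runFindAttacks {
    global('$fork');

    # let this happen in a separate thread...
    $fork = fork(&exploitPorts);

    on exploit_information {
        # $exploit, $srvc, $module and %ports were previously undeclared and
        # therefore global; $total and %options were declared but never used.
        local('$exploits $exploit $port $host $srvc $module %ports %menus $minrank');

        # retrieve our exploit info... from our earlier thread.
        %ports = wait($fork);

        # filter exploits that fall below our threshold
        $minrank = score(pref_get("armitage.required_exploit_rank.string", "great"));
        $exploits = map({ return $1['name']; }, filter(lambda({
            return iff ($1['rank'] >= $minrank, $1);
        }, \$minrank), $1));

        # go through the remaining exploits (not re-sorted in this routine)
        foreach $exploit ($exploits) {
            $port = %ports[$exploit];

            foreach $host (hosts()) {
                if (isHostMatch($exploit, $host) && $host hasservice $port) {
                    # module names are split on "/": the first piece is
                    # discarded and the second is used as the service key
                    ($null, $srvc, $module) = split('\\/', $exploit);

                    if ($host !in %menus) {
                        %menus[$host] = %();
                    }

                    if ($srvc !in %menus[$host]) {
                        %menus[$host][$srvc] = @();
                    }

                    push(%menus[$host][$srvc], $exploit);
                }
            }
        }

        fire_event_async("attack_analysis_complete", %menus);
        quit();
    }

    spawn(&sortedExploits);
}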