Open main menu
Posts
Gists
Guilds
Users
Decipher
Docs
Open user menu
Log in
Sign up
Create a new gist
Posts
Gists
Guilds
Users
Decipher
Docs
Files
src/machine.src
cli/libfish.src
src/machine.src
MachineServices = {}
//class eval shit
exploits_inspect = function(obj, scope)
exploits_len = 0
if scope.hasIndex("exploits") then exploits_len = scope.exploits.len
return scope.exploits.len
end function
Service.attrs.push("exploits")
Service.load_exploits_from_cache = function()
exploits = self.machine.exploits_cache
if exploits.hasIndex(self.info_to_key) == 0 then return 0
self.scan = new Scan
self.scan.init(self.nmap.ip, self.port)
self.scan.machine = self.machine
self.exploits = []
for x in exploits[self.info_to_key]
exploit = new ScanExploit
exploit.init(self.scan, x)
self.exploits.push(exploit)
end for
return 1
end function
Service.load_exploits_from_scan = function()
exploits = self.machine.exploits_cache
self.scan = new Scan
self.scan.init(self.nmap.ip, self.port)
self.scan.machine = self.machine
self.scan.execute
self.exploits = self.scan.get_exploits
end function
Service.set_exploits = function()
// skip_if_no_cache scan_only_if_no_cache scan_everytime
if self.machine.scan_strategy == "scan_everytime" then
self.load_exploits_from_scan
else if self.machine.scan_strategy == "skip_if_no_cache" then
self.load_exploits_from_cache
else if self.machine.scan_strategy == "scan_only_if_no_cache" then
if self.load_exploits_from_cache == 0 then self.load_exploits_from_scan
end if
end function
// require passwords list set in custom_object
Service.quick_root_shell = function
attack_script = self.machine.TABLEATTACK_SCRIPT
for x in self.exploits
x.set_result
if typeof(x.result) != "shell" then continue
remote_shell = x.result
remote_comp = remote_shell.host_computer
key = remote_comp.public_ip + "|" + remote_comp.local_ip
self.machine.credentials_db.reload
if self.machine.credentials_db.obj.hasIndex(key) then
get_custom_object.saved_password = self.machine.credentials_db.obj[key].password
if self.machine.skip_logging == false then
key = remote_comp.public_ip + "|" + remote_comp.local_ip
self.machine.credentials_db.reload
if self.machine.credentials_db.obj.hasIndex(key) then
get_custom_object.saved_password = self.machine.credentials_db.obj[key].password
end if
end if
// escalate to root
if remote_comp.File("/home/guest/tableAttack.src") != null then
remote_comp.File("/home/guest/tableAttack.src").delete
end if
remote_comp.touch("/home/guest", "tableAttack.src")
remote_comp.File("/home/guest/tableAttack.src").set_content(attack_script.get_content)
print "building script"
remote_shell.build("/home/guest/tableAttack.src", "/home/guest")
remote_shell.launch("/home/guest/tableAttack")
// save credentials in a db
self.machine.credentials_db.reload
pas = get_custom_object.password
if pas == null then pas = ""
key = remote_comp.public_ip + "|" + remote_comp.local_ip
self.machine.credentials_db.obj[key] = {"user": "root", "password": pas}
self.machine.credentials_db.save
if self.machine.skip_logging == false then
// save credentials in a db
self.machine.credentials_db.reload
pas = get_custom_object.password
if pas == null then pas = ""
key = remote_comp.public_ip + "|" + remote_comp.local_ip
self.machine.credentials_db.obj[key] = {"user": "root", "password": pas}
self.machine.credentials_db.save
end if
root_shell = get_custom_object.shell
return root_shell
end for
return null
end function
ScanExploit.set_result_callback = function()
// save entry
if typeof(self.result) != "shell" then return
if self.scan.machine.skip_logging == true then return
self.scan.machine.entries_db.reload
key = self.scan.machine.entries_db.obj.indexes.len
entry = {}
entry.local_ip = self.result.host_computer.local_ip
entry.public_ip = self.result.host_computer.public_ip
entry.exploit = {"address": self.address, "value": self.value, "port": str(self.scan.port)}
self.scan.machine.entries_db.obj[key] = entry
self.scan.machine.entries_db.save
end function
Machine = {}
Machine.exploits_cache = function
return self.exploits_db.get
end function
//Machine.passwords_list : required passwords list
//Machine.table_attack_script : required table attack script
Machine.services_inspect = function(obj, scope)
f = function(o)
exploits_len = 0
if o.hasIndex("exploits") then exploits_len = o.exploits.len
return o.inspect(["info", [exploits_len, "exploits_len"], "port"])
end function
return scope.services.map(@f)
end function
Machine.attrs = ["ip", [@Machine.services_inspect, "services"]]
Machine.metaxploit = null //required
Machine.config_path = home_dir + "/Config"
Machine.shell = get_shell
Machine.computer = Machine.shell.host_computer
Machine.skip_logging = false
// skip_if_no_cache scan_only_if_no_cache scan_everytime
Machine.scan_strategy = "scan_only_if_no_cache"
Machine.setup_disks = function
print "initiating databases"
Machine.PASSWORDS_DISK = new Disk
Machine.PASSWORDS_DISK.init(self.config_path, "passwords")
Machine.EXPLOITS_DISK = new Disk
Machine.EXPLOITS_DISK.init(self.config_path, "exploits")
Machine.ENTRIES_DISK = new Disk
Machine.ENTRIES_DISK.init(self.config_path, "entries")
Machine.CREDENTIALS_DISK = new Disk
Machine.CREDENTIALS_DISK.init(self.config_path, "credentials")
if self.skip_logging == false then
Machine.ENTRIES_DISK = new Disk
Machine.ENTRIES_DISK.init(self.config_path, "entries")
Machine.CREDENTIALS_DISK = new Disk
Machine.CREDENTIALS_DISK.init(self.config_path, "credentials")
end if
print "finished"
end function
Machine.setup_disks
Machine.init = function(ip)
self.TABLEATTACK_SCRIPT = self.computer.File(self.config_path + "/tableAttack.src")
// skip_if_no_cache scan_only_if_no_cache scan_everytime
self.scan_strategy = "scan_only_if_no_cache"
self.ip = ip
self.set_services
self.exploits_db = new DocDB
self.exploits_db.init(self.EXPLOITS_DISK)
if self.scan_strategy != "scan_everytime" then
self.exploits_db = new DocDB
self.exploits_db.init(self.EXPLOITS_DISK)
end if
self.entries_db = new DocDB
self.entries_db.init(self.ENTRIES_DISK)
if self.skip_logging == false then
self.entries_db = new DocDB
self.entries_db.init(self.ENTRIES_DISK)
self.credentials_db = new DocDB
self.credentials_db.init(self.CREDENTIALS_DISK)
self.credentials_db = new DocDB
self.credentials_db.init(self.CREDENTIALS_DISK)
end if
if not get_custom_object.hasIndex("passwords") then
print "reading passwords database"
self.passwords = self.PASSWORDS_DISK.read_chars.split(char(10))
get_custom_object.passwords = self.passwords
print "finished"
end if
end function
Machine.save_exploits = function()
self.exploits_db.reload
for s in self.services
key = s.info_to_key
exploits = []
if s.hasIndex("exploits") == 0 then continue
for x in s.exploits
x_obj = {}
x_obj["address"] = x.address
x_obj["value"] = x.value
x_obj["requirements"] = x.requirements
x_obj["requirements_len"] = x.requirements_len
if x.hasIndex("result") == 1 then x_obj["result"] = typeof(x.result)
exploits.push x_obj
end for
self.exploits_db.obj[key] = exploits
self.exploits_db.save
end for
end function
Machine.quick_attack = function(only_routers = true)
target_services = self.services
if only_routers == true then
target_services = [self.router_service]
end if
for service in target_services
service.set_exploits
root_shell = service.quick_root_shell
if typeof(root_shell) == "shell" then return root_shell
end for
return null
end function
Machine.set_services = function()
self.nmap = new Nmap
self.nmap.init(self.ip)
self.nmap.machine = self
self.services = self.nmap.services
for s in self.services
s.machine = self
end for
end function
Machine.router_service = function()
for s in self.services
if s.port == null then return s
end for
return null
end function
Machine.open_services = function()
f = function(o)
return o.status == "open"
end function
return self.services.select(@f)
end function
cli/libfish.src
import_code("/home/me/h/src/utils.src") // exports map.inspect, p
import_code("/home/me/h/libs/list.src") // exports list utils and map utils
import_code("/home/me/h/libs/disk.src") // exports Disk, Block
import_code("/home/me/h/libs/nmap.src") // exports Nmap, Service
import_code("/home/me/h/libs/scan.src") // exports Scan
import_code("/home/me/h/libs/json.src") // exports Json
import_code("/home/me/h/src/rndIP.src") // exports rnd_ip
import_code("/home/me/h/src/docDB.src") // exports DocDB
import_code("/home/me/h/src/machine.src") // exports Machine, MachineService, depends on Scan, Nmap , Json, DocDB
import_code("/home/me/h/libs/meta.src") // exports Meta
import_code("/home/me/h/src/shell.src") // extend map
get_shell.host_computer.create_folder(home_dir + "/Config", "libs")
LIB_STORE_PATH = home_dir + "/Config/libs"
for i in Service.remote_lib_dict.indexes
get_shell.host_computer.create_folder(LIB_STORE_PATH,i)
end for
for i in Service.local_lib_dict.indexes
get_shell.host_computer.create_folder(LIB_STORE_PATH,i)
end for
Machine.metaxploit = include_lib("/lib/metaxploit.so")
Scan.metaxploit = include_lib("/lib/metaxploit.so")
Command = {}
Command.libfish_sig = {}
Command.libfish_sig["description"] = "hack random npcs to find libs"
lib_param_desc = []
lib_param_desc.push "libs to search for, if this param is present the command will only search for the specific libs passed "
lib_param_desc.push "but you can pass as many lib names as you want, the valid params are: "
lib_param_desc.push Service.remote_lib_dict.indexes.join(", ")
lib_param_desc = lib_param_desc.join("")
Command.libfish_sig["args"] = [["lib", lib_param_desc]]
Command.libfish_sig["options"] = [{["-l", "--search-local-libs"]: "save local libs aswell"}]
get_known_libs_from_libs_folder = function(folder)
known_libs = []
lib_folders = folder.get_folders
for lib_folder in lib_folders
lib_versions_folder = lib_folder.get_folders
for lib_version_folder in lib_versions_folder
key = lib_folder.name + lib_version_folder.name
known_libs.push key
end for
end for
return known_libs
end function
Command.libfish = function(args = [], options = {})
if args.len > 0 then
for arg in args
if Service.remote_lib_dict.hasIndex(arg) == 0 then exit("invalid param, look at the docs")
end for
for i in Service.remote_lib_dict.indexes
if args.indexOf(i) == null then Service.remote_lib_dict.remove(i)
end for
end if
Machine.scan_strategy = "scan_everytime"
Machine.skip_logging = true
while true
print "AAAAAAAAAAAA"
machine = new Machine
machine.init(rnd_ip)
for s in machine.services
libs_folder = get_shell.host_computer.File(LIB_STORE_PATH)
known_libs = get_known_libs_from_libs_folder(libs_folder)
s.set_exploits
key = s.info.replace(".", "").replace(" ", "")
if options["-l"] == false then
// skip service if not listed on libs
if not Service.remote_lib_dict.hasIndex(s.info.split(" ")[0]) then continue
// skip service if remote lib is already in store
if known_libs.indexOf(key) then continue
end if
sh = s.quick_root_shell
if typeof(sh) != "shell" then continue
print "checking for " + s.info.split(" ")[0]
if Service.remote_lib_dict.hasIndex(s.info.split(" ")[0]) == true then
if known_libs.indexOf(key) == null
and key
then
print "checking if " + key + " is already stored"
if known_libs.indexOf(key) == null then
print "saving remote " + s.info
so_name = Service.remote_lib_dict[s.info.split(" ")[0]]
name_key = s.info.split(" ")[0]
version_key = s.info.split(" ")[1].replace(".", "")
get_shell.host_computer.create_folder(LIB_STORE_PATH + "/" + name_key, version_key)
sh.scp("/lib/" + so_name, LIB_STORE_PATH + "/" + name_key + "/" + version_key, get_shell)
end if
end if
if options["-l"] == true then
for i in Service.local_lib_dict.values
if typeof(sh.host_computer.File("/lib/" + i)) != "file" then continue
sh.scp("/lib/" + i, LIB_STORE_PATH, get_shell)
lib = machine.metaxploit.load("/lib/" + i)
name_key = Service.local_lib_dict.indexOf(i)
version_key = lib.version.replace(".", "")
key = name_key + version_key
if known_libs.indexOf(key) then
get_shell.host_computer.File(LIB_STORE_PATH + "/" + i).delete
else
print "saving local " + name_key + " " + version_key
get_shell.host_computer.create_folder(LIB_STORE_PATH + "/" + name_key, version_key)
get_shell.host_computer.File(LIB_STORE_PATH + "/" + i).move(LIB_STORE_PATH + "/" + name_key + "/" + version_key, i)
end if
end for
end if
end for
end while
end function
import_code("/home/me/h/libs/thor.src") //depends on Listlib, exports Thor
Thor.init(Command, "libfish")