plunder 2.0.0a

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: bbebd78c8c112b0e33711b45fa10d1e6eabb4de4
+  data.tar.gz: 8acf065be1107b051e3434db977f03bd3e4074c1
+SHA512:
+  metadata.gz: 232c90294a83f26e97de70ab32fb2f301592d1ef19656fb10a0a0a0c3d6482153c956905d2f1fe591b7837ab7d07425926d43b3cecc00c0324d5e010d1a212b2
+  data.tar.gz: 928179b760f52ece7f2a6883adf2a5fbd6b82530bc9eb31bb664c2158fc6a926e7e93aaf507c089b58a9b2e24ce180ea45df7f4e52e11d0be7cbb05d22dc6770

data/bin/agent

@@ -0,0 +1,48 @@
+#!/usr/bin/env ruby
+# -*- mode: ruby; -*-
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+require_relative '../ext/smbclient/smbclient.so'
+
+domain = STDIN.readline.chomp
+user   = STDIN.readline.chomp
+pass   = STDIN.readline.chomp
+
+client = SMBClient.new(domain, user, pass)
+
+STDIN.each_line do |line|
+  begin
+    listing = client.list(line.chomp)
+    if listing == nil
+      STDOUT.puts "E failure"
+    else
+      (dirs, files) = client.list(line.chomp)
+      dirs.each  { |dir|  STDOUT.puts "D #{dir}"  }
+      files.each { |file| STDOUT.puts "F #{file}" }
+    end
+  rescue Exception => e
+    log = open("agent.log", "a")
+    log.puts "Agent exception: #{e.class}:#{e.message}"
+    log.close
+  ensure
+    STDOUT.puts "C done"
+    STDOUT.flush
+  end    
+end

data/bin/plunder

@@ -0,0 +1,158 @@
+#!/usr/bin/env ruby
+# -*- mode: ruby; -*-
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+$pry = false
+
+require 'time'
+require 'set'
+require 'pry'
+require 'yaml'
+require 'uri'
+
+require_relative '../lib/core/io.rb'
+require_relative '../lib/core/commands.rb'
+require_relative '../lib/core/plunder.rb'
+require_relative '../lib/core/config.rb'
+require_relative '../lib/core/client.rb'
+
+begin
+  require 'pry'
+  $pry = true
+rescue LoadError
+  puts
+  Plunder::Report.error("'pry' gem not found, debugging will be less fun!")
+end  
+
+Plunder::PlunderIO.banner
+
+if ARGV.length == 0
+  Plunder::PlunderIO.usage
+  exit 1
+end
+
+cmd = Plunder::Commands.new do
+  command("init") do
+    name    = next_arg
+    path    = name + ".yaml"
+    default = Plunder::Config.default(name)
+    open(path, "w") { |file| file.write(default.to_yaml) }
+    puts "  [+] wrote default config to file '\x1b[32;1m#{path}\x1b[0m'"
+  end
+
+  command("scan") do
+    plunder = Plunder::Plunder.new(next_arg)
+    Plunder::Report.init(plunder.name)
+    begin
+      Plunder::Report.notify("<mag>#{Time::now.to_s}<rst> : Starting scan")
+      plunder.scan(next_arg.to_i)
+    ensure
+      Plunder::Report.notify("<mag>#{Time::now.to_s}<rst> : Completed scan")
+      plunder.save
+    end
+  end
+
+  command("creds") do
+    config = Plunder::Config.new(next_arg + ".yaml")
+    config[:domain] = next_arg.strip
+    config[:user]   = next_arg.strip
+    config[:pass]   = next_arg.strip
+    Plunder::Report.notify("Saved creds")
+    config.save
+  end
+
+  command("summary") do
+    plunder = Plunder::Plunder.new(next_arg)
+    plunder.load
+    domain = plunder.config[:domain]
+    user   = plunder.config[:user]
+    pass   = plunder.config[:pass]
+    Plunder::Report.notify("Credentials:    '<cya>#{domain}<gra>\\<cya>#{user}<gra>'%'<cya>#{pass}<gra>'<rst>")
+    Plunder::Report.notify("Target Count:   #{plunder.config[:targets].length}")
+    Plunder::Report.notify("Files indexed:  #{plunder.fsdb.length}")
+  end
+
+  command("target") do
+    config = Plunder::Config.new(next_arg + ".yaml")
+    url = "smb://#{next_arg}/"
+    config.add_target(url)
+  end
+
+  command("targets") do
+    config = Plunder::Config.new(next_arg + ".yaml")
+    stream = STDIN
+    stream = open(next_arg) if @args.length > 0
+    stream.each_line do |line|
+      config.add_target("smb://#{line.chomp}/")
+    end
+  end
+
+  command("search") do
+    plunder = Plunder::Plunder.new(next_arg)
+    plunder.load
+    plunder.select_files(next_arg) do |file, id|
+      printf("FILE %-8d %s\n", id, URI::decode(file))
+    end
+  end
+
+  command("mirror") do
+    plunder = Plunder::Plunder.new(next_arg)
+    plunder.load
+    loaded = Set.new
+    stream = STDIN
+    stream = open(next_arg) if @args.length > 0
+    stream.each_line do |line|
+      url = plunder.fsdb[line.to_i]
+      unless loaded.member? url
+        plunder.mirror(url)
+        puts "  [-] Mirrored '\x1b[32;1m#{url}\x1b[0m'"
+        loaded << url
+      end
+    end
+  end
+
+  command("listing") do
+    plunder = Plunder::Plunder.new(next_arg)
+    plunder.load
+    0.upto(plunder.fsdb.length - 1) do |index|
+      printf("FILE %-8d %s\n", index, plunder.fsdb[index])
+    end
+  end
+
+  command("client") do
+    plunder = Plunder::Plunder.new(next_arg)
+    plunder.load
+    client  = Plunder::Client.new(plunder)
+    puts ""
+    client.repl
+  end
+
+  if $pry
+    command("debug") do
+      plunder = Plunder::Plunder.new(next_arg)
+      plunder.load
+      binding.pry
+    end
+  end
+end
+
+cmd.run ARGV
+
+puts ""

data/ext/fsdb/extconf.rb

@@ -0,0 +1,13 @@
+# Loads mkmf which is used to make makefiles for Ruby extensions
+require 'mkmf'
+
+$CFLAGS << ' -Wno-unused-result '
+
+# Give it a name
+extension_name = 'fsdb'
+
+# The destination
+dir_config(extension_name)
+
+# Do the work
+create_makefile(extension_name)

data/ext/fsdb/fsdb-c.c

@@ -0,0 +1,134 @@
+// 
+// Plunder - SMB scanning and auditing tool
+// Copyright (C) 2017 Joshua Stone
+// 
+// This program is free software; you can redistribute it and/or
+// modify it under the terms of the GNU General Public License
+// as published by the Free Software Foundation; either version 2
+// of the License, or (at your option) any later version.
+// 
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+// 
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, write to the Free Software
+// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+// 
+
+#include "fsdb-c.h"
+
+fsdb fsdb_init(int bins) {
+  fsdb f;
+
+  f.strings = vault_init(1024);
+  f.paths   = vault_init(1024);
+  f.index   = vault_init(1024);
+  f.hash    = hash_init(bins);
+  f.count   = 0;
+
+  return f;
+}
+
+uint32_t fsdb_insert_path(fsdb *f, char *path) {
+  uint32_t  ret;
+  uint32_t  indices[MAXPATHLEN];
+  char     *cursor = path + 6;
+  char     *base   = cursor;
+  int       pindex = 0;
+  uint32_t  value  = 0;
+
+  while(*cursor) {
+    if(*cursor == '/') {
+      *cursor = 0;
+      if(!match(f->hash, base, f->strings, &value)) {
+	value = vault_insert_string(&f->strings, base);
+	hash_put(&f->hash, base, value);
+      }
+      indices[pindex++] = value;
+      base = cursor + 1;
+    }
+    cursor++;
+  }
+
+  indices[pindex] = 0x48544150;
+
+  value = vault_insert_bytes(&f->paths, indices, (pindex + 1) * 4);
+  ret = vault_insert_bytes(&f->index, &value, 4);
+  f->count++;
+  return ret;
+}
+
+char *fsdb_get_id(fsdb f, int id) {
+  char *name;
+  int offset;
+  int len;
+
+  len = DEF_NAME_LEN;
+  name = (char *) malloc(len + 1);
+  offset = 0;
+
+  uint32_t  path   = *((uint32_t *)vault_get(f.index, id * 4));
+  uint32_t *cursor =   (uint32_t *)vault_get(f.paths, path);
+
+  offset += snprintf(name, len - offset, "smb:/");
+  while(*cursor != 0x48544150) {
+    uint8_t *elt   = vault_get(f.strings, *cursor++);
+    int   bytes = strlen((char *)elt);
+
+    while(offset + bytes + 2 > len) {
+      len  = (len << 1) - (len >> 1);
+      name = realloc(name, len + 1);
+    }
+
+    name[offset++] = '/';
+    memcpy(name + offset, elt, bytes);
+    offset += bytes;
+  }
+
+  name[offset] = 0;
+
+  return name;
+}
+
+uint32_t fsdb_intern(fsdb *f, char *s) {
+  uint32_t value = 0;
+  
+  if(!match(f->hash, s, f->strings, &value)) {
+    value = vault_insert_string(&f->strings, s);
+    hash_put(&f->hash, s, value);
+  }
+
+  return value;
+}
+
+int match(hash h, char *s, vault v, uint32_t *val) {
+  int len = strlen(s);
+  cons *c;
+
+  if((c = hash_get(h, s))) {
+    while(c) {
+      if(strncmp(s, (char *)vault_get(v, c->index), len) == 0) {
+	*val = c->index;
+	return 1;
+      }
+      c = c->next;
+    }
+  }
+
+  // note that the above may fail if there are already colliding
+  // entries in the hash, but none of them are the same as the
+  // current target.  So we need to fall through here to make
+  // sure "false positives" get handled appropriately.
+
+  return 0;
+}
+
+void fsdb_free(fsdb *f) {
+  vault_free(f->strings);
+  vault_free(f->paths);
+  vault_free(f->index);
+  hash_free(f->hash);
+  free(f);
+}

data/ext/fsdb/fsdb-c.h

@@ -0,0 +1,49 @@
+// 
+// Plunder - SMB scanning and auditing tool
+// Copyright (C) 2017 Joshua Stone
+// 
+// This program is free software; you can redistribute it and/or
+// modify it under the terms of the GNU General Public License
+// as published by the Free Software Foundation; either version 2
+// of the License, or (at your option) any later version.
+// 
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+// 
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, write to the Free Software
+// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+// 
+
+#ifndef FSDB_C_H
+#define FSDB_C_H
+
+#define MAXPATHLEN    256
+#define DEF_NAME_LEN  128
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+
+#include "vault.h"
+#include "hash.h"
+#include "utilities.h"
+
+typedef struct {
+  vault    strings;
+  vault    paths;
+  vault    index;
+  hash     hash;
+  uint32_t count;
+} fsdb;
+
+fsdb     fsdb_init(int bins);
+uint32_t fsdb_insert_path(fsdb *f, char *path);
+void     fsdb_free(fsdb *f);
+uint32_t fsdb_intern(fsdb *f, char *s);
+int      match(hash h, char *s, vault v, uint32_t *val);
+char    *fsdb_get_id(fsdb f, int id);
+
+#endif

data/ext/fsdb/fsdb.c

@@ -0,0 +1,267 @@
+// 
+// Plunder - SMB scanning and auditing tool
+// Copyright (C) 2017 Joshua Stone
+// 
+// This program is free software; you can redistribute it and/or
+// modify it under the terms of the GNU General Public License
+// as published by the Free Software Foundation; either version 2
+// of the License, or (at your option) any later version.
+// 
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+// 
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, write to the Free Software
+// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+// 
+
+#include <ruby.h>
+#include <ctype.h>
+#include "fsdb-c.h"
+
+VALUE fsdb_klass = Qnil;
+
+void Init_fsdb();
+VALUE method_init(VALUE self);
+VALUE method_setup(VALUE self);
+VALUE method_put(VALUE self, VALUE string);
+VALUE method_debug(VALUE self);
+VALUE method_get(VALUE self, VALUE num);
+VALUE method_length(VALUE self);
+VALUE method_contains(VALUE self, VALUE string);
+VALUE method_intern(VALUE self, VALUE string);
+VALUE method_lookup(VALUE self, VALUE num);
+VALUE method_write(VALUE self, VALUE path);
+VALUE method_read(VALUE self, VALUE path);
+VALUE method_each_name(VALUE self);
+VALUE method_select_index(VALUE self, VALUE target);
+
+void Init_fsdb() {
+  fsdb_klass = rb_define_class("FSDB", rb_cObject);
+
+  rb_define_singleton_method(fsdb_klass, "new",  method_setup, 0);
+  rb_define_singleton_method(fsdb_klass, "read", method_read,  1);
+
+  rb_define_method(fsdb_klass, "put",       method_put,       1);
+  rb_define_method(fsdb_klass, "[]",        method_get,       1);
+  rb_define_method(fsdb_klass, "debug",     method_debug,     0);
+  rb_define_method(fsdb_klass, "length",    method_length,    0);
+  rb_define_method(fsdb_klass, "contains",  method_contains,  1);
+  rb_define_method(fsdb_klass, "intern",    method_intern,    1);
+  rb_define_method(fsdb_klass, "lookup",    method_lookup,    1);
+  rb_define_method(fsdb_klass, "write",     method_write,     1);
+  rb_define_method(fsdb_klass, "each_name", method_each_name, 0);
+  rb_define_method(fsdb_klass, "select_index", method_select_index, 1);
+}
+
+VALUE method_setup(VALUE self) {
+  fsdb *f;
+  f = (fsdb *) malloc(sizeof(fsdb));
+  *f = fsdb_init(1 << 19);
+  return Data_Wrap_Struct(fsdb_klass, NULL, fsdb_free, f);
+}
+
+VALUE method_put(VALUE self, VALUE string) {
+  char *s = StringValueCStr(string);
+  fsdb *f;
+  Data_Get_Struct(self, fsdb, f);
+  return UINT2NUM((fsdb_insert_path(f, s) / sizeof(uint32_t)) - 1);
+}
+
+VALUE method_debug(VALUE self) {
+  fsdb *f;
+  Data_Get_Struct(self, fsdb, f);
+  printf(" # Count:  %d\n", f->count);
+  vault_info(f->strings, "Strings");
+  hexdump(f->strings.base, 256);
+
+  vault_info(f->paths, "Paths");
+  hexdump(f->paths.base,   256);
+
+  vault_info(f->index, "Index");
+  hexdump(f->index.base,   256);
+
+  hash_info(f->hash);
+  return Qtrue;
+}
+
+VALUE method_get(VALUE self, VALUE num) {
+  fsdb *f;
+  VALUE ret;
+  unsigned int i;
+
+  i = NUM2UINT(num) + 1;
+  Data_Get_Struct(self, fsdb, f);
+
+  if(i > 0 && i <= f->count) {
+    char *name = fsdb_get_id(*f, i);
+    ret = rb_str_new_cstr(name);
+    free(name);
+    return ret;
+  } else {
+    return Qnil;
+  }
+}
+
+VALUE method_contains(VALUE self, VALUE string) {
+  char *s = StringValueCStr(string);
+  fsdb *f;
+  int i;
+  VALUE ret = rb_eval_string_protect("[]", &i);
+  char *buffer;
+  int buflen;
+
+  buflen = 1024;
+  buffer = (char *)malloc(buflen);
+
+  Data_Get_Struct(self, fsdb, f);
+  for(i = 1; i <= f->count; i++) {
+    char *name = fsdb_get_id(*f, i);
+    int len    = strlen(name);
+
+    while(len + 1 > buflen) {
+      buflen = buflen * 2;
+      buffer = realloc(buffer, buflen + 1);
+    }
+    
+    strncpy(buffer, name, len + 1);
+    for(char *p = buffer; *p; p++)
+      *p = tolower(*p);
+
+    if(strstr(buffer, s)) {
+      rb_funcall(ret, rb_intern("<<"), 1, rb_str_new_cstr(name));
+    }
+
+    free(name);
+  }
+  
+  return ret;
+}
+
+VALUE method_length(VALUE self) {
+  fsdb *f;
+  Data_Get_Struct(self, fsdb, f);
+  return UINT2NUM(f->count);
+}
+
+VALUE method_intern(VALUE self, VALUE string) {
+  char *s;
+  fsdb *f;
+
+  s = StringValueCStr(string);
+  Data_Get_Struct(self, fsdb, f);
+
+  return UINT2NUM(fsdb_intern(f, s));
+}
+
+VALUE method_lookup(VALUE self, VALUE num) {
+  fsdb *f;
+  char *s;
+
+  Data_Get_Struct(self, fsdb, f);
+  s = (char *)vault_get(f->strings, NUM2UINT(num));
+
+  return rb_str_new_cstr(s);
+}
+
+VALUE method_write(VALUE self, VALUE path) {
+  char *p = StringValueCStr(path);
+  fsdb *f;
+  FILE *out;
+  Data_Get_Struct(self, fsdb, f);
+
+  if(!(out = fopen(p, "wb"))) {
+    return Qnil;
+  }
+  
+  fwrite(f, sizeof(fsdb), 1, out);
+  fwrite(f->strings.base, 1, f->strings.size, out);
+  fwrite(f->paths.base, 1, f->paths.size, out);
+  fwrite(f->index.base, 1, f->index.size, out);
+  hash_write(f->hash, out);
+
+  fclose(out);
+
+  return Qtrue;
+}
+
+VALUE method_read(VALUE self, VALUE path) {
+  char *p = StringValueCStr(path);
+  fsdb *f;
+  FILE *in;
+
+  f = (fsdb *) malloc(sizeof(fsdb));
+  
+  if(!(in = fopen(p, "rb"))) {
+    return Qnil;
+  }
+
+  fread(f, sizeof(fsdb), 1, in);
+
+  f->strings.base = (uint8_t *) malloc(f->strings.size);
+  f->paths.base   = (uint8_t *) malloc(f->paths.size);
+  f->index.base   = (uint8_t *) malloc(f->index.size);
+
+  fread(f->strings.base, 1, f->strings.size, in);
+  fread(f->paths.base,   1, f->paths.size,   in);
+  fread(f->index.base,   1, f->index.size,   in);
+  f->hash = hash_read(in);
+
+  fclose(in);
+
+  return Data_Wrap_Struct(fsdb_klass, NULL, fsdb_free, f);
+}
+
+VALUE method_each_name(VALUE self) {
+  if(rb_block_given_p()) {
+    fsdb *f;
+    char *top, *cursor;
+
+    Data_Get_Struct(self, fsdb, f);
+    cursor = (char *)(f->strings.base + 4);
+    top    = f->strings.top + ((char *)f->strings.base);
+
+    while(cursor < top) {
+      int len = strlen(cursor);
+      VALUE name = rb_str_new(cursor, len);
+      VALUE num  = UINT2NUM(cursor - ((char *)f->strings.base));
+      rb_yield_values(2, name, num);
+      cursor += len + 1;
+    }
+    return Qtrue;
+  }
+  return Qnil;
+}
+
+VALUE method_select_index(VALUE self, VALUE target) {
+  uint32_t index = 0;
+  uint32_t value = NUM2UINT(target);
+  uint32_t sep   = 0x48544150;
+
+  if(rb_block_given_p()) {
+    fsdb *f;
+    uint32_t *top, *cursor;
+
+    Data_Get_Struct(self, fsdb, f);
+
+    cursor = ((uint32_t *)(f->paths.base)) + 1;
+    top    = (uint32_t *)(f->paths.top + ((char *)f->paths.base));
+    
+    while(cursor < top) {
+      fflush(stdout);
+      while(*cursor != sep) {
+	if(*cursor == value && *(cursor+1) == sep) {
+	  rb_yield(UINT2NUM(index));
+	}
+	cursor++;
+      }
+      cursor++;
+      index++;
+    }
+    
+    return Qtrue;
+  }
+  return Qnil;
+}