plunder 2.0.0a

data/lib/core/agent.rb

@@ -0,0 +1,67 @@
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+module Plunder
+  class Agent
+    attr_accessor :free
+    
+    def initialize(domain, user, pass)
+      path = File.dirname(__FILE__)
+      @pipe = IO.popen("#{path}/../../bin/agent", "r+")
+      @pipe.puts domain
+      @pipe.puts user
+      @pipe.puts pass
+      @free = true
+    end
+
+    def checkout
+      @free = false
+      return self
+    end
+
+    def checkin
+      @free = true
+    end
+
+    def list(target)
+      dirs  = []
+      files = []
+      
+      @pipe.puts target
+      
+      while true
+        line = @pipe.readline.chomp
+        case line[0]
+        when "D"
+          dirs << line[2..-1]
+        when "F"
+          files << line[2..-1]
+        when "C"
+          break
+        when "E"
+          Report.error("'<cya>#{target}<rst>' authentication failure!")
+          exit!
+        end
+      end
+
+      return [dirs, files]
+    end
+
+  end
+end

data/lib/core/analyzer.rb

@@ -0,0 +1,84 @@
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+require 'thread'
+
+module Plunder
+  class Analyzer
+    attr_accessor :config, :queue
+
+    def initialize(conf)
+      @config = conf
+      @queue  = Queue.new
+    end
+    
+    def mirror?(dir, file)
+      url = "#{dir}#{file}"
+      ext = File.extname(file).downcase
+      @config[:mirror].each do |(kind, match, size)|
+        case kind
+        when :filename
+          return size if file =~ /#{match}/i
+        when :path
+          return size if url =~ /#{match}/i
+        end
+      end
+      return nil
+    end
+
+    def <<(value)
+      @queue << value
+    end
+
+    def alert?(dir, file)
+      url = "#{dir}#{file}"
+      ext = File.extname(file).downcase
+      @config[:alert].each do |(kind, match)|
+        case kind
+        when :filename
+          return true if file =~ /#{match}/i
+        when :path
+          return true if url =~ /#{match}/i
+        when :extensions
+          match.each do |entry|
+            return true if ext == entry
+          end
+        end
+      end
+      return false
+    end
+
+    def run
+      Thread.new do
+        Report.notify("Started analysis thread")
+        while true
+          (path, file, url, id) = @queue.pop
+          begin
+          if alert?(path, file)
+            Report.alert(sprintf("%8d %s", id, URI::decode(url)))
+          end
+          rescue Exception => e
+            STDERR.puts "#{e.class} : #{e.message}"
+          end
+        end
+      end
+    end
+
+  end
+end

data/lib/core/client.rb

@@ -0,0 +1,163 @@
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+require 'pp'
+
+module Plunder
+  class Client
+    def initialize(plunder)
+      @plunder = plunder
+      @done    = false
+      @current = []
+      @next    = list_targets
+    end
+    
+    def repl
+      until @done
+        begin
+          handle(prompt)
+        rescue EOFError
+          puts ""
+          exit!
+        end
+      end
+    end
+
+    def where
+      return "smb://" + @current.join("/")
+    end
+
+    def prompt
+      print(Report.colorize(" <blu>Plunder <cya>#{where} <blu>><rst> "))
+      STDOUT.flush
+      return readline
+    end
+
+    def handle(cmd)
+      cmd.strip!
+      fields = cmd.split(/\s(?=(?:[^"]|"[^"]*")*$)/)
+      command = fields.shift
+      case command
+      when "cd"
+        path = fields[0].gsub(/\"/, "")
+        if path == "/"
+          chdir("/")
+        elsif path.start_with? "smb://"
+          chdir("/")
+          path.split(/\//)[2..-1].each do |seg|
+            break unless chdir(seg)
+          end
+        else
+          path.split(/\//).each do |seg|
+            break unless chdir(seg)
+          end
+        end
+      when "whoami"
+        whoami
+      when "ls"
+        list
+      when "quit"
+        @done = true
+      when "exit"
+        @done = true
+      when "cat"
+        if fields[0].start_with? "smb://"
+          cat fields[0]
+        else
+          cat(where + "/" + fields[0])
+        end
+      when "mirror"
+        if fields.length > 1
+          fields.each do |file|
+            path = URI::encode(where + "/" + file)
+            puts(Report.colorize(" mirroring '<cya>#{path}<rst>'"))
+            @plunder.mirror(path)
+          end
+        end
+      else
+        puts(Report.colorize("Unknown or malformed command <red>#{cmd}<rst>!"))
+      end
+    end
+      
+    def list
+      here = where
+      puts ""
+      @next[0].each do |dir|
+        puts(Report.colorize(" <grn>D<cya> #{dir}<rst>"))
+      end
+      @next[1].each do |file|
+        puts(Report.colorize("   #{file}"))
+      end
+      puts ""
+    end
+
+    def list_next
+      if @current == []
+        @next = list_targets
+      else
+        @next = @plunder.client.list(where + "/")
+        @next.each { |i| i.map! { |j| URI::decode j } }
+      end
+    end      
+
+    def chdir(sub)
+      if sub == ".."
+        @current.pop
+      elsif sub == "."
+      elsif sub == "/"
+        @current = []
+      elsif available(sub)
+        @current.push(sub)
+      else
+        puts(Report.colorize(" <red>ERROR<rst> cannot find or access '<cya>#{sub}<rst>'"))
+      end
+      list_next
+    end
+
+    def available(child)
+      @next[0].each do |dir|
+        return true if dir.downcase == child.downcase
+      end
+      return false
+    end
+    
+    def display(res)
+      pp res
+    end
+    
+    def list_targets
+      @next = [@plunder.targets.collect { |i| i.host }, []]
+    end
+
+    def cat(url)
+      puts @plunder.client.slurp(url)
+    end
+    
+    def whoami
+      dom = @plunder.config[:domain]
+      usr = @plunder.config[:user]
+      pwd = @plunder.config[:pass]
+
+      puts ""
+      puts(Report.colorize(" User:     <grn>#{dom}<gra>\\<grn>#{usr}<rst>"))
+      puts(Report.colorize(" Password: <grn>#{pwd}<rst>"))
+      puts ""
+    end
+  end
+end

data/lib/core/commands.rb

@@ -0,0 +1,53 @@
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+require_relative 'report.rb'
+
+module Plunder
+  class Commands
+    attr_accessor :commands
+
+    def initialize(&block)
+      @commands = {}
+      instance_eval(&block)
+    end
+
+    def command(name, &block)
+      @commands[name] = block
+    end
+
+    def run(args)
+      @args = args
+      cmd = next_arg
+      punt("not enough arguments") unless @commands[cmd]
+      instance_eval(&@commands[cmd])
+    end
+
+    def next_arg()
+      punt("not enough arguments") unless @args.length > 0
+      return @args.shift
+    end
+
+    def punt(message)
+      Report.error(message)
+      puts
+      exit 2
+    end
+  end
+end

data/lib/core/config.rb

@@ -0,0 +1,103 @@
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+module Plunder
+  class Config
+    attr_accessor :config, :path
+    
+    def Config.default(name)
+      return {
+        :domain    => "WORKGROUP",
+        :user      => "guest",
+        :pass      => "",
+        :file      => "#{name}.dat",
+        :threads   => 8,
+        :blacklist => {
+          :dirs    => ['winsxs'],
+          :shares  => ['admin%24', 'ipc%24', 'print%24', 'c%24']
+        },
+        :tarpit    => 10000,
+        :mirror => [
+
+          # type      regex                             max download (bytes)
+          # ----      -----                             --------------------
+          [:filename, '^web\.config$',                  1E6],
+          [:filename, '^passwd$',                       1E6],
+          [:filename, '^shadow$',                       1E6],
+          [:filename, '\.netrc$',                       1E6],
+          [:filename, 'password.*(docx|doc|xls|xlsx)$', 1e6],
+          [:filename, 'credit.*card',                   1e9],
+          [:filename, '\.yaml$',                        1E6],
+          [:filename, '\.htaccess$',                    1E6],
+          [:filename, '\.kdbx$',                        1E7],
+          [:path,     'SYSVOL.*groups.xml$',            1E6],
+          [:path,     'SYSVOL.*drives.xml$',            1E6],
+          [:path,     'SYSVOL.*datasources.xml$',       1E6],
+          [:path,     'SYSVOL.*printers.xml$',          1E6],
+          [:path,     'SYSVOL.*services.xml$',          1E6],
+          [:path,     'SYSVOL.*scheduledtasks.xml$',    1E6],
+          [:path,     'NETLOGON.*\.(bat|vbs)$',         1E6]
+        ],
+        :alert => [
+          [:filename, 'passw'],
+          [:filename, 'datab'],
+          [:filename, 'card'],
+          [:filename, 'account'],
+          [:extensions, ['.bat', '.asp', '.aspx', '.php', '.vbs', '.xml', '.conf', 
+                         '.config', '.sql', '.vmdk']]
+        ],
+        :targets => [ ]
+      }
+    end
+
+    def initialize(path)
+      unless File.exists? path
+        puts "\x1b[31;1mError:\x1b[0m #{path} does not exist"
+        exit 3
+      end
+
+      @path   = path
+      @config = YAML.load(File.read(path))
+    end
+
+    def [](value)
+      return @config[value]
+    end
+
+    def []=(name, value)
+      return @config[name] = value
+    end
+
+    def save
+      File.open(@path, "w") do |file|
+        file.write(@config.to_yaml)
+      end
+    end
+
+    def add_target(url)
+      if @config[:targets].member? url
+        puts "  [+] '\x1b[31;1m#{url}\x1b[0m' already in target list"
+      else      
+        @config[:targets] << url
+        save
+        puts "  [+] '\x1b[31;1m#{url}\x1b[0m' added to target list"
+      end
+    end      
+  end
+end