plunder 2.0.0a

data/lib/core/io.rb

@@ -0,0 +1,84 @@
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+module Plunder
+  module PlunderIO
+    def banner
+      puts ""
+      puts "\x1b[34;1m------------------------------------------------------------------------------\x1b[0m"
+      puts "\x1b[32;1m        Plunder - SMB Scanner - by Joshua Stone - yakovdk@gmail.com\x1b[0m"
+      puts "\x1b[34;1m------------------------------------------------------------------------------\x1b[0m"
+      puts ""
+      puts(Report.colorize("                  <gra>Plunder, Copyright (C) 2017 Joshua Stone\n" +
+                           "           Plunder comes with ABSOLUTELY NO WARRANTY; for details\n" +
+                           "           refer to the file 'LICENSE' in the source distribution.<rst>"))
+      puts ""
+    end
+
+    def usage
+      puts "usage: plunder <cmd> [args...]"
+      puts ""
+      puts " Description:"
+      puts " ------------"
+      puts ""
+      puts " Plunder is an SMB share enumeration and scanning tool that can be used for"
+      puts " security assessments, penetration tests, risk analysis, or auditing.  The"
+      puts " core of Plunder is a tunable, highly efficient, breadth-first share scanner"
+      puts " that quickly indexes an environment according to a specified config file."
+      puts ""
+      puts " Commands:"
+      puts " ---------"
+      puts ""
+      puts "  CMD     ARGS             DESCRIPTION"
+      puts "  ---     ----             -----------"
+      puts "  init    <name>           Initialize config file for new project"
+      puts "  scan    <cfg>  <depth>   Scan using indicated config to indicated depth"
+      puts "  target  <cfg>  <ip>      Add <ip> to list of targets in config file"
+      puts "  targets <cfg>  [<file>]  Add targets from STDIN or indicated file"
+      puts "  search  <cfg>  <expr>    Search filenames for <expr>"
+      puts "  mirror  <cfg>  [<file>]  Mirror files by ID from STDIN or indicated file"
+      puts "  listing <cfg>            List all files and IDs"
+      puts "  summary <cfg>            Describe current configuration"
+      puts "  debug   <cfg>            Sets up scanner and enters pry (if 'pry' exists)"
+      puts "  client  <cfg>            Rudimentary interactive SMB client"
+      puts ""
+      puts "  creds   <cfg>  <dom> <user> <pass>"
+      puts "                           Set indicated credentials for scan config"
+      puts ""
+      puts " Note that for downloading purposes, files are to be referenced by ID, which"
+      puts " is a unique index into the FS database.  This can be obtained via the "
+      puts " 'listing' command or by searching for matches with 'search'."
+      puts ""
+      puts " Procedure:"
+      puts " ----------"
+      puts ""
+      puts "   1. Run 'plunder init foo' to create a config file"
+      puts "   2. Edit the config file (foo.yaml)"
+      puts "   3. Add targets, e.g. with 'plunder targets foo ips.txt'"
+      puts "   4. Scan to desired depth: 'plunder scan foo 8'"
+      puts "   5. Search for interesting files: 'plunder search foo \"^web.config\$\""
+      puts "   6. Save IDs: \"... | grep ^FILE | awk '{print $2}'\" > ids.txt"
+      puts "   7. Mirror the interesting files: 'plunder mirror foo < ids.txt'"
+      puts ""
+    end      
+
+    module_function :usage
+    module_function :banner
+  end
+end

data/lib/core/plunder.rb

@@ -0,0 +1,208 @@
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+require 'fileutils'
+require 'time'
+
+require_relative '../../ext/fsdb/fsdb.so'
+require_relative '../../ext/smbclient/smbclient.so'
+require_relative 'report.rb'
+require_relative 'analyzer.rb'
+require_relative 'agent.rb'
+require_relative 'target.rb'
+
+module Plunder
+  class Plunder
+    attr_accessor :name, :client, :fsdb, :next, :depth, :clients, :pool, :agents, :targets, :config
+
+    def initialize(name)
+      @name    = name
+      @config  = YAML.load(File.read(name + ".yaml"))
+      @fsdb    = FSDB.new
+      @targets = @config[:targets].map { |i| Target.new i }
+      @count   = 0
+      @depth   = 0
+      @dom     = @config[:domain]
+      @user    = @config[:user]
+      @pass    = @config[:pass]
+      @dbmut   = Mutex.new
+      @agmut   = Mutex.new
+      @iomut   = Mutex.new
+      @percent = 0
+      
+      @analyzer = Analyzer.new(@config)
+      @analyzer.run
+
+      @config[:tarpit]  = @config[:tarpit].to_i
+      @config[:threads] = @config[:threads].to_i
+
+      @agents = []
+      @config[:threads].times { @agents << Agent.new(@dom, @user, @pass) }
+
+      @client  = SMBClient.new(@dom, @user, @pass)
+
+      Report.notify("Tarpit threshold is #{@config[:tarpit]} subdirs")
+    end
+
+    def load
+      if File.exists? @config[:file]
+        @fsdb = FSDB.read(@config[:file])
+        Report.notify("Loaded FSDB from '<grn>#{@config[:file]}<rst>'")
+      else
+        Report.notify("FSDB file at <grn>#{@config[:file]}<rst> does not exist yet")
+      end
+    end
+
+    def mirror(url)
+      fields = url.split(/\//)
+      localdir = "./mirror/" + fields[2..-2].join("/")
+      FileUtils::mkdir_p localdir
+      open(localdir + "/" + fields[-1], "w") do |file|
+        content = @client.slurp(url)
+        file.write(content)
+      end
+    end
+
+    def save
+      file = @config[:file]
+      @fsdb.write(file)
+      Report.notify("Wrote output to '<grn>#{file}<rst>'")
+    end
+
+    def scan(depth)
+      return if depth == 0
+
+      @depth += 1
+
+      Report.notify("<mag>#{Time::now.to_s}<rst> : Starting scan at depth <grn>#{@depth}<rst>" + " " * 25)
+      
+      length = @targets.inject(0) { |i,j| i + j.paths.length }
+      count  = 0
+
+      return if length == 0
+
+      @targets.each do |target|
+        agent = free_agent
+        Thread.new(target, agent) do |t, a|
+          t.paths.each do |path|
+            t.rest += scan_path(path, a)
+            count += 1
+            stats(count, length)
+          end
+          a.checkin
+          t.paths = t.rest
+          t.rest = []
+        end
+      end
+
+      sleep 0.1 until @agents.all? { |a| a.free }
+
+      clear_line
+
+      self.scan(depth - 1)
+    end
+
+    def free_agent
+      while true
+        @agents.each do |agent|
+          if agent.free
+            return agent.checkout
+          end
+        end
+        sleep 0.1
+      end
+    end
+
+    def stats(count, total)
+      amount = (100.0 * count / total).floor
+      if amount != @last
+        @iomut.synchronize do
+          @last = amount
+          clear_line
+          print("      Progress: #{amount} % (#{@fsdb.length})")
+          STDOUT.flush
+        end
+      end
+    end
+
+    def clear_line
+      100.times { print("\x08") }
+      STDOUT.flush
+    end
+
+    def scan_path(path, agent)
+      path += "/" unless path.end_with? "/"
+      fields  = path.split(/\//)[2..-1]
+      rest    = []
+
+      listing = agent.list path
+      if listing == nil
+        Report.error("Authentication failure at #{path}, exiting for safety!")
+        exit!
+      end
+      (dirs, files) = listing
+      @count += files.length
+      
+      files.each do |file|
+        url = "#{path}#{file}"
+        index = 0
+        @dbmut.synchronize { index = @fsdb.put("#{path}#{file}/") }
+        @analyzer << [path, file, url, index]
+        mirror(url) if @analyzer.mirror?(path, file)
+      end
+      
+      if dirs.length > @config[:tarpit]
+        Report.warning("TARPIT: #{path}, truncating to #{@config[:tarpit]}")
+        dirs = dirs[0..@config[:tarpit]]
+      end
+      
+      dirs.each  do |dir|
+        rest << "#{path}#{dir}" if scan_dir?(path, dir)
+      end
+      
+      return rest
+    end
+    
+    def filter(list, dir)
+      list.each do |entry|
+        return true if dir =~ /#{entry}/i
+      end
+      return false
+    end
+    
+    def scan_dir?(target, dir)
+      return false if filter(@config[:blacklist][:dirs], dir)
+      if @depth == 1
+        return false if filter(@config[:blacklist][:shares], dir)
+      end
+      return true
+    end
+
+    def select_files(expr, &block)
+      @fsdb.each_name do |name, index|
+        if name =~ /#{expr}/i
+          fsdb.select_index(index) do |id|
+            yield(fsdb[id], id)
+          end
+        end
+      end
+    end
+    
+  end
+end

data/lib/core/report.rb

@@ -0,0 +1,78 @@
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+require 'time'
+require 'thread'
+
+module Plunder
+  class Report
+    @@log = nil
+    @@mut = Mutex.new
+
+    def Report.init(file)
+      now = Time::now
+      stamp = sprintf("%04d-%02d-%02d-%02d:%02d:%02d",
+                      now.year, now.month, now.day,
+                      now.hour, now.min, now.sec)
+      name = "#{file}_#{stamp}.log"
+      self.notify(colorize("Logging hits to '<grn>#{name}<rst>'"))
+      @@log = open(name, "a") unless @@log
+      @@log.puts("CONTROL #{Time::now().to_s} init log")
+    end
+    
+    def Report.notify(message)
+      @@mut.synchronize do
+        puts("  [-] #{colorize(message)}")
+      end
+    end
+
+    def Report.error(message)
+      @@mut.synchronize do
+        puts(colorize("  [!] <red>ERROR:<rst> #{message}"))
+      end
+    end
+
+    def Report.colorize(str)
+      return str.
+               gsub("<gra>", "\x1b[30;1m").
+               gsub("<red>", "\x1b[31;1m").
+               gsub("<grn>", "\x1b[32;1m").
+               gsub("<yel>", "\x1b[33;1m").
+               gsub("<blu>", "\x1b[34;1m").
+               gsub("<mag>", "\x1b[35;1m").
+               gsub("<cya>", "\x1b[36;1m").
+               gsub("<whi>", "\x1b[37;1m").
+               gsub("<rst>", "\x1b[0m")
+    end
+
+    def Report.warning(name)
+      @@mut.synchronize do
+        puts(colorize("  [!] <yel>WARNING:<rst> #{message}"))
+      end
+    end
+    
+    def Report.alert(name)
+      @@mut.synchronize do
+        # puts(colorize("  [+] #{name}"))
+        @@log.puts("ALERT   " + name) if @@log
+      end
+    end
+
+  end
+end

data/lib/core/target.rb

@@ -0,0 +1,33 @@
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+require 'uri'
+
+module Plunder
+  class Target
+    attr_accessor :url, :paths, :rest, :host
+
+    def initialize(url)
+      @host = URI::parse(url).host
+      @url = url
+      @paths = [url]      
+      @rest = []
+    end
+  end
+end    

data/lib/core/tree.rb

@@ -0,0 +1,59 @@
+#
+# Plunder - SMB scanning and auditing tool
+# Copyright (C) 2017 Joshua Stone
+# 
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# 
+
+class Tree
+  attr_accessor :root, :node, :children
+
+  def initialize(nodeid)
+    @node = nodeid
+    @children = {}
+  end
+
+  def <<(child)
+    @children[child.node] << child
+  end
+
+  def [](id)
+    return @children[id]
+  end
+
+  def insert(nodes)
+    return unless nodes.length > 0
+    @children[nodes[0]] = Tree.new(nodes[0]) unless @children[nodes[0]]
+    @children[nodes[0]].insert(nodes[1..-1])
+  end
+
+  def member?(id)
+    return @children[id] ? true : false
+  end
+
+  def pprint(fsdb=nil, depth=0)
+    if @node > 0
+      print " " + " + " * (depth - 1)
+      puts (fsdb ? fsdb.lookup(@node) : @node.to_s)
+    end
+
+    @children.each do |id,child|
+      child.pprint(fsdb, depth + 1)
+    end
+
+    return true
+  end
+end
+