last github update

peterpt · Dec 8, 2018 · 17aa361 · 17aa361
1 parent 9a62e2d
commit 17aa361
Show file tree

Hide file tree

Showing 11 changed files with 272 additions and 63 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,5 @@
 ##----------Eternal Check (Changelog) --------------- 
 
-
+* 2.0 - Implemented Architouch and RPCTouch where Archtouch uses port 49152 (case opened) in target to retrieve achitecture & RPC touch will retrieve accurate OS Version
 * 1.1 - Added Eagerlever Vulnerability check & alternative smbv1 check to port 139 in case port 445 is not opened on target
 * 1.0 - First Release
diff --git a/README.md b/README.md
@@ -1,6 +1,4 @@
-# Project moved to : https://gitlab.com/peterpt/eternal_check
-
-## Eternal Check
+## Eternal Check 2.0
 
 * Eternal Check verifies if an ip is vulnerable to the smb vulnerabilities 
 - Eternal Blue 
@@ -10,10 +8,13 @@
 - Erraticgopher SMB v1 Exploit (Windows XP & Server 2003)
 - Eagerlever SMB v1 Exploit (Windows XP & 2000)
 
-
 # Screenshots
-<img src="https://s14.postimg.cc/nerjpjatt/echeck.jpg" width="55%"></img>
-* <img src="https://s14.postimg.cc/sz4108ua9/echeck2.jpg" width="25%"></img><img src="https://s14.postimg.cc/4vd9byjj5/echeck3.jpg" width="25%"></img><img src="https://s14.postimg.cc/slcha227l/erratic.jpg" width="25%"></img><img src="https://s31.postimg.cc/4mwf576ez/echeck11.jpg" width="25%"></img>
+<img src="https://s22.postimg.cc/ypjtt6wfl/echeck20.png" width="55%"></img>
+* <img src="https://s22.postimg.cc/6pfq90nv5/echeck2-2003.png" width="25%"></img><img src="https://s22.postimg.cc/v5xw3i41d/echeck2.png" width="25%"></img><img src="https://s22.postimg.cc/n1udc79hd/echeck2b.png" width="25%"></img>
+
+# Added in 2.0
+* Architouch (uses port 49152 "In case opened" in remote ip to retrieve OS architecture)
+* RpcTouch (uses also SMB port to retrieve OS version)
 
 # Eternal Check Running (Video)
 * Eternal Check 1.0 : https://www.youtube.com/watch?v=rQBCELDPiok
@@ -44,3 +45,6 @@ https://wiki.debian.org/Wine to know how to install wine32 on a 64bit machine
 * https://blogs.technet.microsoft.com/srd/2017/07/13/eternal-synergy-exploit-analysis/
 * https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/
 * https://en.wikipedia.org/wiki/EternalBlue
+
+# Last version 1.1
+* https://gitlab.com/peterpt/eternal_check/tree/Eternal_Check-1.1
diff --git a/echeck b/echeck
@@ -1,14 +1,17 @@
 #!/bin/bash
 #######################################################
 # Eternal Check                                       # 
-# Denveloped by peterpt at http://github.com/peterpt  #
+# Denveloped by peterpt at http://gitlab.com/peterpt  #
 #######################################################
 
 # Eternal check verifies if a supposed ip is vulnerable to
 # Eternal Blue / Eternal Romance / Eternal Champion / Eternal Synergy / Erraticgopher / EagleLever
 # Smb Vulnerabily 
 # https://www.rapid7.com/db/vulnerabilities/msft-cve-2017-0145
 # https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue
+# -------
+# In case the remote ip have the RPC port 49152 opened then Echeck will check if it is possible
+# to retrieve architecture from that ip
 # Colours
 cyan='\e[0;36m'
 green='\e[0;34m'
@@ -21,36 +24,44 @@ BlueF='\e[1;34m' #Biru
 RESET="\033[00m" #normal
 orange='\e[38;5;166m'
 #   --------------Variables------------------
-vers="1.1"
+vers="2.0"
 path=$(pwd)
 tools="cd $path/tools"
 tout="20s" # Timeout for smbtouch and namepipe processes in seconds when running
 # This means that if one of the executables get hanged then timeout var will kill them on that specific time
 
-rport="445"
+rport="139,445,49152" # Remote ports checked with nmap
 tconf="0" # Target confirmation online 0 means not checked , 1 means checked
 # Output Logs
 log="$path/log"
-nmplog="$path/nmlog"
+nmlog="$path/nmlog"
 nplog="$path/npout"   # Named Pipe
 stlog="$path/stout"   # SMB Touch
 eglog="$path/egout"   # ErraticGopher
+archlog="$path/archout" # Architouch
+rpclog="$path/rpcout" # RPCtouch
 # End logs
 
 # Main skeletons
+rpcskl="$path/xml/Rpctouch-2.1.0.Skeleton.xml"
+archskl="$path/xml/Architouch-1.0.0.Skeleton.xml"
 npskl="$path/xml/Namedpipetouch-2.0.0.Skeleton.xml"
 stskl="$path/xml/Smbtouch-1.1.1.Skeleton.xml"
 egskl="$path/xml/Erraticgophertouch-1.0.1.Skeleton.xml"
 # End Skeletons
 
 # Fuzzbunch Executables
+rpcexe="$path/tools/Rpctouch-2.1.0.exe"
+archexe="$path/tools/Architouch-1.0.0.exe"
 npexe="$path/tools/Namedpipetouch-2.0.0.exe"
 stexe="$path/tools/Smbtouch-1.1.1.exe"
 egexe="$path/tools/Erraticgophertouch-1.0.1.exe"
 elexe="$path/tools/elv.exe"
 # End Executables
 
 # Out Config
+archout="$path/tools/Architouch-1.0.0.xml"
+rpcout="$path/tools/Rpctouch-2.1.0.xml"
 npout="$path/tools/Namedpipetouch-2.0.0.xml"
 stout="$path/tools/Smbtouch-1.1.1.xml"
 egout="$path/tools/Erraticgophertouch-1.0.1.xml"
@@ -64,38 +75,19 @@ function ctrl_c() {
 srvstop
 }
 
-# Verifies if target have port 445 opened using nmap before proceed
-
-chknet () {
-tgt=$(nmap -Pn -p 445 $rhost )
-vrf=$(echo $tgt | grep "open")
-if [[ -z "$vrf" ]]
-then
-tgt=$(nmap -Pn -p 139 $rhost )
-vrf=$(echo $tgt | grep "open")
-if [[ -z "$vrf" ]]
-then
-echo ""
-echo -e "$yellow""* -$red It looks that $rhost does not have Netbios port 139 or Samba port 445 opened"
-sleep 5
-srvstop
-else
-rport="139"
-fi
-fi
-echo -e "$okegreen""* -$yellow$rhost$okegreen is online to be checked at TCP port $rport"
-tconf="1"
-}
-
 # Temporary files created during the execution of the tool
 delf () {
+rm -rf "$rpclog" >/dev/null 2>&1
+rm -rf "$rpcout" >/dev/null 2>&1		
+rm -rf "$archlog" >/dev/null 2>&1
+rm -rf "$archout" >/dev/null 2>&1	
 rm -rf "$nplog" >/dev/null 2>&1
 rm -rf "$npout" >/dev/null 2>&1	
 rm -rf "$egout" >/dev/null 2>&1	
 rm -rf "$stout" >/dev/null 2>&1	
 rm -rf "$log" >/dev/null 2>&1	
 rm -rf "$stlog" >/dev/null 2>&1	
-rm -rf "$nmplog" >/dev/null 2>&1
+rm -rf "$nmlog" >/dev/null 2>&1
 rm -rf "$eglog" >/dev/null 2>&1
 rm -rf "$path/tools/*.log" >/dev/null 2>&1
 }
@@ -123,6 +115,14 @@ elif [[ ! -f "$elexe" ]]
 then
 echo "Incomplete package , (eaglelever exe) missing"
 exit 1
+elif [[ ! -f "$archexe" ]]
+then
+echo "Incomplete package , (architouch exe) missing"
+exit 1
+elif [[ ! -f "$rpcexe" ]]
+then
+echo "Incomplete package , (rpctouch exe) missing"
+exit 1
 elif [[ ! -f "$npskl" ]]
 then
 echo "Incomplete package , (namedpipe skl) missing"
@@ -135,6 +135,14 @@ elif [[ ! -f "$egskl" ]]
 then
 echo "Incomplete package , (erraticgophertouch skl) missing"
 exit 1
+elif [[ ! -f "$archskl" ]]
+then
+echo "Incomplete package , (architouch skl) missing"
+exit 1
+elif [[ ! -f "$rpcskl" ]]
+then
+echo "Incomplete package , (rpctouch skl) missing"
+exit 1
 fi
 
 }
@@ -153,7 +161,7 @@ echo -e "$orange""*$okegreen      ██ ▄▄██▀▐█▐▀▀▪▄█
 echo -e "$orange""*$okegreen      ▐███▌██▌▐▀▐█▄▄▌▐███▌▐█.█▌        $orange *"
 echo -e "$orange""*$okegreen      ·▀▀▀ ▀▀▀ · ▀▀▀ ·▀▀▀ ·▀  ▀  $yellow $vers$orange   *" 
 echo -e "$orange""******************************************"
-echo -e "$orange""*$okegreen      http://github.com/peterpt         $orange*"
+echo -e "$orange""*$okegreen      http://gitlab.com/peterpt         $orange*"
 echo -e "$orange""******************************************"
 }
 
@@ -263,7 +271,7 @@ exit 1
 eglvr () {
 echo -e "$orange""* - Launching Eagerlever on$okegreen $rhost"	
 rm -rf $path/tools/*.log >/dev/null 2>&1
-lch=$(timeout "$tout" wine "elv.exe" -r 2 -i $rhost -p $rport -t 1 -b 3 -rpc >/dev/null 2>&1)
+lch=$(timeout "$tout" wine "elv.exe" -r 2 -i $rhost -p $rport -t 1 -b $elvprot -rpc >/dev/null 2>&1)
 lgfl=$(ls $path/tools/*.log | awk '{print$1}')
 if [[ ! -f "$lgfl" ]]
 then
@@ -290,7 +298,7 @@ echo ""
 cp "$egskl" "$egout"
 sed -i -e "s/RHOST/$rhost/g" $egout
 sed -i -e "s/RPORT/$rport/g" $egout	
-eg=$(timeout "$tout" wine Erraticgophertouch-1.0.1.exe)	
+eg=$(timeout "$tout" wine Erraticgophertouch-1.0.1.exe 2>&1)	
 echo "$eg" > "$eglog"
 egok=$(grep "target IS vulnerable" < $eglog)
 if [[ ! -z "$egok" ]]
@@ -300,7 +308,6 @@ else
 echo -e "$okegreen""* -$yellow $rhost$okegreen is not vulnerable to$yellow ERRATICGOPHER$okegreen Vulnerability "
 fi
 echo ""
-eglvr
 }	
 
 # Named pipe function to search for vulnerable SMB pipes on target
@@ -314,18 +321,18 @@ echo -e "$orange""* - Launching Namedpipe on$okegreen $rhost"
 cp "$npskl" "$npout"
 sed -i -e "s/RHOST/$rhost/g" $npout	
 sed -i -e "s/RPORT/$rport/g" $npout	
-np=$(timeout "$tout" wine Namedpipetouch-2.0.0.exe)	
+sed -i -e "s/PROT/$prot/g" $npout	
+np=$(timeout "$tout" wine Namedpipetouch-2.0.0.exe 2>&1)	
 echo "$np" > "$nplog"
 npok=$(grep "Pipe Found:" < $nplog | awk '{print$4}')
 if [[ ! -z "$npok" ]]
 then
 echo -e "$okegreen""* - Pipes Found on$yellow $rhost$yellow "
-cat $nplog | grep "Pipe Found:" | awk '{print$4}' | sed 's/[\PIPE\]//g' | tr "" "\n"
+grep "Pipe Found:" "$nplog" | awk '{print$4}' | sed 's/[\PIPE\]//g' | tr "" "\n"
 else
-echo -e "$okegreen""* - Unable to find aditional smbpipes"
+echo -e "$okegreen""* -$yellow Unable to find aditional smbpipes"
 fi
 echo ""
-egtouch	
 }	
 
 # Smbtouch verifies if the target ip is vulnerable to any of the exploits and also search for main windows pipes
@@ -335,11 +342,12 @@ smbtouch () {
 cp "$stskl" "$stout"
 sed -i -e "s/RHOST/$rhost/g" $stout
 sed -i -e "s/RPORT/$rport/g" $stout
+sed -i -e "s/PROT/$prot/g" $stout
 echo ""
 tools="cd $path/tools"
 echo -e "$orange""* - Launching Smbtouch on $okegreen $rhost"
 $tools
-st=$(timeout "$tout" wine Smbtouch-1.1.1.exe)
+st=$(timeout "$tout" wine Smbtouch-1.1.1.exe 2>&1)
 echo "$st" > "$stlog"
 sbosl=$(grep -n "Target OS" < $stlog | tr ":" "\n" | sed -n 1p)
 osvar=$((sbosl+1))
@@ -349,10 +357,7 @@ sbnv=$(grep "Target is not vulnerable" < $stlog)
 sbnvarch64=$(grep "64-bit" < $stlog | awk '{print$4}')
 sbnvarch32=$(grep "32-bit" < $stlog | awk '{print$4}')
 errort=$(sed -n "$osvar"p < $stlog | grep "SMB")
-if [[ ! -z "$errort" ]]
-then
-egtouch
-elif [[ ! -z "$osout" ]]
+if [[ ! -z "$osout" ]]
 then
 echo ""
 echo -e "$okegreen""* - Target OS :$yellow $osout"
@@ -370,12 +375,10 @@ if [[ ! -z "$sbfl" ]]
 then
 echo -e "$red""x - Unable to smbtouch on $rhost"
 echo ""
-namedpipe
 elif [[ ! -z "$sbnv" ]]
 then
-echo -e "$red""x - Unable to smbtouch on $rhost"
 echo ""
-namedpipe
+echo -e "$red""x - Unable to smbtouch on $rhost"
 fi
 
 # Vulnerable to some exploit
@@ -402,7 +405,6 @@ if [[ ! -z "$stvlnpp" ]]
 then
 echo -e "$okegreen""* - Available pipes :$yellow $stvlnpp"
 fi
-namedpipe
 }
 
 
@@ -419,13 +421,6 @@ echo -e "$yellow" "Invalid IP"
 sleep 3
 clear && logo && target
 fi
-
-# Quick checking with nmap on user provided ip 
-if [[ "$tconf" == "0" ]]
-then
-chknet
-fi 
-smbtouch
 else
 inv=$(echo "$rhost" | grep [a-zA-Z] )
 if [[ ! -z "$inv" ]]
@@ -436,13 +431,93 @@ rhost=""
 sleep 3
 clear && logo && target
 fi
-smbtouch
+chknet
 fi
+chknet
 }
+rpctouch() {
+cp "$rpcskl" "$rpcout"
+sed -i -e "s/RHOST/$rhost/g" $rpcout
+sed -i -e "s/RPORT/$rport/g" $rpcout
+sed -i -e "s/PROT/$prot/g" $rpcout
+echo ""
+tools="cd $path/tools"
+echo -e "$orange""* - Launching Rpctouch on $okegreen $rhost"
+$tools
+rpct=$(timeout "$tout" wine Rpctouch-2.1.0.exe 2>&1)
+echo "$rpct" > "$rpclog"
+successrpc=$(grep "SMB String:" < "$rpclog" | awk '{$1=$2=$3=""; print $0}' | sed 's/^ *//')	
+echo ""
+if [[ ! -z "$successrpc" ]]
+then
+echo -e "$okegreen""* - Target OS :$yellow $successrpc"
+else
+echo -e "$red""* - Unable to retrive RPC info from$yellow $rhost"
+fi		
+}
+
+#Architouch uses remote port 49152 to retrieve host OS Architecture	
+archtouch(){
+cp "$archskl" "$archout"
+sed -i -e "s/RHOST/$rhost/g" $archout
+echo ""
+tools="cd $path/tools"
+echo -e "$orange""* - Launching Architouch on $okegreen $rhost$orange using port$yellow 49152"
+$tools
+archt=$(timeout "$tout" wine Architouch-1.0.0.exe 2>&1)
+echo "$archt" > "$archlog"
+success=$(grep "Target is" < "$archlog" | awk '{$1=$2=$3=""; print $0}' | sed 's/^ *//')	
+echo ""
+if [[ ! -z "$success" ]]
+then
+echo -e "$okegreen""* - Target Architecture :$yellow $success"
+echo ""
+else
+echo -e "$red""* - Unable to retrive Architecture from$yellow $rhost"
+echo ""
+fi
+}	
+# This function does a quick ip scan on remote host and check if specific ports are opened
+chknet () {
+nmap -Pn -p "$rport" "$rhost" -oN $nmlog >/dev/null 2>&1
+nbiosvrf=$(grep "open" < "$nmlog" | grep "139")
+smbvrf=$(grep "open" < "$nmlog" | grep "445")
+archvrf=$(grep "open" < "$nmlog" | grep "49152")
+if [[ ! -z "$archvrf" ]]
+then
+archtouch
+fi
+if [[ ! -z "$smbvrf" ]]
+then
+echo -e "$okegreen""Testing $yellow Samba (port 445)$okegreen on$yellow $rhost"
+prot="SMB"
+rport="445"
+elvprot="3"
+rpctouch && smbtouch && namedpipe && egtouch && eglvr && exit 1
+else
+if [[ ! -z "$nbiosvrf" ]]
+then
+echo -e "$yellow""SMB (port445)$okegreen not detected on$yellow $rhost"
+echo -e "$okegreen""Testing $yellow Netbios (port 139)$okegreen on$yellow $rhost"
+prot="NBT"
+rport="139"
+elvprot="2"
+rpctouch && smbtouch && namedpipe && eglvr && exit 1
+else
+echo ""
+echo -e "$yellow""* -$red It looks that $rhost does not have Netbios port 139 or Samba port 445 opened"
+sleep 5
+srvstop
+fi
+fi
+srvstop
+}
+
+
 if [ -z "$1" ]
 then
 intro && chkfls && delf && dep && servstart && logo && target 
 else
 rhost="$1"
-intro && chkfls && delf && dep  && servstart && logo && chknet && tconf="1" && target 
+intro && chkfls && delf && dep  && servstart && logo && chknet && target 
 fi