diff --git a/Changelog.md b/Changelog.md
index d9d01a9..a325906 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,5 @@
##----------Eternal Check (Changelog) ---------------
-
+* 2.0 - Implemented Architouch and RPCTouch where Archtouch uses port 49152 (case opened) in target to retrieve achitecture & RPC touch will retrieve accurate OS Version
* 1.1 - Added Eagerlever Vulnerability check & alternative smbv1 check to port 139 in case port 445 is not opened on target
* 1.0 - First Release
\ No newline at end of file
diff --git a/README.md b/README.md
index 719973e..ef4121c 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,4 @@
-# Project moved to : https://gitlab.com/peterpt/eternal_check
-
-## Eternal Check
+## Eternal Check 2.0
* Eternal Check verifies if an ip is vulnerable to the smb vulnerabilities
- Eternal Blue
@@ -10,10 +8,13 @@
- Erraticgopher SMB v1 Exploit (Windows XP & Server 2003)
- Eagerlever SMB v1 Exploit (Windows XP & 2000)
-
# Screenshots
-
-*
+
+*
+
+# Added in 2.0
+* Architouch (uses port 49152 "In case opened" in remote ip to retrieve OS architecture)
+* RpcTouch (uses also SMB port to retrieve OS version)
# Eternal Check Running (Video)
* Eternal Check 1.0 : https://www.youtube.com/watch?v=rQBCELDPiok
@@ -44,3 +45,6 @@ https://wiki.debian.org/Wine to know how to install wine32 on a 64bit machine
* https://blogs.technet.microsoft.com/srd/2017/07/13/eternal-synergy-exploit-analysis/
* https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/
* https://en.wikipedia.org/wiki/EternalBlue
+
+# Last version 1.1
+* https://gitlab.com/peterpt/eternal_check/tree/Eternal_Check-1.1
diff --git a/echeck b/echeck
index 1c518c4..fd99875 100755
--- a/echeck
+++ b/echeck
@@ -1,7 +1,7 @@
#!/bin/bash
#######################################################
# Eternal Check #
-# Denveloped by peterpt at http://github.com/peterpt #
+# Denveloped by peterpt at http://gitlab.com/peterpt #
#######################################################
# Eternal check verifies if a supposed ip is vulnerable to
@@ -9,6 +9,9 @@
# Smb Vulnerabily
# https://www.rapid7.com/db/vulnerabilities/msft-cve-2017-0145
# https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue
+# -------
+# In case the remote ip have the RPC port 49152 opened then Echeck will check if it is possible
+# to retrieve architecture from that ip
# Colours
cyan='\e[0;36m'
green='\e[0;34m'
@@ -21,29 +24,35 @@ BlueF='\e[1;34m' #Biru
RESET="\033[00m" #normal
orange='\e[38;5;166m'
# --------------Variables------------------
-vers="1.1"
+vers="2.0"
path=$(pwd)
tools="cd $path/tools"
tout="20s" # Timeout for smbtouch and namepipe processes in seconds when running
# This means that if one of the executables get hanged then timeout var will kill them on that specific time
-rport="445"
+rport="139,445,49152" # Remote ports checked with nmap
tconf="0" # Target confirmation online 0 means not checked , 1 means checked
# Output Logs
log="$path/log"
-nmplog="$path/nmlog"
+nmlog="$path/nmlog"
nplog="$path/npout" # Named Pipe
stlog="$path/stout" # SMB Touch
eglog="$path/egout" # ErraticGopher
+archlog="$path/archout" # Architouch
+rpclog="$path/rpcout" # RPCtouch
# End logs
# Main skeletons
+rpcskl="$path/xml/Rpctouch-2.1.0.Skeleton.xml"
+archskl="$path/xml/Architouch-1.0.0.Skeleton.xml"
npskl="$path/xml/Namedpipetouch-2.0.0.Skeleton.xml"
stskl="$path/xml/Smbtouch-1.1.1.Skeleton.xml"
egskl="$path/xml/Erraticgophertouch-1.0.1.Skeleton.xml"
# End Skeletons
# Fuzzbunch Executables
+rpcexe="$path/tools/Rpctouch-2.1.0.exe"
+archexe="$path/tools/Architouch-1.0.0.exe"
npexe="$path/tools/Namedpipetouch-2.0.0.exe"
stexe="$path/tools/Smbtouch-1.1.1.exe"
egexe="$path/tools/Erraticgophertouch-1.0.1.exe"
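Review bot: The comment on `rport="139,445,49152"` presents it as the nmap port list, but the same variable is later narrowed by `chknet` to a single value (`rport="445"` or `rport="139"`) and then substituted into the RPORT placeholder of the touch configs and passed to elv.exe, so it carries two differently shaped values over the run. A comment stating that would stop someone from adding a port here and expecting it to reach the touches, e.g. `rport="139,445,49152" # Ports probed by nmap; chknet overwrites this with the single port the touches use`. A separate variable for the scan list would keep the two roles from drifting.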
@@ -51,6 +60,8 @@ elexe="$path/tools/elv.exe"
# End Executables
# Out Config
+archout="$path/tools/Architouch-1.0.0.xml"
+rpcout="$path/tools/Rpctouch-2.1.0.xml"
npout="$path/tools/Namedpipetouch-2.0.0.xml"
stout="$path/tools/Smbtouch-1.1.1.xml"
egout="$path/tools/Erraticgophertouch-1.0.1.xml"
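Review bot: `archout` and `rpcout` point at `tools/Architouch-1.0.0.xml` and `tools/Rpctouch-2.1.0.xml`, while the files this commit adds under tools/ are `Architouch-1.0.0.0.xml` and `Rpctouch-2.1.0.0.xml`, with an extra `.0` and `%RHOST%`/`%RPORT%` placeholders, so either the executables read the committed files through a path the script does not control or one of the two is never used. If both are intended, a comment next to these assignments naming which file the exe actually loads would help; if not, the unused one should go. Note that `delf` removes the generated files but not the committed ones, which is consistent only if the exe reads the generated one.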
@@ -64,38 +75,19 @@ function ctrl_c() {
srvstop
}
-# Verifies if target have port 445 opened using nmap before proceed
-
-chknet () {
-tgt=$(nmap -Pn -p 445 $rhost )
-vrf=$(echo $tgt | grep "open")
-if [[ -z "$vrf" ]]
-then
-tgt=$(nmap -Pn -p 139 $rhost )
-vrf=$(echo $tgt | grep "open")
-if [[ -z "$vrf" ]]
-then
-echo ""
-echo -e "$yellow""* -$red It looks that $rhost does not have Netbios port 139 or Samba port 445 opened"
-sleep 5
-srvstop
-else
-rport="139"
-fi
-fi
-echo -e "$okegreen""* -$yellow$rhost$okegreen is online to be checked at TCP port $rport"
-tconf="1"
-}
-
# Temporary files created during the execution of the tool
delf () {
+rm -rf "$rpclog" >/dev/null 2>&1
+rm -rf "$rpcout" >/dev/null 2>&1
+rm -rf "$archlog" >/dev/null 2>&1
+rm -rf "$archout" >/dev/null 2>&1
rm -rf "$nplog" >/dev/null 2>&1
rm -rf "$npout" >/dev/null 2>&1
rm -rf "$egout" >/dev/null 2>&1
rm -rf "$stout" >/dev/null 2>&1
rm -rf "$log" >/dev/null 2>&1
rm -rf "$stlog" >/dev/null 2>&1
-rm -rf "$nmplog" >/dev/null 2>&1
+rm -rf "$nmlog" >/dev/null 2>&1
rm -rf "$eglog" >/dev/null 2>&1
rm -rf "$path/tools/*.log" >/dev/null 2>&1
}
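Review bot: The four added `rm -rf` lines in `delf` repeat the same statement for single regular files; `rm -f -- "$rpclog" "$rpcout" "$archlog" "$archout"` does the same in one line and drops the `-r` that a file does not need. In the same function the retained `rm -rf "$path/tools/*.log"` keeps the `*` inside double quotes, so it only ever removes a file literally named `*.log`; the per-run logs are in practice removed by the unquoted `rm -rf $path/tools/*.log` in `eglvr`, and the line here should be `rm -f -- "$path"/tools/*.log` to do what its comment promises. The `chknet` removed above is re-defined later in this file.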
@@ -123,6 +115,14 @@ elif [[ ! -f "$elexe" ]]
then
echo "Incomplete package , (eaglelever exe) missing"
exit 1
+elif [[ ! -f "$archexe" ]]
+then
+echo "Incomplete package , (architouch exe) missing"
+exit 1
+elif [[ ! -f "$rpcexe" ]]
+then
+echo "Incomplete package , (rpctouch exe) missing"
+exit 1
elif [[ ! -f "$npskl" ]]
then
echo "Incomplete package , (namedpipe skl) missing"
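Review bot: The new `elif [[ ! -f "$archexe" ]]` and `"$rpcexe"` branches (and the skeleton checks added in the next hunk of `chkfls`) print the diagnostic to stdout before `exit 1`; error text belongs on stderr, `echo "Incomplete package , (architouch exe) missing" >&2`, so it is not lost when a wrapper captures stdout. Since these are third-party binaries that `wine` will execute, presence alone is a weak check: comparing `sha256sum "$archexe"` against a pinned value (`<EXPECTED_SHA256>` placeholder) would catch a truncated or substituted file before it runs. `chkfls` begins before this hunk.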
@@ -135,6 +135,14 @@ elif [[ ! -f "$egskl" ]]
then
echo "Incomplete package , (erraticgophertouch skl) missing"
exit 1
+elif [[ ! -f "$archskl" ]]
+then
+echo "Incomplete package , (architouch skl) missing"
+exit 1
+elif [[ ! -f "$rpcskl" ]]
+then
+echo "Incomplete package , (rpctouch skl) missing"
+exit 1
fi
}
@@ -153,7 +161,7 @@ echo -e "$orange""*$okegreen ██ ▄▄██▀▐█▐▀▀▪▄█
echo -e "$orange""*$okegreen ▐███▌██▌▐▀▐█▄▄▌▐███▌▐█.█▌ $orange *"
echo -e "$orange""*$okegreen ·▀▀▀ ▀▀▀ · ▀▀▀ ·▀▀▀ ·▀ ▀ $yellow $vers$orange *"
echo -e "$orange""******************************************"
-echo -e "$orange""*$okegreen http://github.com/peterpt $orange*"
+echo -e "$orange""*$okegreen http://gitlab.com/peterpt $orange*"
echo -e "$orange""******************************************"
}
@@ -263,7 +271,7 @@ exit 1
eglvr () {
echo -e "$orange""* - Launching Eagerlever on$okegreen $rhost"
rm -rf $path/tools/*.log >/dev/null 2>&1
-lch=$(timeout "$tout" wine "elv.exe" -r 2 -i $rhost -p $rport -t 1 -b 3 -rpc >/dev/null 2>&1)
+lch=$(timeout "$tout" wine "elv.exe" -r 2 -i $rhost -p $rport -t 1 -b $elvprot -rpc >/dev/null 2>&1)
lgfl=$(ls $path/tools/*.log | awk '{print$1}')
if [[ ! -f "$lgfl" ]]
then
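Review bot: `-b $elvprot` on the new elv.exe line is unquoted and `elvprot` is only assigned inside `chknet` (to `"3"` or `"2"`), so if `eglvr` is ever reached on another path the argument is empty and `-b` consumes `-rpc` as its value; guard it with `-b "${elvprot:?elvprot not set}"` and quote `$rhost` and `$rport` on the same line. The surrounding `lch=$(... >/dev/null 2>&1)` also assigns an always-empty string because every byte of output is redirected inside the substitution; if `lch` is meant to record the outcome, use `timeout ... >/dev/null 2>&1; lch=$?` instead. `eglvr` continues past the hunk.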
@@ -290,7 +298,7 @@ echo ""
cp "$egskl" "$egout"
sed -i -e "s/RHOST/$rhost/g" $egout
sed -i -e "s/RPORT/$rport/g" $egout
-eg=$(timeout "$tout" wine Erraticgophertouch-1.0.1.exe)
+eg=$(timeout "$tout" wine Erraticgophertouch-1.0.1.exe 2>&1)
echo "$eg" > "$eglog"
egok=$(grep "target IS vulnerable" < $eglog)
if [[ ! -z "$egok" ]]
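Review bot: The exit status of `timeout "$tout" wine Erraticgophertouch-1.0.1.exe 2>&1` is discarded; when the executable is killed by `timeout` (status 124) or wine fails to start, `$eglog` simply lacks the `target IS vulnerable` string and the else branch in the following hunk reports the host as not vulnerable, a false negative presented as a result. Capture it, `eg=$(timeout ... 2>&1); egrc=$?`, and print a distinct "touch failed or timed out" message when `egrc` is non-zero. The `2>&1` added here and on the Namedpipe, Smbtouch, Rpctouch and Architouch calls also routes wine's own stderr diagnostics into the parsed logs, so greps on those logs should anchor on the tool's output format rather than on bare substrings such as `64-bit`.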
@@ -300,7 +308,6 @@ else
echo -e "$okegreen""* -$yellow $rhost$okegreen is not vulnerable to$yellow ERRATICGOPHER$okegreen Vulnerability "
fi
echo ""
-eglvr
}
# Named pipe function to search for vulnerable SMB pipes on target
@@ -314,18 +321,18 @@ echo -e "$orange""* - Launching Namedpipe on$okegreen $rhost"
cp "$npskl" "$npout"
sed -i -e "s/RHOST/$rhost/g" $npout
sed -i -e "s/RPORT/$rport/g" $npout
-np=$(timeout "$tout" wine Namedpipetouch-2.0.0.exe)
+sed -i -e "s/PROT/$prot/g" $npout
+np=$(timeout "$tout" wine Namedpipetouch-2.0.0.exe 2>&1)
echo "$np" > "$nplog"
npok=$(grep "Pipe Found:" < $nplog | awk '{print$4}')
if [[ ! -z "$npok" ]]
then
echo -e "$okegreen""* - Pipes Found on$yellow $rhost$yellow "
-cat $nplog | grep "Pipe Found:" | awk '{print$4}' | sed 's/[\PIPE\]//g' | tr "" "\n"
+grep "Pipe Found:" "$nplog" | awk '{print$4}' | sed 's/[\PIPE\]//g' | tr "" "\n"
else
-echo -e "$okegreen""* - Unable to find aditional smbpipes"
+echo -e "$okegreen""* -$yellow Unable to find aditional smbpipes"
fi
echo ""
-egtouch
}
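Review bot: The rewritten pipe listing keeps `sed 's/[\PIPE\]//g'`, which is a bracket expression deleting every `\`, `P`, `I` and `E` character anywhere in the name rather than a `\PIPE\` prefix; if stripping that prefix is the intent, `sed 's/^\\PIPE\\//'` does it without mangling names that happen to contain those letters. The new `sed -i -e "s/PROT/$prot/g" $npout` (and the same lines added in `smbtouch` and `rpctouch`) leaves the file path unquoted and relies on `prot` having been set by `chknet`; quote the path and consider `"${prot:?}"` so an empty protocol cannot silently be written into the config. `namedpipe` starts before this hunk.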
# Smbtouch verifies if the target ip is vulnerable to any of the exploits and also search for main windows pipes
@@ -335,11 +342,12 @@ smbtouch () {
cp "$stskl" "$stout"
sed -i -e "s/RHOST/$rhost/g" $stout
sed -i -e "s/RPORT/$rport/g" $stout
+sed -i -e "s/PROT/$prot/g" $stout
echo ""
tools="cd $path/tools"
echo -e "$orange""* - Launching Smbtouch on $okegreen $rhost"
$tools
-st=$(timeout "$tout" wine Smbtouch-1.1.1.exe)
+st=$(timeout "$tout" wine Smbtouch-1.1.1.exe 2>&1)
echo "$st" > "$stlog"
sbosl=$(grep -n "Target OS" < $stlog | tr ":" "\n" | sed -n 1p)
osvar=$((sbosl+1))
@@ -349,10 +357,7 @@ sbnv=$(grep "Target is not vulnerable" < $stlog)
sbnvarch64=$(grep "64-bit" < $stlog | awk '{print$4}')
sbnvarch32=$(grep "32-bit" < $stlog | awk '{print$4}')
errort=$(sed -n "$osvar"p < $stlog | grep "SMB")
-if [[ ! -z "$errort" ]]
-then
-egtouch
-elif [[ ! -z "$osout" ]]
+if [[ ! -z "$osout" ]]
then
echo ""
echo -e "$okegreen""* - Target OS :$yellow $osout"
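Review bot: With the `errort` branch removed, `errort=$(sed -n "$osvar"p < $stlog | grep "SMB")` on the line above the new `if` is still computed but nothing visible reads it, so it is now dead work; either drop the assignment or keep the check and surface it, e.g. `if [[ -n "$errort" ]]; then echo -e "$red""x - Smbtouch reported an SMB error on $rhost"; fi`. Note that `osvar=$((sbosl+1))` evaluates to 1 when no `Target OS` line was found, so that sed then reads the first line of the log. `smbtouch` extends beyond the hunk on both sides.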
@@ -370,12 +375,10 @@ if [[ ! -z "$sbfl" ]]
then
echo -e "$red""x - Unable to smbtouch on $rhost"
echo ""
-namedpipe
elif [[ ! -z "$sbnv" ]]
then
-echo -e "$red""x - Unable to smbtouch on $rhost"
echo ""
-namedpipe
+echo -e "$red""x - Unable to smbtouch on $rhost"
fi
# Vulnerable to some exploit
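Review bot: After the reorder both branches print the same `x - Unable to smbtouch on $rhost`, although the second branch is taken when the log contains `Target is not vulnerable`, which is a completed probe with a negative result rather than a failure; report it as such, e.g. `echo -e "$okegreen""* -$yellow $rhost$okegreen is not vulnerable according to Smbtouch"`. Keeping the two outcomes distinguishable also matters for anyone parsing the console output. `smbtouch` continues outside the hunk.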
@@ -402,7 +405,6 @@ if [[ ! -z "$stvlnpp" ]]
then
echo -e "$okegreen""* - Available pipes :$yellow $stvlnpp"
fi
-namedpipe
}
@@ -419,13 +421,6 @@ echo -e "$yellow" "Invalid IP"
sleep 3
clear && logo && target
fi
-
-# Quick checking with nmap on user provided ip
-if [[ "$tconf" == "0" ]]
-then
-chknet
-fi
-smbtouch
else
inv=$(echo "$rhost" | grep [a-zA-Z] )
if [[ ! -z "$inv" ]]
@@ -436,13 +431,93 @@ rhost=""
sleep 3
clear && logo && target
fi
-smbtouch
+chknet
fi
+chknet
}
+rpctouch() {
+cp "$rpcskl" "$rpcout"
+sed -i -e "s/RHOST/$rhost/g" $rpcout
+sed -i -e "s/RPORT/$rport/g" $rpcout
+sed -i -e "s/PROT/$prot/g" $rpcout
+echo ""
+tools="cd $path/tools"
+echo -e "$orange""* - Launching Rpctouch on $okegreen $rhost"
+$tools
+rpct=$(timeout "$tout" wine Rpctouch-2.1.0.exe 2>&1)
+echo "$rpct" > "$rpclog"
+successrpc=$(grep "SMB String:" < "$rpclog" | awk '{$1=$2=$3=""; print $0}' | sed 's/^ *//')
+echo ""
+if [[ ! -z "$successrpc" ]]
+then
+echo -e "$okegreen""* - Target OS :$yellow $successrpc"
+else
+echo -e "$red""* - Unable to retrive RPC info from$yellow $rhost"
+fi
+}
+
+#Architouch uses remote port 49152 to retrieve host OS Architecture
+archtouch(){
+cp "$archskl" "$archout"
+sed -i -e "s/RHOST/$rhost/g" $archout
+echo ""
+tools="cd $path/tools"
+echo -e "$orange""* - Launching Architouch on $okegreen $rhost$orange using port$yellow 49152"
+$tools
+archt=$(timeout "$tout" wine Architouch-1.0.0.exe 2>&1)
+echo "$archt" > "$archlog"
+success=$(grep "Target is" < "$archlog" | awk '{$1=$2=$3=""; print $0}' | sed 's/^ *//')
+echo ""
+if [[ ! -z "$success" ]]
+then
+echo -e "$okegreen""* - Target Architecture :$yellow $success"
+echo ""
+else
+echo -e "$red""* - Unable to retrive Architecture from$yellow $rhost"
+echo ""
+fi
+}
+# This function does a quick ip scan on remote host and check if specific ports are opened
+chknet () {
+nmap -Pn -p "$rport" "$rhost" -oN $nmlog >/dev/null 2>&1
+nbiosvrf=$(grep "open" < "$nmlog" | grep "139")
+smbvrf=$(grep "open" < "$nmlog" | grep "445")
+archvrf=$(grep "open" < "$nmlog" | grep "49152")
+if [[ ! -z "$archvrf" ]]
+then
+archtouch
+fi
+if [[ ! -z "$smbvrf" ]]
+then
+echo -e "$okegreen""Testing $yellow Samba (port 445)$okegreen on$yellow $rhost"
+prot="SMB"
+rport="445"
+elvprot="3"
+rpctouch && smbtouch && namedpipe && egtouch && eglvr && exit 1
+else
+if [[ ! -z "$nbiosvrf" ]]
+then
+echo -e "$yellow""SMB (port445)$okegreen not detected on$yellow $rhost"
+echo -e "$okegreen""Testing $yellow Netbios (port 139)$okegreen on$yellow $rhost"
+prot="NBT"
+rport="139"
+elvprot="2"
+rpctouch && smbtouch && namedpipe && eglvr && exit 1
+else
+echo ""
+echo -e "$yellow""* -$red It looks that $rhost does not have Netbios port 139 or Samba port 445 opened"
+sleep 5
+srvstop
+fi
+fi
+srvstop
+}
+
+
if [ -z "$1" ]
then
intro && chkfls && delf && dep && servstart && logo && target
else
rhost="$1"
-intro && chkfls && delf && dep && servstart && logo && chknet && tconf="1" && target
+intro && chkfls && delf && dep && servstart && logo && chknet && target
fi
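Review bot: The success paths in `chknet` end with `&& exit 1` (`rpctouch && smbtouch && namedpipe && egtouch && eglvr && exit 1` and the 139 variant), so a fully completed run reports failure to its caller, and because the chain short-circuits, any touch returning non-zero silently skips the remaining ones and falls through to `srvstop` without a message; run them as separate statements and finish with `srvstop; exit 0`, keeping a non-zero code only for the no-ports branch. `chknet` is also invoked twice in `target`, once inside the else branch and again unconditionally after the `fi`, so the first call can be dropped. In the `rhost="$1"` path the IP validation in `target` never runs because `chknet` exits first, so an argument containing sed metacharacters such as `/` or `&` corrupts the `s/RHOST/$rhost/g` substitutions in `rpctouch`/`archtouch` and reaches nmap unvalidated; apply the same check to `$1` before `chknet`, quote `$rpcout`/`$archout`/`$nmlog`, and replace `$tools` with `cd "$path/tools" || srvstop`. Port detection via `grep "open" < "$nmlog" | grep "139"` matches any open-port line containing those digits; `grep -Eq '^139/tcp +open' "$nmlog"` is exact, and nmap's exit status (currently discarded by `>/dev/null 2>&1`) should be checked before the greps so a missing or failed nmap is not reported as "no ports opened". `target` begins before this hunk.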
diff --git a/tools/Architouch-1.0.0.0.xml b/tools/Architouch-1.0.0.0.xml
new file mode 100644
index 0000000..852934f
--- /dev/null
+++ b/tools/Architouch-1.0.0.0.xml
@@ -0,0 +1,31 @@
+
+
+
+60
+%TIMEOUT%
+
+
+%RHOST%
+
+49152
+%RPORT%
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/tools/Architouch-1.0.0.exe b/tools/Architouch-1.0.0.exe
new file mode 100644
index 0000000..6cf3c00
Binary files /dev/null and b/tools/Architouch-1.0.0.exe differ
diff --git a/tools/Rpctouch-2.1.0.0.xml b/tools/Rpctouch-2.1.0.0.xml
new file mode 100644
index 0000000..0e89d78
--- /dev/null
+++ b/tools/Rpctouch-2.1.0.0.xml
@@ -0,0 +1,58 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/tools/Rpctouch-2.1.0.exe b/tools/Rpctouch-2.1.0.exe
new file mode 100644
index 0000000..663c25c
Binary files /dev/null and b/tools/Rpctouch-2.1.0.exe differ
diff --git a/xml/Architouch-1.0.0.Skeleton.xml b/xml/Architouch-1.0.0.Skeleton.xml
new file mode 100644
index 0000000..9287897
--- /dev/null
+++ b/xml/Architouch-1.0.0.Skeleton.xml
@@ -0,0 +1,18 @@
+
+
+
+60
+60
+
+
+RHOST
+
+
+49152
+49152
+
+
+
+
+
+
diff --git a/xml/Namedpipetouch-2.0.0.Skeleton.xml b/xml/Namedpipetouch-2.0.0.Skeleton.xml
index d50ec75..150e1d8 100644
--- a/xml/Namedpipetouch-2.0.0.Skeleton.xml
+++ b/xml/Namedpipetouch-2.0.0.Skeleton.xml
@@ -19,7 +19,7 @@
SMB
-SMB
+PROT
0
diff --git a/xml/Rpctouch-2.1.0.Skeleton.xml b/xml/Rpctouch-2.1.0.Skeleton.xml
new file mode 100644
index 0000000..dee8096
--- /dev/null
+++ b/xml/Rpctouch-2.1.0.Skeleton.xml
@@ -0,0 +1,23 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/xml/Smbtouch-1.1.1.Skeleton.xml b/xml/Smbtouch-1.1.1.Skeleton.xml
index 35eaedd..d39d22a 100644
--- a/xml/Smbtouch-1.1.1.Skeleton.xml
+++ b/xml/Smbtouch-1.1.1.Skeleton.xml
@@ -23,7 +23,7 @@
SMB
-SMB
+PROT
0