Merge pull request #74 from NullArray/dev-beta

Dev beta

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,27 @@
+<!-- 
+In order for us to properly diagnose and troubleshoot your issue 
+we will need you to follow this issue template
+-->
+
+# Running information
+
+ <!-- Running detail, OS, arch, did you clone, etc -->
+ - What branch did you download?
+ - Clone, or docker run?
+ - What OS are you running?
+
+# Exploit module information
+
+ <!-- We will need this information to determine if it is a metasploit issue or not -->
+ - What exploit was deployed?
+ - Was a session generated for the target?
+ - What version of metasploit are you running?
+
+# Program information
+
+ <!-- Basic python information we will need -->
+ - Python version number?
+ - AutoSploit version number?
+ - Any console output that is relevant to the issue:
+ - Traceback (error) if any:
+

.gitignore

@@ -1,4 +1,7 @@
 *.pyc
 .idea/*
 api.p
-hosts.txt
+hosts.txt
+secret.p
+uid.p
+etc/tokens/*

Docker/Dockerfile

@@ -8,7 +8,7 @@ RUN apt update && apt install -y postgresql \
 								 git \
 								 metasploit-framework
 
-RUN git clone https://github.com/NullArray/AutoSploit.git && pip install shodan blessings
+RUN git clone https://github.com/NullArray/AutoSploit.git && pip install requests psutil
 COPY database.yml /root/.msf4/database.yml
 WORKDIR AutoSploit
 EXPOSE 80 443 4444

Docker/README.md

@@ -1,5 +1,4 @@
-Docker deployment instructions
-=====
+# Docker deployment instructions
 
 ## tl;dr
 
@@ -24,19 +23,19 @@ docker build -t autosploit .
 docker run -it --network haknet -p 80:80 -p 443:443 -p 4444:4444 autosploit
 ```
 
-
 ## Abstract
 
-* Launching `Autosploit` as a Docker container makes it very easy to use the tool in a hosted cloud environment (AWS, Azure, ...)
-* Separate `postgres` database into individual service for data persistence and potential async updating of the database
-* Create a small bridge network ``haknet`` so the service discovery is automatic
-* Launch `postgres` and `Autosploit` container, both linked by `haknet`
-* Autosploit will automatically launch preconfigured `msfconsole` to the external `postgres` container through `haknet` transparent network
-* Total image size of Kali + Metasploit + Autosploit : 1.75GB
+- Launching `Autosploit` as a Docker container makes it very easy to use the tool in a hosted cloud environment (AWS, Azure, ...)
+- Separate `postgres` database into individual service for data persistence and potential async updating of the database
+- Create a small bridge network `haknet` so the service discovery is automatic
+- Launch `postgres` and `Autosploit` container, both linked by `haknet`
+- Autosploit will automatically launch preconfigured `msfconsole` to the external `postgres` container through `haknet` transparent network
+- Total image size of Kali + Metasploit + Autosploit : 1.75GB
 
 ## Deploy
 
-##### Step 1 - Create bridge network
+### Step 1 - Create bridge network
+
 This will enable the Metasploit Framework to talk to the `postgres` database using its hostname, making it abstract.
 
 A Tor Socks Proxy can also be added to perform transparent proxy when launching exploits (not for reverse shells though, obviously).
@@ -45,22 +44,23 @@ A Tor Socks Proxy can also be added to perform transparent proxy when launching
 docker network create -d bridge haknet
 ```
 
-##### Step 2 - Launch services
+### Step 2 - Launch services
 
 All automagically linked
 
-
-###### Step 2.1 - Launch postgres
+#### Step 2.1 - Launch postgres
 
 Launch a vanilla `postgres` service, linked to `haknet`
+
 ```bash
 docker run --network haknet --name msfdb -e POSTGRES_PASSWORD=s3cr3t -d postgres
 ```
-###### Step 2.2 - Launch Autosploit
+
+#### Step 2.2 - Launch Autosploit
 
 Launch `Autosploit`.
 
-This Dockerfile will copy the default database config to ```~/.msf4/database.yml```. You can edit the configuration file `database.yml` to your liking before building.
+This Dockerfile will copy the default database config to `~/.msf4/database.yml`. You can edit the configuration file `database.yml` to your liking before building.
 
 Please be aware that the first build will take some time (~10mn)
 

Docker/database.yml

@@ -1,12 +1,12 @@
 development: &pgsql
-  adapter: postgresql
-  database: postgres
-  username: postgres
-  password: s3cr3t
-  host: msfdb
-  port: 5432
-  pool: 200
-timeout: 5
+  adapter:   postgresql
+  database:  postgres
+  username:  postgres
+  password:  s3cr3t
+  host:      msfdb
+  port:      5432
+  pool:      200
+timeout:     5
 
-production: &production
-  <<: *pgsql
+production:  &production
+  <<:        *pgsql

Docker/docker-compose.yml

@@ -1,9 +1,9 @@
-version: '3'
+version:         '3'
 
 services:
   autosploit:
     build:
-      context: .
+      context:   .
     ports:
       - 80:80
       - 443:433
@@ -13,7 +13,7 @@ services:
     depends_on:
       - postgres
   postgres:
-    image: postgres
+    image:       postgres
     environment:
       - POSTGRES_PASSWORD=s3cr3t
     networks:
@@ -23,8 +23,7 @@ services:
 
 networks:
   haknet:
-    driver: bridge
+    driver:      bridge
 
 volumes:
   db:
-

README.md

@@ -1,53 +1,115 @@
 # AutoSploit
 
-As the name might suggest AutoSploit attempts to automate the exploitation of remote hosts. Targets are collected automatically as well by employing the Shodan.io API. The program allows the user to enter their platform specific search query such as; `Apache`, `IIS`, etc, upon which a list of candidates will be retrieved.                           
-
-After this operation has been completed the 'Exploit' component of the program will go about the business of attempting to exploit these targets by running a series of Metasploit modules against them. Which Metasploit modules will be employed in this manner is determined by programmatically comparing the name of the module to the initial search query. However, I have added functionality to run all available modules against the targets in a 'Hail Mary' type of attack as well.
-
-The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured through the dialog that comes up before the 'Exploit' component is started.
+As the name might suggest AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or Zoomeye. But options to add your custom targets and host lists have been included as well.
+The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured by filling out the dialog that comes up before the exploit component is started
 
 **Operational Security Consideration**
 
 Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead consider running this tool from a VPS that has all the dependencies required, available.
 
+The new version of AutoSploit has a feature that allows you to set a proxy before you connect and a custom user-agent.
+
 ## Usage
 
-Clone the repo. Or deploy via Docker. Details for which can be found [here](https://github.com/NullArray/AutoSploit/tree/master/Docker) Special thanks to [Khast3x](https://github.com/khast3x) for their contribution in this regard.
+Clone the repo. Or deploy via Docker. Details for which can be found [here](https://github.com/NullArray/AutoSploit/tree/master/Docker) 
 
 `git clone https://github.com/NullArray/AutoSploit.git`
 
-After which it can be started from the terminal with `python autosploit.py`. After which you can select one of five actions. Please see the option summary below.
+Starting the program with `python autosploit.py` will open an AutoSploit terminal session. The options for which are as follows.
+
 ```
-+------------------+----------------------------------------------------+
-|     Option       |                   Summary                          |
-+------------------+----------------------------------------------------+
-|1. Usage          | Display this informational message.                |
-|2. Gather Hosts   | Query Shodan for a list of platform specific IPs.  |
-|3. View Hosts     | Print gathered IPs/RHOSTS.                         |
-|4. Exploit        | Configure MSF and Start exploiting gathered targets|
-|5. Quit           | Exits AutoSploit.                                  |
-+------------------+----------------------------------------------------+
+1. Usage And Legal
+2. Gather Hosts
+3. Custom Hosts
+4. Add Single Host
+5. View Gathered Hosts
+6. Exploit Gathered Hosts
+99. Quit
 ```
-## Available Modules
-The Metasploit modules available with this tool are selected for RCE. You can find them in the `modules.txt` file that is included in this repo. Should you wish to add more or other modules please do so in the following format.
+
+Choosing option `2` will prompt you for a platform specific search query. Enter `IIS` or `Apache` in example and choose a search engine. After doing so the collected hosts will be saved to be used in the `Exploit` component.
+
+As of version 2.0 AutoSploit can be started with a number of command line arguments/flags as well. Type `python autosploit.py -h` 
+to display all the options available to you. I've posted the options below as well for reference.
+
 ```
-use exploit/linux/http/netgear_wnr2000_rce;exploit -j; 
+usage: python autosploit.py -[c|z|s|a] -[q] QUERY
+                            [-C] WORKSPACE LHOST LPORT [-e]
+                            [--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH
+                            [--rand-agent] [--proxy] PROTO://IP:PORT [-P] AGENT
+
+optional arguments:
+  -h, --help            show this help message and exit
+
+search engines:
+  possible search engines to use
+
+  -c, --censys          use censys.io as the search engine to gather hosts
+  -z, --zoomeye         use zoomeye.org as the search engine to gather hosts
+  -s, --shodan          use shodan.io as the search engine to gather hosts
+  -a, --all             search all available search engines to gather hosts
+
+requests:
+  arguments to edit your requests
+
+  --proxy PROTO://IP:PORT
+                        run behind a proxy while performing the searches
+  --random-agent        use a random HTTP User-Agent header
+  -P USER-AGENT, --personal-agent USER-AGENT
+                        pass a personal User-Agent to use for HTTP requests
+  -q QUERY, --query QUERY
+                        pass your search query
+
+exploits:
+  arguments to edit your exploits
+
+  -E PATH, --exploit-file PATH
+                        provide a text file to convert into JSON and save for
+                        later use
+  -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
+                        set the configuration for MSF (IE -C default 127.0.0.1
+                        8080)
+  -e, --exploit         start exploiting the already gathered hosts
+
+misc arguments:
+  arguments that don't fit anywhere else
+
+  --ruby-exec           if you need to run the Ruby executable with MSF use
+                        this
+  --msf-path MSF-PATH   pass the path to your framework if it is not in your
+                        ENV PATH
 ```
-With each new module on it's own line.
+
 
 ## Dependencies
+
 AutoSploit depends on the following Python2.7 modules.
+
 ```
-shodan
-blessings
+requests
+psutil
 ```
+
 Should you find you do not have these installed get them with pip like so.
+
+```bash
+pip install requests psutil
 ```
-pip install shodan
-pip install blessings
+
+or
+
+```bash
+pip install -r requirements.txt
 ```
-Since the program invokes functionality from the Metasploit Framework you need to have this installed also. 
-Get it from Rapid7 by clicking [here](https://www.rapid7.com/products/metasploit/).
+
+Since the program invokes functionality from the Metasploit Framework you need to have this installed also. Get it from Rapid7 by clicking [here](https://www.rapid7.com/products/metasploit/).
+
+## Acknowledgements
+
+Special thanks to [Ekultek](https://github.com/Ekultek) without whoms contributions to the project version 2.0 would have been a lot less spectacular.
+
+And thanks to [Khast3x](https://github.com/khast3x) for setting up Docker support.
+
 
 
 ### Active Development
@@ -60,7 +122,4 @@ that have expressed an interest in doing so. The new version will include extra
 
 If you happen to encounter a bug please feel free to [Open a Ticket](https://github.com/NullArray/AutoSploit/issues).
 
-If you wish to contribute to the development of this project please be sure to read [CONTRIBUTING.md](https://github.com/NullArray/AutoSploit/blob/master/CONTRIBUTING.md) before you get started as it contains our contribution guidelines.
-
 Thanks in advance.
-

api_calls/censys.py

@@ -0,0 +1,44 @@
+import requests
+
+import lib.settings
+from lib.errors import AutoSploitAPIConnectionError
+from lib.settings import (
+    HOST_FILE,
+    API_URLS,
+    write_to_file
+)
+
+
+class CensysAPIHook(object):
+
+    """
+    Censys API hook
+    """
+
+    def __init__(self, identity=None, token=None, query=None, proxy=None, agent=None, **kwargs):
+        self.id = identity
+        self.token = token
+        self.query = query
+        self.proxy = proxy
+        self.user_agent = agent
+        self.host_file = HOST_FILE
+
+    def censys(self):
+        """
+        connect to the Censys API and pull all IP addresses from the provided query
+        """
+        discovered_censys_hosts = set()
+        try:
+            lib.settings.start_animation("searching Censys with given query '{}'".format(self.query))
+            req = requests.post(
+                API_URLS["censys"], auth=(self.id, self.token),
+                json={"query": self.query}, headers=self.user_agent,
+                proxies=self.proxy
+            )
+            json_data = req.json()
+            for item in json_data["results"]:
+                discovered_censys_hosts.add(str(item["ip"]))
+            write_to_file(discovered_censys_hosts, self.host_file)
+            return True
+        except Exception as e:
+            raise AutoSploitAPIConnectionError(str(e))