Full Code of 3gstudent/Smbtouch-Scanner for AI

Repository: 3gstudent/Smbtouch-Scanner
Branch: master
Commit: c980f6b2956d
Files: 4
Total size: 7.1 KB

Directory structure:
gitextract_ys15vjru/

├── LICENSE
├── README.md
├── Smbtouch-1.1.1.xml
└── SmbtouchScanner.py

================================================
FILE CONTENTS
================================================

================================================
FILE: LICENSE
================================================
BSD 3-Clause License

Copyright (c) 2017, 
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of the copyright holder nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


================================================
FILE: README.md
================================================
# Smbtouch-Scanner


Author: 3gstudent

License: BSD 3-Clause

---
Automatically scan the inner network.

Use Smbtouch.exe to detect whether the target is vulnerable.

**List of vulnerabilities：**

- ETERNALBLUE
- ETERNALCHAMPION
- ETERNALROMANCE
- ETERNALSYNERGY


Protocol: SMB

Scan port:445

**Note:**

   You can also use protocl NBT and port 139,just change the Smbtouch-1.1.1.xml

You can get Smbtouch.exe from this:

https://github.com/x0rz/EQGRP_Lost_in_Translation/blob/master/windows/touches/Smbtouch-1.1.1.exe

or

https://github.com/fuzzbunch/fuzzbunch/blob/master/touches/Smbtouch-1.1.1.exe

More details:

https://3gstudent.github.io/%E5%86%85%E7%BD%91%E5%AE%89%E5%85%A8-%E5%88%A9%E7%94%A8NSA-Smbtouch%E6%89%B9%E9%87%8F%E6%A3%80%E6%B5%8B%E5%86%85%E7%BD%91

---

Maybe need to use multithread to improve efficiency.


================================================
FILE: Smbtouch-1.1.1.xml
================================================
<?xml version='1.0' encoding='utf-8'?>
<config xmlns='urn:trch' name='Smbtouch' version='1.1.1' schemaversion='2.1.0' configversion='1.1.1.0' id='985f383e6edd6d9397aa5da9601c8bc867f6b713'>
  <inputparameters>
    <parameter type='S16' name='NetworkTimeout' description='Timeout for blocking network calls (in seconds).  Use -1 for no timeout.'>
      <value>60</value>
    </parameter>
    <parameter type='IPv4' name='TargetIp' description='Target IP Address'>
      <value>127.0.0.1</value>
    </parameter>
    <parameter type='TcpPort' name='TargetPort' description='Port used by the SMB service'>
      <value>445</value>
    </parameter>
    <parameter hidden='true' required='false' type='IPv4' name='RedirectedTargetIp' description='Physical (redirected) target IP'/>

    <parameter hidden='true' required='false' type='TcpPort' name='RedirectedTargetPort' description='Physical (redirected) target port'/>
    <paramchoice name='Protocol' description='SMB (default port 445) or NBT (default port 139)'>
      <value>SMB</value>
      <paramgroup name='SMB' description=''>
        <parameter hidden='true' type='Boolean' name='UsingNbt' description='Boolean stating to use Nbt or not'>
          <value>0</value>
        </parameter>
      </paramgroup>
      <paramgroup name='NBT' description=''>
        <parameter hidden='true' type='Boolean' name='UsingNbt' description='Boolean stating to use Nbt or not'>
          <value>1</value>
        </parameter>
      </paramgroup>
    </paramchoice>
    <parameter type='String' name='Pipe' description='Test an additional pipe to see if it is accessible (optional)'>
      <default/>
    </parameter>
    <parameter type='Buffer' name='Share' description='Test a file share to see if it is accessible (optional), entered as hex bytes (in unicode)'>
      <default/>
    </parameter>
    <paramchoice name='Credentials' description='Type of credentials to use'>
      <value>Anonymous</value>
      <paramgroup name='Anonymous' description='Anonymous (NULL session)'/>
      <paramgroup name='Guest' description='Guest account'/>
      <paramgroup name='Blank' description='User account with no password set'>
        <parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
      </paramgroup>
      <paramgroup name='Password' description='User name and password'>
        <parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
        <parameter type='Buffer' name='Password' description='Password entered as hex bytes (in unicode)'/>
      </paramgroup>
      <paramgroup name='NTLM' description='User name and NTLM hash'>
        <parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
        <parameter type='Buffer' name='NtlmHash' description='NTLM password hash (in hex)'/>
      </paramgroup>
    </paramchoice>
  </inputparameters>
  <constants>
    <parameter type='U8' name='Anonymous' description=''>
      <value>0</value>
    </parameter>
    <parameter type='U8' name='Guest' description=''>
      <value>1</value>
    </parameter>
    <parameter type='U8' name='Blank' description=''>
      <value>2</value>
    </parameter>
    <parameter type='U8' name='Password' description=''>
      <value>3</value>
    </parameter>
    <parameter type='U8' name='NTLM' description=''>
      <value>4</value>
    </parameter>
  </constants>

</config>


================================================
FILE: SmbtouchScanner.py
================================================

#
# Smbtouch Scanner
# By: 3gstudent
# License: BSD 3-Clause
'''

Automatically scan the inner network.
Use Smbtouch.exe to detect whether the target is vulnerable.
Protocol: SMB
Scan port:445
Note:
   You can also use protocl NBT and port 139,just change the Smbtouch-1.1.1.xml

You can get Smbtouch.exe from this:
https://github.com/x0rz/EQGRP_Lost_in_Translation/blob/master/windows/touches/Smbtouch-1.1.1.exe

'''
import os
import fileinput
#Start IP,change it
BeginIP = '192.168.1.1'
#End IP,change it
EndIP = '192.168.1.10'
#Log file
fp = open('log.txt', 'w+')

OldIP = '      <value>127.0.0.1</value>'
TempIP = OldIP
IP1 =  BeginIP.split('.')[0]
IP2 =  BeginIP.split('.')[1]
IP3 =  BeginIP.split('.')[2]
IP4 = BeginIP.split('.')[-1]
EndIP_last = EndIP.split('.')[-1]

for i in range(int(IP4)-1,int(EndIP_last)):
     ip = str(IP1+'.'+IP2+'.'+IP3+'.'+IP4)
     int_IP4 = int(IP4)
     int_IP4 += 1
     IP4 = str(int_IP4)
     NewIP= '      <value>'+ip+'</value>'
     for line in fileinput.input('Smbtouch-1.1.1.xml',inplace=1):  
     	print line.rstrip().replace(TempIP,NewIP)
     TempIP = NewIP			     
     Output = os.popen(r"Smbtouch-1.1.1.exe").read()
     Output = Output[0:Output.find('<config',1)]
     fp.writelines(Output)
     Flag = Output.find('[-] Touch failed')
     if Flag == -1 :
	print '[+] Touch success:	' +ip
     else:  
	print '[-] Touch failed:	' +ip
else:
     fp.close( )     
     for line in fileinput.input('Smbtouch-1.1.1.xml',inplace=1):  
     	print line.rstrip().replace(NewIP,OldIP)