Merge branch 'dev'

fix bug

README.md

@@ -11,7 +11,7 @@
 ![code](https://pbs.twimg.com/media/ElkdkAGXIAAl_4P?format=jpg&name=small)
 
 适用内网渗透测试。 ~~F-Scrack的翻版，给fscan和Ladon做了个分类，[X-Crack](https://github.com/netxfly/x-crack) 套壳~~
-，包括三个模块信息收集(probe)、弱密码爆破(crack)、命令执行(sqlcmd)，此处参考gobuster的爆破模式
+，包括三个模块信息收集(probe)、弱密码爆破(crack)、命令执行(sqlcmd)，参考gobuster的爆破模式
 
 ```bash
 Usage:
@@ -41,24 +41,29 @@ Flags:
 ### Probe 内网信息收集
 内网探测信息，有如下插件:
 
-| 插件名称      | 探测效果 | 默认端口 |
+| 插件名称      | 插件效果 | 默认端口 |
 | --------- | :-----|------|
 | oxid      | 多网卡 |   TCP 135 |
 | netbios     | Nbtscan     | UDP 137
 | ms17010     |  ms17010漏洞 | TCP 445 
 | zookeeper      |    zookeeper未授权 | TCP 2181
 | smbghost      | smbghost漏洞    | TCP 445
-|ntlm-smb       | NTLM信息收集(smbv1和smbv2) | TCP 445
-|ntlm-wmi       | NTLM信息收集     | TCP 135
-|ntlm-winrm     | NTLM信息收集     | TCP 5985
-|ntlm-mssql     | NTLM信息收集     | TCP 1433
+| ntlm-smb       | NTLM信息收集(smbv1和smbv2) | TCP 445
+| ntlm-wmi       | NTLM信息收集     | TCP 135
+| ntlm-winrm     | NTLM信息收集     | TCP 5985
+| ntlm-mssql     | NTLM信息收集     | TCP 1433
 
 
-```bash
+```
+ALL选项默认加载插件: ntlm-smb,oxid,netbios,ntlm-wmi,zookeeper
 cube probe -x oxid -i 192.168.2.1/24
 cube probe -x ALL -i 192.168.2.1/24
 ```
 
+#### Probe注意事项
+`ntlm-smb`模块发送了smbv1和smbv2探测包，smbv1的返回包会包含具体的操作系统，smbv2只会有一个Build版本号，比如Win10常见的`Build: 10.0.19041`,
+`10.0.19044`可以指 Windows 10 或 Windows Server 2019 的 21H1 版本。
+
 ### Crack 弱密码爆破
 ```bash
 cube crack -h
@@ -86,7 +91,26 @@ Global Flags:
 ```
 用户名(`-u/--user-file`)和密码(`-p/--pass-file`)成对出现，可以任意组合， 可用插件：`ssh，mysql，redis，elastic，ftp，httpbasic，mongo，mssql，smb，postgres`
 
+| 插件名称      | 插件效果 | 默认端口 |
+| --------- | :-----|------|
+| mysql     | Mysql爆破 | TCP 3306 |
+| mssql     | Mssql爆破 | TCP 1433
+| mongo     | Mongo爆破 | TCP 27017
+| elastic   | ES爆破    | TCP 9200
+| postgres  | postgres爆破(未测试) | TCP 5432
+| ssh       | SSH爆破     | TCP 22
+| redis     | redis爆破     | TCP 6379
+| ftp       | ftp爆破     | TCP 21
+
+
+| 插件名称      | 插件效果 | 默认端口 |
+| --------- | :-----|------|
+| httpbasic        | basic认证爆破     | 自己指定
+| jenkins          | jenkins爆破     | 自己指定
+| phpmyadmin       | phpmyadmin爆破     | 自己指定
+
 ```
+ALL默认加载插件：mysql,smb,mssql,mongo,elastic,postgres,ssh,redis,ftp
 Examples:
 cube crack -u root -p root -i 192.168.1.1 -x ALL //加载全部可组合插件
 cube crack -u root -p root -i 192.168.1.1 -x ssh
@@ -126,13 +150,7 @@ cube sqlcmd -x mssql-clr://172.16.157.163 -usa -p123456 -e "whoami"
 cube sqlcmd -x mssql-clr://172.16.157.163 -usa -p123456 -e "close" //close CLR
 ```
 
-#### ELK SIEM Detections Rule
-```
-1. mssql execute cmd
-process where event.type in ("start", "process_started") and
-process.name : "cmd.exe" and process.parent.name : "sqlservr.exe"
 
-```
 
 ### TODO
 NTLM信息识别收集：

cubelib/crackTask.go

@@ -63,11 +63,11 @@ func saveCrackReport(taskResult model.CrackTaskResult) {
 	if len(taskResult.Result) > 0 {
 		log.Debugf("Put Result to Map: %v\n", taskResult)
 		k := fmt.Sprintf("%v-%v-%v", taskResult.CrackTask.Ip, taskResult.CrackTask.Port, taskResult.CrackTask.CrackPlugin)
-		h := MakeTaskHash(k)
-		SetTaskHash(h)
+		h := util.MakeTaskHash(k)
+		util.SetTaskHash(h)
 		//s1 := fmt.Sprintf("[+]: %s://%s:%s %s", taskResult.CrackTask.CrackPlugin, taskResult.CrackTask.Ip, taskResult.CrackTask.Port, taskResult.Result)
 		//fmt.Println(s1)
-		SetResultMap(taskResult)
+		util.SetResultMap(taskResult)
 	}
 }
 
@@ -91,8 +91,8 @@ func runUnitTask(ctx context.Context, tasks chan model.CrackTask, wg *sync.WaitG
 
 			log.Debugf("Checking %s Password: %s://%s:%s@%s:%s", task.CrackPlugin, task.CrackPlugin, task.Auth.User, task.Auth.Password, task.Ip, task.Port)
 			k := fmt.Sprintf("%v-%v-%v", task.Ip, task.Port, task.CrackPlugin)
-			h := MakeTaskHash(k)
-			if CheckTaskHash(h) {
+			h := util.MakeTaskHash(k)
+			if util.CheckTaskHash(h) {
 				wg.Done()
 				continue
 			}
@@ -120,13 +120,13 @@ func opt2slice(str string, file string) []string {
 
 		return r
 	}
-	r, _ := FileReader(file)
+	r, _ := util.FileReader(file)
 	return r
 }
 
 func genPlugins(plugin string) []string {
 	pluginList := strings.Split(plugin, ",")
-	if len(pluginList) > 1 && SliceContain("ALL", pluginList) {
+	if len(pluginList) > 1 && util.SliceContain("ALL", pluginList) {
 		log.Errorf("invalid plugin: %s", plugin)
 	}
 
@@ -175,7 +175,7 @@ func StartCrackTask(opt *model.CrackOptions, globalopts *model.GlobalOptions) {
 		num = globalopts.Threads
 	}
 
-	if SliceContain(opt.CrackPlugin, Plugins.CrackFuncExclude) {
+	if util.SliceContain(opt.CrackPlugin, Plugins.CrackFuncExclude) {
 		AliveIPS = append(AliveIPS, util.IpAddr{
 			Ip:     opt.Ip,
 			Port:   "",
@@ -212,6 +212,6 @@ func StartCrackTask(opt *model.CrackOptions, globalopts *model.GlobalOptions) {
 	}
 	//wg.Wait()
 	waitTimeout(&wg, model.ThreadTimeout*2)
-	ReadResultMap()
-	getFinishTime(t1)
+	util.ReadResultMap()
+	util.GetFinishTime(t1)
 }

cubelib/probeTask.go

@@ -13,16 +13,15 @@ import (
 	"time"
 )
 
-func ValidPlugin(plugin string) ([]string, error) {
+func validPlugin(plugin string) []string {
 	pluginList := strings.Split(plugin, ",")
-	if len(pluginList) > 1 && SliceContain("ALL", pluginList) {
-		return nil, fmt.Errorf("invalid plugin: %s", plugin)
+	if len(pluginList) > 1 && util.SliceContain("ALL", pluginList) {
+		log.Errorf("invalid plugin: %s", plugin)
 	}
-
 	if plugin == "ALL" {
-		pluginList = Plugins.ProbeKeys[1:]
+		pluginList = Plugins.ProbeKeys
 	}
-	return pluginList, nil
+	return pluginList
 }
 
 func generateTasks(AliveIPS []util.IpAddr, scanPlugin []string) (tasks []model.ProbeTask) {
@@ -39,7 +38,7 @@ func generateTasks(AliveIPS []util.IpAddr, scanPlugin []string) (tasks []model.P
 func saveReport(taskResult model.ProbeTaskResult) {
 	if len(taskResult.Result) > 0 {
 		s := fmt.Sprintf("[*]: %s\n[*]: %s:%s\n", taskResult.ProbeTask.ScanPlugin, taskResult.ProbeTask.Ip, taskResult.ProbeTask.Port)
-		s1 := fmt.Sprintf("[*]: %s", taskResult.Result)
+		s1 := fmt.Sprintf("%s\n", taskResult.Result)
 		log.Infof(s + s1)
 	}
 }
@@ -54,7 +53,7 @@ func executeProbeTask(ctx context.Context, taskChan chan model.ProbeTask, wg *sy
 				return
 			}
 
-			log.Debugf("Checking %s Password: %s://%s:%s", task.ScanPlugin, task.ScanPlugin, task.Ip, task.Port)
+			log.Debugf("Probe %s: %s://%s:%s", task.ScanPlugin, task.ScanPlugin, task.Ip, task.Port)
 			fn := Plugins.ProbeFuncMap[task.ScanPlugin]
 			r := fn(task)
 			saveReport(r)
@@ -100,18 +99,14 @@ func StartProbeTask(opt *model.ProbeOptions, globalopts *model.GlobalOptions) {
 	if err != nil {
 		log.Error(err)
 	}
-	pluginList, err := ValidPlugin(opt.ScanPlugin)
-	if err != nil {
-		log.Error(err)
-	}
-	if !Subset(pluginList, Plugins.ProbeKeys) {
+	pluginList := validPlugin(opt.ScanPlugin)
+	if !util.Subset(pluginList, Plugins.ProbeKeys) && !util.Subset(pluginList, Plugins.ProbeFuncExclude) {
 		log.Errorf("plugins not found: %s", pluginList)
 	}
 	log.Infof("Loading plugin: %s", strings.Join(pluginList, ","))
 	ctx := context.Background()
 
 	AliveIPS := util.CheckAlive(ctx, threadNum, delay, ips, pluginList, opt.Port)
-
 	tasks := generateTasks(AliveIPS, pluginList)
 
 	taskChan := make(chan model.ProbeTask, threadNum*2)
@@ -126,8 +121,8 @@ func StartProbeTask(opt *model.ProbeOptions, globalopts *model.GlobalOptions) {
 		wg.Add(1)
 		taskChan <- task
 	}
-
+	//wg.Wait()
 	waitTimeout(&wg, model.ThreadTimeout)
-	getFinishTime(t1)
+	util.GetFinishTime(t1)
 
 }

cubelib/sqlcmdTask.go

@@ -4,6 +4,7 @@ import (
 	"cube/log"
 	"cube/model"
 	Plugins "cube/plugins"
+	"cube/util"
 	"fmt"
 	"strings"
 )
@@ -17,7 +18,7 @@ func SaveSqlcmdReport(taskResult model.SqlcmdTaskResult) {
 }
 
 func StartSqlcmdTask(opt *model.SqlcmdOptions, globalopts *model.GlobalOptions) {
-	s, err := ParseService(opt.Service)
+	s, err := util.ParseService(opt.Service)
 	if err != nil {
 		log.Error(err)
 	}

go.mod

@@ -3,7 +3,8 @@ module cube
 go 1.16
 
 require (
-	github.com/JKme/go-ntlmssp v1.2.5
+	github.com/JKme/go-ntlmssp v1.2.6
+	github.com/JKme/gomanuf v1.0.1
 	github.com/denisenkom/go-mssqldb v0.10.0
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/jlaffaye/ftp v0.0.0-20210307004419-5d4190119067

go.sum

@@ -13,8 +13,10 @@ cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiy
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/JKme/go-ntlmssp v1.2.5 h1:YhL+tkdc3qYXXhIGoGMLjT0y6sia/keRrrkBP99ypO8=
-github.com/JKme/go-ntlmssp v1.2.5/go.mod h1:h70Bm5p1N0ejFrkuFCl80IxpoNzCmG1gHAhsVJG3ASg=
+github.com/JKme/go-ntlmssp v1.2.6 h1:i1jvRUJuSPyK98b9ktRVWOBpXCeUonySEgkNDmU6H0Q=
+github.com/JKme/go-ntlmssp v1.2.6/go.mod h1:h70Bm5p1N0ejFrkuFCl80IxpoNzCmG1gHAhsVJG3ASg=
+github.com/JKme/gomanuf v1.0.1 h1:X5vmD/+UnyaAoYzfalwh3VqhXiJ0Cq4I+HxEByGh6Ug=
+github.com/JKme/gomanuf v1.0.1/go.mod h1:CoAe/8M4Z8B+SCJxehMCT+ptM9MWsAjBk7T0mOd+a0o=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=