echeck

#!/bin/bash
#######################################################
# Eternal Check                                       # 
# Denveloped by peterpt at http://gitlab.com/peterpt  #
#######################################################

# Eternal check verifies if a supposed ip is vulnerable to
# Eternal Blue / Eternal Romance / Eternal Champion / Eternal Synergy / Erraticgopher / EagleLever
# Smb Vulnerabily 
# https://www.rapid7.com/db/vulnerabilities/msft-cve-2017-0145
# https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue
# -------
# In case the remote ip have the RPC port 49152 opened then Echeck will check if it is possible
# to retrieve architecture from that ip
# Colours
cyan='\e[0;36m'
green='\e[0;34m'
okegreen='\033[92m'
lightgreen='\e[1;32m'
white='\e[1;37m'
red='\e[1;31m'
yellow='\e[0;33m'
BlueF='\e[1;34m' #Biru
RESET="\033[00m" #normal
orange='\e[38;5;166m'
#   --------------Variables------------------
vers="2.0"
path=$(pwd)
tools="cd $path/tools"
tout="20s" # Timeout for smbtouch and namepipe processes in seconds when running
# This means that if one of the executables get hanged then timeout var will kill them on that specific time

rport="139,445,49152" # Remote ports checked with nmap
tconf="0" # Target confirmation online 0 means not checked , 1 means checked
# Output Logs
log="$path/log"
nmlog="$path/nmlog"
nplog="$path/npout"   # Named Pipe
stlog="$path/stout"   # SMB Touch
eglog="$path/egout"   # ErraticGopher
archlog="$path/archout" # Architouch
rpclog="$path/rpcout" # RPCtouch
# End logs

# Main skeletons
rpcskl="$path/xml/Rpctouch-2.1.0.Skeleton.xml"
archskl="$path/xml/Architouch-1.0.0.Skeleton.xml"
npskl="$path/xml/Namedpipetouch-2.0.0.Skeleton.xml"
stskl="$path/xml/Smbtouch-1.1.1.Skeleton.xml"
egskl="$path/xml/Erraticgophertouch-1.0.1.Skeleton.xml"
# End Skeletons

# Fuzzbunch Executables
rpcexe="$path/tools/Rpctouch-2.1.0.exe"
archexe="$path/tools/Architouch-1.0.0.exe"
npexe="$path/tools/Namedpipetouch-2.0.0.exe"
stexe="$path/tools/Smbtouch-1.1.1.exe"
egexe="$path/tools/Erraticgophertouch-1.0.1.exe"
elexe="$path/tools/elv.exe"
# End Executables

# Out Config
archout="$path/tools/Architouch-1.0.0.xml"
rpcout="$path/tools/Rpctouch-2.1.0.xml"
npout="$path/tools/Namedpipetouch-2.0.0.xml"
stout="$path/tools/Smbtouch-1.1.1.xml"
egout="$path/tools/Erraticgophertouch-1.0.1.xml"
# End Out Config

#   ---------END--------VARIABLES-------------------

# CTRL+C when pressed will stop services and exit
trap ctrl_c INT
function ctrl_c() {
srvstop
}

# Temporary files created during the execution of the tool
delf () {
rm -rf "$rpclog" >/dev/null 2>&1
rm -rf "$rpcout" >/dev/null 2>&1		
rm -rf "$archlog" >/dev/null 2>&1
rm -rf "$archout" >/dev/null 2>&1	
rm -rf "$nplog" >/dev/null 2>&1
rm -rf "$npout" >/dev/null 2>&1	
rm -rf "$egout" >/dev/null 2>&1	
rm -rf "$stout" >/dev/null 2>&1	
rm -rf "$log" >/dev/null 2>&1	
rm -rf "$stlog" >/dev/null 2>&1	
rm -rf "$nmlog" >/dev/null 2>&1
rm -rf "$eglog" >/dev/null 2>&1
rm -rf "$path/tools/*.log" >/dev/null 2>&1
}

intro () {
delf
echo -e "$orange" "Eternal Check $vers just started"
}

# Verification if Fuzzbunch Executables and main xmls files for config exist 
chkfls () {
if [[ ! -f "$npexe" ]]
then
echo "Incomplete package , (namedpipe exe) missing"
exit 1
elif [[ ! -f "$stexe" ]]
then
echo "Incomplete package , (smbtouch exe) missing"
exit 1
elif [[ ! -f "$egexe" ]]
then
echo "Incomplete package , (erraticgophertouch exe) missing"
exit 1
elif [[ ! -f "$elexe" ]]
then
echo "Incomplete package , (eaglelever exe) missing"
exit 1
elif [[ ! -f "$archexe" ]]
then
echo "Incomplete package , (architouch exe) missing"
exit 1
elif [[ ! -f "$rpcexe" ]]
then
echo "Incomplete package , (rpctouch exe) missing"
exit 1
elif [[ ! -f "$npskl" ]]
then
echo "Incomplete package , (namedpipe skl) missing"
exit 1
elif [[ ! -f "$stskl" ]]
then
echo "Incomplete package , (smbtouch skl) missing"
exit 1
elif [[ ! -f "$egskl" ]]
then
echo "Incomplete package , (erraticgophertouch skl) missing"
exit 1
elif [[ ! -f "$archskl" ]]
then
echo "Incomplete package , (architouch skl) missing"
exit 1
elif [[ ! -f "$rpcskl" ]]
then
echo "Incomplete package , (rpctouch skl) missing"
exit 1
fi

}

logo (){
echo ""
echo -e "$orange""******************************************"
echo -e "$orange""*$okegreen  ▄▄▄ .▄▄▄▄▄▄▄▄ .▄▄▄   ▐ ▄  ▄▄▄· ▄▄▌$orange    *"
echo -e "$orange""*$okegreen  ▀▄.▀·•██  ▀▄.▀·▀▄ █·•█▌▐█▐█ ▀█ ██• $orange   *"
echo -e "$orange""*$okegreen  ▐▀▀▪▄ ▐█.▪▐▀▀▪▄▐▀▀▄ ▐█▐▐▌▄█▀▀█ ██▪  $orange  *"
echo -e "$orange""*$okegreen  ▐█▄▄▌ ▐█▌·▐█▄▄▌▐█•█▌██▐█▌▐█ ▪▐▌▐█▌▐▌$orange  *"
echo -e "$orange""*$okegreen   ▀▀▀  ▀▀▀  ▀▀▀ .▀  ▀▀▀ █▪ ▀  ▀ .▀▀▀ $orange  *"
echo -e "$orange""*$okegreen       ▄▄·  ▄ .▄▄▄▄ . ▄▄· ▄ •▄        $orange  *"
echo -e "$orange""*$okegreen      ▐█ ▌▪██▪▐█▀▄.▀·▐█ ▌▪█▌▄▌▪        $orange *"
echo -e "$orange""*$okegreen      ██ ▄▄██▀▐█▐▀▀▪▄██ ▄▄▐▀▀▄·        $orange *"
echo -e "$orange""*$okegreen      ▐███▌██▌▐▀▐█▄▄▌▐███▌▐█.█▌        $orange *"
echo -e "$orange""*$okegreen      ·▀▀▀ ▀▀▀ · ▀▀▀ ·▀▀▀ ·▀  ▀  $yellow $vers$orange   *" 
echo -e "$orange""******************************************"
echo -e "$orange""*$okegreen      http://github.com/peterpt         $orange*"
echo -e "$orange""******************************************"
}

# Required Services start
servstart () {
echo ""
echo -e "$okegreen""Searching for required activated services"
winbservice="winbind"
if (( $(ps -ef | grep -v grep | grep $winbservice | wc -l) > 0 ))
then
echo -e "$okegreen""$winbservice is running!!!"
else
echo -e "$okegreen""Starting Winbind Service"
/etc/init.d/$winbservice start >/dev/null 2>&1
fi
}

# Dependencies
dep () {
	echo -ne "$okegreen" "Checking Dependencies ...."
which wget > /dev/null 2>&1
      if [ "$?" -eq "1" ]; then
      echo "[$red x$okegreen ] Not Ok "
      echo ""
      echo -e "$red" "[x] Wget "
      echo ""
   echo -e "$red" "Wget Missing"
echo ""
echo -e "$yellow" "Try : apt-get install wget"
exit 1
fi  
sleep 0.5 
which nc > /dev/null 2>&1
      if [ "$?" -eq "1" ]; then
      echo "[$red x$okegreen ] Not Ok "
      echo ""
   echo -e "$red" "Netcat Missing"
echo ""
echo -e "$yellow" "Try : apt-get install netcat"
exit 1
fi 
sleep 0.5 
which nmap > /dev/null 2>&1
      if [ "$?" -eq "1" ]; then
      echo "[$red x$okegreen ] Not Ok "
      echo ""
   echo -e "$red" "Network Map Missing"
echo ""
echo -e "$yellow" "Try : apt-get install nmap"
exit 1
fi 
sleep 0.5 
which wine > /dev/null 2>&1
      if [ "$?" -eq "1" ]; then
      echo "[$red x$okegreen ] Not Ok "
      echo ""
      echo -e "$red" "[x] Wine32 "
      echo ""
   echo -e "$red" "Wine Missing"
echo ""
echo -e "$yellow" "Try : apt-get install wine"
exit 1
else
rm -f $log

# Verifies witch wine arch is installed on user station

winearch32=$(winepath -u c:\\windows\\system32 | tee $log > /dev/null 2>&1)
if ! grep system32 < "$log" > /dev/null 2>&1 ; then
if grep syswow64 < "$log" > /dev/null 2>&1 ; then
echo "[$red x$okegreen ] Not Ok "
      echo ""
echo -e "$yellow" "Detected Wine 64bit Arch"
echo ""
echo -e "$okegreen" "Go to$yellow https://wiki.debian.org/Wine$okegreen (to know how to install wine32 on a 64bit machine)"
exit 1
fi
fi
fi 
which winbindd > /dev/null 2>&1
      if [ "$?" -eq "1" ]; then
      echo "[$red x$okegreen ] Not Ok "
      echo ""
   echo -e "$red" "Winbind Missing"
echo ""
echo -e "$yellow" "Try : apt-get install winbind"
exit 1
fi 
sleep 0.5
echo -e "$okegreen""[✔] Ok "
sleep 2
}

# Stop services and exit tool
srvstop () {
winbservice="winbind"	
if (( $(ps -ef | grep -v grep | grep $winbservice | wc -l) > 0 ))
then
echo ""
echo -e "$okegreen""Stopping Winbind Service & Exiting"
/etc/init.d/$winbservice stop >/dev/null 2>&1
fi
delf
exit 1
}

eglvr () {
echo -e "$orange""* - Launching Eagerlever on$okegreen $rhost"	
rm -rf $path/tools/*.log >/dev/null 2>&1
lch=$(timeout "$tout" wine "elv.exe" -r 2 -i $rhost -p $rport -t 1 -b $elvprot -rpc >/dev/null 2>&1)
lgfl=$(ls $path/tools/*.log | awk '{print$1}')
if [[ ! -f "$lgfl" ]]
then
echo -e "$okegreen""* - $yellow Unable to find log file from eagerlever touch"
sleep 4
srvstop
fi
nv=$(grep "Target is vulnerable to EAGERLEVER" < $lgfl)
if [[ -z "$nv" ]]
then
echo -e "$okegreen""* -$yellow $rhost$okegreen is not vulnerable to$yellow Eagerlever$okegreen Vulnerability"
sleep 4
else
echo -e "$okegreen""* -$yellow $rhost$okegreen is vulnerable to$yellow Eagerlever$okegreen Vulnerability"
sleep 4
fi
srvstop
}             	

# Erraticgopher exploits SMB V1 on Windows XP & Server 2003
egtouch () {
echo -e "$orange""* - Launching Erraticgopher on$okegreen $rhost"	
echo ""
cp "$egskl" "$egout"
sed -i -e "s/RHOST/$rhost/g" $egout
sed -i -e "s/RPORT/$rport/g" $egout	
eg=$(timeout "$tout" wine Erraticgophertouch-1.0.1.exe 2>&1)	
echo "$eg" > "$eglog"
egok=$(grep "target IS vulnerable" < $eglog)
if [[ ! -z "$egok" ]]
then
echo -e "$okegreen""* -$yellow $rhost$okegreen is vulnerable to Erraticgopher Vulnerability "
else
echo -e "$okegreen""* -$yellow $rhost$okegreen is not vulnerable to$yellow ERRATICGOPHER$okegreen Vulnerability "
fi
echo ""
}	

# Named pipe function to search for vulnerable SMB pipes on target
# Named pipe not only search for other default windows pipes , as also for a big list of possible altertative pipes
# Antivirus pipes , Sql server pipes , etc ... , every program that connects to the network creates a pipe
# and namedpipe tool checks that from a predetermided configured list .
# The list of pipes to check are the default created by NSA until the time of the leaked package by Shadow Brokers

namedpipe () {
echo -e "$orange""* - Launching Namedpipe on$okegreen $rhost"	
cp "$npskl" "$npout"
sed -i -e "s/RHOST/$rhost/g" $npout	
sed -i -e "s/RPORT/$rport/g" $npout	
sed -i -e "s/PROT/$prot/g" $npout	
np=$(timeout "$tout" wine Namedpipetouch-2.0.0.exe 2>&1)	
echo "$np" > "$nplog"
npok=$(grep "Pipe Found:" < $nplog | awk '{print$4}')
if [[ ! -z "$npok" ]]
then
echo -e "$okegreen""* - Pipes Found on$yellow $rhost$yellow "
grep "Pipe Found:" "$nplog" | awk '{print$4}' | sed 's/[\PIPE\]//g' | tr "" "\n"
else
echo -e "$okegreen""* -$yellow Unable to find aditional smbpipes"
fi
echo ""
}	

# Smbtouch verifies if the target ip is vulnerable to any of the exploits and also search for main windows pipes
# if they are vulnerable , lsass , spoolss , browser  (basically the pipes that Windows have by default working)

smbtouch () {
cp "$stskl" "$stout"
sed -i -e "s/RHOST/$rhost/g" $stout
sed -i -e "s/RPORT/$rport/g" $stout
sed -i -e "s/PROT/$prot/g" $stout
echo ""
tools="cd $path/tools"
echo -e "$orange""* - Launching Smbtouch on $okegreen $rhost"
$tools
st=$(timeout "$tout" wine Smbtouch-1.1.1.exe 2>&1)
echo "$st" > "$stlog"
sbosl=$(grep -n "Target OS" < $stlog | tr ":" "\n" | sed -n 1p)
osvar=$((sbosl+1))
osout=$(sed -n "$osvar"p < $stlog | sed 's/^ *//')
sbfl=$(grep "Touch failed" < $stlog)
sbnv=$(grep "Target is not vulnerable" < $stlog)
sbnvarch64=$(grep "64-bit" < $stlog | awk '{print$4}')
sbnvarch32=$(grep "32-bit" < $stlog | awk '{print$4}')
errort=$(sed -n "$osvar"p < $stlog | grep "SMB")
if [[ ! -z "$osout" ]]
then
echo ""
echo -e "$okegreen""* - Target OS :$yellow $osout"
fi
if [[ ! -z "$sbnvarch32" ]]
then
echo ""
echo -e "$okegreen""* - Target Architecture :$yellow $sbnvarch32"
elif [[ ! -z "$sbnvarch64" ]]
then
echo ""
echo -e "$okegreen""* - Target Achitecture :$yellow $sbnvarch64"
fi
if [[ ! -z "$sbfl" ]]
then
echo -e "$red""x - Unable to smbtouch on $rhost"
echo ""
elif [[ ! -z "$sbnv" ]]
then
echo ""
echo -e "$red""x - Unable to smbtouch on $rhost"
fi

# Vulnerable to some exploit
stvlndnfb=$(grep "DANE/FB" < "$stlog" | awk '{print$1}' | sed -n 1p)
stvlnfb=$(grep "FB" < "$stlog" | awk '{print$1}' | sed -n 1p)
stvlndn=$(grep "DANE" < "$stlog" | awk '{print$1}' | sed -n 1p)
if [[ ! -z $stvlnfb ]]
then
echo -e "$okegreen""* - Vulnerable to : $yellow $stvlnfb $okegreen using : $yellow Fuzzbunch $okegreen injection method" 
fi
if [[ ! -z $stvlndn ]]
then
echo -e "$okegreen""* - Vulnerable to : $yellow $stvlndn $okegreen using : $yellow DaringNeophyte $okegreen injection method" 
fi
if [[ ! -z $stvlndnfb ]]
then
echo -e "$okegreen""* - Vulnerable to : $yellow $stvlndnfb $okegreen using : $yellow DaringNeophyte$okegreen &$yellow Fuzzbunch $okegreen injection method" 
fi

# checking for pipes
stvlnpp=$(grep "Success!" < "$stlog" | awk '{print$2}' )
echo ""
if [[ ! -z "$stvlnpp" ]]
then
echo -e "$okegreen""* - Available pipes :$yellow $stvlnpp"
fi
}


target () {
	if [[ -z "$rhost" ]]
	then
echo -ne "$okegreen" "Enter IP to check :$yellow ";tput sgr0
read -r rhost
inv=$(echo "$rhost" | grep [a-zA-Z] )
if [[ ! -z "$inv" ]]
then
echo ""
echo -e "$yellow" "Invalid IP" 
sleep 3
clear && logo && target
fi
else
inv=$(echo "$rhost" | grep [a-zA-Z] )
if [[ ! -z "$inv" ]]
then
echo ""
echo -e "$yellow" "Invalid IP" 
rhost=""
sleep 3
clear && logo && target
fi
chknet
fi
chknet
}
rpctouch() {
cp "$rpcskl" "$rpcout"
sed -i -e "s/RHOST/$rhost/g" $rpcout
sed -i -e "s/RPORT/$rport/g" $rpcout
sed -i -e "s/PROT/$prot/g" $rpcout
echo ""
tools="cd $path/tools"
echo -e "$orange""* - Launching Rpctouch on $okegreen $rhost"
$tools
rpct=$(timeout "$tout" wine Rpctouch-2.1.0.exe 2>&1)
echo "$rpct" > "$rpclog"
successrpc=$(grep "SMB String:" < "$rpclog" | awk '{$1=$2=$3=""; print $0}' | sed 's/^ *//')	
echo ""
if [[ ! -z "$successrpc" ]]
then
echo -e "$okegreen""* - Target OS :$yellow $successrpc"
else
echo -e "$red""* - Unable to retrive RPC info from$yellow $rhost"
fi		
}

#Architouch uses remote port 49152 to retrieve host OS Architecture	
archtouch(){
cp "$archskl" "$archout"
sed -i -e "s/RHOST/$rhost/g" $archout
echo ""
tools="cd $path/tools"
echo -e "$orange""* - Launching Architouch on $okegreen $rhost$orange using port$yellow 49152"
$tools
archt=$(timeout "$tout" wine Architouch-1.0.0.exe 2>&1)
echo "$archt" > "$archlog"
success=$(grep "Target is" < "$archlog" | awk '{$1=$2=$3=""; print $0}' | sed 's/^ *//')	
echo ""
if [[ ! -z "$success" ]]
then
echo -e "$okegreen""* - Target Architecture :$yellow $success"
echo ""
else
echo -e "$red""* - Unable to retrive Architecture from$yellow $rhost"
echo ""
fi
}	
# This function does a quick ip scan on remote host and check if specific ports are opened
chknet () {
nmap -Pn -p "$rport" "$rhost" -oN $nmlog >/dev/null 2>&1
nbiosvrf=$(grep "open" < "$nmlog" | grep "139")
smbvrf=$(grep "open" < "$nmlog" | grep "445")
archvrf=$(grep "open" < "$nmlog" | grep "49152")
if [[ ! -z "$archvrf" ]]
then
archtouch
fi
if [[ ! -z "$smbvrf" ]]
then
echo -e "$okegreen""Testing $yellow Samba (port 445)$okegreen on$yellow $rhost"
prot="SMB"
rport="445"
elvprot="3"
rpctouch && smbtouch && namedpipe && egtouch && eglvr && exit 1
else
if [[ ! -z "$nbiosvrf" ]]
then
echo -e "$yellow""SMB (port445)$okegreen not detected on$yellow $rhost"
echo -e "$okegreen""Testing $yellow Netbios (port 139)$okegreen on$yellow $rhost"
prot="NBT"
rport="139"
elvprot="2"
rpctouch && smbtouch && namedpipe && eglvr && exit 1
else
echo ""
echo -e "$yellow""* -$red It looks that $rhost does not have Netbios port 139 or Samba port 445 opened"
sleep 5
srvstop
fi
fi
srvstop
}


if [ -z "$1" ]
then
intro && chkfls && delf && dep && servstart && logo && target 
else
rhost="$1"
intro && chkfls && delf && dep  && servstart && logo && chknet && target 
fi