Recently during an internal penetration test, I was performing ARP spoofing and i discovered a SSH connection from the administrator computer to another box.
That sounds like the correct way to access remote hosts securely. However, the problem was that the company was using a network switch that was vulnerable to ARP spoofing.
I came across the below article about performing ARP spoofing and MITM SSH connections to steal credentials.
When performing arp spoofing and performing a mitm attack on SSH, the victim does get an alert message saying that there is a key mismatch but most people just ignore them anyway.
Below is the link to the original article.
In the article, the author demonstrates the use of a software called JMITM2 (http://www.david-guembel.de/index.php?id=6) which is sort of like a honey pot that proxies SSH connections between the victim and the target SSH server.
However, there are a number of steps to be done manually to execute this attack during an internal penetration test.
1. Check if network is vulnerable to ARP spoofing
2. Check if there are any active SSH connections in the network
2. Identify the victim computer and SSH server
3. Modify the configuration files of JMITM2
4. Modifying iptables
5. ARP spoofing
6. Checking JMITM2 console for credentials
7. Re-arp the router and victim host with the correct MAC addresses of each.
It would save a great amount of time to automate these steps. I wrote a script that does just that.
Running the command below checks the network for active SSH connections (via ARP spoofing) and then automates the whole attack to outputs any credentials captured to the console.
python2.7 mitmSSH.py -analyze
If you know the victim host IP and SSH server, you can use the below command
python2.7 mitmSSH.py -host victims -ssh sshServerIP
There are a couple of things that are still in the works to improve the script.
1. Switching from intercepter-ng for ARP spoofing to scapy.
The script can be grabbed from the below link
During web application testing, it is useful to get the directory and file listing of the root of the web application that you are testing so as to ensure complete coverage of the application.
You can use the below command to get a files and directories listing of the web application root
ls –laR /var/www > cd–filelist.txt
I wrote a simple script to parse and convert the output so that I can pipe the URLs directly to Burpsuite.
The script can be found at https://github.com/milo2012/pentest_scripts/blob/master/web/parseFileList.py
Below is an example of how you can use the script.
python parseFileList.py -f cd-filelist.txt > filelist_out.txt
After running the command, you must modify the filelist_out.txt to search/replace each lines with the FQDN of the website.
E.g. replace /var/www/html/www.domain.com with https://www.domain.com
Next, start Burpsuite and point the proxy listener to 127.0.0.1 port 8080.
The next line will use send each URLs in teh filelist_out.txt to Burpsuite using Curl and Xargs.
cat filelist_out.txt | xargs curl –user-agent “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36″ -k -x http://localhost:8080 >/dev/null 2>&1
Sit back and enjoy some coffee as this process could take some time.
I made some changes to wmiexec.py script due to some anonyances I encountered during peneration tests.
The use case scenario for these modded scripts is that if the password contains special characters like @ or : and you can’t use it with the default wmiexec.py/psexec.py/smbexec.py scripts (maybe its just me who can’t figure out how to know how to use them :P)
These 3 scripts (wmiexec.py/psexec.py/smbexec.py) are the common tools that you can use if you want to get the remote host to execute a meterpreter exe file generated via Veil-Evasion.
Using the modded scripts, you can get a list of hosts to run a single command (eg ipconfig) using one line of command.
The source code for the modded scriptscan be found here
Special thanks for Corelabs for making these scripts. Impacket scripts can be found here https://code.google.com/p/impacket/.
Screenshot of psexec.py
Examples of how you can use the modded psexec.py
python wmiexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -command ipconfig
python wmiexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -f ips.txt -command ipconfig
Screenshot of smbexec.py
Examples of how you can use the modded smbexec.py
python smbexec.py -d testdomain -u user -p pass -ip 192.168.2.1
python smbexec.py -d testdomain -u user -p pass -f ips.txt
Screenshot of wmiexec.py
Examples of how you can use the modded wmiexec.py
python psexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -command ipconfig
python psexec.py -d testdomain -u user -p pass -f ips.txt -command ipconfig
Cirt.net is a useful resource that contains the default credentials for various devices.
I wrote a script that crawls, parses and extracts the credentials from cirt.net and outputs them into the “combo” format as required by medusa. Medusa is a brute force tool for numerous services like MySQL, SMB, SSH, Telnet and etc.
Currently, only ssh and telnet related credentials are extracted from cirt.net.
You can download the “combo” word lists for ssh and telnet via the direct links below.
SSH combo list for Medusa
Telnet combo list for Medusa
Combined users.txt and passwords.txt that you can use with Patator (https://code.google.com/p/patator/) which is another awesome brute force tool.
Sample command for medusa “combo” SSH attack.
medusa -M ssh -C wordList_ssh.txt -H port22.txt
If you would like to play around with the python script, you can download the file at the below location.
Patator is another awesome tool that you can use for brute forcing SSH logins
Sample command for patator SSH attack
patator.py ssh_login host=10.0.0.1 user=FILE0 password=FILE1 0=users.txt 1=passwords.txt -x ignore:mesg=’Authentication failed.’
Special shoutout to Cirt.net for maintaining and providing the extensive database of default credentials at cirt.net/passwords
I wrote a script to extend the functions of Burp plugin – Carbonator.
Carbonator is an awesome script by Integris Security. Carbonator uses Jython which is easy for me to understand.
Its similar to Sodapop by Redspin. However, the Sodapop script seems broken now.
Below is a link to Sodapop by Redspin
Below is a description for Carbonator from their website.
Carbonator’s purpose is to enable the ability to automate the vulnerability scanning of a large number of web applications.
A single command from a command line can now produce volumes of vulnerability information.
Carbonator can be found here
I made some additional tweaks to the original carbonator.py script as well as created my own launch_burp.py run script.
The additional functionalities that I have included are
1. Allow you to run Burp/Carbonator against a file containing a list of domain names/IPS/urls. Below is a screenshot of the file format.
2. Run Bing lookup against the IP address of the domain name and find other websites that are hosted on the same IP address (using the IP:x.x.x.x keyword in Bing) and run Burp/Carbonator against these additional websites. These seems to be some false positives in Bing search engine. The script checks to make sure that the domain name resolves to the same IP address.
3. Search Google for links belonging to the domain name (using the site:domain.com keyword) in Google and run Burp/Carbonator against these links. You might find additional website content/links as compared to crawling http://www.domain.com.
My Github repo for the code is at https//github.com/milo2012/carbonator. Please feel free to send me your feedback/comments. Thank you for reading.
I wrote a script to easily dump a sample size of data from each table in the Oracle databases.
If you want to search for column names matching (passw|bank|credit|card), you can enable the -idf argument. This is similar to auxillary/admin/mssql/mssql_idf module in Metasploit.
The script can be downloaded at https://github.com/milo2012/pentest_scripts/blob/master/oracle_pillage/ora_pillage.py
Please send your feedback to @keith55 or keith.lee2012[at]gmail.com.