Using IPv6 to Bypass Security (tool)

June 22, 2018 Leave a comment

John Anderson from Trustwave wrote an interesting post on Trustwave SpiderLabs blog (link at end of this post).

In the article, an attacker was able to use IPv6 to bypass security protections that was in place for iPv4 but not IPv6.

The number of open ports on the IPv6 and IPv4 addresses on the same host are different.

Below is a walkthrough of how to perform the technique.

1) Sends an ICMP echo request (ping6 ff02::1%eth0) to the broadcast address (ff02::1) , all IPv6 hosts in the local network will reply
2) Sends an ARP requests to all IPv4 hosts in the local network
3) Performs a port scan of all IPv4 and IPv6 hosts that are alive in the local network
4) Match the IPv6 address to the IPv4 address based on the MAC address information.
5) Checks to see if the scan against the IPv6 address on the host returns more open ports that the IPv4 address on the same host and outputs the difference in ports (if any)

I wrote a simple script to make the testing for this easier by automating these steps so that we can focus on more important testing.

Below is a screenshot of how the tool looks like when it runs.

In the screenshot below (in the last few lines), TCP ports 22, 111 and 8080 were accessible on the IPv6 interface of the host (10.5.192.48 | fe80::250:56ff:fe97:7a3b) but not on the IPv4 interface.

The next step would be to fingerprint the services running on the IPv6 interface, test for default or weak accounts (SSH), look for vulnerabilities and so on. You might just get lucky.

You can find the tool in the below Github link
https://github.com/milo2012/ipv4Bypass

 

Below are some useful articles that are related
https://www.trustwave.com/Resources/SpiderLabs-Blog/Using-IPv6-to-Bypass-Security/

https://www.darkreading.com/vulnerabilities—threats/weaponizing-ipv6-to-bypass-ipv4-security-/a/d-id/1331993

Advertisements

(CVE-2018-0296) Script to extract usernames from Cisco ASA devices

June 21, 2018 Leave a comment

I wrote a simple script to extract usernames from Cisco ASA devices if they are vulnerable to CVE-2018-0296.

You can check out this blog post for more technical details.
https://sekurak.pl/opis-bledu-cve-2018-0296-ominiecie-uwierzytelnienia-w-webinterfejsie-cisco-asa/

Screen Shot 2018-06-21 at 5.04.44 PM

This script would be useful instead of doing it manually.

However, there are easier ways to get usernames belonging to an organization.

The script is available at https://github.com/milo2012/CVE-2018-0296.

Categories: Uncategorized

pathBrute – yet another dirbuster alternative

April 21, 2018 Leave a comment

pathBrute is yet another dirbuster alternative.

It’s written in Go so it’s blazing fast.

pathBrute contains/uses a number of self compiled wordlists for identifying “interesting” content and potentially vulnerable websites.
1) 13925 URI paths from Exploit-Database (increasing regularly)
2) URI paths from Metasploit Framework

pathBrute can also use wordlists from other sources if you prefer.

pathBrute can also be used for identifying if any type of CMS (Joomla, WordPress and Drupal) is running on the target websites and fingerprint the versions of the CMS using the –cms option.

Binaries for different platforms and architectures are available in the the below Github project’s release section.

pathBrute is also available as a docket container.

I hope this tool will come in handy to you as it is to me.

The tool can be downloaded from https://github.com/milo2012/pathbrute

Categories: Uncategorized

Enumerating Domains of Specific Organisations

December 21, 2017 Leave a comment

My friend Paul wrote a tweet about a useful tip on how to enumerate the domains of a specific organization using curl.

Do follow him at @PaulWebSec if you haven’t.

I decided to expand on his tip.  It might be sometimes hard to find out the full organization name but you do know the domain name that they use (or maybe I am just lazy)

Below is the script that I wrote.  You only need to provide the domain name that the organization is using.    Please see the below example.

$ python test.py -h

Usage: test.py [options]
Options:
  -h, –help  show this help message and exit
  -t THREADS  number of threads
  -n DOMAIN   domain name
  -r          resolve DNS name

Below is an example of the script running against TechCrunch.com


$ python test.py -n techcrunch.com -t 20 -r
[*] Found the below organization names
TechCrunch, Inc., TechCrunch

[*] Found the below domains
5echcrunch.com
6echcrunch.com
aoltechcrunch.com
cleantechcrunch.com
crunch-pad.biz
crunch-pad.info
——– redacted for brevity ——–

[*] Results
—————————-  ——————————————-
5echcrunch.com              165.160.13.20, 165.160.15.20
6echcrunch.com              165.160.13.20, 165.160.15.20
aoltechcrunch.com         165.160.13.20, 165.160.15.20
cleantechcrunch.com     165.160.13.20, 165.160.15.20
crunch-pad.biz                165.160.15.20, 165.160.13.20
crunch-pad.info               165.160.15.20, 165.160.13.20
crunch-pad.net                165.160.13.20, 165.160.15.20

——– redacted for brevity ——–

 

The script can be downloaded from https://gist.github.com/milo2012/1714d2952c09b96ba2d8777f1cbf9de1

Categories: Uncategorized

Punycode Phishing Domains Generator

November 9, 2017 Leave a comment

I wrote a simple script that can generate Pnnycode domain names that I can use during phishing tests.
The issue with Punycode is that an attacker can create a spoof website with a URL that looks exactly the same like the real website.  It relies on the way that many browsers interpret punycode.

Firefox and Safari seems to be vulnerable to punycode phishing attack currently.

There are around 80 similar looking domains being generated by the script.


$ python genPunycodeDomain.py -d uniqlo.com

uniqlo.com          uniqlo.com [54.199.235.240]
unïqlo.com          xn--unqlo-dta.com [available]
unìqlo.com          xn--unqlo-usa.com [available]
uníqlo.com          xn--unqlo-0sa.com [available]
uniqlö.com          xn--uniql-nua.com [available]
uniqlò.com          xn--uniql-yta.com [available]
uniqló.com          xn--uniql-4ta.com [available]
üniqlo.com          xn--niqlo-jva.com [available]
ùniqlo.com          xn--niqlo-0ua.com [available]
úniqlo.com          xn--niqlo-6ua.com [available]
uniql0.com          uniql0.com [153.122.57.60]
unïqlö.com          xn--unql-6pa8b.com [available]
unïqlò.com          xn--unql-6pau.com [available]
unïqló.com          xn--unql-6pa0a.com [available]
ünïqlo.com          xn--nqlo-5pa0f.com [available]
ùnïqlo.com          xn--nqlo-5pa2d.com [available]
únïqlo.com          xn--nqlo-5pa8d.com [available]
unïql0.com          xn--unql0-dta.com [available]
unìqlö.com          xn--unql-rpa6d.com [available]
unìqlò.com          xn--unql-rpa2b.com [available]
unìqló.com          xn--unql-rpa8b.com [available]
ünìqlo.com          xn--nqlo-qpa8g.com [available]
ùnìqlo.com          xn--nqlo-qpa0f.com [available]
únìqlo.com          xn--nqlo-qpa6f.com [available]
unìql0.com          xn--unql0-usa.com [available]
uníqlö.com          xn--unql-wpa0d.com [available]
uníqlò.com          xn--unql-wpa6a.com [available]
uníqló.com          xn--unql-wpa2b.com [available]
üníqlo.com          xn--nqlo-vpa2g.com [available]
ùníqlo.com          xn--nqlo-vpa4e.com [available]
úníqlo.com          xn--nqlo-vpa0f.com [available]
uníql0.com          xn--unql0-0sa.com [available]
üniqlö.com          xn--niql-8qa5a.com [available]
ùniqlö.com          xn--niql-8qan.com [available]
úniqlö.com          xn--niql-8qat.com [available]
üniqlò.com          xn--niql-oqa9c.com [available]
ùniqlò.com          xn--niql-oqa1b.com [available]
úniqlò.com          xn--niql-oqa7b.com [available]
üniqló.com          xn--niql-tqa3c.com [available]
ùniqló.com          xn--niql-tqa5a.com [available]
úniqló.com          xn--niql-tqa1b.com [available]
üniql0.com          xn--niql0-jva.com [available]
ùniql0.com          xn--niql0-0ua.com [available]
úniql0.com          xn--niql0-6ua.com [available]
ünïqlö.com          xn--nql-zma1b5a.com [available]
ùnïqlö.com          xn--nql-zma1bn.com [available]
únïqlö.com          xn--nql-zma1bt.com [available]
ünïqlò.com          xn--nql-zmar9c.com [available]
ùnïqlò.com          xn--nql-zmar1b.com [available]
únïqlò.com          xn--nql-zmar7b.com [available]
ünïqló.com          xn--nql-zmaw3c.com [available]
ùnïqló.com          xn--nql-zmaw5a.com [available]
únïqló.com          xn--nql-zmaw1b.com [available]
ünïql0.com          xn--nql0-5pa0f.com [available]
ùnïql0.com          xn--nql0-5pa2d.com [available]
únïql0.com          xn--nql0-5pa8d.com [available]
ünìqlö.com          xn--nql-nma6c5a.com [available]
ùnìqlö.com          xn--nql-nma6cn.com [available]
únìqlö.com          xn--nql-nma6ct.com [available]
ünìqlò.com          xn--nql-nma6a5c.com [available]
ùnìqlò.com          xn--nql-nma6azb.com [available]
únìqlò.com          xn--nql-nma6a5b.com [available]
ünìqló.com          xn--nql-nma1bzc.com [available]
ùnìqló.com          xn--nql-nma1b5a.com [available]
únìqló.com          xn--nql-nma1bzb.com [available]
ünìql0.com          xn--nql0-qpa8g.com [available]
ùnìql0.com          xn--nql0-qpa0f.com [available]
únìql0.com          xn--nql0-qpa6f.com [available]
üníqlö.com          xn--nql-rma1c5a.com [available]
ùníqlö.com          xn--nql-rma1cn.com [available]
úníqlö.com          xn--nql-rma1ct.com [available]
üníqlò.com          xn--nql-rma1a9c.com [available]
ùníqlò.com          xn--nql-rma1a1b.com [available]
úníqlò.com          xn--nql-rma1a7b.com [available]
üníqló.com          xn--nql-rma6azc.com [available]
ùníqló.com          xn--nql-rma6a5a.com [available]
úníqló.com          xn--nql-rma6azb.com [available]
üníql0.com          xn--nql0-vpa2g.com [available]
ùníql0.com          xn--nql0-vpa4e.com [available]
úníql0.com          xn--nql0-vpa0f.com [available]

The domain on the left column is how the domain will appear in the browser’s location bar.
The domain on the right column is the domain to use/register.
If the domain is already in use, the IP address will appear next to the domain in the output above.

I hope this can be useful to some of you during your phishing tests.

The link to the source code is available at https://gist.github.com/milo2012/889752dadbf2d45c8e96d4a096a1736d

Below are some references to phishing with punycode.
https://www.xudongz.com/blog/2017/idn-phishing/
Phishing with ‘punycode’ – when foreign letters spell English words

Categories: Uncategorized

Jumping from Corporate to Compromising Semi-Isolated Network

September 21, 2017 1 comment

Finding and attacking hosts in Semi-Isolated networks
The new script ‘hopandhack‘ can be used by attackers to automatically find and hunt down hosts that are not directly accessible from the attacker’s machine.  In some organizations, IT administrators have to use something called a ‘jump box’ or VPN to access the secure data centre or PCI network where sensitive data are stored .

The ‘hopandhack’ script automates the process of finding hosts with the necessary routes to these secure network and compromises them.  The functionality of hopandhack will be incorporated into Portia in the next week or so.

hopandhack script can be found at https://github.com/SpiderLabs/portia under the filename ‘hopandhack.py’.

Basic Workflow of how the attack works.

Below is a video demo as presented at Rootcon (2017).  In the video, the attacker is able to access one host (host A) but not the other host (host B) thats in the secure network.

Host A has an active route to host B.  In order to compromise host B, the attacker has to setup a relay from host A to host B and then use this relay to dump credentials/hashes from host B.

More functionalities will be added in future.

The tool is currently available as a standalone tool and its functionalities will be ported over to Portia in the following week.
https://github.com/SpiderLabs/portia/blob/master/hopandhack.py

The slides from Rootcon 2017 is available at https://www.slideshare.net/secret/tkQFhYeFY3zEi4

Portia GitHub link

July 30, 2017 Leave a comment

Below is the updated GitHub link for Portia https://github.com/SpiderLabs/portia

Categories: Uncategorized