Archive

Author Archive

Medusa ‘combo’ word lists (default usernames and passwords) for SSH and Telnet services

August 16, 2014 Leave a comment

Cirt.net is a useful resource that contains the default credentials for various devices.

I wrote a script that crawls, parses and extracts the credentials from cirt.net and outputs them into the “combo” format as required by medusa. Medusa is a brute force tool for numerous services like MySQL, SMB, SSH, Telnet and etc.

Currently, only ssh and telnet related credentials are extracted from cirt.net.

You can download the “combo” word lists for ssh and telnet via the direct links below.

SSH combo list for Medusa

https://github.com/milo2012/pentest_scripts/blob/master/default_accounts_wordlist/wordList_ssh.txt

Telnet combo list for Medusa

https://github.com/milo2012/pentest_scripts/blob/master/default_accounts_wordlist/wordList_telnet.txt

Combined users.txt and passwords.txt that you can use with Patator (https://code.google.com/p/patator/) which is another awesome brute force tool.

Sample command for medusa “combo” SSH attack.
medusa -M ssh -C wordList_ssh.txt -H port22.txt

If you would like to play around with the python script, you can download the file at the below location.

Github

https://github.com/milo2012/pentest_scripts/tree/master/default_accounts_wordlist

Patator is another awesome tool that you can use for brute forcing SSH logins

https://code.google.com/p/patator/

Sample command for patator SSH attack

patator.py ssh_login host=10.0.0.1 user=FILE0 password=FILE1 0=users.txt 1=passwords.txt -x ignore:mesg=’Authentication failed.’

Shoutout

Special shoutout to Cirt.net for maintaining and providing the extensive database of default credentials at cirt.net/passwords

Extended functionality for Burp Plugin – Carbonator

August 4, 2014 10 comments

I wrote a script to extend the functions of Burp plugin – Carbonator.

Carbonator is an awesome script by Integris Security. Carbonator uses Jython which is easy for me to understand.

Its similar to Sodapop by Redspin. However, the Sodapop script seems broken now.

Below is a link to Sodapop by Redspin

http://www.redspin.com/blog/2010/09/20/advanced-burp-suite-automation-2/

Below is a description for Carbonator from their website.
Carbonator’s purpose is to enable the ability to automate the vulnerability scanning of a large number of web applications.
A single command from a command line can now produce volumes of vulnerability information.

Carbonator can be found here

https://www.integrissecurity.com/index.php?resources=Carbonator

Burp Carbonator Extension Mod

I made some additional tweaks to the original carbonator.py script as well as created my own launch_burp.py run script.

The additional functionalities that I have included are
1. Allow you to run Burp/Carbonator against a file containing a list of domain names/IPS/urls. Below is a screenshot of the file format.

Carbonator file input containing domain names/urls/ip

2. Run Bing lookup against the IP address of the domain name and find other websites that are hosted on the same IP address (using the IP:x.x.x.x keyword in Bing) and run Burp/Carbonator against these additional websites. These seems to be some false positives in Bing search engine. The script checks to make sure that the domain name resolves to the same IP address.

3. Search Google for links belonging to the domain name (using the site:domain.com keyword) in Google and run Burp/Carbonator against these links. You might find additional website content/links as compared to crawling http://www.domain.com.

My Github repo for the code is at https//github.com/milo2012/carbonator. Please feel free to send me your feedback/comments. Thank you for reading.

Oracle Exploitation – Interesting Data Finder/Data Dumper

September 11, 2013 Leave a comment

I wrote a script to easily dump a sample size of data from each table in the Oracle databases.

If you want to search for column names matching (passw|bank|credit|card), you can enable the -idf argument. This is similar to auxillary/admin/mssql/mssql_idf module in Metasploit.

Oracle Pillaging

The script can be downloaded at https://github.com/milo2012/pentest_scripts/blob/master/oracle_pillage/ora_pillage.py

Please send your feedback to @keith55 or keith.lee2012[at]gmail.com.

Categories: Databases, Oracle

Oracle Exploitation – Privilege Escalation

September 7, 2013 Leave a comment

 

Many times during Penetration Tests, we found a limited account for the Oracle database server.  The next step would be to find a SQL injection vulnerability to obtain DBA privileges. There are a number of Metasploit modules that we can use to escalate to DBA privileges.  The Metasploit modules scripts below are for different varying versions of Oracle database servers. I cant remember which Metasploit modules are for which versions.

Metasploit Oracle SQL Injection Modules

To speed things up, I wrote a script that does the below

(1) Check if the account specified has access to the database
(2) Check if the account has DBA privileges
(3) If no, check the version of the Oracle database server
(4) Select the relevant Oracle SQL injection modules for that version of Oracle database and write a Metasploit resource script to disk
(5) Run the Metasploit resource script and attempt to gain DBA privileges
(6) Check permissions of account and verifies if DBA privileges have been obtained.

ora_priv.py script

ora_priv.py script

The script is still a work in progress.  You can download the script via the below link.
https://github.com/milo2012/pentest_scripts/blob/master/oracle_pillage/ora_priv.py

Categories: Exploitation, Oracle

WordPress Plugin NextGEN Gallery 1.9.12 Arbitrary File Upload vulnerability (CVE-2013-3684)

August 10, 2013 Leave a comment

I converted the original WordPress Plugin NextGEN Gallery 1.9.12 Arbitrary File Upload exploit from Perl to Python for fun.

The original exploit can be found at http://downloads.securityfocus.com/vulnerabilities/exploits/60533.pl

Below is the python script for CVE-2013-3684

https://github.com/milo2012/pentest_scripts/tree/master/wordpress_exploits

CVE-2013-3684

Categories: Exploitation

Command Line IMAP/POP3 Email Downloader

July 30, 2013 Leave a comment

Wrote this script “Command Line IMAP/POP3 Email Downloader” some time ago.
Found it during spring cleaning.

Download the script here

https://github.com/milo2012/pentest_scripts/tree/master/emaildownloader

Categories: Uncategorized

niktoHelper – Bridge between Nmap Grepable Output and Nikto

July 7, 2013 Leave a comment

During a penetration test, Nikto is usually used after Nmap. However, sometimes the web servers are virtual hosts (serving more than one website on the same web server)

The usual steps after running Nmap against the hosts are
1. Go to Bing.com and do a reverse DNS lookup (e.g. IP:69.194.235.101) on the IPs.
2. If there are no results, check the SSL certificate on the host
3. Run nikto.pl with the vhost parameter. (e.g.)

perl nikto.pl -vhost www.bd-motor.com -maxtime 7200 -Cgidirs all -ssl -host  69.194.235.103 -port 80 -output nikto_69.194.235.103-port443-www.bd-motor.com.txt

This script automates all of the above steps.

Below is what you see when you run niktoHelper.py without any arguments.

You are able to select the number of threads to use using the -child argument.
To only display the Nikto command output, use the -display argument.

Image

To run nikto against a selected website, key in the number followed by comma
E.g. 1,4,10

To run nikto against all results, key in ALL and press enter
To skip all websites shown, press ENTER or key in NONE followed by enter key.Image

If you use the -display argument, the Nikto command is supposed to be used against the websites are shown on screen.

Image

The script can be downloaded at https://github.com/milo2012/pentest_scripts/tree/master/niktohelper

If you have any feedback and suggestion, please send it to me below. Thank you

Follow

Get every new post delivered to your Inbox.