Archive

Archive for the ‘Automation’ Category

CVE-2013-6117 – Tool (Multithreaded and Extremely Fast)

July 23, 2018 Leave a comment

I wrote a simple script in Go to test if the target Dahua DVR device is vulnerable to authentication bypass flaw (CVE-2013-6117).

Dahua DVRs listen on TCP port 37777 by default.

If it is vulnerable, it will dump the credentials along with the dynamic dns name (DynDNS).

Some system administrators might use the same password for other systems. Therefore, a penetration tester might be able to use the credentials obtained from the DVR to gain further access into the network by accessing other systems or applications.

As the script is written in Go, it makes the tool extremely fast.

For more information regarding this vulnerability, you might want to check out https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117.

Screen Shot 2018-07-24 at 2.06.12 AM.png
The script can be downloaded from https://github.com/milo2012/CVE-2013-6117.

 

Advertisements

Using IPv6 to Bypass Security (tool)

June 22, 2018 Leave a comment

John Anderson from Trustwave wrote an interesting post on Trustwave SpiderLabs blog (link at end of this post).

In the article, an attacker was able to use IPv6 to bypass security protections that was in place for iPv4 but not IPv6.

The number of open ports on the IPv6 and IPv4 addresses on the same host are different.

Below is a walkthrough of how to perform the technique.

1) Sends an ICMP echo request (ping6 ff02::1%eth0) to the broadcast address (ff02::1) , all IPv6 hosts in the local network will reply
2) Sends an ARP requests to all IPv4 hosts in the local network
3) Performs a port scan of all IPv4 and IPv6 hosts that are alive in the local network
4) Match the IPv6 address to the IPv4 address based on the MAC address information.
5) Checks to see if the scan against the IPv6 address on the host returns more open ports that the IPv4 address on the same host and outputs the difference in ports (if any)

I wrote a simple script to make the testing for this easier by automating these steps so that we can focus on more important testing.

Below is a screenshot of how the tool looks like when it runs.

In the screenshot below (in the last few lines), TCP ports 22, 111 and 8080 were accessible on the IPv6 interface of the host (10.5.192.48 | fe80::250:56ff:fe97:7a3b) but not on the IPv4 interface.

The next step would be to fingerprint the services running on the IPv6 interface, test for default or weak accounts (SSH), look for vulnerabilities and so on. You might just get lucky.

You can find the tool in the below Github link
https://github.com/milo2012/ipv4Bypass

 

Below are some useful articles that are related
https://www.trustwave.com/Resources/SpiderLabs-Blog/Using-IPv6-to-Bypass-Security/

https://www.darkreading.com/vulnerabilities—threats/weaponizing-ipv6-to-bypass-ipv4-security-/a/d-id/1331993

Jumping from Corporate to Compromising Semi-Isolated Network

September 21, 2017 1 comment

Finding and attacking hosts in Semi-Isolated networks
The new script ‘hopandhack‘ can be used by attackers to automatically find and hunt down hosts that are not directly accessible from the attacker’s machine.  In some organizations, IT administrators have to use something called a ‘jump box’ or VPN to access the secure data centre or PCI network where sensitive data are stored .

The ‘hopandhack’ script automates the process of finding hosts with the necessary routes to these secure network and compromises them.  The functionality of hopandhack will be incorporated into Portia in the next week or so.

hopandhack script can be found at https://github.com/SpiderLabs/portia under the filename ‘hopandhack.py’.

Basic Workflow of how the attack works.

Below is a video demo as presented at Rootcon (2017).  In the video, the attacker is able to access one host (host A) but not the other host (host B) thats in the secure network.

Host A has an active route to host B.  In order to compromise host B, the attacker has to setup a relay from host A to host B and then use this relay to dump credentials/hashes from host B.

More functionalities will be added in future.

The tool is currently available as a standalone tool and its functionalities will be ported over to Portia in the following week.
https://github.com/SpiderLabs/portia/blob/master/hopandhack.py

The slides from Rootcon 2017 is available at https://www.slideshare.net/secret/tkQFhYeFY3zEi4

metasploitHelper and nmap2nessus released at Blackhat Asia Arsenal 2015

March 30, 2015 Leave a comment

@mgianarakis and me (@keith55) presented two new tools (metasploitHelper and nmap2nessus) at Blackhat Asia Arsenal in Singapore on 26th and 27th of March, 2015.

The tools were developed to help guys like us during vulnerability assessments and penetration tests.

Blog posts about the tools will be coming soon. Meanwhile, the information on the Github pages should be sufficient to get you started.
The tools are open source.  Feel free to contribute to the projects. Thank you

MetasploitHelper
Slides: http://bit.ly/1D62PWB
GitHub: https://github.com/milo2012/nmap2nessus

Nmap2nessus
Slides: http://bit.ly/1GxaYTA
GitHub: https://github.com/milo2012/metasploitHelper

winboxHunter

August 27, 2014 Leave a comment

Prerequisites:

– Python2.7
– Impacket (svn checkout http://impacket.googlecode.com/svn/trunk/ impacket-read-only)
– Ruby
– Veil Evasion (git clone https://github.com/Veil-Framework/Veil-Evasion.git)

Description:

If you are working on a penetration test remotely, its sometimes hard to determine when the users start work or connect their laptops to the network.

winboxHunter is useful if you have managed to capture and cracked a bunch of NTLM credentails and want to run Metasploit against these windows boxes as and when they are connected to the network.

winboxHunter listens for NBNS broadcast packets so that when a new winBox is connected to the network, it will use the Impacket scripts (psexec.py and wmiexec.py) to push an executable onto the winBox and runs it.

In the background, winboxHunter runs Metasploit with payload handler (multi/handler) and listens for incoming connections from the winboxes.

You might want to modify autorunCmd.rc to specify the Metasploit commands you want to run on the pwned winbox upon connecting back to Metasploit.

See meterpreter.rc and autorunCmd.rc for more details.

If a host changes its IP address due to DHCP lease expiration, it will not attempt to exploit the winbox twice.

Format of password.txt

domain/username password

Instructions:

Meterpreter executable

You only need to use one of the below 2 options

– You can either use your own meterpreter payload executable using the -e or –exe argument (payload=windows/meterpreter/reverse_https, rport=8443) or

– You can use the -n or –enableVeil argument to generate a meterpreter payload executable using Veil Evasion
You can run winboxHunter using the below sample command

ruby winboxHunter.rb -n -f password.txt -v

When you run winboxHunter, a linux screen with the name “msfscreen” will be created and msfconsole will be executed. You can connect to the screen via the below command

screen -dr msfscreen

The source code for winboxHunter can be found at https://github.com/milo2012/winboxHunter