CVE-2013-6117 – Tool (Multithreaded and Extremely Fast)

I wrote a simple script in Go to test if the target Dahua DVR device is vulnerable to authentication bypass flaw (CVE-2013-6117).

Dahua DVRs listen on TCP port 37777 by default.

If it is vulnerable, it will dump the credentials along with the dynamic dns name (DynDNS).

Some system administrators might use the same password for other systems. Therefore, a penetration tester might be able to use the credentials obtained from the DVR to gain further access into the network by accessing other systems or applications.

As the script is written in Go, it makes the tool extremely fast.

For more information regarding this vulnerability, you might want to check out https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117.

The script can be downloaded from https://github.com/milo2012/CVE-2013-6117.

 

Using IPv6 to Bypass Security (tool)

John Anderson from Trustwave wrote an interesting post on Trustwave SpiderLabs blog (link at end of this post).

In the article, an attacker was able to use IPv6 to bypass security protections that was in place for iPv4 but not IPv6.

The number of open ports on the IPv6 and IPv4 addresses on the same host are different.

Below is a walkthrough of how to perform the technique.

1) Sends an ICMP echo request (ping6 ff02::1%eth0) to the broadcast address (ff02::1) , all IPv6 hosts in the local network will reply
2) Sends an ARP requests to all IPv4 hosts in the local network
3) Performs a port scan of all IPv4 and IPv6 hosts that are alive in the local network
4) Match the IPv6 address to the IPv4 address based on the MAC address information.
5) Checks to see if the scan against the IPv6 address on the host returns more open ports that the IPv4 address on the same host and outputs the difference in ports (if any)

I wrote a simple script to make the testing for this easier by automating these steps so that we can focus on more important testing.

Below is a screenshot of how the tool looks like when it runs.

In the screenshot below (in the last few lines), TCP ports 22, 111 and 8080 were accessible on the IPv6 interface of the host (10.5.192.48 | fe80::250:56ff:fe97:7a3b) but not on the IPv4 interface.

The next step would be to fingerprint the services running on the IPv6 interface, test for default or weak accounts (SSH), look for vulnerabilities and so on. You might just get lucky.

You can find the tool in the below Github link
https://github.com/milo2012/ipv4Bypass

 

Below are some useful articles that are related
https://www.trustwave.com/Resources/SpiderLabs-Blog/Using-IPv6-to-Bypass-Security/

https://www.darkreading.com/vulnerabilities—threats/weaponizing-ipv6-to-bypass-ipv4-security-/a/d-id/1331993

Jumping from Corporate to Compromising Semi-Isolated Network

Finding and attacking hosts in Semi-Isolated networks
The new script ‘hopandhack‘ can be used by attackers to automatically find and hunt down hosts that are not directly accessible from the attacker’s machine.  In some organizations, IT administrators have to use something called a ‘jump box’ or VPN to access the secure data centre or PCI network where sensitive data are stored .

The ‘hopandhack’ script automates the process of finding hosts with the necessary routes to these secure network and compromises them.  The functionality of hopandhack will be incorporated into Portia in the next week or so.

hopandhack script can be found at https://github.com/SpiderLabs/portia under the filename ‘hopandhack.py’.

Basic Workflow of how the attack works.

Below is a video demo as presented at Rootcon (2017).  In the video, the attacker is able to access one host (host A) but not the other host (host B) thats in the secure network.

Host A has an active route to host B.  In order to compromise host B, the attacker has to setup a relay from host A to host B and then use this relay to dump credentials/hashes from host B.

More functionalities will be added in future.

The tool is currently available as a standalone tool and its functionalities will be ported over to Portia in the following week.
https://github.com/SpiderLabs/portia/blob/master/hopandhack.py

The slides from Rootcon 2017 is available at https://www.slideshare.net/secret/tkQFhYeFY3zEi4

metasploitHelper and nmap2nessus released at Blackhat Asia Arsenal 2015

@mgianarakis and me (@keith55) presented two new tools (metasploitHelper and nmap2nessus) at Blackhat Asia Arsenal in Singapore on 26th and 27th of March, 2015.

The tools were developed to help guys like us during vulnerability assessments and penetration tests.

Blog posts about the tools will be coming soon. Meanwhile, the information on the Github pages should be sufficient to get you started.
The tools are open source.  Feel free to contribute to the projects. Thank you

MetasploitHelper
Slides: http://bit.ly/1D62PWB
GitHub: https://github.com/milo2012/nmap2nessus

Nmap2nessus
Slides: http://bit.ly/1GxaYTA
GitHub: https://github.com/milo2012/metasploitHelper

Pentesting Firebird Databases

There seems to be limited information on pentesting Firebird databases on the Internet.
Firebird database server listens on TCP port 3050.

One good resource I found is http://blog.opensecurityresearch.com/2012/07/fun-with-firebird-database-default.html.

It seems like most people do not change the default SYSDBA credentials for their Firebird database. Below are the default credentials. 
Username: SYSDBA
Password: masterkey

I have encountered before that the access card database system was using Firebird database for its backend.
This python script requires pyfirebirdsql library from https://github.com/nakagami/pyfirebirdsql.

Firebird requires you to supply the database name on the server you are trying to.
One way to get around it is to check for active connections on the Firebird database server.

What this tools does is to
1. Connect to the Firebird database server using the default credentials
2. List the connected databases
3. Dump the records from the Firebird database server

You can also use the -wordlist argument to supply it a wordlist of database names so that it can attempt to brute-force. That is useful if there aren’t any active connections (or databases not mounted) on the Firebird database that you are trying to access.

Below is a screenshot of the tool in action.

The common-tables.txt file from sqlmap is useful if you need a wordlist.
https://raw.githubusercontent.com/sqlmapproject/sqlmap/master/txt/common-tables.txt

The tool can be downloaded from the below Github repo.
https://github.com/milo2012/firebirdDump

Test AS/400 for default credentials

I wrote a simple script to test default credentials in AS/400. I made use of the library and sample code from http://tn5250py.cvs.sourceforge.net/.  It currently only works with IBM AS/400 telnet servers for now.

You can pull the code from https://github.com/milo2012/pentest_scripts/tree/master/as400.
You will have to supply the ip and port of the AS400 server in the command line

Below is a screenshot of the tool in action.

Corelabs Impacket Scripts (Modded)

I made some changes to wmiexec.py script due to some anonyances I encountered during peneration tests.

The use case scenario for these modded scripts is that if the password contains special characters like @ or : and you can’t use it with the default wmiexec.py/psexec.py/smbexec.py scripts (maybe its just me who can’t figure out how to know how to use them :P)

These 3 scripts (wmiexec.py/psexec.py/smbexec.py) are the common tools that you can use if you want to get the remote host to execute a meterpreter exe file generated via Veil-Evasion.

Using the modded scripts, you can get a list of hosts to run a single command (eg ipconfig) using one line of command.

The source code for the modded scriptscan be found here
https://github.com/milo2012/pentest_scripts/tree/master/impacket.

Special thanks for Corelabs for making these scripts. Impacket scripts can be found here https://code.google.com/p/impacket/.

Screenshot of psexec.py

Examples of how you can use the modded psexec.py
python wmiexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -command ipconfig
python wmiexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -f ips.txt -command ipconfig

Screenshot of smbexec.py

Examples of how you can use the modded smbexec.py
python smbexec.py -d testdomain -u user -p pass -ip 192.168.2.1
python smbexec.py -d testdomain -u user -p pass -f ips.txt

Screenshot of wmiexec.py
Examples of how you can use the modded wmiexec.py
python psexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -command ipconfig
python psexec.py -d testdomain -u user -p pass -f ips.txt -command ipconfig

winboxHunter

Prerequisites:

– Python2.7
– Impacket (svn checkout http://impacket.googlecode.com/svn/trunk/ impacket-read-only)
– Ruby
– Veil Evasion (git clone https://github.com/Veil-Framework/Veil-Evasion.git)

Description:

If you are working on a penetration test remotely, its sometimes hard to determine when the users start work or connect their laptops to the network.

winboxHunter is useful if you have managed to capture and cracked a bunch of NTLM credentails and want to run Metasploit against these windows boxes as and when they are connected to the network.

winboxHunter listens for NBNS broadcast packets so that when a new winBox is connected to the network, it will use the Impacket scripts (psexec.py and wmiexec.py) to push an executable onto the winBox and runs it.

In the background, winboxHunter runs Metasploit with payload handler (multi/handler) and listens for incoming connections from the winboxes.

You might want to modify autorunCmd.rc to specify the Metasploit commands you want to run on the pwned winbox upon connecting back to Metasploit.

See meterpreter.rc and autorunCmd.rc for more details.

If a host changes its IP address due to DHCP lease expiration, it will not attempt to exploit the winbox twice.

Format of password.txt

domain/username password

Instructions:

Meterpreter executable

You only need to use one of the below 2 options

– You can either use your own meterpreter payload executable using the -e or –exe argument (payload=windows/meterpreter/reverse_https, rport=8443) or

– You can use the -n or –enableVeil argument to generate a meterpreter payload executable using Veil Evasion
You can run winboxHunter using the below sample command

ruby winboxHunter.rb -n -f password.txt -v

When you run winboxHunter, a linux screen with the name “msfscreen” will be created and msfconsole will be executed. You can connect to the screen via the below command

screen -dr msfscreen

The source code for winboxHunter can be found at https://github.com/milo2012/winboxHunter

Medusa ‘combo’ word lists (default usernames and passwords) for SSH and Telnet services

Cirt.net is a useful resource that contains the default credentials for various devices.

I wrote a script that crawls, parses and extracts the credentials from cirt.net and outputs them into the “combo” format as required by medusa. Medusa is a brute force tool for numerous services like MySQL, SMB, SSH, Telnet and etc.

Currently, only ssh and telnet related credentials are extracted from cirt.net.

You can download the “combo” word lists for ssh and telnet via the direct links below.

SSH combo list for Medusa
https://github.com/milo2012/pentest_scripts/blob/master/default_accounts_wordlist/wordList_ssh.txt

Telnet combo list for Medusa
https://github.com/milo2012/pentest_scripts/blob/master/default_accounts_wordlist/wordList_telnet.txt

Combined users.txt and passwords.txt that you can use with Patator (https://code.google.com/p/patator/) which is another awesome brute force tool.

Sample command for medusa “combo” SSH attack.
medusa -M ssh -C wordList_ssh.txt -H port22.txt

If you would like to play around with the python script, you can download the file at the below location.

Github
https://github.com/milo2012/pentest_scripts/tree/master/default_accounts_wordlist

Patator is another awesome tool that you can use for brute forcing SSH logins

https://code.google.com/p/patator/

Sample command for patator SSH attack

patator.py ssh_login host=10.0.0.1 user=FILE0 password=FILE1 0=users.txt 1=passwords.txt -x ignore:mesg=’Authentication failed.’

Shoutout

Special shoutout to Cirt.net for maintaining and providing the extensive database of default credentials at cirt.net/passwords

Extended functionality for Burp Plugin – Carbonator

I wrote a script to extend the functions of Burp plugin – Carbonator.

Carbonator is an awesome script by Integris Security. Carbonator uses Jython which is easy for me to understand.

Its similar to Sodapop by Redspin. However, the Sodapop script seems broken now.

Below is a link to Sodapop by Redspin
http://www.redspin.com/blog/2010/09/20/advanced-burp-suite-automation-2/

Below is a description for Carbonator from their website.
Carbonator’s purpose is to enable the ability to automate the vulnerability scanning of a large number of web applications.
A single command from a command line can now produce volumes of vulnerability information.

Carbonator can be found here
https://www.integrissecurity.com/index.php?resources=Carbonator

I made some additional tweaks to the original carbonator.py script as well as created my own launch_burp.py run script.

The additional functionalities that I have included are
1. Allow you to run Burp/Carbonator against a file containing a list of domain names/IPS/urls. Below is a screenshot of the file format.

2. Run Bing lookup against the IP address of the domain name and find other websites that are hosted on the same IP address (using the IP:x.x.x.x keyword in Bing) and run Burp/Carbonator against these additional websites. These seems to be some false positives in Bing search engine. The script checks to make sure that the domain name resolves to the same IP address.

3. Search Google for links belonging to the domain name (using the site:domain.com keyword) in Google and run Burp/Carbonator against these links. You might find additional website content/links as compared to crawling http://www.domain.com.

My Github repo for the code is at https//github.com/milo2012/carbonator. Please feel free to send me your feedback/comments. Thank you for reading.