This tool is oriented to extracting metadata from files published on the target's domains. It looks into the following types of files: PDF, PPT, DOC, XLS and MDB, and examines relevant fields such as "Author" or "Last Saved by".
The idea is to look into fields that may reveal information about users, which can then be used for brute-force attacks. This information can also reveal Windows domain users, or the convention the company uses to generate user names.
Once the docs are identified, they are downloaded and analyzed. The information is presented in an HTML document. Please feel free to use this tool and don't hesitate to send us your feedback.
Download: metagoofil-1.2.tar
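The same "Author"-style fields are what a publisher should check before a document goes on a public web server. The following is an added example (not part of metagoofil or this post) that pulls the sensitive entries out of a PDF Info dictionary; the sample PDF bytes are constructed for the demo, and the parser assumes an uncompressed Info dictionary.

```python
import re

# Info-dictionary keys that commonly carry user, host or product names; the post
# singles out "Author" (and "Last Saved by", which lives in OLE files, not PDF).
SENSITIVE_KEYS = ("Author", "Creator", "Producer", "Title", "Subject", "Keywords")

# /Key followed by a literal string "(...)" (escaped parens allowed, unescaped
# nested parens are not handled) or a hex string "<...>".
_ENTRY_RE = re.compile(
    rb"/(" + b"|".join(k.encode() for k in SENSITIVE_KEYS)
    + rb")\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)"
)
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def _decode_pdf_string(raw: bytes) -> str:
    """Decode a PDF literal or hex string object into text."""
    if raw.startswith(b"<"):
        data = bytes.fromhex(re.sub(rb"\s", b"", raw[1:-1]).decode("ascii"))
    else:
        data = re.sub(rb"\\([nrt()\\])", lambda m: _ESCAPES[m.group(1)], raw[1:-1])
    if data.startswith(b"\xfe\xff"):  # UTF-16BE with byte-order mark
        return data[2:].decode("utf-16-be", errors="replace")
    return data.decode("latin-1")  # PDFDocEncoding is close enough to Latin-1 here


def extract_pdf_info(pdf: bytes) -> dict:
    """Return {field: value} for each sensitive entry in an uncompressed Info
    dictionary. Info stored in an object stream or as XMP needs a real parser."""
    found = {}
    for m in _ENTRY_RE.finditer(pdf):
        found.setdefault(m.group(1).decode("ascii"), _decode_pdf_string(m.group(2)))
    return found


def metadata_findings(pdf: bytes) -> list:
    """Non-empty fields a publisher should scrub before the file goes on the web."""
    return [f"{k}: {v}" for k, v in extract_pdf_info(pdf).items() if v.strip()]


# Constructed minimal PDF fragment with an Info dictionary; not a real document.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /Author (jsmith) /Creator (ACME Corp \\(internal\\)) "
    b"/Title <FEFF00510075006100720074006500720020007200650070006F00720074> >> endobj\n"
    b"trailer << /Info 2 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for finding in metadata_findings(SAMPLE_PDF):
        print(finding)
```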
Thursday, September 6, 2007
Sunday, August 26, 2007
Wfuzz, proxies and webserver scanning...
Today I was performing a pentest on a very big network. After struggling a bit I managed to upload files to a web server; an antivirus was running, so many known tools didn't work, so it was time for more creativity. I pulled the http-proxy, a Python-based proxy developed by Edge-security, compiled it into a binary with py2exe, created a self-extracting zip, and uploaded it to the server. I configured the proxy to listen on port 53, as they leave that port unfiltered, neat :P
Well, so far so good, now I needed to know which machines were running webservers. I could have programmed a Python scanner and uploaded it, but I was running out of time, so I went for wfuzz, the swiss knife for application testing (everybody says their tool is a swiss knife). I used this command line to scan for web servers in the internal LAN through the proxy:
me ----> Server w/proxy ---->LAN
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ
Some wfuzz switches:
-x sets the proxy
--hc is used to hide the XXX error code from the results, as machines without a webserver will fail the request (this was added in the new version).
With this command line, I will get every web server on the segment 10.10.1.X; I had to repeat this line for every segment the compromised server could reach, just that easy, fast and fun.
The http-proxy I used is part of the next framework being baked at Edge-security, stay tuned..
See you soon, Laramies.