In one of our latest penetration tests we faced an SSH server that was based on Maverick SSHTOOLS.
The funny thing is that this server was implemented by copying and pasting the example from the web, which had the port forwarding feature enabled.
After running a brute-force attack, we found that the admin account had the password "admin" (strong password policy, btw), but when we tried to log in there was no shell; the server echoed everything we typed. So we went for the port forwarding option: we forwarded some ports to interesting services like Terminal Server on the same machine and it worked. Then we thought it would be great to be able to scan the internal network through this port forwarding feature, and that's how we came up with the SSHscan tool.
SSHscan.py will allow you to scan an internal network through an SSH server with port forwarding enabled. The tool can also create a port forward on localhost for every open port detected in the internal network range.
This tool is not one that can be used in every engagement, but when you have the opportunity and the need it will come in handy.
The tool has been included in the edgeSSH kit, where we will include all the scripts related to SSH; at the moment only bruteSSH, an SSH login brute-forcer, and scanSSH are included in the kit.
You can download the code here: http://code.google.com/p/edgessh
Command line options:
-h: target host
-u: username
-p: password
-l: targets lists to scan
-t: threads
--remote-host: host to scan
--remote-ports: port list to scan
--default-ports: scan default ports
--all-ports: scan all 65535 ports
--keep-tunnels: Forward all open ports
Examples:
scanssh.py -h 192.168.1.55 -u root -p password -l list.txt
scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --remote-ports 80,443
scanssh.py -h 192.168.1.55 -u root -p password --remote-host 127.0.0.1 --default-ports
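The server in this story shipped with port forwarding switched on, and the same default exists in OpenSSH (AllowTcpForwarding yes, PermitOpen any), where a ForceCommand that gives the user no shell still leaves tunnelling available. As an added example, not part of the original post or of the edgeSSH kit, this Python script parses an sshd_config and flags the settings that let a shell-less account pivot; both sample configs are constructed.

```python
import re
# Constructed sshd_config mirroring the post: a no-shell "admin" account, but
# TCP forwarding left at the OpenSSH defaults, so the account can still pivot.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
Match User admin
    ForceCommand /usr/local/bin/echo-shell
"""
# The same host with forwarding locked down (also constructed).
HARDENED_SSHD_CONFIG = "AllowTcpForwarding no\nPermitOpen none\n"

# OpenSSH defaults for the directives that govern tunnelling through the server.
DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}

def parse_sshd_config(text):
    """Top-level directives plus Match blocks; keywords are case-insensitive
    and, like sshd, the first value seen for a keyword wins."""
    global_cfg, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":                             # later lines apply conditionally
            current = {"match": value, "directives": {}}
            match_blocks.append(current)
            continue
        (current["directives"] if current else global_cfg).setdefault(key, value)
    return global_cfg, match_blocks

def audit_forwarding(text):
    """Findings that let an authenticated user open tunnels to other hosts;
    an empty list means forwarding is disabled at every level."""
    global_cfg, match_blocks = parse_sshd_config(text)
    effective = lambda key: global_cfg.get(key, DEFAULTS[key]).lower()
    findings = []
    fwd = effective("allowtcpforwarding")
    if fwd not in ("no", "remote"):                    # yes/all/local allow -L tunnels
        findings.append("AllowTcpForwarding=%s: clients can reach internal hosts" % fwd)
        if effective("permitopen") == "any":
            findings.append("PermitOpen=any: no restriction on tunnel destinations")
    for block in match_blocks:                         # ForceCommand alone does not stop tunnels
        d = block["directives"]
        if "forcecommand" in d and d.get("allowtcpforwarding", fwd).lower() != "no":
            findings.append("Match %s: ForceCommand set but forwarding still allowed" % block["match"])
    return findings
```

Running `audit_forwarding(SAMPLE_SSHD_CONFIG)` yields three findings, while the hardened config yields none.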
Enjoy Edge-Security
Edge-security blog about Penetration testing, OSINT, security tools, and other interesting stuff.
Wednesday, June 22, 2011
Friday, July 9, 2010
OWASP VI Spain Meeting -2010: And still bruteforcing

Hi all, on the past 19th of June I presented at the OWASP VI Spain Meeting a review of brute-force attacks on web applications. This is an old technique that is still useful for attackers, and I showed with examples that it is present in many attacks that affect big companies like Facebook, Yahoo, AT&T, Tuenti, etc. I also presented the latest version of Webslayer, a tool to perform all kinds of brute-force attacks on web applications.
You can find the presentation here:
http://www.owasp.org/images/2/2a/Bruteforce2010.key.pdf
And also the video of the talk (in Spanish) here.
Here is a picture of the conference showing the Webslayer results interface:
The next version will add some requested features like multiple proxy support, delay between requests, and many more.
Stay tuned and enjoy...
Christian
Friday, May 14, 2010
Massive Web Application discovery with Wfuzz
Last week I had to review around 40 websites for a penetration test in a short period of time, so the first thing I wanted was to search for directories or files on the web servers. So how can we automate the full scan with Wfuzz? We can use a command like this:
$ wfuzz -c -z file -f urllist.txt,dictionary.txt --html --hc 404 http://FUZZ/FUZ2Z 2> results.html
The first FUZZ will be replaced with the contents of urllist.txt, where you should have the website addresses in the format "www.target.com", and the second FUZ2Z will be replaced with the dictionary; in my case I used big.txt.
Soon I will release an update of Webslayer and will show how to do this with it.
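From the server side, a dictionary scan like the one above shows up as a burst of 404/403 responses from a single client, and the few paths that did resolve are exactly what the scanner's --hc 404 filter keeps for the tester. The following is an added example, not part of this post or of Wfuzz: it parses combined-format access log lines (a constructed sample) and flags clients with a high miss ratio, reporting the paths that resolved so an analyst can see what the wordlist found.

```python
import re
from collections import defaultdict

# Combined log format: a directory brute-force leaves its trail in ip, path and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) ')

# Constructed sample: one client walking a wordlist (mostly 404s) next to a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2010:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Wfuzz/2.0"
203.0.113.7 - - [14/May/2010:10:00:01 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Wfuzz/2.0"
203.0.113.7 - - [14/May/2010:10:00:02 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "Wfuzz/2.0"
203.0.113.7 - - [14/May/2010:10:00:02 +0000] "GET /config/ HTTP/1.1" 404 209 "-" "Wfuzz/2.0"
203.0.113.7 - - [14/May/2010:10:00:03 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Wfuzz/2.0"
203.0.113.7 - - [14/May/2010:10:00:03 +0000] "GET /test/ HTTP/1.1" 200 512 "-" "Wfuzz/2.0"
198.51.100.9 - - [14/May/2010:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2010:10:00:05 +0000] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Yield (ip, path, status) for every well-formed combined-log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))

def find_bruteforcers(text, min_requests=5, min_miss_ratio=0.6):
    """Flag clients whose requests are mostly 404/403: the signature of a wordlist scan.
    Returns {ip: {"requests": n, "misses": n, "hits": [paths that resolved]}} so the
    analyst sees exactly what the scanner's --hc 404 filter would have kept."""
    stats = defaultdict(lambda: {"requests": 0, "misses": 0, "hits": []})
    for ip, path, status in parse_log(text):
        s = stats[ip]
        s["requests"] += 1
        if status in (403, 404):
            s["misses"] += 1
        elif status < 400:
            s["hits"].append(path)
    return {ip: s for ip, s in stats.items()
            if s["requests"] >= min_requests and s["misses"] / s["requests"] >= min_miss_ratio}
```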
Enjoy!
Laramies
Monday, January 11, 2010
Security Ezines 2010
Hi all, in this brief post I would like to share some new ezines about security that were released this year. The first one is called Into the Boxes, and it's centered on forensics and incident response; it's a joint effort from Harlan Carvey and Don (securityripcord), and this ezine looks promising. You can download the first issue here.
The other ezine is the one launched by Hack In the Box (HitB). This magazine has a very professional look and a lot of articles; it can be compared to Hakin9 magazine, but free. They relaunched the ezine this year. You can download the first issue here.
It's cool to see fresh initiatives for sharing knowledge :)
I would like to see a Kindle version of them ;)
Monday, November 9, 2009
Owning Windows 7 - Double hack (physical access required)
Hi all, I finished my Windows 7 upgrade and decided to check an old trick that worked on XP and Vista. No foo required, it's an easy one:
If you have access to a Windows 7 box, you can still replace the binary c:\windows\system32\sethc.exe with your favourite backdoor (you can insert the same binary with the meterpreter embedded) and trigger it by pressing the Shift key five times on the login screen. The trick also works by replacing c:\windows\system32\utilman.exe and pressing WIN-U on the login screen. (You must boot with a live CD in order to replace the binaries.)
I know, I know... if someone has access to your machine it's game over, but hey, this is still there, and it could have been improved to avoid the direct calling of two binaries from a key combination.
You can see the double cmd.exe popping up, one for sethc.exe and the other for utilman.exe, both with "nt authority\system" privileges.

If you don't have your disk encrypted you should do it... and if you have it encrypted, beware of the Evil Maid.
Enjoy,
Christian
Friday, May 8, 2009
Pangolin and your data
This will be a brief entry about a dubious behavior of Pangolin (an SQL injection tool). Today we were checking some of the features of Pangolin, and I was especially interested in the Oracle UTL_HTTP injection. I checked the options and there wasn't a configuration for the local HTTP server, so I was wondering how the hell they got the results back.
So I started Pangolin against a test server, and there wasn't any open port on my machine. Next, my coworker Javi launched the attack and sniffed the traffic: all the injection was URL-encoded plus Oracle char() encoding, and after decoding we found that the results of the injection are sent to a nosec.org web server, and then Pangolin performs a GET to retrieve the data. WTH?
At least let the user know what you are doing with the data. I don't think this will make penetration testers happy, knowing that their customers' data is traveling via a third-party server.
Be careful where you send your data ;)
-CMM
Tuesday, April 28, 2009
Information Gathering: Delicious
Here is a new source that could help you during a penetration test. It's not a source that will give you results most of the time, but hey! Maybe you are lucky.
Delicious is a service for keeping your bookmarks in one place (online); it's social bookmarking.
So let's go with an example: if you have some nicknames from your target, you can search their Delicious profile directly for all their public links. For example, my profile:
http://delicious.com/laramies
Remember that users can mark a link as private, but here is where we can be lucky, if they forget to save it as private.
Another way of searching in Delicious is using the target company's URLs or IPs; in this example I will use just a standard internal IP:
192.168.1.1
And look at the second result:

The root password in the URL :)
In particular cases you can obtain interesting results.
-CMM