Hack Whack and Smack

Python Share Enumerator

Hey,

I've been working with a few large clients and needed to search a lot of network shares with a standard user account to see if the shares looked dangerous or overly permissive for that user, e.g. an admin share with full Everyone permissions from which the user can capture sensitive data. To do this I've been using the Metasploit smb_enumshares module and then manually looking through the list to see which shares were accessible. As you can imagine this can take some time and isn't very useful; however, over time I have seen Hyper-V backups on shares that were accessible to users and could be downloaded and backdoored for the admin password hash etc.

This is a task well worth doing. So to cut a long story short I created a Python script to do it: basically give it user credentials and a CIDR subnet and it will enumerate all shares and files/folders that are available to the given user. Simples.

Usage: python ./shares.py <username> <password> <domain> <hostip> <cidr-rhosts>


Let me know what you think, but I'm sure you will find this extremely useful, as I already have. A few dependencies are listed below:

#pip install https://pypi.python.org/packages/source/p/pysmb/pysmb-1.1.13.tar.gz
#smbconnection.py is another dependency

Download link: shares.py


Simple Nmap Parser

Hey,

Needed to parse an Nmap scan really simply and couldn't find anything useful, so I created a simple C# application to do it. Thought others might find it useful; here's a screenshot of the beast at work.

NmapParser



Nessus Parser in Python

I have been making a few programs in C# for parsing Nessus output, and while these have been really good I wanted to expand my knowledge and create a Python parser so that I can edit and change it on the fly while pentesting to get any specific information that I need. For example, I have used nmap to find all the web services, but it never picks all of them up, whereas Nessus does and places a 'svc_name=www' under each such port, irrespective of whether it is SSL based or not.

Then I have a list of hosts and ports that I can have some confidence in, and can start to further explore each web port with 'nikto' and possibly screenshot it with 'wkhtmltoimage'.

To cut a long story short, I started writing my own class for this and then stumbled across this code: https://code.google.com/p/pynessus/. These classes allow you to call functions to parse Nessus output or deal directly with the Nessus scanning engine, run scans, etc. I have only used this in the smallest way up to now but thought it's an interesting blog and others could benefit from this too.

Here is an example script that pulls out all the web services from a Nessus scan and places them in a list, each host followed by its respective port after a colon, e.g. 10.0.0.1:443.



import dotnessus_v2

# Path to the exported .nessus (v2) report
preport = "/tmp/localhost.nessus"
rpt = dotnessus_v2.Report()
rpt.parse(preport)

# Every host in the report, and every finding on that host;
# Nessus tags web servers (HTTP or HTTPS) with svc_name "www"
for t in rpt.targets:
    for v in t.vulns:
        if v.get('svc_name') == 'www':
            print(t.name + ":" + v.get('port'))


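As an added example (not the blog's code and not pynessus), here is a dependency-free version of the same extraction that parses the .nessus v2 XML directly; the embedded report is constructed for illustration and is not a real scan:

```python
import xml.etree.ElementTree as ET

# Constructed report in the .nessus v2 layout (not a real scan): two hosts,
# one of which has two plugins tagged svc_name="www" on the same port.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="web-audit">
    <ReportHost name="10.0.0.1">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="0"
                  pluginID="22964" pluginName="Service Detection"/>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="0"
                  pluginID="10107" pluginName="HTTP Server Type and Version"/>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="22964" pluginName="Service Detection"/>
    </ReportHost>
    <ReportHost name="10.0.0.2">
      <ReportItem port="8080" svc_name="www" protocol="tcp" severity="0"
                  pluginID="22964" pluginName="Service Detection"/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
                  pluginID="22964" pluginName="Service Detection"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="19506" pluginName="Nessus Scan Information"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

def web_services(nessus_xml, svc="www"):
    """Sorted, de-duplicated 'host:port' strings for every ReportItem whose
    svc_name matches; Nessus uses 'www' for both plain HTTP and HTTPS."""
    root = ET.fromstring(nessus_xml)
    found = set()
    for host in root.iter("ReportHost"):
        name = host.get("name")
        for item in host.iter("ReportItem"):
            if item.get("svc_name") == svc and item.get("protocol") == "tcp":
                found.add((name, int(item.get("port"))))
    # The set collapses repeated plugins on one port; sort by host, then port
    return ["%s:%d" % hp for hp in sorted(found)]

def web_services_from_file(path, svc="www"):
    """Same as web_services() for a .nessus file on disk."""
    with open(path, "rb") as fh:
        return web_services(fh.read(), svc)

if __name__ == "__main__":
    for hp in web_services(SAMPLE_NESSUS):
        print(hp)
```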

Here is another example script that uses the other class to initiate a connection to the Nessus server and launch a scan. Once the scan has launched you can also use the script to download reports, as shown below. I take no credit for creating these classes, as they were written by their author; I have merely used their functions to pull out the data I want from Nessus and want to share this as I think it's very useful.



import pynessus

server = "localhost"
port = "8834"
user = "nessus-user"
password = "nessus-password"

# Placeholders: substitute the values from your own Nessus server
scan_name = "example-scan"
policy_id = 1                  # id of an existing scan policy
target_list_iter = ["10.0.0.1"]
report_uuid = "REPORT-UUID"    # uuid of a completed scan

n = pynessus.NessusServer(server, port, user, password)

n.launch_scan(scan_name, policy_id, target_list_iter)

n.download_report(report_uuid)


Anyway, I thought it was worth a simple blog post; here's the link to the class files. I also run these through a series of other little scripts to run nikto on all hosts as well as grabbing a screenshot of every web-based service so that I can review them quickly. Here is a little bash script I wrote that takes the output from the above and gets a screen capture of all web services. First of all I run web-parse.py to get my host list, like so:

python web-parse.py | sort | uniq | tee web-hosts.txt

Then run the for loop below to run nikto against each host, followed by my bash script to grab the screenshots:

for host in `cat web-hosts.txt`; do nikto -h $host > $host.txt ; done

grab.sh web-hosts.txt



#!/bin/sh

# Usage: grab.sh web-hosts.txt  (one host:port per line)
filename="$1"
while read -r line
do
    name=$line
    echo "Name read from file - $name"

    TIMEOUT=3

    # Run wkhtmltoimage in the background and HUP it if it hangs past TIMEOUT;
    # if it finishes first, kill the watcher instead
    ( wkhtmltoimage http://$name $name.jpg ) & pid=$!
    ( sleep $TIMEOUT && kill -HUP $pid ) 2>/dev/null & watcher=$!
    wait $pid 2>/dev/null && pkill -HUP -P $watcher

    # Same again over HTTPS
    ( wkhtmltoimage https://$name $name-ssl.jpg ) & pid=$!
    ( sleep $TIMEOUT && kill -HUP $pid ) 2>/dev/null & watcher=$!
    wait $pid 2>/dev/null && pkill -HUP -P $watcher

done < "$filename"


Enjoy 🙂

Service Permission Checker (service-perms.exe)

Hi folks,

I slightly updated my program to show a few extra bits of information about the service. Firstly, it now shows whether the user can stop and start the service, including its running state. It also now shows the permissions on the parent folder, in case these are different from those of the binary.

Happy hacking 🙂 Here is another link to the tool.


Service ImagePath Permission Checker

Hi Everyone,

I know there are quite a few tools that do similar to this already but I wanted to create my own and just output all this data to an HTML file ‘simples’.

So basically this outputs a file called report.html that lists all the services and the permissions on their binaries. It also has a column showing whether they have unquoted service paths. Quite neat; I'm looking to make loads of these types of tools for breakout testing. It's also fairly useful when you have limited access to the box or need to download a tool that will run as a low-level user and then open the output with tools already on the workstation, usually Internet Explorer. The following screenshot shows an example of the output.


Take a look and let me know what you think. Hopefully I will be adding more to this so that it can do a lot more.
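As an added example (not the author's service-perms tool), here is the unquoted-path check behind that report column, using only the Python standard library; the permission columns need pywin32 or icacls and are left out:

```python
import re
try:
    import winreg          # Windows only; the parser below works anywhere
except ImportError:
    winreg = None

_BINARY_RE = re.compile(r'^(.+?\.(?:exe|sys|dll|bat|cmd))(?:\s|$)', re.IGNORECASE)

def parse_image_path(raw):
    """Return (binary_path, unquoted_vulnerable) for a service ImagePath.
    Only an unquoted path whose binary path itself contains a space is a
    finding: Windows then tries each space-delimited prefix as the executable
    (C:\\Program.exe, C:\\Program Files\\Foo.exe, ...) before the real one."""
    raw = raw.strip()
    m = re.match(r'^"([^"]*)"', raw)
    if m:                                   # quoted: never ambiguous
        return m.group(1), False
    m = _BINARY_RE.match(raw)
    binary = m.group(1) if m else raw.split(' ')[0]
    return binary, (' ' in binary)

def find_unquoted_services():
    """Walk HKLM\\SYSTEM\\CurrentControlSet\\Services and return
    [(service_name, image_path)] for every entry parse_image_path flags."""
    if winreg is None:
        raise RuntimeError("registry walk needs Windows")
    hits = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        for i in range(winreg.QueryInfoKey(services)[0]):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as svc:
                    raw, _ = winreg.QueryValueEx(svc, "ImagePath")
            except OSError:                 # no ImagePath, or access denied
                continue
            if isinstance(raw, str) and parse_image_path(raw)[1]:
                hits.append((name, raw))
    return hits

if __name__ == "__main__":
    for name, path in find_unquoted_services():
        print("%s: %s" % (name, path))
```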

Download here

🙂

Metasploit Payload Generator Script – paygen

Hi,

When testing I always find myself doing more advanced exploitation on boxes and mostly use metasploit to do all these tasks, however I always forget the exact syntax for creating a metasploit payload and then setting up a multi/handler.

Obviously there are loads of easy ways to do this, but I thought I would create a simple Python script that basically takes your IP from eth0, then asks what type of payload to create and the output location. Once it has generated the payload it will create a multi/handler session with all the same settings, ready for you. This makes it terribly easy to run paygen and then double click the file from my Samba share.

It could be improved by adding AV bypass techniques such as veil or ultimate payload but for now I have just done the basics. Anyway here is the script paygen, let me know thoughts, suggestions, insults etc……


Have fun 🙂

JavaRMI Remote Class Loading Exploitation with AV Bypass

Hi folks,

For some time now I have been finding the Java RMI remote class loading vulnerability and have been very successful with Metasploit; however, recently I have had Anti-Virus (AV) pick this up. While this is not a standard executable, my usual AV bypass techniques were useless, so I had to expand my research. For those who don't know, Java Remote Method Invocation (RMI) services are used within applications to allow Java objects to be used from a remote location without any authentication. When a client invokes a remote method, it passes all the information in the form of a Java object to the RMI service, which then executes it.

When passing the Object the client can also specify a Class Loader which specifies where the Java code for manipulating the Object can be found, this is typically a URL to a Jar file. Without authentication or verification, the server then downloads the Java object and executes it under the same permissions as the Java RMI service (usually SYSTEM).

As a pentester you can take advantage of this RMI service to load and execute Java code on the system. This can all be done using Metasploit; just search for java_rmi. Anyway, I am more interested in the times it fails because of Anti-Virus. To get around this I had to decompile the Payload.class file from within Metasploit and make some fundamental changes, as seen below.

cd /usr/share/metasploit-framework/data/java/metasploit/
cp Payload.class Payload-backup.class
jad Payload.class

sed -i 's/spawn/runme/' Payload.jad
mv Payload.jad Payload.java
javac Payload.java

Once I did this I could successfully exploit this again. One thing to note is that I was using the Java target so you end up with a Java meterpreter shell to which you can escalate into a normal Meterpreter after.



There are probably better Java obfuscation techniques that may have done this easier so any comments would be appreciated.

Cheers 🙂

Network Proxy and Protocol Responder

I was on a pentest the other day investigating a proprietary protocol to a management agent and wanted to replay this traffic from a script. I knew I could capture the traffic in Wireshark but didn't really know how to replay it, or even parts of it, to send a command to the port. It took me a little while to get it all working as I wanted, but I got it to send a command and reply to various responses after an initial connect. To do this I used Zulu from Andy Davies (NCC) and created a Python script with some useful hexdump commands.

This post will allow you to re-create or replay a management station type scenario with a client, which opens up a whole load of new attack scenarios. First you need to man-in-the-middle the traffic from the client to the management server within Zulu and/or Wireshark.

Instructions for installing Zulu can be found here.

Start

Open Zulu and set up your network proxy to intercept the traffic like the following image:

Once you have successfully captured all the requests and responses you can save out the requests to a file. Now you have all the valid requests that a client would send and all the valid responses that the manager would respond with. So now you want to create and edit your python handler to act as a server.

Here is the link to the “Protocol-Responder” script template.
Here is the link to the “Protocol-Sender” script template.


Read and edit the # commented sections to suit your needs and add and edit the hex content. To easily convert the hex content from a file that you may have piped from nc or downloaded from wireshark or zulu use the following hexdump & sed command below.

If you are using the Zulu files, remove the first two lines from each of the “In” files and then cat each specific file you would like to use the hex from to respond as:

cat hexfile.txt | hexdump -v -e '"0x" 1/1 "%02X" " "' | sed -e 's/ 0x/\\x/g' | sed -e 's/0x/\\x/g'

The output looks as follows:
\x00\x00\x00\x00\x00\x00\x00\xB6\x00\x00\x00\x45
Then you can add it to your python script:

def run(self):
    print("Connection from : " + ip + ":" + str(port))
    # Python 2 str literal as used by the template; on Python 3 this must be bytes (b"...")
    self.socket.send("\x00\x00\x00\x00\x00\x00\x00\xB6\x00\x00\x00\x45")
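As an added example (not the author's Protocol-Responder template), here is the hexdump/sed conversion and its inverse in Python 3, plus a replay handler that answers each captured request with the captured response; the byte strings and port 9999 are constructed placeholders, not from any real protocol:

```python
import socketserver

def to_escapes(data):
    """bytes -> '\\x00\\xB6...' exactly as the hexdump -e / sed pipeline prints it."""
    return "".join("\\x%02X" % b for b in data)

def from_escapes(text):
    """'\\x00\\xB6...' (as pasted into a script) -> bytes."""
    return bytes.fromhex(text.replace("\\x", ""))

# Constructed capture: request prefix -> response the real manager sent.
# Keyed on a prefix because trailing fields (sequence numbers, timestamps)
# usually vary between connections while the header stays fixed.
CAPTURED = {
    from_escapes(r"\x01\x00\x00\x10"):
        from_escapes(r"\x00\x00\x00\x00\x00\x00\x00\xB6\x00\x00\x00\x45"),
    from_escapes(r"\x01\x00\x00\x20"):
        from_escapes(r"\x00\x00\x00\x00\x4F\x4B"),
}

def pick_response(request, table=CAPTURED):
    """Reply for the longest captured prefix the request starts with, else None."""
    best = None
    for prefix, reply in table.items():
        if request.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, reply)
    return best[1] if best else None

class Responder(socketserver.BaseRequestHandler):
    def handle(self):
        ip, port = self.client_address
        print("Connection from : %s:%d" % (ip, port))
        while True:
            data = self.request.recv(4096)
            if not data:
                break
            print("<- " + to_escapes(data))       # log every request in pasteable form
            reply = pick_response(data)
            if reply is None:                     # unseen request: stop and extend CAPTURED
                break
            self.request.sendall(reply)

if __name__ == "__main__":
    # Listen where the agent expects its manager (hypothetical port 9999)
    with socketserver.TCPServer(("0.0.0.0", 9999), Responder) as srv:
        srv.serve_forever()
```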

Anyway it took me a while to be able to create such a server or even an exploit sender with specific hex values and thought it may be useful to the community.

Have fun 🙂

Any feedback or comments are highly appreciated.

Installing Zulu

It took me a little while to find all the correct dependencies for Zulu so I thought this may come in handy for others.

ZULU Dependencies

Manual Install

Install https://www.python.org/ftp/python/2.7.6/python-2.7.6.msi

Install http://sourceforge.net/projects/pywin32/files/pywin32/Build%20218/pywin32-218.win-amd64-py2.7.exe/download

Install http://downloads.sourceforge.net/wxpython/wxPython3.0-win64-3.0.0.0-py27.exe

Pip Install

Download https://raw.github.com/pypa/pip/master/contrib/get-pip.py
C:\Python27\python.exe get-pip.py

Other Dependencies

pip install winappdbg
pip install pyserial
pip install https://sendkeys-ctypes.googlecode.com/files/SendKeys-ctypes-0.2.zip
pip install https://dpkt.googlecode.com/files/dpkt-1.8.tar.gz
git clone https://github.com/nccgroup/Zulu.git
create a log directory within zulu folder
c:\python27\python zulu.py

Using Kerberos Authentication without using a PC that is part of the Domain

Hi All,

Recently I was doing some pentesting and needed to connect to a website using Integrated Windows Authentication (IWA) with only Kerberos allowed. At first I thought I was pretty much at a dead end, because almost every post insinuates that for Kerberos authentication to work your client machine needs to be joined to the domain.

Well In a Word You Don’t!!!

It is possible to have your own Linux or Windows machine connect to a website using Kerberos tickets. In order to set this up I needed to configure a few things.

apt-get install krb5-config
apt-get install libpam-krb5
apt-get install krb5-kdc
dpkg-reconfigure krb5-config
kinit ben@HACME.NET    # the realm must be uppercase as it is a Kerberos REALM
klist                  # shows all tickets granted
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ben@HACKME.COM

Valid starting     Expires            Service principal
14/03/14 09:24:36  14/03/14 19:24:42  krbtgt/HACKME.COM@HACKME.COM
	renew until 15/03/14 09:24:36
14/03/14 09:28:33  14/03/14 19:24:42  HTTP/win-lbak0qmafe8.hackme.com@
	renew until 15/03/14 09:24:36
14/03/14 09:28:33  14/03/14 19:24:42  HTTP/win-lbak0qmafe8.hackme.com@HACKME.COM
	renew until 15/03/14 09:24:36
Once you have a TGT from the KDC you can configure Firefox, Google Chrome or even IE to get the HTTP service ticket from the KDC.

Allowing IE to Retrieve HTTP Tickets

IE requires the site to be added to the Intranet and IWA enabled. For IE in Windows other tools must be used to get the Kerberos tickets, i.e. MIT tools

Kerberos: The Network Authentication Protocol – MIT

Allowing Firefox to Retrieve HTTP Tickets

Navigate to about:config
Search for negotiate, set the following two preferences to .hackme.com and restart Firefox:
network.negotiate-auth.trusted-uris;
network.negotiate-auth.delegation-uris;

Allowing Chrome to Retrieve HTTP Tickets

Start Google Chrome like this (make sure all your DNS settings point to the correct domain DNS servers):
google-chrome --auth-server-whitelist="*.hackme.com" --user-data-dir
http://win-lbak0qmafe8.hackme.com/