Portcullis Labs - All Content

SSHatter-1.0.tar.gz | Download

Mon, 14 Dec 2009 22:29:57 GMT

/download/SSHatter-1.0.tar.gz

SSHatter | Content

Mon, 14 Dec 2009 19:20:44 GMT

Password brute forcer for SSH.

Features:

Multi threaded
Supports both SSH v1 and v2 protocols
Supports key based brute forcing
Support for post brute force exploration
Mass mode to run one command across all targets
Support for sudo based privilege escalation
Integrated file transfer support

Firefox Lockdown | Document

Tue, 23 Jun 2009 15:02:12 GMT

With Firefox's popularity rising on a day-by-day basis, many corporate environments are starting to employ the power of Firefox as their default browser. But without sufficient restrictions or lock-downs Firefox becomes a powerful client controlled web browser that a sophisticated user can manipulate for their own benefits.

Firefox can be locked down similar to Internet Explorer, and this guide will give you the relevant information that is needed to create a secure, locked-down configuration, to restrict knowledgeable users actions into manipulating Firefox for their own needs.

Introducing Heyoka: DNS Tunneling 2.0 | Content

Tue, 24 Mar 2009 14:45:47 GMT

Slides from SOURCE Boston 2009, presenting heyoka, a new DNS tunneling tool that uses spoofed traffic to avoid detection and multiple encodings to improve speed. By Alberto Revelli and Nico Leidecker.

Heyoka | Download

Tue, 24 Mar 2009 14:37:27 GMT

/download/Heyoka-SOURCEBoston2009.pdf

OWASP AU 2009 Slides | Content

Thu, 19 Mar 2009 13:14:32 GMT

Slides from OWASP Australia 2009.

Owasp Au Rev4

View more presentations from sumsid1234.

ldapuserenum | Content

Wed, 26 Nov 2008 14:27:41 GMT

This page has been removed.

Insecure Trends in Web 2.0 Applications | Content

Fri, 31 Oct 2008 16:08:40 GMT

Non technical talk about insecure trends in Web 2.0 applications. Explains what's wrong with today's Web 2.0 applications and why new comers keep repeating these.

Flash Security | Content

Fri, 31 Oct 2008 16:00:50 GMT

This presentation given at RIATalks, it's about fundamental flash security issues, attack surface of Flash and secure development.

During the presentation there was stealing data through vulnerable Crossdomain.xml files, you can download source code of this file - FlashSecurityCrossdomain.zip.

MS08-067 check | Content

Tue, 18 Nov 2008 12:22:54 GMT

This tool can be used to anonymously check if a target machine or a list of target machines are affected by MS08-067 issue (Vulnerability in Server Service Could Allow Remote Code Execution).

Usage

$ python ms08-067_check.py -h
Usage: ms08-067_check.py [option] {-t |-l }

Options:
  --version   show program's version number and exit
  -h, --help  show this help message and exit
  -d          show description and exit
  -t TARGET   target IP or hostname
  -l LIST     text file with list of targets
  -s          be silent

Example

$ python ms08-067_check.py -t 192.168.123.30
192.168.123.30: VULNERABLE

Note

On Windows XP Service Pack 2 and Windows XP Service Pack 3 this check might lead to a race condition and heap corruption in the svchost.exe process, but it may not crash the service immediately: it can trigger later on inside any of the shared services in the process.

References

udp-proto-scanner | Content

Wed, 26 Nov 2008 16:23:36 GMT

udp-proto-scanner.pl discovers UDP services by sending triggers to a list of hosts:

$ udp-proto-scanner.pl -f ips.txt
$ udp-proto-scanner.pl 10.0.0.0/16 172.16.16.1 192.168.0.1
$ udp-proto-scanner.pl -p ntp -f ips.txt

The probe names (for -p) are defined in udp-proto-scanner.conf. List probe names using the -l option:

$ udp-proto-scanner.pl -l

What's it Used For?

It's used in the host-discovery and service-discovery phases of a pentest.

It can be helpful if you need to discover hosts that only offer UDP services
and are otherwise well firewalled - e.g. if you want to find all the DNS
servers in a range of IP addresses. Alternatively on a LAN, you might want
a quick way to find all the TFTP servers.

Not all UDP services can be discovered in this way (e.g. SNMPv1 won't respond
unless you know a valid community string). However, many UDP services can be
discovered, e.g.:

DNS
TFTP
NTP
NBT
SunRPC
MS SQL
DB2
SNMPv3

It's Not a Portscanner

It won't give you a list of open and closed ports for each host. It's simply
looking for specific UDP services.

Efficiency

It's most efficient to run udp-proto-scanner.pl against whole networks (e.g.
256 IPs or more). If you run it against small numbers of hosts it will seem
quite slow because it waits for 1 second between each different type of probe.

One cool feature of udp-proto-scanner is that it doesn't load the whole host list
into memory. Therefore if you want to scan 17 million IPs, you can. It'll
take a while, but you won't run out of memory.

Credits

The UDP probes are mainly taken from amap, nmap and ike-scan.
Inspiration for the scanning code was drawn from ike-scan.
Net::Netmask by David Muir Sharnoff is included in this tool.

Apache Users | Content

Thu, 11 Sep 2008 11:22:18 GMT

This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.

polenum | Content

Thu, 30 Oct 2008 11:54:12 GMT

polenum is a python script which uses the Impacket Library from CORE Security Technologies to extract the password policy information from a windows machine. This allows a non-windows (Linux, Mac OSX, BSD etc..) user to query the password policy of a remote windows box without the need to have access to a windows machine.

features

can extract password and associated information from a windows machine
will connect over a NULL or authenticated share
supports encrypted/signed sessions

limitations

no NTLMv2 support
has a problem with domain connected workstations

download

download polenum

vessl | Content

Thu, 30 Oct 2008 11:51:42 GMT

vessl is a simple wrapper script that connects, extracts and then verifies the ssl certificate of an encrypted service. It was originally written in order to script up the ability to verify ssl certificates across a large network.

features

vessl will connect to any service that openssl can
it will extract and verify against a given CA Pem file
it will check that certificate matches the host it is on
it produce a map going from ip's to hostname
checks to see if certificate is based on a blacklisted debian key

dependencies

openssl
ping
openssl-vulnkey
mktemp
CA Pem File

download

download vessl

BSQL Hacker Help | Document

Mon, 18 Aug 2008 15:33:37 GMT

BSQL Hacker | Content

Wed, 29 Oct 2008 15:28:02 GMT

BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.

BSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).

It allows metasploit alike exploit repository to share and update exploits.

Source Code Repository

Public SVN Server (including nightly builds development environment)

Download Installer

BSQLHackerSetup-0909.exe

Key Features

Easy Mode
- SQL Injection Wizard
- Automated Attack Support (database dump)
  - ORACLE
  - MSSQL
  - MySQL (experimental)
General
- Fast and Multithreaded
- 4 Different SQL Injection Support
  - Blind SQL Injection
  - Time Based Blind SQL Injection
  - Deep Blind (based on advanced time delays) SQL Injection
  - Error Based SQL Injection
- Can automate most of the new SQL Injection methods those relies on Blind SQL Injection
- RegEx Signature support
- Console and GUI Support
- Load / Save Support
- Token / Nonce / ViewState etc. Support
- Session Sharing Support
- Advanced Configuration Support
- Automated Attack mode, Automatically extract all database schema and data mode

Update / Exploit Repository Features
- Metasploit alike but exploit repository support
- Allows to save and share SQL Injection exploits
- Supports auto-update
- Custom GUI support for exploits (cookie input, URL input etc.)

GUI Features
- Load and Save
- Template and Attack File Support (Users can save sessions and share them. Some sections like username, password or cookie in the templates can be show to the user in a GUI)
- Visually view true and false responses as well as full HTML response, including time and stats

Connection Related
- Proxy Support (Authenticated Proxy Support)
- NTLM, Basic Auth Support, use default credentials of current user/application
- SSL (also invalid certificates) Support
- Custom Header Support

Injection Points (only one of them or combination)
- Query String
- Post
- HTTP Headers
- Cookies

Other
- Post Injection data can be stored in a separated file
- XML Output (not stable)
- CSRF protection support

one time session tokens or asp.net viewstate ort similar can be used for separated login sessions, bypassing proxy pages etc.

It's still beta and there are known issues :

Automated Attack for MySQL is experimental, might not work properly

Deep Blind SQL Injection | Content

Mon, 18 Aug 2008 06:28:37 GMT

Deep Blind SQL Injection reading data is more complex than in classic blind injection. However it is still possible to retrieve data, moreover it is possible with a 66% reduction in the number of requests made of the server, requiring two rather than six requests to retrieve each char.

Download White Paper

DoS Attacks Using SQL Wildcards | Content

Mon, 18 Aug 2008 06:19:30 GMT

This paper discusses abusing Microsoft SQL Query wildcards to consume CPU in database servers. This can be achieved using only the search field present in most common web applications. If an application has the following properties then it is highly possibly vulnerable to wildcard attacks:

1- An SQL Server Backend;
2- More than 300 records in the database and around 500 bytes of data per row;
3- An application level search feature.

As you might notice I have just described 90% of Microsoft SQL Server based CMSs, blogs, CRMs and e-commerce web applications. Other databases could be vulnerable depending on how the applications implement search functionalities although common implementation of the search functionality in SQL Server back-end applications is vulnerable.

Download White Paper

Introduction To Format Strings | Content

Tue, 17 Jun 2008 13:11:17 GMT

What?

This presentation tries to cover the basics of format strings exploitation. Starting with an explanation of the legitimate use of Format Strings (Yin) moving onto how programming flaws can be exploited using this technique.

Why?

I spent many months getting my head aorund the nuonces of FS explitation so though I would put together a presentation on all the little things that I though were they key points when coming accross this subject for the first time. This hopefully will act as a good basis for the More Adventures In Format Strings presentation

acccheck | Content

Wed, 09 Apr 2008 18:48:49 GMT

The tool is designed as a password dictionary attack tool that targets windows authentication via the SMB protocol. It is really a wrapper script around the 'smbclient' binary, and as a result is dependent on it for its execution.

The simplest way to run the tool is as follows:

./acccheck.pl -t 10.10.10.1

This mode of execution attempts to connect to the target ADMIN$ share with the username 'Administrator' and a [BLANK] for the password.

./acccheck.pl -t 10.10.10.1 -u test -p test

This mode of execution attempts to connect to the target IPC$ share with the username 'test' and a password 'test'.

Each -t, -u and -p flags can be substituted by -T, -U and -P, where each represents an input file rather than a single input from standard in.

E.g.
./acccheck.pl -T iplist -U userfile -P passwordfile

Only use -v mode on very small dictionaries, otherwise, this has the affect of slowing the scan down to the rate the system writes to standard out.

Any username/password combinations found are written to a file called 'cracked' in the working directory.

MIBparse | Content

Mon, 07 Apr 2008 23:38:19 GMT

MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as 'snmpwalk' (NET-SNMP project 'net-snmp.sourceforge.net'). The output returned depends on the options that are selected by the user. Typically, information relating to the system, services, open ports, users, shares and installed components is some of the information that can be extracted by the tool.

Requirements

The only requirement is Perl.

Running

The simplest way to run the tool is as follows:

./MIBparse -f public.txt

Where "public.txt" is the output from 'snmpwalk' piped to a file. In this mode all available information is displayed to the user as standard out.

The information that is output can be tailored using the '-a' flag. The following values can be used in conjunction with this flag:

1 = All
2 = System
3 = Routing information
4 = Services
5 = TCP ports
6 = UDP ports
7 = Users
8 = Shares
9 = Domain
10 = Installed components
11 = Community strings

Each value corresponds to the type of information that is output. As an example, '-a 7' will output all of the users from a Windows system. The example execution in this case would include:

./MIBparse.pl -f public.txt -a 7

If you wish to execute the tool from a working directory which is not in your $PATH then the '-b' option can be used to specify the location of the 'tags' file. This option can also be used to specify any file as a tags file as long as the format of the file conforms to the example that is provided. The example execution in such a case would be:

./MIBparse.pl -f public.txt -b ./tags
OR
./MIBparse.pl -f public.txt -b ./mytagsfile

Finally, the '-b' flag can be used in conjunction with the '-a' flag. The example execution in such a case would be:

./MIBparse.pl -f public.txt -b ./mytagsfile -a 7

How to Detect and Exploit 99% of XSS Vulnerabilities | Content

Wed, 02 Apr 2008 16:23:40 GMT

This presentation has given in Intercon 2007 (Portcullis's internal conference), Talks about exploiting and identifying most common XSS vulnerabilities in real world.

Examples include following types,

Classic XSS Vulnerabilities
In HTML Attributes
In Comments
In Javascript Blocks
DOM Based XSS
Flash Based XSS
Direct Linking

Presentation was heavily based on demonstration, so you need to fill in the blanks.

nbtscan-1.5.2 | Content

Thu, 03 Apr 2008 14:24:31 GMT

NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.