http://labs.portcullis.co.uk Labs Portcullis updates. en Labs portcullis Tue, 22 Feb 2011 11:21:14 GMT http://backend.userland.com/rss 60 hhttp://labs.portcullis.co.uk/mg/logo.gif http://labs.portcullis.co.uk Tue, 18 Nov 2008 12:22:54 GMT http://labs.portcullis.co.uk/application/ms08-067-check/ <p>This tool can be used to anonymously check if a target machine or a list of target machines are affected by <a href="http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx">MS08-067</a> issue (Vulnerability in Server Service Could Allow Remote Code Execution).</p> <h2>Usage</h2> <pre> $ python ms08-067_check.py -h Usage: ms08-067_check.py [option] {-t <target>|-l <iplist.txt>}<br /><br />Options:<br /> --version show program's version number and exit<br /> -h, --help show this help message and exit<br /> -d show description and exit<br /> -t TARGET target IP or hostname<br /> -l LIST text file with list of targets<br /> -s be silent<target><iplist.txt><br /></iplist.txt></target></iplist.txt></target></pre> <h2>Example</h2> <pre> $ python ms08-067_check.py -t 192.168.123.30 192.168.123.30: VULNERABLE </pre> <h2>Note</h2> <p>On Windows XP Service Pack 2 and Windows XP Service Pack 3 this check might lead to a race condition and heap corruption in the <i>svchost.exe</i> process, but it may not crash the service immediately: it can trigger later on inside any of the shared services in the process.</p> <h2>References</h2> <ul> <li>BID: <a href="http://www.securityfocus.com/bid/31874">31874</a></li> <li>CVE: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250">2008-4250</a></li> <li><a href="http://blogs.technet.com/swi/archive/2008/10/25/most-common-questions-that-we-ve-been-asked-regarding-ms08-067.aspx">http://blogs.technet.com/swi/archive/2008/10/25/most-common-questions-that-we-ve-been-asked-regarding-ms08-067.aspx</a></li> <li><a href="http://www.microsoft.com/technet/security/advisory/958963.mspx">http://www.microsoft.com/technet/security/advisory/958963.mspx</a></li> <li><a href="http://www.phreedom.org/blog/2008/decompiling-ms08-067/">http://www.phreedom.org/blog/2008/decompiling-ms08-067/</a></li> <li><a href="http://metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb">http://metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb</a></li> <li><a href="http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html">http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html</a></li> <li><a href="http://blogs.securiteam.com/index.php/archives/1150">http://blogs.securiteam.com/index.php/archives/1150</a></li> </ul> Thu, 30 Oct 2008 11:54:12 GMT http://labs.portcullis.co.uk/application/polenum/ <p>polenum is a python script which uses the&nbsp;<a href="http://oss.coresecurity.com/projects/impacket.html">Impacket</a> Library from CORE Security Technologies to extract the password policy information from a windows machine. This allows a non-windows (Linux, Mac OSX, BSD etc..) user to query the password policy of a remote windows box without the need to have access to a windows machine.</p> <h2>features</h2> <ul> <li>can extract password and associated information from a windows machine</li> <li>will connect over a NULL or authenticated share</li> <li>supports encrypted/signed sessions</li> </ul> <h2>limitations</h2> <ul> <li>no NTLMv2 support</li> <li>has a problem with domain connected workstations</li> </ul> <h2>download</h2> <p><a href="/download/polenum-0.2.tar.bz2"> download polenum</a></p> <p>&nbsp;</p> Fri, 09 Oct 2009 13:33:35 GMT http://labs.portcullis.co.uk/application/hoppy/ <p>hoppy is a <u><strong>h</strong></u>ttp <u><strong>o</strong></u>ptions <u><strong>p</strong></u>rober written in <u><strong>py</strong></u>thon. It checks the availability of HTTP methods as well as probing them to see if they can be forced to disclose system information.</p> <h2>features</h2> <ul> <li>HTTP Method detection, TRACK, TRACE, PUT etc</li> <li>Internal IP address disclosure detection</li> <li>Internal Path Disclosure detection</li> <li>Transparent working so you can see exactly what it did</li> <li>Data extraction</li> <li>Spider to find directories for webDAV detection</li> <li>ms09-020 IIS auth bypass check on all discovered directories</li> </ul> <h2>download</h2> <p><a href="/download/hoppy-1.7.3.tar.bz2"> download hoppy</a></p> <p>&nbsp;</p>