Portcullis Labs - perl

SSHatter | Content

Wed, 16 Feb 2011 12:19:48 GMT

Password brute forcer for SSH.

Features:

Multi threaded
Supports both SSH v1 and v2 protocols
Supports key based brute forcing
Support for post brute force exploration
Mass mode to run one command across all targets
Support for sudo based privilege escalation
Integrated file transfer support

udp-proto-scanner | Content

Wed, 26 Nov 2008 16:23:36 GMT

udp-proto-scanner.pl discovers UDP services by sending triggers to a list of hosts:

$ udp-proto-scanner.pl -f ips.txt
$ udp-proto-scanner.pl 10.0.0.0/16 172.16.16.1 192.168.0.1
$ udp-proto-scanner.pl -p ntp -f ips.txt

The probe names (for -p) are defined in udp-proto-scanner.conf. List probe names using the -l option:

$ udp-proto-scanner.pl -l

What's it Used For?

It's used in the host-discovery and service-discovery phases of a pentest.

It can be helpful if you need to discover hosts that only offer UDP services
and are otherwise well firewalled - e.g. if you want to find all the DNS
servers in a range of IP addresses. Alternatively on a LAN, you might want
a quick way to find all the TFTP servers.

Not all UDP services can be discovered in this way (e.g. SNMPv1 won't respond
unless you know a valid community string). However, many UDP services can be
discovered, e.g.:

DNS
TFTP
NTP
NBT
SunRPC
MS SQL
DB2
SNMPv3

It's Not a Portscanner

It won't give you a list of open and closed ports for each host. It's simply
looking for specific UDP services.

Efficiency

It's most efficient to run udp-proto-scanner.pl against whole networks (e.g.
256 IPs or more). If you run it against small numbers of hosts it will seem
quite slow because it waits for 1 second between each different type of probe.

One cool feature of udp-proto-scanner is that it doesn't load the whole host list
into memory. Therefore if you want to scan 17 million IPs, you can. It'll
take a while, but you won't run out of memory.

Credits

The UDP probes are mainly taken from amap, nmap and ike-scan.
Inspiration for the scanning code was drawn from ike-scan.
Net::Netmask by David Muir Sharnoff is included in this tool.

Apache Users | Content

Thu, 11 Sep 2008 11:22:18 GMT

This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.

acccheck | Content

Wed, 09 Apr 2008 18:48:49 GMT

The tool is designed as a password dictionary attack tool that targets windows authentication via the SMB protocol. It is really a wrapper script around the 'smbclient' binary, and as a result is dependent on it for its execution.

The simplest way to run the tool is as follows:

./acccheck.pl -t 10.10.10.1

This mode of execution attempts to connect to the target ADMIN$ share with the username 'Administrator' and a [BLANK] for the password.

./acccheck.pl -t 10.10.10.1 -u test -p test

This mode of execution attempts to connect to the target IPC$ share with the username 'test' and a password 'test'.

Each -t, -u and -p flags can be substituted by -T, -U and -P, where each represents an input file rather than a single input from standard in.

E.g.
./acccheck.pl -T iplist -U userfile -P passwordfile

Only use -v mode on very small dictionaries, otherwise, this has the affect of slowing the scan down to the rate the system writes to standard out.

Any username/password combinations found are written to a file called 'cracked' in the working directory.

MIBparse | Content

Mon, 07 Apr 2008 23:38:19 GMT

MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as 'snmpwalk' (NET-SNMP project 'net-snmp.sourceforge.net'). The output returned depends on the options that are selected by the user. Typically, information relating to the system, services, open ports, users, shares and installed components is some of the information that can be extracted by the tool.

Requirements

The only requirement is Perl.

Running

The simplest way to run the tool is as follows:

./MIBparse -f public.txt

Where "public.txt" is the output from 'snmpwalk' piped to a file. In this mode all available information is displayed to the user as standard out.

The information that is output can be tailored using the '-a' flag. The following values can be used in conjunction with this flag:

1 = All
2 = System
3 = Routing information
4 = Services
5 = TCP ports
6 = UDP ports
7 = Users
8 = Shares
9 = Domain
10 = Installed components
11 = Community strings

Each value corresponds to the type of information that is output. As an example, '-a 7' will output all of the users from a Windows system. The example execution in this case would include:

./MIBparse.pl -f public.txt -a 7

If you wish to execute the tool from a working directory which is not in your $PATH then the '-b' option can be used to specify the location of the 'tags' file. This option can also be used to specify any file as a tags file as long as the format of the file conforms to the example that is provided. The example execution in such a case would be:

./MIBparse.pl -f public.txt -b ./tags
OR
./MIBparse.pl -f public.txt -b ./mytagsfile

Finally, the '-b' flag can be used in conjunction with the '-a' flag. The example execution in such a case would be:

./MIBparse.pl -f public.txt -b ./mytagsfile -a 7

BSQL brute forcer V2 | Content

Wed, 18 Jun 2008 12:21:58 GMT

This is a modified version of 'bsqlbfv1.2-th.pl'. This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:-

0. MS-SQL
1. MySQl
2. Postgres
3. Oracle

The tool supports 2 attack modes(-type switch):-

Type 0:- Blind SQL Injection based on true and false conditions returned by back-end server

Type 1:- Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.

Usage example:
$./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"

ManySSL | Content

Tue, 09 Dec 2008 15:40:49 GMT

This PERL script will enumerate the SSL ciphers in use on any SSL encrypted service. It is not restricted to HTTPS and can be used on SMTP servers that support STARTTLS.

Features Include

Warn the operator if a self-signed certificate is detected.
Warn the operator if an expired certificate is detected.
Full cipher, key-exchange and authentication key strength output.
Use of a client specificed SSL certificate.

http-dir-enum | Content

Fri, 28 Mar 2008 16:49:57 GMT

http-dir-enum is a tool for finding content that is not linked on a website. Its main use is for finding directories that exist on a server. Simply provide a dictionary file and a URL.

This tool is written in PERL and uses the LWP library.

Features include:

Automatic detection of which HTTP response code to ignore (normally 404, but can vary on some sites)
Support for bruteforcing Files and Directories
Can search for directories recursively
Proxy support
Support for HTTP Basic Authentication
Support for sending custom cookies
Save scan output in XML format
Command line (lack of GUI is a feature, not a bug)
Mutli-threading for extra speed
HTTP keep alive support for extra speed (can be turned off)

Check out the usage page for a full list of options. There are also lots of examples to get you started.

enum4linux | Content

Tue, 16 Sep 2008 11:29:28 GMT

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in PERL and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup. The samba package is therefore a dependency.

Features include:

RID Cycling (When RestrictAnonymous is set to 1 on Windows 2000)
User Listing (When RestrictAnonymous is set to 0 on Windows 2000)
Listing of Group Membership Information
Share Enumeration
Detecting if host is in a Workgroup or a Domain
Identifying the remote Operating System
Password Policy Retrieval (using polenum)

Check out the usage page for a full list of options. There are also lots of examples to get you started.