Portcullis Labs - Tools

SSHatter | Content

Wed, 16 Feb 2011 12:19:48 GMT

Password brute forcer for SSH.

Features:

Multi threaded
Supports both SSH v1 and v2 protocols
Supports key based brute forcing
Support for post brute force exploration
Mass mode to run one command across all targets
Support for sudo based privilege escalation
Integrated file transfer support

MS08-067 check | Content

Tue, 18 Nov 2008 12:22:54 GMT

This tool can be used to anonymously check if a target machine or a list of target machines are affected by MS08-067 issue (Vulnerability in Server Service Could Allow Remote Code Execution).

Usage

$ python ms08-067_check.py -h
Usage: ms08-067_check.py [option] {-t |-l }

Options:
  --version   show program's version number and exit
  -h, --help  show this help message and exit
  -d          show description and exit
  -t TARGET   target IP or hostname
  -l LIST     text file with list of targets
  -s          be silent

Example

$ python ms08-067_check.py -t 192.168.123.30
192.168.123.30: VULNERABLE

Note

On Windows XP Service Pack 2 and Windows XP Service Pack 3 this check might lead to a race condition and heap corruption in the svchost.exe process, but it may not crash the service immediately: it can trigger later on inside any of the shared services in the process.

References

udp-proto-scanner | Content

Wed, 26 Nov 2008 16:23:36 GMT

udp-proto-scanner.pl discovers UDP services by sending triggers to a list of hosts:

$ udp-proto-scanner.pl -f ips.txt
$ udp-proto-scanner.pl 10.0.0.0/16 172.16.16.1 192.168.0.1
$ udp-proto-scanner.pl -p ntp -f ips.txt

The probe names (for -p) are defined in udp-proto-scanner.conf. List probe names using the -l option:

$ udp-proto-scanner.pl -l

What's it Used For?

It's used in the host-discovery and service-discovery phases of a pentest.

It can be helpful if you need to discover hosts that only offer UDP services
and are otherwise well firewalled - e.g. if you want to find all the DNS
servers in a range of IP addresses. Alternatively on a LAN, you might want
a quick way to find all the TFTP servers.

Not all UDP services can be discovered in this way (e.g. SNMPv1 won't respond
unless you know a valid community string). However, many UDP services can be
discovered, e.g.:

DNS
TFTP
NTP
NBT
SunRPC
MS SQL
DB2
SNMPv3

It's Not a Portscanner

It won't give you a list of open and closed ports for each host. It's simply
looking for specific UDP services.

Efficiency

It's most efficient to run udp-proto-scanner.pl against whole networks (e.g.
256 IPs or more). If you run it against small numbers of hosts it will seem
quite slow because it waits for 1 second between each different type of probe.

One cool feature of udp-proto-scanner is that it doesn't load the whole host list
into memory. Therefore if you want to scan 17 million IPs, you can. It'll
take a while, but you won't run out of memory.

Credits

The UDP probes are mainly taken from amap, nmap and ike-scan.
Inspiration for the scanning code was drawn from ike-scan.
Net::Netmask by David Muir Sharnoff is included in this tool.

polenum | Content

Thu, 30 Oct 2008 11:54:12 GMT

polenum is a python script which uses the Impacket Library from CORE Security Technologies to extract the password policy information from a windows machine. This allows a non-windows (Linux, Mac OSX, BSD etc..) user to query the password policy of a remote windows box without the need to have access to a windows machine.

features

can extract password and associated information from a windows machine
will connect over a NULL or authenticated share
supports encrypted/signed sessions

limitations

no NTLMv2 support
has a problem with domain connected workstations

download

download polenum

vessl | Content

Thu, 30 Oct 2008 11:51:42 GMT

vessl is a simple wrapper script that connects, extracts and then verifies the ssl certificate of an encrypted service. It was originally written in order to script up the ability to verify ssl certificates across a large network.

features

vessl will connect to any service that openssl can
it will extract and verify against a given CA Pem file
it will check that certificate matches the host it is on
it produce a map going from ip's to hostname
checks to see if certificate is based on a blacklisted debian key

dependencies

openssl
ping
openssl-vulnkey
mktemp
CA Pem File

download

download vessl

BSQL Hacker | Content

Wed, 29 Oct 2008 15:28:02 GMT

BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.

BSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).

It allows metasploit alike exploit repository to share and update exploits.

Source Code Repository

Public SVN Server (including nightly builds development environment)

Download Installer

BSQLHackerSetup-0909.exe

Key Features

Easy Mode
- SQL Injection Wizard
- Automated Attack Support (database dump)
  - ORACLE
  - MSSQL
  - MySQL (experimental)
General
- Fast and Multithreaded
- 4 Different SQL Injection Support
  - Blind SQL Injection
  - Time Based Blind SQL Injection
  - Deep Blind (based on advanced time delays) SQL Injection
  - Error Based SQL Injection
- Can automate most of the new SQL Injection methods those relies on Blind SQL Injection
- RegEx Signature support
- Console and GUI Support
- Load / Save Support
- Token / Nonce / ViewState etc. Support
- Session Sharing Support
- Advanced Configuration Support
- Automated Attack mode, Automatically extract all database schema and data mode

Update / Exploit Repository Features
- Metasploit alike but exploit repository support
- Allows to save and share SQL Injection exploits
- Supports auto-update
- Custom GUI support for exploits (cookie input, URL input etc.)

GUI Features
- Load and Save
- Template and Attack File Support (Users can save sessions and share them. Some sections like username, password or cookie in the templates can be show to the user in a GUI)
- Visually view true and false responses as well as full HTML response, including time and stats

Connection Related
- Proxy Support (Authenticated Proxy Support)
- NTLM, Basic Auth Support, use default credentials of current user/application
- SSL (also invalid certificates) Support
- Custom Header Support

Injection Points (only one of them or combination)
- Query String
- Post
- HTTP Headers
- Cookies

Other
- Post Injection data can be stored in a separated file
- XML Output (not stable)
- CSRF protection support

one time session tokens or asp.net viewstate ort similar can be used for separated login sessions, bypassing proxy pages etc.

It's still beta and there are known issues :

Automated Attack for MySQL is experimental, might not work properly

acccheck | Content

Wed, 09 Apr 2008 18:48:49 GMT

The tool is designed as a password dictionary attack tool that targets windows authentication via the SMB protocol. It is really a wrapper script around the 'smbclient' binary, and as a result is dependent on it for its execution.

The simplest way to run the tool is as follows:

./acccheck.pl -t 10.10.10.1

This mode of execution attempts to connect to the target ADMIN$ share with the username 'Administrator' and a [BLANK] for the password.

./acccheck.pl -t 10.10.10.1 -u test -p test

This mode of execution attempts to connect to the target IPC$ share with the username 'test' and a password 'test'.

Each -t, -u and -p flags can be substituted by -T, -U and -P, where each represents an input file rather than a single input from standard in.

E.g.
./acccheck.pl -T iplist -U userfile -P passwordfile

Only use -v mode on very small dictionaries, otherwise, this has the affect of slowing the scan down to the rate the system writes to standard out.

Any username/password combinations found are written to a file called 'cracked' in the working directory.

MIBparse | Content

Mon, 07 Apr 2008 23:38:19 GMT

MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as 'snmpwalk' (NET-SNMP project 'net-snmp.sourceforge.net'). The output returned depends on the options that are selected by the user. Typically, information relating to the system, services, open ports, users, shares and installed components is some of the information that can be extracted by the tool.

Requirements

The only requirement is Perl.

Running

The simplest way to run the tool is as follows:

./MIBparse -f public.txt

Where "public.txt" is the output from 'snmpwalk' piped to a file. In this mode all available information is displayed to the user as standard out.

The information that is output can be tailored using the '-a' flag. The following values can be used in conjunction with this flag:

1 = All
2 = System
3 = Routing information
4 = Services
5 = TCP ports
6 = UDP ports
7 = Users
8 = Shares
9 = Domain
10 = Installed components
11 = Community strings

Each value corresponds to the type of information that is output. As an example, '-a 7' will output all of the users from a Windows system. The example execution in this case would include:

./MIBparse.pl -f public.txt -a 7

If you wish to execute the tool from a working directory which is not in your $PATH then the '-b' option can be used to specify the location of the 'tags' file. This option can also be used to specify any file as a tags file as long as the format of the file conforms to the example that is provided. The example execution in such a case would be:

./MIBparse.pl -f public.txt -b ./tags
OR
./MIBparse.pl -f public.txt -b ./mytagsfile

Finally, the '-b' flag can be used in conjunction with the '-a' flag. The example execution in such a case would be:

./MIBparse.pl -f public.txt -b ./mytagsfile -a 7

nbtscan-1.5.2 | Content

Thu, 03 Apr 2008 14:24:31 GMT

NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.

Sun Patch Check | Content

Wed, 02 Apr 2008 10:49:02 GMT

Sun Patch Check is a tool that does exactly what it says on the tin. Sun Patch Check compares the output from the Sun Solaris showrev command to that from the Sun recommended patch list.

Requirements

Sun Patch Check only requires the GNU C compiler.

Download

The latest version of Sun Patch Check can be downloaded from here.

Compiling

Sun Patch Check can be compiled from source using the following command:

gcc -o sunpatchcheck sunpatchcheck.c

Running

Before you can use Sun Patch Check to check the patches of any Sun Solaris system you will need to update the patch list from the Sun web site. This can be done with the following command:

sunpatchcheck --update

You may want to update the patch list on a regular basis otherwise there may be more recent patches missing from the database.

You will need to collect a patch list from a Sun Solaris system you want to check. This can be done with the following Solaris command:

showrev -p >patchlist.txt

Sun Patch Check needs to know what version of Solaris you are comparing the patches from, this is specified on the command line when running Sun Patch Check. To check the patches from a Solaris 10 Sparc system using the file extracted in the previous example:

sunpatchcheck --check=patchlist.txt --solaris=10

Online help for all options is available using:

sunpatchcheck --help

License

Sun Patch Check is covered by the GPL v3 license, but you will also need to agree to the Sun Solve license.

Banner Grab | Content

Wed, 02 Apr 2008 12:36:30 GMT

BannerGrab is a tool that performs connection, trigger-based and basic information collection from network services. The program has two modes of operation; simple connection banner grabbing and the default mode which makes use of service triggers to enumerate additional information.

BannerGrab can connect to TCP services, UDP services and can connect to SSL services. SSL service banner grabbing will also return the SSL connection details.

Requirements

BannerGrab requires the GNU C compiler and has been tested on Linux, but should work on other UNIX type systems. It has even been known to run from an iPhone.

BannerGrab has an optional requirement of the OpenSSL library to perform SSL-based grabs. However, SSL support can be disabled.

Download

BannerGrab can be downloaded from the Source Forge project site at sourceforge.net/projects/bannergrab.

Compiling

BannerGrab includes a Makefile, so it can be built in the usual way:

make
make install (as root)

However, it can be manually compiled as follows:

gcc -lssl -o bannergrab bannergrab.c

On Mac OS-X systems it can be compiled as follows:

gcc -lssl -lcrypto -o bannergrab bannergrab.c

It can be compiled without OpenSSL support as follows:

gcc -DNOSSL -o bannergrab bannergrab.c

Running

BannerGrab can be run in its simplest form by specifying a host and port as the parameters. For example:

bannergrab 127.0.0.1 80

More advanced options can be shown using the online help with the following command:

bannergrab --help

License

BannerGrab is covered by the GPL v3 license with the following exception:

In addition, as a special exception, the copyright holders give
permission to link the code of portions of this program with the
OpenSSL library under certain conditions as described in each
individual source file, and distribute linked combinations
including the two.
You must obey the GNU General Public License in all respects
for all of the code used other than OpenSSL. If you modify
file(s) with this exception, you may extend this exception to your
version of the file(s), but you are not obligated to do so. If you
do not wish to do so, delete this exception statement from your
version. If you delete this exception statement from all source
files in the program, then also delete it here.

viewstate | Content

Wed, 02 Apr 2008 10:50:25 GMT

Viewstate is an ASP.Net viewstate decoder, checker, parser and encoder. It supports both old and new types of viewstate and the data can be extracted directly from the web.

Requirements

Viewstate is platform independent and can be downloaded in source code or Windows binary formats. If you are building viewstate from source you will need the GNU C compiler (under Windows you can use MinGW).

Downloads

Viewstate can be downloaded from the Source Forge project page sourceforge.net/projects/viewstate.

Compiling

A Makefile is provided to provide the usual compilation process of:

make
make install (as root)

However, you can compile it manually with the following:

gcc -o viewstate viewstate.c

Running

If viewstate is run with no options, the online help is displayed. But a simple decode of the viewstate data held by the Acme company web site would be:

viewstate --decode --url=http://www.acme.fake/main.asp

License

Viewstate is covered by the GPL v3 license.

BSQL brute forcer V2 | Content

Wed, 18 Jun 2008 12:21:58 GMT

This is a modified version of 'bsqlbfv1.2-th.pl'. This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:-

0. MS-SQL
1. MySQl
2. Postgres
3. Oracle

The tool supports 2 attack modes(-type switch):-

Type 0:- Blind SQL Injection based on true and false conditions returned by back-end server

Type 1:- Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.

Usage example:
$./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"

hoppy | Content

Fri, 09 Oct 2009 13:33:35 GMT

hoppy is a http options prober written in python. It checks the availability of HTTP methods as well as probing them to see if they can be forced to disclose system information.

features

HTTP Method detection, TRACK, TRACE, PUT etc
Internal IP address disclosure detection
Internal Path Disclosure detection
Transparent working so you can see exactly what it did
Data extraction
Spider to find directories for webDAV detection
ms09-020 IIS auth bypass check on all discovered directories

download

download hoppy

onesixtyone | Content

Mon, 31 Mar 2008 13:09:44 GMT

This is an updated version of Solar Eclipse's SNMP bruteforcing tool. Onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies. This version fixes a number of bugs in other publically available versions of the software, such as allowing for very large dictionary files and reading target IP addresses from a file.

Features:

Very fast scanning speed (over 50,000 guesses per second)
Scan a single host or thousands of hosts at the same time
Tunable scan speed to support both LAN and WAN testing

Bug Fixes:

Very large dictionary files supported
Enhanced error messages
-w option works correctly to slow down / speed up scans

Check out the usage page for a full list of options. There are some examples to get you started.

XSS Tunnel | Content

Wed, 02 Apr 2008 15:12:53 GMT

What Is XSS Tunnelling?

XSS Tunnelling is the tunnelling of HTTP traffic through an XSS Channel to use virtually any application that supports HTTP proxies.

What Is XSS Tunnel?

XSS Tunnel is a standard HTTP proxy which sits on an attacker’s system. Any tool that is configured to use it will tunnel its traffic through the active XSS Channel on the XSS Shell server. The XSS Tunnel converts the request and responds transparently to validate the HTTP responses and XSS Shell requests.

Refer to XSS Tunnelling paper to read details.

Demonstration Video

Download XSS Tunnelling demonstration video. Video shows how to use XSS Tunnel to bypass NTLM by exploiting an example permanent XSS.

Download

Download package includes following files :

Binary Release of XSS Tunnel v1.0.8
.NET Solution + Source Code for XSS Tunnel v1.0.8
XSS Tunnelling White Paper
XSS Shell v0.6.2 Release (ASP files, database and documentation)

XSS Shell | Content

Mon, 10 Nov 2008 14:11:20 GMT

XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by "XSS-Proxy - http://xss-proxy.sourceforge.net/". Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim. you can backdoor the page.

You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.

Download

This package includes the latest version of XSS Shell and XSS Tunnel. XSS Shell can be used without XSS Tunnel, however you'll get more out of it with XSS Tunnel.

Download SS Shell and XSS Tunnel

Features

XSS Shell has several features to gain whole access over victim. Also you can simply add your own commands.

Most of the features can enable or disabled from configuration or can be tweaked from source code.

Regenerating Pages
- This is one of the key and advanced features of XSS Shell. XSS Shell re-renders the infected page and keep user in virtual environment. Thus even user click any links in the infected page he or she will be still under control! (within cross-domain restrictions) In normal XSS attacks when user leaves the page you can't do anything
- Secondly this feature keeps the session open so even victim follow an outside link from infected page session is not going to timeout and you will be still in charge.
Keylogger
Mouse Logger (click points + current DOM)
Built-in Commands;
- Get Keylogger Data
- Get Current Page (Current rendered DOM / like screenshot)
- Get Cookie
- Execute supplied javaScript (eval)
- Get Clipboard (IE only)
- Get internal IP address (Firefox + JVM only)
- Check victim's visited URL history

Installation

XSS Shell uses ASP + MS Access database as backend but you can simply port them into any other server-side solution. You just need to stick with simple communication protocol.

Install Admin Interface

Copy "xssshell" folder into your web server
Copy "db" to a secure place (below root)
Configure "database path" from "xssshell/db.asp"
Modify hard coded password in db.asp [default password is : w00t]
Now you can access admin interface from something like http://[YOURHOST]/xssshell/

Configure XSS Shell for communication;

Open xssshell.asp
2. Set "SERVER" variable to where your XSSShell folder is located. i.e: "http://[YOURHOST]/xssshell/";
3. Be sure to check "ME", "CONNECTOR", "COMMANDS_URL" variables. If you changed filenames, folder names or some kind of different configuration you need modify them.

Now open your admin interface from your browser,

To test it, just modify "sample_victim/default.asp" source code and replace "http://attacker:81/release/xssshell.js" URL with your own XSS Shell URL. Open "sample_victim" folder in some other browser and may be upload in to some other server.

Now you should see a zombie in admin interface. Just write something into "parameters" textarea and click "alert()". You should see an alert message in victim's browser.

Security Notes

As a hunter be careful about possible "Backfire" in getSelfHTML(). Someone can hack you back or track you by another XSS or XSS Shell attack.
Checkout "showdata.asp" and implement your own "filter()" function to make it safer for you.
Put "On error resume next" to db.asp, better modify your web server to not show any error.

How to Extend

First implement new feature to xssshell.asp

Add new enum for your control
- Set a name and unique number like "CMD_GETCOOKIE"
- var CMD_SAMPLE = 78;
- Set datatype for your response (generally TEXT),
- dataTypes[CMD_SAMPLE] = TEXT;
Write your function and add it to page
- function cmdSample(){return "yeah working !"}
Call it
- Go inside to "function processGivenCommand(cmd)"
- Add a new case like "case CMD_SAMPLE:"
Report it back
- Inside the case call log;
  "log(cmdSample(), dataTypes[cmd.cmd], cmd.attackID, "waitAndRun()");"

Secondly Implement it to admin interface;

In db.asp just add a new element to "Commands" array (command name, command unique number, description).

i.e. "cmdSample()",78,"Command sample ! Just returns a message"

There are parameters and lots of helper in the code. Check out other commands for reference.

Enable debug feature to debug your new commands easily.

External Libraries

moo.ajax -moofx.mad4milk.net
script.aculo.us - (http://script.aculo.us, http://mir.aculo.us)

sucrack | Content

Mon, 31 Mar 2008 16:21:52 GMT

sucrack is a multithreaded Linux/UNIX tool for brute-force cracking local user accounts via su.

This tool comes in handy when you've gained access to a low-privilege user account but are allowed to su to other users. Many su implementations require a pseudo terminal to be attached in order to take the password from the user. This can't be easily achieved with a simple shell script. This tool, written in C, is highly efficient and can attempt multiple logins at the same time.

Please be advised that using this tool will take a lot of the CPU performance and fill up the logs quite quickly. sucrack is so far known to be running on FreeBSD, NetBSD, Linux.

Check out the Usage and Examples page for more information.

ManySSL | Content

Tue, 09 Dec 2008 15:40:49 GMT

This PERL script will enumerate the SSL ciphers in use on any SSL encrypted service. It is not restricted to HTTPS and can be used on SMTP servers that support STARTTLS.

Features Include

Warn the operator if a self-signed certificate is detected.
Warn the operator if an expired certificate is detected.
Full cipher, key-exchange and authentication key strength output.
Use of a client specificed SSL certificate.

rmiInfo | Content

Mon, 31 Mar 2008 14:49:45 GMT

rmiInfo is a tool to help extract information from Java Remote Method Invocation (RMI) services, which can then be used to find possible security vulnerabilities. The main aim being to identify the location of the RMI stub. If one is able to find the stub, then this is the first step in being able to construct java code to talk directly to the RMI service.

rmiInfo is able to not only extract information from RMI registries but also RMI services as well.

From a registry it is able to extract the following information:

Name of attached services.
Location of the service (IP address and port number).
Name of the stub interface.

From an RMI service it is able to extract the following information:

Location of remotely deployed code.

Thus if you combine the information for the service and the registry, you are able to determine the location and name of remotely deployed stubs.

Other features of rmiInfo:

If it finds an RMI registry, it will recursively scan all the services identified.
Platform independent (Java based).

http-dir-enum | Content

Fri, 28 Mar 2008 16:49:57 GMT

http-dir-enum is a tool for finding content that is not linked on a website. Its main use is for finding directories that exist on a server. Simply provide a dictionary file and a URL.

This tool is written in PERL and uses the LWP library.

Features include:

Automatic detection of which HTTP response code to ignore (normally 404, but can vary on some sites)
Support for bruteforcing Files and Directories
Can search for directories recursively
Proxy support
Support for HTTP Basic Authentication
Support for sending custom cookies
Save scan output in XML format
Command line (lack of GUI is a feature, not a bug)
Mutli-threading for extra speed
HTTP keep alive support for extra speed (can be turned off)

Check out the usage page for a full list of options. There are also lots of examples to get you started.

enum4linux | Content

Tue, 16 Sep 2008 11:29:28 GMT

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in PERL and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup. The samba package is therefore a dependency.

Features include:

RID Cycling (When RestrictAnonymous is set to 1 on Windows 2000)
User Listing (When RestrictAnonymous is set to 0 on Windows 2000)
Listing of Group Membership Information
Share Enumeration
Detecting if host is in a Workgroup or a Domain
Identifying the remote Operating System
Password Policy Retrieval (using polenum)

Check out the usage page for a full list of options. There are also lots of examples to get you started.

phrasen|drescher | Content

Fri, 27 Jun 2008 11:28:34 GMT

phrasen|drescher is a modular and multi processing pass phrase cracking tool. In version 1.1 it comes with two plugins with the purposes to:

crack pass phrases of RSA or DSA keys
crack MS SQL 2000/2005 SHA1 hashes
remote SSHv2 account brute forcing
HTTP login form account cracking

A simple plugin API allows an easy development of new plugins.

Further features are:

Modular
Multi Processing
Dictionary attack with or without permutations (uppercase, lowercase, l33t, etc.)
Bruteforce attacks for custom character sets
Runs on FreeBSD, NetBSD, OpenBSD, MacOS and Linux

Check out the Usage and Examples page for more information.