Portcullis Labs - Tools http://labs.portcullis.co.uk Labs Portcullis updates. Fri, 15 Feb 2013 16:55:19 GMT

Local MySQL Password Auditor | Content Fri, 15 Feb 2013 15:29:23 GMT http://labs.portcullis.co.uk/application/local-mysql-password-bruteforcer/ <p><b>mysql-local-bruteforcer</b> is a tool for auditing the password security of a local MySQL installation. It tries each password in a dictionary against either a single user or a dictionary of users.</p> <p>It is written in Python and can easily be packaged as a Windows executable using tools such as py2exe.</p> <p><b>Installation</b></p> <p>No installation is needed: just download and run.</p> <p><b>Usage</b></p> <p>To crack the password of a single user:</p> <pre>    options: -d &lt;dict&gt; -u &lt;user&gt;</pre> <p>To crack the passwords of multiple users:</p> <pre>    options: -d &lt;dict&gt; -U &lt;user dict&gt;</pre> <p><b>Options</b></p> <pre>  -h, --help            show this help message and exit
  -d FILE, --dictionary=FILE
                        local password dictionary to use
  -U FILE, --usernames=FILE
                        local username dictionary to use
  -v, --verbose         don't print any messages
  -u USERNAME, --username=USERNAME
                        username to crack password against
  -f FORCE, --force=FORCE
                        force quit after first successful crack</pre> HeaderCheck | Content Fri, 15 Feb 2013 09:08:18 GMT http://labs.portcullis.co.uk/application/headercheck/ <p>HeaderCheck is a Python script for checking the security settings of several HTTP headers returned by a server.</p> <p>The following headers are checked:</p> <ul> <li>X-XSS-Protection</li> <li>X-Content-Type-Options</li> <li>X-Frame-Options</li> <li>Cache-Control</li> <li>Content-Security-Policy</li> <li>X-WebKit-CSP</li> <li>X-Content-Security-Policy</li> <li>Strict-Transport-Security</li> <li>Access-Control-Allow-Origin</li> <li>Origin</li> </ul> <p>Each header is assessed against good-practice settings and is also displayed for manual checking.</p> <h2>Installing</h2> <p>HeaderCheck is a stand-alone Python script: decompress the download and move the script to the desired location.</p> <h2>Running</h2> <p>HeaderCheck is run in the following form:</p> <p><code>python HeaderCheck.py [targeturl] [subdirectory]</code></p> <p>For example:</p> <p><code>python HeaderCheck.py www.google.com /</code></p> <p><code>python HeaderCheck.py www.bbc.co.uk /news</code></p> <p>Note the space between the domain and the subdirectory.</p> UNIXSocketScanner | Content Thu, 31 Jan 2013 01:40:07 GMT http://labs.portcullis.co.uk/application/unixsocketscanner/ <p>UNIX socket scanner.</p> <p>Features:</p> <ul> <li>Multi-threaded</li> <li>Supports both an internal probe format and the nmap probe format</li> </ul>
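<p>The kind of assessment HeaderCheck performs, as an added example written for this page (the editor's illustration, not HeaderCheck's own code). It parses a raw HTTP response and grades the headers the HeaderCheck entry lists; the pass/fail rules and the 180-day HSTS threshold are assumptions, and both responses are constructed rather than captured from a real server.</p>

```python
# Added example (editor's illustration, not HeaderCheck's own code): assess the
# security headers HeaderCheck lists against good-practice values.  The
# pass/fail rules and thresholds are assumptions; both responses are constructed.

MIN_HSTS_MAX_AGE = 15552000  # 180 days: assumed minimum, not a HeaderCheck value

# Constructed response with weak or missing headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "X-XSS-Protection: 0\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed response that passes every check.
STRONG_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines instead of failing the whole check
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def directives(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}."""
    out = {}
    for part in value.replace(",", ";").split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip()
    return out


def assess(headers):
    """Return {header: (ok, observed value)} for the headers HeaderCheck lists."""
    def first(name):
        values = headers.get(name.lower())
        return values[0] if values else None

    result = {}

    v = first("X-Frame-Options")
    result["X-Frame-Options"] = (v is not None and v.upper() in ("DENY", "SAMEORIGIN"), v or "missing")

    v = first("X-Content-Type-Options")
    result["X-Content-Type-Options"] = (v is not None and v.lower() == "nosniff", v or "missing")

    v = first("X-XSS-Protection")
    d = directives(v or "")
    result["X-XSS-Protection"] = ("1" in d and d.get("mode") == "block", v or "missing")

    v = first("Strict-Transport-Security")
    age = directives(v or "").get("max-age", "")
    result["Strict-Transport-Security"] = (age.isdigit() and int(age) >= MIN_HSTS_MAX_AGE, v or "missing")

    # Any of the three CSP header names counts; the unprefixed one is the standard.
    v = (first("Content-Security-Policy") or first("X-Content-Security-Policy")
         or first("X-WebKit-CSP"))
    result["Content-Security-Policy"] = (v is not None, v or "missing")

    v = first("Cache-Control")
    result["Cache-Control"] = ("no-store" in directives(v or ""), v or "missing")

    # Absent is fine for a non-CORS page; a wildcard origin is flagged.
    v = first("Access-Control-Allow-Origin")
    result["Access-Control-Allow-Origin"] = (v is None or v != "*", v or "not set")

    return result


def failing_headers(raw):
    """Names of the headers that fail the assessment, in the order assessed."""
    _status, headers = parse_headers(raw)
    return [name for name, (ok, _) in assess(headers).items() if not ok]


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("strong", STRONG_RESPONSE)):
        status, headers = parse_headers(raw)
        print("%s response: %s" % (label, status))
        for name, (ok, observed) in assess(headers).items():
            print("  [%s] %-28s %s" % ("+" if ok else "!", name, observed))
```

<p>Each header is still printed with its observed value, as HeaderCheck does, so a reviewer can override the automatic grade where a policy (for example a deliberately public CORS endpoint) makes the flagged setting acceptable.</p>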
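<p>For the get-dhcp-opts entry that follows, an added example (the editor's illustration, not the tool's own code) of the three things it does: build the DHCPDISCOVER, decode the options carried in the OFFERs that come back, and flag more than one answering server. The packets are constructed in the code rather than captured, the option names are a subset of RFC 2132, and the MAC, transaction id and addresses are made up.</p>

```python
# Added example (editor's illustration, not get-dhcp-opts' own code): build a
# DHCPDISCOVER, decode the options in the OFFERs, and flag multiple servers.
# All packets below are constructed, not captured; option names follow RFC 2132.
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2


def bootp_header(op, xid, mac, yiaddr=b"\0" * 4, siaddr=b"\0" * 4):
    """The fixed 236-byte BOOTP header (RFC 2131, section 2)."""
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       op, 1, 6, 0, xid, 0, 0x8000,           # htype=Ethernet, hlen=6, broadcast flag
                       b"\0" * 4, yiaddr, siaddr, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                       mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def build_discover(mac, xid, requested=(1, 3, 6, 15, 54, 66, 67, 150)):
    """DHCPDISCOVER with a Parameter Request List (option 55) naming the options we want."""
    opts = bytes([53, 1, DISCOVER, 55, len(requested)]) + bytes(requested) + b"\xff"
    return bootp_header(BOOTREQUEST, xid, mac) + DHCP_MAGIC + opts


def build_offer(mac, xid, yiaddr, server_ip, extra):
    """A DHCPOFFER as a server would send it; used here only to construct sample input."""
    opts = bytes([53, 1, OFFER, 54, 4]) + socket.inet_aton(server_ip)
    for code, value in extra:
        opts += bytes([code, len(value)]) + value
    header = bootp_header(BOOTREPLY, xid, mac, socket.inet_aton(yiaddr), socket.inet_aton(server_ip))
    return header + DHCP_MAGIC + opts + b"\xff"


def parse_options(pkt):
    """Walk the option area after the magic cookie, honouring pad (0) and end (255)."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


# Option code -> (name, type) for the conversions this example performs.
KNOWN = {1: ("subnet-mask", "ip"), 3: ("router", "iplist"), 6: ("dns-server", "iplist"),
         15: ("domain-name", "str"), 53: ("message-type", "u8"), 54: ("server-id", "ip"),
         66: ("tftp-server-name", "str"), 67: ("bootfile-name", "str"),
         150: ("tftp-server-address", "iplist")}


def convert(code, raw):
    """Decode one option into (name, value); unknown codes are shown as hex."""
    name, kind = KNOWN.get(code, ("option-%d" % code, "hex"))
    if kind == "ip":
        return name, socket.inet_ntoa(raw)
    if kind == "iplist":
        return name, ",".join(socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4))
    if kind == "str":
        return name, raw.decode("ascii", "replace").rstrip("\0")
    if kind == "u8":
        return name, raw[0]
    return name, raw.hex()


def analyse_offers(xid, replies):
    """Group the OFFERs for our transaction by server id (option 54).
    Returns ({server_ip: {name: value}}, rogue); rogue is True when more than one
    distinct server answered, which is how a rogue DHCP server shows up."""
    servers = {}
    for pkt in replies:
        if struct.unpack("!I", pkt[4:8])[0] != xid:
            continue  # another client's transaction
        opts = parse_options(pkt)
        if opts.get(53, b"")[:1] != bytes([OFFER]) or 54 not in opts:
            continue
        decoded = dict(convert(code, raw) for code, raw in opts.items())
        decoded["offered-ip"] = socket.inet_ntoa(pkt[16:20])   # yiaddr
        servers[socket.inet_ntoa(opts[54])] = decoded
    return servers, len(servers) > 1


# Constructed replies: the real server (with VoIP-style options 66/67/150), a
# second server that should not be there, and a stray reply for another xid.
MAC = bytes.fromhex("020000000001")
XID = 0x1234ABCD
SAMPLE_REPLIES = [
    build_offer(MAC, XID, "10.0.0.50", "10.0.0.1", [
        (1, socket.inet_aton("255.255.255.0")), (3, socket.inet_aton("10.0.0.1")),
        (6, socket.inet_aton("10.0.0.1") + socket.inet_aton("10.0.0.2")),
        (66, b"10.0.0.1"), (67, b"phone-config.xml"), (150, socket.inet_aton("10.0.0.1"))]),
    build_offer(MAC, XID, "10.0.0.200", "10.0.0.66", [
        (1, socket.inet_aton("255.255.255.0")), (3, socket.inet_aton("10.0.0.66"))]),
    build_offer(MAC, 0x99999999, "10.0.0.51", "10.0.0.1", []),
]

if __name__ == "__main__":
    servers, rogue = analyse_offers(XID, SAMPLE_REPLIES)
    for ip, options in servers.items():
        print("DHCP server %s offered %s" % (ip, options["offered-ip"]))
        for name, value in sorted(options.items()):
            print("    %-22s %s" % (name, value))
    print("multiple DHCP servers answered (rogue?): %s" % rogue)
```

<p>On a real LAN the discover is broadcast to 255.255.255.255:67 from UDP port 68 (which needs root) and every reply within a timeout is fed to analyse_offers(); because only a DISCOVER is sent, a well-behaved server offers but never leases an address to the probing MAC.</p>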
get-dhcp-opts | Content Wed, 12 Dec 2012 10:06:03 GMT http://labs.portcullis.co.uk/application/get-dhcp-opts/ <p>get-dhcp-opts is a tool to discover DHCP/BOOTP servers on your LAN and dump the DHCP/BOOTP options they hand out.</p> <p>Network infrastructures sometimes use DHCP/BOOTP to deliver <i>special</i> configuration. For example, a VoIP network can use these options to configure the phones (VoIP server address, configuration file URLs, and so on).</p> <p>get-dhcp-opts displays these options and detects rogue DHCP servers on your network.</p> <h1>Features</h1> <ul> <li>Request DHCP options</li> <li>DHCP option autodetection and conversion</li> <li>Detection of multiple DHCP servers (i.e. rogue DHCP servers)</li> </ul> <h1>Notes</h1> <ul> <li>get-dhcp-opts only sends DHCP Discover packets, so a correctly behaving DHCP server will not lease an address to your MAC.</li> </ul> rdp-sec-check | Content Sun, 15 Jul 2012 15:17:44 GMT http://labs.portcullis.co.uk/application/rdp-sec-check/ <p>rdp-sec-check is a tool to remotely check whether certain security features of an RDP service (AKA Terminal Services) have been enabled. It does not require authentication, only network connectivity to TCP port 3389.</p> <p>It can determine many (though not quite all) of the security settings from the RDP-Tcp Properties | General tab:</p> <ul> <li>Which security layers the service supports: Standard RDP Security, TLSv1.0, CredSSP</li> <li>For Standard RDP Security, which encryption levels are supported: 40-bit, 56-bit, 128-bit, FIPS</li> </ul> <p>The following potential security issues are flagged if present:</p> <ul> <li>The service supports Standard RDP Security.
This is known to be vulnerable to an active Man-in-the-Middle attack.</li> <li>The service supports weak encryption (40-bit or 56-bit).</li> <li>The service does not mandate Network Level Authentication (NLA). NLA can help to prevent certain types of Denial of Service attack.</li> <li>The service supports FIPS encryption but does not mandate it. This may only be of interest in jurisdictions where FIPS is required.</li> </ul> <h2>Dependencies</h2> <p>rdp-sec-check is a simple Perl script that requires one module from CPAN. Run 'cpan' as root, then install the Encoding::BER module:</p> <pre># cpan
cpan[1]&gt; install Encoding::BER</pre> <h2>Output Example #1: An old Windows 2000 RDP Service</h2> <pre>$ rdp-sec-check.pl 10.0.0.94
Starting rdp-sec-check v0.8-beta ( http://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul 9 13:34:38 2012

Target:    10.0.0.94
IP:        10.0.0.94
Port:      3389

[+] Checking supported protocols

[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Negotiation ignored - old Windows 2000/XP/2003 system??

[+] Checking RDP Security Layer

[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Not supported

[+] Summary of protocol support

[-] 10.0.0.94:3389 supports PROTOCOL_RDP   : TRUE
[-] 10.0.0.94:3389 supports PROTOCOL_HYBRID: FALSE
[-] 10.0.0.94:3389 supports PROTOCOL_SSL   : FALSE

[+] Summary of RDP encryption support

[-] 10.0.0.94:3389 has encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_NONE  : FALSE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_40BIT : TRUE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_128BIT: FALSE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_56BIT : TRUE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_FIPS  : FALSE

[+] Summary of security issues

[-] 10.0.0.94:3389 has issue NLA_NOT_SUPPORTED_DOS
[-] 10.0.0.94:3389 has issue ONLY_RDP_SUPPORTED_MITM
[-] 10.0.0.94:3389 has issue WEAK_RDP_ENCRYPTION_SUPPORTED

rdp-sec-check v0.8-beta completed at Mon Jul 9 13:34:39 2012</pre> <h2>Output Example #2: A Windows 2003 SP0 RDP Service</h2> <pre>$ rdp-sec-check.pl 10.0.0.93
Starting rdp-sec-check v0.8-beta ( http://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul 9 13:35:34 2012

Target:    10.0.0.93
IP:        10.0.0.93
Port:      3389

[+] Checking supported protocols

[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Negotiation ignored - old Windows 2000/XP/2003 system??

[+] Checking RDP Security Layer

[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE

[+] Summary of protocol support

[-] 10.0.0.93:3389 supports PROTOCOL_RDP   : TRUE
[-] 10.0.0.93:3389 supports PROTOCOL_HYBRID: FALSE
[-] 10.0.0.93:3389 supports PROTOCOL_SSL   : FALSE

[+] Summary of RDP encryption support

[-] 10.0.0.93:3389 has encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_NONE  : FALSE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_40BIT : TRUE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_128BIT: TRUE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_56BIT : TRUE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_FIPS  : TRUE

[+] Summary of security issues

[-] 10.0.0.93:3389 has issue NLA_NOT_SUPPORTED_DOS
[-] 10.0.0.93:3389 has issue FIPS_SUPPORTED_BUT_NOT_MANDATED
[-] 10.0.0.93:3389 has issue ONLY_RDP_SUPPORTED_MITM
[-] 10.0.0.93:3389 has issue WEAK_RDP_ENCRYPTION_SUPPORTED</pre> <h2>Output Example #3: A typical Windows 2003 RDP Service</h2> <pre>$ rdp-sec-check.pl 10.0.0.111
Starting rdp-sec-check v0.8-beta ( http://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul 9 13:36:56 2012

Target:    10.0.0.111
IP:        10.0.0.111
Port:      3389

[+] Checking supported protocols

[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Supported
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Not supported - SSL_NOT_ALLOWED_BY_SERVER
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Not supported - SSL_NOT_ALLOWED_BY_SERVER

[+] Checking RDP Security Layer

[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Supported. Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE

[+] Summary of protocol support

[-] 10.0.0.111:3389 supports PROTOCOL_RDP   : TRUE
[-] 10.0.0.111:3389 supports PROTOCOL_HYBRID: FALSE
[-] 10.0.0.111:3389 supports PROTOCOL_SSL   : FALSE

[+] Summary of RDP encryption support

[-] 10.0.0.111:3389 has encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_NONE  : FALSE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_40BIT : TRUE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_128BIT: TRUE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_56BIT : TRUE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_FIPS  : TRUE

[+] Summary of security issues

[-] 10.0.0.111:3389 has issue NLA_NOT_SUPPORTED_DOS
[-] 10.0.0.111:3389 has issue FIPS_SUPPORTED_BUT_NOT_MANDATED
[-] 10.0.0.111:3389 has issue ONLY_RDP_SUPPORTED_MITM
[-] 10.0.0.111:3389 has issue WEAK_RDP_ENCRYPTION_SUPPORTED

rdp-sec-check v0.8-beta completed at Mon Jul 9 13:36:56 2012</pre> <h2>Output Example #4: A well configured Windows 2008 RDP Service</h2> <pre>$ rdp-sec-check.pl 10.0.0.21
Starting rdp-sec-check v0.8-beta ( http://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul 9 13:32:30 2012

Target:    10.0.0.21
IP:        10.0.0.21
Port:      3389

[+] Checking supported protocols

[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Not supported - HYBRID_REQUIRED_BY_SERVER
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Not supported - HYBRID_REQUIRED_BY_SERVER
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Supported

[+] Checking RDP Security Layer

[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Not supported

[+] Summary of protocol support

[-] 10.0.0.21:3389 supports PROTOCOL_RDP   : FALSE
[-] 10.0.0.21:3389 supports PROTOCOL_HYBRID: TRUE
[-] 10.0.0.21:3389 supports PROTOCOL_SSL   : FALSE

[+] Summary of RDP encryption support

[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_NONE  : FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_40BIT : FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_128BIT: FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_56BIT : FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_FIPS  : FALSE

[+] Summary of security issues

rdp-sec-check v0.8-beta completed at Mon Jul 9 13:32:31 2012</pre> ssl-cipher-suite-enum | Content Wed, 13 Feb 2013 12:11:30 GMT http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/ <p>ssl-cipher-suite-enum is a tool for enumerating the SSL cipher suites supported by network services (principally HTTPS).
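<p>Before moving on to ssl-cipher-suite-enum, here is an added example for the rdp-sec-check entry above (the editor's illustration in Python, not the tool's own Perl code). It shows the unauthenticated probe the "Checking supported protocols" phase performs: an X.224 Connection Request carrying an RDP_NEG_REQ for one security layer, and the three possible answers in the Connection Confirm (no negotiation structure at all, RDP_NEG_RSP, or RDP_NEG_FAILURE). The constants come from MS-RDPBCGR sections 2.2.1.1 and 2.2.1.2; the two fake servers at the bottom are constructed stand-ins for the Windows 2008 and Windows 2000 hosts in the output examples, so the code runs offline.</p>

```python
# Added example (editor's illustration, not rdp-sec-check's own code): the
# per-security-layer probe rdp-sec-check performs, i.e. an X.224 Connection
# Request carrying RDP_NEG_REQ, and parsing of the server's Connection Confirm.
# Constants are from MS-RDPBCGR 2.2.1.1 / 2.2.1.2; the fake servers are constructed.
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
PROTOCOL_NAMES = {PROTOCOL_RDP: "PROTOCOL_RDP", PROTOCOL_SSL: "PROTOCOL_SSL",
                  PROTOCOL_HYBRID: "PROTOCOL_HYBRID"}
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_NAMES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_x224_cr(requested_protocols, user="user"):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ asking for `requested_protocols`."""
    cookie = ("Cookie: mstshash=%s\r\n" % user).encode()
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + cookie + neg_req    # CR, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224                          # length indicator
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224    # TPKT: version 3, total length


def build_x224_cc(neg=None):
    """TPKT + X.224 Connection Confirm.  neg is None (no RDP_NEG_RSP at all, as on
    Windows 2000/XP/2003) or (TYPE_RDP_NEG_RSP|TYPE_RDP_NEG_FAILURE, value)."""
    x224 = bytes([0xD0, 0, 0, 0, 0, 0])
    if neg is not None:
        x224 += struct.pack("<BBHI", neg[0], 0, 8, neg[1])
    x224 = bytes([len(x224)]) + x224
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def parse_x224_cc(data):
    """Return ('ignored', None), ('selected', protocol) or ('failure', code)."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not a TPKT-framed X.224 Connection Confirm")
    li = data[4]
    body = data[11:5 + li]                 # whatever follows the 6-byte fixed CC part
    if len(body) < 8:
        return "ignored", None             # server did not answer RDP_NEG_REQ at all
    ntype, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if ntype == TYPE_RDP_NEG_RSP:
        return "selected", value
    if ntype == TYPE_RDP_NEG_FAILURE:
        return "failure", value
    raise ValueError("unexpected negotiation structure type 0x%02x" % ntype)


def verdict(requested, response):
    """Wording mirrors the rdp-sec-check output above."""
    kind, value = parse_x224_cc(response)
    if kind == "ignored":
        return "Negotiation ignored - old Windows 2000/XP/2003 system?"
    if kind == "failure":
        return "Not supported - " + FAILURE_NAMES.get(value, "failureCode 0x%x" % value)
    if value == requested:
        return "Supported"
    return "Server selected %s instead" % PROTOCOL_NAMES.get(value, hex(value))


def check_protocols(exchange):
    """exchange(request) -> response; one fresh connection per probe, as the tool does."""
    return {PROTOCOL_NAMES[p]: verdict(p, exchange(build_x224_cr(p)))
            for p in (PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID)}


def tcp_exchange(host, port=3389, timeout=5):
    """Real transport for check_protocols(); not exercised offline."""
    def exchange(request):
        with socket.create_connection((host, port), timeout) as s:
            s.sendall(request)
            return s.recv(1024)
    return exchange


# Constructed stand-ins for two of the servers shown in the output examples.
def fake_win2008_nla_only(request):
    requested = struct.unpack("<I", request[-4:])[0]
    if requested & PROTOCOL_HYBRID:
        return build_x224_cc((TYPE_RDP_NEG_RSP, PROTOCOL_HYBRID))
    return build_x224_cc((TYPE_RDP_NEG_FAILURE, 5))         # HYBRID_REQUIRED_BY_SERVER


def fake_win2000_legacy(request):
    return build_x224_cc(None)                                # no negotiation response at all


if __name__ == "__main__":
    import sys
    target = tcp_exchange(sys.argv[1]) if len(sys.argv) > 1 else fake_win2008_nla_only
    for name, result in check_protocols(target).items():
        print("[-] Checking if %s is supported...%s" % (name, result))
```

<p>The "ignored" branch is the important edge case: a pre-Vista server simply omits the RDP_NEG_RSP, so the absence of a negotiation structure, not an error, is what the tool reports as "Negotiation ignored". The Standard RDP Security encryption-level checks in the second phase need an MCS Connect Initial on top of this and are not shown here.</p>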
</p> <h2>Key Features</h2> <ul> <li>Support for legacy and newer versions of SSL/TLS: SSLv2.0, SSLv3.0, TLSv1.0, TLSv1.1 and TLSv1.2</li> <li>Support for SSL testing over SMTP (STARTTLS), RDP and FTP (AUTH SSL)</li> <li>Flagging of common security issues on a per-host and per-cipher-suite basis (see below for the list)</li> <li>Works even when the service requires a client SSL certificate</li> <li>Bruteforces SSLv3+ cipher suites rather than relying on a fixed list of cipher suites that were known at the time of writing</li> <li>No reliance on SSL libraries, which can cause false negatives</li> <li>Human-readable and greppable output, to support reporting and automation</li> <li>Fast scan rate: 1000 connections/second over the LAN</li> <li>Option to throttle connection speed</li> <li>Optimised scanning: unpopular cipher suites are grouped into a single handshake to reduce the number of connections required</li> <li>Option to log all output to a file</li> <li>Support for scanning a list of hosts</li> <li>Handling of servers that accept cipher suites the client didn't offer (rare, but it does happen!)</li> </ul> <h2>Security Issues Identified</h2> <p>ssl-cipher-suite-enum identifies the following common security issues relating to SSL:</p> <ul> <li>SSLv2 being supported: this version of the protocol is vulnerable to a downgrade attack, among other inherent problems.</li> <li>Cipher suites that use symmetric encryption with a key length of less than 128 bits.</li> <li>Support for key exchange algorithms that do not provide forward secrecy; equivalently, cipher suites that allow sniffed traffic to be decrypted retrospectively if the server's private SSL key were to be compromised.</li> <li>Anonymous Diffie-Hellman key exchanges, which allow Man-in-the-Middle attacks.</li> <li>Cipher suite / protocol combinations that are vulnerable to the BEAST attack, i.e.
combinations that would leave the client-&gt;server stream open to the BEAST attack</li> </ul> <h2>Overview</h2> <p>The tool performs a similar function to <a href="https://www.titania-security.com/labs/sslscan">sslscan</a>, <a href="http://www.thc.org/root/tools/">THCSSLCheck</a> and <a href="http://code.google.com/p/sslyze/">sslyze</a>, but differs by crafting part of the SSL handshake itself instead of using an SSL library to establish a full connection. For SSLv3.0 and above, cipher suites are bruteforced: each cipher suite is represented by a 2-byte identifier, generally 0x00?? or 0xC0??, yielding 512 possible values. For SSLv2 only known cipher suites are tried: SSLv2 cipher specs are 3 bytes long, so the search space is much larger and precludes timely bruteforcing.</p> <p>The handshake-crafting approach provides some significant advantages over library-based tools. Libraries either become outdated, and therefore incapable of testing for new protocols such as TLSv1.2 or exotic cipher suites, or they are updated and lose support for older protocols, namely SSLv2. Either way this can be a significant cause of false negative results when performing vulnerability assessments.</p> <p>ssl-cipher-suite-enum therefore aims to ensure that you can always identify all supported cipher suites and that you never miss the fact that SSLv2 is supported. There is, of course, an increased risk of false positive results: because no SSL library is used, the connection is never fully established. ssl-cipher-suite-enum will not detect that an application refuses to talk over weaker cipher suites, or that the full connection fails for some other reason, such as a client certificate being required.</p> <p>Also see the <a href="/application/ssl-cipher-suite-enum/faq/">FAQ</a> page.</p> <h2>Example Output 1: Old Host Supporting SSLv2</h2> <pre>$ ssl-cipher-suite-enum.pl 127.0.0.1
Starting ssl-cipher-enum v0.4-beta ( http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/ ) at Tue Jul 3 14:48:21 2012

[+] Scanning 1 hosts

=== Scan Info ===

Target:    127.0.0.1
IP:        127.0.0.1
Port:      443
Protocols: SSLv2.0,SSLv3.0,TLSv1.0,TLSv1.1,TLSv1.2
Scan Rate: unlimited

=== Testing protocol SSLv2.0 ===

[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 RC4_128_WITH_MD5[010080] SSL2_INSEC,NO_PFS
[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 RC4_128_EXPORT40_WITH_MD5[020080] SSL2_INSEC,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 RC2_128_CBC_WITH_MD5[030080] SSL2_INSEC,BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 RC2_128_CBC_EXPORT40_WITH_MD5[040080] SSL2_INSEC,BEAST,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 DES_64_CBC_WITH_MD5[060040] SSL2_INSEC,BEAST,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 127.0.0.1:443: SSLv2.0 DES_192_EDE3_CBC_WITH_MD5[0700c0] SSL2_INSEC,BEAST,NO_PFS
[+] 6 SSLv2.0 cipher suites supported
[V] 127.0.0.1:443 - Some clients could be vulnerable to BEAST attack - if HTTPS service
[V] 127.0.0.1:443 - Some connections might be protected with a weak (&lt;128-bit) symmetric encryption key

=== Testing protocol SSLv3.0 ===

[+] 0 SSLv3.0 cipher suites supported

=== Testing protocol TLSv1.0 ===

[+] 0 TLSv1.0 cipher suites supported

=== Testing protocol TLSv1.1 ===

[+] 0 TLSv1.1 cipher suites supported

=== Testing protocol TLSv1.2 ===

[+] 0 TLSv1.2 cipher suites supported

[+] Summary of support cipher suites for 127.0.0.1:443

SSLv2.0:
  * RC4_128_WITH_MD5
  * RC4_128_EXPORT40_WITH_MD5
  * RC2_128_CBC_WITH_MD5
  * RC2_128_CBC_EXPORT40_WITH_MD5
  * DES_64_CBC_WITH_MD5
  * DES_192_EDE3_CBC_WITH_MD5

[+] Summary of weakness &quot;BEAST&quot; for 127.0.0.1:443

SSLv2.0:
  * RC2_128_CBC_WITH_MD5
  * RC2_128_CBC_EXPORT40_WITH_MD5
  * DES_64_CBC_WITH_MD5
  * DES_192_EDE3_CBC_WITH_MD5

[+] Summary of weakness &quot;NO_PFS&quot; for 127.0.0.1:443

SSLv2.0:
  * RC4_128_WITH_MD5
  * RC4_128_EXPORT40_WITH_MD5
  * RC2_128_CBC_WITH_MD5
  * RC2_128_CBC_EXPORT40_WITH_MD5
  * DES_64_CBC_WITH_MD5
  * DES_192_EDE3_CBC_WITH_MD5

[+] Summary of weakness &quot;SSL2_INSEC&quot; for 127.0.0.1:443

SSLv2.0:
  * RC4_128_WITH_MD5
  * RC4_128_EXPORT40_WITH_MD5
  * RC2_128_CBC_WITH_MD5
  * RC2_128_CBC_EXPORT40_WITH_MD5
  * DES_64_CBC_WITH_MD5
  * DES_192_EDE3_CBC_WITH_MD5

[+] Summary of weakness &quot;WEAK_ENC&quot; for 127.0.0.1:443

SSLv2.0:
  * RC4_128_EXPORT40_WITH_MD5
  * RC2_128_CBC_EXPORT40_WITH_MD5
  * DES_64_CBC_WITH_MD5

=== Scan Complete ===

[+] ssl-cipher-enum v0.4-beta completed at Tue Jul 3 14:48:22 2012. 918 connections in 1 secs.</pre> <h2>Example Output 2: Average Modern SSL Service</h2> <pre>$ ssl-cipher-suite-enum.pl localhost:443
Starting ssl-cipher-enum v0.4-beta ( http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/ ) at Tue Jul 3 14:48:41 2012

[+] Scanning 1 hosts

=== Scan Info ===

Target:    localhost
IP:        127.0.0.2
Port:      443
Protocols: SSLv2.0,SSLv3.0,TLSv1.0,TLSv1.1,TLSv1.2
Scan Rate: unlimited

=== Testing protocol SSLv2.0 ===

[+] 0 SSLv2.0 cipher suites supported

=== Testing protocol SSLv3.0 ===

[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 RSA_DES_192_CBC3_SHA[000a] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 EDH_RSA_DES_192_CBC3_SHA[0016] BEAST
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 RSA_WITH_AES_128_SHA[002f] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 DHE_RSA_WITH_AES_128_SHA[0033] BEAST
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 RSA_WITH_AES_256_SHA[0035] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: SSLv3.0 DHE_RSA_WITH_AES_256_SHA[0039] BEAST
[+] Preferred SSLv3.0 cipher suite on 127.0.0.2:443: RSA_RC4_128_SHA[0005]
[+] 7 SSLv3.0 cipher suites supported
[V] 127.0.0.2:443 - Some clients could be vulnerable to BEAST attack - if HTTPS service
[V] 127.0.0.2:443 - Most encrypted connections will not use forward secrecy

=== Testing protocol TLSv1.0 ===

[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 RSA_DES_192_CBC3_SHA[000a] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 EDH_RSA_DES_192_CBC3_SHA[0016] BEAST
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 RSA_WITH_AES_128_SHA[002f] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 DHE_RSA_WITH_AES_128_SHA[0033] BEAST
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 RSA_WITH_AES_256_SHA[0035] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.2:443: TLSv1.0 DHE_RSA_WITH_AES_256_SHA[0039] BEAST
[+] Preferred TLSv1.0 cipher suite on 127.0.0.2:443: RSA_RC4_128_SHA[0005]
[+] 7 TLSv1.0 cipher suites supported
[V] 127.0.0.2:443 - Some clients could be vulnerable to BEAST attack - if HTTPS service
[V] 127.0.0.2:443 - Most encrypted connections will not use forward secrecy

=== Testing protocol TLSv1.1 ===

[+] Protocol TLSv1.1 is not supported. Skipping.
[+] 0 TLSv1.1 cipher suites supported

=== Testing protocol TLSv1.2 ===

[+] Protocol TLSv1.2 is not supported. Skipping.
[+] 0 TLSv1.2 cipher suites supported

[+] Summary of support cipher suites for 127.0.0.2:443

SSLv3.0:
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * EDH_RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * DHE_RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA
  * DHE_RSA_WITH_AES_256_SHA

TLSv1.0:
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * EDH_RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * DHE_RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA
  * DHE_RSA_WITH_AES_256_SHA

[+] Summary of weakness &quot;BEAST&quot; for 127.0.0.2:443

SSLv3.0:
  * RSA_DES_192_CBC3_SHA
  * EDH_RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * DHE_RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA
  * DHE_RSA_WITH_AES_256_SHA

TLSv1.0:
  * RSA_DES_192_CBC3_SHA
  * EDH_RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * DHE_RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA
  * DHE_RSA_WITH_AES_256_SHA

[+] Summary of weakness &quot;NO_PFS&quot; for 127.0.0.2:443

SSLv3.0:
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA

TLSv1.0:
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA

=== Scan Complete ===

[+] ssl-cipher-enum v0.4-beta completed at Tue Jul 3 14:48:41 2012. 470 connections in 0 secs.</pre> <h2>Example Output 3: Well Secured Service Supporting TLSv1.2</h2> <pre>$ ssl-cipher-suite-enum.pl www.example.com
Starting ssl-cipher-enum v0.4-beta ( http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/ ) at Tue Jul 3 14:48:52 2012

[+] Scanning 1 hosts

=== Scan Info ===

Target:    www.example.com
IP:        127.0.0.3
Port:      443
Protocols: SSLv2.0,SSLv3.0,TLSv1.0,TLSv1.1,TLSv1.2
Scan Rate: unlimited

=== Testing protocol SSLv2.0 ===

[+] 0 SSLv2.0 cipher suites supported

=== Testing protocol SSLv3.0 ===

[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 RSA_DES_192_CBC3_SHA[000a] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 ECDHE_RSA_WITH_DES_192_CBC3_SHA[c012] BEAST
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 ECDHE_RSA_WITH_AES_128_CBC_SHA[c013] BEAST
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 ECDHE_RSA_WITH_AES_256_CBC_SHA[c014] BEAST
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 RSA_WITH_AES_128_SHA[002f] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: SSLv3.0 RSA_WITH_AES_256_SHA[0035] BEAST,NO_PFS
[+] Preferred SSLv3.0 cipher suite on 127.0.0.3:443: ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] 9 SSLv3.0 cipher suites supported
[V] 127.0.0.3:443 - Some clients could be vulnerable to BEAST attack - if HTTPS service
[V] 127.0.0.3:443 - Some encrypted connections may not have forward secrecy

=== Testing protocol TLSv1.0 ===

[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 RSA_DES_192_CBC3_SHA[000a] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 ECDHE_RSA_WITH_DES_192_CBC3_SHA[c012] BEAST
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 ECDHE_RSA_WITH_AES_128_CBC_SHA[c013] BEAST
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 ECDHE_RSA_WITH_AES_256_CBC_SHA[c014] BEAST
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 RSA_WITH_AES_128_SHA[002f] BEAST,NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.0 RSA_WITH_AES_256_SHA[0035] BEAST,NO_PFS
[+] Preferred TLSv1.0 cipher suite on 127.0.0.3:443: ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] 9 TLSv1.0 cipher suites supported
[V] 127.0.0.3:443 - Some clients could be vulnerable to BEAST attack - if HTTPS service
[V] 127.0.0.3:443 - Some encrypted connections may not have forward secrecy

=== Testing protocol TLSv1.1 ===

[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 RSA_DES_192_CBC3_SHA[000a] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 ECDHE_RSA_WITH_DES_192_CBC3_SHA[c012]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 ECDHE_RSA_WITH_AES_128_CBC_SHA[c013]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 ECDHE_RSA_WITH_AES_256_CBC_SHA[c014]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 RSA_WITH_AES_128_SHA[002f] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.1 RSA_WITH_AES_256_SHA[0035] NO_PFS
[+] Preferred TLSv1.1 cipher suite on 127.0.0.3:443: ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] 9 TLSv1.1 cipher suites supported
[V] 127.0.0.3:443 - Some encrypted connections may not have forward secrecy

=== Testing protocol TLSv1.2 ===

[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_DES_192_CBC3_SHA[000a] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_DES_192_CBC3_SHA[c012]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_128_CBC_SHA[c013]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_256_CBC_SHA[c014]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_128_CBC_SHA256[c027]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_256_CBC_SHA384[c028]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_128_SHA[002f] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_128_GCM_SHA256[c02f]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 ECDHE_RSA_WITH_AES_256_GCM_SHA384[c030]
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_256_SHA[0035] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_128_CBC_SHA256[003c] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_256_CBC_SHA256[003d] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_128_GCM_SHA256[009c] NO_PFS
[+] Cipher suite supported on 127.0.0.3:443: TLSv1.2 RSA_WITH_AES_256_GCM_SHA384[009d] NO_PFS
[+] Preferred TLSv1.2 cipher suite on 127.0.0.3:443: ECDHE_RSA_WITH_RC4_128_SHA[c011]
[+] 17 TLSv1.2 cipher suites supported
[V] 127.0.0.3:443 - Some encrypted connections may not have forward secrecy

[+] Summary of support cipher suites for 127.0.0.3:443

SSLv3.0:
  * RSA_RC4_128_MD5
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA
  * ECDHE_RSA_WITH_RC4_128_SHA
  * ECDHE_RSA_WITH_DES_192_CBC3_SHA
  * ECDHE_RSA_WITH_AES_128_CBC_SHA
  * ECDHE_RSA_WITH_AES_256_CBC_SHA

TLSv1.0:
  * RSA_RC4_128_MD5
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA
  * ECDHE_RSA_WITH_RC4_128_SHA
  * ECDHE_RSA_WITH_DES_192_CBC3_SHA
  * ECDHE_RSA_WITH_AES_128_CBC_SHA
  * ECDHE_RSA_WITH_AES_256_CBC_SHA

TLSv1.1:
  * RSA_RC4_128_MD5
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA
  * ECDHE_RSA_WITH_RC4_128_SHA
  * ECDHE_RSA_WITH_DES_192_CBC3_SHA
  * ECDHE_RSA_WITH_AES_128_CBC_SHA
  * ECDHE_RSA_WITH_AES_256_CBC_SHA

TLSv1.2:
  * RSA_RC4_128_MD5
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA
  * RSA_WITH_AES_128_CBC_SHA256
  * RSA_WITH_AES_256_CBC_SHA256
  * RSA_WITH_AES_128_GCM_SHA256
  * RSA_WITH_AES_256_GCM_SHA384
  * ECDHE_RSA_WITH_RC4_128_SHA
  * ECDHE_RSA_WITH_DES_192_CBC3_SHA
  * ECDHE_RSA_WITH_AES_128_CBC_SHA
  * ECDHE_RSA_WITH_AES_256_CBC_SHA
  * ECDHE_RSA_WITH_AES_128_CBC_SHA256
  * ECDHE_RSA_WITH_AES_256_CBC_SHA384
  * ECDHE_RSA_WITH_AES_128_GCM_SHA256
  * ECDHE_RSA_WITH_AES_256_GCM_SHA384

[+] Summary of weakness &quot;BEAST&quot; for 127.0.0.3:443

SSLv3.0:
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA
  * ECDHE_RSA_WITH_DES_192_CBC3_SHA
  * ECDHE_RSA_WITH_AES_128_CBC_SHA
  * ECDHE_RSA_WITH_AES_256_CBC_SHA

TLSv1.0:
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA
  * ECDHE_RSA_WITH_DES_192_CBC3_SHA
  * ECDHE_RSA_WITH_AES_128_CBC_SHA
  * ECDHE_RSA_WITH_AES_256_CBC_SHA

[+] Summary of weakness &quot;NO_PFS&quot; for 127.0.0.3:443

SSLv3.0:
  * RSA_RC4_128_MD5
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA

TLSv1.0:
  * RSA_RC4_128_MD5
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA

TLSv1.1:
  * RSA_RC4_128_MD5
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA

TLSv1.2:
  * RSA_RC4_128_MD5
  * RSA_RC4_128_SHA
  * RSA_DES_192_CBC3_SHA
  * RSA_WITH_AES_128_SHA
  * RSA_WITH_AES_256_SHA
  * RSA_WITH_AES_128_CBC_SHA256
  * RSA_WITH_AES_256_CBC_SHA256
  * RSA_WITH_AES_128_GCM_SHA256
  * RSA_WITH_AES_256_GCM_SHA384

=== Scan Complete ===

[+] ssl-cipher-enum v0.4-beta completed at Tue Jul 3 14:49:39 2012. 922 connections in 47 secs.</pre> <h2>Output Example #4: Scanning SMTP Server That Supports STARTTLS</h2> <pre>$ ./ssl-cipher-suite-enum.pl --smtp 10.0.0.4:25
Starting ssl-cipher-suite-enum v0.9 ( http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/ ) at Thu Jul 12 07:02:20 2012

[+] Scanning 1 hosts

=== Scan Info ===

Target:    10.0.0.4
IP:        10.0.0.4
Port:      25
Protocols: SSLv2.0,SSLv3.0,TLSv1.0,TLSv1.1,TLSv1.2
Preamble:  SMTP
Scan Rate: unlimited

=== Testing protocol SSLv2.0 ===

[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 RC4_128_WITH_MD5[010080] SSL2_INSEC,NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 RC4_128_EXPORT40_WITH_MD5[020080] SSL2_INSEC,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 RC2_128_CBC_WITH_MD5[030080] SSL2_INSEC,NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 RC2_128_CBC_EXPORT40_WITH_MD5[040080] SSL2_INSEC,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 DES_64_CBC_WITH_MD5[060040] SSL2_INSEC,NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv2.0 DES_192_EDE3_CBC_WITH_MD5[0700c0] SSL2_INSEC,NO_PFS
[+] 6 SSLv2.0 cipher suites supported
[V] 10.0.0.4:25 - Some connections might be protected with a weak (&lt;128-bit) symmetric encryption key

=== Testing protocol SSLv3.0 ===

[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_RC4_40_MD5[0003] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_RC4_128_MD5[0004] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_RC4_128_SHA[0005] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_RC2_40_MD5[0006] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_DES_40_CBC_SHA[0008] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_DES_64_CBC_SHA[0009] NO_PFS,WEAK_ENC
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_DES_192_CBC3_SHA[000a] NO_PFS
[+] Cipher suite supported on 10.0.0.4:25: SSLv3.0</pre>
EDH_RSA_DES_40_CBC_SHA[0014] WEAK_ENC [+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 EDH_RSA_DES_64_CBC_SHA[0015] WEAK_ENC [+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 EDH_RSA_DES_192_CBC3_SHA[0016] [+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_WITH_AES_128_SHA[002f] NO_PFS [+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 DHE_RSA_WITH_AES_128_SHA[0033] [+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 RSA_WITH_AES_256_SHA[0035] NO_PFS [+] Cipher suite supported on 10.0.0.4:25: SSLv3.0 DHE_RSA_WITH_AES_256_SHA[0039] [+] Preferred SSLv3.0 cipher suite on 10.0.0.4:25: RSA_RC4_40_MD5[0003] NO_PFS,WEAK_ENC [+] 14 SSLv3.0 cipher suites supported [V] 10.0.0.4:25 - Some connections might be protected with a weak (&lt;128-bit) symmetric encryption key [V] 10.0.0.4:25 - Most encrypted connections will not use forward secrecy === Testing protocol TLSv1.0 === [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_RC4_40_MD5[0003] NO_PFS,WEAK_ENC [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_RC4_128_MD5[0004] NO_PFS [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_RC4_128_SHA[0005] NO_PFS [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_RC2_40_MD5[0006] NO_PFS,WEAK_ENC [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_DES_40_CBC_SHA[0008] NO_PFS,WEAK_ENC [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_DES_64_CBC_SHA[0009] NO_PFS,WEAK_ENC [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_DES_192_CBC3_SHA[000a] NO_PFS [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 EDH_RSA_DES_40_CBC_SHA[0014] WEAK_ENC [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 EDH_RSA_DES_64_CBC_SHA[0015] WEAK_ENC [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 EDH_RSA_DES_192_CBC3_SHA[0016] [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_WITH_AES_128_SHA[002f] NO_PFS [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 DHE_RSA_WITH_AES_128_SHA[0033] [+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 RSA_WITH_AES_256_SHA[0035] NO_PFS 
[+] Cipher suite supported on 10.0.0.4:25: TLSv1.0 DHE_RSA_WITH_AES_256_SHA[0039] [+] Preferred TLSv1.0 cipher suite on 10.0.0.4:25: RSA_RC4_40_MD5[0003] NO_PFS,WEAK_ENC [+] 14 TLSv1.0 cipher suites supported [V] 10.0.0.4:25 - Some connections might be protected with a weak (&lt;128-bit) symmetric encryption key [V] 10.0.0.4:25 - Most encrypted connections will not use forward secrecy === Testing protocol TLSv1.1 === [+] Protocol TLSv1.1 is not supported. Skipping. [+] 0 TLSv1.1 cipher suites supported === Testing protocol TLSv1.2 === [+] Protocol TLSv1.2 is not supported. Skipping. [+] 0 TLSv1.2 cipher suites supported [+] Summary of support cipher suites for 10.0.0.4:25 SSLv2.0: * RC4_128_WITH_MD5 * RC4_128_EXPORT40_WITH_MD5 * RC2_128_CBC_WITH_MD5 * RC2_128_CBC_EXPORT40_WITH_MD5 * DES_64_CBC_WITH_MD5 * DES_192_EDE3_CBC_WITH_MD5 SSLv3.0: * RSA_RC4_40_MD5 * RSA_RC4_128_MD5 * RSA_RC4_128_SHA * RSA_RC2_40_MD5 * RSA_DES_40_CBC_SHA * RSA_DES_64_CBC_SHA * RSA_DES_192_CBC3_SHA * EDH_RSA_DES_40_CBC_SHA * EDH_RSA_DES_64_CBC_SHA * EDH_RSA_DES_192_CBC3_SHA * RSA_WITH_AES_128_SHA * DHE_RSA_WITH_AES_128_SHA * RSA_WITH_AES_256_SHA * DHE_RSA_WITH_AES_256_SHA TLSv1.0: * RSA_RC4_40_MD5 * RSA_RC4_128_MD5 * RSA_RC4_128_SHA * RSA_RC2_40_MD5 * RSA_DES_40_CBC_SHA * RSA_DES_64_CBC_SHA * RSA_DES_192_CBC3_SHA * EDH_RSA_DES_40_CBC_SHA * EDH_RSA_DES_64_CBC_SHA * EDH_RSA_DES_192_CBC3_SHA * RSA_WITH_AES_128_SHA * DHE_RSA_WITH_AES_128_SHA * RSA_WITH_AES_256_SHA * DHE_RSA_WITH_AES_256_SHA [+] Summary of weakness &quot;NO_PFS&quot; for 10.0.0.4:25 SSLv2.0: * RC4_128_WITH_MD5 * RC4_128_EXPORT40_WITH_MD5 * RC2_128_CBC_WITH_MD5 * RC2_128_CBC_EXPORT40_WITH_MD5 * DES_64_CBC_WITH_MD5 * DES_192_EDE3_CBC_WITH_MD5 SSLv3.0: * RSA_RC4_40_MD5 * RSA_RC4_128_MD5 * RSA_RC4_128_SHA * RSA_RC2_40_MD5 * RSA_DES_40_CBC_SHA * RSA_DES_64_CBC_SHA * RSA_DES_192_CBC3_SHA * RSA_WITH_AES_128_SHA * RSA_WITH_AES_256_SHA TLSv1.0: * RSA_RC4_40_MD5 * RSA_RC4_128_MD5 * RSA_RC4_128_SHA * RSA_RC2_40_MD5 * RSA_DES_40_CBC_SHA * 
RSA_DES_64_CBC_SHA * RSA_DES_192_CBC3_SHA * RSA_WITH_AES_128_SHA * RSA_WITH_AES_256_SHA [+] Summary of weakness &quot;SSL2_INSEC&quot; for 10.0.0.4:25 SSLv2.0: * RC4_128_WITH_MD5 * RC4_128_EXPORT40_WITH_MD5 * RC2_128_CBC_WITH_MD5 * RC2_128_CBC_EXPORT40_WITH_MD5 * DES_64_CBC_WITH_MD5 * DES_192_EDE3_CBC_WITH_MD5 [+] Summary of weakness &quot;WEAK_ENC&quot; for 10.0.0.4:25 SSLv2.0: * RC4_128_EXPORT40_WITH_MD5 * RC2_128_CBC_EXPORT40_WITH_MD5 * DES_64_CBC_WITH_MD5 SSLv3.0: * RSA_RC4_40_MD5 * RSA_RC2_40_MD5 * RSA_DES_40_CBC_SHA * RSA_DES_64_CBC_SHA * EDH_RSA_DES_40_CBC_SHA * EDH_RSA_DES_64_CBC_SHA TLSv1.0: * RSA_RC4_40_MD5 * RSA_RC2_40_MD5 * RSA_DES_40_CBC_SHA * RSA_DES_64_CBC_SHA * EDH_RSA_DES_40_CBC_SHA * EDH_RSA_DES_64_CBC_SHA === Scan Complete === [+] ssl-cipher-suite-enum v0.9 completed at Thu Jul 12 07:03:37 2012. 470 connections in 77 secs. </pre> <h2>Output Example #5: Scanning An RDP Service</h2> <pre> $ ./ssl-cipher-suite-enum.pl --rdp --tlsv1 10.0.0.5:3389 Starting ssl-cipher-suite-enum v0.9 ( http://labs.portcullis.co.uk/application/ssl-cipher-suite-enum/ ) at Thu Jul 12 07:07:59 2012 [+] Scanning 1 hosts === Scan Info === Target: 10.0.0.5 IP: 10.0.0.5 Port: 3389 Protocols: TLSv1.0 Preamble: RDP Scan Rate: unlimited === Testing protocol TLSv1.0 === [+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 RSA_RC4_128_MD5[0004] NO_PFS [+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 RSA_RC4_128_SHA[0005] NO_PFS [+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 RSA_DES_192_CBC3_SHA[000a] NO_PFS [+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 ECDHE_RSA_WITH_AES_128_CBC_SHA[c013] [+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 ECDHE_RSA_WITH_AES_256_CBC_SHA[c014] [+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 RSA_WITH_AES_128_SHA[002f] NO_PFS [+] Cipher suite supported on 10.0.0.5:3389: TLSv1.0 RSA_WITH_AES_256_SHA[0035] NO_PFS [+] Preferred TLSv1.0 cipher suite on 10.0.0.5:3389: RSA_WITH_AES_128_SHA[002f] NO_PFS [+] 7 TLSv1.0 cipher suites 
supported [V] 10.0.0.5:3389 - Most encrypted connections will not use forward secrecy [+] Summary of support cipher suites for 10.0.0.5:3389 TLSv1.0: * RSA_RC4_128_MD5 * RSA_RC4_128_SHA * RSA_DES_192_CBC3_SHA * RSA_WITH_AES_128_SHA * RSA_WITH_AES_256_SHA * ECDHE_RSA_WITH_AES_128_CBC_SHA * ECDHE_RSA_WITH_AES_256_CBC_SHA [+] Summary of weakness &quot;NO_PFS&quot; for 10.0.0.5:3389 TLSv1.0: * RSA_RC4_128_MD5 * RSA_RC4_128_SHA * RSA_DES_192_CBC3_SHA * RSA_WITH_AES_128_SHA * RSA_WITH_AES_256_SHA === Scan Complete === [+] ssl-cipher-suite-enum v0.9 completed at Thu Jul 12 07:08:21 2012. 227 connections in 22 secs. </pre> VulnApp | Content Sat, 15 Sep 2012 11:11:19 GMT http://labs.portcullis.co.uk/application/vulnapp/ <p>&nbsp;</p> <p style="font-family: sans-serif; text-align: justify; ">Recently myself and a colleague were asked to give some training to a client's ASP.net development team. My colleague was asked to give the main training session whilst I was asked to run a post training game to test the developers retention of the concepts. After looking at some of the existing ASP.net applications I decided I'd like to write my own. The result of this is&nbsp;<a href="http://projects.nth-dimension.org.uk/dir?d=VulnApp" style="color: rgb(146, 157, 181); text-decoration: none; ">VulnApp</a>, a BSD licensed ASP.net application implementing some of the most common applications we come across on our penetration testing engagements. The source is also available from my&nbsp;<a href="http://projects.nth-dimension.org.uk/" style="color: rgb(146, 157, 181); text-decoration: none; ">CVS server</a>&nbsp;so that others can, if they like, contribute.</p> <p style="font-family: sans-serif; text-align: justify; ">To make it easier for developers to learn, I've logged&nbsp;<a href="http://projects.nth-dimension.org.uk/rptview?rn=6" style="color: rgb(146, 157, 181); text-decoration: none; ">tickets</a>&nbsp;for all of the intentional vulnerabilities I've introduced along the way. 
Be aware that there might be others I've missed, particularly gaps in the enforcement of ACLs and logic bugs. I'd encourage you to log any other vulnerabilies you find along the way.</p> <p>&nbsp;</p> secdump | Content Sat, 24 Mar 2012 17:52:38 GMT http://labs.portcullis.co.uk/application/secdump/ <p>secdump is a simple meterpreter module uploads and runs&nbsp;<a href="http://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5">gsecdump</a> from truesec.</p> <pre> meterpreter &gt; run secdump UploadExec gsecdump OPTIONS: -a Dump all creds -h Help menu. -l Dump LSA Secrets -p Path on target to upload executable, default is %TEMP%. -s Dump hashes from SAM/AD -u Dump Active logon session hashes -w Dump Wireless Creds {NOT IMPLEMENTED} <br type="_moz" /></pre> nopc | Content Tue, 03 Jul 2012 13:53:26 GMT http://labs.portcullis.co.uk/application/nopc/ <p>Ever been trying to perform a patch analysis of a UNIX based machine without network access to it? I have and it used to be a wrestling match to make reasonable sense of the output from tools like &quot;/bin/rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' &gt;&nbsp;patchlist.txt&quot;. &nbsp;</p> <p>Out of this came nopc. Nopc utilises the ability of Nessus to perform an accurate patch analysis once it has extracted the information from the system, but instructs you on how to manually recover this same information. Below is an example usage for a Redhat patch review.</p> <pre> d@p:~/src$ ./nopc.sh [+] What type of system have you got the patch output for? 1 - Redhat 2 - OSX 3 - Debian 4 - Ubuntu 5 - Slackware * 6 - Solaris (Maybe !11) 7 - AIX 8 - HP-UX * 9 - FreeBSD * 10 - Cisco * UNTESTED!! Enter 1-10? 
1
[+] Redhat Selected
[+] Run '/bin/rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' &gt; patchlist.txt'
[+] Enter Location of file: patchlist.txt
[+] Enter the Contents of /etc/redhat-release
[+] Enter Text Requested: Red Hat Enterprise Linux Server release 5
[+] To run this in a script the command would be: ./nopc.sh -s '1' 'patchlist.txt' 'Red Hat Enterprise Linux Server release 5'
[+] Locating Nasls ....
</pre>
SSHatter | Content Wed, 16 Feb 2011 12:19:48 GMT http://labs.portcullis.co.uk/application/sshatter/
<p>Password brute forcer for SSH.</p>
<p>Features:</p>
<ul> <li>Multi-threaded</li> <li>Supports both SSH v1 and v2 protocols</li> <li>Supports key-based brute forcing</li> <li>Support for post-brute-force exploration</li> <li>Mass mode to run one command across all targets</li> <li>Support for sudo-based privilege escalation</li> <li>Integrated file transfer support</li> </ul>
MS08-067 check | Content Tue, 18 Nov 2008 12:22:54 GMT http://labs.portcullis.co.uk/application/ms08-067-check/
<p>This tool can be used to anonymously check whether a target machine or a list of target machines is affected by the <a href="http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx">MS08-067</a> issue (Vulnerability in Server Service Could Allow Remote Code Execution).</p>
<h2>Usage</h2>
<pre>
$ python ms08-067_check.py -h
Usage: ms08-067_check.py [option] {-t &lt;target&gt;|-l &lt;iplist.txt&gt;}

Options:
  --version   show program's version number and exit
  -h, --help  show this help message and exit
  -d          show description and exit
  -t TARGET   target IP or hostname
  -l LIST     text file with list of targets
  -s          be silent
</pre>
<h2>Example</h2>
<pre>
$ python ms08-067_check.py -t 192.168.123.30
192.168.123.30: VULNERABLE
</pre>
<h2>Note</h2>
<p>On Windows XP Service Pack 2 and Windows XP Service Pack 3 this check might lead to a race condition and heap corruption in the <i>svchost.exe</i> process, but it may not crash the service immediately: it can trigger later on inside any of the shared services in the process.</p>
<h2>References</h2>
<ul> <li>BID: <a href="http://www.securityfocus.com/bid/31874">31874</a></li> <li>CVE: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250">2008-4250</a></li> <li><a href="http://blogs.technet.com/swi/archive/2008/10/25/most-common-questions-that-we-ve-been-asked-regarding-ms08-067.aspx">http://blogs.technet.com/swi/archive/2008/10/25/most-common-questions-that-we-ve-been-asked-regarding-ms08-067.aspx</a></li> <li><a href="http://www.microsoft.com/technet/security/advisory/958963.mspx">http://www.microsoft.com/technet/security/advisory/958963.mspx</a></li> <li><a href="http://www.phreedom.org/blog/2008/decompiling-ms08-067/">http://www.phreedom.org/blog/2008/decompiling-ms08-067/</a></li> <li><a href="http://metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb">http://metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb</a></li> <li><a href="http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html">http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html</a></li> <li><a href="http://blogs.securiteam.com/index.php/archives/1150">http://blogs.securiteam.com/index.php/archives/1150</a></li> </ul>
udp-proto-scanner | Content Wed, 26 Nov 2008 16:23:36 GMT http://labs.portcullis.co.uk/application/udp-proto-scanner/
<p>udp-proto-scanner.pl discovers UDP services by sending triggers to a list of hosts:</p>
<pre>
$ udp-proto-scanner.pl -f ips.txt
$ udp-proto-scanner.pl 10.0.0.0/16 172.16.16.1 192.168.0.1
$ udp-proto-scanner.pl -p ntp -f ips.txt
</pre>
<p>The probe names (for -p) are defined in udp-proto-scanner.conf. List the probe names using the -l option:</p>
<pre>
$ udp-proto-scanner.pl -l
</pre>
<h2>What's it Used For?</h2>
<p>It's used in the host-discovery and service-discovery phases of a pentest.</p>
<p>It can be helpful if you need to discover hosts that only offer UDP services and are otherwise well firewalled, e.g. if you want to find all the DNS servers in a range of IP addresses. Alternatively, on a LAN you might want a quick way to find all the TFTP servers.</p>
<p>Not all UDP services can be discovered in this way (e.g. SNMPv1 won't respond unless you know a valid community string). However, many UDP services can be discovered, e.g.:</p>
<ul> <li>DNS</li> <li>TFTP</li> <li>NTP</li> <li>NBT</li> <li>SunRPC</li> <li>MS SQL</li> <li>DB2</li> <li>SNMPv3</li> </ul>
<h2>It's Not a Portscanner</h2>
<p>It won't give you a list of open and closed ports for each host. It's simply looking for specific UDP services.</p>
<h2>Efficiency</h2>
<p>It's most efficient to run udp-proto-scanner.pl against whole networks (e.g. 256 IPs or more). If you run it against small numbers of hosts it will seem quite slow, because it waits for 1 second between each different type of probe.</p>
<p>One cool feature of udp-proto-scanner is that it doesn't load the whole host list into memory. Therefore if you want to scan 17 million IPs, you can.
It'll take a while, but you won't run out of memory.</p>
<h2>Credits</h2>
<p>The UDP probes are mainly taken from amap, nmap and ike-scan. Inspiration for the scanning code was drawn from ike-scan. Net::Netmask by David Muir Sharnoff is included in this tool.</p>
polenum | Content Thu, 30 Oct 2008 11:54:12 GMT http://labs.portcullis.co.uk/application/polenum/
<p>polenum is a Python script which uses the <a href="http://oss.coresecurity.com/projects/impacket.html">Impacket</a> library from CORE Security Technologies to extract the password policy information from a Windows machine. This allows a non-Windows (Linux, Mac OS X, BSD etc.) user to query the password policy of a remote Windows box without needing access to a Windows machine.</p>
<h2>features</h2>
<ul> <li>can extract the password policy and associated information from a Windows machine</li> <li>will connect over a NULL or authenticated share</li> <li>supports encrypted/signed sessions</li> </ul>
<h2>limitations</h2>
<ul> <li>no NTLMv2 support</li> <li>has a problem with domain-connected workstations</li> </ul>
<h2>download</h2>
<p><a href="/download/polenum-0.2.tar.bz2">download polenum</a></p>
vessl | Content Thu, 30 Oct 2008 11:51:42 GMT http://labs.portcullis.co.uk/application/vessl/
<p>vessl is a simple wrapper script that connects to an encrypted service, extracts its SSL certificate and then verifies it. It was originally written in order to script the verification of SSL certificates across a large network.</p>
<h2>features</h2>
<ul> <li>vessl will connect to any service that openssl can</li> <li>it will extract the certificate and verify it against a given CA PEM file</li> <li>it will check that the certificate matches the host it is on</li> <li>it produces a map from IPs to hostnames</li> <li>it checks whether the certificate is based on a blacklisted Debian key</li> </ul>
<h2>dependencies</h2>
<ul> <li>openssl</li> <li>ping</li> <li><a href="https://launchpad.net/ubuntu/+source/openssl-blacklist/">openssl-vulnkey</a></li> <li>mktemp</li> <li><a href="/content/vessl/generating-a-ca-pem-file/">CA PEM file</a></li> </ul>
<h2>download</h2>
<p><a href="/download/vessl-0.3.1.tar.bz2">download vessl</a></p>
BSQL Hacker | Content Wed, 16 Jan 2013 14:45:35 GMT http://labs.portcullis.co.uk/application/bsql-hacker/
<p>BSQL (Blind SQL) Hacker is an automated SQL Injection framework / tool designed to exploit SQL injection vulnerabilities in virtually any database.</p>
<p>BSQL Hacker is aimed at experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).</p>
<p>It provides a Metasploit-like exploit repository for sharing and updating exploits.</p>
<ul> <li><a href="http://www.vimeo.com/1536040?pg=embed&amp;sec=1536040" rel="nofollow">See a sample exploitation video.</a></li> </ul>
<h2>Download Installer</h2>
<ul> <li><a href="/download/BSQLHackerSetup-0909.exe">BSQLHackerSetup-0909.exe</a></li> </ul>
<h2>Key Features</h2>
<ul> <li>Easy Mode <ul> <li>SQL Injection Wizard</li> <li>Automated Attack Support (database dump) <ul> <li>ORACLE</li> <li>MSSQL</li> <li>MySQL (experimental)</li> </ul> </li> </ul> </li> <li>General <ul> <li>Fast and multithreaded</li> <li>Support for 4 different SQL Injection types <ul> <li>Blind SQL Injection</li> <li>Time Based Blind SQL Injection</li> <li>Deep Blind (based on advanced time delays) SQL Injection</li> <li>Error Based SQL Injection</li> </ul> </li> <li>Can automate most of the new SQL Injection methods that rely on Blind SQL Injection</li> <li>RegEx signature support</li> <li>Console and GUI support</li> <li>Load / Save support</li> <li>Token / Nonce / ViewState etc. support</li> <li>Session sharing support</li> <li>Advanced configuration support</li> <li>Automated Attack mode: automatically extracts the entire database schema and data</li> </ul> </li> </ul>
<ul> <li>Update / Exploit Repository Features <ul> <li>Metasploit-like exploit repository support</li> <li>Allows SQL Injection exploits to be saved and shared</li> <li>Supports auto-update</li> <li>Custom GUI support for exploits (cookie input, URL input etc.)</li> </ul> </li> </ul>
<ul> <li>GUI Features <ul> <li>Load and Save</li> <li>Template and Attack File support (users can save sessions and share them; some sections of the templates, such as username, password or cookie, can be shown to the user in a GUI)</li> <li>Visually view true and false responses as well as the full HTML response, including time and stats</li> </ul> </li> </ul>
<ul> <li>Connection Related <ul> <li>Proxy support (authenticated proxy support)</li> <li>NTLM and Basic Auth support; can use the default credentials of the current user/application</li> <li>SSL support (also invalid certificates)</li> <li>Custom header support</li> </ul> </li> </ul>
<ul> <li>Injection Points (only one of them or a combination) <ul> <li>Query String</li> <li>Post</li> <li>HTTP Headers</li> <li>Cookies</li> </ul> </li> </ul>
<ul> <li>Other <ul> <li>Post-injection data can be stored in a separate file</li> <li>XML output (not stable)</li> <li>CSRF protection support</li> </ul> </li> </ul>
<p>One-time session tokens, ASP.NET ViewState or similar can be used for separate login sessions, bypassing proxy pages etc.</p>
<hr />
<p><strong>It's still beta and there are known issues:</strong></p>
<ul> <li>Automated Attack for MySQL is experimental and might not work properly</li> </ul>
acccheck | Content Wed, 09 Apr 2008 18:48:49 GMT
http://labs.portcullis.co.uk/application/acccheck/
<p>acccheck is a password dictionary attack tool that targets Windows authentication via the SMB protocol. It is really a wrapper script around the 'smbclient' binary, and as a result is dependent on it for its execution.</p>
<p>The simplest way to run the tool is as follows:</p>
<p><code>./acccheck.pl -t 10.10.10.1</code></p>
<p>This mode of execution attempts to connect to the target ADMIN$ share with the username 'Administrator' and a [BLANK] password.</p>
<p><code>./acccheck.pl -t 10.10.10.1 -u test -p test</code></p>
<p>This mode of execution attempts to connect to the target IPC$ share with the username 'test' and the password 'test'.</p>
<p>Each of the -t, -u and -p flags can be substituted with -T, -U and -P respectively, where each takes an input file rather than a single input. E.g.</p>
<p><code>./acccheck.pl -T iplist -U userfile -P passwordfile</code></p>
<p>Only use -v mode on very small dictionaries; otherwise it has the effect of slowing the scan down to the rate at which the system writes to standard out.</p>
<p>Any username/password combinations found are written to a file called 'cracked' in the working directory.</p>
MIBparse | Content Mon, 07 Apr 2008 23:38:19 GMT http://labs.portcullis.co.uk/application/mibparse/
<p>MIBparse.pl has been designed as an offline parser to quickly parse output from SNMP tools such as 'snmpwalk' (NET-SNMP project, net-snmp.sourceforge.net). The output returned depends on the options selected by the user. Typically, information relating to the system, services, open ports, users, shares and installed components can be extracted by the tool.</p>
<p><b>Requirements</b></p>
<p>The only requirement is Perl.</p>
<p><b>Running</b></p>
<p>The simplest way to run the tool is as follows:</p>
<p><code>./MIBparse.pl -f public.txt</code></p>
<p>Where &quot;public.txt&quot; is the output from 'snmpwalk' piped to a file. In this mode all available information is written to standard out.</p>
<p>The information that is output can be tailored using the '-a' flag. The following values can be used with this flag:</p>
<p>1 = All<br /> 2 = System<br /> 3 = Routing information<br /> 4 = Services<br /> 5 = TCP ports<br /> 6 = UDP ports<br /> 7 = Users<br /> 8 = Shares<br /> 9 = Domain<br /> 10 = Installed components<br /> 11 = Community strings</p>
<p>Each value corresponds to the type of information that is output. As an example, '-a 7' will output all of the users from a Windows system. The example execution in this case would be:</p>
<p><code>./MIBparse.pl -f public.txt -a 7</code></p>
<p>If you wish to execute the tool from a working directory which is not in your $PATH then the '-b' option can be used to specify the location of the 'tags' file. This option can also be used to specify any file as a tags file, as long as the format of the file conforms to the example that is provided. The example execution in such a case would be:</p>
<p><code>./MIBparse.pl -f public.txt -b ./tags</code></p>
<p>OR</p>
<p><code>./MIBparse.pl -f public.txt -b ./mytagsfile</code></p>
<p>Finally, the '-b' flag can be used in conjunction with the '-a' flag. The example execution in such a case would be:</p>
<p><code>./MIBparse.pl -f public.txt -b ./mytagsfile -a 7</code></p>
nbtscan-1.5.2 | Content Thu, 03 Apr 2008 14:24:31 GMT http://labs.portcullis.co.uk/application/nbtstat-1-5-2/
<p>NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each responding host it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.</p>
Sun Patch Check | Content Wed, 02 Apr 2008 10:49:02 GMT http://labs.portcullis.co.uk/application/sun-patch-check/
<p>Sun Patch Check is a tool that does exactly what it says on the tin: it compares the output from the Sun Solaris <code>showrev</code> command to the Sun recommended patch list.</p>
<h2>Requirements</h2>
<p>Sun Patch Check only requires the GNU C compiler.</p>
<h2>Download</h2>
<p>The latest version of Sun Patch Check can be downloaded from <a href="http://www.titania.co.uk/sunpatchcheck.php">here</a>.</p>
<h2>Compiling</h2>
<p>Sun Patch Check can be compiled from source using the following command:</p>
<p><code>gcc -o sunpatchcheck sunpatchcheck.c</code></p>
<h2>Running</h2>
<p>Before you can use Sun Patch Check to check the patches of any Sun Solaris system you will need to update the patch list from the Sun web site. This can be done with the following command:</p>
<p><code>sunpatchcheck --update</code></p>
<p>You may want to update the patch list on a regular basis; otherwise more recent patches may be missing from the database.</p>
<p>You will need to collect a patch list from the Sun Solaris system you want to check. This can be done with the following Solaris command:</p>
<p><code>showrev -p &gt;patchlist.txt</code></p>
<p>Sun Patch Check needs to know which version of Solaris the patch list comes from; this is specified on the command line when running Sun Patch Check.
To check the patches from a Solaris 10 SPARC system using the file extracted in the previous example:</p>
<p><code>sunpatchcheck --check=patchlist.txt --solaris=10</code></p>
<p>Online help for all options is available using:</p>
<p><code>sunpatchcheck --help</code></p>
<h2>License</h2>
<p>Sun Patch Check is covered by the GPL v3 license, but you will also need to agree to the <a href="http://sunsolve.sun.com/show.do?target=tous">Sun Solve license</a>.</p>
Banner Grab | Content Wed, 02 Apr 2008 12:36:30 GMT http://labs.portcullis.co.uk/application/bannergrab/
<p>BannerGrab is a tool that performs connection-based, trigger-based and basic information collection from network services. The program has two modes of operation: simple connection banner grabbing, and the default mode, which makes use of service triggers to enumerate additional information.</p>
<p>BannerGrab can connect to TCP, UDP and SSL services. SSL service banner grabbing will also return the SSL connection details.</p>
<h2>Requirements</h2>
<p>BannerGrab requires the GNU C compiler and has been tested on Linux, but should work on other UNIX-type systems. It has even been known to run from an iPhone.</p>
<p>BannerGrab has an optional requirement of the OpenSSL library to perform SSL-based grabs. However, SSL support can be disabled.</p>
<h2>Download</h2>
<p>BannerGrab can be downloaded from the SourceForge project site at <a href="http://sourceforge.net/projects/bannergrab">sourceforge.net/projects/bannergrab</a>.</p>
<h2>Compiling</h2>
<p>BannerGrab includes a Makefile, so it can be built in the usual way:</p>
<ul> <li><code>make</code></li> <li><code>make install</code> (as root)</li> </ul>
<p>However, it can also be compiled manually as follows:</p>
<p><code>gcc -lssl -o bannergrab bannergrab.c</code></p>
<p>On Mac OS X systems it can be compiled as follows:</p>
<p><code>gcc -lssl -lcrypto -o bannergrab bannergrab.c</code></p>
<p>It can be compiled without OpenSSL support as follows:</p>
<p><code>gcc -DNOSSL -o bannergrab bannergrab.c</code></p>
<h2>Running</h2>
<p>BannerGrab can be run in its simplest form by specifying a host and port as the parameters. For example:</p>
<p><code>bannergrab 127.0.0.1 80</code></p>
<p>More advanced options can be shown using the online help with the following command:</p>
<p><code>bannergrab --help</code></p>
<h2>License</h2>
<p>BannerGrab is covered by the GPL v3 license with the following exception:</p>
<p><em>In addition, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL.
If you modify<br /> file(s) with this exception, you may extend this exception to your<br /> version of the file(s), but you are not obligated to do so. If you<br /> do not wish to do so, delete this exception statement from your<br /> version. If you delete this exception statement from all source<br /> files in the program, then also delete it here.</em></p> viewstate | Content Wed, 02 Apr 2008 10:50:25 GMT http://labs.portcullis.co.uk/application/viewstate/ <p>Viewstate is an ASP.NET viewstate decoder, checker, parser and encoder. It supports both the old and the new viewstate formats, and the data can be extracted directly from the web.</p> <h2>Requirements</h2> <p>Viewstate is platform independent and can be downloaded in source code or Windows binary form. If you are building viewstate from source you will need the GNU C compiler (under Windows you can use MinGW).</p> <h2><b>Downloads</b></h2> <p>Viewstate can be downloaded from the Source Forge project page at <a href="http://sourceforge.net/projects/viewstate">sourceforge.net/projects/viewstate</a>.</p> <h2>Compiling</h2> <p>A Makefile is provided for the usual compilation process:</p> <ul> <li><code>make</code></li> <li><code>make install</code> (as root)</li> </ul> <p>Alternatively, you can compile it manually with:</p> <ul> <li><code>gcc -o viewstate viewstate.c</code></li> </ul> <h2><b>Running</b></h2> <p>If viewstate is run with no options, the online help is displayed. A simple decode of the viewstate data held by the Acme company web site would be:</p> <p><code>viewstate --decode --url=http://www.acme.fake/main.asp</code></p> <h2>License</h2> <p>Viewstate is covered by the GPL v3 license.</p> BSQL brute forcer V2 | Content Wed, 18 Jun 2008 12:21:58 GMT http://labs.portcullis.co.uk/application/bsql-brute-forcer/ <p>This is a modified version of 'bsqlbfv1.2-th.pl'. This Perl script allows extraction of data from blind SQL injections. 
It accepts custom SQL queries as a command line parameter and works for both integer- and string-based injections. Databases supported:<br /> <br /> <b>0. MS-SQL<br /> 1. MySQL<br /> 2. Postgres<br /> 3. Oracle</b><br /> <br /> The tool supports two attack modes (<code>-type</code> switch):<br /> <br /> Type 0: blind SQL injection based on true and false conditions returned by the back-end server<br /> <br /> Type 1: blind SQL injection based on true and error (e.g. syntax error) conditions returned by the back-end server.<br /> <br /> Usage example:<br /> <code>$./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql &quot;select top 1 name from sysobjects where xtype='U'&quot;</code></p> hoppy | Content Fri, 09 Oct 2009 13:33:35 GMT http://labs.portcullis.co.uk/application/hoppy/ <p>hoppy is a <u><strong>h</strong></u>ttp <u><strong>o</strong></u>ptions <u><strong>p</strong></u>rober written in <u><strong>py</strong></u>thon. It checks the availability of HTTP methods and probes them to see if they can be forced to disclose system information.</p> <h2>features</h2> <ul> <li>HTTP method detection (TRACK, TRACE, PUT etc.)</li> <li>Internal IP address disclosure detection</li> <li>Internal path disclosure detection</li> <li>Transparent operation, so you can see exactly what it did</li> <li>Data extraction</li> <li>Spider to find directories for WebDAV detection</li> <li>MS09-020 IIS authentication bypass check on all discovered directories</li> </ul> <h2>download</h2> <p><a href="/download/hoppy-1.7.3.tar.bz2">download hoppy</a></p> onesixtyone | Content Mon, 31 Mar 2008 13:09:44 GMT http://labs.portcullis.co.uk/application/onesixtyone/ <p>This is an updated version of <a href="http://www.phreedom.org/solar/onesixtyone/">Solar Eclipse's SNMP brute-forcing tool</a>. Onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies. 
This version fixes a number of bugs in other publicly available versions of the software, such as allowing for very large dictionary files and reading target IP addresses from a file.</p> <p>Features:</p> <ul> <li>Very fast scanning speed (over 50,000 guesses per second)</li> <li>Scan a single host or thousands of hosts at the same time</li> <li>Tunable scan speed to support both LAN and WAN testing</li> </ul> <p>Bug fixes:</p> <ul> <li>Very large dictionary files supported</li> <li>Enhanced error messages</li> <li><code>-w</code> option works correctly to slow down / speed up scans</li> </ul> <p>Check out the <a href="../../../content/onesixtyone/usage/">usage</a> page for a full list of options. There are some <a href="../../../content/onesixtyone/examples/">examples</a> to get you started.</p> XSS Tunnel | Content Wed, 02 Apr 2008 15:12:53 GMT http://labs.portcullis.co.uk/application/xss-tunnelling/xss-tunnel/ <h2>What Is XSS Tunnelling?</h2> <p><a href="/application/xss-tunnelling/">XSS Tunnelling</a> is the tunnelling of HTTP traffic through an XSS Channel, so that virtually any application that supports HTTP proxies can be used over it.</p> <h2>What Is XSS Tunnel?</h2> <p>XSS Tunnel is a standard HTTP proxy which sits on an attacker&rsquo;s system. Any tool configured to use it will tunnel its traffic through the active XSS Channel on the <a href="/application/xssshell/">XSS Shell</a> server. XSS Tunnel converts the requests and responses transparently, validating the HTTP responses and XSS Shell requests.</p> <p>Refer to the <a href="/application/xss-tunnelling/">XSS Tunnelling paper</a> for details.</p> <h2>Demonstration Video</h2> <p><a href="/download/xsstunnelling-video.zip">Download the XSS Tunnelling demonstration video</a>. 
The video shows how XSS Tunnel is used to bypass NTLM by exploiting an example permanent XSS.</p> <h2>Download</h2> <p>The <a href="/download/xssshell-xsstunnell.zip">download package</a> includes the following files:</p> <ul> <li>Binary release of XSS Tunnel v1.0.8</li> <li>.NET solution + source code for XSS Tunnel v1.0.8</li> <li>XSS Tunnelling white paper</li> <li>XSS Shell v0.6.2 release (ASP files, database and documentation)</li> </ul> XSS Shell | Content Mon, 10 Nov 2008 14:11:20 GMT http://labs.portcullis.co.uk/application/xssshell/ <p>XSS Shell is a powerful XSS backdoor and zombie manager. The concept was first presented by &quot;XSS-Proxy - http://xss-proxy.sourceforge.net/&quot;. Normally in XSS attacks the attacker has one shot; with XSS Shell you can interactively send requests to and get responses from the victim, and you can backdoor the page.</p> <p>You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability, etc. The attack possibilities are limited only by your ideas. Basically this tool demonstrates that you can do more with XSS.</p> <h2>Download</h2> <p>This package includes the latest version of XSS Shell and <a href="/application/xss-tunnelling/xss-tunnel/">XSS Tunnel</a>. XSS Shell can be used without XSS Tunnel; however, you'll get more out of it with <a href="/application/xss-tunnelling/xss-tunnel/">XSS Tunnel</a>.</p> <p><a href="/download/xssshell-xsstunnell.zip">Download XSS Shell and XSS Tunnel</a></p> <h2>Features</h2> <p>XSS Shell has several features to gain full control over the victim. You can also simply add your own commands.</p> <p>Most of the features can be enabled or disabled from the configuration, or tweaked in the source code.</p> <ul> <li>Regenerating Pages <ul> <li>This is one of the key and advanced features of XSS Shell. XSS Shell re-renders the infected page and keeps the user in a virtual environment. 
Thus even if the user clicks any link in the infected page, he or she will still be under control (within cross-domain restrictions). In normal XSS attacks, once the user leaves the page you can't do anything.</li> <li>Secondly, this feature keeps the session open, so even if the victim follows an outside link from the infected page the session will not time out and you will still be in charge.</li> </ul> </li> <li>Keylogger</li> <li>Mouse Logger (click points + current DOM)</li> <li>Built-in Commands: <ul> <li>Get Keylogger Data</li> <li>Get Current Page (current rendered DOM, like a screenshot)</li> <li>Get Cookie</li> <li>Execute supplied JavaScript (eval)</li> <li>Get Clipboard (IE only)</li> <li>Get internal IP address (Firefox + JVM only)</li> <li>Check victim's visited URL history</li> </ul> </li> </ul> <h2>Installation</h2> <p>XSS Shell uses ASP + an MS Access database as its backend, but you can simply port it to any other server-side solution. You just need to stick to the simple communication protocol.</p> <h3>Install Admin Interface</h3> <ol> <li>Copy the &quot;xssshell&quot; folder onto your web server</li> <li>Copy &quot;db&quot; to a secure place (below root)</li> <li>Configure the &quot;database path&quot; in &quot;xssshell/db.asp&quot;</li> <li>Modify the hard-coded password in db.asp [the default password is: w00t]</li> <li>Now you can access the admin interface from something like http://[YOURHOST]/xssshell/</li> </ol> <h3>Configure XSS Shell for communication</h3> <ol> <li>Open xssshell.asp</li> <li>Set the &quot;SERVER&quot; variable to where your XSSShell folder is located, e.g. &quot;http://[YOURHOST]/xssshell/&quot;</li> <li>Be sure to check the &quot;ME&quot;, &quot;CONNECTOR&quot; and &quot;COMMANDS_URL&quot; variables. 
If you changed filenames, folder names or any other part of the configuration, you need to modify them accordingly.</li> </ol> <p>Now open your admin interface in your browser.</p> <p>To test it, just modify the &quot;sample_victim/default.asp&quot; source code and replace the &quot;http://attacker:81/release/xssshell.js&quot; URL with your own XSS Shell URL. Open the &quot;sample_victim&quot; folder in some other browser, or perhaps upload it to some other server.</p> <p>Now you should see a zombie in the admin interface. Just write something into the &quot;parameters&quot; textarea and click &quot;alert()&quot;. You should see an alert message in the victim's browser.</p> <h2>Security Notes</h2> <ul> <li>As a hunter, be careful about possible &quot;backfire&quot; in getSelfHTML(). Someone can hack you back or track you with another XSS or XSS Shell attack.</li> <li>Check out &quot;showdata.asp&quot; and implement your own &quot;filter()&quot; function to make it safer for you.</li> <li>Put &quot;On error resume next&quot; in db.asp; better still, configure your web server not to show any errors.</li> </ul> <h2>How to Extend</h2> <p>First, implement the new feature in xssshell.asp:</p> <ol> <li>Add a new enum for your control <ul> <li>Set a name and a unique number, like &quot;CMD_GETCOOKIE&quot;: <code>var CMD_SAMPLE = 78;</code></li> <li>Set the data type for your response (generally TEXT): <code>dataTypes[CMD_SAMPLE] = TEXT;</code></li> </ul> </li> <li>Write your function and add it to the page <ul> <li><code>function cmdSample(){return &quot;yeah working !&quot;}</code></li> </ul> </li> <li>Call it <ul> <li>Go inside &quot;function processGivenCommand(cmd)&quot;</li> <li>Add a new case like &quot;case CMD_SAMPLE:&quot;</li> </ul> </li> <li>Report it back <ul> <li>Inside the case, call log: <code>log(cmdSample(), dataTypes[cmd.cmd], cmd.attackID, &quot;waitAndRun()&quot;);</code></li> </ul> </li> </ol> <p>Secondly, implement it in the admin interface:</p> <ul> <li>In db.asp just add a new element to the &quot;Commands&quot; array (command name, 
command unique number, description).<br /> <br /> e.g. <code>&quot;cmdSample()&quot;,78,&quot;Command sample ! Just returns a message&quot;</code></li> </ul> <p>There are parameters and lots of helpers in the code. Check out the other commands for reference.</p> <p>Enable the debug feature to debug your new commands easily.</p> <h2>External Libraries</h2> <ul> <li>moo.ajax - moofx.mad4milk.net</li> <li>script.aculo.us - (http://script.aculo.us, http://mir.aculo.us)</li> </ul> sucrack | Content Mon, 31 Mar 2008 16:21:52 GMT http://labs.portcullis.co.uk/application/sucrack/ <p>sucrack is a multithreaded Linux/UNIX tool for brute-force cracking local user accounts via su.</p> <p>This tool comes in handy when you've gained access to a low-privilege user account but are allowed <i>to su</i> to other users. Many su implementations require a pseudo-terminal to be attached in order to take the password from the user. This can't be easily achieved with a simple shell script. This tool, written in C, is highly efficient and can attempt multiple logins at the same time.</p> <p>Please be advised that using this tool will consume a lot of CPU time and fill up the logs quite quickly. sucrack is so far known to run on FreeBSD, NetBSD and Linux.</p> <p>Check out the <a href="/content/sucrack/usage/">Usage</a> and <a href="/content/sucrack/examples/">Examples</a> pages for more information.</p> ManySSL | Content Tue, 09 Dec 2008 15:40:49 GMT http://labs.portcullis.co.uk/application/ManySSL/ <p>This Perl script will enumerate the SSL ciphers in use on any SSL-encrypted service. 
It is not restricted to HTTPS and can be used on SMTP servers that support STARTTLS.</p> <p><b>Features include</b></p> <ul> <li>Warns the operator if a self-signed certificate is detected.</li> <li>Warns the operator if an expired certificate is detected.</li> <li>Full cipher, key-exchange and authentication key strength output.</li> <li>Use of a client-specified SSL certificate.</li> </ul> rmiInfo | Content Mon, 31 Mar 2008 14:49:45 GMT http://labs.portcullis.co.uk/application/rmiInfo/ <p>rmiInfo is a tool to help extract information from Java Remote Method Invocation (RMI) services, which can then be used to find possible security vulnerabilities. Its main aim is to identify the location of the RMI stub. If one is able to find the stub, this is the first step towards constructing Java code to talk directly to the RMI service.</p> <p>rmiInfo is able to extract information not only from RMI registries but also from RMI services.</p> <p>From a registry it is able to extract the following information:</p> <ul> <li>Name of attached services.</li> <li>Location of the service (IP address and port number).</li> <li>Name of the stub interface.</li> </ul> <p>From an RMI service it is able to extract the following information:</p> <ul> <li>Location of remotely deployed code.</li> </ul> <p>Thus, if you combine the information from the service and the registry, you are able to determine the location and name of remotely deployed stubs.</p> <p>Other features of rmiInfo:</p> <ul> <li>If it finds an RMI registry, it will recursively scan all the services identified.</li> <li>Platform independent (Java based).</li> </ul> http-dir-enum | Content Fri, 28 Mar 2008 16:49:57 GMT http://labs.portcullis.co.uk/application/http-dir-enum/ <p>http-dir-enum is a tool for finding content that is not linked on a website. Its main use is for finding directories that exist on a server. 
Simply provide a dictionary file and a URL.</p> <p>This tool is written in Perl and uses the LWP library.</p> <p>Features include:</p> <ul> <li>Automatic detection of which HTTP response code to ignore (normally 404, but this can vary on some sites)</li> <li>Support for brute-forcing files and directories</li> <li>Can search for directories recursively</li> <li>Proxy support</li> <li>Support for HTTP Basic Authentication</li> <li>Support for sending custom cookies</li> <li>Save scan output in XML format</li> <li>Command line (lack of GUI is a feature, not a bug)</li> <li>Multi-threading for extra speed</li> <li>HTTP keep-alive support for extra speed (can be turned off)</li> </ul> <p>Check out the <a href="/content/http-dir-enum/usage/">usage</a> page for a full list of options. There are also lots of <a href="/content/http-dir-enum/examples/">examples</a> to get you started.</p> enum4linux | Content Tue, 16 Sep 2008 11:29:28 GMT http://labs.portcullis.co.uk/application/enum4linux/ <p>Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe, formerly available from www.bindview.com.</p> <p>It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup. The samba package is therefore a dependency.</p> <p>Features include:</p> <ul> <li>RID cycling (when RestrictAnonymous is set to 1 on Windows 2000)</li> <li>User listing (when RestrictAnonymous is set to 0 on Windows 2000)</li> <li>Listing of group membership information</li> <li>Share enumeration</li> <li>Detecting if the host is in a workgroup or a domain</li> <li>Identifying the remote operating system</li> <li>Password policy retrieval (using <a href="/application/polenum/">polenum</a>)</li> </ul> <p>Check out the <a href="/content/enum4linux/usage/">usage</a> page for a full list of options. 
There are also lots of <a href="/content/enum4linux/examples/">examples</a> to get you started.</p> phrasen|drescher | Content Fri, 27 Jun 2008 11:28:34 GMT http://labs.portcullis.co.uk/application/phrasen-drescher/ <p>phrasen|drescher is a modular, multi-processing pass phrase cracking tool. In version 1.1 it comes with two plugins, with the following purposes:</p> <ul> <li>crack pass phrases of RSA or DSA keys</li> <li>crack MS SQL 2000/2005 SHA1 hashes</li> <li>brute-force remote SSHv2 accounts</li> <li>crack HTTP login form accounts</li> </ul> <p>A simple plugin API allows easy development of new plugins.</p> <p>Further features are:</p> <ul> <li>Modular</li> <li>Multi-processing</li> <li>Dictionary attacks with or without permutations (uppercase, lowercase, l33t, etc.)</li> <li>Brute-force attacks with custom character sets</li> <li>Runs on FreeBSD, NetBSD, OpenBSD, MacOS and Linux</li> </ul> <p>Check out the <a href="/content/phrasen-drescher/usage/">Usage</a> and <a href="/content/phrasen-drescher/examples/">Examples</a> pages for more information.</p>