Portcullis Labs - windows

polenum | Content

Thu, 30 Oct 2008 11:54:12 GMT

polenum is a python script which uses the Impacket Library from CORE Security Technologies to extract the password policy information from a windows machine. This allows a non-windows (Linux, Mac OSX, BSD etc..) user to query the password policy of a remote windows box without the need to have access to a windows machine.

features

can extract password and associated information from a windows machine
will connect over a NULL or authenticated share
supports encrypted/signed sessions

limitations

no NTLMv2 support
has a problem with domain connected workstations

download

download polenum

BSQL Hacker | Content

Wed, 29 Oct 2008 15:28:02 GMT

BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.

BSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).

It allows metasploit alike exploit repository to share and update exploits.

Source Code Repository

Public SVN Server (including nightly builds development environment)

Download Installer

BSQLHackerSetup-0909.exe

Key Features

Easy Mode
- SQL Injection Wizard
- Automated Attack Support (database dump)
  - ORACLE
  - MSSQL
  - MySQL (experimental)
General
- Fast and Multithreaded
- 4 Different SQL Injection Support
  - Blind SQL Injection
  - Time Based Blind SQL Injection
  - Deep Blind (based on advanced time delays) SQL Injection
  - Error Based SQL Injection
- Can automate most of the new SQL Injection methods those relies on Blind SQL Injection
- RegEx Signature support
- Console and GUI Support
- Load / Save Support
- Token / Nonce / ViewState etc. Support
- Session Sharing Support
- Advanced Configuration Support
- Automated Attack mode, Automatically extract all database schema and data mode

Update / Exploit Repository Features
- Metasploit alike but exploit repository support
- Allows to save and share SQL Injection exploits
- Supports auto-update
- Custom GUI support for exploits (cookie input, URL input etc.)

GUI Features
- Load and Save
- Template and Attack File Support (Users can save sessions and share them. Some sections like username, password or cookie in the templates can be show to the user in a GUI)
- Visually view true and false responses as well as full HTML response, including time and stats

Connection Related
- Proxy Support (Authenticated Proxy Support)
- NTLM, Basic Auth Support, use default credentials of current user/application
- SSL (also invalid certificates) Support
- Custom Header Support

Injection Points (only one of them or combination)
- Query String
- Post
- HTTP Headers
- Cookies

Other
- Post Injection data can be stored in a separated file
- XML Output (not stable)
- CSRF protection support

one time session tokens or asp.net viewstate ort similar can be used for separated login sessions, bypassing proxy pages etc.

It's still beta and there are known issues :

Automated Attack for MySQL is experimental, might not work properly

XSS Shell | Content

Mon, 10 Nov 2008 14:11:20 GMT

XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by "XSS-Proxy - http://xss-proxy.sourceforge.net/". Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim. you can backdoor the page.

You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.

Download

This package includes the latest version of XSS Shell and XSS Tunnel. XSS Shell can be used without XSS Tunnel, however you'll get more out of it with XSS Tunnel.

Download SS Shell and XSS Tunnel

Features

XSS Shell has several features to gain whole access over victim. Also you can simply add your own commands.

Most of the features can enable or disabled from configuration or can be tweaked from source code.

Regenerating Pages
- This is one of the key and advanced features of XSS Shell. XSS Shell re-renders the infected page and keep user in virtual environment. Thus even user click any links in the infected page he or she will be still under control! (within cross-domain restrictions) In normal XSS attacks when user leaves the page you can't do anything
- Secondly this feature keeps the session open so even victim follow an outside link from infected page session is not going to timeout and you will be still in charge.
Keylogger
Mouse Logger (click points + current DOM)
Built-in Commands;
- Get Keylogger Data
- Get Current Page (Current rendered DOM / like screenshot)
- Get Cookie
- Execute supplied javaScript (eval)
- Get Clipboard (IE only)
- Get internal IP address (Firefox + JVM only)
- Check victim's visited URL history

Installation

XSS Shell uses ASP + MS Access database as backend but you can simply port them into any other server-side solution. You just need to stick with simple communication protocol.

Install Admin Interface

Copy "xssshell" folder into your web server
Copy "db" to a secure place (below root)
Configure "database path" from "xssshell/db.asp"
Modify hard coded password in db.asp [default password is : w00t]
Now you can access admin interface from something like http://[YOURHOST]/xssshell/

Configure XSS Shell for communication;

Open xssshell.asp
2. Set "SERVER" variable to where your XSSShell folder is located. i.e: "http://[YOURHOST]/xssshell/";
3. Be sure to check "ME", "CONNECTOR", "COMMANDS_URL" variables. If you changed filenames, folder names or some kind of different configuration you need modify them.

Now open your admin interface from your browser,

To test it, just modify "sample_victim/default.asp" source code and replace "http://attacker:81/release/xssshell.js" URL with your own XSS Shell URL. Open "sample_victim" folder in some other browser and may be upload in to some other server.

Now you should see a zombie in admin interface. Just write something into "parameters" textarea and click "alert()". You should see an alert message in victim's browser.

Security Notes

As a hunter be careful about possible "Backfire" in getSelfHTML(). Someone can hack you back or track you by another XSS or XSS Shell attack.
Checkout "showdata.asp" and implement your own "filter()" function to make it safer for you.
Put "On error resume next" to db.asp, better modify your web server to not show any error.

How to Extend

First implement new feature to xssshell.asp

Add new enum for your control
- Set a name and unique number like "CMD_GETCOOKIE"
- var CMD_SAMPLE = 78;
- Set datatype for your response (generally TEXT),
- dataTypes[CMD_SAMPLE] = TEXT;
Write your function and add it to page
- function cmdSample(){return "yeah working !"}
Call it
- Go inside to "function processGivenCommand(cmd)"
- Add a new case like "case CMD_SAMPLE:"
Report it back
- Inside the case call log;
  "log(cmdSample(), dataTypes[cmd.cmd], cmd.attackID, "waitAndRun()");"

Secondly Implement it to admin interface;

In db.asp just add a new element to "Commands" array (command name, command unique number, description).

i.e. "cmdSample()",78,"Command sample ! Just returns a message"

There are parameters and lots of helper in the code. Check out other commands for reference.

Enable debug feature to debug your new commands easily.

External Libraries

moo.ajax -moofx.mad4milk.net
script.aculo.us - (http://script.aculo.us, http://mir.aculo.us)

enum4linux | Content

Tue, 16 Sep 2008 11:29:28 GMT

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in PERL and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup. The samba package is therefore a dependency.

Features include:

RID Cycling (When RestrictAnonymous is set to 1 on Windows 2000)
User Listing (When RestrictAnonymous is set to 0 on Windows 2000)
Listing of Group Membership Information
Share Enumeration
Detecting if host is in a Workgroup or a Domain
Identifying the remote Operating System
Password Policy Retrieval (using polenum)

Check out the usage page for a full list of options. There are also lots of examples to get you started.