Portcullis Labs » FC
https://labs.portcullis.co.uk
Research and Development

RPDscan
https://labs.portcullis.co.uk/tools/rpdscan/
Thu, 06 Nov 2014 19:46:13 +0000

RPDscan (Remmina Password Decrypt Scanner) is a tool to find and decrypt saved passwords in Remmina RDP configurations.

Key features

  • Finds every Remmina configuration file and preferences
  • Decrypts every saved password for every user it finds
  • Python based for easy access and speed

Overview

Remmina is widely used Linux RDP connection software. Many Linux users rely on Remmina to connect to multiple machines and often save the password for each connection; Remmina stores that password in encrypted form, using a private key hidden in a separate preference file for each user on the Linux machine. RPDscan actively finds these preference files and extracts the private key, then uses this key to decrypt all of the saved passwords and displays to the user the username, the password and the computer details.
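The overview above describes two steps: locating the per-user preference and connection files, and decrypting the saved passwords. The following added example (not RPDscan's own code) covers the first step from an audit angle: it walks a directory tree, finds every `remmina.pref` and `.remmina` connection file, parses the connection files with the standard-library INI parser, and reports which connections carry a saved (still encrypted) password so an administrator can see where credentials are stored on disk. The directory layout and file contents are constructed for the example; the `secret` and `password` values are not real ciphertext, and no decryption is attempted.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Constructed sample files standing in for a user's ~/.remmina directory.
# The layout mirrors Remmina's INI-style files; values are made up.
SAMPLE_PREF = """[remmina_pref]
secret=c2FtcGxlLXNlY3JldC1ub3QtYS1yZWFsLWtleQ==
"""

SAMPLE_CONNECTIONS = {
    "1366367609312.remmina": """[remmina]
name=fileserver
protocol=RDP
server=172.16.0.266
username=fc
domain=
password=ZXhhbXBsZS1jaXBoZXJ0ZXh0
""",
    "1366641829516.remmina": """[remmina]
name=dc
protocol=RDP
server=10.256.0.1
username=ExampleDomain\\Administrator
domain=
password=
""",
}


def parse_connection(path):
    """Read one .remmina file; return its connection details or None if malformed."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path, encoding="utf-8")
    if not cfg.has_section("remmina"):
        return None
    sec = cfg["remmina"]
    return {
        "file": str(path),
        "name": sec.get("name", ""),
        "protocol": sec.get("protocol", ""),
        "server": sec.get("server", ""),
        "username": sec.get("username", ""),
        "domain": sec.get("domain", ""),
        # A non-empty password field means an encrypted credential is stored on disk.
        "password_saved": bool(sec.get("password", "").strip()),
    }


def scan(root):
    """Walk root and return (pref_files, connections) for every Remmina file found."""
    prefs, conns = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if fn == "remmina.pref":
                prefs.append(str(p))
            elif fn.endswith(".remmina"):
                rec = parse_connection(p)
                if rec:
                    conns.append(rec)
    conns.sort(key=lambda r: r["file"])
    return prefs, conns


def build_sample_home():
    """Create a throwaway /home-like tree containing the constructed sample files."""
    root = tempfile.mkdtemp(prefix="rpd_sample_")
    d = Path(root) / "fc" / ".remmina"
    d.mkdir(parents=True)
    (d / "remmina.pref").write_text(SAMPLE_PREF)
    for fn, body in SAMPLE_CONNECTIONS.items():
        (d / fn).write_text(body)
    return root


def report(root):
    """Print an inventory of preference files and saved-credential connections."""
    prefs, conns = scan(root)
    for p in prefs:
        print("found pref file", p)
    for c in conns:
        flag = "SAVED PASSWORD" if c["password_saved"] else "no saved password"
        print(f"{c['file']}: {c['username']}@{c['server']} ({c['protocol']}) - {flag}")
    return prefs, conns


if __name__ == "__main__":
    report(build_sample_home())
```

To audit a real machine, call `report("/home")` instead of the constructed tree; the tool described here does the same search and then goes on to decrypt, which this example deliberately leaves out.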

Requirements

  • Python
  • Linux target

Installation

Download the script onto your target machine and run, there is no installation required for this tool.

Usage

# python RPDscan.py

RPDscan is initially set to search only the /home directory as 99% of all files will be in that location, however the python file can easily be edited to include the entire / tree.

Examples

# python RPDscan.py
found this pref file /home/fc/.remmina/remmina.pref========
Found a conf file: /home/fc/.remmina/1366367609312.remmina
Saved password:
^**D!sEx@mpl3ssh_username=ssh_server=

username=fc

domain=

server=172.16.0.266

========
Found a conf file: /home/fc/.remmina/1366641829516.remmina

server=10.256.0.1

Saved password:
@n0ther3Xamp!e

ssh_username=

ssh_server=

username=ExampleDomain\\Administrator

domain=

Here you can see that RPDscan has found two saved password files and extracted all the data you need to connect.

Download: RPDscan.py.tgz (April 16, 2014, 1.1 KiB, MD5 hash: 935738ab08748ff5ef09c2346ffc4755)

University outreach
https://labs.portcullis.co.uk/blog/university-outreach/
Fri, 30 May 2014 08:25:21 +0000

As part of Portcullis’s ongoing commitment to filling the ever expanding lack of computing skills within the workplace, we have in the last year and a half been working together with Universities from across the country to provide a bridge between younger generations who may not be aware of even the existence of Penetration Testing or would like to see what happens in the average week of a pentester.

Each lecture is generally an hour long and consists of topics that introduce Portcullis and the world of ethical hacking/pentesting. This is typically followed by a presentation on the various fields and roles a penetration tester is expected to cover, such as Web Application Assessments, Network Assessments and specialist fields such as Social Engineering. During the lecture students and teachers alike are invited to interject with questions. At the end of the lecture there is generally another half hour or more of Q&A with both students and teachers; in almost all cases the enthusiasm of the crowd to learn and participate means the Q&A session continues well after the lecture hall has been vacated.

If the university is keen, the tester will often allow a small number of students, either self-volunteered or suggested by a teacher, to attend an hour or so of live demonstration on how keen students can set up their own testing lab at home and where to begin their journey to becoming a fully fledged Penetration Tester. Exceptional students are normally easy to pick out of even a crowd of 200; students who show promise are invited to prove themselves within their field and potentially join Portcullis under one of the very limited and much sought after Graduate Programme positions offered by Portcullis each year.

We have found that this approach educates the students (and sometimes teachers) on the possibilities of their skills: most students on computer science courses know only that they could go into development or system administration, and almost 90% of students are not aware that this wonderful world of hacking can be not only legal but a productive and exciting job. We have also found that when Portcullis and the University work in partnership it is possible to integrate security based modules more easily into the course syllabus, as students become more acutely aware of the relevance of these units from both a defence and an attack perspective, even if they have no goal of becoming a Penetration Tester.

One particular university lecturer even produced a blog post about a recent visit to the University of Central Lancashire.

If your university is keen to have Portcullis send one of our senior Penetration Testers to give a lecture and demo, please feel free to contact us and we will do our best to accommodate you.

AMES (Another Metasploit Exploit Suggester)
https://labs.portcullis.co.uk/tools/ames-another-metasploit-exploit-suggester/
Thu, 03 Apr 2014 05:30:54 +0000

AMES is a tool to parse the new Nessus output files and autogenerate an easy to copy and paste command line exploit using Metasploit CLI.

Key features

  • Handles the new .nessus xml based file output
  • Keeps up to date with new Metasploit exploits as you update MSF database
  • Python based for easy access and speed

Overview

The AMES tool parses the new style .nessus XML file output from the Nessus scanning software and then locates any Metasploit exploit that matches the CVEs reported. The tool then builds a selection of command lines that the user can easily copy and paste. Since Metasploit removed the autopwn feature, this is about as close to point-and-click exploitation as can be had.
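The two stages described above, reading the `.nessus` report and cross-referencing its CVEs against Metasploit module metadata, can be shown with a small parser. The example below is added here and is not AMES's own code: it parses a constructed `.nessus` v2 document with `xml.etree`, keeps every `ReportItem` that carries at least one `<cve>`, and matches those CVEs against a module index. The index is a hand-built dictionary standing in for whatever AMES reads from the Metasploit tree (the `exploit/example/...` entry, the plugin IDs and the `CVE-2099-*` identifiers are constructed; CVE-2008-4250 and the `ms08_067_netapi` module name are real). Command-line generation is left out; the output is the list of candidate modules per finding, ordered by Nessus severity.

```python
import xml.etree.ElementTree as ET

# Constructed .nessus v2 report: two hosts, three findings, two with CVEs.
# Plugin IDs and the CVE-2099-* identifiers are placeholders.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="00001" pluginName="MS08-067: Server Service RCE (constructed entry)">
        <cve>CVE-2008-4250</cve>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="00002" pluginName="SSH Server Type and Version Information">
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
                  pluginID="00003" pluginName="Example web service flaw (constructed)">
        <cve>CVE-2099-0002</cve>
        <cve>CVE-2099-0001</cve>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Constructed stand-in for the module -> CVE metadata AMES pulls from Metasploit.
MODULE_INDEX = {
    "exploit/windows/smb/ms08_067_netapi": ["CVE-2008-4250"],
    "exploit/example/constructed_web_module": ["CVE-2099-0001"],
}


def parse_nessus(xml_text):
    """Return one finding per ReportItem that references at least one CVE."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            cves = sorted(c.text.strip() for c in item.findall("cve") if c.text)
            if not cves:
                continue  # informational plugins have nothing to match on
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "plugin": item.get("pluginName", ""),
                "severity": int(item.get("severity", "0")),
                "cves": cves,
            })
    return findings


def suggest_modules(findings, index=MODULE_INDEX):
    """Attach the modules whose CVE list intersects each finding; worst severity first."""
    by_cve = {}
    for module, cves in index.items():
        for cve in cves:
            by_cve.setdefault(cve, []).append(module)
    out = []
    for f in findings:
        mods = sorted({m for cve in f["cves"] for m in by_cve.get(cve, [])})
        out.append({**f, "modules": mods})
    return sorted(out, key=lambda f: -f["severity"])


if __name__ == "__main__":
    for s in suggest_modules(parse_nessus(SAMPLE_NESSUS)):
        print(f"{s['host']}:{s['port']}/{s['protocol']} sev={s['severity']} "
              f"{', '.join(s['cves'])} -> {s['modules'] or 'no module match'}")
```

In practice the index would be built from the module metadata in your Metasploit checkout (the "Trunk" path the tool asks for), so it tracks whatever modules are present after `msfupdate`.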

Requirements

  • Python
  • Metasploit Framework

In addition to these you will need to edit the ames.py file and update the location of your Metasploit Trunk and save it.

Optional requirements

  • Nessus

Nessus is only required if you wish to perform your own scans and generate reports; it is not a requirement for running the tool against reports generated elsewhere.

Installation

Download the script and run, there is no installation required for this tool.

Usage

On your first run you will see the following error:

[Image: First Run Error]

This is just a reminder that you need to edit the ames.py file and replace the “Trunk = ” line with the location for your Metasploit trunk location.

[Image: Trunk Update]

Once your Trunk location has been set in ames.py you can then use the tool as below.

$ python ames.py [nessus report file]

Copy and paste the relevant exploit you wish to attempt.

Examples

[Image: Example]

Here you can see that AMES has discovered some exploits and sorted them; just copy and paste the msfcli command line.

[Image: System Example]

Here we see one of the command lines copied and pasted, successfully exploiting a system discovered by Nessus.

Download: ames.py.tgz (February 21, 2014, 2.1 KiB, MD5 hash: f2efb955fa5b083bc9065a486f049488)

Raspberry ph0wn
https://labs.portcullis.co.uk/blog/raspberry-ph0wn/
Tue, 11 Mar 2014 06:28:45 +0000

Recently the technical team had a discussion about subversive attack vectors that could be utilised by social engineering attacks to provide a long term remote connection to a network whilst remaining undetected.

After a spark of inspiration and half an evening later the following device was made as a proof of concept.

We took an ordinary desk VoIP phone and opened it up (voiding warranties is so heart warming).

[Image: Plain desk phone]

As you can see there is a lot of spare room inside a modern phone, hiding a device in one of these is going to be easy.

[Image: Open phone]

In order for this device to work undetected we needed a way to connect it to the target’s network and also a way to power it; thankfully both solutions are already present. Power was provided by cutting the end off a micro USB cable and soldering it directly to the power board of the phone, which coincidentally runs at 5 volts, exactly what the Raspberry Pi needs.

Ideally we would have taken the time to cross solder the RJ45 connector, however as this was a proof of concept, an additional RJ45 socket was soldered into place.

[Image: Added RJ45]

[Image: RJ45 port in place]

[Image: Power attached]

Powered up, the device now acts as a VoIP phone and also powers the Raspberry Pi. The proof of concept uses two network cables, but in the real world the Pi would be attached through the same single network point as the phone.

[Image: Powered Ph0wn]

Finally we moved the speaker and attached a USB webcam to provide simple voice/video as well as a wireless adapter.

[Image: USB webcam]

Put back together it is impossible to see that inside is a perfect remotely accessible device plugged directly onto the target’s network.

[Image: Completed Ph0wn POC]
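The post notes that, outside the proof of concept, the Pi would share the phone's single network point. That is also where a defender gets a look at it: a switch port that should carry one desk phone starts learning a second MAC address, and its OUI belongs to a single-board-computer vendor rather than a phone or PC. The following added example (not part of the original post) parses a constructed Cisco-style `show mac address-table` listing, groups learned addresses by port, and flags ports that either hold more devices than their role allows or carry a watch-listed vendor. The port-role table and vendor lookup are hand-built placeholders for a real port inventory and the IEEE OUI registry; `00:04:f2` (Polycom) and `b8:27:eb` (Raspberry Pi Foundation) are real prefixes, the remaining octets and port numbers are made up.

```python
import re
from collections import defaultdict

# Constructed excerpt of a Cisco-style MAC address table. Gi1/0/5 is a phone
# port that has learned a Raspberry Pi Foundation address alongside the phone.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0004.f2aa.bbcc    DYNAMIC     Gi1/0/5
  10    b827.eb11.2233    DYNAMIC     Gi1/0/5
  10    0004.f2dd.eeff    DYNAMIC     Gi1/0/6
  10    0004.f201.0203    DYNAMIC     Gi1/0/7
  10    3c52.8200.aa01    DYNAMIC     Gi1/0/7
"""

# Constructed vendor lookup; a real deployment would load the IEEE OUI registry.
OUI_VENDORS = {
    "00:04:f2": "Polycom",
    "b8:27:eb": "Raspberry Pi Foundation",
    "3c:52:82": "Constructed Laptop Vendor",
}

# Constructed port roles: phone-only ports expect exactly one device; any other
# port may carry a phone plus one PC daisy-chained through it.
PHONE_ONLY_PORTS = {"Gi1/0/5", "Gi1/0/6"}

# Vendors that should never appear behind a desk-phone port.
WATCHLIST_VENDORS = {"Raspberry Pi Foundation"}

CISCO_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)


def normalise_mac(cisco_mac):
    """'0004.f2aa.bbcc' -> '00:04:f2:aa:bb:cc'."""
    hexstr = cisco_mac.replace(".", "").lower()
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return (vlan, mac, port) for every learned-address row; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = CISCO_ROW.match(line)
        if m:
            entries.append((int(m.group(1)), normalise_mac(m.group(2)), m.group(3)))
    return entries


def vendor_of(mac, oui_map=OUI_VENDORS):
    """Look up the first three octets of a colon-separated MAC."""
    return oui_map.get(mac[:8], "unknown")


def flag_ports(entries, phone_only=PHONE_ONLY_PORTS, watchlist=WATCHLIST_VENDORS):
    """Group addresses by port; return {port: [reasons]} for ports that look wrong."""
    by_port = defaultdict(list)
    for _vlan, mac, port in entries:
        by_port[port].append(mac)
    flagged = {}
    for port, macs in sorted(by_port.items()):
        reasons = []
        for mac in macs:
            vendor = vendor_of(mac)
            if vendor in watchlist:
                reasons.append(f"{mac} belongs to watch-listed vendor {vendor}")
        limit = 1 if port in phone_only else 2
        if len(macs) > limit:
            reasons.append(f"{len(macs)} addresses learned on a port allowing {limit}")
        if reasons:
            flagged[port] = reasons
    return flagged


if __name__ == "__main__":
    for port, reasons in flag_ports(parse_mac_table(SAMPLE_MAC_TABLE)).items():
        print(port)
        for r in reasons:
            print("  -", r)
```

Gi1/0/7 carries two addresses but is not flagged, because a phone with a PC behind it is the expected shape there; the role table is what turns a raw count into a finding.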

HeaderCheck
https://labs.portcullis.co.uk/tools/headercheck/
Fri, 26 Apr 2013 18:40:09 +0000

HeaderCheck is a python script used to check the security settings of various headers returned by web servers.

The following headers are checked:

  • X-XSS-Protection
  • X-Content-Type-Options
  • X-Frame-Options
  • Cache-Control
  • Content-Security-Policy
  • WebKit-X-CSP
  • X-Content-Security-Policy
  • Strict-Transport-Security
  • Access-Control-Allow-Origin
  • Origin

Each header is assessed based on good practice settings as well as displayed for manual checking.
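The assessment the tool performs is a set of per-header rules. The example below is added here and is not HeaderCheck's own code: `assess_headers` takes a response-header dictionary and grades each header in the list above as `ok`, `weak` or `missing` against common good-practice values (`DENY`/`SAMEORIGIN`, `nosniff`, `1; mode=block`, an HSTS `max-age` of at least one year, a CSP without `'unsafe-inline'`/`'unsafe-eval'`, `no-store`, and no wildcard `Access-Control-Allow-Origin`). The one-year HSTS threshold and the treatment of a missing `Access-Control-Allow-Origin` as acceptable are assumptions for this example, not the tool's settings, and `Origin` is a request header so it is not graded. `fetch_headers` mirrors the tool's host-plus-path arguments using the standard library; the two header sets are constructed.

```python
import http.client
import re


def _hsts_max_age(value):
    """Extract the max-age directive from a Strict-Transport-Security value."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return int(m.group(1)) if m else None


def assess_headers(headers, min_hsts_age=31536000):
    """Grade response headers as 'ok', 'weak' or 'missing' with a short note.
    min_hsts_age defaults to one year; that threshold is an assumption here."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    r = {}

    v = h.get("x-frame-options")
    if v is None:
        r["X-Frame-Options"] = ("missing", "page may be framed by other origins")
    elif v.upper() in ("DENY", "SAMEORIGIN"):
        r["X-Frame-Options"] = ("ok", v)
    else:
        r["X-Frame-Options"] = ("weak", "unexpected value " + v)

    v = h.get("x-content-type-options")
    if v is None:
        r["X-Content-Type-Options"] = ("missing", "browsers may MIME-sniff responses")
    else:
        r["X-Content-Type-Options"] = ("ok" if v.lower() == "nosniff" else "weak", v)

    v = h.get("x-xss-protection")
    if v is None:
        r["X-XSS-Protection"] = ("missing", "legacy XSS filter not requested")
    else:
        good = v.replace(" ", "").lower() == "1;mode=block"
        r["X-XSS-Protection"] = ("ok" if good else "weak", v)

    v = h.get("strict-transport-security")
    if v is None:
        r["Strict-Transport-Security"] = ("missing", "browser will not enforce HTTPS")
    else:
        age = _hsts_max_age(v)
        ok = age is not None and age >= min_hsts_age
        r["Strict-Transport-Security"] = ("ok" if ok else "weak", v)

    # The tool checks three spellings from the pre-standard CSP era; any one counts.
    csp = (h.get("content-security-policy") or h.get("x-content-security-policy")
           or h.get("webkit-x-csp"))
    if csp is None:
        r["Content-Security-Policy"] = ("missing", "no policy under any of the three names")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        r["Content-Security-Policy"] = ("weak", "policy permits inline or eval script")
    else:
        r["Content-Security-Policy"] = ("ok", csp)

    v = h.get("cache-control")
    if v is None:
        r["Cache-Control"] = ("missing", "responses may be cached by default")
    else:
        r["Cache-Control"] = ("ok" if "no-store" in v.lower() else "weak", v)

    v = h.get("access-control-allow-origin")
    if v is None:
        r["Access-Control-Allow-Origin"] = ("ok", "not set; no cross-origin reads allowed")
    else:
        r["Access-Control-Allow-Origin"] = ("weak" if v == "*" else "ok", v)
    return r


def failing(results):
    """Names of the headers that did not grade 'ok', sorted."""
    return sorted(name for name, (status, _note) in results.items() if status != "ok")


def fetch_headers(host, path="/"):
    """HEAD request over HTTPS, taking the same host and path the tool takes."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return dict(conn.getresponse().getheaders())


# Constructed header sets: a typical weak response and a hardened one.
WEAK_HEADERS = {
    "Server": "Apache",
    "Cache-Control": "public, max-age=3600",
    "Access-Control-Allow-Origin": "*",
    "X-XSS-Protection": "0",
}
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Cache-Control": "no-store",
    "Access-Control-Allow-Origin": "https://app.example",
}

if __name__ == "__main__":
    for name, (status, note) in assess_headers(WEAK_HEADERS).items():
        print(f"{status:8} {name}: {note}")
```

Replacing `WEAK_HEADERS` with `fetch_headers("www.example.com", "/news")` reproduces the tool's workflow against a live site; the grading rules are where a team's own policy (for example a shorter HSTS floor during rollout) should be encoded.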

Installation

HeaderCheck is a stand alone python script, as such just decompress the download and move the script to the desired location.

Usage

HeaderCheck can be run in the following form.

$ python HeaderCheck.py [targeturl] [subdirectory]

For example:

$ python HeaderCheck.py www.google.com /
$ python HeaderCheck.py www.bbc.co.uk /news

Please note the space between the domain and the sub directory.

Download: header_check.v1.tgz (April 26, 2013, 808.0 B, MD5 hash: b2092341009bff9c47c705004c2311c1)
