Portcullis Labs (https://labs.portcullis.co.uk) - Research and Development

phrasen|drescher
https://labs.portcullis.co.uk/tools/phrasen-drescher/
Fri, 26 Apr 2013 18:31:47 +0000
A tool for bruteforce guessing pass phrases, password hashes or remote accounts of various services.

phrasen|drescher is a modular and multi processing pass phrase cracking tool.

Key Features

In version 1.1 it comes with two plugins, whose purposes are to:

  • crack pass phrases of RSA or DSA keys
  • crack MS SQL 2000/2005 SHA1 hashes
  • remote SSHv2 account brute forcing
  • HTTP login form account cracking

A simple plugin API makes it easy to develop new plugins.

Further features are:

  • Modular
  • Multi Processing
  • Dictionary attack with or without permutations (uppercase, lowercase, l33t, etc.)
  • Bruteforce attacks for custom character sets
  • Runs on FreeBSD, NetBSD, OpenBSD, MacOS and Linux

Usage

phrasen|drescher 1.1.1 - the passphrase cracker
Copyright (C) 2008 Nico Leidecker; http://www.leidecker.info

Usage: ./pd plugin [options]

 Available plugins:
   http-raw  mssql  rsa-dsa  ssh

 General Options:
   h           : print this message
   v           : verbose mode
   i from[:to] : incremental mode beginning with word length `from'
                 and going to `to'
   d file      : run dictionary based with words from `file'
   w number    : number of worker threads (default is one)
   r rules     : specify rewriting rules for the dictionary mode:
                   A = all characters upper case
                   F = first character upper case
                   L = last character upper case
                   W = first letter of each word to upper case
                   a = all characters lower case
                   f = first character lower case
                   l = last character lower case
                   w = first letter of each word to lower case
                   D = prepend digit
                   d = append digit
                   e = 1337 characters
                   x = all rules

 Environment Variables::
   PD_PLUGINS : the directory containing plugins
   PD_CHARMAP : the characters for the incremental mode are
                taken from a character list. A customized list
                can be specified in the environment variable

Examples

Plugin Handling

The default plugin directory is ./plugins. However, you can specify a custom path:

$ export PD_PLUGINS=/my/plugin/directory
$ pd
phrasen|drescher 1.1.1 - the passphrase cracker
Copyright (C) 2008 Nico Leidecker; nfl@portcullis-security.com

Usage: pd plugin [options]
Please choose a plugin first or use -h for more help
Available plugins:
 rsa-dsa  mssql  ssh  http-raw

Set the plugin directory in the environment variable
PD_PLUGINS if required.

Dictionary Mode

You can perform a simple dictionary attack on an RSA private key pass phrase using the corresponding module like this:

$ phrasendrescher rsa-dsa -d dict.txt -K ~/.ssh/id_rsa
phrasen|drescher 1.1.1 - the passphrase cracker
Copyright (C) 2008 Nico Leidecker; nfl@portcullis-security.com

match: (0) ~/.ssh/id_rsa [test123]
finished!
bye, bye...

Dictionary Mode With Permutations

If you want to permute your dictionary there are loads of options (see the Usage section), e.g.:

$ phrasendrescher rsa-dsa -r aF -d dict.txt -K ~/.ssh/id_rsa
phrasen|drescher 1.1.1 - the passphrase cracker
Copyright (C) 2008 Nico Leidecker; nfl@portcullis-security.com

match: (0) ~/.ssh/id_rsa [test123]
finished!
bye, bye...

Here the ‘a’ rule converts each word to lower case and the ‘F’ rule then upper-cases the first character of each word.

Brute Force Mode

You can specify a custom character set for a brute force attack. Here we choose a small character set so that the attack actually finishes:

$ PD_CHARMAP="tes1234" phrasendrescher rsa-dsa -i 1:7 -K ~/.ssh/id_rsa
phrasen|drescher 1.1.1 - the passphrase cracker
Copyright (C) 2008 Nico Leidecker; nfl@portcullis-security.com

match: (0) ~/.ssh/id_rsa [test123]
finished!
bye, bye...

Download: Phrasendrescher-1.1.1 Tar (305.1 KiB), MD5 hash: 633145dfef99002110ff13483555f812

sucrack
https://labs.portcullis.co.uk/tools/sucrack/
Fri, 26 Apr 2013 18:20:26 +0000
sucrack is a multithreaded Linux/UNIX tool for brute-force cracking local user accounts via su.

This tool comes in handy when you’ve gained access to a low-privilege user account but are allowed to su to other users. Many su implementations require a pseudo terminal to be attached in order to take the password from the user. This can’t be easily achieved with a simple shell script. This tool, written in C, is highly efficient and can attempt multiple logins at the same time.

Please be advised that using this tool will consume a lot of CPU and fill up the logs quickly. sucrack is so far known to run on FreeBSD, NetBSD and Linux.

Installation

First of all, you’ll want to upload the source to the target system and build it there (assuming you don’t have a pre-compiled copy that will work):

$ tar xfz sucrack-1.2.3.tar.gz
$ cd sucrack-1.2.3
$ ./configure
$ make
$ cd src

Obviously, you won’t have the luxury of running “make install” yet as you’re not root.

Usage

sucrack 1.2.3 (LINUX) - the su cracker
Copyright (C) 2006  Nico Leidecker; nfl@portcullis-security.com

 Usage: ./sucrack [-char] [-w num] [-b size] [-s sec] [-u user] [-l rules] wordlist

 The word list can either be an existing file or stdin. In that case, use '-' instead of a file name

 Options:
   h       : print this message
   a       : ansi escape codes not available.
             Use the --enable-statistics configure flag.
   s sec   : statistics display interval not available.
             Use the --enable-statistics configure flag.
   c       : only print statistics if a key other than `q' is pressed. (default)
   r       : enable rewriter
   w num   : number of worker threads running with
   b size  : size of word list buffer
   u user  : user account to su to
   l rules : specify rewriting rules; rules can be:
               A = all characters upper case
               F = first character upper case
               L = last character upper case
               a = all characters lower case
               f = first character lower case
               l = last character lower case
               D = prepend digit
               d = append digit
               e = 1337 characters
               x = all rules

 Environment Variables:
   SUCRACK_SU_PATH      : The path to su (usually /bin/su or /usr/bin/su)

   SUCRACK_AUTH_FAILURE : The message su returns on an authentication
                          failure (like "su: Authentication failure" or "su: Sorry")
   SUCRACK_AUTH_SUCCESS : The message that indicates an authentication
                          success. This message must not be a password
                          listed in the wordlist (default is "SUCRACK_SUCCESS")

 Example:
   export SUCRACK_AUTH_SUCCESS="sucrack_says_hello"
   ./sucrack -a -w 20 -s 10 -u root -rl AFLafld dict.txt

Examples

Running a dictionary attack on an account

On my dual-core test system, this 100-thread attack ran at around 50 guesses per second.

$ ./sucrack -w 100 -u root dict.txt
password is: test123

Bear in mind that if the target system has little memory or little CPU power, running 100 threads may DoS the system, so be careful.

Permuting the dictionary

Check out the Usage section for the list of options to alter the case, append digits, etc. to the dictionary. In the example below, we try each word in lower case and append a digit:

$ ./sucrack -w 100 -r -l ad -u smbguest dict.txt
password is: test123

Reading Passwords from STDIN

Besides getting passwords from a dictionary or from incremental mode, you can use the password generator of your choice and pipe its output into sucrack. John the Ripper’s password generator, for instance, can be used this way:

$ john --stdout --incremental | sucrack -
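The log noise that the text above warns about is also what a defender can key on. The following is an added example, not part of sucrack or the original post: it scans Linux pam_unix su lines from auth.log, flags (ruser, user) pairs with a burst of authentication failures inside a short window, and notes whether the same pair later opened a session; the log lines, timestamps and usernames are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes for the pam_unix lines that su writes to syslog/auth.log on Linux.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: pam_unix\(su:auth\): "
    r"authentication failure;.*?ruser=(?P<ruser>\S*).*? user=(?P<user>\S+)")
OK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: pam_unix\(su:session\): "
    r"session opened for user (?P<user>\S+) by (?P<ruser>[^(]+)\(uid=\d+\)")

def _ts(stamp, year=2013):
    # Syslog stamps carry no year; the year is an assumption for the sample.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_su_bruteforce(lines, threshold=10, window_s=60):
    """Flag (ruser, user) pairs with >= threshold su failures inside any window_s span.
    Each alert records whether that pair later opened a session (likely cracked)."""
    fails, opened = defaultdict(list), set()
    for line in lines:
        if m := FAIL_RE.match(line):
            fails[(m["ruser"], m["user"])].append(_ts(m["ts"]))
        elif m := OK_RE.match(line):
            opened.add((m["ruser"], m["user"]))
    alerts = []
    for (ruser, user), times in fails.items():
        times.sort()
        peak = j = 0
        for i, t in enumerate(times):  # sliding window over the sorted stamps
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            alerts.append({"ruser": ruser, "user": user, "failures": peak,
                           "session_opened": (ruser, user) in opened})
    return alerts

def sample_log():
    """Constructed sample: 12 failures bob->root in 12 s, then a success; 2 stray alice failures."""
    t0 = datetime(2013, 4, 26, 18, 20, 0)
    st = lambda s: (t0 + timedelta(seconds=s)).strftime("%b %d %H:%M:%S")
    fail = ("{} host su[{}]: pam_unix(su:auth): authentication failure; logname={u} "
            "uid=1000 euid=0 tty=pts/0 ruser={u} rhost=  user={t}")
    lines = [fail.format(st(i), 500 + i, u="bob", t="root") for i in range(12)]
    lines.append(f"{st(12)} host su[512]: pam_unix(su:session): session opened for user root by bob(uid=1000)")
    lines += [fail.format(st(i), 900, u="alice", t="smbguest") for i in (0, 3600)]
    return lines
```

Running detect_su_bruteforce(sample_log()) yields a single alert for bob attempting root with 12 failures and session_opened set, while alice's two failures an hour apart stay below the threshold.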

Download: sucrack-1.2.3.tar.gz (109.5 KiB, April 26, 2013), MD5 hash: 6ebfe5e94577a53ce8dcabadd3581ec3

Having Fun With PostgreSQL
https://labs.portcullis.co.uk/whitepapers/having-fun-with-postgresql/
Fri, 26 Apr 2013 17:54:28 +0000
PostgreSQL is one of the most commonly used open source database management systems.

This document describes weaknesses in the PostgreSQL configuration that may be abused for privilege escalation, as well as remote command execution and the uploading of arbitrary files to the system.

Download: Having Fun With PostgreSQL (133.5 KiB), MD5 hash: 3278ca0a980845fd57e4fee660f30ae1