Portcullis Labs » Tools https://labs.portcullis.co.uk Research and Development

RPDscan https://labs.portcullis.co.uk/tools/rpdscan/ Thu, 06 Nov 2014 19:46:13 +0000

RPDscan (Remmina Password Decrypt Scanner) is a tool to find and decrypt saved passwords in Remmina RDP configurations.

Key features

  • Finds every Remmina configuration file and preferences
  • Decrypts every saved password for every user it finds
  • Python based for easy access and speed

Overview

Remmina is a widely used Linux RDP client. Because many Linux users rely on it to connect to multiple machines, they often save the password for each connection. Remmina stores each saved password encrypted with a secret key that is kept in a separate preferences file for every user on the machine. RPDscan finds these preference files, extracts the secret key, uses it to decrypt every saved password, and then prints the username, password and server details for each connection.
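The decryption RPDscan automates is easy to reproduce. The following is an added example written for this page and is not the RPDscan code: it reads the base64 `secret` from remmina.pref, uses its first 24 bytes as a 3DES key and the last 8 bytes as the CBC IV (the scheme in Remmina's own source, where the plaintext is zero-padded to a block boundary), and decrypts the `password` field of every .remmina file belonging to the same user. The sample secret and connection file are constructed in a temporary directory; the 3DES primitive comes from pycryptodome or cryptography, whichever is installed, which is an assumption of this example. Newer Remmina releases keep remmina.pref under ~/.config/remmina and the connection files under ~/.local/share/remmina, which is why the scan pairs files per user rather than per directory.

```python
import base64
import configparser
import tempfile
from pathlib import Path

# Constructed secret for this demo only (Remmina generates a random one per user):
# base64 of 32 bytes, of which bytes 0..23 are the 3DES key and 24..31 the CBC IV.
SAMPLE_SECRET = base64.b64encode(bytes(range(1, 33))).decode()


def _des3_cbc(key, iv, data, encrypt):
    """Raw 3DES-CBC without padding, via pycryptodome or cryptography (assumed installed)."""
    try:
        from Crypto.Cipher import DES3  # pycryptodome
        cipher = DES3.new(key, DES3.MODE_CBC, iv=iv)
        return cipher.encrypt(data) if encrypt else cipher.decrypt(data)
    except ImportError:
        pass
    try:
        try:
            from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
        except ImportError:  # cryptography < 43 keeps it with the other algorithms
            from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
        from cryptography.hazmat.primitives.ciphers import Cipher, modes
        op = Cipher(TripleDES(key), modes.CBC(iv))
        op = op.encryptor() if encrypt else op.decryptor()
        return op.update(data) + op.finalize()
    except ImportError:
        raise RuntimeError("no 3DES backend: install pycryptodome or cryptography")


def split_secret(secret_b64):
    """Remmina's secret is one 32-byte blob: 24 bytes of 3DES key followed by an 8-byte IV."""
    raw = base64.b64decode(secret_b64)
    if len(raw) != 32:
        raise ValueError("secret decodes to %d bytes, expected 32" % len(raw))
    return raw[:24], raw[24:]


def decrypt_password(secret_b64, password_b64):
    key, iv = split_secret(secret_b64)
    ct = base64.b64decode(password_b64)
    if not ct or len(ct) % 8:
        raise ValueError("ciphertext is not a whole number of 3DES blocks")
    # Remmina zero-pads the plaintext to a block boundary, so trailing NULs are padding.
    return _des3_cbc(key, iv, ct, False).rstrip(b"\x00").decode("utf-8", "replace")


def encrypt_password(secret_b64, plaintext):
    """Inverse of decrypt_password; used here only to build the sample connection file."""
    key, iv = split_secret(secret_b64)
    data = plaintext.encode("utf-8")
    data += b"\x00" * (-len(data) % 8)
    return base64.b64encode(_des3_cbc(key, iv, data, True)).decode()


def _ini(path):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    return cp


def scan(root):
    """Decrypt the password of every .remmina file under root with its owner's remmina.pref.

    Files are paired by the first path component below root (/home/<user>/...), because
    newer Remmina keeps remmina.pref and the connection files in different directories.
    """
    root = Path(root)

    def owner(p):
        return p.relative_to(root).parts[0]

    secrets = {}
    for pref in root.rglob("remmina.pref"):
        cp = _ini(pref)
        if cp.has_option("remmina_pref", "secret"):
            secrets[owner(pref)] = cp.get("remmina_pref", "secret")
    found = []
    for conf in sorted(root.rglob("*.remmina")):
        secret = secrets.get(owner(conf))
        cp = _ini(conf)
        if secret is None or not cp.has_section("remmina"):
            continue
        entry = {k: cp.get("remmina", k, fallback="")
                 for k in ("server", "username", "domain", "ssh_server", "ssh_username")}
        entry["file"] = str(conf)
        enc = cp.get("remmina", "password", fallback="")
        entry["password"] = decrypt_password(secret, enc) if enc else ""
        found.append(entry)
    return found


def demo():
    """Build a throw-away /home-style tree with one user and one saved connection, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp, "fc", ".remmina")
        d.mkdir(parents=True)
        (d / "remmina.pref").write_text("[remmina_pref]\nsecret=%s\n" % SAMPLE_SECRET)
        (d / "1366367609312.remmina").write_text(
            "[remmina]\nname=lab\nserver=172.16.0.26\nusername=fc\ndomain=\n"
            "password=%s\n" % encrypt_password(SAMPLE_SECRET, "^**D!sEx@mpl3"))
        return scan(tmp)


if __name__ == "__main__":
    for e in demo():
        print("%(file)s: %(username)s@%(server)s password=%(password)s" % e)
```

Run it against a real machine with `scan("/home")` (or `/` if a service account keeps its home elsewhere); because the secret is per user, a .remmina file copied from another account will decrypt to garbage, not fail, so treat unprintable output as a wrong key rather than a corrupt file.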

Requirements

  • Python
  • Linux target

Installation

Download the script onto the target machine and run it; no installation is required.

Usage

# python RPDscan.py

RPDscan is initially set to search only /home, since Remmina keeps its preferences and connection files under each user's home directory. The Python file can easily be edited to search the entire / tree instead (for example when a service account has its home elsewhere).

Examples

# python RPDscan.py
found this pref file /home/fc/.remmina/remmina.pref
========
Found a conf file: /home/fc/.remmina/1366367609312.remmina
Saved password:
^**D!sEx@mpl3
ssh_username=
ssh_server=
username=fc
domain=
server=172.16.0.266
========
Found a conf file: /home/fc/.remmina/1366641829516.remmina
server=10.256.0.1
Saved password:
@n0ther3Xamp!e
ssh_username=
ssh_server=
username=ExampleDomain\\Administrator
domain=
Here RPDscan has found two connection files with saved passwords and extracted everything needed to connect to each host.

Download: RPDscan.py.tgz (April 16, 2014, 1.1 KiB, MD5 935738ab08748ff5ef09c2346ffc4755)

AMES (Another Metasploit Exploit Suggester) https://labs.portcullis.co.uk/tools/ames-another-metasploit-exploit-suggester/ Thu, 03 Apr 2014 05:30:54 +0000

AMES is a tool to parse the new Nessus output files and autogenerate an easy to copy and paste command line exploit using Metasploit CLI.

Key features

  • Handles the new .nessus xml based file output
  • Keeps up to date with new Metasploit exploits as you update MSF database
  • Python based for easy access and speed

Overview

AMES parses the new-style .nessus XML output from the Nessus scanner and looks up each reported CVE against the exploit modules in your Metasploit Framework checkout. It then builds a list of command lines that you can copy and paste to run the matching exploit. Since Metasploit removed the db_autopwn feature, this is about as close to point-and-click exploitation as is available.
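The lookup AMES performs can be shown on a small scale. This is an added example, not the AMES code: it indexes the `['CVE', 'YYYY-NNNN']` references found in Metasploit module files (two constructed module fragments here; `index_module_dir` does the same over a real checkout), parses a constructed .nessus v2 report with ElementTree, and produces one command per match. Because msfcli no longer exists in current Metasploit, it emits `msfconsole -q -x` lines using `RHOSTS` and `RPORT`; those option names and the module paths are assumptions to adjust for your version.

```python
import re
import shlex
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed stand-ins for files under <msf>/modules/. Only the references array
# matters; real modules are Ruby files carrying the same ['CVE', 'YYYY-NNNN'] entries.
SAMPLE_MODULES = {
    "modules/exploits/windows/smb/ms08_067_netapi.rb": """
      'References' => [
        ['CVE', '2008-4250'],
        ['MSB', 'MS08-067'],
      ],
    """,
    "modules/exploits/multi/misc/java_rmi_server.rb": """
      'References' => [['CVE', '2011-3556']],
    """,
    "modules/auxiliary/scanner/smb/smb_version.rb": "",  # no CVE: never suggested
}

# Constructed .nessus v2 report for two hosts. The element layout
# (Report/ReportHost/ReportItem/cve) is what Nessus writes; the data is made up.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="lab">
  <ReportHost name="10.0.0.5">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="34477"
               pluginName="MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling">
    <cve>CVE-2008-4250</cve>
   </ReportItem>
   <ReportItem port="135" svc_name="epmap" protocol="tcp" severity="0" pluginID="10736"
               pluginName="DCE Services Enumeration"/>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <ReportItem port="1099" svc_name="rmi" protocol="tcp" severity="4" pluginID="56455"
               pluginName="Java RMI Server Insecure Default Configuration">
    <cve>CVE-2011-3556</cve>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

CVE_REF = re.compile(r"""\[\s*['"]CVE['"]\s*,\s*['"](\d{4}-\d{4,})['"]\s*\]""")


def index_modules(files):
    """Map 'CVE-...' -> [module names]; modules/exploits/a/b.rb becomes exploit/a/b."""
    index = {}
    for path, text in files.items():
        m = re.match(r"modules/(exploits|auxiliary|post)/(.+)\.rb$", path)
        if not m:
            continue
        kind = "exploit" if m.group(1) == "exploits" else m.group(1)
        name = "%s/%s" % (kind, m.group(2))
        for cve in CVE_REF.findall(text):
            index.setdefault("CVE-" + cve, []).append(name)
    return index


def index_module_dir(msf_root):
    """Same index over a real Metasploit checkout (the 'Trunk' path the page asks you to set)."""
    base = Path(msf_root)
    files = {str(p.relative_to(base)).replace("\\", "/"): p.read_text(errors="replace")
             for p in base.glob("modules/**/*.rb")}
    return index_modules(files)


def parse_nessus(xml_text):
    """(host, port, cve, plugin name) for every ReportItem that carries a <cve> child."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            for cve in item.findall("cve"):
                findings.append((host.get("name"), item.get("port"),
                                 cve.text.strip(), item.get("pluginName", "")))
    return findings


def suggest(findings, index):
    """One msfconsole command per (finding, matching exploit module), sorted by CVE."""
    lines = []
    for host, port, cve, _plugin in findings:
        for module in index.get(cve, []):
            if not module.startswith("exploit/"):
                continue
            script = "use %s; set RHOSTS %s; set RPORT %s; run" % (module, host, port)
            lines.append((cve, "msfconsole -q -x %s" % shlex.quote(script)))
    return sorted(lines)


if __name__ == "__main__":
    for cve, cmd in suggest(parse_nessus(SAMPLE_NESSUS), index_modules(SAMPLE_MODULES)):
        print(cve, cmd)
```

A CVE match only says the module targets the same bug; the Nessus plugin may have fired on a version banner, so check the module's targets and run its `check` before `run` where one exists.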

Requirements

  • Python
  • Metasploit Framework

In addition, you will need to edit ames.py and set the location of your Metasploit Framework installation (the "Trunk" path), then save it.

Optional requirements

  • Nessus

Nessus is only required if you wish to perform your own scans and generate reports; it is not needed to run the tool against reports generated elsewhere.

Installation

Download the script and run it; no installation is required.

Usage

On your first run you will see the following error:

[Image: First Run Error]

This is just a reminder that you need to edit the ames.py file and replace the “Trunk = ” line with the location for your Metasploit trunk location.

[Image: Trunk Update]

Once your Trunk location has been set in ames.py you can then use the tool as below.

$ python ames.py [nessus report file]

Copy and paste the exploit you wish to attempt. Note that msfcli, which AMES uses for these command lines, was removed from the Metasploit Framework in 2015; on a current install, run the same module through msfconsole -x instead.

Examples

[Image: Example]

Here AMES has discovered some exploits and sorted them; just copy and paste the msfcli command line.

[Image: System Example]

Here one of the command lines has been copied and pasted and successfully exploits a system discovered by Nessus.

Download: ames.py.tgz (February 21, 2014, 2.1 KiB, MD5 f2efb955fa5b083bc9065a486f049488)

WordPress Build Review https://labs.portcullis.co.uk/tools/wordpress-build-review/ Fri, 14 Feb 2014 12:50:30 +0000

WordPress Build Review is a tool to check the basic security settings in a WordPress installation.

Key features

  • Checks the WordPress version
  • Checks the WordPress plugins versions
  • Checks WordPress minor updates are enabled
  • Checks the WordPress configuration
  • Checks the theme configuration
  • Identifies the presence of backup files in web folder
  • Checks the Anti-Virus
  • Checks the file and directory permissions
  • Checks HTTPS in admin panel is enabled

Overview

WordPress-build-review checks the basic security configuration that a WordPress installation should have.

The idea of this tool is to perform a build review on WordPress installations. It should work with the software installed by default on a Linux distribution.

This tool was developed and tested on Linux. However, it should also work on other POSIX-like platforms as long as the dependencies (GNU utils) are available. Please let us know if you try running this tool on other platforms; your feedback is appreciated.
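A handful of the checks listed above, written as an added Python example rather than the tool's own shell script: the database user and table prefix in wp-config.php, FORCE_SSL_ADMIN, default files, backup and editor leftovers, and group- or world-writable files and directories. The sample WordPress root, wp-config.php, backup file and lax plugin directory are constructed in a temporary directory; the issue numbers follow the page's output, the wording is mine.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed wp-config.php fragment with three of the weak settings the review flags.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'secret');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
"""

BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")
DEFAULT_FILES = ("readme.html", "license.txt", "wp-config-sample.php")


def _define(cfg, name):
    """Literal second argument of define('NAME', ...) in a wp-config.php, quotes removed, or None."""
    m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*([^)]+?)\s*\)" % re.escape(name), cfg)
    return m.group(1).strip().strip("'\"") if m else None


def review(root):
    """Static checks over a WordPress root; returns one [VV] string per finding."""
    root = Path(root)
    issues = []
    cfg_path = root / "wp-config.php"
    if not cfg_path.is_file():
        return ["[WW] %s not found; configuration checks skipped" % cfg_path]
    cfg = cfg_path.read_text(errors="replace")

    if _define(cfg, "DB_USER") == "root":
        issues.append("[VV][008] WordPress database user is root")
    if re.search(r"\$table_prefix\s*=\s*['\"]wp_['\"]", cfg):
        issues.append("[VV][010] WordPress table prefix is the default wp_")
    if _define(cfg, "FORCE_SSL_ADMIN") != "true":
        issues.append("[VV][009] FORCE_SSL_ADMIN is not enabled in wp-config.php "
                      "(the web server may still enforce HTTPS)")

    for name in DEFAULT_FILES:
        if (root / name).is_file():
            issues.append("[VV][002] default file %s found, remove it" % name)

    for path in sorted(root.rglob("*")):
        mode = path.lstat().st_mode
        if stat.S_ISREG(mode) and path.name.endswith(BACKUP_SUFFIXES):
            issues.append("[VV][015] backup file %s found, remove it" % path)
        # 664/775 style modes: anyone in the web server's group, or anyone at all, can write
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            kind, num = ("file", "012") if stat.S_ISREG(mode) else ("folder", "013")
            issues.append("[VV][%s] %s %s has %o permissions, restrict it"
                          % (num, kind, path, stat.S_IMODE(mode)))
    return issues


def demo():
    """Lay out a throw-away WordPress root with the sample config and two classic mistakes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-config.php").write_text(SAMPLE_WP_CONFIG)
        os.chmod(root / "wp-config.php", 0o640)
        (root / "wp-config.php~").write_text(SAMPLE_WP_CONFIG)   # editor backup, readable config
        os.chmod(root / "wp-config.php~", 0o664)
        (root / "readme.html").write_text("<html>WordPress 3.8</html>")
        plugins = root / "wp-content" / "plugins"
        plugins.mkdir(parents=True)
        os.chmod(root / "wp-content", 0o755)
        os.chmod(plugins, 0o755)
        (plugins / "test").mkdir()
        os.chmod(plugins / "test", 0o775)
        return review(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that a backup of wp-config.php is worse than any other leftover: the web server serves a `.php~` file as plain text, so the database credentials it contains are readable by anyone who guesses the name.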

Installation

Download the tool from the link below and uncompress it.

Make sure you have 'curl' and 'bc' installed on your system.

Usage

$ ./wordpress-build-review.sh /full/path/to/wordpress/root/folder/
...
Starting wordpress-build-review v1.0 at Fri Jan 31 16:19:53 GMT 2014

by David Muñoz ( dmg@portcullis-security.com )

This tool checks the basic security configuration that a wordpress installation
should have.

Use of this script is only permitted on systems which you have been granted
legal permission to perform a security assessment of. Apart from this
condition the GPL v2 applies.

Search the output below for the word '[VV]' for the security issues found.
If you don't see it then this script didn't find any problems.
Search the output below for the word '[WW]' for problems occurred during script
execution. These problems must be checked manually.
Finally search the output below for the word '[II]' for correct issues.
...

Examples

Here we can see some example issues that the tool is able to identify:

$ ./wordpress-build-review.sh /var/www/wordpress | grep "[VV]"
...
[VV][001]File wp-login.php found. It is recommended to change its name.
[VV][002]File readme.html found. It is recommended to delete it.
[VV][005]The wordpress version installed is out-to-date. Installed version is: 3.8. Last version is: 3.8.1.
[VV][006]Plugin 6scan-protection is out-of-date. Please, update it. Installed version is: 3.0.5. Last version is: 3.0.6.
[VV][009]HTTPS on the LOGIN and ADMIN sections are not enabled in wp-config but SSL may still being enforced by the web server config.
[VV][015]File /var/www/wordpress/test.bak found, consider to remove it.
[VV][015]File /var/www/wordpress/wp-config.php~ found, consider to remove it.
[VV]Default or backup files found, please remove them.
[VV][012]The file /var/www/wordpress/wp-config.php~ has 664 permissions, consider to set it to 644 or 640
[VV]Incorrect file permissions, please correct them.
[VV][013]The folder /var/www/wordpress/wp-content/plugins/test has 775 permissions, consider to set it to 755 or 750
[VV]Incorrect folder permissions, please correct them.
[VV][010]Wordpress table prefix is set by default <wp_>. Please, consider to change it.
[VV][008]Wordpress database user is root, please change it.
...
Download: wordpress-build-review v1.0 tar (5.2 KiB, MD5 4a6072f4c13478a8707275fd3c17c9f7)

rdp-sec-check https://labs.portcullis.co.uk/tools/rdp-sec-check/ Wed, 12 Feb 2014 11:14:44 +0000

rdp-sec-check is a Perl script to enumerate security settings of an RDP Service (AKA Terminal Services).

Key features

  • Support for targets file
  • Support for saving the tool output to a specified logfile
  • Control over the connection and responses timeouts
  • Control over the number of retries when timeouts occurs

Overview

rdp-sec-check is a Perl script to enumerate the security settings of a Remote Desktop service (AKA Terminal Services).

It does not require authentication, only network connectivity to TCP port 3389.

It can determine many (though not quite all) of the security settings from the RDP-Tcp Properties | General tab:

  • Check which security layers are supported by the service: Standard RDP Security, TLSv1.0, CredSSP
  • For Standard RDP Security it detects the level of encryption supported: 40-bit, 56-bit, 128-bit, FIPS

The following potential security issues are flagged if present:

  • The service supports Standard RDP Security – this is known to be vulnerable to an active “Man-In-The-Middle” attack
  • The service supports weak encryption (40-bit or 56-bit)
  • The service does not mandate Network Level Authentication (NLA) – NLA requires the client to authenticate before a session is created, which can help to prevent certain types of Denial of Service attack
  • The service supports FIPS encryption but doesn’t mandate it – may only be interesting for jurisdictions where FIPS is required
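What "checking supported protocols" means on the wire, as an added example that is not the rdp-sec-check Perl: it builds the X.224 Connection Request carrying an RDP_NEG_REQ for one protocol and classifies the Connection Confirm as supported, failure (with the MS-RDPBCGR failure code, e.g. HYBRID_REQUIRED_BY_SERVER) or ignored, the last being the bare Connection Confirm that older servers return. The three replies below are constructed to match the behaviours in the example outputs, not captured; `probe` performs the real exchange, and `issues` derives two of the page's issue names from my reading of the rules above.

```python
import socket
import struct

PROTOCOLS = {"PROTOCOL_RDP": 0, "PROTOCOL_SSL": 1, "PROTOCOL_HYBRID": 2}
PROTOCOL_NAMES = {v: k for k, v in PROTOCOLS.items()}
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03

# Constructed Connection Confirm replies (not captured traffic) for the three behaviours
# in the example outputs: negotiation ignored, CredSSP selected, CredSSP required.
SAMPLE_RESPONSES = {
    "ignored":         bytes.fromhex("0300000b06d00000123400"),
    "hybrid_selected": bytes.fromhex("030000130ed00000123400" "0200080002000000"),
    "hybrid_required": bytes.fromhex("030000130ed00000123400" "0300080005000000"),
}


def build_connection_request(requested_protocols):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ with the given protocol bitmask."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0x00, 8, requested_protocols)
    # X.224: length indicator, CR code 0xE0, dst-ref, src-ref, class, then the negotiation request
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Classify a reply as ('supported', protocol), ('failure', code name) or ('ignored', None)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 reply")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("X.224 TPDU 0x%02x is not a Connection Confirm" % data[5])
    body = data[11:tpkt_len]          # after TPKT(4) + LI(1) + CC(1) + dst(2) + src(2) + class(1)
    if len(body) < 8:
        return ("ignored", None)      # bare CC: the server did not act on RDP_NEG_REQ
    typ, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if typ == TYPE_RDP_NEG_RSP:
        return ("supported", PROTOCOL_NAMES.get(value, "PROTOCOL_0x%x" % value))
    if typ == TYPE_RDP_NEG_FAILURE:
        return ("failure", FAILURE_CODES.get(value, "FAILURE_0x%x" % value))
    raise ValueError("unexpected negotiation structure type 0x%02x" % typ)


def probe(host, port, protocol_name, timeout=5.0):
    """One real exchange: request a single protocol and classify the server's answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOLS[protocol_name]))
        return parse_connection_confirm(s.recv(1024))


def issues(results):
    """Issue names from {requested protocol: (status, detail)}, following the rules listed above."""
    supported = set()
    for _name, (status, detail) in results.items():
        if status == "supported":
            supported.add(detail)            # the server names the protocol it selected
        elif status == "ignored":
            supported.add("PROTOCOL_RDP")    # no negotiation means Standard RDP Security only
    out = []
    if "PROTOCOL_HYBRID" not in supported:
        out.append("NLA_NOT_SUPPORTED_DOS")
    if "PROTOCOL_RDP" in supported:
        out.append("ONLY_RDP_SUPPORTED_MITM")
    return out


def check_host(host, port=3389):
    """Probe the three security layers, like the tool's first phase, and summarise the result."""
    results = {name: probe(host, port, name) for name in PROTOCOLS}
    return results, issues(results)


if __name__ == "__main__":
    for label, reply in SAMPLE_RESPONSES.items():
        print(label, parse_connection_confirm(reply))
```

The encryption-level checks in the tool's second phase go further, completing the MCS connect so the server reveals which of the 40/56/128-bit and FIPS methods it offers; this example stops at the negotiation response because that already separates an NLA-only host from one that still accepts Standard RDP Security.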

Requirements

rdp-sec-check is a simple Perl script that requires one module from CPAN. Run ‘cpan’ as root then install the Encoding::BER module:

# cpan
cpan[1]> install Encoding::BER

Example output 1: An old Windows 2000 RDP service

$ rdp-sec-check.pl 10.0.0.94
Starting rdp-sec-check v0.8-beta ( https://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul  9 13:34:38 2012

Target:    10.0.0.94
IP:        10.0.0.94
Port:      3389

[+] Checking supported protocols

[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Negotiation ignored - old Windows 2000/XP/2003 system??

[+] Checking RDP Security Layer

[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Not supported

[+] Summary of protocol support

[-] 10.0.0.94:3389 supports PROTOCOL_RDP   : TRUE
[-] 10.0.0.94:3389 supports PROTOCOL_HYBRID: FALSE
[-] 10.0.0.94:3389 supports PROTOCOL_SSL   : FALSE

[+] Summary of RDP encryption support

[-] 10.0.0.94:3389 has encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_NONE   : FALSE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_40BIT  : TRUE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_128BIT : FALSE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_56BIT  : TRUE
[-] 10.0.0.94:3389 supports ENCRYPTION_METHOD_FIPS   : FALSE

[+] Summary of security issues

[-] 10.0.0.94:3389 has issue NLA_NOT_SUPPORTED_DOS
[-] 10.0.0.94:3389 has issue ONLY_RDP_SUPPORTED_MITM
[-] 10.0.0.94:3389 has issue WEAK_RDP_ENCRYPTION_SUPPORTED

rdp-sec-check v0.8-beta completed at Mon Jul  9 13:34:39 2012

Example output 2: A Windows 2003 SP0 RDP service

$ rdp-sec-check.pl 10.0.0.93
Starting rdp-sec-check v0.8-beta ( https://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul  9 13:35:34 2012

Target:    10.0.0.93
IP:        10.0.0.93
Port:      3389

[+] Checking supported protocols

[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Negotiation ignored - old Windows 2000/XP/2003 system?
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Negotiation ignored - old Windows 2000/XP/2003 system??

[+] Checking RDP Security Layer

[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE

[+] Summary of protocol support

[-] 10.0.0.93:3389 supports PROTOCOL_RDP   : TRUE
[-] 10.0.0.93:3389 supports PROTOCOL_HYBRID: FALSE
[-] 10.0.0.93:3389 supports PROTOCOL_SSL   : FALSE

[+] Summary of RDP encryption support

[-] 10.0.0.93:3389 has encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_NONE   : FALSE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_40BIT  : TRUE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_128BIT : TRUE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_56BIT  : TRUE
[-] 10.0.0.93:3389 supports ENCRYPTION_METHOD_FIPS   : TRUE

[+] Summary of security issues

[-] 10.0.0.93:3389 has issue NLA_NOT_SUPPORTED_DOS
[-] 10.0.0.93:3389 has issue FIPS_SUPPORTED_BUT_NOT_MANDATED
[-] 10.0.0.93:3389 has issue ONLY_RDP_SUPPORTED_MITM
[-] 10.0.0.93:3389 has issue WEAK_RDP_ENCRYPTION_SUPPORTED

Example output 3: A typical Windows 2003 RDP service

$ rdp-sec-check.pl 10.0.0.111
Starting rdp-sec-check v0.8-beta ( https://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul  9 13:36:56 2012

Target:    10.0.0.111
IP:        10.0.0.111
Port:      3389

[+] Checking supported protocols

[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Supported
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Not supported - SSL_NOT_ALLOWED_BY_SERVER
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Not supported - SSL_NOT_ALLOWED_BY_SERVER

[+] Checking RDP Security Layer

[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Supported.  Server encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE

[+] Summary of protocol support

[-] 10.0.0.111:3389 supports PROTOCOL_RDP   : TRUE
[-] 10.0.0.111:3389 supports PROTOCOL_HYBRID: FALSE
[-] 10.0.0.111:3389 supports PROTOCOL_SSL   : FALSE

[+] Summary of RDP encryption support

[-] 10.0.0.111:3389 has encryption level: ENCRYPTION_LEVEL_CLIENT_COMPATIBLE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_NONE   : FALSE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_40BIT  : TRUE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_128BIT : TRUE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_56BIT  : TRUE
[-] 10.0.0.111:3389 supports ENCRYPTION_METHOD_FIPS   : TRUE

[+] Summary of security issues

[-] 10.0.0.111:3389 has issue NLA_NOT_SUPPORTED_DOS
[-] 10.0.0.111:3389 has issue FIPS_SUPPORTED_BUT_NOT_MANDATED
[-] 10.0.0.111:3389 has issue ONLY_RDP_SUPPORTED_MITM
[-] 10.0.0.111:3389 has issue WEAK_RDP_ENCRYPTION_SUPPORTED

rdp-sec-check v0.8-beta completed at Mon Jul  9 13:36:56 2012

Example output 4: A well configured Windows 2008 RDP service

$ rdp-sec-check.pl 10.0.0.21
Starting rdp-sec-check v0.8-beta ( https://labs.portcullis.co.uk/application/rdp-sec-check/ ) at Mon Jul  9 13:32:30 2012

Target:    10.0.0.21
IP:        10.0.0.21
Port:      3389

[+] Checking supported protocols

[-] Checking if RDP Security (PROTOCOL_RDP) is supported...Not supported - HYBRID_REQUIRED_BY_SERVER
[-] Checking if TLS Security (PROTOCOL_SSL) is supported...Not supported - HYBRID_REQUIRED_BY_SERVER
[-] Checking if CredSSP Security (PROTOCOL_HYBRID) is supported [uses NLA]...Supported

[+] Checking RDP Security Layer

[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_NONE...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_40BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_128BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_56BIT...Not supported
[-] Checking RDP Security Layer with encryption ENCRYPTION_METHOD_FIPS...Not supported

[+] Summary of protocol support

[-] 10.0.0.21:3389 supports PROTOCOL_RDP   : FALSE
[-] 10.0.0.21:3389 supports PROTOCOL_HYBRID: TRUE
[-] 10.0.0.21:3389 supports PROTOCOL_SSL   : FALSE

[+] Summary of RDP encryption support

[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_NONE   : FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_40BIT  : FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_128BIT : FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_56BIT  : FALSE
[-] 10.0.0.21:3389 supports ENCRYPTION_METHOD_FIPS   : FALSE

[+] Summary of security issues

rdp-sec-check v0.8-beta completed at Mon Jul  9 13:32:31 2012

The latest version of the code will be maintained on github. Older versions are available below.

iker https://labs.portcullis.co.uk/tools/iker/ Mon, 27 Jan 2014 12:12:52 +0000

iker is a Python tool to analyse the security of the key exchange phase in IPsec based VPNs.

Key features

  • Discover VPN services running
  • Fingerprint based on vendor IDs (VID)
  • Guess implementation basing on responses analysis (backoff)
  • Enumerate supported transforms in Main Mode
  • Check for Aggressive Mode
  • Enumerate supported transforms in this Aggressive Mode
  • Enumerate valid client/group IDs in Aggressive Mode
  • Allow for rate limiting
  • Analyse results to list actual issues
  • Export results in 2 different formats
  • Load IPs from command line or text files
  • Determine support for IKEv2

Overview

iker scans and analyses the Internet Key Exchange (IKE) protocol, identifying common misconfigurations in VPN concentrators. It is based on ike-scan.

It first discovers the VPN endpoints and tries to fingerprint them. It then enumerates valid transforms in Main Mode and, if it is supported, in Aggressive Mode. Finally, it tries to enumerate group IDs if a dictionary was provided.

iker implements two ways of enumerating valid group IDs:

Once all the tests have been launched, iker analyses the results and generates a report with the issues found.
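The transform enumeration described above, as an added example that drives ike-scan the same way but is not iker's code: it builds every combination of the attribute sets as `--trans=enc,hash,auth,group` arguments, parses ike-scan's "Handshake returned ... SA=(...)" lines (a NO-PROPOSAL-CHOSEN notify is a rejection), and derives issues from what was accepted. The ike-scan output is constructed in the shape the tool prints, not captured; the issue names and thresholds are this example's, not iker's; `run_transform` shells out to a real ike-scan, which needs root for UDP/500 just as iker does.

```python
import itertools
import re
import subprocess

# IKEv1 attribute values as ike-scan's --trans=enc,hash,auth,group takes them (iker's
# default sets); the names are for display and follow ike-scan's output vocabulary.
ENC = {1: "DES", 5: "3DES", "7/128": "AES/128", "7/192": "AES/192", "7/256": "AES/256"}
HASH = {1: "MD5", 2: "SHA1"}
AUTH = {1: "PSK", 3: "RSA_Sig", 64221: "Hybrid_RSA", 65001: "XAUTH_PSK"}
GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536"}

# Constructed ike-scan output in the shape the tool prints, not a capture.
SAMPLE_MAIN = """Starting ike-scan 1.9 with 2 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.0.0.2\tMain Mode Handshake returned HDR=(CKY-R=0c8fda4ad07c3e1f) SA=(Enc=3DES Hash=MD5 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
10.0.0.3\tNotify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0000000000000000, msgid=f904f872)

Ending ike-scan 1.9: 2 hosts scanned in 0.071 seconds (28.17 hosts/sec).  1 returned handshake; 1 returned notify
"""
SAMPLE_AGGRESSIVE = (
    "10.0.0.2\tAggressive Mode Handshake returned HDR=(CKY-R=1f6d2a9c4b3e8d70) "
    "SA=(Enc=DES Hash=MD5 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080) "
    "KeyExchange(96 bytes) Nonce(20 bytes) ID(Type=ID_IPV4_ADDR, Value=10.0.0.2) Hash(16 bytes)\n"
)

# The SA=(...) group may itself contain parentheses (LifeDuration(4)=...), so the
# closing bracket we want is the one followed by whitespace or end of line.
SA_LINE = re.compile(r"^(\S+)\s+(Main|Aggressive) Mode Handshake returned .*?SA=\((.*?)\)(?=\s|$)")


def transforms(encs=ENC, hashes=HASH, auths=AUTH, groups=GROUP):
    """Every combination of the attribute sets as --trans values, in the order iker would try."""
    return ["%s,%s,%s,%s" % t for t in itertools.product(encs, hashes, auths, groups)]


def ike_scan_cmd(target, trans, aggressive=False, group_id=None, ikepath="ike-scan"):
    """argv for one probe; Aggressive Mode needs an ID payload, hence --id."""
    cmd = [ikepath, "--trans=%s" % trans]
    if aggressive:
        cmd += ["--aggressive", "--id=%s" % (group_id or "vpn")]
    return cmd + [target]


def run_transform(target, trans, **kw):
    """Shell out to a real ike-scan and return the accepted transforms from its output."""
    proc = subprocess.run(ike_scan_cmd(target, trans, **kw), capture_output=True, text=True)
    return parse_ike_scan(proc.stdout)


def parse_ike_scan(output):
    """Accepted transforms as [(ip, mode, {Enc, Hash, Auth, Group, ...})]; notifies are rejections."""
    found = []
    for line in output.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            attrs = dict(kv.split("=", 1) for kv in m.group(3).split())
            found.append((m.group(1), m.group(2), attrs))
    return found


def analyse(found):
    """Issue names for the accepted transforms; names and thresholds are this example's."""
    issues = set()
    for _ip, mode, a in found:
        if a.get("Enc") == "DES":
            issues.add("WEAK_ENCRYPTION_DES")
        if a.get("Hash") == "MD5":
            issues.add("WEAK_HASH_MD5")
        if a.get("Group", "").split(":")[0] in ("1", "2"):
            issues.add("WEAK_DH_GROUP")
        if mode == "Aggressive" and a.get("Auth") == "PSK":
            issues.add("AGGRESSIVE_MODE_PSK")   # the PSK hash travels in the clear, crackable offline
    return sorted(issues)


if __name__ == "__main__":
    accepted = parse_ike_scan(SAMPLE_MAIN) + parse_ike_scan(SAMPLE_AGGRESSIVE)
    for ip, mode, attrs in accepted:
        print(ip, mode, attrs["Enc"], attrs["Hash"], attrs["Auth"], attrs["Group"])
    print(analyse(accepted))
```

With the default sets that is 120 Main Mode probes per host, which is why iker offers `--delay`; a concentrator that rate-limits or blacklists after a burst of IKE requests will make later transforms look unsupported, so re-run any host that only answered the first few.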

Requirements

iker drives ike-scan, so ike-scan must be installed (use --ikepath if it is not in the PATH or has a different name). In addition, the following Python packages are used (they are normally included with a standard Python installation):

  • subprocess
  • argparse

Installation

Download iker from the link below and uncompress it.

Usage

$ sudo python iker.py -h

iker v. 1.0

The ike-scan based script which checks for security flaws in IPsec-based VPNs.

                               by Julio Gomez ( jgo@portcullis-security.com )

usage: iker.py [-h] [-v] [-d DELAY] [-i INPUT] [-o OUTPUT] [-x XML]
               [--encalgs ENCALGS] [--hashalgs HASHALGS]
               [--authmethods AUTHMETHODS] [--dhgroups DHGROUPS] [--fullalgs]
               [--ikepath IKEPATH] [-c CLIENTIDS]
               [target]

positional arguments:
  target                The IP address or the network (CIDR notation) to scan.

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Be verbose.
  -d DELAY, --delay DELAY
                        Delay between requests (in milliseconds). Default: 0
                        (No delay).
  -i INPUT, --input INPUT
                        An input file with an IP address/network per line.
  -o OUTPUT, --output OUTPUT
                        An output file to store the results.
  -x XML, --xml XML     An output file to store the results in XML format.
                        Default: output.xml
  --encalgs ENCALGS     The encryption algorithms to check. Default: DES,
                        3DES, AES/128, AES/192 and AES/256. Example:
                        --encalgs="1 5 7/128 7/192 7/256"
  --hashalgs HASHALGS   The hash algorithms to check. Default: MD5 and SHA1.
                        Example: --hashalgs="1 2"
  --authmethods AUTHMETHODS
                        The authorization methods to check. Default: Pre-
                        Shared Key, RSA Signatures, Hybrid Mode and XAUTH.
                        Example: --authmethods="1 3 64221 65001"
  --dhgroups DHGROUPS   The Diffie-Hellman groups to check. Default: MODP 768,
                        MODP 1024 and MODP 1536. Example: --dhgroups="1 2 5"
  --fullalgs            Equivalent to: --encalgs="1 2 3 4 5 6 7/128 7/192
                        7/256 8" --hashalgs="1 2 3 4 5 6" --authmethods="1 2 3
                        4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003
                        65004 65005 65006 65007 65008 65009 65010"
                        --dhgroups="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
                        18"
  --ikepath IKEPATH     The FULL ike-scan path if it is not in the PATH
                        variable and/or the name changed.
  -c CLIENTIDS, --clientids CLIENTIDS
                        A file (dictionary) with a client ID per line to
                        enumerate valid client IDs in Aggressive Mode.
                        Default: unset - This test is not launched by default.

Examples

Loading the hosts/ranges to scan from a text file and saving the results into a text and an XML file:

$ sudo python iker.py -i ips.txt -o output.txt -x output.xml -v

iker v. 1.0

The ike-scan based script which checks for security flaws in IPsec-based VPNs.

                               by Julio Gomez ( jgo@portcullis-security.com )

Starting iker (https://labs.portcullis.co.uk/tools/) at Mon, 20 Jan 2014 14:34:15 +0000
[*] Discovering IKE services, please wait...
10.0.0.2 Notify message 14 (NO-PROPOSAL-CHOSEN)
 HDR=(CKY-R=0000000000000000, msgid=f904f872)

[*] Trying to fingerprint the devices. This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] The device 10.0.0.2 could not been fingerprinted because no transform is known.

[*] Looking for accepted transforms at 10.0.0.2
[*] Transform found: Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080
[*] Vendor ID identified for IP 10.0.0.2 with transform Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080: Firewall-1 NGX

[*] Trying to fingerprint the devices (again). This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] Implementation guessed for IP 10.0.0.2: Firewall-1 4.1/NG/NGX
...

Specifying the encryption algorithms to check for supported transforms:

$ sudo python iker.py --encalgs "1 2 3 4 5 6 7/128 7/192 7/256 8" 10.0.2.2
[...]

Specifying that all the encryption algorithms, the hashing algorithms, the authentication methods and the DH groups must be checked:

$ sudo python iker.py --fullalgs 10.0.2.2
[...]
Download: iker_v1.1.tar (July 17, 2014, version 1.1, 40.0 KiB, MD5 c255b6beffcf1e0a2026a9fd3faede8a)

cspCalculator https://labs.portcullis.co.uk/tools/cspcalculator/ Wed, 08 Jan 2014 15:35:09 +0000

cspCalculator is a PoC implementation of a dynamic Content Security Policy creator.

Key features

  • Allows on the fly manipulation of Content Security Policy
  • Enables UX developers to get visual feedback on how a CSP affects the application functionality
  • Minimises the changes required to an existing application to allow this to happen

Overview

Content Security Policy is a feature of modern browsers designed to augment the traditional Same Origin Policy and to limit the potential impact of Cross-site Scripting and other content injection vulnerabilities that may exist within a web site and could be exploited by an attacker. It allows web site owners to declare, out-of-band through additional HTTP headers, the approved sources of content that browsers should be allowed to load on a page.

The aim here is to minimise the leg work for UX developers in creating web applications that both function and follow secure development practices. We do this by reducing the server-side code changes to the injection of some client-side JavaScript along with a few lines of server-side stub code (in this case, in PHP). Once this has been integrated into the application in a staging environment, the UX developer can tweak the CSP from their own browser and see how it affects the application's functionality.

Installation

  • Copy styles and js from src/html to your web root
  • Copy index.php from src/html/examples/php to your web root or tweak your existing web pages in a similar fashion

Usage

The client side code (HTML) should include the following changes:

<head>
...
	<link rel="stylesheet" href="styles/cspCalculator.css" type="text/css"/>
...
</head>
<body>
	<script src="js/cspCalculator.js"></script>
	...
</body>

This will result in the CSS and JavaScript used to construct the cspCalculator UI being injected into resultant pages.

Additionally, as a minimum case, the server side code should implement the following logic:

$directiveslist = array("default-src", "connect-src", "font-src", "frame-src", "img-src", "media-src", "object-src", "script-src", "style-src", "sandbox");
$headerslist = array("Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP");
$directives = array();
foreach ($directiveslist as $directivename) {
	// Echo each directive the UI chose back as a cookie so the next request carries it too
	$value = isset($_COOKIE[$directivename]) ? $_COOKIE[$directivename] : "";
	header("Set-Cookie: " . $directivename . "=" . $value, false);
	if ($value !== "") {
		$directives[] = $directivename . " " . $value;
	}
}
// Send the same policy under the standard name and the two prefixed names older browsers used
$headervalue = implode("; ", $directives);
foreach ($headerslist as $headername) {
	header($headername . ": " . $headervalue);
}

We use cookies as a back channel to allow changes to the Content Security Policy by the UX developer from the UI to easily be signaled back to the web application so that the appropriate headers can be set. Cookies work nicely for this purpose as they do not interfere with any GET or POST parameters that the application may need to send for normal operation.

Once operational, your web application will now include a drop down cspCalculator box on each of its pages. Within the drop down you will see various text boxes for each of the CSP directives that can be defined. The “Calculate” button next to each will attempt to determine the appropriate policy by examining the page’s DOM (something that isn’t 100% effective yet). The “Apply” button will force a round-trip to the server to force it to send the page with the new CSP headers applied. It is recommended that you use this tool in combination with something such as Chrome’s Inspect Element feature to identify any DOM elements that are blocked and which cspCalculator is unable to identify automatically.
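The walk behind the "Calculate" button, as an added Python example rather than the project's client-side JavaScript: it parses a page with the standard library's html.parser, maps each loading element to its CSP directive, reduces every URL to `'self'` or `scheme://host`, and marks the directives that would need `'unsafe-inline'` because of inline `<script>`/`<style>` blocks or `on*` handlers. It cannot see what CSS or scripts fetch at runtime (fonts, XHR), which is the same limitation the paragraph above describes, so `connect-src` and `font-src` still need the manual check with the browser's inspector. The HTML and the page origin are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) -> directive that governs what the element loads.
SOURCES = {("script", "src"): "script-src", ("img", "src"): "img-src",
           ("link", "href"): "style-src", ("iframe", "src"): "frame-src",
           ("object", "data"): "object-src", ("embed", "src"): "object-src",
           ("audio", "src"): "media-src", ("video", "src"): "media-src",
           ("source", "src"): "media-src"}
HEADER_NAMES = ("Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP")

# Constructed page: local and third-party assets, a protocol-relative script, and inline code.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="styles/cspCalculator.css">
<link rel="stylesheet" href="https://fonts.example.net/roboto.css">
<style>body { margin: 0 }</style>
<script src="js/cspCalculator.js"></script>
<script src="//cdn.example.com/jquery.js"></script>
<script>init();</script>
</head><body>
<img src="/logo.png"><img src="http://img.example.org/a.png">
<iframe src="https://player.example.com/v/1"></iframe>
<a href="#" onclick="go()">go</a>
</body></html>"""


def origin_of(url, page_origin):
    """Reduce a URL to the source expression that allows it: 'self' or scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.netloc:
        return "'self'"
    scheme = parts.scheme or urlsplit(page_origin).scheme   # protocol-relative URL
    return "%s://%s" % (scheme, parts.netloc)


class PolicyCollector(HTMLParser):
    """Collect, per directive, the origins the page loads from and whether inline code is present."""

    def __init__(self, page_origin):
        super().__init__()
        self.page_origin = page_origin
        self.sources = {}      # directive -> set of source expressions
        self.inline = set()    # directives that only keep working with 'unsafe-inline'
        self._in_script = self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return   # icons, preloads etc. are not style-src
        for (t, attr), directive in SOURCES.items():
            if tag == t and a.get(attr):
                self.sources.setdefault(directive, set()).add(origin_of(a[attr], self.page_origin))
        if any(k.startswith("on") for k in a):
            self.inline.add("script-src")   # onclick= and friends are inline script
        if "style" in a:
            self.inline.add("style-src")
        self._in_script = tag == "script" and "src" not in a
        self._in_style = tag == "style"

    def handle_data(self, data):
        if data.strip():
            if self._in_script:
                self.inline.add("script-src")
            if self._in_style:
                self.inline.add("style-src")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_script = self._in_style = False


def build_policy(html, page_origin, default="'none'"):
    """Calculate a policy string from the page's DOM; 'unsafe-inline' is added only where needed."""
    p = PolicyCollector(page_origin)
    p.feed(html)
    p.close()
    out = ["default-src %s" % default]
    for directive in sorted(set(p.sources) | p.inline):
        values = sorted(p.sources.get(directive, set()))
        if directive in p.inline:
            values.append("'unsafe-inline'")   # weakens the policy; better to move the code out
        out.append("%s %s" % (directive, " ".join(values)))
    return "; ".join(out)


def csp_headers(policy):
    """The same value under the three header names the PHP stub above sets."""
    return {name: policy for name in HEADER_NAMES}


if __name__ == "__main__":
    print(build_policy(SAMPLE_HTML, "https://app.example.com"))
```

The `'unsafe-inline'` entries are exactly what the "Calculate" step can only report, not fix: every inline handler and `<script>` block has to be moved into a file (or given a nonce) before the policy gives any protection against script injection.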

cspCalculator should not be deployed in a production environment, since the setting of cookies and/or a CSP by use of header() calls may itself introduce other classes of vulnerability. Rather, once the appropriate CSP has been identified it should be set statically through the use of header() (as in PHP) or other similar calls.

Examples

Since cspCalculator isn’t particularly easy to demonstrate in a static context, a demo version has been deployed for your amusement at www.cspcalculator.org. It is hosted on a separate domain to minimise the risks outlined above in the Usage section.

Download: cspCalculator-0.2.tar.gz (November 29, 2013, 14.2 KiB, MD5 hash: 496b55e3ffa575178428d1d85e42e113)

Crash
https://labs.portcullis.co.uk/tools/crash/
Tue, 17 Dec 2013 16:08:23 +0000

The purpose of this tool is to catch crashes from OS X applications and print debugging information such as registers, disassembled code and a memory dump of the stack. It is intended to be used in conjunction with an application fuzzer.

Key features

  • Catch OS X application’s crashes
  • Display CPU registers
  • Display disassembled code at the instruction that produced the crash
  • Display a part of the stack
  • Works transparently whether the application is 32- or 64-bit

Overview

The crash tool is similar to the crash.exe tool from FileFuzz, but for OS X. Used with an application fuzzer, it monitors the target application for exceptions.

It is written in C and it works on both x86 and x86_64 architectures. It uses the excellent BeaEngine to disassemble the code.

Installation

To install the tool you will need to generate a self-signed code-signing certificate, which the install step uses to sign the binary.

This can be done by following these steps:

  1. Open Keychain Access.app
  2. Open menu Keychain Access/Certificate Assistant/Create a Certificate…
  3. Choose a name (codesigning-cert in the example).
  4. Set Identity Type to Self Signed Root.
  5. Set Certificate Type to Code Signing.
  6. Select “Let me override defaults”.
  7. Click several times on Continue until you get to the Specify a Location For The Certificate screen, then set Keychain to System.
  8. Finally, using the contextual menu for the certificate, select Get Info, open the Trust item, and set Code Signing to Always Trust.
  9. You must quit the Keychain Access application in order to use the certificate.

Then run the following commands:

$ make
gcc -Iinclude/ -Wall -pedantic -framework Security -sectcreate __TEXT __info_plist ./Info.plist BeaEngine.o crash.c -o crash
$ sudo make install
Password:
cp crash /usr/local/bin
chgrp procmod /usr/local/bin/crash
chmod 2755 /usr/local/bin/crash
codesign -s codesigning-cert /usr/local/bin/crash
$

Usage

$ ./crash
Usage: crash [options] target arguments
  -t seconds        timeout (default: 5).

Using BeaEngine version 4.1-175.
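The supervision loop a tool like this runs, as an added example that is not code from the crash tool or from Portcullis Labs: the parent forks the target, polls it with waitpid() until it exits, dies from a signal or overruns the -t style timeout, and reports which happened. Register and disassembly output is platform-specific (Mach exception ports on OS X) and is not shown here. The names monitor_child, run_target, spawn_fn and the crash_report struct are my own; the demo bodies that crash, hang or exit are constructed so the block runs without an external target binary.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum outcome { OUTCOME_EXITED, OUTCOME_CRASHED, OUTCOME_TIMEOUT, OUTCOME_ERROR };

struct crash_report {
    enum outcome outcome;
    int code;   /* exit status for OUTCOME_EXITED, signal number for OUTCOME_CRASHED */
    int core;   /* non-zero if the kernel reported a core dump */
};

/* Poll the child every 10 ms. Death by signal is reported as a crash; if the
 * deadline passes first, the child is killed and a timeout is reported. */
int monitor_child(pid_t pid, int timeout_sec, struct crash_report *r)
{
    const struct timespec tick = { 0, 10L * 1000 * 1000 };
    long waited_ms = 0;
    int status;

    memset(r, 0, sizeof *r);
    if (pid <= 0) { r->outcome = OUTCOME_ERROR; return -1; }
    for (;;) {
        pid_t w = waitpid(pid, &status, WNOHANG);
        if (w == -1) {
            if (errno == EINTR) continue;
            r->outcome = OUTCOME_ERROR;
            return -1;
        }
        if (w == pid) {
            if (WIFSIGNALED(status)) {
                r->outcome = OUTCOME_CRASHED;
                r->code = WTERMSIG(status);
#ifdef WCOREDUMP
                r->core = WCOREDUMP(status) ? 1 : 0;
#endif
            } else {
                r->outcome = OUTCOME_EXITED;
                r->code = WEXITSTATUS(status);
            }
            return 0;
        }
        if (waited_ms >= timeout_sec * 1000L) {
            kill(pid, SIGKILL);
            while (waitpid(pid, &status, 0) == -1 && errno == EINTR)
                ;
            r->outcome = OUTCOME_TIMEOUT;
            return 0;
        }
        nanosleep(&tick, NULL);
        waited_ms += 10;
    }
}

/* Fork, exec the target with its arguments and monitor it (argv[0] is the path). */
int run_target(char *const argv[], int timeout_sec, struct crash_report *r)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                  /* exec failed */
    }
    return monitor_child(pid, timeout_sec, r);
}

/* Demo helper: run a function in a child process instead of an external binary. */
pid_t spawn_fn(void (*body)(void))
{
    pid_t pid = fork();
    if (pid == 0) { body(); _exit(0); }
    return pid;
}

/* Constructed child behaviours for the demo. */
void crash_body(void) { signal(SIGSEGV, SIG_DFL); raise(SIGSEGV); }
void hang_body(void)  { for (;;) pause(); }
void exit3_body(void) { _exit(3); }

static void print_report(const char *label, const struct crash_report *r)
{
    switch (r->outcome) {
    case OUTCOME_EXITED:  printf("[+] %s: exited with status %d\n", label, r->code); break;
    case OUTCOME_CRASHED: printf("[+] %s: killed by signal %d (%s)%s\n", label, r->code,
                                 strsignal(r->code), r->core ? ", core dumped" : ""); break;
    case OUTCOME_TIMEOUT: printf("[+] %s: timeout exceeded, killed\n", label); break;
    default:              printf("[-] %s: monitor error\n", label); break;
    }
}

int main(void)
{
    struct crash_report r;
    monitor_child(spawn_fn(crash_body), 2, &r); print_report("crash", &r);
    monitor_child(spawn_fn(hang_body), 1, &r);  print_report("hang", &r);
    monitor_child(spawn_fn(exit3_body), 2, &r); print_report("exit", &r);
    return 0;
}
```

Polling with WNOHANG rather than blocking in waitpid() is what makes the timeout enforceable; a fuzzing harness that blocks will stall on the first input that makes the target spin. To supervise a real binary, pass a NULL-terminated argv to run_target in place of the spawn_fn demo.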

Examples

# Define the amount of time the target program is allowed to live.
$ sudo ./crash -t 2 /usr/local/bin/dummy64
[+] PID: 31273. Executing: /usr/local/bin/dummy64
PID: 31273 (0x7a29)
[+] Timeout exceeded, exiting.
$

# Catching a crash from a 64 bits application.
$ sudo ./crash -t 2 /usr/local/bin/dummy64 1 0
[+] PID: 31282. Executing: /usr/local/bin/dummy64 1 0
[+] Exception: unknown exception code 0xd.
----------------------------------------------------------------------------------------------
[ RAX: 4141414141414141  RBX: 0000000000000000  RCX: 4242424242424242  RDX: ffffffffffffffff ]
[ RSI: 0000000000000000  RDI: 000000000000003c  RBP: 00007fff52359ef0  RSP: 00007fff52359eb0 ]
[ R08: 0000000000000000  R09: 0000000000000000  R10: 0000000000000001  R11: 00007fff76360250 ]
[ R12: 0000000000000000  R13: 0000000000000000  R14: 0000000000000000  R15: 0000000000000000 ]
[     CS: 002b      FS: 0000      GS: 0000      RIP: 000000010d8a6ed4    o d I t s Z a p C   ]

000000010d8a6ed4: mov        qword [rax], rcx
000000010d8a6ed7: mov         [rbp-0x18], 0x00000000
000000010d8a6ede: mov        eax,  [rbp-0x18]
000000010d8a6ee1: mov         [rbp-0x14], eax
000000010d8a6ee4: mov        eax,  [rbp-0x14]
000000010d8a6ee7: add        rsp, 0x40

Stack:
00007fff52359eb0: 00007fff52359f38  8.5R....
00007fff52359eb0: 0000000000000000  ........
00007fff52359eb0: 0000000000000000  ........
00007fff52359eb0: 4141414141414141  AAAAAAAA
00007fff52359eb0: 0000000000000001  ........
00007fff52359eb0: 0000000000000000  ........
00007fff52359eb0: 00007fff52359f10  ..5R....
00007fff52359eb0: 000000036d4a705e  ^pJm....
----------------------------------------------------------------------------------------------

# Catching a crash from a 32 bits application.
$ sudo ./crash -t 2 /usr/local/bin/dummy32 1 0
[+] PID: 31285. Executing: /usr/local/bin/dummy32 1 0
[+] Exception: KERN_INVALID_ADDRESS.
--------------------------------------------------------------
[ EAX: 00000000  EBX: bff6df54  ECX: bff6de4c  EDX: 99ce68e6 ]
[ ESI: 00000000  EDI: 00000000  EBP: bff6df08  ESP: bff6ded0 ]
[ ES: 0023  CS: 001b  SS: 0023  DS: 0023  FS: 0000  GS: 000f ]
[ EIP: 00093f23                            o d I t S Z a P C ]

00093f23: mov         [0x41414141], 0x42424242
00093f2d: mov         [ebp-0x10], 0x00000000
00093f34: mov        eax,  [ebp-0x10]
00093f37: mov         [ebp-0x0C], eax
00093f3a: mov        eax,  [ebp-0x0C]
00093f3d: add        esp, 0x38

Stack:
bff6ded0: 00000000  ....
bff6ded0: 0000000a  ....
bff6ded0: 8fe925ec  .%..
bff6ded0: 00093e5b  [>..
bff6ded0: 00000001  ....
bff6ded0: bff6df50  P...
bff6ded0: bff6df40  @...
bff6ded0: bff6df38  8...
--------------------------------------------------------------

Download: crash-1.0.tar.bz2 (December 17, 2013, 253.3 KiB, MD5 hash: 53f1eb77dc8d1eeee38bc5da6cca25be)

smaSHeM
https://labs.portcullis.co.uk/tools/smashem/
Tue, 12 Nov 2013 22:24:29 +0000

smaSHeM is a System V shared memory segment manipulator.

Key features

  • Allows dumping of segments in a variety of formats including JPEGs
  • Allows patching of segments

Overview

System V shared memory segments created with shmget() are assigned an owner, a group and a set of permissions intended to limit access to the segment to designated processes only. The owner of a shared memory segment can change the ownership and permissions on a segment after its creation using shmctl(). Any subsequent processes that wish to attach to the segment can only do so if they have the appropriate permissions. Once attached, the process can read or write to the segment, as per the permissions that were set when the segment was created.

smaSHeM takes advantage of applications that set weak permissions on such segments, allowing an attacker to dump or patch their contents. As discussed in my presentation at 44CON 2013 entitled “I miss LSD”, in the case of many X11 applications it is possible to extract pixmaps of previously rendered GUI artifacts. When compiled with QtCore linking enabled, smaSHeM aids in that process by brute-forcing potentially valid dimensions for the raw pixmap dump.
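The audit check a defender would run for the weakness described above, as an added example that is not part of smaSHeM: create a segment, read its shm_perm.mode back with shmctl(IPC_STAT), flag any group or other read/write bit (which is what lets a process outside the owning user attach), and tighten it to owner-only with IPC_SET. The function names are assumed for illustration; the 0666 segment is constructed to stand in for the kind of segment an application leaves behind.

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Create a private segment with the given permission bits; returns the shmid or -1. */
int create_segment(size_t len, int mode)
{
    return shmget(IPC_PRIVATE, len, IPC_CREAT | IPC_EXCL | (mode & 0777));
}

/* Read the segment's ownership, mode and attachment count with IPC_STAT. */
int stat_segment(int shmid, struct shmid_ds *ds)
{
    return shmctl(shmid, IPC_STAT, ds);
}

/* A segment is "weak" if any group or other read/write bit (0066) is set, so a
 * process running as a different user could shmat() to it. Returns 1, 0 or -1. */
int segment_is_weak(int shmid)
{
    struct shmid_ds ds;
    if (stat_segment(shmid, &ds) != 0) return -1;
    return (ds.shm_perm.mode & 0066) ? 1 : 0;
}

/* Restrict a segment to its owner (0600). Only the owner, the creator or root
 * may change these bits; any other caller gets EPERM from shmctl(). */
int tighten_segment(int shmid)
{
    struct shmid_ds ds;
    if (stat_segment(shmid, &ds) != 0) return -1;
    ds.shm_perm.mode = 0600;
    return shmctl(shmid, IPC_SET, &ds);
}

/* Mark the segment for destruction once the last process detaches. */
int remove_segment(int shmid)
{
    return shmctl(shmid, IPC_RMID, NULL);
}

/* One line per segment, the way an audit script would report it. */
int describe_segment(int shmid, char *buf, size_t buflen)
{
    struct shmid_ds ds;
    if (stat_segment(shmid, &ds) != 0) return -1;
    return snprintf(buf, buflen, "shmid %d owner uid %u mode %04o size %zu attached %lu%s",
                    shmid, (unsigned)ds.shm_perm.uid, (unsigned)(ds.shm_perm.mode & 0777),
                    (size_t)ds.shm_segsz, (unsigned long)ds.shm_nattch,
                    (ds.shm_perm.mode & 0066) ? " WEAK" : "");
}

int main(void)
{
    char line[128];
    int id = create_segment(4096, 0666);   /* constructed: a world read/write segment */
    if (id < 0) { perror("shmget"); return 1; }
    describe_segment(id, line, sizeof line); puts(line);
    tighten_segment(id);
    describe_segment(id, line, sizeof line); puts(line);
    remove_segment(id);
    return 0;
}
```

The same IPC_STAT loop over the ids listed by ipcs(1) gives an inventory of every segment on a host; segments reported WEAK and owned by a service account are the ones worth raising with the application's developers, since the fix belongs in the shmget() or shmctl() call that created them.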

Installation

$ ./configure [--with-qtcore] && make && make install

Usage

$ smaSHeM -v | -i <shmemid> -l <shmemlength> <-@ <patchoffset> -s <patchstring> | -d [-p | -c | -P | -j -x <xstart> -X <endx> -y <starty> -Y <yend>]>

Examples

Dumping the contents of a System V shared memory segment prettily:

$ smaSHeM -i 94273546 -l 459200 -d -P
0xf32fa000      00 00 00 00 1a 1a 1a 1a ........
0xf32fa008      7d 7d 7d 7d a7 a7 a7 a7 ........
0xf32fa010      af af af af af af af af ........
0xf32fa018      af af af af af af af af ........
0xf32fa020      af af af af af af af af ........
0xf32fa028      af af af af af af af af ........
0xf32fa030      af af af af af af af af ........
0xf32fa038      af af af af af af af af ........
0xf32fa040      af af af af af af af af ........
0xf32fa048      af af af af af af af af ........
0xf32fa050      af af af af af af af af ........
0xf32fa058      af af af af af af af af ........
0xf32fa060      af af af af af af af af ........
0xf32fa068      af af af af af af af af ........
0xf32fa070      af af af af af af af af ........
0xf32fa078      af af af af af af af af ........
...

Patching a segment:

$ smaSHeM -i 41779331 -l 2640 -@ 0 -s `perl -e 'print "A"x1024'`

Dumping the contents of a segment as a set of JPEGs with dimensions 0-300×30 (requires QtCore):

$ smaSHeM -i 41779331 -l 2640 -d -J -x 0 -X 300 -y 30 -Y 30

Download: smaSHeM-0.4.tar.gz (November 12, 2013, 210.0 KiB, MD5 hash: 2e30e4edd2faf5946b6c0e1a244fd0ba)

Finding all the vhosts
https://labs.portcullis.co.uk/tools/finding-all-the-vhosts/
Mon, 11 Nov 2013 17:00:15 +0000

There are a number of ways to own a webapp. In a shared environment, an attacker can enumerate all the applications accessible and target the weakest one to root the server and with it all the webapps on the box. To try and emulate this approach on a pentest, we have to find ALL THE VHOSTS.

Key features

This natty python 2 script scrapes a series of web applications (including bing and yougetsignal’s database) and looks at the Subject Alternative Names in the SSL certificate to find as many web applications as possible which resolve to an IP address. No guarantees are made as to the completeness or accuracy of the data, but it’s the best we can do. It can give an insight into the attack surface associated with a given IP address, allowing testers to advise clients in situations where the risk is out of their control.
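The Subject Alternative Name extension the script reads is a DER SEQUENCE of tagged GeneralName entries, and a certificate that lists several dNSName entries is the reason one certificate can reveal many vhosts. As an added example (not the allthevhosts script and not Portcullis Labs code) here is a minimal parser for that extension value, run over a constructed sample; it also shows the check a careful parser needs, rejecting a dNSName that carries an embedded NUL byte so that "good.example\0evil" is never reported as "good.example". The names parse_san, der_tlv and san_result are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 16
#define MAX_NAME_LEN 253      /* longest legal DNS name */

struct san_result {
    int dns_count;                          /* accepted dNSName entries */
    char dns[MAX_NAMES][MAX_NAME_LEN + 1];
    int rejected;                           /* dNSName entries that failed validation */
    int other;                              /* iPAddress, rfc822Name, URI, ... */
};

/* Read one DER tag-length-value at pos; sets *tag, *len and *val (offset of the
 * value bytes). Returns -1 if the element would run past buflen. */
static int der_tlv(const uint8_t *buf, size_t buflen, size_t pos,
                   unsigned *tag, size_t *len, size_t *val)
{
    if (pos + 2 > buflen) return -1;
    *tag = buf[pos];
    size_t l = buf[pos + 1];
    pos += 2;
    if (l & 0x80) {                         /* long form: next n bytes hold the length */
        size_t n = l & 0x7f;
        if (n == 0 || n > sizeof(size_t) || pos + n > buflen) return -1;
        l = 0;
        for (size_t i = 0; i < n; i++) l = (l << 8) | buf[pos + i];
        pos += n;
    }
    if (l > buflen - pos) return -1;        /* value runs past the buffer */
    *len = l;
    *val = pos;
    return 0;
}

/* dNSName is an IA5String: accept only printable ASCII, so no NUL and no spaces. */
static int valid_dns_name(const uint8_t *p, size_t len)
{
    if (len == 0 || len > MAX_NAME_LEN) return 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] < 0x21 || p[i] > 0x7e) return 0;
    return 1;
}

/* Parse a SubjectAltName value (GeneralNames ::= SEQUENCE OF GeneralName).
 * Returns the number of accepted dNSName entries, or -1 on malformed DER. */
int parse_san(const uint8_t *der, size_t derlen, struct san_result *out)
{
    unsigned tag; size_t len, val;
    memset(out, 0, sizeof *out);
    if (der_tlv(der, derlen, 0, &tag, &len, &val) != 0 || tag != 0x30) return -1;
    size_t pos = val, end = val + len;
    while (pos < end) {
        if (der_tlv(der, end, pos, &tag, &len, &val) != 0) return -1;
        if (tag == 0x82) {                  /* [2] IMPLICIT IA5String: dNSName */
            if (valid_dns_name(der + val, len) && out->dns_count < MAX_NAMES) {
                memcpy(out->dns[out->dns_count], der + val, len);
                out->dns[out->dns_count][len] = '\0';
                out->dns_count++;
            } else {
                out->rejected++;
            }
        } else {
            out->other++;
        }
        pos = val + len;
    }
    return out->dns_count;
}

/* Constructed sample: SEQUENCE { dNSName "www.example.com", dNSName "example.com",
 * iPAddress 192.0.2.1 }, i.e. two vhosts sharing one certificate and address. */
static const uint8_t SAMPLE_SAN[] = {
    0x30, 0x24,
    0x82, 0x0f, 'w','w','w','.','e','x','a','m','p','l','e','.','c','o','m',
    0x82, 0x0b, 'e','x','a','m','p','l','e','.','c','o','m',
    0x87, 0x04, 192, 0, 2, 1
};

/* Constructed sample: a dNSName "ab\0cd" with an embedded NUL, which must be rejected. */
static const uint8_t NUL_SAN[] = { 0x30, 0x07, 0x82, 0x05, 'a','b',0x00,'c','d' };

int main(void)
{
    struct san_result r;
    int n = parse_san(SAMPLE_SAN, sizeof SAMPLE_SAN, &r);
    for (int i = 0; i < n; i++) printf("dNSName: %s\n", r.dns[i]);
    printf("%d other name(s), %d rejected\n", r.other, r.rejected);
    return 0;
}
```

In a real run the bytes handed to parse_san are the value of the extension with OID 2.5.29.17 inside the certificate's TBSCertificate, and each accepted name would then be resolved to confirm it points at the address under review, which is the verification step the script's output shows.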

Usage and example

$ python2 allthevhosts.py 213.165.238.226
[+] bing search complete
[+] myipneighbours Search Complete
[E]ipneighbour search error.
[+] yougetsignal Search Complete
[+] SAN enumeration complete.
[+] resolved original addresss...
[+] verifying that 8 found URLs resolve to the same address
[+] all URLs resolved

www.portcullis-security.com
labs.portcullis.co.uk
www.portcullis.co.uk
ctads.net
portcullis-forensics.com
portcullis-security.com
portcullis.co.uk

Download: allthevhosts.tar.gz (November 4, 2013, 1.7 KiB, MD5 hash: be3c25a78d89f9b5234689250824fbed)

Whois… Like A Boss!
https://labs.portcullis.co.uk/tools/whois-like-a-boss/
Mon, 04 Nov 2013 16:48:41 +0000

At the outset of an external infrastructure test it’s often useful to ensure that the addresses you’re testing are correct, and actually owned by the client. Failure to do so can result in an awkward situation, and one we here at Portcullis Labs would like to avoid wherever possible. With this in mind, we’ve learned to whois… like a boss.

Key features

This handy little python 2 script does whois lookups on the IP addresses given in a file (one per line), and will give you the range and owner of each of the addresses (with duplicates removed) so you can spot anything that looks fishy before you start testing*.

Usage and example

IP address file:

8.8.8.8
8.8.8.9
4.4.2.2

And to run:

$ python2 whoislikeaboss.py ips
8.0.0.0 - 8.255.255.255 Level 3 Communications, Inc.
4.0.0.0 - 4.255.255.255 Level 3 Communications, Inc.

Simples!

*- Common sense not included.

Download: whoislikeaboss.tar.gz (November 4, 2013, 901.0 B, MD5 hash: c628b46d07ee1c65668687e6d11a09c9)
