Tuesday, April 10, 2018

Tool Review - CrackMapExec



Marcello Salvati/@byt3bl33d3r


CrackMapExec (CME) is designed to be used as a post-exploitation tool that helps with detecting, enumerating, accessing, and further exploiting hosts and data in an Active Directory network.


BSD License

How to Install

On Kali Linux it is as simple as:
# apt-get install crackmapexec
For other Debian/Ubuntu Linux systems it is as simple as:
# apt-get install -y libssl-dev libffi-dev python-dev build-essential
# pip install crackmapexec
If by chance you feel the need to install from source, the steps are as follows:
# apt-get install -y libssl-dev libffi-dev python-dev build-essential
# pip install --user pipenv
# git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
# cd CrackMapExec && pipenv install
# pipenv shell
# python setup.py install
There are also versions available for Arch Linux and Mac OSX.  For more information please visit the WIKI.

Sample Usage

As with most command line tools, CME provides a useful help screen.

It also provides context help, for example, here is a sample of the help for the "smb" protocol:

For the "smb" protocol, there are a number of different modules that can be used as well:


Monday, February 12, 2018

Tool Review - JexBoss




João Filho Matos Figueiredo/@joaomatosf


JexBoss is just the shortened name for the "JBoss (and other Java Deserialization Vulnerabilities) verify and EXploitation Tool"

JexBoss is a Python tool designed to identify and test for the presence of various exploitable vulnerabilities that can be found in JBoss Application Server, Tomcat, Jenkins, and other Java frameworks and platforms.


Apache License, Version 2.0

How to Install

On most Linux systems, the user will probably just download the source from GitHub:
git clone https://github.com/joaomatosf/jexboss.git
and then they will need to ensure all dependencies are installed:
pip install -r requires.txt
Or the user could download the latest version from GitHub as follows:
Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip
unzip master.zip
cd jexboss-master
pip install -r requires.txt
JexBoss can also be installed on Windows systems. According to the developer, the user can use Git Bash to run JexBoss. Follow the steps below:
  • Download and install Python
  • Download and install Git for Windows
  • After installing, run the Git for Windows and type the following commands:
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt

Sample Usage

As with most Linux tools, JexBoss comes with the typical "-h" flag to display the help/usage:

That shows the syntax to execute JexBoss is:
usage: JexBoss [-h] [--version] [--auto-exploit] [--disable-check-updates]
               [-mode {standalone,auto-scan,file-scan}] [--app-unserialize]
               [--servlet-unserialize] [--jboss] [--jenkins] [--struts2]
               [--jmxtomcat] [--proxy PROXY] [--proxy-cred LOGIN:PASS]
               [--jboss-login LOGIN:PASS] [--timeout TIMEOUT]
               [--cookies NAME=VALUE] [--reverse-host RHOST:RPORT] [--cmd CMD]
               [--dns URL] [--windows] [--post-parameter PARAMETER]
               [--show-payload]
               [--gadget {commons-collections3.1,commons-collections4.0,jdk7u21,jdk8u20,groovy1,dns}]
               [--load-gadget FILENAME] [--force] [-host HOST]
               [-network NETWORK] [-ports PORTS] [-results FILENAME]
               [-file FILENAME_HOSTS] [-out FILENAME_RESULTS]
As with most tools, not all of those command line options are necessary.  At the very minimum, the user will need to enter:
jexboss.py -u <hostname/IP/URL>
Beyond that simple command, the user can specify any of the other options as well, depending on their needs.  Some of the other command line options include flags for enabling auto-exploitation of vulnerable systems, flags to test for just one of JBoss/Jenkins/Struts2/Tomcat, and flags to specify login credentials.


Monday, February 5, 2018

Intro to Programming - Part 1

This is my first post of a new series of programming centric posts.  This series will be starting with a short overview of common programming topic without going into too much depth on basic concepts like, What is a programming Language, What is a variable, etc...

There are entire courses, college classes, and so on available if someone really wants to learn the topics in more detail.

The purpose of this "Intro to Programming" series is to make sure everyone has at least a basic understanding before I get into the next series on "Intro to Python Programming".  Once that series is complete, I will be moving on into "Python for Pentesters".


SlideDeck via SlideShare:

Monday, January 29, 2018

Tool Review - Nmap NSE Scripts




Originally written by Gordon Lyon (Fyodor Vaskovich)
As Nmap is opensource, many other people have contributed to it over the years.


Nmap is probably one of, if not the most, recognized and used security tools.  Among Nmap's features are host discovery, port scanning, service version detection, OS detection, and the Nmap Scripting Engine (NSE).


Custom License based on GPLv2

How to Install

On most Linux systems, there will be a prepackaged bundle for it.  For example, on Kali Linux, it is easy to install from apt:
apt-get install nmap 
However, if the user wishes to have the latest and greatest version of Nmap, they will need to download it and install it from source:
git clone https://github.com/nmap/nmap.git
and then they will need to configure and build the binaries:
cd nmap
./configure
make install

A very in-depth installation guide can be found here.

Sample NSE Usage

It is the NSE that we will be looking at today.  As I stated above, many people know of and have used Nmap and as such, I do not plan on covering all of the standard uses and features of it; there are plenty of other blogs, videos, and books out there already for that.  Instead, I want to focus on the NSE and how it can be used in a penetration assessment.

At the time of writing this article, there are 586 NSE scripts.  Those are associated with 14 (15 if you include the "all" category) script categories:
  • all
  • auth
  • broadcast
  • brute
  • default
  • discovery
  • dos
  • exploit
  • external
  • fuzzer
  • intrusive
  • malware
  • safe
  • version
  • vuln

To use any of the scripts, the user will need to specify them on the command line using the "--script" flag.  For example, if they wished to execute the smb-security-mode.nse script, they would type:
nmap --script smb-security-mode.nse -p 445 <target IP>
Multiple scripts can be specified at one time by separating them with a comma:
nmap --script smb-security-mode.nse,smb-os-discovery.nse -p 445 <target IP>
Similarly, an entire category can be specified:
nmap --script discovery <target IP>
A more complicated selection of scripts can be determined using the and, or, and not operators. For example, if the user wished to run every script except those in the dos category:
nmap --script "not dos" <target IP>
Or possibly all scripts that are in the vuln category but also the safe category:
nmap --script "vuln and safe" <target IP>
By utilizing the script categories, boolean operators, and single script selections, it is possible to be very specific in determining the script selections.
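To make the selection rules above concrete, here is an added example (not part of the original article or of Nmap itself) that models how a "--script" expression is resolved against a script database. The script list and category assignments in SAMPLE_SCRIPT_DB are constructed for illustration ("smb-vuln-example" is a placeholder name), and the evaluator is a simplified model of Nmap's behaviour: it handles names, categories, "all", commas, and, or, not and parentheses, but not the wildcards or file paths Nmap also accepts.

```python
import re

# Constructed sample of an NSE script database: script name -> categories.
# The category assignments are illustrative; the real list lives in Nmap's
# scripts/script.db and covers several hundred scripts.
SAMPLE_SCRIPT_DB = {
    "smb-security-mode": {"default", "discovery", "safe"},
    "smb-os-discovery": {"default", "discovery", "safe"},
    "smb-vuln-example": {"vuln", "safe"},        # constructed script name
    "ssl-heartbleed": {"vuln", "safe"},
    "http-slowloris": {"dos", "intrusive"},
    "ftp-brute": {"brute", "intrusive"},
}

# One token at a time: parenthesis, comma (a synonym for "or"), or a name.
TOKEN_RE = re.compile(r"\s*(\(|\)|,|[A-Za-z0-9_.\-]+)")


def tokenize(expr):
    """Split a --script expression into its tokens, rejecting stray characters."""
    tokens, pos = [], 0
    expr = expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("bad character at offset %d in %r" % (pos, expr))
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class ScriptSelector:
    """Recursive-descent evaluator for "--script" expressions.

    Precedence from loosest to tightest is or < and < not, and parentheses
    group, mirroring the Lua-style boolean syntax Nmap accepts.
    """

    def __init__(self, expr):
        self.tokens = tokenize(expr)
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def matches(self, name, categories):
        """True if the script `name` carrying `categories` is selected."""
        self.pos = 0
        value = self._or(name, categories)
        if self._peek() is not None:
            raise ValueError("unexpected token %r" % self._peek())
        return value

    def _or(self, name, cats):
        value = self._and(name, cats)
        while self._peek() in ("or", ","):
            self._take()
            rhs = self._and(name, cats)   # always evaluate so parsing advances
            value = value or rhs
        return value

    def _and(self, name, cats):
        value = self._not(name, cats)
        while self._peek() == "and":
            self._take()
            rhs = self._not(name, cats)
            value = value and rhs
        return value

    def _not(self, name, cats):
        tok = self._take()
        if tok == "not":
            return not self._not(name, cats)
        if tok == "(":
            value = self._or(name, cats)
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok is None or tok in (")", ",", "and", "or"):
            raise ValueError("expected a script or category name, got %r" % tok)
        # A bare name selects by category, by script name (".nse" optional),
        # or every script when it is the pseudo-category "all".
        ident = tok[:-4] if tok.endswith(".nse") else tok
        return ident == "all" or ident == name or ident in cats


def select_scripts(expr, script_db=SAMPLE_SCRIPT_DB):
    """Return the sorted script names that `expr` would select from `script_db`."""
    selector = ScriptSelector(expr)
    return sorted(n for n, cats in script_db.items() if selector.matches(n, cats))


if __name__ == "__main__":
    for e in ("smb-security-mode.nse,smb-os-discovery.nse", "discovery", "not dos",
              "vuln and safe", "(vuln or brute) and not intrusive"):
        print("%-40s -> %s" % (e, ", ".join(select_scripts(e))))
```

The point worth checking before a real run is the "safe" side of an expression: "vuln and safe" keeps only scripts whose authors tagged them safe, so a script that is both vuln and intrusive (or dos) is left out, which is usually what you want on a production network.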

Yes that was a lot of information there and yes I could probably write an entire book on just that (and I am sure someone probably already has), but for this article, I wish to focus mostly on the vuln script category.

First, let's try to find any windows/smb vulnerabilities on a target system:
nmap --script vuln -p445 <target IP>

So, this particular host appears to be missing a few critical patches which we would likely be able to exploit and gain access.

But that was just for port 445/tcp, what does this look like for other ports, like 5432/TCP (postgresql)?
nmap --script "vuln and safe" -p5432 <target IP>

This was just a sampling of the types of findings that Nmap is able to identify.
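The screenshots above show the human-readable output; when the same scan is written with -oX, the vuln scripts also leave a structured result behind, which is what you want to feed into a tracking sheet or ticketing system. The following is an added example, not code from the article or from Nmap: a small parser for the script results in nmap's XML output. SAMPLE_NMAP_XML is a constructed document that imitates the layout of -oX output ("smb-vuln-example", "example-hostscript" and the "EXAMPLE-VULN-ID" table keys are placeholders, not real script or vulnerability ids). Note that xml.etree trusts its input; for scan files received from someone else, parse them with defusedxml instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output, cut down to the elements this parser
# reads. The address, ports and script results are invented; "smb-vuln-example",
# "example-hostscript" and "EXAMPLE-VULN-ID*" are placeholder names.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script vuln -p445,5432 -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
        <script id="smb-vuln-example" output="&#xa;  VULNERABLE:&#xa;  Constructed SMB example finding&#xa;    State: VULNERABLE&#xa;">
          <table key="EXAMPLE-VULN-ID">
            <elem key="title">Constructed SMB example finding</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
        <script id="smb-security-mode" output="&#xa;  account_used: guest&#xa;  message_signing: disabled"/>
      </port>
      <port protocol="tcp" portid="5432">
        <state state="open"/>
        <service name="postgresql"/>
        <script id="ssl-heartbleed" output="&#xa;  NOT VULNERABLE">
          <table key="EXAMPLE-VULN-ID-2">
            <elem key="state">NOT VULNERABLE</elem>
          </table>
        </script>
      </port>
    </ports>
    <hostscript>
      <script id="example-hostscript" output="Could not negotiate a connection"/>
    </hostscript>
  </host>
</nmaprun>
"""

# States the vuln library reports that mean "act on this"; "NOT VULNERABLE"
# and "UNKNOWN (unable to test)" do not start with either prefix.
VULN_STATES = ("VULNERABLE", "LIKELY VULNERABLE")


def _finding(addr, port, script):
    """Flatten one <script> element into a dict.

    Scripts built on the vuln library record a structured result under
    <elem key="state">; other scripts only have free-text output, so the
    first output line is kept as a summary either way."""
    state_elem = script.find(".//elem[@key='state']")
    state = None
    if state_elem is not None and state_elem.text:
        state = state_elem.text.strip()
    lines = (script.get("output") or "").strip().splitlines()
    return {
        "host": addr,
        "port": port,            # None for host-level (hostscript) results
        "script": script.get("id"),
        "state": state,
        "summary": lines[0].strip() if lines else "",
    }


def parse_script_findings(xml_text):
    """Return every NSE script result in an nmap -oX document, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        for port in host.findall("ports/port"):
            label = "%s/%s" % (port.get("portid"), port.get("protocol"))
            for script in port.findall("script"):
                findings.append(_finding(addr, label, script))
        for script in host.findall("hostscript/script"):
            findings.append(_finding(addr, None, script))
    return findings


def vulnerable(findings):
    """Keep only results whose structured state says the host is (likely) vulnerable.

    Scripts with no structured state are dropped too; their free text needs a
    human to read it rather than a substring match."""
    return [f for f in findings
            if f["state"] is not None and f["state"].startswith(VULN_STATES)]


if __name__ == "__main__":
    findings = parse_script_findings(SAMPLE_NMAP_XML)
    for f in findings:
        print("%-12s %-8s %-20s %-16s %s" % (f["host"], f["port"] or "host",
                                             f["script"], f["state"] or "-", f["summary"]))
    print("vulnerable:", [f["script"] for f in vulnerable(findings)])
```

Filtering on the structured state rather than on the word VULNERABLE in the free text is deliberate: "NOT VULNERABLE" contains that word too, and matching on it is a classic way to turn a clean scan into a false positive.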

That will be enough for this article.  I may do another article on Nmap in the future, but for now, this should be enough to get people interested in looking into the other items that Nmap can do.  Now go out and try it out on your own test network.


Monday, January 22, 2018

Tool Review - BruteSpray




Shane Young/@x90skysn3k & Jacob Robles/@shellfail


BruteSpray is a Python script that takes an Nmap gnmap/xml output file as input and automatically starts brute-forcing the discovered services with default credentials using Medusa.



How to Install

On most Linux systems, the user will need to download the source from GitHub:
git clone https://github.com/x90skysn3k/brutespray.git
and then they will need to ensure all dependencies are installed:
pip install -r requirements.txt
On Kali Linux, it is much easier. Simply install it from apt:
apt-get install brutespray 

Sample Usage

As with most Linux tools, brutespray comes with the typical "-h" flag to display the help/usage:

That shows the syntax to execute brutespray is:
brutespray.py -f <input file> -t <# of threads> -T <# of simultaneous hosts> -u/-U <username/UsernameFile> -p/-P <password/PasswordFile> -c -i
Not all of those command line options are necessary.  At the very minimum, the user will need to enter:
brutespray.py -f <input file>
Beyond that simple command, the user can specify any of the other options as well, depending on their needs.
Of these other command line options, the most interesting is the "-i (interactive)" flag. When using this option, the user is prompted for all of the other information in a "Wizard" like manner:
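The first thing BruteSpray does with the "-f" input file, before the wizard asks anything, is work out which open services in the scan have a matching Medusa module. The following added example (not BruteSpray's own code) reproduces that inventory step for the gnmap format on a constructed scan file; SERVICE_TO_MODULE is an assumed mapping of Nmap service names to Medusa module names, modelled on what BruteSpray does rather than copied from it. Seen from the defender's side, the same table answers which password-authenticated services are exposed, and so where lockout policies and failed-login alerting matter most.

```python
# Constructed sample of `nmap -oG` (gnmap) output. Addresses are from the
# documentation range and the services/versions are invented.
SAMPLE_GNMAP = "\n".join([
    "# Nmap scan initiated (constructed sample) as: nmap -sV -oG scan.gnmap 192.0.2.0/28",
    "Host: 192.0.2.10 ()\tStatus: Up",
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "445/open/tcp//microsoft-ds///, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)",
    "Host: 192.0.2.11 ()\tStatus: Up",
    "Host: 192.0.2.11 ()\tPorts: 5432/open/tcp//postgresql//PostgreSQL DB 9.6/, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (998)",
    "# Nmap done (constructed sample)",
])

# Assumed mapping of Nmap service names to Medusa module names, modelled on
# the kind of table BruteSpray keeps; it is not copied from BruteSpray's source.
SERVICE_TO_MODULE = {
    "ssh": "ssh", "ftp": "ftp", "telnet": "telnet", "vnc": "vnc",
    "ms-sql-s": "mssql", "mysql": "mysql", "postgresql": "postgresql",
    "imap": "imap", "pop3": "pop3", "smtp": "smtp", "snmp": "snmp",
    "microsoft-ds": "smbnt", "netbios-ssn": "smbnt",
}


def parse_gnmap(text):
    """Yield (host, port, protocol, state, service, version) for every port entry.

    Each gnmap "Ports:" entry has seven slash-separated fields:
    port/state/protocol/owner/service/rpcinfo/version/. All states are
    returned here; callers decide whether only open ports matter."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comment lines and "Status: Up" lines
        host = line.split()[1]
        # The Ports field ends at the tab before "Ignored State:".
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0].strip()
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue                  # malformed entry: skip rather than crash
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            yield host, int(port), proto, state, service, version


def brute_targets(text, service_map=SERVICE_TO_MODULE):
    """Group open ports by Medusa module, the way the BruteSpray wizard does
    before it runs anything: module -> list of (host, port)."""
    targets = {}
    for host, port, _proto, state, service, _version in parse_gnmap(text):
        module = service_map.get(service)
        if state == "open" and module:
            targets.setdefault(module, []).append((host, port))
    return targets


if __name__ == "__main__":
    for module, hosts in sorted(brute_targets(SAMPLE_GNMAP).items()):
        print("%-12s %s" % (module, ", ".join("%s:%d" % h for h in hosts)))
```

Two details the sample exercises: the filtered mysql port is dropped because only open ports are usable, and http-proxy is dropped because no module maps to it, so BruteSpray would have nothing to try there either.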


Tuesday, January 16, 2018

A New Year

Happy 2018!!!!

Last year I wanted to try something new so I started the Pentest Fails Youtube series.  It has been a blast.  I enjoyed sharing the stories of both my fails as well as hearing other people share theirs.

For this year I have a few new plans I would like to share with you.
  1. I will be continuing the Pentest Fails videos.
  2. I will be starting a new video series where I demo and review various pentest tools.
  3. I will be starting a new video series where I step though "Programming for Pentesters".

For the Pentest Fails videos, not much will be changing.  I will still be sharing both my stories as well as stories other people have provided me.  Of course, there may be a few guest storytellers showing up as well.  However, I will be reducing the rate at which I will be releasing these videos to just 1 time a month.  This should allow me more time to prepare better videos and hopefully improve the overall quality of the videos and content.

For the tool review and demo video series, I want to discuss and share the tools that I personally find useful or interesting.  I will be creating new blog articles for each tool as well as showing how to install and execute the tool.  Due to the nature of the tools, some videos may be shorter than others.  I expect to be releasing about 2 new tool demo videos a month.

Finally, the "Programming for Pentesters" video series.  For this, I will be starting with a short introduction to programming and programming concepts followed by discussions of more advanced concepts.  As it is the primary language I am currently coding in, most of the code shown in the videos will be written Python. For the basic description of concepts or when I am roughing out a tool idea, I will be using Pseudo-Code as it is much more general and can better convey some concepts.  Along with the basic videos in this series, I may also include some "Lets Code" videos where I show the process from concept to final tool for some program I am writing.

Now being able to pull all of this off will not be an easy task for me, but I feel I can do it and it is a challenge I have set for myself for this year.

In order to keep everything in line and on time, I am proposing the following schedule for videos:
  • 1st Monday of the Month  => "Programming for Pentesters" (and "Let's Code")
  • 2nd Monday of the Month => Tool Demo
  • 3rd Monday of the Month  => Pentest Fails
  • 4th Monday of the Month => Tool Demo
  • 5th Monday of the Month => ???  TBD

Now if a given month falls in such a way that it has a 5th Monday, then I will come up with some special content for it.  That may take the form of some 1-off video or maybe just an extra of one of the other video series.  It will really depend on what I feel like at that time.

If a given month does NOT have a 4th Monday due to the way the weeks fall, then I will simply forgo the second Tool Demo video for that month.

Hopefully, everyone enjoys the videos and I look forward to seeing everyone's comments.

Thank you and have a great day.

Thursday, April 9, 2015

New Script/Tool: KeyLogging in JavaScript

So, you want to set up a keylogger within a website.  Ultimately it is fairly simple.  There are two items you will need.  First will be a way to log the keystrokes and second would be a way to capture the keystrokes.

For the logging of the key strokes, the simplest way would be with a small script similar to the following one.  This script accepts any GET or POST parameter and then logs it to the specified file.  Of course with this, it is assumed that you have a place to host this script and that the script has the proper permissions to create and write to the file.

It should be noted that I have used a version of that logging script for numerous situations, mostly for social engineering.  It works well for credential harvesting websites.  It also is useful as a simple data exfiltration script.

With that taken care of, now we need to build a way to capture the key strokes.  One of the simplest ways to go about this is demonstrated in the following code sample.  This code when included within a webpage (with the proper surrounding "script" tags) will capture every key pressed (as long as it is a printable character) and then send it off to a secondary logging script.

The previous simple key capture script has a few limitations.  The primary one is that it only captures printable characters.  Thus, key presses like [Backspace], [tab], [enter], [arrow keys], and so on will not be captured.  To account for these missing keys, it is important to not only listen for "onkeypress" but also for "onkeydown".  The following code takes this into account to provide a much more complete key capturing script.

Hopefully, you will find these scripts of use.  As always, if you have any questions/comments/criticisms, please feel free to let me know.