Recently, I was asked to test all SMB enabled devices on a fairly large network to find any hosts that still supported SMBv1. This was about a month before Nmap released their SMB version enumeration NSE. I quickly threw together a script using Impacket from CoreImpact (https://github.com/CoreSecurity/impacket). The initial script was about 10 lines including the imports, it was slow and only allowed for a single set of hardcoded input files. It was also single threaded so it was slow, about 4 seconds per address, it took almost a full day to complete for each iteration. Testing a patch program using this was untenable.
As we’re huge fans of code re-use I wrapped the script in my tried and true threading modules, re-learned argparse and created a function python program to only negotiate SMBv1 connections to a host. By only performing SMBv1 negotiation and not even including the options to enumerate others I didn’t duplicate the functionality from Nmap and don’t have to worry about false positives.
This script will generate a large amount of ARP requests during testing this is per RFC when connecting to port 139. If stealth is important reduce the threads using the -t option. Happy hunting and enjoy scanning for SMBv1.
Have you ever manually tested the Glassfish Authentication Bypass (CVE Details)? What about manually testing it on 40+ servers while dealing with indecisive people patching systems on the fly? I had that wonderful opportunity while running tests for a federal agency.
After all the headache and bureaucracy, I wrote a quick python program just to test for that specific case of verb tampering.
Time passed…and I switched jobs. During the interim, I spent a lot of time thinking about web verbs and what I could use them for as a penetration tester. Web verb tampering is on OWASP’s list but doesn’t seem to get the same amount of attention that the different types of injections command.
What this lead to was Verbinator. Verbinator tests web verbs and cases. Lots of web verbs. I found all of the RFC specified verbs plus some others used mostly by Microsoft. All of the RFC numbers and verbs are in the source if you’re interested. As a bonus, you can also cram some random text in for the verb because web servers absolutely LOVE unexpected input. While reading return data is barrels of fun, I also added a differential ability to show if the response changed when the web verb case was altered.
If you have any questions, comments, or ideas for improving the program, please let me know.
This is a direct collaboration with Doofenshmirtz Evil Incorporated all work is subject to platypus attack.
Source just rename it to .py verbinator
I was able to use the bash shellshock vulnerability last week to manually find a vulnerability in a web server through the HTTP User-agent. If you can do something manually there is a good chance that it can be done programmatically. This python program is an extension of that belief.
This program has three simple parts: an ICMP network listener, a urllib2 HTTP request generator, and a simple parser that displays the results. Why ICMP? 5 ping packets generated from a vulnerable server should not be a huge burden. Isn’t urllib2 pretty dated? It really is, but it ignores SSL certificate issues so I didn’t have to handle HTTPS requests differently from the HTTP requests.
This isn’t weaponized at all, while it can be weaponized pretty easily that is up to you and we don’t recommend testing this on an address that you aren’t authorized to use. Metasploitable2 has a shellshock User-agent vulnerability if you want to test this on a controlled network.
Usage – python shellshockUAScanner.py -r <CIDR range> -t <number of threads *default is 16> -i <interface *default is eth0>
I got some great feedback on the original code. I made a few of the quick and easy changes and am putting it out with those now. Send in your feedback using email or Twitter, the goal is to have a fast tool that is useful for the info sec community.
Changes in V1:
Added a start/end messages
Added progress counters to give better user feedback when scanning large ranges
Changes coming in V2:
Threading to make it faster in large ranges
IP randmization to prevent firewalls from blocking the tool due to sequential scans
I really like the network scanner propecia. But from the date in the program it was written in 1999. I wanted the same speed and simple use that also included IPv6 checks. My C programming isn’t that great so I decided to port it to python. propecia…pypecia…see what I did there?
The reason I needed to add the additional functionality was to check a firewall for proper rules restricting both IPv4 and IPv6 traffic. Hint, it wasn’t. Having a server in a DMZ locked up tight on the IPv4 interface and unsecured on the IPv6 interface is like locking half of the doors on your car and wondering why things got stolen.
pypecia scans a single port across the given CIDR network range: python pypecia.py -p <port> -r <CIDR range>
This is a small python script that will parse a word list by length. While working for another company I was able to use a NULL session to get the company password policy for Active Directory. Running the passwords that were shorter than the minimum length from the policy was a waste of time so I threw this together to solve that issue.
Usage is python dictbylenth.py -i <inputfile> -o <outputfile> -l <minimumlength>