Merge branch 'master' of github.com:mgeeky/Penetration-Testing-Tools

Mariusz B 2018-05-02 01:48:15 +02:00
commit 9bc0df2e0c
4 changed files with 69 additions and 8 deletions


@ -42,7 +42,7 @@ regexes = {
'SNMP-Server User/Password' : r'snmp-server user \name [\w-]+ auth md5 0x\hash priv 0x\hash localizedkey', 'SNMP-Server User/Password' : r'snmp-server user \name [\w-]+ auth md5 0x\hash priv 0x\hash localizedkey',
'FTP Server Username' : r'ip ftp username \name', 'FTP Server Username' : r'ip ftp username \name',
'FTP Server Password' : r'ip ftp password \password', 'FTP Server Password' : r'ip ftp password \password',
'ISAKMP Key' : r'crypto isakmp key \password address \ip', 'ISAKMP Pre-Shared Key' : r'crypto isakmp key \password(?: address \ip)?',
'SNMP-Server User Auth & Encr keys' : r'snmp-server user \name .* encrypted auth md5 ([0-9a-f\:]+) priv aes \d+ ([0-9a-f\:]+)', 'SNMP-Server User Auth & Encr keys' : r'snmp-server user \name .* encrypted auth md5 ([0-9a-f\:]+) priv aes \d+ ([0-9a-f\:]+)',
'PPP PAP Sent Username & Password' : r'ppp pap sent-username \name password \password', 'PPP PAP Sent Username & Password' : r'ppp pap sent-username \name password \password',
}, },
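Review bot: The optional `(?: address \ip)?` group on the new `'ISAKMP Pre-Shared Key'` entry makes the pattern accept a `crypto isakmp key` line whose trailing `address` clause is absent or does not match `\ip`, and in that case the peer address silently drops out of the match; a short comment on that line would save the next reader from assuming the address is always captured, e.g. `# peer address optional: key lines without a parseable 'address' clause still match`. The entry's dict key also changes from `'ISAKMP Key'` to `'ISAKMP Pre-Shared Key'`, so anything elsewhere that looks entries up by that name would need the same rename — I cannot see the rest of the file to confirm whether anything does. The `regexes` dict begins before this hunk.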


@ -13,6 +13,12 @@ try {
} catch { } catch {
} }
One can additionally add, right after Get-Credential following parameters that could improve
pretext's quality during social engineering attempt:
-Credential domain\username - when we know our victim's domain and/or username - we can supply this info to the dialog
-Message "Some luring sentence" - to include some luring message
#> #>
try { ((Get-Credential -Credential $null).GetNetworkCredential() | Select-Object @{name="User"; expression={If ($_.Domain -ne [string]::Empty) {"{0}\{1}" -f ($_.Domain), ($_.UserName)} Else { $_.UserName} }}, Password | Format-List) } catch { } try { ((Get-Credential -Credential $null).GetNetworkCredential() | Select-Object @{name="User"; expression={If ($_.Domain -ne [string]::Empty) {"{0}\{1}" -f ($_.Domain), ($_.UserName)} Else { $_.UserName} }}, Password | Format-List) } catch { }


@ -54,7 +54,7 @@
- **`post.php`** - (GIST discontinued, for recent version check: https://github.com/mgeeky/PhishingPost ) PHP Credentials Harversting script to be used during Social Engineering Phishing campaigns/projects. ([gist](https://gist.github.com/mgeeky/32375178621a5920e8c810d2d7e3b2e5)) - **`post.php`** - (GIST discontinued, for recent version check: https://github.com/mgeeky/PhishingPost ) PHP Credentials Harversting script to be used during Social Engineering Phishing campaigns/projects. ([gist](https://gist.github.com/mgeeky/32375178621a5920e8c810d2d7e3b2e5))
- **`reencode.py`** - ReEncoder.py - script allowing for recursive encoding detection, decoding and then re-encoding. To be used for instance in fuzzing purposes. Requires: jwt (pip install pyjwt). ([gist](https://gist.github.com/mgeeky/1052681318a8164b112edfcdcb30798f)) - **`reencode.py`** - ReEncoder.py - script allowing for recursive encoding detection, decoding and then re-encoding. To be used for instance in fuzzing purposes. Imagine you want to fuzz XML parameters within **PaReq** packet of 3DSecure standard. This packet has been ZLIB compressed, then Base64 encoded, then URLEncoded. In order to modify the inner XML you would need to peel off that encoding layers and then reaplly them in reversed order. This script allows you to do that in an automated manner. ([gist](https://gist.github.com/mgeeky/1052681318a8164b112edfcdcb30798f))
Sample output could look like: Sample output could look like:
@ -143,3 +143,7 @@ Node('/None/Base64/URLEncoder', decoded='AAAA')
- **`XXE Payloads`** - Internal IP address leakage via Object RTC (ORTC) interface implemented in Microsoft Edge. ([gist](https://gist.github.com/mgeeky/181c6836488e35fcbf70290a048cd51d)) - **`XXE Payloads`** - Internal IP address leakage via Object RTC (ORTC) interface implemented in Microsoft Edge. ([gist](https://gist.github.com/mgeeky/181c6836488e35fcbf70290a048cd51d))
- **`ysoserial-generator.py`** - This tool helps fuzzing applications that use Java serialization under the hood, by automating `ysoserial` proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
This tool generates every possible payload for every implemented gadget, thus resulting in number of payload files (or one file with number of lines), being URL/Base64 encoded along the way or not - which can be later used for manual penetration testing assignments like pasting that file to BurpSuite intruder, or enumerating every payload from within bash/python script.


@ -2,7 +2,10 @@
# #
# ReEncoder.py - script allowing for recursive encoding detection, decoding and then re-encoding. # ReEncoder.py - script allowing for recursive encoding detection, decoding and then re-encoding.
# To be used for instance in fuzzing purposes. # To be used for instance in fuzzing purposes. Imagine you want to fuzz XML parameters within
# **PaReq** packet of 3DSecure standard. This packet has been ZLIB compressed, then Base64 encoded,
# then URLEncoded. In order to modify the inner XML you would need to peel off that encoding layers
# and then reaplly them in reversed order. This script allows you to do that in an automated manner
# #
# NOTICE: # NOTICE:
# If the input string's length is divisble by 4, Base64 will be able to decode it - thus, the script # If the input string's length is divisble by 4, Base64 will be able to decode it - thus, the script
@ -21,6 +24,7 @@
import re import re
import sys import sys
import jwt import jwt
import zlib
import math import math
import base64 import base64
import urllib import urllib
@ -35,6 +39,22 @@ class ReEncoder:
# Switch this to show some verbose informations about decoding process. # Switch this to show some verbose informations about decoding process.
DEBUG = False DEBUG = False
class Utils:
@staticmethod
def isBinaryData(data):
nonBinary = 0
percOfBinaryToAssume = 0.10
for d in data:
c = ord(d)
if c in (10, 13):
nonBinary += 1
elif c >= 0x20 and c <= 0x7f:
nonBinary += 1
binary = len(data) - nonBinary
return binary >= int(percOfBinaryToAssume * len(data))
# ============================================================ # ============================================================
# ENCODERS SECTION # ENCODERS SECTION
# #
@ -75,7 +95,7 @@ class ReEncoder:
if urllib.quote(urllib.unquote(data)) == data and (urllib.unquote(data) != data): if urllib.quote(urllib.unquote(data)) == data and (urllib.unquote(data) != data):
return True return True
if re.match(r'^(?:%[0-9a-f]{2})+$', data, re.I): if re.search(r'(?:%[0-9a-f]{2})+', data, re.I):
return True return True
return False return False
@ -157,6 +177,28 @@ class ReEncoder:
def decode(self, data): def decode(self, data):
return jwt.decode(data, verify = False) return jwt.decode(data, verify = False)
class ZlibEncoder(Encoder):
def name(self):
return 'ZLIB'
def check(self, data):
if not ReEncoder.Utils.isBinaryData(data):
return False
try:
if zlib.compress(zlib.decompress(data)) == data:
return True
except:
pass
return False
def encode(self, data):
return zlib.compress(data)
def decode(self, data):
return zlib.decompress(data)
# ============================================================ # ============================================================
# ENCODING DETECTION IMPLEMENTATION # ENCODING DETECTION IMPLEMENTATION
@ -172,6 +214,7 @@ class ReEncoder:
ReEncoder.Base64Encoder(), ReEncoder.Base64Encoder(),
ReEncoder.Base64URLSafeEncoder(), ReEncoder.Base64URLSafeEncoder(),
ReEncoder.JWTEncoder(), ReEncoder.JWTEncoder(),
ReEncoder.ZlibEncoder(),
# None must always be the last detector # None must always be the last detector
ReEncoder.NoneEncoder(), ReEncoder.NoneEncoder(),
@ -352,6 +395,9 @@ class ReEncoder:
return encodings return encodings
def getWinningDecodePath(self, root):
return [x for x in self.evaluateEncodingTree(root) if x != 'None']
def process(self, data): def process(self, data):
root = anytree.Node('None', decoded = data) root = anytree.Node('None', decoded = data)
prev = root prev = root
@ -368,9 +414,10 @@ class ReEncoder:
prev = currNode prev = currNode
for pre, fill, node in anytree.RenderTree(root): for pre, fill, node in anytree.RenderTree(root):
if node.name != 'None':
ReEncoder.log("%s%s (%s)" % (pre, node.name, node.decoded[:20].decode('ascii', 'ignore'))) ReEncoder.log("%s%s (%s)" % (pre, node.name, node.decoded[:20].decode('ascii', 'ignore')))
self.encodings = self.evaluateEncodingTree(root) self.encodings = self.getWinningDecodePath(root)
ReEncoder.log('[+] Selected encodings: {}'.format(str(self.encodings))) ReEncoder.log('[+] Selected encodings: {}'.format(str(self.encodings)))
def decode(self, data, encodings = []): def decode(self, data, encodings = []):
@ -399,6 +446,10 @@ class ReEncoder:
return data return data
def main(argv): def main(argv):
# Sample 1: ZLIB -> Base64 -> URLEncode
sample = 'eJzzSM3JyVcozy%2FKSVFIK8rPVQhKdc1Lzk9JLVIEAIr8Cck%3D'
# Sample 2: URLEncode -> Base64 -> HexEncode
sample = '4a5451344a5459314a545a6a4a545a6a4a545a6d4a5449774a5463334a545a6d4a5463794a545a6a4a5459304a5449784a5449774a544e684a544a6b4a544935' sample = '4a5451344a5459314a545a6a4a545a6a4a545a6d4a5449774a5463334a545a6d4a5463794a545a6a4a5459304a5449784a5449774a544e684a544a6b4a544935'
if len(argv) != 2: if len(argv) != 2: