| .. | ||
| dtpscan.py | ||
| host-scanner-via-udp.py | ||
| iis_webdav_upload.py | ||
| networkConfigurationCredentialsExtract.py | ||
| nmap-grep-to-table.sh | ||
| pingsweep.py | ||
| README.md | ||
| smb-credential-leak.html | ||
| smtpdowngrade.rb | ||
| smtpvrfy.py | ||
| sshbrute.py | ||
| tcpproxy.py | ||
| VLANHopperDTP.py | ||
Networks Penetration Testing related scripts, tools and Cheatsheets
-
dtpscan.py- DTP Scanner - simple script trying to determine type of configured switchport and DTP negotation mode in order to assist in VLAN Hopping attacks. (gist) -
smtpdowngrade.rb- Bettercap TCP Proxy SMTP Downgrade module - prevents the SMTP client from sending "STARTTLS" and returns "454 TLS Not available..." to the client. (gist) -
networkConfigurationCredentialsExtract.py- Network-configuration Credentials extraction script - intended to sweep input configuration file and extract keys, hashes, passwords. (gist) -
VLANHopperDTP.py- VLAN Hopping via DTP Trunk (Switch) Spoofing exploit - script automating full VLAN Hopping attack, from DTP detection to VLAN Hop with DHCP lease request (gist)Sample output:
$ ./VLANHopperDTP.py --help
:: VLAN Hopping via DTP Trunk negotiation
Performs VLAN Hopping via negotiated DTP Trunk / Switch Spoofing technique
Mariusz B. / mgeeky, '18
v0.3
usage: ./VLANHopperDTP.py [options]
optional arguments: -h, --help show this help message and exit -i DEV, --interface DEV Select interface on which to operate. -e CMD, --execute CMD Launch specified command after hopping to new VLAN. One can use one of following placeholders in command: %IFACE (choosen interface), %IP (acquired IP), %NET (net address), %HWADDR (MAC), %GW (gateway), %MASK (full mask), %CIDR (short mask). For instance: -e "arp-scan -I %IFACE %NET%CIDR". May be repeated for more commands. The command will be launched SYNCHRONOUSLY, meaning - one have to append "&" at the end to make the script go along. -E CMD, --exit-execute CMD Launch specified command at the end of this script (during cleanup phase). -m HWADDR, --mac-address HWADDR Changes MAC address of the interface before and after attack. -f, --force Attempt VLAN Hopping even if DTP was not detected (like in Nonegotiate situation). -a, --analyse Analyse mode: do not create subinterfaces, don't ask for DHCP leases. -v, --verbose Display verbose output. -d, --debug Display debug output.
$ sudo ./VLANHopperDTP.py -i enp5s0f1
:: VLAN Hopping via DTP Trunk negotiation
Performs VLAN Hopping via negotiated DTP Trunk / Switch Spoofing technique
Mariusz B. / mgeeky, '18
v0.2
[+] VLAN Hopping IS possible. [>] After Hopping to other VLANs - leave this program running to maintain connections. [>] Discovering new VLANs... ==> VLAN discovered: 10 ==> VLAN discovered: 20 ==> VLAN discovered: 30 ==> VLAN discovered: 99 [+] Hopped to VLAN 10.: 172.16.10.10 [+] Hopped to VLAN 20.: 172.16.20.10 [+] Hopped to VLAN 30.: 172.16.30.11 [+] Hopped to VLAN 99.: 172.16.99.10 ```
-
nmap-grep-to-table.sh- Script converting nmap's greppable output (-oG) into a printable per-host tables. (gist) -
host-scanner-via-udp.py- Running Hosts scanner leveraging ICMP Destination Unreachable response upon UDP closed port packet. (gist) -
smb-credential-leak.html- SMB Credentials leakage by MSEdge as presented in Browser Security White Paper, X41 D-Sec GmbH. (gist) -
iis_webdav_upload.py- Microsoft IIS WebDAV Write Code Execution exploit (based on Metasploit HDM's <iis_webdav_upload_asp> implementation). (gist) -
smtpvrfy.py- SMTP VRFY python tool intended to check whether SMTP server is leaking usernames. (gist) -
pingsweep.py- Quick Python Scapy-based ping-sweeper. (gist) -
sshbrute.py- ripped out from Violent Python - by TJ O'Connor. (gist)