Friday, July 8, 2016

Pen Testing Scripts By Common Exploits

It has been a long time since I have posted on the blog; I have been very busy!
I have created quite a few new scripts over the last year that I have finally shared, and I have also updated a few.
These typically are scripts I have made for specific jobs I have been on, to make life easier.
Things to consider: some of the scripts are older and may have bugs. These are scripts I have created with a basic knowledge of bash etc. They do the job; use them or don’t use them, so I am not looking for a code review, thanks :)
Here is a list of tools you can find and a brief overview of what they do:

New tools released 2014.

Whatsfree

Useful when conducting pentests. Quickly find a live IP address to use.
This can be handy when the client says “just pick one that is free” or when they give you a spreadsheet with an IP address to use and you want to ensure it is really free. Quite often typos will occur and you could take out a live box if you set the wrong IP.
You do not need to set any IP address on your interface, just run it and it will list what IPs are free in the local subnet you enter.
whatsfree

Livehosts

This is a cut-down version of the LazyMap script I released. It will scan the given local or remote subnet and discover and count which hosts are live.
It works very quickly using just some NMAP switches, then lists and counts the hosts. Handy for input into Nessus and also for working out how populated the VLANs are.
During a pentest you will typically be given a spreadsheet with a list of VLANs and the expected number of hosts. I always run this and then make a note of how many hosts were actually there. For example, you expect to see 4 hosts and you see 40; this could impact the schedule, so it is worth alerting people at an early stage.
livehosts

Sonijohn

Something I created on the spot during a review of some Sonicwall firewalls. I wanted to check the password strength for the users. Sonicwall firewall configs export as a base64 file.
You just point this script at the exported config file; it will decode it and extract all usernames and password hashes. It then rearranges them into a format compatible with the John the Ripper password cracker.
Then just run John against them and it will work.
sonijohn

Junijohn

Much like the Sonicwall script, this is the same thing for Juniper firewalls.
junijohn

Updated Scripts

DTPscan

This is a PASSIVE VLAN hopping script. I have updated and fixed this, as a recent change to the way tshark outputs a summary broke the script.
It will sniff a network port (no IP address needed) and look for DTP packets. If it finds DTP it will work out what mode the port is in, tell you, and indicate whether it thinks VLAN hopping will be possible.
Then you could run something like Frogger to carry out an ACTIVE attack to hop VLANs. A lot of clients now want to know “can you VLAN hop?”; this will tell you within 90 seconds whether you can or not.
dtpscan

Previous Scripts

WinocPHC (Windows Offline Password Hash Checker)

Simply point it at any password hashes extracted from Windows operating systems with tools such as FGDump, pwdump, gsecdump etc.
It will look through and highlight any user accounts that have the same password set and list the users. It also checks for and separates out disabled accounts and previously used passwords.
This is useful if you have extracted domain hashes and find that half the users have the same password; this is likely to indicate an issue in the user creation process where the user is not being forced to change the password at first login. It is also good for highlighting password history issues: if a user can keep setting the same password, it will list that too.
winocphc
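To show the kind of check the paragraph above describes, here is an added example of a password reuse audit over a pwdump-style dump. It is not the winocphc script itself. It assumes the usual `user:rid:lmhash:nthash:::` line layout, that password history entries are named `<user>_history<N>` (an assumption about the dump tool), and that a disabled account is marked by a trailing `(status=Disabled)` style note (also an assumption). The sample dump and its hashes are constructed placeholders, not real hashes.

```python
"""Audit a pwdump-style hash dump for shared and re-used passwords.

Added example, not the original winocphc script. Assumptions:
  * one entry per line in pwdump format 'user:rid:lmhash:nthash:::',
    optionally followed by a trailer such as '(status=Disabled)';
  * password-history entries are named '<user>_history<N>';
  * the sample below is constructed and its hashes are placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

HISTORY_RE = re.compile(r"^(?P<user>.+)_history(?P<n>\d+)$", re.IGNORECASE)

# Constructed sample dump: alice and bob share a password, dave has the same
# one but is disabled, and carol's history slot 1 equals her current password.
SAMPLE_DUMP = """\
alice:1001:NOLMHASH:11111111111111111111111111111111:::
bob:1002:NOLMHASH:11111111111111111111111111111111:::
carol:1003:NOLMHASH:22222222222222222222222222222222:::
dave:1004:NOLMHASH:11111111111111111111111111111111::: (status=Disabled)
carol_history0:1003:NOLMHASH:33333333333333333333333333333333:::
carol_history1:1003:NOLMHASH:22222222222222222222222222222222:::
"""


class Entry(NamedTuple):
    user: str
    nthash: str
    disabled: bool
    history_index: int  # -1 for the account's current password


def parse_dump(text: str) -> List[Entry]:
    """Parse pwdump lines; skips blanks, comments and malformed lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4 or len(parts[3].strip()) != 32:
            continue
        name, nthash = parts[0], parts[3].strip().lower()
        trailer = ":".join(parts[4:])          # anything after the NT hash
        disabled = "disabled" in trailer.lower()
        m = HISTORY_RE.match(name)
        if m:
            entries.append(Entry(m.group("user"), nthash, disabled, int(m.group("n"))))
        else:
            entries.append(Entry(name, nthash, disabled, -1))
    return entries


def shared_passwords(entries: List[Entry]) -> Dict[str, List[str]]:
    """NT hash -> enabled accounts whose current password has that hash (2+ only)."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.history_index == -1 and not e.disabled:
            by_hash[e.nthash].append(e.user)
    return {h: sorted(u) for h, u in by_hash.items() if len(u) > 1}


def history_reuse(entries: List[Entry]) -> Dict[str, List[int]]:
    """user -> history slots whose hash equals the current password hash."""
    current = {e.user: e.nthash for e in entries if e.history_index == -1}
    reused: Dict[str, List[int]] = defaultdict(list)
    for e in entries:
        if e.history_index >= 0 and current.get(e.user) == e.nthash:
            reused[e.user].append(e.history_index)
    return {u: sorted(slots) for u, slots in reused.items()}


def disabled_accounts(entries: List[Entry]) -> List[str]:
    """Current-password entries flagged disabled, reported separately."""
    return sorted({e.user for e in entries if e.disabled and e.history_index == -1})


def report(text: str) -> str:
    """Human-readable summary of the three checks."""
    entries = parse_dump(text)
    lines = []
    for h, users in shared_passwords(entries).items():
        lines.append(f"shared password {h[:8]}...: {', '.join(users)}")
    for user, slots in history_reuse(entries).items():
        lines.append(f"{user}: current password equals history slot(s) {slots}")
    for user in disabled_accounts(entries):
        lines.append(f"{user}: disabled (excluded from reuse check)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DUMP))
```

Disabled accounts are kept out of the shared-password grouping so the report points at live accounts first; the history check compares only against each user's own current hash, which is exactly the "same password set again" case the post mentions.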

LazyMap

Useful for any kind of internal infrastructure testing/VA. This will discover the live hosts, then port scan just the live hosts with NMAP.
It will then list out all the unique open ports and create a Nessus policy for you. Then you just import the Nessus policy (which contains just the open ports found) and paste in the live hosts. This is a much faster and more accurate test, as it is only scanning the live hosts and open ports. It also records start/stop times etc., outputs all findings into client folders and automatically excludes your own IP address. How many people Nessus the complete range where their tester laptops are and do not exclude them?
lazymap

IPGen

A very simple script to generate IP address lists. Just give it a range and any IP addresses to exclude (see above: you want to exclude yourself and any other testers) and it will spit out a list of IP addresses. Then just paste these into Nessus etc.
ipgen
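An added example of the list generation just described, written here for illustration rather than taken from the ipgen script. It assumes ranges are given as CIDR blocks, `start-end` pairs or single addresses, and exclusions as single addresses or CIDR blocks; the addresses in the usage call are constructed.

```python
"""Generate an IP address list from ranges, minus exclusions.

Added example, not the original ipgen script. Assumes the job the post
describes: take a range, drop your own and any other testers' addresses,
and emit one address per line for pasting into a scanner.
"""
import ipaddress
from typing import Iterable, List, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def expand_range(spec: str) -> list:
    """Expand 'a.b.c.d/nn', 'a.b.c.d-a.b.c.e' or a single address.

    CIDR input yields usable hosts only (network and broadcast are skipped);
    a start-end range yields every address in the range, inclusive.
    """
    spec = spec.strip()
    if "-" in spec:
        start_s, end_s = (p.strip() for p in spec.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if end < start:
            raise ValueError(f"range end precedes start: {spec}")
        return [ipaddress.ip_address(n) for n in range(int(start), int(end) + 1)]
    if "/" in spec:
        # strict=False accepts host bits set, e.g. '10.0.0.5/24'
        return list(ipaddress.ip_network(spec, strict=False).hosts())
    return [ipaddress.ip_address(spec)]


def exclusion_networks(exclusions: Iterable[str]) -> List[IPNet]:
    """Turn exclusion specs (single IPs or CIDR blocks) into networks."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in exclusions]


def generate_targets(ranges: Iterable[str], exclusions: Iterable[str] = ()) -> List[str]:
    """Return the de-duplicated target list, in input order, as strings."""
    excluded = exclusion_networks(exclusions)
    seen = set()
    targets: List[str] = []
    for spec in ranges:
        for addr in expand_range(spec):
            # skip anything already emitted or inside an excluded block
            if addr in seen or any(addr in net for net in excluded):
                continue
            seen.add(addr)
            targets.append(str(addr))
    return targets


if __name__ == "__main__":
    # Constructed example: a /29 with the tester's own laptop (.3) excluded.
    for ip in generate_targets(["10.0.0.0/29"], exclusions=["10.0.0.3"]):
        print(ip)
```

Exclusions are matched as networks rather than expanded, so excluding a whole tester VLAN as a CIDR block costs nothing extra, and overlapping input ranges are de-duplicated before they reach the scanner.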

wEAPe

A wireless network tool for testing managed wireless networks using 802.1X (PEAP/LEAP etc.). It will associate with the AP, then wait and extract any hostnames or domain usernames from the traffic as clients authenticate to the wireless network. You do not need the wireless key/cert to do this.
weape

Frogger

An ACTIVE VLAN hopping tool. This will abuse the DTP protocol and imitate a trunk port. It will then extract any VLAN information from the switch and allow you to hop onto the other VLANs.
frogger

Av0id

A handy little script to create Metasploit payloads to shell boxes running various anti-virus programs. Unfortunately these have been submitted to online scanners such as VirusTotal, which share info with AV vendors, so it doesn’t work too well now and gets flagged!
avoid

EasyDA

A great tool for any Windows-based infrastructure test. Insert a Windows password hash or clear-text password and a range of IPs. It will look for common password reuse within the network. It will also track down where the Domain Administrator account is logged in. If common passwords exist and you find where the DA is, it’s game over: you are the domain admin, just impersonate the token and the job is done.
easyda

Cisc0wn

Cisco SNMP enumeration, brute force, config downloader and password cracking script. It automates SNMP community checking, information extraction and configuration downloads from Cisco devices.
ciscown
