AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files. It’s similar to a subdomain brute-forcing tool but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you’re not afraid to quickly fill up your hard drive.
Using the download feature might fill your hard drive up, you can provide a max file size for each download at the command line when you run the tool. Keep in mind that it is in bytes.
By default, there are two threads for checking buckets and two buckets for downloading.
AWSBucketDump Usage
|
1 2 3 4 5 6 7 8 |
usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE] -h, --help show this help message and exit -D Download files - this requires significant disk space -d If set to 1 or True, create directories for each host w/ results -t THREADS number of threads -l HOSTLIST -g GREPWORDS Provide a wordlist to grep for -m MAXSIZE Maximum file size to download. |
Example:
|
1 |
python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1 |
AWSBucketDump S3 Security Tool Requirements
Non-Standard Python Libraries:
- xmltodict
- requests
- argparse
A great accompaniment would be these DNS wordlists from the SecLists repository: Discovery >> DNS
You can download AWSBucketDump here:
Or read more here.
Topic: Hacking Tools
nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network, and this is the first step in the finding of open shares.
It is based on the functionality of the standard Windows tool nbtstat, but it operates on a range of addresses instead of just one.
What is nbtscan?
NETBIOS is commonly known as the Windows “Network Neighborhood” protocol, and (among other things), it provides a name service that listens on UDP port 137. When it receives a query on this port, it responds with a list of all services it offers. Windows ships with a standard tool nbtstat which queries a single IP address when given the -A parameter. When running against a machine on the local network (a development box), it shows:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
C:\> nbtstat -A 192.168.1.99 NetBIOS Remote Machine Name Table Name Type Status --------------------------------------------- XPDEV <00> UNIQUE Registered UNIXWIX <00> GROUP Registered XPDEV <03> UNIQUE Registered XPDEV <20> UNIQUE Registered UNIXWIX <1E> GROUP Registered MAC Address = 00-50-04-6D-50-37 |
The numeric code (in hexadecimal) and the type serve to identify the service being offered, and (for instance) a UNIQUE code of <20> indicates that the machine is running the file-sharing service. Unfortunately, nbtstat only reports the codes, and it requires looking up the meanings elsewhere. The References section at the end of this document lists some resources to learn what all the codes mean.
Machines participating in NetBIOS listen on UDP port 137 for these queries and respond accordingly. Simple configurations might only have a few resource records (as above), but an NT server supporting a large enterprise could easily have more than a dozen. Though it’s sometimes useful to examine the full set of resource records for a given machine, in practice it’s more useful to summarize them into the key “interesting” services.
Our tool has taken this approach. Not only does it scan ranges of addresses — instead of just one machine — but it can fully decode most of the resource record types and can summarize the interesting data on a one-line display.
On our network, we have quite a few machines, but it appears that only three respond to our queries:
|
1 2 3 4 5 |
C:\> nbtscan 192.168.1.0/24 192.168.1.3 MTNDEW\WINDEV SHARING DC 192.168.1.5 MTNDEW\TESTING 192.168.1.9 MTNDEW\WIZ SHARING U=STEVE 192.168.1.99 MTNDEW\XPDEV SHARING |
Using nbtscan NetBIOS Scanner
When nbtscan is run without command-line arguments, it reports a short “help” listing that summarizes the options available, which are expanded on here.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
--version / -V -This simply shows the current version information, and I try to keep it updated on each rebuild. Version history is below. -f - This shows the full NBT resource record responses for each machine scanned, not just the one-line summary. This is recommended when studying one single machine, but it's much less useful when scanning a larger range. -O outfile - Send results to outfile rather than to the standard output. -H - Generate an HTTP header. During penetration testing, sometimes we are able to install the nbtscan.exe program on a remote IIS web server and run it with the "Unicode" exploit, but since the output is "regular" text, the output gets confused by the web server that thinks it's a broken CGI script. The -H option addes a simple Content-type: text/plain header with a blank line that makes the output show up correctly. -P - Generate Perl hashref output, which can be loaded into an existing program for easier processing. This is much easier than parsing text output. -v - This turns on some more verbose debugging, but this is really only meant for the developer's use and probably won't help an end-user that much. The code considered "verbose" changes from release to release as bugs are tracked down, and we make no effort to make this useful in the general case. -n - In a few reporting modes, the IP address of the remote machine is used as a key to look up the "inverse" name. This is normally helpful, but many nameservers are misconfigured in a way that make this appear to "hang", so -n turns off this inverse name lookup. -p port - This allows specification of a UDP port number to be used as the source in sending a query. Normally the program picks a random ephemeral port number, and this is entirely sufficient in most cases. But some Windows 95 machines send their responses to port 137 no matter where the query came from (we consider this a bug), so using -p 137 will force nbtscan to bind to this port instead of the random one. In addition, some older versions of the ZoneAlarm personal firewall would incorrectly allow NETBIOS queries if the source port is 53 (DNS). But note that you can't bind to a port that already is in use, and on Windows this usually means that port 137 is unavailable to you. -m - Include the MAC (aka "Ethernet") addresses in the response, which is already implied by the -f option. -T secs - When scanning a large range of addresses, it's not always clear when we are "finished". If we send out (say) five queries, we're clearly done when we get five responses, but if any machine does not respond, we have to rely on timeouts. The -T option controls how long we'll wait for any response, and the default is 2 seconds. -w msecs - Unless the local network is being scanned, we cannot typically blast many queries lest packets be lost on the way. We normally pause for a short time after each network write operation to allow things to clear out before sending another, and this allows the "tuning" of that time. It is specified in milliseconds, and the default is 10 milliseconds. -t tries - Try each address up to tries times, which is useful when dealing with a remote network that is (somehow) dropping packets. Once a given machine has responded, it won't be queried again. Default = 1. -n - Don't look up inverse DNS names in the full listing (show IP addresses). -1 - Force the use of Winsock version 1 (Windows only) rather than the default which is usually version 2. |
If you want something to screw with a tool like nbtscan you can check out something like Fake NetBIOS Tool – Simulate Windows Hosts.
Download nbtscan
Windows – The Win32 version of the tool, which works well on Windows 9x, NT and 2000, is available below as nbtscan.exe. It’s written in portable C and is less than 40 kbytes, requires no special libraries or DLLs, and is run in a MS-DOS command window.
Linux – The code works fine on Linux, and a version built on Red Hat Linux 6.2 is available as well.
You can download nbtscan here:
nbtscan.exe (v1.0.35) – Windows binary (36 kbytes)
nbtscan-1.0.35-redhat-linux – Linux binary (44kbytes)
nbtscan-1.0.31-sco-5.0.6.bin – SCO Open Server 5.0.6
nbtscan-source-1.0.35.tgz (gzip’d tarball)
nbtscan-source-1.0.35.zip (ZIP)
Or read more here.
Topic: Networking Hacking
Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
The original statement about the breach is as follows for those that weren’t up to date with it, which came out Sept 7th (4 months AFTER the breach happened).
Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
So pretty serious stuff with a kit ripe for social engineering and some pretty heavy weight identity theft.
Some good info in this video, skip to 3:02 for the Equifax story coverage:
Just today the entry point has been published, which is pretty unusual in these type of cases to get ANY info other than the fact it happened. It’s linked to a flaw in Apache Struts that was public in March 2017.
Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
As the Apache Foundation pointed out earlier this week, it reported CVE-2017-5638 in March 2017. Doubt us? Here’s the NIST notification that mentions it as being notified on March 10th.
It’s a pretty nasty situation especially if you watched the video above and you realise that Equifax is also managing to monetize their screw up.
You can find the latest here: https://www.equifaxsecurity2017.com
At least a good amount of information is coming out around this case so we can keep an eye on it and see what else turns up.
Source: The Register
Topic: Hacking News
Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection in order to extract clear text credentials.
It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks.
Usage of Seth RDP Man In The Middle Attack Tool
Run it like this:
|
1 |
$ ./seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP> |
Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.
The script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the traffic such that it runs through an RDP proxy. The proxy can be called separately:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
$ ./rdp-cred-sniffer.py -h usage: rdp-cred-sniffer.py [-h] [-d] [-p LISTEN_PORT] [-b BIND_IP] [-g {0,1,3,11}] -c CERTFILE -k KEYFILE target_host [target_port] RDP credential sniffer -- Adrian Vollmer, SySS GmbH 2017 positional arguments: target_host target host of the RDP service target_port TCP port of the target RDP service (default 3389) optional arguments: -h, --help show this help message and exit -d, --debug show debug information -p LISTEN_PORT, --listen-port LISTEN_PORT TCP port to listen on (default 3389) -b BIND_IP, --bind-ip BIND_IP IP address to bind the fake service to (default all) -g {0,1,3,11}, --downgrade {0,1,3,11} downgrade the authentication protocol to this (default 3) -c CERTFILE, --certfile CERTFILE path to the certificate file -k KEYFILE, --keyfile KEYFILE path to the key file |
Requirements for Seth RDP MiTM Attack Tool
- python3
- tcpdump
- arpspoof (arpspoof is part of dsniff)
- openssl < 1.1.0f
OpenSSL should not be too recent, as it does not support older versions of the SSL protocol and thus may be incompatible with older version of the Windows RDP client.
You can check out the full paper here:
– Attacking RDP How to Eavesdrop on Poorly Secured RDP Connections
There’s also another related tool which can extract RDP sessions:
– SessionGopher – Session Extraction Tool
You can download Seth for RDP MiTM here:
Or read more here.
Topic: Hacking Tools
dcrawl – Web Crawler For Unique Domains
dcrawl is a simple, but smart, multithreaded web crawler for randomly gathering huge lists of unique domain names. How does dcrawl work? dcrawl takes one site URL as input and detects all a href= links in the site’s body. Each found link is put into the queue. Successively, each queued link is crawled in the […]
Topic: Hacking Tools
Time Warner Hacked – AWS Config Exposes 4M Subscribers
What’s the latest on the web, Time Warner Hacked is what it’s about now as a bad AWS S3 config (once again) exposes the details of approximately 4 Million subscribers. This follows not long after the Instagram API leaking user contact information and a few other recent leaks involving poorly secured Amazon AWS S3 buckets […]
Topic: Hacking News