It has been a long time since I have posted on the blog, I have been very busy!
I have created quite a few new scripts over the last year that I have finally shared and also have updated a few.
These typically are scripts I have made for specific jobs I have been to make life easier.
Things to consider, some of the scripts are older and may have bugs. These are scripts I have created with basic knowledge of bash etc. They do the job, use them or don’t use them, so I am not looking for a code review thanks
Here is a list of tools you can find and a brief overview of what they do:
Useful for when conducting pentests. Quickly find a live IP address to use.
This can be handy when the client says “just pick one that is free” or when they give you a spreadsheet with an IP address to use and you want to ensure it is really free. Quite often typos will occur and you could take out a live box if you set the wrong IP.
You do not need to set any IP address on your interface, just run it and it will list what IPs are free in the local subnet you enter.
This is a cut down version of LazyMap script I released. It will scan the given local or remote subnet and discover and count which hosts are live.
Works very quickly just using some NMAP switches, lists and counts them. Handy for input into Nessus and also to work out how populated the VLANs are.
During a pentest typically you will be given a spreadsheet with a list of VLANs and expected number of hosts. I always run this and then make a note of how many hosts were actually there. for example you expect to see 4 hosts and you see 40, this could impact the schedule so is worth alerting people at an early stage.
Something I created on the spot during a review on some Sonicwall firewalls. I wanted to check the password strength for the users. Sonicwall firewall configs export in a base64 file.
This script you just point at the exported config file, it will decode it and extract all usernames and password hashes. It then changes them around in a way that makes them compatible with John the Ripper password cracker.
This is a PASSIVE VLAN hopping script. I have updated and fixed this as a recent change to the way tshark outputs a summary broke this script.
This will sniff a network port (no IP address needed) and look for DTP packets. If it finds DTP it will work out what mode it is in and tell you and indicate if it thinks VLAN hopping will be possible.
Then you could run something like Frogger to carry out an ACTIVE attack to hop VLANS. A lot of clients now want to know “can you VLAN hop” this will tell you within 90 seconds if you can or not.
Simply point at any extract password hashes from Windows operating systems that have been extracted with tools such as FGDump, pwdump, gsecdump etc.
It will look through and highlight any user accounts that have the same password set and list the users. Also checks and separates disabled or previously used passwords.
This is useful if you have extract domain hashes and find that half the users have the same password, this is likely to indicate an issue in the user creation process where the user is not being forced to change the password at first login. Also is good to highly password history issues, if the user can keep setting the same password it will list that too.
Useful for any kind of internal infrastructure testing/VA. This will discover the live hosts, then port scan with NMAP just the live hosts.
It then will list out all the unique open ports and then create you a Nessus policy. Then you just import the Nessus policy (which contains just the open ports found) and paste in the live hosts. This will be a much faster and accurate test as it is only scanning the live hosts and open ports. Also records start/stop times etc. Outputs all findings into client folders and auto excludes your own IP address. How many people Nessus the complete range where your tester laptops are and do not exclude?
A very simple script to generate IP address lists. Just give it a range and any IP addresses to exclude (see above, you want to exclude yourself and any other testers) and it will spit out a list of IP addresses. Then just paste these into Nessus etc.
A wireless network tool for testing managed wireless networks using 802.1x (PEAP/LEAP etc). It will assiocate against the AP and wait and extract any hostnames or domain usernames from the traffic as they authenticate to the wireless network. You do not need the wireless key/cert to do this.
handy little script to create Metasploit payloads to shell boxes running various Anti-Virus programs. Unfortunately these has been submitted to online scanners such as VirusTotal which share info with A.V vendors, therefore it doesn’t work too good now and gets flagged!
A great tool for any Windows based infrastructure test. Insert a Windows password hash or clear text password and range of IPs. It will look for common password reuse within the network. It will also track down and look for where the Domain Administrator account is logged in. If common passwords exist and you find where the DA is, its game over. You are the domain admin, just impersonate the token and job done.
Recently I have been a bit frustrated with cracking wireless keys and was looking for better ways to improve the speed.
I decided to setup a Amazon Ec2 cluster to give that a go at cracking WPA handshakes and also to improve general password cracking with John the Ripper.
It can be quite annoying gaining the handshake or hash whilst onsite on a client test and not having enough time or power to crack them.
I have done some playing around and managed to setup a dual cluster in Amazon. It wasn’t that easy to setup, but I wont get into detail in this post of how to do that.
The reason that the Amazon cloud cluster appeals to me is I can just power it on when I need it and only costs around $2 USD per hour whilst it is on. So a very cheap solution for cracking. I am currently using a cluster of just 2 systems, but you can increase this up to 20 systems.
I have created some comparisons between my laptop and the cluster. My laptop is a very good spec and fast system.
8GB RAM – Intel i7 8 Core
22GB RAM 8 Core (2x cluster, so 16 cores)
Aircrack is probably the most commonly used cracking tool for wireless PSK handshakes used with WPA/WPA2 etc. The issue is aircrack is only multi threaded and not multi core. So it wont utilise all that power you have. It will still run fast and is a great tool. Below are some stats on running aircrack on my laptop and on the cluster.
Aircrack running on my laptop
So we are getting 2,716 k/s which is still pretty fast on the laptop.
Aircrack running on Amazon cluster
So on the Amazon cluster we are getting 6,969 k/s – 7,1000 k/s – fast but not the increase you would expect from the cluster, only about 2x as fast. This is because it will not utilise all the cores available.
Pyrit will also crack WPA handshakes and the advantage of this is it supports multi core. So you can crack the PSK much quicker than aircrack.
Some Pyrit stats using the benchmark.
Pyrit running on my laptop (is utilising all 8x cores).
So you can see 2,346 PMKs/s using all 8 cores on my laptop… pretty fast!
Pyrit running on Amazon EC2 with all 16 cores in the cluster.
45,041 PMKs/s – so about 20x faster. Not bad hey!
Cracking the WPA PSK with Pyrit
On my laptop (using 8x cores)
(speed varied between 1800 and 2300 PMKs)
On Amazon cluster (using 16x cores)
Speed varied between 24,000 PMKs and 50,000 PMKs but mostly sat around 49,000 – pretty fast! at least 10-20x faster than the laptop and 4-8x faster than running aircrack on the cluster.
Password Cracking With John The Ripper
My laptop (no MPI support installed)
We are getting 2,944K c/s. Not bad for a laptop.
My Laptop (with MPI support installed using 8x cores)
9,59K c/s on the same laptop once MPI support installed using 8x cores
Amazon EC2 (with MPI support installed using 16 cores)
On the cluster we are getting 23,273K c/s – Pretty impressive!
Wordlists and Using John/Crunch
One of the big issues I find with trying to brute force the WPA handshakes is always wordlists. I have a massive collection of wordlists, but generally I don’t have that much success when trying to reveal the key. Most wordlists are mixed character length, so running a standard wordlist that has passwords between 4-7 characters is a waste of time when the WPA key will be 8 characters or more.
What I have done recently is harness the power of John or Crunch and feed that into Aircrack etc, so I don’t have to use wordlists.
John The Ripper
What you can do is feed John’s power into Aircrack. So you will not need a wordlist. You can also lock John down further by setting the min/max length or character sets, this will save you time in any password cracking you try.
The below command will feed John into Aircrack without using a wordlist.
john –incremental=All –stdout | aircrack-ng -b 00:FE:F4:23:BD:A0 -w – handshake.cap
Ideally we want to lock John down more, if you suspect it is a pin code and not a word you could use –incremental=digits etc. But we really want to set the min/max key lengths as what is the point of testing from 0-7 characters if they will not be there?.
Edit john.conf and copy a existing section and edit it accordingly.
Now we would call the custom setting like this
john –incremental=Alnum8 –stdout | aircrack-ng -b 00:FE:F4:23:BD:A0 -w – handshake.cap
This will only test for 8 character passwords. Quite often if I don’t have much luck cracking the wireless key, I will at least ask the client for the length so I can drill it down more.
You can also use Crunch to create wordlists on the fly and feed these into Aircrack.
Thiswill test a min length or 8 and max length of 8 characters. a-z upper and lowercase, numeric 0-9. You can also add other characters such as !$% etc. You can also set the format, so if you know it ends in 1234 you could do -t @@@@1234 and it will only match where the @ symbols are.
Here you will see the above feeding into Aircrack. Obviously this is still going to take a LONG time as so many combinations.
For this demo I setup my AP with a weak 8 character key. Lets say we know this is comm something, useful if you think it is the company name on a test. So lets run crunch and match everything after comm and lets assume it is all lowercase.
So we will run this. This will try comm then all lowercase characters to crack digits 5,6,7,8