πŸ”’
There are new articles available, click to refresh the page.
Yesterday β€” 23 January 2022Tools

Whatfiles - Log What Files Are Accessed By Any Linux Process

23 January 2022 at 20:30
By: Zion3R


Whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.


Rationale:

I've long been frustrated at the lack of a simple utility to see which files a process touches from main() to exit. Whether you don't trust a software vendor or are concerned about malware, it's important to be able to know what a program or installer does to your system. lsof only observes a moment in time and strace is large and somewhat complicated.

Sample output:

mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-clone-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-heal-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-perspective-clone-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-convolve-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-smudge-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-dodge-burn-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-desaturate-tool, syscall: openat(), PID: 8566, process: gim p
mode: read, file: /home/theron/.gimp-2.8/plug-ins, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /usr/lib/gimp/2.0/plug-ins, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/pluginrc, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /usr/share/locale/en_US/LC_MESSAGES/gimp20-std-plug-ins.mo, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /usr/lib/gimp/2.0/plug-ins/script-fu, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode: read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode: read, file: /usr/lib/libgimpui-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode: read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/g imp/2.0/plug-ins/script-fu
mode: read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode: read, file: /usr/lib/libgimp-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode: read, file: /usr/lib/libgimpcolor-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu

Use:

  • basic use, launches ls and writes output to a log file in the current directory:

    $ whatfiles ls -lah ~/Documents

  • specify output file location with -o:

    $ whatfiles -o MyLogFile cd ..

  • include debug output, print to stdout rather than log file:

    $ whatfiles -d -s apt install zoom

  • attach to currently running process (requires root privileges):

    $ sudo whatfiles -p 1234

Distribution

Ready-to-use binaries are on the releases page! Someone also kindly added it to the Arch repository, and letompouce set up a GitLab pipeline as well.

Compilation (requires gcc and make):

$ cd whatfiles
$ make
$ sudo make install

Supports x86, x86_64, ARM32, and ARM64 architectures.

Questions that could be asked at some point:

  • Isn't this just a reimplementation of strace -fe trace=creat,open,openat,unlink,unlinkat ./program?

    Yes. Though it aims to be simpler and more user friendly.

  • Are there Mac and Windows versions?

    No. Tracing syscalls on Mac requires task_for_pid(), which requires code signing, which I can't get to work, and anyway I have no interest in paying Apple $100/year to write free software. dtruss on Mac can be used to follow a single process and its children, though the -t flag seems to only accept a single syscall to filter on. fs_usage does something similar though I'm not sure if it follows child processes/threads. Process Monitor for Windows is pretty great.

Known issues:

  • Tabs crash when whatfiles is used to launch Firefox. (Attaching with -p [PID] once it's running works fine, as does using whatfiles to launch a second Firefox window if one's already open.)

Planned features:

  • None currently, open to requests and PRs.

Thank you for your interest, and please also check out Cloaker, Nestur, and Flying Carpet!



CFRipper – CloudFormation Security Scanning & Audit Tool

23 January 2022 at 17:15
By: Darknet
CFRipper – CloudFormation Security Scanning & Audit Tool

CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool, it aims to prevent vulnerabilities from getting to production infrastructure through vulnerable CloudFormation scripts.

You can use CFRipper to prevent deploying insecure AWS resources into your Cloud environment. You can write your own compliance checks by adding new custom plugins.

CFRipper should be part of your CI/CD pipeline. It runs just before a CloudFormation stack is deployed or updated and if the CloudFormation script fails to pass the security check it fails the deployment and notifies the team that owns the stack.

Read the rest of CFRipper – CloudFormation Security Scanning & Audit Tool now! Only available at Darknet.

Second-Order - Subdomain Takeover Scanner

23 January 2022 at 11:30
By: Zion3R


Scans web applications for second-order subdomain takeover by crawling the app, and collecting URLs (and other data) that match certain rules, or respond in a certain way.


Installation

From binary

Download a prebuilt binary from the releases page and unzip it.

From source

Go version 1.17 is recommended.

go install -v github.com/mhmdiaa/[email protected]

Docker

docker pull mhmdiaa/second-order

Command line options

Directory to save results in (default "output") -threads int Number of threads (default 10)">
  -target string
Target URL
-config string
Configuration file (default "config.json")
-depth int
Depth to crawl (default 1)
-header value
Header name and value separated by a colon 'Name: Value' (can be used more than once)
-insecure
Accept untrusted SSL/TLS certificates
-output string
Directory to save results in (default "output")
-threads int
Number of threads (default 10)

Configuration File

Example configuration files are in config

  • LogQueries: A map of tag-attribute queries that will be searched for in crawled pages. For example, "a": "href" means log every href attribute of every a tag.
  • LogNon200Queries: A map of tag-attribute queries that will be searched for in crawled pages, and logged only if they contain a valid URL that doesn't return a 200 status code.
  • LogInline: A list of tags whose inline content (between the opening and closing tags) will be logged, like title and script

Output

All results are saved in JSON files that specify what and where data was found

  • The results of LogQueries are saved in attributes.json
{
"https://example.com/": {
"input[name]": [
"user",
"id",
"debug"
]
}
}
  • The results of LogNon200Queries are saved in non-200-url-attributes.json
{
"https://example.com/": {
"script[src]": [
"https://cdn.old_abandoned_domain.com/app.js",
]
}
}
  • The results of LogInline are saved in inline.json
{
"https://example.com/": {
"title": [
"Example - Home"
]
},
"https://example.com/login": {
"title": [
"Example - login"
]
}
}

Usage Ideas

This is a list of tips and ideas (not necessarily related to second-order subdomain takeover) on what to use Second Order for.

  • Check for second-order subdomain takeover: takeover.json. (Duh!)
  • Collect inline and imported JS code: javascript.json.
  • Find where a target hosts static files cdn.json. (S3 buckets, anyone?)
  • Collect <input> names to build a tailored parameter bruteforcing wordlist: parameters.json.
  • Feel free to contribute more ideas!

References

https://shubs.io/high-frequency-security-bug-hunting-120-days-120-bugs/#secondorder

https://edoverflow.com/2017/broken-link-hijacking/



Before yesterdayTools

Mandiant-Azure-AD-Investigator - PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity

22 January 2022 at 20:30
By: Zion3R


This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. Some indicators are "high-fidelity" indicators of compromise, while other artifacts are so called "dual-use" artifacts. Dual-use artifacts may be related to threat actor activity, but also may be related to legitimate functionality. Analysis and verification will be required for these. For a detailed description of the techniques used by UNC2452 see our blog.


This tool is read-only. It does not make any changes to the Microsoft 365 environment.

In summary this module will:

It will not:

  • Identify a compromise 100% of the time, or
  • Tell you if an artifact is legitimate admin activity or threat actor activity.

With community feedback, the tool may become more thorough in its detection of IOCs. Please open an issue, submit a PR, or contact the authors if you have problems, ideas, or feedback.

Features

Federated Domains (Invoke-MandiantAuditAzureADDomains)

This module uses MS Online PowerShell to look for and audit federated domains in Azure AD. All federated domains will be output to the file federated domains.csv.

  • Signing Certificate Unusual Validity Period - Alerts on a federated domain where the signing certificates have a validity period of > 1 year. AD FS managed certificates are valid for only one year. Validity periods that are longer than one year could be an indication that a threat actor has tampered with the domain federation settings. They may also be indicative of the use of a legitimate custom token-signing certificate. Have your administrators verify if this is the case.
  • Signing Certificate Mismatch - Alerts on federated domains where the issuer or subject of the signing certificates do not match. In most cases the token-signing certificates will always be from the same issuer and have the same subject. If there is a mismatch, then it could be an indication that a threat actor has tampered with the domain federation settings. Have your administrators verify if the subject and issuer names are expected, and if not consider performing a forensic investigation to determine how the changes were made and to identify any other evidence of compromise.
  • Azure AD Backdoor (any.sts) - Alerts on federated domains configured with any.sts as the Issuer URI. This is indicative of usage of the Azure AD Backdoor tool. Consider performing a forensic investigation to determine how the changes were made and to identify any other evidence of compromise.
  • Federated Domains - Lists all federated domains and the token issuer URI. Verify that the domain should be federated and that the issuer URI is expected.
  • Unverified Domains - Lists all unverified domains in Azure AD. Unverified domains should not be kept in Azure AD for long in an unverified state. Consider removing them.

Examples

!! Evidence of AAD backdoor found.
Consider performing a detailed forensic investigation
Domain name: foobar.com
Domain federation name:
Federation issuer URI: http://any.sts/16B45E3B

‼️
The script has identified a domain that has been federated with an issuer URI that is an indicator of an Azure AD Backdoor. The backdoor sets the issuer URI to hxxp://any.sts by default. Consider performing a forensic investigation to determine how the changes were made and identify any other evidence of compromise.
!! A token signing certificate has a validity period of more than 365 days. 
This may be evidence of a signing certificate not generated by AD FS.
Domain name: foobar.com
Federation issuer uri: http://sts.foobar.com
Signing cert not valid before: 1/1/2020 00:00:00
Signing cert not valid after: 12/31/2025 23:59:59

The script has identified a federated domain with a token-signing certificate that is valid for longer than the standard 365 days. Consult with your administrators to see if the token-signing certificate is manually managed and if it is expected to have the stated validity period. Consider performing a forensic investigation if this is not expected.

Service Principals (Invoke-MandiantAuditAzureADServicePrincipals)

This module uses Azure AD PowerShell to look for and audit Service Principals in Azure AD.

  • First-party Service Principals with added credentials - First-party (Microsoft published) Service Principals should not have added credentials except in rare circumstances. Environments that are or were previously in a hybrid-mode may have credentials added to Exchange Online, Skype for Business, and AAD Password Protection Proxy Service Principals. Verify that the Service Principal credential is part of a legitimate use case. Consider performing a forensic investigation if the credential is not legitimate.
  • Service Principals with high level privileges and added credentials - Identifies Service Principals that have high-risk API permissions assigned and added credentials. While the Service Principal and added permissions are likely legitimate, the added credentials may not be. Verify that the Service Principal credentials are part of a legitimate use case. Verify that the Service Principal needs the listed permissions.

Examples

!! Identified first-party (Microsoft published) Service Principals with added credentials.
Only in rare cases should a first-party Service Principal have an added credential.
Verify that the added credential has a legitimate use case and consider further investigation if not
*******************************************************************
Object ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
App ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Display Name : Office 365 Exchange Online
Key Credentials :

CustomKeyIdentifier :
EndDate : 12/9/2017 2:10:29 AM
KeyId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
StartDate : 12/9/2015 1:40:30 AM
Type : AsymmetricX509Cert
Usage : Verify
Value :

The script has identified a first-party (Microsoft) Service Principal with added credentials. First-party Service Principals should not have added credentials except in rare cases. Environments that are or were previously in a hybrid-mode may have credentials added to Exchange Online, Skype for Business, and AAD Password Protection Proxy Service Principals. This may also be an artifact of UNC2452 activity in your environment. Consult with your administrators and search the audit logs to verify the credential is legitimate. You can also use the "Service Principal Sign-Ins" tab in the Azure AD Sign-Ins blade to search for authentications to your tenant using this Service Principal.
!! Identified Service Principals with high-risk API permissions and added credentials.
Verify that the added credential has a legitimate use case and consider further investigation if not
Object ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
App ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Display Name : TestingApp
Key Credentials :
CustomKeyIdentifier :
EndDate : 1/7/2025 12:00:00 AM
KeyId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
StartDate : 1/7/2021 12:00:00 AM
Type : Symmetric
Usage : Verify
Value :
Password Credentials :
Risky Permissions : Domain.ReadWrite.All

The script has identified a Service Principal with high-risk API permissions and added credentials. This may be expected, as some third-party or custom-built applications require added credentials in order to function. This may also be an artifact of UNC2452 activity in your environment. Consult with your administrators and search the audit logs to verify the credential is legitimate. You can also use the "Service Principal Sign-Ins" tab in the Azure AD Sign-Ins blade to search for authentications to your tenant using this Service Principal.

Applications (Invoke-MandiantAuditAzureADApplications)

This module uses Azure AD PowerShell to look for and audit Applications in Azure AD.

  • Applications with high level privileges and added credentials - Alerts on Applications that have high-risk API permissions and added credentials. While the Applications and added permissions are likely legitimate, the added credentials may not be. Verify that the Application credentials are part of a legitimate use case. Verify that the Applications needs the listed permissions.

Example

!! High-privileged Application with credentials found.
Validate that the application needs these permissions.
Validate that the credentials added to the application are associated with a legitimate use case.

ObjectID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AppID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
DisplayName: Acme Test App
KeyCredentials:
PasswordCredentials:

CustomKeyIdentifier :
EndDate : 12/22/2021 4:01:52 PM
KeyId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
StartDate : 12/22/2020 4:01:52 PM
Value :

CustomKeyIdentifier :
EndDate : 12/21/2021 6:32:54 PM
KeyId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
StartDate : 12/21/2020 6:33:16 PM
Value :

Risky Permissions:
Mail.Read (Read mail in all mailboxes)
Directory.Read.Al l (Read all data in the organization directory)

The script has identified an Application with high-risk API permissions and added credentials. This may be expected, as some third-party or custom-built applications require added credentials in order to function. This may also be an artifact of UNC2452 activity in your environment. Consult with your administrators and search the audit logs to verify the credential is legitimate.

Cloud Solution Provider Program (Invoke-MandiantGetCSPInformation)

This module checks to see if the tenant is managed by a CSP, or partner, and if delegated administration is enabled. Delegated administration allows the CSP to access a customer tenant with the same privileges as a Global Administrator. Although the CSP program enforces strong security controls on the partner's tenant, a threat actor that compromises the CSP may be able to access customer environments. Organizations should verify if their partner needs delegated admin privileges and remove it if not. If the partner must maintain delegated admin access, consider implementing Conditional Access Policies to restrict their access.

Organizations can check and manage partner relationships by navigating to the Admin Center and navigating to Settings -> Partner Relationships on the left-hand menu bar.

Mailbox Folder Permissions (Get-MandiantMailboxFolderPermissions)

This module audits all the mailboxes in the tenant for the existance of suspicious folder permissions. Specifically, this module will examine the "Top of Information Store" and "Inbox" folders in each mailbox and check the permissions assigned to the "Default" and "Anonymous" users. Any value other than "None" will result in the mailbox being flagged for analysis. In general the Default and Anonymous users should not have permissions on user inboxes as this will allow any user to read their contents. Some organizations may find shared mailboxes with this permission, but it is not recommended practice.

Application Impersonation (Get-MandiantApplicationImpersonationHolders)

This module outputs the list of users and groups that hold the ApplicationImpersonation role. Any user or member of a group in the output of this command can use impersonation to "act as" and access the mailbox of any other user in the tenant. Organizations should audit the output of this command to ensure that only expected users and groups are included, and where possible further restrict the scope.

Unified Audit Log (Get-MandiantUnc2452AuditLogs)

This module is a helper script to search the Unified Audit Log. Searching the Unified Audit Log has many technical caveats that can be easy to overlook. This module can help simplify the search process by implementing best practices for navigating these caveats and handling some common errors.

By default, the module will search for log entries that can record UNC2452 techniques. The log records may also capture legitimate administrator activity, and will need to be verified.

  • Update Application - Records actions taken to update App Registrations.
  • Set Domain Auth - Records when authentication settings for a domain are changed, including the creation of federation realm objects. These events should occur rarely in an environment and may indicate a threat actor configuring an AAD backdoor.
  • Set Federation Settings - Records when the federation realm object for a domain is modified. These events should occur rarely in an environment and may indicate a threat actor preparing to execute a Golden SAML attack.
  • Update Application Certificates and Secrets - Records when a secret or certificate is added to an App Registration.
  • PowerShell Mailbox Logins - Records Mailbox Login operations where the client application was PowerShell.
  • Update Service Principal - Records when updates are made to an existing Service Principal.
  • Add Service Principal Credentials - Records when a secret or certificate is added to a Service Principal.
  • Add App Role Assignment - Records when an App Role (Application Permission) is added.
  • App Role Assignment for User - Records when an App Role is assigned to a user.
  • PowerShell Authentication - Records when a user authenticates to Azure AD using a PowerShell client.
  • New Management Role Assignments - Records when new management role assignments are created. This can be useful to identify new ApplicationImpersonation grants.

Usage

Required Modules

The PowerShell module requires the installation of three Microsoft 365 PowerShell modules.

  • AzureAD
  • MSOnline
  • ExchangeOnlineManagement

To install the modules:

  1. Open a PowerShell window as a local administrator (right-click then select Run As Administrator)
  2. Run the command Install-Module <MODULE NAME HERE> and follow the prompts

Required User Permissions

The PowerShell module must be run with a Microsoft 365 account assigned specific privileges.

  • Global Administrator or Global Reader role in the Azure AD portal
  • View-Only Audit Logs in the Exchange Control Panel

To grant an account View-Only Audit Logs in the Exchange Control Panel:

  1. Navigate to https://outlook.office365.com/ecp and login as a global admin or exchange admin (not the exact URL may differ if you are in an alternate cloud)
  2. Click admin roles in the dashboard, or expand the roles tab on the left and click admin roles if you are in the new UI
  3. Create a new admin role by clicking the + sign or clicking add new role group
  4. Give your role a name and default write-scope
  5. Add the View-Only Audit Logs permission to the role
  6. Add the user to the role

Note it can take up to an hour for this role to apply

Running the tool

  1. Download this tool as a ZIP and unzip it, or clone the repository to your system
  2. Open a PowerShell window
  3. Change directories to the location of this module cd C:\path\to\the\module
  4. Import this module Import-Module .\MandiantAzureADInvestigator.psd1 you should receive this output

Mandiant Azure AD Investigator
Focusing on UNC2452 Investigations

PS C:\Users\admin\Desktop\mandiant>
  1. Connect to Azure AD by running Connect-MandiantAzureEnvironment -UserPrincipalName <your username here>. You should receive a login prompt and output to the PowerShell window indicating the connections have been established. Note: If you run into issues you may need to change your execution policy by running Set-ExecutionPolicy -ExecutionPolicy RemoteSigned. This may require administrator privileges.
----------------------------------------------------------------------------
The module allows access to all existing remote PowerShell (V1) cmdlets in addition to the 9 new, faster, and more reliable cmdlets.

|--------------------------------------------------------------------------|
| Old Cmdlets | New/Reliable/Faster Cmdlets |
|--------------------------------------------------------------------------|
| Get-CASMailbox | Get-EXOCASMailbox |
| Get-Mailbox | Get-EXOMailbox |
| Get-MailboxFolderPermission | Get-EXOMailboxFolderPermission |
| Get-MailboxFolderStatistics | Get-EXOMailboxFolderStatistics |
| Get-MailboxPermission | Get-EXOMailboxPermission |
| Get-MailboxStatistics | Get-EXOMailboxStatistics |
| Get-MobileDeviceStatistics | Get-EXOMobileDeviceStatistics |
| Get-Recipient | Get-EXORecipient |
| Get-RecipientPermission | Get-EXORecipientPermission |
|--------------------------------------------------------------------------|

To get additional information, run: Get-Help Connect-ExchangeOnline or check https://aka.ms/exops-docs

Send your product improvement suggestions and feedback to [email protected] For issues related to the module, contact Microsoft support. Don't use the feedback alias for problems or support issues.
----------------------------------------------------------------------------

Account Environment TenantId TenantDomain
------- ----------- -------- ------------
[email protected] AzureCloud xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx test.onm...
  1. Run all checks Invoke-MandiantAllChecks -OutputPath <path\to\output\files>. You can also run individual checks using the specific cmdlet.
  2. Review the output on the screen and the written CSV files.

Further Reading

For additional information from Mandiant regarding UNC2452, please see:

The response to UNC2452 has been a significant effort across the security industry and these blogs heavily cite additional contributions that will be of value to users of this tool. We recommend reading the linked material from these posts to best understand activity in your environment. As always, the Mandiant team is available to answer follow-up questions or further assist on an investigation by contacting us here.



Pwndora - Massive IPv4 Scanner, Find And Analyze Internet-Connected Devices In Minutes, Create Your Own IoT Search Engine At Home

22 January 2022 at 11:30
By: Zion3R


Pwndora is a massive and fast IPv4 address range scanner, integrated with multi-threading.

Using sockets, it analyzes which ports are open, and collects more information about targets, each result is stored in Elasticsearch. You can integrate with Kibana to be able to visualize and manipulate data, basically it's like having your own IoT search engine at home.


Features

  • Port scanning with different options and retrieve software banner information.
  • Detect some web technologies running on servers, using Webtech integration.
  • Retrieves IP geolocation from Maxmind free database, updated periodically.
  • Possibility to take screenshots from hosts with HTTP using Rendertron.
  • Anonymous login detection on FTP servers

Usage

usage: CLI.py [-h] [-s START] [-e END] [-t THREADS] [--massive FILE] [--timeout TIMEOUT]
[--screenshot] [--top-ports] [--all-ports] [--update]
options:
-h, --help show this help message and exit
-s START Start IPv4 address
-e END End IPv4 address
-t THREADS Number of threads [Default: 50]
--massive FILE File path with IPv4 ranges
--timeout TIMEOUT Socket timeout [Default: 0.5]
--screenshot Take screenshots from hosts with HTTP
--top-ports Scan only 20 most used ports [Default]
--all-ports Scan 1000 most used ports
--update Update database from Wappalyzer

Examples

If this is your first time running, you should use the --update argument.

Scan only a single IPv4 address range:

python3 CLI.py -s 192.168.0.0 -e 192.168.0.255 -t 150 --top-ports

Scan from a text file with multiple IPv4 address ranges:

python3 CLI.py --massive-scan Argentina.csv -t 200 --all-ports --screenshot 

If you use an excessive amount of threads, some ISPs may detect suspicious traffic and disconnect you from the network.

To-do list

Requirements

pip install -r requirements.txt

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change. Please make sure to update tests as appropriate.

Contact

[email protected]



T-Reqs-HTTP-Fuzzer - A Grammar-Based HTTP Fuzzer

21 January 2022 at 20:30
By: Zion3R


T-Reqs (Two Requests) is a grammar-based HTTP Fuzzer written as a part of the paper titled "T-Reqs: HTTP Request Smuggling with Differential Fuzzing" which was presented at ACM CCS 2021.


BibTeX of the paper:

@inproceedings{ccs2021treqs,
title={T-Reqs: HTTP Request Smuggling with Differential Fuzzing},
author={Jabiyev, Bahruz and Sprecher, Steven and Onarlioglu, Kaan and Kirda, Engin},
booktitle={Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security},
pages={1805--1820},
year={2021}
}

About

T-Reqs is for fuzzing HTTP servers by sending mutated HTTP requests with versions 1.1 and earlier. It has three main components: 1) generating inputs, 2) mutating generated inputs and 3) delivering them to the target server(s).

Generating Inputs

A CFG grammar fed into the fuzzer is used to generate HTTP requests. As the example grammar shown below is tailored for request line fuzzing, every request line component and possible values for each of them are explicitly specified. This allows us to generate valid requests with various forms of request line and also to treat each request line component as a separate unit from the mutation perspective.

 '<start>':
['<request>'],
'<request>':
['<request-line><base><the-rest>'],
'<request-line>':
['<method-name><space><uri><space><protocol><separator><version><newline>'],
'<method-name>':
['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE', 'PATCH'],
'<space>':
[' '],
'<uri>':
['/_URI_'],
'<protocol>':
['HTTP'],
'<separator>':
['/'],
'<version>':
['0.9', '1.0', '1.1'],
'<newline>':
['\r\n'],
'<base>':
['Host: _HOST_\r\nConnection:close\r\nX-Request-ID: _REQUEST_ID_\r\n'],
'<the-rest>':
['Content-Length: 5\r\n\r\nBBBBBBBBBB'],

Mutating Inputs

Each component can be marked in two ways: string mutable and tree mutable (see the example configuration). If a component is string mutable, then a random character can be deleted, replaced, or inserted at a random position. In the example shown below (left side), the last character in the protocol version (1) is deleted, the third letter in the method name (S) is replaced with R, and a forward slash is inserted at the beginning of the URI. Whereas, if a component is tree mutable, then a random component can be deleted, replaced, or inserted at a random position under that component. The example below (right side) shows three tree mutations applied on the request line component: 1) method is replaced by protocol, 2) an extra URI is inserted after the current URI, and 3) the existing proto< /em> is deleted.

Usage

Configuration

The fuzzer should be informed about the user preferences about the generation and mutation of inputs. More specifically, the input grammar, the mutable components, mutation preferences among other things should be specified in the configuration file (see an example configuration).

Running modes

To be able to reproduce the inputs generated and mutated in each iteration, a seed number is used. In fact, this seed number serves as a seed for random number generations during the formation and mutation of an input. Depending on how these seeds are fed into the fuzzer, it runs in one of these two modes: individual and collective. In the individual mode, inputs are generated and mutated based on the seeds specified by a user. In the command below, a single seed (i.e., 505) is specified. Alternatively, a list of seeds could be specified with -f option (see help page for more).

python3 main.py -i -c config -s 505

Whereas, in the collective mode (which is default), it starts from zero as the seed value and increments it in each iteration until the end number is reached. The beginning and end numbers can be customized.

python3 main.py -c config

Using for Finding HRS discrepancies

HTTP Request Smuggling relies on different body parsing behaviors between servers where one server uses Transfer-Encoding header while the other prefers Content-Length header to decide the boundaries of a request body, or one server ignores a request body, whereas the other one processes it.

To analyze the body parsing of servers in response to various mutations in various forms of an HTTP request, we need to have a feedback mechanism installed on those servers to tell us about the body parsing behavior. One way of installing a feedback mechanism on a server, is to run the server in the reverse-proxy mode and have it forward requests to a "feedback provider" script running as a service. This service measures the length of the body in received requests and saves it for comparing it later with other servers.

An example "feedback provider" script is available in this repository. However, this script sends the body length information back in a response assuming that this information is stored on the client side.

License

T-Reqs is licensed under MIT license.



  • There are no more articles
❌