LibSSH Scanner – Script To Identify Hosts Vulnerable To CVE-2018-10933

This is a Python-based script to identify hosts vulnerable to CVE-2018-10933. The vulnerability is present in libssh versions 0.6 and later and was remediated by a patch in libssh 0.7.6 and 0.8.4. For more details: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/

Help

CVE-2018-10933 Scanner – Find vulnerable libssh services by Leap Security (@LeapSecurity)

optional arguments:
  -h, --help                  show this help message and exit
  -v, --version               show program's version number and exit
  -t TARGET, --target TARGET  An ip address or new line delimited file containing IPs to banner grab for the vulnerability.
  -p PORT, --port PORT        Set port of SSH service
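The scanner works by banner grabbing, so the decision it makes comes down to comparing the advertised libssh version against the affected and fixed versions stated above. The following is an added example of that version check, not the Leap Security scanner's own code; the banner shape `SSH-2.0-libssh_x.y.z` is assumed and the banner-grab results are constructed.

```python
import re

# Version facts from the advisory cited above: libssh 0.6 and later are affected,
# fixed in 0.7.6 (0.7 line) and 0.8.4 (0.8 line); later release lines ship the fix.
FIRST_AFFECTED = (0, 6, 0)
FIXED = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}

# Assumed banner shape, e.g. "SSH-2.0-libssh_0.8.3" or "SSH-2.0-libssh-0.7.5"
BANNER_RE = re.compile(r"^SSH-2\.0-libssh[_-](\d+)\.(\d+)(?:\.(\d+))?")

def parse_libssh_version(banner):
    """Return (major, minor, patch) if the banner identifies libssh, else None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def classify(banner):
    """Classify one SSH banner as vulnerable / patched / unaffected / unknown."""
    ver = parse_libssh_version(banner)
    if ver is None:
        return "unknown"          # not libssh (e.g. OpenSSH) or unparseable
    if ver < FIRST_AFFECTED:
        return "unaffected"       # 0.5.x and older predate the bug
    fixed = FIXED.get(ver[:2])
    if fixed is not None:
        return "patched" if ver >= fixed else "vulnerable"
    if ver[:2] > (0, 8):
        return "patched"          # 0.9 and newer were released with the fix
    return "vulnerable"           # 0.6.x never received a fixed release

def triage(banner_lines):
    """Given 'host banner' lines (as a banner grab would record), return {host: status}."""
    result = {}
    for line in banner_lines:
        host, _, banner = line.partition(" ")
        result[host] = classify(banner)
    return result

# Constructed banner-grab results, not output from any real host
SAMPLE = [
    "192.0.2.10 SSH-2.0-libssh_0.8.3",
    "192.0.2.11 SSH-2.0-libssh_0.8.4",
    "192.0.2.12 SSH-2.0-libssh-0.7.5",
    "192.0.2.13 SSH-2.0-libssh_0.6.3",
    "192.0.2.14 SSH-2.0-OpenSSH_7.9",
]
```

A banner check is a triage signal, not proof: a distribution that backports the fix without bumping the advertised version will show as vulnerable, so confirm against package metadata before closing or escalating a finding.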

Link: http://feedproxy.google.com/~r/PentestTools/~3/QmL8AcFG_pI/libssh-scanner-script-to-identify-hosts.html

AutoRDPwn – The Shadow Attack Framework

AutoRDPwn is a script written in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view a victim's desktop without their consent, and even control it on request. For correct operation, the requirements described in the user guide must be met.

Requirements

PowerShell 5.0 or higher

Changes

Version 4.0
• Fixed a bug in the scheduled task to remove the user AutoRDPwn
• The Scheduled Task attack has been replaced by Invoke-Command
• It is now possible to choose the language of the application and launch the attack on English versions of Windows
* The rest of the changes can be consulted in the CHANGELOG file

Use

Execution in one line:

  powershell -ExecutionPolicy Bypass "cd $env:TEMP; iwr https://goo.gl/HSkAXP -Outfile AutoRDPwn.ps1; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link: https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments

• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• Stas'M Corp. for its tool RDP Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his tool Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz

Contact

This software does not offer any kind of guarantee. Its use is exclusive to educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it. For more information, you can contact info@darkbyte.net

Link: http://feedproxy.google.com/~r/PentestTools/~3/FJO5eg5Xcpk/autordpwn-shadow-attack-framework.html

XXRF Shots – Tool to Test SSRF Vulnerabilities

What is an SSRF vulnerability?

Server Side Request Forgery (SSRF) is a vulnerability class in which an attacker makes a vulnerable web application send a crafted request on their behalf. This includes unauthorised access to internal resources behind the firewall that are not directly reachable from the external network.

Installation

  git clone https://github.com/ariya/phantomjs.git
  cd phantomjs
  chmod +x build.py
  ./build.py

Usage

  ./xxrf.sh

Enter the URL with the vulnerable parameter and hit the return key. The script is designed to perform two different tasks. First it injects the payload next to the vulnerable parameter, then it hands the request to another Python script written by @maaaaz. The Python script requires PhantomJS to perform the screenshot function: it takes the list of injected payloads, screenshots each one and places the screenshots in a screenshot directory.

Example:

  https://www.example.com/index.php?url=

Link: http://feedproxy.google.com/~r/PentestTools/~3/lmopLFQ_91o/xxrf-shots-tool-to-test-ssrf.html

TakeOver v1 – Extracts CNAME Record Of All Subdomains At Once

What is Subdomain Takeover?

Subdomain takeover is a class of vulnerability where a subdomain points to an external service that has been deleted. Such external services include GitHub, Heroku, GitLab, Tumblr and so on. Let's assume we have a subdomain sub.example.com that points to an external service such as GitHub. If the owner removes the GitHub page but forgets to remove the DNS entry that points to the GitHub service, an attacker can simply take over the subdomain by adding a CNAME file containing sub.example.com.

Here is the command that checks the CNAME record of a subdomain:

  $ dig CNAME apt.shopify.com
  -> apt.shopify.com.s3-website-us-east-1.amazonaws.com.

How can the TakeOver script help bug bounty hunters?

There are a lot of sites with thousands of subdomains, and it is really hard to check each subdomain by hand. This script shows the CNAME record for each domain. It takes a file name as input, performs the lookups and finally produces output showing the CNAME record for each domain. The input file should contain a list of subdomains.

How can I recognise whether a subdomain is vulnerable to subdomain takeover?

There are fingerprints that should be analysed when a service has been deleted and its DNS entry remains in place. An attacker visiting a vulnerable subdomain gets an error such as "There isn't a GitHub Pages site here."; see the image below for more detail.

Security researcher @edoverflow has listed all services and their fingerprints. For more detail visit https://github.com/EdOverflow/can-i-take-over-xyz
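The defender's version of the workflow above is to audit your own zone: extract CNAME targets from dig output, keep only those pointing at external services, and flag a record when its target no longer resolves or the subdomain serves the provider's "site not here" fingerprint. The following is an added example, not the TakeOver script's code; the dig output, the second-lookup results and the HTTP bodies are constructed, the provider suffixes are real, and the only fingerprint included is the GitHub Pages message quoted above.

```python
import re
# Real provider suffixes; the only body fingerprint is the GitHub Pages one quoted
# above. Add others from EdOverflow's can-i-take-over-xyz list rather than guessing.
PROVIDERS = {
    "GitHub Pages": ((".github.io",), "There isn't a GitHub Pages site here."),
    "Heroku": ((".herokuapp.com",), None),
    "AWS S3 website": ((".amazonaws.com",), None),
}
# One line of `dig +noall +answer` output: name TTL class type rdata
DIG_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")

def cname_targets(dig_output):
    """Map each subdomain in dig answer text to its CNAME target (trailing dots removed)."""
    targets = {}
    for line in dig_output.splitlines():
        m = DIG_LINE.match(line.strip())
        if m and m.group(2) == "CNAME":
            targets[m.group(1).rstrip(".")] = m.group(3).rstrip(".")
    return targets

def provider_for(target):
    """Name the known external provider a CNAME target points at, or None."""
    return next((p for p, (sfx, _) in PROVIDERS.items() if target.endswith(sfx)), None)

def assess(subdomain, target, target_resolves, body):
    """Return (subdomain, target, provider, reason) if the CNAME looks dangling, else None.
    target_resolves: result of a second lookup of the target; body: HTTP body from the subdomain."""
    provider = provider_for(target)
    if provider is None:
        return None                     # in-house or unrecognised target: out of scope here
    if not target_resolves:
        return (subdomain, target, provider, "CNAME target does not resolve")
    fingerprint = PROVIDERS[provider][1]
    if fingerprint and body and fingerprint in body:
        return (subdomain, target, provider, "service fingerprint in response")
    return None

def audit(dig_output, resolution, bodies):
    """Run assess() over every CNAME; resolution/bodies are dicts keyed by target/subdomain."""
    return [f for sub, tgt in cname_targets(dig_output).items()
            if (f := assess(sub, tgt, resolution.get(tgt, True), bodies.get(sub)))]

# Constructed sample input standing in for `dig +noall +answer -f subdomains.txt`
SAMPLE_DIG = """\
apt.example.com.   300 IN CNAME apt.example.com.s3-website-us-east-1.amazonaws.com.
docs.example.com.  300 IN CNAME old-project.github.io.
www.example.com.   300 IN CNAME lb.example.com.
"""
SAMPLE_RESOLUTION = {"apt.example.com.s3-website-us-east-1.amazonaws.com": True, "old-project.github.io": True}
SAMPLE_BODIES = {"docs.example.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"}
```

Running audit(SAMPLE_DIG, SAMPLE_RESOLUTION, SAMPLE_BODIES) flags only docs.example.com; the in-zone www CNAME is ignored and the S3 record is not flagged because no S3 fingerprint is in the table, which is exactly the gap the can-i-take-over-xyz list fills.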

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZHQM026H0rI/takeover-v1-extracts-cname-record-of.html