
Keeping Current with Skipfish

Posted by The Shell Shakespear

You have followed our posts on how to install skipfish on your Ubuntu/Debian based machine, and read our testing with Mutillidae. With the rapid pace of skipfish releases, however, your local copy may start to smell. Now you can automate the delivery of fresh fish to your doorstep. Copy the code below to update_skippy.sh in your skipfish source directory (it reads the local ChangeLog and unpacks the new release over the tree), run chmod +x update_skippy.sh and then ./update_skippy.sh to ensure your security tool-bowl is kept well stocked. Note that the script trusts whatever the download page serves: it fetches the archive over HTTPS and builds it straight away without checking a published digest, so keep that in mind on a machine you care about.

#!/bin/bash
# Checks the local version of skipfish and updates it if a newer version exists
# Copyright (C) 2010 Paul Haas <phaas AT redspin DOT com>
# Licensed under the GNU Public License version 3.0 or greater
# Run from the skipfish source directory: reads ./ChangeLog, unpacks the new release over it

SKIP='https://code.google.com/p/skipfish/downloads/list'
TGZ='"[^"]*.tgz"'                                # quoted archive link on the download page
LOCAL=$(head -n1 ChangeLog | grep -o '[0-9.]*')  # e.g. 1.32 (a letter suffix such as 1.32b is dropped)
REMOTE=$(wget -q "$SKIP" -O- | grep -e "version" | cut -d' ' -f4)
#REMOTE=$(curl -s "$SKIP" | grep -e "version" | cut -d' ' -f4) # curl alternative
LM=${LOCAL%.[0-9]*}   # local major
Lm=${LOCAL#[0-9]*.}   # local minor
RM=${REMOTE%.[0-9]*}  # remote major
Rm=${REMOTE#[0-9]*.}  # remote minor

# Compare major.minor; on a newer remote, stream the tarball straight into tar and rebuild
if [[ "$LM" -lt "$RM" || "$LM" -eq "$RM" && "$Lm" -lt "$Rm" ]]
then
	echo "Updating Skipfish from $LOCAL to $REMOTE."
	wget -q "$SKIP" -O- | grep -o "$TGZ" | tr -d \" | wget -q -i- -O- | tar zxf - --strip-components=1
	#curl -s "$SKIP" | grep -o "$TGZ" | tr -d \" | xargs curl -s | tar zxf - --strip-components=1
	make clean
	make
else
	echo "Skipfish $LOCAL ($REMOTE) is up to date."
fi
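As an added example that is not part of the original post or of update_skippy.sh: the script above only compares two version components and builds whatever it downloads. The functions below compare versions of any shape (1.9 before 1.10, 1.32 before 1.32b) and gate the build on a SHA-256 digest obtained out of band, so a tampered or truncated archive never reaches tar and make. It assumes GNU coreutils (sort -V, sha256sum); the URL and digest on the command line are placeholders you supply.

```shell
#!/bin/sh
# Added example, not the original update_skippy.sh: robust version compare plus
# a digest gate. Assumes GNU coreutils (sort -V, sha256sum) and a pinned
# SHA-256 you obtained out of band; URL and digest are caller-supplied.

# version_lt A B: succeed when version A sorts strictly before version B.
# sort -V orders dotted numerics and letter suffixes the way release numbers do.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# verify_sha256 FILE DIGEST: succeed only when FILE hashes to DIGEST.
verify_sha256() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c --status
}

# fetch_verified URL DIGEST DEST: download to a temp file, verify, and only
# then move it into place; anything that fails the check is deleted.
fetch_verified() {
    local tmp
    tmp=$(mktemp) || return 1
    if wget -q "$1" -O "$tmp" && verify_sha256 "$tmp" "$2"; then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
        echo "digest mismatch or download failure for $1" >&2
        return 1
    fi
}

# Demo: runs only when given LOCAL REMOTE URL DIGEST, e.g.
#   ./update_checked.sh 1.32b 1.33 https://example.invalid/skipfish.tgz <sha256>
if [ $# -eq 4 ]; then
    if version_lt "$1" "$2"; then
        echo "Updating from $1 to $2."
        fetch_verified "$3" "$4" skipfish.tgz &&
            tar zxf skipfish.tgz --strip-components=1 && make clean && make
    else
        echo "Version $1 is up to date ($2 available)."
    fi
fi
```

The digest has to come from somewhere other than the page you download from, otherwise the check only proves the archive matches itself; a release announcement, a signed mail or a value you recorded after a manual review all work.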

String Encoding in the Shell

Posted by The Shell Shakespear

Data encoding in the shell is a quick and reliable way to convert input from one format into another. This can be used to work out how an application has transformed your input, or to encode your input so that it slips past a security filter. The formats include some valuable ones such as hex, HTML, URL, various password representations, common hashes and even a few compression encodings. What follows are some of my favourite methods for converting input on the command line. Some of them rely on commands that are non-standard but typically available from your Linux distribution's repository, and a good number of Python snippets are included as well. The examples can be run individually or all together from a bash file, encode.sh:

#!/bin/bash
# Performs a number of encodings on the first argument string.
# The string is handed to python3 as sys.argv[1] instead of being spliced into
# the program text, so input containing quotes cannot alter the Python code.
# Needs beyond coreutils: openssl, gcipher, xxd, iconv, recode, python3, 7z,
# bzip2, gzip, zip (and Python 2 with python-smbpasswd for the LM/NT hashes).

if [ $# -ne 1 ]
then
  echo "Performs a number of encodings on the first argument string"
  echo "Usage: $(basename "$0") {string}"
  exit 1
fi

printf "\n# String Scrambles:\n"
printf "%-20s\t" 'Normal:'; echo "$1"
printf "%-20s\t" 'Reversed:'; echo "$1" | rev
printf "%-20s\t" 'Case Reversed:'; echo "$1" | tr 'A-Za-z' 'a-zA-Z'
printf "%-20s\t" 'ROT13:'; echo "$1" | gcipher -c Rot -k 13
#printf "%-20s\t" 'Rot13:'; python3 -c "import sys, codecs; print(codecs.encode(sys.argv[1], 'rot13'))" "$1"
printf "%-20s\t" 'GIE:'; echo "$1" | gcipher -c Gie
printf "%-20s\t" 'Caesar:'; echo "$1" | gcipher -c Ceasar
printf "%-20s\t" 'Vigenere:'; echo "$1" | gcipher -c Vigenere -k vigenere
# printf "%-20s\t" 'Anagrams:'; wordplay -s "$1" | sort -u | sed -n '1h;2,$H;${g;s/\n/, /g;p}'
# tr works on bytes, so the multibyte leet glyphs below behave best on a non-UTF8 terminal:
printf "%-20s\t" 'Leet (l334):'; echo "$1" | tr 'a-z' 'A-Z' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' '4ß(Ð3ƒ9H1JK£MN0PQ®$7µVWX¥2' | sed 's_H_|-|_g;s_J_\_|_g;s_K_|{_g;s_M_|\\/|_g;s_N_|\\|_g;s_P_|°_g;s_Q_¶¸_g;s_V_\\/_g;s_W_\\/\\/_g;s_X_)(_g' # See http://www.albinoblacksheep.com/text/leet

printf "\n# Numerical Representations:\n"
printf "%-20s\t" 'INT:'; echo -n "$1" | hexdump -ve '/1 "%03i"'; echo
printf "%-20s\t" 'HEX:'; echo -n "$1" | hexdump -ve '/1 "%02x"'; echo
printf "%-20s\t" 'OCT:'; echo -n "$1" | hexdump -ve '/1 "%02o"'; echo
# one byte per xxd line, second column is its 8 bits; joining them gives the full bit string
printf "%-20s\t" 'BIN:'; echo -n "$1" | xxd -b -c1 | awk '{printf "%s", $2}'; echo

printf "\n# Passwords:\n"
# OpenSSL 3.0 removed -crypt (traditional DES crypt(3)); the -1 and -apr1 forms still work
printf "%-20s\t" "CRYPT w/o SALT:"; echo -n "$1" | openssl passwd -crypt -stdin -salt 00
printf "%-20s\t" "CRYPT w/ Random SALT:"; echo -n "$1" | openssl passwd -crypt -stdin
printf "%-20s\t" "DES w/ CR SALT:"; echo -n "$1" | openssl passwd -crypt -stdin -salt CR
printf "%-20s\t" "Shadow w/o SALT:"; echo -n "$1" | openssl passwd -1 -stdin -salt 00000000
printf "%-20s\t" "Shadow w/ RANDOM SALT:"; echo -n "$1" | openssl passwd -1 -stdin
printf "%-20s\t" "Apache w/o SALT:"; echo -n "$1" | openssl passwd -apr1 -stdin -salt 00000000
printf "%-20s\t" "Apache w/ RANDOM SALT:"; echo -n "$1" | openssl passwd -apr1 -stdin
# LM and NT hashes via the Python 2 python-smbpasswd module (NT = MD4 over the UTF-16LE password)
printf "%-20s\t" "LM Password:"; python2 -c "import sys, smbpasswd; print smbpasswd.lmhash(sys.argv[1])" "$1"
printf "%-20s\t" "NTLM Password:"; python2 -c "import sys, smbpasswd; print smbpasswd.nthash(sys.argv[1])" "$1"

printf "\n# Digest Hashes (newline not included):\n"
# awk keeps only the hex digest, since newer openssl prefixes it with "(stdin)= "
# MD2, MD4 and MDC2 sit in the OpenSSL 3 legacy provider (add -provider legacy -provider default)
#printf "%-20s\t" 'BINARY MD5:'; echo -n "$1" | openssl dgst -md5 -binary
printf "%-20s\t" 'MD5:'; echo -n "$1" | openssl dgst -md5 | awk '{print $NF}'
printf "%-20s\t" 'MD4:'; echo -n "$1" | openssl dgst -md4 | awk '{print $NF}'
printf "%-20s\t" 'MD2:'; echo -n "$1" | openssl dgst -md2 | awk '{print $NF}'
printf "%-20s\t" 'SHA1:'; echo -n "$1" | openssl dgst -sha1 | awk '{print $NF}'
printf "%-20s\t" 'SHA:'; echo -n "$1" | openssl dgst -sha | awk '{print $NF}'  # SHA-0; gone from OpenSSL 1.1.0 onwards
printf "%-20s\t" 'SHA224:'; echo -n "$1" | openssl dgst -sha224 | awk '{print $NF}'
printf "%-20s\t" 'SHA256:'; echo -n "$1" | openssl dgst -sha256 | awk '{print $NF}'
printf "%-20s\t" 'SHA384:'; echo -n "$1" | openssl dgst -sha384 | awk '{print $NF}'
printf "%-20s\t" 'SHA512:'; echo -n "$1" | openssl dgst -sha512 | awk '{print $NF}'
#printf "%-20s\t" 'MDC2:'; echo -n "$1" | openssl dgst -mdc2 | awk '{print $NF}'
printf "%-20s\t" 'RIPEMD160:'; echo -n "$1" | openssl dgst -ripemd160 | awk '{print $NF}'
printf "%-20s\t" 'CRC32:'; python3 -c "import sys, binascii; print(binascii.crc32(sys.argv[1].encode()))" "$1"

printf "\n# Web Encodings\n"
printf "%-20s\t" 'URLQuote:'; python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))" "$1"
printf "%-20s\t" 'URLEscape:'; echo "$1" | recode ..HTML  # despite the label this HTML-escapes <, > and &
printf "%-20s\t" 'HTML HEX Entity:'; echo -n "$1" | hexdump -ve '/1 "&#x%02x;"'; echo
printf "%-20s\t" 'HTML Entity:'; echo -n "$1" | hexdump -ve '/1 "&#%02i;"'; echo
printf "%-20s\t" 'Javascript String:'; echo -n "String.fromCharCode("; echo -n "$1" | hexdump -ve '/1 "%i,"' | sed 's_,$_)\n_'
printf "%-20s\t" 'SQL String:'; echo -n "$1"  | hexdump -ve '/1 "char(%i)+"' | sed 's_+$_\n_g'

printf "\n# UTF Encodings\n"
printf "%-20s\t" 'UTF-7:'; echo "$1" | iconv -t utf7
printf "%-20s\t" 'UTF-8:'; echo "$1" | iconv -t utf8
printf "%-20s\t" 'UTF-16:'; echo "$1" | iconv -t utf16  # emits a BOM, then native byte order
printf "%-20s\t" 'UTF-32:'; echo "$1" | iconv -t utf32
printf "%-20s\t" 'Unicode:'; echo "$1" | iconv -t unicode
printf "%-20s\t" 'ASCII:'; echo "$1" | iconv -t ascii

printf "\n# Encodings\n" # http://docs.python.org/library/codecs.html#standard-encodings
printf "%-20s\t" 'Base64:'; echo -n "$1" | openssl enc -base64 -A; echo  # -A: no 64-column wrapping
#printf "%-20s\t" 'Base64:'; python3 -c "import sys, base64; print(base64.b64encode(sys.argv[1].encode()).decode())" "$1"
printf "%-20s\t" 'Base32:'; python3 -c "import sys, base64; print(base64.b32encode(sys.argv[1].encode()).decode())" "$1"
printf "%-20s\t" 'Base16:'; python3 -c "import sys, base64; print(base64.b16encode(sys.argv[1].encode()).decode())" "$1"
# b2a_uu encodes a single line of at most 45 bytes; longer input needs the uu module
printf "%-20s\t" 'UUEncode:'; python3 -c "import sys, binascii; print(binascii.b2a_uu(sys.argv[1].encode()).decode(), end='')" "$1"
printf "%-20s\t" 'Punycode:'; python3 -c "import sys; print(sys.argv[1].encode('punycode').decode())" "$1"
printf "%-20s\t" 'Mime Quotable:'; python3 -c "import sys, codecs; print(codecs.encode(sys.argv[1].encode(), 'quopri_codec').decode())" "$1"

printf "\n# Compression Encodings\n"
#printf "%-20s\t" 'Bzip2:'; python3 -c "import sys, codecs; print(codecs.encode(sys.argv[1].encode(), 'bz2_codec'))" "$1"
#printf "%-20s\t" 'Zlib (gzip):'; python3 -c "import sys, codecs; print(codecs.encode(sys.argv[1].encode(), 'zlib_codec'))" "$1"
# the compressed stream is printed as \xNN escapes so it can be pasted into a printf or a Python bytes literal
printf "%-20s\t" '7z:'; echo -n "$1" | 7z a dummy -tgzip -si -so 2>/dev/null | hexdump -ve '/1 "%02x"' | sed "s_\(..\)_\\\x\1_g"; echo
printf "%-20s\t" 'Bzip2:'; echo -n "$1" | bzip2 -f | hexdump -ve '/1 "%02x"' | sed "s_\(..\)_\\\x\1_g"; echo
printf "%-20s\t" 'GZip:'; echo -n "$1" | gzip -f | hexdump -ve '/1 "%02x"' | sed "s_\(..\)_\\\x\1_g"; echo
printf "%-20s\t" 'Zip:'; echo -n "$1" | zip - - 2>/dev/null | hexdump -ve '/1 "%02x"' | sed "s_\(..\)_\\\x\1_g"; echo

#printf "\n# OpenSSL Ciphers with empty passphrase, key and iv:\n"
#for line in $(openssl enc -h 2>&1 | sed -n '/Cipher Types/,//p' | grep -v -e "Cipher Types" -e "^$" | tr -s '[:space:]' '\n'); do printf "%-20s\t" "$line:"; echo -n "$1" | openssl enc -k "" -e -a -p -K 0 -iv 0 "$line" | sed -n '1h;2,$H;${g;s/\n/, /g;p}'; done

#printf "\n# All iconv Output Encodings ~= 1153:\n"
#for line in $(iconv -l); do printf "%-20s\t" "$line"; echo -n "$1" | iconv -t "$line" 2>/dev/null; echo; done

Example Run:

$ ./encode.sh '<b>Hello World!</b>'

# String Scrambles:
Normal:             	<b>Hello World!</b>
Reversed:           	>b/<!dlroW olleH>b<
Case Reversed:      	<b>hELLO wORLD!</b>
ROT13:              	Uryyb Jbeyq!
GIE:                	Svool Dliow!
Caesar:             	Khoor Zruog!
Vigenere:           	Pkpys Nsmtj!
Leet (l334):        	|-|3££0 \/\/0®£Ð!

# Numerical Representations:
INT:                	060098062072101108108111032087111114108100033060047098062
HEX:                	3c623e48656c6c6f20576f726c64213c2f623e
OCT:                	74142761101451541541574012715716215414441745714276
BIN:                	0011110001100010001111100100100001100101011011000110110001101111001000000101011101101111011100100110110001100100001000010011110000101111011000100011111

# Passwords:
CRYPT w/o SALT:     	00H1EnAbbudEI
CRYPT w/ Random SALT:	/4tA4dY0Q8cJ6
DES w/ CR SALT:     	CRIFJgo.7OagA
Shadow w/o SALT:    	$1$00000000$PMrPd4yWfOkVwO2sHSqTv0
Shadow w/ RANDOM SALT:	$1$oJ0Qki6o$gNf/bXtOWA8Mi0wLa0SUp1
Apache w/o SALT:    	$apr1$00000000$XxCLeI7Ovl7HAPRfPavSe.
Apache w/ RANDOM SALT:	$apr1$Xr5GeJLw$Io1K0NZ0nvA4tClI77nyP/
LM Password:        	40033C993361335925522E685FA5299A
NTLM Password:      	E78EC9AB6886A6EADA6E61AAC053B93F

# Digest Hashes (newline not included):
MD5:                	26228b4d80d62285a839a475c9c7574f
MD4:                	1554d219d316077223f51c640d164ca6
MD2:                	f8057b72e7f174ef7cf80165fef67b37
SHA1:               	b44e743e733384dc8db8aa971f496ff3d22041db
SHA:                	e0053cc39e21839c3826c170b15a919d6a2c58e5
SHA224:             	08568694b48256a072ff5a1ed9e5b7ac52a0de09f93819d98e9d3188
SHA256:             	27889613b22d5c515af08ff865713664c4d53fcf9c9f7f280f6fa269177a6aac
SHA384:             	318e1f73428cb544afa1967328847fcc64a1c33d5f27319848ee203192b8b9e958c4417db4732499a848fb05107f0372
SHA512:             	fe1ab72b5677a17695134eb27f44548a0c02e4275997e364176c3adbac735ff73810a38b5674a311b97da81b16f35fa9e9618d0f02bbb0e5818cdd76b01a9dc3
RIPEMD160:          	cd47833973c967e0ff1d64b957adbaedcac2202a
CRC32:              	1574079884

# Web Encodings
URLQuote:           	%3Cb%3EHello%20World%21%3C/b%3E
URLEscape:          	&lt;b&gt;Hello World!&lt;/b&gt;
HTML HEX Entity:    	&#x3c;&#x62;&#x3e;&#x48;&#x65;&#x6c;&#x6c;&#x6f;&#x20;&#x57;&#x6f;&#x72;&#x6c;&#x64;&#x21;&#x3c;&#x2f;&#x62;&#x3e;
HTML Entity:        	&#60;&#98;&#62;&#72;&#101;&#108;&#108;&#111;&#32;&#87;&#111;&#114;&#108;&#100;&#33;&#60;&#47;&#98;&#62;
Javascript String:  	String.fromCharCode(60,98,62,72,101,108,108,111,32,87,111,114,108,100,33,60,47,98,62)
SQL String:         	char(60)+char(98)+char(62)+char(72)+char(101)+char(108)+char(108)+char(111)+char(32)+char(87)+char(111)+char(114)+char(108)+char(100)+char(33)+char(60)+char(47)+char(98)+char(62)

# UTF Encodings
UTF-7:              	+ADw-b+AD4-Hello World+ACEAPA-/b+AD4
UTF-8:              	<b>Hello World!</b>
UTF-16:             	ÿþ<b>Hello World!</b>
UTF-32:             	ÿþ<b>Hello World!</b>
Unicode:            	ÿþ<b>Hello World!</b>
ASCII:              	<b>Hello World!</b>

# Encodings
Base64:             	PGI+SGVsbG8gV29ybGQhPC9iPg==
Base32:             	HRRD4SDFNRWG6ICXN5ZGYZBBHQXWEPQ=
Base16:             	3C623E48656C6C6F20576F726C64213C2F623E
UUEncode:           	3/&(^2&5L;&\@5V]R;&0A/"]B/@
Punycode:           	<b>Hello World!</b>-
Mime Quotable:      	<b>Hello=20World!</b>

# Compression Encodings
7z:                 	\x1f\x8b\x08\x00\x38\x5b\x6b\x4a\x00\x00\x01\x13\x00\xec\xff\x3c\x62\x3e\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x3c\x2f\x62\x3e\x8c\x8d\xd2\x5d\x13\x00\x00\x00
Bzip2:              	\x42\x5a\x68\x39\x31\x41\x59\x26\x53\x59\x59\x24\xfc\x0e\x00\x00\x02\x1f\x80\x60\x00\x80\x05\x00\x40\x00\x80\x16\x04\x90\x00\x20\x00\x21\xa9\xa3\x13\x68\xd0\x80\x68\x03\x0c\x3c\x90\xd3\xf8\xc2\x97\x82\x5a\x2e\xe4\x8a\x70\xa1\x20\xb2\x49\xf8\x1c
GZip:               	\x1f\x8b\x08\x00\xb8\x09\x6a\x4a\x00\x03\xb3\x49\xb2\xf3\x48\xcd\xc9\xc9\x57\x08\xcf\x2f\xca\x49\x51\xb4\xd1\x4f\xb2\x03\x00\x8c\x8d\xd2\x5d\x13\x00\x00\x00
Zip:                	\x50\x4b\x03\x04\x14\x00\x08\x00\x08\x00\xae\x62\xf8\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x2d\xb3\x49\xb2\xf3\x48\xcd\xc9\xc9\x57\x08\xcf\x2f\xca\x49\x51\xb4\xd1\x4f\xb2\x03\x00\x50\x4b\x07\x08\x8c\x8d\xd2\x5d\x15\x00\x00\x00\x13\x00\x00\x00\x50\x4b\x01\x02\x17\x03\x14\x00\x08\x00\x08\x00\xae\x62\xf8\x3a\x8c\x8d\xd2\x5d\x15\x00\x00\x00\x13\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x80\x11\x00\x00\x00\x00\x2d\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x2f\x00\x00\x00\x44\x00\x00\x00\x00\x00

Anyone else have some useful oneliner encodings that are not included here? Best post gets a cookie!

Sed, Grep and Awk

Posted by The Shell Shakespear

Sed, grep and awk are true *nix tools, known for their awkward names and equally awkward syntax. They are the most immediate route to regular expressions (REs), which are worth learning in their own right. Even their would-be replacement, Perl, is known for producing useful yet unreadable code. Though I acknowledge their awkward natures, their usefulness cannot be ignored, and learning how to use each will aid you in your ascension to line-processing supremacy. Each is best used in the following manner:

  • Grep: Matching
  • Sed: Replacing and Line Manipulation
  • Awk: Advanced Line Processing

# Insert 'Beginning' at the start of a file, and 'Ending' at the end
sed -e '1i\Beginning' -e '$a\Ending'

# Escape shell metacharacters that are active within double quotes
sed 's/[\\/`"$^.+{}]/\\&/g'

# Replace all literal newlines with their representation '\n'
sed -e :a -e '$!N;s/\n/\\n/;ta'

# Strip the values from URL parameters, keeping the parameter names
sed 's_=[^&]*\(&\|$\)_=\1_g'

# Escape BRE metacharacters in a string so it can be used literally in a sed pattern
sed 's:[][\^$.*/]:\\&:g'

# Replace the last comma (,) in each line with 'and'
sed 's#\(.*\),\([^,]*\)#\1 and\2#'

# Match phone numbers with area code in any given format and output them as (nnn) nnn-nnnn
# POSIX sed has no \d; GNU sed accepts \s \S \w \W as extensions, so [0-9] is the portable form
sed -e 's#[^0-9]*\([0-9]\{3\}\)[^0-9]*\([0-9]\{3\}\)[^0-9]*\([0-9]\{4\}\)#(\1) \2-\3#'
grep -o '(\?[0-9]\{3\})\? \?[0-9]\{3\}-\?[0-9]\{4\}'

# Match CVE identifiers (the sequence part has at least four digits and no fixed upper bound since 2014)
grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}'

# Match hidden input fields in an HTML file and blank their values for review
grep -io '<input[^>]*hidden[^>]*>' hidden.csv | sed 's#""#"#g;s#value="[^"]*"#value=""#g' | sort -u | less

# Parse IIS logs for a given IP address (127.0.0.1), dropping static content and 404s
grep 127.0.0.1 *.log | grep -v -e ".gif" -e ".jpg" -e ".ico" -e ".css" -e ".pdf" -e "404" | cut -d' ' -f2,4,5,6,10 | awk '{printf "%s %-04s http://site.com%s?%s  Ref:(%s)\n",$1,$2,$3,$4,$5}' | tr -d '-' | sed 's/Ref:()//g' | sed 's/\? //g' | awk '{printf "%s %-04s %-70s\t%s\n",$1,$2,$3,$4}'

# Find all links in a file tree
egrep -IRo '(((http(s)?|ftp|telnet|news|gopher)://|mailto:)[^\(\)<\"'\''[:space:]]+)'

# Pretty printing fields with awk
awk -F':' '{printf "%-16s %-16s\n",$1,$2}'

# 'uniq' the file using only the first field
awk '!x[$1]++'

# uniq on the 3rd field of a file
awk '{ if (! third_col[$3]) print $0;  third_col[$3]++; }'

# List directories whose tree contains one or more files
find ./ -type f | awk -F/ '{$NF=""} d[$0]++==0' OFS=/

# How many lines in a file that do not start with # and are not empty would fit in a tweet (140 characters)?
grep -v '^#\|^$' shell1liners.sh | awk '{if (length<141) {print "Tweet("length"): " $0;}}'
grep -v '^#\|^$' shell1liners.sh | awk '{if (length>140) {print "No Tweet("length"): " $0;}}'
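An added example, not one of the original one-liners: the same grep/awk habits applied as triage logic over web-server log lines, the job the IIS one-liner above does for a single address. The log lines are constructed for the example; field numbering follows the Apache/nginx combined format ($1 client, $7 request path, $9 status).

```shell
#!/bin/sh
# Added example, not from the original post: log triage with awk over
# constructed Apache/nginx combined-format lines ($1 client, $7 path, $9 status).

SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [10/Oct/2010:13:55:36 -0700] "GET /admin HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2010:13:55:37 -0700] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2010:13:55:38 -0700] "GET /.git/config HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Oct/2010:13:56:01 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Oct/2010:13:56:02 -0700] "GET /images/../../etc/passwd HTTP/1.1" 403 199 "-" "curl/7.19"
172.16.0.9 - - [10/Oct/2010:13:57:10 -0700] "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0" 404 209 "-" "Nikto"
EOF
)

# top_404_sources: clients ranked by 404 count. A long tail of misses from one
# address is the signature of a directory brute-force.
top_404_sources() {
    awk '$9 == 404 { n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# traversal_hits: requests whose path contains ../ in plain or percent-encoded
# form; tolower() catches %2E%2E as well as %2e%2e.
traversal_hits() {
    awk 'tolower($7) ~ /\.\.\/|\.\.%2f|%2e%2e/ { print $1, $7 }'
}

# status_histogram: one line per status code, the quickest sanity check on a
# log before looking at individual requests.
status_histogram() {
    awk '{ s[$9]++ } END { for (c in s) print c, s[c] }' | sort -n
}

printf '%s\n' "$SAMPLE_LOG" | top_404_sources
printf '%s\n' "$SAMPLE_LOG" | traversal_hits
printf '%s\n' "$SAMPLE_LOG" | status_histogram
```

Each function reads stdin, so the same three work unchanged on a real file (`top_404_sources < access.log`) or behind a `grep` that narrows the window first.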

Checking for SSL Vulnerabilities on the Command Line

Posted by The Shell Shakespear

While Nessus is a wonderful vulnerability scanner, sometimes it is too slow and resource-heavy for individual issues. The following two equivalent scripts perform the checks behind these SSL-related Nessus plugins. Both rely on the local OpenSSL still offering SSLv2 and the LOW/EXP cipher suites, which current releases no longer build in by default; when they are absent the cipher loop has nothing to test and prints nothing, which is not the same as a clean result.

  • 20007: SSL Version 2 (v2) Protocol Detection
  • 26928: SSL Weak Cipher Suites Supported
  • 31705: SSL Anonymous Cipher Suites Supported

The first is the curl version:

#!/bin/bash
# phaas at redspin.com: never use sh when bash is necessary
# Checks the equivalent of Nessus plugins 20007, 26928 and 31705 (10863+21643)

if [ $# -lt 1 ]
then
  echo "List SSL weaknesses present for a given website"
  echo "Usage: $(basename "$0") website {port}"
  exit 1
fi
web=${1-'www.redspin.com'}
port=${2-'443'}

# Check for the insecure SSLv2 protocol (curl must be linked against an SSL library that still offers it)
curl -m1 -Ik "https://$web:$port" --sslv2 &> /dev/null
if [[ "$?" -eq 0 ]]; then echo "$web:$port: (ssl2) Weak SSLv2 encryption enabled"; fi

# Enumerate weak SSL ciphers using curl
IFS=$'\n' # Loop across lines, rather than words
ciphers='LOW:EXP:eNULL:aNULL' # Include EXP (Export Ciphers)
for line in $(openssl ciphers -v "$ciphers" | tr -s ' '); do
	version=$(echo "$line" | cut -d' ' -f2 | tr '[:upper:]' '[:lower:]')  # SSLv3 -> sslv3, TLSv1.2 -> tlsv1.2: curl's option names
	cipher=$(echo "$line" | cut -d' ' -f1)
	auth=$(echo "$line" | grep -o "Au=[^ ]*" | cut -d'=' -f2)
	strength=$(echo "$line" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()')  # bits from Enc=...(n), Kx=RSA(512) is dropped first
	if [[ "$auth" == 'None' ]]; then auth="no"; fi
	if [[ -z "$strength" ]]; then strength="without encryption"; else strength="at $strength bit encryption"; fi

	#echo "curl -m1 -Ik https://$web:$port --ciphers $cipher --$version &> /dev/null"
	curl -m1 -Ik "https://$web:$port" --ciphers "$cipher" "--$version" &> /dev/null
	if [[ "$?" -eq 0 ]]; then
		echo "$web:$port: ($version) $cipher = Supported $strength with $auth authentication support"
	fi
done

And the following is the openssl version:

#!/bin/bash
# phaas at redspin.com: never use sh when bash is necessary
# Checks the equivalent of Nessus plugins 20007, 26928 and 31705 (10863+21643)

if [ $# -lt 1 ]
then
  echo "List SSL weaknesses present for a given website"
  echo "Usage: $(basename "$0") website {port}"
  exit 1
fi
web=${1-'www.redspin.com'}
port=${2-'443'}

# Check for the insecure SSLv2 protocol (needs an OpenSSL built with SSLv2 support)
sslv2=$(echo | openssl s_client -connect "$web:$port" -ssl2 -no_ssl3 -no_tls1 2>/dev/null | grep -i 'SSLv2')
if [ -n "$sslv2" ]; then echo "$web:$port: (ssl2) Weak SSLv2 encryption enabled"; fi

# Enumerate weak SSL ciphers using openssl
IFS=$'\n' # Loop across lines, rather than words
ciphers='LOW:EXP:eNULL:aNULL' # Include EXP (Export Ciphers)
for line in $(openssl ciphers -v "$ciphers" | tr -s ' '); do
	version=$(echo "$line" | cut -d' ' -f2 | tr '[:upper:]' '[:lower:]' | tr -d 'v' | tr '.' '_')  # SSLv3 -> ssl3, TLSv1.2 -> tls1_2: s_client's option names
	cipher=$(echo "$line" | cut -d' ' -f1)
	auth=$(echo "$line" | grep -o "Au=[^ ]*" | cut -d'=' -f2)
	strength=$(echo "$line" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()')  # bits from Enc=...(n), Kx=RSA(512) is dropped first

	if [[ "$auth" == 'None' ]]; then auth="no"; fi
	if [[ -z "$strength" ]]; then strength="without encryption"; else strength="at $strength bit encryption"; fi

	#echo "openssl s_client -connect $web:$port -$version -cipher $cipher"
	# s_client prints DONE after a completed handshake once stdin closes; no DONE means the suite was refused
	supported=$(echo | openssl s_client -connect "$web:$port" "-$version" -cipher "$cipher" 2>&1 | grep DONE)
	if [[ -n "$supported" ]]; then
		echo "$web:$port: ($version) $cipher = Supported $strength with $auth authentication support"
	fi
done

I decided to include both because, while openssl is usually installed by default on most Linux distributions, curl is easier to obtain on Windows machines.
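An added example, not part of either script above: both scripts pull the authentication and strength fields out of `openssl ciphers -v` lines with cut, grep and sed, and only say "supported" or nothing. The classifier below parses the same line format once and names why a suite is weak (anonymous key exchange, null encryption, export grade, sub-128-bit key, a broken cipher, a legacy protocol), which is what ends up in a finding. The suite lines are constructed in that format; on a current OpenSSL build `openssl ciphers -v 'LOW:EXP'` may return nothing at all because those suites are compiled out, which is exactly why a classifier that works on saved output is handy.

```shell
#!/bin/sh
# Added example, not from the original post: classify "openssl ciphers -v"
# lines. Sample lines are constructed in that format (suite, protocol, Kx=,
# Au=, Enc=, Mac=, optional "export").

# weak_reason LINE: print a comma-separated list of weaknesses, or nothing
# when the suite is acceptable.
weak_reason() {
    printf '%s\n' "$1" | awk '{
        reason = ""; auth = ""; enc = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Au=/)     auth = substr($i, 4)
            if ($i ~ /^Enc=/)    enc  = substr($i, 5)
            if ($i == "export")  reason = reason "export-grade,"
        }
        # key size is the number in parentheses after the cipher name, e.g. AES(128)
        bits = enc; sub(/^[^(]*\(/, "", bits); sub(/\).*$/, "", bits)
        if (auth == "None")                     reason = reason "anonymous,"
        if (enc ~ /^None/)                      reason = reason "no-encryption,"
        else if (bits + 0 < 128)                reason = reason "key<128-bit,"
        if (enc ~ /^(RC4|DES|3DES|RC2|IDEA)/)   reason = reason "broken-cipher,"
        if ($2 ~ /^SSLv[23]$/)                  reason = reason "legacy-protocol,"
        sub(/,$/, "", reason); print reason
    }'
}

SAMPLE_SUITES=$(cat <<'EOF'
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
EOF
)

# Print suite name and verdict; an empty verdict means nothing to report.
printf '%s\n' "$SAMPLE_SUITES" | while IFS= read -r line; do
    printf '%-28s %s\n' "${line%% *}" "$(weak_reason "$line")"
done
```

Feed it live output with `openssl ciphers -v 'ALL:COMPLEMENTOFALL' | while IFS= read -r l; do ...; done` to see what your own library would be willing to negotiate before you point it at a target.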

Handling HTTP and SSL in the Shell

Posted by The Shell Shakespear

The topic of this week’s shell1liners is handling HTTP and SSL in Bash:

# netcat scanner for HTTP servers (nc reports on stderr, hence 2>&1)
for i in $(seq 1 255); do nc -n -v -z "192.168.1.$i" 80 2>&1 | grep "open"; done | tee webservers.txt

# Manually perform an HTTP GET request
printf 'GET / HTTP/1.0\r\n\r\n' | nc www.redspin.com 80
# Manually perform an HTTP GET request on an SSL port
printf 'GET / HTTP/1.0\r\n\r\n' | socat - OPENSSL:www.website.com:443,verify=0
# Create a local TCP pipe to a remote SSL port (to allow netcat to probe an SSL service)
socat -vd TCP-LISTEN:8888,fork OPENSSL:www.redspin.com:443,verify=0

# Always connect to a given webserver PORT regardless of whether it is SSL or plain HTTP
(curl -iks -m2 "https://www.redspin.com:PORT" || curl -iks -m2 "www.redspin.com:PORT")

# Perform a check on a list of webservers (HTTP or HTTPS): HOST:PORT -> HOST:PORT|WEB SERVER|HTML Title
# Includes a 2 second timeout using curl's -m2, and parallelisation using xargs's -P10
cat webservers.txt | xargs -P10 -I'{}' bash -c '(curl -Liks -m2 "https://{}" || curl -Liks -m2 "{}") | grep -iao -e "^Server: .*" -e "<title>[^<]*</title>" | sed "s#Server: \(.*\)#|\1|#i;s#</\?title>##ig" | tr -d "\r\n" | sed "1s/^/{}/;\$a\\" | sed "s/^\([^|]*\)|$/\1||/"' | tee webserver_info.txt

# Check if TRACE is enabled on a given website (a live TRACE echoes the request, X-Header included, in the response body)
printf 'TRACE /something HTTP/1.0\r\nX-Header: Trace Enabled\r\n\r\n' | socat - OPENSSL:www.website.com:443,verify=0
# Check for the insecure SSLv2 protocol on a website
echo | openssl s_client -connect WEBSITE:PORT -ssl2 -no_ssl3 -no_tls1 2>/dev/null | grep 'SSLv2'

# Bruteforce a numerical webpath, printing the HTTP status line for each request
max=1000 # highest value to try
for ((i=0;i<=max;i++)); do { printf '%s: ' "$i"; curl -s -I -m2 "http://www.website.com/page/$i" 2>/dev/null | grep '^HTTP/' || echo; } | tee -a webbf.txt; done

# Simple HTTP listener (python -m SimpleHTTPServer on Python 2)
python3 -m http.server
# Simple HTTPS (SSL) listener without a server certificate (only anonymous cipher suites can be negotiated)
sudo openssl s_server -accept 443 -nocert
# Simple HTTPS (SSL) listener with a bad self-signed server certificate (key and certificate end up in the same PEM file)
echo -ne "\n\n\n\n\n\n\n" | openssl req -new -newkey rsa:1024 -days 1 -nodes -x509 -keyout out.pem -out out.pem ; openssl s_server -cert out.pem -www
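An added example, not one of the original one-liners: the webserver_info pipeline above folds a Server header and HTML title into one line per host, and the TRACE probe leaves reading the reply to you. The two functions below do those jobs on a saved response, so they can be tested offline and dropped behind `curl -iks -m2 URL` or the socat line in real use. The responses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Parses raw HTTP responses
# (constructed below); feed real ones with: curl -iks -m2 URL | http_summary

# http_summary: stdin = raw HTTP response -> STATUS|SERVER|TITLE
http_summary() {
    tr -d '\r' | awk '
        NR == 1 && $1 ~ /^HTTP\// { status = $2 }
        tolower($1) == "server:"   { sub(/^[^ ]+ /, ""); server = $0 }
        match(tolower($0), /<title>[^<]*<\/title>/) {
            # RSTART/RLENGTH come from the lowercased copy, offsets are the same
            title = substr($0, RSTART + 7, RLENGTH - 15)
        }
        END { printf "%s|%s|%s\n", status, server, title }'
}

# trace_enabled MARKER: stdin = response to a TRACE request that carried a
# marker header. TRACE is live when the status is 200 and the marker is
# echoed back in the body (after the blank line), not merely in the headers.
trace_enabled() {
    tr -d '\r' | awk -v marker="$1" '
        NR == 1 && $2 == "200"    { ok = 1 }
        body && index($0, marker) { echoed = 1 }
        /^$/                      { body = 1 }
        END { exit !(ok && echoed) }'
}

SAMPLE_GET=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n<html><head><title>Login Portal</title></head><body></body></html>\r\n')
SAMPLE_TRACE=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\nTRACE /something HTTP/1.0\r\nX-Header: Trace Enabled\r\n')
SAMPLE_NOTRACE=$(printf 'HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n')

printf '%s\n' "$SAMPLE_GET" | http_summary
printf '%s\n' "$SAMPLE_TRACE"   | trace_enabled 'X-Header: Trace Enabled' && echo 'TRACE enabled'
printf '%s\n' "$SAMPLE_NOTRACE" | trace_enabled 'X-Header: Trace Enabled' || echo 'TRACE disabled'
```

Checking for the marker only after the blank line matters: a proxy that rejects TRACE with a 200 page, or a server that reflects request headers into its own response headers, would otherwise look like a positive.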

An Introduction to Shell One Liners

Posted by The Shell Shakespear

Knowledge and use of the command line is a powerful tool that can aid in the creation, modification and automation of the routine tasks that a security auditor, or any computer user, may come up against. The flexibility, simplicity and leetness of the shell one-liner can replace thousand-line Perl programs that would otherwise be thrown away once the task is complete. We have decided to share some of our favorite one-liners that we have found useful, either culled from other sources or created by ourselves. All of these examples should run comfortably from a Linux bash shell or its Cygwin equivalent on Windows, with the required applications listed in the one-liner.

The topic of this week is IP address manipulation:

# Sort by IP address
sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4

# Sort by IP address and port, formatted IP:PORT
sed 's#:#.#' | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 | sed 's#\(\([0-9]\{1,3\}\.\)\{4\}\)#\1:#;s#\.:#:#'

# IP2HOST: IP -> IP (HOST) using the 'host' command from the bind-host package shipped with Ubuntu
for i in $(cat ips.txt); do echo "$i ($(host "$i" | grep -v NXDOMAIN | cut -d' ' -f5))"; done | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4 | sed 's#()##' | tee ip_hosts.txt

# HOST2IP: HOST -> IP (HOST) using the 'host' command available in Ubuntu
for i in $(cat hosts.txt); do host "$(echo "$i" | tr -d '[:blank:]')" | grep -v -e 'alias' -e 'handled' -e 'timed' | sed 's/Host \(.*\) .*/\1 0.0.0.0/' | sed "s/;;.*/$i - - 0.0.0.0/" | awk -F' ' '{printf "%s (%s)\n",$4,$1}'; done | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4 | tee ip_hosts.txt

# Print IP addresses in a file
egrep -o '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}'

# Print IP addresses in a file: Perl edition
perl -nle 'print $& if /(\d{1,3}\.){3}\d{1,3}/'

# Print IP addresses in all files in the current directory tree, with colour highlighting of the matches
find . -type f -exec egrep -a -H -n --color=auto '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' {} \;
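An added example, not one of the original one-liners: the extractors above accept 999.999.999.999 and will happily pull a dotted quad out of the middle of a longer string, which pollutes a target list. This version constrains each octet to 0-255, anchors on word boundaries (`\b`, a GNU grep extension), deduplicates, and sorts the result numerically octet by octet. The input text is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: strict IPv4 extraction and sort.
# Assumes GNU grep (\b) and GNU sort. Sample text is constructed.

# extract_ipv4: stdin -> one syntactically valid dotted quad per line, deduplicated
extract_ipv4() {
    grep -oE '\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b' |
        sort_ipv4 | uniq
}

# sort_ipv4: numeric sort on all four octets, so 192.168.1.9 precedes 192.168.1.10
sort_ipv4() {
    sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

SAMPLE_TEXT=$(cat <<'EOF'
Scanning 192.168.1.10 and 192.168.1.9; gateway 10.0.0.1, bogus 256.1.1.1,
loopback 127.0.0.1 seen again at 10.0.0.1 (and as 10.0.0.1:443)
EOF
)

printf '%s\n' "$SAMPLE_TEXT" | extract_ipv4
```

The octet pattern rejects leading zeros as well (01.2.3.4 does not match), which is deliberate: several resolvers and `inet_aton` read such octets as octal, so an address written that way needs a human look rather than a silent scan.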

Thanks to readers for suggesting the color syntax support implemented using wp-syntax. I furthermore learned that the Visual Editor of WP was oppressing my HTML code, stripping tags in the WP-Syntax <pre> tag that should be present, so I’ll be keeping my edits in HTML mode from now on.