Cutting accounts down to scythe
BruCON 2012 (Lightning Talk)
Ghent, Belgium (27th Sept. 2012)

Cutting accounts down to scythe!

---------- Abstract: ----------
Scythe is a framework for user/account enumeration. It is designed to allow users to easily extend and add new modules as required for POC attacks during penetration tests.

The framework offers the ability to check a list of user accounts/email addresses against a given website to see which accounts are valid.

Advanced features include cookie and CSRF token support, as well as error detection and timeout/retry functions.

Currently in beta, available from gi


Transcript

  • 1. Cutting accounts down to SCYTHE! Chris John Riley
  • 2. “THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING” SOCRATES: APOLOGY, 21D
  • 3. NOT AN EXPERT!
  • 4. 1) What 2) Why 3) How 4) Q’s
  • 5. WHAT?
  • 6. FRAMEWORK FOR USER ENUMERATION
  • 7. WhatWritten in Python ThreadedModular Description files (XML)Easy to use Hopefully!
  • 8. WHY?
  • 9. BECAUSE PENETRATION TESTERS ARE…
  • 10. Why
      • Speed up account enumeration
          • POC Examples
      • Offer advanced features
          • Cookie support
          • CSRF token collection
          • Wait / Retries
          • Threading
  • 11. HOW?
  • 12. IT ALL STARTS WITH A MODULE
  • 13. BASIC
  • 14. Basic module

        <module>
          <site>
            <name>basic module</name>
            <!-- <ACCOUNT> is replaced with each account under test -->
            <url><![CDATA[https://example.com/signup_check/?username=<ACCOUNT>]]></url>
            <method>GET</method>
            <successmatch>taken</successmatch>
          </site>
        </module>
  • 15. ADVANCED
  • 16. Full module

        <!-- Wordpress.com - Logon user enumeration issue -->
        <module>
          <site>
            <name>Wordpress.com</name>
            <url><![CDATA[https://wordpress.com/wp-login.php]]></url>
            <method>POST</method>
            <postParameters>
              <![CDATA[log=<ACCOUNT>&pwd=<RANDOM>&redirect_to=http://wordpress.com]]>
            </postParameters>
            <headers></headers>
            <requestCookie>False</requestCookie>
            <requestCSRF>False</requestCSRF>
            <successmatch>The password you entered for the email or user</successmatch>
            <negativematch>Invalid email or username</negativematch>
            <errormatch>You have exceeded the login limit</errormatch>
            <date>13/09/2012</date>
            <version>2</version>
            <author>CJR</author>
            <category>blogs</category>
          </site>
        </module>
  • 18. First half of the module (request definition)

        <!-- Wordpress.com - Logon user enumeration issue -->
        <module>
          <site>
            <name>Wordpress.com</name>
            <url><![CDATA[https://wordpress.com/wp-login.php]]></url>
            <method>POST</method>
            <postParameters>
              <![CDATA[log=<ACCOUNT>&pwd=<RANDOM>&redirect_to=http://wordpress.com]]>
            </postParameters>

  • 19. Second half of the module (options, match strings, metadata)

            <headers></headers>
            <requestCookie>False</requestCookie>
            <requestCSRF>False</requestCSRF>
            <successmatch>The password you entered for the email or user</successmatch>
            <negativematch>Invalid email or username</negativematch>
            <errormatch>You have exceeded the login limit</errormatch>
            <date>13/09/2012</date>
            <version>2</version>
            <author>CJR</author>
            <category>blogs</category>
          </site>
        </module>
  • 20. ADD A LIST OF USERNAMES / EMAILS
  • 21. # usernames/email 1 per line
        testtestusertestuser2testtestdevuser…
        or just --account=test,test2,…
  • 22. MIX AND LEAVE TO RUN FOR A FEW MINUTES
  • 23. How XML contains replacement points  <ACCOUNT>  <RANDOM>  <CSRFTOKEN> These are used to create testcases
  • 24. GOALS
  • 25. Goals: Flexible Running
      • Single module (targeted)
          • --single wordpress.com
      • Category of modules
          • --category=blogs
      • Single account
          • --account=test
      • Filename containing accounts
          • --accountfile=accounts.txt
  • 26. Goals: Flexible Handling
      • Error detection
          • Retry on error (<errorcode>)
          • --retries and --retrytime
      • Handles cookies and CSRF tokens
          • <CSRF_URL>
          • <CSRF_regex> to extract token
          • Insert into request using <CSRFTOKEN>
  • 27. Goals: Flexible Output
      • Verbose output
          • Detailed request info
      • Output success to file
          • Summary at completion
      • Debug mode
          • Stores body and headers for each request
  • 28. GITHUB.COM/CHRISJOHNRILEY/SCYTHE
  • 29. Questions?
  • 30. GO FORTH AND ENUMERATE ALL THE THINGS!
  • 31. Thanks for coming http://c22.cc contact@c22.cc
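
The match strings on slides 16 to 19 only work because the login page answers differently for existing and missing accounts. The following added example (not from the talk or the scythe code base) parses a constructed module in the slide format and applies its match strings to two stub login handlers, showing that a uniform failure message leaves nothing to match on; the `example.test` host, the handler names and the order in which the matchers are checked are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed module in the slide format; example.test is a placeholder host.
MODULE_XML = """<module><site>
  <name>demo login</name>
  <url><![CDATA[https://example.test/login]]></url>
  <method>POST</method>
  <successmatch>The password you entered for the email or user</successmatch>
  <negativematch>Invalid email or username</negativematch>
  <errormatch>You have exceeded the login limit</errormatch>
</site></module>"""

USERS = {"alice": "correct horse"}  # constructed account store for the stubs

def load_matchers(xml_text):
    """Return the three match strings of the module's <site> element."""
    site = ET.fromstring(xml_text).find("site")
    keys = ("successmatch", "negativematch", "errormatch")
    return {k: (site.findtext(k) or "").strip() for k in keys}

def classify(body, m):
    """Verdict for one response body (checking errormatch first is an assumption)."""
    if m["errormatch"] and m["errormatch"] in body:
        return "error"
    if m["successmatch"] and m["successmatch"] in body:
        return "exists"
    if m["negativematch"] and m["negativematch"] in body:
        return "absent"
    return "unknown"

def leaky_login(user, pwd):
    """Stub handler whose failure text depends on whether the account exists."""
    if user not in USERS:
        return "Invalid email or username"
    if USERS[user] != pwd:
        return "The password you entered for the email or username %s is incorrect" % user
    return "Welcome"

def uniform_login(user, pwd):
    """Stub handler with one failure text for every failed attempt."""
    return "Welcome" if USERS.get(user) == pwd else "Incorrect username or password"

def distinguishable(login, m):
    """True if a wrong password yields different verdicts for a real and a missing account."""
    return classify(login("alice", "x"), m) != classify(login("nobody", "x"), m)

if __name__ == "__main__":
    m = load_matchers(MODULE_XML)
    print("leaky:", distinguishable(leaky_login, m), "uniform:", distinguishable(uniform_login, m))
```

The check covers response bodies only; status codes, redirects and response timing can still differ between the two cases.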
