Cutting accounts down to SCYTHE! Chris John Riley


BruCON 2012 (Lightning Talk)
Ghent, Belgium (27th Sept. 2012)

Cutting accounts down to scythe!

---------- Abstract: ----------
Scythe is a framework for user/account enumeration. It is designed to allow users to easily extend and add new modules as required for POC attacks during penetration tests.

The framework offers the ability to check a list of user accounts/email addresses against a given website to see which accounts are valid.

Advanced features include cookie and CSRF token support, as well as error detection and timeout/retry functions.

Currently in beta, available from gi

Published in: Technology

Cutting accounts down to scythe

  1. Cutting accounts down to SCYTHE! Chris John Riley
  2. “THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING” SOCRATES: APOLOGY, 21D
  3. NOT AN EXPERT!
  4. 1) What 2) Why 3) How 4) Q’s
  5. WHAT?
  6. FRAMEWORK FOR USER ENUMERATION
  7. What
       • Written in Python
           • Threaded
       • Modular
           • Description files (XML)
       • Easy to use
           • Hopefully!
  8. WHY?
  9. BECAUSE PENETRATION TESTERS ARE…
  10. Why
       • Speed up account enumeration
           • POC Examples
       • Offer advanced features
           • Cookie support
           • CSRF token collection
           • Wait / Retries
           • Threading
  11. HOW?
  12. IT ALL STARTS WITH A MODULE
  13. BASIC
  14. Basic module

      ```xml
      <module>
        <site>
          <name>basic module</name>
          <url><![CDATA[https://example.com/signup_check/?username=<ACCOUNT>]]></url>
          <method>GET</method>
          <successmatch>taken</successmatch>
        </site>
      </module>
      ```
  15. ADVANCED
  16. 

      ```xml
      <!-- Wordpress.com - Logon user enumeration issue -->
      <module>
        <site>
          <name>Wordpress.com</name>
          <url><![CDATA[https://wordpress.com/wp-login.php]]></url>
          <method>POST</method>
          <postParameters>
            <![CDATA[log=<ACCOUNT>&pwd=<RANDOM>&redirect_to=http://wordpress.com]]>
          </postParameters>
          <headers></headers>
          <requestCookie>False</requestCookie>
          <requestCSRF>False</requestCSRF>
          <successmatch>The password you entered for the email or user</successmatch>
          <negativematch>Invalid email or username</negativematch>
          <errormatch>You have exceeded the login limit</errormatch>
          <date>13/09/2012</date>
          <version>2</version>
          <author>CJR</author>
          <category>blogs</category>
        </site>
      </module>
      ```
  20. ADD A LIST OF USERNAMES / EMAILS
  21. 

      ```
      # usernames/email 1 per line
      test
      testuser
      testuser2
      testtest
      devuser
      …
      ```

      or just --account=test,test2,…
  22. MIX AND LEAVE TO RUN FOR A FEW MINUTES
  23. How
       • XML contains replacement points
           • <ACCOUNT>
           • <RANDOM>
           • <CSRFTOKEN>
       • These are used to create testcases
  24. GOALS
  25. Goals: Flexible Running
       • Single module (targeted)
           • --single wordpress.com
       • Category of modules
           • --category=blogs
       • Single account
           • --account=test
       • Filename containing accounts
           • --accountfile=accounts.txt
  26. Goals: Flexible Handling
       • Error detection
           • Retry on error (<errorcode>)
           • --retries and --retrytime
       • Handles cookies and CSRF tokens
           • <CSRF_URL>
           • <CSRF_regex> to extract token
           • Insert into request using <CSRFTOKEN>
  27. Goals: Flexible Output
       • Verbose output
           • Detailed request info
       • Output success to file
       • Summary at completion
       • Debug mode
           • Stores body and headers for each request
  28. GITHUB.COM/CHRISJOHNRILEY/SCYTHE
  29. Questions?
  30. GO FORTH AND ENUMERATE ALL THE THINGS!
  31. Thanks for coming http://c22.cc contact@c22.cc
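
How the match strings in a module description turn differing login responses into an account-existence signal, and why a uniform failure message removes that signal, shown as an added Python example (not Scythe's code and not part of the slides). The function names and the response bodies are constructed for illustration; only the three match strings come from slide 16.

```python
import xml.etree.ElementTree as ET

# Module description reduced to the fields used here; match strings are from slide 16.
MODULE_XML = """<module>
  <site>
    <name>Wordpress.com</name>
    <successmatch>The password you entered for the email or user</successmatch>
    <negativematch>Invalid email or username</negativematch>
    <errormatch>You have exceeded the login limit</errormatch>
  </site>
</module>"""


def load_matchers(xml_text):
    """Return {site name: {verdict: match string}} for every <site> in a module."""
    verdict_tags = {"errormatch": "error", "successmatch": "exists",
                    "negativematch": "absent"}
    sites = {}
    for site in ET.fromstring(xml_text).iter("site"):
        matchers = {}
        for tag, verdict in verdict_tags.items():
            text = (site.findtext(tag) or "").strip()
            if text:
                matchers[verdict] = text
        sites[site.findtext("name").strip()] = matchers
    return sites


def classify(body, matchers):
    """Map one response body to a verdict; a rate-limit error takes priority."""
    for verdict in ("error", "exists", "absent"):
        needle = matchers.get(verdict)
        if needle and needle in body:
            return verdict
    return "unknown"


def leaks_account_state(body_for_known, body_for_unknown, matchers):
    """True when the two bodies get different verdicts, i.e. an oracle exists."""
    return classify(body_for_known, matchers) != classify(body_for_unknown, matchers)


# Constructed response bodies (hypothetical, not captured traffic).
LEAKY_KNOWN = "<p>ERROR: The password you entered for the email or username test is incorrect.</p>"
LEAKY_UNKNOWN = "<p>ERROR: Invalid email or username.</p>"
UNIFORM = "<p>ERROR: The login details you entered are incorrect.</p>"
THROTTLED = "<p>You have exceeded the login limit. Try again later.</p>"
```

Running `leaks_account_state` against the responses of your own login form for one known and one unknown account is a quick regression check that the failure message stays uniform.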
