Termux ID: Denial of Service


cve-search is a tool to import CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration) into a MongoDB to facilitate search and processing of CVEs.
The main objective of the software is to avoid doing direct, public lookups in the public CVE databases. Local lookups are usually faster, and they limit the sensitive queries you send over the Internet.
cve-search includes a back-end to store vulnerabilities and related information, an intuitive web interface for searching and managing vulnerabilities, a series of tools to query the system and a web API interface.
cve-search is used by many organizations including the public CVE services of CIRCL.

Requirements
The requirements can be installed with pip:
sudo pip3 install -r requirements.txt

Installation of MongoDB
First, you'll need to have a Python 3 installation (3.3 or higher). Then you need to install MongoDB (2.2) from source (this should also work with any standard packages from your favorite distribution). Don't forget to install the headers for development while installing MongoDB. You can go to http://docs.mongodb.org/manual/installation/ to get the packages for your distribution, or http://www.mongodb.org/downloads for the source code.

Populating the database
For the initial run, you need to populate the CVE database by running:
./sbin/db_mgmt.py -p
./sbin/db_mgmt_cpe_dictionary.py
./sbin/db_updater.py -c
It will fetch all the existing XML files from the Common Vulnerabilities and Exposures database and the Common Platform Enumeration. The initial Common Platform Enumeration (CPE) import might take some time depending on your configuration.
If you want to add the cross-references from NIST, Red Hat and other vendors:
./sbin/db_mgmt_ref.py
More detailed documentation can be found in the Documentations folder of the project.

Databases and collections
The MongoDB database is called cvedb and there are 11 collections:
  • cves (Common Vulnerabilities and Exposure items) - source NVD NIST
  • cpe (Common Platform Enumeration items) - source NVD NIST
  • cwe (Common Weakness Enumeration items) - source NVD NIST
  • capec (Common Attack Pattern Enumeration and Classification) - source NVD NIST
  • ranking (ranking rules per group) - local cve-search
  • d2sec (Exploitation reference from D2 Elliot Web Exploitation Framework) - source d2sec.com
  • MITRE Reference Key/Maps - source MITRE reference Key/Maps
  • ms - (Microsoft Bulletin (Security Vulnerabilities and Bulletin)) - source Microsoft
  • exploitdb (Offensive Security - Exploit Database) - source offensive security
  • info (metadata of each collection like last-modified) - local cve-search
  • via4 VIA4CVE cross-references.
The Redis database has 3 databases:
  • 10: The cpe (Common Platform Enumeration) cache - source MongoDB cvedb collection cpe
  • 11: The notification database - source cve-search
  • 12: The CVE reference database is a cross-reference database to CVE ids against various vendors ID - source NVD NIST/MITRE
The reference database has 3 additional sources:

Updating the database
An updater script helps to start the db_mgmt_* scripts:
./sbin/db_updater.py -v
You can run it in a crontab, logging is done in syslog by default.

Repopulating the database
To easily drop and re-populate all the databases:
./sbin/db_updater.py -v -f
This will drop all the existing external sources and reimport everything. This operation can take some time and it's usually only required when parsing of new attributes is added to cve-search.

Usage
You can search the database using search.py
./bin/search.py -p cisco:ios:12.4
./bin/search.py -p cisco:ios:12.4 -o json
./bin/search.py -f nagios -n
./bin/search.py -p microsoft:windows_7 -o html
If you want to search all the WebEx vulnerabilities and print only the official references from the supplier:
./bin/search.py -p webex: -o csv  -v "cisco"
You can also dump the JSON for a specific CVE ID.
./bin/search.py -c CVE-2010-3333
Or you can use the XMPP bot
./bin/search_xmpp.py -j mybot@jabber.org -p strongpassword
Or dump the last 2 CVE entries in RSS or Atom format
./bin/dump_last.py -f atom -l 2
Or you can use the web interface.
./web/index.py

Usage of the ranking database
There is a ranking database that lets you rank software vulnerabilities based on their common platform enumeration name. The ranking can be done per organization, per department within your organization, or under any name that is meaningful to you.
As an example, you can add a partial CPE name like "sap:netweaver" which is very critical for your accounting department.
./sbin/db_ranking.py  -c "sap:netweaver" -g "accounting" -r 3
and then you can lookup the ranking (-r option) for a specific CVE-ID:
./bin/search.py -c CVE-2012-4341  -r  -n

Advanced usage
As cve-search is based on a set of tools, it can be used and combined with standard Unix tools. If you ever wonder which vendors most often use the term "unknown" for their vulnerabilities:
python3 bin/search_fulltext.py -q unknown -f | jq -c '. | .vulnerable_configuration[0]' | cut -f5 -d: | sort  | uniq -c  | sort -nr | head -10

1500 oracle
381 sun
372 hp
232 google
208 ibm
126 mozilla
103 microsoft
100 adobe
78 apple
68 linux
You can compare the CVSS (Common Vulnerability Scoring System) values of some products based on their CPE name, for example comparing oracle:java with sun:jre and using R to compute some statistics about their CVSS values:
python3 bin/search.py -p oracle:java -o json  | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file("stdin"))[,1]))'
Min. 1st Qu. Median Mean 3rd Qu. Max.
1.800 5.350 9.300 7.832 10.000 10.000


python3 bin/search.py -p sun:jre -o json | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file("stdin"))[,1]))'
Min. 1st Qu. Median Mean 3rd Qu. Max.
0.000 5.000 7.500 7.333 10.000 10.000

Fulltext indexing
If you want to index all the CVEs from your current MongoDB collection:
./sbin/db_fulltext.py
and then query the fulltext index (to get a list of matching CVE-IDs):
./bin/search_fulltext.py -q NFS -q Linux
or to query the fulltext index and output the JSON object for each CVE-ID:
./bin/search_fulltext.py -q NFS -q Linux -f

Fulltext visualization
The fulltext indexer visualization uses the fulltext indexes to build a list of the most common keywords used in CVEs. NLTK is required to generate the keywords with the most common English stopwords and to lemmatize the output. NLTK for Python 3 exists, but you need to use the alpha version of NLTK.
./bin/search_fulltext.py  -g -s >cve.json


You can see a visualization on the demo site.

Web interface
The web interface is a minimal interface to see the last CVE entries and query a specific CVE. You'll need Flask and Flask-PyMongo in order to run the website. To start the web interface:
cd ./web
./index.py
Then you can connect to http://127.0.0.1:5000/ to browse the last CVEs.

Web API interface
The web interface includes a minimal JSON API to get CVE by ID, by vendor or product. A public version of the API is also accessible on cve.circl.lu.
List the known vendors in JSON
curl http://127.0.0.1:5000/api/browse/
Dump the products of a specific vendor in JSON
curl  http://127.0.0.1:5000/api/browse/zyxel 
{
"product": [
"n300_netusb_nbg-419n",
"n300_netusb_nbg-419n_firmware",
"p-660h-61",
"p-660h-63",
"p-660h-67",
"p-660h-d1",
"p-660h-d3",
"p-660h-t1",
"p-660h-t3",
"p-660hw",
"p-660hw_d1",
"p-660hw_d3",
"p-660hw_t3"
],
"vendor": "zyxel"
}
Find the vulnerabilities associated with a vendor and a product
curl  http://127.0.0.1:5000/api/search/zyxel/p-660hw
[{"cwe": "CWE-352", "references": ["http://www.exploit-db.com/exploits/33518", "http://secunia.com/advisories/58513", "http://packetstormsecurity.com/files/126812/Zyxel-P-660HW-T1-Cross-Site-Request-Forgery.html", "http://osvdb.org/show/osvdb/107449"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw:_t1:v3"], "Published": "2014-06-16T14:55:09.713-04:00", "id": "CVE-2014-4162", "Modified": "2014-07-17T01:07:29.683-04:00", "cvss": 6.8, "summary": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1."}, {"cwe": "CWE-20", "references": ["http://www.kb.cert.org/vuls/id/893726"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660h-63:-", "cpe:/h:zyxel:p-660h-t1:-", "cpe:/h:zyxel:p-660h-d3:-", "cpe:/h:zyxel:p-660h-t3:v2", "cpe:/h:zyxel:p-660h-t1:v2", "cpe:/h:zyxel:p-660h-d1:-", "cpe:/h:zyxel:p-660h-67:-", "cpe:/h:zyxel:p-660h-61:-", "cpe:/h:zyxel:p-660hw_t3:v2", "cpe:/h:zyxel:p-660hw_t3:-", "cpe:/h:zyxel:p-660hw_d3:-", "cpe:/h:zyxel:p-660hw_d1:v2", "cpe:/h:zyxel:p-660hw_d1:-", "cpe:/h:zyxel:p-660hw:_t1:v2", "cpe:/h:zyxel:p-660hw:_t1:-"], "Published": "2014-04-01T23:58:16.967-04:00", "id": "CVE-2013-3588", "Modified": "2014-04-02T11:29:53.243-04:00", "cvss": 7.8, "summary": "The web management interface on Zyxel P660 devices allows remote attackers to cause a denial of service (reboot) via a flood of TCP SYN packets."}, {"cwe": "CWE-79", "references": ["http://osvdb.org/ref/99/rompager407.pdf", "http://osvdb.org/99694", "http://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf"], "vulnerable_configuration": ["cpe:/h:d-link:dsl-2640r:-", "cpe:/h:d-link:dsl-2641r:-", "cpe:/h:huawei:mt882:-", "cpe:/h:sitecom:wl-174:-", "cpe:/h:tp-link:td-8816:-", "cpe:/a:allegrosoft:rompager:4.07", "cpe:/h:zyxel:p-660hw_d1:-"], "Published": 
"2014-01-16T14:55:04.607-05:00", "id": "CVE-2013-6786", "Modified": "2014-01-17T11:01:47.353-05:00", "cvss": 4.3, "summary": "Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the \"forbidden author header\" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a \"URL redirection\" issue that some sources list separately."}, {"cwe": "CWE-79", "references": ["http://xforce.iss.net/xforce/xfdb/41109", "http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw_t3:v2", "cpe:/h:zyxel:p-660hw:_t1:v2", "cpe:/h:zyxel:p-660hw_d1:v2", "cpe:/h:zyxel:p-660hw_t3:-", "cpe:/h:zyxel:p-660hw:_t1:-", "cpe:/h:zyxel:p-660hw_d3:-", "cpe:/h:zyxel:p-660hw_d1:-"], "Published": "2008-03-10T13:44:00.000-04:00", "id": "CVE-2008-1257", "Modified": "2012-05-31T00:00:00.000-04:00", "cvss": 4.3, "summary": "Cross-site scripting (XSS) vulnerability in Forms/DiagGeneral_2 on the ZyXEL P-660HW series router allows remote attackers to inject arbitrary web script or HTML via the PingIPAddr parameter."}, {"id": "CVE-2008-1256", "references": ["http://xforce.iss.net/xforce/xfdb/41108", "http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"], "Published": "2008-03-10T13:44:00.000-04:00", "Modified": "2011-03-07T22:06:25.080-05:00", "cvss": 10.0, "summary": "The ZyXEL P-660HW series router has \"admin\" as its default password, which allows remote attackers to gain administrative access."}, {"cwe": "CWE-264", 
"references": ["http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/", "http://xforce.iss.net/xforce/xfdb/41114"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"], "Published": "2008-03-10T13:44:00.000-04:00", "id": "CVE-2008-1255", "Modified": "2008-09-05T17:37:15.440-04:00", "cvss": 10.0, "summary": "The ZyXEL P-660HW series router maintains authentication state by IP address, which allows remote attackers to bypass authentication by establishing a session from a source IP address of a previously authenticated user."}, {"cwe": "CWE-352", "references": ["http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/", "http://xforce.iss.net/xforce/xfdb/41111"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"], "Published": "2008-03-10T13:44:00.000-04:00", "id": "CVE-2008-1254", "Modified": "2008-09-05T17:37:15.287-04:00", "cvss": 6.8, "summary": "Multiple cross-site request forgery (CSRF) vulnerabilities on the ZyXEL P-660HW series router allow remote attackers to (1) change DNS servers and (2) add keywords to the \"bannedlist\" via unspecified vectors."}]
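The response above is easier to act on once it is sorted and grouped. The following added example (not part of cve-search) ranks records by CVSS score and groups CVE IDs by the exact product named in each CPE URI; the function names and the 7.0 threshold are assumptions, and the sample is abridged from the response above.

```python
import json
import urllib.parse
import urllib.request
from collections import defaultdict

API = "http://127.0.0.1:5000/api/search"  # local endpoint from the curl call

# Abridged from the response above: only the fields used below are kept.
SAMPLE = [
    {"id": "CVE-2014-4162", "cvss": 6.8, "cwe": "CWE-352",
     "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw:_t1:v3"]},
    {"id": "CVE-2013-3588", "cvss": 7.8, "cwe": "CWE-20",
     "vulnerable_configuration": ["cpe:/h:zyxel:p-660h-63:-",
                                  "cpe:/h:zyxel:p-660hw_t3:v2"]},
    {"id": "CVE-2013-6786", "cvss": 4.3, "cwe": "CWE-79",
     "vulnerable_configuration": ["cpe:/a:allegrosoft:rompager:4.07",
                                  "cpe:/h:zyxel:p-660hw_d1:-"]},
    {"id": "CVE-2008-1256", "cvss": 10.0,  # this record has no "cwe" key
     "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"]},
    {"id": "CVE-2008-1255", "cvss": 10.0, "cwe": "CWE-264",
     "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"]},
]


def fetch(vendor, product, base=API, timeout=10):
    """Query a running instance; each path segment is percent-encoded."""
    path = "/".join(urllib.parse.quote(p, safe="") for p in (vendor, product))
    with urllib.request.urlopen(f"{base}/{path}", timeout=timeout) as resp:
        return json.load(resp)


def triage(records, min_cvss=7.0):
    """Return (id, cvss, cwe) at or above min_cvss, highest score first."""
    hits = []
    for rec in records:
        score = rec.get("cvss")
        if isinstance(score, (int, float)) and score >= min_cvss:
            hits.append((rec["id"], float(score), rec.get("cwe", "unclassified")))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def by_product(records, vendor):
    """Map each product of `vendor` named in a CPE URI to its CVE ids."""
    out = defaultdict(set)
    for rec in records:
        for cpe in rec.get("vulnerable_configuration", []):
            parts = cpe.split(":")  # cpe:/<part>:<vendor>:<product>[:...]
            if len(parts) >= 4 and parts[0] == "cpe" and parts[2] == vendor:
                out[parts[3]].add(rec["id"])
    return {prod: sorted(ids) for prod, ids in sorted(out.items())}


if __name__ == "__main__":
    for cve_id, score, cwe in triage(SAMPLE):
        print(f"{score:4.1f}  {cve_id}  {cwe}")
    for product, ids in by_product(SAMPLE, "zyxel").items():
        print(product, ", ".join(ids))
```

Grouping by product shows that a search for p-660hw also returns records whose CPE names p-660hw_d1 or p-660hw_t3, so confirm the exact model before acting on a hit.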

Software using cve-search

cve-search - A Tool To Perform Local Searches For Known Vulnerabilities


Habu is meant to teach (and learn) some concepts about Python and Network Hacking.
These are basic functions that help with some tasks for Ethical Hacking and Penetration Testing.
Most of them are related to networking, and the implementations are intended to be understandable for anyone who wants to read the source code and learn from it.

Some techniques implemented in the current version are:
  • ARP Poisoning
  • ARP Sniffing
  • DHCP Discover
  • DHCP Starvation
  • LAND Attack
  • SNMP Cracking
  • SYN Flooding
  • TCP Flags Analysis
  • TCP ISN Analysis
  • TCP Port Scan


Installation
To install Habu, simply:
$ pip3 install habu


Dependencies
Habu requires:
  • Click
  • Python (3.x)
  • Scapy-Python3
  • Matplotlib (Optional, only needed if you want to make some graphs)


Get Help
All the commands implement the option '--help', that shows the help, arguments, options, and default values.


Verbose Mode
Almost all commands implement the verbose mode with the '-v' option. This can give you some extra info about what habu is doing.


habu.arpoison: ARP Poisoning
This command sends ARP 'is-at' packets to each victim, poisoning their ARP tables so that they send their traffic to your system.
$ sudo habu.arpoison 192.168.1.5 192.168.1.6
Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.6
Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.5
Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.6
Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.5
...
Note: If you want a full working Man In The Middle attack, you need to enable the packet forwarding on your operating system to act like a router. You can do that using:
echo 1 > /proc/sys/net/ipv4/ip_forward


habu.arpsniff: Discover devices on your LAN capturing ARP packets
This command listens for ARP packets and shows information about each device.
Columns: Seconds from last packet | IP | MAC | Vendor
1 192.168.0.1 a4:08:f5:19:17:a4 Sagemcom Broadband SAS
7 192.168.0.2 64:bc:0c:33:e5:57 LG Electronics (Mobile Communications)
2 192.168.0.5 00:c2:c6:30:2c:58 Intel Corporate
6 192.168.0.7 54:f2:01:db:35:58 Samsung Electronics Co.,Ltd
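On the monitoring side, the 'is-at' replies shown under habu.arpoison are easy to spot when compared with a known-good IP/MAC table like the one habu.arpsniff builds. The following added example (not part of Habu) flags an IP that moves to a different MAC and a MAC that answers for several IPs; the baseline and the captured lines are constructed.

```python
import re
from collections import defaultdict

# Matches the 'is-at' lines shown above: "... ARP is at <mac> says <ip>".
IS_AT = re.compile(
    r"ARP is at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) says (\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)


def detect_arp_spoofing(lines, baseline):
    """Compare ARP replies with a trusted IP -> MAC baseline.

    Returns (rebinds, multi):
      rebinds: [(ip, trusted_mac, claimed_mac)] in first-seen order
      multi:   {mac: [ips]} for MACs that claimed more than one IP
    """
    trusted = {ip: mac.lower() for ip, mac in baseline.items()}
    claims = defaultdict(set)   # mac -> IPs it has announced
    rebinds, seen = [], set()
    for line in lines:
        m = IS_AT.search(line)
        if not m:
            continue            # not an ARP reply line
        mac, ip = m.group(1).lower(), m.group(2)
        claims[mac].add(ip)
        expected = trusted.get(ip)
        if expected and expected != mac and (ip, mac) not in seen:
            seen.add((ip, mac))  # report each conflicting pair once
            rebinds.append((ip, expected, mac))
    multi = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    return rebinds, multi


# Constructed baseline, e.g. recorded during a quiet period.
BASELINE = {
    "192.168.1.1": "a4:08:f5:19:17:a4",
    "192.168.1.5": "64:bc:0c:33:e5:57",
    "192.168.1.6": "54:f2:01:db:35:58",
}

# Constructed capture in the same line format as the output above.
CAPTURE = """\
Ether / ARP is at a4:08:f5:19:17:a4 says 192.168.1.1
Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.6
Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.5
Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.6
Ether / ARP who has 192.168.1.1 says 192.168.1.5
""".splitlines()

if __name__ == "__main__":
    rebinds, multi = detect_arp_spoofing(CAPTURE, BASELINE)
    for ip, old, new in rebinds:
        print(f"ALERT {ip} moved from {old} to {new}")
    for mac, ips in multi.items():
        print(f"ALERT {mac} answers for {', '.join(ips)}")
```

A MAC answering for several IPs is not always hostile (proxy ARP and some gateways do it), so the rebind list is the stronger signal.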


habu.contest: Check your connection capabilities
This command tries to connect to various services and check if you can reach them using your internet connection.
$ habu.contest
IP: True
DNS: True
FTP: True
SSH: True
HTTP: True
HTTPS: True


habu.dhcp_discover: Discover DHCP servers
This command sends a DHCP request and shows which devices have replied. Using the '-v' parameter (verbose) you can see all the options (like DNS servers) included in the responses.
$ sudo habu.dhcp_discover
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.5:bootpc / BOOTP / DHCP


habu.dhcp_starvation: Fill the DHCP leases
This command sends multiple DHCP requests from forged MAC addresses to fill the DHCP server's leases. When all the available network addresses are assigned, the DHCP server stops sending responses, so some attacks, like DHCP spoofing, can be made.
$ sudo habu.dhcp_starvation
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.6:bootpc / BOOTP / DHCP
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.7:bootpc / BOOTP / DHCP
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.8:bootpc / BOOTP / DHCP


habu.eicar: Prints the EICAR test string
This command prints the EICAR test string that can be used to test antimalware engines. More info: http://www.eicar.org/86-0-Intended-use.html
$ habu.eicar
X5O!P%@AP[4\XZP54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Note: The string above is deliberately incorrect, because it is not a good idea to write the complete string in this text file; some antivirus programs could detect it as a virus. :)


habu.hasher: Computes various hashes with the input data
This command computes various hashes for the input data, that can be a file or a stream.
If the filename is '-', the data is taken from the standard input (stdin), so there are three different ways to call this command:
$ habu.hasher README.rst
md5 : 375375d9cfb2aacab7c8d1a9afd3d9b7
sha1 : 21c67b9ef44bc24d47eef6adab648ba34662927e

$ cat README.rst | habu.hasher -
md5 : 375375d9cfb2aacab7c8d1a9afd3d9b7
sha1 : 21c67b9ef44bc24d47eef6adab648ba34662927e

$ habu.hasher - < README.rst
md5 : 375375d9cfb2aacab7c8d1a9afd3d9b7
sha1 : 21c67b9ef44bc24d47eef6adab648ba34662927e
Note: The output above shows only MD5 and SHA1 to make it short, but the real output includes more algorithms.
You can also specify which algorithm to use. In such case, the output is only the value of the calculated hash:
$ habu.hasher -a md5 README.rst
375375d9cfb2aacab7c8d1a9afd3d9b7


habu.ip: Prints your current public IP
This command prints your current public IP based on the response from https://api.ipify.org.
$ habu.ip
182.26.32.246


habu.isn: Prints the TCP sequence numbers for an IP
This command creates TCP connections and prints the TCP initial sequence number of each connection.
$ sudo habu.isn www.portantier.com
1962287220
1800895007
589617930
3393793979
469428558
You can get a graphical representation (needs the matplotlib package) using the '-g' option:
$ sudo habu.isn -g -c 10 www.portantier.com
Note: The above command uses '-c' option to define that 10 connections must be created.
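The numbers printed by habu.isn are only useful once you look at how they change from one connection to the next. The following added example (not part of Habu) computes the differences modulo 2^32 and labels a run of ISNs; the labels and the small_step threshold are assumptions, and the second sample series is constructed.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def parse_isn_output(text):
    """Read one decimal ISN per line, ignoring anything else."""
    return [int(tok) for tok in text.split() if tok.isdigit()]


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def assess_isns(isns, small_step=1 << 20):
    """Classify ISNs sampled from successive connections.

    small_step is an assumed cut-off: if every step stays below it, the
    next ISN can be guessed within a narrow window.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 3:
        return "too-few-samples"
    if len(set(deltas)) == 1:
        return "constant-increment"      # simple counter
    if all(d < small_step for d in deltas):
        return "small-increments"        # counter plus a little jitter
    return "no-obvious-pattern"


# ISNs from the habu.isn output above.
PAGE_SAMPLE = parse_isn_output("""
1962287220
1800895007
589617930
3393793979
469428558
""")

# Constructed series: a fixed step of 64000 per connection.
COUNTER_SAMPLE = [1000, 65000, 129000, 193000]

if __name__ == "__main__":
    for name, isns in (("page", PAGE_SAMPLE), ("counter", COUNTER_SAMPLE)):
        print(name, isn_deltas(isns), assess_isns(isns))
```

Five samples cannot prove that a generator is random; "no-obvious-pattern" only means that these simple checks found nothing, so collect more connections (the '-c' option) before drawing conclusions.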


habu.land: Implements the LAND attack
This command implements the LAND attack, which sends packets with the source IP address forged to be the same as the destination IP. It also uses the same source and destination port.
The attack is very old, and can be used to cause a Denial of Service on old systems, like Windows NT 4.0. More information here: https://en.wikipedia.org/wiki/LAND
sudo habu.land 172.16.0.10
............
Note: Each dot (.) is a sent packet. You can specify how many packets to send with the '-c' option. By default it never stops. You can also specify the destination port with the '-p' option.


habu.ping: ICMP echo requests
This command implements the classic 'ping' with ICMP echo requests.
$ sudo habu.ping 8.8.8.8
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding


habu.snmp_crack: SNMP Community Cracker
This command launches snmp-get queries against an IP, and tells you when it finds a valid community string (it is a simple SNMP cracker).
The dictionary used is the one distributed with the onesixtyone tool (https://github.com/trailofbits/onesixtyone)
$ sudo habu.snmp_crack 179.125.234.210
Community found: private
Community found: public
Note: You can also receive messages like <UNIVERSAL> <class 'scapy.asn1.asn1.ASN1_Class_metaclass'>, I don't know how to suppress them for now.


habu.synflood: SYN Flood Attack Implementation
This command launches a lot of TCP connections and keeps them open. Some very old systems can suffer a Denial of Service with this. More info: https://en.wikipedia.org/wiki/SYN_flood
$ sudo habu.synflood 172.16.0.10
.................
Each dot is a packet sent.
You can use the options '-2' and '-3' to forge the layer 2/3 addresses. If you use them, each connection will be sent from a random layer 2 (MAC) and/or layer 3 (IP) address.
You can choose the number of connections to create with the option '-c'. By default it never stops creating connections.
Note: If you send the packets from your real IP address and you want to keep the connections half-open, you need to set up your firewall so that it does not send the RST packets. With habu, you can do this with the following command (only works with Linux+IPTables):
$ sudo habu.firewall --no-rst
You can check the results with "iptables -L -n", and you will see something like this:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04


habu.tcpflags: TCP Flag Fuzzer
This command sends TCP packets with different flags and tells you what responses it receives.
It can be used to analyze how different TCP/IP stack implementations and configurations respond to packets with various flag combinations.
$ sudo habu.tcpflags www.portantier.com
S -> SA
FS -> SA
FA -> R
SA -> R
By default, the command sends all possible flag combinations. You can specify which flags must always be present (reducing the number of possible combinations) with the option '-f'.
Also, you can specify which flags you want to be present on the response packets to show, with the option '-r'.
With the next command, you see all the possible combinations that have the FIN (F) flag set and generate a response that contains the RST (R) flag.
$ sudo habu.tcpflags -f F -r R www.portantier.com
FPA -> R
FSPA -> R
FAU -> R


habu - Network Hacking Toolkit