Scylla & 1.0 Alpha (101% biano) http://www.2secure.org Sergio Valderrama (flacman at cuteam dot org) Carlos Rodriguez (iker at cuteam dot org) Special thanks to: RPM (Our designer, and webshell creator), Zealot (for his help with charybdis), Tronador (he build pieces of mail modules) Download: You would be able to download the source only (with compiling instructions) from here: http://code.google.eom/p/scylla-vl/ (will be uploaded the 22 of July) Abstract When there's no technical vulnerability to exploit, you should try to hack what humans left for you, and believe me, this always works. Scylla provides all the power of what a real audit, intrusion, exclusion and analysis tool needs, giving the possibility of scanning misconfigu ration bugs dynamically. Scylla aims to be a better tool for security auditors, extremely fast, designed based on real scenarios, developed by experienced coders and constructed with actual IT work methods. The words "Configuration Tracer" are the best definition for Scylla, a tool to help on IT audits. Introduction This document is a reference manual about what Scylla is, and what its capabilities are. This document will show the user a hypothetical scenario that shows what he/she is able to do when Using Scylla and basic explanation of each one of its modules and its features. Scylla is not solely meant to be an exploitation tool or a tool to discover vulnerabilities within applications, but rather as a method to hack and patch "human stupidity", such as common errors or flaws unintentionally put in service configuration. Scylla is built over an extremely fast and reliable core, with anti-anti Brute force techniques, error recovery protocols, and a lot of speedup tricks with most manual (and other types of attacks unknown to the user) being coded to avoid repetitive tasks. BTW, if you haven't read well, this is 1.0a version, and the "a" comes from "A lot of work to do", "A lot of bugs (I think)" and "A lot of testing left", and we will appreciate a lot your help ©. Objective Scylla is a tool to audit different online application protocols and configurations, built over a brute-force core. This tool acts at a tool for unifying auditing techniques, in other words, it does what oscanner, winfingerprint, Hydra, DirBuster, and other tools do, and also what those tools don't do. Scylla is arguably the first free-open source auditing/hacking tool for protocols such as LDAP, DB2, Postgres, terminal and Mssql; Scylla adds tons of new features to what those other tools do but with a key difference: it does them faster and smarter! Supported Protocols ✓ Terminal (Telnet, SSH, telnets) ✓ FTP (FTPS, FTP, SFTP) ✓ SMB (Also Windows RPC) ✓ LDAP ✓ POP3(POP3S) ✓ SMTP(SMTPS) ✓ IMAP ✓ MySql ✓ MSSQL ^ Oracle (Database and TNS Listener) ✓ DB2 (Database and DAS) ✓ HTTP(HTTPS; Basic AUTH Brute Force, Digest AUTH Brute Force, Form Brute Force, Directory and files Brute Force) ^ DNS (DNS snooping) s Postgres SQL ^ And more coming... How does Scylla work? Scylla functions on three basic stages: Pre-Hack Stage: This stage is defined as what information Scylla can readily obtain without resorting to brute-force attacks (something like enumeration). Here is where anti-anti-Brute Force techniques are implemented, such as getting information on password policies, latency times, etc. Scylla is also obtaining extra information to make the attack: searching for protocol and service versions, verify null sessions, and system enumeration among other things. It also builds specially crafted lists (based on other lists.) When applicable, the AutoPWN modules (such as a "one click" web shell upload on a MySQL attack or opening a blind shell using MSSQL services without any previous information). Brute Force Stage Here is where Scylla shines. It is an extremely fast brute force core. For example when hydra makes 7.000 tries/min, Scylla makes over 22.000 tries/min over MSFTPd. Post Hack Stage: What can you do with a user-password combination? Simple stuff like fetching the /etc/shadow file or the FEAT response of an FTP server, or more complex stuff such as spawning a shell with just one MSSQL command (a OneClickOwnage paper implementation). It is more or less like Maintaining Access or Expanding Influences. Charybdis Charybdis is Scylla's counterpart. He's at the other side of the river. What if you "pwnd" a Linux server (or even a windows server) and you can't get heavy tools or don't have GUI access to it (or simply, you are a *Nix user)? This is why Charybdis was built: To be at the other side waiting for Scylla. It's simply a multi-platform high speed pipe between Scylla and whatever is on the other side. Supporting Scylla from basic "bounce" functionality to socks proxy connection, Charybdis is specially crafted to provide the best performance to the attacker. Deep Documentation (what you should see) Basic features: s User, password list based Brute force V Multiple hosts support •/ Multiple session support •/ Nmap integration •/ Non-synchronized threads (proof to be a bit faster) ✓ Ability to restore sessions s Session auto-saving (based on SQL Server CE) s Easy to use s Auto configured options •J Hacker oriented s Free, and always free s Database browser (who have hacked a DB and don't have a DB client to connect to it? And worse if you don't have internet) s Open source tool List creation List creation is a component to create new lists based on existing dictionaries. The idea is to take each word in a specific list and compose different words based on it. As-Is: Nothing special, just leave the dictionary just as it is. Double: Duplicates the word. Cut - CutCut. CasePerms: Creates every letter-Case permutation of the word. Cut - CuT, CUT, cuT, cut, CUt, etc. Reverse: Reverse the word. CUTeam - meaTUC. LowerCase: Adds the lower case version of the word. Cut - cut. Uppercase: Adds the upper case version of the word. Cut - CUT. H4x0r: Adds the word in "hackers-jargon" (replace each vocal for numbers except u, b for 8, t for 7, 1 for 1 and s for 5). CUTeam - CU734m. H4x0rPermutation: Creates every H4x0r-Case permutation of the word. Cuteam - Cu7eam, Cu73am, Cu7e4m, Cute4m, etc. Date ap/prepend: Adds the word with different years appended or pre pended (from 1985 to the actual year). CUT - 1985CUT, 2000CUT, CUT1990, CUT2010, etc. 2Number Append: Adds the word with 2 numbers (from 00 to 99) appended. Cut-CutOO, Cut 01... Cut99. Scylla Modules Most of the hacks mentioned here are configurable options, and the default options are options that will let you "auto-pwn" or the ones considered less intrusive or the most important for the author. FTP Pre-Hacks: S If a user is blocked, gets the maximum number of tries until a user gets blocked (numTries) and for the next user just tries numTries passwords. S SFTP - Get supported ciphers Hack: Built from scratch SFTP brute force module, FTP and FTPS brute force. Post-Hacks: S Fetch FEAT response. •/ Fetch PWD response (actual directory). •/ Fetch SYST answer (Operating system information) s Check LIST, STOR, MKD, DELE and RMD permissions (list, upload, make directory, delete file and remove directory). S Basic Directory Transversal hacks o /../../../../../../etc/shadow o \..\..\..\..\..\..\config.sys Terminal Pre-Hacks: s If a user is blocked, gets the maximum number of tries until a user gets blocked (numTries) and for the next user just tries numTries passwords. s Process "connection limit" answers and wait 20 milliseconds until next try. S Process MSTelnetd when user+password are correct but the user isn't in the TelnetClients group. s SSH2 - Get and Set supported ciphers Hack: Built from scratch SSH brute force module, implemented as fast as possible in the login process (C++), Telnet, Telnets. More servers supported (this makes it a bit slower...). Post-Hacks: S Fetch CD response. S Fetch SUDO capabilities response. s Neat (or putty) integration s Fetch /etc/shadow and /etc/passwd POP3 Pre-Hacks: S Verify authentication types supported by server S Verify if APOP authentication is available (and use it if so) Hack: POP3, POP3S, Auth-login, Auth-plan Auth-md5 Post-Hacks: •/ Retrieve first 10 e-mail headers S Get number of messages in the account s Get e-mail addresses used in mails received SMTP Pre-Hacks: S VRFY brute force pre-attack (tries to get only valid users) S Anonymous login S Verify authentication types supported by server Hack: SMTP, SMTPS, Auth-login, Auth-plan Auth-md5 Post-Hacks: S Try sending a mail to root S Mail relay (tries to send from [attacker@cuteam.org and attacker© specified_IP_or_URL] to [Your_mail@any_domain.com and pick_a_mail@specified_IP_or_URL]) MSSQL: MSSQL has 2 modalities: FastAttack (really fast, raw brute force) and Normal (Using SQLCIient). The difference is that SQLCIient is safer, it has a better error management and has more pre-hacks making it a bit more intelligent; use it to avoid blocking accounts or stuff like that. Also, most post-hacks use SQLCIient. If a hack is available only for SQLCIient it would be marked as SC. Pre-Hacks: S SC: If a password must be changed it prompts a dialog for you to change it if you want. s SC: If max users connection limit reached, wait 100 ms until next try (with the same thread). S SC: If User+Password found but there is an error. Marks the user+password as found and displays the error. s SC: If user is blocked, tries for next user. s SC: Test for SSPI (actual Windows user authentication) y SC: Specify System version type (SQLServer 2k, 2k5, 2k8 or lastest) S SC: Specify Local Machine Name S SC: Specify database to connect s Try SA user with null password SQLCIient and raw brute force. SSL Support. Post-Hacks: s Open UI for command execution. Opens a basic GUI to execute commands. Saves the command log in the Report Database (see report section). If don't have enough permissions to execute commands, it tries to hack it using: sp_configure 'show advanced options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE S One click ownage hack. Execute any payload you define (default is TX shell), just as specified in http://ferruh.mavituna.com/papers/oneclickownage.pdf. s Show Databases the user can access S Fetch Users Info, including: Usernames, SID, Password Hash, Creation date, is disabled and default database name. s Open Scylla DB Browser MySQL (MySQUAL in honor to SENA, Colombia xD) This module uses MySQL.Data.dll or ODBC (no support available) to connect to the remote host. A "raw" and faster version will be also implemented with limited pre-hacks. Pre-Hacks: S If max users connection limit reached, wait 100 ms until next try (with the same thread). S If received message "password to long must be hex", just try the passwords that meet: passLen LESSOREQUALTHAN #password(length received in the error) AND ! password. haveDig its S Just try passwords of less than 16 characters (mysql don't support more) S If want to use SSL certificates or a special SSL cipher connection, it would use ODBC with the specified options. Also, an auto-signed certificate is provided. Hacks: SSL support, specially crafted SSL configuration, certificate based SSL Post-Hacks: s Fetch databases that can be accessed by the user. S Fetch users profile, including: Host, User name, Password hash, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv. S If there is a http server, try to upload a web based PHP shell to it (A specially basic auto-destroyable shell, or the famous C99). S Execute server commands (via UDF) s Open Scylla DB Browser DB2 Pre-Hacks: ^ Obtain DAS information (server database access profile) S - User-ID auth only - brute force S Fetch EXCSAT and other packet responses (used to Auto Configure the Hack phase and give additional info to the user). S Host less than 18 characters accepted Hack: SSL support (if applicable), encrypted auth. Post-Hacks: V List all tables (list tables for all) V List tables for specific users (select name, creator from systables order by name) s Security policies check (select * from syssecuritypolicies) s Audit policies check (select * from sysauditpolicies) S Fetch Roles and Role authorizations •/ Fetch for users authorizations (select grantee, tableschema, tablename from sysuserauth) V Fetch users and users privileges ORACLE This module uses Ora.Net provider for database connection. TNSListener module is built as a partner of Oracle module. y Fetch SID •/ SID Brute force s TNS version detection s Allow the user to specify a SID (obligatory if no SID could be fetched or guessed, if no, Scylla would use ORCL) s Try to use over 500 default users-passwords before the real brute force •/ Fetch Blocked accounts If user must connect as SYSOPER or SYSDBA, tell the user and append SYSDBA to the connection string for post-hacks. Post-Hacks: V Fetch usernames and user information s Fetch users access dates •/ Fetch new and old password hashes V Fetch database names the user can see •J Fetch Policies •J Fetch Roles and Role information V Fetch Links (useful to find clear-text passwords and other interesting info) ■s Open Scylla DB Browser SMB The trick here is using the windows API that is actually faster than SAMBA. This module is not just about SMB, but windows RPC. Pre-Hacks: •/ Try for null or anonymous sessions. •J Try to fetch password policy and adjust the hack phase settings to avoid blocking users and stuff like that. s If operating system just accepts LM authentication, remove all password of length greater than 14 from the password list. NT, LM, NTLMv2, all what WNetAddConnection3 supports Post-Hacks: •/ fgDump wrapper (get password hashes) s Fetch Users ^ Fetch groups (relation user-groups relation) s Fetch OS Version ✓ Fetch RPC Binds •J Fetch network Adapters •J Fetch Disks and shares •J Fetch active sessions V Fetch Event log s System Date and Time s Fetch patch level •/ Via Active directory: • GetShares (directories) • GetGroups • Get Operating system version • Get Users This module is a bit different; it is divided into three sub-modules: HTTP-Basic Auth: Where the only real pre-hack is to fetch the authentication type supported in basic-auth module (and auto-configure brute force hack depending in it). It supports Digest (using MD5) and basic auth. HTTP-Form: This is like other brute-forcers but it is a bit more intuitive. For the next release (hope for this one) a new Charybdis module will be built to auto- configure brute force parameters depending on user navigation. HTTP-Dir/File Brute Force: Tries to find hidden directories/files based on brute force. Also, this module maps the entire webpage to find its entire structure, based on HEAD commands for brute force and GET for web mapping. The 3xx response, searches in the location parameter. A bit of an intelligent modification, it doesn't show the user an apparently found file (from web mapping) if it doesn't receive a 200 or 403 response. It cuts down on the number of false positives and, like every Scylla module, "error proof". Postgres This module uses NPgsql.dll. Pre-Hacks: Try admin-admin user-password combination Hacks: SSL support, crypt, password, md5 and others supported by NPgsql.dll Post-Hacks: s Fetch databases that can be accessed by the user. s Fetch user's profile (pg_shadow, pg_user, pg_group, etc.) s Open Scylla DB Browser LDAP Ldap Query tool Pre-Hacks: Try null password Try Anonymous Auth Hacks: SSL support Post-Hacks: S Fetch Users info S Fetch Groups S Fetch Computer info DNS Snooping Pre-Hacks: Hacks: s Try to see if the server is vulnerable by querying the server for common names SSL support S Fetch Answers s Fetch Name Servers S Fetch Additional info s Determine if it's an authoritative server Report Module Every result the modules throw are stored in a SQLCE database, so your session information won't get lost. A report viewer was built so you can see the information easily. Scylla Report Viewer THE FUTURE This took eight months of work, just for DEF CON 20. Now try to imagine the future of this tool. We will work, primarily to try to make it faster and more accurate. There are other modules planed like SVN, CVS, RSH, RDP, and more. And at last we will be adding hacks, tons of hacks, we'll try to make it a more complete tool of this kind. There are also plans to synchronize Scylla with other tools like MSF and Nessus. Our principal objective is to give as most capabilities to the users, and still be a "hacker- oriented" tool. We are conscious that there is no "wonder tool for everything" and that real hacking is more of a manual process, and that all we need is information, and possibly direction. CONCLUSION Perhaps I'm not the best qualified person to be writing something here, you have the documentation and you can try this tool, so you can make your own conclusions. There is one last thing to be said: I'm not intending to say that other tools are "worse" (they might be better than Scylla) just that maybe I got more free time. Every referenced tool here is a master piece (If you have got some time you should please check them out.), I thank the authors for building them and give people like me tools to work, and even better, Inspiration! You could be sure of something... There is more coming soon! More pics :D Scylla -- 101% Colombiano ■H'SCYLLA ® Sngle Host O Host List |Somnusaj7! Passwd O WoidList O Advanced WoidList □ WondList Usuhb Protocol MS SQL vl • :.n = . ii.z ]:_: e it -.-:. .= : e:_ ■:; _-e □ Use Encryption {SSL) □ Test for SSPI {Windows user authentication) T :-. 3>«*r C) SQ LServer 2000 O SQ LServer 2005 O SQLServer 2005 (■) Latest □ Specify Local Machine Name localhost Specif; I = .=E = :e =■ e !=.= :: □ Open Ul for command execution Scylla Database Browser - master I.~1mJ_*J File Query ► % sstje seS;_rc- ,;,| spt_fallback_dev , ,| spt_fallback_usg | MSreplicationjptiona Scylla DBBrowser over MSSQL Scylla -- 101% Colombiano **SCYLLA Attack Type Normal (using SQLdient) Q Fast Attack (M l~l Use Encryption (SSL) ListOptions @ As Is (Exactly like in the list) □ Double (Cut-CutCut) □ Case Perm {Cut-CUt,cUt.cUT.cut,CUT) □ Reverse {Cuteam - maetuC) □ LowefCase pi-cut) □ UpperCase (Cut-CUT) □ H4c0r pjteam-Qj734m) □ H4cDr PefmutaiionpjteamCu7eam.Qj734rTi.Cute4rTi....) □ Date [ap/pre>pend (Cut-2DDDCut. Cut 15&7....} □ 2Number .Append (Cut-Cut D1 Cut99) Advanced List Options ■ Report VIEWER Root: 257 "/" is current directory FEAT Response; 2 1 1 -Extended features supported: LANG EN* UTF8 AUTH TLE:TLE- CiSSLTLS-P: PBS2 PROTCP; SYST Response: 215 Windows_NT Write Hake Dir Delete Dir FTP Report Module ■k- Scyl la -- 101% Colombia **SCYLLA L ::a2< 2z-~ :va: :- Host /IP [rageguy * Single Host Host List I I <§) Passwd O WordUst O Adverted WorclList User sa □ WofdList Usuers |M55QL v\ Nmap Found user: sa Password: I □ Show Enors Threads: | About | | Report | Start | tries/Sec: {0)0- Left: Scylla main GUI Scylla -- 101% Colombiano **SCYLLA Attack juration Host /IP [rageguy ® Sine*: Host O Host Ust Attack Type ® Normalising SQLaient) O FastAttack '. ;;-a:- : s: ® Passwd O WordUst Start | User |sa □ WordUst U Load map ami file instead [I | | Search | | Upload | Nmap Ruh Protocol MSSQL □ Show Errors Threads: About Fteport Nmap Wrapper **SCYLLA Scylla -- 101% Colombiano Attack Tjpe E-:e:_:-: commands with us -<:■■■:'<■ CjWS to resume I whoami nt authority\system ~ : e : ' * Normal (using SQLCIient} [ : Fast Attack (Medussa-Like) □ Use Encryption (SSL) : : = _:e c.."t". :r_ : - item Version H) O SQLServer 2005 IS ••: Latest :oa i.'achine Name localhost ■eicEcse L .e- e £«* :i for command execution >e : :■• ■ ■ -5 : t-t- c- -t-"." icc-eses -e:::- users info O DB Browser rj|J □ Add SA User Threads 16 ; □ Show Errors Threads: 1 .About Report | Stop! | tries/Sec: (0)0- Left: 2 FSH over MSSQL