Wednesday, November 6, 2013

HashTag: Password Hash Identification

Interested in password cracking or cryptography? Check this out. is a tool written in python which parses and identifies various password hashes based on their type. HashTag was inspired by attending PasswordsCon 13 in Las Vegas, KoreLogic's 'Crack Me If You Can' competition at Defcon, and the research of iphelix and his toolkit PACK (password analysis and cracking kit). HashTag supports the identification of over 250 hash types along with matching them to over 110 hashcat modes. HashTag is able to identify a single hash, parse a single file and identify the hashes within it, or traverse a root directory and all subdirectories for potential hash files and identify any hashes found.

Click here to download source code or access it online at OnlineHashCrack

One of the biggest aspects of this tool is the identification of password hashes. The main attributes I used to distinguish between hash types are character set (hexadecimal, alphanumeric, etc.), hash length, hash format (e.g. 32 character hash followed by a colon and a salt), and any specific substrings (e.g. '$1$'). A lot of password hash strings can't be identified as one specific hash type based on these attributes. For example, MD5 and NTLM hashes are both 32 character hexadecimal strings. In these cases I make an exhaustive list of possible types and have the tool output reflect that. During development I created an excel spreadsheet which contains much of the hash information which can be found here or here.

Usage: {-sh hash |-f file |-d directory} [-o output_filename] [-hc] [-n]

Note: When identifying a single hash on *nix operating systems, remember to use single quotes to prevent interpolation. (e.g. python -sh '$1$abc$12345')

-h, --help show this help message and exit
-sh SINGLEHASH, --singleHash SINGLEHASH Identify a single hash
-f FILE, --file FILE Parse a single file for hashes and identify them
-d DIRECTORY, --directory DIRECTORY Parse, identify, and categorize hashes within a directory and all subdirectories
-o OUTPUT, --output OUTPUT Filename to output full list of all identified hashes
--file default filename: HashTag/HashTag_Output_File.txt
--directory default filename: HashTag/HashTag_Hash_File.txt
-hc, --hashcatOutput --file: Output a file per different hash type found, if corresponding hashcat mode exists
--directory: Appends hashcat mode to end of separate files
-n, --notFound --file: Include unidentifiable hashes in the output file. Good for tool debugging (Is it Identifying properly?)

Identify a single hash (-sh): -sh $1$MtCReiOj$zvOdxVzPtrQ.PXNW3hTHI0
single hash example -sh 7026360f1826f8bc

single hash example 2 -sh 3b1015ccf38fc2a32c18674c166fa447

single hash example 3

Parsing and identifying hashes from a file (-f): -f testdir\street-hashes.10.txt -hc
hashes file example
Here is the output file. Each identified hash outputs the hash, char length, hashcat modes (if found) , and possible hash types:
Output file
Using the -hc/--hashcat argument we get a file for each hash type if a corresponding hashcat mode is found. This makes the process of cracking hashes with hashcat much easier as you immediately have the mode and input file of hashes:
file listing output
Output from a file with many different hash types (the filenames are hashcat modes and inside are all hashes of that type):
hashtag output directory with multiple files

Traversing Directories and Identifying Hashes (-d): -d ./testdir -hc
directory example

The output consists of three main things:

  • Folders containing copies of potentially password protected files. This makes it easy to group files based on extension and attempt to crack them.
  • HashTag default files - A listing of all hashes, password protected files the tool doesn't recognize, and hashes the tool can't identify (good for tool debugging).
  • Files for each identified hash type - each file contains a list of hashes. The -hc/--hashcat argument will append the hashcat mode (if found) to the filename.
hashtag output directory

Resources: Quite a bit of research went into the difference between password hash types. During this research I found a script called Hash Identifier which was actually included in one of the Backtrack versions. After looking it over I feel my tool has a lot more functionality, efficiency, and accuracy. My other research ranged from finding different hash examples to generating my own hashes via the passlib module. I would like to give credit to the following resources which all had some impact in the creation of this tool.

As always, if you see any coding errors, false assumptions (hash identification), or have constructive criticism please contact me. Hope you like it!

Saturday, August 3, 2013

Defcon 21: Password Cracking KoreLogic's Shirt

For the past couple of years KoreLogic Security has had a wonderful presence at Defcon with their 'Crack Me If You Can' contest where some of the best password crackers in the world join up in teams or go solo to compete against each other. Although I haven't competed in this competition (mainly due to lack of hardware and wanting to spend most of my time at briefings) I always make it a point to stop by the KoreLogic booth and grab a shirt. No, I'm not doing it because it's 'free swag', I always stop by for great conversation and to get one of their shirts which have relatively simple hash(es) on them. It's rather fun to practice even the simple things with password cracking. This year for Defcon 21 the shirt they gave out looked like this:

Clearly there is a hash in there somewhere.. looking a little closer it's clear there is a 32 character pattern which wraps around the logo. Hmm.. the most common 32 character hash.. md5! Let's give it a try.

Wait.. how do we know where the hash starts and ends? We don't. There are 32 characters which means 32 different possibilities for the correct hash. To generate the different permutations I wrote a quick python script which writes all of the possible hashes to the file hashlist.hash.


hashArray = ['b','2','c','b','b','e','c','9','1','6','d','c','8','2','b','2','f','b','2','0','d','1','2','b','e','1','d','7','e','3','d','b'] 
hashList = list() 
fullHash = '' 

charIndex = 0 
while charIndex < len(hashArray): 
 hashArray = hashArray[charIndex:] + hashArray[:charIndex] 
 for i in range(len(hashArray)): 
  fullHash += hashArray[i] 
 fullHash = '' 
 charIndex += 1 

f = open('hashlist.hash', 'w') 
for item in hashList: 
 f.write(item + '\n') 
 print item
We now have the following possibilities:

Since I am using a netbook instead of a crazy GPU rig I decided to use hashcat which does CPU cracking (plus and lite for GPU). I then downloaded the rockyou.txt wordlist from skullsecurity. Everything is now ready, I have my cracking tool, list of hashes, and wordlist. Since I am assuming it's md5 I use the following hashcat command:

./hashcat-cli32.bin -m 0 -r rules/best64.rule hashlist.hash rockyou.txt

After about 30 seconds of running we get a hit!


A little anticlimactic but fun nonetheless. This was rather simple, some would say trivial, but the script to make multiple hash permutations with only characters may be helpful to someone. Big thanks to KoreLogic for putting on the CMIYC contest and giving out shirts with challenges.

Tuesday, July 2, 2013

Burp Extension: Directory and File Listing Parser - Burp Site Map Importer

Click Here to Download Source Code

Penetration testers, rejoice! While conducting application penetration tests it’s sometimes necessary to request specific information from the application owner or client. As a pen tester it can be extremely beneficial to perform a test with a full directory and file listing of the application, which sometimes can be difficult to acquire.

So let’s assume all clients are perfect and provide a full directory and file listing of their application (funny, I know) but what do we do with it? My process usually involves manually looking over everything trying to find keywords which jump out… I just might want to take a look at adminpassword.txt. Depending on the size of the application I may attempt to reach every file but usually this is not an efficient use of time. I wanted to create a quick and easy process for dealing with directory and file listings so I created a Burp Suite extension which will do a lot of the work for me.

My Burp extension contains two main features. The first feature is the ability to parse the listing file and generate a list of valid URLs to request each resource. The second feature is generating a request for each URL and importing the valid request/response pairs into Burp’s Target Site Map. Why is having a full site map helpful? We now have the ability to see the entire structure of the application, search within all valid responses, conduct manual testing or an active scan on ALL accessible resources, and much more. The process flow looks like this:

The Burp extension is written in python so a standalone jython jar will be needed to run it: Currently the extension is only tested and working with jython-standalone 2.5.3

After loading the extension you will have an option in the context menu to “Import Directory Listing”:

A GUI will appear for the extension. Fields such as hostname, SSL, and port will automatically populate depending on the request or response the menu option was originally invoked from. Cookies will also be displayed and used in any requests the extension makes. This feature makes it easy to compare site maps of two application user roles (based on varying session information such as cookies) to determine if each role has the correct access.

In this example I have selected the “Import Directory Listing” menu option on the DVWA web application which is running on my local machine. Now we must fill out all options on the left side of the GUI including hostname, full directory path (windows only, but CAN be used to modify URLs from a linux listing type) which specifies where the root of the web application sits, SSL, port, file listing type, and path to listing file.

On a Windows XP machine, I used the ‘dir /s’ command in cmd.exe which displays all files from the current directory and all sub directories. If the application is sitting on a Windows platform this is a very common command used for directory and file listings. A partial output of a directory and file listing for the DVWA web application (selected in the above image as C:\dvwa-listing.txt) looks like this:

dir /s:
 Volume in drive C has no label.
 Volume Serial Number is 5033-AA99

 Directory of C:\xampp\htdocs\dvwa

09/08/2010  09:50 PM    <DIR>          .
09/08/2010  09:50 PM    <DIR>          ..
09/08/2010  09:49 PM               497 .htaccess
08/26/2010  11:15 AM             2,792 about.php
06/06/2010  07:55 PM             5,066 CHANGELOG.txt
09/08/2010  09:50 PM    <DIR>          config
03/16/2010  12:56 AM            33,107 COPYING.txt
09/08/2010  09:50 PM    <DIR>          docs
09/08/2010  09:50 PM    <DIR>          dvwa
03/16/2010  12:56 AM               883 ids_log.php
06/06/2010  07:52 PM             1,878 index.php
03/16/2010  12:56 AM             1,761 instructions.php
08/26/2010  11:18 AM             2,580 login.php
03/16/2010  12:56 AM             2,738 security.php
06/06/2010  10:58 PM             1,350 setup.php
09/08/2010  09:50 PM    <DIR>          vulnerabilities
              16 File(s)         59,772 bytes

 Directory of C:\xampp\htdocs\dvwa\config

09/08/2010  09:50 PM    <DIR>          .
09/08/2010  09:50 PM    <DIR>          ..
08/26/2010  10:32 AM               576
08/26/2010  11:06 AM               576
               2 File(s)          1,152 bytes

 Directory of C:\xampp\htdocs\dvwa\docs

09/08/2010  09:50 PM    <DIR>          .
09/08/2010  09:50 PM    <DIR>          ..
08/26/2010  10:32 AM           526,043 DVWA-Documentation.pdf
               1 File(s)        526,043 bytes

The parser is also capable of parsing directory listing files from various linux commands such as ‘ls -lR’ and ‘ls –R’. Examples of the format are as follows:

ls -lR:
total 124
-rw-rw-r--  1 user user  2792 Aug 26  2010 about.php
-rw-rw-r--  1 user user  5066 Jun  6  2010 CHANGELOG.txt
drwxrwxr-x  2 user user  4096 Jul  1 16:52 config
-rw-rw-r--  1 user user 33107 Mar 16  2010 COPYING.txt
drwxrwxr-x  2 user user  4096 Jul  1 16:52 docs
drwxrwxr-x  6 user user  4096 Jul  1 16:52 dvwa
-rw-rw-r--  1 user user   883 Mar 16  2010 ids_log.php
-rw-rw-r--  1 user user  1878 Jun  6  2010 index.php
-rw-rw-r--  1 user user  1761 Mar 16  2010 instructions.php
-rw-rw-r--  1 user user  2580 Aug 26  2010 login.php
-rw-rw-r--  1 user user   413 Mar 16  2010 logout.php
-rw-rw-r--  1 user user  2738 Mar 16  2010 security.php
-rw-rw-r--  1 user user  1350 Jun  6  2010 setup.php
drwxrwxr-x 11 user user  4096 Jul  1 16:52 vulnerabilities

total 8
-rw-rw-r-- 1 user user 576 Aug 26  2010
-rw-rw-r-- 1 user user 576 Aug 26  2010

total 516
-rw-rw-r-- 1 user user 526043 Aug 26  2010 DVWA-Documentation.pdf

total 16
drwxrwxr-x 2 user user 4096 Jul  1 16:52 css
drwxrwxr-x 2 user user 4096 Jul  1 16:52 images
drwxrwxr-x 3 user user 4096 Jul  1 16:52 includes
drwxrwxr-x 2 user user 4096 Jul  1 16:52 js
ls -R:




Now that we have a directory listing for our application, let’s parse out all of the directories and files and create valid URLs. Click the “Generate URL List” button to start the parsing. Tip: If the generated URLs don’t look correct you can modify the fields on the left of the GUI and regenerate the list or copy the list and use your own text editor to make changes. (Please e-mail with any parsing issues or suggestions)

A text area is populated with the URLs and the total count of directories and files processed.

At this point we have a few options. We can take our list of URLs and use them in Burp’s Intruder. To do this it would be very easy, all that needs to be done is remove the protocol, hostname, and port from each URL within a text editor. From there we take the path of each resource as a payload in a GET request in Intruder. We could then look to see which resources we are able to reach by analyzing status codes and content length. A second option is built into the extension via the “Import URL List to Burp Site Map” button. This button makes a request to each URL in the list (with cookie information, if it was found) and if a valid response is returned, will add the request and response to Burp’s Site Map. Requests with keywords such as logout, logoff, etc. are skipped to avoid ending sessions. The import to site map functionality was one of the main features I wanted to implement.

Warning: Actual requests are being made. Remove any resources you don't want being made, such as delete_database.php!! Regex to remove resources will be added in updates.

Done! A message dialog tells the user how many URLs were valid and imported into the site map. In the above image you can see a full site map and proxy history which was not found by spidering or brute forcing directories/files, but rather a simple directory and file listing of the application. With a full site map we are now ahead of the game. If you have multiple testers testing an application you can save the state in Burp and distribute it to save time, almost completely bypassing the discovery phase.

Note: So far the parsing does not consider virtual directories or different URL mappings from different web frameworks. Future updates may include parsing of mapping files such as ASP.NET’s web.config and Java’s web.xml.

Tip: Running a plugin multiple times or multiple plugins at a time may require increased PermGen, an example to increase the max when launching Burp would be:

java -XX:MaxPermSize=1G -jar burp.jar

Also, please provide feedback if you use this extension. With many different output formats for directory and file listings it can be difficult to write a dynamic parser which works for every format. If you have a listing file which is not being properly parsed please contact me so I can include it in an update. Thanks!

Click Here to Download Source Code

Sunday, May 12, 2013

Using Client SSL Certificates with Burp Suite

As of version 1.5.09 released on Tuesday, March 26 2013, Burp has integrated support for PKCS#11 and 12 client SSL certificates from files, smart cards, and other physical tokens.

Key features include:
  • Ability to configure multiple PKCS#11 and PKCS#12 certificates for use with different hosts (or host wildcard masks).
  • Auto-detection of installed PKCS#11 libraries (currently Windows only).
  • Auto-detection of card slot settings.
  • Support for OS X, Linux and 32-bit Windows (note that Oracle Java does not currently support PKCS#11 on 64-bit Windows).
  • Persistence of configuration across reloads of Burp.

I'll be quickly showing how to use a hard token with Burp Suite on a Windows virtual machine. The process would be very similar on different operating systems or with certificate files.

First, insert your hard token and make sure it's recognized. Because I am using a Windows virtual machine it's recognized as a Rainbow USB Device

In Burp, select the 'Options' tab and scroll down to the 'Client SSL Certificates' section and select 'Add'.

Select the certificate type, either File (PKCS#12) or Hardware token/Smart card (PKCS#11). Also you can specify a specific destination host or leave that part blank to apply to all hosts.

Specify the location of the library file for the hardware token. Burp allows you to manually select this file or it will attempt to automatically locate it. (Windows only)

Select which locations for Burp to search. All found library files will be listed. Select the correct one and click Next. If you're not sure which file to use you can always retry using the different files.

Enter the PIN code and click Refresh. Select the certificate you want to use and click Next.

Success! Check to make sure you have the correct access. Remember, if it doesn't work you may need to try a different library file.

One thing to note, often times various user roles in an application require different tokens. I did have trouble having multiple tokens loaded and quickly switching between them. The fastest way I found was to just add/remove the tokens and certificates one at a time. A slight annoyance when doing role-based testing but not too bad. Overall this is great functionality for Burp Suite to have.

Friday, April 19, 2013

WSDL Wizard: Burp Suite Plugin for Detecting and Discovering WSDL Files


WSDL (Web Service Description Language) files often provide a unique and clear insight into web application functionality. They can be made public and accessible by client-side users or private. From an attacker’s point of view public WSDL files make finding vulnerabilities easier, however even if the files are private, any vulnerabilities will still exist. From the perspective of a penetration tester, depending on what kind of test it is, it may or may not be appropriate to ask the client for WSDL files before the test.

So how do we find the WSDL files which are public? What if there are no direct links to find during spidering? The WSDL Wizard plugin! There have been tools in the past such as OWASP’s WSFuzzer which do an average job when they work. I wanted to write a Burp Suite extension in python which would make WSDL file detection and discovery not only easy to use but also efficient and safe in terms of scope.

This plugin searches the current Burp Suite site map of a user defined host for URLs with the ?wsdl extension while also building a list of viable URLs to fuzz for 'hiding' WSDL files. Two different methods are available to check for ?wsdl files, using urllib2 (default) or Burp's API. The fuzzing method depends on which function is called in the code so switching is easy. When comparing efficiency against large site maps, urllib2 was about 30 percent faster. All found WSDL files are added to the existing site map and printed out in the Extender tab output section.

After we have our WSDL files it’s time to make use of them. I did a previous post called Automatic Web Services Communication and Attacks which discusses using tools such as soapUI to inject into SOAP requests.

WSDL Wizard Use

WSDL Wizard runs off all of the requests and responses in Burp’s Site Map of a user selected host. Before running the plugin it is beneficial to have as much information in the site map as possible. This plugin should be used at the end of the information gathering stage when you have near complete coverage of the application.

To run this plugin three things are needed:

In the Extender > Options tab, select the location of your Jython standalone file.

In the Extender > Extensions tab load

Now we are ready to use the extension. A menu option of ‘Scan for WSDL Files’ will appear if the user right clicks in the message viewer, site map table, or proxy history. In the following case I am running the plugin on OWASP’s WebGoat vulnerable application. In the site map there is already a valid request and response for the WSDL file.

The output from the plugin reports on the host which was scanned, the full URL of the detected WSDL file, and how many other viable URLs it fuzzed with the ?wsdl extension. In this case the WSDL file was detected and 29 files were fuzzed but no more found because there is only one in this application.

Using a site map without a WSDL file in it really displays the main feature of this plugin. It will detect /WebGoat/services/WSDLScanning as being a candidate to fuzz with the ?wsdl extension.

After running the plugin the output reports 1 WSDL file was fuzzed and adds that request and response to the current site map.

Now we have all the WSDL files and the real fun begins! I have now shown how to detect WSDL files and even discover new ones you never knew were there.

I hope everyone likes it. This is my first Burp plugin so feedback would be very much appreciated. Any comments, suggestions, or errors please comment on my blog or email me at

Monday, February 4, 2013

SQLMap Plugin for Burp Extender

SQLMap is a popular tool for automating SQL injection detection and exploitation. Burp is a multifaceted intercepting proxy which is great for testing web applications. Applications are often used by attackers in attempts to communicate with a back-end so finding and fixing these vulnerabilities is a necessity. Wouldn’t it be great if we could integrate SQLMap into Burp instead of creating and modifying different SQLMap commands every time we find a different page or parameter?

We’re in luck as there is a project by the name of Gason (blog:, which is a SQLMap plugin for Burp. A few other people have done ‘how-to’ blog posts on this plugin but I haven’t seen any address some of the errors people have been reporting (mostly with Windows) or how to implement it with Burp’s new extensibility API, Burp Extender, which was released Dec 10, 2012. I’m going to be discussing how to properly install and run this plugin in a Windows environment.


To get started, we need the following:

  • Burp Suite Pro (free edition does not have Extender implemented, but the referenced blog above covers how to load the plugin into the free version).
  • Gason Plugin
  • SQLMap

Burp Extender allows us to add a .jar plugin into Burp (also supports python and ruby with a few extra steps). Start up Burp and go to the Extender tab. Click ‘Add’.

The extension type is Java, and just point to where the .jar file is on your local system. Click ‘Next’. At this point you should see the message ‘The extension loaded successfully’. Click ‘Close’.

Here we can see what it looks like when the plugin has been successfully loaded into Extender:

Working Around a Plugin Error

Currently when trying to run the plugin, a error occurs. I believe this is a problem with how the plugin is called in Windows (other people have reported similar issues). Cannt run program CreateProcess error=193 %1 is not a valid Win32 application.

To get it to work, I used py2exe to make a sqlmap executable which I point to in the plugin rather than the file. You can download a 7zip compressed archive of the sqlmap executable here. This does require some Windows dll files:

USP10.DLL - C:\WINDOWS\system32\USP10.DLL
OLEAUT32.dll - C:\WINDOWS\system32\OLEAUT32.dll
USER32.dll - C:\WINDOWS\system32\USER32.dll
OLE32.dll - C:\WINDOWS\system32\OLE32.dll
WINMM.dll - C:\WINDOWS\system32\WINMM.dll
gdiplus.dll - gdiplus.dll
msvcrt.dll - C:\WINDOWS\system32\msvcrt.dll
WS2_32.dll - C:\WINDOWS\system32\WS2_32.dll
GDI32.dll - C:\WINDOWS\system32\GDI32.dll
KERNEL32.dll - C:\WINDOWS\system32\KERNEL32.dll
IMM32.DLL - C:\WINDOWS\system32\IMM32.DLL

Ready to Attack!

I will be using the vulnerable web application Mutillidae set up on my local network to show how this works.

Make sure your browser is pointing to burp, make a request where an injection vulnerability may exist. After you make the request you can either intercept it or locate it in your history. Right click inside the request and select the ‘send to sqlmap’ option.

A separate window with options for sqlmap will open. Locate the sqlmap.exe file and add that to the bin path. Fill out any other options you want, as you change the options the command will update. Click ‘Run’.

Target URL:
Cookie: showhints=0; PHPSESSID=re8o3orsq4kkto0mblr73bbvi2
Bin path: C:\Python27\dist\sqlmap.exe
Command: C:\Python27\dist\sqlmap.exe --cookie="showhints=0; PHPSESSID=re8o3orsq4kkto0mblr73bbvi2" --risk=3 --level=3 -v 2 -p username -u

After running, a new tab opens up with an interactive command prompt. The tabs allow for multiple commands to be run at once. At this point the output is normal SQLMap.

The result? Vulnerable!

From here we can run another more specific attack based on found information or look for other injection points. If you have any comments or suggestions let me know. Enjoy!