5/31/23

Kunyu - More Efficient Corporate Asset Collection


0x00 Introduce

Tool introduction

Kunyu (kunyu), whose name is taken from , is actually a professional subject related to geographic information, which counts the geographic information of the sea, land, and sky. The same applies to cyberspace. The same is true for discovering unknown and fragile assets. It is more like a cyberspace map, which is used to comprehensively describe and display cyberspace assets, various elements of cyberspace and the relationship between elements, as well as cyberspace and real space. The mapping relationship. So I think "Kun Yu" still fits this concept.

Kunyu aims to make corporate asset collection more efficient and enable more security-related practitioners to understand and use cyberspace surveying and mapping technology.


Application scenario

For the use of kunyu, there can be many application scenarios, such as:

  • Forgotten and isolated assets in the enterprise are identified and added to security management.
  • Perform quick investigation and statistics on externally exposed assets of the enterprise.
  • Red and blue are used against related requirements, and batch inspections of captured IPs are performed.
  • Collect vulnerable assets in batches (0day/1day) for equipment and terminals within the impact.
  • Information on sites involved in new-type cybercrime cases is quickly collected and merged for more efficient research, judgment, and analysis.
  • Statistic and reproduce the fragile assets on the Internet that are affected by related vulnerabilities.

0x01 Install

Need Python3 or higher support

git clone https://github.com/knownsec/Kunyu.git
cd Kunyu
pip3 install -r requirements.txt

Linux:
	python3 setup.py install
	kunyu console

Windows:
	cd kunyu
	python3 console.py

PYPI:
	pip3 install kunyu
	
P.S. Windows also supports python3 setup.py install.

0x02 Configuration instructions

When you run the program for the first time, you can initialize by entering the following command. Other login methods are provided. However, it is recommended to use the API method. Because the user name/password login requires an additional request, the API method is theoretically more efficient.

kunyu init --apikey <your zoomeye key> --seebug <your seebug key>



You need to log in with ZoomEye credentials before using this tool for information collection.

Visit address: https://www.zoomeye.org/

The output file path can be customized by the following command

kunyu init --output C:\Users\风起\kunyu\output



0x03 Tool instructions

Detailed command
kunyu console


 

ZoomEye

Encryption method interface HostCrash <IP> <Domain> Host Header Scan hidden assets Seebug <Query> Search Seebug vulnerability information set <Option> Set arguments values Pocsuite3 Invoke the pocsuite component ExportPath Returns the path of the output file clear Clear the console screen show Show can set options help Print Help info exit Exit KunYu & ">
Global commands:
        info                                      Print User info
        SearchHost <query>                        Basic Host search
        SearchWeb <query>                         Basic Web search
        SearchIcon <File>/<URL>                   Icon Image search
        SearchBatch <File>                        Batch search Host
        SearchCert <Domain>                       SSL certificate Search
        SearchDomain <Domain>                     Domain name associated/subdomain search
        EncodeHash <encryption> <query>           Encryption method interface 
        HostCrash <IP> <Domain>                   Host Header Scan hidden assets
        Seebug <Query>                            Search Seebug vulnerability information
        set <Option>                              Set arguments values
        Pocsuite3                                    Invoke the pocsuite component
        ExportPath                                Returns the path of the output file 
        clear                                     Clear the console screen
        show                                      Show can set options
        help                                      Print Help info
        exit                                      Exit KunYu &

OPTIONS

ZoomEye:
	page <Number>    				The number of pages returned by the query
	dtype <0/1>      				Query associated domain name/subdomain name
	btype <host/web> 				Set the API interface for batch query

Use case introduction

Here we use the ZoomEye module for demonstration

User information query


HOST host search


Web host search


Batch IP search


Icon Search

When collecting corporate assets, we can use this method to retrieve the same ico icon assets, which usually has a good effect when associating related corporate assets. But it should be noted that if some sites also use this ico icon, irrelevant assets may be associated (but people who are bored with other people's ico icons are always in the minority). Support url or local file search.



 

SSL certificate search

Query through the serial number of the SSL certificate, so that the associated assets are more accurate, and services that use the same certificate can be searched. When you encounter an https site, you can use this method.



Multi-factor query

Similarly, Kunyu also supports multi-factor conditional query related assets, which can be realized through ZoomEye logic operation syntax.


 

Feature Search

Through HTTP request packet features or website-related features, the same framework assets can be concatenated more accurately



Associated Domain/Subdomain Search

Search for associated domain names and subdomains, and query associated domain names by default. Two modes can be set by setting the dtype parameter.


 

Encoding hash calculation

In some scenarios, you can use this command to perform common HASH encryption/encoding, such as BASE64, MD5, mmh3, HEX encoding, and debug in this way.



Seebug vulnerability query

You can query historical related vulnerabilities by entering information about the framework and equipment you want to find, but you need to note that only English is supported, and improvements and upgrades will be made later.



Setting parameters

When set page = 2, the returned results are 40. You can modify the page parameter to set the number of pages to be queried. Note that 1 page = 20/items. You can modify the value according to your needs to get more returned results.

The configurable parameters and the current values of the parameters are displayed through show.


 


Pocsuite linkage

In versions after v1.3.1, you can use kunyu to link the console mode of pocsuite3 for integrated use.



HOSTS head collision

Through the HOSTS collision, the hidden assets in the intranet can be effectively collided, and the intranet service can be accessed according to the ServerName domain name and IP configured in the middleware httpf.conf. This can be achieved by setting the local hosts file later, because the local hosts file takes precedence. The level is higher than DNS server resolution. Support reverse check through ZoomEye domain name library or read TXT file to get the list of domain names.

HOSTS cross collision



Data result

All search results are saved in the user's root directory, and the directory is created based on the current timestamp. All query results of a single start are stored in an Excel format under one directory, giving a more intuitive experience. The output path can be returned through the ExportPath command.



0x04 Loading

​ In fact, there are still many ideas, but as an Alpha version, this is the case, and it will continue to be improved in the later period. I hope that Kunyu can be known to more security practitioners. Thank you for your support.

​ The tool framework has reference to Kunlun Mirror and Pocsuite3, which are all very good works.

​ Thanks to all the friends of KnownSec 404 Team.

" 看得清 " 是能力的体现,是 " 器 " ,而 " 看得见 " 就是思想的体现,那最后关联的是 " 道 "。

​ --SuperHei


0x05 Issue

1、Multi-factor search

ZoomEye search can use multi-factor search, dork:cisco +port:80 (note the space) can search all data that meet the conditions of cisco and port:80, if there is no space in between, it is the same search condition, it is that cisco is satisfied and the port is All data for 80. Kunyu's dork does not require quotation marks.

2、High-precision geographical location

ZoomEye gives privileged users high-precision geographic location data, but it should be noted that ordinary users do not have this function, so I hope you know.

3、Username/password login

If you use username/password as the initialization condition, the token will be valid for 12 hours. If you find that your search cannot return data, you may wish to info. If the session times out, the initialization command prompt will be returned. In most cases, we recommend that you use the API KEY method, there is no invalidation problem. This design is also for the security of your account and password. After all, the API KEY can be reset and the token will become invalid. However, with the account and password, it is possible to log in to your ZoomEye account.

4、Cert certificate search

It should be noted that, according to the normal logic, you need to encode the serial number of the target SSL certificate in hexadecimal to match the sentence search, but Kunyu only needs to provide the Domain address to search. The principle is to make a request to the target station to obtain the serial number and process it, but if your host cannot access the target that needs to be searched, it cannot be retrieved. At this time, you can also search with the sentence in the usual way.

5、Favicon icon search

ico icon search not only supports URL retrieval, but also supports local ico icon file search, which has better scalability and compatibility.

6、Query data save path

By default, your query data is in the Kunyu folder under the user directory. You can also use the ExportPath command to query the path in the console mode.

7、Autocomplete

Kunyu's auto-completion supports upper and lower case, command logging, etc., use Tab to complete, please refer to Metasploit for usage.

8. Regarding the error when using pip install kunyu

The following error was reported when using pip install kunyu: File "C:\Users\风起\AppData\Local\Programs\Python\Python37\Scripts\kunyu-script.py", line 1 SyntaxError: Non-UTF-8 code starting with'\xb7' in file C: \Users\风起\AppData\Local\Programs\Python\Python37\Scripts\kunyu-script.py on line 1, but no encoding declared; see http://python.org/dev/peps/pep-0263/ for details

solution: Modify the C:\Users\风起\AppData\Local\Programs\Python\Python37\Scripts\kunyu-script.py file and add # encoding: utf-8 at the beginning of the file.

Then save it and you can use it normally. The bug appears because there is a Chinese name in the user's directory path, which usually appears on windows.

9. Pocsuite3 module POC storage directory

When using the pocsuite3 module, if you want to add a new POC module, you can add a POC file in project directory/kunyu/pocs/.

10. Pocsuite3 module POC missing issue

When using the Pocsuite command linkage, if it is a packaged Kunyu version, the poc has been fixed. At this time, modifying the poc directory cannot add new modules. At this time, you can repackage it or use the project directory/kunyu /console.py Run kunyu to update the poc module in real time.


0x06 Contributions

风起@knownsec 404
wh0am1i@knownsec 404
fenix@knownsec 404
0x7F@knownsec 404


0x07 Community

If you have any questions, you can submit an issue under the project, or contact us through the following methods.

Scan the QR code to add the ZoomEye staff member WeChat, and remark Kunyu, which will draw everyone to the ZoomEye cyberspace surveying and mapping exchange group




Continue reading

  1. Hack Tools 2019
  2. Free Pentest Tools For Windows
  3. Pentest Tools For Android
  4. Hack Website Online Tool
  5. Hacking Tools For Games
  6. Free Pentest Tools For Windows
  7. Hacker Hardware Tools
  8. Computer Hacker
  9. Hacking Tools Windows 10
  10. How To Hack
  11. Hacker Tools 2019
  12. Hacking Tools Online
  13. Pentest Tools Bluekeep
  14. Hacker Security Tools
  15. Hacker Tools
  16. Hack Website Online Tool
  17. Pentest Tools Apk
  18. Pentest Reporting Tools
  19. Hacking Tools Windows
  20. Hack Tools Pc
  21. What Is Hacking Tools
  22. Hacker Tools Free Download
  23. Hacker Tools Free Download
  24. Wifi Hacker Tools For Windows
  25. Pentest Tools Download
  26. Pentest Tools Github
  27. Pentest Tools Apk
  28. Hacking Tools 2020
  29. Hacking Tools Kit
  30. Hacking Tools Hardware
  31. Hacking Tools For Kali Linux
  32. Hacker Tools List
  33. Pentest Automation Tools
  34. Hacking Tools Usb
  35. Pentest Reporting Tools
  36. Pentest Tools Port Scanner
  37. Hacking Tools And Software
  38. Kik Hack Tools
  39. Pentest Tools For Android
  40. Hacker Tools For Ios
  41. Hacker Tools For Windows
  42. Hack Tools
  43. Hacker Tools Free
  44. Hacker Tools Hardware
  45. Best Hacking Tools 2020
  46. Hack Tools For Games
  47. Black Hat Hacker Tools
  48. Black Hat Hacker Tools
  49. Hack Tools
  50. Hacker Tools Github
  51. Hak5 Tools
  52. Hacker Tool Kit
  53. Pentest Tools Subdomain
  54. Pentest Tools Subdomain
  55. Hack Tools Online
  56. Hacker Tools Github
  57. Hacking Tools Software
  58. Tools 4 Hack
  59. Hacker Tools For Mac
  60. Hack Tools Github
  61. Hacker Hardware Tools
  62. Hacking Tools For Games
  63. Hacker Tools For Pc
  64. Pentest Tools Review
  65. Nsa Hack Tools
  66. Hacking Tools Free Download
  67. Pentest Tools Url Fuzzer
  68. World No 1 Hacker Software
  69. Best Hacking Tools 2019
  70. Termux Hacking Tools 2019
  71. Pentest Tools Download
  72. Hacking Tools For Windows
  73. Wifi Hacker Tools For Windows
  74. Nsa Hack Tools Download
  75. Hack Tool Apk No Root
  76. Best Pentesting Tools 2018
  77. Hack Tools 2019
  78. Hacker Tools List
  79. How To Hack
  80. Hack App
  81. Free Pentest Tools For Windows
  82. Hacking Tools For Mac
  83. Hack Tools For Games
  84. Pentest Tools Website
  85. Hacker Tools 2019
  86. Hacking Tools For Games
  87. Hacking Tools Pc
  88. Hacking Tools For Windows
  89. Hack Tool Apk
  90. Nsa Hack Tools Download
  91. Hacking Tools For Kali Linux
  92. Best Hacking Tools 2020
  93. Hacker Tools Github
  94. Usb Pentest Tools
  95. Hack Tools Mac
  96. Hacker Tools Free Download
  97. Pentest Tools Bluekeep
  98. Hacking Tools For Windows Free Download
  99. Nsa Hack Tools Download
  100. Hack Website Online Tool
  101. Github Hacking Tools
  102. Github Hacking Tools
  103. Hacking Tools
  104. Hacker Hardware Tools
  105. Tools For Hacker
  106. Hacking Tools Usb
  107. Pentest Reporting Tools
  108. Pentest Tools For Android
  109. Hacking Apps
  110. Hacking Tools Free Download
  111. Hacking Tools Online
  112. Hacking Tools For Windows 7
  113. Pentest Tools Github
  114. Kik Hack Tools
  115. World No 1 Hacker Software
  116. Hack Tools Pc
  117. Hacker Security Tools
  118. Hack Website Online Tool
  119. Hack Tools 2019
  120. Computer Hacker
  121. Hack Tools For Mac
  122. Hack Tools For Games
  123. Pentest Tools Github
  124. Hack Tools For Windows
Posted by at No comments:

Learning Web Pentesting With DVWA Part 3: Blind SQL Injection

In this article we are going to do the SQL Injection (Blind) challenge of DVWA.
OWASP describes Blind SQL Injection as:
"Blind SQL (Structured Query Language) injection is a type of attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal , the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible."
To follow along click on the SQL Injection (Blind) navigation link. You will be presented with a page like this:
Lets first try to enter a valid User ID to see what the response looks like. Enter 1 in the User ID field and click submit. The result should look like this:
Lets call this response as valid response for the ease of reference in the rest of the article. Now lets try to enter an invalid ID to see what the response for that would be. Enter something like 1337 the response would be like this:

We will call this invalid response. Since we know both the valid and invalid response, lets try to attack the app now. We will again start with a single quote (') and see the response. The response we got back is the one which we saw when we entered the wrong User ID. This indicates that our query is either invalid or incomplete. Lets try to add an or statement to our query like this:
' or 1=1-- -
This returns a valid response. Which means our query is complete and executes without errors. Lets try to figure out the size of the query output columns like we did with the sql injection before in Learning Web Pentesting With DVWA Part 2: SQL Injection.
Enter the following in the User ID field:
' or 1=1 order by 1-- -
Again we get a valid response lets increase the number to 2.
' or 1=1 order by 2-- -
We get a valid response again lets go for 3.
' or 1=1 order by 3-- -
We get an invalid response so that confirms the size of query columns (number of columns queried by the server SQL statement) is 2.
Lets try to get some data using the blind sql injection, starting by trying to figure out the version of dbms used by the server like this:
1' and substring(version(), 1,1) = 1-- -
Since we don't see any output we have to extract data character by character. Here we are trying to guess the first character of the string returned by version() function which in my case is 1. You'll notice the output returns a valid response when we enter the query above in the input field.
Lets examine the query a bit to further understand what we are trying to accomplish. We know 1 is the valid user id and it returns a valid response, we append it to the query. Following 1, we use a single quote to end the check string. After the single quote we start to build our own query with the and conditional statement which states that the answer is true if and only if both conditions are true. Since the user id 1 exists we know the first condition of the statement is true. In the second condition, we extract first character from the version() function using the substring() function and compare it with the value of 1 and then comment out the rest of server query. Since first condition is true, if the second condition is true as well we will get a valid response back otherwise we will get an invalid response. Since my the version of mariadb installed by the docker container starts with a 1 we will get a valid response. Lets see if we will get an invalid response if we compare the first character of the string returned by the version() function to 2 like this:
1' and substring(version(),1,1) = 2-- -
And we get the invalid response. To determine the second character of the string returned by the version() function, we will write our query like this:
1' and substring(version(),2,2) = 1-- -
We get invalid response. Changing 1 to 2 then 3 and so on we get invalid response back, then we try 0 and we get a valid response back indicating the second character in the string returned by the version() function is 0. Thus we have got so for 10 as the first two characters of the database version. We can try to get the third and fourth characters of the string but as you can guess it will be time consuming. So its time to automate the boring stuff. We can automate this process in two ways. One is to use our awesome programming skills to write a program that will automate this whole thing. Another way is not to reinvent the wheel and try sqlmap. I am going to show you how to use sqlmap but you can try the first method as well, as an exercise.
Lets use sqlmap to get data from the database. Enter 1 in the User ID field and click submit.
Then copy the URL from the URL bar which should look something like this
http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Now open a terminal and type this command:
sqlmap --version
this will print the version of your sqlmap installation otherwise it will give an error indicating the package is not installed on your computer. If its not installed then go ahead and install it.
Now type the following command to get the names of the databases:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id
Here replace the PHPSESSID with your session id which you can get by right clicking on the page and then clicking inspect in your browser (Firefox here). Then click on storage tab and expand cookie to get your PHPSESSID. Also your port for dvwa web app can be different so replace the URL with yours.
The command above uses -u to specify the url to be attacked, --cookie flag specifies the user authentication cookies, and -p is used to specify the parameter of the URL that we are going to attack.
We will now dump the tables of dvwa database using sqlmap like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa --tables
After getting the list of tables its time to dump the columns of users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users --columns
And at last we will dump the passwords column of the users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users -C password --dump
Now you can see the password hashes.
As you can see automating this blind sqli using sqlmap made it simple. It would have taken us a lot of time to do this stuff manually. That's why in pentests both manual and automated testing is necessary. But its not a good idea to rely on just one of the two rather we should leverage power of both testing types to both understand and exploit the vulnerability.
By the way we could have used something like this to dump all databases and tables using this sqlmap command:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id --dump-all
But obviously it is time and resource consuming so we only extracted what was interested to us rather than dumping all the stuff.
Also we could have used sqlmap in the simple sql injection that we did in the previous article. As an exercise redo the SQL Injection challenge using sqlmap.

References:

1. Blind SQL Injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection
2. sqlmap: http://sqlmap.org/
3. MySQL SUBSTRING() Function: https://www.w3schools.com/sql/func_mysql_substring.asp
Related posts

  1. Hack And Tools
  2. Hack Tools For Games
  3. Hacking Tools Hardware
  4. Hackers Toolbox
  5. Top Pentest Tools
  6. How To Make Hacking Tools
  7. Pentest Tools Tcp Port Scanner
  8. Hack Tools Download
  9. Hacker Tools Free Download
  10. Hacker Tool Kit
  11. Android Hack Tools Github
  12. Hacking Tools And Software
  13. Hacker Tools Github
  14. Android Hack Tools Github
  15. Hacker Tools Mac
  16. Hacking Tools For Pc
  17. New Hacker Tools
  18. Hacker Search Tools
  19. Hack Tools Online
  20. Hack App
  21. Hacking Tools Kit
  22. Hacker Hardware Tools
  23. How To Install Pentest Tools In Ubuntu
  24. Pentest Tools Open Source
  25. Hacker Tools Apk Download
  26. Hack Website Online Tool
  27. Pentest Tools List
  28. Hack Tools For Pc
  29. Hacking Tools Free Download
  30. Hacker Tools
  31. Hacker Tools Windows
  32. Pentest Tools Kali Linux
  33. Hacking Tools Download
  34. Pentest Tools Url Fuzzer
  35. Install Pentest Tools Ubuntu
  36. Hacker Tools 2019
  37. Computer Hacker
  38. Pentest Tools Windows
  39. Free Pentest Tools For Windows
  40. Hacker Tools For Mac
  41. Pentest Tools Url Fuzzer
  42. Pentest Tools Free
  43. New Hack Tools
  44. Pentest Tools Open Source
  45. Best Hacking Tools 2019
  46. Hack Tools Mac
  47. Install Pentest Tools Ubuntu
  48. Pentest Automation Tools
  49. Best Hacking Tools 2019
  50. Hack Tools Mac
  51. Hacker Tool Kit
  52. What Are Hacking Tools
  53. New Hacker Tools
  54. Tools For Hacker
  55. Pentest Tools
  56. Hacking Tools Kit
  57. Hacking Tools Mac
  58. Hacking Tools 2019
  59. Computer Hacker
  60. Hack Tools For Pc
  61. Pentest Tools Review
  62. Hacking Tools Kit
  63. Hack Tools For Games
  64. Hacking Tools For Games
  65. Hacker Tools Free
  66. Hacker
  67. Hacker Tools For Ios
  68. Pentest Tools Tcp Port Scanner
  69. Pentest Tools Port Scanner
  70. Pentest Box Tools Download
  71. Pentest Tools Linux
  72. Pentest Tools Free
  73. Nsa Hack Tools Download
  74. Pentest Tools Open Source
  75. Hack Website Online Tool
  76. Beginner Hacker Tools
  77. Hacking Tools For Beginners
  78. Hack Tools Github
  79. Hack Rom Tools
  80. Pentest Tools
  81. Hacker Tools Windows
  82. Pentest Tools Kali Linux
  83. New Hack Tools
  84. Blackhat Hacker Tools
  85. Hacker Tools Apk
  86. Ethical Hacker Tools
  87. Android Hack Tools Github
  88. Hack Tools Download
  89. Hacking Tools Pc
  90. Hacker Security Tools
  91. World No 1 Hacker Software
  92. Beginner Hacker Tools
  93. Hacking Tools 2019
  94. World No 1 Hacker Software
  95. Hacking Tools Usb
  96. Hacking Tools
Posted by at No comments:
Subscribe to: Posts (Atom)

Blog Archive