After some reading that revealed common names of webshells (backdoors) used by various criminal groups, I decided to build a tool to search for these backdoors on the network.
It consists of two parts: the first part pulls possible targets compromised by criminals out of Shodan, and the second part confirms whether they really were compromised; for the latter, a set of nuclei rules is used.
import os
import shodan
import sys

# Usage: webshellhafnium.py <shodan-api-key> <extra shodan filter, e.g. country:ar>
# Both arguments are required (the filter is read from sys.argv[2] below).
if len(sys.argv) < 3:
    print("webshellhafnium.py apishodan country:ar ")
    sys.exit()

api = shodan.Shodan(sys.argv[1])
# Hosts whose HTTPS page title mentions Outlook/Exchange, narrowed by the extra filter
result = api.search("http.title:outlook exchange port:443 " + sys.argv[2])
for item in result["matches"]:
    print(item["ip_str"])
    # Hand each candidate host to nuclei with the webshell template
    os.system("echo https://" + item["ip_str"] + " | nuclei -t hafnium_detect.yaml -v")
id: basic-hafnium-webshell

info:
  name: hafnium-webshell
  author: rfocke
  severity: high

requests:
  - method: GET
    path:
      - "{{BaseURL}}/aspnet_client/aspnet.aspx"
      - "{{BaseURL}}/aspnet_client/client.aspx"
      - "{{BaseURL}}/aspnet_client/discover.aspx"
      - "{{BaseURL}}/aspnet_client/caches.aspx"
      - "{{BaseURL}}/aspnet_client/shell.aspx"
      - "{{BaseURL}}/aspnet_client/dukybySSSS.asp"
      - "{{BaseURL}}/aspnet_client/aspnet_regiis.aspx"
      - "{{BaseURL}}/aspnet_client/log_error_9e23efc3.aspx"
      - "{{BaseURL}}/aspnet_client/errorEE.aspx"
      - "{{BaseURL}}/aspnet_client/errorEEE.aspx"
      - "{{BaseURL}}/aspnet_client/errorEW.aspx"
      - "{{BaseURL}}/aspnet_client/errorFF.aspx"
      - "{{BaseURL}}/aspnet_client/healthcheck.aspx"
      - "{{BaseURL}}/aspnet_client/HttpProxy.aspx"
      - "{{BaseURL}}/aspnet_client/Logout.aspx"
      - "{{BaseURL}}/aspnet_client/MultiUp.aspx"
      - "{{BaseURL}}/aspnet_client/one.aspx"
      - "{{BaseURL}}/aspnet_client/help.aspx"
      - "{{BaseURL}}/aspnet_client/OutlookJP.aspx"
      - "{{BaseURL}}/aspnet_client/OutlookEN.aspx"
      - "{{BaseURL}}/aspnet_client/OutlookRU.aspx"
      - "{{BaseURL}}/aspnet_client/RedirSuiteServerProxy.aspx"
      - "{{BaseURL}}/aspnet_client/shellex.aspx"
      - "{{BaseURL}}/aspnet_client/Supp0rt.aspx"
      - "{{BaseURL}}/aspnet_client/sytem_web.aspx"
      - "{{BaseURL}}/aspnet_client/t.aspx"
      - "{{BaseURL}}/aspnet_client/TimeoutLogout.aspx"
      - "{{BaseURL}}/aspnet_client/web.aspx"
      - "{{BaseURL}}/aspnet_client/xx.aspx"
      - "{{BaseURL}}/aspnet_client/HWTJQDMFVMPOON.aspx"
      - "{{BaseURL}}/aspnet_client/VJRFWFCHRULT.aspx"
      - "{{BaseURL}}/aspnet_client/error.aspx"
      - "{{BaseURL}}/owa/auth/HWTJQDMFVMPOON.aspx"
      - "{{BaseURL}}/aspnet_client/nhmxea.aspx.aspx"
      - "{{BaseURL}}/aspnet_client/supp0rt.aspx"
      - "{{BaseURL}}/owa/auth/d62ffcd688.aspx"
      - "{{BaseURL}}/owa/auth/Current/themes/resources/zaivc.aspx"
      - "{{BaseURL}}/owa/auth/415cc41ac1.aspx"
      - "{{BaseURL}}/aspnet_client/253283293.aspx"
      - "{{BaseURL}}/aspnet_client/ykmsr.aspx"
      - "{{BaseURL}}/owa/auth/6514f55e1a.aspx"
      - "{{BaseURL}}/aspnet_client/KDNLIE.aspx"
      - "{{BaseURL}}/aspnet_client/VOLWMFQWPP.aspx"
      - "{{BaseURL}}/owa/auth/VOLWMFQWPP.aspx"
      - "{{BaseURL}}/aspnet_client/system_web/NUQvLIoq.aspx"
      - "{{BaseURL}}/aspnet_client/shell.aspx"
      - "{{BaseURL}}/aspnet_client/updateServer.aspx"
    matchers:
      - type: status
        status:
          - 200
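The template above only tells you that a request to one of those paths came back with a 200, which means the file exists on the server but says nothing about who has been using it. The same path list is just as useful from the inside: an Exchange admin can feed it to the IIS logs and see whether any of those names were ever served (likely compromise) or merely probed (scanning). The script below is an added example written for this post, not code from the repository linked here; it reads the paths straight out of the nuclei template with a regular expression (so PyYAML is not needed), parses IIS W3C log lines, and flags every request whose URI matches a watched path. The template excerpt and the log lines embedded in it are constructed samples; point `load_template_paths` at the real hafnium_detect.yaml and `parse_iis_log` at a real `u_ex*.log` file to run it for real.

```python
import re

# Constructed excerpt in the layout of the nuclei template above (only three of
# its paths, to keep the sample short); the loader accepts the full file's text.
SAMPLE_TEMPLATE = """\
id: basic-hafnium-webshell
requests:
  - method: GET
    path:
      - "{{BaseURL}}/aspnet_client/aspnet.aspx"
      - "{{BaseURL}}/aspnet_client/shell.aspx"
      - "{{BaseURL}}/owa/auth/HWTJQDMFVMPOON.aspx"
    matchers:
      - type: status
        status:
          - 200
"""

# Constructed IIS W3C extended log lines (hypothetical traffic, RFC 5737 addresses).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2021-03-05 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 35
2021-03-05 10:00:09 10.0.0.5 POST /aspnet_client/aspnet.aspx - 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 120
2021-03-05 10:00:30 10.0.0.5 GET /aspnet_client/Shell.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 404 0 2 3
2021-03-05 10:01:00 10.0.0.5 GET /ecp/default.aspx - 443 admin@corp 10.0.0.20 Mozilla/5.0 - 200 0 0 40
"""

# Matches the `- "{{BaseURL}}/..."` entries of the template's path list.
PATH_RE = re.compile(r'^\s*-\s*"\{\{BaseURL\}\}(/[^"]+)"\s*$', re.MULTILINE)


def load_template_paths(template_text):
    """Return the URL paths listed in a nuclei template, in order, without
    duplicates. They are lower-cased because IIS resolves URLs
    case-insensitively, so /Shell.aspx and /shell.aspx are the same file."""
    paths = []
    for match in PATH_RE.finditer(template_text):
        path = match.group(1).lower()
        if path not in paths:
            paths.append(path)
    return paths


def parse_iis_log(text):
    """Parse W3C extended log text into one dict per request, keyed by the
    column names announced in the #Fields: directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives or blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records


def find_webshell_hits(records, watch_paths):
    """Flag every request whose URI is one of the watched webshell paths.
    A 2xx answer means the file exists and was served ("served": treat as a
    compromise until proven otherwise); anything else, typically 404, means
    someone only probed for it ("probe")."""
    watch = set(watch_paths)
    hits = []
    for rec in records:
        if rec["cs-uri-stem"].lower() not in watch:
            continue
        status = int(rec["sc-status"])
        hits.append({
            "client": rec["c-ip"],
            "method": rec["cs-method"],
            "path": rec["cs-uri-stem"],
            "status": status,
            "verdict": "served" if 200 <= status < 300 else "probe",
        })
    return hits


if __name__ == "__main__":
    paths = load_template_paths(SAMPLE_TEMPLATE)
    for hit in find_webshell_hits(parse_iis_log(SAMPLE_IIS_LOG), paths):
        print(f"{hit['verdict']:6} {hit['client']:15} {hit['method']:4} "
              f"{hit['path']} -> {hit['status']}")
```

In the sample, the POST to /aspnet_client/aspnet.aspx that returned 200 is the line worth acting on: a POST to a file that should not exist under aspnet_client is how these webshells receive commands. The 404 for Shell.aspx is just a scanner looking for it. Once a "served" hit shows up, confirm on disk that the file is present under the Exchange web root and preserve it for analysis rather than relying on the HTTP status alone.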
The tools can be downloaded from here:
https://github.com/robertofocke/test-rapido-HAFNIUM/blob/main/hafnium_detect.yaml
https://github.com/robertofocke/test-rapido-HAFNIUM/blob/main/webshellhafnium.py