Siendo un rati en la red

Después de algunas lecturas que revelaban nombres comunes de webshell (backdoors) usadas por diversos grupos de delincuentes, decidí hacer una herramienta para buscar estas backdoors en la red.

Consta de dos partes: una primera parte extrae desde shodan posibles targets vulnerados por delincuentes y una segunda parte confirmar sí efectivamente fueron vulnerados, para esto último se usa un conjunto de reglas nuclei.

 

 

import shodan
import sys
import os

if len(sys.argv)<2:
	print ("webshellhafnium.py apishodan country:ar ")
	sys.exit()

api=shodan.Shodan(sys.argv[1])
result=api.search("http.title:outlook exchange port:443 "+sys.argv[2])
for item in result["matches"]:
	print(item["ip_str"])
	os.system("echo https://"+item["ip_str"]+" | nuclei -t hafnium_detect.yaml -v")

 

id: basic-hafnium-webshell

info:
  name: hafnium-webshell
  author: rfocke
  severity: high

requests:
  - method: GET
    path:
      - "{{BaseURL}}/aspnet_client/aspnet.aspx"
      - "{{BaseURL}}/aspnet_client/client.aspx"
      - "{{BaseURL}}/aspnet_client/discover.aspx"
      - "{{BaseURL}}/aspnet_client/caches.aspx"
      - "{{BaseURL}}/aspnet_client/shell.aspx"
      - "{{BaseURL}}/aspnet_client/dukybySSSS.asp"
      - "{{BaseURL}}/aspnet_client/aspnet_regiis.aspx"
      - "{{BaseURL}}/aspnet_client/log_error_9e23efc3.aspx"
      - "{{BaseURL}}/aspnet_client/errorEE.aspx"
      - "{{BaseURL}}/aspnet_client/errorEEE.aspx"
      - "{{BaseURL}}/aspnet_client/errorEW.aspx"
      - "{{BaseURL}}/aspnet_client/errorFF.aspx"
      - "{{BaseURL}}/aspnet_client/healthcheck.aspx"
      - "{{BaseURL}}/aspnet_client/HttpProxy.aspx"
      - "{{BaseURL}}/aspnet_client/Logout.aspx"
      - "{{BaseURL}}/aspnet_client/MultiUp.aspx"
      - "{{BaseURL}}/aspnet_client/one.aspx"
      - "{{BaseURL}}/aspnet_client/help.aspx"
      - "{{BaseURL}}/aspnet_client/OutlookJP.aspx"
      - "{{BaseURL}}/aspnet_client/OutlookEN.aspx"
      - "{{BaseURL}}/aspnet_client/OutlookRU.aspx"
      - "{{BaseURL}}/aspnet_client/RedirSuiteServerProxy.aspx"
      - "{{BaseURL}}/aspnet_client/shellex.aspx"
      - "{{BaseURL}}/aspnet_client/Supp0rt.aspx"
      - "{{BaseURL}}/aspnet_client/sytem_web.aspx"
      - "{{BaseURL}}/aspnet_client/t.aspx"
      - "{{BaseURL}}/aspnet_client/TimeoutLogout.aspx"
      - "{{BaseURL}}/aspnet_client/web.aspx"
      - "{{BaseURL}}/aspnet_client/xx.aspx"
      - "{{BaseURL}}/aspnet_client/HWTJQDMFVMPOON.aspx"
      - "{{BaseURL}}/aspnet_client/VJRFWFCHRULT.aspx"
      - "{{BaseURL}}/aspnet_client/error.aspx"
      - "{{BaseURL}}/owa/auth/HWTJQDMFVMPOON.aspx"
      - "{{BaseURL}}/aspnet_client/nhmxea.aspx.aspx"
      - "{{BaseURL}}/aspnet_client/supp0rt.aspx"
      - "{{BaseURL}}/owa/auth/d62ffcd688.aspx"
      - "{{BaseURL}}/owa/auth/Current/themes/resources/zaivc.aspx"
      - "{{BaseURL}}/owa/auth/415cc41ac1.aspx"
      - "{{BaseURL}}/aspnet_client/253283293.aspx"
      - "{{BaseURL}}/aspnet_client/ykmsr.aspx"
      - "{{BaseURL}}/owa/auth/6514f55e1a.aspx"
      - "{{BaseURL}}/aspnet_client/KDNLIE.aspx"
      - "{{BaseURL}}/aspnet_client/VOLWMFQWPP.aspx"
      - "{{BaseURL}}/owa/auth/VOLWMFQWPP.aspx"
      - "{{BaseURL}}/aspnet_client/system_web/NUQvLIoq.aspx"
      - "{{BaseURL}}/aspnet_client/shell.aspx"
      - "{{BaseURL}}/aspnet_client/updateServer.aspx"

    matchers:
      - type: status
        status:
         - 200

las tools pueden descargarse desde acá:

https://github.com/robertofocke/test-rapido-HAFNIUM/blob/main/hafnium_detect.yaml

https://github.com/robertofocke/test-rapido-HAFNIUM/blob/main/webshellhafnium.py

 

 

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *