badsecrets's Issues

telerik_knownkey sitecore issue

@aconite33

Some versions of Sitecore include a slightly different dll (like ones that exist at sitecore/shell/Controls/RichTextEditor/Telerik.Web.UI.DialogHandler.aspx) which telerik_knownkey doesn't like. Need to track this dll down, likely there's just a slightly different error message.

rails_secretkeybase poor error handling

Traceback (most recent call last):
  File "/usr/lib/python3.10/concurrent/futures/process.py", line 246, in _process_worker
    r = call_item.fn(*call_item.args, **call_item.kwargs)
  File "/home/user/..cache/pypoetry/virtualenvs/bbot-IFSyk-JB-py3.10/lib/python3.10/site-packages/badsecrets/base.py", line 188, in carve_all_modules
    r_list = x.carve(**kwargs)
  File "/home/user/.cache/pypoetry/virtualenvs/bbot-IFSyk-JB-py3.10/lib/python3.10/site-packages/badsecrets/base.py", line 92, in carve
    r = self.check_secret(v)
  File "/home/user/.cache/pypoetry/virtualenvs/bbot-IFSyk-JB-py3.10/lib/python3.10/site-packages/badsecrets/modules/rails_secretkeybase.py", line 70, in check_secret
    r = self.rails(rails_cookie, secret_key_base)
  File "/home/user/.cache/pypoetry/virtualenvs/bbot-IFSyk-JB-py3.10/lib/python3.10/site-packages/badsecrets/modules/rails_secretkeybase.py", line 36, in rails
    encrypted_data = base64.b64decode(data).decode()
  File "/usr/lib/python3.10/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

Also same line:

binascii.Error: Invalid base64-encoded string: number of data characters (73) cannot be 1 more than a multiple of 4
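
An added example (not part of the issue and not badsecrets' own code) of a tolerant decode step that covers both errors quoted above: it returns None for malformed input instead of raising out of the carve loop. It assumes Rails cookie segments are joined by "--" with the base64 payload first; the function names and sample values are constructed for illustration.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import unquote


def safe_b64decode(segment: str) -> Optional[bytes]:
    """Decode one standard-base64 segment; return None instead of raising."""
    data = segment.strip().rstrip("=")
    # A data length of 4n+1 (such as the 73 characters in the second error)
    # can never be valid base64, so no amount of padding repairs it.
    if not data or len(data) % 4 == 1:
        return None
    padded = data + "=" * (-len(data) % 4)  # repairs "Incorrect padding"
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):  # non-alphabet or non-ASCII input
        return None


def rails_payload(cookie: str) -> Optional[bytes]:
    """URL-decode a candidate cookie and decode its first '--' segment.

    Returns the payload bytes, or None when the value does not have the
    assumed 'payload--rest' layout, so a caller can skip it quietly.
    """
    parts = unquote(cookie).split("--")
    if len(parts) < 2:
        return None
    return safe_b64decode(parts[0])


# Constructed sample inputs (not taken from the issue).
SAMPLES = {
    "well formed": "aGVsbG8gd29ybGQ%3D--0123abcd",
    "padding stripped": "aGVsbG8gd29ybGQ--0123abcd",
    "73 data characters": "A" * 73 + "--0123abcd",
    "not base64": "@@@@--0123abcd",
    "no separator": "aGVsbG8gd29ybGQ=",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:20} -> {rails_payload(value)!r}")
```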


bad CLI input not handled gracefully

Traceback (most recent call last):
  File "/home/liquid/.local/bin/badsecrets", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/liquid/.local/lib/python3.11/site-packages/badsecrets/examples/cli.py", line 233, in main
    hashcat_candidates = hashcat_all_modules(*args.product)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: hashcat_all_modules() takes 1 positional argument but 2 were given

input: badsecrets zzzz KLox5XeGYfb7Lo8zFzr1YepUagXuixcxX55lpFht+rrW6VGheZi831vdusH6DCMfxIhsLG1EPU3OuPvqN2XBc/fj0ew15TQ1zBmmKWJVns4=

Docker Version

I had trouble getting this to run on my system with the dependencies, so I Dockerized it, and now it's working.

It's on Docker Hub: https://hub.docker.com/r/pensivesecurity/badsecrets

It can be run with

docker run pensivesecurity/badsecrets -h

If you have a custom secrets file, place the file "decryptionkeys.txt" in your current directory, then run

docker run -v $PWD:/tmp/ pensivesecurity/badsecrets -c /tmp/decryptionkeys.txt [rest_of_command]

The docker file is

FROM python:3

RUN python -m pip install badsecrets
ENTRYPOINT ["badsecrets"]

Please feel free to push an official container and add it to the installation instructions if you want. I figured I'd share this information in case it was helpful to anyone else.

identify_only reports will report first matching

We need to report as a list since there could be multiple matches

{"description": "Cryptographic Product identified. Product Type: [Java Server Faces Viewstate] Product: [Ly8gp+FZKt9XsaxT5gZu41DDxO74k029z88gNBOru2jXW0g1Og+RUPdf2d8hGNTiofkD1VvmQTZAfeV+5qijOoD+SPzw6K72Y1H0sxfx5mFcfFtmqX7iN6Gq0fwLM+9PKQz88f+e7KImJqG1cz5KYhcrgT87c5Ayl03wEHvWwktTq9TcBJc4f1VnNHXVZgALGqQuETU8hYwZ1VilDmQ7J4pZbv+pvPUvzk+/e2oNeybso6TXqUrbT2Mz3k7yfe92q3pRjdxRlGxmkO9bPqNOtETlLPE5dDiZYo1U9gr8BBD=] Detecting Module: [Jsf_viewstate]",

(from bbot scan)

Add general CLI

Add an example CLI capable of both check_secret and python request-based carve functions

add severity

add an optional severity level for each module (low, medium, high, critical)

add JavaServer Faces Module

create a module to exploit known org.apache.myfaces.SECRET and/or org.apache.myfaces.MAC_SECRET as tested via javax.faces.viewstate value

express.js support more middleware

Currently, only the express-session middleware is supported by the expressjs module; however, the cookie-session middleware (which uses a two-cookie format) should also be checked.

express signature prone to false positives

Example FP:

s%3A777e09e%22%3A%7B%22%7B%7D%22%3A%7B%22viewLayout%22%3A%7B%22id%22%3A%22viewLayout%22%2C%22homepageFaqs%22%3A%7B%22id%22%3A%22homepage_faqs%3A6689855e%22%2C%22faqs%22%3A%7B%22id%22%3A%22homepage_faqs%3A9fffd7f5%3Afaqs%22%2C%22headerString%22%3A%22Common%20questions%22%2C%22faqsItems%22%3A%5B%7B%22id%22%3A%22homepage_faqs%3A939764f6%3Afaqs%3Afaqs_item%3Ae960175f%22%2C%22questionString%22%3A%22How%20does%20Instacart%20delivery%20and%20curbside%20pickup%20work%3F%22%2C%22faqsItemAnswers%22%3A%5B%7B%22id%22%3A%22homepage_faqs%3Afb0ec3d4%3Afaqs%3Afaqs_item%3Abd312aff%3Afaqs_item_answer%3Aa97f58ca%22%2C%22answerString%22%3A%22Instacart%20makes%20it%20easy%20to%20order%20from%20your%20favorite%20stores.%20Shop%20for%20items%20from%20stores%20near%20you%2C%20with%20a%20selection%20of%20more%2
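
An added example (not part of the issue and not badsecrets' own code) of a structural pre-check that rejects values like the one above before any secret is tried: a signed express-session cookie is "s:" + session ID + "." + an unpadded base64 HMAC-SHA256, so the part after the last dot must be exactly 43 base64 characters. The session-ID pattern is an assumption, and the function names and sample values are constructed.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import quote, unquote

# HMAC-SHA256 is 32 bytes: 44 base64 characters including one '=',
# which the signing step strips, leaving exactly 43.
SIG_RE = re.compile(r"[A-Za-z0-9+/]{43}")
# Assumption: session IDs are short URL-safe tokens, as the default ID
# generator produces; applications with a custom generator may differ.
SID_RE = re.compile(r"[A-Za-z0-9_-]{8,128}")


def parse_express_signed(raw: str) -> Optional[Tuple[str, str]]:
    """Return (session_id, signature) only for a correctly shaped cookie."""
    value = unquote(raw)
    if not value.startswith("s:"):
        return None
    # Split on the LAST dot: the signature is always the final component.
    sid, dot, sig = value[2:].rpartition(".")
    if not dot or not SID_RE.fullmatch(sid) or not SIG_RE.fullmatch(sig):
        return None
    return sid, sig


def make_sample_cookie(sid: str, secret: bytes) -> str:
    """Build a constructed, correctly shaped cookie for exercising the parser."""
    mac = hmac.new(secret, sid.encode(), hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode().rstrip("=")
    return quote(f"s:{sid}.{sig}", safe="")


# Constructed sample modelled on the false positive above: URL-encoded JSON
# that merely happens to start with "s:".
FALSE_POSITIVE = (
    "s%3A777e09e%22%3A%7B%22headerString%22%3A%22Common%20questions.%22%7D"
)
SAMPLE_SID = "k3Jd9sQ_x-constructedSID01"

if __name__ == "__main__":
    good = make_sample_cookie(SAMPLE_SID, b"constructed-secret")
    print("signed cookie  ->", parse_express_signed(good))
    print("false positive ->", parse_express_signed(FALSE_POSITIVE))
```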

Wrong README.md

It looks like README.md got overwritten with that of another project in d08738b. This is a repo for badsecrets tool, but the file describes baddns.

JWT module Algorithm not supported

File "/jwt/api_jws.py", line 88, in get_algorithm_by_name
return self._algorithms[alg_name]
KeyError: 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
File "/jwt/api_jws.py", line 295, in _verify_signature
alg_obj = self.get_algorithm_by_name(alg)
File "/jwt/api_jws.py", line 94, in get_algorithm_by_name
raise NotImplementedError("Algorithm not supported") from e
NotImplementedError: Algorithm not supported

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
File "/root/bbot/bbot/scanner/manager.py", line 306, in catch
ret = callback(args, **kwargs)
File "/root/bbot/bbot/modules/badsecrets.py", line 30, in handle_event
r_list = carve_all_modules(body=resp_body, cookies=resp_cookies)
File "/badsecrets/base.py", line 136, in carve_all_modules
r_list = x.carve(**kwargs)
File "/badsecrets/base.py", line 97, in carve
r = self.carve_to_check_secret(s)
File "/badsecrets/base.py", line 59, in carve_to_check_secret
r = self.check_secret(s.groups()[0])

Trouble with installation on windows

I am having difficulty installing and using the package on a Windows machine; please refer to the command history below.

`
C:\Users\test\Downloads\badsecrets-main\badsecrets\examples>pip install badsecrets
WARNING: The script badsecrets.exe is installed in 'C:\Users\test\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed Django-4.2.3 Jinja2-3.1.2 asgiref-3.7.2 badsecrets-0.3.375 blinker-1.6.2 certifi-2023.5.7 cffi-1.15.1 charset-normalizer-3.2.0 click-8.1.6 colorama-0.4.6 cryptography-41.0.2 exceptiongroup-1.1.2 flask-2.3.2 flask-unsign-1.2.0 idna-3.4 iniconfig-2.0.0 itsdangerous-2.1.2 markupsafe-2.1.3 packaging-23.1 pluggy-1.2.0 pycparser-2.21 pycryptodome-3.18.0 pyjwt-2.8.0 pytest-7.4.0 requests-2.31.0 sqlparse-0.4.4 tomli-2.0.1 typing-extensions-4.7.1 tzdata-2023.3 urllib3-2.0.4 viewstate-0.5.3 werkzeug-2.3.6

[notice] A new release of pip is available: 23.0.1 -> 23.2
[notice] To update, run: C:\Users\test\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\python.exe -m pip install --upgrade pip

C:\Users\test\Downloads\badsecrets-main\badsecrets\examples>badsecrets eyJhbGciOiJIUzI1NiJ9.eyJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkJhZFNlY3JldHMiLCJleHAiOjE1OTMxMzM0ODMsImlhdCI6MTQ2NjkwMzA4M30.ovqRikAo_0kKJ0GVrAwQlezymxrLGjcEiW_s3UJMMCo
'badsecrets' is not recognized as an internal or external command,
operable program or batch file.
`

signed rails cookie needs hashcat support

Add hashcat support + carve regex to ensure identify_only will work for rails cookies

investigate whether this will cause a double report via header carve + cookie check_secret()

Add support for hashcat output

Need a standard method for each module to optionally implement that outputs the secret in a format that can be cracked by hashcat
