Tools

The following are recent tools published by MWR InfoSecurity.



RDP Cipher Checker

Jan 12, 2009

This is a python script that will enumerate the encryption protocols supported by the server and the cipher strengths supported using native RDP encryption (assuming this is supported).


TCP-over-File Tunnel

Jan 12, 2009

As of Windows 2003, Terminal Services supports the sharing of local folders with clients by default; this tool can be used to tunnel multiple simultaneous TCP connections through shared files. This is very useful if, during a penetration test, you can connect to a server via RDP deep within a data centre and would like to forward ports but all traditional covert channels such as reverse connections and DNS tunnelling are blocked.

It is often the experience of the author that too much reliance is placed upon locked-down GUIs, and so it is assumed it would be difficult for an attacker to directly attack other servers within the data centre. Combined with Metasploit's meterpreter, this tool can be used to tunnel exploits through RDP to attack otherwise inaccessible servers.

It must be noted that a custom virtual channel could be implemented for the same purpose, rather than relying on shared files. However, tunnelling connections through files was chosen as this is often desired functionality and so might be a business requirement. Additionally, this tool could potentially be useful in other environments outside of RDP.


VMware authd brute forcer

Aug 15, 2008

This is a multithreaded tool to brute-force the VMware console. It acts as a wrapper around vmware-cmd, which must be installed for it to function. It allows you to try multiple passwords for a single user account in order to identify any weak passwords which may have been set.

Around 10 threads will normally be fine; Windows systems will lap it up, while *NIX systems will be slower. The dictionary should be specified by path. For efficiency, and to ensure concurrency between threads, the dictionary is read into memory.

WARNING: inetd will only allow a certain number of connections per minute (around 250); once this number is exceeded the service, in this case vmware-authd, will die, causing a DoS. Therefore be careful if you are using this tool against UNIX-based systems, and if so, ensure that xinetd is being used instead.


VMware VIX toolkit

Aug 15, 2008

This toolkit allows you to use the VMware VIX API within Ruby scripts. It is essentially a shared object which provides methods that Ruby scripts can call in order to interact with virtual machines or VMware servers. Some of the actions which can be performed with this include:

  • transferring files to the virtual machine
  • copying files from the virtual machine
  • executing commands and scripts on the virtual machine

This functionality is beyond what can be performed from the console of a server.


VMware VI toolkit

Aug 15, 2008

This toolkit allows you to use the VMware VI API from within Ruby to communicate with an ESX host.

The VI API is the same API that the virtual infrastructure client provided by VMware uses in order to talk to a host. This toolkit includes modules which allow you to perform actions against and retrieve information from an ESX server.

This makes things easily scriptable and also provides access to areas which are not available through the VI client, such as patch levels.


