fox-it/cve-2019-1040-scanner

Stars
276
Rank 149,319 (Top 3 %)
Language
Python
License
MIT License
Created over 5 years ago
Updated about 4 years ago

fox-it/cve-2019-1040-scanner

fox-it

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

CVE-2019-1040 scanner

Checks for CVE-2019-1040 vulnerability over SMB. The script will establish a connection to the target host(s) and send an invalid NTLM authentication. If this is accepted, the host is vulnerable to CVE-2019-1040 and you can execute the MIC Remove attack with ntlmrelayx.

Note that this does not generate failed login attempts as the login information itself is valid, it is just the NTLM message integrity code that is absent, which is why the authentication is refused without increasing the badpwdcount.

Usage

The script requires a recent impacket version. Should work with both python 2 and 3 (Python 3 requires you to use impacket from git).

[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth
usage: scan.py [-h] [-target-file file] [-port [destination port]]
               [-hashes LMHASH:NTHASH]
               target

CVE-2019-1040 scanner - Connects over SMB and attempts to authenticate with
invalid NTLM packets. If accepted, target is vulnerable to MIC remove attack

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>

optional arguments:
  -h, --help            show this help message and exit

connection:
  -target-file file     Use the targets in the specified file instead of the
                        one on the command line (you must still specify
                        something as target name)
  -port [destination port]
                        Destination port to connect to SMB Server

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

dissect

Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).

aclpwn.py

Active Directory ACL exploitation with BloodHound

log4j-finder

Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)

dissect.cstruct_legacy

A no-nonsense c-like structure parsing library for Python

quantuminsert

LDAPFragger

mkYARA

Generating YARA rules based on binary code

linux-luks-tpm-boot

A guide for setting up LUKS boot with a key from TPM in Linux

Invoke-CredentialPhisher

bloodhound-import

Python based BloodHound data importer

dissect.cobaltstrike

Python library for dissecting and parsing Cobalt Strike related data such as Beacon payloads and Malleable C2 Profiles

danderspritz-evtx

Parse evtx files and detect use of the DanderSpritz eventlogedit module

cryptophp

CryptoPHP Indicators of Compromise

cobaltstrike-extraneous-space

Historical list of {Cobalt Strike,NanoHTTPD} servers

cobaltstrike-beacon-data

Open Dataset of Cobalt Strike Beacon metadata (2018-2022)

Jupyter Notebook

OpenSSH-Session-Key-Recovery

Project containing several tools/ scripts to recover the OpenSSH session keys used to encrypt/ decrypt SSH traffic.

acquire

acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container.

OpenSSH-Network-Parser

Project to decrypt and parse SSH traffic

bro-scripts

Bro-IDS scripts

cisco-ios-xe-implant-detection

Cisco IOS XE implant scanning & detection (CVE-2023-20198, CVE-2023-20273)

dissect.cstruct

A Dissect module implementing a parser for C-like structures.

operation-wocao

Operation Wocao - Indicators of Compromise

dissect.target

The Dissect module tying all other Dissect modules together. It provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets).

dll-hijacking-poc

A quick POC on how to embed a meterpreter in Firefox via DLL hijacking

citrix-netscaler-triage

Dissect triage script for Citrix NetScaler devices

Decrypt-TFSSecretVariables

ponmocup

Ponmocup Indicators of Compromise

signed-phishing-email

pcap-broker

PCAP-over-IP server written in Golang

mofang

Mofang Indicators of Compromise

spookyssl-pcaps

SpookySSL PCAPS and Network Coverage

dissect.esedb

A Dissect module implementing a parser for Microsofts Extensible Storage Engine Database (ESEDB), used for example in Active Directory, Exchange and Windows Update.

dissect-docs

Dissect documentation project

log4shell-pcaps

Log4Shell PCAPS and Network Coverage

dissect.evidence

A Dissect module implementing a parsers for various forensic evidence file containers, currently: AD1, ASDF and EWF.

dissect.ntfs

A Dissect module implementing a parser for the NTFS file system, used by the Windows operating system.

dissect.eventlog

A Dissect module implementing parsers for the Windows EVT, EVTX and WEVT log file formats.

saitama-server

Server-side implementation for the Saitama implant, useful for detection engineering purposes

flow.record

Recordization library

django-auth-policy

Django Authentication Policy

psixbot

PsiXBot Indicators of Compromise

reasm

Extract parts of the malware and re-compile it on linux for decrypting stuff using same malware algorithms.

aws-lambda-kinesis-windowseventlog

AWS lambda to transform the json from AWS kinesis agent to useful json documents for elasticsearch

dissect.cim

A Dissect module implementing a parser for the Windows Common Information Model (CIM) database, used in the Windows operating system.

dissect.hypervisor

A Dissect module implementing parsers for various hypervisor disk, backup and configuration files.

Decrypt-OrchestratorSecretVariables

dissect.sql

A Dissect module implementing a parsers for the SQLite database file format, commonly used by applications to store configuration data.

blister-research

Scripts, YARA and IOCs from our research on the Blister malware 🩹

dissect.clfs

A Dissect module implementing a parser for the CLFS (Common Log File System) file system of Windows.

dissect.volume

A Dissect module implementing a parser for different disk volume and partition systems, for example LVM2, GPT and MBR.

dissect.ole

A Dissect module implementing a parser for the Object Linking & Embedding (OLE) format, commonly used by document editors on Windows operating systems.

dissect.vmfs

Dissect module implementing a parser for the VMFS file system, used by VMware virtualization software.

dissect.regf

A Dissect module implementing a parser for Windows registry file format, used to store application and OS configuration on Windows operating systems.

Invoke-BadPwdCountSprayer

dissect.fat

A Dissect module implementing parsers for the FAT and exFAT file systems, commonly used on flash memory based storage devices and UEFI partitions.

dissect.shellitem

A Dissect module implementing a parser for the Shellitem structures, commonly used by Microsoft Windows.

dissect.util

A Dissect module implementing various utility functions for the other Dissect modules.

dissect.ffs

A Dissect module implementing a parser for the FFS file system, commonly used by BSD operating systems.

dissect.xfs

A Dissect module implementing a parser for the XFS file system, commonly used by RedHat Linux distributions.

dissect-workflow-templates

Workflow templates for the dissect projects

dissect_legacy

Namespace and collection package for all dissect projects

dissect.extfs

A Dissect module implementing a parser for the ExtFS file system, the native filesystem for Linux operating systems.

dissect.btrfs

A Dissect module implementing a parser for the btrfs file system.

dissect.etl

A Dissect module implementing a parser for Event Trace Log (ETL) files, used by the Windows operating system to log kernel events.