blacklanternsecurity / TREVORspray

TREVORspray is a modular password sprayer with threading, clever proxying, loot modules, and more!
GNU General Public License v3.0

Error with --subnet argument #9

Closed sandwich-destroyer closed 2 years ago

sandwich-destroyer commented 2 years ago

I have spun up a Linode server and provisioned a /64 IPv6 subnet as described in your blog. When I list the interface I can see the correct subnet listed on the eth0 interface. I then use the following command and receive the following error:

trevorspray -u emails.txt -p "Password2021" --url https://login.windows.net/xxxx-xxxx-xxxx-xxxxxxx/oauth2/token --subnet 2xxx:3xxx:e0xx:00xx::/64 -i eth0

Warning:

[DEBUG] Accepting connection from 127.0.0.1:46886
[DEBUG] Address type == IPv4
[DEBUG] Destination address: 2x.x.x.x
[WARNING] AddressFamily.AF_INET does not match that of subnet (AddressFamily.AF_INET6, source IP randomization is impossible.
[DEBUG] Connected to 2x.x.x.x:443

This appears to me as though it is not sending the requests on the IPv6 subnet and instead sending all requests out of the IPv4 interface.

Additionally, when trying to perform the proof of concept for trevorproxy as shown in the blog (proxychains curl 'http:/[::1]:8080') I receive the following error when standing up the python webserver:

root@localhost:~# python3 -m http.server --bind ::1 8080
Traceback (most recent call last):
  File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.6/http/server.py", line 1211, in <module>
    test(HandlerClass=handler_class, port=args.port, bind=args.bind)
  File "/usr/lib/python3.6/http/server.py", line 1185, in test
    with ServerClass(server_address, HandlerClass) as httpd:
  File "/usr/lib/python3.6/socketserver.py", line 456, in __init__
    self.server_bind()
  File "/usr/lib/python3.6/http/server.py", line 136, in server_bind
    socketserver.TCPServer.server_bind(self)
  File "/usr/lib/python3.6/socketserver.py", line 470, in server_bind
    self.socket.bind(self.server_address)
socket.gaierror: [Errno -9] Address family for hostname not supported

I will continue to troubleshoot this error and get back.

This is how I installed the tool:

pip3 install --upgrade setuptools pip
pip3 install git+https://github.com/blacklanternsecurity/trevorproxy
pip3 install git+https://github.com/blacklanternsecurity/trevorspray

TheTechromancer commented 2 years ago

The reason for the first error is that login.windows.net does not have an AAAA record. In other words, it resolves to an IPv4 address, but not an IPv6 one. So it doesn't support receiving IPv6 traffic. (You can verify this with dig -t AAAA login.windows.net)

The reason for the second error is that most versions of proxychains do not have proper support for IPv6. Instead you have to use curl --proxy socks5://127.0.0.1:1080.

Spraying O365 with the IPv6 proxy is tricky business. At Black Lantern Security we've found a couple endpoints that work if you spoof the Host header, but M$ seems to be doing some kind of strange IPv4-to-IPv6 translation, so TREVORproxy's IP-rotation doesn't seem to have any effect.

It looks like Microsoft intentionally refuses to expose IPv6 on their authentication endpoints. We think they probably have some, but they're just not documented, and as of right now we don't know what they are.


If you specify the -6 option in TREVORspray, it will use the IPv6 URL instead.

EDIT: I've updated TREVORspray to assume -6 if the subnet argument is IPv6.
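A defender-side check, added here as an illustration and not part of this thread or of TREVORspray/TREVORproxy: because the proxy rotates source addresses within a /64, per-IP failed-login thresholds see one attempt per address, while grouping IPv6 sources by their /64 prefix restores the signal. The log lines and the threshold are constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample sign-in log (not real data): "<timestamp> <source_ip> <user> <result>"
SAMPLE_LOG = """\
2021-11-01T10:00:01Z 2001:db8:e0aa:bb::1a2b alice@example.test FAIL
2021-11-01T10:00:02Z 2001:db8:e0aa:bb::9c4d bob@example.test FAIL
2021-11-01T10:00:03Z 2001:db8:e0aa:bb::77e1 carol@example.test FAIL
2021-11-01T10:00:04Z 2001:db8:e0aa:bb::0310 dave@example.test FAIL
2021-11-01T10:00:05Z 198.51.100.7 erin@example.test FAIL
2021-11-01T10:00:06Z 198.51.100.7 frank@example.test SUCCESS
2021-11-01T10:00:07Z 2001:db8:1234:1::5 grace@example.test FAIL
"""


def source_key(ip_text: str) -> str:
    """Collapse an IPv6 source to its /64 prefix; keep an IPv4 source as the exact host."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


def parse_log(text: str):
    """Yield (timestamp, ip, user, result) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield ts, ip, user, result


def failures_per_exact_ip(log_text: str) -> Counter:
    """The naive view: failed logins counted per exact source address."""
    return Counter(ip for _, ip, _, result in parse_log(log_text) if result == "FAIL")


def spray_candidates(log_text: str, threshold: int = 3) -> dict:
    """Sources (exact IPv4 host or IPv6 /64) whose failures span >= threshold distinct users."""
    failed_users = defaultdict(set)
    for _, ip, user, result in parse_log(log_text):
        if result == "FAIL":
            failed_users[source_key(ip)].add(user)
    return {k: sorted(v) for k, v in failed_users.items() if len(v) >= threshold}
```

With the sample log, per-address counting never exceeds one failure, while the /64 grouping surfaces the rotating block.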

sandwich-destroyer commented 2 years ago

proxychains do not have proper support for IPv6

I worded this poorly: I get the error when trying to stand up the webserver:

root@localhost:~# python3 -m http.server --bind ::1 8080
Traceback (most recent call last):
  File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.6/http/server.py", line 1211, in <module>
    test(HandlerClass=handler_class, port=args.port, bind=args.bind)
  File "/usr/lib/python3.6/http/server.py", line 1185, in test
    with ServerClass(server_address, HandlerClass) as httpd:
  File "/usr/lib/python3.6/socketserver.py", line 456, in __init__
    self.server_bind()
  File "/usr/lib/python3.6/http/server.py", line 136, in server_bind
    socketserver.TCPServer.server_bind(self)
  File "/usr/lib/python3.6/socketserver.py", line 470, in server_bind
    self.socket.bind(self.server_address)
socket.gaierror: [Errno -9] Address family for hostname not supported

I believe I figured out this issue: I was on Ubuntu 18.04, which has Python 3.6. IPv6 was not supported by default in Python until Python 3.8. I created a new Linode with Ubuntu 20.04 (which has Python 3.8.10) and I am now able to get it to work (python3 -m http.server --bind ::1 8080).

I am also able to get the curl command to work (thanks for the --proxy tip) so it looks like it's working now.

Thank you for the quick response :-)