This script can automatically retrieve OAuth2 tokens (JSON Web Tokens, JWT) from an Active Directory Federation Services (ADFS) server. The tokens can then be copied automatically to the clipboard or used in other tools, which is very handy for automating the retrieval of short-lived tokens.
The script can also 'brute-force' API endpoints when passed a list of possible URLs. This might come in handy if you want to 'prefeed' the API endpoints that need authentication to your favourite proxy tool, e.g. Burp Suite or OWASP ZAP. By default it sends a GET, POST, PUT and DELETE request to each endpoint, with static values.
Install the dependencies:

    pip install {jwt,requests,pyclipboard}
Grab a token from an endpoint (automatically logs in, receives a login cookie, requests an authorization code, and converts that to an authorization token for the requested application):

    ./apiborker.py --adfs-login="https://my.login.server/authorize" --adfs-code="https://my.login.server/authorize" --adfs-token="https://my.login.server/authorize" --resource="https://api.endpoint/authorize" --client-id=X-Y-Z --redirect-uri="X-Y-X" --username="USERNAME" --password="PASSWORD"
Re-use the login cookie (which usually has a longer expiry than codes), grab a token, and test some API calls contained in endpoints.txt:

    ./apiborker.py --cookie=COOKIE --adfs-code="https://my.login.server/authorize" --adfs-token="https://my.login.server/authorize" --resource="https://api.endpoint/authorize" --client-id=X-Y-Z --redirect-uri="X-Y-X" --username="USERNAME" --password="PASSWORD" --inputfile=endpoints.txt
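The last two steps of the flow described above (exchanging the authorization code for a token, then using that token as a bearer header) as an added Python example; this is not apiborker.py's own code. It builds the form body for the code-to-token request, and inspects a token for expiry and audience before turning it into the Authorization header that --clipboard copies. The endpoint URLs, client ID, key and claims are made-up placeholders, and the test token is HS256-signed only so the example runs offline; real ADFS tokens are RS256-signed and are verified by the resource server, not by a tester's script.

```python
"""Constructed example: build the OAuth 2.0 code-to-token request and inspect
the returned JWT before using it as a bearer header. Not part of apiborker.py;
every URL, key and claim value below is a made-up placeholder."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWTs use it (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped '=' padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token_request(token_url, code, client_id, redirect_uri, resource):
    """Form body for the authorization-code grant (RFC 6749 section 4.1.3),
    plus the 'resource' parameter the script passes via --resource."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,
    }
    return {
        "url": token_url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(params),
    }


def make_test_jwt(claims: dict, key: bytes) -> str:
    """Constructed HS256 token so the example runs offline (ADFS issues RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_jwt(token: str):
    """Split and decode header and claims. This does NOT verify the signature;
    it is for inspecting what a token says before sending it anywhere."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def verify_hs256(token: str, key: bytes) -> bool:
    """Signature check for the constructed HS256 test token (constant-time compare)."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def token_problems(claims: dict, resource: str, now: int):
    """Checks worth making before pasting a token into a proxy: is it still
    valid, and was it issued for the resource it is about to be sent to?"""
    problems = []
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append("token expired %d seconds ago" % (now - exp))
    if claims.get("aud") != resource:
        problems.append("aud %r does not match resource %r" % (claims.get("aud"), resource))
    return problems


def bearer_header(token: str) -> str:
    """The header line the script copies to the clipboard with --clipboard."""
    return "Authorization: Bearer " + token


if __name__ == "__main__":
    # Constructed values; nothing here is sent over the network.
    resource = "https://api.example.invalid/"
    request = build_token_request("https://login.example.invalid/adfs/oauth2/token",
                                  "CODE-FROM-REDIRECT", "client-id-placeholder",
                                  "https://app.example.invalid/callback", resource)
    print(request["url"], request["body"])
    now = int(time.time())
    token = make_test_jwt({"aud": resource, "exp": now + 600, "sub": "tester"}, b"demo-key")
    header, claims = decode_jwt(token)
    print(header, claims, verify_hs256(token, b"demo-key"))
    print(token_problems(claims, resource, now) or "token usable")
    print(bearer_header(token))
```

A token that fails `token_problems` is the usual reason a pre-fed proxy session suddenly returns 401s: the short-lived token expired, or it was requested for a different `--resource` than the API being tested.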
    usage: apiborker.py [-h] [--adfs-code ADFS_CODE] [--adfs-token ADFS_TOKEN]
                        [--adfs-login ADFS_LOGIN] [--client-id CLIENT_ID]
                        [--clipboard] [--code CODE] [--cookie COOKIE]
                        [-i INPUTFILE] [--password PASSWORD]
                        [--redirect-uri REDIRECT_URI] [--resource RESOURCE]
                        [-t TOKEN] [-u URL] [--username USERNAME] [-v]

    Retrieves JWT tokens and tests API requests
    Copyright (C) 2016 Peter Mosmans [Radically Open Security]

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    optional arguments:
      -h, --help            show this help message and exit
      --adfs-code ADFS_CODE
                            the authorization code URL
      --adfs-token ADFS_TOKEN
                            the authorization token URL
      --adfs-login ADFS_LOGIN
                            the ADFS login URL
      --client-id CLIENT_ID
                            the client ID for ADFS
      --clipboard           copy the token as header to the clipboard
      --code CODE           the authorization code
      --cookie COOKIE       a valid ADFS (MSISauth) login cookie
      -i INPUTFILE, --inputfile INPUTFILE
                            a file containing API endpoints
      --password PASSWORD   the password for login
      --redirect-uri REDIRECT_URI
                            the redirect URI for ADFS
      --resource RESOURCE   the resource to request access to
      -t TOKEN, --token TOKEN
                            the complete token in base64 encoded format
      -u URL, --url URL     the base URL for requests
      --username USERNAME   the username for login
      -v, --verbose         be more verbose
Script to perform various tests on an OAuth 2.0 implementation. Currently only the conversion from code to token is supported.

    usage: oauth2-tester.py [-h] [--debug] [-v] [--client-id CLIENT_ID]
                            [--redirect-uri REDIRECT_URI]
                            [--response-type RESPONSE_TYPE] [--scope SCOPE]
                            [--cookie COOKIE] [--code CODE] [--code-to-token]
                            [--token] [--token-name TOKEN_NAME] [--server URL]
                            [--resource URL] [--validate-token HTTP_STATUS_CODE]
                            [--proxy PROXY] [--verify]

    oauth2-tester version 0.1 - Test script for OAuth 2.0 framework
    Copyright (C) 2017 Peter Mosmans [Radically Open Security]

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    optional arguments:
      -h, --help            show this help message and exit
      --debug               Show debug information
      -v, --verbose         Be more verbose
      --client-id CLIENT_ID
                            OAuth 2.0 client_id parameter
      --redirect-uri REDIRECT_URI
                            OAuth 2.0 redirect_uri parameter
      --response-type RESPONSE_TYPE
                            OAuth 2.0 response_type parameter
      --scope SCOPE         OAuth 2.0 comma separated scope parameter
      --cookie COOKIE       Cookie to send with the request(s)
      --code CODE           OAuth 2.0 code
      --code-to-token       Convert code to token
      --token               OAuth 2.0 token
      --token-name TOKEN_NAME
                            OAuth 2.0 token name (default: token)
      --server URL          The authorization server endpoint
      --resource URL        The resource server endpoint
      --validate-token HTTP_STATUS_CODE
                            Validate token against resource server
      --proxy PROXY         Proxy server
      --verify              Validate SSL x.509 certificate
Feedback always welcome. Enjoy!