Automating parts of a security assessment can increase the depth and scope of your application testing coverage within the designated time frame of your test cycles, and custom payload scripts can dramatically extend what a penetration test covers. Here are four customized scripts, written in Python, which generate payloads for performing customized attacks against web applications and web hosts. These scripts can be configured depending on the attack type, such as fuzzing parameters, brute-force guessing a user’s password, or cycling through page identifiers.
This script converts an IP address to a generic number format. This is especially useful while performing or inspecting URL redirection attacks. Applications frequently redirect users to other pages or use internal forwards. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to alter the destination page. If the application ignores the user-supplied URL or IP address (because of a filter built with regular expressions, for example, or a URL/IP whitelist), the attacker could still perform the redirection to the malicious page just by giving the address as a whole number (IP to number). This is done by passing the number as a request parameter in the HTTP request in place of the domain name or IP address.
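A defender-side check for the number-form host described above, as an added example that is not one of the article's scripts: it canonicalises every numeric IPv4 spelling (going beyond the decimal form in the text to hex and dotted octal) before comparing the redirect target against an allowlist. The function names, sample URLs and host sets are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
NUM = re.compile(r"0x[0-9a-f]*|[0-9]+", re.I)

def _part(p):
    # One inet_aton-style component: 0x.. is hex, a leading 0 is octal, else decimal.
    if not NUM.fullmatch(p):
        raise ValueError(p)
    if p.lower().startswith("0x"):
        return int(p[2:] or "0", 16)
    return int(p, 8 if len(p) > 1 and p[0] == "0" else 10)

def canonical_ipv4(host):
    """Dotted-quad string for any numeric IPv4 spelling, or None for a name."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last + sum(n << (8 * (3 - i)) for i, n in enumerate(head))
    return str(ipaddress.IPv4Address(value))

def naive_blocks(url, denied):
    # Weak check: only recognises the dotted-quad spelling of a denied address.
    host = urlsplit(url).hostname or ""
    return bool(DOTTED_QUAD.match(host)) and host in denied

def redirect_allowed(url, allowed_hosts):
    # Hardened check: canonicalise the host, then require an allowlist match.
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    return (canonical_ipv4(host) or host) in allowed_hosts

# Constructed sample data: all four URLs name the same host, 192.168.1.1.
SAMPLES = ["http://192.168.1.1/", "http://3232235777/",
           "http://0xC0A80101/", "http://0300.0250.01.01/"]
```

The pattern-based denylist recognises only the first sample, while the canonicalising check resolves all four to the same address and rejects them unless that address is explicitly allowlisted.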
This MSF script generates the payloads that are injected into an exploit to compromise Windows systems. During the exploitation phase, the tester needs to create a payload and set up a listener to obtain Meterpreter shell access. This is usually done manually, but can be time-consuming. This script creates the payload with minimal inputs and sets up the listener automatically. For instance, in a CSV injection scenario, an attacker can inject a malicious command that executes the MSF-generated payload on the victim's system.
A brute-force password attack generally uses large dictionaries, which are generic and might not contain specific words that are used in the application or web page, making the attack inefficient. This script generates a password dictionary from strings supplied by the user that were scraped from the application, thereby narrowing the dictionary down to this specific application. It was crafted based on the human behaviour pattern of setting passwords with words or concepts used in the application environment.
This script helps with brute-force attacks during an assessment’s “Mapping” stage. In the case of an intrusion attack, for instance, you need payloads that are numeric, alphanumeric or purely alphabetic for brute-force related attacks. This script generates the necessary payload using permutation techniques with the following combinations: Numbers, Uppercase Letters, Lowercase Letters, Numbers & Uppercase Letters, Numbers & Lowercase Letters, Numbers & Uppercase Letters + Lowercase Letters, and Uppercase Letters & Lowercase Letters.