From d11d3bb3bfd8055041531678e7bd53cafe78863d Mon Sep 17 00:00:00 2001
From: lady_bug <45386464+MalavikaSK@users.noreply.github.com>
Date: Wed, 11 Jan 2023 11:36:56 +0100
Subject: [PATCH 1/4] Create spnego_http.yaml
---
 miscellaneous/spnego_http.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 miscellaneous/spnego_http.yaml
diff --git a/miscellaneous/spnego_http.yaml b/miscellaneous/spnego_http.yaml
new file mode 100644
index 00000000000..a00c8103d12
--- /dev/null
+++ b/miscellaneous/spnego_http.yaml
@@ -0,0 +1,30 @@
+id: SPNEGO_HTTP
+
+info:
+ name: Identifying SPNEGO over HTTP (might be useful for finding CVE-2022-37958)
+ author: @lady_bug, @ruppde
+ severity: Info
+ reference:
+ - https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/?utm_social-type=owned&utm_source=twitter&utm_medium=social&utm_brand=ars
+ tags: misc,windows
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ redirects: true
+ max-redirects: 5
+
+ threads: 10
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - "contains(tolower(all_headers), 'www-authenticate: negotiate')"
+
+ extractors:
+ - type: kval
+ kval:
+ - 'www_authenticate'
From 586a4857b4d7abe10b60402c4e2fe89cc58cf3ce Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 31 Jan 2023 18:39:21 +0530
Subject: [PATCH 2/4] fix-lint
---
 miscellaneous/{spnego_http.yaml => spnego-http.yaml} | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
 rename miscellaneous/{spnego_http.yaml => spnego-http.yaml} (91%)
diff --git a/miscellaneous/spnego_http.yaml b/miscellaneous/spnego-http.yaml
similarity index 91%
rename from miscellaneous/spnego_http.yaml
rename to miscellaneous/spnego-http.yaml
index a00c8103d12..ec06c7d7576 100644
--- a/miscellaneous/spnego_http.yaml
+++ b/miscellaneous/spnego-http.yaml
@@ -1,9 +1,9 @@
-id: SPNEGO_HTTP
+id: spnego-http
 info:
 name: Identifying SPNEGO over HTTP (might be useful for finding CVE-2022-37958)
- author: @lady_bug, @ruppde
- severity: Info
+ author: lady_bug, ruppde
+ severity: info
 reference:
 - https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/?utm_social-type=owned&utm_source=twitter&utm_medium=social&utm_brand=ars
 tags: misc,windows
@@ -15,9 +15,7 @@ requests:
 redirects: true
 max-redirects: 5
-
 threads: 10
-
 matchers-condition: and
 matchers:
 - type: dsl
From 113c60bb2dd7cc39834140566a774b1e19629829 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 13 Jul 2023 10:47:51 +0530
Subject: [PATCH 3/4] minor -changes
---
 miscellaneous/spnego-http.yaml | 28 ----------------------------
 miscellaneous/spnego.yaml | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 28 deletions(-)
 delete mode 100644 miscellaneous/spnego-http.yaml
 create mode 100644 miscellaneous/spnego.yaml
diff --git a/miscellaneous/spnego-http.yaml b/miscellaneous/spnego-http.yaml
deleted file mode 100644
index ec06c7d7576..00000000000
--- a/miscellaneous/spnego-http.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-id: spnego-http
-
-info:
- name: Identifying SPNEGO over HTTP (might be useful for finding CVE-2022-37958)
- author: lady_bug, ruppde
- severity: info
- reference:
- - https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/?utm_social-type=owned&utm_source=twitter&utm_medium=social&utm_brand=ars
- tags: misc,windows
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}"
-
- redirects: true
- max-redirects: 5
- threads: 10
- matchers-condition: and
- matchers:
- - type: dsl
- dsl:
- - "contains(tolower(all_headers), 'www-authenticate: negotiate')"
-
- extractors:
- - type: kval
- kval:
- - 'www_authenticate'
diff --git a/miscellaneous/spnego.yaml b/miscellaneous/spnego.yaml
new file mode 100644
index 00000000000..6ea68319eaa
--- /dev/null
+++ b/miscellaneous/spnego.yaml
@@ -0,0 +1,34 @@
+id: spnego
+
+info:
+ name: SPNEGO - Detect
+ author: lady_bug,ruppde
+ severity: info
+ description: |
+ SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. It is a protocol used for secure authentication and negotiation between client and server applications in a network environment. SPNEGO is based on the Generic Security Services Application Programming Interface (GSSAPI) framework.
+ reference:
+ - https://www.ibm.com/docs/en/was-liberty/core?topic=authentication-single-sign-http-requests-using-spnego-web
+ - https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/
+ metadata:
+ verified: true
+ shodan-query: 'www-authenticate: negotiate'
+ tags: misc,windows,spnego
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ host-redirects: true
+ max-redirects: 5
+ threads: 10
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - "contains(tolower(all_headers), 'www-authenticate: negotiate')"
+
+ extractors:
+ - type: kval
+ kval:
+ - 'www_authenticate'
\ No newline at end of file
From 3280274a01d98f2d95057d241b3728a2791a07ed Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 13 Jul 2023 11:12:02 +0530
Subject: [PATCH 4/4] remove-threads
---
 miscellaneous/spnego.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/miscellaneous/spnego.yaml b/miscellaneous/spnego.yaml
index 6ea68319eaa..b931e446cad 100644
--- a/miscellaneous/spnego.yaml
+++ b/miscellaneous/spnego.yaml
@@ -21,7 +21,6 @@ http:
 host-redirects: true
 max-redirects: 5
- threads: 10
 matchers-condition: and
 matchers:
 - type: dsl
@@ -31,4 +30,4 @@ http:
 extractors:
 - type: kval
 kval:
- - 'www_authenticate'
\ No newline at end of file
+ - 'www_authenticate'
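Review bot: The DSL matcher `contains(tolower(all_headers), 'www-authenticate: negotiate')` in the new spnego.yaml depends on exactly one space after the colon in the raw header dump, so a challenge written as `WWW-Authenticate:Negotiate` or with extra whitespace is missed even though case is already normalised; a `regex` matcher scoped to `part: header`, shown below, tolerates optional whitespace and states the intent directly, and with a single matcher the `matchers-condition: and` line is redundant and can be dropped. Separately, a Negotiate challenge only identifies an endpoint that offers SPNEGO (which wraps Kerberos or NTLM); it says nothing about whether the host is patched for CVE-2022-37958, which the arstechnica reference points at, so the `description` block should carry that caveat, e.g. `A match only inventories SPNEGO-capable endpoints; it does not indicate whether CVE-2022-37958 is unpatched.` The `kval` extractor is unaffected and can stay as is.
```yaml
    matchers:
      - type: regex
        part: header
        regex:
          - '(?i)www-authenticate:\s*negotiate'
    # … unchanged: extractors …
```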