/* Yara Rule Set Author: Florian Roth Date: 2015-06-23 Identifier: CN-PentestSet */ rule CN_Honker_mafix_root { meta: description = "Script from disclosed CN Honker Pentest Toolset - file root" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "826778ef9c22177d41698b467586604e001fed19" strings: $s0 = "echo \"# vbox (voice box) getty\" >> /tmp/.init1" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog" fullword ascii $s2 = "if [ -f /sbin/xlogin ]; then" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 96KB and all of them } rule CN_Honker_passwd_dict_3389 { meta: description = "Script from disclosed CN Honker Pentest Toolset - file 3389.txt" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "2897e909e48a9f56ce762244c3a3e9319e12362f" strings: $s0 = "654321" fullword ascii /* reversed goodware string '123456' */ $s1 = "admin123" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "admin123456" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "administrator" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 2 times */ $s4 = "passwd" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 42 times */ $s5 = "password" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 244 times */ $s7 = "12345678" fullword ascii /* Goodware String - occured 29 times */ $s8 = "888888" fullword ascii /* Goodware String - occured 61 times */ condition: filesize < 1KB and all of them } rule CN_Honker_Perl_serv_U { meta: description = "Script from disclosed CN Honker Pentest Toolset - file Perl-serv-U.pl" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "f333c597ff746ebd5a641fbc248497d61e3ec17b" strings: $s1 = "$dir = 'C:\\\\WINNT\\\\System32\\\\';" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "$sock = IO::Socket::INET->new(\"127.0.0.1:$adminport\") || die \"fail\";" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 8KB and all of them } rule CN_Honker_F4ck_Team_f4ck { meta: description = "Script from disclosed CN Honker Pentest Toolset - file f4ck.txt" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "e216f4ba3a07de5cdbb12acc038cd8156618759e" strings: $s0 = "PassWord:F4ckTeam!@#" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "UserName:F4ck" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "F4ck Team" fullword ascii condition: filesize < 1KB and all of them } rule CN_Honker_sig_3389_3389 { meta: description = "Script from disclosed CN Honker Pentest Toolset - file 3389.vbs" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "f92b74f41a2138cc05c6b6993bcc86c706017e49" strings: $s1 = "success = obj.run(\"cmd /c takeown /f %SystemRoot%\\system32\\sethc.exe&echo y| " ascii /* PEStudio Blacklist: strings */ condition: filesize < 10KB and all of them } rule CN_Honker_sig_3389_3389_2 { meta: description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "5ff92f39ade12f8ba6cb75dfdc9bb907e49f0ebd" strings: $s1 = "@del c:\\termsrvhack.dll" fullword ascii $s2 = "@del c:\\3389.txt" fullword ascii condition: filesize < 3KB and all of them } rule CN_Honker_Injection_Transit_jmCook { meta: description = "Script from disclosed CN Honker Pentest Toolset - file jmCook.asp" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "5e1851c77ce922e682333a3cb83b8506e1d7395d" strings: $s1 = ".Open \"POST\",PostUrl,False" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "JmdcwName=request(\"jmdcw\")" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 9KB and all of them } rule CN_Honker_Pwdump7_Pwdump7 { meta: description = "Script from disclosed CN Honker Pentest Toolset - file Pwdump7.bat" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "67d0e215c96370dcdc681bb2638703c2eeea188a" strings: $s1 = "Pwdump7.exe >pass.txt" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 1KB and all of them } rule CN_Honker_portRecall_pr { meta: description = "Script from disclosed CN Honker Pentest Toolset - file pr" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "583cf6dc2304121d835f2879803a22fea76930f3" strings: $s1 = "Usage: Same as lcx.exe in win32 :)" fullword ascii $s2 = "connect to client" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "PR(Packet redirection) for linux " fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 70KB and all of them } rule CN_Honker_sig_3389_3389_3 { meta: description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "cfedec7bd327897694f83501d76063fe16b13450" strings: $s1 = "echo \"fDenyTSConnections\"=dword:00000000>>3389.reg " fullword ascii /* PEStudio Blacklist: strings */ $s2 = "echo \"PortNumber\"=dword:00000d3d>>3389.reg " fullword ascii /* PEStudio Blacklist: strings */ $s3 = "echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]>>" ascii /* PEStudio Blacklist: strings */ condition: filesize < 2KB and all of them } rule CN_Honker_Alien_D { meta: description = "Script from disclosed CN Honker Pentest Toolset - file D.ASP" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "de9cd4bd72b1384b182d58621f51815a77a5f07d" strings: $s0 = "Paths_str=\"c:\\windows\\\"&chr(13)&chr(10)&\"c:\\Documents and Settings\\\"&chr" ascii /* PEStudio Blacklist: strings */ $s1 = "CONST_FSO=\"Script\"&\"ing.Fil\"&\"eSyst\"&\"emObject\"" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "Response.Write \"
\"" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "set getAtt=FSO.GetFile(filepath)" fullword ascii $s4 = "Response.Write \" AllUsers.txt\")" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "os.system('getent passwd > passwd.txt')" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "os.system(\"rm -rf credentials/\")" fullword ascii /* PEStudio Blacklist: strings */ condition: uint16(0) == 0x2123 and filesize < 50KB and 2 of them } rule CN_Honker_IIS_logcleaner1_0_readme { meta: description = "Script from disclosed CN Honker Pentest Toolset - file readme.txt" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "2ab47d876b49e9a693f602f3545381415e82a556" strings: $s2 = "LogCleaner.exe [Logpath]" fullword ascii $s3 = "http://l-y.vicp.net" fullword ascii condition: filesize < 7KB and all of them } rule CN_Honker_Alien_command { meta: description = "Script from disclosed CN Honker Pentest Toolset - file command.txt" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "5896b74158ef153d426fba76c2324cd9c261c709" strings: $s0 = "for /d %i in (E:\\freehost\\*) do @echo %i" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "/c \"C:\\windows\\temp\\cscript\" C:\\windows\\temp\\iis.vbs" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 8KB and all of them } rule CN_Honker_portRecall_bc { meta: description = "Script from disclosed CN Honker Pentest Toolset - file bc.pl" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "2084990406398afd856b2309c7f579d7d61c3767" strings: $s0 = "print \"[*] Connected to remote host \\n\"; " fullword ascii /* PEStudio Blacklist: strings */ $s1 = "print \"Usage: $0 [Host] [Port] \\n\\n\"; " fullword ascii /* PEStudio Blacklist: strings */ $s5 = "print \"[*] Resolving HostName\\n\"; " fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 10KB and all of them } rule CN_Honker_Tuoku_script_MSSQL_ { meta: description = "Script from disclosed CN Honker Pentest Toolset - file MSSQL_.asp" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "7097c21f92306983add3b5b29a517204cd6cd819" strings: $s1 = "GetLoginCookie = Request.Cookies(Cookie_Login)" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "if ShellPath=\"\" Then ShellPath = \"c:\\\\windows\\\\system32\\\\cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */ $s8 = "Set DD=CM.exec(ShellPath&\" /c \"&DefCmd)" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 100KB and all of them } rule CN_Honker_nc_MOVE { meta: description = "Script from disclosed CN Honker Pentest Toolset - file MOVE.txt" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "4195370c103ca467cddc8f2724a8e477635be424" strings: $s0 = "Destination: http://202.113.20.235/gj/images/2.asp" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "HOST: 202.113.20.235" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "MOVE /gj/images/A.txt HTTP/1.1" fullword ascii condition: filesize < 1KB and all of them } rule CN_Honker_mssqlpw_scan { meta: description = "Script from disclosed CN Honker Pentest Toolset - file mssqlpw scan.txt" author = "Florian Roth" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "e49def9d72bfef09a639ef3f7329083a0b8b151c" strings: $s0 = "response.Write(\"I Get it ! Password is \" & str & \"
" ascii /* PEStudio Blacklist: strings */ $s1 = "response.Write \"Done!
Process \" & tTime & \" s\"" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 6KB and all of them }