Mole - A Framework For Identifying And Exploiting Out-Of-Band Application Vulnerabilities

2021-03-21T11:30:00

Description

[![](https://1.bp.blogspot.com/-G4SnmIGlQ1g/YE6MCgPm1LI/AAAAAAAAVng/_Ts1qiMQNIQ2n2PWo7PYVmpCvzYo0XjiwCNcBGAsYHQ/w640-h400/OOB.png)](<https://1.bp.blogspot.com/-G4SnmIGlQ1g/YE6MCgPm1LI/AAAAAAAAVng/_Ts1qiMQNIQ2n2PWo7PYVmpCvzYo0XjiwCNcBGAsYHQ/s670/OOB.png>) A framework for identifying and [exploiting](<https://www.kitploit.com/search/label/Exploiting> "exploiting" ) out-of-band (OOB) vulnerabilities. **Installation & Setup** **Mole Install** Python >= 3.6 `virtualenv -p /usr/bin/python3 venv` `source venv/bin/activate` `./venv/bin/pip3 install -r requirements.txt` `git submodule update --init --recursive` Set an API key in `config.yml` (must be the same for the client and server) **DNS Configuration** You'll need to configure the DNS records in your registrar to point to your mole server. Minimally, you'll need an `A` record for the name server and an `NS` record configured. Mole can be configured to host other configuration options. **Mailgun (Optional)** Mailgun requires DNS entries to enable the service: <https://help.mailgun.com/hc/en-us/articles/203637190-How-Do-I-Add-or-Delete-a-Domain-> **TLS** Currently Mole does not support TLS natively. To implement TLS, use a [reverse](<https://www.kitploit.com/search/label/Reverse> "reverse" ) proxy such as [nginx](<https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/> "nginx" ) to terminate the TLS connection and forward [traffic](<https://www.kitploit.com/search/label/Traffic> "traffic" ) to the Mole server. **Burp Suite Extension** The [Burp Suite Extension](<https://www.kitploit.com/search/label/Burp%20Suite%20Extension> "Burp Suite Extension" ) requires a separate Python 2.7 virtual environment due to the latest version of Jython only supporting 2.7. Below are the instructions for setting up the virtual environment and configuring the Extension. 1. Create a new python2.7 virtualenv for burp/jython, `virtualenv -p /usr/bin/python2.7 burp_venv` 2. Load the venv, `source ./burp_venv/bin/activate` 3. Install the required packages, `./burp_venv/bin/pip -r requirements` 4. Configure the Python Environment by downloading and selecting the jython-standalone jar. 5. Set the "Folder for loading modules" to the full path to `burp_venv/lib/python2.7/site-packages` that was created in steps 1-3. [![](https://1.bp.blogspot.com/-53z9NzOrDJo/YE6MWNHzX2I/AAAAAAAAVnk/vjsFi57Qg9YEKk_5xmVQcnd7M4-nSpwjACNcBGAsYHQ/w640-h238/mole_1_burp_python_env.png)](<https://1.bp.blogspot.com/-53z9NzOrDJo/YE6MWNHzX2I/AAAAAAAAVnk/vjsFi57Qg9YEKk_5xmVQcnd7M4-nSpwjACNcBGAsYHQ/s848/mole_1_burp_python_env.png>) 4. Click Add [![](https://1.bp.blogspot.com/-uBrtnM3EiHw/YE6Ma0ftquI/AAAAAAAAVns/3ETgB3ZJkuMfH-GuIjL7MGcmdmg-9u8FQCNcBGAsYHQ/s16000/mole_2_burp_ext_add_1.png)](<https://1.bp.blogspot.com/-uBrtnM3EiHw/YE6Ma0ftquI/AAAAAAAAVns/3ETgB3ZJkuMfH-GuIjL7MGcmdmg-9u8FQCNcBGAsYHQ/s340/mole_2_burp_ext_add_1.png>) 5. Set the Extension type to `Python` and select the `mole_burp_extension.py` file from the mole project directory. [![](https://1.bp.blogspot.com/-di2NDO2EU64/YE6MgarjeII/AAAAAAAAVnw/28mwlrkC4ngOnDOfCxSC_qEOpY2CYWoVwCNcBGAsYHQ/w640-h198/mole_3_burp_ext_add_2.png)](<https://1.bp.blogspot.com/-di2NDO2EU64/YE6MgarjeII/AAAAAAAAVnw/28mwlrkC4ngOnDOfCxSC_qEOpY2CYWoVwCNcBGAsYHQ/s880/mole_3_burp_ext_add_2.png>) 6. Click Next and if all goes well, there will be no errors on the load screen. [![](https://1.bp.blogspot.com/-YRA2FrXk5Bc/YE6Mk7RCZxI/AAAAAAAAVn0/qBMtUW1YmEwOoGPcLT6zUISOJAMbjO5QACNcBGAsYHQ/w640-h168/mole_4_burp_ext_success.png)](<https://1.bp.blogspot.com/-YRA2FrXk5Bc/YE6Mk7RCZxI/AAAAAAAAVn0/qBMtUW1YmEwOoGPcLT6zUISOJAMbjO5QACNcBGAsYHQ/s835/mole_4_burp_ext_success.png>) **Configuration** **Token** `domain` \- Your custom domain `length` \- Length of the tokens (default 5) The token character set is ascii upper & lower, and digits. The length can be modified to meet needs such as constrained space for a payload. The number of tokens per length is listed below. * 1 - 62 * 2 - 3844 * 3 - 238328 * 4 - 14776336 * 5 - 916132832 `ssl` \- Configure payloads for `https` vs `http` ``server` - domain or IP of the Mole token server `default_tags` \- list of default tags to add to all tokens. Useful for per-project/client tokens. **Server** `api_key` \- API key used to authenticate requests to the mole API `dns_addr` \- IP address used to respond to DNS queries `db_conn` \- [SQLAlchemy](<https://www.sqlalchemy.org/> "SQLAlchemy" ) [database URL](<https://docs.sqlalchemy.org/en/13/core/engines.html> "database URL" ). Default is a SQLite db in the root directory `sqlite:///mole.db` `static_responses` \- list of DNS static response key/value pairs `web_port` \- configure the listening web port `dns_port` -configure the listening dns port **Notifications** All notifications have an `enabled` flag that determines whether or not to trigger the notification on an interaction. Each notification plugin has its own configuration items. `mailgun` \- configure `domain`, `to`, `from`, and `api_key` to enable [mailgun](<https://www.mailgun.com/> "mailgun" ) email notifications `slack` \- `token` and `channel` `webhook` \- generic POST webhook **Issues/Bugs** I'm sure there are many, please create a new [issue](<https://github.com/ztgrace/mole/issues> "issue" ) and fill out the template as best as you can for quick triage. **[Download Mole](<https://github.com/ztgrace/mole> "Download Mole" )**

{"id": "KITPLOIT:5878527601774962255", "vendorId": null, "type": "kitploit", "bulletinFamily": "tools", "title": "Mole - A Framework For Identifying And Exploiting Out-Of-Band Application Vulnerabilities", "description": "[![](https://1.bp.blogspot.com/-G4SnmIGlQ1g/YE6MCgPm1LI/AAAAAAAAVng/_Ts1qiMQNIQ2n2PWo7PYVmpCvzYo0XjiwCNcBGAsYHQ/w640-h400/OOB.png)](<https://1.bp.blogspot.com/-G4SnmIGlQ1g/YE6MCgPm1LI/AAAAAAAAVng/_Ts1qiMQNIQ2n2PWo7PYVmpCvzYo0XjiwCNcBGAsYHQ/s670/OOB.png>)\n\n \n\n\nA framework for identifying and [exploiting](<https://www.kitploit.com/search/label/Exploiting> \"exploiting\" ) out-of-band (OOB) vulnerabilities.\n\n \n\n\n**Installation & Setup** \n \n**Mole Install** \n\n\nPython >= 3.6\n\n`virtualenv -p /usr/bin/python3 venv`\n\n`source venv/bin/activate`\n\n`./venv/bin/pip3 install -r requirements.txt`\n\n`git submodule update --init --recursive`\n\nSet an API key in `config.yml` (must be the same for the client and server)\n\n \n**DNS Configuration** \n\n\nYou'll need to configure the DNS records in your registrar to point to your mole server. Minimally, you'll need an `A` record for the name server and an `NS` record configured.\n\nMole can be configured to host other configuration options.\n\n \n**Mailgun (Optional)** \n\n\nMailgun requires DNS entries to enable the service: <https://help.mailgun.com/hc/en-us/articles/203637190-How-Do-I-Add-or-Delete-a-Domain->\n\n \n**TLS** \n\n\nCurrently Mole does not support TLS natively. To implement TLS, use a [reverse](<https://www.kitploit.com/search/label/Reverse> \"reverse\" ) proxy such as [nginx](<https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/> \"nginx\" ) to terminate the TLS connection and forward [traffic](<https://www.kitploit.com/search/label/Traffic> \"traffic\" ) to the Mole server.\n\n \n**Burp Suite Extension** \n\n\nThe [Burp Suite Extension](<https://www.kitploit.com/search/label/Burp%20Suite%20Extension> \"Burp Suite Extension\" ) requires a separate Python 2.7 virtual environment due to the latest version of Jython only supporting 2.7. Below are the instructions for setting up the virtual environment and configuring the Extension.\n\n 1. Create a new python2.7 virtualenv for burp/jython, `virtualenv -p /usr/bin/python2.7 burp_venv`\n 2. Load the venv, `source ./burp_venv/bin/activate`\n 3. Install the required packages, `./burp_venv/bin/pip -r requirements`\n 4. Configure the Python Environment by downloading and selecting the jython-standalone jar.\n 5. Set the \"Folder for loading modules\" to the full path to `burp_venv/lib/python2.7/site-packages` that was created in steps 1-3.\n\n[![](https://1.bp.blogspot.com/-53z9NzOrDJo/YE6MWNHzX2I/AAAAAAAAVnk/vjsFi57Qg9YEKk_5xmVQcnd7M4-nSpwjACNcBGAsYHQ/w640-h238/mole_1_burp_python_env.png)](<https://1.bp.blogspot.com/-53z9NzOrDJo/YE6MWNHzX2I/AAAAAAAAVnk/vjsFi57Qg9YEKk_5xmVQcnd7M4-nSpwjACNcBGAsYHQ/s848/mole_1_burp_python_env.png>)\n\n \n\n\n 4. Click Add\n\n[![](https://1.bp.blogspot.com/-uBrtnM3EiHw/YE6Ma0ftquI/AAAAAAAAVns/3ETgB3ZJkuMfH-GuIjL7MGcmdmg-9u8FQCNcBGAsYHQ/s16000/mole_2_burp_ext_add_1.png)](<https://1.bp.blogspot.com/-uBrtnM3EiHw/YE6Ma0ftquI/AAAAAAAAVns/3ETgB3ZJkuMfH-GuIjL7MGcmdmg-9u8FQCNcBGAsYHQ/s340/mole_2_burp_ext_add_1.png>)\n\n \n\n\n 5. Set the Extension type to `Python` and select the `mole_burp_extension.py` file from the mole project directory.\n\n[![](https://1.bp.blogspot.com/-di2NDO2EU64/YE6MgarjeII/AAAAAAAAVnw/28mwlrkC4ngOnDOfCxSC_qEOpY2CYWoVwCNcBGAsYHQ/w640-h198/mole_3_burp_ext_add_2.png)](<https://1.bp.blogspot.com/-di2NDO2EU64/YE6MgarjeII/AAAAAAAAVnw/28mwlrkC4ngOnDOfCxSC_qEOpY2CYWoVwCNcBGAsYHQ/s880/mole_3_burp_ext_add_2.png>)\n\n \n\n\n 6. Click Next and if all goes well, there will be no errors on the load screen.\n\n[![](https://1.bp.blogspot.com/-YRA2FrXk5Bc/YE6Mk7RCZxI/AAAAAAAAVn0/qBMtUW1YmEwOoGPcLT6zUISOJAMbjO5QACNcBGAsYHQ/w640-h168/mole_4_burp_ext_success.png)](<https://1.bp.blogspot.com/-YRA2FrXk5Bc/YE6Mk7RCZxI/AAAAAAAAVn0/qBMtUW1YmEwOoGPcLT6zUISOJAMbjO5QACNcBGAsYHQ/s835/mole_4_burp_ext_success.png>)\n\n \n\n\n**Configuration** \n \n**Token** \n\n\n`domain` \\- Your custom domain\n\n`length` \\- Length of the tokens (default 5)\n\nThe token character set is ascii upper & lower, and digits. The length can be modified to meet needs such as constrained space for a payload. The number of tokens per length is listed below.\n\n * 1 - 62\n * 2 - 3844\n * 3 - 238328\n * 4 - 14776336\n * 5 - 916132832\n\n`ssl` \\- Configure payloads for `https` vs `http`\n\n``server` - domain or IP of the Mole token server\n\n`default_tags` \\- list of default tags to add to all tokens. Useful for per-project/client tokens.\n\n \n**Server** \n\n\n`api_key` \\- API key used to authenticate requests to the mole API\n\n`dns_addr` \\- IP address used to respond to DNS queries\n\n`db_conn` \\- [SQLAlchemy](<https://www.sqlalchemy.org/> \"SQLAlchemy\" ) [database URL](<https://docs.sqlalchemy.org/en/13/core/engines.html> \"database URL\" ). Default is a SQLite db in the root directory `sqlite:///mole.db`\n\n`static_responses` \\- list of DNS static response key/value pairs\n\n`web_port` \\- configure the listening web port\n\n`dns_port` -configure the listening dns port\n\n \n**Notifications** \n\n\nAll notifications have an `enabled` flag that determines whether or not to trigger the notification on an interaction. Each notification plugin has its own configuration items.\n\n`mailgun` \\- configure `domain`, `to`, `from`, and `api_key` to enable [mailgun](<https://www.mailgun.com/> \"mailgun\" ) email notifications\n\n`slack` \\- `token` and `channel`\n\n`webhook` \\- generic POST webhook\n\n \n**Issues/Bugs** \n\n\nI'm sure there are many, please create a new [issue](<https://github.com/ztgrace/mole/issues> \"issue\" ) and fill out the template as best as you can for quick triage.\n\n \n \n\n\n**[Download Mole](<https://github.com/ztgrace/mole> \"Download Mole\" )**\n", "published": "2021-03-21T11:30:00", "modified": "2021-03-21T11:30:03", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "http://www.kitploit.com/2021/03/mole-framework-for-identifying-and.html", "reporter": "KitPloit", "references": ["https://github.com/ztgrace/mole", "https://github.com/ztgrace/mole/issues"], "cvelist": [], "immutableFields": [], "lastseen": "2022-04-07T12:02:09", "viewCount": 186, "enchantments": {"dependencies": {}, "score": {"value": 6.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "canvas", "idList": ["NGINX"]}]}, "exploitation": null, "vulnersScore": 6.8}, "_state": {"dependencies": 1659895684, "score": 1684007085, "epss": 1679070268}, "_internal": {"score_hash": "2d60e870eafcdd6158ca9698e829f356"}, "toolHref": "https://github.com/ztgrace/mole"}