XIP - IP addresses mutation


DISCLAIMER: Article originally published on immunIT.


Hi fellas,

Today, I will introduce you to a new tool, developed for one of my pentesting engagements, named XIP.

XIP claims to provide an efficient way to generate a list of IP addresses, using a set of mutations, in order to bypass blacklists and security measures implemented to prevent hackers from pivoting within a given network.
As you probably already know, blacklist filtering is far from reliable and there is always a way to circumvent it, which could lead to a full compromise of the targeted information system.

Let’s dive into the main subject by assuming the following scenario.

Scenario

XIP

As can be seen in the picture above, the web application, accessible over the internet, requests the wanted server in order to provide data to the end user. A filtering process has been deployed on the web application, authorizing connections from the web application to a limited number of servers, in this case the backend server.

Consequently, any connection attempt towards the other appliances will, undoubtedly, fail.
However, IP addresses can be interpreted by systems in different formats, allowing us to sidestep the verification process and bypass the filtering system.

It is important to note that IP addresses are handled differently according to the operating system running on the underlying server. Consequently, there is no universal escaping technique.
Nevertheless, having a large file of mutated IP addresses increases the success ratio :wink:.

This is why XIP was born.

XIP

XIP provides several mutations and representation formats. Below are the implemented transformations:

  • Hexadecimal
  • Decimal
  • Octal
  • IPV4 to IPV6 conversion
  • Dotless
  • Zeroless
  • Padding
  • Overflow

Moreover, these mutations can be performed randomly, allowing you to push the filtering system to its limits.

Usage

XIP works out of the box thanks to its dockerization:

docker pull immunit/xip
docker run --rm -it immunit/xip --help

If Docker seems unfriendly to you, XIP can be used directly on any system with Python 3:

python3 xip.py --help

Example

[asciicast recording of an XIP session]

Conclusion

Bypassing such a filtering system often leads to critical discoveries, e.g. SSRF, RCE, etc. I believe that this tool, combined with the Burp Suite Intruder, could be valuable to any security assessment.

As with any open source project, pull requests are widely welcome!

GitHub repository => https://github.com/immunIT/XIP

Happy hacking,

Best,
Nitrax

15 Likes
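To make the mutation families above concrete, and to show the check a defender needs against them, here is an added example (not XIP's own code) that spells one constructed internal address in the hexadecimal, octal, decimal, dotless, zeroless and IPv4-to-IPv6 forms, then compares a string-prefix filter with one that canonicalizes the address the way the OS resolver will read it. The /8 and backend address are constructed; padding and overflow are left out because their exact semantics in XIP are not described in the post.

```python
import ipaddress
import socket
from typing import Dict, Optional

def mutations(ip: str) -> Dict[str, str]:
    """Alternative spellings of a dotted-quad IPv4 address, one per family
    named in the post (padding/overflow omitted: semantics not given here)."""
    o = [int(x) for x in ip.split(".")]
    as_int = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]
    # inet_aton lets the last number fill all remaining bytes, so zero octets
    # sitting directly in front of it can be dropped: 10.0.0.9 -> 10.9
    i = next(k for k in range(1, 4) if all(x == 0 for x in o[k:-1]))
    return {
        "hexadecimal": ".".join(f"0x{x:x}" for x in o),
        "octal": ".".join(f"0{x:o}" for x in o),      # leading 0 means octal
        "decimal": str(as_int),                        # one dotless integer
        "dotless_hex": f"0x{as_int:x}",
        "zeroless": ".".join(str(x) for x in o[:i] + [o[-1]]),
        "ipv4_mapped_ipv6": f"::ffff:{ip}",
    }

# Constructed addresses for the post's scenario: a /8 of internal appliances,
# of which only the backend may be reached by the web application.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BACKEND = "10.0.0.5"

def naive_blocked(host: str) -> bool:
    """Prefix match on the raw string: the kind of filter the post bypasses."""
    return host.startswith("10.") and host != BACKEND

def canonical_ipv4(host: str) -> Optional[str]:
    """Reduce any spelling the OS would connect to into plain dotted-quad."""
    try:
        # libc inet_aton accepts hex, octal and short (fewer than four parts) forms
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        pass
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr) if addr.version == 4 else None

def hardened_blocked(host: str) -> bool:
    """Decide on the canonical address; fail closed on anything unparseable."""
    canon = canonical_ipv4(host)
    if canon is None:
        return True
    return canon != BACKEND and ipaddress.ip_address(canon) in INTERNAL
```

The same canonicalization should be applied again at connect time (or the connection made to the canonical string), otherwise a DNS name or a second parser can reintroduce the gap.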

@Nitrax-

Thank you for this brother…

This tool provides an option where the chances of detection are generally going to be low while the pay off is potentially huge.

During engagements, many times I have been faced with a challenge where my most apparent options had me clawing within my own mind for a better option I knew had to exist…

I believe that giving the client their money's worth means adversarial methodologies that subvert the obvious holes a thousand vendors drone on about (or their offers lord over gluttonously); for me, that means having the means to create options/advantages for myself with minimal chance of detection…

I love the options this tool has the opportunity to create (the low risk/high reward kind); this is the kind of tool that you remember, utilize and then thank the Fates for when it turns a granite wall into a foot path while remaining as quiet as a mouse… I have a feeling it's the kind of tool where you play with the code/intended use and find how multifaceted it really is.

I look forward to getting weird and dangerous with your creation!

-maderas

3 Likes

Thanks mate. I had lost hope of seeing a comment about this tool :sweat_smile:

It is, indeed, a quite contextual approach for tricky vulnerability exploitation, but it is completely worth it when you know that it can allow you to reach RMI endpoints and so on, which often lead to RCE ahaha.

By the same token, I agree with you on the fact that it may be the stealthiest way to perform such an attack.

Make good use.

Best,
Nitrax

2 Likes

@Nitrax-

What I meant in regard to stealth was that sometimes I have been caught open mouthed and stupid in respect to a problem on an engagement…

Many times, I think younger operators jump right to a tool/technique/step that they feel will provide a more conclusive answer by way of the data it provides.

Often though, this amount of data comes at a price, as more and more security solutions are being geared toward tools with longer, more predictable traffic patterns.

I prefer to have many options to surmount an issue that are smaller and maybe more situational rather than those that have broad uses by grabbing lots of data (I am thinking internal/post egress for this matter mostly); knowledge/experience in/with network environments so as to better recognize the opportunity for tools like yours is a much better solution in the long run of this game rather than spam port scanner, trip IDS, do not collect $200.

This is why I like your tool so much… it seems like another way toward developing that fine-grain excellence that separates an operator from a scanner monkey.

1 Like
