VMWare Directory Traversal Metasploit Module

Since everyone else is releasing code to check for or exploit the VMware Server/ESX/ESXi directory traversal vulnerability, I pushed my checker module to the Metasploit trunk as an auxiliary scanner module.

If you want to just download a full guest host check out:
GuestStealer -- http://www.fyrmassociates.com/tools/gueststealer-v1.1.pl

or the

nmap script -- http://www.skullsecurity.org/blog/?p=436

Props on the Blog Spam

Props on the blog spam for this one...

If I hadn't had coffee this morning that one might have snuck on through.

metasploit getsystem command

Shiny new hotness...

meterpreter > getuid
Server username: WINXPSP3\user
**The user is an admin; if you are not an admin you can only use -t 4 or -t 0, which will iterate through all options.**

meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h

Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

Ruby, Nmap XML, and Databases

So I had a requirement to take some output from nmap scans, shove it into a database and then be able to run some queries on that data.

Wait, isn't there something that already does that?!

Actually PBNJ and nmap_xml2sql.pl will do this, but they use (eeeek!) Perl to do it. I wanted to do it in Ruby.

Your options for Ruby & Nmap parsing are:

- rubynmap http://rubynmap.sourceforge.net/
- ruby-nmap http://ruby-nmap.rubyforge.org/
- metasploit has its own nmap xml parser
- writing your own

I started with rubynmap for my parsing gem.
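As an added example (not code from the post, and using Ruby's stdlib REXML rather than the rubynmap gem the post uses), here is the parsing step: flatten nmap -oX output into one row per port, the shape you would insert into a ports table, and then run the kind of query the post wants over those rows. The scan XML is constructed, not real output.

```ruby
require 'rexml/document'
# Constructed sample of nmap -oX output (not a real scan): two hosts, four port entries.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30">
    <host>
      <status state="up"/>
      <address addr="10.0.0.1" addrtype="ipv4"/>
      <hostnames><hostname name="gw.example.test"/></hostnames>
      <ports>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
        <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      </ports>
    </host>
    <host>
      <status state="up"/>
      <address addr="10.0.0.2" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
        <port protocol="tcp" portid="25"><state state="open"/><service name="smtp" product="Sendmail"/></port>
      </ports>
    </host>
  </nmaprun>
XML

# Flatten the scan into one hash per port: the row you would INSERT into a
# ports table (host, hostname, proto, port, state, service, product, version).
def parse_nmap_xml(xml)
  rows = []
  REXML::Document.new(xml).elements.each('nmaprun/host') do |host|
    addr = nil
    host.elements.each('address') { |a| addr = a.attributes['addr'] if a.attributes['addrtype'] == 'ipv4' }
    hn = host.elements['hostnames/hostname'] # nil when nmap resolved no name
    host.elements.each('ports/port') do |port|
      svc = port.elements['service']         # nil when no service element was emitted
      rows << { host: addr, hostname: hn && hn.attributes['name'],
                proto: port.attributes['protocol'], port: port.attributes['portid'].to_i,
                state: port.elements['state'].attributes['state'],
                service: svc && svc.attributes['name'],
                product: svc && svc.attributes['product'], version: svc && svc.attributes['version'] }
    end
  end
  rows
end

# The kind of query the post wants to run: which hosts have a given port open
# (filtered/closed entries are excluded, so 10.0.0.2 does not show up for port 22).
def hosts_with_open_port(rows, port, proto = 'tcp')
  rows.select { |r| r[:port] == port && r[:proto] == proto && r[:state] == 'open' }
      .map { |r| r[:host] }.uniq
end
```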

Various Online Password Crackers

Just a list of online (mostly) md5 crackers, though some will do other hashes.

This post over on pcsec got me thinking about them.

http://www.pcsec.org/archives/MD5Seacrh-v18-by-mass.html

Of course not all of those are working, at least not for me.

So here is that list with links, plus a few others thanks to my twitter homies.

passcracking.ru http://passcracking.ru/
md5crack http://md5crack.com/
md5decryption: http://md5decryption.com/
TheKaine.de: http://md5.thekaine.de/

Koobface stealing Chase Bank credentials

The malware was dropped by some fake AV website.

Injecting harvesting code into the legitimate website, as seen here, is, I'm sure, exponentially more effective at harvesting credentials than redirecting to a fake banking site.

If I get time I'll follow up with some info about the fake AV site.

Cheers,
/dean

Twitter checking for 'bad apples'

Looks like Twitter is making an effort to fight malicious URLs and attacks that take advantage of Twitter to spread. Any effort is good in this day and age. One thing I'd do differently would be to disable the URL in the email that is sent to the user informing them that their tweet is being removed. The drive-by URL was live and clickable in the email I received.

Also, I'm assuming that Twitter is using something like the Google Malware API to check for malicious URLs in the posts. The assumption would be that they are following the links in shortened URLs like bit.ly, etc.

How about sites that redirect to a drive-by url or a compromised legitimate site with iframes embedded?

2009 Blog Stats

Since everyone else is doing it...

Top 10 posts of the year 12/26/2008 - 12/26/2009 - blogspot

Adding your own exploits and modules in Metasploit
http://carnal0wnage.blogspot.com/2008/07/adding-your-own-exploits-in-metasploit.html

Gray Hat Python: Python Programming for Hackers and Reverse Engineers Book Review
http://carnal0wnage.blogspot.com/2009/05/gray-hat-python-python-programming-for.html

Dumping Memory to Extract Password Hashes

Metasploit and AR extravaganza 2010 in DC!

Many, many things are coming up at the end of January / beginning of February in Washington DC.

First, HD Moore and I will be giving our Tactical Exploitation class at Blackhat DC, Jan 31st - Feb 1st. If you are interested in learning how to hack without exploits, some old and esoteric techniques, and whatever crazy new thing HD is working on, then sign up and hang out with us!

Next, I have been working hard with the Blackhat folks to set up the second ever Metasploit Track. We have a great lineup of speakers on a wide variety of Metasploit topics.

Metasploit and Money
HD Moore - Metasploit
HD will talk about the joining of Metasploit and Rapid7 as well as all the tons of new features that have been going into MSF.

---

Neurosurgery With Meterpreter

Digging into SSL Cipher Checking

On a recent pentest one of the findings that came up (actually it seems like this finding comes up on every pentest) is the web server allowing SSLv2.

In the course of doing the report I of course wanted to point to a good reason why this was a problem. It was actually difficult to find a CVE/CVSS/etc. to say why it's bad; in fact I never did. Kind of the same with allowing VRFY on your SMTP server. We all know it's bad, but where is the proof?

Nevertheless, here are some links that were useful in understanding the problem.

http://www.foundstone.com/us/resources/whitepapers/wp_ssldigger.pdf