carnal0wnage

Wednesday, May 30, 2007

Sometimes I think security jobs are going away but then...

you get posts (and replies) like these:

Original Post on wordpress (in)security:
http://blogsecurity.net/wordpress/articles/article-230507/

Awesome response, and why I still have faith that security jobs will be around for a while longer:
http://blogsecurity.net/wordpress/articles/article-230507/#comment-22

"When I upgraded to 2.1.2 it was such a disaster that I probably won’t upgrade again until I *have* to. So many things broke in the upgrade that it took me (novice with php & mysql) days to fix, and I never did get my old theme working.

People like me who just blog for our non-local families and friends don’t want to spend a ton of time fixing our sites - that’s why we use WP in the first place. I suppose I don’t really care if it’s vulnerable - there’s nothing mission-critical that I have to worry about losing."

Yes, never mind that most attackers are looking for another notch in the botnet belt or a box to hop through. Oh well, nothing like job security...

Also on the site is a good post about the wordpress vulnerabilities with advisories:
http://blogsecurity.net/wordpress/blogwatch/blogwatch/

Everything but the Google dorks. Oh wait, here you go:

http://johnny.ihackstuff.com/ghdb.php?function=detail&id=943

http://johnny.ihackstuff.com/ghdb.php?function=detail&id=1799

http://johnny.ihackstuff.com/ghdb.php?function=detail&id=616

-CG

Monday, May 28, 2007

Chrooting Sendmail and Restricting Relaying

Today I had a client call me in a panic. Their mail queue was full and mail was bouncing. Having a look at the mail sitting in the queue it was obvious that the mail server was being used as a mail relay. They have a dedicated server for web and mail at their hosting company. The problem is that they simply started using the mail server without customizing the configuration files and locking down who has access and who has the ability to send mail.

I helped them out with that and quickly stopped the spamming. Personally I think a rebuild is in order as I don't trust any machine that shows any signs of compromise. So in preparation for when they do decide to rebuild I wrote up a quick little guide to run Sendmail 8.12+ in a chrooted environment and to restrict relaying. They will still need to further configure Sendmail but this will help protect the server and other running services by confining the attacker so that they are only able to access the resources within the jail and not further compromise the system.

As the Sendmail installation in question is only used to relay mail from the webserver, we can chroot Sendmail within a jail.

First we need to specify a root directory for the chroot jail and create the Directory Structure. For example:

/chroot/sendmail - This is the Sendmail chroot root directory

Create the following directories under the above directory:

/dev
/etc
/etc/mail
/lib
/lib/tls
/tmp
/usr
/usr/bin
/usr/sbin
/usr/lib
/usr/lib/sasl2
/var
/var/run
/var/spool
/var/spool/mqueue

If you have not already done so add a user for Sendmail to run as and add the user to the mail group.

# useradd -u 501 -g mail -s /sbin/nologin -d /dev/null sendmail

This adds the user called sendmail. In the sendmail.mc file you need to enable the RunAsUser setting and change it to the new user.

define(`confRUN_AS_USER', `sendmail') - Recreate the sendmail.cf file to enable this.

Next you need to populate the directories with the files required. Into the /chroot/sendmail/etc directory copy the following:

aliases
aliases.db
passwd
group
resolv.conf
host.conf
nsswitch.conf
services
hosts
localtime

Edit the passwd and group files to contain only the users and groups required to run Sendmail.

Next copy the entire contents of the /etc/mail directory and all subdirectories into /chroot/sendmail/etc/ . This contains all your Sendmail configuration files.

Next you need to populate the /chroot/sendmail/dev directory. You will need to create the following devices, null and random, to allow Sendmail to function correctly.

# mknod /chroot/sendmail/dev/null c 1 3
# mknod /chroot/sendmail/dev/random c 1 8

Both devices should be owned by root and should have the following permissions:

Null – 0666
Random – 0644

Next place a copy of the sendmail binary into /chroot/sendmail/usr/sbin. Create symbolic links to this binary for the mailq and newaliases commands.

# ln -s /usr/sbin/sendmail /chroot/sendmail/usr/bin/mailq
# ln -s /usr/sbin/sendmail /chroot/sendmail/usr/sbin/newaliases

The link targets are written as paths inside the jail, so once Sendmail is chrooted they resolve to the jailed binary rather than to a /chroot/sendmail/... path that does not exist from within the jail.

Sendmail will need various libraries in order to run in the chroot jail.

Run the following command:

# ldd /usr/sbin/sendmail

Record the list of libraries and copy them to the same locations inside the chroot jail.

NOTE: any libraries located in /usr/kerberos/lib should be copied to /chroot/sendmail/usr/lib. This is so that Sendmail can find them.

Sendmail will require the following additional libraries. These are usually located in /lib.

libnss_dns.so.2
libresolv.so.2
libnss_files.so.2

Copy these to /chroot/sendmail/lib.

If you are using SASL then you need to copy all the files in the /usr/lib/sasl2 directory to /chroot/sendmail/usr/lib/sasl2.

Next we need to check that the permissions and ownerships are correct. The /chroot/sendmail/var/spool/mqueue directory needs to be owned by the user specified in the RunAsUser option.

# chown sendmail /chroot/sendmail/var/spool/mqueue
# chmod 0700 /chroot/sendmail/var/spool/mqueue

All files and databases must be readable by the sendmail user. Ensure that there are no group writable files in the chroot jail.

# chmod -R go-w /chroot/sendmail
# chmod 0400 /chroot/sendmail/etc/mail/*.cf

To start the chrooted sendmail run the following:

# chroot /chroot/sendmail /usr/sbin/sendmail -bd -q15m
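As an added example that is not part of Dean's post, here is the ldd step as a small Python helper: it pulls the library paths out of ldd's output, mirrors each one under the jail root, applies the /usr/kerberos/lib to /usr/lib move mentioned above, and appends the libnss/libresolv libraries that ldd does not list. The sample ldd output is constructed, and install_binary needs root to write under /chroot.

```python
import os
import shutil
import subprocess
from typing import List, Tuple

JAIL = "/chroot/sendmail"  # jail root used throughout the post

# Libraries Sendmail loads at run time that ldd does not report (see above).
EXTRA_LIBS = ("/lib/libnss_dns.so.2", "/lib/libresolv.so.2", "/lib/libnss_files.so.2")


def ldd_paths(ldd_output: str) -> List[str]:
    """Return the on-disk library paths named in ldd output.

    Lines look like 'libresolv.so.2 => /lib/libresolv.so.2 (0x...)' or
    '/lib64/ld-linux-x86-64.so.2 (0x...)'. Virtual objects such as linux-vdso
    and 'not found' entries have no file to copy and are skipped.
    """
    paths = []
    for line in ldd_output.splitlines():
        parts = line.split()
        if not parts:
            continue
        target = parts[parts.index("=>") + 1] if "=>" in parts else parts[0]
        if target.startswith("/"):
            paths.append(target)
    return paths


def jail_destination(jail: str, src: str) -> str:
    """Mirror src under the jail; /usr/kerberos/lib/* goes to usr/lib so Sendmail finds it."""
    if src.startswith("/usr/kerberos/lib/"):
        return os.path.join(jail, "usr/lib", os.path.basename(src))
    return jail + src


def plan_copies(jail: str, binary: str, ldd_output: str,
                extra: Tuple[str, ...] = EXTRA_LIBS) -> List[Tuple[str, str]]:
    """List (source, destination) pairs for the binary, its ldd libraries and extras."""
    seen, files = set(), []
    for path in [binary] + ldd_paths(ldd_output) + list(extra):
        if path not in seen:
            seen.add(path)
            files.append(path)
    return [(f, jail_destination(jail, f)) for f in files]


def install_binary(jail: str, binary: str) -> List[Tuple[str, str]]:
    """Run ldd for real and copy everything into the jail, preserving modes/times."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    plan = plan_copies(jail, binary, out)
    for src, dst in plan:
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    return plan


# Constructed ldd output (not captured from a real sendmail build).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd5a3fe000)
\tlibresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f1c2b7a0000)
\tlibgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x00007f1c2b750000)
\tlibsasl2.so.2 => not found
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c2b9c0000)
"""

if __name__ == "__main__":
    for src, dst in plan_copies(JAIL, "/usr/sbin/sendmail", SAMPLE_LDD):
        print(f"{src} -> {dst}")
```

A "not found" line is a library the jail cannot be given by copying; resolve it on the host before running the install.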

We now want to restrict relaying in order to prevent the mail server being used as a spam relay.

Check the sendmail.cf file for the following:

FR-o /etc/mail/relay-domains (note this may need to be changed if you intend to use a chroot jail for sendmail)

This listing forces Sendmail to only accept relaying from the domains listed. The relay-domains file can contain hosts, domains, IP addresses and subnets.

Adding the following settings to the sendmail.mc file further modifies the behavior of the relay-domains file.

FEATURE(relay_hosts_only) - This allows relaying for only hosts listed in the relay-domains file.

Relaying can also be specified by using an access database file. Make sure the access db feature is enabled by checking for the following line in sendmail.mc:

FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')

If access.db is not present add it and recreate sendmail.cf. The access database is located in the /etc/mail directory. Create the file using the makemap command. It takes input from a text file.

# makemap hash access.db < access

The text file format is as follows:

[ip address] RELAY
[domain name] RELAY

The possible right-hand-side values are RELAY, REJECT, DISCARD and 554 [message].

This covers the basics for running Sendmail in a Chrooted environment and restricting relaying. I hope it helps someone out.

Cheers,
Dean

Addressing in 802.11 Frames

So I've been doing a lot of wireless related stuff lately. Mainly audits of wireless environments. Lots of passive sniffing and packet analysis, so it's necessary to have a solid understanding of 802.11 Framing and the various packet types. By simply looking at the packets you can determine a great deal about the network in question.

A typical packet is made up of the following:

Frame Control [2 bytes] – This defines the options in the header fields and specifies the type of frame (management, data or control) in use. The frame's format changes depending on the options specified in this Frame Control field.

Duration/ID [2 bytes] – This defines the amount of time that the transmission medium is expected to be busy for the duration of the data transmission.

Address 1 [6 bytes] – This is the destination/receiving address.

Address 2 [6 bytes] - This is the source address. The address of the device that sent the frame.

Address 3 [6 bytes] – This is a filtering address. It is used to filter traffic on the same frequency as other BSS networks.

Sequence Control [2 bytes] – This is used for fragmentation in management and data frames and contains the sequence number and fragment number fields. Frames with payloads larger than 2312 bytes will be fragmented. Fragmentation is seldom used, as the maximum size of an Ethernet frame is 1500 bytes.

Address 4 [6 bytes] – This address is only used in WDS (Wireless Distribution Systems) to specify the source address. This is the station that sent the packet over the WDS.

Data Frame [variable] – This contains the payload. In management frames the structure is strictly ordered and contains fixed length parameters followed by variable length parameters in any order.

Frame Check Sequence [4 bytes] – This is a CRC32 checksum and is used to provide message integrity against accidental corruption of the frame in transit.

Obviously this is a very simple breakdown of an 802.11 frame.

In the Frame Control header field, which defines the options for the remainder of the header fields, there are two bits called the ‘To DS’ and ‘From DS’ bits. These are the 8th and 9th bits respectively. The To Distribution System and From Distribution bits are important for analysis as, depending on the combination of these flags, they identify the type of network the packet originated from.

The distribution system can have various definitions but it’s easiest to define the distribution system as that which connects the wireless network to other networks. In most cases this will be the wired network. By looking at which bit is set we can determine the source and destination MAC addresses in use.

To DS bit is set – The packet is coming from a wireless station to the wired network

From DS bit is set – The packet is coming from the wired network, or possibly the AP itself and is destined for a wireless station.

From DS and To DS are cleared – The packet is from an Ad-hoc network.

From DS and To DS are set – The packet is from a WDS network. Most often a WDS network is used to connect networks together. An example would be a bridge between buildings.

WDS networks are the only ones that will have a value set for all four address fields. When analyzing a packet from a WDS network it is important that you don’t mix up the Receiver Address (address 1), the Transmitter Address (Address 2), the Destination Address (Address 3) and the Source Address (Address 4).

The Receiver Address is the MAC address of the device at one end of a WDS network (I.e.: a bridge) that bridges the wireless connection to the wired network.

The Transmitter Address is the MAC address of the device at the other end of the WDS network that bridges the traffic from the wired network to the wireless network.

Node ←→Wired Network ←→ AP/bridge ←→ AP/bridge ←→ Wireless Network ←→ Node

The Transmitter and Receiver neither create the frame nor are the intended recipient of it; they merely receive the frame and forward it on. The frame is created by the device identified by the MAC address in the source address field. The destination address field identifies the final recipient of the frame.
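As an added example that is not from the original post, here is a Python decoder for the MAC header that reads the To DS and From DS bits and labels each address field accordingly. It goes a little beyond the text by giving the role table for all four flag combinations (BSSID in the non-WDS cases); the two frames at the bottom are constructed, not captured.

```python
import struct

# Frame Control is a little-endian 16-bit field; To DS is bit 8, From DS bit 9.
TO_DS = 0x0100
FROM_DS = 0x0200

# Role of Address 1..4 keyed by (to_ds, from_ds). Management frames and
# ad-hoc (IBSS) data use the first row; only the WDS row carries Address 4.
ADDRESS_ROLES = {
    (False, False): ("DA", "SA", "BSSID", None),   # ad-hoc / IBSS
    (False, True):  ("DA", "BSSID", "SA", None),   # wired side (or AP) -> station
    (True, False):  ("BSSID", "SA", "DA", None),   # station -> wired side
    (True, True):   ("RA", "TA", "DA", "SA"),      # WDS, bridge to bridge
}
NETWORK_KIND = {(False, False): "ad-hoc", (False, True): "from DS",
                (True, False): "to DS", (True, True): "WDS"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Decode the MAC header of a management or data frame (FCS not included).

    Returns the DS flags, the kind of network they imply, the header length,
    and a mapping from address role (RA/TA/DA/SA/BSSID) to MAC address.
    """
    if len(frame) < 24:
        raise ValueError("need at least the 24-byte three-address header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3
    if ftype == 1:
        raise ValueError("control frames do not use the three/four-address layout")
    to_ds, from_ds = bool(fc & TO_DS), bool(fc & FROM_DS)
    fields = [frame[4:10], frame[10:16], frame[16:22]]
    header_len = 24
    if to_ds and from_ds:
        if len(frame) < 30:
            raise ValueError("WDS frame needs the 30-byte four-address header")
        fields.append(frame[24:30])  # Address 4 follows Sequence Control
        header_len = 30
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    addresses = {role: mac_str(raw) for role, raw in zip(roles, fields) if role}
    return {
        "type": ftype, "subtype": (fc >> 4) & 0xF,
        "to_ds": to_ds, "from_ds": from_ds,
        "network": NETWORK_KIND[(to_ds, from_ds)],
        "duration": duration,
        "sequence": seq_ctrl >> 4, "fragment": seq_ctrl & 0xF,
        "header_len": header_len,
        "receiver": mac_str(fields[0]),     # Address 1 is always the receiver
        "transmitter": mac_str(fields[1]),  # Address 2 is always the transmitter
        "addresses": addresses,
    }


def build_header(fc: int, *macs: str) -> bytes:
    """Constructed header: Frame Control, Duration, A1..A3, Sequence Control [, A4]."""
    addr = [bytes.fromhex(m.replace(":", "")) for m in macs]
    head = struct.pack("<HH", fc, 0x002C) + b"".join(addr[:3]) + struct.pack("<H", 0x0010)
    return head + b"".join(addr[3:])


DATA = 2 << 2  # type field for data frames, already shifted into place
# Constructed sample frames (hypothetical MAC addresses).
STA_TO_AP = build_header(DATA | TO_DS, "00:11:22:33:44:01", "00:11:22:33:44:02",
                         "00:11:22:33:44:03")
WDS = build_header(DATA | TO_DS | FROM_DS, "00:11:22:33:44:01", "00:11:22:33:44:02",
                   "00:11:22:33:44:03", "00:11:22:33:44:04")

if __name__ == "__main__":
    for name, frm in (("station -> AP", STA_TO_AP), ("WDS", WDS)):
        print(name, parse_80211_header(frm)["addresses"])
```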

Hopefully this has clarified how addressing works in a 802.11 frame.

Cheers,
Dean

scping files with spaces in them

nothing l33t...

but if you have to scp files with spaces in them and you don't do it right you can get a stupid

scp: ambiguous target

error, which can be quite unfun.

example:

scp "Other Linux 2.6.x kernel-cl1.vmdk" root@192.168.0.1:"Other Linux 2.6.x kernel-cl1.vmdk"
root@192.168.0.1's password:
scp: ambiguous target

The issue is that even though the name is in quotes, the remote side splits it on the spaces and treats "Other" and "Linux" as separate files.

here's the fix

scp Other\ Linux\ 2.6.x\ kernel-cl1.vmdk root@192.168.0.1:"Other\ Linux\ 2.6.x\ kernel-cl1.vmdk"
root@192.168.0.1's password:
Other Linux 2.6.x kernel-cl1.vmdk 100% 2043MB 10.9MB/s 03:07

you can also leave out the escape characters in the source files and just put the source file in quotes, but you'll need them on the destination file.

scp "Other Linux 2.6.x kernel-cl1.vmdk" root@192.168.0.1:"Other\ Linux\ 2.6.x\ kernel-cl1.vmdk"
root@192.168.0.1's password:
Other Linux 2.6.x kernel-cl1.vmdk 100% 2043MB 10.9MB/s 03:07

hope that helps someone :-)

Saturday, May 26, 2007

Smashing the Modern Stack

I'm going to plug my buddy Craig's really good paper on Smashing the Modern Stack, which is an update to Aleph One's 'Smashing The Stack For Fun And Profit'.

From the foreword:
When it comes to buffer overflows, 'Smashing The Stack For Fun And Profit' by Aleph One is still the first resource many people are directed towards, and for good reason; it is thorough, well written, and chock-full of examples. However, the GNU C compiler has evolved since 1998, and as a result, many people are left wondering why they can't get the examples to work for them, or if they do get the code to work, why they had to make the changes that they did. Having these same problems myself, and being unable to find an updated version of Aleph One's document on the web, I set out to identify the source of these variations on my own.

Link: http://www.craigheffner.com/security/stacksmash.html

Thursday, May 24, 2007

Using the MSF daemon (msfd)

Msfd plugin: "This plugin provides an msf daemon interface that spawns a listener on a defined port (default 55554) and gives each connecting client its own console interface. These consoles all share the same framework instance. Be aware that the console instance that spawns on the port is entirely unauthenticated, so realize that you have been warned."

MSFD options:

SegFault:~/framework-3.0 cg$ ./msfd -h

Usage: msfd

OPTIONS:

-a Bind to this IP address instead of loopback
-f Run the daemon in the foreground
-h Help banner
-p Bind to this port instead of 55554

OR



The default is to set up a listener on 127.0.0.1; that won't do. Change the default hostname to the IP of the box running msfd in plugins/msfd.rb and connect to it that way, or on the command line with


# The default local hostname that the server listens on.
#
DefaultHost = "192.168.0.105"



To unload the plugin, just type unload "plugin name"

Value of certifications

There has been a lot of discussion about the value of certifications lately. Here are a couple of links:

taosecurity link

EH.net link

securityfocus link

My take on it is that most of these guys like Don Parker and Richard Bejtlich are the exceptions to needing certification rather than the norm. If you are a published author or regularly speak at conferences you probably possess a large body of knowledge. So it's not unthinkable that people of this caliber might question the value or need of certification, because they already possess advanced knowledge in those subjects.

What I'm slowly learning about computers and security is that once something has been brought into your "knowledge realm" it's sometimes hard to remember a time when you didn't know that piece of knowledge, or how it's possible that other people don't know it. nmap switches and usage can be used as an example, or maybe even using tools like nessus or metasploit.

In the back of my mind I remember needing my cheat sheet for nmap switches. Now of course I can tell you all about them from memory and don't need a cheat sheet to use the various switches. The question then comes up of how did I or how can someone else get to that point.

Obviously using those tools while working with LSO helped a lot, but studying the stuff for my CEH and CPTS exams also helped bring that information into the knowledge realm, and thankfully it stuck. Certification definitely helps people learn and can create a roadmap for someone trying to get into an IT niche, whether it be routers, firewalls, security or whatever.

Does having cert X mean that person is immediately qualified to work in your organization? Of course not; that's why you interview a person, to make sure what's on their resume is what is actually in their knowledge realm and that they can actually apply that stuff at work.

Wednesday, May 23, 2007

SNMP and Printer Hacking

I've recently been doing some research in SNMP which led me to printer hacking, so I'll do a few posts about SNMP stuff and how a large number of printers seem to be on the net with default settings. I guess I'm trying to work out how big a threat it is to have people see and maybe change some TCP/IP settings on a printer. So far about the worst I have heard about or seen is storing files on the vuln printer: not the end of the world, not the best thing to have going on on your network, but not a shell either.

on with the snmp enumeration...

SegFault:~ cg$ nmap -A n.y.o.b
Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-21 19:50 MST
Interesting ports on PRINERNAME.host.com(n.y.o.b):
Not shown: 1686 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet RICOH maintenance telnetd
80/tcp open http Ricoh Afficio printer web image monitor (Web-Server httpd 3.0)
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
514/tcp open login Aficio/NRG printer logind
515/tcp open printer lpd (error: Illegal service request)
631/tcp open ipp NRG copier or Ricoh Afficio (Embedded Web-Server 3.0)
9100/tcp open jetdirect?
Service Info: Device: printer

SegFault:~ cg$ sudo nmap -sU n.y.o.b

Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-21 19:24 MST

All 1488 scanned ports on PRINERNAME.host.com (n.y.o.b) are open|filtered

Nmap finished: 1 IP address (1 host up) scanned in 145.466 seconds

normal open ports are 21,23,25 (yeah spam relay), 80, 515, 631, 9100

nmap hasn't been giving me good results for UDP scans; there are some other tools to try out, I just haven't gotten around to it.

SegFault:~/Desktop/cisco-audit/ADMsnmp cg$ ./ADMsnmp
ADMsnmp v 0.1 (c) The ADM crew
./ADMsnmp: [-g,-wordf,-out , [-waitf,-sleep, -manysend,-inter <#>] ]
: host to scan
[-guessname] : guess password with hostname
[-wordfile] : wordlist of password to try
[-outputfile] : output file
[-waitfor] : time in milisecond in each send of snmprequest
[-sleep] : time in second of the scan process life
[-manysend] : how many paket to send by request
[-inter] : time to wait in milisecond after each request
SegFault:~/Desktop/cisco-audit/ADMsnmp


ADMsnmp is a good tool for bruteforcing community names on SNMP enabled boxes.

SegFault:~/Desktop/cisco-audit/ADMsnmp cg$ ./ADMsnmp n.y.o.b -w snmp.passwd
ADMsnmp vbeta 0.1 (c) The ADM crew
ftp://ADM.isp.at/ADM/
greets: !ADM, el8.org, ansia
>>>>>>>>>>> get req name=1234 id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=2read id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=4changes id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=CISCO id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=IBM id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=OrigEquipMfr id = 17 >>>>>>>>>>>
>>>>>>>>>>> get req name=SNMP id = 20 >>>>>>>>>>>
>>>>>>>>>>> get req name=SUN id = 23 >>>>>>>>>>>
>>>>>>>>>>> get req name=access id = 26 >>>>>>>>>>>
>>>>>>>>>>> get req name=admin id = 29 >>>>>>>>>>>
>>>>>>>>>>> get req name=agent id = 32 >>>>>>>>>>>
>>>>>>>>>>> get req name=all id = 35 >>>>>>>>>>>
>>>>>>>>>>> get req name=cisco id = 38 >>>>>>>>>>>
>>>>>>>>>>> get req name=community id = 41 >>>>>>>>>>>
>>>>>>>>>>> get req name=default id = 44 >>>>>>>>>>>
>>>>>>>>>>> get req name=enable id = 47 >>>>>>>>>>>
>>>>>>>>>>> get req name=field id = 50 >>>>>>>>>>>
>>>>>>>>>>> get req name=guest id = 53 >>>>>>>>>>>
>>>>>>>>>>> get req name=hello id = 56 >>>>>>>>>>>
>>>>>>>>>>> get req name=ibm id = 59 >>>>>>>>>>>
>>>>>>>>>>> get req name=manager id = 62 >>>>>>>>>>>
>>>>>>>>>>> get req name=mngt id = 65 >>>>>>>>>>>
>>>>>>>>>>> get req name=monitor id = 68 >>>>>>>>>>>
>>>>>>>>>>> get req name=netman id = 71 >>>>>>>>>>>
>>>>>>>>>>> get req name=network id = 74 >>>>>>>>>>>
>>>>>>>>>>> get req name=none id = 77 >>>>>>>>>>>
>>>>>>>>>>> get req name=openview id = 80 >>>>>>>>>>>
>>>>>>>>>>> get req name=pass id = 83 >>>>>>>>>>>
>>>>>>>>>>> get req name=password id = 86 >>>>>>>>>>>
>>>>>>>>>>> get req name=private id = 89 >>>>>>>>>>>
>>>>>>>>>>> get req name=proxy id = 92 >>>>>>>>>>>
>>>>>>>>>>> get req name=public id = 95 >>>>>>>>>>>
<<<<<<<<<<< id = 96 name = public ret = 0
>>>>>>>>>>>> send setrequest id = 96 name = public >>>>>>>>
>>>>>>>>>>> get req name=read id = 98 >>>>>>>>>>>
<<<<<<<<<<< id = 97 name = public ret = 0
>>>>>>>>>>> get req name=read-only id = 101 >>>>>>>>>>>
>>>>>>>>>>> get req name=read-write id = 104 >>>>>>>>>>>
>>>>>>>>>>> get req name=root id = 107 >>>>>>>>>>>
>>>>>>>>>>> get req name=router id = 110 >>>>>>>>>>>
>>>>>>>>>>> get req name=secret id = 113 >>>>>>>>>>>
>>>>>>>>>>> get req name=security id = 116 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmp id = 119 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmpd id = 122 >>>>>>>>>>>
>>>>>>>>>>> get req name=solaris id = 125 >>>>>>>>>>>
>>>>>>>>>>> get req name=sun id = 128 >>>>>>>>>>>
>>>>>>>>>>> get req name=switch id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=system id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=tech id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=test id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=world id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=write id = 17 >>>>>>>>>>>

snmp check on n.y.o.b
sys.sysName.0:Aficio 2022
name = public readonly access

This one had changed the write community string, but let's see what we can get for free.

SegFault:~/Desktop/cisco-audit/snmpenum cg$ perl snmpenum.pl n.y.o.b public linux.txt


----------------------------------------
HOSTNAME
----------------------------------------

Aficio 2022

----------------------------------------
LISTENING TCP PORTS
----------------------------------------

23
80
514
515
631
9100

----------------------------------------
MOUNTPOINTS
----------------------------------------

RAM
FLASH

----------------------------------------
LISTENING UDP PORTS
----------------------------------------

137
138
161

----------------------------------------
UPTIME
----------------------------------------

28 days, 08:06:40.00

----------------------------------------
SYSTEM INFO
----------------------------------------

RICOH Aficio 2022 1.04 / RICOH Network Printer C model / RICOH Network Scanner C model / RICOH Network Facsimile C model


----------------------------------------
RUNNING SOFTWARE PATHS
----------------------------------------


----------------------------------------
RUNNING PROCESSES
----------------------------------------

Saturday, May 19, 2007

Using the MSF 3.0 Web Interface

Did up two videos for EthicalHacker.net on using the Metasploit Framework 3.0 Web Interface.

2 parts

1st part: We specifically take a look at running auxiliary modules against a server running MSSQL, and then we'll take a look at using the MSFweb GUI to run the idq exploit with the meterpreter payload. What is unique about the idq bug is that it will NOT give you administrator or system on the box, but you can use the rev2self command in meterpreter to elevate your privileges from IUSR_MACHINENAME to SYSTEM. While we're at it, we also dump the hashes using hashdump for a little extra fun.

http://www.ethicalhacker.net/content/view/137/24/

2nd part: We specifically take a look at running "browser" exploits where you have to get the victim to connect back to your listening Metasploit instance. We'll use the ie_createobject exploit via the MSFweb GUI, and then we'll use the wmf_setabortproc exploit using the built in msfconsole (a new addition in MSFWeb 3.0). We'll also take a look at using custom meterpreter scripts; first to see if the victim is running in vmware and second, to clear the event logs. We also show that if you set the IP address of the MSF Web to a reachable IP address (besides the default 127.0.0.1) we can share our sessions on the network.

http://www.ethicalhacker.net/content/view/136/24/


meterpreter scripts:

clearseclog: http://www.carnal0wnage.com/research/clearseclog.rb
clearalllog: http://www.carnal0wnage.com/research/clearalllog.rb

First Post

New blog, I suck at updating blogs but we'll see how we do...