Monday, December 31, 2007

WebGoat 5.0 on Ubuntu

Some days I love Ubuntu, some days I friggin hate it. Today I hate it.

WebGoat comes with a nifty little .sh script that checks to make sure you have Sun Java 1.5.x installed.

Well, after installing Sun Java 1.5.x with Synaptic, finding the directory it's in (/usr/lib/jvm/java-1.5.0-sun) and pasting that into the script, it still took a dump, giving me:

"Please set JAVA_HOME to a Java 1.5 JDK install" or "JVM is not 1.5" errors.

So I just deleted all that check code, put export JAVA_HOME=/usr/lib/jvm/java-1.5.0-sun/ at the top of the script, and now it works:

cg@segfault:~/Desktop/WebGoat-5.0$ sudo ./webgoat.sh start80
Using CATALINA_BASE: ./tomcat
Using CATALINA_HOME: ./tomcat
Using CATALINA_TMPDIR: ./tomcat/temp
Using JAVA_HOME: /usr/lib/jvm/java-1.5.0-sun/

Open http://127.0.0.1/WebGoat/attack
Username: guest
Password: guest
Or try http://guest:guest@127.0.0.1/WebGoat/attack

Here is my new startup script:

#! /bin/sh
# Launcher for WebGoat 5.0's bundled Tomcat, with the Java version check
# removed and JAVA_HOME pinned to Ubuntu's Sun JDK package directory.
# All paths are relative, so run it from the WebGoat-5.0 directory.

CATALINA_HOME=./tomcat
PATH=${PATH}:./tomcat/bin
export CATALINA_HOME PATH
export JAVA_HOME=/usr/lib/jvm/java-1.5.0-sun/
chmod +x $CATALINA_HOME/bin/*.sh

case "$1" in
start80)
# server_80.xml binds port 80, which needs root (hence the sudo above).
# WebGoat is deliberately vulnerable; prefer start8080 as an unprivileged user.
cp -f $CATALINA_HOME/conf/server_80.xml $CATALINA_HOME/conf/server.xml
$CATALINA_HOME/bin/startup.sh
printf "\n Open http://127.0.0.1/WebGoat/attack"
printf "\n Username: guest"
printf "\n Password: guest"
printf "\n Or try http://guest:guest@127.0.0.1/WebGoat/attack \n\n"
sleep 2
tail -f $CATALINA_HOME/logs/catalina.out
;;
start8080)
cp -f $CATALINA_HOME/conf/server_8080.xml $CATALINA_HOME/conf/server.xml
$CATALINA_HOME/bin/startup.sh
printf "\n Open http://127.0.0.1:8080/WebGoat/attack"
printf "\n Username: guest"
printf "\n Password: guest"
printf "\n Or try http://guest:guest@127.0.0.1:8080/WebGoat/attack \n\n"
sleep 2
tail -f $CATALINA_HOME/logs/catalina.out
;;
stop)
$CATALINA_HOME/bin/shutdown.sh
;;
*)
echo "Usage: $0 {start8080|start80|stop}"
exit 1
;;
esac

Sunday, December 30, 2007

TEMPEST article as suggested blog reading

Andrew Hay recommended reading my TEMPEST paper... way cool.

http://www.andrewhay.ca/archives/218

Saturday, December 29, 2007

Interview with Andres Riancho, creator of w3af

This interview was originally published over on LearnSecurityOnline.com.

==============================
Interview with Andres Riancho
==============================


In my opinion penetration testing frameworks and toolkits are fast becoming a necessity in today's audit process. Tools like Core Impact, Saint, BidiBlah and others are staking their claim in the service/client-side exploitation side of this market, and tools like WebInspect, Acunetix and AppScan have staked their claim in the web application security side of the market.

I'm an open-source security tool user myself, so my tools of choice for these two areas have been Metasploit (Service/Client-side) and Wapiti (Web App), but ladies and gentlemen there is a new kid on the block. The tool is called w3af (Web Application Attack and Audit Framework). The tool developer Andres Riancho has graciously agreed to an interview with LSO.

I have to say that Andres has been such a great help to me in not only developing a web application testing methodology/framework for my job, but also teaching me the basics of web app security auditing. He has so many skills from his years of experience, so he was able to give me little tips that really helped me connect the dots, so to speak. So Andres, thanks for w3af - I really like the tool, and thanks for all of the help. I really appreciate it.

-j0e

# LSO #
How about some background about yourself, who you are? What you do? Who you work for? Location?

# AR #
First of all I'm a simple guy, that enjoys spending time with his friends, girlfriend, family and dog. On the other hand, I'm a security consultant that works at Cybsec (www.cybsec.com). I'm located in Argentina, land of "dulce de leche" and great meat.

# LSO #
How did you get into the security business (your specific field)?

# AR #
Like most of us, I'm a really curious person, so I started with security when I was 14. After some time, I got a job as an IPS administrator at a local ISP; when I got bored of it (pretty fast actually) I started working for Cybsec, mostly performing web application penetration tests. In other words, I started with security as a hobby, and now I make a living out of it.

# LSO #
How do you think technical aspects of web hacking have changed over time and how does one keep up with the current advances?

# AR #
Technical aspects of web hacking haven't changed much, the vulnerabilities are almost the same, but the "transport" method for the vulnerability is what keeps changing, before we had URL encoded strings, now it's XML and JSON, tomorrow it will be another type of encoding, but there always will be SQL injection, information leakage, etc.

# LSO #
Say I want to get into web security, it's HUGE, where do I start?

# AR #
You should start by knowing how HTTP works, the basics of web application development and you should also read a lot about Cross Site Scripting, SQL injection, remote file inclusion and other common vulnerabilities. A good place to start is the OWASP site, and particularly the OWASP TOP 10.


# LSO #
Do you think Javascript is the new shellcode? If so why?

# AR #
I think that new things are still to be discovered about Javascript, but I don't really think it's going to be the "next generation shellcode". Browser security and cross site scripting are an important part of web security, but it's just that, a part of it. We should not focus all the attention on Javascript, there is still a lot of work to be done securing the web applications vulnerabilities that lead to the server being compromised.

# LSO #
Tell us what you think of the future of network enumeration via javascript. What are the attacks that we should look for in the coming years from javascript?

# AR #
Right now we have seen just the beginning of advanced javascript attacks, in the future someone will code a good framework for doing all kinds of attacks over cross site scripting. BeEF (http://bindshell.net/tools/beef/) is one of the cross site scripting exploitation frameworks I have been checking out, and I think it really has some potential.

# LSO #
How viable of a web application audit tool is Firefox? http://www.securityfocus.com/infocus/1879/1 shows Firefox being used for crawling websites, discovering hidden calls, and logic discovery - what are the top 5 tools that you use the most in web application/web services auditing and why?

# AR #
Browsers are the most powerful/useful tool to perform a web app audit; in the particular case of Firefox, this power is multiplied by 100 if you use security aware extensions. The TOP5 tools I use while performing a web app audit are:

1- paros or burp ( two of the best local proxies, these tools are the most important in the whole process)
2- firefox ( as explained before )
3- firefox extensions like the web developer toolbar ( very useful to test sites that have javascript )
4- w3af ( just because I coded it ;) )
5- nikto ( it's a classic, but it finds nice things once in a while )

# LSO #
Ajax is thought by some people to be what is going to lead us into "Web 2.0", and a great deal many security consultants see it as the ultimate attacker's playground. How do you see Ajax?

# AR #
There are only a few security consultants that do interesting work around web2.0, all the others out there are just reinventing the wheel every day; don't get me wrong, Ajax has introduced and will introduce a lot of new attack vectors, but the risk for users and companies IMHO will be low.

# LSO #
Do you plan to integrate ajax discovery/fingerprinting into w3af? Tools like fingerajax.rb/scanajax.rb are good for really simple stuff if you see a .aspx in the url, but there really isn't much of anything else on the market for command-line Linux tools for dealing with ajax.

# AR #
Well, actually I'm going to create a w3af plugin that wraps a browser or some other library/project that knows how to handle javascript. My idea is to wrap a browser, configure the browser to use a local proxy that will be run by w3af and then start interacting with the web application doing "clicks" on every HTML tag and recording the requests that are sent to the browser. Using this approach, w3af will be able to analyze most javascript-enabled sites!

I have been playing with pykhtml and discarded it because of some problems and the lack of portability to windows; and now I'm trying to achieve this task using zc.testbrowser.real, but I'm still working on this section of the project, so if anyone wants to help, just let me know.


# LSO #
Can you compare/rate the criticality of XSS, XSRF, SQLI?

# AR #
XSS: 3/10
XSRF: 2/10
SQLI: 9/10

As you may see, I'm not really into the "XSS is going to destroy the planet" thing; as I said before, it's something important but it's not so critical, and we shouldn't lose our perspective and objectivity.


# LSO #
How important do you feel that programming is for this field, specifically how do you feel about Web Language programming? If yes, what language(s) do people need to know well?

# AR #
I think that you can't be a really good security expert if you don't know how to code in at least one low level programming language like C and one high level programming language, like Python. Source code is the base of all that happens in your computer, and if you don't know how to create it, you won't ever understand what happens when you click on a window button.

Web Language programming is something I don't personally enjoy, but it seems to be the future of programming. GWT is getting better and its user base is growing, so it seems that the future is going that way...

# LSO #
What tools need to be in every web application pen-tester's toolkit?

# AR #
w3af is in beta stage right now, but in a year or so it will be a must have tool for every web application pen-tester. Some other awesome tools I use are paros proxy, sqlmap and sqlninja.

# LSO #
What do you think are the 3 biggest changes in the security field in the last 5 years?

# AR #
The shift from attacking the servers, to attacking the clients has been an interesting change that started when most penetration testers found out that the servers weren't the weak link in the chain and that users would download and execute almost everything.

Big companies acquiring security companies was also a change that I was surprised with. Just to mention two of the most important business changes, IBM bought ISS and HP bought SPI Dynamics. I'm still expecting to see the long term repercussions in the world wide market!

One of the new things that have appeared in these last years are the vulnerability markets, like the Zero Day Initiative and WabiSabiLabi. This business type is really interesting and gives freelance researchers good options to make money without the risks of selling their vulnerabilities and exploits to the Russian mafia.

# LSO #
Where do you see the security field going in the next 1-3 years?

# AR #
I think that many applications will be built over the HTTP protocol, and more than ever they will use Ajax and all the javascript tricks. So, more than ever a stable, complete and open source framework that can audit web applications will be needed.

# LSO #
What are the basics that you think every security person should know?

# AR #
The most important things to know in order to be a security professional are:
- Programming
- TCP/IP
- Web Application security
- Buffer overflows, format strings

# LSO #
What are the specifics that a person in your security field should know?

# AR #
Well, I mostly deal with web application penetration tests, so a person in my security field should really understand how HTTP works, its internals, encodings, etc. It is also really important for a web application penetration tester to know how the information flows through a web application: type casting, data conversion, database queries, etc.; so programming is one of the most important things. Finally but not least important, a good web application penetration tester should keep himself informed about new types of web vulnerabilities; this can only be achieved by reading mailing lists, reading the latest whitepapers and attending one or two good security conferences a year.


# LSO #
Any suggestions on breaking into the security field? Or someone considering security for a career?

# AR #
There are two really important things to know when you are starting in the information security field:
- knowledge is power
- ask smart questions (http://catb.org/~esr/faqs/smart-questions.html); no one will answer questions on the mailing lists if you don't ask them the right way

And of course, be ready to buy some glasses, work long hours and become really paranoid about sending non encrypted data over the wire.

# LSO #
Can you tell us about X, Y, Z (latest book, future book, current/future projects)?

# AR #
Right now, and at least for one more year, I'm going to be working on my main project, w3af. The framework has evolved a lot in the last year, and my personal objective is to create a stable and usable open source alternative to the commercial web application vulnerability scanners, that also includes among its features the option to exploit the vulnerabilities that are found. Some new features I'm working on are Javascript and Flash support; these two features are going to be added to the almost impressive list of features, that include:

- Exploitation plugins
- Advanced post-exploitation payloads
- Integration with metasploit
- Detection of almost all web application vulnerabilities
- Information gathering using internet search engines
- Dynamic communication between plugins
- Easy to use console interface

w3af - Web Application Attack and Audit Framework

Friday, December 28, 2007

TEMPEST article on infosecwriters.com

In case you missed reading the article in HTML format over at EthicalHacker.net, you can take a look at my TEMPEST article at infosecwriters.com

http://www.infosecwriters.com/texts.php?op=display&id=608


"Ok prepare to strap that tinfoil hat on two notches below excruciating, we’re going to talk about TEMPEST. What is TEMPEST? It’s defined in NSTISSI-7000 as:

Electronic and electromechanical information-processing equipment can produce unintentional intelligence-bearing emanations, commonly known as TEMPEST. If intercepted and analyzed, these emanations may disclose information transmitted, received, handled, or otherwise processed by the equipment. (1) "

Tuesday, December 25, 2007

FierceDNS for DNS enumeration

"Fierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics. First it queries your DNS for the DNS servers of the target. It then switches to using the target's DNS server. Fierce then attempts to dump the SOA records for the domain in the very slim hope that the DNS server that your target uses may be misconfigured. Once that fails (because it almost always will) it attempts to "guess" names that are common amongst a lot of different companies. Next, if it finds anything on any IP address it will scan up and down a set amount (default 5 but you can expand it with -traverse or increase it to the entire subnet with -wide) looking for anything else with the same domain name in it using reverse lookups. If it finds anything on any of those it will recursively scan until it doesn't find any more. In this way it ends up looping a lot, and the bigger the domain is the more you get back. The reason Fierce automatically switches to using the target's DNS server is so that it can probe the Intranet (RFC1918) of the target, assuming the target uses a single DNS server for both their Intranet and external sites."

Let's run it with -h to see the help:

cg@segfault:~/evil/enumeration/dns/fierceDNS$ perl fierce.pl -h
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/

Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Overview:
Fierce is a semi-lightweight scanner that helps locate non-contiguous
IP space and hostnames against specified domains. It's really meant
as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
of those require that you already know what IP space you are looking
for. This does not perform exploitation and does not scan the whole
internet indiscriminately. It is meant specifically to locate likely
targets both inside and outside a corporate network. Because it uses
DNS primarily you will often find mis-configured networks that leak
internal address space. That's especially useful in targeted malware.

Options:
-connect Attempt to make http connections to any non RFC1918
(public) addresses. This will output the return headers but
be warned, this could take a long time against a company with
many targets, depending on network/machine lag. I wouldn't
recommend doing this unless it's a small company or you have a
lot of free time on your hands (could take hours-days).
Inside the file specified the text "Host:n" will be replaced
by the host specified. Usage:

perl fierce.pl -dns example.com -connect headers.txt

-delay The number of seconds to wait between lookups.
-dns The domain you would like scanned.
-dnsfile Use DNS servers provided by a file (one per line) for
reverse lookups (brute force).
-dnsserver Use a particular DNS server for reverse lookups
(probably should be the DNS server of the target). Fierce
uses your DNS server for the initial SOA query and then uses
the target's DNS server for all additional queries by default.
-file A file you would like to output to be logged to.
-fulloutput When combined with -connect this will output everything
the webserver sends back, not just the HTTP headers.
-help This screen.
-nopattern Don't use a search pattern when looking for nearby
hosts. Instead dump everything. This is really noisy but
is useful for finding other domains that spammers might be
using. It will also give you lots of false positives,
especially on large domains.
-range Scan an internal IP range (must be combined with
-dnsserver). Note, that this does not support a pattern
and will simply output anything it finds. Usage:

perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

-search Search list. When fierce attempts to traverse up and
down ipspace it may encounter other servers within other
domains that may belong to the same company. If you supply a
comma delimited list to fierce it will report anything found.
This is especially useful if the corporate servers are named
different from the public facing website. Usage:

perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany

Note that using search could also greatly expand the number of
hosts found, as it will continue to traverse once it locates
servers that you specified in your search list. The more the
better.
-stop Stop scan if Zone Transfer works.
-suppress Suppress all TTY output (when combined with -file).
-tcptimeout Specify a different timeout (default 10 seconds). You
may want to increase this if the DNS server you are querying
is slow or has a lot of network lag.
-threads Specify how many threads to use while scanning (default
is single threaded).
-traverse Specify a number of IPs above and below whatever IP you
have found to look for nearby IPs. Default is 5 above and
below. Traverse will not move into other C blocks.
-version Output the version number.
-wide Scan the entire class C after finding any matching
hostnames in that class C. This generates a lot more traffic
but can uncover a lot more information.
-wordlist Use a seperate wordlist (one word per line). Usage:

perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

Let's run it against a "fictional" domain

cg@segfault:~/evil/enumeration/dns/fierceDNS$ perl fierce.pl -dns example.com -connect headers.txt
DNS Servers for example.com:
ns2.xyz.com
ns5.xyz.com
dns31.xyz.com
dns11.xyz.com
xyzgate.xyz.com

Trying zone transfer first...
Testing 192.168.136.101
Request timed out or transfer not allowed.
Testing 192.200.104.140
Request timed out or transfer not allowed.
Testing 192.100.1.34
Request timed out or transfer not allowed.
Testing 192.150.100.51
Request timed out or transfer not allowed.
Testing 192.168.136.100
Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 1895 test(s)...
192.1.136.108 ap.example.com
192.11.234.101 at.example.com
192.168.16.21 shop.example.com
192.168.16.20 chi.example.com
192.5.217.200 developer.example.com
192.112.22.193 europe.example.com
192.112.30.69 europe.example.com
192.168.136.82 extranet.example.com
192.168.154.105 ftp0.example.com
192.50.230.82 images.example.com
192.168.154.21 int.example.com
127.0.0.1 localhost.example.com
127.0.0.1 loghost.example.com
192.168.16.21 sh.example.com
192.25.201.3 store.example.com
192.25.27.144 wap.example.com
192.168.8.168 www-01.example.com
192.168.8.169 www-02.example.com

Subnets found (may want to probe here using nmap or unicornscan):
127.0.0.0-255 : 2 hostnames found.
192.168.136.0-255 : 1 hostnames found.
192.168.154.0-255 : 2 hostnames found.
192.168.16.0-255 : 3 hostnames found.
192.168.8.0-255 : 2 hostnames found.
192.11.234.0-255 : 1 hostnames found.
192.50.230.0-255 : 1 hostnames found.
192.25.27.0-255 : 1 hostnames found.
192.1.136.0-255 : 1 hostnames found.
192.25.201.0-255 : 1 hostnames found.
192.5.217.0-255 : 1 hostnames found.
192.112.22.0-255 : 1 hostnames found.
192.112.30.0-255 : 1 hostnames found.
IO::Socket::INET=GLOB(0x851a194)

HTTP output for 192.168.16.20 chi.example.com
HTTP/1.0 504 Gateway Timeout
Date: Sat, 22 Dec 2007 18:53:26 GMT
Content-Length: 282
Content-Type: text/html
Server: NetCache appliance (NetApp/5.6.2R1D6)
IO::Socket::INET=GLOB(0x85282b0)

HTTP output for 192.168.16.21 sh.example.com
HTTP/1.0 504 Gateway Timeout
Date: Sat, 22 Dec 2007 18:53:26 GMT
Content-Length: 282
Content-Type: text/html
Server: NetCache appliance (NetApp/5.6.2R1D6)
IO::Socket::INET=GLOB(0x852768c)

HTTP output for 192.168.16.21 shop.example.com
HTTP/1.0 500 Server Error
Date: Sat, 22 Dec 2007 18:53:31 GMT
Content-Length: 285
Content-Type: text/html
Server: NetCache appliance (NetApp/5.6.2R1D6)
IO::Socket::INET=GLOB(0x8519f60)

HTTP output for 192.168.8.168 www-01.example.com
HTTP/1.0 504 Gateway Timeout
Date: Sat, 22 Dec 2007 18:53:31 GMT
Content-Length: 282
Content-Type: text/html
Server: NetCache appliance (NetApp/5.6.2R1D6)
IO::Socket::INET=GLOB(0x8527ba8)

HTTP output for 192.168.8.169 www-02.example.com
HTTP/1.0 504 Gateway Timeout
Date: Sat, 22 Dec 2007 18:53:32 GMT
Content-Length: 282
Content-Type: text/html
Server: NetCache appliance (NetApp/5.6.2R1D6)
IO::Socket::INET=GLOB(0x852768c)

HTTP output for 192.25.201.3 store.example.com
HTTP/1.1 302 Found
Date: Sat, 22 Dec 2007 18:51:27 GMT
Server: Apache
Location: http://www.store.example.com/
Content-Length: 282
Connection: close
Content-Type: text/html; charset=iso-8859-1
IO::Socket::INET=GLOB(0x852768c)

HTTP output for 192.5.217.200 developer.example.com
HTTP/1.1 200 OK
Date: Sat, 22 Dec 2007 18:54:15 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.3
Set-Cookie: PHPSESSID=4f413bdcdb4e800b991b0d04d40e99fa; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
IO::Socket::INET=GLOB(0x8527dac)

HTTP output for 192.112.22.193 europe.example.com
HTTP/1.1 302 Found
Date: Sat, 22 Dec 2007 18:54:16 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.5
Location: http://europe.example.com/uk/xyzoz8
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
IO::Socket::INET=GLOB(0x851e6d0)

HTTP output for 192.112.30.69 europe.example.com
HTTP/1.1 302 Found
Date: Sat, 22 Dec 2007 18:54:16 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.5
Location: http://europe.example.com/uk/xyzoz8
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 18 entries.
and 9 webservers.
Have a nice day.

Let's see what's in the headers.txt file:

cg@segfault:~/evil/enumeration/dns/fierceDNS$ more headers.txt
GET / HTTP/1.0
User-Agent: Mozilla/5.0
Host:

You can also do fun things like specifying which nameservers to use, scanning ranges, and doing reverse lookups. The wide scan option is also worth taking a look at.
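As an added illustration (not part of the original post and not Fierce's own code), here is the brute-force-then-traverse loop from the description above written in Python and run against a constructed in-memory zone instead of real DNS, so it works offline. The lookup/reverse_lookup stand-ins and the example.com records are assumptions made up for the example; to use it for real, replace them with A and PTR queries against the target's nameserver (for instance with dnspython). The zone transfer attempt and the -connect HTTP probing are left out.

```python
import ipaddress
import secrets
from collections import defaultdict

# Constructed sample zone (not real data) for the fictional example.com:
# forward records for the brute-force step and PTR records for the traverse step.
FORWARD = {
    "www.example.com": "192.168.8.168",
    "mail.example.com": "192.168.8.170",
    "shop.example.com": "192.168.16.21",
}
REVERSE = {
    "192.168.8.168": "www-01.example.com",
    "192.168.8.169": "www-02.example.com",
    "192.168.8.170": "mail.example.com",
    "192.168.8.171": "cache.cdn-vendor.net",   # another company's box next door
    "192.168.16.20": "chi.example.com",
    "192.168.16.21": "shop.example.com",
}


def lookup(name):
    """Stand-in for an A query against the target's DNS server."""
    return FORWARD.get(name.lower())


def reverse_lookup(ip):
    """Stand-in for a PTR query."""
    return REVERSE.get(ip)


def wildcard_check(domain, resolve):
    """Fierce's 'Checking for wildcard DNS...': if a random label resolves, every
    guess would 'hit' and the brute-force results are meaningless."""
    return resolve(f"{secrets.token_hex(8)}.{domain}")


def brute_force(domain, words, resolve):
    """Guess common hostnames from a wordlist; return {name: ip} for the hits."""
    hits = {}
    for word in words:
        name = f"{word}.{domain}"
        ip = resolve(name)
        if ip:
            hits[name] = ip
    return hits


def traverse(ip, pattern, rlookup, width=5):
    """Reverse-resolve `width` addresses above and below `ip`, staying inside the
    same /24 (like -traverse); keep names containing `pattern` (None = -nopattern)."""
    base = ipaddress.IPv4Address(ip)
    block = ipaddress.IPv4Network(f"{base}/24", strict=False)
    found = {}
    for delta in range(-width, width + 1):
        candidate = int(base) + delta
        if delta == 0 or not 0 <= candidate <= 0xFFFFFFFF:
            continue
        candidate = ipaddress.IPv4Address(candidate)
        if candidate not in block:
            continue
        name = rlookup(str(candidate))
        if name and (pattern is None or pattern in name):
            found[name] = str(candidate)
    return found


def fierce_lite(domain, words, resolve, rlookup, width=5, pattern=True):
    """Brute force, then traverse around every hit until nothing new turns up,
    and summarise by /24 the way Fierce's 'Subnets found' section does."""
    if wildcard_check(domain, resolve):
        raise RuntimeError(f"{domain} has wildcard DNS; brute force is pointless")
    hosts = brute_force(domain, words, resolve)
    queue, seen = list(hosts.values()), set(hosts.values())
    while queue:
        ip = queue.pop()
        for name, near in traverse(ip, domain if pattern else None, rlookup, width).items():
            hosts[name] = near
            if near not in seen:          # recurse only into addresses we have not visited
                seen.add(near)
                queue.append(near)
    subnets = defaultdict(int)
    for ip in hosts.values():
        subnets[str(ipaddress.IPv4Network(f"{ip}/24", strict=False))] += 1
    return hosts, dict(subnets)


if __name__ == "__main__":
    hosts, subnets = fierce_lite("example.com", ["www", "mail", "shop", "ftp"], lookup, reverse_lookup)
    for name, ip in sorted(hosts.items(), key=lambda kv: kv[1]):
        print(f"{ip:<16}{name}")
    for net, count in subnets.items():
        print(f"{net} : {count} hostnames found.")
```

Against the sample zone, guessing only www, mail and shop turns up chi, www-01 and www-02 through the reverse-lookup walk, while cache.cdn-vendor.net is dropped because it does not carry the domain pattern; pass pattern=False to see the noisier -nopattern behaviour.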

Thursday, December 20, 2007

BackTrack3 is NOT an operating system either!!!

So BT3 beta is out, I wanted to see what all the fuss was about...

Here are some screenshots; it looks and acts pretty much the same. I like their graphics, the graphics guy needs a Xmas bonus.

That being said, with the release of any new version of "hacking distro" comes the "how do I get metasploit autopwn to work" garbage from the person that didn't read the man page, didn't read the blog post(s) on autopwn, didn't search the list archives for how autopwn works, and now we get to field questions on why fasttrack.py doesn't work right. Did you read (any of) the code? No... sigh. Did you go through dependency hell getting all those badass tools working so maybe you know a couple of things? No... double sigh. Did you watch the hack videos on LSO using metasploit? ...no... triple sigh.

I said most of it in a previous post here.

Going through dependency hell at least gives you an opportunity to learn and figure stuff out, building your own distro with the tools YOU use is much more helpful from a learning what the F you are doing standpoint.

Don't get me wrong, I'm not belittling the people that made BackTrack. It's a badass tool and I don't have near the linux kung fu to make it myself, so kudos to them for making a badass tool; it's just irritating that it allows people that shouldn't take shortcuts in learning to take them.

What's the solution? Build your own attack distro, you'll thank yourself in the morning.

Sunday, December 16, 2007

Zone Transfers Still Exist! -- No Really They Do!

So while helping a buddy out with an audit we came across a misconfigured DNS server that allows zone transfers (I know, we couldn't believe it either). Zone transfers are one of those things that you read about in security books and even teach, but you never think they work (like the ping of death); not quite like seeing a unicorn, but kinda like finding a four leaf clover.

Here is some background information on Zone Transfers.

"The data contained in an entire DNS zone may be sensitive in nature. Individually, DNS records are not sensitive, but if a malicious entity obtains a copy of the entire DNS zone for a domain, they may have a complete listing of all hosts in that domain"

This is essentially what we were able to pull down from this DNS server, but not just information from its domain but many other domains because it was authoritative for a whole bunch of domains.


Examples:

Find out the name servers for a zone:

dig @server domain ns

Request all records for a zone from an authoritative server:

dig @server domain axfr

@server is the misconfigured DNS server, domain is the domain you are trying to get information on.

Use host to find all the host records for a zone:

host -l domain

Use host to request all the records for a zone:

host -lv -t any domain

This is what you usually see:

cg@segfault:~$ host -t ns really.vuln.edu

really.vuln.edu name server DNS1.really.vuln.edu.
really.vuln.edu name server DNS2.really.vuln.edu.

cg@segfault:~$ host -lv -t any really.vuln.edu DNS1.really.vuln.edu
Trying "really.vuln.edu"
Using domain server:
Name: DNS1.really.vuln.edu
Address: 192.168.60.150#53
Aliases:

Host really.vuln.edu not found: 5(REFUSED)
; Transfer failed.

The (sanitized) screenshots above are what we got: about 3k internal IPs and hostnames :-)

Of course, the easiest way to test this is to use dnswalk, which will do the requests for you.

cg@segfault:~$ dnswalk
Usage: dnswalk domain
domain MUST end with a '.'

cg@segfault:~$ dnswalk really.vuln.edu. DNS1.really.vuln.edu
Checking really.vuln.edu.
Getting zone transfer of really.vuln.edu. from DNS1.really.vuln.edu...failed
FAIL: Zone transfer of really.vuln.edu. from DNS1.really.vuln.edu failed: Response code from server: REFUSED

Getting zone transfer of really.vuln.edu. from dns3.really.vuln.edu...done.
SOA=DNS1.really.vuln.edu contact=admin.nowhere.really.vuln.edu
WARN: router-10.1.1.0.really.vuln.edu A 10.1.1.1: no PTR record
WARN: router_10.2.2.1.really.vuln.edu: invalid character(s) in name
WARN: router_10.3.19.1.really.vuln.edu A 10.115.197.1: no PTR record
...
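Added example, not from the post and not dnswalk's code: once a transfer does succeed you are holding the whole zone, and the useful next step is triage. The Python below tells a refused transfer from a real one using the markers dig and host print (the "; Transfer failed." line shown above), pulls the A records out of a dig-style AXFR dump, and splits them into RFC1918 and public hosts while flagging owner names that embed addresses or device roles, the kind of router-10.1.1.0 names dnswalk listed above. The sample dump and the refused output are constructed for the example, in the shape dig and host print rather than copied from a real server.

```python
import ipaddress
import re

# Constructed sample (not real data), in the shape `dig @server domain axfr` prints:
# one record per line as owner, TTL, class, type, rdata, SOA first and last.
SAMPLE_AXFR = """\
; <<>> DiG 9.4.1 <<>> @dns3.really.vuln.edu really.vuln.edu axfr
really.vuln.edu.                    3600 IN SOA DNS1.really.vuln.edu. admin.nowhere.really.vuln.edu. 2007121601 3600 900 604800 86400
really.vuln.edu.                    3600 IN NS  DNS1.really.vuln.edu.
www.really.vuln.edu.                3600 IN A   192.0.2.10
vpn.really.vuln.edu.                3600 IN A   192.0.2.20
router-10.1.1.0.really.vuln.edu.    3600 IN A   10.1.1.1
printer-3rd-floor.really.vuln.edu.  3600 IN A   10.3.19.40
backup.really.vuln.edu.             3600 IN A   172.16.5.9
really.vuln.edu.                    3600 IN SOA DNS1.really.vuln.edu. admin.nowhere.really.vuln.edu. 2007121601 3600 900 604800 86400
"""

# What a server that refuses AXFR returns (constructed, same markers as the post).
REFUSED_OUTPUT = """\
Host really.vuln.edu not found: 5(REFUSED)
; Transfer failed.
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def transfer_succeeded(output):
    """A refused AXFR ends in '; Transfer failed.'; a real one carries the SOA record."""
    if "; Transfer failed." in output:
        return False
    return re.search(r"^\S+\s+\d+\s+IN\s+SOA\s", output, re.M) is not None


def parse_a_records(output):
    """Return {owner: ip} for every A record in the dump, skipping comment lines."""
    records = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";") and fields[2:4] == ["IN", "A"]:
            records[fields[0].rstrip(".").lower()] = fields[4]
    return records


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16; deliberately not ip_address.is_private,
    which also counts documentation ranges such as 192.0.2.0/24 as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage(records):
    """Split hosts into internal (RFC1918) and public, and flag owner names that
    embed an address or a device role: those leak topology on their own."""
    internal, public, telling = {}, {}, []
    for name, ip in records.items():
        (internal if is_rfc1918(ip) else public)[name] = ip
        label = name.split(".")[0]
        if re.search(r"\d+[._-]\d+[._-]\d+", label) or re.match(r"(router|switch|printer|vpn|backup|fw)", label):
            telling.append(name)
    return internal, public, sorted(telling)


if __name__ == "__main__":
    print("transfer ok:", transfer_succeeded(SAMPLE_AXFR), "/ refused:", transfer_succeeded(REFUSED_OUTPUT))
    internal, public, telling = triage(parse_a_records(SAMPLE_AXFR))
    print("internal:", internal)
    print("public:", public)
    print("telling names:", telling)
```

In practice you would feed it `dig @ns domain axfr` output for each nameserver the NS query returns, since (as the dnswalk run above shows) one server can refuse while another one happily answers.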

-CG

Thursday, December 13, 2007

Paterva's Maltego for Information Gathering

If you haven't heard of Paterva's Maltego (formerly Evolution) then you've been missing out! HD Moore and Valsmith first mentioned it in their Tactical Exploitation talk at Blackhat Vegas and Defcon.

From the Paterva Homepage:

  • Maltego is a program that can be used to determine the relationships and real world links between:
    • People
    • Groups of people (social networks)
    • Companies
    • Organizations
    • Web sites
    • Internet infrastructure such as:
      • Domains
      • DNS names
      • Netblocks
      • IP addresses
    • Phrases
    • Affiliations
    • Documents and files
The documentation walks you through the initial setup, accepting the transforms and getting API keys pretty well, so I won't cover it (go read, you lazy bums). Once you get through that, it's time to use it.

Maltego comes with Windows and Linux binaries, so just run ./maltego

Before you can start using Maltego you need to go to Tools --> Manage Transforms, then follow the wizard (read the documentation). You'll need to register on the Paterva site to get your API key, and at a couple of other sites to get API keys from them.

Here is how Maltego looks after you start it up. To use it, you drag an icon from the infrastructure or personal section to the Maltego Graph (blue) section.

Using Person --> Chris Gates as the search

You can see in the Transform Execution section the results you got back from the various transforms and your graph being populated with the results

The Person --> Chris Gates output. It found several email addresses, forum posts, my Amazon profile, and other stuff that wasn't me (there are actually a ton of Chris Gates' out there).

We could have added a keyword to get better results for me specifically, but given that we know the learnsecurityonline.com email is mine, let's use that for another search.

Let's check out doing Infrastructure --> Domain for learnsecurityonline.com

Not bad. I don't think the phone numbers are correct, but the other results are relevant. We could also have used the whois transform and the DNS brute force transform to enumerate more hosts in the domain and to get the IP space.

That should be enough to get you started. I've been having fun picking random security bloggers I don't know to see what I can dig up about them, very fun. While I don't have a screenshot, the metadata search is awesome when Maltego finds "office" type documents and can be useful to reinforce that you are on the right track with your search.

Links!
Paterva: http://www.paterva.com
Maltego Downloads: http://www.paterva.com/web2/maltego/maltego-gui-1.0-download.html
Maltego Documentation: http://www.paterva.com/web2/maltego/maltego-docs.html

Presentations on Maltego:
CansecWest07 Presentation [PPT] (1.8MB)
FIRST 2007 Presentation [PPT] (4.5MB)

new look for carnal blog

So we have a new look for carnal blog for '08. It's a bit early, but after looking at the new look and then looking at the old one I couldn't bring myself to change it back, so here's to a good '08 and a nice clean look for carnal0wnage blog.

Wednesday, December 12, 2007

SpearPhishing during a Pentest

So how do you go about performing a phishing attack during a pentest? Well, it depends on the scope of the pentest and whether or not you are allowed to actively compromise the user's workstation via client-side exploits. Is all you want to do to gather data on how many users clicked the links or how many submitted data? Do you want to capture that data? Usernames? Passwords? These are questions that will be answered during scoping calls and meetings with the company in question.

What is the advantage of attacking the users? We know we'll gain access through at least one of them. Well, firstly, it's becoming a more and more valid and acceptable attack vector for pentesters and malicious attackers alike.

The information gathered can be used to show the organization the importance of user awareness training and education on security issues such as phishing, pharming, viruses and malware. It can be used to stress the importance of the end user in the protection of the organization's intellectual property and their own personal information.

We'll take the Social Engineering approach of the malicious email arriving in the user's inbox. Let's consider what is required to develop the phish and get it into the user's inbox. What the link contains is up to you. It could be a site requiring the user to sync their passwords or it could be a link to a client-side exploit from Metasploit.

First you need to harvest emails for your targeted phish. A tool like harvester.py from http://www.edge-security.com/soft.php is a good choice. This tool will scrape Google and MSN for emails based on the domain name provided. Additionally, search the company website, as it may have an employee directory with all the user information and email addresses that you need. Remember that the more information you have about the users, the more legitimate you can make your phishing email.

Once you have your email list, the next step is to craft an email that is going to look believable to an employee of the company. Research the company: what do they do? Is there a generic 'helpdesk@victim.com' you can spoof? Do they have a mail server that allows relaying? If not, use your own. The site you direct them to should also mimic their own branding, image and appearance as much as possible. Crafting the email in HTML allows you to obfuscate the URL by 'hiding' it behind a legitimate-looking address. Encode the hidden URL or register another domain that is similar to the target company's as an added step to make the phish look realistic.

The next step is to send the email itself. I personally prefer not to send out hundreds of emails by hand, so I wrote a simple Perl script to do this for me. It takes a text file that contains the employee emails as an argument. It can also be configured to slow down the sending of emails, since the target company may have a mail/anti-spam gateway with thresholding set up to prevent too many emails arriving from the same sending mail server in too short a period of time.

This script will need to be modified depending on the format of the email addresses. This example uses email addresses in the following format: firstname.lastname@victim-company.com. The script parses each email and extracts the user's first name to add to the email as well. Make it look legitimate. I have added some HTML content for the body of the email. Edit this to suit your attack.

The script can be downloaded at mailer.pl

Depending on what your goal for the phish is just sit back and wait for the user data to roll in or for the shells to appear in Metasploit. The results are sometimes pretty astonishing or perhaps they should be expected. :)

dean

Tuesday, December 11, 2007

LearnSecurityOnline Interview with Andres Andreu

Originally published in the LearnSecurityOnline.com June 07 Newsletter

What we try to do with the Interviews with Security Professionals is ask people that are considered "Professionals" in the information/computer security field questions about their relevant field of research, and for advice on how someone starting out can get to their level. Hopefully good information for people starting out.

============================
Interview with Andres Andreu
============================

[LSO]
How did you get into the security business, specifically penetration testing and penetration testing web applications?


[Andres]
I am at the core a software engineer so coding and architecting complex solutions is still an area of focus. I started getting into the security side of web software because I got sick of the weak app security that the network security world was providing. The Information Security industry needed much more than mere network security and those I was encountering that were in charge of security just couldn't see past the firewall/IDS/IPS paradigm. So I took it upon myself to do what I could so that the solutions I built wouldn't suffer from an overt lack of security.

Pen testing I kind of fell into by accident; it was something I informally did for years. AAMOF when I first heard the term I didn't know what it was but I had been performing those functions for some years. Earlier in my career I just took pleasure in breaking the coding work of others as well as my own. Pen testing is really a formalization of this otherwise devious activity. The web app realm was a natural progression because that kind of development work just started coming my way.


[LSO]
How about some background about yourself, who you are? What you do? Who you work for? Location?


[Andres]
I am a self-employed native New Yorker but travel all over with work. I build custom software solutions as well as pen test anything I can legally get my hands on. Other than that I am a very dedicated husband, father of 4, artist (painting/illustration), and martial artist.


[LSO]
What do you think are the 3 biggest changes in the security field lately?


[Andres]
One change that really was inevitable, and is so evident these days, is a hard shift from the edge (network level security) to the core. The old guard of network based security is coming to terms with the fact that the security world is not boolean in nature. In the realm of core web app security there is also an interesting change in that Web 2.0 has brought about a resurgence of client side web computing. The web world of server side computing isn't going away anytime soon so the security field now has to contend with an interesting combination of the 2 tiers working simultaneously.

The field of information security is also getting a harsh dose of change with the distributed nature of things that are coming out these days. Mobile devices and their apps are a perfect example of this; and this concept of high mobility computing adds serious challenges. Moreover, users of these devices are becoming more and more savvy in terms of functionality. But as time has shown us all, the more functionality at hand, the more security challenges at hand. So expertise in this realm of security is an inevitable change.

Finally the information security field has been forced to get into the realm of compliance. It makes sense to an extent since security has an enforcement role. But time will tell if these moves are indeed wise because I travel the world and see the issue of policy creation and enforcement as a big area of challenge. I also see the frustration of otherwise technical security folk being forced into compliance related roles.


[LSO]
Where do you see the security field going in the next 1-3 years?

[Andres]
To hell! LOL, just joking. But all jokes aside the field has to change, adapt and overcome. It is still for all intents and purposes a reactive industry and that has to change. Many of the old school security people have not been able to keep up with the technological aspects of modern day info sec. They are network people at the core and just don't get the app space. So there will be a distinct shift in the industry where some people will enter the realm of security policy and won't deal with technology hands on. Those that do deal with hands on sec work will have a much richer skill set than what exists nowadays. They will truly be versed in the multiple layers of security, from the edge all the way down to code. This convergence is already starting from the inner world of developers; more and more of them are getting involved with security. And viewing info sec from a coder's point of view is radically different than an edge perspective.


[LSO]
What are the basics that you think every security person should know?

[Andres]
The most basic set of knowledge is that of multiple tiers, or layers. No one layer is a silver bullet. I think your standard FW and IDS/IPS knowledge is important along with Proxy and Reverse Proxy technologies. The use of Proxy tiers is critical in today's web centric environments.

I find that protocol knowledge is lacking in the industry as is the handling of data. In reference to the latter, I mean an understanding of the effects that input data can have on a target and how to properly validate or dismiss such input. So those areas should be treated as basic along with the multi layer approach.


[LSO]
What are the specifics that a person in your security field should know?

[Andres]
To be effective in the field of web app security one has to understand how web apps work. So being familiar with the inner workings of web environments is important. Moreover, deeply understanding the OWASP Top 10 as areas of risk and remediation is a must.


[LSO]
Any suggestions on breaking into the security field?

[Andres]
Yeah, don't limit yourself and train yourself to be flexible. Adapting to constant environmental change is a way of life for modern day information technology professionals. The concept of wearing "many hats" is very real these days and maintaining pace with the chaos of modern day technology is key.

Don't be afraid of code, it is at the heart of the problems most information security professionals have to solve. Familiarity with code will always be an advantage to anyone in the information security field. Also don't be afraid of RFCs, protocol knowledge is very important. You have to deeply understand what it is you will one day protect if you are to be truly effective.

Finally practice, practice and practice some more. An open mind coupled with practice on a myriad of platforms makes for a solid foundation. Virtual environments lend themselves well for all the practice and exposure necessary to be effective as a security professional these days. So build yourself a good virtual lab and hack/protect away.


[LSO]
Can you tell us about interesting things you are working on right now, or just recently finished (latest book, future book, current/future projects)?

[Andres]
I just wrote an article on XML Fuzzing for hakin9 magazine.

I am doing lots of Federated ID work these days. This represents a serious shift in security to that of heavily distributed data sets so it is quite challenging and exciting at the same time. So if for instance properly protecting one app/DB combo is challenging, now imagine protecting an object (of data) that doesn't actually fully exist in any one place. It exists partially in many places and some of those data sources you can't directly touch. This is very fun stuff that will be the norm in the future of the Internet.


[LSO]
Any cool new projects that you think we should let our members know about?

[Andres]
I have recently put some serious work into WSFuzzer, so check that out if you have any SOAP targets. I am also planning on kicking off a new project to deeply pen test REST services since I see them as an integral part of the future of web development.

Other than that I can't really expose my current work due to client confidentiality issues.

thx,

Andres Andreu, CISSP-ISSAP, GSEC
Author of "Professional Pen Testing for Web Applications" ISBN 0471789666

Saturday, December 8, 2007

playing with tnscmd.pl for oracle version identification

doing a little bit of playing with tnscmd.pl on oracle

cg@segfault:~/evil/scanners$ perl tnscmd.pl version -h 192.168.0.242 --indent
sending (CONNECT_DATA=(COMMAND=version)) to 192.168.0.242:1521
writing 90 bytes
reading
.M.......6.........-. ..........
DESCRIPTION=
TMP=
VSNNUM=169869824
ERR=0

.\........TNSLSNR for Linux: Version 10.2.0.2.0 - Production..TNS for Linux: Version 10.2.0.2.0 - Production..Unix Domain Socket IPC NT Protocol Adaptor for Linux: Version 10.2.0.2.0 - Production..Oracle Bequeath NT Protocol Adapter for Linux: Version 10.2.0.2.0 - Production..TCP/IP NT Protocol Adapter for Linux: Version 10.2.0.2.0 - Production,,.........@

or

cg@segfault:~/evil/scanners$ perl tnscmd.pl status -h 192.168.1.114 --indent
sending (CONNECT_DATA=(COMMAND=status)) to 192.168.1.114:1521
writing 89 bytes
reading
. .......6.........m. ...........w........
DESCRIPTION=
TMP=
VSNNUM=153093376
ERR=0
ALIAS=LISTENER
SECURITY=OFF
VERSION=TNSLSNR for Linux: Version 9.2.0.5.0 - Production
START_DATE=13-AUG-2007 19:01:21
SIDNUM=1
LOGFILE=/u01/app/oracle/product/9.2.0.1.0/network/log/listener.log
PRMFILE=/u01/app/oracle/product/9.2.0.1.0/network/admin/listener.ora
TRACING=off
UPTIME=71462092
SNMP=OFF
PID=3833

.#........
ENDPOINT=
HANDLER=
HANDLER_MAXLOAD=0
HANDLER_LOAD=0
ESTABLISHED=0
REFUSED=0
HANDLER_ID=379BDD72B603-9E0F-E040-007F01000EF9
PRE=any
SESSION=NS
DESCRIPTION=
ADDRESS=
PROTOCOL=ipc
KEY=EXTPROC
,,
ENDPOINT=
HANDLER=
HANDLER_MAXLOAD=0
HANDLER_LOAD=0
ESTABLISHED=0
REFUSED=0
HANDLER_ID=379BDD72B604-9E0F-E040-007F01000EF9
PRE=any
SESSION=NS
DESCRIPTION=
ADDRESS=
PROTOCOL=tcp
HOST=OracleServer
PORT=1521
,,
ENDPOINT=
HANDLER=
STA=ready
HANDLER_MAXLOAD=0
HANDLER_LOAD=0
ESTABLISHED=0
REFUSED=0
HANDLER_ID=379BDD72B60C-9E0F-E040-007F01000EF9
PRE=http
SESSION=RAW
DESCRIPTION=
ADDRESS=
PROTOCOL=tcp
HOST=OracleServer
PORT=8080

Presentation=HTTP
Session=RAW
,,
ENDPOINT=
HANDLER=
STA=ready
HANDLER_MAXLOAD=0
HANDLER_LOAD=0
ESTABLISHED=0
REFUSED=0
HANDLER_ID=379BDD72B60D-9E0F-E040-007F01000EF9
PRE=FTP
SESSION=RAW
DESCRIPTION=
ADDRESS=
PROTOCOL=tcp
HOST=OracleServer
PORT=2100

Presentation=FTP
Session=RAW
,,
SERVICE=
SERVICE_NAME=PLSExtProc
INSTANCE=
INSTANCE_NAME=PLSExtProc
NUM=1
INSTANCE_STATUS=UNKNOWN
NUMREL=1
,,
SERVICE=
SERVICE_NAME=orcl
INSTANCE=
INSTANCE_NAME=orcl
NUM=1
INSTANCE_STATUS=UNKNOWN
NUMREL=1

INSTANCE=
INSTANCE_NAME=orcl
NUM=2
NUMREL=1
,,
SERVICE=
SERVICE_NAME=orclXDB
INSTANCE=
INSTANCE_NAME=orcl
NUM=2
NUMREL=1

-------------
Interesting TNS Listener commands

ping Pings the listener

version Provides output of the listener version and platform information

status Returns the current status and variables used by the listener

debug Dumps debugging information to the listener log

reload Reloads the listener config file

services Dumps service data

save_config Writes the listener config file to a backup location

stop Shuts down the listener


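As an added example (not part of this post and not tnscmd.pl's code), here is a small Python parser for the status reply above: it decodes VSNNUM into the dotted version string and turns the reply into the findings a DBA should act on (SECURITY=OFF, TCP endpoints beyond 1521, the service names handed out). The sample reply is constructed from the output above with the binary framing stripped; the VSNNUM nibble layout is the conventional one and is an assumption checked only against the two values on this page.

```python
# Constructed sample: the readable KEY=VALUE part of the tnscmd.pl "status"
# reply shown above, with the binary framing bytes stripped out.
SAMPLE_STATUS = """\
VSNNUM=153093376
SECURITY=OFF
VERSION=TNSLSNR for Linux: Version 9.2.0.5.0 - Production
ENDPOINT=
PROTOCOL=tcp
HOST=OracleServer
PORT=1521
ENDPOINT=
PRE=http
PROTOCOL=tcp
HOST=OracleServer
PORT=8080
SERVICE=
SERVICE_NAME=orcl
SERVICE=
SERVICE_NAME=orclXDB
"""

def decode_vsnnum(vsnnum):
    """Unpack VSNNUM with the conventional nibble layout (assumed); it
    reproduces the 10.2.0.2.0 and 9.2.0.5.0 strings printed beside both
    VSNNUMs in the post."""
    return "%d.%d.%d.%d.%d" % (vsnnum >> 24, (vsnnum >> 20) & 0xF,
                               (vsnnum >> 12) & 0xFF, (vsnnum >> 8) & 0xF,
                               vsnnum & 0xFF)

def parse_status(text):
    """Collect listener-wide keys plus per-ENDPOINT and SERVICE_NAME entries."""
    info = {"endpoints": [], "services": []}
    endpoint = None
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        if key == "ENDPOINT":            # a new endpoint block starts here
            endpoint = {}
            info["endpoints"].append(endpoint)
        elif key == "SERVICE":           # service blocks carry no endpoint keys
            endpoint = None
        elif key == "SERVICE_NAME":
            info["services"].append(value)
        elif key in ("PROTOCOL", "HOST", "PORT", "PRE") and endpoint is not None:
            endpoint[key] = value
        elif key in ("VSNNUM", "SECURITY", "VERSION"):
            info[key] = value
    return info

def audit_status(text):
    """Turn a status reply into findings a DBA or defender would act on."""
    info = parse_status(text)
    findings = []
    if "VSNNUM" in info:
        findings.append("version " + decode_vsnnum(int(info["VSNNUM"])))
    if info.get("SECURITY", "").upper() == "OFF":
        findings.append("SECURITY=OFF: no listener password set")
    for ep in info["endpoints"]:         # anything beyond the TNS port itself
        if ep.get("PROTOCOL") == "tcp" and ep.get("PORT") != "1521":
            findings.append("extra tcp endpoint %s:%s (%s)" % (
                ep.get("HOST"), ep["PORT"], ep.get("PRE", "tns")))
    findings.append("services: " + ", ".join(info["services"]))
    return findings
```

Run audit_status(SAMPLE_STATUS) to see the findings; feed it the text part of your own listener's reply to check what it hands out unauthenticated.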
-------------
LINKS!, everyone loves links...

tnscmd available from: http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd

tnscmd documentation:
http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html

useful post on identifying oracle:
http://www.pentest.co.uk/documents/ora_db_on_network.htm

-CG

Thursday, December 6, 2007

Info & email gathering with google

There are a couple of neat tools that use google that can help you find email addresses for your client side pen-test...

googleharvester:

cg@segfault:~/evil/enumeration/google$ perl googleharvester0.3.pl
Usage: googleharvester.pl domain or googlefinger --help
cg@segfault:~/evil/enumeration/google$ perl googleharvester0.3.pl learnsecurityonline.com
Searching Results 0
Searching Results 10
Searching Results 20
Searching Results 30
Searching Results 40
Searching Results 50
Searching Results 60
Searching Results 70
Searching Results 80
Searching Results 90
Searching Results 100
Searching Results 110
Searching Results 120
Searching Results 130
Searching Results 140
Searching Results 150
Searching Results 160
Searching Results 170
Searching Results 180
Searching Results 190
encontreGoogleharvester results:

ad8m@learnsecurityonline.com
chr1s@learnsecurityonline.com
learnsecurityonline.com
1nfo@learnsecurityonline.com
j0e@learnsecurityonline.com
...j0e@learnsecurityonline.com

Total accounts: 6
cg@segfault:~/evil/enumeration/google$

goog-mail.py:

cg@segfault:~/evil/enumeration/google$ python goog-mail.py

Extracts emails from google results.

Usage : ./goog-mail.py

cg@segfault:~/evil/enumeration/google$ python goog-mail.py learnsecurityonline.com

+++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Google Web & Group Results:
+++++++++++++++++++++++++++++++++++++++++++++++++++++

ch...@learnsecurityonline.com
chr1s@learnsecurityonline.com
j...@learnsecurityonline.com
m...@learnsecurityonline.com
j0e@learnsecurityonline.com
cg@segfault:~/evil/enumeration/google$

finger-google.py:

cg@segfault:~/evil/enumeration/google/fingergoogle/fingergoogle-1.1$ python fingergoogle.py
Usage: fingergoogle.py [domain]

cg@segfault:~/evil/enumeration/google/fingergoogle/fingergoogle-1.1$ python fingergoogle.py learnsecurityonline.com
Links a navegar: 17
/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&ie=UTF-8&as_qdr=all&start=0&sa=N&filter=0
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=20&sa=N&filter=0"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=40&sa=N&filter=0"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=60&sa=N&filter=0"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=80&sa=N&filter=0"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=100&sa=N&filter=0"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=120&sa=N&filter=0"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=140&sa=N&filter=0"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=160&sa=N&filter=0"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=180&sa=N&filter=0"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=120&sa=N"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=0&sa=N"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=20&sa=N"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=40&sa=N"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=60&sa=N"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=80&sa=N"
"/search?q=%40learnsecurityonline.com&num=20&hl=es&lr=&as_qdr=all&ie=UTF-8&start=100&sa=N"
To search: learnsecurityonline.com
joe
joe
joe
joe
joe
joe
joe
info
adam
adam
adam
joe
joe
info
adam
joe
joe
joe
joe
joe
joe
joe
joe
Accounts found: 3
joe
info
adam

please don't use me for your "client-side" pen test ;-)

-CG

Sunday, December 2, 2007