Sunday, December 27, 2009

2009 Blog Stats

Since everyone else is doing it...

Top 10 posts of of the year 12/26/2008 - 12/26/2009 - blogspot

Adding your own exploits and modules in Metasploit
http://carnal0wnage.blogspot.com/2008/07/adding-your-own-exploits-in-metasploit.html

Gray Hat Python: Python Programming for Hackers and Reverse Engineers Book Review
http://carnal0wnage.blogspot.com/2009/05/gray-hat-python-python-programming-for.html

Dumping Memory to Extract Password Hashes
http://carnal0wnage.blogspot.com/2009/03/dumping-memory-to-extract-password.html

Using the Metasploit SMB Sniffer Module
http://carnal0wnage.blogspot.com/2009/04/using-metasploit-smb-sniffer-module.html

Metasploit and WMAP
http://carnal0wnage.blogspot.com/2008/11/metasploit-and-wmap_24.html

Metasploit + Karma=Karmetasploit Part 1
http://carnal0wnage.blogspot.com/2008/08/playing-with-karmasploit-part-1.html

Token Passing with Incognito
http://carnal0wnage.blogspot.com/2008/05/token-passing-with-incognito.html

Metasploit + Karma=Karmetasploit Part 2
http://carnal0wnage.blogspot.com/2008/08/metasploit-karmakarmasploit-part-2.html

Getting your smartcard to work with Ubuntu
http://carnal0wnage.blogspot.com/2008/11/getting-your-smartcard-to-work-with.html

msvctl -- pass the hash action
http://carnal0wnage.blogspot.com/2008/03/msvctl-pass-hash-action.html

Top 10 posts of of the year 12/26/2008 - 12/26/2009 -- AttackResearch

Release of the TOR Backdoor
http://carnal0wnage.attackresearch.com/node/376

Coming soon to a pentest near you... (assagi teaser)
http://carnal0wnage.attackresearch.com/node/366

Microsoft DirectShow MPEG2TuneRequest Stack Overflow P0C
http://carnal0wnage.attackresearch.com/node/370

Why I hate web app pentesting...
http://carnal0wnage.attackresearch.com/node/383

PDF Defiling Intro
http://carnal0wnage.attackresearch.com/node/362

Past, Present, and Future of Security and the Security Community
http://carnal0wnage.attackresearch.com/node/395

Failing the Test of Trust (guest post By Timelord)
http://carnal0wnage.attackresearch.com/node/386

More On Metasploit Meterpreter & Timestomp
http://carnal0wnage.attackresearch.com/node/390

Security Conferences, pen tests and incident response
http://carnal0wnage.attackresearch.com/node/361

Metasploit JSP Shells
http://carnal0wnage.attackresearch.com/node/389

Top 10 Keywords that brought people to the blog -blogspot

carnal0wnage
gsecdump
karmetasploit
carnal ownage
msvctl
metasploit oracle
metasploit
carnalownage
scapy
c:\windows\system32\2.exe

Top 10 Keywords that brought people to the blog - AttackResearch

metasploit oracle
client-side penetration testing notacon edition slides
node/24
carnal0wnage
ping sweep
tor backdoor
attack research
msvctl
phishing framework
maltego download

Top 10 Referring Sites - blogspot

ethicalhacker.net
metasploit.com
google.com
twitter.com
forums.remote-exploit.org
blogger.com
learnsecurityonline.com
carnal0wnage.com
penetrationtests.com
synjunkie.blogspot.com

Top 10 Referring Sites - AttackResearch

carnal0wnage.blogspot.com
ethicalhacker.net
blog.attackresearch.com
google.com
twitter.com
blog.metasploit.com
attackresearch.com
pentoo.ch
learnsecurityonline.com
pauldotcom.com

Top 10 Countries - blogspot

United States
United Kingdom
France
Germany
India
Canada
Italy
Spain
Australia
Brazil

Top 10 Countries - AttackResearch

United States
United Kingdom
France
India
Canada
Germany
Indonesia
Spain
Italy
Australia

Friday, December 18, 2009

File Upload, Anti-Virus, UPX Packer, Mubix's article and a partridge in a pear tree.

Today I was asked to give a proof-of-concept as a fun way of entering the holiday season. The idea was to prove why file upload (without extension / file type checking) can be dangerous. The target client and web server were both using A/V. We already knew it was possible to upload whatever type of file you chose. The question was, as the administrators demanded would be the case, would the A/V stop such an attack.

The answer?

Using solely the technique gained Here , which is @Mubix's site......sadly......the answer is NO. Now a week ago this would have worked. Recent A/V updates have changed that. So how to get around it?

Note: I've been warned by @carnal0wnage
that this technique will most likely flag on some products because of the UPX packing.

That being said, it worked great against the A/V and it turned out to be a fun day.

Instructions:

Create and encode the meterpreter payload as instructed on Mubix's site (link above).

Download the UPX packer Here. I chose the upx-3.04-i386_linux.tar.bz2 for BT4.

Now simply bunzip2 & tar -xvf the file and cd into the upx directory. Perform a ./upx and consider the file packed. 

Happy Hacking!

Beating Up On Oracle Book List

Need some last minute books to beat up on Oracle? Here's a list.





















(you'll have to go to the rampant press site http://www.rampant-books.com/book_0701_oracle_forensics.htm)




Friday, December 11, 2009

Hackers -- Net Cafe Series Video circa 1996

From the old skool files...

This is the very first episode of the Net Cafe series. It was shot on location at a cybercafe in San Francisco called CoffeeNet. It looks at the hacker culture and their influence on the early growth of the internet. Guests include Dan Farmer, author of SATAN and COPS; Elias Levi (aka Aleph 1), webmaster of underground.org and Bugtraq; also "Reid Fleming" and "White Knight" from Cult of the Dead Cow. Originally broadcast in 1996.


BToD Testing an Intranet site / 'do WWW Authentication'

I'm sure most folks have already used this feature but for those that haven't, I came across a situation recently where I was asked to test an Intranet application and found the 'do WWW Authentication' piece of functionality made life much easier for me.

So as you may know from my earlier post regarding extracting HTML comments using DirChex, Burp Suite and a Burp Suite Plugin this process is very quick and very simple.

DirChex is basically a dumb application. It is fed a list of URIs like so:

http://www.example.com/index.html
http://www.example.com/protected/shouldn't_be_available.html
http://www.example.com/hidden/mydatabasedump.txt
http://www.example.com/protected/TheMetsSuck.html

(That last line was for you Jack)

and it blindly requests each URI thru the proxy of your choice. The whole idea is to view the request/response as an unauthenticated user. I provide no options for setting a cookie/sessionID/login creds.

Here is the problem I ran into. I'm testing an Intranet application, the application uses NTLM which is tied to your Windows Domain account to receive access to the main page of the application. Only after you've first authenticated via your domain account will you have access to the actual application (which has a login form, technically your half authenticated?). So to test the "unauthenticated" portion you technically have to be authenticated :-)

This is where you can save your self some time. If you utilize the 'do WWW Authentication' option every request that is sent via Burp will automatically have the NTLM/Basic/Digest credentials included.

Navigate to the 'Comms' tab ('Options' tab in later version) and fill in the following:



Hope this helps someone.

Happy Hacking!

Wednesday, December 9, 2009

DirChex Help / BT4 version

Hey folks,

Just as an update, if you downloaded the Backtrack 4 DirChex_v1.1 tool and are having issues with the install relating to the apt-get install libXXXX portion, ensure you enter "apt-get update" FIRST so that the newest packages and their corresponding locations are up to date.

Happy Hacking!

Friday, December 4, 2009

Digging into SSL Cipher Checking

On a recent pentest one of the findings that came up (actually it seems like this finding is on every pentest) is the web server allowing SSLv2.

In the course of doing the report I of course wanted to point to a good reason why this was the case. It was actually difficult to find a CVE/CVSS/etc to say why its bad, in fact I never did. Kind of the same with allowing VRFY on your SMTP server. We all know its bad, but where is the proof.

Nevertheless, here are some links that were useful in understanding the problem.

http://www.foundstone.com/us/resources/whitepapers/wp_ssldigger.pdf
http://www.gnu.org/software/gnutls/manual/html_node/On-SSL-2-and-older-protocols.html
http://osvdb.org/show/osvdb/56387
http://www.schneier.com/paper-ssl.pdf
http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security
http://clearskies.net/blog/2009/03/01/insecure-ssl-and-how-pci-nearly-gets-it-right/

OSVDB updated their entry for SSLv2
http://osvdb.org/56387

Also a couple of tools to do some checking for you:

Foundstone's SSLDigger
http://www.foundstone.com/us/resources/proddesc/ssldigger.htm

nmap will do this for you with -A with port 443 open or with the sslv2 script
http://nmap.org/nsedoc/scripts/sslv2.html

ssl-cipher-check.pl from http://www.unspecific.com/ssl/

Example output from the tool site:

Usage:

$ perl ./ssl-cipher-check.pl
: SSL Cipher Check: 1.2
: written by Lee 'MadHat' Heath (at) Unspecific.com
Usage:
./ssl-cipher-check.pl [ -dvwas ] []
default port is 443
-d Add debug info (show it all, lots of stuff)
-v Verbose. Show more info about what is found
-w Show only weak ciphers enabled.
-a Show all ciphers, enabled or not
-s Show only the STRONG ciphers enabled.
Default Output:
$ perl ./ssl-cipher-check.pl mail.yahoo.com
Testing mail.yahoo.com:443
SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
SSLv3:AES256-SHA - ENABLED - STRONG 256 bits

TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
TLSv1:AES256-SHA - ENABLED - STRONG 256 bits

** SSLv2:RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:RC2-CBC-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:DES-CBC-MD5 - ENABLED - WEAK 56 bits **
** SSLv2:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:DES-CBC3-MD5 - ENABLED - WEAK 168 bits **

*WARNING* 14 WEAK Ciphers Enabled.
Total Ciphers Enabled: 24

Links that go with the above tools

ssl-cipher-check author's talk slides
http://dc214.org/.go/presentations#mar2009

Disabling SSLv2 on a variety of services:
http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html

http://adamyoung.net/Disable-SSLv2-System-Wide